
Timeout in fuzz_skrifa_outline #1290

rsheeter opened this issue Dec 13, 2024 · 2 comments
bug Something isn't working fuzzer reported


See https://issues.oss-fuzz.com/issues/42538387

@rsheeter rsheeter added bug Something isn't working fuzzer reported labels Dec 13, 2024

rsheeter commented Jan 29, 2025

Running the minimized testcase under gdb shows this is a timeout in the hinting interpreter rather than in outline parsing. Adding a few prints points at DELTAP3 (see the `op_deltap` frame in the backtrace below):

$ rust-gdb --args target/debug/fuzz_skrifa_outline ~/Downloads/clusterfuzz-testcase-minimized-fuzz_skrifa_outline-5187984201154560
...noise...
run Ok(Instruction { opcode: PUSHW011, inline_operands: InlineOperands { bytes: [187, 187, 187, 187, 187, 187, 187, 187], is_words: true }, pc: 0 })
run Ok(Instruction { opcode: PUSHW011, inline_operands: InlineOperands { bytes: [187, 187, 187, 187, 187, 187, 187, 187], is_words: true }, pc: 9 })
run Ok(Instruction { opcode: PUSHW011, inline_operands: InlineOperands { bytes: [187, 187, 187, 196, 187, 187, 187, 187], is_words: true }, pc: 18 })
run Ok(Instruction { opcode: PUSHW011, inline_operands: InlineOperands { bytes: [187, 187, 187, 187, 33, 187, 187, 187], is_words: true }, pc: 27 })
run Ok(Instruction { opcode: PUSHW011, inline_operands: InlineOperands { bytes: [187, 187, 187, 187, 187, 187, 187, 187], is_words: true }, pc: 36 })
run Ok(Instruction { opcode: PUSHW011, inline_operands: InlineOperands { bytes: [187, 187, 187, 181, 187, 44, 0, 32], is_words: true }, pc: 45 })
run Ok(Instruction { opcode: SVTCA0, inline_operands: InlineOperands { bytes: [], is_words: false }, pc: 54 })
run Ok(Instruction { opcode: WCVTF, inline_operands: InlineOperands { bytes: [], is_words: false }, pc: 55 })
run Ok(Instruction { opcode: SVTCA0, inline_operands: InlineOperands { bytes: [], is_words: false }, pc: 56 })
run Ok(Instruction { opcode: MIRP01111, inline_operands: InlineOperands { bytes: [], is_words: false }, pc: 57 })
run Ok(Instruction { opcode: SVTCA0, inline_operands: InlineOperands { bytes: [], is_words: false }, pc: 58 })
run Ok(Instruction { opcode: DELTAP3, inline_operands: InlineOperands { bytes: [], is_words: false }, pc: 59 })
op_deltap 0..18446744073709534139 cycles
^C
Thread 1 "fuzz_skrifa_out" received signal SIGINT, Interrupt.
skrifa::outline::glyf::hint::value_stack::ValueStack::pop_usize (self=0x7fffffffa640) at skrifa/src/outline/glyf/hint/value_stack.rs:113
113	    }
(gdb) bt
#0  skrifa::outline::glyf::hint::value_stack::ValueStack::pop_usize (self=0x7fffffffa640) at skrifa/src/outline/glyf/hint/value_stack.rs:113
#1  0x0000555555692af4 in skrifa::outline::glyf::hint::engine::Engine::op_deltap (self=0x7fffffffa610, 
    opcode=read_fonts::tables::glyf::bytecode::opcode::Opcode::DELTAP3) at skrifa/src/outline/glyf/hint/engine/delta.rs:43
#2  0x0000555555695746 in skrifa::outline::glyf::hint::engine::Engine::dispatch_inner (self=0x7fffffffa610, ins=0x7fffffffa1d8)
    at skrifa/src/outline/glyf/hint/engine/dispatch.rs:199
#3  0x0000555555693ce0 in skrifa::outline::glyf::hint::engine::Engine::dispatch (self=0x7fffffffa610, ins=0x7fffffffa1d8)
    at skrifa/src/outline/glyf/hint/engine/dispatch.rs:90
#4  0x00005555556939d7 in skrifa::outline::glyf::hint::engine::Engine::run (self=0x7fffffffa610) at skrifa/src/outline/glyf/hint/engine/dispatch.rs:60
#5  0x00005555556936ac in skrifa::outline::glyf::hint::engine::Engine::run_program (self=0x7fffffffa610, 
    program=skrifa::outline::glyf::hint::program::Program::Font, is_pedantic=false) at skrifa/src/outline/glyf/hint/engine/dispatch.rs:16
#6  0x000055555567f44e in skrifa::outline::glyf::hint::instance::HintInstance::reconfigure (self=0x5555558f1da0, outlines=0x7fffffffbe28, scale=65536, 
    ppem=0, target=..., coords=...) at skrifa/src/outline/glyf/hint/instance.rs:75
#7  0x00005555555c8b71 in skrifa::outline::hint::HintingInstance::reconfigure<&skrifa::instance::Location, skrifa::outline::hint::HintingOptions> (
    self=0x7fffffffbbd0, outlines=0x7fffffffbe20, size=..., location=0x7fffffffc840, options=...) at skrifa/src/outline/hint.rs:347
#8  0x00005555555c96af in skrifa::outline::hint::HintingInstance::new<&skrifa::instance::Location, skrifa::outline::hint::HintingMode> (
    outline_glyphs=0x7fffffffbe20, size=..., location=0x7fffffffc840, options=...) at skrifa/src/outline/hint.rs:302
#9  0x00005555555c5a47 in fuzz_skrifa_outline::do_glyf_things (outline_request=..., font=0x7fffffffc768) at fuzz/fuzz_targets/fuzz_skrifa_outline.rs:97
#10 0x00005555555c66f4 in fuzz_skrifa_outline::_::__libfuzzer_sys_run (data=...) at fuzz/fuzz_targets/fuzz_skrifa_outline.rs:224
#11 0x00005555555c6467 in fuzz_skrifa_outline::_::rust_fuzzer_test_input (bytes=...)
    at /usr/local/google/home/rsheeter/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:224
#12 0x00005555557464f6 in libfuzzer_sys::test_input_wrap::{closure#0} () at src/lib.rs:61
#13 0x0000555555744be6 in std::panicking::try::do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32> (data=0x7fffffffca88)
    at /usr/local/google/home/rsheeter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:557
#14 0x000055555574670b in __rust_try ()
#15 0x0000555555744b54 in std::panicking::try<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}> (f=...)
    at /usr/local/google/home/rsheeter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:520
#16 std::panic::catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32> (f=...)
    at /usr/local/google/home/rsheeter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:358
#17 0x0000555555746423 in libfuzzer_sys::test_input_wrap (data=0x5555558ef2d0, size=1699) at src/lib.rs:59
#18 0x000055555574cee1 in fuzzer::Fuzzer::ExecuteCallback (this=0x5555558eebb0, Data=0x5555558f12e0 "", Size=1699) at libfuzzer/FuzzerLoop.cpp:612
#19 0x0000555555763414 in fuzzer::RunOneTest (F=0x5555558eebb0, 
    InputFilePath=0x5555558ee5f0 "/usr/local/google/home/rsheeter/Downloads/clusterfuzz-testcase-minimized-fuzz_skrifa_outline-5187984201154560", MaxLen=0)
    at libfuzzer/FuzzerDriver.cpp:324
#20 0x00005555557672d0 in fuzzer::FuzzerDriver (argc=0x7fffffffd4ec, argv=0x7fffffffd4e0, Callback=0x555555746400 <libfuzzer_sys::test_input_wrap>)
    at libfuzzer/FuzzerDriver.cpp:860
#21 0x00005555557730da in main (argc=2, argv=0x7fffffffd608) at libfuzzer/FuzzerMain.cpp:20

Processing op_deltap with n=18446744073709534139 is clearly unreasonable: that value is 2^64 - 17477, i.e. the negative i32 -17477 popped from the value stack and sign-extended by the `as usize` cast in `pop_usize`. A font-supplied count should never exceed the number of points in the glyph, so either a work limit or a range check on the popped value is needed — perhaps rejecting an adjustment of more points than exist? Not quite sure if that's valid TrueType, hinting noob. In any case, producing a usize > i32::MAX from a signed 32-bit stack value is undesirable, and even a sign-checked count of up to i32::MAX would still be worth bounding against the actual point count.


The cast below sign-extends any negative i32 on the stack into a huge usize (-17477 becomes 18446744073709534139, the count seen above). Rejecting negative values instead of wrapping them is an easy fix:

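    /// Pops the top stack value and converts it to a `usize` count or index.
    ///
    /// TrueType stack values are signed 32-bit. A bare `as usize` cast
    /// sign-extends a negative value into an enormous unsigned one (the
    /// fuzzer observed `n = 18446744073709534139` in `op_deltap`), so a
    /// single malformed instruction could drive an effectively unbounded
    /// loop. Negative values are therefore rejected rather than wrapped.
    ///
    /// This alone does not bound the work a *positive* count can request
    /// (up to `i32::MAX`); callers such as `op_deltap` should still cap the
    /// count against the data actually available (e.g. the point count).
    ///
    /// # Errors
    /// Propagates the underflow error from `pop()`, and returns an
    /// `InvalidStackValue` error when the popped value is negative.
    pub fn pop_usize(&mut self) -> Result<usize, HintErrorKind> {
        let value = self.pop()?;
        // NOTE(review): `InvalidStackValue` is assumed to be the crate's
        // "bad operand" variant of `HintErrorKind`; substitute the matching
        // variant if it is named differently.
        usize::try_from(value).map_err(|_| HintErrorKind::InvalidStackValue(value))
    }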
