From 4433e03492059a0e2f7f15afc1548356699e1fca Mon Sep 17 00:00:00 2001 From: Miklos Vajna Date: Tue, 31 May 2022 11:10:45 +0200 Subject: [PATCH] client session fuzzer: try harder to empty SocketPoll::_newCallbacks on shutdown The DocumentBroker dtor adds a callback: #0 SocketPoll::addCallback(std::function const&) (this=0x377dce0 , fn=...) at ./net/Socket.hpp:773 #1 0x0000000000947db5 in Admin::rmDoc (this=, docKey=...) at wsd/Admin.cpp:544 #2 0x0000000000bb8192 in DocumentBroker::~DocumentBroker (this=0x61900000e690) at wsd/DocumentBroker.cpp:579 So even if the fuzzer called Admin::instance().poll() on shutdown, there was one more callback inserted to the list later, leading to OOM in the long run. Signed-off-by: Miklos Vajna Change-Id: I0832d839b098407fa9e8aadb6f84388a85d62323 --- fuzzer/ClientSession.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fuzzer/ClientSession.cpp b/fuzzer/ClientSession.cpp index fb916012f2..06a7393bcc 100644 --- a/fuzzer/ClientSession.cpp +++ b/fuzzer/ClientSession.cpp @@ -41,6 +41,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) session->handleMessage(lineVector); } + // The DocumentBroker dtor grows SocketPoll::_newCallbacks. + docBroker.reset(); + // Make sure SocketPoll::_newCallbacks does not grow forever, leading to OOM. Admin::instance().poll(std::chrono::microseconds(0));
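Review bot: `docBroker.reset();` only runs `~DocumentBroker` if this is the last owner of the broker, and `session` (still alive at this point, see `session->handleMessage(lineVector)` just above) may well hold its own shared reference to it; in that case the dtor, and the `Admin::rmDoc` callback it adds per the commit message, would fire after `Admin::instance().poll(std::chrono::microseconds(0))`, so `SocketPoll::_newCallbacks` would still grow by one per iteration and the OOM this patch targets would remain. Suggest either destroying or resetting `session` before `docBroker.reset()` and the poll, or adding an assertion such as `assert(docBroker.use_count() == 1);` ahead of the reset so the fuzzer fails loudly if ownership changes. The added comment would also be clearer if it named the source of the callback, e.g. `// The DocumentBroker dtor adds a callback via Admin::rmDoc(), growing SocketPoll::_newCallbacks.`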