honggfuzz: raise per-input timeout and wrap in restart loop #2
Merged
Heavy transplant targets (ghostscript) race honggfuzz's fork-follow ptrace-attach when a persistent-mode child is SIGKILLed on the default 1s deadline, fatally aborting the fuzzer. Raise --timeout to 25s and wrap the invocation in a retry loop so coverage carries forward across the remaining races (corpus/crashdir on disk survive intact).
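The restart loop the PR body describes, as an added example (this is not the PR's own script or the honggfuzz project's code): a small POSIX sh wrapper that respawns honggfuzz when it aborts, relying on the corpus and crash directory on disk to carry coverage forward. `--timeout`, `--input`, `--output` and `--crashdir` are real honggfuzz options; the paths under `$WORK`, the target name and `MAX_RESTARTS` are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's own script: keep honggfuzz running across the
# fatal aborts described above. Corpus and crash directory live on disk, so a
# restarted session resumes from what the previous one saved.
# Assumptions: paths under $WORK, the target binary name, MAX_RESTARTS.

# run_with_restart MAX CMD...: run CMD, restarting it on abnormal exit until it
# exits 0, is interrupted (status 130), or MAX attempts have been used.
# Prints the number of attempts to stdout and returns the last exit status.
run_with_restart() {
    max=$1; shift
    attempt=0
    status=0
    while [ "$attempt" -lt "$max" ]; do
        attempt=$((attempt + 1))
        status=0
        "$@" || status=$?
        # 0: the fuzzer finished on its own; 130: Ctrl-C, so do not respawn
        if [ "$status" -eq 0 ] || [ "$status" -eq 130 ]; then
            break
        fi
        echo "attempt $attempt exited with status $status; restarting" >&2
        sleep "${RESTART_DELAY:-1}"
    done
    echo "$attempt"
    return "$status"
}

# Real invocation, only run when RUN_FUZZER=1 so the file can be sourced safely.
if [ "${RUN_FUZZER:-0}" = 1 ]; then
    WORK=${WORK:-/work/gs}             # assumed workspace
    CORPUS=$WORK/corpus                # survives across restarts
    CRASHDIR=$WORK/crashes             # survives across restarts
    TARGET=${TARGET:-$WORK/gs_fuzzer}  # assumed persistent-mode target
    mkdir -p "$CORPUS" "$CRASHDIR"
    # --timeout 25 is the per-input deadline the PR raises from the 1s default
    run_with_restart "${MAX_RESTARTS:-20}" honggfuzz \
        --timeout 25 \
        --input "$CORPUS" --output "$CORPUS" \
        --crashdir "$CRASHDIR" \
        -- "$TARGET"
fi
```

Run it as `RUN_FUZZER=1 WORK=/path/to/workspace ./restart.sh`. The loop deliberately stops on exit status 0 and on 130, so a session that finishes normally or is interrupted by hand is not respawned; only the abnormal exits from the attach race are retried.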
linkeLi0421 added a commit that referenced this pull request on Apr 23, 2026
The generator captured an empty/stub crash log for OSV-2022-339 because
its `-runs=10` replay hit the 30s timeout before ghostpdl's garbage
collector got enough allocator churn to trip the bug. The testcase is
bytewise identical to the original OSS-Fuzz PoC (dispatch_value=0, this
is a local bug — no transplant patch needed).
Rerun with -runs=100 reproduces the crash in ~30s:
AddressSanitizer: heap-use-after-free
READ of size 2 at 0x62a00031bcb0
#0 0xdef27b in gc_trace /src/ghostpdl/./psi/igc.c:915:17
#1 0xde9b3c in gs_gc_reclaim /src/ghostpdl/./psi/igc.c:338
#2 0xd10d24 in ireclaim /src/ghostpdl/./psi/ireclaim.c:80
...
Replace the truncated crashes/OSV-2022-339.txt with the full ASan
report and update bug_metadata.json to add crash_file / crash_line /
crash_function so triage can map coverage back to this bug.
Now 88/89 bugs have crash lines. OSV-2022-232 still doesn't reproduce
at -runs=100 — tracked separately.
linkeLi0421 added a commit that referenced this pull request on Apr 23, 2026
Same pattern as OSV-2022-339: generator ran `-runs=100` with a 180s
timeout, which wasn't enough allocator churn for this testcase-only
bug to manifest. Its offending memcpy only overruns once ghostpdl's
freelist hits a specific layout, which in the merged binary needs
roughly 1000 replay iterations to reproduce (the merged benchmark
binary has one of the transplant patches in base/fapi_ft.c,
OSV-2022-456's dispatch-gated branch, which shifts codegen just
enough to push the vulnerable allocator path further into the run).
Reran at -runs=1000 and got the expected heap-buffer-overflow:
AddressSanitizer: heap-buffer-overflow
READ of size 19589104 at 0x62a00036b050
#0 __interceptor_memcpy
#1 pdfi_fapi_get_glyph /src/ghostpdl/./pdf/pdf_fapi.c:1187:21
#2 get_fapi_glyph_data /src/ghostpdl/./base/fapi_ft.c:427
...
Replace the empty crashes/OSV-2022-232.txt with the full ASan report
and update bug_metadata.json to add the crash file/line/function.
Now 89/89 bugs have crash lines.
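Both commit messages above end by recording crash_file / crash_line / crash_function from the regenerated ASan report. As an added example (not the repository's own tooling), the sh functions below extract that triple from a report, skipping frames without a source location such as the `__interceptor_memcpy` frame in the OSV-2022-232 report. The two sample reports are the excerpts quoted in the commit messages; the JSON field names come from the commit message, while the object's nesting inside bug_metadata.json is an assumption.

```shell
#!/bin/sh
# Added example, not the repository's own tooling: pull the crash site out of an
# ASan report so it can be recorded as crash_file / crash_line / crash_function.
# The two reports below are the excerpts quoted in the commit messages above;
# the JSON shape emitted at the end is an assumption (bug_metadata.json's real
# layout is not shown on the page).

# asan_crash_frame: reads an ASan report on stdin and prints
# "<file> <line> <function>" for the first stack frame that carries a source
# location. Frames such as "#0 __interceptor_memcpy" have none and are skipped,
# which is exactly the OSV-2022-232 case.
asan_crash_frame() {
    awk '
        /^[ \t]*#[0-9]+ / {
            for (i = 2; i <= NF; i++) {
                # a location field looks like /path/file.c:LINE or /path/file.c:LINE:COL
                if ($i ~ /^\/.*:[0-9]+(:[0-9]+)?$/ && match($i, /:[0-9]+(:[0-9]+)?$/)) {
                    file = substr($i, 1, RSTART - 1)
                    line = substr($i, RSTART + 1)
                    sub(/:.*$/, "", line)          # drop the column, keep the line
                    print file, line, $(i - 1)     # the function name precedes the location
                    exit
                }
            }
        }
    '
}

# crash_metadata_json: wraps the frame as a JSON object (field names taken from
# the commit message; where it sits inside bug_metadata.json is assumed).
crash_metadata_json() {
    asan_crash_frame | awk '{
        printf "{\"crash_file\": \"%s\", \"crash_line\": %s, \"crash_function\": \"%s\"}\n", $1, $2, $3
    }'
}

# Excerpts from the commit messages above, used here as sample input.
SAMPLE_UAF='AddressSanitizer: heap-use-after-free
READ of size 2 at 0x62a00031bcb0
#0 0xdef27b in gc_trace /src/ghostpdl/./psi/igc.c:915:17
#1 0xde9b3c in gs_gc_reclaim /src/ghostpdl/./psi/igc.c:338
#2 0xd10d24 in ireclaim /src/ghostpdl/./psi/ireclaim.c:80'

SAMPLE_OVERFLOW='AddressSanitizer: heap-buffer-overflow
READ of size 19589104 at 0x62a00036b050
#0 __interceptor_memcpy
#1 pdfi_fapi_get_glyph /src/ghostpdl/./pdf/pdf_fapi.c:1187:21
#2 get_fapi_glyph_data /src/ghostpdl/./base/fapi_ft.c:427'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_UAF" | crash_metadata_json
    printf '%s\n' "$SAMPLE_OVERFLOW" | crash_metadata_json
fi
```

Pipe a full report into it (`asan_crash_frame < crashes/OSV-2022-339.txt`) or run `./crashsite.sh demo` to see the two sample reports reduced to their crash sites. Picking the first frame with a location, rather than frame #0, is what keeps interceptor frames from being recorded as the crash function.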