MojoLPM: Fix OOM issues.

This change creates a new mojo::Message for each deserialisation, avoiding OOM issues created when too many objects are deserialised in a single testcase. It also adds a maximum action size to the CodeCacheHost fuzzer to enforce a "reasonable" maximum. Bug: 1121032 Change-Id: I7d1c07330e66f856ab2eb0697973b186bed66f02 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2397616Reviewed-by: Jonathan Metzman <metzman@chromium.org> Reviewed-by: Oksana Zhuravlova <oksamyt@chromium.org> Commit-Queue: Mark Brand <markbrand@google.com> Cr-Commit-Position: refs/heads/master@{#806122}

MojoLPM: Fix OOM issues.
This change creates a new mojo::Message for each deserialisation, avoiding OOM issues created when too many objects are deserialised in a single testcase. It also adds a maximum action size to the CodeCacheHost fuzzer to enforce a "reasonable" maximum. Bug: 1121032 Change-Id: I7d1c07330e66f856ab2eb0697973b186bed66f02 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2397616Reviewed-by: Jonathan Metzman <metzman@chromium.org> Reviewed-by: Oksana Zhuravlova <oksamyt@chromium.org> Commit-Queue: Mark Brand <markbrand@google.com> Cr-Commit-Position: refs/heads/master@{#806122}
b763d39c · Mark Brand · Commit Bot · a0141087 · b763d39c · b763d39c
Commit b763d39c authored Sep 11, 2020 by Mark Brand Committed by Commit Bot Sep 11, 2020
4 changed files
--- a/content/test/fuzzer/code_cache_host_mojolpm_fuzzer.cc
+++ b/content/test/fuzzer/code_cache_host_mojolpm_fuzzer.cc
@@ -156,6 +156,11 @@ class CodeCacheHostTestcase {
  // Apply a reasonable upper-bound on testcase complexity to avoid timeouts.
  const int max_action_count_ = 512;
+  // Apply a reasonable upper-bound on maximum size of action that we will
+  // deserialize. (This is deliberately slightly larger than max mojo message
+  // size)
+  const size_t max_action_size_ = 300 * 1024 * 1024;
  // Count of total actions performed in this testcase.
  int action_count_ = 0;
@@ -246,6 +251,9 @@ void CodeCacheHostTestcase::NextAction() {
      }
      const auto& action =
          testcase_.actions(action_idx % testcase_.actions_size());
+      if (action.ByteSizeLong() > max_action_size_) {
+        return;
+      }
      switch (action.action_case()) {
        case Action::kNewCodeCacheHost: {
          AddCodeCacheHost(action.new_code_cache_host().id(),

--- a/mojo/public/tools/bindings/generators/mojolpm_templates/mojolpm_from_proto_macros.tmpl
+++ b/mojo/public/tools/bindings/generators/mojolpm_templates/mojolpm_from_proto_macros.tmpl
@@ -247,12 +247,12 @@ bool FromProto(
 {%-     set dataview_type = (struct|get_qualified_name_for_kind(flatten_nested_kind=True)) ~ "DataView" %}
 {%-     set data_type = (struct|get_qualified_name_for_kind(flatten_nested_kind=True, internal=True)) %}
  ::mojo::internal::SerializationContext mojolpm_serialization_context;
-  auto mojolpm_buffer = mojolpm::GetContext()->message().payload_buffer();
+  ::mojo::Message mojolpm_message(0, 0, 0, 0, nullptr);
  {{data_type}}::BufferWriter mojolpm_writer;
  bool result = false;
  ::mojo::internal::Serializer<{{dataview_type}}, const {{struct_type}}>::Serialize(
-    input, mojolpm_buffer, &mojolpm_writer, &mojolpm_serialization_context);
+    input, mojolpm_message.payload_buffer(), &mojolpm_writer, &mojolpm_serialization_context);
  result = ::mojo::internal::Serializer<{{dataview_type}}, {{mojom_type}}>::Deserialize(
    mojolpm_writer.data(), &output, &mojolpm_serialization_context);
@@ -325,11 +325,11 @@ bool FromProto(
 {%-     set dataview_type = (union|get_qualified_name_for_kind(flatten_nested_kind=True)) ~ "DataView" %}
 {%-     set data_type = (union|get_qualified_name_for_kind(flatten_nested_kind=True, internal=True)) %}
  ::mojo::internal::SerializationContext mojolpm_serialization_context;
-  auto mojolpm_buffer = mojolpm::GetContext()->message().payload_buffer();
+  ::mojo::Message mojolpm_message(0, 0, 0, 0, nullptr);
  {{data_type}}::BufferWriter mojolpm_writer;
  ::mojo::internal::Serializer<{{dataview_type}}, const {{union_type}}>::Serialize(
-    input, mojolpm_buffer, &mojolpm_writer, false, &mojolpm_serialization_context);
+    input, mojolpm_message.payload_buffer(), &mojolpm_writer, false, &mojolpm_serialization_context);
  return ::mojo::internal::Serializer<{{dataview_type}}, {{mojom_type}}>::Deserialize(
    mojolpm_writer.data(), &output, &mojolpm_serialization_context);
 {%-   else %}

--- a/mojo/public/tools/fuzzers/mojolpm.cc
+++ b/mojo/public/tools/fuzzers/mojolpm.cc
@@ -14,7 +14,7 @@ const uint32_t kPipeElementMaxSize = 0x1000u;
 const uint32_t kPipeCapacityMaxSize = 0x100000u;
 const uint32_t kPipeActionMaxSize = 0x100000u;
-Context::Context() : message_(0, 0, 0, 0, nullptr) {}
+Context::Context() = default;
 Context::~Context() = default;

--- a/mojo/public/tools/fuzzers/mojolpm.h
+++ b/mojo/public/tools/fuzzers/mojolpm.h
@@ -147,8 +147,6 @@ class Context {
  void StartTestcase();
  void EndTestcase();
-  mojo::Message& message() { return message_; }
 private:
  // Lookup the previously stored instance of type T using a fuzzy-match on
  // the provided id, and remove that instance from the object storage.
@@ -256,8 +254,6 @@ class Context {
  std::set<TypeId> interface_type_ids_ GUARDED_BY_CONTEXT(sequence_checker_);
  std::vector<std::pair<TypeId, uint32_t>> rollback_;
-  mojo::Message message_;
  SEQUENCE_CHECKER(sequence_checker_);
 };