
googcc fuzz target timeouts #12

Closed
expiringplatform opened this issue Jun 13, 2023 · 3 comments

@expiringplatform

Hello,
I was trying to run the quite new fuzz target googcc and I'm a little confused about the observed behavior:
When started, the fuzz target runs for about 20 min (it seems on a single input) and then exits with a libFuzzer timeout. I wasn't really able to understand what the fuzz target does, so sorry for opening this issue if this is the intended behavior.
It just seems to me that this way it can't really make use of the fuzzer's input mutation, and many code paths might not be executed. Also, most targets I have seen so far can be executed multiple times per second, often several thousand times per second.

This is the output I get. The input file causing the timeout is empty.

[user@machine fuzz]$ cargo fuzz run googcc
Finished release [optimized] target(s) in 0.13s
Finished release [optimized] target(s) in 0.13s
Running target/x86_64-unknown-linux-gnu/release/googcc -artifact_prefix=/home/user/playground/Signal-Calling-Service/backend/fuzz/artifacts/googcc/ /home/user/playground/Signal-Calling-Service/backend/fuzz/corpus/googcc
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1041795743
INFO: Loaded 1 modules (1001594 inline 8-bit counters): 1001594 [0x55f995d26630, 0x55f995e1aeaa),
INFO: Loaded 1 PC tables (1001594 PCs): 1001594 [0x55f995e1aeb0,0x55f996d63650),
INFO: 0 files found in /home/user/playground/Signal-Calling-Service/backend/fuzz/corpus/googcc
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
ALARM: working on the last Unit for 1201 seconds
and the timeout value is 1200 (use -timeout=N to change)
MS: 0 ; base unit: 0000000000000000000000000000000000000000

artifact_prefix='/home/user/playground/Signal-Calling-Service/backend/fuzz/artifacts/googcc/'; Test unit written to /home/user/playground/Signal-Calling-Service/backend/fuzz/artifacts/googcc/timeout-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:
==7152== ERROR: libFuzzer: timeout after 1201 seconds
#0 0x55f992327651 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b03651) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#1 0x55f9923977b9 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b737b9) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#2 0x55f992373a1c (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b4fa1c) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#3 0x7f2bdbc4faaf (/usr/lib/libc.so.6+0x39aaf) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
#4 0x55f992395427 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b71427) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#5 0x55f992c5b6e2 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x24376e2) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#6 0x55f9923fb6a7 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1bd76a7) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#7 0x55f992af2f6a (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x22cef6a) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#8 0x55f992af771e (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x22d371e) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#9 0x55f992366b14 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b42b14) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#10 0x55f992365e68 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b41e68) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#11 0x55f9923672f8 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b432f8) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#12 0x55f99236c447 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b48447) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#13 0x55f99236b805 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b47805) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#14 0x55f992373d09 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b4fd09) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#15 0x55f99237c972 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b58972) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#16 0x55f99237d035 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b59035) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#17 0x55f99239288b (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1b6e88b) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#18 0x55f9922853c2 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1a613c2) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)
#19 0x7f2bdbc3984f (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
#20 0x7f2bdbc39909 (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
#21 0x55f992285584 (/home/user/playground/Signal-Calling-Service/backend/fuzz/target/x86_64-unknown-linux-gnu/release/googcc+0x1a61584) (BuildId: 33cb54bef70c8f1174e3f9a84c8494ba239e4977)

SUMMARY: libFuzzer: timeout

────────────────────────────────────────────────────────────────────────────────

Failing input:

artifacts/googcc/timeout-da39a3ee5e6b4b0d3255bfef95601890afd80709

Output of std::fmt::Debug:

[]

Reproduce with:

cargo fuzz run googcc artifacts/googcc/timeout-da39a3ee5e6b4b0d3255bfef95601890afd80709

Minimize test case with:

cargo fuzz tmin googcc artifacts/googcc/timeout-da39a3ee5e6b4b0d3255bfef95601890afd80709

────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit status: 70

@jrose-signal
Contributor

Hmm, I'm not seeing that behavior on

macOS 13.4
cargo 1.72.0-nightly (64fb38c97 2023-05-23)
cargo-fuzz v0.11.2
libfuzzer-sys v0.4.2

Can you check that your cargo-fuzz is up to date and that you're using a relatively recent Rust compiler?

@jrose-signal
Contributor

Oops, I take it back: I was able to reproduce after deleting Cargo.lock. Now to see what changed…

@jrose-signal
Contributor

Okay, we'll fix this in an updated release, but if you want to run it locally, the diff is:

diff --git a/backend/fuzz/fuzz_targets/googcc.rs b/backend/fuzz/fuzz_targets/googcc.rs
index 350bebdc..9ae741de 100644
--- a/backend/fuzz/fuzz_targets/googcc.rs
+++ b/backend/fuzz/fuzz_targets/googcc.rs
@@ -45,8 +45,9 @@ fuzz_target!(|data: &[u8]| {
     });
 
     // Consume all available entropy.
-    while let Ok(ack) = make_ack(&mut gen, epoch) {
+    while !gen.is_empty() {
         // Process acks one at a time so that they can't be sorted into a "better" order.
+        let ack = make_ack(&mut gen, epoch).unwrap();
         cc.recalculate_target_send_rate(vec![ack]);
     }
 });
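Review bot: the `.unwrap()` in the new `let ack = make_ack(&mut gen, epoch).unwrap();` turns any `Err` that `make_ack` returns while `gen` is still non-empty into a panic, which libFuzzer will report as a crash of the target rather than as the end of the loop; the old `while let Ok(ack) = ...` form simply stopped in that case. If `make_ack` can only fail once the generator is exhausted, a one-line comment stating that invariant would make the `unwrap()` obviously safe; otherwise `let Ok(ack) = make_ack(&mut gen, epoch) else { break };` keeps the termination fix without the panic. The switch to `while !gen.is_empty()` is the right fix for the reported empty-input timeout: the old condition only exited when `make_ack` returned `Err`, and the timeout on an empty input shows that never happens, so the loop never consumed its way to an exit.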

Thank you for reporting this!
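The pattern behind this timeout is worth seeing in isolation: a harness loop whose exit condition is "the next value could not be produced" never exits when the entropy source keeps handing back default values after it runs dry. The following is an added example, not code from the Signal-Calling-Service repository or the diff above. It uses a small stand-in `Gen` cursor that models the behaviour I assume from `arbitrary::Unstructured` (an exhausted cursor yields `Ok(0)` for integers rather than `Err`), a toy `Ack`/`make_ack`, and both loop shapes side by side; `drain_while_ok` is capped at `cap` iterations only so the demonstration itself terminates.

```rust
// Added example, not the project's code. `Gen` stands in for an entropy
// cursor such as arbitrary::Unstructured; the "exhausted cursor returns
// Ok(default)" behaviour is an assumption modelled here, not verified
// against the crate.
struct Gen<'a> {
    data: &'a [u8],
}

impl<'a> Gen<'a> {
    fn new(data: &'a [u8]) -> Self {
        Gen { data }
    }

    fn is_empty(&self) -> bool {
        self.data.is_empty()
    }

    /// Take up to 4 bytes as a little-endian u32. Once the cursor is
    /// exhausted this keeps returning Ok(0) instead of an error, which is
    /// exactly what makes a `while let Ok(..)` loop run forever.
    fn u32(&mut self) -> Result<u32, ()> {
        let n = self.data.len().min(4);
        let mut buf = [0u8; 4];
        buf[..n].copy_from_slice(&self.data[..n]);
        self.data = &self.data[n..];
        Ok(u32::from_le_bytes(buf))
    }
}

/// Toy acknowledgement record; the real target's ack type is not modelled.
#[derive(Debug, PartialEq)]
struct Ack {
    seq: u32,
    delay_ms: u32,
}

/// Hypothetical stand-in for the target's make_ack: build one ack from
/// whatever entropy is left.
fn make_ack(gen: &mut Gen<'_>) -> Result<Ack, ()> {
    Ok(Ack {
        seq: gen.u32()?,
        delay_ms: gen.u32()? % 1000,
    })
}

/// Old loop shape: keep going while make_ack succeeds. Because an
/// exhausted cursor never fails, this only stops when `cap` is reached.
/// Returns the number of acks produced so a caller can tell whether the
/// loop terminated on its own (count < cap) or had to be cut off.
fn drain_while_ok(data: &[u8], cap: usize) -> usize {
    let mut gen = Gen::new(data);
    let mut count = 0;
    while let Ok(_ack) = make_ack(&mut gen) {
        count += 1;
        if count == cap {
            break; // safety valve for the demonstration only
        }
    }
    count
}

/// Fixed loop shape: keep going while input bytes remain, so each
/// iteration provably consumes entropy and the loop is bounded by the
/// input length. A failure from make_ack ends the loop instead of panicking.
fn drain_while_nonempty(data: &[u8]) -> Vec<Ack> {
    let mut gen = Gen::new(data);
    let mut acks = Vec::new();
    while !gen.is_empty() {
        let Ok(ack) = make_ack(&mut gen) else { break };
        acks.push(ack);
    }
    acks
}

fn main() {
    // Constructed sample input: one full ack (seq=1, delay=16) plus a
    // trailing byte that yields a second, partially zero-filled ack.
    let input = [1, 0, 0, 0, 0x10, 0, 0, 0, 7];
    println!("old loop on empty input hit the cap: {}", drain_while_ok(&[], 10));
    println!("fixed loop on empty input: {:?}", drain_while_nonempty(&[]));
    println!("fixed loop on sample input: {:?}", drain_while_nonempty(&input));
}
```

The check that matters when writing or reviewing a fuzz target is the same one the diff makes: the loop condition must be tied to something that strictly decreases each iteration (remaining bytes), not to whether the generator is still willing to answer.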
