OSS-Fuzz issue 62149

[oss-fuzz-robot]

OSS-Fuzz has found a bug in this project. Please see https://oss-fuzz.com/testcase?key=5722322787106816 for details and reproducers.

This issue is mirrored from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62149 and will auto-close if the status changes there.

If you have trouble accessing this report, please file an issue at https://github.com/google/oss-fuzz/issues/new.

[a-nogikh]

The reproducer forces us to do an at least O(N^2) processing on a big input data.

The input file consists of a single program with tons of comments. On such an input, ParseLog https://github.com/google/syzkaller/blob/59da83662ae7076f1369c8a5b9dd1245223039df/prog/parse.go#L19

feeds all its end-of-line prefixes (around 40k) into Deserialize(). It's a lot of work by itself and also creates tons of small string objects, which puts a burden on the garbage collector.

@dvyukov, was there a particular reason why we are considering all prefixes in ParseLog() rather than splitting by executing program and only feeding the resulting chunks into Deserialize()?

[dvyukov]

There can be intermixed kernel output and/or corrupted lines. So I tried to exact what's extractable in best-effort manner.

[a-nogikh]

Ah, I see. I didn't notice that the code doesn't just look at prefixes, but picks a subset of lines. Then it all makes sense.

Maybe we can speed it up by returning the line/position of the first parse error from Deserialize(). This will help reduce the number of times we do parsing.