1267711 - Speex: crash [@resampler_basic_interpolate_single]

Status: RESOLVED DUPLICATE of bug 1266260

(Core :: Audio/Video: Playback, defect, P1)

Description

[Christoph Diehl [:posidron]]

The following testcase crashes on en-us.linux-x86_64-asan.tar.bz2 revision a31ebd5b270a75035fce70f3baf11daa9a10167f

See attachment.

Backtrace:

==8707==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fca571e0e3c sp 0x7fca1785ad40 bp 0x7fca1785aeb0 T395)
    #0 0x7fca571e0e3b in resampler_basic_interpolate_single /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libspeex_resampler/src/resample.c:493
    #1 0x7fca571dc129 in speex_resampler_process_native /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libspeex_resampler/src/resample.c:898
    #2 0x7fca571dc129 in moz_speex_resampler_process_float /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libspeex_resampler/src/resample.c:961
    #3 0x7fca571de23c in moz_speex_resampler_process_interleaved_float /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libspeex_resampler/src/resample.c:1064
    #4 0x7fca5391b144 in mozilla::AudioConverter::ResampleAudio(void*, void const*, unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/AudioConverter.cpp:258
    #5 0x7fca5391b698 in mozilla::AudioConverter::DrainResampler(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/AudioConverter.cpp:312
    #6 0x7fca53c745e4 in mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> mozilla::AudioConverter::Process<(mozilla::AudioConfig::SampleFormat)6, float>(mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/AudioConverter.h:173
    #7 0x7fca53c5fe60 in mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> mozilla::AudioConverter::Process<(mozilla::AudioConfig::SampleFormat)6, float>(mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float>&&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/AudioConverter.h:143
    #8 0x7fca53c5e8c1 in mozilla::media::DecodedAudioDataSink::DrainConverter(unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/DecodedAudioDataSink.cpp:523
    #9 0x7fca53c5bbd4 in mozilla::media::DecodedAudioDataSink::NotifyAudioNeeded() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/DecodedAudioDataSink.cpp:467
    #10 0x7fca53c598e5 in mozilla::media::DecodedAudioDataSink::Init(mozilla::media::MediaSink::PlaybackParams const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/DecodedAudioDataSink.cpp:95
    #11 0x7fca53c576df in mozilla::media::AudioSinkWrapper::Start(long, mozilla::MediaInfo const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/AudioSinkWrapper.cpp:191
    #12 0x7fca53c6ac27 in mozilla::media::VideoSink::Start(long, mozilla::MediaInfo const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/VideoSink.cpp:162
    #13 0x7fca539ece4a in mozilla::MediaDecoderStateMachine::StartMediaSink() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:1707
    #14 0x7fca539eca5a in mozilla::MediaDecoderStateMachine::MaybeStartPlayback() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:973
    #15 0x7fca539fbf7f in mozilla::MediaDecoderStateMachine::RunStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:2137
    #16 0x7fca53a08f30 in applyImpl<mozilla::MediaDecoderStateMachine, nsresult (mozilla::MediaDecoderStateMachine::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:675
    #17 0x7fca53a08f30 in apply<mozilla::MediaDecoderStateMachine, nsresult (mozilla::MediaDecoderStateMachine::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:681
    #18 0x7fca53a08f30 in nsRunnableMethodImpl<nsresult (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:709
    #19 0x7fca4e91047a in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:192
    #20 0x7fca4e8ef990 in mozilla::TaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:171
    #21 0x7fca4e904e93 in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
    #22 0x7fca4e9054cc in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
    #23 0x7fca4e8fe450 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:989
    #24 0x7fca4e9781fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #25 0x7fca4f6757f1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:340
    #26 0x7fca4f5ec64c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
    #27 0x7fca4f5ec64c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
    #28 0x7fca4f5ec64c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
    #29 0x7fca4e8f9e9e in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:391
    #30 0x7fca64d333ef in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
    #31 0x7fca68255181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libspeex_resampler/src/resample.c:493 resampler_basic_interpolate_single
Thread T395 (MediaPl~back #2) created by T0 here:
    #0 0x45ea55 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7fca64d2fb40 in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457
    #2 0x7fca64d2f6aa in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548
    #3 0x7fca4e8fb62d in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:521
    #4 0x7fca4e901f2e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:253
    #5 0x7fca4e90393e in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:106
    #6 0x7fca4e9059d6 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:277
    #7 0x7fca4e8ee320 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::TaskQueue::DispatchMode, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:67
    #8 0x7fca4e907741 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskQueue.h:49
    #9 0x7fca4e90fddc in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:244
    #10 0x7fca4e910ce1 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:90
    #11 0x7fca4e914ba1 in reset /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/Maybe.h:373
    #12 0x7fca4e914ba1 in mozilla::XPCOMThreadWrapper::FireTailDispatcher() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/AbstractThread.cpp:81
    #13 0x7fca4e914d40 in applyImpl<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:675
    #14 0x7fca4e914d40 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:681
    #15 0x7fca4e914d40 in nsRunnableMethodImpl<void (mozilla::XPCOMThreadWrapper::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:709
    #16 0x7fca4e7c80c9 in mozilla::CycleCollectedJSRuntime::ProcessStableStateQueue() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1327
    #17 0x7fca501bda81 in XPCJSRuntime::AfterProcessTask(unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:3727
    #18 0x7fca4e8fe90f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:1004
    #19 0x7fca4e9781fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #20 0x7fca4f67457e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:98
    #21 0x7fca4f5ec64c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
    #22 0x7fca4f5ec64c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
    #23 0x7fca4f5ec64c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
    #24 0x7fca54c393d7 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #25 0x7fca56af90a8 in nsAppStartup::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:284
    #26 0x7fca56bfd73c in XREMain::XRE_mainRun() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4347
    #27 0x7fca56bfea58 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4451
    #28 0x7fca56bff93e in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4559
    #29 0x48a793 in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #30 0x48a793 in main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #31 0x7fca6727dec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

Comment 1

[Christoph Diehl [:posidron]]

Attachment: Testcase

Comment 2

[Jean-Yves Avenard [:jya]]

The is the speex called from the AudioConverter, it's not called from cubeb.

The code went into central (and fixes) just a few hours ago, in particular potential failed memory allocation.

So because of the backtrack, I'll take it for now.

Ultimately, it would be good to have a single interface to speex resampler. Hopefully the AudioConverter class is flexible and generic enough that it could be used elsewhere in the code (including webrtc)

Comment 3

[Jean-Yves Avenard [:jya]]

Finally got a asan build locally.

Can't recreate the problem with the file provided

I created this page:
http://people.mozilla.org/~jyavenard/tests/fuzzing/1267711.html

username: mozilla
password: Auckland

plays just fine. This is a 8bits wav, mono, 11025Hz.

File will be decoded, converted to floats, upmixed to stereo then upsampled to 44.1kHz (or whatever your system default sampling rate is, on mac it's 44.1kHz and also on linux with pulse with default config)

This makes me think that it would be more efficient to resample first and then upmix to stereo, but not be worth the hassle considering mono files are not that common and it's better to downmix first as there's less job for the resampler.

How exactly do you reproduce the problem? is it just in the file data_1_output_Output.txt included in the zip file?

Comment 4

[Christoph Diehl [:posidron]]

(In reply to Jean-Yves Avenard [:jya] from comment #3)
> Finally got a asan build locally.

You can get configuration here 
https://github.com/posidron/mozilla-build-configs
or use this script to get an ASan build from TaskCluster:
https://gist.github.com/posidron/48d7de90a91609d0aabb
 
> How exactly do you reproduce the problem? is it just in the file
> data_1_output_Output.txt included in the zip file?

Yes, it only needs to get renamed. The crash is still appearing on our fuzzing cluster.

Comment 5

[Jean-Yves Avenard [:jya]]

If you run the page I listed above, and press play in your asan build, does it crash?

You don't give me much details to go by. We can't play wav files directly, it must be embedded in a HTML5 audio element, so surely there's more to it than what you describe.

Is it the file as-is, or once it's fuzzed? if so can you provide the fuzzed file instead ? (the file in the zip is identical to the one I found on github, and plays just fine)

Comment 6

[Christoph Diehl [:posidron]]

Woot, it is identical? Okay let me check that today, we are on a work week and am a bit busy but will try to come back today here. I reported the bug/testcase right out of our web interface which was marked as a crasher. Usually the file provided in the zip is the testcase and does not need any template.

Comment 7

[Jean-Yves Avenard [:jya]]

yes, every single of the asan bugs that I've been assigned to me and that you reported have files identical to the one there:
https://raw.githubusercontent.com/MozillaSecurity/fuzzdata/master/samples (link that was given to me in another bug report).

So here the data_1_output_Output_fileName.txt contains:
./fuzzdata/samples/wav/diodes.wav

so I get:
https://raw.githubusercontent.com/MozillaSecurity/fuzzdata/master/samples/wav/diodes.wav
MD5(diodes.wav)= f0e041673c39bcb5d7f641693620b239

MD5(/Volumes/DATA/Users/jyavenard/Downloads/500eac1f2c1f9f7106bb5d9de8407d23c6fde272(1)/data_1_output_Output.txt)= f0e041673c39bcb5d7f641693620b239

they aren't fuzzed files

That includes bug 1267637, bug 1266129 and bug 1264991.

Each time the crash report indicates that resampling or downmixing would be required, yet the files included are perfect with valid metadata. So the crash reported can *NOT* happen under any circumstances because we can't hit that code path.

Comment 8

[Jean-Yves Avenard [:jya]]

FWIW, looking, and relooking and rerelooking at the code, I can see where we could theoretically allocate a buffer that is one frame short of what the speex resampler could write.

But that the theory, and looking at the speex code it will always write the right amount of frames. Now a rounding issue could maybe occur, I don't know.

Comment 9

[Christoph Diehl [:posidron]]

Attachment: 98aad97fccfbe1ace1660cca2beca6b0a02cfb71.zip

This is another testcase but it uses the same sample.

Comment 10

[Christoph Diehl [:posidron]]

(In reply to Jean-Yves Avenard [:jya] from comment #7)
> So here the data_1_output_Output_fileName.txt contains:
> ./fuzzdata/samples/wav/diodes.wav
> 

That's the name of the sample being used. The testcase "data_1_output_Output.txt" which you need to rename to the extension being used in the data_1_output_Output_fileName.txt

Comment 11

[Christoph Diehl [:posidron]]

Ah nevermind. Gotcha. Yes, that is weird that the sample is the same file like the testcase.

Comment 12

[Tyson Smith [:tsmith]]

Attachment: test_case.wav

Comment 13

[Tyson Smith [:tsmith]]

Attachment: test_case.html

Comment 14

[Jean-Yves Avenard [:jya]]

Same issue as bug 1266260, just crashes at another spot.