Closed Bug 1530721 Opened 6 years ago Closed 6 years ago

AddressSanitizer: negative-size-param /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:31:3 in __asan_memmove

Product/Component: Core :: Audio/Video: Playback
Type: defect
Version: 65 Branch
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 1530322
Tracking Status: firefox67 --- affected
Reporter: bc
Assignee: Unassigned
Keywords: crash, sec-high
Attachments: 2 files

mozversion INFO | application_buildid: 20190226035343
mozversion INFO | application_changeset: 7c89a561baee4bf8a5b726a30032d40a5986180f
mozversion INFO | application_display_name: Nightly

Bughunter hit two cases of:

  • AddressSanitizer: negative-size-param: (size=-6144)
    This one also included the message: Address 0x62900044ca00 is a wild pointer.

  • AddressSanitizer: negative-size-param: (size=-1024)

on an NSFW URL on Ubuntu 18.10 ASan opt builds. Attaching the ASan output. Contact me for the URL. Full logs are available if needed.

This URL also hit in a debug build:

Assertion failure: aStart <= aEnd, at /builds/worker/workspace/build/src/dom/media/Intervals.h:48
#01: mozilla::MediaDecoderStateMachine::AccurateSeekingState::DropAudioUpToSeekTarget(mozilla::AudioData*) [dom/media/MediaDecoderStateMachine.cpp:1329]
#02: mozilla::MediaDecoderStateMachine::AccurateSeekingState::HandleAudioDecoded(mozilla::AudioData*) [dom/media/MediaDecoderStateMachine.cpp:1061]
#03: mozilla::MediaDecoderStateMachine::RequestAudioData()::$_14::operator()(RefPtr<mozilla::AudioData>) const [dom/media/MediaDecoderStateMachine.cpp:3093]
#04: mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true>::ThenValue<mozilla::MediaDecoderStateMachine::RequestAudioData()::$_14, mozilla::MediaDecoderStateMachine::RequestAudioData()::$_15>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true>::ResolveOrRejectValue&) [mfbt/RefPtr.h:75]
#05: mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() [mfbt/RefPtr.h:61]

and crashed an opt build with

Operating system: Linux
                  0.0.0 Linux 4.18.0-15-generic #16-Ubuntu SMP Thu Feb 7 10:56:39 UTC 2019 x86_64
CPU: amd64
     family 6 model 45 stepping 2
     2 CPUs

GPU: UNKNOWN

Crash reason:  SIGSEGV /SEGV_MAPERR
Crash address: 0x7f1e00900000
Process uptime: not available

Thread 23 (crashed)
 0  libc-2.28.so + 0xb7241
    rax = 0x00007f1e007cb000   rdx = 0xffffffffffecf030
    rcx = 0x00007f1e007c91f0   rbx = 0x00007f1dfe44d820
    rsi = 0x00007f1e008fffd0   rdi = 0x00007f1e008fa1d0
    rbp = 0x00007f1e060fe1f0   rsp = 0x00007f1e060fe1c8
     r8 = 0xfffffffffffffff0    r9 = 0x0000000000000001
    r10 = 0x00007f1e007c9200   r11 = 0x00007f1e007cb000
    r12 = 0x0000000000001780   r13 = 0x0000000000000000
    r14 = 0x00007f1dfe44d898   r15 = 0x00007f1e060fe2c0
    rip = 0x00007f1e19f87241
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::AudioSink::NotifyAudioNeeded() [AudioSink.cpp:7c89a561baee4bf8a5b726a30032d40a5986180f : 419 + 0xf]
    rbp = 0x00007f1e060fe4e0   rsp = 0x00007f1e060fe200
    rip = 0x00007f1e10aa4c37
    Found by: previous frame's frame pointer
 2  libxul.so!mozilla::AudioSink::Init(mozilla::MediaSink::PlaybackParams const&, RefPtr<mozilla::MozPromise<bool, nsresult, false> >&) [AudioSink.cpp:7c89a561baee4bf8a5b726a30032d40a5986180f : 84 + 0x8]
    rbx = 0x00007f1dfe215c00   rbp = 0x00007f1e060fe530
    rsp = 0x00007f1e060fe4f0   r12 = 0x00007f1df5bda8b0
    r13 = 0x00007f1dfe08e640   r14 = 0x00007f1df5bda8e8
    r15 = 0x00007f1df5bda8d8   rip = 0x00007f1e10aa3ff3
    Found by: call frame info
 3  libxul.so!mozilla::AudioSinkWrapper::Start(mozilla::media::TimeUnit const&, mozilla::MediaInfo const&) [AudioSinkWrapper.cpp:7c89a561baee4bf8a5b726a30032d40a5986180f : 170 + 0x8]
    rbx = 0x00007f1df5d13000   rbp = 0x00007f1e060fe580
    rsp = 0x00007f1e060fe540   r12 = 0x00007f1df5bda8b0
    r13 = 0x00007f1dfe08e640   r14 = 0x00007f1df5d130e0
    r15 = 0x00007f1df5d13358   rip = 0x00007f1e10aa6636
    Found by: call frame info
 4  libxul.so!mozilla::VideoSink::Start(mozilla::media::TimeUnit const&, mozilla::MediaInfo const&) [VideoSink.cpp:7c89a561baee4bf8a5b726a30032d40a5986180f : 190 + 0xc]
    rbx = 0x00007f1df5d13358   rbp = 0x00007f1e060fe5d0
    rsp = 0x00007f1e060fe590   r12 = 0x00007f1df5d13000
    r13 = 0x00007f1dfe08e640   r14 = 0x00007f1e060fe5f0
    r15 = 0x00007f1dfe1b7a00   rip = 0x00007f1e10aabec3
    Found by: call frame info
 5  libxul.so!mozilla::MediaDecoderStateMachine::StartMediaSink() [MediaDecoderStateMachine.cpp:7c89a561baee4bf8a5b726a30032d40a5986180f : 3204 + 0xa]
    rbx = 0x00007f1df5d13000   rbp = 0x00007f1e060fe630
    rsp = 0x00007f1e060fe5e0   r12 = 0x00007f1df5d13000
    r13 = 0x00007f1e0479a000   r14 = 0x0000000000000000
    r15 = 0x00007f1dfe1b7a00   rip = 0x00007f1e10968931
    Found by: call frame info
 6  libxul.so!mozilla::MediaDecoderStateMachine::MaybeStartPlayback() [MediaDecoderStateMachine.cpp:7c89a561baee4bf8a5b726a30032d40a5986180f : 2851 + 0x8]
    rbx = 0x00007f1df5d13000   rbp = 0x00007f1e060fe670
    rsp = 0x00007f1e060fe640   r12 = 0x00007f1dfe4a9c20
    r13 = 0x00007f1e0479a000   r14 = 0x00007f1e0479a000
    r15 = 0x00007f1dfe1b7a00   rip = 0x00007f1e10963039
    Found by: call frame info
 7  libxul.so!mozilla::MediaDecoderStateMachine::DecodingState::Step() [MediaDecoderStateMachine.cpp:7c89a561baee4bf8a5b726a30032d40a5986180f : 2337 + 0x5]
    rbx = 0x00007f1df53ff1f0   rbp = 0x00007f1e060fe690
    rsp = 0x00007f1e060fe680   r12 = 0x00007f1dfe4a9c20
    r13 = 0x00007f1e0479a000   r14 = 0x00007f1e0479a000
    r15 = 0x00007f1dfe1b7a00   rip = 0x00007f1e10962eb3
    Found by: call frame info
Group: core-security → media-core-security

jya, somebody was saying this is similar to a crash you are investigating, so you might be interested.

Flags: needinfo?(jyavenard)
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jyavenard)
Resolution: --- → DUPLICATE

What was the original URL?

Want to verify that it is indeed fixed.

Thank you

Group: media-core-security