UBSan: signed integer overflow in [@ mozilla::AudioSink::PushProcessedAudio]

RESOLVED FIXED in Firefox 67

Status

()

defect
P2
normal
RESOLVED FIXED
5 months ago
4 months ago

People

(Reporter: tsmith, Assigned: achronop)

Tracking

(Blocks 2 bugs, {csectype-undefined, testcase})

unspecified
mozilla67
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox67 fixed)

Details

Attachments

(2 attachments)

Posted video testcase.mp4

Found in m-c commit 78601cacfe69

This was build with undefined behavior sanitizer checks enabled via mozconfig.
ac_add_options --enable-undefined-sanitizer="signed-integer-overflow"

Once the test is loaded it takes about 30 seconds or so for is to be triggered.

src/objdir-ff-ubsan/dist/include/mozilla/Atomics.h:432:56: runtime error: signed integer overflow: -1251434985 + -1251481401 cannot be represented in type 'int'
    #0 0x7f64a20b9c9f in mozilla::Atomic<int, (mozilla::MemoryOrdering)2, (mozilla::recordreplay::Behavior)1, void>::operator+=(int) src/objdir-ff-ubsan/dist/include/mozilla/Atomics.h:432:56
    #1 0x7f64a6f6939a in mozilla::AudioSink::PushProcessedAudio(mozilla::AudioData*) src/dom/media/mediasink/AudioSink.cpp:441:25
    #2 0x7f64a6f66619 in mozilla::AudioSink::NotifyAudioNeeded() src/dom/media/mediasink/AudioSink.cpp:412:7
    #3 0x7f64a6c03b97 in apply<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData> &&)> src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1128:12
    #4 0x7f64a6c03b97 in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >*, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData>&&), true, (mozilla::RunnableKind)0, RefPtr<mozilla::AudioData>&&>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1174
    #5 0x7f64a1632c83 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() src/objdir-ff-ubsan/dist/include/mozilla/TaskDispatcher.h:197:35
    #6 0x7f64a1628450 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:199:12
    #7 0x7f64a1657fc3 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:241:14
    #8 0x7f64a165833c in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #9 0x7f64a164ffd1 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1166:14
    #10 0x7f64a16549fd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
    #11 0x7f64a2752a5a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #12 0x7f64a2619650 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #13 0x7f64a2619650 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #14 0x7f64a164a902 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:453:11
    #15 0x7f64c78d8592 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7f64c75586da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #17 0x7f64c653688e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Alex, would you mind taking a first pass triage here?

Flags: needinfo?(achronop)

mProcessedQueueLength is int32_t (wrapped around an Atomic) but it is updated from the method FramesToUsecs() which returns int64_t (wrapped around a CheckedInt).

Flags: needinfo?(achronop)
Attachment #9049929 - Attachment description: Bug 1533612 - Change to 64 bit int to avoid integer overflow. r?jya → Bug 1533612 - Change to unsigned int to avoid integer overflow. r?jya
Assignee: nobody → achronop
Priority: -- → P2
Pushed by achronopoulos@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/814b2ae9ef66
Change to unsigned int to avoid integer overflow. r=jya
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.