1533612 - UBSan: signed integer overflow in [@ mozilla::AudioSink::PushProcessedAudio]

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.mp4

Found in m-c commit 78601cacfe69

This was build with undefined behavior sanitizer checks enabled via mozconfig.
ac_add_options --enable-undefined-sanitizer="signed-integer-overflow"

Once the test is loaded it takes about 30 seconds or so for is to be triggered.

src/objdir-ff-ubsan/dist/include/mozilla/Atomics.h:432:56: runtime error: signed integer overflow: -1251434985 + -1251481401 cannot be represented in type 'int'
    #0 0x7f64a20b9c9f in mozilla::Atomic<int, (mozilla::MemoryOrdering)2, (mozilla::recordreplay::Behavior)1, void>::operator+=(int) src/objdir-ff-ubsan/dist/include/mozilla/Atomics.h:432:56
    #1 0x7f64a6f6939a in mozilla::AudioSink::PushProcessedAudio(mozilla::AudioData*) src/dom/media/mediasink/AudioSink.cpp:441:25
    #2 0x7f64a6f66619 in mozilla::AudioSink::NotifyAudioNeeded() src/dom/media/mediasink/AudioSink.cpp:412:7
    #3 0x7f64a6c03b97 in apply<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData> &&)> src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1128:12
    #4 0x7f64a6c03b97 in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >*, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData>&&), true, (mozilla::RunnableKind)0, RefPtr<mozilla::AudioData>&&>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1174
    #5 0x7f64a1632c83 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() src/objdir-ff-ubsan/dist/include/mozilla/TaskDispatcher.h:197:35
    #6 0x7f64a1628450 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:199:12
    #7 0x7f64a1657fc3 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:241:14
    #8 0x7f64a165833c in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #9 0x7f64a164ffd1 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1166:14
    #10 0x7f64a16549fd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
    #11 0x7f64a2752a5a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #12 0x7f64a2619650 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #13 0x7f64a2619650 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #14 0x7f64a164a902 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:453:11
    #15 0x7f64c78d8592 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7f64c75586da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #17 0x7f64c653688e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Nico Grunbaum [:ng, @chew:mozilla.org]]

Alex, would you mind taking a first pass triage here?

Comment 2

[Alex Chronopoulos [:achronop]]

Attachment: Bug 1533612 - Change to unsigned int to avoid integer overflow. r?jya

mProcessedQueueLength is int32_t (wrapped around an Atomic) but it is updated from the method FramesToUsecs() which returns int64_t (wrapped around a CheckedInt).

Comment 3

[Pulsebot]

Pushed by achronopoulos@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/814b2ae9ef66
Change to unsigned int to avoid integer overflow. r=jya

Comment 4

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/814b2ae9ef66