Closed Bug 1636540 Opened 4 years ago Closed 4 years ago

Assertion failure: aDuration == WEBAUDIO_BLOCK_SIZE, at /builds/worker/checkouts/gecko/dom/media/webaudio/AudioBlock.h:76

Categories

(Core :: Web Audio, defect, P2)

Product:
Core
Component:
Web Audio
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
85 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox78 --- wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 --- fixed

People

(Reporter: jkratzer, Assigned: karlt)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

testcase.html
418 bytes, text/html
Details
Bug 1636540 use full block size to set null buffer r?padenot
47 bytes, text/x-phabricator-request
Details | Review
Bug 1636540 AudioBufferSourceNode with empty buffer crashtest r?padenot
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 19e273db8019 (built with --enable-debug).

Assertion failure: aDuration == WEBAUDIO_BLOCK_SIZE, at /builds/worker/checkouts/gecko/dom/media/webaudio/AudioBlock.h:76

rax = 0x00007fe72a187538   rdx = 0x0000000000000000
rcx = 0x0000559e1631ca48   rbx = 0x0000000000000008
rsi = 0x00007fe73b1b18b0   rdi = 0x00007fe73b1b0680
rbp = 0x00007fe718108d60   rsp = 0x00007fe718108d50
r8 = 0x00007fe73b1b18b0    r9 = 0x00007fe71810a700
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x0000559e17120e50   r13 = 0x0000000000000008
r14 = 0x00007fe718108dc8   r15 = 0x00007fe718108dc4
rip = 0x00007fe724796e2a
OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|35
35|0|libxul.so|mozilla::AudioBlock::SetNull(long)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/AudioBlock.h:19e273db80195cc5de59647fcaf16bafad9bbcce|76|0x29
35|1|libxul.so|mozilla::dom::AudioBufferSourceNodeEngine::FillWithZeroes(mozilla::AudioBlock*, unsigned int, unsigned int*, long*, long)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/AudioBufferSourceNode.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|350|0xe
35|2|libxul.so|mozilla::dom::AudioBufferSourceNodeEngine::ProcessBlock(mozilla::AudioNodeTrack*, long, mozilla::AudioBlock const&, mozilla::AudioBlock*, bool*)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/AudioBufferSourceNode.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0x5
35|3|libxul.so|mozilla::AudioNodeTrack::ProcessInput(long, long, unsigned int)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/AudioNodeTrack.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|522|0xd
35|4|libxul.so|mozilla::MediaTrackGraphImpl::ProduceDataForTracksBlockByBlock(unsigned int, int)|hg:hg.mozilla.org/mozilla-central:dom/media/MediaTrackGraph.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1120|0x26
35|5|libxul.so|mozilla::MediaTrackGraphImpl::Process(mozilla::AudioMixer*)|hg:hg.mozilla.org/mozilla-central:dom/media/MediaTrackGraph.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1284|0xb
35|6|libxul.so|mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*)|hg:hg.mozilla.org/mozilla-central:dom/media/MediaTrackGraph.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1407|0xf
35|7|libxul.so|mozilla::GraphRunner::Run()|hg:hg.mozilla.org/mozilla-central:dom/media/GraphRunner.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|114|0x20
35|8|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1200|0x11
35|9|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|481|0xc
35|10|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|332|0x13
35|11|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|315|0x17
35|12|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|290|0x8
35|13|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|444|0x8
35|14|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:19e273db80195cc5de59647fcaf16bafad9bbcce|201|0x7
35|15|libpthread.so.0||||0x76db
35|16|libc.so.6||||0x12188f
Flags: in-testsuite?

It's probably best to just modify this assert to allow this case of having zero channels, and continue skipping the allocation.

Priority: -- → P2
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

(In reply to Jason Kratzer [:jkratzer] from comment #2)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200519094847-96c90df47bda.
The bug appears to have been introduced in the following build range:

Start: ca560ff55451aafb3dae3f679d09206b120b38eb (20190521041940)
End: 15a1de74bc510d9e03edbe4af04a90b6d4d4d8f8 (20190521013400)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=ca560ff55451aafb3dae3f679d09206b120b38eb&tochange=15a1de74bc510d9e03edbe4af04a90b6d4d4d8f8

Bugmon is confused here. The testcase bisects back further than a year which is the maximum range we can bisect using taskcluster binaries.

This issue is hit fairly frequently by the fuzzers and it would be great to get it out of the way.

Assignee: nobody → karlt
Status: NEW → ASSIGNED

The decision not to allocate has been made for the whole block and null
buffers are not filled, so the incremental frame count is irrelevant.

Pushed by ktomlinson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2a2fa7de34bc
use full block size to set null buffer r=padenot
https://hg.mozilla.org/integration/autoland/rev/0e1b98025c39
AudioBufferSourceNode with empty buffer crashtest r=padenot

https://hg.mozilla.org/mozilla-central/rev/2a2fa7de34bc
https://hg.mozilla.org/mozilla-central/rev/0e1b98025c39

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox85: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
status-firefox78: affectedwontfix
status-firefox83: --- → wontfix
status-firefox84: --- → wontfix
status-firefox-esr78: --- → wontfix
Flags: in-testsuite? → in-testsuite+

:karlt, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(karlt)

(Answering on Karl's behalf because he is currently on PTO).

The regression range in this bug is wrong, says comment 3.

Flags: needinfo?(karlt)

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201117094406-31d67eef91da.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: