Closed Bug 1748332 Opened 2 years ago Closed 11 months ago

Assertion failure: aSample->HasValidTime(), at /dom/media/mediasource/TrackBuffersManager.cpp:1816

Categories: Core :: Audio/Video, defect, P3
Platform: x86_64 Linux
Tracking: RESOLVED DUPLICATE of bug 1835075
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file (1.81 MB, application/octet-stream)

Testcase found while fuzzing mozilla-central rev 1cb2015e6fbc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 1cb2015e6fbc --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Assertion failure: aSample->HasValidTime(), at /dom/media/mediasource/TrackBuffersManager.cpp:1816

    ==1171862==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2ce5b6ea1a bp 0x7f2cf49bd2c0 sp 0x7f2cf49bd290 T1171912)
    ==1171862==The signal is caused by a WRITE memory access.
    ==1171862==Hint: address points to the zero page.
        #0 0x7f2ce5b6ea1a in mozilla::TrackBuffersManager::ProcessFrames(nsTArray<RefPtr<mozilla::MediaRawData> >&, mozilla::TrackBuffersManager::TrackData&)::$_30::operator()(mozilla::MediaRawData*, mozilla::media::Interval<mozilla::media::TimeUnit> const&) const /dom/media/mediasource/TrackBuffersManager.cpp:1816:5
        #1 0x7f2ce5b6d329 in mozilla::TrackBuffersManager::ProcessFrames(nsTArray<RefPtr<mozilla::MediaRawData> >&, mozilla::TrackBuffersManager::TrackData&) /dom/media/mediasource/TrackBuffersManager.cpp:2036:5
        #2 0x7f2ce5b6a1f5 in mozilla::TrackBuffersManager::CompleteCodedFrameProcessing() /dom/media/mediasource/TrackBuffersManager.cpp:1659:5
        #3 0x7f2ce5b6ada2 in mozilla::TrackBuffersManager::DoDemuxAudio() /dom/media/mediasource/TrackBuffersManager.cpp:1611:5
        #4 0x7f2ce5b6b10c in mozilla::TrackBuffersManager::OnVideoDemuxCompleted(RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>) /dom/media/mediasource/TrackBuffersManager.cpp:1605:3
        #5 0x7f2ce5b8ac76 in InvokeMethod<mozilla::TrackBuffersManager, void (mozilla::TrackBuffersManager::*)(RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>), RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:630:12
        #6 0x7f2ce5b8ac76 in InvokeCallbackMethod<false, mozilla::TrackBuffersManager, void (mozilla::TrackBuffersManager::*)(RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>), RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, RefPtr<mozilla::MozPromise<RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, mozilla::MediaResult, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:661:5
        #7 0x7f2ce5b8ac76 in mozilla::MozPromise<RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, mozilla::MediaResult, true>::ThenValue<mozilla::TrackBuffersManager*, void (mozilla::TrackBuffersManager::*)(RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>), void (mozilla::TrackBuffersManager::*)(mozilla::MediaResult const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, mozilla::MediaResult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:715:9
        #8 0x7f2ce5706762 in mozilla::MozPromise<RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21
        #9 0x7f2ce1c1f476 in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:204:20
        #10 0x7f2ce1c3aa9b in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:305:14
        #11 0x7f2ce1c31119 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1177:16
        #12 0x7f2ce1c382ba in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #13 0x7f2ce26dbd9b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #14 0x7f2ce25fa0b7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:331:10
        #15 0x7f2ce25f9fc2 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #16 0x7f2ce25f9fc2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #17 0x7f2ce1c2cd4b in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #18 0x7f2cf7f26997 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #19 0x7f2cf8c9a608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #20 0x7f2cf8862292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/mediasource/TrackBuffersManager.cpp:1816:5 in mozilla::TrackBuffersManager::ProcessFrames(nsTArray<RefPtr<mozilla::MediaRawData> >&, mozilla::TrackBuffersManager::TrackData&)::$_30::operator()(mozilla::MediaRawData*, mozilla::media::Interval<mozilla::media::TimeUnit> const&) const
    ==1171862==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220104034109-8bc2581b2c7b.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 1d89f3cb5bb3e5a37b0249977838c4a98c162c80 (20210105043131)
End: 1cb2015e6fbc11f3a03137692fe60b111b94693a (20220103092929)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Hey Alastor, this seems to be a hint for Bug 1605699? Could you take a look?

Severity: -- → S4
Flags: needinfo?(alwu)

Will check it later, keep NI.

Priority: -- → P3
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed,media-assertion]
Flags: needinfo?(alwu)
Whiteboard: [bugmon:bisected,confirmed,media-assertion] → [bugmon:bisected,confirmed,assertion]
Keywords: assertion
Whiteboard: [bugmon:bisected,confirmed,assertion] → [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20220528091325-c7f47d9896aa) but not with tip (mozilla-central 20230526215433-fc6056442a0f).

The bug appears to have been fixed in the following build range:

Start: 895d9ffe6269bcd7fcd19a447d765d35055fb554 (20230525151924)
End: 4971297a8917c4ce5f9136ebb0c82cde74eb50c4 (20230525170024)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=895d9ffe6269bcd7fcd19a447d765d35055fb554&tochange=4971297a8917c4ce5f9136ebb0c82cde74eb50c4

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

:padenot, this looks like it was fixed via bug 1835075. Can you confirm?

Flags: needinfo?(jkratzer)

Extremely likely; I rewrote a lot of this, and the code is more robust against wild inputs now.

Status: NEW → RESOLVED
Closed: 11 months ago
Duplicate of bug: 1835075
Resolution: --- → DUPLICATE