Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
People
(Reporter: tsmith, Assigned: padenot)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(3 files, 1 obsolete file)
Found while fuzzing m-c 20230524-6b82236cab6f (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.aac
Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562
#0 0x7f987a5e0eaa in mozilla::media::TimeUnit::operator>=(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp
#1 0x7f987a5e205f in mozilla::media::TimeUnit::operator<(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:253:18
#2 0x7f987a01b9c1 in max<mozilla::media::TimeUnit> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/stl_algobase.h:224:15
#3 0x7f987a01b9c1 in mozilla::ADTSTrackDemuxer::GetNextFrame(mozilla::adts::Frame const&) /builds/worker/checkouts/gecko/dom/media/ADTSDemuxer.cpp:656:18
#4 0x7f987a0174ec in mozilla::ADTSTrackDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/ADTSDemuxer.cpp:304:30
#5 0x7f987a016f6e in mozilla::ADTSDemuxer::InitInternal() /builds/worker/checkouts/gecko/dom/media/ADTSDemuxer.cpp:250:25
#6 0x7f987a01891f in mozilla::ADTSDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/ADTSDemuxer.cpp:254:8
#7 0x7f987a3e79b6 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:784:47
#8 0x7f987a3e79b6 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1696:29
#9 0x7f9871fa32cb in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
#10 0x7f9871fda52b in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#11 0x7f9871fc8b33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:16
#12 0x7f9871fd6124 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#13 0x7f9873be9c41 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#14 0x7f9873a11b1a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:368:10
#15 0x7f9873a11b1a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#16 0x7f9873a11b1a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#17 0x7f9871fbf162 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#18 0x7f9898f03b5f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#19 0x7f9898c94b42 in start_thread nptl/pthread_create.c:442:8
#20 0x7f9898d269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 1•1 year ago
|
||
Unable to reproduce bug 1835118 using build mozilla-central 20230524214208-6b82236cab6f. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 2•1 year ago
|
||
The severity field is not set for this bug.
:jimm, could you have a look please?
For more information, please visit BugBot documentation.
|
||
Updated•1 year ago
|
|
Reporter | |
Comment 3•1 year ago
|
||
Here is a test case that is a bit more bugmon friendly.
|
|
Reporter | |
Updated•1 year ago
|
|
|
||
Comment 4•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230814214038-27c67d619752.
The bug appears to have been introduced in the following build range:
Start: 9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd (20230524162134)
End: 6a96bb1f430f92b83cc31f74db4e4c1f71e155e5 (20230524133440)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd&tochange=6a96bb1f430f92b83cc31f74db4e4c1f71e155e5
|
|
Reporter | |
Updated•1 year ago
|
|
|
||
Comment 5•1 year ago
|
||
Set release status flags based on info from the regressing bug 1817997
|
||
Updated•1 year ago
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Comment 6•1 year ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
|
|
||
Comment 8•1 year ago
|
||
:padenot, since you are the author of the regressor, bug 1817997, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 9•1 year ago
|
||
|
|
Assignee | |
Comment 10•1 year ago
|
||
Depends on D186345
|
||
Comment 11•1 year ago
|
||
|
||
Comment 12•1 year ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/b534e9cc7137
https://hg.mozilla.org/mozilla-central/rev/5bdf8e3fbac7
|
|
||
Comment 13•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230818212320-e2305368eaae.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
Description
•