Assertion failure: aA >= 0, at /builds/worker/workspace/obj-build/dist/include/mozilla/MathAlgorithms.h:451
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | fixed |
| firefox114 | --- | unaffected |
| firefox115 | --- | wontfix |
| firefox116 | --- | verified |
People
(Reporter: tsmith, Assigned: padenot)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
|
512 bytes,
video/webm
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-esr115+
|
Details | Review |
Found while fuzzing m-c 20230622-45769d7ff3c6 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.webm
Assertion failure: aA >= 0, at /builds/worker/workspace/obj-build/dist/include/mozilla/MathAlgorithms.h:451
#0 0x7fd3edd22e3e in GCD<long> /builds/worker/workspace/obj-build/dist/include/mozilla/MathAlgorithms.h:451:3
#1 0x7fd3edd22e3e in mozilla::media::TimeUnit::Reduced() const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:408:17
#2 0x7fd3edd23150 in mozilla::media::TimeUnit::operator>=(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:209:22
#3 0x7fd3edd2393f in mozilla::media::TimeUnit::operator<(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:253:18
#4 0x7fd3edb3aa39 in max<mozilla::media::TimeUnit> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:224:15
#5 0x7fd3edb3aa39 in mozilla::MediaFormatReader::OnDemuxerInitDone(mozilla::MediaResult const&) /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:1270:19
#6 0x7fd3edc2acb5 in mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ThenValue<mozilla::MediaFormatReader*, void (mozilla::MediaFormatReader::*)(mozilla::MediaResult const&), void (mozilla::MediaFormatReader::*)(mozilla::MediaResult const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h
#7 0x7fd3eda21e05 in mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:490:21
#8 0x7fd3e9c1b69f in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
#9 0x7fd3e9c455b5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#10 0x7fd3e9c3bbf4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#11 0x7fd3e9c4283d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#12 0x7fd3ea8f42fe in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#13 0x7fd3ea80c591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#14 0x7fd3ea80c591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#15 0x7fd3e9c37296 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#16 0x7fd3fde8a9ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#17 0x7fd3fd894b42 in start_thread nptl/pthread_create.c:442:8
#18 0x7fd3fd9269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 1•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230622214511-45769d7ff3c6.
The bug appears to have been introduced in the following build range:
Start: 9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd (20230524162134)
End: 6a96bb1f430f92b83cc31f74db4e4c1f71e155e5 (20230524133440)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd&tochange=6a96bb1f430f92b83cc31f74db4e4c1f71e155e5
|
||
Comment 2•1 year ago
|
||
:padenot can you take look at this? Maybe due to bug 1821362?
|
Assignee | |
Comment 3•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Comment 4•1 year ago
|
||
Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:padenot, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
|
|
||
Updated•1 year ago
|
|
|
||
Comment 5•1 year ago
|
||
Set release status flags based on info from the regressing bug 1821362
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 8•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230629153145-e784085dfb50.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 10•1 year ago
|
||
Comment on attachment 9341217 [details]
Bug 1840002 - Ignore negative media duration found in container. r?alwu
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Loading a specially crafted file can crash a content process
- User impact if declined: Loading a specially crafted file can crash a content process
- Fix Landed on Version: 116
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Verified for a long time in Nightly / beta, has a test.
|
|
||
Comment 11•1 year ago
|
||
Comment on attachment 9341217 [details]
Bug 1840002 - Ignore negative media duration found in container. r?alwu
Approved for 115.1esr
|
||
Comment 12•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
Description
•