Closed Bug 1840002 Opened 2 years ago Closed 2 years ago

Assertion failure: aA >= 0, at /builds/worker/workspace/obj-build/dist/include/mozilla/MathAlgorithms.h:451

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- fixed
firefox114 --- unaffected
firefox115 --- wontfix
firefox116 --- verified

People

(Reporter: tsmith, Assigned: padenot)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.webm
512 bytes, video/webm
Details
Bug 1840002 - Ignore negative media duration found in container. r?alwu
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Attached video testcase.webm

Found while fuzzing m-c 20230622-45769d7ff3c6 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.webm

Assertion failure: aA >= 0, at /builds/worker/workspace/obj-build/dist/include/mozilla/MathAlgorithms.h:451

#0 0x7fd3edd22e3e in GCD<long> /builds/worker/workspace/obj-build/dist/include/mozilla/MathAlgorithms.h:451:3
#1 0x7fd3edd22e3e in mozilla::media::TimeUnit::Reduced() const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:408:17
#2 0x7fd3edd23150 in mozilla::media::TimeUnit::operator>=(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:209:22
#3 0x7fd3edd2393f in mozilla::media::TimeUnit::operator<(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:253:18
#4 0x7fd3edb3aa39 in max<mozilla::media::TimeUnit> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:224:15
#5 0x7fd3edb3aa39 in mozilla::MediaFormatReader::OnDemuxerInitDone(mozilla::MediaResult const&) /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:1270:19
#6 0x7fd3edc2acb5 in mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ThenValue<mozilla::MediaFormatReader*, void (mozilla::MediaFormatReader::*)(mozilla::MediaResult const&), void (mozilla::MediaFormatReader::*)(mozilla::MediaResult const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h
#7 0x7fd3eda21e05 in mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:490:21
#8 0x7fd3e9c1b69f in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
#9 0x7fd3e9c455b5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#10 0x7fd3e9c3bbf4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#11 0x7fd3e9c4283d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#12 0x7fd3ea8f42fe in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#13 0x7fd3ea80c591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#14 0x7fd3ea80c591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#15 0x7fd3e9c37296 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#16 0x7fd3fde8a9ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#17 0x7fd3fd894b42 in start_thread nptl/pthread_create.c:442:8
#18 0x7fd3fd9269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230622214511-45769d7ff3c6.
The bug appears to have been introduced in the following build range:

Start: 9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd (20230524162134)
End: 6a96bb1f430f92b83cc31f74db4e4c1f71e155e5 (20230524133440)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd&tochange=6a96bb1f430f92b83cc31f74db4e4c1f71e155e5

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:padenot can you take look at this? Maybe due to bug 1821362?

Flags: needinfo?(padenot)
Assignee: nobody → padenot
Status: NEW → ASSIGNED

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:padenot, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(padenot)
status-firefox114: --- → unaffected
status-firefox115: --- → affected
Flags: needinfo?(padenot)
Regressed by: 1821362

Set release status flags based on info from the regressing bug 1821362

status-firefox-esr102: --- → unaffected
Pushed by padenot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0b144226be34 Ignore negative media duration found in container. r=alwu

https://hg.mozilla.org/mozilla-central/rev/0b144226be34

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox116: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Verified bug as fixed on rev mozilla-central 20230629153145-e784085dfb50.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox116: fixedverified
Keywords: bugmon
status-firefox115: affectedwontfix
status-firefox-esr115: --- → affected
Flags: in-testsuite? → in-testsuite+

Is this worth an ESR115 uplift? It grafts cleanly.

Flags: needinfo?(padenot)

Comment on attachment 9341217 [details]
Bug 1840002 - Ignore negative media duration found in container. r?alwu

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Loading a specially crafted file can crash a content process
  • User impact if declined: Loading a specially crafted file can crash a content process
  • Fix Landed on Version: 116
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Verified for a long time in Nightly / beta, has a test.
Flags: needinfo?(padenot)
Attachment #9341217 - Flags: approval-mozilla-esr115?

Comment on attachment 9341217 [details]
Bug 1840002 - Ignore negative media duration found in container. r?alwu

Approved for 115.1esr

Attachment #9341217 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Regressed by: 1817997
No longer regressed by: 1821362
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: