Closed
Bug 1848660
Opened 11 months ago
Closed 11 months ago
Hit MOZ_CRASH(ElementAt(aIndex = 21, aLength = 18)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51
Categories
(Core :: Audio/Video: Playback, defect)
Core
Audio/Video: Playback
Tracking
()
VERIFIED
FIXED
118 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox116 | --- | unaffected |
| firefox117 | --- | unaffected |
| firefox118 | --- | verified |
People
(Reporter: tsmith, Assigned: padenot)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(3 files)
Found while fuzzing m-c 20230813-6d77e3e6758e (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Hit MOZ_CRASH(ElementAt(aIndex = 21, aLength = 18)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51
#0 0x562e5898060f in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x562e5898060f in mozilla::detail::InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:50:3
#2 0x7fe5c2296eb7 in ElementAt /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1217:7
#3 0x7fe5c2296eb7 in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1248:12
#4 0x7fe5c2296eb7 in mozilla::FormatChunk::ChannelMap() const /builds/worker/checkouts/gecko/dom/media/wave/WaveDemuxer.cpp:718:7
#5 0x7fe5c2291137 in mozilla::WAVTrackDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/wave/WaveDemuxer.cpp:163:34
#6 0x7fe5c228fe0e in mozilla::WAVDemuxer::InitInternal() /builds/worker/checkouts/gecko/dom/media/wave/WaveDemuxer.cpp:35:25
#7 0x7fe5c2291638 in mozilla::WAVDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/wave/WaveDemuxer.cpp:39:8
#8 0x7fe5c172fbf6 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:788:47
#9 0x7fe5c172fbf6 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1690:29
#10 0x7fe5b93d309c in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20
#11 0x7fe5b942825b in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#12 0x7fe5b94164bf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#13 0x7fe5b9423f04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#14 0x7fe5bb020a01 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#15 0x7fe5bae49d4a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#16 0x7fe5bae49d4a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#17 0x7fe5bae49d4a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#18 0x7fe5b940d4fa in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#19 0x7fe5e0ed3b3f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#20 0x7fe5e0c94b42 in start_thread nptl/pthread_create.c:442:8
#21 0x7fe5e0d269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?
|
Reporter | |
Comment 1•11 months ago
|
||
With a debug build I get:
Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:183
#0 0x7f60025ffc3c in AssertedCast<signed char, int> /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:183:3
#1 0x7f60025ffc3c in mozilla::WAVTrackDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/wave/WaveDemuxer.cpp:157:21
#2 0x7f60025ff1ab in mozilla::WAVDemuxer::InitInternal() /builds/worker/checkouts/gecko/dom/media/wave/WaveDemuxer.cpp:35:25
#3 0x7f60025ffe97 in mozilla::WAVDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/wave/WaveDemuxer.cpp:39:8
#4 0x7f60020a5001 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:788:47
#5 0x7f60020a5001 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1690:29
#6 0x7f5ffe124d1b in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20
#7 0x7f5ffe14edf5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#8 0x7f5ffe14530d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#9 0x7f5ffe14c0ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#10 0x7f5ffedf712e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#11 0x7f5ffed10121 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#12 0x7f5ffed10121 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#13 0x7f5ffe140996 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#14 0x7f60125f89ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#15 0x7f6012294b42 in start_thread nptl/pthread_create.c:442:8
#16 0x7f60123269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 2•11 months ago
|
||
Got a crash from the testcase : https://crash-stats.mozilla.org/report/index/dca6a945-a47c-4ba4-b045-ddb820230814
Crash Signature: [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::operator[] | mozilla::FormatChunk::ChannelMap ]
|
|
||
Comment 3•11 months ago
|
||
Regression range : https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d1fbe6c1f87656fb4f55677904f55f6df433ea9a&tochange=e78e15a11c7c9c583172c6dc65f25fc847c46f5f
Flags: needinfo?(padenot)
|
||
Comment 4•11 months ago
|
||
Verified bug as reproducible on mozilla-central 20230814214038-27c67d619752.
The bug appears to have been introduced in the following build range:
Start: d1fbe6c1f87656fb4f55677904f55f6df433ea9a (20230808155443)
End: 062a5e5729067f579bd6d1ab2f1a3021d7fd291a (20230808122031)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1fbe6c1f87656fb4f55677904f55f6df433ea9a&tochange=062a5e5729067f579bd6d1ab2f1a3021d7fd291a
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 5•11 months ago
|
||
Set release status flags based on info from the regressing bug 1840402
status-firefox116:
--- → unaffected
status-firefox117:
--- → unaffected
status-firefox-esr102:
--- → unaffected
status-firefox-esr115:
--- → unaffected
|
|
Reporter | |
Comment 6•11 months ago
|
||
This issues was also discovered via live site testing.
Reported while visiting http://yahoo.com/ with a debug build.
Blocks: site-scout
|
Assignee | |
Comment 7•11 months ago
|
||
|
||
Updated•11 months ago
|
Assignee: nobody → padenot
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•11 months ago
|
||
Depends on D186338
|
|
Assignee | |
Comment 9•11 months ago
|
||
Both issues fixed here: the one triggered in debug build and the one triggered by non-debug build.
Flags: needinfo?(padenot)
|
||
Comment 10•11 months ago
|
||
Pushed by padenot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/21491130777e Reject more invalid wav. r=alwu
|
||
Comment 11•11 months ago
|
||
Backed out for causing assertion failures on Casting.h
- backout: https://hg.mozilla.org/integration/autoland/rev/d85402f11fc4636036f3e809d57fd20d20c41d7f
- push: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&revision=21491130777e3d47453e9edcefe88ba379bcf078&selectedTaskRun=VCS1ZgerQTC2IFSxljZa4w.0
- failure log: https://treeherder.mozilla.org/logviewer?job_id=426229964&repo=autoland&lineNumber=8190
[task 2023-08-16T17:54:18.407Z] 17:54:18 INFO - Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:183
[task 2023-08-16T17:54:18.408Z] 17:54:18 INFO - #01: mozilla::WAVTrackDemuxer::Init() [dom/media/wave/WaveDemuxer.cpp:157]
[task 2023-08-16T17:54:18.408Z] 17:54:18 INFO - #02: mozilla::WAVDemuxer::InitInternal() [dom/media/wave/WaveDemuxer.cpp:0]
[task 2023-08-16T17:54:18.409Z] 17:54:18 INFO - #03: mozilla::WAVDemuxer::Init() [dom/media/wave/WaveDemuxer.cpp:39]
[task 2023-08-16T17:54:18.410Z] 17:54:18 INFO - #04: mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false> >::Run() [xpcom/threads/MozPromise.h:1691]
[task 2023-08-16T17:54:18.410Z] 17:54:18 INFO - #05: mozilla::TaskQueue::Runner::Run() [xpcom/threads/TaskQueue.cpp:264]
[task 2023-08-16T17:54:18.411Z] 17:54:18 INFO - #06: nsThreadPool::Run() [xpcom/threads/nsThreadPool.cpp:345]
[task 2023-08-16T17:54:18.411Z] 17:54:18 INFO - #07: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1194]
[task 2023-08-16T17:54:18.412Z] 17:54:18 INFO - #08: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/threads/nsThreadUtils.cpp:480]
[task 2023-08-16T17:54:18.412Z] 17:54:18 INFO - #09: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:301]
[task 2023-08-16T17:54:18.413Z] 17:54:18 INFO - #10: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:346]
[task 2023-08-16T17:54:18.413Z] 17:54:18 INFO - #11: nsThread::ThreadFunc(void*) [xpcom/threads/nsThread.cpp:393]
[task 2023-08-16T17:54:18.581Z] 17:54:18 INFO - #12: _pt_root [nsprpub/pr/src/pthreads/ptthread.c:204]
[task 2023-08-16T17:54:18.582Z] 17:54:18 INFO - #13: _pthread_start [/usr/lib/system/libsystem_pthread.dylib + 0x6109]
Flags: needinfo?(padenot)
|
|
||
Comment 12•11 months ago
|
||
Pushed by padenot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8012a2c9ab25 Reject more invalid wav. r=alwu https://hg.mozilla.org/integration/autoland/rev/ccb74bf3d439 Make mProfile and mExtendedProfile uint8_t. r=alwu
|
||
Comment 13•11 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8012a2c9ab25
https://hg.mozilla.org/mozilla-central/rev/ccb74bf3d439
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
|
|
||
Comment 14•11 months ago
|
||
Verified bug as fixed on rev mozilla-central 20230817150115-a6c91cd0d909.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Updated•11 months ago
|
Flags: needinfo?(padenot)
You need to log in
before you can comment on or make changes to this bug.
Description
•