Closed Bug 1848681 Opened 2 years ago Closed 2 years ago

Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1848258
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox116 --- unaffected
firefox117 --- unaffected
firefox118 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

testcase.zip
4.25 KB, application/x-zip-compressed
Details
Attached file testcase.zip

Found while fuzzing m-c 20230808-b19ed5a6579d (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

#0 0x7ff5c8929276 in mozilla::media::TimeUnit::operator>=(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp
#1 0x7ff5c892a59f in mozilla::media::TimeUnit::operator<(mozilla::media::TimeUnit const&) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:253:18
#2 0x7ff5c8efc627 in min<mozilla::media::TimeUnit> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algobase.h:200:15
#3 0x7ff5c8efc627 in mozilla::OggDemuxer::FindStartTime(mozilla::media::TimeUnit&) /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:1069:24
#4 0x7ff5c8ef47a0 in mozilla::OggDemuxer::ReadMetadata() /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:574:5
#5 0x7ff5c8ef272a in mozilla::OggDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:223:7
#6 0x7ff5c872fbf6 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:788:47
#7 0x7ff5c872fbf6 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1690:29
#8 0x7ff5c03d309c in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20
#9 0x7ff5c042825b in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#10 0x7ff5c04164bf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#11 0x7ff5c0423f04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#12 0x7ff5c2020a01 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#13 0x7ff5c1e49d4a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#14 0x7ff5c1e49d4a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#15 0x7ff5c1e49d4a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#16 0x7ff5c040d4fa in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#17 0x7ff5e8103b3f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#18 0x7ff5e7e94b42 in start_thread nptl/pthread_create.c:442:8
#19 0x7ff5e7f269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/a1db2a35-df42-4045-b8e2-b41b50230815

Crash Signature: [@ mozilla::media::TimeUnit::operator>= ]
Keywords: crash

Verified bug as reproducible on mozilla-central 20230814214038-27c67d619752.
The bug appears to have been introduced in the following build range:

Start: d1fbe6c1f87656fb4f55677904f55f6df433ea9a (20230808155443)
End: 062a5e5729067f579bd6d1ab2f1a3021d7fd291a (20230808122031)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1fbe6c1f87656fb4f55677904f55f6df433ea9a&tochange=062a5e5729067f579bd6d1ab2f1a3021d7fd291a

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1839391

Set release status flags based on info from the regressing bug 1839391

status-firefox116: --- → unaffected
status-firefox117: --- → unaffected
status-firefox-esr102: --- → unaffected
status-firefox-esr115: --- → unaffected

Dup. of bug 1835118?

No, it's different but same stack in the end.

Flags: needinfo?(padenot)
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1848258
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: