Closed Bug 1850453 Opened 2 years ago Closed 2 years ago

Assertion failure: Header().Info().mRate (Invalid Frame. Need Header), at /builds/worker/checkouts/gecko/dom/media/flac/FlacDemuxer.cpp:336

Tracking

()

Status:

VERIFIED FIXED

Milestone:

119 Branch

Tracking Flags:

Tracking

Status

firefox-esr102

---

wontfix

firefox-esr115

---

wontfix

firefox117

---

wontfix

firefox118

---

wontfix

firefox119

---

verified

People

(Reporter: tsmith, Assigned: padenot)

References

(Regressed 1 open bug)

Details

(Keywords: assertion, pernosco, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

testcase.zip 2 years ago Tyson Smith [:tsmith] (PTO) 3.32 MB, application/x-zip-compressed		Details
Bug 1850453 - Ensure Flac frames have a valid sample-rate. r?alwu 2 years ago Paul Adenot (:padenot) 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1850453 - Fix clang-tidy issues in FlacDemuxer.cpp. r?alwu 2 years ago Paul Adenot (:padenot) 48 bytes, text/x-phabricator-request		Details \| Review

Tyson Smith [:tsmith] (PTO)

Reporter

Description

•

2 years ago

•

Edited

Attached file testcase.zip — Details

Reproduced with m-c 20230828-18ac70a5128d (--enable-debug --enable-fuzzing)

This was originally reported by chylex. I've repackaged the test case to make it bugmon friendly.

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: Header().Info().mRate (Invalid Frame. Need Header), at /builds/worker/checkouts/gecko/dom/media/flac/FlacDemuxer.cpp:336

#0 0x7ff6fce80ea8 in Time /builds/worker/checkouts/gecko/dom/media/flac/FlacDemuxer.cpp:336:5
#1 0x7ff6fce80ea8 in mozilla::FlacTrackDemuxer::FastSeek(mozilla::media::TimeUnit const&) /builds/worker/checkouts/gecko/dom/media/flac/FlacDemuxer.cpp:753:26
#2 0x7ff6fce8021a in mozilla::FlacTrackDemuxer::Seek(mozilla::media::TimeUnit const&) /builds/worker/checkouts/gecko/dom/media/flac/FlacDemuxer.cpp:700:3
#3 0x7ff6fccfe670 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:651:62
#4 0x7ff6fccfe670 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Wrapper::Seek(mozilla::media::TimeUnit const&)::'lambda'(), mozilla::MozPromise<mozilla::media::TimeUnit, mozilla::MediaResult, true>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1690:29
#5 0x7ff6f8d673db in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20
#6 0x7ff6f8d914b5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#7 0x7ff6f8d879cd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#8 0x7ff6f8d8e76d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#9 0x7ff6f9a3b4ae in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#10 0x7ff6f9953f01 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#11 0x7ff6f9953f01 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#12 0x7ff6f8d83056 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#13 0x7ff70d3d09ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#14 0x7ff70d094b42 in start_thread nptl/pthread_create.c:442:8
#15 0x7ff70d1269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Tyson Smith [:tsmith] (PTO)

Reporter

Updated

•

2 years ago

No longer depends on: 1839193

Updated

•

2 years ago

Flags: needinfo?(padenot)

Bugmon [:jkratzer for issues]

Comment 1

•

2 years ago

Verified bug as reproducible on mozilla-central 20230828212120-18ac70a5128d.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 9c0fe9c1bb3c457728c14eb7adf128660540444c (20220830034908)
End: 18ac70a5128d520641cced852fc0059536c52713 (20230828212120)
BuildFlags: BuildFlags(asan=True, tsan=None, debug=None, fuzzing=True, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)

Whiteboard: [bugmon:bisected,confirmed]

Paul Adenot (:padenot)

Assignee

Updated

•

2 years ago

Flags: needinfo?(padenot)

Keywords: pernosco-wanted

Bugmon [:jkratzer for issues]

Comment 2

•

2 years ago

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wanted → pernosco

Bugmon [:jkratzer for issues]

Comment 3

•

2 years ago

A pernosco session for this bug can be found here.

Paul Adenot (:padenot)

Assignee

Comment 4

•

2 years ago

I've been reproducing this in very old builds, version 70 or so.

Paul Adenot (:padenot)

Assignee

Updated

•

2 years ago

Duplicate of this bug: 1628326

BugBot [:suhaib / :marco/ :calixte]

Comment 6

•

2 years ago

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::media::TimeUnit::TimeUnit ] → [@ mozilla::media::TimeUnit::TimeUnit ] [@ mozilla::FlacTrackDemuxer::FastSeek] [@ mozilla::media::TimeUnit::operator==]

Paul Adenot (:padenot)

Assignee

Comment 7

•

2 years ago

Attached file Bug 1850453 - Ensure Flac frames have a valid sample-rate. r?alwu — Details

If the sample-rate is 0, per spec the sample-rate to use is what's specified in
the STREAMINFO header. This was causing a crash. This sets the sample-rate on
the frame.

Phabricator Automation

Updated

•

2 years ago

Assignee: nobody → padenot

Status: NEW → ASSIGNED

Paul Adenot (:padenot)

Assignee

Comment 8

•

2 years ago

Attached file Bug 1850453 - Fix clang-tidy issues in FlacDemuxer.cpp. r?alwu — Details

Depends on D188471

Pulsebot

Comment 9

•

2 years ago

Pushed by padenot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6cd854033459 Ensure Flac frames have a valid sample-rate. r=alwu https://hg.mozilla.org/integration/autoland/rev/bd493776d27e Fix clang-tidy issues in FlacDemuxer.cpp. r=alwu

Treeherder Bug Filer

Updated

•

2 years ago

Regressions: 1853980

Atila Butkovits

Comment 10

•

2 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/6cd854033459
https://hg.mozilla.org/mozilla-central/rev/bd493776d27e

Status: ASSIGNED → RESOLVED

Closed: 2 years ago

status-firefox119: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 119 Branch

Bugmon [:jkratzer for issues]

Comment 11

•

2 years ago

Verified bug as fixed on rev mozilla-central 20230920005018-f90822eea608.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED

status-firefox119: fixed → verified

Keywords: bugmon

Ryan VanderMeulen [:RyanVM]

Updated

•

2 years ago

Crash Signature: [@ mozilla::media::TimeUnit::TimeUnit ] [@ mozilla::FlacTrackDemuxer::FastSeek] [@ mozilla::media::TimeUnit::operator==] → [@ mozilla::media::TimeUnit::TimeUnit ] [@ mozilla::FlacTrackDemuxer::FastSeek] [@ mozilla::media::TimeUnit::operator==]

status-firefox117: --- → wontfix

status-firefox118: --- → wontfix

status-firefox-esr102: --- → wontfix

status-firefox-esr115: --- → wontfix

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.