1864450 - Assertion failure: !aNext || aStartTime + static_cast<TimeType>(count) <= TimeOf(aNext), at /dom/media/webaudio/AudioEventTimeline.cpp:457

Status: VERIFIED FIXED

(Core :: Web Audio, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 211dc86c8f53 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 211dc86c8f53 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: !aNext || aStartTime + static_cast<TimeType>(count) <= TimeOf(aNext), at /dom/media/webaudio/AudioEventTimeline.cpp:457

    ==1094362==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc6f6ad012c bp 0x7ffef1d366e0 sp 0x7ffef1d366c0 T1094362)
    ==1094362==The signal is caused by a WRITE memory access.
    ==1094362==Hint: address points to the zero page.
        #0 0x7fc6f6ad012c in void mozilla::dom::AudioEventTimeline::GetValuesAtTimeHelperInternal<double>(double, mozilla::Span<float, 18446744073709551615ul>, mozilla::dom::AudioTimelineEvent const*, mozilla::dom::AudioTimelineEvent const*) /dom/media/webaudio/AudioEventTimeline.cpp:456:7
        #1 0x7fc6f6af3b73 in GetValueAtTime<double> /dom/media/webaudio/AudioEventTimeline.h:364:5
        #2 0x7fc6f6af3b73 in GetValueAtTime<double> /dom/media/webaudio/AudioParamTimeline.h:104:21
        #3 0x7fc6f6af3b73 in operator() /dom/media/webaudio/BiquadFilterNode.cpp:343:35
        #4 0x7fc6f6af3b73 in CallProcessorNoGC<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:315:34)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:562:12
        #5 0x7fc6f6af3b73 in ProcessDataHelper<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:315:34)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:625:12
        #6 0x7fc6f6af3b73 in ProcessData<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:315:34)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:633:12
        #7 0x7fc6f6af3b73 in operator() /dom/media/webaudio/BiquadFilterNode.cpp:315:22
        #8 0x7fc6f6af3b73 in CallProcessorNoGC<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:313:30)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:562:12
        #9 0x7fc6f6af3b73 in ProcessDataHelper<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:313:30)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:625:12
        #10 0x7fc6f6af3b73 in ProcessData<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:313:30)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:633:12
        #11 0x7fc6f6af3b73 in operator() /dom/media/webaudio/BiquadFilterNode.cpp:313:18
        #12 0x7fc6f6af3b73 in CallProcessorNoGC<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:311:28)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:562:12
        #13 0x7fc6f6af3b73 in ProcessDataHelper<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:311:28)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:625:12
        #14 0x7fc6f6af3b73 in ProcessData<(lambda at /dom/media/webaudio/BiquadFilterNode.cpp:311:28)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:633:12
        #15 0x7fc6f6af3b73 in mozilla::dom::BiquadFilterNode::GetFrequencyResponse(mozilla::dom::TypedArray<JS::TypedArray<(JS::Scalar::Type)6>> const&, mozilla::dom::TypedArray<JS::TypedArray<(JS::Scalar::Type)6>> const&, mozilla::dom::TypedArray<JS::TypedArray<(JS::Scalar::Type)6>> const&, mozilla::ErrorResult&) /dom/media/webaudio/BiquadFilterNode.cpp:311:16
        #16 0x7fc6f471df6e in mozilla::dom::BiquadFilterNode_Binding::getFrequencyResponse(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./BiquadFilterNodeBinding.cpp:536:24
        #17 0x7fc6f58e3a38 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
        #18 0x7fc6fa0b1c34 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #19 0x7fc6fa0b154d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #20 0x7fc6fa0c1b18 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
        #21 0x7fc6fa0c1b18 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
        #22 0x7fc6fa0b0aa2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
        #23 0x7fc6fa0b1569 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
        #24 0x7fc6fa0b2a0d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #25 0x7fc6fa199a64 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #26 0x7fc6f57180bd in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./FunctionBinding.cpp:50:8
        #27 0x7fc6f44aa9e3 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #28 0x7fc6f44aa783 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:168:29
        #29 0x7fc6f415475d in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6309:38
        #30 0x7fc6f44a7279 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:879:44
        #31 0x7fc6f44a627b in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #32 0x7fc6f44a8959 in Notify /dom/base/TimeoutExecutor.cpp:246:5
        #33 0x7fc6f44a8959 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp
        #34 0x7fc6f26ee47e in operator() /xpcom/threads/nsTimerImpl.cpp:677:44
        #35 0x7fc6f26ee47e in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #36 0x7fc6f26ee47e in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #37 0x7fc6f26ee47e in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #38 0x7fc6f26ee47e in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #39 0x7fc6f26ee47e in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:675:22
        #40 0x7fc6f26ed613 in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:515:11
        #41 0x7fc6f2713460 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #42 0x7fc6f270fe81 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #43 0x7fc6f26e0f27 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:549:16
        #44 0x7fc6f26d8af3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:876:26
        #45 0x7fc6f26d7337 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:699:15
        #46 0x7fc6f26d7795 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:485:36
        #47 0x7fc6f26e4ca9 in operator() /xpcom/threads/TaskController.cpp:214:37
        #48 0x7fc6f26e4ca9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #49 0x7fc6f26fb792 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1198:16
        #50 0x7fc6f270287d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #51 0x7fc6f33bfcb3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #52 0x7fc6f32d9c31 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #53 0x7fc6f32d9c31 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #54 0x7fc6f7c258f8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #55 0x7fc6f9e72c6b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #56 0x7fc6f33c0be6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #57 0x7fc6f32d9c31 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #58 0x7fc6f32d9c31 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #59 0x7fc6f9e724d2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #60 0x559916100276 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #61 0x559916100276 in main /browser/app/nsBrowserApp.cpp:375:18
        #62 0x7fc708329d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #63 0x7fc708329e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #64 0x5599160d5fa8 in _start (/home/jkratzer/builds/m-c-20231113091505-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: c8a40462047621d4157d002b8b9277484ae9dbc8)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/webaudio/AudioEventTimeline.cpp:456:7 in void mozilla::dom::AudioEventTimeline::GetValuesAtTimeHelperInternal<double>(double, mozilla::Span<float, 18446744073709551615ul>, mozilla::dom::AudioTimelineEvent const*, mozilla::dom::AudioTimelineEvent const*)
    ==1094362==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231113091505-211dc86c8f53.
The bug appears to have been introduced in the following build range:

Start: 7768cf51f090145a9009fb37298f3c1da7d60a2f (20230927212433)
End: 6fc66d324cb8d3114020c6bfc3e66d7a8f3b5e45 (20230927190330)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7768cf51f090145a9009fb37298f3c1da7d60a2f&tochange=6fc66d324cb8d3114020c6bfc3e66d7a8f3b5e45

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1853597

Comment 4

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 5

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 6

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 7

[Karl Tomlinson (:karlt)]

Attachment: Bug 1864450 adjust SetValueCurve assertion to pass when TimeType is double and count == 1 r?padenot

This checks that the last value obtained from the SetValueCurve is before the
next event time.

Comment 8

[Dianna Smith [:diannaS]]

:karlt what is the severity/impact on the user here? Wondering if this needs to be tracked for a fix in 120

Comment 9

[Karl Tomlinson (:karlt)]

The bug is only in the assertion, thanks, so affects only debug builds.
I'll try to change this from defect to task, but that doesn't always succeed.

Comment 10

[Pulsebot]

Pushed by ktomlinson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/96fef7ee7351
adjust SetValueCurve assertion to pass when TimeType is double and count == 1 r=padenot

Comment 11

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/96fef7ee7351

Comment 12

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20231115052415-0083ca2f4709.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.