Open Bug 1884796 Opened 1 year ago Updated 1 year ago

Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

Categories

(Core :: Audio/Video: Web Codecs, defect)

x86
Unspecified
defect

Tracking


Tracking Status
firefox125 --- affected
firefox129 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20240112-734e2e027196 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

#0 0xe4d48341 in value /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:560:5
#1 0xe4d48341 in mozilla::dom::VideoFrame::Format::SampleCount(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) const /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:2189:26
#2 0xe4d44309 in operator() /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:926:3
#3 0xe4d44309 in CallProcessor<(lambda at /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:926:3)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:578:12
#4 0xe4d44309 in ProcessFixedData<(lambda at /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:926:3)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:753:12
#5 0xe4d44309 in CreateVideoFrameFromBuffer<mozilla::dom::TypedArray<JS::ArrayBuffer> > /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:926:3
#6 0xe4d44309 in CreateVideoFrameFromBuffer<mozilla::dom::TypedArray<JS::ArrayBuffer> > /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:972:12
#7 0xe4d44309 in mozilla::dom::VideoFrame::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::TypedArray<JS::ArrayBuffer> const&, mozilla::dom::VideoFrameBufferInit const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:1551:10
#8 0xe329f891 in mozilla::dom::VideoFrame_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./VideoFrameBinding.cpp:2302:64
#9 0xe7f887d3 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#10 0xe7fb4d5e in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:495:8
#11 0xe7f89a5e in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:720:10
#12 0xe7f97c27 in ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:748:10
#13 0xe7f97c27 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3045:16
#14 0xe7f87ce8 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:393:10
#15 0xe7f87815 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#16 0xe7f882de in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#17 0xe7f89239 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#18 0xe7f8940b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#19 0xe80a8b63 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#20 0xe3717ecb in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
#21 0xe40551d1 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#22 0xe4054da0 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1340:43
#23 0xe4055ea3 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1661:12
#24 0xe40556df in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1558:35
#25 0xe4049014 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#26 0xe4049014 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
#27 0xe4048671 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
#28 0xe404b0c6 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1222:11
#29 0xe404e6cc in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#30 0xe277a1f6 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1407:17
#31 0xe228cb63 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4755:29
#32 0xe228c9e3 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4721:10
#33 0xe24c4e2a in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8053:3
#34 0xe257c235 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#35 0xe257c235 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#36 0xe257c235 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#37 0xe257c235 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#38 0xe257c235 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#39 0xe257c235 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#40 0xe257c235 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#41 0xe07bb195 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#42 0xe07b05b0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#43 0xe07aec4f in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#44 0xe07af132 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#45 0xe07bf31c in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#46 0xe07bf31c in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#47 0xe07d5977 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#48 0xe07dcee2 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#49 0xe1505923 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#50 0xe141636e in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#51 0xe141626a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#52 0xe141626a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#53 0xe5eac8a6 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#54 0xe5f75938 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#55 0xe7d63774 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#56 0xe1506990 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#57 0xe141636e in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#58 0xe141626a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#59 0xe141626a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#60 0xe7d62fad in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#61 0xe7d727c1 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12
#62 0x5da89dbf in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#63 0x5da89dbf in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#64 0xf0821518  (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
#65 0xf08215f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
#66 0x5da5ac60 in _start (/home/user/workspace/browsers/linux32-m-c-20240311211339-fuzzing-debug/firefox-bin+0x5cc60) (BuildId: ed8791497eed2335098359ab4990ed1fca4a1b1a)
Flags: in-testsuite?
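The assertion at CheckedInt.h:562 fires because mozilla::CheckedInt refuses to hand out value() once an operation has overflowed or divided by zero, and the MOZ_ASSERT behind it is a debug-build check. The following is an added example, not Mozilla's code and not the logic of VideoFrame::Format::SampleCount itself: a small checked integer with the same isValid()/value() split, a hypothetical per-plane sample count over a constructed planar layout, and a buffer-size check that rejects a frame whose count could not be computed instead of consuming a wrapped value. The Plane struct, its sub-sampling factors, the one-byte-per-sample assumption and the function names are all constructed for this example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Minimal checked 32-bit unsigned integer written for this example. It keeps
// the isValid()/value() split that mozilla::CheckedInt uses: once an operation
// overflows or divides by zero the result is permanently invalid, and reading
// value() without first testing isValid() trips an assertion in a debug build.
struct Checked32 {
  uint32_t mValue;
  bool mIsValid;

  Checked32(uint32_t v = 0) : mValue(v), mIsValid(true) {}

  static Checked32 Invalid() {
    Checked32 c;
    c.mIsValid = false;
    return c;
  }

  Checked32 operator*(Checked32 rhs) const {
    if (!mIsValid || !rhs.mIsValid) return Invalid();
    Checked32 out;
    if (__builtin_mul_overflow(mValue, rhs.mValue, &out.mValue)) return Invalid();
    return out;
  }

  Checked32 operator+(Checked32 rhs) const {
    if (!mIsValid || !rhs.mIsValid) return Invalid();
    Checked32 out;
    if (__builtin_add_overflow(mValue, rhs.mValue, &out.mValue)) return Invalid();
    return out;
  }

  Checked32 operator/(Checked32 rhs) const {
    if (!mIsValid || !rhs.mIsValid || rhs.mValue == 0) return Invalid();
    return Checked32(mValue / rhs.mValue);
  }

  bool isValid() const { return mIsValid; }

  // Mirrors the check that fired in this report: value() is only meaningful
  // for a valid result, so reading an invalid one asserts.
  uint32_t value() const {
    assert(mIsValid && "Invalid checked integer (division by zero or integer overflow)");
    return mValue;
  }
};

// Hypothetical planar format description (constructed for this example): each
// plane stores one sample per hSub x vSub block of pixels.
struct Plane {
  uint32_t hSub;
  uint32_t vSub;
};

// Total number of samples a width x height frame needs across all planes.
// Returns std::nullopt when the checked arithmetic went invalid, so a caller
// never sees a wrapped-around count.
std::optional<uint32_t> SampleCount(uint32_t width, uint32_t height,
                                    const std::vector<Plane>& planes) {
  Checked32 total(0);
  for (const Plane& p : planes) {
    Checked32 w = Checked32(width) / Checked32(p.hSub);   // zero divisor -> invalid
    Checked32 h = Checked32(height) / Checked32(p.vSub);
    total = total + w * h;                                // overflow -> invalid
  }
  if (!total.isValid()) return std::nullopt;  // the guard: test before value()
  return total.value();
}

// Accepts a caller-supplied buffer only if the frame's sample count could be
// computed and the buffer holds at least that many bytes (one byte per sample
// here, an assumption for the example).
bool BufferFitsFrame(size_t bufferLen, uint32_t width, uint32_t height,
                     const std::vector<Plane>& planes) {
  std::optional<uint32_t> count = SampleCount(width, height, planes);
  return count.has_value() && bufferLen >= *count;
}

int main() {
  // Three-plane 4:2:0-style layout, constructed for the example.
  std::vector<Plane> yuv420 = {{1, 1}, {2, 2}, {2, 2}};
  std::printf("4x4 frame needs %u samples\n", SampleCount(4, 4, yuv420).value());
  std::printf("oversized frame accepted: %s\n",
              BufferFitsFrame(16, 0xFFFFFFFFu, 2, {{1, 1}}) ? "yes" : "no");
  std::printf("zero-divisor layout accepted: %s\n",
              BufferFitsFrame(16, 4, 4, {{0, 1}}) ? "yes" : "no");
  return 0;
}
```

The point of the split is that overflow is detected where the arithmetic happens but acted on at the boundary: SampleCount turns an invalid result into "no count" rather than a number, and BufferFitsFrame treats "no count" as a rejection, so a release build without the assertion still never sizes or indexes a buffer from a wrapped value.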

Unable to reproduce bug 1884796 using build mozilla-central 20240112173417-734e2e027196. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Hardware: Unspecified → x86
Blocks: webcodecs
Severity: -- → S3

This has only been reported on 32 bit machines. Pernosco does not support 32 bit traces.

