1904459 - Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:183

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.ogg

Found while fuzzing m-c 20240624-51c72e671bce (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:183

#0 0x71e1028bb85c in AssertedCast<long, unsigned long> /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:183:3
#1 0x71e1028bb85c in mozilla::TheoraState::ReconstructTheoraGranulepos() /builds/worker/checkouts/gecko/dom/media/ogg/OggCodecState.cpp:598:7
#2 0x71e1028bb094 in mozilla::TheoraState::PageIn(rlbox::tainted_opaque<ogg_page*, rlbox::rlbox_wasm2c_sandbox>) /builds/worker/checkouts/gecko/dom/media/ogg/OggCodecState.cpp:557:5
#3 0x71e1028cb2dd in mozilla::OggDemuxer::DemuxOggPage(mozilla::TrackInfo::TrackType, rlbox::tainted_opaque<ogg_page*, rlbox::rlbox_wasm2c_sandbox>) /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:852:7
#4 0x71e1028c9bc4 in mozilla::OggDemuxer::DemuxUntilPacketAvailable(mozilla::TrackInfo::TrackType, mozilla::OggCodecState*) /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:902:5
#5 0x71e1028cd103 in mozilla::OggDemuxer::GetNextPacket(mozilla::TrackInfo::TrackType) /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:872:5
#6 0x71e1028cb47a in FindStartTime /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:1099:21
#7 0x71e1028cb47a in mozilla::OggDemuxer::FindStartTime(mozilla::media::TimeUnit&) /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:1064:5
#8 0x71e1028c87ef in mozilla::OggDemuxer::ReadMetadata() /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:582:5
#9 0x71e1028c7c99 in mozilla::OggDemuxer::Init() /builds/worker/checkouts/gecko/dom/media/ogg/OggDemuxer.cpp:231:7
#10 0x71e10250fc81 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:789:47
#11 0x71e10250fc81 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1813:29
#12 0x71e0fe40f328 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20
#13 0x71e0fe438e28 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:456:14
#14 0x71e0fe42eeac in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#15 0x71e0fe435d1f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#16 0x71e0ff0e187c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#17 0x71e0feff7731 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#18 0x71e0feff7731 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#19 0x71e0fe42a063 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#20 0x71e112df7c2f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#21 0x71e112a94ac2 in start_thread nptl/pthread_create.c:442:8
#22 0x71e112b2684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240624213429-fc0f7d3e6a3d.
The bug appears to have been introduced in the following build range:

Start: d1fbe6c1f87656fb4f55677904f55f6df433ea9a (20230808155443)
End: b19ed5a6579d312e71c03201698107835378c612 (20230808212319)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1fbe6c1f87656fb4f55677904f55f6df433ea9a&tochange=b19ed5a6579d312e71c03201698107835378c612

Comment 2

[Donal Meehan [:dmeehan]]

There are several possible regressing commits in the pushlog from Comment 1.
Setting Bug 1823953 as the possible regressor, :padenot please correct if needed.

Comment 3

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 4

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 5

[Paul Adenot (:padenot)]

I'm removing all this code in https://bugzilla.mozilla.org/show_bug.cgi?id=1890370, that is awaiting review but green on try.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jimm, could you have a look please?

For more information, please visit BugBot documentation.

Comment 7

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20240624144542-51c72e671bce) but not with tip (mozilla-central 20240719162139-0614dadb2b13.)

The bug appears to have been fixed in the following build range:

Start: 75452a75f7ec2411d1ceaf6958c4c742a82cab08 (20240715134452)
End: 72e40f9471c4f8348d84d2e211b97f26c4a84d7b (20240715145215)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=75452a75f7ec2411d1ceaf6958c4c742a82cab08&tochange=72e40f9471c4f8348d84d2e211b97f26c4a84d7b

padenot, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 8

[Paul Adenot (:padenot)]

Yes, thanks, fixed as stated in https://bugzilla.mozilla.org/show_bug.cgi?id=1904459#c5. Closing.