Closed Bug 1905395 Opened 3 months ago Closed 3 months ago

Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

Categories

(Core :: Audio/Video: Web Codecs, defect)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1902555
Tracking Status
firefox129 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20240611-1f6dc95932ad (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

#0 0x7d147f32c861 in value /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:560:5
#1 0x7d147f32c861 in mozilla::dom::AudioData::CopyTo(mozilla::dom::MaybeSharedArrayBufferViewOrMaybeSharedArrayBuffer const&, mozilla::dom::AudioDataCopyToOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webcodecs/AudioData.cpp:563:18
#2 0x7d147d18079d in mozilla::dom::AudioData_Binding::copyTo(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./AudioDataBinding.cpp:745:24
#3 0x7d147e139157 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
#4 0x7d1481907f04 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:487:13
#5 0x7d14819076ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:581:12
#6 0x7d1481917789 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:653:10
#7 0x7d1481917789 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3291:16
#8 0x7d1481906e36 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#9 0x7d14819077e8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:613:13
#10 0x7d1481908cef in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:680:8
#11 0x7d1481a13667 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#12 0x7d147dfcc921 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./FunctionBinding.cpp:50:8
#13 0x7d147cf938c4 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
#14 0x7d147cf93673 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:168:29
#15 0x7d1480145076 in mozilla::dom::WorkerPrivate::RunExpiredTimeouts(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5527:21
#16 0x7d148014e43b in mozilla::dom::WorkerThreadRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:443:12
#17 0x7d147ac1c9be in operator() /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:44
#18 0x7d147ac1c9be in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
#19 0x7d147ac1c9be in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#20 0x7d147ac1c9be in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
#21 0x7d147ac1c9be in match<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
#22 0x7d147ac1c9be in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:675:22
#23 0x7d147ac1bb7b in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:515:11
#24 0x7d148015c584 in mozilla::dom::(anonymous namespace)::ExternalRunnableWrapper::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:220:37
#25 0x7d148014e43b in mozilla::dom::WorkerThreadRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:443:12
#26 0x7d147ac29c7c in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#27 0x7d147ac30aef in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#28 0x7d1480139575 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3510:7
#29 0x7d148011d678 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2134:42
#30 0x7d147ac29c7c in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#31 0x7d147ac30aef in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#32 0x7d147b8dee8c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#33 0x7d147b7f4ba1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#34 0x7d147b7f4ba1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#35 0x7d147ac24e33 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#36 0x7d148fd10c2f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#37 0x7d148fa94ac2 in start_thread nptl/pthread_create.c:442:8
#38 0x7d148fb2684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?
Crash Signature: [@ mozilla::CheckedInt<T>::value | mozilla::dom::AudioData::CopyTo ]
Keywords: crash
Status: NEW → RESOLVED
Closed: 3 months ago
Duplicate of bug: 1902555
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: