Bug 746577 - ASAN: Opus crash [@nsNativeAudioStream::Write]
Status: VERIFIED FIXED
Whiteboard: [asan][sg:critical]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: Audio/Video
Version: Other Branch
Platform: x86_64 Mac OS X
Priority: --  Severity: critical
Assigned To: Nobody; OK to take it and work on it
Blocks: fuzzing-opus
Reported: 2012-04-18 08:00 PDT by Christoph Diehl [:posidron]
Modified: 2012-06-14 10:22 PDT

Attachments:
- callstack (7.25 KB, text/plain), 2012-04-18 08:00 PDT, Christoph Diehl [:posidron]
- sample (6.16 KB, text/plain), 2012-04-18 08:02 PDT, Christoph Diehl [:posidron]

Description Christoph Diehl [:posidron] 2012-04-18 08:00:58 PDT
Created attachment 616143: callstack

Happens only in builds with ASAN enabled but is reproducible every time.

Origin:

case FORMAT_FLOAT32: {
  const float* buf = static_cast<const float*>(aBuf);
  for (PRUint32 i = 0; i < samples; ++i) {
    float scaled_value = floorf(0.5 + 32768 * buf[i] * scaled_volume); // <--
    if (buf[i] < 0.0) {
      s_data[i] = (scaled_value < -32768.0) ?
        -32768 :
        short(scaled_value);
    } else {
      s_data[i] = (scaled_value > 32767.0) ?
        32767 :
        short(scaled_value);
    }
  }
Comment 1 Christoph Diehl [:posidron] 2012-04-18 08:02:37 PDT
Created attachment 616144: sample
Comment 2 Ralph Giles (:rillian) 2012-04-18 08:48:11 PDT
Awesome, that didn't take you long!

Help me out here though, what does "0 bytes to the right of 2592-byte region" mean? It ran off the end of the buf?
Comment 3 Christian Holler (:decoder) 2012-04-18 08:57:18 PDT
(In reply to Ralph Giles (:rillian) from comment #2)
> Help me out here though, what does "0 bytes to the right of 2592-byte
> region" mean? It ran off the end of the buf?

Yes, I assume it's an off-by-one error. Looking at the shadow data, it seems to be accessing one byte outside the valid memory:

0x100026df5754: fb
0x100026df5750: 00 00 00 00 fb fb fb fb

fb means the memory here is not valid.

The error message seems to confirm this: it says the memory region in question is [0x000136fab080,0x000136fabaa0) but 0x000136fabaa0 (which is not included, but the boundary) is accessed.
For the record, this is testing the patches in Bug 674225.
Comment 5 Ralph Giles (:rillian) 2012-04-18 09:12:28 PDT
I'd guess it's an off-by-many, actually. Looks like I missed a change when I last updated the patch.

Does applying https://github.com/rillian/firefox/commit/ba1bf373e3b71c5c71cee576aeb917a66cdce13d resolve the problem?
Comment 6 Christoph Diehl [:posidron] 2012-04-18 09:26:45 PDT
Yes, that did it.
Comment 7 Ralph Giles (:rillian) 2012-04-18 09:31:10 PDT
Ok, good. I'd say sorry for wasting your time, but this probably also explains why my try builds didn't work when local testing did!
Comment 8 Daniel Veditz [:dveditz] 2012-04-18 10:19:54 PDT
Based on comments 5-7, calling this "fixed" before it ever hit mozilla-central.