Crash in media::VideoFramePool::PoolImpl::CreateFrame
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5201588188086272

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv971r2gK4iFtUPgY0MqXNfHbnw5P-jJ2bsQfFZiliuOR7md27ALMjdwGpOqmrkv_iL5MjoAO9PDSCR5ibmvEI8ggFtPfitmSIs9rADk17Gb52Xj5A-epNQab0BL-RLMLta6VWg218MBxX-yrU4STQbskJz12ZA

Additional requirements: Requires HTTP

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 9 2016
,
Mar 10 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5201588188086272

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv971r2gK4iFtUPgY0MqXNfHbnw5P-jJ2bsQfFZiliuOR7md27ALMjdwGpOqmrkv_iL5MjoAO9PDSCR5ibmvEI8ggFtPfitmSIs9rADk17Gb52Xj5A-epNQab0BL-RLMLta6VWg218MBxX-yrU4STQbskJz12ZA

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5907509012856832

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dBt2JBb0saXvhv_tw901_MXBcXtr8M3f8dl3StmlkGq3nqKDoRKauKMIbbOV2jfMp2L_Cn2ealNfoyTccPZK9hv4XjIcVcXcLzgx02vuOPgoHcP4ZS2KZQLtZpy-9Lnrxh_X1_V0EJ4K25OJo9bn_lDc_Ig

Additional requirements: Requires HTTP

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 18 2016
,
Mar 18 2016
Hmm, this trace is crazy town. It's a null-deref on VideoFrame::format() it says, but we literally null-check the ref-counted VideoFrame right before this call. Not sure what might be going on here.
,
Mar 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6260462764687360

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96afiJ4iuJ-A93EGhKd_d21jpdY4LYUFCEc6InHdTORdr7P3brDtxOffcEnfm52J4CsFtGz6lrYg80CBrYPpHEbF13Ug4l5o3AUEl54ExKS6xuWLE-XOo4TAKKcUOmAR63QteQoToigADgUaAH6z1ggQZSQOA

Additional requirements: Requires HTTP

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 18 2016
Actually my analysis from last night is crazy town. WrapVideoFrame can return nullptr and is clearly doing so in this case. Chris, want to patch this up?
,
Mar 20 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6260462764687360

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96afiJ4iuJ-A93EGhKd_d21jpdY4LYUFCEc6InHdTORdr7P3brDtxOffcEnfm52J4CsFtGz6lrYg80CBrYPpHEbF13Ug4l5o3AUEl54ExKS6xuWLE-XOo4TAKKcUOmAR63QteQoToigADgUaAH6z1ggQZSQOA

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 21 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5907509012856832

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dBt2JBb0saXvhv_tw901_MXBcXtr8M3f8dl3StmlkGq3nqKDoRKauKMIbbOV2jfMp2L_Cn2ealNfoyTccPZK9hv4XjIcVcXcLzgx02vuOPgoHcP4ZS2KZQLtZpy-9Lnrxh_X1_V0EJ4K25OJo9bn_lDc_Ig

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5691291618246656

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94-7LTty1CaZDoctdb44A6nzVfPwMICPldXZaqG1u_HpdEezgk4dIH5tW3kBp6BvqfgCN7SrqEs-o_C1mkOVvVz7heoi98BArJuwZzEno1oLbipaS8Htac78rm5LLnCWkBvbhcWHpy29Bi9sMlGOlqqoYyROg

Additional requirements: Requires HTTP

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 23 2016
Sure thing. FYI, this is sort of a DUP of Issue 537435.
,
Jun 9 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5691291618246656

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97vFYgXhl8gKnMACE0JTw1uSwkShhlRYZ4R95B1ALJE07eNW3jWzCAWtUAFUa8Ap9tM2cI-s0ZufbloCZRpFwTIsWW0dzClk_5zNSkZkoXANaWF96gksKhb6gyexO_ZPSgIsB2weArH5Si_diHTFH2S-U19pw

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 10 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4651519400214528

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Pw-j9Qa87BDjVjfkQYyXsyMCMStZT5AeyjcxiT6BC3CLuVQRdtpnKlfcQja2M6uKndQ9s3Wu4ZyTdIt505601_rydu5fjLWek-31IoNA_0hSffBkLPuSEVXp3aqpYCHUf0rUZvJijGNVvCFR2DOknFrzfcA

Additional requirements: Requires HTTP

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 12 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4651519400214528

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Pw-j9Qa87BDjVjfkQYyXsyMCMStZT5AeyjcxiT6BC3CLuVQRdtpnKlfcQja2M6uKndQ9s3Wu4ZyTdIt505601_rydu5fjLWek-31IoNA_0hSffBkLPuSEVXp3aqpYCHUf0rUZvJijGNVvCFR2DOknFrzfcA

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 14 2016
Not fixed - I've not yet made any changes to check the nulls here.
,
Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 14 2016
,
Jun 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5960623687204864

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000c
Crash State:
  media::VideoFramePool::PoolImpl::CreateFrame
  media::VideoFramePool::CreateFrame
  media::FFmpegVideoDecoder::GetVideoBuffer

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=340078:341518

Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9518pR4FxJsgQR3D24CI-NZz3wMarUsxpFKbjFtaZj2__Vyf86GryyPQzXohbn0Amj3WbVWropOtQxS4t3cDucARFxTMZ7cXq--EY9KiyIeRBvGgDjRPehFzUQ1SVQ1m5FZcpEufiHzvbpSEk0TuGqH_I86KQ

Additional requirements: Requires HTTP

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 14 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
,
Oct 2 2017
+mmoroz, kcc - we could use some help with this one. It appears to be a null-deref on an object that is null-checked immediately prior?
,
Oct 2 2017
Do you mean the check on line 82: https://chromium.googlesource.com/chromium/src/+/a3658604ac48aaa8628237c42ffeaf9d197bf152/media/base/video_frame_pool.cc#82 then the crash happens on line 89, right? https://chromium.googlesource.com/chromium/src/+/a3658604ac48aaa8628237c42ffeaf9d197bf152/media/base/video_frame_pool.cc#89
,
Oct 2 2017
Durr, I do, but now that you've pointed that out I see how CreateZeroInitializedFrame() could fail :) I was stuck with an old memory of that function where it would only fail for OOM reasons, but it looks like that has changed and we haven't updated the code to match. Will send a small CL to fix. Sorry for the noise!
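An added example (not Chromium's code) modelling the pattern this thread describes: the comments attribute the null either to WrapVideoFrame or to CreateZeroInitializedFrame, so both stand-ins below are fallible, and the unchecked CreateFrame sits beside the hardened one. The VideoFrame struct, the 16384 dimension limit and the visible-rect rule are simplified assumptions for this example, not the media/ implementation.

```cpp
#include <memory>
#include <vector>

enum class PixelFormat { kI420, kUnknown };

// Stand-in for media::VideoFrame; the pixel buffer is shared with wrappers.
struct VideoFrame {
  PixelFormat fmt = PixelFormat::kUnknown;
  int coded_w = 0, coded_h = 0, visible_w = 0, visible_h = 0;
  std::shared_ptr<std::vector<unsigned char>> buf;
  PixelFormat format() const { return fmt; }
};

// Stand-in for VideoFrame::CreateZeroInitializedFrame(): it no longer fails only
// on OOM (the thread's old assumption) but also rejects unsupported geometry.
std::shared_ptr<VideoFrame> CreateZeroInitializedFrame(PixelFormat fmt, int w, int h) {
  if (fmt == PixelFormat::kUnknown || w <= 0 || h <= 0 || w > 16384 || h > 16384)
    return nullptr;  // 16384 is a constructed limit for this example
  auto f = std::make_shared<VideoFrame>();
  f->fmt = fmt; f->coded_w = f->visible_w = w; f->coded_h = f->visible_h = h;
  f->buf = std::make_shared<std::vector<unsigned char>>(static_cast<std::size_t>(w) * h * 3 / 2, 0);
  return f;
}

// Stand-in for VideoFrame::WrapVideoFrame(): shares |src|'s buffer, but returns
// null when the requested visible rect does not fit inside the coded size.
std::shared_ptr<VideoFrame> WrapVideoFrame(const std::shared_ptr<VideoFrame>& src, int vw, int vh) {
  if (vw <= 0 || vh <= 0 || vw > src->coded_w || vh > src->coded_h) return nullptr;
  auto w = std::make_shared<VideoFrame>(*src);
  w->visible_w = vw; w->visible_h = vh;
  return w;
}

// The reported pattern: |frame| is null-checked, the wrapper is not, so a failed
// wrap becomes a null dereference at wrapped->format().
std::shared_ptr<VideoFrame> CreateFrameUnchecked(PixelFormat fmt, int w, int h, int vw, int vh) {
  auto frame = CreateZeroInitializedFrame(fmt, w, h);
  if (!frame) return nullptr;
  auto wrapped = WrapVideoFrame(frame, vw, vh);
  return wrapped->format() == fmt ? wrapped : nullptr;
}

// Hardened form: every fallible step is checked before its result is used.
std::shared_ptr<VideoFrame> CreateFrame(PixelFormat fmt, int w, int h, int vw, int vh) {
  auto frame = CreateZeroInitializedFrame(fmt, w, h);
  if (!frame) return nullptr;
  auto wrapped = WrapVideoFrame(frame, vw, vh);
  if (!wrapped) return nullptr;
  return wrapped->format() == fmt ? wrapped : nullptr;
}
```

Calling CreateFrameUnchecked with a visible rect larger than the coded size reproduces the crash class from the report; CreateFrame returns null for the same input.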
,
Oct 2 2017
Cool, sounds good! :)
,
Oct 2 2017
Actually, this is fixed in ToT, per issue 648849, https://cs.chromium.org/chromium/src/media/base/video_frame_pool.cc?type=cs&q=video_frame_pool&sq=package:chromium&l=103 So I think we can just close this. CF has zero crashes in the stats for this.
,
Nov 7 2017
Comment 1 by nyerramilli@chromium.org, Mar 9 2016
Labels: -Type-Bug M-49 findit-wrong Te-Logged Type-Bug-Regression
Owner: tkent@chromium.org
Status: Assigned (was: Available)