Undefined-shift in WebRtcSpl_SynthesisQMF
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5559609409929216
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yOi9snSonMODMbXGq6yV6zVSPO4TiOXk4DW6KUyKKmVO2VJlHrXIbjjpe5E17a8eVsSk8QURuwp4qNPl1IZDHo67pdGoWfaPwTp8-oVApxXMs63Nt_QgAXHIbquly8Yhe4RTfOEm2i8Evp84RkLSIRGSmAw
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5559609409929216
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yOi9snSonMODMbXGq6yV6zVSPO4TiOXk4DW6KUyKKmVO2VJlHrXIbjjpe5E17a8eVsSk8QURuwp4qNPl1IZDHo67pdGoWfaPwTp8-oVApxXMs63Nt_QgAXHIbquly8Yhe4RTfOEm2i8Evp84RkLSIRGSmAw
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 27 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948156408397824
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94xWpLnwUvZ3kMnVa8LIf0B5QBBTd2r53ZnfPJvZ5u0rNWIvge0BcIuREmvobl9_yICJAmE5N64mTPJSB_L1FxQl9IayPFlkhu4Ie9MibCqtZ0JqmfY4f9w2LhmLD7BvtzSfL1j12cpfkdDPOWu0mDZjXfZeA
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948156408397824
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97VAiSTUewyzOyWbvGVdVKHAl2tIi5GZCPBlYeJqA0zJVlsD2D2HRZjXSG-xpuOqXX4Sbomn12u_Z77b7y7YAvQCIMd6fRD-2XhUZW881txc4C3FiuLvAzHloyYxkQiAhCl_5R0c2NGUR8S9T0Z-G3XkPR2Sg?testcase_id=4948156408397824
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5611178470670336
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tu-cwc_PJS3jcEoGAPhtq10Q36bL44KrPHMo75kVIneohP5sIScn3G57eNl_uoYWwXh52dSJvsCXNKYzwFFpexzJP9ja0nK1WqQskAOgsE47xq8TX-6p4fne4J_4UgiTZSV04k-qcO4ZFva74QrdxQ-VaCw?testcase_id=5611178470670336
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4855375027503104
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZL-Qfk820BQya1nqfpMxXn5FSAuI6yKnjvE-PmbpS4OPw06mW8Kshx3DlwCccMgglkMrHmmDJz9wzE-KNxqzqZ_o49nEfnXzxEB8x8bxm6v6JqsMV3ndTe6O4XKxaLYpgzLtajqObewuGtiNccYViyOiPpQ?testcase_id=4855375027503104
Filer: rnimmagadda
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Gentle ping. @kwiberg: Could you please provide some update on this issue? Thank you.
Aug 17 2016
Tried to reproduce, but got an interesting error that I haven't seen before:
kwiberg@tummetott:~/webrtc5/src> gn gen out/Fuzzer --args='use_libfuzzer=true is_ubsan=true enable_nacl=false is_debug=false proprietary_codecs=true'
Done. Made 360 targets from 111 files in 164ms
[at this point I build in emacs, with ninja -j50 -C ~/webrtc5/src/out/Fuzzer/ audio_decoder_isac_fuzzer]
kwiberg@tummetott:~/webrtc5/src> ./out/Fuzzer/audio_decoder_isac_fuzzer ~/Downloads/fuzz-bug-614033 2>&1 | tools/valgrind/asan/asan_symbolize.py
../../buildtools/third_party/libc++/trunk/include/list:208:16: runtime error: downcast of address 0x000001010c68 with insufficient space for an object of type 'std::__1::__list_node<std::__1::pair<rtc::LogSink *, rtc::LoggingSeverity>, void *>'
0x000001010c68: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 72 08 00 00
^
#0 0x4072fe in __self ./out/Fuzzer/../../buildtools/third_party/libc++/trunk/include/list:208:16
#1 0x4072fe in __list_node_base ./out/Fuzzer/../../buildtools/third_party/libc++/trunk/include/list:203:0
#2 0x4072fe in __list_imp ./out/Fuzzer/../../buildtools/third_party/libc++/trunk/include/list:516:0
#3 0x4072fe in list ./out/Fuzzer/../../buildtools/third_party/libc++/trunk/include/list:779:0
#4 0x4072fe in __cxx_global_var_init.2 ./out/Fuzzer/../../webrtc/base/logging.cc:114:0
#5 0x4072fe in ?? ./out/Fuzzer/../../webrtc/base/logging.cc:0:0
#6 0x4947ac in __libc_csu_init ??:?
#7 0x7fecbd872ed4 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:246:0
#8 0x407378 in _start ??:?
WARNING: Failed to find function "__sanitizer_print_stack_trace".
INFO: Seed: 1231128267
./out/Fuzzer/audio_decoder_isac_fuzzer: Running 1 inputs 1 time(s) each.
Running: /usr/local/google/home/kwiberg/Downloads/fuzz-bug-614033
../../buildtools/third_party/libc++/trunk/include/list:549:25: runtime error: downcast of address 0x000001010c68 with insufficient space for an object of type 'std::__1::__list_node<std::__1::pair<rtc::LogSink *, rtc::LoggingSeverity>, void *>'
0x000001010c68: note: pointer points here
00 00 00 00 68 0c 01 01 00 00 00 00 68 0c 01 01 00 00 00 00 00 00 00 00 00 00 00 00 72 08 00 00
^
#0 0x493274 in end ./out/Fuzzer/../../buildtools/third_party/libc++/trunk/include/list:549:25
#1 0x493274 in end ./out/Fuzzer/../../buildtools/third_party/libc++/trunk/include/list:853:0
#2 0x493274 in UpdateMinLogSeverity ./out/Fuzzer/../../webrtc/base/logging.cc:334:0
#3 0x493205 in ?? ./out/Fuzzer/../../webrtc/base/logging.cc:235:3
#4 0x491c81 in InitializeWebRtcFuzzDefaults ./out/Fuzzer/../../webrtc/test/fuzzers/webrtc_fuzzer_main.cc:26:3
#5 0x491c81 in LLVMFuzzerTestOneInput ./out/Fuzzer/../../webrtc/test/fuzzers/webrtc_fuzzer_main.cc:38:0
#6 0x46fa11 in ExecuteCallback ./out/Fuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:512:13
#7 0x46e1bf in RunOne ./out/Fuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:468:3
#8 0x45e138 in RunOneTest ./out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:257:6
#9 0x4605c8 in FuzzerDriver ./out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:380:9
#10 0x47ce82 in ?? ./out/Fuzzer/../../third_party/libFuzzer/src/FuzzerMain.cpp:21:10
#11 0x7fecbd872f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
#12 0x407378 in _start ??:?
Executed /usr/local/google/home/kwiberg/Downloads/fuzz-bug-614033 in 0 ms
Any clue as to what may be the problem?
Aug 17 2016
s/is_ubsan=true/is_ubsan_security=true/
Aug 17 2016
That doesn't work, because WebRTC only has the blacklist for is_ubsan, not for is_ubsan_security.
Aug 17 2016
Per pbos@'s suggestion, I tried reproducing in a Chromium checkout instead of a WebRTC checkout. That solved the problem. CL up for review now: https://codereview.webrtc.org/2253943002/
Aug 18 2016
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/96bbdd585eb2ddd9fa11da01b46ae71d7be1672a

commit 96bbdd585eb2ddd9fa11da01b46ae71d7be1672a
Author: kwiberg <kwiberg@webrtc.org>
Date: Thu Aug 18 10:17:02 2016

WebRtcSpl_SynthesisQMF: Fix UBSan fuzzer bug (left shift of negative value)

BUG= chromium:614033
Review-Url: https://codereview.webrtc.org/2253943002
Cr-Commit-Position: refs/heads/master@{#13814}

[modify] https://crrev.com/96bbdd585eb2ddd9fa11da01b46ae71d7be1672a/webrtc/common_audio/signal_processing/splitting_filter.c
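The commit above names the defect class behind the "Undefined-shift" reports: a left shift of a negative signed value, which C leaves undefined (C11 6.5.7p4) and which UBSan flags when a fuzzer feeds the QMF synthesis filter a negative fixed-point intermediate. The following is an added illustration, not WebRTC's own splitting_filter.c (which this page does not show): it checks the precondition UBSan enforces and shows two replacements that stay defined for negative inputs, a checked multiply by a power of two and a saturating variant of the kind fixed-point DSP code usually wants. All function names and the sample values are constructed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebRTC code; function names are hypothetical.
 *
 * C11 6.5.7p4: for signed E1, E1 << E2 is defined only when E2 is in range,
 * E1 is non-negative and E1 * 2^E2 is representable. A negative E1, such as
 * a negative fixed-point sample, makes the expression undefined, which is
 * what UBSan reports as "Undefined-shift".
 * Returns 1 when `value << shift` is defined for int32_t, else 0. */
int int32_shl_is_defined(int32_t value, int shift) {
  if (shift < 0 || shift >= 32) return 0;   /* shift width out of range */
  if (value < 0) return 0;                  /* negative left operand */
  return value <= (INT32_MAX >> shift);     /* result must fit in int32 */
}

/* Defined replacement: multiply by 2^shift instead of shifting. The product
 * is formed in 64 bits so the overflow check itself cannot overflow.
 * Returns 1 and stores the result on success, 0 when the scaled value does
 * not fit (or shift is outside 0..30). */
int int32_scale_pow2(int32_t value, int shift, int32_t *out) {
  if (shift < 0 || shift > 30) return 0;
  int64_t wide = (int64_t)value * ((int64_t)1 << shift);
  if (wide > INT32_MAX || wide < INT32_MIN) return 0;
  *out = (int32_t)wide;
  return 1;
}

/* Saturating variant: an out-of-range intermediate clips to the int32 limit
 * of the matching sign rather than wrapping or aborting. Callers must pass a
 * shift in 0..30; anything else also clips, since the helper cannot tell
 * the two failure causes apart. */
int32_t int32_scale_pow2_sat(int32_t value, int shift) {
  int32_t out;
  if (int32_scale_pow2(value, shift, &out)) return out;
  return value < 0 ? INT32_MIN : INT32_MAX;
}

int main(void) {
  /* Constructed sample values covering the sign and range edge cases. */
  const int32_t samples[] = {5, -5, INT32_MAX, INT32_MIN};
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    printf("%12ld << 2: shift is %s, scaled (saturating) = %ld\n",
           (long)samples[i],
           int32_shl_is_defined(samples[i], 2) ? "defined" : "UNDEFINED",
           (long)int32_scale_pow2_sat(samples[i], 2));
  }
  return 0;
}
```

Compiling with `-fsanitize=undefined` would catch a raw `value << shift` on the negative inputs above at run time; the multiply form never trips the sanitizer, and on any mainstream compiler it still lowers to a shift instruction, so the change costs nothing in the hot loop.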
Aug 18 2016
That CL ought to fix the bug. Closing.
Aug 19 2016
ClusterFuzz has detected this issue as fixed in range 412724:412928.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4855375027503104
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=412724:412928
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZL-Qfk820BQya1nqfpMxXn5FSAuI6yKnjvE-PmbpS4OPw06mW8Kshx3DlwCccMgglkMrHmmDJz9wzE-KNxqzqZ_o49nEfnXzxEB8x8bxm6v6JqsMV3ndTe6O4XKxaLYpgzLtajqObewuGtiNccYViyOiPpQ?testcase_id=4855375027503104
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 19 2016
ClusterFuzz has detected this issue as fixed in range 412724:412928.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5611178470670336
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcSpl_SynthesisQMF
  Decode
  DecodeInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=412724:412928
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tu-cwc_PJS3jcEoGAPhtq10Q36bL44KrPHMo75kVIneohP5sIScn3G57eNl_uoYWwXh52dSJvsCXNKYzwFFpexzJP9ja0nK1WqQskAOgsE47xq8TX-6p4fne4J_4UgiTZSV04k-qcO4ZFva74QrdxQ-VaCw?testcase_id=5611178470670336
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 23 2016
Components: Blink>WebRTC>Audio
Owner: kwiberg@chromium.org