Undefined-shift in WebRtcIsacfix_NormLatticeFilterAr
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5574968700305408
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcIsacfix_NormLatticeFilterAr
  WebRtcIsacfix_DecodeImpl
  WebRtcIsacfix_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (4.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94fo11KKMg_UoBVvi4WlZdhNyK3vH9L7GCTw_Qlrhup0i8dpBgn376Xfff-Z-fY79zEYVvZFL0h27V1Yqa09fYC6CkD7BOcMBDNBrBHJthRvqIsD8MN-oXgPQGLEOIYmef9DihABHvsl9vSwYJyb-lggl_7Sg
Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 31 2016
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5574968700305408
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcIsacfix_NormLatticeFilterAr
  WebRtcIsacfix_DecodeImpl
  WebRtcIsacfix_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (4.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tv-j5LcEJq6gJp00EPXqcKU0xeWXjSVzrOPTUOwTQi7ZRkaWzdNwBBmxF2GxqBlmGOFJBgJivMWVX8crlQxCfC31wt8_AHCMReU83rRHsAm_i8-k3yuw4Db-FKHMO4_4whckbF-iN6keAnsimMYOPew2PLg?testcase_id=5574968700305408

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6293490074124288
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcIsacfix_NormLatticeFilterAr
  WebRtcIsacfix_DecodeImpl
  WebRtcIsacfix_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Minimized Testcase (6.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97PUxlf-uHsIzr-YouWRT0DtcmrB06NJUp8ivoGz5xJ8daHeCBVv7YlE6PuIJWeXkIOpJWbZf-4c2MvKoSSnrSAyrLBYw5zDcYN8ZcPg7uK4e7i54H0lHnQzVh8IID4naFnDojPm0gfgq0aXmhP63y2Cx3Kmg?testcase_id=6293490074124288
Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4837527156686848
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcIsacfix_NormLatticeFilterAr
  WebRtcIsacfix_DecodeImpl
  WebRtcIsacfix_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Minimized Testcase (1.82 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97W0xK0eWa77sPYbXzLGP12FEzIUEo5aKYEhUrDR72s6EcSK9TWOWjOjlfSmzA5c6ABDQ5ToTk9vieyLDvkR_f3lpOm4y_gHwXG4wx9QMySPacL-U44VBZ-lDa60euR3a1Ug6fro0qkT948A-vnz1kUOF31bg?testcase_id=4837527156686848
Filer: rnimmagadda

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Gentle ping. @kwiberg: Could you please provide an update on this issue? Thank you.
Aug 17 2016
The bot hits the following error:

    webrtc/modules/audio_coding/codecs/isac/fix/source/lattice.c:261:34: runtime error: left shift of 2506752 by 10 places cannot be represented in type int32_t

in this line of WebRtcIsacfix_NormLatticeFilterAr:

    /* Simulation of the 25 files shows that maximum value in
       the vector gain_lo_hiQ17[] is 441344, which means that
       it is log2((2^31)/441344) = 12.2 shifting bits from
       saturation. Therefore, it should be safe to use Q27 instead
       of Q17. */
    tmp32 = gain_lo_hiQ17[temp3] << 10; // Q27

:-)

Tina, please advise. I'm guessing we're not interested in doing something as drastic as not using Q27 here? Would saturating be reasonable?
Sep 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/2b1b7a83ad377b8540096d96c472f12bceed8172

commit 2b1b7a83ad377b8540096d96c472f12bceed8172
Author: kwiberg <kwiberg@webrtc.org>
Date: Fri Sep 09 12:51:33 2016

iSAC fix: Ignore overflow in signed left shift

A left shift by 10 was assumed to never overflow, since "[s]imulation of the 25 files shows that maximum value in the vector gain_lo_hiQ17[] is 441344, which means that it is log2((2^31)/441344) = 12.2 shifting bits from saturation." However, a fuzzer test succeeded in provoking an overflow, which we ignore in this CL on the theory that only "abnormal" inputs cause overflow.

Also had to replace a "foo << 1" with "foo * (1 << 1)" in WEBRTC_SPL_MUL_16_32_RSFT15 because foo could be negative; this problem showed up as soon as I'd asked UBSan to ignore the overflow discussed above.

BUG= chromium:615819
Review-Url: https://codereview.webrtc.org/2314413002
Cr-Commit-Position: refs/heads/master@{#14162}

[modify] https://crrev.com/2b1b7a83ad377b8540096d96c472f12bceed8172/webrtc/common_audio/signal_processing/include/signal_processing_library.h
[modify] https://crrev.com/2b1b7a83ad377b8540096d96c472f12bceed8172/webrtc/modules/audio_coding/codecs/isac/fix/source/lattice.c
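Both the `gain_lo_hiQ17[temp3] << 10` shift that UBSan flagged in kwiberg's comment and the `foo << 1` with a negative `foo` mentioned in the commit message fall under the same C rule: a left shift of a signed operand is undefined when the operand is negative or when the result does not fit the type. The following C is an added example, not WebRTC code; the helper names (`shl_fits_int32`, `shl_wrap_int32`, `shl_sat_int32`, `times_pow2`) are assumed for illustration. It checks whether a Q17 to Q27 shift is defined, computes the wrap-around that "ignoring the overflow" effectively accepts, and computes the saturating alternative that was floated in the thread, using the two values the page reports (2506752 from the UBSan message, 441344 from the source comment) plus a constructed negative operand.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebRTC code. Function names are assumed for this
 * illustration. The first two constants are the values reported on the
 * page: the operand UBSan flagged and the maximum the source comment
 * relied on. */
#define UBSAN_FLAGGED_Q17   2506752   /* from the runtime error message */
#define SIMULATED_MAX_Q17   441344    /* from the comment in lattice.c */
#define Q17_TO_Q27_SHIFT    10

/* True iff `x << shift` is defined for a signed 32-bit operand: the C
 * standard requires a non-negative operand and a representable result. */
bool shl_fits_int32(int32_t x, unsigned shift) {
    if (shift >= 31 || x < 0) return false;
    return x <= (INT32_MAX >> shift);
}

/* Wrapping shift with defined behaviour: shift on uint32_t so that an
 * oversized or negative operand wraps modulo 2^32 instead of being UB.
 * This is the arithmetic that "ignoring the overflow" accepts. */
int32_t shl_wrap_int32(int32_t x, unsigned shift) {
    return (int32_t)((uint32_t)x << shift);
}

/* Saturating shift: the alternative raised in the thread. Results outside
 * int32_t clamp to INT32_MAX / INT32_MIN instead of wrapping. The lower
 * bound is derived without right-shifting a negative value. */
int32_t shl_sat_int32(int32_t x, unsigned shift) {
    if (shift >= 31) return x == 0 ? 0 : (x < 0 ? INT32_MIN : INT32_MAX);
    int32_t hi = INT32_MAX >> shift;
    int32_t lo = -hi - 1;                    /* INT32_MIN / 2^shift, exactly */
    if (x > hi) return INT32_MAX;
    if (x < lo) return INT32_MIN;
    return (int32_t)((uint32_t)x << shift);  /* in range, so exact */
}

/* The commit's `foo * (1 << 1)` rewrite, generalised to 2^k: multiplying a
 * negative operand by a power of two is defined as long as the product
 * fits, whereas `foo << k` with negative foo is not. */
int32_t times_pow2(int32_t foo, unsigned k) {
    return foo * (1 << k);
}

int main(void) {
    /* Constructed inputs: the two page values and a negative operand. */
    int32_t q17[] = { SIMULATED_MAX_Q17, UBSAN_FLAGGED_Q17, -3 };
    for (size_t i = 0; i < sizeof q17 / sizeof q17[0]; i++) {
        int32_t x = q17[i];
        printf("Q17 %10d << %d: fits=%d wrap=%11d sat=%11d\n",
               x, Q17_TO_Q27_SHIFT, shl_fits_int32(x, Q17_TO_Q27_SHIFT),
               shl_wrap_int32(x, Q17_TO_Q27_SHIFT),
               shl_sat_int32(x, Q17_TO_Q27_SHIFT));
    }
    return 0;
}
```

The flagged operand is exactly 2506752 * 1024 = 2566914048, above INT32_MAX (2147483647); the wrapping form turns it into a large negative gain, while the saturating form pins it at INT32_MAX. Which of the two is acceptable is a codec-quality question, not a memory-safety one, which is why the thread treats it as a choice rather than a crash.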
Sep 9 2016
The commit in comment #8 should fix the bug.
Sep 14 2016
ClusterFuzz has detected this issue as fixed in range 418188:418225.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4837527156686848
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcIsacfix_NormLatticeFilterAr
  WebRtcIsacfix_DecodeImpl
  WebRtcIsacfix_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=418188:418225
Minimized Testcase (1.82 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97W0xK0eWa77sPYbXzLGP12FEzIUEo5aKYEhUrDR72s6EcSK9TWOWjOjlfSmzA5c6ABDQ5ToTk9vieyLDvkR_f3lpOm4y_gHwXG4wx9QMySPacL-U44VBZ-lDa60euR3a1Ug6fro0qkT948A-vnz1kUOF31bg?testcase_id=4837527156686848

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 14 2016
ClusterFuzz has detected this issue as fixed in range 418188:418225.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6293490074124288
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  WebRtcIsacfix_NormLatticeFilterAr
  WebRtcIsacfix_DecodeImpl
  WebRtcIsacfix_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=418188:418225
Minimized Testcase (6.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97PUxlf-uHsIzr-YouWRT0DtcmrB06NJUp8ivoGz5xJ8daHeCBVv7YlE6PuIJWeXkIOpJWbZf-4c2MvKoSSnrSAyrLBYw5zDcYN8ZcPg7uK4e7i54H0lHnQzVh8IID4naFnDojPm0gfgq0aXmhP63y2Cx3Kmg?testcase_id=6293490074124288

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 30 2016
Components: Blink>WebRTC>Audio
Labels: -Pri-1 Pri-2
Owner: pbos@chromium.org