
Issue 644672

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 629481




Crash in media::VpxVideoDecoder::Initialize

Project Member Reported by ClusterFuzz, Sep 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5502463300075520

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000098c
Crash State:
  media::VpxVideoDecoder::Initialize
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=395717:395804

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95-8ufdtFaqoKG8g-yaLObja0e8CN3z_a7ONjSj8UMd2fW9quZx_cw2qWQi8eiRqYcs-Ej_u3WurLGbJY6TB2q_cw6hlhQPGtjhmyTxAPPC-sQLdblJKjCX7w0tdYsiVNT3vI87JiaxDwZ6O28w8xj2UtlPjA?testcase_id=5502463300075520

Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: jrumm...@chromium.org kcc@chromium.org dalecur...@chromium.org aizatsky@chromium.org
Components: Internals>Media>Video
Owner: mmoroz@chromium.org
I suppose that we should ignore crashes like this one and/or disable media_vpx_video_decoder_fuzzer for Debug build.

  DCHECK(config.IsValidConfig());

Looks like we will be hitting this almost 100% of times. Am I wrong?

An alternative way is to generate only valid configs (https://cs.chromium.org/chromium/src/media/filters/vpx_video_decoder_fuzzertest.cc?q=/vpx_video_decoder_fuzzertest.cc&sq=package:chromium&l=56) or at least hardcode a valid one.

Assigning this to myself until I figure out what to do.
One option is to simply call IsValidConfig() in vpx_video_decoder_fuzzertest, and if it fails, move on to the next iteration?

I looked at the code that validates configs, and it looks like there are a few conditions that could be fixed by changing the way the config is generated.
- codec_ != kUnknownVideoCodec (= 0), so avoid generating 0.
- avoid pixel_format == PIXEL_FORMAT_UNKNOWN (= 0).
- natural_size_.width() > 0 && natural_size_.height() > 0, so add 1 to the dimensions when creating it.
- actually it looks like all 3 (coded_size, visible_rect, and natural_size) need dimensions > 0.
- visible_rect <= coded_size, so make them the same, or use the coded_size values when generating visible_rect.
However, I don't know if adding these changes will improve the success rate.

The second error in the detailed report is "Called Decode() before successful Initialize()". It appears that Initialize() succeeds only if OnInitDone(true). That might be a second check that needs to be added.
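Added illustration (not code from the CL, the fuzzer, or Chromium): a stand-alone sketch of the generation constraints listed above. The Config type and its IsValidConfig() are a hypothetical mirror of the conditions in the comment, not media::VideoDecoderConfig, and the generator shapes raw fuzzer bytes so that every config it produces passes the check instead of tripping the DCHECK.

```cpp
// Added example, not Chromium code: hypothetical stand-ins for the config
// validation described in the thread, plus a generator that keeps every
// enum and dimension away from 0 and clamps visible_rect inside coded_size.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Size { int width; int height; };
struct Rect { int x; int y; int width; int height; };

struct Config {
  int codec;         // must be != 0 (kUnknownVideoCodec)
  int pixel_format;  // must be != 0 (PIXEL_FORMAT_UNKNOWN)
  Size coded_size;
  Rect visible_rect;
  Size natural_size;
  bool IsValidConfig() const {
    bool sizes_ok = coded_size.width > 0 && coded_size.height > 0 &&
                    visible_rect.width > 0 && visible_rect.height > 0 &&
                    natural_size.width > 0 && natural_size.height > 0;
    bool visible_within_coded =
        visible_rect.x >= 0 && visible_rect.y >= 0 &&
        visible_rect.x + visible_rect.width <= coded_size.width &&
        visible_rect.y + visible_rect.height <= coded_size.height;
    return codec != 0 && pixel_format != 0 && sizes_ok && visible_within_coded;
  }
};

// Byte reader; yields 0 once the input is exhausted (assumed behaviour).
class ByteReader {
 public:
  ByteReader(const uint8_t* data, size_t size) : data_(data), size_(size) {}
  uint8_t Next() { return pos_ < size_ ? data_[pos_++] : 0; }
 private:
  const uint8_t* data_; size_t size_; size_t pos_ = 0;
};

Config GenerateValidConfig(const uint8_t* data, size_t size) {
  ByteReader r(data, size);
  Config c;
  c.codec = (r.Next() % 7) + 1;                  // 1..7, never 0
  c.pixel_format = (r.Next() % 15) + 1;          // never 0
  c.coded_size = {r.Next() + 1, r.Next() + 1};   // 1..256 each
  int vw = (r.Next() % c.coded_size.width) + 1;  // 1..coded width
  int vh = (r.Next() % c.coded_size.height) + 1; // 1..coded height
  c.visible_rect = {0, 0, vw, vh};               // fits inside coded_size
  c.natural_size = {r.Next() + 1, r.Next() + 1};
  return c;
}

// True when every input in the corpus yields a config that validates.
bool AllValid(const std::vector<std::vector<uint8_t>>& corpus) {
  for (const auto& in : corpus)
    if (!GenerateValidConfig(in.data(), in.size()).IsValidConfig()) return false;
  return true;
}
```

The same reshaping applies to the "Called Decode() before successful Initialize()" case: only feed frames once Initialize() has reported success.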
Thanks jrummell@ for the detailed info.

I've tried to make it work in the following draft CL: https://codereview.chromium.org/2324843004

Not sure if we want to proceed with this approach, since it will affect Release build as well. On the other hand, running this with Release configuration looks interesting too. If we provide a valid config more often, we should get a better coverage, right?
Status: Assigned (was: Untriaged)

Comment 5 by mmoroz@google.com, Sep 28 2016

Blocking: 629481
Project Member

Comment 6 by ClusterFuzz, Oct 15 2016

ClusterFuzz has detected this issue as fixed in range 423792:423807.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5502463300075520

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000098c
Crash State:
  media::VpxVideoDecoder::Initialize
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=395717:395804
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423792:423807

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95-8ufdtFaqoKG8g-yaLObja0e8CN3z_a7ONjSj8UMd2fW9quZx_cw2qWQi8eiRqYcs-Ej_u3WurLGbJY6TB2q_cw6hlhQPGtjhmyTxAPPC-sQLdblJKjCX7w0tdYsiVNT3vI87JiaxDwZ6O28w8xj2UtlPjA?testcase_id=5502463300075520

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Oct 15 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by bugdroid1@chromium.org, Nov 9 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/29b3abb7b00ec613920892937199d39f684c9493

commit 29b3abb7b00ec613920892937199d39f684c9493
Author: mmoroz <mmoroz@chromium.org>
Date: Wed Nov 09 13:33:51 2016

Generate more valid configurations in media_vpx_video_decoder_fuzzer.

That helps to bypass some DCHECK()'s and to make the Debug build work.
Also that increases execution speed and helps to find new coverage.
Speed increased ~5-10 times. Also I see a lot of NEW testcases while
running locally both Debug and Release builds.

R=jrummell@chromium.org
BUG= 644672 

Review-Url: https://codereview.chromium.org/2324843004
Cr-Commit-Position: refs/heads/master@{#430921}

[modify] https://crrev.com/29b3abb7b00ec613920892937199d39f684c9493/media/filters/vpx_video_decoder_fuzzertest.cc

Project Member

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
