Issue 675080

Issue metadata

Status: WontFix
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Float-cast-overflow in blink::AudioParamTimeline::valuesForFrameRangeImpl

Project Member Reported by ClusterFuzz, Dec 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4643356933357568

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::AudioParamTimeline::valuesForFrameRangeImpl
  blink::AudioParamTimeline::valuesForFrameRange
  blink::AudioParamHandler::calculateTimelineValues
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.98 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95PPSL-ZnYNNoTinAeOrQ3l6nKOjCtY4OTuArPl-HWYNIl8azitxNzk9E_-x7g8V7LbYhuQntiGTLQ7y_JXtLNBUmt7vKzxH_T3chdw6KDb2qAU7Dzkh8zhnsZsjxN3RkFr0hPMgAXa3vXn3DT9IUMw3inGbA?testcase_id=4643356933357568
<script src=../resources/js-test.js></script>
<script src=resources/audio-testing.js></script>
<script>
  var sampleRate = 48000;
  var renderDuration = 0.125;
  var largeTime = 1e300;  // ramp end time, far beyond any frame index the renderer can represent
  var audit = Audit.createTaskRunner();

  // Leftover of a task the minimizer stripped; a no-op comma expression, kept as in the testcase.
  "linearRamp", function () {
  };

  audit.defineTask("exponentialRamp", function () {
    var graph = createGraph();
    // The huge end time is the input that triggers the float-cast-overflow in valuesForFrameRangeImpl.
    graph.gain.gain.exponentialRampToValueAtTime(.1, largeTime);
    graph.source.start();
    graph.context.startRendering();
  });
  audit.runTasks();

  function createGraph() {
    // 0.125 s at 48 kHz = 6000 frames; constant-1 source -> gain -> destination
    var context = new OfflineAudioContext(1, renderDuration * sampleRate, sampleRate);
    var src = context.createBufferSource();
    src.buffer = createConstantBuffer(context, 1, 1);
    var gain = context.createGain();
    src.connect(gain);
    gain.connect(context.destination);
    return {
      context: context,
      gain: gain,
      source: src
    };
  }
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>WebAudio
Labels: Test-Predator-Correct-CLs
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concerned owner from Findit results --
The result is a list of CLs that change the crashed files.

Author: lukasza
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/9d858647530db2c22e1267e443034d23f2e602d9
Time: Thu Dec 08 21:52:12 2016
Files AudioNodeInput.cpp, AudioNodeOutput.cpp are changed in this CL (and are part of stack frame #6, "blink::AudioNodeInput::sumAllConnections")
Minimum distance from crash line to modified line: 82. (file: AudioNodeOutput.cpp, crashed on: 136, modified: 54).

@lukasza -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by rtoy@chromium.org, Dec 22 2016

Cc: lukasza@chromium.org
Owner: rtoy@chromium.org
I'll take a look.

Comment 3 by rtoy@chromium.org, Dec 22 2016

Status: Started (was: Assigned)
Comment 4 by bugdroid1@chromium.org, Dec 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b5abf978ca7c77453c1932080bb5a823a48465ab

commit b5abf978ca7c77453c1932080bb5a823a48465ab
Author: rtoy <rtoy@chromium.org>
Date: Thu Dec 22 20:47:56 2016

Use double for time-related variables

This doesn't convert all time-related variables from float to double,
which requires a more careful examination.  (One such change changes
the test results.)  Only enough to fix the bug.

BUG=675080
TEST=None. Not testable in a layout test in a reasonable number of frames

Review-Url: https://codereview.chromium.org/2599813002
Cr-Commit-Position: refs/heads/master@{#440493}

[modify] https://crrev.com/b5abf978ca7c77453c1932080bb5a823a48465ab/third_party/WebKit/Source/modules/webaudio/AudioParamTimeline.cpp
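An added example, constructed here and not Blink's code, to show the class of defect the commit addresses and the shape of a defensive conversion: a time value of 1e300 seconds (the ramp end time in the reproducer above) cannot be held in a float, and casting the resulting frame position to an integer is the undefined behaviour UBSan reports as float-cast-overflow. The function names, the explicit range check and the clamping variant are assumptions of this example; only the 1e300 end time, the 48000 Hz sample rate and the 0.125 s render length come from the reproducer, and the page itself states only that the fix switched time-related variables to double.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <limits>

// Constructed example, not Blink code. A timeline event carries a time in
// seconds; rendering needs it as a frame index: time * sampleRate -> size_t.

// Narrowing check for the "before" shape, where the time is held in a float.
// 1e300 is far above FLT_MAX (~3.4e38), so storing it in a float already loses
// the value (it becomes +inf), and a later float -> integer cast of that value
// is the undefined behaviour UBSan reports as float-cast-overflow.
bool timeFitsInFloat(double time) {
    return std::isfinite(time) &&
           std::fabs(time) <= static_cast<double>(std::numeric_limits<float>::max());
}

// Checked conversion (this example's own addition): keep the time as a double,
// do the multiply in double, and cast only after proving the result is inside
// size_t's range. Returns false instead of casting when the value is NaN,
// infinite, negative or too large.
bool timeToFrame(double time, double sampleRate, size_t* outFrame) {
    if (!std::isfinite(time) || time < 0.0 || !(sampleRate > 0.0)) return false;
    const double frame = time * sampleRate;  // may round to +inf for absurd times
    // Converting size_t max to double lands at or just below 2^64, so a strict
    // "frame < maxFrame" is a safe bound either way; it also rejects NaN and +inf.
    const double maxFrame = static_cast<double>(std::numeric_limits<size_t>::max());
    if (!(frame < maxFrame)) return false;
    *outFrame = static_cast<size_t>(frame);
    return true;
}

// Clamping variant for a renderer: an event time past the end of the render
// just means "not reached in this render", so clamp to renderFrames rather
// than casting an out-of-range value.
size_t clampedFrame(double time, double sampleRate, size_t renderFrames) {
    size_t frame = 0;
    if (!timeToFrame(time, sampleRate, &frame) || frame > renderFrames) return renderFrames;
    return frame;
}

int main() {
    const double sampleRate = 48000.0;   // from the reproducer
    const size_t renderFrames = 6000;    // 0.125 s * 48000 Hz, as in the reproducer
    const double largeTime = 1e300;      // the ramp end time in the reproducer
    size_t f = 0;
    std::printf("1e300 fits in float: %d\n", timeFitsInFloat(largeTime));
    std::printf("timeToFrame(1e300) ok: %d\n", timeToFrame(largeTime, sampleRate, &f));
    std::printf("clampedFrame(1e300): %zu\n", clampedFrame(largeTime, sampleRate, renderFrames));
    std::printf("clampedFrame(0.0625): %zu\n", clampedFrame(0.0625, sampleRate, renderFrames));
    return 0;
}
```

Widening the storage type removes the narrowing that produced the out-of-range value, which is what the commit does; the range check and clamp shown here are the extra belt-and-braces layer that keeps an absurd event time from reaching an integer cast at all, and `-fsanitize=float-cast-overflow` is the flag that turns the remaining casts into a reportable finding during fuzzing.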

Comment 5 by ClusterFuzz, Jan 21 2017

Status: WontFix (was: Started)
ClusterFuzz testcase 4643356933357568 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.