Float-cast-overflow in blink::AudioParamTimeline::valuesForFrameRangeImpl
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4643356933357568

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::AudioParamTimeline::valuesForFrameRangeImpl
  blink::AudioParamTimeline::valuesForFrameRange
  blink::AudioParamHandler::calculateTimelineValues

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.98 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95PPSL-ZnYNNoTinAeOrQ3l6nKOjCtY4OTuArPl-HWYNIl8azitxNzk9E_-x7g8V7LbYhuQntiGTLQ7y_JXtLNBUmt7vKzxH_T3chdw6KDb2qAU7Dzkh8zhnsZsjxN3RkFr0hPMgAXa3vXn3DT9IUMw3inGbA?testcase_id=4643356933357568

<script src=../resources/js-test.js></script>
<script src=resources/audio-testing.js></script>
<script>
// Render 0.125 s at 48 kHz (6000 frames) in an OfflineAudioContext.
var sampleRate = 48000;
var renderDuration = 0.125;
// Ramp end time far beyond anything that fits in a frame index.
var largeTime = 1e300;
var audit = Audit.createTaskRunner();

// No-op statement left behind by testcase minimization.
"linearRamp", function () { };

audit.defineTask("exponentialRamp", function () {
  var graph = createGraph();
  // Schedule an exponential ramp that ends at the huge time. The crash
  // state above places the overflow in valuesForFrameRangeImpl while the
  // timeline's per-frame values are computed.
  graph.gain.gain.exponentialRampToValueAtTime(.1, largeTime);
  graph.source.start();
  graph.context.startRendering();
});

audit.runTasks();

function createGraph() {
  var context = new OfflineAudioContext(1, renderDuration * sampleRate, sampleRate);
  var src = context.createBufferSource();
  // Constant buffer of 1s so the gain ramp is the only varying signal.
  src.buffer = createConstantBuffer(context, 1, 1);
  var gain = context.createGain();
  src.connect(gain);
  gain.connect(context.destination);
  return { context: context, gain: gain, source: src };
}
</script>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 22 2016
I'll take a look.
Dec 22 2016
Dec 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b5abf978ca7c77453c1932080bb5a823a48465ab

commit b5abf978ca7c77453c1932080bb5a823a48465ab
Author: rtoy <rtoy@chromium.org>
Date: Thu Dec 22 20:47:56 2016

Use double for time-related variables

This doesn't convert all time-related variables from float to double, which requires a more careful examination. (One such change changes the test results.) Only enough to fix the bug.

BUG= 675080
TEST=None. Not testable in a layout test in a reasonable number of frames

Review-Url: https://codereview.chromium.org/2599813002
Cr-Commit-Position: refs/heads/master@{#440493}

[modify] https://crrev.com/b5abf978ca7c77453c1932080bb5a823a48465ab/third_party/WebKit/Source/modules/webaudio/AudioParamTimeline.cpp
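The testcase passes a ramp end time of 1e300 to the API, and the fix above keeps time arithmetic in double. UBSan's float-cast-overflow fires when a floating-point value outside the destination integer type's range is converted, which is undefined behaviour in C++. The C++ below is an added example, not Chromium's code: a hypothetical safeTimeToFrame helper showing the defensive pattern of deciding and saturating in floating point before converting, using the testcase's sample rate and its 6000-frame render length (0.125 s at 48 kHz).

```cpp
#include <cmath>
#include <cstddef>
#include <limits>

// Hypothetical helper (not Blink's code): convert an audio time in
// seconds to a frame index without ever performing an out-of-range
// floating-point to integer conversion. That conversion is undefined
// behaviour in C++, and UBSan reports it as float-cast-overflow, the
// crash type in this report.
//
// Policy: NaN and negative times map to frame 0; times at or beyond
// maxFrame saturate to maxFrame.
size_t safeTimeToFrame(double timeSeconds, double sampleRate, size_t maxFrame) {
    // Keep the arithmetic in double, in the spirit of the fix above.
    // A float intermediate would already have turned 1e300 into +inf.
    const double frame = timeSeconds * sampleRate;

    // Unchecked version for contrast (never executed here):
    //   return static_cast<size_t>(frame);  // UB when frame is NaN or
    //                                       // outside size_t's range
    if (std::isnan(frame) || frame <= 0.0)
        return 0;
    // Decide in floating point first; the conversion is only performed
    // once the value is known to lie inside [0, maxFrame).
    if (frame >= static_cast<double>(maxFrame))
        return maxFrame;
    return static_cast<size_t>(frame);
}

int main() {
    // Values taken from the testcase: 48 kHz, 0.125 s render (6000 frames).
    const double sampleRate = 48000.0;
    const size_t renderFrames = 6000;
    size_t inRange = safeTimeToFrame(0.0625, sampleRate, renderFrames);  // 3000
    size_t huge = safeTimeToFrame(1e300, sampleRate, renderFrames);      // 6000 (saturated)
    return (inRange == 3000 && huge == renderFrames) ? 0 : 1;
}
```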
Jan 21 2017
ClusterFuzz testcase 4643356933357568 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Dec 22 2016
Components: Blink>WebAudio
Labels: Test-Predator-Correct-CLs
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)