
Issue 758802


Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 718641




CHECK failure: timestamp_delta > base::TimeDelta() in source_buffer_range.cc

Reported by ClusterFuzz (Project Member), Aug 25 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4731411063111680

Fuzzer: libFuzzer_mediasource_WEBM_VP9_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  timestamp_delta > base::TimeDelta() in source_buffer_range.cc
  base::debug::DebugBreak
  media::SourceBufferRange::AdjustEstimatedDurationForNewAppend
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=497039:497107

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4731411063111680

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by mmoroz@chromium.org, Aug 29 2017

Cc: mmoroz@chromium.org wolenetz@chromium.org
Components: Internals>Media>Source
Owner: chcunningham@chromium.org
Status: Assigned (was: Untriaged)
=> chcunningham@ -- with this fuzzer case, we now should have a reliable repro. Please take a look.
See also potential duplicate bug 761567.
One approach I'm taking to fix bug 759336 also hits this DCHECK. I may take over fixing this issue since it's related.
Cc: chcunningham@chromium.org
Owner: wolenetz@chromium.org
I'll take a stab at fixing this one...
Status: Started (was: Assigned)

Comment 7 by bugdroid1@chromium.org, Sep 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c2b16265430412636e3856901ffafab66541d9b6

commit c2b16265430412636e3856901ffafab66541d9b6
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Sep 06 21:07:46 2017

MSE: Remove the +1us in SBS::PotentialNextAppendTimestamp()

That +1us was enough to trigger a problem when prepending a previous
buffer with a couple new buffers that are 1us long and are in their own
continuous coded frame group. Removing the +1us seems to fix the problem
without regressing any other test cases (caveat [0]). Also, removing the
+1us was previously tracked by bug 589295 as part of residual future
work leftover from relaxing the keyframe restriction (bug 249412). See
related CR comment thread [1].

New tests for this required microsecond-granularity timestamp and
duration test modifications, included too.

[0] An immediate result of this +1us removal is that both of the new test
    cases trigger bug 758802 (one more than before), so I fixed that issue
    in this CL as well: buffers can have 0 duration (consider WebM alt-ref).
    Fixing bug 758802 essentially lets estimated buffers be adjusted to
    have 0 duration minimum (instead of 1 microsecond minimum).

[1] https://codereview.chromium.org/1670033002/diff/80001/media/filters/source_buffer_stream.cc#newcode442

BUG=759336,589295,758802
TEST=2 new SourceBufferStreamTests, both of which failed prior to this CL;
fuzzer cases in 759336 and 758802 no longer repro locally.

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: If04dbdf605a3c6d4876afb015d521ad60863bafa
Reviewed-on: https://chromium-review.googlesource.com/651352
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500086}
[modify] https://crrev.com/c2b16265430412636e3856901ffafab66541d9b6/media/filters/source_buffer_range.cc
[modify] https://crrev.com/c2b16265430412636e3856901ffafab66541d9b6/media/filters/source_buffer_stream.cc
[modify] https://crrev.com/c2b16265430412636e3856901ffafab66541d9b6/media/filters/source_buffer_stream_unittest.cc
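The commit message above describes the failure mode behind the CHECK in the crash state: the last buffer of a range carries an estimated duration, that estimate is shrunk to the timestamp delta when the next buffer arrives, and the check required the delta to be strictly positive even though a zero-duration buffer (a WebM alt-ref frame sharing its timestamp) legitimately produces a delta of zero. The following is an added, simplified model of that adjustment, written for this page and not taken from Chromium's source_buffer_range.cc; the names Buffer, AdjustEstimatedDuration, AdjustStrict and AdjustRelaxed and the sample timestamps are all constructed. The CHECK is modelled as a returned status rather than a process abort so the two variants (1 us minimum, as before the fix, and 0 us minimum, as after it) can be compared side by side on the same input.

```cpp
// Added illustration, not Chromium code: a toy model of adjusting the
// estimated duration of the last buffer in a range when a new buffer is
// appended. All names and sample values below are constructed for this page.
#include <cstdint>
#include <iostream>
#include <vector>

using Microseconds = int64_t;

struct Buffer {
  Microseconds timestamp;       // presentation timestamp, in microseconds
  Microseconds duration;        // duration, in microseconds (may be 0)
  bool duration_is_estimated;   // true when the container gave no duration
};

enum class AdjustResult { kNoChange, kAdjusted, kWouldHaveFailedCheck };

// Shrinks the last buffer's estimated duration to the distance between its
// timestamp and the new buffer's. `minimum_duration` stands in for the CHECK:
// a delta below it is reported instead of aborting the process.
AdjustResult AdjustEstimatedDuration(std::vector<Buffer>& range,
                                     const Buffer& next,
                                     Microseconds minimum_duration) {
  if (range.empty()) return AdjustResult::kNoChange;
  Buffer& last = range.back();
  if (!last.duration_is_estimated) return AdjustResult::kNoChange;

  const Microseconds delta = next.timestamp - last.timestamp;
  // Strict variant (minimum 1): delta == 0 trips the check, which is what
  // the fuzzer found. Relaxed variant (minimum 0): a zero-duration buffer
  // is accepted. A negative delta is rejected by both.
  if (delta < minimum_duration) return AdjustResult::kWouldHaveFailedCheck;

  if (delta < last.duration) {
    last.duration = delta;  // the estimate was too long; tighten it
    return AdjustResult::kAdjusted;
  }
  return AdjustResult::kNoChange;
}

// Behaviour before the fix: estimated durations had a 1 us floor.
AdjustResult AdjustStrict(std::vector<Buffer>& range, const Buffer& next) {
  return AdjustEstimatedDuration(range, next, /*minimum_duration=*/1);
}

// Behaviour after the fix: estimated durations may be adjusted down to 0.
AdjustResult AdjustRelaxed(std::vector<Buffer>& range, const Buffer& next) {
  return AdjustEstimatedDuration(range, next, /*minimum_duration=*/0);
}

// Constructed sample: one buffer at 1000 us whose ~30 fps duration is only
// an estimate because the container did not supply one.
std::vector<Buffer> MakeSampleRange() {
  return {Buffer{1000, 33333, true}};
}

int main() {
  // Constructed alt-ref-like buffer: same timestamp as the last one, 0 long.
  const Buffer alt_ref{1000, 0, false};

  std::vector<Buffer> before = MakeSampleRange();
  std::cout << "strict:  "
            << (AdjustStrict(before, alt_ref) == AdjustResult::kWouldHaveFailedCheck
                    ? "check failed on delta == 0"
                    : "accepted")
            << "\n";

  std::vector<Buffer> after = MakeSampleRange();
  AdjustRelaxed(after, alt_ref);
  std::cout << "relaxed: last duration adjusted to " << after.back().duration
            << " us\n";
  return 0;
}
```

The strict variant reproduces the report's condition (a zero delta is treated as a violation), while the relaxed variant lets the estimate collapse to zero, which is the behaviour the commit describes. Anything that is not an append to the end of the range, such as the prepend case mentioned in the commit message, is outside this model.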

Blocking: 718641
Labels: M-63
Status: Fixed (was: Started)
#7 should fix this. Pending CF verification...

Comment 9 by ClusterFuzz, Sep 7 2017

ClusterFuzz has detected this issue as fixed in range 500028:500106.

Detailed report: https://clusterfuzz.com/testcase?key=4731411063111680

Fuzzer: libFuzzer_mediasource_WEBM_VP9_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  timestamp_delta > base::TimeDelta() in source_buffer_range.cc
  base::debug::DebugBreak
  media::SourceBufferRange::AdjustEstimatedDurationForNewAppend
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=497039:497107
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=500028:500106

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4731411063111680

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by ClusterFuzz, Sep 7 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4731411063111680 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 11 by ClusterFuzz, Sep 7 2017

ClusterFuzz has detected this issue as fixed in range 500028:500106.

Detailed report: https://clusterfuzz.com/testcase?key=4731411063111680

Fuzzer: libFuzzer_mediasource_WEBM_VP9_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  timestamp_delta > base::TimeDelta() in source_buffer_range.cc
  base::debug::DebugBreak
  media::SourceBufferRange::AdjustEstimatedDurationForNewAppend
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=497039:497107
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=500028:500106

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4731411063111680

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
