CHECK failure: IsRangeListSorted(ranges_) in source_buffer_stream.cc

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6097053263593472

Fuzzer: libFuzzer_mediasource_MP2T_MP3_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  IsRangeListSorted(ranges_) in source_buffer_stream.cc
  media::SourceBufferStream<media::SourceBufferRangeByDts>::Append
  media::ChunkDemuxerStream::Append

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529129:529141

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6097053263593472

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jan 13 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/03c6fb32c54b64bb9424b7e2dbdf8753e409e7ce (MSE: Improve sorted range checking in debug builds). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Jan 16 2018
Investigating... Such can indicate my fixes for bug 791095 haven't fully fixed that problem.
Jan 16 2018
Jan 16 2018
I have a confirmed local repro.
Jan 16 2018
The repro case passes the ByPts version; it hits the DCHECK when buffering ByDts. Investigating further.
Jan 16 2018
A precisely overlapping buffer of the previously appended buffer (continuous in same MSE coded frame group, when buffering by Dts) appears to trigger the problem. This doesn't seem to be specific to mp2ts at first glance. I'll investigate further and work on a fix.
Jan 16 2018
Fix is in review: https://chromium-review.googlesource.com/c/chromium/src/+/867972
Jan 17 2018
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cfe1e5f7d7aafa697a51d137b955fd0c40667c1d

commit cfe1e5f7d7aafa697a51d137b955fd0c40667c1d
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Jan 17 05:32:18 2018

MSE: Prevent disjoint (but adjacent) ranges in a ByDts case

Like many cases fixed by bug 791095, this change fixes another case where a set of buffered ranges [a,b) [b,c) might result from a sequence of appends to the MSE API.

This fix expands an additional MergeWithAdjacentRangeIfNecessary() call in SBS::Append() to occur not just when buffering by PTS, but also when buffering by DTS.

New unit tests are included that demonstrated the fault prior to the rest of this change, in both sequence and segments mode when buffering by DTS.

With this change, the clusterfuzz case in bug 801796 no longer repros.

BUG=801796, 791095
TEST=SourceBufferStreamTest.PreciselyOverlapLastAudioFrameAppended_*
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: Icf103726b5220d021519c1fce086a06f87c48161
Reviewed-on: https://chromium-review.googlesource.com/867972
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529628}

[modify] https://crrev.com/cfe1e5f7d7aafa697a51d137b955fd0c40667c1d/media/filters/source_buffer_stream.cc
[modify] https://crrev.com/cfe1e5f7d7aafa697a51d137b955fd0c40667c1d/media/filters/source_buffer_stream_unittest.cc
[modify] https://crrev.com/cfe1e5f7d7aafa697a51d137b955fd0c40667c1d/media/test/pipeline_integration_fuzzertest.cc
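The range-list invariant and the merge-on-append step that the commit message above describes, as an added example that is not Chromium's code and not part of the original thread. It is a simplified model over plain half-open intervals: `Range`, `IsStrictlySorted`, `MergeWithNeighbours` and `Append` are hypothetical names, and the strict check is an assumption based on the commit message treating [a,b) [b,c) as the fault state.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model (hypothetical names): a buffered range is a half-open
// interval [start, end) of timestamps in microseconds.
struct Range { int64_t start; int64_t end; };
using RangeList = std::vector<Range>;

// Strict invariant (assumed): each range starts strictly after the previous
// one ends, so adjacent [a,b) [b,c) is rejected along with true overlaps.
bool IsStrictlySorted(const RangeList& ranges) {
  for (size_t i = 1; i < ranges.size(); ++i)
    if (ranges[i].start <= ranges[i - 1].end) return false;
  return true;
}

// Coalesce the range at `idx` with any neighbours that touch or overlap it.
void MergeWithNeighbours(RangeList& ranges, size_t idx) {
  while (idx + 1 < ranges.size() && ranges[idx + 1].start <= ranges[idx].end) {
    ranges[idx].end = std::max(ranges[idx].end, ranges[idx + 1].end);
    ranges.erase(ranges.begin() + idx + 1);
  }
  while (idx > 0 && ranges[idx].start <= ranges[idx - 1].end) {
    ranges[idx - 1].end = std::max(ranges[idx - 1].end, ranges[idx].end);
    ranges.erase(ranges.begin() + idx);
    --idx;
  }
}

// Insert `r` in start order. `merge_adjacent` models the append path with
// (true) and without (false) the merge step applied afterwards.
RangeList Append(RangeList ranges, Range r, bool merge_adjacent) {
  auto pos = std::lower_bound(ranges.begin(), ranges.end(), r,
      [](const Range& a, const Range& b) { return a.start < b.start; });
  size_t idx = static_cast<size_t>(pos - ranges.begin());
  ranges.insert(pos, r);
  if (merge_adjacent) MergeWithNeighbours(ranges, idx);
  return ranges;
}

int main() {
  RangeList buffered = {{0, 1000}, {5000, 6000}};  // constructed sample data
  for (bool merge : {false, true}) {
    RangeList out = Append(buffered, {1000, 2000}, merge);
    std::printf("merge=%d ranges=%zu strictly_sorted=%d\n", merge,
                out.size(), IsStrictlySorted(out));
  }
}
```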
Jan 17 2018
ClusterFuzz has detected this issue as fixed in range 529616:529629.

Detailed report: https://clusterfuzz.com/testcase?key=6097053263593472

Fuzzer: libFuzzer_mediasource_MP2T_MP3_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  IsRangeListSorted(ranges_) in source_buffer_stream.cc
  media::SourceBufferStream<media::SourceBufferRangeByDts>::Append
  media::ChunkDemuxerStream::Append

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529129:529141
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529616:529629

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6097053263593472

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 17 2018
ClusterFuzz testcase 6097053263593472 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 13 2018
Labels: Test-Predator-Auto-Components