
Issue 803810

Issue metadata

Status: Verified
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



CHECK failure: isfinite(mean_) in mean_variance_estimator.cc

Project Member Reported by ClusterFuzz, Jan 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6305600802914304

Fuzzer: libFuzzer_audio_processing_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isfinite(mean_) in mean_variance_estimator.cc
  rtc::FatalMessage::~FatalMessage
  webrtc::MeanVarianceEstimator::Update
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529629:529646

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6305600802914304

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 19 2018

Cc: ale...@webrtc.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

AEC-m and AEC-2 fuzzing. by aleloi@webrtc.org - https://webrtc.googlesource.com/src/+/ab20a6016c5d0798a00dd566c78f5f49065a9492

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

Comment 2 by aleloi@chromium.org, Jan 23 2018

Cc: mbonadei@chromium.org brajkumar@chromium.org peah@chromium.org
Issue 804634 has been merged into this issue.
Project Member

Comment 3 by bugdroid1@chromium.org, Jan 24 2018

The following revision refers to this bug:
  https://webrtc.googlesource.com/src.git/+/d2b5b1f5bae94c24cc279fe198ff28236821f1ac

commit d2b5b1f5bae94c24cc279fe198ff28236821f1ac
Author: Alex Loiko <aleloi@webrtc.org>
Date: Wed Jan 24 14:26:28 2018

Division by zero in NoiseSuppression.

This change handles a special case in NoiseSuppression. The special
case was found by the AudioProcessing fuzzer.

A const copy of the capture audio stream is sent to
NoiseSuppression::AnalyzeCaptureAudio. Then audio undergoes processing
by e.g. the echo canceller. Then it's processed by
NoiseSuppression::ProcessCaptureAudio.

The special case is when the following conditions are all satisfied:

* All stream samples are constantly zero in the call to
  AnalyzeCaptureAudio

* a processing component modifies it to be nonzero before the call to
  ProcessCaptureAudio

* The array NoiseSuppressionC::magnPrevAnalyze is filled with
  zeros. This holds after initialization.

In this case, there is a division by zero in WebRtcNs_ProcessCore. The
resulting NaN values pollute the output signal. They are only detected
several submodules later in the process chain. The NaN values cause
the EchoDetector to crash in debug mode.

There is special handling of the case when the signal is constant zero
in ProcessCore. This change avoids zero division by handling this
issue the same way.

Bug: chromium:803810 chromium:804634
Change-Id: I6d698dd0cd27e6d550b42085124300ce58533125
Reviewed-on: https://webrtc-review.googlesource.com/41282
Commit-Queue: Alex Loiko <aleloi@webrtc.org>
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21745}
[modify] https://crrev.com/d2b5b1f5bae94c24cc279fe198ff28236821f1ac/modules/audio_processing/ns/ns_core.c
[modify] https://crrev.com/d2b5b1f5bae94c24cc279fe198ff28236821f1ac/modules/audio_processing/ns/ns_core.h
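
The failure chain described in the commit message above, reduced to a small C model. This is an added example, not WebRTC code and not part of the original issue. The gain formula, the zero noise estimate, the pass-through guard and all function names are assumptions made for illustration.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

#define BINS 4 /* constructed frame size */

/* Hypothetical stand-in for a suppression filter: gain = s / (s + n). */
static void apply_gain(const float *prev_analyze, const float *noise,
                       float *frame, int guard) {
    if (guard) {
        /* Assumed handling: magnitudes are non-negative, so a zero sum means
           the analysis pass saw only zeros; leave the frame unfiltered. */
        float sum = 0.0f;
        for (size_t i = 0; i < BINS; i++) sum += prev_analyze[i];
        if (sum == 0.0f) return;
    }
    for (size_t i = 0; i < BINS; i++) {
        /* 0/0 is NaN under IEEE 754; nothing traps, the value flows on. */
        float gain = prev_analyze[i] / (prev_analyze[i] + noise[i]);
        frame[i] *= gain;
    }
}

/* Running mean standing in for a later submodule that checks isfinite(). */
static float update_mean(float mean, float x) {
    return mean + 0.1f * (x - mean);
}

/* Returns 1 if the downstream mean stays finite, 0 if NaN reached it. */
int chain_stays_finite(int guard) {
    float prev_analyze[BINS] = {0}; /* all zeros, as after initialization */
    float noise[BINS] = {0};        /* assumption: noise estimate also zero */
    /* Constructed frame: zero when analyzed, made nonzero by an earlier stage. */
    float frame[BINS] = {0.5f, -0.25f, 0.125f, 0.0f};
    float mean = 0.0f;

    apply_gain(prev_analyze, noise, frame, guard);
    for (size_t i = 0; i < BINS; i++) mean = update_mean(mean, frame[i]);
    return isfinite(mean) ? 1 : 0;
}

int main(void) {
    printf("unguarded: finite=%d\n", chain_stays_finite(0));
    printf("guarded:   finite=%d\n", chain_stays_finite(1));
    return 0;
}
```

The unguarded path fails only at the downstream finiteness check, which is why the crash state names the estimator and not the module that performed the division.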

Components: Blink>WebRTC
Project Member

Comment 5 by ClusterFuzz, Jan 26 2018

ClusterFuzz has detected this issue as fixed in range 531875:531882.

Detailed report: https://clusterfuzz.com/testcase?key=6305600802914304

Fuzzer: libFuzzer_audio_processing_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isfinite(mean_) in mean_variance_estimator.cc
  rtc::FatalMessage::~FatalMessage
  webrtc::MeanVarianceEstimator::Update
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529629:529646
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=531875:531882

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6305600802914304

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Jan 26 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 6305600802914304 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
