Issue 805832
Issue metadata

Status: Verified
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Undefined-shift in WebRtcAecm_ProcessBlock

Project Member Reported by ClusterFuzz, Jan 25 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5697909369864192

Fuzzer: libFuzzer_audio_processing_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  WebRtcAecm_ProcessBlock
  WebRtcAecm_ProcessFrame
  WebRtcAecm_Process
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=529631:529648

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5697909369864192

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 25 2018

Cc: ale...@webrtc.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

AEC-m and AEC-2 fuzzing. by aleloi@webrtc.org - https://webrtc.googlesource.com/src/+/ab20a6016c5d0798a00dd566c78f5f49065a9492

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 2 by bugdroid1@chromium.org, Jan 25 2018

The following revision refers to this bug:
  https://webrtc.googlesource.com/src.git/+/600bdb4adc89a0f326c4d3ec37b840378e989f26

commit 600bdb4adc89a0f326c4d3ec37b840378e989f26
Author: Alex Loiko <aleloi@webrtc.org>
Date: Thu Jan 25 12:26:51 2018

Undefined shifts.

This change

* replaces a left shift with multiplication, because the shiftee can
  be negative.

* replaces a right shift (a >> b) with the expression (b >= 32 ? 0 : a >> b)
  because a is a 32-bit value, and b can be >= 32.

cppreference quote relating to the second change:
"In any case, if the value of the right operand is
negative or is greater or equal to the number of bits in the promoted
left operand, the behavior is undefined."


Bug: chromium:805832 chromium:803078
Change-Id: I67db0c3fedb0af197b2205d424414a84f8fde474
Reviewed-on: https://webrtc-review.googlesource.com/43761
Reviewed-by: Oskar Sundbom <ossu@webrtc.org>
Commit-Queue: Alex Loiko <aleloi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21760}
[modify] https://crrev.com/600bdb4adc89a0f326c4d3ec37b840378e989f26/modules/audio_processing/aecm/aecm_core.cc
[modify] https://crrev.com/600bdb4adc89a0f326c4d3ec37b840378e989f26/modules/audio_processing/aecm/aecm_core_c.cc

Components: Blink>WebRTC
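The two rewrites the commit message describes, as a stand-alone C example added here (not WebRTC's code and not the commit's diff) so a reviewer can see the defined-behaviour forms and check them under a UBSan build; the function names scale_by_pow2, shr32_guarded and example_checks are this example's own, and it extends the fix's `b >= 32` guard with the negative-count case the quoted cppreference text also covers.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebRTC code. Build with
 *   clang -fsanitize=undefined -fno-sanitize-recover=undefined example.c
 * to have UBSan abort on any remaining undefined shift. */

/* Left-shifting a negative value is undefined in C. Multiplying by the
 * power of two is defined whenever the product fits; widening to int64_t
 * keeps the product in range for any int32_t value and 0 <= shift <= 31.
 * Assumption of this example: callers pass shift in that range. */
static int64_t scale_by_pow2(int32_t value, int shift) {
  return (int64_t)value * ((int64_t)1 << shift);
}

/* Right-shifting a 32-bit operand by a count >= 32 (or by a negative
 * count) is undefined. The fix uses (b >= 32 ? 0 : a >> b); this version
 * also treats a negative count as "shift everything out", returning 0. */
static int32_t shr32_guarded(int32_t value, int shift) {
  return (shift < 0 || shift >= 32) ? 0 : value >> shift;
}

/* Self-check mirroring the two input classes the commit calls out:
 * a negative shiftee for the left shift and an oversized count for the
 * right shift. The unguarded forms (-5 << 3, 0x7fffffff >> 40) would be
 * undefined and are deliberately never evaluated here. */
static int example_checks(void) {
  int ok = 1;
  ok &= (scale_by_pow2(-5, 3) == -40);         /* instead of -5 << 3 */
  ok &= (scale_by_pow2(INT32_MIN, 31) == (int64_t)INT32_MIN << 31);
  ok &= (shr32_guarded(0x7fffffff, 40) == 0);  /* instead of a >> 40 */
  ok &= (shr32_guarded(0x7fffffff, -1) == 0);  /* negative count */
  ok &= (shr32_guarded(1024, 10) == 1);        /* in-range count unchanged */
  return ok;
}

int main(void) {
  int ok = example_checks();
  printf("%s\n", ok ? "shift rewrites behave as expected" : "mismatch");
  return ok ? 0 : 1;
}
```

Note that `shr32_guarded` returns 0 for an oversized count, as the fix does; for a negative `value` an arithmetic shift would instead saturate to -1, so check which result the surrounding fixed-point code expects.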
Project Member

Comment 4 by ClusterFuzz, Jan 28 2018

ClusterFuzz has detected this issue as fixed in range 532192:532201.

Detailed report: https://clusterfuzz.com/testcase?key=5697909369864192

Fuzzer: libFuzzer_audio_processing_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  WebRtcAecm_ProcessBlock
  WebRtcAecm_ProcessFrame
  WebRtcAecm_Process
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=529631:529648
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=532192:532201

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5697909369864192

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jan 28 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 5697909369864192 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.