CHECK failure: start <= end in source_buffer_range_by_pts.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5397511413170176
Fuzzer: libFuzzer_mediasource_WEBM_OPUS_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  start <= end in source_buffer_range_by_pts.cc
  media::SourceBufferRangeByPts::SameConfigThruRange
  media::SourceBufferStream<media::SourceBufferRangeByPts>::Seek
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=499783:499873
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5397511413170176

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jan 27 2018
Automatically adding ccs based on suspected regression changelists:
- [media] Report overflow from media::mp4::TimeDeltaFromRational() by sandersd@chromium.org - https://chromium.googlesource.com/chromium/src/+/2a46bc6d26418be826941cbe12b4bbf9c57cb186
- Reland "Implement Storage Id for encrypted media" by jrummell@chromium.org - https://chromium.googlesource.com/chromium/src/+/e5621c10a168129e43e8acaedbb4de48e311df14
- MSE: Expand pipeline integration fuzzer mimetype/codec coverage by wolenetz@chromium.org - https://chromium.googlesource.com/chromium/src/+/2ad785825859b6be6964d484a1d6a5f3f2c2ded5
If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Jan 29 2018
I have a local repro on tip-of-tree. Investigating...
Jan 29 2018
Wow. Very simple repro case. Looking into details and fix now.
Jan 29 2018
It also occurs in ByDts (if I disable the ByPts preliminary portion of the fuzzer case).
Jan 29 2018
It looks like this dates back to chcunningham@'s https://crrev.com/c5bf0429542b3. If seek time is 0, but that is well before the time of the range start that is being seeked to (e.g. RangeCanSeekTo(seek_time) returns true [in this case, because of large fudge room allowing 0 to be within range of seek_time]), then SameConfigThruRange(range start time, seek time) (>0, 0) is called, violating the DCHECK(start<=end). Fortunately, release code should gracefully handle this condition in both SBRByPts and SBRByDts; => P2. I'll have a fix out shortly for review.
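The ordering problem described in the comment above, as an added example that is not Chromium code and not part of the original bug thread: a reduced model of the Opus seek path in which a seek to 0 is accepted by a range that starts at 100 ms because of the fudge room, so the "same config through preroll" interval is computed with start > end. The range layout, the fudge room and preroll constants, and the `apply_fix` switch (which clamps the interval end to be no earlier than its start) are assumptions for illustration, not the values or code in source_buffer_stream.cc.

```cpp
// Added example: a reduced model of the MSE seek path described in the report.
// This is NOT Chromium code; the names loosely mirror the report and the
// constants are assumptions chosen to reproduce the ordering bug.
#include <algorithm>
#include <cstdint>
#include <vector>

struct Buffer {
  int64_t pts_ms;   // presentation timestamp
  int config_id;    // which audio decoder config this buffer needs
};

// One buffered range: buffers sorted by pts.
struct Range {
  std::vector<Buffer> buffers;
  int64_t StartMs() const { return buffers.front().pts_ms; }
  int64_t EndMs() const { return buffers.back().pts_ms; }
};

// Assumed constants (not Chromium's real values).
constexpr int64_t kFudgeRoomMs = 150;   // tolerance when matching a seek to a range
constexpr int64_t kOpusPrerollMs = 80;  // Opus needs decoder preroll before the seek point

// A seek slightly before a range's start still "can seek to" the range; this
// fudge room is what lets seek_ms = 0 match a range that starts at 100 ms.
bool RangeCanSeekTo(const Range& r, int64_t seek_ms) {
  return seek_ms >= r.StartMs() - kFudgeRoomMs && seek_ms <= r.EndMs();
}

// Result of the config check. precondition_ok == false models the
// DCHECK(start <= end) firing, i.e. the CHECK failure ClusterFuzz reported.
struct ConfigCheck {
  bool precondition_ok;
  bool same_config;
};

// True iff every buffer with start_ms <= pts <= end_ms shares one decoder config.
ConfigCheck SameConfigThruRange(const Range& r, int64_t start_ms, int64_t end_ms) {
  if (start_ms > end_ms) return {false, false};  // the violated precondition
  int first_config = -1;
  for (const Buffer& b : r.buffers) {
    if (b.pts_ms < start_ms || b.pts_ms > end_ms) continue;
    if (first_config == -1) {
      first_config = b.config_id;
    } else if (b.config_id != first_config) {
      return {true, false};
    }
  }
  return {true, true};
}

// Seek for Opus: walk back by the preroll (clamped to the range start) and
// require one config from the preroll point through the requested seek time.
ConfigCheck SeekOpus(const Range& r, int64_t seek_ms, bool apply_fix) {
  if (!RangeCanSeekTo(r, seek_ms)) return {true, false};  // nothing to check
  int64_t preroll_start = std::max(r.StartMs(), seek_ms - kOpusPrerollMs);
  // Without the fix the interval end is the raw seek time, which can sit
  // below the range start (seek 0 vs. a range starting at 100 ms).
  int64_t end = apply_fix ? std::max(preroll_start, seek_ms) : seek_ms;
  return SameConfigThruRange(r, preroll_start, end);
}

// Constructed sample: range 100..1000 ms, one config throughout.
Range ReportLikeRange() {
  return {{{100, 0}, {300, 0}, {600, 0}, {1000, 0}}};
}

// Constructed sample with a decoder config change at 200 ms.
Range ConfigChangeRange() {
  return {{{100, 0}, {150, 0}, {200, 1}, {400, 1}}};
}
```

With `ReportLikeRange()` and `seek_ms = 0`, `RangeCanSeekTo` is true, the preroll start clamps to 100 ms, and the unfixed call asks for the interval (100, 0), which trips the precondition; with `apply_fix` the interval becomes (100, 100) and the check passes. A seek to 200 ms in `ConfigChangeRange()` shows the check doing its real job: the interval (120, 200) spans a config change, so `same_config` is false without any ordering violation.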
Jan 31 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3e962244f4adfb5db03ad384dc072269de13c12d

commit 3e962244f4adfb5db03ad384dc072269de13c12d
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Jan 31 23:05:26 2018

MSE: Check a sane time interval for SameConfigThruRange on Opus

If seek time is well before the time of the range start that is being seeked to (e.g. RangeCanSeekTo(seek_time) returns true -- in this case due to large fudge room allowing seek time to seek to the range), then the check for same Opus decoder configuration through the preroll in advance of the seek time could be done with parameters that were out of order in time, start > end. This change modifies the call to RangeSameConfigThruRange to ensure end >= start.

Note: this issue affected both kinds of buffering (ByDts and ByPts).

BUG= 806545
TEST=CF case no longer repros. Added SBSTest.Audio_Opus_SeekToJustBeforeRangeStart

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I0b7da3c4f0b57153c00242a1961188ef2859423b
Reviewed-on: https://chromium-review.googlesource.com/892179
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533462}

[modify] https://crrev.com/3e962244f4adfb5db03ad384dc072269de13c12d/media/filters/source_buffer_stream.cc
[modify] https://crrev.com/3e962244f4adfb5db03ad384dc072269de13c12d/media/filters/source_buffer_stream_unittest.cc
Feb 1 2018
ClusterFuzz has detected this issue as fixed in range 533451:533471.

Detailed report: https://clusterfuzz.com/testcase?key=5397511413170176
Fuzzer: libFuzzer_mediasource_WEBM_OPUS_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  start <= end in source_buffer_range_by_pts.cc
  media::SourceBufferRangeByPts::SameConfigThruRange
  media::SourceBufferStream<media::SourceBufferRangeByPts>::Seek
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=499783:499873
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=533451:533471
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5397511413170176

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 1 2018
ClusterFuzz testcase 5397511413170176 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 27 2018. Labels: Test-Predator-Auto-Components