Issue 806545

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

CHECK failure: start <= end in source_buffer_range_by_pts.cc

Project Member Reported by ClusterFuzz, Jan 27 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5397511413170176

Fuzzer: libFuzzer_mediasource_WEBM_OPUS_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  start <= end in source_buffer_range_by_pts.cc
  media::SourceBufferRangeByPts::SameConfigThruRange
  media::SourceBufferStream<media::SourceBufferRangeByPts>::Seek
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=499783:499873

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5397511413170176

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 27 2018

Components: Internals>Media
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Project Member

Comment 2 by ClusterFuzz, Jan 27 2018

Cc: jrumm...@chromium.org sande...@chromium.org wolenetz@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

[media] Report overflow from media::mp4::TimeDeltaFromRational() by sandersd@chromium.org - https://chromium.googlesource.com/chromium/src/+/2a46bc6d26418be826941cbe12b4bbf9c57cb186

Reland "Implement Storage Id for encrypted media" by jrummell@chromium.org - https://chromium.googlesource.com/chromium/src/+/e5621c10a168129e43e8acaedbb4de48e311df14

MSE: Expand pipeline integration fuzzer mimetype/codec coverage by wolenetz@chromium.org - https://chromium.googlesource.com/chromium/src/+/2ad785825859b6be6964d484a1d6a5f3f2c2ded5

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Owner: wolenetz@chromium.org
Status: Assigned (was: Untriaged)
Labels: M-66
Status: Started (was: Assigned)
I have a local repro on tip-of-tree. Investigating...
Wow. Very simple repro case. Looking into details and fix now.
It also occurs in ByDts (if I disable the ByPts preliminary portion of the fuzzer case).
Cc: chcunningham@chromium.org
Components: -Internals>Media Internals>Media>Source
It looks like this dates back to chcunningham@'s https://crrev.com/c5bf0429542b3.

If seek time is 0, but that is well before the time of the range start that is being seeked to (e.g. RangeCanSeekTo(seek_time) returns true [in this case, because of large fudge room allowing 0 to be within range of seek_time]), then SameConfigThruRange(range start time, seek time) (>0, 0) is called, violating the DCHECK(start <= end).

Fortunately, release code should gracefully handle this condition in both SBRByPts and SBRByDts; => P2.

I'll have a fix out shortly for review.
Labels: -Pri-1 Pri-2

Project Member

Comment 11 by bugdroid1@chromium.org, Jan 31 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3e962244f4adfb5db03ad384dc072269de13c12d

commit 3e962244f4adfb5db03ad384dc072269de13c12d
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Jan 31 23:05:26 2018

MSE: Check a sane time interval for SameConfigThruRange on Opus

If seek time is well before the time of the range start that is being
seeked to (e.g. RangeCanSeekTo(seek_time) returns true -- in this case
due to large fudge room allowing seek time to seek to the range), then
the check for same Opus decoder configuration through the preroll in
advance of the seek time could be done with parameters that were out of
order in time, start > end.

This change modifies the call to RangeSameConfigThruRange to ensure end
>= start. Note: this issue affected both kinds of buffering (ByDts and
ByPts).

BUG=806545
TEST=CF case no longer repros. Added SBSTest.Audio_Opus_SeekToJustBeforeRangeStart

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I0b7da3c4f0b57153c00242a1961188ef2859423b
Reviewed-on: https://chromium-review.googlesource.com/892179
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533462}
[modify] https://crrev.com/3e962244f4adfb5db03ad384dc072269de13c12d/media/filters/source_buffer_stream.cc
[modify] https://crrev.com/3e962244f4adfb5db03ad384dc072269de13c12d/media/filters/source_buffer_stream_unittest.cc

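A toy model of the seek path described in the comment above and in the commit message, added here as an example; it is not Chromium's code, and the names (Buffer, BufferedRange, kSeekFudgeRoomMs, SeekBeforeFix, SeekAfterFix) and the clamp-with-std::max shape of the fix are assumptions. It shows how a seek that reaches a range only through fudge room hands SameConfigThruRange an interval with start > end, and how clamping the end to the range start removes that case.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <vector>

// Toy model of the seek path in this bug (hypothetical names, not Chromium
// code). Timestamps are in ms; config_id stands in for the Opus decoder config.
struct Buffer { int64_t pts_ms; int config_id; };
struct BufferedRange {
  std::vector<Buffer> buffers;  // sorted by presentation timestamp
  int64_t StartTimestamp() const { return buffers.front().pts_ms; }
  int64_t EndTimestamp() const { return buffers.back().pts_ms; }
};
// Fudge room lets a seek slightly before the range start still resolve to that
// range (constructed value; the real allowance is stream specific).
const int64_t kSeekFudgeRoomMs = 500;
bool RangeCanSeekTo(const BufferedRange& r, int64_t seek_ms) {
  return seek_ms >= r.StartTimestamp() - kSeekFudgeRoomMs &&
         seek_ms <= r.EndTimestamp();
}
struct CheckResult { bool precondition_ok; bool same_config; };
// True if every buffer with start <= pts <= end shares one config. The
// precondition start <= end is reported, not DCHECKed, so a test can observe it.
CheckResult SameConfigThruRange(const BufferedRange& r, int64_t start,
                                int64_t end) {
  if (start > end) return {false, false};  // the CHECK failure in the report
  int config = -1;
  for (const Buffer& b : r.buffers) {
    if (b.pts_ms < start || b.pts_ms > end) continue;
    if (config == -1) config = b.config_id;
    else if (b.config_id != config) return {true, false};
  }
  return {true, true};
}
// Before the fix: the raw seek time becomes the interval end, so a seek that
// reaches the range only through fudge room yields start > end.
CheckResult SeekBeforeFix(const BufferedRange& r, int64_t seek_ms) {
  assert(RangeCanSeekTo(r, seek_ms));
  return SameConfigThruRange(r, r.StartTimestamp(), seek_ms);
}
// After the fix: clamp the interval end to the range start (assumed shape of
// the fix; the commit only says the call now ensures end >= start).
CheckResult SeekAfterFix(const BufferedRange& r, int64_t seek_ms) {
  assert(RangeCanSeekTo(r, seek_ms));
  return SameConfigThruRange(r, r.StartTimestamp(),
                             std::max(seek_ms, r.StartTimestamp()));
}
// Constructed sample: one range starting at 300 ms, all buffers one config.
BufferedRange MakeSampleRange() { return {{{300, 1}, {320, 1}, {340, 1}}}; }
```

Seeking to 0 ms against the sample range is the reported case: RangeCanSeekTo accepts it via fudge room, the pre-fix path asks for the interval (300, 0), and the post-fix path asks for (300, 300).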
Project Member

Comment 12 by ClusterFuzz, Feb 1 2018

ClusterFuzz has detected this issue as fixed in range 533451:533471.

Detailed report: https://clusterfuzz.com/testcase?key=5397511413170176

Fuzzer: libFuzzer_mediasource_WEBM_OPUS_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  start <= end in source_buffer_range_by_pts.cc
  media::SourceBufferRangeByPts::SameConfigThruRange
  media::SourceBufferStream<media::SourceBufferRangeByPts>::Seek
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=499783:499873
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=533451:533471

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5397511413170176

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 13 by ClusterFuzz, Feb 1 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5397511413170176 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.