CHECK failure: !(state_ >= PARSE_ERROR && new_state < PARSE_ERROR) in chunk_demuxer.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6275786030710784
Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  !(state_ >= PARSE_ERROR && new_state < PARSE_ERROR) in chunk_demuxer.cc
  media::ChunkDemuxer::ChangeState_Locked
  media::ChunkDemuxer::UnmarkEndOfStream
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=538495:538532
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6275786030710784
Additional requirements: Requires HTTP
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Feb 28 2018
Excellent - we have a CF repro of unexpectedly bad state in the extra state CHECKs added to diagnose the larger issue exposed in bug 786975.
Mar 1 2018
I couldn't repro this locally to get better info about the state, but it looks from the stack trace to be just like bug 815207. Probable fix is in CQ: https://chromium-review.googlesource.com/c/chromium/src/+/942237
Mar 1 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/21d0f03dc419aa224e5d7425469f846ed6287184

commit 21d0f03dc419aa224e5d7425469f846ed6287184
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Thu Mar 01 03:08:29 2018

MSE: Prevent UnmarkEOS from undoing PARSE_ERROR or SHUTDOWN

If a previous parse error's ReportError_Locked(...) error has not yet reached HTMLMediaElement due to thread hopping delays (through media thread via pipeline_impl), then another appendBuffer operation on one of that HTMLMediaElement's MediaSource's SourceBuffers could race that error state. This change prevents such a race from resetting the ChunkDemuxer's |state_| from PARSE_ERROR to INITIALIZED in UnmarkEndOfStream.

Note that the MediaSource's append error algorithm (including marking end of stream with a decode error) would have already been done synchronously, allowing subsequent ignoring of a racing UnmarkEndOfStream call. Eventually, the media element will have a non-null error attribute, preventing further attempts at appendBuffer on those SourceBuffers. This change lets the SourceBuffers fail any racing appendBuffer that occurs in the interim, preventing conditions that sometimes led to running a null ChunkDemuxer |init_cb_|.

BUG=786975,815207,816407
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: Id76d6ccd9a03c63637c65b8bd492ab382175f0f4
Reviewed-on: https://chromium-review.googlesource.com/942237
Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540014}

[modify] https://crrev.com/21d0f03dc419aa224e5d7425469f846ed6287184/media/filters/chunk_demuxer.cc
[modify] https://crrev.com/21d0f03dc419aa224e5d7425469f846ed6287184/media/filters/chunk_demuxer_unittest.cc
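As an added illustration, not code from the Chromium change above, this simplified C++ model replays the race the commit message describes: a parse error puts the demuxer in PARSE_ERROR, a racing UnmarkEndOfStream then asks for INITIALIZED, and the fix's early return is what keeps the CHECK invariant from being violated. The state names other than INITIALIZED, PARSE_ERROR and SHUTDOWN, their ordering, and the ModelDemuxer type are assumptions made for this example.

```cpp
#include <cstdio>

// Simplified model of the ChunkDemuxer state machine. INITIALIZED, PARSE_ERROR and
// SHUTDOWN appear in the commit message; the other states and the ordering are assumed.
enum State { WAITING_FOR_INIT, INITIALIZING, INITIALIZED, ENDED, PARSE_ERROR, SHUTDOWN };

// The invariant behind the failing CHECK: once in PARSE_ERROR or SHUTDOWN the
// demuxer must never move back to a healthier (lower-numbered) state.
bool ViolatesErrorInvariant(State state, State new_state) {
  return state >= PARSE_ERROR && new_state < PARSE_ERROR;
}

struct ModelDemuxer {
  State state_ = INITIALIZED;
  bool check_failed = false;  // set where the real ChangeState_Locked would CHECK-fail
  void ChangeState_Locked(State new_state) {
    if (ViolatesErrorInvariant(state_, new_state)) {
      check_failed = true;  // the real code aborts the process here
      return;
    }
    state_ = new_state;
  }
  // A parse error is recorded in the demuxer synchronously, but HTMLMediaElement
  // only learns of it after the thread hops described in the commit message.
  void ReportError_Locked() { ChangeState_Locked(PARSE_ERROR); }
  // Called by a later appendBuffer that races the in-flight error. With |fixed|
  // the call is ignored once the demuxer is already in PARSE_ERROR or SHUTDOWN.
  void UnmarkEndOfStream(bool fixed) {
    if (fixed && (state_ == PARSE_ERROR || state_ == SHUTDOWN)) return;
    ChangeState_Locked(INITIALIZED);
  }
};

// Replay the race; returns true when the invariant CHECK would have fired and
// writes the state the demuxer ends up in.
bool RaceTriggersCheck(bool fixed, State* final_state) {
  ModelDemuxer d;
  d.ReportError_Locked();      // INITIALIZED -> PARSE_ERROR
  d.UnmarkEndOfStream(fixed);  // racing appendBuffer attempts PARSE_ERROR -> INITIALIZED
  *final_state = d.state_;
  return d.check_failed;
}

int main() {
  State s;
  std::printf("unfixed: CHECK fires=%d\n", RaceTriggersCheck(false, &s));
  bool fires = RaceTriggersCheck(true, &s);
  std::printf("fixed: CHECK fires=%d, state is PARSE_ERROR=%d\n", fires, s == PARSE_ERROR);
  return 0;
}
```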
Mar 1 2018
ClusterFuzz has detected this issue as fixed in range 540000:540017.
Detailed report: https://clusterfuzz.com/testcase?key=6275786030710784
Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  !(state_ >= PARSE_ERROR && new_state < PARSE_ERROR) in chunk_demuxer.cc
  media::ChunkDemuxer::ChangeState_Locked
  media::ChunkDemuxer::UnmarkEndOfStream
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=538495:538532
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=540000:540017
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6275786030710784
Additional requirements: Requires HTTP
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 1 2018
ClusterFuzz testcase 6275786030710784 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by brajkumar@chromium.org, Feb 27 2018
Components: Internals>Media
Labels: -Type-Bug M-66 Test-Predator-Wrong Type-Bug-Regression
Owner: wolenetz@chromium.org
Status: Assigned (was: Untriaged)