Float-cast-overflow in blink::IIRFilter::Process
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5330908266364928

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::IIRFilter::Process
  blink::IIRFilter::TailTime
  blink::IIRDSPKernel::IIRDSPKernel

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5330908266364928

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Apr 30 2018
Running the clusterfuzz repro tool fails to reproduce this issue. It gets a different issue:

New crash type: Pointer-overflow
New crash state:
  SkRasterPipelineBlitter::blitMask
  blitClippedMask
  draw_nine_clipped

However, the fact that we're computing the tail time of an unstable IIR filter in the repro test case makes it pretty clear that we are in fact trying to convert a double float infinity value to a single-float. In this case, the conversion is ok, but we can fix this (mostly) in WebAudio.
May 1 2018

May 1 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/949538bb77dce13f23abe328338f50f39c6350e0

commit 949538bb77dce13f23abe328338f50f39c6350e0
Author: Raymond Toy <rtoy@chromium.org>
Date: Tue May 01 17:51:27 2018

Bypass tail time computation if IIR filter is unstable

If the IIRFilter is known to be unstable, we can bypass the
computation of the tail time because we know a priori that the impulse
response won't converge to 0.

So, in construction of the IIRFilterNode where we determine if the
filter is stable or not, pass a stability flag to the IIRProcessor.
Then computation of the tail time can check the IIRProcess to see if
the filter is stable or not. If not, just return the max tail time
value.

Bug: 837872
Change-Id: I9f0e030c2a9e5a5b5635c964214fdafdd57e8668
Reviewed-on: https://chromium-review.googlesource.com/1035722
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#555105}

[modify] https://crrev.com/949538bb77dce13f23abe328338f50f39c6350e0/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc
[modify] https://crrev.com/949538bb77dce13f23abe328338f50f39c6350e0/third_party/blink/renderer/modules/webaudio/iir_filter_node.h
[modify] https://crrev.com/949538bb77dce13f23abe328338f50f39c6350e0/third_party/blink/renderer/modules/webaudio/iir_processor.cc
[modify] https://crrev.com/949538bb77dce13f23abe328338f50f39c6350e0/third_party/blink/renderer/modules/webaudio/iir_processor.h
[modify] https://crrev.com/949538bb77dce13f23abe328338f50f39c6350e0/third_party/blink/renderer/modules/webaudio/iirdsp_kernel.cc
[modify] https://crrev.com/949538bb77dce13f23abe328338f50f39c6350e0/third_party/blink/renderer/platform/audio/iir_filter.cc
[modify] https://crrev.com/949538bb77dce13f23abe328338f50f39c6350e0/third_party/blink/renderer/platform/audio/iir_filter.h
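
The approach in the commit message above, as an added sketch that is not part of the original thread and is not Blink's code: every name here is hypothetical, the filter is restricted to second order so stability can be decided from the coefficients alone, and the 10-second cap and silence threshold are assumed values. `ClampToFloat` is extra hardening for the double-to-float narrowing and is not something the commit describes.

```cpp
#include <algorithm>
#include <cmath>
#include <limits>

constexpr double kMaxTailTime = 10.0;           // seconds; assumed cap
constexpr double kTailThreshold = 1.0 / 32768;  // assumed "silent" level

// 1 + a1*z^-1 + a2*z^-2 has both poles strictly inside the unit circle
// iff |a2| < 1 and |a1| < 1 + a2 (the biquad stability triangle).
bool IsStableBiquad(double a1, double a2) {
  return std::fabs(a2) < 1.0 && std::fabs(a1) < 1.0 + a2;
}

// Narrow double -> float safely. Casting a finite double beyond float's
// range is undefined behaviour, which UBSan reports as float-cast-overflow.
float ClampToFloat(double x) {
  if (std::isnan(x)) return 0.0f;
  const double lim = std::numeric_limits<float>::max();
  return static_cast<float>(std::min(std::max(x, -lim), lim));
}

struct BiquadKernel {
  double b0, a1, a2;
  bool is_stable;  // decided once at construction, then only consulted
  BiquadKernel(double b0_, double a1_, double a2_)
      : b0(b0_), a1(a1_), a2(a2_), is_stable(IsStableBiquad(a1_, a2_)) {}

  // Seconds until the impulse response of
  // y[n] = b0*x[n] - a1*y[n-1] - a2*y[n-2] stays below kTailThreshold.
  double TailTime(double sample_rate) const {
    // Unstable: the response never decays, so skip the simulation entirely.
    if (!is_stable) return kMaxTailTime;
    const long max_frames = static_cast<long>(kMaxTailTime * sample_rate);
    double y1 = 0.0, y2 = 0.0;
    long last_loud = 0;
    for (long n = 0; n < max_frames; ++n) {
      const double y = (n == 0 ? b0 : 0.0) - a1 * y1 - a2 * y2;
      y2 = y1;
      y1 = y;
      if (std::fabs(ClampToFloat(y)) > kTailThreshold) last_loud = n;
    }
    return (last_loud + 1) / sample_rate;
  }
};
```
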
May 2 2018
ClusterFuzz has detected this issue as fixed in range 555098:555107.

Detailed report: https://clusterfuzz.com/testcase?key=5330908266364928

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::IIRFilter::Process
  blink::IIRFilter::TailTime
  blink::IIRDSPKernel::IIRDSPKernel

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=555098:555107

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5330908266364928

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 2 2018
ClusterFuzz testcase 5330908266364928 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Apr 28 2018
Labels: Test-Predator-Auto-Components