Float-cast-overflow in blink::OfflineAudioContext::suspendContext
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4748834346106880
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::OfflineAudioContext::suspendContext
  suspendMethod
  blink::V8OfflineAudioContext::suspendMethodCallback
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4748834346106880
Additional requirements: Requires HTTP
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
,
May 17 2018
> Predator was unable to identify any culprit changelists for this test case.
> Unable to find actual suspect through code search and also observing no possible CL under regression range, hence requesting someone from v8 team to look in to it. Thanks!
,
May 17 2018
This is a WebAudio problem. oac.suspend() is called with a time value of 1.125899906842624e+15. Internally, we convert this to a frame number as a size_t (64-bit). The sample rate is 16384, so the frame number is 18446744073709551616, but that doesn't fit in a size_t. Hence the overflow.
,
May 17 2018
,
May 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fad75adf0a02ff1173f2579c673985d3ca368586

commit fad75adf0a02ff1173f2579c673985d3ca368586
Author: Raymond Toy <rtoy@chromium.org>
Date: Fri May 18 00:02:30 2018

Handle huge suspend times carefully for offline context

Instead of computing the number of frames from the time immediately, first verify that the specified time is not past the end of the total render duration. If the verification passes, the conversion from time to frame is safe because the offline context render length is an unsigned long (32-bits).

Bug: 843849
Change-Id: I94fd41aa9b90d758b4b3cf81a539bd69e213c376
Reviewed-on: https://chromium-review.googlesource.com/1064819
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559742}

[modify] https://crrev.com/fad75adf0a02ff1173f2579c673985d3ca368586/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc
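The comment above describes the failing path (a suspend time of 2^50 seconds times a 16384 Hz sample rate is exactly 2^64 frames, which a 64-bit size_t cannot hold, so the float-to-integer cast is undefined behaviour), and the commit message describes the remedy (reject times past the end of the render before converting). The following C program is an added example written for this page, not Blink's code: the `offline_ctx` struct, `DEMO_CTX` (10 seconds at 16384 Hz, a constructed value), and the function names are assumptions. It shows a predicate for when the unchecked cast would even be defined, beside a bounded conversion modelled on the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an offline audio context (not Blink's real types).
 * The render length is kept 32-bit on purpose: the commit message relies on
 * the offline render length being an unsigned long (32 bits). */
typedef struct {
    uint32_t length_frames; /* total render length in frames */
    double sample_rate;     /* frames per second */
} offline_ctx;

/* Demo parameters, constructed: 10 seconds of audio at the 16384 Hz rate
 * mentioned in the bug report, i.e. 163840 frames. */
static const offline_ctx DEMO_CTX = { 163840u, 16384.0 };

/* The unchecked path the comment describes: frame = (size_t)(when * rate).
 * Casting a double that is NaN, negative, or >= 2^64 to a 64-bit size_t is
 * undefined behaviour in C/C++, which is what UBSan's float-cast-overflow
 * check reports.  Rather than perform the cast, this helper only answers
 * whether it would be defined (assumes a 64-bit size_t). */
static bool unchecked_cast_is_defined(double when, double sample_rate) {
    double frames = when * sample_rate;
    return frames >= 0.0 && frames < 0x1p64; /* 0x1p64 == 2^64 as a double */
}

/* The approach from the commit message: reject any suspend time that lies
 * past the end of the total render duration *before* converting it to a
 * frame number.  Once when <= length_frames / sample_rate holds, the product
 * when * sample_rate is bounded by length_frames (a 32-bit value), so the
 * cast cannot overflow. */
static bool suspend_time_to_frame(const offline_ctx *ctx, double when,
                                  uint32_t *frame_out) {
    if (!(when >= 0.0))              /* rejects negative times and NaN */
        return false;
    double total_duration = (double)ctx->length_frames / ctx->sample_rate;
    if (when > total_duration)       /* past the end of the render: reject */
        return false;
    double frames = when * ctx->sample_rate;
    /* Guard against a rounding ulp pushing the product just above the length. */
    if (frames > (double)ctx->length_frames)
        frames = (double)ctx->length_frames;
    *frame_out = (uint32_t)frames;   /* now a well-defined truncation */
    return true;
}

/* Convenience wrapper over DEMO_CTX: returns the frame, or -1 when rejected. */
static int64_t demo_suspend_frame(double when) {
    uint32_t frame;
    if (!suspend_time_to_frame(&DEMO_CTX, when, &frame))
        return -1;
    return (int64_t)frame;
}

int main(void) {
    const double huge = 1.125899906842624e+15; /* 2^50, the value from the report */
    printf("unchecked cast defined for %g * 16384: %s\n", huge,
           unchecked_cast_is_defined(huge, 16384.0) ? "yes" : "no");
    printf("checked suspend(%g) -> %lld\n", huge, (long long)demo_suspend_frame(huge));
    printf("checked suspend(0.5) -> %lld\n", (long long)demo_suspend_frame(0.5));
    printf("checked suspend(10.0) -> %lld\n", (long long)demo_suspend_frame(10.0));
    return 0;
}
```

The comparison is done in seconds against the render duration rather than in frames, because it is the time-to-frame multiplication itself that produces the out-of-range double; checking after the multiplication would require the same 2^64 bound the first helper uses. Building with `-fsanitize=float-cast-overflow` (clang, also supported by gcc) is how the original report's ClusterFuzz job flagged the unchecked version.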
,
May 18 2018
ClusterFuzz has detected this issue as fixed in range 559741:559743.
Detailed report: https://clusterfuzz.com/testcase?key=4748834346106880
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::OfflineAudioContext::suspendContext
  suspendMethod
  blink::V8OfflineAudioContext::suspendMethodCallback
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=559741:559743
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4748834346106880
Additional requirements: Requires HTTP
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 18 2018
ClusterFuzz testcase 4748834346106880 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.