Issue 855838 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 4
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Breakpoint in blink::WaveShaperProcessor::SetCurve

Project Member Reported by ClusterFuzz, Jun 23 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6265318260080640

Fuzzer: attekett_webaudio_fuzzer
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Breakpoint
Crash Address: 0xffff8400b0820080
Crash State:
  blink::WaveShaperProcessor::SetCurve
  blink::WaveShaperNode::SetCurveImpl
  blink::V8WaveShaperNode::curveAttributeSetterCallback
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6265318260080640

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz, Jun 23 2018

Components: Blink>WebAudio
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by rtoy@chromium.org, Jun 25 2018

Status: Available (was: Untriaged)
I can reproduce this on my linux box, sort of. The backtrace and cause are different though:

[113863:113863:0625/104616.877127:FATAL:vector.h(1053)] Check failed: i < size() (0 vs. 0)
    #0 0x55b2e73f37d1 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4024:13
    #1 0x7f0258302cdc in base::debug::StackTrace::StackTrace(unsigned long) ./../../base/debug/stack_trace_posix.cc:808:41
    #2 0x7f025810b7cf in logging::LogMessage::~LogMessage() ./../../base/logging.cc:592:29
    #3 0x7f023673a048 in at ./../../third_party/blink/renderer/platform/wtf/vector.h:1053:5
    #4 0x7f023673a048 in operator[] ./../../third_party/blink/renderer/platform/wtf/vector.h:1061:0
    #5 0x7f023673a048 in blink::WaveShaperProcessor::SetCurve(float const*, unsigned int) ./../../third_party/blink/renderer/modules/webaudio/wave_shaper_processor.cc:65:0
    #6 0x7f0236738c9d in SetCurveImpl ./../../third_party/blink/renderer/modules/webaudio/wave_shaper_node.cc:102:29
    #7 0x7f0236738c9d in blink::WaveShaperNode::setCurve(blink::NotShared<blink::DOMTypedArray<WTF::Float32Array, v8::Float32Array> >, blink::ExceptionState&) ./../../third_party/blink/renderer/modules/webaudio/wave_shaper_node.cc:110:0
    #8 0x7f023594312d in curveAttributeSetter ./gen/third_party/blink/renderer/bindings/modules/v8/v8_wave_shaper_node.cc:105:9
    #9 0x7f023594312d in blink::V8WaveShaperNode::curveAttributeSetterCallback(v8::FunctionCallbackInfo<v8::Value> const&) ./gen/third_party/blink/renderer/bindings/modules/v8/v8_wave_shaper_node.cc:198:0
    #10 0x7f02412a95c9 in v8_Default_embedded_blob_ embedded.cc:?
    #11 0x7f02412a95c9 in ?? ??:0

Received signal 6
    #0 0x55b2e73f37d1 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4024:13
    #1 0x7f0258302cdc in base::debug::StackTrace::StackTrace(unsigned long) ./../../base/debug/stack_trace_posix.cc:808:41
    #2 0x7f0258301c5d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) ./../../base/debug/stack_trace_posix.cc:334:3
    #3 0x7f0232c3c0c0 in __funlockfile ??:?
    #4 0x7f0232c3c0c0 in ?? ??:0
    #5 0x7f022e7d6fcf in gsignal ??:0:0
    #6 0x7f022e7d83fa in abort ??:0:0
    #7 0x7f02582ff4ba in base::debug::BreakDebugger() ./../../base/debug/debugger_posix.cc:258:3
    #8 0x7f025810bfb7 in logging::LogMessage::~LogMessage() ./../../base/logging.cc:855:7
    #9 0x7f023673a048 in at ./../../third_party/blink/renderer/platform/wtf/vector.h:1053:5
    #10 0x7f023673a048 in operator[] ./../../third_party/blink/renderer/platform/wtf/vector.h:1061:0
    #11 0x7f023673a048 in blink::WaveShaperProcessor::SetCurve(float const*, unsigned int) ./../../third_party/blink/renderer/modules/webaudio/wave_shaper_processor.cc:65:0
    #12 0x7f0236738c9d in SetCurveImpl ./../../third_party/blink/renderer/modules/webaudio/wave_shaper_node.cc:102:29
    #13 0x7f0236738c9d in blink::WaveShaperNode::setCurve(blink::NotShared<blink::DOMTypedArray<WTF::Float32Array, v8::Float32Array> >, blink::ExceptionState&) ./../../third_party/blink/renderer/modules/webaudio/wave_shaper_node.cc:110:0
    #14 0x7f023594312d in curveAttributeSetter ./gen/third_party/blink/renderer/bindings/modules/v8/v8_wave_shaper_node.cc:105:9
    #15 0x7f023594312d in blink::V8WaveShaperNode::curveAttributeSetterCallback(v8::FunctionCallbackInfo<v8::Value> const&) ./gen/third_party/blink/renderer/bindings/modules/v8/v8_wave_shaper_node.cc:198:0
    #16 0x7f02412a95c9 in v8_Default_embedded_blob_ embedded.cc:?
    #17 0x7f02412a95c9 in ?? ??:0
  r8: 0000000000000000  r9: 00007ffcc9445790 r10: 0000000000000008 r11: 0000000000000246
 r12: 00000fe0c4007100 r13: 00007f0220078060 r14: 00007f0220078ae0 r15: 00007f0220078070
  di: 0000000000000002  si: 00007ffcc9445790  bp: 00007ffcc94459d0  bx: 0000000000000006
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007f022e7d6fcf  sp: 00007ffcc9445808
  ip: 00007f022e7d6fcf efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Comment 3 by bugdroid1@chromium.org, Jun 26 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/40936fd20097926aa9801208d309ba9ea62d0a33

commit 40936fd20097926aa9801208d309ba9ea62d0a33
Author: Raymond Toy <rtoy@chromium.org>
Date: Tue Jun 26 14:53:26 2018

GraphLock needed for WaveShaperNode::setCurve

When a channel count change happens, the audio thread (in the
DeferredTaskHandler) may change the number of kernels for the
processor by clearing the kernels_ array and then initializing with
the new size.

But setting the curve from the main thread accesses the kernels_ array
and it may be in the process of being reinitialized.

Thus, make the main thread get the graph lock to force it to wait
until any channel count changes in the DeferredTaskHandler to finish
before setting the curve.  (The audio thread will skip this if it
doesn't have the graph lock.)

Bug: 855838
Test: Repro case from the bug doesn't cause DCHECK in asan build

Change-Id: I5282a9c555f80870b81e8d50436d5715e0d28365
Reviewed-on: https://chromium-review.googlesource.com/1114219
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570405}
[modify] https://crrev.com/40936fd20097926aa9801208d309ba9ea62d0a33/third_party/blink/renderer/modules/webaudio/wave_shaper_node.cc
[modify] https://crrev.com/40936fd20097926aa9801208d309ba9ea62d0a33/third_party/blink/renderer/modules/webaudio/wave_shaper_processor.cc
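
The race the commit message describes, and the "Check failed: i < size() (0 vs. 0)" seen in comment 2, can be reproduced deterministically in a small model. The code below is an added example written for this page, not Chromium's code: ToyKernel, WaveShaperProcessorModel and RunScenario are invented names, a std::mutex stands in for Blink's graph lock, and std::vector::at() throwing std::out_of_range stands in for the WTF::Vector CHECK at vector.h:1053. The audio thread clears the kernel array and rebuilds it; the main thread sets the curve in the window where the array is empty but the channel count still says 1. Without the lock SetCurve indexes past the end; with the lock it blocks until the rebuild finishes.

```cpp
// Added example for this page, not Chromium code: a deterministic model of the
// race fixed by the commit above. The class and function names here (ToyKernel,
// WaveShaperProcessorModel, RunScenario) are invented for illustration.
#include <condition_variable>
#include <cstdio>
#include <memory>
#include <mutex>
#include <stdexcept>
#include <thread>
#include <vector>

// Stand-in for one per-channel WaveShaperDSPKernel.
struct ToyKernel {
  std::vector<float> curve;
};

// Stand-in for the processor. As in the commit message, the channel count is
// tracked separately from the kernels_ array, so a loop bounded by the channel
// count can index kernels_ while it is empty.
class WaveShaperProcessorModel {
 public:
  // Audio-thread side (DeferredTaskHandler): a channel count change clears
  // kernels_ and rebuilds it. |between| is a hook invoked while kernels_ is
  // empty so the scenario below can force the main thread into that window.
  template <typename Hook>
  void SetNumberOfChannels(unsigned n, bool use_graph_lock, Hook between) {
    std::unique_lock<std::mutex> graph_lock(graph_lock_, std::defer_lock);
    if (use_graph_lock) graph_lock.lock();
    number_of_channels_ = n;
    kernels_.clear();   // Uninitialize()
    between();          // the window the main thread may run in
    for (unsigned i = 0; i < n; ++i)   // Initialize()
      kernels_.push_back(std::make_unique<ToyKernel>());
  }

  // Main-thread side (WaveShaperNode.curve setter). Before the fix this did
  // not take the graph lock; after the fix it does.
  void SetCurve(const std::vector<float>& curve, bool use_graph_lock) {
    std::unique_lock<std::mutex> graph_lock(graph_lock_, std::defer_lock);
    if (use_graph_lock) graph_lock.lock();
    for (unsigned i = 0; i < number_of_channels_; ++i)
      kernels_.at(i)->curve = curve;   // at() throws where WTF::Vector CHECKs
  }

 private:
  std::mutex graph_lock_;   // stands in for Blink's graph lock
  unsigned number_of_channels_ = 0;
  std::vector<std::unique_ptr<ToyKernel>> kernels_;
};

// Runs one channel-count change on an "audio" thread while the "main" thread
// sets the curve in the teardown window. Returns true if SetCurve completed,
// false if it hit the out-of-range check (the crash in this bug).
bool RunScenario(bool use_graph_lock) {
  WaveShaperProcessorModel proc;
  proc.SetNumberOfChannels(2, use_graph_lock, [] {});   // start with 2 kernels

  std::mutex m;
  std::condition_variable cv;
  bool cleared = false, main_done = false, set_curve_ok = false;

  std::thread audio([&] {
    proc.SetNumberOfChannels(1, use_graph_lock, [&] {
      // kernels_ is empty here. Wake the main thread...
      { std::lock_guard<std::mutex> g(m); cleared = true; }
      cv.notify_all();
      // ...and, without the graph lock, hold the window open until it has had
      // its turn. With the lock the main thread is blocked on graph_lock_,
      // so waiting for it here would deadlock; the rebuild just proceeds.
      if (!use_graph_lock) {
        std::unique_lock<std::mutex> g(m);
        cv.wait(g, [&] { return main_done; });
      }
    });
  });

  {
    std::unique_lock<std::mutex> g(m);
    cv.wait(g, [&] { return cleared; });
  }
  try {
    proc.SetCurve({-1.0f, 0.0f, 1.0f}, use_graph_lock);
    set_curve_ok = true;
  } catch (const std::out_of_range&) {
    set_curve_ok = false;   // i < size() failed: 0 kernels, channel count 1
  }
  { std::lock_guard<std::mutex> g(m); main_done = true; }
  cv.notify_all();
  audio.join();
  return set_curve_ok;
}

int main() {
  std::printf("without graph lock: %s\n", RunScenario(false) ? "ok" : "out-of-range");
  std::printf("with graph lock:    %s\n", RunScenario(true) ? "ok" : "out-of-range");
  return 0;
}
```

In the unlocked run the main thread observes number_of_channels_ == 1 and an empty kernels_, which is exactly the "(0 vs. 0)" the Linux CHECK printed; the Windows "Breakpoint" crash type in the ClusterFuzz report is the same CHECK failing, since a failed CHECK on Windows traps into the debugger. The fix does not change the loop; it only makes the main thread wait for the graph lock so that the clear-and-rebuild is atomic from its point of view, which is why the commit touches both wave_shaper_node.cc (take the lock) and wave_shaper_processor.cc (the code that now runs under it).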

Comment 4 by rtoy@chromium.org, Jun 27 2018

The latest clusterfuzz result seems to show that the original SetCurve issue is gone, but there's now a font or layout issue.  I've asked clusterfuzz to reanalyze the issue.

Comment 5 by rtoy@chromium.org, Jun 29 2018

Components: Blink>Fonts
The SetCurve appears to be fixed, but clusterfuzz shows that it's now crashing in font_cache.cc:

	[9988:10012:0628/163817.516:FATAL:font_cache.cc(404)] Check failed: false.
Backtrace:
base::debug::StackTrace::StackTrace [0x00007FFAB64FDA3C+44] (base/debug/stack_trace_win.cc:286)
logging::LogMessage::~LogMessage [0x00007FFAB6541436+582] (base/logging.cc:592)
blink::FontCache::CrashWithFontInfo [0x00007FFAB925A8AA+954] (third_party/blink/renderer/platform/fonts/font_cache.cc:404)
blink::FontFallbackIterator::Next [0x00007FFABC55E985+3581] (third_party/blink/renderer/platform/fonts/font_fallback_iterator.cc:121)
blink::FontFallbackIterator::Next [0x00007FFABC55E6DC+2900] (third_party/blink/renderer/platform/fonts/font_fallback_iterator.cc:139)
blink::HarfBuzzShaper::ShapeSegment [0x00007FFABEEAE7B1+3437] (third_party/blink/renderer/platform/fonts/shaping/harf_buzz_shaper.cc:842)
blink::HarfBuzzShaper::Shape [0x00007FFABEEB21ED+6621] (third_party/blink/renderer/platform/fonts/shaping/harf_buzz_shaper.cc:957)
Owner: rtoy@chromium.org
Status: Fixed (was: Available)
Font one is another known issue, ignore that.

Comment 7 by ClusterFuzz, Jul 11

Labels: Needs-Feedback
ClusterFuzz testcase 6265318260080640 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add the ClusterFuzz-Wrong label.
Labels: ClusterFuzz-Wrong
Clusterfuzz is wrong in c#7.  The original backtrace no longer shows up, but the check in font_cache.cc(404) is now showing up.

Adding ClusterFuzz-Wrong as suggested in c#7