Closed Bug 1759016 Opened 2 years ago Closed 2 years ago

OOM [@ WebCore::ReverbConvolverStage::ReverbConvolverStage]

Categories

(Core :: Web Audio, defect)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox100 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:confirm])

Attachments

(1 file)

Attached file testcase.html

I'm not sure if this is an actual bug or not, but the following testcase uses excessive memory and is eventually killed via oom_reaper. When using grizzly and an ASan build, a soft-rss-limit of 10GB is used.

Testcase found while fuzzing mozilla-central rev ae667f73a8f1 (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ae667f73a8f1 --asan --fuzzing -n build
$ python -m grizzly.replay ./build/firefox ./testcase.html
==29718==AddressSanitizer: soft rss limit exhausted (10000Mb vs 10009Mb)
=================================================================
==29718==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x7ff3cf5e2a8f bp 0x7ffce9e892a0 sp 0x7ffce9e89280 T0)
==29718==The signal is caused by a READ memory access.
==29718==Hint: address points to the zero page.
    #0 0x7ff3cf5e2a8f in av_rdft_calc /gecko/media/ffvpx/libavcodec/avfft.c:107:8
    #1 0x7ff46f0b2c8c in mozilla::FFTBlock::PerformFFT(float const*) /gecko/dom/media/webaudio/FFTBlock.h:88:5
    #2 0x7ff46f169389 in mozilla::FFTBlock::PadAndMakeScaledDFT(float const*, unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/FFTBlock.h:167:5
    #3 0x7ff46f171a71 in WebCore::ReverbConvolverStage::ReverbConvolverStage(float const*, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, WebCore::ReverbAccumulationBuffer*) /gecko/dom/media/webaudio/blink/ReverbConvolverStage.cpp:51:16
    #4 0x7ff46f170b3e in WebCore::ReverbConvolver::ReverbConvolver(float const*, unsigned long, unsigned long, unsigned long, bool, bool*) /gecko/dom/media/webaudio/blink/ReverbConvolver.cpp:111:47
    #5 0x7ff46f16ee8a in WebCore::Reverb::initialize(nsTArray<float const*> const&, unsigned long, unsigned long, bool) /gecko/dom/media/webaudio/blink/Reverb.cpp:153:13
    #6 0x7ff46f16ea00 in WebCore::Reverb::Reverb(mozilla::AudioChunk const&, unsigned long, bool, bool, float, bool*) /gecko/dom/media/webaudio/blink/Reverb.cpp:112:26
    #7 0x7ff46f113ebe in mozilla::dom::ConvolverNode::SetBuffer(JSContext*, mozilla::dom::AudioBuffer*, mozilla::ErrorResult&) /gecko/dom/media/webaudio/ConvolverNode.cpp:460:43
    #8 0x7ff46d39b5b1 in mozilla::dom::ConvolverNode_Binding::set_buffer(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ConvolverNodeBinding.cpp:222:24
    #9 0x7ff46d91c754 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3254:8
    #10 0x7ff475635194 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:425:13
    #11 0x7ff475635194 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:512:12
    #12 0x7ff47563741b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:589:8
    #13 0x7ff475638d2d in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:730:10
    #14 0x7ff475b33aa8 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /gecko/js/src/vm/NativeObject.cpp:2493:8
    #15 0x7ff475b30e01 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /gecko/js/src/vm/NativeObject.cpp:2527:14
    #16 0x7ff47561d0f8 in SetProperty /gecko/js/src/vm/ObjectOperations-inl.h:308:10
    #17 0x7ff47561d0f8 in SetObjectElementOperation /gecko/js/src/vm/Interpreter.cpp:1812:10
    #18 0x7ff47561d0f8 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3064:12
    #19 0x7ff4756064b1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:394:13
    #20 0x7ff4756352cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:544:13
    #21 0x7ff47563741b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:589:8
    #22 0x7ff4758b5e6d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #23 0x7ff46d62c8e1 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
    #24 0x7ff46bc675d1 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
    #25 0x7ff46bc671b3 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /gecko/dom/base/TimeoutHandler.cpp:167:29
    #26 0x7ff46b7e4580 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /gecko/dom/base/nsGlobalWindowInner.cpp:6337:38
    #27 0x7ff46bc7ad39 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /gecko/dom/base/TimeoutManager.cpp:893:44
    #28 0x7ff46bc63bf5 in mozilla::dom::TimeoutExecutor::MaybeExecute() /gecko/dom/base/TimeoutExecutor.cpp:179:11
    #29 0x7ff46bc645ba in mozilla::dom::TimeoutExecutor::Run() /gecko/dom/base/TimeoutExecutor.cpp:234:5
    #30 0x7ff468193d12 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #31 0x7ff46818b9ef in mozilla::ThrottledEventQueue::Inner::Executor::Run() /gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #32 0x7ff46818d882 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
    #33 0x7ff468151f0d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:770:26
    #34 0x7ff46814f468 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:606:15
    #35 0x7ff46814fb79 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
    #36 0x7ff468195f81 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
    #37 0x7ff468195f81 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
    #38 0x7ff468172c77 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1171:16
    #39 0x7ff46817e1ec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #40 0x7ff46969632f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #41 0x7ff46951c761 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #42 0x7ff46951c761 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #43 0x7ff46951c761 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #44 0x7ff47060f2e7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #45 0x7ff47535198f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:878:20
    #46 0x7ff46951c761 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #47 0x7ff46951c761 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #48 0x7ff46951c761 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #49 0x7ff475350bc3 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:715:34
    #50 0x55fd678f880d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #51 0x55fd678f8c40 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
    #52 0x7ff48cbe60b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #53 0x55fd678478d9 in _start (/home/worker/builds/m-c-20220213214259-fuzzing-asan-opt/firefox+0x5d8d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /gecko/media/ffvpx/libavcodec/avfft.c:107:8 in av_rdft_calc
==29718==ABORTING
Blocks: oom-fuzz

Yes, this makes a lot of copies; it's kind of expected. Some allocations on the path taken in this script are using fallible allocs, but if it succeeds, it succeeds.

Ok, if there's nothing to do here I can go ahead and close this issue.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME

No valid actions for resolution (WORKSFORME).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
