Open Bug 1838486 Opened 1 year ago Updated 3 months ago

Assertion failure: mStart <= mEnd (Invalid Interval), at /builds/worker/checkouts/gecko/dom/media/Intervals.h:54

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox116 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Crash Data

Attachments

(1 file)

testcase.mp3
1.25 KB, audio/mpeg
Details
Attached audio testcase.mp3

Found while fuzzing m-c 20230612-53b4b785ae2a (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.mp3

Assertion failure: mStart <= mEnd (Invalid Interval), at /builds/worker/checkouts/gecko/dom/media/Intervals.h:54

#0 0x7f201d851061 in Interval<mozilla::media::TimeUnit, mozilla::media::TimeUnit, mozilla::media::TimeUnit> /builds/worker/checkouts/gecko/dom/media/Intervals.h:54:5
#1 0x7f201d851061 in mozilla::media::TimeIntervals::ToMicrosecondResolution() const /builds/worker/checkouts/gecko/dom/media/TimeUnits.h:279:20
#2 0x7f201d850d1c in mozilla::dom::HTMLMediaElement::Buffered() const /builds/worker/checkouts/gecko/dom/html/HTMLMediaElement.cpp:6637:40
#3 0x7f201cee185a in mozilla::dom::HTMLMediaElement_Binding::get_buffered(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/HTMLMediaElementBinding.cpp:445:77
#4 0x7f201cf477a1 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3211:13
#5 0x7f20216872c5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#6 0x7f2021686b1d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#7 0x7f202168814d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#8 0x7f20217721f2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#9 0x7f201a96bd62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/obj-build/dist/include/js/CallAndConstruct.h:110:10
#10 0x7f201a96b5ac in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const /builds/worker/checkouts/gecko/js/xpconnect/wrappers/XrayWrapper.cpp:2097:10
#11 0x7f2021c4a7ae in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:527:19
#12 0x7f2021c4a352 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:535:10
#13 0x7f2021c4a864 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:523:14
#14 0x7f2021c4a352 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:535:10
#15 0x7f2021c4a864 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:523:14
#16 0x7f2021c4b02f in js::ProxyGetPropertyByValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:552:10
#17 0x229d84188bae  (<unknown module>)
Flags: in-testsuite?

Unable to reproduce bug 1838486 using build mozilla-central 20230612211509-53b4b785ae2a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Crash Signature: [@ mozilla::media::Interval<T>::Interval ]

The severity field is not set for this bug.
:jimm, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jmathies)
Flags: needinfo?(jmathies)
Severity: -- → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: