AssertedCast error: Cannot cast 33556992 from uint32_t to float: out of range
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | wontfix |
| firefox130 | --- | wontfix |
| firefox131 | --- | wontfix |
| firefox132 | --- | verified |
People
(Reporter: tsmith, Assigned: padenot)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Found while fuzzing m-c 20240909-50016ed27344 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
AssertedCast error: Cannot cast 33556992 from uint32_t to float: out of range
#0 0x78f2729e51a4 in float mozilla::AssertedCast<float, unsigned int>(unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:232:5
#1 0x78f2729e4e27 in mozilla::H264::DecodeSPS(mozilla::MediaByteBuffer const*, mozilla::SPSData&) /builds/worker/checkouts/gecko/dom/media/platforms/agnostic/bytestreams/H264.cpp:687:9
#2 0x78f2729e52a0 in GetSPSData /builds/worker/checkouts/gecko/dom/media/platforms/agnostic/bytestreams/H264.cpp:324:12
#3 0x78f2729e52a0 in mozilla::H264::DecodeSPSFromExtraData(mozilla::MediaByteBuffer const*, mozilla::SPSData&) /builds/worker/checkouts/gecko/dom/media/platforms/agnostic/bytestreams/H264.cpp:880:16
#4 0x78f27292ca7c in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo>>&&, mozilla::IndiceWrapper const&, unsigned int) /builds/worker/checkouts/gecko/dom/media/mp4/MP4Demuxer.cpp:337:9
#5 0x78f272928c9d in mozilla::MP4Demuxer::Init() /builds/worker/checkouts/gecko/dom/media/mp4/MP4Demuxer.cpp:236:15
#6 0x78f2725c0b31 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:795:47
#7 0x78f2725c0b31 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1813:29
#8 0x78f26e9e82e5 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20
#9 0x78f26ea10f95 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:456:14
#10 0x78f26ea07536 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1149:16
#11 0x78f26ea0e01f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#12 0x78f26f5711fc in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:299:20
#13 0x78f26f4c7f71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#14 0x78f26f4c7f71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#15 0x78f26ea02a63 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:366:10
#16 0x78f2822d76ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#17 0x78f282094ac2 in start_thread nptl/pthread_create.c:442:8
#18 0x78f28212684f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
Reporter | |
Comment 1•4 months ago
|
||
A Pernosco session is available here: https://pernos.co/debug/jc4aTsCBypro-Utg9J_L_w/index.html
|
||
Comment 2•4 months ago
|
||
Verified bug as reproducible on mozilla-central 20240909092518-50016ed27344.
The bug appears to have been introduced in the following build range:
Start: a518b336e4b71eafeb2bb9111227fdeeecbe7f16 (20231209212602)
End: 815bf21f166b5019bdab6ec104bc2f4475a7b553 (20231210031938)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a518b336e4b71eafeb2bb9111227fdeeecbe7f16&tochange=815bf21f166b5019bdab6ec104bc2f4475a7b553
|
||
Comment 3•4 months ago
|
||
Set release status flags based on info from the regressing bug 1867542
:padenot, since you are the author of the regressor, bug 1867542, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
||
Updated•4 months ago
|
|
Assignee | |
Comment 4•4 months ago
|
||
We should just use a double, the number is too big for floats.
|
|
||
Comment 5•3 months ago
|
||
The severity field is not set for this bug.
:jimm, could you have a look please?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 6•3 months ago
|
||
INT32_MAX doesn't fit in a 32-bits float, it's not exact.
|
||
Comment 8•3 months ago
|
||
| bugherder | ||
|
|
||
Comment 9•3 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240925090641-2dd8febaaab7.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 months ago
|
Description
•