USAN: division-by-zero in acelp gain decoding in ISM4 bitrate switching

Basic info

Bug description

The Clang USAN sanitizer test in the pipeline found an error:

    lib_dec/gain_dec.c:415:34: runtime error: division by zero
    SUMMARY: UndefinedBehaviorSanitizer: float-divide-by-zero lib_dec/gain_dec.c:415:34 in
    lib_dec/syn_outp.c:112:16: runtime error: -nan is outside the range of representable values of type 'short'
    SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow lib_dec/syn_outp.c:112:16 in
    lib_com/tools.c:431:20: runtime error: -nan is outside the range of representable values of type 'short'
    SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow lib_com/tools.c:431:20 in

My guess is that the second and third ones are ultimately caused by the first. This is the relevant code part:

    *norm_gain_code = *gain_code / *gain_inov;

Before that, gain_inov is set like this:

        *gain_inov = 1.0f / (float) sqrt( Ecode );

Here, Ecode is already +Inf. It is set as

        Ecode = ( dotp( code, code, L_SUBFR ) + 0.01f ) / L_SUBFR;

with the code array containing a lot of surprisingly big values. So it seems that something is already wrong with that variable:

(const float *) $6 = 0x00007ff7bfee3280 {
  [0] = -1
  [1] = -4069.24927
  [2] = -927.278198
  [3] = -5290.34961
  [4] = -27154.8633
  [5] = -91683.3671
  [6] = -326499.469
  [7] = -1155279.5
  [8] = -4103592.75
  [9] = -14560936
  [10] = -51641224
  [11] = -183134032
  [12] = -649456960
  [13] = -2.30321997E+9
  [14] = -8.16808704E+9
  [15] = -2.89670902E+10
  [16] = -1.0272818E+11
  [17] = -3.64312691E+11
  [18] = -1.29198942E+12
  [19] = -4.58188023E+12
  [20] = -1.62490682E+13
  [21] = -5.7625291E+13
  [22] = -2.04360936E+14
  [23] = -7.24740566E+14
  [24] = -2.57020265E+15
  [25] = -9.114902E+15
  [26] = -3.23248688E+16
  [27] = -1.14636122E+17
  [28] = -4.06542741E+17
  [29] = -1.44175345E+18
  [30] = -5.112999E+18
  [31] = -1.81326114E+19
  [32] = -6.43050563E+19
  [33] = -2.28049883E+20
  [34] = -8.08750439E+20
  [35] = -2.86813262E+21
  [36] = -1.01714755E+22
  [37] = -3.60718649E+22
  [38] = -1.27924387E+23
  [39] = -4.53667875E+23
  [40] = -1.60887674E+24
  [41] = -5.70568113E+24
  [42] = -2.02344895E+25
  [43] = -7.17590842E+25
  [44] = -2.54484659E+26
  [45] = -9.02498099E+26
  [46] = -3.20059776E+27
  [47] = -1.13505219E+28
  [48] = -4.02532158E+28
  [49] = -1.42753002E+29
  [50] = -5.06255783E+29
  [51] = -1.79537347E+30
  [52] = -6.36706714E+30
  [53] = -2.25800142E+31
  [54] = -8.0077196E+31
  [55] = -2.83983813E+32
  [56] = -1.00711328E+33
  [57] = -3.57160123E+33
  [58] = -1.26662385E+34
  [59] = -4.49192386E+34
  [60] = -1.59300491E+35
  [61] = -5.64939384E+35
  [62] = -2.00348707E+36
  [63] = -7.1051176E+36

Link to test pipeline: https://forge.3gpp.org/rep/ivas-codec-pc/ivas-codec/-/jobs/284059

Ways to reproduce

Using the scripts:

dly_profile.dat

    python3 scripts/IvasBuildAndRunChecks.py --checks CLANG3 -m ISM4_ball_fb_rs -p /path/to/my/local/ci_linux_ltv_local.json --usan_supp_file scripts/ubsan.supp -J dly_profile.dat --ism_metadata_files ltvISM1.csv ltvISM2.csv ltvISM3.csv ltvISM4.csv

or directly:

    make clean
    make -j CLANG=3
    UBSAN_OPTIONS=suppressions=scripts/ubsan.supp,report_error_type=1,log_path=usan_log_catchall ./IVAS_cod -ism 4 ltvISM1.csv ltvISM2.csv ltvISM3.csv ltvISM4.csv -max_band fb scripts/switchPaths/sw_32k_384k.bin 48 ltv48_4ISM.wav bit
    networkSimulator_g192 dly_profile.dat bit bit_err trace_dump 1
    UBSAN_OPTIONS=suppressions=scripts/ubsan.supp,report_error_type=1,log_path=usan_log_catchall ./IVAS_dec -voip BINAURAL 48 bit_err out.wav
Edited by vaclav