docs(state): refresh 2026-05-03 — close #239, add Y4M OOB, audit slugs#352
Merged
lusoris pushed a commit that referenced this pull request May 3, 2026
PR #348's libFuzzer harness caught a 1-byte heap-buffer-overflow in y4m_convert_411_422jpeg at libvmaf/tools/y4m_input.c:507. When the chroma decimation produces dst_c_w == 1, the first sub-loop unconditionally writes _dst[1], missing the (x << 1 | 1) < dst_c_w guard the third sub-loop carries. Same gap in the second sub-loop.

Fix: add the `(x << 1 | 1) < dst_c_w` guard to the first AND second sub-loops so the same condition the third already enforces is applied uniformly. ASan-clean on the parked reproducer.

Regression test added at libvmaf/test/test_y4m_411_oob.c covers the W=2 H=4 4:1:1 fixture; runs under the fast suite.

Netflix golden unaffected (the fix only kicks in for 4:1:1 with dst_c_w==1, a shape the goldens don't exercise).

Six deliverables (ADR-0108):
- (1) Research digest: no digest needed: PR #348's libFuzzer findings documented the bug; this PR is the fix
- (2) Decision matrix: no alternatives: only-one-way fix
- (3) AGENTS.md invariant note: libvmaf/tools/AGENTS.md updated
- (4) Reproducer / smoke-test command: meson test test_y4m_411_oob
- (5) CHANGELOG fragment: changelog.d/fixed/ entry added
- (6) Rebase note: docs/rebase-notes.md entry added

Closes the Open-bugs row added to docs/state.md by PR #352.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per ADR-0165 / CLAUDE.md §12 r13. Bookkeeping refresh of `docs/state.md` to close out the busy 2026-05-02/03 session:

- Header date bumped 2026-04-29 → 2026-05-03.
- Closed Issue #239 (FFmpeg `libvmaf_vulkan` wall-clock serialisation): row moved Open → Recently closed; cited PR #241 / commit `e266bf8e` and ADR-0251 (renumbered from 0235 by PR #310 dedup sweep). Closure verified by the v2 async pending-fence ring's `v2 ≤ 0.7 × v1` measurement gate flipping ADR-0251 to Accepted.
- New Open-bugs row: `y4m_convert_411_422jpeg` heap-buffer-overflow on 4:1:1 with `dst_c_w == 1` (PR #348 fuzz). Reproducer parked at `libvmaf/test/fuzz/y4m_input_known_crashes/y4m_411_w2_h4_oob_dst.y4m`; fix follow-up PR TBD.
- Recently closed audited for stale drafts: six rows updated with merged commit SHAs (#288, #292, #296, #297, #300, #304, #305) and the kernel-template citation corrected to ADR-0246 (post-dedup; ADR-0221 is now `changelog-adr-fragment-pattern.md`).
- Netflix#955 deferred row: last-checked stamp refreshed to 2026-05-03; Netflix#1494 still `state=OPEN` per gh API.
- "Update protocol" untouched; no row removed below its closure threshold; "Confirmed not-affected" entries unchanged.

Six ADR-0108 deliverables:

1. Research digest — no digest needed: state-md bookkeeping.
2. Decision matrix — no alternatives: only-one-way fix per ADR-0165 / CLAUDE.md §12 r13.
3. AGENTS.md invariant note — no rebase-sensitive invariants.
4. Reproducer / smoke command — `mkdocs build --strict` + view the file; PR #348's harness reproduces the new Open bug.
5. CHANGELOG fragment — `changelog.d/changed/state-md-refresh-2026-05-03.md`.
6. Rebase note — no rebase impact: fork-local doc bookkeeping.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7f11c38 to 9570d4c
Pull request overview
Bookkeeping refresh of the fork’s bug-status registry (docs/state.md) plus a matching changelog fragment, intended to reflect the 2026-05-02/03 session outcomes (closing #239, adding the new Y4M fuzz-found OOB, and updating “Recently closed” citations from draft PRs to merged commits).
Changes:
- Updates `docs/state.md` header “Updated” date to 2026-05-03 and adds/updates multiple bug-status rows.
- Adds a changelog fragment describing the `docs/state.md` refresh.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `docs/state.md` | Updates the bug-status tables (Open/Recently closed/Deferred), including new rows and refreshed citations. |
| `changelog.d/changed/state-md-refresh-2026-05-03.md` | Adds a changelog entry summarizing the docs/state.md refresh. |
Comment on lines +32 to +33
| |---|---|---|---|---| | ||
| | **`y4m_convert_411_422jpeg` heap-buffer-overflow on 4:1:1 with `dst_c_w == 1`** (PR #348 fuzz, 2026-05-03) | The first sub-loop of the 411→422 chroma upsample writes `_dst[1]` unconditionally when `OC_MINI(c_w, 1) == 1` and `dst_c_w == 1`, missing the `((x << 1) \| 1) < dst_c_w` guard the third sub-loop carries. ASan flags a 1-byte heap-buffer-overflow in `libvmaf/tools/y4m_input.c:507`. Surfaced within seconds by the smoke-fuzz seed corpus added in PR #348. | `./build-fuzz/test/fuzz/fuzz_y4m_input libvmaf/test/fuzz/y4m_input_known_crashes/y4m_411_w2_h4_oob_dst.y4m` reproduces the ASan abort. | TBD (follow-up fix PR after PR #348 lands the harness) | Fix PR adds the missing guard in the first sub-loop, ships a regression test that loads the parker `.y4m`, and removes it from the `y4m_input_known_crashes/` quarantine. | |
| | **CLAUDE.md §12 r14 ffmpeg-patches reviewer command was wrong** — `for p in ffmpeg-patches/000*-*.patch; do git apply --check "$p"; done` only succeeds for patch 0001 because patches 0002–0006 build on each other; correct gate is `git am --3way` series replay against pristine `n8.1` | PR #297 (draft, 2026-05-02) | — (rule wording fix, no ADR) | 2026-05-02 `/refresh-ffmpeg-patches` skill run: per-patch `apply --check` failed on 4/6 patches; `git am --3way` series replay succeeded for all 6 | | ||
| | **`docs/state.md` + `CHANGELOG.md` carried 15 stale ADR slug refs** (slug renames where NNNN stayed but filename evolved, e.g. `0152-monotonic-index-rejection.md` → `0152-vmaf-read-pictures-monotonic-index.md`) | PR #304 (draft, 2026-05-02) | — (doc cleanup, no ADR) | mkdocs `--strict` build clean; spot-check verifies each rewritten ref points at the actual on-disk filename for that NNNN. 11 wrong-NNNN refs (different concept under same NNNN, e.g. `0246-gpu-kernel-template.md` while disk-0221 is `vmaf-roi-tool.md`) split into a separate per-ADR-review PR | | ||
| | **1.07e-3 CPU `vmaf_v0.6.1` score drift between `/usr/local/bin/vmaf` v3.0.0 and master tip** — surfaced by 2026-05-02 `/run-netflix-bench` subagent run; well within Netflix golden's `places=2` tolerance, so the gate did NOT fire, but the drift was stable + reproducible | PR #305 (draft, 2026-05-02) — bisect identifies upstream Netflix `a44e5e61` (motion edge-mirror bugfix, Kyle Swanson 2026-04-17) inherited at fork root. Per-feature isolation: drift is entirely `integer_motion` (-1.005e-3) + `integer_motion2` (-0.985e-3); ADM and VIF are bit-identical. Snapshot regen via separate PR aligns `testdata/netflix_benchmark_results.json` with the fork's actual behavior. | — (bisect triage, no ADR) | `/bisect-regression` predicate against `vmaf_v0.6.1.json` brackets fork root `41301496` ↔ master `4cd3a8d8`; "first bad" = fork root means drift was inherited, not introduced. Doc at `docs/development/cpu-score-drift-bisect-2026-05-02.md` | | ||
| | **#239** — FFmpeg `libvmaf_vulkan` filter wall-clock serialisation (lawrence profile 2026-04-30) — synchronous fence wait inside `vmaf_vulkan_import_image` (ADR-0186 v1) blocked the FFmpeg decoder thread on every frame, preventing CPU/GPU overlap | PR #241 / commit `e266bf8e` (2026-05-02), Issue #239 closed 2026-05-03 | [ADR-0251](adr/0251-vulkan-async-pending-fence.md) (renumbered from 0235 in PR #310 dedup sweep) | v2 async pending-fence ring shipped; the `v2 ≤ 0.7 × v1` measurement gate flipped ADR-0251 from Proposed to Accepted. Reproducer: `ffmpeg -hwaccel vulkan -i ref.mkv -i dis.mkv -filter_complex '[0:v]hwupload[r];[1:v]hwupload[d];[r][d]libvmaf_vulkan' -f null -` against the Netflix normal pair shows the wall-clock improvement on lavapipe + hardware. Netflix golden CPU gate unchanged (Vulkan path is host-side; goldens are CPU-only per ADR-0214 / CLAUDE §8) | |
| | **CI workflows ran on draft PRs, burning runner-minutes** — none of the 7 `pull_request`-triggered workflows filtered on the draft flag, silently violating single-active-CI policy whenever a subagent pushed a branch as draft | PR #300 / commit `257f1e28` (merged 2026-05-03) | — (CI-infrastructure fix, no ADR) | 33 jobs across 7 workflows now carry a draft-skip guard (`if:` clause that allows `pull_request` events only when `pull_request.draft == false`). The `ready_for_review` event re-triggers CI on un-draft; push-to-master and `workflow_dispatch` are unaffected | | ||
| | **CLAUDE.md §12 r14 ffmpeg-patches reviewer command was wrong** — `for p in ffmpeg-patches/000*-*.patch; do git apply --check "$p"; done` only succeeds for patch 0001 because patches 0002–0006 build on each other; correct gate is `git am --3way` series replay against pristine `n8.1` | PR #297 / commit `b161fc39` (merged 2026-05-03) | — (rule wording fix, no ADR) | 2026-05-02 `/refresh-ffmpeg-patches` skill run: per-patch `apply --check` failed on 4/6 patches; `git am --3way` series replay succeeded for all 6 | | ||
| | **`docs/state.md` + `CHANGELOG.md` carried 15 stale ADR slug refs** (slug renames where NNNN stayed but filename evolved, e.g. `0152-monotonic-index-rejection.md` → `0152-vmaf-read-pictures-monotonic-index.md`) | PR #304 / commit `3cbb0956` (merged 2026-05-03) | — (doc cleanup, no ADR) | mkdocs `--strict` build clean; spot-check verifies each rewritten ref points at the actual on-disk filename for that NNNN. 11 wrong-NNNN refs (different concept under same NNNN, e.g. `0246-gpu-kernel-template.md` while disk-0221 is now `changelog-adr-fragment-pattern.md`) split into a separate per-ADR-review PR (#306) | | ||
| | **1.07e-3 CPU `vmaf_v0.6.1` score drift between `/usr/local/bin/vmaf` v3.0.0 and master tip** — surfaced by 2026-05-02 `/run-netflix-bench` subagent run; well within Netflix golden's `places=2` tolerance, so the gate did NOT fire, but the drift was stable + reproducible | PR #305 / commit `ae1dafad` (merged 2026-05-03) — bisect identifies upstream Netflix `a44e5e61` (motion edge-mirror bugfix, Kyle Swanson 2026-04-17) inherited at fork root. Per-feature isolation: drift is entirely `integer_motion` (-1.005e-3) + `integer_motion2` (-0.985e-3); ADM and VIF are bit-identical. Snapshot regen via PR #309 aligns `testdata/netflix_benchmark_results.json` with the fork's actual behavior. | — (bisect triage, no ADR) | `/bisect-regression` predicate against `vmaf_v0.6.1.json` brackets fork root `41301496` ↔ master `4cd3a8d8`; "first bad" = fork root means drift was inherited, not introduced. Doc at `docs/development/cpu-score-drift-bisect-2026-05-02.md` | |
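Review bot: In the rewritten slug-refs row (PR #304 / commit `3cbb0956`), the wrong-NNNN example no longer shows a mismatch: it cites `0246-gpu-kernel-template.md` against "disk-0221 is now `changelog-adr-fragment-pattern.md`", so the filename and the on-disk number being compared carry different NNNNs. Either quote the stale ref as it originally appeared or reword the parenthetical to say the kernel-template ref now lives under 0246. In the new `y4m_convert_411_422jpeg` row, "loads the parker `.y4m`" should read "parked".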
Comment on lines +106 to +107
| |---|---|---|---| | ||
| | Netflix#955 — `i4_adm_cm` rounding overflow (`1u << 31` overflows `int32_t add_bef_shift_flt[]`) | Bit-exactness against Netflix golden requires preserving the overflow until Netflix merges their own fix and updates the goldens | Netflix merges PR #1494 (`feature/adm: fix integer precision issue`) to master | Last checked 2026-05-03 — Netflix#1494 still `state=OPEN` (`mergedAt=null`). Scheduled remote agent re-runs weekly until merged. [ADR-0155](adr/0155-adm-i4-rounding-deferred-netflix-955.md) | |
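Review bot: The third cell says "Netflix merges PR #1494" while the fourth says "Netflix#1494"; in a file that also cites fork-local PR numbers in the bare `#NNN` form, the unqualified "PR #1494" can be read as a fork PR, so use `Netflix#1494` in both cells. The "Last checked" stamp would also be easier to re-verify if the cell carried the query itself (the PR description uses `gh pr view 1494 --repo Netflix/vmaf --json state,mergedAt`).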
Comment on lines +1 to +12
| - `docs/state.md` refresh 2026-05-03. Bumped header date | ||
| (2026-04-29 → 2026-05-03). Closed Issue #239 (FFmpeg | ||
| `libvmaf_vulkan` filter wall-clock serialisation) by moving the | ||
| Open-bugs row to "Recently closed" with PR #241 / commit | ||
| `e266bf8e` and ADR-0251 (renumbered from 0235 in PR #310 dedup | ||
| sweep) — the `v2 ≤ 0.7 × v1` measurement gate flipped ADR-0251 | ||
| to Accepted. Added a new Open-bugs row for the | ||
| `y4m_convert_411_422jpeg` heap-buffer-overflow surfaced by the | ||
| PR #348 libFuzzer scaffold (reproducer parked at | ||
| `libvmaf/test/fuzz/y4m_input_known_crashes/y4m_411_w2_h4_oob_dst.y4m`, | ||
| fix follow-up TBD). Audited "Recently closed" for stale draft-PR | ||
| refs: six rows updated to cite merged commit SHAs and slug-correct |
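Review bot: "six rows updated to cite merged commit SHAs" on the last visible line does not match the commit message for this change, which lists seven PR numbers (#288, #292, #296, #297, #300, #304, #305). Correct the count, or drop it and list the PRs so the changelog and `docs/state.md` cannot disagree.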
lusoris added a commit that referenced this pull request May 4, 2026
…#357)

* fix(y4m): heap-buffer-overflow in 411→422jpeg conversion (dst_c_w==1)

PR #348's libFuzzer harness caught a 1-byte heap-buffer-overflow in y4m_convert_411_422jpeg at libvmaf/tools/y4m_input.c:507. When the chroma decimation produces dst_c_w == 1, the first sub-loop unconditionally writes _dst[1], missing the (x << 1 | 1) < dst_c_w guard the third sub-loop carries. Same gap in the second sub-loop.

Fix: add the `(x << 1 | 1) < dst_c_w` guard to the first AND second sub-loops so the same condition the third already enforces is applied uniformly. ASan-clean on the parked reproducer.

Regression test added at libvmaf/test/test_y4m_411_oob.c covers the W=2 H=4 4:1:1 fixture; runs under the fast suite.

Netflix golden unaffected (the fix only kicks in for 4:1:1 with dst_c_w==1, a shape the goldens don't exercise).

Six deliverables (ADR-0108):
- (1) Research digest: no digest needed: PR #348's libFuzzer findings documented the bug; this PR is the fix
- (2) Decision matrix: no alternatives: only-one-way fix
- (3) AGENTS.md invariant note: libvmaf/tools/AGENTS.md updated
- (4) Reproducer / smoke-test command: meson test test_y4m_411_oob
- (5) CHANGELOG fragment: changelog.d/fixed/ entry added
- (6) Rebase note: docs/rebase-notes.md entry added

Closes the Open-bugs row added to docs/state.md by PR #352.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(test): gate test_y4m_411_oob off Windows (fmemopen is POSIX-only)

MinGW64 + MSVC + oneAPI SYCL Windows builds all failed with 'implicit declaration of function fmemopen' on the new test introduced in this PR. fmemopen is a POSIX function with no direct Windows equivalent.

The bug being tested is Y4M-parser-side, not platform-specific. The test wiring uses fmemopen for in-memory FILE* injection; Windows builds skip the test target. CI Linux/macOS still builds and runs it, which is sufficient regression coverage.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Lusoris <lusoris@pm.me>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
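A simplified model of the bug class described in the fix commit above, added here as an illustration and not taken from libvmaf: a 4:1:1 to 4:2:2 chroma row upsampler whose first sub-loop writes index `(x << 1) | 1` with or without the guard the tail loop carries. The sample duplication (instead of the real filter), the ceil-division widths, the omission of the middle sub-loop and the names `upsample_row_411_422` and `canary_hit` are assumptions; a canary byte one past the row stands in for what ASan reports.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xA5 /* sentinel placed one byte past the destination row */

/*
 * Model of one chroma row, 4:1:1 -> 4:2:2. Not the libvmaf filter: each source
 * sample is simply duplicated, so sample x lands on dst[2x] and dst[2x+1].
 * guard_head selects whether the first sub-loop checks the odd index.
 */
static void upsample_row_411_422(unsigned char *dst, int dst_c_w,
                                 const unsigned char *src, int c_w,
                                 int guard_head)
{
    int x;
    int head = c_w < 1 ? c_w : 1; /* first sub-loop covers min(c_w, 1) samples */

    for (x = 0; x < head; x++) {
        dst[x << 1] = src[x];
        /* Without the guard this writes dst[1] even when dst_c_w == 1. */
        if (!guard_head || ((x << 1) | 1) < dst_c_w)
            dst[(x << 1) | 1] = src[x];
    }
    /* Tail sub-loop: always carries the guard. */
    for (; x < c_w; x++) {
        dst[x << 1] = src[x];
        if (((x << 1) | 1) < dst_c_w)
            dst[(x << 1) | 1] = src[x];
    }
}

/*
 * Returns 1 if the byte just past the row was overwritten, 0 if it is intact,
 * -1 on allocation failure. pic_w must be >= 1. Widths use ceil division,
 * which is an assumption of this model.
 */
int canary_hit(int pic_w, int guard_head)
{
    int c_w = (pic_w + 3) / 4;     /* 4:1:1 chroma width */
    int dst_c_w = (pic_w + 1) / 2; /* 4:2:2 chroma width */
    unsigned char *src = malloc((size_t)c_w);
    unsigned char *dst = malloc((size_t)dst_c_w + 1); /* +1 for the canary */
    int hit;

    if (!src || !dst) { free(src); free(dst); return -1; }
    memset(src, 0x80, (size_t)c_w); /* constructed sample data */
    memset(dst, 0, (size_t)dst_c_w);
    dst[dst_c_w] = CANARY;

    upsample_row_411_422(dst, dst_c_w, src, c_w, guard_head);
    hit = dst[dst_c_w] != CANARY;
    free(src);
    free(dst);
    return hit;
}

int main(void)
{
    int widths[] = { 2, 4, 6 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++)
        printf("W=%d unguarded=%d guarded=%d\n", widths[i],
               canary_hit(widths[i], 0), canary_hit(widths[i], 1));
    return 0;
}
```

Only the widths that give `dst_c_w == 1` trip the canary in the unguarded variant; wider rows end in the tail loop, which already checks the odd index.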
Summary
Bookkeeping-only refresh of `docs/state.md` per ADR-0165 / CLAUDE.md §12 r13. Brings the file in line with the busy 2026-05-02/03 session — header was stale at 2026-04-29 and a handful of rows still cited draft-PR numbers.

- `libvmaf_vulkan` wall-clock serialisation, lawrence profile 2026-04-30): row moved Open → Recently closed; cited PR feat(vulkan): T7-29 part 4 — v2 async pending-fence model (ADR-0235) #241 / commit `e266bf8e` and ADR-0251 (renumbered from 0235 by the PR docs(adr): dedup duplicate-NNNN ADRs (10 renumbered, keeps earliest at original) #310 dedup sweep). Verification: the v2 async pending-fence ring's `v2 ≤ 0.7 × v1` measurement gate flipped ADR-0251 to Accepted.
- `y4m_convert_411_422jpeg` heap-buffer-overflow on 4:1:1 with `dst_c_w == 1` (`libvmaf/tools/y4m_input.c:507`), surfaced by the libFuzzer scaffold in PR feat(security): libFuzzer scaffold for y4m_input (OSSF Scorecard) #348. Reproducer parked at `libvmaf/test/fuzz/y4m_input_known_crashes/y4m_411_w2_h4_oob_dst.y4m`. Owner TBD; fix follow-up PR will add the missing `((x << 1) | 1) < dst_c_w` guard plus a regression test.
- SHAs (PR refactor(vulkan): T-GPU-DEDUP-22 — float_adm_vulkan migrated to kernel_template + _add_variant #288 `bb9d772e`, chore(vulkan,ci): harden kernel_template binding cap + deliverables-check backslash strip #292 `76d6d41e`, fix(ai): vmaf_tiny_v1 — repair broken external-data filename ref #296 `fa81d5b4`, docs: fix ffmpeg-patches reviewer command (series replay, not per-patch) #297 `b161fc39`, ci: skip workflow runs on draft PRs (saves runner-minutes) #300 `257f1e28`, docs: ADR slug-drift cleanup + regen-docs SKILL refresh #304 `3cbb0956`, chore(perf): bisect — first commit introducing 1.07e-3 CPU vmaf_v0.6.1 score drift #305 `ae1dafad`) instead of the previous "draft" labels. The kernel-template citation now points at the post-dedup ADR-0246 (ADR-0221 is now `changelog-adr-fragment-pattern.md`).
- 2026-05-03. `gh pr view 1494 --repo Netflix/vmaf` confirms feature/adm: fix integer precision issue Netflix/vmaf#1494 (`feature/adm: fix integer precision issue`) still `state=OPEN`, `mergedAt=null` — fork stays bit-exact-deferred.
- not-affected" rows, every closure-threshold guard from ADR-0165.
Test plan
- `pre-commit run --files docs/state.md changelog.d/changed/state-md-refresh-2026-05-03.md` — clean.
- `ls docs/adr/`: 0122, 0123, 0131, 0137, 0149, 0150, 0151, 0152, 0153, 0154, 0155, 0156, 0157, 0158, 0165, 0198, 0200, 0246, 0251 all present.
- `gh pr view 1494 --repo Netflix/vmaf --json state,mergedAt` → still `OPEN`.

Reproducer / smoke-test command:

```
mkdocs build --strict  # verifies all in-tree links resolve
gh pr view 1494 --repo Netflix/vmaf --json state,mergedAt
```

Six deep-dive deliverables (ADR-0108)
- no digest needed: state-md bookkeeping refresh per ADR-0165 / CLAUDE.md §12 r13.
- `## Alternatives considered` — no alternatives: only-one-way fix; the rule mandates the row movements.
- no rebase-sensitive invariants: invariants.
- `changelog.d/changed/state-md-refresh-2026-05-03.md`.
- no rebase impact: fork-local doc bookkeeping; no upstream-mirror surface touched.
Other rule compliance
- `docs/state.md` is itself the user-discoverable doc; refresh ships in this PR.
- `.md` files touched; no clang-tidy / cppcheck surface.
- (state-md update).
- public-header / `meson_options.txt` change.

🤖 Generated with Claude Code