164928 2016-11-18 09:20:16 -0800 [GStreamer] Crash in WebCore::HTMLMediaElement::removeAudioTrack 2018-02-20 10:51:09 -0800 1 1 1 Unclassified WebKit Media WebKit Nightly Build PC Linux RESOLVED WORKSFORME https://bugzilla.redhat.com/show_bug.cgi?id=1369960 P2 Normal --- 1 mcatanzaro webkit-unassigned bugs-noreply calvaris mcatanzaro pnormand oldest_to_newest 1252697 0 mcatanzaro 2016-11-18 09:20:16 -0800 Web process crash in WebCore::HTMLMediaElement::removeAudioTrack: Truncated backtrace: Thread no. 1 (10 frames) #0 WTF::RefPtr<WebCore::AudioTrackList>::operator-> at /usr/src/debug/webkitgtk-2.12.3/Source/WTF/wtf/RefPtr.h:69 #1 WebCore::HTMLMediaElement::removeAudioTrack at /usr/src/debug/webkitgtk-2.12.3/Source/WebCore/html/HTMLMediaElement.cpp:3605 #2 WebCore::MediaPlayer::removeAudioTrack at /usr/src/debug/webkitgtk-2.12.3/Source/WebCore/platform/graphics/MediaPlayer.cpp:1253 #3 WebCore::MediaPlayerPrivateGStreamer::notifyPlayerOfAudio at /usr/src/debug/webkitgtk-2.12.3/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:698 #4 WebCore::MediaPlayerPrivateGStreamer::<lambda()>::operator() at /usr/src/debug/webkitgtk-2.12.3/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:665 #5 WebCore::MainThreadNotifier<WebCore::MediaPlayerPrivateGStreamerBase::MainThreadNotification>::notify<WebCore::MediaPlayerPrivateGStreamer::audioChangedCallback(WebCore::MediaPlayerPrivateGStreamer*)::<lambda()> > at /usr/src/debug/webkitgtk-2.12.3/Source/WebCore/platform/graphics/gstreamer/MainThreadNotifier.h:42 #6 WebCore::MediaPlayerPrivateGStreamer::audioChangedCallback at /usr/src/debug/webkitgtk-2.12.3/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:665 #7 _g_closure_invoke_va at gclosure.c:867 #10 g_cclosure_marshal_VOID__OBJECTv at gmarshal.c:2102 #11 _g_closure_invoke_va at gclosure.c:867 We have seven reports of this crash. Full backtrace on the downstream bug. 1256294 1 pnormand 2016-12-05 07:00:01 -0800 Steps to reproduce? 1256295 2 pnormand 2016-12-05 07:05:49 -0800 Looks like a use-after-free, the track is removed from the list and then reused, not sure how that is supposed to work :) https://github.com/WebKit/webkit/blob/master/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp#L727 1272850 3 calvaris 2017-02-03 02:28:50 -0800 A use case for testing would be interesting 1272867 4 mcatanzaro 2017-02-03 04:05:56 -0800 Normally users don't know what causes a crash; this case is no exception. Note: we're still at only seven reports, so nobody has hit this in Fedora in the past two months. 1400769 5 pnormand 2018-02-20 07:56:17 -0800 Looking at the stack-trace in the downstream bug, it refers to code that was removed in bug 137552 ... So I'll close this issue because the crash should no longer happen. Please re-open otherwise. 1400824 6 mcatanzaro 2018-02-20 10:26:01 -0800 (In reply to Philippe Normand from comment #5) > Looking at the stack-trace in the downstream bug, it refers to code that was > removed in bug 137552 ... So I'll close this issue because the crash should > no longer happen. Please re-open otherwise. The timeline is not right. This crash was reported in late 2016. That bug was closed in 2014. Sometimes frames get omitted from the stack trace; likely the crash is really inside mediaPlayerDidRemoveAudioTrack. The MediaPlayerClient is surely HTMLMediaElement. I assume the crash must have been happening here: void HTMLMediaElement::removeAudioTrack(AudioTrack& track) { m_audioTracks->remove(track); // <--- track.clearClient(); } But I agree the current code does not match up. I'm not sure when it changed; trac doesn't allow blaming HTMLMediaElement because it is too big, and GitHub just times out. 1400836 7 pnormand 2018-02-20 10:51:09 -0800 Could the fix not be part of the stable release that was crashing?