44757 2010-08-27 02:24:54 -0700 [GStreamer] ImageGStreamer doesn't need to hold a Cairo surface 2010-09-01 07:13:24 -0700 1 1 1 Unclassified WebKit Media 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 1 pnormand webkit-unassigned alex oldest_to_newest 270391 0 pnormand 2010-08-27 02:24:54 -0700 The BitmapImage created already holds it and destroy it when needed. So there could be cases where ImageGStreamerCairo tries to free the already freed surface in its destructor. It happened once on the 64-bits bot: Thread 1 (Thread 1100): #0 0x00007f476eb71f45 in raise () from /lib/libc.so.6 #1 0x00007f476eb74d80 in abort () from /lib/libc.so.6 #2 0x00007f476eb6b08a in __assert_fail () from /lib/libc.so.6 #3 0x00007f476fb2b046 in cairo_surface_destroy () from /usr/lib/libcairo.so.2 #4 0x00007f4774e9ed4d in ~ImageGStreamer (this=0xc64750, __in_chrg=<value optimized out>) at ../../WebCore/platform/graphics/gstreamer/ImageGStreamerCairo.cpp:69 #5 0x00007f4774e9c197 in WTF::RefCounted<WebCore::ImageGStreamer>::deref ( this=0xc64750) at ../../JavaScriptCore/wtf/RefCounted.h:139 #6 0x00007f4774e9c006 in WTF::derefIfNotNull<WebCore::ImageGStreamer> ( ptr=0xc64750) at ../../JavaScriptCore/wtf/PassRefPtr.h:58 #7 0x00007f4774e9be85 in ~RefPtr (this=0x7fffffff9260, __in_chrg=<value optimized out>) at ../../JavaScriptCore/wtf/RefPtr.h:58 #8 0x00007f4774e9a857 in WebCore::MediaPlayerPrivateGStreamer::paint ( this=0xbf2c30, context=0x7fffffffb350, rect=...) at ../../WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1218 #9 0x00007f4774cabc02 in WebCore::MediaPlayer::paint (this=0xa2f0c0, p=0x7fffffffb350, r=...) at ../../WebCore/platform/graphics/MediaPlayer.cpp:549 #10 0x00007f4774cb8e36 in WebCore::RenderVideo::paintReplaced (this=0xbab678, paintInfo=..., tx=0, ty=-53) at ../../WebCore/rendering/RenderVideo.cpp:207 #11 0x00007f4774b9d33e in WebCore::RenderReplaced::paint (this=0xbab678, paintInfo=..., tx=0, ty=-53) 270396 1 65694 pnormand 2010-08-27 02:43:57 -0700 Created attachment 65694 proposed patch 272019 2 pnormand 2010-08-31 03:37:45 -0700 It happened again with media/video-seek-past-end-paused.html on the 30th of august: http://webkit-bots.igalia.com/amd64/svn_66395.core-when_1283190163-_-who_DumpRenderTree-_-why_6.11551.trace.html 272722 3 65694 xan.lopez 2010-09-01 03:25:27 -0700 Comment on attachment 65694 proposed patch I don't quite see in the code who will be handling the lifecycle of the surface. Can you point me to it? 272723 4 65694 xan.lopez 2010-09-01 03:33:08 -0700 Comment on attachment 65694 proposed patch OK, I think it's in ImageCairo.cpp, the BitmapImage constructor steals the surface (I suppose this was desired, seems a bit obscure). 272791 5 pnormand 2010-09-01 07:13:24 -0700 Thanks, see http://trac.webkit.org/changeset/66600 \m/ \m/ 65694 2010-08-27 02:43:57 -0700 2010-09-01 03:33:08 -0700 proposed patch proposed-patch.patch text/plain 3162 pnormand RnJvbSAyZDE3NGFjMjkxMmM5YzFkYTU3ZTQ2NTY0MmJmZWNjOTRkYzQ2NWZmIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBQaGlsaXBwZSBOb3JtYW5kIDxwbm9ybWFuZEBpZ2FsaWEuY29t PgpEYXRlOiBGcmksIDI3IEF1ZyAyMDEwIDExOjQ0OjE1ICswMjAwClN1YmplY3Q6IFtQQVRDSF0g cHJvcG9zZWQgcGF0Y2gKCi0tLQogV2ViQ29yZS9DaGFuZ2VMb2cgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgfCAgIDE1ICsrKysrKysrKysrKysrKwogLi4uL3BsYXRmb3JtL2dyYXBo aWNzL2dzdHJlYW1lci9JbWFnZUdTdHJlYW1lci5oICAgfCAgICAxIC0KIC4uLi9ncmFwaGljcy9n c3RyZWFtZXIvSW1hZ2VHU3RyZWFtZXJDYWlyby5jcHAgICAgIHwgICAxMiArKystLS0tLS0tLS0K IDMgZmlsZXMgY2hhbmdlZCwgMTggaW5zZXJ0aW9ucygrKSwgMTAgZGVsZXRpb25zKC0pCgpkaWZm IC0tZ2l0IGEvV2ViQ29yZS9DaGFuZ2VMb2cgYi9XZWJDb3JlL0NoYW5nZUxvZwppbmRleCBiMTU1 ZjE3Li4zODNkYjA2IDEwMDY0NAotLS0gYS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9XZWJDb3Jl L0NoYW5nZUxvZwpAQCAtMSwzICsxLDE4IEBACisyMDEwLTA4LTI3ICBQaGlsaXBwZSBOb3JtYW5k ICA8cG5vcm1hbmRAaWdhbGlhLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBbR1N0cmVhbWVyXSBJbWFnZUdTdHJlYW1lciBkb2Vzbid0IG5lZWQg dG8gaG9sZCBhIENhaXJvIHN1cmZhY2UKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcv c2hvd19idWcuY2dpP2lkPTQ0NzU3CisKKyAgICAgICAgUGFzcyB0aGUgY2Fpcm8gc3VyZmFjZSB0 byB0aGUgQml0bWFwSW1hZ2UgY29uc3RydWN0b3Igd2hpY2ggd2lsbAorICAgICAgICBoYW5kbGUg aXRzIGxpZmUtY3ljbGUuCisKKyAgICAgICAgKiBwbGF0Zm9ybS9ncmFwaGljcy9nc3RyZWFtZXIv SW1hZ2VHU3RyZWFtZXIuaDoKKyAgICAgICAgKiBwbGF0Zm9ybS9ncmFwaGljcy9nc3RyZWFtZXIv SW1hZ2VHU3RyZWFtZXJDYWlyby5jcHA6CisgICAgICAgIChJbWFnZUdTdHJlYW1lcjo6SW1hZ2VH U3RyZWFtZXIpOgorICAgICAgICAoSW1hZ2VHU3RyZWFtZXI6On5JbWFnZUdTdHJlYW1lcik6CisK IDIwMTAtMDgtMjcgIERpcmsgU2NodWx6ZSAgPGtyaXRAd2Via2l0Lm9yZz4KIAogICAgICAgICBS ZXZpZXdlZCBieSBOaWtvbGFzIFppbW1lcm1hbm4uCmRpZmYgLS1naXQgYS9XZWJDb3JlL3BsYXRm b3JtL2dyYXBoaWNzL2dzdHJlYW1lci9JbWFnZUdTdHJlYW1lci5oIGIvV2ViQ29yZS9wbGF0Zm9y bS9ncmFwaGljcy9nc3RyZWFtZXIvSW1hZ2VHU3RyZWFtZXIuaAppbmRleCAzZDZkNzRhLi45Mjg4 ZGY5IDEwMDY0NAotLS0gYS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2dzdHJlYW1lci9JbWFn ZUdTdHJlYW1lci5oCisrKyBiL1dlYkNvcmUvcGxhdGZvcm0vZ3JhcGhpY3MvZ3N0cmVhbWVyL0lt YWdlR1N0cmVhbWVyLmgKQEAgLTUxLDcgKzUxLDYgQEAgY2xhc3MgSW1hZ2VHU3RyZWFtZXIgOiBw dWJsaWMgUmVmQ291bnRlZDxJbWFnZUdTdHJlYW1lcj4gewogCiAjaWYgUExBVEZPUk0oQ0FJUk8p CiAgICAgICAgIEltYWdlR1N0cmVhbWVyKEdzdEJ1ZmZlciomLCBJbnRTaXplLCBjYWlyb19mb3Jt YXRfdCYpOwotICAgICAgICBjYWlyb19zdXJmYWNlX3QqIG1fc3VyZmFjZTsKICNlbmRpZgogCiAj aWYgUExBVEZPUk0oTUFDKQpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy9n c3RyZWFtZXIvSW1hZ2VHU3RyZWFtZXJDYWlyby5jcHAgYi9XZWJDb3JlL3BsYXRmb3JtL2dyYXBo aWNzL2dzdHJlYW1lci9JbWFnZUdTdHJlYW1lckNhaXJvLmNwcAppbmRleCA2Zjk3NWE0Li5hZWFl ZTE5IDEwMDY0NAotLS0gYS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2dzdHJlYW1lci9JbWFn ZUdTdHJlYW1lckNhaXJvLmNwcAorKysgYi9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2dzdHJl YW1lci9JbWFnZUdTdHJlYW1lckNhaXJvLmNwcApAQCAtNDksMTMgKzQ5LDEyIEBAIFBhc3NSZWZQ dHI8SW1hZ2VHU3RyZWFtZXI+IEltYWdlR1N0cmVhbWVyOjpjcmVhdGVJbWFnZShHc3RCdWZmZXIq IGJ1ZmZlcikKIAogSW1hZ2VHU3RyZWFtZXI6OkltYWdlR1N0cmVhbWVyKEdzdEJ1ZmZlciomIGJ1 ZmZlciwgSW50U2l6ZSBzaXplLCBjYWlyb19mb3JtYXRfdCYgY2Fpcm9Gb3JtYXQpCiAgICAgOiBt X2ltYWdlKDApCi0gICAgLCBtX3N1cmZhY2UoMCkKIHsKLSAgICBtX3N1cmZhY2UgPSBjYWlyb19p bWFnZV9zdXJmYWNlX2NyZWF0ZV9mb3JfZGF0YShHU1RfQlVGRkVSX0RBVEEoYnVmZmVyKSwgY2Fp cm9Gb3JtYXQsCisgICAgY2Fpcm9fc3VyZmFjZV90KiBzdXJmYWNlID0gY2Fpcm9faW1hZ2Vfc3Vy ZmFjZV9jcmVhdGVfZm9yX2RhdGEoR1NUX0JVRkZFUl9EQVRBKGJ1ZmZlciksIGNhaXJvRm9ybWF0 LAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNp emUud2lkdGgoKSwgc2l6ZS5oZWlnaHQoKSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBjYWlyb19mb3JtYXRfc3RyaWRlX2Zvcl93aWR0aChjYWly b0Zvcm1hdCwgc2l6ZS53aWR0aCgpKSk7Ci0gICAgQVNTRVJUKGNhaXJvX3N1cmZhY2Vfc3RhdHVz KG1fc3VyZmFjZSkgPT0gQ0FJUk9fU1RBVFVTX1NVQ0NFU1MpOwotICAgIG1faW1hZ2UgPSBCaXRt YXBJbWFnZTo6Y3JlYXRlKG1fc3VyZmFjZSk7CisgICAgQVNTRVJUKGNhaXJvX3N1cmZhY2Vfc3Rh dHVzKHN1cmZhY2UpID09IENBSVJPX1NUQVRVU19TVUNDRVNTKTsKKyAgICBtX2ltYWdlID0gQml0 bWFwSW1hZ2U6OmNyZWF0ZShzdXJmYWNlKTsKIH0KIAogSW1hZ2VHU3RyZWFtZXI6On5JbWFnZUdT dHJlYW1lcigpCkBAIC02NCw5ICs2Myw0IEBAIEltYWdlR1N0cmVhbWVyOjp+SW1hZ2VHU3RyZWFt ZXIoKQogICAgICAgICBtX2ltYWdlLmNsZWFyKCk7CiAKICAgICBtX2ltYWdlID0gMDsKLQotICAg IGlmIChtX3N1cmZhY2UgJiYgY2Fpcm9fc3VyZmFjZV9nZXRfcmVmZXJlbmNlX2NvdW50KG1fc3Vy ZmFjZSkpCi0gICAgICAgIGNhaXJvX3N1cmZhY2VfZGVzdHJveShtX3N1cmZhY2UpOwotCi0gICAg bV9zdXJmYWNlID0gMDsKIH0KLS0gCjEuNy4x