Bug 137065

Summary: [GStreamer] Video resolution changes trigger a crash in the TextureMapper
Product: WebKit Reporter: Philippe Normand <pnormand>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: pnormand, slomo, vjaquez, xclaesse, zan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch
none
patch
none
patch gustavo: review+

Description Philippe Normand 2014-09-24 04:30:18 PDT 
When the video sink updates its caps the player is notified and clears its internal video size cache but this is not protected by a mutex so it's possible that the player tries to use caps that don't correspond to the buffer being rendered, triggering this crash:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1  0x00007fe5bd010b5e in ?? () from /usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so
#2  0x00007fe5bd015f20 in ?? () from /usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so
#3  0x00007fe5bd0160d2 in ?? () from /usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so
#4  0x00007fe5bd06a902 in ?? () from /usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so
#5  0x00007fe5bd000e27 in ?? () from /usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so
#6  0x00007fe5bd004b5f in ?? () from /usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so
#7  0x00007fe623104f1a in WebCore::BitmapTextureGL::updateContentsNoSwizzle(void const*, WebCore::IntRect const&, WebCore::IntPoint const&, int, unsigned int, unsigned int) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fe62310569a in WebCore::BitmapTextureGL::updateContents(void const*, WebCore::IntRect const&, WebCore::IntPoint const&, int, WebCore::BitmapTexture::UpdateContentsFlag) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fe6230b891c in WebCore::MediaPlayerPrivateGStreamerBase::updateTexture(WebCore::TextureMapper*) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00007fe6230b8a2f in WebCore::MediaPlayerPrivateGStreamerBase::paintToTextureMapper(WebCore::TextureMapper*, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, float) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#11 0x00007fe622bbe3f3 in WebCore::TextureMapperLayer::paintSelf(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#12 0x00007fe622bc1dc2 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#13 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#14 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#15 0x00007fe622bc1d45 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.108] ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#16 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#17 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#18 0x00007fe622bc1d45 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.108] ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#19 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#20 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#21 0x00007fe622bc1d45 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.108] ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#22 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#23 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#24 0x00007fe622bc1d45 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.108] ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#25 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#26 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#27 0x00007fe622bc1d45 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.108] ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#28 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#29 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#30 0x00007fe622bc1d45 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.108] ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#31 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#32 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#33 0x00007fe622bc1d45 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.108] ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#34 0x00007fe622bc1f7d in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&) ()
   from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#35 0x00007fe622bc1aa5 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#36 0x00007fe622bc1bc1 in WebCore::TextureMapperLayer::paint() () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#37 0x00007fe6223171a7 in WebKit::LayerTreeHostGtk::compositeLayersToContext(WebKit::LayerTreeHostGtk::CompositePurpose) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#38 0x00007fe622317710 in WebKit::LayerTreeHostGtk::flushAndRenderLayers() () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#39 0x00007fe6223177bb in WebKit::LayerTreeHostGtk::layerFlushTimerFired() () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#40 0x00007fe62048174c in WTF::GMainLoopSource::voidCallback() () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
---Type <return> to continue, or q <return> to quit---
#41 0x00007fe620481929 in WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*) () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#42 0x00007fe61db9c0fe in g_main_dispatch (context=0x13fdb10) at gmain.c:3065
#43 g_main_context_dispatch (context=context@entry=0x13fdb10) at gmain.c:3641
#44 0x00007fe61db9c4a8 in g_main_context_iterate (context=0x13fdb10, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712
#45 0x00007fe61db9c912 in g_main_loop_run (loop=0x19c76b0) at gmain.c:3906
#46 0x00007fe62231b911 in WebProcessMainUnix () from /home/phil/dev/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#47 0x00007fe6207bfb45 in __libc_start_main (main=0x4006f0 <main>, argc=2, argv=0x7fffe3e8fd28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe3e8fd18)
    at libc-start.c:287
#48 0x0000000000400723 in _start ()
Comment 1 Philippe Normand 2014-09-24 04:31:53 PDT 
One workaround is to clear m_buffer when video caps changed but the side effect is a quick flash during the video size transition...
Comment 2 Philippe Normand 2014-09-24 04:36:18 PDT 
The proper fix would be to have DRAIN query support in the sink but currently only the OMX video decoder supports this, see also: https://bugzilla.gnome.org/show_bug.cgi?id=737240
Comment 3 Sebastian Dröge (slomo) 2014-09-24 04:49:34 PDT 
Or you always pass caps and buffer around at the same time? You could use GstSample for that
Comment 4 Philippe Normand 2014-10-27 02:00:05 PDT 
Created attachment 240473 [details]
patch
Comment 5 Sebastian Dröge (slomo) 2014-10-27 02:16:42 PDT 
Comment on attachment 240473 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=240473&action=review

Looks good overall and seems like a little simplification of the code :)

> Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:421
> +    GRefPtr<GstCaps> currentCaps = gst_sample_get_caps(m_sample);

Doesn't this need the sampleMutex locked too?
Comment 6 Philippe Normand 2014-10-27 02:20:03 PDT 
(In reply to comment #5)
> Comment on attachment 240473 [details]
> patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=240473&action=review
> 
> Looks good overall and seems like a little simplification of the code :)
> 
> > Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:421
> > +    GRefPtr<GstCaps> currentCaps = gst_sample_get_caps(m_sample);
> 
> Doesn't this need the sampleMutex locked too?

Well that method is always invoked with the mutex locked already. Perhaps I can add an ASSERT about this.
Comment 7 Philippe Normand 2014-10-27 02:23:17 PDT 
Or drop this method all together :)
Comment 8 Philippe Normand 2014-10-27 10:08:15 PDT 
Created attachment 240485 [details]
patch
Comment 9 Philippe Normand 2014-10-27 10:24:39 PDT 
Oops the sample caps don't really need to be stored in a GRefPtr.
Comment 10 Philippe Normand 2014-10-27 10:30:41 PDT 
Created attachment 240486 [details]
patch

Please review this one :)
Comment 11 Gustavo Noronha (kov) 2014-10-29 08:50:22 PDT 
Comment on attachment 240486 [details]
patch

Great =)
Comment 12 Philippe Normand 2014-10-30 01:54:06 PDT 
Committed r175370: <http://trac.webkit.org/changeset/175370>
Comment 13 Xavier Claessens 2014-11-07 11:30:25 PST 
*** Bug 138505 has been marked as a duplicate of this bug. ***