Bug 175575

Summary: [GStreamer] Memory corruption in GStreamerGL code
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: Media
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, dpino, magomez, mcatanzaro, pnormand
Priority: P2
Version: Other
Hardware: PC
OS: Linux

Description Michael Catanzaro 2017-08-15 09:14:09 PDT
Unfortunately memory corruption is usually really hard to track down since the backtrace rarely points to the real problem, and I don't have a consistent reproducer. But here it is. It happens sometimes when running layout test compositing/video/video-object-position.html:

Thread 1 (Thread 0x2b6fc8320700 (LWP 11367)):
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00002b6b198ea3fa in __GI_abort () at abort.c:89
#2  0x00002b6b19926bd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x2b6b19a1bbd0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00002b6b1992cf96 in malloc_printerr (action=3, str=0x2b6b19a1bd28 "double free or corruption (fasttop)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5046
#4  0x00002b6b1992d78e in _int_free (av=av@entry=0x2b6ef0000020, p=p@entry=0x2b6ef02c6220, have_lock=have_lock@entry=1) at malloc.c:3902
#5  0x00002b6b1992fef8 in _int_realloc (av=av@entry=0x2b6ef0000020, oldp=oldp@entry=0x2b6ef02c6220, oldsize=oldsize@entry=64, nb=nb@entry=96) at malloc.c:4393
#6  0x00002b6b19931539 in __GI___libc_realloc (oldmem=0x2b6ef02c6230, bytes=84) at malloc.c:3080
#7  0x00002b6b9c2a5251 in resize () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/util/ralloc.c:147
#8  0x00002b6b9c2a588f in ralloc_vasprintf_rewrite_tail () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/util/ralloc.c:510
#9  0x00002b6b9c2a5936 in ralloc_vasprintf_append () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/util/ralloc.c:479
#10 0x00002b6b9c2aed4d in _Z12linker_errorP17gl_shader_programPKcz () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/glsl/linker.cpp:529
#11 0x00002b6b9c2b152c in link_intrastage_shaders () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/glsl/linker.cpp:2026
#12 _Z12link_shadersP10gl_contextP17gl_shader_program () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/glsl/linker.cpp:3539
#13 0x00002b6b9c22399b in _mesa_glsl_link_shader () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/mesa/program/ir_to_mesa.cpp:2975
#14 0x00002b6b9c16005a in link_program () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/mesa/main/shaderapi.c:1042
#15 0x00002b6b142fe47c in gst_gl_shader_link () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglshader.c:686
#16 0x00002b6b1430427e in _create_shader () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcolorconvert.c:1945
#17 _init_convert () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcolorconvert.c:2028
#18 _do_convert () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcolorconvert.c:2368
#19 0x00002b6b14308683 in _run_message_sync () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglwindow.c:601
#20 0x00002b6b14308622 in _run_message_async () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglwindow.c:668
#21 0x00002b6b150e25ca in g_main_dispatch () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3212
#22 g_main_context_dispatch () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3865
#23 0x00002b6b150e2948 in g_main_context_iterate () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3938
#24 0x00002b6b150e2c62 in g_main_loop_run () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:4134
#25 0x00002b6b143086f5 in gst_gl_window_default_run () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglwindow.c:527
#26 0x00002b6b142f195c in gst_gl_context_create_thread () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcontext.c:1273
#27 0x00002b6b15109315 in g_thread_proxy () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gthread.c:784
#28 0x00002b6b187c2494 in start_thread (arg=0x2b6fc8320700) at pthread_create.c:333
#29 0x00002b6b1999e93f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
Comment 1 Michael Catanzaro 2017-08-15 09:44:43 PDT
I'm adding a crash expectation for this test.
Comment 2 Michael Catanzaro 2017-08-28 04:47:23 PDT
Another variant:

Thread 1 (Thread 0x2b8468200700 (LWP 21392)):
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00002b82c9e873fa in __GI_abort () at abort.c:89
#2  0x00002b82c9ec3bd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x2b82c9fb8bd0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00002b82c9ec9f96 in malloc_printerr (action=3, str=0x2b82c9fb8d28 "double free or corruption (fasttop)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5046
#4  0x00002b82c9eca78e in _int_free (av=0x2b8478000020, p=0x2b84781d6b90, have_lock=0) at malloc.c:3902
#5  0x00002b83a0366dcd in _mesa_clear_shader_program_data () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/mesa/main/shaderobj.c:304
#6  0x00002b83a0425921 in _mesa_glsl_link_shader () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/mesa/program/ir_to_mesa.cpp:2964
#7  0x00002b83a036205a in link_program () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/Mesa/src/mesa/main/shaderapi.c:1042
#8  0x00002b82c4ba347c in gst_gl_shader_link () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglshader.c:686
#9  0x00002b82c4ba927e in _create_shader () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcolorconvert.c:1945
#10 _init_convert () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcolorconvert.c:2028
#11 _do_convert () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcolorconvert.c:2368
#12 0x00002b82c4bad683 in _run_message_sync () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglwindow.c:601
#13 0x00002b82c4bad622 in _run_message_async () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglwindow.c:668
#14 0x00002b82c59875ca in g_main_dispatch () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3212
#15 g_main_context_dispatch () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3865
#16 0x00002b82c5987948 in g_main_context_iterate () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:3938
#17 0x00002b82c5987c62 in g_main_loop_run () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gmain.c:4134
#18 0x00002b82c4bad6f5 in gst_gl_window_default_run () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglwindow.c:527
#19 0x00002b82c4b9695c in gst_gl_context_create_thread () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.10.5/gst-libs/gst/gl/gstglcontext.c:1273
#20 0x00002b82c59ae315 in g_thread_proxy () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/glib-2.52.1/glib/gthread.c:784
#21 0x00002b82c8d5f494 in start_thread (arg=0x2b8468200700) at pthread_create.c:333
#22 0x00002b82c9f3b93f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Adding crash expectation for imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/ready-states/autoplay-with-slow-text-tracks.html.
Comment 3 Diego Pino 2020-02-27 10:15:31 PST
*** Bug 208288 has been marked as a duplicate of this bug. ***
Comment 4 Philippe Normand 2020-07-20 07:13:43 PDT
compositing/video/video-object-position.html hasn't been crashing for the past 7 months and seems to only require a rebaseline:
--- /home/buildbot/worker/gtk-linux-64-release-tests/build/layout-test-results/compositing/video/video-object-position-expected.txt
+++ /home/buildbot/worker/gtk-linux-64-release-tests/build/layout-test-results/compositing/video/video-object-position-actual.txt
@@ -13,74 +13,60 @@
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents layer 2.00, 2.00 120.00 x 200.00)
         )
         (GraphicsLayer
           (position 151.00 13.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents clipping layer 2.00, 2.00 120.00 x 200.00)
-          (contents layer 22.00, 12.00 120.00 x 200.00)
         )
         (GraphicsLayer
           (position 289.00 13.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents layer 2.00, 2.00 120.00 x 200.00)
         )
         (GraphicsLayer
           (position 427.00 13.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents clipping layer 2.00, 2.00 120.00 x 200.00)
-          (contents layer -8.00, -8.00 120.00 x 200.00)
         )
         (GraphicsLayer
           (position 565.00 13.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents layer 2.00, 2.00 120.00 x 200.00)
         )
         (GraphicsLayer
           (position 13.00 231.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents layer 2.00, 57.00 120.00 x 90.00)
         )
         (GraphicsLayer
           (position 151.00 231.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents clipping layer 2.00, 2.00 120.00 x 200.00)
-          (contents layer 22.00, 12.00 120.00 x 90.00)
         )
         (GraphicsLayer
           (position 289.00 231.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents layer 2.00, 30.00 120.00 x 90.00)
         )
         (GraphicsLayer
           (position 427.00 231.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents clipping layer 2.00, 2.00 120.00 x 200.00)
-          (contents layer -8.00, 102.00 120.00 x 90.00)
         )
         (GraphicsLayer
           (position 565.00 231.00)
           (bounds 124.00 204.00)
           (contentsOpaque 1)
           (drawsContent 1)
-          (contents layer 2.00, 101.00 120.00 x 90.00)
         )
       )
     )
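Review bot: all 14 removed lines in this hunk are "(contents layer ...)" or "(contents clipping layer ...)" entries and nothing is added in their place, so the actual output has no contents layer under any of the GraphicsLayers shown. Rebaselining to this output would drop every check on the contents-layer position and size (for example "22.00, 12.00 120.00 x 200.00" and "-8.00, 102.00 120.00 x 90.00"), leaving the test to assert only the outer layer position and bounds. Before updating the expected file, confirm that the absence of contents layers is the intended behaviour for this configuration rather than the video layer not being attached, and record that reason with the rebaseline.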
Comment 5 Diego Pino 2020-11-03 08:29:27 PST
This test(s) has been consistently passing in the last 4000 revisions. Closing bug.