Bug 177410

Summary: [GStreamer][MSE] Likely race condition causes WTF::Deque to crash on debug
Product: WebKit
Reporter: Alicia Boya García <aboya>
Component: WebKitGTK
Assignee: Enrique Ocaña <eocanha>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, calvaris, commit-queue, eocanha
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Alicia Boya García
Reported 2017-09-23 12:33:13 PDT
When running the YouTube 2018 MSE tests, many of them sometimes crash WebKit on this assertion: http://yt-dash-mse-test.commondatastorage.googleapis.com/unit-tests/2018.html?tests=73,74,75,85,93,94,101,102&command=run

ASSERTION FAILED: m_next->m_previous == this
../../../Source/WTF/wtf/Deque.h(634) : void WTF::DequeIteratorBase<T, inlineCapacity>::removeFromIteratorsList() [with T = _Stream*; long unsigned int inlineCapacity = 0]
1 0x7fc8398e24d4 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7fc8398e24d4]
2 0x7fc8441d985b /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::removeFromIteratorsList()+0xc1) [0x7fc8441d985b]
3 0x7fc8441d8ef6 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::~DequeIteratorBase()+0x18) [0x7fc8441d8ef6]
4 0x7fc8441d8e20 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIterator<_Stream*, 0ul>::~DequeIterator()+0x18) [0x7fc8441d8e20]
5 0x7fc8441de38a /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc638a) [0x7fc8441de38a]
6 0x7fc8441de5c3 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc65c3) [0x7fc8441de5c3]
7 0x7fc829139bde /lib64/libffi.so.6(ffi_call_unix64+0x4c) [0x7fc829139bde]
8 0x7fc82913954f /lib64/libffi.so.6(ffi_call+0x22f) [0x7fc82913954f]
9 0x7fc832affc33 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_cclosure_marshal_generic+0x1d3) [0x7fc832affc33]
10 0x7fc832aff46d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_closure_invoke+0x19d) [0x7fc832aff46d]
11 0x7fc832b111fe /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(+0x211fe) [0x7fc832b111fe]
12 0x7fc832b19895 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xa45) [0x7fc832b19895]
13 0x7fc832b1a252 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit+0x82) [0x7fc832b1a252]
14 0x7fc834c34684 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(gst_bus_async_signal_func+0x54) [0x7fc834c34684]
15 0x7fc834c3546d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(+0x4246d) [0x7fc834c3546d]
16 0x7fc8328274d5 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_context_dispatch+0x135) [0x7fc8328274d5]
17 0x7fc832827878 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(+0x49878) [0x7fc832827878]
18 0x7fc832827b82 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7fc832827b82]
19 0x7fc839950f54 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTF::RunLoop::run()+0xac) [0x7fc839950f54]
20 0x7fc843086b51 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**)+0x82) [0x7fc843086b51]
21 0x7fc843086a03 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WebProcessMainUnix+0x20) [0x7fc843086a03]
22 0x400d22 /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(main+0x3d) [0x400d22]
23 0x7fc82d9d050a /lib64/libc.so.6(__libc_start_main+0xea) [0x7fc82d9d050a]
24 0x400bfa /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(_start+0x2a) [0x400bfa]

Tests that may show the error: 73, 74, 75, 85, 93, 94, 101, 102.

It's likely a result of using WTF::Deque from different threads. Since removeFromIteratorsList() only contains code in debug mode, it's possible that this race is hidden on release.
Attachments
Patch (7.20 KB, patch)
2017-10-05 14:22 PDT, Enrique Ocaña
no flags
Enrique Ocaña
Comment 1 2017-09-25 02:16:59 PDT
These crashes come from a suggestion to use a Deque instead of the original GList during the upstreaming of the MSE code. GLists were more robust to multithreading because the links are maintained using pointers, which are atomically swappable. What we've done downstream to mitigate this problem is to use a Vector: https://github.com/WebPlatformForEmbedded/WPEWebKit/commit/44d8a78783b195c1a4d5e7b765e33d654da0e1d2
Enrique Ocaña
Comment 2 2017-10-05 14:22:38 PDT
WebKit Commit Bot
Comment 3 2017-10-06 02:43:29 PDT
Comment on attachment 322916: Patch
Clearing flags on attachment: 322916
Committed r222972: <http://trac.webkit.org/changeset/222972>
WebKit Commit Bot
Comment 4 2017-10-06 02:43:30 PDT
All reviewed patches have been landed. Closing bug.