| Summary: | [GStreamer][WebRTC] SIGSEGV at _mm_mul_pd() during audio resampling | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Alicia Boya García <aboya> |
| Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bugs-noreply, calvaris, dpino, lmoura, pnormand, youennf |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |

Description
Alicia Boya García
2020-06-23 03:22:21 PDT
Looks like an ORC bug? or an issue with the GCC intrinsics... I don't even know how this got a SIGSEGV. _mm_mul_pd() takes integral values, not pointers:

https://software.intel.com/sites/landingpage/IntrinsicsGuide/#text=_mm_mul_pd&expand=3919

Synopsis
__m128d _mm_mul_pd (__m128d a, __m128d b)
#include <emmintrin.h>
Instruction: mulpd xmm, xmm
CPUID Flags: SSE2

Description
Multiply packed double-precision (64-bit) floating-point elements in a and b, and store the results in dst.

Same crash in webrtc/multi-audio.html

RealtimeOutgoingAudioSourceLibWebRTC::pullAudioData() is the most suspicious part of the code, although I couldn't quickly find a blatant memory error. The input buffer is ref'ed and locked during conversion, and the output buffer (m_audioBuffer) is protected by [protectedThis = makeRef(*this)] in the calling lambda.

I can only think of audio being non-interleaved in either and therefore in/out expecting an array of more than one pointer, and an invalid pointer being read. But if that was the case that would happen more consistently.

Catching the error with asan would be helpful.

fast/mediastream/RTCPeerConnection-inspect-offer-bundlePolicy-bundle-only.html

This is sparsely crashing in the release bots with the same trace. Some numbers from recent history:

GTK-Release: 2 crashes since r269185
GTK-Release-Wayland[1]: 4 crashes since r268715
GTK-Debug: Crashing almost half of the time since circa r269034. 3 crashes between r267523 and r269034.
WPE-Release: 1 crash in r269580
WPE-Debug: 13 crashes since r268991

With this test, I managed to get it to somewhat reliably crash in debug mode when using `--iterations=10` (i.e. it crashed at least once during the run).

[1] Wayland had some "FAIL TIMEOUT CRASH" results not included in the sum above

(In reply to Lauro Moura from comment #5)
> fast/mediastream/RTCPeerConnection-inspect-offer-bundlePolicy-bundle-only.html
> This has been failing on all ports for months.

Not sure it's a good indicator :)

webrtc/audio-video-element-playing.html also affected by this crash, in WPE.

also webrtc/remove-track.html

There were 2 tests left filed under this bug:

webrtc/audio-video-element-playing.html [ Crash Pass ]
webrtc/remove-track.html [ Crash Pass ]

The tests have been constantly passing for the last 4 months so I'm marking this bug as resolved.

https://results.webkit.org/?limit=4000&platform=GTK&platform=WPE&suite=layout-tests&suite=layout-tests&test=webrtc%2Faudio-video-element-playing.html&test=webrtc%2Fremove-track.html

Tests removed from test expectations in r287490.