Bug 224260

Summary: [MSE][GStreamer] Crash in WebCore::PlaybackPipeline::addSourceBuffer when setting duration and preload is set to none
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: MediaAssignee: Philippe Normand <pnormand>
Status: RESOLVED FIXED    
Severity: Normal CC: aboya, calvaris, cgarcia, eric.carlson, ews-watchlist, glenn, gustavo, jer.noble, mcatanzaro, menard, philipj, pnormand, sergio, smoley, vjaquez
Priority: P2 Keywords: DoNotImportToRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
GStreamer debug log
none
"full" backtrace for first few frames of critical
none
Patch
none
Patch none

Michael Catanzaro
Reported 2021-04-06 20:05:24 PDT
Created attachment 425344 [details] GStreamer debug log Visit https://msdprojectclear.org/msd-ballot-issues-townhalls/ in Ephy Tech Preview (WebKitGTK 2.32.0) and scroll down the page, crash is guaranteed: #0 0x00007f39188eec79 in WebCore::PlaybackPipeline::addSourceBuffer(WTF::RefPtr<WebCore::SourceBufferPrivateGStreamer, WTF::RawPtrTraits<WebCore::SourceBufferPrivateGStreamer>, WTF::DefaultRefDerefTraits<WebCore::SourceBufferPrivateGStreamer> >) (this=0x7f373869ade0, sourceBufferPrivate=...) at DerivedSources/ForwardingHeaders/wtf/glib/GRefPtr.h:106 #1 0x00007f39188ec499 in WebCore::MediaSourcePrivateGStreamer::addSourceBuffer(WebCore::ContentType const&, bool, WTF::RefPtr<WebCore::SourceBufferPrivate, WTF::RawPtrTraits<WebCore::SourceBufferPrivate>, WTF::DefaultRefDerefTraits<WebCore::SourceBufferPrivate> >&) (this=this@entry=0x7f373b858380, contentType=..., sourceBufferPrivate=...) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:49 #2 0x00007f391769525b in WebCore::MediaSource::createSourceBufferPrivate(WebCore::ContentType const&) (this=this@entry=0x7f38642f09c0, incomingType=...) at ../Source/WebCore/page/RuntimeEnabledFeatures.h:255 #3 0x00007f3917699abd in WebCore::MediaSource::addSourceBuffer(WTF::String const&) (this=this@entry=0x7f38642f09c0, type=...) at ../Source/WebCore/Modules/mediasource/MediaSource.cpp:734 #4 0x00007f39171f34e7 in WebCore::jsMediaSourcePrototypeFunction_addSourceBufferBody (castedThis=0x7f37e06429f8, callFrame=<optimized out>, lexicalGlobalObject=0x7f37a0608068) at DerivedSources/WebCore/JSMediaSource.cpp:467 #5 WebCore::IDLOperation<WebCore::JSMediaSource>::call<WebCore::jsMediaSourcePrototypeFunction_addSourceBufferBody> (operationName=0x7f3918bcf89f "addSourceBuffer", callFrame=..., lexicalGlobalObject=...) at ../Source/WebCore/bindings/js/JSDOMOperation.h:53 #6 WebCore::jsMediaSourcePrototypeFunction_addSourceBuffer(JSC::JSGlobalObject*, JSC::CallFrame*) (lexicalGlobalObject=0x7f37a0608068, callFrame=<optimized out>) at DerivedSources/WebCore/JSMediaSource.cpp:472 #7 0x00007f38bffff1d8 in () #8 0x00007ffdee2ba740 in () #9 0x00007f3914736b6c in llint_op_call () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1093 #10 0x0000000000000000 in () Before it crashes, it hits this critical: GStreamer-CRITICAL **: 21:57:36.023: gst_element_post_message: assertion 'GST_IS_ELEMENT (element)' failed I'll attach a full backtrace for this critical and a debug log.
Attachments
GStreamer debug log (17.97 KB, text/plain)
2021-04-06 20:05 PDT, Michael Catanzaro 		no flags
Details
"full" backtrace for first few frames of critical (8.52 KB, text/plain)
2021-04-06 20:11 PDT, Michael Catanzaro 		no flags
Details
Patch (5.09 KB, patch)
2021-04-11 04:27 PDT, Philippe Normand 		no flags
DetailsFormatted DiffDiff
Patch (6.23 KB, patch)
2021-04-11 05:03 PDT, Philippe Normand 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2021-04-06 20:11:20 PDT
(In reply to Michael Catanzaro from comment #0) > I'll attach a full backtrace for this critical Um, it seems one of the stack frames exceeded my terminal scrollback. O_O Will attach a "full" backtrace for the first few frames. Truncated backtrace for the critical: #0 g_logv (log_domain=0x7f8e23844510 <g_log_domain_gstreamer> "GStreamer", log_level=G_LOG_LEVEL_CRITICAL, format=<optimized out>, args=<optimized out>) at ../glib/gmessages.c:1413 #1 0x00007f8e2638cd73 in g_log (log_domain=<optimized out>, log_level=log_level@entry=G_LOG_LEVEL_CRITICAL, format=format@entry=0x7f8e263e4ad0 "%s: assertion '%s' failed") at ../glib/gmessages.c:1451 #2 0x00007f8e2638d59d in g_return_if_fail_warning (log_domain=<optimized out>, pretty_function=pretty_function@entry=0x7f8e2384e850 <__func__.23> "gst_element_post_message", expression=expression@entry=0x7f8e23845699 "GST_IS_ELEMENT (element)") at ../glib/gmessages.c:2883 #3 0x00007f8e237c3bad in gst_element_post_message (element=0x0, message=0x558ab8755d90 [GstMessage]) at ../gst/gstelement.c:2035 #4 0x00007f8e290f859b in WebCore::PlaybackPipeline::notifyDurationChanged() (this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/glib/GRefPtr.h:104 #5 0x00007f8e290f577d in WebCore::MediaPlayerPrivateGStreamerMSE::durationChanged() (this=0x7f8c47003a80) at DerivedSources/ForwardingHeaders/wtf/RawPtrTraits.h:43 #6 0x00007f8e290f5bfd in WebCore::MediaSourcePrivateGStreamer::durationChanged(WTF::MediaTime const&) (this=0x7f8c6c08f8c0) at ../Source/WebCore/platform/graphics/gstreamer/mse/MediaSourcePrivateGStreamer.cpp:107 #7 0x00007f8e27ea1748 in WebCore::MediaSource::setDurationInternal(WTF::MediaTime const&) (this=this@entry=0x7f8d4c7e4680, duration=...) at DerivedSources/ForwardingHeaders/wtf/RawPtrTraits.h:43 #8 0x00007f8e27ea1f71 in WebCore::MediaSource::setDuration(double) (this=this@entry=0x7f8d4c7e4680, duration=<optimized out>) at ../Source/WebCore/Modules/mediasource/MediaSource.cpp:523 #9 0x00007f8e279fa104 in operator() (__closure=<optimized out>) at DerivedSources/WebCore/JSMediaSource.cpp:354 #10 WebCore::AttributeSetter::call<WebCore::setJSMediaSource_durationSetter(JSC::JSGlobalObject&, WebCore::JSMediaSource&, JSC::JSValue)::<lambda()> > (functor=..., functor=..., throwScope=..., lexicalGlobalObject=...) at ../Source/WebCore/bindings/js/JSDOMAttribute.h:99 #11 WebCore::setJSMediaSource_durationSetter (value=..., thisObject=..., lexicalGlobalObject=...) at DerivedSources/WebCore/JSMediaSource.cpp:353 #12 WebCore::IDLAttribute<WebCore::JSMediaSource>::set<WebCore::setJSMediaSource_durationSetter> (attributeName=0x7f8e293ca4c5 "duration", encodedValue=4639633856514973412, thisValue=<error reading variable: value has been optimized out>, lexicalGlobalObject=...) at ../Source/WebCore/bindings/js/JSDOMAttribute.h:50 #13 WebCore::setJSMediaSource_duration(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::EncodedJSValue) (lexicalGlobalObject=0x7f8cac0dc068, lexicalGlobalObject@entry=<error reading variable: value has been optimized out>, thisValue=<error reading variable: value has been optimized out>, encodedValue=4639633856514973412, encodedValue@entry=<error reading variable: value has been optimized out>) at DerivedSources/WebCore/JSMediaSource.cpp:361 #14 0x00007f8e25aa7a23 in JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long, long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (globalObject=<optimized out>, setter=<optimized out>, isAccessor=<optimized out>, slotBase=<optimized out>, thisValue=..., value=...) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:219 #15 0x00007f8e25bb9b41 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (this=0x7f8c462e2338, globalObject=globalObject@entry=0x7f8cac0dc068, propertyName=..., value=..., slot=...) at ../Source/JavaScriptCore/runtime/PutPropertySlot.h:111 #16 0x00007f8e258fe9a5 in JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (slot=..., value=..., propertyName=..., globalObject=0x7f8cac0dc068, cell=<optimized out>) at ../Source/JavaScriptCore/runtime/JSObjectInlines.h:277 #17 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (slot=..., value=..., propertyName=..., globalObject=0x7f8cac0dc068, this=<optimized out>) at ../Source/JavaScriptCore/runtime/JSCellInlines.h:447 #18 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (slot=..., value=..., propertyName=..., globalObject=0x7f8cac0dc068, this=0x7ffc0c3c0be8) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1060 #19 JSC::LLInt::llint_slow_path_put_by_id(JSC::CallFrame*, JSC::Instruction const*) (callFrame=<optimized out>, pc=0x7f8cac2b4576) at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:907 #20 0x00007f8e24f2fe2d in llint_op_put_by_id () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:97 #21 0x00007ffc0c3c0d00 in () #22 0x00007f8e24f40b6c in llint_op_call () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1093 #23 0x0000000000000000 in ()
Michael Catanzaro
Comment 2 2021-04-06 20:11:59 PDT
Created attachment 425345 [details] "full" backtrace for first few frames of critical
Philippe Normand
Comment 3 2021-04-11 04:27:33 PDT
Created attachment 425702 [details] Patch
Philippe Normand
Comment 4 2021-04-11 05:03:11 PDT
Created attachment 425703 [details] Patch
Michael Catanzaro
Comment 5 2021-04-11 06:30:36 PDT
Comment on attachment 425703 [details] Patch Nice test.
EWS
Comment 6 2021-04-12 06:41:46 PDT
Committed r275821 (236391@main): <https://commits.webkit.org/236391@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 425703 [details].
Note You need to log in before you can comment on or make changes to this bug.