Bug 224260

Summary: [MSE][GStreamer] Crash in WebCore::PlaybackPipeline::addSourceBuffer when setting duration and preload is set to none
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: Media Assignee: Philippe Normand <pnormand>
Status: RESOLVED FIXED    
Severity: Normal CC: aboya, calvaris, cgarcia, eric.carlson, ews-watchlist, glenn, gustavo, jer.noble, mcatanzaro, menard, philipj, pnormand, sergio, smoley, vjaquez
Priority: P2 Keywords: DoNotImportToRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description                                          Flags
GStreamer debug log                                  none
"full" backtrace for first few frames of critical    none
Patch                                                none
Patch                                                none

Description Michael Catanzaro 2021-04-06 20:05:24 PDT
Created attachment 425344 [details]
GStreamer debug log

Visit https://msdprojectclear.org/msd-ballot-issues-townhalls/ in Ephy Tech Preview (WebKitGTK 2.32.0) and scroll down the page, crash is guaranteed:

#0  0x00007f39188eec79 in WebCore::PlaybackPipeline::addSourceBuffer(WTF::RefPtr<WebCore::SourceBufferPrivateGStreamer, WTF::RawPtrTraits<WebCore::SourceBufferPrivateGStreamer>, WTF::DefaultRefDerefTraits<WebCore::SourceBufferPrivateGStreamer> >) (this=0x7f373869ade0, sourceBufferPrivate=...) at DerivedSources/ForwardingHeaders/wtf/glib/GRefPtr.h:106
#1  0x00007f39188ec499 in WebCore::MediaSourcePrivateGStreamer::addSourceBuffer(WebCore::ContentType const&, bool, WTF::RefPtr<WebCore::SourceBufferPrivate, WTF::RawPtrTraits<WebCore::SourceBufferPrivate>, WTF::DefaultRefDerefTraits<WebCore::SourceBufferPrivate> >&) (this=this@entry=0x7f373b858380, contentType=..., sourceBufferPrivate=...)
    at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:49
#2  0x00007f391769525b in WebCore::MediaSource::createSourceBufferPrivate(WebCore::ContentType const&)
    (this=this@entry=0x7f38642f09c0, incomingType=...) at ../Source/WebCore/page/RuntimeEnabledFeatures.h:255
#3  0x00007f3917699abd in WebCore::MediaSource::addSourceBuffer(WTF::String const&)
    (this=this@entry=0x7f38642f09c0, type=...) at ../Source/WebCore/Modules/mediasource/MediaSource.cpp:734
#4  0x00007f39171f34e7 in WebCore::jsMediaSourcePrototypeFunction_addSourceBufferBody
    (castedThis=0x7f37e06429f8, callFrame=<optimized out>, lexicalGlobalObject=0x7f37a0608068)
    at DerivedSources/WebCore/JSMediaSource.cpp:467
#5  WebCore::IDLOperation<WebCore::JSMediaSource>::call<WebCore::jsMediaSourcePrototypeFunction_addSourceBufferBody>
    (operationName=0x7f3918bcf89f "addSourceBuffer", callFrame=..., lexicalGlobalObject=...)
    at ../Source/WebCore/bindings/js/JSDOMOperation.h:53
#6  WebCore::jsMediaSourcePrototypeFunction_addSourceBuffer(JSC::JSGlobalObject*, JSC::CallFrame*)
    (lexicalGlobalObject=0x7f37a0608068, callFrame=<optimized out>) at DerivedSources/WebCore/JSMediaSource.cpp:472
#7  0x00007f38bffff1d8 in  ()
#8  0x00007ffdee2ba740 in  ()
#9  0x00007f3914736b6c in llint_op_call ()
    at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1093
#10 0x0000000000000000 in  ()

Before it crashes, it hits this critical:

GStreamer-CRITICAL **: 21:57:36.023: gst_element_post_message: assertion 'GST_IS_ELEMENT (element)' failed

I'll attach a full backtrace for this critical and a debug log.
Comment 1 Michael Catanzaro 2021-04-06 20:11:20 PDT
(In reply to Michael Catanzaro from comment #0)
> I'll attach a full backtrace for this critical

Um, it seems one of the stack frames exceeded my terminal scrollback. O_O  Will attach a "full" backtrace for the first few frames. Truncated backtrace for the critical:

#0  g_logv
    (log_domain=0x7f8e23844510 <g_log_domain_gstreamer> "GStreamer", log_level=G_LOG_LEVEL_CRITICAL, format=<optimized out>, args=<optimized out>) at ../glib/gmessages.c:1413
#1  0x00007f8e2638cd73 in g_log
    (log_domain=<optimized out>, log_level=log_level@entry=G_LOG_LEVEL_CRITICAL, format=format@entry=0x7f8e263e4ad0 "%s: assertion '%s' failed") at ../glib/gmessages.c:1451
#2  0x00007f8e2638d59d in g_return_if_fail_warning
    (log_domain=<optimized out>, pretty_function=pretty_function@entry=0x7f8e2384e850 <__func__.23> "gst_element_post_message", expression=expression@entry=0x7f8e23845699 "GST_IS_ELEMENT (element)") at ../glib/gmessages.c:2883
#3  0x00007f8e237c3bad in gst_element_post_message (element=0x0, message=0x558ab8755d90 [GstMessage])
    at ../gst/gstelement.c:2035
#4  0x00007f8e290f859b in WebCore::PlaybackPipeline::notifyDurationChanged() (this=<optimized out>)
    at DerivedSources/ForwardingHeaders/wtf/glib/GRefPtr.h:104
#5  0x00007f8e290f577d in WebCore::MediaPlayerPrivateGStreamerMSE::durationChanged() (this=0x7f8c47003a80)
    at DerivedSources/ForwardingHeaders/wtf/RawPtrTraits.h:43
#6  0x00007f8e290f5bfd in WebCore::MediaSourcePrivateGStreamer::durationChanged(WTF::MediaTime const&)
    (this=0x7f8c6c08f8c0) at ../Source/WebCore/platform/graphics/gstreamer/mse/MediaSourcePrivateGStreamer.cpp:107
#7  0x00007f8e27ea1748 in WebCore::MediaSource::setDurationInternal(WTF::MediaTime const&)
    (this=this@entry=0x7f8d4c7e4680, duration=...) at DerivedSources/ForwardingHeaders/wtf/RawPtrTraits.h:43
#8  0x00007f8e27ea1f71 in WebCore::MediaSource::setDuration(double)
    (this=this@entry=0x7f8d4c7e4680, duration=<optimized out>)
    at ../Source/WebCore/Modules/mediasource/MediaSource.cpp:523
#9  0x00007f8e279fa104 in operator() (__closure=<optimized out>) at DerivedSources/WebCore/JSMediaSource.cpp:354
#10 WebCore::AttributeSetter::call<WebCore::setJSMediaSource_durationSetter(JSC::JSGlobalObject&, WebCore::JSMediaSource&, JSC::JSValue)::<lambda()> > (functor=..., functor=..., throwScope=..., lexicalGlobalObject=...)
    at ../Source/WebCore/bindings/js/JSDOMAttribute.h:99
#11 WebCore::setJSMediaSource_durationSetter (value=..., thisObject=..., lexicalGlobalObject=...)
    at DerivedSources/WebCore/JSMediaSource.cpp:353
#12 WebCore::IDLAttribute<WebCore::JSMediaSource>::set<WebCore::setJSMediaSource_durationSetter>
    (attributeName=0x7f8e293ca4c5 "duration", encodedValue=4639633856514973412, thisValue=<error reading variable: value has been optimized out>, lexicalGlobalObject=...) at ../Source/WebCore/bindings/js/JSDOMAttribute.h:50
#13 WebCore::setJSMediaSource_duration(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::EncodedJSValue)
    (lexicalGlobalObject=0x7f8cac0dc068, 
    lexicalGlobalObject@entry=<error reading variable: value has been optimized out>, thisValue=<error reading variable: value has been optimized out>, encodedValue=4639633856514973412, 
    encodedValue@entry=<error reading variable: value has been optimized out>)
    at DerivedSources/WebCore/JSMediaSource.cpp:361
#14 0x00007f8e25aa7a23 in JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long, long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue)
    (globalObject=<optimized out>, setter=<optimized out>, isAccessor=<optimized out>, slotBase=<optimized out>, thisValue=..., value=...) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:219
#15 0x00007f8e25bb9b41 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
    (this=0x7f8c462e2338, globalObject=globalObject@entry=0x7f8cac0dc068, propertyName=..., value=..., slot=...)
    at ../Source/JavaScriptCore/runtime/PutPropertySlot.h:111
#16 0x00007f8e258fe9a5 in JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
    (slot=..., value=..., propertyName=..., globalObject=0x7f8cac0dc068, cell=<optimized out>)
    at ../Source/JavaScriptCore/runtime/JSObjectInlines.h:277
#17 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
    (slot=..., value=..., propertyName=..., globalObject=0x7f8cac0dc068, this=<optimized out>)
    at ../Source/JavaScriptCore/runtime/JSCellInlines.h:447
#18 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
    (slot=..., value=..., propertyName=..., globalObject=0x7f8cac0dc068, this=0x7ffc0c3c0be8)
    at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1060
#19 JSC::LLInt::llint_slow_path_put_by_id(JSC::CallFrame*, JSC::Instruction const*) (callFrame=<optimized out>, pc=0x7f8cac2b4576) at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:907
#20 0x00007f8e24f2fe2d in llint_op_put_by_id () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:97
#21 0x00007ffc0c3c0d00 in  ()
#22 0x00007f8e24f40b6c in llint_op_call () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1093
#23 0x0000000000000000 in  ()
Comment 2 Michael Catanzaro 2021-04-06 20:11:59 PDT
Created attachment 425345 [details]
"full" backtrace for first few frames of critical
Comment 3 Philippe Normand 2021-04-11 04:27:33 PDT
Created attachment 425702 [details]
Patch
Comment 4 Philippe Normand 2021-04-11 05:03:11 PDT
Created attachment 425703 [details]
Patch
Comment 5 Michael Catanzaro 2021-04-11 06:30:36 PDT
Comment on attachment 425703 [details]
Patch

Nice test.
Comment 6 EWS 2021-04-12 06:41:46 PDT
Committed r275821 (236391@main): <https://commits.webkit.org/236391@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 425703 [details].