Bug 230318

Summary:

REGRESSION(r282220): [GCC] Several flaky crashes on media/track/cue tests

Product:

WebKit

Reporter:

Carlos Alberto Lopez Perez <clopez>

Component:

WebKitGTK

Assignee:

Philippe Normand <pnormand>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

aperez, bugs-noreply, calvaris, cdumez, cgarcia, changseok, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, jer.noble, philipj, pnormand, sergio, zdobersek

Priority:

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=229924

Attachments:

Description	Flags
Crash log with threads for imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/label.html from the GTK Release bot	none
Patch	none

Description Carlos Alberto Lopez Perez 2021-09-15 13:42:41 PDT

Created attachment 438283 [details]
Crash log with threads for imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/label.html from the GTK Release bot

r282220 caused at least the following flaky crashes on GTK and WPE:

  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/cues.html [ Pass Crash ]
  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/kind.html [ Pass Crash ]
  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/label.html [ Pass Crash ]
  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/language.html [ Pass Crash ]
  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/oncuechange.html [ Pass Crash ]
  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/removeCue.html [ Pass Crash ]
  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-cues-cuechange-dynamically-created-track-element.html [ Pass Crash ]
  imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-cues-enter-seeking.html [ Pass Crash ]
  media/track/track-cue-inline-assertion-crash.html [ Pass Crash ]
  media/track/track-cue-left-align.html [ Pass Crash ]
  media/track/track-cue-line-position.html [ Pass Crash ]
  media/track/track-cues-cuechange.html [ Pass Crash ]


On GTK can be easily reproduced by running WTR with: --repeat-each=20 media/track/track-cue-inline-assertion-crash.html


The backtrace is the same on all of them, which is:

Thread 1 (Thread 0x7f7783eafe80 (LWP 269462)):
#0  0x00007f7790490350 in WTF::MediaTime::compare(WTF::MediaTime const&) const () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#1  0x00007f778ec3a6d5 in WebCore::HTMLMediaElement::textTrackRemoveCue(WebCore::TextTrack&, WebCore::TextTrackCue&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#2  0x00007f778ec3aa66 in non-virtual thunk to WebCore::HTMLMediaElement::textTrackRemoveCues(WebCore::TextTrack&, WebCore::TextTrackCueList const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#3  0x00007f778edd9856 in WTF::WeakHashSet<WebCore::TextTrackClient, WTF::EmptyCounter>::forEach(WTF::Function<void (WebCore::TextTrackClient&)> const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#4  0x00007f778edd5388 in WebCore::TextTrack::~TextTrack() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#5  0x00007f778edd5cd9 in WebCore::TextTrack::~TextTrack() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#6  0x00007f778ededbff in WebCore::TextTrackList::~TextTrackList() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#7  0x00007f778edf0969 in WebCore::TextTrackList::~TextTrackList() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#8  0x00007f778ec35fa6 in WebCore::HTMLMediaElement::~HTMLMediaElement() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#9  0x00007f778ecaaf24 in WebCore::HTMLVideoElement::~HTMLVideoElement() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#10 0x00007f778ec4c42d in WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueTaskKeepingObjectAlive<WebCore::HTMLMediaElement>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::Function<void ()>&&)::{lambda()#1}, void>::~CallableWrapper() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#11 0x00007f778ea08271 in WebCore::EventLoopFunctionDispatchTask::~EventLoopFunctionDispatchTask() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#12 0x00007f778ea064e5 in WebCore::EventLoop::run() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#13 0x00007f778ea9e61d in WebCore::WindowEventLoop::didReachTimeToRun() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#14 0x00007f778f1aa257 in WebCore::ThreadTimers::sharedTimerFiredInternal() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#15 0x00007f778a16b6e5 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0
#16 0x00007f778a16b95f in WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0
#17 0x00007f77865d82bf in g_main_dispatch (context=0x5585ee593930) at ../glib/gmain.c:3344
#18 g_main_context_dispatch (context=0x5585ee593930) at ../glib/gmain.c:4062
#19 0x00007f77865d8668 in g_main_context_iterate (context=0x5585ee593930, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4138
#20 0x00007f77865d8983 in g_main_loop_run (loop=0x5585ee5c24e0) at ../glib/gmain.c:4336
#21 0x00007f778a16baa8 in WTF::RunLoop::run() () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0
#22 0x00007f778d8ee774 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.1.so.0
#23 0x00007f7785f7a062 in __libc_start_main (main=0x5585ecceb850 <main>, argc=4, argv=0x7ffd82c3f088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd82c3f078) at ../csu/libc-start.c:308
#24 0x00005585ecceb88e in _start () at ../sysdeps/x86_64/start.S:120

I'm attaching the complete trace with threads.


What intrigues me is that this tests are not crashing on the Debug bots, only on the Release ones.
I wonder if the crash may be caused by some optimization that GCC does and Clang doesn't. I will try to check this further later.

Comment 1 Carlos Alberto Lopez Perez 2021-09-15 14:02:21 PDT

Test expectations updated in r282471

Comment 2 Carlos Alberto Lopez Perez 2021-09-16 07:01:45 PDT

(In reply to Carlos Alberto Lopez Perez from comment #0)
> 
> What intrigues me is that this tests are not crashing on the Debug bots,
> only on the Release ones.
> I wonder if the crash may be caused by some optimization that GCC does and
> Clang doesn't. I will try to check this further later.

Confirmed.

Tested to build:

 1. WebKitGTK Release at r282220 with GCC 10.2.0  (flatpak SDK)
 2. WebKitGTK Debug at r282220 with GCC 10.2.0  (flatpak SDK)
 3. WebKitGTK Release at r282220 with Clang 11.1.0 (flatpak SDK)


The crash is only reproducible with 1. (GCC+Release). With Clang or GCC Debug (no optimizations) the crash is not reproducible.

So this is either undefined behaviour on the code or a bug in GCC

Comment 3 Philippe Normand 2021-09-17 07:51:29 PDT

Created attachment 438475 [details]
Patch

Comment 4 EWS 2021-09-17 11:57:33 PDT

Committed r282680 (241820@main): <https://commits.webkit.org/241820@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438475 [details].