Bug 232914

Summary: [GStreamer] Crash in gst_buffer_get_meta when playing reddit video
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: MediaAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, mcatanzaro, pnormand, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Full backtrace
none
GStreamer log none

Description Michael Catanzaro 2021-11-09 16:15:38 PST 
This is a recent regression:

 * Visit https://www.reddit.com/r/StLouis/comments/qqc4tk/explosions_rocked_a_home_in_belleville_this/ (probably any reddit video would suffice)
 * Try to play the video

Epiphany Tech Preview with WebKitGTK 2.34.1 and GStreamer 1.18.5 will crash 100% of the time with this backtrace:

#0  0x00007f88e136e94c in gst_buffer_get_meta
    (buffer=buffer@entry=0x557280d5c5a0 [None], api=0x7f86cc0459e0 [GstVideoTimeCodeMetaAPI])
    at ../gst/gstbuffer.c:2242
#1  0x00007f87e0346ed6 in gst_h264_parse_pre_push_frame (parse=0x7f87080804f0 [GstH264Parse], frame=0x5572809c0800)
    at ../gst/videoparsers/gsth264parse.c:3137
#2  0x00007f88e1493dc7 in gst_base_parse_push_frame
    (parse=parse@entry=0x7f87080804f0 [GstH264Parse], frame=frame@entry=0x5572809c0800)
    at ../libs/gst/base/gstbaseparse.c:2524
#3  0x00007f88e14973fc in gst_base_parse_handle_and_push_frame
    (frame=0x5572809c0800, parse=0x7f87080804f0 [GstH264Parse]) at ../libs/gst/base/gstbaseparse.c:2440
#4  0x00007f87e0344514 in gst_h264_parse_handle_frame_packetized
    (frame=0x5572809c0800, parse=0x7f87080804f0 [GstH264Parse]) at ../gst/videoparsers/gsth264parse.c:1282
#5  gst_h264_parse_handle_frame (parse=0x7f87080804f0 [GstH264Parse], frame=0x5572809c0800, skipsize=<optimized out>)
    at ../gst/videoparsers/gsth264parse.c:1326
#6  0x00007f88e148eee2 in gst_base_parse_handle_buffer
    (parse=parse@entry=0x7f87080804f0 [GstH264Parse], buffer=<optimized out>, skip=skip@entry=0x7f871dff9ee8, flushed=flushed@entry=0x7f871dff9eec) at ../libs/gst/base/gstbaseparse.c:2248
#7  0x00007f88e1494f82 in gst_base_parse_chain (pad=<optimized out>, parent=<optimized out>, buffer=<optimized out>)
    at ../libs/gst/base/gstbaseparse.c:3297
#8  0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked
    (pad=pad@entry=0x7f87340352f0 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4404
#9  0x00007f88e13acacc in gst_pad_push_data
    (pad=pad@entry=0x7f8734035540 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4668
#10 0x00007f88e13b4551 in gst_pad_push (pad=0x7f8734035540 [GstPad], buffer=0x557280d4ca20 [GstBuffer])
    at ../gst/gstpad.c:4787
#11 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked
    (pad=pad@entry=0x7f8734035790 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4404
#12 0x00007f88e13acacc in gst_pad_push_data
    (pad=pad@entry=0x7f8708036a80 [GstProxyPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4668
#13 0x00007f88e13b4551 in gst_pad_push
    (pad=pad@entry=0x7f8708036a80 [GstProxyPad], buffer=buffer@entry=0x557280d4ca20 [GstBuffer])
    at ../gst/gstpad.c:4787
#14 0x00007f88e1396a43 in gst_proxy_pad_chain_default
    (pad=<optimized out>, parent=<optimized out>, buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstghostpad.c:127
#15 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked
    (pad=pad@entry=0x7f8734013b20 [GstGhostPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4404
#16 0x00007f88e13acacc in gst_pad_push_data
    (pad=pad@entry=0x7f86e802a540 [GstProxyPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4668
#17 0x00007f88e13b4551 in gst_pad_push
    (pad=pad@entry=0x7f86e802a540 [GstProxyPad], buffer=buffer@entry=0x557280d4ca20 [GstBuffer])
    at ../gst/gstpad.c:4787
#18 0x00007f88e1396a43 in gst_proxy_pad_chain_default
    (pad=<optimized out>, parent=<optimized out>, buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstghostpad.c:127
#19 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked
    (pad=pad@entry=0x7f86e4015640 [GstGhostPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4404
#20 0x00007f88e13acacc in gst_pad_push_data
    (pad=pad@entry=0x7f86e40158b0 [GstGhostPad], type=type@entry=4112, data=data@entry=0x557280d4ca20)
    at ../gst/gstpad.c:4668
#21 0x00007f88e13b4551 in gst_pad_push (pad=pad@entry=0x7f86e40158b0 [GstGhostPad], buffer=buffer@entry=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#22 0x00007f88e1396a43 in gst_proxy_pad_chain_default (pad=<optimized out>, parent=<optimized out>, buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstghostpad.c:127
#23 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f86e802aec0 [GstProxyPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#24 0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f86b4020630 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#25 0x00007f88e13b4551 in gst_pad_push (pad=0x7f86b4020630 [GstPad], buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#26 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f86b4020880 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#27 0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f86cc1d65b0 [WebKitMediaSrcPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#28 0x00007f88e13b4551 in gst_pad_push (pad=0x7f86cc1d65b0 [WebKitMediaSrcPad], buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#29 0x00007f88e53eb5e7 in webKitMediaSrcLoop(void*) (userData=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/WebCore/platform/graphics/gstreamer/mse/WebKitMediaSourceGStreamer.cpp:523
#30 0x00007f88e13e5c2c in gst_task_func (task=0x557280d5f050 [GstTask]) at ../gst/gsttask.c:384
#31 0x00007f88e406b6c5 in g_thread_pool_thread_proxy (data=<optimized out>) at ../glib/gthreadpool.c:354
#32 0x00007f88e406acf9 in g_thread_proxy (data=0x5572806b40c0) at ../glib/gthread.c:827
#33 0x00007f88e06173ba in start_thread (arg=0x7f871dffb640) at pthread_create.c:481
#34 0x00007f88e4580b03 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I'll attach a full backtrace and a GStreamer debug log.
Comment 1 Michael Catanzaro 2021-11-09 16:16:03 PST 
Created attachment 443748 [details]
Full backtrace
Comment 2 Michael Catanzaro 2021-11-09 16:19:27 PST 
To take the GStreamer debug log, I copy/pasted this line from https://trac.webkit.org/wiki/WebKitGTK/Debugging#Debuggingmultimediastuff:

$ export GST_DEBUG="3,webkit*:6" GST_DEBUG_FILE="$HOME/gst.log" GST_DEBUG_NO_COLOR=1 WEBKIT_FORCE_SANDBOX=0

Then realized it doesn't work because the log is being generated in the sandboxed home directory, so I decided to run using --filesystem=home:

$ flatpak run --filesystem=home org.gnome.Epiphany.Devel -p

Irritatingly, adding --filesystem=home somehow avoids the crash. O_O
Comment 3 Michael Catanzaro 2021-11-09 16:29:10 PST 
Created attachment 443753 [details]
GStreamer log

I wound up writing the log under ~/.var/app/org.gnome.Epiphany.Devel/config in order to exfiltrate it from the sandbox without using --filesystem=home or -d, which for some reason causes the video to play properly.

Note there are a bunch of FIXMEs at the bottom of the log immediately before the crash:

0:00:03.947285498   345 0x5616fd08f920 FIXME             decodebin3 gstdecodebin3.c:1422:handle_stream_collection:<decodebin3-0> New collection but already had one ...
0:00:03.947313491   345 0x5616fd08f920 DEBUG      webkitmediaplayer MediaPlayerPrivateGStreamer.cpp:1503:handleStreamCollectionMessage:<MSE-media-player-2> Ignoring redundant STREAM_COLLECTION from <decodebin3-0>
0:00:03.947339070   345 0x5616fd08f920 FIXME             decodebin3 gstdecodebin3.c:1103:update_requested_selection:<decodebin3-0> Implement EXPOSE_ALL_MODE
0:00:03.947365761   345 0x5616fd08f920 FIXME             decodebin3 gstdecodebin3.c:1156:update_requested_selection:<decodebin3-0> Replacing non-NULL requested_selection, what should we do ??
Comment 4 Philippe Normand 2021-11-13 07:16:22 PST 
I can't reproduce this, but I think I see what the problem is... 

1. In gst_h264_parse_pre_push_frame() a local buffer variable is set to the frame->out_buffer pointer
2. When gst_h264_parse_handle_sps_pps_nals() is called with that buffer, the frame->out_buffer pointer is updated (gst_buffer_replace() call) and now buffer is dangling
3. buffer pointer is accessed (un-modified) after the gst_h264_parse_handle_sps_pps_nals() BOOM

Can you cherry-pick this commit in your SDK? I think it might fix the problem. If so, I'll ask to have it in 1.18.6 if that ever happens.

https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0f084d46247f9009584b482cea8196b5b871cc73
Comment 5 Michael Catanzaro 2021-11-13 09:34:18 PST 
(In reply to Philippe Normand from comment #4)
> Can you cherry-pick this commit in your SDK? I think it might fix the
> problem. If so, I'll ask to have it in 1.18.6 if that ever happens.
> 
> https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/
> 0f084d46247f9009584b482cea8196b5b871cc73

Sure, I'll plan to add it to freedesktop-sdk, then update GNOME runtime to a newer freedesktop-sdk. It's still crashing 100% for me so I'll know whether it's fixed or not.
Comment 7 Philippe Normand 2022-04-10 10:38:44 PDT 
> * Visit https://www.reddit.com/r/StLouis/comments/qqc4tk/explosions_rocked_a_home_in_belleville_this/ (probably any reddit video would suffice)
> * Try to play the video

Works fine in Ephy TP. Closing.
Comment 8 Radar WebKit Bug Importer 2022-04-10 10:39:17 PDT 
<rdar://problem/91536952>
Comment 9 Michael Catanzaro 2022-04-10 14:15:02 PDT 
(In reply to Michael Catanzaro from comment #6)
> Backports:
> 
> https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/6596
> https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/6597

I think this probably fixed it.