Bug 309360

Summary: [WPE][GStreamer] 4 webcodecs/video-encoder-rescaling WPT tests crash on ARM64: imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.worker.html?h264_avc
Product: WebKit
Reporter: Carlos Alberto Lopez Perez <clopez>
Component: WPE WebKit
Assignee: Philippe Normand <philn>
Status: RESOLVED FIXED
Severity: Normal
CC: aboya, bugs-noreply, calvaris, csaavedra, eocanha, fujii, philn, vwatermeier
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 309450
Bug Blocks:
Attachments:
Description Flags
video-encoder-rescaling.https.any_h264_avc-crash-log.txt none

Carlos Alberto Lopez Perez
Reported 2026-03-06 10:21:55 PST
The following layout tests crash on WPE on ARM64:

Regressions: Unexpected crashes (4)
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.html?h264_annexb [ Crash ]
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.html?h264_avc [ Crash ]
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.worker.html?h264_annexb [ Crash ]
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.worker.html?h264_avc [ Crash ]

All of them crash with the same assertion.

/usr/include/c++/13/span:429: constexpr std::span<_Type, 18446744073709551615> std::span<_Type, _Extent>::subspan(size_type, size_type) const [with _Type = unsigned char; long unsigned int _Extent = 18446744073709551615; size_type = long unsigned int]: Assertion '__offset + __count <= size()' failed.

The crash log:

Thread 1 (Thread 0xfffcca7cee20 (LWP 3840865)):
#0 __pthread_kill_implementation (threadid=281461194026528, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1 0x0000ffff7b017670 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2 0x0000ffff7afccb3c in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x0000ffff7afb7e00 in __GI_abort () at ./stdlib/abort.c:79
#4 0x0000ffff773f276c in std::__glibcxx_assert_fail(char const*, int, char const*, char const*) () at /lib/aarch64-linux-gnu/libstdc++.so.6
#5 0x0000ffff8204b9c4 in WebCore::copyPlane(std::span<unsigned char, 18446744073709551615ul>&, std::span<unsigned char, 18446744073709551615ul> const&, unsigned long, WebCore::ComputedPlaneLayout const&) () at /sdk/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#6 0x0000ffff82059058 in WebCore::VideoFrame::copyTo(std::span<unsigned char, 18446744073709551615ul>, WebCore::VideoPixelFormat, WTF::Vector<WebCore::ComputedPlaneLayout, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, WTF::CompletionHandler<void (std::optional<WTF::Vector<WebCore::PlaneLayout, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)>&&) () at /sdk/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#7 0x0000ffff80cf4bb4 in WebCore::WebCodecsVideoFrame::copyTo(WebCore::BufferSource&&, WebCore::WebCodecsVideoFrame::CopyToOptions&&, WebCore::DOMPromiseDeferred<WebCore::IDLSequence<WebCore::IDLDictionary<WebCore::PlaneLayout> > >&&) () at /sdk/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#8 0x0000ffff806a0414 in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyTo(JSC::JSGlobalObject*, JSC::CallFrame*) () at /sdk/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#9 0x0000ffff4646803c in ??? ()
#10 0x0000ffff679cf920 in ??? ()

You can check more details about this at: https://build.webkit.org/results/WPE-Linux-ARM64-bit-Release-Tests/308796@main%20(164)/results.html

Note that these tests don't crash on x86_64.

It is not known when these tests started to crash. They have been crashing since we deployed the new ARM64 WPE bot at https://build.webkit.org/#/builders/1882
Attachments
video-encoder-rescaling.https.any_h264_avc-crash-log.txt (10.42 KB, text/plain)
2026-03-11 01:47 PDT, Fujii Hironori
no flags
Carlos Alberto Lopez Perez
Comment 1 2026-03-06 15:33:10 PST
Test expectations updated at 308825@main
Philippe Normand
Comment 2 2026-03-07 02:41:42 PST
(gdb) bt
#0 __pthread_kill_implementation (threadid=281472984584224, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x0000ffff889016d4 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89
#2 0x0000ffff888abcbc in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x0000ffff88895d48 in __GI_abort () at abort.c:77
#4 0x0000ffff88be6368 in std::__glibcxx_assert_fail (file=<optimized out>, line=<optimized out>, function=<optimized out>, condition=<optimized out>) at ../../../../../libstdc++-v3/src/c++11/assert_fail.cc:41
#5 0x0000ffff94a50210 in std::span<unsigned char, 18446744073709551615ul>::subspan (this=0xfffff26ead18, __offset=4096, __count=64) at /usr/bin/../lib/gcc/aarch64-redhat-linux/15/../../../../include/c++/15/span:456
#6 0x0000ffff9fdbb0d4 in WebCore::copyPlane (destination=std::span of length 9216 = {...}, source=std::span of length 4096 = {...}, sourceStride=64, spanPlaneLayout=...) at /home/igalia/pnormand/WebKit/Source/WebCore/platform/graphics/gstreamer/VideoFrameGStreamer.cpp:561
#7 0x0000ffff9fdbaaf8 in WebCore::VideoFrame::copyTo (this=0xffff782ac100, destination=std::span of length 9216 = {...}, pixelFormat=WebCore::VideoPixelFormat::I420, computedPlaneLayout=..., callback=...) at /home/igalia/pnormand/WebKit/Source/WebCore/platform/graphics/gstreamer/VideoFrameGStreamer.cpp:616
#8 0x0000ffff9cff3808 in WebCore::WebCodecsVideoFrame::copyTo (this=0xffff782ddd40, source=..., options=..., promise=...) at /home/igalia/pnormand/WebKit/Source/WebCore/Modules/webcodecs/WebCodecsVideoFrame.cpp:515
#9 0x0000ffff9bf60b38 in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebCodecsVideoFrame*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)::{lambda()#1}::operator()() const (this=0xfffff26eb578) at WebCore/DerivedSources/JSWebCodecsVideoFrame.cpp:836
#10 0x0000ffff9bf60a9c in WebCore::toJS<WebCore::IDLPromise<WebCore::IDLSequence<WebCore::IDLDictionary<WebCore::PlaneLayout> > >, WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebCodecsVideoFrame*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)::{lambda()#1}>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebCodecsVideoFrame*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)::{lambda()#1}&&) (lexicalGlobalObject=..., globalObject=..., throwScope=..., valueOrFunctor=...) at WebCore/PrivateHeaders/WebCore/JSDOMConvertBase.h:220
#11 0x0000ffff9bf60790 in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody (lexicalGlobalObject=0xffff761e2088, callFrame=0xfffff26eb8e0, castedThis=0xffff7693c3a0, promise=...) at WebCore/DerivedSources/JSWebCodecsVideoFrame.cpp:836
#12 0x0000ffff9bf60dd4 in WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::{lambda(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)#1}::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&) const (this=0xfffff26eb860, lexicalGlobalObject=..., callFrame=..., promise=...) at /home/igalia/pnormand/WebKit/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:54
#13 0x0000ffff9bf60934 in WebCore::callPromiseFunction<WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::{lambda(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)#1}>(JSC::JSGlobalObject&, JSC::CallFrame&, WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::{lambda(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)#1}) (lexicalGlobalObject=..., callFrame=..., functor=...) at /home/igalia/pnormand/WebKit/Source/WebCore/bindings/js/JSDOMPromiseDeferred.h:399
#14 0x0000ffff9bf60578 in WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2> (lexicalGlobalObject=..., callFrame=..., operationName=0xffff91d29d3c "copyTo") at /home/igalia/pnormand/WebKit/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:41
#15 0x0000ffff9bf5f04c in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyTo (lexicalGlobalObject=0xffff761e2088, callFrame=0xfffff26eb8e0) at WebCore/DerivedSources/JSWebCodecsVideoFrame.cpp:841
#16 0x0000ffff55e7c03c in ??? ()
#17 0x0000ffff7634c5a0 in ??? ()
(gdb) f 6
#6 0x0000ffff9fdbb0d4 in WebCore::copyPlane (destination=std::span of length 9216 = {...}, source=std::span of length 4096 = {...}, sourceStride=64, spanPlaneLayout=...) at /home/igalia/pnormand/WebKit/Source/WebCore/platform/graphics/gstreamer/VideoFrameGStreamer.cpp:561
561 memcpySpan(destination.subspan(destinationOffset, rowBytes), source.subspan(sourceOffset, rowBytes));
(gdb) p rowBytes
$1 = 64
(gdb) p destinationOffset
$2 = 4096
(gdb) p sourceOffset
$3 = 4096
(gdb) p destination
$4 = std::span of length 9216 = {...}
(gdb) p source
$5 = std::span of length 4096 = {...}
(gdb)
Claudio Saavedra
Comment 3 2026-03-07 05:23:56 PST
I was looking into this a bit. The specific dimensions in these tests that cause this are:

{ from: { w: 128, h: 192 }, to: { w: 64, h: 64 } }, // Factor 0.5 (w) and 1/3 (h)

The format (RGBX or I420) seems to be irrelevant.

and in that specific call to copyPlane() values are:

destination size: 9216, source size 4096, source stride: 64,
spanPlaneLayout.sourceTop: 0, spanPlaneLayout.sourceLeftBytes: 0, spanPlaneLayout.destinationOffset: 0, spanPlaneLayout.sourceWidthBytes: 64, spanPlaneLayout.sourceHeight: 96
rowIndex: 64, destinationOffset: 4096, sourceOffset: 4096

Since Phil is looking into it I think I'll leave it in better hands :)
Philippe Normand
Comment 4 2026-03-08 03:25:12 PDT
It seems to boil down to an incorrect GstMappedFrame::planeStride(0) return value on arm64, leading to a too small span for the planeY span:

on x86_64:
layoutY: destinationOffset: 0, destinationStride: 64, sourceHeight: 96, sourceLeftBytes: 0, sourceWidthBytes: 64, sourceTop: 0, bytesPerRow: 64, planeY.size: 8192, planeY.stride: 128

on arm64:
layoutY: destinationOffset: 0, destinationStride: 64, sourceHeight: 96, sourceLeftBytes: 0, sourceWidthBytes: 64, sourceTop: 0, bytesPerRow: 64, planeY.size: 4096, planeY.stride: 64
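The bounds problem described in comments 3 and 4, as an added example that is neither WebKit's code nor the landed fix: a row-by-row plane copy that validates the last row against both buffers before copying anything, replayed with the reported sizes. `ExampleLayout`, `planeEnd`, `copyPlaneChecked` and `replayReportedCall` are hypothetical names, and the offset formulas are an assumption chosen to match the values printed in comment 3.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-in for the layout fields printed in comments 3 and 4.
struct ExampleLayout {
    size_t destinationOffset, destinationStride;
    size_t sourceTop, sourceHeight, sourceLeftBytes, sourceWidthBytes;
};
enum class CopyStatus { Ok, SourceTooSmall, DestinationTooSmall, Overflow };

// Stores base + rows * stride + width in end; returns false if that sum would wrap.
static bool planeEnd(size_t base, size_t rows, size_t stride, size_t width, size_t& end)
{
    if ((stride && rows > (SIZE_MAX - base) / stride) || base + rows * stride > SIZE_MAX - width)
        return false;
    end = base + rows * stride + width;
    return true;
}

// Checks the last row against both buffers before any byte is copied. Assumed offsets:
// source (sourceTop + row) * sourceStride + sourceLeftBytes, destination destinationOffset + row * destinationStride.
CopyStatus copyPlaneChecked(std::vector<uint8_t>& destination, const std::vector<uint8_t>& source,
    size_t sourceStride, const ExampleLayout& l)
{
    if (!l.sourceHeight || !l.sourceWidthBytes)
        return CopyStatus::Ok;
    size_t lastRow = l.sourceHeight - 1, sourceEnd = 0, destinationEnd = 0;
    if (l.sourceTop > SIZE_MAX - lastRow
        || !planeEnd(l.sourceLeftBytes, l.sourceTop + lastRow, sourceStride, l.sourceWidthBytes, sourceEnd)
        || !planeEnd(l.destinationOffset, lastRow, l.destinationStride, l.sourceWidthBytes, destinationEnd))
        return CopyStatus::Overflow;
    if (sourceEnd > source.size())
        return CopyStatus::SourceTooSmall;
    if (destinationEnd > destination.size())
        return CopyStatus::DestinationTooSmall;
    for (size_t row = 0; row < l.sourceHeight; ++row)
        std::memcpy(destination.data() + l.destinationOffset + row * l.destinationStride,
            source.data() + (l.sourceTop + row) * sourceStride + l.sourceLeftBytes, l.sourceWidthBytes);
    return CopyStatus::Ok;
}

// Replays the call from comments 3 and 4; the buffer contents are constructed.
CopyStatus replayReportedCall(size_t sourceSize, size_t sourceStride)
{
    std::vector<uint8_t> destination(9216), source(sourceSize, 0xD2);
    return copyPlaneChecked(destination, source, sourceStride, { 0, 64, 0, 96, 0, 64 });
}

int main() { return replayReportedCall(4096, 64) == CopyStatus::SourceTooSmall ? 0 : 1; }
```

With the arm64 values (4096-byte source, stride 64, 96 rows of 64 bytes) the copy is rejected up front instead of reaching the row at offset 4096.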
Fujii Hironori
Comment 5 2026-03-11 01:47:45 PDT
Created attachment 478628
video-encoder-rescaling.https.any_h264_avc-crash-log.txt

ASan enabled WebKitTestRunner is also crashing on my PC.
Philippe Normand
Comment 6 2026-03-11 08:32:24 PDT
I think our current code just assumes the input and output formats are the same, but the test always uses RGBX as output format.
Philippe Normand
Comment 7 2026-03-11 08:36:48 PDT
And these tests are currently expected to fail on all ports BTW, and even skipped on some Apple ports. I think we should skip them as well, bug 30450 won't be fixed overnight...
Claudio Saavedra
Comment 8 2026-03-11 09:14:42 PDT
Failure is one thing but crashing is something else, I think we should fix the crashes even if the test fails. Looks like in x86 there's a vulnerability risk that thankfully in arm64 is caught by an assertion.
Philippe Normand
Comment 9 2026-03-11 09:28:26 PDT
EWS
Comment 10 2026-03-13 06:05:05 PDT
Committed 309201@main (e4fd5cb695df): <https://commits.webkit.org/309201@main> Reviewed commits have been landed. Closing PR #60370 and removing active labels.