RESOLVED FIXED Bug 177410
[GStreamer][MSE] Likely race condition causes WTF::Deque to crash on debug
https://bugs.webkit.org/show_bug.cgi?id=177410
Summary [GStreamer][MSE] Likely race condition causes WTF::Deque to crash on debug
Alicia Boya García
Reported 2017-09-23 12:33:13 PDT
When running the YouTube 2018 MSE tests, many of them sometimes crash WebKit on this assertion:

http://yt-dash-mse-test.commondatastorage.googleapis.com/unit-tests/2018.html?tests=73,74,75,85,93,94,101,102&command=run

ASSERTION FAILED: m_next->m_previous == this
../../../Source/WTF/wtf/Deque.h(634) : void WTF::DequeIteratorBase<T, inlineCapacity>::removeFromIteratorsList() [with T = _Stream*; long unsigned int inlineCapacity = 0]
1 0x7fc8398e24d4 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7fc8398e24d4]
2 0x7fc8441d985b /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::removeFromIteratorsList()+0xc1) [0x7fc8441d985b]
3 0x7fc8441d8ef6 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::~DequeIteratorBase()+0x18) [0x7fc8441d8ef6]
4 0x7fc8441d8e20 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIterator<_Stream*, 0ul>::~DequeIterator()+0x18) [0x7fc8441d8e20]
5 0x7fc8441de38a /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc638a) [0x7fc8441de38a]
6 0x7fc8441de5c3 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc65c3) [0x7fc8441de5c3]
7 0x7fc829139bde /lib64/libffi.so.6(ffi_call_unix64+0x4c) [0x7fc829139bde]
8 0x7fc82913954f /lib64/libffi.so.6(ffi_call+0x22f) [0x7fc82913954f]
9 0x7fc832affc33 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_cclosure_marshal_generic+0x1d3) [0x7fc832affc33]
10 0x7fc832aff46d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_closure_invoke+0x19d) [0x7fc832aff46d]
11 0x7fc832b111fe /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(+0x211fe) [0x7fc832b111fe]
12 0x7fc832b19895 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xa45) [0x7fc832b19895]
13 0x7fc832b1a252 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit+0x82) [0x7fc832b1a252]
14 0x7fc834c34684 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(gst_bus_async_signal_func+0x54) [0x7fc834c34684]
15 0x7fc834c3546d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(+0x4246d) [0x7fc834c3546d]
16 0x7fc8328274d5 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_context_dispatch+0x135) [0x7fc8328274d5]
17 0x7fc832827878 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(+0x49878) [0x7fc832827878]
18 0x7fc832827b82 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7fc832827b82]
19 0x7fc839950f54 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTF::RunLoop::run()+0xac) [0x7fc839950f54]
20 0x7fc843086b51 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**)+0x82) [0x7fc843086b51]
21 0x7fc843086a03 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WebProcessMainUnix+0x20) [0x7fc843086a03]
22 0x400d22 /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(main+0x3d) [0x400d22]
23 0x7fc82d9d050a /lib64/libc.so.6(__libc_start_main+0xea) [0x7fc82d9d050a]
24 0x400bfa /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(_start+0x2a) [0x400bfa]

Tests that may show the error: 73, 74, 75, 85, 93, 94, 101, 102.

It's likely a result of using WTF::Deques from different threads. Since removeFromIteratorsList() only contains code in debug mode, it's possible that this race is hidden on release.
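An added example (not WebKit's code) modelling the debug-only iterator bookkeeping behind the assertion in the report; the names are hypothetical. It drives one interleaving of two unsynchronised iterator destructions deterministically and checks the same m_next->m_previous == this invariant over the whole list, so the corruption a real race would produce is visible without relying on thread scheduling.

```cpp
// One live iterator's bookkeeping node, modelled on the debug-only
// m_previous/m_next links of WTF::DequeIteratorBase (hypothetical names).
struct IteratorNode {
    IteratorNode* m_previous = nullptr;
    IteratorNode* m_next = nullptr;
};

struct IteratorList {
    IteratorNode head; // sentinel; head.m_next is the most recently added iterator
    IteratorList() { head.m_next = &head; head.m_previous = &head; }

    void add(IteratorNode& n) {
        n.m_previous = &head;
        n.m_next = head.m_next;
        head.m_next->m_previous = &n;
        head.m_next = &n;
    }
    // Store phase of an unlink, split from the neighbour reads so that an
    // interleaving between two removers can be modelled deterministically.
    static void storeUnlink(IteratorNode* prev, IteratorNode* next) {
        prev->m_next = next;
        next->m_previous = prev;
    }
    void remove(IteratorNode& n) { storeUnlink(n.m_previous, n.m_next); }

    // The invariant the WTF assertion checks (m_next->m_previous == this),
    // applied to every node; bounded so a corrupted cycle cannot loop forever.
    bool consistent() const {
        const IteratorNode* n = &head;
        for (int steps = 0; steps < 1024; ++steps) {
            if (n->m_next->m_previous != n) return false;
            n = n->m_next;
            if (n == &head) return true;
        }
        return false;
    }
};

// Two adjacent iterators destroyed on two threads: one schedule an unsynchronised
// pair can produce is "both read their neighbours, then both store".
bool destroyPair(bool interleaved) {
    IteratorList list;
    IteratorNode a, b, c;
    list.add(a); list.add(b); list.add(c); // head -> c -> b -> a -> head
    if (!interleaved) { list.remove(a); list.remove(b); return list.consistent(); }
    IteratorNode *aPrev = a.m_previous, *aNext = a.m_next, *bPrev = b.m_previous, *bNext = b.m_next;
    IteratorList::storeUnlink(aPrev, aNext);
    IteratorList::storeUnlink(bPrev, bNext);
    return list.consistent(); // false: a's successor (head) no longer points back to a
}
```

In a release build the real check compiles to nothing, so the same interleaving leaves a silently corrupted list instead of an assertion failure.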
Attachments
Patch (7.20 KB, patch)
2017-10-05 14:22 PDT, Enrique Ocaña
no flags
Enrique Ocaña
Comment 1 2017-09-25 02:16:59 PDT
These crashes come from a suggestion to use a Deque instead of the original GList during the upstreaming of the MSE code. GLists were more robust to multithreading because the links are maintained using pointers, which are atomically swappable. What we've done downstream to mitigate this problem is to use a Vector: https://github.com/WebPlatformForEmbedded/WPEWebKit/commit/44d8a78783b195c1a4d5e7b765e33d654da0e1d2
Enrique Ocaña
Comment 2 2017-10-05 14:22:38 PDT
WebKit Commit Bot
Comment 3 2017-10-06 02:43:29 PDT
Comment on attachment 322916: Patch
Clearing flags on attachment: 322916
Committed r222972: <http://trac.webkit.org/changeset/222972>
WebKit Commit Bot
Comment 4 2017-10-06 02:43:30 PDT
All reviewed patches have been landed. Closing bug.