Bug 177410 - [GStreamer][MSE] Likely race condition causes WTF::Deque to crash on debug
Summary: [GStreamer][MSE] Likely race condition causes WTF::Deque to crash on debug
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Enrique Ocaña
Reported: 2017-09-23 12:33 PDT by Alicia Boya García
Modified: 2017-10-06 02:43 PDT
Attachments
Patch (7.20 KB, patch)
2017-10-05 14:22 PDT, Enrique Ocaña

Description Alicia Boya García 2017-09-23 12:33:13 PDT
When running the YouTube 2018 MSE tests, many of them sometimes crash WebKit on this assertion:

http://yt-dash-mse-test.commondatastorage.googleapis.com/unit-tests/2018.html?tests=73,74,75,85,93,94,101,102&command=run

ASSERTION FAILED: m_next->m_previous == this
../../../Source/WTF/wtf/Deque.h(634) : void WTF::DequeIteratorBase<T, inlineCapacity>::removeFromIteratorsList() [with T = _Stream*; long unsigned int inlineCapacity = 0]
1   0x7fc8398e24d4 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7fc8398e24d4]
2   0x7fc8441d985b /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::removeFromIteratorsList()+0xc1) [0x7fc8441d985b]
3   0x7fc8441d8ef6 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::~DequeIteratorBase()+0x18) [0x7fc8441d8ef6]
4   0x7fc8441d8e20 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIterator<_Stream*, 0ul>::~DequeIterator()+0x18) [0x7fc8441d8e20]
5   0x7fc8441de38a /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc638a) [0x7fc8441de38a]
6   0x7fc8441de5c3 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc65c3) [0x7fc8441de5c3]
7   0x7fc829139bde /lib64/libffi.so.6(ffi_call_unix64+0x4c) [0x7fc829139bde]
8   0x7fc82913954f /lib64/libffi.so.6(ffi_call+0x22f) [0x7fc82913954f]
9   0x7fc832affc33 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_cclosure_marshal_generic+0x1d3) [0x7fc832affc33]
10  0x7fc832aff46d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_closure_invoke+0x19d) [0x7fc832aff46d]
11  0x7fc832b111fe /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(+0x211fe) [0x7fc832b111fe]
12  0x7fc832b19895 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xa45) [0x7fc832b19895]
13  0x7fc832b1a252 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit+0x82) [0x7fc832b1a252]
14  0x7fc834c34684 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(gst_bus_async_signal_func+0x54) [0x7fc834c34684]
15  0x7fc834c3546d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(+0x4246d) [0x7fc834c3546d]
16  0x7fc8328274d5 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_context_dispatch+0x135) [0x7fc8328274d5]
17  0x7fc832827878 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(+0x49878) [0x7fc832827878]
18  0x7fc832827b82 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7fc832827b82]
19  0x7fc839950f54 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTF::RunLoop::run()+0xac) [0x7fc839950f54]
20  0x7fc843086b51 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**)+0x82) [0x7fc843086b51]
21  0x7fc843086a03 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WebProcessMainUnix+0x20) [0x7fc843086a03]
22  0x400d22 /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(main+0x3d) [0x400d22]
23  0x7fc82d9d050a /lib64/libc.so.6(__libc_start_main+0xea) [0x7fc82d9d050a]
24  0x400bfa /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(_start+0x2a) [0x400bfa]

Tests that may show the error: 73, 74, 75, 85, 93, 94, 101, 102.

It's likely a result of using WTF::Deques from different threads. Since removeFromIteratorsList() only contains code in debug mode, it's possible that this race is hidden on release.
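As an added illustration (not WebKit code and not the landed patch), here is a minimal model of the debug-only bookkeeping behind the failing assertion: each live iterator links itself into a doubly-linked list owned by the container, and removal checks that m_next->m_previous == this. The mutex is an assumption standing in for the serialisation the report says is missing, and names such as IteratorRegistry, TrackedIterator and concurrentChurn are made up here.

```cpp
#include <cstddef>
#include <mutex>
#include <thread>
#include <vector>

struct IteratorRegistry;

// Mirrors the debug-only bookkeeping in WTF::DequeIteratorBase: every live
// iterator registers itself in a doubly-linked list owned by the container.
struct TrackedIterator {
    IteratorRegistry* m_owner;
    TrackedIterator* m_next = nullptr;
    TrackedIterator* m_previous = nullptr;
    explicit TrackedIterator(IteratorRegistry& owner);
    ~TrackedIterator();
};

struct IteratorRegistry {
    std::mutex m_lock;          // assumption: the serialisation the report lacks
    TrackedIterator* m_head = nullptr;
    size_t m_violations = 0;    // counted here instead of calling WTFCrash()

    void add(TrackedIterator* it) {
        std::lock_guard<std::mutex> guard(m_lock);
        it->m_next = m_head;
        if (m_head) m_head->m_previous = it;
        m_head = it;
    }
    void remove(TrackedIterator* it) {
        std::lock_guard<std::mutex> guard(m_lock);
        // The same link invariants the failing assertion checks.
        if (it->m_next && it->m_next->m_previous != it) ++m_violations;
        if (it->m_previous && it->m_previous->m_next != it) ++m_violations;
        if (it->m_previous) it->m_previous->m_next = it->m_next;
        else m_head = it->m_next;
        if (it->m_next) it->m_next->m_previous = it->m_previous;
    }
};

TrackedIterator::TrackedIterator(IteratorRegistry& owner) : m_owner(&owner) { owner.add(this); }
TrackedIterator::~TrackedIterator() { m_owner->remove(this); }

// Creates and destroys iterators from several threads at once; returns the
// number of broken links seen plus 1 if anything is left registered (0 = clean).
size_t concurrentChurn(unsigned threads, unsigned rounds) {
    IteratorRegistry registry;
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < threads; ++t)
        workers.emplace_back([&registry, rounds] {
            for (unsigned r = 0; r < rounds; ++r)
                TrackedIterator a(registry), b(registry), c(registry);  // destroyed c, b, a
        });
    for (auto& w : workers) w.join();
    return registry.m_violations + (registry.m_head ? 1 : 0);
}
```

Removing the lock_guard lines reproduces the unsynchronised situation the report describes, where the list updates from different threads can interleave and the invariant no longer holds.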
Comment 1 Enrique Ocaña 2017-09-25 02:16:59 PDT
These crashes come from a suggestion to use a Deque instead of the original GList during the upstreaming of the MSE code. GLists were more robust to multithreading because the links are maintained using pointers, which are atomically swappable.

What we've done downstream to mitigate this problem is to use a Vector:

https://github.com/WebPlatformForEmbedded/WPEWebKit/commit/44d8a78783b195c1a4d5e7b765e33d654da0e1d2
Comment 2 Enrique Ocaña 2017-10-05 14:22:38 PDT
Created attachment 322916 [details]
Patch
Comment 3 WebKit Commit Bot 2017-10-06 02:43:29 PDT
Comment on attachment 322916 [details]
Patch

Clearing flags on attachment: 322916

Committed r222972: <http://trac.webkit.org/changeset/222972>
Comment 4 WebKit Commit Bot 2017-10-06 02:43:30 PDT
All reviewed patches have been landed.  Closing bug.