RESOLVED DUPLICATE of bug 220091
Bug 196902
[GStreamer][MSE] Invalid free in MediaPlayerPrivateGStreamerMSE::sourceSetup
https://bugs.webkit.org/show_bug.cgi?id=196902
Michael Catanzaro
Reported 2019-04-13 16:27:37 PDT
Created attachment 367397
Full backtrace

Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 22 51'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fb47ef6725f in webKitMediaSrcFreeStream (source=source@entry=0x5570753b4140, stream=0x5570752d0cf0) at ../Source/WebCore/platform/graphics/gstreamer/mse/WebKitMediaSourceGStreamer.cpp:512
512 if (GST_IS_APP_SRC(stream->appsrc)) {

Reproducer: visit https://www.reddit.com/r/WTF/comments/bcqcar/engine_cold_start_turkish_style/, wait for the video to finish. It will crash a little more than half the time.

Due to a bug in the GNOME runtime, it seems there's no debuginfo for GStreamer so some possibly-important frames are missing, but I hope the attached backtrace should suffice.

Note: this is with 2.24.0 since we don't have 2.24.1 in the runtime yet.

Truncated backtrace is:

#0 0x00007fb47ef6725f in webKitMediaSrcFreeStream (source=source@entry=0x5570753b4140, stream=0x5570752d0cf0) at ../Source/WebCore/platform/graphics/gstreamer/mse/WebKitMediaSourceGStreamer.cpp:512
#1 0x00007fb47ef67a07 in webKitMediaSrcFinalize (object=0x5570753b4140) at ../Source/WebCore/platform/graphics/gstreamer/mse/WebKitMediaSourceGStreamer.cpp:278
#2 0x00007fb47d526f1d in g_object_unref (_object=<optimized out>) at ../gobject/gobject.c:3345
#3 g_object_unref (_object=0x5570753b4140) at ../gobject/gobject.c:3237
#4 0x00007fb480348ebc in WebCore::MediaPlayerPrivateGStreamerMSE::sourceSetup (this=0x7fb31dc76780, sourceElement=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:41
#5 0x00007fb47a5c4bae in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#6 0x00007fb47a5c456f in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#7 0x00007fb47d522245 in g_cclosure_marshal_generic (closure=<optimized out>, return_gvalue=<optimized out>, n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>, marshal_data=<optimized out>) at ../gobject/gclosure.c:1500
#8 0x00007fb47d52177d in g_closure_invoke (closure=0x55707526ff70, return_value=0x0, n_param_values=2, param_values=0x7ffd0f543d40, invocation_hint=0x7ffd0f543cc0) at ../gobject/gclosure.c:810
#9 0x00007fb47d535865 in signal_emit_unlocked_R (node=node@entry=0x557075233ed0, detail=detail@entry=0, instance=instance@entry=0x557075238890, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffd0f543d40) at ../gobject/gsignal.c:3635
#10 0x00007fb47d53eb7e in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffd0f543f10) at ../gobject/gsignal.c:3391
#11 0x00007fb47d53f233 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../gobject/gsignal.c:3447
#12 0x00007fb3fc5ae19f in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
Attachments
Full backtrace (111.91 KB, text/plain), 2019-04-13 16:27 PDT, Michael Catanzaro
screenshot after 19s of playback (503.97 KB, image/png), 2019-04-15 07:16 PDT, Michael Catanzaro
Philippe Normand
Comment 1
2019-04-15 04:26:22 PDT
Again, without gst logs this is not as easy to debug... but I suppose the stream pointer is dangling?
Michael Catanzaro
Comment 2
2019-04-15 07:15:44 PDT
(In reply to Philippe Normand from comment #1)
> Again, without gst logs this is not as easy to debug...
I was going to say "feel free to ask for logs" but it seems the crash just doesn't want to occur for me today so no way to get a log. Oh well. BTW video playback reliably gets messed up at the 19s mark. I suppose that's a separate bug but I'll attach a screenshot.
> but I suppose the stream pointer is dangling?
Clearly so, yes.
Michael Catanzaro
Comment 3
2019-04-15 07:16:08 PDT
Created attachment 367414
screenshot after 19s of playback
Philippe Normand
Comment 4
2019-04-15 07:37:05 PDT
(In reply to Michael Catanzaro from comment #3)
> Created attachment 367414
> screenshot after 19s of playback
Thanks to ... gstreamer-vaapi!
Michael Catanzaro
Comment 5
2019-04-15 10:38:44 PDT
Oh, that's brand new, because you requested it in https://gitlab.gnome.org/GNOME/gnome-build-meta/issues/118. I've left a comment there.
Philippe Normand
Comment 6
2019-04-15 10:55:37 PDT
(In reply to Michael Catanzaro from comment #5)
> Oh, that's brand new, because you requested it in
> https://gitlab.gnome.org/GNOME/gnome-build-meta/issues/118. I've left a
> comment there.
I would rather blacklist AMD in gst-vaapi, for the time being: https://gitlab.freedesktop.org/gstreamer/gstreamer-vaapi/merge_requests/72
Michael Catanzaro
Comment 7
2019-04-15 12:38:45 PDT
Note my GPU is Radeon RX 570 Series (POLARIS10) so it's indeed AMD, and very similar to yours.
Michael Catanzaro
Comment 8
2019-04-23 09:21:03 PDT
BTW is the crash really caused by gstreamer-vaapi, or just the corrupted video?
Philippe Normand
Comment 9
2019-04-23 11:37:27 PDT
(In reply to Michael Catanzaro from comment #8)
> BTW is the crash really caused by gstreamer-vaapi, or just the corrupted
> video?
The crash is most likely a bug on WebKit side, the rendering issue is a bug in gstreamer-vaapi/mesa.
Michael Catanzaro
Comment 10
2019-04-28 17:57:07 PDT
(In reply to Michael Catanzaro from comment #2)
> BTW video playback reliably gets messed up at the 19s mark. I suppose that's
> a separate bug but I'll attach a screenshot.
I've noticed the web process becomes extremely slow and laggy once the gstreamer-vaapi bug occurs. Scrolling the web view becomes almost impossible. Is this likely to be fixed in gstreamer-vaapi, or do you want a separate bug report?
Michael Catanzaro
Comment 11
2019-05-25 15:26:31 PDT
*** Bug 198184 has been marked as a duplicate of this bug. ***
Philippe Normand
Comment 12
2020-01-13 03:56:39 PST
Is this still an issue?
Michael Catanzaro
Comment 13
2020-01-15 08:35:46 PST
Maybe? I tried playing that video in Tech Preview and it crashed almost immediately, but the backtrace is different:

#0 0x00007f5f7c479354 in <lambda()>::operator()(void) const (__closure=0x7f5d7ba200f8) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
#1 0x00007f5f79ed282c in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:76
#2 0x00007f5f79ed282c in WTF::RunLoop::performWork() (this=0x7f5f749f5000) at ../Source/WTF/wtf/RunLoop.cpp:124
#3 0x00007f5f79f1ee1d in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#4 0x00007f5f79f1ee1d in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#5 0x00007f5f7a5a1b3e in g_main_dispatch (context=0x55f53e811cf0) at ../glib/gmain.c:3272
#6 0x00007f5f7a5a1b3e in g_main_context_dispatch (context=context@entry=0x55f53e811cf0) at ../glib/gmain.c:3937
#7 0x00007f5f7a5a1ef0 in g_main_context_iterate (context=0x55f53e811cf0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4010
#8 0x00007f5f7a5a21e3 in g_main_loop_run (loop=0x55f53e82a100) at ../glib/gmain.c:4204
#9 0x00007f5f79f1f8b0 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#10 0x00007f5f7c47151f in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=3, argv=<optimized out>) at ../Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47
#11 0x00007f5f7b4f4173 in __libc_start_main (main=0x55f53cdb8780 <main(int, char**)>, argc=3, argv=0x7ffdd785aed8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffdd785aec8) at ../csu/libc-start.c:308
#12 0x000055f53cdb87fe in _start () at ../sysdeps/x86_64/start.S:120

It's a WebKitWebSrc bug:

#0 0x00007f5f7c479354 in <lambda()>::operator()(void) const (__closure=0x7f5d7ba200f8) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
        priv = 0x55f5404c50e0
        loadOptions = 0
        notifyAsyncCompletion = false
        src = 0x55f5404c5280 [WebKitWebSrc]
        request = {<WebCore::ResourceRequestBase> = {m_url = {m_string = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f5d62074400}}, m_isValid = 1, m_protocolIsInHTTPFamily = 1, m_cannotBeABaseURL = 0, m_portLength = 0, static maxPortLength = 7, static maxSchemeLength = 67108863, m_schemeEnd = 5, m_userStart = 8, m_userEnd = 8, m_passwordEnd = 8, m_hostEnd = 17, m_pathAfterLastSlash = 32, m_pathEnd = 40, m_queryEnd = 40}, m_timeoutInterval = 0, m_firstPartyForCookies = {m_string = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f5d62074400}}, m_isValid = 1, m_protocolIsInHTTPFamily = 1, m_cannotBeABaseURL = 0, m_portLength = 0, static maxPortLength = 7, static maxSchemeLength = 67108863, m_schemeEnd = 5, m_userStart = 8, m_userEnd = 8, m_passwordEnd = 8, m_hostEnd = 17, m_pathAfterLastSlash = 32, m_pathEnd = 40, m_queryEnd = 40}, m_httpMethod = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f5d76b83300}}, m_initiatorIdentifier = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x0}}, m_cachePartition = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f5f7a250b00 <WTF::StringImpl::s_emptyAtomString>}}, m_httpHeaderFields = {m_commonHeaders = {<WTF::VectorBuffer<WebCore::HTTPHeaderMap::CommonHeader, 0>> = {<WTF::VectorBufferBase<WebCore::HTTPHeaderMap::CommonHeader>> = {m_buffer = 0x7f5d620726c0, m_capacity = 6, m_size = 4}, <No data fields>}, <No data fields>}, m_uncommonHeaders = {<WTF::VectorBuffer<WebCore::HTTPHeaderMap::UncommonHeader, 0>> = {<WTF::VectorBufferBase<WebCore::HTTPHeaderMap::UncommonHeader>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}}, m_responseContentDispositionEncodingFallbackArray = {<WTF::VectorBuffer<WTF::String, 0>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}, m_httpBody = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WebCore::FormData, WTF::DumbPtrTraits<WebCore::FormData> >::isRefPtr".>, m_ptr = 0x0}, m_cachePolicy = WebCore::ResourceRequestCachePolicy::UseProtocolCachePolicy, m_sameSiteDisposition = WebCore::ResourceRequestBase::SameSiteDisposition::Unspecified, m_priority = WebCore::ResourceLoadPriority::Low, m_requester = WebCore::ResourceRequestBase::Requester::Unspecified, m_inspectorInitiatorNodeIdentifier = {<WTF::constexpr_Optional_base<int>> = {init_ = false, storage_ = {dummy_ = 0 '\000', value_ = -1600039936}}, <No data fields>}, m_allowCookies = true, m_resourceRequestUpdated = true, m_platformRequestUpdated = false, m_resourceRequestBodyUpdated = true, m_platformRequestBodyUpdated = false, m_hiddenFromInspector = false, m_isTopSite = false, static s_defaultTimeoutInterval = 0}, m_acceptEncoding = false, m_soupFlags = (unknown: 0), m_initiatingPageID = {<WTF::constexpr_Optional_base<unsigned long>> = {init_ = false, storage_ = {dummy_ = 0 '\000', value_ = 140040083070464}}, <No data fields>}}
        protector = {m_ptr = 0x55f5404c5280 [WebKitWebSrc]}
Philippe Normand
Comment 14
2021-03-21 07:55:12 PDT
*** This bug has been marked as a duplicate of bug 220091 ***