WebKit Bugzilla
Bug 200530 - [GTK] WebKitWebProcess crashes when viewing an HTML with a <video> element referencing unknown file
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=200530
Milan Crha
Reported
2019-08-07 23:58:16 PDT
Moving this from a downstream bug report:
https://gitlab.gnome.org/GNOME/evolution/issues/558
When viewing a message in Evolution whose body contains a video link, WebKitWebProcess either crashes or keeps showing a runtime warning:
> (WebKitWebProcess:2100): GStreamer-CRITICAL **: 19:18:18.041: gst_element_query: assertion 'GST_IS_ELEMENT (element)' failed
depending on user settings (either how glib had been compiled, or whether fatal-warnings/fatal-criticals had been used). Example of such HTML:

<html><body><video src="evo-https://gitlab.gnome.org/GNOME/gtk/uploads/a3998120d6283183158157e981e1cdaf/recording-jitter-3.mp4"></video></body></html>

Save it as a file, then open it in the MiniBrowser. Note that the src of the video link is slightly modified: it uses a different scheme, which mimics what Evolution does; it refuses to download it unless the user allows it. It's a new behaviour in 2.24.3. More information can be found in the upstream bug.

Backtrace of the crash:

#0  0x00007f30dbbd588e in gst_element_query (element=0x0, query=0x7f30c40060f0 [None]) at ../gstreamer/gst/gstelement.c:1955
        klass = <optimized out>
        res = 0
        __func__ = "gst_element_query"
#1  0x00007f30e17dd2b8 in WebCore::MediaPlayerPrivateGStreamer::fillTimerFired() (this=0x7f306b61f700) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1662
        query = {m_ptr = 0x7f30c40060f0 [None]}
        fillStatus = 100
        mode = GST_BUFFERING_DOWNLOAD
        __FUNCTION__ = "fillTimerFired"
#2  0x00007f30e113fc04 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7f30d248cfc8) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/ThreadTimers.h:101
        item = {static isRef = <optimized out>, m_ptr = 0x7f306b613000}
        timer = <optimized out>
        interval = <optimized out>
        timeToQuit = {static clockType = WTF::ClockType::Monotonic, m_value = 1624734.0698240001}
#3  0x00007f30e113fc04 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7f30d248cfc8) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/ThreadTimers.cpp:101
#4  0x00007f30dd842f14 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>) at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:171
        timer = 0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>
        source = 0x5627f7813fd0
#5  0x00007f30dd842f14 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#6  0x00007f30dde7b34f in g_main_dispatch (context=0x5627f7362d40) at ../glib/glib/gmain.c:3189
        dispatch = 0x7f30dd842880 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>
        callback = 0x7f30dd842f00 <WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer)>
        cb_funcs = <optimized out>
        cb_data = 0x5627f78190b0
        need_destroy = <optimized out>
        source = 0x5627f7813fd0
        current = 0x5627f73ca5d0
        i = 0
#7  0x00007f30dde7b34f in g_main_context_dispatch (context=context@entry=0x5627f7362d40) at ../glib/glib/gmain.c:3854
#8  0x00007f30dde7d240 in g_main_context_iterate (context=0x5627f7362d40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:3927
        max_priority = 2147483647
        timeout = 21
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x5627f79502b0
#9  0x00007f30dde7e123 in g_main_loop_run (loop=0x5627f74e0d30) at ../glib/glib/gmain.c:4123
        __FUNCTION__ = "g_main_loop_run"
#10 0x00007f30dd843358 in WTF::RunLoop::run() () at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:96
        runLoop = @0x7f30d24fa000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 19}, <No data fields>}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7f30ddafce40 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, <No data fields>}}}, m_functionQueue = {m_start = 5, m_end = 5, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()> >> = {m_buffer = 0x7f30d24e5100, m_capacity = 16, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x5627f7362d40}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop> >> = {m_buffer = 0x7f30d24fd180, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x5627f742a400}}
        mainContext = 0x5627f7362d40
        innermostLoop = 0x5627f74e0d30
        nestedMainLoop = <optimized out>
#11 0x00007f30e00f6f1a in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argv=<optimized out>, argc=3) at /usr/src/debug/webkitgtk-2.24.3/Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47
        auxiliaryMain = {<WebKit::AuxiliaryProcessMainBase> = {_vptr.AuxiliaryProcessMainBase = 0x7f30e22db9c0 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, clientIdentifier = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, processIdentifier = {<WTF::constexpr_Optional_base<WTF::ObjectIdentifier<WebCore::ProcessIdentifierType> >> = {init_ = true, storage_ = {dummy_ = 14 '\016', value_ = {<WTF::ObjectIdentifierBase> = {<No data fields>}, m_identifier = 14}}}, <No data fields>}, connectionIdentifier = 35, extraInitializationData = {m_impl = {static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}, processType = WebKit::AuxiliaryProcess::ProcessType::WebContent}}, <No data fields>}
#12 0x00007f30e00f6f1a in WebKit::WebProcessMainUnix(int, char**) (argc=3, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.24.3/Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:67
#13 0x00007f30df36fee3 in __libc_start_main () at /usr/lib/libc.so.6
#14 0x00005627f6f6f8ae in _start ()
Attachments
Patch (1.69 KB, patch), 2019-08-08 02:29 PDT, Charlie Turner, no flags
Patch for landing (1.72 KB, patch), 2019-08-08 04:25 PDT, Charlie Turner, no flags
Charlie Turner
Comment 1
2019-08-08 02:15:22 PDT
I can confirm this; it looks like the fill timer is not being made aware of an erroneous load. Will take a look.
Charlie Turner
Comment 2
2019-08-08 02:29:17 PDT
Created attachment 375793: Patch
Xabier Rodríguez Calvar
Comment 3
2019-08-08 03:22:04 PDT
Comment on attachment 375793: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=375793&action=review
> Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1659 > + if (m_errorOccured) { > + GST_DEBUG_OBJECT(pipeline(), "[Buffering] An error occurred, disabling the fill timer"); > + m_fillTimer.stop(); > + return; > + } > +
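Review bot: the guard only takes effect when the fill timer next fires, so the timer keeps running (and does one more wakeup) between the point where m_errorOccured is set and this check; consider also calling m_fillTimer.stop() on the error path that sets m_errorOccured, so no further buffering query is ever scheduled against a pipeline that has already failed. Whatever its final position in the method, the early return has to sit before the gst_element_query() call that frame #1 of the backtrace shows being reached with element=0x0, otherwise it does not cover the crash site.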
You can move this piece of code to the beginning of the method. We don't need to initialize anything if we're going to bail out.
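An added example, not WebKit's or GStreamer's code, that models the failure mode discussed in the comments above: a polling timer that outlives the pipeline it queries, beside the same timer with the patch's error check applied at the top of the method as the review asks. The Gst, Timer, Player and runScenario types are hypothetical stand-ins for the real internals, and the fatalCriticals toggle mirrors the reporter's observation that the outcome (a crash or a repeated CRITICAL) depends on whether GLib criticals are fatal.

```cpp
// Added example, not WebKit or GStreamer code: a minimal model of the fill-timer
// crash from bug 200530 and of the check landed in r248405. Gst, Timer, Player
// and runScenario are hypothetical stand-ins for the real internals.
#include <cstdio>
#include <cstdlib>
#include <functional>

// Stand-in for gst_element_query(): GStreamer guards it with
// g_return_val_if_fail(GST_IS_ELEMENT(element), FALSE), which logs a CRITICAL
// and returns FALSE, or aborts the process when criticals are fatal
// (G_DEBUG=fatal-criticals, or a GLib built that way). That is why the reporter
// saw either a crash or a stream of warnings.
struct Gst {
    bool fatalCriticals = false;
    int criticals = 0;

    bool elementQuery(const void* element, int& percent) {
        if (!element) {
            ++criticals;
            std::fprintf(stderr, "GStreamer-CRITICAL **: gst_element_query: "
                                 "assertion 'GST_IS_ELEMENT (element)' failed\n");
            if (fatalCriticals)
                std::abort();
            return false;
        }
        percent = 100; // a healthy pipeline reports its buffering level
        return true;
    }
};

// A repeating timer driven by hand instead of by the GLib main loop.
struct Timer {
    bool active = false;
    std::function<void()> callback;
    void start() { active = true; }
    void stop() { active = false; }
    void tick() { if (active) callback(); }
};

// Stand-in for MediaPlayerPrivateGStreamer: the fill timer polls the pipeline
// for buffering progress. After a failed load the pipeline is gone but, before
// the fix, the timer kept polling it.
struct Player {
    Gst& gst;
    const void* pipeline = nullptr;
    bool errorOccurred = false;   // m_errorOccured in WebKit
    bool guarded;                 // true: apply the r248405 check
    Timer fillTimer;
    int queriesIssued = 0;

    Player(Gst& g, bool guardedFix) : gst(g), guarded(guardedFix) {
        pipeline = this; // any non-null pointer stands in for a live GstElement
        fillTimer.callback = [this] { fillTimerFired(); };
        fillTimer.start();
    }

    // The error path: the load failed and the pipeline was torn down.
    void loadFailed() {
        errorOccurred = true;
        pipeline = nullptr;
    }

    void fillTimerFired() {
        // The fix, placed first as the review asked: nothing to initialise
        // if we are going to bail out.
        if (guarded && errorOccurred) {
            fillTimer.stop();
            return;
        }
        int percent = 0;
        ++queriesIssued;
        gst.elementQuery(pipeline, percent);
    }
};

struct Result {
    int queries;
    int criticals;
    bool timerActive;
};

// One healthy tick, then a failed load, then ticksAfterError more ticks.
Result runScenario(bool guardedFix, int ticksAfterError) {
    Gst gst; // fatalCriticals stays false so the unguarded run logs instead of aborting
    Player player(gst, guardedFix);
    player.fillTimer.tick();
    player.loadFailed();
    for (int i = 0; i < ticksAfterError; ++i)
        player.fillTimer.tick();
    return { player.queriesIssued, gst.criticals, player.fillTimer.active };
}

int main() {
    Result before = runScenario(false, 3);
    Result after = runScenario(true, 3);
    std::printf("unguarded: %d queries, %d criticals, timer %s\n",
                before.queries, before.criticals, before.timerActive ? "still running" : "stopped");
    std::printf("guarded:   %d queries, %d criticals, timer %s\n",
                after.queries, after.criticals, after.timerActive ? "still running" : "stopped");
    return 0;
}
```

Flip fatalCriticals to true in runScenario and the unguarded run aborts on its first tick after loadFailed(), which is the crash the reporter hit; with it false the same run produces one CRITICAL per tick, which is the warning loop.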
Charlie Turner
Comment 4
2019-08-08 04:25:15 PDT
Created attachment 375795: Patch for landing
WebKit Commit Bot
Comment 5
2019-08-08 05:08:56 PDT
Comment on attachment 375795: Patch for landing
Clearing flags on attachment: 375795
Committed r248405: <https://trac.webkit.org/changeset/248405>
WebKit Commit Bot
Comment 6
2019-08-08 05:08:58 PDT
All reviewed patches have been landed. Closing bug.