Bug 200530 - [GTK] WebKitWebProcess crashes when viewing an HTML with a <video> element referencing unknown file
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Charlie Turner
Reported: 2019-08-07 23:58 PDT by Milan Crha
Modified: 2019-08-08 05:08 PDT

Attachments
Patch (1.69 KB, patch)
2019-08-08 02:29 PDT, Charlie Turner
Patch for landing (1.72 KB, patch)
2019-08-08 04:25 PDT, Charlie Turner

Description Milan Crha 2019-08-07 23:58:16 PDT
Moving this from a downstream bug report:
https://gitlab.gnome.org/GNOME/evolution/issues/558

When viewing a message in Evolution whose body contains a video link, WebKitWebProcess either crashes or keeps showing a runtime warning:

>   (WebKitWebProcess:2100): GStreamer-CRITICAL **: 19:18:18.041: gst_element_query: assertion 'GST_IS_ELEMENT (element)' failed

depending on user settings (either how glib had been compiled, or when fatal-warnings/fatal-criticals had been used).

Example of such HTML:

  <html><body><video src="evo-https://gitlab.gnome.org/GNOME/gtk/uploads/a3998120d6283183158157e981e1cdaf/recording-jitter-3.mp4"></video></body></html>

Save it as a file, then open it in the MiniBrowser. Note that the src of the video link is slightly modified: it uses a different scheme, which mimics what Evolution does (it refuses to download it unless the user allows it).

It's a new behaviour in 2.24.3. More information can be found in the upstream bug.

Backtrace of the crash:

    #0  0x00007f30dbbd588e in gst_element_query (element=0x0, query=0x7f30c40060f0 [None]) at ../gstreamer/gst/gstelement.c:1955
            klass = <optimized out>
            res = 0
            __func__ = "gst_element_query"
    #1  0x00007f30e17dd2b8 in WebCore::MediaPlayerPrivateGStreamer::fillTimerFired() (this=0x7f306b61f700) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1662
            query = {m_ptr = 0x7f30c40060f0 [None]}
            fillStatus = 100
            mode = GST_BUFFERING_DOWNLOAD
            __FUNCTION__ = "fillTimerFired"
    #2  0x00007f30e113fc04 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7f30d248cfc8) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/ThreadTimers.h:101
            item = {static isRef = <optimized out>, m_ptr = 0x7f306b613000}
            timer = <optimized out>
            interval = <optimized out>
            timeToQuit = {static clockType = WTF::ClockType::Monotonic, m_value = 1624734.0698240001}
    #3  0x00007f30e113fc04 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7f30d248cfc8) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/ThreadTimers.cpp:101
    #4  0x00007f30dd842f14 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>) at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:171
            timer = 0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>
            source = 0x5627f7813fd0
    #5  0x00007f30dd842f14 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
    #6  0x00007f30dde7b34f in g_main_dispatch (context=0x5627f7362d40) at ../glib/glib/gmain.c:3189
            dispatch = 0x7f30dd842880 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)>
            prev_source = 0x0
            was_in_call = 0
            user_data = 0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>
            callback = 0x7f30dd842f00 <WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer)>
            cb_funcs = <optimized out>
            cb_data = 0x5627f78190b0
            need_destroy = <optimized out>
            source = 0x5627f7813fd0
            current = 0x5627f73ca5d0
            i = 0
    #7  0x00007f30dde7b34f in g_main_context_dispatch (context=context@entry=0x5627f7362d40) at ../glib/glib/gmain.c:3854
    #8  0x00007f30dde7d240 in g_main_context_iterate (context=0x5627f7362d40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:3927
            max_priority = 2147483647
            timeout = 21
            some_ready = 1
            nfds = <optimized out>
            allocated_nfds = <optimized out>
            fds = 0x5627f79502b0
    #9  0x00007f30dde7e123 in g_main_loop_run (loop=0x5627f74e0d30) at ../glib/glib/gmain.c:4123
            __FUNCTION__ = "g_main_loop_run"
    #10 0x00007f30dd843358 in WTF::RunLoop::run() () at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:96
            runLoop = 
                @0x7f30d24fa000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 19}, <No data fields>}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7f30ddafce40 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, <No data fields>}}}, m_functionQueue = {m_start = 5, m_end = 5, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()> >> = {m_buffer = 0x7f30d24e5100, m_capacity = 16, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x5627f7362d40}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop> >> = {m_buffer = 0x7f30d24fd180, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x5627f742a400}}
            mainContext = 0x5627f7362d40
            innermostLoop = 0x5627f74e0d30
            nestedMainLoop = <optimized out>
    #11 0x00007f30e00f6f1a in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argv=<optimized out>, argc=3) at /usr/src/debug/webkitgtk-2.24.3/Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47
            auxiliaryMain = 
                  {<WebKit::AuxiliaryProcessMainBase> = {_vptr.AuxiliaryProcessMainBase = 0x7f30e22db9c0 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, clientIdentifier = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, processIdentifier = {<WTF::constexpr_Optional_base<WTF::ObjectIdentifier<WebCore::ProcessIdentifierType> >> = {init_ = true, storage_ = {dummy_ = 14 '\016', value_ = {<WTF::ObjectIdentifierBase> = {<No data fields>}, m_identifier = 14}}}, <No data fields>}, connectionIdentifier = 35, extraInitializationData = {m_impl = {static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}, processType = WebKit::AuxiliaryProcess::ProcessType::WebContent}}, <No data fields>}
    #12 0x00007f30e00f6f1a in WebKit::WebProcessMainUnix(int, char**) (argc=3, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.24.3/Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:67
    #13 0x00007f30df36fee3 in __libc_start_main () at /usr/lib/libc.so.6
    #14 0x00005627f6f6f8ae in _start ()
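As an added example (not part of the bug report and not WebKit's code): a small POSIX shell harness that writes the reporter's repro page to a temporary file, launches MiniBrowser on it with G_DEBUG=fatal-criticals so the GStreamer CRITICAL quoted above aborts the web process deterministically instead of depending on how glib was built, and classifies the captured stderr. It assumes MiniBrowser is on PATH (or given via MINIBROWSER), that timeout(1) is available, and that WebKitWebProcess inherits the environment of the UI process; the 15-second bound and the file names are arbitrary choices.

```shell
#!/bin/sh
# Added repro harness for this bug (example code, not from the report or WebKit).
# Assumptions: MiniBrowser on PATH or in $MINIBROWSER; timeout(1) available;
# WebKitWebProcess inherits G_DEBUG from the MiniBrowser environment.

# Write the reporter's HTML to the path given as $1. The "evo-https" scheme is
# the reporter's deliberately unknown scheme, so nothing is ever downloaded.
write_repro() {
    cat > "$1" <<'EOF'
<html><body><video src="evo-https://gitlab.gnome.org/GNOME/gtk/uploads/a3998120d6283183158157e981e1cdaf/recording-jitter-3.mp4"></video></body></html>
EOF
}

# Classify a captured stderr log ($1):
#   critical - the GStreamer assertion from the report was printed (with
#              G_DEBUG=fatal-criticals the web process aborts right after it)
#   clean    - the assertion never appeared, i.e. the fill timer bailed out
classify() {
    if grep -q "gst_element_query: assertion 'GST_IS_ELEMENT (element)' failed" "$1"; then
        echo critical
    else
        echo clean
    fi
}

# Launch MiniBrowser on the repro page ($1), capture stderr to $2 and classify.
# The timeout bounds the run: a fixed build just keeps showing the page, and
# timeout's own exit status (124 on expiry) is not the signal we care about.
run_repro() {
    G_DEBUG=fatal-criticals timeout 15 \
        "${MINIBROWSER:-MiniBrowser}" "file://$1" 2> "$2" || :
    classify "$2"
}

if [ "${1:-}" = "--run" ]; then
    tmp=$(mktemp -d)
    write_repro "$tmp/repro.html"
    echo "result: $(run_repro "$tmp/repro.html" "$tmp/stderr.log")"
    echo "stderr captured in $tmp/stderr.log"
fi
```

Run it as `sh repro.sh --run` against the build under test: "critical" reproduces the report (and, with criticals fatal, leaves a core dump of WebKitWebProcess to compare with the backtrace above), "clean" is what a build carrying the fix should print. Only the UI process is launched directly, which is why the harness looks at the captured log rather than at MiniBrowser's exit status: the crash happens in the child WebKitWebProcess, not in MiniBrowser itself.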
Comment 1 Charlie Turner 2019-08-08 02:15:22 PDT
I can confirm this; it looks like the fill timer is not being made aware of an erroneous load. Will take a look.
Comment 2 Charlie Turner 2019-08-08 02:29:17 PDT
Created attachment 375793 [details]
Patch
Comment 3 Xabier Rodríguez Calvar 2019-08-08 03:22:04 PDT
Comment on attachment 375793 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=375793&action=review

> Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1659
> +    if (m_errorOccured) {
> +        GST_DEBUG_OBJECT(pipeline(), "[Buffering] An error occurred, disabling the fill timer");
> +        m_fillTimer.stop();
> +        return;
> +    }
> +
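Review bot: The guard at MediaPlayerPrivateGStreamer.cpp:1659 sits after the method's locals are already set up, so on the bail-out path fillTimerFired() still pays for the GstQuery that frame #1 of the backtrace shows already built (query = {m_ptr = 0x7f30c40060f0}) when the crashing gst_element_query call at line 1662 runs; move the `if (m_errorOccured)` block to the very top of the method so the error case returns before anything is allocated. Since the crash frame shows element=0x0, a separate null check on pipeline() ahead of the query is also worth adding, so a fill timer that fires after teardown for any reason other than a recorded load error takes the same early-return path instead of reaching the GStreamer assertion.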

You can move this piece of code to the beginning of the method. We don't need to initialize anything if we're going to bail out.
Comment 4 Charlie Turner 2019-08-08 04:25:15 PDT
Created attachment 375795 [details]
Patch for landing
Comment 5 WebKit Commit Bot 2019-08-08 05:08:56 PDT
Comment on attachment 375795 [details]
Patch for landing

Clearing flags on attachment: 375795

Committed r248405: <https://trac.webkit.org/changeset/248405>
Comment 6 WebKit Commit Bot 2019-08-08 05:08:58 PDT
All reviewed patches have been landed. Closing bug.