RESOLVED DUPLICATE of bug 220091 203378
[GStreamer][MSE] Crash in PlaybackPipeline::removeSourceBuffer 
https://bugs.webkit.org/show_bug.cgi?id=203378
Summary [GStreamer][MSE] Crash in PlaybackPipeline::removeSourceBuffer
Michael Catanzaro
Reported 2019-10-24 11:54:18 PDT
This is 100% reproducible in today's Tech Preview (which is still using 2.26.1; beware as we have an update to 2.27.2 pending that could affect this). Just visit https://fortintam.com/blog/significance-of-rotschild-vs-gnome/ and click on the YouTube embed. WebKit will crash with SIGSEGV: #0 0x00007eff01ca82d8 in WebCore::PlaybackPipeline::removeSourceBuffer(WTF::RefPtr<WebCore::SourceBufferPrivateGStreamer, WTF::DumbPtrTraits<WebCore::SourceBufferPrivateGStreamer> >) (this=0x0, sourceBufferPrivate=...) at ../Source/WebCore/platform/graphics/gstreamer/mse/PlaybackPipeline.cpp:150 __FUNCTION__ = "removeSourceBuffer" priv = <optimized out> stream = <optimized out> #1 0x00007eff01ca68e3 in WebCore::MediaSourceClientGStreamerMSE::removedFromMediaSource(WTF::RefPtr<WebCore::SourceBufferPrivateGStreamer, WTF::DumbPtrTraits<WebCore::SourceBufferPrivateGStreamer> >) (this=0x7efd34210cf8, sourceBufferPrivate=...) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:49 #2 0x00007eff01caad62 in WebCore::SourceBufferPrivateGStreamer::removedFromMediaSource() (this=0x7efd344dc680) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:49 #3 0x00007eff00c2104f in WebCore::SourceBuffer::removedFromMediaSource() (this=0x7efe38440390) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43 #4 0x00007eff00c2104f in WebCore::SourceBuffer::removedFromMediaSource() (this=0x7efe38440390) at ../Source/WebCore/Modules/mediasource/SourceBuffer.cpp:464 #5 0x00007eff00c2c3a3 in WebCore::MediaSource::removeSourceBuffer(WebCore::SourceBuffer&) (this=this@entry=0x7efe78723d90, buffer=...) at ../Source/WebCore/Modules/mediasource/MediaSource.cpp:867 #6 0x00007eff00c2c716 in WebCore::MediaSource::detachFromElement(WebCore::HTMLMediaElement&) (this=0x7efe78723d90, element=...) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43 #7 0x00007eff011f5cac in WebCore::HTMLMediaElement::detachMediaSource() (this=this@entry=0x7efe7814dc50) at ../Source/WebCore/html/HTMLMediaElement.cpp:3693 #8 0x00007eff0120d7c0 in WebCore::HTMLMediaElement::noneSupported() (this=0x7efe7814dc50) at ../Source/WebCore/html/HTMLMediaElement.cpp:2171 #9 0x00007eff0120d7c0 in WebCore::HTMLMediaElement::noneSupported() (this=0x7efe7814dc50) at ../Source/WebCore/html/HTMLMediaElement.cpp:2140 #10 0x00007eff0120d953 in WebCore::HTMLMediaElement::mediaLoadingFailed(WebCore::MediaPlayerEnums::NetworkState) (this=0x7efe7814dc50, error=WebCore::MediaPlayerEnums::FormatError) at ../Source/WebCore/html/HTMLMediaElement.cpp:2311 #11 0x00007eff01687975 in WebCore::MediaPlayer::loadWithNextMediaEngine(WebCore::MediaPlayerFactory const*) (this=0x7efd3428e958, current=<optimized out>) at ../Source/WebCore/platform/graphics/MediaPlayer.h:419 engine = <optimized out> #12 0x00007eff01604db4 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7efef369beb0) at ../Source/WebCore/platform/ThreadTimers.h:101 item = {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<WebCore::ThreadTimerHeapItem, WTF::DumbPtrTraits<WebCore::ThreadTimerHeapItem> >::isRef".>, m_ptr = 0x7efd1ca81570} timer = <optimized out> interval = <optimized out> timeToQuit = {static clockType = WTF::ClockType::Monotonic, m_value = 1052.4927740000001} #13 0x00007eff01604db4 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7efef369beb0) at ../Source/WebCore/platform/ThreadTimers.cpp:101 #14 0x00007efefe129368 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7eff029cef70 <WebCore::MainThreadSharedTimer::singleton()::instance+16>) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:171 timer = 0x7eff029cef70 <WebCore::MainThreadSharedTimer::singleton()::instance+16> source = 0x5598a62f4290 #15 0x00007efefe129368 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:177 #16 0x00007efefe77f58e in g_main_dispatch (context=0x5598a4d5cad0) at ../glib/gmain.c:3178 dispatch = 0x7efefe128d70 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)> prev_source = 0x0 was_in_call = 0 user_data = 0x7eff029cef70 <WebCore::MainThreadSharedTimer::singleton()::instance+16> callback = 0x7efefe129350 <WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer)> cb_funcs = 0x7efefe854280 <g_source_callback_funcs> cb_data = 0x5598a62f1660 need_destroy = <optimized out> source = 0x5598a62f4290 current = 0x5598a4d65ac0 i = 0 __func__ = "g_main_dispatch" #17 0x00007efefe77f58e in g_main_context_dispatch (context=context@entry=0x5598a4d5cad0) at ../glib/gmain.c:3843 #18 0x00007efefe77f940 in g_main_context_iterate (context=0x5598a4d5cad0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3916 max_priority = 100 timeout = 0 some_ready = 1 nfds = <optimized out> allocated_nfds = <optimized out> fds = 0x5598a672fe00 #19 0x00007efefe77fc33 in g_main_loop_run (loop=0x5598a4dfbf30) at ../glib/gmain.c:4110 __func__ = "g_main_loop_run" #20 0x00007efefe1297d0 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96 runLoop = @0x7efef36f9000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 52}, static is_always_lock_free = true}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7efefe3fd4c8 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, static is_always_lock_free = true}}}, m_functionQueue = {m_start = 37, m_end = 37, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()> >> = {m_buffer = 0x7efe706e8000, m_capacity = 68, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x5598a4d5cad0}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop> >> = {m_buffer = 0x7efef36fc100, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x5598a4e6cae0}} mainContext = 0x5598a4d5cad0 innermostLoop = 0x5598a4dfbf30 nestedMainLoop = <optimized out> #21 0x00007eff0056ecaa in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=3, argv=<optimized out>) at ../Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47 auxiliaryMain = {<WebKit::AuxiliaryProcessMainBase> = {_vptr.AuxiliaryProcessMainBase = 0x7eff027deca8 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x0}}, clientIdentifier = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x0}}, processIdentifier = {<WTF::constexpr_Optional_base<WTF::ObjectIdentifier<WebCore::ProcessIdentifierType> >> = {init_ = true, storage_ = {dummy_ = 36 '$', value_ = {<WTF::ObjectIdentifierBase> = {<No data fields>}, m_identifier = 36}}}, <No data fields>}, connectionIdentifier = 77, extraInitializationData = {m_impl = {static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}, processType = WebKit::AuxiliaryProcess::ProcessType::WebContent}}, <No data fields>} #22 0x00007efeff6ce173 in __libc_start_main (main=0x5598a47a3780 <main(int, char**)>, argc=3, argv=0x7fffa90aeac8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffa90aeab8) at ../csu/libc-start.c:308 result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 1868289502364029906, 94114082863056, 140736029452992, 0, 0, 5558397995539485650, 5702059926884570066}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffa90aeae8, 0x7eff02a16130}, data = {prev = 0x0, cleanup = 0x0, canceltype = -1458902296}}} not_first_call = <optimized out> #23 0x00005598a47a37fe in _start () at ../sysdeps/x86_64/start.S:120
Attachments
Newer backtrace from 2.29.91 (261.81 KB, text/plain)
2020-08-26 09:07 PDT, Michael Catanzaro 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2019-10-24 11:55:51 PDT
If trying to reproduce outside Tech Preview, remember to uninstall gst-libav to ensure you wind up in HTMLMediaElement::noneSupported.
Michael Catanzaro
Comment 2 2019-10-25 08:27:38 PDT
OK, I confirm it's fixed in 2.27.2, so adding STABLE tag.
Michael Catanzaro
Comment 3 2020-04-27 11:58:00 PDT
Removing STABLE tag. It's 100% reproducible in 2.28.1, following the original reproducer of visiting https://fortintam.com/blog/significance-of-rotschild-vs-gnome/ and then clicking the YouTube embed. I found a new reproducer, which is to visit https://nourish.schnucks.com/schnucks-store-status/
Michael Catanzaro
Comment 4 2020-08-20 13:34:42 PDT
Neither of those reproducers work for me anymore, but this crash sometimes occurs when replaying videos on reddit.com. I hit it twice just now in 2.29.91.
Michael Catanzaro
Comment 5 2020-08-26 09:07:51 PDT
Created attachment 407300 [details] Newer backtrace from 2.29.91
Michael Catanzaro
Comment 6 2020-08-26 09:12:15 PDT
I wonder if the ASSERT(m_sourceBuffers.contains(sourceBufferPrivateGStreamer)) would be failing in debug builds.
Alicia Boya García
Comment 7 2020-08-31 06:27:41 PDT
This draws my attention: #11 0x00007f051b3fb7fb in WebCore::HTMLMediaElement::mediaLoadingFailedFatally(WebCore::MediaPlayerEnums::NetworkState) (this=0x7f04b000a350, error=<optimized out>) at ../Source/WebCore/html/HTMLMediaElement.cpp:2095 #12 0x00007f051bf60f11 in WebCore::MediaSourcePrivateGStreamer::open(WebCore::MediaSourcePrivateClient&, WebCore::MediaPlayerPrivateGStreamerMSE&) (mediaSource=..., playerPrivate=...) at DerivedSources/ForwardingHeaders/wtf/Ref.h:279 #13 0x00007f051bf5c41b in WebCore::MediaPlayerPrivateGStreamerMSE::sourceSetup(_GstElement*) (this=0x7f0326ed8380, sourceElement=0x55f315508310 [WebKitMediaSrc]) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43 Being a release traceback it's not clear what calls are between #11 and #12.
Philippe Normand
Comment 8 2021-03-21 07:54:34 PDT
*** This bug has been marked as a duplicate of bug 220091 ***
Note You need to log in before you can comment on or make changes to this bug.