Bug 213506 - [GStreamer][WebRTC] SIGSEGV at _mm_mul_pd() during audio resampling
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2020-06-23 03:22 PDT by Alicia Boya García
Modified: 2021-12-30 22:09 PST

Description Alicia Boya García 2020-06-23 03:22:21 PDT
Hit once on fast/mediastream/RTCPeerConnection-page-cache.html, but not easy to reproduce (can't reproduce after >8000 iterations).

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f278686c480 in _mm_mul_pd (__B=..., __A=...) at /usr/lib/gcc/x86_64-unknown-linux-gnu/9.3.0/include/emmintrin.h:272
272	  return (__m128d) ((__v2df)__A * (__v2df)__B);
[Current thread is 1 (Thread 0x7f27292fe700 (LWP 1014))]

Thread 1 (Thread 0x7f27292fe700 (LWP 1014)):
#0  0x00007f278686c480 in _mm_mul_pd (__B=..., __A=...) at /usr/lib/gcc/x86_64-unknown-linux-gnu/9.3.0/include/emmintrin.h:272
#1  0x00007f278686c480 in inner_product_gdouble_full_1_sse2 (icoeff=<optimized out>, bstride=<optimized out>, len=<optimized out>, b=<optimized out>, a=<optimized out>, o=<optimized out>) at ../gst-libs/gst/audio/audio-resampler-x86-sse2.c:189
#2  0x00007f278686c480 in resample_gdouble_full_1_sse2 (resampler=0x7f270409fea0, in=0x7f26f4036570, in_len=464, out=0x7f27080301e0, out_len=480, consumed=0x7f27292fd6f0) at ../gst-libs/gst/audio/audio-resampler-x86-sse2.c:264
#3  0x00007f278683b64c in gst_audio_resampler_resample (resampler=0x7f270409fea0, in=in@entry=0x7f270802f3f0, in_frames=<optimized out>, out=out@entry=0x7f27080301e0, out_frames=out_frames@entry=480) at ../gst-libs/gst/audio/audio-resampler.c:1786
#4  0x00007f2786830081 in do_resample (chain=0x7f26f4007570, user_data=0x7f26f40080a0) at ../gst-libs/gst/audio/audio-converter.c:546
#5  0x00007f278682f562 in audio_chain_get_samples (avail=<synthetic pointer>, chain=0x7f26f4007570) at ../gst-libs/gst/audio/audio-converter.c:257
#6  0x00007f278682f562 in do_convert_out (chain=0x7f26f40075e0, user_data=0x7f26f40080a0) at ../gst-libs/gst/audio/audio-converter.c:562
#7  0x00007f27868301d2 in audio_chain_get_samples (avail=<synthetic pointer>, chain=0x7f26f40075e0) at ../gst-libs/gst/audio/audio-converter.c:257
#8  0x00007f27868301d2 in do_quantize (chain=0x7f26f40076c0, user_data=0x7f26f40080a0) at ../gst-libs/gst/audio/audio-converter.c:581
#9  0x00007f278682ed8a in audio_chain_get_samples (avail=<synthetic pointer>, chain=0x7f26f40076c0) at ../gst-libs/gst/audio/audio-converter.c:257
#10 0x00007f278682ed8a in converter_generic (convert=0x7f26f40080a0, flags=<optimized out>, in=<optimized out>, in_frames=<optimized out>, out=0x7f27292fd8b0, out_frames=<optimized out>) at ../gst-libs/gst/audio/audio-converter.c:1275
#11 0x00007f279fa19f3c in WebCore::RealtimeOutgoingAudioSourceLibWebRTC::pullAudioData() (this=0x7f270ee0a450) at ../../Source/WebCore/platform/mediastream/gstreamer/RealtimeOutgoingAudioSourceLibWebRTC.cpp:120
#12 0x00007f279fa19893 in WebCore::RealtimeOutgoingAudioSourceLibWebRTC::<lambda()>::operator()(void) const (__closure=0x7f270ee16038) at ../../Source/WebCore/platform/mediastream/gstreamer/RealtimeOutgoingAudioSourceLibWebRTC.cpp:91
#13 0x00007f279fa1aba6 in WTF::Detail::CallableWrapper<WebCore::RealtimeOutgoingAudioSourceLibWebRTC::audioSamplesAvailable(const WTF::MediaTime&, const WebCore::PlatformAudioData&, const WebCore::AudioStreamDescription&, size_t)::<lambda()>, void>::call(void) (this=0x7f270ee16030) at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#14 0x00007f279ae1957b in WTF::Function<void ()>::operator()() const (this=0x7f26f4036508) at DerivedSources/ForwardingHeaders/wtf/Function.h:84
#15 0x00007f279eb02def in WebCore::PeerConnectionFactoryAndThreads::OnMessage(rtc::Message*) (this=0x7f27a69b4100 <WebCore::staticFactoryAndThreads()::factoryAndThreads>, message=0x7f27292fdbc0) at ../../Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCProvider.cpp:219
#16 0x00007f279c37fae0 in rtc::Thread::Dispatch(rtc::Message*) (this=0x5623f5798eb0, pmsg=0x7f27292fdbc0) at ../../Source/ThirdParty/libwebrtc/Source/webrtc/rtc_base/thread.cc:664
#17 0x00007f279c381989 in rtc::Thread::ProcessMessages(int) (this=0x5623f5798eb0, cmsLoop=-1) at ../../Source/ThirdParty/libwebrtc/Source/webrtc/rtc_base/thread.cc:1000
#18 0x00007f279c380cbb in rtc::Thread::Run() (this=0x5623f5798eb0) at ../../Source/ThirdParty/libwebrtc/Source/webrtc/rtc_base/thread.cc:842
#19 0x00007f279c380c5d in rtc::Thread::PreRun(void*) (pv=0x5623f5798eb0) at ../../Source/ThirdParty/libwebrtc/Source/webrtc/rtc_base/thread.cc:831
#20 0x00007f27870b95e2 in start_thread (arg=<optimized out>) at pthread_create.c:479
#21 0x00007f2784d4a473 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1 Philippe Normand 2020-06-23 04:34:47 PDT
Looks like an ORC bug? or an issue with the GCC intrinsics...
Comment 2 Alicia Boya García 2020-06-23 05:05:18 PDT
I don't even know how this got a SIGSEGV. _mm_mul_pd() takes integral values, not pointers:

https://software.intel.com/sites/landingpage/IntrinsicsGuide/#text=_mm_mul_pd&expand=3919

Synopsis
__m128d _mm_mul_pd (__m128d a, __m128d b)
#include <emmintrin.h>
Instruction: mulpd xmm, xmm
CPUID Flags: SSE2
Description
Multiply packed double-precision (64-bit) floating-point elements in a and b, and store the results in dst.
Comment 3 Philippe Normand 2020-06-24 02:28:08 PDT
Same crash in webrtc/multi-audio.html
Comment 4 Alicia Boya García 2020-06-24 05:49:13 PDT
RealtimeOutgoingAudioSourceLibWebRTC::pullAudioData() is the most suspicious part of the code, although I couldn't quickly find a blatant memory error. The input buffer is ref'ed and locked during conversion, and the output buffer (m_audioBuffer) is protected by [protectedThis = makeRef(*this)] in the calling lambda.

I can only think of audio being non-interleaved in either and therefore in/out expecting an array of more than one pointer, and an invalid pointer being read. But if that was the case, that would happen more consistently.

Catching the error with asan would be helpful.
Comment 5 Lauro Moura 2020-11-09 09:03:35 PST
fast/mediastream/RTCPeerConnection-inspect-offer-bundlePolicy-bundle-only.html

This is sparsely crashing in the release bots with the same trace. Some numbers from recent history:

GTK-Release: 2 crashes since r269185
GTK-Release-Wayland[1]: 4 crashes since r268715
GTK-Debug: Crashing almost half of the time since circa r269034. 3 crashes between r267523 and r269034.
WPE-Release: 1 crash in r269580
WPE-Debug: 13 crashes since r268991


With this test, I managed to get it to somewhat reliably crash in debug mode when using `--iterations=10`. (i.e. it crashed at least once during the run).


[1] Wayland had some "FAIL TIMEOUT CRASH" results not included in the sum above.
Comment 6 Philippe Normand 2021-04-14 09:39:02 PDT
(In reply to Lauro Moura from comment #5)
> fast/mediastream/RTCPeerConnection-inspect-offer-bundlePolicy-bundle-only.html

This has been failing on all ports for months. Not sure it's a good indicator :)
Comment 7 Philippe Normand 2021-04-19 04:13:52 PDT
webrtc/audio-video-element-playing.html also affected by this crash, in WPE.
Comment 8 Philippe Normand 2021-04-19 09:50:53 PDT
also webrtc/remove-track.html
Comment 9 Diego Pino 2021-12-30 22:09:03 PST
There were 2 tests left filed under this bug:

  webrtc/audio-video-element-playing.html [ Crash Pass ]
  webrtc/remove-track.html [ Crash Pass ]

The tests have been constantly passing for the last 4 months so I'm marking this bug as resolved.

https://results.webkit.org/?limit=4000&platform=GTK&platform=WPE&suite=layout-tests&suite=layout-tests&test=webrtc%2Faudio-video-element-playing.html&test=webrtc%2Fremove-track.html

Tests removed from test expectations in r287490.