Bug 217647 - [GStreamer] Crash in WebCore::GStreamerRegistryScanner::isAVC1CodecSupported
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Philippe Normand
Keywords: InRadar
Reported: 2020-10-12 20:24 PDT by Michael Catanzaro
Modified: 2020-10-13 05:09 PDT

Attachments
Patch (5.86 KB, patch)
2020-10-13 02:23 PDT, Philippe Normand
calvaris: review+

Description Michael Catanzaro 2020-10-12 20:24:21 PDT
Load https://proofing.statefarm.com/login-interceptor/login in Tech Preview, or build WebKit trunk with jhbuild, either way it will crash immediately:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = 
            {__val = {0, 140628309954960, 93936283386752, 140620386244921, 140735321198224, 140735321198216, 140620386244912, 140628310519853, 0, 1, 140735321198272, 140735321198240, 140735321198624, 140735321198776, 0, 1}}
        pid = <optimized out>
        tid = <optimized out>
#1  0x00007fe694755855 in __GI_abort () at abort.c:79
        save_stage = 1
        act = 
          {__sigaction_handler = {sa_handler = 0x7fff7ed3d030, sa_sigaction = 0x7fff7ed3d030}, sa_mask = {__val = {140628298606868, 140626159797808, 1, 140620386245076, 139642271694853, 140735321198848, 15911148392968547328, 140626161041408, 46, 140735321199120, 140735321198736, 140628368873568, 140628298249298, 140735321199120, 140628298605424, 140620203346288}}, sa_flags = -1687491584, sa_restorer = 0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007fe6971e1724 in WTF::CrashOnOverflow::crash() ()
    at DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:127
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#3  WTF::CrashOnOverflow::overflowed() () at DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:120
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#4  WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long)
    (i=<optimized out>, this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:701
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#5  WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long)
    (i=<optimized out>, this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:721
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#6  WebCore::GStreamerRegistryScanner::isAVC1CodecSupported(WTF::String const&, bool) const (this=this@entry=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, codec=..., shouldCheckForHardwareUse=<optimized out>, shouldCheckForHardwareUse@entry=false) at ../Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:366
        components = {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#7  0x00007fe6971e1a29 in WebCore::GStreamerRegistryScanner::isCodecSupported(WTF::String, bool) const (this=this@entry=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, codec=..., shouldCheckForHardwareUse=shouldCheckForHardwareUse@entry=false) at ../Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:305
        supported = false
        __FUNCTION__ = "isCodecSupported"
#8  0x00007fe6971e2049 in WebCore::GStreamerRegistryScanner::isContentTypeSupported(WebCore::ContentType const&, WTF::Vector<WebCore::ContentType, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) const (this=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, contentType=..., contentTypesRequiringHardwareSupport=...) at DerivedSources/ForwardingHeaders/wtf/text/StringImpl.h:1107
        codec = @0x7fe4b35a3700: {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe4bc2b99c0}}
        __for_range = @0x7fff7ed3d1f0: {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3700, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        __for_begin = 0x7fe4b35a3700
        __for_end = 0x7fe4b35a3708
        containerType = @0x7fff7ed3d1c8: {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe4bc2b9980}}
        codecs = @0x7fff7ed3d1f0: {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3700, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
#9  0x00007fe696ffc91c in WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:2693
        result = <optimized out>
        gstRegistryScanner = <optimized out>
        finalResult = <optimized out>
#10 WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:2674
#11 0x00007fe6969a241b in WebCore::bestMediaEngineForSupportParameters(WebCore::MediaEngineSupportParameters const&, WebCore::MediaPlayerFactory const*) (parameters=..., current=<optimized out>, current@entry=0x0) at /usr/include/c++/10.2.0/bits/unique_ptr.h:421
        engineSupport = <optimized out>
        engine = <optimized out>
        __for_range = <optimized out>
        __for_begin = <optimized out>
        __for_end = 0x7fe5e44fda90
        foundEngine = <optimized out>
        supported = <optimized out>
#12 0x00007fe6969a5d01 in WebCore::MediaPlayer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/MediaPlayer.cpp:993
        engine = <optimized out>
#13 0x00007fe6964b51c6 in WebCore::HTMLMediaElement::canPlayType(WTF::String const&) const (this=this@entry=0x7fe5d470d830, mimeType=...) at ../Source/WebCore/html/HTMLMediaElement.cpp:1064
        parameters = {type = {m_type = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5d44ed7b0}}}, url = {m_string = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, m_isValid = 0, m_protocolIsInHTTPFamily = 0, m_cannotBeABaseURL = 0, m_portLength = 0, static maxPortLength = 7, static maxSchemeLength = 67108863, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0}, isMediaSource = false, isMediaStream = false, contentTypesRequiringHardwareSupport = {<WTF::VectorBuffer<WebCore::ContentType, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::ContentType, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}}
        contentType = {m_type = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5d44ed7b0}}}
        support = <optimized out>
        canPlay = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5240d4520}}
        __func__ = "canPlayType"
Comment 1 Michael Catanzaro 2020-10-12 20:43:41 PDT
Added some debug:

isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42AC23 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=172 sps[2]=35
isAVC1CodecSupported: profile=baseline level=(null)
isAVC1CodecSupported: 2
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E034 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=52
isAVC1CodecSupported: profile=constrained-baseline level=5.2
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E034 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=52
isAVC1CodecSupported: profile=constrained-baseline level=5.2
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E009 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=9
isAVC1CodecSupported: profile=constrained-baseline level=1b
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E009 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=9
isAVC1CodecSupported: profile=constrained-baseline level=1b
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.123456 hardware=0
isAVC1CodecSupported: sps[0]=18 sps[1]=52 sps[2]=86
isAVC1CodecSupported: profile=(null) level=(null)
isAVC1CodecSupported: 2
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42F01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=240 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42F01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=240 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.4D001E hardware=0
isAVC1CodecSupported: sps[0]=77 sps[1]=0 sps[2]=30
isAVC1CodecSupported: profile=main level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.4D001E hardware=0
isAVC1CodecSupported: sps[0]=77 sps[1]=0 sps[2]=30
isAVC1CodecSupported: profile=main level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1x hardware=0
1   0x7f7e7d7afbd9 WTFCrash
2   0x7f7e814b2255 WebCore::GStreamerRegistryScanner::isAVC1CodecSupported(WTF::String const&, bool) const
3   0x7f7e814b24b9 WebCore::GStreamerRegistryScanner::isCodecSupported(WTF::String, bool) const
4   0x7f7e814b2ab9 WebCore::GStreamerRegistryScanner::isContentTypeSupported(WebCore::ContentType const&, WTF::Vector<WebCore::ContentType, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) const
5   0x7f7e812df7d4 WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&)
6   0x7f7e80cf510b /home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37(+0x2eb010b) [0x7f7e80cf510b]
7   0x7f7e80cf6fc4 WebCore::MediaPlayer::supportsType(WebCore::MediaEngineSupportParameters const&)
8   0x7f7e808637f2 WebCore::HTMLMediaElement::canPlayType(WTF::String const&) const
9   0x7f7e7fd8aeee WebCore::jsHTMLMediaElementPrototypeFunctionCanPlayType(JSC::JSGlobalObject*, JSC::CallFrame*)
10  0x7f7e280ff178 [0x7f7e280ff178]

So it crashes when there is no period in the codec string (accessing components[1] off the end of the array).
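
The failure mode diagnosed above, with the missing size check in place, as an added example that is not WebKit's code and not the committed patch. `Avc1Params`, `splitOnDot` and `parseAvc1Codec` are hypothetical names using the standard library rather than WTF types, and the parser assumes the strict form `avc1.` followed by exactly six hex digits.

```cpp
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical holder for the three bytes the debug output prints as sps[0..2].
struct Avc1Params {
    uint8_t profileIdc;
    uint8_t constraintFlags;
    uint8_t levelIdc;
};

// Split on '.', keeping empty fields so "avc1." yields {"avc1", ""}.
static std::vector<std::string> splitOnDot(const std::string& s)
{
    std::vector<std::string> parts;
    size_t start = 0;
    for (;;) {
        size_t dot = s.find('.', start);
        if (dot == std::string::npos) {
            parts.push_back(s.substr(start));
            return parts;
        }
        parts.push_back(s.substr(start, dot - start));
        start = dot + 1;
    }
}

// Returns false, leaving `out` untouched, for any malformed codec string.
bool parseAvc1Codec(const std::string& codec, Avc1Params& out)
{
    std::vector<std::string> parts = splitOnDot(codec);
    // "avc1x" has no period, so there is one component and no parts[1] to read.
    if (parts.size() != 2 || parts[0] != "avc1")
        return false;
    const std::string& hex = parts[1];
    if (hex.size() != 6)
        return false;
    for (char c : hex) {
        if (!std::isxdigit(static_cast<unsigned char>(c)))
            return false;
    }
    unsigned long v = std::stoul(hex, nullptr, 16);
    out = Avc1Params { static_cast<uint8_t>(v >> 16),
        static_cast<uint8_t>((v >> 8) & 0xff), static_cast<uint8_t>(v & 0xff) };
    return true;
}
```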
Comment 2 Philippe Normand 2020-10-13 02:23:39 PDT
Created attachment 411204 [details]
Patch
Comment 3 Xabier Rodríguez Calvar 2020-10-13 03:43:30 PDT
Comment on attachment 411204 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review

> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:367
> +    auto checkH264Caps = [&](const char* capsString) {

Nit: I would make this a private method instead of a lambda, even if this was already like this before.

> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:370
> +        bool supported = false;
> +        auto lookupResult = hasElementForMediaType(m_videoDecoderFactories, capsString, true);
> +        supported = lookupResult;
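
Review bot: `bool supported = false;` on the first quoted line is a dead store, because `supported = lookupResult;` overwrites it unconditionally two lines later. Declaring `bool supported = lookupResult;` after the lookup would keep `lookupResult` as a separate variable and drop the redundant initialisation.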

Nit: I think one line would be enough, wouldn't it?
Comment 4 Philippe Normand 2020-10-13 04:53:21 PDT
Comment on attachment 411204 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review

>> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:370
>> +        supported = lookupResult;
> 
> Nit: I think one line would be enough, wouldn't it?

No, because lookupResult is used below.
Comment 5 Philippe Normand 2020-10-13 05:03:57 PDT
Comment on attachment 411204 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review

>> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:367
>> +    auto checkH264Caps = [&](const char* capsString) {
> 
> Nit: I would make this a private method instead of a lambda, even if this was already like this before.

I find it more convenient to use a lambda here, instead of adding a new method which would need 3 arguments :)
Comment 6 Philippe Normand 2020-10-13 05:08:51 PDT
Committed r268392: <https://trac.webkit.org/changeset/268392>
Comment 7 Radar WebKit Bug Importer 2020-10-13 05:09:19 PDT
<rdar://problem/70248585>