Bug 231519 - [GStreamer] Crash in WebCore::MediaPlayerPrivateGStreamer::sourceSetup when loading reddit video
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Philippe Normand
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-10-11 10:52 PDT by Michael Catanzaro
Modified: 2021-10-13 06:57 PDT
CC: 15 users

See Also:


Attachments
Full backtrace (29.37 KB, text/plain), 2021-10-11 10:52 PDT, Michael Catanzaro
gst.log (30.01 KB, text/x-log), 2021-10-11 10:54 PDT, Michael Catanzaro
Patch (7.69 KB, patch), 2021-10-13 05:01 PDT, Philippe Normand

Description Michael Catanzaro 2021-10-11 10:52:25 PDT
Created attachment 440806
Full backtrace

WebKit trunk is crashing when loading reddit.com:

(WebKitWebProcess:2): GLib-GObject-WARNING **: 12:44:29.407: invalid (NULL) pointer instance

(WebKitWebProcess:2): GLib-GObject-CRITICAL **: 12:44:29.407: g_signal_connect_data: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed

Pretty sure WebCore::MediaPlayerPrivateGStreamer::sourceSetup is being called with an invalid sourceElement.

I'll attach a full backtrace and a GStreamer debug log. Here's the short backtrace:

#0  _g_log_abort (breakpoint=1) at ../../../../Projects/glib/glib/gmessages.c:559
#1  0x00007fa612eb28e9 in g_logv (log_domain=0x7fa612fed650 "GLib-GObject", log_level=G_LOG_LEVEL_CRITICAL, 
    format=0x7fa612f1dd15 "%s: assertion '%s' failed", args=0x7ffc1c9c2438)
    at ../../../../Projects/glib/glib/gmessages.c:1413
#2  0x00007fa612eb29dd in g_log (log_domain=0x7fa612fed650 "GLib-GObject", log_level=G_LOG_LEVEL_CRITICAL, 
    format=0x7fa612f1dd15 "%s: assertion '%s' failed") at ../../../../Projects/glib/glib/gmessages.c:1455
#3  0x00007fa612eb49ef in g_return_if_fail_warning (log_domain=0x7fa612fed650 "GLib-GObject", 
    pretty_function=0x7fa612fef450 <__func__.17> "g_signal_connect_data", 
    expression=0x7fa612fed880 "G_TYPE_CHECK_INSTANCE (instance)") at ../../../../Projects/glib/glib/gmessages.c:2891
#4  0x00007fa612fceb83 in g_signal_connect_data (instance=0x0, detailed_signal=0x7fa61a11f46b "element-added", 
    c_handler=0x7fa619e2a5e0 <WebCore::MediaPlayerPrivateGStreamer::uriDecodeBinElementAddedCallback(_GstBin*, _GstElement*, WebCore::MediaPlayerPrivateGStreamer*)>, data=0x7fa6003ed380, destroy_data=0x0, connect_flags=0)
    at ../../../../Projects/glib/gobject/gsignal.c:2571
#5  0x00007fa619e288cb in WebCore::MediaPlayerPrivateGStreamer::sourceSetup (this=0x7fa6003ed380, 
    sourceElement=<optimized out>)
    at /home/mcatanzaro/Projects/WebKit/WebKitBuild/GNOME/WTF/Headers/wtf/glib/GRefPtr.h:110
#6  0x00007fa612fb7db2 in g_cclosure_marshal_VOID__OBJECTv (closure=0x201a290, return_value=0x0, instance=0x1fd2070, 
    args=0x7ffc1c9c29b8, marshal_data=0x0, n_params=1, param_types=0x1ff6670)
    at ../../../../Projects/glib/gobject/gmarshal.c:1910
#7  0x00007fa612fb2a99 in _g_closure_invoke_va (closure=0x201a290, return_value=0x0, instance=0x1fd2070, 
    args=0x7ffc1c9c29b8, n_params=1, param_types=0x1ff6670) at ../../../../Projects/glib/gobject/gclosure.c:893
#8  0x00007fa612fd06b2 in g_signal_emit_valist (instance=0x1fd2070, signal_id=247, detail=0, var_args=0x7ffc1c9c29b8)
    at ../../../../Projects/glib/gobject/gsignal.c:3406
#9  0x00007fa612fd1944 in g_signal_emit (instance=0x1fd2070, signal_id=247, detail=0)
    at ../../../../Projects/glib/gobject/gsignal.c:3553
#10 0x00007fa612fb7db2 in g_cclosure_marshal_VOID__OBJECTv (closure=0x2061550, return_value=0x0, instance=0x1983350, 
    args=0x7ffc1c9c2e68, marshal_data=0x0, n_params=1, param_types=0x205be00)
    at ../../../../Projects/glib/gobject/gmarshal.c:1910
#11 0x00007fa612fb2a99 in _g_closure_invoke_va (closure=0x2061550, return_value=0x0, instance=0x1983350, 
    args=0x7ffc1c9c2e68, n_params=1, param_types=0x205be00) at ../../../../Projects/glib/gobject/gclosure.c:893
#12 0x00007fa612fd06b2 in g_signal_emit_valist (instance=0x1983350, signal_id=276, detail=0, var_args=0x7ffc1c9c2e68)
    at ../../../../Projects/glib/gobject/gsignal.c:3406
#13 0x00007fa612fd1944 in g_signal_emit (instance=0x1983350, signal_id=276, detail=0)
    at ../../../../Projects/glib/gobject/gsignal.c:3553
#14 0x00007fa568293cac in gen_source_element (decoder=0x1983350 [GstURIDecodeBin|uridecodebin0])
    at ../gst/playback/gsturidecodebin.c:1400
#15 setup_source (decoder=<optimized out>) at ../gst/playback/gsturidecodebin.c:2253
#16 gst_uri_decode_bin_change_state (element=<optimized out>, transition=<optimized out>)
    at ../gst/playback/gsturidecodebin.c:2876
#17 0x00007fa612094d69 in gst_element_change_state (element=element@entry=0x1983350 [GstURIDecodeBin|uridecodebin0], 
    transition=GST_STATE_CHANGE_READY_TO_PAUSED) at ../gst/gstelement.c:3077
#18 0x00007fa612094bfa in gst_element_continue_state (
    element=element@entry=0x1983350 [GstURIDecodeBin|uridecodebin0], ret=ret@entry=GST_STATE_CHANGE_SUCCESS)
    at ../gst/gstelement.c:2785
#19 0x00007fa612094daf in gst_element_change_state (element=element@entry=0x1983350 [GstURIDecodeBin|uridecodebin0], 
    transition=transition@entry=GST_STATE_CHANGE_NULL_TO_READY) at ../gst/gstelement.c:3116
#20 0x00007fa612095475 in gst_element_set_state_func (element=0x1983350 [GstURIDecodeBin|uridecodebin0], 
    state=GST_STATE_PAUSED) at ../gst/gstelement.c:3031
#21 0x00007fa5682d6edd in activate_group (target=GST_STATE_PAUSED, group=0x1fd2500, 
    playbin=0x1fd2070 [GstPlayBin|media-player-0]) at ../gst/playback/gstplaybin2.c:5513
#22 setup_next_source.constprop.0 (playbin=playbin@entry=0x1fd2070 [GstPlayBin|media-player-0], 
    target=<optimized out>) at ../gst/playback/gstplaybin2.c:5738
#23 0x00007fa5682a8daa in gst_play_bin_change_state (element=0x1fd2070 [GstPlayBin|media-player-0], 
    transition=GST_STATE_CHANGE_READY_TO_PAUSED) at ../gst/playback/gstplaybin2.c:5867
#24 0x00007fa612094d69 in gst_element_change_state (element=element@entry=0x1fd2070 [GstPlayBin|media-player-0], transition=GST_STATE_CHANGE_READY_TO_PAUSED) at ../gst/gstelement.c:3077
#25 0x00007fa612094bfa in gst_element_continue_state (element=element@entry=0x1fd2070 [GstPlayBin|media-player-0], ret=ret@entry=GST_STATE_CHANGE_SUCCESS) at ../gst/gstelement.c:2785
#26 0x00007fa612094daf in gst_element_change_state (element=element@entry=0x1fd2070 [GstPlayBin|media-player-0], transition=transition@entry=GST_STATE_CHANGE_NULL_TO_READY) at ../gst/gstelement.c:3116
#27 0x00007fa612095475 in gst_element_set_state_func (element=0x1fd2070 [GstPlayBin|media-player-0], state=GST_STATE_PAUSED) at ../gst/gstelement.c:3031
#28 0x00007fa619e27536 in WebCore::MediaPlayerPrivateGStreamer::changePipelineState (this=0x7fa6003ed380, newState=GST_STATE_PAUSED) at /home/mcatanzaro/Projects/WebKit/WebKitBuild/GNOME/WTF/Headers/wtf/glib/GRefPtr.h:110
#29 0x00007fa619e2b95e in WebCore::MediaPlayerPrivateGStreamer::commitLoad (this=0x7fa6003ed380) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1194
#30 0x00007fa619e37be0 in WebCore::MediaPlayerPrivateGStreamer::load (this=0x7fa6003ed380, urlString=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:341
#31 0x00007fa6197aef4f in WebCore::MediaPlayerPrivateInterface::load (url=..., this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/graphics/MediaPlayerPrivate.h:49
#32 WebCore::MediaPlayer::loadWithNextMediaEngine (this=this@entry=0x7fa5485b8570, current=current@entry=0x0) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/graphics/MediaPlayer.cpp:607
#33 0x00007fa6197af51d in WebCore::MediaPlayer::load (this=0x7fa5485b8570, url=..., contentType=..., keySystem=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/graphics/MediaPlayer.cpp:486
#34 0x00007fa619293b7b in WebCore::HTMLMediaElement::loadResource (this=<optimized out>, initialURL=..., contentType=..., keySystem=...) at /home/mcatanzaro/Projects/WebKit/WebKitBuild/GNOME/WTF/Headers/wtf/RawPtrTraits.h:44
#35 0x00007fa619294b81 in WebCore::HTMLMediaElement::loadNextSourceChild (this=0x7fa58c725b70) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/html/HTMLMediaElement.cpp:1453
#36 0x00007fa6190a664a in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/WebKitBuild/GNOME/WTF/Headers/wtf/Function.h:82
#37 WebCore::EventLoopFunctionDispatchTask::execute (this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/dom/EventLoop.cpp:159
#38 WebCore::EventLoop::run (this=this@entry=0x7fa58c0a8a90) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/dom/EventLoop.cpp:123
#39 0x00007fa61912be5d in WebCore::WindowEventLoop::didReachTimeToRun (this=0x7fa58c0a8a90) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/dom/WindowEventLoop.cpp:120
#40 0x00007fa619713a7f in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x7fa601585668) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/ThreadTimers.cpp:127
#41 0x00007fa616528ba5 in operator() (__closure=0x0, userData=userData@entry=0x7fa61aeea2b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#42 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:181
#43 0x00007fa61652903f in operator() (__closure=0x0, userData=0x7fa61aeea2b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>, callback=0x7fa616528b30 <_FUN(gpointer)>, source=0x1d0d0c0) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#44 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#45 0x00007fa612ea8004 in g_main_dispatch (context=0x198dd60) at ../../../../Projects/glib/glib/gmain.c:3381
#46 0x00007fa612ea8f57 in g_main_context_dispatch (context=0x198dd60) at ../../../../Projects/glib/glib/gmain.c:4099
#47 0x00007fa612ea9143 in g_main_context_iterate (context=0x198dd60, block=1, dispatch=1, self=0x1970150) at ../../../../Projects/glib/glib/gmain.c:4175
#48 0x00007fa612ea95e0 in g_main_loop_run (loop=0x1a38130) at ../../../../Projects/glib/glib/gmain.c:4373
#49 0x00007fa616529160 in WTF::RunLoop::run () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#50 0x00007fa61846c33f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argc=3, argv=0x7ffc1c9c3a98, this=0x7ffc1c9c38f0) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:70
#51 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argv=0x7ffc1c9c3a98, argc=3, this=0x7ffc1c9c38f0) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:57
#52 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk> (argc=3, argv=0x7ffc1c9c3a98) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:96
#53 0x00007fa612881560 in __libc_start_call_main (main=main@entry=0x400760 <main(int, char**)>, argc=argc@entry=3, argv=argv@entry=0x7ffc1c9c3a98) at ../sysdeps/nptl/libc_start_call_main.h:58
#54 0x00007fa61288160c in __libc_start_main_impl (main=0x400760 <main(int, char**)>, argc=3, argv=0x7ffc1c9c3a98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc1c9c3a88) at ../csu/libc-start.c:409
#55 0x0000000000400795 in _start ()
Comment 1 Michael Catanzaro 2021-10-11 10:54:02 PDT
Created attachment 440808
gst.log
Comment 2 Philippe Normand 2021-10-12 09:57:52 PDT
I can't repro this in Canary; you'll need a more detailed repro explanation too.

So anyway, this means that WEBKIT_IS_WEB_SRC(m_source.get()) is working on a null pointer? How come?
Comment 3 Philippe Normand 2021-10-12 10:02:14 PDT
Try this? http://sprunge.us/9TFo4S
Comment 4 Michael Catanzaro 2021-10-12 10:38:37 PDT
(In reply to Philippe Normand from comment #2)
> I can't repro this in Canary, you'll need a more detailed repro explanation
> too.

The reproducer is: load reddit.com. (You might need to sign out, if you're logged in, in order to get default front page contents.) Presumably there must be some video on the front page that triggers the crash.

> So anyway, this means that WEBKIT_IS_WEB_SRC(m_source.get()) is working on a
> null pointer? How come?

Will build and test.
Comment 5 Michael Catanzaro 2021-10-12 10:43:19 PDT
(In reply to Michael Catanzaro from comment #4)
> > So anyway, this means that WEBKIT_IS_WEB_SRC(m_source.get()) is working on a
> > null pointer? How come?
> 
> Will build and test.

Yup, that fixes it. None of the videos work, but it doesn't crash anymore.

Seems like something is wrong with video in my jhbuild environment....
Comment 6 Philippe Normand 2021-10-13 04:15:16 PDT
Behaviour break in GStreamer I'm afraid :(

https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1241
Comment 7 Philippe Normand 2021-10-13 05:01:55 PDT
Created attachment 441058
Patch
Comment 8 EWS 2021-10-13 06:56:55 PDT
Committed r284091 (242919@main): <https://commits.webkit.org/242919@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 441058.
Comment 9 Radar WebKit Bug Importer 2021-10-13 06:57:21 PDT
<rdar://problem/84196336>