RESOLVED FIXED 232914
[GStreamer] Crash in gst_buffer_get_meta when playing reddit video
https://bugs.webkit.org/show_bug.cgi?id=232914
Michael Catanzaro
Reported 2021-11-09 16:15:38 PST
This is a recent regression:

* Visit https://www.reddit.com/r/StLouis/comments/qqc4tk/explosions_rocked_a_home_in_belleville_this/ (probably any reddit video would suffice)
* Try to play the video

Epiphany Tech Preview with WebKitGTK 2.34.1 and GStreamer 1.18.5 will crash 100% of the time with this backtrace:

#0  0x00007f88e136e94c in gst_buffer_get_meta (buffer=buffer@entry=0x557280d5c5a0 [None], api=0x7f86cc0459e0 [GstVideoTimeCodeMetaAPI]) at ../gst/gstbuffer.c:2242
#1  0x00007f87e0346ed6 in gst_h264_parse_pre_push_frame (parse=0x7f87080804f0 [GstH264Parse], frame=0x5572809c0800) at ../gst/videoparsers/gsth264parse.c:3137
#2  0x00007f88e1493dc7 in gst_base_parse_push_frame (parse=parse@entry=0x7f87080804f0 [GstH264Parse], frame=frame@entry=0x5572809c0800) at ../libs/gst/base/gstbaseparse.c:2524
#3  0x00007f88e14973fc in gst_base_parse_handle_and_push_frame (frame=0x5572809c0800, parse=0x7f87080804f0 [GstH264Parse]) at ../libs/gst/base/gstbaseparse.c:2440
#4  0x00007f87e0344514 in gst_h264_parse_handle_frame_packetized (frame=0x5572809c0800, parse=0x7f87080804f0 [GstH264Parse]) at ../gst/videoparsers/gsth264parse.c:1282
#5  gst_h264_parse_handle_frame (parse=0x7f87080804f0 [GstH264Parse], frame=0x5572809c0800, skipsize=<optimized out>) at ../gst/videoparsers/gsth264parse.c:1326
#6  0x00007f88e148eee2 in gst_base_parse_handle_buffer (parse=parse@entry=0x7f87080804f0 [GstH264Parse], buffer=<optimized out>, skip=skip@entry=0x7f871dff9ee8, flushed=flushed@entry=0x7f871dff9eec) at ../libs/gst/base/gstbaseparse.c:2248
#7  0x00007f88e1494f82 in gst_base_parse_chain (pad=<optimized out>, parent=<optimized out>, buffer=<optimized out>) at ../libs/gst/base/gstbaseparse.c:3297
#8  0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f87340352f0 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#9  0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f8734035540 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#10 0x00007f88e13b4551 in gst_pad_push (pad=0x7f8734035540 [GstPad], buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#11 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f8734035790 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#12 0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f8708036a80 [GstProxyPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#13 0x00007f88e13b4551 in gst_pad_push (pad=pad@entry=0x7f8708036a80 [GstProxyPad], buffer=buffer@entry=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#14 0x00007f88e1396a43 in gst_proxy_pad_chain_default (pad=<optimized out>, parent=<optimized out>, buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstghostpad.c:127
#15 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f8734013b20 [GstGhostPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#16 0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f86e802a540 [GstProxyPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#17 0x00007f88e13b4551 in gst_pad_push (pad=pad@entry=0x7f86e802a540 [GstProxyPad], buffer=buffer@entry=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#18 0x00007f88e1396a43 in gst_proxy_pad_chain_default (pad=<optimized out>, parent=<optimized out>, buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstghostpad.c:127
#19 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f86e4015640 [GstGhostPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#20 0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f86e40158b0 [GstGhostPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#21 0x00007f88e13b4551 in gst_pad_push (pad=pad@entry=0x7f86e40158b0 [GstGhostPad], buffer=buffer@entry=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#22 0x00007f88e1396a43 in gst_proxy_pad_chain_default (pad=<optimized out>, parent=<optimized out>, buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstghostpad.c:127
#23 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f86e802aec0 [GstProxyPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#24 0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f86b4020630 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#25 0x00007f88e13b4551 in gst_pad_push (pad=0x7f86b4020630 [GstPad], buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#26 0x00007f88e13aa5f7 in gst_pad_chain_data_unchecked (pad=pad@entry=0x7f86b4020880 [GstPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4404
#27 0x00007f88e13acacc in gst_pad_push_data (pad=pad@entry=0x7f86cc1d65b0 [WebKitMediaSrcPad], type=type@entry=4112, data=data@entry=0x557280d4ca20) at ../gst/gstpad.c:4668
#28 0x00007f88e13b4551 in gst_pad_push (pad=0x7f86cc1d65b0 [WebKitMediaSrcPad], buffer=0x557280d4ca20 [GstBuffer]) at ../gst/gstpad.c:4787
#29 0x00007f88e53eb5e7 in webKitMediaSrcLoop(void*) (userData=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/WebCore/platform/graphics/gstreamer/mse/WebKitMediaSourceGStreamer.cpp:523
#30 0x00007f88e13e5c2c in gst_task_func (task=0x557280d5f050 [GstTask]) at ../gst/gsttask.c:384
#31 0x00007f88e406b6c5 in g_thread_pool_thread_proxy (data=<optimized out>) at ../glib/gthreadpool.c:354
#32 0x00007f88e406acf9 in g_thread_proxy (data=0x5572806b40c0) at ../glib/gthread.c:827
#33 0x00007f88e06173ba in start_thread (arg=0x7f871dffb640) at pthread_create.c:481
#34 0x00007f88e4580b03 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I'll attach a full backtrace and a GStreamer debug log.
Attachments
Full backtrace (13.76 KB, text/x-log)
2021-11-09 16:16 PST, Michael Catanzaro
GStreamer log (173.97 KB, text/x-log)
2021-11-09 16:29 PST, Michael Catanzaro
Michael Catanzaro
Comment 1 2021-11-09 16:16:03 PST
Created attachment 443748: Full backtrace
Michael Catanzaro
Comment 2 2021-11-09 16:19:27 PST
To take the GStreamer debug log, I copy/pasted this line from https://trac.webkit.org/wiki/WebKitGTK/Debugging#Debuggingmultimediastuff:

$ export GST_DEBUG="3,webkit*:6" GST_DEBUG_FILE="$HOME/gst.log" GST_DEBUG_NO_COLOR=1 WEBKIT_FORCE_SANDBOX=0

Then I realized it doesn't work because the log is being generated in the sandboxed home directory, so I decided to run using --filesystem=home:

$ flatpak run --filesystem=home org.gnome.Epiphany.Devel -p

Irritatingly, adding --filesystem=home somehow avoids the crash. O_O
Michael Catanzaro
Comment 3 2021-11-09 16:29:10 PST
Created attachment 443753: GStreamer log

I wound up writing the log under ~/.var/app/org.gnome.Epiphany.Devel/config in order to exfiltrate it from the sandbox without using --filesystem=home or -d, which for some reason causes the video to play properly. Note there are a bunch of FIXMEs at the bottom of the log immediately before the crash:

0:00:03.947285498   345 0x5616fd08f920 FIXME               decodebin3 gstdecodebin3.c:1422:handle_stream_collection:<decodebin3-0> New collection but already had one
...
0:00:03.947313491   345 0x5616fd08f920 DEBUG         webkitmediaplayer MediaPlayerPrivateGStreamer.cpp:1503:handleStreamCollectionMessage:<MSE-media-player-2> Ignoring redundant STREAM_COLLECTION from <decodebin3-0>
0:00:03.947339070   345 0x5616fd08f920 FIXME               decodebin3 gstdecodebin3.c:1103:update_requested_selection:<decodebin3-0> Implement EXPOSE_ALL_MODE
0:00:03.947365761   345 0x5616fd08f920 FIXME               decodebin3 gstdecodebin3.c:1156:update_requested_selection:<decodebin3-0> Replacing non-NULL requested_selection, what should we do ??
Philippe Normand
Comment 4 2021-11-13 07:16:22 PST
I can't reproduce this, but I think I see what the problem is...

1. In gst_h264_parse_pre_push_frame() a local buffer variable is set to the frame->out_buffer pointer
2. When gst_h264_parse_handle_sps_pps_nals() is called with that buffer, the frame->out_buffer pointer is updated (gst_buffer_replace() call) and now buffer is dangling
3. buffer pointer is accessed (un-modified) after the gst_h264_parse_handle_sps_pps_nals() BOOM

Can you cherry-pick this commit in your SDK? I think it might fix the problem. If so, I'll ask to have it in 1.18.6 if that ever happens.

https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0f084d46247f9009584b482cea8196b5b871cc73
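The three steps in comment 4 describe a use-after-free: the local keeps the address of a buffer whose last reference gst_buffer_replace() dropped, and gst_buffer_get_meta() then dereferences it. The following is an added illustration of that pattern, not code from this bug, from GStreamer or from the linked commit. It models GstBuffer with a toy refcounted struct whose "free" poisons the object instead of releasing memory, so the stale access is detectable deterministically; handle_sps_pps_nals() is a hypothetical stand-in for gst_h264_parse_handle_sps_pps_nals(), and the corrected variant simply re-reads frame->out_buffer after the call that may replace it (the obvious repair for the description above; the exact content of the upstream commit is not quoted on this page). The input bytes are constructed stubs, not real H.264 data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted buffer standing in for GstBuffer (not GStreamer's code).
 * Dropping the last reference sets `freed` instead of releasing memory, so a
 * dangling access is detected deterministically instead of being undefined
 * behaviour as it is against the real allocator. */
typedef struct { int refcount; bool freed; size_t size; unsigned char data[64]; } Buffer;

/* Stands in for the GstBaseParseFrame field that h264parse replaces. */
typedef struct { Buffer *out_buffer; } Frame;

static Buffer *buffer_new(const unsigned char *bytes, size_t len)
{
    Buffer *b = calloc(1, sizeof *b);
    if (!b || len > sizeof b->data) { free(b); return NULL; }
    b->refcount = 1;
    b->size = len;
    if (bytes) memcpy(b->data, bytes, len);
    return b;
}

static void buffer_unref(Buffer *b)
{
    if (--b->refcount == 0)
        b->freed = true;  /* real gst_buffer_unref() hands the memory back to the allocator */
}

/* Models gst_buffer_replace(): ref the new buffer, store it, unref the old one. */
static bool buffer_replace(Buffer **slot, Buffer *nbuf)
{
    Buffer *old = *slot;
    if (old == nbuf) return false;
    if (nbuf) nbuf->refcount++;
    *slot = nbuf;
    if (old) buffer_unref(old);
    return true;
}

/* Hypothetical stand-in for gst_h264_parse_handle_sps_pps_nals(): prepend the
 * parameter sets by building a new buffer and replacing frame->out_buffer.
 * A pointer the caller cached before this call now names a dead buffer. */
static void handle_sps_pps_nals(Frame *frame, const unsigned char *ps, size_t pslen)
{
    Buffer *old = frame->out_buffer;
    Buffer *nb = buffer_new(NULL, 0);
    if (!nb || pslen + old->size > sizeof nb->data) { free(nb); return; }
    memcpy(nb->data, ps, pslen);
    memcpy(nb->data + pslen, old->data, old->size);
    nb->size = pslen + old->size;
    buffer_replace(&frame->out_buffer, nb);
    buffer_unref(nb);  /* the frame now holds the only reference */
}

/* Models the crash site, gst_buffer_get_meta(), which dereferences the buffer. */
static bool touches_freed_buffer(const Buffer *b) { return b->freed; }

/* The pattern from comment 4: cache frame->out_buffer in a local, let the
 * callee replace it, then use the stale local. Returns true on use-after-free. */
static bool pre_push_frame_buggy(Frame *frame, const unsigned char *ps, size_t pslen)
{
    Buffer *buffer = frame->out_buffer;
    handle_sps_pps_nals(frame, ps, pslen);
    return touches_freed_buffer(buffer);
}

/* Corrected pattern: re-read frame->out_buffer after any call that may replace it.
 * Returns the size that would be pushed downstream, or 0 on use-after-free. */
static size_t pre_push_frame_fixed(Frame *frame, const unsigned char *ps, size_t pslen)
{
    Buffer *buffer = frame->out_buffer;
    handle_sps_pps_nals(frame, ps, pslen);
    buffer = frame->out_buffer;
    return touches_freed_buffer(buffer) ? 0 : buffer->size;
}

/* Runs both variants on constructed Annex B style stubs (not real H.264). Returns 1
 * when the buggy variant hit a dead buffer and the fixed one pushed SPS + slice
 * intact. The poisoned buffers are leaked on purpose so they stay readable. */
static int demo(void)
{
    static const unsigned char slice[] = { 0x00, 0x00, 0x00, 0x01, 0x65, 0x88 };
    static const unsigned char sps[]   = { 0x00, 0x00, 0x00, 0x01, 0x67, 0x42 };
    Frame f1 = { buffer_new(slice, sizeof slice) };
    Frame f2 = { buffer_new(slice, sizeof slice) };
    bool uaf = pre_push_frame_buggy(&f1, sps, sizeof sps);
    size_t pushed = pre_push_frame_fixed(&f2, sps, sizeof sps);
    free(f1.out_buffer);
    free(f2.out_buffer);
    return uaf && pushed == sizeof slice + sizeof sps;
}

int main(void)
{
    printf("stale local hit a freed buffer, re-read pointer did not: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Against a real allocator the same stale pointer reads whatever now occupies that chunk, so the symptom depends on heap state: a crash in gst_buffer_get_meta() when the memory has been unmapped or overwritten with garbage, silent misbehaviour when it has not. That is the usual reason an environment change such as the --filesystem=home switch in comment 2 can make this kind of fault disappear without the pointer being any less stale, and why a fix belongs in the parser rather than in whatever feeds it.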
Michael Catanzaro
Comment 5 2021-11-13 09:34:18 PST
(In reply to Philippe Normand from comment #4)
> Can you cherry-pick this commit in your SDK? I think it might fix the
> problem. If so, I'll ask to have it in 1.18.6 if that ever happens.
>
> https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0f084d46247f9009584b482cea8196b5b871cc73

Sure, I'll plan to add it to freedesktop-sdk, then update GNOME runtime to a newer freedesktop-sdk. It's still crashing 100% for me so I'll know whether it's fixed or not.
Philippe Normand
Comment 7 2022-04-10 10:38:44 PDT
> * Visit https://www.reddit.com/r/StLouis/comments/qqc4tk/explosions_rocked_a_home_in_belleville_this/ (probably any reddit video would suffice)
> * Try to play the video

Works fine in Ephy TP. Closing.
Radar WebKit Bug Importer
Comment 8 2022-04-10 10:39:17 PDT
Michael Catanzaro
Comment 9 2022-04-10 14:15:02 PDT