RESOLVED FIXED 250477
REGRESSION(256018@main): [WPE][GTK] Crash in WebCore::AVIFImageReader::parseHeader, deep in dav1d
https://bugs.webkit.org/show_bug.cgi?id=250477
Michael Catanzaro
Reported 2023-01-11 14:42:31 PST
Created attachment 464458 [details]
Full backtrace

Reproducer: visit https://www.kmov.com/2023/01/11/legal-documents-claim-racism-retaliation-st-louis-circuit-attorneys-office-circuit-attorney-kim-gardner/ in Ephy Tech Preview, the web process will crash 100% of the time.

The crash is deep in dav1d, so presumably it is a bug there. I found the issue tracker here: https://code.videolan.org/videolan/dav1d/-/issues. But I'm not very motivated to create an account there to report one bug, so I decided to do it here instead, and point the dav1d developers to it here. They can create their own issue if desired.

For us on WebKit Bugzilla, all we have to do is decide whether to live with the crash or disable the AVIF support. I think we should tolerate it if fixed quickly, and disable AVIF support by reverting 256018@main otherwise.

This is with dav1d 1.0.0 from freedesktop-sdk 22.08.5, build rules here: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/362fe115679a444c19c75ff2da330c57d57ef245/elements/components/dav1d.bst

CC: Myles only for interest, since the same issue may or may not exist in PAL's copy of dav1d (that is NOT used here).
#0 0x00007f629d0be3a2 in dav1d_msac_decode_symbol_adapt16_avx2 () at /usr/lib/x86_64-linux-gnu/libdav1d.so.6
#1 0x00007f629d1f312c in decode_sb (t=t@entry=0x55de6ecf27c0, bl=bl@entry=BL_64X64, node=<optimized out>) at ../src/decode.c:2334
#2 0x00007f629d1f488a in dav1d_decode_tile_sbrow (t=0x55de6ecf27c0) at ../src/decode.c:2889
#3 0x00007f629d200d33 in dav1d_decode_frame_main (f=0x55de6ecf1260) at ../src/decode.c:3383
#4 dav1d_decode_frame (f=0x55de6ecf1260) at ../src/decode.c:3458
#5 dav1d_submit_frame (c=<optimized out>) at ../src/decode.c:3838
#6 0x00007f629d2016fa in dav1d_parse_obus (c=<optimized out>, in=<optimized out>, global=<optimized out>) at ../src/obu.c:1626
#7 0x00007f629d1d6a03 in gen_picture (c=c@entry=0x55de6ecdb680) at ../src/lib.c:425
#8 0x00007f629d1ddf9f in dav1d_send_data (c=0x55de6ecdb680, in=in@entry=0x7fff34da8130) at ../src/lib.c:455
#9 0x00007f62a19769a8 in dav1dCodecGetNextImage (codec=0x55de6eaa6c00, decoder=<optimized out>, sample=0x55de6ec25950, alpha=0, isLimitedRangeAlpha=0x7fff34da8334, image=0x55de6ea5c5b0) at /usr/lib/debug/source/sdk/libavif.bst/src/codec_dav1d.c:93
#10 0x00007f62a1967a08 in avifDecoderDecodeTiles (decoder=decoder@entry=0x55de6ec66510, nextImageIndex=nextImageIndex@entry=0, firstTileIndex=firstTileIndex@entry=0, tileCount=<optimized out>, decodedTileCount=<optimized out>) at /usr/lib/debug/source/sdk/libavif.bst/src/read.c:3853
#11 0x00007f62a196d52d in avifDecoderNextImage (decoder=0x55de6ec66510) at /usr/lib/debug/source/sdk/libavif.bst/src/read.c:3936
#12 0x00007f62a470deb6 in WebCore::AVIFImageReader::parseHeader(WebCore::SharedBuffer const&, bool) (this=this@entry=0x7f60df9df9c0, data=<optimized out>, allDataReceived=allDataReceived@entry=true) at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#13 0x00007f62a470dc41 in WebCore::AVIFImageDecoder::tryDecodeSize(bool) (this=0x7f60df9d85e0, allDataReceived=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#14 0x00007f62a470ce61 in WebCore::ScalableImageDecoder::setData(WebCore::FragmentedSharedBuffer const&, bool) (this=0x7f60df9d85e0, data=<optimized out>, allDataReceived=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:83
#15 0x00007f62a5f11ff0 in WebCore::BitmapImage::destroyDecodedData(bool) (this=0x7f629910c400, destroyAll=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#16 0x00007f62a458d7c7 in WebKit::NetworkProcessConnection::didCacheResource(WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&) (this=<optimized out>, request=..., handle=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:304
#17 0x00007f62a40034f4 in _ZZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES2_FvRKN7WebCore15ResourceRequestERKNS1_17ShareableResource6HandleEESt5tupleIJS4_S8_EEEEvPT_MT0_T1_OT2_ENKUlDpOT_E_clIJS4_S8_EEEDaSN_ (__closure=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:133
#18 _ZSt13__invoke_implIvZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_S9_EESF_St14__invoke_otherOSH_DpOT1_ (__f=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:61
#19 _ZSt8__invokeIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_S9_EENSt15__invoke_resultISF_JDpT0_EE4typeEOSF_DpOSR_ (__fn=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:96
#20 _ZSt12__apply_implIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_SE_JLm0ELm1EEEDcOSF_OSH_St16integer_sequenceImJXspT1_EEE (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1852
#21 _ZSt5applyIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_SE_EDcOSF_OSH_ (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1863
#22 IPC::callMemberFunction<WebKit::NetworkProcessConnection, WebKit::NetworkProcessConnection, void (WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&), std::tuple<WebCore::ResourceRequest, WebKit::ShareableResource::Handle> >(WebKit::NetworkProcessConnection*, void (WebKit::NetworkProcessConnection::*)(WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&), std::tuple<WebCore::ResourceRequest, WebKit::ShareableResource::Handle>&&) (tuple=..., function=<optimized out>, object=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:131
#23 IPC::handleMessage<Messages::NetworkProcessConnection::DidCacheResource, WebKit::NetworkProcessConnection, WebKit::NetworkProcessConnection, void (WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&)>(IPC::Connection&, IPC::Decoder&, WebKit::NetworkProcessConnection*, void (WebKit::NetworkProcessConnection::*)(WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&)) (decoder=..., object=object@entry=0x7f6299014240, function=<optimized out>, connection=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:227
#24 0x00007f62a4003f64 in WebKit::NetworkProcessConnection::didReceiveNetworkProcessConnectionMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f6299014240, connection=<optimized out>, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/NetworkProcessConnectionMessageReceiver.cpp:71
#25 0x00007f62a41ffe0a in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f62990284e0, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1241
#26 0x00007f62a42018da in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f62990284e0) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
#27 0x00007f62a2e6c3e5 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:79
#28 WTF::RunLoop::performWork() (this=0x7f62990100e0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147
#29 0x00007f62a2ecdc8d in operator() (userData=<optimized out>, __closure=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#30 _FUN(gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#31 0x00007f62a2ece70d in operator() (__closure=0x0, userData=0x7f62990100e0, callback=0x7f62a2ecdc80 <_FUN(gpointer)>, source=0x55de6e3297b0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#32 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#33 0x00007f629fb66301 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3454
#34 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4172
#35 0x00007f629fb66858 in g_main_context_iterate (context=0x55de6e2e7b40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4248
#36 0x00007f629fb66b3f in g_main_loop_run (loop=0x55de6e2e1710) at ../glib/gmain.c:4448
#37 0x00007f62a2ece870 in WTF::RunLoop::run() () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#38 0x00007f62a466501f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argc=3, argv=0x7fff34da8be8, this=0x7fff34da8a50) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:71
#39 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argv=0x7fff34da8be8, argc=3, this=0x7fff34da8a50) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:58
#40 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=3, argv=0x7fff34da8be8) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:97
#41 0x00007f62a342954a in __libc_start_call_main (main=main@entry=0x55de6c686060 <main>, argc=argc@entry=3, argv=argv@entry=0x7fff34da8be8) at ../sysdeps/nptl/libc_start_call_main.h:58
#42 0x00007f62a342960b in __libc_start_main_impl (main=0x55de6c686060 <main>, argc=3, argv=0x7fff34da8be8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:389
#43 0x000055de6c686095 in _start ()

Full backtrace attached.
Attachments
Full backtrace (38.03 KB, text/plain)
2023-01-11 14:42 PST, Michael Catanzaro
no flags
Michael Catanzaro
Comment 1 2023-01-11 15:23:32 PST
Dump of assembler code for function dav1d_msac_decode_symbol_adapt16_avx2:
   0x00007f1160373360 <+0>:   lea 0x14acb9(%rip),%rax # 0x7f11604be020
   0x00007f1160373367 <+7>:   vpbroadcastw 0x18(%rdi),%ymm2
   0x00007f116037336d <+13>:  vmovdqa (%rsi),%ymm0
   0x00007f1160373371 <+17>:  vpbroadcastw 0x16(%rdi),%ymm3
   0x00007f1160373377 <+23>:  vbroadcasti128 (%rax),%ymm4
   0x00007f116037337c <+28>:  mov 0x20(%rdi),%ecx
   0x00007f116037337f <+31>:  mov %edx,%r8d
   0x00007f1160373382 <+34>:  not %rdx
   0x00007f1160373385 <+37>:  vpsrlw $0x6,%ymm0,%ymm1
   0x00007f116037338a <+42>:  vmovd %xmm2,-0x3c(%rsp)
   0x00007f1160373390 <+48>:  vpand %ymm4,%ymm2,%ymm2
   0x00007f1160373394 <+52>:  vpsllw $0x7,%ymm1,%ymm1
   0x00007f1160373399 <+57>:  vpmulhuw %ymm2,%ymm1,%ymm1
   0x00007f116037339d <+61>:  vpaddw (%rax,%rdx,2),%ymm1,%ymm1
=> 0x00007f11603733a2 <+66>:  vmovdqa %ymm1,-0x38(%rsp)
   0x00007f11603733a8 <+72>:  vpmaxuw %ymm3,%ymm1,%ymm1
   0x00007f11603733ad <+77>:  vpcmpeqw %ymm3,%ymm1,%ymm1
   0x00007f11603733b1 <+81>:  vpmovmskb %ymm1,%eax
   0x00007f11603733b5 <+85>:  test %ecx,%ecx
   0x00007f11603733b7 <+87>:  je 0x7f11603733ef <dav1d_msac_decode_symbol_adapt16_avx2.renorm>
   0x00007f11603733b9 <+89>:  movzwl (%rsi,%r8,2),%ecx
   0x00007f11603733be <+94>:  vpcmpeqw %ymm2,%ymm2,%ymm2
   0x00007f11603733c2 <+98>:  lea 0x50(%rcx),%edx
   0x00007f11603733c5 <+101>: shr $0x4,%edx
   0x00007f11603733c8 <+104>: cmp $0x20,%ecx
   0x00007f11603733cb <+107>: adc $0x0,%ecx
   0x00007f11603733ce <+110>: vmovd %edx,%xmm3
   0x00007f11603733d2 <+114>: vpavgw %ymm1,%ymm2,%ymm2
   0x00007f11603733d6 <+118>: vpsubw %ymm0,%ymm2,%ymm2
   0x00007f11603733da <+122>: vpsubw %ymm1,%ymm0,%ymm0
   0x00007f11603733de <+126>: vpsraw %xmm3,%ymm2,%ymm2
   0x00007f11603733e2 <+130>: vpaddw %ymm2,%ymm0,%ymm0
   0x00007f11603733e6 <+134>: vmovdqa %ymm0,(%rsi)
   0x00007f11603733ea <+138>: mov %cx,(%rsi,%r8,2)
End of assembler dump.
Michael Catanzaro
Comment 2 2023-01-11 15:24:46 PST
(gdb) info registers
rax            0x7f11604be020      139712606756896
rbx            0x1                 1
rcx            0x1                 1
rdx            0xfffffffffffffff6  -10
rsi            0x564572901760      94856274777952
rdi            0x564572904800      94856274790400
rbp            0x7ffc4c68cbc0      0x7ffc4c68cbc0
rsp            0x7ffc4c68cb48      0x7ffc4c68cb48
r8             0x9                 9
r9             0xc8                200
r10            0x564572904b50      94856274791248
r11            0x72                114
r12            0x8                 8
r13            0x5645728fb550      94856274752848
r14            0x7f10f3f24040      139710788943936
r15            0x5645728feea0      94856274767520
rip            0x7f11603733a2      0x7f11603733a2 <dav1d_msac_decode_symbol_adapt16_avx2+66>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
Michael Catanzaro
Comment 3 2023-01-11 16:16:27 PST
I discussed this with the dav1d developers and we think LTO is breaking the required 32-bit stack alignment (known issue with clang, but possibly happening with GCC too?). freedesktop-sdk enables LTO only for projects that use Meson.
Michael Catanzaro
Comment 5 2023-01-13 08:58:44 PST
(In reply to Michael Catanzaro from comment #3)
> I discussed this with the dav1d developers and we think LTO is breaking the
> required 32-bit stack alignment (known issue with clang, but possibly
> happening with GCC too?). freedesktop-sdk enables LTO only for projects that
> use Meson.

This was the problem. Fixed by disabling LTO.
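As an added triage check, not part of the bug report or of dav1d, the script below takes the faulting instruction and the stack pointer quoted in comments 1 and 2 and compares the store's effective address with the alignment that an aligned vector move demands: a 256-bit `vmovdqa` to an address that is only 16-byte aligned raises a general-protection fault, which the process sees as SIGSEGV, so this is the signature a stack-alignment problem like the LTO one in comment 3 leaves behind. The helper names and the operand parsing are my own; the register values and instruction text are copied from the report.

```python
import re

# Constructed from the gdb output quoted in comments 1 and 2 of this bug:
# the instruction at rip and two register values at the time of the crash.
FAULTING_INSN = "vmovdqa %ymm1,-0x38(%rsp)"
REGISTERS = {"rsp": 0x7ffc4c68cb48, "rsi": 0x564572901760}

# An "aligned" vector move faults (#GP, delivered as SIGSEGV) unless its
# memory operand is aligned to the full operand width.
REGISTER_WIDTH = {"xmm": 16, "ymm": 32, "zmm": 64}
ALIGNED_MOVES = {"movdqa", "vmovdqa", "movaps", "vmovaps", "movapd", "vmovapd"}

MEM_OPERAND = re.compile(r"(-?0x[0-9a-f]+|-?\d+)?\((%\w+)\)")


def effective_address(operand, regs):
    """Resolve a simple AT&T-syntax disp(%base) operand against a register dump."""
    m = MEM_OPERAND.search(operand)
    if not m:
        raise ValueError(f"not a disp(%base) operand: {operand}")
    disp = int(m.group(1), 0) if m.group(1) else 0
    base = m.group(2).lstrip("%")
    return (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF


def check_aligned_move(insn, regs):
    """Return (address, required_alignment, actual_alignment, ok) for one move."""
    mnemonic, operands = insn.split(None, 1)
    if mnemonic not in ALIGNED_MOVES:
        raise ValueError(f"{mnemonic} does not require an aligned operand")
    # Operand width comes from the vector register named in the instruction.
    width_reg = re.search(r"%([xyz]mm)\d+", operands).group(1)
    required = REGISTER_WIDTH[width_reg]
    mem = next(op for op in operands.split(",") if "(" in op)
    addr = effective_address(mem, regs)
    actual = min(addr & -addr, 64) if addr else 64  # largest power of two dividing addr
    return addr, required, actual, addr % required == 0


def caller_rsp_at_call(rsp_at_fault, bytes_pushed=0):
    """Undo the call's return-address push (plus any pushes since) to recover the
    caller's stack pointer; the disassembly shows no pushes before offset +66."""
    return rsp_at_fault + 8 + bytes_pushed


if __name__ == "__main__":
    addr, need, have, ok = check_aligned_move(FAULTING_INSN, REGISTERS)
    print(f"store to {addr:#x}: needs {need}-byte alignment, has {have}: {'ok' if ok else 'FAULT'}")
    caller = caller_rsp_at_call(REGISTERS["rsp"])
    print(f"caller rsp at the call: {caller:#x}, which is {caller % 32} mod 32")
```

The earlier `vmovdqa (%rsi),%ymm0` load at +13 passes the same check with the quoted rsi, which is why execution reached the stack store before faulting.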
Michael Catanzaro
Comment 6 2023-01-13 09:42:48 PST