WebKit Bugzilla
RESOLVED FIXED
259280
[GStreamer] UI process crash in MediaPlayerPrivateGStreamer::codecForStreamId
https://bugs.webkit.org/show_bug.cgi?id=259280
Michael Catanzaro
Reported
2023-07-17 11:07:23 PDT
I hit this UI process crash randomly on the homepage of youtube.com. Notice the scary this=0x0 in frame 3 indicating we're calling methods of a destroyed MediaPlayerPrivateGStreamer:

(gdb) bt full
#0 WTF::HashTable<WTF::String, WTF::KeyValuePair<WTF::String, WTF::String>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WTF::String> >, WTF::DefaultHash<WTF::String>, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::String> >::contains<WTF::IdentityHashTranslator<WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::DefaultHash<WTF::String> >, WTF::String>(WTF::String const&) const (this=0x3c8, key=<optimized out>) at WTF/Headers/wtf/HashTable.h:1039
#1 WTF::HashTable<WTF::String, WTF::KeyValuePair<WTF::String, WTF::String>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WTF::String> >, WTF::DefaultHash<WTF::String>, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::String> >::contains(WTF::String const&) const (this=0x3c8, key=<optimized out>) at WTF/Headers/wtf/HashTable.h:489
#2 WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>::contains(WTF::String const&) const (this=0x3c8, key=<optimized out>) at WTF/Headers/wtf/HashMap.h:323
#3 WebCore::MediaPlayerPrivateGStreamer::codecForStreamId(WTF::String const&) (this=0x0, streamId="6bd23d7859548e56dbfcc7e408694057/001:001") at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:4443
#4 0x00007ff9ceaf1797 in WebCore::AudioTrackPrivateGStreamer::capsChanged(WTF::String const&, WTF::GRefPtr<_GstCaps> const&) (this=0x7ff9b2437600, streamId="6bd23d7859548e56dbfcc7e408694057/001:001", caps=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/gstreamer/AudioTrackPrivateGStreamer.cpp:86
        codec = Python Exception <class 'gdb.MemoryError'>: Cannot access memory at address 0x3
#5 0x00007ff9ceb23b66 in WebCore::TrackPrivateBaseGStreamer::setPad(WTF::GRefPtr<_GstPad>&&)::$_0::operator()(_GstPad*, _GstPadProbeInfo*, WebCore::TrackPrivateBaseGStreamer*) const::{lambda()#1}::operator()() const (this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/gstreamer/TrackPrivateBaseGStreamer.cpp:136
        caps = <optimized out>
#6 WTF::Detail::CallableWrapper<WebCore::TrackPrivateBaseGStreamer::setPad(WTF::GRefPtr<_GstPad>&&)::$_0::operator()(_GstPad*, _GstPadProbeInfo*, WebCore::TrackPrivateBaseGStreamer*) const::{lambda()#1}, void>::call() (this=<optimized out>) at WTF/Headers/wtf/Function.h:53
#7 0x00007ff9cbab59fb in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82
        function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7ff7f6a14100}}
        didSuspendFunctions = false
#8 WTF::RunLoop::performWork() (this=0x7ff9b20100e0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147
        function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7ff7f6a14100}}
        didSuspendFunctions = false
#9 0x00007ff9cbb149dd in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const (userData=0x7ffe5b402888, userData@entry=0x7ff9b20100e0, this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#10 WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (userData=0x7ffe5b402888) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:79
#11 0x00007ff9cbb13de1 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const (source=0x564246804eb0, callback=0x7ff9cbb149d0 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7ff9b20100e0, this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
        name = 0x5642467bd7b0 "[WebKit] RunLoop work"
        runLoopSource = @0x564246804eb0: {source = {callback_data = 0x5642467e6da0, callback_funcs = 0x7ff9c85882e0 <g_source_callback_funcs>, source_funcs = 0x7ff9cbfb53d0 <WTF::RunLoop::s_runLoopSourceFunctions>, ref_count = 3, context = 0x5642467c4ab0, priority = 100, flags = 35, source_id = 2, poll_fds = 0x0, prev = 0x0, next = 0x564246962c30, name--Type <RET> for more, q to quit, c to continue without paging--c = 0x5642467bd7b0 "[WebKit] RunLoop work", priv = 0x56424678b740}, runLoop = 0x7ff9b20100e0}
        returnValue = <optimized out>
#12 WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) (source=0x564246804eb0, callback=0x7ff9cbb149d0 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7ff9b20100e0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#13 0x00007ff9c849ba47 in g_main_dispatch (context=context@entry=0x5642467c4ab0) at ../glib/gmain.c:3476
        dispatch = 0x7ff9cbb13d90 <WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*)>
        prev_source = 0x0
        begin_time_nsec = 16422526645309
        was_in_call = 0
        user_data = 0x7ff9b20100e0
        callback = 0x7ff9cbb149d0 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>
        cb_funcs = 0x7ff9c85882e0 <g_source_callback_funcs>
        cb_data = 0x5642467e6da0
        need_destroy = <optimized out>
        source = 0x564246804eb0
        current = 0x5642467d6b60
        i = 0
        __func__ = "g_main_dispatch"
#14 0x00007ff9c849db57 in g_main_context_dispatch_unlocked (context=0x5642467c4ab0) at ../glib/gmain.c:4286
        max_priority = 100
        timeout = 0
        some_ready = 1
        nfds = 11
        allocated_nfds = <optimized out>
        fds = 0x56424708fa40
        begin_time_nsec = 16422526614170
#15 g_main_context_iterate_unlocked (context=0x5642467c4ab0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4351
        max_priority = 100
        timeout = 0
        some_ready = 1
        nfds = 11
        allocated_nfds = <optimized out>
        fds = 0x56424708fa40
        begin_time_nsec = 16422526614170
#16 0x00007ff9c849e567 in g_main_loop_run (loop=0x564246804e00) at ../glib/gmain.c:4553
        __func__ = "g_main_loop_run"
#17 0x00007ff9cbb143b1 in WTF::RunLoop::run() () at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
        runLoop = @0x7ff9b20100e0: {<WTF::SerialFunctionDispatcher> = {<WTF::FunctionDispatcher> = {_vptr$FunctionDispatcher = 0x7ff9cbfa5d68 <vtable for WTF::RunLoop+16>}, <No data fields>}, <WTF::ThreadSafeRefCounted<WTF::RunLoop, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = std::atomic<unsigned int> = { 417 }}, <No data fields>}, m_currentIteration = {m_start = 4, m_end = 5, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void ()>, WTF::FastMalloc>> = {m_buffer = 0x7ff9b2a74e80, m_capacity = 16, m_size = 0}, <No data fields>}}, m_nextIterationLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = std::atomic<unsigned char> = { 0 '\000' }}}, m_nextIteration = {m_start = 0, m_end = 2, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void ()>, WTF::FastMalloc>> = {m_buffer = 0x7ff7e6d70980, m_capacity = 16, m_size = 0}, <No data fields>}}, m_isFunctionDispatchSuspended = false, m_hasSuspendedFunctions = false, static s_runLoopSourceFunctions = {prepare = 0x0, check = 0x0, dispatch = 0x7ff9cbb13d90 <WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*)>, finalize = 0x0, closure_callback = 0x0, closure_marshal = 0x0}, m_mainContext = {m_ptr = 0x5642467c4ab0}, m_mainLoops = WTF::Vector of length 1, capacity 16 = {{m_ptr = 0x564246804e00}}, m_source = {m_ptr = 0x564246804eb0}, m_observers = {m_set = {m_impl = {static smallMaxLoadNumerator = 3, static smallMaxLoadDenominator = 4, static largeMaxLoadNumerator = 1, static largeMaxLoadDenominator = 2, static maxSmallTableCapacity = 1024, static minLoad = 6, static tableSizeOffset = -1, static tableSizeMaskOffset = -2, static keyCountOffset = -3, static deletedCountOffset = -4, static metadataSize = 16, {m_table = 0x0, m_tableForLLDB = 0x0}}}, m_operationCountSinceLastCleanup = 0}}
        mainContext = 0x5642467c4ab0
        innermostLoop = 0x564246804e00
        nestedMainLoop = <optimized out>
#18 0x00007ff9cd255857 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (this=0x7ffe5b402b40, argc=3, argv=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:72
        auxiliaryMain = {m_storage = {__data = "p\276B\320\371\177", '\000' <repeats 26 times>, "\017\005\000\000\000\000\000\000\001\000\000\000\000\000\000\000r", '\000' <repeats 22 times>, __align = {<No data fields>}}}
#19 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=3, argv=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:98
        auxiliaryMain = {m_storage = {__data = "p\276B\320\371\177", '\000' <repeats 26 times>, "\017\005\000\000\000\000\000\000\001\000\000\000\000\000\000\000r", '\000' <repeats 22 times>, __align = {<No data fields>}}}
#20 0x00007ff9cc23bb8a in __libc_start_call_main (main=main@entry=0x56424607e150 <main(int, char**)>, argc=argc@entry=3, argv=argv@entry=0x7ffe5b402cd8) at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140730429353176, -5724701081780959803, 3, 0, 140710921564160, 94842642763168, -5724701081766279739, -5727760185627982395}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7ffe5b402cd0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}}
        not_first_call = <optimized out>
#21 0x00007ff9cc23bc4b in __libc_start_main_impl (main=0x56424607e150 <main(int, char**)>, argc=3, argv=0x7ffe5b402cd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe5b402cc8) at ../csu/libc-start.c:360
#22 0x000056424607e085 in _start () at ../sysdeps/x86_64/start.S:115
Michael Catanzaro
Comment 1
2023-07-17 11:08:38 PDT
This is with WebKitGTK 2.41.6
Philippe Normand
Comment 2
2023-07-18 07:44:59 PDT
In frame 4 m_player is a WeakPtr so it should be checked, oops.
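The check Comment 2 calls for, as an added example that is not WebKit's code or the patch from the pull request: std::weak_ptr stands in for WTF::WeakPtr, and Player, AudioTrack, RunLoop, Result and runScenario are simplified hypothetical stand-ins named after the frames in the backtrace. A task queued on the run loop executes after the player has been destroyed, and the checked capsChanged returns early instead of calling through a null pointer.

```cpp
// Added example: std::weak_ptr stands in for WTF::WeakPtr; all bodies are hypothetical.
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Player {
    std::map<std::string, std::string> codecs;
    std::string codecForStreamId(const std::string& id) const {
        auto it = codecs.find(id);
        return it == codecs.end() ? std::string() : it->second;
    }
};

struct AudioTrack {
    std::weak_ptr<Player> player; // non-owning, like m_player in frame 4
    std::string codec;
    // Promote the weak reference first; skipping this test is the this=0x0 call of frame 3.
    bool capsChanged(const std::string& id) {
        std::shared_ptr<Player> strong = player.lock();
        if (!strong) return false; // player already destroyed, nothing to query
        codec = strong->codecForStreamId(id);
        return true;
    }
};

// Minimal stand-in for RunLoop: tasks are queued now and run later.
struct RunLoop {
    std::vector<std::function<void()>> tasks;
    void dispatch(std::function<void()> f) { tasks.push_back(f); }
    void performWork() { for (auto& f : tasks) f(); tasks.clear(); }
};

struct Result { bool handledAlive; bool handledDead; std::string codec; };

Result runScenario() {
    RunLoop loop;
    auto player = std::make_shared<Player>();
    player->codecs["001:001"] = "opus"; // constructed sample stream id and codec
    AudioTrack track; track.player = player;
    Result r { false, true, "" };
    loop.dispatch([&] { r.handledAlive = track.capsChanged("001:001"); });
    loop.performWork();
    loop.dispatch([&] { r.handledDead = track.capsChanged("001:001"); });
    player.reset(); // player destroyed before the queued task runs
    loop.performWork();
    r.codec = track.codec;
    return r;
}
```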
Philippe Normand
Comment 3
2023-07-18 08:05:40 PDT
Pull request: https://github.com/WebKit/WebKit/pull/15906
EWS
Comment 4
2023-07-18 10:02:52 PDT
Committed 266132@main (b6f626b07c72): <https://commits.webkit.org/266132@main>

Reviewed commits have been landed. Closing PR #15906 and removing active labels.
Radar WebKit Bug Importer
Comment 5
2023-07-18 10:03:25 PDT
<rdar://problem/112477332>