WebKit Bugzilla
REOPENED
260455
[GStreamer][MSE] Crash in webKitMediaSrcStreamFlush
https://bugs.webkit.org/show_bug.cgi?id=260455
Kdwk
Reported
2023-08-20 19:33:07 PDT
Created attachment 467354: gdb (bt full; c) output.txt
On Nvidia RTX 4070 (driver version 535)
1. Set WEBKIT_DMABUF_RENDERER_DISABLE_GBM=1
2. Set WEBKIT_GST_DMABUF_SINK_DISABLED=1
3. Visit apple.com/apple-watch-series-8
4. Crash
Attachments
gdb (bt full; c) output.txt (166.78 KB, text/plain), 2023-08-20 19:33 PDT, Kdwk
gdb (bt full; c) 2.txt (166.61 KB, text/plain), 2023-08-22 03:51 PDT, Kdwk
screenshot (230.60 KB, image/png), 2024-01-20 05:24 PST, Philippe Normand
gdb (MacBook; software decoding).txt (13.98 KB, text/plain), 2024-01-24 05:34 PST, Kdwk
Debug log (31.76 KB, text/x-log), 2024-01-25 18:10 PST, Michael Catanzaro
Debug (9.52 KB, application/x-xz), 2024-01-27 05:43 PST, Michael Catanzaro
region in the page where the crash happens (535.92 KB, image/png), 2024-03-20 06:46 PDT, Carlos Bentzen
gdb.txt (46.00 KB, text/plain), 2024-08-09 06:40 PDT, Kdwk
A back trace from MacBook Air landing page (183.40 KB, text/plain), 2024-12-31 14:54 PST, tri.voxel
Kdwk
Comment 1
2023-08-22 03:51:28 PDT
Created attachment 467384: gdb (bt full; c) 2.txt
Here's a similar one encountered on https://www.apple.com/apple-watch-ultra/
Michael Catanzaro
Comment 2
2023-09-21 06:14:17 PDT
*** Bug 260984 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 3
2023-09-21 06:15:24 PDT
*** Bug 261872 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 4
2023-09-21 06:16:23 PDT
This isn't an NVIDIA-related issue, because in my bug #260984 I hit the same crash with AMD graphics.
Kdwk
Comment 5
2023-09-21 06:18:41 PDT
This seems to be a regression. This website has always worked before this bug was reported and Apple didn't change the website design
Michael Catanzaro
Comment 6
2023-09-21 06:56:31 PDT
Are you able to reproduce the crash reliably? I'm not able to trigger it by visiting those apple.com websites.
Kdwk
Comment 7
2023-09-21 06:57:47 PDT
Yes I am able to trigger it reliably
Michael Catanzaro
Comment 8
2023-09-21 07:57:13 PDT
If you could figure out which WebKitGTK release it broke in, that would help. If you could bisect it, that would help even more (but if you're not familiar with building WebKit, this may not be easy).
Kdwk
Comment 9
2023-09-21 08:15:03 PDT
I do know how to build WebKit, but as I've said on the Matrix channel, all downloads from the Igalia repo fail so it's not convenient (I have to use system libraries in a toolbox), and the resultant MiniBrowser can't get GPU acceleration (I am unable to work around this issue). Beyond that, I also don't know how to use git bisect so instructions are welcome
Michael Catanzaro
Comment 10
2023-09-21 09:10:09 PDT
(In reply to Kdwk from comment #9)
> I do know how to build WebKit, but as I've said on the Matrix channel, all downloads from the Igalia repo fail so it's not convenient (I have to use system libraries in a toolbox),
System libraries in a toolbox is the way to go. That said, is there a bug report for the problem with the Igalia repo? We need to either fix it or change build-webkit to stop depending on it.
> and the resultant MiniBrowser can't get GPU acceleration (I am unable to work around this issue). Beyond that, I also don't know how to use git bisect so instructions are welcome
Is that GPU acceleration problem caused by toolbx, perhaps? I wonder if GPU acceleration is required for you to reproduce this bug reliably?
git bisect is really easy to use, if you have a regression you can confidently reproduce to determine whether a particular commit is bad or good. Example tutorial: https://stackoverflow.com/a/37306623/1120203
Michael Catanzaro
Comment 11
2023-10-22 05:52:20 PDT
*** Bug 263509 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 12
2023-12-16 06:42:24 PST
*** Bug 266535 has been marked as a duplicate of this bug. ***
Philippe Normand
Comment 13
2024-01-20 05:24:07 PST
Here with Canary and WEBKIT_GST_DMABUF_SINK_DISABLED=1 and va decoders ranked to 0 I get scrambled output.
Philippe Normand
Comment 14
2024-01-20 05:24:27 PST
Created attachment 469480: screenshot
Philippe Normand
Comment 15
2024-01-20 05:26:58 PST
With default dmabuf sink enabled and va decoders up-ranked, all is fine here... Anyway, is this crash in webKitMediaSrcStreamFlush still happening?
Kdwk
Comment 16
2024-01-22 07:43:23 PST
It is still reliably happening in WebKitGTK 2.42.4. The original pages no longer exist so here's another one: apple.com/apple-watch-ultra-2
Philippe Normand
Comment 17
2024-01-22 09:50:34 PST
I got a critical warning here in Ephy TP
Commit: 0e3a544be3ab1e038c36260379e91163f7f02a7d3eb8d62d3a4ae9ff3a91d626
Parent: b0d6f546c77add052c453376afa9afacb0f0ba77ce055b57bf7644015564c650
Subject: Export org.gnome.Epiphany.Devel
Date: 2024-01-21 05:07:56 +0000
(WebKitWebProcess:2): GStreamer-CRITICAL **: 17:44:13.183: gst_caps_remove_structure: assertion 'IS_WRITABLE (caps)' failed
(gdb) bt
#0 g_logv (log_domain=0x7f490fb229ae "GStreamer", log_level=G_LOG_LEVEL_CRITICAL, format=<optimized out>, args=args@entry=0x7f483bdd8fb0) at ../glib/gmessages.c:1277
#1 0x00007f490eec2233 in g_log (log_domain=<optimized out>, log_level=<optimized out>, format=<optimized out>) at ../glib/gmessages.c:1315
#2 0x00007f4843ea5f14 in gst_vp9_parse_negotiate (in_align=<optimized out>, in_caps=0x7f483000aae0 [GstCaps], self=0x559120b5b320 [GstVp9Parse|V0_parser]) at ../gst/videoparsers/gstvp9parse.c:299
#3 gst_vp9_parse_set_sink_caps (parse=0x559120b5b320 [GstVp9Parse|V0_parser], caps=<optimized out>) at ../gst/videoparsers/gstvp9parse.c:816
#4 0x00007f490fbaa7f8 in gst_base_parse_sink_event_default (parse=0x559120b5b320 [GstVp9Parse|V0_parser], event=0x7f4830007580 [GstEvent]) at ../libs/gst/base/gstbaseparse.c:1244
#5 0x00007f490fac466d in gst_pad_send_event_unchecked (pad=pad@entry=0x559120b4ded0 [GstPad|sink], event=event@entry=0x7f4830007580 [GstEvent], type=<optimized out>, type@entry=GST_PAD_PROBE_TYPE_EVENT_DOWNSTREAM) at ../gst/gstpad.c:5939
#6 0x00007f490fac4d53 in gst_pad_push_event_unchecked (pad=pad@entry=0x7f483000dde0 [GstPad|video_0], event=0x7f4830007580 [GstEvent], type=<optimized out>, type@entry=GST_PAD_PROBE_TYPE_EVENT_DOWNSTREAM) at ../gst/gstpad.c:5572
#7 0x00007f490fac5518 in push_sticky (pad=pad@entry=0x7f483000dde0 [GstPad|video_0], ev=ev@entry=0x7f483bdd9410, user_data=user_data@entry=0x7f483bdd9480) at ../gst/gstpad.c:4057
#8 0x00007f490fab9c85 in events_foreach (pad=0x7f483000dde0 [GstPad|video_0], func=0x7f490fac5470 <push_sticky>, user_data=0x7f483bdd9480) at ../gst/gstpad.c:613
#9 0x00007f490fac85f1 in check_sticky (event=0x7f483000baa0 [GstEvent], pad=0x7f483000dde0 [GstPad|video_0]) at ../gst/gstpad.c:4116
#10 gst_pad_push_event (pad=0x7f483000dde0 [GstPad|video_0], event=0x7f483000baa0 [GstEvent]) at ../gst/gstpad.c:5705
#11 0x00007f488c0d4a0e in gst_matroska_demux_send_tags (demux=demux@entry=0x559120b54320 [GstMatroskaDemux|matroskademux0]) at ../gst/matroska/matroska-demux.c:1993
#12 0x00007f488c0dfef1 in gst_matroska_demux_parse_id (demux=0x559120b54320 [GstMatroskaDemux|matroskademux0], id=<optimized out>, length=<optimized out>, needed=6) at ../gst/matroska/matroska-demux.c:5655
#13 0x00007f488c0e7df4 in gst_matroska_demux_chain (pad=pad@entry=0x559120b54920 [GstPad|sink], parent=parent@entry=0x559120b54320 [GstMatroskaDemux|matroskademux0], buffer=<optimized out>, buffer@entry=0x5591209dbf30 [GstBuffer]) at ../gst/matroska/matroska-demux.c:6202
#14 0x00007f490fac2eec in gst_pad_chain_data_unchecked (pad=pad@entry=0x559120b54920 [GstPad|sink], type=type@entry=4112, data=data@entry=0x5591209dbf30) at ../gst/gstpad.c:4463
#15 0x00007f490fac628e in gst_pad_push_data (pad=pad@entry=0x559120b59800 [GstPad|src], type=type@entry=4112, data=data@entry=0x5591209dbf30) at ../gst/gstpad.c:4739
#16 0x00007f490fac68c4 in gst_pad_push (pad=0x559120b59800 [GstPad|src], buffer=0x5591209dbf30 [GstBuffer]) at ../gst/gstpad.c:4858
#17 0x00007f490fbbda5c in gst_base_transform_chain (pad=pad@entry=0x559120b56520 [GstPad|sink], parent=parent@entry=0x559120b56110 [GstIdentity|identity0], buffer=buffer@entry=0x5591209dbf30 [GstBuffer]) at ../libs/gst/base/gstbasetransform.c:2391
#18 0x00007f490fac2eec in gst_pad_chain_data_unchecked (pad=pad@entry=0x559120b56520 [GstPad|sink], type=type@entry=4112, data=data@entry=0x5591209dbf30) at ../gst/gstpad.c:4463
#19 0x00007f490fac628e in gst_pad_push_data (pad=pad@entry=0x559120b56aa0 [GstPad|src], type=type@entry=4112, data=data@entry=0x5591209dbf30) at ../gst/gstpad.c:4739
#20 0x00007f490fac68c4 in gst_pad_push (pad=pad@entry=0x559120b56aa0 [GstPad|src], buffer=0x5591209dbf30 [GstBuffer]) at ../gst/gstpad.c:4858
#21 0x00007f490fbc1efb in gst_base_src_loop (pad=0x559120b56aa0 [GstPad|src]) at ../libs/gst/base/gstbasesrc.c:3035
#22 0x00007f490faf3204 in gst_task_func (task=0x559120b5ae00 [GstTask|appsrc0:src]) at ../gst/gsttask.c:384
#23 0x00007f490eee92c2 in g_thread_pool_thread_proxy (data=<optimized out>) at ../glib/gthreadpool.c:336
#24 0x00007f490eee86c9 in g_thread_proxy (data=0x7f48fc0019d0) at ../glib/gthread.c:821
#25 0x00007f49132a1e39 in start_thread (arg=<optimized out>) at pthread_create.c:444
#26 0x00007f4913329904 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100
Philippe Normand
Comment 18
2024-01-22 09:56:34 PST
Apart from that, unable to reproduce the issue (but I'm on Intel and AMD).
Kdwk
Comment 19
2024-01-24 04:19:38 PST
I am able to reproduce this on non-Nvidia hardware. On my MacBook, visiting apple.com/apple-watch-ultra-2 with software decoding and scrolling all the way down crashes the WebProcess.
Philippe Normand
Comment 20
2024-01-24 04:33:30 PST
(In reply to Kdwk from comment #19)
> I am able to reproduce this on non-Nvidia hardware. On my MacBook, visiting apple.com/apple-watch-ultra-2 with software decoding and scrolling all the way down crashes the WebProcess.
Can you share the backtrace?
The one I shared earlier results from a warning, so it shouldn't trigger crashes, unless you set this env var G_DEBUG=fatal-criticals
Philippe Normand
Comment 21
2024-01-24 04:38:39 PST
(In reply to Philippe Normand from comment #17)
> I got a critical warning here in Ephy TP
>
> (WebKitWebProcess:2): GStreamer-CRITICAL **: 17:44:13.183: gst_caps_remove_structure: assertion 'IS_WRITABLE (caps)' failed
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5975
Kdwk
Comment 22
2024-01-24 05:34:58 PST
Created attachment 469531: gdb (MacBook; software decoding).txt
(In reply to Philippe Normand from comment #20)
> (In reply to Kdwk from comment #19)
> > I am able to reproduce this on non-Nvidia hardware. On my MacBook, visiting apple.com/apple-watch-ultra-2 with software decoding and scrolling all the way down crashes the WebProcess.
>
> Can you share the backtrace?
>
> The one I shared earlier results from a warning, so it shouldn't trigger crashes, unless you set this env var G_DEBUG=fatal-criticals
Philippe Normand
Comment 23
2024-01-24 06:01:32 PST
Can you collect gst logs? Do you remember how?
Michael Catanzaro
Comment 24
2024-01-25 18:06:58 PST
I haven't been able to reproduce the crash on apple.com, but I hit this crash 100% of the time in Ephy Tech Preview (WebKitGTK 2.43.3, GStreamer 1.22.5) when loading https://www.newsweek.com/missouri-republican-senators-duel-nick-schroer-1863838 and scrolling down the page. Backtrace is basically the same as what I posted in bug #260984.
I will attach a gst.log following the instructions https://trac.webkit.org/wiki/WebKitGTK/Debugging#Debuggingmultimediastuff. We should really move all the instructions you care about to https://docs.webkit.org/ so we can have some updated link to point to instructions.
Michael Catanzaro
Comment 25
2024-01-25 18:10:55 PST
Created attachment 469550: Debug log
BTW, since streamByName may return nullptr, I suggest webKitMediaSrcFlush should either handle that case or assert that it returns non-null.
Philippe Normand
Comment 26
2024-01-27 02:55:44 PST
That log looks incomplete. I can't reproduce this issue here in Ephy TP.
Philippe Normand
Comment 27
2024-01-27 03:46:55 PST
(In reply to Michael Catanzaro from comment #24)
> I will attach a gst.log following the instructions https://trac.webkit.org/wiki/WebKitGTK/Debugging#Debuggingmultimediastuff. We should really move all the instructions you care about to https://docs.webkit.org/ so we can have some updated link to point to instructions.
https://github.com/WebKit/Documentation/pull/78
Michael Catanzaro
Comment 28
2024-01-27 05:43:06 PST
(In reply to Philippe Normand from comment #26)
> That log looks incomplete.
I reproduced the issue today and got a second log. It looks the same as the first. That's really all there is before the crash occurs. I'll attach my second debug log and the dots requested by your new documentation.
Michael Catanzaro
Comment 29
2024-01-27 05:43:17 PST
Created attachment 469566: Debug
Michael Catanzaro
Comment 30
2024-01-27 05:44:23 PST
BTW to reproduce in Tech Preview, just keep scrolling up and down the page. It seems to crash about 70% of the time, not the 100% that I claimed earlier. If it refuses to crash, then I press Ctrl+R and try again and it will probably crash.
Philippe Normand
Comment 31
2024-01-27 08:07:38 PST
I can reproduce the crash now, for the record, you need to start playing the video (auto play doesn't kick in here) and scroll down until the player moves to PiP state, then scroll up until it goes back to non-PiP state, and scroll down again and so on... So it seems the MSE src element tears down its streams and later on a seek triggers a flush on the same src element... One of the issues is that m_hasAllTracks in MediaSourcePrivateGStreamer doesn't seem to be set back to false after the streams have been removed...
Carlos Bentzen
Comment 32
2024-03-20 06:46:59 PDT
Created attachment 470445: region in the page where the crash happens
I can reproduce the crash when scrolling down on https://apple.com/apple-watch-ultra-2 until it hits this area where the watch side view is a video element that is played and seeked as you scroll through it (you may need to scroll past it and return).
Bisected it down to https://commits.webkit.org/265206@main.
Before the user agent quirk, the video element played this MP4 file, without MSE: https://www.apple.com/105/media/us/apple-watch-ultra-2/2023/4d9e62e1-fe94-4bb9-abbe-0b8c9626a304/anim/schematic_rotation-2/large.mp4
After the user agent quirk, it now plays this WebM file instead, that has alpha channel signaled in the WebM container, and it's played via MSE: https://www.apple.com/105/media/us/apple-watch-ultra-2/2023/4d9e62e1-fe94-4bb9-abbe-0b8c9626a304/anim/schematic_rotation-2/large.webm
(In reply to Michael Catanzaro from comment #25)
> Created attachment 469550 [details]
> Debug log
>
> BTW, since streamByName may return nullptr, I suggest webKitMediaSrcFlush should either handle that case or assert that it returns non-null.
Indeed. Though checking for a null Stream pointer and bailing early doesn't seem sufficient, as it does fix the crash in webKitMediaSrcFlush, but then the video element is broken, not displaying anything. I'm investing this further.
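The lifecycle discussed in comments 25, 31 and 32, as a simplified model added here; it is not WebKit source and not the patch that later landed. `MediaSrcModel`, `FlushResult`, `removeAllStreams` and `flushAfterTeardown` are hypothetical names; only `streamByName` and `m_hasAllTracks` are mentioned in the thread, and their real signatures are not shown on this page.

```cpp
// Added illustration: simplified model, not WebKit source. Names are hypothetical
// except streamByName and m_hasAllTracks, which are mentioned in the thread.
#include <map>
#include <memory>
#include <string>

struct Stream {
    int flushCount = 0;
};

enum class FlushResult { Flushed, NoSuchStream, Deferred };

class MediaSrcModel {
public:
    // false models the stale flag from comment 31; true models a flag reset on teardown.
    explicit MediaSrcModel(bool resetFlagOnTeardown)
        : m_resetFlagOnTeardown(resetFlagOnTeardown) { }

    void addStream(const std::string& name)
    {
        m_streams[name] = std::make_unique<Stream>();
        m_hasAllTracks = true;
    }

    void removeAllStreams()
    {
        m_streams.clear();
        if (m_resetFlagOnTeardown)
            m_hasAllTracks = false;
    }

    // Returns nullptr for a stream that was never added or was already removed.
    Stream* streamByName(const std::string& name) const
    {
        auto it = m_streams.find(name);
        return it == m_streams.end() ? nullptr : it->second.get();
    }

    FlushResult flush(const std::string& name)
    {
        if (!m_hasAllTracks)
            return FlushResult::Deferred; // Owner knows there is nothing to flush yet.
        Stream* stream = streamByName(name);
        if (!stream)
            return FlushResult::NoSuchStream; // Unchecked code would dereference nullptr here.
        ++stream->flushCount;
        return FlushResult::Flushed;
    }

private:
    std::map<std::string, std::unique_ptr<Stream>> m_streams;
    bool m_hasAllTracks = false;
    bool m_resetFlagOnTeardown;
};

// Replays the order of events from the thread: add, flush, tear down, flush again.
FlushResult flushAfterTeardown(bool resetFlagOnTeardown)
{
    MediaSrcModel src(resetFlagOnTeardown);
    src.addStream("video_0");
    src.flush("video_0");
    src.removeAllStreams();
    return src.flush("video_0");
}
```

In this model the null check alone turns the crash into `NoSuchStream` while the owner still believes its tracks exist; resetting the flag on teardown lets the flush be recognised as premature instead.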
Carlos Bentzen
Comment 33
2024-03-20 07:18:09 PDT
(In reply to Carlos Bentzen from comment #32)
> I'm investing this further.
investigating*, obviously.
Michael Catanzaro
Comment 34
2024-03-20 07:48:48 PDT
(In reply to Carlos Bentzen from comment #32)
> Bisected it down to https://commits.webkit.org/265206@main.
Good job!
Michael Catanzaro
Comment 35
2024-03-20 09:34:23 PDT
Found another reproducer for this crash. Try to play this video on nbcnews.com:
https://www.nbcnews.com/news/us-news/toddler-dies-pinned-tire-uber-suv-dropped-houston-rcna144187
Michael Catanzaro
Comment 36
2024-03-20 09:35:47 PDT
(Um, although maybe I should have picked a different video for bug report purposes. Presumably that one contains disturbing content if it doesn't trigger the crash.)
Philippe Normand
Comment 37
2024-03-20 10:05:25 PDT
(In reply to Michael Catanzaro from comment #34)
> (In reply to Carlos Bentzen from comment #32)
> > Bisected it down to https://commits.webkit.org/265206@main.
>
> Good job!
Well, I'm not sure this can be flagged as regression, unless we update the bug title again to be specific to Apple website.
Carlos Bentzen
Comment 38
2024-03-21 03:52:10 PDT
(In reply to Philippe Normand from comment #37)
> (In reply to Michael Catanzaro from comment #34)
> > (In reply to Carlos Bentzen from comment #32)
> > > Bisected it down to https://commits.webkit.org/265206@main.
> >
> > Good job!
>
> Well, I'm not sure this can be flagged as regression, unless we update the bug title again to be specific to Apple website.
Yeah, we get different content served with the user-agent quirk, but the new content seems valid on Firefox and Chrome, so the GStreamer MSE code is the one broken IMO, and was broken before already. Had the same page been served with WebM + MSE before r265206, it would also crash (I checked with the test below).
Reduced the test case down to https://people.igalia.com/cadubentzen/webkit/bug260455. Scrolling past the video area and back, I get a crash reliably. (the video area is blank in webkitgtk, it doesn't play).
In https://people.igalia.com/cadubentzen/webkit/bug260455_2, on the other hand, the video plays and I get no crash anymore. The only difference is the web page starts with the video in the viewport.
Philippe pointed out to me that we have a setting via the environment variable WEBKIT_GST_ALLOW_PLAYBACK_OF_INVISIBLE_VIDEOS. Setting that to 1, the video plays and I get no crashes, so it's definitely related.
Continuing to investigate...
Carlos Bentzen
Comment 39
2024-03-26 14:04:11 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/26472
EWS
Comment 40
2024-03-28 13:26:13 PDT
Committed 276798@main (f91aeb92bd8e): <https://commits.webkit.org/276798@main>
Reviewed commits have been landed. Closing PR #26472 and removing active labels.
Michael Catanzaro
Comment 41
2024-05-17 12:48:20 PDT
Reopened Bugzilla. Causes excessive CPU usage of cached web process and web process failure to render web content after cache restore, tracking revert in https://bugs.webkit.org/show_bug.cgi?id=274329.
Michael Catanzaro
Comment 42
2024-05-17 12:52:55 PDT
I wound up using bug #274261 to track the revert. This will need a second try, sorry. :(
Michael Catanzaro
Comment 43
2024-05-17 12:56:53 PDT
Fortunately it looks like this was not backported to 2.44 since nobody requested it.
Philippe Normand
Comment 44
2024-05-18 02:34:33 PDT
(In reply to Michael Catanzaro from comment #43)
> Fortunately it looks like this was not backported to 2.44 since nobody requested it.
It was backported to 2.44. See https://github.com/WebKit/WebKit/commit/30ad9a720e6b12a6c958fcef0d7dd3f52da485bd
Michael Catanzaro
Comment 45
2024-05-18 06:26:37 PDT
OK, will revert there too. I must have gotten very confused when I checked for the backport....
Michael Catanzaro
Comment 46
2024-05-31 06:20:03 PDT
Found yet another reproducer: visit https://www.msnbc.com/opinion/msnbc-opinion/trump-hush-money-verdict-biden-campaign-reaction-rcna154560 and just scroll down the page
Kdwk
Comment 47
2024-08-09 06:40:27 PDT
Created attachment 472096: gdb.txt
I have hit this again on one of Apple's product pages. It seems this bug is crashing a lot of websites
Jeff Fortin
Comment 48
2024-08-24 06:24:24 PDT
*** Bug 278569 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 49
2024-08-29 11:09:21 PDT
Hit this just now on
https://www.nbcnews.com/nbc-out/out-news/probe-closed-owners-pulse-nightclub-49-died-mass-shooting-rcna168778
Philippe Normand
Comment 50
2024-08-29 11:29:48 PDT
I think by now, we do know how to reproduce this.
Philippe Normand
Comment 51
2024-10-30 08:23:07 PDT
http/tests/media/media-source/mediasource-rvfc.html is affected by this ASSERT.
Philippe Normand
Comment 52
2024-12-31 03:09:31 PST
*** Bug 270733 has been marked as a duplicate of this bug. ***
tri.voxel
Comment 53
2024-12-31 14:54:28 PST
Created attachment 473732: A back trace from MacBook Air landing page
Encountered this issue just opening the webpage. Has been an issue for at least a year for me consistently. https://apple.com/macbook-air
Michael Catanzaro
Comment 54
2025-01-06 19:46:26 PST
*** Bug 285390 has been marked as a duplicate of this bug. ***