RESOLVED FIXED 299529
[GStreamer] _gst_util_uint64_scale_int: assertion "num >= 0" failed
https://bugs.webkit.org/show_bug.cgi?id=299529
Michael Catanzaro
Reported 2025-09-25 08:02:34 PDT
I saw this fatal-criticals crash when viewing an image on imgur.com using Epiphany Tech Preview with WebKitGTK 2.50.0. Unfortunately I was unable to figure out how to reproduce it.

#0 _g_log_abort (breakpoint=<optimized out>) at ../glib/gmessages.c:430
#1 g_logv (log_domain=0x7f2a054b49f7 "GStreamer", log_level=G_LOG_LEVEL_CRITICAL, format=<optimized out>, args=args@entry=0x7ffe78245e90) at ../glib/gmessages.c:1291
#2 0x00007f2a0470f7e3 in g_log (log_domain=log_domain@entry=0x7f2a054b49f7 "GStreamer", log_level=log_level@entry=G_LOG_LEVEL_CRITICAL, format=format@entry=0x7f2a0476e360 "%s: assertion '%s' failed") at ../glib/gmessages.c:1333
#3 0x00007f2a0471016d in g_return_if_fail_warning (log_domain=log_domain@entry=0x7f2a054b49f7 "GStreamer", pretty_function=pretty_function@entry=0x7f2a054e44b0 <__func__.59> "_gst_util_uint64_scale_int", expression=expression@entry=0x7f2a054c0401 "num >= 0") at ../glib/gmessages.c:3162
#4 0x00007f2a0548f6b2 in _gst_util_uint64_scale_int (val=<optimized out>, num=<optimized out>, denom=<optimized out>, correct=0) at ../gst/gstutils.c:726
#5 gst_util_uint64_scale_int (val=<optimized out>, num=<optimized out>, denom=<optimized out>) at ../gst/gstutils.c:775
#6 0x00007f2a0c3bbbe8 in WebCore::MediaPlayerPrivateGStreamer::updateVideoSizeAndOrientationFromCaps (this=0x7f290e32a070, caps=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:3785
#7 0x00007f2a0c3c6420 in WebCore::MediaPlayerPrivateGStreamer::triggerRepaint(WTF::GRefPtr<_GstSample, WTF::GRefPtrDefaultRefDerefTraits<_GstSample> >&&)::$_0::operator()() const (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:3881
#8 WTF::Detail::CallableWrapper<WebCore::MediaPlayerPrivateGStreamer::triggerRepaint(WTF::GRefPtr<_GstSample, WTF::GRefPtrDefaultRefDerefTraits<_GstSample> >&&)::$_0, void>::call (this=<optimized out>) at WTF/Headers/wtf/Function.h:53
#9 0x00007f2a08a823a5 in WTF::Function<void()>::operator() (this=0x7ffe78246070) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82
#10 WTF::RunLoop::performWork (this=0x7f29e7008180) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:148

Full backtrace is attached.
Attachments
Full backtrace (8.55 KB, text/plain)
2025-09-25 08:03 PDT, Michael Catanzaro
Michael Catanzaro
Comment 1 2025-09-25 08:03:04 PDT
Created attachment 476855: Full backtrace
Philippe Normand
Comment 2 2025-09-26 02:42:39 PDT
#6 0x00007f2a0c3bbbe8 in WebCore::MediaPlayerPrivateGStreamer::updateVideoSizeAndOrientationFromCaps (this=0x7f290e32a070, caps=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:3785
    pixelAspectRatioNumerator = 7201628
    pixelAspectRatioDenominator = 7170075
    stride = 0
    frameRate = 30
    format = GST_VIDEO_FORMAT_DMA_DRM
    colorSpace = {primaries = std::optional = {[contained value] = WebCore::PlatformVideoColorPrimaries::Bt709}, transfer = std::optional = {[contained value] = WebCore::PlatformVideoTransferCharacteristics::Bt709}, matrix = std::optional = {[contained value] = WebCore::PlatformVideoMatrixCoefficients::Bt709}, fullRange = std::optional = {[contained value] = false}}
    pad = {m_ptr = 0x559009ac6430 [GstGhostPad|sink]}
    tagsEvent = {m_ptr = 0x7f270400c790 [GstEvent]}
    orientation = <optimized out>
    originalSize = {m_width = 330, m_height = <optimized out>}
    scopeExit = {m_exitFunction = {this = 0x7f290e32a070}, m_executeOnDestruction = true}
    displayWidth = -479607514
    displayHeight = 351333675
    displayAspectRatioGCD = <optimized out>
    width = 0
    height = 0

Well, the negative displayWidth is clearly suspicious :) Too bad the m_height originalSize isn't reported... Maybe a unit-test could be written using these values.
Cristina Murillo
Comment 3 2025-10-14 08:06:12 PDT
The calculation for the displayWidth overflows. The displayWidth is a signed integer calculated by multiplying the width with the pixel-aspect-ratio numerator. The pixelAspectRatioNumerator in the trace is 7201628, causing an overflow and, therefore, the negative value in the display width. The negative value is passed to the function _gst_util_uint64_scale_int, causing the assertion.
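
The overflow described in comment 3, reproduced with the values from the trace, as an added example that is not part of the original thread and is not the WebKit fix. `wrappedMul32`, `gcd64` and `displayAspectRatio` are hypothetical names, and the height of 196 is an assumption (the trace shows it as optimized out), chosen because it reproduces the traced displayHeight once both products are divided by their GCD.

```cpp
#include <cstdint>
#include <cstdio>

// 32-bit signed multiply as it wraps on two's-complement hardware. Computed through
// uint32_t so this demonstration does not itself rely on undefined behaviour.
int32_t wrappedMul32(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) * static_cast<uint32_t>(b));
}

int64_t gcd64(int64_t a, int64_t b)
{
    while (b) { int64_t t = a % b; a = b; b = t; }
    return a < 0 ? -a : a;
}

struct Ratio { int64_t num; int64_t den; };

// Hypothetical hardened helper: validate inputs, multiply in 64 bits, reduce, and
// refuse results that would not fit a non-negative 32-bit scale argument.
bool displayAspectRatio(int32_t width, int32_t height, int32_t parNum, int32_t parDen, Ratio& out)
{
    if (width <= 0 || height <= 0 || parNum <= 0 || parDen <= 0)
        return false;
    int64_t w = static_cast<int64_t>(width) * parNum; // cannot overflow: below 2^62
    int64_t h = static_cast<int64_t>(height) * parDen;
    int64_t g = gcd64(w, h);
    w /= g;
    h /= g;
    if (w > INT32_MAX || h > INT32_MAX)
        return false;
    out.num = w;
    out.den = h;
    return true;
}

int main()
{
    // Width and PAR come from the trace; height 196 is an assumption (see lead-in).
    const int32_t width = 330, height = 196, parNum = 7201628, parDen = 7170075;
    int32_t badW = wrappedMul32(width, parNum), badH = wrappedMul32(height, parDen);
    int64_t g = gcd64(badW, badH);
    std::printf("32-bit: %d / %d\n", static_cast<int>(badW / g), static_cast<int>(badH / g));
    Ratio r;
    if (displayAspectRatio(width, height, parNum, parDen, r))
        std::printf("64-bit: %lld / %lld\n", static_cast<long long>(r.num), static_cast<long long>(r.den));
    return 0;
}
```

The 32-bit path yields the negative displayWidth seen in the trace, which is what trips the `num >= 0` assertion; the 64-bit path reduces the same inputs to a small positive ratio.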
Cristina Murillo
Comment 4 2025-10-14 08:29:28 PDT
EWS
Comment 5 2025-10-18 02:10:13 PDT
Committed 301767@main (2a29f6f8ced1): <https://commits.webkit.org/301767@main>

Reviewed commits have been landed. Closing PR #52302 and removing active labels.
Radar WebKit Bug Importer
Comment 6 2025-10-18 02:11:14 PDT