WebKit Bugzilla
Bug 303365 - REGRESSION(303317@main): [GStreamer] Crash in VideoFrame::copyTo()
RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=303365
Claudio Saavedra
Reported
2025-12-01 22:36:48 PST
Thread 1 (Thread 0x7fc46ffff6c0 (LWP 623839)):
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007fc75f43327e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007fc75f4168ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007fc75bf8590d in std::__glibcxx_assert_fail(char const*, int, char const*, char const*) () at /lib/x86_64-linux-gnu/libstdc++.so.6
#6 0x00007fc766334d0f in WebCore::copyPlane(std::span<unsigned char, 18446744073709551615ul>&, std::span<unsigned char, 18446744073709551615ul> const&, unsigned long, WebCore::ComputedPlaneLayout const&) () at /home/buildbot-worker/WPE-Linux-64-bit-Release-Build/build/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#7 0x00007fc766346503 in WebCore::VideoFrame::copyTo(std::span<unsigned char, 18446744073709551615ul>, WebCore::VideoPixelFormat, WTF::Vector<WebCore::ComputedPlaneLayout, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, WTF::CompletionHandler<void (std::optional<WTF::Vector<WebCore::PlaneLayout, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)>&&) () at /home/buildbot-worker/WPE-Linux-64-bit-Release-Build/build/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#8 0x00007fc764f97f2d in WebCore::WebCodecsVideoFrame::copyTo(WebCore::BufferSource&&, WebCore::WebCodecsVideoFrame::CopyToOptions&&, WebCore::DOMPromiseDeferred<WebCore::IDLSequence<WebCore::IDLDictionary<WebCore::PlaneLayout> > >&&) () at /home/buildbot-worker/WPE-Linux-64-bit-Release-Build/build/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#9 0x00007fc764937cf2 in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyTo(JSC::JSGlobalObject*, JSC::CallFrame*) () at /home/buildbot-worker/WPE-Linux-64-bit-Release-Build/build/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#10 0x00007fc70b20d778 in ??? ()
#11 0x00007fc46fffdfc0 in ??? ()
#12 0x00007fc70b314abb in ??? ()
#13 0x0000000000000000 in ??? ()

This started happening after https://commits.webkit.org/303317@main

Tests reproducing this:
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.html?h264_annexb
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.html?h264_avc
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.worker.html?h264_annexb
imported/w3c/web-platform-tests/webcodecs/video-encoder-rescaling.https.any.worker.html?h264_avc
Claudio Saavedra
Comment 1
2025-12-02 01:30:37 PST
Gardened in https://commits.webkit.org/303742@main
Philippe Normand
Comment 2
2025-12-02 03:21:53 PST
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f51666dc493 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89
#2 0x00007f516668218e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f51666696d0 in __GI_abort () at abort.c:77
#4 0x00007f5166987084 in std::__glibcxx_assert_fail (file=<optimized out>, line=<optimized out>, function=<optimized out>, condition=<optimized out>) at ../../../../../libstdc++-v3/src/c++11/assert_fail.cc:41
#5 0x00007f51785bd184 in std::span<unsigned char, 18446744073709551615ul>::subspan (this=0x7ffd66846ab8, __offset=8192, __count=64) at /usr/bin/../lib/gcc/x86_64-redhat-linux/15/../../../../include/c++/15/span:456
#6 0x00007f5180ebffb0 in WebCore::copyPlane (destination=std::span of length 9216 = {...}, source=std::span of length 8192 = {...}, sourceStride=128, spanPlaneLayout=...) at ./Source/WebCore/platform/graphics/gstreamer/VideoFrameGStreamer.cpp:521
#7 0x00007f5180ebf927 in WebCore::VideoFrame::copyTo (this=0x7f51580a3700, destination=std::span of length 9216 = {...}, pixelFormat=WebCore::VideoPixelFormat::I420, computedPlaneLayout=..., callback=...) at ./Source/WebCore/platform/graphics/gstreamer/VideoFrameGStreamer.cpp:576
#8 0x00007f517e110129 in WebCore::WebCodecsVideoFrame::copyTo (this=0x7f51582639c0, source=..., options=..., promise=...) at ./Source/WebCore/Modules/webcodecs/WebCodecsVideoFrame.cpp:514
#9 0x00007f517cf9c8bf in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebCodecsVideoFrame*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)::{lambda()#1}::operator()() const (this=0x7ffd66847258) at ./WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSWebCodecsVideoFrame.cpp:836
#10 0x00007f517cf9c831 in WebCore::toJS<WebCore::IDLPromise<WebCore::IDLSequence<WebCore::IDLDictionary<WebCore::PlaneLayout> > >, WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebCodecsVideoFrame*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)::{lambda()#1}>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebCodecsVideoFrame*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)::{lambda()#1}&&) (lexicalGlobalObject=..., globalObject=..., throwScope=..., valueOrFunctor=...) at ./WebKitBuild/GTK/Debug/WebCore/PrivateHeaders/WebCore/JSDOMConvertBase.h:220
#11 0x00007f517cf9c4c5 in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody (lexicalGlobalObject=0x7f5156166088, callFrame=0x7ffd66847590, castedThis=0x7f51566d8460, promise=...) at ./WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSWebCodecsVideoFrame.cpp:836
#12 0x00007f517cf9cb41 in WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::{lambda(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)#1}::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&) const (this=0x7ffd66847510, lexicalGlobalObject=..., callFrame=..., promise=...) at ./Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:54
#13 0x00007f517cf9c6b0 in WebCore::callPromiseFunction<WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::{lambda(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)#1}>(JSC::JSGlobalObject&, JSC::CallFrame&, WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::{lambda(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise> >&&)#1}) (lexicalGlobalObject=..., callFrame=..., functor=...) at ./WebKitBuild/GTK/Debug/WebCore/PrivateHeaders/WebCore/JSDOMPromiseDeferred.h:392
#14 0x00007f517cf9c22d in WebCore::IDLOperationReturningPromise<WebCore::JSWebCodecsVideoFrame>::call<&WebCore::jsWebCodecsVideoFramePrototypeFunction_copyToBody, (WebCore::CastedThisErrorBehavior)2> (lexicalGlobalObject=..., callFrame=..., operationName=0x7f51761cfc7d <.L__FUNCTION__._ZN7WebCore20PlatformRawAudioData6copyToESt4spanIhLm18446744073709551615EENS_17AudioSampleFormatEmSt8optionalImES5_m> "copyTo") at ./Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:41
#15 0x00007f517cf9aa74 in WebCore::jsWebCodecsVideoFramePrototypeFunction_copyTo (lexicalGlobalObject=0x7f5156166088, callFrame=0x7ffd66847590) at ./WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSWebCodecsVideoFrame.cpp:841
#16 0x00007f5115e0c038 in ??? ()
#17 0x00007ffd66847650 in ??? ()
#18 0x00007f5115e92f28 in ??? ()
#19 0x0000000000000000 in ??? ()
(gdb) f 6
#6 0x00007f5180ebffb0 in WebCore::copyPlane (destination=std::span of length 9216 = {...}, source=std::span of length 8192 = {...}, sourceStride=128, spanPlaneLayout=...) at ./Source/WebCore/platform/graphics/gstreamer/VideoFrameGStreamer.cpp:521
521 memcpySpan(destination.subspan(destinationOffset, rowBytes), source.subspan(sourceOffset, rowBytes));
(gdb) p sourceOffset
$1 = 8192
(gdb) p rowBytes
$2 = 64
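Added example, not part of the bug report and not WebKit's fix: in the gdb session above, subspan() is asked for 64 bytes at offset 8192 of a source span of length 8192, which is what trips the libstdc++ assertion. The code below checks a row-by-row plane copy against both buffers before touching memory and rejects the layout instead of aborting; PlaneCopyLayout, rangeFits, checkedCopyPlane and tryTraceCopy are hypothetical names, and the row count and destination stride are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical layout for this example; not WebKit's ComputedPlaneLayout.
struct PlaneCopyLayout {
    size_t destinationOffset; // start of the plane in the destination buffer
    size_t destinationStride; // bytes between destination rows
    size_t rowBytes;          // bytes copied per row
    size_t rows;              // rows to copy
};

// True when [offset, offset + count) lies inside a buffer of `size` bytes.
static bool rangeFits(size_t size, size_t offset, size_t count) { return offset <= size && count <= size - offset; }

// Validates the last row against both buffers before copying anything.
bool checkedCopyPlane(std::vector<uint8_t>& dst, const std::vector<uint8_t>& src, size_t sourceStride, const PlaneCopyLayout& l) {
    if (!l.rows || !l.rowBytes)
        return true;
    if (l.rowBytes > sourceStride || l.rowBytes > l.destinationStride)
        return false; // rows would overlap; also guarantees non-zero strides
    size_t last = l.rows - 1;
    if (l.destinationOffset > dst.size() || last > SIZE_MAX / sourceStride
        || last > (SIZE_MAX - l.destinationOffset) / l.destinationStride)
        return false; // offset arithmetic would overflow
    if (!rangeFits(src.size(), last * sourceStride, l.rowBytes)
        || !rangeFits(dst.size(), l.destinationOffset + last * l.destinationStride, l.rowBytes))
        return false;
    for (size_t row = 0; row < l.rows; ++row)
        std::memcpy(dst.data() + l.destinationOffset + row * l.destinationStride, src.data() + row * sourceStride, l.rowBytes);
    return true;
}

// Buffer sizes, sourceStride and rowBytes are the values gdb printed; the rest is constructed.
// Returns the number of destination bytes written, or -1 if the copy was rejected.
long tryTraceCopy(size_t rows) {
    std::vector<uint8_t> src(8192, 0xAB), dst(9216, 0);
    if (!checkedCopyPlane(dst, src, 128, PlaneCopyLayout { 0, 64, 64, rows }))
        return -1;
    long written = 0;
    for (uint8_t byte : dst)
        written += byte == 0xAB;
    return written;
}

int main() {
    std::printf("64 rows: %ld, 65 rows: %ld\n", tryTraceCopy(64), tryTraceCopy(65));
}
```

With a 128-byte source stride the 8192-byte source holds 64 rows, so a 65th row starts at offset 8192, the value gdb printed for sourceOffset.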
Philippe Normand
Comment 3
2025-12-02 08:23:26 PST
Pull request: https://github.com/WebKit/WebKit/pull/54703
EWS
Comment 4
2025-12-03 00:42:51 PST
Committed 303818@main (27ef0d75f0e4): <https://commits.webkit.org/303818@main>

Reviewed commits have been landed. Closing PR #54703 and removing active labels.