WebKit Bugzilla
RESOLVED FIXED
309739
[GStreamer] AddressSanitizer SEGV in WebCore::configureVideoDecoderForHarnessing
https://bugs.webkit.org/show_bug.cgi?id=309739
Felipe Erias
Reported
2026-03-11 18:30:58 PDT
Created attachment 478642
Command output

Version: WPE WebKit version 2.50.5.

Setup:

    git checkout wpewebkit-2.50.5
    Tools/Scripts/set-webkit-configuration --wpe --asan --release
    Tools/Scripts/build-webkit --wpe --release

Test file:

    <!DOCTYPE html>
    <html>
    <body>
    <script>
    var decoder = new VideoDecoder({
        output: function(frame) { frame.close(); },
        error: function(e) {},
    });
    decoder.configure({codec: 'vp8', codedWidth: 320, codedHeight: 240});
    </script>
    </body>
    </html>

Command:

    WebKitBuild/WPE/Release/bin/MiniBrowser --headless test_webcodecs_videodecoder.html

Result:

> ...
> SUMMARY: AddressSanitizer: SEGV (/home/felipe/WebKit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1+0x1ecac395) (BuildId: 291eb88f6c779b00) in WebCore::configureVideoDecoderForHarnessing(WTF::GRefPtr<_GstElement, WTF::GRefPtrDefaultRefDerefTraits<_GstElement> > const&)
Attachments
Command output (4.50 KB, text/plain), 2026-03-11 18:30 PDT, Felipe Erias, no flags
Test file (267 bytes, text/html), 2026-03-11 18:57 PDT, Felipe Erias, no flags
gst log GST_DEBUG="3,webkit*:9" (42.20 KB, text/plain), 2026-03-13 05:45 PDT, Felipe Erias, no flags
Felipe Erias
Comment 1
2026-03-11 18:57:38 PDT
Created attachment 478645
Test file
Felipe Erias
Comment 2
2026-03-11 19:25:20 PDT
As far as I could see, the crash seems to come from WebCore::GStreamerVideoDecoder::create(). The code validates that a VP8 decoder is available but instantiating that decoder fails and returns NULL, which is not checked.

In VideoDecoderGStreamer.cpp, around line 111:

    if (!lookupResult) {
        GST_WARNING("No decoder found for codec %s", codecName.utf8().data());
        callback(makeUnexpected(makeString("No decoder found for codec "_s, codecName)));
        return;
    }

    GRefPtr<GstElement> element = gst_element_factory_create(lookupResult.factory.get(), nullptr);

I don't know the real-world impact of this bug, as it might only happen in this particular test environment (ASan, headless, etc.). Nevertheless, if gst_element_factory_create() may return NULL then the code should check for that.
Philippe Normand
Comment 3
2026-03-12 01:32:56 PDT
Can you provide a gst log please? GST_DEBUG="3,webkit*:9"
Philippe Normand
Comment 4
2026-03-12 02:27:12 PDT
> Nevertheless, if gst_element_factory_create() may return NULL then the code should check for that.
Sure, but if you reached this code it means GStreamerRegistryScanner::isCodecSupported() should have found an element factory for vp8, so there's something odd going on.
Philippe Normand
Comment 5
2026-03-12 02:31:41 PDT
Here I have this:

0:00:01.629353038 4164095 4164095 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:371:hasElementForCaps: Lookup result for video decoder matching caps video/x-vp8 : isSupported=true, isUsingHardware=false, factory=<vp8dec>
0:00:01.631498689 4164095 4164095 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:371:hasElementForCaps: Lookup result for video encoder matching caps video/x-vp8 : isSupported=true, isUsingHardware=false, factory=<vp8enc>
0:00:01.632150484 4164095 4164095 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:407:refresh: Hardware decoder codec pattern registered: vp8
0:00:01.632210716 4164095 4164095 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:407:refresh: Hardware decoder codec pattern registered: vp8.0
0:00:01.632377819 4164095 4164095 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:407:refresh: Hardware decoder codec pattern registered: x-vp8
0:00:01.632489620 4164095 4164095 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:411:refresh: Hardware encoder codec pattern registered: vp8.0
0:00:01.632578636 4164095 4164095 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:411:refresh: Hardware encoder codec pattern registered: x-vp8
0:00:01.632594398 4164095 4164095 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:411:refresh: Hardware encoder codec pattern registered: vp8
0:00:01.632697874 4164095 4164095 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:819:isCodecSupported: Checked hardware decoding codec "vp8" supported false
0:00:01.632707669 4164095 4164095 DEBUG webkitvideodecoder VideoDecoderGStreamer.cpp:106:create: No hardware decoder found for codec vp8, falling back to software
0:00:01.632715709 4164095 4164095 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:819:isCodecSupported: Checked software decoding codec "vp8" supported true
0:00:01.634216139 4164095 4164095 DEBUG webkitvideodecoder VideoDecoderGStreamer.cpp:170:GStreamerInternalVideoDecoder:<vp8dec0> Configuring decoder for codec vp8
0:00:01.635793443 4164095 4164095 DEBUG webkitelementharness GStreamerElementHarness.cpp:147:GStreamerElementHarness:<vp8dec0> Expecting output buffers on static src pad.
0:00:01.636536919 4164095 4164095 TRACE webkitelementharness GStreamerElementHarness.cpp:454:srcEvent:<vp8dec0> Got event on src pad: reconfigure event: 0x36bcab90, time 99:99:99.999999999, seq-num 4, (NULL)
0:00:01.637021904 4164095 4164224 DEBUG webkitvideodecoder VideoDecoderGStreamer.cpp:127:operator():<vp8dec0> Video decoder created
0:00:05.114015783 4164095 4164095 DEBUG webkitvideodecoder VideoDecoderGStreamer.cpp:67:~GStreamerInternalVideoDecoder:<vp8dec0> Disposing video decoder
0:00:05.114063760 4164095 4164095 DEBUG webkitelementharness GStreamerElementHarness.cpp:174:~GStreamerElementHarness:<vp8dec0> Stopping harness
0:00:05.114126789 4164095 4164095 TRACE webkitelementharness GStreamerElementHarness.cpp:285:pushEvent:<vp8dec0> Pushing eos event: 0x3640f270, time 99:99:99.999999999, seq-num 5, (NULL)
0:00:05.114161385 4164095 4164095 TRACE webkitelementharness GStreamerElementHarness.cpp:287:pushEvent:<vp8dec0> Result: false
Philippe Normand
Comment 6
2026-03-12 02:34:36 PDT
With GST_PLUGIN_FEATURE_RANK=vp8dec:0,avdec_vp8:0 :

0:00:01.633608370 4167019 4167019 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:371:hasElementForCaps: Lookup result for video decoder matching caps video/x-vp8 : isSupported=false, isUsingHardware=false, factory=(NULL)
0:00:01.635629908 4167019 4167019 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:371:hasElementForCaps: Lookup result for video encoder matching caps video/x-vp8 : isSupported=true, isUsingHardware=false, factory=<vp8enc>
0:00:01.636577119 4167019 4167019 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:411:refresh: Hardware encoder codec pattern registered: vp8.0
0:00:01.636666315 4167019 4167019 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:411:refresh: Hardware encoder codec pattern registered: x-vp8
0:00:01.636682242 4167019 4167019 DEBUG webkitregistryscanner GStreamerRegistryScanner.cpp:411:refresh: Hardware encoder codec pattern registered: vp8
0:00:01.636781946 4167019 4167019 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:819:isCodecSupported: Checked hardware decoding codec "vp8" supported false
0:00:01.636790939 4167019 4167019 DEBUG webkitvideodecoder VideoDecoderGStreamer.cpp:106:create: No hardware decoder found for codec vp8, falling back to software
0:00:01.636812051 4167019 4167019 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:819:isCodecSupported: Checked software decoding codec "vp8" supported false
0:00:01.636817981 4167019 4167019 WARN webkitvideodecoder VideoDecoderGStreamer.cpp:111:create: No decoder found for codec vp8
Felipe Erias
Comment 7
2026-03-13 05:45:46 PDT
Created attachment 478665
gst log GST_DEBUG="3,webkit*:9"
Felipe Erias
Comment 8
2026-03-13 05:48:48 PDT
GStreamer log attached. This seems to be the key point, right before the crash:
> LOG webkitregistryscanner GStreamerRegistryScanner.cpp:788:isCodecSupported: Checked hardware decoding codec "vp8" supported true
> ERROR nvcodec plugin.c:171:plugin_init: Failed to init cuda, cuInit ret: 0x2: CUDA_ERROR_OUT_OF_MEMORY: out of memory
> WARN nvcodec plugin.c:175:plugin_init: CUDA call failed: CUDA_ERROR_NO_DEVICE, no CUDA-capable device is detected
> WARN GST_ELEMENT_FACTORY gstelementfactory.c:531:gst_element_factory_create_with_properties:<nvvp8dec> loading plugin returned NULL!
> DEBUG webkitvideodecoder VideoDecoderGStreamer.cpp:165:GStreamerInternalVideoDecoder: Configuring decoder for codec vp8
> AddressSanitizer:DEADLYSIGNAL
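
Added example, not part of the bug thread or of the WebKit code base: a Python script that scans a GST_DEBUG log for the sequence quoted in comment 8, where an element factory's creation returns NULL and a decoder is then configured in the same process. The sample lines reuse the messages from comment 8 with constructed timestamps, PIDs and thread ids; the function name and the finding fields are hypothetical.

```python
import re

# Constructed sample: messages as quoted in comment 8, with made-up
# timestamps, PIDs and thread ids.
SAMPLE_LOG = """\
0:00:01.100000000 1000 1000 LOG webkitregistryscanner GStreamerRegistryScanner.cpp:788:isCodecSupported: Checked hardware decoding codec "vp8" supported true
0:00:01.200000000 1000 1000 ERROR nvcodec plugin.c:171:plugin_init: Failed to init cuda, cuInit ret: 0x2: CUDA_ERROR_OUT_OF_MEMORY: out of memory
0:00:01.300000000 1000 1000 WARN GST_ELEMENT_FACTORY gstelementfactory.c:531:gst_element_factory_create_with_properties:<nvvp8dec> loading plugin returned NULL!
0:00:01.400000000 1000 1000 DEBUG webkitvideodecoder VideoDecoderGStreamer.cpp:165:GStreamerInternalVideoDecoder: Configuring decoder for codec vp8
"""

# timestamp, pid, thread, level, category, file:line:function:, message
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<thread>\S+)\s+"
    r"(?P<level>[A-Z]+)\s+(?P<category>\S+)\s+"
    r"(?P<file>[^:\s]+):(?P<line>\d+):(?P<func>[^:]+):(?P<msg>.*)$"
)
SUPPORTED_RE = re.compile(r'Checked \w+ decoding codec "([^"]+)" supported true')
CREATE_FAIL_RE = re.compile(r"^<([^>]+)>\s*loading plugin returned NULL!")
CONFIGURE_RE = re.compile(r"Configuring decoder for codec (\S+)")


def find_unchecked_create_failures(log_text):
    """Flag decoders configured after an element factory returned NULL."""
    supported = {}  # pid -> codecs the registry scanner reported as supported
    failed = {}     # pid -> factories whose creation failed, not yet reported
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # sanitizer output, wrapped lines, anything not a log record
        pid, msg = m["pid"], m["msg"].strip()
        if s := SUPPORTED_RE.search(msg):
            supported.setdefault(pid, set()).add(s.group(1))
        elif f := CREATE_FAIL_RE.match(msg):
            failed.setdefault(pid, []).append(f.group(1))
        elif (c := CONFIGURE_RE.search(msg)) and failed.get(pid):
            findings.append({
                "pid": pid,
                "codec": c.group(1),
                "failed_factories": failed.pop(pid),
                "registry_said_supported": c.group(1) in supported.get(pid, set()),
                "configured_at": f'{m["file"]}:{m["line"]}',
            })
    return findings


if __name__ == "__main__":
    for finding in find_unchecked_create_failures(SAMPLE_LOG):
        print(finding)
```

A finding is a triage hint that the log shows a configure step after a failed element creation; it does not by itself prove a crash.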
Philippe Normand
Comment 9
2026-03-13 05:55:16 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/60555
EWS
Comment 10
2026-03-13 07:28:54 PDT
Committed 309207@main (edcaf48cc49a): <https://commits.webkit.org/309207@main>

Reviewed commits have been landed. Closing PR #60555 and removing active labels.