Bug 217647

Summary: [GStreamer] Crash in WebCore::GStreamerRegistryScanner::isAVC1CodecSupported
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: MediaAssignee: Philippe Normand <pnormand>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, calvaris, cgarcia, eric.carlson, ews-watchlist, glenn, gustavo, jer.noble, mcatanzaro, menard, philipj, pnormand, sergio, vjaquez, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Patch calvaris: review+

Michael Catanzaro
Reported 2020-10-12 20:24:21 PDT
Load https://proofing.statefarm.com/login-interceptor/login in Tech Preview, or build WebKit trunk with jhbuild, either way it will crash immediately: #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 set = {__val = {0, 140628309954960, 93936283386752, 140620386244921, 140735321198224, 140735321198216, 140620386244912, 140628310519853, 0, 1, 140735321198272, 140735321198240, 140735321198624, 140735321198776, 0, 1}} pid = <optimized out> tid = <optimized out> #1 0x00007fe694755855 in __GI_abort () at abort.c:79 save_stage = 1 act = {__sigaction_handler = {sa_handler = 0x7fff7ed3d030, sa_sigaction = 0x7fff7ed3d030}, sa_mask = {__val = {140628298606868, 140626159797808, 1, 140620386245076, 139642271694853, 140735321198848, 15911148392968547328, 140626161041408, 46, 140735321199120, 140735321198736, 140628368873568, 140628298249298, 140735321199120, 140628298605424, 140620203346288}}, sa_flags = -1687491584, sa_restorer = 0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>} sigs = {__val = {32, 0 <repeats 15 times>}} #2 0x00007fe6971e1724 in WTF::CrashOnOverflow::crash() () at DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:127 components = {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} spsAsInteger = <optimized out> sps = "\177\000" profile = <optimized out> level = <optimized out> levelAsStringFallback = "~\377" __FUNCTION__ = "isAVC1CodecSupported" checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5} #3 WTF::CrashOnOverflow::overflowed() () at DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:120 components = {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} spsAsInteger = <optimized out> sps = "\177\000" profile = <optimized out> level = <optimized out> levelAsStringFallback = "~\377" __FUNCTION__ = "isAVC1CodecSupported" checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5} #4 WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) (i=<optimized out>, this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:701 components = {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} spsAsInteger = <optimized out> sps = "\177\000" profile = <optimized out> level = <optimized out> levelAsStringFallback = "~\377" __FUNCTION__ = "isAVC1CodecSupported" checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5} #5 WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) (i=<optimized out>, this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:721 components = {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMa--Type <RET> for more, q to quit, c to continue without paging--c lloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} spsAsInteger = <optimized out> sps = "\177\000" profile = <optimized out> level = <optimized out> levelAsStringFallback = "~\377" __FUNCTION__ = "isAVC1CodecSupported" checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5} #6 WebCore::GStreamerRegistryScanner::isAVC1CodecSupported(WTF::String const&, bool) const (this=this@entry=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, codec=..., shouldCheckForHardwareUse=<optimized out>, shouldCheckForHardwareUse@entry=false) at ../Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:366 components = {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} spsAsInteger = <optimized out> sps = "\177\000" profile = <optimized out> level = <optimized out> levelAsStringFallback = "~\377" __FUNCTION__ = "isAVC1CodecSupported" checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5} #7 0x00007fe6971e1a29 in WebCore::GStreamerRegistryScanner::isCodecSupported(WTF::String, bool) const (this=this@entry=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, codec=..., shouldCheckForHardwareUse=shouldCheckForHardwareUse@entry=false) at ../Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:305 supported = false __FUNCTION__ = "isCodecSupported" #8 0x00007fe6971e2049 in WebCore::GStreamerRegistryScanner::isContentTypeSupported(WebCore::ContentType const&, WTF::Vector<WebCore::ContentType, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) const (this=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, contentType=..., contentTypesRequiringHardwareSupport=...) at DerivedSources/ForwardingHeaders/wtf/text/StringImpl.h:1107 codec = @0x7fe4b35a3700: {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe4bc2b99c0}} __for_range = @0x7fff7ed3d1f0: {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3700, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} __for_begin = 0x7fe4b35a3700 __for_end = 0x7fe4b35a3708 containerType = @0x7fff7ed3d1c8: {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe4bc2b9980}} codecs = @0x7fff7ed3d1f0: {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3700, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} #9 0x00007fe696ffc91c in WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:2693 result = <optimized out> gstRegistryScanner = <optimized out> finalResult = <optimized out> #10 WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:2674 #11 0x00007fe6969a241b in WebCore::bestMediaEngineForSupportParameters(WebCore::MediaEngineSupportParameters const&, WebCore::MediaPlayerFactory const*) (parameters=..., current=<optimized out>, current@entry=0x0) at /usr/include/c++/10.2.0/bits/unique_ptr.h:421 engineSupport = <optimized out> engine = <optimized out> __for_range = <optimized out> __for_begin = <optimized out> __for_end = 0x7fe5e44fda90 foundEngine = <optimized out> supported = <optimized out> #12 0x00007fe6969a5d01 in WebCore::MediaPlayer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/MediaPlayer.cpp:993 engine = <optimized out> #13 0x00007fe6964b51c6 in WebCore::HTMLMediaElement::canPlayType(WTF::String const&) const (this=this@entry=0x7fe5d470d830, mimeType=...) at ../Source/WebCore/html/HTMLMediaElement.cpp:1064 parameters = {type = {m_type = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5d44ed7b0}}}, url = {m_string = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, m_isValid = 0, m_protocolIsInHTTPFamily = 0, m_cannotBeABaseURL = 0, m_portLength = 0, static maxPortLength = 7, static maxSchemeLength = 67108863, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0}, isMediaSource = false, isMediaStream = false, contentTypesRequiringHardwareSupport = {<WTF::VectorBuffer<WebCore::ContentType, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::ContentType, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}} contentType = {m_type = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5d44ed7b0}}} support = <optimized out> canPlay = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5240d4520}} __func__ = "canPlayType"
Attachments
Patch (5.86 KB, patch)
2020-10-13 02:23 PDT, Philippe Normand 		calvaris: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2020-10-12 20:43:41 PDT
Added some debug: isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42AC23 hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=172 sps[2]=35 isAVC1CodecSupported: profile=baseline level=(null) isAVC1CodecSupported: 2 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E034 hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=52 isAVC1CodecSupported: profile=constrained-baseline level=5.2 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E034 hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=52 isAVC1CodecSupported: profile=constrained-baseline level=5.2 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E01E hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=30 isAVC1CodecSupported: profile=constrained-baseline level=3 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E01E hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=30 isAVC1CodecSupported: profile=constrained-baseline level=3 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E009 hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=9 isAVC1CodecSupported: profile=constrained-baseline level=1b isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E009 hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=9 isAVC1CodecSupported: profile=constrained-baseline level=1b isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.123456 hardware=0 isAVC1CodecSupported: sps[0]=18 sps[1]=52 sps[2]=86 isAVC1CodecSupported: profile=(null) level=(null) isAVC1CodecSupported: 2 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42F01E hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=240 sps[2]=30 isAVC1CodecSupported: profile=constrained-baseline level=3 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42F01E hardware=0 isAVC1CodecSupported: sps[0]=66 sps[1]=240 sps[2]=30 isAVC1CodecSupported: profile=constrained-baseline level=3 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.4D001E hardware=0 isAVC1CodecSupported: sps[0]=77 sps[1]=0 sps[2]=30 isAVC1CodecSupported: profile=main level=3 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.4D001E hardware=0 isAVC1CodecSupported: sps[0]=77 sps[1]=0 sps[2]=30 isAVC1CodecSupported: profile=main level=3 isAVC1CodecSupported: 2 isAVC1CodecSupported: 3 isAVC1CodecSupported: 4 isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1x hardware=0 1 0x7f7e7d7afbd9 WTFCrash 2 0x7f7e814b2255 WebCore::GStreamerRegistryScanner::isAVC1CodecSupported(WTF::String const&, bool) const 3 0x7f7e814b24b9 WebCore::GStreamerRegistryScanner::isCodecSupported(WTF::String, bool) const 4 0x7f7e814b2ab9 WebCore::GStreamerRegistryScanner::isContentTypeSupported(WebCore::ContentType const&, WTF::Vector<WebCore::ContentType, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) const 5 0x7f7e812df7d4 WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&) 6 0x7f7e80cf510b /home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37(+0x2eb010b) [0x7f7e80cf510b] 7 0x7f7e80cf6fc4 WebCore::MediaPlayer::supportsType(WebCore::MediaEngineSupportParameters const&) 8 0x7f7e808637f2 WebCore::HTMLMediaElement::canPlayType(WTF::String const&) const 9 0x7f7e7fd8aeee WebCore::jsHTMLMediaElementPrototypeFunctionCanPlayType(JSC::JSGlobalObject*, JSC::CallFrame*) 10 0x7f7e280ff178 [0x7f7e280ff178] So it crashes when there is no period in the codec string (accessing components[1] off the end of the array).
Philippe Normand
Comment 2 2020-10-13 02:23:39 PDT
Created attachment 411204 [details] Patch
Xabier Rodríguez Calvar
Comment 3 2020-10-13 03:43:30 PDT
Comment on attachment 411204 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review > Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:367 > + auto checkH264Caps = [&](const char* capsString) { Nit: I would do this a private method instead of a lambda, even if this was already like this before. > Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:370 > + bool supported = false; > + auto lookupResult = hasElementForMediaType(m_videoDecoderFactories, capsString, true); > + supported = lookupResult; Nit: I think one line would be enough, wouldn't it?
Philippe Normand
Comment 4 2020-10-13 04:53:21 PDT
Comment on attachment 411204 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review >> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:370 >> + supported = lookupResult; > > Nit: I think one line would be enough, wouldn't it? No because lookupResult is used below.
Philippe Normand
Comment 5 2020-10-13 05:03:57 PDT
Comment on attachment 411204 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review >> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:367 >> + auto checkH264Caps = [&](const char* capsString) { > > Nit: I would do this a private method instead of a lambda, even if this was already like this before. I find more convenient to use a lambda here, instead of adding a new method which would need 3 arguments :)
Philippe Normand
Comment 6 2020-10-13 05:08:51 PDT
Committed r268392: <https://trac.webkit.org/changeset/268392>
Radar WebKit Bug Importer
Comment 7 2020-10-13 05:09:19 PDT
<rdar://problem/70248585>
Note You need to log in before you can comment on or make changes to this bug.