Bug 217647

Summary: [GStreamer] Crash in WebCore::GStreamerRegistryScanner::isAVC1CodecSupported
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: MediaAssignee: Philippe Normand <pnormand>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, calvaris, cgarcia, eric.carlson, ews-watchlist, glenn, gustavo, jer.noble, mcatanzaro, menard, philipj, pnormand, sergio, vjaquez, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Patch calvaris: review+

Description Michael Catanzaro 2020-10-12 20:24:21 PDT 
Load https://proofing.statefarm.com/login-interceptor/login in Tech Preview, or build WebKit trunk with jhbuild, either way it will crash immediately:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = 
            {__val = {0, 140628309954960, 93936283386752, 140620386244921, 140735321198224, 140735321198216, 140620386244912, 140628310519853, 0, 1, 140735321198272, 140735321198240, 140735321198624, 140735321198776, 0, 1}}
        pid = <optimized out>
        tid = <optimized out>
#1  0x00007fe694755855 in __GI_abort () at abort.c:79
        save_stage = 1
        act = 
          {__sigaction_handler = {sa_handler = 0x7fff7ed3d030, sa_sigaction = 0x7fff7ed3d030}, sa_mask = {__val = {140628298606868, 140626159797808, 1, 140620386245076, 139642271694853, 140735321198848, 15911148392968547328, 140626161041408, 46, 140735321199120, 140735321198736, 140628368873568, 140628298249298, 140735321199120, 140628298605424, 140620203346288}}, sa_flags = -1687491584, sa_restorer = 0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007fe6971e1724 in WTF::CrashOnOverflow::crash() ()
    at DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:127
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#3  WTF::CrashOnOverflow::overflowed() () at DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:120
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#4  WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long)
    (i=<optimized out>, this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:701
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#5  WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long)
    (i=<optimized out>, this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:721
        components = 
              {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMa--Type <RET> for more, q to quit, c to continue without paging--c
lloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#6  WebCore::GStreamerRegistryScanner::isAVC1CodecSupported(WTF::String const&, bool) const (this=this@entry=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, codec=..., shouldCheckForHardwareUse=<optimized out>, shouldCheckForHardwareUse@entry=false) at ../Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:366
        components = {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3780, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        spsAsInteger = <optimized out>
        sps = "\177\000"
        profile = <optimized out>
        level = <optimized out>
        levelAsStringFallback = "~\377"
        __FUNCTION__ = "isAVC1CodecSupported"
        checkH264Caps = {__this = 0x0, __shouldCheckForHardwareUse = @0x100003600, __codec = @0x5}
#7  0x00007fe6971e1a29 in WebCore::GStreamerRegistryScanner::isCodecSupported(WTF::String, bool) const (this=this@entry=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, codec=..., shouldCheckForHardwareUse=shouldCheckForHardwareUse@entry=false) at ../Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:305
        supported = false
        __FUNCTION__ = "isCodecSupported"
#8  0x00007fe6971e2049 in WebCore::GStreamerRegistryScanner::isContentTypeSupported(WebCore::ContentType const&, WTF::Vector<WebCore::ContentType, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) const (this=0x7fe697f8d860 <WebCore::GStreamerRegistryScanner::singleton()::sharedInstance>, contentType=..., contentTypesRequiringHardwareSupport=...) at DerivedSources/ForwardingHeaders/wtf/text/StringImpl.h:1107
        codec = @0x7fe4b35a3700: {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe4bc2b99c0}}
        __for_range = @0x7fff7ed3d1f0: {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3700, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
        __for_begin = 0x7fe4b35a3700
        __for_end = 0x7fe4b35a3708
        containerType = @0x7fff7ed3d1c8: {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe4bc2b9980}}
        codecs = @0x7fff7ed3d1f0: {<WTF::VectorBuffer<WTF::String, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::String, WTF::FastMalloc>> = {m_buffer = 0x7fe4b35a3700, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}
#9  0x00007fe696ffc91c in WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:2693
        result = <optimized out>
        gstRegistryScanner = <optimized out>
        finalResult = <optimized out>
#10 WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:2674
#11 0x00007fe6969a241b in WebCore::bestMediaEngineForSupportParameters(WebCore::MediaEngineSupportParameters const&, WebCore::MediaPlayerFactory const*) (parameters=..., current=<optimized out>, current@entry=0x0) at /usr/include/c++/10.2.0/bits/unique_ptr.h:421
        engineSupport = <optimized out>
        engine = <optimized out>
        __for_range = <optimized out>
        __for_begin = <optimized out>
        __for_end = 0x7fe5e44fda90
        foundEngine = <optimized out>
        supported = <optimized out>
#12 0x00007fe6969a5d01 in WebCore::MediaPlayer::supportsType(WebCore::MediaEngineSupportParameters const&) (parameters=...) at ../Source/WebCore/platform/graphics/MediaPlayer.cpp:993
        engine = <optimized out>
#13 0x00007fe6964b51c6 in WebCore::HTMLMediaElement::canPlayType(WTF::String const&) const (this=this@entry=0x7fe5d470d830, mimeType=...) at ../Source/WebCore/html/HTMLMediaElement.cpp:1064
        parameters = {type = {m_type = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5d44ed7b0}}}, url = {m_string = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, m_isValid = 0, m_protocolIsInHTTPFamily = 0, m_cannotBeABaseURL = 0, m_portLength = 0, static maxPortLength = 7, static maxSchemeLength = 67108863, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0}, isMediaSource = false, isMediaStream = false, contentTypesRequiringHardwareSupport = {<WTF::VectorBuffer<WebCore::ContentType, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::ContentType, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}}
        contentType = {m_type = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5d44ed7b0}}}
        support = <optimized out>
        canPlay = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7fe5240d4520}}
        __func__ = "canPlayType"
Comment 1 Michael Catanzaro 2020-10-12 20:43:41 PDT 
Added some debug:

isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42AC23 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=172 sps[2]=35
isAVC1CodecSupported: profile=baseline level=(null)
isAVC1CodecSupported: 2
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E034 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=52
isAVC1CodecSupported: profile=constrained-baseline level=5.2
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E034 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=52
isAVC1CodecSupported: profile=constrained-baseline level=5.2
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E009 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=9
isAVC1CodecSupported: profile=constrained-baseline level=1b
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42E009 hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=224 sps[2]=9
isAVC1CodecSupported: profile=constrained-baseline level=1b
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.123456 hardware=0
isAVC1CodecSupported: sps[0]=18 sps[1]=52 sps[2]=86
isAVC1CodecSupported: profile=(null) level=(null)
isAVC1CodecSupported: 2
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42F01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=240 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.42F01E hardware=0
isAVC1CodecSupported: sps[0]=66 sps[1]=240 sps[2]=30
isAVC1CodecSupported: profile=constrained-baseline level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.4D001E hardware=0
isAVC1CodecSupported: sps[0]=77 sps[1]=0 sps[2]=30
isAVC1CodecSupported: profile=main level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1.4D001E hardware=0
isAVC1CodecSupported: sps[0]=77 sps[1]=0 sps[2]=30
isAVC1CodecSupported: profile=main level=3
isAVC1CodecSupported: 2
isAVC1CodecSupported: 3
isAVC1CodecSupported: 4
isAVC1CodecSupported: this=0x7f7e822eee00 1: codec=avc1x hardware=0
1   0x7f7e7d7afbd9 WTFCrash
2   0x7f7e814b2255 WebCore::GStreamerRegistryScanner::isAVC1CodecSupported(WTF::String const&, bool) const
3   0x7f7e814b24b9 WebCore::GStreamerRegistryScanner::isCodecSupported(WTF::String, bool) const
4   0x7f7e814b2ab9 WebCore::GStreamerRegistryScanner::isContentTypeSupported(WebCore::ContentType const&, WTF::Vector<WebCore::ContentType, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) const
5   0x7f7e812df7d4 WebCore::MediaPlayerPrivateGStreamer::supportsType(WebCore::MediaEngineSupportParameters const&)
6   0x7f7e80cf510b /home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37(+0x2eb010b) [0x7f7e80cf510b]
7   0x7f7e80cf6fc4 WebCore::MediaPlayer::supportsType(WebCore::MediaEngineSupportParameters const&)
8   0x7f7e808637f2 WebCore::HTMLMediaElement::canPlayType(WTF::String const&) const
9   0x7f7e7fd8aeee WebCore::jsHTMLMediaElementPrototypeFunctionCanPlayType(JSC::JSGlobalObject*, JSC::CallFrame*)
10  0x7f7e280ff178 [0x7f7e280ff178]

So it crashes when there is no period in the codec string (accessing components[1] off the end of the array).
Comment 2 Philippe Normand 2020-10-13 02:23:39 PDT 
Created attachment 411204 [details]
Patch
Comment 3 Xabier Rodríguez Calvar 2020-10-13 03:43:30 PDT 
Comment on attachment 411204 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review

> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:367
> +    auto checkH264Caps = [&](const char* capsString) {

Nit: I would do this a private method instead of a lambda, even if this was already like this before.

> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:370
> +        bool supported = false;
> +        auto lookupResult = hasElementForMediaType(m_videoDecoderFactories, capsString, true);
> +        supported = lookupResult;

Nit: I think one line would be enough, wouldn't it?
Comment 4 Philippe Normand 2020-10-13 04:53:21 PDT 
Comment on attachment 411204 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review

>> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:370
>> +        supported = lookupResult;
> 
> Nit: I think one line would be enough, wouldn't it?

No because lookupResult is used below.
Comment 5 Philippe Normand 2020-10-13 05:03:57 PDT 
Comment on attachment 411204 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411204&action=review

>> Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:367
>> +    auto checkH264Caps = [&](const char* capsString) {
> 
> Nit: I would do this a private method instead of a lambda, even if this was already like this before.

I find more convenient to use a lambda here, instead of adding a new method which would need 3 arguments :)
Comment 6 Philippe Normand 2020-10-13 05:08:51 PDT 
Committed r268392: <https://trac.webkit.org/changeset/268392>
Comment 7 Radar WebKit Bug Importer 2020-10-13 05:09:19 PDT 
<rdar://problem/70248585>