Bug 250477

Summary: REGRESSION(256018@main): [WPE][GTK] Crash in WebCore::AVIFImageReader::parseHeader, deep in dav1d
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, mcatanzaro, mmaxfield
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Full backtrace none

Description Michael Catanzaro 2023-01-11 14:42:31 PST 
Created attachment 464458 [details]
Full backtrace

Reproducer: visit https://www.kmov.com/2023/01/11/legal-documents-claim-racism-retaliation-st-louis-circuit-attorneys-office-circuit-attorney-kim-gardner/ in Ephy Tech Preview, the web process will crash 100% of the time. The crash is deep in dav1d, so presumably it is a bug there. I found the issue tracker here: https://code.videolan.org/videolan/dav1d/-/issues. But I'm not very motivated to create an account there to report one bug, so I decided to do it here instead, and point the dav1d developers to it here. They can create their own issue if desired.

For us on WebKit Bugzilla, all we have to do is decide whether to live with the crash or disable the AVIF support. I think we should tolerate it if fixed quickly, and disable AVIF support by reverting 256018@main otherwise.

This is with dav1d 1.0.0 from freedesktop-sdk 22.08.5, build rules here: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/362fe115679a444c19c75ff2da330c57d57ef245/elements/components/dav1d.bst

CC: Myles only for interest, since the same issue may or may not exist in PAL's copy of dav1d (that is NOT used here).

#0  0x00007f629d0be3a2 in dav1d_msac_decode_symbol_adapt16_avx2 () at /usr/lib/x86_64-linux-gnu/libdav1d.so.6
#1  0x00007f629d1f312c in decode_sb (t=t@entry=0x55de6ecf27c0, bl=bl@entry=BL_64X64, node=<optimized out>)
    at ../src/decode.c:2334
#2  0x00007f629d1f488a in dav1d_decode_tile_sbrow (t=0x55de6ecf27c0) at ../src/decode.c:2889
#3  0x00007f629d200d33 in dav1d_decode_frame_main (f=0x55de6ecf1260) at ../src/decode.c:3383
#4  dav1d_decode_frame (f=0x55de6ecf1260) at ../src/decode.c:3458
#5  dav1d_submit_frame (c=<optimized out>) at ../src/decode.c:3838
#6  0x00007f629d2016fa in dav1d_parse_obus (c=<optimized out>, in=<optimized out>, global=<optimized out>)
    at ../src/obu.c:1626
#7  0x00007f629d1d6a03 in gen_picture (c=c@entry=0x55de6ecdb680) at ../src/lib.c:425
#8  0x00007f629d1ddf9f in dav1d_send_data (c=0x55de6ecdb680, in=in@entry=0x7fff34da8130) at ../src/lib.c:455
#9  0x00007f62a19769a8 in dav1dCodecGetNextImage
    (codec=0x55de6eaa6c00, decoder=<optimized out>, sample=0x55de6ec25950, alpha=0, isLimitedRangeAlpha=0x7fff34da8334, image=0x55de6ea5c5b0) at /usr/lib/debug/source/sdk/libavif.bst/src/codec_dav1d.c:93
#10 0x00007f62a1967a08 in avifDecoderDecodeTiles
    (decoder=decoder@entry=0x55de6ec66510, nextImageIndex=nextImageIndex@entry=0, firstTileIndex=firstTileIndex@entry=0, tileCount=<optimized out>, decodedTileCount=<optimized out>)
    at /usr/lib/debug/source/sdk/libavif.bst/src/read.c:3853
#11 0x00007f62a196d52d in avifDecoderNextImage (decoder=0x55de6ec66510)
    at /usr/lib/debug/source/sdk/libavif.bst/src/read.c:3936
#12 0x00007f62a470deb6 in WebCore::AVIFImageReader::parseHeader(WebCore::SharedBuffer const&, bool)
    (this=this@entry=0x7f60df9df9c0, data=<optimized out>, allDataReceived=allDataReceived@entry=true)
    at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#13 0x00007f62a470dc41 in WebCore::AVIFImageDecoder::tryDecodeSize(bool)
     (this=0x7f60df9d85e0, allDataReceived=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#14 0x00007f62a470ce61 in WebCore::ScalableImageDecoder::setData(WebCore::FragmentedSharedBuffer const&, bool)
    (this=0x7f60df9d85e0, data=<optimized out>, allDataReceived=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:83
#15 0x00007f62a5f11ff0 in WebCore::BitmapImage::destroyDecodedData(bool)
     (this=0x7f629910c400, destroyAll=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#16 0x00007f62a458d7c7 in WebKit::NetworkProcessConnection::didCacheResource(WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&) (this=<optimized out>, request=..., handle=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:304
#17 0x00007f62a40034f4 in _ZZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES2_FvRKN7WebCore15ResourceRequestERKNS1_17ShareableResource6HandleEESt5tupleIJS4_S8_EEEEvPT_MT0_T1_OT2_ENKUlDpOT_E_clIJS4_S8_EEEDaSN_
    (__closure=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:133
#18 _ZSt13__invoke_implIvZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_S9_EESF_St14__invoke_otherOSH_DpOT1_ (__f=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:61
#19 _ZSt8__invokeIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_S9_EENSt15__invoke_resultISF_JDpT0_EE4typeEOSF_DpOSR_ (__fn=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:96
#20 _ZSt12__apply_implIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_SE_JLm0ELm1EEEDcOSF_OSH_St16integer_sequenceImJXspT1_EEE (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1852
#21 _ZSt5applyIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_SE_EDcOSF_OSH_ (__t=..., __f=<optimized out>)
    at /usr/include/c++/12.1.0/tuple:1863
#22 IPC::callMemberFunction<WebKit::NetworkProcessConnection, WebKit::NetworkProcessConnection, void (WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&), std::tuple<WebCore::ResourceRequest, WebKit::ShareableResource::Handle> >(WebKit::NetworkProcessConnection*, void (WebKit::NetworkProcessConnection::*)(WebCore::ResourceRequest--Type <RET> for more, q to quit, c to continue without paging--c
 const&, WebKit::ShareableResource::Handle const&), std::tuple<WebCore::ResourceRequest, WebKit::ShareableResource::Handle>&&) (tuple=..., function=<optimized out>, object=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:131
#23 IPC::handleMessage<Messages::NetworkProcessConnection::DidCacheResource, WebKit::NetworkProcessConnection, WebKit::NetworkProcessConnection, void (WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&)>(IPC::Connection&, IPC::Decoder&, WebKit::NetworkProcessConnection*, void (WebKit::NetworkProcessConnection::*)(WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&)) (decoder=..., object=object@entry=0x7f6299014240, function=<optimized out>, connection=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:227
#24 0x00007f62a4003f64 in WebKit::NetworkProcessConnection::didReceiveNetworkProcessConnectionMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f6299014240, connection=<optimized out>, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/NetworkProcessConnectionMessageReceiver.cpp:71
#25 0x00007f62a41ffe0a in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f62990284e0, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1241
#26 0x00007f62a42018da in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f62990284e0) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
#27 0x00007f62a2e6c3e5 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:79
#28 WTF::RunLoop::performWork() (this=0x7f62990100e0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147
#29 0x00007f62a2ecdc8d in operator() (userData=<optimized out>, __closure=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#30 _FUN(gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#31 0x00007f62a2ece70d in operator() (__closure=0x0, userData=0x7f62990100e0, callback=0x7f62a2ecdc80 <_FUN(gpointer)>, source=0x55de6e3297b0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#32 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#33 0x00007f629fb66301 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3454
#34 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4172
#35 0x00007f629fb66858 in g_main_context_iterate (context=0x55de6e2e7b40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4248
#36 0x00007f629fb66b3f in g_main_loop_run (loop=0x55de6e2e1710) at ../glib/gmain.c:4448
#37 0x00007f62a2ece870 in WTF::RunLoop::run() () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#38 0x00007f62a466501f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argc=3, argv=0x7fff34da8be8, this=0x7fff34da8a50) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:71
#39 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argv=0x7fff34da8be8, argc=3, this=0x7fff34da8a50) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:58
#40 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=3, argv=0x7fff34da8be8) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:97
#41 0x00007f62a342954a in __libc_start_call_main (main=main@entry=0x55de6c686060 <main>, argc=argc@entry=3, argv=argv@entry=0x7fff34da8be8) at ../sysdeps/nptl/libc_start_call_main.h:58
#42 0x00007f62a342960b in __libc_start_main_impl (main=0x55de6c686060 <main>, argc=3, argv=0x7fff34da8be8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:389
#43 0x000055de6c686095 in _start ()

Full backtrace attached.
Comment 1 Michael Catanzaro 2023-01-11 15:23:32 PST 
Dump of assembler code for function dav1d_msac_decode_symbol_adapt16_avx2:
   0x00007f1160373360 <+0>:	lea    0x14acb9(%rip),%rax        # 0x7f11604be020
   0x00007f1160373367 <+7>:	vpbroadcastw 0x18(%rdi),%ymm2
   0x00007f116037336d <+13>:	vmovdqa (%rsi),%ymm0
   0x00007f1160373371 <+17>:	vpbroadcastw 0x16(%rdi),%ymm3
   0x00007f1160373377 <+23>:	vbroadcasti128 (%rax),%ymm4
   0x00007f116037337c <+28>:	mov    0x20(%rdi),%ecx
   0x00007f116037337f <+31>:	mov    %edx,%r8d
   0x00007f1160373382 <+34>:	not    %rdx
   0x00007f1160373385 <+37>:	vpsrlw $0x6,%ymm0,%ymm1
   0x00007f116037338a <+42>:	vmovd  %xmm2,-0x3c(%rsp)
   0x00007f1160373390 <+48>:	vpand  %ymm4,%ymm2,%ymm2
   0x00007f1160373394 <+52>:	vpsllw $0x7,%ymm1,%ymm1
   0x00007f1160373399 <+57>:	vpmulhuw %ymm2,%ymm1,%ymm1
   0x00007f116037339d <+61>:	vpaddw (%rax,%rdx,2),%ymm1,%ymm1
=> 0x00007f11603733a2 <+66>:	vmovdqa %ymm1,-0x38(%rsp)
   0x00007f11603733a8 <+72>:	vpmaxuw %ymm3,%ymm1,%ymm1
   0x00007f11603733ad <+77>:	vpcmpeqw %ymm3,%ymm1,%ymm1
   0x00007f11603733b1 <+81>:	vpmovmskb %ymm1,%eax
   0x00007f11603733b5 <+85>:	test   %ecx,%ecx
   0x00007f11603733b7 <+87>:	je     0x7f11603733ef <dav1d_msac_decode_symbol_adapt16_avx2.renorm>
   0x00007f11603733b9 <+89>:	movzwl (%rsi,%r8,2),%ecx
   0x00007f11603733be <+94>:	vpcmpeqw %ymm2,%ymm2,%ymm2
   0x00007f11603733c2 <+98>:	lea    0x50(%rcx),%edx
   0x00007f11603733c5 <+101>:	shr    $0x4,%edx
   0x00007f11603733c8 <+104>:	cmp    $0x20,%ecx
   0x00007f11603733cb <+107>:	adc    $0x0,%ecx
   0x00007f11603733ce <+110>:	vmovd  %edx,%xmm3
   0x00007f11603733d2 <+114>:	vpavgw %ymm1,%ymm2,%ymm2
   0x00007f11603733d6 <+118>:	vpsubw %ymm0,%ymm2,%ymm2
   0x00007f11603733da <+122>:	vpsubw %ymm1,%ymm0,%ymm0
   0x00007f11603733de <+126>:	vpsraw %xmm3,%ymm2,%ymm2
   0x00007f11603733e2 <+130>:	vpaddw %ymm2,%ymm0,%ymm0
   0x00007f11603733e6 <+134>:	vmovdqa %ymm0,(%rsi)
   0x00007f11603733ea <+138>:	mov    %cx,(%rsi,%r8,2)
End of assembler dump.
Comment 2 Michael Catanzaro 2023-01-11 15:24:46 PST 
(gdb) info registers
rax            0x7f11604be020      139712606756896
rbx            0x1                 1
rcx            0x1                 1
rdx            0xfffffffffffffff6  -10
rsi            0x564572901760      94856274777952
rdi            0x564572904800      94856274790400
rbp            0x7ffc4c68cbc0      0x7ffc4c68cbc0
rsp            0x7ffc4c68cb48      0x7ffc4c68cb48
r8             0x9                 9
r9             0xc8                200
r10            0x564572904b50      94856274791248
r11            0x72                114
r12            0x8                 8
r13            0x5645728fb550      94856274752848
r14            0x7f10f3f24040      139710788943936
r15            0x5645728feea0      94856274767520
rip            0x7f11603733a2      0x7f11603733a2 <dav1d_msac_decode_symbol_adapt16_avx2+66>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
Comment 3 Michael Catanzaro 2023-01-11 16:16:27 PST 
I discussed this with the dav1d developers and we think LTO is breaking the required 32-bit stack alignment (known issue with clang, but possibly happening with GCC too?). freedesktop-sdk enables LTO only for projects that use Meson.
Comment 5 Michael Catanzaro 2023-01-13 08:58:44 PST 
(In reply to Michael Catanzaro from comment #3)
> I discussed this with the dav1d developers and we think LTO is breaking the
> required 32-bit stack alignment (known issue with clang, but possibly
> happening with GCC too?). freedesktop-sdk enables LTO only for projects that
> use Meson.

This was the problem. Fixed by disabling LTO.
Comment 6 Michael Catanzaro 2023-01-13 09:42:48 PST 
Upstream bug report: https://code.videolan.org/videolan/dav1d/-/issues/402