[Webkit-unassigned] [Bug 177410] New: [GStreamer][MSE] Likely race condition causes WTF::Deque to crash on debug

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 23 12:33:13 PDT 2017 

https://bugs.webkit.org/show_bug.cgi?id=177410

            Bug ID: 177410
           Summary: [GStreamer][MSE] Likely race condition causes
                    WTF::Deque to crash on debug
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aboya at igalia.com
                CC: bugs-noreply at webkitgtk.org

When running the YouTube 2018 MSE tests, many of them sometimes crash WebKit on
this assertion:

http://yt-dash-mse-test.commondatastorage.googleapis.com/unit-tests/2018.html?tests=73,74,75,85,93,94,101,102&command=run

ASSERTION FAILED: m_next->m_previous == this
../../../Source/WTF/wtf/Deque.h(634) : void WTF::DequeIteratorBase<T, inlineCapacity>::removeFromIteratorsList() [with T = _Stream*; long unsigned int inlineCapacity = 0]
1   0x7fc8398e24d4 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7fc8398e24d4]
2   0x7fc8441d985b /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::removeFromIteratorsList()+0xc1) [0x7fc8441d985b]
3   0x7fc8441d8ef6 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIteratorBase<_Stream*, 0ul>::~DequeIteratorBase()+0x18) [0x7fc8441d8ef6]
4   0x7fc8441d8e20 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WTF::DequeIterator<_Stream*, 0ul>::~DequeIterator()+0x18) [0x7fc8441d8e20]
5   0x7fc8441de38a /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc638a) [0x7fc8441de38a]
6   0x7fc8441de5c3 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(+0x7bc65c3) [0x7fc8441de5c3]
7   0x7fc829139bde /lib64/libffi.so.6(ffi_call_unix64+0x4c) [0x7fc829139bde]
8   0x7fc82913954f /lib64/libffi.so.6(ffi_call+0x22f) [0x7fc82913954f]
9   0x7fc832affc33 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_cclosure_marshal_generic+0x1d3) [0x7fc832affc33]
10  0x7fc832aff46d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_closure_invoke+0x19d) [0x7fc832aff46d]
11  0x7fc832b111fe /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(+0x211fe) [0x7fc832b111fe]
12  0x7fc832b19895 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xa45) [0x7fc832b19895]
13  0x7fc832b1a252 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgobject-2.0.so.0(g_signal_emit+0x82) [0x7fc832b1a252]
14  0x7fc834c34684 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(gst_bus_async_signal_func+0x54) [0x7fc834c34684]
15  0x7fc834c3546d /webkit/WebKitBuild/DependenciesGTK/Root/lib/libgstreamer-1.0.so.0(+0x4246d) [0x7fc834c3546d]
16  0x7fc8328274d5 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_context_dispatch+0x135) [0x7fc8328274d5]
17  0x7fc832827878 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(+0x49878) [0x7fc832827878]
18  0x7fc832827b82 /webkit/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7fc832827b82]
19  0x7fc839950f54 /webkit/WebKitBuild/webm/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTF::RunLoop::run()+0xac) [0x7fc839950f54]
20  0x7fc843086b51 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**)+0x82) [0x7fc843086b51]
21  0x7fc843086a03 /webkit/WebKitBuild/webm/Debug/lib/libwebkit2gtk-4.0.so.2(WebProcessMainUnix+0x20) [0x7fc843086a03]
22  0x400d22 /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(main+0x3d) [0x400d22]
23  0x7fc82d9d050a /lib64/libc.so.6(__libc_start_main+0xea) [0x7fc82d9d050a]
24  0x400bfa /webkit/WebKitBuild/webm/Debug/bin/WebKitWebProcess(_start+0x2a) [0x400bfa]

Tests that may show the error: 73, 74, 75, 85, 93, 94, 101, 102.

It's likely a result of using WTF::Deque's from different threads. Since
removeFromIteratorsList() only contains code in debug mode it's possible that
this race is hidden on release.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170923/e585c65c/attachment.html>

More information about the webkit-unassigned mailing list