[Webkit-unassigned] [Bug 200530] New: [GTK] WebKitWebProcess crashes when viewing an HTML with a <video> element referencing unknown file

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 7 23:58:16 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=200530

            Bug ID: 200530
           Summary: [GTK] WebKitWebProcess crashes when viewing an HTML
                    with a <video> element referencing unknown file
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcrha at redhat.com
                CC: bugs-noreply at webkitgtk.org

Moving this from a downstream bug report:
https://gitlab.gnome.org/GNOME/evolution/issues/558

When viewing a message in Evolution, whose body contains a video link, WebKitWebProcess either crashes or keeps showing runtime warning:

>   (WebKitWebProcess:2100): GStreamer-CRITICAL **: 19:18:18.041: gst_element_query: assertion 'GST_IS_ELEMENT (element)' failed

depending on user settings (either how glib had been compiled, or when fatal-warnings/fatal-criticals had been used).

Example of such HTML:

  <html><body><video src="evo-https://gitlab.gnome.org/GNOME/gtk/uploads/a3998120d6283183158157e981e1cdaf/recording-jitter-3.mp4"></video></body></html>

Save it as a file, then open it in the MiniBrowser. Note the src of the video link is slightly modified, it uses a different schema, which mimics what Evolution does - it rejects to download it, unless user allows it.

It's a new behaviour in 2.24.3. More information can be found in the upstream bug.

Backtrace of the crash:

    #0  0x00007f30dbbd588e in gst_element_query (element=0x0, query=0x7f30c40060f0 [None]) at ../gstreamer/gst/gstelement.c:1955
            klass = <optimized out>
            res = 0
            __func__ = "gst_element_query"
    #1  0x00007f30e17dd2b8 in WebCore::MediaPlayerPrivateGStreamer::fillTimerFired() (this=0x7f306b61f700) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1662
            query = {m_ptr = 0x7f30c40060f0 [None]}
            fillStatus = 100
            mode = GST_BUFFERING_DOWNLOAD
            __FUNCTION__ = "fillTimerFired"
    #2  0x00007f30e113fc04 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7f30d248cfc8) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/ThreadTimers.h:101
            item = {static isRef = <optimized out>, m_ptr = 0x7f306b613000}
            timer = <optimized out>
            interval = <optimized out>
            timeToQuit = {static clockType = WTF::ClockType::Monotonic, m_value = 1624734.0698240001}
    #3  0x00007f30e113fc04 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7f30d248cfc8) at /usr/src/debug/webkitgtk-2.24.3/Source/WebCore/platform/ThreadTimers.cpp:101
    #4  0x00007f30dd842f14 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>) at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:171
            timer = 0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>
            source = 0x5627f7813fd0
    #5  0x00007f30dd842f14 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
    #6  0x00007f30dde7b34f in g_main_dispatch (context=0x5627f7362d40) at ../glib/glib/gmain.c:3189
            dispatch = 0x7f30dd842880 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)>
            prev_source = 0x0
            was_in_call = 0
            user_data = 0x7f30e24ac9b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>
            callback = 0x7f30dd842f00 <WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer)>
            cb_funcs = <optimized out>
            cb_data = 0x5627f78190b0
            need_destroy = <optimized out>
            source = 0x5627f7813fd0
            current = 0x5627f73ca5d0
            i = 0
    #7  0x00007f30dde7b34f in g_main_context_dispatch (context=context at entry=0x5627f7362d40) at ../glib/glib/gmain.c:3854
    #8  0x00007f30dde7d240 in g_main_context_iterate (context=0x5627f7362d40, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../glib/glib/gmain.c:3927
            max_priority = 2147483647
            timeout = 21
            some_ready = 1
            nfds = <optimized out>
            allocated_nfds = <optimized out>
            fds = 0x5627f79502b0
    #9  0x00007f30dde7e123 in g_main_loop_run (loop=0x5627f74e0d30) at ../glib/glib/gmain.c:4123
            __FUNCTION__ = "g_main_loop_run"
    #10 0x00007f30dd843358 in WTF::RunLoop::run() () at /usr/src/debug/webkitgtk-2.24.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:96
            runLoop = 
                @0x7f30d24fa000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 19}, <No data fields>}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7f30ddafce40 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, <No data fields>}}}, m_functionQueue = {m_start = 5, m_end = 5, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()> >> = {m_buffer = 0x7f30d24e5100, m_capacity = 16, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x5627f7362d40}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop> >> = {m_buffer = 0x7f30d24fd180, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x5627f742a400}}
            mainContext = 0x5627f7362d40
            innermostLoop = 0x5627f74e0d30
            nestedMainLoop = <optimized out>
    #11 0x00007f30e00f6f1a in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argv=<optimized out>, argc=3) at /usr/src/debug/webkitgtk-2.24.3/Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47
            auxiliaryMain = 
                  {<WebKit::AuxiliaryProcessMainBase> = {_vptr.AuxiliaryProcessMainBase = 0x7f30e22db9c0 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, clientIdentifier = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, processIdentifier = {<WTF::constexpr_Optional_base<WTF::ObjectIdentifier<WebCore::ProcessIdentifierType> >> = {init_ = true, storage_ = {dummy_ = 14 '\016', value_ = {<WTF::ObjectIdentifierBase> = {<No data fields>}, m_identifier = 14}}}, <No data fields>}, connectionIdentifier = 35, extraInitializationData = {m_impl = {static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}, processType = WebKit::AuxiliaryProcess::ProcessType::WebContent}}, <No data fields>}
    #12 0x00007f30e00f6f1a in WebKit::WebProcessMainUnix(int, char**) (argc=3, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.24.3/Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:67
    #13 0x00007f30df36fee3 in __libc_start_main () at /usr/lib/libc.so.6
    #14 0x00005627f6f6f8ae in _start ()

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190808/667e4cbb/attachment.html>

More information about the webkit-unassigned mailing list