[Webkit-unassigned] [Bug 250477] New: REGRESSION(256018 at main): [WPE][GTK] Crash in WebCore::AVIFImageReader::parseHeader, deep in dav1d

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 11 14:42:31 PST 2023 

https://bugs.webkit.org/show_bug.cgi?id=250477

            Bug ID: 250477
           Summary: REGRESSION(256018 at main): [WPE][GTK] Crash in
                    WebCore::AVIFImageReader::parseHeader, deep in dav1d
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org, mmaxfield at apple.com

Created attachment 464458

  --> https://bugs.webkit.org/attachment.cgi?id=464458&action=review

Full backtrace

Reproducer: visit https://www.kmov.com/2023/01/11/legal-documents-claim-racism-retaliation-st-louis-circuit-attorneys-office-circuit-attorney-kim-gardner/ in Ephy Tech Preview, the web process will crash 100% of the time. The crash is deep in dav1d, so presumably it is a bug there. I found the issue tracker here: https://code.videolan.org/videolan/dav1d/-/issues. But I'm not very motivated to create an account there to report one bug, so I decided to do it here instead, and point the dav1d developers to it here. They can create their own issue if desired.

For us on WebKit Bugzilla, all we have to do is decide whether to live with the crash or disable the AVIF support. I think we should tolerate it if fixed quickly, and disable AVIF support by reverting 256018 at main otherwise.

This is with dav1d 1.0.0 from freedesktop-sdk 22.08.5, build rules here: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/362fe115679a444c19c75ff2da330c57d57ef245/elements/components/dav1d.bst

CC: Myles only for interest, since the same issue may or may not exist in PAL's copy of dav1d (that is NOT used here).

#0  0x00007f629d0be3a2 in dav1d_msac_decode_symbol_adapt16_avx2 () at /usr/lib/x86_64-linux-gnu/libdav1d.so.6
#1  0x00007f629d1f312c in decode_sb (t=t at entry=0x55de6ecf27c0, bl=bl at entry=BL_64X64, node=<optimized out>)
    at ../src/decode.c:2334
#2  0x00007f629d1f488a in dav1d_decode_tile_sbrow (t=0x55de6ecf27c0) at ../src/decode.c:2889
#3  0x00007f629d200d33 in dav1d_decode_frame_main (f=0x55de6ecf1260) at ../src/decode.c:3383
#4  dav1d_decode_frame (f=0x55de6ecf1260) at ../src/decode.c:3458
#5  dav1d_submit_frame (c=<optimized out>) at ../src/decode.c:3838
#6  0x00007f629d2016fa in dav1d_parse_obus (c=<optimized out>, in=<optimized out>, global=<optimized out>)
    at ../src/obu.c:1626
#7  0x00007f629d1d6a03 in gen_picture (c=c at entry=0x55de6ecdb680) at ../src/lib.c:425
#8  0x00007f629d1ddf9f in dav1d_send_data (c=0x55de6ecdb680, in=in at entry=0x7fff34da8130) at ../src/lib.c:455
#9  0x00007f62a19769a8 in dav1dCodecGetNextImage
    (codec=0x55de6eaa6c00, decoder=<optimized out>, sample=0x55de6ec25950, alpha=0, isLimitedRangeAlpha=0x7fff34da8334, image=0x55de6ea5c5b0) at /usr/lib/debug/source/sdk/libavif.bst/src/codec_dav1d.c:93
#10 0x00007f62a1967a08 in avifDecoderDecodeTiles
    (decoder=decoder at entry=0x55de6ec66510, nextImageIndex=nextImageIndex at entry=0, firstTileIndex=firstTileIndex at entry=0, tileCount=<optimized out>, decodedTileCount=<optimized out>)
    at /usr/lib/debug/source/sdk/libavif.bst/src/read.c:3853
#11 0x00007f62a196d52d in avifDecoderNextImage (decoder=0x55de6ec66510)
    at /usr/lib/debug/source/sdk/libavif.bst/src/read.c:3936
#12 0x00007f62a470deb6 in WebCore::AVIFImageReader::parseHeader(WebCore::SharedBuffer const&, bool)
    (this=this at entry=0x7f60df9df9c0, data=<optimized out>, allDataReceived=allDataReceived at entry=true)
    at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#13 0x00007f62a470dc41 in WebCore::AVIFImageDecoder::tryDecodeSize(bool)
     (this=0x7f60df9d85e0, allDataReceived=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#14 0x00007f62a470ce61 in WebCore::ScalableImageDecoder::setData(WebCore::FragmentedSharedBuffer const&, bool)
    (this=0x7f60df9d85e0, data=<optimized out>, allDataReceived=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:83
#15 0x00007f62a5f11ff0 in WebCore::BitmapImage::destroyDecodedData(bool)
     (this=0x7f629910c400, destroyAll=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#16 0x00007f62a458d7c7 in WebKit::NetworkProcessConnection::didCacheResource(WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&) (this=<optimized out>, request=..., handle=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:304
#17 0x00007f62a40034f4 in _ZZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES2_FvRKN7WebCore15ResourceRequestERKNS1_17ShareableResource6HandleEESt5tupleIJS4_S8_EEEEvPT_MT0_T1_OT2_ENKUlDpOT_E_clIJS4_S8_EEEDaSN_
    (__closure=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:133
#18 _ZSt13__invoke_implIvZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_S9_EESF_St14__invoke_otherOSH_DpOT1_ (__f=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:61
#19 _ZSt8__invokeIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_S9_EENSt15__invoke_resultISF_JDpT0_EE4typeEOSF_DpOSR_ (__fn=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:96
#20 _ZSt12__apply_implIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_SE_JLm0ELm1EEEDcOSF_OSH_St16integer_sequenceImJXspT1_EEE (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1852
#21 _ZSt5applyIZN3IPC18callMemberFunctionIN6WebKit24NetworkProcessConnectionES3_FvRKN7WebCore15ResourceRequestERKNS2_17ShareableResource6HandleEESt5tupleIJS5_S9_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_SE_EDcOSF_OSH_ (__t=..., __f=<optimized out>)
    at /usr/include/c++/12.1.0/tuple:1863
#22 IPC::callMemberFunction<WebKit::NetworkProcessConnection, WebKit::NetworkProcessConnection, void (WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&), std::tuple<WebCore::ResourceRequest, WebKit::ShareableResource::Handle> >(WebKit::NetworkProcessConnection*, void (WebKit::NetworkProcessConnection::*)(WebCore::ResourceRequest--Type <RET> for more, q to quit, c to continue without paging--c
 const&, WebKit::ShareableResource::Handle const&), std::tuple<WebCore::ResourceRequest, WebKit::ShareableResource::Handle>&&) (tuple=..., function=<optimized out>, object=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:131
#23 IPC::handleMessage<Messages::NetworkProcessConnection::DidCacheResource, WebKit::NetworkProcessConnection, WebKit::NetworkProcessConnection, void (WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&)>(IPC::Connection&, IPC::Decoder&, WebKit::NetworkProcessConnection*, void (WebKit::NetworkProcessConnection::*)(WebCore::ResourceRequest const&, WebKit::ShareableResource::Handle const&)) (decoder=..., object=object at entry=0x7f6299014240, function=<optimized out>, connection=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:227
#24 0x00007f62a4003f64 in WebKit::NetworkProcessConnection::didReceiveNetworkProcessConnectionMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f6299014240, connection=<optimized out>, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/NetworkProcessConnectionMessageReceiver.cpp:71
#25 0x00007f62a41ffe0a in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f62990284e0, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1241
#26 0x00007f62a42018da in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f62990284e0) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
#27 0x00007f62a2e6c3e5 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:79
#28 WTF::RunLoop::performWork() (this=0x7f62990100e0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147
#29 0x00007f62a2ecdc8d in operator() (userData=<optimized out>, __closure=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#30 _FUN(gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#31 0x00007f62a2ece70d in operator() (__closure=0x0, userData=0x7f62990100e0, callback=0x7f62a2ecdc80 <_FUN(gpointer)>, source=0x55de6e3297b0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#32 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#33 0x00007f629fb66301 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3454
#34 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4172
#35 0x00007f629fb66858 in g_main_context_iterate (context=0x55de6e2e7b40, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../glib/gmain.c:4248
#36 0x00007f629fb66b3f in g_main_loop_run (loop=0x55de6e2e1710) at ../glib/gmain.c:4448
#37 0x00007f62a2ece870 in WTF::RunLoop::run() () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#38 0x00007f62a466501f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argc=3, argv=0x7fff34da8be8, this=0x7fff34da8a50) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:71
#39 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argv=0x7fff34da8be8, argc=3, this=0x7fff34da8a50) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:58
#40 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=3, argv=0x7fff34da8be8) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:97
#41 0x00007f62a342954a in __libc_start_call_main (main=main at entry=0x55de6c686060 <main>, argc=argc at entry=3, argv=argv at entry=0x7fff34da8be8) at ../sysdeps/nptl/libc_start_call_main.h:58
#42 0x00007f62a342960b in __libc_start_main_impl (main=0x55de6c686060 <main>, argc=3, argv=0x7fff34da8be8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:389
#43 0x000055de6c686095 in _start ()

Full backtrace attached.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230111/f6e0b757/attachment-0001.htm>

More information about the webkit-unassigned mailing list