331661 – www-client/chromium-6.0.472.25 renderer processes crash when trying to play <video>/<audio>

Bug 331661 - www-client/chromium-6.0.472.25 renderer processes crash when trying to play <video>/<audio>

Summary: www-client/chromium-6.0.472.25 renderer processes crash when trying to play <...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Chromium Project

URL:	http://code.google.com/p/chromium/iss...
Whiteboard:	ht-wanted
Keywords:

Depends on:
Blocks:

Reported:	2010-08-08 15:46 UTC by Enne Eziarc
Modified:	2010-08-12 19:51 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Enne Eziarc 2010-08-08 15:46:15 UTC

Last known working version is 6.0.472.14. Tried testing the -9999 ebuild but it wouldn't compile today.

Backtrace (a Youtube HTML5 video, it looks identical for audio though):

#0  0x0000000000000000 in ?? ()
#1  0x00000000011a6801 in media::FFmpegGlue::FFmpegGlue() ()
#2  0x00000000011a64d9 in media::FFmpegDemuxer::InitializeTask(media::DataSource*, CallbackRunner<Tuple0>*) ()
#3  0x0000000000b5a871 in MessageLoop::RunTask(Task*) ()
#4  0x0000000000b5ab5b in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) ()
#5  0x0000000000b5ae25 in MessageLoop::DoWork() ()
#6  0x0000000000b5b729 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ()
#7  0x0000000000b58463 in MessageLoop::RunInternal() ()
#8  0x0000000000b585fb in MessageLoop::Run() ()
#9  0x0000000000b76409 in base::Thread::ThreadMain() ()
#10 0x0000000000b642ea in ThreadFunc(void*) ()
#11 0x00000034096067ea in start_thread () from /lib/libpthread.so.0
#12 0x0000003408acf0bd in clone () from /lib/libc.so.6

Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-08-08 16:15:50 UTC

Here's a more detailed stack trace, thanks to -ggdb3 (later frames omitted, they are probably irrelevant):

#0  0x00000000 in ?? ()
#1  0x08dd7885 in FFmpegGlue (this=0xab20cd0) at media/filters/ffmpeg_glue.cc:133
#2  0x08dd6e09 in DefaultSingletonTraits<media::FFmpegGlue>::New (this=0xac024e8, data_source=0xa9a7700, callback=0xab018f8) at ./base/singleton.h:22
#3  Singleton<media::FFmpegGlue, DefaultSingletonTraits<media::FFmpegGlue>, media::FFmpegGlue>::get (this=0xac024e8, data_source=0xa9a7700, 
    callback=0xab018f8) at ./base/singleton.h:197
#4  media::FFmpegDemuxer::InitializeTask (this=0xac024e8, data_source=0xa9a7700, callback=0xab018f8) at media/filters/ffmpeg_demuxer.cc:381

FFmpegGlue::FFmpegGlue() {
  // Before doing anything disable logging as it interferes with layout tests.
  av_log_set_level(AV_LOG_QUIET);  // CRASHES HERE (?)

  // Register our protocol glue code with FFmpeg.
  avcodec_init();
  av_register_protocol(&kFFmpegURLProtocol);
  av_lockmgr_register(&LockManagerOperation);

  // Now register the rest of FFmpeg.
  av_register_all();
}

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-08-10 01:25:07 UTC

When using bundled ffmpeg, I'm getting this:

#1  0x08db97e9 in media::ScaleYUVToRGB32 (y_buf=0xa405f008 '\020' <repeats 200 times>..., 
    u_buf=0xa4109008 "\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200"..., 
    v_buf=0xa4133808 "\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200"..., rgb_buf=0xabaf7000 "", source_width=1280, source_height=544, width=600, height=255, y_pitch=1280, uv_pitch=640, 
    rgb_pitch=2400, yuv_type=<value optimized out>, view_rotate=media::ROTATE_0, filter=<value optimized out>) at media/base/yuv_convert.cc:314
#2  0x08d6780d in webkit_glue::VideoRendererImpl::FastPaint (this=0xaf3b9d0, video_frame=0xafa59f0, canvas=0xabf6acb8, dest_rect=...)
    at webkit/glue/media/video_renderer_impl.cc:304
#3  0x08d67d97 in webkit_glue::VideoRendererImpl::Paint (this=0xaf3b9d0, canvas=0xabf6acb8, dest_rect=...) at webkit/glue/media/video_renderer_impl.cc:80
#4  0x08da52f8 in webkit_glue::WebMediaPlayerImpl::Proxy::Paint (this=0xab457498, canvas=0xabf6acb8, dest_rect=...) at webkit/glue/webmediaplayer_impl.cc:92
#5  0x08da5b7d in webkit_glue::WebMediaPlayerImpl::paint (this=0xab4e3760, canvas=0xabf6acb8, rect=...) at webkit/glue/webmediaplayer_impl.cc:490
#6  0x08f6e248 in WebKit::WebMediaPlayerClientImpl::paint (this=0xab444ba0, context=0xb11a02a8, rect=...)
    at third_party/WebKit/WebKit/chromium/src/WebMediaPlayerClientImpl.cpp:341
#7  0x092b9ecd in WebCore::RenderVideo::paintReplaced (this=0xaafb340, paintInfo=..., tx=339, ty=200)
    at third_party/WebKit/WebCore/rendering/RenderVideo.cpp:180
#8  0x09292f8d in WebCore::RenderReplaced::paint (this=0xaafb340, paintInfo=..., tx=339, ty=200)
    at third_party/WebKit/WebCore/rendering/RenderReplaced.cpp:145
#9  0x0925afec in WebCore::RenderImage::paint (this=0xaafb340, paintInfo=..., tx=339, ty=200) at third_party/WebKit/WebCore/rendering/RenderImage.cpp:309
#10 0x0926ea29 in WebCore::RenderLayer::paintLayer (this=0xab41b080, rootLayer=0xab41a7bc, p=0xb11a02a8, paintDirtyRect=..., paintBehavior=0, 
    paintingRoot=0x0, overlapTestRequests=0xb119ffbc, paintFlags=0) at third_party/WebKit/WebCore/rendering/RenderLayer.cpp:2449
#11 0x0926da01 in WebCore::RenderLayer::paintList (this=0xab41a8ec, list=0xab41d898, rootLayer=0xab41a7bc, p=0xb11a02a8, paintDirtyRect=..., paintBehavior=0, 
    paintingRoot=0x0, overlapTestRequests=0xb119ffbc, paintFlags=0) at third_party/WebKit/WebCore/rendering/RenderLayer.cpp:2502
---Type <return> to continue, or q <return> to quit---
#12 0x0926e22c in WebCore::RenderLayer::paintLayer (this=0xab41a8ec, rootLayer=0xab41a7bc, p=0xb11a02a8, paintDirtyRect=..., paintBehavior=0, 
    paintingRoot=0x0, overlapTestRequests=0xb119ffbc, paintFlags=0) at third_party/WebKit/WebCore/rendering/RenderLayer.cpp:2470
#13 0x0926da01 in WebCore::RenderLayer::paintList (this=0xab41a7bc, list=0xae1a95c8, rootLayer=0xab41a7bc, p=0xb11a02a8, paintDirtyRect=..., paintBehavior=0, 
    paintingRoot=0x0, overlapTestRequests=0xb119ffbc, paintFlags=0) at third_party/WebKit/WebCore/rendering/RenderLayer.cpp:2502
#14 0x0926e22c in WebCore::RenderLayer::paintLayer (this=0xab41a7bc, rootLayer=0xab41a7bc, p=0xb11a02a8, paintDirtyRect=..., paintBehavior=0, 
    paintingRoot=0x0, overlapTestRequests=0xb119ffbc, paintFlags=0) at third_party/WebKit/WebCore/rendering/RenderLayer.cpp:2470
#15 0x0926eb35 in WebCore::RenderLayer::paint (this=0xab41a7bc, p=0xb11a02a8, damageRect=..., paintBehavior=0, paintingRoot=0x0)
    at third_party/WebKit/WebCore/rendering/RenderLayer.cpp:2255
#16 0x0917e155 in WebCore::FrameView::paintContents (this=0xab4e4130, p=0xb11a02a8, rect=...) at third_party/WebKit/WebCore/page/FrameView.cpp:1936
#17 0x091f85ca in WebCore::ScrollView::paint (this=0xab4e4130, context=0xb11a02a8, rect=...) at third_party/WebKit/WebCore/platform/ScrollView.cpp:797
#18 0x08f11c5b in WebKit::WebFrameImpl::paintWithContext (this=0xac0ab4d0, gc=..., rect=...) at third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:1814
#19 0x08f11d27 in WebKit::WebFrameImpl::paint (this=0xac0ab4d0, canvas=0xabf6acb8, rect=...) at third_party/WebKit/WebKit/chromium/src/WebFrameImpl.cpp:1836
#20 0x08f34ea5 in WebKit::WebViewImpl::paint (this=0xab4405f8, canvas=0xabf6acb8, rect=...) at third_party/WebKit/WebKit/chromium/src/WebViewImpl.cpp:929
#21 0x086df1d2 in RenderWidget::PaintRect (this=0xab47fa18, rect=..., canvas_origin=..., canvas=0xabf6acb8) at chrome/renderer/render_widget.cc:389
#22 0x086e1241 in RenderWidget::DoDeferredUpdate (this=0xab47fa18) at chrome/renderer/render_widget.cc:500
#23 0x086e1f02 in RenderWidget::CallDoDeferredUpdate (this=0xab47fa18) at chrome/renderer/render_widget.cc:425
#24 0x086e2edb in RenderWidget::OnUpdateRectAck (this=0xab47fa18) at chrome/renderer/render_widget.cc:282
#25 0x086dcf20 in IPC::Message::Dispatch<RenderWidget> (msg=0xae1b7560, obj=0xb119bc10, func=0xb119cc10) at ./ipc/ipc_message.h:134
#26 0x086e34d4 in RenderWidget::OnMessageReceived (this=0xab47fa18, msg=...) at chrome/renderer/render_widget.cc:143
#27 0x086cda52 in RenderView::OnMessageReceived (this=0xab47fa18, message=...) at chrome/renderer/render_view.cc:734

Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-08-11 21:55:58 UTC

Okay, repro steps (Release mode build):

1. Navigate to http://jilion.com/sublime/video
2. Click the big "play" button.
3. After a few seconds the tab crashes (sad tab), stack trace is posted above.

During the few seconds delay the movie does not play at all. It seems like when it would normally start playing, here it crashes.

Comment 4 PM 2010-08-12 09:52:29 UTC

chromium-6.0.472.33, ffmpeg-0.6: no crash


Portage 2.2_rc67 (default/linux/amd64/10.0/desktop/kde, gcc-4.4.4, glibc-2.11.2-r0, 2.6.34-zen1 x86_64)
=================================================================
System uname: Linux-2.6.34-zen1-x86_64-Pentium-R-_Dual-Core_CPU_T4300_@_2.10GHz-with-gentoo-2.0.1
Timestamp of tree: Wed, 11 Aug 2010 22:30:19 +0000
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
virtual/os-headers:  2.6.34
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe -g"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=native -pipe -g"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="pl_PL.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/kde-sunset /usr/local/portage/moje"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X Xaw3d a52 aac aalib acl acpi alsa amd64 amr amrnb amrwb async audiofile automount bash-completion berkdb bfq bineditor bluetooth branding bzip2 cairo cdaudio cddb cdio cdparanoia cdr cli consolekit cracklib crypt css cups curl cxx dbus devhelp dirac disk-partition divx djvu dri dts dvd dvdr editor emboss emovix enca encode exchange exif faac faad fam fat ffmpeg fftw firefox firefox3 flac fontconfig fortran gd gdbm geoip gif glitz gmedia gphoto2 gpm gtk hal hddtemp htmlhandbook iconv id3 id3tag imagemagick inotify ipod jack jpeg kde kde4 kdehiddenvisibility kipi kpathsea kqemu ladspa lame laptop lcms libcaca libnotify libsamplerate lm_sensors mad mikmod mjpeg mmap mmx mmxext mng modules mp3 mp3tunes mp4 mpeg mplayer mtp mudflap multilib musicbrainz ncurses nls nptl nptlonly nsplugin ntfs ogg openal opencore-amr opencore-amrnb opencore-amrwb opengl openmp pam pango pch pcre pdf perl plasma png policykit ppds pppd python qt-copy qt3 qt3support qt4 rar readline realmedia reflection roe sasl scanner schroedinger sdl secure-delete sensord session sndfile solver soundtouch sourceview spell spl sse sse2 ssl ssse3 startup-notification svg swat symlink sysfs syslog tcpd theora threads tiff truetype unicode upnp usb vamp vcd vorbis webkit wicd wmf wmp wxwidgets wxwindows x264 xcb xcomposite xine xml xorg xscreensaver xulrunner xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl" QEMU_SOFTMMU_TARGETS="x86_64 i386" QEMU_USER_TARGETS="x86_64 i386" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-08-12 19:51:35 UTC

Fixed in 6.0.472.33-r1, thanks for the report.

Piotr, 64-bit build seems to be unaffected.