
Issue metadata

Status: Fixed
Owner: (email to this user bounced)
Closed: Oct 2011
OS: All
Pri: 1
Type: Bug-Security


repeatedly re-setting video.src crashes in WebCore::VideoLayerChromium::updateCompositorResources

Reported by fischman@chromium.org, Oct 7 2011

Issue description

Setting video.src at an unlucky point during initialization/playback causes a crash.
(It used to cause a hang, but that was fixed in r104542, exposing this crash.)

Load this snippet in the browser, wait for a few reloads, and watch the "Aw, Snap!" page come up:

<!DOCTYPE html>
<html>
  <head>
    <script>
      // Re-point video.src at a random moment (0-1000 ms later), forever.
      // Sooner or later a reset lands mid-initialization/playback and the
      // renderer crashes in VideoLayerChromium::updateCompositorResources.
      function SetSrc() {
        document.getElementById("video").src =
          "http://mirror.cessen.com/blender.org/peach/trailer/trailer_400p.ogg";
        setTimeout(SetSrc, Math.random() * 1000);
      }
    </script>
  </head>
  <body onload="SetSrc()">
    <video id="video" autoplay controls></video>
  </body>
</html>

Debugging the dropped core, we see the SEGV in thread 1 below:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f966cf7a3b2 in WebCore::VideoLayerChromium::updateCompositorResources (this=0x7f965bd6d400, context=0x7f965d8f5dc0, allocator=0x7f965d8c25e0)
    at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/VideoLayerChromium.cpp:102
102         VideoFrameChromium* frame = m_provider->getCurrentFrame();
(gdb) thread apply all bt

Thread 5 (Thread 25269):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
#1  0x00007f966b070e69 in base::ConditionVariable::Wait (this=0x7f965cf834f8) at ../../base/synchronization/condition_variable_posix.cc:35
#2  0x00007f966b032f53 in base::WaitableEvent::TimedWait (this=0x7f966a507880, max_time=...) at ../../base/synchronization/waitable_event_posix.cc:206
#3  0x00007f966b032c97 in base::WaitableEvent::Wait (this=0x7f966a507880) at ../../base/synchronization/waitable_event_posix.cc:153
#4  0x00007f966affca4e in base::MessagePumpDefault::Run (this=0x7f966a507870, delegate=0x7f965cf83ba8) at ../../base/message_pump_default.cc:42
#5  0x00007f966aff25a7 in MessageLoop::RunInternal (this=0x7f965cf83ba8) at ../../base/message_loop.cc:444
#6  0x00007f966aff1e35 in MessageLoop::RunHandler (this=0x7f965cf83ba8) at ../../base/message_loop.cc:417
#7  0x00007f966aff1e0d in MessageLoop::Run (this=0x7f965cf83ba8) at ../../base/message_loop.cc:341
#8  0x00007f966b042999 in base::Thread::Run (this=0x7f966a47c280, message_loop=0x7f965cf83ba8) at ../../base/threading/thread.cc:128
#9  0x00007f966b042ac9 in base::Thread::ThreadMain (this=0x7f966a47c280) at ../../base/threading/thread.cc:163
#10 0x00007f966b03dcb5 in base::(anonymous namespace)::ThreadFunc (params=0x7f966a4ab100) at ../../base/threading/platform_thread_posix.cc:54
#11 0x00007f9665b179ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#12 0x00007f966358870d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#13 0x0000000000000000 in ?? ()

Thread 4 (Thread 25266):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
#1  0x00007f966b070e69 in base::ConditionVariable::Wait (this=0x7f965e8ed4f8) at ../../base/synchronization/condition_variable_posix.cc:35
#2  0x00007f966b032f53 in base::WaitableEvent::TimedWait (this=0x7f966a4ac340, max_time=...) at ../../base/synchronization/waitable_event_posix.cc:206
#3  0x00007f966b032c97 in base::WaitableEvent::Wait (this=0x7f966a4ac340) at ../../base/synchronization/waitable_event_posix.cc:153
#4  0x00007f966affca4e in base::MessagePumpDefault::Run (this=0x7f966a4ac330, delegate=0x7f965e8edba8) at ../../base/message_pump_default.cc:42
#5  0x00007f966aff25a7 in MessageLoop::RunInternal (this=0x7f965e8edba8) at ../../base/message_loop.cc:444
#6  0x00007f966aff1e35 in MessageLoop::RunHandler (this=0x7f965e8edba8) at ../../base/message_loop.cc:417
#7  0x00007f966aff1e0d in MessageLoop::Run (this=0x7f965e8edba8) at ../../base/message_loop.cc:341
#8  0x00007f966b042999 in base::Thread::Run (this=0x7f966a460978, message_loop=0x7f965e8edba8) at ../../base/threading/thread.cc:128
#9  0x00007f966b042ac9 in base::Thread::ThreadMain (this=0x7f966a460978) at ../../base/threading/thread.cc:163
#10 0x00007f966b03dcb5 in base::(anonymous namespace)::ThreadFunc (params=0x7f966a4aba00) at ../../base/threading/platform_thread_posix.cc:54
#11 0x00007f9665b179ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#12 0x00007f966358870d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#13 0x0000000000000000 in ?? ()

Thread 3 (Thread 25265):
#0  syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:39
#1  0x00007f966d056167 in epoll_wait (epfd=13, events=0x7f966a457380, maxevents=32, timeout=-1) at ../../third_party/libevent/epoll_sub.c:51
#2  0x00007f966d055cc5 in epoll_dispatch (base=0x7f966a4af700, arg=0x7f966a4ac3c0, tv=0x0) at ../../third_party/libevent/epoll.c:198
#3  0x00007f966d050f10 in event_base_loop (base=0x7f966a4af700, flags=1) at ../../third_party/libevent/event.c:516
#4  0x00007f966afb772b in base::MessagePumpLibevent::Run (this=0x7f966a410d20, delegate=0x7f965f0eeba8) at ../../base/message_pump_libevent.cc:260
#5  0x00007f966aff25a7 in MessageLoop::RunInternal (this=0x7f965f0eeba8) at ../../base/message_loop.cc:444
#6  0x00007f966aff1e35 in MessageLoop::RunHandler (this=0x7f965f0eeba8) at ../../base/message_loop.cc:417
#7  0x00007f966aff1e0d in MessageLoop::Run (this=0x7f965f0eeba8) at ../../base/message_loop.cc:341
#8  0x00007f966b042999 in base::Thread::Run (this=0x7fffa163f698, message_loop=0x7f965f0eeba8) at ../../base/threading/thread.cc:128
#9  0x00007f966b042ac9 in base::Thread::ThreadMain (this=0x7fffa163f698) at ../../base/threading/thread.cc:163
#10 0x00007f966b03dcb5 in base::(anonymous namespace)::ThreadFunc (params=0x7f966a4ab900) at ../../base/threading/platform_thread_posix.cc:54
#11 0x00007f9665b179ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#12 0x00007f966358870d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#13 0x0000000000000000 in ?? ()

Thread 2 (Thread 25268):
#0  sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:86
#1  0x00007f966b7e78a6 in v8::internal::LinuxSemaphore::Wait (this=0x7f966a424ea0) at ../../v8/src/platform-linux.cc:803
#2  0x00007f966b6c3257 in v8::internal::RuntimeProfiler::WaitForSomeIsolateToEnterJS () at ../../v8/src/runtime-profiler.cc:311
#3  0x00007f966b6c344e in v8::internal::RuntimeProfilerRateLimiter::SuspendIfNecessary (this=0x7f966a47c32c) at ../../v8/src/runtime-profiler.cc:357
#4  0x00007f966b7e8b39 in v8::internal::SignalSender::Run (this=0x7f966a47c300) at ../../v8/src/platform-linux.cc:1028
#5  0x00007f966b7e76b6 in v8::internal::ThreadEntry (arg=0x7f966a47c300) at ../../v8/src/platform-linux.cc:680
#6  0x00007f9665b179ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#7  0x00007f966358870d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#8  0x0000000000000000 in ?? ()

Thread 1 (Thread 25264):
#0  0x00007f966cf7a3b2 in WebCore::VideoLayerChromium::updateCompositorResources (this=0x7f965bd6d400, context=0x7f965d8f5dc0, allocator=0x7f965d8c25e0)
    at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/VideoLayerChromium.cpp:102
#1  0x00007f966cf8ac9a in WebCore::CCLayerTreeHost::updateCompositorResources (this=0x7f966a4c3480, layer=0x7f965bd6d400, context=0x7f965d8f5dc0, allocator=0x7f965d8c25e0)
    at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp:397
#2  0x00007f966cf89d54 in WebCore::CCLayerTreeHost::updateCompositorResources (this=0x7f966a4c3480, renderSurfaceLayerList=..., context=0x7f965d8f5dc0, allocator=0x7f965d8c25e0)
    at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp:378
#3  0x00007f966cf89a36 in WebCore::CCLayerTreeHost::commitToOnCCThread (this=0x7f966a4c3480, hostImpl=0x7f965d8f5d40)
    at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp:128
#4  0x00007f966cf90816 in WebCore::CCSingleThreadProxy::commitIfNeeded (this=0x7f965d8f5d00) at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/cc/CCSingleThreadProxy.cpp:251
#5  0x00007f966cf9100f in WebCore::CCSingleThreadProxy::compositeImmediately (this=0x7f965d8f5d00)
    at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/cc/CCSingleThreadProxy.cpp:192
#6  0x00007f966cf8a262 in WebCore::CCLayerTreeHost::composite (this=0x7f966a4c3480) at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp:246
#7  0x00007f966cd11c77 in WebKit::WebViewImpl::composite (this=0x7f966a4b4000) at ../../third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:1171
#8  0x00007f966ad137a0 in RenderWidget::DoDeferredUpdate (this=0x7f966a477800) at ../../content/renderer/render_widget.cc:810
#9  0x00007f966ad103b9 in RenderWidget::DoDeferredUpdateAndSendInputAck (this=0x7f966a477800) at ../../content/renderer/render_widget.cc:678
#10 0x00007f966ad0eb32 in RenderWidget::OnUpdateRectAck (this=0x7f966a477800) at ../../content/renderer/render_widget.cc:366
#11 0x00007f966ad160a7 in IPC::Dispatch (msg=0x7f965bfd06a0, obj=0x7f966a477800, sender=0x7f966a477800, func=...)
    at /usr/local/google/fischman/src/chromium/src/ninja/Debug/../../ipc/ipc_message.h:137
#12 0x00007f966ad0e241 in RenderWidget::OnMessageReceived (this=0x7f966a477800, message=...) at ../../content/renderer/render_widget.cc:195
#13 0x00007f966ace28dd in RenderView::OnMessageReceived (this=0x7f966a477800, message=...) at ../../content/renderer/render_view.cc:694
#14 0x00007f966ab4101e in MessageRouter::RouteMessage (this=0x7f966a41d6f0, msg=...) at ../../content/common/message_router.cc:46
#15 0x00007f966ab40f9e in MessageRouter::OnMessageReceived (this=0x7f966a41d6f0, msg=...) at ../../content/common/message_router.cc:38
#16 0x00007f966aa50288 in ChildThread::OnMessageReceived (this=0x7f966a41d6c8, msg=...) at ../../content/common/child_thread.cc:169
#17 0x00007f966c718a2e in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ()
#18 0x00007f966c71ca07 in DispatchToMethod (obj=0x7f966a457a80, method=..., arg=...) at /usr/local/google/fischman/src/chromium/src/ninja/Debug/../../base/tuple.h:547
#19 0x00007f966c71c906 in RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), Tuple1<IPC::Message> >::Run (this=0x7f965bfd0680)
    at /usr/local/google/fischman/src/chromium/src/ninja/Debug/../../base/task.h:349
#20 0x00007f966b03d6b1 in base::subtle::TaskClosureAdapter::Run (this=0x7f965d978390) at ../../base/task.cc:71
#21 0x00007f966aff7b92 in base::internal::Invoker1<false, base::internal::InvokerStorage1<void (base::subtle::TaskClosureAdapter::*)(), base::subtle::TaskClosureAdapter*>, void (base::subtle::TaskClosureAdapter::*)()>::DoInvoke (base=0x7f965bd72210) at /usr/local/google/fischman/src/chromium/src/ninja/Debug/../../base/bind_internal.h:596
#22 0x00007f966adfeffe in base::Callback<void ()>::Run(void) const (this=0x7fffa163f170) at /usr/local/google/fischman/src/chromium/src/ninja/Debug/../../base/callback.h:269
#23 0x00007f966aff2b02 in MessageLoop::RunTask (this=0x7fffa163fb58, pending_task=...) at ../../base/message_loop.cc:481
#24 0x00007f966aff2c9a in MessageLoop::DeferOrRunPendingTask (this=0x7fffa163fb58, pending_task=...) at ../../base/message_loop.cc:497
#25 0x00007f966aff2e5e in MessageLoop::DoWork (this=0x7fffa163fb58) at ../../base/message_loop.cc:687
#26 0x00007f966affc94c in base::MessagePumpDefault::Run (this=0x7f966a475cf0, delegate=0x7fffa163fb58) at ../../base/message_pump_default.cc:23
#27 0x00007f966aff25a7 in MessageLoop::RunInternal (this=0x7fffa163fb58) at ../../base/message_loop.cc:444
#28 0x00007f966aff1e35 in MessageLoop::RunHandler (this=0x7fffa163fb58) at ../../base/message_loop.cc:417
#29 0x00007f966aff1e0d in MessageLoop::Run (this=0x7fffa163fb58) at ../../base/message_loop.cc:341
#30 0x00007f966acd3847 in RendererMain (parameters=...) at ../../content/renderer/renderer_main.cc:228
#31 0x00007f966aa43a3d in (anonymous namespace)::RunZygote (main_function_params=..., delegate=0x7fffa16405f8) at ../../content/app/content_main.cc:222
#32 0x00007f966aa437c9 in (anonymous namespace)::RunNamedProcessTypeMain (process_type=..., main_function_params=..., delegate=0x7fffa16405f8) at ../../content/app/content_main.cc:259
#33 0x00007f966aa43273 in content::ContentMain (argc=2, argv=0x7fffa1640758, delegate=0x7fffa16405f8) at ../../content/app/content_main.cc:442
#34 0x00007f966aa4096e in ChromeMain (argc=2, argv=0x7fffa1640758) at ../../chrome/app/chrome_main.cc:32
#35 0x00007f966aa40922 in main (argc=2, argv=0x7fffa1640758) at ../../chrome/app/chrome_exe_main_gtk.cc:18

This is on a z600/glucid 16.0.904.0 (Developer Build 104560-dirty)
 

Comment 1 by jsc...@chromium.org, Oct 12 2011

Labels: -Type-Bug Type-Security Restrict-View-SecurityTeam
Looks like a security issue based on comment in  bug 97807 . Hiding for now and I'll investigate tomorrow.

Comment 2 by jsc...@chromium.org, Oct 12 2011

Cc: jsc...@chromium.org
Labels: SecSeverity-High Feature-GPU-Video
VideoLayerChromium::m_provider is stale. I'm not familiar with this code, but according to the comments VideoLayerChromium is expected to outlive WebMediaPlayerClientImpl. So, it looks like we just need to clear the corresponding m_provider in ~WebMediaPlayerClientImpl(). I've attached a patch that stops the crash, but I'm not sure about a layout test.


bug99553.diff
2.0 KB View Download
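The stale-pointer pattern jschuh describes above, as an added stand-alone model in C++. This is example code, not Chromium or WebKit code and not the contents of bug99553.diff or WebKit r97451; the names Layer, FrameProvider, Frame and the clearOnDestroy flag are hypothetical stand-ins for VideoLayerChromium, WebMediaPlayerClientImpl and VideoFrameChromium. It shows the compositor layer holding a raw, non-owning pointer to a provider that is torn down first (the video.src reset), the unfixed destructor leaving that pointer dangling, and the proposed fix of clearing it from the provider's destructor so the next update is a safe no-op rather than a use-after-free.

```cpp
// Added illustration, not Chromium or WebKit code: a stand-alone model of the
// stale m_provider bug from comment 2 and of the fix it proposes. Names
// (Layer, FrameProvider, Frame, clearOnDestroy) are hypothetical stand-ins.
#include <iostream>

struct Frame {
    int id;
};

class Layer;

// Provider side. In the real bug this is torn down when video.src is reset,
// while the compositor layer that points at it lives on.
class FrameProvider {
public:
    FrameProvider(Layer* layer, bool clearOnDestroy);
    ~FrameProvider();
    Frame* getCurrentFrame() { return &m_frame; }

private:
    Layer* m_layer;
    bool m_clearOnDestroy;   // false models the unfixed destructor
    Frame m_frame{42};       // constructed sample frame
};

// Compositor-layer side. Holds a raw, non-owning pointer to the provider.
class Layer {
public:
    void setProvider(FrameProvider* p) { m_provider = p; }
    FrameProvider* provider() const { return m_provider; }

    // Vulnerable shape (VideoLayerChromium.cpp:102 in the report): dereferences
    // m_provider without knowing whether the provider is still alive.
    // Never call this after the provider has been destroyed.
    int updateUnchecked() {
        Frame* frame = m_provider->getCurrentFrame();
        return frame->id;
    }

    // Hardened shape: once the provider clears the pointer on destruction,
    // a null m_provider reliably means "no frame this commit".
    int updateChecked() {
        if (!m_provider)
            return -1;
        Frame* frame = m_provider->getCurrentFrame();
        return frame ? frame->id : -1;
    }

private:
    FrameProvider* m_provider = nullptr;
};

FrameProvider::FrameProvider(Layer* layer, bool clearOnDestroy)
    : m_layer(layer), m_clearOnDestroy(clearOnDestroy) {
    if (m_layer)
        m_layer->setProvider(this);
}

// The fix from comment 2, modeled: the provider's destructor clears the
// layer's back-pointer so the layer can never observe a freed provider.
FrameProvider::~FrameProvider() {
    if (m_clearOnDestroy && m_layer && m_layer->provider() == this)
        m_layer->setProvider(nullptr);
}

// Provider alive: the layer gets the current frame.
int frameIdWhileAlive() {
    Layer layer;
    FrameProvider provider(&layer, true);
    return layer.updateChecked();            // 42
}

// Unfixed destructor: after the provider goes away the layer still holds a
// non-null (dangling) pointer. updateUnchecked() here would be the crash.
bool layerDanglesWithoutFix() {
    Layer layer;
    {
        FrameProvider provider(&layer, false);
    }
    return layer.provider() != nullptr;      // true: stale m_provider
}

// Fixed destructor: pointer cleared, so the next compositor update is a
// safe no-op instead of a use-after-free.
int updateAfterProviderGoneWithFix() {
    Layer layer;
    {
        FrameProvider provider(&layer, true);
    }
    return layer.updateChecked();            // -1, provider() is now nullptr
}

int main() {
    std::cout << "alive: " << frameIdWhileAlive() << "\n"
              << "dangling without fix: " << layerDanglesWithoutFix() << "\n"
              << "update after teardown with fix: "
              << updateAfterProviderGoneWithFix() << "\n";
    return 0;
}
```

One caveat a reviewer would raise on this shape: clearing a raw back-pointer from a destructor is only sound when destruction and the consumer's dereference happen on the same thread, which holds in the trace above (CCSingleThreadProxy::compositeImmediately on the renderer main thread). Under a threaded compositor the same fix would need a lock or a reference-counted handoff rather than a bare pointer.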

Comment 3 by jsc...@chromium.org, Oct 12 2011

Labels: -Pri-2 Pri-1 SecImpacts-Stable ReleaseBlock-Stable SecImpacts-Beta WebKit-69973 OS-All Mstone-15
Owner: hclam@chromium.org
Reported upstream: https://bugs.webkit.org/show_bug.cgi?id=69973

Comment 4 by scherkus@chromium.org, Oct 12 2011

could I (scherkus@chromium.org) get cc'd on the wk bug?

Comment 5 by jsc...@chromium.org, Oct 12 2011

Done

Comment 6 by laforge@google.com, Oct 12 2011

Labels: -WebKit-69973 WebKit-ID-69973

Comment 7 by jsc...@chromium.org, Oct 13 2011

Cc: jam...@chromium.org

Comment 8 by vrk@chromium.org, Oct 14 2011

Cc: -jsc...@chromium.org
Owner: jsc...@chromium.org
Status: Started
jschuh has a patch up in WebKit!

Comment 9 by jsc...@chromium.org, Oct 14 2011

Labels: Merge-Approved
Status: FixUnreleased
Landed upstream: http://trac.webkit.org/changeset/97451

Comment 10 by cdn@chromium.org, Oct 17 2011

Labels: -Merge-Approved Merge-Pending
Labels: -Mstone-15 -Merge-Pending Mstone-16
I'm not confident this is a clean merge to m15. So, punting to m16 (where no merge is needed).
Labels: -Mstone-16 Mstone-15
Owner: vrk@chromium.org
vrk is confident!
Labels: Merge-Approved
@vrk knows the code better than I, so have at it. Just remember the deadline for merges is tonight.

Comment 14 by vrk@chromium.org, Oct 18 2011

Labels: -Merge-Approved Merge-Merged
Merged into WebKit r97679.
Labels: merge-merged-874
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify CVE-2011-3890

Comment 17 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed..

Comment 18 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 19 by laforge@google.com, Jan 18 2013

Labels: Restrict-View-EditIssue

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -Feature-Media -SecSeverity-High -Feature-GPU-Video -SecImpacts-Stable -SecImpacts-Beta -Mstone-15 Cr-Content Cr-Internals-Media Security-Impact-Stable Security-Impact-Beta Security-Severity-High M-15 Type-Bug-Security Cr-Internals-GPU-Video

Comment 21 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 26 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

Labels: allpublic
