- Bug
- Resolution: Done
- P2: Important
- None
- 5.12.3, 5.13.0
- None
- Windows 10 x64; QT 5.12.3 32-bit (WOW64)
- 56c9ec96237de4c7787c643c7ac7ac4e00c9a1d1 (qt/qtwebengine-chromium/73-based)
Environment Details:
64-bit version of Windows 8.1 or Windows 10 1903; 32-bit versions of Windows have not been checked, which does not mean the issue does not reproduce on 32-bit Windows.
Intel Core i-series processor (any model);
PC with camera;
32-bit Release builds of Qt and the Qt samples; does not reproduce in Debug builds of Qt and the samples.
Steps to reproduce:
1. Install Qt 5.12.3 or 5.13. Qt 5.12.0, 5.12.1 and 5.12.2 have not been checked yet.
2. Compile the 32-bit Sample Browser application with MSVC 2017.
3. Launch Sample Browser and open appr.tc with the VP8 video codec forced.
4. [Optional] Attach WinDBG or Visual Studio to QtWebEngineProcess.exe.
5. Click "join room" to launch the WebRTC session.
Actual result:
QtWebEngineProcess.exe crashes with an access violation at an arbitrary place inside the VP8 encoder. This was verified with a private build from sources, with PDBs available.
Expected result:
QtWebEngineProcess.exe does not crash, as was the case in version 5.11.3.
Details:
During many debugging sessions in which the crash reproduced, it was observed that it was almost always related to an SSE instruction attempting to read or write a memory address not aligned to 16 bytes, which is mandatory for most SSE instructions. The addresses themselves pointed into the heap and had read/write permission. No heap corruption was detected by WinDBG's !heap -s -v command.
The crash does not reproduce on Qt 5.11.3 or when using the 64-bit sample application. It also does not reproduce when the VP9 codec is selected.
One example of the output of !analyze -v in WinDBG from one of the crashed sessions:
```
0:014> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for C:\Users\IEUser\AppData\Local\ExampleApp\QtWebEngineProcess.exe

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 754

    Key  : Timeline.Process.Start.DeltaSec
    Value: 386

PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
    Name: <blank>
    Time: 2019-05-02T11:17:58.297Z
    Diff: 297 mSec

Timeline: Dump.Current
    Name: <blank>
    Time: 2019-05-02T11:17:58.0Z
    Diff: 0 mSec

Timeline: Process.Start
    Name: <blank>
    Time: 2019-05-02T11:11:32.0Z
    Diff: 386000 mSec

Timeline: OS.Boot
    Name: <blank>
    Time: 2019-05-02T11:05:24.0Z
    Diff: 754000 mSec

DUMP_CLASS: 2
DUMP_QUALIFIER: 0

FAULTING_IP:
Qt5WebEngineCore!vp8_fast_quantize_b_ssse3+79
6f0d5cec 660fe529        pmulhw  xmm5,xmmword ptr [ecx]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 6f0d5cec (Qt5WebEngineCore!vp8_fast_quantize_b_ssse3+0x00000079)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: ffffffff
Attempt to read from address ffffffff

FAULTING_THREAD:  000004a0

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  QtWebEngineProcess.exe

FOLLOWUP_IP:
Qt5WebEngineCore!vp8_fast_quantize_b_ssse3+79
6f0d5cec 660fe529        pmulhw  xmm5,xmmword ptr [ecx]

READ_ADDRESS:  ffffffff

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  ffffffff
WATSON_BKT_PROCSTAMP:  5cc1c414
WATSON_BKT_PROCVER:  5.12.3.0
PROCESS_VER_PRODUCT:  Qt5
WATSON_BKT_MODULE:  Qt5WebEngineCore.dll
WATSON_BKT_MODSTAMP:  5cc1c406
WATSON_BKT_MODOFFSET:  1985cec
WATSON_BKT_MODVER:  5.12.3.0
MODULE_VER_PRODUCT:  Qt5
BUILD_VERSION_STRING:  9600.18895.amd64fre.winblue_ltsb.180101-1800
MODLIST_WITH_TSCHKSUM_HASH:  97c805c5ad0bf8b687ac1b3cbb231c0af6fbc773
MODLIST_SHA1_HASH:  5bdf2ac02a26cb58aeeb58d33a1152f6c1e3bc1e
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  1
SUITE_MASK:  272
DUMP_TYPE:  fe
ANALYSIS_SESSION_HOST:  IE11WIN8_1
ANALYSIS_SESSION_TIME:  05-02-2019 04:17:58.0297
ANALYSIS_VERSION: 10.0.18362.1 x86fre
THREAD_ATTRIBUTES:
OS_LOCALE:  ENU
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

PROBLEM_CLASSES:
    ID:     [0n313]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x4a0]
    Frame:  [0] : Qt5WebEngineCore!vp8_fast_quantize_b_ssse3

    ID:     [0n285]
    Type:   [INVALID_POINTER_READ]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x4a0]
    Frame:  [0] : Qt5WebEngineCore!vp8_fast_quantize_b_ssse3

LAST_CONTROL_TRANSFER:  from 6e179d0a to 6f0d5cec

STACK_TEXT:
0494ec10 6e179d0a 05b2cd64 6e179d0a 05b2cd64 Qt5WebEngineCore!vp8_fast_quantize_b_ssse3+0x79
0494ec58 6e1db018 05b1a500 00000014 05b2c500 Qt5WebEngineCore!vp8_encode_inter16x16+0x1ba
0494ec7c 6e1d98a7 0494ed40 00021d40 000087a0 Qt5WebEngineCore!vp8cx_encode_inter_macroblock+0x2a8
0494ece0 6e1da17c 00000006 05b2c500 05b2d180 Qt5WebEngineCore!vp8_activity_masking+0x3a7
0494ed70 6e17ef70 05b34500 0494ef8c 05b1a500 Qt5WebEngineCore!vp8_encode_frame+0x38c
0494edd4 6e1807e1 06504020 06804620 0494ef88 Qt5WebEngineCore!vp8_loopfilter_frame+0x1290
0494ef30 6e8a1dd1 0494ef8c 06504020 06804620 Qt5WebEngineCore!vp8_get_compressed_data+0x7b1
0494f05c 6e1ddb09 05af5688 055556d8 0000e1ff Qt5WebEngineCore!vpx_img_free+0x1ab1
0494f09c 7036afe0 005ce468 055556d8 0000e1ff Qt5WebEngineCore!vpx_codec_encode+0x99
0494f2fc 70689e6a 0494f448 00000000 0494f488 Qt5WebEngineCore!webrtc::LibvpxVp8Encoder::Encode+0x4f6
0494f338 706865bf 0494f448 00000000 0494f488 Qt5WebEngineCore!webrtc::VCMGenericEncoder::Encode+0xc4
0494f5b8 705639c5 0494f60c 00000000 0543d050 Qt5WebEngineCore!webrtc::vcm::VideoSender::AddVideoFrame+0x37f
0494f654 70563f18 0543d050 1829e1f0 00000000 Qt5WebEngineCore!webrtc::VideoStreamEncoder::EncodeVideoFrame+0x1ec
0494f748 70562c86 0543d050 1829e1f0 00000000 Qt5WebEngineCore!webrtc::VideoStreamEncoder::MaybeEncodeVideoFrame+0x34e
0494f820 70564c18 6f3026be 05c0894c 05c08938 Qt5WebEngineCore!webrtc::VideoStreamEncoder::~VideoStreamEncoder+0x1ba
0494f824 6f3026be 05c0894c 05c08938 0494f9f0 Qt5WebEngineCore!webrtc::VideoStreamEncoder::VideoSourceProxy::RestrictFramerate+0x111
0494f838 6f30231a 0543d040 71171c00 0494f85c Qt5WebEngineCore!rtc::TaskQueue::Impl::RunTask+0x5c
0494f848 6f30265d 05c08948 05c0894c 05c08938 Qt5WebEngineCore!base::internal::Invoker<base::internal::BindState<void (__thiscall rtc::TaskQueue::Impl::*)(std::unique_ptr<rtc::QueuedTask,std::default_delete<rtc::QueuedTask> >),scoped_refptr<rtc::TaskQueue::Impl>,base::internal::PassedWrapper<std::unique_ptr<rtc::QueuedTask,std::default_delete<rtc::QueuedTask> > > >,void __cdecl(void)>::RunImpl<void (__thiscall rtc::TaskQueue::Impl::*)(std::unique_ptr<rtc::QueuedTask,std::default_delete<rtc::QueuedTask> >),std::tuple<scoped_refptr<rtc::TaskQueue::Impl>,base::internal::PassedWrapper<std::unique_ptr<rtc::QueuedTask,std::default_delete<rtc::QueuedTask> > > >,0,1>+0x26
0494f85c 6df812cd 05c08938 7104f058 05c16190 Qt5WebEngineCore!base::internal::Invoker<base::internal::BindState<void (__thiscall rtc::TaskQueue::Impl::*)(std::unique_ptr<rtc::QueuedTask,std::default_delete<rtc::QueuedTask> >),scoped_refptr<rtc::TaskQueue::Impl>,base::internal::PassedWrapper<std::unique_ptr<rtc::QueuedTask,std::default_delete<rtc::QueuedTask> > > >,void __cdecl(void)>::RunOnce+0x16
0494f8c0 6dfa25da 00000000 0494f9f0 00539ff0 Qt5WebEngineCore!base::debug::TaskAnnotator::RunTask+0x17d
0494f9e8 6dfa1c86 00000000 70f8705c 707605c0 Qt5WebEngineCore!base::internal::TaskTracker::RunOrSkipTask+0x5fa
0494fb14 6dfa5dab 0494fb48 054a9548 046817c8 Qt5WebEngineCore!base::internal::TaskTracker::RunAndPopNextTask+0xf6
0494fbf4 6dfa5700 000000df 0494fc5c 6df13aeb Qt5WebEngineCore!base::internal::SchedulerWorker::RunWorker+0x57b
0494fc00 6df13aeb 6df13a20 6df13a20 0468a0d8 Qt5WebEngineCore!base::internal::SchedulerWorker::RunPooledWorker+0x10
0494fc5c 75397c04 0468a0d8 75397be0 34e88490 Qt5WebEngineCore!base::TimeDelta::FromHours+0x19b
0494fc70 778ead8f 0468a0d8 5656314d 00000000 KERNEL32!BaseThreadInitThunk+0x24
0494fcb8 778ead5a ffffffff 778d00cb 00000000 ntdll!__RtlUserThreadStart+0x2f
0494fcc8 00000000 6df13a20 0468a0d8 00000000 ntdll!_RtlUserThreadStart+0x1b

THREAD_SHA1_HASH_MOD_FUNC:  c585935a120db01041248977c6ce5c838228e8f4
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  f36ceb61f41fb8818dedae300c8574c5d32742d2
THREAD_SHA1_HASH_MOD:  94ce15d50fbce3ab77fbb3091206137332c4db8a
FAULT_INSTR_CODE:  29e50f66
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  Qt5WebEngineCore!vp8_fast_quantize_b_ssse3+79
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: Qt5WebEngineCore
IMAGE_NAME:  Qt5WebEngineCore.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  5cc1c406
STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~14s ; .cxr ; kb
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_Qt5WebEngineCore.dll!vp8_fast_quantize_b_ssse3
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_Qt5WebEngineCore!vp8_fast_quantize_b_ssse3+79
FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_IMAGE_NAME:  Qt5WebEngineCore.dll
BUCKET_ID_IMAGE_STR:  Qt5WebEngineCore.dll
FAILURE_MODULE_NAME:  Qt5WebEngineCore
BUCKET_ID_MODULE_STR:  Qt5WebEngineCore
FAILURE_FUNCTION_NAME:  vp8_fast_quantize_b_ssse3
BUCKET_ID_FUNCTION_STR:  vp8_fast_quantize_b_ssse3
BUCKET_ID_OFFSET:  79
BUCKET_ID_MODTIMEDATESTAMP:  5cc1c406
BUCKET_ID_MODCHECKSUM:  0
BUCKET_ID_MODVER_STR:  5.12.3.0
BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_
FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
FAILURE_SYMBOL_NAME:  Qt5WebEngineCore.dll!vp8_fast_quantize_b_ssse3
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/QtWebEngineProcess.exe/5.12.3.0/5cc1c414/Qt5WebEngineCore.dll/5.12.3.0/5cc1c406/c0000005/01985cec.htm?Retriage=1
TARGET_TIME:  2019-05-02T11:19:36.000Z
OSBUILD:  9600
OSSERVICEPACK:  17415
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 8.1
OSEDITION:  Windows 8.1 WinNt SingleUserTS
USER_LCID:  0
OSBUILD_TIMESTAMP:  2014-10-28 18:58:22
BUILDDATESTAMP_STR:  180101-1800
BUILDLAB_STR:  winblue_ltsb
BUILDOSVER_STR:  6.3.9600.18895.amd64fre.winblue_ltsb.180101-1800
ANALYSIS_SESSION_ELAPSED_TIME:  180bb
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_qt5webenginecore.dll!vp8_fast_quantize_b_ssse3
FAILURE_ID_HASH:  {7cd944e4-3191-8503-7a5d-72915b4b7d0e}
Followup:     MachineOwner
---------
```
where the assembly of the failing function vp8_fast_quantize_b_ssse3 from the VP8 encoder is the following (I've checked that the assembly of this function is the same in Qt5WebEngineCore.dll 5.12.3 and 5.11.3):
```
push     ebx
mov      ebx,esp
push     ecx
push     ecx
and      esp,0FFFFFFF0h
add      esp,4                         // stack alignment 4 bytes?
push     ebp
mov      ebp,dword ptr [ebx+4]
mov      dword ptr [esp+4],ebp
mov      ebp,esp
sub      esp,3Ch
mov      ecx,dword ptr [ebx+8]         // BLOCK *b
push     esi
mov      esi,dword ptr [ebx+0Ch]       // BLOCKD *d?
mov      dword ptr [ebp-20h],8040100h
mov      eax,dword ptr [ecx+4]         // b->coeff
mov      dword ptr [ebp-1Ch],6030205h
mov      dword ptr [ebp-18h],0A0D0C09h
mov      dword ptr [ebp-14h],0F0E0B07h
movups   xmm0,xmmword ptr [eax]        // __m128i z0 = _mm_load_si128((__m128i *)(b->coeff));
movups   xmm4,xmmword ptr [eax+10h]    // __m128i z1 = _mm_load_si128((__m128i *)(b->coeff + 8));
mov      eax,dword ptr [esi+0Ch]       // d->dequant??
movaps   xmm2,xmm4
psraw    xmm2,0Fh                      // sz1 = _mm_srai_epi16(z1, 15);
movups   xmm1,xmmword ptr [eax+10h]    //
movups   xmm7,xmmword ptr [eax]        //
mov      eax,dword ptr [ecx+1Ch]       // b->round
mov      ecx,dword ptr [ecx+0Ch]       // b->quant_fast
movaps   xmmword ptr [ebp-30h],xmm1
movaps   xmm1,xmm0
pabsw    xmm0,xmm0                     // x0 = _mm_abs_epi16(z0);
psraw    xmm1,0Fh                      // sz0 = _mm_srai_epi16(z0, 15);
movups   xmm5,xmmword ptr [eax]        // __m128i round0 = _mm_load_si128((__m128i *)(b->round));
movups   xmm3,xmmword ptr [eax+10h]    // __m128i round1 = _mm_load_si128((__m128i *)(b->round + 8));
paddw    xmm5,xmm0                     // x0 = _mm_add_epi16(x0, round0);
pmulhw   xmm5,xmmword ptr [ecx]        // y0 = _mm_mulhi_epi16(x0, quant_fast0); // ECX (quant_fast0) contains misaligned (16 bytes alignment required) address
pabsw    xmm0,xmm4                     // x1 = _mm_abs_epi16(z1);
mov      eax,dword ptr [esi]
paddw    xmm3,xmm0                     // x1 = _mm_add_epi16(x1, round1);
pmulhw   xmm3,xmmword ptr [ecx+10h]    // y1 = _mm_mulhi_epi16(x1, quant_fast1);
movaps   xmm0,xmm5
pxor     xmm0,xmm1                     // y0 = _mm_xor_si128(y0, sz0);
psubw    xmm0,xmm1                     // x0 = _mm_sub_epi16(y0, sz0);
movaps   xmm1,xmm3
movups   xmmword ptr [eax],xmm0
pxor     xmm1,xmm2                     // y1 = _mm_xor_si128(y1, sz1);
mov      eax,dword ptr [esi]
psubw    xmm1,xmm2                     // x1 = _mm_sub_epi16(y1, sz1);
pmullw   xmm0,xmm7                     // x0 = _mm_mullo_epi16(x0, dequant0);
movups   xmmword ptr [eax+10h],xmm1
mov      eax,dword ptr [esi+4]
pmullw   xmm1,xmmword ptr [ebp-30h]    // x1 = _mm_mullo_epi16(x1, dequant1);
movups   xmmword ptr [eax],xmm0
xorps    xmm0,xmm0                     // zeros = _mm_setzero_si128();
mov      eax,dword ptr [esi+4]
pcmpgtw  xmm5,xmm0                     // x0 = _mm_cmpgt_epi16(abs0, zeros);
pcmpgtw  xmm3,xmm0                     // x1 = _mm_cmpgt_epi16(abs1, zeros);
packsswb xmm5,xmm3                     // x = _mm_packs_epi16(x0, x1);
pshufb   xmm5,xmmword ptr [ebp-20h]    // x = _mm_shuffle_epi8(x, zig_zag);
movups   xmmword ptr [eax+10h],xmm1
pmovmskb ecx,xmm5                      // mask = _mm_movemask_epi8(x);
bsr      eax,ecx                       // eob = bsr(mask);
mov      edx,eax
mov      dword ptr [ebp-4],eax
xor      eax,eax
inc      edx
test     ecx,ecx
cmove    edx,eax
mov      eax,dword ptr [esi+14h]
pop      esi
mov      byte ptr [eax],dl             // *d->eob = 0xFF & eob;
mov      esp,ebp
pop      ebp
mov      esp,ebx
pop      ebx
ret
```
Across many reproduction sessions the access violation occurred in different places and after different delays: sometimes the process crashed immediately, sometimes up to ~15 seconds of video had been encoded first.
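To make the annotated sequence above concrete, here is an added scalar model (not libvpx, Qt or the reporter's code) of the same quantizer step, together with the 16-byte alignment check that the aligned-operand form `pmulhw xmm5,xmmword ptr [ecx]` depends on; the `quant_operands` struct and the function names are assumed for illustration.

```c
#include <stdint.h>

/* Hypothetical mirror of the four 16 x int16 operands the quantizer reads;
 * the names are illustrative, not libvpx's BLOCK/BLOCKD layout. */
typedef struct {
  const int16_t *coeff, *round, *quant_fast, *dequant;
} quant_operands;

/* Bitmask of operands that are not 16-byte aligned (bit0 coeff, bit1 round,
 * bit2 quant_fast, bit3 dequant). Any set bit means an aligned 128-bit access
 * such as "pmulhw xmm5,xmmword ptr [ecx]" would raise an access violation. */
unsigned misaligned_operands(const quant_operands *q) {
  const void *p[4] = { q->coeff, q->round, q->quant_fast, q->dequant };
  unsigned mask = 0;
  for (int i = 0; i < 4; i++)
    if (((uintptr_t)p[i] & 15u) != 0) mask |= 1u << i;
  return mask;
}

/* pshufb control bytes decoded from the four dwords stored at [ebp-20h]
 * (08040100h 06030205h 0A0D0C09h 0F0E0B07h): VP8's zig-zag scan order. */
static const uint8_t zig_zag[16] =
  { 0, 1, 4, 8, 5, 2, 3, 6, 9, 12, 13, 10, 7, 11, 14, 15 };

/* Scalar equivalent of the SSSE3 sequence, keeping the wrap-around 16-bit
 * semantics of pabsw/paddw/pmulhw/pxor+psubw/pmullw. Writes qcoeff and
 * dqcoeff and returns eob: one past the last non-zero quantized coefficient
 * in zig-zag order, or 0 when all are zero (the bsr/cmove tail). */
int quantize_scalar(const quant_operands *q, int16_t qcoeff[16],
                    int16_t dqcoeff[16]) {
  unsigned nonzero = 0;
  for (int i = 0; i < 16; i++) {
    int16_t z  = q->coeff[i];
    int16_t sz = (int16_t)(z >> 15);                   /* psraw 15: 0 or -1 */
    int16_t x  = (int16_t)(z < 0 ? -z : z);            /* pabsw             */
    x = (int16_t)(x + q->round[i]);                    /* paddw             */
    int16_t y  = (int16_t)(((int32_t)x * q->quant_fast[i]) >> 16); /* pmulhw */
    qcoeff[i]  = (int16_t)((y ^ sz) - sz);             /* re-apply sign     */
    dqcoeff[i] = (int16_t)(qcoeff[i] * q->dequant[i]); /* pmullw            */
    if (y > 0) nonzero |= 1u << i;                     /* pcmpgtw           */
  }
  unsigned zz = 0;                         /* pshufb: flags in zig-zag order */
  for (int i = 0; i < 16; i++)
    if (nonzero & (1u << zig_zag[i])) zz |= 1u << i;
  int eob = 0;
  while (zz) { eob++; zz >>= 1; }          /* bsr(mask)+1, or 0 if mask==0 */
  return eob;
}
```

Calling `misaligned_operands` before entering a SIMD path (or asserting on it in a Debug build) turns the intermittent access violation described in this report into a deterministic, attributable failure at the first misaligned operand.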
For Gerrit Dashboard: QTBUG-75594

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 274232,3 | Add workaround for MSVC bug in libvpx AVX2 code | 73-based | qt/qtwebengine-chromium | MERGED | +2 | 0 |