[libav-bugs] [Bug 542] New: Frame threading hwaccel heap corruption

bugzilla at libav.org bugzilla at libav.org
Wed Jul 17 22:56:48 CEST 2013


https://bugzilla.libav.org/show_bug.cgi?id=542

           Summary: Frame threading hwaccel heap corruption
           Product: Libav
           Version: git HEAD
          Platform: X86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: Normal
         Component: libavcodec
        AssignedTo: bugzilla at libav.org
        ReportedBy: remi at remlab.net


When running frame threading with VDPAU hwaccel, multiple threads try to change
the bitstream buffers simultaneously. Depending on timing, this either results
in broken/slow decoding, or heap corruption.

Unfortunately, many many attempts to reproduce the heap corruption under
valgrind/vlc all failed. Nevertheless, it is possible under gdb/vlc and it
clearly shows multiple worker threads trying to use the VDPAU bitstream buffers
simultaneously. In this case, consider threads 9 and 8:

----8<--------8<--------8<--------8<----
*** glibc detected *** /home/remi/videolan/vlc/build/vlc: double free or
corruption (!prev): 0x081478b0 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x70a8a)[0xb7eb0a8a]
/lib/i386-linux-gnu/libc.so.6(+0x722e8)[0xb7eb22e8]
/lib/i386-linux-gnu/libc.so.6(+0x76051)[0xb7eb6051]
/lib/i386-linux-gnu/libc.so.6(realloc+0xd7)[0xb7eb64d7]
/home/remi/videolan/vlc/build/modules/codec/.libs/libavcodec_plugin.so(+0x57833d)[0xb00b333d]
----8<--------8<--------8<--------8<----
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xafb3ab70 (LWP 9982)]
0xb7e6a667 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: Aucun fichier ou dossier de ce
type.
(gdb) thread apply all bt

Thread 10 (Thread 0xb7314b70 (LWP 9984)):
#0  0xb7f9bea5 in __pthread_cond_wait (cond=0x8134f80, mutex=0x8134fe0)
    at pthread_cond_wait.c:153
#1  0xafe64492 in avcodec_thread_park_workers (c=0x8134f60, 
    thread_count=<optimized out>) at libavcodec/pthread.c:174
#2  avcodec_thread_execute (avctx=0x8131c20, 
    func=0xafdef540 <slice_decode_thread>, arg=0x81322d0, ret=0x0, 
    job_count=2, job_size=4) at libavcodec/pthread.c:225
#3  0xafdee9ce in decode_chunks (avctx=avctx at entry=0x8131c20, 
    picture=picture at entry=0x8134720, got_output=got_output at entry=0xb73141d4, 
    buf=0xb7117a20 "", buf_size=32500) at libavcodec/mpeg12dec.c:2073
#4  0xafdef1f6 in mpeg_decode_frame (avctx=0x8131c20, data=0x8134720, 
    got_output=0xb73141d4, avpkt=0xb73141d8) at libavcodec/mpeg12dec.c:2349
#5  0xafee4a19 in avcodec_decode_video2 (avctx=avctx at entry=0x8131c20, 
    picture=0x8134720, got_picture_ptr=got_picture_ptr at entry=0xb73141d4, 
    avpkt=avpkt at entry=0xb73141d8) at libavcodec/utils.c:1379
#6  0xafb90a22 in DecodeVideo (p_dec=0x80d3888, pp_block=0xb731428c)
    at ../../../modules/codec/avcodec/video.c:595
#7  0xb7d80b79 in DecoderDecodeVideo (p_dec=p_dec at entry=0x80d3888, p_block=0x3)
    at ../../src/input/decoder.c:1483
#8  0xb7d81c55 in DecoderProcessVideo (b_flush=false, p_block=0x813ef60, 
    p_dec=0x80d3888) at ../../src/input/decoder.c:1829
#9  DecoderProcess (p_dec=p_dec at entry=0x80d3888, 
    p_block=p_block at entry=0x813ef60) at ../../src/input/decoder.c:2018
#10 0xb7d81e42 in DecoderThread (p_data=0x80d3888)
    at ../../src/input/decoder.c:939
#11 0xb7f97954 in start_thread (arg=0xb7314b70) at pthread_create.c:304
#12 0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 9 (Thread 0xaf33ab70 (LWP 9983)):
#0  __lll_lock_wait_private ()
    at ../nptl/sysdeps/unix/sysv/linux/i386/i486/lowlevellock.S:97
#1  0xb7eb6d31 in _L_lock_11604 () from /lib/i386-linux-gnu/libc.so.6
#2  0xb7eb64b7 in *__GI___libc_realloc (oldmem=0x817f698, bytes=172)
    at malloc.c:3813
#3  0xb00b333d in av_realloc (ptr=0x817f698, size=172) at libavutil/mem.c:135
#4  0xafee24fd in av_fast_realloc (ptr=0x817f698, size=size at entry=0xb710b338, 
    min_size=172) at libavcodec/utils.c:64
#5  0xaff2aa93 in ff_vdpau_add_buffer (avctx=avctx at entry=0x8131c20, 
    buf=buf at entry=0xb7119729 "", size=size at entry=258) at libavcodec/vdpau.c:76
#6  0xaff2bf98 in vdpau_mpeg_decode_slice (avctx=0x8131c20, 
    buffer=0xb7119729 "", size=258) at libavcodec/vdpau_mpeg12.c:86
#7  0xafdeb440 in mpeg_decode_slice (s=s at entry=0xb71383a0, mb_y=28, 
    buf=buf at entry=0xaf33a328, buf_size=25063) at libavcodec/mpeg12dec.c:1613
#8  0xafdef65e in slice_decode_thread (c=0x8131c20, arg=0x81322d4)
    at libavcodec/mpeg12dec.c:1784
#9  0xafe64366 in worker (v=0x8131c20) at libavcodec/pthread.c:164
#10 0xb7f97954 in start_thread (arg=0xaf33ab70) at pthread_create.c:304
#11 0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 8 (Thread 0xafb3ab70 (LWP 9982)):
#0  0xb7e6a667 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0xb7e6da52 in *__GI_abort () at abort.c:92
#2  0xb7ea698d in __libc_message (do_abort=2, 
    fmt=0xb7f6d330 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0xb7eb0a8a in malloc_printerr (action=<optimized out>, 
    str=0x6 <Address 0x6 out of bounds>, ptr=0x81478b0) at malloc.c:6283
#4  0xb7eb22e8 in _int_free (av=<optimized out>, p=<optimized out>)
    at malloc.c:4795
#5  0xb7eb6051 in _int_realloc (av=0x26fe, oldp=0x81478a8, oldsize=88, nb=128)
    at malloc.c:5341
#6  0xb7eb64d7 in *__GI___libc_realloc (oldmem=0x81478b0, bytes=121)
    at malloc.c:3821
#7  0xb00b333d in av_realloc (ptr=0x81478b0, size=121) at libavutil/mem.c:135
#8  0xafee24fd in av_fast_realloc (ptr=0x81478b0, size=size at entry=0xb710b338, 
    min_size=121) at libavcodec/utils.c:64
#9  0xaff2aa93 in ff_vdpau_add_buffer (avctx=avctx at entry=0x8131c20, 
    buf=buf at entry=0xb7117a5b "", size=size at entry=408) at libavcodec/vdpau.c:76
#10 0xaff2bf98 in vdpau_mpeg_decode_slice (avctx=0x8131c20, 
    buffer=0xb7117a5b "", size=408) at libavcodec/vdpau_mpeg12.c:86
#11 0xafdeb440 in mpeg_decode_slice (s=s at entry=0x8131fa0, mb_y=0, 
    buf=buf at entry=0xafb3a328, buf_size=32437) at libavcodec/mpeg12dec.c:1613
#12 0xafdef65e in slice_decode_thread (c=0x8131c20, arg=0x81322d0)
    at libavcodec/mpeg12dec.c:1784
#13 0xafe64366 in worker (v=0x8131c20) at libavcodec/pthread.c:164
#14 0xb7f97954 in start_thread (arg=0xafb3ab70) at pthread_create.c:304
#15 0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 7 (Thread 0xb6e8ab70 (LWP 9981)):
#0  0xb7f9bea5 in __pthread_cond_wait (cond=0x812f528, mutex=0x812f4e0)
    at pthread_cond_wait.c:153
#1  0xb7debc63 in vlc_cond_wait (p_condvar=p_condvar at entry=0x812f528, 
    p_mutex=p_mutex at entry=0x812f4e0) at ../../src/posix/thread.c:414
#2  0xb7d836ab in input_DecoderWaitBuffering (p_dec=0x80d3888)
    at ../../src/input/decoder.c:599
#3  0xb7d85f46 in EsOutDecodersStopBuffering (b_forced=158, 
    b_forced at entry=false, 
    out=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at ../../src/input/es_out.c:649
#4  0xb7d8c3f8 in EsOutControlLocked (args=<optimized out>, i_query=6, 
    out=0xb7108210) at ../../src/input/es_out.c:2317
#5  EsOutControl (out=0xb7108210, i_query=6, args=0xb6e8a088 "RF\n=\001")
    at ../../src/input/es_out.c:2698
#6  0xb7d8cd6d in es_out_vaControl (args=0xb6e8a088 "RF\n=\001", i_query=6, 
    out=0xb7108210) at ../../include/vlc_es_out.h:126
#7  es_out_Control (out=0xb7108210, i_query=6)
    at ../../include/vlc_es_out.h:135
#8  0xb7d8cf0a in CmdExecuteControl (p_out=<optimized out>, 
    p_cmd=p_cmd at entry=0xb6e8a11b) at ../../src/input/es_out_timeshift.c:1462
#9  0xb7d8ee2c in ControlLocked (args=0xb6e8a188 "RF\n=\001", i_query=6, 
    p_out=<optimized out>) at ../../src/input/es_out_timeshift.c:620
#10 Control (p_out=0x80fad78, i_query=6, args=0xb6e8a188 "RF\n=\001")
    at ../../src/input/es_out_timeshift.c:718
#11 0xb6d9686d in es_out_vaControl (args=0xb6e8a188 "RF\n=\001", i_query=6, 
    out=0x80fad78) at ../../../include/vlc_es_out.h:126
#12 es_out_Control (out=out at entry=0x80fad78, i_query=6, i_query=6)
    at ../../../include/vlc_es_out.h:135
#13 0xb6d9a212 in Demux (p_demux=0x8119240) at ../../../modules/demux/ps.c:405
#14 0xb7d972f8 in demux_Demux (p_demux=0x8119240) at ../../src/input/demux.h:44
#15 MainLoopDemux (i_start_mdate=1828142696, 
    pb_demux_polled=<synthetic pointer>, pb_changed=<synthetic pointer>, 
    p_input=0xb71050c8) at ../../src/input/input.c:561
#16 MainLoop (p_input=p_input at entry=0xb71050c8, 
    b_interactive=b_interactive at entry=true) at ../../src/input/input.c:737
#17 0xb7d9848c in Run (obj=0xb71050c8) at ../../src/input/input.c:523
#18 0xb7f97954 in start_thread (arg=0xb6e8ab70) at pthread_create.c:304
#19 0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 6 (Thread 0xb6f82b70 (LWP 9980)):
#0  0xb7f070fc in *__GI___poll (fds=0xb7f89ff4, fds at entry=0x812a058, 
    nfds=nfds at entry=2, timeout=timeout at entry=-1)
    at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0xb69aae94 in vlclua_net_poll (L=0x80fb940)
    at ../../../modules/lua/libs/net.c:228
#2  0xb69b63cf in luaD_precall ()
   from /home/remi/videolan/vlc/build/modules/lua/.libs/liblua_plugin.so
#3  0xb69bfd0d in luaV_execute ()
   from /home/remi/videolan/vlc/build/modules/lua/.libs/liblua_plugin.so
#4  0xb69b6818 in luaD_call ()
   from /home/remi/videolan/vlc/build/modules/lua/.libs/liblua_plugin.so
#5  0xb69b28f0 in f_call ()
   from /home/remi/videolan/vlc/build/modules/lua/.libs/liblua_plugin.so
#6  0xb69b5a90 in luaD_rawrunprotected ()
   from /home/remi/videolan/vlc/build/modules/lua/.libs/liblua_plugin.so
#7  0xb69b69ef in luaD_pcall ()
   from /home/remi/videolan/vlc/build/modules/lua/.libs/liblua_plugin.so
#8  0xb69b3ec4 in lua_pcall ()
   from /home/remi/videolan/vlc/build/modules/lua/.libs/liblua_plugin.so
#9  0xb699ce8a in Run (data=0x80fb1b0) at ../../../modules/lua/intf.c:412
#10 0xb7f97954 in start_thread (arg=0xb6f82b70) at pthread_create.c:304
#11 0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 5 (Thread 0xb7002b70 (LWP 9979)):
#0  0xb7f070fc in *__GI___poll (fds=0xb7f89ff4, fds at entry=0xb70022a0, 
    nfds=nfds at entry=2, timeout=timeout at entry=-1)
    at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0xb722b7c8 in Run (data=0x80f7148)
    at ../../../modules/control/dbus/dbus.c:817
#2  0xb7f97954 in start_thread (arg=0xb7002b70) at pthread_create.c:304
#3  0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 3 (Thread 0xb7394b70 (LWP 9976)):
#0  0xb7f9bea5 in __pthread_cond_wait (cond=0x80eb6d4, mutex=0x80eb6bc)
    at pthread_cond_wait.c:153
#1  0xb7debc63 in vlc_cond_wait (p_condvar=p_condvar at entry=0x80eb6d4, 
    p_mutex=p_mutex at entry=0x80eb6bc) at ../../src/posix/thread.c:414
#2  0xb7d6a9a4 in LoopInput (p_playlist=<optimized out>)
    at ../../src/playlist/thread.c:462
#3  Thread (data=0x80eb5f8) at ../../src/playlist/thread.c:514
#4  0xb7f97954 in start_thread (arg=0xb7394b70) at pthread_create.c:304
#5  0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 2 (Thread 0xb6818b70 (LWP 9975)):
#0  0xb7f070fc in *__GI___poll (fds=0xb7f89ff4, fds at entry=0x80d9bd8, 
    nfds=nfds at entry=2, timeout=timeout at entry=-1)
    at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0xb787a756 in poll_func (ufds=0x80d9bd8, nfds=2, timeout=-1, 
    userdata=0x80e1bd8) at pulse/thread-mainloop.c:69
#2  0xb7868a4a in pa_mainloop_poll (m=m at entry=0x80eb020)
    at pulse/mainloop.c:873
#3  0xb7869289 in pa_mainloop_iterate (m=m at entry=0x80eb020, 
    block=block at entry=1, retval=retval at entry=0x0) at pulse/mainloop.c:955
#4  0xb7869364 in pa_mainloop_run (m=0x80eb020, retval=retval at entry=0x0)
    at pulse/mainloop.c:973
#5  0xb787a6de in thread (userdata=0x80dac08) at pulse/thread-mainloop.c:88
#6  0xb781a1fa in internal_thread_func (userdata=0x80db050)
    at pulsecore/thread-posix.c:83
#7  0xb7f97954 in start_thread (arg=0xb6818b70) at pthread_create.c:304
#8  0xb7f1495e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 1 (Thread 0xb7c936c0 (LWP 9974)):
#0  0xb7f9fcc8 in do_sigwait (set=0xbffff454, sig=<optimized out>)
    at
../nptl/sysdeps/unix/sysv/linux/../../../../../sysdeps/unix/sysv/linux/sigwait.c:63
#1  0xb7f9fd60 in __sigwait (set=set at entry=0xbffff454, 
    sig=sig at entry=0xbffff450)
    at
../nptl/sysdeps/unix/sysv/linux/../../../../../sysdeps/unix/sysv/linux/sigwait.c:100
#2  0x08049182 in main (i_argc=<optimized out>, ppsz_argv=<optimized out>)
    at ../../bin/vlc.c:268
----8<--------8<--------8<--------8<----

No wonder that the heap gets corrupted if more than one thread reallocs the same
buffer simultaneously.
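The situation in the backtraces, two slice workers inside ff_vdpau_add_buffer() growing the same buffer through av_fast_realloc() at the same time, is modelled below in an added C example; it is not libavcodec's or VLC's code. buf_append() is a simplified stand-in for the av_fast_realloc()-style growth, and the two safe arrangements it contrasts (a mutex around the single shared buffer, and a private buffer per worker that is only inspected after the workers are joined) are assumptions about how such a buffer can be protected, not a statement of how this bug was fixed. Build with `cc -pthread`.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WORKERS 64
#define MAX_SLICE   512

/* Growable buffer in the style of the av_fast_realloc() pattern seen in the
 * backtraces. Simplified stand-in for illustration, not libavcodec's code. */
typedef struct {
    uint8_t *data;
    size_t size;      /* bytes in use */
    size_t capacity;  /* bytes allocated */
} bitstream_buf;

/* Append 'len' bytes, growing the allocation geometrically. If two threads
 * call this on the same bitstream_buf without a lock, both may realloc() the
 * same block: that is the double free / heap corruption in the report. */
static int buf_append(bitstream_buf *b, const uint8_t *src, size_t len)
{
    if (b->size + len > b->capacity) {
        size_t cap = b->capacity ? b->capacity : 64;
        while (cap < b->size + len)
            cap *= 2;
        uint8_t *p = realloc(b->data, cap);
        if (!p)
            return -1;
        b->data = p;
        b->capacity = cap;
    }
    memcpy(b->data + b->size, src, len);
    b->size += len;
    return 0;
}

typedef struct {
    bitstream_buf *shared;    /* one buffer for all workers, guarded by lock */
    pthread_mutex_t *lock;
    bitstream_buf own;        /* one private buffer per worker, no lock needed */
    unsigned slices;
    size_t slice_len;
    uint8_t marker;           /* byte value identifying this worker's slices */
} worker_ctx;

/* Each worker plays the role of one slice_decode_thread(): every slice goes
 * into its private buffer and, under the mutex, into the shared one. */
static void *slice_worker(void *v)
{
    worker_ctx *w = v;
    uint8_t slice[MAX_SLICE];
    memset(slice, w->marker, sizeof slice);   /* constructed slice payload */
    for (unsigned i = 0; i < w->slices; i++) {
        if (buf_append(&w->own, slice, w->slice_len) < 0)
            return (void *)1;
        pthread_mutex_lock(w->lock);
        int r = buf_append(w->shared, slice, w->slice_len);
        pthread_mutex_unlock(w->lock);
        if (r < 0)
            return (void *)1;
    }
    return NULL;
}

/* Runs nthreads workers, each adding nslices slices of slice_len bytes.
 * Returns the shared buffer's byte count after all workers are joined, or 0
 * if arguments are out of range, an allocation failed, or the buffers are
 * inconsistent with what the workers wrote. */
size_t run_slice_workers(unsigned nthreads, unsigned nslices, size_t slice_len)
{
    bitstream_buf shared = {0};
    pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    pthread_t tid[MAX_WORKERS];
    worker_ctx ctx[MAX_WORKERS];
    size_t per_marker[256] = {0};
    size_t expect = (size_t)nslices * slice_len;
    int ok = 1;

    if (nthreads == 0 || nthreads > MAX_WORKERS || slice_len == 0 || slice_len > MAX_SLICE)
        return 0;
    for (unsigned t = 0; t < nthreads; t++) {
        ctx[t] = (worker_ctx){ .shared = &shared, .lock = &lock, .slices = nslices,
                               .slice_len = slice_len, .marker = (uint8_t)(t + 1) };
        if (pthread_create(&tid[t], NULL, slice_worker, &ctx[t]) != 0) {
            ok = 0;
            nthreads = t;   /* only join the threads that actually started */
            break;
        }
    }
    for (unsigned t = 0; t < nthreads; t++) {
        void *ret;
        pthread_join(tid[t], &ret);
        if (ret)
            ok = 0;
    }
    /* Consistency checks: every worker's bytes must appear exactly once in the
     * shared buffer and its private buffer must hold only its own marker. */
    for (size_t i = 0; i < shared.size; i++)
        per_marker[shared.data[i]]++;
    for (unsigned t = 0; t < nthreads; t++) {
        bitstream_buf *o = &ctx[t].own;
        if (o->size != expect || per_marker[t + 1] != expect)
            ok = 0;
        for (size_t i = 0; ok && i < o->size; i++)
            if (o->data[i] != ctx[t].marker)
                ok = 0;
        free(o->data);
    }
    size_t total = ok ? shared.size : 0;
    free(shared.data);
    return total;
}

int main(void)
{
    printf("collected %zu bytes\n", run_slice_workers(4, 200, 300));
    return 0;
}
```

Removing the pthread_mutex_lock()/unlock() pair around the shared buf_append() call turns the example into the reported pattern; building it with `-fsanitize=thread` then reports the data race on the buffer pointer on the first run, which is a far more reliable way to catch this class of bug than waiting for the glibc "double free or corruption" abort, which depends on timing and, as the report notes, may not reproduce under valgrind at all.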
