[vlc-devel] segfault in mpgatofixed32.c

Denis Lukianov denis at voxelsoft.com
Sun Jul 12 18:29:23 CEST 2009


Laurent Aimar wrote:
> Hi,
> On Sun, Jul 12, 2009, Denis wrote:
>   
>> I get a reproducible crash in a loop within DoWork:
>>
>> int i_size = p_out_buf->i_nb_bytes / sizeof(float);
>> float * a = (float *)p_out_buf->p_buffer;
>> for ( i = 0 ; i < i_size ; i++ )
>>    *a++ = 0.0; // crash
>>     
>
>  What VLC version are you testing ? (the line number does not seems to
> match 1.0).
>
>   
I am using master; the numbers in gdb might be off due to optimisations?

Originally, I noticed the crash in VLC 1.0 (Ubuntu).

>> (gdb) print *p_in_buf
>> $35 = {p_buffer = 0x20c7968, i_alloc_type = 2,
>>  i_size = 4212, i_nb_bytes = 322, i_nb_samples = 1152,
>>  start_date = 22173084417, end_date = 22173110539, b_discontinuity = false,
>>  p_next = 0x20cebf0, p_sys = 0x183bed0, pf_release = 0x1839910}
>>
>> (gdb) print *p_out_buf
>> $34 = {p_buffer = 0x7f8f0d3efc68, i_alloc_type = 1,
>>  i_size = 4220, i_nb_bytes = 9216, i_nb_samples = 1152,
>>  start_date = 22173084417, end_date = 22173110539, b_discontinuity = false,
>>  p_next = 0x3630382e30, p_sys = 0x7f8f5eaef187, pf_release = 0}
>>     
>
>  Could you also print the content of the parameter aout_filter_t * p_filter ?
> It will help to understand the problem (as with master, I failed to reproduce
> the problem).
>
>   
(gdb) print *p_filter
$37 = {psz_object_type = 0x7f8f5f9ca701 "audio output",
  psz_object_name = 0x2097880 "mpgatofixed32", psz_header = 0x0, i_flags = 0,
  b_error = false, b_die = false, b_force = false,
  be_sure_to_add_VLC_COMMON_MEMBERS_to_struct = false, p_libvlc = 0x16a49e8,
  p_parent = 0x20563d8, p_private = 0x0, input = {i_format = 1634168941,
    i_rate = 44100, i_physical_channels = 6, i_original_channels = 6,
    i_bytes_per_frame = 1053, i_frame_length = 1152, i_bitspersample = 0,
    i_blockalign = 0, i_channels = 2 '\002', i_flavor = 0 '\0'}, output = {
    i_format = 842230886, i_rate = 44100, i_physical_channels = 6,
    i_original_channels = 6, i_bytes_per_frame = 1053, i_frame_length = 1152,
    i_bitspersample = 0, i_blockalign = 0, i_channels = 2 '\002',
    i_flavor = 0 '\0'}, output_alloc = {i_alloc_type = 1,
    i_bytes_per_sec = 161240}, p_module = 0x1a3ca70, p_sys = 0x20c9310,
  b_in_place = false, b_continuity = false,
  pf_do_work = 0x7f8f209f4100 <DoWork>, request_vout = {pf_request_vout = 0,
    p_private = 0x0}, p_owner = 0x0}

(gdb) print sizeof(vlc_fixed_t)
$1 = 4

(gdb) print aout_FormatNbChannels( &p_filter->output )
$2 = 2
>> Looks like p_out_buf->i_nb_bytes is a bit big compared to p_out_buf->i_size.
>>     
>  If possible, a check using valgrind would be a plus.
>   
Under gdb, it was caught as it starts playback.

Without gdb or valgrind, it crashes when I stop playback.

Under valgrind, it crashes when I stop playback.

Some strange things in the valgrind output at stop/exit.

Two runs shown below.

First where I close VLC:

$ valgrind vlc
==9556== Memcheck, a memory error detector.
==9556== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==9556== Using LibVEX rev 1884, a library for dynamic binary translation.
==9556== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==9556== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==9556== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==9556== For more details, rerun with: -v
==9556==
VLC media player 1.1.0-git Yellow Bastard
[0x61b5128] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
==9556== Thread 6:
==9556== Syscall param write(buf) points to uninitialised byte(s)
==9556==    at 0x5787E5B: (within /lib/libpthread-2.9.so)
==9556==    by 0x1DA3CEFE: (within /usr/lib/libICE.so.6.3.0)
==9556==    by 0x1DA40787: _IceWrite (in /usr/lib/libICE.so.6.3.0)
==9556==    by 0x1DA40863: IceFlush (in /usr/lib/libICE.so.6.3.0)
==9556==    by 0x1E9BA31C: (within /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1E9BE32F: (within /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1E9C2236: (within /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1E9C2F59: (within /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1D8306F6: _SmcProcessMessage (in /usr/lib/libSM.so.6.0.0)
==9556==    by 0x1DA44BDF: IceProcessMessages (in /usr/lib/libICE.so.6.3.0)
==9556==    by 0x1E9BA948: (within /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1F5311F1: QMetaObject::activate(QObject*, int, int, void**) (in /usr/lib/libQtCore.so.4.5.0)
==9556==  Address 0x31466904 is 12 bytes inside a block of size 1,024 alloc'd
==9556==    at 0x4C25684: calloc (vg_replace_malloc.c:397)
==9556==    by 0x24CF213E: (within /usr/lib/libGL.so.180.44)
==9556==    by 0x30C3744F: ???
==9556==    by 0x7FF0009B0: ???
==9556==    by 0x4: ???
==9556==    by 0x263E2ACC: (within /usr/lib/tls/libnvidia-tls.so.180.44)
==9556==    by 0x1DA39373: IceOpenConnection (in /usr/lib/libICE.so.6.3.0)
==9556==    by 0x1D82CA00: SmcOpenConnection (in /usr/lib/libSM.so.6.0.0)
==9556==    by 0x1E9C157D: QSessionManager::QSessionManager(QApplication*, QString&, QString&) (in /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1E963267: QApplicationPrivate::initialize() (in /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1E963378: QApplicationPrivate::construct(_XDisplay*, unsigned long, unsigned long) (in /usr/lib/libQtGui.so.4.5.0)
==9556==    by 0x1E963F97: QApplication::QApplication(int&, char**, bool, int) (in /usr/lib/libQtGui.so.4.5.0)
[0x30bc7f60] access_http access: Raw-audio server found, mp3 demuxer selected
[0x313bfd20] main demux error: no meta reader module matched "any"
==9567== Warning: invalid file descriptor 1014 in syscall close()
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
I: caps.c: Dropping root privileges.
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
==9556==
==9556== Thread 8:
==9556== Conditional jump or move depends on uninitialised value(s)
==9556==    at 0x681F10C: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x6818117: snd_pcm_dmix_open (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x6818884: _snd_pcm_dmix_open (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E6E31: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E74D6: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E75A0: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x68226F7: _snd_pcm_softvol_open (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E6E31: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E75E7: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x6801F57: _snd_pcm_plug_open (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E6E31: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E75E7: (within /usr/lib/libasound.so.2.0.0)
==9556==
==9556== Conditional jump or move depends on uninitialised value(s)
==9556==    at 0x6816BC7: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x6818AEA: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x6821FD7: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x682287F: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x68022DC: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x9DA1CEB: Probe (alsa.c:235)
==9556==    by 0x9DA2984: Open (alsa.c:376)
==9556==    by 0x50D90FA: __module_need (modules.c:583)
==9556==    by 0x50C8304: aout_OutputNew (output.c:57)
==9556==
==9556== Conditional jump or move depends on uninitialised value(s)
==9556==    at 0x681EF1E: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x6818AF2: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x6821FD7: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x682287F: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x68022DC: (within /usr/lib/libasound.so.2.0.0)
==9556==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==9556==    by 0x9DA1CEB: Probe (alsa.c:235)
==9556==    by 0x9DA2984: Open (alsa.c:376)
==9556==    by 0x50D90FA: __module_need (modules.c:583)
==9556==    by 0x50C8304: aout_OutputNew (output.c:57)
==9556==
==9556== Jump to the invalid address stated on the next line
==9556==    at 0x3FF89CF0: ???
==9556==    by 0x5781458: start_thread (in /lib/libpthread-2.9.so)
==9556==    by 0x5F04FCC: clone (in /lib/libc-2.9.so)
==9556==  Address 0x3ff89cf0 is not stack'd, malloc'd or (recently) free'd
vex amd64->IR: unhandled instruction bytes: 0x3F 0x0 0x0 0x0 0x0 0x65
==9556== valgrind: Unrecognised instruction at address 0x3ff89d3b.
==9556== Your program just tried to execute an instruction that Valgrind
==9556== did not recognise.  There are two possible reasons for this.
==9556== 1. Your program has a bug and erroneously jumped to a non-code
==9556==    location.  If you are running Memcheck and you just saw a
==9556==    warning about a bad jump, it's probably your program's fault.
==9556== 2. The instruction is legitimate but Valgrind doesn't handle it,
==9556==    i.e. it's Valgrind's fault.  If you think this is the case or
==9556==    you are not sure, please let us know and we'll try to fix it.
==9556== Either way, Valgrind will now raise a SIGILL signal which will
==9556== probably kill your program.
==9556==
==9556== Process terminating with default action of signal 4 (SIGILL)
==9556==  Illegal opcode at address 0x3FF89D3B
==9556==    at 0x3FF89D3B: ???
==9556==    by 0x31682827: ???
==9556==    by 0x5781458: start_thread (in /lib/libpthread-2.9.so)
==9556==    by 0x5F04FCC: clone (in /lib/libc-2.9.so)
==9556==
==9556== ERROR SUMMARY: 10 errors from 5 contexts (suppressed: 6335 from 6)
==9556== malloc/free: in use at exit: 30,511,588 bytes in 116,400 blocks.
==9556== malloc/free: 540,744 allocs, 424,344 frees, 387,440,639 bytes allocated.
==9556== For counts of detected errors, rerun with: -v
==9556== Use --track-origins=yes to see where uninitialised values come from
==9556== searching for pointers to 116,400 not-freed blocks.
==9556== checked 37,894,208 bytes.
==9556==
==9556== LEAK SUMMARY:
==9556==    definitely lost: 29,092 bytes in 721 blocks.
==9556==      possibly lost: 270,772 bytes in 1,351 blocks.
==9556==    still reachable: 30,211,724 bytes in 114,328 blocks.
==9556==         suppressed: 0 bytes in 0 blocks.
==9556== Rerun with --leak-check=full to see details of leaked memory.
Killed

Second where I only stop the playback:

$ valgrind vlc
==10371== Memcheck, a memory error detector.
==10371== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==10371== Using LibVEX rev 1884, a library for dynamic binary translation.
==10371== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==10371== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==10371== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==10371== For more details, rerun with: -v
==10371==
VLC media player 1.1.0-git Yellow Bastard
[0x61b5138] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
==10371== Thread 6:
==10371== Syscall param write(buf) points to uninitialised byte(s)
==10371==    at 0x5787E5B: (within /lib/libpthread-2.9.so)
==10371==    by 0x1DA3CEFE: (within /usr/lib/libICE.so.6.3.0)
==10371==    by 0x1DA40787: _IceWrite (in /usr/lib/libICE.so.6.3.0)
==10371==    by 0x1DA40863: IceFlush (in /usr/lib/libICE.so.6.3.0)
==10371==    by 0x1E9BA31C: (within /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1E9BE32F: (within /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1E9C2236: (within /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1E9C2F59: (within /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1D8306F6: _SmcProcessMessage (in /usr/lib/libSM.so.6.0.0)
==10371==    by 0x1DA44BDF: IceProcessMessages (in /usr/lib/libICE.so.6.3.0)
==10371==    by 0x1E9BA948: (within /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1F5311F1: QMetaObject::activate(QObject*, int, int, void**) (in /usr/lib/libQtCore.so.4.5.0)
==10371==  Address 0x314697fc is 12 bytes inside a block of size 1,024 alloc'd
==10371==    at 0x4C25684: calloc (vg_replace_malloc.c:397)
==10371==    by 0x24CF213E: (within /usr/lib/libGL.so.180.44)
==10371==    by 0x30D8163F: ???
==10371==    by 0x7FF0009B1: ???
==10371==    by 0x4: ???
==10371==    by 0x263E2ACC: (within /usr/lib/tls/libnvidia-tls.so.180.44)
==10371==    by 0x1DA39373: IceOpenConnection (in /usr/lib/libICE.so.6.3.0)
==10371==    by 0x1D82CA00: SmcOpenConnection (in /usr/lib/libSM.so.6.0.0)
==10371==    by 0x1E9C157D: QSessionManager::QSessionManager(QApplication*, QString&, QString&) (in /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1E963267: QApplicationPrivate::initialize() (in /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1E963378: QApplicationPrivate::construct(_XDisplay*, unsigned long, unsigned long) (in /usr/lib/libQtGui.so.4.5.0)
==10371==    by 0x1E963F97: QApplication::QApplication(int&, char**, bool, int) (in /usr/lib/libQtGui.so.4.5.0)
[0x30cd2128] access_http access: Raw-audio server found, mp3 demuxer selected
[0x1c08a850] main demux error: no meta reader module matched "any"
==10383== Warning: invalid file descriptor 1014 in syscall close()
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
I: caps.c: Dropping root privileges.
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
==10371==
==10371== Thread 8:
==10371== Conditional jump or move depends on uninitialised value(s)
==10371==    at 0x681F10C: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x6818117: snd_pcm_dmix_open (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x6818884: _snd_pcm_dmix_open (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E6E31: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E74D6: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E75A0: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x68226F7: _snd_pcm_softvol_open (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E6E31: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E75E7: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x6801F57: _snd_pcm_plug_open (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E6E31: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E75E7: (within /usr/lib/libasound.so.2.0.0)
==10371==
==10371== Conditional jump or move depends on uninitialised value(s)
==10371==    at 0x6816BC7: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x6818AEA: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x6821FD7: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x682287F: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x68022DC: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x9DA1CEB: Probe (alsa.c:235)
==10371==    by 0x9DA2984: Open (alsa.c:376)
==10371==    by 0x50D90FA: __module_need (modules.c:583)
==10371==    by 0x50C8304: aout_OutputNew (output.c:57)
==10371==
==10371== Conditional jump or move depends on uninitialised value(s)
==10371==    at 0x681EF1E: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x6818AF2: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x6821FD7: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x682287F: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x68022DC: (within /usr/lib/libasound.so.2.0.0)
==10371==    by 0x67E7984: snd_pcm_close (in /usr/lib/libasound.so.2.0.0)
==10371==    by 0x9DA1CEB: Probe (alsa.c:235)
==10371==    by 0x9DA2984: Open (alsa.c:376)
==10371==    by 0x50D90FA: __module_need (modules.c:583)
==10371==    by 0x50C8304: aout_OutputNew (output.c:57)
==10371==
==10371== Jump to the invalid address stated on the next line
==10371==    at 0x3BB9ECF0: ???
==10371==    by 0x5781458: start_thread (in /lib/libpthread-2.9.so)
==10371==    by 0x5F04FCC: clone (in /lib/libc-2.9.so)
==10371==  Address 0x3bb9ecf0 is not stack'd, malloc'd or (recently) free'd
==10371==
==10371== Invalid read of size 4
==10371==    at 0x3BB9ED39: ???
==10371==    by 0x30F6286F: ???
==10371==    by 0x5781458: start_thread (in /lib/libpthread-2.9.so)
==10371==    by 0x5F04FCC: clone (in /lib/libc-2.9.so)
==10371==  Address 0x3c is not stack'd, malloc'd or (recently) free'd
==10371==
==10371== Process terminating with default action of signal 11 (SIGSEGV)
==10371==  Access not within mapped region at address 0x3C
==10371==    at 0x3BB9ED39: ???
==10371==    by 0x30F6286F: ???
==10371==    by 0x5781458: start_thread (in /lib/libpthread-2.9.so)
==10371==    by 0x5F04FCC: clone (in /lib/libc-2.9.so)
==10371==  If you believe this happened as a result of a stack overflow in your
==10371==  program's main thread (unlikely but possible), you can try to increase
==10371==  the size of the main thread stack using the --main-stacksize= flag.
==10371==  The main thread stack size used in this run was 8388608.
==10371==
==10371== ERROR SUMMARY: 11 errors from 6 contexts (suppressed: 6364 from 6)
==10371== malloc/free: in use at exit: 21,598,827 bytes in 49,423 blocks.
==10371== malloc/free: 403,740 allocs, 354,317 frees, 328,195,177 bytes allocated.
==10371== For counts of detected errors, rerun with: -v
==10371== Use --track-origins=yes to see where uninitialised values come from
==10371== searching for pointers to 49,423 not-freed blocks.
==10371== checked 28,737,360 bytes.
==10371==
==10371== LEAK SUMMARY:
==10371==    definitely lost: 30,404 bytes in 715 blocks.
==10371==      possibly lost: 270,860 bytes in 1,339 blocks.
==10371==    still reachable: 21,297,563 bytes in 47,369 blocks.
==10371==         suppressed: 0 bytes in 0 blocks.
==10371== Rerun with --leak-check=full to see details of leaked memory.
Killed

Regards,
Denis
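The gdb dumps above show the shape of the bug: `p_out_buf` was allocated for `i_size = 4220` bytes, yet `i_nb_bytes = 9216` (1152 samples x 2 channels x 4-byte samples), and the zero-fill loop trusts `i_nb_bytes`, so it writes roughly 5 KB past the allocation. The following is an added example, not code from the thread or from VLC, that reconstructs that mismatch with the dump's values and shows the bounds check a reviewer would want in front of such a loop; `out_buf_t` is a constructed stand-in for the `aout_buffer_t` fields visible in the dump, and the clamp is a defensive guard, not the fix for why the allocation is undersized.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the aout_buffer_t fields seen in the gdb dump. */
typedef struct {
    uint8_t *p_buffer;     /* allocation of i_size bytes */
    size_t   i_size;       /* allocated size in bytes (4220 in the dump) */
    size_t   i_nb_bytes;   /* bytes the producer claims are valid (9216) */
    size_t   i_nb_samples; /* 1152 in the dump */
} out_buf_t;

typedef int32_t vlc_fixed_t; /* gdb: sizeof(vlc_fixed_t) == 4 */

/* Bytes a decoded frame needs: samples x channels x sample width.
 * 1152 samples, 2 channels, 4-byte samples -> 9216, matching i_nb_bytes. */
size_t required_bytes(size_t nb_samples, unsigned channels, size_t sample_size)
{
    return nb_samples * channels * sample_size;
}

/* Zero-fill the output the way the crashing loop does, but never past the
 * allocation. Logs the mismatch so it shows up as a message rather than a
 * segfault (or, worse, a silent heap overwrite). Returns bytes written. */
size_t zero_fill_checked(out_buf_t *b)
{
    size_t want = b->i_nb_bytes;
    if (want > b->i_size) {
        fprintf(stderr, "mpgatofixed32: i_nb_bytes %zu exceeds allocation %zu; "
                        "clamping to the allocation\n", want, b->i_size);
        want = b->i_size;
    }
    size_t n = want / sizeof(vlc_fixed_t);
    vlc_fixed_t *a = (vlc_fixed_t *)b->p_buffer;
    for (size_t i = 0; i < n; i++)
        a[i] = 0;
    return n * sizeof(vlc_fixed_t);
}

/* Reproduces the dump's situation: 4220-byte allocation, i_nb_bytes = 9216.
 * Storage is declared as vlc_fixed_t so the cast above stays aligned. */
int demo_mismatch(void)
{
    static vlc_fixed_t storage[4220 / sizeof(vlc_fixed_t) + 1];
    out_buf_t b = { (uint8_t *)storage, 4220, 9216, 1152 };
    return (int)zero_fill_checked(&b); /* 4220, not 9216 */
}

int main(void)
{
    printf("frame needs %zu bytes\n", required_bytes(1152, 2, sizeof(vlc_fixed_t)));
    printf("wrote %d bytes\n", demo_mismatch());
    return 0;
}
```

Under valgrind or ASan the unguarded loop would be reported at the first write past offset 4220; the guarded version turns the same input into a log line and keeps the heap intact.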
