[Bug 709734] New: Double-free corruption when "speed" effect is enabled

GStreamer (bugzilla.gnome.org) bugzilla at gnome.org
Wed Oct 9 16:12:14 CEST 2013


https://bugzilla.gnome.org/show_bug.cgi?id=709734
  GStreamer | common | 1.0.10

           Summary: Double-free corruption when "speed" effect is enabled
    Classification: Platform
           Product: GStreamer
           Version: 1.0.10
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: common
        AssignedTo: gstreamer-bugs at lists.freedesktop.org
        ReportedBy: dvratil at redhat.com
         QAContact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---


I get a crash in my application, which uses the GStreamer backend, when I start
playing a track with the "speed" effect enabled.

The value was set to 1.0, but apparently it crashes with any settings.
Disabling the effect solves the problem.


Backtrace:
(gdb) bt
#0  0x000000359dc35a19 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x000000359dc37128 in __GI_abort () at abort.c:90
#2  0x000000359dc75d47 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x359dd7e628 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x000000359dc7d0e8 in malloc_printerr (ptr=<optimized out>,
str=0x359dd7e750 "free(): invalid next size (fast)", action=3) at malloc.c:4937
#4  _int_free (av=0x7fffa4000020, p=<optimized out>, have_lock=0) at
malloc.c:3789
#5  0x00000035a084d9af in g_free (mem=0x7fffa40088a0) at gmem.c:252
#6  0x00000035a2c33893 in g_value_unset (value=value@entry=0x7fffc1bcde80) at
gvalue.c:274
#7  0x00000035ada9b0b6 in gst_value_intersect_list (dest=0x7fffc1bcdf00,
value2=0xfe18a8, value1=<optimized out>) at gstvalue.c:3505
#8  0x00000035ada7d01d in gst_structure_intersect_field1 (id=52,
val1=0x7fffa4003808, data=0x7fffc1bcdf80) at gststructure.c:3025
#9  0x00000035ada7d631 in gst_structure_foreach (structure=0x7fffa4002080,
func=0x35ada7cfd0 <gst_structure_intersect_field1>, user_data=0x7fffc1bcdf80)
at gststructure.c:1122
#10 0x00000035ada800c8 in gst_structure_intersect
(struct1=struct1@entry=0x7fffa4002080, struct2=0xfc0d20) at gststructure.c:3072
#11 0x00000035ada3b803 in gst_caps_intersect_first (caps2=0xfcb6d0,
caps1=0x7fffa4002940) at gstcaps.c:1268
#12 gst_caps_intersect_full (caps1=caps1@entry=0x7fffa4002940,
caps2=caps2@entry=0xfcb6d0, mode=mode@entry=GST_CAPS_INTERSECT_FIRST) at
gstcaps.c:1298
#13 0x00000035ade2ed28 in gst_base_transform_query_caps (filter=0x0,
pad=0xfae060, trans=0xfe1e90) at gstbasetransform.c:724
#14 gst_base_transform_default_query (trans=0xfe1e90, direction=<optimized
out>, query=0x7fffa4002b70) at gstbasetransform.c:1487
#15 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0xfae060,
query=query@entry=0x7fffa4002b70) at gstpad.c:3419
#16 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0xfaf1e0,
query=query@entry=0x7fffa4002b70) at gstpad.c:3550
#17 0x00000035ada911d4 in gst_pad_peer_query_caps (pad=pad@entry=0xfaf1e0,
filter=filter@entry=0x0) at gstutils.c:2811
#18 0x00000035ade2ef5c in gst_base_transform_query_caps (filter=0x0,
pad=0xfaefb0, trans=0xff5000) at gstbasetransform.c:696
#19 gst_base_transform_default_query (trans=0xff5000, direction=GST_PAD_SINK,
query=0x7fffa4002a30) at gstbasetransform.c:1487
#20 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0xfaefb0,
query=query@entry=0x7fffa4002a30) at gstpad.c:3419
#21 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0xfae6f0,
query=query@entry=0x7fffa4002a30) at gstpad.c:3550
#22 0x00000035ada911d4 in gst_pad_peer_query_caps (pad=pad@entry=0xfae6f0,
filter=filter@entry=0x0) at gstutils.c:2811
#23 0x00000035ade2ef5c in gst_base_transform_query_caps (filter=0x0,
pad=0xfae4c0, trans=0xfa7570) at gstbasetransform.c:696
#24 gst_base_transform_default_query (trans=0xfa7570, direction=GST_PAD_SINK,
query=0x7fffa4002c50) at gstbasetransform.c:1487
#25 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0xfae4c0,
query=query@entry=0x7fffa4002c50) at gstpad.c:3419
#26 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0xfaed80,
query=0x7fffa4002c50) at gstpad.c:3550
#27 0x00000035ada8c498 in query_caps_func (pad=pad@entry=0xfaed80,
data=data@entry=0x7fffc1bce7c0) at gstutils.c:2481
#28 0x00000035ada5f887 in gst_pad_forward (pad=pad@entry=0xfaeb50,
forward=forward@entry=0x35ada8c480 <query_caps_func>,
user_data=user_data@entry=0x7fffc1bce7c0) at gstpad.c:2674
#29 0x00000035ada8e67a in gst_pad_proxy_query_caps (pad=pad@entry=0xfaeb50,
query=query@entry=0x7fffa4002c50) at gstutils.c:2531
#30 0x00000035ada5fe33 in gst_pad_query_caps_default (query=0x7fffa4002c50,
pad=0xfaeb50) at gstpad.c:2838
#31 gst_pad_query_default (pad=0xfaeb50, parent=<optimized out>,
query=0x7fffa4002c50) at gstpad.c:2949
#32 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0xfaeb50,
query=query@entry=0x7fffa4002c50) at gstpad.c:3419
#33 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0xffa010,
query=0x7fffa4002c50) at gstpad.c:3550
#34 0x00000035ada8c498 in query_caps_func (pad=pad@entry=0xffa010,
data=data@entry=0x7fffc1bceaf0) at gstutils.c:2481
#35 0x00000035ada5f887 in gst_pad_forward (pad=pad@entry=0xff8000,
forward=forward@entry=0x35ada8c480 <query_caps_func>,
user_data=user_data@entry=0x7fffc1bceaf0) at gstpad.c:2674
#36 0x00000035ada8e67a in gst_pad_proxy_query_caps (pad=pad@entry=0xff8000,
query=query@entry=0x7fffa4002c50) at gstutils.c:2531
#37 0x00000035ada5fe33 in gst_pad_query_caps_default (query=0x7fffa4002c50,
pad=0xff8000) at gstpad.c:2838
#38 gst_pad_query_default (pad=0xff8000, parent=<optimized out>,
query=0x7fffa4002c50) at gstpad.c:2949
#39 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0xff8000,
query=query@entry=0x7fffa4002c50) at gstpad.c:3419
#40 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0xffb690,
query=0x7fffa4002c50) at gstpad.c:3550
#41 0x00000035ada8c498 in query_caps_func (pad=pad@entry=0xffb690,
data=data@entry=0x7fffc1bcee20) at gstutils.c:2481
#42 0x00000035ada5f887 in gst_pad_forward (pad=pad@entry=0x1002780,
forward=forward@entry=0x35ada8c480 <query_caps_func>,
user_data=user_data@entry=0x7fffc1bcee20) at gstpad.c:2674
#43 0x00000035ada8e67a in gst_pad_proxy_query_caps (pad=pad@entry=0x1002780,
query=query@entry=0x7fffa4002c50) at gstutils.c:2531
#44 0x00000035ada5fe33 in gst_pad_query_caps_default (query=0x7fffa4002c50,
pad=0x1002780) at gstpad.c:2838
#45 gst_pad_query_default (pad=0x1002780, parent=<optimized out>,
query=0x7fffa4002c50) at gstpad.c:2949
#46 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0x1002780,
query=query@entry=0x7fffa4002c50) at gstpad.c:3419
#47 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0xff8720,
query=0x7fffa4002c50) at gstpad.c:3550
#48 0x00000035ada8c498 in query_caps_func (pad=pad@entry=0xff8720,
data=data@entry=0x7fffc1bcf150) at gstutils.c:2481
#49 0x00000035ada5f887 in gst_pad_forward (pad=pad@entry=0xffab50,
forward=forward@entry=0x35ada8c480 <query_caps_func>,
user_data=user_data@entry=0x7fffc1bcf150) at gstpad.c:2674
#50 0x00000035ada8e67a in gst_pad_proxy_query_caps (pad=pad@entry=0xffab50,
query=query@entry=0x7fffa4002c50) at gstutils.c:2531
#51 0x00000035ada5fe33 in gst_pad_query_caps_default (query=0x7fffa4002c50,
pad=0xffab50) at gstpad.c:2838
#52 gst_pad_query_default (pad=0xffab50, parent=<optimized out>,
query=0x7fffa4002c50) at gstpad.c:2949
#53 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0xffab50,
query=query@entry=0x7fffa4002c50) at gstpad.c:3419
#54 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0x10036d0,
query=0x7fffa4002c50) at gstpad.c:3550
#55 0x00000035ada8c498 in query_caps_func (pad=pad@entry=0x10036d0,
data=data@entry=0x7fffc1bcf480) at gstutils.c:2481
#56 0x00000035ada5f887 in gst_pad_forward (pad=pad@entry=0x10034a0,
forward=forward@entry=0x35ada8c480 <query_caps_func>,
user_data=user_data@entry=0x7fffc1bcf480) at gstpad.c:2674
#57 0x00000035ada8e67a in gst_pad_proxy_query_caps (pad=pad@entry=0x10034a0,
query=query@entry=0x7fffa4002c50) at gstutils.c:2531
#58 0x00000035ada5fe33 in gst_pad_query_caps_default (query=0x7fffa4002c50,
pad=0x10034a0) at gstpad.c:2838
#59 gst_pad_query_default (pad=0x10034a0, parent=<optimized out>,
query=0x7fffa4002c50) at gstpad.c:2949
#60 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0x10034a0,
query=query@entry=0x7fffa4002c50) at gstpad.c:3419
#61 0x00000035ada60b00 in gst_pad_peer_query (pad=pad@entry=0x1003270,
query=query@entry=0x7fffa4002c50) at gstpad.c:3550
#62 0x00000035ada911d4 in gst_pad_peer_query_caps (pad=pad@entry=0x1003270,
filter=filter@entry=0x0) at gstutils.c:2811
#63 0x00000035ade2ef5c in gst_base_transform_query_caps (filter=0x0,
pad=0x1003040, trans=0xfddcb0) at gstbasetransform.c:696
#64 gst_base_transform_default_query (trans=0xfddcb0, direction=GST_PAD_SINK,
query=0x7fffa4002a80) at gstbasetransform.c:1487
#65 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0x1003040,
query=query@entry=0x7fffa4002a80) at gstpad.c:3419
#66 0x00000035ada8eda4 in gst_pad_query_caps (pad=0x1003040,
filter=filter@entry=0x0) at gstutils.c:2765
#67 0x00000035ade2f1e3 in gst_base_transform_acceptcaps_default
(trans=0xfddcb0, direction=GST_PAD_SINK, caps=0x7fffac0a4400) at
gstbasetransform.c:1242
#68 0x00000035ade2ee41 in gst_base_transform_default_query (trans=0xfddcb0,
direction=GST_PAD_SINK, query=0x7fffa4002ca0) at gstbasetransform.c:1475
#69 0x00000035ada6051c in gst_pad_query (pad=pad@entry=0x1003040,
query=query@entry=0x7fffa4002ca0) at gstpad.c:3419
#70 0x00000035ada913b6 in gst_pad_query_accept_caps (pad=pad@entry=0x1003040,
caps=<optimized out>) at gstutils.c:2848
#71 0x00000035ada59a6a in pre_eventfunc_check (event=0x7fff9c0045e0,
pad=0x1003040) at gstpad.c:4701
#72 gst_pad_send_event_unchecked (pad=pad@entry=0x1003040,
event=event@entry=0x7fff9c0045e0,
type=type@entry=GST_PAD_PROBE_TYPE_EVENT_DOWNSTREAM) at gstpad.c:4815
#73 0x00000035ada5a194 in gst_pad_push_event_unchecked
(pad=pad@entry=0x1002e10, event=0x7fff9c0045e0,
type=type@entry=GST_PAD_PROBE_TYPE_EVENT_DOWNSTREAM) at gstpad.c:4515
#74 0x00000035ada5a52b in push_sticky (pad=0x1002e10, ev=0x7fffc1bcfc40,
user_data=0x7fffc1bcfcb0) at gstpad.c:3286
#75 0x00000035ada58af2 in events_foreach (pad=pad@entry=0x1002e10,
func=func@entry=0x35ada5a470 <push_sticky>,
user_data=user_data@entry=0x7fffc1bcfcb0) at gstpad.c:514
#76 0x00000035ada625d9 in check_sticky (pad=0x1002e10) at gstpad.c:3334
#77 gst_pad_push_event (pad=0x1002e10, event=event@entry=0x7fff9c0045e0) at
gstpad.c:4636
#78 0x00007fffe8bc643d in gst_queue_push_one (queue=0xfe68c0) at
gstqueue.c:1105
#79 gst_queue_loop (pad=<optimized out>) at gstqueue.c:1170
#80 0x00000035ada879d9 in gst_task_func (task=0x11dcc60) at gsttask.c:316
#81 0x00000035a086cb46 in g_thread_pool_thread_proxy (data=<optimized out>) at
gthreadpool.c:309
#82 0x00000035a086c185 in g_thread_proxy (data=0x7fffac0a45e0) at gthread.c:798
#83 0x000000359e807c53 in start_thread (arg=0x7fffc1bd0700) at
pthread_create.c:308
#84 0x000000359dcf5e1d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


Valgrind:
==14860== Thread 15:
==14860== Invalid read of size 4
==14860==    at 0x35C5813450: orc_code_region_allocate_codemem_dual_map
(orccodemem.c:219)
==14860==    by 0x35C58136C1: orc_code_region_allocate_codemem
(orccodemem.c:293)
==14860==    by 0x35C5813764: orc_code_region_new (orccodemem.c:64)
==14860==    by 0x35C5813820: orc_code_region_get_free_chunk (orccodemem.c:136)
==14860==    by 0x35C58138CA: orc_code_allocate_codemem (orccodemem.c:160)
==14860==    by 0x35C581712A: orc_program_compile_full (orccompiler.c:341)
==14860==    by 0x1A5D05C4: audio_convert_orc_pack_s32_float (tmp-orc.c:4737)
==14860==    by 0x1A5C5A7F: audio_convert_convert (audioconvert.c:807)
==14860==    by 0x1A5C3461: gst_audio_convert_transform (gstaudioconvert.c:813)
==14860==    by 0x35ADE313C6: gst_base_transform_handle_buffer
(gstbasetransform.c:2069)
==14860==    by 0x35ADE31C20: gst_base_transform_chain
(gstbasetransform.c:2176)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==  Address 0x131fba60 is 16 bytes inside a block of size 19 alloc'd
==14860==    at 0x4A06409: malloc (vg_replace_malloc.c:270)
==14860==    by 0x35C58133D8: orc_code_region_allocate_codemem_dual_map
(orccodemem.c:204)
==14860==    by 0x35C58136C1: orc_code_region_allocate_codemem
(orccodemem.c:293)
==14860==    by 0x35C5813764: orc_code_region_new (orccodemem.c:64)
==14860==    by 0x35C5813820: orc_code_region_get_free_chunk (orccodemem.c:136)
==14860==    by 0x35C58138CA: orc_code_allocate_codemem (orccodemem.c:160)
==14860==    by 0x35C581712A: orc_program_compile_full (orccompiler.c:341)
==14860==    by 0x1A5D05C4: audio_convert_orc_pack_s32_float (tmp-orc.c:4737)
==14860==    by 0x1A5C5A7F: audio_convert_convert (audioconvert.c:807)
==14860==    by 0x1A5C3461: gst_audio_convert_transform (gstaudioconvert.c:813)
==14860==    by 0x35ADE313C6: gst_base_transform_handle_buffer
(gstbasetransform.c:2069)
==14860==    by 0x35ADE31C20: gst_base_transform_chain
(gstbasetransform.c:2176)
==14860== 
==14860== Invalid read of size 4
==14860==    at 0x1A7DA147: speed_chain (gstspeed.c:488)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x35ADE31E2A: gst_base_transform_chain
(gstbasetransform.c:2212)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x1EA040DA: gst_queue_loop (gstqueue.c:1054)
==14860==    by 0x35ADA879D8: gst_task_func (gsttask.c:316)
==14860==    by 0x35A086CB45: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14860==    by 0x35A086C184: g_thread_proxy (gthread.c:798)
==14860==    by 0x359E807C52: start_thread (pthread_create.c:308)
==14860==    by 0x359DCF5E1C: clone (clone.S:113)
==14860==  Address 0x282ca808 is 1 bytes after a block of size 9,367 alloc'd
==14860==    at 0x4A06409: malloc (vg_replace_malloc.c:270)
==14860==    by 0x35A084D89E: g_malloc (gmem.c:159)
==14860==    by 0x35A086344D: g_slice_alloc (gslice.c:1003)
==14860==    by 0x35ADA2A11C: _default_mem_new_block (gstallocator.c:410)
==14860==    by 0x35ADA33401: gst_buffer_new_allocate (gstbuffer.c:621)
==14860==    by 0x35ADE2F7DC: default_prepare_output_buffer
(gstbasetransform.c:1594)
==14860==    by 0x35ADE312DA: gst_base_transform_handle_buffer
(gstbasetransform.c:2040)
==14860==    by 0x35ADE31C20: gst_base_transform_chain
(gstbasetransform.c:2176)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x1EA040DA: gst_queue_loop (gstqueue.c:1054)
==14860==    by 0x35ADA879D8: gst_task_func (gsttask.c:316)
==14860==    by 0x35A086CB45: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14860== 
==14860== Invalid write of size 4
==14860==    at 0x1A7DA155: speed_chain (gstspeed.c:486)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x35ADE31E2A: gst_base_transform_chain
(gstbasetransform.c:2212)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x1EA040DA: gst_queue_loop (gstqueue.c:1054)
==14860==    by 0x35ADA879D8: gst_task_func (gsttask.c:316)
==14860==    by 0x35A086CB45: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14860==    by 0x35A086C184: g_thread_proxy (gthread.c:798)
==14860==    by 0x359E807C52: start_thread (pthread_create.c:308)
==14860==    by 0x359DCF5E1C: clone (clone.S:113)
==14860==  Address 0x28346d78 is 1 bytes after a block of size 9,367 alloc'd
==14860==    at 0x4A06409: malloc (vg_replace_malloc.c:270)
==14860==    by 0x35A084D89E: g_malloc (gmem.c:159)
==14860==    by 0x35A086344D: g_slice_alloc (gslice.c:1003)
==14860==    by 0x35ADA2A11C: _default_mem_new_block (gstallocator.c:410)
==14860==    by 0x35ADA33401: gst_buffer_new_allocate (gstbuffer.c:621)
==14860==    by 0x1A7D9E5E: speed_chain (gstspeed.c:594)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x35ADE31E2A: gst_base_transform_chain
(gstbasetransform.c:2212)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x1EA040DA: gst_queue_loop (gstqueue.c:1054)
==14860==    by 0x35ADA879D8: gst_task_func (gsttask.c:316)
==14860==    by 0x35A086CB45: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14860== 
==14860== Invalid read of size 4
==14860==    at 0x1A7DA163: speed_chain (gstspeed.c:490)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x35ADE31E2A: gst_base_transform_chain
(gstbasetransform.c:2212)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x1EA040DA: gst_queue_loop (gstqueue.c:1054)
==14860==    by 0x35ADA879D8: gst_task_func (gsttask.c:316)
==14860==    by 0x35A086CB45: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14860==    by 0x35A086C184: g_thread_proxy (gthread.c:798)
==14860==    by 0x359E807C52: start_thread (pthread_create.c:308)
==14860==    by 0x359DCF5E1C: clone (clone.S:113)
==14860==  Address 0x282ca808 is 1 bytes after a block of size 9,367 alloc'd
==14860==    at 0x4A06409: malloc (vg_replace_malloc.c:270)
==14860==    by 0x35A084D89E: g_malloc (gmem.c:159)
==14860==    by 0x35A086344D: g_slice_alloc (gslice.c:1003)
==14860==    by 0x35ADA2A11C: _default_mem_new_block (gstallocator.c:410)
==14860==    by 0x35ADA33401: gst_buffer_new_allocate (gstbuffer.c:621)
==14860==    by 0x35ADE2F7DC: default_prepare_output_buffer
(gstbasetransform.c:1594)
==14860==    by 0x35ADE312DA: gst_base_transform_handle_buffer
(gstbasetransform.c:2040)
==14860==    by 0x35ADE31C20: gst_base_transform_chain
(gstbasetransform.c:2176)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==    by 0x1EA040DA: gst_queue_loop (gstqueue.c:1054)
==14860==    by 0x35ADA879D8: gst_task_func (gsttask.c:316)
==14860==    by 0x35A086CB45: g_thread_pool_thread_proxy (gthreadpool.c:309)
==14860==
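
One way to triage the Valgrind section above, added here as an example that is not part of the original report or of GStreamer: it parses memcheck "Invalid read/write" records and computes, for each access, its offset from the start of the heap block and how many of its bytes fall outside the allocation. `SAMPLE` is a trimmed excerpt of the report's output; `parse` and `by_function` are names chosen for this example.

```python
import re

# Trimmed excerpt of the Valgrind output in the report above (wrapped lines rejoined).
SAMPLE = """\
==14860== Invalid read of size 4
==14860==    at 0x35C5813450: orc_code_region_allocate_codemem_dual_map (orccodemem.c:219)
==14860==  Address 0x131fba60 is 16 bytes inside a block of size 19 alloc'd
==14860==    at 0x4A06409: malloc (vg_replace_malloc.c:270)
==14860==
==14860== Invalid read of size 4
==14860==    at 0x1A7DA147: speed_chain (gstspeed.c:488)
==14860==    by 0x35ADA5AEE9: gst_pad_push_data (gstpad.c:3655)
==14860==  Address 0x282ca808 is 1 bytes after a block of size 9,367 alloc'd
==14860==    at 0x4A06409: malloc (vg_replace_malloc.c:270)
==14860==
==14860== Invalid write of size 4
==14860==    at 0x1A7DA155: speed_chain (gstspeed.c:486)
==14860==  Address 0x28346d78 is 1 bytes after a block of size 9,367 alloc'd
"""

ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)")
BLOCK = re.compile(r"Address \S+ is ([\d,]+) bytes (inside|after) a block of size ([\d,]+)")

def parse(log):
    """Return one dict per 'Invalid read/write' record that names a heap block."""
    records, cur = [], None
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)
        if m := ACCESS.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "func": None, "loc": None}
        elif cur and cur["func"] is None and (m := FRAME.match(line)):
            cur["func"], cur["loc"] = m[1], m[2]  # innermost frame is the faulting code
        elif cur and (m := BLOCK.match(line)):
            delta, block = (int(x.replace(",", "")) for x in (m[1], m[3]))
            # memcheck counts "inside" from the block start and "after" from its end
            start = delta if m[2] == "inside" else block + delta
            cur["start_off"] = start
            cur["outside"] = min(cur["size"], max(0, start + cur["size"] - block))
            records.append(cur)
            cur = None
    return records

def by_function(records):
    """Group faulting source locations per function, split by access kind."""
    out = {}
    for r in records:
        out.setdefault(r["func"], {"read": set(), "write": set()})[r["kind"]].add(r["loc"])
    return out

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(r["kind"], r["func"], r["loc"], "offset", r["start_off"], "bytes outside:", r["outside"])
```

On the excerpt, both `speed_chain` accesses start at offset 9368 of a 9,367-byte block and lie entirely outside it, while the Orc read starts inside its 19-byte block and runs one byte past the end.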
