[FFmpeg-devel] [PATCH] Fix a crash when adding many video clips to a kdenlive project:

Mikko Rapeli mikko.rapeli at iki.fi
Fri Sep 23 21:35:20 CEST 2011


On Wed, Aug 31, 2011 at 03:52:11PM +0200, Michael Niedermayer wrote:
> On Wed, Aug 31, 2011 at 04:04:30PM +0300, Mikko Rapeli wrote:
> > On Wed, Aug 31, 2011 at 02:38:31PM +0200, Michael Niedermayer wrote:
> > > > -    av_opt_free(avctx);
> > > >      av_freep(&avctx->priv_data);
> > > > +    av_opt_free(avctx);
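Review bot: Moving `av_opt_free(avctx)` below `av_freep(&avctx->priv_data)` does not change the call that aborts. Frames #6 to #9 of the backtrace later in this message show that same `av_freep` in `avcodec_close` passing `0x72656972` to `free()`. Those are four printable ASCII bytes rather than a plausible heap address, so the `priv_data` slot, or the whole context, was probably overwritten or already released before this code ran; that is inferred from the pointer value only. The reorder could then at most hide the abort, so I would keep the original order and add a comment above the `av_freep` call such as `/* a non-heap value in priv_data here means avctx was overwritten or already closed */`. The writer is better found with a memory-checking build once the crash can be triggered reliably. The enclosing function starts and ends outside the quoted hunk.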
> > > 
> > > Can you explain why you think the order of these 2 functions can
> > > trigger a bug ?
> > 
> > Granted, I did not dig too deep and don't know about ffmpeg much. I thought
> > av_opt_free was freeing also the priv_data pointer so glibc would call
> > it a free of an unallocated address.
> 
> av_opt_free() isnt supposed to free priv_data, also even if it did
> it would set it to NULL
> so this explanation doesnt look likely to me

Without the patch, this error had not reproduced again until today, with ffmpeg from
Sept 1st at git commit acc3c380cb010451e8e336b622e7ae446709d5c2. Unfortunately
it is hard to reproduce, and running valgrind isn't an option until I know
how to trigger it.

I'm running latest mlt from git with a patch from
http://www.kdenlive.org/mantis/view.php?id=2296 and a slightly patched
kdenlive.

00000000 08:02 3695001    /var/cache/fontconfig/865f88548240fee46819705c6468c165-le32d4.cache-3
b7fd5000-b7fd7000 r-xp 00000000 08:02 2519663    /usr/lib/i386-linux-gnu/gconv/UTF-16.so
b7fd7000-b7fd8000 r--p 00001000 08:02 2519663    /usr/lib/i386-linux-gnu/gconv/UTF-16.so
b7fd8000-b7fd9000 rw-p 00002000 08:02 2519663    /usr/lib/i386-linux-gnu/gconv/UTF-16.so
b7fd9000-b7fe0000 r--s 00000000 08:02 2519737    /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b7fe0000-b7fe2000 rw-p 00000000 00:00 0
b7fe2000-b7fe3000 r-xp 00000000 00:00 0          [vdso]
b7fe3000-b7ffe000 r-xp 00000000 08:02 634564     /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 08:02 634564     /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 08:02 634564     /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xad1c3b70 (LWP 32333)]
0xb7fe2424 in __kernel_vsyscall ()
(gdb)
(gdb) bt full
#0  0xb7fe2424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb5bf6911 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = <optimized out>
        pid = -1244520460
        selftid = 32333
#2  0xb5bf9d42 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {
            sa_handler = 0xb7fff4e4 <_rtld_global+1220>,
            sa_sigaction = 0xb7fff4e4 <_rtld_global+1220>}, sa_mask = {
            __val = {851968, 2953987696, 2953919328, 2904303924, 3078,
              2904303892, 2953915648, 2953914460, 0, 77, 2904303736,
              3049852392, 9, 2904303820, 3050446836, 4, 2904305280,
              2904303940, 3049970916, 38, 2904303820, 9, 0, 2904303916,
              2904303928, 7, 3050301468, 3050301464, 3050296943, 3050297008,
              18, 2904303820}}, sa_flags = -1390663404,
          sa_restorer = 0xb5cffbf6}
        sigs = {__val = {32, 0 <repeats 31 times>}}
#3  0xb5c2c9d5 in __libc_message (do_abort=2,
    fmt=0xb5d01a90 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
        ap = <optimized out>
---Type <return> to continue, or q <return> to quit---
        fd = -1390663044
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = false
#4  0xb5c36ac1 in malloc_printerr (action=<optimized out>,
    str=0x6 <Address 0x6 out of bounds>, ptr=0x72656972) at malloc.c:6283
        buf = "72656972"
        cp = <optimized out>
#5  0xb5c38328 in _int_free (av=<optimized out>, p=<optimized out>)
    at malloc.c:4795
        size = 0
        nextchunk = 0x7e4d
        nextsize = 3086629584
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        errstr = 0x6 <Address 0x6 out of bounds>
        __func__ = "_int_free"
#6  0xb5c3b3dd in *__GI___libc_free (mem=0x72656972) at malloc.c:3738
        ar_ptr = 0xb5d233c0
        p = 0x6
---Type <return> to continue, or q <return> to quit---
#7  0xb011f632 in av_free (ptr=<optimized out>) at libavutil/mem.c:152
No locals.
#8  av_freep (arg=0x58be387c) at libavutil/mem.c:159
        ptr = 0x58be387c
#9  0xb01c31ba in avcodec_close (avctx=0x58be3800) at libavcodec/utils.c:890
No locals.
#10 0xb0e16735 in producer_set_up_audio (frame=0x7bf8d150, self=0x12d70510)
    at producer_avformat.c:2452
        producer = 0x126f1990
        context = <optimized out>
        properties = 0x126f1990
        frame_properties = 0x7bf8d150
        index = 1
#11 producer_get_frame (producer=0x126f1990, frame=0xad1c31b8, index=0)
    at producer_avformat.c:2530
        service = 0x126f1990
        cache_item = <optimized out>
        self = 0x12d70510
        position = <optimized out>
#12 0xb7fab70f in producer_get_frame (service=0x126f1990, frame=0xad1c31b8,
    index=0) at mlt_producer.c:584
        properties = 0x126f1990
        eof = <optimized out>
---Type <return> to continue, or q <return> to quit---
        speed = 0
        clone = <optimized out>
        result = 1
        self = 0x126f1990
#13 0xb7fa96ed in mlt_service_get_frame (self=0x126f1990, frame=0xad1c32ac,
    index=0) at mlt_service.c:481
        new_position = 0
        previous_frame = <optimized out>
        next_frame = <optimized out>
        properties = 0x6c3fae40
        in = 0
        out = 2394
        position = 0
        result = <optimized out>
#14 0xb7fa9874 in service_get_frame (self=0x8f5c3d8, frame=0xad1c32ac, index=0)
    at mlt_service.c:372
        producer = <optimized out>
        base = <optimized out>
#15 0xb7fa9620 in mlt_service_get_frame (self=0x8f5c3d8, frame=0xad1c32ac,
    index=0) at mlt_service.c:457
        properties = 0x8f5c3d8
        in = 0
        out = 0
---Type <return> to continue, or q <return> to quit---
        position = -1
        result = 0
#16 0xb7fb0666 in mlt_consumer_get_frame (self=0x8f5c3d8) at mlt_consumer.c:547
        frame = 0x6c3fae40
        service = 0x8f5c3d8
        properties = 0x8f5c3d8
#17 0xb13f2cf1 in consumer_thread (arg=0x8f5c3d8) at consumer_sdl_preview.c:301
        this = 0x8f5c3d8
        consumer = 0x8f5c3d8
        properties = 0x8f5c3d8
        frame = <optimized out>
        last_position = -1
        eos = 0
        eos_threshold = 45
        preview_off = 0
#18 0xb742cc39 in start_thread (arg=0xad1c3b70) at pthread_create.c:304
        __res = <optimized out>
        __ignore1 = <optimized out>
        __ignore2 = <optimized out>
        pd = 0xad1c3b70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1220292620, 0, 4001536,
                -1390660552, 1449507475, -342161241}, mask_was_saved = 0}},
---Type <return> to continue, or q <return> to quit---
          priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0,
              cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#19 0xb5c9896e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further



