[FFmpeg-devel] [PATCH] png: split header state and data state in two separate variables.

Michael Niedermayer michael at niedermayer.cc
Sat Apr 1 01:53:40 EEST 2017


On Fri, Mar 31, 2017 at 09:49:52AM -0400, Ronald S. Bultje wrote:
> Fixes a reported (but false) race condition in tsan for fate-apng.
> ---
>  libavcodec/png.h    |  5 ----
>  libavcodec/pngdec.c | 68 +++++++++++++++++++++++++++++++----------------------
>  2 files changed, 40 insertions(+), 33 deletions(-)
> 

This causes a segfault.
I'll send you the sample privately.

==29980== Thread 10:
==29980== Invalid write of size 8
==29980==    at 0x4C2E164: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==29980==    by 0xBBF4AC: png_filter_row (pngdec.c:258)
==29980==    by 0xBBFFCD: png_handle_row (pngdec.c:335)
==29980==    by 0xBC059A: png_decode_idat (pngdec.c:420)
==29980==    by 0xBC1F6A: decode_idat_chunk (pngdec.c:754)
==29980==    by 0xBC4525: decode_frame_common (pngdec.c:1204)
==29980==    by 0xBC50CE: decode_frame_png (pngdec.c:1357)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xfb01288 is 20,520 bytes inside a block of size 20,527 alloc'd
==29980==    at 0x4C2A6C5: memalign (vg_replace_malloc.c:727)
==29980==    by 0x4C2A760: posix_memalign (vg_replace_malloc.c:876)
==29980==    by 0x15AE5B7: av_malloc (mem.c:87)
==29980==    by 0x159A0F1: av_buffer_alloc (buffer.c:72)
==29980==    by 0x159A156: av_buffer_allocz (buffer.c:85)
==29980==    by 0x159A856: pool_alloc_buffer (buffer.c:312)
==29980==    by 0x159A984: av_buffer_pool_get (buffer.c:349)
==29980==    by 0xCED638: video_get_buffer (utils.c:682)
==29980==    by 0xCED9A6: avcodec_default_get_buffer2 (utils.c:740)
==29980==    by 0x42A868: get_buffer (ffmpeg.c:2858)
==29980==    by 0xCEE255: get_buffer_internal (utils.c:941)
==29980==    by 0xCEE2D7: ff_get_buffer (utils.c:956)
==29980==
==29980== Invalid write of size 8
==29980==    at 0x13833B9: ff_add_bytes_l2_sse2 (pngdsp.asm:90)
==29980==    by 0xBBFFCD: png_handle_row (pngdec.c:335)
==29980==    by 0xBC059A: png_decode_idat (pngdec.c:420)
==29980==    by 0xBC1F6A: decode_idat_chunk (pngdec.c:754)
==29980==    by 0xBC4525: decode_frame_common (pngdec.c:1204)
==29980==    by 0xBC50CE: decode_frame_png (pngdec.c:1357)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xfb01808 is 1,064 bytes inside a block of size 1,071 alloc'd
==29980==    at 0x4C2A6C5: memalign (vg_replace_malloc.c:727)
==29980==    by 0x4C2A760: posix_memalign (vg_replace_malloc.c:876)
==29980==    by 0x15AE5B7: av_malloc (mem.c:87)
==29980==    by 0x159A0F1: av_buffer_alloc (buffer.c:72)
==29980==    by 0x159A156: av_buffer_allocz (buffer.c:85)
==29980==    by 0x159A856: pool_alloc_buffer (buffer.c:312)
==29980==    by 0x159A984: av_buffer_pool_get (buffer.c:349)
==29980==    by 0xCED638: video_get_buffer (utils.c:682)
==29980==    by 0xCED9A6: avcodec_default_get_buffer2 (utils.c:740)
==29980==    by 0x42A868: get_buffer (ffmpeg.c:2858)
==29980==    by 0xCEE255: get_buffer_internal (utils.c:941)
==29980==    by 0xCEE2D7: ff_get_buffer (utils.c:956)
==29980==
==29980== Invalid write of size 8
==29980==    at 0x13833BF: ff_add_bytes_l2_sse2 (pngdsp.asm:90)
==29980==    by 0xBBFFCD: png_handle_row (pngdec.c:335)
==29980==    by 0xBC059A: png_decode_idat (pngdec.c:420)
==29980==    by 0xBC1F6A: decode_idat_chunk (pngdec.c:754)
==29980==    by 0xBC4525: decode_frame_common (pngdec.c:1204)
==29980==    by 0xBC50CE: decode_frame_png (pngdec.c:1357)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xfb01810 is 1 bytes after a block of size 1,071 alloc'd
==29980==    at 0x4C2A6C5: memalign (vg_replace_malloc.c:727)
==29980==    by 0x4C2A760: posix_memalign (vg_replace_malloc.c:876)
==29980==    by 0x15AE5B7: av_malloc (mem.c:87)
==29980==    by 0x159A0F1: av_buffer_alloc (buffer.c:72)
==29980==    by 0x159A156: av_buffer_allocz (buffer.c:85)
==29980==    by 0x159A856: pool_alloc_buffer (buffer.c:312)
==29980==    by 0x159A984: av_buffer_pool_get (buffer.c:349)
==29980==    by 0xCED638: video_get_buffer (utils.c:682)
==29980==    by 0xCED9A6: avcodec_default_get_buffer2 (utils.c:740)
==29980==    by 0x42A868: get_buffer (ffmpeg.c:2858)
==29980==    by 0xCEE255: get_buffer_internal (utils.c:941)
==29980==    by 0xCEE2D7: ff_get_buffer (utils.c:956)
==29980==
==29980== Invalid write of size 1
==29980==    at 0xBBF877: png_filter_row (pngdec.c:281)
==29980==    by 0xBBFFCD: png_handle_row (pngdec.c:335)
==29980==    by 0xBC059A: png_decode_idat (pngdec.c:420)
==29980==    by 0xBC1F6A: decode_idat_chunk (pngdec.c:754)
==29980==    by 0xBC4525: decode_frame_common (pngdec.c:1204)
==29980==    by 0xBC50CE: decode_frame_png (pngdec.c:1357)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xfb018a0 is not stack'd, malloc'd or (recently) free'd
==29980==
==29980== Invalid read of size 1
==29980==    at 0xBBF88F: png_filter_row (pngdec.c:284)
==29980==    by 0xBBFFCD: png_handle_row (pngdec.c:335)
==29980==    by 0xBC059A: png_decode_idat (pngdec.c:420)
==29980==    by 0xBC1F6A: decode_idat_chunk (pngdec.c:754)
==29980==    by 0xBC4525: decode_frame_common (pngdec.c:1204)
==29980==    by 0xBC50CE: decode_frame_png (pngdec.c:1357)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xfb018a0 is not stack'd, malloc'd or (recently) free'd
==29980==
==29980== Invalid write of size 1
==29980==    at 0xBBF8D8: png_filter_row (pngdec.c:284)
==29980==    by 0xBBFFCD: png_handle_row (pngdec.c:335)
==29980==    by 0xBC059A: png_decode_idat (pngdec.c:420)
==29980==    by 0xBC1F6A: decode_idat_chunk (pngdec.c:754)
==29980==    by 0xBC4525: decode_frame_common (pngdec.c:1204)
==29980==    by 0xBC50CE: decode_frame_png (pngdec.c:1357)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xfb018a1 is not stack'd, malloc'd or (recently) free'd
==29980==
==29980== Invalid read of size 1
==29980==    at 0xBBF8AD: png_filter_row (pngdec.c:284)
==29980==    by 0xBBFFCD: png_handle_row (pngdec.c:335)
==29980==    by 0xBC059A: png_decode_idat (pngdec.c:420)
==29980==    by 0xBC1F6A: decode_idat_chunk (pngdec.c:754)
==29980==    by 0xBC4525: decode_frame_common (pngdec.c:1204)
==29980==    by 0xBC50CE: decode_frame_png (pngdec.c:1357)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xfb0180f is 0 bytes after a block of size 1,071 alloc'd
==29980==    at 0x4C2A6C5: memalign (vg_replace_malloc.c:727)
==29980==    by 0x4C2A760: posix_memalign (vg_replace_malloc.c:876)
==29980==    by 0x15AE5B7: av_malloc (mem.c:87)
==29980==    by 0x159A0F1: av_buffer_alloc (buffer.c:72)
==29980==    by 0x159A156: av_buffer_allocz (buffer.c:85)
==29980==    by 0x159A856: pool_alloc_buffer (buffer.c:312)
==29980==    by 0x159A984: av_buffer_pool_get (buffer.c:349)
==29980==    by 0xCED638: video_get_buffer (utils.c:682)
==29980==    by 0xCED9A6: avcodec_default_get_buffer2 (utils.c:740)
==29980==    by 0x42A868: get_buffer (ffmpeg.c:2858)
==29980==    by 0xCEE255: get_buffer_internal (utils.c:941)
==29980==    by 0xCEE2D7: ff_get_buffer (utils.c:956)
==29980==
==29980== Invalid read of size 4
==29980==    at 0x159A1DB: av_buffer_ref (buffer.c:102)
==29980==    by 0x15A36C3: av_frame_ref (frame.c:423)
==29980==    by 0xBC5140: decode_frame_png (pngdec.c:1366)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)
==29980==  Address 0xb9b0aa926b509e76 is not stack'd, malloc'd or (recently) free'd
==29980==
==29980==
==29980== Process terminating with default action of signal 11 (SIGSEGV)
==29980==  General Protection Fault
==29980==    at 0x159A1DB: av_buffer_ref (buffer.c:102)
==29980==    by 0x15A36C3: av_frame_ref (frame.c:423)
==29980==    by 0xBC5140: decode_frame_png (pngdec.c:1366)
==29980==    by 0xBD932D: frame_worker_thread (pthread_frame.c:199)
==29980==    by 0x777BE99: start_thread (pthread_create.c:308)
==29980==    by 0x7A872EC: clone (clone.S:112)

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data