GNOME Bugzilla – Bug 680558
rtpmparobustdepay: invalid memory access with mp3 rtsp stream
Last modified: 2012-08-06 13:38:53 UTC
URL: rtsp://dl.lib.brown.edu:554/areserves/1093545294660883.mp3

-base/tests/examples/playback $ ./playback-test 0 rtsp://dl.lib.brown.edu:554/areserves/1093545294660883.mp3
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Setting URI: rtsp://dl.lib.brown.edu:554/areserves/1093545294660883.mp3
Setting URI: (null)
Window realize: video window XID = 44040203
PLAY pipeline
[New Thread 0x7fffe6986700 (LWP 9880)]
message from "playbin" (new-clock): GstMessageNewClock, clock=(GstClock)"\(GstSystemClock\)\ GstSystemClock";
[New Thread 0x7fffe6185700 (LWP 9881)]
[New Thread 0x7fffe5165700 (LWP 9882)]
[New Thread 0x7fffe4964700 (LWP 9883)]
[New Thread 0x7fffe3f2c700 (LWP 9884)]
[New Thread 0x7fffe34e5700 (LWP 9885)]
[New Thread 0x7fffe2ce4700 (LWP 9886)]
[Thread 0x7fffe6185700 (LWP 9881) exited]
[New Thread 0x7fffe6185700 (LWP 9887)]
[Thread 0x7fffe6185700 (LWP 9887) exited]
[New Thread 0x7fffe6185700 (LWP 9888)]
[Thread 0x7fffe6185700 (LWP 9888) exited]
[New Thread 0x7fffe6185700 (LWP 9889)]
[New Thread 0x7fffe0bd7700 (LWP 9890)]
message from "audiosink-actual-sink-pulse" (tag): GstMessageTag, taglist=(taglist)"taglist\,\ audio-codec\=\(string\)\"MPEG\\\ 1\\\ Audio\\\,\\\ Layer\\\ 3\\\ \\\(MP3\\\)\"\,\ nominal-bitrate\=\(uint\)128000\;";
message from "audiosink-actual-sink-pulse" (tag): GstMessageTag, taglist=(taglist)"taglist\,\ has-crc\=\(boolean\)false\,\ channel-mode\=\(string\)joint-stereo\;";
[New Thread 0x7fffd7ffe700 (LWP 9891)]
video 0, audio 1, text 0
setting current video track -1
audio 0: taglist, audio-codec=(string)"MPEG\ 1\ Audio\,\ Layer\ 3\ \(MP3\)", nominal-bitrate=(uint)128000, has-crc=(boolean)false, channel-mode=(string)joint-stereo, minimum-bitrate=(uint)127706, bitrate=(uint)128012, maximum-bitrate=(uint)128012;
setting current audio track 0
setting current text track -1
message from "audiosink-actual-sink-pulse" (tag): GstMessageTag, taglist=(taglist)"taglist\,\ minimum-bitrate\=\(uint\)128012\,\ bitrate\=\(uint\)128012\,\ maximum-bitrate\=\(uint\)128012\;";
message from "rtpsession0" (element): application/x-rtp-source-sdes, cname=(string)430731928;
message from "audiosink-actual-sink-pulse" (tag): GstMessageTag, taglist=(taglist)"taglist\,\ minimum-bitrate\=\(uint\)127706\;";
[Thread 0x7fffd7ffe700 (LWP 9891) exited]
*** glibc detected *** /home/tpm/gst/0.11/gst-plugins-base/tests/examples/playback/.libs/playback-test: double free or corruption (!prev): 0x0000000000bea0c0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x75b46)[0x7ffff4baab46]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7ffff4baf87c]
/home/tpm/gst/0.11/gstreamer/gst/.libs/libgstreamer-1.0.so.0(+0x2cab9)[0x7ffff78d7ab9]
/home/tpm/gst/0.11/gstreamer/gst/.libs/libgstreamer-1.0.so.0(+0x5b81d)[0x7ffff790681d]
/home/tpm/gst/0.11/gstreamer/gst/.libs/libgstreamer-1.0.so.0(+0x35221)[0x7ffff78e0221]
/home/tpm/gst/0.11/gst-plugins-base/gst-libs/gst/audio/.libs/libgstaudio-1.0.so.0(gst_audio_decoder_finish_frame+0x2a7)[0x7fffee0adfb7]
/home/tpm/gst/0.11/gst-plugins-ugly/ext/mad/.libs/libgstmad.so(+0x24a8)[0x7fffe183b4a8]
/home/tpm/gst/0.11/gst-plugins-base/gst-libs/gst/audio/.libs/libgstaudio-1.0.so.0(+0x198d0)[0x7fffee0a98d0]
/home/tpm/gst/0.11/gst-plugins-base/gst-libs/gst/audio/.libs/libgstaudio-1.0.so.0(+0x1b404)[0x7fffee0ab404]
/home/tpm/gst/0.11/gst-plugins-base/gst-libs/gst/audio/.libs/libgstaudio-1.0.so.0(+0x1a7a6)[0x7fffee0aa7a6]
/home/tpm/gst/0.11/gst-plugins-base/gst-libs/gst/audio/.libs/libgstaudio-1.0.so.0(+0x1c688)[0x7fffee0ac688]
/home/tpm/gst/0.11/gstreamer/gst/.libs/libgstreamer-1.0.so.0(+0x606c8)[0x7ffff790b6c8]
/home/tpm/gst/0.11/gstreamer/libs/gst/base/.libs/libgstbase-1.0.so.0(gst_base_parse_push_frame+0x75f)[0x7ffff48fafcf]
/home/tpm/gst/0.11/gstreamer/libs/gst/base/.libs/libgstbase-1.0.so.0(gst_base_parse_finish_frame+0x5e3)[0x7ffff48fe083]
/home/tpm/gst/0.11/gst-plugins-good/gst/audioparsers/.libs/libgstaudioparsers.so(+0x10d8c)[0x7fffe207dd8c]
/home/tpm/gst/0.11/gstreamer/libs/gst/base/.libs/libgstbase-1.0.so.0(+0x13d34)[0x7ffff48f8d34]
/home/tpm/gst/0.11/gstreamer/libs/gst/base/.libs/libgstbase-1.0.so.0(+0x16b84)[0x7ffff48fbb84]
/home/tpm/gst/0.11/gstreamer/gst/.libs/libgstreamer-1.0.so.0(+0x606c8)[0x7ffff790b6c8]
/home/tpm/gst/0.11/gst-plugins-base/gst-libs/gst/rtp/.libs/libgstrtp-1.0.so.0(gst_rtp_base_depayload_push+0x2e)[0x7fffe740146e]
/home/tpm/gst/0.11/gst-plugins-good/gst/rtp/.libs/libgstrtp.so(+0x10c23)[0x7fffe2298c23]
/home/tpm/gst/0.11/gst-plugins-good/gst/rtp/.libs/libgstrtp.so(+0x12004)[0x7fffe229a004]
/home/tpm/gst/0.11/gst-plugins-base/gst-libs/gst/rtp/.libs/libgstrtp-1.0.so.0(+0x10a37)[0x7fffe7401a37]
/home/tpm/gst/0.11/gstreamer/gst/.libs/libgstreamer-1.0.so.0(+0x606c8)[0x7ffff790b6c8]

Program received signal SIGABRT, Aborted.
+ Trace 230584
Thread 140736998557440 (LWP 9886)
valgrind:

==9907== Thread 8:
==9907== Invalid write of size 1
==9907==    at 0x4C2A88A: memcpy (mc_replace_strmem.c:838)
==9907==    by 0x1D7393EC: gst_rtp_mpa_robust_depay_push_mp3_frames (gstbytewriter.h:255)
==9907==    by 0x1D73A003: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:634)
==9907==    by 0x18213A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1AEBC6BA: gst_rtp_pt_demux_chain (gstrtpptdemux.c:436)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1AEB7801: gst_rtp_jitter_buffer_loop (gstrtpjitterbuffer.c:1902)
==9907==  Address 0xd2a76b3 is not stack'd, malloc'd or (recently) free'd
==9907==
==9907== Invalid read of size 1
==9907==    at 0x810D624: gst_byte_reader_masked_scan_uint32 (gstbytereader.c:840)
==9907==    by 0x1D993A6A: gst_mpeg_audio_parse_handle_frame (gstmpegaudioparse.c:622)
==9907==    by 0x80EAD33: gst_base_parse_handle_buffer (gstbaseparse.c:1770)
==9907==    by 0x80EDB83: gst_base_parse_chain (gstbaseparse.c:2589)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1821346D: gst_rtp_base_depayload_push (gstrtpbasedepayload.c:587)
==9907==    by 0x1D738C22: gst_rtp_mpa_robust_depay_push_mp3_frames (gstrtpmparobustdepay.c:616)
==9907==    by 0x1D73A003: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:634)
==9907==    by 0x18213A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==  Address 0xd2a7682 is 0 bytes after a block of size 418 alloc'd
==9907==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==9907==    by 0x760ADE0: g_malloc (gmem.c:159)
==9907==    by 0x810DBE9: gst_byte_writer_new_with_size (gstbytewriter.c:77)
==9907==    by 0x1D73900D: gst_rtp_mpa_robust_depay_push_mp3_frames (gstrtpmparobustdepay.c:526)
==9907==    by 0x1D73A003: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:634)
==9907==    by 0x18213A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1AEBC6BA: gst_rtp_pt_demux_chain (gstrtpptdemux.c:436)
==9907==
==9907== Invalid read of size 1
==9907==    at 0x4C2A884: memcpy (mc_replace_strmem.c:838)
==9907==    by 0x50A46E8: gst_buffer_extract (gstbuffer.c:1497)
==9907==    by 0x80E4475: copy_into_unchecked (gstadapter.c:298)
==9907==    by 0x80E51AD: gst_adapter_map (gstadapter.c:502)
==9907==    by 0x80EDB4E: gst_base_parse_chain (gstbaseparse.c:2582)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1821346D: gst_rtp_base_depayload_push (gstrtpbasedepayload.c:587)
==9907==    by 0x1D738C22: gst_rtp_mpa_robust_depay_push_mp3_frames (gstrtpmparobustdepay.c:616)
==9907==    by 0x1D73A003: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:634)
==9907==    by 0x18213A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==  Address 0xd2a76b3 is not stack'd, malloc'd or (recently) free'd
==9907==
message from "audiosink-actual-sink-pulse" (tag): GstMessageTag, taglist=(taglist)"taglist\,\ maximum-bitrate\=\(uint\)320031\;";
==9907== Invalid write of size 2
==9907==    at 0x4C2A846: memcpy (mc_replace_strmem.c:838)
==9907==    by 0x1D7393EC: gst_rtp_mpa_robust_depay_push_mp3_frames (gstbytewriter.h:255)
==9907==    by 0x1D73A003: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:634)
==9907==    by 0x18213A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1AEBC6BA: gst_rtp_pt_demux_chain (gstrtpptdemux.c:436)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1AEB7801: gst_rtp_jitter_buffer_loop (gstrtpjitterbuffer.c:1902)
==9907==  Address 0xda6ce44 is not stack'd, malloc'd or (recently) free'd
==9907==
--9907-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--9907-- si_code=80; Faulting address: 0x0; sp: 0x40f334db0

valgrind: the 'impossible' happened:
   Killed by fatal signal
==9907==    at 0x38057958: vgPlain_arena_malloc (m_mallocfree.c:285)
==9907==    by 0x3802124C: vgMemCheck_new_block (mc_malloc_wrappers.c:248)
==9907==    by 0x380213DA: vgMemCheck_malloc (mc_malloc_wrappers.c:285)
==9907==    by 0x3808F3E6: vgPlain_scheduler (scheduler.c:1461)
==9907==    by 0x3809E449: run_a_thread_NORETURN (syswrap-linux.c:98)
==9907==    by 0x3809E6DA: vgModuleLocal_start_thread_NORETURN (syswrap-linux.c:268)
==9907==    by 0x380B9E3D: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==9907==    by 0xDEADBEEFDEADBEEE: ???
==9907==    by 0xDEADBEEFDEADBEEE: ???
==9907==    by 0xDEADBEEFDEADBEEE: ???

sched status:
  running_tid=8

Thread 1: status = VgTs_WaitSys
==9907==    at 0x7E21847: writev (writev.c:56)
==9907==    by 0xB137184: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
==9907==    by 0xB1375FE: ??? (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
==9907==    by 0xB137683: xcb_writev (in /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0)
==9907==    by 0x87ECD46: _XSend (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==9907==    by 0x87ED0DF: _XFlush (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==9907==    by 0x87CE839: XFlush (in /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0)
==9907==    by 0x603322F: gdk_window_process_all_updates (in /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.400.2)
==9907==    by 0x5A6A235: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.400.2)
==9907==    by 0x60168EF: ??? (in /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.400.2)
==9907==    by 0x7605204: g_main_context_dispatch (gmain.c:2539)
==9907==    by 0x7605537: g_main_context_iterate.isra.23 (gmain.c:3146)
==9907==    by 0x7605931: g_main_loop_run (gmain.c:3340)
==9907==    by 0x5AF02C4: gtk_main (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.400.2)
==9907==    by 0x4082F9: main (playback-test.c:3371)

Thread 2: status = VgTs_WaitSys
==9907==    at 0x7B3F2D4: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:162)
==9907==    by 0x764142E: g_cond_wait (gthread-posix.c:746)
==9907==    by 0x50FB38A: gst_task_func (gsttask.c:301)
==9907==    by 0x76285F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==9907==    by 0x7627DF4: g_thread_proxy (gthread.c:801)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Thread 3: status = VgTs_WaitSys
==9907==    at 0x7E1DA93: poll (poll.c:87)
==9907==    by 0x6511257: g_socket_condition_timed_wait (gsocket.c:3564)
==9907==    by 0x1A293D1A: gst_udpsrc_create (gstudpsrc.c:390)
==9907==    by 0x81005C1: gst_base_src_get_range (gstbasesrc.c:2313)
==9907==    by 0x8101BB2: gst_base_src_loop (gstbasesrc.c:2558)
==9907==    by 0x50FB1E0: gst_task_func (gsttask.c:316)
==9907==    by 0x76285F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==9907==    by 0x7627DF4: g_thread_proxy (gthread.c:801)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Thread 4: status = VgTs_WaitSys
==9907==    at 0x7E1DA93: poll (poll.c:87)
==9907==    by 0x6511257: g_socket_condition_timed_wait (gsocket.c:3564)
==9907==    by 0x1A293D1A: gst_udpsrc_create (gstudpsrc.c:390)
==9907==    by 0x81005C1: gst_base_src_get_range (gstbasesrc.c:2313)
==9907==    by 0x8101BB2: gst_base_src_loop (gstbasesrc.c:2558)
==9907==    by 0x50FB1E0: gst_task_func (gsttask.c:316)
==9907==    by 0x76285F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==9907==    by 0x7627DF4: g_thread_proxy (gthread.c:801)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Thread 5: status = VgTs_WaitSys
==9907==    at 0x7E1DB61: ppoll (ppoll.c:57)
==9907==    by 0x50DFC34: gst_poll_wait (gstpoll.c:1253)
==9907==    by 0x50F3F9B: gst_system_clock_id_wait_jitter_unlocked (gstsystemclock.c:644)
==9907==    by 0x50ADF73: gst_clock_id_wait (gstclock.c:512)
==9907==    by 0x1AECD590: rtcp_thread (gstrtpsession.c:841)
==9907==    by 0x7627DF4: g_thread_proxy (gthread.c:801)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Thread 6: status = VgTs_WaitSys
==9907==    at 0x7B3CBE8: __pthread_mutex_lock_full (pthread_mutex_lock.c:303)
==9907==    by 0x14D8652D: pa_mutex_lock (in /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-2.0.so)
==9907==    by 0x1354AE48: ??? (in /usr/lib/x86_64-linux-gnu/libpulse.so.0.14.2)
==9907==    by 0x1353C39B: pa_mainloop_poll (in /usr/lib/x86_64-linux-gnu/libpulse.so.0.14.2)
==9907==    by 0x1353C9F8: pa_mainloop_iterate (in /usr/lib/x86_64-linux-gnu/libpulse.so.0.14.2)
==9907==    by 0x1353CAAF: pa_mainloop_run (in /usr/lib/x86_64-linux-gnu/libpulse.so.0.14.2)
==9907==    by 0x1354ADEE: ??? (in /usr/lib/x86_64-linux-gnu/libpulse.so.0.14.2)
==9907==    by 0x14D87422: ??? (in /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-2.0.so)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Thread 7: status = VgTs_WaitSys
==9907==    at 0x7B3F2D4: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:162)
==9907==    by 0x764142E: g_cond_wait (gthread-posix.c:746)
==9907==    by 0x50FB38A: gst_task_func (gsttask.c:301)
==9907==    by 0x76285F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==9907==    by 0x7627DF4: g_thread_proxy (gthread.c:801)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Thread 8: status = VgTs_Runnable
==9907==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==9907==    by 0x760ADE0: g_malloc (gmem.c:159)
==9907==    by 0x761F1C2: g_slice_alloc (gslice.c:1003)
==9907==    by 0x50A24AE: gst_buffer_new (gstbuffer.c:576)
==9907==    by 0x50A3586: gst_buffer_new_wrapped_full (gstbuffer.c:715)
==9907==    by 0x80EDB6E: gst_base_parse_chain (gstbaseparse.c:2585)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1821346D: gst_rtp_base_depayload_push (gstrtpbasedepayload.c:587)
==9907==    by 0x1D738C22: gst_rtp_mpa_robust_depay_push_mp3_frames (gstrtpmparobustdepay.c:616)
==9907==    by 0x1D73A003: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:634)
==9907==    by 0x18213A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1AEBC6BA: gst_rtp_pt_demux_chain (gstrtpptdemux.c:436)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1AEB7801: gst_rtp_jitter_buffer_loop (gstrtpjitterbuffer.c:1902)
==9907==    by 0x50FB1E0: gst_task_func (gsttask.c:316)
==9907==    by 0x76285F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==9907==    by 0x7627DF4: g_thread_proxy (gthread.c:801)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Thread 9: status = VgTs_WaitSys
==9907==    at 0x7B3CBE8: __pthread_mutex_lock_full (pthread_mutex_lock.c:303)
==9907==    by 0x14D8652D: pa_mutex_lock (in /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-2.0.so)
==9907==    by 0x1DBA72A2: gst_pulseringbuffer_commit (pulsesink.c:1376)
==9907==    by 0x1095A865: gst_audio_base_sink_render (gstaudiobasesink.c:1845)
==9907==    by 0x80FB4FB: gst_base_sink_chain_unlocked.isra.11 (gstbasesink.c:3187)
==9907==    by 0x80FD02B: gst_base_sink_chain_main (gstbasesink.c:3295)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x810A1F9: gst_base_transform_chain (gstbasetransform.c:2190)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x810A1F9: gst_base_transform_chain (gstbasetransform.c:2190)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x50CD6C7: gst_pad_push_data (gstpad.c:3587)
==9907==    by 0x1C103C79: gst_queue_loop (gstqueue.c:1045)
==9907==    by 0x50FB1E0: gst_task_func (gsttask.c:316)
==9907==    by 0x76285F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==9907==    by 0x7627DF4: g_thread_proxy (gthread.c:801)
==9907==    by 0x7B3AB4F: start_thread (pthread_create.c:304)
==9907==    by 0x7E286DC: clone (clone.S:112)

Didn't crash with 0.10, but there are lots of garbled bits in 0.10 as well, and mad switches back and forth from 128k to 320k and other things.
Results so far are that it sounds fine in 0.10, and that [0.11] gdppay-ing the data, and then gdpdepaying and depayloading works fine (as in, sounds fine, no valgrind complaints and constant 417/418 frame size hence bitrate). So I would tend to believe problem might be elsewhere (wherever that might be) ...
FWIW, other than running into some 'collateral issues' (e.g. [*]), have not been able to reproduce this so far:

[*] http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=a549b0bf2c03eba92e813e0ec24f7f8d5bfba04a
I can still reproduce it unfortunately (in 1.0). Simple rtspsrc ! fakesink works fine, but rtspsrc ! rtpmparobustdepay does not.

These valgrind warnings look promising imho:

tpm@zingle:~/gst/0.11/gst-plugins-base/tests/examples/playback$ G_SLICE=always-malloc valgrind ../../../../gstreamer/tools/.libs/lt-gst-launch-1.0 rtspsrc location=rtsp://dl.lib.brown.edu:554/areserves/1093545294660883.mp3 ! rtpmparobustdepay ! fakesink
Setting pipeline to PLAYING ...
New clock: GstSystemClock
==19743== Thread 8:
==19743== Invalid write of size 1
==19743==    at 0x4C2A88A: memcpy (mc_replace_strmem.c:838)
==19743==    by 0xB0E33EC: gst_rtp_mpa_robust_depay_push_mp3_frames (gstbytewriter.h:255)
==19743==    by 0xB0E4033: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:636)
==19743==    by 0x8F60A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0xDDE26BA: gst_rtp_pt_demux_chain (gstrtpptdemux.c:436)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0xDDDD801: gst_rtp_jitter_buffer_loop (gstrtpjitterbuffer.c:1902)
==19743==    by 0x4EBD620: gst_task_func (gsttask.c:316)
==19743==    by 0x57E75F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==19743==  Address 0x7a23e8d is 3 bytes before a block of size 112 free'd
==19743==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==19743==    by 0xDDDDEE0: gst_rtp_jitter_buffer_loop (gstrtpjitterbuffer.c:1780)
==19743==    by 0x4EBD620: gst_task_func (gsttask.c:316)
==19743==    by 0x57E75F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==19743==    by 0x57E6DF4: g_thread_proxy (gthread.c:801)
==19743==    by 0x5E83B4F: start_thread (pthread_create.c:304)
==19743==
==19743== Invalid write of size 1
==19743==    at 0x4C2A88A: memcpy (mc_replace_strmem.c:838)
==19743==    by 0xB0E2B14: gst_rtp_mpa_robust_depay_push_mp3_frames (gstbytewriter.h:255)
==19743==    by 0xB0E4033: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:636)
==19743==    by 0x8F60A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0xDDE26BA: gst_rtp_pt_demux_chain (gstrtpptdemux.c:436)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0xDDDD801: gst_rtp_jitter_buffer_loop (gstrtpjitterbuffer.c:1902)
==19743==    by 0x4EBD620: gst_task_func (gsttask.c:316)
==19743==    by 0x57E75F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==19743==  Address 0x7a23f3f is 1 bytes before a block of size 428 alloc'd
==19743==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==19743==    by 0x57C9DE0: g_malloc (gmem.c:159)
==19743==    by 0xD1B9DEA: gst_udpsrc_create (gstudpsrc.c:441)
==19743==    by 0x8D295B1: gst_base_src_get_range (gstbasesrc.c:2313)
==19743==    by 0x8D2ABA2: gst_base_src_loop (gstbasesrc.c:2558)
==19743==    by 0x4EBD620: gst_task_func (gsttask.c:316)
==19743==    by 0x57E75F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==19743==    by 0x57E6DF4: g_thread_proxy (gthread.c:801)
==19743==    by 0x5E83B4F: start_thread (pthread_create.c:304)
==19743==
==19743== Invalid write of size 2
==19743==    at 0x4C2A846: memcpy (mc_replace_strmem.c:838)
==19743==    by 0xB0E33EC: gst_rtp_mpa_robust_depay_push_mp3_frames (gstbytewriter.h:255)
==19743==    by 0xB0E4033: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:636)
==19743==    by 0x8F60A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0xDDE26BA: gst_rtp_pt_demux_chain (gstrtpptdemux.c:436)
==19743==    by 0x4E8F937: gst_pad_push_data (gstpad.c:3587)
==19743==    by 0xDDDD801: gst_rtp_jitter_buffer_loop (gstrtpjitterbuffer.c:1902)
==19743==    by 0x4EBD620: gst_task_func (gsttask.c:316)
==19743==    by 0x57E75F1: g_thread_pool_thread_proxy (gthreadpool.c:309)
==19743==  Address 0x10a72d92 is not stack'd, malloc'd or (recently) free'd
==19743==
--19743-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--19743-- si_code=80; Faulting address: 0x0; sp: 0x407e9fdb0
So for one it looks like the byte writer is created with a fixed size, but then we put_data_unchecked() more data into it than we allocated:

Invalid write of size 2
   at 0x4C2A743: memcpy (mc_replace_strmem.c:838)
   by 0xB0E5D4B: gst_byte_writer_put_data_unchecked (gstbytewriter.h:255)
   by 0xB0E789A: gst_rtp_mpa_robust_depay_push_mp3_frames (gstrtpmparobustdepay.c:599)
   by 0xB0E79E7: gst_rtp_mpa_robust_depay_submit_adu (gstrtpmparobustdepay.c:636)
   by 0xB0E7E42: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:733)
   by 0x8F60A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
 Address 0x6d612c4 is 1,044 bytes inside a block of size 1,045 alloc'd
   at 0x4C28BED: malloc (vg_replace_malloc.c:263)
   by 0x57C9DE0: g_malloc (gmem.c:159)
   by 0x8D36BD9: gst_byte_writer_new_with_size (gstbytewriter.c:77)
   by 0xB0E71E7: gst_rtp_mpa_robust_depay_push_mp3_frames (gstrtpmparobustdepay.c:528)
   by 0xB0E79E7: gst_rtp_mpa_robust_depay_submit_adu (gstrtpmparobustdepay.c:636)
   by 0xB0E7E42: gst_rtp_mpa_robust_depay_process (gstrtpmparobustdepay.c:733)
   by 0x8F60A36: gst_rtp_base_depayload_chain (gstrtpbasedepayload.c:332)
I've also seen GST_IS_BUFFER() criticals from gst_buffer_unmap() shortly before it blows up, but wasn't able to get a stack trace for the critical so far.

I get stack traces from ca. line 750:

  gst_rtp_buffer_unmap (&rtp);

and from gst_base_sink_set_last_buffer(), where it unrefs the previous buffer. Looks like there's a buffer unref too much somewhere, or a missing ref.

============================

Tried to add poisoning to GstBuffer and GstMemory, but doesn't seem to help much.

Another puzzle piece:

395:gst_rtp_mpa_robust_depay_dequeue_frame:<rtpmparobustdepay0> dequeueing ADU frame
529:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> setting up new MP3 frame of size 418, side_info 32
544:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> current mp3 frame remaining: 382
546:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> accumulated ADU frame data_size: 382
567:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> current MP3 frame at position 36, starting new ADU frame data at offset 178
598:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> adding to current MP3 frame
599:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> byte writer set_pos 178
544:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> current mp3 frame remaining: -110
546:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> accumulated ADU frame data_size: 382
ERROR:gstrtpmparobustdepay.c:551:gst_rtp_mpa_robust_depay_push_mp3_frames: assertion failed: (map.size > rtpmpadepay->offset)
+ Trace 230626
Thread 140737283147520 (LWP 19643)
Thread 140737283147520 (LWP 19656)
Odd that you can't reproduce this.
OK, so with some further tries I can reproduce the original crash/abort, though not easily and iirc only with playback-test so far. It feels even more odd though that Comment #1 still stands, and that it valgrind-wise depayloads fine by itself. Will take some more putting these pieces together ... It does look like the unchecked bytewriter pushes are protected by some av = MIN (av, ...) construction, so this is only likely to go wrong if the ... part goes (seriously) wrong, due to some expected condition/assert there failing. Those in turn depend on buffer sizes and may therefore be going wrong if some buffer ref is bogus somewhere ...
Indeed, I also believe now that the main problem is buffer management going wrong somewhere.

Btw, bugzilla combined my last two puzzle pieces into one stack trace (those are not separate threads, but two separate traces), so I'm reposting the last one again here (sorry for spam):

And (with fakesink enable-last-sample=false):

*** glibc detected *** /home/tpm/gst/0.11/gstreamer/tools/.libs/lt-gst-launch-1.0: munmap_chunk(): invalid pointer: 0x000000000068ecd0 ***

Program received signal SIGSEGV, Segmentation fault.
+ Trace 230627
Another observation: it usually blows up right about when "current mp3 frame remaining:" shows a negative number. Don't know if this is cause or symptom though of course.
Have finally spotted something in the code that might be going wrong (with some unusual/bogus input data), though it is strange the same potential problem exists in 0.10 and does not seem to blow up there ...
Following should take care of this (AFAICS), any remaining garbled stuff is then likely due to packet loss (which probably triggered the buggy code paths in the first place):

commit 31a1cb0a11ee0882073a2b3c03d5bd75ab2b3fbc
Author: Mark Nauwelaerts <mark.nauwelaerts@collabora.co.uk>
Date:   Mon Aug 6 12:34:55 2012 +0200

    rtpmparobustdepay: update available bytewriter space when repositioning

    ... and add some more assert to catch potential surprises early on.

    Fixes https://bugzilla.gnome.org/show_bug.cgi?id=680558

Btw, so as not to run into other problems, following one is useful as well:

commit 1547fdbe5ab8f4a03ac45216cdcad906c0586ef0
Author: Mark Nauwelaerts <mark.nauwelaerts@collabora.co.uk>
Date:   Mon Aug 6 14:50:53 2012 +0200

    rtpmparobustdepay: set correct data_size for generated dummy frame

    ... which prevents getting stuck in a loop if such one is needed.
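
Added example, not code from GStreamer or from this report: a simplified C model of the pattern named in the first commit message above, where the space count feeding an av = MIN (av, ...) style guard is taken before the writer is repositioned and is not refreshed afterwards. The frame_writer type, place_adu() and their fields are hypothetical; the sizes (418-byte frame, writer at position 36, repositioned to 178, 382 bytes of ADU data) are taken from the debug log earlier in the thread, and how the real depayloader derives its count is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-capacity writer; models a byte writer created with a
 * fixed size, as in the report. This is not GStreamer's GstByteWriter. */
typedef struct {
    unsigned char *data;
    size_t size;  /* bytes allocated */
    size_t pos;   /* current write position */
} frame_writer;

typedef struct {
    size_t requested;  /* bytes the caller decided to copy */
    size_t overrun;    /* bytes of that copy falling past the allocation */
    size_t written;    /* bytes actually stored by the checked write */
} copy_result;

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Checked write: clamps to the allocation instead of trusting the caller. */
static size_t fw_put_checked(frame_writer *w, const unsigned char *src, size_t n)
{
    size_t len = min_sz(n, w->size - w->pos);
    memcpy(w->data + w->pos, src, len);
    w->pos += len;
    return len;
}

/* Copy ADU payload into a frame after repositioning the writer.
 * refresh_after_seek == 0: reuse the space count taken before the seek
 *                          (the stale-accounting pattern).
 * refresh_after_seek == 1: recompute the space count from the new position. */
static copy_result place_adu(size_t frame_size, size_t pos_before,
                             size_t seek_to, size_t adu_len,
                             int refresh_after_seek)
{
    copy_result r = {0, 0, 0};
    frame_writer w;
    unsigned char *adu;
    size_t av;

    if (pos_before > frame_size || seek_to > frame_size)
        return r;  /* positions outside the frame are rejected outright */

    w.data = calloc(1, frame_size ? frame_size : 1);
    adu = malloc(adu_len ? adu_len : 1);
    if (!w.data || !adu) {
        free(w.data);
        free(adu);
        return r;
    }
    memset(adu, 0xAD, adu_len);  /* constructed payload bytes */
    w.size = frame_size;
    w.pos = pos_before;

    av = w.size - w.pos;          /* space left at the old position */
    w.pos = seek_to;              /* reposition inside the frame */
    if (refresh_after_seek)
        av = w.size - w.pos;      /* refresh the count after repositioning */

    r.requested = min_sz(av, adu_len);  /* guard is only as good as av */
    if (w.pos + r.requested > w.size)
        r.overrun = w.pos + r.requested - w.size;

    /* An unchecked put would memcpy r.requested bytes at this point; the
     * checked write keeps this demonstration memory-safe. */
    r.written = fw_put_checked(&w, adu, r.requested);

    free(adu);
    free(w.data);
    return r;
}

int main(void)
{
    /* Sizes from the debug log in the report. */
    copy_result stale = place_adu(418, 36, 178, 382, 0);
    copy_result fresh = place_adu(418, 36, 178, 382, 1);

    printf("stale count:     requested=%zu overrun=%zu written=%zu\n",
           stale.requested, stale.overrun, stale.written);
    printf("refreshed count: requested=%zu overrun=%zu written=%zu\n",
           fresh.requested, fresh.overrun, fresh.written);
    return 0;
}
```

With the stale count the guard lets through a 382-byte copy at offset 178, which is 142 bytes past the 418-byte block; with the refreshed count the copy is clamped to 240 bytes and stays inside the allocation.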