Bug 731227 - crash bug in orc-0.4.19
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: orc
Version: 1.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: NONE
Assigned To: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2014-06-04 17:04 UTC by John Cupitt
Modified: 2014-06-05 15:10 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
crash orc 0.4.19 (118.22 KB, text/x-csrc)
2014-06-04 17:04 UTC, John Cupitt
shorter version of the crash program (23.82 KB, text/x-csrc)
2014-06-04 21:15 UTC, John Cupitt
orccodemem: fix list corruption when splitting memory chunks (998 bytes, patch)
2014-06-04 22:35 UTC, Tim-Philipp Müller
committed

Description John Cupitt 2014-06-04 17:04:35 UTC
Created attachment 277890 [details]
crash orc 0.4.19

Hi, I'm seeing crashes in my image processing library with orc-0.4.19. I've made a test-case, attached. It's been generated automatically as a trace of the orc calls my library is making, so I'm afraid it's very long, sorry about that, but it does crash every time for me.

Sample run:

$ gcc -g -Wall orc-crash.c `pkg-config orc-0.4 --cflags --libs`
$ valgrind --db-attach=yes ./a.out
==21575== Memcheck, a memory error detector
==21575== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21575== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==21575== Command: ./a.out
==21575== 
==21575== Invalid read of size 4
==21575==    at 0x4E4A168: orc_code_chunk_free (orccodemem.c:192)
==21575==    by 0x4E59E8D: orc_code_free (orccode.c:33)
==21575==    by 0x4E4A5EA: orc_program_free (orcprogram.c:175)
==21575==    by 0x40F72B: main (orc-crash.c:2238)
==21575==  Address 0x6b18e08 is 24 bytes inside a block of size 40 free'd
==21575==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21575==    by 0x4E4A17F: orc_code_chunk_free (orccodemem.c:190)
==21575==    by 0x4E59E8D: orc_code_free (orccode.c:33)
==21575==    by 0x4E4A5EA: orc_program_free (orcprogram.c:175)
==21575==    by 0x40F5F3: main (orc-crash.c:2210)

This is on Ubuntu 14.04 with orc-0.4.19 compiled from source. It seems to also crash on OS X. I've not tested other platforms. 

All orcs before 0.4.19 seem to work fine. 

This is only compiling code, no code is executed. 

The crash occurs when p[274] is freed, but I think the corruption of the orccodemem heap is happening some time before that. 

John
Comment 1 Sebastian Dröge (slomo) 2014-06-04 19:01:33 UTC
That's probably crashing now because all previous orc versions leaked quite some memory ;)
Comment 2 John Cupitt 2014-06-04 21:15:42 UTC
Created attachment 277908 [details]
shorter version of the crash program

Trimmed the crash program down quite a bit.
Comment 3 Tim-Philipp Müller 2014-06-04 22:35:44 UTC
Created attachment 277911 [details] [review]
orccodemem: fix list corruption when splitting memory chunks

When splitting orc memory chunks in two, the 'prev' pointer of the
new memory chunk to be inserted was wrong, causing invalid memory
access and double frees later down the line.
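The fault described in this comment, modelled in an added C example (not orc's own code): a constructed doubly linked chunk list, a split routine whose `prev` link can be set to the wrong node, and a link-invariant check that catches the corruption at the split itself rather than as an invalid read during a later free. All structure and function names are made up for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of a doubly linked list of code-memory chunks. It is not
 * orc's real orccodemem structure, only the shape needed to show the bug class. */
typedef struct Chunk {
    struct Chunk *prev, *next;
    size_t offset, size;
} Chunk;

/* Split c into [c: size bytes][n: remainder] and link n directly after c.
 * With buggy != 0 the new node's prev is set to c->prev instead of c,
 * the kind of mistake the report describes. */
static Chunk *split_chunk(Chunk *c, size_t size, int buggy)
{
    Chunk *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->offset = c->offset + size;
    n->size = c->size - size;
    n->next = c->next;
    n->prev = buggy ? c->prev : c;   /* correct value is c */
    if (c->next) c->next->prev = n;
    c->next = n;
    c->size = size;
    return n;
}

/* Cheap invariant check suitable for a debug build: every link must be
 * mirrored by its neighbour, otherwise a later unlink/free walks bad memory. */
int list_is_consistent(const Chunk *head)
{
    for (const Chunk *c = head; c; c = c->next) {
        if (c->next && c->next->prev != c) return 0;
        if (c->prev && c->prev->next != c) return 0;
    }
    return 1;
}

/* Two pre-existing chunks a -> b; carve 256 bytes out of b, then check links.
 * Returns 1 if the list is still consistent, 0 if the split corrupted it. */
int split_and_check(int buggy)
{
    Chunk a = { .size = 1024 }, b = { .prev = &a, .offset = 1024, .size = 4096 };
    a.next = &b;
    Chunk *n = split_chunk(&b, 256, buggy);
    int ok = list_is_consistent(&a);
    free(n);
    return ok;
}
```

Running the consistency check after every list mutation in a debug build turns the "invalid read 24 bytes inside a freed block" seen in the valgrind trace into an immediate, localised failure at the split.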
Comment 4 John Cupitt 2014-06-05 07:37:14 UTC
Confirming that this fix resolves my problems, everything valgrinds cleanly now.

Thank you very much Tim!
Comment 5 Tim-Philipp Müller 2014-06-05 15:09:42 UTC
commit 5763373b60ac970d4a9154de8cb3994b52e76efb
Author: Tim-Philipp Müller <tim@centricular.com>
Date:   Wed Jun 4 23:25:52 2014 +0100

    orccodemem: fix list corruption when splitting memory chunks in two
    
    When splitting orc memory chunks in two, the 'prev' pointer of the
    new memory chunk to be inserted was wrong, causing invalid memory
    access and double frees later down the line.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=731227