Bug 735952 – videorate: GstStructure refcount critical message

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 735952 - videorate: GstStructure refcount critical message


Summary:	videorate: GstStructure refcount critical message


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-base
Version:	1.4.0
Hardware:	Other All

Importance:	Normal major
Target Milestone:	1.4.2
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Duplicates:	734271 (view as bug list)
Depends on:
Blocks:

Reported:	2014-09-03 06:50 UTC by Robert Swain
Modified:	2014-09-21 14:40 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
proposed patch (870 bytes, patch) 2014-09-03 09:54 UTC, Vineeth	committed	Details \| Review

Description Robert Swain 2014-09-03 06:50:04 UTC

When using videorate, I have encountered a 'critical' error.

(<unknown>:1327): GStreamer-CRITICAL **: void gst_structure_free(GstStructure *): assertion `GST_STRUCTURE_REFCOUNT (structure) == NULL' failed

Below is a little bit of GST_CAPS:5 and the thread backtrace:

0:00:11.767961000  1327    0x106076680 DEBUG               GST_CAPS gstreamer/gst/gstutils.c:2822:GstCaps *gst_pad_peer_query_caps(GstPad *, GstCaps *):<source-video-scale-0:src> peer query returned video/x-raw, width=(int)640, height=(int)480, framerate=(fraction)30/1, format=(string)BGRA; video/x-raw, width=(int)640, height=(int)480, framerate=(fraction)[ 0/1, 30/1 ], format=(string)BGRA; video/x-raw, width=(int)640, height=(int)480, format=(string)UYVY, framerate=(fraction)30/1; video/x-raw, width=(int)640, height=(int)480, format=(string)UYVY, framerate=(fraction)[ 0/1, 30/1 ]; video/x-raw, width=(int)640, height=(int)480, format=(string)YUY2, framerate=(fraction)30/1; video/x-raw, width=(int)640, height=(int)480, format=(string)YUY2, framerate=(fraction)[ 0/1, 30/1 ]; video/x-raw, width=(int)640, height=(int)480, format=(string)NV12, framerate=(fraction)30/1; video/x-raw, width=(int)640, height=(int)480, format=(string)NV12, framerate=(fraction)[ 0/1, 30/1 ]
0:00:11.768940000  1327    0x105808d20 DEBUG               GST_CAPS gstreamer/gst/gstutils.c:2769:GstCaps *gst_pad_query_caps(GstPad *, GstCaps *):<local-video-capture-source-bin-0:src_0_0> get pad caps with filter (NULL)
0:00:11.768930000  1327    0x106076680 DEBUG               GST_CAPS gstreamer/gst/gstutils.c:2822:GstCaps *gst_pad_peer_query_caps(GstPad *, GstCaps *):<source-video-rate-0:src> peer query returned video/x-raw, width=(int)640, height=(int)480, framerate=(fraction)30/1, format=(string)BGRA; video/x-raw, width=(int)640, height=(int)480, framerate=(fraction)[ 0/1, 30/1 ], format=(string)BGRA; video/x-raw, width=(int)640, height=(int)480, format=(string)UYVY, framerate=(fraction)30/1; video/x-raw, width=(int)640, height=(int)480, format=(string)UYVY, framerate=(fraction)[ 0/1, 30/1 ]; video/x-raw, width=(int)640, height=(int)480, format=(string)YUY2, framerate=(fraction)30/1; video/x-raw, width=(int)640, height=(int)480, format=(string)YUY2, framerate=(fraction)[ 0/1, 30/1 ]; video/x-raw, width=(int)640, height=(int)480, format=(string)NV12, framerate=(fraction)30/1; video/x-raw, width=(int)640, height=(int)480, format=(string)NV12, framerate=(fraction)[ 0/1, 30/1 ]
0:00:11.768975000  1327    0x105808d20 DEBUG               GST_CAPS gstreamer/gst/gstpad.c:2964:gboolean gst_pad_query_caps_default(GstPad *, GstQuery *):<local-video-capture-source-bin-0:src_0_0> query caps caps query: 0x1060766d0, GstQueryCaps, filter=(GstCaps)"NULL", caps=(GstCaps)"NULL";

(<unknown>:1327): GStreamer-CRITICAL **: void gst_structure_free(GstStructure *): assertion `GST_STRUCTURE_REFCOUNT (structure) == NULL' failed
Process 1327 stopped
* thread #27: tid = 0xe5ea4d, 0x0000000100ce5bd5 daemon`g_logv + 1397, stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
    frame #0: 0x0000000100ce5bd5 daemon`g_logv + 1397
daemon`g_logv + 1397:
-> 0x100ce5bd5:  jmpq   0x100ce5bdf               ; g_logv + 1407
   0x100ce5bda:  callq  0x100fcea12               ; symbol stub for: abort
   0x100ce5bdf:  jmpq   0x100ce5be4               ; g_logv + 1412
   0x100ce5be4:  leaq   0x228f8a5(%rip), %rdi     ; g_log_depth
(lldb) thread backtrace
* thread #27: tid = 0xe5ea4d, 0x0000000100ce5bd5 daemon`g_logv + 1397, stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x0000000100ce5bd5 daemon`g_logv + 1397
    frame #1: 0x0000000100ce5629 daemon`g_log + 361
    frame #2: 0x0000000100ce65f0 daemon`g_return_if_fail_warning + 64
    frame #3: 0x0000000100b25cc9 daemon`gst_structure_free(structure=0x000000010594c300) + 121 at gststructure.c:376
    frame #4: 0x0000000100aacf3a daemon`gst_caps_merge_structure(caps=0x0000000104804590, structure=0x000000010594c300) + 522 at gstcaps.c:706
    frame #5: 0x00000001008db988 daemon`gst_video_rate_transform_caps(trans=0x0000000106080800, direction=GST_PAD_SRC, caps=0x0000000104818850, filter=0x00000001048180f0) + 1064 at gstvideorate.c:434
    frame #6: 0x0000000100a76c60 daemon`gst_base_transform_transform_caps(trans=0x0000000106080800, direction=GST_PAD_SRC, caps=0x0000000104818850, filter=0x00000001048180f0) + 304 at gstbasetransform.c:523
    frame #7: 0x0000000100a7a15e daemon`gst_base_transform_query_caps(trans=0x0000000106080800, pad=0x00000001038f7af0, filter=0x00000001048180f0) + 1166 at gstbasetransform.c:732
    frame #8: 0x0000000100a77762 daemon`gst_base_transform_default_query(trans=0x0000000106080800, direction=GST_PAD_SINK, query=0x0000000104818320) + 1154 at gstbasetransform.c:1535
    frame #9: 0x00000001008def53 daemon`gst_video_rate_query(trans=0x0000000106080800, direction=GST_PAD_SINK, query=0x0000000104818320) + 3059 at gstvideorate.c:854
    frame #10: 0x0000000100a73b7f daemon`gst_base_transform_query(pad=0x00000001038f7af0, parent=0x0000000106080800, query=0x0000000104818320) + 95 at gstbasetransform.c:1561
    frame #11: 0x0000000100af4c7a daemon`gst_pad_query(pad=0x00000001038f7af0, query=0x0000000104818320) + 1242 at gstpad.c:3584
    frame #12: 0x0000000100af5dfd daemon`gst_pad_peer_query(pad=0x00000001038f5d80, query=0x0000000104818320) + 1197 at gstpad.c:3715
    frame #13: 0x0000000100b4a467 daemon`query_caps_func(pad=0x00000001038f5d80, data=0x0000000108a873e0) + 39 at gstutils.c:2488
    frame #14: 0x0000000100af3081 daemon`gst_pad_forward(pad=0x00000001038f5b50, forward=0x0000000100b4a440, user_data=0x0000000108a873e0) + 721 at gstpad.c:2796
    frame #15: 0x0000000100b4a3ba daemon`gst_pad_proxy_query_caps(pad=0x00000001038f5b50, query=0x0000000104818320) + 874 at gstutils.c:2538
    frame #16: 0x0000000100af3cfc daemon`gst_pad_query_caps_default(pad=0x00000001038f5b50, query=0x0000000104818320) + 156 at gstpad.c:2968
    frame #17: 0x0000000100af381b daemon`gst_pad_query_default(pad=0x00000001038f5b50, parent=0x00000001038f0c20, query=0x0000000104818320) + 571 at gstpad.c:3079
    frame #18: 0x00000001006920c6 daemon`gst_queue_handle_sink_query(pad=0x00000001038f5b50, parent=0x00000001038f0c20, query=0x0000000104818320) + 1286 at gstqueue.c:872
    frame #19: 0x0000000100af4c7a daemon`gst_pad_query(pad=0x00000001038f5b50, query=0x0000000104818320) + 1242 at gstpad.c:3584
    frame #20: 0x0000000100af5dfd daemon`gst_pad_peer_query(pad=0x000000010607a010, query=0x0000000104818320) + 1197 at gstpad.c:3715
    frame #21: 0x0000000100b4a467 daemon`query_caps_func(pad=0x000000010607a010, data=0x0000000108a87d80) + 39 at gstutils.c:2488
    frame #22: 0x0000000100af3081 daemon`gst_pad_forward(pad=0x00000001050a78f0, forward=0x0000000100b4a440, user_data=0x0000000108a87d80) + 721 at gstpad.c:2796
    frame #23: 0x0000000100b4a3ba daemon`gst_pad_proxy_query_caps(pad=0x00000001050a78f0, query=0x0000000104818320) + 874 at gstutils.c:2538
    frame #24: 0x0000000100af3cfc daemon`gst_pad_query_caps_default(pad=0x00000001050a78f0, query=0x0000000104818320) + 156 at gstpad.c:2968
    frame #25: 0x0000000100af381b daemon`gst_pad_query_default(pad=0x00000001050a78f0, parent=0x000000010486ae70, query=0x0000000104818320) + 571 at gstpad.c:3079
    frame #26: 0x00000001006ac9fa daemon`gst_tee_sink_query(pad=0x00000001050a78f0, parent=0x000000010486ae70, query=0x0000000104818320) + 42 at gsttee.c:551
    frame #27: 0x0000000100af4c7a daemon`gst_pad_query(pad=0x00000001050a78f0, query=0x0000000104818320) + 1242 at gstpad.c:3584
    frame #28: 0x0000000100af5dfd daemon`gst_pad_peer_query(pad=0x00000001050a76c0, query=0x0000000104818320) + 1197 at gstpad.c:3715
    frame #29: 0x0000000100b4b110 daemon`gst_pad_peer_query_caps(pad=0x00000001050a76c0, filter=0x00000001048180f0) + 432 at gstutils.c:2818
    frame #30: 0x0000000100a79fe3 daemon`gst_base_transform_query_caps(trans=0x00000001050b8390, pad=0x00000001050a7490, filter=0x00000001048182d0) + 787 at gstbasetransform.c:715
    frame #31: 0x0000000100a77762 daemon`gst_base_transform_default_query(trans=0x00000001050b8390, direction=GST_PAD_SINK, query=0x00000001048180a0) + 1154 at gstbasetransform.c:1535
    frame #32: 0x0000000100a73b7f daemon`gst_base_transform_query(pad=0x00000001050a7490, parent=0x00000001050b8390, query=0x00000001048180a0) + 95 at gstbasetransform.c:1561
    frame #33: 0x0000000100af4c7a daemon`gst_pad_query(pad=0x00000001050a7490, query=0x00000001048180a0) + 1242 at gstpad.c:3584
    frame #34: 0x0000000100af5dfd daemon`gst_pad_peer_query(pad=0x00000001050a7260, query=0x00000001048180a0) + 1197 at gstpad.c:3715
    frame #35: 0x0000000100b4b110 daemon`gst_pad_peer_query_caps(pad=0x00000001050a7260, filter=0x00000001048182d0) + 432 at gstutils.c:2818
    frame #36: 0x0000000100a6eb3e daemon`gst_base_src_default_negotiate(basesrc=0x000000010487a000) + 238 at gstbasesrc.c:3182
    frame #37: 0x0000000100a6976c daemon`gst_base_src_negotiate(basesrc=0x000000010487a000) + 140 at gstbasesrc.c:3246
    frame #38: 0x0000000100a68505 daemon`gst_base_src_loop(pad=0x00000001050a7260) + 277 at gstbasesrc.c:2683
    frame #39: 0x0000000100b3b1ab daemon`gst_task_func(task=0x00000001048177e0) + 747 at gsttask.c:317
    frame #40: 0x0000000100b3bdc7 daemon`default_func(tdata=0x000000010371b740, pool=0x0000000103812010) + 71 at gsttaskpool.c:68
    frame #41: 0x0000000100d0df60 daemon`g_thread_pool_thread_proxy + 128
    frame #42: 0x0000000100d0d0a8 daemon`g_thread_proxy + 152
    frame #43: 0x00007fff889e5899 libsystem_pthread.dylib`_pthread_body + 138
    frame #44: 0x00007fff889e572a libsystem_pthread.dylib`_pthread_start + 137

Comment 1 Sebastian Dröge (slomo) 2014-09-03 07:10:05 UTC

How can this be reproduced? Do you have a valgrind log?

Comment 2 Robert Swain 2014-09-03 07:20:15 UTC

I was trying to find a nice way to reproduce with a simple gst-launch pipeline like this:

gst-launch-1.0 videotestsrc ! "video/x-raw, width=640, height=480, format=UYVY, framerate=(fraction)[ 0/1, 30/1 ]" ! videorate ! fakesink

But it seems the caps grammar barfs on that:

0:00:00.025742000 20339    0x1006b5c90 ERROR           GST_PIPELINE ./grammar.y:796:int priv_gst_parse_yyparse(void *, graph_t *): could not parse caps "video/x-raw,\ width=640,\ height=480,\ format=UYVY,\ framerate=(fraction)[\ 0/1,\ 30/1\ ]"
WARNING: erroneous pipeline: could not parse caps "video/x-raw,\ width=640,\ height=480,\ format=UYVY,\ framerate=(fraction)[\ 0/1,\ 30/1\ ]"

I suspect it's the framerate list but the backtrace should be useful in identifying the code at least.

Comment 3 Robert Swain 2014-09-03 08:18:32 UTC

I just got a crash from the same issue:

(<unknown>:27061): GStreamer-CRITICAL **: void gst_structure_free(GstStructure *): assertion `GST_STRUCTURE_REFCOUNT (structure) == NULL' failed
daemon(27061,0x108a07000) malloc: *** error for object 0x10378cd00: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Process 27061 stopped
* thread #30: tid = 0xe78a55, 0x00007fff91f39866 libsystem_kernel.dylib`__pthread_kill + 10, stop reason = signal SIGABRT
    frame #0: 0x00007fff91f39866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff91f39866:  jae    0x7fff91f39870            ; __pthread_kill + 20
   0x7fff91f39868:  movq   %rax, %rdi
   0x7fff91f3986b:  jmpq   0x7fff91f36175            ; cerror_nocancel
   0x7fff91f39870:  ret
(lldb) thread backtrace
* thread #30: tid = 0xe78a55, 0x00007fff91f39866 libsystem_kernel.dylib`__pthread_kill + 10, stop reason = signal SIGABRT
  * frame #0: 0x00007fff91f39866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff889e635c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff87ca9b1a libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff8e48907f libsystem_malloc.dylib`free + 411
    frame #4: 0x0000000100ce45c7 daemon`g_free + 39
    frame #5: 0x0000000100c9fcc4 daemon`array_free + 148
    frame #6: 0x0000000100c9fdcd daemon`g_array_free + 109
    frame #7: 0x0000000100b25b36 daemon`gst_structure_free(structure=0x0000000103786280) + 278 at gststructure.c:386
    frame #8: 0x0000000100aacd0a daemon`gst_caps_merge_structure(caps=0x000000010487a940, structure=0x0000000103786280) + 522 at gstcaps.c:706
...



From:

daemon(27061,0x108a07000) malloc: *** error for object 0x10378cd00: pointer being freed was not allocated

It looks like it could be trying to free a pointer that has already been freed or something.

Comment 4 Vineeth 2014-09-03 09:43:46 UTC

Hi Robert/Sebastian,

   I was able to reproduce the issue with the following launch command

gst-launch-1.0 videotestsrc ! "video/x-raw, width=640, height=480, format=UYVY,framerate=30/1" ! videorate drop_only=TRUE ! fakesink

   in gst_video_rate_transform_caps() function when caps size is 2
   the for loop runs twice,
first time the below code gets executed
        if (min_num != 0 || min_denom != 1) {
          s3 = gst_structure_copy (s);
          gst_structure_set (s3, "framerate", GST_TYPE_FRACTION, 0, 1, NULL);
        }
and because of that
    if (s3 != NULL)
      ret = gst_caps_merge_structure (ret, s3);

Now when loop runs the second time, s3 is not getting copied, but 
    if (s3 != NULL)
      ret = gst_caps_merge_structure (ret, s3);
hence it gives critical crash.

   when i initialize s3 to NULL in the for loop, the crash does not occur
something like
    s1 = gst_structure_copy (s);
    s2 = gst_structure_copy (s);
    s3 = NULL;


  Can you please confirm if this is a proper fix, or is there any other way to fix the issue.

Regards,
Vineeth

Comment 5 Robert Swain 2014-09-03 09:51:22 UTC

Can you attach a patch so I can test it?

Comment 6 Vineeth 2014-09-03 09:54:51 UTC

Created attachment 285241 [details] [review]
proposed patch

Comment 7 Sebastian Dröge (slomo) 2014-09-03 09:55:31 UTC

Yes, that seems like the correct fix and in general it makes sense to set variables to NULL again after they became invalid. Will look closer later

Comment 8 Sebastian Dröge (slomo) 2014-09-03 09:57:34 UTC

Looked now ;) But will backport to 1.4 later

commit 302f123c62275e04deec532f28c3983a7f054751
Author: Vineeth T M <vineeth.tm@samsung.com>
Date:   Wed Sep 3 15:23:26 2014 +0530

    videorate: GstStructure refcount critical message
    
    s3 is not being initialized when run in a loop
    and the same was being freed, which resulted in the crash
    
    https://bugzilla.gnome.org/show_bug.cgi?id=735952

Comment 9 Matej Knopp 2014-09-21 14:40:55 UTC

*** Bug 734271 has been marked as a duplicate of this bug. ***