GNOME Bugzilla – Bug 784434
scaletempo segfault
Last modified: 2017-07-03 20:31:26 UTC
This prevents totem from starting. Here is the backtrace I get from valgrind:

==29148== Invalid write of size 4
==29148==    at 0x20C164C0: output_overlap_float (gstscaletempo.c:215)
==29148==    by 0x20C16BEA: gst_scaletempo_transform (gstscaletempo.c:502)
==29148==    by 0xD595394: default_generate_output (gstbasetransform.c:2123)
==29148==    by 0xD594C65: gst_base_transform_chain (gstbasetransform.c:2276)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==    by 0x7AD04B1: gst_pad_push (gstpad.c:4576)
==29148==    by 0xD594D3F: gst_base_transform_chain (gstbasetransform.c:2312)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==    by 0x7AD04B1: gst_pad_push (gstpad.c:4576)
==29148==    by 0x7AB70BA: gst_proxy_pad_chain_default (gstghostpad.c:127)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==    by 0x7AD04B1: gst_pad_push (gstpad.c:4576)
==29148==  Address 0x1f4dac34 is 2,068 bytes inside a block of size 2,071 alloc'd
==29148==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==29148==    by 0x6336028: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5200.3)
==29148==    by 0x634E462: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5200.3)
==29148==    by 0x7A85B99: _sysmem_new_block (gstallocator.c:417)
==29148==    by 0x7A91361: gst_buffer_new_allocate (gstbuffer.c:839)
==29148==    by 0xD596B11: default_prepare_output_buffer (gstbasetransform.c:1639)
==29148==    by 0xD5952A3: default_generate_output (gstbasetransform.c:2094)
==29148==    by 0xD594C65: gst_base_transform_chain (gstbasetransform.c:2276)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==    by 0x7AD04B1: gst_pad_push (gstpad.c:4576)
==29148==    by 0xD594D3F: gst_base_transform_chain (gstbasetransform.c:2312)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==
==29148== Invalid write of size 8
==29148==    at 0x4C32643: memmove (vg_replace_strmem.c:1252)
==29148==    by 0x20C16C0B: memcpy (string3.h:53)
==29148==    by 0x20C16C0B: gst_scaletempo_transform (gstscaletempo.c:504)
==29148==    by 0xD595394: default_generate_output (gstbasetransform.c:2123)
==29148==    by 0xD594C65: gst_base_transform_chain (gstbasetransform.c:2276)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==    by 0x7AD04B1: gst_pad_push (gstpad.c:4576)
==29148==    by 0xD594D3F: gst_base_transform_chain (gstbasetransform.c:2312)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==    by 0x7AD04B1: gst_pad_push (gstpad.c:4576)
==29148==    by 0x7AB70BA: gst_proxy_pad_chain_default (gstghostpad.c:127)
==29148==    by 0x7AC8316: gst_pad_chain_data_unchecked (gstpad.c:4205)
==29148==    by 0x7AC8316: gst_pad_push_data (gstpad.c:4457)
==29148==    by 0x7AD04B1: gst_pad_push (gstpad.c:4576)
==29148==  Address 0x1f4dadb0 is 16 bytes before a block of size 5 free'd
==29148==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==29148==    by 0x60CA3EF: g_value_unset (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5200.3)
==29148==    by 0x7B15BAC: gst_value_subtract_list (gstvalue.c:5250)
==29148==    by 0x7B15BAC: gst_value_subtract (gstvalue.c:5914)
==29148==    by 0x7B15D40: gst_value_is_subset (gstvalue.c:4168)
==29148==    by 0x7AF1039: gst_structure_foreach (gststructure.c:1128)
==29148==    by 0x7A99B88: gst_caps_merge_structure_full (gstcaps.c:775)
==29148==    by 0x7A9B7F4: gst_caps_intersect_first (gstcaps.c:1646)
==29148==    by 0x7A9B7F4: gst_caps_intersect_full (gstcaps.c:1678)
==29148==    by 0xD597A78: gst_base_transform_find_transform (gstbasetransform.c:1124)
==29148==    by 0xD597A78: gst_base_transform_setcaps (gstbasetransform.c:1291)
==29148==    by 0xD599A99: gst_base_transform_sink_eventfunc (gstbasetransform.c:1880)
==29148==    by 0x7AC7056: gst_pad_send_event_unchecked (gstpad.c:5608)
==29148==    by 0x7AC751D: gst_pad_push_event_unchecked (gstpad.c:5264)
==29148==    by 0x7AC792F: push_sticky (gstpad.c:3807)
==29148==  Block was alloc'd at
==29148==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==29148==    by 0x6336028: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5200.3)
==29148==    by 0x634FFCE: g_strdup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.5200.3)
==29148==    by 0x60CCE5C: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.5200.3)
==29148==    by 0x7B15A12: gst_value_subtract (gstvalue.c:5926)
==29148==    by 0x7B15BD4: gst_value_subtract_list (gstvalue.c:5245)
==29148==    by 0x7B15BD4: gst_value_subtract (gstvalue.c:5914)
==29148==    by 0x7B15D40: gst_value_is_subset (gstvalue.c:4168)
==29148==    by 0x7AF1039: gst_structure_foreach (gststructure.c:1128)
==29148==    by 0x7A99B88: gst_caps_merge_structure_full (gstcaps.c:775)
==29148==    by 0x7A9B7F4: gst_caps_intersect_first (gstcaps.c:1646)
==29148==    by 0x7A9B7F4: gst_caps_intersect_full (gstcaps.c:1678)
==29148==    by 0xD597A78: gst_base_transform_find_transform (gstbasetransform.c:1124)
==29148==    by 0xD597A78: gst_base_transform_setcaps (gstbasetransform.c:1291)
==29148==    by 0xD599A99: gst_base_transform_sink_eventfunc (gstbasetransform.c:1880)
==29148==
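A triage aid for the two memcheck errors in the report above, added here as an example (it is not part of the original report or of GStreamer): it parses memcheck's "Invalid read/write" records and works out where each access falls relative to the heap block memcheck names. The function name `triage` and the verdict strings are made up for this example, and the sample input is constructed from lines of the trace.

```python
import re

# Constructed sample: the two error headers, first frames and "Address" lines
# copied from the trace above; the remaining stack frames are omitted.
SAMPLE = """\
==29148== Invalid write of size 4
==29148==    at 0x20C164C0: output_overlap_float (gstscaletempo.c:215)
==29148==  Address 0x1f4dac34 is 2,068 bytes inside a block of size 2,071 alloc'd
==29148==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==29148== Invalid write of size 8
==29148==    at 0x4C32643: memmove (vg_replace_strmem.c:1252)
==29148==  Address 0x1f4dadb0 is 16 bytes before a block of size 5 free'd
"""

ERR = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^at 0x[0-9A-Fa-f]+: (\S+)")
ADDR = re.compile(r"Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes (inside|before|after) "
                  r"a block of size ([\d,]+) (alloc'd|free'd)")

def _num(text):
    return int(text.replace(",", ""))  # memcheck prints thousands separators

def triage(log):
    """Return one dict per invalid access: kind, size, faulting function, verdict."""
    findings, cur = [], None
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)  # drop the ==PID== prefix
        if m := ERR.search(line):
            cur = {"access": m.group(1), "size": int(m.group(2)),
                   "func": None, "verdict": "no heap block named"}
            findings.append(cur)
        elif cur is None:
            continue  # frames of an allocation stack, or unrelated output
        elif cur["func"] is None and (m := FRAME.match(line)):
            cur["func"] = m.group(1)  # innermost frame of the faulting access
        elif m := ADDR.search(line):
            off, where, state = _num(m.group(1)), m.group(2), m.group(4)
            over = off + cur["size"] - _num(m.group(3))
            if where == "inside" and state == "alloc'd":
                cur["verdict"] = f"runs {over} byte(s) past the end of a live block"
            elif where == "inside":
                cur["verdict"] = "touches a freed block (use after free)"
            else:
                cur["verdict"] = f"lands {off} bytes {where} a {state} block"
            cur = None  # what follows is the alloc/free stack, not the access
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['access']} of {f['size']} in {f['func']}: {f['verdict']}")
```

On the sample, the 4-byte write in output_overlap_float starts at offset 2,068 of the 2,071-byte output buffer and so ends one byte past it, while the 8-byte memmove write is not inside any live block at all.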
How can it be reproduced? Which version of gst-plugins-good is this with? This looks like scaletempo just reads/writes to more or less random memory here.
Unfortunately I can't reproduce anymore :( It was with 1.12.1.