Issue 721872
Issue metadata

Status: Fixed
Closed: Jun 2017
Pri: 1
Type: Bug

FFmpeg: posix_memalign() is not compatible with realloc()

Project Member Reported by jrumm...@chromium.org, May 12 2017

Issue description

If I build the ffmpeg_regression_tests, the test Cr444539/FFmpegRegressionTest.BasicPlayback/0 crashes with:

realloc/memalign mismatch at 0xa65df2fb7c0: non-NULL pointers passed to realloc must be obtained from malloc, calloc, or realloc
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7ff5476a77fb base::debug::StackTrace::StackTrace()
#1 0x7ff5476a64fc base::debug::StackTrace::StackTrace()
#2 0x7ff5476a730f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7ff5486ee330 <unknown>
#4 0x7ff54797b628 tcmalloc::Abort()
#5 0x7ff54798363a LogPrintf()
#6 0x7ff5479834bb RAW_VLOG()
#7 0x7ff5479d3d4a tc_realloc
#8 0x7ff547969fb5 (anonymous namespace)::TCRealloc()
#9 0x7ff547969be7 ShimRealloc
#10 0x7ff5479695f1 realloc
#11 0x7ff5448a1416 av_reallocp
#12 0x7ff5449a4d8f mov_read_extradata
#13 0x7ff544998da2 mov_read_default
#14 0x7ff54499ed0a mov_read_moov
#15 0x7ff544998da2 mov_read_default
#16 0x7ff5449992d3 mov_read_header
#17 0x7ff544863a6a avformat_open_input
#18 0x7ff547e7851b media::FFmpegGlue::OpenContext()

After investigating this a bit, FFmpeg as built for Chromium uses posix_memalign() when allocating the block [1], and calls realloc() to change the size [2]. The code in libavformat/mov.c [3] uses both av_mallocz() and av_reallocp() when changing the memory for AVStream.AVCodecContext.extradata.

It appears posix_memalign() and realloc() don't work together.

Should we open a bug with FFmpeg? It seems strange to use one alignment when allocating, but a different one if realloc() is called.

[Interesting tidbit: Running this same test using ASAN does not crash.]


GN args:
  ffmpeg_branding="ChromeOS"
  proprietary_codecs=true
  use_goma=true
  enable_mse_mpeg2ts_stream_parser=true
  enable_hevc_demuxing=true

ninja -C out/asan ffmpeg_regression_tests
./out/asan/ffmpeg_regression_tests --gtest_filter=Cr444539/FFmpegRegressionTest.BasicPlayback/0
Note that the test file needs to be sync'd following the steps in [4].


[1] https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavutil/mem.c?l=98
[2] https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavutil/mem.c?l=169
[3] https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavformat/mov.c?l=2388
[4] https://cs.chromium.org/chromium/src/media/ffmpeg/ffmpeg_regression_tests.cc?l=10

Opened issue 721884 to track the problem with ASAN not complaining.
Labels: -Pri-3 M-60 Pri-1
Owner: jrumm...@chromium.org
Status: Assigned (was: Available)

I thought we fixed this in the past... Or at least I remember encountering it; I don't recall what we ended up doing though. Probably just a new issue; per a mailbox search there are a few ffmpeg threads on this; it shouldn't be done, so filing an upstream bug or fixing the usage sgtm.

Seems like this happens on an mp4 path, so fixing this is required for the roll.

Comment 3 by bugdroid1@chromium.org (Project Member), May 31 2017

Labels: merge-merged-merge-m60
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/824c9515cb40d3806408c13ee52cce120118328d

commit 824c9515cb40d3806408c13ee52cce120118328d
Author: John Rummell <jrummell@chromium.org>
Date: Wed May 31 22:47:56 2017

Always use av_realloc() for |extradata|

Chromium debug builds do not allow mixing calls to posix_memalign() and
realloc(). So always use realloc() when allocating |extradata|.

BUG= 721872 
TEST=Cr444539/FFmpegRegressionTest.BasicPlayback/0 test passes without ASAN

Change-Id: Ibfcf99b3c23656ee46dd471cea1c5831b9176872
Reviewed-on: https://chromium-review.googlesource.com/520342
Reviewed-by: Thomas Guilbert <tguilbert@chromium.org>

[modify] https://crrev.com/824c9515cb40d3806408c13ee52cce120118328d/libavformat/mov.c
[modify] https://crrev.com/824c9515cb40d3806408c13ee52cce120118328d/chromium/patches/README

Status: Fixed (was: Assigned)
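The underlying rule in both the report and the fix is that a buffer must stay within one allocator family for its whole lifetime: a block obtained from posix_memalign() may be passed to free(), but a checking allocator such as the tcmalloc in Chromium debug builds refuses it in realloc(), while a permissive allocator silently accepts it, so the mismatch only surfaces in some builds. The example below is added here and is not FFmpeg's or Chromium's code; it uses a hypothetical extradata_t stand-in for AVCodecContext.extradata and constructed sample bytes. It shows the two consistent growth strategies side by side: growing purely through realloc(), as the commit above does for |extradata|, and growing an aligned buffer with posix_memalign() + memcpy() + free() without ever handing the aligned block to realloc().

```c
#define _POSIX_C_SOURCE 200809L  /* for posix_memalign() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for AVCodecContext.extradata: a byte buffer plus
 * its size. Added example, not FFmpeg's or Chromium's type. */
typedef struct {
    uint8_t *data;
    size_t size;
} extradata_t;

/* Strategy A (what the Chromium fix does for |extradata|): every allocation
 * of this buffer goes through realloc(), so the block always belongs to the
 * malloc/realloc family and a checking allocator has nothing to reject.
 * realloc(NULL, n) behaves as malloc(n), so the first append needs no
 * special case. */
int extradata_append_realloc(extradata_t *e, const uint8_t *src, size_t n)
{
    if (n == 0)
        return 0;
    uint8_t *p = realloc(e->data, e->size + n);
    if (!p)
        return -1;           /* old block is still valid and still owned by e */
    memcpy(p + e->size, src, n);
    e->data = p;
    e->size += n;
    return 0;
}

/* Strategy B: keep an alignment guarantee without ever passing an aligned
 * block to realloc(). Growth is posix_memalign() + memcpy() + free(), the
 * portable way to "realloc" aligned memory. The reported bug is mixing
 * A's realloc() with B's posix_memalign() on the same buffer. */
int extradata_append_aligned(extradata_t *e, const uint8_t *src, size_t n,
                             size_t align)
{
    if (n == 0)
        return 0;
    void *p = NULL;
    /* align must be a power of two and a multiple of sizeof(void *) */
    if (posix_memalign(&p, align, e->size + n) != 0)
        return -1;
    if (e->size)
        memcpy(p, e->data, e->size);
    memcpy((uint8_t *)p + e->size, src, n);
    free(e->data);           /* free() is valid for posix_memalign() memory */
    e->data = p;
    e->size += n;
    return 0;
}

/* Builds the same 8-byte buffer with each strategy from two constructed
 * chunks and checks contents and, for B, alignment. Returns 1 on success,
 * 0 on failure. */
int extradata_selfcheck(void)
{
    /* constructed sample bytes, not a real codec header */
    static const uint8_t chunk1[4] = {0x00, 0x00, 0x00, 0x01};
    static const uint8_t chunk2[4] = {0x67, 0x42, 0xc0, 0x1e};
    static const uint8_t expected[8] = {0x00, 0x00, 0x00, 0x01,
                                        0x67, 0x42, 0xc0, 0x1e};
    extradata_t a = {NULL, 0}, b = {NULL, 0};
    int ok = 1;

    ok &= extradata_append_realloc(&a, chunk1, 4) == 0;
    ok &= extradata_append_realloc(&a, chunk2, 4) == 0;
    ok &= a.size == 8 && memcmp(a.data, expected, 8) == 0;

    ok &= extradata_append_aligned(&b, chunk1, 4, 64) == 0;
    ok &= extradata_append_aligned(&b, chunk2, 4, 64) == 0;
    ok &= b.size == 8 && memcmp(b.data, expected, 8) == 0;
    ok &= ((uintptr_t)b.data % 64) == 0;

    free(a.data);   /* both strategies end in blocks that free() accepts */
    free(b.data);
    return ok;
}

int main(void)
{
    int ok = extradata_selfcheck();
    printf("extradata growth check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Either strategy is acceptable on its own; the failing pattern in mov.c was the first allocation coming from one family (av_mallocz() backed by posix_memalign()) and the growth from the other (av_reallocp() backed by realloc()). When auditing a code base for this class of bug, look for every allocator that returns aligned memory and confirm that nothing downstream ever grows those blocks with realloc().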