Crash when processing some matroska files
We are experiencing crashes when processing some matroska files. For example, the following pipeline aborts inside glibc with "double free or corruption (!prev)" (backtrace below):
gst-launch-1.0 -vv filesrc location=xxxxxxxxxxxxxxx.mkv ! matroskademux ! avdec_h264 ! videorate ! videoscale ! video/x-raw,format=I420,width=1080,height=720,framerate=28/1 ! fakesink
#1 0x00007ffff7ae8859 in __GI_abort () at abort.c:79
#2 0x00007ffff7b533ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c7d285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7b5b47c in malloc_printerr (str=str@entry=0x7ffff7c7f690 "double free or corruption (!prev)") at malloc.c:5347
#4 0x00007ffff7b5d12c in _int_free (av=0x7ffff0000020, p=0x7ffff1be1d40, have_lock=<optimized out>) at malloc.c:4317
#5 0x00007ffff7efbb58 in _gst_memory_free (mem=0x7ffff1be1d50) at ../subprojects/gstreamer/gst/gstmemory.c:97
#6 0x00007ffff7ec4ac6 in gst_memory_unref (memory=<optimized out>) at ../subprojects/gstreamer/gst/gstmemory.h:352
#7 _gst_buffer_free (buffer=0x7ffff06c0a20) at ../subprojects/gstreamer/gst/gstbuffer.c:801
#8 0x00007ffff7eca75b in default_stop (pool=0x7ffff0204f00) at ../subprojects/gstreamer/gst/gstbufferpool.c:409
#9 0x00007ffff7eca0c8 in do_stop (pool=pool@entry=0x7ffff0204f00) at ../subprojects/gstreamer/gst/gstbufferpool.c:427
#10 0x00007ffff7ecb038 in gst_buffer_pool_set_active (pool=pool@entry=0x7ffff0204f00, active=active@entry=0) at ../subprojects/gstreamer/gst/gstbufferpool.c:535
#11 0x00007ffff7ecb0e8 in gst_buffer_pool_finalize (object=0x7ffff0204f00) at ../subprojects/gstreamer/gst/gstbufferpool.c:194
#12 0x00007ffff7cf1d0e in g_object_unref () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007ffff7ecc17c in gst_buffer_pool_release_buffer (pool=pool@entry=0x7ffff0204f00, buffer=buffer@entry=0x7ffff00066c0) at ../subprojects/gstreamer/gst/gstbufferpool.c:1382
#14 0x00007ffff7ec4ba3 in _gst_buffer_dispose (buffer=0x7ffff00066c0) at ../subprojects/gstreamer/gst/gstbuffer.c:761
#15 0x00007ffff7efcfaf in gst_mini_object_unref (mini_object=0x7ffff00066c0) at ../subprojects/gstreamer/gst/gstminiobject.c:656
#16 0x00007ffff66f1d19 in gst_ffmpegviddec_video_frame_free (frame=0x7ffff02036d0, ffmpegdec=0x5555557f2fd0) at ../subprojects/gst-libav/ext/libav/gstavviddec.c:633
#17 dummy_free_buffer (opaque=0x7ffff02036d0, data=<optimized out>) at ../subprojects/gst-libav/ext/libav/gstavviddec.c:647
#18 0x00007ffff4d9bbf6 in buffer_replace (dst=dst@entry=0x7fffb4015450, src=src@entry=0x0) at ../subprojects/FFmpeg/libavutil/buffer.c:120
#19 0x00007ffff4d9bee2 in av_buffer_unref (buf=buf@entry=0x7fffb4015450) at ../subprojects/FFmpeg/libavutil/buffer.c:130
#20 0x00007ffff4da3dfc in av_frame_unref (frame=0x7fffb4015330) at ../subprojects/FFmpeg/libavutil/frame.c:564
#21 0x00007ffff50d0a2a in release_delayed_buffers (p=0x7ffff002df30) at ../subprojects/FFmpeg/libavcodec/pthread_frame.c:385
#22 0x00007ffff50d0c7c in submit_packet (avpkt=0x7ffff002df30, user_avctx=0x5555557f3bc0, p=0x7ffff002df30) at ../subprojects/FFmpeg/libavcodec/pthread_frame.c:413
#23 ff_thread_decode_frame (avctx=avctx@entry=0x5555557f3bc0, picture=picture@entry=0x7ffff002bc50, got_picture_ptr=got_picture_ptr@entry=0x7ffff4cec620, avpkt=avpkt@entry=0x555555813440) at ../subprojects/FFmpeg/libavcodec/pthread_frame.c:501
#24 0x00007ffff50c2de2 in decode_simple_internal (frame=0x7ffff002bc50, avctx=0x5555557f3bc0) at ../subprojects/FFmpeg/libavcodec/decode.c:340
#25 decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at ../subprojects/FFmpeg/libavcodec/decode.c:538
#26 decode_receive_frame_internal (avctx=avctx@entry=0x5555557f3bc0, frame=0x7ffff002bc50) at ../subprojects/FFmpeg/libavcodec/decode.c:556
#27 0x00007ffff50c3680 in avcodec_send_packet (avctx=0x5555557f3bc0, avpkt=avpkt@entry=0x7ffff4cec700) at ../subprojects/FFmpeg/libavcodec/decode.c:614
#28 0x00007ffff66f54a4 in gst_ffmpegviddec_handle_frame (decoder=0x5555557f2fd0, frame=0x7ffff01ed150) at ../subprojects/gst-libav/ext/libav/gstavviddec.c:1919
#29 0x00007ffff68c06f2 in gst_video_decoder_decode_frame (decoder=decoder@entry=0x5555557f2fd0, frame=0x7ffff01ed150) at ../subprojects/gst-plugins-base/gst-libs/gst/video/gstvideodecoder.c:3705
#30 0x00007ffff68c0c28 in gst_video_decoder_chain_forward (decoder=decoder@entry=0x5555557f2fd0, buf=buf@entry=0x7ffff0006480, at_eos=at_eos@entry=0) at ../subprojects/gst-plugins-base/gst-libs/gst/video/gstvideodecoder.c:2340
#31 0x00007ffff68c2311 in gst_video_decoder_chain (pad=<optimized out>, parent=<optimized out>, buf=0x7ffff0006480) at ../subprojects/gst-plugins-base/gst-libs/gst/video/gstvideodecoder.c:2655
#32 0x00007ffff7f02602 in gst_pad_chain_data_unchecked (data=0x7ffff0006480, type=4112, pad=0x5555557a25b0) at ../subprojects/gstreamer/gst/gstpad.c:4399
#33 gst_pad_push_data (pad=pad@entry=0x5555557a3cd0, type=type@entry=4112, data=<optimized out>, data@entry=0x7ffff0006480) at ../subprojects/gstreamer/gst/gstpad.c:4655
#34 0x00007ffff7f0b032 in gst_pad_push (pad=0x5555557a3cd0, buffer=buffer@entry=0x7ffff0006480) at ../subprojects/gstreamer/gst/gstpad.c:4774
#35 0x00007ffff69906bb in gst_matroska_demux_parse_blockgroup_or_simpleblock (demux=demux@entry=0x5555557aa000, ebml=ebml@entry=0x7ffff4cecd00, cluster_time=<optimized out>, is_simpleblock=is_simpleblock@entry=1, cluster_offset=<optimized out>)
at ../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:4843
#36 0x00007ffff6997cea in gst_matroska_demux_parse_id (demux=demux@entry=0x5555557aa000, id=<optimized out>, length=<optimized out>, needed=<optimized out>) at ../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:5572
#37 0x00007ffff699e7c6 in gst_matroska_demux_loop (pad=<optimized out>) at ../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:5761
#38 0x00007ffff7f38ed1 in gst_task_func (task=0x5555557ac3b0) at ../subprojects/gstreamer/gst/gsttask.c:328
#39 0x00007ffff7db61d4 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#40 0x00007ffff7db5931 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#41 0x00007ffff7cbe609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#42 0x00007ffff7be5103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Removing the caps from the pipeline makes it run without crashes:
gst-launch-1.0 -vv filesrc location=xxxxxxxxxxxxxxx.mkv ! matroskademux ! avdec_h264 ! videorate ! videoscale ! fakesink
This happens in master, and also in at least 1.16 and 1.8, though with different stack traces.
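Grepping the log file for the buffer address 0x7ffff00066c0 shown in frame #15 of the backtrace (this is the buffer being released to the pool in frames #13–#15; the memory whose free aborts in frames #5–#7 belongs to a different buffer, 0x7ffff06c0a20):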
0:00:28.558016352 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:851:gst_buffer_new: new 0x7ffff00066c0
0:00:28.558022022 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:457:_memory_add: buffer 0x7ffff00066c0, idx -1, mem 0x7ffff0d40690
0:00:28.558024542 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:1008:gst_mini_object_add_parent: adding parent 0x7ffff00066c0 to object 0x7ffff0d40690
0:00:28.558027722 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:907:gst_buffer_new_allocate: new buffer 0x7ffff00066c0 of size 1926144 from allocator (nil)
0:00:28.558043252 118862 0x5555557b0860 DEBUG bufferpool gstbufferpool.c:245:mark_meta_pooled:<videobufferpool12> marking meta 0x7ffff0698200 as POOLED in buffer 0x7ffff00066c0
0:00:28.558046072 118862 0x5555557b0860 LOG bufferpool gstbufferpool.c:287:do_alloc_buffer:<videobufferpool12> allocated buffer 3/0, 0x7ffff00066c0
0:00:28.558051792 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:723:gst_mini_object_replace: replace (nil) (0) with 0x7ffff00066c0 (1)
0:00:28.558054452 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:466:gst_mini_object_ref: 0x7ffff00066c0 ref 1->2
0:00:28.558057342 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:723:gst_mini_object_replace: replace 0x7ffff00066c0 (2) with (nil) (0)
0:00:28.558061662 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:648:gst_mini_object_unref: 0x7ffff00066c0 unref 2->1
0:00:28.558064982 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:1825:gst_buffer_map_range: buffer 0x7ffff00066c0, idx 0, length 1, flags 0003
0:00:28.558067682 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:301:_get_merged_memory: buffer 0x7ffff00066c0, idx 0, length 1
0:00:28.558075882 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:1825:gst_buffer_map_range: buffer 0x7ffff00066c0, idx 0, length 1, flags 0003
0:00:28.558078532 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:301:_get_merged_memory: buffer 0x7ffff00066c0, idx 0, length 1
0:00:28.558086793 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:1825:gst_buffer_map_range: buffer 0x7ffff00066c0, idx 0, length 1, flags 0003
0:00:28.558089413 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:301:_get_merged_memory: buffer 0x7ffff00066c0, idx 0, length 1
0:00:28.558097173 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:466:gst_mini_object_ref: 0x7ffff00066c0 ref 1->2
0:00:28.558120883 118862 0x5555557b0860 LOG libav gstavviddec.c:885:gst_ffmpegviddec_get_buffer2:<avdec_h264-0> returned frame 0x7ffff00066c0
0:00:28.736551635 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:723:gst_mini_object_replace: replace (nil) (0) with 0x7ffff00066c0 (2)
0:00:28.736554375 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:466:gst_mini_object_ref: 0x7ffff00066c0 ref 2->3
0:00:28.736557245 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:723:gst_mini_object_replace: replace 0x7ffff00066c0 (3) with (nil) (0)
0:00:28.736559925 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:648:gst_mini_object_unref: 0x7ffff00066c0 unref 3->2
0:00:28.737177607 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:648:gst_mini_object_unref: 0x7ffff00066c0 unref 2->1
0:00:28.828290983 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:648:gst_mini_object_unref: 0x7ffff00066c0 unref 1->0
0:00:28.828293603 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstminiobject.c:466:gst_mini_object_ref: 0x7ffff00066c0 ref 0->1
0:00:28.828296123 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:760:_gst_buffer_dispose: release 0x7ffff00066c0 to pool 0x7ffff0204f00
0:00:28.828299573 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:1682:gst_buffer_resize_range: trim 0x7ffff00066c0 0-1926144 size:1926144 offs:0 max:1926175
0:00:28.828302383 118862 0x5555557b0860 LOG bufferpool gstbufferpool.c:1298:default_release_buffer:<videobufferpool12> released buffer 0x7ffff00066c0 0
These other log lines, logged just before the gst_buffer_new line above, suggest that the crash is related to avdec_h264:
0:00:28.557992432 118862 0x5555557b0860 DEBUG videodecoder gstvideodecoder.c:3862:gst_video_decoder_get_frame:<avdec_h264-0> frame_number : 5480
0:00:28.557995402 118862 0x5555557b0860 TRACE default gstvideoutils.c:115:gst_video_codec_frame_ref: 0x7ffff01ed6a0 ref 2->3
0:00:28.557997882 118862 0x5555557b0860 DEBUG libav gstavviddec.c:621:gst_ffmpegviddec_video_frame_new:<avdec_h264-0> new video frame 0x7ffff02036d0
0:00:28.558002362 118862 0x5555557b0860 DEBUG libav gstavviddec.c:827:gst_ffmpegviddec_get_buffer2:<avdec_h264-0> storing opaque 0x7ffff02036d0
0:00:28.558004922 118862 0x5555557b0860 LOG bufferpool gstbufferpool.c:1128:default_acquire_buffer:<videobufferpool12> no buffer, trying to allocate
0:00:28.558007362 118862 0x5555557b0860 DEBUG videopool gstvideopool.c:248:video_buffer_pool_alloc:<videobufferpool12> alloc 1926144
0:00:28.558010802 118862 0x5555557b0860 TRACE GST_REFCOUNTING gstobject.c:238:gst_object_ref:<allocatorsysmem0> 0x555555576840 ref 111->112
0:00:28.558014042 118862 0x5555557b0860 DEBUG GST_MEMORY gstmemory.c:140:gst_memory_init: new memory 0x7ffff0d40690, maxsize:1926175 offset:0 size:1926144
0:00:28.558016352 118862 0x5555557b0860 LOG GST_BUFFER gstbuffer.c:851:gst_buffer_new: new 0x7ffff00066c0
Full log and stdout are attached.