Created
September 6, 2012 09:50
-
-
Save fischman/3654045 to your computer and use it in GitHub Desktop.
vdpau-driver use-after-free
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ================================================================= | |
| ==25091== ERROR: AddressSanitizer heap-use-after-free on address 0x7f1d93f98188 at pc 0x7f1d85f33161 bp 0x7f1d7bc16e30 sp 0x7f1d7bc16e28 | |
| READ of size 8 at 0x7f1d93f98188 thread T4 | |
| #0 0x7f1d85f33160 in render_thread /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:85 | |
| #1 0x7f1de231613b in __asan::AsanThread::ThreadStart() ??:0 | |
| 0x7f1d93f98188 is located 264 bytes inside of 2304-byte region [0x7f1d93f98080,0x7f1d93f98980) | |
| freed by thread T0 here: | |
| #0 0x7f1de23131b5 in __interceptor_realloc ??:0 | |
| #1 0x7f1d85f0e38a in object_heap_expand /home/fischman/va-craxy/vdpau-driver/src/object_heap.c:62 | |
| #2 0x7f1d85f0e63b in object_heap_allocate /home/fischman/va-craxy/vdpau-driver/src/object_heap.c:104 | |
| #3 0x7f1d85f328cb in output_surface_create /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:259 | |
| #4 0x7f1d85f352c8 in output_surface_ensure /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:475 | |
| #5 0x7f1d85f34fa8 in put_surface /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:852 | |
| #6 0x7f1d85f359bc in vdpau_PutSurface /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:944 | |
| #7 0x7f1da0763930 in content::VaapiH264Decoder::DecodeSurface::Sync() ninja/Debug/../../content/common/gpu/media/vaapi_h264_decoder.cc:295 | |
| #8 0x7f1da0795c27 in content::VaapiH264Decoder::PutPicToTexture(int) ninja/Debug/../../content/common/gpu/media/vaapi_h264_decoder.cc:1615 | |
| #9 0x7f1da081b118 in VaapiVideoDecodeAccelerator::SyncAndNotifyPictureReady(int, int) ninja/Debug/../../content/common/gpu/media/vaapi_video_decode_accelerator.cc:114 | |
| #10 0x7f1da08347a5 in base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>::Run(VaapiVideoDecodeAccelerator*, int const&, int const&) ninja/Debug/../../base/bind_internal.h:248 | |
| #11 0x7f1da0834053 in base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>, void ()(base::WeakPtr<VaapiVideoDecodeAccelerator> const&, int const&, int const&)>::MakeItSo(base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>, base::WeakPtr<VaapiVideoDecodeAccelerator> const&, int const&, int const&) ninja/Debug/../../base/bind_internal.h:940 | |
| #12 0x7f1da0833b1f in base::internal::Invoker<3, base::internal::BindState<base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>, void ()(VaapiVideoDecodeAccelerator*, int, int), void ()(base::WeakPtr<VaapiVideoDecodeAccelerator>, int, int)>, void ()(VaapiVideoDecodeAccelerator*, int, int)>::Run(base::internal::BindStateBase*) ninja/Debug/../../base/bind_internal.h:1386 | |
| #13 0x7f1dc90d3a94 in base::Callback<void ()()>::Run() const ninja/Debug/../../base/callback.h:389 | |
| #14 0x7f1dc92f2bb9 in MessageLoop::RunTask(base::PendingTask const&) ninja/Debug/../../base/message_loop.cc:460 | |
| #15 0x7f1dc92f43ea in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ninja/Debug/../../base/message_loop.cc:472 | |
| #16 0x7f1dc92f4be9 in MessageLoop::DoWork() ninja/Debug/../../base/message_loop.cc:648 | |
| #17 0x7f1dc9345909 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ninja/Debug/../../base/message_pump_default.cc:28 | |
| #18 0x7f1dc92f12ec in MessageLoop::RunInternal() ninja/Debug/../../base/message_loop.cc:419 | |
| #19 0x7f1dc92f0e02 in MessageLoop::RunHandler() ninja/Debug/../../base/message_loop.cc:392 | |
| #20 0x7f1dc94acfd3 in base::RunLoop::Run() ninja/Debug/../../base/run_loop.cc:45 | |
| #21 0x7f1dc92eea86 in MessageLoop::Run() ninja/Debug/../../base/message_loop.cc:299 | |
| #22 0x7f1d9fc54a1c in GpuMain(content::MainFunctionParams const&) ninja/Debug/../../content/gpu/gpu_main.cc:206 | |
| #23 0x7f1d9d05293a in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ninja/Debug/../../content/app/content_main_runner.cc:379 | |
| #24 0x7f1d9d057e89 in content::ContentMainRunnerImpl::Run() ninja/Debug/../../content/app/content_main_runner.cc:654 | |
| #25 0x7f1d9d04f370 in content::ContentMain(int, char const**, content::ContentMainDelegate*) ninja/Debug/../../content/app/content_main.cc:35 | |
| #26 0x7f1dd3436325 in ChromeMain ninja/Debug/../../chrome/app/chrome_main.cc:32 | |
| #27 0x7f1dd34360ae in main ninja/Debug/../../chrome/app/chrome_exe_main_aura.cc:17 | |
| #28 0x7f1d97a69c4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258 | |
| previously allocated by thread T0 here: | |
| #0 0x7f1de23131b5 in __interceptor_realloc ??:0 | |
| #1 0x7f1d85f0e38a in object_heap_expand /home/fischman/va-craxy/vdpau-driver/src/object_heap.c:62 | |
| #2 0x7f1d85f1a448 in vdpau_common_Initialize /home/fischman/va-craxy/vdpau-driver/src/vdpau_driver.c:256 | |
| #3 0x7f1d85f19385 in vdpau_Initialize_Current /home/fischman/va-craxy/vdpau-driver/src/./vdpau_driver_template.h:561 | |
| #4 0x7f1d93509c77 in va_openDriver /home/fischman/va-craxy/libva/va/va.c:247 | |
| #5 0x305f74696e497265 | |
| Thread T4 created by T0 here: | |
| #0 0x7f1de230f424 in __interceptor_pthread_create ??:0 | |
| #1 0x7f1d85f32c65 in output_surface_create /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:294 | |
| #2 0x7f1d85f352c8 in output_surface_ensure /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:475 | |
| #3 0x7f1d85f34fa8 in put_surface /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:852 | |
| #4 0x7f1d85f359bc in vdpau_PutSurface /home/fischman/va-craxy/vdpau-driver/src/vdpau_video_x11.c:944 | |
| #5 0x7f1da0763930 in content::VaapiH264Decoder::DecodeSurface::Sync() ninja/Debug/../../content/common/gpu/media/vaapi_h264_decoder.cc:295 | |
| #6 0x7f1da0795c27 in content::VaapiH264Decoder::PutPicToTexture(int) ninja/Debug/../../content/common/gpu/media/vaapi_h264_decoder.cc:1615 | |
| #7 0x7f1da081b118 in VaapiVideoDecodeAccelerator::SyncAndNotifyPictureReady(int, int) ninja/Debug/../../content/common/gpu/media/vaapi_video_decode_accelerator.cc:114 | |
| #8 0x7f1da08347a5 in base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>::Run(VaapiVideoDecodeAccelerator*, int const&, int const&) ninja/Debug/../../base/bind_internal.h:248 | |
| #9 0x7f1da0834053 in base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>, void ()(base::WeakPtr<VaapiVideoDecodeAccelerator> const&, int const&, int const&)>::MakeItSo(base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>, base::WeakPtr<VaapiVideoDecodeAccelerator> const&, int const&, int const&) ninja/Debug/../../base/bind_internal.h:940 | |
| #10 0x7f1da0833b1f in base::internal::Invoker<3, base::internal::BindState<base::internal::RunnableAdapter<void (VaapiVideoDecodeAccelerator::*)(int, int)>, void ()(VaapiVideoDecodeAccelerator*, int, int), void ()(base::WeakPtr<VaapiVideoDecodeAccelerator>, int, int)>, void ()(VaapiVideoDecodeAccelerator*, int, int)>::Run(base::internal::BindStateBase*) ninja/Debug/../../base/bind_internal.h:1386 | |
| #11 0x7f1dc90d3a94 in base::Callback<void ()()>::Run() const ninja/Debug/../../base/callback.h:389 | |
| #12 0x7f1dc92f2bb9 in MessageLoop::RunTask(base::PendingTask const&) ninja/Debug/../../base/message_loop.cc:460 | |
| #13 0x7f1dc92f43ea in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ninja/Debug/../../base/message_loop.cc:472 | |
| #14 0x7f1dc92f4be9 in MessageLoop::DoWork() ninja/Debug/../../base/message_loop.cc:648 | |
| #15 0x7f1dc9345909 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ninja/Debug/../../base/message_pump_default.cc:28 | |
| #16 0x7f1dc92f12ec in MessageLoop::RunInternal() ninja/Debug/../../base/message_loop.cc:419 | |
| #17 0x7f1dc92f0e02 in MessageLoop::RunHandler() ninja/Debug/../../base/message_loop.cc:392 | |
| #18 0x7f1dc94acfd3 in base::RunLoop::Run() ninja/Debug/../../base/run_loop.cc:45 | |
| #19 0x7f1dc92eea86 in MessageLoop::Run() ninja/Debug/../../base/message_loop.cc:299 | |
| #20 0x7f1d9fc54a1c in GpuMain(content::MainFunctionParams const&) ninja/Debug/../../content/gpu/gpu_main.cc:206 | |
| #21 0x7f1d9d05293a in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ninja/Debug/../../content/app/content_main_runner.cc:379 | |
| [25091:25091:88596620635:VERBOSE4:vaapi_video_decode_accelerator.cc(119)] Notifying output picture id 18 for input 18 is ready | |
| #22 0x7f1d9d057e89 in content::ContentMainRunnerImpl::Run() ninja/Debug/../../content/app/content_main_runner.cc:654 | |
| #23 0x7f1d9d04f370 in content::ContentMain(int, char const**, content::ContentMainDelegate*) ninja/Debug/../../content/app/content_main.cc:35 | |
| #24 0x7f1dd3436325 in ChromeMain ninja/Debug/../../chrome/app/chrome_main.cc:32 | |
| #25 0x7f1dd34360ae in main ninja/Debug/../../chrome/app/chrome_exe_main_aura.cc:17 | |
| #26 0x7f1d97a69c4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258 | |
| Shadow byte and word: | |
| 0x1fe3b27f3031: fd | |
| 0x1fe3b27f3030: fd fd fd fd fd fd fd fd | |
| More shadow bytes: | |
| 0x1fe3b27f3010: fd fd fd fd fd fd fd fd | |
| 0x1fe3b27f3018: fd fd fd fd fd fd fd fd | |
| 0x1fe3b27f3020: fd fd fd fd fd fd fd fd | |
| 0x1fe3b27f3028: fd fd fd fd fd fd fd fd | |
| =>0x1fe3b27f3030: fd fd fd fd fd fd fd fd | |
| 0x1fe3b27f3038: fd fd fd fd fd fd fd fd | |
| 0x1fe3b27f3040: fd fd fd fd fd fd fd fd | |
| 0x1fe3b27f3048: fd fd fd fd fd fd fd fd | |
| 0x1fe3b27f3050: fd fd fd fd fd fd fd fd | |
| Stats: 139M malloced (94M for red zones) by 59753 calls | |
| Stats: 0M realloced by 1551 calls | |
| Stats: 69M freed by 45421 calls | |
| Stats: 0M really freed by 0 calls | |
| Stats: 260M (66618 full pages) mmaped in 65 calls | |
| mmaps by size class: 8:65532; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:512; 15:128; 16:64; 17:32; 18:16; 19:104; 20:8; 21:66; 22:2; | |
| mallocs by size class: 8:50906; 9:4010; 10:2436; 11:1007; 12:333; 13:309; 14:422; 15:101; 16:41; 17:8; 18:7; 19:97; 20:8; 21:66; 22:2; | |
| frees by size class: 8:40487; 9:2040; 10:1889; 11:282; 12:207; 13:220; 14:143; 15:86; 16:14; 18:1; 19:9; 20:1; 21:44; | |
| rfrees by size class: | |
| Stats: malloc large: 188 small slow: 306 | |
| ==25091== ABORTING |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment