performance: explicit sleep in Mpp::get_frame #7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Move msleep() to non MPP_POLL_BLOCK (cv wait) branch. Issue rockchip-linux/mpp#6
mcerveny
force-pushed
the
develop
branch
2 times, most recently
from
e982306 to
f16ec91
Compare
|
Pull not possible, maintainers deleting/creating branches. I will use only issues tracker. |
ydirson
referenced
this pull request
in BladeGroup/mpp
Sep 4, 2018
The soc_name we read from device-tree is NUL-separated so we need to
replace intervening NUL chars, but we don't want to replace the last
one, or the next call to strstr() will overflow the buffer.
Detected with address-sanitizer:
==3271==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f940026a0 at pc 0x7f97df7160 bp 0x7fee1fa8e0 sp 0x7fee1fa958
READ of size 97 at 0x7f940026a0 thread T0
#0 0x7f97df715f (/usr/lib/libasan.so.3+0x4215f)
#1 0x7f97df745b in __interceptor_strstr (/usr/lib/libasan.so.3+0x4245b)
#2 0x7f97d6b27b in MppPlatformService::MppPlatformService() (/usr/lib/librockchip_mpp.so.1+0x8727b)
#3 0x7f97d6b64f in mpp_get_vcodec_type (/usr/lib/librockchip_mpp.so.1+0x8764f)
#4 0x7f97d38da3 in hal_h264d_init (/usr/lib/librockchip_mpp.so.1+0x54da3)
0x7f940026a0 is located 0 bytes to the right of 96-byte region [0x7f94002640,0x7f940026a0)
allocated by thread T0 here:
#0 0x7f97e6445b in __interceptor_posix_memalign (/usr/lib/libasan.so.3+0xaf45b)
#1 0x7f97d6ed13 in os_malloc (/usr/lib/librockchip_mpp.so.1+0x8ad13)
#2 0x7f97d6e54b in mpp_osal_malloc (/usr/lib/librockchip_mpp.so.1+0x8a54b)
#3 0x7f97d6b1d7 in MppPlatformService::MppPlatformService() (/usr/lib/librockchip_mpp.so.1+0x871d7)
#4 0x7f97d6b64f in mpp_get_vcodec_type (/usr/lib/librockchip_mpp.so.1+0x8764f)
#5 0x7f97d38da3 in hal_h264d_init (/usr/lib/librockchip_mpp.so.1+0x54da3)
#6 0x7f97d387c7 in mpp_hal_init (/usr/lib/librockchip_mpp.so.1+0x547c7)
#7 0x7f97d02ad3 in mpp_dec_init (/usr/lib/librockchip_mpp.so.1+0x1ead3)
#8 0x7f97cfda3f in Mpp::init(MppCtxType, MppCodingType) (/usr/lib/librockchip_mpp.so.1+0x19a3f)
#9 0x7f97d0056f in mpp_init (/usr/lib/librockchip_mpp.so.1+0x1c56f)
#10 0x404347 in mpi_dec_test_decode (/home/root/rockchip-mpp-test/mpi_dec_test+0x404347)
#11 0x4057b3 in main (/home/root/rockchip-mpp-test/mpi_dec_test+0x4057b3)
#12 0x7f97bba563 in __libc_start_main (/lib/libc.so.6+0x1f563)
#13 0x402217 (/home/root/rockchip-mpp-test/mpi_dec_test+0x402217)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/libasan.so.3+0x4215f)
Shadow bytes around the buggy address:
0x1ff2800480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff2800490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff28004a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff28004b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff28004c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x1ff28004d0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
0x1ff28004e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1ff28004f0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x1ff2800500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff2800510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff2800520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Signed-off-by: Yann Dirson <[email protected]>
HermanChen
pushed a commit
that referenced
this pull request
Sep 5, 2018
The soc_name we read from device-tree is NUL-separated so we need to
replace intervening NUL chars, but we don't want to replace the last
one, or the next call to strstr() will overflow the buffer.
Detected with address-sanitizer:
==3271==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f940026a0 at pc 0x7f97df7160 bp 0x7fee1fa8e0 sp 0x7fee1fa958
READ of size 97 at 0x7f940026a0 thread T0
#0 0x7f97df715f (/usr/lib/libasan.so.3+0x4215f)
#1 0x7f97df745b in __interceptor_strstr (/usr/lib/libasan.so.3+0x4245b)
#2 0x7f97d6b27b in MppPlatformService::MppPlatformService() (/usr/lib/librockchip_mpp.so.1+0x8727b)
#3 0x7f97d6b64f in mpp_get_vcodec_type (/usr/lib/librockchip_mpp.so.1+0x8764f)
#4 0x7f97d38da3 in hal_h264d_init (/usr/lib/librockchip_mpp.so.1+0x54da3)
0x7f940026a0 is located 0 bytes to the right of 96-byte region [0x7f94002640,0x7f940026a0)
allocated by thread T0 here:
#0 0x7f97e6445b in __interceptor_posix_memalign (/usr/lib/libasan.so.3+0xaf45b)
#1 0x7f97d6ed13 in os_malloc (/usr/lib/librockchip_mpp.so.1+0x8ad13)
#2 0x7f97d6e54b in mpp_osal_malloc (/usr/lib/librockchip_mpp.so.1+0x8a54b)
#3 0x7f97d6b1d7 in MppPlatformService::MppPlatformService() (/usr/lib/librockchip_mpp.so.1+0x871d7)
#4 0x7f97d6b64f in mpp_get_vcodec_type (/usr/lib/librockchip_mpp.so.1+0x8764f)
#5 0x7f97d38da3 in hal_h264d_init (/usr/lib/librockchip_mpp.so.1+0x54da3)
#6 0x7f97d387c7 in mpp_hal_init (/usr/lib/librockchip_mpp.so.1+0x547c7)
#7 0x7f97d02ad3 in mpp_dec_init (/usr/lib/librockchip_mpp.so.1+0x1ead3)
#8 0x7f97cfda3f in Mpp::init(MppCtxType, MppCodingType) (/usr/lib/librockchip_mpp.so.1+0x19a3f)
#9 0x7f97d0056f in mpp_init (/usr/lib/librockchip_mpp.so.1+0x1c56f)
#10 0x404347 in mpi_dec_test_decode (/home/root/rockchip-mpp-test/mpi_dec_test+0x404347)
#11 0x4057b3 in main (/home/root/rockchip-mpp-test/mpi_dec_test+0x4057b3)
#12 0x7f97bba563 in __libc_start_main (/lib/libc.so.6+0x1f563)
#13 0x402217 (/home/root/rockchip-mpp-test/mpi_dec_test+0x402217)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/libasan.so.3+0x4215f)
Shadow bytes around the buggy address:
0x1ff2800480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff2800490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff28004a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff28004b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff28004c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x1ff28004d0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
0x1ff28004e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1ff28004f0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x1ff2800500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff2800510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1ff2800520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Change-Id: Ia529035847cc23c612e4039e3d445db9d014d31f
Signed-off-by: Yann Dirson <[email protected]>
HermanChen
pushed a commit
that referenced
this pull request
Nov 1, 2023
Fixed a crash issue in mpp_destroy stage caused by calling members of a recycled parser thread. crash backtrace: #00 pc 00084882 /apex/com.android.runtime/lib/bionic/libc.so (pthread_mutex_lock+6) #1 pc 00081434 /vendor/lib/libmpp.so (mpp_dec_notify_normal(MppDecImpl_t*, unsigned int)+32) #2 pc 0007d6cc /vendor/lib/libmpp.so (mpp_dec_callback_slot(char const*, void*, int, void*)+112) #3 pc 000937f0 /vendor/lib/libmpp.so (mpp_buf_slot_clr_flag+944) #4 pc 000da960 /vendor/lib/libmpp.so (mpp_hevc_unref_frame+168) #5 pc 000d1c50 /vendor/lib/libmpp.so (h265d_deinit+32) #6 pc 00081908 /vendor/lib/libmpp.so (mpp_parser_deinit+40) #7 pc 0007e24c /vendor/lib/libmpp.so (mpp_dec_deinit+548) #8 pc 0006b4f0 /vendor/lib/libmpp.so (Mpp::clear()+104) #9 pc 0006b61c /vendor/lib/libmpp.so (Mpp::~Mpp()+12) #10 pc 0006f7e0 /vendor/lib/libmpp.so (mpp_destroy+152) #11 pc 00003d1c /vendor/bin/mpi_dec_test (dec_decode+984) Change-Id: I985168aa6ef30a265fce17c2d9765c17a24075c8 Signed-off-by: Yanjun Liao <[email protected]>
Open
HermanChen
added a commit
that referenced
this pull request
Feb 6, 2024
BUG is reported from https://redmine.rock-chips.com/issues/464206 Thread 18 (LWP 2440): #0 __lll_lock_wait (futex=0x7f34000d48, private=0) at lowlevellock.c:52 #1 0x0000007fab5b1540 in __GI___pthread_mutex_lock (mutex=0x7f34000d48) at pthread_mutex_lock.c:115 #2 0x0000007fa9e0299c in dec_vproc_signal (ctx=0x7f34001260) at ../git/mpp/vproc/mpp_dec_vproc.cpp:929 #3 0x0000007fa9df5bdc in mpp_dec_notify (ctx=0x7f602be600, flag=1088) at ../git/mpp/codec/mpp_dec.cpp:956 #4 0x0000007fa9e0ef30 in mpp_buffer_ref_dec (buffer=0x7f6403f6c8, caller=caller@entry=0x7fa9ee300c "mpp_frame_deinit") at ../git/mpp/base/mpp_buffer_impl.cpp:509 #5 0x0000007fa9e0fb84 in mpp_buffer_put_with_caller (buffer=<optimized out>, caller=caller@entry=0x7fa9ee300c "mpp_frame_deinit") at ../git/mpp/base/mpp_buffer.cpp:105 #6 0x0000007fa9e11820 in mpp_frame_deinit (frame=frame@entry=0x7f602ec340) at ../git/mpp/base/mpp_frame.cpp:85 #7 0x0000007fabd6bf4c in rkmpp_release_frame (opaque=<optimized out>, data=0x7f602ba600 <error: Cannot access memory at address 0x7f602ba600>) at src/libavcodec/rkmppdec.c:339 #8 0x0000007fab9547dc in buffer_replace (src=0x0, dst=<optimized out>) at src/libavutil/buffer.c:133 #9 av_buffer_unref (buf=<optimized out>) at src/libavutil/buffer.c:144 #10 0x0000007fac714bb8 in mp_image_destructor (ptr=0x7f60252c80) at ../../../../../../sources/mpv/video/mp_image.c:209 #11 0x0000007fac748d40 in ta_free (ptr=0x7f60252c80) at ../../../../../../sources/mpv/ta/ta.c:244 #12 0x0000007fac715178 in mp_image_unrefp (p_img=p_img@entry=0x7f4c00bfc0) at ../../../../../../sources/mpv/video/mp_image.c:472 #13 0x0000007fac73396c in wlbuf_pool_entry_release (data=0x7f4c00bfa0, wl_buffer=<optimized out>) at ../../../../../../sources/mpv/video/out/wlbuf_pool.c:132 #14 0x0000007fb4cfe328 in ffi_call_SYSV () at ../libffi-3.3/src/aarch64/sysv.S:114 #15 0x0000007fb4cfdb44 in ffi_call_int (cif=cif@entry=0x7f70fdec80, fn=0x7f70fdeca0, orig_rvalue=orig_rvalue@entry=0x0, avalue=0x10, avalue@entry=0x7f70fded50, closure=0x200000001, closure@entry=0x0) at ../libffi-3.3/src/aarch64/ffi.c:747 #16 0x0000007fb4cfdf24 in ffi_call (cif=cif@entry=0x7f70fdec80, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7f70fded50) at ../libffi-3.3/src/aarch64/ffi.c:756 #17 0x0000007faa49c7c0 in wl_closure_invoke (closure=0x7f4c00bff0, flags=<optimized out>, target=<optimized out>, opcode=0, data=<optimized out>) at ../wayland-1.22.0/src/connection.c:1025 #18 0x0000007faa499df0 in dispatch_event (display=display@entry=0x7f4c001d40, queue=<optimized out>) at ../wayland-1.22.0/src/wayland-client.c:1644 #19 0x0000007faa49b2c8 in dispatch_queue (queue=0x7f4c001e30, display=0x7f4c001d40) at ../wayland-1.22.0/src/wayland-client.c:1790 #20 wl_display_dispatch_queue_pending (display=0x7f4c001d40, queue=0x7f4c001e30) at ../wayland-1.22.0/src/wayland-client.c:2032 #21 0x0000007faa49b2f4 in wl_display_dispatch_pending (display=<optimized out>) at ../wayland-1.22.0/src/wayland-client.c:2095 #22 0x0000007fac73e2cc in vo_wayland_dispatch_events (wl=0x7f4c000e40, nfds=nfds@entry=2, timeout=timeout@entry=100) at ../../../../../../sources/mpv/video/out/wayland_common.c:1933 #23 0x0000007fac741d7c in vo_wayland_wait_events_timeout (vo=vo@entry=0x7f600abed0, timeout_ms=timeout_ms@entry=100) at ../../../../../../sources/mpv/video/out/wayland_common.c:2594 #24 0x0000007fac73baf4 in draw_frame (vo=0x7f600abed0, frame=0x7f302063b0) at ../../../../../../sources/mpv/video/out/vo_dmabuf_wayland.c:1113 #25 0x0000007fac7360c4 in render_frame (vo=0x7f600abed0) at ../../../../../../sources/mpv/video/out/vo.c:984 #26 vo_thread (ptr=0x7f600abed0) at ../../../../../../sources/mpv/video/out/vo.c:1123 #27 0x0000007fab5af370 in start_thread (arg=0x7f72ffbe06) at pthread_create.c:477 #28 0x0000007fab51bedc in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78 Thread 14 (LWP 3455): #0 __lll_lock_wait (futex=0x7f60208040, private=0) at lowlevellock.c:52 #1 0x0000007fab5b1540 in __GI___pthread_mutex_lock (mutex=mutex@entry=0x7f60208040) at pthread_mutex_lock.c:115 #2 0x0000007fa9e0ef48 in mpp_buffer_ref_dec (buffer=0x7f6406fee8, caller=caller@entry=0x7fa9ee1ae7 "check_entry_unused") at ../git/mpp/base/mpp_buffer_impl.cpp:503 #3 0x0000007fa9e0fb84 in mpp_buffer_put_with_caller (buffer=<optimized out>, caller=caller@entry=0x7fa9ee1ae7 "check_entry_unused") at ../git/mpp/base/mpp_buffer.cpp:105 #4 0x0000007fa9e0bf1c in check_entry_unused (entry=0x7f601ef530, impl=0x7f60263ec0) at ../git/mpp/base/mpp_buf_slot.cpp:627 #5 mpp_buf_slot_clr_flag (slots=0x7f60263ec0, index=<optimized out>, type=type@entry=SLOT_QUEUE_USE) at ../git/mpp/base/mpp_buf_slot.cpp:919 #6 0x0000007fa9e00eb0 in dec_vproc_clr_prev0 (ctx=ctx@entry=0x7f34001260) at ../git/mpp/vproc/mpp_dec_vproc.cpp:149 #7 0x0000007fa9e00fd0 in dec_vproc_clr_prev (ctx=ctx@entry=0x7f34001260) at ../git/mpp/vproc/mpp_dec_vproc.cpp:180 #8 0x0000007fa9e012b8 in dec_vproc_thread (data=0x7f34001260) at ../git/mpp/vproc/mpp_dec_vproc.cpp:631 #9 0x0000007fab5af370 in start_thread (arg=0x7f47ffdf16) at pthread_create.c:477 #10 0x0000007fab51bedc in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78 Signed-off-by: Herman Chen <[email protected]> Change-Id: I742e55e745c46a4adb229e2f6f0e2a2c3498e369
HermanChen
added a commit
that referenced
this pull request
Sep 4, 2024
When another C++ static global object init before the mpp_mem service
the MppService service will be inited twice. Then on object destroy will
deinit service twice and cause mutex double delete issue.
On init
E mpp_mem : MppMemService start 0 0x7c536619e8
I mpp_mem : MppMemService mpp_mem_debug enabled 3 max node 1024
E mpp_mem : MppMemService start 1 0x5e8d724230
I mpp_mem : MppMemService mpp_mem_debug enabled 3 max node 1024
On destory
05-17 09:58:04.743 2576 2576 E mpp_mem : ~MppMemService enter 0 0x5e8d724230
05-17 09:58:04.743 2576 2576 E mpp_mem : ~MppMemService enter 1 0x7c536619e8
05-17 09:58:04.743 2576 2576 E mpp_mem : mpp_osal_free
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'rockchip/rk3576_t/rk3576_t:13/TQ3C.230805.001.B2/eng.kenjc.20240510.161710:userdebug/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2024-05-17 09:58:04.800905936+0000
Process uptime: 1s
Cmdline: mpp_trie_test
pid: 2576, tid: 2576, name: mpp_trie_test >>> mpp_trie_test <<<
uid: 0
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'FORTIFY: pthread_mutex_lock called on a destroyed mutex (0x5e8d724230)'
x0 0000000000000000 x1 0000000000000a10 x2 0000000000000006 x3 0000007fd26f05d0
x4 0000000000008080 x5 0000000000008080 x6 0000000000008080 x7 8080000000000000
x8 00000000000000f0 x9 0000007c50d22a00 x10 0000000000000001 x11 0000007c50d60de4
x12 0101010101010101 x13 000000007fffffff x14 000000000001ffea x15 0000000000000078
x16 0000007c50dc5d58 x17 0000007c50da2c70 x18 0000007c55b38000 x19 0000000000000a10
x20 0000000000000a10 x21 00000000ffffffff x22 0000000000001000 x23 0000005e8d724230
x24 0000007c5489e010 x25 0000005e8d70c060 x26 0000000000000002 x27 0000007c513226e8
x28 0000000000000000 x29 0000007fd26f0650
lr 0000007c50d52968 sp 0000007fd26f05b0 pc 0000007c50d52994 pst 0000000000000000
backtrace:
#00 pc 0000000000051994 /apex/com.android.runtime/lib64/bionic/libc.so (abort+164) (BuildId: 4e07915368c859b1910c68c84a8de75f)
#1 pc 000000000005363c /apex/com.android.runtime/lib64/bionic/libc.so (__fortify_fatal(char const*, ...)+124) (BuildId: 4e07915368c859b1910c68c84a8de75f)
#2 pc 00000000000b74cc /apex/com.android.runtime/lib64/bionic/libc.so (HandleUsingDestroyedMutex(pthread_mutex_t*, char const*)+60) (BuildId: 4e07915368c859b1910c68c84a8de75f)
#3 pc 00000000000b735c /apex/com.android.runtime/lib64/bionic/libc.so (pthread_mutex_lock+240) (BuildId: 4e07915368c859b1910c68c84a8de75f)
#4 pc 0000000000048290 /system/bin/mpp_trie_test (mpp_osal_free+108) (BuildId: 55dca41ecc701b3ad16f0ef02270a45ce40533ff)
#5 pc 0000000000041080 /system/bin/mpp_trie_test (MppMemPoolService::~MppMemPoolService()+32) (BuildId: 55dca41ecc701b3ad16f0ef02270a45ce40533ff)
#6 pc 00000000000b9ca4 /apex/com.android.runtime/lib64/bionic/libc.so (__cxa_finalize+280) (BuildId: 4e07915368c859b1910c68c84a8de75f)
#7 pc 00000000000ac944 /apex/com.android.runtime/lib64/bionic/libc.so (exit+24) (BuildId: 4e07915368c859b1910c68c84a8de75f)
#8 pc 000000000004a1f8 /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+100) (BuildId: 4e07915368c859b1910c68c84a8de75f)
Signed-off-by: Herman Chen <[email protected]>
Change-Id: I81ead0f796ba6e26b520a87ae69cc8f7f6e816f4
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Move msleep() to non MPP_POLL_BLOCK (cv wait) branch.
Issue #6