mlt
Crash using the tremolo audio effect
I have added the tremolo effect to a slowed down audio clip with the reverse option enabled. When setting a value I get a crash:
Full log: tremolo_crash.txt
Thread 85 (Thread 0x7fff4dffb700 (LWP 90420)):
#0 0x00007ffff1c47355 in raise () at /usr/lib/libc.so.6
#1 0x00007ffff1c30853 in abort () at /usr/lib/libc.so.6
#2 0x00007ffff1c8a878 in __libc_message () at /usr/lib/libc.so.6
#3 0x00007ffff1c91d3a in () at /usr/lib/libc.so.6
#4 0x00007ffff1c92f9c in _int_free () at /usr/lib/libc.so.6
#5 0x00007ffff1c958a5 in _int_memalign () at /usr/lib/libc.so.6
#6 0x00007ffff1c9686c in _mid_memalign () at /usr/lib/libc.so.6
#7 0x00007ffff1c97ea6 in posix_memalign () at /usr/lib/libc.so.6
#8 0x00007fffd9c7b126 in av_malloc () at /usr/lib/libavutil.so.56
#9 0x00007fffd9c7b32b in av_mallocz () at /usr/lib/libavutil.so.56
#10 0x00007fffd96fe8d8 in avfilter_graph_config () at /usr/lib/libavfilter.so.7
#11 0x00007fffdb42a469 in init_audio_filtergraph (channels=1308599392, frequency=, format= , filter=0x55555cc78760) at filter_avfilter.c:276
    pdata = 0x555567330110 abuffersrc = 0x7fffd99435c0 abuffersink = 0x7fffd99434c0 sample_fmts = {1, -1} ret = sample_rates = {48000, -1} channel_counts = {2, -1} channel_layouts = {3, -1} channel_layout_str = "stereo\000\000 !)W\376\177\000\000\300(P\004\377\177\000\000a\000\000\000\000\000\000\000\300\063)W\376\177\000\000\000s\023\367\377\177\000\000H\247\377M\377\177\000\000_\301\021\367\377\177\000" filter = 0x55555cc78760 pdata = 0x555567330110 fps = samplepos = 843200 bufsize = 6400 ret =
#12 filter_get_audio (frame=frame@entry=0x7fff045028c0, buffer=buffer@entry=0x7fff4dffa760, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa748, channels=channels@entry=0x7fff4dffa750, samples=samples@entry=0x7fff4dffa758) at filter_avfilter.c:588
    filter = 0x55555cc78760 pdata = 0x555567330110 fps = samplepos = 843200 bufsize = 6400 ret =
#13 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7fff045028c0, buffer=buffer@entry=0x7fff4dffa760, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa748, channels=channels@entry=0x7fff4dffa750, samples=samples@entry=0x7fff4dffa758) at mlt_frame.c:738
    get_audio = 0x7fffdb429fb0 properties = 0x7fff045028c0 hide = requested_format =
#14 0x00007ffff712e61b in producer_get_audio (self=self@entry=0x7fff04200ba0, buffer=buffer@entry=0x7fff4dffa760, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa748, channels=channels@entry=0x7fff4dffa750, samples=samples@entry=0x7fff4dffa758) at mlt_tractor.c:420
    properties = 0x7fff04200ba0 frame = 0x7fff045028c0 frame_properties = 0x7fff045028c0
#15 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7fff04200ba0, buffer=buffer@entry=0x7fff4dffa760, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa748, channels=channels@entry=0x7fff4dffa750, samples=samples@entry=0x7fff4dffa758) at mlt_frame.c:738
    get_audio = 0x7ffff712e590 properties = 0x7fff04200ba0 hide = requested_format =
#16 0x00007fffd65e12a8 in filter_get_audio (frame=frame@entry=0x7fff04200ba0, buffer=buffer@entry=0x7fff4dffa760, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa748, channels=channels@entry=0x7fff4dffa750, samples=samples@entry=0x7fff4dffa758) at filter_audiolevel.c:65
    filter = 0x55555c4f9100 filter_props = 0x55555c4f9100 iec_scale = 0 error = num_channels = num_samples = num_oversample = c = s = key = "\240\v \004\377\177\000\000\071\000\000\000\000\000\000\000а\206\235\376\177\000\000\000s\023\367\377\177\000\000H\247\377M\377\177\000\000_\301\021\367\377\177\000\000P\261" pcm =
#17 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7fff04200ba0, buffer=buffer@entry=0x7fff4dffa760, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa748, channels=channels@entry=0x7fff4dffa750, samples=samples@entry=0x7fff4dffa758) at mlt_frame.c:738
    get_audio = 0x7fffd65e1230 properties = 0x7fff04200ba0 hide = requested_format =
#18 0x00007fffd64001b6 in transition_get_audio (frame_a=frame_a@entry=0x7ffe571653e0, buffer=buffer@entry=0x7fff4dffa8a8, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa88c, channels=channels@entry=0x7fff4dffa894, samples=samples@entry=0x7fff4dffa89c) at transition_mix.c:141
    frame_b = transition = 0x55555ac904c0 b_props = 0x7fff04200ba0 self = 0x555569d35960 buffer_b = 0x7ffe9d9516f0 buffer_a = 0x7ffe9d9a40f0 frequency_b = 48000 frequency_a = 48000 channels_b = 2 channels_a = 2 samples_b = 1600 samples_a = 1600 silent = bytes =
#19 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7ffe571653e0, buffer=buffer@entry=0x7fff4dffa8a8, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa88c, channels=channels@entry=0x7fff4dffa894, samples=samples@entry=0x7fff4dffa89c) at mlt_frame.c:738
    get_audio = 0x7fffd6400110 properties = 0x7ffe571653e0 hide = requested_format =
#20 0x00007fffd64001d6 in transition_get_audio (frame_a=frame_a@entry=0x7ffe571653e0, buffer=buffer@entry=0x7fff4dffa9e8, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa9cc, channels=channels@entry=0x7fff4dffa9d4, samples=samples@entry=0x7fff4dffa9dc) at transition_mix.c:142
    frame_b = transition = 0x55555ceff0f0 b_props = 0x7ffe9d95b1e0 self = 0x55556a5ff980 buffer_b = 0x7ffe5738fb90 buffer_a = 0x7ffe9d9a40f0 frequency_b = 48000 frequency_a = 48000 channels_b = 2 channels_a = 2 samples_b = 1600 samples_a = 1600 silent = bytes =
#21 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7ffe571653e0, buffer=buffer@entry=0x7fff4dffa9e8, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x7fff4dffa9cc, channels=channels@entry=0x7fff4dffa9d4, samples=samples@entry=0x7fff4dffa9dc) at mlt_frame.c:738
    get_audio = 0x7fffd6400110 properties = 0x7ffe571653e0 hide = requested_format =
#22 0x00007fffd64001d6 in transition_get_audio (frame_a=frame_a@entry=0x7ffe571653e0, buffer=buffer@entry=0x7fff4dfface0, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x555558e7abe4, channels=channels@entry=0x555558e7abe0, samples=samples@entry=0x7fff4dffacdc) at transition_mix.c:142
    frame_b = transition = 0x55555cd4c100 b_props = 0x7fff0401f920 self = 0x55556aec99a0 buffer_b = 0x7fff0418a4c0 buffer_a = 0x7ffe9d9a40f0 frequency_b = 48000 frequency_a = 48000 channels_b = 2 channels_a = 2 samples_b = 1600 samples_a = 1600 silent = bytes =
#23 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7ffe571653e0, buffer=buffer@entry=0x7fff4dfface0, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x555558e7abe4, channels=channels@entry=0x555558e7abe0, samples=samples@entry=0x7fff4dffacdc) at mlt_frame.c:738
    get_audio = 0x7fffd6400110 properties = 0x7ffe571653e0 hide = requested_format =
#24 0x00007ffff712e61b in producer_get_audio (self=self@entry=0x7fff072d9820, buffer=buffer@entry=0x7fff4dfface0, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x555558e7abe4, channels=channels@entry=0x555558e7abe0, samples=samples@entry=0x7fff4dffacdc) at mlt_tractor.c:420
    properties = 0x7fff072d9820 frame = 0x7ffe571653e0 frame_properties = 0x7ffe571653e0
#25 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7fff072d9820, buffer=buffer@entry=0x7fff4dfface0, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x555558e7abe4, channels=channels@entry=0x555558e7abe0, samples=samples@entry=0x7fff4dffacdc) at mlt_frame.c:738
    get_audio = 0x7ffff712e590 properties = 0x7fff072d9820 hide = requested_format =
#26 0x00007fffd65e12a8 in filter_get_audio (frame=frame@entry=0x7fff072d9820, buffer=buffer@entry=0x7fff4dfface0, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x555558e7abe4, channels=channels@entry=0x555558e7abe0, samples=samples@entry=0x7fff4dffacdc) at filter_audiolevel.c:65
    filter = 0x55555cdec040 filter_props = 0x55555cdec040 iec_scale = 0 error = num_channels = num_samples = num_oversample = c = s = key = " \230-\a\377\177\000\000[\000\000\000\000\000\000\000\300\201\r\216\376\177\000\000\000s\023\367\377\177\000\000\344\253\347XUU\000\000_\301\021\367\377\177\000\000\020W" pcm =
#27 0x00007ffff711445a in mlt_frame_get_audio (self=self@entry=0x7fff072d9820, buffer=buffer@entry=0x7fff4dfface0, format=format@entry=0x555558e7aac0, frequency=frequency@entry=0x555558e7abe4, channels=channels@entry=0x555558e7abe0, samples=samples@entry=0x7fff4dffacdc) at mlt_frame.c:738
    get_audio = 0x7fffd65e1230 properties = 0x7fff072d9820 hide = requested_format =
#28 0x00007ffff712b471 in consumer_read_ahead_thread (arg= ) at mlt_consumer.c:886
    buffer = 31 time_current = self = priv = 0x555558e7aab0 properties = width = 480 height = 270 video_off = preview_off = preview_format = samples = 1600 audio = 0x7ffe9d8714a0 audio_off = frame = 0x7fff072d9820 image = 0x7fff788516f0 "}~{kw~vkv~vku~wj{~\177i\202~\210i\215\177\221h\226\177\230g\231\177\232g\234\200\236f\237\200\240f\240\200\240f\240\177\237f\236\177\235f\234\177\233g\232\177\231h\231\177\231h\231\177\232h\235\177\237h\240\177\244h\245\177\245h\246~\247i\250}\250i\250}\250i\251~\251j\251~\251j\252~\252j\252~\252j\251}\251i\247}\245i\242}\235j\233~\232j\231~\230j\230~\231j\233}\233i\233}\231i\224~\206jz~oj^}UkR~OkE~>l=~=l>~?mA\177CnF\177InJ\177KnL\177NnP\177RnU\177Xn`~en"... ante = {tv_sec = 1594761323, tv_usec = 711074} count = skipped = time_process = skip_next = pos = start_pos = last_pos = frame_duration = drop_max =
#29 0x0000555555a02bd1 in RenderThread::run() (this=0x7fff10000b80) at /home/farid/kdenlive/src/monitor/glwidget.cpp:1450
#30 0x00007ffff21eee0f in () at /usr/lib/libQt5Core.so.5
#31 0x00007ffff16c5422 in start_thread () at /usr/lib/libpthread.so.0
#32 0x00007ffff1d0abf3 in clone () at /usr/lib/libc.so.6
Can you get the console output as well, showing the abort message?
I'm assuming it's some memory corruption detected by glibc, but just to make sure.
Thanks, hope this helps:
MLT: "[filter swresample ] swr_convert() failed. Alloc: 1600\tIn: 9\tOut: 0"
=================================================================
==64447==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0028601f8 at pc 0x5615f10f0175 bp 0x7f952d1e90d0 sp 0x7f952d1e8880
READ of size 6400 at 0x60c0028601f8 thread T2023 (RenderThread)
#0 0x5615f10f0174 in __interceptor_memcpy.part.0 (/usr/bin/kdenlive+0x3f7174)
#1 0x7f95554e3789 in memcpy /usr/include/bits/string_fortified.h:34:10
#2 0x7f95554e3789 in filter_get_audio /usr/src/debug/mlt/src/modules/avformat/filter_avfilter.c:620:4
#3 0x7f957d144459 in mlt_frame_get_audio /usr/src/debug/mlt/src/framework/mlt_frame.c:738:3
#4 0x7f957d15e6ba in producer_get_audio /usr/src/debug/mlt/src/framework/mlt_tractor.c:420:2
#5 0x7f957d144459 in mlt_frame_get_audio /usr/src/debug/mlt/src/framework/mlt_frame.c:738:3
#6 0x7f95611e22a7 in filter_get_audio /usr/src/debug/mlt/src/modules/normalize/filter_audiolevel.c:65:14
#7 0x7f957d144459 in mlt_frame_get_audio /usr/src/debug/mlt/src/framework/mlt_frame.c:738:3
#8 0x7f95606677d5 in transition_get_audio /usr/src/debug/mlt/src/modules/core/transition_mix.c:141:2
#9 0x7f957d144459 in mlt_frame_get_audio /usr/src/debug/mlt/src/framework/mlt_frame.c:738:3
#10 0x7f957d15e6ba in producer_get_audio /usr/src/debug/mlt/src/framework/mlt_tractor.c:420:2
#11 0x7f957d144459 in mlt_frame_get_audio /usr/src/debug/mlt/src/framework/mlt_frame.c:738:3
#12 0x7f95611e22a7 in filter_get_audio /usr/src/debug/mlt/src/modules/normalize/filter_audiolevel.c:65:14
#13 0x7f957d144459 in mlt_frame_get_audio /usr/src/debug/mlt/src/framework/mlt_frame.c:738:3
#14 0x7f957d15b4f0 in consumer_read_ahead_thread /usr/src/debug/mlt/src/framework/mlt_consumer.c:886:4
#15 0x5615f1dad1b0 in RenderThread::run() /home/farid/kdenlive/src/monitor/glwidget.cpp:1443:5
#16 0x7f95737dff0e (/usr/lib/libQt5Core.so.5+0xcdf0e)
#17 0x7f95733c63e8 in start_thread (/usr/lib/libpthread.so.0+0x93e8)
#18 0x7f95732cd292 in clone (/usr/lib/libc.so.6+0x100292)
0x60c0028601f8 is located 0 bytes to the right of 120-byte region [0x60c002860180,0x60c0028601f8)
allocated by thread T0 here:
#0 0x5615f112cd01 in calloc (/usr/bin/kdenlive+0x433d01)
#1 0x7f957d147d76 in mlt_property_init /usr/src/debug/mlt/src/framework/mlt_property.c:92:22
Thread T2023 (RenderThread) created by T2022 here:
#0 0x5615f10a2504 in pthread_create (/usr/bin/kdenlive+0x3a9504)
#1 0x7f95737df9a2 in QThread::start(QThread::Priority) (/usr/lib/libQt5Core.so.5+0xcd9a2)
Thread T2022 created by T0 here:
#0 0x5615f10a2504 in pthread_create (/usr/bin/kdenlive+0x3a9504)
#1 0x7f95624be301 in consumer_start /usr/src/debug/mlt/src/modules/sdl2/consumer_sdl2_audio.c:191:3
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/kdenlive+0x3f7174) in __interceptor_memcpy.part.0
==64447==ABORTING
MLT: "[filter swresample ] swr_convert() failed. Alloc: 1600\tIn: 9\tOut: 0"
looks like maybe it is out of memory?
Ok, seems like what is happening is that mlt_frame_get_audio() calls *buffer = mlt_properties_get_data( properties, "audio", NULL ); to get the buffer to write into, and then filter_get_audio() in filter_avfilter.c assumes that the size of that is mlt_audio_format_size( *format, *samples, *channels ); which apparently isn't true.
If mlt_property_s is 120 bytes long (based on where it was allocated), "located 0 bytes to the right of 120-byte region" makes it seem like the buffer is pointing to the end of the mlt_property somehow? Which confuses me to no end, but might be because of the memory pool stuff.
It might actually be a use-after-free that is "hidden" from asan because of the memory pool.
edit: I think this actually might be another issue, it's just asan triggering "too early" (i.e. there's one memory corruption which leads to asan stopping execution before it hits the issue originally reported)
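The size assumption described in the comment above, as an added example that is not MLT code and not from this thread: before copying, compare the size computed from sample width, samples and channels against the length recorded with the buffer. `audio_prop`, `audio_size`, `checked_audio_copy`, `copy_frame_from` and the 2-byte sample width are assumptions for illustration; the 1600-sample, 2-channel, 6400-byte and 120-byte figures are the ones in the logs above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a stored data property: the pointer plus the
 * length recorded when the buffer was attached. */
struct audio_prop { const void *data; size_t length; };

/* Bytes for interleaved audio; 0 on bad input or multiplication overflow. */
static size_t audio_size(size_t bytes_per_sample, size_t samples, size_t channels)
{
    if (bytes_per_sample == 0 || samples == 0 || channels == 0)
        return 0;
    if (samples > SIZE_MAX / channels)
        return 0;
    if (samples * channels > SIZE_MAX / bytes_per_sample)
        return 0;
    return samples * channels * bytes_per_sample;
}

/* Copy one frame of audio only if both buffers hold that many bytes.
 * Returns 0 on success, -1 when the computed size does not fit. */
static int checked_audio_copy(void *dst, size_t dst_len, const struct audio_prop *src,
                              size_t bytes_per_sample, size_t samples, size_t channels)
{
    size_t need = audio_size(bytes_per_sample, samples, channels);
    if (need == 0 || dst == NULL || src == NULL || src->data == NULL)
        return -1;
    if (need > src->length || need > dst_len)
        return -1;              /* would read or write past an allocation */
    memcpy(dst, src->data, need);
    return 0;
}

/* Constructed case with the report's sizes: 1600 samples x 2 channels x
 * 2 bytes (assumed 16-bit samples) = 6400, against src_len bytes recorded. */
static int copy_frame_from(size_t src_len)
{
    static unsigned char src[6400], out[6400];
    struct audio_prop p = { src, src_len };
    return checked_audio_copy(out, sizeof out, &p, 2, 1600, 2);
}

int main(void)
{
    /* A 120-byte source must be refused; a full 6400-byte one is copied. */
    return (copy_frame_from(120) == -1 && copy_frame_from(6400) == 0) ? 0 : 1;
}
```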
If you define USE_MLT_POOL=0 when compiling the framework, you can use standard memory inspection tools.
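Why a pooling allocator can hide a stale pointer from memory inspection tools, as an added example that is not from the thread: the pool below is a hypothetical toy, not MLT's implementation, and `pool_alloc`, `pool_release` and `stale_pointer_aliases` are illustrative names. A released block never reaches `free()`, so a later access through the old pointer is still a valid heap access and the tool has nothing to flag.

```c
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 128

/* Toy fixed-size pool (hypothetical): released blocks go on a free list
 * and are handed out again without ever being passed to free(). */
struct block { struct block *next; };
static struct block *free_list;

static void *pool_alloc(void)
{
    if (free_list) {                /* recycle: malloc/free are not involved */
        struct block *b = free_list;
        free_list = b->next;
        return b;
    }
    return malloc(BLOCK_SIZE);
}

static void pool_release(void *p)
{
    struct block *b = p;
    b->next = free_list;            /* block stays allocated as far as libc knows */
    free_list = b;
}

/* Returns 1 when a stale pointer silently aliases a newer allocation. */
static int stale_pointer_aliases(void)
{
    char *audio = pool_alloc();
    if (audio == NULL)
        return 0;
    strcpy(audio, "audio samples");
    pool_release(audio);            /* logically freed, still live heap memory */

    char *other = pool_alloc();     /* the same block comes straight back */
    strcpy(other, "unrelated object");

    /* 'audio' is dangling in program terms, yet reading through it touches
     * memory that was never freed, so no tool reports the access. */
    int aliased = (audio == other) && strcmp(audio, "unrelated object") == 0;
    pool_release(other);
    return aliased;
}

int main(void)
{
    return stale_pointer_aliases() ? 0 : 1;
}
```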
Which version of MLT do you reproduce this with?
Does it crash every time, or intermittently?
Can you offer an MLT command or simple XML file that reproduces the crash?
Which version of MLT do you reproduce this with?
I am always on master.
Does it crash every time, or intermittently?
First time I reported it, it would happen always. Last time I tried, I had to really keep messing around to get the crash.
Can you offer an MLT command or simple XML file that reproduces the crash?
Sorry I did it using Kdenlive.