Bug 11841

Summary: firefox crash on ppc, glibc reports double free
Product: swfdec
Component: library
Status: RESOLVED FIXED
Severity: major
Priority: medium
Version: unspecified
Hardware: PowerPC
OS: Linux (All)
Reporter: Brian Tarricone <brian>
Assignee: Eric Anholt <eric>
QA Contact: Eric Anholt <eric>
CC: jaime.martin, morgoth6, otte
Whiteboard:

Description Brian Tarricone 2007-08-03 23:12:38 UTC
Happens when I activate any flash content (that is, after I click one to start it playing).  In this case I was visiting YouTube.  Here's the end of console output plus gdb backtrace.  Here I set MALLOC_CHECK_=2; without that I get console output saying glibc detected a double free().

SWFDEC: ERROR: swfdec_as_interpret.c(678): swfdec_action_call_method: no function named reset on object unknown
SWFDEC: ERROR: swfdec_as_interpret.c(678): swfdec_action_call_method: no function named onPlayMovie on object SwfdecSpriteMovie
Loading stream: http://74.125.15.102/get_video?video_id=QOD8kIFDVDo
SWFDEC: ERROR: swfdec_as_interpret.c(678): swfdec_action_call_method: no function named removeMovieClip on object unknown
SWFDEC: ERROR: swfdec_as_interpret.c(678): swfdec_action_call_method: no function named onDisplayMovie on object SwfdecSpriteMovie
[swscaler @ 0xc502b40]ALTIVEC: Color Space ARGB
[swscaler @ 0xc502b40]ALTIVEC: Color Space ARGB
SWFDEC: ERROR: swfdec_as_interpret.c(678): swfdec_action_call_method: no function named onDisplayMovie on object SwfdecSpriteMovie

Program received signal SIGABRT, Aborted.
[Switching to Thread 805465408 (LWP 3841)]
0x0f00d41c in raise () from /lib/libc.so.6
(gdb) bt
#0  0x0f00d41c in raise () from /lib/libc.so.6
#1  0x0f00ed4c in abort () from /lib/libc.so.6
#2  0x0f050b0c in ?? () from /lib/libc.so.6
#3  0x0f052560 in free () from /lib/libc.so.6
#4  0x0f57ddf8 in g_free () from /usr/lib/libglib-2.0.so.0
#5  0x0cdd62c4 in swfdec_buffer_free_mem (buffer=<value optimized out>, 
    priv=0xf01) at swfdec_buffer.c:100
#6  0x0cdd6218 in swfdec_buffer_unref (buffer=0x11304a08)
    at swfdec_buffer.c:285
#7  0x0f6a1a60 in ?? () from /usr/lib/libcairo.so.2
#8  0x0f6b6d38 in cairo_surface_destroy () from /usr/lib/libcairo.so.2
#9  0x0ce0b498 in swfdec_video_movie_new_image (movie=0x11059078, image=0x1)
    at swfdec_video_movie.c:158
#10 0x0cdefb40 in swfdec_net_stream_video_goto (stream=0x10e50178, timestamp=1)
    at swfdec_net_stream.c:92
#11 0x0cdf0a00 in swfdec_net_stream_timeout (timeout=<value optimized out>)
    at swfdec_net_stream.c:134
#12 0x0cdf7830 in swfdec_player_do_advance (player=0x10d331d0, 
    msecs=<value optimized out>, audio_samples=<value optimized out>)
    at swfdec_player.c:985
#13 0x0cde8e14 in swfdec_marshal_VOID__UINT_UINT (closure=0x10f2dd60, 
    return_value=<value optimized out>, n_param_values=<value optimized out>, 
    param_values=0x7fa92440, invocation_hint=<value optimized out>, 
    marshal_data=0xcdf75c8) at swfdec_marshal.c:203
#14 0x0f638b4c in ?? () from /usr/lib/libgobject-2.0.so.0
#15 0x0f63a6a4 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#16 0x0f64d9e0 in ?? () from /usr/lib/libgobject-2.0.so.0
#17 0x0f64eb5c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#18 0x0f64ed30 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#19 0x0cdf548c in swfdec_player_advance (player=0x10d331d0, msecs=576)
    at swfdec_player.c:1703
#20 0x0ce52320 in swfdec_iterate_dispatch (source_=<value optimized out>, 
    callback=<value optimized out>, user_data=<value optimized out>)
    at swfdec_source.c:109
#21 0x0f575a9c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#22 0x0f579438 in ?? () from /usr/lib/libglib-2.0.so.0
#23 0x0f5798a4 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#24 0x0fa73af4 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#25 0x0e6f6e28 in ?? ()
   from /usr/lib/mozilla-firefox/components/libwidget_gtk2.so
#26 0x0e5e4214 in ?? ()
   from /usr/lib/mozilla-firefox/components/libtoolkitcomps.so
#27 0x10007cbc in ?? ()
#28 0x1000379c in ?? ()
#29 0x0eff67e0 in ?? () from /lib/libc.so.6
#30 0x0eff6a0c in __libc_start_main () from /lib/libc.so.6
#31 0x00000000 in ?? ()
(gdb)
Comment 1 Jaime Martin 2007-08-05 17:58:37 UTC
I have the same problem on my PowerPC machine.
Comment 2 Jaime Martin 2007-08-08 08:03:05 UTC
It's an ffmpeg issue on ppc. If you use gstreamer instead of ffmpeg, swfdec doesn't crash.
Comment 3 Brian Tarricone 2007-08-08 09:17:30 UTC
(In reply to comment #2)
> It's an ffmpeg issue on ppc. If you use gstreamer instead of ffmpeg, swfdec
> doesn't crash.

Can you provide more information about that?  ffmpeg doesn't appear in the bt at all, and I have no problems using ffmpeg on its own or linked against other apps.  Just because using gstreamer doesn't trigger the bug, it doesn't mean it's not a bug in swfdec.

Besides, I don't have gstreamer installed, and would rather not install it unless I have to.
Comment 4 Benjamin Otte 2007-08-10 06:42:40 UTC
I believe GStreamer disables the altivec optimizations. At least it used to do this back when I had a look at gstreamer's ffmpeg packages. I'd suggest using valgrind to look for potential issues. Try running this command in the swfdec build directory:
player/swfplay http://youtube.com/v/LHpZFilvHdM
or after that with valgrind:
valgrind player/.libs/lt-swfplay http://youtube.com/v/LHpZFilvHdM
That should work for reproducing. 

FWIW, I tested 0.5.2 (running Debian) on my G3 iBook and it worked fine.
Comment 5 Brian Tarricone 2007-08-10 21:30:56 UTC
With 0.5.1, that doesn't work for me.  The window pops up, and it loads the YouTube player, but when I click on it, it says 'Loading...' for a second, and then goes to the 'replay' screen as if the movie had played (and the window layout gets messed up).  Doesn't crash, though.

Eh, same deal with current git, except a bunch more error messages to console.
Comment 6 Marcin Kurek 2007-09-01 06:13:29 UTC
Same crash here, but it seems it's fixed in 0.5.2. I can enter youtube and play a movie without a crash now, but it is dead slow here.

I remember I used an older version without any problems with speed, but the current one gives me 100% cpu usage and distorted sound. Hmm, I wonder how to profile a plugin :/
Comment 7 Benjamin Otte 2007-09-02 06:36:09 UTC
I usually use oprofile to profile applications.

sudo opcontrol --reset && sudo opcontrol --start
to start it.
sudo opcontrol --stop && sudo opcontrol --dump
to stop it.
opreport -l
to get a report.
It requires debugging symbols to get a useful stack trace. 

What might be interesting to do as a quick check is disabling sound output (in the right-click menu) and see if that changes anything (I wouldn't expect it though). But usually it's X that takes all of the CPU.
Comment 8 Marcin Kurek 2007-09-02 12:47:57 UTC
Hmmm, result is quite funny I must say. ~30% of the CPU is eaten in libfs.so from Xorg, ~12% eaten in libglib-2.0.so (I guess in malloc_int call), ~7% in libavcodec.so the swfdec and swfdec is only ~4% here.

Currently I don't have enough time to recompile xorg with debug symbols to obtain more accurate results.

My system is Fedora 7 on a Pegasos 2 machine, 1GHz G4 CPU, 1GB RAM, Radeon 9100 128MB/128Bit.

xorg-x11-server-Xorg-1.3.0.0-9.fc7
glib2-2.12.13-1.fc7
ffmpeg-libs-0.4.9-0.37.20070503.lvn7
gstreamer-plugins-base-0.10.13-1.fc7
swfdec-0.5.2-1.fc7
kernel-2.6.22.5-71.fc7

I wonder, do you have any ideas what could cause such a funny effect?
Comment 9 Riccardo Magliocchetti 2007-12-19 12:03:40 UTC
I'm closing this since the crash was confirmed as fixed in 0.5.2. Serious performance issues are maybe worth another bug.
