Create codeql.yml #2
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kasper93
added a commit
that referenced
this pull request
Apr 2, 2025
Clients run in detached threads and are waited to signal when they are
finished with self mpv_destroy() call. Problem is that after detached
thread calls this function, mpv consider this client to be done and can
do whatever. One example is when mpv exits and wait for scripts to
finish we got race condition, because mpv (main thread) can exit first
and the detached thread calls ta_free() which crashes, because we are
we may already destoryed things that the thread depends on.
I've seen this crash in FreeBSD CI job (libmpv-lifetime test), where the
libmpv.so has been unloaded while the thread was still doing ta_free()
==5081==ERROR: AddressSanitizer: SEGV on unknoun address 0x000001111806 (pc 0x000001111806 bp 0x7fffdedf4e40 sp 0x7fffdedf4e08 T40)
==5081==The signal is caused by a READ memory access.
#0 0x1111806 (<unknown module>)
#1 0x803cd6900 in ta_free /home/runner/work/mpv/mpv/build/../ta/ta.c:243:5
#2 0x803a2fc87 in run_script /home/runner/work/mpv/mpv/build/../player/scripting.c:93:5
mpv-player#3 0x803a2ffe0 in script_thread /home/runner/work/mpv/mpv/build/../player/scripting.c:99:5
mpv-player#4 0x2c451a in asan_thread_start(void*) /usr/src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
mpv-player#5 0x80034fb04 (/lib/libthr.so.3+0x10b04)
Note the 0x1111806 jump which is completelly bogus.
Fix this by doing mpv_destroy() as a last step in detached threads.
kasper93
added a commit
that referenced
this pull request
Apr 2, 2025
Clients run in detached threads and are waited to signal when they are
finished with self mpv_destroy() call. Problem is that after detached
thread calls this function, mpv consider this client to be done and can
do whatever. One example is when mpv exits and wait for scripts to
finish we got race condition, because mpv (main thread) can exit first
and the detached thread calls ta_free() which crashes, because we are
we may already destoryed things that the thread depends on.
I've seen this crash in FreeBSD CI job (libmpv-lifetime test), where the
libmpv.so has been unloaded while the thread was still doing ta_free()
```
==5081==ERROR: AddressSanitizer: SEGV on unknoun address 0x000001111806 (pc 0x000001111806 bp 0x7fffdedf4e40 sp 0x7fffdedf4e08 T40)
==5081==The signal is caused by a READ memory access.
#0 0x1111806 (<unknown module>)
#1 0x803cd6900 in ta_free /home/runner/work/mpv/mpv/build/../ta/ta.c:243:5
#2 0x803a2fc87 in run_script /home/runner/work/mpv/mpv/build/../player/scripting.c:93:5
mpv-player#3 0x803a2ffe0 in script_thread /home/runner/work/mpv/mpv/build/../player/scripting.c:99:5
mpv-player#4 0x2c451a in asan_thread_start(void*) /usr/src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
mpv-player#5 0x80034fb04 (/lib/libthr.so.3+0x10b04)
```
Note the 0x1111806 jump which is completelly bogus.
Fix this by doing mpv_destroy() as a last step in detached threads.
kasper93
added a commit
that referenced
this pull request
Apr 2, 2025
Clients run in detached threads and are waited to signal when they are
finished with self mpv_destroy() call. Problem is that after detached
thread calls this function, mpv consider this client to be done and can
do whatever. One example is when mpv exits and wait for scripts to
finish we got race condition, because mpv (main thread) can exit first
and the detached thread calls ta_free() which crashes, because we may
have already destroyed things that the thread depends on.
I've seen this crash on FreeBSD CI job (libmpv-lifetime test), where the
libmpv.so has been unloaded while the thread was still doing ta_free()
```
==5081==ERROR: AddressSanitizer: SEGV on unknoun address 0x000001111806 (pc 0x000001111806 bp 0x7fffdedf4e40 sp 0x7fffdedf4e08 T40)
==5081==The signal is caused by a READ memory access.
#0 0x1111806 (<unknown module>)
#1 0x803cd6900 in ta_free /home/runner/work/mpv/mpv/build/../ta/ta.c:243:5
#2 0x803a2fc87 in run_script /home/runner/work/mpv/mpv/build/../player/scripting.c:93:5
mpv-player#3 0x803a2ffe0 in script_thread /home/runner/work/mpv/mpv/build/../player/scripting.c:99:5
mpv-player#4 0x2c451a in asan_thread_start(void*) /usr/src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
mpv-player#5 0x80034fb04 (/lib/libthr.so.3+0x10b04)
```
Note the 0x1111806 jump which is completelly bogus.
Fix this by doing mpv_destroy() as a last step in detached threads.
kasper93
added a commit
that referenced
this pull request
Apr 3, 2025
Clients run in detached threads and are waited to signal when they are
finished with self mpv_destroy() call. Problem is that after detached
thread calls this function, mpv consider this client to be done and can
do whatever. One example is when mpv exits and wait for scripts to
finish we got race condition, because mpv (main thread) can exit first
and the detached thread calls ta_free() which crashes, because we may
have already destroyed things that the thread depends on.
I've seen this crash on FreeBSD CI job (libmpv-lifetime test), where the
libmpv.so has been unloaded while the thread was still doing ta_free()
```
==5081==ERROR: AddressSanitizer: SEGV on unknoun address 0x000001111806 (pc 0x000001111806 bp 0x7fffdedf4e40 sp 0x7fffdedf4e08 T40)
==5081==The signal is caused by a READ memory access.
#0 0x1111806 (<unknown module>)
#1 0x803cd6900 in ta_free /home/runner/work/mpv/mpv/build/../ta/ta.c:243:5
#2 0x803a2fc87 in run_script /home/runner/work/mpv/mpv/build/../player/scripting.c:93:5
mpv-player#3 0x803a2ffe0 in script_thread /home/runner/work/mpv/mpv/build/../player/scripting.c:99:5
mpv-player#4 0x2c451a in asan_thread_start(void*) /usr/src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
mpv-player#5 0x80034fb04 (/lib/libthr.so.3+0x10b04)
```
Note the 0x1111806 jump which is completelly bogus.
Fix this by doing mpv_destroy() as a last step in detached threads.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Read this before you submit this pull request:
https://github.com/mpv-player/mpv/blob/master/DOCS/contribute.md
Reading this link and following the rules will get your pull request reviewed
and merged faster. Nobody wants lazy pull requests.