cover-thumbnailer: various multithreading crashes

Description

I'm seeing various crashes in curl and GLib code when I initiate multiple thumbnail requests via Thunar.

Steps to reproduce

  1. Follow the steps on the wiki to enable cover thumbnailing
    • Make sure to set an API key
  2. mkdir ~/movies
  3. Copy a video file into ~/movies and name it sesame.street.s01e01.mp4
  4. Navigate to the directory in Thunar
  5. In icon-view mode, rapidly zoom in and out to trigger different thumbnail requests
    • If you don't experience any crashes, you may have to clear out thumbnails from ~/.cache/thumbnails, close Thunar, and try again
    • You can also duplicate the file in the directory multiple times and zoom in and out while it's copying

Example backtraces

ERROR: AddressSanitizer: SEGV on unknown address 0x0000000003c8
The signal is caused by a READ memory access.
Hint: address points to the zero page.
    #0 0x7b2f8059b018 in http_header curl/lib/http.c:3480:14
    #1 0x7b2f8059b018 in http_rw_hd curl/lib/http.c:4116:12
    #2 0x7b2f8059b3ea in http_parse_headers curl/lib/http.c:4228:14
    #3 0x7b2f8059b3ea in Curl_http_write_resp_hds curl/lib/http.c:4285:14
    #4 0x7b2f805966d0 in Curl_http_write_resp curl/lib/http.c:4309:12
    #5 0x7b2f805d6778 in Curl_xfer_write_resp curl/lib/transfer.c:841:14
    #6 0x7b2f805d5a6e in sendrecv_dl curl/lib/transfer.c:344:14
    #7 0x7b2f805d5a6e in Curl_sendrecv curl/lib/transfer.c:420:14
    #8 0x7b2f805b614d in state_performing curl/lib/multi.c:1905:12
    #9 0x7b2f805b614d in multi_runsingle curl/lib/multi.c:2570:12
    #10 0x7b2f805b51b1 in curl_multi_perform curl/lib/multi.c:2756:18
    #11 0x7f2f82376700 in cover_thumbnailer_load_perform tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:254:14
    #12 0x7f2f8237473d in cover_thumbnailer_load_contents tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:368:9
    #13 0x7f2f8237473d in cover_thumbnailer_poster_url tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:520:10
    #14 0x7f2f8237473d in cover_thumbnailer_create tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:626:20
    #15 0x7f2f87753645 in tumbler_abstract_thumbnailer_create tumbler/tumbler/tumbler-abstract-thumbnailer.c:306:3
    #16 0x7f2f8775e468 in tumbler_thumbnailer_create tumbler/tumbler/tumbler-thumbnailer.c:142:3
    #17 0x56007577ac37 in tumbler_lifo_scheduler_thread tumbler/tumblerd/tumbler-lifo-scheduler.c:495:11
    #18 0x7f2f86446ce5 in g_thread_pool_thread_proxy glib/glib/gthreadpool.c:336:15
    #19 0x7f2f8644039e in g_thread_proxy glib/glib/gthread.c:893:20
    #20 0x7f2f86a9d0fc in asan_thread_start

ERROR: AddressSanitizer: heap-use-after-free on address 0x7c0c4251db40
READ of size 44 at 0x7c0c4251db40 thread T4
    #0 0x7fac47171059 in memcpy
    #1 0x7bac40992214 in Curl_headers_push curl/lib/headers.c:324:3
    #2 0x7bac40992574 in hds_cw_collect_write curl/lib/headers.c:368:23
    #3 0x7bac409c5581 in Curl_cwriter_write curl/lib/sendf.c:185:10
    #4 0x7bac409c5581 in cw_raw_write curl/lib/sendf.c:366:10
    #5 0x7bac409c3dee in Curl_cwriter_write curl/lib/sendf.c:185:10
    #6 0x7bac409c3dee in Curl_client_write curl/lib/sendf.c:93:12
    #7 0x7bac4099b08a in http_rw_hd curl/lib/http.c:4127:12
    #8 0x7bac4099b3ea in http_parse_headers curl/lib/http.c:4228:14
    #9 0x7bac4099b3ea in Curl_http_write_resp_hds curl/lib/http.c:4285:14
    #10 0x7bac409966d0 in Curl_http_write_resp curl/lib/http.c:4309:12
    #11 0x7bac409d6778 in Curl_xfer_write_resp curl/lib/transfer.c:841:14
    #12 0x7bac409d5a6e in sendrecv_dl curl/lib/transfer.c:344:14
    #13 0x7bac409d5a6e in Curl_sendrecv curl/lib/transfer.c:420:14
    #14 0x7bac409b614d in state_performing curl/lib/multi.c:1905:12
    #15 0x7bac409b614d in multi_runsingle curl/lib/multi.c:2570:12
    #16 0x7bac409b51b1 in curl_multi_perform curl/lib/multi.c:2756:18
    #17 0x7fac42941700 in cover_thumbnailer_load_perform tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:254:14
    #18 0x7fac4293f73d in cover_thumbnailer_load_contents tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:368:9
    #19 0x7fac4293f73d in cover_thumbnailer_poster_url tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:520:10
    #20 0x7fac4293f73d in cover_thumbnailer_create tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:626:20
    #21 0x7fac47c9f645 in tumbler_abstract_thumbnailer_create tumbler/tumbler/tumbler-abstract-thumbnailer.c:306:3
    #22 0x7fac47caa468 in tumbler_thumbnailer_create tumbler/tumbler/tumbler-thumbnailer.c:142:3
    #23 0x55f2c6d8cc37 in tumbler_lifo_scheduler_thread tumbler/tumblerd/tumbler-lifo-scheduler.c:495:11
    #24 0x7fac46a46ce5 in g_thread_pool_thread_proxy glib/glib/gthreadpool.c:336:15
    #25 0x7fac46a4039e in g_thread_proxy glib/glib/gthread.c:893:20
    #26 0x7fac4709d0fc in asan_thread_start /usr/src/debug/compiler-rt/compiler-rt-20.1.8.src/lib/asan/asan_interceptors.cpp:239:43
0x7c0c4251db40 is located 0 bytes inside of 64-byte region [0x7c0c4251db40,0x7c0c4251db80)
freed by thread T6 here:
    #0 0x7fac4717205d in free
    #1 0x7bac409f3ea4 in curlx_dyn_free curl/lib/curlx/dynbuf.c:64:3
    #2 0x7bac409d7af9 in Curl_close curl/lib/url.c:283:3
    #3 0x7bac409848f3 in curl_easy_cleanup curl/lib/easy.c:855:5
    #4 0x7fac42941921 in cover_thumbnailer_load_perform tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:286:3
    #5 0x7fac4293f73d in cover_thumbnailer_load_contents tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:368:9
    #6 0x7fac4293f73d in cover_thumbnailer_poster_url tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:520:10
    #7 0x7fac4293f73d in cover_thumbnailer_create tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:626:20
    #8 0x7fac47c9f645 in tumbler_abstract_thumbnailer_create tumbler/tumbler/tumbler-abstract-thumbnailer.c:306:3
    #9 0x7fac47caa468 in tumbler_thumbnailer_create tumbler/tumbler/tumbler-thumbnailer.c:142:3
    #10 0x55f2c6d8cc37 in tumbler_lifo_scheduler_thread tumbler/tumblerd/tumbler-lifo-scheduler.c:495:11
    #11 0x7fac46a46ce5 in g_thread_pool_thread_proxy glib/glib/gthreadpool.c:336:15
    #12 0x7fac46a4039e in g_thread_proxy glib/glib/gthread.c:893:20
    #13 0x7fac4709d0fc in asan_thread_start /usr/src/debug/compiler-rt/compiler-rt-20.1.8.src/lib/asan/asan_interceptors.cpp:239:43
previously allocated by thread T4 here:
    #0 0x7fac47172195 in realloc
    #1 0x7bac409f3ff2 in dyn_nappend curl/lib/curlx/dynbuf.c:111:15
    #2 0x7bac409f3ff2 in curlx_dyn_addn curl/lib/curlx/dynbuf.c:174:10
    #3 0x7bac4099b399 in http_parse_headers curl/lib/http.c:4194:14
    #4 0x7bac4099b399 in Curl_http_write_resp_hds curl/lib/http.c:4285:14
    #5 0x7bac409966d0 in Curl_http_write_resp curl/lib/http.c:4309:12
    #6 0x7bac409d6778 in Curl_xfer_write_resp curl/lib/transfer.c:841:14
    #7 0x7bac409d5a6e in sendrecv_dl curl/lib/transfer.c:344:14
    #8 0x7bac409d5a6e in Curl_sendrecv curl/lib/transfer.c:420:14
    #9 0x7bac409b614d in state_performing curl/lib/multi.c:1905:12
    #10 0x7bac409b614d in multi_runsingle curl/lib/multi.c:2570:12
    #11 0x7bac409b51b1 in curl_multi_perform curl/lib/multi.c:2756:18
    #12 0x7fac42941700 in cover_thumbnailer_load_perform tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:254:14
    #13 0x7fac4293f73d in cover_thumbnailer_load_contents tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:368:9
    #14 0x7fac4293f73d in cover_thumbnailer_poster_url tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:520:10
    #15 0x7fac4293f73d in cover_thumbnailer_create tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:626:20
    #16 0x7fac47c9f645 in tumbler_abstract_thumbnailer_create tumbler/tumbler/tumbler-abstract-thumbnailer.c:306:3
    #17 0x7fac47caa468 in tumbler_thumbnailer_create tumbler/tumbler/tumbler-thumbnailer.c:142:3
    #18 0x55f2c6d8cc37 in tumbler_lifo_scheduler_thread tumbler/tumblerd/tumbler-lifo-scheduler.c:495:11
    #19 0x7fac46a46ce5 in g_thread_pool_thread_proxy glib/glib/gthreadpool.c:336:15
    #20 0x7fac46a4039e in g_thread_proxy glib/glib/gthread.c:893:20
    #21 0x7fac4709d0fc in asan_thread_start /usr/src/debug/compiler-rt/compiler-rt-20.1.8.src/lib/asan/asan_interceptors.cpp:239:43
Thread T4 created by T0 here:
    #0 0x7fac47169c94 in pthread_create /usr/src/debug/compiler-rt/compiler-rt-20.1.8.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7fac46a3ea54 in g_system_thread_new glib/glib/gthread-posix.c:762:9
    #2 0x7fac46a40889 in g_thread_new_internal glib/glib/gthread.c:997:22
    #3 0x7fac46a40889 in g_thread_try_new glib/glib/gthread.c:981:10
    #4 0x7fac46a44017 in g_thread_pool_start_thread glib/glib/gthreadpool.c:450:20
    #5 0x7fac46a43504 in g_thread_pool_new_full glib/glib/gthreadpool.c:656:16
    #6 0x7fac46a42fb2 in g_thread_pool_new glib/glib/gthreadpool.c:548:10
    #7 0x55f2c6d8b034 in tumbler_lifo_scheduler_init tumbler/tumblerd/tumbler-lifo-scheduler.c:142:21
    #8 0x7fac46d87ea3 in g_type_create_instance glib/gobject/gtype.c:1900:5
    #9 0x7fac46d26205 in g_object_new_internal glib/gobject/gobject.c:2664:24
    #10 0x7fac46d2575f in g_object_new_valist glib/gobject/gobject.c:3002:16
    #11 0x7fac46d2425b in g_object_new glib/gobject/gobject.c:2478:12
    #12 0x55f2c6d8ae22 in tumbler_lifo_scheduler_new tumbler/tumblerd/tumbler-lifo-scheduler.c:573:10
    #13 0x55f2c6da1b90 in tumbler_service_constructed tumbler/tumblerd/tumbler-service.c:249:15
    #14 0x7fac46d265e1 in g_object_new_internal glib/gobject/gobject.c:2714:5
    #15 0x7fac46d2575f in g_object_new_valist glib/gobject/gobject.c:3002:16
    #16 0x7fac46d2425b in g_object_new glib/gobject/gobject.c:2478:12
    #17 0x55f2c6da144e in tumbler_service_new tumbler/tumblerd/tumbler-service.c:694:10
    #18 0x55f2c6d7dd3e in main tumbler/tumblerd/main.c:200:13
Thread T6 created by T0 here:
    #0 0x7fac47169c94 in pthread_create /usr/src/debug/compiler-rt/compiler-rt-20.1.8.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7fac46a3ea54 in g_system_thread_new glib/glib/gthread-posix.c:762:9
    #2 0x7fac46a40889 in g_thread_new_internal glib/glib/gthread.c:997:22
    #3 0x7fac46a40889 in g_thread_try_new glib/glib/gthread.c:981:10
    #4 0x7fac46a44017 in g_thread_pool_start_thread glib/glib/gthreadpool.c:450:20
    #5 0x7fac46a43504 in g_thread_pool_new_full glib/glib/gthreadpool.c:656:16
    #6 0x7fac46a42fb2 in g_thread_pool_new glib/glib/gthreadpool.c:548:10
    #7 0x55f2c6d8b034 in tumbler_lifo_scheduler_init tumbler/tumblerd/tumbler-lifo-scheduler.c:142:21
    #8 0x7fac46d87ea3 in g_type_create_instance glib/gobject/gtype.c:1900:5
    #9 0x7fac46d26205 in g_object_new_internal glib/gobject/gobject.c:2664:24
    #10 0x7fac46d2575f in g_object_new_valist glib/gobject/gobject.c:3002:16
    #11 0x7fac46d2425b in g_object_new glib/gobject/gobject.c:2478:12
    #12 0x55f2c6d8ae22 in tumbler_lifo_scheduler_new tumbler/tumblerd/tumbler-lifo-scheduler.c:573:10
    #13 0x55f2c6da1b90 in tumbler_service_constructed tumbler/tumblerd/tumbler-service.c:249:15
    #14 0x7fac46d265e1 in g_object_new_internal glib/gobject/gobject.c:2714:5
    #15 0x7fac46d2575f in g_object_new_valist glib/gobject/gobject.c:3002:16
    #16 0x7fac46d2425b in g_object_new glib/gobject/gobject.c:2478:12
    #17 0x55f2c6da144e in tumbler_service_new tumbler/tumblerd/tumbler-service.c:694:10
    #18 0x55f2c6d7dd3e in main tumbler/tumblerd/main.c:200:13
SUMMARY: AddressSanitizer: heap-use-after-free curl/lib/headers.c:324:3 in Curl_headers_push

Version info

  • fd32d11c compiled on Arch Linux
  • curl@952c929bdf70645
Edited by correctmost
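
For triage, the heap-use-after-free report above can be reduced to which thread read, freed and allocated the block, and at which plugin frame each stack enters curl. This is an added example, not part of the original report or of tumbler; `parse_stacks`, `triage` and the `tumbler/` path filter are assumptions, and the embedded report is abbreviated from the trace above.

```python
import re

# Abbreviated from the heap-use-after-free report above (frames elided, order kept).
REPORT = """\
ERROR: AddressSanitizer: heap-use-after-free on address 0x7c0c4251db40
READ of size 44 at 0x7c0c4251db40 thread T4
    #0 0x7fac47171059 in memcpy
    #1 0x7bac40992214 in Curl_headers_push curl/lib/headers.c:324:3
    #16 0x7bac409b51b1 in curl_multi_perform curl/lib/multi.c:2756:18
    #17 0x7fac42941700 in cover_thumbnailer_load_perform tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:254:14
freed by thread T6 here:
    #0 0x7fac4717205d in free
    #3 0x7bac409848f3 in curl_easy_cleanup curl/lib/easy.c:855:5
    #4 0x7fac42941921 in cover_thumbnailer_load_perform tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:286:3
previously allocated by thread T4 here:
    #0 0x7fac47172195 in realloc
    #12 0x7fac42941700 in cover_thumbnailer_load_perform tumbler/plugins/cover-thumbnailer/cover-thumbnailer.c:254:14
"""

HEADERS = [("access", re.compile(r"^(?:READ|WRITE) of size \d+ at \S+ thread (T\d+)")),
           ("free", re.compile(r"^freed by thread (T\d+) here:")),
           ("alloc", re.compile(r"^previously allocated by thread (T\d+) here:"))]
FRAME = re.compile(r"^\s+#\d+ \S+ in (\S+)(?: (\S+?):(\d+)(?::\d+)?)?$")

def parse_stacks(report):
    """Return {role: {"thread": "T4", "frames": [(func, file, line), ...]}}."""
    stacks, current = {}, None
    for line in report.splitlines():
        for role, rx in HEADERS:
            m = rx.match(line)
            if m:
                current = stacks.setdefault(role, {"thread": m.group(1), "frames": []})
                break
        else:
            m = FRAME.match(line)
            if m and current is not None:
                current["frames"].append((m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None))
            elif not m:
                current = None  # e.g. "Thread T4 created by T0 here:" ends the stack
    return stacks

def triage(report, app_prefix="tumbler/"):
    """Map each role to (thread, first frame under app_prefix); flag a free on another thread."""
    out = {}
    for role, st in parse_stacks(report).items():
        app = next((f for f in st["frames"] if f[1] and f[1].startswith(app_prefix)), None)
        out[role] = (st["thread"], app)
    out["cross_thread_free"] = "access" in out and "free" in out and out["access"][0] != out["free"][0]
    return out
```

On this report the result shows T4 reading under `curl_multi_perform` (cover-thumbnailer.c:254) a buffer that T6 released through `curl_easy_cleanup` (cover-thumbnailer.c:286).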