From fbd6c97f9ca858140df16dd07200ea0d4bdc1a83 Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 14 Nov 2014 13:34:50 +0100 Subject: [PATCH] lavu: fix memory leaks by using a mutex instead of atomics The buffer pool has to atomically add and remove entries from the linked list of available buffers. This was done by removing the entire list with a CAS operation, working on it, and then setting it back again (using a retry-loop in case another thread was doing the same thing). This could effectively cause memory leaks: while a thread was working on the buffer list, other threads would allocate new buffers, increasing the pool's total size. There was no real leak, but since these extra buffers were not needed, but not free'd either (except when the buffer pool was destroyed), this had the same effects as a real leak. For some reason, growth was exponential, and could easily kill the process due to OOM in real-world uses. Fix this by using a mutex to protect the list operations. The fancy way atomics remove the whole list to work on it is not needed anymore, which also avoids the situation which was causing the leak. Signed-off-by: Anton Khirnov --- libavutil/buffer.c | 79 ++++++++++++------------------------- libavutil/buffer_internal.h | 6 ++- 2 files changed, 29 insertions(+), 56 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 2b38081e1d..1bc4a93f38 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -23,6 +23,7 @@ #include "buffer_internal.h" #include "common.h" #include "mem.h" +#include "thread.h" AVBufferRef *av_buffer_create(uint8_t *data, int size, void (*free)(void *opaque, uint8_t *data), @@ -199,6 +200,8 @@ AVBufferPool *av_buffer_pool_init(int size, AVBufferRef* (*alloc)(int size)) if (!pool) return NULL; + ff_mutex_init(&pool->mutex, NULL); + pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; @@ -220,6 +223,7 @@ static void buffer_pool_free(AVBufferPool *pool) buf->free(buf->opaque, buf->data); av_freep(&buf); } + ff_mutex_destroy(&pool->mutex); av_freep(&pool); } @@ -236,47 +240,16 @@ void av_buffer_pool_uninit(AVBufferPool **ppool) buffer_pool_free(pool); } -/* remove the whole buffer list from the pool and return it */ -static BufferPoolEntry *get_pool(AVBufferPool *pool) -{ - BufferPoolEntry *cur = NULL, *last = NULL; - - do { - FFSWAP(BufferPoolEntry*, cur, last); - cur = avpriv_atomic_ptr_cas((void * volatile *)&pool->pool, last, NULL); - if (!cur) - return NULL; - } while (cur != last); - - return cur; -} - -static void add_to_pool(BufferPoolEntry *buf) -{ - AVBufferPool *pool; - BufferPoolEntry *cur, *end = buf; - - if (!buf) - return; - pool = buf->pool; - - while (end->next) - end = end->next; - - while ((cur = avpriv_atomic_ptr_cas((void * volatile *)&pool->pool, NULL, buf))) { - /* pool is not empty, retrieve it and append it to our list */ - cur = get_pool(pool); - end->next = cur; - while (end->next) - end = end->next; - } -} - static void pool_release_buffer(void *opaque, uint8_t *data) { BufferPoolEntry *buf = opaque; AVBufferPool *pool = buf->pool; - add_to_pool(buf); + + ff_mutex_lock(&pool->mutex); + buf->next = pool->pool; + pool->pool = buf; + ff_mutex_unlock(&pool->mutex); + if (!avpriv_atomic_int_add_and_fetch(&pool->refcount, -1)) buffer_pool_free(pool); } @@ -306,8 +279,6 @@ static AVBufferRef *pool_alloc_buffer(AVBufferPool *pool) ret->buffer->opaque = buf; ret->buffer->free = pool_release_buffer; - avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); - return ret; } @@ -316,22 +287,22 @@ AVBufferRef *av_buffer_pool_get(AVBufferPool *pool) AVBufferRef *ret; BufferPoolEntry *buf; - /* check whether the pool is empty */ - buf = get_pool(pool); - if (!buf) - return pool_alloc_buffer(pool); - - /* keep the first entry, return the rest of the list to the pool */ - add_to_pool(buf->next); - buf->next = NULL; - - ret = av_buffer_create(buf->data, pool->size, pool_release_buffer, - buf, 0); - if (!ret) { - add_to_pool(buf); - return NULL; + ff_mutex_lock(&pool->mutex); + buf = pool->pool; + if (buf) { + ret = av_buffer_create(buf->data, pool->size, pool_release_buffer, + buf, 0); + if (ret) { + pool->pool = buf->next; + buf->next = NULL; + } + } else { + ret = pool_alloc_buffer(pool); } - avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); + ff_mutex_unlock(&pool->mutex); + + if (ret) + avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); return ret; } diff --git a/libavutil/buffer_internal.h b/libavutil/buffer_internal.h index cce83c3cd1..1032a543e5 100644 --- a/libavutil/buffer_internal.h +++ b/libavutil/buffer_internal.h @@ -22,6 +22,7 @@ #include #include "buffer.h" +#include "thread.h" /** * The buffer is always treated as read-only. @@ -68,11 +69,12 @@ typedef struct BufferPoolEntry { void (*free)(void *opaque, uint8_t *data); AVBufferPool *pool; - struct BufferPoolEntry * volatile next; + struct BufferPoolEntry *next; } BufferPoolEntry; struct AVBufferPool { - BufferPoolEntry * volatile pool; + AVMutex mutex; + BufferPoolEntry *pool; /* * This is used to track when the pool is to be freed.