v1.3.0-4102-g4ab2241
The following log is from an ASan build running a fuzzed file. From the looks
of things, any file that contains a frame resize may trigger this, as the only
signaling done is for the final row:
---
vp8/decoder/threading.c:mt_decode_mb_rows
    /* signal end of frame decoding if this thread processed the last mb_row */
    if (last_mb_row == (pc->mb_rows - 1))
        sem_post(&pbi->h_event_end_decoding);
---
This means earlier rows may still be processing when the frame is returned to
the user or vp8mt_de_alloc_temp_buffers() is called.
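The following is an added example, not libvpx code, that models the signaling pattern quoted above with a few pthreads: in one mode the worker that finishes the last mb_row posts the end-of-frame semaphore (the behaviour in the report), in the other the semaphore is posted only once every row has been counted as finished. The function returns how many rows were already done at the moment the semaphore fired, which is the point where the real decoder returns the frame and may free its temp buffers. All names (frame_ctx, run_frame, decode_rows), the frame size and the jitter are constructed for this illustration; the counting variant is one way to close the window, not the project's actual fix.

```c
/* Added example (not libvpx code): why signaling end-of-frame from the thread
 * that decoded the last mb_row is not the same as "all rows are decoded". */
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define MB_ROWS     16   /* constructed frame height in macroblock rows */
#define NUM_THREADS 4    /* matches --threads=4 in the report */

enum { SIGNAL_LAST_ROW = 0, SIGNAL_ALL_ROWS = 1 };

struct frame_ctx {
    int mode;                       /* which end-of-frame signal to use */
    atomic_int rows_done;           /* rows whose decode loop has finished */
    sem_t h_event_end_decoding;     /* same role as pbi->h_event_end_decoding */
};

struct worker_arg {
    struct frame_ctx *ctx;
    int id;
};

/* One decoder thread: like mt_decode_mb_rows, thread `id` owns rows
 * id, id+NUM_THREADS, ... and the last of those is its last_mb_row. */
static void *decode_rows(void *p)
{
    struct worker_arg *wa = p;
    struct frame_ctx *ctx = wa->ctx;
    unsigned seed = 0x9e3779b9u ^ (unsigned)wa->id;  /* per-thread jitter (constructed) */

    for (int row = wa->id; row < MB_ROWS; row += NUM_THREADS) {
        /* Stand-in for per-row decode work of variable duration. */
        seed = seed * 1103515245u + 12345u;
        usleep((seed >> 16) % 300);

        int done = atomic_fetch_add(&ctx->rows_done, 1) + 1;

        if (ctx->mode == SIGNAL_LAST_ROW) {
            /* The pattern quoted in the report: only the thread holding the
             * last mb_row signals, whether or not the others have finished. */
            if (row == MB_ROWS - 1)
                sem_post(&ctx->h_event_end_decoding);
        } else {
            /* Signal only once every row has been counted as finished. */
            if (done == MB_ROWS)
                sem_post(&ctx->h_event_end_decoding);
        }
    }
    return NULL;
}

/* Runs one frame on NUM_THREADS workers and returns how many rows were
 * finished when the end-of-frame semaphore fired. MB_ROWS means the temp
 * buffers would have been safe to free; anything less is the window the
 * ASan report fell into. */
static int run_frame(int mode)
{
    struct frame_ctx ctx;
    struct worker_arg args[NUM_THREADS];
    pthread_t tids[NUM_THREADS];

    ctx.mode = mode;
    atomic_init(&ctx.rows_done, 0);
    sem_init(&ctx.h_event_end_decoding, 0, 0);

    for (int i = 0; i < NUM_THREADS; i++) {
        args[i].ctx = &ctx;
        args[i].id = i;
        pthread_create(&tids[i], NULL, decode_rows, &args[i]);
    }

    sem_wait(&ctx.h_event_end_decoding);
    int rows_done_at_signal = atomic_load(&ctx.rows_done);

    /* Join before tearing down so this model itself never touches freed state. */
    for (int i = 0; i < NUM_THREADS; i++)
        pthread_join(tids[i], NULL);
    sem_destroy(&ctx.h_event_end_decoding);

    return rows_done_at_signal;
}

int main(void)
{
    /* Like the while loop in the report, repeat a few times: the last-row
     * variant only shows a short count when the timing happens to line up. */
    for (int iter = 0; iter < 20; iter++)
        printf("last-row signal: %2d/%d rows done   all-rows signal: %2d/%d rows done\n",
               run_frame(SIGNAL_LAST_ROW), MB_ROWS,
               run_frame(SIGNAL_ALL_ROWS), MB_ROWS);
    return 0;
}
```

Build with `cc -pthread example.c` and run it a few times: the all-rows column is always 16/16, while the last-row column drops below 16 whenever thread 3 reaches row 15 before the other threads finish their earlier rows, which is exactly the state in which vp8mt_de_alloc_temp_buffers() freed a buffer that mt_decode_mb_rows was still reading.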
$ vpxdec vp80-00-comprehensive-016.ivf.s38045_r01-05_b6-.ivf \
--noblit --keep-going --threads=4
Because this is timing related, a while loop may be necessary to reproduce the
failure:
$ while vpxdec vp80-00-comprehensive-016.ivf.s38045_r01-05_b6-.ivf \
--noblit --keep-going --threads=4; do :; done
=================================================================
==32434==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000a7c8 at pc 0x5860b6 bp 0x7f259b5d6830 sp 0x7f259b5d6828
READ of size 8 at 0x60300000a7c8 thread T1
==32434==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x5860b5 in mt_decode_mb_rows ../libvpx/vp8/decoder/threading.c:370
#1 0x57eff4 in thread_decoding_proc ../libvpx/vp8/decoder/threading.c:641
#2 0x7f25a40e8b4f in start_thread /home/aurel32/eglibc/eglibc-2.13/nptl/pthread_create.c:304
0x60300000a7cf is located 0 bytes to the right of 31-byte region [0x60300000a7b0,0x60300000a7cf)
freed by thread T0 here:
#0 0x497fe9 in __interceptor_free _asan_rtl_
#1 0x51bd54 in vpx_free ../libvpx/vpx_mem/vpx_mem.c:198
#2 0x57f1e7 in vp8mt_de_alloc_temp_buffers ../libvpx/vp8/decoder/threading.c:712
#3 0x57f701 in vp8mt_alloc_temp_buffers ../libvpx/vp8/decoder/threading.c:783
#4 0x5790ef in vp8_decode ../libvpx/vp8/vp8_dx_iface.c:493
#5 0x519f21 in vpx_codec_decode ../libvpx/vpx/src/vpx_decoder.c:122
#6 0x4b58f5 in main_loop ../libvpx/vpxdec.c:827
#7 0x4b82ba in main ../libvpx/vpxdec.c:1044
#8 0x7f25a344ceac in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:244
previously allocated by thread T0 here:
#0 0x498169 in __interceptor_malloc _asan_rtl_
#1 0x51bbd6 in vpx_memalign ../libvpx/vpx_mem/vpx_mem.c:125
#2 0x57f888 in vp8mt_alloc_temp_buffers ../libvpx/vp8/decoder/threading.c:800
#3 0x5790ef in vp8_decode ../libvpx/vp8/vp8_dx_iface.c:493
#4 0x519f21 in vpx_codec_decode ../libvpx/vpx/src/vpx_decoder.c:122
#5 0x4b58f5 in main_loop ../libvpx/vpxdec.c:827
#6 0x4b82ba in main ../libvpx/vpxdec.c:1044
#7 0x7f25a344ceac in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:244
Thread T1 created by T0 here:
#0 0x487622 in __interceptor_pthread_create _asan_rtl_
#1 0x57ec95 in vp8_decoder_create_threads ../libvpx/vp8/decoder/threading.c:685
#2 0x57e2be in vp8_create_decoder_instances ../libvpx/vp8/decoder/onyxd_if.c:465
#3 0x5786be in vp8_decode ../libvpx/vp8/vp8_dx_iface.c:395
#4 0x519f21 in vpx_codec_decode ../libvpx/vpx/src/vpx_decoder.c:122
#5 0x4b58f5 in main_loop ../libvpx/vpxdec.c:827
#6 0x4b82ba in main ../libvpx/vpxdec.c:1044
#7 0x7f25a344ceac in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:244
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c067fff94a0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fff94b0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c067fff94c0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x0c067fff94d0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fff94e0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c067fff94f0: fd fd fd fd fa fa fd fd fd[fd]fa fa fd fd fd fd
0x0c067fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==32434==ABORTING
Original issue reported on code.google.com by jz...@google.com on 4 Sep 2014 at 1:07