[FFmpeg-trac] #4749(avcodec:new): firefox crashes in ffmpeg code (2.7.2 and git versions)
FFmpeg
trac at avcodec.org
Mon Aug 3 18:42:53 CEST 2015
#4749: firefox crashes in ffmpeg code (2.7.2 and git versions)
------------------------------------+-----------------------------------
Reporter: zazdxscf | Owner:
Type: defect | Status: new
Priority: important | Component: avcodec
Version: git-master | Resolution:
Keywords: crash aac | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by zazdxscf):
Finally managed to make it crash. I figure it would never crash this way
unless I do some compilation in the background to "poison" the memory or
something (else?): I started compiling gcc 5.2.0 (just to have something to
compile) and after like 10 minutes, firefox crashed in the same place.
I will attach backtrace_simple5.log (bt full) because it looks ugly if I
just paste it here.
This is the used ffmpeg version:
{{{
$ ffmpeg -version
ffmpeg started on 2015-08-03 at 18:12:18
Report written to "ffmpeg-20150803-181218.log"
ffmpeg version N-74201-g5bf8590 Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 5.1.0 (Gentoo 5.1.0 p1.2, pie-0.6.3)
configuration: --prefix=/usr --libdir=/usr/lib64 --shlibdir=/usr/lib64
--mandir=/usr/share/man --enable-shared --cc=x86_64-pc-linux-gnu-gcc
--cxx=x86_64-pc-linux-gnu-g++ --ar=x86_64-pc-linux-gnu-ar --optflags=' '
--disable-static --enable-avfilter --enable-avresample --disable-stripping
--disable-indev=v4l2 --disable-outdev=v4l2 --disable-indev=alsa
--disable-indev=oss --disable-indev=jack --disable-outdev=alsa --disable-outdev=oss
--disable-outdev=sdl --enable-bzlib --disable-runtime-cpudetect
--disable-debug --disable-doc --disable-gnutls --enable-gpl
--enable-hardcoded-tables --enable-iconv --disable-lzma --enable-network --disable-openssl
--enable-postproc --disable-libsmbclient --disable-ffplay --disable-vaapi
--disable-vdpau --enable-xlib --disable-libxcb --disable-libxcb-shm
--disable-libxcb-xfixes --enable-zlib --disable-libcdio
--disable-libiec61883 --disable-libdc1394 --disable-libcaca --disable-openal
--disable-opengl --disable-libv4l2 --enable-libpulse
--disable-libopencore-amrwb --disable-libopencore-amrnb --disable-libfdk-aac
--disable-libopenjpeg --disable-libbluray --disable-libcelt
--disable-libgme --disable-libgsm --disable-libmodplug --disable-libopus
--disable-libquvi --disable-librtmp --disable-libssh --disable-libschroedinger
--disable-libspeex --disable-libvorbis --disable-libvpx --disable-libzvbi
--disable-libbs2b --disable-libflite --disable-frei0r --disable-libfribidi
--disable-fontconfig --disable-ladspa --disable-libass
--disable-libfreetype --disable-libsoxr --enable-pthreads --disable-libvo-aacenc
--disable-libvo-amrwbenc --disable-libmp3lame --disable-libaacplus
--disable-libfaac --disable-libsnappy --disable-libtheora
--disable-libtwolame --disable-libwavpack --disable-libwebp --disable-libx264
--disable-libx265 --disable-libxvid --enable-x11grab --disable-avx
--disable-avx2 --disable-fma3 --disable-fma4 --disable-ssse3
--disable-sse4 --disable-sse42 --disable-xop --cpu=host
libavutil 54. 29.100 / 54. 29.100
libavcodec 56. 56.101 / 56. 56.101
libavformat 56. 40.101 / 56. 40.101
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 30.100 / 5. 30.100
libavresample 2. 1. 0 / 2. 1. 0
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 2.101 / 1. 2.101
libpostproc 53. 3.100 / 53. 3.100
}}}
Thus the commit is 5bf8590 (titled: "avfilter/avf_showvolume: stop making
output fully transparent"), and apply the two included patches from above to
get the exact source code that was used in my ffmpeg version, to which the
backtrace log applies (to make sure the line numbers match).
But to make it easier, I reiterate the important ones here:
#3 0x00007f77040262a1 in NEG_USR32 (s=<optimized out>, a=<optimized out>)
at /usr/src/debug/media-video/ffmpeg-9999/ffmpeg-9999/libavcodec/x86/mathops.h:125
{{{
#define NEG_USR32 NEG_USR32
static inline uint32_t NEG_USR32(uint32_t a, int8_t s){
    __asm__ ("shrl %1, %0\n\t" //<------ this is line 125
             : "+r" (a)
             : "ic" ((uint8_t)(-s))
    );
    return a;
}
}}}
#4 decode_spectrum_and_dequant (band_type=0x7f76c8181d7c,
ics=0x7f76c8181100, pulse=0x7f76d0afcea0, pulse_present=0,
sf=0x7f76c818215c, gb=0x7f76d0afd2a0, coef=0x7f76c81839c0,
ac=0x7f76cc4f1000) at /usr/src/debug/media-video/ffmpeg-9999/ffmpeg-9999/libavcodec/aacdec_template.c:1681
{{{
    do {
        int code;
        unsigned cb_idx;
        UPDATE_CACHE(re, gb);
        GET_VLC(code, re, gb, vlc_tab, 8, 2); //<---- line 1681 is this*
        cb_idx = cb_vector_idx[code];
#if USE_FIXED
        cf = DEC_SPAIR(cf, cb_idx);
#else
        cf = VMUL2(cf, vq, cb_idx, sf + idx);
#endif /* USE_FIXED */
    } while (len -= 2);
}}}
* note here that in my initial post (up top) I am now unsure if it really
crashed in the above (UPDATE_CACHE) line or if I actually used an older
coredump with updated sources! So it might've been the GET_VLC line all
the time! But it seems that UPDATE_CACHE is called in GET_VLC too, and it
eventually calls that NEG_USR32, so it might've been the case that it did
crash in those 2 different close-by places after all, just because they both
reach NEG_USR32 through UPDATE_CACHE.
#5 decode_ics (ac=ac at entry=0x7f76cc4f1000, sce=sce at entry=0x7f76c8181100,
gb=gb at entry=0x7f76d0afd2a0, common_window=common_window at entry=1,
scale_flag=0) at /usr/src/debug/media-video/ffmpeg-9999/ffmpeg-9999/libavcodec/aacdec_template.c:1958
{{{
    if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, //<---- this be line 1958
                                    &pulse, ics, sce->band_type) < 0)
        return AVERROR_INVALIDDATA;
}}}
#6 0x00007f7704026e1c in decode_cpe (ac=ac at entry=0x7f76cc4f1000,
gb=gb at entry=0x7f76d0afd2a0, cpe=cpe at entry=0x7f76c8173000) at
/usr/src/debug/media-video/ffmpeg-9999/ffmpeg-9999/libavcodec/aacdec_template.c:2084
{{{
    if ((ret = decode_ics(ac, &cpe->ch[0], gb, common_window, 0)))
        return ret;
    if ((ret = decode_ics(ac, &cpe->ch[1], gb, common_window, 0))) //<---- this be line 2084
        return ret;
}}}
#7 0x00007f7704027cd8 in aac_decode_frame_int
(avctx=avctx at entry=0x7f76e9a6fe00, data=data at entry=0x7f76d0afd4f0,
got_frame_ptr=got_frame_ptr at entry=0x7f76d0afd868,
gb=gb at entry=0x7f76d0afd2a0, avpkt=avpkt at entry=0x7f76d0afd350) at
/usr/src/debug/media-video/ffmpeg-9999/ffmpeg-9999/libavcodec/aacdec_template.c:2959
{{{
        case TYPE_CPE:
            err = decode_cpe(ac, gb, che); //<--- this be line 2959
            audio_found = 1;
            break;
}}}
#8 0x00007f7704028cfa in aac_decode_frame (avctx=0x7f76e9a6fe00,
data=0x7f76d0afd4f0, got_frame_ptr=0x7f76d0afd868, avpkt=0x7f76d0afd350)
at /usr/src/debug/media-video/ffmpeg-9999/ffmpeg-9999/libavcodec/aacdec_template.c:3136
{{{
    default:
        err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb, avpkt); //<---- this is line 3136
    }
}}}
#9 0x00007f77043b8501 in avcodec_decode_audio4 (avctx=0x7f76e9a6fe00,
frame=frame at entry=0x7f76d0afd4f0,
got_frame_ptr=got_frame_ptr at entry=0x7f76d0afd868,
avpkt=avpkt at entry=0x7f76d0afd420) at /usr/src/debug/media-video/ffmpeg-9999/ffmpeg-9999/libavcodec/utils.c:2597
{{{
    else {
        ret = avctx->codec->decode(avctx, frame, got_frame_ptr, &tmp); //<--- this be line 2597
        av_assert0(ret <= tmp.size);
        frame->pkt_dts = avpkt->dts;
    }
}}}
#10 0x00007f77054d806d in gst_ffmpegauddec_audio_frame
(ffmpegdec=ffmpegdec at entry=0x7f770c5fc2a0, data=data at entry=0x7f76caefff00
"!\032T\375\266\217\003R\233Hʩ\300*\n\216\005\205gF\242\301\352\260%\250\375M\230\063\371\"\026\260\203\350Y\302<~߹ם\353!q]\227\311\031\350\231@
饫1uv:\314z\251\223{\034\373l\205\364k\357ژ\034036\017P\210
&9\334)\221\004\204\230\217{Jq\310\004.\254\230(\216\060(\230B\\\210s\337\060\216v\250\223R\263\033\267SzkQ\027\274\362\231\257is\300gp\332\327\336/u\021%s\003\246\246\262\362@\311\022\247\005\064\355\367\362^\231D\252i\222\025\003\267\065\211\n\222\030\301aTC\234\224\230\232\340D\230\222\205\025\271R\022K(\250G:+\205h)\341\375M\023\266",
<incomplete sequence \363\207>..., size=<optimized out>,
have_data=have_data at entry=0x7f76d0afd868,
outbuf=outbuf at entry=0x7f76d0afd7d0, ret=ret at entry=0x7f76d0afd86c,
in_plugin=<optimized out>) at /usr/src/debug/media-plugins/gst-plugins-libav-1.4.5-r1/gst-libav-1.4.5/ext/libav/gstavauddec.c:475
{{{
static gint
gst_ffmpegauddec_audio_frame (GstFFMpegAudDec * ffmpegdec,
    AVCodec * in_plugin, guint8 * data, guint size, gint * have_data,
    GstBuffer ** outbuf, GstFlowReturn * ret)
{
  gint len = -1;
  AVPacket packet;
  AVFrame frame;

  GST_DEBUG_OBJECT (ffmpegdec, "size: %d", size);

  gst_avpacket_init (&packet, data, size);
  memset (&frame, 0, sizeof (frame));
  avcodec_get_frame_defaults (&frame);
  len = avcodec_decode_audio4 (ffmpegdec->context, &frame, have_data,
      &packet); // <--- this be line 475
  GST_DEBUG_OBJECT (ffmpegdec,
      "Decode audio: len=%d, have_data=%d", len, *have_data);
  ...
}}}
#11 0x00007f77054d8622 in gst_ffmpegauddec_frame
(ffmpegdec=ffmpegdec at entry=0x7f770c5fc2a0, data=data at entry=0x7f76caefff00
"!\032T\375\266\217\003R\233Hʩ\300*\n\216\005\205gF\242\301\352\260%\250\375M\230\063\371\"\026\260\203\350Y\302<~߹ם\353!q]\227\311\031\350\231@
饫1uv:\314z\251\223{\034\373l\205\364k\357ژ\034\036\07P\210
&9\334)\221\004\204\230\217{Jq\310\004.\254\230(\216\060(\230B\\\210s\337\060\216v\250\223R\263\033\267SzkQ\027\274\362\231\257is\300gp\332\327\336/u\021%s\003\246\246\262\362@\311\022\247\005\064\355\367\362^\231D\252i\222\025\003\267\065\211\n\222\030\301aTC\234\224\230\232\340D\230\222\205\025\271R\022K(\250G:+\205h)\341\375M\023\266",
<incomplete sequence \363\207>..., size=size at entry=256,
have_data=have_data at entry=0x7f76d0afd868, ret=ret at entry=0x7f76d0afd86c) at
/usr/src/debug/media-plugins/gst-plugins-libav-1.4.5-r1/gst-libav-1.4.5/ext/libav/gstavauddec.c:632
{{{
  *ret = GST_FLOW_OK;
  ffmpegdec->context->frame_number++;

  oclass = (GstFFMpegAudDecClass *) (G_OBJECT_GET_CLASS (ffmpegdec));

  len = //<---- this be line 632
      gst_ffmpegauddec_audio_frame (ffmpegdec, oclass->in_plugin, data, size,
      have_data, &outbuf, ret);
}}}
...
Linux norm2 4.2.0-rc4-g45b4b78 #3 SMP Wed Jul 29 13:39:07 CEST 2015 x86_64
AMD A6-3400M APU with Radeon(tm) HD Graphics AuthenticAMD GNU/Linux
This is Gentoo no-multilib (and not hardened), which is running inside a
VirtualBox.
Firefox version is 39.0.
If you have any suggestions on what I should try next, I'd be more than
happy to. Even if it's about code in gst-plugins-libav ... or anything
really. (I don't know much btw, but willing to try)
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4749#comment:6>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
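As an added illustration (not code from the ticket, from FFmpeg or from gst-libav): the NEG_USR32 routine quoted in frame #3 returns the top s bits of a 32-bit bitstream cache, and its inline asm relies on the 32-bit x86 shift instruction masking its count to 5 bits, so (uint8_t)(-s) acts as 32 - s and s == 0 shifts by zero. The portable C rendering below makes that masking explicit (a naive `a >> (32 - s)` is undefined for s == 0), and a minimal bit reader shows the cache/refill pattern behind UPDATE_CACHE/GET_VLC with a bounds check that refuses a read past the end of the packet. The reader, its sample bytes and all function names here are assumptions for this example, not FFmpeg's get_bits.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FFmpeg or gst-libav code.
 *
 * Portable rendering of the NEG_USR32 inline asm quoted in frame #3
 * ("shrl %1, %0" with count (uint8_t)(-s)). The 32-bit x86 shift masks its
 * count to 5 bits, so the effective count is (32 - s) & 31 and the result is
 * the top s bits of a. For s == 0 the hardware shifts by zero and returns a
 * unchanged; a naive "a >> (32 - s)" would be undefined behaviour for s == 0. */
static inline uint32_t neg_usr32_portable(uint32_t a, int8_t s)
{
    unsigned count = (unsigned)(32 - s) & 31u;  /* mirror the hardware masking */
    return a >> count;
}

/* Minimal big-endian bit reader (an assumption for this example, modelled on
 * the cache/refill pattern behind UPDATE_CACHE/GET_VLC; not get_bits.h). */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;   /* total bits available */
    size_t index;       /* current bit position */
} BitReader;

/* Refill the 32-bit cache from the current position. Bytes beyond the end of
 * the buffer are zero-padded instead of being read, so the refill itself never
 * touches memory past the packet. */
static uint32_t update_cache(const BitReader *r)
{
    size_t byte = r->index >> 3;
    size_t size_bytes = (r->size_bits + 7) >> 3;
    uint32_t cache = 0;
    for (size_t i = 0; i < 4; i++) {
        cache <<= 8;
        if (byte + i < size_bytes)
            cache |= r->buf[byte + i];
    }
    return cache << (r->index & 7);  /* discard bits already consumed */
}

/* Read n bits (1..25) into *out. Returns 0 on success, -1 if the request is
 * malformed or would run past the end of the available data. */
static int get_bits(BitReader *r, int n, uint32_t *out)
{
    if (n < 1 || n > 25 || r->index + (size_t)n > r->size_bits)
        return -1;
    *out = neg_usr32_portable(update_cache(r), (int8_t)n);
    r->index += (size_t)n;
    return 0;
}

/* Constructed sample packet: 5 bytes, 40 bits. */
static const uint8_t kSample[] = { 0xA5, 0x3C, 0xFF, 0x00, 0x12 };

int main(void)
{
    BitReader r = { kSample, sizeof(kSample) * 8, 0 };
    uint32_t v;
    int widths[] = { 4, 8, 12, 16, 1 };  /* the last read asks for a bit past the end */
    for (size_t i = 0; i < sizeof(widths) / sizeof(widths[0]); i++) {
        if (get_bits(&r, widths[i], &v) == 0)
            printf("read %2d bits: 0x%X\n", widths[i], v);
        else
            printf("read %2d bits: refused (past end of data)\n", widths[i]);
    }
    printf("NEG_USR32(0xDEADBEEF, 0) -> 0x%X\n", neg_usr32_portable(0xDEADBEEFu, 0));
    return 0;
}
```

The refill reads at most four bytes and pads with zeros, so a truncated packet yields zero bits rather than an out-of-bounds read; the decision about whether those bits are meaningful is left to the caller, which is why get_bits reports the end of data instead of silently returning padding.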