[FFmpeg-trac] #10628(avcodec:new): vulkan decoder crash after seek
FFmpeg
trac at avcodec.org
Wed Oct 18 20:00:41 EEST 2023
#10628: vulkan decoder crash after seek
-------------------------------------+-------------------------------------
             Reporter:  quinkblack   |                     Type:  defect
               Status:  new          |                 Priority:  critical
            Component:  avcodec      |                  Version:  unspecified
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  1
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
With these two patches, I got ffplay to work with the Vulkan decoder and renderer.
https://ffmpeg.org/pipermail/ffmpeg-devel/2023-October/315852.html
https://ffmpeg.org/pipermail/ffmpeg-devel/2023-October/315853.html
Then with this command:
./ffplay -hwaccel vulkan cctv.mp4
The playback is fine. However, with seek there is a heap-use-after-free
crash:
Seek to 35% ( 0:10:26) of total duration ( 0:29:59) B f=0/0
=================================================================
==274710==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100058eac8 at pc 0x559f471bf654 bp 0x7f977474c470 sp 0x7f977474c468
READ of size 8 at 0x62100058eac8 thread T36 (av:h264:df15)
    #0 0x559f471bf653 in ff_vk_unmap_buffers /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/vulkan.c:1045:13
    #1 0x559f49b0207c in ff_vk_unmap_buffer /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/vulkan.h:419:12
    #2 0x559f49b01f4e in free_data_buf /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_video.c:206:5
    #3 0x559f4adf47c8 in buffer_pool_flush /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/buffer.c:302:9
    #4 0x559f4adf4944 in buffer_pool_free /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/buffer.c:313:5
    #5 0x559f4adf4e96 in pool_release_buffer /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/buffer.c:350:9
    #6 0x559f4adf2fe6 in buffer_replace /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/buffer.c:133:9
    #7 0x559f4adf2d88 in av_buffer_unref /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/buffer.c:144:5
    #8 0x559f471b5001 in ff_vk_exec_discard_deps /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/vulkan.c:549:9
    #9 0x559f471b800c in ff_vk_exec_wait /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/vulkan.c:506:5
    #10 0x559f49ad3c86 in ff_vk_decode_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:375:9
    #11 0x559f49ae32d3 in vk_h264_end_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_h264.c:530:12
    #12 0x559f4a26e74c in ff_h264_field_end /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264_picture.c:238:15
    #13 0x559f4854d788 in h264_decode_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264dec.c:1066:20
    #14 0x559f48e5405c in frame_worker_thread /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/pthread_frame.c:223:21
    #15 0x7f97d8094ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #16 0x7f97d8126a3f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62100058eac8 is located 456 bytes inside of 4296-byte region [0x62100058e900,0x62100058f9c8)
freed by thread T37 here:
    #0 0x559f4647cf12 in __interceptor_free (/home/quink/work/ffmpeg-ci/build/ffmpeg/ffplay+0x8b8f12) (BuildId: 5af246cc4f5d24a4baf349e77196a345b9331952)
    #1 0x559f4ae99dc4 in av_free /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/mem.c:241:5
    #2 0x559f48f23abe in ff_refstruct_unref /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/refstruct.c:130:9
    #3 0x559f48f23d5e in ff_refstruct_replace /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/refstruct.c:163:5
    #4 0x559f49ad0117 in ff_vk_update_thread_context /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:93:5
    #5 0x559f48e4eced in update_context_from_thread /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/pthread_frame.c:379:23
    #6 0x559f48e4c39c in submit_packet /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/pthread_frame.c:471:15
    #7 0x559f48e4b1e9 in ff_thread_decode_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/pthread_frame.c:522:11
    #8 0x559f481d18e6 in decode_simple_internal /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:428:20
    #9 0x559f481d0f54 in decode_simple_receive_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:609:15
    #10 0x559f481bf11f in decode_receive_frame_internal /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:637:15
    #11 0x559f481bebf6 in avcodec_send_packet /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:734:15
    #12 0x559f464f945a in decoder_decode_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/fftools/ffplay.c:667:17
    #13 0x559f464fa2a2 in get_video_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/fftools/ffplay.c:1776:24
    #14 0x559f464f112b in video_thread /home/quink/work/ffmpeg-ci/build/ffmpeg/src/fftools/ffplay.c:2149:15
    #15 0x7f97d9afac6d (/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x116c6d) (BuildId: 4d5b3c4d6ed820f4264d19e6b9dee40106d05359)

previously allocated by thread T21 (av:h264:df0) here:
    #0 0x559f4647dd37 in posix_memalign (/home/quink/work/ffmpeg-ci/build/ffmpeg/ffplay+0x8b9d37) (BuildId: 5af246cc4f5d24a4baf349e77196a345b9331952)
    #1 0x559f4ae9998f in av_malloc /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavutil/mem.c:105:9
    #2 0x559f48f234c3 in ff_refstruct_alloc_ext_c /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/refstruct.c:105:11
    #3 0x559f49ade4d6 in ff_refstruct_alloc_ext /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/refstruct.h:97:12
    #4 0x559f49ad738b in vulkan_decode_bootstrap /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:629:23
    #5 0x559f49ad6c25 in ff_vk_frame_params /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:1011:11
    #6 0x559f481c4e3e in avcodec_get_hw_frames_parameters /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1194:11
    #7 0x559f481c464b in ff_decode_get_hw_frames_ctx /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1134:11
    #8 0x559f49adbf94 in ff_vk_decode_init /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:1137:11
    #9 0x559f481c6a1a in hwaccel_init /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1238:15
    #10 0x559f481c6345 in ff_get_format /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1376:19
    #11 0x559f4a2a9665 in get_pixel_format /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264_slice.c:911:12
    #12 0x559f4a2a0e20 in h264_init_ps /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264_slice.c:1144:20
    #13 0x559f4a28c77a in h264_field_start /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264_slice.c:1395:11
    #14 0x559f4a287af4 in ff_h264_queue_decode_slice /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264_slice.c:2132:15
    #15 0x559f485507d7 in decode_nal_units /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264dec.c:651:24
    #16 0x559f4854d28c in h264_decode_frame /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/h264dec.c:1047:17
    #17 0x559f48e5405c in frame_worker_thread /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/pthread_frame.c:223:21
    #18 0x7f97d8094ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10628>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
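
Added example, not part of the original ticket or of FFmpeg: a small triage script that re-joins AddressSanitizer frames split by mail wrapping and groups them into the access, free and allocation stacks with their threads. REPORT is a trimmed excerpt of the trace above; the names rejoin, parse and cross_thread belong to this example only.

```python
import re

# Trimmed excerpt of the report above (whole frames omitted), wrapped as in the archive.
REPORT = """\
READ of size 8 at 0x62100058eac8 thread T36 (av:h264:df15)
#0 0x559f471bf653 in ff_vk_unmap_buffers /home/quink/work/ffmpeg-
ci/build/ffmpeg/src/libavutil/vulkan.c:1045:13
#2 0x559f49b01f4e in free_data_buf /home/quink/work/ffmpeg-
ci/build/ffmpeg/src/libavcodec/vulkan_video.c:206:5
freed by thread T37 here:
#2 0x559f48f23abe in ff_refstruct_unref /home/quink/work/ffmpeg-
ci/build/ffmpeg/src/libavcodec/refstruct.c:130:9
#4 0x559f49ad0117 in ff_vk_update_thread_context /home/quink/work
/ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:93:5
previously allocated by thread T21 (av:h264:df0) here:
#4 0x559f49ad738b in vulkan_decode_bootstrap /home/quink/work/ffmpeg-
ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:629:23
"""

HEADER = re.compile(r"(READ|WRITE) of size \d+ .*thread (T\d+)"
                    r"|(freed) by thread (T\d+)"
                    r"|previously (allocated) by thread (T\d+)")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$")
COMPLETE = re.compile(r"(:\d+|\))$")   # a whole frame ends in ':line[:col]' or ')'

def rejoin(text):
    """Glue wrapped continuation lines back onto the '#N' frame they belong to."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if out and out[-1].startswith("#") and not COMPLETE.search(out[-1]):
            out[-1] += (" " if out[-1].endswith(":") else "") + line
        else:
            out.append(line)
    return out

def parse(text):
    """Map read/write/freed/allocated to (thread, [(function, file:line), ...]).
    Frames without source info (interceptors, libc) are skipped."""
    stacks, cur = {}, None
    for line in rejoin(text):
        if h := HEADER.match(line):
            kind, thread = (g for g in h.groups() if g)
            cur = stacks.setdefault(kind.lower(), (thread, []))[1]
        elif cur is not None and (f := FRAME.match(line)):
            cur.append((f.group(1), f.group(2).rsplit("/src/", 1)[-1]))
    return stacks

def cross_thread(stacks):
    """True when the faulting access and the free ran on different threads."""
    access = stacks.get("read") or stacks.get("write")
    return access[0] != stacks["freed"][0]
```

On the excerpt, parse(REPORT) pairs the read in ff_vk_unmap_buffers on T36 with the free reached through ff_vk_update_thread_context on T37, and cross_thread returns True.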