[FFmpeg-trac] #1453(undetermined:new): Segfault when decoding H264 video
FFmpeg
trac at avcodec.org
Sat Jun 16 09:48:06 CEST 2012
#1453: Segfault when decoding H264 video
-------------------------------------+-------------------------------------
Reporter: kyl416 | Type: defect
Status: new | Priority: normal
Component: | Version: git-
undetermined | master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug: I'm still trying to track down which git commit
started it, but I now get a segfault whenever I decode h264 video. If I go
back to the merge at commit c7b9eab2be7099b0d4f2fed4feaf69a7dda379f0, I no
longer have the issue.
{{{
ffmpeg -i rtsp://(hidden)
ffmpeg version N-41634-gc7bdfbe Copyright (c) 2000-2012 the FFmpeg
developers
built on Jun 16 2012 02:58:25 with gcc 4.6.3
configuration: --prefix=/usr --enable-gpl --enable-version3 --enable-
nonfree --enable-shared --enable-postproc --enable-libx264 --enable-frei0r
--enable-librtmp --enable-libopencore-amrnb --enable-libopencore-amrwb
--enable-libdc1394 --enable-libmp3lame --enable-libtheora --enable-
libopenjpeg --enable-libvpx --enable-libgsm --enable-libschroedinger
--enable-libspeex --enable-libvorbis --enable-libxvid --enable-libfaac
--cpu=amdfam10 --arch=x86_64 --enable-x11grab --enable-libxavs --enable-
libfreetype --e libavutil 51. 58.100 / 51. 58.100
libavcodec 54. 25.100 / 54. 25.100
libavformat 54. 6.101 / 54. 6.101
libavdevice 54. 0.100 / 54. 0.100
libavfilter 2. 80.100 / 2. 80.100
libswscale 2. 1.100 / 2. 1.100
libswresample 0. 15.100 / 0. 15.100
libpostproc 52. 0.100 / 52. 0.100
Segmentation fault (core dumped)
}}}
gdb backtrace:
{{{
run -i rtsp://(hidden)
Starting program: /usr/src/ffmpeg/ffmpeg_g -i rtsp://(hidden)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-41634-gc7bdfbe Copyright (c) 2000-2012 the FFmpeg
developers
built on Jun 16 2012 02:58:25 with gcc 4.6.3
configuration: --prefix=/usr --enable-gpl --enable-version3 --enable-
nonfree --enable-shared --enable-postproc --enable-libx264 --enable-frei0r
--enable-librtmp --enable-libopencore-amrnb --enable-libopencore-amrwb
--enable-libdc1394 --enable-libmp3lame --enable-libtheora --enable-
libopenjpeg --enable-libvpx --enable-libgsm --enable-libschroedinger
--enable-libspeex --enable-libvorbis --enable-libxvid --enable-libfaac
--cpu=amdfam10 --arch=x86_64 --enable-x11grab --enable-libxavs --enable-
libfreetype --e libavutil 51. 58.100 / 51. 58.100
libavcodec 54. 25.100 / 54. 25.100
libavformat 54. 6.101 / 54. 6.101
libavdevice 54. 0.100 / 54. 0.100
libavfilter 2. 80.100 / 2. 80.100
libswscale 2. 1.100 / 2. 1.100
libswresample 0. 15.100 / 0. 15.100
libpostproc 52. 0.100 / 52. 0.100
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff68e98b0 in ?? () from /usr/lib/libavcodec.so.54
(gdb) bt
#0 0x00007ffff68e98b0 in ?? () from /usr/lib/libavcodec.so.54
#1 0x00007ffff692f449 in ?? () from /usr/lib/libavcodec.so.54
#2 0x00007ffff6930245 in ?? () from /usr/lib/libavcodec.so.54
#3 0x00007ffff6953dd7 in ?? () from /usr/lib/libavcodec.so.54
#4 0x00007ffff6a9c1bd in av_parser_parse2 () from
/usr/lib/libavcodec.so.54
#5 0x00007ffff76c0f83 in ?? () from /usr/lib/libavformat.so.54
#6 0x00007ffff76c143c in ?? () from /usr/lib/libavformat.so.54
#7 0x00007ffff76c2e71 in avformat_find_stream_info ()
from /usr/lib/libavformat.so.54
#8 0x0000000000413156 in opt_input_file (o=0x7fffffffcf40,
opt=<optimized out>, filename=<optimized out>) at ffmpeg.c:4300
#9 0x0000000000419950 in parse_option (optctx=0x7fffffffcf40,
opt=0x7fffffffe3c3 "i",
arg=0x7fffffffe3c5 "rtsp://(hidden)",
options=0x6217a0) at cmdutils.c:311
#10 0x0000000000419af3 in parse_options (optctx=0x7fffffffcf40, argc=3,
argv=0x7fffffffe098, options=0x6217a0,
parse_arg_function=0x414780 <opt_output_file>) at cmdutils.c:344
#11 0x00000000004062d9 in main (argc=3, argv=0x7fffffffe098) at
ffmpeg.c:589
}}}
disass
{{{
Dump of assembler code from 0x7ffff68e9890 to 0x7ffff68e98d0:
0x00007ffff68e9890: push %r12
0x00007ffff68e9892: lea 0x1(%rsi),%r12
0x00007ffff68e9896: push %rbp
0x00007ffff68e9897: mov %rdx,%rbp
0x00007ffff68e989a: push %rbx
0x00007ffff68e989b: mov %rsi,%rbx
0x00007ffff68e989e: sub $0x18,%rsp
0x00007ffff68e98a2: movzbl (%rsi),%eax
0x00007ffff68e98a5: mov %rcx,0x8(%rsp)
0x00007ffff68e98aa: shr $0x5,%al
0x00007ffff68e98ad: movzbl %al,%eax
=> 0x00007ffff68e98b0: mov %eax,0x4cb48(%rdi)
0x00007ffff68e98b6: movzbl (%rsi),%eax
0x00007ffff68e98b9: and $0x1f,%eax
0x00007ffff68e98bc: cmp $0x1,%r15d
0x00007ffff68e98c0: mov %eax,0x4cb4c(%rdi)
0x00007ffff68e98c6: jle 0x7ffff68e996a
0x00007ffff68e98cc: movabs $0xfefffefffefffeff,%rdi
End of assembler dump.
}}}
info all-registers
{{{
rax 0x3 3
rbx 0x659984 6658436
rcx 0x7fffffffc4e8 140737488340200
rdx 0x7fffffffc4ec 140737488340204
rsi 0x659984 6658436
rdi 0x0 0
rbp 0x7fffffffc4ec 0x7fffffffc4ec
rsp 0x7fffffffc420 0x7fffffffc420
r8 0x27 39
r9 0x2b3 691
r10 0x8000000000000000 -9223372036854775808
r11 0x8000000000000000 -9223372036854775808
r12 0x659985 6658437
r13 0x0 0
r14 0x0 0
r15 0x26 38
rip 0x7ffff68e98b0 0x7ffff68e98b0
eflags 0x10216 [ PF AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 -0.99999639682229436309264525295503745 (raw
0xbffeffffc38c783738b4)
st7 0.0026844631545961444225035895253320128 (raw
0x3ff6afedd174d0905b01)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x2b020000, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x0}, v16_int8 = {0xfc, 0xa9, 0xf1, 0xd2, 0x4d, 0x62, 0x10, 0x3f, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xa9fc, 0xd2f1,
0x624d,
0x3f10, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xd2f1a9fc, 0x3f10624d, 0x0,
0x0}, v2_int64 = {0x3f10624dd2f1a9fc, 0x0},
uint128 = 0x00000000000000003f10624dd2f1a9fc}
xmm1 {v4_float = {0x0, 0x6, 0x0, 0x0}, v2_double = {0x3e80,
0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0xcf, 0x40, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x4000, 0x40cf, 0x0, 0x0,
0x0,
0x0}, v4_int32 = {0x0, 0x40cf4000, 0x0, 0x0}, v2_int64 = {
0x40cf400000000000, 0x0}, uint128 =
0x000000000000000040cf400000000000}
xmm2 {v4_float = {0x0, 0x1, 0x0, 0x1}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xef, 0x3f, 0x0, 0x0, 0x0,
0x0,
0x0, 0xff, 0xef, 0x3f}, v8_int16 = {0x0, 0x0, 0xff00, 0x3fef, 0x0,
0x0,
0xff00, 0x3fef}, v4_int32 = {0x0, 0x3fefff00, 0x0, 0x3fefff00},
v2_int64 = {0x3fefff0000000000, 0x3fefff0000000000},
uint128 = 0x3fefff00000000003fefff0000000000}
xmm3 {v4_float = {0x0, 0x2, 0x0, 0x1}, v2_double = {0x2, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x10, 0xab, 0xef, 0x7, 0x40, 0x0, 0x0, 0x0,
0x20,
0xd6, 0xdf, 0xef, 0x3f}, v8_int16 = {0x0, 0x1000, 0xefab, 0x4007, 0x0,
0x2000, 0xdfd6, 0x3fef}, v4_int32 = {0x10000000, 0x4007efab,
0x20000000,
0x3fefdfd6}, v2_int64 = {0x4007efab10000000, 0x3fefdfd620000000},
uint128 = 0x3fefdfd6200000004007efab10000000}
xmm4 {v4_float = {0x0, 0x2, 0x0, 0x1}, v2_double = {0x2, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x88, 0x75, 0xf7, 0x7, 0x40, 0x0, 0x0, 0x0,
0x0,
0x0, 0xff, 0xef, 0x3f}, v8_int16 = {0x0, 0x8800, 0xf775, 0x4007, 0x0,
0x0,
0xff00, 0x3fef}, v4_int32 = {0x88000000, 0x4007f775, 0x0, 0x3fefff00},
v2_int64 = {0x4007f77588000000, 0x3fefff0000000000},
uint128 = 0x3fefff00000000004007f77588000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6d, 0xe9, 0x9d, 0x37, 0x0 <repeats 12 times>}, v8_int16 =
{
0xe96d, 0x379d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x379de96d,
0x0, 0x0, 0x0}, v2_int64 = {0x379de96d, 0x0},
uint128 = 0x000000000000000000000000379de96d}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x23, 0xf0, 0x99, 0x3d, 0x0 <repeats 12 times>}, v8_int16 =
{
0xf023, 0x3d99, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x3d99f023,
0x0, 0x0, 0x0}, v2_int64 = {0x3d99f023, 0x0},
uint128 = 0x0000000000000000000000003d99f023}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0,
0x0},
uint128 = 0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0,
0x0},
uint128 = 0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0,
0x0},
uint128 = 0x00000000000000000000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x8000, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x0, 0x80000000, 0x0, 0x0}, v2_int64 = {
0x8000000000000000, 0x0}, uint128 =
0x00000000000000008000000000000000}
xmm11 {v4_float = {0xffffcfa4, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x0}, v16_int8 = {0x16, 0x70, 0x41, 0xc6, 0x58, 0xac, 0x98, 0xb5, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x7016, 0xc641,
0xac58,
0xb598, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xc6417016, 0xb598ac58, 0x0,
0x0}, v2_int64 = {0xb598ac58c6417016, 0x0},
uint128 = 0x0000000000000000b598ac58c6417016}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x8000, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x0, 0x80000000, 0x0, 0x0}, v2_int64 = {
0x8000000000000000, 0x0}, uint128 =
0x00000000000000008000000000000000}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0,
0x0},
uint128 = 0x00000000000000000000000000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0,
0x0},
uint128 = 0x00000000000000000000000000000000}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xa0, 0x83, 0x47, 0x3, 0x1d, 0x3c, 0x8a, 0xb5, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x83a0, 0x347, 0x3c1d, 0xb58a,
0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x34783a0, 0xb58a3c1d, 0x0, 0x0}, v2_int64
= {
0xb58a3c1d034783a0, 0x0}, uint128 =
0x0000000000000000b58a3c1d034783a0}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
}}}
Valgrind
{{{
valgrind ffmpeg -i rtsp://(hidden)
==31899== Memcheck, a memory error detector
==31899== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==31899== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright
info
==31899== Command: ffmpeg -i rtsp://(hidden)
==31899==
ffmpeg version N-41634-gc7bdfbe Copyright (c) 2000-2012 the FFmpeg
developers
built on Jun 16 2012 02:58:25 with gcc 4.6.3
configuration: --prefix=/usr --enable-gpl --enable-version3 --enable-
nonfree --enable-shared --enable-postproc --enable-libx264 --enable-frei0r
--enable-librtmp --enable-libopencore-amrnb --enable-libopencore-amrwb
--enable-libdc1394 --enable-libmp3lame --enable-libtheora --enable-
libopenjpeg --enable-libvpx --enable-libgsm --enable-libschroedinger
--enable-libspeex --enable-libvorbis --enable-libxvid --enable-libfaac
--cpu=amdfam10 --arch=x86_64 --enable-x11grab --enable-libxavs --enable-
libfreetype --e libavutil 51. 58.100 / 51. 58.100
libavcodec 54. 25.100 / 54. 25.100
libavformat 54. 6.101 / 54. 6.101
libavdevice 54. 0.100 / 54. 0.100
libavfilter 2. 80.100 / 2. 80.100
libswscale 2. 1.100 / 2. 1.100
libswresample 0. 15.100 / 0. 15.100
libpostproc 52. 0.100 / 52. 0.100
==31899== Invalid write of size 4
==31899== at 0x58808B0: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x58C6448: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x58C7244: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x58EADD6: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x5A331BC: av_parser_parse2 (in
/usr/lib/libavcodec.so.54.25.100)
==31899== by 0x53BCF82: ??? (in /usr/lib/libavformat.so.54.6.101)
==31899== by 0x53BD43B: ??? (in /usr/lib/libavformat.so.54.6.101)
==31899== by 0x53BEE70: avformat_find_stream_info (in
/usr/lib/libavformat.so.54.6.101)
==31899== by 0x413155: ??? (in /usr/bin/ffmpeg)
==31899== by 0x41994F: ??? (in /usr/bin/ffmpeg)
==31899== by 0x419AF2: ??? (in /usr/bin/ffmpeg)
==31899== by 0x4062D8: ??? (in /usr/bin/ffmpeg)
==31899== Address 0x4cb48 is not stack'd, malloc'd or (recently) free'd
==31899==
==31899==
==31899== Process terminating with default action of signal 11 (SIGSEGV)
==31899== Access not within mapped region at address 0x4CB48
==31899== at 0x58808B0: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x58C6448: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x58C7244: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x58EADD6: ??? (in /usr/lib/libavcodec.so.54.25.100)
==31899== by 0x5A331BC: av_parser_parse2 (in
/usr/lib/libavcodec.so.54.25.100)
==31899== by 0x53BCF82: ??? (in /usr/lib/libavformat.so.54.6.101)
==31899== by 0x53BD43B: ??? (in /usr/lib/libavformat.so.54.6.101)
==31899== by 0x53BEE70: avformat_find_stream_info (in
/usr/lib/libavformat.so.54.6.101)
==31899== by 0x413155: ??? (in /usr/bin/ffmpeg)
==31899== by 0x41994F: ??? (in /usr/bin/ffmpeg)
==31899== by 0x419AF2: ??? (in /usr/bin/ffmpeg)
==31899== by 0x4062D8: ??? (in /usr/bin/ffmpeg)
==31899== If you believe this happened as a result of a stack
==31899== overflow in your program's main thread (unlikely but
==31899== possible), you can try to increase the size of the
==31899== main thread stack using the --main-stacksize= flag.
==31899== The main thread stack size used in this run was 8388608.
==31899==
==31899== HEAP SUMMARY:
==31899== in use at exit: 1,363,305 bytes in 2,866 blocks
==31899== total heap usage: 4,461 allocs, 1,595 frees, 1,524,406 bytes
allocated
==31899==
==31899== LEAK SUMMARY:
==31899== definitely lost: 61 bytes in 2 blocks
==31899== indirectly lost: 336 bytes in 4 blocks
==31899== possibly lost: 0 bytes in 0 blocks
==31899== still reachable: 1,362,908 bytes in 2,860 blocks
==31899== suppressed: 0 bytes in 0 blocks
==31899== Rerun with --leak-check=full to see details of leaked memory
==31899==
==31899== For counts of detected and suppressed errors, rerun with: -v
==31899== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
Segmentation fault (core dumped)
}}}
For some reason the build configuration in the output above is cut off where
the libavutil version line begins, so here's the full configure line:
{{{
--prefix=/usr --enable-gpl --enable-version3 --enable-nonfree --enable-
shared --enable-postproc --enable-libx264 --enable-frei0r --enable-librtmp
--enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libdc1394
--enable-libmp3lame --enable-libtheora --enable-libopenjpeg --enable-
libvpx --enable-libgsm --enable-libschroedinger --enable-libspeex
--enable-libvorbis --enable-libxvid --enable-libfaac --cpu=amdfam10
--arch=x86_64 --enable-x11grab --enable-libxavs --enable-libfreetype
--enable-libvo-aacenc --enable-libvo-amrwbenc --enable-libcelt --enable-
openal --enable-libcdio --enable-libaacplus --enable-libmodplug --enable-
libpulse --enable-gnutls --enable-openssl --enable-libv4l2 --enable-libass
--enable-static --enable-libbluray --enable-libutvideo --enable-avresample
}}}
For reference, the input is an RTSP URL; these are the details of the streams
in it, as reported by a working build:
{{{
Input #0, rtsp, from 'rtsp://(hidden)':
Metadata:
title : (hidden)
comment : (hidden)
Duration: N/A, start: 0.018000, bitrate: N/A
Stream #0:0: Video: h264 (Constrained Baseline), yuv420p, 320x240 [SAR
1:1 DAR 4:3], 14.99 fps, 30.08 tbr, 90k tbn, 29.97 tbc
Stream #0:1: Audio: aac, 16000 Hz, mono, s16
}}}
Using Ubuntu 11.04 x86_64
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1453>