[Ffmpeg-devel] h264 playback crash

grenola ffmpeg
Fri May 5 11:28:52 CEST 2006


Hi there,

I have recently become aware of a bug in ffmpeg's h264 decoding 
routines. The bug is seemingly triggered when one piece of h264 is 
appended to another piece of h264 and the resulting output file fed to 
ffmpeg. The bug has been tested using appended samples created both 
using avidemux and VirtualDub, and the result is the same. The bug also 
affects playback using vlc and mplayer.

The following gdb trace was derived using a CVS snapshot from the 5th of 
May 2006. There follows a similar dump created using mplayer (compiled 
against the same ffmpeg CVS snapshot) which shows the bug a bit more 
clearly (in particular see the very end of this email).

Any workarounds (i.e. a way to append 264 video files that does not 
result in this bug being triggered) would be very helpful.

You may download a crashing testcase here:

http://www.ali1548.ukshells.co.uk/loller.avi

------

(gdb) run
Starting program: /grenola/ffmpeg-cvs-20060505/bin/ffmpeg -i 
/home/ali/Desktop/nate/loller.avi /home/ali/Desktop/nate/loller_enc.avi
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
FFmpeg version CVS, Copyright (c) 2000-2004 Fabrice Bellard
   configuration:  --prefix=/grenola/ffmpeg
   libavutil version: 49.0.0
   libavcodec version: 51.9.0
   libavformat version: 50.4.0
   built on May  5 2006 09:56:09, gcc: 4.0.2 20050808 (prerelease) 
(Ubuntu 4.0.1-4ubuntu9)
Input #0, avi, from '/home/ali/Desktop/nate/loller.avi':
   Duration: 00:00:05.9, start: 0.000000, bitrate: 251 kb/s
   Stream #0.0, 29.97 fps(r): Video: h264, yuv420p, 640x480
   Stream #0.1: Audio: mp3, 48000 Hz, stereo, 128 kb/s
Output #0, avi, to '/home/ali/Desktop/nate/loller_enc.avi':
   Stream #0.0, 29.97 fps(c): Video: mpeg4, yuv420p, 640x480, q=2-31, 
200 kb/s
   Stream #0.1: Audio: mp2, 48000 Hz, stereo, 64 kb/s
Stream mapping:
   Stream #0.0 -> #0.0
   Stream #0.1 -> #0.1
Press [q] to stop encoding
frame=   64 q=2.0 size=     346kB time=2.1 bitrate=1328.3kbits/s 
frame=  146 q=31.0 size=     609kB time=4.9 bitrate=1023.9kbits/s
Program received signal SIGSEGV, Segmentation fault.
0x0000000000599d84 in ff_h261_encode_mb ()
(gdb) bt
#0  0x0000000000599d84 in ff_h261_encode_mb ()
#1  0x000000000059f573 in ff_h261_encode_mb ()
#2  0x00000000005a0973 in ff_h261_encode_mb ()
#3  0x00000000005a1989 in ff_h261_encode_mb ()
#4  0x00000000005a2784 in ff_h261_encode_mb ()
#5  0x00000000004643b0 in avcodec_decode_video ()
#6  0x00000000004153d4 in parse_arg_file ()
#7  0x0000000000417b10 in main ()
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x599d64 to 0x599da4:
0x0000000000599d64 <ff_h261_encode_mb+109908>:	add    %al,(%rax)
0x0000000000599d66 <ff_h261_encode_mb+109910>:	cmp 
0xffffffffffffff94(%rsp),%esi
0x0000000000599d6a <ff_h261_encode_mb+109914>:	jl     0x59a0f0 
<ff_h261_encode_mb+110816>
0x0000000000599d70 <ff_h261_encode_mb+109920>:	sub 
0xffffffffffffff94(%rsp),%esi
0x0000000000599d74 <ff_h261_encode_mb+109924>:	mov 
0xffffffffffffff98(%rsp),%rcx
0x0000000000599d79 <ff_h261_encode_mb+109929>:	movslq %r12d,%rdx
0x0000000000599d7c <ff_h261_encode_mb+109932>:	mov    $0x20,%eax
0x0000000000599d81 <ff_h261_encode_mb+109937>:	mov    %esi,(%r10)
0x0000000000599d84 <ff_h261_encode_mb+109940>:	sub    (%rcx,%rdx,4),%eax
0x0000000000599d87 <ff_h261_encode_mb+109943>:	shr    $0x6,%eax
0x0000000000599d8a <ff_h261_encode_mb+109946>:	mov    %ax,(%r15,%rdx,2)
0x0000000000599d8f <ff_h261_encode_mb+109951>:	inc    %r14d
0x0000000000599d92 <ff_h261_encode_mb+109954>:	dec    %ebp
0x0000000000599d94 <ff_h261_encode_mb+109956>:	js     0x599b6c 
<ff_h261_encode_mb+109404>
0x0000000000599d9a <ff_h261_encode_mb+109962>:	xor    %eax,%eax
0x0000000000599d9c <ff_h261_encode_mb+109964>:	test   %r13d,%r13d
0x0000000000599d9f <ff_h261_encode_mb+109967>:	jne    0x599c45 
<ff_h261_encode_mb+109621>
End of assembler dump.
(gdb) info all-registers
rax            0x20	32
rbx            0x2b753eb5a010	47782563258384
rcx            0x1b00	6912
rdx            0x0	0
rsi            0xcbd0	52176
rdi            0x0	0
rbp            0x0	0x0
rsp            0x7fffffd67c68	0x7fffffd67c68
r8             0x3f	63
r9             0x2b753eb9bfd9	47782563528665
r10            0x2b753eb9bae8	47782563527400
r11            0x0	0
r12            0x0	0
r13            0x0	0
r14            0x1	1
r15            0x2b753eb9b7e8	47782563526632
rip            0x599d84	0x599d84 <ff_h261_encode_mb+109940>
eflags         0x10202	66050
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            <invalid float value>	(raw 0xffff0000000000000000)
st1            -nan(0x1212121213131313)	(raw 0xffff1212121213131313)
st2            -nan(0x1313131313131313)	(raw 0xffff1313131313131313)
st3            <invalid float value>	(raw 0xffff0000000000000000)
st4            -nan(0xc0c0c0c0c0c0c0c)	(raw 0xffff0c0c0c0c0c0c0c0c)
st5            -nan(0x101010100000000)	(raw 0xffff0101010100000000)
st6            -nan(0x101010100000000)	(raw 0xffff0101010100000000)
st7            <invalid float value>	(raw 0xffff0000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xaaaa	43690
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0
xmm0           {f = {0xfffffffe, 0xd, 0x0, 0x0}}	{f = {-2, 13.3261728, 
0, 0}}
xmm1           {f = {0x0, 0x3, 0x0, 0x0}}	{f = {0, 3.48828125, 0, 0}}
xmm2           {f = {0x0, 0x2, 0x0, 0x0}}	{f = {0.988000035, 2.34949994, 
-1.75331087e+38, -nan(0x90cdd)}}
xmm3           {f = {0x0, 0x2, 0x0, 0x0}}	{f = {1.53749397e-15, 
2.31072736, 1.24715563e-43, 1.2751816e-43}}
xmm4           {f = {0x0, 0xd, 0x0, 0xfffff904}}	{f = {-0, 13.1853304, 
-4.57506084e-21, -1788.73804}}
xmm5           {f = {0xc24b42, 0x0, 0x0, 0x0}}	{f = {12733250, 
1.97132904e-26, 2.06927913e-14, -2.28904872e+26}}
xmm6           {f = {0x0, 0x0, 0x0, 0x0}}	{f = {9.18354962e-41, 
9.18354962e-41, 9.18354962e-41, 9.18354962e-41}}
xmm7           {f = {0x0, 0x0, 0x0, 0x0}}	{f = {1.48485789e-39, 
9.2925342e-39, 5.08481607e-39, 9.30358484e-39}}
xmm8           {f = {0x0, 0x0, 0x0, 0x0}}	{f = {-7.4649608e-34, 
0.118344754, 0, 0}}
xmm9           {f = {0x0, 0x1, 0x0, 0x0}}	{f = {0, 1.75, 2.37215456e-12, 
-0.770097017}}
xmm10          {f = {0x0, 0x1, 0x0, 0x0}}	{f = {-3.40421439e+23, 
1.74999988, 4.73870248e-30, 0.672393799}}
xmm11          {f = {0x0, 0xd, 0x73a249, 0xffffffff}}	{f = {0, 
13.0393038, 7578185, -1.29953289}}
xmm12          {f = {0x0, 0x0, 0x0, 0x0}}	{f = {0, 0, 0, 0}}
---Type <return> to continue, or q <return> to quit---
xmm13          {f = {0x0, 0x1, 0x0, 0xffffffff}}	{f = {0, 1.15420532, 
-2.13419931e+15, -1.83225775}}
xmm14          {f = {0x0, 0x26, 0x0, 0x0}}	{f = {0, 38, 0, 0}}
xmm15          {f = {0x0, 0x2, 0x0, 0x0}}	{f = {1.60990027e-20, 
2.47653866, 0, 0}}
mxcsr          0x1fa0	8096
(gdb)



-------

This dump was created using mplayer compiled against the same ffmpeg CVS 
snapshot (5th May):

-------



(gdb) set args /home/ali/Desktop/loller.avi
(gdb) run
Starting program: /grenola/mplayer-cvs20060505-debug/bin/mplayer 
/home/ali/Desktop/loller.avi
[Thread debugging using libthread_db enabled]
[New Thread 47916107783232 (LWP 15164)]
MPlayer dev-CVS-060505-09:01-4.0.2 (C) 2000-2006 MPlayer Team
CPU: Advanced Micro Devices Athlon 64 Newcastle,Winchester,San 
Diego,Venice; Sempron Palermo (Family: 15, Stepping: 2)
CPUflags:  MMX: 1 MMX2: 1 3DNow: 1 3DNow2: 1 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 3DNow 3DNowEx SSE SSE2

Linux RTC init error in ioctl (rtc_irqp_set 1024): Permission denied
Try adding "echo 1024 > /proc/sys/dev/rtc/max-user-freq" to your system 
startup scripts.

Playing /home/ali/Desktop/loller.avi.
AVI file format detected.
VIDEO:  [H264]  640x480  24bpp  29.970 fps   99.4 kbps (12.1 kbyte/s)
==========================================================================
Opening audio decoder: [mp3lib] MPEG layer-2, layer-3
AUDIO: 48000 Hz, 2 ch, s16le, 128.0 kbit/8.33% (ratio: 16000->192000)
Selected audio codec: [mp3] afm: mp3lib (mp3lib MPEG layer-2, layer-3)
==========================================================================
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
Selected video codec: [ffh264] vfm: ffmpeg (FFmpeg H.264)
==========================================================================
[AO OSS] audio_setup: Can't open audio device /dev/sound/dsp: No such 
file or directory
alsa-init: using device default
alsa-lib: confmisc.c:560:(snd_determine_driver) could not open control 
for card 2
alsa-lib: conf.c:3479:(_snd_config_evaluate) function 
snd_func_card_driver returned error: No such file or directory
alsa-lib: confmisc.c:392:(snd_func_concat) error evaluating strings
alsa-lib: conf.c:3479:(_snd_config_evaluate) function snd_func_concat 
returned error: No such file or directory
alsa-lib: confmisc.c:955:(snd_func_refer) error evaluating name
alsa-lib: conf.c:3479:(_snd_config_evaluate) function snd_func_refer 
returned error: No such file or directory
alsa-lib: conf.c:3948:(snd_config_expand) Evaluate error: No such file 
or directory
alsa-lib: pcm.c:2090:(snd_pcm_open_noupdate) Unknown PCM default
alsa-init: playback open error: No such file or directory
[AO ARTS] loading the aRts backend "/usr/lib/libartscbackend.la" failed
[AO ESD] esd_open_sound failed: No such file or directory
ao_nas: init(): Can't open nas audio server -> nosound
[AO SDL] Samplerate: 48000Hz Channels: Stereo Format s16le
[New Thread 1082132832 (LWP 15167)]
AO: [sdl] 48000Hz 2ch s16le (2 bytes per sample)
Starting playback...
A:   0.0 V:   0.0 A-V: -0.033 ct:  0.000   1/  1 ??% ??% ??,?% 0 0 [J 
VDec: vo config request - 640 x 480 (preferred colorspace: Planar YV12)
VDec: using Planar YV12 as output csp (no 0)
Movie-Aspect is undefined - no prescaling applied.
VO: [xv] 640x480 => 640x480 Planar YV12
New_Face failed. Maybe the font path is wrong.
Please supply the text font file (~/.mplayer/subfont.ttf).
subtitle font: load_sub_face failed.
A:   0.1 V:   0.1 A-V:  0.040 ct:  0.001   2/  2 ??% ??% ??,?% 0 0

[... snip ...]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47916107783232 (LWP 15164)]
0x00000000006d2f5a in decode_cabac_residual (h=0x2b9456aa0010, 
block=0x2b9456ae17e8, cat=5, n=0, scantable=0x2b9456ae21c8 "", 
qmul=0x1b00, max_coeff=64)
     at h264.c:5750
5750	                if( get_cabac_bypass( &h->cabac ) ) block[j] = 
(-qmul[j] + 32) >> 6;
(gdb) bt
#0  0x00000000006d2f5a in decode_cabac_residual (h=0x2b9456aa0010, 
block=0x2b9456ae17e8, cat=5, n=0, scantable=0x2b9456ae21c8 "", 
qmul=0x1b00, max_coeff=64)
     at h264.c:5750
#1  0x00000000006d72dd in decode_mb_cabac (h=0x2b9456aa0010) at h264.c:6224
#2  0x00000000006d8610 in decode_slice (h=Variable "h" is not available.
) at h264.c:6886
#3  0x00000000006d9139 in decode_nal_units (h=0x2b9456aa0010, 
buf=0xc3dc50 "", buf_size=759) at h264.c:7620
#4  0x00000000006d9e04 in decode_frame (avctx=0xc58330, data=0xc58210, 
data_size=0x7fffffe5407c, buf=0xc3dc50 "", buf_size=759) at h264.c:7763
#5  0x00000000005aa2e1 in avcodec_decode_video (avctx=0xc58330, 
picture=0xc58210, got_picture_ptr=0x7fffffe5407c, buf=0xc3dc50 "", 
buf_size=759)
     at utils.c:946
#6  0x00000000004c37bb in decode (sh=0xc3b590, data=0xc3dc50, len=759, 
flags=0) at vd_ffmpeg.c:819
#7  0x00000000004be4c4 in decode_video (sh_video=0xc3b590, 
start=0xc3dc50 "", in_size=759, drop_frame=0, 
pts=-9.2233720368547758e+18) at dec_video.c:315
#8  0x0000000000444892 in main (argc=0, argv=Variable "argv" is not 
available.
) at mplayer.c:3730
(gdb) info registers
rax            0x20	32
rbx            0x2b9456ae1ae8	47916109404904
rcx            0x1b00	6912
rdx            0x0	0
rsi            0xcbd0	52176
rdi            0x25800	153600
rbp            0x0	0x0
rsp            0x7fffffe53a20	0x7fffffe53a20
r8             0x2b9456ae21c8	47916109406664
r9             0x1b00	6912
r10            0x2	2
r11            0x5	5
r12            0x0	0
r13            0x40	64
r14            0x0	0
r15            0x2b9456aa0010	47916109135888
rip            0x6d2f5a	0x6d2f5a <decode_cabac_residual+842>
eflags         0x10202	66050
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) disass
Dump of assembler code for function decode_cabac_residual:

[... snip ...]

0x00000000006d2f31 <decode_cabac_residual+801>:	test   %sil,%sil
0x00000000006d2f34 <decode_cabac_residual+804>:	mov    %esi,(%rbx)
0x00000000006d2f36 <decode_cabac_residual+806>:	je     0x6d3215 
<decode_cabac_residual+1541>
0x00000000006d2f3c <decode_cabac_residual+812>:	mov    0x4(%rbx),%eax
0x00000000006d2f3f <decode_cabac_residual+815>:	cmp    %eax,%esi
0x00000000006d2f41 <decode_cabac_residual+817>:	jl     0x6d31d5 
<decode_cabac_residual+1477>
0x00000000006d2f47 <decode_cabac_residual+823>:	movslq 0x54(%rsp),%rdx
0x00000000006d2f4c <decode_cabac_residual+828>:	mov    0x8(%rsp),%rcx
0x00000000006d2f51 <decode_cabac_residual+833>:	sub    %eax,%esi
0x00000000006d2f53 <decode_cabac_residual+835>:	mov    %esi,(%rbx)
0x00000000006d2f55 <decode_cabac_residual+837>:	mov    $0x20,%eax
0x00000000006d2f5a <decode_cabac_residual+842>:	sub    (%rcx,%rdx,4),%eax
0x00000000006d2f5d <decode_cabac_residual+845>:	mov    0x20(%rsp),%rcx
0x00000000006d2f62 <decode_cabac_residual+850>:	shr    $0x6,%eax
0x00000000006d2f65 <decode_cabac_residual+853>:	mov    %ax,(%rcx,%rdx,2)
0x00000000006d2f69 <decode_cabac_residual+857>:	incl   0x30(%rsp)
---Type <return> to continue, or q <return> to quit---
0x00000000006d2f6d <decode_cabac_residual+861>:	decl   0x2c(%rsp)
0x00000000006d2f71 <decode_cabac_residual+865>:	js     0x6d2d46 
<decode_cabac_residual+310>
0x00000000006d2f77 <decode_cabac_residual+871>:	mov    0x34(%rsp),%r10d
0x00000000006d2f7c <decode_cabac_residual+876>:	xor    %eax,%eax
0x00000000006d2f7e <decode_cabac_residual+878>:	test   %r10d,%r10d
0x00000000006d2f81 <decode_cabac_residual+881>:	jne    0x6d2e88 
<decode_cabac_residual+632>
0x00000000006d2f87 <decode_cabac_residual+887>:	jmpq   0x6d2e77 
<decode_cabac_residual+615>
0x00000000006d2f8c <decode_cabac_residual+892>:	cmpl   $0x5,0x34(%rsp)
0x00000000006d2f91 <decode_cabac_residual+897>:	mov    $0x4,%eax

[... snip ...]

End of assembler dump.
(gdb) print qmul[j]
Cannot access memory at address 0x1b00
(gdb) print j
$1 = 0
(gdb) print qmul
$2 = (const uint32_t *) 0x1b00





More information about the ffmpeg-devel mailing list