[FFmpeg-trac] #4749(avcodec:new): firefox crashes in ffmpeg code (2.7.2 and git versions)

FFmpeg trac at avcodec.org
Mon Aug 3 18:42:53 CEST 2015

#4749: firefox crashes in ffmpeg code (2.7.2 and git versions)
             Reporter:  zazdxscf    |                    Owner:
                 Type:  defect      |                   Status:  new
             Priority:  important   |                Component:  avcodec
              Version:  git-master  |               Resolution:
             Keywords:  crash aac   |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |

Comment (by zazdxscf):

 Finally managed to make it crash. I figure it would never crash this way
 unless I do some compilation in the background to "poison" the memory or
 something else(?): I started compiling gcc 5.2.0 (just to have something to
 compile) and after about 10 minutes, firefox crashed in the same place.

 I will attach backtrace_simple5.log (bt full) because it looks ugly if I
 just paste it here.

 This is the used ffmpeg version:
 $ ffmpeg -version
 ffmpeg started on 2015-08-03 at 18:12:18
 Report written to "ffmpeg-20150803-181218.log"
 ffmpeg version N-74201-g5bf8590 Copyright (c) 2000-2015 the FFmpeg
 built with gcc 5.1.0 (Gentoo 5.1.0 p1.2, pie-0.6.3)
 configuration: --prefix=/usr --libdir=/usr/lib64 --shlibdir=/usr/lib64
 --mandir=/usr/share/man --enable-shared --cc=x86_64-pc-linux-gnu-gcc
 --cxx=x86_64-pc-linux-gnu-g++ --ar=x86_64-pc-linux-gnu-ar --optflags=' '
 --disable-static --enable-avfilter --enable-avresample --disable-stripping
 --disable-indev=v4l2 --disable-outdev=v4l2 --disable-indev=alsa --disable-
 indev=oss --disable-indev=jack --disable-outdev=alsa --disable-outdev=oss
 --disable-outdev=sdl --enable-bzlib --disable-runtime-cpudetect --disable-
 debug --disable-doc --disable-gnutls --enable-gpl --enable-hardcoded-
 tables --enable-iconv --disable-lzma --enable-network --disable-openssl
 --enable-postproc --disable-libsmbclient --disable-ffplay --disable-vaapi
 --disable-vdpau --enable-xlib --disable-libxcb --disable-libxcb-shm
 --disable-libxcb-xfixes --enable-zlib --disable-libcdio --disable-
 libiec61883 --disable-libdc1394 --disable-libcaca --disable-openal
 --disable-opengl --disable-libv4l2 --enable-libpulse --disable-
 libopencore-amrwb --disable-libopencore-amrnb --disable-libfdk-aac
 --disable-libopenjpeg --disable-libbluray --disable-libcelt --disable-
 libgme --disable-libgsm --disable-libmodplug --disable-libopus --disable-
 libquvi --disable-librtmp --disable-libssh --disable-libschroedinger
 --disable-libspeex --disable-libvorbis --disable-libvpx --disable-libzvbi
 --disable-libbs2b --disable-libflite --disable-frei0r --disable-libfribidi
 --disable-fontconfig --disable-ladspa --disable-libass --disable-
 libfreetype --disable-libsoxr --enable-pthreads --disable-libvo-aacenc
 --disable-libvo-amrwbenc --disable-libmp3lame --disable-libaacplus
 --disable-libfaac --disable-libsnappy --disable-libtheora --disable-
 libtwolame --disable-libwavpack --disable-libwebp --disable-libx264
 --disable-libx265 --disable-libxvid --enable-x11grab --disable-avx
 --disable-avx2 --disable-fma3 --disable-fma4 --disable-ssse3 --disable-
 sse4 --disable-sse42 --disable-xop --cpu=host
 libavutil      54. 29.100 / 54. 29.100
 libavcodec     56. 56.101 / 56. 56.101
 libavformat    56. 40.101 / 56. 40.101
 libavdevice    56.  4.100 / 56.  4.100
 libavfilter     5. 30.100 /  5. 30.100
 libavresample   2.  1.  0 /  2.  1.  0
 libswscale      3.  1.101 /  3.  1.101
 libswresample   1.  2.101 /  1.  2.101
 libpostproc    53.  3.100 / 53.  3.100

 Thus the commit is 5bf8590 (titled: "avfilter/avf_showvolume: stop making
 output fully transparent"); apply the two patches included above to get the
 exact source code used in my ffmpeg build, which is what the backtrace log
 applies to (so that the line numbers match).

 But to make it easier I reiterate here the important ones:

 #3  0x00007f77040262a1 in NEG_USR32 (s=<optimized out>, a=<optimized out>)
 at /usr/src/debug/media-
 #define NEG_USR32 NEG_USR32
 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){
     __asm__ ("shrl %1, %0\n\t"  //<------ this is line 125
          : "+r" (a)
          : "ic" ((uint8_t)(-s))
     return a;

 #4  decode_spectrum_and_dequant (band_type=0x7f76c8181d7c,
 ics=0x7f76c8181100, pulse=0x7f76d0afcea0, pulse_present=0,
 sf=0x7f76c818215c, gb=0x7f76d0afd2a0, coef=0x7f76c81839c0,
 ac=0x7f76cc4f1000) at /usr/src/debug/media-
 do {
                             int code;
                             unsigned cb_idx;

                             UPDATE_CACHE(re, gb);
                             GET_VLC(code, re, gb, vlc_tab, 8, 2); //<----
 line 1681 is this*
                             cb_idx = cb_vector_idx[code];
                             cf = DEC_SPAIR(cf, cb_idx);
                             cf = VMUL2(cf, vq, cb_idx, sf + idx);
 #endif /* USE_FIXED */
                         } while (len -= 2);

 * note: in my initial post (up top) I am now unsure whether it really
 crashed in the above UPDATE_CACHE line, or whether I actually used an older
 coredump with updated sources! So it might have been the GET_VLC line all
 along. But it seems that UPDATE_CACHE is called from within GET_VLC too, and
 it eventually calls NEG_USR32, so it may well be that it did crash in those
 two different nearby places after all, simply because both reach NEG_USR32
 through UPDATE_CACHE.

 #5  decode_ics (ac=ac at entry=0x7f76cc4f1000, sce=sce at entry=0x7f76c8181100,
 gb=gb at entry=0x7f76d0afd2a0, common_window=common_window at entry=1,
 scale_flag=0) at /usr/src/debug/media-
     if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
 //<---- this be line 1958
                                     &pulse, ics, sce->band_type) < 0)
         return AVERROR_INVALIDDATA;

 #6  0x00007f7704026e1c in decode_cpe (ac=ac at entry=0x7f76cc4f1000,
 gb=gb at entry=0x7f76d0afd2a0, cpe=cpe at entry=0x7f76c8173000) at
     if ((ret = decode_ics(ac, &cpe->ch[0], gb, common_window, 0)))
         return ret;
     if ((ret = decode_ics(ac, &cpe->ch[1], gb, common_window, 0))) //<----
 this be line 2084
         return ret;

 #7  0x00007f7704027cd8 in aac_decode_frame_int
 (avctx=avctx at entry=0x7f76e9a6fe00, data=data at entry=0x7f76d0afd4f0,
 got_frame_ptr=got_frame_ptr at entry=0x7f76d0afd868,
 gb=gb at entry=0x7f76d0afd2a0, avpkt=avpkt at entry=0x7f76d0afd350) at
         case TYPE_CPE:
             err = decode_cpe(ac, gb, che); //<--- this be line 2959
             audio_found = 1;

 #8  0x00007f7704028cfa in aac_decode_frame (avctx=0x7f76e9a6fe00,
 data=0x7f76d0afd4f0, got_frame_ptr=0x7f76d0afd868, avpkt=0x7f76d0afd350)
 at /usr/src/debug/media-
         err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb,
 avpkt); //<---- this is line 3136

 #9  0x00007f77043b8501 in avcodec_decode_audio4 (avctx=0x7f76e9a6fe00,
 frame=frame at entry=0x7f76d0afd4f0,
 got_frame_ptr=got_frame_ptr at entry=0x7f76d0afd868,
 avpkt=avpkt at entry=0x7f76d0afd420) at /usr/src/debug/media-
         else {
             ret = avctx->codec->decode(avctx, frame, got_frame_ptr, &tmp);
 //<--- this be line 2597
             av_assert0(ret <= tmp.size);
             frame->pkt_dts = avpkt->dts;

 #10 0x00007f77054d806d in gst_ffmpegauddec_audio_frame
 (ffmpegdec=ffmpegdec at entry=0x7f770c5fc2a0, data=data at entry=0x7f76caefff00
 <incomplete sequence \363\207>..., size=<optimized out>,
 have_data=have_data at entry=0x7f76d0afd868,
 outbuf=outbuf at entry=0x7f76d0afd7d0, ret=ret at entry=0x7f76d0afd86c,
 in_plugin=<optimized out>) at /usr/src/debug/media-plugins/gst-plugins-
 static gint
 gst_ffmpegauddec_audio_frame (GstFFMpegAudDec * ffmpegdec,
     AVCodec * in_plugin, guint8 * data, guint size, gint * have_data,
     GstBuffer ** outbuf, GstFlowReturn * ret)
   gint len = -1;
   AVPacket packet;
   AVFrame frame;

   GST_DEBUG_OBJECT (ffmpegdec, "size: %d", size);

   gst_avpacket_init (&packet, data, size);
   memset (&frame, 0, sizeof (frame));
   avcodec_get_frame_defaults (&frame);
   len = avcodec_decode_audio4 (ffmpegdec->context, &frame, have_data,
 &packet); // <--- this be line 475

   GST_DEBUG_OBJECT (ffmpegdec,
       "Decode audio: len=%d, have_data=%d", len, *have_data);

 #11 0x00007f77054d8622 in gst_ffmpegauddec_frame
 (ffmpegdec=ffmpegdec at entry=0x7f770c5fc2a0, data=data at entry=0x7f76caefff00
 <incomplete sequence \363\207>..., size=size at entry=256,
 have_data=have_data at entry=0x7f76d0afd868, ret=ret at entry=0x7f76d0afd86c) at
   *ret = GST_FLOW_OK;

   oclass = (GstFFMpegAudDecClass *) (G_OBJECT_GET_CLASS (ffmpegdec));

   len = //<---- this be line 632
       gst_ffmpegauddec_audio_frame (ffmpegdec, oclass->in_plugin, data,
       have_data, &outbuf, ret);


 Linux norm2 4.2.0-rc4-g45b4b78 #3 SMP Wed Jul 29 13:39:07 CEST 2015 x86_64
 AMD A6-3400M APU with Radeon(tm) HD Graphics AuthenticAMD GNU/Linux
 This is Gentoo no-multilib (and not hardened), which is running inside a
 Firefox version is 39.0

 If you have any suggestions on what I should try next, I'd be more than
 happy to try them. Even if it's about code in gst-plugins-libav ... or
 anything really. (I don't know much btw, but I am willing to try.)

Ticket URL: <https://trac.ffmpeg.org/ticket/4749#comment:6>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
