Opened 10 years ago

Closed 8 years ago

#3637 closed defect (needs_more_info)

AAC encoder segfault on OS X 10.9.2

Reported by: zulkis
Owned by:
Priority: normal
Component: avcodec
Version: git-master
Keywords: crash aac
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Very similar to this: https://trac.ffmpeg.org/ticket/2447
But I guess I have more information:
There are several cases in which that bug happens:
1st stacktrace:
(int) curidx = -2147483644
And trying to get ff_aac_spectral_bits[cb-1][curidx];

* thread #4: tid = 0x62892d, 0x000000010049a20f libavcodec.55.dylib`quantize_and_encode_band_cost_SPAIR [inlined] quantize_and_encode_band_cost_template(s=0x00000001020a3600, pb=0x0000000000000000, in=0x000000010cbb8a00, scaled=0x00000001020a3e60, size=8, scale_idx=199, cb=5, lambda=1, uplim=+Inf, bits=0x0000000102b7ff80, BT_ZERO=0, BT_UNSIGNED=0, BT_PAIR=1, BT_ESC=0) + 787 at aaccoder.c:153, queue = 'com.streamingclient.captureVideoDataOutput', stop reason = EXC_BAD_ACCESS (code=1, address=0x80e27224)
    frame #0: 0x000000010049a20f libavcodec.55.dylib`quantize_and_encode_band_cost_SPAIR [inlined] quantize_and_encode_band_cost_template(s=0x00000001020a3600, pb=0x0000000000000000, in=0x000000010cbb8a00, scaled=0x00000001020a3e60, size=8, scale_idx=199, cb=5, lambda=1, uplim=+Inf, bits=0x0000000102b7ff80, BT_ZERO=0, BT_UNSIGNED=0, BT_PAIR=1, BT_ESC=0) + 787 at aaccoder.c:153
    frame #1: 0x0000000100499efc libavcodec.55.dylib`quantize_and_encode_band_cost_SPAIR(s=0x00000001020a3600, pb=0x0000000000000000, in=0x000000010cbb8a00, scaled=0x00000001020a3e60, size=8, scale_idx=199, cb=5, lambda=1, uplim=+Inf, bits=0x0000000102b7ff80) + 380 at aaccoder.c:226
    frame #2: 0x00000001004978a5 libavcodec.55.dylib`quantize_band_cost(s=0x00000001020a3600, in=0x000000010cbb8a00, scaled=0x00000001020a3e60, size=8, scale_idx=199, cb=5, lambda=1, uplim=+Inf, bits=0x0000000102b7ff80) + 133 at aaccoder.c:262
    frame #3: 0x0000000100495f2f libavcodec.55.dylib`search_for_quantizers_twoloop(avctx=0x0000000102079e00, s=0x00000001020a3600, sce=0x000000010cbb70a0, lambda=144.90567) + 2223 at aaccoder.c:797
    frame #4: 0x00000001004aba98 libavcodec.55.dylib`aac_encode_frame(avctx=0x0000000102079e00, avpkt=0x0000000102832b70, frame=0x00000001028414c0, got_packet_ptr=0x0000000102b80b60) + 2120 at aacenc.c:597
  * frame #5: 0x0000000100b30ffd libavcodec.55.dylib`avcodec_encode_audio2(avctx=0x0000000102079e00, avpkt=0x0000000102832b70, frame=0x00000001028414c0, got_packet_ptr=0x0000000102b80b60) + 813 at utils.c:1778
    frame #6: 0x000000010000cd09 Tunemelt`-[SCStreamer sendPCMAudio:pts:duration:](self=0x0000600000138380, _cmd=0x0000000100089cac, sampleBuffer=0x000000010283e860, pts=<unavailable>, duration=<unavailable>) + 1529 at SCStreamer.m:401
    frame #7: 0x0000000100032b08 Tunemelt`-[SCCaptureSession captureOutput:didOutputSampleBuffer:fromConnection:](self=0x00006180000ce5b0, _cmd=0x00007fff91133d93, captureOutput=0x000061000023d460, sampleBuffer=0x000000010283e860, connection=0x00006080002208e0) + 1240 at SCCaptureSession.m:283
    frame #8: 0x00007fff910d0ad2 AVFoundation`__ConsumerRender_block_invoke + 141
    frame #9: 0x00007fff884ad1d7 libdispatch.dylib`_dispatch_call_block_and_release + 12
    frame #10: 0x00007fff884aa2ad libdispatch.dylib`_dispatch_client_callout + 8
    frame #11: 0x00007fff884ac68f libdispatch.dylib`_dispatch_queue_drain + 451
    frame #12: 0x00007fff884ad9dd libdispatch.dylib`_dispatch_queue_invoke + 110
    frame #13: 0x00007fff884abfa3 libdispatch.dylib`_dispatch_root_queue_drain + 75
    frame #14: 0x00007fff884ad193 libdispatch.dylib`_dispatch_worker_thread2 + 40
    frame #15: 0x00007fff88e0aef8 libsystem_pthread.dylib`_pthread_wqthread + 314

2.
Calling static int find_min_book(float maxval, int sf)
with sf = -2147483648, again a non-positive number.

* thread #5: tid = 0x62a400, 0x000000010049c352 libavcodec.55.dylib`find_min_book(maxval=1.92100652E+18, sf=-2147483648) + 50 at aaccoder.c:286, queue = 'com.streamingclient.captureVideoDataOutput', stop reason = EXC_BAD_ACCESS (code=1, address=0xffffffff00ff72a0)
  * frame #0: 0x000000010049c352 libavcodec.55.dylib`find_min_book(maxval=1.92100652E+18, sf=-2147483648) + 50 at aaccoder.c:286
    frame #1: 0x0000000100495e5e libavcodec.55.dylib`search_for_quantizers_twoloop(avctx=0x000000010400e000, s=0x00000001040d3800, sce=0x000000010c5aa0a0, lambda=120) + 2014 at aaccoder.c:794
    frame #2: 0x00000001004aba98 libavcodec.55.dylib`aac_encode_frame(avctx=0x000000010400e000, avpkt=0x0000000103400dd0, frame=0x0000000103402b20, got_packet_ptr=0x0000000103780b60) + 2120 at aacenc.c:597
    frame #3: 0x0000000100b30ffd libavcodec.55.dylib`avcodec_encode_audio2(avctx=0x000000010400e000, avpkt=0x0000000103400dd0, frame=0x0000000103402b20, got_packet_ptr=0x0000000103780b60) + 813 at utils.c:1778
    frame #4: 0x000000010000cd09 Tunemelt`-[SCStreamer sendPCMAudio:pts:duration:](self=0x0000600000135180, _cmd=0x0000000100089cac, sampleBuffer=0x0000000103606880, pts=<unavailable>, duration=<unavailable>) + 1529 at SCStreamer.m:401
    frame #5: 0x0000000100032b08 Tunemelt`-[SCCaptureSession captureOutput:didOutputSampleBuffer:fromConnection:](self=0x00006000002d3e80, _cmd=0x00007fff91133d93, captureOutput=0x000060000022de00, sampleBuffer=0x0000000103606880, connection=0x00006100000326a0) + 1240 at SCCaptureSession.m:283
    frame #6: 0x00007fff910d0ad2 AVFoundation`__ConsumerRender_block_invoke + 141
    frame #7: 0x00007fff884ad1d7 libdispatch.dylib`_dispatch_call_block_and_release + 12
    frame #8: 0x00007fff884aa2ad libdispatch.dylib`_dispatch_client_callout + 8
    frame #9: 0x00007fff884ac68f libdispatch.dylib`_dispatch_queue_drain + 451
    frame #10: 0x00007fff884ad9dd libdispatch.dylib`_dispatch_queue_invoke + 110
    frame #11: 0x00007fff884abfa3 libdispatch.dylib`_dispatch_root_queue_drain + 75
    frame #12: 0x00007fff884ad193 libdispatch.dylib`_dispatch_worker_thread2 + 40
    frame #13: 0x00007fff88e0aef8 libsystem_pthread.dylib`_pthread_wqthread + 314

ffmpeg configuration:

--enable-protocol=file --enable-avformat --enable-avcodec --enable-swscale --enable-demuxer=mp3 --enable-demuxer=aac --enable-demuxer=image2 --enable-demuxer=mov --enable-decoder=rawvideo --enable-demuxer=h264 --enable-decoder=mp3 --enable-decoder=aac --enable-decoder=mjpeg --enable-decoder=h264 --enable-decoder=mpeg4 --enable-encoder=mp3 --enable-encoder=aac --enable-encoder=mjpeg --enable-encoder=h264 --enable-encoder=mpeg4 --enable-parser=mp3 --enable-parser=aac --enable-parser=h264 --enable-pic --enable-libx264 --enable-gpl --disable-optimizations --disable-static --enable-shared --disable-stripping --disable-ssse3 --enable-debug=3 --extra-cflags="-O0 -fno-inline"

Change History (10)

comment:1 by zulkis, 10 years ago

Component: undetermined → avcodec

comment:2 by Carl Eugen Hoyos, 10 years ago

Keywords: crash added; aac encoder avcodec_encode_audio2 removed
Priority: critical → important

#2447 is a hardware issue on old (broken) hardware.
To make this a valid ticket, please recompile without --enable-shared and provide your crashing command line including the needed input file and provide all information as explained on https://ffmpeg.org/bugreports.html

comment:3 by zulkis, 10 years ago

Thank you for this fast answer!

I am using dynamic libraries to stream audio source from capturing devices...
How to provide testing info from video camera/microphone?
Try to dump all this raw data into the file and after that try to reproduce same behaviour with ffmpeg invoked from command line?

comment:4 by Carl Eugen Hoyos, 10 years ago

I only see now you are already using --disable-stripping - please provide the missing debug information as explained on https://ffmpeg.org/bugreports.html

comment:5 by zulkis, 10 years ago

I don't know why, but I cannot reproduce the 1st crash (ff_aac_spectral_bits). Only the 2nd is crashing all the time.

2nd crash case (find_min_book) lldb info (don't have gdb):

disass --pc
libavcodec.55.dylib`find_min_book + 50 at aaccoder.c:286:
-> 0x10049c352:  movss  (%rax,%rdx,4), %xmm0
   0x10049c357:  movss  %xmm0, -0xc(%rbp)
   0x10049c35c:  movss  -0xc(%rbp), %xmm0
   0x10049c361:  movss  -0xc(%rbp), %xmm2

General Purpose Registers:
       rax = 0x0000000100ff6de0  libavcodec.55.dylib`ff_aac_pow2sf_tab
       rbx = 0x0000000000000000
       rcx = 0x0000000080000130
       rdx = 0xffffffff80000130
       rdi = 0x0000000080000000
       rsi = 0x00000001082c60a0
       rbp = 0x000000010337ff20
       rsp = 0x000000010337ff20
        r8 = 0x00000001033803e0
        r9 = 0xfc005c4266c891f1
       r10 = 0x0000000000001800
       r11 = 0x0000000000001200
       r12 = 0x00007fff8bf6b304  "isEnabled"
       r13 = 0x0000000101f3fa90
       r14 = 0x00000001004b72a0  libavcodec.55.dylib`psy_lame_window at aacpsy.c:824
       r15 = 0x00007fff78cd04b0  { /usr/lib/libobjc.A.dylib`objc_msgSend_fixedup, "respondsToSelector:" }
       rip = 0x000000010049c352  libavcodec.55.dylib`find_min_book + 50 at aaccoder.c:286
    rflags = 0x0000000000010286
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000ff0000

Floating Point Registers:
     fctrl = 0x037f
     fstat = 0x0000
      ftag = 0x00
       fop = 0x0000
     fioff = 0x93a967d6
     fiseg = 0x002b
     fooff = 0x03380ca0
     foseg = 0x0023
     mxcsr = 0x00001fbb
  mxcsrmask = 0x0000ffff

Exception State Registers:
    trapno = 0x0000000e
       err = 0x00000004
  faultvaddr = 0xffffffff00ff72a0

comment:6 by Carl Eugen Hoyos, 10 years ago

Could you print the value of the variable sf when find_min_book() is called?

Did you already try to reproduce the issue with ffmpeg (the application)?
If capture input is absolutely necessary, there is a patch that allows using it:
http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/177006

comment:7 by zulkis, 10 years ago

As I mentioned before - the sf variable is just non-positive.
No, I did not try that... Right now I am working just with code using the dylibs generated with the ffmpeg --shared flag.
I made my own input capturing. I did a few tests with different devices and only one of them (Logitech HD Webcam C615) has such problems with the audio device in it...

comment:8 by Michael Niedermayer, 10 years ago

Priority: important → normal

When this isn't reproducible with any software that one can obtain then it isn't really important. Nor is there much chance it could get fixed.
Also I suspect this is caused by invalid out of range, inf or NaN input. I am happy to make the encoder more robust against such input but I need a reproducible testcase for it.
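
Added example, not part of the ticket or of FFmpeg's code: it recomputes the faulting address from the registers posted in comment 5 and sketches two caller-side guards against the non-finite input suspected in comment 8. The helper names `sanitize_pcm_f32` and `float_to_index` and the [-1, 1] sample range are assumptions for illustration; the ticket never confirmed the cause.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Triage: effective address of `movss (%rax,%rdx,4), %xmm0`, where rdx is
 * the 32-bit index sign-extended to 64 bits. */
uint64_t fault_address(uint64_t base, int32_t index, unsigned scale)
{
    return base + (uint64_t)(int64_t)index * scale;
}

/* Guard 1 (hypothetical helper): zero NaN/Inf and clamp float PCM to
 * [-1, 1] before the frame reaches the encoder. Returns repaired count. */
size_t sanitize_pcm_f32(float *s, size_t n)
{
    size_t repaired = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isfinite(s[i]))   { s[i] = 0.0f;  repaired++; }
        else if (s[i] > 1.0f)  { s[i] = 1.0f;  repaired++; }
        else if (s[i] < -1.0f) { s[i] = -1.0f; repaired++; }
    }
    return repaired;
}

/* Guard 2 (hypothetical helper): float -> table index with no undefined
 * behaviour. Casting NaN or Inf to int is undefined in C; x86 SSE
 * conversions return 0x80000000, the bit pattern of the reported sf. */
int float_to_index(float v, size_t table_len, size_t *out)
{
    if (!isfinite(v) || v < 0.0f || v >= (float)table_len)
        return -1;                      /* reject instead of indexing */
    *out = (size_t)v;
    return 0;
}

/* Constructed frame: one good sample and four bad ones. */
size_t demo_repaired(void)
{
    float frame[] = { 0.25f, NAN, INFINITY, -3.0f, 1.5f };
    return sanitize_pcm_f32(frame, sizeof frame / sizeof frame[0]);
}

int main(void)
{
    printf("fault at 0x%llx, repaired %zu\n", (unsigned long long)
           fault_address(0x100ff6de0ULL, INT32_MIN + 0x130, 4), demo_repaired());
    return 0;
}
```

With rax and edx taken from comment 5, `fault_address` reproduces the reported faultvaddr 0xffffffff00ff72a0, which shows the crash is a table read at a negative index rather than a corrupted table pointer.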

comment:9 by Carl Eugen Hoyos, 9 years ago

Keywords: aac added

comment:10 by Elon Musk, 8 years ago

Resolution: needs_more_info
Status: new → closed

Please reopen if this still happens.
