Crashes or artifacts when playing a specific file/stream

[Rafał Hirsz]

Trying to stream ​http://s3.amazonaws.com/ffmpeg-testing/badaccess.mp4 using Chromium or VLC results in artifacts and/or crashes.

Why am I submitting this bug report here? Both apps' video playing capabilities are powered by ffmpeg, so I think that the issue lies here somewhere.

The problem is, I cannot reproduce this problem using just ffmpeg/ffplay. In addition to that, other videos encoded using the same software and settings are played back properly in all players, so I think that's not an issue with the video.

I tested several configurations of players and operating systems while trying to play both the stream and the downloaded file. These are my results:

	Local file	Stream
Chrome 33 / OS X	crashes tab	crashes tab
Chromium git-3ca16748 / OS X	crashes tab	crashes tab
Chrome 33 / Windows (Native)	works	works
Chrome 33 / Windows (VM on OS X)	crashes tab	crashes tab
Chrome 33 / Linux	not tested	sometimes plays with artifacts, sometimes crashes
VLC 2.1.4 / OS X	crashes	plays with artifacts, then crashes whole system
VLC 2.1.3 / Windows	crashes	crashes
ffplay git-31c21d2f	works	works (low framerate)
QuickTime / OS X	works	works
Firefox 28 / OS X	works	works
Safari 7.0.2 / OS X	works	works

I've managed to attach lldb to the Chromium tab process twice. One time I've got (sorry for not saving much information):

* thread #11: tid = 0x7eb97, 0x213cc453 ffmpegsumo.so`ff_put_h264_chroma_mc8_rnd_ssse3 + 67, stop reason = EXC_BAD_ACCESS (code=1, address=0x23c58160)

The other time I've got:

* thread #16: tid = 0x24989, 0x213eb082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50, stop reason = EXC_BAD_ACCESS (code=1, address=0x22283160)
    frame #0: 0x213eb082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50
ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50:
-> 0x213eb082:  movq   %mm0, (%eax,%ecx,2)
   0x213eb086:  ret
   0x213eb087:  jmp    0x213eb090                ; ff_pred8x8_horizontal_8_mmx
   0x213eb089:  nop
(lldb) bt
* thread #16: tid = 0x24989, 0x213eb082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50, stop reason = EXC_BAD_ACCESS (code=1, address=0x22283160)
  * frame #0: 0x213eb082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50
    frame #1: 0x21264bdf ffmpegsumo.so`hl_decode_mb_simple_8(h=<unavailable>) + 1663 at h264_mb_template.c:162
    frame #2: 0x2126ceb6 ffmpegsumo.so`decode_slice(avctx=<unavailable>, arg=0xb0080db4) + 406 at h264.c:4485
    frame #3: 0x2126cbf2 ffmpegsumo.so`execute_decode_slices(h=0x24be0000, context_count=<unavailable>) + 82 at h264.c:4636
    frame #4: 0x2125a8ce ffmpegsumo.so`decode_nal_units(h=<unavailable>, buf=<unavailable>, buf_size=2118106720, parse_extradata=<unavailable>) + 2046 at h264.c:4999
    frame #5: 0x21268124 ffmpegsumo.so`decode_frame(avctx=<unavailable>, data=<unavailable>, got_frame=<unavailable>, avpkt=0x7e3fbebc) + 324 at h264.c:5136
    frame #6: 0x213533dc ffmpegsumo.so`frame_worker_thread(arg=0x7e3fbe00) + 492 at pthread_frame.c:153
    frame #7: 0x907bb5fb libsystem_pthread.dylib`_pthread_body + 144

I couldn't get more crash dumps out of Chromium, because suddenly the tabs started to close with status 0 without any crash reports that could be handled by lldb. :(

Also, I'd like to note that the local file VLC crash was also because of a EXC_BAD_ACCESS.

How to reproduce:

Open ​http://s3.amazonaws.com/ffmpeg-testing/badaccess.mp4 using Chromium, Chrome or VLC.

[Carl Eugen Hoyos]

Could you provide register content for the backtrace you made?

[Rafał Hirsz]

I made a new one.

* thread #53: tid = 0x14718, 0x26666082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50, stop reason = EXC_BAD_ACCESS (code=1, address=0x33beb160)
    frame #0: 0x26666082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50
ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50:
-> 0x26666082:  movq   %mm0, (%eax,%ecx,2)
   0x26666086:  ret
   0x26666087:  jmp    0x26666090                ; ff_pred8x8_horizontal_8_mmx
   0x26666089:  nop

(lldb) bt
* thread #53: tid = 0x14718, 0x26666082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50, stop reason = EXC_BAD_ACCESS (code=1, address=0x33beb160)
  * frame #0: 0x26666082 ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50
    frame #1: 0x264dfbdf ffmpegsumo.so`hl_decode_mb_simple_8(h=<unavailable>) + 1663 at h264_mb_template.c:162
    frame #2: 0x264e7eb6 ffmpegsumo.so`decode_slice(avctx=<unavailable>, arg=0xbabdadb4) + 406 at h264.c:4485
    frame #3: 0x264e7bf2 ffmpegsumo.so`execute_decode_slices(h=0x2cfb5000, context_count=<unavailable>) + 82 at h264.c:4636
    frame #4: 0x264d58ce ffmpegsumo.so`decode_nal_units(h=<unavailable>, buf=<unavailable>, buf_size=535452056, parse_extradata=<unavailable>) + 2046 at h264.c:4999
    frame #5: 0x264e3124 ffmpegsumo.so`decode_frame(avctx=<unavailable>, data=<unavailable>, got_frame=<unavailable>, avpkt=0x1fea59f4) + 324 at h264.c:5136
    frame #6: 0x265ce3dc ffmpegsumo.so`frame_worker_thread(arg=0x1fea5938) + 492 at pthread_frame.c:153
    frame #7: 0x907bb5fb libsystem_pthread.dylib`_pthread_body + 144
    frame #8: 0x907bb485 libsystem_pthread.dylib`_pthread_start + 130

(lldb) disassemble --start-address 0x26666062 --end-address 0x266660A2
ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 18:
   0x26666062:  jg     0x26666068                ; ff_pred8x8_vertical_8_mmx + 24
   0x26666064:  decl   %eax
   0x26666065:  leal   (%eax,%ecx,2), %eax
   0x26666068:  movq   %mm0, (%eax,%ecx)
   0x2666606c:  movq   %mm0, (%eax,%ecx,2)
   0x26666070:  leal   (%eax,%ecx,2), %eax
   0x26666073:  movq   %mm0, (%eax,%ecx)
   0x26666077:  movq   %mm0, (%eax,%ecx,2)
   0x2666607b:  leal   (%eax,%ecx,2), %eax
   0x2666607e:  movq   %mm0, (%eax,%ecx)
-> 0x26666082:  movq   %mm0, (%eax,%ecx,2)
   0x26666086:  ret
   0x26666087:  jmp    0x26666090                ; ff_pred8x8_horizontal_8_mmx
   0x26666089:  nop
   0x2666608a:  nop
   0x2666608b:  nop
   0x2666608c:  nop
   0x2666608d:  nop
   0x2666608e:  nop
   0x2666608f:  nop

ffmpegsumo.so`ff_pred8x8_horizontal_8_mmx:
   0x26666090:  movl   0x4(%esp), %eax
   0x26666094:  movl   0x8(%esp), %ecx
   0x26666098:  movl   $0x4, %edx
   0x2666609d:  movd   -0x4(%eax), %mm0

(lldb) register read --all
General Purpose Registers:
       eax = 0x33beae20
       ebx = 0x000001a0
       ecx = 0x000001a0
       edx = 0x33bc5000
       edi = 0x33b9fa00
       esi = 0x2cfb5000
       ebp = 0xbabdad38
       esp = 0xbabdac6c
        ss = 0x00000023
    eflags = 0x00010206  Chromium Framework`(anonymous namespace)::SubprocessNeedsResourceBundle(std::string const&) + 278 at chrome_main_delegate.cc:258
       eip = 0x26666082  ffmpegsumo.so`ff_pred8x8_vertical_8_mmx + 50
        cs = 0x0000001b
        ds = 0x00000023
        es = 0x00000023
        fs = 0x00000023
        gs = 0x0000000f
        ax = 0xae20
        bx = 0x01a0
        cx = 0x01a0
        dx = 0x5000
        di = 0xfa00
        si = 0x5000
        bp = 0xad38
        sp = 0xac6c
        ah = 0xae
        bh = 0x01
        ch = 0x01
        dh = 0x50
        al = 0x20
        bl = 0xa0
        cl = 0xa0
        dl = 0x00
       dil = 0x00
       sil = 0x00
       bpl = 0x38
       spl = 0x6c

Floating Point Registers:
     fctrl = 0x037f
     fstat = 0x0000
      ftag = 0xff
       fop = 0x0000
     fioff = 0x00000000
     fiseg = 0x0000
     fooff = 0x00000000
     foseg = 0x0000
     mxcsr = 0x00001f80  Chromium`switches::kDisableThreadedHTMLParser + 18
  mxcsrmask = 0x0000ffff  Chromium Framework`(anonymous namespace)::InitializeUserDataDir() + 895 at chrome_main_delegate.cc:379
     stmm0 = {0x80 0x80 0x80 0x80 0x80 0x80 0x80 0x80 0xff 0xff}
     stmm1 = {0x80 0x80 0x80 0x80 0x80 0x80 0x80 0x80 0xff 0xff}
     stmm2 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff}
     stmm3 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff}
     stmm4 = {0xf8 0xff 0xf8 0xff 0x00 0x00 0x00 0x00 0xff 0xff}
     stmm5 = {0x80 0x80 0x80 0x80 0x80 0x80 0x80 0x80 0xff 0xff}
     stmm6 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff}
     stmm7 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff}
      xmm0 = {0x18 0x47 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm1 = {0x7f 0x7f 0x7f 0x7f 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm2 = {0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm3 = {0x01 0x00 0x01 0x00 0x01 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm4 = {0x80 0x80 0x80 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm5 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm6 = {0x00 0x00 0x01 0x01 0x00 0x01 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00}
      xmm7 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}

Exception State Registers:
    trapno = 0x0000000e
       err = 0x00000006
  faultvaddr = 0x33beb160

[pross]

Unable to reproduce using linux Chrome 35.0.1916.27 / VLC 2.0.8 / ffmpeg HEAD.

[Carl Eugen Hoyos]

Replying to pross:

Unable to reproduce using linux Chrome 35.0.1916.27 / VLC 2.0.8 / ffmpeg HEAD.

It was reported against vlc 2.1.3 (and is reproducible with the official Windows build using FFmpeg).

[Rafał Hirsz]

The movie plays properly on OS X Chrome 37.0.2000.0, so I presume the issue has been fixed by the Chromium guys somewhere between SVN revision 258919 and 271298.

Maybe it would be possible to somehow extract the fix for VLC from there?