Opened 4 years ago

Closed 4 years ago

#4873 closed defect (needs_more_info)

crashes in h264 decoder(decode_postinit)

Reported by: zylthinking
Owned by:
Priority: important
Component: avcodec
Version: unspecified
Keywords: h264 crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description (last modified by Timothy_Gu)

Summary of the bug:

I/DEBUG   ( 7075): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 7075): Build fingerprint: 'Sony/L36h_1270-9104/L36h:4.2.2/10.3.1.A.2.67/vPd3rg:user/release-keys'
I/DEBUG   ( 7075): Revision: '0'
I/DEBUG   ( 7075): pid: 26530, tid: 26565, name: libmm.demo2  >>> libmm.demo2 <<<
I/DEBUG   ( 7075): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058
I/DEBUG   ( 7075):     r0 77cb1020  r1 00000001  r2 00000002  r3 00000000
I/DEBUG   ( 7075):     r4 77cb1020  r5 00000000  r6 00000001  r7 77cb1e80
I/DEBUG   ( 7075):     r8 00000942  r9 77ab0c2c  sl 6ef44620  fp 6e979dd0
I/DEBUG   ( 7075):     ip 00000000  sp 77ab0ac0  lr 75c98a68  pc 75c95408  cpsr 60000010
I/DEBUG   ( 7075): 
I/DEBUG   ( 7075): backtrace:
I/DEBUG   ( 7075):     #00  pc 00163408  /data/app-lib/libmm.demo2-2/libmedia2.so (decode_postinit+48)
I/DEBUG   ( 7075):     #01  pc 00166a64  /data/app-lib/libmm.demo2-2/libmedia2.so (h264_decode_frame+948)


001633d8 <decode_postinit>:
  1633d8:	e30b3968 	movw	r3, #47464	; 0xb968
  1633dc:	e3403008 	movt	r3, #8
  1633e0:	e30b2d30 	movw	r2, #48432	; 0xbd30
  1633e4:	e3402008 	movt	r2, #8


  1633e8:	e7903003 	ldr	r3, [r0, r3]
  1633ec:	e92d4ff0 	push	{r4, r5, r6, r7, r8, r9, sl, fp, lr}
  1633f0:	e3530000 	cmp	r3, #0
  1633f4:	e59055e0 	ldr	r5, [r0, #1504]	; 0x5e0
  1633f8:	e24dd014 	sub	sp, sp, #20
  1633fc:	e7902002 	ldr	r2, [r0, r2]
  163400:	e1a04000 	mov	r4, r0
  163404:	e1a06001 	mov	r6, r1
  163408:	e5852058 	str	r2, [r5, #88]	; 0x58 -------------------------- here



    if (h->next_output_pic)
        return;
  16340c:	0a000001 	beq	163418 <decode_postinit+0x40>
  163410:	e28dd014 	add	sp, sp, #20
  163414:	e8bd8ff0 	pop	{r4, r5, r6, r7, r8, r9, sl, fp, pc}

How to reproduce:

play video stream from rtmp://62.113.210.250:1935/medienasa-live/ok-magdeburg_high
after some time, it crashes
all the input stream seems to be right (having a correct nalu header at least)

Attachments (1)

nalu (1.4 MB) - added by zylthinking 4 years ago.


Change History (17)

comment:1 Changed 4 years ago by zylthinking

the version is n2.6.1

comment:2 Changed 4 years ago by cehoyos

  • Keywords crash added
  • Priority changed from critical to important

Is the crash reproducible with current FFmpeg git head?
How can I reproduce the issue?

comment:3 Changed 4 years ago by zylthinking

I can't reproduce it because the rtmp source is hard to connect to currently.
I met this crash when testing my android demo, which uses ffmpeg 2.6.1; if necessary, I can attach the app.

comment:4 Changed 4 years ago by cehoyos

Currently, there is no information in this ticket that would allow the FFmpeg developers to fix an issue. I tested the stream for 5.5 hours and while I did see reception issues, I cannot reproduce a crash.
There are different ways to go on, I would suggest you port your application to a desktop environment to allow easier testing. Alternatives are to use gdb for debugging and / or recompilation with --disable-asm to rule out an assembler optimization issue.
Finally, please understand that if there is an issue that we can reproduce it will be fixed in current FFmpeg git head, so at some point you will have to update. If you could already now either confirm that the issue is still reproducible or rule that out, it will speed up the process.


comment:5 Changed 4 years ago by Timothy_Gu

  • Description modified (diff)

Changed 4 years ago by zylthinking

comment:6 Changed 4 years ago by zylthinking

I tried to reproduce this at master head and did not reproduce it, but maybe just because of luck;
then I retried it at n2.6.1 and caught it.
The attachment is the nalu I feed into avcodec_decode_video2 which causes this crash.

comment:7 Changed 4 years ago by zylthinking

I have retested the crashing nalu stream with the master head ffmpeg and found no crash, while it crashes every time with n2.6.1.
So it should have been fixed at master.



comment:8 follow-up: Changed 4 years ago by cehoyos

I am unable to reproduce the issue on Android with 2.6.1.
If you need a fix for your issue, please test versions 2.6.4, 2.7.2 and 2.8.

$ ./ffmpeg -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.9 (GCC) 20140827 (prerelease)
  configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8
  libavutil      54. 20.100 / 54. 20.100
  libavcodec     56. 26.100 / 56. 26.100
  libavformat    56. 25.101 / 56. 25.101
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5. 11.102 /  5. 11.102
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  3.100 / 53.  3.100
Input #0, h264, from 'nalu':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264 (Main), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], 25 fps, 25 tbr, 1200k tbn, 50 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.25.101
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc56.26.100 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[null @ 0x12369a0] Encoder did not produce proper pts, making some up.
frame=  206 fps= 84 q=0.0 Lsize=N/A time=00:00:08.24 bitrate=N/A
video:13kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown

comment:9 in reply to: ↑ 8 ; follow-up: Changed 4 years ago by zylthinking

Replying to cehoyos:

I am unable to reproduce the issue on Android with 2.6.1.
If you need a fix for your issue, please test versions 2.6.4, 2.7.2 and 2.8.

$ ./ffmpeg -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.9 (GCC) 20140827 (prerelease)
  configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8

Do you turn on the CODEC_FLAG_LOW_DELAY, CODEC_FLAG_TRUNCATED and CODEC_FLAG2_CHUNKS in the flags & flags2?
OK, 2.8 has been tested and shows no crashing any more.


comment:10 in reply to: ↑ 9 ; follow-up: Changed 4 years ago by cehoyos

Replying to zylthinking:

Replying to cehoyos:

I am unable to reproduce the issue on Android with 2.6.1.
If you need a fix for your issue, please test versions 2.6.4, 2.7.2 and 2.8.

$ ./ffmpeg -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.9 (GCC) 20140827 (prerelease)
  configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8

Do you turn on the CODEC_FLAG_LOW_DELAY, CODEC_FLAG_TRUNCATED and CODEC_FLAG2_CHUNKS in the flags & flags2?

No, how would I have known that I should use them?
No crash here with these flags used:

$ ./ffmpeg -flags +low_delay+truncated -flags2 +chunks -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.9 (GCC) 20140827 (prerelease)
  configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8
  libavutil      54. 20.100 / 54. 20.100
  libavcodec     56. 26.100 / 56. 26.100
  libavformat    56. 25.101 / 56. 25.101
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5. 11.102 /  5. 11.102
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  3.100 / 53.  3.100
Input #0, h264, from 'nalu':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264 (Main), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], 25 fps, 25 tbr, 1200k tbn, 50 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.25.101
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc56.26.100 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[null @ 0x1236b90] Encoder did not produce proper pts, making some up.
[h264 @ 0x136c300] Cannot parallelize slice decoding with deblocking filter type 1, decoding such frames in sequential order
To parallelize slice decoding you need video encoded with disable_deblocking_filter_idc set to 2 (deblock only edges that do not cross slices).
Setting the flags2 libavcodec option to +fast (-flags2 +fast) will disable deblocking across slices and enable parallel slice decoding but will generate non-standard-compliant output.
frame=  206 fps= 57 q=0.0 Lsize=N/A time=00:00:08.24 bitrate=N/A
video:13kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown

OK, 2.8 has been tested and shows no crashing any more.

If you want this fixed, you will either have to explain how I can reproduce or run a bisect to find the change fixing the issue for you.

comment:11 in reply to: ↑ 10 Changed 4 years ago by zylthinking

Replying to cehoyos:
I don't know why it only crashes on my side; my code is shown here:

static void* ffmpeg_open(fourcc** in, fourcc** out)
{
    ffmpeg_wrapper_t* wrapper = (ffmpeg_wrapper_t *) my_malloc(sizeof(ffmpeg_wrapper_t));
    if (wrapper == NULL) {
        return NULL;
    }
    wrapper->in = to_video_format(in);
    wrapper->out = to_video_format(out);
    wrapper->id = media_id_unkown;
    wrapper->angle = 0;
    wrapper->last_pts = wrapper->last_seq = 0;
    wrapper->bytes = 0;
    wrapper->nr = wrapper->seq = 0;

    INIT_LIST_HEAD(&wrapper->pts_free);
    INIT_LIST_HEAD(&wrapper->pts_used);
    for (intptr_t i = 0; i < elements(wrapper->times); ++i) {
        list_add(&wrapper->times[i].entry, &wrapper->pts_free);
    }

    avcodec_register_all();
    AVCodec* codec = avcodec_find_decoder(AV_CODEC_ID_H264);
    if (codec == NULL) {
        my_free(wrapper);
        return NULL;
    }
    my_assert(codec->capabilities & CODEC_CAP_DR1);

    AVCodecContext* context = avcodec_alloc_context3(codec);
    if (context == NULL) {
        my_free(wrapper);
        return NULL;
    }
    wrapper->context = context;

    AVFrame* frame_buffer = av_frame_alloc();
    if(frame_buffer == NULL){
        avcodec_free_context(&context);
        my_free(wrapper);
        return NULL;
    }
    wrapper->frame = frame_buffer;

    context->refcounted_frames = 1;
    context->opaque = (void *) wrapper;
    //context->flags |= CODEC_FLAG_LOW_DELAY | CODEC_FLAG_TRUNCATED;
    //context->flags2 |= CODEC_FLAG2_CHUNKS;

    if (0 != avcodec_open2(context, codec, NULL)) {
        av_frame_free(&frame_buffer);
        avcodec_free_context(&context);
        my_free(wrapper);
        return NULL;
    }
    return wrapper;
}

static struct my_buffer* replace(struct my_buffer* mbuf)
{
    static FILE* file = NULL;
    static char buffer[1024 * 1024 * 64];
    static int bytes = 0;
    static int nr = 0;

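    if (file == NULL) {
        file = fopen("/sdcard/nalu", "rb");
        if (file == NULL) {
            // sample file missing: release the input and feed nothing
            mbuf->mop->free(mbuf);
            return NULL;
        }
        bytes = (int) fread(buffer, 1, sizeof(buffer), file);
        fclose(file);
    }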

    media_buffer* media = (media_buffer *) mbuf->ptr[0];
    uint64_t seq = media->seq;
    uint64_t pts = media->pts;
    uint64_t id = media->id;

    mbuf->mop->free(mbuf);
    char code[] = {0, 0, 0, 1};
    int nb = bytes;
    if (bytes < 4) {
        return NULL;
    }

    char* end = (char *) memmem(&buffer[nr + 4], bytes - 4, code, 4);
    if (end != NULL) {
        nb = (int) (end - &buffer[nr]);
    }

    mbuf = mbuf_alloc_2(nb + sizeof(media_buffer));
    media = (media_buffer *) mbuf->ptr[0];
    mbuf->ptr[1] = mbuf->ptr[0] + sizeof(media_buffer);
    mbuf->length -= sizeof(media_buffer);
    memcpy(mbuf->ptr[1], &buffer[nr], nb);
    nr += nb;
    bytes -= nb;

    memset(media->vp, 0, sizeof(media->vp));
    media->vp[0].ptr = mbuf->ptr[1];
    media->vp[0].type_stride = video_type_unkown;
    media->fragment[0] = media->fragment[1] = 1;
    media->angle = 0;
    media->pptr_cc = fourcc_get(codec_h264, 720, 576);
    media->seq = seq;
    media->pts = pts;
    media->id = id;
    return mbuf;
}

static int32_t ffmpeg_write(void* handle, struct my_buffer* mbuf, struct list_head* head)
{
    media_buffer* media = NULL;
    ffmpeg_wrapper_t* wrapper = (ffmpeg_wrapper_t *) handle;
    if (wrapper->id == media_id_unkown) {
        if (mbuf == NULL) {
            return 0;
        }
        media = (media_buffer *) mbuf->ptr[0];
        wrapper->id = media->id;
    }

    // ffmpeg will never modify avpkt.
    AVPacket avpkt;
    // initialise every field before use: on the flush path (mbuf == NULL)
    // the decoder would otherwise see uninitialised buf/side_data pointers
    av_init_packet(&avpkt);
    avpkt.data = NULL;
    avpkt.size = 0;
    if (mbuf != NULL) {
        mbuf = replace(mbuf);
        if (mbuf == NULL) {
            return 0;
        }

        media = (media_buffer *) mbuf->ptr[0];
        avpkt.data = (uint8_t *) media->vp[0].ptr;
        avpkt.size = (int) mbuf->length;
    }

    int32_t nr = 0;
    static int l = 0;
    while ((mbuf == NULL) || (avpkt.size > 0)) {
        int got = 0;
        mark("l == %d", l++);
        int consumed = avcodec_decode_video2(wrapper->context, wrapper->frame, &got, &avpkt);
        if (consumed < 0) {
            consumed = -consumed;
            char* pch = (char *) &consumed;
            mark("avcodec_decode_video2 failed %d(%c%c%c%c)\n",
                 consumed, pch[0], pch[1], pch[2], pch[3]);
            my_assert(got == 0);
            break;
        }

        if (got != 0 && 0) {
            AVBufferRef* bufref = wrapper->frame->buf[0];
            struct my_buffer* mbuf2 = (struct my_buffer *) av_buffer_get_opaque(bufref);
            // this works when ffmpeg won't try to reuse the buffer
            // instead of releasing the ref (if it does this, mbuf2 may be written unexpectedly).
            mbuf2 = mbuf2->mop->clone(mbuf2);
            av_frame_unref(wrapper->frame);

            if (mbuf2 != NULL) {
                media = (media_buffer *) mbuf2->ptr[0];
                if (list_empty(&wrapper->pts_used)) {
                    media->pts = wrapper->last_pts;
                    media->seq = wrapper->last_seq;
                } else {
                    frame_pts_pop(wrapper, media);
                }
                list_add_tail(&mbuf2->head, head);
                ++nr;
            }
        } else if (consumed == 0) {
            my_assert(mbuf == NULL);
            break;
        }

        if (mbuf != NULL) {
            avpkt.size -= consumed;
            avpkt.data += consumed;
        } else {
            my_assert(consumed == 0);
        }
    }

    if (mbuf != NULL) {
        mbuf->mop->free(mbuf);
    }
    return nr;
}

When the CODEC_FLAG_LOW_DELAY things are enabled:

E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 201
E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 202
E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 203
E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 204
I/DEBUG (14529): * * * * * * * * * * * * * * * *
I/DEBUG (14529): Build fingerprint: 'Sony/L36h_1270-9104/L36h:4.2.2/10.3.1.A.2.67/vPd3rg:user/release-keys'
I/DEBUG (14529): Revision: '0'
I/DEBUG (14529): pid: 11874, tid: 11923, name: libmm.demo2 >>> libmm.demo2 <<<
I/DEBUG (14529): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058
I/DEBUG (14529): r0 70c3c020 r1 00000001 r2 00000002 r3 00000000
I/DEBUG (14529): r4 70c3c020 r5 00000000 r6 00000001 r7 70c3ce80
I/DEBUG (14529): r8 0000089f r9 7bbaec30 sl 6e0dcbe0 fp 6ef03620
I/DEBUG (14529): ip 00000000 sp 7bbaeab8 lr 75d990f4 pc 75d95a94 cpsr 60000010
I/DEBUG (14529): d0 ffffffffffffffff d1 ffffffffffffffff
I/DEBUG (14529): d2 ffffffffffffffff d3 ffffffffffffffff
I/DEBUG (14529): d4 ffffffffffffffff d5 ffffffffffffffff
I/DEBUG (14529): d6 ffffffffffffffff d7 ffffffffffffffff
I/DEBUG (14529): d8 0000000000000000 d9 0000000000000000
I/DEBUG (14529): d10 0000000000000000 d11 0000000000000000
I/DEBUG (14529): d12 0000000000000000 d13 0000000000000000
I/DEBUG (14529): d14 0000000000000000 d15 0000000000000000
I/DEBUG (14529): d16 ffffffffffffffff d17 ffffffffffffffff
I/DEBUG (14529): d18 ffffffffffffffff d19 ffffffffffffffff
I/DEBUG (14529): d20 ffffffffffffffff d21 ffffffffffffffff
I/DEBUG (14529): d22 ffffffffffffffff d23 ffffffffffffffff
I/DEBUG (14529): d24 0101010101010101 d25 ffffffffffffffff
I/DEBUG (14529): d26 ffffffffffffffff d27 1010101010101010
I/DEBUG (14529): d28 0080008000800080 d29 0080008000800080
I/DEBUG (14529): d30 0000000000000000 d31 0000000000000000
I/DEBUG (14529): scr 6800009e
I/DEBUG (14529):
I/DEBUG (14529): backtrace:
I/DEBUG (14529): #00 pc 00163a94 /data/app-lib/libmm.demo2-1/libmedia2.so (decode_postinit+48)
I/DEBUG (14529): #01 pc 001670f0 /data/app-lib/libmm.demo2-1/libmedia2.so (h264_decode_frame+948)
I/DEBUG (14529):
I/DEBUG (14529): stack:
I/DEBUG (14529): 7bbaea78 0000089f
I/DEBUG (14529): 7bbaea7c 00000007
I/DEBUG (14529): 7bbaea80 00000000

When the CODEC_FLAG_LOW_DELAY things are disabled:

E/zylthinking(12190): 410@ffmpeg_write tid 12229 l == 202
E/zylthinking(12190): 410@ffmpeg_write tid 12229 l == 203
E/zylthinking(12190): 410@ffmpeg_write tid 12229 l == 204

It reports an error, though there is no crash:
E/zylthinking(12190): 416@ffmpeg_write tid 12229 avcodec_decode_video2 failed 1094995529(INDA)

The code is n2.6.1; the ffmpeg make script:

find * | grep "\.o$" | xargs rm
./configure --prefix=./zyl/android --arch=armv7 --cpu=cortex-a8 --target-os=linux --enable-optimizations --enable-asm --disable-armv5te --enable-lto --enable-cross-compile --enable-pic --disable-debug --disable-logging --disable-programs --disable-doc --disable-runtime-cpudetect --enable-version3 --disable-symver --disable-iconv --disable-bzlib --disable-zlib --disable-avdevice --disable-everything --enable-bsf=h264_mp4toannexb --enable-swscale --enable-network --enable-protocol=file --enable-protocol=http --enable-protocol=rtmp --enable-protocol=hls --enable-demuxer=hls --enable-demuxer=mpegts --enable-demuxer=mov --enable-demuxer=flv --enable-muxer=mp4 --enable-decoder=h264 --enable-decoder=aac --enable-parser=h264 --sysroot="/opt/android/ndk/platforms/android-15/arch-arm/" --sysinclude="/opt/android/ndk/platforms/android-15/arch-arm/usr/include/" --cross-prefix="/opt/android/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-" --extra-cflags="-w -mvectorize-with-neon-quad -mfpu=neon -mfloat-abi=softfp" --extra-ldflags="-mfpu=neon -L/opt/android/ndk/platforms/android-15/arch-arm/usr/lib -nostdlib /opt/android/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/lib/gcc/arm-linux-androideabi/4.8/crtbegin.o /opt/android/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/lib/gcc/arm-linux-androideabi/4.8/crtend.o -lc -lm"
make
make install


comment:12 follow-up: Changed 4 years ago by cehoyos

How can I compile the code you provided? There are no includes and no main() function...

Could you also try with the configure line I provided? Or produce a backtrace with gdb that at least tells us where exactly the crash happens? You will have to remove --disable-debug.

comment:13 Changed 4 years ago by zylthinking

static void decode_postinit(H264Context *h, int setup_finished)
{
    Picture *out = h->cur_pic_ptr;
    Picture *cur = h->cur_pic_ptr;
    int i, pics, out_of_order, out_idx;

    h->cur_pic_ptr->f.pict_type = h->pict_type;

    /* crash here: according to the crash log and the disassembly, it should be h->cur_pic_ptr == NULL; there is some analysis below */

    if (h->next_output_pic)
        return;
........................................
}

disassembly code for the function is:

  1633f4:	e59055e0 	ldr	r5, [r0, #1504]	; 0x5e0      ----------------- r5 is loaded from r0 plus an offset; r0 should be H264Context *h, so r5 is a field of h
  1633f8:	e24dd014 	sub	sp, sp, #20
  1633fc:	e7902002 	ldr	r2, [r0, r2]
  163400:	e1a04000 	mov	r4, r0
  163404:	e1a06001 	mov	r6, r1
  163408:	e5852058 	str	r2, [r5, #88]	; 0x58 -------------------------- here, then store r2 to address r5 + 0x58

Look at the crash log:
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058 (here there is a 0x58),

and the code after that is

  16340c:	0a000001 	beq	163418 <decode_postinit+0x40>
  163410:	e28dd014 	add	sp, sp, #20
  163414:	e8bd8ff0 	pop	{r4, r5, r6, r7, r8, r9, sl, fp, pc}

This checks whether something == 0; if it is not equal to 0, it returns,

which is absolutely

    if (h->next_output_pic)
        return;

OK, we can say something is written into memory before a potential return; checking the C code, only
h->cur_pic_ptr->f.pict_type = h->pict_type; satisfies this.

OK, now we know this line crashes. Because r5 is some field of h, and str r2, [r5, #88] seems to be writing something to a field of r5, we can know r5 should be h->cur_pic_ptr.

OK, the crashing address is 0x58, and str r2, [r5, #88] is writing to r5 + 0x58; we know r5 is 0,
i.e. h->cur_pic_ptr == NULL
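
The check done by hand in comment:13 (the fault address equals the store's immediate offset, so the base register must be NULL), written as a small triage script. This is an added example, not code from the ticket or from FFmpeg; the tombstone lines and the instruction are copied from the ticket, and the function names `parse_tombstone`, `parse_mem_operand` and `triage` are hypothetical.

```python
import re

REG = r"(?:r\d{1,2}|sl|fp|ip|sp|lr|pc)"

# Lines copied from the tombstone and the disassembly quoted in the ticket.
TOMBSTONE = """\
I/DEBUG   ( 7075): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058
I/DEBUG   ( 7075):     r0 77cb1020  r1 00000001  r2 00000002  r3 00000000
I/DEBUG   ( 7075):     r4 77cb1020  r5 00000000  r6 00000001  r7 77cb1e80
I/DEBUG   ( 7075):     r8 00000942  r9 77ab0c2c  sl 6ef44620  fp 6e979dd0
I/DEBUG   ( 7075):     ip 00000000  sp 77ab0ac0  lr 75c98a68  pc 75c95408  cpsr 60000010
I/DEBUG   ( 7075):     #00  pc 00163408  /data/app-lib/libmm.demo2-2/libmedia2.so (decode_postinit+48)
I/DEBUG   ( 7075):     #01  pc 00166a64  /data/app-lib/libmm.demo2-2/libmedia2.so (h264_decode_frame+948)
"""
FAULTING_INSN = "163408:\te5852058 \tstr\tr2, [r5, #88]\t; 0x58"


def parse_tombstone(text):
    """Pull fault address, core registers and frame #00 out of debuggerd output."""
    info = {"regs": {}}
    for line in text.splitlines():
        sig = re.search(r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\), fault addr ([0-9a-f]+)", line)
        frame = re.search(r"#00\s+pc ([0-9a-f]+)(?:\s+\S+ \((\w+)\+\d+\))?", line)
        if sig:
            info.update(signal=sig.group(1), code=sig.group(2), fault_addr=int(sig.group(3), 16))
        elif frame:
            info.update(rel_pc=int(frame.group(1), 16), symbol=frame.group(2))
        elif "#" not in line:  # deeper frames also carry "pc <hex>", skip them
            for name, val in re.findall(rf"\b({REG})\s+([0-9a-f]{{8}})\b", line):
                info["regs"][name] = int(val, 16)
    return info


def parse_mem_operand(insn):
    """Return (mnemonic, base_reg, offset) for a simple ARM load/store (objdump syntax)."""
    m = re.search(rf"\b(ldr\w*|str\w*)\s+{REG},\s*\[({REG})(?:,\s*(#-?\d+|{REG}))?\]", insn)
    if not m:
        raise ValueError("not a simple load/store: " + insn)
    off = m.group(3) or "#0"
    # offset is an int for "#imm" and a register name for "[rN, rM]"
    return m.group(1), m.group(2), (int(off[1:]) if off.startswith("#") else off)


def triage(tombstone, insn, page_size=0x1000):
    """Check whether the faulting instruction explains the reported fault address."""
    t = parse_tombstone(tombstone)
    mnemonic, base, off = parse_mem_operand(insn)
    regs = t["regs"]
    off_val = regs[off] if isinstance(off, str) else off
    ea = (regs[base] + off_val) & 0xFFFFFFFF  # 32-bit ARM address arithmetic
    load_base = regs["pc"] - t["rel_pc"]      # address the library was mapped at
    r = {
        "access": "write" if mnemonic.startswith("str") else "read",
        "base_reg": base, "base_value": regs[base], "offset": off_val,
        "effective_addr": ea,
        "insn_explains_fault": ea == t["fault_addr"],
        "load_base": load_base,
        # a page-aligned load base means pc and frame #00 agree with each other
        "frame_consistent": load_base % page_size == 0,
    }
    if r["insn_explains_fault"] and regs[base] == 0 and t["code"] == "SEGV_MAPERR":
        r["verdict"] = "NULL pointer in %s, access to field at +0x%x" % (base, off_val)
    elif t["fault_addr"] < page_size:
        r["verdict"] = "fault in the NULL page, base register not confirmed"
    else:
        r["verdict"] = "not a NULL-page fault"
    return r


if __name__ == "__main__":
    for key, value in triage(TOMBSTONE, FAULTING_INSN).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```
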

comment:14 Changed 4 years ago by cehoyos

You can use git bisect to find the change fixing the problem for you, I will then backport it to the 2.6 release branch.

comment:15 in reply to: ↑ 12 Changed 4 years ago by zylthinking

Replying to cehoyos:
OK, I will try to find it, but it may take a long time to find it.

comment:16 Changed 4 years ago by cehoyos

  • Resolution set to needs_more_info
  • Status changed from new to closed

This can only be fixed if you either explain how the crash can be reproduced or tell us which change fixed the crash.
