Opened 7 years ago

Closed 6 years ago

#6268 closed defect (fixed)

Hang when processing corrupt .webm file with -threads > 1

Reported by: Katie Holly
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: vp9 deadlock regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

corrupt.webm (File attached):

ffmpeg -threads 2 -v quiet -i $filename -f null -

GDB:

Program received signal SIGINT, Interrupt.
pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
185     ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S: No such file or directory.
(gdb) bt
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x0000000000b6681e in ff_thread_decode_frame (avctx=0x22cc170, picture=0x22ca780, got_picture_ptr=0x7fffffffe114, avpkt=0x7fffffffe070) at libavcodec/pthread_frame.c:496
#2  0x0000000000c777a8 in avcodec_decode_video2 (avctx=0x22cc170, picture=0x22ca780, got_picture_ptr=0x7fffffffe114, avpkt=0x22cd7b0) at libavcodec/utils.c:2272
#3  0x0000000000c796b8 in do_decode (avctx=0x22cc170, pkt=0x22cd7b0) at libavcodec/utils.c:2822
#4  0x0000000000c79c2a in avcodec_receive_frame (avctx=0x22cc170, frame=0x22f2070) at libavcodec/utils.c:2949
#5  0x0000000000423348 in decode (avctx=0x22cc170, frame=0x22f2070, got_frame=0x7fffffffe39c, pkt=0x7fffffffe1d0) at ffmpeg.c:2256
#6  0x0000000000423ae1 in decode_video (ist=0x22c8d00, pkt=0x7fffffffe3a0, got_output=0x7fffffffe39c, eof=1, decode_failed=0x7fffffffe398) at ffmpeg.c:2393
#7  0x0000000000424a0d in process_input_packet (ist=0x22c8d00, pkt=0x0, no_eof=0) at ffmpeg.c:2628
#8  0x0000000000429aa6 in process_input (file_index=0) at ffmpeg.c:4171
#9  0x000000000042b4e3 in transcode_step () at ffmpeg.c:4481
#10 0x000000000042b603 in transcode () at ffmpeg.c:4535
#11 0x000000000042bce5 in main (argc=10, argv=0x7fffffffebc8) at ffmpeg.c:4740
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x7ffff76c602f to 0x7ffff76c606f:
   0x00007ffff76c602f <pthread_cond_wait@@GLIBC_2.3.2+159>:     add    %bh,0xca(%rax)
   0x00007ffff76c6035 <pthread_cond_wait@@GLIBC_2.3.2+165>:     syscall
   0x00007ffff76c6037 <pthread_cond_wait@@GLIBC_2.3.2+167>:     cmp    $0x0,%eax
   0x00007ffff76c603a <pthread_cond_wait@@GLIBC_2.3.2+170>:     sete   %r8b
   0x00007ffff76c603e <pthread_cond_wait@@GLIBC_2.3.2+174>:     jmp    0x7ffff76c604f <pthread_cond_wait@@GLIBC_2.3.2+191>
   0x00007ffff76c6040 <pthread_cond_wait@@GLIBC_2.3.2+176>:     mov    $0x80,%esi
   0x00007ffff76c6045 <pthread_cond_wait@@GLIBC_2.3.2+181>:     xor    %r8b,%r8b
   0x00007ffff76c6048 <pthread_cond_wait@@GLIBC_2.3.2+184>:     mov    $0xca,%eax
   0x00007ffff76c604d <pthread_cond_wait@@GLIBC_2.3.2+189>:     syscall
=> 0x00007ffff76c604f <pthread_cond_wait@@GLIBC_2.3.2+191>:     mov    (%rsp),%edi
   0x00007ffff76c6052 <pthread_cond_wait@@GLIBC_2.3.2+194>:     callq  0x7ffff76c8710 <__pthread_disable_asynccancel>
   0x00007ffff76c6057 <pthread_cond_wait@@GLIBC_2.3.2+199>:     mov    0x8(%rsp),%rdi
   0x00007ffff76c605c <pthread_cond_wait@@GLIBC_2.3.2+204>:     mov    $0x1,%esi
   0x00007ffff76c6061 <pthread_cond_wait@@GLIBC_2.3.2+209>:     xor    %eax,%eax
   0x00007ffff76c6063 <pthread_cond_wait@@GLIBC_2.3.2+211>:     lock cmpxchg %esi,(%rdi)
   0x00007ffff76c6067 <pthread_cond_wait@@GLIBC_2.3.2+215>:     jne    0x7ffff76c614d <pthread_cond_wait@@GLIBC_2.3.2+445>
   0x00007ffff76c606d <pthread_cond_wait@@GLIBC_2.3.2+221>:     mov    0x2c(%rdi),%edx
End of assembler dump.
(gdb) up
#1  0x0000000000b6681e in ff_thread_decode_frame (avctx=0x22cc170, picture=0x22ca780, got_picture_ptr=0x7fffffffe114, avpkt=0x7fffffffe070) at libavcodec/pthread_frame.c:496
496                     pthread_cond_wait(&p->output_cond, &p->progress_mutex);
(gdb) l
 491             p = &fctx->threads[finished++];
 492
 493             if (atomic_load(&p->state) != STATE_INPUT_READY) {
 494                 pthread_mutex_lock(&p->progress_mutex);
 495                 while (atomic_load_explicit(&p->state, memory_order_relaxed) != STATE_INPUT_READY)
*496                     pthread_cond_wait(&p->output_cond, &p->progress_mutex);
 497                 pthread_mutex_unlock(&p->progress_mutex);
 498             }
 499
 500             av_frame_move_ref(picture, p->frame);
(gdb)

Valgrind:

==4185== HEAP SUMMARY:
==4185==     in use at exit: 400,453 bytes in 428 blocks
==4185==   total heap usage: 1,649 allocs, 1,221 frees, 889,427 bytes allocated
==4185==
==4185== 544 bytes in 2 blocks are possibly lost in loss record 143 of 176
==4185==    at 0x4C2AD10: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4185==    by 0x4010F91: allocate_dtv (dl-tls.c:296)
==4185==    by 0x401169D: _dl_allocate_tls (dl-tls.c:460)
==4185==    by 0x5342BE7: allocate_stack (allocatestack.c:589)
==4185==    by 0x5342BE7: pthread_create@@GLIBC_2.2.5 (pthread_create.c:495)
==4185==    by 0xB67661: ff_frame_thread_init (pthread_frame.c:810)
==4185==    by 0x115BCD4: ff_thread_init (pthread.c:77)
==4185==    by 0xC74B6C: avcodec_open2 (utils.c:1419)
==4185==    by 0x4257F9: init_input_stream (ffmpeg.c:2890)
==4185==    by 0x427F81: transcode_init (ffmpeg.c:3592)
==4185==    by 0x42B55F: transcode (ffmpeg.c:4506)
==4185==    by 0x42BCE4: main (ffmpeg.c:4740)
==4185==
==4185== 6,800 bytes in 25 blocks are possibly lost in loss record 170 of 176
==4185==    at 0x4C2AD10: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4185==    by 0x4010F91: allocate_dtv (dl-tls.c:296)
==4185==    by 0x401169D: _dl_allocate_tls (dl-tls.c:460)
==4185==    by 0x5342BE7: allocate_stack (allocatestack.c:589)
==4185==    by 0x5342BE7: pthread_create@@GLIBC_2.2.5 (pthread_create.c:495)
==4185==    by 0x469F35: thread_init_internal (pthread.c:179)
==4185==    by 0x46A004: ff_graph_thread_init (pthread.c:210)
==4185==    by 0x4515A5: avfilter_graph_alloc_filter (avfiltergraph.c:194)
==4185==    by 0x46831C: create_filter (graphparser.c:114)
==4185==    by 0x468533: parse_filter (graphparser.c:176)
==4185==    by 0x468D7E: avfilter_graph_parse2 (graphparser.c:411)
==4185==    by 0x41AC85: configure_filtergraph (ffmpeg_filter.c:1031)
==4185==    by 0x423184: ifilter_send_frame (ffmpeg.c:2194)
==4185==
==4185== LEAK SUMMARY:
==4185==    definitely lost: 0 bytes in 0 blocks
==4185==    indirectly lost: 0 bytes in 0 blocks
==4185==      possibly lost: 7,344 bytes in 27 blocks
==4185==    still reachable: 393,109 bytes in 401 blocks
==4185==         suppressed: 0 bytes in 0 blocks
==4185== Reachable blocks (those to which a pointer was found) are not shown.
==4185== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==4185==
==4185== For counts of detected and suppressed errors, rerun with: -v
==4185== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Killed
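
The gdb listing above stops in an untimed `pthread_cond_wait` loop on `p->state`. The model below is an added example, not FFmpeg code and not a statement of this ticket's root cause (the page does not give one): it reuses the field names from the listing, adds a hypothetical `drop_wakeup` switch for a worker that exits without restoring the state or signalling, and bounds the wait with a deadline so the stall is reported instead of hanging.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <time.h>

enum { STATE_INPUT_READY, STATE_SETTING_UP };  /* names from the listing; values assumed */

typedef struct {
    pthread_mutex_t progress_mutex;
    pthread_cond_t  output_cond;
    atomic_int      state;
    int             drop_wakeup;   /* hypothetical: model an exit path that never signals */
} PerThread;

static void *worker(void *arg)
{
    PerThread *p = arg;
    if (p->drop_wakeup)            /* leaves without restoring state or signalling */
        return NULL;
    pthread_mutex_lock(&p->progress_mutex);
    atomic_store(&p->state, STATE_INPUT_READY);
    pthread_cond_signal(&p->output_cond);
    pthread_mutex_unlock(&p->progress_mutex);
    return NULL;
}

/* Same loop shape as pthread_frame.c:493-497, with a deadline added: returns 0
 * once the worker reports ready, or ETIMEDOUT where the untimed wait would hang. */
int wait_for_worker(int drop_wakeup, int timeout_s)
{
    PerThread p = { .state = STATE_SETTING_UP, .drop_wakeup = drop_wakeup };
    struct timespec dl;
    pthread_t tid; int rc = 0;

    pthread_mutex_init(&p.progress_mutex, NULL);
    pthread_cond_init(&p.output_cond, NULL);
    clock_gettime(CLOCK_REALTIME, &dl);
    dl.tv_sec += timeout_s;        /* absolute deadline for pthread_cond_timedwait */
    if (pthread_create(&tid, NULL, worker, &p))
        return -1;
    pthread_mutex_lock(&p.progress_mutex);
    while (rc == 0 && atomic_load(&p.state) != STATE_INPUT_READY)
        rc = pthread_cond_timedwait(&p.output_cond, &p.progress_mutex, &dl);
    pthread_mutex_unlock(&p.progress_mutex);
    pthread_join(tid, NULL);
    return rc;
}

int main(void) { return wait_for_worker(0, 2) != 0 || wait_for_worker(1, 1) != ETIMEDOUT; }
```

Build with `-pthread`; the program exits 0 when the signalled case completes and the dropped-wakeup case is caught by the deadline.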

Attachments (1)

corrupt.webm (581 bytes) - added by Katie Holly 7 years ago.

Change History (3)

by Katie Holly, 7 years ago

Attachment: corrupt.webm added

comment:1 by Carl Eugen Hoyos, 7 years ago

Component: ffmpeg → avcodec
Keywords: vp9 deadlock regression added
Priority: normal → important
Reproduced by developer: set
Status: new → open

For future tickets: Please always provide the command line you tested and the complete, uncut console output to make tickets valid.

Regression since 55d7371f

comment:2 by Carl Eugen Hoyos, 6 years ago

Resolution: fixed
Status: open → closed