Opened 5 years ago

Closed 5 years ago

#713 closed defect (needs_more_info)

sws_scale crashes after deinterlacing with avpicture_deinterlace (only on recent versions of FFmpeg)

Reported by: Andrea3000
Owned by:
Priority: important
Component: undetermined
Version: git-master
Keywords: sws_scale avpicture_deinterlace
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

I use the FFmpeg API in my Mac OS X application to decode video frames.
In case of an interlaced frame I'm used to:
1) convert the frame to YUV420P with sws_scale
2) deinterlace the frame with avpicture_deinterlace
3) convert the frame back to my required pixel format (UYVY422) with sws_scale
(I obviously use two different swscale contexts)

This has always worked fine with the git development branch of FFmpeg
till the end of October.

On the 11th of November I updated FFmpeg to the latest version
available on the git repository and since then (till today's version of FFmpeg)
my app crashes while performing deinterlacing and picture format conversion.

If I convert the frame to YUV420P and then back to UYVY422 (without deinterlacing),
it works fine but the frame is obviously interlaced.

If I convert the frame to YUV420P and then deinterlace it (without converting back to
UYVY422), the app doesn't crash but the output is obviously only a green tint.

It's only the combination of all three steps (conversion, deinterlacing and back
conversion) which makes my app crash. Debugging the crash I discovered that
it is caused by the yv12touyvy_MMX2 function but, unfortunately, that function has
not been changed from the end of October till now.

It happens with every movie file.

Since I'm using FFmpeg as an API, I'm not able to provide further information, or at least I don't know how to do it.

Change History (9)

comment:1 follow-up: Changed 5 years ago by cehoyos

Please find the commit that introduced the problem and please provide backtrace etc. as explained on http://ffmpeg.org/bugreports.html

comment:2 in reply to: ↑ 1 Changed 5 years ago by Andrea3000

Replying to cehoyos:

Please find the commit that introduced the problem and please provide backtrace etc. as explained on http://ffmpeg.org/bugreports.html

Sorry for the delay, but it took me hours to figure out which was the incriminating commit, but finally I have found it!
This is the commit which introduced the issue: 13b7781ec8d475513c1ee40a6e481763b728a71e

Here are the backtrace, disassembly and output:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000012b395000
[Switching to process 64984]
0x0000000100591c26 in yv12touyvy_MMX2 () at vector.tcc:300
300		  this->_M_impl._M_end_of_storage = __new_start + __len;
(gdb) bt
#0  0x0000000100591c26 in yv12touyvy_MMX2 () at vector.tcc:300
#1  0x0000000100581489 in planarToUyvyWrapper () at vector.tcc:300
#2  0x000000012b297400 in ?? ()
#3  0x4040404040404040 in ?? ()
Current language:  auto; currently objective-c++
(gdb) disass $pc-32,$pc+32
Dump of assembler code for function yv12touyvy_MMX2:
0x0000000100591bc0 <yv12touyvy_MMX2+0>:	push   %rbp
0x0000000100591bc1 <yv12touyvy_MMX2+1>:	push   %rbx
0x0000000100591bc2 <yv12touyvy_MMX2+2>:	mov    %r9d,%ebp
0x0000000100591bc5 <yv12touyvy_MMX2+5>:	sar    %r8d
0x0000000100591bc8 <yv12touyvy_MMX2+8>:	movslq %r8d,%r8
0x0000000100591bcb <yv12touyvy_MMX2+11>:	test   %r9d,%r9d
0x0000000100591bce <yv12touyvy_MMX2+14>:	jle    0x100591c7b <yv12touyvy_MMX2+187>
0x0000000100591bd4 <yv12touyvy_MMX2+20>:	movslq 0x18(%rsp),%r9
0x0000000100591bd9 <yv12touyvy_MMX2+25>:	movslq 0x28(%rsp),%r11
0x0000000100591bde <yv12touyvy_MMX2+30>:	xor    %r10d,%r10d
0x0000000100591be1 <yv12touyvy_MMX2+33>:	movslq 0x20(%rsp),%rbx
0x0000000100591be6 <yv12touyvy_MMX2+38>:	jmp    0x100591c02 <yv12touyvy_MMX2+66>
0x0000000100591be8 <yv12touyvy_MMX2+40>:	nopl   0x0(%rax,%rax,1)
0x0000000100591bf0 <yv12touyvy_MMX2+48>:	inc    %r10d
0x0000000100591bf3 <yv12touyvy_MMX2+51>:	cmp    %ebp,%r10d
0x0000000100591bf6 <yv12touyvy_MMX2+54>:	je     0x100591c7b <yv12touyvy_MMX2+187>
0x0000000100591bfc <yv12touyvy_MMX2+60>:	add    %r9,%rdi
0x0000000100591bff <yv12touyvy_MMX2+63>:	add    %r11,%rcx
0x0000000100591c02 <yv12touyvy_MMX2+66>:	xor    %rax,%rax
0x0000000100591c05 <yv12touyvy_MMX2+69>:	nopl   0x0(%rax,%rax,1)
0x0000000100591c0a <yv12touyvy_MMX2+74>:	nopw   0x0(%rax,%rax,1)
0x0000000100591c10 <yv12touyvy_MMX2+80>:	prefetchnta 0x20(%rdi,%rax,2)
0x0000000100591c15 <yv12touyvy_MMX2+85>:	prefetchnta 0x20(%rsi,%rax,1)
0x0000000100591c1a <yv12touyvy_MMX2+90>:	prefetchnta 0x20(%rdx,%rax,1)
0x0000000100591c1f <yv12touyvy_MMX2+95>:	movq   (%rsi,%rax,1),%mm0
0x0000000100591c23 <yv12touyvy_MMX2+99>:	movq   %mm0,%mm2
0x0000000100591c26 <yv12touyvy_MMX2+102>:	movq   (%rdx,%rax,1),%mm1
0x0000000100591c2a <yv12touyvy_MMX2+106>:	punpcklbw %mm1,%mm0
0x0000000100591c2d <yv12touyvy_MMX2+109>:	punpckhbw %mm1,%mm2
0x0000000100591c30 <yv12touyvy_MMX2+112>:	movq   (%rdi,%rax,2),%mm3
0x0000000100591c34 <yv12touyvy_MMX2+116>:	movq   0x8(%rdi,%rax,2),%mm5
0x0000000100591c39 <yv12touyvy_MMX2+121>:	movq   %mm0,%mm4
0x0000000100591c3c <yv12touyvy_MMX2+124>:	movq   %mm2,%mm6
0x0000000100591c3f <yv12touyvy_MMX2+127>:	punpcklbw %mm3,%mm0
0x0000000100591c42 <yv12touyvy_MMX2+130>:	punpckhbw %mm3,%mm4
0x0000000100591c45 <yv12touyvy_MMX2+133>:	punpcklbw %mm5,%mm2
0x0000000100591c48 <yv12touyvy_MMX2+136>:	punpckhbw %mm5,%mm6
0x0000000100591c4b <yv12touyvy_MMX2+139>:	movntq %mm0,(%rcx,%rax,4)
0x0000000100591c4f <yv12touyvy_MMX2+143>:	movntq %mm4,0x8(%rcx,%rax,4)
0x0000000100591c54 <yv12touyvy_MMX2+148>:	movntq %mm2,0x10(%rcx,%rax,4)
0x0000000100591c59 <yv12touyvy_MMX2+153>:	movntq %mm6,0x18(%rcx,%rax,4)
0x0000000100591c5e <yv12touyvy_MMX2+158>:	add    $0x8,%rax
0x0000000100591c62 <yv12touyvy_MMX2+162>:	cmp    %r8,%rax
0x0000000100591c65 <yv12touyvy_MMX2+165>:	jb     0x100591c10 <yv12touyvy_MMX2+80>
0x0000000100591c67 <yv12touyvy_MMX2+167>:	test   $0x1,%r10b
0x0000000100591c6b <yv12touyvy_MMX2+171>:	je     0x100591bf0 <yv12touyvy_MMX2+48>
0x0000000100591c6d <yv12touyvy_MMX2+173>:	add    %rbx,%rsi
0x0000000100591c70 <yv12touyvy_MMX2+176>:	add    %rbx,%rdx
0x0000000100591c73 <yv12touyvy_MMX2+179>:	inc    %r10d
0x0000000100591c76 <yv12touyvy_MMX2+182>:	cmp    %ebp,%r10d
0x0000000100591c79 <yv12touyvy_MMX2+185>:	jne    0x100591bfc <yv12touyvy_MMX2+60>
0x0000000100591c7b <yv12touyvy_MMX2+187>:	emms   
0x0000000100591c7d <yv12touyvy_MMX2+189>:	sfence 
0x0000000100591c80 <yv12touyvy_MMX2+192>:	pop    %rbx
0x0000000100591c81 <yv12touyvy_MMX2+193>:	pop    %rbp
0x0000000100591c82 <yv12touyvy_MMX2+194>:	retq   
0x0000000100591c83 <yv12touyvy_MMX2+195>:	nopw   0x0(%rax,%rax,1)
0x0000000100591c89 <yv12touyvy_MMX2+201>:	nopl   0x0(%rax)
End of assembler dump.
(gdb) info all-registers
rax            0x280	640
rbx            0x3c0	960
rcx            0x11dde6400	4796081152
rdx            0x12b394d80	5020142976
rsi            0x12b316480	5019624576
rdi            0x12b299200	5019111936
rbp            0x440	0x440
rsp            0x120e3aa98	0x120e3aa98
r8             0x3c0	960
r9             0x780	1920
r10            0x43c	1084
r11            0xf00	3840
r12            0x0	0
r13            0x1021ef800	4330551296
r14            0x11	17
r15            0x3c0	960
rip            0x100591c26	0x100591c26 <yv12touyvy_MMX2+102>
eflags         0x10287	66183
cs             0x2b	43
ss             0x0	0
ds             0x0	0
es             0x0	0
fs             0x23	35
gs             0xf	15
Last edited 5 years ago by Andrea3000

comment:3 Changed 5 years ago by Andrea3000

Ok, I added the gdb output, backtrace and disassembly.

comment:4 follow-up: Changed 5 years ago by michael

You could try valgrind or provide a compilable test case.

comment:5 in reply to: ↑ 4 Changed 5 years ago by Andrea3000

Replying to michael:

You could try valgrind or provide a compilable test case.

I apologise in advance if the information I'm going to report isn't useful. I'm a newbie developer and I still have a lot of stuff to learn.
I paste here the relevant output from valgrind:

==27261== 1 errors in context 1 of 8:
==27261== Thread 1:
==27261== Use of uninitialised value of size 8
==27261==    at 0x1021E803D: ff_h264_decode_seq_parameter_set (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libavcodec.dylib)
==27261==    by 0x7FFF5FBFDCAF: ???
==27261==    by 0x10820C8BF: ???
==27261==    by 0x7FFF5FBFDCB0: ???
==27261==    by 0x38003E9F: ???
==27261==    by 0x11B233E9F: ???
==27261== 
==27261== 
==27261== 1 errors in context 2 of 8:
==27261== Conditional jump or move depends on uninitialised value(s)
==27261==    at 0x1021E802B: ff_h264_decode_seq_parameter_set (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libavcodec.dylib)
==27261==    by 0x7FFF5FBFDCAF: ???
==27261==    by 0x10820C8BF: ???
==27261==    by 0x7FFF5FBFDCB0: ???
==27261==    by 0x38003E9F: ???
==27261==    by 0x11B233E9F: ???
==27261== 
==27261== 
==27261== 1 errors in context 3 of 8:
==27261== Conditional jump or move depends on uninitialised value(s)
==27261==    at 0x1021E7FCA: ff_h264_decode_seq_parameter_set (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libavcodec.dylib)
==27261==    by 0x7FFF5FBFDCAF: ???
==27261==    by 0x10820C8BF: ???
==27261==    by 0x7FFF5FBFDCB0: ???
==27261==    by 0x38003E9F: ???
==27261==    by 0x11B233E9F: ???
==27261== 
==27261== 
==27261== 1 errors in context 4 of 8:
==27261== Conditional jump or move depends on uninitialised value(s)
==27261==    at 0x1021E7F81: ff_h264_decode_seq_parameter_set (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libavcodec.dylib)
==27261==    by 0x7FFF5FBFDCAF: ???
==27261==    by 0x10820C8BF: ???
==27261==    by 0x7FFF5FBFDCB0: ???
==27261==    by 0x38003E9F: ???
==27261==    by 0x11B233E9F: ???
==27261== 
==27261== 
==27261== 3786240 errors in context 5 of 8:
==27261== Thread 9:
==27261== Invalid read of size 8
==27261==    at 0x102C50D84: yv12touyvy_MMX2 (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libswscale.dylib)
==27261==    by 0x43F: ???
==27261==  Address 0x12b9b6088 is 8 bytes inside a block of size 3,110,400 free'd
==27261==    at 0x1001A552D: free (vg_replace_malloc.c:430)
==27261==    by 0x10009A445: -[VideoTrack decodePacket] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x10009AD7F: -[VideoTrack decodeThreadFunc:] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x1001EA113: __NSThread__main__ (in /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation)
==27261==    by 0x102FFAFD5: _pthread_start (in /usr/lib/libSystem.B.dylib)
==27261==    by 0x102FFAE88: thread_start (in /usr/lib/libSystem.B.dylib)
==27261== 
==27261== 
==27261== 3786240 errors in context 6 of 8:
==27261== Invalid read of size 8
==27261==    at 0x102C50D80: yv12touyvy_MMX2 (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libswscale.dylib)
==27261==    by 0x43F: ???
==27261==  Address 0x12b9b6080 is 0 bytes inside a block of size 3,110,400 free'd
==27261==    at 0x1001A552D: free (vg_replace_malloc.c:430)
==27261==    by 0x10009A445: -[VideoTrack decodePacket] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x10009AD7F: -[VideoTrack decodeThreadFunc:] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x1001EA113: __NSThread__main__ (in /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation)
==27261==    by 0x102FFAFD5: _pthread_start (in /usr/lib/libSystem.B.dylib)
==27261==    by 0x102FFAE88: thread_start (in /usr/lib/libSystem.B.dylib)
==27261== 
==27261== 
==27261== 3786240 errors in context 7 of 8:
==27261== Invalid read of size 8
==27261==    at 0x102C50D76: yv12touyvy_MMX2 (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libswscale.dylib)
==27261==    by 0x43F: ???
==27261==  Address 0x12bc2ed80 is 2,592,000 bytes inside a block of size 3,110,400 free'd
==27261==    at 0x1001A552D: free (vg_replace_malloc.c:430)
==27261==    by 0x10009A445: -[VideoTrack decodePacket] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x10009AD7F: -[VideoTrack decodeThreadFunc:] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x1001EA113: __NSThread__main__ (in /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation)
==27261==    by 0x102FFAFD5: _pthread_start (in /usr/lib/libSystem.B.dylib)
==27261==    by 0x102FFAE88: thread_start (in /usr/lib/libSystem.B.dylib)
==27261== 
==27261== 
==27261== 3786240 errors in context 8 of 8:
==27261== Invalid read of size 8
==27261==    at 0x102C50D6F: yv12touyvy_MMX2 (in <path/to/my/app>/MyPlayer.app/Contents/Frameworks/libswscale.dylib)
==27261==    by 0x43F: ???
==27261==  Address 0x12bbb0480 is 2,073,600 bytes inside a block of size 3,110,400 free'd
==27261==    at 0x1001A552D: free (vg_replace_malloc.c:430)
==27261==    by 0x10009A445: -[VideoTrack decodePacket] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x10009AD7F: -[VideoTrack decodeThreadFunc:] (in <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer)
==27261==    by 0x1001EA113: __NSThread__main__ (in /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation)
==27261==    by 0x102FFAFD5: _pthread_start (in /usr/lib/libSystem.B.dylib)
==27261==    by 0x102FFAE88: thread_start (in /usr/lib/libSystem.B.dylib)


This output is the result of about 1 second of movie playback and it has been generated with:

valgrind -v --error-limit=no --dsymutil=yes --alignment=16 --leak-check=full <path/to/my/app>/MyPlayer.app/Contents/MacOS/MyPlayer

Is this the information you need or do I have to run valgrind with different command line options?

comment:6 in reply to: ↑ description Changed 5 years ago by Andrea3000

I have discovered another "bug" and I'm quite sure that it is related to the bug explained in this ticket and can be the cause of it.

Take a look at these two pictures which come from a progressive movie (therefore no deinterlacing and no crash):
1) Prior to the incriminating commit: Image1
2) After the incriminating commit: Image2

As you can see, after the incriminating commit, the height of the frame is 8 pixels bigger than the correct one (in this case 1088 against 1080), and a black border appears in the bottom part of the window/frame.
This happens with every h264 stream inside an m2ts container and never happens with an mkv container.
MPEG-2 and VC-1 streams don't have this issue.
This happens even with interlaced movies (with deinterlacing disabled).
When deinterlacing is enabled, that black border is yellow/green in the first frame and after that the app crashes.

All of the interlaced movie files that I have are h264, but I'm quite sure that MPEG-2 and VC-1 video streams won't lead to any crash when deinterlacing.
I have deinterlaced progressive MPEG-2 and VC-1 (it's useless but possible, I think) and the app doesn't crash at all. On the contrary, if I try to deinterlace a progressive h264, the app crashes.

So I'm quite sure that the issue is related to the bug that adds those 8 pixels to the height of h264 frames inside m2ts containers, since only those tracks make the app crash when deinterlacing.

Last edited 5 years ago by Andrea3000

comment:7 follow-up: Changed 5 years ago by michael

Valgrind indicates that you run sws on memory that has been freed.
Its output should be a bit more informative if the involved parts are compiled without optimizations and with debug symbols.

comment:8 in reply to: ↑ 7 Changed 5 years ago by Andrea3000

Replying to michael:

Valgrind indicates that you run sws on memory that has been freed.
Its output should be a bit more informative if the involved parts are compiled without optimizations and with debug symbols.

Thank you for your help. I have found the cause of this issue (but not the solution) and I have opened a specific ticket: https://ffmpeg.org/trac/ffmpeg/ticket/731
Have you got any hint on that bug?

comment:9 Changed 5 years ago by michael

  • Resolution set to needs_more_info
  • Status changed from new to closed

Closing ticket as Ticket731 has been closed 3 months ago, and this appears to be due to use of the wrong width/height fields by the user.
If some issue in ffmpeg remains, please reopen!
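Added example (not code from the ticket, the reporter's app, or FFmpeg): a plain-C stand-in for the planar YUV420P to UYVY422 step of the three-step pipeline in the description, with the size check a caller needs when the decoder's coded height (1088 for a 1080-line H.264 picture, as seen in comment 6) differs from the display height the destination buffer was allocated for. Frame dimensions and pixel values are constructed, and `coded_height_for` is a hypothetical helper.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Macroblock-aligned (coded) height: H.264 codes 1080 lines as 68 macroblocks = 1088 lines. */
static int coded_height_for(int display_height) { return (display_height + 15) & ~15; }

/* Planar YUV420P -> packed UYVY422 for `height` rows. Plain-C stand-in for the
   swscale path that crashed in the ticket; returns 0 on success, -1 when the
   destination cannot hold dst_stride*height bytes (the 1080-vs-1088 mismatch). */
static int yv12_to_uyvy_checked(const uint8_t *y, const uint8_t *u, const uint8_t *v,
                                int y_stride, int c_stride, int width, int height,
                                uint8_t *dst, size_t dst_len, int dst_stride)
{
    if (width <= 0 || height <= 0 || (width & 1) || dst_stride < width * 2)
        return -1;
    if ((size_t)dst_stride * (size_t)height > dst_len)
        return -1;                       /* would read/write past the caller's block */
    for (int row = 0; row < height; row++) {
        const uint8_t *yp = y + (size_t)row * y_stride;
        const uint8_t *up = u + (size_t)(row / 2) * c_stride;   /* chroma is half height */
        const uint8_t *vp = v + (size_t)(row / 2) * c_stride;
        uint8_t *d = dst + (size_t)row * dst_stride;
        for (int x = 0; x < width; x += 2) {
            d[2 * x]     = up[x / 2];    /* U  */
            d[2 * x + 1] = yp[x];        /* Y0 */
            d[2 * x + 2] = vp[x / 2];    /* V  */
            d[2 * x + 3] = yp[x + 1];    /* Y1 */
        }
    }
    return 0;
}

/* Constructed 16-pixel-wide frame: the decoder's planes are sized for the coded
   height (16), the caller's UYVY buffer for the display height (8). */
#define W 16
#define H_DISPLAY 8
#define H_CODED 16
static uint8_t g_y[H_CODED * W], g_u[(H_CODED / 2) * (W / 2)], g_v[(H_CODED / 2) * (W / 2)];
static uint8_t g_dst[H_DISPLAY * W * 2];

/* Fills the planes with a recognisable pattern and converts `height` rows into
   g_dst. Returns the converter's result (-1 means the mismatch was rejected). */
static int convert_with_height(int height)
{
    for (int i = 0; i < H_CODED * W; i++)           g_y[i] = (uint8_t)(0x10 + i % W);
    for (int i = 0; i < (H_CODED / 2) * (W / 2); i++) { g_u[i] = 0x80; g_v[i] = 0x90; }
    return yv12_to_uyvy_checked(g_y, g_u, g_v, W, W / 2, W, height,
                                g_dst, sizeof g_dst, W * 2);
}

int main(void)
{
    printf("coded height for 1080: %d\n", coded_height_for(1080));
    printf("convert with coded height %d: %d (rejected)\n", H_CODED, convert_with_height(H_CODED));
    printf("convert with display height %d: %d (ok)\n", H_DISPLAY, convert_with_height(H_DISPLAY));
    printf("first UYVY quad: %02x %02x %02x %02x\n", g_dst[0], g_dst[1], g_dst[2], g_dst[3]);
    return 0;
}
```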
