Opened 5 years ago

Closed 5 years ago

#782 closed defect (needs_more_info)

mpegaudiodec segfault

Reported by: bluepin Owned by:
Priority: normal Component: avcodec
Version: unspecified Keywords: crash
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

I have a rare and hardly reproducible error but I will take any suggestion on how to prevent it.

From what I understand from the coredumps : A mpeg layer 3 stream is detected as a layer 1 stream, then mp_decode_layer1 is called, followed by a segfault in UPDATE_CACHE(re, s). This could be indeed a bad stream, a random bit flip but ffmpeg should not segfault because of that.

Stack trace:
#0 0x08338083 in mp_decode_layer1 (s=0xa94707a0, samples=0x98b00040, buf=<value optimized out>, buf_size=256) at /opt/icecast/src/ffmpeg/libavcodec/get_bits.h:285
#1 mp_decode_frame (s=0xa94707a0, samples=0x98b00040, buf=<value optimized out>, buf_size=256) at /opt/icecast/src/ffmpeg/libavcodec/mpegaudiodec.c:1715
#2 0x08339bb7 in decode_frame (avctx=0x9a8e3c0, data=0x98b00040, data_size=0xacb3f5c, avpkt=0xb48b7228) at /opt/icecast/src/ffmpeg/libavcodec/mpegaudiodec.c:1816
#3 0x0841588e in avcodec_decode_audio3 (avctx=0x9a8e3c0, samples=0x98b00040, frame_size_ptr=0xacb3f5c, avpkt=0x2) at /opt/icecast/src/ffmpeg/libavcodec/utils.c:839

In Frame 1 : gdb: p *s yields:

{frame_size = 256, error_protection = 0, layer = 1, sample_rate = 48000, sample_rate_index = 1, bit_rate = 256000, nb_channels = 2, mode = 0, mode_ext = 2, lsf = 0,

last_buf = lots of other stuff?

{scfsi = 0 '\000', part2_3_length = 0, big_values = 0, global_gain = 0, scalefac_compress = 0, block_type = 0 '\000', switch_point = 0 '\000',

table_select = {0, 0, 0}, subblock_gain = {0, 0, 0}, scalefac_scale = 0 '\000', count1table_select = 0 '\000', region_size = {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0,
scale_factors = '\000' <repeats 39 times>, sb_hybrid = {0 <repeats 576 times>}}}}, adu_mode = 0, dither_state = 14709380, error_recognition = 1, avctx = 0x9a8e3c0, mpadsp = {

apply_window_float = 0x84f5530 <apply_window_mp3>, apply_window_fixed = 0x8340600 <ff_mpadsp_apply_window_fixed>, dct32_float = 0x85a7180 <ff_dct32_float_sse2>,
dct32_fixed = 0x8555da0 <ff_dct32_fixed>}}

From the exact same stream a captured packet looked like :

{frame_size = 418, error_protection = 0, layer = 3, sample_rate = 44100, sample_rate_index = 0, bit_rate = 128000, nb_channels = 2, mode = 0, mode_ext = 0, lsf = 0, last_buf = '\000' <repeats 1047 times>, last_buf_size = 0, free_format_next_header = 0, gb = {buffer = 0x8d6f764 "\347\017\362\345 ك8bP
\244\033\060g\fJ\rh\251f\fቁ\256\025,\301\234\061\060\254\231\255\363\037÷\266\357\006X9\"p2X\251\322\006\212ڱV=\205\251R\236\257\267M\200 \214\207\031", buffer_end = 0x8d6f902 "", index = 0, size_in_bits = 3312}, in_gb = {buffer = 0x0, buffer_end = 0x0, index = 0, size_in_bits = 0}, synth_buf = {{0 <repeats 1024 times>}, {0 <repeats 1024 times>}}, synth_buf_offset = {0, 0}, sb_samples = 0 <repeats 32 times>} <repeats 36 times>}, {{0 <repeats 32 times>} <repeats 36 times>}}, mdct_buf = {{0 <repeats 576 times>}, {0 <repeats 576 times>}}, granules = {{{scfsi = 0 '\000', part2_3_length = 0, big_values = 0, global_gain = 0, scalefac_compress = 0, block_type = 0 '\000', switch_point = 0 '\000', table_select = {0, 0, 0}, subblock_gain = {0, 0, 0}, scalefac_scale = 0 '\000', count1table_select = 0 '\000', region_size = {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0, scale_factors = '\000' <repeats 39 times>, sb_hybrid = {0 <repeats 576 times>}}, {scfsi = 0 '\000', part2_3_length = 0, big_values = 0, global_gain = 0, scalefac_compress = 0, block_type = 0 '\000', switch_point = 0 '\000', table_select = {0, 0, 0}, subblock_gain = {0, 0, 0}, scalefac_scale = 0 '\000', count1table_select = 0 '\000', region_size = {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0, scale_factors = '\000' <repeats 39 times>, sb_hybrid = {0 <repeats 576 times>, {{scfsi = 0 '\000', part2_3_length = 0, big_values = 0, global_gain = 0, scalefac_compress = 0, block_type = 0 '\000', switch_point = 0 '\000', table_select = {0, 0, 0}, subblock_gain = {0, 0, 0}, scalefac_scale = 0 '\000', count1table_select = 0 '\000', region_size = {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0, scale_factors = '\000' <repeats 39 times>, sb_hybrid = {0 <repeats 576 times>}}, {scfsi = 0 '\000', part2_3_length = 0, big_values = 0, global_gain = 0, scalefac_compress = 0, block_type = 0 '\000', switch_point = 0 '\000', table_select = {0, 0, 0}, subblock_gain = {0, 0, 0}, scalefac_scale = 0 '\000', count1table_select = 0 '\000', region_size = {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0, scale_factors = '\000' <repeats 39 times>, sb_hybrid = {0 <repeats 576 times>}}}}, adu_mode = 0, dither_state = 0, error_recognition = 1, avctx = 0x8d6fb00, mpadsp = {apply_window_float = 0x85aa0c0 <apply_window_mp3>, apply_window_fixed = 0x83f3a40 <ff_mpadsp_apply_window_fixed>, dct32_float = 0x866c420 <ff_dct32_float_sse2>, dct32_fixed = 0x860b490 <ff_dct32_fixed>}}

I have 2 coredumps available with the same issue. If directed as such, I can extract more info from them.

Change History (4)

comment:1 Changed 5 years ago by cehoyos

Please provide complete, uncut console output and backtrace as explained on http://ffmpeg.org/bugreports.html and please provide a sample.

comment:2 Changed 5 years ago by bluepin

This is a transient error. The usage scenario is : A custom decoding application that uses programatically ffmpeg libraries to decode multiple streams at once. The application has several concurrent decoding threads ( 150+ ), decodes online streams-mostly mp3s. So far it broke three times under the same error after 1 to 3 weeks of continuous running (2 core dumps available).
I am unable to provide a sample that can reproduce the error. Unless I can reconstruct something out of the core dumps I have - but I may need some guidance on how to do that.

(gdb) bt
#0 0x08338083 in mp_decode_layer1 (s=0xa94707a0, samples=0x98b00040, buf=<value optimized out>, buf_size=256) at /opt/icecast/src/ffmpeg/libavcodec/get_bits.h:285
#1 mp_decode_frame (s=0xa94707a0, samples=0x98b00040, buf=<value optimized out>, buf_size=256) at /opt/icecast/src/ffmpeg/libavcodec/mpegaudiodec.c:1715
#2 0x08339bb7 in decode_frame (avctx=0x9a8e3c0, data=0x98b00040, data_size=0xacb3f5c, avpkt=0xb48b7228) at /opt/icecast/src/ffmpeg/libavcodec/mpegaudiodec.c:1816
#3 0x0841588e in avcodec_decode_audio3 (avctx=0x9a8e3c0, samples=0x98b00040, frame_size_ptr=0xacb3f5c, avpkt=0x2) at /opt/icecast/src/ffmpeg/libavcodec/utils.c:839
#4 0x08066c00 in ffmpegFetchDecodeResampleReencodeNext (ff=0xacb3f48, source=0xb710fe80) at ../../icecast/src/ffmpegIntegration.c:359
#5 0x08059d46 in source_main (source=0xb710fe80, ff=0xacb3f48) at ../../icecast/src/source.c:736
#6 0x080559b4 in start_ffmpegrelay_stream (arg=0x98f4138) at ../../icecast/src/slave.c:390
#7 0x08072fb8 in _start_routine (arg=0xb1037238) at ../../../icecast/src/thread/thread.c:660
#8 0x008f1832 in start_thread () from /lib/libpthread.so.0
#9 0x0083146e in clone () from /lib/libc.so.6

(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8338063 to 0x83380a3:
0x08338063 <mp_decode_frame+1539>: xchg %eax,%ebp
0x08338064 <mp_decode_frame+1540>: add %al,(%eax)
0x08338066 <mp_decode_frame+1542>: add %cl,0xa82484(%ebx)
0x0833806c <mp_decode_frame+1548>: add %al,(%eax)
0x0833806e <mp_decode_frame+1550>: movzbl %cl,%edi
0x08338071 <mp_decode_frame+1553>: lea 0x1(%edi),%ebp
0x08338074 <mp_decode_frame+1556>: mov 0x8(%eax),%esi
0x08338077 <mp_decode_frame+1559>: mov (%eax),%eax
0x08338079 <mp_decode_frame+1561>: mov %esi,%edx
0x0833807b <mp_decode_frame+1563>: mov %esi,%ecx
0x0833807d <mp_decode_frame+1565>: shr $0x3,%edx
0x08338080 <mp_decode_frame+1568>: and $0x7,%ecx
0x08338083 <mp_decode_frame+1571>: mov (%eax,%edx,1),%ebx
0x08338086 <mp_decode_frame+1574>: mov 0xa8(%esp),%eax
0x0833808d <mp_decode_frame+1581>: mov 0xf4(%esp),%edx
0x08338094 <mp_decode_frame+1588>: bswap %ebx
0x08338096 <mp_decode_frame+1590>: shl %cl,%ebx
0x08338098 <mp_decode_frame+1592>: mov %ebp,%ecx
0x0833809a <mp_decode_frame+1594>: add %esi,%ebp
0x0833809c <mp_decode_frame+1596>: neg %ecx
0x0833809e <mp_decode_frame+1598>: mov %ebp,0x8(%eax)
0x083380a1 <mp_decode_frame+1601>: movzbl (%edx),%eax
End of assembler dump.

(gdb) info all-registers
eax 0xa8ec0caf -1460925265
ecx 0x2 2
edx 0x34e 846
ebx 0x4 4
esp 0xb48b6e30 0xb48b6e30
ebp 0x10 0x10
esi 0x1a72 6770
edi 0xf 15
eip 0x8338083 0x8338083 <mp_decode_frame+1571>
eflags 0x10202 [ IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0xc040007b -1069547397
es 0xc040007b -1069547397
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 3.00966351892338605583318567049389 (raw 0x4000c09e53bc6f5fc4b6)
st2 1.7699210388248127544851300025079555e-20 (raw 0x3fbda72a109a074f7a9f)
st3 3.00966351892338605583318567049389 (raw 0x4000c09e53bc6f5fc4b6)
st4 3.00966351892338605583318567049389 (raw 0x4000c09e53bc6f5fc4b6)
st5 3767.7300861597768091293403358577052 (raw 0x400aeb7bae6ed3380eda)
st6 0 (raw 0x00000000000000000000)
st7 433.959197998046875 (raw 0x4007d8fac70000000000)
fctrl 0x37f 895
fstat 0x4020 16416
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x83aa99c 138062236
foseg 0x7b 123
fooff 0xb48b7110 -1265929968
fop 0x65f 1631
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,

0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1 {uint64 = 0xc09e53bc6f5fc4b6, v2_int32 = {0x6f5fc4b6, 0xc09e53bc}, v4_int16 = {0xc4b6, 0x6f5f, 0x53bc, 0xc09e}, v8_int8 = {0xb6, 0xc4, 0x5f, 0x6f, 0xbc, 0x53, 0x9e, 0xc0}}
mm2 {uint64 = 0xa72a109a074f7a9f, v2_int32 = {0x74f7a9f, 0xa72a109a}, v4_int16 = {0x7a9f, 0x74f, 0x109a, 0xa72a}, v8_int8 = {0x9f, 0x7a, 0x4f, 0x7, 0x9a, 0x10, 0x2a, 0xa7}}
mm3 {uint64 = 0xc09e53bc6f5fc4b6, v2_int32 = {0x6f5fc4b6, 0xc09e53bc}, v4_int16 = {0xc4b6, 0x6f5f, 0x53bc, 0xc09e}, v8_int8 = {0xb6, 0xc4, 0x5f, 0x6f, 0xbc, 0x53, 0x9e, 0xc0}}
mm4 {uint64 = 0xc09e53bc6f5fc4b6, v2_int32 = {0x6f5fc4b6, 0xc09e53bc}, v4_int16 = {0xc4b6, 0x6f5f, 0x53bc, 0xc09e}, v8_int8 = {0xb6, 0xc4, 0x5f, 0x6f, 0xbc, 0x53, 0x9e, 0xc0}}
mm5 {uint64 = 0xeb7bae6ed3380eda, v2_int32 = {0xd3380eda, 0xeb7bae6e}, v4_int16 = {0xeda, 0xd338, 0xae6e, 0xeb7b}, v8_int8 = {0xda, 0xe, 0x38, 0xd3, 0x6e, 0xae, 0x7b, 0xeb}}
mm6 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7 {uint64 = 0xd8fac70000000000, v2_int32 = {0x0, 0xd8fac700}, v4_int16 = {0x0, 0x0, 0xc700, 0xd8fa}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xc7, 0xfa, 0xd8}}

comment:3 Changed 5 years ago by michael

Is this error still occuring? there have been several bug fixes in the mpegaudio code since this was reported.
If it still occurs maybe you could try to run the code under valgrind, this may produce more and earlier or more reproduceable things than just waiting for a crash.

comment:4 Changed 5 years ago by cehoyos

  • Keywords crash added
  • Resolution set to needs_more_info
  • Status changed from new to closed

Please reopen if this problem is still reproducible.

Note: See TracTickets for help on using tickets.