Opened 4 years ago

Closed 4 years ago

#8972 closed defect (fixed)

Segfault looping PNG

Reported by: Yorwba
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: crash race png regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:

Trying to create an MKV video by looping a PNG for a specified amount of time leads to a segmentation fault.

How to reproduce:

% ffmpeg -y -loop 1 -i black.png -t 10:00:00 -pix_fmt yuvj420p black.mkv
ffmpeg version N-99894-gb1d99ab Copyright (c) 2000-2020 the FFmpeg developers
  built with gcc 9 (Ubuntu 9.3.0-17ubuntu1~20.04)
  configuration: --prefix=/home/yorwba/ffmpeg_build --pkg-config-flags=--static --extra-cflags=-I/home/yorwba/ffmpeg_build/include --extra-ldflags=-L/home/yorwba/ffmpeg_build/lib --extra-libs='-lpthread -lm' --bindir=/home/yorwba/bin --enable-gpl --enable-libass --enable-libfreetype --enable-libx264 --enable-nonfree
  libavutil      56. 60.100 / 56. 60.100
  libavcodec     58.112.101 / 58.112.101
  libavformat    58. 64.100 / 58. 64.100
  libavdevice    58. 11.102 / 58. 11.102
  libavfilter     7. 89.100 /  7. 89.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
Input #0, png_pipe, from 'black.png':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: png, monob(pc), 2x2, 25 fps, 25 tbr, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (png (native) -> h264 (libx264))
Press [q] to stop, [?] for help
[swscaler @ 0x562e41ee3e40] deprecated pixel format used, make sure you did set range correctly
[libx264 @ 0x562e41e4cac0] using cpu capabilities: MMX2 SSE2Fast SSSE3 SSE4.2
[libx264 @ 0x562e41e4cac0] profile High, level 1.0
[libx264 @ 0x562e41e4cac0] 264 - core 155 r2917 0a84d98 - H.264/MPEG-4 AVC codec - Copyleft 2003-2018 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=1 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00
Output #0, matroska, to 'black.mkv':
  Metadata:
    encoder         : Lavf58.64.100
    Stream #0:0: Video: h264 (libx264) (H264 / 0x34363248), yuvj420p(pc, progressive), 2x2, q=-1--1, 25 fps, 1k tbn, 25 tbc
    Metadata:
      encoder         : Lavc58.112.101 libx264
    Side data:
      cpb: bitrate max/min/avg: 0/0/0 buffer size: 0 vbv_delay: N/A
Segmentation fault (core dumped)=      94kB time=00:03:12.40 bitrate=   4.0kbits/s speed=96.2x

The full log generated using FFREPORT=1 while debugging with GDB (see below) has 27000 lines, so I'll put it in an attachment.
black.png was generated using ImageMagick convert -size 2x2 xc:black black.png, but I'll also attach it.

The crash doesn't always happen at the same time, sometimes it's basically instant, sometimes only after an hour of video has been encoded. It seems to happen more often if the encoding speed is higher.

Output from GDB:

(gdb) bt
#0  0x00005555564aa730 in av_dict_get (m=m@entry=0x7fffe40073c0, key=key@entry=0x55555657b4dc "", prev=prev@entry=0x0, flags=flags@entry=2)
    at libavutil/dict.c:55
#1  0x00005555564aadca in av_dict_copy (dst=dst@entry=0x55555741c2f0, src=0x7fffe40073c0, flags=flags@entry=0) at libavutil/dict.c:221
#2  0x00005555564b17d5 in frame_copy_props (dst=dst@entry=0x55555741c140, src=src@entry=0x55555741eac0, force_copy=force_copy@entry=0)
    at libavutil/frame.c:390
#3  0x00005555564b1e6d in av_frame_ref (dst=0x55555741c140, src=0x55555741eac0) at libavutil/frame.c:470
#4  0x0000555555eec77b in ff_thread_ref_frame (dst=dst@entry=0x55555741bb70, src=src@entry=0x55555741e270) at libavcodec/utils.c:1883
#5  0x0000555555ddc411 in update_thread_context (dst=0x555557419a80, src=<optimized out>) at libavcodec/pngdec.c:1741
#6  0x0000555555defb43 in submit_packet (avpkt=<optimized out>, user_avctx=0x55555737ef40, p=0x555557419540) at libavcodec/pthread_frame.c:417
#7  ff_thread_decode_frame (avctx=avctx@entry=0x55555737ef40, picture=picture@entry=0x55555738ecc0, 
    got_picture_ptr=got_picture_ptr@entry=0x7fffffffd380, avpkt=avpkt@entry=0x55555738f380) at libavcodec/pthread_frame.c:494
#8  0x0000555555b75053 in decode_simple_internal (discarded_samples=<synthetic pointer>, frame=0x55555738ecc0, avctx=0x55555737ef40)
    at libavcodec/decode.c:350
#9  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at libavcodec/decode.c:556
#10 decode_receive_frame_internal (avctx=avctx@entry=0x55555737ef40, frame=0x55555738ecc0) at libavcodec/decode.c:576
#11 0x0000555555b75a20 in avcodec_send_packet (avctx=0x55555737ef40, avpkt=0x7fffffffd510) at libavcodec/decode.c:634
#12 0x0000555555715cba in decode (pkt=0x7fffffffd510, got_frame=0x7fffffffd48c, frame=<optimized out>, avctx=0x55555737ef40) at fftools/ffmpeg.c:2261
#13 decode_video (decode_failed=<optimized out>, eof=<optimized out>, duration_pts=<optimized out>, got_output=<optimized out>, pkt=<optimized out>, 
    ist=<optimized out>) at fftools/ffmpeg.c:2403
#14 process_input_packet (ist=<optimized out>, pkt=0x7fffffffd6c0, no_eof=0) at fftools/ffmpeg.c:2644
#15 0x00005555557189a2 in process_input (file_index=<optimized out>) at fftools/ffmpeg.c:4570
#16 transcode_step () at fftools/ffmpeg.c:4705
#17 transcode () at fftools/ffmpeg.c:4759
#18 0x00005555556f2cae in main (argc=11, argv=0x7fffffffde38) at fftools/ffmpeg.c:4964
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x5555564aa710 to 0x5555564aa750:
   0x00005555564aa710 <av_dict_get+80>:	movb   $0xe3,-0x3eb6fe18(%rbx)
   0x00005555564aa717 <av_dict_get+87>:	add    $0x44,%al
   0x00005555564aa719 <av_dict_get+89>:	sub    %eax,%eax
   0x00005555564aa71b <av_dict_get+91>:	add    %rdx,%r11
   0x00005555564aa71e <av_dict_get+94>:	add    %rdi,%rax
   0x00005555564aa721 <av_dict_get+97>:	shl    $0x4,%rax
   0x00005555564aa725 <av_dict_get+101>:	lea    0x10(%rdx,%rax,1),%r13
   0x00005555564aa72a <av_dict_get+106>:	mov    (%r11),%r10
   0x00005555564aa72d <av_dict_get+109>:	mov    %r11,%r12
=> 0x00005555564aa730 <av_dict_get+112>:	movzbl (%r10),%edx
   0x00005555564aa734 <av_dict_get+116>:	test   %ebp,%ebp
   0x00005555564aa736 <av_dict_get+118>:	je     0x5555564aa7a0 <av_dict_get+224>
   0x00005555564aa738 <av_dict_get+120>:	cmp    %bl,%dl
   0x00005555564aa73a <av_dict_get+122>:	jne    0x5555564aa800 <av_dict_get+320>
   0x00005555564aa740 <av_dict_get+128>:	test   %r14b,%r14b
   0x00005555564aa743 <av_dict_get+131>:	je     0x5555564aa800 <av_dict_get+320>
   0x00005555564aa749 <av_dict_get+137>:	xor    %edi,%edi
   0x00005555564aa74b <av_dict_get+139>:	jmp    0x5555564aa754 <av_dict_get+148>
   0x00005555564aa74d <av_dict_get+141>:	nopl   (%rax)
End of assembler dump.
(gdb) info all-registers 
rax            0x10                16
rbx            0x0                 0
rcx            0x2                 2
rdx            0x5555573c2a20      93825024141856
rsi            0x55555657b4dc      93825009169628
rdi            0x0                 0
rbp            0x0                 0x0
rsp            0x7fffffffd198      0x7fffffffd198
r8             0x0                 0
r9             0x7ffff7016390      140737337451408
r10            0x0                 0
r11            0x5555573c2a20      93825024141856
r12            0x5555573c2a20      93825024141856
r13            0x5555573c2a40      93825024141888
r14            0x55555657b400      93825009169408
r15            0x55555737ebe0      93825023863776
rip            0x5555564aa730      0x5555564aa730 <av_dict_get+112>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

I didn't manage to reproduce the crash while using valgrind. The speed seemed to be capped at 4x for some reason, maybe that's related. Here's the output:

==1774166== Memcheck, a memory error detector
==1774166== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1774166== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1774166== Command: /home/yorwba/ffmpeg_sources/ffmpeg/ffmpeg_g -y -loop 1 -i black.png -t 10:00:00 -pix_fmt yuvj420p black.mkv
==1774166== 
ffmpeg version N-99894-gb1d99ab Copyright (c) 2000-2020 the FFmpeg developers
  built with gcc 9 (Ubuntu 9.3.0-17ubuntu1~20.04)
  configuration: --prefix=/home/yorwba/ffmpeg_build --pkg-config-flags=--static --extra-cflags=-I/home/yorwba/ffmpeg_build/include --extra-ldflags=-L/home/yorwba/ffmpeg_build/lib --extra-libs='-lpthread -lm' --bindir=/home/yorwba/bin --enable-gpl --enable-libass --enable-libfreetype --enable-libx264 --enable-nonfree
  libavutil      56. 60.100 / 56. 60.100
  libavcodec     58.112.101 / 58.112.101
  libavformat    58. 64.100 / 58. 64.100
  libavdevice    58. 11.102 / 58. 11.102
  libavfilter     7. 89.100 /  7. 89.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
Input #0, png_pipe, from 'black.png':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: png, monob(pc), 2x2, 25 fps, 25 tbr, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (png (native) -> h264 (libx264))
Press [q] to stop, [?] for help
[swscaler @ 0x6a1fac0] deprecated pixel format used, make sure you did set range correctly
[libx264 @ 0x68ea840] using cpu capabilities: MMX2 SSE2Fast SSSE3 SSE4.2
[libx264 @ 0x68ea840] profile High, level 1.0
[libx264 @ 0x68ea840] 264 - core 155 r2917 0a84d98 - H.264/MPEG-4 AVC codec - Copyleft 2003-2018 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=1 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00
Output #0, matroska, to 'black.mkv':
  Metadata:
    encoder         : Lavf58.64.100
    Stream #0:0: Video: h264 (libx264) (H264 / 0x34363248), yuvj420p(pc, progressive), 2x2, q=-1--1, 25 fps, 1k tbn, 25 tbc
    Metadata:
      encoder         : Lavc58.112.101 libx264
    Side data:
      cpb: bitrate max/min/avg: 0/0/0 buffer size: 0 vbv_delay: N/A
frame=900000 fps= 99 q=28.0 Lsize=   17780kB time=09:59:59.88 bitrate=   4.0kbits/s speed=3.95x    
video:12309kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 44.447735%
[libx264 @ 0x68ea840] frame I:3600  Avg QP: 6.00  size:    19
[libx264 @ 0x68ea840] frame P:226800 Avg QP: 9.06  size:    18
[libx264 @ 0x68ea840] frame B:669600 Avg QP:12.67  size:    13
[libx264 @ 0x68ea840] consecutive B-frames:  0.8%  0.0%  0.0% 99.2%
[libx264 @ 0x68ea840] mb I  I16..4: 100.0%  0.0%  0.0%
[libx264 @ 0x68ea840] mb P  I16..4:  0.0%  0.0%  0.0%  P16..4:  0.0%  0.0%  0.0%  0.0%  0.0%    skip:100.0%
[libx264 @ 0x68ea840] mb B  I16..4:  0.0%  0.0%  0.0%  B16..8:  0.0%  0.0%  0.0%  direct: 0.0%  skip:100.0%
[libx264 @ 0x68ea840] 8x8 transform intra:0.0%
[libx264 @ 0x68ea840] coded y,uvDC,uvAC intra: 0.0% 0.0% 0.0% inter: 0.0% 0.0% 0.0%
[libx264 @ 0x68ea840] i16 v,h,dc,p:  0%  0% 100%  0%
[libx264 @ 0x68ea840] i8c dc,h,v,p: 100%  0%  0%  0%
[libx264 @ 0x68ea840] Weighted P-Frames: Y:0.0% UV:0.0%
[libx264 @ 0x68ea840] kb/s:2.80
==1774166== 
==1774166== HEAP SUMMARY:
==1774166==     in use at exit: 18,612 bytes in 6 blocks
==1774166==   total heap usage: 115,205,412 allocs, 115,205,406 frees, 45,138,345,718 bytes allocated
==1774166== 
==1774166== LEAK SUMMARY:
==1774166==    definitely lost: 0 bytes in 0 blocks
==1774166==    indirectly lost: 0 bytes in 0 blocks
==1774166==      possibly lost: 0 bytes in 0 blocks
==1774166==    still reachable: 18,612 bytes in 6 blocks
==1774166==         suppressed: 0 bytes in 0 blocks
==1774166== Rerun with --leak-check=full to see details of leaked memory
==1774166== 
==1774166== For lists of detected and suppressed errors, rerun with: -s
==1774166== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Attachments (2)

ffmpeg-20201112-000513.log (1.3 MB ) - added by Yorwba 4 years ago.
The full log exceeds the upload limit, so I kept only the first 9999 lines
black.png (260 bytes ) - added by Yorwba 4 years ago.


Change History (12)

by Yorwba, 4 years ago

Attachment: ffmpeg-20201112-000513.log added

The full log exceeds the upload limit, so I kept only the first 9999 lines

by Yorwba, 4 years ago

Attachment: black.png added

comment:1 by Carl Eugen Hoyos, 4 years ago

Keywords: crash race added
Priority: normal → important
Version: unspecified → git-master

comment:2 by mkver, 4 years ago

ASAN crashes right after start for me (with null output).

comment:3 by Marton Balint, 4 years ago

Component: undetermined → avcodec
Keywords: png threads added
Reproduced by developer: set

comment:4 by Carl Eugen Hoyos, 4 years ago

Keywords: threads removed

We use threads for the option, I would like to use race for cases like this.

comment:5 by Balling, 4 years ago

It does not happen on Windows... All 10 hours are encoded, no problem. Also there is a recommendation for you: use -pix_fmt yuv420p -color_range 2


comment:6 by Carl Eugen Hoyos, 4 years ago

Keywords: regression added
Summary: Segfault looping PNG into MKV → Segfault looping PNG

I thought this is a regression since 0a771e6b32429f9195d431415bf707c28ef31fff but with a simplified command line, I was able to reproduce with 2ac6eedac5e576bb98c9ba6573cfcd4782b175b0

$ ffmpeg -loop 1 -i black.png -vcodec rawvideo -f null -

comment:7 by Carl Eugen Hoyos, 4 years ago

$ valgrind ./ffmpeg_g -loop 1 -i black.png -vcodec rawvideo -f null -      
==26730== Memcheck, a memory error detector
==26730== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==26730== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==26730== Command: ./ffmpeg_g -loop 1 -i black.png -vcodec rawvideo -f null -
==26730== 
ffmpeg version N-101634-g4892060f50 Copyright (c) 2000-2021 the FFmpeg developers
  built with gcc 10 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      56. 69.100 / 56. 69.100
  libavcodec     58.133.100 / 58.133.100
  libavformat    58. 75.100 / 58. 75.100
  libavdevice    58. 12.100 / 58. 12.100
  libavfilter     7.109.100 /  7.109.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
Input #0, png_pipe, from 'black.png':
  Duration: N/A, bitrate: N/A
  Stream #0:0: Video: png, monob(pc), 2x2, 25 fps, 25 tbr, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (png (native) -> rawvideo (native))
Press [q] to stop, [?] for help
The bitrate parameter is set too low. It takes bits/s as argument, not kbits/s
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.75.100
  Stream #0:0: Video: rawvideo (B0W1 / 0x31573042), monob(pc, progressive), 2x2, q=2-31, 0 kb/s, 25 fps, 25 tbn
    Metadata:
      encoder         : Lavc58.133.100 rawvideo
==26730== Invalid read of size 8
==26730==    at 0x120EDA3: av_dict_copy (dict.c:222)
==26730==    by 0x12159F7: frame_copy_props (frame.c:390)
==26730==    by 0x12170C8: av_frame_ref (frame.c:457)
==26730==    by 0xC73756: ff_thread_ref_frame (utils.c:910)
==26730==    by 0xB73568: update_thread_context (pngdec.c:1622)
==26730==    by 0xB86A92: submit_packet (pthread_frame.c:434)
==26730==    by 0xB86A92: ff_thread_decode_frame (pthread_frame.c:515)
==26730==    by 0x923042: decode_simple_internal (decode.c:325)
==26730==    by 0x923042: decode_simple_receive_frame (decode.c:526)
==26730==    by 0x923042: decode_receive_frame_internal (decode.c:546)
==26730==    by 0x9238D7: avcodec_send_packet (decode.c:608)
==26730==    by 0x4B5CC0: decode (ffmpeg.c:2285)
==26730==    by 0x4B5CC0: decode_video (ffmpeg.c:2425)
==26730==    by 0x4B5CC0: process_input_packet (ffmpeg.c:2672)
==26730==    by 0x4B871E: process_input (ffmpeg.c:4606)
==26730==    by 0x4B871E: transcode_step (ffmpeg.c:4746)
==26730==    by 0x4B871E: transcode (ffmpeg.c:4800)
==26730==    by 0x49519D: main (ffmpeg.c:5005)
==26730==  Address 0x1e68cf70 is 0 bytes inside a block of size 16 free'd
==26730==    at 0x4840D7B: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26730==    by 0x120E70A: av_dict_set (dict.c:106)
==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
==26730==  Block was alloc'd at
==26730==    at 0x483E6AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26730==    by 0x120E70A: av_dict_set (dict.c:106)
==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
==26730== 
==26730== Invalid read of size 8
==26730==    at 0x120EDA6: av_dict_copy (dict.c:222)
==26730==    by 0x12159F7: frame_copy_props (frame.c:390)
==26730==    by 0x12170C8: av_frame_ref (frame.c:457)
==26730==    by 0xC73756: ff_thread_ref_frame (utils.c:910)
==26730==    by 0xB73568: update_thread_context (pngdec.c:1622)
==26730==    by 0xB86A92: submit_packet (pthread_frame.c:434)
==26730==    by 0xB86A92: ff_thread_decode_frame (pthread_frame.c:515)
==26730==    by 0x923042: decode_simple_internal (decode.c:325)
==26730==    by 0x923042: decode_simple_receive_frame (decode.c:526)
==26730==    by 0x923042: decode_receive_frame_internal (decode.c:546)
==26730==    by 0x9238D7: avcodec_send_packet (decode.c:608)
==26730==    by 0x4B5CC0: decode (ffmpeg.c:2285)
==26730==    by 0x4B5CC0: decode_video (ffmpeg.c:2425)
==26730==    by 0x4B5CC0: process_input_packet (ffmpeg.c:2672)
==26730==    by 0x4B871E: process_input (ffmpeg.c:4606)
==26730==    by 0x4B871E: transcode_step (ffmpeg.c:4746)
==26730==    by 0x4B871E: transcode (ffmpeg.c:4800)
==26730==    by 0x49519D: main (ffmpeg.c:5005)
==26730==  Address 0x1e68cf78 is 8 bytes inside a block of size 16 free'd
==26730==    at 0x4840D7B: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26730==    by 0x120E70A: av_dict_set (dict.c:106)
==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
==26730==  Block was alloc'd at
==26730==    at 0x483E6AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26730==    by 0x120E70A: av_dict_set (dict.c:106)
==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
(gdb) bt
#0  0x00007ffff7830d0a in __strlen_sse2 () from /lib64/libc.so.6
#1  0x0000000001223a04 in av_strdup (s=s@entry=0x7ff827fc8901 <error: Cannot access memory at address 0x7ff827fc8901>) at libavutil/mem.c:257
#2  0x000000000120f2a0 in av_dict_set (flags=0, value=0x7fffd80025d0 "\006", key=0x7ff827fc8901 <error: Cannot access memory at address 0x7ff827fc8901>, 
    pm=0x208db70) at libavutil/dict.c:83
#3  av_dict_copy (dst=dst@entry=0x208db70, src=0x7fffd8008880, flags=flags@entry=0) at libavutil/dict.c:222
#4  0x0000000001215d48 in frame_copy_props (dst=dst@entry=0x208d9c0, src=src@entry=0x208c700, force_copy=force_copy@entry=0) at libavutil/frame.c:390
#5  0x0000000001217419 in av_frame_ref (dst=0x208d9c0, src=0x208c700) at libavutil/frame.c:457
#6  0x0000000000c73357 in ff_thread_ref_frame (dst=dst@entry=0x208d430, src=src@entry=0x208bed0) at libavcodec/utils.c:1727
#7  0x0000000000b713a9 in update_thread_context (dst=<optimized out>, src=<optimized out>) at libavcodec/pngdec.c:1622
#8  0x0000000000b847e3 in submit_packet (avpkt=<optimized out>, user_avctx=0x1fe7440, p=0x2083d60) at libavcodec/pthread_frame.c:434
#9  ff_thread_decode_frame (avctx=avctx@entry=0x1fe7440, picture=picture@entry=0x2082ec0, got_picture_ptr=got_picture_ptr@entry=0x7fffffffd3c8, 
    avpkt=avpkt@entry=0x1febcc0) at libavcodec/pthread_frame.c:515
#10 0x0000000000920e83 in decode_simple_internal (discarded_samples=<synthetic pointer>, frame=0x2082ec0, avctx=0x1fe7440) at libavcodec/decode.c:325
#11 decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at libavcodec/decode.c:526
#12 decode_receive_frame_internal (avctx=avctx@entry=0x1fe7440, frame=0x2082ec0) at libavcodec/decode.c:546
#13 0x0000000000921718 in avcodec_send_packet (avctx=avctx@entry=0x1fe7440, avpkt=avpkt@entry=0x208f880) at libavcodec/decode.c:608
#14 0x00000000004b5cd1 in decode (pkt=0x208f880, got_frame=0x7fffffffd4bc, frame=<optimized out>, avctx=0x1fe7440) at fftools/ffmpeg.c:2285
#15 decode_video (decode_failed=<optimized out>, eof=<optimized out>, duration_pts=<optimized out>, got_output=<optimized out>, pkt=<optimized out>, 
    ist=<optimized out>) at fftools/ffmpeg.c:2425
#16 process_input_packet (ist=ist@entry=0x1fe6bc0, pkt=pkt@entry=0x207e040, no_eof=no_eof@entry=0) at fftools/ffmpeg.c:2672
#17 0x00000000004b872f in process_input (file_index=<optimized out>) at fftools/ffmpeg.c:4606
#18 transcode_step () at fftools/ffmpeg.c:4746
#19 transcode () at fftools/ffmpeg.c:4800
#20 0x00000000004951ae in main (argc=10, argv=0x7fffffffdc88) at fftools/ffmpeg.c:5005
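
Added example (not part of the ticket and not FFmpeg code): a small Python triage script for Memcheck output like the report in comment 7. It pairs each invalid access with the stack that freed the block and flags the case seen there, where realloc in av_dict_set on a frame worker thread frees the block that av_dict_copy reads on the main thread. The sample input is constructed (record 1 is shortened from comment 7, record 2 with demo.c and print_item is invented for contrast), and the names parse_memcheck, thread_root and triage are this example's own.

```python
import re

# Constructed sample: record 1 is shortened from the Memcheck trace in comment 7;
# record 2 (demo.c, print_item) is invented here as a same-thread contrast.
SAMPLE = """\
==26730== Invalid read of size 8
==26730==    at 0x120EDA3: av_dict_copy (dict.c:222)
==26730==    by 0x12170C8: av_frame_ref (frame.c:457)
==26730==    by 0xB73568: update_thread_context (pngdec.c:1622)
==26730==    by 0x49519D: main (ffmpeg.c:5005)
==26730==  Address 0x1e68cf70 is 0 bytes inside a block of size 16 free'd
==26730==    at 0x4840D7B: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26730==    by 0x120E70A: av_dict_set (dict.c:106)
==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
==26730==  Block was alloc'd at
==26730==    at 0x483E6AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26730==    by 0x120E70A: av_dict_set (dict.c:106)
==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
==26730==
==26730== Invalid read of size 4
==26730==    at 0x401136: print_item (demo.c:12)
==26730==    by 0x401190: main (demo.c:30)
==26730==  Address 0x4a4b040 is 0 bytes inside a block of size 4 free'd
==26730==    at 0x483CA3F: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26730==    by 0x401180: main (demo.c:28)
==26730==
"""

PREFIX = re.compile(r"^==\d+==")
ACCESS = re.compile(r"Invalid (read|write) of size (\d+)$")
ADDRESS = re.compile(r"Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block "
                     r"of size (\d+) (free'd|alloc'd)$")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(")
ALLOCATOR = {"malloc", "calloc", "realloc", "free", "memalign", "posix_memalign"}

def parse_memcheck(text):
    """Split Memcheck output into records with access/free/alloc call stacks."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        body = PREFIX.sub("", line).strip()
        if (m := ACCESS.match(body)):
            cur = {"kind": m.group(1), "size": int(m.group(2)), "offset": None,
                   "block_size": None, "access": [], "free": [], "alloc": []}
            records.append(cur)
            section = "access"
        elif cur is None:
            continue
        elif (m := ADDRESS.match(body)):
            cur["offset"], cur["block_size"] = int(m.group(1)), int(m.group(2))
            section = "free" if m.group(3) == "free'd" else "alloc"
        elif body.startswith("Block was alloc'd at"):
            section = "alloc"
        elif (m := FRAME.match(body)):
            cur[section].append(m.group(1))
        elif not body:
            cur = None  # a blank "==PID==" line ends the record
    return records

def thread_root(stack):
    """Thread entry function of a stack ('main' for the main thread).
    Unreliable when Valgrind truncated the stack (see --num-callers)."""
    for i, fn in enumerate(stack):
        if fn in ("start_thread", "clone") and i > 0:
            return stack[i - 1]
    return stack[-1] if stack else None

def triage(text):
    """Report each access to freed memory and whether the free ran on another thread."""
    findings = []
    for rec in parse_memcheck(text):
        if not rec["free"]:
            continue  # no free stack: not an access to freed memory
        a, f = thread_root(rec["access"]), thread_root(rec["free"])
        findings.append({
            "accessor": rec["access"][0] if rec["access"] else None,
            "freed_by": next((fn for fn in rec["free"] if fn not in ALLOCATOR), None),
            "via_realloc": rec["free"][0] == "realloc",
            "offset": rec["offset"], "block_size": rec["block_size"],
            "access_thread": a, "free_thread": f, "cross_thread": a != f,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with cross_thread and via_realloc both true means one thread grew a heap array while another thread was still reading it, which is why the crash in this ticket depends on timing.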

comment:8 by Carl Eugen Hoyos, 4 years ago

valgrind also shows a leak:

==3618==    at 0x4840EB8: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3618==    by 0x4840FEE: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3618==    by 0x1223141: av_malloc (mem.c:86)
==3618==    by 0x120B1C7: av_bprint_finalize (bprint.c:248)
==3618==    by 0xB74563: decode_frame_common (pngdec.c:1352)
==3618==    by 0xB77769: decode_frame_png (pngdec.c:1495)
==3618==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
==3618==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
==3618==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)

comment:9 by Balling, 4 years ago

This should be fixed in 8d74baccff59192d395735036cd40a131a140391, but you said it was introduced even before 5663301560d77486c7f7c03c1aa5f542fab23c24 in 2017??

BTW, looks like gAMA is exported, nice! Also it is not mastering display metadata. https://github.com/FFmpeg/FFmpeg/commit/8e4390de48b22cf6dd2307f0c29a3fef7016ef4c#diff-a3bda6216522f5daa7cbc2a5a3b2a3dd261df44c49a6a3f4939028b8aa76a319R36 It is actually à la ICC profile, except it is in D65 adapted in 2° observer, not D50 adapted 2° observer like in ICC! (ICCv5 MAX of course added any adaptation you want with any observer you wanna even the super crazy modern one.) Also if iCCP chunk with ICC profile or sRGB chunk of any rendering intent are present, it overwrites cHRM. Because well, sRGB IS NOT 2.2 gamma. It is piecewise and in ICCv2 you need to use 1DLUT, while ICCv4 you can use parametric curve encoding. But you can simply use sRGB chunk. Yeah.


comment:10 by Carl Eugen Hoyos, 4 years ago

Resolution: fixed
Status: new → closed