Opened 9 years ago
Closed 9 years ago
#4873 closed defect (needs_more_info)
crashes in h264 decoder(decode_postinit)
| Reported by: | zylthinking | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | unspecified | Keywords: | h264 crash |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description (last modified by )
Summary of the bug:
```
I/DEBUG ( 7075): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 7075): Build fingerprint: 'Sony/L36h_1270-9104/L36h:4.2.2/10.3.1.A.2.67/vPd3rg:user/release-keys'
I/DEBUG ( 7075): Revision: '0'
I/DEBUG ( 7075): pid: 26530, tid: 26565, name: libmm.demo2 >>> libmm.demo2 <<<
I/DEBUG ( 7075): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058
I/DEBUG ( 7075): r0 77cb1020 r1 00000001 r2 00000002 r3 00000000
I/DEBUG ( 7075): r4 77cb1020 r5 00000000 r6 00000001 r7 77cb1e80
I/DEBUG ( 7075): r8 00000942 r9 77ab0c2c sl 6ef44620 fp 6e979dd0
I/DEBUG ( 7075): ip 00000000 sp 77ab0ac0 lr 75c98a68 pc 75c95408 cpsr 60000010
I/DEBUG ( 7075):
I/DEBUG ( 7075): backtrace:
I/DEBUG ( 7075): #00 pc 00163408 /data/app-lib/libmm.demo2-2/libmedia2.so (decode_postinit+48)
I/DEBUG ( 7075): #01 pc 00166a64 /data/app-lib/libmm.demo2-2/libmedia2.so (h264_decode_frame+948)
```

```
001633d8 <decode_postinit>:
  1633d8: e30b3968 movw r3, #47464 ; 0xb968
  1633dc: e3403008 movt r3, #8
  1633e0: e30b2d30 movw r2, #48432 ; 0xbd30
  1633e4: e3402008 movt r2, #8
  1633e8: e7903003 ldr r3, [r0, r3]
  1633ec: e92d4ff0 push {r4, r5, r6, r7, r8, r9, sl, fp, lr}
  1633f0: e3530000 cmp r3, #0
  1633f4: e59055e0 ldr r5, [r0, #1504] ; 0x5e0
  1633f8: e24dd014 sub sp, sp, #20
  1633fc: e7902002 ldr r2, [r0, r2]
  163400: e1a04000 mov r4, r0
  163404: e1a06001 mov r6, r1
  163408: e5852058 str r2, [r5, #88] ; 0x58 -------------------------- here
          if (h->next_output_pic) return;
  16340c: 0a000001 beq 163418 <decode_postinit+0x40>
  163410: e28dd014 add sp, sp, #20
  163414: e8bd8ff0 pop {r4, r5, r6, r7, r8, r9, sl, fp, pc}
```
How to reproduce:
Play the video stream from rtmp://62.113.210.250:1935/medienasa-live/ok-magdeburg_high; after some time, it crashes. All the input stream seems to be right (having a correct nalu header at least).
Attachments (1)
Change History (17)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Keywords: | crash added |
---|---|
Priority: | critical → important |
Is the crash reproducible with current FFmpeg git head?
How can I reproduce the issue?
comment:3 by , 9 years ago
I can't reproduce it because the rtmp source is hard to connect to currently.
I met this crash when testing my Android demo, which uses ffmpeg 2.6.1; if necessary, I can attach the app.
comment:4 by , 9 years ago
Currently, there is no information in this ticket that would allow the FFmpeg developers to fix an issue. I tested the stream for 5.5 hours and while I did see reception issues, I cannot reproduce a crash.
There are different ways to go on, I would suggest you port your application to a desktop environment to allow easier testing. Alternatives are to use gdb for debugging and / or recompilation with --disable-asm to rule out an assembler optimization issue.
Finally, please understand that if there is an issue that we can reproduce it will be fixed in current FFmpeg git head, so at some point you will have to test it. If you either confirm that the issue is still reproducible or rule that out, it will speed up the process.
comment:5 by , 9 years ago
Description: | modified (diff) |
---|
by , 9 years ago
comment:6 by , 9 years ago
I tried to reproduce this at master head and could not reproduce it, but maybe just because of luck;
then I retried it at n.2.6.1, and caught it.
The attachment is the nalu I feed into avcodec_decode_video2, which causes this crash.
comment:7 by , 9 years ago
I have retested the crashing nalu stream with the master head ffmpeg and found no crash, while it crashes every time with n2.6.1.
So, it should have been fixed at master.
follow-up: 9 comment:8 by , 9 years ago
I am unable to reproduce the issue on Android with 2.6.1.
If you need a fix for your issue, please test versions 2.6.4, 2.7.2 and 2.8.
```
$ ./ffmpeg -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.9 (GCC) 20140827 (prerelease)
  configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8
  libavutil 54. 20.100 / 54. 20.100
  libavcodec 56. 26.100 / 56. 26.100
  libavformat 56. 25.101 / 56. 25.101
  libavdevice 56. 4.100 / 56. 4.100
  libavfilter 5. 11.102 / 5. 11.102
  libswscale 3. 1.101 / 3. 1.101
  libswresample 1. 1.100 / 1. 1.100
  libpostproc 53. 3.100 / 53. 3.100
Input #0, h264, from 'nalu':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264 (Main), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], 25 fps, 25 tbr, 1200k tbn, 50 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf56.25.101
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder : Lavc56.26.100 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[null @ 0x12369a0] Encoder did not produce proper pts, making some up.
frame= 206 fps= 84 q=0.0 Lsize=N/A time=00:00:08.24 bitrate=N/A
video:13kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
```
follow-up: 10 comment:9 by , 9 years ago
Replying to cehoyos:
I am unable to reproduce the issue on Android with 2.6.1.
If you need a fix for your issue, please test versions 2.6.4, 2.7.2 and 2.8.
$ ./ffmpeg -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 4.9 (GCC) 20140827 (prerelease)
configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8
Do you turn on the CODEC_FLAG_LOW_DELAY, CODEC_FLAG_TRUNCATED and CODEC_FLAG2_CHUNKS in the flags & flags2?
OK, 2.8 has been tested and shows no crash any more.
libavutil 54. 20.100 / 54. 20.100
libavcodec 56. 26.100 / 56. 26.100
libavformat 56. 25.101 / 56. 25.101
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 11.102 / 5. 11.102
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
libpostproc 53. 3.100 / 53. 3.100
Input #0, h264, from 'nalu':
Duration: N/A, bitrate: N/A
Stream #0:0: Video: h264 (Main), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], 25 fps, 25 tbr, 1200k tbn, 50 tbc
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf56.25.101
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
Metadata:
encoder : Lavc56.26.100 rawvideo
Stream mapping:
Press [q] to stop, ? for help
[null @ 0x12369a0] Encoder did not produce proper pts, making some up.
frame= 206 fps= 84 q=0.0 Lsize=N/A time=00:00:08.24 bitrate=N/A
video:13kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
follow-up: 11 comment:10 by , 9 years ago
Replying to zylthinking:
Replying to cehoyos:
I am unable to reproduce the issue on Android with 2.6.1.
If you need a fix for your issue, please test versions 2.6.4, 2.7.2 and 2.8.
$ ./ffmpeg -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 4.9 (GCC) 20140827 (prerelease)
configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8
do you turn on the CODEC_FLAG_LOW_DELAY, CODEC_FLAG_TRUNCATED and CODEC_FLAG2_CHUNKS in the flags & flags2?
No, how would I have known that I should use them?
No crash here with these flags used:
```
$ ./ffmpeg -flags +low_delay+truncated -flags2 +chunks -i nalu -f null -
ffmpeg version n2.6.1 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.9 (GCC) 20140827 (prerelease)
  configuration: --cross-prefix=../android-ndk-r10e/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi- --arch=arm --target-os=linux --sysroot=/mnt/cehoyos/android/android-ndk-r10e/platforms/android-17/arch-arm/ --enable-gpl --cpu=cortex-a8
  libavutil 54. 20.100 / 54. 20.100
  libavcodec 56. 26.100 / 56. 26.100
  libavformat 56. 25.101 / 56. 25.101
  libavdevice 56. 4.100 / 56. 4.100
  libavfilter 5. 11.102 / 5. 11.102
  libswscale 3. 1.101 / 3. 1.101
  libswresample 1. 1.100 / 1. 1.100
  libpostproc 53. 3.100 / 53. 3.100
Input #0, h264, from 'nalu':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264 (Main), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], 25 fps, 25 tbr, 1200k tbn, 50 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf56.25.101
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder : Lavc56.26.100 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[null @ 0x1236b90] Encoder did not produce proper pts, making some up.
[h264 @ 0x136c300] Cannot parallelize slice decoding with deblocking filter type 1, decoding such frames in sequential order
To parallelize slice decoding you need video encoded with disable_deblocking_filter_idc set to 2 (deblock only edges that do not cross slices).
Setting the flags2 libavcodec option to +fast (-flags2 +fast) will disable deblocking across slices and enable parallel slice decoding but will generate non-standard-compliant output.
frame= 206 fps= 57 q=0.0 Lsize=N/A time=00:00:08.24 bitrate=N/A
video:13kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
```
OK, 2.8 has been tested and shows no crash any more.
If you want this fixed, you will either have to explain how I can reproduce or run a bisect to find the change fixing the issue for you.
comment:11 by , 9 years ago
Replying to cehoyos:
I don't know why it only crashes on my site; my code is shown here:
```c
static void* ffmpeg_open(fourcc** in, fourcc** out)
{
    ffmpeg_wrapper_t* wrapper = (ffmpeg_wrapper_t *) my_malloc(sizeof(ffmpeg_wrapper_t));
    if (wrapper == NULL) {
        return NULL;
    }

    wrapper->in = to_video_format(in);
    wrapper->out = to_video_format(out);
    wrapper->id = media_id_unkown;
    wrapper->angle = 0;
    wrapper->last_pts = wrapper->last_seq = 0;
    wrapper->bytes = 0;
    wrapper->nr = wrapper->seq = 0;
    INIT_LIST_HEAD(&wrapper->pts_free);
    INIT_LIST_HEAD(&wrapper->pts_used);
    for (intptr_t i = 0; i < elements(wrapper->times); ++i) {
        list_add(&wrapper->times[i].entry, &wrapper->pts_free);
    }

    avcodec_register_all();
    AVCodec* codec = avcodec_find_decoder(AV_CODEC_ID_H264);
    if (codec == NULL) {
        my_free(wrapper);
        return NULL;
    }
    my_assert(codec->capabilities & CODEC_CAP_DR1);

    AVCodecContext* context = avcodec_alloc_context3(codec);
    if (context == NULL) {
        my_free(wrapper);
        return NULL;
    }
    wrapper->context = context;

    AVFrame* frame_buffer = av_frame_alloc();
    if(frame_buffer == NULL){
        avcodec_free_context(&context);
        my_free(wrapper);
        return NULL;
    }
    wrapper->frame = frame_buffer;

    context->refcounted_frames = 1;
    context->opaque = (void *) wrapper;
    //context->flags |= CODEC_FLAG_LOW_DELAY | CODEC_FLAG_TRUNCATED;
    //context->flags2 |= CODEC_FLAG2_CHUNKS;

    if (0 != avcodec_open2(context, codec, NULL)) {
        av_frame_free(&frame_buffer);
        avcodec_free_context(&context);
        my_free(wrapper);
        return NULL;
    }
    return wrapper;
}

static struct my_buffer* replace(struct my_buffer* mbuf)
{
    static FILE* file = NULL;
    static char buffer[1024 * 1024 * 64];
    static int bytes = 0;
    static int nr = 0;

    if (file == NULL) {
        file = fopen("/sdcard/nalu", "rb");
        bytes = (int) fread(buffer, 1, sizeof(buffer), file);
        fclose(file);
    }

    media_buffer* media = (media_buffer *) mbuf->ptr[0];
    uint64_t seq = media->seq;
    uint64_t pts = media->pts;
    uint64_t id = media->id;
    mbuf->mop->free(mbuf);

    char code[] = {0, 0, 0, 1};
    int nb = bytes;
    if (bytes < 4) {
        return NULL;
    }

    char* end = (char *) memmem(&buffer[nr + 4], bytes - 4, code, 4);
    if (end != NULL) {
        nb = (int) (end - &buffer[nr]);
    }

    mbuf = mbuf_alloc_2(nb + sizeof(media_buffer));
    media = (media_buffer *) mbuf->ptr[0];
    mbuf->ptr[1] = mbuf->ptr[0] + sizeof(media_buffer);
    mbuf->length -= sizeof(media_buffer);
    memcpy(mbuf->ptr[1], &buffer[nr], nb);
    nr += nb;
    bytes -= nb;

    memset(media->vp, 0, sizeof(media->vp));
    media->vp[0].ptr = mbuf->ptr[1];
    media->vp[0].type_stride = video_type_unkown;
    media->fragment[0] = media->fragment[1] = 1;
    media->angle = 0;
    media->pptr_cc = fourcc_get(codec_h264, 720, 576);
    media->seq = seq;
    media->pts = pts;
    media->id = id;
    return mbuf;
}

static int32_t ffmpeg_write(void* handle, struct my_buffer* mbuf, struct list_head* head)
{
    media_buffer* media = NULL;
    ffmpeg_wrapper_t* wrapper = (ffmpeg_wrapper_t *) handle;
    if (wrapper->id == media_id_unkown) {
        if (mbuf == NULL) {
            return 0;
        }
        media = (media_buffer *) mbuf->ptr[0];
        wrapper->id = media->id;
    }

    // ffmpeg will never modify avpkt.
    AVPacket avpkt;
    avpkt.data = NULL;
    avpkt.size = 0;
    if (mbuf != NULL) {
        mbuf = replace(mbuf);
        if (mbuf == NULL) {
            return 0;
        }
        media = (media_buffer *) mbuf->ptr[0];
        av_init_packet(&avpkt);
        avpkt.data = (uint8_t *) media->vp[0].ptr;
        avpkt.size = (int) mbuf->length;
    }

    int32_t nr = 0;
    static int l = 0;
    while ((mbuf == NULL) || (avpkt.size > 0)) {
        int got = 0;
        mark("l == %d", l++);
        int consumed = avcodec_decode_video2(wrapper->context, wrapper->frame, &got, &avpkt);
        if (consumed < 0) {
            consumed = -consumed;
            char* pch = (char *) &consumed;
            mark("avcodec_decode_video2 failed %d(%c%c%c%c)\n", consumed, pch[0], pch[1], pch[2], pch[3]);
            my_assert(got == 0);
            break;
        }

        if (got != 0 && 0) {
            AVBufferRef* bufref = wrapper->frame->buf[0];
            struct my_buffer* mbuf2 = (struct my_buffer *) av_buffer_get_opaque(bufref);
            // this works when ffmpeg won't try to reuse the buffer
            // instead of releasing the ref (if it does this, mbuf2 may be written unexpectedly).
            mbuf2 = mbuf2->mop->clone(mbuf2);
            av_frame_unref(wrapper->frame);

            if (mbuf2 != NULL) {
                media = (media_buffer *) mbuf2->ptr[0];
                if (list_empty(&wrapper->pts_used)) {
                    media->pts = wrapper->last_pts;
                    media->seq = wrapper->last_seq;
                } else {
                    frame_pts_pop(wrapper, media);
                }
                list_add_tail(&mbuf2->head, head);
                ++nr;
            }
        } else if (consumed == 0) {
            my_assert(mbuf == NULL);
            break;
        }

        if (mbuf != NULL) {
            avpkt.size -= consumed;
            avpkt.data += consumed;
        } else {
            my_assert(consumed == 0);
        }
    }

    if (mbuf != NULL) {
        mbuf->mop->free(mbuf);
    }
    return nr;
}
```
When the CODEC_FLAG_LOW_DELAY things are enabled:
E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 201
E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 202
E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 203
E/zylthinking(11874): 410@ffmpeg_write tid 11923 l == 204
I/DEBUG (14529): * * * * * * * * * * * * * * * *
I/DEBUG (14529): Build fingerprint: 'Sony/L36h_1270-9104/L36h:4.2.2/10.3.1.A.2.67/vPd3rg:user/release-keys'
I/DEBUG (14529): Revision: '0'
I/DEBUG (14529): pid: 11874, tid: 11923, name: libmm.demo2 >>> libmm.demo2 <<<
I/DEBUG (14529): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058
I/DEBUG (14529): r0 70c3c020 r1 00000001 r2 00000002 r3 00000000
I/DEBUG (14529): r4 70c3c020 r5 00000000 r6 00000001 r7 70c3ce80
I/DEBUG (14529): r8 0000089f r9 7bbaec30 sl 6e0dcbe0 fp 6ef03620
I/DEBUG (14529): ip 00000000 sp 7bbaeab8 lr 75d990f4 pc 75d95a94 cpsr 60000010
I/DEBUG (14529): d0 ffffffffffffffff d1 ffffffffffffffff
I/DEBUG (14529): d2 ffffffffffffffff d3 ffffffffffffffff
I/DEBUG (14529): d4 ffffffffffffffff d5 ffffffffffffffff
I/DEBUG (14529): d6 ffffffffffffffff d7 ffffffffffffffff
I/DEBUG (14529): d8 0000000000000000 d9 0000000000000000
I/DEBUG (14529): d10 0000000000000000 d11 0000000000000000
I/DEBUG (14529): d12 0000000000000000 d13 0000000000000000
I/DEBUG (14529): d14 0000000000000000 d15 0000000000000000
I/DEBUG (14529): d16 ffffffffffffffff d17 ffffffffffffffff
I/DEBUG (14529): d18 ffffffffffffffff d19 ffffffffffffffff
I/DEBUG (14529): d20 ffffffffffffffff d21 ffffffffffffffff
I/DEBUG (14529): d22 ffffffffffffffff d23 ffffffffffffffff
I/DEBUG (14529): d24 0101010101010101 d25 ffffffffffffffff
I/DEBUG (14529): d26 ffffffffffffffff d27 1010101010101010
I/DEBUG (14529): d28 0080008000800080 d29 0080008000800080
I/DEBUG (14529): d30 0000000000000000 d31 0000000000000000
I/DEBUG (14529): scr 6800009e
I/DEBUG (14529):
I/DEBUG (14529): backtrace:
I/DEBUG (14529): #00 pc 00163a94 /data/app-lib/libmm.demo2-1/libmedia2.so (decode_postinit+48)
I/DEBUG (14529): #01 pc 001670f0 /data/app-lib/libmm.demo2-1/libmedia2.so (h264_decode_frame+948)
I/DEBUG (14529):
I/DEBUG (14529): stack:
I/DEBUG (14529): 7bbaea78 0000089f
I/DEBUG (14529): 7bbaea7c 00000007
I/DEBUG (14529): 7bbaea80 00000000
When the CODEC_FLAG_LOW_DELAY things are disabled:
E/zylthinking(12190): 410@ffmpeg_write tid 12229 l == 202
E/zylthinking(12190): 410@ffmpeg_write tid 12229 l == 203
E/zylthinking(12190): 410@ffmpeg_write tid 12229 l == 204
It reports an error, though there is no crash:
E/zylthinking(12190): 416@ffmpeg_write tid 12229 avcodec_decode_video2 failed 1094995529(INDA)
the code is n2.6.1, the ffmpeg make script:
find * | grep "\.o$" | xargs rm
./configure --prefix=./zyl/android --arch=armv7 --cpu=cortex-a8 --target-os=linux --enable-optimizations --enable-asm --disable-armv5te --enable-lto --enable-cross-compile --enable-pic --disable-debug --disable-logging --disable-programs --disable-doc --disable-runtime-cpudetect --enable-version3 --disable-symver --disable-iconv --disable-bzlib --disable-zlib --disable-avdevice --disable-everything --enable-bsf=h264_mp4toannexb --enable-swscale --enable-network --enable-protocol=file --enable-protocol=http --enable-protocol=rtmp --enable-protocol=hls --enable-demuxer=hls --enable-demuxer=mpegts --enable-demuxer=mov --enable-demuxer=flv --enable-muxer=mp4 --enable-decoder=h264 --enable-decoder=aac --enable-parser=h264 --sysroot="/opt/android/ndk/platforms/android-15/arch-arm/" --sysinclude="/opt/android/ndk/platforms/android-15/arch-arm/usr/include/" --cross-prefix="/opt/android/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-" --extra-cflags="-w -mvectorize-with-neon-quad -mfpu=neon -mfloat-abi=softfp" --extra-ldflags="-mfpu=neon -L/opt/android/ndk/platforms/android-15/arch-arm/usr/lib -nostdlib /opt/android/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/lib/gcc/arm-linux-androideabi/4.8/crtbegin.o /opt/android/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/lib/gcc/arm-linux-androideabi/4.8/crtend.o -lc -lm"
make
make install
follow-up: 15 comment:12 by , 9 years ago
How can I compile the code you provided? There are no includes and no main() function...
Could you also try with the configure line I provided? Or produce a backtrace with gdb that at least tells us where exactly the crash happens? You will have to remove --disable-debug.
comment:13 by , 9 years ago
```c
static void decode_postinit(H264Context *h, int setup_finished)
{
    Picture *out = h->cur_pic_ptr;
    Picture *cur = h->cur_pic_ptr;
    int i, pics, out_of_order, out_idx;

    h->cur_pic_ptr->f.pict_type = h->pict_type;
    /* crash here; judging by the crash log and the disassembly code, it should be
       h->cur_pic_ptr == NULL; there is some analysis below */

    if (h->next_output_pic)
        return;
    ........................................
}
```
disassembly code for the function is:
```
1633f4: e59055e0 ldr r5, [r0, #1504] ; 0x5e0 ----------------- r5 is loaded from r0 plus an offset; r0 should be H264Context *h, so r5 is a field of h
1633f8: e24dd014 sub sp, sp, #20
1633fc: e7902002 ldr r2, [r0, r2]
163400: e1a04000 mov r4, r0
163404: e1a06001 mov r6, r1
163408: e5852058 str r2, [r5, #88] ; 0x58 -------------------------- here, then store r2 to address r5 + 0x58
```
Look at the crash log:
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058
Here there is a 0x58,
and the code after that is

```
16340c: 0a000001 beq 163418 <decode_postinit+0x40>
163410: e28dd014 add sp, sp, #20
163414: e8bd8ff0 pop {r4, r5, r6, r7, r8, r9, sl, fp, pc}
```

It checks something == 0 and, if it is not equal to 0, returns,
which is absolutely
if (h->next_output_pic)
return;
OK, we can say something is written into memory before a potential return; then check the C code; only
h->cur_pic_ptr->f.pict_type = h->pict_type; satisfies this.
OK, now we know this line crashes. Because r5 is some field of h, and str r2, [r5, #88] seems to be writing something to a field of r5, we know r5 should be h->cur_pic_ptr.
OK, the crashing address is 0x58, and str r2, [r5, #88] is writing to r5 + 0x58; we know r5 is 0;
e.g. h->cur_pic_ptr == NULL
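The register reasoning in comment 13, as an added triage sketch in Python (not part of the ticket and not FFmpeg code): it recomputes the effective address of the faulting `str` from the tombstone registers and checks it against the reported fault address. The log lines and the objdump line are the values quoted in this ticket; `triage` and its result keys are hypothetical names, and only 32-bit ARM `ldr`/`str` with an immediate offset is handled.

```python
import re

# Tombstone lines and the objdump line, copied from the values quoted in this ticket.
TOMBSTONE = """\
I/DEBUG ( 7075): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000058
I/DEBUG ( 7075): r0 77cb1020 r1 00000001 r2 00000002 r3 00000000
I/DEBUG ( 7075): r4 77cb1020 r5 00000000 r6 00000001 r7 77cb1e80
I/DEBUG ( 7075): r8 00000942 r9 77ab0c2c sl 6ef44620 fp 6e979dd0
I/DEBUG ( 7075): ip 00000000 sp 77ab0ac0 lr 75c98a68 pc 75c95408 cpsr 60000010
I/DEBUG ( 7075): #00 pc 00163408 /data/app-lib/libmm.demo2-2/libmedia2.so (decode_postinit+48)
"""
FAULT_INSN = "163408: e5852058 str r2, [r5, #88] ; 0x58"

REG_RE = re.compile(r"\b(r\d{1,2}|sl|fp|ip|sp|lr|pc)\s+([0-9a-f]{8})\b")
FRAME_RE = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]{8})\s+\S+\s+\((\S+)\)")
MEM_RE = re.compile(r"\b(ldr|str)\w*\s+r\d+,\s*\[(\w+)(?:,\s*#(-?\d+))?\]")


def triage(tombstone, insn, page_size=4096):
    """Recompute the faulting access (hypothetical helper, 32-bit ARM only)."""
    fault = int(re.search(r"fault addr ([0-9a-f]+)", tombstone).group(1), 16)
    regs, frame0 = {}, None
    for line in tombstone.splitlines():
        frame = FRAME_RE.search(line)
        if frame:  # backtrace line: its "pc" is a module offset, not a register
            if int(frame.group(1)) == 0:
                frame0 = (int(frame.group(2), 16), frame.group(3))
            continue
        for name, value in REG_RE.findall(line):
            regs[name] = int(value, 16)

    mem = MEM_RE.search(insn)
    if mem is None or frame0 is None:
        raise ValueError("need a ldr/str instruction and a #00 frame")
    op, base, imm = mem.group(1), mem.group(2), int(mem.group(3) or 0)
    effective = (regs[base] + imm) & 0xFFFFFFFF
    return {
        "function": frame0[1],
        # The objdump address must equal the #00 module offset, otherwise the
        # analysis is looking at the wrong instruction.
        "insn_is_frame0": int(insn.split(":")[0], 16) == frame0[0],
        "access": "write" if op == "str" else "read",
        "base_reg": base,
        "base_value": regs[base],
        "offset": imm,
        "matches_fault": effective == fault,
        # Heuristic: a zero base plus a small constant offset is a field
        # access through a NULL struct pointer.
        "null_struct_deref": regs[base] == 0 and 0 <= imm < page_size,
    }


if __name__ == "__main__":
    for key, value in triage(TOMBSTONE, FAULT_INSN).items():
        print(f"{key:18} {value}")
```
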
comment:14 by , 9 years ago
You can use git bisect to find the change fixing the problem for you, I will then backport it to the 2.6 release branch.
comment:15 by , 9 years ago
Replying to cehoyos:
OK, I will try to find it, but it may take a long time to find.
comment:16 by , 9 years ago
Resolution: | → needs_more_info |
---|---|
Status: | new → closed |
This can only be fixed if you either explain how the crash can be reproduced or tell us which change fixed the crash.
the version is n2.6.1