Opened 8 years ago

Closed 8 years ago

#5500 closed defect (invalid)

ff_h264_decode_nal crash on iOS 32/64 bit

Reported by: glip
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: h264 crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

I'm using statically linked ffmpeg in my app; while playing H.264 video files it crashes with EXC_BAD_ACCESS. The crash is hard to reproduce; it happens randomly, sometimes after a few hours, sometimes within a couple of minutes. The crash happens in h264.c, line 261 (the first if in the for loop):
#if HAVE_FAST_64BIT
for (i = 0; i + 1 < length; i += 9) {
if (!((~AV_RN64A(src + i) & /* <-- crash */
(AV_RN64A(src + i) - 0x0100010001000101ULL)) &
0x8000800080008080ULL))
continue;
FIND_FIRST_ZERO;
STARTCODE_TEST;
i -= 7;
}
#else

ffmpeg version N-79632-g3ce1988 Copyright (c) 2000-2016 the FFmpeg developers
built with Apple LLVM version 7.3.0 (clang-703.0.29)
configuration: --prefix=build/macx64 --enable-gpl
libavutil 55. 22.101 / 55. 22.101
libavcodec 57. 38.100 / 57. 38.100
libavformat 57. 34.103 / 57. 34.103
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 44.100 / 6. 44.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100

Attachments (1)

Crash 32 bit.txt (7.3 KB ) - added by glip 8 years ago.


Change History (11)

in reply to:  description comment:1 by Carl Eugen Hoyos, 8 years ago

Replying to glip:

configuration: --prefix=build/macx64 --enable-gpl

This does not look like an iOS build.

Please either:

comment:2 by glip, 8 years ago

Why not? I built it into a folder to use in my app. I do not know how you can reproduce it: my app plays 13 files simultaneously (all H.264), and eventually it crashes. When I run the app in the debugger, this is the point where it crashes: h264.c, line 261


comment:3 by glip, 8 years ago

Parts of the Mac crash report:

Version: ???
Code Type: X86-64 (Native)
Parent Process: Qt Creator [525]

Date/Time: 2016-05-02 08:56:34.610 -0400
OS Version: Mac OS X 10.11.4 (15E65)
Report Version: 11

Time Awake Since Boot: 4000 seconds

System Integrity Protection: enabled

Crashed Thread: 7 QThread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000012e0c6000
Exception Note: EXC_CORPSE_NOTIFY

VM Regions Near 0x12e0c6000:

MALLOC_LARGE 000000012dfcc000-000000012e0c6000 [ 1000K] rw-/rwx SM=PRV

-->

MALLOC_LARGE 000000012e1c2000-000000012e2b8000 [ 984K] rw-/rwx SM=PRV

Thread 7 Crashed:: QThread
0 com.yourcompany.app 0x000000010f3adf23 ff_h264_decode_nal + 131 (h264.c:261)

Thread 8:: QThread
0 com.yourcompany.app 0x000000010f3ba0ab get_cabac_noinline + 75 (cabac.h:192)

Thread 9:: QThread
0 com.yourcompany.app 0x000000010f3ba2fd fill_decode_caches + 141 (h264_mvpred.h:461)

Thread 10:: QThread
0 com.yourcompany.app 0x000000010f3ba5e5 fill_decode_caches + 885 (h264_mvpred.h:545)

comment:4 by Carl Eugen Hoyos, 8 years ago

Please read https://ffmpeg.org/bugreports.html (again):
What is needed is the backtrace of the crashing thread, the disassembly of the current function and a register dump.

comment:5 by glip, 8 years ago

If I use av_log_set_level(AV_LOG_TRACE), the last thing I see in the app console output is:

[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa6e7800] stream 1, sample 877, dts 29262567
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa6e7800] stream 0, sample 1419, dts 30272000
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa6e7800] stream 1, sample 877, dts 29262567
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f90091d5400] stream 0, sample 4456, dts 148681867
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa29ca00] stream 0, sample 3076, dts 102635867
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003ff6400] stream 0, sample 5309, dts 113258667
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003ff6400] stream 1, sample 2807, dts 112280000
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003ff6400] stream 0, sample 5310, dts 113280000
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003ff6400] stream 1, sample 2807, dts 112280000
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003ff6400] stream 0, sample 5311, dts 113301333
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003ff6400] stream 1, sample 2807, dts 112280000
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa29ca00] stream 0, sample 3077, dts 102669233
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa004e00] stream 0, sample 3100, dts 103436667
[h264 @ 0x7f8ffa4ca600] user data:"����������������"
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f90037b1a00] stream 0, sample 2554, dts 85218467
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f90091d5400] stream 0, sample 4457, dts 148715233
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003cbe600] stream 0, sample 176, dts 7040000
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003cbe600] stream 1, sample 295, dts 6849887
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f90038c7400] stream 0, sample 2932, dts 97831067
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa4a6800] stream 0, sample 670, dts 14293333
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa4a6800] stream 1, sample 399, dts 13313300
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa4a6800] stream 0, sample 671, dts 14314667
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f8ffa4a6800] stream 1, sample 399, dts 13313300
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9003d10e00] stream 0, sample 499, dts 19960000
[h264 @ 0x7f8ffd87a400] user data:"����������������"
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f9004c34c00] stream 0, sample 4538, dts 151417933
The program has unexpectedly finished.

comment:6 by Carl Eugen Hoyos, 8 years ago

Keywords: crash added
Priority: normal → important
Resolution: → needs_more_info
Status: new → closed

Please reopen this ticket if you can provide the missing information.

comment:7 by glip, 8 years ago

I'm using lldb. This is the crash of the 32-bit version:

Crash:

  • thread #17: tid = 0x7146, 0x00414092 app`ff_h264_decode_nal + 66, name = 'QThread', stop reason = EXC_BAD_ACCESS (code=1, address=0x26e05000)

frame #0: 0x00414092 spp`ff_h264_decode_nal + 66

app`ff_h264_decode_nal:
-> 0x414092 <+66>: movl (%esi,%ebp), %ecx

0x414095 <+69>: movl %ecx, %edx
0x414097 <+71>: notl %edx
0x414099 <+73>: leal -0x1000101(%ecx), %edi

(lldb) bt

  • thread #17: tid = 0x7146, 0x00414092 app`ff_h264_decode_nal + 66, name = 'QThread', stop reason = EXC_BAD_ACCESS (code=1, address=0x26e05000)
    • frame #0: 0x00414092 app`ff_h264_decode_nal + 66
      frame #1: 0x00415657 app`_lldb_unnamed_function8705$$app + 1623
      frame #2: 0x00417cd1 app`_lldb_unnamed_function8709$$app + 897
      frame #3: 0x00878cb2 app`avcodec_decode_video2 + 322
      frame #4: 0x0087a70a app`_lldb_unnamed_function11569$$app + 106
      frame #5: 0x0087a68d app`avcodec_send_packet + 173
      frame #6: 0x00050898 app`VideoDecoder::work() + 4376
      frame #7: 0x000445b7 app`_lldb_unnamed_function985$$app + 103
      frame #8: 0x0004451d app`_lldb_unnamed_function983$$app + 77
      frame #9: 0x00044450 app`QtPrivate::QSlotObject<void (VideoDecoder::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void, bool*) + 176
      frame #10: 0x07372917 QtCore`QMetaCallEvent::placeMetaCall(QObject*) + 55
      frame #11: 0x07374089 QtCore`QObject::event(QEvent*) + 121
      frame #12: 0x062a2b04 QtWidgets`QApplicationPrivate::notify_helper(QObject*, QEvent*) + 228
      frame #13: 0x062a405a QtWidgets`QApplication::notify(QObject*, QEvent*) + 522
      frame #14: 0x07345a70 QtCore`QCoreApplication::notifyInternal2(QObject*, QEvent*) + 176
      frame #15: 0x073467e4 QtCore`QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) + 852
      frame #16: 0x073a0a8c QtCore`QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 60
      frame #17: 0x07341adf QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 447
      frame #18: 0x07183a5c QtCore`QThread::exec() + 108
      frame #19: 0x071876bb QtCore`_lldb_unnamed_function261$$QtCore + 379
      frame #20: 0x96253780 libsystem_pthread.dylib`_pthread_body + 138
      frame #21: 0x962536f6 libsystem_pthread.dylib`_pthread_start + 155
      frame #22: 0x96250f7a libsystem_pthread.dylib`thread_start + 34

(lldb) disass -s $pc-32 -e $pc+32
app`ff_h264_decode_nal:

0x414072 <+34>: andl $0x1f, %eax
0x414075 <+37>: movl %eax, 0x32670(%ecx)
0x41407b <+43>: leal 0x1(%ebx), %esi
0x41407e <+46>: decl %edi
0x41407f <+47>: xorl %ebp, %ebp
0x414081 <+49>: cmpl $0x2, %edi
0x414084 <+52>: jl 0x41411e ; <+206>
0x41408a <+58>: nopw (%eax,%eax)
0x414090 <+64>: movl %edi, %eax

-> 0x414092 <+66>: movl (%esi,%ebp), %ecx

0x414095 <+69>: movl %ecx, %edx
0x414097 <+71>: notl %edx
0x414099 <+73>: leal -0x1000101(%ecx), %edi
0x41409f <+79>: andl %edx, %edi
0x4140a1 <+81>: testl $0x80008080, %edi ; imm = 0x80008080
0x4140a7 <+87>: je 0x414100 ; <+176>
0x4140a9 <+89>: cmpb $0x1, %cl
0x4140ac <+92>: sbbl %ecx, %ecx
0x4140ae <+94>: testl %ebp, %ebp

(lldb) register read --all
General Purpose Registers:

eax = 0x00055fe2 app`_lldb_unnamed_function1152$$app + 18
ebx = 0x26daf01c
ecx = 0x00055fe1 app`_lldb_unnamed_function1152$$app + 17
edx = 0xdba4a9d6
edi = 0x00055fe2 app`_lldb_unnamed_function1152$$app + 18
esi = 0x26daf01d
ebp = 0x00055fe0 app`_lldb_unnamed_function1152$$app + 16
esp = 0xb07ae360

ss = 0x00000023

eflags = 0x00010297 app`VideoServer::stopStreaming(unsigned int) + 7

eip = 0x00414092 app`ff_h264_decode_nal + 66

cs = 0x0000001b
ds = 0x00000023
es = 0x00000023
fs = 0x00000023
gs = 0x0000000f
ax = 0x5fe2
bx = 0xf01c
cx = 0x5fe1
dx = 0xa9d6
di = 0x5fe2
si = 0xf01d
bp = 0x5fe0
sp = 0xe360
ah = 0x5f
bh = 0xf0
ch = 0x5f
dh = 0xa9
al = 0xe2
bl = 0x1c
cl = 0xe1
dl = 0xd6

dil = 0xe2
sil = 0x1d
bpl = 0xe0
spl = 0x60

Exception State Registers:

trapno = 0x0000000e

err = 0x00000004

faultvaddr = 0x26e05000

(lldb)


comment:8 by glip, 8 years ago

Resolution: needs_more_info → (none)
Status: closed → reopened

by glip, 8 years ago

Attachment: Crash 32 bit.txt added

comment:9 by glip, 8 years ago

I'm not sure yet, but I think this crash might be caused by packet.data not containing extra AV_INPUT_BUFFER_PADDING_SIZE bytes.

comment:10 by Carl Eugen Hoyos, 8 years ago

Resolution: → invalid
Status: reopened → closed

Yes, this is the usual explanation.
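Added example (not code from the ticket or from FFmpeg) illustrating why the padding discussed in comment 9 matters for the scan loop quoted in the description: the HAVE_FAST_64BIT loop loads 8 bytes at src + i whenever i + 1 < length, so on an unpadded buffer it can read up to 6 bytes past the payload. DEMO_PADDING_SIZE and the helper names are assumptions for this demo; real code takes AV_INPUT_BUFFER_PADDING_SIZE from libavcodec/avcodec.h.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this demo only; use AV_INPUT_BUFFER_PADDING_SIZE in real code. */
#define DEMO_PADDING_SIZE 64

/* Highest byte offset the 64-bit scan from the ticket may touch for a NAL
 * payload of 'length' bytes on its fastest path (no zero byte found, so i
 * advances by 9 and each step loads 8 bytes at src + i). The zero-byte path
 * (i -= 7, then i += 9) only moves i in smaller steps and never past
 * length - 2, so the over-read bound derived here holds for every path. */
size_t max_scan_offset(size_t length)
{
    size_t i, last = 0;
    if (length < 2)
        return 0;                 /* loop body never executes */
    for (i = 0; i + 1 < length; i += 9)
        last = i;
    return last + 7;              /* 8-byte load covers last .. last+7 */
}

/* Bytes the scan may read past the end of an unpadded buffer (0..6). */
size_t scan_overread(size_t length)
{
    size_t m = max_scan_offset(length);
    return (length >= 2 && m >= length) ? m - length + 1 : 0;
}

/* 1 if 'padding' trailing bytes are enough to keep the scan in bounds. */
int padding_covers_scan(size_t length, size_t padding)
{
    return scan_overread(length) <= padding;
}

/* Copy caller data into a padded, zero-tailed buffer, which is what
 * libavcodec expects behind AVPacket.data. Caller frees with free(). */
uint8_t *make_padded_packet(const uint8_t *data, size_t size)
{
    uint8_t *buf = malloc(size + DEMO_PADDING_SIZE);
    if (!buf)
        return NULL;
    memcpy(buf, data, size);
    memset(buf + size, 0, DEMO_PADDING_SIZE);  /* padding must be zeroed */
    return buf;
}

/* Self-check used by the demo: build a padded copy and verify it. */
int padded_packet_ok(const uint8_t *data, size_t size)
{
    uint8_t *p = make_padded_packet(data, size);
    int ok = p && memcmp(p, data, size) == 0 && p[size] == 0 &&
             p[size + DEMO_PADDING_SIZE - 1] == 0;
    free(p);
    return ok;
}
```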
