#10628: vulkan decoder crash after seek
-------------------------------------+-----------------------------------
             Reporter:  quinkblack   |                    Owner:  (none)
                 Type:  defect       |                   Status:  new
             Priority:  critical     |                Component:  avcodec
              Version:  unspecified  |               Resolution:
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  1
Analyzed by developer:  0            |
-------------------------------------+-----------------------------------
Description changed by quinkblack:

Old description:

> With these two patches, I got ffplay working with the vulkan decoder and
> renderer.
>
> https://ffmpeg.org/pipermail/ffmpeg-devel/2023-October/315852.html
> https://ffmpeg.org/pipermail/ffmpeg-devel/2023-October/315853.html
>
> Then with this command:
>
> ./ffplay -hwaccel vulkan cctv.mp4
>
> The playback is fine. However, after a seek there is a heap-use-after-free
> crash:
>
> Seek to 35% ( 0:10:26) of total duration ( 0:29:59)       B f=0/0
> =================================================================
> ==274710==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x62100058eac8 at pc 0x559f471bf654 bp 0x7f977474c470 sp 0x7f977474c468
> READ of size 8 at 0x62100058eac8 thread T36 (av:h264:df15)
>     #0 0x559f471bf653 in ff_vk_unmap_buffers /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/vulkan.c:1045:13
>     #1 0x559f49b0207c in ff_vk_unmap_buffer /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/vulkan.h:419:12
>     #2 0x559f49b01f4e in free_data_buf /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/vulkan_video.c:206:5
>     #3 0x559f4adf47c8 in buffer_pool_flush /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/buffer.c:302:9
>     #4 0x559f4adf4944 in buffer_pool_free /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/buffer.c:313:5
>     #5 0x559f4adf4e96 in pool_release_buffer /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/buffer.c:350:9
>     #6 0x559f4adf2fe6 in buffer_replace /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/buffer.c:133:9
>     #7 0x559f4adf2d88 in av_buffer_unref /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/buffer.c:144:5
>     #8 0x559f471b5001 in ff_vk_exec_discard_deps /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/vulkan.c:549:9
>     #9 0x559f471b800c in ff_vk_exec_wait /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/vulkan.c:506:5
>     #10 0x559f49ad3c86 in ff_vk_decode_frame /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:375:9
>     #11 0x559f49ae32d3 in vk_h264_end_frame /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/vulkan_h264.c:530:12
>     #12 0x559f4a26e74c in ff_h264_field_end /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/h264_picture.c:238:15
>     #13 0x559f4854d788 in h264_decode_frame /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/h264dec.c:1066:20
>     #14 0x559f48e5405c in frame_worker_thread /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/pthread_frame.c:223:21
>     #15 0x7f97d8094ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
>     #16 0x7f97d8126a3f
> misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
>
> 0x62100058eac8 is located 456 bytes inside of 4296-byte region
> [0x62100058e900,0x62100058f9c8)
> freed by thread T37 here:
>     #0 0x559f4647cf12 in __interceptor_free (/home/quink/work/ffmpeg-
> ci/build/ffmpeg/ffplay+0x8b8f12) (BuildId:
> 5af246cc4f5d24a4baf349e77196a345b9331952)
>     #1 0x559f4ae99dc4 in av_free /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/mem.c:241:5
>     #2 0x559f48f23abe in ff_refstruct_unref /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/refstruct.c:130:9
>     #3 0x559f48f23d5e in ff_refstruct_replace /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/refstruct.c:163:5
>     #4 0x559f49ad0117 in ff_vk_update_thread_context /home/quink/work
> /ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:93:5
>     #5 0x559f48e4eced in update_context_from_thread /home/quink/work
> /ffmpeg-ci/build/ffmpeg/src/libavcodec/pthread_frame.c:379:23
>     #6 0x559f48e4c39c in submit_packet /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/pthread_frame.c:471:15
>     #7 0x559f48e4b1e9 in ff_thread_decode_frame /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/pthread_frame.c:522:11
>     #8 0x559f481d18e6 in decode_simple_internal /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/decode.c:428:20
>     #9 0x559f481d0f54 in decode_simple_receive_frame /home/quink/work
> /ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:609:15
>     #10 0x559f481bf11f in decode_receive_frame_internal /home/quink/work
> /ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:637:15
>     #11 0x559f481bebf6 in avcodec_send_packet /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/decode.c:734:15
>     #12 0x559f464f945a in decoder_decode_frame /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/fftools/ffplay.c:667:17
>     #13 0x559f464fa2a2 in get_video_frame /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/fftools/ffplay.c:1776:24
>     #14 0x559f464f112b in video_thread /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/fftools/ffplay.c:2149:15
>     #15 0x7f97d9afac6d  (/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x116c6d)
> (BuildId: 4d5b3c4d6ed820f4264d19e6b9dee40106d05359)
>
> previously allocated by thread T21 (av:h264:df0) here:
>     #0 0x559f4647dd37 in posix_memalign (/home/quink/work/ffmpeg-
> ci/build/ffmpeg/ffplay+0x8b9d37) (BuildId:
> 5af246cc4f5d24a4baf349e77196a345b9331952)
>     #1 0x559f4ae9998f in av_malloc /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavutil/mem.c:105:9
>     #2 0x559f48f234c3 in ff_refstruct_alloc_ext_c /home/quink/work
> /ffmpeg-ci/build/ffmpeg/src/libavcodec/refstruct.c:105:11
>     #3 0x559f49ade4d6 in ff_refstruct_alloc_ext /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/refstruct.h:97:12
>     #4 0x559f49ad738b in vulkan_decode_bootstrap /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:629:23
>     #5 0x559f49ad6c25 in ff_vk_frame_params /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:1011:11
>     #6 0x559f481c4e3e in avcodec_get_hw_frames_parameters
> /home/quink/work/ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1194:11
>     #7 0x559f481c464b in ff_decode_get_hw_frames_ctx /home/quink/work
> /ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1134:11
>     #8 0x559f49adbf94 in ff_vk_decode_init /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:1137:11
>     #9 0x559f481c6a1a in hwaccel_init /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/decode.c:1238:15
>     #10 0x559f481c6345 in ff_get_format /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/decode.c:1376:19
>     #11 0x559f4a2a9665 in get_pixel_format /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/h264_slice.c:911:12
>     #12 0x559f4a2a0e20 in h264_init_ps /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/h264_slice.c:1144:20
>     #13 0x559f4a28c77a in h264_field_start /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/h264_slice.c:1395:11
>     #14 0x559f4a287af4 in ff_h264_queue_decode_slice /home/quink/work
> /ffmpeg-ci/build/ffmpeg/src/libavcodec/h264_slice.c:2132:15
>     #15 0x559f485507d7 in decode_nal_units /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/h264dec.c:651:24
>     #16 0x559f4854d28c in h264_decode_frame /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/h264dec.c:1047:17
>     #17 0x559f48e5405c in frame_worker_thread /home/quink/work/ffmpeg-
> ci/build/ffmpeg/src/libavcodec/pthread_frame.c:223:21
>     #18 0x7f97d8094ac2 in start_thread nptl/./nptl/pthread_create.c:442:8

New description:

 With these two patches, I got ffplay working with the vulkan decoder and renderer.

 https://ffmpeg.org/pipermail/ffmpeg-devel/2023-October/315852.html
 https://ffmpeg.org/pipermail/ffmpeg-devel/2023-October/315853.html

 Then with this command:

 ./ffplay -hwaccel vulkan cctv.mp4

 The playback is fine. However, after a seek there is a heap-use-after-free
 crash:


 {{{

 Seek to 35% ( 0:10:26) of total duration ( 0:29:59)       B f=0/0
 =================================================================
 ==274710==ERROR: AddressSanitizer: heap-use-after-free on address
 0x62100058eac8 at pc 0x559f471bf654 bp 0x7f977474c470 sp 0x7f977474c468
 READ of size 8 at 0x62100058eac8 thread T36 (av:h264:df15)
     #0 0x559f471bf653 in ff_vk_unmap_buffers /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/vulkan.c:1045:13
     #1 0x559f49b0207c in ff_vk_unmap_buffer /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/vulkan.h:419:12
     #2 0x559f49b01f4e in free_data_buf /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/vulkan_video.c:206:5
     #3 0x559f4adf47c8 in buffer_pool_flush /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/buffer.c:302:9
     #4 0x559f4adf4944 in buffer_pool_free /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/buffer.c:313:5
     #5 0x559f4adf4e96 in pool_release_buffer /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/buffer.c:350:9
     #6 0x559f4adf2fe6 in buffer_replace /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/buffer.c:133:9
     #7 0x559f4adf2d88 in av_buffer_unref /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/buffer.c:144:5
     #8 0x559f471b5001 in ff_vk_exec_discard_deps /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/vulkan.c:549:9
     #9 0x559f471b800c in ff_vk_exec_wait /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/vulkan.c:506:5
     #10 0x559f49ad3c86 in ff_vk_decode_frame /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:375:9
     #11 0x559f49ae32d3 in vk_h264_end_frame /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/vulkan_h264.c:530:12
     #12 0x559f4a26e74c in ff_h264_field_end /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/h264_picture.c:238:15
     #13 0x559f4854d788 in h264_decode_frame /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/h264dec.c:1066:20
     #14 0x559f48e5405c in frame_worker_thread /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/pthread_frame.c:223:21
     #15 0x7f97d8094ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
     #16 0x7f97d8126a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

 0x62100058eac8 is located 456 bytes inside of 4296-byte region
 [0x62100058e900,0x62100058f9c8)
 freed by thread T37 here:
     #0 0x559f4647cf12 in __interceptor_free (/home/quink/work/ffmpeg-
 ci/build/ffmpeg/ffplay+0x8b8f12) (BuildId:
 5af246cc4f5d24a4baf349e77196a345b9331952)
     #1 0x559f4ae99dc4 in av_free /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/mem.c:241:5
     #2 0x559f48f23abe in ff_refstruct_unref /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/refstruct.c:130:9
     #3 0x559f48f23d5e in ff_refstruct_replace /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/refstruct.c:163:5
     #4 0x559f49ad0117 in ff_vk_update_thread_context /home/quink/work
 /ffmpeg-ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:93:5
     #5 0x559f48e4eced in update_context_from_thread /home/quink/work
 /ffmpeg-ci/build/ffmpeg/src/libavcodec/pthread_frame.c:379:23
     #6 0x559f48e4c39c in submit_packet /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/pthread_frame.c:471:15
     #7 0x559f48e4b1e9 in ff_thread_decode_frame /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/pthread_frame.c:522:11
     #8 0x559f481d18e6 in decode_simple_internal /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/decode.c:428:20
     #9 0x559f481d0f54 in decode_simple_receive_frame /home/quink/work
 /ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:609:15
     #10 0x559f481bf11f in decode_receive_frame_internal /home/quink/work
 /ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:637:15
     #11 0x559f481bebf6 in avcodec_send_packet /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/decode.c:734:15
     #12 0x559f464f945a in decoder_decode_frame /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/fftools/ffplay.c:667:17
     #13 0x559f464fa2a2 in get_video_frame /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/fftools/ffplay.c:1776:24
     #14 0x559f464f112b in video_thread /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/fftools/ffplay.c:2149:15
     #15 0x7f97d9afac6d  (/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x116c6d)
 (BuildId: 4d5b3c4d6ed820f4264d19e6b9dee40106d05359)

 previously allocated by thread T21 (av:h264:df0) here:
     #0 0x559f4647dd37 in posix_memalign (/home/quink/work/ffmpeg-
 ci/build/ffmpeg/ffplay+0x8b9d37) (BuildId:
 5af246cc4f5d24a4baf349e77196a345b9331952)
     #1 0x559f4ae9998f in av_malloc /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavutil/mem.c:105:9
     #2 0x559f48f234c3 in ff_refstruct_alloc_ext_c /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/refstruct.c:105:11
     #3 0x559f49ade4d6 in ff_refstruct_alloc_ext /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/refstruct.h:97:12
     #4 0x559f49ad738b in vulkan_decode_bootstrap /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:629:23
     #5 0x559f49ad6c25 in ff_vk_frame_params /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:1011:11
     #6 0x559f481c4e3e in avcodec_get_hw_frames_parameters /home/quink/work
 /ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1194:11
     #7 0x559f481c464b in ff_decode_get_hw_frames_ctx /home/quink/work
 /ffmpeg-ci/build/ffmpeg/src/libavcodec/decode.c:1134:11
     #8 0x559f49adbf94 in ff_vk_decode_init /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/vulkan_decode.c:1137:11
     #9 0x559f481c6a1a in hwaccel_init /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/decode.c:1238:15
     #10 0x559f481c6345 in ff_get_format /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/decode.c:1376:19
     #11 0x559f4a2a9665 in get_pixel_format /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/h264_slice.c:911:12
     #12 0x559f4a2a0e20 in h264_init_ps /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/h264_slice.c:1144:20
     #13 0x559f4a28c77a in h264_field_start /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/h264_slice.c:1395:11
     #14 0x559f4a287af4 in ff_h264_queue_decode_slice /home/quink/work
 /ffmpeg-ci/build/ffmpeg/src/libavcodec/h264_slice.c:2132:15
     #15 0x559f485507d7 in decode_nal_units /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/h264dec.c:651:24
     #16 0x559f4854d28c in h264_decode_frame /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/h264dec.c:1047:17
     #17 0x559f48e5405c in frame_worker_thread /home/quink/work/ffmpeg-
 ci/build/ffmpeg/src/libavcodec/pthread_frame.c:223:21
     #18 0x7f97d8094ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
 }}}

--
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10628#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
