[Ffmpeg-devel] Segmentation fault on h264.c
Dario Andrade
dario
Fri Jul 29 18:56:32 CEST 2005
Hi,
Unfortunately I don't have a saved bitstream anywhere, nor am I working
with the ffmpeg utility; instead this came from live decoding using the lavc API
directly.
The exact line that it happened was (marked with an arrow):
if(cur->reference == 0)
cur->reference = 1;
for(i=0; h->delayed_pic[i]; i++)
if(h->delayed_pic[i]->key_frame || h->delayed_pic[i]->poc==0)
<------- (*)
cross_idr = 1;
out = h->delayed_pic[0];
for(i=1; h->delayed_pic[i] && !h->delayed_pic[i]->key_frame; i++)
It does happen on high-latency (perhaps high packet loss) transmissions. So
my guess would be that it
is referencing an invalid 'delayed_pic[i]' member.
Here is the extra info:
Program received signal SIGSEGV, Segmentation fault.
[Switching to thread 1688.0xac8]
decode_frame (avctx=0xe56c60, data=0x4fffd70, data_size=0x4fffd6c,
buf=0x61dfde4 "", buf_size=381) at h264.c:7478
7478 if(h->delayed_pic[i]->key_frame ||
h->delayed_pic[i]->poc==0)
(gdb) info line
Line 7478 of "h264.c" starts at address 0x655a04e6 <decode_frame+470>
and ends at 0x655a04f7 <decode_frame+487>.
(gdb) bt
#0 decode_frame (avctx=0xe56c60, data=0x4fffd70, data_size=0x4fffd6c,
buf=0x61dfde4 "", buf_size=381) at h264.c:7478
#1 0x6548380a in avcodec_decode_video (avctx=0xe56c60, picture=0x4fffd70,
got_picture_ptr=0x4fffd6c, buf=0x61dfde4 "", buf_size=381) at
utils.c:747
#2 0x0061042f in ?? ()
#3 0x00660378 in ?? ()
#4 0x00661146 in ?? ()
#5 0x0065a885 in ?? ()
#6 0x00626e76 in ?? ()
#7 0x00626b3c in ?? ()
#8 0x7c80b50b in $R000000 ()
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x655a04c6 to 0x655a0506:
0x655a04c6 <decode_frame+438>: out %al,(%dx)
0x655a04c7 <decode_frame+439>: add %eax,(%eax)
0x655a04c9 <decode_frame+441>: inc %esi
0x655a04ca <decode_frame+442>: mov %esi,0xffffffd8(%ebp)
0x655a04cd <decode_frame+445>: test %ecx,%ecx
0x655a04cf <decode_frame+447>: jne 0x655a04d8 <decode_frame+456>
0x655a04d1 <decode_frame+449>: movl $0x1,0x50(%eax)
0x655a04d8 <decode_frame+456>: mov 0x1ee18(%ebx),%eax
0x655a04de <decode_frame+462>: xor %ecx,%ecx
0x655a04e0 <decode_frame+464>: test %eax,%eax
0x655a04e2 <decode_frame+466>: je 0x655a050a <decode_frame+506>
0x655a04e4 <decode_frame+468>: mov %eax,%esi
0x655a04e6 <decode_frame+470>: mov 0x30(%esi),%edx
0x655a04e9 <decode_frame+473>: test %edx,%edx
0x655a04eb <decode_frame+475>: jne 0x655a04f7 <decode_frame+487>
0x655a04ed <decode_frame+477>: mov 0xe4(%esi),%edi
0x655a04f3 <decode_frame+483>: test %edi,%edi
0x655a04f5 <decode_frame+485>: jne 0x655a04fe <decode_frame+494>
0x655a04f7 <decode_frame+487>: movl $0x1,0xffffffd4(%ebp)
0x655a04fe <decode_frame+494>: inc %ecx
0x655a04ff <decode_frame+495>: mov 0x1ee18(%ebx,%ecx,4),%esi
End of assembler dump.
(gdb) info all-registers
eax 0x3e11860 65083488
ecx 0x11 17
edx 0x0 0
ebx 0x41f5b50 69163856
esp 0x4fffa9c 0x4fffa9c
ebp 0x4fffad4 0x4fffad4
esi 0x1 1
edi 0x6 6
eip 0x655a04e6 0x655a04e6
eflags 0x210202 2163202
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x3b 59
gs 0x0 0
st0 -nan(0x8181818181818181) (raw 0xffff8181818181818181)
st1 -nan(0x8181818181818181) (raw 0xffff8181818181818181)
st2 -nan(0x818181818080807f) (raw 0xffff818181818080807f)
st3 -nan(0x81008100810081) (raw 0xffff0081008100810081)
st4 0 (raw 0xffff0000000000000000)
st5 0 (raw 0xffff0000000000000000)
st6 0 (raw 0xffff0000000000000000)
---Type <return> to continue, or q <return> to quit---
st7 0 (raw 0xffff0000000000000000)
fctrl 0xffff027f -64897
fstat 0xffff0000 -65536
ftag 0xffffffff -1
fiseg 0x8 8
fioff 0xbfa333f4 -1079823372
foseg 0xffff0010 -65520
fooff 0xee77ebd0 -294130736
fop 0x475 1141
(gdb) info frame
Stack level 0, frame at 0x4fffad4:
eip = 0x655a04e6 in decode_frame (h264.c:7478); saved eip 0x6548380a
called by frame at 0x4fffb14
source language c.
Arglist at 0x4fffad4, args: avctx=0xe56c60, data=0x4fffd70,
data_size=0x4fffd6c, buf=0x61dfde4 "", buf_size=381
Locals at 0x4fffad4, Previous frame's sp is 0x0
Saved registers:
ebx at 0x4fffac8, ebp at 0x4fffad4, esi at 0x4fffacc, edi at 0x4fffad0,
eip at 0x4fffad8
(gdb) info locals
out = (Picture *) 0xcccccccc
cur = (Picture *) 0x3e12eb0
prev = (Picture *) 0x3e12d18
out_idx = 0
pics = 16
cross_idr = 0
dropped_frame = 0
s = (MpegEncContext *) 0x41f5b50
buf_index = 381
buf_index = 381
(gdb) print i
$1 = 1
(gdb) print h
$2 = (H264Context *) 0x3e11860
(gdb) print h->delayed_pic[1]
$3 = (Picture *) 0x80808080 (INVALID!)
(gdb) print h->delayed_pic[0]
$4 = (Picture *) 0x80808080
(gdb) print h->delayed_pic
$5 = {0x80808080, 0x80808080, 0x80808080, 0x7f7f7f7f, 0x7f7f7f7f,
0x7f7f7f7f,
0x81818181, 0x81818181, 0x797c8181, 0x84756f78, 0x80807f82, 0x786c5c7a,
0x7a7b7b7b, 0x7c7b7a79, 0x7e7e7e7d, 0x7d7d7e7e}
(gdb) print cur
$6 = (Picture *) 0x3e12eb0
(gdb) print cur->reference
$7 = 3
(gdb) print s->current_picture_ptr
$8 = (Picture *) 0x3e12eb0
(gdb) print h->delayed_output_pic
$9 = (Picture *) 0x7e7d7d7c
That segmentation fault is happening very often.
Thanks a lot,
--
Dario Andrade
Executive Director
DATSCOM
Mobile +55.21.9453.5005
Office +55.21.2141.9525