[FFmpeg-devel] [PATCH 2/2] avcodec/v4l2: fix segmentation fault on codec exit

Mark Thompson sw at jkqxz.net
Fri Oct 6 23:01:52 EEST 2017


On 06/10/17 20:53, Mark Thompson wrote:
> On 06/10/17 08:52, Jorge Ramirez-Ortiz wrote:
>> It occurs when the codec is closed while buffer references still
>> exist. This is a regression from the original patchset where support
>> for this use-case was implemented.
>>
>> The regression occurred while cleaning the code for the last patchset
>> (decoding was tested only with ffplay, which disposes of the buffer
>> straightaway, hence the feature went in broken/untested)
>> ---
>>  libavcodec/v4l2_m2m.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/libavcodec/v4l2_m2m.c b/libavcodec/v4l2_m2m.c
>> index bd96a6d..5e85bcb 100644
>> --- a/libavcodec/v4l2_m2m.c
>> +++ b/libavcodec/v4l2_m2m.c
>> @@ -331,8 +331,10 @@ int ff_v4l2_m2m_codec_end(AVCodecContext *avctx)
>>  
>>      ff_v4l2_context_release(&s->output);
>>  
>> -    if (atomic_load(&s->refcount))
>> -        av_log(avctx, AV_LOG_ERROR, "ff_v4l2m2m_codec_end leaving pending buffers\n");
>> +    if (atomic_load(&s->refcount)) {
>> +        av_log(avctx, AV_LOG_DEBUG, "ff_v4l2m2m_codec_end leaving pending buffers\n");
>> +        return 0;
>> +    }
>>  
>>      ff_v4l2_context_release(&s->capture);
>>      sem_destroy(&s->refsync);
>>
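Review bot: the early `return 0` on a non-zero refcount defers releasing `s->capture` and `s->refsync` to a later call of `ff_v4l2_m2m_codec_end`, but the backtrace further down shows that later call arriving from `av_buffer_unref` during `ffmpeg_cleanup` with `s` already NULL (`$2 = (V4L2m2mContext *) 0x0`; the faulting `ctx=0x10fc` is consistent with `&s->output` computed from a null base), so the pending-buffer path crashes at line 319 before it ever reaches the lines changed here. The deferred teardown has to reach the V4L2m2mContext through something the outstanding buffers themselves own rather than through the codec's private data, which is gone by then; a NULL check alone would only turn the crash into a leak of the capture context and semaphore. Separately, the message is silently downgraded from AV_LOG_ERROR to AV_LOG_DEBUG, so if the deferred release never runs nothing will report it; keeping it at AV_LOG_WARNING (or logging again from the deferred path) would preserve that signal.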
> 
> Trying to test this, I segfault when decoding finishes with this patch applied (exynos s5p-mfc):
> 
> (gdb) r
> Starting program: /home/mrt/ffmpeg/v4l2/build/ffmpeg_g -threads 1 -v 55 -y -c:v h264_v4l2m2m -i /home/mrt/bbb_1080_264.mp4 -an -frames:v 100 -f null -
> ...
> Output file #0 (pipe:):
>   Output stream #0:0 (video): 100 frames encoded; 100 packets muxed (40000 bytes); 
>   Total: 100 packets (40000 bytes) muxed
> [h264_v4l2m2m @ 0x1403720] ff_v4l2m2m_codec_end leaving pending buffers
> 100 frames successfully decoded, 0 decoding errors
> ...
> Thread 1 "ffmpeg_g" received signal SIGSEGV, Segmentation fault.
> ff_v4l2_context_set_status (ctx=ctx at entry=0x10fc, cmd=1074026003) at src/libavcodec/v4l2_context.c:489
> 489         int type = ctx->type;
> (gdb) bt
> #0  ff_v4l2_context_set_status (ctx=ctx at entry=0x10fc, cmd=1074026003) at src/libavcodec/v4l2_context.c:489
> #1  0x00798c24 in ff_v4l2_m2m_codec_end (avctx=0x1403720) at src/libavcodec/v4l2_m2m.c:319
> #2  0x00835aba in buffer_replace (src=0x0, dst=<optimized out>) at src/libavutil/buffer.c:120
> #3  av_buffer_unref (buf=buf at entry=0x14d8b2c) at src/libavutil/buffer.c:130
> #4  0x008417ac in av_frame_unref (frame=frame at entry=0x14d8a30) at src/libavutil/frame.c:515
> #5  0x00841d58 in av_frame_unref (frame=<optimized out>) at src/libavutil/frame.c:147
> #6  av_frame_free (frame=frame at entry=0x1403d9c) at src/libavutil/frame.c:168
> #7  0x00082bce in ffmpeg_cleanup (ret=0) at src/fftools/ffmpeg.c:541
> #8  0x00079c42 in exit_program (ret=0) at src/fftools/cmdutils.c:138
> #9  0x0006efba in main (argc=<optimized out>, argv=<optimized out>) at src/fftools/ffmpeg.c:4793
> (gdb) p ctx
> $1 = (V4L2Context *) 0x10fc
> (gdb) f 1
> #1  0x00798c24 in ff_v4l2_m2m_codec_end (avctx=0x1403720) at src/libavcodec/v4l2_m2m.c:319
> 319         ret = ff_v4l2_context_set_status(&s->output, VIDIOC_STREAMOFF);
> (gdb) p s
> $2 = (V4L2m2mContext *) 0x0
> (gdb) 
> 

To clarify, it segfaults in the same way without the patch as well.

- Mark
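The failure mode in this thread is a decoder context whose lifetime is tied to the codec's private data while buffers handed out to the caller still point at it; once the codec is closed, the last buffer free runs teardown through a pointer that is already NULL. The following is an added, stand-alone illustration of the ownership pattern that avoids that, not FFmpeg code: every outstanding buffer holds its own counted reference to a hypothetical `M2mContext`, the codec holds one more, and whoever drops the last reference runs the resource release exactly once. All names (`Codec`, `M2mContext`, `Buffer`, `codec_close`, `buffer_unref`) are assumptions made for this example, and the "resources" are just flags standing in for the real stream-off and semaphore teardown.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a decoder's private state (not FFmpeg's V4L2m2mContext). */
typedef struct M2mContext {
    atomic_int refcount;     /* one reference for the codec + one per live buffer */
    int output_released;     /* flags instead of real stream-off / sem_destroy */
    int capture_released;
} M2mContext;

/* Stand-in for the codec handle; priv is cleared on close, like freed private data. */
typedef struct Codec {
    M2mContext *priv;
} Codec;

/* A buffer keeps its own reference to the context, never a pointer to the codec. */
typedef struct Buffer {
    M2mContext *owner;
    int index;
} Buffer;

static int g_teardowns;       /* how many times resources were released (must be 1) */
static int g_contexts_freed;  /* how many contexts were freed (must be 1) */

static void m2m_release_resources(M2mContext *s)
{
    /* Idempotent by construction: each resource is released at most once. */
    if (!s->output_released)  s->output_released  = 1;
    if (!s->capture_released) s->capture_released = 1;
    g_teardowns++;
}

/* Drop one reference; the holder of the last one tears the context down. */
static void m2m_unref(M2mContext *s)
{
    if (atomic_fetch_sub(&s->refcount, 1) == 1) {
        m2m_release_resources(s);
        g_contexts_freed++;
        free(s);
    }
}

static M2mContext *codec_open(Codec *c)
{
    M2mContext *s = calloc(1, sizeof(*s));
    if (!s)
        return NULL;
    atomic_init(&s->refcount, 1);   /* the codec's own reference */
    c->priv = s;
    return s;
}

static Buffer *buffer_new(Codec *c, int index)
{
    if (!c->priv)
        return NULL;
    Buffer *b = calloc(1, sizeof(*b));
    if (!b)
        return NULL;
    b->owner = c->priv;
    b->index = index;
    atomic_fetch_add(&b->owner->refcount, 1);   /* buffer takes its own reference */
    return b;
}

static void buffer_unref(Buffer *b)
{
    /* Reaches the context through the buffer's reference, so the codec may be gone. */
    m2m_unref(b->owner);
    free(b);
}

static int codec_close(Codec *c)
{
    M2mContext *s = c->priv;
    if (!s)
        return 0;            /* closing twice is harmless */
    c->priv = NULL;          /* from here on nobody may dereference c->priv */
    m2m_unref(s);            /* frees only if no buffer still holds a reference */
    return 0;
}

/* The scenario from the thread: close while two buffers are still referenced. */
static int scenario_close_with_pending_buffers(void)
{
    Codec c = {0};
    g_teardowns = g_contexts_freed = 0;
    if (!codec_open(&c))
        return -1;
    Buffer *b0 = buffer_new(&c, 0);
    Buffer *b1 = buffer_new(&c, 1);
    codec_close(&c);
    if (g_contexts_freed != 0) return -2;   /* must survive while buffers live */
    buffer_unref(b0);
    if (g_contexts_freed != 0) return -3;
    buffer_unref(b1);                       /* last reference: teardown runs here */
    if (g_contexts_freed != 1 || g_teardowns != 1) return -4;
    return codec_close(&c);                 /* second close must be a no-op */
}

/* The ffplay-style order: buffers are gone before close, so close frees. */
static int scenario_drop_buffers_before_close(void)
{
    Codec c = {0};
    g_teardowns = g_contexts_freed = 0;
    if (!codec_open(&c))
        return -1;
    Buffer *b0 = buffer_new(&c, 0);
    buffer_unref(b0);
    if (g_contexts_freed != 0) return -2;
    codec_close(&c);
    return (g_contexts_freed == 1 && g_teardowns == 1) ? 0 : -3;
}

int main(void)
{
    printf("pending buffers at close: %d\n", scenario_close_with_pending_buffers());
    printf("buffers dropped first:    %d\n", scenario_drop_buffers_before_close());
    return 0;
}
```

Both orderings end with exactly one teardown and one free, and `codec_close` never has to know whether it or a later `buffer_unref` will be the one to run it; that is the property the quoted hunk's early `return 0` relies on but cannot provide while the context is reached through the codec's private data.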

