PR #21089 opened by mkver
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21089
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21089.patch

From c83d3b98b1f82b4b2e2157f265d97d679bdef497 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <[email protected]>
Date: Tue, 25 Nov 2025 21:02:11 +0100
Subject: [PATCH] avcodec/vp3: Sync VLCs once during init, fix crash

6c7a344b65cb7476d1575cb1504e3a53bcbc83e7 made the VLCs shared between threads and did so in a way that was designed to support stream reconfigurations, so that the structure containing the VLCs was synced in update_thread_context. The idea was that the currently active VLCs would just be passed along between threads.

Yet this was broken by 5acbdd2264d3b90dc11369f9e031e762f260882e: Before this commit, submit_packet() was a no-op during flushing for VP3, as it is a no-delay decoder, so it won't produce any output during flushing. This meant that prev_thread in pthread_frame.c contained the last dst thread that update_thread_context() was called for (so that these VLCs could be passed along between threads). Yet after said commit, submit_packet was no longer a no-op during flushing and changed prev_thread in such a way that it did not need to contain any VLCs at all*. When flushing, prev_thread is used to pass the current state to the first worker thread which is the one that is used to restart decoding. It could therefore happen that the decoding thread did not contain the VLCs at all any more after decoding restarts after flushing leading to a crash (this scenario was never anticipated and must not happen at all).

There is a simple, easily backportable fix given that we do not support stream reconfigurations (yet) when using frame threading: Don't sync the VLCs in update_thread_context(), instead do it once during init.

This fixes forgejo issue #20346 and trac issue #11592.

(I don't know why 5acbdd2264d3b90dc11369f9e031e762f260882e changed submit_packet() to no longer be a no-op when draining no-delay decoders.)

*: The exact condition for the crash is nb_threads > 2*nb_frames.

Reviewed-by: Peter Ross <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]> (cherry picked from commit 90551b7d80e39c2fcde67fc65e3623bbef12590c) --- libavcodec/vp3.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index d03a1c9dbc..a021efd5d5 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -46,7 +46,6 @@ #include "decode.h" #include "get_bits.h" #include "hpeldsp.h" -#include "internal.h" #include "jpegquanttables.h" #include "mathops.h" #include "progressframe.h" @@ -2458,7 +2457,7 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) } } - if (!avctx->internal->is_copy) { + if (ff_thread_sync_ref(avctx, offsetof(Vp3DecodeContext, coeff_vlc)) != FF_THREAD_IS_COPY) { CoeffVLCs *vlcs = ff_refstruct_alloc_ext(sizeof(*s->coeff_vlc), 0, NULL, free_vlc_tables); if (!vlcs) @@ -2527,8 +2526,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * const Vp3DecodeContext *s1 = src->priv_data; int qps_changed = 0; - ff_refstruct_replace(&s->coeff_vlc, s1->coeff_vlc); - // copy previous frame data ref_frames(s, s1); if (!s1->current_frame.f || -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
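Review bot: In the include hunk (@@ -46), "internal.h" is dropped on the strength of the single avctx->internal->is_copy use that is replaced further down. Since this is a cherry-pick, it is worth confirming that the target branch's vp3.c has no other avctx->internal access before removing the header.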
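Review bot: In the vp3_decode_init hunk (@@ -2458), the result of ff_thread_sync_ref() is only compared against FF_THREAD_IS_COPY, and nothing visible here tells the reader that a copy leaves init with s->coeff_vlc already pointing at the shared tables. A one-line comment above the condition saying so would help, together with a note that the one-time sync relies on frame threading not supporting stream reconfiguration, as the commit message states. The condition line is also very long; moving the offsetof() argument to a continuation line would keep it readable.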
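Review bot: In the vp3_update_thread_context hunk (@@ -2527), removing the ff_refstruct_replace() line means the destination context's coeff_vlc is never touched after init, but the function no longer says so. Consider leaving a short comment where the line was, for example "coeff_vlc is shared once in vp3_decode_init() and deliberately not synced here", so that whoever later adds stream reconfiguration under frame threading sees that this is the place that has to change.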
