New submission from Ivan Kalvachev <[EMAIL PROTECTED]>:

The bug is caused by unaligned access in motion_est_mmx.c::sad16_sse2().
The function assumes that all inputs are aligned. This is true in the usual MPEG
encoding, but is not true for snow.c::get_block_rd()::2860, which calls it with
a (-4,-4) offset.

The original bug report came from an MPlayer user (Mythos) who encountered a problem
with vf_mcdeint.c. That filter internally uses snow encoding and decoding.
Disabling the use of sad16_sse2() solved the issue.
I don't have an SSE2 CPU myself.

The original bug report follows, in case somebody needs it.
//--------------------------------------------------------------------------------

Starting program: mplayer -field-dominance 0 -vf "yadif=1:1,mcdeint=2:1:10"
-demuxer lavf 'somewhere/VIDEO_TS/VTS_02_1.VOB'
[Thread debugging using libthread_db enabled]
[New Thread -1245800720 (LWP 24469)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1245800720 (LWP 24469)]
0x0856a899 in sad16_sse2 (v=0xb51d03c0, blk2=0x9232bdc, blk1=0x97ec44c, 
    stride=752, h=16) at i386/motion_est_mmx.c:94
94          asm volatile(
#0  0x0856a899 in sad16_sse2 (v=0xb51d03c0, blk2=0x9232bdc, blk1=0x97ec44c , 
    stride=752, h=16) at i386/motion_est_mmx.c:94
#1  0x084e07ed in get_block_rd (s=0xb4fc4020, mb_x=0, mb_y=0, plane_index=0,
obmc_edged=0xbff2eff0 "") at snow.c:2860
#2  0x084e3577 in iterative_me (s=0xb4fc4020) at snow.c:2969
#3  0x084e5a98 in encode_blocks (s=0xb4fc4020, search=1) at snow.c:2074
#4  0x084e5dec in encode_frame (avctx=0x8ccb850, 
    buf=0xb496e008 , buf_size=4147200, data=0x8b92310) at snow.c:4268
#5  0x08325180 in avcodec_encode_video (avctx=0x8ccb850, 
    buf=0xb496e008 , buf_size=4147200, pict=0x8b92310) at utils.c:917
#6  0x081b365e in put_image (vf=0x8c0d300, mpi=0x8d48b38,
pts=0.42000000000000004) at vf_mcdeint.c:103
#7  0x081aedb6 in continue_buffered_image (vf=0x8c0cb68) at vf_yadif.c:443
#8  0x08182df2 in vf_output_queued_frame (vf=0x8c0cb68) at vf.c:580
#9  0x080b725d in main (argc=8, argv=0xbff33ea4) at mplayer.c:1743
Dump of assembler code for function sad16_sse2:
0x0856a870 <sad16_sse2+0>:      push   %ebp
0x0856a871 <sad16_sse2+1>:      mov    %esp,%ebp
0x0856a873 <sad16_sse2+3>:      mov    0x10(%ebp),%ecx
0x0856a876 <sad16_sse2+6>:      push   %ebx
0x0856a877 <sad16_sse2+7>:      mov    0x14(%ebp),%edx
0x0856a87a <sad16_sse2+10>:     mov    0xc(%ebp),%ebx
0x0856a87d <sad16_sse2+13>:     mov    0x18(%ebp),%eax
0x0856a880 <sad16_sse2+16>:     pxor   %xmm6,%xmm6
0x0856a884 <sad16_sse2+20>:     lea    0x0(%esi),%esi
0x0856a88a <sad16_sse2+26>:     lea    0x0(%edi),%edi
0x0856a890 <sad16_sse2+32>:     movdqu (%ecx),%xmm0
0x0856a894 <sad16_sse2+36>:     movdqu (%ecx,%edx,1),%xmm1
0x0856a899 <sad16_sse2+41>:     psadbw (%ebx),%xmm0     <---- crash
0x0856a89d <sad16_sse2+45>:     psadbw (%ebx,%edx,1),%xmm1
0x0856a8a2 <sad16_sse2+50>:     paddw  %xmm0,%xmm6
0x0856a8a6 <sad16_sse2+54>:     paddw  %xmm1,%xmm6
0x0856a8aa <sad16_sse2+58>:     lea    (%ecx,%edx,2),%ecx
0x0856a8ad <sad16_sse2+61>:     lea    (%ebx,%edx,2),%ebx
0x0856a8b0 <sad16_sse2+64>:     sub    $0x2,%eax
0x0856a8b3 <sad16_sse2+67>:     jg     0x856a890 <sad16_sse2+32>
0x0856a8b5 <sad16_sse2+69>:     movhlps %xmm6,%xmm0
0x0856a8b8 <sad16_sse2+72>:     paddw  %xmm0,%xmm6
0x0856a8bc <sad16_sse2+76>:     movd   %xmm6,%eax
0x0856a8c0 <sad16_sse2+80>:     pop    %ebx
0x0856a8c1 <sad16_sse2+81>:     pop    %ebp
0x0856a8c2 <sad16_sse2+82>:     ret    
End of assembler dump.

(gdb) print src
$1 = (uint8_t *) 0x92337a0 
(gdb) print dst
$2 = (uint8_t *) 0x97ed010
(gdb) print sx
$3 = -4
(gdb) print sy
$4 = -4

(gdb) print s->current_picture
$5 = {data = {0x97ed010, 0x97a5328, 0x96aae18, 0x0}, 
         linesize = {752, 376, 376, 0}, 
         base = {0x97ea100, 0x97a4760, 0x96aa250, 0x0},
         key_frame = 0, pict_type = 0, pts = 0, coded_picture_number = 0,
display_picture_number = 0, quality = 0, age = 1073741824, reference = 1,
qscale_table = 0x0, qstride = 0, mbskip_table = 0x0, motion_val = {0x0, 0x0},
mb_type = 0x0, motion_subsample_log2 = 0, opaque = 0x0, error = {0, 0, 0, 0},
type = 1, repeat_pict = 0, qscale_type = 0, interlaced_frame = 0,
top_field_first = 0, pan_scan = 0x0, palette_has_changed = 0, buffer_hints = 0,
dct_coeff = 0x0, ref_index = {0x0, 0x0}}


(gdb) print s->input_picture
$6 = {data = {0x92337a0, 0x92a0e98, 0x92bcd58, 0x0}, 
      linesize = {752, 376, 376, 0},
      base = {0x9230890, 0x92a02d0, 0x92bc190, 0x0},
      key_frame = 0, pict_type = 0, pts = 0, coded_picture_number = 0,
display_picture_number = 0, quality = 0, age = 1073741824, reference = 0,
qscale_table = 0x0, qstride = 0, mbskip_table = 0x0, motion_val = {0x0, 0x0},
mb_type = 0x0, motion_subsample_log2 = 0, opaque = 0x0, error = {0, 0, 0, 0},
type = 1, repeat_pict = 0, qscale_type = 0, interlaced_frame = 0,
top_field_first = 0, pan_scan = 0x0, palette_has_changed = 0, buffer_hints = 0,
dct_coeff = 0x0, ref_index = {0x0, 0x0}}
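Added example (not from the report or from FFmpeg): it reproduces the address arithmetic behind the crash from the gdb values above, showing that data[0] of both pictures is 16-byte aligned while the (-4,-4) block pointers are not, and it shows the alignment check a caller needs before handing a block to an aligned-only SAD routine. The "fast path" here is a hypothetical stand-in that models the psadbw alignment contract by returning -1 instead of faulting; the reference SAD is a plain C loop.

```c
#include <stdint.h>
#include <stdlib.h>

/* Frame pointers, stride and block offset as printed by gdb in the report. */
#define DST_DATA0 0x97ed010u   /* s->current_picture.data[0] */
#define SRC_DATA0 0x92337a0u   /* s->input_picture.data[0]   */
#define STRIDE    752
#define SX        (-4)
#define SY        (-4)
/* Block address get_block_rd() hands to sad16: base + sy*stride + sx. */
uintptr_t block_addr(uintptr_t base, int sx, int sy, int stride)
{
    return base + (uintptr_t)((intptr_t)sy * stride + sx);
}
/* psadbw with a memory operand faults unless the address is 16-byte aligned. */
int is_aligned16(uintptr_t addr) { return (addr & 15u) == 0; }

/* Portable reference SAD over a 16-wide block; it has no alignment requirement. */
int sad16_c(const uint8_t *blk1, const uint8_t *blk2, int stride, int h)
{
    int sum = 0;
    for (int y = 0; y < h; y++, blk1 += stride, blk2 += stride)
        for (int x = 0; x < 16; x++)
            sum += abs(blk1[x] - blk2[x]);
    return sum;
}
/* Stand-in for the SSE2 path (hypothetical, not FFmpeg's code): it models the
 * alignment contract by returning -1 where the real psadbw would SIGSEGV. */
int sad16_aligned_only(const uint8_t *blk1, const uint8_t *blk2, int stride, int h)
{
    if (!is_aligned16((uintptr_t)blk1) || !is_aligned16((uintptr_t)blk2))
        return -1;
    return sad16_c(blk1, blk2, stride, h);
}
/* The check a caller needs: take the fast path only when both inputs qualify. */
int sad16_dispatch(const uint8_t *blk1, const uint8_t *blk2, int stride, int h)
{
    if (is_aligned16((uintptr_t)blk1) && is_aligned16((uintptr_t)blk2))
        return sad16_aligned_only(blk1, blk2, stride, h);
    return sad16_c(blk1, blk2, stride, h);
}
/* Constructed frames (not from the report): samples differ by exactly 5, so a
 * 16x16 block sums to 1280; the +4 offset mirrors the unaligned (-4,-4) case. */
int demo_unaligned_block(void)
{
    static _Alignas(16) uint8_t cur[32 * 16 + 16], in[32 * 16 + 16];
    for (int i = 0; i < 32 * 16 + 16; i++) { cur[i] = i % 200; in[i] = i % 200 + 5; }
    return sad16_dispatch(cur + 4, in + 4, 32, 16);
}
```

With the report's values, block_addr() yields exactly the blk1/blk2 pointers in the backtrace (0x97ec44c and 0x9232bdc), both 12 bytes past a 16-byte boundary.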

----------
assignedto: michaelni
messages: 2094
nosy: iive, michaelni
priority: normal
status: new
substatus: analyzed
title: Snow encoder crashes on SSE2 capable CPU.
type: bug

______________________________________________________
FFmpeg issue tracker <[EMAIL PROTECTED]>
<https://roundup.mplayerhq.hu/roundup/ffmpeg/issue461>
______________________________________________________