Re: [FFmpeg-devel] [PATCH v3] avcodec/ffv1dec: Don't set ThreadFrame properties, fix race

2022-03-05 Thread Michael Niedermayer 
On Fri, Mar 04, 2022 at 04:40:54AM +0100, Andreas Rheinhardt wrote:
> Each FFV1 slice has its own SAR and picture structure encoded;
> when a slice header was parsed, the relevant fields of a ThreadFrame's
> AVFrame were directly set based upon the parsed values. This is
> a data race in case slice threading is in use because of the concurrent
> writes. In case of frame threading, it is also a data race because
> the writes happen after ff_thread_finish_setup(), so that the reads
> performed by ff_thread_ref_frame() are unsynchronized with the writes
> performed when parsing the header.
> 
> This commit fixes these issues by not writing to the ThreadFrame at all;
> instead the raw data is read into the each SliceContext first; after
> decoding the current frame and creating the actual output frame these
> values are compared to each other. If they are valid and coincide, the
> derived value is written directly to the output frame, not to the
> ThreadFrame, thereby avoiding data races; in case they are not valid
> or inconsistent the most commonly used valid value is used instead.
> 
> This fixes most FFV1 FATE-tests completely when using slice threading;
> the exceptions are fate-vsynth3-ffv1, vsynth3-ffv1-v3-yuv420p and
> vsynth3-ffv1-v3-yuv422p10. (In these tests the partitioning into slices
> does not honour chroma subsampling; as a result, chroma pixels at slice
> borders get set by more than one thread without any synchronization.)
> 
> Signed-off-by: Andreas Rheinhardt 
> ---
>  libavcodec/ffv1.h|   4 ++
>  libavcodec/ffv1dec.c | 130 ---
>  2 files changed, 114 insertions(+), 20 deletions(-)
> 
> diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h
> index ac80fa85ce..f640d5a710 100644
> --- a/libavcodec/ffv1.h
> +++ b/libavcodec/ffv1.h
> @@ -91,6 +91,8 @@ typedef struct FFV1Context {
>  struct FFV1Context *fsrc;
>  
>  AVFrame *cur;
> +int picture_structure;
> +AVRational sample_aspect_ratio;
>  int plane_count;
>  int ac;  ///< 1=range coder <-> 0=golomb rice
>  int ac_byte_count;   ///< number of bytes used for AC 
> coding
> @@ -132,6 +134,8 @@ typedef struct FFV1Context {
>  int slice_coding_mode;
>  int slice_rct_by_coef;
>  int slice_rct_ry_coef;
> +
> +AVRational slice_sample_aspect_ratios[MAX_SLICES];
>  } FFV1Context;
>  
>  int ff_ffv1_common_init(AVCodecContext *avctx);
> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> index 201630167d..8a8ab90b2b 100644
> --- a/libavcodec/ffv1dec.c
> +++ b/libavcodec/ffv1dec.c
> @@ -167,7 +167,7 @@ static int decode_slice_header(const FFV1Context *f, 
> FFV1Context *fs)
>  {
>  RangeCoder *c = &fs->c;
>  uint8_t state[CONTEXT_SIZE];
> -unsigned ps, i, context_count;
> +unsigned i, context_count;
>  memset(state, 128, sizeof(state));
>  
>  av_assert0(f->version > 2);
> @@ -205,25 +205,17 @@ static int decode_slice_header(const FFV1Context *f, 
> FFV1Context *fs)
>  p->context_count = context_count;
>  }
>  
> -ps = get_symbol(c, state, 0);
> -if (ps == 1) {
> -f->cur->interlaced_frame = 1;
> -f->cur->top_field_first  = 1;
> -} else if (ps == 2) {
> -f->cur->interlaced_frame = 1;
> -f->cur->top_field_first  = 0;
> -} else if (ps == 3) {
> -f->cur->interlaced_frame = 0;
> -}
> -f->cur->sample_aspect_ratio.num = get_symbol(c, state, 0);
> -f->cur->sample_aspect_ratio.den = get_symbol(c, state, 0);
> -
> -if (av_image_check_sar(f->width, f->height,
> -   f->cur->sample_aspect_ratio) < 0) {
> +fs->picture_structure   = get_symbol(c, state, 0);
> +fs->sample_aspect_ratio.num = get_symbol(c, state, 0);
> +fs->sample_aspect_ratio.den = get_symbol(c, state, 0);
> +/* Num or den being zero means unknown for FFV1; our unknown is 0 / 1. */
> +if (fs->sample_aspect_ratio.num == 0 || fs->sample_aspect_ratio.den == 
> 0) {
> +fs->sample_aspect_ratio = (AVRational) { 0, 1 };
> +} else if (av_image_check_sar(f->width, f->height,
> +  fs->sample_aspect_ratio) < 0) {
>  av_log(f->avctx, AV_LOG_WARNING, "ignoring invalid SAR: %u/%u\n",
> -   f->cur->sample_aspect_ratio.num,
> -   f->cur->sample_aspect_ratio.den);
> -f->cur->sample_aspect_ratio = (AVRational){ 0, 1 };
> +   fs->sample_aspect_ratio.num, fs->sample_aspect_ratio.den);
> +fs->sample_aspect_ratio = (AVRational) { 0, 0 };
>  }
>  
>  if (fs->version > 3) {
> @@ -251,6 +243,9 @@ static int decode_slice(AVCodecContext *c, void *arg)
>  AVFrame * const p = f->cur;
>  int i, si;
>  
> +fs->picture_structure   = 0;
> +fs->sample_aspect_ratio = (AVRational){ 0, 0 };
> +
>  for( si=0; fs != f->slice_context[si]; si ++)
>  ;
>  

> @@ -831,6 +826,28 @@ static av_cold int decode_init(AVCodecCon

[FFmpeg-devel] [PATCH v3] avcodec/ffv1dec: Don't set ThreadFrame properties, fix race

2022-03-03 Thread Andreas Rheinhardt 
Each FFV1 slice has its own SAR and picture structure encoded;
when a slice header was parsed, the relevant fields of a ThreadFrame's
AVFrame were directly set based upon the parsed values. This is
a data race in case slice threading is in use because of the concurrent
writes. In case of frame threading, it is also a data race because
the writes happen after ff_thread_finish_setup(), so that the reads
performed by ff_thread_ref_frame() are unsynchronized with the writes
performed when parsing the header.

This commit fixes these issues by not writing to the ThreadFrame at all;
instead the raw data is read into the each SliceContext first; after
decoding the current frame and creating the actual output frame these
values are compared to each other. If they are valid and coincide, the
derived value is written directly to the output frame, not to the
ThreadFrame, thereby avoiding data races; in case they are not valid
or inconsistent the most commonly used valid value is used instead.

This fixes most FFV1 FATE-tests completely when using slice threading;
the exceptions are fate-vsynth3-ffv1, vsynth3-ffv1-v3-yuv420p and
vsynth3-ffv1-v3-yuv422p10. (In these tests the partitioning into slices
does not honour chroma subsampling; as a result, chroma pixels at slice
borders get set by more than one thread without any synchronization.)

Signed-off-by: Andreas Rheinhardt 
---
 libavcodec/ffv1.h|   4 ++
 libavcodec/ffv1dec.c | 130 ---
 2 files changed, 114 insertions(+), 20 deletions(-)

diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h
index ac80fa85ce..f640d5a710 100644
--- a/libavcodec/ffv1.h
+++ b/libavcodec/ffv1.h
@@ -91,6 +91,8 @@ typedef struct FFV1Context {
 struct FFV1Context *fsrc;
 
 AVFrame *cur;
+int picture_structure;
+AVRational sample_aspect_ratio;
 int plane_count;
 int ac;  ///< 1=range coder <-> 0=golomb rice
 int ac_byte_count;   ///< number of bytes used for AC 
coding
@@ -132,6 +134,8 @@ typedef struct FFV1Context {
 int slice_coding_mode;
 int slice_rct_by_coef;
 int slice_rct_ry_coef;
+
+AVRational slice_sample_aspect_ratios[MAX_SLICES];
 } FFV1Context;
 
 int ff_ffv1_common_init(AVCodecContext *avctx);
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 201630167d..8a8ab90b2b 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -167,7 +167,7 @@ static int decode_slice_header(const FFV1Context *f, 
FFV1Context *fs)
 {
 RangeCoder *c = &fs->c;
 uint8_t state[CONTEXT_SIZE];
-unsigned ps, i, context_count;
+unsigned i, context_count;
 memset(state, 128, sizeof(state));
 
 av_assert0(f->version > 2);
@@ -205,25 +205,17 @@ static int decode_slice_header(const FFV1Context *f, 
FFV1Context *fs)
 p->context_count = context_count;
 }
 
-ps = get_symbol(c, state, 0);
-if (ps == 1) {
-f->cur->interlaced_frame = 1;
-f->cur->top_field_first  = 1;
-} else if (ps == 2) {
-f->cur->interlaced_frame = 1;
-f->cur->top_field_first  = 0;
-} else if (ps == 3) {
-f->cur->interlaced_frame = 0;
-}
-f->cur->sample_aspect_ratio.num = get_symbol(c, state, 0);
-f->cur->sample_aspect_ratio.den = get_symbol(c, state, 0);
-
-if (av_image_check_sar(f->width, f->height,
-   f->cur->sample_aspect_ratio) < 0) {
+fs->picture_structure   = get_symbol(c, state, 0);
+fs->sample_aspect_ratio.num = get_symbol(c, state, 0);
+fs->sample_aspect_ratio.den = get_symbol(c, state, 0);
+/* Num or den being zero means unknown for FFV1; our unknown is 0 / 1. */
+if (fs->sample_aspect_ratio.num == 0 || fs->sample_aspect_ratio.den == 0) {
+fs->sample_aspect_ratio = (AVRational) { 0, 1 };
+} else if (av_image_check_sar(f->width, f->height,
+  fs->sample_aspect_ratio) < 0) {
 av_log(f->avctx, AV_LOG_WARNING, "ignoring invalid SAR: %u/%u\n",
-   f->cur->sample_aspect_ratio.num,
-   f->cur->sample_aspect_ratio.den);
-f->cur->sample_aspect_ratio = (AVRational){ 0, 1 };
+   fs->sample_aspect_ratio.num, fs->sample_aspect_ratio.den);
+fs->sample_aspect_ratio = (AVRational) { 0, 0 };
 }
 
 if (fs->version > 3) {
@@ -251,6 +243,9 @@ static int decode_slice(AVCodecContext *c, void *arg)
 AVFrame * const p = f->cur;
 int i, si;
 
+fs->picture_structure   = 0;
+fs->sample_aspect_ratio = (AVRational){ 0, 0 };
+
 for( si=0; fs != f->slice_context[si]; si ++)
 ;
 
@@ -831,6 +826,28 @@ static av_cold int decode_init(AVCodecContext *avctx)
 return 0;
 }
 
+/* Macro to simplify comparisons of the rational values we deal with here.
+ * get_symbol() ensures that these fit into 32bits, so that one can just
+ * compare them in 64bits; they are also actually unsigned, so cast to that.
+ * Notice that av_image_check_sar() ch