AV1 10-bit files crashing tabs |
|||||
Issue descriptionChrome Version: Google Chrome 73.0.3642.0 (Official Build) dev (64-bit) Revision e581247c6782059ec062f68e412a3628ccdf8821-refs/branch-heads/3642@{#1} OS Linux What steps will reproduce the problem? (1) Attempt to play a 10-bit AV1 file (2) Aw Snap Beta works: Google Chrome 72.0.3626.28 (Official Build) beta (64-bit) Revision 997b1040b63bac324e815797ba52be0cd8f616ed-refs/branch-heads/3626@{#461} OS Linux So does stable: Google Chrome 71.0.3578.98 (Official Build) (64-bit) Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897} OS Linux This reproduces using the 10-bit bears[1][2] that (should) be decoded when the pipeline integration tests run. Assigned to Dale for now because we're unsure how this can happen-- the commit queue should have bailed out due to test failure. Notes: - I omitted the real links below to avoid crashing people using the crashing version of Chrome. - This does not reproduce with aomdec at HEAD (8634e61b1be0f66cf51ef136334b03f42e6b717c) or what's in DEPS for 3642.0 (98dae942edd3032c89b0e8bae9b4d50398931405) [1] src/media/test/data/bear-av1-320x180-10bit.webm [2] src/media/test/data/bear-av1-320x180-10bit.mp4
,
Dec 19
I'm about to be OOO so can't really pick this up.
,
Dec 19
,
Dec 19
Not crashing on mac.
,
Dec 19
Crash IDs: d683116288d44aee 9ff251e67ac0b1c2 d65ec4c77924f4af f1009f3f8829e0a3 6fe8dd7ac34392aa
,
Dec 19
Definitely dying in libaom per crash dump (for 6fe8dd7ac34392aa anyway).
,
Dec 19
Doesn't seem like a CFI crash, instead illegal operation? 0x000055a71b11be4b (chrome -reconintra.c ) av1_predict_intra_block 0x000055a71b11bf82 (chrome -reconintra.c:1640 ) av1_predict_intra_block_facade 0x000055a71b1323a1 (chrome -decodeframe.c:225 ) predict_and_reconstruct_intra_block 0x000055a71b137933 (chrome -decodeframe.c:1158 ) decode_token_recon_block 0x000055a71b1356e3 (chrome -decodeframe.c:1829 ) decode_partition 0x000055a71b1355a4 (chrome -decodeframe.c:1814 ) decode_partition 0x000055a71b1355a4 (chrome -decodeframe.c:1814 ) decode_partition 0x000055a71b135564 (chrome -decodeframe.c:1812 ) decode_partition 0x000055a71b131d4f (chrome -decodeframe.c:3036 ) row_mt_worker_hook 0x000055a71b160a72 (chrome -aom_thread.c:163 ) <name omitted> Maybe still CFI related since this isn't in a simd function, but might also just be using some invalid instruction.. I'm about to be OOO so can't pick this up though, so since it's in libaom, back to tom.
,
Dec 19
Dale: I agree with Tom that this is very likely a CFI crash. I have found at least two AVX2 functions with a function prototype mismatch between declaration and definition. Do you have the setup to do a Linux CFI build of Chrome?
,
Dec 19
https://bugs.chromium.org/p/chromium/issues/detail?id=883004#c12 from the last time. https://www.chromium.org/developers/testing/control-flow-integrity is probably up to date too.
,
Dec 19
There are instructions for running clang-tidy to find mismatches: https://bugs.chromium.org/p/webm/issues/detail?id=1444 There is a bug open to do the same for aomedia but I haven't prioritized it: https://bugs.chromium.org/p/aomedia/issues/detail?id=2228
,
Dec 20
Thanks to Dale, Johann, and Tom for your help. I have reproduced the crash using the following commands: gn gen out/cfi '--args=is_debug=false is_cfi=true use_cfi_icall=true use_cfi_cast=true use_thin_lto=true' --check ninja -C out/cfi media_unittests out/cfi/media_unittests --gtest_filter=*MSEPipelineIntegrationTest.BasicPlayback_AV1_10bit* Note: I found the unit test names by searching for "bear-av1-320x180-10bit" in Chromium's src/media/ directory. I wrote a CL at https://aomedia-review.googlesource.com/c/aom/+/77182. I verified it fixed the crash. I identified the functions by inspecting the generated header files in my recent Chromium libaom DEPS roll CL: https://chromium-review.googlesource.com/c/chromium/src/+/1372630 I found the .c files that define the new functions. I made sure those .c files include the .h file that declares the new functions. This allowed me to detect which functions have function prototype mismatch between declaration and definition. This is a labor-intensive process. We should supplement it with adding a CFI build to libaom's CL verification tests or nightly Jenkins tests.
,
Dec 20
The following revision refers to this bug: https://aomedia.googlesource.com/aom/+/54f9711972d478363a53d7be1acf5b8d394919aa commit 54f9711972d478363a53d7be1acf5b8d394919aa Author: Wan-Teh Chang <wtc@google.com> Date: Wed Dec 19 23:44:00 2018 Fix function prototype mismatch. Include config/av1_rtcd.h to detect function prototype mismatch between declarations and definitions. Fix two incorrect function prototypes detected this way. BUG= chromium:916767 Change-Id: If241bf8312aad860727d616eab7d9480af40a950 [modify] https://crrev.com/54f9711972d478363a53d7be1acf5b8d394919aa/aom_dsp/x86/intrapred_avx2.c [modify] https://crrev.com/54f9711972d478363a53d7be1acf5b8d394919aa/av1/common/av1_txfm.c
,
Dec 20
We have an open bug for CFI: https://bugs.chromium.org/p/webm/issues/detail?id=1564
,
Dec 20
Re: Johann's comment 10: > There are instructions for running clang-tidy to find mismatches: > https://bugs.chromium.org/p/webm/issues/detail?id=1444 The -Wmissing-declarations gcc compiler warning can also be used to detect function prototype mismatch, but last time I tried it, it would require a lot of changes to libaom. So I think your suggestion of clang-tidy is a better idea.
,
Dec 20
clang-tidy is currently super difficult to use. If -Wmissing-declarations can help catch this issue it would be good to open a libaom bug and see just how much work that would require. It would be much easier to keep the library clean with that.
,
Dec 20
Johann: We can start with only using -Wmissing-declarations on the files in the aom_dsp/x86/ and similar directories, because in my experience this kind of function prototype mismatch often occurs in those SIMD-optimized functions. I also found that the readability-inconsistent-declaration-parameter-name clang-tidy check does not catch the two functions that caused this bug. Perhaps this clang-tidy check requires the header to be included in the first place.
,
Dec 21
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c4917cca6a971da66826ba0c83d5f966572244ec commit c4917cca6a971da66826ba0c83d5f966572244ec Author: Wan-Teh Chang <wtc@google.com> Date: Fri Dec 21 21:21:14 2018 Roll src/third_party/libaom/source/libaom/ 98dae942e..f90004a14 (80 commits) https://aomedia.googlesource.com/aom.git/+log/98dae942edd3..f90004a14ea8 $ git log 98dae942e..f90004a14 --date=short --no-merges --format='%ad %ae %s' 2018-12-20 debargha Complete renaming jnt_comp into dist_wtd_comp 2018-12-20 wenyao.liu combine the same branch in encode_b 2018-12-19 elliottk code-cleanup: delete mode_map 2018-12-20 wtc __rdtscp() in Visual Studio takes one argument. 2018-12-20 huisu Properly set skip flag in inter transform search 2018-12-19 huisu Refac code about intraBC transform RD search 2018-12-19 elliottk Fix monochrome raw output 2018-12-19 elliottk Combine ref-frame and mode masks 2018-12-19 sarahparker Restore functionality to FINAL_PASS_TRELLIS_OPT 2018-12-19 sarahparker Correctly initialize top_est_rd 2018-12-10 niva213 AVX2 dr prediction full version - lbd & hbd, Z1,Z2,Z3 2018-12-19 huisu Expand select_inter_block_yrd() 2018-12-19 wtc Fix function prototype mismatch. 2018-11-29 chiyotsai Introduce simple_motion_search_prune_rect 2018-12-18 chiyotsai Set square_partition_only_threshold on speed 2 2018-12-19 wtc Update stale comment that mentions ref_cnt_fb. 2018-12-19 huisu Refactor try_tx_block_split() 2018-12-19 huisu Refactor select_inter_block_yrd() 2018-12-19 huisu Refactor select_tx_size_fix_type() 2018-12-19 huisu Add a comment for tx_type_rd() (...) Created with: roll-dep src/third_party/libaom/source/libaom R=tomfinegan@chromium.org,johannkoenig@google.com,jzern@chromium.org Bug: 916767 Change-Id: I6e5f71ea162c09980e096d0c422fd6451a73b2da Reviewed-on: https://chromium-review.googlesource.com/c/1388656 Reviewed-by: Tom Finegan <tomfinegan@chromium.org> Commit-Queue: Wan-Teh Chang <wtc@google.com> Cr-Commit-Position: refs/heads/master@{#618603} [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/DEPS [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/README.chromium [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/libaom_srcs.gni [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/config/aom_version.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm-neon/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm-neon/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm-neon/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm64/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm64/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/arm64/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/generic/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/generic/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/generic/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/ia32/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/ia32/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/ia32/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/x64/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/x64/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/linux/x64/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/win/ia32/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/win/ia32/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/win/ia32/config/av1_rtcd.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/win/x64/config/aom_config.asm [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/win/x64/config/aom_config.h [modify] https://crrev.com/c4917cca6a971da66826ba0c83d5f966572244ec/third_party/libaom/source/config/win/x64/config/av1_rtcd.h
,
Dec 21
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by dalecur...@chromium.org
, Dec 19