misc/189317: [chrome] [libffmpeg] SIGBUS in libffmpeg

Adrian Chadd adrian at freebsd.org
Sat May 3 16:40:00 UTC 2014 

>Number:         189317
>Category:       misc
>Synopsis:       [chrome] [libffmpeg] SIGBUS in libffmpeg
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 03 16:40:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Adrian Chadd
>Release:        11-CURRENT
>Organization:
>Environment:
FreeBSD lucy-11i386 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r265255: Fri May  2 23:16:44 PDT 2014     adrian at lucy-11i386:/usr/home/adrian/work/freebsd/head/obj/usr/home/adrian/work/freebsd/head/src/sys/LUCY_11_i386  i386

>Description:
I get bus errors in libffmeg when running inside Chrome.

Core was generated by `chrome'.
Program terminated with signal 10, Bus error.
#0  0x309fa3e2 in ff_deblock_v_luma_8_sse2 () from /usr/local/share/chromium/libffmpegsumo.so
(gdb) bt
#0  0x309fa3e2 in ff_deblock_v_luma_8_sse2 () from /usr/local/share/chromium/libffmpegsumo.so
#1  0xffffffff in ?? ()
#2  0x308aa2b1 in ?? () from /usr/local/share/chromium/libffmpegsumo.so
#3  0x308929f5 in ?? () from /usr/local/share/chromium/libffmpegsumo.so
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

(gdb) disassemble 0x309fa3e2
..
..
   0x309fa3e0 <+32>:	add    %eax,%esi
=> 0x309fa3e2 <+34>:	movdqa (%esi,%ecx,1),%xmm0
   0x309fa3e7 <+39>:	movdqa (%esi,%ecx,2),%xmm1
   0x309fa3ec <+44>:	movdqa (%eax),%xmm2
   0x309fa3f0 <+48>:	movdqa (%eax,%ecx,1),%xmm3


(gdb) info all-registers
eax            0xbf4d65c8	-1085446712
ecx            0x10	16
edx            0x7	7
ebx            0x2	2
esp            0xbf4d6548	0xbf4d6548
ebp            0xbf4d66cc	0xbf4d66cc
esi            0xbf4d6598	-1085446760
edi            0x380	896
eip            0x309fa3e2	0x309fa3e2 <ff_deblock_v_luma_8_sse2+34>
eflags         0x210283	[ CF SF IF RF ID ]
cs             0x33	51
ss             0x3b	59
ds             0xbfbf003b	-1078001605
es             0x3b	59
fs             0xbfbf003b	-1078001605
gs             0x1b	27
st0            -nan(0x2222222222222222)	(raw 0xffff2222222222222222)
st1            -nan(0x2323232323232323)	(raw 0xffff2323232323232323)
st2            -nan(0x2424242423232323)	(raw 0xffff2424242423232323)
st3            -nan(0x2424242424242424)	(raw 0xffff2424242424242424)
st4            -nan(0x202020201f1f1f1f)	(raw 0xffff202020201f1f1f1f)
st5            -nan(0x2222222222222222)	(raw 0xffff2222222222222222)
st6            -nan(0x2222222222222222)	(raw 0xffff2222222222222222)
st7            -nan(0x2222222222222222)	(raw 0xffff2222222222222222)
fctrl          0x127f	4735
fstat          0x20	32
ftag           0xaaff	43775
fiseg          0x33	51
fioff          0x309d253b	815605051
foseg          0x3b	59
fooff          0xbf4d6abc	-1085445444
fop            0x59c	1436
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {
    0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1f80	[ IM DM ZM OM UM PM ]
mm0            {uint64 = 0x2222222222222222, v2_int32 = {0x22222222, 0x22222222}, v4_int16 = {0x2222, 0x2222, 0x2222, 0x2222}, v8_int8 = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 
    0x22, 0x22}}
mm1            {uint64 = 0x2323232323232323, v2_int32 = {0x23232323, 0x23232323}, v4_int16 = {0x2323, 0x2323, 0x2323, 0x2323}, v8_int8 = {0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 
---Type <return> to continue, or q <return> to quit--- 
    0x23, 0x23}}
mm2            {uint64 = 0x2424242423232323, v2_int32 = {0x23232323, 0x24242424}, v4_int16 = {0x2323, 0x2323, 0x2424, 0x2424}, v8_int8 = {0x23, 0x23, 0x23, 0x23, 0x24, 0x24, 
    0x24, 0x24}}
mm3            {uint64 = 0x2424242424242424, v2_int32 = {0x24242424, 0x24242424}, v4_int16 = {0x2424, 0x2424, 0x2424, 0x2424}, v8_int8 = {0x24, 0x24, 0x24, 0x24, 0x24, 0x24, 
    0x24, 0x24}}
mm4            {uint64 = 0x202020201f1f1f1f, v2_int32 = {0x1f1f1f1f, 0x20202020}, v4_int16 = {0x1f1f, 0x1f1f, 0x2020, 0x2020}, v8_int8 = {0x1f, 0x1f, 0x1f, 0x1f, 0x20, 0x20, 
    0x20, 0x20}}
mm5            {uint64 = 0x2222222222222222, v2_int32 = {0x22222222, 0x22222222}, v4_int16 = {0x2222, 0x2222, 0x2222, 0x2222}, v8_int8 = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 
    0x22, 0x22}}
mm6            {uint64 = 0x2222222222222222, v2_int32 = {0x22222222, 0x22222222}, v4_int16 = {0x2222, 0x2222, 0x2222, 0x2222}, v8_int8 = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 
    0x22, 0x22}}
mm7            {uint64 = 0x2222222222222222, v2_int32 = {0x22222222, 0x22222222}, v4_int16 = {0x2222, 0x2222, 0x2222, 0x2222}, v8_int8 = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 
    0x22, 0x22}}

. there's data at the given offset:

(gdb) x/32x $esi
0xbf4d6598:	0x2022201c	0x21212121	0x20202020	0x20202020
0xbf4d65a8:	0x2225221e	0x24242424	0x23232323	0x23232323
0xbf4d65b8:	0x2326241f	0x25252525	0x24242424	0x24242424
0xbf4d65c8:	0x2224221e	0x23232323	0x22222222	0x22222222
0xbf4d65d8:	0x2224221e	0x23232323	0x22222222	0x22222222
0xbf4d65e8:	0x2224221e	0x23232323	0x22222222	0x22222222
0xbf4d65f8:	0x00000000	0x3f0c9000	0x30a6cfac	0x308b5088
0xbf4d6608:	0x3f21e814	0x00000380	0x00000008	0x00000003

. however it looks like the source address isn't double quadword aligned.

So, what gives?
>How-To-Repeat:
Chrome; look at any news sites full of embedded video crap.
>Fix:
.. I'm not sure if it's a compiler generation bug or a dumb-source code bug.

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list