Signal 8 crash (floating point) in playback of FLAC file

[dmolnar@…]

* Summary: I found a FLAC test case for mplayer built from the 12/25/2007 snapshot that causes a floating point exception and crash.
The mplayer output asked me to report the crash.

The test case is at
​http://www.cs.berkeley.edu/~dmolnar/38-snippet3.flac
(Warning: 600+ M in size)

A test case that DOES NOT exhibit the crash but is similar is at
​http://www.cs.berkeley.edu/~dmolnar/snippet3.flac

* mplayer output:

[dmolnar@koschei mplayertestflac1]$ /home/dmolnar/mplayer-svn/inst/bin/mplayer 38-snippet3.flac
/home/dmolnar/mplayer-svn/inst/bin/mplayer: /usr/lib/libtheora.so.0: no version information available (required by /home/dmolnar/mplayer-svn/inst/bin/mplayer)
MPlayer dev-SVN-r25524-3.4.5 (C) 2000-2007 MPlayer Team
CPU: Intel(R) Pentium(R) D CPU 3.00GHz (Family: 15, Model: 6, Stepping: 4)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 38-snippet3.flac.
libavformat file format detected.

MPlayer interrupted by signal 8 in module: demux_open

• MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
• MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

System information:

Red Hat Enterprise Linux 4, Pentium D 3GHz

[dmolnar@koschei mplayertestflac1]$ uname -a
Linux koschei.eecs.berkeley.edu 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux

[dmolnar@koschei ~]$ ls -l /lib/libc[.-]*
-rwxr-xr-x 1 root root 1438668 Feb 8 2006 /lib/libc-2.3.4.so
lrwxrwxrwx 1 root root 13 Jun 12 2006 /lib/libc.so.6 -> libc-2.3.4.so

[dmolnar@koschei ~]$ as --version
GNU assembler 2.15.92.0.2 20040927
Copyright 2002 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License. This program has absolutely no warranty.
This assembler was configured for a target of `i386-redhat-linux'.
[dmolnar@koschei ~]$

[dmolnar@koschei mplayertestflac1]$ gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.5/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.5 20051201 (Red Hat 3.4.5-2)

[dmolnar@koschei ~]$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 6
model name : Intel(R) Pentium(R) D CPU 3.00GHz
stepping : 4
cpu MHz : 2993.052
cache size : 2048 KB
physical id : 0
siblings : 2
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 6
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl est cid xtpr
bogomips : 5931.00

processor : 1
vendor_id : GenuineIntel
cpu family : 15
model : 6
model name : Intel(R) Pentium(R) D CPU 3.00GHz
stepping : 4
cpu MHz : 2993.052
cache size : 2048 KB
physical id : 0
siblings : 2
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 6
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl est cid xtpr
bogomips : 5980.16

* gdb session (backtrace, disassembly, registers)

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread -1208101184 (LWP 12766)]
0x0855d6ac in divdi3 ()
(gdb) bt
#0 0x0855d6ac in divdi3 ()
#1 0x084a0448 in av_rescale_rnd (a=0, b=1000000, c=0, rnd=AV_ROUND_NEAR_INF)

at mathematics.c:65

#2 0x084a04d2 in av_rescale_q (a=1, bq={num = 0, den = 0}, cq=

{num = 1, den = 1000000}) at mathematics.c:111

#3 0x082093bc in av_update_stream_timings (ic=0x88f0530) at utils.c:1414
#4 0x0820aa6e in av_find_stream_info (ic=0x88f0530) at utils.c:1619
#5 0x081a9172 in demux_open_lavf (demuxer=0x88e65f0) at demux_lavf.c:461
#6 0x08156a15 in demux_open_stream (stream=0x88e5c58, file_format=17,

force=0, audio_id=-1, video_id=-1, dvdsub_id=-2,
filename=0x88d3bb8 "38-snippet3.flac") at demuxer.c:777

#7 0x08156bab in demux_open (vs=0x88e5c58, file_format=0, audio_id=-1,

video_id=-1, dvdsub_id=-2, filename=0x88d3bb8 "38-snippet3.flac")
at demuxer.c:872

#8 0x0808ee73 in main (argc=2, argv=0xbff9d444) at mplayer.c:2969
(gdb)
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x855d68c to 0x855d6cc:
0x0855d68c <divdi3+140>: (bad)
0x0855d68d <divdi3+141>: cmp %edx,0xffffffec(%ebp)
0x0855d690 <divdi3+144>: jb 0x855d654 <divdi3+84>
0x0855d692 <divdi3+146>: mov $0x1,%edi
0x0855d697 <divdi3+151>: jmp 0x855d654 <divdi3+84>
0x0855d699 <divdi3+153>: lea 0x0(%esi),%esi
0x0855d69c <divdi3+156>: mov 0xffffffe0(%ebp),%edi
0x0855d69f <divdi3+159>: test %edi,%edi
0x0855d6a1 <divdi3+161>: jne 0x855d6b1 <divdi3+177>
0x0855d6a3 <divdi3+163>: mov $0x1,%eax
0x0855d6a8 <divdi3+168>: xor %ecx,%ecx
0x0855d6aa <divdi3+170>: xor %edx,%edx
0x0855d6ac <divdi3+172>: div %ecx
0x0855d6ae <divdi3+174>: mov %eax,0xffffffe0(%ebp)
0x0855d6b1 <divdi3+177>: mov %esi,%eax
0x0855d6b3 <divdi3+179>: xor %edx,%edx
0x0855d6b5 <divdi3+181>: divl 0xffffffe0(%ebp)
0x0855d6b8 <divdi3+184>: mov %eax,0xffffffe8(%ebp)
0x0855d6bb <divdi3+187>: mov 0xffffffec(%ebp),%eax
0x0855d6be <divdi3+190>: divl 0xffffffe0(%ebp)
0x0855d6c1 <divdi3+193>: mov %eax,%edi
0x0855d6c3 <divdi3+195>: jmp 0x855d65b <divdi3+91>
---Type <return> to continue, or q <return> to quit---
0x0855d6c5 <divdi3+197>: lea 0x0(%esi),%esi
0x0855d6c8 <divdi3+200>: neg %eax
0x0855d6ca <divdi3+202>: adc $0x0,%edx
End of assembler dump.
(gdb)
(gdb) info all-registers
eax 0x1 1
ecx 0x0 0
edx 0x0 0
ebx 0x0 0
esp 0xbff9b848 0xbff9b848
ebp 0xbff9b868 0xbff9b868
esi 0x0 0
edi 0x0 0
eip 0x855d6ac 0x855d6ac
eflags 0x210246 2163270
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 1 (raw 0x3fff8000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 inf (raw 0x7fff8000000000000000)
---Type <return> to continue, or q <return> to quit---
st7 inf (raw 0x7fff8000000000000000)
fctrl 0x37f 895
fstat 0x25 37
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x8209df2 136355314
foseg 0x7b 123
fooff 0x88f3030 143601712
fop 0x1c9 457
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

---Type <return> to continue, or q <return> to quit---

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 8064
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

---Type <return> to continue, or q <return> to quit---
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm4 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},

v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x80}}

mm5 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},

v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x80}}

mm6 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},

v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x80}}

mm7 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},

v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x80}}

(gdb)

[dmolnar@…]

Forgot mplayer output - sorry!

dmolnar@s84:/work/dmolnar/wav-inline-6$ /work/dmolnar/mplayer-svn/inst/bin/mplayer ~/public_html/fpe-crash-11-informedconsent.wav
MPlayer dev-SVN-r25781-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz (Family: 6, Model: 15, Stepping: 7)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing /home/eecs/dmolnar/public_html/fpe-crash-11-informedconsent.wav.
Audio file file format detected.
Floating point exception

[dmolnar@…]

(In reply to comment #1)

Forgot mplayer output - sorry!

[output from a .wav file snipped]
Sorry, please disregard - meant for bug # 995.

[reimar]

This looks like a ffmpeg problem, can you test with ffplay/ffmpeg?

[dmolnar@…]

OK, will do and let you know.

[dmolnar@…]

(In reply to comment #3)

This looks like a ffmpeg problem, can you test with ffplay/ffmpeg?

ffmpeg also crashes with signal 8 nearby but not in the same place exactly. (In av_tree_destroy called from av_rescale_rnd). I will re-file bug with ffmpeg. Thanks for looking at this.

[reimar]

Seems to be fixed when using FFmpeg SVN.