mpv-player / mpv

🎥 Command line video player
https://mpv.io

Hang with fuzzed file when `--ao=null --ao-null-untimed` is set #13641

Open owl0w1 opened 7 months ago

owl0w1 commented 7 months ago

Version information

Reproduction steps

Play the sample file with: ./mpv --no-config --vo=null --untimed --ao=null --ao-null-untimed 'id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13'

Expected behavior

Don't hang. The program can terminate correctly if --ao-null-untimed is removed:

user@laptop:~/mpv$ ./build/mpv --no-config --vo=null --untimed --ao=null --msg-level=all=trace '/home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13'
[cplayer] Command line options: '--no-config' '--vo=null' '--untimed' '--ao=null' '--msg-level=all=trace' '/home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13'
[cplayer] mpv v0.37.0-481-g03bfd797f6-dirty Copyright © 2000-2024 mpv/MPlayer/mplayer2 projects
[cplayer]  built on Mar  5 2024 21:30:56
[cplayer] libplacebo version: v6.338.2
[cplayer] FFmpeg version: 6.1.1-1ubuntu1
[cplayer] FFmpeg library versions:
[cplayer]    libavutil       58.29.100
[cplayer]    libavcodec      60.31.102
[cplayer]    libavformat     60.16.100
[cplayer]    libswscale      7.5.100
[cplayer]    libavfilter     9.12.100
[cplayer]    libswresample   4.12.100
[cplayer] 
[cplayer] Configuration: -Dlibmpv=true
[cplayer] List of enabled features: alsa av-channel-layout avif-muxer build-date caca cplugins cuda-hwaccel cuda-interop debug dmabuf-interop-gl dmabuf-wayland drm dvbin egl egl-drm egl-helpers egl-wayland egl-x11 ffmpeg ffnvcodec gbm gl glibc-thread-name glob glob-posix gpl iconv jack javascript jpeg jpegxl lavu-uuid lcms2 libarchive libass libavdevice libbluray libdl libm libplacebo librt linux-fstatfs lua52 memfd-create noexecstack pipewire posix posix-shm ppoll pthread-condattr-setclock pulse rubberband rubberband-3 sixel sndio sndio-1-9 threads uchardet vaapi vaapi-drm vaapi-wayland vaapi-x11 vdpau vector vk-khr-display vt.h vulkan vulkan-interop wayland wayland-protocols-1-27 wayland-protocols-1-31 wayland-protocols-1-32 x11 xv zimg zimg-st428 zlib
    ---- 8< ----
[demux] Detected file format: Matroska
[cplayer] Opening done: /home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13
[find_files] Loading external files in /home/user/Downloads/
[cplayer] Running hook: ytdl_hook/on_preloaded
[cplayer] Running hook: auto_profiles/on_preloaded
[mkv] select track 0
[mkv] select track 1
 (+) Video --vid=1 (*) (h264 16x8 29.667fps)
 (+) Audio --aid=1 (*) (mp3 1ch 8000Hz)
[vd] Container reported FPS: 29.666667
[vd] Codec list:
[vd]     h264 - H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
[vd]     h264_v4l2m2m (h264) - V4L2 mem2mem H.264 decoder wrapper
[vd]     h264_qsv (h264) - H264 video (Intel Quick Sync Video acceleration)
[vd]     h264_cuvid (h264) - Nvidia CUVID H264 decoder
[vd] Opening decoder h264
[vd] No hardware decoding requested.
[vd] Using software decoding.
[ffmpeg] detected 32 logical cores
[vd] Detected 32 logical cores.
[vd] Requesting 16 threads for decoding.
[ffmpeg/video] h264: nal_unit_type: 7(SPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again with the complete NAL
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again after escaping the NAL
[ffmpeg/video] h264: nal_unit_type: 7(SPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again with the complete NAL
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: nal_unit_type: 8(PPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 0 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again after escaping the NAL
[ffmpeg/video] h264: nal_unit_type: 8(PPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 0 out of range
[ffmpeg/video] h264: nal_unit_type: 6(SEI), nal_ref_idc: 0
[ffmpeg/video] h264: Invalid NAL unit size (1899835706 > 45).
[ffmpeg/video] h264: Error splitting the input into NAL units.
[vd] Selected codec: H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
[vf] User filter list:
[vf]   (empty)
[ad] Codec list:
[ad]     mp3float (mp3) - MP3 (MPEG audio layer 3)
[ad]     mp3 - MP3 (MPEG audio layer 3)
[ad] Opening decoder mp3float
[ad] Requesting 1 threads for decoding.
[ad] Selected codec: MP3 (MPEG audio layer 3)
[af] User filter list:
[af]   (empty)
[cplayer] Starting playback...
[cplayer] video_output_image: r=3/eof=0/st=syncing
[mkv] bytes=0, read_more=1 prefetch_more=0, refresh_more=0
[cplayer] video_output_image: r=3/eof=0/st=syncing
[mkv] append packet to audio: size=104 pts=0.000000 dts=-9223372036854775808.000000 pos=966 [num=1 size=656]
[mkv] bytes=656, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to audio: size=105 pts=0.052000 dts=-9223372036854775808.000000 pos=1077 [num=1 size=656]
[mkv] bytes=656, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to audio: size=104 pts=0.104000 dts=-9223372036854775808.000000 pos=1187 [num=>1 size=1312]
[mkv] bytes=1312, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to audio: size=105 pts=0.156000 dts=-9223372036854775808.000000 pos=1298 [num=>1 size=1968]
[mkv] bytes=1968, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to video: size=725 pts=0.303000 dts=-9223372036854775808.000000 pos=1305 [num=1 size=1280]
[mkv] bytes=3248, read_more=0 prefetch_more=1, refresh_more=0
[af] [in] 8000Hz mono 1ch floatp
[mkv] EOF reached.
[af] [userspeed] 8000Hz mono 1ch floatp
[af] [userspeed] (disabled)
[af] [convert] 8000Hz mono 1ch floatp
[ffmpeg/video] h264: nal_unit_type: 6(SEI), nal_ref_idc: 0
[ffmpeg/video] h264: Invalid NAL unit size (1899835706 > 45).
[ffmpeg/video] h264: Error splitting the input into NAL units.
Error while decoding frame!
[vf] filter input EOF
[vf] [userdeint] (disabled)
[vf] [autorotate] (disabled)
[vf] [convert] (disabled)
[vf] filter output EOF
[cplayer] video_output_image: r=0/eof=1/st=syncing
[cplayer] video EOF reached
[cplayer] video EOF (status=4)
[ao] Trying audio driver 'null'
[ao/null] requested format: 8000 Hz, mono channels, floatp
[ao/null] Channel layouts:
[ao/null]  - anything
[ao/null] result: mono
[ao/null] device buffer: 1536 samples.
[ao/null] using soft-buffer of 1600 samples.
AO: [null] 8000Hz mono 1ch floatp
[cplayer] AO: Description: Null audio output
[af] [convert] (disabled)
[af] [out] 8000Hz mono 1ch floatp
[af] [in] 11025Hz mono 1ch floatp
[af] [userspeed] 11025Hz mono 1ch floatp
[af] [convert] 11025Hz mono 1ch floatp
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] starting audio playback
[cplayer] playback restart complete @ 0.000000, audio=playing, video=eof
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[ao/null] starting AO
[ao/null] in=576 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=768(768) pl=1, eof=0
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[osc] rendering 
[osc] osc_init 
[cplayer] Set property: user-data/osc/margins={"l":0,"b":0,"r":0,"t":0} -> 1
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[ao/null] in=0 space=1280(1280) pl=1, eof=0
[osc] rendering 
[ao/null] audio end or underrun
[ao] Trying audio driver 'null'
[ao/null] requested format: 11025 Hz, mono channels, floatp
[ao/null] Channel layouts:
[ao/null]  - anything
[ao/null] result: mono
[ao/null] device buffer: 2048 samples.
[ao/null] using soft-buffer of 2205 samples.
AO: [null] 11025Hz mono 1ch floatp
[cplayer] AO: Description: Null audio output
[af] [out] 11025Hz mono 1ch floatp
[ao/null] in=0 space=2048(2048) pl=1, eof=0
[ao/null] starting AO
[ao/null] in=576 space=2048(2048) pl=1, eof=0
[ao/null] in=0 space=1280(1280) pl=1, eof=0
[ao/null] in=576 space=1280(1280) pl=1, eof=0
[ao/null] in=576 space=768(768) pl=1, eof=0
[ao/null] in=0 space=256(256) pl=1, eof=0
[af] filter input EOF
[af] filter output EOF
[cplayer] audio filter EOF
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[ao/null] in=0 space=256(256) pl=1, eof=1
[ao/null] audio end or underrun
[ao/null] in=0 space=256(256) pl=1, eof=0
[cplayer] audio draining
[cplayer] audio EOF reached
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] EOF code: 1  
[ad] Uninit decoder.
[vd] Uninit decoder.
[osc] rendering 
[cplayer] Terminating demuxers...
[cplayer] Done terminating demuxers.
AV: 00:00:00 / 00:00:01 (4%) A-V:  0.000
[cplayer] finished playback, success (reason 0)
Exiting... (End of file)
[console] Exiting...
[ytdl_hook] Exiting...
[cplayer] Run command: del, flags=64, args=[name="user-data/osc"]
[stats] Exiting...
[auto_profiles] Exiting...
[osc] Exiting...
[cplayer] draining left over audio
[ao/null] in=0 space=768(768) pl=1, eof=0
[ao/null] in=0 space=1280(1280) pl=1, eof=0
[ao/null] in=0 space=1792(1792) pl=1, eof=0
[ao/null] audio end or underrun

Actual behavior

The program hangs:

user@laptop:~/mpv$ ./build/mpv --no-config --vo=null --untimed --ao=null --ao-null-untimed --msg-level=all=trace '/home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13'
[cplayer] Command line options: '--no-config' '--vo=null' '--untimed' '--ao=null' '--ao-null-untimed' '--msg-level=all=trace' '/home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13'
[cplayer] mpv v0.37.0-481-g03bfd797f6-dirty Copyright © 2000-2024 mpv/MPlayer/mplayer2 projects
[cplayer]  built on Mar  5 2024 21:30:56
[cplayer] libplacebo version: v6.338.2
[cplayer] FFmpeg version: 6.1.1-1ubuntu1
[cplayer] FFmpeg library versions:
[cplayer]    libavutil       58.29.100
[cplayer]    libavcodec      60.31.102
[cplayer]    libavformat     60.16.100
[cplayer]    libswscale      7.5.100
[cplayer]    libavfilter     9.12.100
[cplayer]    libswresample   4.12.100
[cplayer] 
[cplayer] Configuration: -Dlibmpv=true
[cplayer] List of enabled features: alsa av-channel-layout avif-muxer build-date caca cplugins cuda-hwaccel cuda-interop debug dmabuf-interop-gl dmabuf-wayland drm dvbin egl egl-drm egl-helpers egl-wayland egl-x11 ffmpeg ffnvcodec gbm gl glibc-thread-name glob glob-posix gpl iconv jack javascript jpeg jpegxl lavu-uuid lcms2 libarchive libass libavdevice libbluray libdl libm libplacebo librt linux-fstatfs lua52 memfd-create noexecstack pipewire posix posix-shm ppoll pthread-condattr-setclock pulse rubberband rubberband-3 sixel sndio sndio-1-9 threads uchardet vaapi vaapi-drm vaapi-wayland vaapi-x11 vdpau vector vk-khr-display vt.h vulkan vulkan-interop wayland wayland-protocols-1-27 wayland-protocols-1-31 wayland-protocols-1-32 x11 xv zimg zimg-st428 zlib
    ---- 8< ----
[demux] Detected file format: Matroska
[cplayer] Opening done: /home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13
[osd/libass] Using font provider fontconfig
[osd/libass] Done.
[osc] rendering 
[osc] osc_init 
[find_files] Loading external files in /home/user/Downloads/
[cplayer] Set property: user-data/osc/margins={"l":0,"b":0,"r":0,"t":0} -> 1
[cplayer] Running hook: ytdl_hook/on_preloaded
[cplayer] Run command: define-section, flags=64, args=[name="input_osc", contents="", flags="default"]
[cplayer] Run command: enable-section, flags=64, args=[name="input_osc", flags="allow-hide-cursor+allow-vo-dragging"]
[input] enable section 'input_osc'
[input] active section stack:
[input]  default 12
[input]  input_stats 12
[input]  input_forced_stats 12
[input]  input_console 12
[input]  input_forced_console 12
[input]  showhide 12
[input]  showhide_wc 12
[input]  input_osc 12
[cplayer] Run command: define-section, flags=64, args=[name="input_forced_osc", contents="", flags="force"]
[cplayer] Run command: enable-section, flags=64, args=[name="input_forced_osc", flags="allow-hide-cursor+allow-vo-dragging"]
[input] enable section 'input_forced_osc'
[input] active section stack:
[input]  default 12
[input]  input_stats 12
[input]  input_forced_stats 12
[input]  input_console 12
[input]  input_forced_console 12
[input]  showhide 12
[input]  showhide_wc 12
[input]  input_osc 12
[input]  input_forced_osc 12
[cplayer] Running hook: auto_profiles/on_preloaded
[mkv] select track 0
[mkv] select track 1
 (+) Video --vid=1 (*) (h264 16x8 29.667fps)
 (+) Audio --aid=1 (*) (mp3 1ch 8000Hz)
[vd] Container reported FPS: 29.666667
[vd] Codec list:
[vd]     h264 - H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
[vd]     h264_v4l2m2m (h264) - V4L2 mem2mem H.264 decoder wrapper
[vd]     h264_qsv (h264) - H264 video (Intel Quick Sync Video acceleration)
[vd]     h264_cuvid (h264) - Nvidia CUVID H264 decoder
[vd] Opening decoder h264
[vd] No hardware decoding requested.
[vd] Using software decoding.
[ffmpeg] detected 32 logical cores
[vd] Detected 32 logical cores.
[vd] Requesting 16 threads for decoding.
[ffmpeg/video] h264: nal_unit_type: 7(SPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again with the complete NAL
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again after escaping the NAL
[ffmpeg/video] h264: nal_unit_type: 7(SPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again with the complete NAL
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: nal_unit_type: 8(PPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 0 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again after escaping the NAL
[ffmpeg/video] h264: nal_unit_type: 8(PPS), nal_ref_idc: 3
[ffmpeg/video] h264: sps_id 0 out of range
[ffmpeg/video] h264: nal_unit_type: 6(SEI), nal_ref_idc: 0
[ffmpeg/video] h264: Invalid NAL unit size (1899835706 > 45).
[ffmpeg/video] h264: Error splitting the input into NAL units.
[vd] Selected codec: H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
[vf] User filter list:
[vf]   (empty)
[ad] Codec list:
[ad]     mp3float (mp3) - MP3 (MPEG audio layer 3)
[ad]     mp3 - MP3 (MPEG audio layer 3)
[ad] Opening decoder mp3float
[ad] Requesting 1 threads for decoding.
[ad] Selected codec: MP3 (MPEG audio layer 3)
[af] User filter list:
[af]   (empty)
[cplayer] Starting playback...
[cplayer] video_output_image: r=3/eof=0/st=syncing
[mkv] bytes=0, read_more=1 prefetch_more=0, refresh_more=0
[cplayer] video_output_image: r=3/eof=0/st=syncing
[mkv] append packet to audio: size=104 pts=0.000000 dts=-9223372036854775808.000000 pos=966 [num=1 size=656]
[mkv] bytes=656, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to audio: size=105 pts=0.052000 dts=-9223372036854775808.000000 pos=1077 [num=>1 size=1312]
[mkv] bytes=1312, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to audio: size=104 pts=0.104000 dts=-9223372036854775808.000000 pos=1187 [num=>1 size=1968]
[mkv] bytes=1968, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to audio: size=105 pts=0.156000 dts=-9223372036854775808.000000 pos=1298 [num=>1 size=2624]
[mkv] bytes=2624, read_more=1 prefetch_more=1, refresh_more=0
[mkv] append packet to video: size=725 pts=0.303000 dts=-9223372036854775808.000000 pos=1305 [num=1 size=1280]
[mkv] bytes=3904, read_more=0 prefetch_more=1, refresh_more=0
[mkv] EOF reached.
[ffmpeg/video] h264: nal_unit_type: 6(SEI), nal_ref_idc: 0
[ffmpeg/video] h264: Invalid NAL unit size (1899835706 > 45).
[ffmpeg/video] h264: Error splitting the input into NAL units.
Error while decoding frame!
[vf] filter input EOF
[vf] [userdeint] (disabled)
[vf] [autorotate] (disabled)
[vf] [convert] (disabled)
[vf] filter output EOF
[af] [in] 8000Hz mono 1ch floatp
[af] [userspeed] 8000Hz mono 1ch floatp
[af] [userspeed] (disabled)
[af] [convert] 8000Hz mono 1ch floatp
[cplayer] video_output_image: r=0/eof=1/st=syncing
[cplayer] video EOF reached
[cplayer] video EOF (status=4)
[ao] Trying audio driver 'null'
[ao/null] requested format: 8000 Hz, mono channels, floatp
[ao/null] Channel layouts:
[ao/null]  - anything
[ao/null] result: mono
[ao/null] device buffer: 1536 samples.
[ao/null] using soft-buffer of 1600 samples.
AO: [null] 8000Hz mono 1ch floatp
[cplayer] AO: Description: Null audio output
[af] [convert] (disabled)
[af] [out] 8000Hz mono 1ch floatp
[af] [in] 11025Hz mono 1ch floatp
[af] [userspeed] 11025Hz mono 1ch floatp
[af] [convert] 11025Hz mono 1ch floatp
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] starting audio playback
[cplayer] playback restart complete @ 0.000000, audio=playing, video=eof
[ao/null] starting AO
[ao/null] in=576 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[osc] rendering 
[osc] osc_init 
[cplayer] Set property: user-data/osc/margins={"l":0,"b":0,"r":0,"t":0} -> 1
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[osc] rendering 
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[osc] rendering 
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[cplayer] video_output_image: r=0/eof=1/st=eof
[cplayer] video EOF (status=4)
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
AV: 00:00:00 / 00:00:01 (5%) A-V:  0.000

It goes on forever with the line:

[ao/null] in=0 space=1536(1536) pl=1, eof=0

Log file

GDB backtrace:

user@laptop:~/mpv$ gdb --args ./build-debug/mpv --no-config --vo=null --untimed --ao=null --ao-null-untimed '/home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13'
GNU gdb (Ubuntu 15.0.50.20240219-0ubuntu1) 15.0.50.20240219-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./build-debug/mpv...
(gdb) r
Starting program: /home/user/mpv/build-debug/mpv --no-config --vo=null --untimed --ao=null --ao-null-untimed /home/user/Downloads/id:000000,src:000798,time:76678,execs:24161,op:havoc,rep:13

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) 
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe6a006c0 (LWP 162615)]
[New Thread 0x7fffe60006c0 (LWP 162616)]
[New Thread 0x7fffe56006c0 (LWP 162617)]
[New Thread 0x7fffe4c006c0 (LWP 162618)]
[New Thread 0x7fffdfe006c0 (LWP 162619)]
[New Thread 0x7fffdf4006c0 (LWP 162620)]
[New Thread 0x7fffdea006c0 (LWP 162621)]
[mkv] Invalid EBML length at position 125
[mkv] Next subelement content goes past end of containing element, will be truncated
[mkv] Next subelement content goes past end of containing element, will be truncated
[mkv] Error parsing element Tracks
[mkv] Expected element 0x1254c367 not found
[mkv] Expected element 0x1c53bb6b not found
[mkv] Invalid EBML length at position 2033
[mkv] Corrupt file detected. Trying to resync starting from position 2033...
[Thread 0x7fffdea006c0 (LWP 162621) exited]
[New Thread 0x7fffdea006c0 (LWP 162622)]
[New Thread 0x7fffde0006c0 (LWP 162623)]
 (+) Video --vid=1 (*) (h264 16x8 29.667fps)
 (+) Audio --aid=1 (*) (mp3 1ch 8000Hz)
[New Thread 0x7fffdd6006c0 (LWP 162624)]
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again after escaping the NAL
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 32 out of range
[ffmpeg/video] h264: sps_id 0 out of range
[ffmpeg/video] h264: SPS decoding failure, trying again after escaping the NAL
[ffmpeg/video] h264: sps_id 0 out of range
[New Thread 0x7fffdcc006c0 (LWP 162625)]
[New Thread 0x7fffd3e006c0 (LWP 162626)]
[New Thread 0x7fffd34006c0 (LWP 162627)]
[New Thread 0x7fffd2a006c0 (LWP 162628)]
[New Thread 0x7fffd20006c0 (LWP 162629)]
[New Thread 0x7fffd16006c0 (LWP 162630)]
[New Thread 0x7fffd0c006c0 (LWP 162631)]
[New Thread 0x7fffc7e006c0 (LWP 162632)]
[New Thread 0x7fffc74006c0 (LWP 162633)]
[New Thread 0x7fffc6a006c0 (LWP 162634)]
[New Thread 0x7fffc60006c0 (LWP 162635)]
[New Thread 0x7fffc56006c0 (LWP 162636)]
[New Thread 0x7fffc4c006c0 (LWP 162637)]
[New Thread 0x7fffbbe006c0 (LWP 162638)]
[New Thread 0x7fffbb4006c0 (LWP 162639)]
[New Thread 0x7fffbaa006c0 (LWP 162640)]
[ffmpeg/video] h264: Invalid NAL unit size (1899835706 > 45).
[ffmpeg/video] h264: Error splitting the input into NAL units.
[ffmpeg/video] h264: Invalid NAL unit size (1899835706 > 45).
[ffmpeg/video] h264: Error splitting the input into NAL units.
Error while decoding frame!
[New Thread 0x7fffba0006c0 (LWP 162641)]
AO: [null] 8000Hz mono 1ch floatp
AV: 00:00:00 / 00:00:01 (5%) A-V:  0.000
Thread 1 "mpv" received signal SIGINT, Interrupt.
0x00007ffff3298d61 in __futex_abstimed_wait_common64 (private=21845, cancel=true, abstime=0x0, op=393, expected=0, futex_word=0x5555558aae34) at ./nptl/futex-internal.c:57
warning: 57 ./nptl/futex-internal.c: No such file or directory
(gdb) bt full
#0  0x00007ffff3298d61 in __futex_abstimed_wait_common64 (private=21845, cancel=true, abstime=0x0, op=393, expected=0, futex_word=0x5555558aae34) at ./nptl/futex-internal.c:57
        sc_cancel_oldtype = 0
        sc_ret = <optimized out>
        resultvar = <optimized out>
        __arg6 = <optimized out>
        __arg5 = <optimized out>
        __arg4 = <optimized out>
        __arg3 = <optimized out>
        __arg2 = <optimized out>
        __arg1 = <optimized out>
        _a6 = <optimized out>
        _a5 = <optimized out>
        _a4 = <optimized out>
        _a3 = <optimized out>
        _a2 = <optimized out>
        _a1 = <optimized out>
#1  __futex_abstimed_wait_common (cancel=true, private=21845, abstime=0x0, clockid=0, expected=0, futex_word=0x5555558aae34) at ./nptl/futex-internal.c:87
        err = <optimized out>
        clockbit = 256
        op = 393
        err = <optimized out>
        clockbit = <optimized out>
        op = <optimized out>
#2  __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x5555558aae34, expected=expected@entry=0, clockid=clockid@entry=0, abstime=abstime@entry=0x0, private=private@entry=0)
    at ./nptl/futex-internal.c:139
#3  0x00007ffff329b7dd in __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x5555558aade0, cond=0x5555558aae08) at ./nptl/pthread_cond_wait.c:503
        spin = 0
        buffer = {__routine = 0x7ffff329b4a0 <__condvar_cleanup_waiting>, __arg = 0x7fffffffd7d0, __canceltype = 5, __prev = 0x0}
        cbuffer = {wseq = 377, cond = 0x5555558aae08, mutex = 0x5555558aade0, private = 0}
        err = <optimized out>
        g = 1
        flags = <optimized out>
        g1_start = <optimized out>
        signals = <optimized out>
        result = 0
        wseq = 377
        seq = 188
        private = 0
        maxspin = <optimized out>
        err = <optimized out>
        result = <optimized out>
        wseq = <optimized out>
        g = <optimized out>
        seq = <optimized out>
        flags = <optimized out>
        private = <optimized out>
        signals = <optimized out>
        done = <optimized out>
        g1_start = <optimized out>
        spin = <optimized out>
        buffer = {__routine = <optimized out>, __arg = <optimized out>, __canceltype = <optimized out>, __prev = <optimized out>}
        cbuffer = {wseq = <optimized out>, cond = <optimized out>, mutex = <optimized out>, private = <optimized out>}
--Type <RET> for more, q to quit, c to continue without paging--
        s = <optimized out>
#4  ___pthread_cond_wait (cond=0x5555558aae08, mutex=0x5555558aade0) at ./nptl/pthread_cond_wait.c:627
#5  0x000055555561dcab in mp_cond_timedwait (cond=0x5555558aae08, mutex=0x5555558aade0, timeout=9223372035845138458) at ../osdep/threads-posix.h:196
        ts = {tv_sec = 140737488345200, tv_nsec = 93824993932231}
#6  0x000055555561d705 in mp_cond_timedwait_until (cond=0x5555558aae08, mutex=0x5555558aade0, until=9223372036854775807) at ../osdep/threads-posix.h:212
#7  0x000055555561d5da in mp_dispatch_queue_process (queue=0x5555558aadd0, timeout=inf) at ../misc/dispatch.c:313
#8  0x000055555566d682 in mp_wait_events (mpctx=0x5555558aa8e0) at ../player/playloop.c:63
        sleeping = true
#9  0x000055555566fd26 in run_playloop (mpctx=0x5555558aa8e0) at ../player/playloop.c:1260
#10 0x0000555555666da0 in play_current_file (mpctx=0x5555558aa8e0) at ../player/loadfile.c:1816
        opts = 0x5555558b5a20
        start_event = {playlist_entry_id = 1}
        end_event = {reason = MPV_END_FILE_REASON_EOF, error = 0, playlist_entry_id = 1, playlist_insert_id = 0, playlist_insert_num_entries = 0}
        watch_later = false
        play_start_pts = -9.2233720368547758e+18
        nothing_played = false
        playlist_prev_continue = false
#11 0x0000555555665cd7 in mp_play_files (mpctx=0x5555558aa8e0) at ../player/loadfile.c:1998
        new_entry = 0x5555558aa8e0
#12 0x0000555555669f57 in mpv_main (argc=7, argv=0x7fffffffdcf8) at ../player/main.c:431
        mpctx = 0x5555558aa8e0
        options = 0x7fffffffdd00
        r = 0
        rc = -212412512
        reason = 0x0
#13 0x0000555555758cb2 in main (argc=7, argv=0x7fffffffdcf8) at ../osdep/main-fn-unix.c:5

Sample files

AFL++ found 4000+ "unique" hangs, though I suspect they all have the same underlying cause and AFL++ couldn't recognize them as the same due to stability issues. I am still in the process of de-duplicating these hangs with some quick scripting.

This is the file used in the demo above:

https://wormhole.app/OkrOJ#v7XS9ycj2Gi4dc9fSTDXFQ

owl0w1 commented 7 months ago

GDB backtrace of ao thread:

(gdb) thread 28
[Switching to thread 28 (Thread 0x7fffba0006c0 (LWP 208523))]
#0  0x00007ffff3298d61 in __futex_abstimed_wait_common64 (private=4, cancel=true, abstime=0x7fffb9fff090, op=137, expected=0, 
    futex_word=0x555555ad9d34) at ./nptl/futex-internal.c:57
57  in ./nptl/futex-internal.c
(gdb) bt full
#0  0x00007ffff3298d61 in __futex_abstimed_wait_common64
    (private=4, cancel=true, abstime=0x7fffb9fff090, op=137, expected=0, futex_word=0x555555ad9d34) at ./nptl/futex-internal.c:57
        sc_cancel_oldtype = 0
        sc_ret = <optimized out>
        resultvar = <optimized out>
        __arg6 = <optimized out>
        __arg5 = <optimized out>
        __arg4 = <optimized out>
        __arg3 = <optimized out>
        __arg2 = <optimized out>
        __arg1 = <optimized out>
        _a6 = <optimized out>
        _a5 = <optimized out>
        _a4 = <optimized out>
        _a3 = <optimized out>
        _a2 = <optimized out>
        _a1 = <optimized out>
#1  __futex_abstimed_wait_common (cancel=true, private=4, abstime=0x7fffb9fff090, clockid=0, expected=0, futex_word=0x555555ad9d34)
    at ./nptl/futex-internal.c:87
        err = <optimized out>
        clockbit = 256
        op = 137
        err = <optimized out>
        clockbit = <optimized out>
        op = <optimized out>
#2  __GI___futex_abstimed_wait_cancelable64
    (futex_word=futex_word@entry=0x555555ad9d34, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x7fffb9fff090, private=private@entry=0) at ./nptl/futex-internal.c:139
#3  0x00007ffff329bc7e in __pthread_cond_wait_common (abstime=0x7fffb9fff090, clockid=1, mutex=0x555555ad9ce0, cond=0x555555ad9d08)
    at ./nptl/pthread_cond_wait.c:503
        spin = 0
        buffer = {__routine = 0x7ffff329b4a0 <__condvar_cleanup_waiting>, __arg = 0x7fffb9fff010, __canceltype = 1536, __prev = 0x0}
        cbuffer = {wseq = 45, cond = 0x555555ad9d08, mutex = 0x555555ad9ce0, private = 0}
        err = <optimized out>
        g = 1
--Type <RET> for more, q to quit, c to continue without paging--
        flags = <optimized out>
        g1_start = <optimized out>
        maxspin = 0
        signals = <optimized out>
        result = 0
        wseq = 45
        seq = 22
        private = 0
        maxspin = <optimized out>
        err = <optimized out>
        result = <optimized out>
        wseq = <optimized out>
        g = <optimized out>
        seq = <optimized out>
        flags = <optimized out>
        private = <optimized out>
        signals = <optimized out>
        done = <optimized out>
        g1_start = <optimized out>
        spin = <optimized out>
        buffer = {__routine = <optimized out>, __arg = <optimized out>, __canceltype = <optimized out>, __prev = <optimized out>}
        cbuffer = {wseq = <optimized out>, cond = <optimized out>, mutex = <optimized out>, private = <optimized out>}
        s = <optimized out>
#4  ___pthread_cond_timedwait64 (cond=0x555555ad9d08, mutex=0x555555ad9ce0, abstime=0x7fffb9fff090) at ./nptl/pthread_cond_wait.c:652
        flags = <optimized out>
        clockid = 1
#5  0x00005555555b3588 in mp_cond_timedwait (cond=0x555555ad9d08, mutex=0x555555ad9ce0, timeout=48000000) at ../osdep/threads-posix.h:207
        ts = {tv_sec = 9760, tv_nsec = 838368512}
#6  0x00005555555b3dac in playthread (arg=0x555555960cf0) at ../audio/out/buffer.c:718
        retry = false
        timeout = 48000000
        ao = 0x555555960cf0
        p = 0x555555ad9c80
#7  0x00007ffff329ca94 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
        ret = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--
        pd = <optimized out>
        out = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736313951936, 4155121100175296595, 140736313951936, -400, 0, 140737488342816, 4155121100196268115, 4154958836905003091}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#8  0x00007ffff3329c2c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
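Triage helpers for this class of hang, added here as an illustration (not mpv's code and not the reporter's script): the first function spots the spin the trace log ends in (a trailing run of identical `[ao/null] in=0 ... eof=0` lines with no progress marker after it), the second reduces a GDB backtrace to its non-libc frames so fuzzer hangs can be bucketed by stack instead of by AFL++'s unstable ids. The sample inputs are constructed excerpts of the logs and backtraces quoted in this issue; the `min_repeats` threshold and the libc path hints are assumptions.

```python
"""Bucket mpv fuzzer hangs by log pattern and stack signature (added example)."""
import re

# Matches e.g. "[ao/null] in=0 space=1536(1536) pl=1, eof=0"
AO_NULL_RE = re.compile(
    r"\[ao/null\] in=(?P<inq>\d+) space=(?P<space>\d+)\((?P<cap>\d+)\) "
    r"pl=(?P<pl>\d+), eof=(?P<eof>\d+)")
# Lines that prove the player made it past the AO drain phase.
PROGRESS_MARKERS = ("audio end or underrun", "EOF code:", "finished playback")
# GDB frame header, with or without an address: "#5  0x... in func (" / "#1  func ("
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w.$@]+)\s*\(", re.M)
LOCATION_RE = re.compile(r" at (?P<path>\S+?):(?P<line>\d+)")
LIBC_PATH_HINTS = ("/nptl/", "/sysdeps/")   # assumption: glibc source layout


def detect_ao_spin(log_text: str, min_repeats: int = 8) -> dict:
    """Report whether the log ends in the null-AO spin seen in this issue.

    A hang is a trailing run of at least `min_repeats` identical [ao/null]
    lines with in=0 (nothing queued) and eof=0 (the AO never reports EOF),
    not followed by any progress marker. Other log lines are ignored."""
    run, last_state = 0, None
    for line in log_text.splitlines():
        if any(marker in line for marker in PROGRESS_MARKERS):
            run, last_state = 0, None          # playback moved on: not a spin
            continue
        m = AO_NULL_RE.search(line)
        if not m:
            continue
        state = (m["inq"], m["space"], m["cap"], m["eof"])
        starving = m["inq"] == "0" and m["eof"] == "0"
        if starving and state == last_state:
            run += 1
        else:
            run = 1 if starving else 0
            last_state = state if starving else None
    return {"hang": run >= min_repeats, "repeats": run, "state": last_state}


def backtrace_signature(bt_text: str, depth: int = 6) -> tuple:
    """Return the first `depth` non-libc function names of a GDB backtrace.

    Works on plain `bt` and on `bt full` (locals never start with '#').
    Frames located in glibc (nptl/, sysdeps/) are skipped so the signature
    starts at the project's own wait/loop code."""
    headers = list(FRAME_RE.finditer(bt_text))
    frames = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(bt_text)
        loc = LOCATION_RE.search(bt_text, h.end(), end)   # " at file:line" may wrap
        path = loc["path"] if loc else ""
        if any(hint in path for hint in LIBC_PATH_HINTS):
            continue
        frames.append(h["func"])
        if len(frames) == depth:
            break
    return tuple(frames)


def triage(log_text: str, bt_text: str, depth: int = 6) -> tuple:
    """Dedup key for one hang: (pattern, stack signature)."""
    kind = "ao_null_spin" if detect_ao_spin(log_text)["hang"] else "unknown"
    return kind, backtrace_signature(bt_text, depth)


# Constructed excerpts of the logs quoted above (hanging run, then clean run).
HANG_LOG = """\
[cplayer] playback restart complete @ 0.000000, audio=playing, video=eof
[ao/null] starting AO
[ao/null] in=576 space=1536(1536) pl=1, eof=0
[ao/null] in=0 space=1536(1536) pl=1, eof=0
[cplayer] video EOF (status=4)
""" + "[ao/null] in=0 space=1536(1536) pl=1, eof=0\n" * 9 + \
      "AV: 00:00:00 / 00:00:01 (5%) A-V:  0.000\n"
GOOD_LOG = """\
[ao/null] in=0 space=256(256) pl=1, eof=1
[ao/null] audio end or underrun
[ao/null] in=0 space=256(256) pl=1, eof=0
[cplayer] audio EOF reached
[cplayer] EOF code: 1
[cplayer] finished playback, success (reason 0)
[cplayer] draining left over audio
[ao/null] in=0 space=768(768) pl=1, eof=0
[ao/null] in=0 space=1280(1280) pl=1, eof=0
[ao/null] in=0 space=1792(1792) pl=1, eof=0
[ao/null] audio end or underrun
"""
# Constructed excerpts of the two backtraces above (arguments shortened).
MAIN_THREAD_BT = """\
#0  0x00007ffff3298d61 in __futex_abstimed_wait_common64 (private=21845, ...) at ./nptl/futex-internal.c:57
        sc_cancel_oldtype = 0
#1  __futex_abstimed_wait_common (cancel=true, ...) at ./nptl/futex-internal.c:87
#2  __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x5555558aae34, ...)
    at ./nptl/futex-internal.c:139
#3  0x00007ffff329b7dd in __pthread_cond_wait_common (abstime=0x0, ...) at ./nptl/pthread_cond_wait.c:503
#4  ___pthread_cond_wait (cond=0x5555558aae08, mutex=0x5555558aade0) at ./nptl/pthread_cond_wait.c:627
#5  0x000055555561dcab in mp_cond_timedwait (cond=0x5555558aae08, ...) at ../osdep/threads-posix.h:196
#6  0x000055555561d705 in mp_cond_timedwait_until (cond=0x5555558aae08, ...) at ../osdep/threads-posix.h:212
#7  0x000055555561d5da in mp_dispatch_queue_process (queue=0x5555558aadd0, timeout=inf) at ../misc/dispatch.c:313
#8  0x000055555566d682 in mp_wait_events (mpctx=0x5555558aa8e0) at ../player/playloop.c:63
#9  0x000055555566fd26 in run_playloop (mpctx=0x5555558aa8e0) at ../player/playloop.c:1260
#10 0x0000555555666da0 in play_current_file (mpctx=0x5555558aa8e0) at ../player/loadfile.c:1816
#11 0x0000555555665cd7 in mp_play_files (mpctx=0x5555558aa8e0) at ../player/loadfile.c:1998
"""
AO_THREAD_BT = """\
#0  0x00007ffff3298d61 in __futex_abstimed_wait_common64 (private=4, ...) at ./nptl/futex-internal.c:57
#4  ___pthread_cond_timedwait64 (cond=0x555555ad9d08, ...) at ./nptl/pthread_cond_wait.c:652
#5  0x00005555555b3588 in mp_cond_timedwait (cond=0x555555ad9d08, timeout=48000000) at ../osdep/threads-posix.h:207
#6  0x00005555555b3dac in playthread (arg=0x555555960cf0) at ../audio/out/buffer.c:718
#7  0x00007ffff329ca94 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
#8  0x00007ffff3329c2c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
"""

if __name__ == "__main__":
    print("hanging run:", triage(HANG_LOG, AO_THREAD_BT))
    print("clean run:  ", triage(GOOD_LOG, MAIN_THREAD_BT))
```

Feeding each AFL++ hang's trace log and `thread apply all bt` output through `triage` and grouping by the returned key collapses hangs that share this root cause into one bucket.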

kasper93 commented 5 months ago

@ruihe774: Maybe you would also be interested in looking at this AO EOF issue? Here is the sample: 13614.zip