lavc/h264: don't touch H264Context->ref_count[] during MB decoding.

The variable is copied to subsequent threads at the same time, so this may cause wrong ref_count[] values to be copied to subsequent threads. This bug was found using TSAN and Helgrind. Original patch by Ronald, adapted with a local_ref_count by Clément, following the suggestion of Michael Niedermayer. Signed-off-by: Clément Bœsch <clement.boesch@smartjog.com>

lavc/h264: don't touch H264Context->ref_count[] during MB decoding.
The variable is copied to subsequent threads at the same time, so this may cause wrong ref_count[] values to be copied to subsequent threads. This bug was found using TSAN and Helgrind. Original patch by Ronald, adapted with a local_ref_count by Clément, following the suggestion of Michael Niedermayer. Signed-off-by: Clément Bœsch <clement.boesch@smartjog.com>
2e59210e · Ronald S. Bultje · Clément Bœsch · 5cdd3b99 · 2e59210e · 2e59210e
Commit 2e59210e authored Oct 04, 2012 by Ronald S. Bultje Committed by Clément Bœsch Oct 05, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 40 deletions

h264_cabac.c libavcodec/h264_cabac.c +15 -21

h264_cavlc.c libavcodec/h264_cavlc.c +13 -19

No files found.
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1864,6 +1864,7 @@ int ff_h264_decode_mb_cabac(H264Context *h) {
    int dct8x8_allowed= h->pps.transform_8x8_mode;
    int decode_chroma = h->sps.chroma_format_idc == 1 || h->sps.chroma_format_idc == 2;
    const int pixel_shift = h->pixel_shift;
+    unsigned local_ref_count[2];
    mb_xy = h->mb_xy = s->mb_x + s->mb_y*s->mb_stride;
@@ -2004,10 +2005,8 @@ decode_intra_mb:
        return 0;
    }
-    if(MB_MBAFF){
+    local_ref_count[0] = h->ref_count[0] << MB_MBAFF;
-        h->ref_count[0] <<= 1;
+    local_ref_count[1] = h->ref_count[1] << MB_MBAFF;
-        h->ref_count[1] <<= 1;
-    }
    fill_decode_caches(h, mb_type);
@@ -2077,10 +2076,10 @@ decode_intra_mb:
                for( i = 0; i < 4; i++ ) {
                    if(IS_DIRECT(h->sub_mb_type[i])) continue;
                    if(IS_DIR(h->sub_mb_type[i], 0, list)){
-                        if( h->ref_count[list] > 1 ){
+                        if (local_ref_count[list] > 1) {
                            ref[list][i] = decode_cabac_mb_ref( h, list, 4*i );
-                            if(ref[list][i] >= (unsigned)h->ref_count[list]){
+                            if (ref[list][i] >= (unsigned)local_ref_count[list]) {
-                                av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref[list][i], h->ref_count[list]);
+                                av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref[list][i], local_ref_count[list]);
                                return -1;
                            }
                        }else
@@ -2163,10 +2162,10 @@ decode_intra_mb:
            for(list=0; list<h->list_count; list++){
                if(IS_DIR(mb_type, 0, list)){
                    int ref;
-                    if(h->ref_count[list] > 1){
+                    if (local_ref_count[list] > 1) {
                        ref= decode_cabac_mb_ref(h, list, 0);
-                        if(ref >= (unsigned)h->ref_count[list]){
+                        if (ref >= (unsigned)local_ref_count[list]) {
-                            av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref, h->ref_count[list]);
+                            av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref, local_ref_count[list]);
                            return -1;
                        }
                    }else
@@ -2191,10 +2190,10 @@ decode_intra_mb:
                    for(i=0; i<2; i++){
                        if(IS_DIR(mb_type, i, list)){
                            int ref;
-                            if(h->ref_count[list] > 1){
+                            if (local_ref_count[list] > 1) {
                                ref= decode_cabac_mb_ref( h, list, 8*i );
-                                if(ref >= (unsigned)h->ref_count[list]){
+                                if (ref >= (unsigned)local_ref_count[list]) {
-                                    av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref, h->ref_count[list]);
+                                    av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref, local_ref_count[list]);
                                    return -1;
                                }
                            }else
@@ -2226,10 +2225,10 @@ decode_intra_mb:
                    for(i=0; i<2; i++){
                        if(IS_DIR(mb_type, i, list)){ //FIXME optimize
                            int ref;
-                            if(h->ref_count[list] > 1){
+                            if (local_ref_count[list] > 1) {
                                ref= decode_cabac_mb_ref( h, list, 4*i );
-                                if(ref >= (unsigned)h->ref_count[list]){
+                                if (ref >= (unsigned)local_ref_count[list]) {
-                                    av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref, h->ref_count[list]);
+                                    av_log(s->avctx, AV_LOG_ERROR, "Reference %d >= %d\n", ref, local_ref_count[list]);
                                    return -1;
                                }
                            }else
@@ -2402,10 +2401,5 @@ decode_intra_mb:
    s->current_picture.f.qscale_table[mb_xy] = s->qscale;
    write_back_non_zero_count(h);
-    if(MB_MBAFF){
-        h->ref_count[0] >>= 1;
-        h->ref_count[1] >>= 1;
-    }
    return 0;
 }
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -700,6 +700,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){
    int dct8x8_allowed= h->pps.transform_8x8_mode;
    int decode_chroma = h->sps.chroma_format_idc == 1 || h->sps.chroma_format_idc == 2;
    const int pixel_shift = h->pixel_shift;
+    unsigned local_ref_count[2];
    mb_xy = h->mb_xy = s->mb_x + s->mb_y*s->mb_stride;
@@ -785,10 +786,8 @@ decode_intra_mb:
        return 0;
    }
-    if(MB_MBAFF){
+    local_ref_count[0] = h->ref_count[0] << MB_MBAFF;
-        h->ref_count[0] <<= 1;
+    local_ref_count[1] = h->ref_count[1] << MB_MBAFF;
-        h->ref_count[1] <<= 1;
-    }
    fill_decode_neighbors(h, mb_type);
    fill_decode_caches(h, mb_type);
@@ -869,7 +868,7 @@ decode_intra_mb:
        }
        for(list=0; list<h->list_count; list++){
-            int ref_count= IS_REF0(mb_type) ? 1 : h->ref_count[list];
+            int ref_count= IS_REF0(mb_type) ? 1 : local_ref_count[list];
            for(i=0; i<4; i++){
                if(IS_DIRECT(h->sub_mb_type[i])) continue;
                if(IS_DIR(h->sub_mb_type[i], 0, list)){
@@ -949,13 +948,13 @@ decode_intra_mb:
            for(list=0; list<h->list_count; list++){
                    unsigned int val;
                    if(IS_DIR(mb_type, 0, list)){
-                        if(h->ref_count[list]==1){
+                        if(local_ref_count[list]==1){
                            val= 0;
-                        }else if(h->ref_count[list]==2){
+                        }else if(local_ref_count[list]==2){
                            val= get_bits1(&s->gb)^1;
                        }else{
                            val= get_ue_golomb_31(&s->gb);
-                            if(val >= h->ref_count[list]){
+                            if(val >= local_ref_count[list]){
                                av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", val);
                                return -1;
                            }
@@ -979,13 +978,13 @@ decode_intra_mb:
                    for(i=0; i<2; i++){
                        unsigned int val;
                        if(IS_DIR(mb_type, i, list)){
-                            if(h->ref_count[list] == 1){
+                            if(local_ref_count[list] == 1){
                                val= 0;
-                            }else if(h->ref_count[list] == 2){
+                            }else if(local_ref_count[list] == 2){
                                val= get_bits1(&s->gb)^1;
                            }else{
                                val= get_ue_golomb_31(&s->gb);
-                                if(val >= h->ref_count[list]){
+                                if(val >= local_ref_count[list]){
                                    av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", val);
                                    return -1;
                                }
@@ -1016,13 +1015,13 @@ decode_intra_mb:
                    for(i=0; i<2; i++){
                        unsigned int val;
                        if(IS_DIR(mb_type, i, list)){ //FIXME optimize
-                            if(h->ref_count[list]==1){
+                            if(local_ref_count[list]==1){
                                val= 0;
-                            }else if(h->ref_count[list]==2){
+                            }else if(local_ref_count[list]==2){
                                val= get_bits1(&s->gb)^1;
                            }else{
                                val= get_ue_golomb_31(&s->gb);
-                                if(val >= h->ref_count[list]){
+                                if(val >= local_ref_count[list]){
                                    av_log(h->s.avctx, AV_LOG_ERROR, "ref %u overflow\n", val);
                                    return -1;
                                }
@@ -1162,10 +1161,5 @@ decode_intra_mb:
    s->current_picture.f.qscale_table[mb_xy] = s->qscale;
    write_back_non_zero_count(h);
-    if(MB_MBAFF){
-        h->ref_count[0] >>= 1;
-        h->ref_count[1] >>= 1;
-    }
    return 0;
 }