ffmpeg: ILL_BTCFI in ff_vp9_idct_4x4_internal_avx2() via tdesktop
On Fri, 12 Jun 2026 21:48:56 +0200,
Klemens Nanni <kn@openbsd.org> wrote:
>
> Yesterday I updated my packages and built new tdesktop,
> now it crashes when opening chats; no reproducer yet.
>
> ffmpeg-8.1.1v1 audio/video converter and streamer
> tdesktop-6.9.1 Telegram Desktop messenger
>
> 81826 Telegram PSIG SIGILL SIG_DFL code=ILL_BTCFI addr=0x397a1703911 trapno=21
>
> Core was generated by `Telegram'.
> Program terminated with signal SIGILL, Illegal instruction.
> #0 0x00000397a1703911 in ff_vp9_idct_4x4_internal_avx2.pass2 () from /usr/local/lib/libavcodec.so.27.2
> [Current thread is 1 (process 317345)]
> #0 0x00000397a1703911 in ff_vp9_idct_4x4_internal_avx2.pass2 () from /usr/local/lib/libavcodec.so.27.2
> #1 0x00000397a14c1cee in ff_vp9_intra_recon_8bpp () from /usr/local/lib/libavcodec.so.27.2
> #2 0x00000397a1450b10 in ff_vp9_decode_block () from /usr/local/lib/libavcodec.so.27.2
> #3 0x00000397a1447ac1 in decode_sb () from /usr/local/lib/libavcodec.so.27.2
> #4 0x00000397a1447f39 in decode_sb () from /usr/local/lib/libavcodec.so.27.2
> #5 0x00000397a1447e9b in decode_sb () from /usr/local/lib/libavcodec.so.27.2
> #6 0x00000397a1447e9b in decode_sb () from /usr/local/lib/libavcodec.so.27.2
> #7 0x00000397a1440d12 in vp9_decode_frame () from /usr/local/lib/libavcodec.so.27.2
> #8 0x00000397a0defe41 in ff_decode_receive_frame_internal () from /usr/local/lib/libavcodec.so.27.2
> #9 0x00000397a0df0573 in decode_receive_frame_internal () from /usr/local/lib/libavcodec.so.27.2
> #10 0x00000397a0df04f2 in avcodec_send_packet () from /usr/local/lib/libavcodec.so.27.2
> #11 0x000003973e8583eb in try_decode_frame () from /usr/local/lib/libavformat.so.24.2
> #12 0x000003973e856477 in avformat_find_stream_info () from /usr/local/lib/libavformat.so.24.2
> #13 0x00000394c50e89f6 in ?? ()
> #14 0x00000394c50ea4e7 in ?? ()
> #15 0x00000394c763a009 in ?? ()
> #16 0x00000394cba638f1 in ?? ()
> #17 0x00000396e40ba5d5 in _dispatch_worker_thread () from /usr/local/lib/libdispatch.so.0.0
> #18 0x0000039707398c92 in _rthread_start (v=0x397a0b431e0 <pw_m8423x2>) at /usr/src/lib/librthread/rthread.c:99
> #19 0x00000396e8237eca in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:87
>
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: 12th Gen Intel(R) Core(TM) i7-1270P, 2095.31 MHz, 06-9a-03, patch 0000043b
> cpu0: cpuid 1 edx=bfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE> ecx=77fafbff<SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND>
> cpu0: cpuid 6 eax=df8ff7<SENSOR,ARAT,PTS> ecx=409<EFFFREQ>
> cpu0: cpuid 7.0 ebx=239c27eb<FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,SHA> ecx=98c027ac<UMIP,PKU,WAITPKG,PKS> edx=fc1cc410<MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD>
>
May I ask you to test this diff?
I think I have found all the places that need IBT/BTI.
Index: Makefile
===================================================================
RCS file: /home/cvs/ports/graphics/ffmpeg/Makefile,v
diff -u -p -r1.258 Makefile
--- Makefile 21 May 2026 16:24:15 -0000 1.258
+++ Makefile 13 Jun 2026 00:13:28 -0000
@@ -2,6 +2,7 @@ COMMENT= audio/video converter and strea
# keep it synced with x11/mplayer
V= 8.1.1
+REVISION= 0
DISTNAME= ffmpeg-${V}
CATEGORIES= graphics multimedia
SITES= https://ffmpeg.org/releases/
Index: patches/patch-libavcodec_x86_vp9itxfm_16bpp_avx512_asm
===================================================================
RCS file: patches/patch-libavcodec_x86_vp9itxfm_16bpp_avx512_asm
diff -N patches/patch-libavcodec_x86_vp9itxfm_16bpp_avx512_asm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libavcodec_x86_vp9itxfm_16bpp_avx512_asm 13 Jun 2026 00:08:12 -0000
@@ -0,0 +1,19 @@
+Index: libavcodec/x86/vp9itxfm_16bpp_avx512.asm
+--- libavcodec/x86/vp9itxfm_16bpp_avx512.asm.orig
++++ libavcodec/x86/vp9itxfm_16bpp_avx512.asm
+@@ -375,6 +375,7 @@ cglobal vp9_idct_16x16_internal_10, 0, 7, 22, dst, str
+ TRANSPOSE_4D 4, 5, 6, 7, 16
+ jmp tx2q
+ .pass2:
++ _CET_ENDBR
+ test eobd, eobd
+ jl .pass2_fast
+ call .main_part1
+@@ -603,6 +604,7 @@ cglobal vp9_iadst_16x16_internal_10, 0, 7, 22, dst, st
+ WRAP_YMM IADST16_PASS1_END
+ jmp m(vp9_idct_16x16_internal_10).pass1_fast_end
+ .pass2:
++ _CET_ENDBR
+ test eobd, eobd
+ jl .pass2_fast
+ call .main_part1
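Review bot: Each `_CET_ENDBR` added at a `.pass2` label is justified by the `jmp tx2q` a few lines above it (pass 1 ends by jumping through the register that holds the pass-2 address), but nothing in the patch records that, so a reader has to reconstruct why `.pass2` needs a landing pad while `.pass1_fast_end` or `.pass2_end`, reached by direct `jmp m(...)`, does not. I would put the reason on the line itself, `_CET_ENDBR ; indirect target of jmp tx2q (IBT/BTCFI landing pad)`, and the same in patch-libavcodec_x86_vp9itxfm_avx2_asm and patch-libavcodec_x86_vp9itxfm_avx512_asm, which add the instruction in the same shape. Every `endbr64` widens the set of addresses an indirect branch is allowed to land on, so keeping them only at genuine indirect targets is the right discipline and the comment makes that auditable. Any other label in these files that is entered through a register would still trap with ILL_BTCFI, so a grep for register jumps across the files is worth doing to confirm coverage; the hunk shows only the 16x16 pair for 10-bit, and the enclosing cglobal bodies extend beyond it.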
Index: patches/patch-libavcodec_x86_vp9itxfm_avx2_asm
===================================================================
RCS file: patches/patch-libavcodec_x86_vp9itxfm_avx2_asm
diff -N patches/patch-libavcodec_x86_vp9itxfm_avx2_asm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libavcodec_x86_vp9itxfm_avx2_asm 13 Jun 2026 00:08:12 -0000
@@ -0,0 +1,51 @@
+Index: libavcodec/x86/vp9itxfm_avx2.asm
+--- libavcodec/x86/vp9itxfm_avx2.asm.orig
++++ libavcodec/x86/vp9itxfm_avx2.asm
+@@ -336,6 +336,7 @@ cglobal vp9_idct_4x4_internal, 0, 5, 6, dst, stride, c
+ pshufb m1, m3, m2
+ jmp tx2q
+ .pass2:
++ _CET_ENDBR
+ call .main
+ .pass2_end:
+ vpbroadcastd m2, [o(pw_2048)]
+@@ -382,6 +383,7 @@ cglobal vp9_iadst_4x4_internal, 0, 5, 6, dst, stride,
+ call .main
+ jmp m(vp9_idct_4x4_internal).pass1_end
+ .pass2:
++ _CET_ENDBR
+ call .main
+ jmp m(vp9_idct_4x4_internal).pass2_end
+ ALIGN function_align
+@@ -481,6 +483,7 @@ cglobal vp9_idct_8x8_internal, 0, 5, 8, dst, stride, c
+ vperm2i128 m3, m5, m3, 0x31
+ jmp tx2q
+ .pass2:
++ _CET_ENDBR
+ call .main
+ vpbroadcastd m4, [o(pw_1024)]
+ vpermq m1, m1, q2031
+@@ -553,6 +556,7 @@ cglobal vp9_iadst_8x8_internal, 0, 5, 8, dst, stride,
+ vinserti128 m1, m4, xm1, 1
+ jmp tx2q
+ .pass2:
++ _CET_ENDBR
+ pshufd m4, m0, q1032
+ pshufd m5, m1, q1032
+ call .main
+@@ -923,6 +927,7 @@ cglobal vp9_idct_16x16_internal, 0, 5, 16, 32*6, dst,
+ call .transpose_8x8
+ jmp tx2q
+ .pass2:
++ _CET_ENDBR
+ test eobd, eobd
+ jl .pass2_fast
+ call .main
+@@ -1039,6 +1044,7 @@ cglobal vp9_iadst_16x16_internal, 0, 5, 16, 32*6, dst,
+ mova xm0, [rsp+32*0]
+ jmp m(vp9_idct_16x16_internal).pass1_fast_end
+ .pass2:
++ _CET_ENDBR
+ test eobd, eobd
+ jl .pass2_fast
+ call .main
Index: patches/patch-libavcodec_x86_vp9itxfm_avx512_asm
===================================================================
RCS file: patches/patch-libavcodec_x86_vp9itxfm_avx512_asm
diff -N patches/patch-libavcodec_x86_vp9itxfm_avx512_asm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libavcodec_x86_vp9itxfm_avx512_asm 13 Jun 2026 00:08:12 -0000
@@ -0,0 +1,19 @@
+Index: libavcodec/x86/vp9itxfm_avx512.asm
+--- libavcodec/x86/vp9itxfm_avx512.asm.orig
++++ libavcodec/x86/vp9itxfm_avx512.asm
+@@ -524,6 +524,7 @@ cglobal vp9_idct_16x16_internal, 0, 5, 16, dst, stride
+ punpckldq m0, m4 ; 0-1
+ jmp tx2q
+ .pass2:
++ _CET_ENDBR
+ test eobd, eobd
+ jl .pass2_fast
+ call .main
+@@ -771,6 +772,7 @@ cglobal vp9_iadst_16x16_internal, 0, 5, 16, dst, strid
+ vpermt2q m3, m5, m4
+ jmp tx2q
+ .pass2:
++ _CET_ENDBR
+ pshufd m1, m1, q1032
+ pshufd m3, m3, q1032
+ test eobd, eobd
Index: patches/patch-libavcodec_x86_vvc_mc_asm
===================================================================
RCS file: patches/patch-libavcodec_x86_vvc_mc_asm
diff -N patches/patch-libavcodec_x86_vvc_mc_asm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libavcodec_x86_vvc_mc_asm 13 Jun 2026 00:08:12 -0000
@@ -0,0 +1,69 @@
+Index: libavcodec/x86/vvc/mc.asm
+--- libavcodec/x86/vvc/mc.asm.orig
++++ libavcodec/x86/vvc/mc.asm
+@@ -41,7 +41,7 @@ SECTION_RODATA
+ %xdefine %%prefix mangle(private_prefix %+ _vvc_%1_%3_%4)
+ %%table:
+ %rep %0 - 4
+- dd %%prefix %+ .w%5 - %%base
++ dd %%prefix %+ .w%5_ibt - %%base
+ %rotate 1
+ %endrep
+ %endmacro
+@@ -75,6 +75,8 @@ SECTION .text
+
+ %if %3
+ INIT_XMM cpuname
++.w2_ibt:
++ _CET_ENDBR
+ .w2:
+ movd xm0, [src0q]
+ pinsrd xm0, [src0q + AVG_SRC_STRIDE], 1
+@@ -84,6 +86,8 @@ INIT_XMM cpuname
+ AVG_SAVE_W2 %1
+ AVG_LOOP_END .w2
+
++.w4_ibt:
++ _CET_ENDBR
+ .w4:
+ movq xm0, [src0q]
+ pinsrq xm0, [src0q + AVG_SRC_STRIDE], 1
+@@ -95,6 +99,8 @@ INIT_XMM cpuname
+ AVG_LOOP_END .w4
+
+ INIT_YMM cpuname
++.w8_ibt:
++ _CET_ENDBR
+ .w8:
+ movu xm0, [src0q]
+ movu xm1, [src1q]
+@@ -105,21 +111,29 @@ INIT_YMM cpuname
+
+ AVG_LOOP_END .w8
+
++.w16_ibt:
++ _CET_ENDBR
+ .w16:
+ AVG_W16_FN %1, %2, 1
+
+ AVG_LOOP_END .w16
+
++.w32_ibt:
++ _CET_ENDBR
+ .w32:
+ AVG_W16_FN %1, %2, 2
+
+ AVG_LOOP_END .w32
+
++.w64_ibt:
++ _CET_ENDBR
+ .w64:
+ AVG_W16_FN %1, %2, 4
+
+ AVG_LOOP_END .w64
+
++.w128_ibt:
++ _CET_ENDBR
+ .w128:
+ AVG_W16_FN %1, %2, 8
+
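Review bot: The `.wN_ibt` / `.wN` label pairs deserve a comment, because the split is not obvious: the jump table now points at `.wN_ibt`, so the landing pad sits on the indirect entry, while `AVG_LOOP_END .wN` keeps jumping to `.wN` and therefore does not re-execute `endbr64` on every iteration. Someone tidying the file could merge the two labels and silently move the instruction onto the loop back-edge, so I would write at the first pair: `; .wN_ibt: entered through the %%table jump table (IBT landing pad); .wN: loop target, deliberately past the endbr`. Because the table generator emits `%%prefix .w%5_ibt` for every width it is invoked with, a width listed there without a matching `_ibt` label should fail at assembly time rather than trap at runtime, which is the safe direction; the code that indexes the table is outside the hunk, so that is inferred. The enclosing macro starts before the hunk and continues after `.w128`.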
Index: patches/patch-libswscale_x86_ops_int_asm
===================================================================
RCS file: patches/patch-libswscale_x86_ops_int_asm
diff -N patches/patch-libswscale_x86_ops_int_asm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libswscale_x86_ops_int_asm 13 Jun 2026 00:08:12 -0000
@@ -0,0 +1,11 @@
+Index: libswscale/x86/ops_int.asm
+--- libswscale/x86/ops_int.asm.orig
++++ libswscale/x86/ops_int.asm
+@@ -106,6 +106,7 @@ IF %1 > 3, mov out3q, [execq + SwsOpExec.out3]
+ %endif
+ align function_align
+ current_function %+ _return:
++ _CET_ENDBR
+
+ ; op chain always returns back here
+ mov implq, [rsp + 8]
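Review bot: The comment on the label says the op chain "returns back here", which leaves open whether `current_function %+ _return` is reached by `ret` or by an indirect `jmp`; IBT/BTCFI enforces landing pads only on indirect `jmp`/`call` targets, so the `_CET_ENDBR` is required in the second case and merely harmless in the first. I would make the comment state which, e.g. `; op chain always jumps back here through a register, hence the landing pad`, adjusted to whatever the chain actually does. The function and the op-chain dispatch are outside the hunk, so the mechanism cannot be confirmed from here.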
--
wbr, Kirill