Add AVIF plugin (decoder + encoder using libavif)

[fdintino]

Resolves #7983

This adds support for AVIF encoding and decoding, including AVIF image sequences.

I've added tests, and integrated libavif into the windows, linux, and mac CI builds. I haven't done anything to integrate with the docker-images repo.

I chose libavif rather than libheif because the former has been embraced by AOMedia and it's what Chromium uses. Packaging support is spotty at the moment, but I expect that to change soon (currently it's in Debian testing, Fedora rawhide, Ubuntu hirsute, and Alpine edge).

A few notes on the implementation here:

• The plugin currently only supports encoding 8-bit images, and all images are decoded to 8-bit RGB(A). I wasn't totally clear on how best to deal with higher bit depths (somewhat related issue: Add support for high bit depth multichannel images #1888)
• The RGB to YUV conversion isn't exposed to python at all. Chroma subsampling and the presence of an alpha channel make it non-trivial to return decoded images as YCbCr. It would not be difficult to permit encoding from a YCbCr source.
• Since there isn't a way to pass parameters to Image.open (Parameters for Image.open() #569), I'm using module globals in AvifImagePlugin.py to make decoder codec choice and chroma upsampling configurable. I suspect there's a better way to do this.

The star.avifs test file is licensed as CC-BY

I linted the C code with the new clang-format settings, but made the following change so that it didn't make PyObject_HEAD and the threading macros look wonky:

diff --git a/.clang-format b/.clang-format
index be32e6d1..300f8e54 100644
--- a/.clang-format
+++ b/.clang-format
@@ -18,3 +18,7 @@ SpaceBeforeParens: ControlStatements
 SpacesInParentheses: false
 TabWidth: 4
 UseTab: Never
+StatementMacros:
+  - PyObject_HEAD
+  - Py_BEGIN_ALLOW_THREADS
+  - Py_END_ALLOW_THREADS

[radarhere]

Did you want to talk about why you added this?

[fdintino]

I accidentally left this in here while I was debugging. I'll remove it.

[fdintino]

Actually, I realized now why I added this: without it the leak tests are non-deterministic. I could pad the memory limit to counteract the fact that it may not have hit the gc generation threshold before it checks the memory, but forcing garbage collection after each iteration ensures that the test is deterministic.

[wiredfool]

Please document in a comment that this is safe for r/w, and potentially add an explict check that the rgb_bytes/rgb.pixels is large enough.

[wiredfool]

Document here as well.

[fdintino]

I wasn't entirely sure what you wanted documented for this line. I added this, let me know if it's what you had in mind:

Pillow/src/_avif.c

Lines 484 to 485 in b84a8e0

	// We need to allocate storage for the decoder for the lifetime of the object
	// (avifDecoderSetIOMemory does not copy the data passed into it)

[fdintino]

I was able to avoid a memcpy here by having PyArg_ParseTuple pass in a PyBytesObject and incrementing the reference in the new / decrementing in the dealloc. That also avoids an unnecessary malloc during decoding.

[fdintino]

Realized it would probably be better to have you resolve these conversations, to confirm that the feedback has indeed been addressed.

[wiredfool]

Is this guaranteed to not overflow, even in the face of invalid input?

[fdintino]

libavif currently restricts images to a maximum of 2^28 pixels. If the dimensions are larger than 16384x16384 then the function that sets decoder->image->width and decoder->image->height fails. So I suppose that a 4-channel 16384x16384 8-bit image could overflow on a 32-bit platform. I'm not certain because the codecs used by libavif have their own overflow limit checks. For instance, dav1d enforces a maximum of 2^26 pixels on 32-bit systems. Should I add a check against PY_SSIZE_T_MAX to be sure? (edit: answering my own question and adding this check)

[fdintino]

Added here

Pillow/src/_avif.c

Lines 619 to 622 in b84a8e0

	if (rgb.height > PY_SSIZE_T_MAX / row_bytes) {
	PyErr_SetString(PyExc_MemoryError, "Integer overflow in pixel size");
	return NULL;
	}

[wiredfool]

Basically, I'm the one who will get a CVE on this if there's a problem, and I'd like really clear guidelines about what the assumptions are for sizes of things and where they come from for dangerous operations like memset, malloc, and pointer reads/writes. This isn't so much for now, but a couple years down the line, things need to be clear. This will be fuzzed, this will be run under valgrind, so hopefully there won't be problems.

I've basically had to reverse engineer how SgiRleDecode works over the last month or so, and I'd like to be preventing that sort of experience in the future.

[fdintino]

Does raising a MemoryError if rgb.height > PY_SSIZE_T_MAX / row_bytes (as I have in the latest PR push) suffice to address that concern?

[wiredfool]

Does meson need to be added to the requirements.txt?

[fdintino]

I don't think so. It's a build dependency of dav1d so it's used when building libavif in CI, but it's not otherwise required to run tests.

[wiredfool]

I'd prefer not iterating a leak test in the standard test suite, as that can be expensive from a time POV. It's ok for the initial cut, but I'd rather not have it long term.

[nulano]

Adding libavif to MSYS2 fails to compile due to a few missing defines (AVIF_CHROMA_UPSAMPLING_AUTOMATIC, AVIF_CHROMA_UPSAMPLING_FASTEST, AVIF_CHROMA_UPSAMPLING_BEST_QUALITY): https://github.com/nulano/Pillow/runs/1683386633?check_suite_focus=true#step:5:77

[fdintino]

@nulano it looks like those defines were only added in libavif 0.8.3. I'll figure some #if version checks around their usage.

[fdintino]

@nulano Is it okay if I cherry-pick your MSYS commit into this PR?

[nulano]

@nulano Is it okay if I cherry-pick your MSYS commit into this PR?

Of course, cherry-pick away!

I have a few nitpicks for winbuild/build_prepare, I haven't looked at the rest yet.

[nulano]

The last line of aom.cmd is cd ../.. which will never fail, so the errorlevel checks have absolutely no effect. The build fails on my system as I don't have git on PATH, yet it continues anyway. However, there should also be a "clean" step, probably cmd_rmdir, so that it is possible to re-run the generated scripts when debugging build_prepare locally.

Suggested change

	'cmd.exe /c "aom.cmd"',
	"if errorlevel 1 echo AOM build failed! && exit /B 1",
	'cmd.exe /c "dav1d.cmd"',
	"if errorlevel 1 echo dav1d build failed! && exit /B 1",
	cmd_rmdir("aom"),
	'cmd.exe /c "aom.cmd"',
	cmd_rmdir("dav1d"),
	'cmd.exe /c "dav1d.cmd"',

I would prefer to build these as separate steps (similar to libpng and freetype, or raqm and its dependencies), but AFAICT AOM can only be downloaded using git, so it's probably simpler this way. But the extra dependencies (git, meson, ninja) should at least be noted in the winbuild/build.rst and winbuild/readme.md documents as well as maybe docs/installation.rst (Bulding on Windows section). There should also be a way to disable these similar to the --no-imagequant and --no-raqm flags, such as --no-avif.

[fdintino]

@radarhere @wiredfool @nulano I think I've addressed all feedback (except for the requests for docs on building), but I've left it up to you all to resolve conversations (or not).

Is this PR generally on the right track? I've held off on writing docs until I've gotten a signal one way or the other.

[fdintino]

Since it's been a month since I asked my question without response, I'll try to reframe it as more specific questions that might be more answerable.

1. Is the general structure of this plugin acceptable? I tried to hew closely to the conventions elsewhere in the repo, so I assume so, but would appreciate confirmation.
2. Is the test coverage sufficient? The gaps are all in the error handling. I'd be happy to try to add test cases for those to make it more complete.
3. I'd appreciate feedback on the encoder settings. For instance: should yuv_format be renamed subsampling to be consistent with the Jpeg plugin? Should I offer a jpeg-like 0-100 quality setting that maps the min/max quantizer? (The colorist library has such a quality setting that still allows qmin/qmax as an advanced override option). Should I eliminate any options? (My vote would be to get rid of qmin_alpha and qmax_alpha).
4. What would you like to see, CI-wise, with this pull request? While waiting for feedback I worked on putting this plugin in its own package, which builds manylinux wheels in the same manner as the pillow-wheels repo. I setup builds for all the codecs supported by libavif, on all platforms, and also added cached dependencies (see pillow-avif-plugin-depends). That includes a crate vendor tarball for rav1e, as I've found crates.io to be too unreliable for frequent CI builds. Would you want to wait until this PR is wrapped up and merged before I opened a pull request against pillow-wheels?
   • Note: I think licensing shouldn't be an issue for anything: AOM, rav1e, dav1d, SVT-AV1 and libyuv are all BSD-2 licensed, libgav1 is Apache, and they all are covered under the Alliance for Open Media Patent License.
   • It might be overkill to include all codecs in the manylinux and windows wheels. In particular, SVT-AV1 is far from ready for prime-time. My recommendation would be to include AOM, dav1d, and rav1e by default. AOM, being the reference implementation, is the most complete and has the highest quality, while dav1d and rav1e are the fastest (setting aside SVT-AV1).

[radarhere]

This might be a libavif bug, but I find that if I run this PR, libavif has stopped working for macOS.

https://github.com/radarhere/Pillow/runs/2201531959#step:8:1174

/Users/runner/work/Pillow/Pillow/depends/libavif-0.8.4/ext/libyuv/include/libyuv/row.h:750:5: error: 'LIBYUV_UNLIMITED_DATA' is not defined, evaluates to 0 [-Werror,-Wundef]
#if LIBYUV_UNLIMITED_DATA
^
1 error generated.

LIBYUV_UNLIMITED_DATA was a change introduced in libyuv in the last month - https://chromium.googlesource.com/libyuv/libyuv/+/ba033a11e3948e4b3%5E%21/#F2

[wiredfool]

We're going to need to add the required libraries to the docker images as well, and we're going to need to add these to the oss-fuzz builder to get fuzzer support.

Might as well make a PR to the Pillow-wheels for whatever needs to happen on build. That will also be potentially helpful for getting the dependencies into oss-fuzz.

[fdintino]

@aclark4life I'm still around. I only pushed a rebase a week ago. I'll take a look at @radarhere's pull request.

[codingjoe]

@fdintino are you taking PayPal donations? I want to send over my love from the Django community.

[aclark4life]

@fdintino are you taking PayPal donations? I want to send over my love from the Django community.

@codingjoe Can you explain why this is good for Django? Would love to have a good answer I can point other folks too. Thank you 🙏

[codingjoe]

@fdintino are you taking PayPal donations? I want to send over my love from the Django community.

@codingjoe Can you explain why this is good for Django? Would love to have a good answer I can point other folks too. Thank you 🙏

Sure, I maintain django-pictures, a responsive cross-browser image library. I guess every good web engineer wants to serve fast, responsive, high-res images. And since AVIF is part of Baseline 2024, folks are eager to get started. I know I am 😁

[radarhere]

What is the relevance of this test?

[fdintino]

It is intended to test this bit of logic:

Pillow/src/PIL/AvifImagePlugin.py

Lines 36 to 44 in ee3c46a

	if major_brand in container_brands:
	# We accept files with AVIF container brands; we can't yet know if
	# the ftyp box has the correct compatible brands, but if it doesn't
	# then the plugin will raise a SyntaxError which Pillow will catch
	# before moving on to the next plugin that accepts the file.
	#
	# Also, because this file might not actually be an AVIF file, we
	# don't raise an error if AVIF support isn't properly compiled.
	return True

If the ftyp box is avif or avis then this is definitely an AVIF image, and so it is sensible to return a string from the accept function to trigger an error. But mif1 and msf1 are valid for both AVIF and HEIF, and the initial bytes passed to the accept function are not long enough to determine which of the two it is. In order to be interoperable with pyheif I cannot raise an error in the accept, and must instead raise a SyntaxError in _open if AVIF is not compiled. This would cause Pillow to failover to any other plugins that accept the file, or—if none are found—cause it to raise an UnidentifiedImageError. Perhaps the test would be clearer in purpose and more useful if instead I created a mock plugin that would serve as the failover, and then asserted that it is called.

[radarhere]

Isn't it possible that someone could build libavif with those strict flags enabled, and then build Pillow from source to use it? So in that scenario, this test would fail?

[fdintino]

strictFlags are passed at runtime, they're not set at compile time. By default it strictly enforces various specification rules, but two in particular are often found in the wild and so are regularly disabled:

Pillow/src/_avif.c

Lines 797 to 802 in 8b8bbba

	// Turn off libavif's 'clap' (clean aperture) property validation.
	self->decoder->strictFlags &= ~AVIF_STRICT_CLAP_VALID;
	// Allow the PixelInformationProperty ('pixi') to be missing in AV1 image
	// items. libheif v1.11.0 and older does not add the 'pixi' item property to
	// AV1 image items.
	self->decoder->strictFlags &= ~AVIF_STRICT_PIXI_REQUIRED;

Chromium disables these two flags and WebKit disables AVIF_STRICT_PIXI_REQUIRED.
The test_decoder_strict_flags test verifies that the strictFlags are set appropriately so that these somewhat common images can load without throwing an error.

[radarhere]

You're saving XMP and EXIF data from the info dictionary.

With the exception of JPEG and XMP, potentially to be reversed by #8483, none of our other plugins currently do this.

[radarhere]

As a reader, I find this (with the context of the lines before it) confusing. It makes me wonder if it I should pkg install libavif or depends/install_libavif.sh.

[fdintino]

@codingjoe I've never solicited donations for my open-source work, but I certainly wouldn't mind if someone was motivated to give something. The best place to send me personal messages and questions is fdintino@gmail.com, which is also what you can use to find me on PayPal. Thanks!

[sheecegardezi]

@fdintino are you taking PayPal donations? I want to send over my love from the Django community.

@codingjoe Can you explain why this is good for Django? Would love to have a good answer I can point other folks too. Thank you 🙏

literly every single embedded mapping library (think google maps) ... atm png and jpeg are defecto formats for the map tiles (chunks)