* Segmentation Fault in snd_pcm_rate_hw_free()
@ 2015-08-04 14:08 Valentin Corfu
2015-08-04 14:53 ` Takashi Iwai
0 siblings, 1 reply; 9+ messages in thread
From: Valentin Corfu @ 2015-08-04 14:08 UTC (permalink / raw)
To: alsa-devel
Hello ALSA developers,
I observed one segmentation fault in snd_pcm_rate_hw_free() function,
with the following BT:
(gdb) up
#1 0xb7554cc1 in raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb)
#2 0xb75580ee in abort () at abort.c:92
92 raise (SIGABRT);
(gdb)
#3 0xb758a7dd in __libc_message (do_abort=2,
fmt=0xb766053c "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
189 abort ();
(gdb)
#4 0xb7594a71 in malloc_printerr (action=<value optimized out>,
str=<value optimized out>, ptr=0x969ae98) at malloc.c:6283
6283 __libc_message (action & 2,
(gdb)
#5 0xb759636b in _int_free (av=<value optimized out>, p=0x969ae90)
at malloc.c:4795
4795 malloc_printerr (check_action, errstr, chunk2mem(p));
(gdb)
#6 0xb75994bd in __libc_free (mem=0x969ae98) at malloc.c:3738
3738 _int_free(ar_ptr, p);
(gdb)
#7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
341 free(rate->pareas[0].addr);
(gdb)
#8 0xb76d045b in snd_pcm_hw_free (pcm=0x9685d78) at pcm.c:858
858 err = pcm->ops->hw_free(pcm->op_arg);
(gdb)
#9 0xb76f826e in snd_pcm_plug_hw_free (pcm=0x96856b0) at pcm_plug.c:1046
1046 int err = snd_pcm_hw_free(slave);
(gdb)
#10 0xb76d045b in snd_pcm_hw_free (pcm=0x96856b0) at pcm.c:858
858 err = pcm->ops->hw_free(pcm->op_arg);
(gdb)
#11 0x080492ad in main ()
Could you please give me some hints how to solve this issue?
I can provide you more info or the test application, if needed.
I can see the issue every time, and I also checked with latest version
of alsa-lib but I got the same results.
Thank you,
Valentin Corfu
* Re: Segmentation Fault in snd_pcm_rate_hw_free()
2015-08-04 14:08 Segmentation Fault in snd_pcm_rate_hw_free() Valentin Corfu
@ 2015-08-04 14:53 ` Takashi Iwai
2015-08-04 15:02 ` Valentin Corfu
0 siblings, 1 reply; 9+ messages in thread
From: Takashi Iwai @ 2015-08-04 14:53 UTC (permalink / raw)
To: Valentin Corfu; +Cc: alsa-devel
On Tue, 04 Aug 2015 16:08:30 +0200,
Valentin Corfu wrote:
>
> Hello ALSA developers,
>
> I observed one segmentation fault in snd_pcm_rate_hw_free() function,
> with the following BT:
>
> (gdb) up
> #1 0xb7554cc1 in raise (sig=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
> (gdb)
> #2 0xb75580ee in abort () at abort.c:92
> 92 raise (SIGABRT);
> (gdb)
> #3 0xb758a7dd in __libc_message (do_abort=2,
> fmt=0xb766053c "*** glibc detected *** %s: %s: 0x%s ***\n")
> at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
> 189 abort ();
> (gdb)
> #4 0xb7594a71 in malloc_printerr (action=<value optimized out>,
> str=<value optimized out>, ptr=0x969ae98) at malloc.c:6283
> 6283 __libc_message (action & 2,
> (gdb)
> #5 0xb759636b in _int_free (av=<value optimized out>, p=0x969ae90)
> at malloc.c:4795
> 4795 malloc_printerr (check_action, errstr, chunk2mem(p));
> (gdb)
> #6 0xb75994bd in __libc_free (mem=0x969ae98) at malloc.c:3738
> 3738 _int_free(ar_ptr, p);
> (gdb)
> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
> 341 free(rate->pareas[0].addr);
Could you check the content of rate->pareas[0] via gdb?
> (gdb)
> #8 0xb76d045b in snd_pcm_hw_free (pcm=0x9685d78) at pcm.c:858
> 858 err = pcm->ops->hw_free(pcm->op_arg);
> (gdb)
> #9 0xb76f826e in snd_pcm_plug_hw_free (pcm=0x96856b0) at pcm_plug.c:1046
> 1046 int err = snd_pcm_hw_free(slave);
> (gdb)
> #10 0xb76d045b in snd_pcm_hw_free (pcm=0x96856b0) at pcm.c:858
> 858 err = pcm->ops->hw_free(pcm->op_arg);
> (gdb)
> #11 0x080492ad in main ()
>
>
> Could you please give me some hints how to solve this issue?
>
> I can provide you more info or the test application, if needed.
> I can see the issue every time, and I also checked with latest version
> of alsa-lib but I got the same results.
I don't know of such an error, so far.
It smells like some memory corruption to me.
If a test case is a simple code, tracking the bug would be easy...
Takashi
* Re: Segmentation Fault in snd_pcm_rate_hw_free()
2015-08-04 14:53 ` Takashi Iwai
@ 2015-08-04 15:02 ` Valentin Corfu
2015-08-04 15:15 ` Takashi Iwai
0 siblings, 1 reply; 9+ messages in thread
From: Valentin Corfu @ 2015-08-04 15:02 UTC (permalink / raw)
To: Takashi Iwai; +Cc: alsa-devel
On 04.08.2015 17:53, Takashi Iwai wrote:
> On Tue, 04 Aug 2015 16:08:30 +0200,
> Valentin Corfu wrote:
>> Hello ALSA developers,
>>
>> I observed one segmentation fault in snd_pcm_rate_hw_free() function,
>> with the following BT:
>>
>> (gdb) up
>> #1 0xb7554cc1 in raise (sig=6) at
>> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
>> 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
>> (gdb)
>> #2 0xb75580ee in abort () at abort.c:92
>> 92 raise (SIGABRT);
>> (gdb)
>> #3 0xb758a7dd in __libc_message (do_abort=2,
>> fmt=0xb766053c "*** glibc detected *** %s: %s: 0x%s ***\n")
>> at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
>> 189 abort ();
>> (gdb)
>> #4 0xb7594a71 in malloc_printerr (action=<value optimized out>,
>> str=<value optimized out>, ptr=0x969ae98) at malloc.c:6283
>> 6283 __libc_message (action & 2,
>> (gdb)
>> #5 0xb759636b in _int_free (av=<value optimized out>, p=0x969ae90)
>> at malloc.c:4795
>> 4795 malloc_printerr (check_action, errstr, chunk2mem(p));
>> (gdb)
>> #6 0xb75994bd in __libc_free (mem=0x969ae98) at malloc.c:3738
>> 3738 _int_free(ar_ptr, p);
>> (gdb)
>> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
>> 341 free(rate->pareas[0].addr);
> Could you check the content of rate->pareas[0] via gdb?
(gdb) frame 7
#7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
341 free(rate->pareas[0].addr);
(gdb) print rate->pareas[0]
$1 = {addr = 0x969ae98, first = 0, step = 16}
(gdb) print rate->pareas[0].addr
$2 = (void *) 0x969ae98
>> (gdb)
>> #8 0xb76d045b in snd_pcm_hw_free (pcm=0x9685d78) at pcm.c:858
>> 858 err = pcm->ops->hw_free(pcm->op_arg);
>> (gdb)
>> #9 0xb76f826e in snd_pcm_plug_hw_free (pcm=0x96856b0) at pcm_plug.c:1046
>> 1046 int err = snd_pcm_hw_free(slave);
>> (gdb)
>> #10 0xb76d045b in snd_pcm_hw_free (pcm=0x96856b0) at pcm.c:858
>> 858 err = pcm->ops->hw_free(pcm->op_arg);
>> (gdb)
>> #11 0x080492ad in main ()
>>
>>
>> Could you please give me some hints how to solve this issue?
>>
>> I can provide you more info or the test application, if needed.
>> I can see the issue every time, and I also checked with latest version
>> of alsa-lib but I got the same results.
> I don't know of such an error, so far.
> It smells like some memory corruption to me.
>
> If a test case is a simple code, tracking the bug would be easy...
I have pasted it here:
http://pastebin.com/WJDTz6cE
>
> Takashi
Thank you,
Valentin
* Re: Segmentation Fault in snd_pcm_rate_hw_free()
2015-08-04 15:02 ` Valentin Corfu
@ 2015-08-04 15:15 ` Takashi Iwai
2015-08-05 6:58 ` Valentin Corfu
0 siblings, 1 reply; 9+ messages in thread
From: Takashi Iwai @ 2015-08-04 15:15 UTC (permalink / raw)
To: Valentin Corfu; +Cc: alsa-devel
On Tue, 04 Aug 2015 17:02:26 +0200,
Valentin Corfu wrote:
>
>
>
> On 04.08.2015 17:53, Takashi Iwai wrote:
> > On Tue, 04 Aug 2015 16:08:30 +0200,
> > Valentin Corfu wrote:
> >> Hello ALSA developers,
> >>
> >> I observed one segmentation fault in snd_pcm_rate_hw_free() function,
> >> with the following BT:
> >>
> >> (gdb) up
> >> #1 0xb7554cc1 in raise (sig=6) at
> >> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> >> 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
> >> (gdb)
> >> #2 0xb75580ee in abort () at abort.c:92
> >> 92 raise (SIGABRT);
> >> (gdb)
> >> #3 0xb758a7dd in __libc_message (do_abort=2,
> >> fmt=0xb766053c "*** glibc detected *** %s: %s: 0x%s ***\n")
> >> at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
> >> 189 abort ();
> >> (gdb)
> >> #4 0xb7594a71 in malloc_printerr (action=<value optimized out>,
> >> str=<value optimized out>, ptr=0x969ae98) at malloc.c:6283
> >> 6283 __libc_message (action & 2,
> >> (gdb)
> >> #5 0xb759636b in _int_free (av=<value optimized out>, p=0x969ae90)
> >> at malloc.c:4795
> >> 4795 malloc_printerr (check_action, errstr, chunk2mem(p));
> >> (gdb)
> >> #6 0xb75994bd in __libc_free (mem=0x969ae98) at malloc.c:3738
> >> 3738 _int_free(ar_ptr, p);
> >> (gdb)
> >> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
> >> 341 free(rate->pareas[0].addr);
> > Could you check the content of rate->pareas[0] via gdb?
> (gdb) frame 7
> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
> 341 free(rate->pareas[0].addr);
> (gdb) print rate->pareas[0]
> $1 = {addr = 0x969ae98, first = 0, step = 16}
> (gdb) print rate->pareas[0].addr
> $2 = (void *) 0x969ae98
And accessing to pareas[0].addr is OK? This is a temporary sample
buffer allocated in alsa-lib rate plugin.
> >> (gdb)
> >> #8 0xb76d045b in snd_pcm_hw_free (pcm=0x9685d78) at pcm.c:858
> >> 858 err = pcm->ops->hw_free(pcm->op_arg);
> >> (gdb)
> >> #9 0xb76f826e in snd_pcm_plug_hw_free (pcm=0x96856b0) at pcm_plug.c:1046
> >> 1046 int err = snd_pcm_hw_free(slave);
> >> (gdb)
> >> #10 0xb76d045b in snd_pcm_hw_free (pcm=0x96856b0) at pcm.c:858
> >> 858 err = pcm->ops->hw_free(pcm->op_arg);
> >> (gdb)
> >> #11 0x080492ad in main ()
> >>
> >>
> >> Could you please give me some hints how to solve this issue?
> >>
> >> I can provide you more info or the test application, if needed.
> >> I can see the issue every time, and I also checked with latest version
> >> of alsa-lib but I got the same results.
> > I don't know of such an error, so far.
> > It smells like some memory corruption to me.
> >
> > If a test case is a simple code, tracking the bug would be easy...
> I have pasted it here:
> http://pastebin.com/WJDTz6cE
It works fine on my system. How is your PCM setup? Does the same
problem occur for "plughw" PCM, too? Also, no external PCM rate
plugin is involved?
Takashi
* Re: Segmentation Fault in snd_pcm_rate_hw_free()
2015-08-04 15:15 ` Takashi Iwai
@ 2015-08-05 6:58 ` Valentin Corfu
2015-08-05 7:13 ` Takashi Iwai
0 siblings, 1 reply; 9+ messages in thread
From: Valentin Corfu @ 2015-08-05 6:58 UTC (permalink / raw)
To: Takashi Iwai; +Cc: alsa-devel
Hello Takashi,
On 04.08.2015 18:15, Takashi Iwai wrote:
> On Tue, 04 Aug 2015 17:02:26 +0200,
> Valentin Corfu wrote:
>>
>>
>> On 04.08.2015 17:53, Takashi Iwai wrote:
>>> On Tue, 04 Aug 2015 16:08:30 +0200,
>>> Valentin Corfu wrote:
>>>> Hello ALSA developers,
>>>>
>>>> I observed one segmentation fault in snd_pcm_rate_hw_free() function,
>>>> with the following BT:
>>>>
>>>> (gdb) up
>>>> #1 0xb7554cc1 in raise (sig=6) at
>>>> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
>>>> 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
>>>> (gdb)
>>>> #2 0xb75580ee in abort () at abort.c:92
>>>> 92 raise (SIGABRT);
>>>> (gdb)
>>>> #3 0xb758a7dd in __libc_message (do_abort=2,
>>>> fmt=0xb766053c "*** glibc detected *** %s: %s: 0x%s ***\n")
>>>> at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
>>>> 189 abort ();
>>>> (gdb)
>>>> #4 0xb7594a71 in malloc_printerr (action=<value optimized out>,
>>>> str=<value optimized out>, ptr=0x969ae98) at malloc.c:6283
>>>> 6283 __libc_message (action & 2,
>>>> (gdb)
>>>> #5 0xb759636b in _int_free (av=<value optimized out>, p=0x969ae90)
>>>> at malloc.c:4795
>>>> 4795 malloc_printerr (check_action, errstr, chunk2mem(p));
>>>> (gdb)
>>>> #6 0xb75994bd in __libc_free (mem=0x969ae98) at malloc.c:3738
>>>> 3738 _int_free(ar_ptr, p);
>>>> (gdb)
>>>> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
>>>> 341 free(rate->pareas[0].addr);
>>> Could you check the content of rate->pareas[0] via gdb?
>> (gdb) frame 7
>> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
>> 341 free(rate->pareas[0].addr);
>> (gdb) print rate->pareas[0]
>> $1 = {addr = 0x969ae98, first = 0, step = 16}
>> (gdb) print rate->pareas[0].addr
>> $2 = (void *) 0x969ae98
> And accessing to pareas[0].addr is OK? This is a temporary sample
> buffer allocated in alsa-lib rate plugin.
>
Are you referring if the pointer is valid one?
How could I check this?
>>>> (gdb)
>>>> #8 0xb76d045b in snd_pcm_hw_free (pcm=0x9685d78) at pcm.c:858
>>>> 858 err = pcm->ops->hw_free(pcm->op_arg);
>>>> (gdb)
>>>> #9 0xb76f826e in snd_pcm_plug_hw_free (pcm=0x96856b0) at pcm_plug.c:1046
>>>> 1046 int err = snd_pcm_hw_free(slave);
>>>> (gdb)
>>>> #10 0xb76d045b in snd_pcm_hw_free (pcm=0x96856b0) at pcm.c:858
>>>> 858 err = pcm->ops->hw_free(pcm->op_arg);
>>>> (gdb)
>>>> #11 0x080492ad in main ()
>>>>
>>>>
>>>> Could you please give me some hints how to solve this issue?
>>>>
>>>> I can provide you more info or the test application, if needed.
>>>> I can see the issue every time, and I also checked with latest version
>>>> of alsa-lib but I got the same results.
>>> I don't know of such an error, so far.
>>> It smells like some memory corruption to me.
>>>
>>> If a test case is a simple code, tracking the bug would be easy...
>> I have pasted it here:
>> http://pastebin.com/WJDTz6cE
> It works fine on my system. How is your PCM setup? Does the same
> problem occur for "plughw" PCM, too? Also, no external PCM rate
> plugin is involved?
In my setup it is involved the alsa jack plugin, so I'm using the pcm
jack when the segmentation fault is visible.
I can not reproduce the issue when I'm using "default" / "plughw" PCM.
For more info I have pasted the dump() & log at run:
http://pastebin.com/jyy7pP9e
It is involved here PCM rate conversion at 48000, but not external one.
>
> Takashi
Thank you,
Valentin
* Re: Segmentation Fault in snd_pcm_rate_hw_free()
2015-08-05 6:58 ` Valentin Corfu
@ 2015-08-05 7:13 ` Takashi Iwai
2015-08-05 8:15 ` Valentin Corfu
0 siblings, 1 reply; 9+ messages in thread
From: Takashi Iwai @ 2015-08-05 7:13 UTC (permalink / raw)
To: Valentin Corfu; +Cc: alsa-devel
On Wed, 05 Aug 2015 08:58:16 +0200,
Valentin Corfu wrote:
>
> Hello Takashi,
>
>
> On 04.08.2015 18:15, Takashi Iwai wrote:
> > On Tue, 04 Aug 2015 17:02:26 +0200,
> > Valentin Corfu wrote:
> >>
> >>
> >> On 04.08.2015 17:53, Takashi Iwai wrote:
> >>> On Tue, 04 Aug 2015 16:08:30 +0200,
> >>> Valentin Corfu wrote:
> >>>> Hello ALSA developers,
> >>>>
> >>>> I observed one segmentation fault in snd_pcm_rate_hw_free() function,
> >>>> with the following BT:
> >>>>
> >>>> (gdb) up
> >>>> #1 0xb7554cc1 in raise (sig=6) at
> >>>> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> >>>> 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
> >>>> (gdb)
> >>>> #2 0xb75580ee in abort () at abort.c:92
> >>>> 92 raise (SIGABRT);
> >>>> (gdb)
> >>>> #3 0xb758a7dd in __libc_message (do_abort=2,
> >>>> fmt=0xb766053c "*** glibc detected *** %s: %s: 0x%s ***\n")
> >>>> at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
> >>>> 189 abort ();
> >>>> (gdb)
> >>>> #4 0xb7594a71 in malloc_printerr (action=<value optimized out>,
> >>>> str=<value optimized out>, ptr=0x969ae98) at malloc.c:6283
> >>>> 6283 __libc_message (action & 2,
> >>>> (gdb)
> >>>> #5 0xb759636b in _int_free (av=<value optimized out>, p=0x969ae90)
> >>>> at malloc.c:4795
> >>>> 4795 malloc_printerr (check_action, errstr, chunk2mem(p));
> >>>> (gdb)
> >>>> #6 0xb75994bd in __libc_free (mem=0x969ae98) at malloc.c:3738
> >>>> 3738 _int_free(ar_ptr, p);
> >>>> (gdb)
> >>>> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
> >>>> 341 free(rate->pareas[0].addr);
> >>> Could you check the content of rate->pareas[0] via gdb?
> >> (gdb) frame 7
> >> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
> >> 341 free(rate->pareas[0].addr);
> >> (gdb) print rate->pareas[0]
> >> $1 = {addr = 0x969ae98, first = 0, step = 16}
> >> (gdb) print rate->pareas[0].addr
> >> $2 = (void *) 0x969ae98
> > And accessing to pareas[0].addr is OK? This is a temporary sample
> > buffer allocated in alsa-lib rate plugin.
> >
>
> Are you referring if the pointer is valid one?
> How could I check this?
Look into it via gdb.
> >>>> (gdb)
> >>>> #8 0xb76d045b in snd_pcm_hw_free (pcm=0x9685d78) at pcm.c:858
> >>>> 858 err = pcm->ops->hw_free(pcm->op_arg);
> >>>> (gdb)
> >>>> #9 0xb76f826e in snd_pcm_plug_hw_free (pcm=0x96856b0) at pcm_plug.c:1046
> >>>> 1046 int err = snd_pcm_hw_free(slave);
> >>>> (gdb)
> >>>> #10 0xb76d045b in snd_pcm_hw_free (pcm=0x96856b0) at pcm.c:858
> >>>> 858 err = pcm->ops->hw_free(pcm->op_arg);
> >>>> (gdb)
> >>>> #11 0x080492ad in main ()
> >>>>
> >>>>
> >>>> Could you please give me some hints how to solve this issue?
> >>>>
> >>>> I can provide you more info or the test application, if needed.
> >>>> I can see the issue every time, and I also checked with latest version
> >>>> of alsa-lib but I got the same results.
> >>> I don't know of such an error, so far.
> >>> It smells like some memory corruption to me.
> >>>
> >>> If a test case is a simple code, tracking the bug would be easy...
> >> I have pasted it here:
> >> http://pastebin.com/WJDTz6cE
> > It works fine on my system. How is your PCM setup? Does the same
> > problem occur for "plughw" PCM, too? Also, no external PCM rate
> > plugin is involved?
>
> In my setup it is involved the alsa jack plugin, so I'm using the pcm
> jack when the segmentation fault is visible.
> I can not reproduce the issue when I'm using "default" / "plughw" PCM.
That's the biggest missing piece. So, a possible bug in jack plugin
that has been rarely tested / debugged.
Takashi
> For more info I have pasted the dump() & log at run:
> http://pastebin.com/jyy7pP9e
> It is involved here PCM rate conversion at 48000, but not external one.
>
>
> >
> > Takashi
>
>
> Thank you,
> Valentin
>
* Re: Segmentation Fault in snd_pcm_rate_hw_free()
2015-08-05 7:13 ` Takashi Iwai
@ 2015-08-05 8:15 ` Valentin Corfu
0 siblings, 0 replies; 9+ messages in thread
From: Valentin Corfu @ 2015-08-05 8:15 UTC (permalink / raw)
To: Takashi Iwai; +Cc: alsa-devel
On 05.08.2015 10:13, Takashi Iwai wrote:
> On Wed, 05 Aug 2015 08:58:16 +0200,
> Valentin Corfu wrote:
>> Hello Takashi,
>>
>>
>> On 04.08.2015 18:15, Takashi Iwai wrote:
>>> On Tue, 04 Aug 2015 17:02:26 +0200,
>>> Valentin Corfu wrote:
>>>>
>>>> On 04.08.2015 17:53, Takashi Iwai wrote:
>>>>> On Tue, 04 Aug 2015 16:08:30 +0200,
>>>>> Valentin Corfu wrote:
>>>>>> Hello ALSA developers,
>>>>>>
>>>>>> I observed one segmentation fault in snd_pcm_rate_hw_free() function,
>>>>>> with the following BT:
>>>>>>
>>>>>> (gdb) up
>>>>>> #1 0xb7554cc1 in raise (sig=6) at
>>>>>> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
>>>>>> 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
>>>>>> (gdb)
>>>>>> #2 0xb75580ee in abort () at abort.c:92
>>>>>> 92 raise (SIGABRT);
>>>>>> (gdb)
>>>>>> #3 0xb758a7dd in __libc_message (do_abort=2,
>>>>>> fmt=0xb766053c "*** glibc detected *** %s: %s: 0x%s ***\n")
>>>>>> at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
>>>>>> 189 abort ();
>>>>>> (gdb)
>>>>>> #4 0xb7594a71 in malloc_printerr (action=<value optimized out>,
>>>>>> str=<value optimized out>, ptr=0x969ae98) at malloc.c:6283
>>>>>> 6283 __libc_message (action & 2,
>>>>>> (gdb)
>>>>>> #5 0xb759636b in _int_free (av=<value optimized out>, p=0x969ae90)
>>>>>> at malloc.c:4795
>>>>>> 4795 malloc_printerr (check_action, errstr, chunk2mem(p));
>>>>>> (gdb)
>>>>>> #6 0xb75994bd in __libc_free (mem=0x969ae98) at malloc.c:3738
>>>>>> 3738 _int_free(ar_ptr, p);
>>>>>> (gdb)
>>>>>> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
>>>>>> 341 free(rate->pareas[0].addr);
>>>>> Could you check the content of rate->pareas[0] via gdb?
>>>> (gdb) frame 7
>>>> #7 0xb76f3a81 in snd_pcm_rate_hw_free (pcm=0x9685d78) at pcm_rate.c:341
>>>> 341 free(rate->pareas[0].addr);
>>>> (gdb) print rate->pareas[0]
>>>> $1 = {addr = 0x969ae98, first = 0, step = 16}
>>>> (gdb) print rate->pareas[0].addr
>>>> $2 = (void *) 0x969ae98
>>> And accessing to pareas[0].addr is OK? This is a temporary sample
>>> buffer allocated in alsa-lib rate plugin.
>>>
>> Are you referring if the pointer is valid one?
>> How could I check this?
> Look into it via gdb.
>
(gdb) list
336
337 static int snd_pcm_rate_hw_free(snd_pcm_t *pcm)
338 {
339 snd_pcm_rate_t *rate = pcm->private_data;
340 if (rate->pareas) {
341 free(rate->pareas[0].addr);
342 free(rate->pareas);
343 rate->pareas = NULL;
344 rate->sareas = NULL;
345 }
(gdb) x rate->pareas[0].addr
0x969ae98: 0x019f0110
(gdb) x 0x019f0110
0x19f0110: Cannot access memory at address 0x19f0110
(gdb) print *(rate->pareas[0].addr)
Attempt to dereference a generic pointer.
(gdb) p /s *(char *)(rate->pareas[0].addr)
$6 = 16 '\020'
(gdb) p /s *(char **)(rate->pareas[0].addr)
$7 = 0x19f0110 <Address 0x19f0110 out of bounds>
>>>>>> (gdb)
>>>>>> #8 0xb76d045b in snd_pcm_hw_free (pcm=0x9685d78) at pcm.c:858
>>>>>> 858 err = pcm->ops->hw_free(pcm->op_arg);
>>>>>> (gdb)
>>>>>> #9 0xb76f826e in snd_pcm_plug_hw_free (pcm=0x96856b0) at pcm_plug.c:1046
>>>>>> 1046 int err = snd_pcm_hw_free(slave);
>>>>>> (gdb)
>>>>>> #10 0xb76d045b in snd_pcm_hw_free (pcm=0x96856b0) at pcm.c:858
>>>>>> 858 err = pcm->ops->hw_free(pcm->op_arg);
>>>>>> (gdb)
>>>>>> #11 0x080492ad in main ()
>>>>>>
>>>>>>
>>>>>> Could you please give me some hints how to solve this issue?
>>>>>>
>>>>>> I can provide you more info or the test application, if needed.
>>>>>> I can see the issue every time, and I also checked with latest version
>>>>>> of alsa-lib but I got the same results.
>>>>> I don't know of such an error, so far.
>>>>> It smells like some memory corruption to me.
>>>>>
>>>>> If a test case is a simple code, tracking the bug would be easy...
>>>> I have pasted it here:
>>>> http://pastebin.com/WJDTz6cE
>>> It works fine on my system. How is your PCM setup? Does the same
>>> problem occur for "plughw" PCM, too? Also, no external PCM rate
>>> plugin is involved?
>> In my setup it is involved the alsa jack plugin, so I'm using the pcm
>> jack when the segmentation fault is visible.
>> I can not reproduce the issue when I'm using "default" / "plughw" PCM.
> That's the biggest missing piece. So, a possible bug in jack plugin
> that has been rarely tested / debugged.
>
>
> Takashi
>
>> For more info I have pasted the dump() & log at run:
>> http://pastebin.com/jyy7pP9e
>> It is involved here PCM rate conversion at 48000, but not external one.
>>
>>
>>> Takashi
>>
>> Thank you,
>> Valentin
>>
Best Regards,
Valentin
* Segmentation Fault in snd_pcm_rate_hw_free()
@ 2015-08-18 9:51 Alexandru Costache
2015-08-18 9:59 ` Takashi Iwai
0 siblings, 1 reply; 9+ messages in thread
From: Alexandru Costache @ 2015-08-18 9:51 UTC (permalink / raw)
To: alsa-devel
Hi,
I was reproducing the crash that Valentin Corfu reported earlier with his
test.
Valgrind and gdb show that
expand_linear_s16() is somehow corrupting the area used for memory
management by libc for rate->pareas[0].addr
More exactly, the line that seems to corrupt the heap in
static void expand_linear_s16() is:
*dst = (old_sample * old_weight + new_sample * new_weight) >> 16;
As Valgrind says:
==11161== Invalid write of size 2
==11161== at 0x40A8A82: linear_expand_s16 (pcm_rate_linear.c:179)
==11161== by 0x40A85A9: linear_convert (pcm_rate_linear.c:320)
==11161== by 0x40A6915: do_convert (pcm_rate.c:537)
==11161== by 0x40A6C7D: snd_pcm_rate_write_areas1 (pcm_rate.c:550)
==11161== by 0x40A6C7D: snd_pcm_rate_commit_area (pcm_rate.c:749)
==11161== by 0x40A7014: snd_pcm_rate_drain (pcm_rate.c:1105)
==11161== by 0x4084511: snd_pcm_drain (pcm.c:1122)
==11161== by 0x8049288: main (in /root/pcm_min_daisuke)
==11161== Address 0x43d6258 is 0 bytes after a block of size 86,016 alloc'd
==11161== at 0x40261B1: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==11161== by 0x4099801: snd_pcm_mmap (pcm_mmap.c:425)
==11161== by 0x4093CA7: sndrv_pcm_hw_params (pcm_params.c:2366)
==11161== by 0x409A59C: snd1_pcm_generic_hw_params (pcm_generic.c:104)
==11161== by 0x4091E7F: snd1_pcm_hw_params_slave (pcm_params.c:2250)
==11161== by 0x40A54AC: snd_pcm_rate_hw_params (pcm_rate.c:246)
==11161== by 0x4093AE3: sndrv_pcm_hw_params (pcm_params.c:2326)
==11161== by 0x40ABC37: snd_pcm_plug_hw_params (pcm_plug.c:1045)
==11161== by 0x4093AE3: sndrv_pcm_hw_params (pcm_params.c:2326)
==11161== by 0x4084281: snd_pcm_hw_params (pcm.c:830)
==11161== by 0x8048F84: main (in /root/pcm_min_daisuke)
==11161==
==11161== Invalid free() / delete / delete[] / realloc()
==11161== at 0x402726D: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==11161== by 0x40A53C0: snd_pcm_rate_hw_free (pcm_rate.c:344)
==11161== by 0x4083CDA: snd_pcm_hw_free (pcm.c:853)
==11161== by 0x40A9E8D: snd_pcm_plug_hw_free (pcm_plug.c:1061)
==11161== by 0x4083CDA: snd_pcm_hw_free (pcm.c:853)
==11161== by 0x80492AC: main (in /root/pcm_min_daisuke)
==11161== Address 0xe705004b is not stack'd, malloc'd or (recently) free'd
I'm not very familiar with alsa in general and was wondering if someone who
knows more on it can drop a look on this one?
Thank you,
Alexandru
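
The failure class in the Valgrind report above (a 2-byte sample write landing "0 bytes after" a heap block, noticed only later when free() runs), shown as an added example; this is not alsa-lib code and not code from any poster in this thread. Assumptions: the interpolator is a simplified stand-in, all names (guarded_buf, expand_unchecked, expand_checked) are hypothetical, and the guard words sit inside the same allocation so the overrun is observable without touching real allocator metadata.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GUARD_WORDS   4
#define GUARD_PATTERN ((int16_t)0x5AA5)

/* Hypothetical wrapper: `frames` usable samples followed by guard words that
 * stand in for whatever lives right after the buffer (e.g. the next chunk). */
struct guarded_buf {
    int16_t *mem;
    size_t   frames;
};

static int guarded_alloc(struct guarded_buf *b, size_t frames)
{
    b->mem = calloc(frames + GUARD_WORDS, sizeof(int16_t));
    if (!b->mem)
        return -1;
    b->frames = frames;
    for (size_t i = 0; i < GUARD_WORDS; i++)
        b->mem[frames + i] = GUARD_PATTERN;
    return 0;
}

static int guard_intact(const struct guarded_buf *b)
{
    for (size_t i = 0; i < GUARD_WORDS; i++)
        if (b->mem[b->frames + i] != GUARD_PATTERN)
            return 0;
    return 1;
}

/* 16.16 fixed-point linear upsampler that trusts dst_frames completely. */
static void expand_unchecked(const int16_t *src, size_t src_frames,
                             int16_t *dst, size_t dst_frames)
{
    uint64_t step = ((uint64_t)src_frames << 16) / dst_frames;
    uint64_t pos = 0;
    for (size_t i = 0; i < dst_frames; i++, pos += step) {
        size_t idx = (size_t)(pos >> 16);
        int64_t new_weight = (int64_t)(pos & 0xffff);
        int64_t old_weight = 0x10000 - new_weight;
        int64_t old_sample = src[idx];
        int64_t new_sample = src[idx + 1 < src_frames ? idx + 1 : idx];
        /* Same shape as the statement quoted in the message above. */
        dst[i] = (int16_t)((old_sample * old_weight +
                            new_sample * new_weight) >> 16);
    }
}

/* Same conversion, but the caller must state how many frames dst can hold;
 * a request that does not fit is refused instead of written. */
static long expand_checked(const int16_t *src, size_t src_frames,
                           int16_t *dst, size_t dst_capacity, size_t dst_frames)
{
    if (!src || !dst || src_frames == 0 || dst_frames == 0 ||
        dst_frames > dst_capacity)
        return -1;
    expand_unchecked(src, src_frames, dst, dst_frames);
    return (long)dst_frames;
}

/* Constructed sample input. */
static const int16_t SAMPLE_SRC[4] = {0, 1000, 2000, 3000};

/* One frame more than the buffer holds: returns 1 if the guard was hit. */
int demo_unchecked_damages_guard(void)
{
    struct guarded_buf b;
    if (guarded_alloc(&b, 8))
        return -1;
    expand_unchecked(SAMPLE_SRC, 4, b.mem, b.frames + 1);
    int damaged = !guard_intact(&b);
    free(b.mem);
    return damaged;
}

/* Returns 1 if the oversized request is refused, the exact-fit request is
 * converted, and the guard words are untouched afterwards. */
int demo_checked_keeps_guard(void)
{
    struct guarded_buf b;
    if (guarded_alloc(&b, 8))
        return -1;
    long refused = expand_checked(SAMPLE_SRC, 4, b.mem, b.frames, b.frames + 1);
    long written = expand_checked(SAMPLE_SRC, 4, b.mem, b.frames, b.frames);
    int ok = refused == -1 && written == 8 && b.mem[1] == 500 &&
             b.mem[7] == 3000 && guard_intact(&b);
    free(b.mem);
    return ok;
}

int main(void)
{
    printf("unchecked damaged guard: %d\n", demo_unchecked_damages_guard());
    printf("checked kept guard:      %d\n", demo_checked_keeps_guard());
    return 0;
}
```

With a real heap block there is no guard region, so the extra sample lands on the allocator's bookkeeping for the neighbouring chunk and the damage surfaces at a later free(), away from the write that caused it.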
* Re: Segmentation Fault in snd_pcm_rate_hw_free()
2015-08-18 9:51 Alexandru Costache
@ 2015-08-18 9:59 ` Takashi Iwai
0 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2015-08-18 9:59 UTC (permalink / raw)
To: Alexandru Costache; +Cc: alsa-devel
On Tue, 18 Aug 2015 11:51:18 +0200,
Alexandru Costache wrote:
>
> Hi,
>
> I was reproducing the crash that Valentin Corfu reported earlier with his
> test.
>
> Valgrind and gdb show that
> expand_linear_s16() is somehow corrupting the area used for memory
> management by libc for rate->pareas[0].addr
>
> More exactly, the line that seems to corrupt the heap in
>
> static void expand_linear_s16() is:
>
> *dst = (old_sample * old_weight + new_sample * new_weight) >> 16;
>
>
> As Valgrind says:
>
> ==11161== Invalid write of size 2
> ==11161== at 0x40A8A82: linear_expand_s16 (pcm_rate_linear.c:179)
> ==11161== by 0x40A85A9: linear_convert (pcm_rate_linear.c:320)
> ==11161== by 0x40A6915: do_convert (pcm_rate.c:537)
> ==11161== by 0x40A6C7D: snd_pcm_rate_write_areas1 (pcm_rate.c:550)
> ==11161== by 0x40A6C7D: snd_pcm_rate_commit_area (pcm_rate.c:749)
> ==11161== by 0x40A7014: snd_pcm_rate_drain (pcm_rate.c:1105)
> ==11161== by 0x4084511: snd_pcm_drain (pcm.c:1122)
> ==11161== by 0x8049288: main (in /root/pcm_min_daisuke)
> ==11161== Address 0x43d6258 is 0 bytes after a block of size 86,016 alloc'd
> ==11161== at 0x40261B1: malloc (in
> /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==11161== by 0x4099801: snd_pcm_mmap (pcm_mmap.c:425)
> ==11161== by 0x4093CA7: sndrv_pcm_hw_params (pcm_params.c:2366)
> ==11161== by 0x409A59C: snd1_pcm_generic_hw_params (pcm_generic.c:104)
> ==11161== by 0x4091E7F: snd1_pcm_hw_params_slave (pcm_params.c:2250)
> ==11161== by 0x40A54AC: snd_pcm_rate_hw_params (pcm_rate.c:246)
> ==11161== by 0x4093AE3: sndrv_pcm_hw_params (pcm_params.c:2326)
> ==11161== by 0x40ABC37: snd_pcm_plug_hw_params (pcm_plug.c:1045)
> ==11161== by 0x4093AE3: sndrv_pcm_hw_params (pcm_params.c:2326)
> ==11161== by 0x4084281: snd_pcm_hw_params (pcm.c:830)
> ==11161== by 0x8048F84: main (in /root/pcm_min_daisuke)
> ==11161==
> ==11161== Invalid free() / delete / delete[] / realloc()
> ==11161== at 0x402726D: free (in
> /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==11161== by 0x40A53C0: snd_pcm_rate_hw_free (pcm_rate.c:344)
> ==11161== by 0x4083CDA: snd_pcm_hw_free (pcm.c:853)
> ==11161== by 0x40A9E8D: snd_pcm_plug_hw_free (pcm_plug.c:1061)
> ==11161== by 0x4083CDA: snd_pcm_hw_free (pcm.c:853)
> ==11161== by 0x80492AC: main (in /root/pcm_min_daisuke)
> ==11161== Address 0xe705004b is not stack'd, malloc'd or (recently) free'd
>
> I'm not very familiar with alsa in general and was wondering if someone who
> knows more on it can drop a look on this one?
This is very much dependent on the setup. Please clarify your setup
and the exact code you're using.
Takashi