SIGSEGV in SoundTouch

Bug #1577042 reported by Uwe Klotz on 2016-04-30
This bug affects 2 people
Assigned to: RJ Ryan

Bug Description

OS: Fedora 23 x86_64
Lib: soundtouch-1.9.2-3.fc23.x86_64

Branch: master (2.1.0-alpha-pre x64)
Key Lock enabled
Pitch at 0.00
  - not moved during the whole session (AutoDJ background music @home)
File plays fine after restart
  - same results
  - waveform generation is skipped now

Warning [AnalyzerQueue 1]: Recoverable MP3 frame decoding error: lost synchronization
Debug [AnalyzerQueue 1]: Waveform generation for track 92614 done 6 s
Debug [AnalyzerQueue 1]: ReplayGain 2.0 (libebur128) result is -2.78099 dB for "/home/uk/Music/Collection/nico/chelsea girl/01-02 nico these days.mp3"
Debug [AnalyzerQueue 1]: Beat Calculation complete
Debug [AnalyzerQueue 1]: Key Detection complete
Debug [AnalyzerQueue 1]: Key Histogram
Debug [AnalyzerQueue 1]: 6 : "F" 7.93267e+06
Debug [AnalyzerQueue 1]: 11 : "B♭" 1.47456e+06

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffee22d2700 (LWP 16845)]
0x00007ffff7891e90 in soundtouch::TDStretch::overlapStereo(float*, float const*) const () from /usr/lib64/
(gdb) bt
#0 0x00007ffff7891e90 in soundtouch::TDStretch::overlapStereo(float*, float const*) const () at /usr/lib64/
#1 0x00007ffff7893037 in soundtouch::TDStretch::processSamples() ()
    at /usr/lib64/
#2 0x00007ffff7891490 in soundtouch::SoundTouch::putSamples(float const*, unsigned int) () at /usr/lib64/
#3 0x00000000007cfc82 in EngineBufferScaleST::getScaled(float*, int) (this=0x20a9d00, pOutput=<optimized out>, buf_size=2048)
    at src/engine/enginebufferscalest.cpp:164
#4 0x00000000007cba11 in EngineBuffer::process(float*, int) (this=0x1fa1be0, pOutput=0x7fffc8792010, iBufferSize=2048) at src/engine/enginebuffer.cpp:983
#5 0x00000000007d1310 in EngineDeck::process(float*, int) (this=0x1f759d0, pOut=0x7fffc8792010, iBufferSize=2048) at src/engine/enginedeck.cpp:98
#6 0x00000000007dff4e in EngineMaster::processChannels(int) (this=this@entry=0x14fe100, iBufferSize=iBufferSize@entry=2048) at src/engine/enginemaster.cpp:318
#7 0x00000000007e8b50 in EngineMaster::process(int) (this=0x14fe100, iBufferSize=iBufferSize@entry=2048) at src/engine/enginemaster.cpp:350
#8 0x0000000000b47d5b in SoundManager::onDeviceOutputCallback(unsigned int) (this=<optimized out>, iFramesPerBuffer=iFramesPerBuffer@entry=1024)
    at src/soundio/soundmanager.cpp:548
#9 0x0000000000b44a36 in SoundDevicePortAudio::callbackProcessClkRef(unsigned int, float*, float const*, PaStreamCallbackTimeInfo const*, unsigned long) (this=0x1e337c0, framesPerBuffer=1024, out=0x4de4f2a0, in=<optimized out>, timeInfo=<optimized out>, statusFlags=<optimized out>)
    at src/soundio/sounddeviceportaudio.cpp:949
#10 0x00007ffff7459454 in AdaptingOutputOnlyProcess ()
    at /usr/lib64/
#11 0x00007ffff745aded in PaUtil_EndBufferProcessing ()
    at /usr/lib64/
#12 0x00007ffff746391b in CallbackThreadFunc () at /usr/lib64/
#13 0x00007ffff1d1e60a in start_thread () at /usr/lib64/
#14 0x00007fffeeeb5a4d in clone () at /usr/lib64/

Uwe Klotz (uklotzde) on 2016-04-30
description: updated
description: updated
Owen Williams (ywwg) wrote :

In the past we've had crashes when either soundtouch or rubberband were fed "crazy" rates, like 0 or 10000000000. So this might be a case where we aren't successfully detecting an invalid rate.

Uwe Klotz (uklotzde) wrote :

Before the crash it played for 2 hours without any issues so I don't think this is caused by some weird parameter. Looks more like a memory corruption issue.

description: updated
Uwe Klotz (uklotzde) wrote :

@rryan: Should we change the status to "Fix Committed"? I think your commit fixes this bug.

RJ Ryan (rryan) wrote :

Uwe -- I could never reproduce the segfault so I'm not sure if I fixed it. But maybe we can declare it fixed and reopen if someone sees it again.

I also enabled asan in our Travis builds so we should notice memory safety bugs like this in the future at PR-time.

RJ Ryan (rryan) wrote :

(assuming the tests exercise the code path :X)

Changed in mixxx:
status: New → Fix Committed
milestone: none → 2.1.0
importance: Undecided → Critical
assignee: nobody → RJ Ryan (rryan)
RJ Ryan (rryan) wrote :

The overflow was only at bootup though -- but maybe it trashed some internal soundtouch or engine state that caused your segfault.

Changed in mixxx:
status: Fix Committed → Fix Released
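
The two points raised in the thread, Owen's hypothesis that an undetected "crazy" rate (0 or 10000000000) reached soundtouch, and RJ's remark that the real overflow happened at bootup and that ASan builds should catch such bugs earlier, can both be illustrated with a small guard placed in front of the time-stretcher. The following is an added example, not Mixxx or SoundTouch code: `checkScaleRate`, `inputFramesFor`, the bounds `kMinRate`/`kMaxRate` and the "input frames = output frames × rate" convention are assumptions for illustration, since the page gives neither Mixxx's real rate limits nor its scaler math. It rejects NaN, infinite, non-positive and out-of-range rates before they can be turned into a buffer size, and refuses a frame count that would not fit the `int` that `getScaled(float*, int)` takes in the backtrace.

```cpp
#include <climits>
#include <cmath>
#include <cstdio>
#include <limits>

// Assumed plausible playback-rate window (hypothetical; Mixxx's real
// limits are not stated in the bug report).
constexpr double kMinRate = 1.0 / 64.0;
constexpr double kMaxRate = 64.0;

struct RateCheck {
    bool ok;            // true if the rate may be passed on to the scaler
    double rate;        // the rate to use (1.0 as a safe fallback when !ok)
    const char* reason; // short diagnostic for the log
};

// Validate a requested scale rate before it reaches SoundTouch/Rubber Band.
// Owen's examples (0 and 10000000000) are rejected here rather than being
// turned into a zero-length or gigantic buffer inside the library.
RateCheck checkScaleRate(double requested) {
    if (std::isnan(requested)) return {false, 1.0, "rate is NaN"};
    if (std::isinf(requested)) return {false, 1.0, "rate is infinite"};
    if (requested <= 0.0) return {false, 1.0, "rate is non-positive"};
    if (requested < kMinRate || requested > kMaxRate) {
        return {false, 1.0, "rate outside plausible window"};
    }
    return {true, requested, "ok"};
}

// Number of input frames needed to produce outputFrames at the given rate
// (assumption: rate > 1 plays faster, so input = output * rate).
// Returns -1 instead of producing a count that cannot be represented as an
// int (the type used for buf_size in the backtrace) or dividing by zero.
long long inputFramesFor(int outputFrames, double rate) {
    if (outputFrames < 0) return -1;
    RateCheck c = checkScaleRate(rate);
    if (!c.ok) {
        std::fprintf(stderr, "scaler: refusing rate %g (%s)\n", rate, c.reason);
        return -1;
    }
    double needed = std::ceil(outputFrames * c.rate);
    if (needed > static_cast<double>(INT_MAX)) return -1;
    return static_cast<long long>(needed);
}

int main() {
    // Constructed sample inputs: a sane rate, the two values from Owen's
    // comment, and a NaN that a broken control could produce at bootup.
    const double samples[] = {1.0, 0.0, 10000000000.0,
                              std::numeric_limits<double>::quiet_NaN()};
    for (double r : samples) {
        long long n = inputFramesFor(2048, r);
        std::printf("rate %g -> input frames for 2048 output: %lld\n", r, n);
    }
    return 0;
}
```

Building such a guard (and the engine around it) with `-fsanitize=address -g` is what RJ's Travis change does for the project; an out-of-bounds write in the scaler path then aborts with a report at the faulting line instead of surfacing hours later as an unrelated SIGSEGV inside `overlapStereo`, provided the tests exercise that path.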