mpd: ../src/tag/Pool.cxx:157: void tag_pool_put_item(TagItem*): Assertion `slot->ref > 0' failed.

[hiqua]

Bug report

Describe the bug

mpd crashed with this last line in the logs:

mpd: ../src/tag/Pool.cxx:157: void tag_pool_put_item(TagItem*): Assertion `slot->ref > 0' failed.

I was:

• playing a song
• deleted a folder containing the song (which kept playing)
• initiated a database update (in a parent folder)
• mpd crashed

Note that unfortunately I cannot reproduce it reliably, I tried these steps after but mpd didn't crash.

Expected Behavior

mpd should keep playing (it's fine to delete opened files on linux) until the end, and in any case not crash.

Actual Behavior

crash

Version

Music Player Daemon 0.22.3 (0.22.3)
Copyright 2003-2007 Warren Dukes <warren.dukes@gmail.com>
Copyright 2008-2018 Max Kellermann <max.kellermann@gmail.com>
This is free software; see the source for copying conditions.  There is NO
warranty; not even MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Database plugins:
 simple proxy upnp

Storage plugins:
 local smbclient udisks nfs curl

Neighbor plugins:
 smbclient upnp udisks

Decoders plugins:
 [mad] mp3 mp2
 [mpg123] mp3
 [vorbis] ogg oga
 [oggflac] ogg oga
 [flac] flac
 [opus] opus ogg oga
 [sndfile] wav aiff aif au snd paf iff svx sf voc w64 pvf xi htk caf sd2
 [audiofile] wav au aiff aif
 [dsdiff] dff
 [dsf] dsf
 [hybrid_dsd] m4a
 [faad] aac
 [mpcdec] mpc
 [wavpack] wv
 [modplug] 669 amf ams dbm dfm dsm far it med mdl mod mtm mt2 okt s3m stm ult umx xm
 [mikmod] amf dsm far gdm imf it med mod mtm s3m stm stx ult uni xm
 [sidplay] sid mus str prg P00
 [wildmidi] mid
 [fluidsynth] mid
 [adplug] amd d00 hsc laa rad raw sa2
 [ffmpeg] 16sv 3g2 3gp 4xm 8svx aa3 aac ac3 adx afc aif aifc aiff al alaw amr anim apc ape asf atrac au aud avi avm2 avs bap bfi c93 cak cin cmv cpk daud dct divx dts dv dvd dxa eac3 film flac flc fli fll flx flv g726 gsm gxf iss m1v m2v m2t m2ts m4a m4b m4v mad mj2 mjpeg mjpg mka mkv mlp mm mmf mov mp+ mp1 mp2 mp3 mp4 mpc mpeg mpg mpga mpp mpu mve mvi mxf nc nsv nut nuv oga ogm ogv ogx oma ogg omg opus psp pva qcp qt r3d ra ram rl2 rm rmvb roq rpl rvc shn smk snd sol son spx str swf tak tgi tgq tgv thp ts tsp tta xa xvid uv uv2 vb vid vob voc vp6 vmd wav webm wma wmv wsaud wsvga wv wve rtp:// rtsp:// rtsps://
 [gme] ay gbs gym hes kss nsf nsfe sap spc vgm vgz
 [pcm]

Filters:
 libsamplerate soxr

Tag plugins:
 id3tag

Output plugins:
 shout null fifo sndio pipe alsa ao oss openal pulse jack httpd recorder

Encoder plugins:
 null vorbis opus lame wave flac

Archive plugins:
 [bz2] bz2
 [zzip] zip
 [iso] iso

Input plugins:
 file io_uring archive alsa tidal qobuz curl ffmpeg smbclient nfs mms cdio_paranoia

Playlist plugins:
 extm3u m3u pls xspf asx rss soundcloud flac cue embcue

Protocols:
 file:// alsa:// cdda:// ftp:// ftps:// gopher:// hls+http:// hls+https:// http:// https:// mms:// mmsh:// mmst:// mmsu:// nfs:// qobuz:// rtmp:// rtmps:// rtmpt:// rtmpts:// rtp:// rtsp:// rtsps:// scp:// sftp:// smb:// srtp:// tidal://

Other features:
 avahi dbus udisks epoll icu inotify ipv6 systemd tcp un

Log

mpd: ../src/tag/Pool.cxx:157: void tag_pool_put_item(TagItem*): Assertion `slot->ref > 0' failed.

[MaxKellermann]

Need backtrace.

[hiqua]

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff3051537 in __GI_abort () at abort.c:79
#2  0x00007ffff305140f in __assert_fail_base
    (fmt=0x7ffff31ba108 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555556a714c "slot->ref > 0", file=0x5555556a7138 "../src/tag/Pool.cxx", line=157, function=<optimized out>) at assert.c:92
#3  0x00007ffff3060602 in __GI___assert_fail (assertion=0x5555556a714c "slot->ref > 0", file=0x5555556a7138 "../src/tag/Pool.cxx", line=157, function=0x5555556a7188 "void tag_pool_put_item(TagItem*)")
    at assert.c:101
#4  0x0000555555612266 in  ()
#5  0x00005555556105a1 in  ()
#6  0x0000555555648c73 in  ()
#7  0x0000555555648e57 in  ()
#8  0x0000555555648e26 in  ()
#9  0x0000555555648f0a in  ()
#10 0x00005555556495dd in  ()
#11 0x000055555564a07f in  ()
#12 0x000055555564a467 in  ()
#13 0x000055555564a71c in  ()
#14 0x000055555564a84e in  ()
#15 0x0000555555647e06 in  ()
#16 0x00005555555e0913 in  ()
#17 0x00007ffff31f9ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x00007ffff3129d8f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I've recompiled the last version from master with debug symbols and I'll post a new backtrace if it crashes.

[MaxKellermann]

Your backtrace is useless because your MPD build is stripped.

[hiqua]

Yes I realized only after the crash, hence the recompile.

[cebtenzzre]

I've seen this assertion failure several times - the backtrace seems to be different every time. Sometimes it crashes during exit and other times it crashes in the middle of a db update. I recently triggered it by running a rescan (which completed) followed by a SIGTERM (systemctl --user stop mpd). Here is a full backtrace from gdb:

>>> info threads
  Id   Target Id                          Frame 
* 1    Thread 0x7f246ff950c0 (LWP 595182) 0x00007f24809d9d22 in raise () from /usr/lib/libc.so.6
  2    Thread 0x7f246d7dd640 (LWP 595188) 0x00007f2480b7e8ca in __futex_abstimed_wait_common64 () from /usr/lib/libpthread.so.0
  3    Thread 0x7f246f3e0640 (LWP 595185) 0x00007f2480a9b92e in epoll_wait () from /usr/lib/libc.so.6
  4    LWP 595183                         0x0000000000000000 in ?? ()
  5    Thread 0x7f246cfdc640 (LWP 595189) 0x00007f2480a90b2f in poll () from /usr/lib/libc.so.6
  6    LWP 595190                         0x0000000000000000 in ?? ()
  7    Thread 0x7f246fbe1640 (LWP 595184) 0x00007f2480a9b92e in epoll_wait () from /usr/lib/libc.so.6
  8    LWP 595191                         0x0000000000000000 in ?? ()
>>> thread apply all bt

Thread 8 (LWP 595191):
#0  0x0000000000000000 in  ()

Thread 7 (Thread 0x7f246fbe1640 (LWP 595184)):
#0  0x00007f2480a9b92e in epoll_wait () at /usr/lib/libc.so.6
#1  0x0000559328833054 in EpollFD::Wait(epoll_event*, int, int) (timeout=<optimized out>, maxevents=16, events=0x7f246fbe03b0, this=0x7fff235f3e48) at ../src/system/EpollFD.hxx:55
#2  EpollBackend::ReadEvents(int) (timeout_ms=<optimized out>, this=0x7fff235f3e48) at ../src/event/EpollBackend.hxx:60
#3  EventLoop::Wait(std::chrono::duration<long, std::ratio<1l, 1000000000l> >) (timeout=..., this=0x7fff235f35b8) at ../src/event/Loop.cxx:241
#4  EventLoop::Run() (this=0x7fff235f35b8) at ../src/event/Loop.cxx:330
#5  0x000055932882daab in BoundMethod<void () noexcept>::operator()() const (this=0x7fff235f3e58, this=<optimized out>) at ../src/util/BindMethod.hxx:78
#6  Thread::Run() (this=0x7fff235f3e58) at ../src/thread/Thread.cxx:63
#7  Thread::ThreadProc(void*) (ctx=0x7fff235f3e58) at ../src/thread/Thread.cxx:92
#8  0x00007f2480b72259 in start_thread () at /usr/lib/libpthread.so.0
#9  0x00007f2480a9b5e3 in clone () at /usr/lib/libc.so.6

Thread 6 (LWP 595190):
#0  0x0000000000000000 in  ()

Thread 5 (Thread 0x7f246cfdc640 (LWP 595189)):
#0  0x00007f2480a90b2f in poll () at /usr/lib/libc.so.6
#1  0x00007f2482f85654 in  () at /usr/lib/libpulse.so.0
#2  0x00007f2482f6e9a9 in pa_mainloop_poll () at /usr/lib/libpulse.so.0
#3  0x00007f2482f79281 in pa_mainloop_iterate () at /usr/lib/libpulse.so.0
#4  0x00007f2482f79331 in pa_mainloop_run () at /usr/lib/libpulse.so.0
#5  0x00007f2482f897fe in  () at /usr/lib/libpulse.so.0
#6  0x00007f2471c535cc in  () at /usr/lib/pulseaudio/libpulsecommon-14.2.so
#7  0x00007f2480b72259 in start_thread () at /usr/lib/libpthread.so.0
#8  0x00007f2480a9b5e3 in clone () at /usr/lib/libc.so.6

Thread 4 (LWP 595183):
#0  0x0000000000000000 in  ()

Thread 3 (Thread 0x7f246f3e0640 (LWP 595185)):
#0  0x00007f2480a9b92e in epoll_wait () at /usr/lib/libc.so.6
#1  0x0000559328833054 in EpollFD::Wait(epoll_event*, int, int) (timeout=<optimized out>, maxevents=16, events=0x7f246f3df3b0, this=0x7fff235f4710) at ../src/system/EpollFD.hxx:55
#2  EpollBackend::ReadEvents(int) (timeout_ms=<optimized out>, this=0x7fff235f4710) at ../src/event/EpollBackend.hxx:60
#3  EventLoop::Wait(std::chrono::duration<long, std::ratio<1l, 1000000000l> >) (timeout=..., this=0x7fff235f3e80) at ../src/event/Loop.cxx:241
#4  EventLoop::Run() (this=0x7fff235f3e80) at ../src/event/Loop.cxx:330
#5  0x000055932882daab in BoundMethod<void () noexcept>::operator()() const (this=0x7fff235f4720, this=<optimized out>) at ../src/util/BindMethod.hxx:78
#6  Thread::Run() (this=0x7fff235f4720) at ../src/thread/Thread.cxx:63
#7  Thread::ThreadProc(void*) (ctx=0x7fff235f4720) at ../src/thread/Thread.cxx:92
#8  0x00007f2480b72259 in start_thread () at /usr/lib/libpthread.so.0
#9  0x00007f2480a9b5e3 in clone () at /usr/lib/libc.so.6

Thread 2 (Thread 0x7f246d7dd640 (LWP 595188)):
#0  0x00007f2480b7e8ca in __futex_abstimed_wait_common64 () at /usr/lib/libpthread.so.0
#1  0x00007f2480b78270 in pthread_cond_wait@@GLIBC_2.3.2 () at /usr/lib/libpthread.so.0
#2  0x00007f2480db5f01 in __gthread_cond_wait (__mutex=<optimized out>, __cond=0x5593294845f8) at /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:865
#3  std::__condvar::wait(std::mutex&) (__m=<optimized out>, this=0x5593294845f8) at /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/std_mutex.h:155
#4  std::condition_variable::wait(std::unique_lock<std::mutex>&) (this=this@entry=0x5593294845f8, __lock=...) at /build/gcc/src/gcc/libstdc++-v3/src/c++11/condition_variable.cc:41
#5  0x000055932886e90b in AudioOutputControl::Task() (this=0x559329484510) at ../src/output/Thread.cxx:455
#6  BindMethodDetail::BindMethodWrapperGenerator2<AudioOutputControl, true, void (AudioOutputControl::*)() noexcept, &AudioOutputControl::Task, void>::Invoke(void*) (_instance=0x559329484510) at ../src/util/BindMethod.hxx:152
#7  0x000055932882daab in BoundMethod<void () noexcept>::operator()() const (this=0x5593294845d8, this=<optimized out>) at ../src/util/BindMethod.hxx:78
#8  Thread::Run() (this=0x5593294845d8) at ../src/thread/Thread.cxx:63
#9  Thread::ThreadProc(void*) (ctx=0x5593294845d8) at ../src/thread/Thread.cxx:92
#10 0x00007f2480b72259 in start_thread () at /usr/lib/libpthread.so.0
#11 0x00007f2480a9b5e3 in clone () at /usr/lib/libc.so.6

Thread 1 (Thread 0x7f246ff950c0 (LWP 595182)):
#0  0x00007f24809d9d22 in raise () at /usr/lib/libc.so.6
#1  0x00007f24809c3862 in abort () at /usr/lib/libc.so.6
#2  0x00007f24809c3747 in _nl_load_domain.cold () at /usr/lib/libc.so.6
#3  0x00007f24809d2616 in  () at /usr/lib/libc.so.6
#4  0x000055932886195b in tag_pool_put_item(TagItem*) (item=<optimized out>) at ../src/tag/Pool.cxx:154
#5  tag_pool_put_item(TagItem*) (item=<optimized out>) at ../src/tag/Pool.cxx:149
#6  0x00005593288aac20 in Tag::Clear() (this=0x559329635a20) at ../src/tag/Tag.cxx:35
#7  Tag::~Tag() (this=0x559329635a20, this=<optimized out>) at ../src/tag/Tag.hxx:73
#8  Song::~Song() (this=0x559329635a10, this=<optimized out>) at ../src/db/plugins/simple/Song.hxx:45
#9  DeleteDisposer::operator()<Song>(Song*) (t=0x559329635a10, this=<synthetic pointer>) at ../src/util/DeleteDisposer.hxx:41
#10 boost::intrusive::list_impl<boost::intrusive::mhtraits<Song, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Song::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) (disposer=..., this=0x559329635960) at /usr/include/boost/intrusive/list.hpp:754
#11 Directory::~Directory() (this=0x559329635940, this=<optimized out>) at ../src/db/plugins/simple/Directory.cxx:55
#12 0x00005593288aacaf in DeleteDisposer::operator()<Directory>(Directory*) (t=0x559329635940, this=<synthetic pointer>) at ../src/util/DeleteDisposer.hxx:41
#13 boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) (disposer=..., this=0x559329635850) at /usr/include/boost/intrusive/list.hpp:754
#14 Directory::~Directory() (this=0x559329635840, this=<optimized out>) at ../src/db/plugins/simple/Directory.cxx:56
#15 0x00005593288aacaf in DeleteDisposer::operator()<Directory>(Directory*) (t=0x559329635840, this=<synthetic pointer>) at ../src/util/DeleteDisposer.hxx:41
#16 boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) (disposer=..., this=0x559329630910) at /usr/include/boost/intrusive/list.hpp:754
#17 Directory::~Directory() (this=0x559329630900, this=<optimized out>) at ../src/db/plugins/simple/Directory.cxx:56
#18 0x00005593288aacaf in DeleteDisposer::operator()<Directory>(Directory*) (t=0x559329630900, this=<synthetic pointer>) at ../src/util/DeleteDisposer.hxx:41
#19 boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) (disposer=..., this=0x55932961f7b0) at /usr/include/boost/intrusive/list.hpp:754
#20 Directory::~Directory() (this=0x55932961f7a0, this=<optimized out>) at ../src/db/plugins/simple/Directory.cxx:56
#21 0x00005593288aacaf in DeleteDisposer::operator()<Directory>(Directory*) (t=0x55932961f7a0, this=<synthetic pointer>) at ../src/util/DeleteDisposer.hxx:41
#22 boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) (disposer=..., this=0x5593294d3d00) at /usr/include/boost/intrusive/list.hpp:754
#23 Directory::~Directory() (this=0x5593294d3cf0, this=<optimized out>) at ../src/db/plugins/simple/Directory.cxx:56
#24 0x00005593288aacaf in DeleteDisposer::operator()<Directory>(Directory*) (t=0x5593294d3cf0, this=<synthetic pointer>) at ../src/util/DeleteDisposer.hxx:41
#25 boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) (disposer=..., this=0x5593294672f0) at /usr/include/boost/intrusive/list.hpp:754
#26 Directory::~Directory() (this=0x5593294672e0, this=<optimized out>) at ../src/db/plugins/simple/Directory.cxx:56
#27 0x00005593288aae7f in SimpleDatabase::Close() (this=<optimized out>) at ../src/db/plugins/simple/SimpleDatabasePlugin.cxx:196
#28 0x000055932880a37b in Instance::~Instance() (this=0x7fff235f2d00, this=<optimized out>) at /usr/include/c++/11.1.0/bits/unique_ptr.h:413
#29 0x00005593287f456b in MainConfigured(options const&, ConfigData const&) (options=<optimized out>, raw_config=<optimized out>) at ../src/Main.cxx:564
#30 0x00005593287f4e82 in MainOrThrow(int, char**) (argc=<optimized out>, argv=0x7fff235f4d28) at ../src/Main.cxx:627
#31 0x00005593287ec5b0 in mpd_main(int, char**) (argv=<optimized out>, argc=<optimized out>) at ../src/Main.cxx:635
#32 main(int, char**) (argc=<optimized out>, argv=<optimized out>) at ../src/Main.cxx:649

I interrupted a rescan with ASAN enabled and it reported a heap-use-after-free:

simple_db: removing empty directories from DB
simple_db: sorting DB
simple_db: writing DB
update: finished
=================================================================
==604619==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000098d78 at pc 0x55fa64dbff3b bp 0x7ffca606bb80 sp 0x7ffca606bb70
READ of size 1 at 0x603000098d78 thread T0
    #0 0x55fa64dbff3a in tag_pool_put_item(TagItem*) ../src/tag/Pool.cxx:154
    #1 0x55fa64d9d160 in Tag::Clear() ../src/tag/Tag.cxx:35
    #2 0x55fa65214a88 in Tag::~Tag() ../src/tag/Tag.hxx:73
    #3 0x55fa65214a88 in Song::~Song() ../src/db/plugins/simple/Song.hxx:45
    #4 0x55fa65214a88 in void DeleteDisposer::operator()<Song>(Song*) ../src/util/DeleteDisposer.hxx:41
    #5 0x55fa65214a88 in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Song, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Song::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #6 0x55fa65214a88 in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:55
    #7 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #8 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #9 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #10 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #11 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #12 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #13 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #14 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #15 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #16 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #17 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #18 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #19 0x55fa652524b1 in SimpleDatabase::Close() ../src/db/plugins/simple/SimpleDatabasePlugin.cxx:196
    #20 0x55fa6477a704 in Instance::~Instance() ../src/Instance.cxx:65
    #21 0x55fa6467facf in MainConfigured ../src/Main.cxx:564
    #22 0x55fa6468310d in MainOrThrow ../src/Main.cxx:627
    #23 0x55fa64684c1e in mpd_main(int, char**) ../src/Main.cxx:635
    #24 0x7f364b276b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #25 0x55fa6466f0ad in _start (/usr/bin/mpd+0x1f540ad)

0x603000098d78 is located 8 bytes inside of 20-byte region [0x603000098d70,0x603000098d84)
freed by thread T0 here:
    #0 0x7f3650cd5f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55fa64d9d160 in Tag::Clear() ../src/tag/Tag.cxx:35
    #2 0x55fa65214a88 in Tag::~Tag() ../src/tag/Tag.hxx:73
    #3 0x55fa65214a88 in Song::~Song() ../src/db/plugins/simple/Song.hxx:45
    #4 0x55fa65214a88 in void DeleteDisposer::operator()<Song>(Song*) ../src/util/DeleteDisposer.hxx:41
    #5 0x55fa65214a88 in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Song, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Song::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #6 0x55fa65214a88 in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:55
    #7 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #8 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #9 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #10 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #11 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #12 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #13 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #14 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #15 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #16 0x55fa6521523f in void DeleteDisposer::operator()<Directory>(Directory*) ../src/util/DeleteDisposer.hxx:41
    #17 0x55fa6521523f in void boost::intrusive::list_impl<boost::intrusive::mhtraits<Directory, boost::intrusive::list_member_hook<boost::intrusive::link_mode<(boost::intrusive::link_mode_type)0> >, &Directory::siblings>, unsigned long, false, void>::clear_and_dispose<DeleteDisposer>(DeleteDisposer) /usr/include/boost/intrusive/list.hpp:754
    #18 0x55fa6521523f in Directory::~Directory() ../src/db/plugins/simple/Directory.cxx:56
    #19 0x55fa652524b1 in SimpleDatabase::Close() ../src/db/plugins/simple/SimpleDatabasePlugin.cxx:196
    #20 0x55fa6477a704 in Instance::~Instance() ../src/Instance.cxx:65
    #21 0x55fa6467facf in MainConfigured ../src/Main.cxx:564
    #22 0x55fa6468310d in MainOrThrow ../src/Main.cxx:627
    #23 0x55fa64684c1e in mpd_main(int, char**) ../src/Main.cxx:635
    #24 0x7f364b276b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

previously allocated by thread T0 here:
    #0 0x7f3650cd6279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55fa649d4cf8 in xalloc(unsigned long) ../src/util/Alloc.cxx:39
    #2 0x55fa64dbed6d in TagPoolSlot* NewVarSize<TagPoolSlot, TagPoolSlot*&, TagType&, StringView&>(unsigned long, unsigned long, TagPoolSlot*&, TagType&, StringView&) ../src/util/VarSize.hxx:64
    #3 0x55fa64dbed6d in TagPoolSlot::Create(TagPoolSlot*, TagType, StringView) ../src/tag/Pool.cxx:61
    #4 0x55fa64dbed6d in tag_pool_get_item(TagType, StringView) ../src/tag/Pool.cxx:125
    #5 0x55fa64db2f3f in TagBuilder::AddItemUnchecked(TagType, StringView) ../src/tag/Builder.cxx:192
    #6 0x55fa64db4107 in TagBuilder::AddItemInternal(TagType, StringView) ../src/tag/Builder.cxx:207
    #7 0x55fa64db4107 in TagBuilder::AddItem(TagType, StringView) ../src/tag/Builder.cxx:218
    #8 0x55fa64db4107 in TagBuilder::AddItem(TagType, char const*) ../src/tag/Builder.cxx:229
    #9 0x55fa64891658 in song_load(TextFile&, char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) ../src/SongSave.cxx:108
    #10 0x55fa65474573 in directory_load(TextFile&, Directory&) ../src/db/plugins/simple/DirectorySave.cxx:172
    #11 0x55fa6547542d in directory_load_subdir ../src/db/plugins/simple/DirectorySave.cxx:145
    #12 0x55fa6547542d in directory_load(TextFile&, Directory&) ../src/db/plugins/simple/DirectorySave.cxx:163
    #13 0x55fa6547542d in directory_load_subdir ../src/db/plugins/simple/DirectorySave.cxx:145
    #14 0x55fa6547542d in directory_load(TextFile&, Directory&) ../src/db/plugins/simple/DirectorySave.cxx:163
    #15 0x55fa6547542d in directory_load_subdir ../src/db/plugins/simple/DirectorySave.cxx:145
    #16 0x55fa6547542d in directory_load(TextFile&, Directory&) ../src/db/plugins/simple/DirectorySave.cxx:163
    #17 0x55fa6547542d in directory_load_subdir ../src/db/plugins/simple/DirectorySave.cxx:145
    #18 0x55fa6547542d in directory_load(TextFile&, Directory&) ../src/db/plugins/simple/DirectorySave.cxx:163
    #19 0x55fa654701d7 in db_load_internal(TextFile&, Directory&) ../src/db/plugins/simple/DatabaseSave.cxx:130
    #20 0x55fa6525fdbc in SimpleDatabase::Load() ../src/db/plugins/simple/SimpleDatabasePlugin.cxx:157
    #21 0x55fa6526a064 in SimpleDatabase::Open() ../src/db/plugins/simple/SimpleDatabasePlugin.cxx:177
    #22 0x55fa64680214 in glue_db_init_and_load ../src/Main.cxx:211
    #23 0x55fa64680214 in InitDatabaseAndStorage ../src/Main.cxx:234
    #24 0x55fa64680214 in MainConfigured ../src/Main.cxx:435
    #25 0x55fa6468310d in MainOrThrow ../src/Main.cxx:627
    #26 0x55fa64684c1e in mpd_main(int, char**) ../src/Main.cxx:635
    #27 0x7f364b276b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/tag/Pool.cxx:154 in tag_pool_put_item(TagItem*)
Shadow bytes around the buggy address:
  0x0c068000b150: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
  0x0c068000b160: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c068000b170: fa fa fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c068000b180: fd fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
  0x0c068000b190: fa fa fa fa fa fa fd fd fd fd fa fa fa fa fa fa
=>0x0c068000b1a0: fa fa fd fd fd fd fa fa 00 00 02 fa fa fa fd[fd]
  0x0c068000b1b0: fd fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
  0x0c068000b1c0: fa fa fa fa fa fa fd fd fd fa fa fa fa fa fa fa
  0x0c068000b1d0: fa fa fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c068000b1e0: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fa fa
  0x0c068000b1f0: fa fa fa fa fa fa fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==604619==ABORTING