Crash with shout output with empty play queue

[s1shed]

Bug report

Describe the bug

Crash when using the shout output. The key part seems to be starting with an empty play queue. Adding tracks when there's a non-empty queue will not cause a crash.

I only see the crash with the shout output directed to an Icecast srever. I don't see crashes when the shout output is not enabled.

Expected Behavior

With an empty play queue, adding tracks and starting playback won't lead to a crash.

Actual Behavior

Crash when starting playback after adding tracks to an empty play queue..

I can reliably reproduce a crash by doing the following with the shout output enabled:

• Selecting Cantata's Play Now (And Replace Play Queue) option
• Selecting GMPC's Replace option
• Clearing the playlist, adding tracks, and starting playback

Version

I first saw the problem in Debian Unstable's 0.21.22-1+b1 but it's also reproducible in 0.21.25, as shown below.

Music Player Daemon 0.21.25 (0.21.25)
Copyright 2003-2007 Warren Dukes <warren.dukes@gmail.com>
Copyright 2008-2018 Max Kellermann <max.kellermann@gmail.com>
This is free software; see the source for copying conditions.  There is NO
warranty; not even MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Database plugins:
 simple proxy upnp

Storage plugins:
 local smbclient udisks nfs curl

Neighbor plugins:
 smbclient upnp udisks

Decoders plugins:
 [mad] mp3 mp2
 [mpg123] mp3
 [vorbis] ogg oga
 [oggflac] ogg oga
 [flac] flac
 [opus] opus ogg oga
 [sndfile] wav aiff aif au snd paf iff svx sf voc w64 pvf xi htk caf sd2
 [audiofile] wav au aiff aif
 [dsdiff] dff
 [dsf] dsf
 [hybrid_dsd] m4a
 [faad] aac
 [mpcdec] mpc
 [wavpack] wv
 [modplug] 669 amf ams dbm dfm dsm far it med mdl mod mtm mt2 okt s3m stm ult umx xm
 [mikmod] amf dsm far gdm imf it med mod mtm s3m stm stx ult uni xm
 [sidplay] sid mus str prg P00
 [wildmidi] mid
 [fluidsynth] mid
 [adplug] amd d00 hsc laa rad raw sa2
 [ffmpeg] 16sv 3g2 3gp 4xm 8svx aa3 aac ac3 adx afc aif aifc aiff al alaw amr anim apc ape asf atrac au aud avi avm2 avs bap bfi c93 cak cin cmv cpk daud dct divx dts dv dvd dxa eac3 film flac flc fli fll flx flv g726 gsm gxf iss m1v m2v m2t m2ts m4a m4b m4v mad mj2 mjpeg mjpg mka mkv mlp mm mmf mov mp+ mp1 mp2 mp3 mp4 mpc mpeg mpg mpga mpp mpu mve mvi mxf nc nsv nut nuv oga ogm ogv ogx oma ogg omg opus psp pva qcp qt r3d ra ram rl2 rm rmvb roq rpl rvc shn smk snd sol son spx str swf tak tgi tgq tgv thp ts tsp tta xa xvid uv uv2 vb vid vob voc vp6 vmd wav webm wma wmv wsaud wsvga wv wve
 [gme] ay gbs gym hes kss nsf nsfe sap spc vgm vgz
 [pcm]

Filters:
 libsamplerate soxr

Tag plugins:
 id3tag

Output plugins:
 shout null fifo sndio pipe alsa ao oss openal pulse jack httpd recorder

Encoder plugins:
 null vorbis opus lame wave flac

Archive plugins:
 [bz2] bz2
 [zzip] zip
 [iso] iso

Input plugins:
 file archive alsa tidal qobuz curl ffmpeg smbclient nfs mms cdio_paranoia

Playlist plugins:
 extm3u m3u pls xspf asx rss soundcloud flac cue embcue

Protocols:
 file:// alsa:// tidal:// qobuz:// http:// https:// gopher:// rtp:// rtsp:// rtmp:// rtmpt:// rtmps:// smb:// nfs:// mms:// mmsh:// mmst:// mmsu:// cdda://

Other features:
 avahi dbus udisks epoll icu inotify ipv6 systemd tcp un

Log

Jul 09 11:56 : client: [0] process command "find artist "John Zorn" album "Baphomet""
Jul 09 11:56 : client: [0] command returned 0
Jul 09 11:56 : client: [0] process command list
Jul 09 11:56 : client: process command "add "N-Z/Zorn, John/2020 Baphomet/01 Baphomet.ogg""
Jul 09 11:56 : client: command returned 0
Jul 09 11:56 : client: [0] process command list returned 0
Jul 09 11:56 : client: [0] process command "status"
Jul 09 11:56 : client: [0] command returned 0
Jul 09 11:56 : client: [0] process command "idle"
Jul 09 11:56 : client: [0] command returned 1
Jul 09 11:56 : client: [0] process command "playid "-1""
Jul 09 11:56 : playlist: play 0:"N-Z/Zorn, John/2020 Baphomet/01 Baphomet.ogg"
Jul 09 11:56 : decoder_thread: probing plugin vorbis
Jul 09 11:56 : decoder: audio_format=44100:f:2, seekable=true
Jul 09 11:56 : client: [0] command returned 0
Jul 09 11:56 : client: [0] process command "status"

Thread 6 "output:My Shout" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe2ffd700 (LWP 769470)]
0x00007ffff2c6ccac in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff2c6ccac in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff51e3727 in ?? () from /usr/lib/x86_64-linux-gnu/libshout.so.3
#2  0x0000555555615e5b in EncoderToShout (buffer_size=32768, buffer=0x55555a83339c "OggS", encoder=..., shout_conn=0x55555a83b3b0) at ../src/output/plugins/ShoutOutputPlugin.cxx:256
#3  ShoutOutput::WritePage (this=0x55555a833370) at ../src/output/plugins/ShoutOutputPlugin.cxx:266
#4  0x000055555561629d in ShoutOutput::Open (this=0x55555a833370, audio_format=...) at ../src/output/plugins/ShoutOutputPlugin.cxx:319
#5  0x000055555560665f in FilteredAudioOutput::OpenOutputAndConvert (this=0x555555797ce0, desired_audio_format=...) at /usr/include/c++/9/bits/unique_ptr.h:360
#6  0x000055555560742e in AudioOutputControl::InternalOpen2 (in_audio_format=..., this=0x55555a83ba50) at /usr/include/c++/9/bits/unique_ptr.h:360
#7  AudioOutputControl::InternalOpen (this=this@entry=0x55555a83ba50, in_audio_format=..., pipe=...) at ../src/output/Thread.cxx:154
#8  0x0000555555607b6e in AudioOutputControl::Task (this=0x55555a83ba50) at ../src/output/Thread.cxx:434
#9  0x00005555555d6583 in BoundMethod<void ()>::operator()() const (this=0x55555a83baf8, this=0x55555a83baf8) at ../src/util/BindMethod.hxx:76
#10 Thread::Run (this=0x55555a83baf8) at ../src/thread/Thread.cxx:63
#11 Thread::ThreadProc (ctx=0x55555a83baf8) at ../src/thread/Thread.cxx:92
#12 0x00007ffff2cfaf27 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#13 0x00007ffff2c2c31f in clone () from /lib/x86_64-linux-gnu/libc.so.6

[MaxKellermann]

Can you install the dbgsym packages for libc6 and libshout as well? The crash happens inside those libraries, not in MPD - and without debug symbols, I can't see if it's MPD's fault, after all.

[s1shed]

Sorry about that (and thanks for the gentle nudging).

New backtrace:

#0  __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:2021
#1  0x00007ffff51e3727 in memcpy (__len=58, __src=0x55555a83339c, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2  send_ogg (self=0x55555a83b3b0, data=0x55555a83339c "OggS", len=58) at format_ogg.c:95
#3  0x0000555555615e5b in EncoderToShout (buffer_size=32768, buffer=0x55555a83339c "OggS", encoder=..., shout_conn=0x55555a83b3b0) at ../src/output/plugins/ShoutOutputPlugin.cxx:256
#4  ShoutOutput::WritePage (this=0x55555a833370) at ../src/output/plugins/ShoutOutputPlugin.cxx:266
#5  0x000055555561629d in ShoutOutput::Open (this=0x55555a833370, audio_format=...) at ../src/output/plugins/ShoutOutputPlugin.cxx:319
#6  0x000055555560665f in FilteredAudioOutput::OpenOutputAndConvert (this=0x555555797ce0, desired_audio_format=...) at /usr/include/c++/9/bits/unique_ptr.h:360
#7  0x000055555560742e in AudioOutputControl::InternalOpen2 (in_audio_format=..., this=0x55555a83ba50) at /usr/include/c++/9/bits/unique_ptr.h:360
#8  AudioOutputControl::InternalOpen (this=this@entry=0x55555a83ba50, in_audio_format=..., pipe=...) at ../src/output/Thread.cxx:154
#9  0x0000555555607b6e in AudioOutputControl::Task (this=0x55555a83ba50) at ../src/output/Thread.cxx:434
#10 0x00005555555d6583 in BoundMethod<void ()>::operator()() const (this=0x55555a83baf8, this=0x55555a83baf8) at ../src/util/BindMethod.hxx:76
#11 Thread::Run (this=0x55555a83baf8) at ../src/thread/Thread.cxx:63
#12 Thread::ThreadProc (ctx=0x55555a83baf8) at ../src/thread/Thread.cxx:92
#13 0x00007ffff2cfaf27 in start_thread (arg=<optimized out>) at pthread_create.c:479
#14 0x00007ffff2c2c31f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

[MaxKellermann]

I cannot reproduce the problem. Your backtrace looks like it's a libshout bug. Which libshout version are you using?

[s1shed]

When I opened this issue I was using the version from Debian Unstable (2.4.3-1). After reading your comment I tried downgrading to 2.4.1-2 in Debian stable. I cannot reproduce the crash with this version.

I guess I'm hitting https://gitlab.xiph.org/xiph/icecast-libshout/-/issues/2312 which was also reported at https://github.com/MusicPlayerDaemon/MPD/issues/622

Apologies for wasting time by reporting something that's already known. :(