PortAudio / portaudio

PortAudio is a cross-platform, open-source C language library for real-time audio input and output.

Memory Corruption in Pa_StopStream #842

Closed Memotech-Bill closed 7 months ago

Memotech-Bill commented 10 months ago

Describe the bug: Program abort with the message "memory clobbered before allocated block"

To Reproduce: Call Pa_StopStream

Expected behavior: Subroutine return

Actual behavior: GDB transcript:

Thread 1 "memu-x" hit Breakpoint 1, snd_term () at /home/pi/pico/MEMU2/src/memu/snd.c:400
400         if ( snd_emu & SNDEMU_PORTAUDIO )
(gdb) info threads
  Id   Target Id                             Frame 
* 1    Thread 0xf7fe6040 (LWP 1013) "memu-x" snd_term () at /home/pi/pico/MEMU2/src/memu/snd.c:400
  3    Thread 0xf76ec440 (LWP 1017) "memu-x" __GI___poll (timeout=12, nfds=1, fds=0x243bc8) at ../sysdeps/unix/sysv/linux/poll.c:29
(gdb) thread 3
[Switching to thread 3 (Thread 0xf76ec440 (LWP 1017))]
#0  __GI___poll (timeout=12, nfds=1, fds=0x243bc8) at ../sysdeps/unix/sysv/linux/poll.c:29
29  ../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
(gdb) bt
#0  __GI___poll (timeout=12, nfds=1, fds=0x243bc8) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  __GI___poll (fds=0x243bc8, nfds=1, timeout=12) at ../sysdeps/unix/sysv/linux/poll.c:26
#2  0xf7f6ced0 in ?? () from /lib/arm-linux-gnueabihf/libportaudio.so.2
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) thread 1
[Switching to thread 1 (Thread 0xf7fe6040 (LWP 1013))]
#0  snd_term () at /home/pi/pico/MEMU2/src/memu/snd.c:400
400         if ( snd_emu & SNDEMU_PORTAUDIO )
(gdb) s
406             Pa_StopStream(snd_paStream);
(gdb) x/12xw 0xf6b00458
0xf6b00458: Cannot access memory at address 0xf6b00458
(gdb) s
memory clobbered before allocated block

Thread 3 "memu-x" received signal SIGABRT, Aborted.
[Switching to Thread 0xf76ec440 (LWP 1017)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0xf7c8c364 in __GI_abort () at abort.c:79
#2  0xf7cde654 in __libc_message (action=action@entry=do_abort, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:155
#3  0xf7cde69c in __GI___libc_fatal (message=0xf7da9a14 "memory clobbered before allocated block\n") at ../sysdeps/posix/libc_fatal.c:164
#4  0xf7cecbec in mabort (status=<optimized out>) at mcheck.c:360
#5  0xf7cecce4 in checkhdr (hdr=hdr@entry=0xf6b00458) at mcheck.c:111
#6  0xf7ced120 in checkhdr (hdr=0xf6b00458) at mcheck.c:86
#7  freehook (ptr=0xf6b00470, caller=0xf7dac998) at mcheck.c:184
#8  0xf7ceb668 in tcache_thread_shutdown () at malloc.c:2968
#9  __malloc_arena_thread_freeres () at arena.c:951
#10 0xf7ceefb0 in __libc_thread_freeres () at thread-freeres.c:38
#11 0xf7b40324 in start_thread (arg=0xf76ec440) at pthread_create.c:491
#12 0xf7d50da8 in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:73 from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/12xw 0xf6b00458
0xf6b00458: 0x00000000  0x00000001  0x00021000  0x00021000
0xf6b00468: 0x00000000  0x0000018d  0x00000000  0x00000000
0xf6b00478: 0x00000000  0x00000000  0x00000000  0x00000000
(gdb) thread 1
[Switching to thread 1 (Thread 0xf7fe6040 (LWP 1013))]
#0  __pthread_clockjoin_ex (threadid=4151231552, thread_return=0xfffdeef0, clockid=clockid@entry=0, abstime=abstime@entry=0x0, 
    block=block@entry=true) at pthread_join_common.c:145
145 pthread_join_common.c: No such file or directory.
(gdb) bt
#0  __pthread_clockjoin_ex (threadid=4151231552, thread_return=0xfffdeef0, clockid=clockid@entry=0, abstime=abstime@entry=0x0, 
    block=block@entry=true) at pthread_join_common.c:145
#1  0xf7b417ac in __pthread_join (threadid=<optimized out>, thread_return=<optimized out>) at pthread_join.c:24
#2  0xf7f7872c in ?? () from /lib/arm-linux-gnueabihf/libportaudio.so.2
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

On stepping into Pa_StopStream, the program terminates with SIGABRT after outputting the error message "memory clobbered before allocated block".

Looking at the backtrace, there is #6 0xf7ced120 in checkhdr (hdr=0xf6b00458) at mcheck.c:86.

A copy of mcheck.c can be found here.

From this, hdr=0xf6b00458 should point to a struct hdr.

However, the contents of the memory at that location after the SIGABRT are clearly not what would be expected for that structure.

Note that prior to stepping into Pa_StopStream, that memory location is not even mapped into the process, so it cannot be my code that is responsible for the corruption.

Desktop (please complete the following information): Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux

portaudio19-dev/oldstable,now 19.6.0-1.1 armhf [installed] Portable audio I/O - development files

philburk commented 9 months ago

@Memotech-Bill - Thanks for reporting this.

Is the crash reproducible?

that memory location is not even mapped into the process, so it cannot be my code

Is it possible that the pointer to that memory location was corrupted and that pointer is in your process?

I will try to reproduce this on an RPi running a 64-bit Raspbian.

philburk commented 7 months ago

I have been using PortAudio on Raspbian 64-bit and have not seen this crash.

Close as not reproducible.