DeaDBeeF crashes after resuming paused track when FFT size is configured 16384 samples or above

[jieweix]

Here's the backtrace @Oleksiy-Yakovenko got: (https://github.com/DeaDBeeF-Player/deadbeef/issues/2845)

(gdb) bt
#0  __memmove_sse2_unaligned_erms ()
    at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x00007ffff1cf666e in spectrum_wavedata_listener (ctx=0x6aee80, 
    data=0x7fffa40fcbf0) at spectrum.c:133
#2  0x00000000004355aa in ?? ()
#3  0x00007ffff7c31cb7 in _dispatch_call_block_and_release ()
   from /home/waker/Downloads/deadbeef-static_devel-1_x86_64/deadbeef-devel/lib/libdispatch.so.0
#4  0x00007ffff7c32a9d in _dispatch_queue_drain ()
   from /home/waker/Downloads/deadbeef-static_devel-1_x86_64/deadbeef-devel/lib/libdispatch.so.0
#5  0x00007ffff7c33393 in _dispatch_queue_invoke ()
   from /home/waker/Downloads/deadbeef-static_devel-1_x86_64/deadbeef-devel/lib/libdispatch.so.0
#6  0x00007ffff7c33878 in _dispatch_worker_thread ()
   from /home/waker/Downloads/deadbeef-static_devel-1_x86_64/deadbeef-devel/lib/libdispatch.so.0
#7  0x00007ffff7e48609 in start_thread (arg=<optimized out>)
    at pthread_create.c:477
#8  0x00007ffff7957293 in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

and here's my log:

jiewei@jiewei-ROG:~/deadbeef-devel$ ./deadbeef 
starting deadbeef devel [static] [portable]
server_start
We had a crash. Will not resume the saved session to avoid a crash cycle.
searching for GUI plugins in /home/jiewei/.local/lib64/deadbeef
searching for GUI plugins in /home/jiewei/.local/lib/deadbeef
searching for GUI plugins in /home/jiewei/deadbeef-devel/plugins
load_plugin_dir /home/jiewei/deadbeef-devel/plugins: scandir found 57 files
found gui plugin ddb_gui_GTK2.so
added GTK2 gui plugin
found gui plugin ddb_gui_GTK3.so
added GTK3 gui plugin
load gui plugin
checking GUI plugin: GTK2
found selected GUI plugin: GTK2
loading plugin /home/jiewei/deadbeef-devel/plugins/ddb_gui_GTK2.so
loading plugins from /home/jiewei/.local/lib64/deadbeef
loading plugins from /home/jiewei/.local/lib/deadbeef
loading plugins from /home/jiewei/deadbeef-devel/plugins
load_plugin_dir /home/jiewei/deadbeef-devel/plugins: scandir found 57 files
loading plugin /home/jiewei/deadbeef-devel/plugins/aac.so
loading plugin /home/jiewei/deadbeef-devel/plugins/adplug.so
loading plugin /home/jiewei/deadbeef-devel/plugins/alac.so
loading plugin /home/jiewei/deadbeef-devel/plugins/alsa.so
loading plugin /home/jiewei/deadbeef-devel/plugins/artwork.so
loading plugin /home/jiewei/deadbeef-devel/plugins/cdda.so
loading plugin /home/jiewei/deadbeef-devel/plugins/converter.so
loading plugin /home/jiewei/deadbeef-devel/plugins/converter_gtk2.so
loading plugin /home/jiewei/deadbeef-devel/plugins/converter_gtk3.so
loading plugin /home/jiewei/deadbeef-devel/plugins/dca.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ddb_dumb.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ddb_mono2stereo.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ddb_shn.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ddb_soundtouch.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ddb_vis_musical_spectrum_GTK2.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ddb_vis_musical_spectrum_GTK3.so
loading plugin /home/jiewei/deadbeef-devel/plugins/dsp_libsrc.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ffap.so
loading plugin /home/jiewei/deadbeef-devel/plugins/ffmpeg.so
loading plugin /home/jiewei/deadbeef-devel/plugins/flac.so
loading plugin /home/jiewei/deadbeef-devel/plugins/gme.so
loading plugin /home/jiewei/deadbeef-devel/plugins/hotkeys.so
loading plugin /home/jiewei/deadbeef-devel/plugins/in_sc68.so
loading plugin /home/jiewei/deadbeef-devel/plugins/lastfm.so
loading plugin /home/jiewei/deadbeef-devel/plugins/m3u.so
loading plugin /home/jiewei/deadbeef-devel/plugins/mms.so
loading plugin /home/jiewei/deadbeef-devel/plugins/mp3.so
loading plugin /home/jiewei/deadbeef-devel/plugins/musepack.so
loading plugin /home/jiewei/deadbeef-devel/plugins/notify.so
loading plugin /home/jiewei/deadbeef-devel/plugins/nullout.so
loading plugin /home/jiewei/deadbeef-devel/plugins/opus.so
loading plugin /home/jiewei/deadbeef-devel/plugins/oss.so
loading plugin /home/jiewei/deadbeef-devel/plugins/pltbrowser_gtk2.so
loading plugin /home/jiewei/deadbeef-devel/plugins/pltbrowser_gtk3.so
loading plugin /home/jiewei/deadbeef-devel/plugins/psf.so
loading plugin /home/jiewei/deadbeef-devel/plugins/pulse.so
loading plugin /home/jiewei/deadbeef-devel/plugins/rg_scanner.so
loading plugin /home/jiewei/deadbeef-devel/plugins/shellexec.so
loading plugin /home/jiewei/deadbeef-devel/plugins/shellexecui_gtk2.so
loading plugin /home/jiewei/deadbeef-devel/plugins/shellexecui_gtk3.so
loading plugin /home/jiewei/deadbeef-devel/plugins/sid.so
loading plugin /home/jiewei/deadbeef-devel/plugins/sndfile.so
loading plugin /home/jiewei/deadbeef-devel/plugins/supereq.so
loading plugin /home/jiewei/deadbeef-devel/plugins/tta.so
loading plugin /home/jiewei/deadbeef-devel/plugins/vfs_curl.so
loading plugin /home/jiewei/deadbeef-devel/plugins/vfs_zip.so
loading plugin /home/jiewei/deadbeef-devel/plugins/vorbis.so
loading plugin /home/jiewei/deadbeef-devel/plugins/vtx.so
loading plugin /home/jiewei/deadbeef-devel/plugins/wavpack.so
loading plugin /home/jiewei/deadbeef-devel/plugins/wildmidi.so
loading plugin /home/jiewei/deadbeef-devel/plugins/wma.so
starting plugin GTK2 user interface
starting plugin AAC player
starting plugin Adplug player
starting plugin ALAC player
starting plugin ALSA output plugin
starting plugin Album Artwork
starting plugin Audio CD player
starting plugin Converter
starting plugin Converter UI
starting plugin Converter UI
starting plugin dts decoder
starting plugin DUMB module player
starting plugin Mono to stereo
starting plugin Shorten player
starting plugin Soundtouch
starting plugin Musical Spectrum
starting plugin Musical Spectrum
starting plugin Resampler (Secret Rabbit Code)
starting plugin Monkey's Audio (APE) decoder
starting plugin FLAC decoder
starting plugin Game-Music-Emu player
starting plugin Hotkey manager
starting plugin SC68 player (Atari ST SNDH YM2149)
starting plugin last.fm scrobbler
starting plugin M3U and PLS support
starting plugin mms vfs
starting plugin MP3 player
starting plugin MusePack decoder
starting plugin OSD Notify
starting plugin Null output plugin
starting plugin Opus player
starting plugin OSS output plugin
starting plugin Playlist Browser
starting plugin Playlist Browser
starting plugin PSF player using Audio Overload SDK
starting plugin PulseAudio output plugin
starting plugin ReplayGain Scanner
starting plugin Shell commands
starting plugin Shellexec UI
starting plugin Shellexec UI
starting plugin SID player
starting plugin WAV/PCM player
starting plugin SuperEQ
starting plugin tta decoder
starting plugin cURL vfs
starting plugin ZIP vfs
starting plugin Ogg Vorbis decoder
starting plugin VTX player
starting plugin WavPack decoder
starting plugin WildMidi player
starting plugin WMA player
starting plugin stdio vfs
starting plugin FFMPEG audio player
selected output plugin: ALSA output plugin
INFO: from file /home/jiewei/.config/deadbeef/playlists/0.dbpl
INFO: from file /home/jiewei/.config/deadbeef/playlists/1.dbpl
convgui: gtkui plugin not found
shellexecui: can't find gtkui plugin
resume: track 0 pos 21.455290 playlist 1
gtkui plugin compiled for gtk version: 2.16.0
Gtk-Message: 18:15:17.387: Failed to load module "canberra-gtk-module"
connecting button tray signals
Segmentation Fault
backtrace() returned 11 addresses
./deadbeef() [0x41e4c7]
/lib/x86_64-linux-gnu/libc.so.6(+0x43090) [0x7f1467019090]
/lib/x86_64-linux-gnu/libc.so.6(+0xbbd67) [0x7f1467091d67]
/home/jiewei/deadbeef-devel/plugins/ddb_vis_musical_spectrum_GTK2.so(+0x3598e) [0x7f1461b3598e]
./deadbeef() [0x4355aa]
/home/jiewei/deadbeef-devel/lib/libdispatch.so.0(_dispatch_call_block_and_release+0x7) [0x7f14673d2cb7]
/home/jiewei/deadbeef-devel/lib/libdispatch.so.0(_dispatch_queue_drain+0x17d) [0x7f14673d3a9d]
/home/jiewei/deadbeef-devel/lib/libdispatch.so.0(+0x6393) [0x7f14673d4393]
/home/jiewei/deadbeef-devel/lib/libdispatch.so.0(+0x6878) [0x7f14673d4878]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x8609) [0x7f14675e8609]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43) [0x7f14670f5133]

When FFT size is configured 8192 samples or below, it doesn't crash but switches to the next track (if there's a next track; if there's only one track it just continues playing) after resuming a paused track (not always).

[cboxdoerfer]

I can't reproduce it on my system (DeaDBeeF 1.9.1). With resuming a paused track, do you mean simply hitting pause and then play again, or pausing a track, quitting DeaDBeeF (with session restore enabled) and then start playing where it was paused?

[Oleksiy-Yakovenko]

@cboxdoerfer It occurs on latest deadbeef master with the latest musical spectrum widget (binary from the plugins page). FFT size set to 16K. For me it crashes instantly when I press play. Maybe you need to press play a few times.

[jieweix]

I mean simply hitting pause and then play again. Actually it occurs on both 1.9.1 (installed by apt) and the latest master for me, exactly same situation

[cboxdoerfer]

@Oleksiy-Yakovenko, I already tried spamming the play/pause button, but no crash happend. I'll try the nightly builds and spectrum binary from the plugins page next.

I suppose you're both playing usual audio files, like no huge number of channels or something like that?

[jieweix]

Yes, 2-channel, 16-bit, 44.1-kHz FLAC files.

[cboxdoerfer]

Also no crash with DeaDBeeF Nightly build and the plugin from the plugin page. Were the spectrum plugin settings (except for the increased FFT size) modified in any way?

[jieweix]

I disabled Peaks and set Style to Solid instead of Musical.

[cboxdoerfer]

Also no crash with an Ubuntu 22.04 VM. Is the musical spectrum the only third party plugin installed?

[jieweix]

I also have Discord Rich Presence Plugin installed.

[Oleksiy-Yakovenko]

Also no crash with DeaDBeeF Nightly build and the plugin from the plugin page. Were the spectrum plugin settings (except for the increased FFT size) modified in any way?

I deleted the ~/.config/deadbeef folder before reproducing this bug. Maybe I switched between ALSA and Pulse plugins, can't remember.

[cboxdoerfer]

@jieweix, seems unlikely that this plugin could have an effect on this issue. Hm... I'm kind of out of ideas now, in terms of managing to reproduce it. Would you be willing to build the spectrum plugin from source and add some debug output to it, so I can get a better idea what might be going wrong?

[Oleksiy-Yakovenko]

@cboxdoerfer did you set FFT size of the musical spectrum plugin to 16K? strange if it didn't crash for me, it started crashing for me immediately.

[cboxdoerfer]

@cboxdoerfer did you set FFT size of the musical spectrum plugin to 16K? strange if it didn't crash for me, it started crashing for me immediately.

Yes, I tried 16k and 32k.

[cboxdoerfer]

Hm, so my first guess is that this might be a race condition. It's been quite a while since I've worked on this, but I'm kind of surprised why my vis_waveform_listen callback for the spectrum (https://github.com/cboxdoerfer/ddb_musical_spectrum/blob/master/spectrum.c#L123) has no mutex locking — it seems it should have.

[jieweix]

@Oleksiy-Yakovenko reminded me of different output plugins, namely PulseAudio and ALSA. I switched from ALSA to PulseAudio in preferences and the problem seemed to never occur again, and even the scratching sound and break disappeared.

[cboxdoerfer]

@jieweix yes indeed, with the ALSA plugin I can reproduce it in a VM, but not on my main system (might be because the ALSA backend is provided by pipewire there).

[cboxdoerfer]

@Oleksiy-Yakovenko @jieweix I think I've found the bug. It's seems to be that the plugin is fine and there's an issue within DeaDBeeF — I can trigger the same bug with the built-in scope visualizer.

The problem seems to be that under certain circumstances data in ddb_audio_data_t, which gets passed to the visualizers (https://github.com/DeaDBeeF-Player/deadbeef/blob/master/viz.c#L192), is too small for the reported nframes (or vice versa, nframes should be smaller to not exceed the size of data).

Here's the state of the parameters at the time of a crash in viz_process: data_size: 65536, fft_size: 4096, wave_size/nframes: 16383

So the scope and spectrum plugins see that there are supposedly 16383 frames and consequently think that data must at least be 16383 * num_channels * sizeof(float) large, i.e. 131064 bytes with 2 channels, when in fact it's only 65536 bytes. Hence the segfault when the plugins use memcpy on data: https://github.com/DeaDBeeF-Player/deadbeef/blob/master/scope/scope.c#L81

[Oleksiy-Yakovenko]

@cboxdoerfer thanks for digging into this. What circumstances do I need to create in order to trigger the bug?

[cboxdoerfer]

@Oleksiy-Yakovenko Basically the same I had to do to reproduce the crash with the spectrum plugin: have the scope/oscilloscope in the layout, use the ALSA output plugin, use a VM and hit play/pause a few times. Since you were able to trigger the crash with the musical spectrum plugin more easily on your PC, you probably just have to replace the spectrum with the scope and hit play/pause.

[cboxdoerfer]

The scope visualization also sometimes produces lots of visual noise on play/pause in the cases it doesn't crash:

That maybe comes from copying and visualizing those random memory regions outside of data.

Edit: I also have more luck to trigger the segfault right after starting DeaDBeeF.

[Oleksiy-Yakovenko]

ok.. this bug has been reported to me a few months ago, but I was never able to reproduce it. anyway, I guess if I can trigger it with musical spectrum -- I'll be able to figure out what's going onw.

[Oleksiy-Yakovenko]

I'll reopen the issue in deadbeef tracker, this one can be closed.

[cboxdoerfer]

Ok, thx.