dhewm / dhewm3

dhewm 3 main repository
https://dhewm3.org/
GNU General Public License v3.0

segfault in ogg_page_serialno () #104

Closed reactorcoremeltdown closed 9 years ago

reactorcoremeltdown commented 9 years ago
Starting program: /home/buckstabu/dev/dhewm3/build/dhewm3 +set r_fullscreen 0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffed594700 (LWP 23492)]
[New Thread 0x7fffea4cf700 (LWP 23503)]
[New Thread 0x7fffe9cce700 (LWP 23504)]
[Thread 0x7fffe9cce700 (LWP 23504) exited]
[New Thread 0x7fffe9cce700 (LWP 23505)]
[Thread 0x7fffe9cce700 (LWP 23505) exited]
[New Thread 0x7fffe9cce700 (LWP 23506)]
[New Thread 0x7ffff7f9b700 (LWP 23507)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7979c03 in ogg_page_serialno () from /usr/lib/x86_64-linux-gnu/libogg.so.0
#0  0x00007ffff7979c03 in ogg_page_serialno () from /usr/lib/x86_64-linux-gnu/libogg.so.0
#1  0x00007ffff7773b1d in ov_pcm_seek_page () from /usr/lib/x86_64-linux-gnu/libvorbisfile.so.3
#2  0x00007ffff7773d7c in ov_pcm_seek () from /usr/lib/x86_64-linux-gnu/libvorbisfile.so.3
#3  0x00000000005ed180 in idSampleDecoderLocal::DecodeOGG (this=this@entry=0xe990f70, sample=sample@entry=0xc82d180, sampleOffset44k=sampleOffset44k@entry=4096, 
    sampleCount44k=sampleCount44k@entry=400, dest=dest@entry=0x7fffffffd530) at /home/buckstabu/dev/dhewm3/neo/sound/snd_decoder.cpp:540
#4  0x00000000005ed424 in idSampleDecoderLocal::Decode (this=0xe990f70, sample=0xc82d180, sampleOffset44k=4096, sampleCount44k=400, dest=0x7fffffffd530)
    at /home/buckstabu/dev/dhewm3/neo/sound/snd_decoder.cpp:451
#5  0x00000000005f31af in idSoundChannel::GatherChannelSamples (this=0xe976a00, sampleOffset44k=<optimized out>, sampleCount44k=<optimized out>, dest=<optimized out>)
    at /home/buckstabu/dev/dhewm3/neo/sound/snd_emitter.cpp:289
#6  0x00000000005fa10c in idSoundWorldLocal::FindAmplitude (sound=sound@entry=0xe9769a0, localTime=1007616, listenerPosition=listenerPosition@entry=0x0, 
    channel=channel@entry=0, shakesOnly=shakesOnly@entry=false, this=<optimized out>) at /home/buckstabu/dev/dhewm3/neo/sound/snd_world.cpp:2071
#7  0x00000000005ff41a in idSoundWorldLocal::FindAmplitude (this=<optimized out>, sound=sound@entry=0xe9769a0, localTime=<optimized out>, 
    listenerPosition=listenerPosition@entry=0x0, channel=channel@entry=0, shakesOnly=shakesOnly@entry=false) at /home/buckstabu/dev/dhewm3/neo/sound/snd_world.cpp:1973
#8  0x00000000005f1c9b in idSoundEmitterLocal::CurrentAmplitude (this=0xe9769a0) at /home/buckstabu/dev/dhewm3/neo/sound/snd_emitter.cpp:1063
#9  0x000000000043ff33 in idMaterial::EvaluateRegisters (this=this@entry=0xc845990, registers=registers@entry=0x68970a4, shaderParms=shaderParms@entry=0xfbdc300, 
    view=<optimized out>, soundEmitter=0xe9769a0) at /home/buckstabu/dev/dhewm3/neo/renderer/Material.cpp:2460
#10 0x00000000004a13cc in R_AddLightSurfaces () at /home/buckstabu/dev/dhewm3/neo/renderer/tr_light.cpp:913
#11 0x00000000004a8139 in R_RenderView (parms=0x7fffffffd290, parms@entry=0x6891de4) at /home/buckstabu/dev/dhewm3/neo/renderer/tr_main.cpp:1134
#12 0x0000000000484e26 in idRenderWorldLocal::RenderScene (this=0x6eedb30, renderView=0x7fffffffe7e0) at /home/buckstabu/dev/dhewm3/neo/renderer/RenderWorld.cpp:758
#13 0x00007fffdf597611 in idPlayerView::SingleView (this=0x7fffffffd290, hud=0xc74bd9c, view=0x3f80000000000000)
    at /home/buckstabu/dev/dhewm3/neo/game/PlayerView.cpp:455
#14 0x00007fffdf5986d5 in idPlayerView::RenderPlayerView (this=0x6edcb4c, hud=0xea19120) at /home/buckstabu/dev/dhewm3/neo/game/PlayerView.cpp:717
#15 0x00007fffdf51a122 in idGameLocal::Draw (this=<optimized out>, clientNum=<optimized out>) at /home/buckstabu/dev/dhewm3/neo/game/Game_local.cpp:2454
#16 0x000000000053b662 in idSessionLocal::Draw (this=0xdbca80 <sessLocal>) at /home/buckstabu/dev/dhewm3/neo/framework/Session.cpp:2407
#17 0x000000000053cf1a in idSessionLocal::UpdateScreen (this=0xdbca80 <sessLocal>, outOfSequence=<optimized out>)
    at /home/buckstabu/dev/dhewm3/neo/framework/Session.cpp:2495
#18 0x00000000004dc9cc in idCommonLocal::Frame (this=0xd454c0 <commonLocal>) at /home/buckstabu/dev/dhewm3/neo/framework/Common.cpp:2393
#19 0x0000000000411cfd in main (argc=4, argv=<optimized out>) at /home/buckstabu/dev/dhewm3/neo/sys/linux/main.cpp:298
DanielGibson commented 9 years ago

can you provide more information?

reactorcoremeltdown commented 9 years ago
  1. During first level, at Departure Lounge
  2. Linux nb-crunchbang 3.16-3-amd64 #1 SMP Debian 3.16.5-1 (2014-10-10) x86_64 GNU/Linux
    • libogg0:amd64 1.3.2-1
    • libvorbis0a:amd64 1.3.4-2
bk138 commented 9 years ago

Same here:

Program received signal SIGSEGV, Segmentation fault.
0x00007f8e37aa8c03 in ogg_page_serialno ()
   from /usr/lib/x86_64-linux-gnu/libogg.so.0
(gdb) bt
#0  0x00007f8e37aa8c03 in ogg_page_serialno ()
   from /usr/lib/x86_64-linux-gnu/libogg.so.0
#1  0x00007f8e378a2b1d in ov_pcm_seek_page ()
   from /usr/lib/x86_64-linux-gnu/libvorbisfile.so.3
#2  0x00007f8e378a2d7c in ov_pcm_seek ()
   from /usr/lib/x86_64-linux-gnu/libvorbisfile.so.3
#3  0x00000000005ed050 in idSampleDecoderLocal::DecodeOGG (
    this=this@entry=0x6d22fe0, sample=sample@entry=0x60a5470, 
    sampleOffset44k=sampleOffset44k@entry=8192, 
    sampleCount44k=sampleCount44k@entry=512, dest=dest@entry=0x7fffe9f84a50)
    at /tmp/dhewm3/neo/sound/snd_decoder.cpp:540
#4  0x00000000005ed2f4 in idSampleDecoderLocal::Decode (this=0x6d22fe0, 
    sample=0x60a5470, sampleOffset44k=8192, sampleCount44k=512, 
    dest=0x7fffe9f84a50) at /tmp/dhewm3/neo/sound/snd_decoder.cpp:451
#5  0x00000000005f307f in idSoundChannel::GatherChannelSamples (
    this=0x6ced040, sampleOffset44k=<optimized out>, 
    sampleCount44k=<optimized out>, dest=<optimized out>)
    at /tmp/dhewm3/neo/sound/snd_emitter.cpp:289
#6  0x00000000005f9fdc in idSoundWorldLocal::FindAmplitude (
    sound=sound@entry=0x6cecfe0, localTime=5771264, 
    listenerPosition=listenerPosition@entry=0x0, channel=channel@entry=0, 
    shakesOnly=shakesOnly@entry=false, this=<optimized out>)
    at /tmp/dhewm3/neo/sound/snd_world.cpp:2071
#7  0x00000000005ff2ea in idSoundWorldLocal::FindAmplitude (
    this=<optimized out>, sound=sound@entry=0x6cecfe0, 
    localTime=<optimized out>, listenerPosition=listenerPosition@entry=0x0, 
    channel=channel@entry=0, shakesOnly=shakesOnly@entry=false)
    at /tmp/dhewm3/neo/sound/snd_world.cpp:1973
#8  0x00000000005f1b6b in idSoundEmitterLocal::CurrentAmplitude (
    this=0x6cecfe0) at /tmp/dhewm3/neo/sound/snd_emitter.cpp:1063
#9  0x000000000043fdf3 in idMaterial::EvaluateRegisters (
    this=this@entry=0xae1c560, registers=registers@entry=0x50c6844, 
    shaderParms=shaderParms@entry=0xae52940, view=<optimized out>, 
    soundEmitter=0x6cecfe0) at /tmp/dhewm3/neo/renderer/Material.cpp:2460
#10 0x00000000004a128c in R_AddLightSurfaces ()
    at /tmp/dhewm3/neo/renderer/tr_light.cpp:913
#11 0x00000000004a7ff9 in R_RenderView (parms=0x7fffe9f847b0, 
    parms@entry=0x50bce54) at /tmp/dhewm3/neo/renderer/tr_main.cpp:1134
#12 0x0000000000484ce6 in idRenderWorldLocal::RenderScene (this=0x5711680, 
    renderView=0x1535f08 <sessLocal+7839624>)
    at /tmp/dhewm3/neo/renderer/RenderWorld.cpp:758
#13 0x000000000053b38d in idSessionLocal::Draw (this=0xdbbf80 <sessLocal>)
    at /tmp/dhewm3/neo/framework/Session.cpp:2399
#14 0x000000000053cdea in idSessionLocal::UpdateScreen (
    this=0xdbbf80 <sessLocal>, outOfSequence=<optimized out>)
    at /tmp/dhewm3/neo/framework/Session.cpp:2495
#15 0x00000000004dc88c in idCommonLocal::Frame (this=0xd449c0 <commonLocal>)
    at /tmp/dhewm3/neo/framework/Common.cpp:2393
#16 0x0000000000411bbd in main (argc=2, argv=<optimized out>)
    at /tmp/dhewm3/neo/sys/linux/main.cpp:298

can be reproduced by

timedemo demo1

libogg 1.3.2, libvorbis 1.3.4, running debian jessie, amd64. Note that the crash did not occur on wheezy, which has libogg 1.3.0, libvorbis 1.3.2.

DanielGibson commented 9 years ago

oh awesome.. and I'm still on wheezy. :hurtrealbad:

Thanks for the additional information anyway, will look into that later this week, hopefully.

Of course I'd also be glad about a pull-request with a fix ;-)

bk138 commented 9 years ago

I can try and downgrade the libs to see which one it is...

bk138 commented 9 years ago

Same crash and backtrace with libogg-1.3.0:

Program received signal SIGSEGV, Segmentation fault.
0x00007f5d16f44e03 in ogg_page_serialno ()
   from /usr/lib/x86_64-linux-gnu/libogg.so.0
(gdb) bt
#0  0x00007f5d16f44e03 in ogg_page_serialno ()
   from /usr/lib/x86_64-linux-gnu/libogg.so.0
#1  0x00007f5d16d3eb1d in ov_pcm_seek_page ()
   from /usr/lib/x86_64-linux-gnu/libvorbisfile.so.3
#2  0x00007f5d16d3ed7c in ov_pcm_seek ()
   from /usr/lib/x86_64-linux-gnu/libvorbisfile.so.3
#3  0x00000000005ed050 in idSampleDecoderLocal::DecodeOGG (
    this=this@entry=0x6ef4b60, sample=sample@entry=0x61bc3d0, 
    sampleOffset44k=sampleOffset44k@entry=39230, 
    sampleCount44k=sampleCount44k@entry=512, dest=dest@entry=0x7fff375b0d60)
    at /tmp/dhewm3/neo/sound/snd_decoder.cpp:540
#4  0x00000000005ed2f4 in idSampleDecoderLocal::Decode (this=0x6ef4b60, 
    sample=0x61bc3d0, sampleOffset44k=39230, sampleCount44k=512, 
    dest=0x7fff375b0d60) at /tmp/dhewm3/neo/sound/snd_decoder.cpp:451
#5  0x00000000005f2fd6 in idSoundChannel::GatherChannelSamples (
    this=0x6f49e80, sampleOffset44k=39230, sampleCount44k=<optimized out>, 
    dest=<optimized out>) at /tmp/dhewm3/neo/sound/snd_emitter.cpp:323
#6  0x00000000005f9fdc in idSoundWorldLocal::FindAmplitude (
    sound=sound@entry=0x6f49e20, localTime=3801088, 
    listenerPosition=listenerPosition@entry=0x0, channel=channel@entry=0, 
    shakesOnly=shakesOnly@entry=false, this=<optimized out>)
    at /tmp/dhewm3/neo/sound/snd_world.cpp:2071
#7  0x00000000005ff2ea in idSoundWorldLocal::FindAmplitude (
    this=<optimized out>, sound=sound@entry=0x6f49e20, 
    localTime=<optimized out>, listenerPosition=listenerPosition@entry=0x0, 
    channel=channel@entry=0, shakesOnly=shakesOnly@entry=false)
    at /tmp/dhewm3/neo/sound/snd_world.cpp:1973
#8  0x00000000005f1b6b in idSoundEmitterLocal::CurrentAmplitude (
    this=0x6f49e20) at /tmp/dhewm3/neo/sound/snd_emitter.cpp:1063
#9  0x000000000043fdf3 in idMaterial::EvaluateRegisters (
    this=this@entry=0x9e9ed10, registers=registers@entry=0x5370794, 
    shaderParms=shaderParms@entry=0xa4dff10, view=<optimized out>, 
    soundEmitter=0x6f49e20) at /tmp/dhewm3/neo/renderer/Material.cpp:2460
#10 0x00000000004a128c in R_AddLightSurfaces ()
    at /tmp/dhewm3/neo/renderer/tr_light.cpp:913
#11 0x00000000004a7ff9 in R_RenderView (parms=0x7fff375b0ac0, 
    parms@entry=0x536ee14) at /tmp/dhewm3/neo/renderer/tr_main.cpp:1134
#12 0x0000000000484ce6 in idRenderWorldLocal::RenderScene (this=0x59c2e30, 
    renderView=0x1535f08 <sessLocal+7839624>)
    at /tmp/dhewm3/neo/renderer/RenderWorld.cpp:758
#13 0x000000000053b38d in idSessionLocal::Draw (this=0xdbbf80 <sessLocal>)
    at /tmp/dhewm3/neo/framework/Session.cpp:2399
#14 0x000000000053cdea in idSessionLocal::UpdateScreen (
    this=0xdbbf80 <sessLocal>, outOfSequence=<optimized out>)
    at /tmp/dhewm3/neo/framework/Session.cpp:2495
#15 0x00000000004dc88c in idCommonLocal::Frame (this=0xd449c0 <commonLocal>)
    at /tmp/dhewm3/neo/framework/Common.cpp:2393
#16 0x0000000000411bbd in main (argc=1, argv=<optimized out>)
    at /tmp/dhewm3/neo/sys/linux/main.cpp:298
bk138 commented 9 years ago

Baam, with libvorbisfile 1.3.2 timedemo runs through, libogg at up-to-date 1.3.2.

DanielGibson commented 9 years ago

I installed Linux Mint 17.1 on my PC and can't reproduce the issue. libogg0: 1.3.1-1ubuntu1 libvorbis0a: 1.3.2-1.3ubuntu1 libvorbisfile3: 1.3.2-1.3ubuntu1

but this seems to be consistent with your observations. What version of libvorbisfile did cause the trouble?

And was it libvorbisfile or libvorbis? (i.e. does libvorbisfile 1.3.4 work for you, or did you use 1.3.2 of that as well?)

DanielGibson commented 9 years ago

I downloaded libvorbis 1.3.4 and built it myself (so I ended up with both libvorbis and libvorbisfile at 1.3.4) => still couldn't reproduce.

I downloaded the libvorbis0a and libvorbisfile3 packages from Debian jessie, unpacked them and made the game use them via LD_LIBRARY_PATH => BAMM! Furthermore, I narrowed it down to libvorbisfile3 - using Debian's libvorbisfile makes the game crash, using Debian's libvorbis0a doesn't.

So it's probably something with their patches or maybe build options/compiler/... I don't really feel like debugging that - can you file a bug at debian's bugtracker?

DanielGibson commented 9 years ago

Ok, one additional piece of information: I actually built a libvorbis 1.3.4-2 Debian package (using the sources from https://packages.debian.org/source/jessie/libvorbis) - just to make sure the same build flags etc. are used. However, the resulting library still doesn't crash. Hints towards a compiler bug in whatever compiler Debian used to create that package. (But of course it could still be that debhelper or whatever sets different defaults on my system than on their build system or whatever.) Compiler used here: gcc-4.8 4.8.2-19ubuntu1 from Ubuntu 14.04 (trusty)

Information for others to reproduce:
Start game, pass the security scan, the next room is the "Departure Lounge" (it makes sense to quicksave when entering that room for faster later reproduction). There is a display (opposite to the door used to first enter the room) showing a video telling you what UAC does to make your life on Mars safe and awesome. Around "Goal number one is the safety and wellbeing of all ..." it usually segfaults (with debian's libvorbisfile.so.3).

If you're running in gdb, it makes sense to disable mousegrab, so you can use your mouse once the segfault makes the game break into gdb.
This can be done by opening the console (with the ^ or ~ key - the one under Esc) and entering in_nograb 1.
That makes playing a bit painful (looking around with the mouse does only partly work), but for the last few steps from the security bioscanner to that display it should be ok.

bk138 commented 9 years ago

For the record: Built from http://ftp.de.debian.org/debian/pool/main/libv/libvorbis/libvorbis_1.3.4-2.dsc on Jessie, same crash. Compiler: gcc (Debian 4.9.1-19) 4.9.1.

But also crashing when building with gcc-4.8.

DanielGibson commented 9 years ago

As mentioned in #109, an easier way to reproduce the problem is to just start the map "delta3" and go a few steps forward.

it can be loaded by opening the console and entering map game/delta3

The easiest way to reproduce the bug is now:
./dhewm3 +set in_nograb 1 +map game/delta3
if you have the buggy libvorbisfile3 from debian jessie, it should crash pretty quickly, between immediately and the second door.

coldtobi commented 9 years ago

As you asked in #106: I can reproduce it with the timedemo...

gdb --args dhewm3 +timedemoquit demo1

DanielGibson commented 9 years ago

Hmm there is no debian bugreport for the issue yet - I didn't create one because I don't know how to reproduce the problem without dhewm3 (i.e. without owning the game). I tried extracting an .ogg file from the game that seems affected, but just running oggdec on it doesn't crash (and in fact the crash seems to happen when seeking). (And I don't even use an affected version of Debian myself, I could only reproduce it by LD_PRELOAD-ing the lib from jessie)

Do you have any idea how to best get it fixed?

bk138 commented 9 years ago

I tried to isolate the bug and it crashes upon loading a specific file - unfortunately, oggdec decodes this one just fine. I think the Debian guys need a way to reproduce this without needing dhewm3 :-(

coldtobi commented 9 years ago

bk138, do you have more details? Like which file it chokes on? (and maybe where it is located)... This could help trying to debug into it or trying to create a testcase. I'm not too deep into the engine, but maybe we can "patch" it to only load that particular file or just add some ifs to be able to set a breakpoint...

Thanks!

Eleuin commented 9 years ago

@coldtobi I think it would be better to actually fix the problem instead of coding a hack for the bug, because it's just one version of libvorbisfile from the Debian repos that is affected

DanielGibson commented 9 years ago

I think he was talking about reproducing it in a hopefully simple testcase for a bugreport to the libvorbisfile debian maintainers

DanielGibson commented 9 years ago

anyway, I think the file that causes the crash in delta3 is sound/lights/loop_hum_07.ogg from pak003.pk4

I couldn't reproduce it by just throwing that file into oggdec, though. but in the dhewm3 crash the backtrace shows that it happens during seeking, so maybe custom code that seeks within that file (maybe to that specific position) can reproduce the problem.

coldtobi commented 9 years ago

On Tuesday, 24.03.2015, 10:54 -0700, Daniel Gibson wrote:

I think he was talking about reproducing it in a hopefully simple testcase for a bugreport to the libvorbisfile debian maintainers

Yes, exactly.

coldtobi commented 9 years ago

Mmm, I was now debugging into it. Weird: When I add debug messages (brute force, via std::cerr) then the demo runs through... Could it be a timing issue or race condition?

Diff for the debug code here: https://gist.github.com/coldtobi/9a5ddfbe38ae72dc01f2

I'll keep trying to pinpoint the crash, using the timing demo.

First simpler debug code showed that it crashes on different files here... (sorry, didn't remember which exact file)..

coldtobi commented 9 years ago

coming closer.. running the demo, when crashing, my crash is always here:

sound/lights/light_flicker101.wav off44k=39230 count44=512

Debugging into it... However, I'm not a vorbis / ogg expert, so I'm just describing my observations.

In ov_pcm_seek_page() an object of ogg_page is created (libvorbis, vorbisfile.c:1444) but not initialized. I guess it usually should be initialized in _get_next_page() (line 1468), but it isn't, as its call to ogg_sync_pageseek() returns 0 -- the test bytes<27 at line framing.c:686 (libogg!) fails. In the end the function _get_next_page returns OV_EOF (==-2). Now, at vorbisfile.c:1471 this is handled and the while loop starting at line 1468 is left, with best == -1 (handled at line 1548...)

Well, at line 1555 ogg_page_serialno is called with og (and therefore og.header) still uninitialized. ... SIGSEGV...

As said, only observations, I don't know the cause...
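The failure path described in the comment above, as an added example that is not code from dhewm3, libogg or libvorbisfile: a minimal Ogg page locator in C that mirrors the two libogg contracts the comment points at (ogg_sync_pageseek() returns 0 when fewer than 27 header bytes are available, and ogg_page_serialno() reads header bytes 14..17 through og->header without checking it), next to a checked variant that turns a never-located page into a clean error instead of a read through an uninitialized pointer. The demo_ names, the sample page bytes (CRC left unverified) and the -1 "no page" result standing in for OV_EOF are constructed for this example.

```c
/* Added example, not dhewm3/libogg/libvorbisfile code: a tiny Ogg page locator
 * mirroring the bytes<27 contract of ogg_sync_pageseek() and the unchecked
 * header read of ogg_page_serialno(), plus a checked lookup.  All demo_ names
 * and the sample page bytes are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DEMO_OGG_HEADER_MIN 27   /* fixed Ogg page header, before the segment table */

typedef struct {
    const unsigned char *header;  /* NULL until a complete page has been located */
    long header_len;
    const unsigned char *body;
    long body_len;
} demo_page;

/* Constructed Ogg page: "OggS", version 0, header type 2 (BOS), granulepos 0,
 * serial number 0x78563412 (little-endian on the wire), page sequence 0,
 * CRC32 left as zero (this example does not verify it), one 3-byte segment. */
#define DEMO_PAGE_LEN 31
static const unsigned char demo_page_bytes[DEMO_PAGE_LEN] = {
    'O','g','g','S', 0x00, 0x02,
    0,0,0,0,0,0,0,0,              /* granule position */
    0x12,0x34,0x56,0x78,          /* serial number, header bytes 14..17 */
    0,0,0,0,                      /* page sequence number */
    0,0,0,0,                      /* CRC32 (not checked here) */
    0x01, 0x03,                   /* 1 segment, 3 body bytes */
    'a','b','c'
};

/* Returns the page length on success (og filled in), 0 if more data is needed,
 * -1 if the capture pattern does not match.  og is left untouched unless > 0. */
long demo_pageseek(const unsigned char *buf, long bytes, demo_page *og) {
    if (bytes < DEMO_OGG_HEADER_MIN) return 0;      /* the bytes<27 test */
    if (memcmp(buf, "OggS", 4) != 0) return -1;
    long nsegs = buf[26];
    long hlen = DEMO_OGG_HEADER_MIN + nsegs;
    if (bytes < hlen) return 0;
    long blen = 0;
    for (long i = 0; i < nsegs; i++) blen += buf[27 + i];
    if (bytes < hlen + blen) return 0;
    og->header = buf;        og->header_len = hlen;
    og->body = buf + hlen;   og->body_len = blen;
    return hlen + blen;
}

/* Same arithmetic as libogg's ogg_page_serialno(): dereferences og->header
 * unconditionally, so a page that was never filled in is a crash. */
int32_t demo_page_serialno_unchecked(const demo_page *og) {
    return (int32_t)((uint32_t)og->header[14] | ((uint32_t)og->header[15] << 8) |
                     ((uint32_t)og->header[16] << 16) | ((uint32_t)og->header[17] << 24));
}

/* Checked variant: refuses a page that was never located. */
int demo_page_serialno_checked(const demo_page *og, int32_t *out) {
    if (og == NULL || og->header == NULL || og->header_len < DEMO_OGG_HEADER_MIN) return 0;
    *out = demo_page_serialno_unchecked(og);
    return 1;
}

/* Shape of the failing path in ov_pcm_seek_page(): a page object the locator
 * may leave unfilled, followed by a serial-number lookup.  Returns the serial
 * number (0..2^32-1) or -1 when no page could be located.  Because the page
 * starts zeroed and the lookup is checked, the short-read/EOF case is a clean
 * failure rather than a read through a garbage pointer. */
long long demo_serialno_value(const unsigned char *buf, long bytes) {
    demo_page og = {0};                                 /* vorbisfile leaves this uninitialized */
    if (demo_pageseek(buf, bytes, &og) <= 0) return -1; /* OV_EOF analogue: og never filled */
    int32_t serial;
    if (!demo_page_serialno_checked(&og, &serial)) return -1;
    return (long long)(uint32_t)serial;
}

long demo_pageseek_len(const unsigned char *buf, long bytes) {
    demo_page og = {0};
    return demo_pageseek(buf, bytes, &og);
}

int main(void) {
    printf("full page: len=%ld serial=0x%llx\n", demo_pageseek_len(demo_page_bytes, DEMO_PAGE_LEN),
           demo_serialno_value(demo_page_bytes, DEMO_PAGE_LEN));
    printf("20 bytes : len=%ld serial=%lld\n", demo_pageseek_len(demo_page_bytes, 20),
           demo_serialno_value(demo_page_bytes, 20));
    return 0;
}
```

Feeding the first 20 bytes of the page reproduces the situation in the comment: the locator returns 0 (fewer than 27 bytes), the page object is never filled, and the unchecked serial-number read would dereference whatever og->header happens to hold. The zero-initialised page plus the checked lookup is the defensive shape a caller wants; the real fix belongs in libvorbisfile, which must not consult the page when _get_next_page() reported OV_EOF.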

coldtobi commented 9 years ago

Bug reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782831

DanielGibson commented 9 years ago

Cool, thanks a lot!

DanielGibson commented 9 years ago

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782831#10 Seems like one of the vorbis maintainers found a way to reproduce the problem without dhewm3, so it indeed seems to be an internal libvorbis problem.

I guess we should still keep this report open until the problem is fixed in debian, so other people that run into the crash don't create new bugreports

coldtobi commented 9 years ago

Two updates: Wesnoth also seems to be affected: https://bugs.debian.org/780853

I locally built the latest libvorbis and with that one the timedemo completes. (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782831#30 )

coldtobi commented 9 years ago

https://bugs.debian.org/780853 is now closed and the segfault seems to be gone. (timedemo now completes as it should...)

Tobi

DanielGibson commented 9 years ago

Awesome, I guess we can close this then.