Crash when Rall playback and Tempo change do not align

[mproffitt]

Issue type

Crash or freeze

Bug description

When working on a medium sized score, MuseScore will consistently crash with a malloc(): invalid size (unsorted)

The source of the crash is coming from libMuseSamplerCoreLib.so and is detailed in the stack-trace below. It does not seem to occur in certain situations, (described below).

The cause of the crash appears to be a descrepancy between the tempo indicated by a rall... and the end tempo marking, where the rall sets the tempo below that of the marked tempo.

For example t = 132bpm - rall 90% to t = 120bpm, the rall sets the final tempo to 119bpm over 2 bars; approx 4 bars later, MuseScore will crash.

The workaround appears to be to set the % for the rall to 91% over 2 bars so the final tempo matches that of the marked tempo.

In trying to test this, it only appears to affect the Percussion set of which the score makes heavy use of vibraphone, celesta, orchestral bass drum, snare, timpani, it does not seemingly have an effect on strings although I can neither confirm nor guarantee this is the case.

To understand this issue, I have:

• Confirmed it in 4.0.1
• Tested it in the nightly build
• Built MuseScore from the 4.0.2 branch with debug symbols

Score instrumentation:

• Tubular bells
• Bass Guitar
• Timpani
• Vibraphone 1
• Vibraphone 2
• Vibraphone 3
• Bongos
• Bass Drum
• Snare Drum
• Cymbals (Platti)
• Celesta 1
• Celesta 2
• Violins 1a (section)
• Violins 1b (section)
• Violins 2 (section)
• Violas (section)
• Cellos (section)
• Contrabass (section)

Steps to reproduce

I am not entirely confident this will fail in exactly the same way each time but:

1. Create a score containing 200+ bars making heavy use of percussion and strings with an opening tempo of crotchet = 132
2. Add a rallentando at bar 101 spanning 2 bars
3. Set the playback tempo change property to 90%
4. add a new tempo marking at bar 103 to crotchet = 120

Screenshots/Screen recordings

No response

MuseScore Version

4.0.1 OS: Ubuntu 22.10, Arch.: x86_64, MuseScore version (64-bit): 4.0.1-230121751, revision: github-musescore-musescore-9b70a8c

Regression

No.

Operating system

Ubuntu Studio 22.10

Additional context

Full backtrace log: musescore-backtrace.txt

Specific backtrace from gdb (Backtrace created with MuseScore 4.0.2 git @ commit 48ac167c5e20b612a418d922a22db6e06ceb3c19)

(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimised out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimised out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff4e3bc46 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff4e227fc in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff4e850be in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff4fb95dc "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff4e9c3fc in malloc_printerr (str=str@entry=0x7ffff4fbc708 "malloc(): invalid size (unsorted)") at ./malloc/malloc.c:5660
#7  0x00007ffff4e9f6fc in _int_malloc (av=av@entry=0x7ffc40000030, bytes=bytes@entry=1208) at ./malloc/malloc.c:3998
#8  0x00007ffff4ea06fd in __GI___libc_malloc (bytes=1208) at ./malloc/malloc.c:3323
#9  0x00007fffb7af452b in std::_Sp_counted_ptr_inplace<staffpad::audio::SignalData<float>, std::allocator<staffpad::audio::SignalData<float> >, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<int&, int&>(std::allocator<staffpad::audio::SignalData<float> >, int&, int&) () at /lib/libMuseSamplerCoreLib.so
#10 0x00007fffb7b1c822 in staffpad::audio::Signal<float>::Signal(int, int) () at /lib/libMuseSamplerCoreLib.so
#11 0x00007fffb7b42b51 in staffpad::audio::Signal<float>::concatenate(staffpad::audio::Signal<float> const&, staffpad::audio::Signal<float> const&) () at /lib/libMuseSamplerCoreLib.so
#12 0x00007fffb7b61f8d in staffpad::vi::SfzVoice::generate(int) () at /lib/libMuseSamplerCoreLib.so
#13 0x00007fffb7b3575f in staffpad::vi::BaseInstrument::KeyData::generate(int, int) const () at /lib/libMuseSamplerCoreLib.so
#14 0x00007fffb7b325bf in staffpad::vi::BaseInstrument::processKeyEvents(staffpad::vi::BaseInstrument::KeyData&, staffpad::vi::VIEventList const&, staffpad::audio::Signal32&, bool) () at /lib/libMuseSamplerCoreLib.so
#15 0x00007fffb7b340f3 in staffpad::vi::BaseInstrument::process(double, staffpad::vi::VIEventList const&, staffpad::audio::Signal32&) () at /lib/libMuseSamplerCoreLib.so
#16 0x00007fffb7b2b308 in std::enable_if<is_invocable_r_v<staffpad::audio::Signal32, std::_Bind<staffpad::vi::PlaybackEngine::generate(double, staffpad::audio::Signal32&, std::optional<int>, staffpad::vi::PrerenderBuffer const*)::$_0 ()>&>, staffpad::audio::Signal32>::type std::__invoke_r<staffpad::audio::Signal32, std::_Bind<staffpad::vi::PlaybackEngine::generate(double, staffpad::audio::Signal32&, std::optional<int>, staffpad::vi::PrerenderBuffer const*)::$_0 ()>&>(std::_Bind<staffpad::vi::PlaybackEngine::generate(double, staffpad::audio::Signal32&, std::optional<int>, staffpad::vi::PrerenderBuffer const*)::$_0 ()>&) () at /lib/libMuseSamplerCoreLib.so
#17 0x00007fffb7b2b05e in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<staffpad::audio::Signal32>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::_Bind<staffpad::vi::PlaybackEngine::generate(double, staffpad::audio::Signal32&, std::optional<int>, staffpad::vi::PrerenderBuffer const*)::$_0 ()>, std::allocator<int>, staffpad::audio::Signal32 ()>::_M_run()::{lambda()#1}, staffpad::audio::Signal32> >::_M_invoke(std::_Any_data const&) () at /lib/libMuseSamplerCoreLib.so
#18 0x00007fffb7a9bda7 in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) () at /lib/libMuseSamplerCoreLib.so
#19 0x00007ffff4e95577 in __pthread_once_slow (once_control=0x7ffc5000add8, init_routine=0x7ffff52dae30 <std::__once_proxy()>) at ./nptl/pthread_once.c:116
#20 0x00007fffb7b2ae71 in std::__future_base::_Task_state<std::_Bind<staffpad::vi::PlaybackEngine::generate(double, staffpad::audio::Signal32&, std::optional<int>, staffpad::vi::PrerenderBuffer const*)::$_0 ()>, std::allocator<int>, staffpad::audio::Signal32 ()>::_M_run() () at /lib/libMuseSamplerCoreLib.so
#21 0x00007fffb7ac33f5 in staffpad::ThreadPool::workerThreadFunction() () at /lib/libMuseSamplerCoreLib.so
#22 0x00007ffff52dc3a3 in std::execute_native_thread_routine(void*) (__p=0x7fffbb8aeae0) at ../../../../../src/libstdc++-v3/src/c++11/thread.cc:82
#23 0x00007ffff4e90402 in start_thread (arg=<optimised out>) at ./nptl/pthread_create.c:442
#24 0x00007ffff4f1f590 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

[mproffitt]

Missed this from the bug report:

To try confirm this I:

• Set all instruments to use Musescore Basic soundfont - No crash
• Set all percussion instruments to Musescore Basic soundfont, strings to MuseSounds - No crash, not confirmed by second run.
• Set Strings to Musescore basic, percussion to MuseSounds - Crash.