
Mumble segfaults during recording. #2863

Closed
tatokis opened this issue Feb 22, 2017 · 1 comment · Fixed by #2864

Comments

@tatokis
Copy link
Contributor

tatokis commented Feb 22, 2017

Running Ubuntu 16.04 with the latest mumble from the unstable PPA (g289d0d4).
The way to reproduce the segfaults so far has been to just join a room with others and start a recording.
It seems to be happening on random occasions.

Attaching gdb and simulating conversation using push to talk with local clients revealed this backtrace.

Thread 6 "threaded-ml" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f47923cc700 (LWP 18813)]
0x00007f47b8176d98 in speex_bits_read_from (bits=bits@entry=0x7f477c0b6980, 
    chars=0x7f477c00cd58 "\274\373C", len=<optimized out>)
    at ../../libspeex/bits.c:139
139	../../libspeex/bits.c: Δεν υπάρχει τέτοιο αρχείο ή κατάλογος.
(gdb) bt full
#0  0x00007f47b8176d98 in speex_bits_read_from (bits=bits@entry=0x7f477c0b6980, chars=0x7f477c00cd58 "\274\373C", len=<optimized out>) at ../../libspeex/bits.c:139
        i = 0
        nchars = 2
#1  0x00005634a44c0ea3 in AudioOutputSpeech::needSamples (this=0x7f477c0b68d0, snum=480) at AudioOutputSpeech.cpp:308
        qba = {static MaxSize = 1073741800, d = 0x7f477c00cd40}
        update = <optimized out>
        avail = 1
        ts = 0
        decodedSamples = 480
        inlen = 2453444672
        outlen = 2080427328
        pOut = 0x7f477c0b9ea0
        nextalive = true
        tmp = <optimized out>
#2  0x00005634a44bb6ec in AudioOutput::mix (this=this@entry=0x5634a6ded3b0, outbuff=outbuff@entry=0x7f47923caa10, nsamp=nsamp@entry=480) at AudioOutput.cpp:372
        aop = 0x7f477c0b68d0
        qlMix = {<QListSpecialMethods<AudioOutputUser*>> = {<No data fields>}, {p = {static shared_null = {ref = {atomic = {_q_value = -1}}, alloc = 0, begin = 0, end = 0, array = {0x0}}, 
              d = 0x7f47b5f88580 <QListData::shared_null>}, d = 0x7f47b5f88580 <QListData::shared_null>}}
        qlDel = {<QListSpecialMethods<AudioOutputUser*>> = {<No data fields>}, {p = {static shared_null = {ref = {atomic = {_q_value = -1}}, alloc = 0, begin = 0, end = 0, array = {0x0}}, 
              d = 0x7f47b5f88580 <QListData::shared_null>}, d = 0x7f47b5f88580 <QListData::shared_null>}}
        mul = 1.5
        nchan = 4
        sh = {px = <optimized out>, pn = {pi_ = 0x5634a6f0d270}}
        recorder = {px = 0x5634a7186160, pn = {pi_ = 0x5634a6ea3320}}
        prioritySpeakerActive = false
        it = {i = 0x7f477c0b66b0}
#3  0x00005634a45f3969 in PulseAudioSystem::write_callback (s=<optimized out>, bytes=<optimized out>, userdata=<optimized out>) at PulseAudio.cpp:602
        pas = <optimized out>
        ao = {px = <optimized out>, pn = {pi_ = 0x5634a62886f0}}
        pao = 0x5634a6ded3b0
        buffer = <optimized out>
        pss = <optimized out>
        pcm = <optimized out>
        iSampleSize = 8
        samples = 480
        oldAttenuation = false
#4  0x00007f47b7231fce in ?? () from /usr/lib/x86_64-linux-gnu/libpulse.so.0
No symbol table info available.
#5  0x00007f47b3db0442 in pa_pdispatch_run () from /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
No symbol table info available.
#6  0x00007f47b7214fce in ?? () from /usr/lib/x86_64-linux-gnu/libpulse.so.0
No symbol table info available.
#7  0x00007f47b3db2d5f in ?? () from /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
No symbol table info available.
#8  0x00007f47b3db53db in ?? () from /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
No symbol table info available.
#9  0x00007f47b3db5789 in ?? () from /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
No symbol table info available.
#10 0x00007f47b3db601a in ?? () from /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
No symbol table info available.
#11 0x00007f47b722a0b7 in pa_mainloop_dispatch () from /usr/lib/x86_64-linux-gnu/libpulse.so.0
No symbol table info available.
#12 0x00007f47b722a4bc in pa_mainloop_iterate () from /usr/lib/x86_64-linux-gnu/libpulse.so.0
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#13 0x00007f47b722a560 in pa_mainloop_run () from /usr/lib/x86_64-linux-gnu/libpulse.so.0
No symbol table info available.
#14 0x00007f47b72387a9 in ?? () from /usr/lib/x86_64-linux-gnu/libpulse.so.0
No symbol table info available.
#15 0x00007f47b3dc6078 in ?? () from /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
No symbol table info available.
#16 0x00007f47b5a156ba in start_thread (arg=0x7f47923cc700) at pthread_create.c:333
        __res = <optimized out>
        pd = 0x7f47923cc700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139945372862208, -4217566306391312614, 0, 140724120748191, 139945372862912, 140724120749760, 4320946227129857818, 4321021910165600026}, 
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#17 0x00007f47b4e9482d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.
(gdb) 

With the mumble client in a frozen state due to gdb, I can see that during the segfault, only a local client was transmitting audio, with the instance of mumble that crashed just recording (and not transmitting anything).

mkrautz added a commit to mkrautz/mumble that referenced this issue Feb 22, 2017
…ushCheck().

@tatokis reported a voice recorder crash on IRC.
(Also filed as mumble-voip#2863)

The main culprit was missing error checking in flushCheck() for the values
of iTarget and iPrevTarget.

The problem is that iPrevTarget can be set to -1 in error situations,
when using voice target shortcuts. (Whispers and shouts.)

When that happens, the message type output by flushCheck() will be set
to an invalid value (7), because iPrevTarget is -1.

In flushCheck(), when the packet is a terminator, we set the packet's flags
to the value of iPrevTarget. However, in some error states, iPrevTarget is -1.
When flags is set to -1, all bits are high (say, 0xffffffff on 32-bit
systems). Since all bits are high, our attempt to set the message type in
the flags byte fails, because we attempt to splice it in there via binary
OR.

The result is that a packet with an invalid message type of 7 gets into our
audio subsystem and wreaks havoc. Due to mistakes in other code in
AudioOutputSpeech, that invalid value could cause a crash. (The problem
was that we expected all packets that weren't Opus or CELT to be
Speex. Even 'unknown' message types. This will be fixed in a separate
commit.)

Fixes mumble-voip#2863
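The flags-byte failure the commit message describes, worked through as an added C++ example. This is not Mumble's code and not the fix from #2864; it assumes the Mumble UDP voice header layout (top 3 bits message type, low 5 bits voice target) and the numbering of the UDP message types, neither of which is stated on this page, and the checked variant is only an illustration of the validation the commit message says was missing.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed header layout: bits 7..5 = message type, bits 4..0 = voice target.
// Assumed type values (Mumble UDP protocol); 5, 6 and 7 are unassigned,
// and 7 is what the bug produces.
enum MessageType : std::uint8_t {
    UDPVoiceCELTAlpha = 0,
    UDPPing           = 1,
    UDPVoiceSpeex     = 2,
    UDPVoiceCELTBeta  = 3,
    UDPVoiceOpus      = 4
};

// Buggy composition, as the commit message describes it: the target is
// copied into flags and the type is OR-ed on top. With iPrevTarget == -1
// every bit is already set, so the OR changes nothing and the header
// truncates to 0xff, i.e. type 7, target 31.
std::uint8_t composeFlagsBuggy(int iPrevTarget, MessageType type) {
    unsigned int flags = static_cast<unsigned int>(iPrevTarget);  // -1 -> 0xffffffff
    flags |= static_cast<unsigned int>(type) << 5;
    return static_cast<std::uint8_t>(flags);
}

// Illustrative checked variant (not the project's fix): validate the target
// against the 5-bit field before packing. Returns -1 if the target is out
// of range, otherwise the header byte.
int composeFlagsChecked(int iPrevTarget, MessageType type) {
    if (iPrevTarget < 0 || iPrevTarget > 31)
        return -1;
    return (static_cast<int>(type) << 5) | iPrevTarget;
}

int typeOf(std::uint8_t flags)   { return flags >> 5; }
int targetOf(std::uint8_t flags) { return flags & 0x1f; }

// Decoder-side dispatch. The commit message notes that the crashing code
// treated every non-Opus, non-CELT packet as Speex; an explicit default
// case keeps a corrupted header from being handed to any decoder.
enum class Codec { CELT, Speex, Opus, Unknown };

Codec codecFor(std::uint8_t flags) {
    switch (typeOf(flags)) {
        case UDPVoiceCELTAlpha:
        case UDPVoiceCELTBeta:  return Codec::CELT;
        case UDPVoiceSpeex:     return Codec::Speex;
        case UDPVoiceOpus:      return Codec::Opus;
        default:                return Codec::Unknown;
    }
}

int main() {
    std::uint8_t bad = composeFlagsBuggy(-1, UDPVoiceOpus);
    std::printf("buggy, target -1: flags=0x%02x type=%d target=%d codec=%s\n",
                bad, typeOf(bad), targetOf(bad),
                codecFor(bad) == Codec::Unknown ? "unknown" : "known");

    std::uint8_t ok = composeFlagsBuggy(3, UDPVoiceOpus);
    std::printf("buggy, target 3:  flags=0x%02x type=%d target=%d\n",
                ok, typeOf(ok), targetOf(ok));

    int checked = composeFlagsChecked(-1, UDPVoiceOpus);
    if (checked < 0)
        std::printf("checked, target -1: refused to build a header\n");
    return 0;
}
```

With target 3 the OR works as intended (0x83: type 4, target 3); with target -1 the same code yields 0xff, which the dispatch table classifies as an unknown codec rather than defaulting to Speex.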
@mkrautz
Copy link
Contributor

mkrautz commented Feb 22, 2017

Also of note: @tatokis mentioned that it is possible to trigger this crash by

  1. holding PTT
  2. while holding PTT, also hold a voice target that specifies an invalid user

in that case, g.iPrevTarget will be set to -1, which causes everything to break.

mkrautz added a commit to mkrautz/mumble that referenced this issue Feb 25, 2017