[MU4 Issue] Crash after openning-closing Mixer multiple times during playback (on big score)

[DmitryArefiev]

To Reproduce
Steps to reproduce the behavior:

1. Open Big_Score.zip
2. Open Mixer
3. Start Playback
4. Close-Open Mixer multiple times (see video below)

UPDATE (23 Mar 2022): Now it is harder to reproduce the crash: you need to close-open Mixer ~20 times instead of ~5.
Reducing priority.

Desktop:

• OS: Win10/Mac11
  (didn't try on Linux)

Additional context
Sometimes can happen after first closing of Mixer (on big scores)

[Tantacrul]

I have tested big score (which is a masterpiece, by the way) and rapidly opened and closed the mixer about 100 times and not experienced one crash.

Perhaps time to close the issue?

[DmitryArefiev]

I've tried on Win and Mac and still have the crash on Mac (M1 laptop)

crash.mac.mov

Maybe let's just low the priority to P3 and move to Beta 2? (since it's not regular workflow to open Mixer several times so quickly)

[AntonioBL]

Ciao.
When running under AddressSanitizer, just after closing the Mixer there is a heap-use-after-free error: something (the playback?) is trying to access a MixerChannelItem which was deleted when closing the Mixer.
Here is the backtrace of the log (note the freed by thread T0 and previously allocated by thread T0 sections):

=================================================================
==13688==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130008c4490 at pc 0x55556629ded5 bp 0x7fffffffc760 sp 0x7fffffffc750
READ of size 8 at 0x6130008c4490 thread T0
    #0 0x55556629ded4 in deto::async::AbstractInvoker::invokeCallback(int, deto::async::AbstractInvoker::CallBack const&, deto::async::NotifyData const&) ~/MuseScore/thirdparty/deto_async/async/internal/abstractinvoker.cpp:59
    #1 0x5555662dbe35 in deto::async::AbstractInvoker::QInvoker::invoke() (~/MuseScore/builds/Linux-Qt5.15.2-gcc_64-Make-Debug/install/bin/mscore+0x10d87e35)
    #2 0x55556629cc95 in operator() ~/MuseScore/thirdparty/deto_async/async/internal/abstractinvoker.cpp:49
    #3 0x5555662cccd5 in _M_invoke /usr/include/c++/9/bits/std_function.h:300
    #4 0x5555662f02ca in std::function<void ()>::operator()() const /usr/include/c++/9/bits/std_function.h:688
    #5 0x55556641355f in mu::framework::Invoker::doInvoke(void*) ~/MuseScore/src/framework/global/invoker.cpp:57
    #6 0x55556629b726 in mu::framework::Invoker::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ~/MuseScore/builds/Linux-Qt5.15.2-gcc_64-Make-Debug/src/framework/global/global_autogen/EWIEGA46WW/moc_invoker.cpp:73
    #7 0x7ffff2be7da2 in QObject::event(QEvent*) (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x2ccda2)
    #8 0x7ffff3dac43b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (~/Qt/5.15.2/gcc_64/lib/libQt5Widgets.so.5+0x16343b)
    #9 0x7ffff3db2f1f in QApplication::notify(QObject*, QEvent*) (~/Qt/5.15.2/gcc_64/lib/libQt5Widgets.so.5+0x169f1f)
    #10 0x7ffff2bb8807 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x29d807)
    #11 0x7ffff2bbb881 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x2a0881)
    #12 0x7ffff2c14b32 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x2f9b32)
    #13 0x7fffef55517c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c)
    #14 0x7fffef5553ff  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
    #15 0x7fffef5554a2 in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x524a2)
    #16 0x7ffff2c141cb in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x2f91cb)
    #17 0x7ffff2bb7219 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x29c219)
    #18 0x7ffff2bc01d2 in QCoreApplication::exec() (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x2a51d2)
    #19 0x555568bb50aa in mu::appshell::AppShell::run(int, char**) ~/MuseScore/src/appshell/appshell.cpp:230
    #20 0x55556628b074 in main ~/MuseScore/src/main/main.cpp:321
    #21 0x7ffff1a920b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #22 0x555566289afd in _start (~/MuseScore/builds/Linux-Qt5.15.2-gcc_64-Make-Debug/install/bin/mscore+0x10d35afd)

0x6130008c4490 is located 16 bytes inside of 360-byte region [0x6130008c4480,0x6130008c45e8)
freed by thread T0 here:
    #0 0x7ffff7693c65 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:177
    #1 0x55556af7794a in mu::playback::MixerChannelItem::~MixerChannelItem() ~/MuseScore/src/playback/view/internal/mixerchannelitem.cpp:69
    #2 0x7ffff2be47c2 in QObjectPrivate::deleteChildren() (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x2c97c2)

previously allocated by thread T0 here:
    #0 0x7ffff7692587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55556afa228f in mu::playback::MixerPanelModel::buildTrackChannelItem(int const&, int const&) ~/MuseScore/src/playback/view/mixerpanelmodel.cpp:228
    #2 0x55556af9a3cf in mu::playback::MixerPanelModel::loadItems(int, std::vector<int, std::allocator<int> > const&) ~/MuseScore/src/playback/view/mixerpanelmodel.cpp:131
    #3 0x55556af96589 in operator() ~/MuseScore/src/playback/view/mixerpanelmodel.cpp:70
    #4 0x55556afefa5d in __invoke_impl<void, mu::playback::MixerPanelModel::load(const QVariant&)::<lambda(const TrackIdList&)>&, std::vector<int, std::allocator<int> > > /usr/include/c++/9/bits/invoke.h:60
    #5 0x55556afed36b in __invoke<mu::playback::MixerPanelModel::load(const QVariant&)::<lambda(const TrackIdList&)>&, std::vector<int, std::allocator<int> > > /usr/include/c++/9/bits/invoke.h:95
    #6 0x55556afe779f in __apply_impl<mu::playback::MixerPanelModel::load(const QVariant&)::<lambda(const TrackIdList&)>&, std::tuple<std::vector<int, std::allocator<int> > >, 0> /usr/include/c++/9/tuple:1684
    #7 0x55556afe7828 in apply<mu::playback::MixerPanelModel::load(const QVariant&)::<lambda(const TrackIdList&)>&, std::tuple<std::vector<int, std::allocator<int> > > > /usr/include/c++/9/tuple:1694
    #8 0x55556afe7a13 in resolved ~/MuseScore/thirdparty/deto_async/async/promise.h:135
    #9 0x555569208a4a in deto::async::Promise<std::vector<int, std::allocator<int> > >::PromiseInvoker::doInvoke(int, void*, deto::async::NotifyData const&) ~/MuseScore/thirdparty/deto_async/async/promise.h:181
    #10 0x55556629e1f4 in deto::async::AbstractInvoker::invokeCallback(int, deto::async::AbstractInvoker::CallBack const&, deto::async::NotifyData const&) ~/MuseScore/thirdparty/deto_async/async/internal/abstractinvoker.cpp:62
    #11 0x5555662dbe35 in deto::async::AbstractInvoker::QInvoker::invoke() (~/MuseScore/builds/Linux-Qt5.15.2-gcc_64-Make-Debug/install/bin/mscore+0x10d87e35)
    #12 0x55556629cc95 in operator() ~/MuseScore/thirdparty/deto_async/async/internal/abstractinvoker.cpp:49
    #13 0x5555662cccd5 in _M_invoke /usr/include/c++/9/bits/std_function.h:300
    #14 0x5555662f02ca in std::function<void ()>::operator()() const /usr/include/c++/9/bits/std_function.h:688
    #15 0x55556641355f in mu::framework::Invoker::doInvoke(void*) ~/MuseScore/src/framework/global/invoker.cpp:57
    #16 0x55556629b726 in mu::framework::Invoker::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ~/MuseScore/builds/Linux-Qt5.15.2-gcc_64-Make-Debug/src/framework/global/global_autogen/EWIEGA46WW/moc_invoker.cpp:73
    #17 0x7ffff2be7da2 in QObject::event(QEvent*) (~/Qt/5.15.2/gcc_64/lib/libQt5Core.so.5+0x2ccda2)
    #18 0x7ffff3dac43b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (~/Qt/5.15.2/gcc_64/lib/libQt5Widgets.so.5+0x16343b)

Ciao,
ABL

[AntonioBL]

The crash is happening when calling !c.receiver->isConnectedAsync() here

[lyrra]

1. select a note
2. close mixer
3. crash

gdb backtrace:
Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007ff6cc384a0e in deto::async::Channel<unsigned char, mu::audio::AudioSignalVal>::ChannelInvoker::doInvoke (this=0x169e6cd2810, callKey=0x1, call=0x169e5af44a0, d=...) at src/framework/global/thirdparty/deto_async/async/channel.h:126
126 static_cast<IReceive*>(call)->received(d);
(gdb) ba
#0 0x00007ff6cc384a0e in deto::async::Channel<unsigned char, mu::audio::AudioSignalVal>::ChannelInvoker::doInvoke (this=0x169e6cd2810, callKey=0x1, call=0x169e5af44a0, d=...) at src/framework/global/thirdparty/deto_async/async/channel.h:126
#1 0x00007ff6cb33372c in deto::async::AbstractInvoker::invokeCallback (this=0x169e6cd2810, type=0x1, c=..., data=...) at src/framework/global/thirdparty/deto_async/async/internal/abstractinvoker.cpp:61
#2 0x00007ff6cc3790cc in deto::async::AbstractInvoker::QInvoker::invoke (this=0x169e9bf5ef0) at src/framework/global/thirdparty/deto_async/async/internal/abstractinvoker.h:134
#3 0x00007ff6cb333386 in operator() (__closure=0x169e31cd7d0) at src/framework/global/thirdparty/deto_async/async/internal/abstractinvoker.cpp:48
#4 0x00007ff6cb33cf78 in std::__invoke_impl<void, deto::async::AbstractInvoker::invoke(int, const deto::async::NotifyData&)::<lambda()>&>(std::__invoke_other, struct {...} &) (__f=...) at /mingw64/include/c++/12.1.0/bits/invoke.h:61
#5 0x00007ff6cb33c6c8 in std::__invoke_r<void, deto::async::AbstractInvoker::invoke(int, const deto::async::NotifyData&)::<lambda()>&>(struct {...} &) (__fn=...) at /mingw64/include/c++/12.1.0/bits/invoke.h:111
#6 0x00007ff6cb33c242 in std::_Function_handler<void(), deto::async::AbstractInvoker::invoke(int, const deto::async::NotifyData&)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...) at /mingw64/include/c++/12.1.0/bits/std_function.h:290
#7 0x00007ff6cc5b1252 in std::function<void ()>::operator()() const (this=0x169e31cd7d0) at /mingw64/include/c++/12.1.0/bits/std_function.h:591
#8 0x00007ff6cc0dc41b in mu::framework::Invoker::doInvoke (this=0x7ff6ce579580 <s_asyncInvoker>, ptr=0x169e31cd7d0) at src/framework/global/internal/invoker.cpp:57
#9 0x00007ff6cc0e0005 in mu::framework::Invoker::qt_static_metacall (_o=0x7ff6ce579580 <s_asyncInvoker>, _c=QMetaObject::InvokeMetaMethod, _id=0x0, _a=0x169ea0604c8) at builds/Win-Qt--Make-Debug/src/framework/global/global_autogen/EGDWYGFDBT/moc_invoker.cpp:73
#10 0x00007ffa5727371c in QObject::event(QEvent*) () from builds\Win-Qt--Make-Debug\install\bin\Qt5Core.dll
#11 0x00007ffa55257ec3 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from builds\Win-Qt--Make-Debug\install\bin\Qt5Widgets.dll
#12 0x00007ffa5724629d in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from builds\Win-Qt--Make-Debug\install\bin\Qt5Core.dll
#13 0x00007ffa5724c83b in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from builds\Win-Qt--Make-Debug\install\bin\Qt5Core.dll

tested at commit bdce152

Possible related issues:

• [MU4 Issue] Crash when closing a score after disabling/enabling mixer several times #12815
• [MU4 Issue] Crash after actions with Mixer #12549
• [MU4 Issue] Crash after openning-closing Mixer multiple times during playback (on big score) #9467

[DmitryArefiev]

The issue has change a little bit. Now, one additional step needed to have the crash: close during playback

1. Open Big_Score.mscz
2. Start playback
3. Open/close Mixer 5 times
4. Close score

bandicam.2022-10-19.19-56-57-800.mp4