Bug 3488

Summary: Random crashes (because Memory overlap in audio converters detected by Valgrind)
Product: SDL
Reporter: Vitaly Novichkov <admin>
Component: audio
Assignee: Ryan C. Gordon <icculus>
Status: RESOLVED FIXED
QA Contact: Sam Lantinga <slouken>
Severity: critical
Priority: P2
CC: kai.sterker
Version: HG 2.1
Hardware: All
OS: All
Attachments: Screenshot of Qt Creator with caught bug
             Visualization of algorithm on the paper
             Fix of the bug

Description Vitaly Novichkov 2016-11-12 14:04:07 UTC
Created attachment 2614 [details]
Screenshot of Qt Creator with caught bug

Hello!
I tried to use it (I had commit state 264f6495d712), then I got random crashes which happen while loading some Ogg files, and a crash after de-initializing the application.
Then I built SDL with -O0 and -g flags and tried Valgrind, and I realized the reason why this happens: it seems the memory allocation inaccurately calculated the size of the working memory block:

mono-to-stereo: -> x2
short-to-float: -> x2
resample-x4: -> x4
float-to-short: -> /2 (must NOT be applied)

I see that "len_mult" is 16 (right), but len_ratio is 8. It seems the memory allocation used the wrong coefficient and that is what caused this.
Comment 1 Vitaly Novichkov 2016-11-12 17:14:44 UTC
It seems the allocation and the required memory block calculation are fine.

I just tried to disable resampling with the "cvt.freq = mixer.freq;" command, and the crashes are gone. It seems there are mistakes in the logic of the resampling function, which I'm now checking. If I find something weird, I will try to fix it myself.
Comment 2 Vitaly Novichkov 2016-11-12 19:56:46 UTC
Okay, when I researched the code and algorithm, I tried to replace the condition "while(dst >= target)" with "while(dst >= target)" and the crashes are gone.
It seems at some moments it tries to write into the place before the memory block begins, therefore phantom crashes appear after a while.
Comment 3 Vitaly Novichkov 2016-11-12 19:57:43 UTC
Oops!
It must be "while(dst > target)"; in the previous post I just copy-pasted the wrong condition.
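An added example, not SDL's code and not from the report, that models the backwards in-place upsample loop and the off-by-one in its stop condition: with "dst >= target" the loop runs one iteration too many and writes one frame below the buffer, with "dst > target" it stops correctly. A canary frame below the audio stands in for Electric Fence's EF_PROTECT_BELOW; the converter shape (midpoint interpolation), CHANNELS, IN_FRAMES and the (k, -k) sample values are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#define CHANNELS   2
#define IN_FRAMES  3                   /* constructed input: 3 stereo frames */
#define OUT_FRAMES (2 * IN_FRAMES)
#define GUARD      CHANNELS            /* one canary frame below and above the audio */
#define CANARY     (-12345.0f)

/* Constructed in-place x2 upsample, filled from the end so unread input is not
 * overwritten: output frame 2k = input frame k, output frame 2k-1 = midpoint of
 * input frames k-1 and k, last output frame = last input frame. Input frame 0 is
 * already in place, so the loop must stop once dst reaches target. use_ge = 1 keeps
 * "dst >= target" (one iteration too many: it touches the frame below the buffer). */
static void upsample_x2_inplace(float *audio, int in_frames, int use_ge)
{
    float *target = audio, *dst = audio + (2 * in_frames - 1) * CHANNELS; /* first / last output frame */
    const float *src = audio + (in_frames - 1) * CHANNELS;  /* last input frame */
    for (int i = 0; i < CHANNELS; i++) dst[i] = src[i];     /* frame 2F-1 = frame F-1 */
    dst -= CHANNELS;
    while (use_ge ? (dst >= target) : (dst > target)) {
        const float *prev = src - CHANNELS;                 /* input frame k-1 */
        for (int i = 0; i < CHANNELS; i++) dst[i] = src[i]; /* out 2k = in k */
        dst -= CHANNELS;
        for (int i = 0; i < CHANNELS; i++) dst[i] = 0.5f * (prev[i] + src[i]); /* out 2k-1 */
        dst -= CHANNELS;
        src = prev;
    }
}

/* Runs the converter on constructed input (frame k = (k, -k)) between canary frames,
 * as EF_PROTECT_BELOW did in the report; returns 1 if the lower guard frame is intact. */
static int run_guarded(int use_ge, float *out)
{
    float store[GUARD + OUT_FRAMES * CHANNELS + GUARD];
    float *audio = store + GUARD;
    for (int i = 0; i < (int)(sizeof store / sizeof store[0]); i++) store[i] = CANARY;
    for (int i = 0; i < IN_FRAMES; i++) { audio[i * CHANNELS] = (float)i; audio[i * CHANNELS + 1] = -(float)i; }
    upsample_x2_inplace(audio, IN_FRAMES, use_ge);
    if (out) memcpy(out, audio, sizeof(float) * OUT_FRAMES * CHANNELS);  /* converted frames */
    for (int i = 0; i < GUARD; i++) if (store[i] != CANARY) return 0;
    return 1;
}
/* Sample idx of the output produced by the corrected loop. */
static float fixed_sample(int idx) { float out[OUT_FRAMES * CHANNELS]; run_guarded(0, out); return out[idx]; }
int main(void)
{
    printf("dst >= target: lower guard %s\n", run_guarded(1, NULL) ? "intact" : "overwritten");
    printf("dst >  target: lower guard %s, output sample 2 = %g\n", run_guarded(0, NULL) ? "intact" : "overwritten", fixed_sample(2));
    return 0;
}
```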
Comment 4 Vitaly Novichkov 2016-11-12 20:12:20 UTC
Created attachment 2615 [details]
Visualization of algorithm on the paper
Comment 5 Kai Sterker 2016-11-12 21:03:56 UTC
I have seen the same issue after upgrading SDL to the latest hg rev. All of a sudden, frequent crashes, often right when starting my game.
Testing with different SDL revisions, I can confirm that changeset 10575 is the culprit (though changeset 10578 was the first I could actually compile that showed the crashes).

Personally, I did not have much luck with getting valgrind to pick up anything (it just dumped core), but electric fence picked up the issue when running with EF_PROTECT_BELOW enabled. Here's the debug session, using SDL2 rev 10578:


kai@Britannia:~/adonthell/dev/SDL$ EF_PROTECT_BELOW=1 LD_PRELOAD=libefence.so.0.0 gdb adonthell-0.3 

  Electric Fence 2.2 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from adonthell-0.3...done.
(gdb) r wastesedge
Starting program: /usr/local/bin/adonthell-0.3 wastesedge
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

  Electric Fence 2.2 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
[New Thread 0x7fffe5589700 (LWP 31611)]
[New Thread 0x7fffeb44d700 (LWP 31613)]
Build format 8010->8010, channels 1->2, rate 22050->44100
Converting AUDIO_S16 to AUDIO_F32.
Converting mono to stereo.
Upsample (x2), 2 channels.

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:126
126	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:126
#1  0x00007ffff78f5372 in SDL_memcpy_REAL (dst=0x7fffed118ff8, 
    src=0x7fffed119000, len=8)
    at /home/kai/adonthell/dev/SDL/src/stdlib/SDL_string.c:320
#2  0x00007ffff788e026 in SDL_Upsample_x2 (cvt=0x7fffffffd570, channels=2)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiotypecvt.c:328
#3  0x00007ffff788b946 in SDL_Upsample_x2_c2 (cvt=0x7fffffffd570, format=33056)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiocvt.c:395
#4  0x00007ffff788aa9a in SDL_ConvertStereo (cvt=0x7fffffffd570, format=33056)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiocvt.c:120
#5  0x00007ffff788d199 in SDL_Convert_S16_to_F32 (cvt=0x7fffffffd570, 
    format=32784)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiotypecvt.c:84
#6  0x00007ffff788aed2 in SDL_ConvertAudio_REAL (cvt=0x7fffffffd570)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiocvt.c:207
#7  0x00007ffff7897390 in SDL_ConvertAudio (a=0x7fffffffd570)
    at /home/kai/adonthell/dev/SDL/src/dynapi/SDL_dynapi_procs.h:124
#8  0x00007ffff6987f44 in Mix_LoadWAV_RW ()
   from /usr/local/lib/libSDL2_mixer-2.0.so.0
#9  0x0000000000421413 in audio::load_wave (slot=slot@entry=0, 
    filename=0x7fffe11dc594 "audio/select.wav") at audio.cc:254
#10 0x0000000000461b62 in _wrap_audio_load_wave (args=<optimised out>)
---Type <return> to continue, or q <return> to quit---


The same issue can also be reproduced with the playwave tool that comes with SDL mixer, so it's definitely something in SDL itself that is broken:

kai@Britannia:~/adonthell/dev/SDL_mixer$ EF_PROTECT_BELOW=1 LD_PRELOAD=libefence.so.0.0 gdb ./build/.libs/playwave

  Electric Fence 2.2 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./build/.libs/playwave...done.
(gdb) r -r 44100 -c 2 ~/adonthell/wastesedge-0.3/audio/select.wav
Starting program: /home/kai/adonthell/dev/SDL_mixer/build/.libs/playwave -r 44100 -c 2 ~/adonthell/wastesedge-0.3/audio/select.wav
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

  Electric Fence 2.2 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
[New Thread 0x7ffff7ece700 (LWP 31799)]
[New Thread 0x7ffff7fee700 (LWP 31800)]
Opened audio at 44100 Hz 16 bit stereo
Build format 8010->8010, channels 1->2, rate 22050->44100
Converting AUDIO_S16 to AUDIO_F32.
Converting mono to stereo.
Upsample (x2), 2 channels.

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:126
126	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:126
#1  0x00007ffff76a8372 in SDL_memcpy_REAL (dst=0x7ffff00bfff8, 
    src=0x7ffff00c0000, len=8)
    at /home/kai/adonthell/dev/SDL/src/stdlib/SDL_string.c:320
#2  0x00007ffff7641026 in SDL_Upsample_x2 (cvt=0x7fffffffdc30, channels=2)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiotypecvt.c:328
#3  0x00007ffff763e946 in SDL_Upsample_x2_c2 (cvt=0x7fffffffdc30, format=33056)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiocvt.c:395
#4  0x00007ffff763da9a in SDL_ConvertStereo (cvt=0x7fffffffdc30, format=33056)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiocvt.c:120
#5  0x00007ffff7640199 in SDL_Convert_S16_to_F32 (cvt=0x7fffffffdc30, 
    format=32784)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiotypecvt.c:84
#6  0x00007ffff763ded2 in SDL_ConvertAudio_REAL (cvt=0x7fffffffdc30)
    at /home/kai/adonthell/dev/SDL/src/audio/SDL_audiocvt.c:207
#7  0x00007ffff764a390 in SDL_ConvertAudio (a=0x7fffffffdc30)
    at /home/kai/adonthell/dev/SDL/src/dynapi/SDL_dynapi_procs.h:124
#8  0x00007ffff798ff44 in Mix_LoadWAV_RW ()
   from /usr/local/lib/libSDL2_mixer-2.0.so.0
#9  0x0000000000400eac in main (argc=<optimised out>, argv=0x7fffffffde08)
    at playwave.c:451

Just in case the .wav file has something to do with it, it's available here:
http://git.savannah.gnu.org/cgit/adonthell/adonthell-wastesedge.git/plain/audio/select.wav

But I would assume any 22050Hz mono .wav played back at 44100 stereo should trigger the bug.

Kai
Comment 6 Vitaly Novichkov 2016-11-12 21:17:36 UTC
Created attachment 2616 [details]
Fix of the bug

This patch must be applied to the src/audio/SDL_audiotypecvt.c file.
Comment 7 Kai Sterker 2016-11-12 21:28:00 UTC
That fixes the problem :-)
Comment 8 Sam Lantinga 2016-11-13 08:09:23 UTC
Good catch, thanks!
https://hg.libsdl.org/SDL/rev/8661c956c368