GNOME Bugzilla – Bug 570996
bpmdetect reliably crashes with SIGSEGV on particular file
Last modified: 2009-03-21 12:26:16 UTC
Steps to reproduce: Start banshee, go to 'edit track info->extra' for Skeletons by Art of Fighting. Hit the 'detect' button for BPM. Banshee will now crash.

Stack trace:

[Info 08:29:27.077] Running Banshee 1.4.2: [svn-checkout (linux-gnu, x86_64) @ 2009-02-09 08:12:16 EST]
[Debug 08:29:51.235] GStreamer running beat detection on /home/chris/Music/Art of Fighting/Wires/01. Skeletons.wv
Native stacktrace:
/usr/bin/mono [0x429e65]
/usr/bin/mono [0x53d3ad]
/lib/libpthread.so.0 [0x2b841ec86080]
=================================================================
Got a SIGSEGV while executing native code. This usually indicates a fatal error in the mono runtime or one of the native libraries used by your application.
=================================================================
/bin/bash: line 2: 18764 Aborted (core dumped) /usr/bin/mono --debug Nereid.exe --debug --uninstalled

Other information: I'll attach the song that kills Banshee.
Song that kills Banshee can be found here: https://dl.getdropbox.com/u/212189/01.%20Skeletons.wv
This is a bug in GStreamer:

$ gst-launch -m filesrc location=~/Desktop/01.\ Skeletons.wv ! decodebin ! audioconvert ! bpmdetect ! fakesink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Got Message from element "apedemux0" (tag): taglist, album=(string)Wires, artist=(string)"Art\ of\ Fighting", title=(string)Skeletons, track-number=(guint)1;
Got Message from element "wavpackdec0" (tag): taglist, audio-codec=(string)Wavpack, bitrate=(guint)757802;
Caught SIGSEGV accessing address (nil)
These run fine:

$ gst-launch playbin uri=file:///home/gabe/Desktop/01.\ Skeletons.wv
$ gst-launch -m filesrc location=~/Desktop/01.\ Skeletons.wv ! decodebin ! audioconvert ! fakesink

So it seems to be an issue with the bpmdetect element.
Installing debug packages now, I'll try to get a more informative trace
Hrm, no luck, must be missing something. Anyway, pretty sure you can reproduce it easily w/ the file Christopher linked to.
Yeah, easy to reproduce... and the stack is completely broken :) I'll take a look at this tomorrow
It crashes at line 215: bpm_detect->priv->detect->inputSamples (data, nsamples); directly after this line the stack is completely zeroed out and NULL is called...
This is a buffer overflow in soundtouch's BPM detection library: in ::inputSamples() it calls decimate() with a destination array of a fixed size but unfortunately it writes numSamples into this destination array. This breaks the stack and everything for large input buffers ;) I've contacted the author and will work around it in the GStreamer element later...
commit 9a1d1cb91fa557f766485c430e9f4732a78f7365
Author: Sebastian Dröge <sebastian.droege@collabora.co.uk>
Date:   Tue Feb 10 10:17:43 2009 +0100

    bpmdetect: Pass at most 2048 samples to SoundTouch's BPMDetect

    Internally BPMDetect assumes that at most 2048 samples are passed to it at once and stores those in a stack allocated static sized array. If we pass too many samples this will result in a buffer overflow resulting in heavy stack corruption and a crash.

    Fixes bug #570996.
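The overflow described in the two comments above and the element-side fix from the commit, modelled as an added example (this is not SoundTouch's or the GStreamer bpmdetect element's code): a fixed-size stack array sized for 2048 input samples, a decimate() that refuses to write past it instead of silently overflowing, and the caller before and after chunking. Only the 2048-sample limit comes from the commit; the decimation factor of 8 and all function names are assumptions.

```c
/* Added example modelling bug 570996: a stack buffer sized for a fixed
 * number of input samples, and a caller that must respect that limit.
 * Not SoundTouch or GStreamer code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_INPUT_SAMPLES 2048   /* limit stated in the fixing commit */
#define DECIMATE_BY 8            /* assumed decimation factor */
#define DECIMATED_BLOCK (MAX_INPUT_SAMPLES / DECIMATE_BY)

/* Decimated samples produced by a call with n input samples. */
static size_t decimated_count(size_t n) { return (n + DECIMATE_BY - 1) / DECIMATE_BY; }

/* Average DECIMATE_BY input samples into one output sample. Returns the
 * number written, or -1 if the output would not fit in dst_cap; the
 * pre-fix library had no such check and wrote past the array anyway. */
static long decimate(float *dst, size_t dst_cap, const float *src, size_t n) {
    size_t out = decimated_count(n);
    if (out > dst_cap) return -1;
    for (size_t i = 0; i < out; i++) {
        float acc = 0.0f; size_t cnt = 0;
        for (size_t j = i * DECIMATE_BY; j < n && j < (i + 1) * DECIMATE_BY; j++) { acc += src[j]; cnt++; }
        dst[i] = acc / (float)cnt;
    }
    return (long)out;
}

/* Library side: one inputSamples() call with its fixed stack array. */
static long bpm_input_samples(const float *data, size_t n) {
    float decimated[DECIMATED_BLOCK];   /* fixed-size stack array, as in the report */
    return decimate(decimated, DECIMATED_BLOCK, data, n);
}

/* Element side, pre-fix: hand the whole decoded buffer over in one call.
 * Returns 1 when the library rejects it, i.e. the call would have overflowed. */
static int feed_whole_buffer(const float *data, size_t n) { return bpm_input_samples(data, n) < 0; }

/* Element side, post-fix: never pass more than MAX_INPUT_SAMPLES per call.
 * Returns the number of calls made, or -1 if any call failed. */
static long feed_in_chunks(const float *data, size_t n) {
    long calls = 0;
    while (n > 0) {
        size_t chunk = n < MAX_INPUT_SAMPLES ? n : MAX_INPUT_SAMPLES;
        if (bpm_input_samples(data, chunk) < 0) return -1;
        data += chunk; n -= chunk; calls++;
    }
    return calls;
}

/* Build a constructed n-sample buffer and feed it whole (chunked == 0) or chunked. */
static long run_with_constructed_buffer(size_t n, int chunked) {
    float *buf = malloc(n * sizeof *buf);
    if (!buf) return -2;
    for (size_t i = 0; i < n; i++) buf[i] = (float)(i % 100) / 100.0f;
    long r = chunked ? feed_in_chunks(buf, n) : feed_whole_buffer(buf, n);
    free(buf);
    return r;
}

int main(void) {
    printf("whole 50000-sample buffer would overflow: %ld\n", run_with_constructed_buffer(50000, 0));
    printf("chunked calls for 50000 samples: %ld\n", run_with_constructed_buffer(50000, 1));
    return 0;
}
```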
*** Bug 572891 has been marked as a duplicate of this bug. ***