pink-pony: Segfault on startup

[smcv]

Prerequisites:

• Debian testing (Debian 12 alpha)
• Video: GNOME 43 in Wayland mode (with Mesa 22.2.0 on AMD Vega, if it matters)
• Audio: Pipewire 0.3.59, with pipewire-pulse emulating PulseAudio
• apt install phlipple (Debian package version 0.8.5-5.1+b1)
• Some relevant libraries:
  • libsdl1.2-compat either 1.2.58-1 (packaged in Debian experimental) or commit 63e4393 (locally built)
  • libsdl2-2.0-0 version 2.24.1+dfsg-1
  • libsdl-image1.2 version 1.2.12-13+b1
  • libsdl-mixer1.2 version 1.2.12-17+b2
  • libsdl1.2debian (real SDL 1.2) version 1.2.15+dfsg2-8

To reproduce:

• pink-pony
• LD_LIBRARY_PATH=.../sdl12-compat/_build pink-pony
• SDL_VIDEODRIVER=wayland LD_LIBRARY_PATH=.../sdl12-compat/_build pink-pony

Expected result: it runs

Actual result: Real SDL 1.2 works. With sdl12-compat it segfaults during startup:

(gdb) thread apply all bt

Thread 3 (Thread 0x7fa562bff640 (LWP 20903)):
#0  0x00007fa56d2fe426 in __ppoll (fds=0x557f41263d70, nfds=2, timeout=<optimized out>, sigmask=sigmask@entry=0x0) at ../sysdeps/unix/sysv/linux/ppoll.c:42
#1  0x00007fa56c4b1029 in ppoll (__ss=0x0, __timeout=<optimized out>, __nfds=<optimized out>, __fds=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/poll2.h:64
#2  pa_mainloop_poll (m=m@entry=0x557f41291270) at ../src/pulse/mainloop.c:871
#3  0x00007fa56c4b1606 in pa_mainloop_iterate (m=0x557f41291270, block=<optimized out>, retval=0x0) at ../src/pulse/mainloop.c:945
#4  0x00007fa56c711422 in PULSEAUDIO_PlayDevice (this=0x557f41290cf0) at ./src/audio/pulseaudio/SDL_pulseaudio.c:399
#5  0x00007fa56c643f5d in SDL_RunAudio (devicep=devicep@entry=0x557f41290cf0) at ./src/audio/SDL_audio.c:781
#6  0x00007fa56c6ade65 in SDL_RunThread (thread=0x557f41290da0) at ./src/thread/SDL_thread.c:303
#7  0x00007fa56c745c49 in RunThread (data=<optimized out>) at ./src/thread/pthread/SDL_systhread.c:77
#8  0x00007fa56d28784a in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#9  0x00007fa56d30b2cc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Thread 2 (Thread 0x7fa56afff640 (LWP 20902)):
#0  0x00007fa56d2fe426 in __ppoll (fds=0x557f412638b0, nfds=2, timeout=<optimized out>, sigmask=sigmask@entry=0x0) at ../sysdeps/unix/sysv/linux/ppoll.c:42
#1  0x00007fa56c4b1029 in ppoll (__ss=0x0, __timeout=<optimized out>, __nfds=<optimized out>, __fds=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/poll2.h:64
#2  pa_mainloop_poll (m=m@entry=0x557f41261910) at ../src/pulse/mainloop.c:871
#3  0x00007fa56c4b1606 in pa_mainloop_iterate (m=m@entry=0x557f41261910, block=block@entry=1, retval=retval@entry=0x0) at ../src/pulse/mainloop.c:945
#4  0x00007fa56c4b16b0 in pa_mainloop_run (m=0x557f41261910, retval=0x0) at ../src/pulse/mainloop.c:963
#5  0x00007fa56c7117ef in HotplugThread (data=data@entry=0x0) at ./src/audio/pulseaudio/SDL_pulseaudio.c:841
#6  0x00007fa56c6ade65 in SDL_RunThread (thread=0x557f41291070) at ./src/thread/SDL_thread.c:303
#7  0x00007fa56c745c49 in RunThread (data=<optimized out>) at ./src/thread/pthread/SDL_systhread.c:77
#8  0x00007fa56d28784a in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#9  0x00007fa56d30b2cc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Thread 1 (Thread 0x7fa56b2f7880 (LWP 20901)):
#0  _dlfo_mappings_segment_count_allocated (seg=0xbdb2b000bd979000) at ./elf/dl-find_object.c:151
#1  _dl_find_object_update_1 (count=<optimized out>, loaded=0x557f4124c370) at ./elf/dl-find_object.c:667
#2  _dl_find_object_update (new_map=new_map@entry=0x557f41315230) at ./elf/dl-find_object.c:805
#3  0x00007fa56e3e85c8 in dl_open_worker_begin (a=a@entry=0x7ffefcebafb0) at ./elf/dl-open.c:735
#4  0x00007fa56d350e70 in __GI__dl_catch_exception (exception=exception@entry=0x7ffefcebae10, operate=operate@entry=0x7fa56e3e8200 <dl_open_worker_begin>, args=args@entry=0x7ffefcebafb0) at ./elf/dl-error-skeleton.c:208
#5  0x00007fa56e3e7a66 in dl_open_worker (a=a@entry=0x7ffefcebafb0) at ./elf/dl-open.c:782
#6  0x00007fa56d350e70 in __GI__dl_catch_exception (exception=exception@entry=0x7ffefcebaf90, operate=operate@entry=0x7fa56e3e7a30 <dl_open_worker>, args=args@entry=0x7ffefcebafb0) at ./elf/dl-error-skeleton.c:208
#7  0x00007fa56e3e7e48 in _dl_open (file=<optimized out>, mode=<optimized out>, caller_dlopen=0x7fa56af83e8e <loader_open_driver_lib+190>, nsid=-2, argc=2, argv=0x7ffefcebddd8, env=0x7ffefcebddf0) at ./elf/dl-open.c:886
#8  0x00007fa56d2839e8 in dlopen_doit (a=a@entry=0x7ffefcebb220) at ./dlfcn/dlopen.c:56
#9  0x00007fa56d350e70 in __GI__dl_catch_exception (exception=exception@entry=0x7ffefcebb180, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
#10 0x00007fa56d350f2f in __GI__dl_catch_error (objname=0x7ffefcebb1d8, errstring=0x7ffefcebb1e0, mallocedp=0x7ffefcebb1d7, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227
#11 0x00007fa56d2834c6 in _dlerror_run (operate=operate@entry=0x7fa56d283990 <dlopen_doit>, args=args@entry=0x7ffefcebb220) at ./dlfcn/dlerror.c:138
#12 0x00007fa56d283aa1 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71
#13 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81
#14 0x00007fa56af83e8e in loader_open_driver_lib (driver_name=driver_name@entry=0x557f4131d300 "radeonsi", lib_suffix=lib_suffix@entry=0x7fa56af90a40 "_dri", search_path_vars=search_path_vars@entry=0x7fa56afa4790 <search_path_vars>, default_search_path=default_search_path@entry=0x7fa56af909a0 "/usr/lib/x86_64-linux-gnu/dri:\\$${ORIGIN}/dri:/usr/lib/dri", warn_on_fail=warn_on_fail@entry=true) at ../src/loader/loader.c:636
#15 0x00007fa56af84029 in loader_open_driver (driver_name=driver_name@entry=0x557f4131d300 "radeonsi", out_driver_handle=out_driver_handle@entry=0x557f412e29a8, search_path_vars=search_path_vars@entry=0x7fa56afa4790 <search_path_vars>) at ../src/loader/loader.c:679
#16 0x00007fa56af62e40 in driOpenDriver (driverName=driverName@entry=0x557f4131d300 "radeonsi", out_driver_handle=out_driver_handle@entry=0x557f412e29a8) at ../src/glx/dri_common.c:86
#17 0x00007fa56af792ea in dri3_create_screen (screen=0, priv=0x557f412e0460) at ../src/glx/dri3_glx.c:889
#18 0x00007fa56af6ada9 in AllocAndFetchScreenConfigs (priv=0x557f412e0460, dpy=0x557f412373c0) at ../src/glx/glxext.c:839
#19 __glXInitialize (dpy=dpy@entry=0x557f412373c0) at ../src/glx/glxext.c:973
#20 0x00007fa56af67657 in GetGLXPrivScreenConfig (ppsc=<synthetic pointer>, ppriv=<synthetic pointer>, scrn=0, dpy=0x557f412373c0) at ../src/glx/glxcmds.c:173
#21 glXQueryExtensionsString (dpy=0x557f412373c0, screen=0) at ../src/glx/glxcmds.c:1323
#22 0x00007fa56e25faa7 in extensionSupportedGLX (extension=0x7fa56e283526 "GLX_EXT_swap_control") at ./src/glx_context.c:211
#23 _glfwInitGLX () at ./src/glx_context.c:362
#24 0x00007fa56e25c4e5 in _glfwPlatformCreateWindow (window=window@entry=0x557f412bc030, wndconfig=wndconfig@entry=0x7ffefcebc540, ctxconfig=ctxconfig@entry=0x7ffefcebc4b0, fbconfig=fbconfig@entry=0x7ffefcebc4f0) at ./src/x11_window.c:1971
#25 0x00007fa56e2541ac in glfwCreateWindow (width=800, height=600, title=<optimized out>, monitor=0x0, share=<optimized out>) at ./src/window.c:218
#26 0x0000557f3fb18419 in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at src/main.cc:57

[icculus]

This one is using glfw to create a window (and is failing because it's trying to use glX...?) ... maybe it only uses SDL for audio?

[smcv]

I think I was getting a segfault whether I used SDL_VIDEODRIVER=wayland or not, although possibly not exactly the same backtrace.

[smcv]

maybe it only uses SDL for audio?

Looks that way. I wonder why real SDL 1.2 vs. sdl12-compat even matters here?

[icculus]

Looks like SDL is corrupting memory right near what glfw is using:

==489511== Invalid write of size 8
==489511==    at 0x5D7F18A: _mm_store_ps (xmmintrin.h:976)
==489511==    by 0x5D7F18A: SDL_Convert_S16_to_F32_SSE2 (SDL_audiotypecvt.c:444)
==489511==    by 0x5D7B21F: SDL_ConvertAudio_REAL (SDL_audiocvt.c:275)
==489511==    by 0x5D91A35: SDL_ConvertAudio (SDL_dynapi_procs.h:123)
==489511==    by 0x4E73CB7: SDL_ConvertAudio (SDL12_compat.c:9355)
==489511==    by 0x4E10884: mad_getSamples (in /usr/lib/x86_64-linux-gnu/libSDL_mixer-1.2.so.0.12.0)
==489511==    by 0x4E09C2D: music_mixer (in /usr/lib/x86_64-linux-gnu/libSDL_mixer-1.2.so.0.12.0)
==489511==    by 0x4E03097: ??? (in /usr/lib/x86_64-linux-gnu/libSDL_mixer-1.2.so.0.12.0)
==489511==    by 0x4E72D97: AudioCallbackWrapper (SDL12_compat.c:9005)
==489511==    by 0x5D71001: SDL_RunAudio (SDL_audio.c:755)
==489511==    by 0x5E224B7: SDL_RunThread (SDL_thread.c:305)
==489511==    by 0x5FFDDBB: RunThread (SDL_systhread.c:77)
==489511==    by 0x5270B42: start_thread (pthread_create.c:442)
==489511==  Address 0x70281f0 is 16 bytes before a block of size 2,968 alloc'd
==489511==    at 0x484DA83: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==489511==    by 0x4D64506: glfwCreateWindow (in /usr/lib/x86_64-linux-gnu/libglfw.so.3.3)
==489511==    by 0x115D97: main (in /usr/lib/pink-pony/pink-pony.bin)

(and several more of those.)

I'll need to look at this more closely, but that's the likely culprit.

[slouken]

We have an audio conversion corruption on the list to look at for 2.26, right @icculus? I think we should probably look at this soon and get it out for 2.24.2 if we can.

[icculus]

Agreed.

[smcv]

Confirmed fixed in 1.2.64.