SegFault in stl_tree library when wiggle around play panel's position slider a lot while play engaged

• Feb 24, 2017 - 07:27

On 3.0-dev ea2cb6428, I was wiggling around the play panel slider a lot while play was engaged on My_First_Score, and I managed to segfault with the following stack trace:

1 _ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiN2Ms10NPlayEventEEEE9constructIS6_IRKS6_EEEvPT_DpOT0_ new_allocator.h 120 0xdaa072
2 std::allocator_traits>>>::_S_construct const&>>(std::allocator>>&, std::allocator_traits>>>::__construct_helper *, (std::pair const&>&&)...) alloc_traits.h 253 0xe16947
3 std::allocator_traits>>>::construct const&>>(std::allocator>>&, std::pair const&> *, (std::pair const&>&&)...) alloc_traits.h 399 0xe16a1f
4 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_create_node const&> stl_tree.h 421 0xe65a22
5 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_clone_node stl_tree.h 445 0xe6588c
6 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1207 0xe65e8e
7 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe65ec8
8 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe65ec8
9 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe65ec8
10 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1223 0xe65f3c
11 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe65ec8
12 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe65ec8
13 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe65ec8
14 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_Rb_tree stl_tree.h 676 0xe66104
15 std::multimap::multimap stl_multimap.h 181 0xe7e209
16 Ms::EventMap::EventMap event.h 314 0xcf5839
17 Ms::Seq::updateSynthesizerState seq.cpp 1522 0x4db6f3
18 Ms::Seq::setPos seq.cpp 1043 0x4d9b63
19 Ms::Seq::processMessages seq.cpp 568 0x4d7b56
20 Ms::Seq::process seq.cpp 730 0x4d84c2

It should be noted that that stl_tree stuff is all standard library code, so I'm wondering if it is possible that there is a bug in the implementation (I'm on Windows 10).

Anyway, the bottom part of the musescore end is in Seq::updateSynthesizerState() when

      // Making a local copy of events to avoid touching it
      // from different threads at the same time
      EventMap ev = events;

And that EventMap is a std::multimap:

class EventMap : public std::multimap<int, NPlayEvent> {};

I can't seem to reproduce it... might have been a rare event. I'm just filing here now in case I run into it again.


Comments

Happened again while wiggling around the slider... this time I didn't have play running:

1 _ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiN2Ms10NPlayEventEEEE9constructIS6_IRKS6_EEEvPT_DpOT0_ new_allocator.h 120 0xdaa362
2 std::allocator_traits>>>::_S_construct const&>>(std::allocator>>&, std::allocator_traits>>>::__construct_helper *, (std::pair const&>&&)...) alloc_traits.h 253 0xe16c37
3 std::allocator_traits>>>::construct const&>>(std::allocator>>&, std::pair const&> *, (std::pair const&>&&)...) alloc_traits.h 399 0xe16d0f
4 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_create_node const&> stl_tree.h 421 0xe65d12
5 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_clone_node stl_tree.h 445 0xe65b7c
6 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1207 0xe6617e
7 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe661b8
8 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe661b8
9 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe661b8
10 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe661b8
11 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_M_copy stl_tree.h 1213 0xe661b8
12 std::_Rb_tree, std::_Select1st>, std::less, std::allocator>>::_Rb_tree stl_tree.h 676 0xe663f4
13 std::multimap::multimap stl_multimap.h 181 0xe7e4f9
14 Ms::EventMap::EventMap event.h 314 0xcf5b29
15 Ms::Seq::updateSynthesizerState seq.cpp 1522 0x4db993
16 Ms::Seq::setPos seq.cpp 1043 0x4d9e03
17 Ms::Seq::processMessages seq.cpp 568 0x4d7df6
18 Ms::Seq::process seq.cpp 730 0x4d8762
19 Ms::paCallback pa.cpp 50 0x666fb3
20 NonAdaptingProcess 0x65344e3d
...

Ciao.
I reproduced the segfault in a build with AddressSanitizer on.
I simply played around with the play panel slider.
Attached the logs of thread sanitizer and address sanitizer. Indeed, the address sanitizer log shows that thread T4 is accessing something previously allocated and deleted by thread T0.

The "runtime errors" are the output of undefined behavior sanitizer. They are at the moment not causing (visible) problems and are not related to this bug.

I hope this helps, since I don't really know how to interpret the output from thread sanitizer.
Ciao,
ABL

Attachments: threadlog.txt (159.88 KB), addresslog.txt (18 KB)
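The stack traces above bottom out in the `EventMap ev = events;` copy in Seq::updateSynthesizerState(), and ABL's AddressSanitizer log points the same way: the audio thread (T4) is reading nodes that the GUI thread (T0) has already freed. Copying a std::multimap is not a way to avoid touching it from two threads, because the copy itself walks every node (the `_M_copy` frames) while the other thread may be rebuilding the tree. The program below is an added example, not MuseScore's own code, that puts the racy pattern from the report next to a hardened one in which readers take a `shared_ptr` to an immutable map and the writer publishes a freshly built replacement by swapping the pointer. The `NPlayEvent` stand-in, the `RacySeq`/`SafeSeq` classes and the generation-based consistency check are all assumptions made for the demonstration.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>

namespace Ms {
// Stand-in for the real Ms::NPlayEvent (assumption: only the fields needed here).
struct NPlayEvent {
    int pitch;
    int velo;
};
// Same shape as the EventMap in the report: tick -> event.
class EventMap : public std::multimap<int, NPlayEvent> {};
}

// The pattern from the report, kept for contrast. copyEvents() walks every
// node of `events` (the _M_copy frames in the trace); if replaceEvents() runs
// on another thread meanwhile, those nodes are freed under the walker and the
// copy reads freed memory. This struct is here to show the bug; do not call
// its two methods concurrently.
struct RacySeq {
    Ms::EventMap events;
    Ms::EventMap copyEvents() const { Ms::EventMap ev = events; return ev; }
    void replaceEvents(Ms::EventMap fresh) { events = std::move(fresh); }
};

// Hardened form: the map is immutable once published and shared through a
// shared_ptr. The writer builds the replacement off to the side and swaps the
// pointer under a mutex held only for that assignment. A reader holding the
// old map keeps it alive, so nothing it traverses can be freed underneath it.
class SafeSeq {
public:
    void replaceEvents(Ms::EventMap fresh) {
        auto next = std::make_shared<const Ms::EventMap>(std::move(fresh));
        std::lock_guard<std::mutex> lock(mutex_);
        events_ = std::move(next);   // old map dies when its last reader lets go
    }
    std::shared_ptr<const Ms::EventMap> snapshot() const {
        std::lock_guard<std::mutex> lock(mutex_);
        return events_;              // pointer copy only; no node traversal under the lock
    }
private:
    mutable std::mutex mutex_;
    std::shared_ptr<const Ms::EventMap> events_ = std::make_shared<const Ms::EventMap>();
};

// Build a map whose contents encode its generation: `gen` events, every one
// with pitch == gen. A torn or dangling snapshot would break that invariant.
Ms::EventMap makeGeneration(int gen) {
    Ms::EventMap m;
    for (int tick = 0; tick < gen; ++tick)
        m.emplace(tick * 480, Ms::NPlayEvent{gen, 80});
    return m;
}

bool snapshotIsConsistent(const Ms::EventMap& m) {
    const int gen = static_cast<int>(m.size());
    for (const auto& kv : m)
        if (kv.second.pitch != gen) return false;
    return true;
}

// Hammer SafeSeq from a writer thread (the slider being wiggled) and a reader
// thread (the audio callback). Returns true if every snapshot was consistent.
bool stressSafeSeq(int generations, int readsPerGeneration) {
    SafeSeq seq;
    bool ok = true;   // written only by the reader, read after join()
    std::thread writer([&] {
        for (int g = 1; g <= generations; ++g)
            seq.replaceEvents(makeGeneration(g));
    });
    std::thread reader([&] {
        for (int i = 0; i < generations * readsPerGeneration; ++i) {
            auto snap = seq.snapshot();
            if (!snapshotIsConsistent(*snap)) ok = false;
        }
    });
    writer.join();
    reader.join();
    return ok;
}

int main() {
    return stressSafeSeq(2000, 4) ? 0 : 1;
}
```

Build with `-pthread` and, to see the difference the sanitizers show, once with `-fsanitize=thread` and once with `-fsanitize=address`: the SafeSeq stress loop is clean under both, whereas driving RacySeq's copyEvents() and replaceEvents() from two threads in the same way is the heap-use-after-free shape ABL describes. The mutex in snapshot() is held only for a pointer copy, so the audio callback is never blocked for as long as a map copy or rebuild takes; a real-time audio path that cannot tolerate any lock at all would replace it with an atomic pointer swap, which keeps the same ownership rule.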
