Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#2735 closed patch (fixed)

glibc "free(): invalid pointer" during tuning in mythtv-setup (mythtv-setup crashes)

Reported by: linux@…
Owned by: Janne Grunau
Priority: minor
Milestone: 0.21
Component: mythtv
Version: head
Severity: medium
Keywords:
Cc:
Ticket locked: no

Description

While tuning for channels in mythtv-setup the following error appears somewhere in the process. The tuning procedure is never finished and mythtv-setup crashes.

It crashes on an Intel Core 2 Duo system, FC5, 2.6.18 kernel (CPU: E6600, 2.4 GHz, i965, Asus P5B motherboard) when both cores are enabled. I have not seen it (yet) when only 1 core is used (limited at the kernel command line with maxcpus=1, so the same installation of mythtv, OS etc.). So, I expect timing is relevant.

Receiver card is a DVB-S Skystar 1 CI card.

I have seen the problem in versions 0.20 and Revision 11821. It is reproducible here, so I can do all the tests and a lot of debug work.

Remy Böhmer

=========================================================================================
* glibc detected * mythtv-setup: free(): invalid pointer: 0xb74a32c0 *
======= Backtrace: =========
/lib/libc.so.6[0x3b59a68]
/lib/libc.so.6(libc_free+0x78)[0x3b5cf6f]
/usr/lib/qt-3.3/lib/libqt-mt.so.3(_ZN7QGArrayD2Ev+0x46)[0x6e285f6]
/usr/lib/qt-3.3/lib/libqt-mt.so.3(_ZN7QBufferD0Ev+0x3f)[0x6e11a7f]
/usr/lib/qt-3.3/lib/libqt-mt.so.3(_ZN11QDataStreamD1Ev+0x35)[0x6e1b615]
/usr/lib/qt-3.3/lib/libqt-mt.so.3(_ZNK11QTranslator11findMessageEPKcS1_S1_+0x413)[0x6b1e423]
/usr/lib/qt-3.3/lib/libqt-mt.so.3(_ZNK12QApplication9translateEPKcS1_S1_NS_8EncodingE+0x97)[0x6acc257]
/usr/lib/qt-3.3/lib/libqt-mt.so.3(_ZN7QObject2trEPKcS1_+0x52)[0x6eb8282]
/usr/local/lib/libmythtv-0.20.so.0(_ZN6SIScan11HasTimedOutEv+0x12f)[0x9c5369]
[0xb0e01460]
[0xb0e00570]
[0x1d]

Attachments (1)

siscan.diff (1.8 KB) - added by celston@… 13 years ago.
patch to libs/libmythtv/siscan.cpp


Change History (11)

comment:1 Changed 13 years ago by tino.keitel+mythtv@…

I had the same problem with an older SVN version. See my posting at http://mythtv.org/pipermail/mythtv-dev/2006-September/050517.html for a workaround that doesn't need system reconfiguration.

You could also try "echo 0 > /sys/devices/system/cpu/cpu1/online" to disable the second core system-wide.

comment:2 Changed 13 years ago by danielk

Owner: changed from Isaac Richards to danielk

comment:3 Changed 13 years ago by danielk

Resolution: invalid
Status: changed from new to closed

Please reproduce this with the debug version of mythtv-setup from SVN head.

See the backtrace link in TicketHowTo on how to get a good backtrace.

comment:4 Changed 13 years ago by tino.keitel+mythtv@…

When I tried to get a backtrace, gdb itself crashed, so it was impossible to get a backtrace. This was also described in the ML link above: http://mythtv.org/pipermail/mythtv-dev/2006-September/050517.html

comment:5 Changed 13 years ago by celston@…

Resolution: invalid
Status: changed from closed to reopened
Version: changed from 0.20 to head

I have also encountered this bug on a Core 2 Duo system, Fedora Core 6, latest svn myth. So I built myself a debug copy of qt 3.3.7 and reproduced the crash with gdb attached. Backtrace is:

(gdb) bt
#0  0x00000035aee301b5 in raise () from /lib64/libc.so.6
#1  0x00000035aee31b20 in abort () from /lib64/libc.so.6
#2  0x00000035aee6766b in __libc_message () from /lib64/libc.so.6
#3  0x00000035aee72276 in free () from /lib64/libc.so.6
#4  0x00002aaaadc47ad8 in ~QGArray (this=0x2aaab4001978) at tools/qgarray.cpp:174
#5  0x00002aaaaaece9db in ~QMemArray (this=0x2aaab4001978) at /usr/lib64/qt-3.3/include/qmemarray.h:61
#6  0x00002aaaadc30da6 in ~QBuffer (this=0x2aaab4001960) at tools/qbuffer.cpp:131
#7  0x00002aaaadc3b4bd in ~QDataStream (this=0x40a84810) at tools/qdatastream.cpp:324
#8  0x00002aaaad8a4fdd in QTranslator::findMessage (this=0x901a80, context=0x2aaaaddf3943 "QObject", sourceText=0x2aaaab3f3f18 "Timeout Scanning %1 -- no tables", comment=0x2aaaadd47100 "") at kernel/qtranslator.cpp:1021
#9  0x00002aaaad84cfc8 in QApplication::translate (this=0x7fff143e1310, context=0x2aaaaddf3943 "QObject", sourceText=0x2aaaab3f3f18 "Timeout Scanning %1 -- no tables", comment=0x0, encoding=QApplication::DefaultCodec) at kernel/qapplication.cpp:3056
#10 0x00002aaaadceb216 in QObject::tr (s=0x2aaaab3f3f18 "Timeout Scanning %1 -- no tables", c=0x0) at .moc/debug-shared-mt/moc_qobject.cpp:35
#11 0x00002aaaab202569 in SIScan::HasTimedOut (this=0x1634640) at siscan.cpp:611
#12 0x00002aaaab2060a3 in SIScan::HandleActiveScan (this=0x1634640) at siscan.cpp:646
#13 0x00002aaaab206538 in SIScan::RunScanner (this=0x1634640) at siscan.cpp:593
#14 0x00002aaaab20658d in SIScan::SpawnScanner (param=0x1634640) at siscan.cpp:568
#15 0x00000035b1e06305 in start_thread () from /lib64/libpthread.so.0
#16 0x00000035aeecd50d in clone () from /lib64/libc.so.6
#17 0x0000000000000000 in ?? ()
(gdb) 

Having stepped up and down through the stack in GDB trying to work out what's going on here, I'm pretty convinced that this is down to the QShared struct/class in QT not being reentrant. Please check out src/tools/qshared.h from the QT 3.3.7 distribution; I think there's a race on the reference count in the QShared structure, which is causing a repeated attempt to delete the shared data in QGArray::~QGArray. Note that in QT4, qshared.h has been replaced with qshareddata.cpp, in which the "count" member of QShared (which used to be an int in QT3) has been replaced with the member "ref" of type QAtomic - suggesting that race conditions on shared data were a problem, but have been fixed in QT4.

There's not a lot we can do about this from Myth, except looking at how we are using the translation functions and seeing if we can avoid reentrancy. Any hints in that direction?
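The reference-count race described in the comment above, as an added example that is not part of the ticket or of Qt's source: a deterministic, single-threaded replay of one interleaving that two cores can produce on a non-atomic `++count`/`--count`, next to the same schedule with a compare-and-swap update. `Shared`, `Holder` and `replay` are hypothetical names, and the model does not reproduce Qt's QShared or QAtomic code.

```cpp
#include <atomic>
#include <cstdio>

// Hypothetical model of a shared-data header; not Qt's actual code.
struct Shared {
    std::atomic<int> count{1};  // the creator holds the first reference
    int releases = 0;           // how many times the payload was "freed"
};

// One holder's in-flight counter update, split into its load and its store
// so a schedule that two cores can produce is replayed deterministically.
struct Holder {
    int seen = 0;
    void load(Shared &s) { seen = s.count.load(); }
    // checked=false: plain int semantics, a blind store of seen+delta.
    // checked=true: atomic semantics, store only if count still equals
    // seen, otherwise pick up the current value and retry.
    void store(Shared &s, int delta, bool checked) {
        if (!checked)
            s.count.store(seen + delta);
        else
            while (!s.count.compare_exchange_strong(seen, seen + delta)) {}
        // A holder that takes the count to zero frees the payload.
        if (delta < 0 && seen + delta == 0) ++s.releases;
    }
};

// Returns how many holders released the payload under this schedule.
int replay(bool checked) {
    Shared s;
    Holder a, b, c;                      // c is the creator
    a.load(s); b.load(s);                // A and B copy at once: both read 1
    a.store(s, +1, checked);
    b.store(s, +1, checked);             // plain: 2 (lost update), checked: 3
    c.load(s); c.store(s, -1, checked);  // creator drops its reference
    a.load(s); b.load(s);                // A and B destroy their copies at once
    a.store(s, -1, checked);
    b.store(s, -1, checked);             // plain: second store of 0
    return s.releases;
}

int main() {
    std::printf("plain int: %d releases\n", replay(false));    // 2: double free
    std::printf("checked update: %d release\n", replay(true)); // 1
    return 0;
}
```

With the plain counter the payload is released twice, which is the kind of repeated delete glibc reports as `free(): invalid pointer`; with the checked update the stale read is detected and only the last holder releases.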

Changed 13 years ago by celston@…

Attachment: siscan.diff added

patch to libs/libmythtv/siscan.cpp

comment:6 Changed 13 years ago by anonymous

The attached patch 'fixes' the problem on my system, i.e.: I am now able to run a scan to completion without limiting the system to single processor mode. All I've done is to move the translation calls (which cause a race condition in QT) inside the blocks of code in which the QStrings are actually used. I did some quick debug code which showed that previously, QString::tr was being called ~300,000 times for a scan on my system, with this patch it's only called 8 times. So whilst this patch won't fix the race in QT, it does make us very much more unlikely to encounter it. It should give a quicker runtime to all users too, at the expense of adding some repeated code.

comment:7 Changed 13 years ago by danielk

Milestone: changed from unknown to 0.21
Type: changed from defect to patch

comment:8 Changed 13 years ago by Janne Grunau

Owner: changed from danielk to Janne Grunau
Status: changed from reopened to new

comment:9 Changed 13 years ago by Janne Grunau

Resolution: fixed
Status: changed from new to closed

(In [13222]) Close #2735. Fix channel scanning crashes by avoiding calling QString::tr()

Applying patch from celston katalix com

comment:10 Changed 13 years ago by Janne Grunau

(In [13223]) Refs #2735. Backports [13222] to 0.20-fixes
