-
Notifications
You must be signed in to change notification settings - Fork 447
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash when closing the FreeDV Demodulator window #2315
Comments
Same issue with the FreeDV Demodulator. |
Tried compiling with address sanitizer - running FreeDV on Linux exits with: ==3217==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000ab0c00 at pc 0x79351341715f bp 0x7934e69fef80 sp 0x7934e69fef70 0x616000ab0c00 is located 0 bytes to the right of 640-byte region [0x616000ab0980,0x616000ab0c00) Thread T53 (QThread) created by T49 (QThread) here: Thread T49 (QThread) created by T0 here: SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/build/sdrangel/plugins/channelrx/demodfreedv/freedvdemodsink.cpp:298 in FreeDVDemodSink::pushSampleToDV(short) Seems to relate to the following line of code:
Index i extends beyond size of m_speechOut. Size of m_speechOut is calculated from:
I think this should probably be:
|
That doesn't appear to be causing the crash though. I do see in the console:
Probably just need to call stop() |
Calling stop in FreeDVDemod::~FreeDVDemod fixes QThread: Destroyed while thread is still running Next problem is FreeDVDemod::stop is called after FreeDVDemod::~FreeDVDemod (i.e. after it's been deleted) from DSPDeviceSourceEngine::handleMessage (presumably handling a DSPRemoveBasebandSampleSink) |
I think the problem relates to the changes for #2159 and only happens when closing a demod window while device is running. It can probably happen to more than just the FreeDV demod, as it's a generic race condition. In the destructor for demods, we have:
This calls DSPDeviceSourceEngine::removeSink(), which sends a DSPRemoveBasebandSampleSink message to itself, which has:
Resulting in the demods::stop() method being called. Before the changes for #2159, DSPDeviceSourceEngine::removeSink() blocked while the message was handled, before returning to the demod's destructor. Now that isn't the case, it's possible that the call to sink->stop() occurs after the destructor has finished. (So we have a call to a method of a deleted object). We don't want to add blocking back in, so I think we probably want to prevent the DSPRemoveBasebandSampleSink handler from calling sink->stop(), when it has been called from a destructor. Is it even necessary to have that call to stop at all? Most of the destructors seem to call stop themselves. The other case where removeSink() is called is when removing device sets, and in that case stopAcquisition() should have been called first. Any thoughts @f4exb? |
Yes I suppose this is superfluous and may come from an old design. |
Was having a look for other paths that may call it, and there is another, from DeviceAPI::renumerateChannels(). However, it does actually appear to be problematic for that anyway. If we try to move a Channel between two Device Sets that are both running, then stopping the channel appears to cause SDRangel to get in to a bad state that can't be recovered from. Not stopping a channel that moves to a Device Set that isn't running doesn't seem to be a problem. But doesn't seem correct... |
If this is too problematic we have to remove the feature of moving channels between device sets. |
…ification in audio mods for f4exb#2336.
Should be fixed in 7.22.5 |
Closing the ADS-B Demodulator window causes SDRangel (version 7.22.2 on Linux x86_64) to crash.
SDRangel compiled with Qt6:
SDRangel compiled with Qt5:
The text was updated successfully, but these errors were encountered: