Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

With integer subset of ubsan on, Haruna sometimes crashes in libmpv #14643

Open
6 tasks done
triallax opened this issue Aug 6, 2024 · 2 comments
Open
6 tasks done

With integer subset of ubsan on, Haruna sometimes crashes in libmpv #14643

triallax opened this issue Aug 6, 2024 · 2 comments
Labels
os:linux

Comments

@triallax
Copy link

triallax commented Aug 6, 2024
edited
Loading

mpv Information

mpv 0.38.0 Copyright © 2000-2024 mpv/MPlayer/mplayer2 projects
libplacebo version: v7.349.0
FFmpeg version: 7.0.2
FFmpeg library versions:
   libavutil       59.8.100
   libavcodec      61.3.100
   libavformat     61.1.100
   libswscale      8.1.100
   libavfilter     10.1.100
   libswresample   5.1.100

Other Information

  • Linux version: Chimera Linux
  • Kernel Version: Linux satoru 6.6.44-0-generic #1 SMP PREEMPT_DYNAMIC Sat Aug 3 07:45:14 UTC 2024 x86_64
  • GPU Model: Intel Corporation WhiskeyLake-U GT2 [UHD Graphics 620] [8086:3ea0] (rev 02)
  • Mesa/GPU Driver Version: 4.6 (Compatibility Profile) Mesa 24.1.5
  • Window Manager and Version: mutter 46
  • Source mpv: distro package
  • Haruna version: 1.1.2
  • Introduced in version: no idea

Reproduction Steps

With the system mpv built, with -fsanitize=signed-integer-overflow,integer-divide-by-zero (which Chimera does for everything by default), play the attached video below, like so: haruna x.mkv

Expected Behavior

Haruna plays the file successfully

Actual Behavior

Haruna crashes on startup (sometimes, usually I can reproduce this quite consistently but sometimes it can be harder to get), with this backtrace:

* thread #1, name = 'haruna', stop reason = signal SIGILL: illegal operand
  * frame #0: 0x000071da2dd8321c libmpv.so.2`mp_get_src_dst_rects(log=0x000071da0f464920, opts=<unavailable>, vo_caps=<unavailable>, video=<unavailable>, window_w=<unavailable>, window_h=<unavailable>, monitor_par=<unavailable>, out_src=0x000071da0e8f38c0, out_dst=0x000071da0e8f38b0, out_osd=0x000071da0e8f38e0) at aspect.c:0
    frame #1: 0x000071da2ddb1110 libmpv.so.2`mpv_render_context_render(ctx=0x000071da22be8fb0, params=0x000071da0e8f3a00) at vo_libmpv.c:362:13
    frame #2: 0x000071da34241838 libMpvQt.so.1`MpvRenderer::render(this=0x000071da10d33580) at mpvrenderer.cpp:60:5
    frame #3: 0x000071da30226bc5 libQt6Quick.so.6`QSGFramebufferObjectNode::render(this=0x000071da0f3b7450) at qquickframebufferobject.cpp:210:23
    frame #4: 0x000071da2e9e1408 libQt6Core.so.6`void doActivate<false>(sender=0x000071da34147ef0, signal_index=27, argv=0x000071da0e8f3b18) at qobject.cpp:4098:21
    frame #5: 0x000071da30049e10 libQt6Quick.so.6`QQuickWindowPrivate::renderSceneGraph() [inlined] QQuickWindow::beforeRendering(this=0x000071da34147ef0) at moc_qquickwindow.cpp:625:5
    frame #6: 0x000071da30049dfa libQt6Quick.so.6`QQuickWindowPrivate::renderSceneGraph(this=0x000071da2293ac30) at qquickwindow.cpp:654:13
    frame #7: 0x000071da3022fb8b libQt6Quick.so.6`QSGRenderThread::run() [inlined] QSGRenderThread::syncAndRender(this=0x000071da2d337050) at qsgthreadedrenderloop.cpp:761:12
    frame #8: 0x000071da3022eee9 libQt6Quick.so.6`QSGRenderThread::run(this=0x000071da2d337050) at qsgthreadedrenderloop.cpp:974:13
    frame #9: 0x000071da2eb3d420 libQt6Core.so.6`QThreadPrivate::start(void*) [inlined] QThreadPrivate::start(void*)::$_0::operator()(this=<unavailable>) const at qthread_unix.cpp:326:14
    frame #10: 0x000071da2eb3d2ab libQt6Core.so.6`QThreadPrivate::start(void*) [inlined] void (anonymous namespace)::terminate_on_exception<QThreadPrivate::start(void*)::$_0>(t=<unavailable>) at qthread_unix.cpp:262:9
    frame #11: 0x000071da2eb3d2ab libQt6Core.so.6`QThreadPrivate::start(arg=0x000071da2d337050) at qthread_unix.cpp:285:5
    frame #12: 0x000071da34438cbb ld-musl-x86_64.so.1`start(p=0x000071da0e8f3dc0) at pthread_create.c:208:17
    frame #13: 0x000071da3443bacb ld-musl-x86_64.so.1`__clone + 47

i also noticed that i can reproduce this more consistently when i set my power mode to power saver, and less consistently when i set it to performance

Log File

(note: this is coming from haruna/libmpv, not mpv)

log.txt

Sample Files

https://github.com/user-attachments/files/16515494/video.zip

I carefully read all instruction and confirm that I did the following:

  • I tested with the latest mpv version to validate that the issue is not already fixed.
  • I provided all required information including system and mpv version.
  • I produced the log file with the exact same set of files, parameters, and conditions used in "Reproduction Steps", with the addition of --log-file=output.txt.
  • I produced the log file while the behaviors described in "Actual Behavior" were actively observed.
  • I attached the full, untruncated log file.
  • I attached the backtrace in the case of a crash.
@llyyr
Copy link
Contributor

llyyr commented Aug 6, 2024
edited
Loading

This was reported to #mpv before and the bug wasn't reproducible with a minimal sample client. Please report it to Haruna first.

frame #13: 0x000071da3443bacb ld-musl-x86_64.so.1`__clone + 47

Also you failed to mention that you were using musl when you reported this before, can you check if this also happens on glibc systems?

@q66
Copy link
Contributor

q66 commented Aug 7, 2024

likely haruna occasionally passes a junk value to libmpv which breaks

but also, libmpv could be fixed not to invoke UB in such cases (by using unsigned values)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
os:linux
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@q66 @llyyr @triallax