SFML / SFML

Simple and Fast Multimedia Library

Home Page: https://www.sfml-dev.org/

`SoundEffects.cpp` example segfaults due to channel count mismatch

vittorioromeo opened this issue

Describe your issue here

The SoundEffects.cpp example segfaults on my machine, with invalid accesses at these lines. It seems like, in the first case, there is a mismatch in the size of filters (which is music.getChannelCount()) and the index channel (which goes up to frameChannelCount).

On my machine, music.getChannelCount() == 2 and frameChannelCount == 8.

// L926
    outputFrames[channel] = *enabled ? filters[channel](input) : input;
//                                     ^~~~~~~~~~~~~~~~

// L770
    outputFrames[channel] = *enabled ? yn : xn;
//  ^~~~~~~~~~~~~~~~~~~~~

Example stack trace

0x00007ff652f16e3c in Reverb::ReverbFilter<float>::operator() (this=0x9f75450, input=0) at C:/OHWorkspace/SFML/examples/sound_effects/SoundEffects.cpp:1011
1011                auto output = static_cast<T>(0.7f * input + m_feedbackGain * m_buffer[m_cursor]);
(gdb) bt
#0  0x00007ff652f16e3c in Reverb::ReverbFilter<float>::operator() (this=0x9f75450, input=0) at C:/OHWorkspace/SFML/examples/sound_effects/SoundEffects.cpp:1011
#1  0x00007ff652f6fbfa in Reverb::Reverb()::{lambda(float const*, unsigned int&, float*, unsigned int&, unsigned int)#1}::operator()(float const*, unsigned int&, float*, unsigned int&, unsigned int) (this=0x9f17c30, inputFrames=0x9f100e0,
    inputFrameCount=@0x9df66a4: 128, outputFrames=0x26f08e0, outputFrameCount=@0x9df66a0: 128, frameChannelCount=8) at C:/OHWorkspace/SFML/examples/sound_effects/SoundEffects.cpp:926
#2  0x00007ff652f6550c in std::__invoke_impl<void, Reverb::Reverb()::{lambda(float const*, unsigned int&, float*, unsigned int&, unsigned int)#1}&, float const*, unsigned int&, float*, unsigned int&, unsigned int>(std::__invoke_other, Reverb::Reverb()::{lambda(float const*, unsigned int&, float*, unsigned int&, unsigned int)#1}&, float const*&&, unsigned int&, float*&&, unsigned int&, unsigned int&&) (__f=..., __args=@0x9df6438: 8, __args=@0x9df6438: 8,
    __args=@0x9df6438: 8, __args=@0x9df6438: 8, __args=@0x9df6438: 8) at C:/msys64/mingw64/include/c++/14.1.0/bits/invoke.h:61
#3  0x00007ff652f61c04 in std::__invoke_r<void, Reverb::Reverb()::{lambda(float const*, unsigned int&, float*, unsigned int&, unsigned int)#1}&, float const*, unsigned int&, float*, unsigned int&, unsigned int>(Reverb::Reverb()::{lambda(float const*, unsigned int&, float*, unsigned int&, unsigned int)#1}&, float const*&&, unsigned int&, float*&&, unsigned int&, unsigned int&&) (__fn=..., __args=@0x9df6438: 8, __args=@0x9df6438: 8, __args=@0x9df6438: 8, __args=@0x9df6438: 8,
    __args=@0x9df6438: 8) at C:/msys64/mingw64/include/c++/14.1.0/bits/invoke.h:111
#4  0x00007ff652f3f4e3 in std::_Function_handler<void (float const*, unsigned int&, float*, unsigned int&, unsigned int), Reverb::Reverb()::{lambda(float const*, unsigned int&, float*, unsigned int&, unsigned int)#1}>::_M_invoke(std::_Any_data const&, float const*&&, unsigned int&, float*&&, unsigned int&, unsigned int&&) (__functor=..., __args=@0x9df6438: 8, __args=@0x9df6438: 8, __args=@0x9df6438: 8, __args=@0x9df6438: 8, __args=@0x9df6438: 8)
    at C:/msys64/mingw64/include/c++/14.1.0/bits/std_function.h:290
#5  0x00007ff652f260dc in std::function<void (float const*, unsigned int&, float*, unsigned int&, unsigned int)>::operator()(float const*, unsigned int&, float*, unsigned int&, unsigned int) const (this=0x9ec60c8, __args=8, __args=8,
    __args=8, __args=8, __args=8) at C:/msys64/mingw64/include/c++/14.1.0/bits/std_function.h:591
#6  0x00007ff652d8d38c in sf::priv::MiniaudioUtils::SoundBase::processEffect (this=0x9ec5b20, framesIn=0x9df6ec0, frameCountIn=@0x9df66a4: 128, framesOut=0x9df66d0, frameCountOut=@0x9df66a0: 128)
    at C:/OHWorkspace/SFML/src/SFML/Audio/MiniaudioUtils.cpp:219
#7  0x00007ff652d8d98c in sf::priv::MiniaudioUtils::SoundBase::initialize(void (*)(void*, ma_sound*))::$_0::operator()(void*, float const**, unsigned int*, float**, unsigned int*) const (this=0x9df6517, node=0x9ec5b80, framesIn=0x9df6ec0,
    frameCountIn=0x9df66a4, framesOut=0x9df66d0, frameCountOut=0x9df66a0) at C:/OHWorkspace/SFML/src/SFML/Audio/MiniaudioUtils.cpp:169
#8  0x00007ff652d8d930 in sf::priv::MiniaudioUtils::SoundBase::initialize(void (*)(void*, ma_sound*))::$_0::__invoke(void*, float const**, unsigned int*, float**, unsigned int*) (node=0x9ec5b80, framesIn=0x9df6ec0, frameCountIn=0x9df66a4,
    framesOut=0x9df66d0, frameCountOut=0x9df66a0) at C:/OHWorkspace/SFML/src/SFML/Audio/MiniaudioUtils.cpp:168
#9  0x00007ff652d83d82 in ma_node_process_pcm_frames_internal (pNode=0x9ec5b80, ppFramesIn=0x9df6ec0, pFrameCountIn=0x9df66a4, ppFramesOut=0x9df66d0, pFrameCountOut=0x9df66a0)
    at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:72510
#10 0x00007ff652d4c60a in ma_node_read_pcm_frames (pNode=0x9ec5b80, outputBusIndex=0, pFramesOut=0x26f08e0, frameCount=128, pFramesRead=0x9df7748, globalTime=0) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:72822
#11 0x00007ff652d84052 in ma_node_input_bus_read_pcm_frames (pInputNode=0x26ec4a0, pInputBus=0x26ec4f8, pFramesOut=0x26f08e0, frameCount=480, pFramesRead=0x9df98d0, globalTime=0)
    at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:71755
#12 0x00007ff652d4be70 in ma_node_read_pcm_frames (pNode=0x26ec4a0, outputBusIndex=0, pFramesOut=0x26f08e0, frameCount=480, pFramesRead=0x9df9988, globalTime=0) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:72632
#13 0x00007ff652d4b775 in ma_node_graph_read_pcm_frames (pNodeGraph=0x26ec338, pFramesOut=0x26f08e0, frameCount=480, pFramesRead=0x9df99f0) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:71289
#14 0x00007ff652d53ca2 in ma_engine_read_pcm_frames (pEngine=0x26ec338, pFramesOut=0x26f08e0, frameCount=480, pFramesRead=0x0) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:75264
#15 0x00007ff652cfe4c8 in sf::priv::AudioDevice::initialize()::$_0::operator()(ma_device*, void*, void const*, unsigned int) const (this=0x9df9abb, device=0x26eb640, output=0x26f08e0, frameCount=480)
    at C:/OHWorkspace/SFML/src/SFML/Audio/AudioDevice.cpp:491
#16 0x00007ff652cfe449 in sf::priv::AudioDevice::initialize()::$_0::__invoke(ma_device*, void*, void const*, unsigned int) (device=0x26eb640, output=0x26f08e0, frameCount=480) at C:/OHWorkspace/SFML/src/SFML/Audio/AudioDevice.cpp:485
#17 0x00007ff652d739ca in ma_device__on_data_inner (pDevice=0x26eb640, pFramesOut=0x26f08e0, pFramesIn=0x0, frameCount=480) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:18690
#18 0x00007ff652d73835 in ma_device__on_data (pDevice=0x26eb640, pFramesOut=0x9dfde10, pFramesIn=0x0, frameCount=96) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:18771
#19 0x00007ff652d7330e in ma_device__handle_data_callback (pDevice=0x26eb640, pFramesOut=0x9dfde10, pFramesIn=0x0, frameCount=96) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:18823
#20 0x00007ff652d0bd45 in ma_device__read_frames_from_client (pDevice=0x26eb640, frameCount=96, pFramesOut=0x9dfde10) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:18853
#21 0x00007ff652d7a7a0 in ma_device_audio_thread__default_read_write (pDevice=0x26eb640) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:19343
#22 0x00007ff652d0a032 in ma_worker_thread (pData=0x26eb640) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:40913
#23 0x00007ff652d64d5d in ma_thread_entry_proxy (pData=0x26ed000) at C:/OHWorkspace/SFML/extlibs/headers/miniaudio/miniaudio.h:16508
#24 0x00007fff73ac1fd7 in KERNEL32!BaseThreadInitThunk () from C:\WINDOWS\System32\kernel32.dll
#25 0x00007fff7571b66c in ntdll!RtlUserThreadStart () from C:\WINDOWS\SYSTEM32\ntdll.dll
#26 0x0000000000000000 in ?? ()

Your Environment

  • OS / distro / window manager: Windows 11, MinGW x64 on MSYS2
  • SFML version: master branch
  • Compiler / toolchain: clang version 18.1.6, MinGW x64 on MSYS2
  • Special compiler / CMake flags: debug build mode

Steps to reproduce

  1. Clone master
  2. Build
  3. Run the built example from the examples/sound_effects working directory

Expected behavior

No segfault

Actual behavior

Yes segfault

ASAN report on Arch Linux x64
=================================================================
==2243==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f35807b2460 at pc 0x5918c676705e bp 0x7f35677f3a00 sp 0x7f35677f39f0
READ of size 8 at 0x7f35807b2460 thread T1
    #0 0x5918c676705d in sf::SoundStream::Impl::read(void*, void*, unsigned long long, unsigned long long*) /home/vromeo/OHW/SFML/src/SFML/Audio/SoundStream.cpp:99
    #1 0x5918c6862f7c in ma_data_source_read_pcm_frames_within_range /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:57220
    #2 0x5918c68635fe in ma_data_source_read_pcm_frames /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:57335
    #3 0x5918c68649b3 in ma_engine_node_process_pcm_frames__sound /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:74404
    #4 0x5918c6875671 in ma_node_process_pcm_frames_internal /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:72510
    #5 0x5918c6875671 in ma_node_read_pcm_frames /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:72614
    #6 0x5918c6877fb5 in ma_node_input_bus_read_pcm_frames /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:71758
    #7 0x5918c6875bf1 in ma_node_read_pcm_frames /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:72632
    #8 0x5918c68772b8 in ma_node_graph_read_pcm_frames /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:71289
    #9 0x5918c6888a31 in ma_engine_read_pcm_frames /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:75264
    #10 0x5918c679f397 in operator() /home/vromeo/OHW/SFML/src/SFML/Audio/AudioDevice.cpp:491
    #11 0x5918c679f397 in _FUN /home/vromeo/OHW/SFML/src/SFML/Audio/AudioDevice.cpp:495
    #12 0x5918c67f1b9f in ma_device__on_data_inner /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:18690
    #13 0x5918c67f1b9f in ma_device__on_data /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:18771
    #14 0x5918c67f1b9f in ma_device__on_data /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:18693
    #15 0x5918c67f4e5e in ma_device__handle_data_callback /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:18823
    #16 0x5918c6840f73 in ma_device__read_frames_from_client /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:18926
    #17 0x5918c684ae47 in ma_device_handle_backend_data_callback /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:42531
    #18 0x5918c684c7db in ma_device_write_to_stream__pulse /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:30145
    #19 0x5918c684cce4 in ma_device_on_write__pulse /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:30210
    #20 0x7f35702f7a96  (/usr/lib/../lib/libpulse.so+0x2ea96) (BuildId: 99ac242b45fb0058898c60b6933fa52e757e26d6)
    #21 0x7f35702856eb in pa_pdispatch_run (/usr/lib/pulseaudio/libpulsecommon-17.0.so+0x436eb) (BuildId: 75efa42c9e731da06beb0b7a3dac902c429a2b35)
    #22 0x7f35702dc253  (/usr/lib/../lib/libpulse.so+0x13253) (BuildId: 99ac242b45fb0058898c60b6933fa52e757e26d6)
    #23 0x7f357028a5d4  (/usr/lib/pulseaudio/libpulsecommon-17.0.so+0x485d4) (BuildId: 75efa42c9e731da06beb0b7a3dac902c429a2b35)
    #24 0x7f357028b46e  (/usr/lib/pulseaudio/libpulsecommon-17.0.so+0x4946e) (BuildId: 75efa42c9e731da06beb0b7a3dac902c429a2b35)
    #25 0x7f35702effc7 in pa_mainloop_dispatch (/usr/lib/../lib/libpulse.so+0x26fc7) (BuildId: 99ac242b45fb0058898c60b6933fa52e757e26d6)
    #26 0x7f35702f062a in pa_mainloop_iterate (/usr/lib/../lib/libpulse.so+0x2762a) (BuildId: 99ac242b45fb0058898c60b6933fa52e757e26d6)
    #27 0x5918c67b831a in ma_device_data_loop__pulse /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:30816
    #28 0x5918c68432f2 in ma_worker_thread /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:40910
    #29 0x7f358345cc79 in asan_thread_start /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_interceptors.cpp:234
    #30 0x7f3582aa6dec  (/usr/lib/libc.so.6+0x92dec) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #31 0x7f3582b2a0db  (/usr/lib/libc.so.6+0x1160db) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

Address 0x7f35807b2460 is located in stack of thread T0 at offset 96 in frame
    #0 0x5918c69499bf in sf::Texture::create(sf::Vector2<unsigned int> const&, bool) /home/vromeo/OHW/SFML/src/SFML/Graphics/Texture.cpp:158

  This frame has 13 object(s):
    [32, 33) 'lock' (line 166)
    [48, 49) '<unknown>'
    [64, 65) '<unknown>'
    [80, 81) '<unknown>'
    [96, 97) '<unknown>' <== Memory access at offset 96 partially overflows this variable
    [112, 113) '__c' (line 157)
    [128, 129) '__c' (line 157)
    [144, 145) '__c' (line 157)
    [160, 164) 'glTexture' (line 185)
    [176, 180) 'save' (line 193)
    [192, 200) 'actualSize' (line 172)
    [224, 240) '<unknown>'
    [256, 312) 'texture' (line 190)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /home/vromeo/OHW/SFML/src/SFML/Audio/SoundStream.cpp:99 in sf::SoundStream::Impl::read(void*, void*, unsigned long long, unsigned long long*)
Thread T1 created by T0 here:
    #0 0x7f35834f38fb in pthread_create /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_interceptors.cpp:245
    #1 0x5918c67c5b93 in ma_thread_create__posix /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:16167
    #2 0x5918c67c5b93 in ma_thread_create /home/vromeo/OHW/SFML/extlibs/headers/miniaudio/miniaudio.h:16542

Whoops, this one seems unrelated to the first report, and it was actually caused by my #3075 PR. Fixed this particular issue in #3084, but the first reported one (channel count mismatch segfault) still happens even with #3084.
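
One way to avoid the out-of-range index described in the first report, as an added example that is not SFML's code and not the fix applied upstream: the per-channel filter state is sized from the `frameChannelCount` the callback receives rather than from the source's channel count. `OnePole` and `ChannelSafeEffect` are hypothetical names, and the input is constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical stateful per-channel filter, standing in for the example's filters.
struct OnePole
{
    float state = 0.f;
    float operator()(float x) { return state = 0.5f * x + 0.5f * state; }
};

// Hypothetical effect with the callback shape seen in the stack trace.
class ChannelSafeEffect
{
public:
    explicit ChannelSafeEffect(unsigned int sourceChannelCount) : m_filters(sourceChannelCount) {}

    // Processes interleaved frames; returns the number of frames written.
    unsigned int process(const float* in, unsigned int inFrames,
                         float* out, unsigned int outFrames,
                         unsigned int frameChannelCount)
    {
        // The callback's channel count is authoritative (8 in the report), not the
        // source's (2). Growing allocates, but only on the first mismatching call.
        if (m_filters.size() < frameChannelCount)
            m_filters.resize(frameChannelCount);

        const unsigned int frames = std::min(inFrames, outFrames);
        for (unsigned int frame = 0; frame < frames; ++frame)
            for (unsigned int channel = 0; channel < frameChannelCount; ++channel)
            {
                const std::size_t i = static_cast<std::size_t>(frame) * frameChannelCount + channel;
                out[i] = m_filters[channel](in[i]);
            }
        return frames;
    }

    std::size_t filterCount() const { return m_filters.size(); }

private:
    std::vector<OnePole> m_filters;
};

int main()
{
    // Constructed input: 2 frames of 8 interleaved channels, source reported 2 channels.
    std::vector<float> in(16, 1.f), out(16, 0.f);
    ChannelSafeEffect effect(2);
    return effect.process(in.data(), 2, out.data(), 2, 8) == 2 ? 0 : 1;
}
```

Where allocating on the audio thread is not acceptable, the same check can instead pass channels without a filter through unmodified.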