segfault in namehint API (valgrind aplay -L prints scary warnings)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
alsa-lib (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
valgrind reports a lot of scary errors when run on aplay -L; it looks like the alsa snd_device_
==30818== Memcheck, a memory error detector
==30818== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==30818== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==30818== Command: aplay -L
==30818==
==30818== Invalid read of size 8
==30818== at 0x50653F0: snd_config_
==30818== by 0x5070732: snd_device_
==30818== by 0x403DE8: ??? (in /usr/bin/aplay)
==30818== by 0x4094A8: ??? (in /usr/bin/aplay)
==30818== by 0x556576C: (below main) (libc-start.c:226)
==30818== Address 0x5e0c8f8 is 40 bytes inside a block of size 72 free'd
==30818== at 0x4C2A82E: free (in /usr/lib/
==30818== by 0x5065E94: snd_config_delete (conf.c:1850)
==30818== by 0x5066425: parse_defs (conf.c:1200)
==30818== by 0x50667E5: snd_config_load1 (conf.c:1661)
==30818== by 0x5066A0C: config_file_open (conf.c:3403)
==30818== by 0x506827D: snd_config_
==30818== by 0x64C8ACC: ???
==30818== by 0x5068EBC: snd_config_
==30818== by 0x50694C3: snd_config_
==30818== by 0x5069599: snd_config_
==30818== by 0x5069675: snd1_config_
==30818== by 0x50687A1: snd_config_
==30818==
==30818== Invalid read of size 8
==30818== at 0x506470E: snd_config_get_id (conf.c:1578)
==30818== by 0x50706F7: snd_device_
==30818== by 0x403DE8: ??? (in /usr/bin/aplay)
==30818== by 0x4094A8: ??? (in /usr/bin/aplay)
==30818== by 0x556576C: (below main) (libc-start.c:226)
==30818== Address 0x5e0c8d0 is 0 bytes inside a block of size 72 free'd
==30818== at 0x4C2A82E: free (in /usr/lib/
==30818== by 0x5065E94: snd_config_delete (conf.c:1850)
==30818== by 0x5066425: parse_defs (conf.c:1200)
==30818== by 0x50667E5: snd_config_load1 (conf.c:1661)
==30818== by 0x5066A0C: config_file_open (conf.c:3403)
==30818== by 0x506827D: snd_config_
==30818== by 0x64C8ACC: ???
==30818== by 0x5068EBC: snd_config_
==30818== by 0x50694C3: snd_config_
==30818== by 0x5069599: snd_config_
==30818== by 0x5069675: snd1_config_
==30818== by 0x50687A1: snd_config_
==30818==
==30818== Invalid read of size 1
==30818== at 0x558DDBA: vfprintf (vfprintf.c:1624)
==30818== by 0x564B403: __vsprintf_chk (vsprintf_chk.c:86)
==30818== by 0x564B34C: __sprintf_chk (sprintf_chk.c:33)
==30818== by 0x506F50F: try_config (stdio2.h:34)
==30818== by 0x5070722: snd_device_
==30818== by 0x403DE8: ??? (in /usr/bin/aplay)
==30818== by 0x4094A8: ??? (in /usr/bin/aplay)
==30818== by 0x556576C: (below main) (libc-start.c:226)
==30818== Address 0x5e0c820 is 0 bytes inside a block of size 8 free'd
==30818== at 0x4C2A82E: free (in /usr/lib/
==30818== by 0x5065E8C: snd_config_delete (conf.c:1849)
==30818== by 0x5066425: parse_defs (conf.c:1200)
==30818== by 0x50667E5: snd_config_load1 (conf.c:1661)
==30818== by 0x5066A0C: config_file_open (conf.c:3403)
==30818== by 0x506827D: snd_config_
==30818== by 0x64C8ACC: ???
==30818== by 0x5068EBC: snd_config_
==30818== by 0x50694C3: snd_config_
==30818== by 0x5069599: snd_config_
==30818== by 0x5069675: snd1_config_
==30818== by 0x50687A1: snd_config_
==30818==
==30818== Invalid read of size 1
==30818== at 0x55BFB98: _IO_default_xsputn (genops.c:480)
==30818== by 0x558DBED: vfprintf (vfprintf.c:1624)
==30818== by 0x564B403: __vsprintf_chk (vsprintf_chk.c:86)
==30818== by 0x564B34C: __sprintf_chk (sprintf_chk.c:33)
==30818== by 0x506F50F: try_config (stdio2.h:34)
==30818== by 0x5070722: snd_device_
==30818== by 0x403DE8: ??? (in /usr/bin/aplay)
==30818== by 0x4094A8: ??? (in /usr/bin/aplay)
==30818== by 0x556576C: (below main) (libc-start.c:226)
==30818== Address 0x5e0c820 is 0 bytes inside a block of size 8 free'd
==30818== at 0x4C2A82E: free (in /usr/lib/
==30818== by 0x5065E8C: snd_config_delete (conf.c:1849)
==30818== by 0x5066425: parse_defs (conf.c:1200)
==30818== by 0x50667E5: snd_config_load1 (conf.c:1661)
==30818== by 0x5066A0C: config_file_open (conf.c:3403)
==30818== by 0x506827D: snd_config_
==30818== by 0x64C8ACC: ???
==30818== by 0x5068EBC: snd_config_
==30818== by 0x50694C3: snd_config_
==30818== by 0x5069599: snd_config_
==30818== by 0x5069675: snd1_config_
==30818== by 0x50687A1: snd_config_
==30818==
==30818== Invalid read of size 1
==30818== at 0x55BFBA7: _IO_default_xsputn (genops.c:479)
==30818== by 0x558DBED: vfprintf (vfprintf.c:1624)
==30818== by 0x564B403: __vsprintf_chk (vsprintf_chk.c:86)
==30818== by 0x564B34C: __sprintf_chk (sprintf_chk.c:33)
==30818== by 0x506F50F: try_config (stdio2.h:34)
==30818== by 0x5070722: snd_device_
==30818== by 0x403DE8: ??? (in /usr/bin/aplay)
==30818== by 0x4094A8: ??? (in /usr/bin/aplay)
==30818== by 0x556576C: (below main) (libc-start.c:226)
==30818== Address 0x5e0c822 is 2 bytes inside a block of size 8 free'd
==30818== at 0x4C2A82E: free (in /usr/lib/
==30818== by 0x5065E8C: snd_config_delete (conf.c:1849)
==30818== by 0x5066425: parse_defs (conf.c:1200)
==30818== by 0x50667E5: snd_config_load1 (conf.c:1661)
==30818== by 0x5066A0C: config_file_open (conf.c:3403)
==30818== by 0x506827D: snd_config_
==30818== by 0x64C8ACC: ???
==30818== by 0x5068EBC: snd_config_
==30818== by 0x50694C3: snd_config_
==30818== by 0x5069599: snd_config_
==30818== by 0x5069675: snd1_config_
==30818== by 0x50687A1: snd_config_
==30818==
==30818== Invalid read of size 1
==30818== at 0x4C2E439: __strcpy_chk (in /usr/lib/
==30818== by 0x506F6BF: try_config (string3.h:105)
==30818== by 0x5070722: snd_device_
==30818== by 0x403DE8: ??? (in /usr/bin/aplay)
==30818== by 0x4094A8: ??? (in /usr/bin/aplay)
==30818== by 0x556576C: (below main) (libc-start.c:226)
==30818== Address 0x5e0c820 is 0 bytes inside a block of size 8 free'd
==30818== at 0x4C2A82E: free (in /usr/lib/
==30818== by 0x5065E8C: snd_config_delete (conf.c:1849)
==30818== by 0x5066425: parse_defs (conf.c:1200)
==30818== by 0x50667E5: snd_config_load1 (conf.c:1661)
==30818== by 0x5066A0C: config_file_open (conf.c:3403)
==30818== by 0x506827D: snd_config_
==30818== by 0x64C8ACC: ???
==30818== by 0x5068EBC: snd_config_
==30818== by 0x50694C3: snd_config_
==30818== by 0x5069599: snd_config_
==30818== by 0x5069675: snd1_config_
==30818== by 0x50687A1: snd_config_
==30818==
default
Playback/
null
Discard all samples (playback) or generate zero samples (capture)
pulse
PulseAudio Sound Server
default
Playback/
sysdefault:
Intel 82801AA-ICH, Intel 82801AA-ICH
Default Audio Device
front:CARD=
Intel 82801AA-ICH, Intel 82801AA-ICH
Front speakers
surround40:
Intel 82801AA-ICH, Intel 82801AA-ICH
4.0 Surround output to Front and Rear speakers
surround41:
Intel 82801AA-ICH, Intel 82801AA-ICH
4.1 Surround output to Front, Rear and Subwoofer speakers
surround50:
Intel 82801AA-ICH, Intel 82801AA-ICH
5.0 Surround output to Front, Center and Rear speakers
surround51:
Intel 82801AA-ICH, Intel 82801AA-ICH
5.1 Surround output to Front, Center, Rear and Subwoofer speakers
iec958:
Intel 82801AA-ICH, Intel 82801AA-ICH
IEC958 (S/PDIF) Digital Audio Output
dmix:CARD=
Intel 82801AA-ICH, Intel 82801AA-ICH
Direct sample mixing device
dsnoop:
Intel 82801AA-ICH, Intel 82801AA-ICH
Direct sample snooping device
hw:CARD=
Intel 82801AA-ICH, Intel 82801AA-ICH
Direct hardware device without any conversions
plughw:
Intel 82801AA-ICH, Intel 82801AA-ICH
Hardware device with all software conversions
==30818==
==30818== HEAP SUMMARY:
==30818== in use at exit: 32,284 bytes in 94 blocks
==30818== total heap usage: 16,469 allocs, 16,375 frees, 719,816 bytes allocated
==30818==
==30818== LEAK SUMMARY:
==30818== definitely lost: 0 bytes in 0 blocks
==30818== indirectly lost: 0 bytes in 0 blocks
==30818== possibly lost: 0 bytes in 0 blocks
==30818== still reachable: 32,284 bytes in 94 blocks
==30818== suppressed: 0 bytes in 0 blocks
==30818== Rerun with --leak-check=full to see details of leaked memory
==30818==
==30818== For counts of detected and suppressed errors, rerun with: -v
==30818== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 2 from 2)
Changed in alsa-lib (Ubuntu):
status: In Progress → Fix Committed
summary:
- valgrind aplay -L prints scary warnings
+ segfault in namehint API (valgrind aplay -L prints scary warnings)
I can confirm this error. It looks like there is some iterator running, and when snd_config_search_definition runs, it changes the config tree, because there is some hook that does this.
So the iterator is pointing to already freed memory.
The iterator is probably the one in the add_card function, because it repeatedly runs try_config.
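The failure mode the comment above describes, iterating a config tree while a hook called from inside the loop frees and re-creates the node the iterator is holding, as an added example in C. This is not code from the bug report or from alsa-lib: the tree, the hook and every function name here are hypothetical stand-ins for snd_config_t, the config hook and add_card/try_config. It shows the unsafe walk for contrast (defined but never called) and a safe walk that snapshots the ids first and re-looks each one up before acting, so no node pointer is held across a call that may mutate the tree.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal config tree standing in for alsa-lib's snd_config_t:
   a singly-linked list of (id, value) nodes. Not alsa-lib code. */
typedef struct node {
    char *id;
    char *value;
    struct node *next;
} node_t;

typedef struct { node_t *head; } tree_t;

/* Signature of a hook that may add or remove nodes while it runs. */
typedef void (*hook_fn)(tree_t *t, const char *id);

/* Portable strdup replacement (strdup is POSIX, not ISO C). */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

node_t *tree_find(tree_t *t, const char *id) {
    for (node_t *c = t->head; c; c = c->next)
        if (strcmp(c->id, id) == 0) return c;
    return NULL;
}

void tree_add(tree_t *t, const char *id, const char *value) {
    node_t *n = calloc(1, sizeof *n);
    n->id = dup_str(id);
    n->value = dup_str(value);
    n->next = t->head;              /* push at the front */
    t->head = n;
}

/* Unlinks and frees the node with this id; no-op if it is absent. */
void tree_remove(tree_t *t, const char *id) {
    for (node_t **pp = &t->head; *pp; pp = &(*pp)->next) {
        node_t *c = *pp;
        if (strcmp(c->id, id) == 0) {
            *pp = c->next;
            free(c->id); free(c->value); free(c);
            return;
        }
    }
}

size_t tree_count(tree_t *t) {
    size_t n = 0;
    for (node_t *c = t->head; c; c = c->next) n++;
    return n;
}

void tree_free(tree_t *t) { while (t->head) tree_remove(t, t->head->id); }

/* A hook that re-defines the entry it is asked about: it frees the existing
   node and inserts a fresh one. Models the hook the comment suspects is
   rewriting the tree during a search. The id is copied first because, in the
   unsafe walk, it points into the very node that is about to be freed. */
void hook_reload(tree_t *t, const char *id) {
    char *copy = dup_str(id);
    tree_remove(t, copy);
    tree_add(t, copy, "reloaded");
    free(copy);
}

/* UNSAFE, shown for contrast and never called here: `cur` is held across the
   hook call, the hook frees it, and `cur->next` then reads freed memory. Under
   valgrind this produces the "Invalid read ... free'd" reports seen above. */
int process_all_unsafe(tree_t *t, hook_fn hook) {
    int n = 0;
    for (node_t *cur = t->head; cur; cur = cur->next) {  /* cur->next: use-after-free */
        hook(t, cur->id);
        n++;
    }
    return n;
}

/* SAFE: snapshot the ids, then look each one up again before acting. No node
   pointer survives a hook call, and entries removed by an earlier hook
   invocation are skipped instead of dereferenced. Returns how many were processed. */
int process_all_safe(tree_t *t, hook_fn hook) {
    size_t n = tree_count(t), i = 0;
    char **ids = calloc(n ? n : 1, sizeof *ids);
    for (node_t *c = t->head; c; c = c->next) ids[i++] = dup_str(c->id);
    int processed = 0;
    for (i = 0; i < n; i++) {
        if (tree_find(t, ids[i]) != NULL) {
            hook(t, ids[i]);
            processed++;
        }
        free(ids[i]);
    }
    free(ids);
    return processed;
}

/* Constructed sample: three entries named after the aplay -L output above.
   Returns 1 if the safe walk replaced each entry exactly once. */
int demo(void) {
    tree_t t = { NULL };
    tree_add(&t, "default", "card0");
    tree_add(&t, "pulse", "server");
    tree_add(&t, "sysdefault", "card0");
    int ok = process_all_safe(&t, hook_reload) == 3 && tree_count(&t) == 3;
    for (node_t *c = t.head; c; c = c->next)
        if (strcmp(c->value, "reloaded") != 0) ok = 0;
    tree_free(&t);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

Saving `next` before the callback, the usual list-iteration fix, is not enough here because the hook may also free or replace nodes other than the current one; the snapshot-and-lookup form is robust against any mutation the hook performs, at the cost of one extra pass. Building with `-fsanitize=address` or running the unsafe walk under valgrind reproduces the report class shown in the log, which is a cheap regression check to keep around after the fix.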