mpv icon indicating copy to clipboard operation
mpv copied to clipboard

Published 20 hours ago • verified publisher icon mpv-player

With integer subset of ubsan on, Haruna sometimes crashes in libmpv

Open triallax opened this issue 1 year ago • 2 comments

mpv Information

mpv 0.38.0 Copyright © 2000-2024 mpv/MPlayer/mplayer2 projects
libplacebo version: v7.349.0
FFmpeg version: 7.0.2
FFmpeg library versions:
   libavutil       59.8.100
   libavcodec      61.3.100
   libavformat     61.1.100
   libswscale      8.1.100
   libavfilter     10.1.100
   libswresample   5.1.100

Other Information

  • Linux version: Chimera Linux
  • Kernel Version: Linux satoru 6.6.44-0-generic #1 SMP PREEMPT_DYNAMIC Sat Aug 3 07:45:14 UTC 2024 x86_64
  • GPU Model: Intel Corporation WhiskeyLake-U GT2 [UHD Graphics 620] [8086:3ea0] (rev 02)
  • Mesa/GPU Driver Version: 4.6 (Compatibility Profile) Mesa 24.1.5
  • Window Manager and Version: mutter 46
  • Source mpv: distro package
  • Haruna version: 1.1.2
  • Introduced in version: no idea

Reproduction Steps

With the system mpv built, with -fsanitize=signed-integer-overflow,integer-divide-by-zero (which Chimera does for everything by default), play the attached video below, like so: haruna x.mkv

Expected Behavior

Haruna plays the file successfully

Actual Behavior

Haruna crashes on startup (sometimes, usually I can reproduce this quite consistently but sometimes it can be harder to get), with this backtrace:

* thread #1, name = 'haruna', stop reason = signal SIGILL: illegal operand
  * frame #0: 0x000071da2dd8321c libmpv.so.2`mp_get_src_dst_rects(log=0x000071da0f464920, opts=<unavailable>, vo_caps=<unavailable>, video=<unavailable>, window_w=<unavailable>, window_h=<unavailable>, monitor_par=<unavailable>, out_src=0x000071da0e8f38c0, out_dst=0x000071da0e8f38b0, out_osd=0x000071da0e8f38e0) at aspect.c:0
    frame #1: 0x000071da2ddb1110 libmpv.so.2`mpv_render_context_render(ctx=0x000071da22be8fb0, params=0x000071da0e8f3a00) at vo_libmpv.c:362:13
    frame #2: 0x000071da34241838 libMpvQt.so.1`MpvRenderer::render(this=0x000071da10d33580) at mpvrenderer.cpp:60:5
    frame #3: 0x000071da30226bc5 libQt6Quick.so.6`QSGFramebufferObjectNode::render(this=0x000071da0f3b7450) at qquickframebufferobject.cpp:210:23
    frame #4: 0x000071da2e9e1408 libQt6Core.so.6`void doActivate<false>(sender=0x000071da34147ef0, signal_index=27, argv=0x000071da0e8f3b18) at qobject.cpp:4098:21
    frame #5: 0x000071da30049e10 libQt6Quick.so.6`QQuickWindowPrivate::renderSceneGraph() [inlined] QQuickWindow::beforeRendering(this=0x000071da34147ef0) at moc_qquickwindow.cpp:625:5
    frame #6: 0x000071da30049dfa libQt6Quick.so.6`QQuickWindowPrivate::renderSceneGraph(this=0x000071da2293ac30) at qquickwindow.cpp:654:13
    frame #7: 0x000071da3022fb8b libQt6Quick.so.6`QSGRenderThread::run() [inlined] QSGRenderThread::syncAndRender(this=0x000071da2d337050) at qsgthreadedrenderloop.cpp:761:12
    frame #8: 0x000071da3022eee9 libQt6Quick.so.6`QSGRenderThread::run(this=0x000071da2d337050) at qsgthreadedrenderloop.cpp:974:13
    frame #9: 0x000071da2eb3d420 libQt6Core.so.6`QThreadPrivate::start(void*) [inlined] QThreadPrivate::start(void*)::$_0::operator()(this=<unavailable>) const at qthread_unix.cpp:326:14
    frame #10: 0x000071da2eb3d2ab libQt6Core.so.6`QThreadPrivate::start(void*) [inlined] void (anonymous namespace)::terminate_on_exception<QThreadPrivate::start(void*)::$_0>(t=<unavailable>) at qthread_unix.cpp:262:9
    frame #11: 0x000071da2eb3d2ab libQt6Core.so.6`QThreadPrivate::start(arg=0x000071da2d337050) at qthread_unix.cpp:285:5
    frame #12: 0x000071da34438cbb ld-musl-x86_64.so.1`start(p=0x000071da0e8f3dc0) at pthread_create.c:208:17
    frame #13: 0x000071da3443bacb ld-musl-x86_64.so.1`__clone + 47

i also noticed that i can reproduce this more consistently when i set my power mode to power saver, and less consistently when i set it to performance

Log File

(note: this is coming from haruna/libmpv, not mpv)

log.txt

Sample Files

https://github.com/user-attachments/files/16515494/video.zip

I carefully read all instruction and confirm that I did the following:

  • [X] I tested with the latest mpv version to validate that the issue is not already fixed.
  • [X] I provided all required information including system and mpv version.
  • [X] I produced the log file with the exact same set of files, parameters, and conditions used in "Reproduction Steps", with the addition of --log-file=output.txt.
  • [X] I produced the log file while the behaviors described in "Actual Behavior" were actively observed.
  • [X] I attached the full, untruncated log file.
  • [X] I attached the backtrace in the case of a crash.

triallax avatar Aug 06 '24 21:08 triallax

This was reported to #mpv before and the bug wasn't reproducible with a minimal sample client. Please report it to Haruna first.

frame #13: 0x000071da3443bacb ld-musl-x86_64.so.1`__clone + 47

Also you failed to mention that you were using musl when you reported this before, can you check if this also happens on glibc systems?

llyyr avatar Aug 06 '24 21:08 llyyr

likely haruna occasionally passes a junk value to libmpv which breaks

but also, libmpv could be fixed not to invoke UB in such cases (by using unsigned values)

q66 avatar Aug 07 '24 19:08 q66