Opened 3 years ago

Closed 2 years ago

Last modified 7 days ago

#9653 closed defect (fixed)

FULLPIPE: Irregular crash when starting

Reported by: windlepoons Owned by: csnover
Priority: blocker Component: Engine: Fullpipe
Keywords: has-backtrace Cc:
Game: Full Pipe

Description

When starting the German version of Full Pipe, ScummVM sometimes crashes before or while running the intro.

WARNING: SDL mixer output buffer size: 705 differs from desired: 2048!
User picked target 'fullpipe-de' (gameid 'fullpipe')...
  Looking for a plugin supporting this gameid... Fullpipe Engine
  Starting 'Full Pipe'
scummvm: ../../src-master/src/audio/decoders/mp3.cpp:208: void Audio::BaseMP3Stream::readMP3Data(Common::ReadStream&): Assertion `remaining < BUFFER_SIZE' failed.
Aborted

Game: Full Pipe (Windows/German)

ScummVM 1.10.0git1025-g9913c91 (Dec 3 2016 05:01:00)
Features compiled in: TAINTED Vorbis FLAC MP3 ALSA SEQ TiMidity RGB zLib MPEG2 FluidSynth Theora AAC FreeType2 JPEG PNG cloud (servers, local)

OS: Siduction (Debian/sid) 64bit

Attachments (1)

fullpipe-demo-crash-valgrind.txt (17.3 KB) - added by criezy 3 years ago.
Valgrind errors when reproducing the crash during fullpipe start


Change History (10)

comment:1 by windlepoons, 3 years ago

Summary: Irregular crash when starting → FULLPIPE: Irregular crash when starting

comment:2 by bgK, 3 years ago

I got that one once too. Here is a backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007ff55f4c2bf0 in mad_frame_decode () from /usr/lib/libmad.so.0
Thread 2 (Thread 0x7ff560697140 (LWP 11665)):
#0  0x000000000206dfa7 in Graphics::convertYUV410ToRGB<unsigned int> (dstPtr=0xcfa4284 "\002\001\002", dstPitch=2560, lookup=0xcc18390, colorTab=0xcb94060, ySrc=0xcd573ad '\021' <repeats 200 times>..., 
    uSrc=0xd08ef00 '\201' <repeats 160 times>, '\200' <repeats 40 times>..., vSrc=0xd0c7310 '\201' <repeats 160 times>, '\200' <repeats 40 times>..., yWidth=640, yHeight=360, yPitch=640, uvPitch=640) at ../graphics/yuv_to_rgb.cpp:355
#1  0x000000000206cb1f in Graphics::YUVToRGBManager::convert410 (this=0xcb94050, dst=0x7ffd0e5d12d0, scale=Graphics::YUVToRGBManager::kScaleITU, ySrc=0xcd202c0 '\021' <repeats 200 times>..., 
    uSrc=0xd08ef00 '\201' <repeats 160 times>, '\200' <repeats 40 times>..., vSrc=0xd0c7310 '\201' <repeats 160 times>, '\200' <repeats 40 times>..., yWidth=640, yHeight=360, yPitch=640, uvPitch=640) at ../graphics/yuv_to_rgb.cpp:383
#2  0x00000000020d0347 in Image::Indeo::IndeoDecoderBase::decodeIndeoFrame (this=0xce469c0) at ../image/codecs/indeo/indeo.cpp:605
#3  0x00000000020bec38 in Image::Indeo5Decoder::decodeFrame (this=0xce469c0, stream=...) at ../image/codecs/indeo5.cpp:91
#4  0x0000000001fed76b in Video::AVIDecoder::AVIVideoTrack::decodeFrame (this=0xcb76f10, stream=0x444e390) at ../video/avi_decoder.cpp:853
#5  0x0000000001fec261 in Video::AVIDecoder::handleNextPacket (this=0xca586f0, status=...) at ../video/avi_decoder.cpp:524
#6  0x0000000001febda9 in Video::AVIDecoder::readNextPacket (this=0xca586f0) at ../video/avi_decoder.cpp:435
#7  0x0000000002009f20 in Video::VideoDecoder::decodeNextFrame (this=0xca586f0) at ../video/video_decoder.cpp:178
#8  0x000000000096ed95 in Fullpipe::ModalVideoPlayer::play (this=0x48c21c0, filename=0x2334380 "intro.avi") at ../engines/fullpipe/modal.cpp:253
#9  0x000000000096e5c8 in Fullpipe::ModalIntro::init (this=0xca59410, counterdiff=42) at ../engines/fullpipe/modal.cpp:110
#10 0x0000000000953527 in Fullpipe::FullpipeEngine::updateScreen (this=0x4446fb0) at ../engines/fullpipe/fullpipe.cpp:518
#11 0x000000000095293b in Fullpipe::FullpipeEngine::run (this=0x4446fb0) at ../engines/fullpipe/fullpipe.cpp:330
#12 0x000000000040edd6 in runGame (plugin=0x40f15e0, system=..., edebuglevels=...) at ../base/main.cpp:263
#13 0x000000000040ffc5 in scummvm_main (argc=1, argv=0x7ffd0e6181a8) at ../base/main.cpp:529
#14 0x000000000040d103 in main (argc=1, argv=0x7ffd0e6181a8) at ../backends/platform/sdl/posix/posix-main.cpp:45

Thread 1 (Thread 0x7ff558dcf700 (LWP 11673)):
#0  0x00007ff55f4c2bf0 in mad_frame_decode () from /usr/lib/libmad.so.0
#1  0x00000000020fc76f in Audio::BaseMP3Stream::decodeMP3Data (this=0xcb7cf10, stream=...) at ../audio/decoders/mp3.cpp:166
#2  0x00000000020fcd85 in Audio::BaseMP3Stream::fillBuffer (this=0xcb7cf10, stream=..., buffer=0xcb97db6, numSamples=512) at ../audio/decoders/mp3.cpp:322
#3  0x00000000020fdec0 in Audio::PacketizedMP3Stream::readBuffer (this=0xcb7cf10, buffer=0xcb97c48, numSamples=512) at ../audio/decoders/mp3.cpp:469
#4  0x0000000002137083 in Audio::LinearRateConverter<true, false>::flow (this=0xcb97c40, input=..., obuf=0x4384790, osamp=2048, vol_l=256, vol_r=256) at ../audio/rate.cpp:237
#5  0x00000000020f3d98 in Audio::Channel::mix (this=0xcb77590, data=0x4382d70, len=2048) at ../audio/mixer.cpp:621
#6  0x00000000020f2880 in Audio::MixerImpl::mixCallback (this=0x438ded0, samples=0x4382d70 "", len=2048) at ../audio/mixer.cpp:293
#7  0x0000000001fb83d7 in SdlMixerManager::callbackHandler (this=0x40ad090, samples=0x4382d70 "", len=8192) at ../backends/mixer/sdl/sdl-mixer.cpp:164
#8  0x0000000001fb8433 in SdlMixerManager::sdlCallback (this_=0x40ad090, samples=0x4382d70 "", len=8192) at ../backends/mixer/sdl/sdl-mixer.cpp:171
#9  0x00007ff55ffac842 in ?? () from /usr/lib/libSDL2-2.0.so.0
#10 0x00007ff56000f2dc in ?? () from /usr/lib/libSDL2-2.0.so.0
#11 0x00007ff56005e8a9 in ?? () from /usr/lib/libSDL2-2.0.so.0
#12 0x00007ff55cef5454 in start_thread () from /usr/lib/libpthread.so.0
#13 0x00007ff55d3f77df in clone () from /usr/lib/libc.so.6

I can provide the core dump if needed.

comment:3 by criezy, 3 years ago

Today I reproduced the crash while running the fullpipe german demo with valgrind. I am using up to date code from master (dd749854). I have attached the valgrind errors I get.

The crash is random, and when it does not occur none of these valgrind errors occur either. Thus I am suspecting a thread race issue (otherwise I don't really see why a variable would be initialised in some runs and not initialised in others).

I also suspect this might not be specific to fullpipe as a few weeks ago I got a crash starting drascula on iOS and the crash was also in mad_frame_decode().

by criezy, 3 years ago

Valgrind errors when reproducing the crash during fullpipe start

comment:4 by csnover, 2 years ago

Priority: normal → blocker

Raising crashes on startup and memory leaks in this new engine to release blocker status.

comment:5 by csnover, 2 years ago

Keywords: has-backtrace added

comment:6 by csnover, 2 years ago

ThreadSan finds the data race, so I am looking into this now.

Just in case anyone is curious about the reports:

WARNING: ThreadSanitizer: data race (pid=1031)
  Write of size 4 at 0x7bc00012000c by main thread (mutexes: write M50205):
  * #0 Audio::PacketizedMP3Stream::queuePacket(Common::SeekableReadStream*) mp3.cpp:507 (scummvm:x86_64+0x10085a59f)
    #1 non-virtual thunk to Audio::PacketizedMP3Stream::queuePacket(Common::SeekableReadStream*) mp3.cpp (scummvm:x86_64+0x10085a60f)
    #2 Video::AVIDecoder::AVIAudioTrack::queueSound(Common::SeekableReadStream*) avi_decoder.cpp:1053 (scummvm:x86_64+0x101be56b1)
    #3 Video::AVIDecoder::handleNextPacket(Video::AVIDecoder::TrackStatus&) avi_decoder.cpp:557 (scummvm:x86_64+0x101bd2031)
    #4 Video::AVIDecoder::readNextPacket() avi_decoder.cpp:486 (scummvm:x86_64+0x101bcf01f)
    #5 Video::VideoDecoder::decodeNextFrame() video_decoder.cpp:188 (scummvm:x86_64+0x101ced9e5)
    #6 Video::AVIDecoder::decodeNextFrame() avi_decoder.cpp:151 (scummvm:x86_64+0x101bb5313)
    #7 Fullpipe::ModalVideoPlayer::play(char const*) modal.cpp:395 (scummvm:x86_64+0x100562e92)
    #8 Fullpipe::ModalIntro::init(int) modal.cpp:110 (scummvm:x86_64+0x10055d25a)
    #9 Fullpipe::FullpipeEngine::updateScreen() fullpipe.cpp:484 (scummvm:x86_64+0x1003f84e1)
    #10 Fullpipe::FullpipeEngine::run() fullpipe.cpp:303 (scummvm:x86_64+0x1003ef4b6)
    #11 runGame(Plugin const*, OSystem&, Common::String const&) main.cpp:264 (scummvm:x86_64+0x100e61c52)
    #12 scummvm_main main.cpp:530 (scummvm:x86_64+0x100e59e11)
    #13 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Previous read of size 4 at 0x7bc00012000c by thread T5 (mutexes: write M1650, write M1849):
  * #0 Audio::BaseMP3Stream::endOfData() const mp3.cpp:56 (scummvm:x86_64+0x10085b304)
    #1 Audio::Channel::mix(short*, unsigned int) mixer.cpp:614 (scummvm:x86_64+0x100c49cbc)
    #2 Audio::MixerImpl::mixCallback(unsigned char*, unsigned int) mixer.cpp:293 (scummvm:x86_64+0x100c4972b)
    #3 SdlMixerManager::callbackHandler(unsigned char*, int) sdl-mixer.cpp:198 (scummvm:x86_64+0x100dc917a)
    #4 SdlMixerManager::sdlCallback(void*, unsigned char*, int) sdl-mixer.cpp:205 (scummvm:x86_64+0x100dc8db5)
    #5 outputCallback <null>:1606397392 (libSDL2-2.0.0.dylib:x86_64+0x84e5f)

  Issue is caused by frames marked with "*".

  Location is heap block of size 63784 at 0x7bc000120000 allocated by main thread:
    #0 operator new(unsigned long) <null>:1606397408 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x69bee)
    #1 Audio::makePacketizedMP3Stream(unsigned int, unsigned int) mp3.cpp:549 (scummvm:x86_64+0x10085aeb1)
    #2 Video::AVIDecoder::AVIAudioTrack::createAudioStream() avi_decoder.cpp:1118 (scummvm:x86_64+0x101be7b1c)
    #3 Video::AVIDecoder::handleStreamHeader(unsigned int) avi_decoder.cpp:346 (scummvm:x86_64+0x101bc4ef5)
    #4 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:202 (scummvm:x86_64+0x101bba027)
    #5 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #6 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #7 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #8 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #9 Video::AVIDecoder::loadStream(Common::SeekableReadStream*) avi_decoder.cpp:401 (scummvm:x86_64+0x101bca443)
    #10 Video::VideoDecoder::loadFile(Common::String const&) video_decoder.cpp:93 (scummvm:x86_64+0x101ce63d9)
    #11 Fullpipe::ModalVideoPlayer::play(char const*) modal.cpp:385 (scummvm:x86_64+0x100561cbc)
    #12 Fullpipe::ModalIntro::init(int) modal.cpp:110 (scummvm:x86_64+0x10055d25a)
    #13 Fullpipe::FullpipeEngine::updateScreen() fullpipe.cpp:484 (scummvm:x86_64+0x1003f84e1)
    #14 Fullpipe::FullpipeEngine::run() fullpipe.cpp:303 (scummvm:x86_64+0x1003ef4b6)
    #15 runGame(Plugin const*, OSystem&, Common::String const&) main.cpp:264 (scummvm:x86_64+0x100e61c52)
    #16 scummvm_main main.cpp:530 (scummvm:x86_64+0x100e59e11)
    #17 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Mutex M50205 (0x7b1000119dc0) created at:
    #0 pthread_mutex_init <null>:1606397280 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x29c93)
    #1 SDL_CreateMutex_REAL <null>:1606397280 (libSDL2-2.0.0.dylib:x86_64+0x83f53)
    #2 ModularBackend::createMutex() modular-backend.cpp:234 (scummvm:x86_64+0x100e20133)
    #3 Common::Mutex::Mutex() mutex.cpp:31 (scummvm:x86_64+0x100f72197)
    #4 Common::Mutex::Mutex() mutex.cpp:29 (scummvm:x86_64+0x100f72259)
    #5 Audio::PacketizedMP3Stream::PacketizedMP3Stream(unsigned int, unsigned int) mp3.cpp:433 (scummvm:x86_64+0x10085730b)
    #6 Audio::makePacketizedMP3Stream(unsigned int, unsigned int) mp3.cpp:549 (scummvm:x86_64+0x10085af07)
    #7 Video::AVIDecoder::AVIAudioTrack::createAudioStream() avi_decoder.cpp:1118 (scummvm:x86_64+0x101be7b1c)
    #8 Video::AVIDecoder::handleStreamHeader(unsigned int) avi_decoder.cpp:346 (scummvm:x86_64+0x101bc4ef5)
    #9 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:202 (scummvm:x86_64+0x101bba027)
    #10 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #11 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #12 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #13 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #14 Video::AVIDecoder::loadStream(Common::SeekableReadStream*) avi_decoder.cpp:401 (scummvm:x86_64+0x101bca443)
    #15 Video::VideoDecoder::loadFile(Common::String const&) video_decoder.cpp:93 (scummvm:x86_64+0x101ce63d9)
    #16 Fullpipe::ModalVideoPlayer::play(char const*) modal.cpp:385 (scummvm:x86_64+0x100561cbc)
    #17 Fullpipe::ModalIntro::init(int) modal.cpp:110 (scummvm:x86_64+0x10055d25a)
    #18 Fullpipe::FullpipeEngine::updateScreen() fullpipe.cpp:484 (scummvm:x86_64+0x1003f84e1)
    #19 Fullpipe::FullpipeEngine::run() fullpipe.cpp:303 (scummvm:x86_64+0x1003ef4b6)
    #20 runGame(Plugin const*, OSystem&, Common::String const&) main.cpp:264 (scummvm:x86_64+0x100e61c52)
    #21 scummvm_main main.cpp:530 (scummvm:x86_64+0x100e59e11)
    #22 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Mutex M1650 (0x7b1000027f00) created at:
    #0 pthread_mutex_init <null>:1606397280 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x29c93)
    #1 SDL_CreateMutex_REAL <null>:1606397280 (libSDL2-2.0.0.dylib:x86_64+0x83f53)
    #2 OSystem_SDL::initBackend() sdl.cpp:262 (scummvm:x86_64+0x100ddd869)
    #3 OSystem_POSIX::initBackend() posix.cpp:76 (scummvm:x86_64+0x100dcf468)
    #4 OSystem_MacOSX::initBackend() macosx.cpp:79 (scummvm:x86_64+0x100dcc922)
    #5 scummvm_main main.cpp:437 (scummvm:x86_64+0x100e58d3d)
    #6 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Mutex M1849 (0x7b1000027f40) created at:
    #0 pthread_mutex_init <null>:1606397280 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x29c93)
    #1 SDL_CreateMutex_REAL <null>:1606397280 (libSDL2-2.0.0.dylib:x86_64+0x83f53)
    #2 ModularBackend::createMutex() modular-backend.cpp:234 (scummvm:x86_64+0x100e20133)
    #3 Common::Mutex::Mutex() mutex.cpp:31 (scummvm:x86_64+0x100f72197)
    #4 Common::Mutex::Mutex() mutex.cpp:29 (scummvm:x86_64+0x100f72259)
    #5 Audio::MixerImpl::MixerImpl(OSystem*, unsigned int) mixer.cpp:178 (scummvm:x86_64+0x100c45f02)
    #6 Audio::MixerImpl::MixerImpl(OSystem*, unsigned int) mixer.cpp:178 (scummvm:x86_64+0x100c464b5)
    #7 SdlMixerManager::init() sdl-mixer.cpp:121 (scummvm:x86_64+0x100dc7a81)
    #8 OSystem_SDL::initBackend() sdl.cpp:262 (scummvm:x86_64+0x100ddd869)
    #9 OSystem_POSIX::initBackend() posix.cpp:76 (scummvm:x86_64+0x100dcf468)
    #10 OSystem_MacOSX::initBackend() macosx.cpp:79 (scummvm:x86_64+0x100dcc922)
    #11 scummvm_main main.cpp:437 (scummvm:x86_64+0x100e58d3d)
    #12 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Thread T5 (tid=4341031, running) created by main thread at:
    #0 pthread_create <null>:1606397472 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x28dcd)
    #1 SDL_SYS_CreateThread <null>:1606397472 (libSDL2-2.0.0.dylib:x86_64+0x83b5d)
    #2 OSystem_SDL::initBackend() sdl.cpp:262 (scummvm:x86_64+0x100ddd869)
    #3 OSystem_POSIX::initBackend() posix.cpp:76 (scummvm:x86_64+0x100dcf468)
    #4 OSystem_MacOSX::initBackend() macosx.cpp:79 (scummvm:x86_64+0x100dcc922)
    #5 scummvm_main main.cpp:437 (scummvm:x86_64+0x100e58d3d)
    #6 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

SUMMARY: ThreadSanitizer: data race mp3.cpp:507 in Audio::PacketizedMP3Stream::queuePacket(Common::SeekableReadStream*)
WARNING: ThreadSanitizer: data race (pid=1031)
  Read of size 4 at 0x7bc00012000c by thread T5 (mutexes: write M1650, write M1849):
  * #0 Audio::BaseMP3Stream::endOfData() const mp3.cpp:56 (scummvm:x86_64+0x10085b304)
    #1 Audio::PacketizedMP3Stream::endOfStream() const mp3.cpp:488 (scummvm:x86_64+0x100859c14)
    #2 Audio::Channel::isFinished() const mixer.cpp:64 (scummvm:x86_64+0x100c49993)
    #3 Audio::MixerImpl::mixCallback(unsigned char*, unsigned int) mixer.cpp:289 (scummvm:x86_64+0x100c48df5)
    #4 SdlMixerManager::callbackHandler(unsigned char*, int) sdl-mixer.cpp:198 (scummvm:x86_64+0x100dc917a)
    #5 SdlMixerManager::sdlCallback(void*, unsigned char*, int) sdl-mixer.cpp:205 (scummvm:x86_64+0x100dc8db5)
    #6 outputCallback <null>:3199456 (libSDL2-2.0.0.dylib:x86_64+0x84e5f)

  Previous write of size 4 at 0x7bc00012000c by main thread (mutexes: write M50205):
  * #0 Audio::PacketizedMP3Stream::queuePacket(Common::SeekableReadStream*) mp3.cpp:507 (scummvm:x86_64+0x10085a59f)
    #1 non-virtual thunk to Audio::PacketizedMP3Stream::queuePacket(Common::SeekableReadStream*) mp3.cpp (scummvm:x86_64+0x10085a60f)
    #2 Video::AVIDecoder::AVIAudioTrack::queueSound(Common::SeekableReadStream*) avi_decoder.cpp:1053 (scummvm:x86_64+0x101be56b1)
    #3 Video::AVIDecoder::handleNextPacket(Video::AVIDecoder::TrackStatus&) avi_decoder.cpp:557 (scummvm:x86_64+0x101bd2031)
    #4 Video::AVIDecoder::readNextPacket() avi_decoder.cpp:486 (scummvm:x86_64+0x101bcf01f)
    #5 Video::VideoDecoder::decodeNextFrame() video_decoder.cpp:188 (scummvm:x86_64+0x101ced9e5)
    #6 Video::AVIDecoder::decodeNextFrame() avi_decoder.cpp:151 (scummvm:x86_64+0x101bb5313)
    #7 Fullpipe::ModalVideoPlayer::play(char const*) modal.cpp:395 (scummvm:x86_64+0x100562e92)
    #8 Fullpipe::ModalIntro::init(int) modal.cpp:110 (scummvm:x86_64+0x10055d25a)
    #9 Fullpipe::FullpipeEngine::updateScreen() fullpipe.cpp:484 (scummvm:x86_64+0x1003f84e1)
    #10 Fullpipe::FullpipeEngine::run() fullpipe.cpp:303 (scummvm:x86_64+0x1003ef4b6)
    #11 runGame(Plugin const*, OSystem&, Common::String const&) main.cpp:264 (scummvm:x86_64+0x100e61c52)
    #12 scummvm_main main.cpp:530 (scummvm:x86_64+0x100e59e11)
    #13 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Issue is caused by frames marked with "*".

  Location is heap block of size 63784 at 0x7bc000120000 allocated by main thread:
    #0 operator new(unsigned long) <null>:3199472 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x69bee)
    #1 Audio::makePacketizedMP3Stream(unsigned int, unsigned int) mp3.cpp:549 (scummvm:x86_64+0x10085aeb1)
    #2 Video::AVIDecoder::AVIAudioTrack::createAudioStream() avi_decoder.cpp:1118 (scummvm:x86_64+0x101be7b1c)
    #3 Video::AVIDecoder::handleStreamHeader(unsigned int) avi_decoder.cpp:346 (scummvm:x86_64+0x101bc4ef5)
    #4 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:202 (scummvm:x86_64+0x101bba027)
    #5 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #6 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #7 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #8 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #9 Video::AVIDecoder::loadStream(Common::SeekableReadStream*) avi_decoder.cpp:401 (scummvm:x86_64+0x101bca443)
    #10 Video::VideoDecoder::loadFile(Common::String const&) video_decoder.cpp:93 (scummvm:x86_64+0x101ce63d9)
    #11 Fullpipe::ModalVideoPlayer::play(char const*) modal.cpp:385 (scummvm:x86_64+0x100561cbc)
    #12 Fullpipe::ModalIntro::init(int) modal.cpp:110 (scummvm:x86_64+0x10055d25a)
    #13 Fullpipe::FullpipeEngine::updateScreen() fullpipe.cpp:484 (scummvm:x86_64+0x1003f84e1)
    #14 Fullpipe::FullpipeEngine::run() fullpipe.cpp:303 (scummvm:x86_64+0x1003ef4b6)
    #15 runGame(Plugin const*, OSystem&, Common::String const&) main.cpp:264 (scummvm:x86_64+0x100e61c52)
    #16 scummvm_main main.cpp:530 (scummvm:x86_64+0x100e59e11)
    #17 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Mutex M1650 (0x7b1000027f00) created at:
    #0 pthread_mutex_init <null>:3199344 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x29c93)
    #1 SDL_CreateMutex_REAL <null>:3199344 (libSDL2-2.0.0.dylib:x86_64+0x83f53)
    #2 OSystem_SDL::initBackend() sdl.cpp:262 (scummvm:x86_64+0x100ddd869)
    #3 OSystem_POSIX::initBackend() posix.cpp:76 (scummvm:x86_64+0x100dcf468)
    #4 OSystem_MacOSX::initBackend() macosx.cpp:79 (scummvm:x86_64+0x100dcc922)
    #5 scummvm_main main.cpp:437 (scummvm:x86_64+0x100e58d3d)
    #6 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Mutex M1849 (0x7b1000027f40) created at:
    #0 pthread_mutex_init <null>:3199344 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x29c93)
    #1 SDL_CreateMutex_REAL <null>:3199344 (libSDL2-2.0.0.dylib:x86_64+0x83f53)
    #2 ModularBackend::createMutex() modular-backend.cpp:234 (scummvm:x86_64+0x100e20133)
    #3 Common::Mutex::Mutex() mutex.cpp:31 (scummvm:x86_64+0x100f72197)
    #4 Common::Mutex::Mutex() mutex.cpp:29 (scummvm:x86_64+0x100f72259)
    #5 Audio::MixerImpl::MixerImpl(OSystem*, unsigned int) mixer.cpp:178 (scummvm:x86_64+0x100c45f02)
    #6 Audio::MixerImpl::MixerImpl(OSystem*, unsigned int) mixer.cpp:178 (scummvm:x86_64+0x100c464b5)
    #7 SdlMixerManager::init() sdl-mixer.cpp:121 (scummvm:x86_64+0x100dc7a81)
    #8 OSystem_SDL::initBackend() sdl.cpp:262 (scummvm:x86_64+0x100ddd869)
    #9 OSystem_POSIX::initBackend() posix.cpp:76 (scummvm:x86_64+0x100dcf468)
    #10 OSystem_MacOSX::initBackend() macosx.cpp:79 (scummvm:x86_64+0x100dcc922)
    #11 scummvm_main main.cpp:437 (scummvm:x86_64+0x100e58d3d)
    #12 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Mutex M50205 (0x7b1000119dc0) created at:
    #0 pthread_mutex_init <null>:3199344 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x29c93)
    #1 SDL_CreateMutex_REAL <null>:3199344 (libSDL2-2.0.0.dylib:x86_64+0x83f53)
    #2 ModularBackend::createMutex() modular-backend.cpp:234 (scummvm:x86_64+0x100e20133)
    #3 Common::Mutex::Mutex() mutex.cpp:31 (scummvm:x86_64+0x100f72197)
    #4 Common::Mutex::Mutex() mutex.cpp:29 (scummvm:x86_64+0x100f72259)
    #5 Audio::PacketizedMP3Stream::PacketizedMP3Stream(unsigned int, unsigned int) mp3.cpp:433 (scummvm:x86_64+0x10085730b)
    #6 Audio::makePacketizedMP3Stream(unsigned int, unsigned int) mp3.cpp:549 (scummvm:x86_64+0x10085af07)
    #7 Video::AVIDecoder::AVIAudioTrack::createAudioStream() avi_decoder.cpp:1118 (scummvm:x86_64+0x101be7b1c)
    #8 Video::AVIDecoder::handleStreamHeader(unsigned int) avi_decoder.cpp:346 (scummvm:x86_64+0x101bc4ef5)
    #9 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:202 (scummvm:x86_64+0x101bba027)
    #10 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #11 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #12 Video::AVIDecoder::handleList(unsigned int) avi_decoder.cpp:261 (scummvm:x86_64+0x101bbb509)
    #13 Video::AVIDecoder::parseNextChunk() avi_decoder.cpp:184 (scummvm:x86_64+0x101bb70d5)
    #14 Video::AVIDecoder::loadStream(Common::SeekableReadStream*) avi_decoder.cpp:401 (scummvm:x86_64+0x101bca443)
    #15 Video::VideoDecoder::loadFile(Common::String const&) video_decoder.cpp:93 (scummvm:x86_64+0x101ce63d9)
    #16 Fullpipe::ModalVideoPlayer::play(char const*) modal.cpp:385 (scummvm:x86_64+0x100561cbc)
    #17 Fullpipe::ModalIntro::init(int) modal.cpp:110 (scummvm:x86_64+0x10055d25a)
    #18 Fullpipe::FullpipeEngine::updateScreen() fullpipe.cpp:484 (scummvm:x86_64+0x1003f84e1)
    #19 Fullpipe::FullpipeEngine::run() fullpipe.cpp:303 (scummvm:x86_64+0x1003ef4b6)
    #20 runGame(Plugin const*, OSystem&, Common::String const&) main.cpp:264 (scummvm:x86_64+0x100e61c52)
    #21 scummvm_main main.cpp:530 (scummvm:x86_64+0x100e59e11)
    #22 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

  Thread T5 (tid=4341031, running) created by main thread at:
    #0 pthread_create <null>:3199536 (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x28dcd)
    #1 SDL_SYS_CreateThread <null>:3199536 (libSDL2-2.0.0.dylib:x86_64+0x83b5d)
    #2 OSystem_SDL::initBackend() sdl.cpp:262 (scummvm:x86_64+0x100ddd869)
    #3 OSystem_POSIX::initBackend() posix.cpp:76 (scummvm:x86_64+0x100dcf468)
    #4 OSystem_MacOSX::initBackend() macosx.cpp:79 (scummvm:x86_64+0x100dcc922)
    #5 scummvm_main main.cpp:437 (scummvm:x86_64+0x100e58d3d)
    #6 main macosx-main.cpp:45 (scummvm:x86_64+0x100dcbb5b)

SUMMARY: ThreadSanitizer: data race mp3.cpp:56 in Audio::BaseMP3Stream::endOfData() const

comment:7 by csnover, 2 years ago

After fixing the data race I now find the MP3 decoder usually doing an out-of-bounds read and crashing:

  1. The _synth.pcm.length size is larger than the fixed-size buffers in mad_pcm so using that unchecked in BaseMP3Stream::fillBuffer causes an out-of-bounds read of the sample buffers.
  2. libmad itself is crashing at frame.c:453 with an out-of-bounds read because it does no bounds checking and has apparently a bad value for the header’s layer type that is out of range. Not sure yet if this is because the header has not been properly initialised or because it has been initialised with bad data.

Investigation is ongoing…

comment:8 by csnover, 2 years ago

Owner: set to csnover
Resolution: fixed
Status: new → closed

Thanks for your report! A patch for this issue has been added in commit e42ade073cc1f013eae739dc37464630f1104813 and will be available in daily builds 1.10.0git-5480 and later.

If the audio thread happened to request data before a packet was ever added to the stream, it would cause the stream to never initialise the decoder’s structs and so they would contain uninitialised memory and crash.
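The following is an added illustration, not ScummVM's mp3.cpp and not the code of the commit referenced above, of the three defects discussed in comments 6 to 8 and the defensive pattern that avoids them: one mutex shared by the producer (queuePacket on the game thread) and the consumer (endOfData/readBuffer on the audio thread), a consumer that returns "no data" instead of touching a decoder that no packet has initialised yet, and a reported sample count that is clamped to the fixed-size PCM buffer before it is used as a copy length. All names here (PacketizedStream, Decoder, Packet, SynthOutput, kMaxPcmLength) are hypothetical stand-ins for the real mp3.cpp and libmad structures.

```cpp
// Added example for ticket #9653; NOT ScummVM code. Names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <mutex>
#include <vector>

// Capacity of the decoder's fixed-size PCM output (modelled on libmad's mad_pcm).
const size_t kMaxPcmLength = 1152;

// One encoded packet as the demuxer hands it over. claimedLength lets a
// constructed packet model a decoder that reports more samples than fit.
struct Packet {
    std::vector<int16_t> samples;
    size_t claimedLength;
};

struct SynthOutput {
    size_t length;                   // what the decoder says it produced
    int16_t samples[kMaxPcmLength];  // fixed-size buffer; length may exceed it
};

// Toy decoder whose "initialised" flag stands in for libmad's
// mad_stream/mad_frame/mad_synth structs, which must be set up before use.
struct Decoder {
    bool initialised;
    SynthOutput synth;
    Decoder() : initialised(false), synth() {}
    void init() { initialised = true; synth.length = 0; }
    void decode(const Packet &p) {
        size_t n = std::min(p.samples.size(), kMaxPcmLength);
        std::copy(p.samples.begin(), p.samples.begin() + n, synth.samples);
        synth.length = p.claimedLength;  // the caller must not trust this blindly
    }
};

class PacketizedStream {
public:
    PacketizedStream() : _finished(false), _pcmPos(0), _pcmLen(0) {}

    // Producer side: called by the video decoder on the game thread.
    void queuePacket(const Packet &p) {
        std::lock_guard<std::mutex> lock(_mutex);
        if (!_decoder.initialised)
            _decoder.init();             // the first packet sets up the decoder
        _queue.push_back(p);
    }
    void finish() {
        std::lock_guard<std::mutex> lock(_mutex);
        _finished = true;
    }

    // Consumer side: called from the mixer callback on the audio thread. Taking
    // the same mutex as queuePacket() removes the race ThreadSanitizer reported.
    bool endOfData() const {
        std::lock_guard<std::mutex> lock(_mutex);
        return _queue.empty() && _pcmPos == _pcmLen;
    }
    bool endOfStream() const {
        std::lock_guard<std::mutex> lock(_mutex);
        return _finished && _queue.empty() && _pcmPos == _pcmLen;
    }

    // Copies up to numSamples decoded samples into out and returns the count.
    // Returns 0 without touching the decoder when the audio thread asks for
    // data before any packet has been queued.
    size_t readBuffer(int16_t *out, size_t numSamples) {
        std::lock_guard<std::mutex> lock(_mutex);
        size_t written = 0;
        while (written < numSamples) {
            if (_pcmPos == _pcmLen) {                    // current frame used up
                if (_queue.empty() || !_decoder.initialised)
                    break;
                _decoder.decode(_queue.front());
                _queue.pop_front();
                _pcmPos = 0;
                // Clamp the reported length to the buffer's real capacity.
                _pcmLen = std::min(_decoder.synth.length, kMaxPcmLength);
            }
            size_t n = std::min(_pcmLen - _pcmPos, numSamples - written);
            std::copy(_decoder.synth.samples + _pcmPos,
                      _decoder.synth.samples + _pcmPos + n, out + written);
            _pcmPos += n;
            written += n;
        }
        return written;
    }

private:
    mutable std::mutex _mutex;
    std::deque<Packet> _queue;
    Decoder _decoder;
    bool _finished;
    size_t _pcmPos, _pcmLen;
};

int main() {
    PacketizedStream s;
    int16_t out[2048] = {0};
    // Audio callback fires before the first packet: no decode attempted.
    std::printf("before first packet: read=%zu\n", s.readBuffer(out, 512));
    Packet p = { {1, 2, 3, 4}, 4 };  // constructed sample packet
    s.queuePacket(p);
    std::printf("after one packet: read=%zu\n", s.readBuffer(out, 512));
    return 0;
}
```

The example is single-threaded on purpose: the invariants it enforces (every access to the queue and decoder under one lock, no decode before initialisation, copy length bounded by the buffer) are what a data-race-free version must hold, and they can be checked without scheduling luck. Running a build of the real code under ThreadSanitizer, as done in comment 6, is the way to confirm the same property on the actual mixer and video threads.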

comment:9 by Thunderforge, 7 days ago

Game: Full Pipe