Ubuntu
mythtv package

mythfrontend crashes when switching live TV channels (during malloc)

Bug #70197 reported by Malcolm Parsons
4
Affects Status Importance Assigned to Milestone
mythtv (Ubuntu)
Fix Released
Low
Kees Cook

Bug Description

When changing channel in livetv, mythfrontend aborted.

Program received signal SIGABRT, Aborted.
[Switching to Thread 1099422032 (LWP 10878)]
0x00002adddde5247b in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00002adddde5247b in raise () from /lib/libc.so.6
#1 0x00002adddde53da0 in abort () from /lib/libc.so.6
#2 0x00002adddde8953b in __libc_message () from /lib/libc.so.6
#3 0x00002adddde8eab3 in malloc_consolidate () from /lib/libc.so.6
#4 0x00002adddde90f9d in _int_malloc () from /lib/libc.so.6
#5 0x00002adddde926dd in malloc () from /lib/libc.so.6
#6 0x00002adddda4fe8d in operator new () from /usr/lib/libstdc++.so.6
#7 0x00002adddda4ffa9 in operator new[] () from /usr/lib/libstdc++.so.6
#8 0x00002adddcd392d0 in QGDict::init () from /usr/lib/libqt-mt.so.3
#9 0x00002adddcd394a0 in QGDict::QGDict () from /usr/lib/libqt-mt.so.3
#10 0x00002adddcc9ea35 in QIntDict<int>::QIntDict () from /usr/lib/libqt-mt.so.3
#11 0x00002adddcd5475c in QRegExpEngine::QRegExpEngine () from /usr/lib/libqt-mt.so.3
#12 0x00002adddcd54931 in QRegExpEngine::QRegExpEngine () from /usr/lib/libqt-mt.so.3
#13 0x00002adddcd54eff in QRegExp::prepareEngine () from /usr/lib/libqt-mt.so.3
#14 0x00002adddcd54f59 in QRegExp::prepareEngineForMatch () from /usr/lib/libqt-mt.so.3
#15 0x00002adddcd5510e in QRegExp::search () from /usr/lib/libqt-mt.so.3
#16 0x00002adddcd551be in QRegExp::search () from /usr/lib/libqt-mt.so.3
#17 0x00002adddcd5ef0b in QString::find () from /usr/lib/libqt-mt.so.3
#18 0x00002addd94339a6 in ProgramInfo::ToMap () from /usr/lib/libmythtv-0.20.so.0
#19 0x00002addd96d0576 in TV::UpdateOSDProgInfo () from /usr/lib/libmythtv-0.20.so.0
#20 0x00002addd96d495d in TV::UnpauseLiveTV () from /usr/lib/libmythtv-0.20.so.0
#21 0x00002addd96e44d6 in TV::ChangeChannel () from /usr/lib/libmythtv-0.20.so.0
#22 0x00002addd96e4c66 in TV::CommitQueuedInput () from /usr/lib/libmythtv-0.20.so.0
#23 0x00002addd96f2224 in TV::RunTV () from /usr/lib/libmythtv-0.20.so.0
#24 0x00002addd96f257d in TV::EventThread () from /usr/lib/libmythtv-0.20.so.0
#25 0x00002adddd8823ca in start_thread () from /lib/libpthread.so.0
#26 0x00002addddeef55d in clone () from /lib/libc.so.6
#27 0x0000000000000000 in ?? ()

As it's a malloc abort, I'll try valgrind next.

Revision history for this message
Malcolm Parsons (malcolm-parsons) wrote :
Download full text (6.6 KiB)

Another abort, not inside gdb this time.

2006-11-04 20:23:58.312 DPMS Deactivated
2006-11-04 20:24:56.991 TV: Attempting to change from WatchingPreRecorded to None
2006-11-04 20:24:57.436 TV: Changing from WatchingPreRecorded to None
2006-11-04 20:24:57.767 DPMS Reactivated.
*** glibc detected *** mythfrontend: munmap_chunk(): invalid pointer: 0x00002aaaaae5274f ***
*** glibc detected *** mythfrontend: munmap_chunk(): invalid pointer: 0x00002aaaaae5274f ***
======= Backtrace: =========
/lib/libc.so.6(__libc_free+0x17a)[0x2ac9137969aa]
/usr/lib/libqt-mt.so.3(_ZN7QGArrayD2Ev+0x76)[0x2ac91263aef8]
/usr/lib/libmythtv-0.20.so.0(_ZN9QMemArrayIcED1Ev+0x27)[0x2ac90ee67719]
/usr/lib/libqt-mt.so.3(_ZN7QBufferD0Ev+0x2b)[0x2ac912628031]
/usr/lib/libqt-mt.so.3(_ZN11QDataStreamD1Ev+0x53)[0x2ac912630b83]
/usr/lib/libqt-mt.so.3(_ZNK11QTranslator11findMessageEPKcS1_S1_+0x49b)[0x2ac91234bdc1]
/usr/lib/libqt-mt.so.3(_ZNK12QApplication9translateEPKcS1_S1_NS_8EncodingE+0xe5)[0x2ac9122fca31]
/usr/lib/libqt-mt.so.3(_ZN7QObject2trEPKcS1_+0x4e)[0x2ac9126cce56]
/usr/lib/libmythtv-0.20.so.0(_ZNK11ProgramInfo5ToMapER4QMapI7QStringS1_Eb+0x1cb0)[0x2ac90ed3b476]
mythfrontend[0x462e1f]
mythfrontend[0x463faa]
mythfrontend[0x464504]
/usr/lib/libqt-mt.so.3(_ZN7QWidget5eventEP6QEvent+0x5ca)[0x2ac912394932]
/usr/lib/libqt-mt.so.3(_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+0x25e)[0x2ac9122fb2d6]
/usr/lib/libqt-mt.so.3(_ZN12QApplication6notifyEP7QObjectP6QEvent+0xd40)[0x2ac9122fdb4a]
/usr/lib/libqt-mt.so.3(_ZN12QApplication20sendSpontaneousEventEP7QObjectP6QEvent+0x5e)[0x2ac91228deb4]
/usr/lib/libqt-mt.so.3(_ZN9QETWidget19translatePaintEventEPK7_XEvent+0x3d4)[0x2ac91227d648]
/usr/lib/libqt-mt.so.3(_ZN12QApplication15x11ProcessEventEP7_XEvent+0xc78)[0x2ac91228ad20]
/usr/lib/libqt-mt.so.3(_ZN10QEventLoop13processEventsEj+0x110)[0x2ac9122a156a]
/usr/lib/libqt-mt.so.3(_ZN10QEventLoop9enterLoopEv+0x73)[0x2ac91231480b]
/usr/lib/libqt-mt.so.3(_ZN12QApplication10enter_loopEv+0x22)[0x======= Backtrace: =========
/lib/libc.so.6(__libc_free+0x17a)[0x2ac9137969aa]
2ac9122fcd3a]
/usr/lib/libqt-mt.so.3(_ZN7QGArrayD2Ev+0x76)[0x2ac91263aef8]
/usr/lib/libmyth-0.20.so.0(_ZN10MythDialog4execEv+0x73)[0x2ac91060a3ff]
/usr/lib/libmythtv-0.20.so.0(_ZN9QMemArrayIcED1Ev+0x27)[0x2ac90ee67719]
/usr/lib/libqt-mt.so.3(_ZN7QBufferD0Ev+0x2b)[0x2ac912628031]
mythfrontend[0x437da0]
/usr/lib/libqt-mt.so.3mythfrontend[0x438cfe]
(_ZN11QDataStreamD1Ev+0x53)[0x2ac912630b83/usr/lib/libmythui-0.20.so.0(_ZN21MythThemedMenuPrivate12handleActionERK7QString+0x107a)[0x2ac91091f2f0]
]
/usr/lib/libmythui-0.20.so.0(_ZN21MythThemedMenuPrivate10keyHandlerER11QStringListb+0x5be)[0x2ac91091f8c8]
/usr/lib/libmythui-0.20.so.0(_ZN21MythThemedMenuPrivate15keyPressHandlerEP9QKeyEvent+0x92)[0x2ac910920022]
/usr/lib/libmythui-0.20.so.0(_ZN14MythThemedMenu13keyPressEventEP9QKeyEvent+0x53)[0x2ac9109200af]
/usr/lib/libmythui-0.20.so.0(_ZN14MythMainWindow11eventFilterEP7QObjectP6QEvent+0x221)[0x2ac9108d969b]
/usr/lib/libqt-mt.so.3(_ZN7QObject16activate_filtersEP6QEvent+0x6b)[0x2ac91235f375]
/usr/lib/libqt-mt.so.3(_ZN7QObject5eventEP6QEvent+0x42)[0x2ac91235f3ee]
/usr/lib/libqt-mt.so.3(_ZN7QWidget5eventEP6QEvent+0x2d)[0x2ac912394395]
...

Read more...

Revision history for this message
Malcolm Parsons (malcolm-parsons) wrote :
Download full text (4.1 KiB)

maybe irrelevant valgrind output:

2006-11-04 21:14:10.386 Opening OSS audio device '/dev/dsp'.
2006-11-04 21:14:10.371 msg: On same multiplex...
2006-11-04 21:14:10.752 NVP: Enabling Audio
==29230==
==29230== Thread 8:
==29230== Invalid read of size 1
==29230== at 0x6970031: RemoteFile::SetTimeout(bool) (remotefile.cpp:295)
==29230== by 0x5152EE9: RingBuffer::ReadAheadThread() (RingBuffer.cpp:780)
==29230== by 0x5153390: RingBuffer::StartReader(void*) (RingBuffer.cpp:711)
==29230== by 0x956B3C9: start_thread (in /usr/lib/debug/libpthread-2.4.so)
==29230== by 0x9BD655C: clone (in /usr/lib/debug/libc-2.4.so)
==29230== Address 0xDB88FC0 is 24 bytes inside a block of size 88 free'd
==29230== at 0x4A20135: operator delete(void*) (vg_replace_malloc.c:244)
==29230== by 0x515400E: RingBuffer::OpenFile(QString const&, unsigned) (RingBuffer.cpp:155)
==29230== by 0x5421F33: NuppelVideoPlayer::JumpToProgram() (NuppelVideoPlayer.cpp:2927)
==29230== by 0x5425CA7: NuppelVideoPlayer::StartPlaying() (NuppelVideoPlayer.cpp:3152)
==29230== by 0x53F128E: SpawnDecode(void*) (tv_play.cpp:256)
==29230== by 0x956B3C9: start_thread (in /usr/lib/debug/libpthread-2.4.so)
==29230== by 0x9BD655C: clone (in /usr/lib/debug/libc-2.4.so)
==29230==
==29230== Invalid read of size 8
==29230== at 0x697042A: RemoteFile::Read(void*, int) (remotefile.cpp:187)
==29230== by 0x5151F67: RingBuffer::safe_read(RemoteFile*, void*, unsigned) (RingBuffer.cpp:472)
==29230== by 0x5152F1A: RingBuffer::ReadAheadThread() (RingBuffer.cpp:783)
==29230== by 0x5153390: RingBuffer::StartReader(void*) (RingBuffer.cpp:711)
==29230== by 0x956B3C9: start_thread (in /usr/lib/debug/libpthread-2.4.so)
==29230== by 0x9BD655C: clone (in /usr/lib/debug/libc-2.4.so)
==29230== Address 0xDB88FF0 is 72 bytes inside a block of size 88 free'd
==29230== at 0x4A20135: operator delete(void*) (vg_replace_malloc.c:244)
==29230== by 0x515400E: RingBuffer::OpenFile(QString const&, unsigned) (RingBuffer.cpp:155)
==29230== by 0x5421F33: NuppelVideoPlayer::JumpToProgram() (NuppelVideoPlayer.cpp:2927)
==29230== by 0x5425CA7: NuppelVideoPlayer::StartPlaying() (NuppelVideoPlayer.cpp:3152)
==29230== by 0x53F128E: SpawnDecode(void*) (tv_play.cpp:256)
==29230== by 0x956B3C9: start_thread (in /usr/lib/debug/libpthread-2.4.so)
==29230== by 0x9BD655C: clone (in /usr/lib/debug/libc-2.4.so)
2006-11-04 21:14:25.467 RingBuf(myth://127.0.0.1:6543/1004_20061104211414.mpg) Error: RingBuffer::safe_read(RemoteFile* ...): read failed
==29230==
==29230== Invalid read of size 8
==29230== at 0x6971686: RemoteFile::Seek(long long, int, long long) (remotefile.cpp:145)
==29230== by 0x5152183: RingBuffer::safe_read(RemoteFile*, void*, unsigned) (RingBuffer.cpp:478)
==29230== by 0x5152F1A: RingBuffer::ReadAheadThread() (RingBuffer.cpp:783)
==29230== by 0x5153390: RingBuffer::StartReader(void*) (RingBuffer.cpp:711)
==29230== by 0x956B3C9: start_thread (in /usr/lib/debug/libpthread-2.4.so)
==29230== by 0x9BD655C: clone (in /usr/lib/debug/libc-2.4.so)
==29230== Address 0xDB88FF0 is 72 bytes inside a block of size 88 free'd
==29230== at 0x4A20135: operato...

Read more...

Revision history for this message
Timothy Smith (tas50) wrote :

Can you post a lspci so we can see what cards you are using. If possible can you test this issue on Feisty.

Revision history for this message
Malcolm Parsons (malcolm-parsons) wrote :

lspci:

00:00.0 Memory controller: nVidia Corporation CK804 Memory Controller (rev a3)
00:01.0 ISA bridge: nVidia Corporation CK804 ISA Bridge (rev a3)
00:01.1 SMBus: nVidia Corporation CK804 SMBus (rev a2)
00:02.0 USB Controller: nVidia Corporation CK804 USB Controller (rev a2)
00:02.1 USB Controller: nVidia Corporation CK804 USB Controller (rev a3)
00:04.0 Multimedia audio controller: nVidia Corporation CK804 AC'97 Audio Controller (rev a2)
00:06.0 IDE interface: nVidia Corporation CK804 IDE (rev f2)
00:07.0 IDE interface: nVidia Corporation CK804 Serial ATA Controller (rev f3)
00:08.0 IDE interface: nVidia Corporation CK804 Serial ATA Controller (rev f3)
00:09.0 PCI bridge: nVidia Corporation CK804 PCI Bridge (rev a2)
00:0a.0 Bridge: nVidia Corporation CK804 Ethernet Controller (rev a3)
00:0b.0 PCI bridge: nVidia Corporation CK804 PCIE Bridge (rev a3)
00:0c.0 PCI bridge: nVidia Corporation CK804 PCIE Bridge (rev a3)
00:0d.0 PCI bridge: nVidia Corporation CK804 PCIE Bridge (rev a3)
00:0e.0 PCI bridge: nVidia Corporation CK804 PCIE Bridge (rev a3)
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:00.0 VGA compatible controller: nVidia Corporation NV43 [GeForce 6600] (rev a2)
05:07.0 Multimedia video controller: Conexant CX23880/1/2/3 PCI Video and Audio Decoder (rev 05)
05:07.2 Multimedia controller: Conexant CX23880/1/2/3 PCI Video and Audio Decoder [MPEG Port] (rev 05)
05:07.4 Multimedia controller: Conexant CX23880/1/2/3 PCI Video and Audio Decoder [IR Port] (rev 05)

I'm still running edgy.
This bug is hard to reproduce, so if I upgrade it will take a few weeks of testing to see if it still crashes.

Revision history for this message
Kees Cook (kees) wrote :

Can you see if this crash still happens with the latest mythtv from Feisty?

Changed in mythtv:
assignee: nobody → keescook
importance: Undecided → Low
status: Unconfirmed → Needs Info
Revision history for this message
Malcolm Parsons (malcolm-parsons) wrote :

mythfrontend seems stable in feisty.

Revision history for this message
Kees Cook (kees) wrote :

This bug report is being closed due to your last comment regarding this being fixed with an update. Thanks again for taking the time to report this bug and helping to make Ubuntu better. Please do not hesitate to submit any future bugs you may find.

Changed in mythtv:
status: Needs Info → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.