NetBSD Problem Report #52195
From Manuel.Bouyer@lip6.fr Tue Apr 25 21:10:53 2017
Return-Path: <Manuel.Bouyer@lip6.fr>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 718AD7A111
for <gnats-bugs@gnats.NetBSD.org>; Tue, 25 Apr 2017 21:10:53 +0000 (UTC)
Message-Id: <20170425211047.EE879A93B@armandeche.soc.lip6.fr>
Date: Tue, 25 Apr 2017 23:10:47 +0200 (MEST)
From: bouyer@antioche.eu.org
Reply-To: bouyer@antioche.eu.org
To: gnats-bugs@NetBSD.org
Subject: segfault in audio_fill_silence()
X-Send-Pr-Version: 3.95
>Number: 52195
>Category: kern
>Synopsis: segfault in audio_fill_silence()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: nat
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 25 21:15:00 +0000 2017
>Closed-Date: Wed May 03 11:10:25 +0000 2017
>Last-Modified: Wed May 03 11:10:25 +0000 2017
>Originator: Manuel Bouyer
>Release: HEAD as of 21 Apr
>Organization:
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
>Environment:
System: NetBSD chartplotter 7.99.70 NetBSD 7.99.70 (CHARTPLOTTER) #7: Fri Apr 21 18:57:58 MEST 2017 evbarm
Architecture: earmv7hf
Machine: evbarm
>Description:
Playing a .wav with audioplay, and then with mplayer,
I ended up with a trap fault in audio_fill_silence().
This is after the userland program closed the device.
Last message was (hand-copied):
audio_drain: chan=1, used=9600, drops=0
uvm_fault(...)
stopped in pid 0.30 at netbsd:audio_fill_silence+0x80
backtrace is:
audio_fill_silence+0x80
audio_mix.part.27+0x61c
audio_play_thread+0x90
audio_fill_silence+0x80 translates to:
0x802074a4 is in audio_fill_silence (/local/armandeche1/can/src/sys/dev/audio.c:2686).
2681 auzero0 = 0;
2682 break;
2683 }
2684 if (nfill == 1) {
2685 while (--n >= 0)
2686 *p++ = auzero0; /* XXX memset */
2687 } else /* nfill must no longer be 2 */ {
2688 if (params->encoding == AUDIO_ENCODING_ULINEAR_LE) {
2689 int k = nfill;
2690 while (--k > 0)
>How-To-Repeat:
audioplay a
RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 22050 Hz
with audioplay, and then mplayer. It may not be reproducible;
I'll try to reproduce with a serial console.
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->nat
Responsible-Changed-By: nat@NetBSD.org
Responsible-Changed-When: Tue, 25 Apr 2017 22:11:20 +0000
Responsible-Changed-Why:
Take.
From: Nathanial Sloss <nat@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52195 (segfault in audio_fill_silence())
Date: Wed, 26 Apr 2017 08:15:42 +1000
Hi,
What is the offending portion of code in the previous function of the backtrace?
The audio_mix.part.27+0x61c?
Best regards,
Nat
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@netbsd.org
Cc: nat@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/52195 (segfault in audio_fill_silence())
Date: Wed, 26 Apr 2017 09:13:30 +0200
On Tue, Apr 25, 2017 at 10:20:01PM +0000, Nathanial Sloss wrote:
> The following reply was made to PR kern/52195; it has been noted by GNATS.
>
> From: Nathanial Sloss <nat@netbsd.org>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: kern/52195 (segfault in audio_fill_silence())
> Date: Wed, 26 Apr 2017 08:15:42 +1000
>
> Hi,
>
> What is the offending portion of code in the previous function of the backtrace?
>
> The audio_mix.part.27+0x61c?
gdb tells me:
(gdb) l *(audio_mix+0x61c)
0x8020a6d4 is in audio_mix (/local/armandeche1/can/src/sys/dev/audio_if.h:107).
102 static __inline uint8_t *
103 audio_stream_add_inp(audio_stream_t *s, uint8_t *v, int diff)
104 {
105 s->used += diff;
106 v += diff;
107 if (v >= s->end)
108 v -= s->end - s->start;
109 return v;
110 }
but this doesn't make much sense. nm shows that audio_mix.part.27 is at
0x8020a0b8, but 0x8020a0b8+0x61c points to the same place in code.
Maybe this is better:
(gdb) l *(audio_mix+0x618)
0x8020a6d0 is in audio_mix (/local/armandeche1/can/src/sys/dev/audio.c:3531).
3526 } else {
3527 vc->sc_sil_start = inp;
3528 vc->sc_sil_count = cc;
3529 DPRINTFN(5, ("audio_pint_silence: start fill %p %d\n",
3530 inp, cc));
3531 audio_fill_silence(&cb->s.param, inp, cc);
3532 }
3533 }
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
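The backtrace above shows audio_fill_silence() faulting in a plain `*p++ = auzero0` loop that was handed a start pointer and a byte count from the mix ring (audio_fill_silence(&cb->s.param, inp, cc)), while the ring's own pointer arithmetic (audio_stream_add_inp()) wraps at s->end. The following is an added illustrative example, not code from NetBSD's audio.c: it models a ring with the start/end/used fields visible in the gdb listing, reproduces the add_inp wrap arithmetic, and shows a fill routine that splits a request at the ring end and rejects a count larger than the ring, so the straight-line fill loop can never run past the buffer. The struct name ring_t, the extra inp field and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ring-buffer stream modelled on the audio_stream_t fields the
 * gdb listing in the PR shows (start, end, used). The name ring_t and the
 * inp field are assumptions for this example. */
typedef struct {
    uint8_t *start;   /* first byte of the ring */
    uint8_t *end;     /* one past the last byte */
    uint8_t *inp;     /* producer pointer */
    int      used;    /* bytes currently queued */
} ring_t;

/* Same arithmetic as audio_stream_add_inp() quoted in the PR:
 * advance the pointer and wrap it once it reaches the end. */
static uint8_t *
ring_add_inp(ring_t *s, uint8_t *v, int diff)
{
    s->used += diff;
    v += diff;
    if (v >= s->end)
        v -= s->end - s->start;
    return v;
}

/* The shape of the loop that faulted: a straight-line store of cc bytes
 * from p. It has no idea where the buffer ends, so the caller must
 * guarantee that p .. p+cc-1 is inside the ring. */
static void
fill_silence_linear(uint8_t *p, int cc, uint8_t silence)
{
    while (--cc >= 0)
        *p++ = silence;
}

/* Ring-aware fill: validate the request against the ring bounds and split
 * it at s->end so no store runs past the buffer. Returns the number of
 * bytes written, 0 when the request was rejected. */
static int
ring_fill_silence(ring_t *s, uint8_t *p, int cc, uint8_t silence)
{
    ptrdiff_t cap = s->end - s->start;

    if (cc < 0 || cc > cap || p < s->start || p >= s->end)
        return 0;                       /* bad pointer or oversize count */

    int first = (int)(s->end - p);      /* bytes left before the wrap */
    if (first > cc)
        first = cc;
    fill_silence_linear(p, first, silence);
    if (cc > first)                     /* remainder goes to the ring start */
        fill_silence_linear(s->start, cc - first, silence);
    return cc;
}

/* Constructed scenario: a 16-byte ring prefilled with 0xAA and a fill that
 * straddles the end. Returns how many bytes of the ring hold silence
 * afterwards (8 if the split fill touched exactly the requested bytes),
 * or -1 if the fill or the wrap arithmetic misbehaved. */
int
demo_wrap_fill(void)
{
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);
    ring_t s = { buf, buf + sizeof buf, buf, 0 };
    uint8_t *inp = buf + 12;
    const uint8_t silence = 0x80;       /* silence level for unsigned linear PCM */

    if (ring_fill_silence(&s, inp, 8, silence) != 8)
        return -1;
    inp = ring_add_inp(&s, inp, 8);     /* should wrap to buf + 4 */
    if (inp != buf + 4 || s.used != 8)
        return -1;

    int n = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] == silence)
            n++;
    return n;
}

/* A request larger than the whole ring must be refused (returns 0). */
int
demo_reject_oversize(void)
{
    uint8_t buf[16];
    ring_t s = { buf, buf + sizeof buf, buf, 0 };
    return ring_fill_silence(&s, buf + 4, 17, 0x80);
}

int
main(void)
{
    printf("bytes of silence after wrapped fill: %d\n", demo_wrap_fill());
    printf("oversize request wrote: %d bytes\n", demo_reject_oversize());
    return 0;
}
```

The point of the split is the one the backtrace makes: once the producer pointer is allowed to wrap, any helper that receives only (pointer, count) is one bad count away from writing outside the ring, and a kernel-side fault in that loop is the symptom.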
From: Robert Elz <kre@munnari.OZ.AU>
To: Manuel Bouyer <bouyer@antioche.eu.org>
Cc: gnats-bugs@netbsd.org, nat@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/52195 (segfault in audio_fill_silence())
Date: Wed, 26 Apr 2017 15:23:16 +0700
Date: Wed, 26 Apr 2017 09:13:30 +0200
From: Manuel Bouyer <bouyer@antioche.eu.org>
Message-ID: <20170426071330.GA1937@antioche.eu.org>
| but this doesn't make much sense. nm shows that audio_mix.part.27 is at
| 0x8020a0b8, but 0x8020a0b8+0x61c points to the same place in code.
It is an inline function, it will be duplicated.
kre
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: Robert Elz <kre@munnari.OZ.AU>
Cc: gnats-bugs@netbsd.org, nat@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/52195 (segfault in audio_fill_silence())
Date: Wed, 26 Apr 2017 10:27:52 +0200
On Wed, Apr 26, 2017 at 03:23:16PM +0700, Robert Elz wrote:
> Date: Wed, 26 Apr 2017 09:13:30 +0200
> From: Manuel Bouyer <bouyer@antioche.eu.org>
> Message-ID: <20170426071330.GA1937@antioche.eu.org>
>
> | but this doesn't make much sense. nm shows that audio_mix.part.27 is at
> | 0x8020a0b8, but 0x8020a0b8+0x61c points to the same place in code.
>
> It is an inline function, it will be duplicated.
Sure, my point is that 0x8020a0b8+0x61c or audio_mix+0x61c both point to
a place in the code that doesn't match the stack trace and the panic.
audio_mix+0x618 and 0x8020a0b8+0x618 match much better.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
From: "Nathanial Sloss" <nat@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52195 CVS commit: src/sys/dev
Date: Wed, 26 Apr 2017 11:32:04 +0000
Module Name: src
Committed By: nat
Date: Wed Apr 26 11:32:04 UTC 2017
Modified Files:
src/sys/dev: audio.c
Log Message:
Improved blksize calculation.
audio_fill_silence instead of audio_pint_silence for the mix ring.
Addresses PR kern/52195.
To generate a diff of this commit:
cvs rdiff -u -r1.327 -r1.328 src/sys/dev/audio.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: nat@NetBSD.org
State-Changed-When: Wed, 03 May 2017 03:36:03 +0000
State-Changed-Why:
Due to changes in audio.c this should be fixed.
OK to close?
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@NetBSD.org
Cc: nat@NetBSD.org, netbsd-bugs@netbsd.org, gnats-admin@netbsd.org
Subject: Re: kern/52195 (segfault in audio_fill_silence())
Date: Wed, 3 May 2017 09:55:38 +0200
On Wed, May 03, 2017 at 03:36:03AM +0000, nat@NetBSD.org wrote:
> Synopsis: segfault in audio_fill_silence()
>
> State-Changed-From-To: open->feedback
> State-Changed-By: nat@NetBSD.org
> State-Changed-When: Wed, 03 May 2017 03:36:03 +0000
> State-Changed-Why:
> Due to changes in audio.c this should be fixed.
> OK to close?
Yes, it's OK for me.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
State-Changed-From-To: feedback->closed
State-Changed-By: nat@NetBSD.org
State-Changed-When: Wed, 03 May 2017 11:10:25 +0000
State-Changed-Why:
Confirmed fixed.
>Unformatted: