(Filing a new bug as requested by @Tanu Kaskinen @ https://bugs.freedesktop.org/show_bug.cgi?id=93443#c28). PA 11.1 on Fedora 26 (pulseaudio-11.1-2.fc26.src.rpm) I can reproduce a crash reliably by restarting Chrome (Stable 62, 64-bit), playing a YouTube video, and then switching profiles from headset to speakers. The command that causes the crash is: pactl set-card-profile alsa_card.pci-0000_00_1b.0 output:analog-surround-40+input:analog-stereo This causes the crash. At this point Chrome continues to output audio correctly, but loses access to the mic. Subsequent switches between headset and speakers work fine, but Chrome's access to the mic remains broken. Once Chrome is restarted mic access is restored, but the crash can easily be reproduced again. Another interesting thing is that a switch in the opposite direction -- from speakers to headset -- does not cause a crash. I will attach the output of `pactl list` just before the set-card-profile command, as well as the abrt data which contains the back-trace.
Created attachment 135189 [details] pactl list just before crash command
Thanks! I'm marking this as a release blocker. You forgot to attach the abrt data, by the way.
Tanu, for some reason the coredump generated by abrt is always truncated: BFD: Warning: /var/spool/abrt/ccpp-2017-11-03-02:59:39.422477-24210/coredump is truncated: expected core file size >= 4670910464, found: 2147483648. When I try to reproduce the problem by running pulseaudio under gdb so I can get a backtrace, so far I have been unable to reproduce it -- though interestingly, if Zoiper with echo cancelling module is running, the actual switch doesn't work, there is no crash -- if Zoiper is not running then the switch (usually) works perfectly. Will report back with a backtrace if I can get one.
Abrt seems to be truncating the coredump at the 2gb boundary. Not sure why the pulseaudio coredump should be so large in the first place, but I'll look into it.
Here is the backtrace: (gdb) bt #0 0x00005555559ba140 in ?? () #1 0x00007ffff7b973f6 in pa_object_cast (o=0x555555992560) at pulsecore/object.h:62 #2 pa_source_assert_ref (o=0x555555992560) at pulsecore/source.h:254 #3 pa_source_set_volume (s=0x555555992560, volume=volume@entry=0x7fffffffcb20, send_msg=send_msg@entry=true, save=save@entry=false) at pulsecore/source.c:1605 #4 0x00007fffa4f4a131 in canceller_process_msg_cb (o=<optimized out>, code=<optimized out>, userdata=0x5555, offset=<optimized out>, chunk=<optimized out>) at modules/echo-cancel/module-echo-cancel.c:1565 #5 0x00007ffff7b995d3 in asyncmsgq_read_cb (api=0x55555576cb28, e=<optimized out>, fd=<optimized out>, events=<optimized out>, userdata=<optimized out>) at pulsecore/thread-mq.c:69 #6 0x00007ffff78fe888 in dispatch_pollfds (m=0x55555576cad0) at pulse/mainloop.c:655 #7 pa_mainloop_dispatch (m=m@entry=0x55555576cad0) at pulse/mainloop.c:898 #8 0x00007ffff78fec5e in pa_mainloop_iterate (m=0x55555576cad0, block=<optimized out>, retval=0x7fffffffcd38) at pulse/mainloop.c:929 #9 0x00007ffff78fece0 in pa_mainloop_run (m=0x55555576cad0, retval=0x7fffffffcd38) at pulse/mainloop.c:944 #10 0x000055555555b33e in main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:1142 (gdb) #0 0x00005555559ba140 in ?? () #1 0x00007ffff7b973f6 in pa_object_cast (o=0x555555992560) at pulsecore/object.h:62 #2 pa_source_assert_ref (o=0x555555992560) at pulsecore/source.h:254 #3 pa_source_set_volume (s=0x555555992560, volume=volume@entry=0x7fffffffcb20, send_msg=send_msg@entry=true, save=save@entry=false) at pulsecore/source.c:1605 #4 0x00007fffa4f4a131 in canceller_process_msg_cb (o=<optimized out>, code=<optimized out>, userdata=0x5555, offset=<optimized out>, chunk=<optimized out>) at modules/echo-cancel/module-echo-cancel.c:1565 #5 0x00007ffff7b995d3 in asyncmsgq_read_cb (api=0x55555576cb28, e=<optimized out>, fd=<optimized out>, events=<optimized out>, userdata=<optimized out>) at pulsecore/thread-mq.c:69 #6 0x00007ffff78fe888 in dispatch_pollfds (m=0x55555576cad0) at pulse/mainloop.c:655 #7 pa_mainloop_dispatch (m=m@entry=0x55555576cad0) at pulse/mainloop.c:898 #8 0x00007ffff78fec5e in pa_mainloop_iterate (m=0x55555576cad0, block=<optimized out>, retval=0x7fffffffcd38) at pulse/mainloop.c:929 #9 0x00007ffff78fece0 in pa_mainloop_run (m=0x55555576cad0, retval=0x7fffffffcd38) at pulse/mainloop.c:944 #10 0x000055555555b33e in main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:1142 (gdb) #0 0x00005555559ba140 in ?? () #1 0x00007ffff7b973f6 in pa_object_cast (o=0x555555992560) at pulsecore/object.h:62 #2 pa_source_assert_ref (o=0x555555992560) at pulsecore/source.h:254 #3 pa_source_set_volume (s=0x555555992560, volume=volume@entry=0x7fffffffcb20, send_msg=send_msg@entry=true, save=save@entry=false) at pulsecore/source.c:1605 #4 0x00007fffa4f4a131 in canceller_process_msg_cb (o=<optimized out>, code=<optimized out>, userdata=0x5555, offset=<optimized out>, chunk=<optimized out>) at modules/echo-cancel/module-echo-cancel.c:1565 #5 0x00007ffff7b995d3 in asyncmsgq_read_cb (api=0x55555576cb28, e=<optimized out>, fd=<optimized out>, events=<optimized out>, userdata=<optimized out>) at pulsecore/thread-mq.c:69 #6 0x00007ffff78fe888 in dispatch_pollfds (m=0x55555576cad0) at pulse/mainloop.c:655 #7 pa_mainloop_dispatch (m=m@entry=0x55555576cad0) at pulse/mainloop.c:898 #8 0x00007ffff78fec5e in pa_mainloop_iterate (m=0x55555576cad0, block=<optimized out>, retval=0x7fffffffcd38) at pulse/mainloop.c:929 #9 0x00007ffff78fece0 in pa_mainloop_run (m=0x55555576cad0, retval=0x7fffffffcd38) at pulse/mainloop.c:944 #10 0x000055555555b33e in main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:1142 (gdb) #0 0x00005555559ba140 in ?? () #1 0x00007ffff7b973f6 in pa_object_cast (o=0x555555992560) at pulsecore/object.h:62 #2 pa_source_assert_ref (o=0x555555992560) at pulsecore/source.h:254 #3 pa_source_set_volume (s=0x555555992560, volume=volume@entry=0x7fffffffcb20, send_msg=send_msg@entry=true, save=save@entry=false) at pulsecore/source.c:1605 #4 0x00007fffa4f4a131 in canceller_process_msg_cb (o=<optimized out>, code=<optimized out>, userdata=0x5555, offset=<optimized out>, chunk=<optimized out>) at modules/echo-cancel/module-echo-cancel.c:1565 #5 0x00007ffff7b995d3 in asyncmsgq_read_cb (api=0x55555576cb28, e=<optimized out>, fd=<optimized out>, events=<optimized out>, userdata=<optimized out>) at pulsecore/thread-mq.c:69 #6 0x00007ffff78fe888 in dispatch_pollfds (m=0x55555576cad0) at pulse/mainloop.c:655 #7 pa_mainloop_dispatch (m=m@entry=0x55555576cad0) at pulse/mainloop.c:898 #8 0x00007ffff78fec5e in pa_mainloop_iterate (m=0x55555576cad0, block=<optimized out>, retval=0x7fffffffcd38) at pulse/mainloop.c:929 #9 0x00007ffff78fece0 in pa_mainloop_run (m=0x55555576cad0, retval=0x7fffffffcd38) at pulse/mainloop.c:944 #10 0x000055555555b33e in main (argc=<optimized out>, argv=<optimized out>) at daemon/main.c:1142
It looks like u->source is being accessed after it has been freed. I found out one possible reason for that. I'll attach a patch, can you test it? I didn't try reproducing the crash myself yet, because setting up things takes some effort.
Created attachment 135300 [details] [review] 0001-echo-cancel-ignore-remaining-canceller-messages-afte.patch
I've tested the patch on top of pulseaudio-11.1-5.fc26 which is in Fedora updates-testing. So far I am unable to reproduce the crash, and everything is working great -- audio is switching between headset and speakers just as it should!
Great! Thanks for testing. I submitted the patch to the mailing list: https://patchwork.freedesktop.org/patch/187359/
The fix is now in master.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.