media_addon_server crashes on shutdown

[bonefish]

hrev36539

Occasionally media_addon_server crashes when shutting down Haiku.

vm_soft_fault: va 0x6c9000 not covered by area in address space                                                                              
vm_page_fault: vm_soft_fault returned error 'Bad address' on fault at 0x6c9e30, ip 0x4f3d90, write 0, user 1, thread 0x9d                    
vm_page_fault: thread "Audio Mixer control" (157) in team "media_addon_server" (114) tried to read address 0x6c9e30, ip 0x4f3d90 ("libmedia.so_seg0ro" +0x4bd90)                                                                                                                                
debug_server: Thread 157 entered the debugger: Segment violation                                                                                
stack trace, current PC 0x4f3d90  WaitForMessage__10BMediaNodexUlPv + 0x44:
  (0x70102e9c)  0x4ee562  ControlLoop__17BMediaEventLooper + 0x1d2
  (0x70102f6c)  0x4eea13  _ControlThreadStart__17BMediaEventLooperPv + 0x37
  (0x70102fac)  0x5d50b2  thread_entry + 0x36

kdebug> teams
team           id  parent      name
0x82820000      1  0x00000000  kernel_team
0x8287da00     65  0x82820000  sshd
0x82820400     68  0x82820e00  input_server
0x82820800     40  0x82820000  registrar
0x82820a00     45  0x82820000  debug_server
0x82820e00     49  0x82820000  app_server
0x82820600    114  0x82820000  media_addon_server
0x82820c00    178  0x82820a00  Terminal
0x82820200    182  0x82820c00  gdb
kdebug> threads 114
thread         id  state     wait for   object  cpu pri  stack      team  name
0xcd124800    157  waiting   cvar   0x81305d78    - 120  0x815f5000  114  Audio Mixer control
0xcd0f1800    135  waiting   cvar   0x81306bec    -  12  0x81de0000  114  System clock control
0xcd149000    173  waiting   cvar   0x81305d14    -  10  0x81d60000  114  team 114 debug task
0xcd0f8800    114  waiting   cvar   0x81305fd0    -  10  0x81dac000  114  media_addon_server

kdebug> sc 114
stack trace for thread 114 "media_addon_server"
    kernel stack: 0x81dac000 to 0x81db0000
      user stack: 0x7efef000 to 0x7ffef000
frame               caller     <image>:function + offset
 0 81daf794 (+  48) 8006f50f   <kernel_x86> context_switch(thread*: 0xcd0f8800, thread*: 0xcd167000) + 0x003f
 1 81daf7c4 (+  96) 8006f8e0   <kernel_x86> reschedule() + 0x038c
 2 81daf824 (+  64) 80043ae9   <kernel_x86> ConditionVariableEntry<0x81daf898>::Wait(uint32: 0x20 (32), int64: 0) + 0x01a1
 3 81daf864 (+  80) 80056489   <kernel_x86>:read_port_etc + 0x018d
 4 81daf8b4 (+1440) 8007fef2   <kernel_x86> debug_debugger_message::thread_hit_debug_event_internal(NULL, int32: -2116354292, true, 0x6e72e601) + 0x0322
 5 81dafe54 (+  96) 8008016e   <kernel_x86> debug_debugger_message::thread_hit_debug_event(NULL, int32: -2116354292, true) + 0x002e
 6 81dafeb4 (+  48) 8008021a   <kernel_x86> debug_debugger_message::thread_hit_serious_debug_event(NULL, int32: -2116354292) + 0x002a
 7 81dafee4 (+  64) 80080534   <kernel_x86>:user_debug_stop_thread + 0x00a8
 8 81daff24 (+  32) 800643a5   <kernel_x86>:_user_exit_team + 0x0059
 9 81daff44 (+ 100) 80107e02   <kernel_x86>:handle_syscall + 0x00af
user iframe at 0x81daffa8 (end = 0x81db0000)
 eax 0x24           ebx 0x67427c        ecx 0x7ffeef40   edx 0xffff0114
 esi 0x678900       edi 0x7ffef540      ebp 0x7ffeef6c   esp 0x81daffdc
 eip 0xffff0114  eflags 0x207      user esp 0x7ffeef40
 vector: 0x63, error code: 0x0
10 81daffa8 (+   0) ffff0114   <commpage>:commpage_syscall + 0x0004
11 7ffeef6c (+  64) 00208b04   <_APP_>:_start + 0x0064
12 7ffeefac (+  48) 00105d62   </boot/system/runtime_loader@0x00100000>:unknown + 0x5d62
13 7ffeefdc (+   0) 7ffeefec   1949:media_addon_server_main_stack@0x7efef000 + 0xffffec

kdebug> sc 157
stack trace for thread 157 "Audio Mixer control"
    kernel stack: 0x815f5000 to 0x815f9000
      user stack: 0x700c3000 to 0x70103000
frame               caller     <image>:function + offset
 0 815f876c (+  48) 8006f50f   <kernel_x86> context_switch(thread*: 0xcd124800, thread*: 0x83063000) + 0x003f
 1 815f879c (+  96) 8006f8e0   <kernel_x86> reschedule() + 0x038c
 2 815f87fc (+  64) 80043ae9   <kernel_x86> ConditionVariableEntry<0x815f8870>::Wait(uint32: 0x20 (32), int64: 0) + 0x01a1
 3 815f883c (+  80) 80056489   <kernel_x86>:read_port_etc + 0x018d
 4 815f888c (+1440) 8007fef2   <kernel_x86> debug_debugger_message::thread_hit_debug_event_internal(0x8, int32: -2124443928, true, 0x1) + 0x0322
 5 815f8e2c (+  96) 8008016e   <kernel_x86> debug_debugger_message::thread_hit_debug_event(0x8, int32: -2124443928, true) + 0x002e
 6 815f8e8c (+  48) 8008021a   <kernel_x86> debug_debugger_message::thread_hit_serious_debug_event(0x8, int32: -2124443928) + 0x002a
 7 815f8ebc (+  80) 80080405   <kernel_x86>:user_debug_exception_occurred + 0x0045
 8 815f8f0c (+  64) 800e4dc2   <kernel_x86>:vm_page_fault + 0x0262
 9 815f8f4c (+  80) 80100e06   <kernel_x86> page_fault_exception(iframe*: 0x815f8fa8) + 0x017a
10 815f8f9c (+  12) 80107c36   <kernel_x86>:int_bottom_user + 0x005a
user iframe at 0x815f8fa8 (end = 0x815f9000)
 eax 0x700fee98     ebx 0x548d20        ecx 0x180520ac   edx 0x6c9e20
 esi 0x18052224     edi 0x7fffffff      ebp 0x70102e9c   esp 0x815f8fdc
 eip 0x4f3d90    eflags 0x10203    user esp 0x700fee4c
 vector: 0xe, error code: 0x4
11 815f8fa8 (+   0) 004f3d90   <libmedia.so> BMediaNode<0x18052224>::WaitForMessage(int64: 9223372036854775807, uint32: 0x0 (0), NULL) + 0x0044
12 70102e9c (+ 208) 004ee562   <libmedia.so> BMediaEventLooper<0x18052088>::ControlLoop(0x0) + 0x01d2
13 70102f6c (+  64) 004eea13   <libmedia.so> BMediaEventLooper<0x18052088>::_ControlThreadStart(NULL) + 0x0037
14 70102fac (+  48) 005d50b2   <libroot.so>:_get_next_team_info (nearest) + 0x0072
15 70102fdc (+   0) 70102fec   2322:Audio Mixer control_157_stack@0x700c3000 + 0x3ffec

kdebug> in_context 157 dis -b 20
0x004f3d55:               57    push %edi
0x004f3d56:               56    push %esi
0x004f3d57:               53    push %ebx
0x004f3d58:       e800000000    call 0x4f3d5d
0x004f3d5d:               5b    pop %ebx
0x004f3d5e:     81c3c34f0500    add $0x54fc3, %ebx
0x004f3d64:           8b7508    mov 0x8(%ebp), %esi
0x004f3d67:           83c4fc    add $0xfc, %esp
0x004f3d6a:           8b450c    mov 0xc(%ebp), %eax
0x004f3d6d:           8b5510    mov 0x10(%ebp), %edx
0x004f3d70:               52    push %edx
0x004f3d71:               50    push %eax
0x004f3d72:             6a10    push $0x10
0x004f3d74:       6800400000    push $0x4000
0x004f3d79:     8d8500c0ffff    lea 0xffffc000(%ebp), %eax
0x004f3d7f:               50    push %eax
0x004f3d80:     8d85fcbfffff    lea 0xffffbffc(%ebp), %eax
0x004f3d86:               50    push %eax
0x004f3d87:           83c4f4    add $0xf4, %esp
0x004f3d8a:     8b96a0000000    mov 0xa0(%esi), %edx
0x004f3d90:         0fbf4210    movsxw 0x10(%edx), %eax
0x004f3d94:             01f0    add %esi, %eax
0x004f3d96:               50    push %eax
0x004f3d97:           8b4214    mov 0x14(%edx), %eax
0x004f3d9a:             ffd0    call %eax
0x004f3d9c:           83c410    add $0x10, %esp
0x004f3d9f:               50    push %eax
0x004f3da0:       e8dfdcfeff    call 0x4e1a84
0x004f3da5:     8985f8bfffff    mov %eax, 0xffffbff8(%ebp)
0x004f3dab:           83c420    add $0x20, %esp

The main thread is already calling exit() while there are still other threads -- generally not a good idea. The thread in question (Audio Mixer control) is preparing to call ControlPort() (resolving the object pointer for the call):

0x004f3d64:           8b7508    mov 0x8(%ebp), %esi
[...]
0x004f3d8a:     8b96a0000000    mov 0xa0(%esi), %edx
0x004f3d90:         0fbf4210    movsxw 0x10(%edx), %eax

Apparently the object isn't fully valid anymore.

[luroh]

Looks like the same crash as in #5385.

[bonefish]

(In #5385) Not idea how I missed this ticket. Closing as duplicate of #5863 which has more info attached.

[Disreali]

Experienced on hrev40230-2h on real hw. Could not save backtrace.

Is there a way to get back to a desktop if the Shutdown process has been stopped as when the media_addon_server crashes?

[jonas.kirilla]

(I'm sorry if this warrants a new ticket. I wasn't sure if I should create another one.)

Lately I've been seeing the media_addon_server crash at shutdown in _atomic_or1. ​http://haiku.it.su.se:8180/source/xref/src/system/libroot/os/arch/x86/atomic.S#58

called from BTimeSource::GetTime() ​http://haiku.it.su.se:8180/source/xref/src/kits/media/TimeSource.cpp#187 I'm guessing fBuf is NULL or gone.

Is it expected that _atomic_or1 is blamed for the seg fault here? I would have expected BTimeSource::GetTime() to be blamed.

BTW, would _atomic_read(p) be better defined as using atomic_get? ​http://haiku.it.su.se:8180/source/xref/src/kits/media/TimeSource.cpp#24

[Disreali]

Experienced again on hrev40968-4h. Attaching backtrace.

[Disreali]

Still occurring on hrev41241-4h. Same backtrace as before.

[pulkomandy]

Is it still hapenning ? I haven't seen this for a long time...

[bonefish]

Yep, it still happens. AFAIK no one has worked on it yet.

[Freeman]

Hi, I'm using Vbox on hrevr1alpha4-44702 and I've never gotten this bug. Have you recently encountered this bug again?

[Disreali]

I've only experienced the issue on real hardware.

[scottmc]

This one is still with us. I see it still with R1/Alpha4.

[Giova84]

hrev46154 This bug still occurs

Debug report attached

[Giova84]

Media_addon_server crash on Haiku hrev46154

[anevilyak]

Had this crash occur while using debug versions of the server + kit, hopefully the extra information in the report helps in some way.

[anevilyak]

(In #10091) Duplicate of #5863. In the future by the way, please simply attach the crash report file rather than copy/pasting its contents into the ticket.

[korli]

To reproduce the crash easily: kill the media server, then ask the media_addon server to quit, it will then crash. I understand that two things would be to be fixed:

1. the media_addon server crash shouldn't happen
2. the media server should effectively wait for the media_addon server to be terminated on shutdown (the code had been working at least on BeOS, maybe registrar behavior is different).

[korli]

hrev46259 should avoid the media_addon server crash. Though it's no magic wand here as the lack of media_server prevents to clean up in the correct and documented way.

[Giova84]

hrev46276

Seems that hrev46259 has solved the situation, since i no longer seen media_addon_server crashing on reboot/shutdown.

[diver]

I've just got this crash at shutdown in hrev46281 (x86_64). I don't know if it's related or not.

[diver]

There is already a ticket for the last crash - #5391. Let's close this one then.

[tqh]

If it's a duplicate please don't close as fixed but as duplicate. Fixed means someone solved it.

[korli]

Replying to tqh:

If it's a duplicate please don't close as fixed but as duplicate. Fixed means someone solved it.

As explained, the original reported problem (crash in running addons threads) is fixed. The remaining problem which then appears is covered by another ticket.