Possible String related crash

Tsuda Kageyu tsuda.kageyu at gmail.com
Sun Oct 13 00:13:51 UTC 2013


After reading your report with interest, I had a brief look at the code.
Though I couldn't locate the problem, I found some functions which are
possibly vulnerable to concurrent calls and made a pull request to fix
it:
https://github.com/taglib/taglib/pull/300

Hope it can help you.

Kageyu.

>I've had this issue for around a year and I've traced basically every line
>of my code and cannot find any issues.  I've looked through the taglib code
>and cannot find the exact cause either, but for some reason once in a while
>I'll get a stack trace that comes down to destroying a String.
>
>This is on Android so the stack traces are not the greatest:
>
>#02 pc 000f9eff
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(operator delete(void*)+6)
>#03 pc 000f9f07
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(operator delete[](void*)+2)
>#04 pc 000d1eeb
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::String::~String()+38)
>#05 pc 000e4fd9
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::TagUnion::comment() const+48)
>#06 pc 00098b90
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(Java_gonemad_gmmp_taglibjni_Tag_scan+752)
>
>
>#02 pc 000fa6f0
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(std::__stl_throw_length_error(char const*)+8)
>#03 pc 000d224b
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(std::basic_string<wchar_t, std::char_traits<wchar_t>,
>std::allocator<wchar_t> >::_M_compute_next_size(unsigned int)+50)
>#04 pc 000d3287
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(std::basic_string<wchar_t, std::char_traits<wchar_t>,
>std::allocator<wchar_t> >::_M_append(wchar_t const*, wchar_t const*)+102)
>#05 pc 000d3365
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::String::append(TagLib::String const&)+20)
>#06 pc 000d33bf
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(operator+(TagLib::String const&, TagLib::String const&)+14)
>#07 pc 000c2ad9
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::ID3v1::genre(int)+36)
>#08 pc 000c3c77
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::ID3v2::FrameFactory::updateGenre(TagLib::ID3v2::
>TextIdentificationFrame*)
>const+350)
>#09 pc 000c3ecf
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::ID3v2::FrameFactory::createFrame(TagLib::ByteVector const&,
>TagLib::ID3v2::Header*) const+522)
>#10 pc 000c5291
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::ID3v2::Tag::parse(TagLib::ByteVector const&)+164)
>#11 pc 000c544d
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::ID3v2::Tag::read()+120)
>#12 pc 000c5503
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::ID3v2::Tag::Tag(TagLib::File*, long, TagLib::ID3v2::FrameFactory
>const*)+102)
>#13 pc 000c106f
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::MPEG::File::read(bool, TagLib::AudioProperties::ReadStyle)+50)
>#14 pc 000c12bb
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::MPEG::File::File(char const*, bool,
>TagLib::AudioProperties::ReadStyle)+106)
>#15 pc 000e5a75
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::FileRef::create(char const*, bool,
>TagLib::AudioProperties::ReadStyle)+252)
>#16 pc 000e60f1
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(TagLib::FileRef::FileRef(char const*, bool,
>TagLib::AudioProperties::ReadStyle)+20)
>#17 pc 000988ec
>/data/app-lib/com.jrtstudio.AnotherMusicPlayer-1/libgm_audioengine.so
>(Java_gonemad_gmmp_taglibjni_Tag_scan+76)
>
>
>#00  pc 0001183a  /system/lib/libc.so (dlfree+57)
>10-11 09:41:53.647 I/DEBUG   (303):     #01  pc 0000cf73
> /system/lib/libc.so (free+10)
>10-11 09:41:53.647 I/DEBUG   (303):     #02  pc 000faccb
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so (operator
>delete(void*)+6)
>10-11 09:41:53.647 I/DEBUG   (303):     #03  pc 000d2c6d
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::String::~String()+80)
>10-11 09:41:53.647 I/DEBUG   (303):     #04  pc 000c3241
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::ID3v1::Tag::~Tag()+24)
>10-11 09:41:53.647 I/DEBUG   (303):     #05  pc 000c327d
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::ID3v1::Tag::~Tag()+4)
>10-11 09:41:53.647 I/DEBUG   (303):     #06  pc 000e587d
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::TagUnion::TagUnionPrivate::~TagUnionPrivate()+44)
>10-11 09:41:53.647 I/DEBUG   (303):     #07  pc 000e58b7
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::TagUnion::~TagUnion()+22)
>10-11 09:41:53.647 I/DEBUG   (303):     #08  pc 000c15f9
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::MPEG::File::~File()+36)
>10-11 09:41:53.647 I/DEBUG   (303):     #09  pc 000c1615
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::MPEG::File::~File()+4)
>10-11 09:41:53.647 I/DEBUG   (303):     #10  pc 000e61e3
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::FileRef::~FileRef()+42)
>10-11 09:41:53.647 I/DEBUG   (303):     #11  pc 000e61f9
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(TagLib::FileRef::~FileRef()+4)
>10-11 09:41:53.647 I/DEBUG   (303):     #12  pc 00099ae4
> /data/app-lib/gonemad.gmmp-1/libgm_audioengine.so
>(Java_gonemad_gmmp_taglibjni_Tag_scan+1396)
>
>And I have many more similar ones, but in different parts of taglib.  The only
>common thing I can trace is the use of String::null.  The second trace I
>posted happens in this chunk of code adding 2 static strings:
>
>String ID3v1::genre(int i)
>{
>  if(i >= 0 && i < genresSize)
>    return genres[i] + String::null; // always make a copy
>  return String::null;
>}
>
>Is there a possibility that String::null is somehow being deleted due to
>some race condition?  I am using taglib in multiple threads at the same
>time.  Any ideas?
>
>-- 
>-Kyle
>
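The hazard Kyle is asking about in the quoted message is a reference count on a process-wide shared string (String::null, but equally the static entries of the genre table that `genres[i] + String::null` copies before detaching) being incremented and decremented from several threads without synchronization. The following is an added illustration, not TagLib's code and not the contents of the pull request above: a stripped-down implicitly-shared string class (`SharedString`, a constructed name) whose count is an `std::atomic`, a constructed three-entry genre table with the same shape as the quoted `ID3v1::genre()`, and a stress function that copies and drops the shared statics from several threads and then checks that every count returned to one. The comments mark where a plain integer count would produce the symptom in the traces: two owners both observing the count fall to zero, so the buffer is freed while one of them still points to it.

```cpp
#include <atomic>
#include <string>
#include <thread>
#include <utility>
#include <vector>

// Minimal implicitly-shared string: copies share one buffer and a reference
// count; the count is atomic so the last owner is determined correctly even
// when copies are created and dropped from several threads at once.
class SharedString {
  struct Private {
    std::atomic<long> ref;   // a plain `long` here would be the data race
    std::wstring data;
    explicit Private(const std::wstring &s) : ref(1), data(s) {}
  };
  Private *d;

  // Drop one reference; exactly one caller sees the count fall to zero and
  // frees the buffer. With a non-atomic count two threads can both read 1
  // (double delete, i.e. a crash inside the destructor) or neither can (leak).
  void release() {
    if (d->ref.fetch_sub(1, std::memory_order_acq_rel) == 1)
      delete d;
  }

public:
  SharedString() : d(new Private(L"")) {}
  explicit SharedString(const wchar_t *s) : d(new Private(s)) {}
  SharedString(const SharedString &o) : d(o.d) {
    d->ref.fetch_add(1, std::memory_order_relaxed);  // share, don't copy
  }
  SharedString &operator=(SharedString o) { std::swap(d, o.d); return *this; }
  ~SharedString() { release(); }

  // Appending never mutates a buffer that may be shared: build a fresh one
  // and let go of the old reference (copy-on-write).
  SharedString &append(const SharedString &o) {
    Private *fresh = new Private(d->data + o.d->data);
    release();
    d = fresh;
    return *this;
  }

  const std::wstring &str() const { return d->data; }
  long useCount() const { return d->ref.load(std::memory_order_acquire); }
  bool sharesBufferWith(const SharedString &o) const { return d == o.d; }

  static const SharedString null;  // process-wide empty instance, like String::null
};
const SharedString SharedString::null;

SharedString operator+(const SharedString &a, const SharedString &b) {
  SharedString s(a);  // touches a's count even though a's buffer is never modified
  s.append(b);
  return s;
}

// Constructed genre table with the same shape as the quoted ID3v1::genre().
static const SharedString genres[] = {
  SharedString(L"Blues"), SharedString(L"Classic Rock"), SharedString(L"Country")
};
static const int genresSize = 3;

SharedString genre(int i) {
  if (i >= 0 && i < genresSize)
    return genres[i] + SharedString::null;  // always make a copy
  return SharedString::null;               // shares the global buffer
}

// True when every static instance is back to being its own sole owner.
bool staticsOwnedOnce() {
  if (SharedString::null.useCount() != 1) return false;
  for (int i = 0; i < genresSize; ++i)
    if (genres[i].useCount() != 1) return false;
  return true;
}

// Copy and drop the shared statics from `threads` threads, `iters` times each,
// then report whether all counts returned to 1.
bool hammerStatics(int threads, int iters) {
  std::vector<std::thread> pool;
  for (int t = 0; t < threads; ++t)
    pool.emplace_back([iters] {
      for (int i = 0; i < iters; ++i) {
        SharedString fresh = genre(i % genresSize);  // copies genres[i], then detaches
        SharedString shared = genre(-1);             // copies null
        (void)fresh; (void)shared;
      }
    });
  for (auto &th : pool) th.join();
  return staticsOwnedOnce();
}
```

The point to take from `operator+` is that the "always make a copy" idiom in the quoted code does produce a fresh buffer for the caller, but it still passes through a copy of the shared static on the way, so the static's count is written from every thread that calls `genre()`; making that count atomic (or otherwise serializing those writes) is what removes the race, not the concatenation itself.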

