View Issue Details

IDCategoryLast Update
0008555bugs2021-01-27 13:13
ReporterfeaneronAssigned To 
Status newResolutionopen 
PlatformArchOSLinuxOS Version(any)
Product Version6.5 
Fixed in Version 
Summary0008555: Crash when changing buffer size with JACK
DescriptionWhen I run Ardour with the JACK backend, using the pipewire-jack replacement libraries, and I try and change the buffer size, Ardour crashes with the following backtrace:


double free or corruption (!prev)

Thread 18 "ardour" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffe0a9b700 (LWP 94)]
0x00007ffff49f7775 in raise () from /usr/lib/x86_64-linux-gnu/
(gdb) bt
#0 0x00007ffff49f7775 in raise () at /usr/lib/x86_64-linux-gnu/
0000001 0x00007ffff49e0855 in abort () at /usr/lib/x86_64-linux-gnu/
#2 0x00007ffff4a3b277 in __libc_message () at /usr/lib/x86_64-linux-gnu/
#3 0x00007ffff4a4279c in () at /usr/lib/x86_64-linux-gnu/
0000004 0x00007ffff4a43dec in _int_free () at /usr/lib/x86_64-linux-gnu/
0000005 0x00007ffff758886d in ARDOUR::AudioBuffer::~AudioBuffer() () at /app/lib/ardour6/
#6 0x00007ffff758888d in ARDOUR::AudioBuffer::~AudioBuffer() () at /app/lib/ardour6/
#7 0x00007ffff760cde3 in ARDOUR::BufferSet::ensure_buffers(ARDOUR::DataType, unsigned long, unsigned long) () at /app/lib/ardour6/
0000008 0x00007ffff7bd9d38 in ARDOUR::ThreadBuffers::ensure_buffers(ARDOUR::ChanCount, unsigned long) () at /app/lib/ardour6/
0000009 0x00007ffff760b78f in ARDOUR::BufferManager::ensure_buffers(ARDOUR::ChanCount, unsigned long) () at /app/lib/ardour6/
0000010 0x00007ffff7bdb4c4 in ARDOUR::Track::set_block_size(unsigned int) () at /app/lib/ardour6/
0000011 0x00007ffff7ab38d7 in ARDOUR::Session::set_block_size(unsigned int) () at /app/lib/ardour6/
0000012 0x00007ffff75b96e1 in ARDOUR::AudioEngine::buffer_size_change(unsigned int) () at /app/lib/ardour6/
0000013 0x00007ffff04159bb in ARDOUR::JACKAudioBackend::jack_bufsize_callback(unsigned int) () at /app/lib/ardour6/backends/
0000014 0x00007ffff03d15ff in do_buffer_frames () at /usr/lib/x86_64-linux-gnu/
#15 0x00007ffff0310868 in flush_items () at /usr/lib/x86_64-linux-gnu/spa-0.2/support/
0000016 0x00007ffff0310742 in source_event_func () at /usr/lib/x86_64-linux-gnu/spa-0.2/support/
#17 0x00007ffff0311043 in loop_iterate () at /usr/lib/x86_64-linux-gnu/spa-0.2/support/
0000018 0x00007ffff0387426 in do_loop () at /usr/lib/x86_64-linux-gnu/
0000019 0x00007ffff54c84d2 in start_thread () at /usr/lib/x86_64-linux-gnu/
0000020 0x00007ffff4abc2a3 in clone () at /usr/lib/x86_64-linux-gnu/


It seems that the `ARDOUR::AudioBuffer::~AudioBuffer()` destructor is being called twice. By inspecting the code at, it seems `_owns_data` is not set to `false` after freeing the data, which would allow for a double-free in the above scenario.
Steps To Reproduce - Run Ardour with `$ pw-jack ardour6`
 - Open a project with JACK
 - Play any audio
 - Change the buffer size (might need to change a few times until it crashes)
Additional InformationI understand this is an exotic setup, and don't expect


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-01-27 13:13 feaneron New Issue
2021-01-27 13:13 feaneron Tag Attached: 6.5