SIGSEGV on macOS during typing a search string in Navigator window #3139

Open
nospam2000 opened this issue Oct 27, 2024 · 7 comments
@nospam2000

nospam2000 commented Oct 27, 2024

Steps to reproduce the problem

View of Navigator window is set to "Folders".
Music is playing a playlist.
Type a search string in the "Search" field of the Navigator window.

What's going on? Describe the problem in as much detail as possible.

Sometimes this causes a SIGSEGV. It happened to me around 5 times in the last week. Not so easy to reproduce.
I did not press enter, it happened during typing.

Here is the last part of the call stack; see the comments below for full details:

* thread #1, queue = 'MediaLibSyncQueue', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00000001000969d0 DeaDBeeF`pl_meta_for_key + 18
    frame #1: 0x0000000100097214 DeaDBeeF`pl_find_meta_raw + 9
    frame #2: 0x000000010009ed4e DeaDBeeF`tf_eval_int + 6587
    frame #3: 0x00000001000a1df9 DeaDBeeF`tf_func_directory_path + 61
    frame #4: 0x000000010009d841 DeaDBeeF`tf_eval_int + 1198
    frame #5: 0x000000010009d1ee DeaDBeeF`tf_eval + 314
    frame #6: 0x0000000100086204 DeaDBeeF`qsort_cmp_func + 304
    frame #7: 0x00007ff8156a1d67 libsystem_c.dylib`mergesort + 374
    frame #8: 0x0000000100085cdf DeaDBeeF`plt_sort_internal + 526
    frame #9: 0x0000000100085a5a DeaDBeeF`plt_sort_v2 + 175
    frame #10: 0x00000001006de929 medialib.dylib`_create_item_tree_from_collection + 1010
    frame #11: 0x00000001006dbab5 medialib.dylib`__ml_create_item_tree_block_invoke + 32
    frame #12: 0x00007ff815642dbc libdispatch.dylib`_dispatch_client_callout + 8
    frame #13: 0x00007ff81564fd3c libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 60
    frame #14: 0x00000001006db7e7 medialib.dylib`ml_create_item_tree + 117
    frame #15: 0x000000010002bd17 DeaDBeeF`-[MediaLibraryOutlineViewController initializeTreeView] + 483
    frame #16: 0x000000010002cecb DeaDBeeF`-[MediaLibraryOutlineViewController filterChanged] + 31
    frame #17: 0x000000010002f1b3 DeaDBeeF`-[MediaLibraryOutlineViewController searchFieldAction:] + 136

According to the source code and the register dump, the pointer 'it' is invalid when calling pl_meta_for_key.

Information about the software:

Deadbeef version: devel (9d13e9d)
OS: macOS Sonoma 14.4.1

MacOS Crash Reporter output:

Process:               DeaDBeeF [39070]
Path:                  /Applications/DeaDBeeF.app/Contents/MacOS/DeaDBeeF
Identifier:            com.deadbeef.DeaDBeeF
Version:               devel (9d13e9d)
Code Type:             X86-64 (Native)
Parent Process:        launchd [1]
User ID:               501

Date/Time:             2024-10-27 22:32:59.4251 +0100
OS Version:            macOS 14.4.1 (23E224)
Report Version:        12
Crashed Thread:        0  Dispatch queue: MediaLibSyncQueue

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000040
Exception Codes:       0x0000000000000001, 0x0000000000000040

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [39070]

VM Region Info: 0x40 is not in any region.  Bytes before following region: 4488007616
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      10b819000-10b8e9000    [  832K] r-x/r-x SM=COW  /Applications/DeaDBeeF.app/Contents/MacOS/DeaDBeeF

Thread 0 Crashed::  Dispatch queue: MediaLibSyncQueue
0   DeaDBeeF                      	       0x10b89ed01 plt_sort_internal + 560
1   DeaDBeeF                      	       0x10b89ea5a plt_sort_v2 + 175
2   medialib.dylib                	       0x10bf46929 _create_item_tree_from_collection + 1010
3   medialib.dylib                	       0x10bf43ab5 __ml_create_item_tree_block_invoke + 32
4   libdispatch.dylib             	    0x7ff815642dbc _dispatch_client_callout + 8
5   libdispatch.dylib             	    0x7ff81564fd3c _dispatch_lane_barrier_sync_invoke_and_complete + 60
6   medialib.dylib                	       0x10bf437e7 ml_create_item_tree + 117
7   DeaDBeeF                      	       0x10b844d17 -[MediaLibraryOutlineViewController initializeTreeView] + 483
8   DeaDBeeF                      	       0x10b845ecb -[MediaLibraryOutlineViewController filterChanged] + 31
9   DeaDBeeF                      	       0x10b8481b3 -[MediaLibraryOutlineViewController searchFieldAction:] + 136
10  AppKit                        	    0x7ff8191132b6 -[NSApplication(NSResponder) sendAction:to:from:] + 337
11  AppKit                        	    0x7ff81911312b -[NSControl sendAction:to:] + 86
12  AppKit                        	    0x7ff8197c655d -[NSSearchField sendAction:to:] + 71
13  AppKit                        	    0x7ff81911305d __26-[NSCell _sendActionFrom:]_block_invoke + 131
14  AppKit                        	    0x7ff819112f66 -[NSCell _sendActionFrom:] + 171
15  AppKit                        	    0x7ff8197c91fd -[NSSearchFieldCell(NSSearchFieldCell_Local) _sendPartialString] + 211
16  Foundation                    	    0x7ff8168af814 __NSFireTimer + 67
17  CoreFoundation                	    0x7ff8158dbe6c __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
18  CoreFoundation                	    0x7ff8158dba1a __CFRunLoopDoTimer + 785
19  CoreFoundation                	    0x7ff8158db656 __CFRunLoopDoTimers + 285
20  CoreFoundation                	    0x7ff8158bf932 __CFRunLoopRun + 2104
21  CoreFoundation                	    0x7ff8158beb32 CFRunLoopRunSpecific + 557
22  HIToolbox                     	    0x7ff8202d0829 RunCurrentEventLoopInMode + 292
23  HIToolbox                     	    0x7ff8202d0466 ReceiveNextEventCommon + 201
24  HIToolbox                     	    0x7ff8202d0381 _BlockUntilNextEventMatchingListInModeWithFilter + 66
25  AppKit                        	    0x7ff818f26be5 _DPSNextEvent + 880
26  AppKit                        	    0x7ff819836fe9 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1273
27  AppKit                        	    0x7ff818f18005 -[NSApplication run] + 603
28  AppKit                        	    0x7ff818eebff1 NSApplicationMain + 816
29  DeaDBeeF                      	       0x10b841f48 cocoaui_start + 55
30  DeaDBeeF                      	       0x10b84a850 main + 2715
31  dyld                          	    0x7ff815458366 start + 1942
@nospam2000
Author

nospam2000 commented Oct 27, 2024

A new crash with a slightly different callstack:

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x000000000000004f
Exception Codes:       0x0000000000000001, 0x000000000000004f

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [41579]

VM Region Info: 0x4f is not in any region.  Bytes before following region: 4423954353
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      107b03000-107bd3000    [  832K] r-x/r-x SM=COW  /Applications/DeaDBeeF.app/Contents/MacOS/DeaDBeeF

Thread 0 Crashed::  Dispatch queue: MediaLibSyncQueue
0   DeaDBeeF                      	       0x107b999d0 pl_meta_for_key + 18
1   DeaDBeeF                      	       0x107b9a214 pl_find_meta_raw + 9
2   DeaDBeeF                      	       0x107ba1d4e tf_eval_int + 6587
3   DeaDBeeF                      	       0x107ba4df9 tf_func_directory_path + 61
4   DeaDBeeF                      	       0x107ba0841 tf_eval_int + 1198
5   DeaDBeeF                      	       0x107ba01ee tf_eval + 314
6   DeaDBeeF                      	       0x107b89204 qsort_cmp_func + 304
7   libsystem_c.dylib             	    0x7ff8156a1d67 mergesort + 374
8   DeaDBeeF                      	       0x107b88cdf plt_sort_internal + 526
9   DeaDBeeF                      	       0x107b88a5a plt_sort_v2 + 175
10  medialib.dylib                	       0x108285929 _create_item_tree_from_collection + 1010
11  medialib.dylib                	       0x108282ab5 __ml_create_item_tree_block_invoke + 32
12  libdispatch.dylib             	    0x7ff815642dbc _dispatch_client_callout + 8
13  libdispatch.dylib             	    0x7ff81564fd3c _dispatch_lane_barrier_sync_invoke_and_complete + 60
14  medialib.dylib                	       0x1082827e7 ml_create_item_tree + 117
15  DeaDBeeF                      	       0x107b2ed17 -[MediaLibraryOutlineViewController initializeTreeView] + 483
16  DeaDBeeF                      	       0x107b2fecb -[MediaLibraryOutlineViewController filterChanged] + 31
17  DeaDBeeF                      	       0x107b321b3 -[MediaLibraryOutlineViewController searchFieldAction:] + 136
18  AppKit                        	    0x7ff8191132b6 -[NSApplication(NSResponder) sendAction:to:from:] + 337
19  AppKit                        	    0x7ff81911312b -[NSControl sendAction:to:] + 86
20  AppKit                        	    0x7ff8197c655d -[NSSearchField sendAction:to:] + 71
21  AppKit                        	    0x7ff81911305d __26-[NSCell _sendActionFrom:]_block_invoke + 131
22  AppKit                        	    0x7ff819112f66 -[NSCell _sendActionFrom:] + 171
23  AppKit                        	    0x7ff8197c91fd -[NSSearchFieldCell(NSSearchFieldCell_Local) _sendPartialString] + 211
24  Foundation                    	    0x7ff8168af814 __NSFireTimer + 67
25  CoreFoundation                	    0x7ff8158dbe6c __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
26  CoreFoundation                	    0x7ff8158dba1a __CFRunLoopDoTimer + 785
27  CoreFoundation                	    0x7ff8158db656 __CFRunLoopDoTimers + 285
28  CoreFoundation                	    0x7ff8158bf932 __CFRunLoopRun + 2104
29  CoreFoundation                	    0x7ff8158beb32 CFRunLoopRunSpecific + 557
30  HIToolbox                     	    0x7ff8202d0829 RunCurrentEventLoopInMode + 292
31  HIToolbox                     	    0x7ff8202d0466 ReceiveNextEventCommon + 201
32  HIToolbox                     	    0x7ff8202d0381 _BlockUntilNextEventMatchingListInModeWithFilter + 66
33  AppKit                        	    0x7ff818f26be5 _DPSNextEvent + 880
34  AppKit                        	    0x7ff819836fe9 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1273
35  AppKit                        	    0x7ff818f18005 -[NSApplication run] + 603
36  AppKit                        	    0x7ff818eebff1 NSApplicationMain + 816
37  DeaDBeeF                      	       0x107b2bf48 cocoaui_start + 55
38  DeaDBeeF                      	       0x107b34850 main + 2715
39  dyld                          	    0x7ff815458366 start + 1942

@nospam2000
Author

nospam2000 commented Oct 27, 2024

Now I was able to reproduce the issue with lldb attached and could even create a core-dump file for further analysis:

scan time: 30.563000 seconds (42109 tracks)
building index...
index build time: 0.224000 seconds
clearing index...
tree build time: 0.959000 seconds
tree build time: 0.589000 seconds
tree build time: 0.424000 seconds
tree build time: 0.282000 seconds
2024-10-27 23:23:27.281283+0100 DeaDBeeF[41795:690685] [general] *** -[NSKeyedUnarchiver validateAllowedClass:forKey:] allowed unarchiving safe plist type ''NSData' (0x7ff858d29538) [/System/Library/Frameworks/CoreFoundation.framework]' for key 'DdbPlaylistData', even though it was not explicitly included in the client allowed classes set: '{(
    "'NSArray' (0x7ff858d29470) [/System/Library/Frameworks/CoreFoundation.framework]"
)}'. This will be disallowed in the future.
2024-10-27 23:23:30.744221+0100 DeaDBeeF[41795:690685] [miscellany] CLIENT ERROR: TUINSRemoteViewController does not override -viewServiceDidTerminateWithError: and thus cannot react to catastrophic errors beyond logging them
Process 41795 stopped
* thread #1, queue = 'MediaLibSyncQueue', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00000001000969d0 DeaDBeeF`pl_meta_for_key + 18
DeaDBeeF`pl_meta_for_key:
->  0x1000969d0 <+18>: movq   0x50(%rbx), %rbx
    0x1000969d4 <+22>: testq  %rbx, %rbx
    0x1000969d7 <+25>: je     0x1000969ee               ; <+48>
    0x1000969d9 <+27>: movq   0x8(%rbx), %rsi
Target 0: (DeaDBeeF) stopped.
(lldb) bt
* thread #1, queue = 'MediaLibSyncQueue', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00000001000969d0 DeaDBeeF`pl_meta_for_key + 18
    frame #1: 0x0000000100097214 DeaDBeeF`pl_find_meta_raw + 9
    frame #2: 0x000000010009ed4e DeaDBeeF`tf_eval_int + 6587
    frame #3: 0x00000001000a1df9 DeaDBeeF`tf_func_directory_path + 61
    frame #4: 0x000000010009d841 DeaDBeeF`tf_eval_int + 1198
    frame #5: 0x000000010009d1ee DeaDBeeF`tf_eval + 314
    frame #6: 0x0000000100086204 DeaDBeeF`qsort_cmp_func + 304
    frame #7: 0x00007ff8156a1d67 libsystem_c.dylib`mergesort + 374
    frame #8: 0x0000000100085cdf DeaDBeeF`plt_sort_internal + 526
    frame #9: 0x0000000100085a5a DeaDBeeF`plt_sort_v2 + 175
    frame #10: 0x00000001006de929 medialib.dylib`_create_item_tree_from_collection + 1010
    frame #11: 0x00000001006dbab5 medialib.dylib`__ml_create_item_tree_block_invoke + 32
    frame #12: 0x00007ff815642dbc libdispatch.dylib`_dispatch_client_callout + 8
    frame #13: 0x00007ff81564fd3c libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 60
    frame #14: 0x00000001006db7e7 medialib.dylib`ml_create_item_tree + 117
    frame #15: 0x000000010002bd17 DeaDBeeF`-[MediaLibraryOutlineViewController initializeTreeView] + 483
    frame #16: 0x000000010002cecb DeaDBeeF`-[MediaLibraryOutlineViewController filterChanged] + 31
    frame #17: 0x000000010002f1b3 DeaDBeeF`-[MediaLibraryOutlineViewController searchFieldAction:] + 136
    frame #18: 0x00007ff8191132b6 AppKit`-[NSApplication(NSResponder) sendAction:to:from:] + 337
    frame #19: 0x00007ff81911312b AppKit`-[NSControl sendAction:to:] + 86
    frame #20: 0x00007ff8197c655d AppKit`-[NSSearchField sendAction:to:] + 71
    frame #21: 0x00007ff81911305d AppKit`__26-[NSCell _sendActionFrom:]_block_invoke + 131
    frame #22: 0x00007ff819112f66 AppKit`-[NSCell _sendActionFrom:] + 171
    frame #23: 0x00007ff8197c91fd AppKit`-[NSSearchFieldCell(NSSearchFieldCell_Local) _sendPartialString] + 211
    frame #24: 0x00007ff8168af814 Foundation`__NSFireTimer + 67
    frame #25: 0x00007ff8158dbe6c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    frame #26: 0x00007ff8158dba1a CoreFoundation`__CFRunLoopDoTimer + 785
    frame #27: 0x00007ff8158db656 CoreFoundation`__CFRunLoopDoTimers + 285
    frame #28: 0x00007ff8158bf932 CoreFoundation`__CFRunLoopRun + 2104
    frame #29: 0x00007ff8158beb32 CoreFoundation`CFRunLoopRunSpecific + 557
    frame #30: 0x00007ff8202d0829 HIToolbox`RunCurrentEventLoopInMode + 292
    frame #31: 0x00007ff8202d0466 HIToolbox`ReceiveNextEventCommon + 201
    frame #32: 0x00007ff8202d0381 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 66
    frame #33: 0x00007ff818f26be5 AppKit`_DPSNextEvent + 880
    frame #34: 0x00007ff819836fe9 AppKit`-[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1273
    frame #35: 0x00007ff818f18005 AppKit`-[NSApplication run] + 603
    frame #36: 0x00007ff818eebff1 AppKit`NSApplicationMain + 816
    frame #37: 0x0000000100028f48 DeaDBeeF`cocoaui_start + 55
    frame #38: 0x0000000100031850 DeaDBeeF`main + 2715
    frame #39: 0x00007ff815458366 dyld`start + 1942

The content of register rbx (= register rdi = parameter 'it') is not a valid pointer, which is why movq 0x50(%rbx), %rbx (DB_metaInfo_t *m = it->meta;) fails:

(lldb) disassemble --frame --context 20 --count 11
DeaDBeeF`pl_meta_for_key:
    0x1000969be <+0>:  pushq  %rbp
    0x1000969bf <+1>:  movq   %rsp, %rbp
    0x1000969c2 <+4>:  pushq  %r14
    0x1000969c4 <+6>:  pushq  %rbx
    0x1000969c5 <+7>:  movq   %rsi, %r14
    0x1000969c8 <+10>: movq   %rdi, %rbx
    0x1000969cb <+13>: callq  0x1000849b2               ; pl_ensure_lock
->  0x1000969d0 <+18>: movq   0x50(%rbx), %rbx   ; %rbx=param 'it' is 0xe0c69b6213000000 and not a valid pointer
    0x1000969d4 <+22>: testq  %rbx, %rbx
    0x1000969d7 <+25>: je     0x1000969ee               ; <+48>
    0x1000969d9 <+27>: movq   0x8(%rbx), %rsi
(lldb) register read
General Purpose Registers:
       rax = 0x0000000000000000
       rbx = 0xe0c69b6213000000
       rcx = 0x0000000000000014
       rdx = 0x00000001000c4fea  "albumartist"
       rdi = 0xe0c69b6213000000
       rsi = 0x00000001000c7ae0  ":URI"
       rbp = 0x00007ff7bfefb240
       rsp = 0x00007ff7bfefb230
        r8 = 0x0000000000000000
        r9 = 0x0000000000000310
       r10 = 0x0000000000010000
       r11 = 0x00001ff7b898aa13
       r12 = 0x0000000000000004
       r13 = 0x00007ff7bfefb270
       r14 = 0x00000001000c7ae0  ":URI"
       r15 = 0x00007ff7bfefb260
       rip = 0x00000001000969d0  DeaDBeeF`pl_meta_for_key + 18
    rflags = 0x0000000000000246
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

@nospam2000
Author

nospam2000 commented Nov 3, 2024

I was able to compile a Debug version and reproduce the bug.
I was playing a song for maybe 10 minutes and then started typing in the input field.

Here is the location of the crash:

DB_metaInfo_t *
pl_meta_for_key (playItem_t *it, const char *key) {
    pl_ensure_lock ();
    DB_metaInfo_t *m = it->meta; // << crash because it=-1

Called from tf_eval_int():

// parameter values
// code	const char *	"path/"	0x0000600005de9ced
// size	int	4
tf_eval_int (ddb_tf_context_t *ctx, const char *code, int size, char *out, int outlen, int *bool_out, int fail_on_undef) {
    playItem_t *it = (playItem_t *)ctx->it; // Here 'it' is set to -1

Content of ctx:

ctx	ddb_tf_context_t *	0x7ff7bc345120	0x00007ff7bc345120
_size	int	56
flags	uint32_t	65536
it	ddb_playItem_t *	0xffffffffffffffff
plt	ddb_playlist_t *	0x6000015c4f00	0x00006000015c4f00
idx	int	-1
id	int	-1
iter	int	0
update	int	0
dimmed	int	0
metadata_transformer	void (*)(ddb_tf_context_s *, char *, size_t)	NULL	0x0000000000000000

ctx.it comes from parameter 'a' of pl_sort_compare_str (playItem_t *a, playItem_t *b), which is already -1.

The name of the array to be sorted is "Medialib Playlist".

TODO: check in plt_sort_internal() whether the item pointers are still OK (not -1 and not 0) after this loop:

    for (playItem_t *it = playlist->head[iter]; it; it = it->next[iter], idx++) {
        array[idx] = it;
    }

@Oleksiy-Yakovenko
Member

I have tried to reproduce this too over the last few days, and it didn't happen for me from using the medialibrary search.
So I turned address sanitizer (ASAN) on and kept using deadbeef in that mode,
and yesterday I got an ASAN error after doing some unrelated stuff...
like, I just tried to play some folder or something like that.
There's definitely a reference counting bug somewhere, destroying some object and leaving a dangling pointer behind.

The main problem with this kind of bug is that they are not easy to fix even when you have a callstack pointing to the crash. Instead, it requires finding the place which either over-released some object or missed a retain, and that happens at some other time and place than the crash location.
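
Added example, not code from this thread or from DeaDBeeF: a small C model of two points raised above, the TODO in the Nov 3 comment (check the item pointers collected by the plt_sort_internal() loop before sorting) and the point in the previous comment that the over-release happens at a different time and place than the crash. It assumes a refcounted playItem_t with next[iter] links, the names pl_item_ref / pl_item_unref / plt_collect_sort_array, and a debug-only "zombie" mode in which a released item is poisoned with -1 and kept instead of freed; none of that is taken from the project.

```c
/* Added example, not DeaDBeeF's code: a refcounted play item, a playlist walked
 * via next[iter] (as in the plt_sort_internal() loop quoted above), and an
 * over-release that leaves a dead item linked. Debug-build "zombie" mode (the
 * NSZombie idea): an item whose refcount hits zero is kept, with its links
 * poisoned to -1, so a stale use is reported at the first touch rather than as
 * an unrelated crash later. Names, layouts and the mechanism are assumptions. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PL_MAX_ITERATORS 2
typedef struct playItem_s {
    int refc;                                  /* > 0 alive, 0 zombie */
    char *uri;
    struct playItem_s *next[PL_MAX_ITERATORS];
} playItem_t;
#define PL_DEAD_PTR ((playItem_t *)UINTPTR_MAX)  /* poison; compare it = -1 in the lldb dump */
typedef struct { playItem_t *head[PL_MAX_ITERATORS]; } playlist_t;

static playItem_t *pl_item_alloc(const char *uri) {
    playItem_t *it = calloc(1, sizeof *it);
    if (!it) abort();
    it->refc = 1;
    it->uri = malloc(strlen(uri) + 1);
    if (!it->uri) abort();
    strcpy(it->uri, uri);
    return it;
}

static void pl_item_ref(playItem_t *it) {
    assert(it->refc > 0 && "retain on a zombie: some earlier release was one too many");
    it->refc++;
}

/* 1: item just became a zombie; 0: still alive; -1: this call is the over-release. */
static int pl_item_unref(playItem_t *it) {
    if (it->refc <= 0) {
        fprintf(stderr, "over-release of zombie item %p (%s)\n", (void *)it, it->uri);
        return -1;
    }
    if (--it->refc > 0) return 0;
    for (int i = 0; i < PL_MAX_ITERATORS; i++) it->next[i] = PL_DEAD_PTR;
    return 1;                                  /* memory deliberately not freed */
}

static void pl_item_dispose(playItem_t *it) { free(it->uri); free(it); }  /* teardown only */

static void plt_append(playlist_t *plt, int iter, playItem_t *it) {
    pl_item_ref(it);                           /* the list holds its own reference */
    it->next[iter] = NULL;
    playItem_t **link = &plt->head[iter];
    while (*link) link = &(*link)->next[iter];
    *link = it;
}

/* The plt_sort_internal() loop with the check the TODO asks for: returns the item
 * count, or -(idx + 1) for the first entry that is -1, misaligned or a zombie, so
 * the caller refuses to sort instead of letting the comparator dereference it. */
static int plt_collect_sort_array(playlist_t *plt, int iter, playItem_t **array, int cap) {
    int idx = 0;
    for (playItem_t *it = plt->head[iter]; it && idx < cap; it = it->next[iter], idx++) {
        uintptr_t p = (uintptr_t)it;
        if (p == UINTPTR_MAX || (p & (sizeof(void *) - 1)) != 0) return -(idx + 1);
        if (it->refc <= 0) return -(idx + 1);  /* zombie: still addressable, but dead */
        array[idx] = it;
    }
    return idx;
}

/* Three-item list; with over_release set, one extra unref on the middle item without
 * unlinking it. Returns the collect result: 3 when healthy, -2 when item b is dead. */
static int demo_collect(int over_release) {
    playlist_t plt = {0};
    playItem_t *items[3], *array[8];
    const char *uris[3] = {"file:///music/a.flac", "file:///music/b.flac", "file:///music/c.flac"};
    for (int i = 0; i < 3; i++) {
        items[i] = pl_item_alloc(uris[i]);
        plt_append(&plt, 0, items[i]);
        pl_item_unref(items[i]);               /* drop the creator's ref; the list keeps one */
    }
    if (over_release) pl_item_unref(items[1]);
    int r = plt_collect_sort_array(&plt, 0, array, 8);
    for (int i = 0; i < 3; i++) pl_item_dispose(items[i]);
    return r;
}

/* Releasing a zombie again is reported (-1) instead of touching freed memory. */
static int demo_over_release(void) {
    playItem_t *it = pl_item_alloc("file:///music/x.flac");
    int first = pl_item_unref(it), second = pl_item_unref(it);
    pl_item_dispose(it);
    return first == 1 && second == -1;
}

int main(void) {
    printf("healthy: %d items; over-released: dead entry at index %d\n",
           demo_collect(0), -demo_collect(1) - 1);
    return demo_over_release() ? 0 : 1;
}
```

Build with cc -g -fsanitize=address,undefined and run: the over-released list makes plt_collect_sort_array() return -2 (entry 1 is dead), and the second unref of a zombie is reported instead of touching freed memory. The limit of the value check alone is worth keeping in mind: it only catches pointers that are obviously bad (-1, misaligned, or a zombie that was kept around). A stale pointer to memory that was really freed and reused looks valid, which is why ASAN's quarantine, or zombie objects, are needed to get a report at the first wrong touch rather than at a later, unrelated crash.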

@nospam2000
Author

I will keep collecting data here and keep track of it. It's not a high priority issue.

@Oleksiy-Yakovenko
Member

@nospam2000 can you check if this issue still occurs? I recently fixed a bug caused by search.. maybe related
(I still can't repro)

@nospam2000
Author

nospam2000 commented Dec 4, 2024

@Oleksiy-Yakovenko

I fetched the latest source version (commit 52935d9 (master, Date: Fri Nov 29 21:40:57 2024 +0100))

and built it using this command, started it from the shell, and then attached Xcode for debugging:

xcodebuild -project osx/deadbeef.xcodeproj -target DeaDBeeF -configuration Debug -fsanitize=address -fsanitize=alignment -fsanitize=bounds -fsanitize=vptr -fsanitize=integer-divide-by-zero -fsanitize=float-divide-by-zero -fsanitize=null  -fsanitize=object-size -fsanitize=shift -fsanitize=signed-integer-overflow -fsanitize=vla-bound

After some minutes I was able to reproduce the issue.
There is a slight difference from the earlier issue: 'it' in pl_meta_for_key() is now 0x7f5853bf13bc911d and no longer 0xffffffffffffffff, but it is still not a legal memory area.

The part 0x58, 0x53 of the pointer == "XS", which could be part of a string.
