New beta 9.3.0 on Linux crashes

Discussion about: tracktion.com

Post

Gdb output

Code:

Starting program: /usr/bin/Waveform9 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000abc9b9 in ?? ()
(gdb) thread apply all bt

Thread 1 (Thread 0x7ffff7f96740 (LWP 29813)):
#0  0x0000000000abc9b9 in ?? ()
#1  0x0000000000abce13 in ?? ()
#2  0x0000000000ac169f in ?? ()
#3  0x0000000000ac188a in ?? ()
#4  0x0000000000ac1a8d in ?? ()
#5  0x0000000000ac1b80 in ?? ()
#6  0x0000000000af6e63 in ?? ()
#7  0x0000000000af7373 in ?? ()
#8  0x00000000008c15fc in ?? ()
#9  0x00000000005c4608 in ?? ()
#10 0x0000000000588b85 in ?? ()
#11 0x00007ffff5d06b97 in __libc_start_main (main=0x41d4e9, argc=1, argv=0x7fffffffdd28, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffdd18) at ../csu/libc-start.c:310
#12 0x00000000005a7199 in ?? ()

Post

I really don't know what that is. If that's the only thread running it's really early in the app's initialisation, way before any curl threads have started.

Are you able to test this in another environment? Maybe a VM/Docker/chroot etc?

Post

Using Valgrind I was able to confirm that the segfault comes from trying to open a null pointer.

Code:

--17831--    object doesn't have a symbol table
--17831-- Reading syms from /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
--17831--    object doesn't have a symbol table
--17831-- Reading syms from /usr/lib/x86_64-linux-gnu/libGLX.so.0.0.0
--17831--    object doesn't have a symbol table
--17831-- Reading syms from /usr/lib/x86_64-linux-gnu/libGLdispatch.so.0.0.0
--17831--    object doesn't have a symbol table
--17831-- Reading syms from /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
--17831--   Considering /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 ..
--17831--   .. CRC mismatch (computed 256f5df8 wanted 5d40ac88)
--17831--    object doesn't have a symbol table
--17831-- Reading syms from /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
--17831--    object doesn't have a symbol table
--17831-- Reading syms from /lib/x86_64-linux-gnu/libbsd.so.0.8.7
--17831--    object doesn't have a symbol table
--17831-- REDIR: 0x6bd9c70 (libc.so.6:memmove) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8d40 (libc.so.6:strncpy) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9f50 (libc.so.6:strcasecmp) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8790 (libc.so.6:strcat) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8d70 (libc.so.6:rindex) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bdb7c0 (libc.so.6:rawmemchr) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9de0 (libc.so.6:mempcpy) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9c10 (libc.so.6:bcmp) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8d00 (libc.so.6:strncmp) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8800 (libc.so.6:strcmp) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9d40 (libc.so.6:memset) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bf70f0 (libc.so.6:wcschr) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8ca0 (libc.so.6:strnlen) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8870 (libc.so.6:strcspn) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9fa0 (libc.so.6:strncasecmp) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8840 (libc.so.6:strcpy) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bda0e0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8da0 (libc.so.6:strpbrk) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd87c0 (libc.so.6:index) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd8c70 (libc.so.6:strlen) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6be36c0 (libc.so.6:memrchr) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9ff0 (libc.so.6:strcasecmp_l) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9be0 (libc.so.6:memchr) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bf7eb0 (libc.so.6:wcslen) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9050 (libc.so.6:strspn) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9f20 (libc.so.6:stpncpy) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9ef0 (libc.so.6:stpcpy) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bdb7f0 (libc.so.6:strchrnul) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bda040 (libc.so.6:strncasecmp_l) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6c6c8a0 (libc.so.6:__memcpy_chk) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6bd9b20 (libc.so.6:strstr) redirected to 0x4a2a6e0 (_vgnU_ifunc_wrapper)
--17831-- REDIR: 0x6cc93c0 (libc.so.6:__strrchr_avx2) redirected to 0x4c32730 (rindex)
--17831-- REDIR: 0x6cc9590 (libc.so.6:__strlen_avx2) redirected to 0x4c32cf0 (strlen)
--17831-- REDIR: 0x6bd5030 (libc.so.6:calloc) redirected to 0x4c31a70 (calloc)
--17831-- REDIR: 0x6bd2070 (libc.so.6:malloc) redirected to 0x4c2faa0 (malloc)
--17831-- REDIR: 0x6bd3c30 (libc.so.6:realloc) redirected to 0x4c31cb0 (realloc)
--17831-- REDIR: 0x6cc9ad0 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x4c366e0 (memmove)
--17831-- REDIR: 0x6cc5ba0 (libc.so.6:__memcmp_avx2_movbe) redirected to 0x4c35e00 (bcmp)
--17831-- REDIR: 0x6ca4d60 (libc.so.6:__strcmp_ssse3) redirected to 0x4c33da0 (strcmp)
--17831-- REDIR: 0x628a5f0 (libstdc++.so.6:operator new[](unsigned long)) redirected to 0x4c30830 (operator new[](unsigned long))
--17831-- REDIR: 0x6bd2950 (libc.so.6:free) redirected to 0x4c30cd0 (free)
--17831-- REDIR: 0x62885d0 (libstdc++.so.6:operator delete[](void*)) redirected to 0x4c316d0 (operator delete[](void*))
--17831-- REDIR: 0x6cc9f50 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x4c365d0 (memset)
--17831-- REDIR: 0x628a530 (libstdc++.so.6:operator new(unsigned long)) redirected to 0x4c30110 (operator new(unsigned long))
--17831-- REDIR: 0x6cc0510 (libc.so.6:__strncmp_sse42) redirected to 0x4c33570 (__strncmp_sse42)
--17831-- REDIR: 0x6cc91d0 (libc.so.6:__strchrnul_avx2) redirected to 0x4c37020 (strchrnul)
--17831-- REDIR: 0x6c6cc70 (libc.so.6:__strcpy_chk) redirected to 0x4c37090 (__strcpy_chk)
--17831-- REDIR: 0x6bd9590 (libc.so.6:__GI_strstr) redirected to 0x4c37760 (__strstr_sse2)
--17831-- REDIR: 0x6cb8100 (libc.so.6:__strncpy_ssse3) redirected to 0x4c32fb0 (strncpy)
--17831-- Reading syms from /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
--17831--    object doesn't have a symbol table
--17831-- Reading syms from /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
--17831--    object doesn't have a symbol table
--17922-- REDIR: 0x6cc8fa0 (libc.so.6:__strchr_avx2) redirected to 0x4c32950 (index)
--17831-- REDIR: 0x6cc9ab0 (libc.so.6:__mempcpy_avx_unaligned_erms) redirected to 0x4c37130 (mempcpy)
--17831-- REDIR: 0x62885a0 (libstdc++.so.6:operator delete(void*)) redirected to 0x4c311d0 (operator delete(void*))
--17923-- REDIR: 0x6cc8fa0 (libc.so.6:__strchr_avx2) redirected to 0x4c32950 (index)
--17924-- REDIR: 0x6cc8fa0 (libc.so.6:__strchr_avx2) redirected to 0x4c32950 (index)
--17925-- REDIR: 0x6cc8fa0 (libc.so.6:__strchr_avx2) redirected to 0x4c32950 (index)
==17831== Invalid read of size 8
==17831==    at 0xABC9B9: ??? (in /usr/bin/Waveform9)
==17831==    by 0xABCE12: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC169E: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC1889: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC1A8C: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC1B7F: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAF6E62: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAF7372: ??? (in /usr/bin/Waveform9)
==17831==    by 0x8C15FB: ??? (in /usr/bin/Waveform9)
==17831==    by 0x5C4607: ??? (in /usr/bin/Waveform9)
==17831==    by 0x588B84: ??? (in /usr/bin/Waveform9)
==17831==    by 0x6B5CB96: (below main) (libc-start.c:310)
==17831==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17831== 
==17831== 
==17831== Process terminating with default action of signal 11 (SIGSEGV)
==17831==  Access not within mapped region at address 0x0
==17831==    at 0xABC9B9: ??? (in /usr/bin/Waveform9)
==17831==    by 0xABCE12: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC169E: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC1889: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC1A8C: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAC1B7F: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAF6E62: ??? (in /usr/bin/Waveform9)
==17831==    by 0xAF7372: ??? (in /usr/bin/Waveform9)
==17831==    by 0x8C15FB: ??? (in /usr/bin/Waveform9)
==17831==    by 0x5C4607: ??? (in /usr/bin/Waveform9)
==17831==    by 0x588B84: ??? (in /usr/bin/Waveform9)
==17831==    by 0x6B5CB96: (below main) (libc-start.c:310)

Note the memory address is at 0x0, i.e. a null pointer.

Gdb using "thread apply all bt full"

Code:

#11 0x00007ffff5d06b97 in __libc_start_main (main=0x41d4e9, argc=1, 
    argv=0x7fffffffdd28, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffdd18) at ../csu/libc-start.c:310
        self = <optimized out>
        __self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 5286854593132128934, 5927280, 
                140737488346400, 0, 0, -5286856506679465306, -5286869326520489306}, 
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 
              0x7ffff7de5733 <_dl_init+259>, 0x7ffff7dcd370}, data = {prev = 0x0, 
              cleanup = 0x0, canceltype = -136423629}}}
        not_first_call = <optimized out>
#12 0x00000000005a7199 in ?? ()

Means that it's trying to return from main.
It tries to continue executing after

/* Run the program. */
result = main (argc, argv, __environ MAIN_AUXVEC_PARAM);

https://code.woboq.org/userspace/glibc/ ... art.c.html

But this code is not from Waveform; this is the system calling main on Waveform.
Visual Studio issue: https://github.com/Microsoft/vscode-cpp ... ssues/1123

So the part about libc-start.c can be ignored.

Code:

access("/usr/bin/dconf", F_OK)          = 0
stat("/usr/bin/dconf", {st_mode=S_IFREG|0755, st_size=47096, ...}) = 0
pipe([6, 7])

https://pastebin.com/vYxZ0Y3d

The strace shows that the last file opened was "/usr/bin/dconf", and right after piping to memory and closing this pointer the crash occurs. Probably the next operation, or trying to interpret the data received from dconf that is in memory.

dmesg shows ( https://stackoverflow.com/questions/217 ... ge/2179464 )

Code:

[232474.766196] Waveform9[14804]: segfault at 0 ip 0000000000abc9b9 sp 00007ffd55640710 error 4 in Waveform9[400000+307f000]

Assembler function causing the crash

Code:

  abc9b6:	00 
  abc9b7:	31 c0                	xor    %eax,%eax
  abc9b9:	48 8b 07             	mov    (%rdi),%rax
  abc9bc:	48 8d 7c 24 50       	lea    0x50(%rsp),%rdi
  abc9c1:	48 8d 70 04          	lea    0x4(%rax),%rsi
  abc9c5:	e8 aa 6e 05 00       	callq  b13874 <__gmon_start__@plt+0x705a04>
  abc9ca:	80 7b 08 00          	cmpb   $0x0,0x8(%rbx)
  abc9ce:	48 8b 03             	mov    (%rbx),%rax
  abc9d1:	f2 0f 10 40 30       	movsd  0x30(%rax),%xmm0
  abc9d6:	0f 85 04 01 00 00    	jne    abcae0 <__gmon_start__@plt+0x6aec70>
  abc9dc:	f2 0f 10 5c 24 60    	movsd  0x60(%rsp),%xmm3
  abc9e2:	48 8b 43 10          	mov    0x10(%rbx),%rax
  abc9e6:	48 8d 7c 24 70       	lea    0x70(%rsp),%rdi
  abc9eb:	f2 0f 10 54 24 68    	movsd  0x68(%rsp),%xmm2
  abc9f1:	f2 0f 5e d8          	divsd  %xmm0,%xmm3
  abc9f5:	48 8b 30             	mov    (%rax),%rsi
  abc9f8:	48 83 c6 04          	add    $0x4,%rsi
  abc9fc:	f2 0f 5e d0          	divsd  %xmm0,%xmm2
  abca00:	f2 0f 11 5c 24 08    	movsd  %xmm3,0x8(%rsp)
  abca06:	f2 0f 11 14 24       	movsd  %xmm2,(%rsp)
  abca0b:	e8 64 6e 05 00       	callq  b13874 <__gmon_start__@plt+0x705a04>
  abca10:	f2 0f 10 4c 24 50    	movsd  0x50(%rsp),%xmm1
  abca16:	f2 0f 10 74 24 60    	movsd  0x60(%rsp),%xmm6
  abca1c:	48 8b 43 10          	mov    0x10(%rbx),%rax
  abca20:	f2 0f 10 44 24 70    	movsd  0x70(%rsp),%xmm0
  abca26:	f2 0f 58 f1          	addsd  %xmm1,%xmm6
  abca2a:	f2 0f 10 14 24       	movsd  (%rsp),%xmm2
  abca2f:	48 8b 10             	mov    (%rax),%rdx
  abca32:	f2 0f 10 68 18       	movsd  0x18(%rax),%xmm5
  abca37:	f2 0f 10 5c 24 08    	movsd  0x8(%rsp),%xmm3
  abca3d:	66 0f 2e c6          	ucomisd %xmm6,%xmm0
  abca41:	f2 0f 10 62 30       	movsd  0x30(%rdx),%xmm4
  abca46:	7a 08                	jp     abca50 <__gmon_start__@plt+0x6aebe0>
  abca48:	75 06                	jne    abca50 <__gmon_start__@plt+0x6aebe0>
  abca4a:	f2 0f 5c eb          	subsd  %xmm3,%xmm5
  abca4e:	eb 16                	jmp    abca66 <__gmon_start__@plt+0x6aebf6>
  abca50:	f2 0f 58 84 24 80 00 	addsd  0x80(%rsp),%xmm0
  abca57:	00 00 

Crash on this operation: abc9b9: 48 8b 07 mov (%rdi),%rax

Register information

Code:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000abc9b9 in ?? ()
(gdb) info registers rdi rax
rdi            0x0	0
rax            0x0	0
(gdb) 

rdi & rax are 0 (NULL) when executing the mov.

I don't have a debug build, but with the address "abc9b9" and the command

Code:

addr2line -e /usr/bin/Waveform9 abc9b9

It should help to find that missing null check, but with no debug symbols it will be hard.
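A small triage helper, added here as an example and not code from the thread or from Tracktion: it decodes a kernel "segfault at" line like the dmesg line above into the faulting address, the instruction pointer and the page-fault error-code bits, and works out which address to hand to addr2line or objdump. The sample line is the one posted above. The 0x400000 non-PIE heuristic is an assumption of the example (confirm with `readelf -h <file> | grep Type`, EXEC vs DYN), and the error-code bit meanings are the ones documented in the Intel SDM.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of a kernel "segfault at" report. */
struct segfault_info {
    char comm[32];       /* process name */
    long pid;
    uint64_t addr;       /* faulting data address ("segfault at ...") */
    uint64_t ip;         /* instruction pointer at the fault */
    uint64_t sp;
    unsigned err;        /* x86 page-fault error code */
    char mapping[64];    /* object the IP was inside ("in ...") */
    uint64_t map_base;   /* start of that mapping */
    uint64_t map_len;    /* its length */
};

/* Parse one dmesg line; returns 1 on success, 0 if it is not a segfault line. */
int parse_segfault_line(const char *line, struct segfault_info *si)
{
    if (line == NULL || si == NULL) return 0;
    memset(si, 0, sizeof *si);
    const char *p = line;
    if (*p == '[') {                       /* skip the "[232474.766196] " timestamp */
        const char *e = strchr(p, ']');
        if (e == NULL) return 0;
        p = e + 1;
    }
    while (*p == ' ') p++;
    int n = sscanf(p,
        "%31[^[][%ld]: segfault at %" SCNx64 " ip %" SCNx64 " sp %" SCNx64
        " error %u in %63[^[][%" SCNx64 "+%" SCNx64 "]",
        si->comm, &si->pid, &si->addr, &si->ip, &si->sp, &si->err,
        si->mapping, &si->map_base, &si->map_len);
    return n == 9;
}

/* Error-code bits (Intel SDM vol. 3A, "Page-Fault Exceptions"):
 * bit 0 = protection violation (0 = page not present), bit 1 = write,
 * bit 2 = user mode, bit 3 = reserved bit set, bit 4 = instruction fetch.
 * "error 4" is therefore a user-mode read of an unmapped page, which is
 * exactly what dereferencing a NULL pointer produces. */
void describe_error(unsigned err, char *buf, size_t len)
{
    snprintf(buf, len, "%s %s of a %s page%s",
             (err & 4) ? "user-mode" : "kernel-mode",
             (err & 16) ? "instruction fetch" : (err & 2) ? "write" : "read",
             (err & 1) ? "protected" : "not-present",
             (err & 8) ? " (reserved bit set)" : "");
}

/* True when the data address lies in the first page: a NULL pointer, or a
 * small field offset through one ("segfault at 30" for mov 0x30(%rax), rax 0). */
int is_null_page_fault(const struct segfault_info *si)
{
    return si->addr < 4096;
}

/* Address to give addr2line/objdump. A base of 0x400000 is the classic
 * non-PIE x86-64 load address, so the IP is already a link-time address and
 * is used as-is (as the poster did). For a PIE executable or a shared object
 * the mapping base has to be subtracted first. The base check is a heuristic
 * assumed by this example; `readelf -h` (Type: EXEC vs DYN) is authoritative. */
uint64_t addr_for_symbolizer(const struct segfault_info *si)
{
    return si->map_base == 0x400000 ? si->ip : si->ip - si->map_base;
}

int main(void)
{
    /* The line posted in the thread. */
    const char *line = "[232474.766196] Waveform9[14804]: segfault at 0 ip 0000000000abc9b9 "
                       "sp 00007ffd55640710 error 4 in Waveform9[400000+307f000]";
    struct segfault_info si;
    char why[96];
    if (!parse_segfault_line(line, &si)) return 1;
    describe_error(si.err, why, sizeof why);
    printf("%s pid %ld: %s at data address 0x%" PRIx64 "%s\n", si.comm, si.pid, why,
           si.addr, is_null_page_fault(&si) ? " (NULL-page access)" : "");
    printf("symbolize with: addr2line -f -e <path to %s> 0x%" PRIx64 "\n",
           si.mapping, addr_for_symbolizer(&si));
    printf("or: objdump -d --start-address=0x%" PRIx64 " --stop-address=0x%" PRIx64 " <path to %s>\n",
           addr_for_symbolizer(&si) - 32, addr_for_symbolizer(&si) + 32, si.mapping);
    return 0;
}
```

For the posted line this reports a user-mode read of a not-present page at data address 0, which is what `mov (%rdi),%rax` with rdi = 0 produces; a field access through a NULL pointer would instead show a small non-zero address such as `segfault at 30`. Because the binary is mapped at 0x400000 it is not position-independent, so the addresses in the gdb and Valgrind backtraces are link-time addresses and can be fed to addr2line or `objdump -d --start-address` unchanged. Without debug info addr2line prints `??`, but the disassembly around the address, as shown above, still works.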

Post

Thanks for the info. Unfortunately I can't symbolicate that line with the current build.

However, the dconf is interesting. The only place I can see that used is to determine the scale factor of the current display.
We use it with the following command

Code:

/usr/bin/dconf read /com/ubuntu/user-interface/scale-factor

Can you open the "/usr/bin/dconf" file and see if you have that "scale-factor" setting?

I can't see anything obvious that could crash after that but it might be that some garbage value is being returned?

Post

/usr/bin/dconf: file format elf64-x86-64

Code:

madrang@ASTitan:~$ /usr/bin/dconf read /com/ubuntu/user-interface/scale-factor
{'DP-5': 8, 'DP-3': 8, 'DVI-I-1': 8, 'DP-1': 8}

Same value as from strace, but it seems partial in the trace (missing ": 8, 'DP-1': 8}"). A fluke or a problem?
It cuts at 32 chars; this does not seem random.
read = 48 should indicate that it got everything (probably just not printing the rest, but it is in the buffer).
But we are close.

Code:

restart_syscall(<... resuming interrupted nanosleep ...>) = 0
wait4(2950, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG, NULL) = 2950
fcntl(6, F_GETFL)                       = 0 (flags O_RDONLY)
fstat(6, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
read(6, "{'DP-5': 8, 'DP-3': 8, 'DVI-I-1'"..., 4096) = 48
read(6, "", 4096)                       = 0
read(6, "", 4096)                       = 0
wait4(2950, 0x7ffded3a3004, WNOHANG, NULL) = -1 ECHILD (No child processes)
close(6)                                = 0
close(6)                                = -1 EBADF (Bad file descriptor)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++
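To show the safer shape of the step the developer describes (run `dconf read`, read its pipe, interpret the result) against the output this machine actually returns, here is an added example in C. It is not Waveform's code, and the parser and the function names are hypothetical. It handles the dictionary form posted above, a bare integer, the typed empty value `@a{si} {}` that GVariant's text syntax uses for an empty dictionary, and empty output for an unset key, and falls back to a scale of 1.0 in every case instead of dereferencing anything that may be NULL. Treating the value as eighths of the scale (8 = 1.0x) follows the Unity schema's convention and is an assumption of the example. The sample strings are constructed; the popen call in display_scale_from_dconf runs the real command and is only reached from main.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* popen/pclose are POSIX, not ISO C; declared here so the file also builds
 * under a strict -std=c99 where <stdio.h> hides them. */
FILE *popen(const char *command, const char *mode);
int pclose(FILE *stream);

/* Outcome of looking a monitor up in what dconf printed. */
enum scale_result { SCALE_FOUND = 0, SCALE_UNSET, SCALE_NOT_FOUND, SCALE_MALFORMED };

/* Parse the text form of /com/ubuntu/user-interface/scale-factor. Accepts
 * the dictionary seen in the thread, {'DP-5': 8, 'DP-3': 8, ...}, a bare
 * integer, the typed empty value "@a{si} {}", and empty output (key unset).
 * monitor == NULL selects the first entry. Never dereferences a NULL input. */
enum scale_result parse_scale_factor(const char *out, const char *monitor, int *eighths)
{
    if (out == NULL || eighths == NULL) return SCALE_MALFORMED;
    const char *p = out;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0') return SCALE_UNSET;              /* dconf printed nothing */

    if (isdigit((unsigned char)*p)) {                 /* plain "8" */
        char *end;
        long v = strtol(p, &end, 10);
        while (isspace((unsigned char)*end)) end++;
        if (*end != '\0' || v < 1 || v > 64) return SCALE_MALFORMED;
        *eighths = (int)v;
        return SCALE_FOUND;
    }
    if (*p == '@') {                                  /* "@a{si} {}": skip the type */
        p = strchr(p, ' ');
        if (p == NULL) return SCALE_MALFORMED;
        while (isspace((unsigned char)*p)) p++;
    }
    if (*p != '{') return SCALE_MALFORMED;
    p++;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '}') return SCALE_NOT_FOUND;        /* "{}" or monitor absent */
        if (*p != '\'') return SCALE_MALFORMED;
        const char *key = ++p;
        const char *kend = strchr(key, '\'');
        if (kend == NULL) return SCALE_MALFORMED;
        size_t klen = (size_t)(kend - key);
        p = kend + 1;
        while (isspace((unsigned char)*p)) p++;
        if (*p++ != ':') return SCALE_MALFORMED;
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) return SCALE_MALFORMED;
        p = end;
        if (monitor == NULL || (strlen(monitor) == klen && memcmp(monitor, key, klen) == 0)) {
            if (v < 1 || v > 64) return SCALE_MALFORMED; /* reject 0, negatives, absurd sizes */
            *eighths = (int)v;
            return SCALE_FOUND;
        }
        while (isspace((unsigned char)*p)) p++;
        if (*p == ',') { p++; continue; }
        if (*p == '}') return SCALE_NOT_FOUND;
        return SCALE_MALFORMED;
    }
}

/* Scale for `monitor`, or 1.0 whenever dconf gave nothing usable. Dividing
 * by 8 assumes the Unity schema's convention that the value is in eighths
 * (8 = 100%); that is an assumption of this example, not stated in the thread. */
double display_scale_from_output(const char *out, const char *monitor)
{
    int eighths = 0;
    if (parse_scale_factor(out, monitor, &eighths) != SCALE_FOUND) return 1.0;
    return eighths / 8.0;
}

/* Run dconf the way the developer describes and interpret its output.
 * Each pointer that can be NULL (popen failure, no output line) is checked,
 * so a missing binary or an unset key gives 1.0 instead of a crash. */
double display_scale_from_dconf(const char *monitor)
{
    FILE *f = popen("/usr/bin/dconf read /com/ubuntu/user-interface/scale-factor 2>/dev/null", "r");
    if (f == NULL) return 1.0;
    char buf[4096];
    const char *line = fgets(buf, sizeof buf, f);    /* NULL when nothing was printed */
    double scale = display_scale_from_output(line != NULL ? line : "", monitor);
    pclose(f);
    return scale;
}

int main(void)
{
    /* Constructed sample with the same shape as the output posted in the thread. */
    const char *sample = "{'DP-5': 8, 'DP-3': 8, 'DVI-I-1': 8, 'DP-1': 8}\n";
    printf("DP-1: %.2f\n", display_scale_from_output(sample, "DP-1"));
    printf("HDMI-1 (absent, falls back): %.2f\n", display_scale_from_output(sample, "HDMI-1"));
    printf("live dconf, first monitor: %.2f\n", display_scale_from_dconf(NULL));
    return 0;
}
```

On the truncation seen in the trace: strace abbreviates printed string arguments to 32 bytes unless `-s` is raised (for instance `strace -f -s 256`), so the `read(...) = 48` really did deliver the whole dictionary and the cut in the trace is cosmetic. Whatever parses that buffer therefore receives the full `{'DP-5': 8, ...}` text, not a single integer, which is the case the parser above is written to survive.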

Post

Any news on this crash?

Post

Sorry, I was at a conference all last week.
Can you remind me, what version of Linux is this issue on? Ubuntu 18.04?

I'll be preparing a new beta this week which has some DPI changes in the framework. That might help...

Post

Running Ubuntu 18.04.1 LTS
