segfault on skin change

In frame #3,

#3 0x0000000100091a2e in ControlDoublePrivate::setInner (this=0x10a95ea20, value=0, pSender=0x7fff5fbfe350) at src/control/control.cpp:137

ControlDoublePrivate::m_key is [Master],num_samplers.

The invalid memory access is at:

0x000000015fbfe108

in this expression:

case 5: _t->slotValueChanged((*reinterpret_cast< double(*)>(_a[1])),(*reinterpret_cast< QObject*(*)>(_a[2]))); break;

_a[1] is 0x000000015fbfe108 (a pointer to the double value argument of slotValueChanged).

Walking up to the signal call in ControlDoublePrivate, where _a is defined on the stack:

void *_a[] = { 0, const_cast<void*>(reinterpret_cast<const void*>(&_t1)), const_cast<void*>(reinterpret_cast<const void*>(&_t2)) };

_a[1] is indeed still 0x000000015fbfe108, but _a[1] is defined here as the address of _t1 and &_t1 is 0x7fff5fbfe108.

So it looks like we have some memory corruption here.

_a[1] was initialized to 0x7fff5fbfe108 and then became 0x15fbfe108 sometime between stack frames #2 and #0. Something wrote a 1 to the high-order DWORD of _a[1]. _a[0] and _a[2] have their expected values, though _a[0] is just 0 so that's not a very good canary.

&_a[1] is 0x7fff5fbfe0e8.

Looking for possible candidates that could have written there. All the other threads appear to be polling though maybe they weren't just before this happened. Another theory is that this is just one of several slots fired for this signal and that the slot invoked before this one did the damage.

For me it looks like we call a slot on of an already deleted Object.

From Qt Docu:
> All signals to and from the object are automatically disconnected, and any pending posted events for the object are removed from the event queue. However, it is often safer to use deleteLater() rather than deleting a QObject subclass directly.

Is there a "Slave" object lightening to [Master],num_samplers which is deleted together with the old skin?

We have
 <attribute config_key="[Master],num_samplers">0</attribute>
in the skins

Or is it here:
https://github.com/mixxxdj/mixxx/blob/7905a7e6454d77f635b97f94758f269ba0e911fb/src/widget/wtracktableview.cpp#L110

If it turns out that this is the problem, we should switch all COs to SmartPointers with a deleteLater()

Hm, I think you're right. From frame #0:

(gdb) print *(((QObject*)_t)->d_ptr.d)
$66 = {
  _vptr$QObjectData = 0xc00000012,
  q_ptr = 0xd00000000000000c,
  parent = 0x1083216da,
  children = {
    {
      p = {
        d = 0x6d0075006e7620
      },
      d = 0x6d0075006e7620
    }
  },
  isWidget = 1,
  pendTimer = 1,
  blockSig = 1,
  wasDeleted = 1,
  ownObjectName = 1,
  sendChildEvents = 0,
  receiveChildEvents = 1,
  inEventHandler = 0,
  inThreadChangeEvent = 0,
  hasGuards = 0,
  unused = 7360,
  postedEvents = 7143521,
  metaObject = 0x720065006c0070

See wasDeleted. Though I'm still confused about this invalid memory access that has one DWORD set to 0x1. And shouldn't the meta object not invoke a slot on a wasDeleted QObject? Maybe valgrind would help.

Also, a slot that runs before this crash is this one:
https://github.com/mixxxdj/mixxx/blob/master/src/playermanager.cpp#L189

Here are the log lines leading up to the invalid memory access:
Debug [Main]: Now in rebootMixxxView...
Debug [Main]: ~WTrackTableView()
Debug [Main]: ~DlgTrackInfo()
Debug [Main]: ~WLibraryTableView
Debug [Main]: ~WTrackTableView()
Debug [Main]: ~DlgTrackInfo()
Debug [Main]: ~WLibraryTableView
Debug [Main]: ~DlgAutoDJ()
Debug [Main]: ~WTrackTableView()
Debug [Main]: ~DlgTrackInfo()
Debug [Main]: ~WLibraryTableView
Debug [Main]: ~WTrackTableView()
Debug [Main]: ~DlgTrackInfo()
Debug [Main]: ~WLibraryTableView
Debug [Main]: ~WTrackTableView()
Debug [Main]: ~DlgTrackInfo()
Debug [Main]: ~WLibraryTableView
Debug [Main]: ~WTrackTableView()
Debug [Main]: ~DlgTrackInfo()
Debug [Main]: ~WLibraryTableView
Debug [Main]: Ignoring request to reduce the number of samplers to 0

We also delete the skin instead of calling deleteLater() on its root object now:
https://github.com/mixxxdj/mixxx/blob/master/src/mixxx.cpp#L1516

Hm, though it is marked isWidget true which is false for a COT.

The ControlDoublePrivate looks normal:

(gdb) print *(((QObject*)this)->d_ptr.d)
$68 = {
  _vptr$QObjectData = 0x1013e6e70,
  q_ptr = 0x10a95ea20,
  parent = 0x0,
  children = {
    {
      p = {
        d = 0x1013e2f80
      },
      d = 0x1013e2f80
    }
  },
  isWidget = 0,
  pendTimer = 0,
  blockSig = 0,
  wasDeleted = 0,
  ownObjectName = 0,
  sendChildEvents = 1,
  receiveChildEvents = 1,
  inEventHandler = 0,
  inThreadChangeEvent = 0,
  hasGuards = 0,
  unused = 0,
  postedEvents = 0,
  metaObject = 0x0
}

Actually, I think the COT QObjectData is invalid:

wasDeleted and blockSig won't both be 1 if the QObject destructor ran properly (it sets blockSig to 0 and wasDeleted to 1).

And the ControlObjectThread from the skin attribute (stack frame #6) also looks fine:

$94 = {
  _vptr$QObjectData = 0x1013e6e70,
  q_ptr = 0x7fff5fbfe350,
  parent = 0x0,
  children = {
    {
      p = {
        d = 0x1013e2f80
      },
      d = 0x1013e2f80
    }
  },
  isWidget = 0,
  pendTimer = 0,
  blockSig = 0,
  wasDeleted = 0,
  ownObjectName = 0,
  sendChildEvents = 1,
  receiveChildEvents = 1,
  inEventHandler = 0,
  inThreadChangeEvent = 0,
  hasGuards = 0,
  unused = 65806,
  postedEvents = 0,
  metaObject = 0x0
}

So, to re-cap -- these are all the num_samplers COs in existence:

CO PlayerManager::m_pCONumSamplers
PlayerManager::slotNumSamplersControlChanged
- immediately sets the CO back to the true number of samplers

COS DlgPrefControls::m_pNumSamplers
DlgPrefControls::slotNumSamplersChanged
- immediately returns since 0 is less than the configured number of samplers

COT LibraryControl::m_numSamplers
LibraryControl::slotNumSamplersChanged
- does nothing since it loops 0 times

COT WTrackTableView::m_pNumSamplers
no attached slot

WTrackTableView is the only class that is created and destroyed with every skin reload.

I'm assuming everything is single-threaded and in the main thread.

1) Developer reload hotkey calls MixxxApp::rebootMixxxView()

2) Old skin is deleted. QObject hierarchy for skin is immediately deleted (QObject::deleteChildren() immediately deletes, it does not call deleteLater()), including WTrackTableView and its m_pNumSamplers COT. Log messages definitively show 6 WTrackTableView destructors running.

All WTrackTableView::m_pNumSamplers COs are deleted at this point and should be removed from all connection lists as per the QObject destructor!

3) LegacySkinParser invoked to load the skin.
4) LegacySkinParses created a stack COT to set num_samplers to 0 as per skin attribute.
5) COT::set(0) -> CDP::set(0, CDP) -> slots fire for valueChanged on all connected CO, COT, COS
6) CO::valueChanged fires, PlayerManager::slotNumSamplersChanged is invoked
4) CO::set(4) -> CDP::set(4, CO)

5) invoke CO/COT/COS slots, including LegacySkinParser's stack-based COT
- PlayerManager CO will emit valueChangedFromEngine which is unused.
- LibraryControl should do nothing
- DlgPrefControls should do nothing
- WTrackTableViews are all deleted at this point so their COTs should not be in the CDP connection list.

6) CO::set(4) exits

A COT, presumably the next (or a subsequent) connection in the CDP's connect list after the CO is invoked:

7) COT::qt_static_metacall is invoked by the CDP QMetaObject.

_a[1] is corrupt, so *_a[1] segfaults.

It doesn't make sense that the WTrackTableView COT is the one that we crash delivering the signal to. That COT is deleted before we even call LegacySkinParser and it is removed from connection lists and event queues by its destructor.

Luckily, we have the Library in stack frame #8.

print &pLibrary->m_pLibraryControl->m_numSamplers
$100 = (ControlObjectThread *) 0x10831e828

This is indeed the address of the COT that we are delivering the valueChanged signal to when we crash.

Looking at LibraryControl::m_numDecks and LibraryControl::m_numSamplers, m_numSamplers has definitely been trampled somehow. In particular, its parent should be 0x0 like m_numDecks (m_numSamplers never gets a parent). Its vptr and q_ptr fields look corrupt.

(gdb) print *pLibrary->m_pLibraryControl->m_numDecks.d_ptr.d
$110 = {
  _vptr$QObjectData = 0x1013e6e70,
  q_ptr = 0x10831e7f8,
  parent = 0x0,
  children = {
    {
      p = {
        d = 0x1013e2f80
      },
      d = 0x1013e2f80
    }
  },
  isWidget = 0,
  pendTimer = 0,
  blockSig = 0,
  wasDeleted = 0,
  ownObjectName = 0,
  sendChildEvents = 1,
  receiveChildEvents = 1,
  inEventHandler = 0,
  inThreadChangeEvent = 0,
  hasGuards = 0,
  unused = 139266,
  postedEvents = 0,
  metaObject = 0x0
}
(gdb) print *pLibrary->m_pLibraryControl->m_numSamplers.d_ptr.d
$111 = {
  _vptr$QObjectData = 0xc00000012,
  q_ptr = 0xd00000000000000c,
  parent = 0x1083216da,
  children = {
    {
      p = {
        d = 0x6d0075006e7620
      },
      d = 0x6d0075006e7620
    }
  },
  isWidget = 1,
  pendTimer = 1,
  blockSig = 1,
  wasDeleted = 1,
  ownObjectName = 1,
  sendChildEvents = 0,
  receiveChildEvents = 1,
  inEventHandler = 0,
  inThreadChangeEvent = 0,
  hasGuards = 0,
  unused = 7360,
  postedEvents = 7143521,
  metaObject = 0x720065006c0070
}

Well, it's 100%-ish reproducible for me using Owen's sync skin and hitting the reload hotkey.

Adding print-lines to ControlObjet and ControlObjectThread causes it to go away but it confirms my sequence of events above:

the prints go: this, group, item, value, setter

Debug [Main]: ControlObject::privateValueChanged ControlObject(0x106b212f0) "[Master]" "num_samplers" 0 ControlObjectThread(0x7fff5fbfe350)
Debug [Main]: ControlObject::privateValueChanged ControlObject(0x106b212f0) "[Master]" "num_samplers" 4 ControlObject(0x106b212f0)
Debug [Main]: ControlObjectThread::slotValueChanged ControlObjectThread(0x104272e98) "[Master]" "num_samplers" 4 ControlObject(0x106b212f0)
Debug [Main]: LibraryControl::slotNumSamplersChanged 4
Debug [Main]: ControlObjectThread::slotValueChanged ControlObjectThread(0x7fff5fbfe350) "[Master]" "num_samplers" 4 ControlObject(0x106b212f0)
Debug [Main]: Ignoring request to reduce the number of samplers to 0
Debug [Main]: ControlObjectThread::slotValueChanged ControlObjectThread(0x104272e98) "[Master]" "num_samplers" 0 ControlObjectThread(0x7fff5fbfe350)
Debug [Main]: LibraryControl::slotNumSamplersChanged 0
Debug [Main]: ControlObjectThread::slotValueChanged ControlObjectThread(0x7fff5fbfe350) "[Master]" "num_samplers" 0 ControlObjectThread(0x7fff5fbfe350)

LegacySkinParser COT: 0x7fff5fbfe350
PlayerManager CO: 0x106b212f0
LibraryControl COT: 0x104272e98

(These addresses are for a new run from the one I was originally discussing which is why they are different)

Hm, I just got a similar segfault:

Thread 45 (process 56199):
#0 0x00007fff90228686 in mach_msg_trap ()
#1 0x00007fff90227c42 in mach_msg ()
#2 0x00007fff913c170c in HALB_MachPort::SendMessageWithReply ()
#3 0x00007fff913c169a in HALB_MachPort::SendSimpleMessageWithSimpleReply ()
#4 0x00007fff913bfad9 in HALC_ProxyIOContext::IOWorkLoop ()
#5 0x00007fff913bf5bf in HALC_ProxyIOContext::IOThreadEntry ()
#6 0x00007fff913bf497 in HALB_IOThread::Entry ()
#7 0x00007fff87f0a772 in _pthread_start ()
#8 0x00007fff87ef71a1 in thread_start ()

Thread 41 (process 56199):
#0 0x00007fff9022a0fa in __psynch_cvwait ()
#1 0x00007fff87f0efb9 in _pthread_cond_wait ()
#2 0x000000010122819c in QWaitConditionPrivate::wait ()
#3 0x0000000101227ea5 in QWaitCondition::wait ()
#4 0x0000000101223db3 in QSemaphore::acquire ()
#5 0x0000000100086cb6 in CachingReaderWorker::run (this=0x131d38390) at src/cachingreaderworker.cpp:124
#6 0x000000010122746a in QThreadPrivate::start ()
#7 0x00007fff87f0a772 in _pthread_start ()
#8 0x00007fff87ef71a1 in thread_start ()

Thread 40 (process 56199):
#0 0x00007fff9022a0fa in __psynch_cvwait ()
#1 0x00007fff87f0efb9 in _pthread_cond_wait ()
#2 0x000000010122819c in QWaitConditionPrivate::wait ()
#3 0x0000000101227ea5 in QWaitCondition::wait ()
#4 0x0000000101223db3 in QSemaphore::acquire ()
#5 0x0000000100086cb6 in CachingReaderWorker::run (this=0x13024b050) at src/cachingreaderworker.cpp:124
#6 0x000000010122746a in QThreadPrivate::start ()
#7 0x00007fff87f0a772 in _pthread_start ()
#8 0x00007fff87ef71a1 in thread_start ()

Thread 39 (process 56199):
#0 0x00007fff9022a0fa in __psynch_cvwait ()
#1 0x00007fff87f0efb9 in _pthread_cond_wait ()
#2 0x000000010122819c in QWaitConditionPrivate::wait ()
#3 0x0000000101227ea5 in QWaitCondition::wait ()
#4 0x0000000101223db3 in QSemaphore::acquire ()
#5 0x0000000100086cb6 in CachingReaderWorker::run (this=0x12a23a460) at src/cachingreaderworker.cpp:124
#6 0x000000010122746a in QThreadPrivate::start ()
#7 0x00007fff87f0a772 in _pthread_start ()
#8 0x00007fff87ef71a1 in thread_start ()

Thread 38 (process 56199):
#0 0x00007fff9022a0fa in __psynch_cvwait ()
#1 0x00007fff87f0efb9 in _pthread_cond_wait ()
#2 0x000000010122819c in QWaitConditionPrivate::wait ()
#3 0x0000000101227ea5 in QWaitCondition::wait ()
#4 0x0000000101223db3 in QSemaphore::acquire ()
#5 0x0000000100086cb6 in CachingReaderWorker::run (this=0x12f22fdf0) at src/cachingreaderworker.cpp:124
#6 0x000000010122746a in QThreadPrivate::start ()
#7 0x00007fff87f0a772 in _pthread_start ()
#8 0x00007fff87ef71a1 in thread_start ()

Thread 37 (process 56199):
#0 0x00007fff9022a0fa in __psynch_cvwait ()
#1 0x00007fff87f0efb9 in _pthread_cond_wait ()
#2 0x000000010122819c in QWaitConditionPrivate::wait ()
#3 0x0000000101227ea5 in QWaitCondition::wait ()
#4 0x0000000101223db3 in QSemaphore::acquire ()
#5 0x0000000100086cb6 in CachingReaderWorker::run (this=0x12dd43bb0) at src/cachingreaderworker.cpp:124
#6 0x000000010122746a in QThreadPrivate::start ()
#7 0x00007fff87f0a772 in _pthread_start ()
#8 0x00007fff87ef71a1 in thread_start ()

Thread 36 (process 56199):
#0 0x00007fff9022a0fa in __ps...

I was dragging a track from the library to deck 2.

And it happened on releasing the mouse.

Ugh, changing my compiler has an affect on this bug:

Using OS X 10.8.5 XCode 5.0.2 with command line tools.

Repro steps:

1) Load Owen's LateNight Sync skin: https://github.com/ywwg/mixxx/tree/mastersync_skins/res/skins/LateNight1920x1080-4Deck-WXGA
2) Reload with developer-mode reload shortcut.

Segfault happens immediately.

$ clang --version
Apple LLVM version 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
Target: x86_64-apple-darwin12.5.0
Thread model: posix

The built-in version of clang triggers the segfault with the above steps 100% of the time.

$ llvm-gcc --version
i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.11.00)
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

The built-in version of llvm-gcc does NOT trigger the segfault using the repro steps.

I installed the HEAD version of clang from the latest LLVM/Clang git repos:

$ /usr/local/homebrew/opt/llvm/bin/clang --version
clang version 3.5
Target: x86_64-apple-darwin12.5.0
Thread model: posix

And the segfault no longer triggers with the above repro steps. Ugh.

Except from https://bugs.launchpad.net/mixxx/+bug/1269559
I have never seen your segfault on Linux .

did you confirm this is a clang issue? can we close this?

I still have no clue. I'm seeing the same bug elsewhere now.

I also have never seen anything like this on linux

(Have you run memcheck?)

Yea, I'm fairly sure this is specific to my setup. I can still reproduce it but I think it's caused by a mix of different toolchains / LLVM versions.

Mixxx now uses GitHub for bug tracking. This bug has been migrated to:
https://github.com/mixxxdj/mixxx/issues/7266