crash on vrml export in Fedora
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
KiCad |
Fix Released
|
High
|
Seth Hillbrand |
Bug Description
I made a simple board with two mounting pads and a solder wire pad and tried to export it as vrml. KiCad crashes without any message shown.
Attached the file that causes the crash for me.
---
Application: kicad
Version: 5.1.2-1.fc30, release build
Libraries:
wxWidgets 3.0.4
libcurl/7.65.3 OpenSSL/1.1.1c-fips zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.0.5) libssh/
Platform: Linux 5.1.19-
Build Info:
wxWidgets: 3.0.4 (wchar_t,wx containers,
Boost: 1.69.0
OpenCASCADE Community Edition: 6.9.1
Curl: 7.64.0
Compiler: GCC 9.0.1 with C++ ABI 1013
Build settings:
USE_
USE_
KICAD_
KICAD_
KICAD_
KICAD_
KICAD_
KICAD_
BUILD_
KICAD_
KICAD_
KICAD_SPICE=ON
Rene Poeschl (poeschlr) wrote : | #1 |
Michael Kavanagh (michaelkavanagh) wrote : | #2 |
Changed in kicad: | |
status: | New → Incomplete |
tags: | added: export pcbnew vrml |
Rene Poeschl (poeschlr) wrote : | #3 |
- Screenshot from 2019-07-30 22-22-32.png Edit (35.1 KiB, image/png)
The only thing i changed from default is using mm instead of meter as the output unit. But meter also crashes so it is the same.
It must have something to do with the solder wire footprint. It seems any through hole footprint crashes my system. (I can easily export with only the mounting hole footprint or with a soic one. But the solder wire footprint and also a dip footprint do crash kicad on export.)
eelik (eelik) wrote : | #4 |
It doesn't crash on Windows, either.
Application: Pcbnew
Version: (5.1.3-
Libraries:
wxWidgets 3.0.4
libcurl/7.61.1 OpenSSL/1.1.1 (WinSSL) zlib/1.2.11 brotli/1.0.6 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) nghttp2/1.34.0
Platform: Windows 8 (build 9200), 64-bit edition, 64 bit, Little endian, wxMSW
Build Info:
wxWidgets: 3.0.4 (wchar_t,wx containers,
Boost: 1.68.0
OpenCASCADE Community Edition: 6.9.1
Curl: 7.61.1
Compiler: GCC 8.2.0 with C++ ABI 1013
Build settings:
USE_
USE_
KICAD_
KICAD_
KICAD_
KICAD_
KICAD_
KICAD_
BUILD_
KICAD_
KICAD_
KICAD_SPICE=ON
Rene Poeschl (poeschlr) wrote : | #5 |
Our build settings differ in WX_OVERLAY and PYTHON version. Could any of these two be responsible?
Otherwise it might be a dependency mismatch in the fedora packaging.
Wayne Stambaugh (stambaughw) wrote : | #6 |
@Rene, I wouldn't think so as the vrml exported doesn't use python or wxOverlay but I could be wrong. I cannot get this to crash on Debian testing.
Application: Pcbnew
Version: (5.1.3-
Libraries:
wxWidgets 3.0.4
libcurl/7.65.1 OpenSSL/1.1.1c zlib/1.2.11 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.37.0 librtmp/2.3
Platform: Linux 4.19.0-5-amd64 x86_64, 64 bit, Little endian, wxGTK
Build Info:
wxWidgets: 3.0.4 (wchar_t,wx containers,
Boost: 1.62.0
OpenCASCADE Community Edition: 6.9.1
Curl: 7.65.1
Compiler: Clang 7.0.1 with C++ ABI 1002
Build settings:
USE_
USE_
KICAD_
KICAD_
KICAD_
KICAD_
KICAD_
KICAD_
BUILD_
KICAD_
KICAD_
KICAD_SPICE=ON
Nick Østergaard (nickoe) wrote : | #7 |
Is this something you built yourself or is it from fedora official repos?
Rene Poeschl (poeschlr) wrote : | #8 |
It is the official fedora package
output of dnf list kicad:
sudo dnf list kicad
Last metadata expiration check: 0:17:05 ago on Wed 31 Jul 2019 17:14:45 CEST.
Installed Packages
kicad.x86_64 1:5.1.2-1.fc30 @updates
Available Packages
kicad.i686 1:5.1.2-1.fc30 updates
Nick Østergaard (nickoe) wrote : | #9 |
Can you provide a backtrace?
Ian McInerney (imcinerney) wrote : | #10 |
I was just able to reproduce this on the Fedora release build for 5.1.2. I had to uncheck all the options, and it was set to meters. When I had the options checked it wouldn't crash. I tried briefly on the HEAD of the 5.1 branch, but it didn't crash. I was running that as a debug build though, so it could be this is release build specific.
It crashes on:
/usr/include/
The relevant backtrace is:
#0 0x00007ffff6cafe75 in raise () at /lib64/libc.so.6
#1 0x00007ffff6c9a895 in abort () at /lib64/libc.so.6
#2 0x00007fffd6cd8a28 in std::__
(__
at /usr/include/
#3 0x00007fffd6efbd94 in std::vector<int, std::allocator<int> >::operator[
#4 0x00007fffd6efbd94 in create_
at /usr/src/
#5 0x00007fffd6efc6e8 in write_layers(
..., aFileName=
at /usr/src/
#6 0x00007fffd6f0260a in PCB_EDIT_
(this=
at /usr/include/
#7 0x00007fffd6d611f8 in PCB_EDIT_
#8 0x00007ffff746df0b in wxEvtHandler:
#9 0x00007ffff746e013 in wxEventHashTabl
Rene Poeschl (poeschlr) wrote : | #11 |
- kicad-backtrace.txt Edit (68.4 KiB, text/plain)
I hope i did everything correctly (never created a backtrace before)
Seth Hillbrand (sethh) wrote : | #12 |
@SteveFalco- It looks like the fedora release is being built with debug symbols. These asserts should not be crashing releases. Other platforms had issues because they were being compiled with RelWithDebInfo instead of Release. This apparently enables the asserts.
We should still fix this. It appears that the VRML triangulation is failing to provide an indexPlane for some reason
Changed in kicad: | |
status: | Incomplete → Confirmed |
milestone: | none → 5.1.4 |
importance: | Undecided → Critical |
importance: | Critical → High |
summary: |
- crash on vrml export + crash on vrml export in Fedora |
KiCad Janitor (kicad-janitor) wrote : | #13 |
Fixed in revision ff28501d6d647a1
https:/
Changed in kicad: | |
status: | Confirmed → Fix Committed |
assignee: | nobody → Seth Hillbrand (sethh) |
Rene Poeschl (poeschlr) wrote : | #14 |
Regarding debug stuff: I installed debug symbols (It is a separate package under fedora) after this crash appeared to be able to make the backtrace. Might this be the reason for it appearing to have debug enabled?
Ian McInerney (imcinerney) wrote : | #15 |
@Seth, @SteveFalco - Fedora appears to enable building with the debug symbols by default (independent of the CMAKE type flag) by passing -g to the compiler in a system-level CFLAGS/CXXFLAGS (see here: https:/
Seth Hillbrand (sethh) wrote : | #16 |
@Rene- Got it. Perhaps I am mistaken then. My statement was based on the fact that this error is an assert and not a crash per se. When built for Release, CMake specifies NDEBUG=1, this makes the asserts into nop statements. When built for RelWithDebInfo, it doesn't set the NDEBUG flag and the asserts remain enabled.
Ian McInerney (imcinerney) wrote : | #17 |
@Seth, the assert is being generated in the standard library not KiCad so the NDEBUG flag from KiCad's cmake won't affect it since it is controlled by different flags. What seems to be happening is that Fedora is enabling the standard library asserts by passing "-D_GLIBCXX_
We need the Fedora build system to not send the "-D_GLIBCXX_
Seth Hillbrand (sethh) wrote : | #18 |
@Ian- Are you sure that the asserts in the header files aren't controlled by the KiCad flags?
Seth Hillbrand (sethh) wrote : | #19 |
Sorry for the noise, Ian, I see what you mean now
https:/
Steven Falco (stevenfalco) wrote : | #20 |
I'm not too familiar with this, but I do know that Fedora has recently been applying so-called "hardening" flags, in order to catch more run-time errors. The current flags are:
-O2 -g -pipe -Wall -Werror=
I could try adding:
%undefine _hardened_build
which should disable the hardening flags. Or I could experiment with overriding the %{optflags} macro, which should let me choose specific flags to include or omit. But I'd need some guidance on which flags we want.
But before I do that, I have to ask if we really want to override the hardening. I would have thought that the hardening was a desirable thing.
Please let me know how you'd like me to proceed.
Seth Hillbrand (sethh) wrote : | #21 |
Hi Steven-
Thanks for looking into this. The flag that we'd like to omit is "-Wp,-D_
Steven Falco (stevenfalco) wrote : | #22 |
I'm able to turn off the "-Wp,-D_
%define __global_
It is a bit ugly, because if Fedora ever changes the "__global_
I started the Fedora builds, but it will be a week or more before they become available, owing to the Fedora Karma requirements. If enough people test, the builds could pop out sooner, but historically that doesn't happen, so we will likely have to incur the 1 week Karma penalty.
I'm not sure if this change is also wanted for the nightly builds. Since those are debug builds, I don't think we want the change there, but please tell me if they should be changed too.
One thing bothers me - if the Fedora build had not crashed on @Rene, the underlying VRML bug would have gone unnoticed. That makes me wonder if we should really be adding "-Wp,-D_
Florian Weimer (fweimer) wrote : | #23 |
I agree with Steven.
Seth, the cause of these crashes are out-of-bounds std::vector accesses. C programmers would call these “buffer overflows”. I do not think it is a good idea to remove these checks. Unlike C, C++ standard containers can actually perform such checks and reduce exposure of security vulnerabilities.
Ian McInerney (imcinerney) wrote : | #24 |
The main problem with these assertions is they are turning problems that were non-fatal into fatal crashes (this is a good example, it didn't crash on every other platform that was tried, other than Fedora where the assertions were enabled). In release builds that is not usually desired.
I can see the utility of this for nightly and debug builds, so it might be worth adding this as an explicit flag we pass for debug release types and have the nightly builds add it, but I still don't think it belongs in the release builds.
Jeff Young (jeyjey) wrote : | #25 |
Removing the checks will indeed increase the vulnerability surface area. There are existing methods "out in the wild" of exploiting buffer overflows to execute malicious code. The checks therefore need to be run even on release builds.
Which makes we wonder why we aren't seeing this on other platforms. Do we have the std::container checks turned off or something?
Ian McInerney (imcinerney) wrote : | #26 |
@Jeff, these checks are off by default when compiled. They have to be explicitly enabled by passing the _GLIBCXX_ASSERTIONS flag to the preprocessor. So far only Fedora seems to pass that flag by default so it is the only build with these runtime checks.
Seth Hillbrand (sethh) wrote : | #27 |
I would advocate for adding the check to all systems for debug builds and removing it from release builds like we do for all other assertions.
Seth Hillbrand (sethh) wrote : | #28 |
Sent the previous message too quickly.
I have more concern about people losing work due to a crash than a malicious hack embedded in KiCad data files.
jean-pierre charras (jp-charras) wrote : | #29 |
I share the Seth's opinion.
@Seth,
Are you sure about your fix in "static void create_
It test idxSide.empty() and exit the function if true.
But unless I missed something, idxSide is a not used variable, and idxSide.empty() is always true.
So create_vrml_plane() is never executed.
Jeff Young (jeyjey) wrote : | #30 |
Just to be the devil's advocate, we felt the same way about PDF in the early days. When it caught up to us it was ugly (we lost a full 18-month development cycle and a lot of customer trust).
Seth Hillbrand (sethh) wrote : | #31 |
@Jeff- How about we start with enabling additional checks for the debug builds? I think we are all in agreement there. This gets us additional testing surface against the access errors.
@jp- Thanks. copy-paste error there. I've fixed it in master and 5.1
Jeff Young (jeyjey) wrote : | #32 |
@Seth, definitely.
Just to be clear, I'm a -0 on not enabling the checks on release (ie: I think it's the wrong decision, but I won't stand in the way of a consensus).
Seth Hillbrand (sethh) wrote : | #33 |
@Jeff, good to know, thanks. I wonder if there's a way we could re-direct the assertions to the crash reporter? If there's a useful bit of information to be gleaned from the assertion during normal use, I'm less opposed. It's just the crash+disappear with no message that I think is not helpful in production systems.
Andrew Lutsenko (qu1ck) wrote : | #34 |
I think we absolutely should enable all possible sanitizations and checks in all builds.
It's just pure luck that the bug is in vrml export and it's no big deal to ignore it. What if next time it will corrupt the project files? It's much better to "catch" that in a crash than silently ignore it.
KiCad doesn't have nearly enough automated test coverage so we rely heavily on user reports and there are not a lot of users running debug builds. I'm a dev and I only run debug build when I am triaging an issue because it's too slow for everyday use.
It's one thing to suppress gui library asserts because they are annoying and confusing in release build. But ignoring memory access violations can go very wrong very fast.
Wayne Stambaugh (stambaughw) wrote : | #35 |
The gcc assertions should be enabled in debug builds. If they were, this bug would have been found a long time ago. I am less convinced of their usefulness in release builds. Assertions are added as a form of defensive programming to find bugs before release not as a catch all to find bugs in release builds. I agree with Seth that users are going to be far more upset about loosing work due to an assertion crashing KiCad rather then a malformed vrml output file. If Fedora wants to do this, that is their prerogative but I don't want to force this on other platforms release builds.
Seth Hillbrand (sethh) wrote : | #36 |
OK.
I'm working on adding the following flags to the debug builds:
-D_GLIBCXX_
The GLIBCXX_DEBUG define gets the assertions as well as other debugging info for libstdc++. Compiling this way exposes quite a few shortcuts, so will take a while to sort out.
Ian McInerney (imcinerney) wrote : | #37 |
Seth, I would suggest making the sanitizer flags these to get nicer traces for any errors that appear (these are the flags I am currently running with):
-fsanitize=address -fno-optimize-
Also, if we wanted to we could add a -U_GLIBCXX_
Steven Falco (stevenfalco) wrote : | #38 |
I got curious, so I just checked the Fedora debug builds on Copr. They already have the _GLIBCXX_ASSERTIONS flag enabled, which is not surprising, given the similar infrastructure between Copr and the official release builder.
Then I went back to see when the change was introduced. It looks like that flag was added in Fedora 28 around January 2018.
The good news is that there must be very few of these bugs in the KiCAD code, or we would have seen more crashes by now. Either that or there are just not many users of KiCAD on Fedora. :-)
Seth Hillbrand (sethh) wrote : | #39 |
Thanks Ian. I'm going to make these an optional flag for now. Trying to run KiCad at the moment with GLIBCXX_DEBUG on is nigh-on impossible, so we're going to need to have some serious debugging before this gets into mainstream builds.
In more annoying news, it appears that -fsanitize=address exposes a gold linker bug[1] when used with our raw asm inlines. We can get around this by using the naked attribute in an explicit function call but that's a large testing project as we need to verify the builds for all platforms (and this is not automated at the moment).
I'm going to encourage devs to use the flags when they can. They do substantially slow KiCad, so it might not be an all-the-time thing. However, at the moment, even clicking a menu with all debug options on throws an assert, so we've got a few issues to sort here.
[1] https:/
Changed in kicad: | |
status: | Fix Committed → Fix Released |
Jonathan Wakely (jwakely) wrote : | #40 |
-D_GLIBCXX_DEBUG enables the full Debug Mode for GCC's standard library:
https:/
That enables a large number of checks, but alters the class layout for all standard library containers and also changes the algorithmic complexity of some standard library algorithms, e.g. an O(log N) algorithm might become O(N) or worse. It's a very heavyweight set of checks, and affects the ABI of the compiled code.
While testing sometimes with _GLIBCXX_DEBUG defined may be valuable, it's probably not suitable for the normal debug builds and for CI testing. For a start, it would mean that a debug build is ABI-incompatible with a release build, due to the class layout changes.
The _GLIBCXX_ASSERTIONS macro defines a subset of the _GLIBCXX_DEBUG checks, with no impact on class layout and minimal impact on runtime (and no changes in algorithmic complexity). It is intended to be suitable for both debug builds and release builds. If you don't want to use it for your release builds that's fine, but it's probably the macro you want to define for regaulr debug builds and for CI testing.
N.B. defining _GLIBCXX_ASSERTIONS for other compilers is pointless, it's a macro belonging to GCC's standard library (libstdc++) and will be completely ignored by Clang's libc++ and Visual Studio's standard library.
Seth Hillbrand (sethh) wrote : | #41 |
@Jonathan-
Thank you for the background. I didn't know you followed our bug tracker but it's always nice to get the definitive answer.
Jonathan Wakely (jwakely) wrote : | #42 |
I don't usually, but this issue was pointed out on the Fedora dev list, and since I'm responsible for adding the _GLIBCXX_ASSERTIONS checks to libstdc++ I thought I should comment.
@Rene, what are the VRML export settings you're using? I cannot reproduce on macOS using 5.1.2 or master.