[Tracker] crash in BList::ItemAt ()

[diver]

Tracker crashed after downloading a file in BeZilla to Desktop.

Thread 139 caused an exception: Segment violation
Reading symbols from /boot/system/runtime_loader...done.
Loaded symbols for /boot/system/runtime_loader
Reading symbols from /boot/system/lib/libbe.so...done.
Loaded symbols for /boot/system/lib/libbe.so
Reading symbols from /boot/system/lib/libtracker.so...done.
Loaded symbols for /boot/system/lib/libtracker.so
Reading symbols from /boot/system/lib/libroot.so...done.
Loaded symbols for /boot/system/lib/libroot.so
Reading symbols from /boot/system/lib/libstdc++.r4.so...done.
Loaded symbols for /boot/system/lib/libstdc++.r4.so
Reading symbols from /boot/system/lib/libtranslation.so...done.
Loaded symbols for /boot/system/lib/libtranslation.so
Reading symbols from /boot/system/lib/libtextencoding.so...done.
Loaded symbols for /boot/system/lib/libtextencoding.so
Reading symbols from /boot/system/apps/Workspaces...done.
Loaded symbols for /boot/system/apps/Workspaces
Reading symbols from /boot/system/add-ons/Translators/BMPTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/BMPTranslator
Reading symbols from /boot/system/add-ons/Translators/EXRTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/EXRTranslator
Reading symbols from /boot/system/lib/libilmimf.so...done.
Loaded symbols for /boot/system/lib/libilmimf.so
Reading symbols from /boot/system/lib/libz.so...done.
Loaded symbols for /boot/system/lib/libz.so
Reading symbols from /boot/system/add-ons/Translators/GIFTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/GIFTranslator
Reading symbols from /boot/system/add-ons/Translators/JPEG2000Translator...done.
Loaded symbols for /boot/system/add-ons/Translators/JPEG2000Translator
Reading symbols from /boot/system/add-ons/Translators/JPEGTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/JPEGTranslator
Reading symbols from /boot/system/add-ons/Translators/PCXTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/PCXTranslator
Reading symbols from /boot/system/add-ons/Translators/PNGTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/PNGTranslator
Reading symbols from /boot/system/add-ons/Translators/PPMTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/PPMTranslator
Reading symbols from /boot/system/add-ons/Translators/RAWTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/RAWTranslator
Reading symbols from /boot/system/add-ons/Translators/RTF-Translator...done.
Loaded symbols for /boot/system/add-ons/Translators/RTF-Translator
Reading symbols from /boot/system/add-ons/Translators/SGITranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/SGITranslator
Reading symbols from /boot/system/add-ons/Translators/STXTTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/STXTTranslator
Reading symbols from /boot/system/add-ons/Translators/TGATranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/TGATranslator
Reading symbols from /boot/system/add-ons/Translators/TIFFTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/TIFFTranslator
Reading symbols from /boot/system/add-ons/Translators/WonderBrushTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/WonderBrushTranslator
[tcsetpgrp failed in terminal_inferior: Invalid Argument]
[Switching to team /boot/system/Tracker (84) thread w>/boot/home/Desktop (139)]
0x003e24f6 in BList::ItemAt () from /boot/system/lib/libbe.so
(gdb) bt
#0  0x003e24f6 in BList::ItemAt () from /boot/system/lib/libbe.so
#1  0x005ac851 in BPrivate::BPose::WidgetFor ()
   from /boot/system/lib/libtracker.so
#2  0x005ad14d in BPrivate::BPose::CalcRect ()
   from /boot/system/lib/libtracker.so
#3  0x005ca1ef in BPrivate::BPoseView::ClearSelection ()
   from /boot/system/lib/libtracker.so
#4  0x005c74ca in BPrivate::BPoseView::AddRemoveSelectionRange ()
   from /boot/system/lib/libtracker.so
#5  0x005c42d9 in BPrivate::BPoseView::MouseDown ()
   from /boot/system/lib/libtracker.so
#6  0x00384aeb in BWindow::DispatchMessage () from /boot/system/lib/libbe.so
#7  0x003892cc in BWindow::task_looper () from /boot/system/lib/libbe.so
#8  0x002c67e3 in BLooper::_task0_ () from /boot/system/lib/libbe.so
#9  0x0069f124 in thread_entry () from /boot/system/lib/libroot.so
#10 0x70184fec in ?? ()
(gdb) 

After taking screenshot and saving to Desktop:

Thread 141 caused an exception: Segment violation
Reading symbols from /boot/system/runtime_loader...done.
Loaded symbols for /boot/system/runtime_loader
Reading symbols from /boot/system/lib/libbe.so...done.
Loaded symbols for /boot/system/lib/libbe.so
Reading symbols from /boot/system/lib/libtracker.so...done.
Loaded symbols for /boot/system/lib/libtracker.so
Reading symbols from /boot/system/lib/libroot.so...done.
Loaded symbols for /boot/system/lib/libroot.so
Reading symbols from /boot/system/lib/libstdc++.r4.so...done.
Loaded symbols for /boot/system/lib/libstdc++.r4.so
Reading symbols from /boot/system/lib/libtranslation.so...done.
Loaded symbols for /boot/system/lib/libtranslation.so
Reading symbols from /boot/system/lib/libtextencoding.so...done.
Loaded symbols for /boot/system/lib/libtextencoding.so
Reading symbols from /boot/system/apps/Workspaces...done.
Loaded symbols for /boot/system/apps/Workspaces
Reading symbols from /boot/system/add-ons/Translators/BMPTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/BMPTranslator
Reading symbols from /boot/system/add-ons/Translators/EXRTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/EXRTranslator
Reading symbols from /boot/system/lib/libilmimf.so...done.
Loaded symbols for /boot/system/lib/libilmimf.so
Reading symbols from /boot/system/lib/libz.so...done.
Loaded symbols for /boot/system/lib/libz.so
Reading symbols from /boot/system/add-ons/Translators/GIFTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/GIFTranslator
Reading symbols from /boot/system/add-ons/Translators/JPEG2000Translator...done.
Loaded symbols for /boot/system/add-ons/Translators/JPEG2000Translator
Reading symbols from /boot/system/add-ons/Translators/JPEGTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/JPEGTranslator
Reading symbols from /boot/system/add-ons/Translators/PCXTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/PCXTranslator
Reading symbols from /boot/system/add-ons/Translators/PNGTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/PNGTranslator
Reading symbols from /boot/system/add-ons/Translators/PPMTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/PPMTranslator
Reading symbols from /boot/system/add-ons/Translators/RAWTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/RAWTranslator
Reading symbols from /boot/system/add-ons/Translators/RTF-Translator...done.
Loaded symbols for /boot/system/add-ons/Translators/RTF-Translator
Reading symbols from /boot/system/add-ons/Translators/SGITranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/SGITranslator
Reading symbols from /boot/system/add-ons/Translators/STXTTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/STXTTranslator
Reading symbols from /boot/system/add-ons/Translators/TGATranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/TGATranslator
Reading symbols from /boot/system/add-ons/Translators/TIFFTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/TIFFTranslator
Reading symbols from /boot/system/add-ons/Translators/WonderBrushTranslator...done.
Loaded symbols for /boot/system/add-ons/Translators/WonderBrushTranslator
[tcsetpgrp failed in terminal_inferior: Invalid Argument]
[Switching to team /boot/system/Tracker (82) thread w>/boot/home/Desktop (141)]
0x003e2772 in BList::ItemAt () from /boot/system/lib/libbe.so
(gdb) bt 
#0  0x003e2772 in BList::ItemAt () from /boot/system/lib/libbe.so
#1  0x005ac869 in BPrivate::BPose::WidgetFor ()
   from /boot/system/lib/libtracker.so
#2  0x005ad165 in BPrivate::BPose::CalcRect ()
   from /boot/system/lib/libtracker.so
#3  0x005b95af in BPrivate::BPoseView::SlotOccupied ()
   from /boot/system/lib/libtracker.so
#4  0x005b8b72 in BPrivate::BPoseView::PlacePose ()
   from /boot/system/lib/libtracker.so
#5  0x005b36ab in BPrivate::BPoseView::CreatePoses ()
   from /boot/system/lib/libtracker.so
#6  0x005b2c9a in BPrivate::BPoseView::CreatePose ()
   from /boot/system/lib/libtracker.so
#7  0x005bf3cf in BPrivate::BPoseView::EntryCreated ()
   from /boot/system/lib/libtracker.so
#8  0x005bea39 in BPrivate::BPoseView::FSNotification ()
   from /boot/system/lib/libtracker.so
#9  0x0053ff45 in BPrivate::DesktopPoseView::FSNotification ()
   from /boot/system/lib/libtracker.so
#10 0x005b4b6c in BPrivate::BPoseView::MessageReceived ()
   from /boot/system/lib/libtracker.so
#11 0x002c538b in BLooper::DispatchMessage () from /boot/system/lib/libbe.so
#12 0x00385749 in BWindow::DispatchMessage () from /boot/system/lib/libbe.so
#13 0x003894ac in BWindow::task_looper () from /boot/system/lib/libbe.so
---Type <return> to continue, or q <return> to quit---
#14 0x002c68e7 in BLooper::_task0_ () from /boot/system/lib/libbe.so
#15 0x0069f124 in thread_entry () from /boot/system/lib/libroot.so
#16 0x70184fec in ?? ()
(gdb) 

I'm trying to find a reproducible test case.

Tested with hrev32638 in VirtualBox 3.0.4

[diver]

Taking a screenshot and saving it to Desktop seems to always crash it.

[diver]

This is tricky one. It seems that these crashes could only be reproduced in 48x48 desktop icon mode only. Backup your Desktop to some place and unzip attached Desktop.zip like this:

rm -rf Desktop; unzip Desktop.zip; sleep 1; /system/Tracker &

Now save the following script as "crasher.sh" in your /boot/home

#!/bin/sh
cd
cd Desktop
for i in `seq 1 50`; do touch Trackerfile1 Trackerfile2; rm Trackerfile*; done

Open Terminal and type sh -x crasher.sh (sh -x is used here to slow down output as it seems to have some influence)
Now if you start clicking on desktop while these files being created you'll get all sort of different tracker crashes (I already saw 4 or 5 different ones).

Tested with hrev34735 ​http://haiku-files.org/vmware/haiku-nightly-r34735-x86gcc2-vmware.zip in VirtualBox 3.0.12

[anevilyak]

(In #5780) Replying to diver:

#4322 could be related.

Indeed, that looks to be the same problem. Marking this one as a duplicate.

[anevilyak]

diver: are you still able to replicate this? At least with the above Desktop.zip + shell script I've not managed to reproduce a crash as described so far.

[diver]

Yes, I was able to reproduce it using that shell script on hrev36430 in VirtualBox.

[anevilyak]

Hm...will see what I can do...on my desktop that script executes in somewhere around half a second, with no real chance to see or touch those files.

[diver]

It takes around 30 seconds in vbox and you could actually see/click those files.

[anevilyak]

Any particular revision of vbox? Will have to see if I can set that up here somewhere, I almost never use VMs normally.

[diver]

VirtualBox 3.0.12. is the latest version which works on my old Fedora 8.

[Karvjorm]

Tickets #5755 and #5788 case 2 can be the same problem.

[anevilyak]

Replying to Karvjorm:

Tickets #5755 and #5788 case 2 can be the same problem.

Negative, those have nothing to do with this particular issue, this is mem corruption specific to Tracker, not an actual issue in the list classes.

[anevilyak]

diver: Can you try with hrev36455 please?

[diver]

This is with hrev36455:

Thread 134 caused an exception: Segment violation
[...]
[Switching to team /boot/system/Tracker (106) thread w>/boot/home/Desktop (134)]
0x003ef516 in BList::ItemAt () from /boot/system/lib/libbe.so
(gdb) bt
#0  0x003ef516 in BList::ItemAt () from /boot/system/lib/libbe.so
#1  0x005abf65 in BPrivate::BPose::WidgetFor ()
   from /boot/system/lib/libtracker.so
#2  0x005ac861 in BPrivate::BPose::CalcRect ()
   from /boot/system/lib/libtracker.so
#3  0x005b91f7 in BPrivate::BPoseView::SlotOccupied ()
   from /boot/system/lib/libtracker.so
#4  0x005b87ba in BPrivate::BPoseView::PlacePose ()
   from /boot/system/lib/libtracker.so
#5  0x005b3355 in BPrivate::BPoseView::CreatePoses ()
   from /boot/system/lib/libtracker.so
#6  0x005b28d2 in BPrivate::BPoseView::CreatePose ()
   from /boot/system/lib/libtracker.so
#7  0x005bee93 in BPrivate::BPoseView::EntryCreated ()
   from /boot/system/lib/libtracker.so
#8  0x005be4a7 in BPrivate::BPoseView::FSNotification ()
   from /boot/system/lib/libtracker.so
#9  0x00549b52 in BPrivate::DesktopPoseView::FSNotification ()
   from /boot/system/lib/libtracker.so
#10 0x005b4790 in BPrivate::BPoseView::MessageReceived ()
   from /boot/system/lib/libtracker.so
#11 0x002ca5e3 in BLooper::DispatchMessage () from /boot/system/lib/libbe.so
#12 0x0038e059 in BWindow::DispatchMessage () from /boot/system/lib/libbe.so
#13 0x003921ec in BWindow::task_looper () from /boot/system/lib/libbe.so
---Type <return> to continue, or q <return> to quit---
#14 0x002cbb3f in BLooper::_task0_ () from /boot/system/lib/libbe.so
#15 0x0069d0b2 in thread_entry () from /boot/system/lib/libroot.so
#16 0x70184fec in ?? ()
(gdb)

[anevilyak]

Debugging patch

[anevilyak]

Since you seem to be able to replicate this much more easily than me, can you see if you still crash it with the above patch applied to Tracker? If so, please save the resulting Terminal output and attach to ticket.

[diver]

Sure, here you are:

[Switching to team /boot/system/Tracker (107) thread w>/boot/home/Desktop (131)]
0x003ef516 in BList::ItemAt () from /boot/system/lib/libbe.so
(gdb) bt
#0  0x003ef516 in BList::ItemAt () from /boot/system/lib/libbe.so
#1  0x005abf91 in BPrivate::BPose::WidgetFor () from /boot/system/lib/libtracker.so
#2  0x005ac8e1 in BPrivate::BPose::CalcRect () from /boot/system/lib/libtracker.so
#3  0x005b929b in BPrivate::BPoseView::SlotOccupied () from /boot/system/lib/libtracker.so
#4  0x005b883a in BPrivate::BPoseView::PlacePose () from /boot/system/lib/libtracker.so
#5  0x005b33d5 in BPrivate::BPoseView::CreatePoses () from /boot/system/lib/libtracker.so
#6  0x005b2952 in BPrivate::BPoseView::CreatePose () from /boot/system/lib/libtracker.so
#7  0x005bef37 in BPrivate::BPoseView::EntryCreated () from /boot/system/lib/libtracker.so
#8  0x005be54b in BPrivate::BPoseView::FSNotification () from /boot/system/lib/libtracker.so
#9  0x00549b52 in BPrivate::DesktopPoseView::FSNotification () from /boot/system/lib/libtracker.so
#10 0x005b4810 in BPrivate::BPoseView::MessageReceived () from /boot/system/lib/libtracker.so
#11 0x002ca5e3 in BLooper::DispatchMessage () from /boot/system/lib/libbe.so
#12 0x0038e059 in BWindow::DispatchMessage () from /boot/system/lib/libbe.so
#13 0x003921ec in BWindow::task_looper () from /boot/system/lib/libbe.so
#14 0x002cbb3f in BLooper::_task0_ () from /boot/system/lib/libbe.so
#15 0x0069d0b2 in thread_entry () from /boot/system/lib/libroot.so
#16 0x70184fec in ?? ()

Thanks for looking into it!

[anevilyak]

Thanks! It looks like the most likely cause of this is an already deleted pose somehow managed to remain in the pose list...will have to dig around to see how that could have happened, will let you know if/when I have more tests for you to run.

[anevilyak]

Could you try running Tracker with LD_PRELOAD=libroot_debug.so /system/Tracker and see if you get any different output by any chance? That might help confirm if it's indeed accessing already freed memory.

[aldeck]

Tried a few months ago but wasn't able to reproduce either (real hardware). Diver, is it reproducible for you on a fresh image, first boot? how crowded is your desktop? did you re-arange the icons somehow?

[diver]

It's a fresh image, but with my settings added via UserBuildConfig. Desktop is not crowded at all (see screenshot). First boot, yes. Looks like It doesn't matter if I re-arrange them or not. I'll try to reproduce it using nightly image.

[diver]

Yep, reproducible with ​http://haiku-files.org/vmware/haiku-r1a2-rc-r36511-x86gcc2hybrid-vmware.zip + above script + 48x48 icon size + VirtualBox. No need for Desktop.zip.

[diver]

Also reproducible with ​http://haiku-files.org/anyboot/haiku-r1a2-rc-r36542-x86gcc2hybrid-anyboot.zip + above script + 48x48 icon size + qemu.

[aldeck]

Tenacity pays! Finally found a reproducible testcase (still a bit random, but enough to work on it, here at least, real hardware)

Duplicating a file on desktop with alt+D many times (holding the key down) and alt+Z a few times. It seems it happens more often with iconsize 40 here, mysteriously. Been working on it a bit, will update you whether i find the problem/fix before going to sleep, otherwise go ahead Rene :)

[anevilyak]

Replying to aldeck:

Duplicating a file on desktop with alt+D many times (holding the key down) and alt+Z a few times. It seems it happens more often with iconsize 40 here, mysteriously. Been working on it a bit, will update you whether i find the problem/fix before going to sleep, otherwise go ahead Rene :)

Go for it, I've had very little success replicating it over here :)

[aldeck]

Spent many hours on it, but i must be on a wrong track and cant't seem to nail it down. Won't be able to work on it today and neither tomorrow probably. Considering its high priority, i don't feel like holding progress while i'm not on it, so i'm releasing the ticket if someone feels motivated. Will take it back when i'm really back at it, if no one else beat me to it that is :)

[aldeck]

Fixed in hrev36592. Please confirm :)

[diver]

Confirmed, no more crashes. Thanks a lot!