Bug 272543 - comms/gqrx: segfault on WFM
Summary: comms/gqrx: segfault on WFM
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Ganael LAPLANCHE
Reported: 2023-07-17 12:20 UTC by Edward Tomasz Napierala
Modified: 2023-11-14 11:11 UTC (History)
bugzilla: maintainer-feedback? (martymac)
Description Edward Tomasz Napierala freebsd_committer freebsd_triage 2023-07-17 12:20:52 UTC
With gqrx receiving from an RTL-SDR dongle, it crashes about a second after switching the demodulation from AM to WFM, either mono or stereo.
Comment 1 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-07-17 17:12:04 UTC
Hello!

Thanks for your report. I am currently AFK, I'll have a look at that ASAP.

Best regards,
Ganael
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-07-24 14:59:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ef05a498904a506f6cbdfe33613e7ae7b1acc909

commit ef05a498904a506f6cbdfe33613e7ae7b1acc909
Author:     Ganael LAPLANCHE <martymac@FreeBSD.org>
AuthorDate: 2023-07-24 14:52:39 +0000
Commit:     Ganael LAPLANCHE <martymac@FreeBSD.org>
CommitDate: 2023-07-24 14:58:43 +0000

    comms/gqrx: Always build with Qt5

    Gqrx crashes when built with Qt6, e.g. when selecting demodulator:

      0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
      1  0x000000080140edd9 in ?? () from /usr/local/lib/qt6/libQt6Gui.so.6
      2  0x0000000801416193 in QRasterPaintEngine::drawImage(QPointF const&, QImage const&) () from /usr/local/lib/qt6/libQt6Gui.so.6
      3  0x00000000003569ba in ?? ()
      4  0x0000000800b3c555 in QWidget::event(QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      5  0x0000000800bcf37b in QFrame::event(QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      6  0x0000000800ae943a in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      7  0x0000000800aea526 in QApplication::notify(QObject*, QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      8  0x0000000801cd3d43 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/local/lib/qt6/libQt6Core.so.6
      9  0x0000000800b2d681 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      10 0x0000000800b4d3ae in QWidgetRepaintManager::paintAndFlush() () from /usr/local/lib/qt6/libQt6Widgets.so.6
      11 0x0000000800b4d820 in QWidgetRepaintManager::sync() () from /usr/local/lib/qt6/libQt6Widgets.so.6
      12 0x0000000800b3c784 in QWidget::event(QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      13 0x0000000800c76a69 in QMainWindow::event(QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      14 0x0000000800ae943a in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      15 0x0000000800aea526 in QApplication::notify(QObject*, QEvent*) () from /usr/local/lib/qt6/libQt6Widgets.so.6
      16 0x0000000801cd3d43 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/local/lib/qt6/libQt6Core.so.6
      17 0x0000000801cd4e16 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/lib/qt6/libQt6Core.so.6
      18 0x0000000801f47578 in ?? () from /usr/local/lib/qt6/libQt6Core.so.6
      19 0x00000008034a7034 in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.0
      20 0x00000008034a7373 in ?? () from /usr/local/lib/libglib-2.0.so.0
      21 0x00000008034a7418 in g_main_context_iteration () from /usr/local/lib/libglib-2.0.so.0
      22 0x0000000801f46f89 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/lib/qt6/libQt6Core.so.6
      23 0x0000000801cdd407 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/lib/qt6/libQt6Core.so.6
      24 0x0000000801cd4491 in QCoreApplication::exec() () from /usr/local/lib/qt6/libQt6Core.so.6

    This patch avoids Qt6 detection. We will switch to Qt6 later, following
    comms/gnuradio dependency (that still depends on Qt5).

    PR:     272543
    Reported by:    trasz

 comms/gqrx/Makefile                         |  2 +-
 comms/gqrx/files/patch-CMakeLists.txt (new) | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
Comment 3 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-07-24 15:09:44 UTC
Hi Edward,

There are apparently multiple problems.

The first one is that the port is building against Qt6 if it is found on the machine, but gqrx is then unstable (and crashes when selecting the demodulator, even when DSP is off). This is probably *not* exactly related to what you found, but I've patched that first problem.

I am still investigating other crashes when switching demodulation modes with DSP on; it is not obvious as I get several different backtraces.

I'll let you know what I find, but I am currently on holidays, so don't expect that very soon, sorry, I'll do my best...

Meanwhile, can you tell me on what FreeBSD version you found the problem, please? Also, did you build the port yourself?

Best regards,

Ganael.
Comment 4 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-07-24 17:23:19 UTC
For the record, here are the different backtraces I get, with associated scenarios:

1) Start DSP with WFM (stereo), stop DSP then close gqrx:

Program terminated with signal SIGSEGV, Segmentation fault.
Address not mapped to object.
#0  _thr_mutex_destroy (mutex=0x80c24f890) at /usr/src/lib/libthr/thread/thr_mutex.c:489

warning: Source file is more recent than executable.
489                     if (PMUTEX_OWNER_ID(m) != 0 &&
[Current thread is 1 (LWP 102029)]
(gdb) bt
#0  _thr_mutex_destroy (mutex=0x80c24f890) at /usr/src/lib/libthr/thread/thr_mutex.c:489
#1  0x00000008028be9d9 in std::__1::__libcpp_mutex_destroy (__m=0x80c24f890) at /usr/src/contrib/llvm-project/libcxx/include/__threading_support:318
#2  std::__1::mutex::~mutex (this=0x80c24f890) at /usr/src/contrib/llvm-project/libcxx/src/mutex_destructor.cpp:46
#3  0x00000000002ebb86 in ?? ()
#4  0x00000000002ebbbe in ?? ()
#5  0x0000000801b9a915 in ?? () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#6  0x0000000801ba553b in gr::hier_block2_detail::disconnect_all() () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#7  0x0000000801b9d4f4 in gr::hier_block2::~hier_block2() () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#8  0x0000000801bbfbbe in gr::top_block::~top_block() () from /usr/local/lib/libgnuradio-runtime.so.3.8.4

2) Start DSP with WFM (stereo) then switch to AM:

Program terminated with signal SIGSEGV, Segmentation fault.
Address not mapped to object.
#0  free_tls (tcbalign=<optimized out>, tls=<optimized out>, tcbsize=<optimized out>) at /usr/src/libexec/rtld-elf/rtld.c:5478

warning: Source file is more recent than executable.
5478        dtv = ((Elf_Addr **)tls)[1];
[Current thread is 1 (LWP 102035)]
(gdb) bt
#0  free_tls (tcbalign=<optimized out>, tls=<optimized out>, tcbsize=<optimized out>) at /usr/src/libexec/rtld-elf/rtld.c:5478
#1  _rtld_free_tls (tcb=0x8120f6170, tcbsize=<optimized out>, tcbalign=<optimized out>) at /usr/src/libexec/rtld-elf/rtld.c:5605
#2  0x000000080259fef4 in _thr_free (curthread=curthread@entry=0x804412000, thread=0x812c0c000) at /usr/src/lib/libthr/thread/thr_list.c:200
#3  0x000000080259fe58 in _thr_gc (curthread=curthread@entry=0x804412000) at /usr/src/lib/libthr/thread/thr_list.c:130
#4  0x00000008025a0168 in _thr_alloc (curthread=0x804412000) at /usr/src/lib/libthr/thread/thr_list.c:142
#5  0x000000080259d20f in _pthread_create (thread=0x80c2d4da8, attr=0x0, start_routine=0x802577ce0, arg=0x80c2d4d80) at /usr/src/lib/libthr/thread/thr_create.c:80
#6  0x0000000802577c74 in boost::thread::start_thread_noexcept() () from /usr/local/lib/libboost_thread.so.1.82.0
#7  0x0000000801bccbe8 in ?? () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#8  0x0000000801bcc4dc in gr::thread::thread_group::create_thread(boost::function0<void> const&) () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#9  0x0000000801bba10a in gr::scheduler_tpb::scheduler_tpb(boost::shared_ptr<gr::flat_flowgraph>, int) () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#10 0x0000000801bb9aae in gr::scheduler_tpb::make(boost::shared_ptr<gr::flat_flowgraph>, int) () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#11 0x0000000801bc3977 in ?? () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#12 0x0000000801bc361e in gr::top_block_impl::start(int) () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#13 0x0000000801bbfd24 in gr::top_block::start(int) () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#14 0x00000000002be25e in ?? ()
#15 0x00000000002b0b63 in ?? ()
#16 0x0000000801a642d8 in ?? () from /usr/local/lib/qt5/libQt5Core.so.5
#17 0x00000000002a07ff in ?? ()
#18 0x00000000002a0e6e in ?? ()
#19 0x0000000801a64175 in ?? () from /usr/local/lib/qt5/libQt5Core.so.5
#20 0x0000000800b8d3a9 in ?? () from /usr/local/lib/qt5/libQt5Widgets.so.5
#21 0x0000000800b92709 in ?? () from /usr/local/lib/qt5/libQt5Widgets.so.5
#22 0x0000000801a642d8 in ?? () from /usr/local/lib/qt5/libQt5Core.so.5
#23 0x0000000800b9050c in QComboBoxPrivateContainer::eventFilter(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Widgets.so.5
#24 0x0000000801a2fd79 in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Core.so.5
#25 0x0000000800a9bcb4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Widgets.so.5
#26 0x0000000800a9ecc3 in QApplication::notify(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Widgets.so.5
#27 0x0000000801a2fa20 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Core.so.5
#28 0x0000000800a9c63c in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) () from /usr/local/lib/qt5/libQt5Widgets.so.5
#29 0x0000000800af2e98 in ?? () from /usr/local/lib/qt5/libQt5Widgets.so.5
#30 0x0000000800af18c1 in ?? () from /usr/local/lib/qt5/libQt5Widgets.so.5
#31 0x0000000800a9bcc9 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Widgets.so.5
#32 0x0000000800a9d0a0 in QApplication::notify(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Widgets.so.5
#33 0x0000000801a2fa20 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/local/lib/qt5/libQt5Core.so.5
#34 0x00000008010aa828 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) () from /usr/local/lib/qt5/libQt5Gui.so.5
#35 0x000000080108ed3c in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/lib/qt5/libQt5Gui.so.5
#36 0x0000000806949adf in ?? () from /usr/local/lib/qt5/libQt5XcbQpa.so.5
#37 0x000000080374a034 in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.0
#38 0x000000080374a373 in ?? () from /usr/local/lib/libglib-2.0.so.0
#39 0x000000080374a418 in g_main_context_iteration () from /usr/local/lib/libglib-2.0.so.0
#40 0x0000000801a85650 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/lib/qt5/libQt5Core.so.5
#41 0x0000000801a2c336 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/lib/qt5/libQt5Core.so.5
#42 0x0000000801a300be in QCoreApplication::exec() () from /usr/local/lib/qt5/libQt5Core.so.5

3) Start DSP with AM then switch to WFM (stereo). It works and crashes after a few seconds:

Program terminated with signal SIGSEGV, Segmentation fault.
Address not mapped to object.
#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306

warning: Source file is more recent than executable.
--Type <RET> for more, q to quit, c to continue without paging--
306             MEMMOVE erms=0 overlap=1 begin=MEMMOVE_BEGIN end=MEMMOVE_END
[Current thread is 1 (LWP 103762)]
(gdb) bt
#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
#1  0x00000000002eebda in ?? ()
#2  0x0000000801bbcae9 in gr::sync_block::general_work(int, std::__1::vector<int, std::__1::allocator<int> >&, std::__1::vector<void const*, std::__1::allocator<void const*> >&, std::__1::vector<void*, std::__1::allocator<void*> >&) ()
   from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#3  0x0000000801b7bfda in gr::block_executor::run_one_iteration() () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#4  0x0000000801bc5556 in gr::tpb_thread_body::tpb_thread_body(boost::shared_ptr<gr::block>, boost::shared_ptr<boost::barrier>, int) () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#5  0x0000000801bbbb18 in ?? () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#6  0x0000000801bbb97a in ?? () from /usr/local/lib/libgnuradio-runtime.so.3.8.4
#7  0x0000000802577d88 in ?? () from /usr/local/lib/libboost_thread.so.1.82.0
#8  0x000000080259da7a in thread_start (curthread=0x80c3f7d00) at /usr/src/lib/libthr/thread/thr_create.c:292

Stay tuned.

Best regards,

Ganael.
Comment 5 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-08-31 10:35:43 UTC
Hi Edward,

Digging into the problem, I could not reproduce the backtraces above.

The only one that remains for me (in Gqrx v2.16 and in master branch upstream) is the following:

Thread 14 received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
[Switching to LWP 105501 of process 12505]
memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
warning: Source file is more recent than executable.
306             MEMMOVE erms=0 overlap=1 begin=MEMMOVE_BEGIN end=MEMMOVE_END
(gdb) bt full
#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
No locals.
#1  0x00000000003446c5 in rx_meter_c::work (this=0x804bf2c00, noutput_items=512, input_items=std::vector of length 1 = {...}, output_items=std::vector of length 0) at /usr/ports/comms/gqrx/work/gqrx-2.16/src/dsp/rx_meter.cpp:73
        lock = {__m_ = @0x804bf2e40}
        in = 0x80df7b710
        items_to_copy = 512
#2  0x0000000801fe9c59 in gr::sync_block::general_work(int, std::__1::vector<int, std::__1::allocator<int> >&, std::__1::vector<void const*, std::__1::allocator<void const*> >&, std::__1::vector<void*, std::__1::allocator<void*> >&) ()
   from /usr/local/lib/libgnuradio-runtime.so.3.10.7

obtained when starting DSP with any of the 3 WFM modes.

It is related to the use of GNU Radio buffers (introduced in d3f42df upstream, so the last version *not* having any buffer-related problems in ports is v2.15.2).

I tried to use a fixed buffer size in src/dsp/rx_meter.cpp (inspired by commit 8d03fd1 upstream) and it fixed the problem (basically, I increased the number of items when calling gr::make_buffer()).

The patch probably requires more changes to have something clean, so I'll hand the problem to upstream so they can help us with that.

Best regards,

Ganael.
Comment 6 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-08-31 10:42:38 UTC
Problem reported upstream here: https://github.com/gqrx-sdr/gqrx/issues/1275
Comment 7 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-09-05 10:27:15 UTC
Hello,

We got a reply from the Gqrx dev and it seems the bug is not related to Gqrx itself but to GNU Radio.

I'll leave that PR open; we need to investigate further on the GNU Radio side...

Ganael.
Comment 8 commit-hook freebsd_committer freebsd_triage 2023-09-20 10:42:39 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=35f73836d156fc5bcec6eb9d8d3cd60c81c453af

commit 35f73836d156fc5bcec6eb9d8d3cd60c81c453af
Author:     Ganael LAPLANCHE <martymac@FreeBSD.org>
AuthorDate: 2023-09-20 10:28:48 +0000
Commit:     Ganael LAPLANCHE <martymac@FreeBSD.org>
CommitDate: 2023-09-20 10:28:48 +0000

    comms/gnuradio: Fix crash with GNU Radio buffers

    This patch is a backport of ca44241 from upstream:
    runtime: Use MAP_FIXED flag to ensure buffer halves are contiguous

    It fixes SIGSEGV observed with GNU Radio buffers consumers such as
    comms/gqrx.

    Discussed here:
      https://github.com/gqrx-sdr/gqrx/issues/1275
      https://github.com/gnuradio/gnuradio/pull/6854

    PR:     272543
    Reported by:    trasz
    Obtained from:  GNU Radio team (GH pull request: 6854)
    MFH:    2023Q3

 comms/gnuradio/Makefile                            |  2 +-
 ...io-runtime-lib-vmcircbuf_mmap_shm_open.cc (new) | 28 ++++++++++++++
 ...dio-runtime-lib-vmcircbuf_mmap_tmpfile.cc (new) | 44 ++++++++++++++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)
Comment 9 commit-hook freebsd_committer freebsd_triage 2023-09-20 10:46:40 UTC
A commit in branch 2023Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c89a246a7dfa8d60803076dfef09deab3c7a9ae7

commit c89a246a7dfa8d60803076dfef09deab3c7a9ae7
Author:     Ganael LAPLANCHE <martymac@FreeBSD.org>
AuthorDate: 2023-09-20 10:28:48 +0000
Commit:     Ganael LAPLANCHE <martymac@FreeBSD.org>
CommitDate: 2023-09-20 10:45:07 +0000

    comms/gnuradio: Fix crash with GNU Radio buffers

    This patch is a backport of ca44241 from upstream:
    runtime: Use MAP_FIXED flag to ensure buffer halves are contiguous

    It fixes SIGSEGV observed with GNU Radio buffers consumers such as
    comms/gqrx.

    Discussed here:
      https://github.com/gqrx-sdr/gqrx/issues/1275
      https://github.com/gnuradio/gnuradio/pull/6854

    PR:     272543
    Reported by:    trasz
    Obtained from:  GNU Radio team (GH pull request: 6854)
    MFH:    2023Q3

    (cherry picked from commit 35f73836d156fc5bcec6eb9d8d3cd60c81c453af)

 comms/gnuradio/Makefile                            |  2 +-
 ...io-runtime-lib-vmcircbuf_mmap_shm_open.cc (new) | 28 ++++++++++++++
 ...dio-runtime-lib-vmcircbuf_mmap_tmpfile.cc (new) | 44 ++++++++++++++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)
Comment 10 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-09-20 10:52:22 UTC
Hello Edward,

There was indeed a bug in GNU Radio buffer management. The port has been fixed using a backport of the patch available upstream.

Thanks again for your report!

Ganael.
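
The backported commit in comments 8 and 9 is titled "runtime: Use MAP_FIXED flag to ensure buffer halves are contiguous". As an added illustration (not part of this bug thread and not GNU Radio's code), the C sketch below builds a double-mapped ring buffer and shows that the address passed to mmap() is only a hint unless MAP_FIXED is set. The helper name, the temp-file path and the deliberately occupied target range are assumptions of this example.

```c
#define _XOPEN_SOURCE 700 /* mkstemp(), ftruncate() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper (not GNU Radio code): map `npages` pages of a temp
 * file twice, the second view requested directly after the first.
 * extra_flags is 0 (address is only a hint) or MAP_FIXED (address is binding).
 * Returns 1 if the halves are contiguous and aliased, 0 if not, -1 on error. */
int ring_halves_contiguous(size_t npages, int extra_flags)
{
    size_t size = npages * (size_t)sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/ring-demo-XXXXXX"; /* constructed name */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path); /* backing file disappears once the mappings are gone */
    if (ftruncate(fd, (off_t)(2 * size)) != 0) {
        close(fd);
        return -1;
    }
    /* Reserve 2*size of address space that this code owns. */
    char *base = mmap(NULL, 2 * size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (base == MAP_FAILED) {
        close(fd);
        return -1;
    }
    /* Second view of file offset 0, requested at base+size. The range is still
     * occupied, so a plain hint is not honored. MAP_FIXED replaces whatever is
     * mapped there, which is safe only because we reserved that range. */
    char *second = mmap(base + size, size, PROT_READ | PROT_WRITE,
                        MAP_SHARED | extra_flags, fd, 0);
    close(fd);
    if (second == MAP_FAILED) {
        munmap(base, 2 * size);
        return -1;
    }
    int ok = (second == base + size);
    if (ok) { /* a copy running past the first half must wrap to offset 0 */
        memcpy(base + size - 4, "ABCDEFGH", 8);
        ok = (memcmp(base, "EFGH", 4) == 0);
    } else {
        munmap(second, size); /* kernel placed the view somewhere else */
    }
    munmap(base, 2 * size);
    return ok;
}

int main(void)
{
    printf("hint only: %d, MAP_FIXED: %d\n",
           ring_halves_contiguous(1, 0), ring_halves_contiguous(1, MAP_FIXED));
}
```

A consumer that copies across the seam of such a ring relies on the second view being exactly at base+size; when it is not, the copy runs into memory that belongs to something else or to nothing at all.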
Comment 11 Edward Tomasz Napierala freebsd_committer freebsd_triage 2023-11-14 10:14:11 UTC
Hello.  Just tested it and it works perfectly.  Thank you :)
Comment 12 Ganael LAPLANCHE freebsd_committer freebsd_triage 2023-11-14 11:11:14 UTC
You're welcome :)
Thanks for the feedback!