Homebrew version of FreeCiv 2.6.0 crashes

You can get help here if Freeciv doesn't start on your computer, or if you keep getting fatal errors while playing etc.
tvleavitt
Posts: 6
Joined: Mon Jan 14, 2019 12:33 pm

Homebrew version of FreeCiv 2.6.0 crashes

Postby tvleavitt » Mon Jan 14, 2019 12:41 pm

I'm running OS X, Mojave, 10.14.12

I'm able to run the freeciv client, freeciv-gtk2, but as soon as I start a game (or right after, occasionally), it crashes out. The key here (which I've seen referenced in every crash, including crash reports submitted to Apple), is ERROR_CGDataProvider_BufferIsNotBigEnough

Here's the debug output:

Thomass-iMac:~ tvleavitt$ lldb /usr/local/bin/freeciv-gtk2
(lldb) target create "/usr/local/bin/freeciv-gtk2"
Current executable set to '/usr/local/bin/freeciv-gtk2' (x86_64).
(lldb) run
Process 14188 launched: '/usr/local/bin/freeciv-gtk2' (x86_64)
2019-01-14 04:06:54.812191-0800 freeciv-gtk2[14188:59883] no saved enable hardware sample rate converter preference found
2019-01-14 04:06:56.768299-0800 freeciv-gtk2[14188:59883] SecTaskLoadEntitlements failed error=22 cs_flags=20, pid=14188
2019-01-14 04:06:56.768373-0800 freeciv-gtk2[14188:59883] SecTaskCopyDebugDescription: freeciv-gtk2[14188]/0#-1 LF=0
2: Loading tileset "amplio2".
2: last message repeated 2 times
Process 14188 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x109c657ff)
frame #0: 0x00007fff3f78ef9b CoreGraphics`ERROR_CGDataProvider_BufferIsNotBigEnough + 43
CoreGraphics`ERROR_CGDataProvider_BufferIsNotBigEnough:
-> 0x7fff3f78ef9b <+43>: movb (%rax,%rcx), %al
0x7fff3f78ef9e <+46>: movb %al, -0x1(%rbp)
0x7fff3f78efa1 <+49>: addq $0x20, %rsp
0x7fff3f78efa5 <+53>: popq %rbp
Target 1: (freeciv-gtk2) stopped.

I dug around, and there's a discussion here:

https://forum.juce.com/t/crashes-with-j ... 2/29524/38

That seems to reference a similar issue, along with fixes, here:

https://github.com/WeAreROLI/JUCE/commi ... 7443de8081

Any insights?

tvleavitt
Posts: 6
Joined: Mon Jan 14, 2019 12:33 pm

Re: Homebrew version of FreeCiv 2.6.0 crashes

Postby tvleavitt » Mon Jan 14, 2019 12:50 pm


tvleavitt
Posts: 6
Joined: Mon Jan 14, 2019 12:33 pm

Re: Homebrew version of FreeCiv 2.6.0 crashes

Postby tvleavitt » Wed Jan 23, 2019 1:53 am

Speaking to someone at Apple:

So this CRASH location is actually a lot more prevalent than you may think. It occurs whenever a client uses a CGDataProvider to feed a CGImage and that CGDataProvider has been configured such that its “size” parameter is too big for the memory that is actually backing it. And I’m talking off-by-one here: even if the memory is one byte shorter than the size indicates, you can get this crash.

Now, the “client” in question may be another Apple library, or it may be the running application itself. I can’t really tell from the crashing snippet you’ve sent. But a common pattern leading to this bug is the client making certain assumptions about the memory layout of an image and those assumptions being incorrect. E.g. “this bitmap is 32-bits per pixel times 640 pixels, with 2-byte padding per row, times 640 rows” when the padding is wrong, or the image has no alpha channel, so each pixel is only 24-bits, or the width or height is wrong.

If you’re able to reproduce this bug on command, the best way to narrow down who is the responsible party is through a DTrace script. DTrace hooks into the running process and can log every time a function is called, its parameters, and (usually) its return value. Once I get to the office I can send you the script that helped figure out the issue in WebKit (which turned out to be a bug in CoreVideo.)

Here’s the Dtrace command I used to track down a similar crash in WebKit. Keep in mind that you’ll need to disable System Integrity Protection to use dtrace, since it requires kernel level privileges that are locked down when SIP is enabled. See: <https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html#//apple_ref/doc/uid/TP40016462-CH5-SW1>

sudo dtrace \
-n 'pid$target::CGDataProviderCreate*:return { printf("%p",arg1); ustack(20); }' \
-n 'pid$target::CGDataProviderCreateDirect:entry { printf("size: %d",arg1); ustack(20); }' \
-n 'pid$target::CGDataProviderCreateForDestination:entry { printf("src_provider: %p",arg4); ustack(20); }' \
-n 'pid$target::CGDataProviderGetSizeOfData:entry { printf("%p", arg0); }' \
-n 'pid$target::CGDataProviderGetSizeOfData:return { printf("%d", arg1); }' \
-n 'pid$target::CGDataProviderRetainBytePtr:entry { printf("%p", arg0); ustack(10); }' \
-n 'pid$target::CVPixelBuffer*:entry' \
-n 'pid$target::CVPixelBuffer*getBaseAddress*:return { printf("%p", arg1); }' \
-n 'pid$target::CVPixelBuffer*getDataSize*:return { printf("%d", arg1); }' \
-p $( pgrep WebContent )

You’ll need to replace the “-p $( pgrep WebContent )” line with your own process ID. This should show you the pointer value for every CGDataProvider created in that process, and should also show the size of the memory backing for each of those CGDataProviders. Once you have this data, you should be able to figure out who created the CGDataProvider that’s doing the crashing, what is the expected size of that data provider, etc.

Oh, one more piece of explanation. When CGDataProviderRetainBytePtr() is called, CoreGraphics will do two checks. It will attempt to read the first byte of the returned buffer, and then it will attempt to read the last byte in the returned buffer (basically, the pointer returned by CGDataProviderRetainBytePtr() + the size the provider was created with - 1 byte). That function which does the “read the last byte” check is called “ERROR_CGDataProvider_BufferIsNotBigEnough”, which is why your crash occurs there.

I'm happy to do the Dtrace mentioned.
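The following is an added example, not code from the thread, from Freeciv, or from Apple. It models the check described above (CoreGraphics reads the first byte of a provider's buffer and then the byte at pointer + size - 1) with a hypothetical `bitmap_provider` struct that tracks both the size a client declared and the size the allocation really has, so the "32-bit pixels, wrong padding" class of mismatch is caught as a refused retain instead of an out-of-bounds read. No CoreGraphics calls are made; every function name here is a stand-in.

```c
/* Added example, not code from the thread: a small model of the last-byte
 * probe CoreGraphics performs on a CGDataProvider's backing buffer.
 * All names are hypothetical stand-ins; nothing here calls CoreGraphics. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a CGDataProvider: the size the client declared and the size
 * the allocation really has. The real API only ever sees declared_size. */
typedef struct {
    const uint8_t *bytes;
    size_t declared_size;
    size_t actual_size;
} bitmap_provider;

/* Bytes a bitmap occupies: (width * bytes_per_pixel + row_padding) * height.
 * Returns 0 on arithmetic overflow so a wrapped value is never trusted. */
size_t bitmap_required_bytes(size_t width, size_t height,
                             size_t bytes_per_pixel, size_t row_padding)
{
    if (bytes_per_pixel != 0 && width > SIZE_MAX / bytes_per_pixel) return 0;
    size_t row = width * bytes_per_pixel;
    if (row > SIZE_MAX - row_padding) return 0;
    row += row_padding;
    if (height != 0 && row > SIZE_MAX / height) return 0;
    return row * height;
}

/* The last-byte probe: the provider is usable only if
 * bytes[declared_size - 1] lies inside the real allocation.
 * A declared size that is one byte too large already fails. */
int provider_last_byte_in_bounds(const bitmap_provider *p)
{
    if (p->bytes == NULL || p->declared_size == 0) return 0;
    return p->declared_size <= p->actual_size;
}

/* Stand-in for CGDataProviderRetainBytePtr: returns 0 and the last byte on
 * a consistent provider, -1 (instead of reading out of bounds) otherwise. */
int provider_read_last_byte(const bitmap_provider *p, uint8_t *out)
{
    if (!provider_last_byte_in_bounds(p)) return -1;
    *out = p->bytes[p->declared_size - 1];
    return 0;
}

/* Allocates actual_bytes, wraps it in a provider claiming declared_bytes and
 * reports 1 if the retain would succeed, 0 if it would be the crash above. */
int retain_would_be_safe(size_t actual_bytes, size_t declared_bytes)
{
    uint8_t *buf = calloc(actual_bytes ? actual_bytes : 1, 1);
    if (buf == NULL) return 0;
    bitmap_provider p = { buf, declared_bytes, actual_bytes };
    uint8_t last = 0;
    int ok = provider_read_last_byte(&p, &last) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed sample: 640x480 stored as 24-bit RGB with no row padding,
     * while the client assumes 32-bit RGBA (the mismatch described above). */
    size_t actual = bitmap_required_bytes(640, 480, 3, 0);
    size_t assumed = bitmap_required_bytes(640, 480, 4, 0);
    printf("actual=%zu assumed=%zu safe=%d\n", actual, assumed,
           retain_would_be_safe(actual, assumed));
    printf("off by one: safe=%d\n", retain_would_be_safe(actual, actual + 1));
    printf("exact: safe=%d\n", retain_would_be_safe(actual, actual));
    return 0;
}
```

The point of `bitmap_required_bytes` is that the declared size should be derived from the same width, height, bytes-per-pixel and padding that produced the allocation; computing it twice from different assumptions is exactly how the off-by-one (or off-by-a-row) arises.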

tvleavitt
Posts: 6
Joined: Mon Jan 14, 2019 12:33 pm

Re: Homebrew version of FreeCiv 2.6.0 crashes

Postby tvleavitt » Fri Jan 25, 2019 3:59 am

Here's the dtrace output (last part of it at least). I clicked "Start" on the Tutorial scenario, and briefly saw something flash by, before the thing segfaulted. I have no way of interpreting this, or telling if this is useful enough to do anything with, or if I need to provide more output. I can repeat this at any time, and it always crashes (in this path) at the same point.

2 322688 CGDataProviderRetainBytePtr:entry 7ff6c077d9a0
CoreGraphics`CGDataProviderRetainBytePtr
CoreGraphics`CGDataProviderDirectGetBytesAtPositionInternal+0x47
CoreGraphics`provider_for_destination_get_bytes_at_position_inner+0x19d
CoreGraphics`CGDataProviderDirectGetBytesAtPositionInternal+0x103
CoreGraphics`get_chunks_direct+0xe8
CoreGraphics`img_raw_read+0x59a
CoreGraphics`img_data_lock+0x1f14
CoreGraphics`CGSImageDataLock+0x4c1
CoreGraphics`RIPImageDataInitializeShared+0xcc
CoreGraphics`RIPImageCacheGetRetained+0x29b

dtrace: error on enabled probe ID 12 (ID 322193: pid1892:CoreGraphics:CGDataProviderCreateWithData:return): invalid address (0x60) in action #2
dtrace: error on enabled probe ID 21 (ID 322684: pid1892:CoreGraphics:CGDataProviderCreateDirect:entry): invalid address (0x60) in action #2
dtrace: error on enabled probe ID 19 (ID 322186: pid1892:CoreGraphics:CGDataProviderCreateDirect:return): invalid address (0x60) in action #2
dtrace: error on enabled probe ID 11 (ID 322194: pid1892:CoreGraphics:CGDataProviderCreateWithDataInternal:return): invalid address (0x60) in action #2
2 322686 CGDataProviderGetSizeOfData:entry 7ff6c37a1e70
2 322687 CGDataProviderGetSizeOfData:return 165888
dtrace: error on enabled probe ID 22 (ID 322685: pid1892:CoreGraphics:CGDataProviderCreateForDestination:entry): invalid address (0x60) in action #2
2 322686 CGDataProviderGetSizeOfData:entry 7ff6c37a1e70
2 322687 CGDataProviderGetSizeOfData:return 165888
dtrace: error on enabled probe ID 15 (ID 322190: pid1892:CoreGraphics:CGDataProviderCreateDirectWithInternalCallbacks:return): invalid address (0x60) in action #2
dtrace: error on enabled probe ID 13 (ID 322192: pid1892:CoreGraphics:CGDataProviderCreateForDestination:return): invalid address (0x60) in action #2
2 322688 CGDataProviderRetainBytePtr:entry 7ff6c37a1e70
CoreGraphics`CGDataProviderRetainBytePtr
CoreGraphics`CGDataProviderRetainData+0x45
CoreGraphics`CGAccessSessionCreate+0x62
CoreGraphics`img_data_lock+0xacb
CoreGraphics`CGSImageDataLock+0x4c1
CoreGraphics`RIPImageDataInitializeShared+0xcc
CoreGraphics`RIPImageCacheGetRetained+0x29b
CoreGraphics`ripc_AcquireRIPImageData+0x143
CoreGraphics`ripc_DrawImage+0x382
CoreGraphics`CGContextDelegateDrawImage+0x2f

dtrace: pid 1892 has exited

[1]+ Segmentation fault: 11 freeciv-gtk2
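As an added example (not part of the thread), here is a small reader for the probe lines in dtrace output of the shape shown above: it pairs each CGDataProviderGetSizeOfData:entry pointer with the size printed by the following :return, skips ustack frames and "dtrace: error" lines, and reports which CGDataProviderRetainBytePtr:entry calls hit a provider whose size was never captured (in the output above, that is the retain on 7ff6c077d9a0, which happens before any size is reported, while 7ff6c37a1e70 has a recorded size of 165888). The line layout (cpu, probe id, probe:action, printf argument) is assumed from the post; the sample log is constructed from its lines, and the function names are hypothetical.

```c
/* Added example, not code from the thread: summarises dtrace probe lines of
 * the form "cpu id probe:action arg" from the output above. Names are
 * hypothetical; the sample log below is constructed from the post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PROVIDERS 64

typedef struct {
    char ptr[32];
    long size;            /* -1 until a GetSizeOfData:return is seen */
} provider_record;

typedef struct {
    provider_record seen[MAX_PROVIDERS];
    int nseen;
    int retains_total;    /* RetainBytePtr:entry lines */
    int retains_unsized;  /* ...whose pointer had no recorded size */
} dtrace_summary;

static provider_record *find_provider(dtrace_summary *s, const char *ptr, int add)
{
    for (int i = 0; i < s->nseen; i++)
        if (strcmp(s->seen[i].ptr, ptr) == 0) return &s->seen[i];
    if (!add || s->nseen == MAX_PROVIDERS) return NULL;
    provider_record *r = &s->seen[s->nseen++];
    snprintf(r->ptr, sizeof r->ptr, "%s", ptr);
    r->size = -1;
    return r;
}

/* Walks the log line by line; ustack frames and "dtrace: error" lines do not
 * match the "cpu id probe:action arg" shape and are skipped. */
dtrace_summary summarize_dtrace_log(const char *log)
{
    dtrace_summary s;
    char pending[32] = "";  /* pointer from the last GetSizeOfData:entry */
    memset(&s, 0, sizeof s);
    while (*log) {
        const char *nl = strchr(log, '\n');
        size_t len = nl ? (size_t)(nl - log) : strlen(log);
        char line[256], probe[64], action[16], arg[32];
        int cpu, id;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, log, len);
        line[len] = '\0';
        if (sscanf(line, "%d %d %63[^:]:%15s %31s",
                   &cpu, &id, probe, action, arg) == 5) {
            if (strcmp(probe, "CGDataProviderGetSizeOfData") == 0) {
                if (strcmp(action, "entry") == 0) {
                    snprintf(pending, sizeof pending, "%s", arg);
                } else if (strcmp(action, "return") == 0 && pending[0]) {
                    provider_record *r = find_provider(&s, pending, 1);
                    if (r) r->size = atol(arg);
                    pending[0] = '\0';
                }
            } else if (strcmp(probe, "CGDataProviderRetainBytePtr") == 0 &&
                       strcmp(action, "entry") == 0) {
                provider_record *r = find_provider(&s, arg, 0);
                s.retains_total++;
                if (r == NULL || r->size < 0) s.retains_unsized++;
            }
        }
        if (!nl) break;
        log = nl + 1;
    }
    return s;
}

/* Size recorded for a provider pointer, or -1 if none was captured. */
long dtrace_size_for_pointer(const char *log, const char *ptr)
{
    dtrace_summary s = summarize_dtrace_log(log);
    provider_record *r = find_provider(&s, ptr, 0);
    return r ? r->size : -1;
}

int dtrace_count_retains(const char *log) { return summarize_dtrace_log(log).retains_total; }
int dtrace_count_unsized_retains(const char *log) { return summarize_dtrace_log(log).retains_unsized; }

/* Constructed sample: probe lines and noise taken from the post, trimmed. */
const char *SAMPLE_DTRACE_LOG =
    "2 322688 CGDataProviderRetainBytePtr:entry 7ff6c077d9a0\n"
    "CoreGraphics`CGDataProviderRetainBytePtr\n"
    "CoreGraphics`img_raw_read+0x59a\n"
    "dtrace: error on enabled probe ID 21 (ID 322684: pid1892:CoreGraphics:CGDataProviderCreateDirect:entry): invalid address (0x60) in action #2\n"
    "2 322686 CGDataProviderGetSizeOfData:entry 7ff6c37a1e70\n"
    "2 322687 CGDataProviderGetSizeOfData:return 165888\n"
    "2 322688 CGDataProviderRetainBytePtr:entry 7ff6c37a1e70\n"
    "CoreGraphics`CGDataProviderRetainData+0x45\n";

int main(void)
{
    dtrace_summary s = summarize_dtrace_log(SAMPLE_DTRACE_LOG);
    printf("retains=%d unsized=%d\n", s.retains_total, s.retains_unsized);
    for (int i = 0; i < s.nseen; i++)
        printf("provider %s size %ld\n", s.seen[i].ptr, s.seen[i].size);
    return 0;
}
```

A retain on a pointer with no recorded size is the one to look at first: in the output above, the creation probes all failed with "invalid address (0x60) in action #2", so the sizes of providers created in that process were never printed, which is why the size and the creator of 7ff6c077d9a0 are both unknown here.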