SerenityOS / serenity

The Serenity Operating System 🐞
https://serenityos.org
BSD 2-Clause "Simplified" License

Buggy behavior with Assistant #11766

Closed stefanos82 closed 2 years ago

stefanos82 commented 2 years ago

Thanks to @AtkinsSJ, who taught me Ctrl+Space / Win+Space to start Assistant, I managed to crash it with a simple step: open Assistant with the aforementioned hotkeys and don't type anything in it; just left-click on the desktop surface with your mouse and it crashes immediately.

24.092 Assistant(37:37): Started thread "", tid = 38
24.175 [#0 Assistant(37:38)]: Unable to allocate 131080, expanding kmalloc heap
24.175 [#0 Assistant(37:38)]: Adding kmalloc subheap @ 0xc3400000 with size 1048576
24.227 [#0 Assistant(37:38)]: Unable to allocate 131080, expanding kmalloc heap
24.227 [#0 Assistant(37:38)]: Adding kmalloc subheap @ 0xc3500000 with size 1048576
24.279 [#0 Assistant(37:38)]: Unable to allocate 131080, expanding kmalloc heap
24.279 [#0 Assistant(37:38)]: Adding kmalloc subheap @ 0xc3600000 with size 1048576
24.318 [#0 Assistant(37:38)]: Unrecoverable page fault, write to address V0xa5a5a5a1
24.318 [#0 Assistant(37:38)]: Terminating Assistant(37) due to signal 11
24.324 [#0 FinalizerTask(4:4)]: 0xdeadc0de  Kernel::Processor::switch_context(Kernel::Thread*&, Kernel::Thread*&) + 0x31e
0xdeadc0de  Kernel::Scheduler::context_switch(Kernel::Thread*) [clone .localalias] + 0x222
0xdeadc0de  Kernel::Scheduler::pick_next() [clone .localalias] + 0x1df
0xdeadc0de  Kernel::Processor::check_invoke_scheduler() [clone .localalias] + 0x175
0xdeadc0de  Kernel::Thread::die_if_needed() [clone .localalias] + 0x40d
0xdeadc0de  Kernel::Thread::send_urgent_signal_to_self(unsigned char) + 0x274
0xdeadc0de  Kernel::handle_crash(Kernel::RegisterState const&, char const*, int, bool) [clone .localalias] + 0x3ac
0xdeadc0de  page_fault_handler + 0xe15
0xdeadc0de  page_fault_asm_entry + 0x26
0x26e4c38a  /bin/Assistant: .text + 0xa38a
0x26e4c60e  /bin/Assistant: .text + 0xa60e
0x2c2bbc15  libthreading.so.serenity: .text + 0xc15
0x2c2bc5f5  libthreading.so.serenity: .text + 0x15f5
0x1eec4876  libpthread.so: .text + 0x876

24.334 [#0 FinalizerTask(4:4)]: 0xdeadc0de  Kernel::Processor::switch_context(Kernel::Thread*&, Kernel::Thread*&) + 0x31e
0xdeadc0de  Kernel::Scheduler::context_switch(Kernel::Thread*) [clone .localalias] + 0x222
0xdeadc0de  Kernel::Scheduler::pick_next() [clone .localalias] + 0x1df
0xdeadc0de  Kernel::Processor::check_invoke_scheduler() [clone .localalias] + 0x175
0xdeadc0de  Kernel::Thread::die_if_needed() [clone .localalias] + 0x40d
0xdeadc0de  syscall_handler + 0x13a4
0xdeadc0de  syscall_asm_entry + 0x31
0x3cea110f  libc.so: .text + 0x2f10f
0x3e0ab637  libgfx.so.serenity: .text + 0x5637
0x554ec6bc  libgui.so.serenity: .text + 0x1b6bc
0x554ec7dc  libgui.so.serenity: .text + 0x1b7dc
0x3584d2a5  libcore.so.serenity: .text + 0x312a5
0x555f1398  libgui.so.serenity: .text + 0x120398
0x55552ce6  libgui.so.serenity: .text + 0x81ce6
0x554dce7d  libgui.so.serenity: .text + 0xbe7d
0x555ca239  libgui.so.serenity: .text + 0xf9239
0x555ba563  libgui.so.serenity: .text + 0xe9563
0x555ba68c  libgui.so.serenity: .text + 0xe968c
0x3584d2a5  libcore.so.serenity: .text + 0x312a5
0x555f1398  libgui.so.serenity: .text + 0x120398
0x55552d17  libgui.so.serenity: .text + 0x81d17
0x3584d2a5  libcore.so.serenity: .text + 0x312a5
0x556024f1  libgui.so.serenity: .text + 0x1314f1
0x5560265c  libgui.so.serenity: .text + 0x13165c
0x3584e0a7  libcore.so.serenity: .text + 0x320a7
0x358311db  libcore.so.serenity: .text + 0x151db
0x554f0de3  libgui.so.serenity: .text + 0x1fde3
0x554f106c  libgui.so.serenity: .text + 0x2006c
0x26e4da17  /bin/Assistant: .text + 0xba17
0x26e43198  /bin/Assistant: .text + 0x1198
0x26e4331d  /bin/Assistant: .text + 0x131d

24.345 [#0 FinalizerTask(4:4)]: Generating coredump for pid: 37
24.522 CrashDaemon(9:9): New coredump file: /tmp/coredump/Assistant_37_1641740228
24.641 CrashReporter(39:39): Started thread "", tid = 40
27.048 CrashReporter(39:40): Generating backtrace took 2406 ms
27.048 CrashReporter(39:40): --- Backtrace for thread #0 (TID 37) ---
27.048 CrashReporter(39:40): 0x36cb002e: [libsystem.so] syscall2 +0xe (syscall.cpp:25 => syscall.cpp:24)
27.048 CrashReporter(39:40): 0x3cea110e: [libc.so] munmap +0x1e (syscall.h:35 => mman.cpp:52)
27.048 CrashReporter(39:40): 0x3e0ab636: [libgfx.so.serenity] Gfx::Bitmap::~Bitmap() +0x76 (Bitmap.cpp:475)
27.048 CrashReporter(39:40): 0x554ec6bb: [libgui.so.serenity] GUI::Action::~Action() +0x1ab (RefCounted.h:70 => RefCounted.h:62 => NonnullRefPtr.h:38 => RefPtr.h:218 => RefPtr.h:104 => Action.cpp:113)
27.053 CrashReporter(39:40): 0x554ec7db: [libgui.so.serenity] GUI::Action::~Action() +0x1b (Action.cpp:113)
27.053 CrashReporter(39:40): 0x3584d2a4: [libcore.so.serenity] Core::Object::~Object() +0x164 (RefCounted.h:70 => NonnullRefPtr.h:38 => NonnullRefPtr.h:99 => Vector.h:353 => Vector.h:342 => Vector.h:101 => NonnullPtrVector.h:14 => NonnullRefPtrVector.h:15 => Object.cpp:56)
27.056 CrashReporter(39:40): 0x555f1397: [libgui.so.serenity] GUI::Widget::~Widget() +0x117 (Widget.cpp:188)
27.056 CrashReporter(39:40): 0x55552ce5: [libgui.so.serenity] GUI::Frame::~Frame() +0x25 (Frame.cpp:38)
27.056 CrashReporter(39:40): 0x554dce7c: [libgui.so.serenity] GUI::AbstractScrollableWidget::~AbstractScrollableWidget() +0x9c (AbstractScrollableWidget.cpp:42)
27.056 CrashReporter(39:40): 0x555ca238: [libgui.so.serenity] GUI::TextEditor::~TextEditor() +0x818 (TextEditor.cpp:73)
27.056 CrashReporter(39:40): 0x555ba562: [libgui.so.serenity] GUI::TextBox::~TextBox() +0x182 (TextBox.cpp:24)
27.060 CrashReporter(39:40): 0x555ba68b: [libgui.so.serenity] GUI::TextBox::~TextBox() [clone .localalias] +0x1b (TextBox.cpp:24)
27.060 CrashReporter(39:40): 0x3584d2a4: [libcore.so.serenity] Core::Object::~Object() +0x164 (RefCounted.h:70 => NonnullRefPtr.h:38 => NonnullRefPtr.h:99 => Vector.h:353 => Vector.h:342 => Vector.h:101 => NonnullPtrVector.h:14 => NonnullRefPtrVector.h:15 => Object.cpp:56)
27.064 CrashReporter(39:40): 0x555f1397: [libgui.so.serenity] GUI::Widget::~Widget() +0x117 (Widget.cpp:188)
27.064 CrashReporter(39:40): 0x55552d16: [libgui.so.serenity] GUI::Frame::~Frame() +0x26 (Frame.cpp:38)
27.064 CrashReporter(39:40): 0x3584d2a4: [libcore.so.serenity] Core::Object::~Object() +0x164 (RefCounted.h:70 => NonnullRefPtr.h:38 => NonnullRefPtr.h:99 => Vector.h:353 => Vector.h:342 => Vector.h:101 => NonnullPtrVector.h:14 => NonnullRefPtrVector.h:15 => Object.cpp:56)
27.064 CrashReporter(39:40): 0x556024f0: [libgui.so.serenity] GUI::Window::~Window() +0x5a0 (Window.cpp:99)
27.068 CrashReporter(39:40): 0x5560265b: [libgui.so.serenity] GUI::Window::~Window() +0x1b (Window.cpp:99)
27.068 CrashReporter(39:40): 0x3584e0a6: [libcore.so.serenity] Core::DeferredInvocationEvent::~DeferredInvocationEvent() +0x96 (RefCounted.h:70 => NonnullRefPtr.h:38 => NonnullRefPtr.h:99 => Object.cpp:173 => Function.h:139 => Function.h:156 => Function.h:206 => Function.h:61 => Event.h:50)
27.072 CrashReporter(39:40): 0x358311da: [libcore.so.serenity] Core::EventLoop::~EventLoop() +0x8a (NonnullOwnPtr.h:147 => NonnullOwnPtr.h:54 => EventLoop.cpp:807 => Vector.h:353 => Vector.h:342 => Vector.h:101 => EventLoop.cpp:304)
27.072 CrashReporter(39:40): 0x554f0de2: [libgui.so.serenity] GUI::Application::~Application() +0x2a2 (OwnPtr.h:108 => OwnPtr.h:44 => Application.cpp:115)
27.072 CrashReporter(39:40): 0x554f106b: [libgui.so.serenity] GUI::Application::~Application() [clone .localalias] +0x1b (Application.cpp:115)
27.076 CrashReporter(39:40): 0x26e4da16: [/bin/Assistant] AK::RefCounted<Core::Object>::unref() const [clone .isra.0] +0x36 (RefCounted.h:70)
27.076 CrashReporter(39:40): 0x26e43197: [/bin/Assistant] main +0x867 (NonnullRefPtr.h:38 => NonnullRefPtr.h:99 => main.cpp:324)
27.076 CrashReporter(39:40): 0x26e4331c: [/bin/Assistant] _entry +0x5c (crt0.cpp:46)
27.199 CrashReporter(39:40): Generating backtrace took 48 ms
27.203 CrashReporter(39:40): --- Backtrace for thread #1 (TID 38) ---
27.203 CrashReporter(39:40): 0x26e468eb: [/bin/Assistant] auto Assistant::FileProvider::build_filesystem_cache()::{lambda(auto:1&)#1}::operator()<Threading::BackgroundAction<int> >(Threading::BackgroundAction<int>&) const [clone .constprop.0] +0x5ab (RefPtr.h:60 => String.h:57 => Vector.h:532 => Vector.h:241 => Providers.cpp:191)
27.203 CrashReporter(39:40): 0x26e4c389: [/bin/Assistant] Threading::BackgroundAction<int>::BackgroundAction(AK::Function<int (Threading::BackgroundAction<int>&)>, AK::Function<void (int)>)::{lambda()#1}::operator()() const +0x89 (Function.h:151 => Function.h:91)
27.207 CrashReporter(39:40): 0x26e4c60d: [/bin/Assistant] AK::Function<void ()>::CallableWrapper<Threading::BackgroundAction<int>::BackgroundAction(AK::Function<int (Threading::BackgroundAction<int>&)>, AK::Function<void (int)>)::{lambda()#1}>::call() +0x1d (Function.h:151)
27.207 CrashReporter(39:40): 0x2c2bbc14: [libthreading.so.serenity] background_thread_func() +0x5d4 (Function.h:91)
27.207 CrashReporter(39:40): 0x2c2bc5f4: [libthreading.so.serenity] Threading::Thread::start()::{lambda(void*)#1}::_FUN(void*) +0x54 (Function.h:91)
27.207 CrashReporter(39:40): 0x1eec4875: [libpthread.so] pthread_create_helper +0x35 (pthread.cpp:48)
47.286 Taskbar(23:23): ShutdownDialog(0x00281fa0): Quit event loop with result 0
47.286 Taskbar(23:23): ShutdownDialog(0x00281fa0): Event loop returned with result 0
47.334 [#0 shutdown(41:41)]: acquiring FS locks...
47.334 [#0 shutdown(41:41)]: syncing mounted filesystems...
47.334 [#0 shutdown(41:41)]: attempting system shutdown...

Rummskartoffel commented 2 years ago

Seems like you don't even need to open it with the keyboard shortcut, opening it through the start menu also works.

stefanos82 commented 2 years ago

> Seems like you don't even need to open it with the keyboard shortcut, opening it through the start menu also works.

The discussion I started in Discord was about existing hotkeys found in SerenityOS so I could use Assistant without depending on start menu to open it; thus the bug discovery by accident.

Rummskartoffel commented 2 years ago

I phrased my comment badly; what I meant was that the crash seems to happen regardless of how you opened Assistant.

stefanos82 commented 2 years ago

> I phrased my comment badly; what I meant was that the crash seems to happen regardless of how you opened Assistant.

Ah that's good to know.

Rummskartoffel commented 2 years ago

After investigating a bit, I think what's happening here is that the background job in FileProvider::build_filesystem_cache() is still running after the main thread has exited and tries to access the main thread's freed memory. I don't know how to fix that, though.
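The lifetime problem described in the comment above (a background job that outlives the main thread's objects and writes into memory that has already been freed; the faulting address 0xa5a5a5a1 in the log is a repeated fill byte, which is consistent with a write into scrubbed, freed memory) can be modelled and defended against in plain C++. The following is an added example, not Assistant's or SerenityOS's own code: it uses `std::thread`, `std::weak_ptr` and `std::atomic` in place of LibThreading and AK types, and the names `FilesystemCache`, `FileProviderJob` and `JobExit` are invented for the illustration. It shows the two defences that matter here: the worker never assumes its owner is alive (it re-validates a weak reference on every step), and the owner always stops and joins the worker before it is allowed to go away.

```cpp
#include <atomic>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Constructed stand-in for the cache the main thread owns and a background job fills.
// The Assistant names are borrowed only for illustration; this is not the project's code.
struct FilesystemCache {
    std::mutex mutex;
    std::vector<std::string> paths;
};

enum class JobExit { Running, Stopped, OwnerGone };

// The hazard from the report, shown as a type only and never run here: a worker that
// keeps a raw pointer to main-thread state keeps writing through it after the owner
// has freed the cache, i.e. a use-after-free on whatever thread runs the job.
struct UnsafeCacheBuilder {
    FilesystemCache* cache; // dangling once the owner frees the cache
};

// Defensive shape: weak reference re-validated on every step, plus stop-and-join
// in the destructor so the job can never outlive the object that started it.
class FileProviderJob {
public:
    explicit FileProviderJob(std::weak_ptr<FilesystemCache> cache)
        : m_cache(std::move(cache)) {}
    ~FileProviderJob() { request_stop(); join(); }

    void start() { m_thread = std::thread([this] { run(); }); }
    void request_stop() { m_stop.store(true); }
    void join() { if (m_thread.joinable()) m_thread.join(); }
    JobExit exit_reason() const { return m_exit.load(); }
    size_t entries_written() const { return m_written.load(); }

private:
    void run() {
        size_t i = 0;
        while (!m_stop.load()) {
            // Promote weak -> strong for just this step. lock() returns null once the
            // owner has dropped its last strong reference, so the job bails out instead
            // of touching freed memory. If the owner resets during a step, the step still
            // holds a strong reference and the cache is freed safely when it ends.
            std::shared_ptr<FilesystemCache> cache = m_cache.lock();
            if (!cache) {
                m_exit.store(JobExit::OwnerGone);
                return;
            }
            std::lock_guard<std::mutex> lock(cache->mutex);
            cache->paths.push_back("/constructed/entry/" + std::to_string(i++));
            m_written.store(i);
        }
        m_exit.store(JobExit::Stopped);
    }

    std::weak_ptr<FilesystemCache> m_cache;
    std::atomic<bool> m_stop { false };
    std::atomic<JobExit> m_exit { JobExit::Running };
    std::atomic<size_t> m_written { 0 };
    std::thread m_thread;
};

// Scenario 1: orderly shutdown. The owner stops and joins the job before the cache is
// destroyed, so nothing is left running when main returns.
JobExit shutdown_with_join() {
    auto cache = std::make_shared<FilesystemCache>();
    FileProviderJob job(cache);
    job.start();
    job.request_stop();
    job.join();
    return job.exit_reason(); // JobExit::Stopped
}

// Scenario 2: the situation in the crash report. The owner's state disappears while
// the job is still running; the job notices on its next step and exits cleanly.
JobExit owner_destroyed_mid_run() {
    auto cache = std::make_shared<FilesystemCache>();
    FileProviderJob job(cache);
    job.start();
    cache.reset(); // last strong reference on the "main thread" goes away
    job.join();    // the job exits because m_cache.lock() now fails
    return job.exit_reason(); // JobExit::OwnerGone
}
```

The two scenarios correspond to the two fixes a maintainer would choose between: either make the application's teardown wait for (or cancel) outstanding background actions before tearing down the objects they write into, or make the background action hold ownership that is checked each time it touches shared state. Scenario 2 is the one that matches the log: with a raw pointer it is a write into freed memory; with a weak reference it is a clean early exit.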