TokTok / c-toxcore

The future of online communications.
https://tox.chat
GNU General Public License v3.0

Segfault from toxav_call_control with invalid Messenger friendlist #1658

Open anthonybilinski opened 4 years ago

anthonybilinski commented 4 years ago

I've only seen this when two friends are clicking the call button in qTox as fast as they can at the same time, which translates to both friends calling toxav_call and toxav_call_control in rapid succession.

The full backtrace:

#0  friend_not_valid (m=0x555556965000, friendnumber=2) at ../toxcore/Messenger.c:50                                                                                                                       
#1  0x00007ffff62b7402 in write_cryptpacket_id (m=0x555556965000, friendnumber=2, packet_id=69 'E', data=0x7fffffffc870 "\001\001\002", length=4, congestion_control=0 '\000')
    at ../toxcore/Messenger.c:968
#2  0x00007ffff62b9030 in m_msi_packet (m=0x555556965000, friendnumber=2, data=0x7fffffffc870 "\001\001\002", length=4) at ../toxcore/Messenger.c:1803
#3  0x00007ffff62ced5e in send_message (m=0x555556965000, friend_number=2, msg=0x7fffffffc9b0) at ../toxav/msi.c:467
#4  0x00007ffff62ce303 in msi_hangup (call=0x555556965010) at ../toxav/msi.c:241
#5  0x00007ffff62d36e9 in toxav_call_control (av=0x5555568a1150, friend_number=2, control=TOXAV_CALL_CONTROL_CANCEL, error=0x0) at ../toxav/toxav.c:471

In frame 0 the friendlist is:

(gdb) p m
$12 = (const Messenger *) 0x555556965000
(gdb) p m->friendlist
$13 = (Friend *) 0x18

I don't think qTox is corrupting the tox struct because it looks like we're properly mutex protecting its access.

The issue is easily reproducible in about 10s of spam clicking on both sides. It seems like about half the time both friends crash and half only one of them crashes.

I wasn't able to reproduce it switching windows between two profiles locally, so if someone needs help reproing let me know.

zoff99 commented 4 years ago

@anthonybilinski it's the known crash in friend_not_valid() reported a long time ago. Can you please try to compile qTox with: https://github.com/TokTok/c-toxcore/pull/1431 and see if the bug still persists?

zoff99 commented 4 years ago

1431 will be merged as soon as its review is complete.

anthonybilinski commented 4 years ago

I still hit a segfault using #1431 but with a different backtrace:

(gdb) bt                                                                                                                                                                                                   
#0  __GI___pthread_mutex_trylock (mutex=0x3200000043) at ../nptl/pthread_mutex_trylock.c:42                                                                                                                
#1  0x00007ffff62c9dbf in msi_hangup (call=0x5555579b64f0) at ../toxav/msi.c:257
#2  0x00007ffff62d0464 in toxav_call_control (av=0x555556737800, friend_number=2, control=TOXAV_CALL_CONTROL_CANCEL, error=0x0) at ../toxav/toxav.c:554

zoff99 commented 4 years ago

@anthonybilinski can you also upload the stacktrace of the other threads please?

zoff99 commented 4 years ago

Also, does qTox lock ToxAV API calls against each other? ToxAV is not thread safe.

anthonybilinski commented 4 years ago

Still using #1431, no other threads are in toxcore, but one thread that has something to do with audio in qTox:

Thread 25 (Thread 0x7fff909bf700 (LWP 12870)):
#0  futex_wait_cancelable (private=<optimized out>, expected=0, futex_word=0x5555565aad00) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x5555565aacb0, cond=0x5555565aacd8) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x5555565aacd8, mutex=0x5555565aacb0) at pthread_cond_wait.c:638
#3  0x00007ffff4e0ab0f in QWaitCondition::wait(QMutex*, QDeadlineTimer) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#4  0x00007ffff4e0ac01 in QWaitCondition::wait(QMutex*, unsigned long) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#5  0x00007ffff4e057a6 in  () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#6  0x00007ffff4e05af6 in  () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#7  0x00007ffff4e06358 in QReadWriteLock::tryLockForRead(int) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8  0x00005555558143e0 in QReadLocker::relock() (this=0x7fff909bddc0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qreadwritelock.h:106
#9  0x00005555558144b4 in QReadLocker::QReadLocker(QReadWriteLock*) (this=0x7fff909bddc0, areadWriteLock=0x5555567fe5f0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qreadwritelock.h:125
#10 0x0000555555811521 in CoreAV::sendCallAudio(unsigned int, short const*, unsigned long, unsigned char, unsigned int) const (this=0x5555567fe560, callId=2, pcm=0x555556ab8e00, samples=960, chans=2 '\002', rate=48000) at ../src/core/coreav.cpp:334
#11 0x0000555555833eaf in ToxFriendCall::<lambda(const int16_t*, size_t, uint8_t, uint32_t)>::operator()(const int16_t *, size_t, uint8_t, uint32_t) const (__closure=0x555556958f20, pcm=0x555556ab8e00, samples=960, chans=2 '\002', rate=48000) at ../src/core/toxcall.cpp:128
#12 0x000055555583717f in QtPrivate::FunctorCall<QtPrivate::IndexesList<0, 1, 2, 3>, QtPrivate::List<short int const*, long unsigned int, unsigned char, unsigned int>, void, ToxFriendCall::ToxFriendCall(uint32_t, bool, CoreAV&, IAudioControl&)::<lambda(const int16_t*, size_t, uint8_t, uint32_t)> >::call(ToxFriendCall::<lambda(const int16_t*, size_t, uint8_t, uint32_t)> &, void **) (f=..., arg=0x7fff88002ee0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:146
#13 0x0000555555836ceb in QtPrivate::Functor<ToxFriendCall::ToxFriendCall(uint32_t, bool, CoreAV&, IAudioControl&)::<lambda(const int16_t*, size_t, uint8_t, uint32_t)>, 4>::call<QtPrivate::List<short const*, unsigned long, unsigned char, unsigned int>, void>(ToxFriendCall::<lambda(const int16_t*, size_t, uint8_t, uint32_t)> &, void *, void **) (f=..., arg=0x7fff88002ee0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:256
#14 0x00005555558364bd in QtPrivate::QFunctorSlotObject<ToxFriendCall::ToxFriendCall(uint32_t, bool, CoreAV&, IAudioControl&)::<lambda(const int16_t*, size_t, uint8_t, uint32_t)>, 4, QtPrivate::List<short int const*, long unsigned int, unsigned char, unsigned int>, void>::impl(int, QtPrivate::QSlotObjectBase *, QObject *, void **, bool *) (which=1, this_=0x555556958f10, r=0x55555696f4d0, a=0x7fff88002ee0, ret=0x0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:439
#15 0x00007ffff4ff8d5a in QObject::event(QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#16 0x00007ffff5ba7a66 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#17 0x00007ffff5bb10f0 in QApplication::notify(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#18 0x00007ffff4fcc93a in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#19 0x00007ffff4fcf5b8 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#20 0x00007ffff5024f67 in  () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#21 0x00007ffff387cfbd in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007ffff387d240 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007ffff387d2e3 in g_main_context_iteration () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007ffff5024565 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#25 0x00007ffff4fcb4db in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#26 0x00007ffff4e03785 in QThread::exec() () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#27 0x00007ffff4e049d2 in  () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#28 0x00007ffff365d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#29 0x00007ffff485c103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7fffe8cd5100 (LWP 12841)):
#0  __GI___pthread_mutex_trylock (mutex=0x3200000043) at ../nptl/pthread_mutex_trylock.c:42
#1  0x00007ffff62c9dbf in msi_hangup (call=0x5555579b64f0) at ../toxav/msi.c:257
#2  0x00007ffff62d0464 in toxav_call_control (av=0x555556737800, friend_number=2, control=TOXAV_CALL_CONTROL_CANCEL, error=0x0) at ../toxav/toxav.c:554
#3  0x00005555558111b7 in CoreAV::cancelCall(unsigned int) (this=0x5555567fe560, friendNum=2) at ../src/core/coreav.cpp:299
#4  0x000055555591b987 in ChatForm::onCallTriggered() (this=0x555556f3c670) at ../src/widget/form/chatform.cpp:383
#5  0x0000555555922e2e in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (ChatForm::*)()>::call(void (ChatForm::*)(), ChatForm*, void**) (f=(void (ChatForm::*)(class ChatForm * const)) 0x55555591b8fa <ChatForm::onCallTriggered()>, o=0x555556f3c670, arg=0x7fffffffcc80) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:152
#6  0x0000555555922587 in QtPrivate::FunctionPointer<void (ChatForm::*)()>::call<QtPrivate::List<>, void>(void (ChatForm::*)(), ChatForm*, void**) (f=(void (ChatForm::*)(class ChatForm * const)) 0x55555591b8fa <ChatForm::onCallTriggered()>, o=0x555556f3c670, arg=0x7fffffffcc80) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:185
#7  0x0000555555921a5c in QtPrivate::QSlotObject<void (ChatForm::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x555557accf80, r=0x555556f3c670, a=0x7fffffffcc80, ret=0x0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:414
#8  0x00007ffff4ff8458 in QMetaObject::activate(QObject*, int, int, void**) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#9  0x00005555557c8428 in ChatFormHeader::callTriggered() (this=0x5555579997e0) at qtox_static_autogen/WFD7YQQOTJ/moc_chatformheader.cpp:212
#10 0x00005555558fff14 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (ChatFormHeader::*)()>::call(void (ChatFormHeader::*)(), ChatFormHeader*, void**) (f=(void (ChatFormHeader::*)(class ChatFormHeader * const)) 0x5555557c83ec <ChatFormHeader::callTriggered()>, o=0x5555579997e0, arg=0x7fffffffcee0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:152
#11 0x00005555558ffc11 in QtPrivate::FunctionPointer<void (ChatFormHeader::*)()>::call<QtPrivate::List<>, void>(void (ChatFormHeader::*)(), ChatFormHeader*, void**) (f=(void (ChatFormHeader::*)(class ChatFormHeader * const)) 0x5555557c83ec <ChatFormHeader::callTriggered()>, o=0x5555579997e0, arg=0x7fffffffcee0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:185
#12 0x00005555558ff866 in QtPrivate::QSlotObject<void (ChatFormHeader::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x5555579c8850, r=0x5555579997e0, a=0x7fffffffcee0, ret=0x0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:414
#13 0x00007ffff4ff8458 in QMetaObject::activate(QObject*, int, int, void**) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#14 0x00007ffff5c9c806 in QAbstractButton::clicked(bool) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#15 0x00007ffff5c9ca2e in  () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#16 0x00007ffff5c9de73 in  () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#17 0x00007ffff5c9e035 in QAbstractButton::mouseReleaseEvent(QMouseEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#18 0x00007ffff5bea2b6 in QWidget::event(QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#19 0x00007ffff5ba7a66 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#20 0x00007ffff5bb1343 in QApplication::notify(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#21 0x00007ffff4fcc93a in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#22 0x00007ffff5bb0457 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#23 0x00007ffff5c0635d in  () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff5c091ec in  () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff5ba7a66 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff5bb10f0 in QApplication::notify(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff4fcc93a in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#28 0x00007ffff55767d3 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#29 0x00007ffff557810b in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#30 0x00007ffff555235b in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#31 0x00007fffe861532e in  () at /usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#32 0x00007ffff387cfbd in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#33 0x00007ffff387d240 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#34 0x00007ffff387d2e3 in g_main_context_iteration () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#35 0x00007ffff5024565 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#36 0x00007ffff4fcb4db in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#37 0x00007ffff4fd3246 in QCoreApplication::exec() () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#38 0x00005555557ac7b1 in main(int, char**) (argc=1, argv=0x7fffffffdf68) at ../src/main.cpp:441

There's another bunch of threads waiting in Qt, but none seem at all relevant.

Yes, qTox locks all accesses, which is why Thread 25 is currently waiting before calling toxav_audio_send_frame.

zoff99 commented 4 years ago

I still hit a segfault using #1431 but with a different backtrace:

(gdb) bt                                                                                                                                                                                                   
#0  __GI___pthread_mutex_trylock (mutex=0x3200000043) at ../nptl/pthread_mutex_trylock.c:42                                                                                                                
#1  0x00007ffff62c9dbf in msi_hangup (call=0x5555579b64f0) at ../toxav/msi.c:257
#2  0x00007ffff62d0464 in toxav_call_control (av=0x555556737800, friend_number=2, control=TOXAV_CALL_CONTROL_CANCEL, error=0x0) at ../toxav/toxav.c:554

why does it crash at https://github.com/zoff99/c-toxcore/blob/zoff99/toxav_public_api_part_009_big_change/toxav/msi.c#L257 ? call and mutex seem to be valid.

zoff99 commented 4 years ago

Could be a lurking issue in ToxAV; there are many of those. Maybe as a workaround don't allow "calling toxav_call and toxav_call_control in rapid succession".

anthonybilinski commented 4 years ago

session is invalid in that context:

(gdb) frame
#1  0x00007ffff62c9dbf in msi_hangup (call=0x5555579b64f0) at ../toxav/msi.c:257
257         if (pthread_mutex_trylock(session->mutex) != 0) {
(gdb) p *session
Cannot access memory at address 0x3200000023

So the lock just causes the crash because it's dereferencing the already invalid variable.
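
The crash in this thread comes from msi_hangup dereferencing a call whose session pointer is already garbage. Below is an added example, not toxcore's own code, of one defensive pattern that turns that dangling dereference into a clean error: the client is given an opaque handle (friend number plus a generation counter) instead of a raw call pointer, and every control operation re-looks the call up in a table under the session lock. Names such as MSISession, MSICall, CallHandle, msi_invite, msi_hangup and the MSIError values are simplified stand-ins chosen for this illustration and are not the real toxav API; MAX_FRIENDS is an assumed table size.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_FRIENDS 8   /* assumed table size for the example */

typedef struct MSICall {
    uint32_t friend_number;
    uint32_t generation;   /* incarnation of the slot this call belongs to */
} MSICall;

typedef struct MSISession {
    pthread_mutex_t mutex;              /* guards calls[] and generation[] */
    MSICall *calls[MAX_FRIENDS];        /* NULL when there is no call with that friend */
    uint32_t generation[MAX_FRIENDS];   /* bumped every time a slot is torn down */
} MSISession;

/* Handed to the client instead of a raw MSICall pointer. */
typedef struct CallHandle {
    uint32_t friend_number;
    uint32_t generation;
} CallHandle;

typedef enum {
    MSI_OK = 0,
    MSI_ERR_NO_SESSION,
    MSI_ERR_NOMEM,
    MSI_ERR_FRIEND_NOT_FOUND,   /* friend_number outside the table */
    MSI_ERR_ALREADY_IN_CALL,
    MSI_ERR_NO_CALL,            /* slot already empty: nothing to hang up */
    MSI_ERR_STALE_HANDLE        /* handle belongs to an earlier, torn-down call */
} MSIError;

MSISession *msi_session_new(void) {
    MSISession *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    if (pthread_mutex_init(&s->mutex, NULL) != 0) { free(s); return NULL; }
    return s;
}

void msi_session_free(MSISession *s) {
    if (s == NULL) return;
    for (uint32_t i = 0; i < MAX_FRIENDS; ++i) free(s->calls[i]);
    pthread_mutex_destroy(&s->mutex);
    free(s);
}

/* Start a call with friend_number; on success *out receives the handle. */
MSIError msi_invite(MSISession *s, uint32_t friend_number, CallHandle *out) {
    if (s == NULL) return MSI_ERR_NO_SESSION;
    if (friend_number >= MAX_FRIENDS) return MSI_ERR_FRIEND_NOT_FOUND;
    pthread_mutex_lock(&s->mutex);
    MSIError err = MSI_OK;
    MSICall *c = NULL;
    if (s->calls[friend_number] != NULL) {
        err = MSI_ERR_ALREADY_IN_CALL;
    } else if ((c = calloc(1, sizeof *c)) == NULL) {
        err = MSI_ERR_NOMEM;
    } else {
        c->friend_number = friend_number;
        c->generation = s->generation[friend_number];
        s->calls[friend_number] = c;
        out->friend_number = friend_number;
        out->generation = c->generation;
    }
    pthread_mutex_unlock(&s->mutex);
    return err;
}

/* Hang up / cancel. The call is looked up in the table under the session lock
 * instead of being dereferenced from a client-held pointer, so a second cancel,
 * or a cancel with a handle from an earlier call with the same friend, is
 * refused rather than touching freed memory. */
MSIError msi_hangup(MSISession *s, CallHandle h) {
    if (s == NULL) return MSI_ERR_NO_SESSION;
    if (h.friend_number >= MAX_FRIENDS) return MSI_ERR_FRIEND_NOT_FOUND;
    pthread_mutex_lock(&s->mutex);
    MSIError err = MSI_OK;
    MSICall *c = s->calls[h.friend_number];
    if (c == NULL) {
        err = MSI_ERR_NO_CALL;
    } else if (c->generation != h.generation) {
        err = MSI_ERR_STALE_HANDLE;
    } else {
        s->calls[h.friend_number] = NULL;  /* unlink before releasing */
        s->generation[h.friend_number]++;  /* outstanding handles are now stale */
        free(c);
    }
    pthread_mutex_unlock(&s->mutex);
    return err;
}

/* Replays the rapid call/cancel sequence from the report; returns 0 when every
 * step produced the expected result. */
int demo_rapid_cancel(void) {
    MSISession *s = msi_session_new();
    if (s == NULL) return -1;
    CallHandle h1 = {0, 0}, h2 = {0, 0};
    int ok = 1;
    ok = ok && msi_invite(s, 2, &h1) == MSI_OK;
    ok = ok && msi_hangup(s, h1) == MSI_OK;                /* first cancel */
    ok = ok && msi_hangup(s, h1) == MSI_ERR_NO_CALL;       /* second cancel, slot empty */
    ok = ok && msi_invite(s, 2, &h2) == MSI_OK;            /* new call, same friend */
    ok = ok && msi_hangup(s, h1) == MSI_ERR_STALE_HANDLE;  /* old handle refused */
    ok = ok && msi_hangup(s, h2) == MSI_OK;
    msi_session_free(s);
    return ok ? 0 : 1;
}
```

The two properties that matter are that the table, not the caller, owns the call memory, and that the generation counter is bumped under the same lock that frees the slot, so a handle captured before a teardown can never resolve to a newer call with the same friend number. This only holds if every API entry point takes the session mutex; it is not a substitute for the caller serialising its own ToxAV calls, which the thread notes qTox already does.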

iphydf commented 2 years ago

Does this still happen?

n4skx commented 8 months ago

Yes, this bug still happens.

For me, the circumstances are similar: a friend calls you multiple times and you reject a call twice, then qTox crashes.

Backtrace:

#0  ___pthread_mutex_trylock (mutex=0x7ff89bf75496) at ./nptl/pthread_mutex_trylock.c:33                                                                      
#1  0x00007ffff59555ab in msi_hangup () at /usr/local/lib/libtoxcore.so.2                                                                                     
#2  0x00007ffff595ac33 in call_control_handle_cancel () at /usr/local/lib/libtoxcore.so.2                                                                     
#3  0x00007ffff595aecc in call_control_handle () at /usr/local/lib/libtoxcore.so.2                                                                            
#4  0x00007ffff595af8e in call_control () at /usr/local/lib/libtoxcore.so.2                                                                                   
#5  0x00007ffff595afca in toxav_call_control () at /usr/local/lib/libtoxcore.so.2                                                                             
#6  0x00005555555cd915 in CoreAV::cancelCall(unsigned int) (this=0x555556928cc0, friendNum=0) at /home/user/Vulns/qTox/src/core/coreav.cpp:320                                                                                                                                                                               
#7  0x000055555566c292 in Widget::onRejectCall(unsigned int) (this=0x555556604370, friendId=0) at /home/user/Vulns/qTox/src/widget/widget.cpp:1156                                                                                                                                                                                                                                          
#8  0x00005555556a4aa7 in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<unsigned int>, void, void (Widget::*)(unsigned int)>::call(void (Widget::*)(unsigned int), Widget*, void**)                                                                                                                                                                                     
    (f=(void (Widget::*)(class Widget * const, unsigned int)) 0x55555566c24c <Widget::onRejectCall(unsigned int)>, o=0x555556604370, arg=0x7fffffffcb20) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:152                                                                                                                                                                 
#9  0x000055555569ef3a in QtPrivate::FunctionPointer<void (Widget::*)(unsigned int)>::call<QtPrivate::List<unsigned int>, void>(void (Widget::*)(unsigned int), Widget*, void**)                                                                                                                                                                                                            
    (f=(void (Widget::*)(class Widget * const, unsigned int)) 0x55555566c24c <Widget::onRejectCall(unsigned int)>, o=0x555556604370, arg=0x7fffffffcb20) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:185                                                                                                  
#10 0x0000555555697c0c in QtPrivate::QSlotObject<void (Widget::*)(unsigned int), QtPrivate::List<unsigned int>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x555556f46160, r=0x555556604370, a=0x7fffffffcb20, ret=0x0)                                                          
    at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:418                                                                                        
#11 0x00007ffff4ae8f4f in  () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                                        
#12 0x00005555556c77d7 in ChatForm::rejectCall(unsigned int) (this=0x555556a61ee0, _t1=0) at /home/user/Vulns/qTox/qtox_static_autogen/SLJ37JTCO3/moc_chatform.cpp:392                                                                                                                                                                                                                      
#13 0x00005555557c0a69 in ChatForm::onRejectCallTriggered() (this=0x555556a61ee0) at /home/user/Vulns/qTox/src/widget/form/chatform.cpp:415                                                                                                                                                                                                                                                 
#14 0x00005555556a4e94 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (ChatForm::*)()>::call(void (ChatForm::*)(), ChatForm*, void**)                                                                                                                                                     
    (f=(void (ChatForm::*)(class ChatForm * const)) 0x5555557c0a06 <ChatForm::onRejectCallTriggered()>, o=0x555556a61ee0, arg=0x7fffffffcce0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:152                                                                                                                                                                            
#15 0x000055555569f1c7 in QtPrivate::FunctionPointer<void (ChatForm::*)()>::call<QtPrivate::List<>, void>(void (ChatForm::*)(), ChatForm*, void**)                                                                                                                                                                                                                                          
    (f=(void (ChatForm::*)(class ChatForm * const)) 0x5555557c0a06 <ChatForm::onRejectCallTriggered()>, o=0x555556a61ee0, arg=0x7fffffffcce0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:185                                                                                                                                                                            
#16 0x0000555555698088 in QtPrivate::QSlotObject<void (ChatForm::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x555556eb7d00, r=0x555556a61ee0, a=0x7fffffffcce0, ret=0x0)                                                                                                                                               
    at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:418                                                                                                                                                                                                                                                       
#17 0x00007ffff4ae8f4f in  () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                                                                                                                                                                                                       
#18 0x00005555556c5008 in ChatFormHeader::callRejected() (this=0x555556eaaf20) at /home/user/Vulns/qTox/qtox_static_autogen/WFD7YQQOTJ/moc_chatformheader.cpp:254                                                                                                                                                                                                                           
#19 0x00005555557a3098 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (ChatFormHeader::*)()>::call(void (ChatFormHeader::*)(), ChatFormHeader*, void**)                                                                                                                                                                                                  
    (f=(void (ChatFormHeader::*)(class ChatFormHeader * const)) 0x5555556c4fd0 <ChatFormHeader::callRejected()>, o=0x555556eaaf20, arg=0x7fffffffcec0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:152                                                                                                                                                                   
#20 0x00005555557a2cfd in QtPrivate::FunctionPointer<void (ChatFormHeader::*)()>::call<QtPrivate::List<>, void>(void (ChatFormHeader::*)(), ChatFormHeader*, void**)                                                                                                                                                                                                                        
    (f=(void (ChatFormHeader::*)(class ChatFormHeader * const)) 0x5555556c4fd0 <ChatFormHeader::callRejected()>, o=0x555556eaaf20, arg=0x7fffffffcec0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:185                                                                                                                                                                   
#21 0x00005555557a28fa in QtPrivate::QSlotObject<void (ChatFormHeader::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x555556701940, r=0x555556eaaf20, a=0x7fffffffcec0, ret=0x0)                                                                                                                                         
    at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:418                                                                                                                        
#22 0x00007ffff4ae8f4f in  () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                                                                        
#23 0x00005555556d0482 in CallConfirmWidget::rejected() (this=0x555556666650) at /home/user/Vulns/qTox/qtox_static_autogen/WBKIXDY36D/moc_callconfirmwidget.cpp:157                                                                                                                                                                                                                         
#24 0x00005555558490ed in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (CallConfirmWidget::*)()>::call(void (CallConfirmWidget::*)(), CallConfirmWidget*, void**)                                                                                                                                                                                         
    (f=(void (CallConfirmWidget::*)(class CallConfirmWidget * const)) 0x5555556d044a <CallConfirmWidget::rejected()>, o=0x555556666650, arg=0x7fffffffd0a0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:152                                                                                                                                                              
#25 0x0000555555848fd8 in QtPrivate::FunctionPointer<void (CallConfirmWidget::*)()>::call<QtPrivate::List<>, void>(void (CallConfirmWidget::*)(), CallConfirmWidget*, void**)                                                                                                                                                                                                               
    (f=(void (CallConfirmWidget::*)(class CallConfirmWidget * const)) 0x5555556d044a <CallConfirmWidget::rejected()>, o=0x555556666650, arg=0x7fffffffd0a0) at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:185                                                                                                                                                              
#26 0x0000555555848ea2 in QtPrivate::QSlotObject<void (CallConfirmWidget::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (which=1, this_=0x5555566445c0, r=0x555556666650, a=0x7fffffffd0a0, ret=0x0)                                                                                                                                      
    at /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:418                                                                                                                        
#27 0x00007ffff4ae8f4f in  () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                                                                        
#28 0x00007ffff78fe860 in  () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                                                     
#29 0x00007ffff4ae8f7c in  () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                                                                        
#30 0x00007ffff7854fc2 in QAbstractButton::clicked(bool) () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                       
#31 0x00007ffff785522a in  () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                                                     
#32 0x00007ffff7856db8 in  () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                                                     
#33 0x00007ffff7856fd7 in QAbstractButton::mouseReleaseEvent(QMouseEvent*) () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                     
#34 0x00007ffff77a4db8 in QWidget::event(QEvent*) () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                              
#35 0x00007ffff7762fae in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                
#36 0x00007ffff776b552 in QApplication::notify(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                              
#37 0x00007ffff4ab16f8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                    
#38 0x00007ffff776965e in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                                                                                                                         
#39 0x00007ffff77bdbd8 in  () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                                                     
#40 0x00007ffff77c0f60 in  () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                                                                     
#41 0x00007ffff7762fae in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5                                                                
#42 0x00007ffff4ab16f8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                    
#43 0x00007ffff513d3ed in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) () at /lib/x86_64-linux-gnu/libQt5Gui.so.5                                                                                                                                                                                                                                  
#44 0x00007ffff5111cac in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib/x86_64-linux-gnu/libQt5Gui.so.5                                                                                                                                                                                                                                  
#45 0x00007fffe58fbeca in  () at /lib/x86_64-linux-gnu/libQt5XcbQpa.so.5                                                                                                                      
#46 0x00007ffff3d557a9 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0                                                                                                
#47 0x00007ffff3d55a38 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0                                                                                                                       
#48 0x00007ffff3d55acc in g_main_context_iteration () at /lib/x86_64-linux-gnu/libglib-2.0.so.0                                                                                               
#49 0x00007ffff4b09836 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                                                                                                                                                                                            
#50 0x00007ffff4ab017b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                 
#51 0x00007ffff4ab82d6 in QCoreApplication::exec() () at /lib/x86_64-linux-gnu/libQt5Core.so.5                                                                                                
#52 0x00005555555b3a78 in AppManager::run() (this=0x7fffffffdf40) at /home/user/Vulns/qTox/src/appmanager.cpp:403                                                                             
#53 0x00005555555b004a in main(int, char**) (argc=1, argv=0x7fffffffe0b8) at /home/user/Vulns/qTox/src/main.cpp:28                                                                            
#54 0x00007ffff464624a in __libc_start_call_main (main=main@entry=0x5555555afff9 <main(int, char**)>, argc=argc@entry=1, argv=argv@entry=0x7fffffffe0b8) at ../sysdeps/nptl/libc_start_call_main.h:58                                                                                                                                                                                       
#55 0x00007ffff4646305 in __libc_start_main_impl (main=0x5555555afff9 <main(int, char**)>, argc=1, argv=0x7fffffffe0b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe0a8) at ../csu/libc-start.c:360                                                                                                                                         
#56 0x00005555555aff31 in _start ()                                                            

Call stack:

   0   0x7ffff46ac173 pthread_mutex_trylock+19
   1   0x7ffff59555ab msi_hangup+68
   2   0x7ffff595ac33 call_control_handle_cancel+49
   3   0x7ffff595aecc call_control_handle+100
   4   0x7ffff595af8e call_control+129
   5   0x7ffff595afca toxav_call_control+58
   6   0x5555555cd915 CoreAV::cancelCall(unsigned int)+329
   7   0x55555566c292 Widget::onRejectCall(unsigned int)+70

Frame:

#0  ___pthread_mutex_trylock (mutex=0x7ff89bf75496) at ./nptl/pthread_mutex_trylock.c:33
33      in ./nptl/pthread_mutex_trylock.c

zoff99 commented 8 months ago

@n4skx does this only happen with qTox (which is archived on GitHub: https://github.com/qTox/qTox) or also with qTox_enhanced (https://github.com/Zoxcore/qTox_enhanced)? Both qTox versions have some issues and should be used only with caution.

n4skx commented 8 months ago

I did not test with qTox_enhanced; I will test tomorrow.