fabmax / physx-jni

Java JNI bindings for Nvidia PhysX
MIT License
85 stars, 8 forks

Segmentation fault on Linux #61

Closed astro-angelfish closed 9 months ago

astro-angelfish commented 11 months ago

The original issue is https://github.com/haubna/PhysicsMod/issues/709, but since it is a problem at the JNI level, I guess I should report the problem here.

The trace from gdb is below:

pwndbg> conti
Continuing.
[New Thread 0x7ffe4e8fc6c0 (LWP 7728)]
[Thread 0x7ffe4e8fc6c0 (LWP 7728) exited]
[10:56:44] [Render thread/WARN]: Received passengers for unknown entity
[10:56:47] [Render thread/WARN]: Received passengers for unknown entity
[10:56:53] [Render thread/WARN]: Received passengers for unknown entity

Thread 2 "Render thread" received signal SIGSEGV, Segmentation fault.
0x00007ffef9ee9cbc in physx::NpRigidDynamic::wakeUp() () from /tmp/de.fabmax.physx-jni/2.1.0-pre1/libPhysXJniBindings_64.so
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────────
*RAX  0x0
*RBX  0x7ffed99b3370 —▸ 0x7ffff79ef738 —▸ 0x7ffff6a1eda0 ◂— endbr64 
*RCX  0x7ffed99e8b70 ◂— 0xffffffff00000024 /* '$' */
*RDX  0x7ffff3f38080 —▸ 0x7ffefa1e2c70 (vtable for physx::NpRigidDynamic+16) —▸ 0x7ffef9ee74f0 (physx::NpRigidDynamic::release()) ◂— push r15
*RDI  0x7ffff3f38080 —▸ 0x7ffefa1e2c70 (vtable for physx::NpRigidDynamic+16) —▸ 0x7ffef9ee74f0 (physx::NpRigidDynamic::release()) ◂— push r15
*RSI  0x7ffff7bd8c80 —▸ 0x66d027fb8 ◂— 0x12e9f8a219
*R8   0x2
*R9   0x0
*R10  0x7fffe10c2df9 ◂— vzeroupper  /* 0xc2df9ba4977f8c5 */
*R11  0x7fffe10c2dc0 ◂— mov dword ptr [rsp - 0x14000], eax /* 0x55fffec000248489 */
 R12  0x0
*R13  0x7ffff7bd8ca8 —▸ 0x7ffff3f38080 —▸ 0x7ffefa1e2c70 (vtable for physx::NpRigidDynamic+16) —▸ 0x7ffef9ee74f0 (physx::NpRigidDynamic::release()) ◂— push r15
*R14  0x7ffff7bd8c80 —▸ 0x66d027fb8 ◂— 0x12e9f8a219
 R15  0x7ffff001ade0 —▸ 0x7ffff79386d8 —▸ 0x7ffff6c5c570 ◂— endbr64 
*RBP  0x7ffff7bd8c90 —▸ 0x7ffff7bd8d00 —▸ 0x6629349a0 ◂— 0x31 /* '1' */
*RSP  0x7ffff7bd8c40 —▸ 0x7ffefa1e2c70 (vtable for physx::NpRigidDynamic+16) —▸ 0x7ffef9ee74f0 (physx::NpRigidDynamic::release()) ◂— push r15
*RIP  0x7ffef9ee9cbc (physx::NpRigidDynamic::wakeUp()+28) ◂— movss xmm0, dword ptr [rax + 0x1cb0]
───────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────────
 ► 0x7ffef9ee9cbc <physx::NpRigidDynamic::wakeUp()+28>                      movss  xmm0, dword ptr [rax + 0x1cb0]
   0x7ffef9ee9cc4 <physx::NpRigidDynamic::wakeUp()+36>                      add    rdi, 0x50
   0x7ffef9ee9cc8 <physx::NpRigidDynamic::wakeUp()+40>                      mov    esi, 1
   0x7ffef9ee9ccd <physx::NpRigidDynamic::wakeUp()+45>                      pop    rax
   0x7ffef9ee9cce <physx::NpRigidDynamic::wakeUp()+46>                      jmp    physx::Sc::BodyCore::setWakeCounter(float, bool)@plt                <physx::Sc::BodyCore::setWakeCounter(float, bool)@plt>
    ↓
   0x7ffef9c7cb50 <physx::Sc::BodyCore::setWakeCounter(float, bool)@plt>    jmp    qword ptr [rip + 0x574252]    <physx::Sc::BodyCore::setWakeCounter(float, bool)>
    ↓
   0x7ffef9f94f70 <physx::Sc::BodyCore::setWakeCounter(float, bool)>        push   rbp
   0x7ffef9f94f71 <physx::Sc::BodyCore::setWakeCounter(float, bool)+1>      push   rbx
   0x7ffef9f94f72 <physx::Sc::BodyCore::setWakeCounter(float, bool)+2>      push   rax
   0x7ffef9f94f73 <physx::Sc::BodyCore::setWakeCounter(float, bool)+3>      movss  dword ptr [rdi + 0x9c], xmm0
   0x7ffef9f94f7b <physx::Sc::BodyCore::setWakeCounter(float, bool)+11>     mov    rbx, qword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffff7bd8c40 —▸ 0x7ffefa1e2c70 (vtable for physx::NpRigidDynamic+16) —▸ 0x7ffef9ee74f0 (physx::NpRigidDynamic::release()) ◂— push r15
01:0008│     0x7ffff7bd8c48 —▸ 0x7fffe10c2e71 ◂— vzeroupper  /* 0x37487c74177f8c5 */
02:0010│     0x7ffff7bd8c50 —▸ 0x7ffff7bd8cc0 —▸ 0x7ffed99b32c0 ◂— 0x9ed01ffb1001db8
03:0018│     0x7ffff7bd8c58 —▸ 0x7fffdfd54479 ◂— mov rsp, qword ptr [rbp - 0x10] /* 0xf045c748f0658b48 */
04:0020│     0x7ffff7bd8c60 ◂— 0x1c
05:0028│     0x7ffff7bd8c68 ◂— 0x8
06:0030│     0x7ffff7bd8c70 —▸ 0x6629349a0 ◂— 0x31 /* '1' */
07:0038│     0x7ffff7bd8c78 ◂— 0x7ffff7bd8c78
───────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x7ffef9ee9cbc physx::NpRigidDynamic::wakeUp()+28
   f 1   0x7fffe10c2e71
   f 2   0x7ffff7bd8cc0
   f 3   0x7fffdfd54479
   f 4             0x1c
   f 5              0x8
   f 6      0x6629349a0
   f 7   0x7ffff7bd8c78
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> disas
Dump of assembler code for function _ZN5physx14NpRigidDynamic6wakeUpEv:
   0x00007ffef9ee9ca0 <+0>:     push   rax
   0x00007ffef9ee9ca1 <+1>:     mov    rax,QWORD PTR [rdi+0x18]
   0x00007ffef9ee9ca5 <+5>:     test   rax,rax
   0x00007ffef9ee9ca8 <+8>:     je     0x7ffef9ee9cbc <physx::NpRigidDynamic::wakeUp()+28>
   0x00007ffef9ee9caa <+10>:    cmp    BYTE PTR [rax+0x4d2],0x0
   0x00007ffef9ee9cb1 <+17>:    je     0x7ffef9ee9cbc <physx::NpRigidDynamic::wakeUp()+28>
   0x00007ffef9ee9cb3 <+19>:    cmp    DWORD PTR [rax+0x1bec],0x2
   0x00007ffef9ee9cba <+26>:    jne    0x7ffef9ee9cd3 <physx::NpRigidDynamic::wakeUp()+51>
=> 0x00007ffef9ee9cbc <+28>:    movss  xmm0,DWORD PTR [rax+0x1cb0]
   0x00007ffef9ee9cc4 <+36>:    add    rdi,0x50
   0x00007ffef9ee9cc8 <+40>:    mov    esi,0x1
   0x00007ffef9ee9ccd <+45>:    pop    rax
   0x00007ffef9ee9cce <+46>:    jmp    0x7ffef9c7cb50 <physx::Sc::BodyCore::setWakeCounter(float, bool)@plt>
   0x00007ffef9ee9cd3 <+51>:    call   0x7ffef9c7d250 <PxGetFoundation@plt>
   0x00007ffef9ee9cd8 <+56>:    mov    rcx,QWORD PTR [rax]
   0x00007ffef9ee9cdb <+59>:    mov    r9,QWORD PTR [rcx+0x58]
   0x00007ffef9ee9cdf <+63>:    lea    rdx,[rip+0x22155a]        # 0x7ffefa10b240
   0x00007ffef9ee9ce6 <+70>:    lea    r8,[rip+0x221c98]        # 0x7ffefa10b985
   0x00007ffef9ee9ced <+77>:    mov    rdi,rax
   0x00007ffef9ee9cf0 <+80>:    mov    esi,0x8
   0x00007ffef9ee9cf5 <+85>:    mov    ecx,0x19a
   0x00007ffef9ee9cfa <+90>:    xor    eax,eax
   0x00007ffef9ee9cfc <+92>:    pop    r11
   0x00007ffef9ee9cfe <+94>:    jmp    r9
End of assembler dump.
pwndbg> 

According to the gdb trace, it is a null pointer dereference problem, and it caused Minecraft to freeze.

I'm not familiar with debugging C++ code, so I'm sorry that I can't provide any more information.

fabmax commented 11 months ago

Sorry, but I don't think I can do anything here. It's most likely a problem caused by misuse of the library and not by PhysX itself. I would assume some object is freed before it was removed from the physics scene, or something like this.
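An added example (not code from the physx-jni project or from either commenter) of the lifecycle ordering the reply above describes: a body never reaches the native `wakeUp()` unless it is still in a scene and has not been released, which matches the faulting path in the disassembly, where the pointer loaded from `[rdi+0x18]` is 0x0 when `+28` dereferences it. It assumes physx-jni exposes `PxScene.addActor`/`removeActor`, `PxActor.getScene`, `PxRigidDynamic.wakeUp` and `release()` under those names, mirroring the PhysX C++ API.

```java
import physx.physics.PxRigidDynamic;
import physx.physics.PxScene;

/** Guards the native actor lifecycle so a stale or scene-less actor never reaches wakeUp(). */
public final class ManagedBody {
    private PxRigidDynamic actor;   // null once released: the native object is gone
    private final PxScene scene;

    public ManagedBody(PxScene scene, PxRigidDynamic actor) {
        this.scene = scene;
        this.actor = actor;
        scene.addActor(actor);      // assumed physx-jni mirror of PxScene::addActor
    }

    /** Wake the body only when it is actually simulated; otherwise report instead of crashing. */
    public boolean wakeUp() {
        if (actor == null) {
            throw new IllegalStateException("actor already released");
        }
        if (actor.getScene() == null) {          // assumed mirror of PxActor::getScene
            return false;                        // not in a scene: native wakeUp() has no scene to read
        }
        actor.wakeUp();
        return true;
    }

    /** Tear down in the order PhysX expects: leave the scene first, then free the native object. */
    public void destroy() {
        if (actor == null) {
            return;                              // idempotent: a second destroy() is a no-op
        }
        if (actor.getScene() != null) {
            scene.removeActor(actor);            // assumed mirror of PxScene::removeActor
        }
        actor.release();                         // frees the native NpRigidDynamic
        actor = null;                            // drop the Java handle so it cannot be reused
    }
}
```

Routing every wake-up and teardown through one owner like this also makes the misuse visible as a Java exception or a `false` return, which is far easier to trace than a SIGSEGV inside `libPhysXJniBindings_64.so`.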