SIGSEGV on macOS during typing a search string in Navigator window #3139

nospam2000 opened this issue Oct 27, 2024 · 7 comments

@nospam2000

nospam2000 commented Oct 27, 2024

Steps to reproduce the problem

View of Navigator window is set to "Folders".
Music is playing a playlist.
Type a search string in the "Search" field of the Navigator window.

What's going on? Describe the problem in as much detail as possible.

Sometimes this causes a SIGSEGV. It happened to me around 5 times in the last week. It is not so easy to reproduce.
I did not press enter; it happened while typing.

Here is the last part of the call stack; for full details see the comments below:

* thread #1, queue = 'MediaLibSyncQueue', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00000001000969d0 DeaDBeeF`pl_meta_for_key + 18
    frame #1: 0x0000000100097214 DeaDBeeF`pl_find_meta_raw + 9
    frame #2: 0x000000010009ed4e DeaDBeeF`tf_eval_int + 6587
    frame #3: 0x00000001000a1df9 DeaDBeeF`tf_func_directory_path + 61
    frame #4: 0x000000010009d841 DeaDBeeF`tf_eval_int + 1198
    frame #5: 0x000000010009d1ee DeaDBeeF`tf_eval + 314
    frame #6: 0x0000000100086204 DeaDBeeF`qsort_cmp_func + 304
    frame #7: 0x00007ff8156a1d67 libsystem_c.dylib`mergesort + 374
    frame #8: 0x0000000100085cdf DeaDBeeF`plt_sort_internal + 526
    frame #9: 0x0000000100085a5a DeaDBeeF`plt_sort_v2 + 175
    frame #10: 0x00000001006de929 medialib.dylib`_create_item_tree_from_collection + 1010
    frame #11: 0x00000001006dbab5 medialib.dylib`__ml_create_item_tree_block_invoke + 32
    frame #12: 0x00007ff815642dbc libdispatch.dylib`_dispatch_client_callout + 8
    frame #13: 0x00007ff81564fd3c libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 60
    frame #14: 0x00000001006db7e7 medialib.dylib`ml_create_item_tree + 117
    frame #15: 0x000000010002bd17 DeaDBeeF`-[MediaLibraryOutlineViewController initializeTreeView] + 483
    frame #16: 0x000000010002cecb DeaDBeeF`-[MediaLibraryOutlineViewController filterChanged] + 31
    frame #17: 0x000000010002f1b3 DeaDBeeF`-[MediaLibraryOutlineViewController searchFieldAction:] + 136

According to the source code and the register dump, the pointer 'it' is invalid when pl_meta_for_key is called.

Information about the software:

Deadbeef version: devel (9d13e9d)
OS: macOS Sonoma 14.4.1

MacOS Crash Reporter output:

Process:               DeaDBeeF [39070]
Path:                  /Applications/DeaDBeeF.app/Contents/MacOS/DeaDBeeF
Identifier:            com.deadbeef.DeaDBeeF
Version:               devel (9d13e9d)
Code Type:             X86-64 (Native)
Parent Process:        launchd [1]
User ID:               501

Date/Time:             2024-10-27 22:32:59.4251 +0100
OS Version:            macOS 14.4.1 (23E224)
Report Version:        12
Crashed Thread:        0  Dispatch queue: MediaLibSyncQueue

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000040
Exception Codes:       0x0000000000000001, 0x0000000000000040

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [39070]

VM Region Info: 0x40 is not in any region.  Bytes before following region: 4488007616
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      10b819000-10b8e9000    [  832K] r-x/r-x SM=COW  /Applications/DeaDBeeF.app/Contents/MacOS/DeaDBeeF

Thread 0 Crashed::  Dispatch queue: MediaLibSyncQueue
0   DeaDBeeF                      	       0x10b89ed01 plt_sort_internal + 560
1   DeaDBeeF                      	       0x10b89ea5a plt_sort_v2 + 175
2   medialib.dylib                	       0x10bf46929 _create_item_tree_from_collection + 1010
3   medialib.dylib                	       0x10bf43ab5 __ml_create_item_tree_block_invoke + 32
4   libdispatch.dylib             	    0x7ff815642dbc _dispatch_client_callout + 8
5   libdispatch.dylib             	    0x7ff81564fd3c _dispatch_lane_barrier_sync_invoke_and_complete + 60
6   medialib.dylib                	       0x10bf437e7 ml_create_item_tree + 117
7   DeaDBeeF                      	       0x10b844d17 -[MediaLibraryOutlineViewController initializeTreeView] + 483
8   DeaDBeeF                      	       0x10b845ecb -[MediaLibraryOutlineViewController filterChanged] + 31
9   DeaDBeeF                      	       0x10b8481b3 -[MediaLibraryOutlineViewController searchFieldAction:] + 136
10  AppKit                        	    0x7ff8191132b6 -[NSApplication(NSResponder) sendAction:to:from:] + 337
11  AppKit                        	    0x7ff81911312b -[NSControl sendAction:to:] + 86
12  AppKit                        	    0x7ff8197c655d -[NSSearchField sendAction:to:] + 71
13  AppKit                        	    0x7ff81911305d __26-[NSCell _sendActionFrom:]_block_invoke + 131
14  AppKit                        	    0x7ff819112f66 -[NSCell _sendActionFrom:] + 171
15  AppKit                        	    0x7ff8197c91fd -[NSSearchFieldCell(NSSearchFieldCell_Local) _sendPartialString] + 211
16  Foundation                    	    0x7ff8168af814 __NSFireTimer + 67
17  CoreFoundation                	    0x7ff8158dbe6c __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
18  CoreFoundation                	    0x7ff8158dba1a __CFRunLoopDoTimer + 785
19  CoreFoundation                	    0x7ff8158db656 __CFRunLoopDoTimers + 285
20  CoreFoundation                	    0x7ff8158bf932 __CFRunLoopRun + 2104
21  CoreFoundation                	    0x7ff8158beb32 CFRunLoopRunSpecific + 557
22  HIToolbox                     	    0x7ff8202d0829 RunCurrentEventLoopInMode + 292
23  HIToolbox                     	    0x7ff8202d0466 ReceiveNextEventCommon + 201
24  HIToolbox                     	    0x7ff8202d0381 _BlockUntilNextEventMatchingListInModeWithFilter + 66
25  AppKit                        	    0x7ff818f26be5 _DPSNextEvent + 880
26  AppKit                        	    0x7ff819836fe9 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1273
27  AppKit                        	    0x7ff818f18005 -[NSApplication run] + 603
28  AppKit                        	    0x7ff818eebff1 NSApplicationMain + 816
29  DeaDBeeF                      	       0x10b841f48 cocoaui_start + 55
30  DeaDBeeF                      	       0x10b84a850 main + 2715
31  dyld                          	    0x7ff815458366 start + 1942
@nospam2000
Author

nospam2000 commented Oct 27, 2024

A new crash with a slightly different callstack:

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x000000000000004f
Exception Codes:       0x0000000000000001, 0x000000000000004f

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [41579]

VM Region Info: 0x4f is not in any region.  Bytes before following region: 4423954353
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      107b03000-107bd3000    [  832K] r-x/r-x SM=COW  /Applications/DeaDBeeF.app/Contents/MacOS/DeaDBeeF

Thread 0 Crashed::  Dispatch queue: MediaLibSyncQueue
0   DeaDBeeF                      	       0x107b999d0 pl_meta_for_key + 18
1   DeaDBeeF                      	       0x107b9a214 pl_find_meta_raw + 9
2   DeaDBeeF                      	       0x107ba1d4e tf_eval_int + 6587
3   DeaDBeeF                      	       0x107ba4df9 tf_func_directory_path + 61
4   DeaDBeeF                      	       0x107ba0841 tf_eval_int + 1198
5   DeaDBeeF                      	       0x107ba01ee tf_eval + 314
6   DeaDBeeF                      	       0x107b89204 qsort_cmp_func + 304
7   libsystem_c.dylib             	    0x7ff8156a1d67 mergesort + 374
8   DeaDBeeF                      	       0x107b88cdf plt_sort_internal + 526
9   DeaDBeeF                      	       0x107b88a5a plt_sort_v2 + 175
10  medialib.dylib                	       0x108285929 _create_item_tree_from_collection + 1010
11  medialib.dylib                	       0x108282ab5 __ml_create_item_tree_block_invoke + 32
12  libdispatch.dylib             	    0x7ff815642dbc _dispatch_client_callout + 8
13  libdispatch.dylib             	    0x7ff81564fd3c _dispatch_lane_barrier_sync_invoke_and_complete + 60
14  medialib.dylib                	       0x1082827e7 ml_create_item_tree + 117
15  DeaDBeeF                      	       0x107b2ed17 -[MediaLibraryOutlineViewController initializeTreeView] + 483
16  DeaDBeeF                      	       0x107b2fecb -[MediaLibraryOutlineViewController filterChanged] + 31
17  DeaDBeeF                      	       0x107b321b3 -[MediaLibraryOutlineViewController searchFieldAction:] + 136
18  AppKit                        	    0x7ff8191132b6 -[NSApplication(NSResponder) sendAction:to:from:] + 337
19  AppKit                        	    0x7ff81911312b -[NSControl sendAction:to:] + 86
20  AppKit                        	    0x7ff8197c655d -[NSSearchField sendAction:to:] + 71
21  AppKit                        	    0x7ff81911305d __26-[NSCell _sendActionFrom:]_block_invoke + 131
22  AppKit                        	    0x7ff819112f66 -[NSCell _sendActionFrom:] + 171
23  AppKit                        	    0x7ff8197c91fd -[NSSearchFieldCell(NSSearchFieldCell_Local) _sendPartialString] + 211
24  Foundation                    	    0x7ff8168af814 __NSFireTimer + 67
25  CoreFoundation                	    0x7ff8158dbe6c __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
26  CoreFoundation                	    0x7ff8158dba1a __CFRunLoopDoTimer + 785
27  CoreFoundation                	    0x7ff8158db656 __CFRunLoopDoTimers + 285
28  CoreFoundation                	    0x7ff8158bf932 __CFRunLoopRun + 2104
29  CoreFoundation                	    0x7ff8158beb32 CFRunLoopRunSpecific + 557
30  HIToolbox                     	    0x7ff8202d0829 RunCurrentEventLoopInMode + 292
31  HIToolbox                     	    0x7ff8202d0466 ReceiveNextEventCommon + 201
32  HIToolbox                     	    0x7ff8202d0381 _BlockUntilNextEventMatchingListInModeWithFilter + 66
33  AppKit                        	    0x7ff818f26be5 _DPSNextEvent + 880
34  AppKit                        	    0x7ff819836fe9 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1273
35  AppKit                        	    0x7ff818f18005 -[NSApplication run] + 603
36  AppKit                        	    0x7ff818eebff1 NSApplicationMain + 816
37  DeaDBeeF                      	       0x107b2bf48 cocoaui_start + 55
38  DeaDBeeF                      	       0x107b34850 main + 2715
39  dyld                          	    0x7ff815458366 start + 1942

@nospam2000
Author

nospam2000 commented Oct 27, 2024

Now I was able to reproduce the issue with lldb attached and could even create a core-dump file for further analysis:

scan time: 30.563000 seconds (42109 tracks)
building index...
index build time: 0.224000 seconds
clearing index...
tree build time: 0.959000 seconds
tree build time: 0.589000 seconds
tree build time: 0.424000 seconds
tree build time: 0.282000 seconds
2024-10-27 23:23:27.281283+0100 DeaDBeeF[41795:690685] [general] *** -[NSKeyedUnarchiver validateAllowedClass:forKey:] allowed unarchiving safe plist type ''NSData' (0x7ff858d29538) [/System/Library/Frameworks/CoreFoundation.framework]' for key 'DdbPlaylistData', even though it was not explicitly included in the client allowed classes set: '{(
    "'NSArray' (0x7ff858d29470) [/System/Library/Frameworks/CoreFoundation.framework]"
)}'. This will be disallowed in the future.
2024-10-27 23:23:30.744221+0100 DeaDBeeF[41795:690685] [miscellany] CLIENT ERROR: TUINSRemoteViewController does not override -viewServiceDidTerminateWithError: and thus cannot react to catastrophic errors beyond logging them
Process 41795 stopped
* thread #1, queue = 'MediaLibSyncQueue', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00000001000969d0 DeaDBeeF`pl_meta_for_key + 18
DeaDBeeF`pl_meta_for_key:
->  0x1000969d0 <+18>: movq   0x50(%rbx), %rbx
    0x1000969d4 <+22>: testq  %rbx, %rbx
    0x1000969d7 <+25>: je     0x1000969ee               ; <+48>
    0x1000969d9 <+27>: movq   0x8(%rbx), %rsi
Target 0: (DeaDBeeF) stopped.
(lldb) bt
* thread #1, queue = 'MediaLibSyncQueue', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00000001000969d0 DeaDBeeF`pl_meta_for_key + 18
    frame #1: 0x0000000100097214 DeaDBeeF`pl_find_meta_raw + 9
    frame #2: 0x000000010009ed4e DeaDBeeF`tf_eval_int + 6587
    frame #3: 0x00000001000a1df9 DeaDBeeF`tf_func_directory_path + 61
    frame #4: 0x000000010009d841 DeaDBeeF`tf_eval_int + 1198
    frame #5: 0x000000010009d1ee DeaDBeeF`tf_eval + 314
    frame #6: 0x0000000100086204 DeaDBeeF`qsort_cmp_func + 304
    frame #7: 0x00007ff8156a1d67 libsystem_c.dylib`mergesort + 374
    frame #8: 0x0000000100085cdf DeaDBeeF`plt_sort_internal + 526
    frame #9: 0x0000000100085a5a DeaDBeeF`plt_sort_v2 + 175
    frame #10: 0x00000001006de929 medialib.dylib`_create_item_tree_from_collection + 1010
    frame #11: 0x00000001006dbab5 medialib.dylib`__ml_create_item_tree_block_invoke + 32
    frame #12: 0x00007ff815642dbc libdispatch.dylib`_dispatch_client_callout + 8
    frame #13: 0x00007ff81564fd3c libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 60
    frame #14: 0x00000001006db7e7 medialib.dylib`ml_create_item_tree + 117
    frame #15: 0x000000010002bd17 DeaDBeeF`-[MediaLibraryOutlineViewController initializeTreeView] + 483
    frame #16: 0x000000010002cecb DeaDBeeF`-[MediaLibraryOutlineViewController filterChanged] + 31
    frame #17: 0x000000010002f1b3 DeaDBeeF`-[MediaLibraryOutlineViewController searchFieldAction:] + 136
    frame #18: 0x00007ff8191132b6 AppKit`-[NSApplication(NSResponder) sendAction:to:from:] + 337
    frame #19: 0x00007ff81911312b AppKit`-[NSControl sendAction:to:] + 86
    frame #20: 0x00007ff8197c655d AppKit`-[NSSearchField sendAction:to:] + 71
    frame #21: 0x00007ff81911305d AppKit`__26-[NSCell _sendActionFrom:]_block_invoke + 131
    frame #22: 0x00007ff819112f66 AppKit`-[NSCell _sendActionFrom:] + 171
    frame #23: 0x00007ff8197c91fd AppKit`-[NSSearchFieldCell(NSSearchFieldCell_Local) _sendPartialString] + 211
    frame #24: 0x00007ff8168af814 Foundation`__NSFireTimer + 67
    frame #25: 0x00007ff8158dbe6c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    frame #26: 0x00007ff8158dba1a CoreFoundation`__CFRunLoopDoTimer + 785
    frame #27: 0x00007ff8158db656 CoreFoundation`__CFRunLoopDoTimers + 285
    frame #28: 0x00007ff8158bf932 CoreFoundation`__CFRunLoopRun + 2104
    frame #29: 0x00007ff8158beb32 CoreFoundation`CFRunLoopRunSpecific + 557
    frame #30: 0x00007ff8202d0829 HIToolbox`RunCurrentEventLoopInMode + 292
    frame #31: 0x00007ff8202d0466 HIToolbox`ReceiveNextEventCommon + 201
    frame #32: 0x00007ff8202d0381 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 66
    frame #33: 0x00007ff818f26be5 AppKit`_DPSNextEvent + 880
    frame #34: 0x00007ff819836fe9 AppKit`-[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1273
    frame #35: 0x00007ff818f18005 AppKit`-[NSApplication run] + 603
    frame #36: 0x00007ff818eebff1 AppKit`NSApplicationMain + 816
    frame #37: 0x0000000100028f48 DeaDBeeF`cocoaui_start + 55
    frame #38: 0x0000000100031850 DeaDBeeF`main + 2715
    frame #39: 0x00007ff815458366 dyld`start + 1942

The content of register rbx (= register rdi = parameter 'it') is not a valid pointer; that is why movq 0x50(%rbx), %rbx (DB_metaInfo_t *m = it->meta;) fails:

(lldb) disassemble --frame --context 20 --count 11
DeaDBeeF`pl_meta_for_key:
    0x1000969be <+0>:  pushq  %rbp
    0x1000969bf <+1>:  movq   %rsp, %rbp
    0x1000969c2 <+4>:  pushq  %r14
    0x1000969c4 <+6>:  pushq  %rbx
    0x1000969c5 <+7>:  movq   %rsi, %r14
    0x1000969c8 <+10>: movq   %rdi, %rbx
    0x1000969cb <+13>: callq  0x1000849b2               ; pl_ensure_lock
->  0x1000969d0 <+18>: movq   0x50(%rbx), %rbx   ; %rbx=param 'it' is 0xe0c69b6213000000 and not a valid pointer
    0x1000969d4 <+22>: testq  %rbx, %rbx
    0x1000969d7 <+25>: je     0x1000969ee               ; <+48>
    0x1000969d9 <+27>: movq   0x8(%rbx), %rsi
(lldb) register read
General Purpose Registers:
       rax = 0x0000000000000000
       rbx = 0xe0c69b6213000000
       rcx = 0x0000000000000014
       rdx = 0x00000001000c4fea  "albumartist"
       rdi = 0xe0c69b6213000000
       rsi = 0x00000001000c7ae0  ":URI"
       rbp = 0x00007ff7bfefb240
       rsp = 0x00007ff7bfefb230
        r8 = 0x0000000000000000
        r9 = 0x0000000000000310
       r10 = 0x0000000000010000
       r11 = 0x00001ff7b898aa13
       r12 = 0x0000000000000004
       r13 = 0x00007ff7bfefb270
       r14 = 0x00000001000c7ae0  ":URI"
       r15 = 0x00007ff7bfefb260
       rip = 0x00000001000969d0  DeaDBeeF`pl_meta_for_key + 18
    rflags = 0x0000000000000246
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

@nospam2000
Author

nospam2000 commented Nov 3, 2024

I was able to compile a Debug version and reproduce the bug.
I was playing a song for maybe 10 minutes and then started typing in the input field.

Here is the location of the crash:

DB_metaInfo_t *
pl_meta_for_key (playItem_t *it, const char *key) {
    pl_ensure_lock ();
    DB_metaInfo_t *m = it->meta; // << crash because it=-1

Called from tf_eval_int():

// parameter values
// code	const char *	"path/"	0x0000600005de9ced
// size	int	4
tf_eval_int (ddb_tf_context_t *ctx, const char *code, int size, char *out, int outlen, int *bool_out, int fail_on_undef) {
    playItem_t *it = (playItem_t *)ctx->it; // Here 'it' is set to -1

Content of ctx:

ctx	ddb_tf_context_t *	0x7ff7bc345120	0x00007ff7bc345120
_size	int	56
flags	uint32_t	65536
it	ddb_playItem_t *	0xffffffffffffffff
plt	ddb_playlist_t *	0x6000015c4f00	0x00006000015c4f00
idx	int	-1
id	int	-1
iter	int	0
update	int	0
dimmed	int	0
metadata_transformer	void (*)(ddb_tf_context_s *, char *, size_t)	NULL	0x0000000000000000

ctx.it comes from parameter a of pl_sort_compare_str (playItem_t *a, playItem_t *b) which is already -1.

The name of the array to be sorted is "Medialib Playlist".

TODO: check in plt_sort_internal() if the item-pointers are still ok (not -1 and not 0) after this loop:

    for (playItem_t *it = playlist->head[iter]; it; it = it->next[iter], idx++) {
        array[idx] = it;
    }

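One way to implement the check the TODO describes, as an added example that is not deadbeef's own code: playItem_t is reduced to a constructed stand-in with an assumed debug marker and reference count, the list is collected into an array the way the loop above does, and every entry is validated before a sort comparator could dereference it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal stand-in for deadbeef's playItem_t (constructed for this example):
 * a singly linked list node with a reference count and a debug marker. */
#define ITEM_MAGIC 0x4D4C4954u /* "MLIT", an assumed debug canary */
#define ITEM_FREED 0xDEADBEEFu /* marker written when the last reference goes away */

typedef struct playItem_s {
    uint32_t magic;   /* ITEM_MAGIC while alive, ITEM_FREED after release */
    int refc;         /* reference count, must be > 0 for a live item */
    struct playItem_s *next;
} playItem_t;

static playItem_t *item_alloc(void) {
    playItem_t *it = calloc(1, sizeof *it);
    if (!it) abort();
    it->magic = ITEM_MAGIC;
    it->refc = 1;
    return it;
}

/* Release one reference. Instead of freeing the memory at once, poison the
 * marker so a stale pointer left in a list or sort array can be recognised. */
static void item_unref(playItem_t *it) {
    if (--it->refc == 0) {
        it->magic = ITEM_FREED;
    }
}

/* The check from the TODO: validate every pointer collected from the list
 * before handing the array to the sort comparator. Returns the index of the
 * first bad entry (NULL, the -1 sentinel seen in the crash, a poisoned marker
 * or a non-positive refcount), or -1 when all entries look like live items. */
static int check_sort_array(playItem_t **array, int count) {
    for (int i = 0; i < count; i++) {
        playItem_t *it = array[i];
        if (it == NULL || it == (playItem_t *)(intptr_t)-1) return i;
        if (it->magic != ITEM_MAGIC || it->refc <= 0) return i;
    }
    return -1;
}

/* Collect list nodes into an array the way the loop in plt_sort_internal does. */
static int collect(playItem_t *head, playItem_t **array, int cap) {
    int idx = 0;
    for (playItem_t *it = head; it && idx < cap; it = it->next, idx++) array[idx] = it;
    return idx;
}

/* Scenario: three items are linked, then the middle one is over-released while
 * it is still in the list, leaving a dangling pointer behind. Returns the index
 * the check reports after the over-release (1), or -2 if the clean pass failed. */
int demo_dangling_item(void) {
    playItem_t *a = item_alloc(), *b = item_alloc(), *c = item_alloc();
    a->next = b; b->next = c;
    playItem_t *array[3];
    int n = collect(a, array, 3);
    int before = check_sort_array(array, n);   /* -1: all entries live */
    item_unref(b);                             /* over-release: list still points at b */
    int after = check_sort_array(array, n);    /* 1: b is flagged before any comparator runs */
    free(a); free(b); free(c);
    return before == -1 ? after : -2;
}
```

In a real build the poisoning would live behind a debug flag; under ASAN the same stale pointer is reported at the first dereference instead.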
@Oleksiy-Yakovenko
Member

I have tried to reproduce this too over the last few days, and it didn't happen for me from using medialibrary search.
So I turned address sanitizer (ASAN) on and kept using deadbeef in that mode,
and yesterday I got an ASAN error after doing some unrelated stuff..
like, I just tried to play some folder or something like that.
There's definitely a reference counting bug somewhere, destroying some object and leaving a dangling pointer behind.

The main problem with this kind of bug is that they are not easy to fix even when you have a callstack pointing to the crash. Instead -- it requires finding the place which either over-released some object, or missed a retain, and that happens at some other time and place than the crash location.

@nospam2000
Author

I will keep collecting data here and keep track of it. It's not a high priority issue.

@Oleksiy-Yakovenko
Member

@nospam2000 can you check if this issue still occurs? I recently fixed a bug caused by search.. maybe it is related.
(I still can't repro)

@nospam2000
Author

nospam2000 commented Dec 4, 2024

@Oleksiy-Yakovenko

I fetched the latest source version (commit 52935d9, master, Date: Fri Nov 29 21:40:57 2024 +0100)

and built it using this command, started it from the shell, and then attached Xcode for debugging:

xcodebuild -project osx/deadbeef.xcodeproj -target DeaDBeeF -configuration Debug -fsanitize=address -fsanitize=alignment -fsanitize=bounds -fsanitize=vptr -fsanitize=integer-divide-by-zero -fsanitize=float-divide-by-zero -fsanitize=null  -fsanitize=object-size -fsanitize=shift -fsanitize=signed-integer-overflow -fsanitize=vla-bound

After some minutes I was able to reproduce the issue.
There is a slight difference from the earlier issue: 'it' in pl_meta_for_key() is now 0x7f5853bf13bc911d and no longer 0xffffffffffffffff, but it is not a valid memory address.

The bytes 0x58, 0x53 of the pointer == "XS", which could be part of a string.
