From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 290958] ctfmerge: random Segmentation fault: 11 for `make buildkernel' on macOS
Date: Mon, 24 Nov 2025 00:19:56 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 16.0-CURRENT
X-Bugzilla-Keywords: crash
X-Bugzilla-Who: mp@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: mp@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to cc attachments.created

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290958

Mark Peek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |mp@FreeBSD.org
                 CC|                            |mp@FreeBSD.org

--- Comment #2 from Mark Peek ---
Created attachment 265610
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=265610&action=edit
Patch for missing locking around ctfmerge fifo operations

I was able to reproduce this issue when run in a loop and then simplified it
by just running the ctfmerge command in a loop from the last crash. This
would fail fairly quickly in a loop to 100.
(lldb) bt all
  thread #1
    frame #0: 0x00000001978ca4f8 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x000000019790a0dc libsystem_pthread.dylib`_pthread_cond_wait + 984
    frame #2: 0x0000000104eefca0 ctfmerge`main + 1736
    frame #3: 0x0000000197541d54 dyld`start + 7184
  thread #2
    frame #0: 0x00000001978c99c8 libsystem_kernel.dylib`__psynch_mutexwait + 8
    frame #1: 0x0000000197906e3c libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_wait + 84
    frame #2: 0x0000000197904868 libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 220
    frame #3: 0x0000000104ef05dc ctfmerge`worker_thread + 980
    frame #4: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136
* thread #3, stop reason = ESR_EC_DABORT_EL0 (fault address: 0x17f5)
  * frame #0: 0x0000000104ef093c ctfmerge`fifo_len + 16
    frame #1: 0x0000000104ef06d4 ctfmerge`worker_thread + 1228
    frame #2: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136
  thread #4
    frame #0: 0x00000001978ca4f8 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x000000019790a0dc libsystem_pthread.dylib`_pthread_cond_wait + 984
    frame #2: 0x0000000104ef06e8 ctfmerge`worker_thread + 1248
    frame #3: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136

Fixed the above occurrence by locking around the fifo_len() call and then
received this at another location fifo_len() call:

(lldb) bt all
  thread #1
    frame #0: 0x00000001978ca4f8 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x000000019790a0dc libsystem_pthread.dylib`_pthread_cond_wait + 984
    frame #2: 0x0000000102317ca0 ctfmerge`main(argc=, argv=) at ctfmerge.c:928:3 [opt]
    frame #3: 0x0000000197541d54 dyld`start + 7184
  thread #2
    frame #0: 0x00000001978c99c8 libsystem_kernel.dylib`__psynch_mutexwait + 8
    frame #1: 0x0000000197906e3c libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_wait + 84
    frame #2: 0x0000000197904868 libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 220
    frame #3: 0x000000019790a168 libsystem_pthread.dylib`_pthread_cond_wait + 1124
    frame #4: 0x00000001023186f8 ctfmerge`worker_runphase2(wq=0x0000000102344968) at ctfmerge.c:472:4 [opt] [inlined]
    frame #5: 0x0000000102318624 ctfmerge`worker_thread(wq=0x0000000102344968) at ctfmerge.c:544:2 [opt]
    frame #6: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136
  thread #3
    frame #0: 0x00000001978c99c8 libsystem_kernel.dylib`__psynch_mutexwait + 8
    frame #1: 0x0000000197906e3c libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_wait + 84
    frame #2: 0x0000000197904868 libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 220
    frame #3: 0x000000019790a168 libsystem_pthread.dylib`_pthread_cond_wait + 1124
    frame #4: 0x00000001023186f8 ctfmerge`worker_runphase2(wq=0x0000000102344968) at ctfmerge.c:472:4 [opt] [inlined]
    frame #5: 0x0000000102318624 ctfmerge`worker_thread(wq=0x0000000102344968) at ctfmerge.c:544:2 [opt]
    frame #6: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136
* thread #4, stop reason = ESR_EC_DABORT_EL0 (fault address: 0x2176)
  * frame #0: 0x000000010231894c ctfmerge`fifo_len + 16
    frame #1: 0x00000001023186e4 ctfmerge`worker_runphase2(wq=0x0000000102344968) at ctfmerge.c:471:7 [opt] [inlined]
    frame #2: 0x0000000102318624 ctfmerge`worker_thread(wq=0x0000000102344968) at ctfmerge.c:544:2 [opt]
    frame #3: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136
  thread #5
    frame #0: 0x00000001978c99c8 libsystem_kernel.dylib`__psynch_mutexwait + 8
    frame #1: 0x0000000197906e3c libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_wait + 84
    frame #2: 0x0000000197904868 libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 220
    frame #3: 0x0000000102318578 ctfmerge`worker_thread(wq=0x0000000102344968) at ctfmerge.c:532:3 [opt]
    frame #4: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136
  thread #6
    frame #0: 0x00000001978ca4f8 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x000000019790a0dc libsystem_pthread.dylib`_pthread_cond_wait + 984
    frame #2: 0x00000001023186f8 ctfmerge`worker_runphase2(wq=0x0000000102344968) at ctfmerge.c:472:4 [opt] [inlined]
    frame #3: 0x0000000102318624 ctfmerge`worker_thread(wq=0x0000000102344968) at ctfmerge.c:544:2 [opt]
    frame #4: 0x0000000197909c08 libsystem_pthread.dylib`_pthread_start + 136

Fixed the second one and then found another by reviewing all the fifo_*() calls
for the attached patch. I ran this twice in a loop to 10000 without an issue.

Note to get a core dump on MacOS and lldb backtrace:

1. Change /cores to be writable by the user "chmod 777 /cores"
2. Set core limit "ulimit -c unlimited"
3. codesign the ctfmerge binary to give it a core dump entitlement:

   /usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" tmp.entitlements
   codesign -s - -f --entitlements tmp.entitlements /path/to/ctfmerge

Then run lldb:

   lldb -c /cores/core. -f /path/to/ctfmerge
   (lldb) bt all

-- 
You are receiving this mail because:
You are the assignee for the bug.
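The failure mode in the comment above is a worker calling fifo_len() on a queue that another thread is mutating, and the fix is to hold the queue lock around every fifo_*() call. The following is an added illustration, not ctfmerge's code and not the attached patch: a minimal pthread FIFO whose add, remove and length query all take one mutex, with a condition variable so consumers block instead of polling. The tsfifo_* names, the worker_arg struct, the -1 sentinel used to stop workers and the tsfifo_demo() driver are all hypothetical.

```c
/* Added example, not ctfmerge's code: a FIFO whose every op holds the mutex. */
#include <pthread.h>
#include <stdlib.h>
struct tsfifo_node { void *data; struct tsfifo_node *next; };

typedef struct {
	struct tsfifo_node *head, *tail;
	size_t len;
	pthread_mutex_t lock;		/* guards head, tail and len */
	pthread_cond_t nonempty;	/* signalled on every add */
} tsfifo_t;

static void
tsfifo_add(tsfifo_t *f, void *data)
{
	struct tsfifo_node *n = malloc(sizeof(*n));
	if (n == NULL) abort();
	*n = (struct tsfifo_node){ data, NULL };
	pthread_mutex_lock(&f->lock);
	if (f->tail != NULL)
		f->tail->next = n;
	else
		f->head = n;
	f->tail = n;
	f->len++;
	pthread_cond_signal(&f->nonempty);
	pthread_mutex_unlock(&f->lock);
}

/* Block until an item is queued, then dequeue it. */
static void *
tsfifo_remove(tsfifo_t *f)
{
	pthread_mutex_lock(&f->lock);
	while (f->len == 0)
		pthread_cond_wait(&f->nonempty, &f->lock);
	struct tsfifo_node *n = f->head;
	f->head = n->next;
	if (f->head == NULL) f->tail = NULL;
	f->len--;
	pthread_mutex_unlock(&f->lock);
	void *data = n->data;
	free(n);
	return (data);
}

/* The length query locks too: an unlocked read can see a half-updated queue. */
static size_t
tsfifo_len(tsfifo_t *f)
{
	pthread_mutex_lock(&f->lock);
	size_t n = f->len;
	pthread_mutex_unlock(&f->lock);
	return (n);
}

struct worker_arg { tsfifo_t *q; long sum; };	/* sum: values consumed */

/* Consume items until a -1 sentinel (a hypothetical termination scheme). */
static void *
worker(void *arg)
{
	struct worker_arg *w = arg;
	for (;;) {
		long *item = tsfifo_remove(w->q);
		long v = *item;
		free(item);
		if (v < 0)
			break;
		w->sum += v;
	}
	return (NULL);
}

/* Push 0..nitems-1 through nworkers consumers; total consumed, or -1 if not drained. */
long
tsfifo_demo(int nworkers, int nitems)
{
	tsfifo_t q = { .lock = PTHREAD_MUTEX_INITIALIZER, .nonempty = PTHREAD_COND_INITIALIZER };
	pthread_t tids[nworkers];
	struct worker_arg args[nworkers];
	for (int i = 0; i < nworkers; i++) {
		args[i] = (struct worker_arg){ &q, 0 };
		pthread_create(&tids[i], NULL, worker, &args[i]);
	}
	for (long v = 0; v < nitems + nworkers; v++) {
		long *p = malloc(sizeof(*p));
		if (p == NULL) abort();
		*p = v < nitems ? v : -1;	/* one sentinel per worker */
		tsfifo_add(&q, p);
	}
	long total = 0;
	for (int i = 0; i < nworkers; i++) {
		pthread_join(tids[i], NULL);
		total += args[i].sum;
	}
	return (tsfifo_len(&q) == 0 ? total : -1);
}
```

The design point is that tsfifo_len() takes the lock even though it only reads one word: a lock-free read is what lets a reader observe a list whose head, tail or length is mid-update. A correct total on a handful of runs proves nothing about that, which is why the comment above loops the command to 100 to hit the fault and to 10000 to gain confidence in the fix.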