Skip to content
This repository has been archived by the owner on Aug 8, 2023. It is now read-only.

constant crashing #816

Closed
ansis opened this issue Feb 4, 2015 · 15 comments
Closed

constant crashing #816

ansis opened this issue Feb 4, 2015 · 15 comments

Comments

@ansis
Copy link
Contributor

ansis commented Feb 4, 2015

Master (002a709) constantly crashes for me after a few seconds of zooming. The error message changes. Three separate crashes:

Mapbox GL(22239,0x7fff7889f310) malloc: *** error for object 0x7feb22e29790: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
make: *** [run-osx] Abort trap: 6
Mapbox GL(22266,0x11122f000) malloc: *** error for object 0x7fc388db53c0: double free
*** set a breakpoint in malloc_error_break to debug
make: *** [run-osx] Abort trap: 6
libc++abi.dylib: terminating with uncaught exception of type std::__1::bad_function_call: std::exception
make: *** [run-osx] Abort trap: 6
@ansis ansis added the bug label Feb 4, 2015
@ansis
Copy link
Contributor Author

ansis commented Feb 5, 2015

It looks like it's coming from the notify() in mbgl::Request::destruct(). @kkaefer can you take a look? It should be fairly easy to reproduce: just zoom around for a while until it crashes.

@kkaefer kkaefer added the crash label Feb 5, 2015
@kkaefer
Copy link
Contributor

kkaefer commented Feb 5, 2015

Unfortunately, I can't reproduce this issue :(

@ansis
Copy link
Contributor Author

ansis commented Feb 5, 2015

Hmm, sometimes it takes a while.

Weirdly, it seems to trigger a lot more easily with make osx run-osx than when building with xcode. I have no idea why that would be the case. I might be just imagining it.

I just saw these different ones:

Mapbox GL(71852,0x114e1d000) malloc: *** error for object 0x7fe69afd19f8: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
make: *** [run-osx] Abort trap: 6
Mapbox GL(63507,0x109bf7000) malloc: *** error for object 0x600000243b70: Heap corruption detected, free list canary is damaged
*** set a breakpoint in malloc_error_break to debug
make: *** [run-osx] Segmentation fault: 11

@mb12
Copy link

mb12 commented Feb 5, 2015

You can edit your scheme in xcode and enable scribble, guard malloc and guard edges. It might throw more light into this corruption issue.

@ljbade
Copy link
Contributor

ljbade commented Feb 6, 2015

Sounds like something trashing random memory.

@artemp
Copy link
Contributor

artemp commented Feb 10, 2015

Looks like related

make osx run-osx

turn on 'debug' mode to display tile boundaries and zoom in and out

Mapbox GL(32086,0x115212000) malloc: *** error for object 0x7fcf6a0c1f80: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
FPS: 60.14
FPS: 60.01
Process 41088 stopped
* thread #16: tid = 0x12ace, 0x0000000100189e63 Mapbox GL`std::__1::__murmur2_or_cityhash<unsigned long, 64ul>::operator()(void const*, unsigned long) [inlined] unsigned long std::__1::__loadword<unsigned long>(__p=0xffffffffffffffd8) + 7 at memory:3070, name = 'Tile Worker', stop reason = EXC_BAD_ACCESS (code=1, address=0xffffffffffffffd8)
    frame #0: 0x0000000100189e63 Mapbox GL`std::__1::__murmur2_or_cityhash<unsigned long, 64ul>::operator()(void const*, unsigned long) [inlined] unsigned long std::__1::__loadword<unsigned long>(__p=0xffffffffffffffd8) + 7 at memory:3070
   3067 __loadword(const void* __p)
   3068 {
   3069     _Size __r;
-> 3070     std::memcpy(&__r, __p, sizeof(__r));
   3071     return __r;
   3072 }
   3073 
(lldb) 

bt

* thread #16: tid = 0x12ace, 0x0000000100189e63 Mapbox GL`std::__1::__murmur2_or_cityhash<unsigned long, 64ul>::operator()(void const*, unsigned long) [inlined] unsigned long std::__1::__loadword<unsigned long>(__p=0xffffffffffffffd8) + 7 at memory:3070, name = 'Tile Worker', stop reason = EXC_BAD_ACCESS (code=1, address=0xffffffffffffffd8)
  * frame #0: 0x0000000100189e63 Mapbox GL`std::__1::__murmur2_or_cityhash<unsigned long, 64ul>::operator()(void const*, unsigned long) [inlined] unsigned long std::__1::__loadword<unsigned long>(__p=0xffffffffffffffd8) + 7 at memory:3070
    frame #1: 0x0000000100189e5c Mapbox GL`std::__1::__murmur2_or_cityhash<unsigned long, 64ul>::operator(this=0x000000010db07cc0, __key=0x0000000100ef2010, __len=18446744069398913008)(void const*, unsigned long) + 236 at memory:3254
    frame #2: 0x0000000100189d24 Mapbox GL`std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >::operator()(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) const [inlined] std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::data(this=0x0000000100e662d0, this=0x0000000100e662d0, this=0x0000000100e662d0, __p=0x0000000100ef2010, __e=0x0000000000000000) const + 22 at string:1090
    frame #3: 0x0000000100189d0e Mapbox GL`std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >::operator(this=0x0000000100a01648, __val=0x0000000100e662d0)(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) const + 798 at string:4133
    frame #4: 0x0000000100252ebf Mapbox GL`std::__1::__hash_iterator<std::__1::__hash_node<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, void*>*> std::__1::__hash_table<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::__unordered_map_hasher<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, true>, std::__1::__unordered_map_equal<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, true>, std::__1::allocator<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > > > >::find<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [inlined] std::__1::__hash_table<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::__unordered_map_hasher<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, true>, std::__1::__unordered_map_equal<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, true>, std::__1::allocator<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > > > >::hash_function(this=0x0000000100a01630, this=0x0000000100a01648, __x=0x0000000100e662d0) + 159 at unordered_map:384
    frame #5: 0x0000000100252e9b Mapbox GL`std::__1::__hash_iterator<std::__1::__hash_node<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, void*>*> std::__1::__hash_table<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::__unordered_map_hasher<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, true>, std::__1::__unordered_map_equal<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > >, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, true>, std::__1::allocator<std::__1::__hash_value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > > > >::find<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >(this=0x0000000100a01630, __k=0x0000000100e662d0) + 123 at __hash_table:2020
    frame #6: 0x0000000100248047 Mapbox GL`mbgl::GlyphStore::createFontStack(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [inlined] std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> >, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const, std::__1::unique_ptr<mbgl::FontStack, std::__1::default_delete<mbgl::FontStack> > > > >::find(this=0x0000000100a01630, __k=0x0000000100e662d0) + 19 at unordered_map:968
    frame #7: 0x0000000100248034 Mapbox GL`mbgl::GlyphStore::createFontStack(this=0x0000000100a015e8, fontStack=0x0000000100e662d0) + 84 at glyph_store.cpp:276
    frame #8: 0x0000000100248b24 Mapbox GL`mbgl::GlyphStore::getFontStack(this=0x0000000100a015e8, fontStack=0x0000000100e662d0) + 100 at glyph_store.cpp:285
    frame #9: 0x000000010015a774 Mapbox GL`mbgl::SymbolBucket::addFeatures(this=0x00000001172560e0, layer=0x0000000100e94488, filter=0x0000000100e661f0, id=0x00000001147596b0, spriteAtlas=0x0000000100a016a0, sprite=0x0000000100e71e28, glyphAtlas=0x0000000100a01520, glyphStore=0x0000000100a015e8) + 676 at symbol_bucket.cpp:167
    frame #10: 0x00000001000c6729 Mapbox GL`mbgl::TileParser::createSymbolBucket(this=0x000000010db09b90, layer=0x0000000100e94488, filter=0x0000000100e661f0, symbol=0x0000000100e66268) + 345 at tile_parser.cpp:264
    frame #11: 0x00000001000c455b Mapbox GL`mbgl::TileParser::createBucket(this=0x000000010db09b90, bucket_desc=<unavailable>) + 2283 at tile_parser.cpp:210
    frame #12: 0x00000001000c3505 Mapbox GL`mbgl::TileParser::parseStyleLayers(this=0x000000010db09b90, group=<unavailable>) + 1157 at tile_parser.cpp:81
    frame #13: 0x00000001000c302a Mapbox GL`mbgl::TileParser::parse(this=0x000000010db09b90) + 74 at tile_parser.cpp:54
    frame #14: 0x00000001001141e9 Mapbox GL`mbgl::VectorTileData::parse(this=0x0000000114759698) + 777 at vector_tile_data.cpp:53
    frame #15: 0x00000001000bdeb2 Mapbox GL`mbgl::TileData::reparse(this=0x00000001008e4d88, tile=0x00000001008e4d70)>)::$_2::operator()(mbgl::util::ptr<mbgl::TileData>&) const + 66 at tile_data.cpp:99
    frame #16: 0x00000001000bdd59 Mapbox GL`std::__1::__function::__func<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2, std::__1::allocator<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2>, void (mbgl::util::ptr<mbgl::TileData>&)>::operator()(mbgl::util::ptr<mbgl::TileData>&) [inlined] decltype(this=0x00000001008e4d88, __f=0x00000001008e4d88, __args=0x00000001008e4d70)>)::$_2&>(fp)(std::__1::forward<mbgl::util::ptr<mbgl::TileData>&>(fp0))) std::__1::__invoke<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2&, mbgl::util::ptr<mbgl::TileData>&>(mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2&&&, mbgl::util::ptr<mbgl::TileData>&&&) + 29 at __functional_base:413
    frame #17: 0x00000001000bdd3c Mapbox GL`std::__1::__function::__func<mbgl::TileData::reparse(this=0x00000001008e4d80, __arg=0x00000001008e4d70)>)::$_2, std::__1::allocator<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2>, void (mbgl::util::ptr<mbgl::TileData>&)>::operator()(mbgl::util::ptr<mbgl::TileData>&) + 76 at functional:1370
    frame #18: 0x00000001000c1aed Mapbox GL`std::__1::function<void (this=0x00000001008e4d80, __arg=0x00000001008e4d70)>::operator()(mbgl::util::ptr<mbgl::TileData>&) const + 205 at functional:1755
    frame #19: 0x00000001000c1978 Mapbox GL`uv::work<mbgl::util::ptr<mbgl::TileData> >::do_work(data=0x00000001008e4d70) + 56 at uv_detail.hpp:160
    frame #20: 0x000000010029d18e Mapbox GL`uv__worker_thread_loop(ptr=0x0000000100e0cba0) + 206 at uv-worker.c:86
    frame #21: 0x00000001002e67f7 Mapbox GL`uv__thread_start(ctx_v=0x0000000100e3e880) + 87 at uv-common.c:322
    frame #22: 0x00007fff89ad0268 libsystem_pthread.dylib`_pthread_body + 131
    frame #23: 0x00007fff89ad01e5 libsystem_pthread.dylib`_pthread_start + 176
    frame #24: 0x00007fff89ace41d libsystem_pthread.dylib`thread_start + 13

@artemp
Copy link
Contributor

artemp commented Feb 10, 2015

Another crash

Mapbox GL(41341,0x10c9ab000) malloc: *** error for object 0x103a14f10: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Process 41341 stopped
* thread #16: tid = 0x12fe1, 0x00007fff863db286 libsystem_kernel.dylib`__pthread_kill + 10, name = 'Tile Worker', stop reason = signal SIGABRT
    frame #0: 0x00007fff863db286 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff863db286:  jae    0x7fff863db290            ; __pthread_kill + 20
   0x7fff863db288:  movq   %rax, %rdi
   0x7fff863db28b:  jmp    0x7fff863d6c53            ; cerror_nocancel
   0x7fff863db290:  retq   
(lldb) bt
* thread #16: tid = 0x12fe1, 0x00007fff863db286 libsystem_kernel.dylib`__pthread_kill + 10, name = 'Tile Worker', stop reason = signal SIGABRT
  * frame #0: 0x00007fff863db286 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff89ad242f libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fff8c53bb53 libsystem_c.dylib`abort + 129
    frame #3: 0x00007fff85658937 libsystem_malloc.dylib`free + 428
    frame #4: 0x0000000100201e01 Mapbox GL`mbgl::StyleBucketSymbol::'unnamed0'::~'unnamed0'(this=0x0000000100d3a510) + 49 at style_bucket.hpp:71
    frame #5: 0x0000000100201d03 Mapbox GL`mbgl::StyleBucketSymbol::'unnamed0'::~'unnamed0'(this=0x0000000100d3a510) + 35 at style_bucket.hpp:71
    frame #6: 0x0000000100201ca1 Mapbox GL`mbgl::StyleBucketSymbol::~StyleBucketSymbol(this=0x0000000100d3a4c8) + 49 at style_bucket.hpp:45
    frame #7: 0x0000000100201b23 Mapbox GL`mbgl::StyleBucketSymbol::~StyleBucketSymbol(this=0x0000000100d3a4c8) + 35 at style_bucket.hpp:45
    frame #8: 0x0000000100201ac8 Mapbox GL`mapbox::util::variant_helper<mbgl::StyleBucketSymbol, mbgl::StyleBucketRaster, mbgl::StyleBucketBackground, std::__1::integral_constant<bool, false> >::destroy(id=3, data=0x0000000100d3a4c8) + 56 at variant.hpp:183
    frame #9: 0x0000000100201a6e Mapbox GL`mapbox::util::variant_helper<mbgl::StyleBucketLine, mbgl::StyleBucketSymbol, mbgl::StyleBucketRaster, mbgl::StyleBucketBackground, std::__1::integral_constant<bool, false> >::destroy(id=3, data=0x0000000100d3a4c8) + 62 at variant.hpp:187
    frame #10: 0x0000000100201a0e Mapbox GL`mapbox::util::variant_helper<mbgl::StyleBucketFill, mbgl::StyleBucketLine, mbgl::StyleBucketSymbol, mbgl::StyleBucketRaster, mbgl::StyleBucketBackground, std::__1::integral_constant<bool, false> >::destroy(id=3, data=0x0000000100d3a4c8) + 62 at variant.hpp:187
    frame #11: 0x00000001000c9697 Mapbox GL`void mapbox::util::variant<mbgl::StyleBucketFill, mbgl::StyleBucketLine, mbgl::StyleBucketSymbol, mbgl::StyleBucketRaster, mbgl::StyleBucketBackground, std::__1::integral_constant<bool, false> >::set<mbgl::StyleBucketSymbol>(this=0x0000000100d3a4c0) + 55 at variant.hpp:618
    frame #12: 0x00000001000c4d31 Mapbox GL`void mbgl::TileParser::applyLayoutProperties<mbgl::SymbolProperties>(this=0x000000010c9aab90, bucket_desc=0x0000000100d3a408, z=8) + 65 at tile_parser.cpp:145
    frame #13: 0x00000001000c44f6 Mapbox GL`mbgl::TileParser::createBucket(this=0x000000010c9aab90, bucket_desc=<unavailable>) + 2182 at tile_parser.cpp:209
    frame #14: 0x00000001000c3505 Mapbox GL`mbgl::TileParser::parseStyleLayers(this=0x000000010c9aab90, group=<unavailable>) + 1157 at tile_parser.cpp:81
    frame #15: 0x00000001000c302a Mapbox GL`mbgl::TileParser::parse(this=0x000000010c9aab90) + 74 at tile_parser.cpp:54
    frame #16: 0x00000001001141e9 Mapbox GL`mbgl::VectorTileData::parse(this=0x0000000100e061a8) + 777 at vector_tile_data.cpp:53
    frame #17: 0x00000001000bdeb2 Mapbox GL`mbgl::TileData::reparse(this=0x0000000103976198, tile=0x0000000103976180)>)::$_2::operator()(mbgl::util::ptr<mbgl::TileData>&) const + 66 at tile_data.cpp:99
    frame #18: 0x00000001000bdd59 Mapbox GL`std::__1::__function::__func<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2, std::__1::allocator<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2>, void (mbgl::util::ptr<mbgl::TileData>&)>::operator()(mbgl::util::ptr<mbgl::TileData>&) [inlined] decltype(this=0x0000000103976198, __f=0x0000000103976198, __args=0x0000000103976180)>)::$_2&>(fp)(std::__1::forward<mbgl::util::ptr<mbgl::TileData>&>(fp0))) std::__1::__invoke<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2&, mbgl::util::ptr<mbgl::TileData>&>(mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2&&&, mbgl::util::ptr<mbgl::TileData>&&&) + 29 at __functional_base:413
    frame #19: 0x00000001000bdd3c Mapbox GL`std::__1::__function::__func<mbgl::TileData::reparse(this=0x0000000103976190, __arg=0x0000000103976180)>)::$_2, std::__1::allocator<mbgl::TileData::reparse(uv::worker&, std::__1::function<void ()>)::$_2>, void (mbgl::util::ptr<mbgl::TileData>&)>::operator()(mbgl::util::ptr<mbgl::TileData>&) + 76 at functional:1370
    frame #20: 0x00000001000c1aed Mapbox GL`std::__1::function<void (this=0x0000000103976190, __arg=0x0000000103976180)>::operator()(mbgl::util::ptr<mbgl::TileData>&) const + 205 at functional:1755
    frame #21: 0x00000001000c1978 Mapbox GL`uv::work<mbgl::util::ptr<mbgl::TileData> >::do_work(data=0x0000000103976180) + 56 at uv_detail.hpp:160
    frame #22: 0x000000010029d18e Mapbox GL`uv__worker_thread_loop(ptr=0x0000000100850af0) + 206 at uv-worker.c:86
    frame #23: 0x00000001002e67f7 Mapbox GL`uv__thread_start(ctx_v=0x0000000100818b10) + 87 at uv-common.c:322
    frame #24: 0x00007fff89ad0268 libsystem_pthread.dylib`_pthread_body + 131
    frame #25: 0x00007fff89ad01e5 libsystem_pthread.dylib`_pthread_start + 176
    frame #26: 0x00007fff89ace41d libsystem_pthread.dylib`thread_start + 13
(lldb) 

@kkaefer - https://github.com/mapbox/mapbox-gl-native/blob/master/src/mbgl/style/style_bucket.hpp#L58-L90 -- I think using anonymous inner struct (which is C not C++) is asking for trouble.
ref: http://stackoverflow.com/questions/8622459/why-does-c11-not-support-anonymous-structs-while-c11-does

@mb12
Copy link

mb12 commented Feb 10, 2015

Double delete of "Request" object is happening because of a race between calls to Requst::notify and Request::cancel.

1.) Request::notify is called from a separate thread HttpRequestImpl.
2.) Request::cancel is called when a tile becomes obsolete when you zoom in. This is called from mapThread.

If you review notifyCallback and cancelCallback, both would delete Request object (via delete this). So access to Request::notify and Request::cancel need to be synchronized via a mutex.

@ljbade
Copy link
Contributor

ljbade commented Feb 10, 2015

Ah, @kkaefer I would add a endCallback (or deleteCallback) that adds a critical section.

@kkaefer
Copy link
Contributor

kkaefer commented Feb 10, 2015

@mb12 while the deletion order of the Request object is a little intricate, I believe it is nevertheless correct. Both notifyCallback and cancel are called in the map thread, but the notifyCallback doesn't delete the object if a destruct_async has been created, since in those cases, it'll be deleted in the cancelCallback. Request objects that don't have a notify_async object because the caller didn't supply a loop, cannot be canceled, so neither *Callback function will be called and the object will instead be deleted directly in notify.

If you remove all delete calls in request.cpp, the crash still occurs, so I'm lead to believe that the crash is elsewhere.

@mb12
Copy link

mb12 commented Feb 10, 2015

@kkaefer Thanks for the clarification.

I ran the Mac binary under valgrind. I have copy pasted the valgrind log here. It does show a few unrelated invalid read/writes. (My valgrind run did not reproduce the crash).

https://gist.githubusercontent.com/mb12/360d285425e61fd19c2d/raw/gistfile1.txt

@kkaefer
Copy link
Contributor

kkaefer commented Feb 11, 2015

Stopgap for this is in c452b21 and 01cb018.

@kkaefer
Copy link
Contributor

kkaefer commented Feb 13, 2015

Another fix in 018759450955ab36dfa25f5b11ef77eb0f21bc0f

@incanus incanus added this to the iOS Beta milestone Feb 13, 2015
@kkaefer
Copy link
Contributor

kkaefer commented Mar 4, 2015

This is incorporated into #879

@kkaefer kkaefer closed this as completed Mar 4, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

6 participants