Will CPU out-of-order execution cause a SIGILL crash if there is some data after an instruction? - hook

I have an Android app which inline-hooks the read function in libc.so.
Before the hook, the read function looks like:
.text:000000000006B1A0 MOV X8, #0x3F ; '?'
.text:000000000006B1A4 SVC 0
.text:000000000006B1A8 CMN X0, #1,LSL#12
.text:000000000006B1AC CINV X0, X0, HI
.text:000000000006B1B0 B.HI __set_errno_internal
.text:000000000006B1B4 RET
After read is hooked, the assembly code looks like this:
0x7f800d2714: ldr x17, #0x7f800d271c
0x7f800d2718: br x17
0x7f800d271c: some data
0x7f800d2720: some data
The inline hook works fine most of the time.
But sometimes it causes a SIGILL crash on some particular devices; the crash information looks like:
03-02 20:04:19.041 668-668/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-02 20:04:19.041 668-668/? A/DEBUG: Build fingerprint: 'Xiaomi/rolex/rolex:6.0.1/MMB29M/V10.2.2.0.MCCCNXM:user/release-keys'
03-02 20:04:19.041 668-668/? A/DEBUG: Revision: '0'
03-02 20:04:19.041 668-668/? A/DEBUG: ABI: 'arm64'
03-02 20:04:19.042 668-668/? A/DEBUG: pid: 31673, tid: 31686, name: FileObserver >>> com.nd.pptshell <<<
03-02 20:04:19.042 668-668/? A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x7f800d271c
03-02 20:04:19.060 668-668/? A/DEBUG: x0 0000000000000090 x1 0000007f7bb11e18 x2 0000000000000200 x3 0000000000570000
03-02 20:04:19.060 668-668/? A/DEBUG: x4 0000000000430000 x5 0000000000000000 x6 0000007f7cd93000 x7 0000007f7cd959c8
03-02 20:04:19.060 668-668/? A/DEBUG: x8 000000000000003f x9 000000559d4e6068 x10 0000000000000002 x11 0000007f7c87c8d0
03-02 20:04:19.060 668-668/? A/DEBUG: x12 0000000000000003 x13 0000000000000000 x14 0000007f7c87c9c0 x15 0000000000000000
03-02 20:04:19.060 668-668/? A/DEBUG: x16 0000007f803ddf40 x17 0000007f800d2714 x18 000000559d4e5ec0 x19 000000559d4defe0
03-02 20:04:19.061 668-668/? A/DEBUG: x20 0000007f803601cc x21 000000559d4e5ec0 x22 000000007012e6f0 x23 0000007f7bb12208
03-02 20:04:19.061 668-668/? A/DEBUG: x24 0000007f7bb122b8 x25 0000007f7bb11e18 x26 0000007f803ef000 x27 0000007f7bb12034
03-02 20:04:19.061 668-668/? A/DEBUG: x28 000000000000000e x29 0000007f7bb11da0 x30 0000007f8036022c
03-02 20:04:19.061 668-668/? A/DEBUG: sp 0000007f7bb11da0 pc 0000007f800d271c pstate 0000000020000000
03-02 20:04:19.063 668-668/? A/DEBUG: backtrace:
03-02 20:04:19.063 668-668/? A/DEBUG: #00 pc 000000000000071c /system/lib64/libc.so (offset 0x6a000)
03-02 20:04:19.063 668-668/? A/DEBUG: #01 pc 0000000000128228 /system/lib64/libandroid_runtime.so
03-02 20:04:19.063 668-668/? A/DEBUG: #02 pc 00000000727a4724 /data/dalvik-cache/arm64/system@framework@boot.oat (offset 0x2566000)
03-02 20:04:19.576 1383-31787/? W/ActivityManager: Force finishing activity com.nd.pptshell/.newui.HomeTabContainerActivity
03-02 20:04:19.576 668-668/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_02
03-02 20:04:19.576 668-668/? E/DEBUG: AM write failed: Broken pipe
I'm sure that the hooked read function had been executed many times before this crash, because I print some debug information and can see it in logcat.
From the crash information we can see that the pc jumped from libandroid_runtime.so through the GOT table, which uses x17 as the temporary register; its value, 0x7f800d2714, corresponds to the start address of the read function.
The relevant code in libandroid_runtime.so looks like:
.text:000000000012821C loc_12821C ; fd
.text:000000000012821C MOV W0, W28
.text:0000000000128220 MOV X1, X25 ; buf
.text:0000000000128224 MOV X2, #0x200 ; nbytes
.text:0000000000128228 BL .read
.text:000000000012822C CMP W0, #0xF
.text:0000000000128230 MOV W22, W0
.text:0000000000128234 B.GT loc_128298
and the read entry:
.plt:0000000000086DC0 ; ssize_t read(int fd, void *buf, size_t nbytes)
.plt:0000000000086DC0 .read
.plt:0000000000086DC0 ADRP X16, #read_ptr@PAGE
.plt:0000000000086DC4 LDR X17, [X16,#read_ptr@PAGEOFF]
.plt:0000000000086DC8 ADD X16, X16, #read_ptr@PAGEOFF
.plt:0000000000086DCC BR X17
So if the instruction at 0x7f800d2714 was executed, the X17 register must have been modified to another value.
Is it possible that CPU out-of-order execution fetches the data at 0x7f800d271c before the ldr x17, #0x7f800d271c?
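
A triage sketch for the tombstone above, added here as an example and not part of the original post: it checks whether the faulting pc lands on a data word of the 16-byte patch, and whether x8 and x17 still hold what the original MOV X8, #0x3F / SVC 0 sequence and the PLT stub leave behind. All function and variable names are assumptions; the addresses and register values are the ones quoted in the post.

```python
import re

# Values taken from the post above.
HOOK_ENTRY = 0x7F800D2714        # start address of read() in the crashing process
SYS_READ = 0x3F                  # immediate the original first instruction puts in X8

# 16-byte patch from the post: two instructions followed by an 8-byte literal.
PATCH = {0x0: "insn", 0x4: "insn", 0x8: "data", 0xC: "data"}
# The four original instructions that those 16 bytes replaced.
ORIGINAL = {0x0: "MOV X8, #0x3F", 0x4: "SVC 0",
            0x8: "CMN X0, #1,LSL#12", 0xC: "CINV X0, X0, HI"}

# Register lines copied from the tombstone in the post (logcat prefix trimmed).
TOMBSTONE = """\
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x7f800d271c
x0 0000000000000090 x1 0000007f7bb11e18 x2 0000000000000200 x3 0000000000570000
x8 000000000000003f x9 000000559d4e6068 x10 0000000000000002 x11 0000007f7c87c8d0
x16 0000007f803ddf40 x17 0000007f800d2714 x18 000000559d4e5ec0 x19 000000559d4defe0
x28 000000000000000e x29 0000007f7bb11da0 x30 0000007f8036022c
sp 0000007f7bb11da0 pc 0000007f800d271c pstate 0000000020000000
"""

REG_RE = re.compile(r"\b(x\d{1,2}|sp|pc|pstate)\s+([0-9a-f]{16})\b")


def parse_registers(text):
    """Return {register name: value} for every 'name hexvalue' pair in text."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def triage(regs, entry=HOOK_ENTRY):
    """Compare the crash registers with the patch layout and the original code."""
    off = regs["pc"] - entry
    findings = {
        "pc_offset": off,
        # The CPU tried to decode one of the literal words as an instruction.
        "pc_on_patch_data": PATCH.get(off) == "data",
        # Before patching, this address held the instruction after SVC 0,
        # which is where a thread sitting in the syscall resumes.
        "pc_is_svc_return": ORIGINAL.get(off - 4) == "SVC 0",
        # X8 holds the value loaded by the original first instruction.
        "x8_from_original_code": regs["x8"] == SYS_READ,
        # The PLT stub leaves the callee address in X17. The patch's own ldr
        # would replace it with the literal (assumed to differ from entry).
        "x17_untouched_by_patch": regs["x17"] == entry,
    }
    checks = ("pc_on_patch_data", "pc_is_svc_return",
              "x8_from_original_code", "x17_untouched_by_patch")
    # All four together are consistent with a thread that entered the original
    # read() before the bytes were overwritten and resumed afterwards.
    findings["consistent_with_entry_before_patch"] = all(findings[k] for k in checks)
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_registers(TOMBSTONE)).items():
        print(f"{key:36} {value}")
```

When every check holds, the register state matches a thread that was already inside the original function when the 16 bytes were written, so the time at which the patch is installed relative to other threads is the first thing to examine.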

Related

ath9k stacks data in ocb mode

I have a WPEA-121N card connected to a Nitrogen SOM v2 with an NXP i.MX 6 dual.
To handle the WPEA-121N I'm using the ath9k driver.
Linux version used: 18.04.3 and kernel version: 4.14
I need to receive data from the wireless interface in OCB mode. The message is sent every 300ms.
In my program I use the read function:
read(mSocket, mPacket, sizeof(mPacket));
from <unistd.h>.
However, my program doesn't receive any message for 2 seconds and then 7 messages come at once (almost with the same timestamp).
When I run Wireshark on the wireless interface I also see messages coming in those packets (7 messages every 2 seconds).
When I run strace on the SOM v2 I receive one sendmsg message (ID - 54) and 4 recvmsg messages (2 with ID 54 and two with ID - 53) and multiple gettimeofday messages.
This makes me think that the problem must be with the ath9k driver. I tried to debug it but could not understand the receive flow.
I also tried to run this program on Ubuntu on x86 architecture and it receives messages with a proper frequency.
UPDATE:
Block diagram of i.MX 6
When I run: sudo lspci -vv
I get in PCI bridge:
DevCtl: Report errors: Correctable+ Non-Fatal+ Fatal+ Unsupported+
RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop-
MaxPayload 128 bytes, MaxReadReq 512 bytes
full result:
ubuntu@bionic-xfce:~$ sudo lspci -vv
00:00.0 PCI bridge: Synopsys, Inc. Device abcd (rev 01) (prog-if 00 [Normal decode])
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr+ Stepping- SERR+ FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupt: pin A routed to IRQ 309
Region 0: Memory at 01000000 (32-bit, non-prefetchable) [size=1M]
Bus: primary=00, secondary=01, subordinate=ff, sec-latency=0
Memory behind bridge: 01100000-011fffff
Prefetchable memory behind bridge: 01200000-012fffff
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- <SERR- <PERR-
[virtual] Expansion ROM at 01300000 [disabled] [size=64K]
BridgeCtl: Parity+ SERR- NoISA- VGA- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: [40] Power Management version 3
Flags: PMEClk- DSI- D1+ D2- AuxCurrent=375mA PME(D0+,D1+,D2-,D3hot+,D3cold+)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [50] MSI: Enable+ Count=1/1 Maskable+ 64bit+
Address: 0000000062040000 Data: 0000
Masking: 00000000 Pending: 00000000
Capabilities: [70] Express (v2) Root Port (Slot-), MSI 00
DevCap: MaxPayload 128 bytes, PhantFunc 0
ExtTag- RBE+
DevCtl: Report errors: Correctable+ Non-Fatal+ Fatal+ Unsupported+
RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop-
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr+ UncorrErr- FatalErr- UnsuppReq- AuxPwr+ TransPend-
LnkCap: Port #0, Speed 5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <1us, L1 unlimited
ClockPM- Surprise- LLActRep+ BwNot- ASPMOptComp-
LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive+ BWMgmt- ABWMgmt-
RootCtl: ErrCorrectable- ErrNon-Fatal- ErrFatal- PMEIntEna+ CRSVisible-
RootCap: CRSVisible-
RootSta: PME ReqID 0000, PMEStatus- PMEPending-
DevCap2: Completion Timeout: Range ABCD, TimeoutDis+, LTR-, OBFF Not Supported ARIFwd-
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled ARIFwd-
LnkCtl2: Target Link Speed: 5GT/s, EnterCompliance- SpeedDis-
Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
Compliance De-emphasis: -6dB
LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete-, EqualizationPhase1-
EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
Capabilities: [100 v1] Advanced Error Reporting
UESta: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UEMsk: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
CESta: RxErr+ BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr-
CEMsk: RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
AERCap: First Error Pointer: 00, GenCap+ CGenEn- ChkCap+ ChkEn-
Capabilities: [140 v1] Virtual Channel
Caps: LPEVC=0 RefClk=100ns PATEntryBits=1
Arb: Fixed- WRR32- WRR64- WRR128-
Ctrl: ArbSelect=Fixed
Status: InProgress-
VC0: Caps: PATOffset=00 MaxTimeSlots=1 RejSnoopTrans-
Arb: Fixed- WRR32- WRR64- WRR128- TWRR128- WRR256-
Ctrl: Enable+ ID=0 ArbSelect=Fixed TC/VC=ff
Status: NegoPending- InProgress-
Kernel driver in use: pcieport
01:00.0 Network controller: Qualcomm Atheros AR93xx Wireless Network Adapter (rev 01)
Subsystem: Qualcomm Atheros AR93xx Wireless Network Adapter
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr+ Stepping- SERR+ FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx+
Latency: 0, Cache Line Size: 64 bytes
Interrupt: pin A routed to IRQ 341
Region 0: Memory at 01100000 (64-bit, non-prefetchable) [size=128K]
[virtual] Expansion ROM at 01200000 [disabled] [size=64K]
Capabilities: [40] Power Management version 3
Flags: PMEClk- DSI- D1+ D2- AuxCurrent=375mA PME(D0+,D1+,D2-,D3hot+,D3cold-)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [50] MSI: Enable- Count=1/4 Maskable+ 64bit+
Address: 0000000000000000 Data: 0000
Masking: 00000000 Pending: 00000000
Capabilities: [70] Express (v2) Endpoint, MSI 00
DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s unlimited, L1 <64us
ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 0.000W
DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop-
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr+ UncorrErr- FatalErr- UnsuppReq- AuxPwr- TransPend-
LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <4us, L1 <64us
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp-
LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
DevCap2: Completion Timeout: Not Supported, TimeoutDis+, LTR-, OBFF Not Supported
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled
LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance- SpeedDis-
Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
Compliance De-emphasis: -6dB
LnkSta2: Current De-emphasis Level: -6dB, EqualizationComplete-, EqualizationPhase1-
EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
Capabilities: [100 v1] Advanced Error Reporting
UESta: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UEMsk: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
CESta: RxErr+ BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr-
CEMsk: RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
AERCap: First Error Pointer: 00, GenCap- CGenEn- ChkCap- ChkEn-
Capabilities: [140 v1] Virtual Channel
Caps: LPEVC=0 RefClk=100ns PATEntryBits=1
Arb: Fixed- WRR32- WRR64- WRR128-
Ctrl: ArbSelect=Fixed
Status: InProgress-
VC0: Caps: PATOffset=00 MaxTimeSlots=1 RejSnoopTrans-
Arb: Fixed- WRR32- WRR64- WRR128- TWRR128- WRR256-
Ctrl: Enable+ ID=0 ArbSelect=Fixed TC/VC=ff
Status: NegoPending- InProgress-
Capabilities: [300 v1] Device Serial Number 00-00-00-00-00-00-00-00
Kernel driver in use: ath9k
Kernel modules: ath9k
Do you know what it means?
WPEA-121N card: http://www.sparklan.com/p2-products-detail.php?PKey=25c0Ma0Cj9d7HopM4rLAPTAIGkPKeW3bIVVxmd7DnA&WPEA-121N
NitrogenSOMv2: https://boundarydevices.com/product/nitrogen6-som-v2/

How do I fix 'TypeError: cannot unpack non-iterable numpy.float64 object' error in Python

9 break
10 else:
---> 11 result = pipeline(frame)
12 cv2.imshow("Frame", result)
13 key = cv2.waitKey(1) & 0xFF
<ipython-input-2-d9c587a1d603> in pipeline(image)
90 ### Draw lines and return final image
91 line_img = np.copy((image)*0)
---> 92 draw_lines(line_img, lines, thickness=10)
93
94 line_img = region_of_interest(line_img, v)
<ipython-input-2-d9c587a1d603> in draw_lines(image, lines, color, thickness)
26 def draw_lines(image, lines, color=[255, 0, 0], thickness=4):
27 for line in lines:
---> 28 for x1, y1, x2, y2 in line:
29 cv2.line(image, (x1, y1), (x2, y2), color, thickness)
30
TypeError: cannot unpack non-iterable numpy.float64 object
I want to get the coordinates of the beginning and end of the lane from the lane list; those coordinates are named x1, y1, x2, y2. Also, when I printed the line, it contained 8 float numbers.
x1, y1, x2, y2 = line
Unpack the line list into variables. What happens under the hood is
(x1, y1, x2, y2) = (0, 0, 5, 5)
And hence
x1 = 0
y1 = 0 and so on...
Remove the for x1, y1, x2, y2 in line loop.

qemu-arm qemu: uncaught target signal 11 (Segmentation fault) - core dumped

When I ran
qemu-arm -L /usr/arm-linux-gnueabi/ ./foo in Docker (Linux 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux) on macOS 10.13,
I got this error:
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
The qemu-arm version info is:
# qemu-arm --version
qemu-arm version 2.5.1, Copyright (c) 2003-2008 Fabrice Bellard
The foo binary info is:
ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=86eb0b9c5fb202aad4f915699afc36e7bd209743, not stripped
Then I used gdb to debug qemu-arm and got these details:
gdb-peda$ r -L /usr/arm-linux-gnueabi/lib ./foo
Starting program: /qira/tracers/qemu/qemu-2.5.1/arm-linux-user/qemu-arm -L /usr/arm-linux-gnueabi/lib ./foo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff65ab700 (LWP 1980)]
Thread 1 "qemu-arm" received signal SIGSEGV, Segmentation fault.
...
Stopped reason: SIGSEGV
__GI__IO_fwrite (buf=0x7ffff45c6720, size=size@entry=0x1, count=count@entry=0x8e0, fp=fp@entry=0x0) at iofwrite.c:37
37 iofwrite.c: No such file or directory.
gdb-peda$ bt
#0 __GI__IO_fwrite (buf=0x7ffff45c6720, size=size@entry=0x1, count=count@entry=0x8e0, fp=fp@entry=0x0) at iofwrite.c:37
#1 0x0000000000418470 in write_out_base (env=env@entry=0x2e128a0, id=0x0) at /qira/tracers/qemu/qemu-latest/tci.c:895
#2 0x0000000000419fb5 in tcg_qemu_tb_exec (env=env@entry=0x2e128a0, tb_ptr=0x7985f0 <static_code_gen_buffer> "\f\b") at /qira/tracers/qemu/qemu-latest/tci.c:947
#3 0x000000000040ccec in cpu_tb_exec (tb_ptr=<optimized out>, cpu=0x2e0a630) at /qira/tracers/qemu/qemu-latest/cpu-exec.c:157
#4 cpu_arm_exec (cpu=cpu@entry=0x2e0a630) at /qira/tracers/qemu/qemu-latest/cpu-exec.c:520
#5 0x000000000042e6e4 in cpu_loop (env=env@entry=0x2e128a0) at /qira/tracers/qemu/qemu-latest/linux-user/main.c:676
#6 0x0000000000409d63 in main (argc=argc@entry=0x4, argv=argv@entry=0x7fffffffe588, envp=<optimized out>) at /qira/tracers/qemu/qemu-latest/linux-user/main.c:4695
#7 0x00007ffff683c830 in __libc_start_main (main=0x409710 <main>, argc=0x4, argv=0x7fffffffe588, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe578)
at ../csu/libc-start.c:291
#8 0x000000000040a2e9 in _start ()
I googled a lot about this error but found nothing helpful. I still can't run it correctly.
PS: On my colleague's Ubuntu VM, ./foo runs normally using qemu-arm with the same version, so I'm not sure whether this segfault is caused by the Docker environment. If not, how can I run ./foo correctly in my Docker container? Thanks!
===========
Update more info:
# qemu-arm -strace -L /usr/arm-linux-gnueabi/ ./foo
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
# strace qemu-arm -L /usr/arm-linux-gnueabi/ ./foo
...(lots of logs)
rt_sigaction(SIGRT_25, {0x44aa80, ~[RTMIN RT_1], SA_RESTORER|SA_SIGINFO, 0x7f0f3f13d390}, NULL, 8) = 0
rt_sigaction(SIGRT_26, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGRT_26, {0x44aa80, ~[RTMIN RT_1], SA_RESTORER|SA_SIGINFO, 0x7f0f3f13d390}, NULL, 8) = 0
rt_sigaction(SIGRT_27, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGRT_27, {0x44aa80, ~[RTMIN RT_1], SA_RESTORER|SA_SIGINFO, 0x7f0f3f13d390}, NULL, 8) = 0
rt_sigaction(SIGRT_28, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGRT_28, {0x44aa80, ~[RTMIN RT_1], SA_RESTORER|SA_SIGINFO, 0x7f0f3f13d390}, NULL, 8) = 0
rt_sigaction(SIGRT_29, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGRT_29, {0x44aa80, ~[RTMIN RT_1], SA_RESTORER|SA_SIGINFO, 0x7f0f3f13d390}, NULL, 8) = 0
rt_sigaction(SIGRT_30, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGRT_30, {0x44aa80, ~[RTMIN RT_1], SA_RESTORER|SA_SIGINFO, 0x7f0f3f13d390}, NULL, 8) = 0
rt_sigaction(SIGRT_31, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGRT_31, {0x44aa80, ~[RTMIN RT_1], SA_RESTORER|SA_SIGINFO, 0x7f0f3f13d390}, NULL, 8) = 0
stat("/tmp/qira_logs/0", 0x7ffde8aed530) = -1 ENOENT (No such file or directory)
open("/tmp/qira_logs/0_env", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
getrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=RLIM64_INFINITY}) = 0
getrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=RLIM64_INFINITY}) = 0
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=RLIM64_INFINITY}) = 0
futex(0x7f0f3f128880, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "qemu: uncaught target signal 11 "..., 67qemu: uncaught target signal 11 (Segmentation fault) - core dumped
) = 67
rt_sigaction(SIGSEGV, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f0f3f13d390}, NULL, 8) = 0
kill(2035, SIGSEGV) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_USER, si_pid=2035, si_uid=0} ---
+++ killed by SIGSEGV +++
Segmentation fault
The whole log file is at strace-log.
I confirm that this problem is solved in qemu-user-static version 5.0-14.
I don't know why but it looks like this build of qemu-arm has been built with the tcg interpreter which has at times had a number of bugs in it. I would try with the current master and ideally don't enable the TCG interpreter if you don't need it.

Segmentation violation detected in Matlab2016a on Ubuntu15.10

I get this error when starting Matlab2016a on Ubuntu 15.10 64bit. How can I fix it?
MATLAB crash file:/home/jalal/matlab_crash_dump.8510-1:
------------------------------------------------------------------------
Segmentation violation detected at Wed Aug 31 20:50:17 2016
------------------------------------------------------------------------
Configuration:
Crash Decoding : Disabled
Crash Mode : continue (default)
Current Graphics Driver: Unknown hardware
Current Visual : 0x21 (class 4, depth 24)
Default Encoding : UTF-8
GNU C Library : 2.21 stable
Host Name : klein
MATLAB Architecture : glnxa64
MATLAB Root : /usr/local/MATLAB/R2016a
MATLAB Version : 9.0.0.341360 (R2016a)
OpenGL : hardware
Operating System : Linux 4.2.0-42-generic #49-Ubuntu SMP Tue Jun 28 21:26:26 UTC 2016 x86_64
Processor ID : x86 Family 6 Model 63 Stepping 2, GenuineIntel
Virtual Machine : Java 1.7.0_60-b19 with Oracle Corporation Java HotSpot(TM) 64-Bit Server VM mixed mode
Window System : The X.Org Foundation (11702000), display :0
Fault Count: 1
Abnormal termination:
Segmentation violation
Register State (from fault):
RAX = 0000000000000000 RBX = 00007f7a44573808
RCX = 0000000000000000 RDX = 0000000000000003
RSP = 00007f7b3bdf3cd0 RBP = 00007f7b3bdf3df0
RSI = 0000000000000000 RDI = 00007f7a4456f9e8
R8 = 0000000000000018 R9 = 0000000000000000
R10 = 00007f7a4456f000 R11 = 00007f7a44574450
R12 = 00007f7a4478ff80 R13 = 0000000000000006
R14 = 00007f7a44570cc0 R15 = 00007f7aa82b4a60
RIP = 00007f7b5ce778ca EFL = 0000000000010206
CS = 0033 FS = 0000 GS = 0000
Stack Trace (from fault):
[ 0] 0x00007f7b5ce778ca /lib64/ld-linux-x86-64.so.2+00051402
[ 1] 0x00007f7b5ce804c1 /lib64/ld-linux-x86-64.so.2+00087233
[ 2] 0x00007f7b5ce7b474 /lib64/ld-linux-x86-64.so.2+00066676
[ 3] 0x00007f7b5ce7f9b3 /lib64/ld-linux-x86-64.so.2+00084403
[ 4] 0x00007f7b5a528fc9 /lib/x86_64-linux-gnu/libdl.so.2+00004041
[ 5] 0x00007f7b5ce7b474 /lib64/ld-linux-x86-64.so.2+00066676
[ 6] 0x00007f7b5a52962d /lib/x86_64-linux-gnu/libdl.so.2+00005677
[ 7] 0x00007f7b5a529061 /lib/x86_64-linux-gnu/libdl.so.2+00004193 dlopen+00000049
[ 8] 0x00007f7b56d740b6 /usr/local/MATLAB/R2016a/bin/glnxa64/libut.so+00315574
[ 9] 0x00007f7b56d74c76 /usr/local/MATLAB/R2016a/bin/glnxa64/libut.so+00318582 _Z11utGetModuleRKSbIDsSt11char_traitsIDsESaIDsEEPi+00000022
[ 10] 0x00007f7b56d74d6b /usr/local/MATLAB/R2016a/bin/glnxa64/libut.so+00318827 utGetModule+00000171
[ 11] 0x00007f7b4a1f9d45 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_dispatcher.so+00482629
[ 12] 0x00007f7b4a1eceaf /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_dispatcher.so+00429743 _ZN13Mlm_MATLAB_fn8try_loadEv+00000031
[ 13] 0x00007f7b4a1e3e95 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_dispatcher.so+00392853 _ZN13Mlm_MATLAB_fn4loadEv+00000037
[ 14] 0x00007f7b4a1e15e9 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_dispatcher.so+00382441 _ZN13Mfh_MATLAB_fn11dispatch_fhEiPP11mxArray_tagiS2_+00000057
[ 15] 0x00007f7b472261c9 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+09232841
[ 16] 0x00007f7b47352dbf /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+10464703
[ 17] 0x00007f7b47348a5a /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+10422874
[ 18] 0x00007f7b47311911 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+10197265
[ 19] 0x00007f7b46ddfb2a /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+04750122
[ 20] 0x00007f7b46de0a4c /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+04753996
[ 21] 0x00007f7b46ddeebc /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+04746940
[ 22] 0x00007f7b46ddc9ea /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+04737514
[ 23] 0x00007f7b46ddcdb1 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+04738481
[ 24] 0x00007f7b46ddea63 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+04745827
[ 25] 0x00007f7b46ddebe9 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+04746217
[ 26] 0x00007f7b46e8f16f /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+05468527
[ 27] 0x00007f7b46e9222a /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+05481002
[ 28] 0x00007f7b47134543 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+08242499
[ 29] 0x00007f7b470fd07e /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+08015998
[ 30] 0x00007f7b47101058 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+08032344
[ 31] 0x00007f7b47101107 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+08032519
[ 32] 0x00007f7b4717732c /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+08516396
[ 33] 0x00007f7b4717770c /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_lxe.so+08517388
[ 34] 0x00007f7b49bfad7d /usr/local/MATLAB/R2016a/bin/glnxa64/libmwm_interpreter.so+03165565 _Z51inEvalCmdWithLocalReturnInDesiredWSAndPublishEventsRKSbIDsSt11char_traitsIDsESaIDsEEPibbP15inWorkSpace_tag+00000077
[ 35] 0x00007f7b4a8739e1 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00825825 _ZNK3iqm18InternalEvalPlugin24inEvalCmdWithLocalReturnERKSbIDsSt11char_traitsIDsESaIDsEEP15inWorkSpace_tag+00000081
[ 36] 0x00007f7b4a873b58 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00826200 _ZN3iqm18InternalEvalPlugin7executeEP15inWorkSpace_tagRN5boost10shared_ptrIN14cmddistributor17IIPCompletedEventEEE+00000120
[ 37] 0x00007f7afe767ee4 /usr/local/MATLAB/R2016a/bin/glnxa64/libnativejmi.so+00974564 _ZN9nativejmi21JmiInternalEvalPlugin7executeEP15inWorkSpace_tagRN5boost10shared_ptrIN14cmddistributor17IIPCompletedEventEEE+00000340
[ 38] 0x00007f7afe78dedd /usr/local/MATLAB/R2016a/bin/glnxa64/libnativejmi.so+01130205 _ZN3mcr3mvm27McrSwappingIqmPluginAdapterIN9nativejmi21JmiInternalEvalPluginEE7executeEP15inWorkSpace_tagRN5boost10shared_ptrIN14cmddistributor17IIPCompletedEventEEE+00000429
[ 39] 0x00007f7b4a866f98 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00774040
[ 40] 0x00007f7b4a850c87 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00683143
[ 41] 0x00007f7b496c87a9 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwbridge.so+00173993
[ 42] 0x00007f7b496c8c44 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwbridge.so+00175172
[ 43] 0x00007f7b496cf1a5 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwbridge.so+00201125
[ 44] 0x00007f7b496cf2ac /usr/local/MATLAB/R2016a/bin/glnxa64/libmwbridge.so+00201388
[ 45] 0x00007f7b496cf97b /usr/local/MATLAB/R2016a/bin/glnxa64/libmwbridge.so+00203131 _Z8mnParserv+00000715
[ 46] 0x00007f7b4a523c13 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00695315
[ 47] 0x00007f7b5c80d81c /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmvm.so+02410524 _ZNK5boost9function0IvEclEv+00000028
[ 48] 0x00007f7b4a525925 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00702757
[ 49] 0x00007f7b4a526839 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00706617 _ZN5boost6detail17task_shared_stateINS_3_bi6bind_tIvPFvRKNS_8functionIFvvEEEENS2_5list1INS2_5valueIS6_EEEEEEvE6do_runEv+00000025
[ 50] 0x00007f7b572ee8a0 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwms.so+03168416 _ZN5boost6detail22task_base_shared_stateIvE3runEv+00000064
[ 51] 0x00007f7b4a527717 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00710423
[ 52] 0x00007f7b4a52375a /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00694106
[ 53] 0x00007f7b4a896c06 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00969734
[ 54] 0x00007f7b4a884b4c /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00895820 _ZN5boost6detail8function21function_obj_invoker0ISt8functionIFNS_3anyEvEES4_E6invokeERNS1_15function_bufferE+00000028
[ 55] 0x00007f7b4a88521f /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00897567 _ZNK5boost9function0INS_3anyEEclEv+00000031
[ 56] 0x00007f7b4a884993 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00895379 _ZN3iqm18PackagedTaskPlugin7executeEP15inWorkSpace_tagRN5boost10shared_ptrIN14cmddistributor17IIPCompletedEventEEE+00000163
[ 57] 0x00007f7b4a53871d /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00780061
[ 58] 0x00007f7b4a866f98 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00774040
[ 59] 0x00007f7b4a8515af /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00685487
[ 60] 0x00007f7b4a84e7e3 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwiqm.so+00673763
[ 61] 0x00007f7b5c1caa3a /usr/local/MATLAB/R2016a/bin/glnxa64/libmwservices.so+03443258
[ 62] 0x00007f7b5c1c98a7 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwservices.so+03438759
[ 63] 0x00007f7b5c1ca10c /usr/local/MATLAB/R2016a/bin/glnxa64/libmwservices.so+03440908 _Z25svWS_ProcessPendingEventsiib+00000092
[ 64] 0x00007f7b4a523ed2 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00696018
[ 65] 0x00007f7b4a524211 /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00696849
[ 66] 0x00007f7b4a510cfd /usr/local/MATLAB/R2016a/bin/glnxa64/libmwmcr.so+00617725
[ 67] 0x00007f7b5acff6aa /lib/x86_64-linux-gnu/libpthread.so.0+00030378
[ 68] 0x00007f7b5aa3513d /lib/x86_64-linux-gnu/libc.so.6+01077565 clone+00000109
[ 69] 0x0000000000000000 <unknown-module>+00000000
If this problem is reproducible, please submit a Service Request via:
http://www.mathworks.com/support/contact_us/
A technical support engineer might contact you with further information.
Thank you for your help.
Solved the problem this way using the instructions in MathWorks bug reports:
jalal@klein:~$ cd /usr/local/MATLAB/R2016a/
jalal@klein:/usr/local/MATLAB/R2016a$ cd sys/os/glnxa64/
jalal@klein:/usr/local/MATLAB/R2016a/sys/os/glnxa64$ sudo mv libstdc++.so.6 libstdc++.so.6.old
[sudo] password for jalal:
jalal@klein:/usr/local/MATLAB/R2016a/sys/os/glnxa64$ matlab
After installing matlab-support
I have to run sudo matlab -nodisplay

Survcomp package, y z variables

I am running the survcomp package and wonder about the y and z values. I have multiple clinical data:
> colnames(ClinicalDataHep)
[1] "follow_upTime"
[2] "RecurrenceTime"
[3] "Age"
[4] "OS"
[5] "Survival_dead0_alive1"
[6] "Tumour_size"
[7] "HVB_preop"
[8] "HCV_preop"
[9] "HBD_preop"
[10] "Cirrhosis_preop"
[11] "Status:_no_recurrence-0._recurrence-1_"
[12] "Surgery:_resection-1._tx-2;_rfa-3;_resection+rfa-4;tx+rfa-5"
[13] "new_time"
[14] "new_death"
[15] "death_event"
Is it correct to use Overall Survival as the y-variable and dead/alive as the z variable?
cindexall.Hep.serum <- as.data.frame(t(apply(X=matrix_cpm, MARGIN=1, function(x, y, z) {
tt <- concordance.index(x=x, surv.time=y, surv.event=z, method="noether", na.rm=TRUE);
return(c("cindex"=tt$c.index, "cindex.se"=tt$se, "lower"=tt$lower, "upper"=tt$upper,"p.value"=tt$p.value)); },
y=ClinicalData$OS, z=ClinicalData$Survival_dead0_alive1)))
