[Bug]: segfault from some snprintf in generate_text_internal

[LinuxOnTheDesktop]

What happened?

Conky crashed. I am unsure what I was doing; I might have been editing a Cinnamon panel. I had another crash some days ago and I am afraid I am unsure what I was doing then. I do though have a stack trace for the most recent crash - see below. I found that trace within the system log.

My system

OS: Linux Mint wilma 22 x86_64
Host: Laptop 13 (AMD Ryzen 7040Series) (A5)
Display (NE135A1M-NY1): 2880x1920 @ 120 Hz in 13″
DE: Cinnamon 6.2.9
WM: Muffin (X11)
WM Theme: Mint-Y-Dark-Aqua (Mint-Y)
Theme: gtk2 [Qt], Mint-L-Dark-Teal [GTK2/3/4]
Icons: Paper [Qt], Paper [GTK2/3/4]
Font: qt5ct [Qt], Noto Sans (11pt) [GTK2/3/4]
Cursor: DMZ-Black (38px)
Terminal: GNOME Terminal 3.52.0
Terminal Font: Liberation Mono (14pt)
CPU: AMD Ryzen 5 7640U w/ Radeon 760M Graphics (1z GPU: AMD Phoenix1 [Integrated]
Memory: 5.46 GiB / 14.93 GiB (37%)
Swap: 1.50 MiB / 46.57 GiB (0%)
Disk (/): 11.53 GiB / 147.39 GiB (8%) - ext4
Disk (/home): 33.24 GiB / 384.42 GiB (9%) - ext4
Disk (/timeshift): 41.67 GiB / 293.11 GiB (14%) -4
Local IP (wlp1s0): 192.168.1.142/24
Battery (FRANGWA): 100% [AC Connected]
Locale: en_GB.UTF-8

Version

1.27.1.pre

Which OS/distro are you seeing the problem on?

Linux (other)

Conky config

home = os.getenv("HOME")
dofile(home .. "/<redacted>/Conky/config/config_F13.lua")
conky.config = configuration

-- Conky objects: http://conky.sourceforge.net/variables.html
-- Cannot without fuckery remove border from bars (as against from graphs).

-- To monitor cpu usage: top -p "$(pgrep conky)"

conky.text = [[
${offset 10}\
# -----------------------
# CPU usage and frequency
# -----------------------
# CPU
${color4}\
cpu\
# CPU usage
${offset 12}\
${color1}\
${cpubar cpu0 8,25}\
# Frequency
${offset 12}\
${color #6A7A6A}\
${freq_g}\
${offset 2}GHz\
#
# -----------------------------------------------------------------
# TEMPERATURE
# CPU (the mean of all cores).
# Seems to be no other useful sensor (only wifi & individual cores).
# Use monospace font.
# ------------------------------------------------------------------
#
# CPU TEMP
${offset 18}\
${lua_parse ryzenCpuTemp}°\
${color}\
# ------
# DRIVES
# ------
#
${goto 230}\
# ROOT
${color4}\
/\
${offset 12}\
${if_match ${fs_used_perc /} > 80}\
${color3}\
${else}\
${if_match ${fs_used_perc /} > 75}\
${color2}\
${else}\
${if_match ${fs_used_perc /} > 65}\
${color6}\
${else}\
${color1}\
${endif}\
${endif}\
${endif}\
${fs_used_perc /}%\
# HOME
${goto 310}\
${color4}\
~\
${offset 8}\
${if_match ${fs_used_perc /home} > 90}\
${color3}\
${else}\
${if_match ${fs_used_perc /home} > 85}\
${color2}\
${else}\
${if_match ${fs_used_perc /home} > 69}\
${color6}\
${else}\
${color1}\
${endif}\
${endif}\
${endif}\
${fs_used_perc /home}%\
# RAM
${goto 380}\
${color4}\
r\
${offset 8}\
${if_match ${memperc} > 90}\
${color3}\
${else}\
${if_match ${memperc} > 65}\
${color2}\
${else}\
${color1}\
${endif}\
${endif}\
${memperc}%\
${font}\
# SWAP
${goto 460}\
${color4}\
s\
${offset 8}\
${if_match ${swapperc} > 80}\
${color3}\
${else}${if_match ${swapperc} > 64}\
${color2}\
${else}${if_match ${swapperc} > 50}\
${color6}\
${else}\
${color1}\
${endif}${endif}${endif}\
${swapperc /swap}%\
${font}\
# --------
# NETWORK
# --------
${goto 540}\
${if_up enp0s31f6}\
# --------
# Ethernet
# --------
${lua_parse netIsUp}\
${color1}Ethernet${offset 12}${color7}${downspeedgraph enp0s31f6 12,18 93CC98 B6F51F 9765KiB -t}\
${offset 4}${upspeedgraph enp0s31f6 12,18 93CC98 B6F51F 9765KiB -t}\
${color}\
${offset 16}${lua_parse vpn}\
${offset 16}${lua_parse firewall}\
${else}\
# ----
# Wifi
# ----
${if_up wlp1s0}\
${lua_parse netIsUp}\
${if_match ${wireless_link_qual_perc wlp1s0}>69}\
${color5}\
${else}\
${if_match ${wireless_link_qual_perc wlp1s0}>49}\
${color6}\
${else}\
${if_match ${wireless_link_qual_perc wlp1s0}>29}\
${color2}\
${else}\
${color3}\
${endif}\
${endif}\
${endif}\
${execi 3.5 /home/<redacted>/scripts/conky/c/wifiName_F13_execi}\
${offset 12}${color7}${downspeedgraph wlp1s0 13,18 93CC98 B6F51F 9765KiB -t}\
${offset 4}${upspeedgraph wlp1s0 13,18 93CC98 B6F51F 9765KiB -t}\
${color}\
${offset 16}${lua_parse vpn}\
${offset 16}${lua_parse firewall}\
${else}\
${if_up bnep0}\
# ----
# Cell
# ----
${lua_parse netIsUp}\
${color1}CELL${offset 12}${color7}${downspeedgraph wlp1s0 13,18 93CC98 B6F51F 9765KiB -t}\
${offset 4}${upspeedgraph wlp1s0 13,18 93CC98 B6F51F 9765KiB -t}\
${color}\
${offset 16}${lua_parse vpn}\
${offset 16}${lua_parse firewall}\
${else}\
# ----
# USB
# ----
${if_up enp0s20f0u1}\
${offset 5}${color1}USB${offset 25}${color7}${downspeedgraph enp0s31f6 12,18 93CC98 B6F51F 9765KiB -t}\
${offset 5}${upspeedgraph enp0s31f6 12,18 93CC98 B6F51F 9765KiB -t}\
${color}\
${offset 16}${lua_parse vpn}\
${offset 16}${lua_parse firewall}\
${else}\
${color4}\
# ------
# No net
# ------
# The point of using lua here is to have a way of preventing *immediate* text display.
${lua_parse netIsDown}\
${endif}\
${endif}\
${endif}\
${endif}\
#
# ------
# POWER
# ------
${font}\
${goto 780}\
${if_match "${battery BAT1}"=="charged"}\
# Charged
${color5}\
+++\
${font}\
${else}\
# Either charging or discharging.
# NB: Script below sets colour.
# Conky's inbuilt battery support is inadequate.
${lua_parse battery}\
${endif}\
${color}\
# --------------------------------------------------------
# BRIGHTNESS & Redshift
# Use monospace font, together with a spacing-aware script.
# ---------------------------------------------------------
${goto 870}\
${font Symbola:size=12}\
⛯\
${font}\
${offset 5}\
# Set the colour..
${lua_parse redshift}\
# Now print brightness value. NB: Conky is about to add native functionality for this!
${lua_parse brightness}\
# Using lua as versus C saves 15% of CPU!
${color}\
${font}\
# ---------------
# VOLUME & SOURCE
# ---------------
${goto 960}\
${font Symbola:size=12:bold}\
${head ~/tmp/conkyRamdisk/soundSource 1 2}\
${font}\
${offset 6}\
${color1}\
# ${if_pa_sink_muted} is broken.
${exec /home/<redacted>/<redacted>/scripts/conky/c/volume_exec}\
${color}\
# --------------------------------------------------------
# DATE & TIME
# If use ${offset} here [at start?], get problems with right-aligning.
# So, use spaces, with different font size.
# For time syntax: https://linux.die.net/man/3/strftime
# --------------------------------------------------------
${goto 1054}\
${font Hack:size=10.5}\
${color4}\
# This (below) is the DAY, in full (e.g. 'Monday'), followed by a space.
${time %A} \
# This (below) is:
# The DAY NUMBER of the month (e.g.' 1');
# the MONTH (in text, abbreviated and followed by ' ', then as a number in parentheses and preceded by '#',)'
# the YEAR.
${time %-d} ${time %b} (\#${time %-m}) ${time %Y}\
# TIME (as against date), in this format: 12 hour clock, H:M AM/PM
${offset 10}\
${font Hack:size=10.5:bold}\
${time %l}\
:\
${time %M}\
# Seconds
${offset 5}\
${voffset -3}\
${font Hack:size=7}\
${color #CFD1CF}\
${time %S}\
${font}\
# This (below) is the AM / PM and timezone.
# NB: a peculiarity in my locale means that cannot get AM/PM in capitals by doing ${time %p},
# but ${time %^p} works.
${offset 6}\
${time %^p}\
${offset 11}\
${color #8D8F8D}\
${time %Z}\
${color}\
# --------------------------------------------
# SECOND ROW
# Note the lack of a slash after the 'voffset'.
# --------------------------------------------
${voffset 14}
${font Hack:size=8}\
# PC name, bios, OS, kernel, boot time.
${goto 41}\
${color #87B587}\
${no_update ${nodename_short}}\
${color #808080} · \
${color #BEBEBE}bios \
${color #87B587}\
${no_update ${head ~/tmp/conkyRamdisk/BIOS 1 60000}}\
${color #808080} · \
${color #87B587}\
${no_update ${head ~/tmp/conkyRamdisk/OS 1 60000}}\
${color #808080} · \
${color #87B587}\
${no_update ${kernel}}\
${color #808080}\
 · \
# 'head' syntax: <file> <num lines> <update multiplier>
${color #87B587}\
${no_update ${head ~/tmp/conkyRamdisk/boot 1 20000}}\
#
# *Conky version*
${offset 30}\
${color #BEBEBE}conky ${color #87B587}${no_update ${conky_version}}\
#
# *Log*
${offset 30}\
${color #BEBEBE}log \
${lua_parse log}\
#
# MAIL
# ----
${goto 870}\
${color white}\
${lua_parse mail}\
#
# *Services*
${goto 1040}\
${color #BEBEBE}\
services \
${lua_parse services}\
#
# *Syncthing*
${goto 1190}\
${color #BEBEBE}\
sync \
${lua_parse sync}\
${font}\
#
#
# --------------------------------------------
# THIRD ROW
# Note the lack of a slash after the 'voffset'.
# --------------------------------------------
${voffset 14}
${alignc}\
${color9}\
${font Hack:size=9}\
# LUA
${lua_parse row}\
${font}\
# This last line - any operation at all? - reduces flicker, for some reason. So does having a line of space, and no voffset, to start the row.
#
# --------------------------------------------
# FOURTH ROW
# Note the lack of a slash after the 'voffset'.
# --------------------------------------------
# MUSIC
#
${voffset 10}
${alignc}\
${font Hack:size=7.5}\
${execpi 5.8 /usr/bin/nice -n 3 /home/<redacted>/<redacted>/scripts/conky/c/song_execpi}\
${font}
#
# Comments of any kind after the closing brackets below causes problems.
#
# ---------------
# * * * END * * *
# ---------------
#
]]

Stack trace

06/10/2024 02:40	systemd-coredump	Process 175862 (conky) of user 1000 dumped core.

Stack trace of thread 175862:
#0  0x00007a2806f9b8dc __strlen_evex (libc.so.6 + 0x19b8dc)
#1  0x00007a2806e6ad98 __printf_buffer (libc.so.6 + 0x6ad98)
#2  0x00007a2806e8fcb6 __vsnprintf_internal (libc.so.6 + 0x8fcb6)
#3  0x00007a2806f37d9c ___snprintf_chk (libc.so.6 + 0x137d9c)
#4  0x000063e33544778a snprintf (conky + 0x7378a)
#5  0x000063e33541e0b9 _Z22generate_text_internalPci11text_object (conky + 0x4a0b9)
#6  0x000063e33541e3d7 _Z8evaluatePKcPci (conky + 0x4a3d7)
#7  0x000063e33545ef82 llua_conky_parse (conky + 0x8af82)
#8  0x00007a28077a1f7e n/a (liblua5.3.so.0 + 0x11f7e)
#9  0x00007a28077ac7f9 n/a (liblua5.3.so.0 + 0x1c7f9)
#10 0x00007a28077a24d8 n/a (liblua5.3.so.0 + 0x124d8)
#11 0x00007a280779a889 n/a (liblua5.3.so.0 + 0xa889)
#12 0x00007a28077bb9c5 n/a (liblua5.3.so.0 + 0x2b9c5)
#13 0x00007a28077a2385 lua_pcallk (liblua5.3.so.0 + 0x12385)
#14 0x000063e33545cba2 llua_do_call (conky + 0x88ba2)
#15 0x000063e33545cc99 llua_getstring (conky + 0x88c99)
#16 0x000063e33545edd7 _Z15print_lua_parseP11text_objectPcj (conky + 0x8add7)
#17 0x000063e33541e0b9 _Z22generate_text_internalPci11text_object (conky + 0x4a0b9)
#18 0x000063e33541e54d generate_text (conky + 0x4a54d)
#19 0x000063e335496e00 _ZN5conky18display_output_x1114main_loop_waitEd (conky + 0xc2e00)
#20 0x000063e33541f233 _Z9main_loopv (conky + 0x4b233)
#21 0x000063e335407a56 main (conky + 0x33a56)
#22 0x00007a2806e2a1ca __libc_start_call_main (libc.so.6 + 0x2a1ca)
#23 0x00007a2806e2a28b __libc_start_main_impl (libc.so.6 + 0x2a28b)
#24 0x000063e33540e665 _start (conky + 0x3a665)

Stack trace of thread 175865:
#0  0x00007a2806e98d61 __futex_abstimed_wait_common64 (libc.so.6 + 0x98d61)
#1  0x00007a2806ea4fa8 __new_sem_wait_slow64 (libc.so.6 + 0xa4fa8)
#2  0x000063e335460c5e _ZN9semaphore4waitEv (conky + 0x8cc5e)
#3  0x00007a28072eabb4 n/a (libstdc++.so.6 + 0xeabb4)
#4  0x00007a2806e9ca94 start_thread (libc.so.6 + 0x9ca94)
#5  0x00007a2806f29c3c __clone3 (libc.so.6 + 0x129c3c)

Stack trace of thread 175864:
#0  0x00007a2806e98d61 __futex_abstimed_wait_common64 (libc.so.6 + 0x98d61)
#1  0x00007a2806ea4fa8 __new_sem_wait_slow64 (libc.so.6 + 0xa4fa8)
#2  0x000063e335460c5e _ZN9semaphore4waitEv (conky + 0x8cc5e)
#3  0x00007a28072eabb4 n/a (libstdc++.so.6 + 0xeabb4)
#4  0x00007a2806e9ca94 start_thread (libc.so.6 + 0x9ca94)
#5  0x00007a2806f29c3c __clone3 (libc.so.6 + 0x129c3c)

Stack trace of thread 175869:
#0  0x00007a2806e98d61 __futex_abstimed_wait_common64 (libc.so.6 + 0x98d61)
#1  0x00007a2806ea4fa8 __new_sem_wait_slow64 (libc.so.6 + 0xa4fa8)
#2  0x000063e335460c5e _ZN9semaphore4waitEv (conky + 0x8cc5e)
#3  0x00007a28072eabb4 n/a (libstdc++.so.6 + 0xeabb4)
#4  0x00007a2806e9ca94 start_thread (libc.so.6 + 0x9ca94)
#5  0x00007a2806f29c3c __clone3 (libc.so.6 + 0x129c3c)

Stack trace of thread 175870:
#0  0x00007a2806e98d61 __futex_abstimed_wait_common64 (libc.so.6 + 0x98d61)
#1  0x00007a2806ea4fa8 __new_sem_wait_slow64 (libc.so.6 + 0xa4fa8)
#2  0x000063e335460c5e _ZN9semaphore4waitEv (conky + 0x8cc5e)
#3  0x00007a28072eabb4 n/a (libstdc++.so.6 + 0xeabb4)
#4  0x00007a2806e9ca94 start_thread (libc.so.6 + 0x9ca94)
#5  0x00007a2806f29c3c __clone3 (libc.so.6 + 0x129c3c)

Stack trace of thread 175871:
#0  0x00007a2806e98d61 __futex_abstimed_wait_common64 (libc.so.6 + 0x98d61)
#1  0x00007a2806ea4fa8 __new_sem_wait_slow64 (libc.so.6 + 0xa4fa8)
#2  0x000063e335460c5e _ZN9semaphore4waitEv (conky + 0x8cc5e)
#3  0x00007a28072eabb4 n/a (libstdc++.so.6 + 0xeabb4)
#4  0x00007a2806e9ca94 start_thread (libc.so.6 + 0x9ca94)
#5  0x00007a2806f29c3c __clone3 (libc.so.6 + 0x129c3c)

Stack trace of thread 175872:
#0  0x00007a2806e98d61 __futex_abstimed_wait_common64 (libc.so.6 + 0x98d61)
#1  0x00007a2806ea4fa8 __new_sem_wait_slow64 (libc.so.6 + 0xa4fa8)
#2  0x000063e335460c5e _ZN9semaphore4waitEv (conky + 0x8cc5e)
#3  0x00007a28072eabb4 n/a (libstdc++.so.6 + 0xeabb4)
#4  0x00007a2806e9ca94 start_thread (libc.so.6 + 0x9ca94)
#5  0x00007a2806f29c3c __clone3 (libc.so.6 + 0x129c3c)

Stack trace of thread 175868:
#0  0x00007a2806e98d61 __futex_abstimed_wait_common64 (libc.so.6 + 0x98d61)
#1  0x00007a2806ea4fa8 __new_sem_wait_slow64 (libc.so.6 + 0xa4fa8)
#2  0x000063e335460c5e _ZN9semaphore4waitEv (conky + 0x8cc5e)
#3  0x00007a28072eabb4 n/a (libstdc++.so.6 + 0xeabb4)
#4  0x00007a2806e9ca94 start_thread (libc.so.6 + 0x9ca94)
#5  0x00007a2806f29c3c __clone3 (libc.so.6 + 0x129c3c)
ELF object binary architecture: AMD x86-64

Relevant log output

No response

[Caellian]

Source of segmentation fault is some snprintf called by generate_text_internal. As that's the last location in stack trace before snprintf, and the function doesn't contain any, that means the compiler inlined some other called function (spaced_print, called by percent_print seem like good candidates?)

Can you send us your conky binary? I've never done it before, but I'm guessing it can be used to narrow down which snprintf is bad (the ones I linked above are just guesses).

[Caellian]

Thanks, I deleted your reply because I saw the binary contained paths you redacted in your config file as parts of debug statements.

The binary doesn't have spaced_print inlined, and the address from the dump points to the line after (*obj->callbacks.print)(obj, p, p_max_size); call, so I'm assuming that's it.

After eliminating variables by hand, I took another look at the stack trace - the cause is text produced by lua_parse, that is this snprintf crashes. This is called from several places in extract_variable_text_internal.

P.S. if_pa_sink_muted likely doesn't work if you're using PipeWire.