Experimental Physics and Industrial Control System
Dirk Zimoch wrote:
Hi Andrew,
as I posted last week, there is a bug in dbAccess.c that can crash the
ioc when DTYP is read via CA. The bug is still present in the newly
released 3.14.6. I think it has been there from the very beginning of
EPICS. As I tested today, a Linux ioc also crashes (segmentation
fault). That there were no crashes on 68k processors seems to be
coincidental (or just luck).
The problem is that for records without device support (calc, etc.)
the dbDeviceMenu pointer is NULL. When it is dereferenced in
get_enum_strs(), no check is done and pdbDeviceMenu->nChoice and
pdbDeviceMenu->papChoice have arbitrary values.
Since I consider crashing an ioc with a read a major bug, I would be
pleased to see this fixed in at least the latest version.
Your analysis is correct. The bug has been in base for years and
appears in both 3.13 and 3.14.
I suggest a different fix than yours, since it will notify the user that an
error occurred. See below.
The correct fix is:
3.14.6
diff -c -r1.116.2.3 dbAccess.c
*** dbAccess.c 19 Feb 2004 01:17:39 -0000 1.116.2.3
--- dbAccess.c 7 Jun 2004 11:42:20 -0000
***************
*** 147,152 ****
--- 147,156 ----
goto choice_common;
case DBF_DEVICE:
pdbDeviceMenu = (dbDeviceMenu *)pdbFldDes->ftPvt;
+ if(!pdbDeviceMenu) {
+ *options = (*options)^DBR_ENUM_STRS;/*Turn off
option*/
+ break;
+ }
no_str = pdbDeviceMenu->nChoice;
papChoice = pdbDeviceMenu->papChoice;
goto choice_common;
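Review bot: the guard clears DBR_ENUM_STRS with an XOR, `*options = (*options)^DBR_ENUM_STRS;`, which turns the option off only if it was on. That holds on this path, since the backtrace in the thread shows get_enum_strs() entered from getOptions() for a requested DBR_ENUM_STRS, but `*options &= ~DBR_ENUM_STRS;` states the intent directly and cannot switch the option on if the branch is ever reached with the bit clear. The `break` also leaves no_str and papChoice unassigned here, which is only safe because choice_common is skipped; a few words in the comment saying that ftPvt is NULL for record types without device support would tell the next reader why the pointer can be NULL at all.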
For 3.13 the fix is
diff -c -r1.89.4.8 dbAccess.c
*** dbAccess.c 12 Jul 2002 22:17:07 -0000 1.89.4.8
--- dbAccess.c 7 Jun 2004 11:40:05 -0000
***************
*** 129,134 ****
--- 129,138 ----
goto choice_common;
case DBF_DEVICE:
pdbDeviceMenu = (dbDeviceMenu *)pdbFldDes->ftPvt;
+ if(!pdbDeviceMenu) {
+ *options = (*options)^DBR_ENUM_STRS;/*Turn off
option*/
+ break;
+ }
no_str = pdbDeviceMenu->nChoice;
papChoice = pdbDeviceMenu->papChoice;
goto choice_common;
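Review bot: identical to the 3.14.6 hunk apart from the offset (129-138 here, 147-156 there), and at the same lines as the alternative patch further down the thread, so the same remark applies: prefer `*options &= ~DBR_ENUM_STRS;` over the XOR toggle, and keep the comment wording the same in both copies so the 3.13 and 3.14 branches stay in step.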
This will be fixed in the next release of 3.13 and 3.14.
I did some greps and this appears to be the only place in base where
pdbDeviceMenu is not checked for null before it is used.
Thanks!!!
Marty Kraimer
Dirk
Andrew Johnson wrote:
EPICS Base release 3.14.6 has been available for download since last
Friday, but we didn't have the IOC Application Developers Guide in
place until today, hence the delayed release announcement. This
version of Base contains many minor enhancements and bug fixes,
especially to the Channel Access client library, which is
significantly more robust and reliable than R3.14.5 was.
There is a known problem with compiling this release against Tornado
2.2, although the failure happens when building a test program after
everything required for normal use has been compiled, so this is
benign. There may also be an issue when building some extensions
using the solaris-sparc-gnu architecture, but that's unconfirmed at
present (we hope Janet gets better soon).
Thanks to all the core development team.
- Andrew
Dirk Zimoch wrote:
Hi all,
at least on all EPICS releases 3.13.2 to 3.13.9, there is a bug that causes
crashes on PPC iocs. (I have not seen a 68k crash here.)
Bug:
When reading the DTYP field of "pure soft records" such as calc via
CA, the CA_client task crashes and leaves the ioc in a state where no
further access via CA is possible.
data access
Exception current instruction address: 0x01705f54
Machine Status Register: 0x0000b030
Data Access Register: 0xf0f0f0f0
Condition Register: 0x28000040
Data storage interrupt Register: 0x40000000
Task: 0x17c31f0 "CA_client"
tt
17807c vxTaskEntry +60 : camsgtask ()
1727a44 camsgtask +2e4: camessage ()
172a7f0 camessage +120: read_action ()
17286bc read_action +e8 : read_reply ()
17284b4 read_reply +144: db_get_field ()
171f838 .L198 +40 : dbGetField ()
1707650 dbGetField +164: dbGet ()
1707760 dbGet +cc : getOptions ()
17065d8 getOptions +208: get_enum_strs ()
Fix:
*** base/src/db/dbAccess.c.orig Thu Jun 3 18:04:26 2004
--- base/src/db/dbAccess.c Thu Jun 3 18:10:33 2004
***************
*** 129,134 ****
--- 129,138 ----
goto choice_common;
case DBF_DEVICE:
pdbDeviceMenu = (dbDeviceMenu *)pdbFldDes->ftPvt;
+ if (pdbDeviceMenu == NULL) {
+ no_str = 0;
+ goto choice_common;
+ }
no_str = pdbDeviceMenu->nChoice;
papChoice = pdbDeviceMenu->papChoice;
goto choice_common;
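Review bot: in the `pdbDeviceMenu == NULL` branch only no_str is assigned before `goto choice_common`; papChoice keeps whatever value it had, so the branch relies on choice_common never touching papChoice when no_str is 0. Adding `papChoice = NULL;` next to `no_str = 0;` makes that invariant explicit and keeps the branch safe if choice_common is changed later. The difference from the other guard is visible to the client: this returns an empty but otherwise successful reply with DBR_ENUM_STRS still set, rather than turning the option off.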
The fix I suggest provides the same semantics as the other cases in
get_enum_strs.
That is, the caller will receive an indication that the call failed.
Look at cases DBF_ENUM and default.
After this fix, calc records and the like report DTYP as 0.
Dirk
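The DBF_DEVICE branch of get_enum_strs() with the two proposed guards side by side, as an added example in plain C that is not EPICS Base code and not part of any message in this thread. The struct types, the DBR_ENUM_STRS bit value, the reply capacity and the two sample records (an ai with two constructed device-support choices, a calc with no device support) are simplified assumptions standing in for dbFldDes, dbDeviceMenu and dbr_enumStrs; only the control flow of the NULL checks follows the posted patches.

```c
/* Added illustration, not EPICS Base source: types, constants and the
 * sample records below are simplified assumptions. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DBR_ENUM_STRS   0x0010  /* assumed bit value; only its identity matters */
#define MAX_STRING_SIZE 40      /* EPICS string field size */
#define MAX_CHOICES     16      /* assumed reply capacity */

typedef struct { int nChoice; char **papChoice; } dbDeviceMenu;
/* ftPvt holds a dbDeviceMenu* for DTYP; NULL when the record type has no device support */
typedef struct { void *ftPvt; } dbFldDes;
typedef struct { int no_str; char strs[MAX_CHOICES][MAX_STRING_SIZE]; } dbr_enumStrs;

enum fix_variant { UNCHECKED = 0, CLEAR_OPTION = 1, ZERO_CHOICES = 2 };

/* Stand-in for the choice_common label: copy no_str strings into the reply. */
static void choice_common(dbr_enumStrs *out, int no_str, char **papChoice)
{
    int i;
    if (no_str > MAX_CHOICES)
        no_str = MAX_CHOICES;
    out->no_str = no_str;
    for (i = 0; i < no_str; i++) {
        strncpy(out->strs[i], papChoice[i], MAX_STRING_SIZE - 1);
        out->strs[i][MAX_STRING_SIZE - 1] = '\0';
    }
}

/* Before either patch: ftPvt is used with no NULL check, so a calc
 * record's DTYP dereferences NULL (the crash in the backtrace). */
static void device_case_unchecked(const dbFldDes *fd, long *options, dbr_enumStrs *out)
{
    dbDeviceMenu *pdbDeviceMenu = (dbDeviceMenu *)fd->ftPvt;
    (void)options;
    choice_common(out, pdbDeviceMenu->nChoice, pdbDeviceMenu->papChoice);
}

/* Marty Kraimer's guard: turn DBR_ENUM_STRS off in *options and leave the
 * reply untouched. The posted patch toggles with ^; &= ~ clears unconditionally. */
static void device_case_clear_option(const dbFldDes *fd, long *options, dbr_enumStrs *out)
{
    dbDeviceMenu *pdbDeviceMenu = (dbDeviceMenu *)fd->ftPvt;
    if (!pdbDeviceMenu) {
        *options &= ~DBR_ENUM_STRS;
        return;
    }
    choice_common(out, pdbDeviceMenu->nChoice, pdbDeviceMenu->papChoice);
}

/* Dirk Zimoch's guard: answer with zero choices; the option bit stays set. */
static void device_case_zero_choices(const dbFldDes *fd, long *options, dbr_enumStrs *out)
{
    dbDeviceMenu *pdbDeviceMenu = (dbDeviceMenu *)fd->ftPvt;
    (void)options;
    if (pdbDeviceMenu == NULL) {
        choice_common(out, 0, NULL);
        return;
    }
    choice_common(out, pdbDeviceMenu->nChoice, pdbDeviceMenu->papChoice);
}

/* Simulates a CA read of DTYP with DBR_ENUM_STRS requested. Returns the option
 * bits still set afterwards; out->no_str stays -1 if the reply was untouched. */
long read_dtyp_strs(const dbFldDes *dtyp, enum fix_variant v, dbr_enumStrs *out)
{
    long options = DBR_ENUM_STRS;
    memset(out, 0, sizeof *out);
    out->no_str = -1;
    switch (v) {
    case UNCHECKED:    device_case_unchecked(dtyp, &options, out);    break;
    case CLEAR_OPTION: device_case_clear_option(dtyp, &options, out); break;
    case ZERO_CHOICES: device_case_zero_choices(dtyp, &options, out); break;
    }
    return options;
}

/* Constructed sample records: an ai with two device-support choices, and a
 * calc, which has no device support and therefore a NULL menu pointer. */
static char *ai_choices[] = { "Soft Channel", "Raw Soft Channel" };
static dbDeviceMenu ai_menu = { 2, ai_choices };
const dbFldDes ai_dtyp   = { &ai_menu };
const dbFldDes calc_dtyp = { NULL };

int main(void)
{
    dbr_enumStrs r;
    long opts = read_dtyp_strs(&calc_dtyp, CLEAR_OPTION, &r);
    printf("calc, clear-option: bit %s, no_str=%d\n", (opts & DBR_ENUM_STRS) ? "set" : "off", r.no_str);
    opts = read_dtyp_strs(&calc_dtyp, ZERO_CHOICES, &r);
    printf("calc, zero-choices: bit %s, no_str=%d\n", (opts & DBR_ENUM_STRS) ? "set" : "off", r.no_str);
    /* read_dtyp_strs(&calc_dtyp, UNCHECKED, &r) would dereference NULL here */
    return 0;
}
```

With the calc record the clear-option variant comes back with DBR_ENUM_STRS turned off and the reply untouched, the zero-choices variant with the bit still set and no_str equal to 0; the unchecked variant dereferences NULL exactly as the backtrace above shows, and is left out of main for that reason.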
ANJ, 10 Aug 2010 |