EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: RE: ioc crash with ip module (synaps) TPG261 message too small=0
From: Mark Rivers via Tech-talk <[email protected]>
To: 'Heinz Junkes' <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Date: Wed, 13 Feb 2019 23:56:57 +0000

Hi Heinz,

 

It is crashing in the readSi function:

 

    rtnSize = strlen(pPvt->recBuf);
    switch (pPvt->command) {
        case GetID:
            cloc = strchr(pPvt->recBuf, ',');
            if (pPvt->address == 1) {
                ploc = pPvt->recBuf;
                *cloc = 0;    /* CRASHING HERE */
                strcpy(pvalue,ploc);
            } else {
                ploc  = cloc+1;
                strcpy(pvalue,ploc);
            }
        break;
    }

 

There are so many things wrong with this code I don’t know where to start!

 

devTPG261Callback is where the actual I/O to the device is done. 

 

It does store the return status of the I/O operation in pPvt->status, but then this status is never checked anywhere!

 

The number of characters read is only in a local variable, not in pPvt, so the readSi function does not know that no characters were read.

 

The read buffer pPvt->recBuf is not 0 filled before the I/O, so rtnSize above will not be zero if the read failed, which it should be.

 

The code above does not check if strchr returned 0 into cloc, which it apparently did in your case, and hence it is dereferencing a null pointer, causing the crash.

 

The code is pretty simple, and it would not be hard to make it much more robust.  Want to volunteer?

 

Mark

 

 

From: [email protected] <[email protected]> On Behalf Of Heinz Junkes via Tech-talk
Sent: Wednesday, February 13, 2019 12:59 PM
To: tech-talk <[email protected]>
Subject: Fwd: ioc crash with ip module (synaps) TPG261 message too small=0

 



From: Heinz Junkes <[email protected]>

Subject: Re: ioc crash with ip module (synaps) TPG261 message too small=0

Date: 13. February 2019 at 19:57:28 CET

To: Mark Rivers <[email protected]>

 

Thank you Mark,
as fast as always. Sorry for the delay on my side, but it took me a while to get the dump read on modern Ubuntu.

(Had to go via apport, just for the record:
 sudo service apport start
 sudo apt install apport-retrace
 apport-unpack /var/crash/_opt_epics_FHI_IOCINFRA_bin_linux-x86_64_IOCINFRA.1000.crash crash
 cd crash; gdb `cat ExecutablePath` CoreDump
)

but as a result it shows:

[New LWP 20486]
[New LWP 20479]
[New LWP 20492]
[New LWP 20474]
[New LWP 20496]
[New LWP 20473]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `../../bin/linux-x86_64/IOCINFRA ./st.cmd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  readSi (pr=0x16521c8) at ../devTPG261.c:484
484                     *cloc = 0;
[Current thread is 1 (Thread 0x7fb4a975e700 (LWP 20477))]


Heinz

On 13. Feb 2019, at 18:48, Mark Rivers <[email protected]> wrote:

Hi Heinz,

I just looked at the code.  The relevant parts are these:

   if (nread < 1 ) {
       asynPrint(pasynUser, ASYN_TRACE_ERROR,
                 "devTPG261::devTPG261Callback Cmd %s message too small=%d\n",
                 pr->name, nread);
       recGblSetSevr(pr, READ_ALARM, INVALID_ALARM);
       goto finish;
   }
...
   /* Process the record. This will result in the readX or writeX routine
      being called again, but with pact=1 */
finish:
   dbScanLock(pr);
   (*prset->process)(pr);
   dbScanUnlock(pr);
}

I don’t see anything obvious wrong there.  Can you get a stack trace to see where it is actually crashing?

Mark

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Heinz Junkes via Tech-talk
Sent: Wednesday, February 13, 2019 11:35 AM
To: Tech-talk <[email protected]>
Subject: ioc crash with ip module (synaps) TPG261 message too small=0

Using epics7
asyn Release 4-34
ip Release 2-20 XXX, 2018

If there is no TPG261 connected to the serial port, the ioc crashes with

2019/02/13 18:23:58.277 devTPG261::devTPG261Callback Val trARPES:HHG:ID message too small=0

is called in the st.cmd like

drvAsynIPPortConfigure("MOXA_9", "172.24.192.29:4009", 0, 0, 0)
asynSetTraceIOMask("MOXA_9", 0, 0x2)
asynSetTraceMask("MOXA_9", 0, 255)
dbLoadRecords("$(IP)/ipApp/Db/TPG261.db", "P=trARPES:, ADDR=1,TIMEOUT=5, GAUGE=HHG, PORT=MOXA_9")


Heinz


############################################################################
## EPICS R7.0.1.2-DEV
## EPICS Base built Oct 14 2018
############################################################################
2019/02/13 18:23:53.767 devTPG261::initCommon name=trARPES:HHG:SUNIT; command string=SET_UNIT command=3 address=1
2019/02/13 18:23:53.767 devTPG261::initCommon name=trARPES:HHG:ID; command string=GET_ID command=0 address=1
2019/02/13 18:23:53.767 devTPG261::initCommon name=trARPES:HHG:UNIT; command string=GET_UNIT command=2 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:PRES; command string=GET_PRESSURE command=1 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP1V; command string=GET_SPVAL1 command=6 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP2V; command string=GET_SPVAL2 command=9 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:START; command string=SET_SENSOR command=5 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SET1; command string=SET_SP1 command=8 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SET2; command string=SET_SP2 command=11 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:STATUS; command string=GET_SENSOR command=4 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP1S; command string=GET_SPS1 command=7 address=1
2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP2S; command string=GET_SPS2 command=10 address=1
|019/02/13 18:23:54.269 devTPG261::buildCommand trARPES:HHG:ID len=4 string=|TID
2019/02/13 18:23:54.269 MOXA_9 addr -1 queueRequest priority 0 not lockHolder
2019/02/13 18:23:54.269 asynManager::portThread port=MOXA_9 callback
2019/02/13 18:23:54.269 MOXA_9 set Eos 2
\r\n
2019/02/13 18:23:54.269 172.24.192.29:4009 write.
2019/02/13 18:23:54.270 172.24.192.29:4009 write 4
TID\r
2019/02/13 18:23:54.270 wrote 4 to 172.24.192.29:4009, return asynSuccess.
2019/02/13 18:23:54.270 MOXA_9 wrote
TID\r
]019/02/13 18:23:54.270 devTPG261::devTPG261Callback Cmd trARPES:HHG:ID nwrite=4, output=[TID
2019/02/13 18:23:54.270 172.24.192.29:4009 read.
2019/02/13 18:23:54.270 172.24.192.29:4009 read 15
\377\373\001\377\373\003\377\373\000\377\375\001\377\375\000
2019/02/13 18:23:54.271 MOXA_9 read 15 bytes eom=0
\377\373\001\377\373\003\377\373\000iocRun: All initialization complete
\377\375\001\377\375\000
################################################# Create autosave monitor sets
2019/02/13 18:23:54.272 create_monitor_set("iocIOCINFRA_0.req", 5, "P=iocIOCINFRA:")
172.24.192.29:4009 read.
st.cmd line 64: Command create_monitor_set not found.
create_monitor_set("iocIOCINFRA_1.req", 30, "P=iocIOCINFRA:")
st.cmd line 65: Command create_monitor_set not found.
## Report Installed and Configured I/O-Hardware Information
dbior 0 1 > /epics/iocs/log/Database/iocIOCINFRA.dbior
dbhcr     > /epics/iocs/log/Database/iocIOCINFRA.dbhcr
dbl       > /epics/iocs/log/Database/iocIOCINFRA.dbl
## Start any sequence programs
#seq sncxxx,"user=epics"
|pics> 2019/02/13 18:23:55.768 devTPG261::buildCommand trARPES:HHG:PRES len=4 string=|PR1
2019/02/13 18:23:55.768 MOXA_9 addr -1 queueRequest priority 0 not lockHolder
2019/02/13 18:23:56.275 MOXA_9 read from low-level driver returned 1
2019/02/13 18:23:56.275 devTPG261::devTPG261Callback Cmd trARPES:HHG:ID nread=15, input=[������]
2019/02/13 18:23:56.275 172.24.192.29:4009 write.
2019/02/13 18:23:56.275 172.24.192.29:4009 write 1
\005
2019/02/13 18:23:56.275 wrote 1 to 172.24.192.29:4009, return asynSuccess.
2019/02/13 18:23:56.275 MOXA_9 wrote
\005
2019/02/13 18:23:56.275 devTPG261::devTPG261Callback Val trARPES:HHG:ID nwrite=1, output=[P]
2019/02/13 18:23:56.275 172.24.192.29:4009 read.
2019/02/13 18:23:58.277 MOXA_9 read from low-level driver returned 1
2019/02/13 18:23:58.277 devTPG261::devTPG261Callback Val trARPES:HHG:ID nread=0, input=[]
2019/02/13 18:23:58.277 devTPG261::devTPG261Callback Val trARPES:HHG:ID message too small=0

@@@ @@@ @@@ @@@ @@@
@@@ Received a sigChild for process 19516. The process was killed by signal 11
@@@ Current time: Wed Feb 13 18:23:58 2019
@@@ Child process is shutting down, auto restart is disabled
@@@ ^R or ^X restarts the child, ^Q quits the server
------------------------------------------------------------------------------
Fritz-Haber-Institut    | Phone:         (+49 30) 8413-4270
Heinz Junkes             | Fax (G3+G4):   (+49 30) 8413-5900
Faradayweg 4-6        |
D - 14195 Berlin        | E-Mail:        [email protected]
------------------------------------------------------------------------------
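
Added example, not part of the thread and not the ip module's code: a stand-alone C sketch of the checks named in the top message (status recorded and checked, byte count kept with the record data, buffer cleared before I/O, strchr result tested, bounded copy). The names tpgPvt, tpg_store_reply, tpg_parse_id and REC_BUF_SIZE are hypothetical, and status 0 is assumed to mean a successful read.

```c
#include <stddef.h>
#include <string.h>

#define REC_BUF_SIZE 64   /* assumed size; the real driver's may differ */

/* Hypothetical stand-in for the driver's private record data. */
typedef struct {
    char   recBuf[REC_BUF_SIZE];
    int    status;    /* 0 = I/O succeeded, anything else = failure */
    size_t nread;     /* byte count kept here so the read routine sees it */
    int    address;   /* 1 = field before the comma, otherwise after */
} tpgPvt;

/* Callback side: clear stale data, then record status and length. */
void tpg_store_reply(tpgPvt *p, int status, const char *data, size_t n)
{
    memset(p->recBuf, 0, sizeof p->recBuf);
    if (status != 0 || data == NULL) n = 0;           /* nothing valid to keep */
    if (n >= sizeof p->recBuf) n = sizeof p->recBuf - 1;   /* leave room for NUL */
    if (n > 0) memcpy(p->recBuf, data, n);
    p->status = status;
    p->nread  = n;
}

/* Record side, GetID case: 0 on success, -1 for any unusable reply. */
int tpg_parse_id(const tpgPvt *p, char *out, size_t outSize)
{
    const char *field, *cloc;
    size_t len;

    if (out == NULL || outSize == 0) return -1;
    out[0] = '\0';
    if (p->status != 0 || p->nread == 0) return -1;   /* failed or empty read */
    cloc = strchr(p->recBuf, ',');
    if (cloc == NULL) return -1;                      /* no separator: not an ID reply */
    if (p->address == 1) {
        field = p->recBuf;
        len = (size_t)(cloc - p->recBuf);
    } else {
        field = cloc + 1;
        len = strlen(field);
    }
    if (len >= outSize) return -1;                    /* would overflow pvalue */
    memcpy(out, field, len);
    out[len] = '\0';
    return 0;
}
```

A -1 return is the point at which a device-support routine would raise a read alarm on the record instead of touching the buffer.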

 

 


ANJ, 14 Feb 2019