EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: ioc crash with ip module (synaps) TPG261 message too small=0
From: Heinz Junkes via Tech-talk <[email protected]>
To: Mark Rivers <[email protected]>
Cc: "[email protected]" <[email protected]>
Date: Thu, 14 Feb 2019 08:59:36 +0100
Hi Mark,

I had the same impression when I saw the code. But I thought, since it is part of the ip module and
probably used for many years with APS, I must have missed something.
I will try to fix the code and report back. 
Heinz


> On 14. Feb 2019, at 00:56, Mark Rivers <[email protected]> wrote:
> 
> Hi Heinz,
>  
> It is crashing in the readSi function:
>  
>     rtnSize = strlen(pPvt->recBuf);
>     switch (pPvt->command) {
>         case GetID:
>             cloc =strchr(pPvt->recBuf, ',');
>             if (pPvt->address == 1) {
>                 ploc = pPvt->recBuf;
>                 *cloc = 0;    CRASHING HERE
>                 strcpy(pvalue,ploc);
>             } else {
>                 ploc  = cloc+1;
>                 strcpy(pvalue,ploc);
>             }
>         break;
>     }
>  
> There are so many things wrong with this code I don’t know where to start!
>  
> devTPG261Callback is where the actual I/O to the device is done. 
>  
> It does store the return status of the I/O operation in pPvt->status, but then this status is never checked anywhere!
>  
> The number of characters read is only in a local variable, not in pPvt, so the readSi function does not know that no characters were read.
>  
> The read buffer pPvt->recBuf is not 0 filled before the I/O, so rtnSize above will not be zero if the read failed, which it should be.
>  
> The code above does not check if strchr returned 0 into cloc, which it apparently did in your case, and hence it is dereferencing a null pointer, causing the crash.
>  
> The code is pretty simple, and it would not be hard to make it much more robust.  Want to volunteer?
>  
> Mark
>  
>  
> From: [email protected] <[email protected]> On Behalf Of Heinz Junkes via Tech-talk
> Sent: Wednesday, February 13, 2019 12:59 PM
> To: tech-talk <[email protected]>
> Subject: Fwd: ioc crash with ip module (synaps) TPG261 message too small=0
>  
> 
> 
> From: Heinz Junkes <[email protected]>
> Subject: Re: ioc crash with ip module (synaps) TPG261 message too small=0
> Date: 13. February 2019 at 19:57:28 CET
> To: Mark Rivers <[email protected]>
>  
> Thank you Mark,
> as fast as always. Sorry for the delay on my side, but it took me a while to get the dump read on modern Ubuntu
> 
> (Had to go via apport, just for the record:
>  sudo service apport start
>  sudo apt install apport-retrace
>  apport-unpack /var/crash/_opt_epics_FHI_IOCINFRA_bin_linux-x86_64_IOCINFRA.1000.crash crash
>  cd crash; gdb `cat ExecutablePath` CoreDump
> )
> 
> but as a result it shows:
> 
> [New LWP 20486]
> [New LWP 20479]
> [New LWP 20492]
> [New LWP 20474]
> [New LWP 20496]
> [New LWP 20473]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `../../bin/linux-x86_64/IOCINFRA ./st.cmd'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  readSi (pr=0x16521c8) at ../devTPG261.c:484
> 484                     *cloc = 0;
> [Current thread is 1 (Thread 0x7fb4a975e700 (LWP 20477))] 
> 
> 
> Heinz
> 
> On 13. Feb 2019, at 18:48, Mark Rivers <[email protected]> wrote:
> 
> Hi Heinz,
> 
> I just looked at the code.  The relevant parts are these:
> 
>    if (nread < 1 ) {
>        asynPrint(pasynUser, ASYN_TRACE_ERROR,
>                  "devTPG261::devTPG261Callback Cmd %s message too small=%d\n",
>                  pr->name, nread);
>        recGblSetSevr(pr, READ_ALARM, INVALID_ALARM);
>        goto finish;
>    }
> ...
>    /* Process the record. This will result in the readX or writeX routine
>       being called again, but with pact=1 */
> finish:
>    dbScanLock(pr);
>    (*prset->process)(pr);
>    dbScanUnlock(pr);
> }
> 
> I don’t see anything obvious wrong there.  Can you get a stack trace to see where it is actually crashing?
> 
> Mark
> 
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Heinz Junkes via Tech-talk
> Sent: Wednesday, February 13, 2019 11:35 AM
> To: Tech-talk <[email protected]>
> Subject: ioc crash with ip module (synaps) TPG261 message too small=0
> 
> Using epics7
> asyn Release 4-34
> ip Release 2-20 XXX, 2018
> 
> if there is no TPG261 connected to the serial port, the ioc crashes with
> 
> 2019/02/13 18:23:58.277 devTPG261::devTPG261Callback Val trARPES:HHG:ID message too small=0
> 
> is called in the st.cmd like
> 
> drvAsynIPPortConfigure("MOXA_9", "172.24.192.29:4009", 0, 0, 0)
> asynSetTraceIOMask("MOXA_9", 0, 0x2)
> asynSetTraceMask("MOXA_9", 0, 255)
> dbLoadRecords("$(IP)/ipApp/Db/TPG261.db", "P=trARPES:, ADDR=1,TIMEOUT=5, GAUGE=HHG, PORT=MOXA_9")
> 
> 
> Heinz
> 
> 
> ############################################################################
> ## EPICS R7.0.1.2-DEV
> ## EPICS Base built Oct 14 2018
> ############################################################################
> 2019/02/13 18:23:53.767 devTPG261::initCommon name=trARPES:HHG:SUNIT; command string=SET_UNIT command=3 address=1
> 2019/02/13 18:23:53.767 devTPG261::initCommon name=trARPES:HHG:ID; command string=GET_ID command=0 address=1
> 2019/02/13 18:23:53.767 devTPG261::initCommon name=trARPES:HHG:UNIT; command string=GET_UNIT command=2 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:PRES; command string=GET_PRESSURE command=1 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP1V; command string=GET_SPVAL1 command=6 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP2V; command string=GET_SPVAL2 command=9 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:START; command string=SET_SENSOR command=5 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SET1; command string=SET_SP1 command=8 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SET2; command string=SET_SP2 command=11 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:STATUS; command string=GET_SENSOR command=4 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP1S; command string=GET_SPS1 command=7 address=1
> 2019/02/13 18:23:53.768 devTPG261::initCommon name=trARPES:HHG:SP2S; command string=GET_SPS2 command=10 address=1
> |019/02/13 18:23:54.269 devTPG261::buildCommand trARPES:HHG:ID len=4 string=|TID
> 2019/02/13 18:23:54.269 MOXA_9 addr -1 queueRequest priority 0 not lockHolder
> 2019/02/13 18:23:54.269 asynManager::portThread port=MOXA_9 callback
> 2019/02/13 18:23:54.269 MOXA_9 set Eos 2
> \r\n
> 2019/02/13 18:23:54.269 172.24.192.29:4009 write.
> 2019/02/13 18:23:54.270 172.24.192.29:4009 write 4
> TID\r
> 2019/02/13 18:23:54.270 wrote 4 to 172.24.192.29:4009, return asynSuccess.
> 2019/02/13 18:23:54.270 MOXA_9 wrote
> TID\r
> ]019/02/13 18:23:54.270 devTPG261::devTPG261Callback Cmd trARPES:HHG:ID nwrite=4, output=[TID
> 2019/02/13 18:23:54.270 172.24.192.29:4009 read.
> 2019/02/13 18:23:54.270 172.24.192.29:4009 read 15
> \377\373\001\377\373\003\377\373\000\377\375\001\377\375\000
> 2019/02/13 18:23:54.271 MOXA_9 read 15 bytes eom=0
> \377\373\001\377\373\003\377\373\000iocRun: All initialization complete
> \377\375\001\377\375\000
> ################################################# Create autosave monitor sets
> 2019/02/13 18:23:54.272 create_monitor_set("iocIOCINFRA_0.req", 5, "P=iocIOCINFRA:")
> 172.24.192.29:4009 read.
> st.cmd line 64: Command create_monitor_set not found.
> create_monitor_set("iocIOCINFRA_1.req", 30, "P=iocIOCINFRA:")
> st.cmd line 65: Command create_monitor_set not found.
> ## Report Installed and Configured I/O-Hardware Information
> dbior 0 1 > /epics/iocs/log/Database/iocIOCINFRA.dbior
> dbhcr     > /epics/iocs/log/Database/iocIOCINFRA.dbhcr
> dbl       > /epics/iocs/log/Database/iocIOCINFRA.dbl
> ## Start any sequence programs
> #seq sncxxx,"user=epics"
> |pics> 2019/02/13 18:23:55.768 devTPG261::buildCommand trARPES:HHG:PRES len=4 string=|PR1
> 2019/02/13 18:23:55.768 MOXA_9 addr -1 queueRequest priority 0 not lockHolder
> 2019/02/13 18:23:56.275 MOXA_9 read from low-level driver returned 1
> 2019/02/13 18:23:56.275 devTPG261::devTPG261Callback Cmd trARPES:HHG:ID nread=15, input=[������]
> 2019/02/13 18:23:56.275 172.24.192.29:4009 write.
> 2019/02/13 18:23:56.275 172.24.192.29:4009 write 1
> \005
> 2019/02/13 18:23:56.275 wrote 1 to 172.24.192.29:4009, return asynSuccess.
> 2019/02/13 18:23:56.275 MOXA_9 wrote
> \005
> 2019/02/13 18:23:56.275 devTPG261::devTPG261Callback Val trARPES:HHG:ID nwrite=1, output=[P]
> 2019/02/13 18:23:56.275 172.24.192.29:4009 read.
> 2019/02/13 18:23:58.277 MOXA_9 read from low-level driver returned 1
> 2019/02/13 18:23:58.277 devTPG261::devTPG261Callback Val trARPES:HHG:ID nread=0, input=[]
> 2019/02/13 18:23:58.277 devTPG261::devTPG261Callback Val trARPES:HHG:ID message too small=0
> 
> @@@ @@@ @@@ @@@ @@@
> @@@ Received a sigChild for process 19516. The process was killed by signal 11
> @@@ Current time: Wed Feb 13 18:23:58 2019
> @@@ Child process is shutting down, auto restart is disabled
> @@@ ^R or ^X restarts the child, ^Q quits the server
> ------------------------------------------------------------------------------
> Fritz-Haber-Institut    | Phone:         (+49 30) 8413-4270
> Heinz Junkes             | Fax (G3+G4):   (+49 30) 8413-5900
> Faradayweg 4-6        | 
> D - 14195 Berlin        | E-Mail:        [email protected]
> ------------------------------------------------------------------------------

Attachment: smime.p7s
Description: S/MIME cryptographic signature
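Added example (not code from the ip module or from either poster): a self-contained C model of the readSi GetID path that addresses the four points Mark lists above, so the record goes to READ_ALARM/INVALID_ALARM instead of the IOC segfaulting. The struct field names command, address, status and recBuf are the ones quoted from devTPG261.c; the nread field, the buffer sizes, the simulateCallback stand-in for the I/O half of devTPG261Callback, and the asynStatus enum values are assumptions of this example. The sample reply strings are constructed; the "junk" bytes mirror the telnet option negotiation visible in the MOXA trace, which is exactly the kind of input that contains no comma.

```c
#include <stdio.h>
#include <string.h>

#define REC_BUF_SIZE 64          /* assumed; the real recBuf size is not shown in the thread */
#define VALUE_SIZE   40          /* stringin VAL is 40 characters in EPICS Base */

enum { GetID = 0 };              /* "GET_ID command=0" in the initCommon trace above */

/* Stand-in for asyn's status enum; only the values used here. */
typedef enum { asynSuccess = 0, asynTimeout = 1 } asynStatus;

/* Hypothetical private structure. command/address/status/recBuf are the names
 * quoted from devTPG261.c; nread is the field Mark notes is missing from pPvt. */
typedef struct {
    int        command;
    int        address;
    asynStatus status;
    size_t     nread;
    char       recBuf[REC_BUF_SIZE];
} devPvt;

/* Models the I/O half of devTPG261Callback. reply == NULL means the port
 * driver returned nothing (no gauge on the serial line). */
static void simulateCallback(devPvt *pPvt, asynStatus status,
                             const char *reply, size_t nread)
{
    memset(pPvt->recBuf, 0, sizeof(pPvt->recBuf));  /* zero-fill: a failed read leaves no stale text */
    pPvt->status = status;
    pPvt->nread  = 0;                                /* byte count now lives in pPvt, not a local */
    if (status != asynSuccess || reply == NULL || nread == 0)
        return;
    if (nread >= sizeof(pPvt->recBuf))
        nread = sizeof(pPvt->recBuf) - 1;            /* keep room for the terminator */
    memcpy(pPvt->recBuf, reply, nread);
    pPvt->recBuf[nread] = '\0';
    pPvt->nread = nread;
}

/* Hardened GetID parsing: returns 0 and fills pvalue, or -1 when the record
 * should be set to READ_ALARM/INVALID_ALARM instead of the IOC dying. */
static int parseGetId(const devPvt *pPvt, char *pvalue, size_t valueSize)
{
    const char *cloc, *ploc;
    size_t len;

    if (pPvt->status != asynSuccess) return -1;  /* status stored by the callback, now actually checked */
    if (pPvt->nread == 0)            return -1;  /* the "message too small=0" case */
    if (pPvt->command != GetID)      return -1;

    cloc = strchr(pPvt->recBuf, ',');
    if (cloc == NULL) return -1;                 /* the NULL that devTPG261.c:484 dereferenced */

    if (pPvt->address == 1) {
        ploc = pPvt->recBuf;
        len  = (size_t)(cloc - ploc);            /* text before the comma; recBuf is not modified */
    } else {
        ploc = cloc + 1;
        len  = strlen(ploc);
    }
    if (len >= valueSize) len = valueSize - 1;   /* bounded copy instead of strcpy */
    memcpy(pvalue, ploc, len);
    pvalue[len] = '\0';
    return 0;
}

/* Exercises the cases from the thread; returns how many behave as intended (5). */
int selfCheck(void)
{
    devPvt pvt;
    char value[VALUE_SIZE];
    int ok = 0;
    const char *good = "TPG261,V1.0";                /* constructed reply, not captured from a gauge */
    const char junk[] = "\377\373\001\377\373\003";  /* telnet option bytes like those in the trace */

    memset(&pvt, 0, sizeof(pvt));
    pvt.command = GetID;

    pvt.address = 1;                                              /* normal reply, field before the comma */
    simulateCallback(&pvt, asynSuccess, good, strlen(good));
    ok += (parseGetId(&pvt, value, sizeof(value)) == 0 && strcmp(value, "TPG261") == 0);

    pvt.address = 2;                                              /* normal reply, field after the comma */
    simulateCallback(&pvt, asynSuccess, good, strlen(good));
    ok += (parseGetId(&pvt, value, sizeof(value)) == 0 && strcmp(value, "V1.0") == 0);

    pvt.address = 1;
    simulateCallback(&pvt, asynSuccess, "", 0);                   /* nread=0, input=[] */
    ok += (parseGetId(&pvt, value, sizeof(value)) == -1);

    simulateCallback(&pvt, asynTimeout, NULL, 0);                 /* read timed out, nothing connected */
    ok += (parseGetId(&pvt, value, sizeof(value)) == -1);

    simulateCallback(&pvt, asynSuccess, junk, sizeof(junk) - 1);  /* no comma: strchr returns NULL */
    ok += (parseGetId(&pvt, value, sizeof(value)) == -1);

    return ok;
}

int main(void)
{
    printf("%d of 5 scenarios handled without a crash\n", selfCheck());
    return 0;
}
```

The two design points worth carrying back into a real fix are that the parser reads status and byte count from pPvt rather than trusting strlen() on a buffer that may still hold the previous reply, and that it never writes into recBuf or copies unbounded into the record's VAL field.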

