Experimental Physics and
Industrial Control System

Mark Rivers via Tech-talk <tech-talk at aps.anl.gov> · Wed, 18 Nov 2020 14:50:10 +0000

Hi Adballa,

I have not looked in detail at your code.  But the first entry (last call) in the backtrace looks suspicious:

#0  recGblSetSevr (precord=precord@entry=0x3737382d20202020, new_stat=new_stat@entry=14, new_sevr=new_sevr@entry=3) at ../../../src/ioc/db/recGbl.c:219

Note that precord (the address of the record) is 0x3737382d20202020.  That hex string looks too long for an address,  If it is interpreted in ASCII it is :"778-     " i,e, 778- followed  by 4 space characters.. It looks to me as if a valid record address may have  been overwritten by an ASCII string.  So I suspect a buffer overflow problem.

This code in

asynStatus LiberaSpark::readOctet(asynUser *pasynUser, char *value, size_t maxChars, size_t *nActual, int *eomReason)

looks like it could be incorrect.

    char buffer[1000];
    memset(buffer, 0, sizeof(buffer));
    bytes = read(this->device_socket, buffer, sizeof(buffer));
    pthread_mutex_unlock(&device_mutex);
    if(bytes == -1)
    {
        perror("read");
        return asynError;
    }

    length = strlen(buffer);
    buffer[length - 1] = '\0';
    strncpy(value, buffer, length);

You create a 1000 byte buffer and potentially read 1000 characters into it.  There is no guarantee that the buffer is 0 terminated.  You then set length equal to strlen(buffer).  If the buffer is not 0 terminated that operation will go past the end of the buffer looking for a 0 byte.  You then set that character to 0, but it seems it was already 0 by definition.  You then copy length bytes from buffer to value.  value has a size of maxChars.  But when you copy to value you do not ensure that you have not copied more than maxChars bytes.  This is a potential buffer overflow problem.

Mark

________________________________
From: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>
Sent: Wednesday, November 18, 2020 3:08 AM
To: Mark Rivers; Michael Davidsaver; tech-talk at aps.anl.gov
Subject: Re: AsynPortDriver separate thread causes Segmentation fault with "dbGetLinkValue" error message

Hello Mark

Sorry for the late response. Attached is the backtrace and the database. The crash happens if I use any record other than the waveform record. Also attached the driver source code.

Thank you very much.
Abdalla.
________________________________
From: Mark Rivers <rivers at cars.uchicago.edu>
Sent: Thursday, November 5, 2020 6:55 PM
To: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>; Michael Davidsaver <mdavidsaver at gmail.com>; tech-talk at aps.anl.gov <tech-talk at aps.anl.gov>
Subject: Re: AsynPortDriver separate thread causes Segmentation fault with "dbGetLinkValue" error message

> Right now I can't get my machine to enable core dumps in order to view the gdb backtrace,

You don't need to enable core dumps.  You can run the IOC within gdb to start with, and then you just issue the backtrace command at the gdb prompt

gdb [path_to_IOC]
gdb> run st.cmd
[crash]
gdb> backtrace

Mark

________________________________
From: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>
Sent: Thursday, November 5, 2020 10:23 AM
To: Mark Rivers; Michael Davidsaver; tech-talk at aps.anl.gov
Subject: Re: AsynPortDriver separate thread causes Segmentation fault with "dbGetLinkValue" error message

Hi Mark

I meant is it possible to set the NORD field in asyn port driver? Right now I can't get my machine to enable core dumps in order to view the gdb backtrace, but I just found out that every time I request a large buffer, I get a received byte count of 1448 which is the maximum data size in a TCP packet. I'll try to handle such case and see what happens.

Best Regards,
Abdalla.
________________________________
From: Mark Rivers <rivers at cars.uchicago.edu>
Sent: Thursday, November 5, 2020 6:15 PM
To: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>; Michael Davidsaver <mdavidsaver at gmail.com>; tech-talk at aps.anl.gov <tech-talk at aps.anl.gov>
Subject: Re: AsynPortDriver separate thread causes Segmentation fault with "dbGetLinkValue" error message

> Regarding EPICS waveforms, what I meant is variable length from the client side;

> For example I set a buffer size in a PV and based on that PV value I read a specific length so that a plotter for example reads data with that specific length only.
> Does NORD achieve this?

NORD controls the maximum number of elements that can be read from the record.  It is the number of "available" elements.  You can request fewer elements in a read requests as well.

> If yes, how does asyn access individual record's fields?.

I am not sure what you mean by that question.

Have you been able to get a gdb traceback of your access violation problem?

Mark

________________________________
From: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>
Sent: Thursday, November 5, 2020 9:46 AM
To: Michael Davidsaver; Mark Rivers; tech-talk at aps.anl.gov
Subject: Re: AsynPortDriver separate thread causes Segmentation fault with "dbGetLinkValue" error message

Hi all.

Buffer size is 48 because the device sends waveform data in lines so I read each line separately by reading 48 bytes, If I request ADC 200 for example I receive 200 lines where each line is 48 bytes. I even did a test where I used a buffer size of 1M to receive the full 20000 lines and still got the same error.

Regarding EPICS waveforms, what I meant is variable length from the client side; For example I set a buffer size in a PV and based on that PV value I read a specific length so that a plotter for example reads data with that specific length only. Does NORD achieve this? If yes, how does asyn access individual record's fields?.

Best Regards,
Abdalla.
________________________________
From: Michael Davidsaver <mdavidsaver at gmail.com>
Sent: Tuesday, November 3, 2020 7:18 PM
To: Mark Rivers <rivers at cars.uchicago.edu>; Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>; tech-talk at aps.anl.gov <tech-talk at aps.anl.gov>
Subject: Re: AsynPortDriver separate thread causes Segmentation fault with "dbGetLinkValue" error message

On 11/3/20 8:49 AM, Mark Rivers via Tech-talk wrote:
> -          I don’t think EPICS supports variable length waveform records.  You need to create the waveform record in dbLoadRecords with a size that is the largest you plan to use.  That is what areaDetector does with NDPluginStdArrays.

To clarify, waveform records have a _maximum_ size which is fixed
on initialization (eg. NELM).  Actually size (NORD) has long been
changeable at runtime in the range [0, NELM].

Some caveats about NORD==0 apply wrt. CA specifically (works fine with PVA).

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System