[srslte-users] Seg fault in scrambling_b_word
David Rupprecht
david.rupprecht at rub.de
Tue Jul 11 10:34:08 UTC 2017
Hello,
I think I found the issue. It is a race condition. While thread 1 tries
to access the not yet allocated c pointers, thread 2 is currently filling
them. The gdb output is attached. That leads me to the question whether my PC
has not enough resources. That problem did not occur under the
srsLTE/srsUE 1.4 version.
Best Regards,
David
On 04.07.2017 12:12, Ismael Gomez wrote:
> Hi David,
>
> So if seq[0] ... seq[4] are non-empty, it means that during
> srslte_pusch_set_rnti() there was some problem: srslte_sequence_pusch()
> returned != 0 and it didn't properly initialize. But looking at that
> function it is not clear to me how that can happen. Can you insert
> breakpoints or print debug messages in those cases to confirm that is
> what is happening?
>
> Thank you
>
> On Mon, 3 Jul 2017 at 17:41 David Rupprecht <david.rupprecht at rub.de> wrote:
>
> Hello,
>
> I just had some time to dig into the problem. It looks like the
> calloc/malloc does not seem to be the problem, because the pointer for
> srslte_pusch_t seems to be correctly allocated. The error occurs
> because the pointers of the seq are not correctly allocated: c (c
> = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0) points to an invalid
> address (interestingly, len=0). Now when using calloc it points to
> NULL, as can be seen below.
>
> $9 = {c = 0x7fa2dd4ba000 "", c_bytes = 0x7fa2dd4d2a00
> "^K\026\200\313\353q1\343k\253ݼ\247J\247\263z\367\356V\322蕕~\032<q
> \334,\213~\351a\366\035\214z\267_\243\330\372\350]q\t",
> c_float = 0x7fa2dd4d5c00,
> c_short = 0x7fa2dd538400, len = 100800}
> (gdb) p q->users[27460]->seq[4]
> $10 = {c = 0x7fa2dd569800 "", c_bytes = 0x7fa2dd582200
> ",\351\264\177[\033\207\065\t\301O\256<\240w*\263\"NxPO(", <incomplete
> sequence \337>, c_float = 0x7fa2dd585400, c_short = 0x7fa2dd5e7c00, len
> = 100800}
> (gdb) p q->users[27460]->seq[5]
> $11 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
> (gdb) p q->users[27460]->seq[6]
> $12 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
> (gdb) p q->users[27460]->seq[7]
> $13 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
> (gdb) p q->users[27460]->seq[8]
> $14 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
> (gdb) p q->users[27460]->seq[9]
> $15 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
>
> The initialization of the struct is done in srslte_pusch_set_rnti.
> The function is called in srslte_ue_ul_set_rnti. On the one hand, if
> srslte_pusch_set_rnti throws an error it is not caught in
> srslte_ue_ul_set_rnti. Or srslte_sequence_init does something wrong, but
> that looks fine to me. Maybe len=0 is also an indicator for the error.
>
> Best Regards,
> David
>
> On 30.06.2017 12:41, David Rupprecht wrote:
> > Hello,
> >
> > I have tested the patch a few times and unfortunately the same error
> > continues to occur.
> >
> > Regards,
> > David
> >
> > On 28.06.2017 17:00, David Rupprecht wrote:
> >> Hi,
> >>
> >> thank you for the patch. I will test it. Unfortunately, the error was
> >> not always triggered.
> >>
> >> Regards,
> >> David
> >>
> >> On 28.06.2017 15:03, Ismael Gomez wrote:
> >>> Hi David,
> >>>
> >>> You are completely right. Thanks very much for catching this and
> >>> providing us the exact hints. It was a malloc() that should be calloc()
> >>> instead. Apparently in most of the systems malloc() was returning zeroed
> >>> memory except in yours :).
> >>>
> >>> I just committed a fix to github. Would be great if you let us know if
> >>> it works.
> >>>
> >>> Regards
> >>>
> >>> On Wed, 28 Jun 2017 at 12:20 David Rupprecht <david.rupprecht at rub.de> wrote:
> >>>
> >>> Hi,
> >>>
> >>> while running the ue stack I ran into a seg fault in the function
> >>> scrambling_b_word. I compiled the ue with debug parameters and it looks
> >>> like the srslte_sequence_t struct is not correctly initiated (c=0x5400
> >>> <error: Cannot access memory at address 0x5400>). The whole struct looks
> >>> like:
> >>>
> >>> (gdb) p s
> >>> $8 = (srslte_sequence_t *) 0x7f8eb000b630
> >>> (gdb) print *s
> >>> $9 = {c = 0x4800 <error: Cannot access memory at address 0x4800>,
> >>> c_bytes = 0x5400 <error: Cannot access memory at address 0x5400>,
> >>> c_float = 0x6000, c_short = 0x6c00, len = 30720}
> >>>
> >>>
> >>> Do you have any suggestions where the problem might be?
> >>> I attached the gdb output.
> >>>
> >>> Best Regards,
> >>> David
> >>>
>
--
M.Sc. David Rupprecht
Ruhr-University Bochum
Research Group Information Security
Universitätsstraße 150
ID 2/130
44780 Bochum / Germany
Phone: +49 234 / 32 - 23508
Web: www.infsec.rub.de
-------------- next part --------------
#0 0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
75 x[i] = (x[i] ^ y[i]);
[Current thread is 1 (Thread 0x7fa2eb7fe700 (LWP 27104))]
(gdb) bt
#0 0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
#1 0x000000000053fbc0 in srslte_scrambling_bytes (s=0x7fa2dc0bae90, data=0x7fa2e1409f00 "\026\023\263\200", len=1728) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:97
#2 0x000000000055aa57 in srslte_pusch_encode (q=0x7fa317086bc8, cfg=0x7fa31708525c, softbuffer=0x7fa30a2976b0, data=0x7675e30 ">\037", uci_data=..., rnti=27460, sf_symbols=0x7fa2e163b800)
at /home/david/srsLTE/lib/src/phy/phch/pusch.c:455
#3 0x00000000005427b7 in srslte_ue_ul_pusch_encode_rnti_softbuffer (q=0x7fa3170851b0, data=0x7675e30 ">\037", uci_data=..., softbuffer=0x7fa30a2976b0, rnti=27460, output_signal=0x7fa2e06fc900)
at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:397
#4 0x00000000004dd771 in srsue::phch_worker::encode_pusch (this=0x7fa317075010, grant=0x7fa2eb7fdbd8, payload=0x7675e30 ">\037", current_tx_nb=2, softbuffer=0x7fa30a2976b0, rv=3, rnti=27460, is_from_rar=false)
at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:702
#5 0x00000000004da0d8 in srsue::phch_worker::work_imp (this=0x7fa317075010) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:259
#6 0x00000000005069cb in srslte::thread_pool::worker::run_thread (this=0x7fa317075010) at /home/david/srsLTE/lib/src/common/thread_pool.cc:61
#7 0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa317075010) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#8 0x00007fa316d2a6ba in start_thread (arg=0x7fa2eb7fe700) at pthread_create.c:333
#9 0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) ls -la
Undefined command: "ls". Try "help".
(gdb) bt
#0 0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
#1 0x000000000053fbc0 in srslte_scrambling_bytes (s=0x7fa2dc0bae90, data=0x7fa2e1409f00 "\026\023\263\200", len=1728) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:97
#2 0x000000000055aa57 in srslte_pusch_encode (q=0x7fa317086bc8, cfg=0x7fa31708525c, softbuffer=0x7fa30a2976b0, data=0x7675e30 ">\037", uci_data=..., rnti=27460, sf_symbols=0x7fa2e163b800)
at /home/david/srsLTE/lib/src/phy/phch/pusch.c:455
#3 0x00000000005427b7 in srslte_ue_ul_pusch_encode_rnti_softbuffer (q=0x7fa3170851b0, data=0x7675e30 ">\037", uci_data=..., softbuffer=0x7fa30a2976b0, rnti=27460, output_signal=0x7fa2e06fc900)
at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:397
#4 0x00000000004dd771 in srsue::phch_worker::encode_pusch (this=0x7fa317075010, grant=0x7fa2eb7fdbd8, payload=0x7675e30 ">\037", current_tx_nb=2, softbuffer=0x7fa30a2976b0, rv=3, rnti=27460, is_from_rar=false)
at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:702
#5 0x00000000004da0d8 in srsue::phch_worker::work_imp (this=0x7fa317075010) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:259
#6 0x00000000005069cb in srslte::thread_pool::worker::run_thread (this=0x7fa317075010) at /home/david/srsLTE/lib/src/common/thread_pool.cc:61
#7 0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa317075010) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#8 0x00007fa316d2a6ba in start_thread (arg=0x7fa2eb7fe700) at pthread_create.c:333
#9 0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) threads
Undefined command: "threads". Try "help".
(gdb) thread
[Current thread is 1 (Thread 0x7fa2eb7fe700 (LWP 27104))]
(gdb) show threads
Undefined show command: "threads". Try "help show".
(gdb) info threads
Id Target Id Frame
* 1 Thread 0x7fa2eb7fe700 (LWP 27104) 0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
2 Thread 0x7fa2e9ffb700 (LWP 27107) srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
3 Thread 0x7fa2f972c700 (LWP 27101) 0x00007fa314e2970d in poll () at ../sysdeps/unix/syscall-template.S:84
4 Thread 0x7fa2faf2f700 (LWP 27086) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
5 Thread 0x7fa2ea7fc700 (LWP 27106) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
6 Thread 0x7fa3170fc7c0 (LWP 27084) 0x00007fa314dfa30d in nanosleep () at ../sysdeps/unix/syscall-template.S:84
7 Thread 0x7fa2fa72e700 (LWP 27087) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
8 Thread 0x7fa2f9f2d700 (LWP 27100) 0x00007fa314e2970d in poll () at ../sysdeps/unix/syscall-template.S:84
9 Thread 0x7fa2eaffd700 (LWP 27105) __lll_lock_wait () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
10 Thread 0x7fa2e8ff9700 (LWP 27110) 0x00007fa314dfa30d in nanosleep () at ../sysdeps/unix/syscall-template.S:84
11 Thread 0x7fa2dbfff700 (LWP 27111) 0x00007fa314e2524d in read () at ../sysdeps/unix/syscall-template.S:84
12 Thread 0x7fa2e97fa700 (LWP 27108) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
13 Thread 0x7fa2fb730700 (LWP 27085) 0x00007fa316d3351d in read () at ../sysdeps/unix/syscall-template.S:84
14 Thread 0x7fa2ebfff700 (LWP 27103) pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:225
15 Thread 0x7fa2daffd700 (LWP 27113) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
16 Thread 0x7fa2f8d19700 (LWP 27102) pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:225
(gdb) thread 2
[Switching to thread 2 (Thread 0x7fa2e9ffb700 (LWP 27107))]
#0 srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
294 for(i=0; i<nof_bits; i++) {
(gdb) bt
#0 srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
#1 0x000000000053865f in srslte_bit_pack_vector (unpacked=0x7fa2dd579480 "\001\001\001", packed=0x7fa2dd582200 ",\351\264\177[\033\207\065\t\301O\256<\240w*\263\"NxPO(", <incomplete sequence \337>,
nof_bits=100800) at /home/david/srsLTE/lib/src/phy/utils/bit.c:281
#2 0x0000000000519a8a in srslte_sequence_LTE_pr (q=0x7fa2dc0badf0, len=100800, seed=449906835) at /home/david/srsLTE/lib/src/phy/common/sequence.c:84
#3 0x00000000005289fb in srslte_sequence_pusch (seq=0x7fa2dc0badf0, rnti=27460, nslot=8, cell_id=147, len=100800) at /home/david/srsLTE/lib/src/phy/phch/sequences.c:78
#4 0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
#5 0x00000000005419d2 in srslte_ue_ul_set_rnti (q=0x7fa3170851b0, rnti=27460) at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:162
#6 0x00000000004d98f6 in srsue::phch_worker::set_crnti (this=0x7fa317075010, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:160
#7 0x00000000004e2529 in srsue::phy::set_crnti (this=0x7fa30a191200, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phy.cc:309
#8 0x00000000004c4799 in srsue::mac::run_thread (this=0x7fa30a2959a8) at /home/david/srsLTE/srsue/src/mac/mac.cc:191
#9 0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa30a2959c0) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#10 0x00007fa316d2a6ba in start_thread (arg=0x7fa2e9ffb700) at pthread_create.c:333
#11 0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) frame 4
#4 0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
warning: Source file is more recent than executable.
399 if (srslte_sequence_pusch(&q->users[rnti]->seq[i], rnti, 2 * i, q->cell.id,
(gdb) bt
#0 srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
#1 0x000000000053865f in srslte_bit_pack_vector (unpacked=0x7fa2dd579480 "\001\001\001", packed=0x7fa2dd582200 ",\351\264\177[\033\207\065\t\301O\256<\240w*\263\"NxPO(", <incomplete sequence \337>,
nof_bits=100800) at /home/david/srsLTE/lib/src/phy/utils/bit.c:281
#2 0x0000000000519a8a in srslte_sequence_LTE_pr (q=0x7fa2dc0badf0, len=100800, seed=449906835) at /home/david/srsLTE/lib/src/phy/common/sequence.c:84
#3 0x00000000005289fb in srslte_sequence_pusch (seq=0x7fa2dc0badf0, rnti=27460, nslot=8, cell_id=147, len=100800) at /home/david/srsLTE/lib/src/phy/phch/sequences.c:78
#4 0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
#5 0x00000000005419d2 in srslte_ue_ul_set_rnti (q=0x7fa3170851b0, rnti=27460) at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:162
#6 0x00000000004d98f6 in srsue::phch_worker::set_crnti (this=0x7fa317075010, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:160
#7 0x00000000004e2529 in srsue::phy::set_crnti (this=0x7fa30a191200, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phy.cc:309
#8 0x00000000004c4799 in srsue::mac::run_thread (this=0x7fa30a2959a8) at /home/david/srsLTE/srsue/src/mac/mac.cc:191
#9 0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa30a2959c0) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#10 0x00007fa316d2a6ba in start_thread (arg=0x7fa2e9ffb700) at pthread_create.c:333
#11 0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) frame 4
#4 0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
399 if (srslte_sequence_pusch(&q->users[rnti]->seq[i], rnti, 2 * i, q->cell.id,
(gdb) print i
$1 = 4
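The diagnosis above (thread 2 still filling users[27460]->seq[] inside srslte_pusch_set_rnti while thread 1 already scrambles with that table, so the encoder reads seq entries whose c pointer is still NULL) is a publish-before-init hazard. As an added example, not code from srsLTE or from anyone in this thread, here is one defensive shape in C: the whole sequence table is built in private memory, every return code is checked, and only then is the pointer published, while the consumer validates the sequence before using it. The struct layout, function names, toy sequence generator and the demo_q/demo_data objects are assumptions modelled on the names in the gdb output.

```c
/* Added example, not srsLTE code: publish-after-init for the per-RNTI PUSCH scrambling
 * table. Names follow the gdb output (users[rnti]->seq[i], c, len); types, functions
 * and the toy sequence generator are constructed for this illustration. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

#define NOF_SLOTS 10       /* seq[i] is initialised for nslot = 2*i, i = 0..9 */
#define SEQ_LEN   100800   /* len reported in the gdb session */
typedef struct { uint8_t *c; uint32_t len; } seq_t;            /* subset of srslte_sequence_t */
typedef struct { seq_t seq[NOF_SLOTS]; } user_t;
typedef struct { _Atomic(user_t *) users[1 << 16]; } pusch_t;  /* indexed by RNTI */

/* Stand-in for srslte_sequence_pusch(): allocate and fill one sequence (toy PRBS). */
static int sequence_init(seq_t *s, uint16_t rnti, uint32_t nslot, uint32_t len) {
    if (!(s->c = calloc(len, 1))) return -1;
    for (uint32_t k = 0; k < len; k++) s->c[k] = (uint8_t)((rnti ^ nslot ^ k) & 1);
    s->len = len;
    return 0;
}

/* Build the whole entry privately, check every return code, then publish it with one
 * release-store: a concurrent encoder sees NULL or a complete table, never seq[5..9]
 * still zeroed as in the crash. A second set for the same RNTI returns -2 (no reclaim). */
int pusch_set_rnti(pusch_t *q, uint16_t rnti) {
    if (atomic_load_explicit(&q->users[rnti], memory_order_acquire)) return -2;
    user_t *u = calloc(1, sizeof *u);   /* calloc: no pointer is ever left uninitialised */
    if (!u) return -1;
    for (int i = 0; i < NOF_SLOTS; i++) {
        if (sequence_init(&u->seq[i], rnti, 2 * i, SEQ_LEN) != 0) {
            while (i-- > 0) free(u->seq[i].c);
            free(u);
            return -1;                  /* propagate the failure instead of leaving c == NULL */
        }
    }
    atomic_store_explicit(&q->users[rnti], u, memory_order_release);
    return 0;
}

/* Consumer side of scrambling_b_word(): validate the sequence before XOR-ing with it. */
int pusch_scramble(pusch_t *q, uint16_t rnti, int i, uint8_t *data, uint32_t len) {
    user_t *u = atomic_load_explicit(&q->users[rnti], memory_order_acquire);
    if (!u || i < 0 || i >= NOF_SLOTS || !u->seq[i].c || u->seq[i].len < len) return -1;
    for (uint32_t k = 0; k < len; k++) data[k] ^= u->seq[i].c[k];
    return 0;
}

pusch_t demo_q;              /* 512 KiB of pointers, so a global rather than a stack object */
uint8_t demo_data[216];      /* constructed payload; len=216 as in frame #0 of the backtrace */
```

Before pusch_set_rnti has published the table, pusch_scramble refuses with -1 instead of dereferencing a NULL c pointer; after publication it scrambles with the complete table.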