Project

General

Profile

Actions

Bug #2349

closed

osmo-bts-octphy: segfault in l1_if.c

Added by dexter over 6 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
07/04/2017
Due date:
% Done:

100%

Spec Reference:

Description

The current master of osmo-bts segfaults when used with osmo-bts-octphy:

Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:385 (bts=0,trx=0,ts=2,ss=0) MPH-ACTIVATE.conf (FACCH/F RX_BTS_MS(UL))
Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:250 (bts=0,trx=0,ts=2,ss=0): lchan2lch_par tch_mode=0x00
Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:452 (bts=0,trx=0,ts=2,ss=0) MPH-ACTIVATE.req (SACCH TX_BTS_MS(DL))
Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:385 (bts=0,trx=0,ts=2,ss=0) MPH-ACTIVATE.conf (SACCH TX_BTS_MS(DL))
Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:250 (bts=0,trx=0,ts=2,ss=0): lchan2lch_par tch_mode=0x00
Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:452 (bts=0,trx=0,ts=2,ss=0) MPH-ACTIVATE.req (SACCH RX_BTS_MS(UL))
Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:385 (bts=0,trx=0,ts=2,ss=0) MPH-ACTIVATE.conf (SACCH RX_BTS_MS(UL))
Tue Jul  4 11:40:01 2017 <0007> l1sap.c:545 activate confirm chan_nr=0x0a trx=0
Tue Jul  4 11:40:01 2017 <0000> rsl.c:595 (bts=0,trx=0,ts=2,ss=0) Tx CHAN ACT ACK
Tue Jul  4 11:40:01 2017 <0006> l1_oml.c:859 (bts=0,trx=0,ts=2,ss=0) End of queue encountered. Now empty? 1
Tue Jul  4 11:40:01 2017 <0000> rsl.c:2386 (bts=0,trx=0,ts=0,ss=0) Rx RSL IMM_ASS_CMD

Program received signal SIGSEGV, Segmentation fault.
bts_model_l1sap_down (trx=trx@entry=0x7ffff7ef2070, l1sap=l1sap@entry=0x7fffffffdff0) at l1_if.c:705
705            rc = ph_tch_req(trx, msg, l1sap);
(gdb) bt
#0  bts_model_l1sap_down (trx=trx@entry=0x7ffff7ef2070, l1sap=l1sap@entry=0x7fffffffdff0) at l1_if.c:705
#1  0x000000000041f050 in l1sap_down (trx=trx@entry=0x7ffff7ef2070, l1sap=l1sap@entry=0x7fffffffdff0) at l1sap.c:1195
#2  0x000000000041fa4d in l1sap_tch_rts_ind (l1sap=<optimized out>, rts_ind=<optimized out>, rts_ind=<optimized out>, trx=0x7ffff7ef2070) at l1sap.c:863
#3  l1sap_up (trx=trx@entry=0x7ffff7ef2070, l1sap=<optimized out>) at l1sap.c:1160
#4  0x00000000004083d3 in handle_ph_rach_ind (fl1=<optimized out>, l1p_msg=<optimized out>, ra_ind=<optimized out>) at l1_if.c:1180
#5  rx_gsm_trx_rach_ind (msg=<optimized out>) at l1_if.c:1370
#6  rx_octvc1_notif (msg_id=<optimized out>, msg=<optimized out>) at l1_if.c:1408
#7  rx_octvc1_event_msg (msg=<optimized out>) at l1_if.c:1449
#8  rx_octvc1_data_f_msg (msg=<optimized out>) at l1_if.c:1557
#9  rx_octphy_msg (msg=<optimized out>) at l1_if.c:1609
#10 octphy_read_cb (ofd=<optimized out>) at l1_if.c:1661
#11 0x00007ffff79b99b3 in osmo_wqueue_bfd_cb (fd=0x6e8de8, what=1) at write_queue.c:49
#12 0x00007ffff79b5d9f in osmo_fd_disp_fds (_eset=0x7fffffffe2a0, _wset=0x7fffffffe220, _rset=0x7fffffffe1a0) at select.c:178
#13 osmo_select_main (polling=polling@entry=0) at select.c:218
#14 0x0000000000422365 in bts_main (argc=<optimized out>, argv=<optimized out>) at main.c:359
#15 0x00007ffff6756f45 in __libc_start_main (main=0x404700 <main>, argc=3, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at libc-start.c:287
#16 0x000000000040472e in _start ()
(gdb)
Actions #1

Updated by dexter over 6 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

The problem was caused the following two patches:

5047fbe3b8b9e1e2404c7c8952ae2ac7a0ada662 octphy: initalize nmsg only when needed
521ab50dcc95a7f0626340b76f9803805ee09bfc octphy: octphy: initalize l1msg and only when needed

nmsg and lmsg are still used by the else branch. However, the problem gets solved by the following patch, which is still in review:

https://gerrit.osmocom.org/#/c/3060/ octphy: do not send empty frames to phy

This patch removes the else branch almost completely so that nmsg/l1msg are not accessed anymore outside the if branch. For development I can revert the two mentioned patches. When 3060 is merged, things will be back to normal.

Actions #2

Updated by laforge over 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)