Bug #3219 (closed)
osmux_test2 fails on ubuntu 17.04 and 18.04
100%
Description
This can be seen in our OBS nightly builds, where libosmo-netif is marked as broken:
https://build.opensuse.org/project/monitor/network:osmocom:nightly
Building by hand in an lxc container with ubuntu 18.04 and running a gdb backtrace on it:
    (gdb) run
    Starting program: /tmp/libosmo-netif/tests/osmux/.libs/osmux_test2
    ===test_output_consecutive===
    sys={0.000000}, mono={0.000000}: clock_override_set
    sys={0.000000}, mono={0.000000}: dequeue: seq=50 ts=500 M enqueued=5
    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff79aec7f in rb_set_parent (rb=0x7ffff7ffa268, p=0xfffffffc) at ../include/osmocom/core/linuxrbtree.h:124
    124     rb->rb_parent_color = (rb->rb_parent_color & 3) | (unsigned long)p;
    (gdb) bt
    #0 0x00007ffff79aec7f in rb_set_parent (rb=0x7ffff7ffa268, p=0xfffffffc) at ../include/osmocom/core/linuxrbtree.h:124
    #1 rb_erase (node=node@entry=0x7fffffffe0d0, root=root@entry=0x7ffff7bbd890 <timer_root>) at rbtree.c:270
    #2 0x00007ffff79a36d6 in osmo_timer_del (timer=0x7fffffffe0d0) at timer.c:124
    #3 0x00007ffff79a3709 in osmo_timer_add (timer=timer@entry=0x7fffffffe0d0) at timer.c:86
    #4 0x00007ffff79a37f8 in osmo_timer_schedule (timer=timer@entry=0x7fffffffe0d0, seconds=0, microseconds=20000) at timer.c:111
    #5 0x00007ffff778f642 in osmux_xfrm_output_trigger (data=data@entry=0x7fffffffe0c0) at osmux.c:245
    #6 0x00007ffff778feea in osmux_xfrm_output_sched (h=0x7fffffffe0c0, osmuxh=0x555555759e18) at osmux.c:310
    #7 0x00005555555554ea in test_output_consecutive () at osmux/osmux_test2.c:173
    #8 main (argc=<optimized out>, argv=<optimized out>) at osmux/osmux_test2.c:370
while valgrind shows:
    root@ubuntu1804:/tmp/libosmo-netif/tests/osmux/.libs# valgrind ./osmux_test2
    ==517== Memcheck, a memory error detector
    ==517== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==517== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
    ==517== Command: ./osmux_test2
    ==517==
    ===test_output_consecutive===
    sys={0.000000}, mono={0.000000}: clock_override_set
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x54E4A41: vfprintf (vfprintf.c:1643)
    ==517==    by 0x55BB168: __vsnprintf_chk (vsnprintf_chk.c:63)
    ==517==    by 0x55BB094: __snprintf_chk (snprintf_chk.c:34)
    ==517==    by 0x10A2BD: snprintf (stdio2.h:64)
    ==517==    by 0x10A2BD: tx_cb (osmux_test2.c:140)
    ==517==    by 0x527E5C4: osmux_xfrm_output_trigger (osmux.c:253)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Use of uninitialised value of size 8
    ==517==    at 0x4C32CF2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==517==    by 0x54E64D2: vfprintf (vfprintf.c:1643)
    ==517==    by 0x55BB168: __vsnprintf_chk (vsnprintf_chk.c:63)
    ==517==    by 0x55BB094: __snprintf_chk (snprintf_chk.c:34)
    ==517==    by 0x10A2BD: snprintf (stdio2.h:64)
    ==517==    by 0x10A2BD: tx_cb (osmux_test2.c:140)
    ==517==    by 0x527E5C4: osmux_xfrm_output_trigger (osmux.c:253)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Use of uninitialised value of size 8
    ==517==    at 0x4C32D04: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==517==    by 0x54E64D2: vfprintf (vfprintf.c:1643)
    ==517==    by 0x55BB168: __vsnprintf_chk (vsnprintf_chk.c:63)
    ==517==    by 0x55BB094: __snprintf_chk (snprintf_chk.c:34)
    ==517==    by 0x10A2BD: snprintf (stdio2.h:64)
    ==517==    by 0x10A2BD: tx_cb (osmux_test2.c:140)
    ==517==    by 0x527E5C4: osmux_xfrm_output_trigger (osmux.c:253)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Use of uninitialised value of size 8
    ==517==    at 0x5517532: _IO_default_xsputn (genops.c:412)
    ==517==    by 0x54E5FEA: vfprintf (vfprintf.c:1643)
    ==517==    by 0x55BB168: __vsnprintf_chk (vsnprintf_chk.c:63)
    ==517==    by 0x55BB094: __snprintf_chk (snprintf_chk.c:34)
    ==517==    by 0x10A2BD: snprintf (stdio2.h:64)
    ==517==    by 0x10A2BD: tx_cb (osmux_test2.c:140)
    ==517==    by 0x527E5C4: osmux_xfrm_output_trigger (osmux.c:253)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    sys={0.000000}, mono={0.000000}: dequeue: seq=50 ts=500 M enqueued=5
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x505A6B6: osmo_timer_del (timer.c:122)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x5065C65: rb_erase (rbtree.c:224)
    ==517==    by 0x505A6D5: osmo_timer_del (timer.c:124)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x5065CDD: rb_erase (rbtree.c:269)
    ==517==    by 0x505A6D5: osmo_timer_del (timer.c:124)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x5065C85: rb_erase (rbtree.c:271)
    ==517==    by 0x505A6D5: osmo_timer_del (timer.c:124)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Use of uninitialised value of size 8
    ==517==    at 0x5065C87: rb_erase (rbtree.c:273)
    ==517==    by 0x505A6D5: osmo_timer_del (timer.c:124)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x5065C8B: rb_erase (rbtree.c:273)
    ==517==    by 0x505A6D5: osmo_timer_del (timer.c:124)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Use of uninitialised value of size 8
    ==517==    at 0x5065C95: rb_erase (rbtree.c:276)
    ==517==    by 0x505A6D5: osmo_timer_del (timer.c:124)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x5065C9C: rb_erase (rbtree.c:282)
    ==517==    by 0x505A6D5: osmo_timer_del (timer.c:124)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Conditional jump or move depends on uninitialised value(s)
    ==517==    at 0x505A6E1: osmo_timer_del (timer.c:126)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Use of uninitialised value of size 8
    ==517==    at 0x505A6E7: __llist_del (linuxlist.h:114)
    ==517==    by 0x505A6E7: llist_del_init (linuxlist.h:136)
    ==517==    by 0x505A6E7: osmo_timer_del (timer.c:127)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==
    ==517== Invalid write of size 8
    ==517==    at 0x505A6E7: __llist_del (linuxlist.h:114)
    ==517==    by 0x505A6E7: llist_del_init (linuxlist.h:136)
    ==517==    by 0x505A6E7: osmo_timer_del (timer.c:127)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
    ==517==
    ==517==
    ==517== Process terminating with default action of signal 11 (SIGSEGV)
    ==517==  Access not within mapped region at address 0x8
    ==517==    at 0x505A6E7: __llist_del (linuxlist.h:114)
    ==517==    by 0x505A6E7: llist_del_init (linuxlist.h:136)
    ==517==    by 0x505A6E7: osmo_timer_del (timer.c:127)
    ==517==    by 0x505A708: osmo_timer_add (timer.c:86)
    ==517==    by 0x505A7F7: osmo_timer_schedule (timer.c:111)
    ==517==    by 0x527E641: osmux_xfrm_output_trigger (osmux.c:245)
    ==517==    by 0x527EEE9: osmux_xfrm_output_sched (osmux.c:310)
    ==517==    by 0x1094E9: test_output_consecutive (osmux_test2.c:173)
    ==517==    by 0x1094E9: main (osmux_test2.c:370)
    ==517==  If you believe this happened as a result of a stack
    ==517==  overflow in your program's main thread (unlikely but
    ==517==  possible), you can try to increase the size of the
    ==517==  main thread stack using the --main-stacksize= flag.
    ==517==  The main thread stack size used in this run was 8388608.
    ==517==
    ==517== HEAP SUMMARY:
    ==517==     in use at exit: 4,659 bytes in 13 blocks
    ==517==   total heap usage: 15 allocs, 2 frees, 5,944 bytes allocated
    ==517==
    ==517== LEAK SUMMARY:
    ==517==    definitely lost: 0 bytes in 0 blocks
    ==517==    indirectly lost: 0 bytes in 0 blocks
    ==517==      possibly lost: 4,659 bytes in 13 blocks
    ==517==    still reachable: 0 bytes in 0 blocks
    ==517==         suppressed: 0 bytes in 0 blocks
    ==517== Rerun with --leak-check=full to see details of leaked memory
    ==517==
    ==517== For counts of detected and suppressed errors, rerun with: -v
    ==517== Use --track-origins=yes to see where uninitialised values come from
    ==517== ERROR SUMMARY: 17 errors from 15 contexts (suppressed: 0 from 0)
    Segmentation fault
Updated by laforge almost 6 years ago
- Assignee changed from pespin to laforge
- % Done changed from 0 to 50
the following diff makes it pass:
diff --git a/tests/osmux/osmux_test2.c b/tests/osmux/osmux_test2.c index ecd9296..b3e0aa4 100644 --- a/tests/osmux/osmux_test2.c +++ b/tests/osmux/osmux_test2.c @@ -159,6 +159,8 @@ static void test_output_consecutive(void) { struct osmux_out_handle h_output; + memset(&h_output, 0, sizeof(h_output)); + printf("===test_output_consecutive===\n"); clock_override_enable(true);
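Review bot: the memset() added at the top of test_output_consecutive() clears only this one stack-allocated h_output, so the crash is avoided in this test while any other caller that hands an uncleared struct osmux_out_handle to the library can still reach osmo_timer_schedule() with garbage in the timer, as in the backtrace above. Consider initialising the handle (including the newly added member) inside osmux_xfrm_output_init() instead, so callers do not have to pre-zero it; if the memset stays in the test, a short comment on why it is needed would help the next reader.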
so somehow osmux_xfrm_output_init() is not clearing the h_output?
In Change-Id: I2efed6d726a1b8e77e686c7a5fe1940d3f4901a7 we're adding a new member to 'struct osmux_out_handle' which is not initialized....
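An added illustration (not code from libosmo-netif or from this ticket) of the failure mode diagnosed above: an init function that assigns members one by one silently leaves a later-added timer member holding whatever was on the stack. All struct and function names are hypothetical stand-ins, and the 0xAA fill stands in for stale stack contents so the result is the same on every distribution and compiler.

```c
/* Added illustration. Struct layout and names are hypothetical stand-ins,
 * not the real libosmo-netif / libosmocore definitions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_node { struct list_node *next, *prev; };
struct timer { struct list_node list; unsigned int active; };

struct out_handle {
	unsigned short rtp_seq;
	unsigned int rtp_timestamp;
	struct timer timer;	/* member added after init was written */
};

/* Before: init assigns only the members it was written for. */
static void init_fieldwise(struct out_handle *h)
{
	h->rtp_seq = 0;
	h->rtp_timestamp = 0;
}

/* After: clear the whole handle so every member starts from zero. */
static void init_zeroed(struct out_handle *h)
{
	memset(h, 0, sizeof(*h));
}

/* Poison a handle, run init, and count the bytes of the timer member that
 * still carry the poison. Non-zero means a timer delete path would see a
 * non-zero 'active' flag and follow stale list pointers. */
static size_t timer_poison_after(void (*init)(struct out_handle *))
{
	struct out_handle h;
	const unsigned char *p = (const unsigned char *)&h.timer;
	size_t i, left = 0;

	memset(&h, 0xAA, sizeof(h));
	init(&h);
	for (i = 0; i < sizeof(h.timer); i++)
		left += (p[i] == 0xAA);
	return left;
}

int main(void)
{
	printf("fieldwise: %zu poisoned timer bytes\n", timer_poison_after(init_fieldwise));
	printf("zeroed:    %zu poisoned timer bytes\n", timer_poison_after(init_zeroed));
	return 0;
}
```

Poisoning the object before calling init makes a missed member show up deterministically in a unit test instead of depending on what a given toolchain happens to leave on the stack.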
Updated by laforge almost 6 years ago
- % Done changed from 50 to 80
patch in https://gerrit.osmocom.org/7948
Updated by laforge almost 6 years ago
- Status changed from New to In Progress
- Assignee changed from laforge to pespin
the build on 18.04 is now fixed, but 17.04 is still failing and debian9 is now also failing:
https://build.opensuse.org/package/live_build_log/network:osmocom:nightly/libosmo-netif/Debian_9.0/x86_64
handing back to pespin.
Updated by laforge almost 6 years ago
- Status changed from In Progress to Resolved
- Assignee changed from pespin to laforge
- % Done changed from 80 to 100
I accidentally triggered the last build before merging the patch. After merging it, all distros/architectures are building fine.