Bug #4669

closed

mutex fix related use after free

Added by Hoernchen over 1 year ago. Updated over 1 year ago.

Status: Rejected
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 07/17/2020
Due date:
% Done: 100%
Spec Reference:

Description

caused by http://cgit.osmocom.org/osmo-trx/commit/Transceiver52M/radioVector.cpp?id=8b0c5368f53b16a00206b64f319ff08cdf32d521


13:07:49: Debugging starts
Fri Jul 17 13:07:50 2020 DLSTATS <0010> stats.c:189 Stats timer started with interval 5 sec
Fri Jul 17 13:07:50 2020 DLGLOBAL <0007> telnet_interface.c:104 Available via telnet 127.0.0.1 4237
Fri Jul 17 13:07:50 2020 DLCTRL <000e> control_if.c:911 CTRL at 127.0.0.1 4236
Fri Jul 17 13:07:50 2020 DMAIN <0000> osmo-trx.cpp:484 [tid=140737316968384] Config Settings
   Log Level............... 0
   Device args............. ipc_msock=/tmp/ipc_sock0
   TRX Base Port........... 5700
   TRX Address............. 127.0.0.1
   GSM BTS Address......... 127.0.0.1
   Channels................ 2
   Tx Samples-per-Symbol... 4
   Rx Samples-per-Symbol... 4
   EDGE support............ 1
   Extended RACH support... 0
   Reference............... 1
   Filler Burst Type....... Empty bursts
   Filler Burst TSC........ 0
   Filler Burst RACH Delay. 0
   Multi-Carrier........... 0
   Tuning offset........... 0
   RSSI to dBm offset...... 28
   Swap channels........... 0
   Tx Antennas............. 'TX/RX' 'TX/RX'
   Rx Antennas............. 'RX2' 'RX2'

[INFO] [UHD] linux; Clang version 10.0.0 ; Boost_107100; UHD_4.0.0.0-0-3b59529e
Fri Jul 17 13:07:50 2020 DDEV <0005> UHDDevice.cpp:543 [tid=140737316968384] Using discovered UHD device type=b200,name=MyB210,serial=blabla,product=B210
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:419 [tid=140737260812032] [B200] Detected Device: B210
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:466 [tid=140737260812032] [B200] Operating over USB 3.
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:616 [tid=140737260812032] [B200] Initialize CODEC control...
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:685 [tid=140737260812032] [B200] Initialize Radio control...
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1023 [tid=140737260812032] [B200] Performing register loopback test... 
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1032 [tid=140737260812032] [B200] Register loopback test passed
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1023 [tid=140737260812032] [B200] Performing register loopback test... 
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1032 [tid=140737260812032] [B200] Register loopback test passed
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:813 [tid=140737260812032] [B200] Setting master clock rate selection to 'automatic'.
Fri Jul 17 13:07:50 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1073 [tid=140737260812032] [B200] Asking for clock rate 16.000000 MHz... 
Fri Jul 17 13:07:51 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1086 [tid=140737260812032] [B200] Actually got clock rate 16.000000 MHz.
Fri Jul 17 13:07:51 2020 DMAIN <0000> UHDDevice.cpp:205 [tid=140737316968384] Antennas configured successfully
Fri Jul 17 13:07:51 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/multi_usrp.cpp:526 [tid=140737260812032] [MULTI_USRP] Setting master clock rate selection to 'manual'.
Fri Jul 17 13:07:51 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1073 [tid=140737260812032] [B200] Asking for clock rate 26.000000 MHz... 
Fri Jul 17 13:07:51 2020 DDEVDRV <0006> /xx/uhd/host/lib/usrp/b200/b200_impl.cpp:1086 [tid=140737260812032] [B200] Actually got clock rate 26.000000 MHz.
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:332 [tid=140737316968384] Rates configured for B210 4 SPS
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:292 [tid=140737316968384] Supported Tx gain range [0; 89.75]
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:297 [tid=140737316968384] Supported Rx gain range [0; 76]
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:301 [tid=140737316968384] Default setting Tx gain for channel 0 to 44.875
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:301 [tid=140737316968384] Default setting Tx gain for channel 1 to 44.875
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:308 [tid=140737316968384] Default setting Rx gain for channel 0 to 38
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:308 [tid=140737316968384] Default setting Rx gain for channel 1 to 38
Fri Jul 17 13:07:52 2020 DDEV <0005> UHDDevice.cpp:642 [tid=140737316968384] Device configuration: Single USRP:
  Device: B-Series Device
  Mboard 0: B210
  RX Channel: 0
    RX DSP: 0
    RX Dboard: A
    RX Subdev: FE-RX2
  RX Channel: 1
    RX DSP: 1
    RX Dboard: A
    RX Subdev: FE-RX1
  TX Channel: 0
    TX DSP: 0
    TX Dboard: A
    TX Subdev: FE-TX2
  TX Channel: 1
    TX DSP: 1
    TX Dboard: A
    TX Subdev: FE-TX1
Fri Jul 17 13:07:52 2020 DMAIN <0000> osmo-trx.cpp:532 [tid=140737316968384] -- Transceiver active with 2 channel(s)
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'POWEROFF'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP POWEROFF 0'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'RXTUNE 881000'
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:1004 [tid=140737316968384][chan=0] set_freq(8.81e+08, Rx): Tune Result:
    Target RF  Freq: 881.000000 (MHz)
    Actual RF  Freq: 881.000000 (MHz)
    Target DSP Freq: -0.000000 (MHz)
    Actual DSP Freq: -0.000000 (MHz)

Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP RXTUNE 0 881000'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'RXTUNE 880800'
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:1004 [tid=140737316968384][chan=1] set_freq(8.808e+08, Rx): Tune Result:
    Target RF  Freq: 880.900000 (MHz)
    Actual RF  Freq: 880.900000 (MHz)
    Target DSP Freq: 0.100000 (MHz)
    Actual DSP Freq: 0.100000 (MHz)

Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:1024 [tid=140737316968384][chan=1] set_freq(8.808e+08, Rx): Tune Result:
    Target RF  Freq: 880.900000 (MHz)
    Actual RF  Freq: 880.900000 (MHz)
    Target DSP Freq: -0.100000 (MHz)
    Actual DSP Freq: -0.100000 (MHz)

Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP RXTUNE 0 880800'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'TXTUNE 926000'
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:1004 [tid=140737316968384][chan=0] set_freq(9.26e+08, Tx): Tune Result:
    Target RF  Freq: 926.000000 (MHz)
    Actual RF  Freq: 925.999999 (MHz)
    Target DSP Freq: 0.000001 (MHz)
    Actual DSP Freq: 0.000001 (MHz)

Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP TXTUNE 0 926000'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'TXTUNE 925800'
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:1004 [tid=140737316968384][chan=1] set_freq(9.258e+08, Tx): Tune Result:
    Target RF  Freq: 925.900000 (MHz)
    Actual RF  Freq: 925.899999 (MHz)
    Target DSP Freq: -0.099999 (MHz)
    Actual DSP Freq: -0.099999 (MHz)

Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:1024 [tid=140737316968384][chan=1] set_freq(9.258e+08, Tx): Tune Result:
    Target RF  Freq: 925.900000 (MHz)
    Actual RF  Freq: 925.899999 (MHz)
    Target DSP Freq: 0.100001 (MHz)
    Actual DSP Freq: 0.100001 (MHz)

Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP TXTUNE 0 925800'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'NOMTXPOWER'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP NOMTXPOWER 0 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'NOMTXPOWER'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP NOMTXPOWER 0 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETTSC 7'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:937 [tid=140737316968384] Changing TSC from 0 to 7
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETTSC 0 7'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETTSC 7'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:937 [tid=140737316968384] Changing TSC from 7 to 7
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETTSC 0 7'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETFORMAT 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:958 [tid=140737316968384][chan=0] BTS requests TRXD version switch: 1
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:964 [tid=140737316968384][chan=0] switching to TRXD version 1
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETFORMAT 1 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETFORMAT 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:958 [tid=140737316968384][chan=1] BTS requests TRXD version switch: 1
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:964 [tid=140737316968384][chan=1] switching to TRXD version 1
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETFORMAT 1 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'POWERON'
Fri Jul 17 13:08:01 2020 DMAIN <0000> Transceiver.cpp:286 [tid=140737316968384] Starting the transceiver
Fri Jul 17 13:08:01 2020 DMAIN <0000> radioInterface.cpp:191 [tid=140737316968384] Starting radio device
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:713 [tid=140737316968384] Starting USRP...
Fri Jul 17 13:08:01 2020 DMAIN <0000> Threads.cpp:119 [tid=140737235633920] Thread 140737235633920 (task 19931) set name: UHDAsyncEvent
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:688 [tid=140737316968384] Initial timestamp 11485391
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:730 [tid=140737316968384] The current time is 10.6041 seconds
Fri Jul 17 13:08:01 2020 DMAIN <0000> radioInterface.cpp:212 [tid=140737316968384] Radio started
Fri Jul 17 13:08:01 2020 DMAIN <0000> Threads.cpp:119 [tid=140737190344448] Thread 140737190344448 (task 19932) set name: TxLower
Fri Jul 17 13:08:01 2020 DMAIN <0000> Threads.cpp:119 [tid=140737205016320] Thread 140737205016320 (task 19933) set name: RxLower
Fri Jul 17 13:08:01 2020 DMAIN <0000> Threads.cpp:119 [tid=140737165166336] Thread 140737165166336 (task 19934) set name: RxUpper0
Fri Jul 17 13:08:01 2020 DMAIN <0000> Threads.cpp:119 [tid=140737156773632] Thread 140737156773632 (task 19935) set name: TxUpper0
Fri Jul 17 13:08:01 2020 DMAIN <0000> Threads.cpp:119 [tid=140737148380928] Thread 140737148380928 (task 19936) set name: RxUpper1
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP POWERON 0'
Fri Jul 17 13:08:01 2020 DMAIN <0000> Threads.cpp:119 [tid=140737139988224] Thread 140737139988224 (task 19937) set name: TxUpper1
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETRXGAIN 10'
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:345 [tid=140737316968384] Set RX gain to 10dB (asked for 10dB)
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETRXGAIN 0 10'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETRXGAIN 10'
Fri Jul 17 13:08:01 2020 DDEV <0005> UHDDevice.cpp:345 [tid=140737316968384] Set RX gain to 10dB (asked for 10dB)
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETRXGAIN 0 10'
Info: SSE3 support compiled in and supported by CPU
Info: SSE4.1 support compiled in and supported by CPU
LLLLFri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 0 7'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 0 7'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 0 5'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 0 5'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 1 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 1 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 1 7'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 1 7'
Fri Jul 17 13:08:01 2020 DTRXCLK <0001> Transceiver.cpp:1060 [tid=140737205016320] Sending CLOCK indications
Fri Jul 17 13:08:01 2020 DTRXCLK <0001> Transceiver.cpp:1177 [tid=140737205016320] sending IND CLOCK 67954
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 2 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 2 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 2 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 2 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 3 3'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 3 3'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 3 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 3 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 4 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 4 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 4 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 4 1'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 5 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 5 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 5 3'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 5 3'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 6 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 6 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 6 3'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 6 3'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=1] command is 'SETSLOT 7 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=1] response is 'RSP SETSLOT 0 7 13'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:832 [tid=140737316968384][chan=0] command is 'SETSLOT 7 3'
Fri Jul 17 13:08:01 2020 DTRXCTRL <0002> Transceiver.cpp:980 [tid=140737316968384][chan=0] response is 'RSP SETSLOT 0 7 3'
=================================================================
==19826==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000ca9d8 at pc 0x00000026b8f2 bp 0x7fffee3c7280 sp 0x7fffee3c7278
READ of size 4 at 0x6030000ca9d8 thread T21 (TxLower)
    #0 0x26b8f1 in GSM::Time::operator>(GSM::Time const&) const /xx/osmo-trx/Transceiver52M/../GSM/GSMCommon.h:192:18
    #1 0x26b8f1 in radioVector::operator>(radioVector const&) const /xx/osmo-trx/Transceiver52M/radioVector.cpp:58:15
    #2 0x26b8f1 in PointerCompare<radioVector>::operator()(radioVector const*, radioVector const*) /xx/osmo-trx/Transceiver52M/../CommonLibs/Interthread.h:567:17
    #3 0x26b8f1 in bool __gnu_cxx::__ops::_Iter_comp_val<PointerCompare<radioVector> >::operator()<__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, radioVector*>(__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, radioVector*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/predefined_ops.h:177:16
    #4 0x26b8f1 in void std::__push_heap<__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, long, radioVector*, __gnu_cxx::__ops::_Iter_comp_val<PointerCompare<radioVector> > >(__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, long, long, radioVector*, __gnu_cxx::__ops::_Iter_comp_val<PointerCompare<radioVector> >&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_heap.h:133:42
    #5 0x26b8f1 in void std::__adjust_heap<__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, long, radioVector*, __gnu_cxx::__ops::_Iter_comp_iter<PointerCompare<radioVector> > >(__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, long, long, radioVector*, __gnu_cxx::__ops::_Iter_comp_iter<PointerCompare<radioVector> >) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_heap.h:237:7
    #6 0x26b3c9 in void std::__pop_heap<__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, __gnu_cxx::__ops::_Iter_comp_iter<PointerCompare<radioVector> > >(__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, __gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, __gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, __gnu_cxx::__ops::_Iter_comp_iter<PointerCompare<radioVector> >&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_heap.h:253:7
    #7 0x26b3c9 in void std::pop_heap<__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, PointerCompare<radioVector> >(__gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, __gnu_cxx::__normal_iterator<radioVector**, std::vector<radioVector*, std::allocator<radioVector*> > >, PointerCompare<radioVector>) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_heap.h:320:4
    #8 0x26b3c9 in std::priority_queue<radioVector*, std::vector<radioVector*, std::allocator<radioVector*> >, PointerCompare<radioVector> >::pop() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_queue.h:665:2
    #9 0x26b3c9 in VectorQueue::getCurrentBurst(GSM::Time const&) /xx/osmo-trx/Transceiver52M/radioVector.cpp:141:6
    #10 0x27e15e in Transceiver::pushRadioVector(GSM::Time&) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:441:39
    #11 0x28551f in Transceiver::driveTxFIFO() /xx/osmo-trx/Transceiver52M/Transceiver.cpp:1160:7
    #12 0x27c067 in TxLowerLoopAdapter(Transceiver*) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:1231:18
    #13 0x7ffff7559608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477:8
    #14 0x7ffff641c102 in clone /build/glibc-YYA7BZ/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6030000ca9d8 is located 24 bytes inside of 32-byte region [0x6030000ca9c0,0x6030000ca9e0)
freed by thread T21 (TxLower) here:
    #0 0x7ffff76698cd in operator delete(void*) (/usr/lib/llvm-10/lib/clang/10.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xc68cd)
    #1 0x27e228 in Transceiver::pushRadioVector(GSM::Time&) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:451:7
    #2 0x28551f in Transceiver::driveTxFIFO() /xx/osmo-trx/Transceiver52M/Transceiver.cpp:1160:7
    #3 0x27c067 in TxLowerLoopAdapter(Transceiver*) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:1231:18
    #4 0x7ffff7559608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T24 (TxUpper0) here:
    #0 0x7ffff766906d in operator new(unsigned long) (/usr/lib/llvm-10/lib/clang/10.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xc606d)
    #1 0x27d2c2 in Transceiver::addRadioVector(unsigned long, BitVector&, int, GSM::Time&) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:397:17
    #2 0x281fe2 in Transceiver::driveTxPriorityQueue(unsigned long) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:1043:3
    #3 0x27c98a in TxUpperLoopAdapter(TrxChanThParams*) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:1249:15
    #4 0x7ffff7559608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477:8

Thread T21 (TxLower) created by T0 here:
    #0 0x7ffff764794a in pthread_create (/usr/lib/llvm-10/lib/clang/10.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xa494a)
    #1 0x2bf753 in Thread::start(void* (*)(void*), void*) /xx/osmo-trx/CommonLibs/Threads.cpp:145:8
    #2 0x27b7dd in Transceiver::start() /xx/osmo-trx/Transceiver52M/Transceiver.cpp:301:23
    #3 0x276589 in Transceiver::ctrl_sock_handle_rx(int) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:838:10
    #4 0x27565d in Transceiver::ctrl_sock_cb(osmo_fd*, unsigned int) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:168:23
    #5 0x7ffff6ebb7bb in osmo_fd_disp_fds /xx/libosmocore/src/select.c:227:4
    #6 0x7ffff6ebb7bb in _osmo_select_main /xx/libosmocore/src/select.c:265:9
    #7 0x7ffff6ebb2fa in osmo_select_main /xx/libosmocore/src/select.c:274:11
    #8 0x22e3c6 in main /xx/osmo-trx/Transceiver52M/osmo-trx.cpp:649:3
    #9 0x7ffff63210b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16

Thread T24 (TxUpper0) created by T0 here:
    #0 0x7ffff764794a in pthread_create (/usr/lib/llvm-10/lib/clang/10.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xa494a)
    #1 0x2bf753 in Thread::start(void* (*)(void*), void*) /xx/osmo-trx/CommonLibs/Threads.cpp:145:8
    #2 0x27baa0 in Transceiver::start() /xx/osmo-trx/Transceiver52M/Transceiver.cpp:319:44
    #3 0x276589 in Transceiver::ctrl_sock_handle_rx(int) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:838:10
    #4 0x27565d in Transceiver::ctrl_sock_cb(osmo_fd*, unsigned int) /xx/osmo-trx/Transceiver52M/Transceiver.cpp:168:23
    #5 0x7ffff6ebb7bb in osmo_fd_disp_fds /xx/libosmocore/src/select.c:227:4
    #6 0x7ffff6ebb7bb in _osmo_select_main /xx/libosmocore/src/select.c:265:9
    #7 0x7ffff6ebb2fa in osmo_select_main /xx/libosmocore/src/select.c:274:11
    #8 0x22e3c6 in main /xx/osmo-trx/Transceiver52M/osmo-trx.cpp:649:3
    #9 0x7ffff63210b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /xx/osmo-trx/Transceiver52M/../GSM/GSMCommon.h:192:18 in GSM::Time::operator>(GSM::Time const&) const
Shadow bytes around the buggy address:
  0x0c06800114e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800114f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680011500: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0680011510: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680011520: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
=>0x0c0680011530: fa fa fd fd fd fd fa fa fd fd fd[fd]fa fa 00 00
  0x0c0680011540: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c0680011550: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c0680011560: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c0680011570: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c0680011580: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==19826==ABORTING

Actions #1

Updated by laforge over 1 year ago

  • Priority changed from Normal to Urgent

Actions #2

Updated by Hoernchen over 1 year ago

  • Status changed from New to Rejected
  • Priority changed from Urgent to Normal
  • % Done changed from 0 to 100

Caused by messing up unrelated changes that broke everything and were therefore dropped to make it work at all, which in turn left osmo-trx with half-broken mutex changes.
