Bug #2734

crash at startup

Added by C vH over 4 years ago. Updated over 4 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: Crashes
Target version: -
Start date: 2015-03-24
Due date:
% Done: 100%
Estimated time:
Found in version: 2640
Affected Versions:

Description

If I start 3.9.2640, 3.9.2640, 3.9.2642 I get this at startup -> crash.
Tried with repo and self-compiled files, same problem.

tvheadend1576: START: HTS Tvheadend version 3.9.2642~g27382c2 started, running as PID:1576 UID:104 GID:44, CWD:/ CNF:/home/hts/.hts/tvheadend
tvheadend1576: CRASH: Signal: 11 in PRG: tvheadend (3.9.2642~g27382c2) [a1363a95e49ae02ad418c53fa0ea5be4a54ed680] CWD: /
tvheadend1576: CRASH: Fault address 0x7fd784007d85 (Address not mapped)
tvheadend1576: CRASH: Loaded libraries: /lib/x86_64-linux-gnu/libssl.so.1.0.0 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib/x86_64-linux-gnu/libz.so.1 /usr/lib/liburiparser.so.1 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 /lib/x86_64-linux-gnu/libdbus-1.so.3 /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/librt.so.1 /lib/x86_64-linux-gnu/libc.so.6 /lib64/ld-linux-x86-64.so.2 /lib/x86_64-linux-gnu/libnss_compat.so.2 /lib/x86_64-linux-gnu/libnsl.so.1 /lib/x86_64-linux-gnu/libnss_nis.so.2 /lib/x86_64-linux-gnu/libnss_files.so.2
tvheadend1576: CRASH: Register dump [23]: 00007fd77000110000007fd7700008f000007fd77000007800007fd77000007000000000ffffffff00007fd784ff879000007fd784ff886000007fd784ff88880000000000000000000000000000000a000000000000002000007fd77000112000007fd77000004000007fd784007d7d00007fd770000d0000007fd784ff87500000000000415a5c0000000000010246be500000000000330000000000000004000000000000000efffffffe7ffbba1300007fd784007d85
tvheadend1576: CRASH: STACKTRACE
kernel: [ 126.167845] tcp_server_star1654: segfault at 7fd7007d7d98 ip 0000000000415a5c sp 00007fd7857f9750 error 4 in tvheadend[400000+51c000]
kernel: [ 126.181172] init: tvheadend main process (1576) killed by SEGV signal
kernel: [ 126.181208] init: tvheadend main process ended, respawning

Associated revisions

Revision 75cad931 (diff)
Added by Jaroslav Kysela over 4 years ago

check all snprintf() callers and modify code to work correctly with the return value using tvh_strlcatf2() macro, fixes #2734

History

#1

Updated by Jaroslav Kysela over 4 years ago

Provide a backtrace - see wiki.

#2

Updated by B C over 4 years ago

Can you try this with an empty .hts directory, so without any old configuration?

#3

Updated by B C over 4 years ago

Stop, after 12 hours of trouble-free running on 2641 it happens to me also as soon as the webif is involved. So I had no problems with crashes till right now, and currently I don't even get the EPG overview. So maybe some data which was updated through the night causes these crashes. Let's find out....

#4

Updated by B C over 4 years ago

backtrace here I am:

[New Thread 0x7fff8bfff700 (LWP 10097)]
2015-03-24 11:17:17.716 [ ERROR] iptv: poll() error Unterbrechung während des Betriebssystemaufrufs, sleeping 1 second

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8bfff700 (LWP 10097)]
__strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:106
106 ../sysdeps/x86_64/multiarch/strcmp-sse42.S: Datei oder Verzeichnis nicht gefunden.
(gdb) info reg
rax 0xfffffffffffffaa8 -1368
rbx 0xe22780 14821248
rcx 0xffffffff 4294967295
rdx 0x74617a69726f6874 8386118574450632820
rsi 0xa1e859 10610777
rdi 0x7fff80000f00 140735340875520
rbp 0xe22810 0xe22810
rsp 0x7fff8bffe7b8 0x7fff8bffe7b8
r8 0x3 3
r9 0x48 72
r10 0x0 0
r11 0x0 0
r12 0x7fff80000f00 140735340875520
r13 0x7fff80000f00 140735340875520
r14 0x7fff8bffe8c0 140735542192320
r15 0x7fff8bffe8e8 140735542192360
rip 0x7ffff6135310 0x7ffff6135310 <__strcasecmp_l_avx>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

Dump of assembler code from 0x7ffff61352f0 to 0x7ffff6135330:
0x00007ffff61352f0 <__strspn_sse42+272>: jmpq 0x7ffff6097000 <__strspn_sse2>
0x00007ffff61352f5: nopw %cs:0x0(%rax,%rax,1)
0x00007ffff61352ff: nop
0x00007ffff6135300 <__strcasecmp_avx+0>: mov 0x280ab9(%rip),%rax # 0x7ffff63b5dc0
0x00007ffff6135307 <__strcasecmp_avx+7>: mov %fs:(%rax),%rdx
0x00007ffff613530b <__strcasecmp_avx+11>: nopl 0x0(%rax,%rax,1)
=> 0x00007ffff6135310 <__strcasecmp_l_avx+0>: mov (%rdx),%rax
0x00007ffff6135313 <__strcasecmp_l_avx+3>: testl $0x1,0x278(%rax)
0x00007ffff613531d <__strcasecmp_l_avx+13>: jne 0x7ffff60ad3e0 <__strcasecmp_l_nonascii>
0x00007ffff6135323 <__strcasecmp_l_avx+19>: mov %esi,%ecx
0x00007ffff6135325 <__strcasecmp_l_avx+21>: mov %edi,%eax
0x00007ffff6135327 <__strcasecmp_l_avx+23>: and $0x3f,%rcx
0x00007ffff613532b <__strcasecmp_l_avx+27>: and $0x3f,%rax
0x00007ffff613532f <__strcasecmp_l_avx+31>: vmovdqa 0x47fc9(%rip),%xmm4 # 0x7ffff617d300
End of assembler dump.

(gdb) bt full
#0 __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:106
No locals.
#1 0x000000000043962c in str2val0 (str=0x7fff80000f00 "GET", tab=0xa1e859, tab@entry=0xe22780 <HTTP_cmdtab>, l=1919903860, l@entry=9)
at src/hts_strtab.h:39
No locals.
#2 0x000000000043afd7 in http_serve_requests (hc@entry=0x7fff8bffe870) at src/http.c:992
spill = {hq_q = {tqh_first = 0x7fff80000ce0, tqh_last = 0x7fff80000ce0}, hq_size = 948, hq_maxsize = 2147483647}
argv = {0x7fff80000f00 "GET", 0x7fff80000f04 "/static/extjs/adapter/ext/ext-base.js", 0x7fff80000f2a "HTTP/1.1"}
c = <optimized out>
cmdline = 0x7fff80000f00 "GET"
hdrline = <optimized out>
n = <optimized out>
r = <optimized out>
#3 0x000000000043b1e9 in http_serve (fd=46, opaque=0x7fffa0001018, peer=0x7fffa0001030, self=0x7fffa00010b0) at src/http.c:1073
hc = {hc_fd = 46, hc_peer = 0x7fffa0001030, hc_peer_ipstr = 0x7fff80000990 "\270\003", hc_self = 0x7fffa00010b0,
hc_representative = 0x7fff800009b0 "0\n", hc_paths = 0xe378c8 <http_paths>, hc_process = 0x43ad80 <http_process_request>,
hc_url = 0x7fff80000ce4 "", hc_url_orig = 0x7fff8bffe6e0 "/extjs.html?", hc_keep_alive = 1, hc_reply = {hq_q = {
tqh_first = 0x0, tqh_last = 0x7fff8bffe8c0}, hq_size = 0, hq_maxsize = 2147483647}, hc_args = {tqh_first = 0x0,
tqh_last = 0x7fff8bffe8d8}, hc_req_args = {tqh_first = 0x0, tqh_last = 0x7fff8bffe8e8}, hc_state = HTTP_CON_WAIT_REQUEST,
hc_cmd = HTTP_CMD_GET, hc_version = HTTP_VERSION_1_1, hc_username = 0x0, hc_password = 0x0, hc_access = 0x0,
hc_user_config = 0x0, hc_no_output = 0, hc_logout_cookie = 0, hc_shutdown = 0, hc_cseq = 0, hc_session = 0x0,
hc_post_data = 0x0, hc_post_len = 0}
#4 0x000000000043669d in tcp_server_start (aux=0x7fffa0000ff0) at src/tcp.c:542
tsl = 0x7fffa0000ff0
to = {tv_sec = 30, tv_usec = 0}
val = 1
c = 74 'J'
#5 0x0000000000433478 in thread_wrapper (p=0x7fffa0001170) at src/wrappers.c:145
ts = 0x7fffa0001170
set = {__val = {16388, 0 <repeats 15 times>}}
r = <optimized out>
#6 0x00007ffff68cd0a4 in start_thread (arg=0x7fff8bfff700) at pthread_create.c:309
__res = <optimized out>
pd = 0x7fff8bfff700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140735542195968, 1656917674535265949, 1, 140737354125408, 4294967295,
140735542195968, -1656873693713946979, -1656936805776775523}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#7 0x00007ffff60f904d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.

#5

Updated by B C over 4 years ago

I did try some more things. Old backup of data folder --> same troubles, so it's not data related. Next I tried a different browser --> everything fine, so it seems cookie related or whatever; currently I do not want to clear my cache globally.

#6

Updated by C K over 4 years ago

It's still there

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x91ddfb70 (LWP 5166)]
0xb7750b21 in vsnprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
(gdb) bt full
#0  0xb7750b21 in vsnprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
No symbol table info available.
#1  0xb7734bf2 in snprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
No symbol table info available.
#2  0x080c63fa in dump_request (hc@entry=0x91dded3c) at src/http.c:543
        buf = "{{Host=tvhserver.local:9981,User-Agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0,Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,Accept-Langua"...
        ra = 0x91dde270
        first = <optimized out>
        ptr = 7464
#3  0x080c7c3c in http_cmd_get (hc@entry=0x91dded3c) at src/http.c:568
        hp = <optimized out>
        remain = <optimized out>
        args = <optimized out>
#4  0x080c7cb4 in http_process_request (hc=<optimized out>, spill=<optimized out>) at src/http.c:659
No locals.
#5  http_process_request (hc=0x91dded3c, spill=0x91ddecf0) at src/http.c:649
No locals.
#6  0x080c7777 in process_request (hc@entry=0x91dded3c, spill@entry=0x91ddecf0) at src/http.c:747
        v = <optimized out>
        argv = {0x91ddecf0 "", 
          0xb784d410 "h.K\t8\206M\tH\034U\t\370\334Y\t\b\300^\[email protected]\212[\t\210W\313\n\310\001\\\th\027J\t\360\307M\tP\354E\t\360\316e\[email protected]\342\313\n0\334\313\n =l\tX\235k\t\320\036U\tȏZ\t\320\367d\t\370\322O\t\350\061T\t\350\177U\t`5f\t\230\327d\t\350\207V\t\[email protected]\t\330\341G\t\330\037U\t\200sJ\t\350'O\t\200Ԅ\267\200Ԅ\267\210Ԅ\267\210Ԅ\267\300\354\313\n"}
        n = <optimized out>
        rval = -1
        authbuf = "192.168.178.50\000ӄ\267\360\354ݑ(\354ݑ=\006v\267)\000\000\000\067\222\202\267\300ӄ\267\364\277\204\267\300ӄ\267\360\354ݑH\354ݑ=\006v\267\360ӄ\267\364\277\204\267\000\000\000\000\001\000\000\000*\002\000\000N\253\016\b\210\034U\t\210\034U\t\001\000\000\000\364\277\204\267\300ӄ\267\360\354ݑ\b\376\362\t\001\000\000\000p\361\362\t'qM\t!\000\000\000\000\000\000\000\b\376\362\t\360\354ݑ\344\354ݑ\352\065\f\b" 
#7  0x080c8009 in http_serve_requests (hc@entry=0x91dded3c) at src/http.c:1025
        spill = {hq_q = {tqh_first = 0x0, tqh_last = 0x91ddecf0}, hq_size = 0, hq_maxsize = 2147483647}
        argv = {0x94d7118 "", 0x94d7127 "max-age=0", 0x946e879 "HTTP/1.1"}
        c = <optimized out>
        cmdline = 0x946e868 "GET" 
        hdrline = 0x9f2fe08 "" 
        n = <optimized out>
        r = <optimized out>
#8  0x080c8108 in http_serve (fd=37, opaque=0xaca69c8, peer=0xaca69d4, self=0xaca6a54) at src/http.c:1068
        hc = {hc_fd = 37, hc_peer = 0xaca69d4, hc_peer_ipstr = 0x91ddeba0 "192.168.178.50", hc_self = 0xaca6a54, hc_representative = 0x91ddeba0 "192.168.178.50", hc_paths = 0x8ddda58, 
          hc_process = 0x80c7c90 <http_process_request>, hc_url = 0x946e86c "/extjs.html?", hc_url_orig = 0x91ddebc0 "/extjs.html?", hc_keep_alive = 1, hc_reply = {hq_q = {tqh_first = 0x0, 
              tqh_last = 0x91dded64}, hq_size = 0, hq_maxsize = 2147483647}, hc_args = {tqh_first = 0x9550a00, tqh_last = 0x9551d48}, hc_req_args = {tqh_first = 0x0, tqh_last = 0x91dded7c}, 
          hc_state = HTTP_CON_WAIT_REQUEST, hc_cmd = HTTP_CMD_GET, hc_version = HTTP_VERSION_1_1, hc_username = 0x0, hc_password = 0x0, hc_access = 0x0, hc_user_config = 0x0, hc_no_output = 0, 
          hc_logout_cookie = 0, hc_shutdown = 0, hc_cseq = 0, hc_session = 0x0, hc_post_data = 0x0, hc_post_len = 0}
#9  0x080c2f65 in tcp_server_start (aux=0xaca69b0) at src/tcp.c:542
        tsl = 0xaca69b0
        to = {tv_sec = 30, tv_usec = 0}
        val = 1
        c = 74 'J'
#10 0x080bfb45 in thread_wrapper (p=0x94c3fd0) at src/wrappers.c:145
        ts = 0x94c3fd0
        set = {__val = {16388, 0 <repeats 31 times>}}
        r = <optimized out>
#11 0xb7badc39 in start_thread () from /lib/i386-linux-gnu/i686/cmov/libpthread.so.0
No symbol table info available.
#12 0xb77c29fe in clone () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
No symbol table info available.

#7

Updated by Jaroslav Kysela over 4 years ago

It looks like a stack overflow. Could you try this change to determine the exact function?

diff --git a/Makefile b/Makefile
index ff598ad..dd28cf8 100644
--- a/Makefile
+++ b/Makefile
@@ -27,7 +27,7 @@ PROG    := $(BUILDDIR)/tvheadend
 # Common compiler flags
 #

-CFLAGS  += -g -O2 -Wunused-result
+CFLAGS  += -g -O0 -fstack-protector-all -Wunused-result
 CFLAGS  += -Wall -Werror -Wwrite-strings -Wno-deprecated-declarations
 CFLAGS  += -Wmissing-prototypes
 CFLAGS  += -fms-extensions -funsigned-char -fno-strict-aliasing
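Review bot: the two flags serve different purposes and both are diagnostic only. `-fstack-protector-all` puts a canary in every function, so an overrun of a stack buffer such as `buf` in `dump_request()` is reported by glibc as "*** stack smashing detected ***" on return from the function that did the overrun, instead of the later SIGSEGV inside `vsnprintf`/`strcasecmp` shown in the backtraces above; `-O0` keeps locals like `ptr` readable instead of `<optimized out>`. Since `-O2` is dropped, the reporter should revert this line once the faulting function is identified rather than keep the build; `-Werror` on the next line still applies, so the tree must compile warning-free at `-O0` as well.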

Recompile the whole tree after this change (make clean ; make).

#8

Updated by C vH over 4 years ago

http://pastebin.com/7PAsPZhJ

still crashes (works as long as you do not try to enter the webif)

#9

Updated by Jaroslav Kysela over 4 years ago

Christian Christian wrote:

http://pastebin.com/7PAsPZhJ

still crashes (works as long as you do not try to enter the webif)

The backtrace is for a thread which is OK.

#10

Updated by C vH over 4 years ago

nothing else to show, still not working :)

#11

Updated by Mirko Di Paolo over 4 years ago

Jaroslav Kysela wrote:

It looks like a stack overflow. Could you try this change to determine the exact function?

[...]

Recompile the whole tree after this change (make clean ; make).

Bug introduced with commit 3f4002d9845705ae2543790a99aa772f8d4ac008

#12

Updated by Jaroslav Kysela over 4 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

#13

Updated by Jaroslav Kysela over 4 years ago

You are right. The return value of snprintf() can exceed the output string buffer size, so all the 'pos += snprintf()' code is broken. I fixed it now using a new macro.
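The accounting bug described in this comment, as an added example that is not Tvheadend's code: `broken_append` mirrors the `pos += snprintf()` pattern, `safe_append` is a hypothetical clamped replacement (not the project's `tvh_strlcatf2()` macro), and the header strings are constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The pattern the fix replaces: snprintf() returns the length the text WOULD
 * have had, not what it wrote, so one truncated call pushes pos past bufsize;
 * the next call gets bufsize - pos, which wraps as size_t, and writes past it. */
static size_t broken_append(char *buf, size_t bufsize, size_t pos, const char *s)
{
    /* Only safe while pos < bufsize: the check the original code lacked. */
    return pos + (size_t)snprintf(buf + pos, bufsize - pos, "%s", s);
}

/* Hypothetical clamped replacement (not the project's tvh_strlcatf2() macro):
 * never passes an underflowed size; the returned pos is always <= bufsize - 1. */
static size_t safe_append(char *buf, size_t bufsize, size_t pos, const char *fmt, ...)
{
    va_list ap; int r;
    if (bufsize == 0 || pos >= bufsize)
        return pos;                   /* full: no room, no underflow */
    va_start(ap, fmt);
    r = vsnprintf(buf + pos, bufsize - pos, fmt, ap);
    va_end(ap);
    if (r < 0)
        return pos;                   /* encoding error: leave pos alone */
    if ((size_t)r >= bufsize - pos)
        return bufsize - 1;           /* truncated: pos now sits on the NUL */
    return pos + (size_t)r;
}

/* Constructed sample headers, dumped the way dump_request() builds its buf. */
static const char *const SAMPLE_HDRS[] = { "Host=tvhserver.local:9981",
    "User-Agent=Mozilla/5.0", "Accept=text/html" };

/* Broken accounting: one truncated write already puts pos beyond the 16-byte
 * buffer (25 > 16); the size 16 - 25 the next call would get is SIZE_MAX - 8. */
size_t broken_pos_after_first_header(void)
{
    char buf[16];
    return broken_append(buf, sizeof(buf), 0, SAMPLE_HDRS[0]);
}

/* Safe accounting: pos stays below outsize and out stays NUL-terminated. */
size_t safe_dump(char *out, size_t outsize)
{
    size_t pos = 0, i;
    for (i = 0; i < 3; i++)
        pos = safe_append(out, outsize, pos, "%s%s", i ? "," : "{", SAMPLE_HDRS[i]);
    return safe_append(out, outsize, pos, "}");
}
```

With a 32-byte output buffer `safe_dump` stops at position 31 and the buffer stays terminated, whereas the broken accounting reports position 25 after the first header alone.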
