[srslte-users] Seg fault in scrambling_b_word

David Rupprecht david.rupprecht at rub.de
Tue Jul 11 10:34:08 UTC 2017


Hello,

I think I found the issue. It is a race condition. While thread 1 tries
to access the not allocated c pointers, thread 2 is currently filling
them. The gdb output is attached. That leads me to the question whether my PC
does not have enough resources. That problem did not occur under the
srsLTE/srsUE 1.4 version.

Best Regards,
David



On 04.07.2017 12:12, Ismael Gomez wrote:
> Hi David, 
> 
> So if seq[0] ... seq[4] are non-empty it means that during
> srslte_pusch_set_rnti() there was some problem srslte_sequence_pusch()
> returned != 0 and it didn't properly initialize. But looking at that
> function it is not clear to me how that can happen. Can you insert
> breakpoints or print debug messages in those cases to confirm that is
> what is happening? 
> 
> Thank you
> 
> On Mon, 3 Jul 2017 at 17:41 David Rupprecht <david.rupprecht at rub.de
> <mailto:david.rupprecht at rub.de>> wrote:
> 
>     Hello,
> 
>     I just had some time to dig into the problem. It looks like
>     calloc/malloc are not the problem, because the pointer for
>     srslte_pusch_t seems to be correctly allocated. The error occurs
>     because the pointers of the seq are not correctly allocated, because c (c
>     = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0) points to an invalid
>     address (interestingly, len=0). Now when using calloc it points to
>     NULL, as can be seen below.
> 
>     $9 = {c = 0x7fa2dd4ba000 "", c_bytes = 0x7fa2dd4d2a00
>     "^K\026\200\313\353q1\343k\253ݼ\247J\247\263z\367\356V\322蕕~\032<q
>     \334,\213~\351a\366\035\214z\267_\243\330\372\350]q\t",
>     c_float = 0x7fa2dd4d5c00,
>       c_short = 0x7fa2dd538400, len = 100800}
>     (gdb) p q->users[27460]->seq[4]
>     $10 = {c = 0x7fa2dd569800 "", c_bytes = 0x7fa2dd582200
>     ",\351\264\177[\033\207\065\t\301O\256<\240w*\263\"NxPO(", <incomplete
>     sequence \337>, c_float = 0x7fa2dd585400, c_short = 0x7fa2dd5e7c00, len
>     = 100800}
>     (gdb) p q->users[27460]->seq[5]
>     $11 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
>     (gdb) p q->users[27460]->seq[6]
>     $12 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
>     (gdb) p q->users[27460]->seq[7]
>     $13 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
>     (gdb) p q->users[27460]->seq[8]
>     $14 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
>     (gdb) p q->users[27460]->seq[9]
>     $15 = {c = 0x0, c_bytes = 0x0, c_float = 0x0, c_short = 0x0, len = 0}
> 
>     The initialization of the struct is done in srslte_pusch_set_rnti.
>     The function is called in srslte_ue_ul_set_rnti. On the one hand, if
>     srslte_pusch_set_rnti throws an error it is not caught in
>     srslte_ue_ul_set_rnti. Or srslte_sequence_init does something wrong, but
>     that looks fine to me. Maybe len=0 is also an indicator for the error.
> 
>     Best Regards,
>     David
> 
> 
> 
> 
> 
> 
> 
>     On 30.06.2017 12:41, David Rupprecht wrote:
>     > Hello,
>     >
>     > I have tested the patch a few times and unfortunately the same error
>     > continues to occur.
>     >
>     > Regards,
>     > David
>     >
>     > On 28.06.2017 17:00, David Rupprecht wrote:
>     >> Hi,
>     >>
>     >> thank you for the patch. I will test it. Unfortunately, the error was
>     >> not always triggered.
>     >>
>     >> Regards,
>     >> David
>     >>
>     >> On 28.06.2017 15:03, Ismael Gomez wrote:
>     >>> Hi David,
>     >>>
>     >>> You are completely right. Thanks very much for catching this and
>     >>> providing us the exact hints. It was a malloc() that should be
>     >>> calloc() instead. Apparently in most of the systems malloc() was
>     >>> returning zeroed memory except in yours :).
>     >>>
>     >>> I just committed a fix to github. Would be great if you let us
>     >>> know if it works.
>     >>>
>     >>> Regards
>     >>>
>     >>> On Wed, 28 Jun 2017 at 12:20 David Rupprecht
>     >>> <david.rupprecht at rub.de <mailto:david.rupprecht at rub.de>> wrote:
>     >>>
>     >>>     Hi,
>     >>>
>     >>>     while running the ue stack I ran into a seg fault in the
>     >>>     function scrambling_b_word. I compiled the ue with debug parameters
>     >>>     and it looks like the srslte_sequence_t struct is not correctly
>     >>>     initiated (c=0x5400 <error: Cannot access memory at address 0x5400>).
>     >>>     The whole struct looks like:
>     >>>
>     >>>     (gdb) p s
>     >>>     $8 = (srslte_sequence_t *) 0x7f8eb000b630
>     >>>     (gdb) print *s
>     >>>     $9 = {c = 0x4800 <error: Cannot access memory at address 0x4800>,
>     >>>     c_bytes = 0x5400 <error: Cannot access memory at address 0x5400>,
>     >>>     c_float = 0x6000, c_short = 0x6c00, len = 30720}
>     >>>
>     >>>
>     >>>     Do you have any suggestions where the problem might be?
>     >>>     I attached the gdb output.
>     >>>
>     >>>     Best Regards,
>     >>>     David
>     >>>
>     >>>
>     >>
>     >
> 
> 

-- 
M.Sc. David Rupprecht

Ruhr-University Bochum
Research Group Information Security
Universitätsstraße 150
ID 2/130
44780 Bochum / Germany

Phone: +49 234 / 32 - 23508
Web: www.infsec.rub.de
-------------- next part --------------
#0  0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
75      x[i] = (x[i] ^ y[i]);
[Current thread is 1 (Thread 0x7fa2eb7fe700 (LWP 27104))]
(gdb) bt 
#0  0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
#1  0x000000000053fbc0 in srslte_scrambling_bytes (s=0x7fa2dc0bae90, data=0x7fa2e1409f00 "\026\023\263\200", len=1728) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:97
#2  0x000000000055aa57 in srslte_pusch_encode (q=0x7fa317086bc8, cfg=0x7fa31708525c, softbuffer=0x7fa30a2976b0, data=0x7675e30 ">\037", uci_data=..., rnti=27460, sf_symbols=0x7fa2e163b800)
    at /home/david/srsLTE/lib/src/phy/phch/pusch.c:455
#3  0x00000000005427b7 in srslte_ue_ul_pusch_encode_rnti_softbuffer (q=0x7fa3170851b0, data=0x7675e30 ">\037", uci_data=..., softbuffer=0x7fa30a2976b0, rnti=27460, output_signal=0x7fa2e06fc900)
    at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:397
#4  0x00000000004dd771 in srsue::phch_worker::encode_pusch (this=0x7fa317075010, grant=0x7fa2eb7fdbd8, payload=0x7675e30 ">\037", current_tx_nb=2, softbuffer=0x7fa30a2976b0, rv=3, rnti=27460, is_from_rar=false)
    at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:702
#5  0x00000000004da0d8 in srsue::phch_worker::work_imp (this=0x7fa317075010) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:259
#6  0x00000000005069cb in srslte::thread_pool::worker::run_thread (this=0x7fa317075010) at /home/david/srsLTE/lib/src/common/thread_pool.cc:61
#7  0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa317075010) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#8  0x00007fa316d2a6ba in start_thread (arg=0x7fa2eb7fe700) at pthread_create.c:333
#9  0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) ls -la
Undefined command: "ls".  Try "help".
(gdb) bt
#0  0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
#1  0x000000000053fbc0 in srslte_scrambling_bytes (s=0x7fa2dc0bae90, data=0x7fa2e1409f00 "\026\023\263\200", len=1728) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:97
#2  0x000000000055aa57 in srslte_pusch_encode (q=0x7fa317086bc8, cfg=0x7fa31708525c, softbuffer=0x7fa30a2976b0, data=0x7675e30 ">\037", uci_data=..., rnti=27460, sf_symbols=0x7fa2e163b800)
    at /home/david/srsLTE/lib/src/phy/phch/pusch.c:455
#3  0x00000000005427b7 in srslte_ue_ul_pusch_encode_rnti_softbuffer (q=0x7fa3170851b0, data=0x7675e30 ">\037", uci_data=..., softbuffer=0x7fa30a2976b0, rnti=27460, output_signal=0x7fa2e06fc900)
    at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:397
#4  0x00000000004dd771 in srsue::phch_worker::encode_pusch (this=0x7fa317075010, grant=0x7fa2eb7fdbd8, payload=0x7675e30 ">\037", current_tx_nb=2, softbuffer=0x7fa30a2976b0, rv=3, rnti=27460, is_from_rar=false)
    at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:702
#5  0x00000000004da0d8 in srsue::phch_worker::work_imp (this=0x7fa317075010) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:259
#6  0x00000000005069cb in srslte::thread_pool::worker::run_thread (this=0x7fa317075010) at /home/david/srsLTE/lib/src/common/thread_pool.cc:61
#7  0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa317075010) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#8  0x00007fa316d2a6ba in start_thread (arg=0x7fa2eb7fe700) at pthread_create.c:333
#9  0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) threads
Undefined command: "threads".  Try "help".
(gdb) thread
[Current thread is 1 (Thread 0x7fa2eb7fe700 (LWP 27104))]
(gdb) show threads
Undefined show command: "threads".  Try "help show".
(gdb) info threads
  Id   Target Id         Frame 
* 1    Thread 0x7fa2eb7fe700 (LWP 27104) 0x000000000053fa65 in scrambling_b_word (c=0x0, data=0x7fa2e1409f00 "\026\023\263\200", len=216) at /home/david/srsLTE/lib/src/phy/scrambling/scrambling.c:75
  2    Thread 0x7fa2e9ffb700 (LWP 27107) srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
  3    Thread 0x7fa2f972c700 (LWP 27101) 0x00007fa314e2970d in poll () at ../sysdeps/unix/syscall-template.S:84
  4    Thread 0x7fa2faf2f700 (LWP 27086) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  5    Thread 0x7fa2ea7fc700 (LWP 27106) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  6    Thread 0x7fa3170fc7c0 (LWP 27084) 0x00007fa314dfa30d in nanosleep () at ../sysdeps/unix/syscall-template.S:84
  7    Thread 0x7fa2fa72e700 (LWP 27087) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  8    Thread 0x7fa2f9f2d700 (LWP 27100) 0x00007fa314e2970d in poll () at ../sysdeps/unix/syscall-template.S:84
  9    Thread 0x7fa2eaffd700 (LWP 27105) __lll_lock_wait () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
  10   Thread 0x7fa2e8ff9700 (LWP 27110) 0x00007fa314dfa30d in nanosleep () at ../sysdeps/unix/syscall-template.S:84
  11   Thread 0x7fa2dbfff700 (LWP 27111) 0x00007fa314e2524d in read () at ../sysdeps/unix/syscall-template.S:84
  12   Thread 0x7fa2e97fa700 (LWP 27108) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  13   Thread 0x7fa2fb730700 (LWP 27085) 0x00007fa316d3351d in read () at ../sysdeps/unix/syscall-template.S:84
  14   Thread 0x7fa2ebfff700 (LWP 27103) pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:225
  15   Thread 0x7fa2daffd700 (LWP 27113) pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  16   Thread 0x7fa2f8d19700 (LWP 27102) pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:225
(gdb) thread 2 
[Switching to thread 2 (Thread 0x7fa2e9ffb700 (LWP 27107))]
#0  srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
294     for(i=0; i<nof_bits; i++) {
(gdb) bt 
#0  srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
#1  0x000000000053865f in srslte_bit_pack_vector (unpacked=0x7fa2dd579480 "\001\001\001", packed=0x7fa2dd582200 ",\351\264\177[\033\207\065\t\301O\256<\240w*\263\"NxPO(", <incomplete sequence \337>, 
    nof_bits=100800) at /home/david/srsLTE/lib/src/phy/utils/bit.c:281
#2  0x0000000000519a8a in srslte_sequence_LTE_pr (q=0x7fa2dc0badf0, len=100800, seed=449906835) at /home/david/srsLTE/lib/src/phy/common/sequence.c:84
#3  0x00000000005289fb in srslte_sequence_pusch (seq=0x7fa2dc0badf0, rnti=27460, nslot=8, cell_id=147, len=100800) at /home/david/srsLTE/lib/src/phy/phch/sequences.c:78
#4  0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
#5  0x00000000005419d2 in srslte_ue_ul_set_rnti (q=0x7fa3170851b0, rnti=27460) at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:162
#6  0x00000000004d98f6 in srsue::phch_worker::set_crnti (this=0x7fa317075010, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:160
#7  0x00000000004e2529 in srsue::phy::set_crnti (this=0x7fa30a191200, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phy.cc:309
#8  0x00000000004c4799 in srsue::mac::run_thread (this=0x7fa30a2959a8) at /home/david/srsLTE/srsue/src/mac/mac.cc:191
#9  0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa30a2959c0) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#10 0x00007fa316d2a6ba in start_thread (arg=0x7fa2e9ffb700) at pthread_create.c:333
#11 0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) frame 4
#4  0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
warning: Source file is more recent than executable.
399         if (srslte_sequence_pusch(&q->users[rnti]->seq[i], rnti, 2 * i, q->cell.id,
(gdb) bt 
#0  srslte_bit_pack (bits=0x7fa2e9ffac98, nof_bits=8) at /home/david/srsLTE/lib/src/phy/utils/bit.c:294
#1  0x000000000053865f in srslte_bit_pack_vector (unpacked=0x7fa2dd579480 "\001\001\001", packed=0x7fa2dd582200 ",\351\264\177[\033\207\065\t\301O\256<\240w*\263\"NxPO(", <incomplete sequence \337>, 
    nof_bits=100800) at /home/david/srsLTE/lib/src/phy/utils/bit.c:281
#2  0x0000000000519a8a in srslte_sequence_LTE_pr (q=0x7fa2dc0badf0, len=100800, seed=449906835) at /home/david/srsLTE/lib/src/phy/common/sequence.c:84
#3  0x00000000005289fb in srslte_sequence_pusch (seq=0x7fa2dc0badf0, rnti=27460, nslot=8, cell_id=147, len=100800) at /home/david/srsLTE/lib/src/phy/phch/sequences.c:78
#4  0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
#5  0x00000000005419d2 in srslte_ue_ul_set_rnti (q=0x7fa3170851b0, rnti=27460) at /home/david/srsLTE/lib/src/phy/ue/ue_ul.c:162
#6  0x00000000004d98f6 in srsue::phch_worker::set_crnti (this=0x7fa317075010, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phch_worker.cc:160
#7  0x00000000004e2529 in srsue::phy::set_crnti (this=0x7fa30a191200, rnti=27460) at /home/david/srsLTE/srsue/src/phy/phy.cc:309
#8  0x00000000004c4799 in srsue::mac::run_thread (this=0x7fa30a2959a8) at /home/david/srsLTE/srsue/src/mac/mac.cc:191
#9  0x00000000004c66fa in thread::thread_function_entry (_this=0x7fa30a2959c0) at /home/david/srsLTE/lib/include/srslte/common/threads.h:73
#10 0x00007fa316d2a6ba in start_thread (arg=0x7fa2e9ffb700) at pthread_create.c:333
#11 0x00007fa314e353dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) frame 4
#4  0x000000000055a627 in srslte_pusch_set_rnti (q=0x7fa317086bc8, rnti=27460) at /home/david/srsLTE/lib/src/phy/phch/pusch.c:399
399         if (srslte_sequence_pusch(&q->users[rnti]->seq[i], rnti, 2 * i, q->cell.id,
(gdb) print i
$1 = 4
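The race described at the top of the thread (set_rnti filling seq[] on one thread while pusch_encode already reads it on another, landing on c=0x0 in scrambling_b_word), reduced to a stand-alone model as an added example. This is not srsLTE code and not the project's actual fix; the struct layout, the NSEQ/user_* names and the release/acquire publish flag are assumptions. It shows the defensive pattern a reviewer would look for: zeroed allocation so an unfilled entry is NULL rather than garbage, the writer publishing only after every slot is filled, and the reader refusing to scramble until the entry is published.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NSEQ 10
typedef struct { uint8_t *c; uint32_t len; } seq_t;      /* NULL/0 until initialised */
typedef struct { atomic_int ready; seq_t seq[NSEQ]; } user_t;

/* calloc, not malloc: seq[] and ready start zeroed on every platform, not by luck. */
user_t *user_new(void) { return calloc(1, sizeof(user_t)); }

/* Writer (set_rnti side): fill every slot first, then publish with a release store so
   a reader that observes ready == 1 also observes the completed seq[] contents.
   Hypothetical model; assumes one initialisation per user, no reuse under readers. */
int user_set_rnti(user_t *u, uint32_t len, uint8_t fill) {
    for (int i = 0; i < NSEQ; i++) {
        uint8_t *c = calloc(len, 1);                          /* zeroed, never stale data */
        if (!c) { while (i--) { free(u->seq[i].c); u->seq[i].c = NULL; } return -1; }
        memset(c, (uint8_t)(fill ^ i), len);                  /* stand-in for the PR sequence */
        u->seq[i].c = c;
        u->seq[i].len = len;
    }
    atomic_store_explicit(&u->ready, 1, memory_order_release);
    return 0;
}

/* Reader (pusch_encode side): refuse until published instead of dereferencing c == NULL
   the way the attached trace shows scrambling_b_word doing at scrambling.c:75. */
int user_scramble(user_t *u, int slot, uint8_t *data, uint32_t len) {
    if (slot < 0 || slot >= NSEQ) return -1;
    if (!atomic_load_explicit(&u->ready, memory_order_acquire)) return -1;
    const seq_t *s = &u->seq[slot];
    if (!s->c || s->len < len) return -1;                     /* len=0 entry is rejected too */
    for (uint32_t i = 0; i < len; i++) data[i] ^= s->c[i];    /* x[i] = x[i] ^ y[i] */
    return 0;
}

/* Scenario: refused before init, round-trips after. Returns 0 when every step passes. */
int demo(void) {
    user_t *u = user_new();
    uint8_t d[4] = {1, 2, 3, 4};
    if (!u || user_scramble(u, 4, d, 4) != -1) return 1;           /* not yet published */
    if (user_set_rnti(u, 8, 0xFF) != 0) return 2;
    if (user_scramble(u, 4, d, 4) != 0 || d[0] != 0xFA) return 3;  /* 1 ^ (0xFF ^ 4) */
    if (user_scramble(u, 4, d, 4) != 0 || d[0] != 1) return 4;     /* XOR twice restores */
    return user_scramble(u, 4, d, 16) == -1 ? 0 : 5;               /* len > seq len */
}
```

The lock-free flag only covers a single publish; if set_rnti can be called again while encode is active, the swap of old sequences needs a mutex or a deferred free as well.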

