Actions
Bug #4029
closedosmo-pcu: several runtime errors detected by ASan
Start date:
05/27/2019
Due date:
% Done:
100%
Spec Reference:
Description
Seen today while operating my network locally (master as of date of today, osmo-pcu eb64d43922f48901ea4fc872b5c2d65b9e334221)
osmo-pcu/src/tbf_ul.cpp:392 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0xd6f1f98f DIR=UL STATE=FLOW) len=16 include/osmocom/core/msgb.h:543:2: runtime error: variable length array bound evaluates to non-positive value -1
And another different one:
20190527190229251 DTBFUL <000a> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:295 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) Decoded premier TLLI=0x00000000 of UL DATA TFI=0. 20190527190229251 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:392 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0xcf38987f DIR=UL STATE=FLOW) len=10 20190527190229252 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:189 LLC [SGSN -> PCU] = TLLI: 0xcf38987f IMSI: 901700000015254 len: 8 20190527190229252 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:1071 Allocating DL TBF: MS_CLASS=0/0 20190527190229252 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:540 TBF(TFI=0 TLLI=0x00000000 DIR=DL STATE=NULL) Setting Control TS 6 20190527190229252 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:925 TBF(TFI=0 TLLI=0xcf38987f DIR=DL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = 40 20190527190229252 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:814 TBF(TFI=0 TLLI=0xcf38987f DIR=DL STATE=ASSIGN) TX: START Immediate Assignment Downlink (PCH) 20190527190229270 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229293 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229311 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229328 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229352 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229371 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229390 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229413 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229430 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_ms.cpp:645 Unable to update UL (M)CS CS-2 because we don't have link quality measurements. 20190527190229490 DRLCMACMEAS <0007> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_rlcmac_meas.cpp:106 UL RSSI of TLLI=0xcf38987f: -35 dBm 20190527190229490 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:484 TBF(TFI=0 TLLI=0xcf38987f DIR=UL STATE=FINISHED) free /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:554:19: runtime error: left shift of 220 by 28 places cannot be represented in type 'int'
Updated by pespin over 4 years ago
- Assignee set to 4368
Seen again while starting PCU together with the whole 2G network:
20190723154714063 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=6 20190723154714063 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:569 PDCH: trx=0 ts=6 20190723154714063 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=7 20190723154714063 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:569 PDCH: trx=0 ts=7 20190723154714063 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:1355 NSVCI=1800 Rx NS RESET ACK (NSEI=1800, NSVCI=1800) 20190723154714063 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:704 NSEI=1800 Tx NS UNBLOCK (NSVCI=1800) 20190723154714064 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:1805 NSEI=1800 Rx NS UNBLOCK ACK 20190723154714064 DPCU <000d> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:537 NS-VC 1800 is unblocked. 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:816 Sending reset on BVCI 0 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:300 BSSGP (BVCI=0) Tx BVC-RESET CAUSE=O&M intervention 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:282 Rx BSSGP BVCI=-1 (SIGN) BVC_RESET_ACK 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:824 Sending reset on BVCI 1800 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:300 BSSGP (BVCI=1800) Tx BVC-RESET CAUSE=O&M intervention 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:282 Rx BSSGP BVCI=-1 (SIGN) BVC_RESET_ACK 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:832 Sending unblock on BVCI 1800 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:280 BSSGP (BVCI=1800) Tx BVC-UNBLOCK 20190723154714064 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:293 Rx BSSGP BVCI=-1 (SIGN) BVC_UNBLOCK_ACK 20190723154715034 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:390 RACH request received: sapi=1 qta=0, ra=120, fn=2270537, cur_fn=2270541, is_11bit=0 20190723154715034 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:979 Allocating UL TBF: MS_CLASS=0/0 20190723154715034 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:540 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Setting Control TS 6 20190723154715034 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:925 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = 00 20190723154715034 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:762 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) set ass. type CCCH [prev CCCH:0, PACCH:0] 20190723154715034 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:770 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) TX: START Immediate Assignment Uplink (AGCH) 20190723154715287 DTBFUL <000a> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:295 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) Decoded premier TLLI=0x00000000 of UL DATA TFI=0. 20190723154715310 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:392 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0xd01d83b2 DIR=UL STATE=FLOW) len=51 /home/pespin/dev/sysmocom/build/new/out/include/osmocom/core/msgb.h:543:2: runtime error: variable length array bound evaluates to non-positive value -1 <-------------------- 20190723154715311 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:160 LLC [SGSN -> PCU] = TLLI: 0xd01d83b2 IMSI: len: 12 20190723154715311 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:1071 Allocating DL TBF: MS_CLASS=0/0 20190723154715311 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:540 TBF(TFI=0 TLLI=0x00000000 DIR=DL STATE=NULL) Setting Control TS 6 20190723154715311 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:925 TBF(TFI=0 TLLI=0xd01d83b2 DIR=DL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = c0
Updated by Hoernchen over 4 years ago
This actually ubsan, exporting UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 should help.
Updated by pespin over 4 years ago
20190723185650062 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:390 RACH request received: sapi=1 qta=0, ra=123, fn=750980, cur_fn=750984, is_11bit=0 20190723185650062 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:979 Allocating UL TBF: MS_CLASS=0/0 20190723185650063 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:540 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Setting Control TS 6 20190723185650063 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:925 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = 00 20190723185650063 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:762 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) set ass. type CCCH [prev CCCH:0, PACCH:0] 20190723185650063 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:770 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) TX: START Immediate Assignment Uplink (AGCH) 20190723185650375 DTBFUL <000a> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:295 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) Decoded premier TLLI=0x00000000 of UL DATA TFI=0. 20190723185650417 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:392 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0x7f4d37b5 DIR=UL STATE=FLOW) len=54 /home/pespin/dev/sysmocom/build/new/out/include/osmocom/core/msgb.h:543:2: runtime error: variable length array bound evaluates to non-positive value -1 #0 0x559e4a77f2ed in msgb_alloc_headroom /home/pespin/dev/sysmocom/build/new/out/include/osmocom/core/msgb.h:543 #1 0x559e4a785a3b in gprs_rlcmac_ul_tbf::snd_ul_ud() /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:399 #2 0x559e4a78042a in gprs_rlcmac_ul_tbf::assemble_forward_llc(gprs_rlc_data const*) /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:98 #3 0x559e4a784637 in gprs_rlcmac_ul_tbf::rcv_data_block_acknowledged(gprs_rlc_data_info const*, unsigned char*, pcu_l1_meas*) /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:318 #4 0x559e4a7b3db3 in gprs_rlcmac_pdch::rcv_data_block(unsigned char*, unsigned char, unsigned int, pcu_l1_meas*, GprsCodingScheme) /home/pespin/dev/sysmocom/git/osmo-pcu/src/pdch.cpp:812 #5 0x559e4a7b401c in gprs_rlcmac_pdch::rcv_block_gprs(unsigned char*, unsigned char, unsigned int, pcu_l1_meas*, GprsCodingScheme) /home/pespin/dev/sysmocom/git/osmo-pcu/src/pdch.cpp:825 #6 0x559e4a7b3129 in gprs_rlcmac_pdch::rcv_block(unsigned char*, unsigned char, unsigned int, pcu_l1_meas*) /home/pespin/dev/sysmocom/git/osmo-pcu/src/pdch.cpp:745 #7 0x559e4a747871 in pcu_rx_data_ind_pdtch /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:253 #8 0x559e4a74892f in pcu_rx_data_ind /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:300 #9 0x559e4a751583 in pcu_rx(unsigned char, gsm_pcu_if*) /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:629 #10 0x559e4a7e060f in pcu_sock_read /home/pespin/dev/sysmocom/git/osmo-pcu/src/osmobts_sock.cpp:162 #11 0x559e4a7e0ce3 in pcu_sock_cb /home/pespin/dev/sysmocom/git/osmo-pcu/src/osmobts_sock.cpp:229 #12 0x7f59a98a7893 in osmo_fd_disp_fds /home/pespin/dev/sysmocom/git/libosmocore/src/select.c:223 #13 0x7f59a98a7bb9 in osmo_select_main /home/pespin/dev/sysmocom/git/libosmocore/src/select.c:263 #14 0x559e4a71a369 in main /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_main.cpp:361 #15 0x7f59a87c7ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2) #16 0x559e4a716c7d in _start (/home/pespin/dev/sysmocom/build/new/out/bin/osmo-pcu+0x1efc7d)
Updated by pespin over 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 90
Should be fixed by https://gerrit.osmocom.org/c/libosmocore/+/15607 msgb: Allow size==headroom in msgb_alloc_headroom*()
Once merged the ticket can be closed.
Updated by pespin over 4 years ago
The other runtime issue was already fixed by Hoernchen in osmo-pcu.git ab8b01effdce38a19385e6a58e3b719a57710b02
Updated by pespin over 4 years ago
- Status changed from Feedback to Resolved
- % Done changed from 90 to 100
Merged, closing.
Actions