Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#801 closed defect (fixed)

test-srv_net_tcp: tqueue tests crash

Reported by: Jakub Jermář Owned by:
Priority: major Milestone: 0.11.1
Component: helenos/net/tcp Version: mainline
Keywords: Cc:
Blocker for: Depends on:
See also:

Description (last modified by Jakub Jermář)

When running the *ctrl_seg_teardown*, *test_new_data_fin* or *test_new_data_small_win* tests from the tqueue suite from test-srv_net_tcp, the test crashes:

Task /test/test-srv_net_tcp (72) killed due to an exception at program counter 0x000000000040c142.
cs =0x0000000000000023	rip=0x000000000040c142	rfl=0x0000000000210246	err=0x0000000000000004
ss =0x000000000000001b
rax=0x0000000000428510	rbx=0x0000000000428050	rcx=0x0000000070156ca7	rdx=0x0000000000000000
rsi=0x0000000070191517	rdi=0x00000000701a4850	rbp=0x0000000070141d00	rsp=0x0000000070141cb0
r8 =0x0000000000000000	r9 =0x0000000000000000	r10=0x0000000000000000	r11=0x0000000000200212
r12=0x0000000000416b10	r13=0x000000007003bfe3	r14=0x0000000000000002	r15=0x0000000000000002
0x0000000070141d00: 0x000000000040c142()
0x0000000070141d30: 0x000000000040f74e()
0x0000000070141d40: 0x000000000040f8a7()
0x0000000070141db0: 0x000000000040ec87()
0x0000000070141df0: 0x000000007015725b()
0x0000000070141e10: 0x000000000040d003()
0x0000000070141e20: 0x000000000040cf6b()
Kill message: Page fault: 0x0000000000428510.
[/srv/taskmon(16)] taskmon: Task 72 fault in thread 0xffffffff819bc7a0.
[/srv/taskmon(16)] taskmon: Executing /app/taskdump -t 72
[/app/taskdump(73)] Task Dump Utility
[/app/taskdump(73)] Dumping task '/test/test-srv_net_tcp' (task ID 72).
[/app/taskdump(73)] Loaded symbol table from /test/test-srv_net_tcp
[/app/taskdump(73)] Threads:
[/app/taskdump(73)]  [1] hash: 0xffffffff819bc7a0
[/app/taskdump(73)] Thread 0xffffffff819bc7a0: PC = 0x000000000040c142 (test_ctrl_seg_teardown+194). FP = 0x0000000070141d00
[/app/taskdump(73)]   0x0000000070141d00: 0x000000000040c142 (test_ctrl_seg_teardown+194)
[/app/taskdump(73)]   0x0000000070141d30: 0x000000000040f74e (run_test+206)
[/app/taskdump(73)]   0x0000000070141d40: 0x000000000040f8a7 (pcut_run_test_forked+39)
[/app/taskdump(73)]   0x0000000070141db0: 0x000000000040ec87 (pcut_main+1031)
[/app/taskdump(73)]   0x0000000070141df0: 0x000000007015725b (_end+1876133139)
[/app/taskdump(73)]   0x0000000070141e10: 0x000000000040d003 (__c_start+147)
[/app/taskdump(73)]   0x0000000070141e20: 0x000000000040cf6b (_start+12)
[/app/taskdump(73)] Address space areas:
[/app/taskdump(73)]  [1] flags: R-XC base: 0x0000000000400000 size: 90112
[/app/taskdump(73)]  [2] flags: RW-C base: 0x0000000000416000 size: 36864
[/app/taskdump(73)]  [3] flags: RW-C base: 0x000000000041f000 size: 4096
[/app/taskdump(73)]  [4] flags: RW-C base: 0x0000000000421000 size: 4096
[/app/taskdump(73)]  [5] flags: RW-C base: 0x0000000000423000 size: 4096
[/app/taskdump(73)]  [6] flags: RW-C base: 0x0000000000425000 size: 4096
[/app/taskdump(73)]  [7] flags: R--C base: 0x0000000000427000 size: 4096
[/app/taskdump(73)]  [8] flags: R-XC base: 0x0000000070000000 size: 94208
[/app/taskdump(73)]  [9] flags: RW-C base: 0x0000000070017000 size: 126976
[/app/taskdump(73)]  [10] flags: RW-C base: 0x0000000070036000 size: 4096
[/app/taskdump(73)]  [11] flags: RW-C base: 0x0000000070037000 size: 4096
[/app/taskdump(73)]  [12] flags: RW-C base: 0x0000000070039000 size: 4096
[/app/taskdump(73)]  [13] flags: RW-C base: 0x000000007003b000 size: 4096
[/app/taskdump(73)]  [14] flags: RW-C base: 0x000000007003d000 size: 4096
[/app/taskdump(73)]  [15] flags: R--C base: 0x000000007003f000 size: 4096
[/app/taskdump(73)]  [16] flags: RW-C base: 0x0000000070040000 size: 4096
[/app/taskdump(73)]  [17] flags: RW-C base: 0x0000000070042000 size: 1048576
[/app/taskdump(73)]  [18] flags: R-XC base: 0x0000000070143000 size: 385024
[/app/taskdump(73)]  [19] flags: RW-C base: 0x00000000701a1000 size: 131072
[/app/taskdump(73)]  [20] flags: RW-C base: 0x00007ffffff00000 size: 1048576
[/app/taskdump(73)] Failed dumping fibrils.

Change History (4)

comment:1 by Jakub Jermář, 5 years ago

Description: modified (diff)
Summary: test-srv_net_tcp: tqueue/ctrl_seg_teardown crashestest-srv_net_tcp: tqueue tests crash

comment:2 by Jiri Svoboda, 5 years ago

This is a bug in the tests. tqueue_test_transmit_seg records a copy of the pointer to the segment being transmitted and the segment is examined afterwards. But once a segment is transmitted, it is freed. That means the tests will access freed memory.

The solution is to duplicate the segment in tqueue_test_transmit_seg and free it once we are done processing it.

comment:3 by Jiri Svoboda, 5 years ago

Milestone: 0.9.2
Resolution: fixed
Status: newclosed

Fixed in changeset 3106054d4d858ffdc84fd8a04948c84f0832c541.

comment:4 by Jakub Jermář, 4 years ago

Milestone: 0.9.20.11.1

Milestone renamed

Note: See TracTickets for help on using tickets.