Bug #1367
segfault on opentv module
100%
Description
I'm using the git snapshot got on 2012/10/27. My tvheadend seems to crash during the import phase of the opentv-skyit module. It seems to depend on the parsing of the transmitted info: it may not be reproducible.
This is the log in debug mode:
ott 28 10:12:02 [DEBUG]:cwc: Sending ECM section=0/0, for service Alice (seqno: 4) PID 1284
ott 28 10:12:02 [DEBUG]:cwc: Received ECM reply for service "Alice" even: 00.00.00.00.00.00.00.00 odd: df.cc.a7.52.41.b3.f7.eb (seqno: 4 Req delay: 196 ms)
ott 28 10:12:03 [DEBUG]:dvb: Configuration for mux "Sky: 12,207,000 kHz Horizontal (Default (Port 0, Universal LNB))" updated by automatic mux discovery ( PSK_8->QPSK, SYS_DVBS2->SYS_DVBS, )
ott 28 10:12:04 [DEBUG]:opentv-skyit: finish processing BAT
ott 28 10:12:04 [DEBUG]:opentv-skyit: begin processing
ott 28 10:12:04 [DEBUG]:epg: now/next 4500/5496 set on History +1
ott 28 10:12:04 [DEBUG]:epg: arm channel timer @ 1351416600 for History +1
ott 28 10:12:04 [DEBUG]:epg: now/next 0/5540 set on NationalGeo +1
ott 28 10:12:04 [DEBUG]:epg: arm channel timer @ 1351772700 for NationalGeo +1
ott 28 10:12:04 [DEBUG]:epg: now/next 4638/5564 set on Primafila 13 HD
ott 28 10:12:04 [DEBUG]:epg: arm channel timer @ 1351419884 for Primafila 13 HD
ott 28 10:12:04 [DEBUG]:epg: now/next 4922/5628 set on Sky Sport Extra HD
ott 28 10:12:04 [DEBUG]:epg: arm channel timer @ 1351422000 for Sky Sport Extra HD
ott 28 10:12:04 [DEBUG]:epg: now/next 0/5636 set on JimJam +1
ott 28 10:12:04 [DEBUG]:epg: arm channel timer @ 1351771200 for JimJam +1
[** CUT **]
ott 28 10:12:06 [DEBUG]:epg: now/next 40163/40165 set on Primafila 19
ott 28 10:12:06 [DEBUG]:epg: arm channel timer @ 1351419554 for Primafila 19
ott 28 10:12:06 [DEBUG]:epg: arm channel timer @ 1351420162 for Primafila 15
ott 28 10:12:06 [DEBUG]:epg: now/next 5374/40257 set on Primafila 15
ott 28 10:12:06 [DEBUG]:epg: arm channel timer @ 1351420162 for Primafila 15
ott 28 10:12:06 [DEBUG]:epg: now/next 40556/23490 set on Sky Calcio 13
ott 28 10:12:06 [DEBUG]:epg: arm channel timer @ 1351443600 for Sky Calcio 13
ott 28 10:12:06 [DEBUG]:epg: inform HTSP of now event change on Sky Calcio 13
ott 28 10:12:06 [ALERT]:CRASH: Signal: 11 in PRG: tvheadend (3.3.111~gaecded7-dirty) [d4b1610259d6f1062e1e71afb08b3e5011ade19b] CWD: /home/user
ott 28 10:12:06 [ALERT]:CRASH: Fault address (nil) (Address not mapped)
ott 28 10:12:06 [ALERT]:CRASH: Loaded libraries: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib/x86_64-linux-gnu/libz.so.1 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 /lib/x86_64-linux-gnu/librt.so.1 /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libdbus-1.so.3 /lib64/ld-linux-x86-64.so.2
ott 28 10:12:06 [ALERT]:CRASH: Register dump [23]: 00000000fffff94c 00007fe8286ad2a0 0000000000000000 0000000000000001 0000000002496040 00000000fffffffc 00000000fffffffe 00000000000000f2 00007fe85696d720 fffffffffffffffc 00007fe83801803d 0000000000000000 00007fe828000020 0000000000000000 0000000000000048 00007fe85536f970 0000000000432a40 0000000000010202 0000000000000033 0000000000000006 000000000000000e fffffffe7ffbfa17 0000000000000000
ott 28 10:12:06 [ALERT]:CRASH: STACKTRACE
ott 28 10:12:06 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/trap.c:139 0x42662b
ott 28 10:12:06 [ALERT]:CRASH: ??:0 0x7fe856983cb0
ott 28 10:12:07 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/epggrab/module/opentv.c:221 0x432a40
ott 28 10:12:07 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/epggrab/module/opentv.c:259 0x432fd6
ott 28 10:12:07 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/dvb/dvb_tables.c:112 0x4484a6
ott 28 10:12:07 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/psi.c:67 0x418e38
ott 28 10:12:07 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/psi.c:51 0x419102
ott 28 10:12:07 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/dvb/dvb_input_raw.c:118 0x451030
ott 28 10:12:07 [ALERT]:CRASH: /home/user/toolbox/src/tvheadend/tvheadend-git/src/dvb/dvb_input_raw.c:148 0x4510e7
ott 28 10:12:07 [ALERT]:CRASH: ??:0 0x7fe85697be9a
ott 28 10:12:07 [ALERT]:CRASH: clone+0x6d (/lib/x86_64-linux-gnu/libc.so.6)
The backtrace on the coredump follows:
$ gdb /usr/bin/tvheadend ./core-tvheadend-11-1000-1000-7378-1351415527
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /usr/bin/tvheadend...Reading symbols from /usr/lib/debug/usr/bin/tvheadend...done.
done.
[New LWP 7382]
[New LWP 7385]
[New LWP 7384]
[New LWP 7379]
[New LWP 7387]
[New LWP 7391]
[New LWP 7389]
[New LWP 7386]
[New LWP 7399]
[New LWP 7388]
[New LWP 7392]
[New LWP 7407]
[New LWP 7409]
[New LWP 7380]
[New LWP 7411]
[New LWP 7408]
[New LWP 7410]
[New LWP 7378]
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `tvheadend -d'.
Program terminated with signal 11, Segmentation fault.
#0 _opentv_parse_string ( buf=0x7fe83801803d "\304̃\331\366tv\216\366[7\335\032;d١j\366d\344\036Ο\260>\222\341\341\366\264\345U\343?\275ן>ٛ6ҿv\037\377\266\201\203\243e\371m3@)\233\060\033(\317W\262\335\214\034\245p\327<\375\364\371:\260a\242", len=-2, prov=<optimized out>) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/epggrab/module/opentv.c:222
222       *ret = 0;
(gdb) backtrace
#0 _opentv_parse_string ( buf=0x7fe83801803d "\304̃\331\366tv\216\366[7\335\032;d١j\366d\344\036Ο\260>\222\341\341\366\264\345U\343?\275ן>ٛ6ҿv\037\377\266\201\203\243e\371m3@)\233\060\033(\317W\262\335\214\034\245p\327<\375\364\371:\260a\242", len=-2, prov=<optimized out>) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/epggrab/module/opentv.c:222
#1 0x0000000000432fd6 in _opentv_parse_event_record (mjd=1351468800, len=<optimized out>, buf=<optimized out>, ev=0x7fe85536fa00, prov=0x2495fa0) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/epggrab/module/opentv.c:259
#2 _opentv_parse_event (type=<optimized out>, ev=0x7fe85536fa00, mjd=1351468800, cid=<optimized out>, len=<optimized out>, buf=0x7fe838018030 "]\321\341\357\265\005\261\031\246\273=%\n\304̃\331\366tv\216\366[7\335\032;d١j\366d\344\036Ο\260>\222\341\341\366\264\345U\343?\275ן>ٛ6ҿv\037\377\266\201\203\243e\371m3@)\233\060\033(\317W\262\335\214\034\245p\327<\375\364\371:\260a\242", sta=0x7fe838005f40, prov=0x2495fa0) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/epggrab/module/opentv.c:304
#3 _opentv_parse_event_section (mod=0x2495fa0, sta=0x7fe838005f40, buf=0x7fe838017df7 "\002", <incomplete sequence \347>, len=641, type=<optimized out>) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/epggrab/module/opentv.c:343
#4 0x00000000004484a6 in dvb_table_dispatch (sec=0x7fe838017df4 "\250\362\205\002", <incomplete sequence \347>, r=645, tdt=0x7fe838017d80) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/dvb/dvb_tables.c:112
#5 0x0000000000418e38 in psi_section_reassemble0 (ps=0x7fe838017dec, len=<optimized out>, crc=<optimized out>, cb=<optimized out>, opaque=<optimized out>, start=<optimized out>, data=<optimized out>) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/psi.c:67
#6 0x0000000000419102 in psi_section_reassemble0 (opaque=0x7fe838017d80, cb=0x450eb0 <got_section>, crc=0, start=0, len=<optimized out>, data=<optimized out>, ps=0x7fe838017dec) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/psi.c:51
#7 psi_section_reassemble (ps=0x7fe838017dec, tsb=0x7fe834088f30 "G@E\025\062;d١j\366d\344\036Ο\260>\222\341\341\366\264\345U\343?\275ן>ٛ6ҿv\037\377\266\201\203\243e\371m3@)\233\060\033(\317W\250\362\373\002", <incomplete sequence \337>, crc=0, cb=0x450eb0 <got_section>, opaque=0x7fe838017d80) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/psi.c:95
#8 0x0000000000451030 in dvb_table_raw_dispatch (dtf=0x7fe834088f20, tdmi=<optimized out>) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/dvb/dvb_input_raw.c:118
#9 0x00000000004510e7 in dvb_table_input (aux=0x2490ad0) at /home/user/toolbox/src/tvheadend/tvheadend-git/src/dvb/dvb_input_raw.c:148
#10 0x00007fe85697be9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#11 0x00007fe8566a94bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#12 0x0000000000000000 in ?? ()
(gdb)
History
Updated by Adam Sutton about 12 years ago
- Status changed from New to Need feedback
Interesting, you're not the first to report this. I had so far assumed this was the result of a memory leak, since the crash line appears to be a result of a NULL return from malloc().
I will have another look though. If you still have the coredump, can you run "bt full" for me and attach the output? Since this is the same arch as my machine it might be useful to have the core and binary so I can do some digging myself (maybe you could mail those to me directly - address is on my profile).
Adam
Updated by Adam Sutton about 12 years ago
Oh!
Ok, obvious issue spotted, though not sure what exactly is causing it (missed it due to length of lines!) len=-2, so malloc is being called with -ve number. Obviously that's not going to work!
Need to figure out what happened to the protection code that stops that from happening!
Adam
Updated by Adam Sutton about 12 years ago
- Category set to EPG - Grabbers
- Status changed from Need feedback to Accepted
- Assignee set to Adam Sutton
- Target version set to 3.2
- Affected Versions 3.2, 3.4 added
Updated by Adam Sutton about 12 years ago
Yes, I see the mistake, I've subtracted 7 where it should have been 5 (I basically double counted the descriptor info bytes).
This means that for 0 length (or single char) strings, the len to opentv_get_string() will be -ve which will cause a crash.
I need to a) fix this initial bug and b) put a bit of extra protection in place.
Adam
Updated by Adam Sutton about 12 years ago
Hmm, ok, scratch that, it is -7, there are a few undecoded bytes in that descriptor. At least according to all the other implementations.
The problem may simply be that there is an error in the stream or the rev-eng of opentv. So I guess the best I can do is put protection in place to ensure it doesn't crash TVH.
Adam
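The kind of protection discussed in the comment above, as an added example that is not part of the original thread and is not tvheadend's code. The record layout, `FIXED_HDR`, `parse_string` and `parse_record` are hypothetical; the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 7 fixed bytes precede the text, matching the "-7" in the thread. */
#define FIXED_HDR 7

/* Copy len bytes into a new NUL-terminated buffer. A negative int passed to
 * malloc() converts to a huge size_t and the call returns NULL, so both the
 * length and the allocation result are checked before any write. */
static char *parse_string(const uint8_t *buf, int len)
{
  if (buf == NULL || len <= 0) return NULL;
  char *ret = malloc((size_t)len + 1);
  if (ret == NULL) return NULL;
  memcpy(ret, buf, (size_t)len);
  ret[len] = '\0';
  return ret;
}

/* Hypothetical record layout: [tag][dlen][FIXED_HDR bytes][text...].
 * Returns bytes consumed, or -1 if the record is malformed; *out receives
 * the text, or NULL when the text is empty or the record is rejected. */
static int parse_record(const uint8_t *buf, int avail, char **out)
{
  *out = NULL;
  if (buf == NULL || avail < 2) return -1;
  int dlen = buf[1];
  if (dlen > avail - 2) return -1;  /* claims more bytes than the section holds */
  if (dlen < FIXED_HDR) return -1;  /* dlen - FIXED_HDR would be negative */
  *out = parse_string(buf + 2 + FIXED_HDR, dlen - FIXED_HDR);
  return 2 + dlen;
}

int main(void)
{
  /* Constructed records: dlen = 5 gives 5 - 7 = -2, the len in the backtrace. */
  const uint8_t bad[] = { 0x01, 5, 0, 0, 0, 0, 0 };
  const uint8_t ok[]  = { 0x01, 9, 0, 0, 0, 0, 0, 0, 0, 'h', 'i' };
  char *s;
  printf("bad -> %d\n", parse_record(bad, (int)sizeof bad, &s));
  printf("ok  -> %d", parse_record(ok, (int)sizeof ok, &s));
  printf(" \"%s\"\n", s ? s : "");
  free(s);
  return 0;
}
```

Rejecting the record at the caller keeps a corrupt or misunderstood stream from ever reaching the allocator with a negative length, and the check inside `parse_string` covers any other call path.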
Updated by Adam Sutton about 12 years ago
- Status changed from Accepted to Resolved
This should now be resolved in master and will be back ported to 3.2 for next patch release.
Adam
Updated by Adam Sutton about 12 years ago
- Status changed from Resolved to Fixed
- % Done changed from 0 to 100
Applied in changeset commit:e9fe361907a4e02ae896e6b9e247e4c329275fd9.