Bug #4134
Crash on getting EPG for IPTV VOD
100%
Description
Hi,
here is my log with clang:
ASAN:SIGSEGV
=================================================================
==2130==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ceb84c9da sp 0x7f7ce7550c48 bp 0x7f7ce75514b0 T9)
    #0 0x7f7ceb84c9d9 (/lib/x86_64-linux-gnu/libc.so.6+0x889d9)
    #1 0x7f7ceecf9005 in __interceptor_strdup (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cf005)
    #2 0x7f7cef9002d0 in iptv_auto_network_process_m3u_item /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_auto.c:244
    #3 0x7f7cef8fac30 in iptv_auto_network_process_m3u /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_auto.c:316
    #4 0x7f7cef8f91ff in iptv_auto_network_process /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_auto.c:363
    #5 0x7f7cef14dbcd in download_fetch_complete /home/waldmeister/src/tvheadend/src/download.c:123
    #6 0x7f7cef134eb1 in http_client_finish /home/waldmeister/src/tvheadend/src/httpc.c:704
    #7 0x7f7cef11cf22 in http_client_run0 /home/waldmeister/src/tvheadend/src/httpc.c:1011
    #8 0x7f7cef11a570 in http_client_run /home/waldmeister/src/tvheadend/src/httpc.c:1180
    #9 0x7f7cef1305c7 in http_client_thread /home/waldmeister/src/tvheadend/src/httpc.c:1442
    #10 0x7f7ceedd9cf2 in thread_wrapper /home/waldmeister/src/tvheadend/src/wrappers.c:159
    #11 0x7f7ced11b183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #12 0x7f7ceb8be37c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T9 (tvh:httpc) created by T0 here:
    #0 0x7f7ceecf7312 in pthread_create (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cd312)
    #1 0x7f7ceedd970b in tvhthread_create /home/waldmeister/src/tvheadend/src/wrappers.c:177
    #2 0x7f7cef12fa5e in http_client_init /home/waldmeister/src/tvheadend/src/httpc.c:1694
    #3 0x7f7ceed33344 in main /home/waldmeister/src/tvheadend/src/main.c:1193
    #4 0x7f7ceb7e5f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
==2130==ABORTING
And compiled with gcc / full bt:
[Thread 0x7fffcb7fe700 (LWP 2458) exited] Program received signal SIGINT, Interrupt. pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238 238 ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S: Datei oder Verzeichnis nicht gefunden. Undefined command: "exit". Try "help". A debugging session is active. Inferior 1 [process 2431] will be killed. Quit anyway? (y or n) #0 bin2hex (dst=0x7f8a4d7f8b11 "", dst@entry=0x7f8a4d7f8b10 "\276", dstlen=dstlen@entry=33, src=0x140 <error: Cannot access memory at address 0x140>, srclen=srclen@entry=16) at src/uuid.c:83 No locals. #1 0x00007f8ac59fdff9 in idnode_uuid_as_str (in=<optimized out>, uuid=uuid@entry=0x7f8a4d7f8b10 "\276") at src/idnode.c:227 No locals. #2 0x00007f8ac5a17f74 in epg_episode_find_by_broadcast (ebc=ebc@entry=0x7f8a7f53b660, src=src@entry=0x7f8ac93422c0, create=create@entry=1, save=save@entry=0x7f8a4d7f95e0, changed=changed@entry=0x7f8a4d7f8c8c) at src/epg.c:956 uri = "\020\322\364\177\212\177\000\000\222\016V\205\000\000\000\000\340\225\177M\212\177\000\000\200\212\242}\212\177\000\000\000\353j\177\212\177\000\000`\266S\177\212\177\000\000\000\000\000\000\000\000\000\000\222\016V\205\212\177\000\000\340\225\177M\212\177\000\000\335n\244Ŋ\177\000\000`\266S" ubuf = "\276\000\000\000\000\000\000\000*\247\fÊ\177\000\000\000\000\000\000\000\000\000\000\220\254\004|\212\177\000\000`" #3 0x00007f8ac5acf97d in _eit_process_event_one (mod=mod@entry=0x7f8ac93422c0, tableid=tableid@entry=78, sect=sect@entry=0, svc=svc@entry=0x7f8ac9d3ab70, ch=<optimized out>, ptr=<optimized out>, ptr@entry=0x7f8a85560d86 "", len=256, len@entry=268, local=local@entry=0, resched=resched@entry=0x7f8a4d7f95e4, save=save@entry=0x7f8a4d7f95e0) at src/epggrab/module/eit.c:536 dllen = <optimized out> save2 = 1 start = <optimized out> stop = <optimized out> eid = 89 dtag = <optimized out> dlen = <optimized out> running = 4 '\004' ebc = 0x7f8a7f53b660 ee = 0x0 es = <optimized 
out> run = <optimized out> ev = {uri = '\000' <repeats 256 times>, suri = '\000' <repeats 256 times>, title = 0x7f8a7e9cd750, summary = 0x7f8a7eb3d020, desc = 0x7f8a7d6a5450, default_charset = 0x7f8ac86c9e20 "AUTO", extra = 0x0, genre = 0x7f8a7ca9b1a0, hd = 0 '\000', ws = 0 '\000', ad = 0 '\000', st = 0 '\000', ds = 0 '\000', bw = 0 '\000', parental = 0 '\000'} changes2 = 1849 changes3 = 0 changes4 = 0 tm1 = "i\377\bÊ\177\000\000%\313xƊ\177\000\000#\313xƊ\177\000\000*\304\bÊ\177\000" tm2 = "\000\000\000\000\000\000\000\000@\217\177M\212\177\000\000\000\000\177M\212\177\000\000ܦ\177M\212\177\000" #4 0x00007f8ac5ad08a8 in _eit_process_event (save=0x7f8a4d7f95e0, resched=0x7f8a4d7f95e4, local=0, len=268, ptr=0x7f8a85560d86 "", svc=<optimized out>, sect=0, tableid=78, mod=0x7f8ac93422c0) at src/epggrab/module/eit.c:600 ilm = 0x7f8ac973e9a0 ch = <optimized out> #5 _eit_callback (mt=0x7f8a85560d10, ptr=0x7f8a85560d86 "", len=268, tableid=78) at src/epggrab/module/eit.c:724 r = <optimized out> sect = 0 last = 1 ver = 17 save = 1 resched = 1 seg = <optimized out> onid = <optimized out> tsid = 9900 sid = <optimized out> extraid = <optimized out> svc = <optimized out> mm = <optimized out> map = <optimized out> mod = 0x7f8ac93422c0 ota = 0x7f8ac8740000 st = 0x7f8a7f4b37c0 ths = <optimized out> ubuf = "86e91bee10196352fc02b09439651053" #6 0x00007f8ac5ab6cf8 in mpegts_table_dispatch (sec=<optimized out>, r=<optimized out>, aux=0x7f8a85560d10) at src/input/mpegts/mpegts_table.c:105 tid = <optimized out> len = <optimized out> crc_len = <optimized out> ret = <optimized out> mt = 0x7f8a85560d10 #7 0x00007f8ac5aaf406 in mpegts_psi_section_reassemble0 (mt=mt@entry=0x7f8a85560d10, logpref=logpref@entry=0x7f8a4d7f99d0 "12692H in 13.0E Hotbird", data=data@entry=0x7f8a2c1d37a0 " la Martinique. Le Basque de Saint-Pierre-et-Miquelon. 
Le nouvel an chinois \340 La R\351union.T\002\224", len=len@entry=184, start=<optimized out>, crc=crc@entry=1, cb=cb@entry=0x7f8ac5ab6c60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f8a85560d10) at src/input/mpegts/dvb_psi_lib.c:122 p = 0x7f8a85560d78 "N\361\033\001\243", <incomplete sequence \343> excess = 81 tsize = <optimized out> #8 0x00007f8ac5aaf63e in mpegts_psi_section_reassemble (mt=mt@entry=0x7f8a85560d10, logprefix=logprefix@entry=0x7f8a4d7f99d0 "12692H in 13.0E Hotbird", tsb=tsb@entry=0x7f8a2c1d379c "G", crc=1, cb=0x7f8ac5ab6c60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f8a85560d10) at src/input/mpegts/dvb_psi_lib.c:169 pusi = <optimized out> cc = <optimized out> off = 4 r = <optimized out> #9 0x00007f8ac5aa9639 in mpegts_input_table_dispatch (mm=mm@entry=0x7f8ac9d36070, logprefix=logprefix@entry=0x7f8a4d7f99d0 "12692H in 13.0E Hotbird", tsb=tsb@entry=0x7f8a2c1d36e0 "G@\022\034", tsb_len=940) at src/input/mpegts/mpegts_input.c:1185 i = <optimized out> len = <optimized out> c = <optimized out> tsb2 = 0x7f8a2c1d379c "G" tsb2_end = 0x7f8a2c1d3a8c "tant c'est ", <incomplete sequence \365> pid = 18 mt = 0x7f8a85560d10 vec = 0x7f8a4d7f9880 __PRETTY_FUNCTION__ = "mpegts_input_table_dispatch" #10 0x00007f8ac5aa9846 in mpegts_input_table_thread (aux=0x7f8a740099a0) at src/input/mpegts/mpegts_input.c:1576 mtf = 0x7f8a2c1d36c0 mm = 0x7f8ac9d36070 muxname = "12692H in 13.0E Hotbird", '\000' <repeats 232 times> #11 0x00007f8ac5a06442 in thread_wrapper (p=0x7f8a8439a220) at src/wrappers.c:159 ts = 0x7f8a8439a220 set = {__val = {16388, 0 <repeats 15 times>}} r = <optimized out> #12 0x00007f8ac415a184 in start_thread (arg=0x7f8a4d7fa700) at pthread_create.c:312 __res = <optimized out> pd = 0x7f8a4d7fa700 now = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140231982425856, -6082041186477309784, 0, 0, 140231982426560, 140231982425856, 6092426076892004520, 6092728080380690600}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev 
= 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = <optimized out> pagesize_m1 = <optimized out> sp = <optimized out> freesize = <optimized out> __PRETTY_FUNCTION__ = "start_thread" #13 0x00007f8ac313c37d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 No locals. #2 0x00007f8ac5a17f74 in epg_episode_find_by_broadcast (ebc=ebc@entry=0x7f8a7f53b660, src=src@entry=0x7f8ac93422c0, create=create@entry=1, save=save@entry=0x7f8a4d7f95e0, changed=changed@entry=0x7f8a4d7f8c8c) at src/epg.c:956 956 snprintf(uri, sizeof(uri)-1, "tvh://channel-%s/bcast-%u/episode", $1 = {{uri_link = {left = 0x7f8a7d8548c0, right = 0x7f8a7ecd0ab0, parent = 0x0, color = 0}, id_link = {left = 0x0, right = 0x0, parent = 0x7f8a93c4a3c0, color = 0}, un_link = {le_next = 0x0, le_prev = 0x7f8ac6c47480 <epg_object_unref>}, up_link = {le_next = 0x0, le_prev = 0x7f8adc140ac0}, type = EPG_BROADCAST, id = 992764, uri = 0x0, updated = 1480822372, _updated = 1 '\001', _created = 0 '\000', refcount = 0, grabber = 0x7f8ac93422c0, getref = 0x7f8ac5a130d0 <_epg_object_getref>, putref = 0x7f8ac5a14700 <_epg_object_putref>, destroy = 0x7f8ac5a15b00 <_epg_broadcast_destroy>, update = 0x7f8ac5a141d0 <_epg_broadcast_updated>}, dvb_eid = 89, start = 1480821000, stop = 1480822200, is_widescreen = 0 '\000', is_hd = 0 '\000', lines = 0, aspect = 0, is_deafsigned = 0 '\000', is_subtitled = 0 '\000', is_audio_desc = 0 '\000', is_new = 0 '\000', is_repeat = 0 '\000', running = 0 '\000', summary = 0x7f8a7d93fc10, description = 0x7f8a7f6aeb00, sched_link = {left = 0x0, right = 0x0, parent = 0x7f8adc140a70, color = 0}, ep_link = {le_next = 0x0, le_prev = 0x0}, episode = 0x0, sl_link = {le_next = 0x0, le_prev = 0x0}, serieslink = 0x0, channel = 0x140} #0 lang_str_compare (ls1=0x6e6f696e6967617a, ls2=ls2@entry=0x7f68e01afe00) at src/lang_str.c:279 e = <optimized out> r = <optimized out> #1 0x00007f693b99dca0 in _epg_object_set_lang_str (o=0x7f68e00c9cf0, old=0x7f68e00c9dc8, str=0x7f68e01afe00, 
changed=<optimized out>, cflag=<optimized out>) at src/epg.c:353 No locals. #2 0x00007f693ba5789c in _eit_process_event_one (mod=mod@entry=0x7f693e10bcc0, tableid=tableid@entry=79, sect=sect@entry=0, svc=svc@entry=0x7f693ecb8270, ch=<optimized out>, ptr=<optimized out>, ptr@entry=0x7f68fc4881d6 ":\231\341\177", len=461, len@entry=473, local=local@entry=0, resched=resched@entry=0x7f68c0ff8594, save=save@entry=0x7f68c0ff8590) at src/epggrab/module/eit.c:508 dllen = <optimized out> save2 = 1 start = <optimized out> stop = <optimized out> eid = 15001 dtag = <optimized out> dlen = <optimized out> running = 4 '\004' ebc = 0x7f68e00c9cf0 ee = 0x0 es = <optimized out> run = <optimized out> ev = {uri = '\000' <repeats 256 times>, suri = '\000' <repeats 256 times>, title = 0x7f68e00e4a30, summary = 0x0, desc = 0x7f68e01afe00, default_charset = 0x7f693d0d6d50 "AUTO", extra = 0x0, genre = 0x7f68e0111090, hd = 0 '\000', ws = 0 '\000', ad = 0 '\000', st = 0 '\000', ds = 0 '\000', bw = 0 '\000', parental = 0 '\000'} changes2 = 25 changes3 = 0 changes4 = 0 tm1 = "i\177\001\071i\177\000\000%Kq<i\177\000\000#Kq<i\177\000\000*D\001\071i\177\000" tm2 = "\360~\377\300h\177\000\000\360~\377\300h\177\000\000\360~\377\300h\177\000\000\372~\377\300h\177\000" #3 0x00007f693ba588a8 in _eit_process_event (save=0x7f68c0ff8590, resched=0x7f68c0ff8594, local=0, len=473, ptr=0x7f68fc4881d6 ":\231\341\177", svc=<optimized out>, sect=0, tableid=79, mod=0x7f693e10bcc0) at src/epggrab/module/eit.c:600 ilm = 0x7f69428b96c0 ch = <optimized out> #4 _eit_callback (mt=0x7f68fc488160, ptr=0x7f68fc4881d6 ":\231\341\177", len=473, tableid=79) at src/epggrab/module/eit.c:724 r = <optimized out> sect = 0 last = 1 ver = 8 save = 1 resched = 1 seg = <optimized out> onid = <optimized out> tsid = 1000 sid = <optimized out> extraid = <optimized out> svc = <optimized out> mm = <optimized out> map = <optimized out> mod = 0x7f693e10bcc0 ota = 0x0 st = 0x7f68e00c2220 ths = <optimized out> ubuf = 
"a2613312e099cdbd8a155fba1a3a8ac1" #5 0x00007f693ba3ecf8 in mpegts_table_dispatch (sec=<optimized out>, r=<optimized out>, aux=0x7f68fc488160) at src/input/mpegts/mpegts_table.c:105 tid = <optimized out> len = <optimized out> crc_len = <optimized out> ret = <optimized out> mt = 0x7f68fc488160 #6 0x00007f693ba37406 in mpegts_psi_section_reassemble0 (mt=mt@entry=0x7f68fc488160, logpref=logpref@entry=0x7f68c0ff89d0 "10892H in 13.0E Hotbird", data=data@entry=0x7f68e001e324 "ywa kulisy niewyja\266nionych wydarze\361 historycznych. Widzowie dowiedz\261 si\352, sk\261d si\352 wzi\261\263 orze\263 w godle Polski.T\002#\200U\004POL\004R5\027Y", '\377' <repeats 60 times>, "G@\022\033", len=len@entry=184, start=<optimized out>, crc=crc@entry=1, cb=cb@entry=0x7f693ba3ec60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f68fc488160) at src/input/mpegts/dvb_psi_lib.c:122 p = 0x7f68fc4881c8 "O\361\350\020\341", <incomplete sequence \321> excess = 60 tsize = <optimized out> #7 0x00007f693ba3763e in mpegts_psi_section_reassemble (mt=mt@entry=0x7f68fc488160, logprefix=logprefix@entry=0x7f68c0ff89d0 "10892H in 13.0E Hotbird", tsb=tsb@entry=0x7f68e001e320 "G", crc=1, cb=0x7f693ba3ec60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f68fc488160) at src/input/mpegts/dvb_psi_lib.c:169 pusi = <optimized out> cc = <optimized out> off = 4 r = <optimized out> #8 0x00007f693ba31639 in mpegts_input_table_dispatch (mm=mm@entry=0x7f693e451700, logprefix=logprefix@entry=0x7f68c0ff89d0 "10892H in 13.0E Hotbird", tsb=tsb@entry=0x7f68e001e030 "G@\022\026", tsb_len=1316) at src/input/mpegts/mpegts_input.c:1185 i = <optimized out> len = <optimized out> c = <optimized out> tsb2 = 0x7f68e001e320 "G" tsb2_end = 0x7f68e001e554 "h\177" pid = 18 mt = 0x7f68fc488160 vec = 0x7f68c0ff8830 __PRETTY_FUNCTION__ = "mpegts_input_table_dispatch" #9 0x00007f693ba31846 in mpegts_input_table_thread (aux=0x7f690010dd00) at src/input/mpegts/mpegts_input.c:1576 mtf = 0x7f68e001e010 mm = 0x7f693e451700 muxname = "10892H in 
13.0E Hotbird", '\000' <repeats 232 times> #10 0x00007f693b98e442 in thread_wrapper (p=0x7f68fc3916d0) at src/wrappers.c:159 ts = 0x7f68fc3916d0 set = {__val = {16388, 0 <repeats 15 times>}} r = <optimized out> #11 0x00007f693a0e2184 in start_thread (arg=0x7f68c0ff9700) at pthread_create.c:312 __res = <optimized out> pd = 0x7f68c0ff9700 now = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140087891302144, 8518836883025724521, 0, 0, 140087891302848, 140087891302144, -8581190185688071063, -8580895374122384279}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = <optimized out> pagesize_m1 = <optimized out> sp = <optimized out> freesize = <optimized out> __PRETTY_FUNCTION__ = "start_thread" #12 0x00007f69390c437d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 No locals. #2 0x00007f693ba5789c in _eit_process_event_one (mod=mod@entry=0x7f693e10bcc0, tableid=tableid@entry=79, sect=sect@entry=0, svc=svc@entry=0x7f693ecb8270, ch=<optimized out>, ptr=<optimized out>, ptr@entry=0x7f68fc4881d6 ":\231\341\177", len=461, len@entry=473, local=local@entry=0, resched=resched@entry=0x7f68c0ff8594, save=save@entry=0x7f68c0ff8590) at src/epggrab/module/eit.c:508 508 *save |= epg_broadcast_set_description(ebc, ev.desc, &changes2); $1 = {{uri_link = {left = 0x7f68e0007b70, right = 0x7f68e0062920, parent = 0x3a475250000000bc, color = 1038820272}, id_link = {left = 0x25b0000012004047, right = 0xe000000000c52504, parent = 0xf46f28b4f46e2810, color = -193976130}, un_link = {le_next = 0xf47328dcf47228d2, le_prev = 0xffffff6ae84551e6}, up_link = {le_next = 0xffffffffffffffff, le_prev = 0xffffffffffffffff}, type = 4294967295, id = 4294967295, uri = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, updated = -1, _updated = 255 '\377', _created = 255 '\377', refcount = -1, grabber = 0xffffffffffffffff, getref = 0xffffffffffffffff, putref = 0xffffffffffffffff, 
destroy = 0xffffffffffffffff, update = 0xffffffffffffffff}, dvb_eid = 65535, start = -1, stop = -1, is_widescreen = 255 '\377', is_hd = 255 '\377', lines = 65535, aspect = 65535, is_deafsigned = 255 '\377', is_subtitled = 255 '\377', is_audio_desc = 255 '\377', is_new = 255 '\377', is_repeat = 255 '\377', running = 255 '\377', summary = 0xffffffffffffffff, description = 0x6e6f696effffffff, sched_link = {left = 0x65697a6420686379, right = 0x51, parent = 0x7f68e01786b0, color = -536637472}, ep_link = {le_next = 0x616e7a, le_prev = 0x31}, episode = 0x7f68e008cd80, sl_link = {le_next = 0x7f68e0000098, le_prev = 0x0}, serieslink = 0x0, channel = 0x50} #4 _eit_callback (mt=0x7f68fc488160, ptr=0x7f68fc4881d6 ":\231\341\177", len=473, tableid=79) at src/epggrab/module/eit.c:724 724 if ((r = _eit_process_event(mod, tableid, sect, svc, ptr, len, No symbol "ilm" in current context. No symbol "ilm" in current context. #4 _eit_callback (mt=0x7f68fc488160, ptr=0x7f68fc4881d6 ":\231\341\177", len=473, tableid=79) at src/epggrab/module/eit.c:724 724 if ((r = _eit_process_event(mod, tableid, sect, svc, ptr, len, A syntax error in expression, near `'. #0 strlen () at ../sysdeps/x86_64/strlen.S:106 No locals. 
#1 0x00007f7a925a871e in __GI___strdup (s=0x0) at strdup.c:41 len = <optimized out> new = <optimized out> #2 0x00007f7a94fd22a3 in iptv_auto_network_process_m3u_item (in=in@entry=0x7f7a9980a4b0, last_url=last_url@entry=0x7f7a542b7561 "get.php", remove_args=remove_args@entry=0x7f7a88ff84c0, chnum=<optimized out>, chnum@entry=0, item=<optimized out>, total=total@entry=0x7f7a88ff84b8, count=count@entry=0x7f7a88ff84bc) at src/input/mpegts/iptv/iptv_auto.c:244 conf = <optimized out> f = <optimized out> mm = 0x7f7a99881170 im = 0x7f7a99881170 u = {scheme = 0x7f7a5427e120 "http", user = 0x0, pass = 0x0, host = 0x7f7a5427ffa0 "XXXXXXXXX", port = 8711, path = 0x7f7a5419cee0 "XXXXXXXXX/3476.ts", query = 0x0, frag = 0x0, raw = 0x7f7a545a4480 "XXXXXXXXX/3476.ts"} change = 1 args = {tqh_first = 0x0, tqh_last = 0x7f7a88ff7f20} ra1 = <optimized out> ra2 = <optimized out> ra2_next = <optimized out> q = {hq_q = {tqh_first = 0x2, tqh_last = 0x7f7a00000032}, hq_size = 2298445728, hq_maxsize = 32634} l = <optimized out> chnum2 = <optimized out> url = <optimized out> name = <optimized out> logo = <optimized out> epgid = <optimized out> tags = 0x0 url2 = "XXXXXXXXX/3476.ts\000\000\000\000\000\000\000\001\177\000w\205\200\377\377\006\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\061\000\000\000\000\000\000\000\000\201\377\210z\177", '\000' <repeats 14 times>, "[", '\000' <repeats 19 times>, "n\000\000\000w", '\000' <repeats 11 times>, "\377\200\377\210z\177\000\000|\000\000\000\000\000\000\000P\201\377\210z\177\000\000|\000\000\000\000\000\000\000\260^+Tz\177\000\000\000\000\000\000\000\000\000\000"... 
custom = "\000}\000w\205\200\377\377\002\000\000\000\374\212\342\354\000\000\000\000\000\000\000\000\060\000\000\000\000\000\000\000\300\202\377\210z\177", '\000' <repeats 14 times>, "[", '\000' <repeats 19 times>, "n\000\000\000w", '\000' <repeats 11 times>, "\277\202\377\210z\177\000\000|\000\000\000z\177\000\000\300&Z\222z\177\000\000\000\000\000\000z\177\000\000@>\271\231z\177\000\000\071>\271\231z\177\000\000\214\360\v\224z\177\000\000pr\f\224z\177\000\000 \000\000Tz\177\000\000B\000\000\000\000\000\000\000 \000\000Tz\177\000\000p \000\000\000\000\000\000@\020\000Tz\177\000\000p\203\377\210z\177", '\000' <repeats 18 times>... name2 = "get.php - -------- UK Sports ---------\000-----\000\000\000\000\001\000\000\000\000\000\000\000.\000\000\000\000\000\000\000`\200\377\210z\177\000\000\"\000\000\000\000\000\000\000p\200\377\210[\000\000\000\036", '\000' <repeats 15 times>, "\030\000\000\000\000\000\000\000\240\000\000\000\000\000\000\000\017\000\000\000\000\000\000" buf = "\001\000\000\000\000\000\000\000U\000\000\000\000\000\000\000\321\177\000w\205\200\377\377K\000\000\000\000\000\000" n = 0x7f7a88ff7fc0 "get.php - -------- UK Sports ---------" #3 0x00007f7a94fd292a in iptv_auto_network_process_m3u (chnum=0, remove_args=0x7f7a88ff84c0, host_url=<optimized out>, last_url=0x7f7a542b7561 "get.php", data=<optimized out>, in=0x7f7a9980a4b0) at src/input/mpegts/iptv/iptv_auto.c:316 count = 0 m = 0x7f7a54001040 ret = 0 total = 775 items = <optimized out> item = <optimized out> f = 0x7f7a5401d0b0 #4 iptv_auto_network_process (aux=<optimized out>, last_url=0x7f7a542b7561 "get.php", host_url=<optimized out>, data=<optimized out>, len=<optimized out>) at src/input/mpegts/iptv/iptv_auto.c:363 ap = <optimized out> in = 0x7f7a9980a4b0 mm = <optimized out> mm2 = <optimized out> r = -1 count = <optimized out> n = <optimized out> i = <optimized out> remove_args = {tqh_first = 0x7f7a542b6620, tqh_last = 0x7f7a542b6640} argv = {0x7f7a98aa5b40 "ticket", 0x7f7a583762e0 "", 
0x7f7a88ff8aa0 "\360b7Xz\177", 0x7f7a583762e0 "", 0x7f7a88ff8630 "itle=\"XXXXXXXXX/8480.mp4", 0x7f7a88ff99c0 "\300\251\177\211z\177", 0x7f7a88ff9700 "", 0x7f7a94edc6b8 <_tvhlog+120> "H\201\304", <incomplete sequence \330>, 0x7f7a88ff8630 "itle=\"XXXXXXXXX/8480.mp4", 0xe1a9480cff7a7700 <error: Cannot access memory at address 0xe1a9480cff7a7700>} #5 0x00007f7a94f3006a in download_fetch_complete (hc=0x7f7a583762e0) at src/download.c:123 dn = 0x7f7a9973f548 last_url = 0x7f7a542b7561 "get.php" u = {scheme = 0x7f7a54000c40 "http", user = 0x0, pass = 0x0, host = 0x7f7a54000c60 "XXXXXXXXX", port = 8711, path = 0x7f7a542b7560 "/get.php", query = 0x7f7a542b7510 "XXXXXXXXX", frag = 0x0, raw = 0x7f7a54001260 "http://XXXXXXXXX&type=m3u_plus&output=mpegts"} #6 0x00007f7a94f2da66 in http_client_finish (hc=hc@entry=0x7f7a583762e0) at src/httpc.c:704 wcmd = <optimized out> res = <optimized out> #7 0x00007f7a94f2e0fb in http_client_run0 (hc=hc@entry=0x7f7a583762e0) at src/httpc.c:1116 buf = 0x7f7a88ff8630 "itle=\"XXXXXXXXX\r\nhttp://XXXXXXXXX/8480.mp4" saveptr = 0x7f7a54009810 "" argv = {0x7f7a540096d0 "HTTP/1.1", 0x7f7a540096d9 "200", 0x7f7a540096dd "OK"} d = <optimized out> p = <optimized out> ver = <optimized out> res = <optimized out> delimsize = <optimized out> r = <optimized out> len = <optimized out> #8 0x00007f7a94f2e9a4 in http_client_run (hc=hc@entry=0x7f7a583762e0) at src/httpc.c:1180 r = <optimized out> #9 0x00007f7a94f2eacb in http_client_thread (p=<optimized out>) at src/httpc.c:1442 n = <optimized out> ev = {fd = 0, events = 1, data = {ptr = 0x7f7a583762e0, u64 = 140163442762464, u32 = 1480024800, fd = 1480024800}} hc = 0x7f7a583762e0 c = 0 '\000' #10 0x00007f7a94ee5792 in thread_wrapper (p=0x7f7a977abf50) at src/wrappers.c:159 ts = 0x7f7a977abf50 set = {__val = {16388, 0 <repeats 15 times>}} r = <optimized out> #11 0x00007f7a93638184 in start_thread (arg=0x7f7a88ff9700) at pthread_create.c:312 __res = <optimized out> pd = 0x7f7a88ff9700 now = <optimized out> 
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140164261189376, -8086493907563697208, 0, 0, 140164261190080, 140164261189376, 8156600968642702280, 8156624092969315272}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = <optimized out> pagesize_m1 = <optimized out> sp = <optimized out> freesize = <optimized out> __PRETTY_FUNCTION__ = "start_thread" #12 0x00007f7a9261a37d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 No locals.
It seems to me that tvh tries to get EPG data from an IPTV VOD file.
Removing the whole iptv network solves this issue temporarily.
Files
History
Updated by Jaroslav Kysela almost 8 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset commit:tvheadend|3654c98e2a376480f16a56daa368c8b8b71b32ed.
Updated by Jaroslav Kysela almost 8 years ago
- Status changed from Fixed to Accepted
Only the clang-reported issue is fixed in v4.1-2371-g3654c98 (two different things are reported). Could you reproduce the second issue with clang?
Updated by C K almost 8 years ago
Really? Looked the same for me :-)
Okay will recompile with clang
Updated by C K almost 8 years ago
Still an issue, see attached gdb.txt
Updated by Jaroslav Kysela almost 8 years ago
Does the clang sanitizer not report anything for this? Also, provide a log for '--trace epg,tbl-eit' (the last 5000 lines prior to the crash).
Updated by C K almost 8 years ago
Jaroslav Kysela wrote:
Does the clang sanitizer not report anything for this? Also, provide a log for '--trace epg,tbl-eit' (the last 5000 lines prior to the crash).
Sorry perexg my fault, will compile with clang next time
Updated by C K almost 8 years ago
- File crash_screen.log crash_screen.log added
- File 4134_first10000.log 4134_first10000.log added
clang log and last 10'000 lines of trace
Updated by C K almost 8 years ago
C K wrote:
clang log and last 10'000 lines of trace
I think this does not relate to the issue. Never mind, it would be cool to see this fixed. The full trace log is 16GB.
Updated by C K almost 8 years ago
Crash:
2016-12-16 23:10:01.798 [ INFO] mpegts: get.php - Boardwalk.Empire.S05E05 in IPTV: KingIPTV - tuning on IPTV 2016-12-16 23:10:01.836 [ INFO] epggrab: get.php - Boardwalk.Empire.S05E05 in IPTV: KingIPTV - registering mux for OTA EPG 2016-12-16 23:10:01.861 [ INFO] subscription: 0129: "scan" subscribing to mux "get.php - Boardwalk.Empire.S05E05", weight: 5, adapter: "IPTV", network: "IPTV: KingIPTV", service: "Raw PID Subscription" ================================================================= ==1539==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f57af903d40 at pc 0x7f57bbcf1da6 bp 0x7f57af903c10 sp 0x7f57af903be8 READ of size 39 at 0x7f57af903d40 thread T4 (tvh:save) #0 0x7f57bbcf1da5 in __interceptor_strlen (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4d1da5) #1 0x7f57bc00fb6e in htsmsg_add_str /home/waldmeister/src/tvheadend/src/htsmsg.c:357 #2 0x7f57bbdb4939 in prop_read_value /home/waldmeister/src/tvheadend/src/prop.c:342 #3 0x7f57bbdb16b4 in prop_read_values /home/waldmeister/src/tvheadend/src/prop.c:377 #4 0x7f57bbd806fd in idnode_read0 /home/waldmeister/src/tvheadend/src/idnode.c:1218 #5 0x7f57bc39e97d in dvr_entry_class_save /home/waldmeister/src/tvheadend/src/dvr/dvr_db.c:2189 #6 0x7f57bbd7e424 in idnode_savefn /home/waldmeister/src/tvheadend/src/idnode.c:1130 #7 0x7f57bbd99ad8 in save_thread /home/waldmeister/src/tvheadend/src/idnode.c:1901 #8 0x7f57bbdd30f2 in thread_wrapper /home/waldmeister/src/tvheadend/src/wrappers.c:159 #9 0x7f57ba111183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183) #10 0x7f57b88b437c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c) Address 0x7f57af903d40 is located in stack of thread T4 (tvh:save) at offset 128 in frame #0 0x7f57bc00f90f in htsmsg_add_str /home/waldmeister/src/tvheadend/src/htsmsg.c:355 This frame has 4 object(s): [32, 40) '' [96, 104) '' [160, 168) '' <== Memory access at offset 128 partially underflows this variable [224, 232) 'f' HINT: this may be a false positive if your 
program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) Thread T4 (tvh:save) created by T0 here: #0 0x7f57bbcefdb2 in pthread_create (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cfdb2) #1 0x7f57bbdd2b0b in tvhthread_create /home/waldmeister/src/tvheadend/src/wrappers.c:177 #2 0x7f57bbd99442 in idnode_init /home/waldmeister/src/tvheadend/src/idnode.c:1950 #3 0x7f57bbd2b3de in main /home/waldmeister/src/tvheadend/src/main.c:1160 #4 0x7f57b87dbf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strlen Shadow bytes around the buggy address: 0x0feb75f18750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb75f18760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb75f18770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb75f18780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb75f18790: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 =>0x0feb75f187a0: f2 f2 f2 f2 00 f4 f4 f4[f2]f2 f2 f2 00 f4 f4 f4 0x0feb75f187b0: f2 f2 f2 f2 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 0x0feb75f187c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb75f187d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb75f187e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb75f187f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==1539==ABORTING
Updated by C K almost 8 years ago
- File 4134-6_100000lines.log 4134-6_100000lines.log added
- File crash_on_start.log crash_on_start.log added
Now tvh crashes on start. See attached files with --trace epg,tbl-eit and clang summary.
Updated by C K almost 8 years ago
- File 4134-7.short.log 4134-7.short.log added
Attached a log with --trace all
Updated by Jaroslav Kysela almost 8 years ago
Please apply the patch below and rerun tvh from the command line. What's the last line with 'name = ' before the crash?
diff --git a/src/prop.c b/src/prop.c index fb33d12..0fb61d0 100644 --- a/src/prop.c +++ b/src/prop.c @@ -338,9 +338,11 @@ prop_read_value htsmsg_add_s64(m, name, atomic_get_s64((int64_t *)val)); break; case PT_STR: - if ((s = *(const char **)val)) + if ((s = *(const char **)val)) { + printf("name = '%s', s = %p\n", name, s); htsmsg_add_str(m, name, (optmask & PO_LOCALE) != 0 && lang ? tvh_gettext_lang(lang, s) : s); + } break; case PT_DBL: htsmsg_add_dbl(m, name, *(double*)val);
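Review bot: The diagnostic `printf` added in the `PT_STR` branch writes to stdout, which is fully buffered whenever output is redirected to a file or pipe, so the last 'name = ' line before the sanitizer aborts may never be written, and that is the one line this patch exists to capture. Writing to the unbuffered stream avoids that: `fprintf(stderr, "name = '%s', s = %p\n", name, (const void *)s);`, where the cast is there because `%p` expects a pointer to void. Printing only the pointer and not the string is the right choice here, because the earlier sanitizer report shows the out-of-bounds read happening in `strlen` under `htsmsg_add_str`, called from this branch. `prop_read_value` starts and ends outside the hunk.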
Updated by C K almost 8 years ago
Crash on exit (Ctrl-C in a screen session):
2016-12-18 18:07:45.895 [ INFO] mpegts: get.php - UK: Sky Sports F1 in IPTV: PlanetIPTV..cs (0x6190010d9c80) - deleting 2016-12-18 18:07:45.895 [ ERROR] mpegts: log buffer full 2016-12-18 18:07:53.562 [ INFO] subscription: 03B3: "DVR: American Dad" unsubscribing from "{name-not-set}" name = 'channel', s = 0x7fa003c99890 name = 'channelname', s = 0x603003563230 name = 'config_name', s = 0x7fa003c99890 name = 'owner', s = 0x6020009fcff0 name = 'creator', s = 0x6020009fd010 name = 'autorec', s = 0x7fa003c99890 name = 'timerec', s = 0x7fa001e573a0 name = 'parent', s = 0x7fa001e573a0 name = 'child', s = 0x7fa001e573a0 name = 'comment', s = 0x604002cdd310 2016-12-18 18:07:54.292 [ INFO] capmt: rpi2-1 inactive 2016-12-18 18:07:54.325 [ INFO] capmt: rpi2-1: mode 5 IP address 192.168.178.37 port 9000 destroyed ================================================================= ==6510==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160006f3780 at pc 0x7fa00075f1b0 bp 0x7fffc39ae470 sp 0x7fffc39ae468 WRITE of size 8 at 0x6160006f3780 thread T0 ==6510==WARNING: Can't read from symbolizer at fd 3 #0 0x7fa00075f1af in channel_delete /home/waldmeister/src/tvheadend/src/channels.c:1065 #1 0x7fa00076a8e4 in channel_done /home/waldmeister/src/tvheadend/src/channels.c:1172 #2 0x7fa00054b055 in main /home/waldmeister/src/tvheadend/src/main.c:1297 #3 0x7f9ffcff8f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #4 0x7fa000533a3c in _start (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4f6a3c) 0x6160006f3780 is located 256 bytes inside of 552-byte region [0x6160006f3680,0x6160006f38a8) freed by thread T0 here: #0 0x7fa00051d7d9 in __interceptor_free (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4e07d9) #1 0x7fa000766f15 in channel_delete /home/waldmeister/src/tvheadend/src/channels.c:1092 #2 0x7fa00076a8e4 in channel_done /home/waldmeister/src/tvheadend/src/channels.c:1172 #3 0x7fa00054b055 in main /home/waldmeister/src/tvheadend/src/main.c:1297 #4 
0x7f9ffcff8f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) previously allocated by thread T0 here: #0 0x7fa00051da29 in calloc (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4e0a29) #1 0x7fa000767be0 in channel_init /home/waldmeister/src/tvheadend/src/channels.c:1146 #2 0x7fa000549357 in main /home/waldmeister/src/tvheadend/src/main.c:1202 #3 0x7f9ffcff8f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) SUMMARY: AddressSanitizer: heap-use-after-free /home/waldmeister/src/tvheadend/src/channels.c:1065 channel_delete Shadow bytes around the buggy address: 0x0c2c800d66a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c800d66b0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa 0x0c2c800d66c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c800d66d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c800d66e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c2c800d66f0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c800d6700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c800d6710: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa 0x0c2c800d6720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c800d6730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c800d6740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==6510==ABORTING
Updated by Jaroslav Kysela almost 8 years ago
I believe that the last one is fixed in v4.1-2390-gdc9238e . Thanks.