Bug #4749

TVheadend crashes when switching to a powervu channel

Added by Eric Dec almost 7 years ago. Updated almost 7 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: Descrambling
Target version: -
Start date: 2017-11-28
Due date:
% Done: 100%
Estimated time:
Found in version: 4.3-710~g41624278b
Affected Versions:

Description

First of all, this is the first time I am trying to use tvheadend with powervu. I used it in the past with a Viaccess smartcard with no issue.
Versions are:
tvheadend : 4.3-710~g41624278b
oscam build r11392 with OSCam-Emu version 758
On Ubuntu 17.10 PC 64 bits.

My oscam.conf looks like:

[streamrelay]
stream_relay_enabled = 0

[dvbapi]
enabled = 1
pmt_mode = 4
listen_port = 9001
delayer = 80
user = dummy
boxtype = pc
extended_cw_api = 1

I have configured CA tvheadend with:
OSCam net protocol (rev >= 10389) and Extended (OE 2.2)

When I switch to a channel on 9 east with powervu encryption, tvheadend crashes.
Can you help?
Thanks.


Files

gdb.txt (6.13 KB) gdb.txt Eric Dec, 2017-11-28 22:50
tvh3.log (1.31 KB) tvh3.log Eric Dec, 2017-11-28 22:51
oscam.log (14.2 KB) oscam.log Eric Dec, 2017-11-28 22:55
2017_11_29_tvh_01.log (335 KB) 2017_11_29_tvh_01.log Eric Dec, 2017-11-29 09:20
2017_11_29_ocam_01.log (7.05 KB) 2017_11_29_ocam_01.log Eric Dec, 2017-11-29 09:20
2017_11_29_gdb_01.log (6.63 KB) 2017_11_29_gdb_01.log Eric Dec, 2017-11-29 09:20
2017_11_29_gdb_02.log (5.59 KB) 2017_11_29_gdb_02.log Eric Dec, 2017-11-29 12:20
2017_11_29_tvh_02.log (137 KB) 2017_11_29_tvh_02.log Eric Dec, 2017-11-29 12:20
2017_11_29_ocam_02.log (162 KB) 2017_11_29_ocam_02.log Eric Dec, 2017-11-29 12:21
tvhlog.txt (18 KB) tvhlog.txt Joe User, 2017-11-30 21:28
2017_12_01_Oscam.log (27 KB) 2017_12_01_Oscam.log Eric Dec, 2017-12-01 10:26
2017_12_01_tvh_01.log (25 KB) 2017_12_01_tvh_01.log Eric Dec, 2017-12-01 10:26
2017_12_01_gdb.log (6.59 KB) 2017_12_01_gdb.log Eric Dec, 2017-12-01 10:26
tvhlog_2.txt (167 KB) tvhlog_2.txt Joe User, 2017-12-01 11:05
tvhserver.log (18.3 KB) tvhserver.log Andrey Orlin, 2017-12-02 10:55

History

#1

Updated by Jaroslav Kysela almost 7 years ago

tvh: --trace descrambler,capmt - https://tvheadend.org/projects/tvheadend/wiki/Traces
oscam: enable log level 128

#2

Updated by Eric Dec almost 7 years ago

Jaroslav Kysela wrote:

tvh: --trace descrambler,capmt - https://tvheadend.org/projects/tvheadend/wiki/Traces
oscam: enable log level 128

Find the 3 logs attached (stamped with today's date, 29 Nov).
Thanks in advance.
(You can ignore the DiSEqC issues at the beginning of the log; there was a problem with a cable that I fixed afterwards.)

#3

Updated by Jaroslav Kysela almost 7 years ago

Could you retest with v4.3-720-g3af771188 ? The commit https://github.com/tvheadend/tvheadend/commit/1db6a4c39fed19f3525ab97e77182797d23a8407 should fix this issue.

#4

Updated by Eric Dec almost 7 years ago

Jaroslav Kysela wrote:

Could you retest with v4.3-720-g3af771188 ? The commit https://github.com/tvheadend/tvheadend/commit/1db6a4c39fed19f3525ab97e77182797d23a8407 should fix this issue.

I copy/paste descrambler.c and rebuilt tvheadend with make command.
I still get a crash, find logs attached (all suffixed with 02).
(is there a better way to get descrambler.c rather than clicking on "raw", select all and copy/paste?)
Thanks again.

#5

Updated by Joe User almost 7 years ago

Not sure if it is the problem, but the caPMT does not match the real PMT and so oscam ends up sending index 6 and 7 whereas Tvheadend sent only 5 pids in the caPMT

11:10:53 60B87671 c   (dvbapi) capmt:
11:10:53 60B87671 c   (dvbapi)   03 00 05 01 00 19 01 82 02 00 00 81 08 00 00 00 
11:10:53 60B87671 c   (dvbapi)   00 00 01 00 09 84 02 13 8D 09 04 0E 00 17 75 02 
11:10:53 60B87671 c   (dvbapi)   06 18 00 00 04 05 F0 00 00 04 05 F2 00 00 04 05 
11:10:53 60B87671 c   (dvbapi)   FA 00 00 04 05 FC 00 00 
11:10:53 60B87671 c   (dvbapi) Receiver sends PMT command 3 for channel 0005
11:10:53 60B87671 c   (dvbapi) Receiver wants to demux srvid 0005 on adapter 0000 camask 0001 index 0000 pmtpid 0000
11:10:53 60B87671 c   (dvbapi) Demuxer 0 try to start new filter for caid: 0001, provid: 000001, pid: 0000
11:10:53 60B87671 c   (dvbapi) Sending packet to dvbapi client (fd=10):
11:10:53 60B87671 c   (dvbapi)   40 3C 6F 2B 00 00 00 00 00 00 00 00 00 00 00 00 
11:10:53 60B87671 c   (dvbapi)   00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 
11:10:53 60B87671 c   (dvbapi)   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
11:10:53 60B87671 c   (dvbapi)   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
11:10:53 60B87671 c   (dvbapi)   04 
11:10:53 60B87671 c   (dvbapi) Demuxer 0 Filter 1 started successfully (caid 0001 provid 000001 pid 0000)
11:10:53 60B87671 c   (dvbapi) Demuxer 0 found pmt type: 81 length: 8 (assuming enigma private descriptor: namespace 0000 tsid 01 onid 09)
11:10:53 60B87671 c   (dvbapi) Demuxer 0 ecmpid 0 CAID: 0E00 ECM_PID: 1775 PROVID: 000000 
11:10:53 60B87671 c   (dvbapi) Demuxer 0 stream Videostream (MPEG-2)(type: 02 pid: 0618 length: 0)
11:10:53 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f0 length: 0)
11:10:53 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f2 length: 0)
11:10:53 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fa length: 0)
11:10:53 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fc length: 0)
11:10:53 60B87671 c   (dvbapi) Demuxer 0 found 1 ECMpids and 5 STREAMpids in caPMT

11:10:54 60B87671 c   (dvbapi) pmt:
11:10:54 60B87671 c   (dvbapi)   02 B0 71 00 05 C3 00 00 E6 18 F0 0C 0F 04 53 41 
11:10:54 60B87671 c   (dvbapi)   50 53 09 04 0E 00 17 75 02 E6 18 F0 0A 86 08 1E 
11:10:54 60B87671 c   (dvbapi)   00 00 00 00 00 00 00 04 E5 F0 F0 00 04 E5 F2 F0 
11:10:54 60B87671 c   (dvbapi)   00 04 E5 FA F0 00 04 E5 FC F0 00 85 E4 28 F0 00 
11:10:54 60B87671 c   (dvbapi)   89 FB 6A F0 0B FE 09 12 02 3D 00 00 00 00 00 00 
11:10:54 60B87671 c   (dvbapi)   89 FB 71 F0 0B FE 09 19 02 14 00 00 00 00 00 00 
11:10:54 60B87671 c   (dvbapi)   89 FB 6F F0 0B FE 09 17 03 33 00 00 00 00 00 00 
11:10:54 60B87671 c   (dvbapi)   A5 EE 6E 4F 
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Videostream (MPEG-2)(type: 02 pid: 0618 length: 10)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f0 length: 0)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f2 length: 0)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fa length: 0)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fc length: 0)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Audiostream (DTS 8)(type: 85 pid: 0428 length: 0)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Reserved(type: 89 pid: 1b6a length: 11)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 stream Reserved(type: 89 pid: 1b71 length: 11)
11:10:54 60B87671 c   (dvbapi) Demuxer 0 found 1 ECMpids and 8 STREAMpids in PMT

I cheated when I wrote my code and stopped Tvheadend from sending the real PMT. This was especially useful when I use audio stream filters to only use the audio track I want (blocked the radio tracks...) For example for this channel I set the audio stream filter to use pid 1520 exclusively...

BTW - probably best to just do a "git pull" to get all the changes.

#6

Updated by Joe User almost 7 years ago

Also, older versions of oscam-emu did not parse all the PMT pids and would have matched the caPMT. But I am sorry I do not recall when it was changed.

#7

Updated by Eric Dec almost 7 years ago

Joe User wrote:

Also, older versions of oscam-emu did not parse all the PMT pids and would have matched the caPMT. But I am sorry I do not recall when it was changed.

Anything I can do to help?

#8

Updated by Joe User almost 7 years ago

If you are using the latest oscam-emu patch, you can try setting "Max pids for extended CWs" to 5 (under config/DVB-api) and see if that helps.

#9

Updated by Eric Dec almost 7 years ago

Joe User wrote:

If you are using the latest oscam-emu patch, you can try setting "Max pids for extended CWs" to 5 (under config/DVB-api) and see if that helps.

I have searched documentation, not too sure how to do that? What is the parameter name?

#10

Updated by Eric Dec almost 7 years ago

Eric Dec wrote:

Joe User wrote:

If you are using the latest oscam-emu patch, you can try setting "Max pids for extended CWs" to 5 (under config/DVB-api) and see if that helps.

I have searched documentation, not too sure how to do that? What is the parameter name?

Ok, I found the parameter through the Oscam web Gui, I changed it to 5, restarted oscam, but same result, tvheadend is crashing.
Is there another way to get this working? Using the stream-relay? I found a post from yourself about that, but would I be able to use the latest tvheadend and latest oscam?

#11

Updated by Joe User almost 7 years ago

I am usually running my own version of Tvheadend because it has been quite stable and it includes some changes that I made for myself which are probably of no use to anyone else.

I tested the official version a few months ago and it was working with powervu, but today I tried the latest version from git and while it did not crash, it was not descrambling the channels. I ran it from valgrind and it did crash with the following errors:

==16655==
==16655== Process terminating with default action of signal 11 (SIGSEGV)
==16655==  Bad permissions for mapped region at address 0x0
==16655==    at 0x0: ???
==16655==    by 0x3C79B5: key_find_struct (descrambler.c:941)
==16655==    by 0x3CA3E6: descrambler_descramble (descrambler.c:1043)
==16655==    by 0x3D3D09: ts_recv_packet1 (tsdemux.c:340)
==16655==    by 0x3D1007: mpegts_input_process (mpegts_input.c:1419)
==16655==    by 0x3D1007: mpegts_input_thread (mpegts_input.c:1553)
==16655==    by 0x3239E3: thread_wrapper (wrappers.c:161)
==16655==    by 0x69D50A3: start_thread (pthread_create.c:309)
==16655==    by 0xBAE987C: clone (clone.S:111)
==16655==
==16655== HEAP SUMMARY:
==16655==     in use at exit: 20,723,906 bytes in 184,420 blocks
==16655==   total heap usage: 946,891 allocs, 762,471 frees, 248,752,049 bytes allocated
==16655==
==16655== LEAK SUMMARY:
==16655==    definitely lost: 6,479 bytes in 15 blocks
==16655==    indirectly lost: 549 bytes in 7 blocks
==16655==      possibly lost: 13,376 bytes in 38 blocks
==16655==    still reachable: 20,703,502 bytes in 184,360 blocks
==16655==         suppressed: 0 bytes in 0 blocks
==16655== Rerun with --leak-check=full to see details of leaked memory
==16655==
==16655== For counts of detected and suppressed errors, rerun with: -v
==16655== Use --track-origins=yes to see where uninitialised values come from
==16655== ERROR SUMMARY: 57 errors from 2 contexts (suppressed: 0 from 0)
==16655== could not unlink /tmp/vgdb-pipe-from-vgdb-to-16655-by-root-on-???
==16655== could not unlink /tmp/vgdb-pipe-to-vgdb-from-16655-by-root-on-???
==16655== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-16655-by-root-on-???

Sorry I do not have time to debug right now, but will try to look at it later.

#12

Updated by Jaroslav Kysela almost 7 years ago

Did you test v4.3-733-g295288821 ? There's another update for this issue.

#13

Updated by Joe User almost 7 years ago

Yes, I did a new clone tonight.

It looks like "key_find_struct" is crashing when it is called for pid 0.
I also see it is called for pid 18.
It should only be called for the video/audio pids I assume???

Sorry, I have not kept up with your new code and this section is new since I forked...

I just did some quick printf for debug:

static th_descrambler_key_t *
key_find_struct( th_descrambler_runtime_t *dr,
                 th_descrambler_key_t *tk_old,
                 const uint8_t *tsb,
                 service_t *t )
{
  th_descrambler_key_t *tk;
  int i, pid = extractpid(tsb);
  for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) {
    printf ("xx i == %d   pid  = %d \n",i,pid);
    tk = &dr->dr_keys[i];
    if (tk->key_pid == pid) {
      printf ("xxxx         i == %d   pid  = %d \n",i,pid);
      if (tk != tk_old && tk_old) {
        /* braces keep csa_flush inside the if now that a printf precedes it */
        printf ("xxxxxxx                 i == %d   pid  = %d \n",i,pid);
        tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
      }
      return tk;
    }
  }
  return NULL;
}

Output:

#14

Updated by Joe User almost 7 years ago

BTW - I set an audio filter to exclusively use pid 1520, that is why only pids 1560 and 1520 appear.
But, it crashes with or without the filter.

#15

Updated by Joe User almost 7 years ago

So I had it return null if pid == 0, and it still crashes.
But if I just comment out the failing line, it runs ok...

     //   tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);

#16

Updated by Joe User almost 7 years ago

Ok, last comment tonight (need to concentrate on other things...)
After changing channels a few times, it did crash on pid == 0 even with the failing line commented out.
Sorry don't have time to debug further.

#17

Updated by Jaroslav Kysela almost 7 years ago

Another little fix is in v4.3-734-g4433c27d8. The tk_old should be zero for PIDs which are not descrambled. And the point is, if ((tsb[3] & 0x80) == 0) (scrambling bit is not set), key_find_struct() should not be called. The function ts_recv_packet0/ts_recv_packet2 should be called instead.

#18

Updated by Eric Dec almost 7 years ago

Jaroslav Kysela wrote:

Another little fix is in v4.3-734-g4433c27d8. The tk_old should be zero for PIDs which are not descrambled. And the point is, if ((tsb[3] & 0x80) == 0) (scrambling bit is not set), key_find_struct() should not be called. The function ts_recv_packet0/ts_recv_packet2 should be called instead.

I downloaded the whole tvheadend 4.3.734, recompiled, and it is crashing as well.
Find logs attached.
Thanks.

#19

Updated by Joe User almost 7 years ago

still crashes:

==27596== Thread 36 tvh:mi-main:
==27596== Jump to the invalid address stated on the next line
==27596==    at 0x0: ???
==27596==    by 0x3C7955: key_find_struct (descrambler.c:941)
==27596==    by 0x3CA381: descrambler_descramble (descrambler.c:1043)
==27596==    by 0x3D3C99: ts_recv_packet1 (tsdemux.c:340)
==27596==    by 0x3D0F97: mpegts_input_process (mpegts_input.c:1419)
==27596==    by 0x3D0F97: mpegts_input_thread (mpegts_input.c:1553)
==27596==    by 0x323983: thread_wrapper (wrappers.c:161)
==27596==    by 0x69D50A3: start_thread (pthread_create.c:309)
==27596==    by 0xBAE987C: clone (clone.S:111)
==27596==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==27596==
2017-12-01 10:30:00.260 [  ALERT] CRASH: Signal: 11 in PRG: /home/builder/tvheadend_official/tvheadend/build.linux/tvheadend (4.3-734~g4433c27) [a1fdbc4a4a4a785e765171a3bed458a17e5987f3] CWD: /root
2017-12-01 10:30:00.261 [  ALERT] CRASH: Fault address (nil) (Access error)
2017-12-01 10:30:00.262 [  ALERT] CRASH: Loaded libraries: /usr/lib/valgrind/vgpreload_core-amd64-linux.so /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so /usr/lib/libdvben50221.so /usr/lib/libdvbapi.so /usr/lib/libucsi.so /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libpcre.so.3 /usr/lib/liburiparser.so.1 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 /lib/x86_64-linux-gnu/libdbus-1.so.3 /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/librt.so.1 /usr/lib/x86_64-linux-gnu/libvdpau.so.1 /usr/lib/x86_64-linux-gnu/libX11.so.6 /usr/lib/x86_64-linux-gnu/libxcb.so.1 /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0 /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0 /usr/lib/x86_64-linux-gnu/libasound.so.2 /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/lib/x86_64-linux-gnu/libx264.so.148 /usr/lib/
2017-12-01 10:30:00.263 [  ALERT] CRASH: Register dump [23]: 0000000000000618000000000000061800000000000002f00000000000000000000000001b0b00f00000000000000000000000001b602131000000001b5ff7f0000000001b5ff81000000000158e7b6000000000000000bc000000001b5ff6a00000000000000000000000001b5ff7f000000000158e7b60000000001f4075780000000000000000000000000000008100000000000000000000000000000000000000000000000000000000000000000000000000000000
2017-12-01 10:30:00.263 [  ALERT] CRASH: STACKTRACE
2017-12-01 10:30:00.340 [  ALERT] CRASH: /home/builder/tvheadend_official/tvheadend/src/trap.c:148 0x35e19a 0x108000
==27596==
==27596== Process terminating with default action of signal 11 (SIGSEGV)
==27596==  Bad permissions for mapped region at address 0x0
==27596==    at 0x0: ???
==27596==    by 0x3C7955: key_find_struct (descrambler.c:941)
==27596==    by 0x3CA381: descrambler_descramble (descrambler.c:1043)
==27596==    by 0x3D3C99: ts_recv_packet1 (tsdemux.c:340)
==27596==    by 0x3D0F97: mpegts_input_process (mpegts_input.c:1419)
==27596==    by 0x3D0F97: mpegts_input_thread (mpegts_input.c:1553)
==27596==    by 0x323983: thread_wrapper (wrappers.c:161)
==27596==    by 0x69D50A3: start_thread (pthread_create.c:309)
==27596==    by 0xBAE987C: clone (clone.S:111)
==27596==
==27596== HEAP SUMMARY:
==27596==     in use at exit: 19,497,618 bytes in 177,730 blocks
==27596==   total heap usage: 1,093,839 allocs, 916,109 frees, 296,925,147 bytes allocated
==27596==
==27596== LEAK SUMMARY:
==27596==    definitely lost: 7,019 bytes in 23 blocks
==27596==    indirectly lost: 6,000 bytes in 6 blocks
==27596==      possibly lost: 15,488 bytes in 44 blocks
==27596==    still reachable: 19,469,111 bytes in 177,657 blocks
==27596==         suppressed: 0 bytes in 0 blocks
==27596== Rerun with --leak-check=full to see details of leaked memory
==27596==
==27596== For counts of detected and suppressed errors, rerun with: -v
==27596== Use --track-origins=yes to see where uninitialised values come from
==27596== ERROR SUMMARY: 57 errors from 2 contexts (suppressed: 0 from 0)
==27596== could not unlink /tmp/vgdb-pipe-from-vgdb-to-27596-by-root-on-???
==27596== could not unlink /tmp/vgdb-pipe-to-vgdb-from-27596-by-root-on-???
==27596== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-27596-by-root-on-???
Killed

It is crashing on

tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);

even with pids which are scrambled.

With these printfs:

  for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) {
    tk = &dr->dr_keys[i];
    if (tk->key_pid == pid) {
printf ("xxxx         i == %d    tk->key_pid == %d   pid  = %d \n",i,tk->key_pid,pid);
      if (tk != tk_old && tk_old) {
printf ("xxxxxxx                 i == %d   tk->key_pid == %d  pid  = %d \n",i,tk->key_pid,pid);
fflush(stdout);
        tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
      }
      return tk;
    }
  }
  return NULL;

this is the end of the output:

xxxx         i == 0    tk->key_pid == 1560   pid  = 1560
xxxx         i == 0    tk->key_pid == 1560   pid  = 1560
xxxx         i == 0    tk->key_pid == 1560   pid  = 1560
xxxx         i == 2    tk->key_pid == 0   pid  = 0
xxxx         i == 0    tk->key_pid == 1560   pid  = 1560
xxxxxxx                 i == 0   tk->key_pid == 1560  pid  = 1560
==30236== Thread 35 tvh:mi-main:
==30236== Jump to the invalid address stated on the next line
==30236==    at 0x0: ???
==30236==    by 0x3C7AA2: key_find_struct (descrambler.c:944)
==30236==    by 0x3CA3F1: descrambler_descramble (descrambler.c:1047)
==30236==    by 0x3D3D09: ts_recv_packet1 (tsdemux.c:340)
==30236==    by 0x3D1007: mpegts_input_process (mpegts_input.c:1419)
==30236==    by 0x3D1007: mpegts_input_thread (mpegts_input.c:1553)
==30236==    by 0x323983: thread_wrapper (wrappers.c:161)
==30236==    by 0x69D50A3: start_thread (pthread_create.c:309)
==30236==    by 0xBAE987C: clone (clone.S:111)
==30236==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==30236==
2017-12-01 10:58:45.685 [  ALERT] CRASH: Signal: 11 in PRG: /home/builder/tvheadend_official/tvheadend/build.linux/tvheadend (4.3-734~g4433c27-dirty) [a1fdbc4a4a4a785e765171a3bed458a17e597f3] CWD: /root
2017-12-01 10:58:45.686 [  ALERT] CRASH: Fault address (nil) (Access error)
2017-12-01 10:58:45.686 [  ALERT] CRASH: Loaded libraries: /usr/lib/valgrind/vgpreload_core-amd64-linux.so /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so /usr/lib/libdvben50221.so /ur/lib/libdvbapi.so /usr/lib/libucsi.so /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libpcreso.3 /usr/lib/liburiparser.so.1 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 /lib/x86_64-linux-gnu/libdbus-1.so.3 /lib/x86_64-linux-gnu/lidl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/librt.so.1 /usr/lib/x86_64-linux-gnu/libvdpau.so.1 /usr/lib/x86_64-linux-gnu/libX11.so. /usr/lib/x86_64-linux-gnu/libxcb.so.1 /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0 /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0 /usr/lib/x86_6-linux-gnu/libasound.so.2 /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/lib/x86_64-linux-gnu/libx264.so.148 /usr/lib/
2017-12-01 10:58:45.687 [  ALERT] CRASH: Register dump [23]: 000000001f207700000000000ba4c99a000000000bda56a00000000000000000000000001518f460000000001518f6100000000000000000000000001518f40000000001518f630000000001583384000000000000006180000000000000000000000000000000000000000000000000000000000000041000000001f206538000000000000000000000000000000440000000000000000000000000000000000000000000000000000000000000000000000000000000
2017-12-01 10:58:45.687 [  ALERT] CRASH: STACKTRACE
2017-12-01 10:58:45.736 [  ALERT] CRASH: /home/builder/tvheadend_official/tvheadend/src/trap.c:148 0x35e19a 0x108000
==30236==
==30236== Process terminating with default action of signal 11 (SIGSEGV)
==30236==  Bad permissions for mapped region at address 0x0
==30236==    at 0x0: ???
==30236==    by 0x3C7AA2: key_find_struct (descrambler.c:944)
==30236==    by 0x3CA3F1: descrambler_descramble (descrambler.c:1047)
==30236==    by 0x3D3D09: ts_recv_packet1 (tsdemux.c:340)
==30236==    by 0x3D1007: mpegts_input_process (mpegts_input.c:1419)
==30236==    by 0x3D1007: mpegts_input_thread (mpegts_input.c:1553)
==30236==    by 0x323983: thread_wrapper (wrappers.c:161)
==30236==    by 0x69D50A3: start_thread (pthread_create.c:309)
==30236==    by 0xBAE987C: clone (clone.S:111)
==30236==
==30236== HEAP SUMMARY:
==30236==     in use at exit: 19,487,998 bytes in 177,730 blocks
==30236==   total heap usage: 1,080,330 allocs, 902,600 frees, 294,128,130 bytes allocated
==30236==
==30236== LEAK SUMMARY:
==30236==    definitely lost: 6,979 bytes in 22 blocks
==30236==    indirectly lost: 5,000 bytes in 5 blocks
==30236==      possibly lost: 15,136 bytes in 43 blocks
==30236==    still reachable: 19,460,883 bytes in 177,660 blocks
==30236==         suppressed: 0 bytes in 0 blocks
==30236== Rerun with --leak-check=full to see details of leaked memory
==30236==
==30236== For counts of detected and suppressed errors, rerun with: -v
==30236== Use --track-origins=yes to see where uninitialised values come from
==30236== ERROR SUMMARY: 57 errors from 2 contexts (suppressed: 0 from 0)
==30236== could not unlink /tmp/vgdb-pipe-from-vgdb-to-30236-by-root-on-???
==30236== could not unlink /tmp/vgdb-pipe-to-vgdb-from-30236-by-root-on-???
==30236== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-30236-by-root-on-???
Killed

Longer output attached.

#20

Updated by Joe User almost 7 years ago

@Eric, if you comment out line 941 of src/descrambler/descrambler.c

//        tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);

then it will work (for at least awhile), but not necessarily fixed. ;)

#21

Updated by Eric Dec almost 7 years ago

Joe User wrote:

@Eric, if you comment out line 941 of src/descrambler/descrambler.c
[...]

then it will work (for at least awhile), but not necessarily fixed. ;)

I commented the line as above, indeed it does not crash, but it does not decode.
(I tried on few releases I had downloaded)
What else could it be? My oscam emu (I also tried the very old one where your change request was implemented)

#22

Updated by Jaroslav Kysela almost 7 years ago

Joe Miller User: you should look at why tk_old->key_csa.csa_flush is NULL. This code should never be reached. The key descramblers including callbacks should be set in descrambler_keys() - tvhcsa_set_type() calls.
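
The two points made in the maintainer's comments above (a packet whose scrambling bit is clear should never reach the key lookup, and a key slot whose callbacks were never set should never be flushed) can be modelled as below. This is an added example, not tvheadend code and not written by anyone in this thread. The demo_* names, the 4-slot table, the zero-filled unused slots and the packet headers are assumptions constructed for illustration.

```c
/* Added illustration, not tvheadend code: reduced model of a per-PID key table.
 * Every demo_* name and every packet header below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_MAX_KEYS 4 /* assumed size; the real DESCRAMBLER_MAX_KEYS is not shown */

typedef struct demo_key {
  int key_pid;                       /* stays 0 in a slot that was never configured */
  void (*flush)(struct demo_key *k); /* stays NULL until the key type is set */
  int flush_count;                   /* number of times flush ran */
} demo_key_t;

typedef struct {
  demo_key_t keys[DEMO_MAX_KEYS];
} demo_runtime_t;

/* Constructed TS headers: sync byte, PID bits 12..8, PID bits 7..0, flags. */
static const uint8_t PKT_VIDEO[4]    = { 0x47, 0x06, 0x18, 0x90 }; /* PID 1560, scrambled */
static const uint8_t PKT_AUDIO[4]    = { 0x47, 0x05, 0xF0, 0x90 }; /* PID 1520, scrambled */
static const uint8_t PKT_PAT[4]      = { 0x47, 0x40, 0x00, 0x10 }; /* PID 0, clear */
static const uint8_t PKT_PID0_SCR[4] = { 0x47, 0x00, 0x00, 0x90 }; /* PID 0, scrambling bit set */

static int demo_extractpid(const uint8_t *tsb) { return ((tsb[1] & 0x1f) << 8) | tsb[2]; }
static int demo_is_scrambled(const uint8_t *tsb) { return (tsb[3] & 0x80) != 0; }
static void demo_flush(demo_key_t *k) { k->flush_count++; }

/* Two configured keys (video, audio); the remaining slots stay zeroed. */
static void demo_init(demo_runtime_t *dr)
{
  for (int i = 0; i < DEMO_MAX_KEYS; i++) {
    dr->keys[i].key_pid = 0;
    dr->keys[i].flush = NULL;
    dr->keys[i].flush_count = 0;
  }
  dr->keys[0].key_pid = 1560;
  dr->keys[0].flush = demo_flush;
  dr->keys[1].key_pid = 1520;
  dr->keys[1].flush = demo_flush;
}

/* Match rule of a bare "key_pid == pid" scan: PID 0 lands on the first zeroed slot. */
static int naive_match(const demo_runtime_t *dr, int pid)
{
  for (int i = 0; i < DEMO_MAX_KEYS; i++)
    if (dr->keys[i].key_pid == pid)
      return i;
  return -1;
}

/* Hardened lookup: clear packets and unconfigured slots never yield a key,
 * and the previous key is flushed only when it has a callback. */
static demo_key_t *safe_lookup(demo_runtime_t *dr, demo_key_t *tk_old,
                               const uint8_t *tsb)
{
  if (tsb[0] != 0x47 || !demo_is_scrambled(tsb))
    return NULL;
  int pid = demo_extractpid(tsb);
  for (int i = 0; i < DEMO_MAX_KEYS; i++) {
    demo_key_t *tk = &dr->keys[i];
    if (tk->flush == NULL || tk->key_pid != pid)
      continue;
    if (tk_old && tk_old != tk && tk_old->flush)
      tk_old->flush(tk_old);
    return tk;
  }
  return NULL;
}

int main(void)
{
  demo_runtime_t dr;
  demo_init(&dr);

  int slot = naive_match(&dr, demo_extractpid(PKT_PID0_SCR));
  printf("bare scan, PID 0 -> slot %d (flush callback %s)\n", slot,
         (slot >= 0 && dr.keys[slot].flush) ? "set" : "NULL");
  printf("safe, clear PAT -> %s\n", safe_lookup(&dr, NULL, PKT_PAT) ? "key" : "no key");
  printf("safe, scrambled PID 0 -> %s\n",
         safe_lookup(&dr, NULL, PKT_PID0_SCR) ? "key" : "no key");

  /* Worst case from the bare scan: the zeroed slot is passed in as tk_old. */
  demo_key_t *stale = slot >= 0 ? &dr.keys[slot] : NULL;
  demo_key_t *tk = safe_lookup(&dr, stale, PKT_VIDEO);
  printf("safe, video after stale tk_old -> PID %d\n", tk ? tk->key_pid : -1);

  tk = safe_lookup(&dr, tk, PKT_AUDIO);
  printf("safe, audio after video -> PID %d, video key flushed %d time(s)\n",
         tk ? tk->key_pid : -1, dr.keys[0].flush_count);
  return 0;
}
```

In this model a bare `key_pid == pid` scan returns the zeroed slot 2 for PID 0, and that slot's callback is NULL; the hardened lookup returns no key for it and skips the flush when such a slot is handed in as the previous key.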

#23

Updated by Joe User almost 7 years ago

Eric Dec wrote:

Joe User wrote:

@Eric, if you comment out line 941 of src/descrambler/descrambler.c
[...]

then it will work (for at least awhile), but not necessarily fixed. ;)

I commented the line as above, indeed it does not crash, but it does not decode.
(I tried on few releases I had downloaded)
What else could it be? My oscam emu (I also tried the very old one where your change request was implemented)

Sorry, I had added brackets after the if statement before to add the printf. It also crashed sometimes for pid == 0 so I ignore that case.
Try this change:

diff --git a/src/descrambler/descrambler.c b/src/descrambler/descrambler.c
index 80dbf24..d247100 100644
--- a/src/descrambler/descrambler.c
+++ b/src/descrambler/descrambler.c
@@ -936,9 +936,10 @@ key_find_struct( th_descrambler_runtime_t *dr,
   int i, pid = extractpid(tsb);
   for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) {
     tk = &dr->dr_keys[i];
-    if (tk->key_pid == pid) {
-      if (tk != tk_old && tk_old)
-        tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
+    if ( pid == 0 ) return NULL;
+    if (tk->key_pid == pid)  {
+     // if (tk != tk_old && tk_old)
+     //   tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
       return tk;
     }
   }
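
Review bot: commenting out the csa_flush call in key_find_struct() drops the flush of the previous key entirely, for every PID, instead of skipping it only when it cannot be made. If the concern is a callback that has not been set, keep the call and test the pointer in the condition, e.g. `if (tk != tk_old && tk_old && tk_old->key_csa.csa_flush)`. The added `if ( pid == 0 ) return NULL;` does not depend on `i`, so it belongs above the `for` loop, with a comment on why PID 0 is rejected here.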
@@ -1035,7 +1036,7 @@ descrambler_descramble ( service_t *t,
       if (len2 == 0)
         goto dd_destroy;
       if ((tsb2[3] & 0x80) == 0) {
-        ts_recv_packet2((mpegts_service_t *)t, tsb2, len2);
+        ts_recv_packet0((mpegts_service_t *)t, st, tsb2, len2);
         goto dd_destroy;
       }
       if (dr->dr_key_multipid) {
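
Review bot: `st` is newly passed to ts_recv_packet0() together with tsb2/len2, but nothing in this hunk shows which packet `st` was resolved for. If `st` describes the packet currently being processed rather than the one held in tsb2, the data is delivered to the wrong elementary stream; please confirm, or look the stream up from the PID in tsb2 before the call. The reason for switching from ts_recv_packet2 to ts_recv_packet0 is also not visible here and deserves a line in the change description.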

Again, this is just a quick hack, not a real solution and may cause other problems (very limited testing - 2-3min...)

#24

Updated by Joe User almost 7 years ago

Jaroslav Kysela wrote:

Joe Miller User: you should look at why tk_old->key_csa.csa_flush is NULL. This code should never be reached. The key descramblers including callbacks should be set in descrambler_keys() - tvhcsa_set_type() calls.

I will try, but probably will not have time to look at it again until next week...

#25

Updated by Eric Dec almost 7 years ago

Joe User wrote:

Eric Dec wrote:

Joe User wrote:

@Eric, if you comment out line 941 of src/descrambler/descrambler.c
[...]

then it will work (for at least awhile), but not necessarily fixed. ;)

I commented the line as above, indeed it does not crash, but it does not decode.
(I tried on few releases I had downloaded)
What else could it be? My oscam emu (I also tried the very old one where your change request was implemented)

Sorry, I had added brackets after the if statement before to add the printf. It also crashed sometimes for pid == 0 so I ignore that case.
Try this change:

[...]

Again, this is just a quick hack, not a real solution and may cause other problems (very limited testing - 2-3min...)

Joe? Guess what? It works!!!!!!!!!!!!!

I made the changes that you show in your message on v4.3-734-g4433c27d8 and I have picture and sound.
Thanks a lot.....

#26

Updated by Eric Dec almost 7 years ago

Oops, I have been talking too fast.
After 10mn tvheadend crashes again.

#27

Updated by Eric Dec almost 7 years ago

I am rerunning it with gdb in log mode....but does not want to crash anymore after 30mn.

#28

Updated by Joe User almost 7 years ago

I did another quick test to narrow down the problem, and this simplified patch seems to work ok. Still a hack that does not address the problem, but I am not sure why something with pid == 0 is there. Maybe a problem with extractpid?? The real pid 0 packet should not have its scrambled bit set.

diff --git a/src/descrambler/descrambler.c b/src/descrambler/descrambler.c
index 80dbf24..0096961 100644
--- a/src/descrambler/descrambler.c
+++ b/src/descrambler/descrambler.c
@@ -936,6 +936,7 @@ key_find_struct( th_descrambler_runtime_t *dr,
   int i, pid = extractpid(tsb);
   for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) {
     tk = &dr->dr_keys[i];
+    if ( pid == 0 ) return NULL;
     if (tk->key_pid == pid) {
       if (tk != tk_old && tk_old)
         tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
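
Review bot: the call through tk_old->key_csa.csa_flush in the last context line is still made without checking the pointer, so the early return only covers PID 0 and any other matching PID reaches the call unchanged. Add a check on the callback (or on the key being initialised) to that condition. The added `if ( pid == 0 ) return NULL;` is loop-invariant and should sit before the `for`, with a comment explaining why a PID 0 packet can arrive here at all.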

#29

Updated by Eric Dec almost 7 years ago

Joe User wrote:

I did another quick test to narrow down the problem, and this simplified patch seems to work ok. Still a hack that does not address the problem, but I am not sure why something with pid == 0 is there. Maybe a problem with extractpid?? The real pid 0 packet should not have its scrambled bit set.

[...]

This means I roll back all previous changes and simply add the line "if ( pid == 0 ) return NULL;"?
By the way, in my test yesterday, I let it run for a few hours in debug mode, and it did not crash.
I will try your last change later today, thanks again.

#30

Updated by Andrey Orlin almost 7 years ago

I also have tvheadend crash with OScam
Versions:
OS: CentOS Linux release 7.4.1708 (Core)
TVH: 4.3-734~g4433c27
OScam: oscam-1.20-unstable_svn-r11388

oscam.conf:
[dvbapi]
enabled = 1
au = 1
pmt_mode = 4
request_mode = 1
delayer = 60
ecminfo_type = 1
user = tvh
read_sdt = 2
write_sdt_prov = 1
boxtype = pc-nodmx

tvheadend capmt:
Mode: OSCam pc-nodmx (rev >= 9756)
Socket: /tmp/camd.socket
CW mode: Standard/Auto

Dec  1 22:57:00 localhost tvheadend[9080]: capmt: shara: Starting CAPMT server for service "VIP Comedy" on adapter 2
Dec  1 22:57:00 localhost tvheadend[9080]: subscription: 0018: "HTTP" subscribing on channel "VIP Comedy", weight: 100, adapter: "Tmax TAS2101 #2 : DVB-S #0", network: "NTVPlus", mux: "11938.46R", provider: "HTB+", service: "VIP Comedy", profile="pass", hostname="::ffff:192.168.1.209", username="ea", client="TvhClient-TV/155 LibVLC/3.0.0-git" 
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: Signal: 6 in PRG: /usr/bin/tvheadend (4.3-734~g4433c27) [b8acf19680d6269a9b8f2627841acc09268c0a1d] CWD: /
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: Fault address 0x2378 (N/A)
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: Loaded libraries: /lib64/libdvben50221.so /lib64/libdvbapi.so /lib64/libucsi.so /lib64/libssl.so.10 /lib64/libcrypto.so.10 /lib64/libz.so.1 /lib64/libpcre2-8.so.0 /lib64/liburiparser.so.1 /lib64/libavahi-common.so.3 /lib64/libavahi-client.so.3 /lib64/libdbus-1.so.3 /lib64/libdl.so.2 /lib64/libpthread.so.0 /lib64/libm.so.6 /lib64/librt.so.1 /lib64/libstdc++.so.6 /lib64/libc.so.6 /lib64/libgssapi_krb5.so.2 /lib64/libkrb5.so.3 /lib64/libcom_err.so.2 /lib64/libk5crypto.so.3 /lib64/ld-linux-x86-64.so.2 /lib64/libgcc_s.so.1 /lib64/libkrb5support.so.0 /lib64/libkeyutils.so.1 /lib64/libresolv.so.2 /lib64/libselinux.so.1 /lib64/libpcre.so.1 /lib64/libnss_files.so.2
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: Register dump [23]: 00007f5f9eead70000000000000000200000000000000008000000000000020600005617ad197a5000007f5f940bce2000000000000042ce00000000000000830000000000002378000000000000239400000026950b214c00007f5f940bcf9800000000000000060000000000000000ffffffffffffffff00007f5f9eeab29800007f5fa9a671f70000000000000206000000000000003300000000000000000000000000000000fffffffe7ffbba130000000000000000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: STACKTRACE
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/trap.c:148 0x5617ad0bd4da 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: ??:0 0x7f5faa6165e0 0x7f5faa607000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: gsignal+0x37  (/lib64/libc.so.6)
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: abort+0x148  (/lib64/libc.so.6)
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/tvheadend.h:101 0x5617ad0786c2 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:2319 0x5617ad196bfd 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:2356 0x5617ad197ec1 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:1057 0x5617ad197ffe 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:642 0x5617ad1980ed 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:736 0x5617ad198663 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:1627 0x5617ad19a6ac 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:1850 0x5617ad19a8b2 0x5617ace69000
Dec  1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/wrappers.c:161 0x5617ad082952 0x5617ace69000
Dec  1 22:57:00 localhost systemd: tvheadend.service: main process exited, code=killed, status=6/ABRT

P.S.
1) Capmt mode with TVHeadend v4.2.4 works perfectly
2) TVHeadend 4.3-734~g4433c27 -> CCcam -> Oscam works perfectly

#31

Updated by Jaroslav Kysela almost 7 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset commit:tvheadend|b2ef96cfca037cd8054913a5c8cc334d7239d765.

#32

Updated by Eric Dec almost 7 years ago

Jaroslav Kysela wrote:

Applied in changeset commit:tvheadend|b2ef96cfca037cd8054913a5c8cc334d7239d765.

You mean you made more changes than what Joe was proposing?
I am asking because today I did some tries with Joe's fix on other powervu channels, and it kept crashing again or not descrambling.
I will try your new version tomorrow.
Thanks for your effort.

#33

Updated by Eric Dec almost 7 years ago

Jaroslav Kysela wrote:

Applied in changeset commit:tvheadend|b2ef96cfca037cd8054913a5c8cc334d7239d765.

I have tried this new version. It works fine on the channels I was trying before, but now it crashes on channels from another satellite (with powervu).
Should I upload logs here or open another bug?

#34

Updated by Joe User almost 7 years ago

@Eric, I wrote my patch was just a quick hack, not a solution... :)
@Jaroslav. I built new version and some quick tests on extended_cw channels on 9E and 4.9E all worked. Did not test any other encryptions yet, maybe tomorrow.
Thanks

#35

Updated by Petar Ivanov almost 7 years ago

Still crashes here with the last TVH 4.3-741~g0b24fb883

gdb:

Thread 36 "tvh:mi-main" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe4be8700 (LWP 25933)]
0x0000555555831eba in key_valid (tk=0x0, ki=157 '\235') at src/descrambler/descrambler.c:876
876      return tk->key_valid & mask;
2017-12-03 04:47:12.199 [  ALERT] CRASH: Signal: 11 in PRG: /home/tvh/tvheadend/build.linux/tvheadend (4.3-741~g0b24fb883) [7908324f0ac08fe5b063e35f1e8f9e7fdd413838] CWD: /home/tvh/tvheadend
2017-12-03 04:47:12.199 [  ALERT] CRASH: Fault address 0x91 (Address not mapped)
2017-12-03 04:47:12.199 [  ALERT] CRASH: Loaded libraries: linux-vdso.so.1 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /lib/x86_64-linux-gnu/libz.so.1 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/librt.so.1 /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /lib/x86_64-linux-gnu/libmvec.so.1 /lib/x86_64-linux-gnu/libgcc_s.so.1/lib/x86_64-linux-gnu/libc.so.6/lib64/ld-linux-x86-64.so.2
2017-12-03 04:47:12.199 [  ALERT] CRASH: Register dump [23]: 00005638bcd0c05825a5fd9e86d38a2d61b5d5b3f5642629038d83d28da80cb200007f477d5ef7ae00007f477d5ef7af00005638b762a44000007f475f5fa7000000000000000000000000000000009700007f475f5f951000000000000000000000000000000097000000000000000000007f474800865900007f475f5f951000005638b3e81eba0000000000010202002b0000000000330000000000000004000000000000000efffffffe7ffbba110000000000000091
2017-12-03 04:47:12.199 [  ALERT] CRASH: STACKTRACE
2017-12-03 04:47:12.240 [  ALERT] CRASH: /home/tvh/tvheadend/src/trap.c:148 0x5638b3de633a 0x5638b3ba4000
2017-12-03 04:47:12.295 [  ALERT] CRASH: ??:0 0x7f4785b653b0 0x7f4785b53000
2017-12-03 04:47:12.338 [  ALERT] CRASH: /home/tvh/tvheadend/src/descrambler/descrambler.c:876 0x5638b3e81eba 0x5638b3ba4000
2017-12-03 04:47:12.375 [  ALERT] CRASH: /home/tvh/tvheadend/src/descrambler/descrambler.c:1142 0x5638b3e82a30 0x5638b3ba4000
2017-12-03 04:47:12.415 [  ALERT] CRASH: /home/tvh/tvheadend/src/input/mpegts/tsdemux.c:340 0x5638b3e90daf 0x5638b3ba4000
2017-12-03 04:47:12.457 [  ALERT] CRASH: /home/tvh/tvheadend/src/input/mpegts/mpegts_input.c:1410 (discriminator 2) 0x5638b3e8d9e6 0x5638b3ba4000
2017-12-03 04:47:12.498 [  ALERT] CRASH: /home/tvh/tvheadend/src/input/mpegts/mpegts_input.c:1553 0x5638b3e8e019 0x5638b3ba4000
2017-12-03 04:47:12.538 [  ALERT] CRASH: /home/tvh/tvheadend/src/wrappers.c:161 0x5638b3d95f19 0x5638b3ba4000
2017-12-03 04:47:12.593 [  ALERT] CRASH: ??:0 0x7f4785b5a519 0x7f4785b53000
2017-12-03 04:47:12.593 [  ALERT] CRASH: clone+0x3f  (/lib/x86_64-linux-gnu/libc.so.6)
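
Added example (not part of the comment above and not tvheadend code): a small parser for the `CRASH:` lines in this report that turns each `file:line address base` frame into a module-relative offset, so the logged frame can be matched against the gdb program counter from a different run. The function names and the gdb load base are assumptions; the sample lines are copied from comment #35.

```python
import re

# Sample input: lines copied from the crash report in comment #35 (subset).
SAMPLE_LOG = """\
2017-12-03 04:47:12.199 [  ALERT] CRASH: Signal: 11 in PRG: /home/tvh/tvheadend/build.linux/tvheadend (4.3-741~g0b24fb883) [7908324f0ac08fe5b063e35f1e8f9e7fdd413838] CWD: /home/tvh/tvheadend
2017-12-03 04:47:12.199 [  ALERT] CRASH: Fault address 0x91 (Address not mapped)
2017-12-03 04:47:12.240 [  ALERT] CRASH: /home/tvh/tvheadend/src/trap.c:148 0x5638b3de633a 0x5638b3ba4000
2017-12-03 04:47:12.295 [  ALERT] CRASH: ??:0 0x7f4785b653b0 0x7f4785b53000
2017-12-03 04:47:12.338 [  ALERT] CRASH: /home/tvh/tvheadend/src/descrambler/descrambler.c:876 0x5638b3e81eba 0x5638b3ba4000
2017-12-03 04:47:12.375 [  ALERT] CRASH: /home/tvh/tvheadend/src/descrambler/descrambler.c:1142 0x5638b3e82a30 0x5638b3ba4000
"""

SIGNAL_RE = re.compile(r"CRASH: Signal: (\d+) in PRG: (\S+)")
FAULT_RE = re.compile(r"CRASH: Fault address (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"CRASH: (\S+):(\d+)(?: \(discriminator \d+\))? (0x[0-9a-f]+) (0x[0-9a-f]+)\s*$")

def parse_crash(text):
    """Return signal, fault address and stack frames with module-relative offsets."""
    report = {"signal": None, "program": None, "fault": None, "frames": []}
    for line in text.splitlines():
        if (m := SIGNAL_RE.search(line)):
            report["signal"], report["program"] = int(m.group(1)), m.group(2)
        elif (m := FAULT_RE.search(line)):
            report["fault"] = int(m.group(1), 16)
        elif (m := FRAME_RE.search(line)):
            addr, base = int(m.group(3), 16), int(m.group(4), 16)
            # addr - base is stable across runs even though ASLR moves the base.
            report["frames"].append({"src": m.group(1), "line": int(m.group(2)),
                                     "addr": addr, "base": base, "offset": addr - base})
    return report

def faulting_frame(report):
    """First frame with a known source file other than the crash handler (trap.c)."""
    for frame in report["frames"]:
        if frame["src"] != "??" and not frame["src"].endswith("/trap.c"):
            return frame
    return None

# Assumption: gdb's load base for a PIE binary on x86-64 Linux with ASLR disabled.
GDB_PIE_BASE = 0x555555554000

def matches_gdb_pc(frame, gdb_pc, gdb_base=GDB_PIE_BASE):
    """True when a gdb program counter maps to the same module offset as the logged frame."""
    return gdb_pc - gdb_base == frame["offset"]
```

The gdb frame address `0x0000555555831eba` and the logged `descrambler.c:876` frame resolve to the same offset, and a fault address of `0x91` with `tk=0x0` is consistent with reading a field at offset 0x91 through a NULL pointer.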

#36

Updated by Eric Dec almost 7 years ago

Joe User wrote:

@Eric, I wrote my patch was just a quick hack, not a solution... :)
@Jaroslav. I built new version and some quick tests on extended_cw channels on 9E and 4.9E all worked. Did not test any other encryptions yet, maybe tomorrow.
Thanks

You are right.
In fact, the other crash I have does not seem to be powervu related; it seems to be dealing with epg, I am not sure yet.
Thanks for having helped.

#37

Updated by Jaroslav Kysela almost 7 years ago

All descrambling related issues should be resolved in the latest master now. Please, create a new issue otherwise.
