Rocrail

Analyser crash.

Bug #732693 reported by Rocrail on 2011-03-10

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Rocrail	Fix Released	Medium	Unassigned

Bug Description

Backtrace:

Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) backtrace
#0 0x0012e416 in __kernel_vsyscall ()
#1 0x00177941 in raise () from /lib/libc.so.6
#2 0x0017ae42 in abort () from /lib/libc.so.6
#3 0x001af305 in ?? () from /lib/libc.so.6
#4 0x00232970 in __fortify_fail () from /lib/libc.so.6
#5 0x0023291a in __stack_chk_fail () from /lib/libc.so.6
#6 0x0814c734 in __stack_chk_fail_local ()
#7 0x0813fccd in _fmt (fmt=0x3adf0f "%s%s%s") at impl/str.c:167
#8 0x00373b53 in __analyseList (inst=0x8b64b64) at impl/analyse.c:1981
#9 0x003741b2 in _analyse (o=0x8b64b64) at impl/analyse.c:2084
#10 0x0808609e in _analyse (inst=0x81e029c, CleanRun=False) at impl/model.c:2961
#11 0x080516f1 in __checkConsole (data=0x81c219c) at impl/app.c:522
#12 0x08052f5c in _Main (inst=0x81c20ec, argc=4, argv=0xbffff324) at impl/app.c:871
#13 0x08078bdd in main (argc=4, argv=0xbffff324) at impl/main.c:199

Tags:

Revision history for this message

Rocrail (r.j.versluis) wrote on 2011-03-10:

#1

workspace.zip Edit (69.5 KiB, application/zip)

Changed in rocrail:
assignee:	nobody → jmfischer (jmfischer)

Revision history for this message

Rocrail (r.j.versluis) wrote on 2011-03-10:

#2

The analyzer crashes in an endless loop with the attached layout.

Revision history for this message

jmfischer (jmfischer) wrote on 2011-03-10:

#3

this plan is a nightmare again (spaghetti) ... but I'll do my very best.

Revision history for this message

jmfischer (jmfischer) wrote on 2011-03-10:

#4

        if( prevrouteids != NULL) {
          iOStrTok tok = StrTokOp.inst( prevrouteids, ',' );
          // check if id is allready in the list
          Boolean isInList = False;
          while ( StrTokOp.hasMoreTokens( tok )) {
            const char * token = StrTokOp.nextToken( tok );
            if( StrOp.equals( token, wRoute.getid( newRoute))) {
              isInList = True;
            }
          }
          TraceOp.trc( name, TRCLEVEL_INFO, __LINE__, 9999, "PIEP");
          TraceOp.trc( name, TRCLEVEL_INFO, __LINE__, 9999, "PIEP %s", prevrouteids);

-->

20110310.191324.000 r9999I main OAnalyse 1852 [tk][tk20030915010709250][ ]
20110310.191324.000 r9999I main OAnalyse 1983 PIEP
*** stack smashing detected ***: /home/jmf/roc/Rocrail/unxbin/rocrail terminated

what is in prevrouteids? it leads to the crash

Revision history for this message

jmfischer (jmfischer) wrote on 2011-03-10:

#5

if the lines near 1986 are commented out it will run through:

          if( !isInList && doIt) {
              char* newval = StrOp.fmt( "%s%s%s", prevrouteids, StrOp.len(prevrouteids)>0?",":"", wRoute.getid( newRoute) );
              wItem.setrouteids(tracknode, newval );
              StrOp.free(newval);
          }

it has something to do with the StrOp.fmt ...

so it is somthing around the "prevrouteids".

Revision history for this message

ron&bram (ronaldestherbram) wrote on 2011-03-11:

#6

This plan generates so much routes that sometimes the 4096 array size for StrOp.fmt in str.c gets "blown".
I did following in analyse.c:

        if( prevrouteids != NULL) {
          TraceOp.trc( name, TRCLEVEL_WARNING, __LINE__, 9999, "IDS length %d", StrOp.len(prevrouteids) );
          iOStrTok tok = StrTokOp.inst( prevrouteids, ',' );
          // check if id is allready in the list
          Boolean isInList = False;
          while ( StrTokOp.hasMoreTokens( tok )) {
            const char * token = StrTokOp.nextToken( tok );
            if( StrOp.equals( token, wRoute.getid( newRoute))) {
              isInList = True;
            }
          }

if( !isInList && doIt && StrOp.len(prevrouteids) < 4000 ) {

The warning trace showed several occurences of a length of prevrouteids of 4082. With the addition of the test on string length the analyser ran through the plan (but not all routes end up in the routeids). Shall I commit a version without the trace line?

Revision history for this message

Rocrail (r.j.versluis) wrote on 2011-03-11:

#7

If a trace line is expected to be very large it should be restricted with:

"%-80.80s"

Or what ever length you want.

But in this case it make not much sense to trace it out.

Revision history for this message

jmfischer (jmfischer) wrote on 2011-03-11:

#8

yup, this is it!

if( !isInList && doIt && StrOp.len(prevrouteids) < 4000 ) {

> Shall I commit a version without the trace line?

yep!

Revision history for this message

ron&bram (ronaldestherbram) wrote on 2011-03-11:

#9

You missed the point.
The trace line just writes the length of prevrouteids.
With the plan in question, the length of prevrouteids can exceed the defined size (4096) of the char array in the StrOp.fmt call. This causes the crash.
The fix I made is to only add more route ID's to the routeids of a track when the length of prevrouteids does not exceed 4000:

if( !isInList && doIt && StrOp.len(prevrouteids) < 4000 ) {

I suggested to comment this fix, but first to remove the trace line, because it was for debugging only. Commit?

Revision history for this message

jmfischer (jmfischer) wrote on 2011-03-11:

#10

Hi Ronald commit it like this: I think it's okay if the traceline stays there commented out, kind of comment :)

if( prevrouteids != NULL) {
          /*TraceOp.trc( name, TRCLEVEL_WARNING, __LINE__, 9999, "IDS length %d", StrOp.len(prevrouteids) );*/
          iOStrTok tok = StrTokOp.inst( prevrouteids, ',' );
          // check if id is allready in the list
          Boolean isInList = False;
          while ( StrTokOp.hasMoreTokens( tok )) {
            const char * token = StrTokOp.nextToken( tok );
            if( StrOp.equals( token, wRoute.getid( newRoute))) {
              isInList = True;
            }
          }

if( !isInList && doIt && StrOp.len(prevrouteids) < 4000 ) {

Revision history for this message

Rocrail (r.j.versluis) wrote on 2011-03-11:

#11

The StrOp.fmt() could be replaced with StrOp.cat() in case of a csv string to be able to grow and grow.
To check if the csv length is not exceeding a certain range will reduce the functionality of the analyzer.

Revision history for this message

ron&bram (ronaldestherbram) wrote on 2011-03-11:

#12

Yes, but does it make sense to have numeroues pieces of track with each a routeids string of more then 4000 characters, that all have to be evaluated when a route is set. There is a point where the response on lighting th e track will become sluggish. With JMF happy, I committed this version.

Changed in rocrail:
status:	Confirmed → Fix Committed

Revision history for this message

jmfischer (jmfischer) wrote on 2011-03-11:

#13

it will lead to really really huge plan files if there is no "stopping" at some point. of course we could use StrOp.cat() because at the point where the crash occured the analyser is finished and is collecting the results. so it can't grow to infinity.

Revision history for this message

jmfischer (jmfischer) wrote on 2011-03-12:

#14

in 2441 it's working with StrOp.cat() so no route entries will be discarded.

Changed in rocrail:
status:	Fix Committed → Fix Released

Revision history for this message

ron&bram (ronaldestherbram) wrote on 2011-03-12:

#15

Tested moni3.xml with 2441, no crash, largest routeids I found contains 4305 characters {wow ;-)}.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

workspace.zip Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.