Thread: Segmentation fault happens when using pthread_mutex_trylock

  1. #1
    Registered User
    Join Date
    Sep 2012
    Posts
    11

    Segmentation fault happens when using pthread_mutex_trylock

    I have been struggling for a week to fix a program. In the beginning I got SIGBUS, but after many attempts the program still gets a SIGSEGV segmentation fault. Below I post the segfault log + source code. I would really appreciate it if experts could help me fix this segmentation fault error. Any advice is highly appreciated.
    Thanks in advance

    Code:
        LL_NODE *ll_prepend(LLIST *l, void *obj)
        {
            if (l && obj) {
                // line below is module-datastruct-llist.c:167
                // mentioned in segment-fault log as frame 3
                if (!ll_lock(l)) return NULL;
                LL_NODE *new;
                if (!cs_malloc(&new, sizeof(LL_NODE), -1)) {
                    ll_unlock(l);   // release the lock taken above before bailing out
                    return NULL;
                }
                new->obj = obj;
                new->nxt = l->initial;
                l->initial = new;
                if (!l->last)
                    l->last = l->initial;
                l->count++;
                ll_unlock(l);
                return new;
            }
            return NULL;
        }

    Code:
        int32_t ll_lock(LLIST *l)
        {
            int32_t res = 1;
            if (!l) return 0;   // &l->lock would be a garbage pointer for a NULL list
            // line below is module-datastruct-llist.c:51
            // mentioned in segment-fault log as frame 2
            res = cs_trylock(&l->lock);
            while (!l->flag && res) {
                cs_debug_mask(D_TRACE, "trylock ll_lock wait");
                cs_sleepms(fast_rnd() % 5 + 1);
                // retry on every pass; without this res never changes and the
                // loop spins forever once another thread holds the lock
                res = cs_trylock(&l->lock);
            }
            return !res;
        }

    Code:
        int32_t cs_trylock(pthread_mutex_t *mutex)
        {
            if (!mutex) return -1;
            int32_t result, oldtype;
            /* Make sure that we won't get interrupted while getting the lock */
            pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype);

            // line below is oscam-simples.c:1233
            // mentioned in segment-fault log as frame 1
            if ((result = pthread_mutex_trylock(mutex)) == 0) {
                struct s_client *cl = cs_preparelock(cur_client(), mutex);
                if (cl)
                    cl->mutexstore_used++;
            }
            pthread_setcanceltype(oldtype, NULL);
            pthread_testcancel();
            return result;
        }

    Code:
        // in this function &l->lock is initialized
        LLIST *ll_create()
        {
            LLIST *l = cs_malloc(&l, sizeof(LLIST), 0);
            pthread_mutex_init(&l->lock, NULL);
            return l;
        }

    Segfault log:
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to LWP 1905]
    0x2979b7ba in pthread_mutex_trylock () from /lib/libpthread.so.0
    (gdb) bt
    #0 0x2979b7ba in pthread_mutex_trylock () from /lib/libpthread.so.0
    #1 0x00410d98 in cs_trylock (mutex=0x247373a4) at oscam-simples.c:1233
    #2 0x0043d4aa in ll_lock (l=0x24737398) at module-datastruct-llist.c:51
    #3 0x0043d956 in ll_prepend (l=0x24737398, obj=0x4a2410)
    at module-datastruct-llist.c:167
    #4 0x0040a66e in get_cw (client=0x4daa80, er=0x5063a0) at oscam.c:2645
    #5 0x00439754 in dvbapi_process_input (demux_id=0, filter_num=0,
    buffer=0x2a98bb60 "\201q=", len=320) at module-dvbapi.c:1634
    #6 0x0043c866 in stapi_read_thread (sparam=0x4d1558) at module-dvbapi.c:2441
    #7 0x29799486 in ?? () from /lib/libpthread.so.0
    Backtrace stopped: frame did not save the PC
    (gdb) info args
    No symbol table info available.
    If you need the entire source code:
    module-datastruct-llist.c in trunk

    oscam-simples.c in trunk

    globals.h in trunk

    My guess is the bug comes from pthread_mutex_trylock in oscam-simples.c, line 1233, I mean:

    Code:
    pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype);
     /* Line 1233 */   if((result=pthread_mutex_trylock(mutex)) == 0){
    Any advice is highly appreciated.

  2. #2
    Salem (and the hat of int overfl)
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    > #3 0x0043d956 in ll_prepend (l=0x24737398, obj=0x4a2410) at module-datastruct-llist.c:167
    > #4 0x0040a66e in get_cw (client=0x4daa80, er=0x5063a0) at oscam.c:2645
    Actually, I think you should be looking in get_cw() to find out why it's calling the ll_prepend function with a garbage pointer.

    One I might add, where 3 of the bytes are printable characters spelling "ss$".
    To me, this smells badly of a buffer overrun somewhere.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  3. #3
    Registered User
    Join Date
    Sep 2012
    Posts
    11
    @Salem
    Thank you so much for the reply. Well, I just looked into the get_cw code again, but can't find anything wrong. I quote the get_cw related code; probably there is an issue I missed. I would appreciate it if you could take a look:


    // part of get_cw() in oscam.c :
    Code:
        if(er->rc >= E_99) {
            er->reader_avail=0;
            struct s_reader *rdr;
            for (rdr=first_active_reader; rdr ; rdr=rdr->next) {
                if (matching_reader(er, rdr)) {
                    if (rdr->fallback) {
                        if (er->fallback == NULL) //first fallbackreader to be added
                            er->fallback=ll_append(er->matching_rdr, rdr);
                        else
                            ll_append(er->matching_rdr, rdr);
                    }
                    else {
                        ll_prepend(er->matching_rdr, rdr);
                    }
                    if (!rdr->fallback)
                        er->reader_avail++;
                }
            }

            LL_NODE *ptr;
            for (ptr = er->matching_rdr->initial; ptr && ptr != er->fallback; ptr = ptr->nxt)
                er->reader_count++;

            if (!ll_has_elements(er->matching_rdr)) { //no reader -> not found
                er->rc = E_NOTFOUND;
                if (!er->rcEx)
                    er->rcEx = E2_GROUP;
                snprintf(er->msglog, MSGLOGSIZE, "no matching reader");
            }
            else
                if (er->matching_rdr->initial == er->fallback) { //fallbacks only
                    er->fallback = NULL; //switch them
                    er->reader_count = er->reader_avail;
                }

            //we have to go through matching_reader() to check services!
            if (er->rc == E_UNHANDLED)
                er->rc = check_and_store_ecmcache(er, client->grp);
        }
    If you want to see the entire oscam.c code, see here:
    www.streamboard.tv/oscam/browser/trunk/oscam.c?rev=5375

    Any tip or advice is appreciated.
    Thanks in advance.
    Last edited by pooyair; 09-13-2012 at 08:59 AM.

  4. #4
    Salem (and the hat of int overfl)
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    Looking at bits of code where the problem shows up isn't going to help much. If it did, you would have found it by now.

    The next thing you need to do is examine each er->matching_rdr to make sure it isn't corrupt.

    For example, examine your data structures (such as ECM_REQUEST) to see if the corrupted fields are soon after a char array.

    Code:
    struct foo {
        char name[10];
        int value;
    };
    Copying "hello world" into name will likely trash the value.

    But you won't find this out when it is trashed, only when you use it.

    Your situation is similar. You have a trashed linked list pointer. You need to track back to find out HOW it got trashed.

    Putting a breakpoint on
    ll_prepend(er->matching_rdr, rdr);
    and printing the whole of *er should tell you more.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  5. #5
    Registered User
    Join Date
    Sep 2012
    Posts
    11
    @Salem
    Found it. You are so right. Thanks for your perfect troubleshooting (the way you troubleshoot shows me how professional you are). The bug was exactly as you expected (told me): in get_cw there was a trashed linked list pointer. The segfault was fixed.

    Dear Salem, just one point that is completely unclear to me:

    > #3 0x0043d956 in ll_prepend (l=0x24737398, obj=0x4a2410) at module-datastruct-llist.c:167

    > One I might add, where 3 of the bytes are printable characters spelling "ss$".
    > To me, this smells badly of a buffer overrun somewhere.

    1. What information does it tell you when you find that, i.e., 3 of the hex bytes of "l" equal "ss$"? Could you please explain.
    2. How did you recognize that this segfault is caused by get_cw() in oscam.c and not in another frame? Or in other words, how do you smell a buffer overrun from the spelling of the hex value?
    Really interested to learn this.

    Thank u so much again,
    Cheers.
    Last edited by pooyair; 09-13-2012 at 12:12 PM.
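Salem's hint in #2 (three of the four bytes of l=0x24737398 are the printable characters "ss$") and the struct foo sketch in #4 can both be reproduced in a few lines of C, which also answers the question in #5. This is an added example and not OSCam's code nor anything Salem posted: the struct request layout, the message text and the helper names are made up for illustration; the values 0x24737398 and 0x0040a66e are taken from the backtrace in #1.

```c
/* Added example (not OSCam code): how a string overrun turns a pointer
 * into something that spells text, and how to read a gdb pointer value
 * byte by byte the way Salem did in #2.  Build: cc -std=c99 -Wall demo.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render n bytes as printable ASCII ('.' for anything else) into out,
 * which needs n+1 bytes, and return how many of them were printable. */
size_t ascii_bytes(const unsigned char *bytes, size_t n, char *out)
{
    size_t printable = 0;
    for (size_t i = 0; i < n; i++) {
        if (bytes[i] >= 0x20 && bytes[i] <= 0x7e) {
            out[i] = (char)bytes[i];
            printable++;
        } else {
            out[i] = '.';
        }
    }
    out[n] = '\0';
    return printable;
}

/* Split a 32-bit value into bytes in the order gdb prints the hex
 * digits (most significant first): 0x24737398 -> 24 73 73 98. */
size_t hex_digits_as_ascii(uint32_t value, char out[5])
{
    unsigned char b[4];
    for (int i = 0; i < 4; i++)
        b[i] = (unsigned char)(value >> (8 * (3 - i)));
    return ascii_bytes(b, 4, out);
}

/* Heuristic debug check: a pointer whose object representation is at
 * least 75% printable text was almost certainly overwritten by string
 * data.  Cheap enough to assert() on at the top of a list operation. */
int pointer_looks_like_text(const void *p)
{
    unsigned char b[sizeof p];
    char text[sizeof p + 1];
    memcpy(b, &p, sizeof b);                 /* read the pointer's bytes, no deref */
    return ascii_bytes(b, sizeof b, text) * 4 >= sizeof b * 3;
}

/* Hypothetical layout in the spirit of Salem's struct foo in #4: a short
 * text field immediately followed by a linked-list pointer. */
struct request {
    char  msglog[8];
    void *matching_rdr;
};

/* Simulate the overrun.  The message is written through the struct's
 * byte representation so the copy itself is well defined here, but the
 * effect is exactly that of a strcpy/sprintf into msglog that ignored
 * sizeof msglog.  Returns the pointer field as it ends up afterwards. */
void *overrun_msglog(const char *msg)
{
    struct request r;
    unsigned char raw[sizeof r];
    size_t len = strlen(msg) + 1;
    memset(raw, 0, sizeof raw);
    memcpy(raw, msg, len < sizeof raw ? len : sizeof raw);
    memcpy(&r, raw, sizeof r);   /* msglog keeps "no match", the tail lands in matching_rdr */
    return r.matching_rdr;
}

int main(void)
{
    char text[5];
    size_t n = hex_digits_as_ascii(0x24737398u, text);
    printf("0x24737398 -> \"%s\" (%zu of 4 bytes printable)\n", text, n);

    void *p = overrun_msglog("no matching reader");   /* constructed sample input */
    printf("matching_rdr after overrun: %p, looks like text: %d\n",
           p, pointer_looks_like_text(p));

    /* return address of get_cw from the backtrace, a normal code pointer */
    void *code = (void *)(uintptr_t)0x0040a66eu;
    printf("0x0040a66e looks like text: %d\n", pointer_looks_like_text(code));
    return 0;
}
```

Reading the hex digits of 0x24737398 in pairs gives 24 73 73 98, that is '$', 's', 's' and one non-printable byte. Real heap and code pointers rarely decode to three consecutive ASCII letters, so a pointer that spells text is a strong sign that a string was copied over it, and the place to look is whoever produced the pointer (get_cw, frame 4) rather than pthread_mutex_trylock, which only dereferenced it. overrun_msglog shows the mechanism from #4: once a text field is followed by a pointer, any copy that ignores the field's size puts the tail of the message into the pointer. pointer_looks_like_text is the kind of cheap assertion you can drop into ll_lock or ll_prepend while hunting such a bug; p/x l in gdb shows the same bytes.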
