[Tango-cs-bug-info] [tango-cs:bugs] #813 Segfault when pushing a change event with invalid quality

tango-cs...@lists.sourceforge.net

Aug 10, 2016, 11:29:42 AM
to Tango-cs...@lists.sf.net

[bugs:#813] Segfault when pushing a change event with invalid quality

Status: open
Labels: segfault server event
Created: Wed Aug 10, 2016 03:28 PM UTC by Vincent Michel
Last Updated: Wed Aug 10, 2016 03:28 PM UTC
Owner: nobody

I've been able to reproduce reliably a segfault that started to appear after our tango 9 migration. It turns out that pushing a change event with an invalid quality from the code can cause the device server to segfault (not every time though). Here is the server code I used to reproduce the issue:

import time
from tango.server import Device, DeviceMeta, command, attribute
from tango import DevState, AttrQuality

class SegfaultTest(Device):
    __metaclass__ = DeviceMeta

    def init_device(self):
        self.set_change_event('value', True, False)
        self.set_state(DevState.ON)

    @command
    def push_invalid(self):
        print('pushing invalid...')
        self.push_change_event(
            'value', 0.0, time.time(), AttrQuality.ATTR_INVALID)
        print('pushed!')

    @attribute
    def value(self):
        return -1

if __name__ == '__main__':
    SegfaultTest.run_server()

And the client code:

import tango.utils
from time import sleep

def test():
    cb = tango.utils.EventCallBack()
    proxy = tango.DeviceProxy('test/vinmic/segfault')
    eid = proxy.subscribe_event('value', tango.EventType.CHANGE_EVENT, cb)
    proxy.push_invalid()
    proxy.unsubscribe_event(eid)

while True:
    test()
    sleep(0.5)

I've also been able to reproduce the segfault with a C++ device server, though it might take longer for the server to crash (the python version usually crashes at the first iteration of the client script). I'm using tango 9.2.2 with patch 922_1.

Let me know if you need more information,

Thanks
/Vincent


Sent from sourceforge.net because Tango-cs...@lists.sf.net is subscribed to https://sourceforge.net/p/tango-cs/bugs/

tango-cs...@lists.sourceforge.net

Aug 16, 2016, 5:44:28 AM
to Tango-cs...@lists.sf.net

Here's the back trace (same for python and C++ devices):

#0  copybuffer (newmax=5, this=0x7fffdc005970) at /usr/include/omniORB4/seqTemplatedecls.h:294
#1  _CORBA_Sequence<double>::get_buffer (this=0x7fffdc005970, orphan=<optimized out>)
    at /usr/include/omniORB4/seqTemplatedecls.h:184
#2  0x00007ffff78e0ce8 in Tango::DeviceImpl::data_into_net_object (this=<optimized out>, att=..., 
    aid=..., index=0, w_type=<optimized out>, del_seq=<optimized out>) at device.cpp:4910
#3  0x00007ffff7899dce in Tango::Attribute::Attribute_2_AttributeValue (this=this@entry=0x689a50, 
    ptr_5=ptr_5@entry=0x7fffdc006b60, d=0x685c50) at attribute.cpp:3422
#4  0x00007ffff78a4baa in Tango::Attribute::fire_change_event (this=this@entry=0x689a50, 
    except=except@entry=0x0) at attribute.cpp:3953
#5  0x00007ffff78c7d00 in Tango::DeviceImpl::push_change_event (this=<optimized out>, 
    attr_name="value", p_data=0x6897a0, t=..., qual=Tango::ATTR_INVALID, x=1, y=0, release=false)
    at dev_event.cpp:1123

tango-cs...@lists.sourceforge.net

Aug 16, 2016, 11:49:52 AM
to Tango-cs...@lists.sf.net

I have compared the relevant code to version 8.1.2. There has been some refactoring there. In Tango 8, DeviceImpl::data_into_net_object is not called from Attribute::Attribute_2_AttributeValue if the quality is ATTR_INVALID.

Something like this seems to solve the problem:

diff --git a/server/attribute.cpp b/server/attribute.cpp
index c61d9ff..52bd92e 100644
--- a/server/attribute.cpp
+++ b/server/attribute.cpp
@@ -3389,7 +3389,7 @@ void Attribute::Attribute_2_AttributeValue(Tango::AttributeValue_4 *ptr_4,Tango:
        Tango::AttributeValueList_4 dummy_list(1,1,ptr_4,false);
        aid.data_4 = &dummy_list;

-       if ((name_lower != "state") && (name_lower != "status"))
+       if ((name_lower != "state") && (name_lower != "status") && (quality != Tango::ATTR_INVALID))
         d->data_into_net_object(*this,aid,0,writable,false);
 }

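Review bot: the new `quality != Tango::ATTR_INVALID` test on the `if` that guards `d->data_into_net_object(*this,aid,0,writable,false);` means `ptr_4` is returned with no value filled in for an invalid-quality attribute, and nothing in the visible lines puts it into a defined empty state or documents that callers must not read it. Add a short comment on the condition saying the value is intentionally left unset for ATTR_INVALID, and check that every consumer of `ptr_4` tests the quality before touching the value.
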
@@ -3417,7 +3417,7 @@ void Attribute::Attribute_2_AttributeValue(Tango::AttributeValue_5 *ptr_5,Tango:
        Tango::AttributeValueList_5 dummy_list(1,1,ptr_5,false);
        aid.data_5 = &dummy_list;

-       if ((name_lower != "state") && (name_lower != "status"))
+       if ((name_lower != "state") && (name_lower != "status") && (quality != Tango::ATTR_INVALID))
         d->data_into_net_object(*this,aid,0,writable,false);

        ptr_5->data_type = data_type;
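
Review bot: in the AttributeValue_5 overload, `ptr_5->data_type = data_type;` still runs after the guarded call, so for ATTR_INVALID the structure carries a data type but no value; confirm that the event consumers accept that combination. The three-part condition is also duplicated verbatim from the AttributeValue_4 overload, so a small shared predicate would keep the two checks from drifting apart.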


tango-cs...@lists.sourceforge.net

Aug 31, 2016, 10:22:21 AM
to Tango-cs...@lists.sf.net

Bug fixed in SVN.
Andreas: thanks for the bug fix, but note that I also had to add another small change due to this bug
in file server/zmqeventsupplier.cpp. This is also in SVN for the same commit.

Cheers

Emmanuel

