Bug 100 - Crash when starting acquisition
Summary: Crash when starting acquisition
Status: RESOLVED FIXED
Alias: None
Product: libsigrok
Classification: Unclassified
Component: Driver: openbench-logic-sniffer
Version: unreleased development snapshot
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 45
Reported: 2013-04-20 15:54 CEST by Joel Holdsworth
Modified: 2013-04-22 13:42 CEST

Description Joel Holdsworth 2013-04-20 15:54:31 CEST
Crash when starting acquisition in PulseView:

    ....
sr: ols: Sending cmd 0x00.
sr: ols: Sending cmd 0x00.
sr: ols: Sending cmd 0x00.
sr: ols: Sending cmd 0x02.
sr: ols: Sending cmd 0x04.
sr: ols: Got metadata key 0x01 value 'Open Logic Sniffer v1.01'.
sr: ols: Got metadata key 0x02 value '3.07'.
sr: ols: Got metadata key 0x21 value 0x00006000.
sr: ols: Got metadata key 0x23 value 0x0bebc200.
sr: ols: Got metadata key 0x40 value 0x20.
sr: ols: Got metadata key 0x41 value 0x02.
[New Thread 0x7fffe2d6e700 (LWP 4053)]
sr: session: Starting.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe2d6e700 (LWP 4053)]
0x00007ffff65f6f89 in hw_dev_acquisition_start (sdi=0x87a1d0, cb_data=0x87a1d0) at api.c:399
399             if (devc->trigger_mask[0]) {
(gdb) bt
#0  0x00007ffff65f6f89 in hw_dev_acquisition_start (sdi=0x87a1d0, cb_data=0x87a1d0) at api.c:399
#1  0x00007ffff65d2874 in sr_session_start () at session.c:350
#2  0x000000000045f520 in pv::SigSession::sample_thread_proc(sr_dev_inst*, unsigned long, boost::function<void (QString
)>) (this=0x7fffffffdcc8, sdi=0x87a1d0, record_length=1000000, error_handler=...)
    at /home/joel/workspace/sigrok/sigrok/pulseview/pv/sigsession.cpp:181
#3  0x0000000000466b4e in boost::_mfi::mf3<void, pv::SigSession, sr_dev_inst*, unsigned long, boost::function<void (QSt
ring)> >::operator()(pv::SigSession*, sr_dev_inst*, unsigned long, boost::function<void (QString)>) const (
    this=0xb4acf8, p=0x7fffffffdcc8, a1=0x87a1d0, a2=1000000, a3=...)
    at /usr/include/boost/bind/mem_fn_template.hpp:393
#4  0x000000000046690e in boost::_bi::list4<boost::_bi::value<pv::SigSession*>, boost::_bi::value<sr_dev_inst*>, boost:
:_bi::value<unsigned long>, boost::_bi::value<boost::function<void (QString)> > >::operator()<boost::_mfi::mf3<void, pv
::SigSession, sr_dev_inst*, unsigned long, boost::function<void (QString)> >, boost::_bi::list0>(boost::_bi::type<void>
, boost::_mfi::mf3<void, pv::SigSession, sr_dev_inst*, unsigned long, boost::function<void (QString)> >&, boost::_bi::l
ist0&, int) (this=0xb4ad08, f=..., a=...) at /usr/include/boost/bind/bind.hpp:457
#5  0x00000000004667fb in boost::_bi::bind_t<void, boost::_mfi::mf3<void, pv::SigSession, sr_dev_inst*, unsigned long, 
boost::function<void (QString)> >, boost::_bi::list4<boost::_bi::value<pv::SigSession*>, boost::_bi::value<sr_dev_inst*
>, boost::_bi::value<unsigned long>, boost::_bi::value<boost::function<void (QString)> > > >::operator()() (
    this=0xb4acf8) at /usr/include/boost/bind/bind_template.hpp:20
#6  0x0000000000466498 in boost::detail::thread_data<boost::_bi::bind_t<void, boost::_mfi::mf3<void, pv::SigSession, sr
_dev_inst*, unsigned long, boost::function<void (QString)> >, boost::_bi::list4<boost::_bi::value<pv::SigSession*>, boo
st::_bi::value<sr_dev_inst*>, boost::_bi::value<unsigned long>, boost::_bi::value<boost::function<void (QString)> > > >
 >::run() (this=0xb4ab70) at /usr/include/boost/thread/detail/thread.hpp:62
#7  0x00007ffff7bcc6c9 in ?? () from /usr/lib/libboost_thread.so.1.49.0
#8  0x00007ffff79a8e9a in start_thread (arg=0x7fffe2d6e700) at pthread_create.c:308
#9  0x00007ffff57ebcbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#10 0x0000000000000000 in ?? ()
Comment 1 Joel Holdsworth 2013-04-21 18:09:31 CEST
Taken from api.c:

---------------- 8< -----------------

	/*
	 * Limit readcount to prevent reading past the end of the hardware
	 * buffer.
	 */
	readcount = MIN(devc->max_samples / num_channels, devc->limit_samples) / 4;

	memset(trigger_config, 0, 16);
	printf("%d: devc = %p\n", __LINE__, devc);
	trigger_config[devc->num_stages - 1] |= 0x08;
	printf("%d: devc = %p\n", __LINE__, devc);
	if (devc->trigger_mask[0]) {
		delaycount = readcount * (1 - devc->capture_ratio / 100.0);
		devc->trigger_at = (readcount - delaycount) * 4 - devc->num_stages;

--------------- >8 -------------------

Output:

399: devc = 0xd0d5d0 
401: devc = 0x800d0d5d0

...the code then crashes when devc is dereferenced on the "if (devc->trigger_mask[0])" line.
Comment 2 Bert Vermeulen 2013-04-22 13:42:05 CEST
Fixed in 2e5b73c00c732
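
The two printf lines in Comment 1 show devc changing across the `trigger_config[devc->num_stages - 1] |= 0x08;` write, which is consistent with that index landing outside the array. The following is an added example, not code from libsigrok and not the change in 2e5b73c00c732: a range check on the stage index before the write, run between guard words so a stray write would be visible. The four 32-bit entries (taken from the 16-byte memset), the one-field `struct dev_context`, and the names `mark_last_stage`, `try_num_stages`, `STAGE_START_FLAG` and `GUARD` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TRIGGER_STAGES 4      /* assumption: 16 bytes = 4 x uint32_t */
#define STAGE_START_FLAG   0x08u  /* the value OR'ed in by the excerpt */
#define GUARD              0xA5A5A5A5u

/* Hypothetical stand-in for the driver's device context. */
struct dev_context { int num_stages; };

/*
 * Clear the table, then flag the last configured stage.
 * Returns 0 on success, -1 if num_stages would index outside the table;
 * in that case only the in-bounds memset has been performed.
 */
static int mark_last_stage(const struct dev_context *devc, uint32_t *cfg)
{
	memset(cfg, 0, NUM_TRIGGER_STAGES * sizeof(*cfg));
	if (devc->num_stages < 1 || devc->num_stages > NUM_TRIGGER_STAGES)
		return -1;
	cfg[devc->num_stages - 1] |= STAGE_START_FLAG;
	return 0;
}

/* Guard words on both sides of the table stand in for neighbouring locals. */
struct guarded {
	uint32_t before;
	uint32_t cfg[NUM_TRIGGER_STAGES];
	uint32_t after;
};

/* 1 = flag written in bounds, 0 = rejected, -1 = a guard word was modified. */
static int try_num_stages(int num_stages)
{
	struct guarded g = { GUARD, { 0 }, GUARD };
	struct dev_context devc = { num_stages };
	int ret = mark_last_stage(&devc, g.cfg);

	if (g.before != GUARD || g.after != GUARD)
		return -1;
	return ret == 0 && g.cfg[num_stages - 1] == STAGE_START_FLAG;
}

int main(void)
{
	int samples[] = { -1, 0, 1, 4, 5 };  /* constructed inputs */
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("num_stages=%d -> %d\n", samples[i], try_num_stages(samples[i]));
	return 0;
}
```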