Posted to commits@nuttx.apache.org by GitBox <gi...@apache.org> on 2022/10/31 11:39:20 UTC

[GitHub] [incubator-nuttx] fjpanag opened a new issue, #7488: Kasan error when exiting task.

fjpanag opened a new issue, #7488:
URL: https://github.com/apache/incubator-nuttx/issues/7488

   I just got a KASan error when a task is exited.  
   I am using the simulator for this test.
   
   It seems related to the semaphores.
   
   I may not be able to further troubleshoot this today, but here is a stack trace in case anyone has any ideas:
   
   ![image](https://user-images.githubusercontent.com/46975045/198999447-ce792b3c-3ce6-4931-b3c5-d8930eb8d322.png)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [incubator-nuttx] fjpanag commented on issue #7488: Kasan error when exiting task.

Posted by GitBox <gi...@apache.org>.
fjpanag commented on issue #7488:
URL: https://github.com/apache/incubator-nuttx/issues/7488#issuecomment-1308546367

   The issue is within `nxsem_freeholder()` where there is a NULL-pointer dereference.  
   I see that `pholder->htcb` is NULL, but the code tries to use `pholder->htcb->holdsem` directly, without a check.
   
   I am not sure if a check is missing here, or indeed this field shouldn't be NULL (and thus the root cause is elsewhere).
   
   @pkarashchenko This issue may be of interest to you.
   
   




[GitHub] [nuttx] fjpanag commented on issue #7488: Kasan error when exiting task.

Posted by "fjpanag (via GitHub)" <gi...@apache.org>.
fjpanag commented on issue #7488:
URL: https://github.com/apache/nuttx/issues/7488#issuecomment-1503595511

   This is fixed in 8c52633 (so that's why it is not reproducible on the latest master).
   
   Closing...




[GitHub] [nuttx] fjpanag commented on issue #7488: Kasan error when exiting task.

Posted by "fjpanag (via GitHub)" <gi...@apache.org>.
fjpanag commented on issue #7488:
URL: https://github.com/apache/nuttx/issues/7488#issuecomment-1503463630

   I finally got it!
   
   The semaphore is freed before its holder is released!
   
   Later on when the holder is to be released, as it still has a reference to the (now deallocated) semaphore, KASAN throws an error.
   
   *I am currently testing on 59416af3e697ab89a85f8598751654422f63d46c, as it is one of the revisions that reproduce the issue easily.*
   
   So, what I did is to add the following to `mm_free()`:
   
   ```c
     extern dq_queue_t g_readytorun;
     struct tcb_s *rtcb = g_readytorun.head;
     if (rtcb->holdsem && rtcb->holdsem->sem == mem)
     {
       DEBUGASSERT(0);
     }
   ```
   
   This is to indicate to me that a semaphore is to be freed, while it is still being referenced by this task's holder.  
   The assertion indeed fires, and KASAN is right to complain later on.
   
   The stack trace at the time of the failure is this:
   
   ![Screenshot from 2023-04-11 17-12-27](https://user-images.githubusercontent.com/46975045/231192337-8864e401-986b-48dd-bf14-5242e2dd46a6.png)
   
   To my understanding the issue is that the file is locked at fs_tmpfs.c line 1418, and then deallocated at line 1446 without it being unlocked first.
   
   And thus, the lock causes a holder to be allocated for this task which ends up pointing to a destroyed object.
   


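A constructed C model of the ordering problem described in the comment above, added here as an example; it is not code from the issue or from NuttX. The `sem`, `holder` and `tcb` types are simplified stand-ins for the kernel's structures, and `task_still_holds()` generalises the author's `mm_free()` assertion to walk the whole holder list rather than only its head.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model, not NuttX code: a semaphore, a per-task holder record
 * (as kept for priority inheritance) and a tcb owning a list of holders. */
struct sem { int count; };
struct holder { struct sem *sem; struct holder *next; };
struct tcb { struct holder *holdsem; };

/* Taking the lock pushes a holder that points back at the semaphore. */
static void take(struct tcb *t, struct sem *s, struct holder *h)
{
  s->count--;
  h->sem = s;
  h->next = t->holdsem;
  t->holdsem = h;
}

/* Giving the lock back unlinks the matching holder before posting. */
static void give(struct tcb *t, struct sem *s)
{
  for (struct holder **pp = &t->holdsem; *pp; pp = &(*pp)->next)
    if ((*pp)->sem == s) { *pp = (*pp)->next; break; }
  s->count++;
}

/* The check behind the author's mm_free() assertion, generalised to walk
 * the whole holder list rather than only its head. */
bool task_still_holds(const struct tcb *t, const struct sem *s)
{
  for (const struct holder *h = t->holdsem; h; h = h->next)
    if (h->sem == s) return true;
  return false;
}

/* Report's order: lock, then free while still holding; the holder dangles. */
bool free_while_locked_leaves_holder(void)
{
  struct sem s = { 1 }; struct holder h; struct tcb t = { NULL };
  take(&t, &s, &h);
  return task_still_holds(&t, &s);   /* true: unsafe to free here */
}

/* Corrected order: release first so the holder is gone before the free. */
bool unlock_then_free_is_clean(void)
{
  struct sem s = { 1 }; struct holder h; struct tcb t = { NULL };
  take(&t, &s, &h);
  give(&t, &s);
  return !task_still_holds(&t, &s);  /* true: safe to free now */
}
```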


[GitHub] [nuttx] fjpanag commented on issue #7488: Kasan error when exiting task.

Posted by "fjpanag (via GitHub)" <gi...@apache.org>.
fjpanag commented on issue #7488:
URL: https://github.com/apache/nuttx/issues/7488#issuecomment-1503474869

   Hmm, there is also this note:
   
   ```c
         /* Free the file object while we hold the lock?  Weird but this
          * should be safe because the object is unlinked and could not
          * have any other references.
          */
   ```
   
   The original author made a false assumption as they didn't take into account priority inheritance.
   
   Can someone comment on the "correct" way to fix this?  
   I am tempted to unlock the file just prior to freeing it, but this may cause other concurrency issues?




[GitHub] [incubator-nuttx] xiaoxiang781216 commented on issue #7488: Kasan error when exiting task.

Posted by GitBox <gi...@apache.org>.
xiaoxiang781216 commented on issue #7488:
URL: https://github.com/apache/incubator-nuttx/issues/7488#issuecomment-1296983988

   Can you try CONFIG_SIM_ASAN, which could report more detailed info?




[GitHub] [incubator-nuttx] pkarashchenko commented on issue #7488: Kasan error when exiting task.

Posted by GitBox <gi...@apache.org>.
pkarashchenko commented on issue #7488:
URL: https://github.com/apache/incubator-nuttx/issues/7488#issuecomment-1309395484

   I took a brief look and see that the 3 calls of `nxsem_freeholder` are done from the `nxsem_foreachholder` loop that has `DEBUGASSERT(pholder->htcb != NULL);`, and the only other call of `nxsem_freeholder` is from `nxsem_release_all`, which is called from `nxsem_recover`. Based on your log it is a case of `nxsem_recover` being called from `nxtask_recover`. We need to debug how it happens that `htcb->holdsem->htcb != htcb` and is actually `NULL`.
   I'm feeling like `nxsem_recover` has a bug. Do you have any sample code that can help me to reproduce the issue?




[GitHub] [incubator-nuttx] fjpanag commented on issue #7488: Kasan error when exiting task.

Posted by GitBox <gi...@apache.org>.
fjpanag commented on issue #7488:
URL: https://github.com/apache/incubator-nuttx/issues/7488#issuecomment-1297040643

   Here is the original output:
   ```
   [31/10/22 12:03:25] [28] [ EMERG] kasan_report: kasan detected a read access error, address at 0x7f2b469d2100, size is 8
   ```
   
   After enabling `CONFIG_SIM_ASAN`:
   ```
   ==1011658==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fe3870de878 at pc 0x7fe38a2710c9 bp 0x7fe3870de830 sp 0x7fe3870ddff0
   WRITE of size 128 at 0x7fe3870de878 thread T0
   ```




[GitHub] [nuttx] fjpanag closed issue #7488: Kasan error when exiting task.

Posted by "fjpanag (via GitHub)" <gi...@apache.org>.
fjpanag closed issue #7488: Kasan error when exiting task.
URL: https://github.com/apache/nuttx/issues/7488




[GitHub] [incubator-nuttx] fjpanag commented on issue #7488: Kasan error when exiting task.

Posted by GitBox <gi...@apache.org>.
fjpanag commented on issue #7488:
URL: https://github.com/apache/incubator-nuttx/issues/7488#issuecomment-1310196914

   @pkarashchenko Unfortunately I haven't been able to create a minimum working example.
   
   My code runs Lua in a pthread, and executes the Lua test suite (which is quite complex, and exercises lots of APIs).  
   After exiting this pthread, the error is triggered.
   
   I am trying to narrow it down more...




[GitHub] [incubator-nuttx] pkarashchenko commented on issue #7488: Kasan error when exiting task.

Posted by GitBox <gi...@apache.org>.
pkarashchenko commented on issue #7488:
URL: https://github.com/apache/incubator-nuttx/issues/7488#issuecomment-1309369301

   Yes. I will try to take a look into it as soon as I can. Most probably this weekend.

