From: Koen Deforche
Subject: [lwip-devel] [bug #25695] Segmentation fault in do_writemore(struct netconn *conn)
Date: Tue, 24 Feb 2009 16:11:40 +0000
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
URL: <http://savannah.nongnu.org/bugs/?25695>
Summary: Segmentation fault in do_writemore(struct netconn *conn)
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: kdeforche
Submitted on: Tue 24 Feb 2009 04:11:38 PM GMT
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.3.0
_______________________________________________________
Details:
Hey all,
Very occasionally we hit a segmentation fault in do_writemore(). A back-trace
shows the following stack trace:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
[Switching to process 54758 thread 0x3203]
0x000dfbb6 in do_writemore (conn=0x281394) at
lwip/lwip/src/api/api_msg.c:1001
1001 dataptr = (u8_t*)conn->write_msg->msg.w.dataptr + conn->write_offset;
(gdb) bt
#0 0x000dfbb6 in do_writemore (conn=0x281394) at
lwip/lwip/src/api/api_msg.c:1001
#1 0x000de8be in poll_tcp (arg=0x281394, pcb=0x27fd3c) at
lwip/lwip/src/api/api_msg.c:240
#2 0x000d2d6f in tcp_slowtmr () at lwip/lwip/src/core/tcp.c:746
#3 0x000d1aa2 in tcp_tmr () at lwip/lwip/src/core/tcp.c:98
#4 0x000e01d9 in tcpip_tcp_timer (arg=0x0) at lwip/lwip/src/api/tcpip.c:82
#5 0x000d16a2 in sys_sem_wait (sem=0x21bbf30) at
lwip/lwip/src/core/sys.c:158
#6 0x000ed9d7 in sys_mbox_trypost (mbox=0x100ee00, msg=0x281d8c) at
lwip/contrib/ports/unix/sys_arch.c:222
#7 0x000e0529 in tcpip_input (p=0x184e84, inp=0x184b00) at
lwip/lwip/src/api/tcpip.c:335
#8 0x000e3fb0 in loopif_output (netif=0x184b00, p=0x184e2c, ipaddr=0x27fd40)
at lwip/lwip/src/netif/loopif.c:160
#9 0x000dc4f3 in ip_output_if (p=0x184e2c, src=0x27fd3c, dest=0x27fd40,
ttl=255 '?', tos=0 '\0', proto=6 '\006', netif=0x184b00) at
lwip/lwip/src/core/ipv4/ip.c:536
#10 0x000dc571 in ip_output (p=0x184e2c, src=0x27fd3c, dest=0x27fd40, ttl=255
'?', tos=0 '\0', proto=6 '\006') at lwip/lwip/src/core/ipv4/ip.c:566
#11 0x000d7c8b in tcp_output_segment (seg=0x280b1c, pcb=0x27fd3c) at
lwip/lwip/src/core/tcp_out.c:672
#12 0x000d7863 in tcp_output (pcb=0x27fd3c) at
lwip/lwip/src/core/tcp_out.c:549
#13 0x000dfd43 in do_writemore (conn=0x281394) at
lwip/lwip/src/api/api_msg.c:1029
#14 0x000dfe49 in do_write (msg=0xb079c350) at
lwip/lwip/src/api/api_msg.c:1097
#15 0x000e0409 in tcpip_thread (arg=0x0) at lwip/lwip/src/api/tcpip.c:269
#16 0x9029a095 in _pthread_start ()
#17 0x90299f52 in thread_start ()
Current language: auto; currently c
The problem is: conn->write_msg = NULL. It is reset in stack frame #13,
before a call to tcp_output_nagle(). That this occurs rarely is because the
tcp slow timer needs to fire at exactly the right moment to trigger this wrong
behavior?
A solution could be the patch below, which resets the conn->state before
calling tcp_output_nagle:
--- a/lwip/lwip/src/api/api_msg.c
+++ b/lwip/lwip/src/api/api_msg.c
@@ -1025,6 +1025,7 @@ do_writemore(struct netconn *conn)
write_finished = 1;
conn->write_msg = NULL;
conn->write_offset = 0;
+ conn->state = NETCONN_NONE; /* must before tcp_output_nagle() */
}
err = tcp_output_nagle(conn->pcb.tcp);
conn->err = err;
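Review bot: the added line fixes the ordering for the re-entry the trace shows, but its comment should state the reason in full, e.g. `conn->state = NETCONN_NONE; /* must be reset before tcp_output_nagle(): poll_tcp() re-enters do_writemore() while state is NETCONN_WRITE */`, since "must before" does not say what must happen or why. The re-entry path is worth naming in the commit message too: frames #5 to #7 show the unix port's sys_mbox_trypost() blocking in sys_sem_wait(), which runs tcpip_tcp_timer() on the same thread, so tcp_output() called from do_writemore() (frame #13) ends up back in poll_tcp() (frame #1) and then at line 1001 with write_msg already NULL. Because that path depends on port behaviour, consider a defensive early return when conn->write_msg == NULL at the top of do_writemore() in addition to the state reset, so any other callback that re-enters while a write is being finished cannot reach the dereference.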
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?25695>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
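The re-entrancy described in the report, as an added constructed model rather than lwIP code: it assumes poll_tcp() gates on conn->state == NETCONN_WRITE and models tcp_output_nagle() on the unix port as synchronously running the TCP timer, so the unpatched ordering re-enters do_writemore() with write_msg already NULL, while resetting state first (the proposed patch) does not.

```c
#include <stddef.h>
/* Constructed model of the lwIP 1.3.0 netconn write path; not lwIP source. */
enum netconn_state { NETCONN_NONE, NETCONN_WRITE };
struct api_msg { const char *dataptr; size_t len; };

struct netconn {
    enum netconn_state state;
    struct api_msg *write_msg;   /* set to NULL once the whole buffer is queued */
    size_t write_offset;
    int patched;                 /* 1 = reset state before tcp_output_nagle() */
    int null_reentries;          /* counts what in lwIP is the NULL dereference */
};

static void do_writemore(struct netconn *conn);

/* poll_tcp() (assumed): the TCP slow timer re-enters do_writemore() whenever
 * conn->state still says a write is in progress. */
static void poll_tcp(struct netconn *conn)
{
    if (conn->state == NETCONN_WRITE)
        do_writemore(conn);
}

/* tcp_output_nagle() on the unix port: output loops back through tcpip_input(),
 * whose sys_mbox_trypost() waits on a semaphore and services the TCP timers on
 * the same thread (frames #5-#7 of the trace), so poll_tcp() runs synchronously. */
static void tcp_output_nagle(struct netconn *conn)
{
    poll_tcp(conn);
}

static void do_writemore(struct netconn *conn)
{
    if (conn->write_msg == NULL) {      /* api_msg.c:1001 would fault here */
        conn->null_reentries++;
        return;
    }
    conn->write_offset += conn->write_msg->len;  /* pretend tcp_write() took it all */
    conn->write_msg = NULL;                      /* write finished */
    conn->write_offset = 0;
    if (conn->patched)
        conn->state = NETCONN_NONE;              /* the patch: leave WRITE before output */
    tcp_output_nagle(conn);
    conn->state = NETCONN_NONE;                  /* unpatched: reset only afterwards */
}

/* One complete write; returns how often do_writemore() saw write_msg == NULL. */
int simulate_write(int patched)
{
    struct api_msg msg = { "constructed payload", 19 };   /* constructed input */
    struct netconn conn = { NETCONN_WRITE, &msg, 0, patched, 0 };
    do_writemore(&conn);
    return conn.null_reentries;
}
```

simulate_write(0) returns 1 (the timer re-entered with a NULL write_msg) and simulate_write(1) returns 0.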