EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: EPICS Base Release 3.14.6
From: Marty Kraimer <[email protected]>
To: Dirk Zimoch <[email protected]>
Cc: Andrew Johnson <[email protected]>, EPICS tech-talk <[email protected]>
Date: Mon, 07 Jun 2004 06:54:15 -0500


Dirk Zimoch wrote:

Hi Andrew,

as I posted last week, there is a bug in dbAccess.c that can crash the ioc when DTYP is read via CA. The bug is still present in the newly released 3.14.6. I think it has been there from the very beginning of EPICS. As I tested today, a Linux ioc also crashes (segmentation fault). That there were no crashes on 68k processors seems to be coincidental (or just luck).

The problem is that for records without device support (calc, etc.) the dbDeviceMenu pointer is NULL. When it is dereferenced in get_enum_strs(), no check is done and pdbDeviceMenu->nChoice and pdbDeviceMenu->papChoice have arbitrary values.

Since I consider crashing an ioc with a read a major bug, I would be pleased to see this fixed in at least the latest version.


Your analysis is correct. The bug has been in base for years and appears in both 3.13 and 3.14.

I suggest a different fix than yours, since it will notify the user that an error occurred. See below.

The correct fix is:

3.14.6
diff -c -r1.116.2.3 dbAccess.c
*** dbAccess.c 19 Feb 2004 01:17:39 -0000 1.116.2.3
--- dbAccess.c 7 Jun 2004 11:42:20 -0000
***************
*** 147,152 ****
--- 147,156 ----
goto choice_common;
case DBF_DEVICE:
pdbDeviceMenu = (dbDeviceMenu *)pdbFldDes->ftPvt;
+ if(!pdbDeviceMenu) {
+ *options = (*options)^DBR_ENUM_STRS;/*Turn off option*/
+ break;
+ }
no_str = pdbDeviceMenu->nChoice;
papChoice = pdbDeviceMenu->papChoice;
goto choice_common;
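Review bot: `*options = (*options)^DBR_ENUM_STRS;` toggles the bit rather than clearing it, so if this path is ever entered without DBR_ENUM_STRS already set the XOR switches the option on; `*options &= ~DBR_ENUM_STRS;` clears it unconditionally and matches the "Turn off option" comment. Note also that the new branch leaves no_str and papChoice unassigned and breaks out of the switch, so it relies on every caller testing the option bit before it reads the enum-string result.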



For 3.13 the fix is
diff -c -r1.89.4.8 dbAccess.c
*** dbAccess.c 12 Jul 2002 22:17:07 -0000 1.89.4.8
--- dbAccess.c 7 Jun 2004 11:40:05 -0000
***************
*** 129,134 ****
--- 129,138 ----
goto choice_common;
case DBF_DEVICE:
pdbDeviceMenu = (dbDeviceMenu *)pdbFldDes->ftPvt;
+ if(!pdbDeviceMenu) {
+ *options = (*options)^DBR_ENUM_STRS;/*Turn off option*/
+ break;
+ }
no_str = pdbDeviceMenu->nChoice;
papChoice = pdbDeviceMenu->papChoice;
goto choice_common;
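Review bot: the `if(!pdbDeviceMenu)` guard says nothing about when ftPvt can be NULL; a short comment on that line (the record type defines no device support, so the DTYP field has no menu, as the report above explains) would spare the next reader a trip through the database code. The hunk is otherwise identical to the 3.14.6 one, so the XOR-versus-`&= ~` remark applies here as well.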



This will be fixed in the next release of 3.13 and 3.14.
I did some greps and this appears to be the only place in base where pdbDeviceMenu is not checked for null before it is used.


Thanks!!!

Marty Kraimer



Dirk



Andrew Johnson wrote:


EPICS Base release 3.14.6 has been available for download since last Friday, but we didn't have the IOC Application Developers Guide in place until today, hence the delayed release announcement. This version of Base contains many minor enhancements and bug fixes, especially to the Channel Access client library, which is significantly more robust and reliable than R3.14.5 was.

There is a known problem with compiling this release against Tornado 2.2, although the failure happens when building a test program after everything required for normal use has been compiled, so this is benign. There may also be an issue when building some extensions using the solaris-sparc-gnu architecture, but that's unconfirmed at present (we hope Janet gets better soon).

Thanks to all the core development team.

- Andrew




Dirk Zimoch wrote:

Hi all,

at least on all EPICS releases 3.13.2 to 3.13.9, there is a bug that causes crashes on PPC iocs. (I have not seen a 68k crash here.)

Bug:

When reading the DTYP field of "pure soft records" such as calc via CA, the CA_client task crashes and leaves the ioc in a state where no further access via CA is possible.

data access
Exception current instruction address: 0x01705f54
Machine Status Register: 0x0000b030
Data Access Register: 0xf0f0f0f0
Condition Register: 0x28000040
Data storage interrupt Register: 0x40000000
Task: 0x17c31f0 "CA_client"

tt

17807c vxTaskEntry +60 : camsgtask ()
1727a44 camsgtask +2e4: camessage ()
172a7f0 camessage +120: read_action ()
17286bc read_action +e8 : read_reply ()
17284b4 read_reply +144: db_get_field ()
171f838 .L198 +40 : dbGetField ()
1707650 dbGetField +164: dbGet ()
1707760 dbGet +cc : getOptions ()
17065d8 getOptions +208: get_enum_strs ()

Fix:

*** base/src/db/dbAccess.c.orig Thu Jun  3 18:04:26 2004
--- base/src/db/dbAccess.c      Thu Jun  3 18:10:33 2004
***************
*** 129,134 ****
--- 129,138 ----
                    goto choice_common;
                case DBF_DEVICE:
                    pdbDeviceMenu = (dbDeviceMenu *)pdbFldDes->ftPvt;
+                   if (pdbDeviceMenu == NULL) {
+                       no_str = 0;
+                       goto choice_common;
+                   }
                    no_str = pdbDeviceMenu->nChoice;
                    papChoice = pdbDeviceMenu->papChoice;
                    goto choice_common;
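Review bot: the new branch sets `no_str = 0;` but jumps to choice_common with papChoice still unassigned; nothing should be read through it while no_str is zero, but any NULL test or pointer copy at that label sees whatever the variable happened to hold. Add `papChoice = NULL;` beside `no_str = 0;` so the branch is self-contained. Note too that this path takes the success exit with an empty list, whereas the DBF_ENUM and default cases report a failure to the caller.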


The fix I suggest provides the same semantics as the other cases in get_enum_strs.
That is, the caller will receive an indication that the call failed.
Look at cases DBF_ENUM and default.




After this fix, calc records and the like report DTYP as 0.

Dirk
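The following is an added example, not code from EPICS Base or from either poster: a reduced model of the get_enum_strs() DBF_DEVICE path that reproduces the NULL ftPvt problem and places the two proposed guards side by side so their different outcomes for the caller can be compared. The struct layouts, the DBR_ENUM_STRS bit value, the -1 error return, the probe helper and the sample menu ("Soft Channel", "Raw Soft Channel") are all assumptions constructed for the example.

```c
/* Reduced model of the get_enum_strs() DBF_DEVICE path discussed in this
 * thread, with the unpatched dereference and the two proposed guards selectable
 * side by side. Added example, NOT EPICS Base source: the struct layouts, the
 * constant values, the probe helper and the -1 error return are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DBR_ENUM_STRS 0x0008u   /* assumed value of the option bit */
#define DBF_DEVICE    2
#define MAX_STRINGS   16
#define STRING_SIZE   26

typedef struct { int nChoice; const char **papChoice; } dbDeviceMenu;
/* ftPvt holds the DTYP menu; it is NULL for record types that define no
 * device support (calc and friends), which is the trigger for the crash. */
typedef struct { int field_type; void *ftPvt; } dbFldDes;
typedef struct { int no_str; char strs[MAX_STRINGS][STRING_SIZE]; } dbr_enumStrs;
typedef enum { UNPATCHED, CLEAR_OPTION, ZERO_CHOICES } fix_t;

/* choice_common: the label all cases jump to; copies up to MAX_STRINGS names. */
static int choice_common(int no_str, const char **papChoice, dbr_enumStrs *out)
{
    int i;
    if (no_str > MAX_STRINGS) no_str = MAX_STRINGS;
    out->no_str = no_str;
    for (i = 0; i < no_str; i++) {
        strncpy(out->strs[i], papChoice[i], STRING_SIZE - 1);
        out->strs[i][STRING_SIZE - 1] = '\0';
    }
    return 0;
}

static int get_enum_strs(fix_t fix, const dbFldDes *fld, unsigned *options, dbr_enumStrs *out)
{
    const dbDeviceMenu *pdbDeviceMenu;
    if (fld->field_type != DBF_DEVICE) {   /* DBF_ENUM and the other cases elided */
        out->no_str = 0;
        return -1;
    }
    pdbDeviceMenu = (const dbDeviceMenu *)fld->ftPvt;
    if (pdbDeviceMenu == NULL) {
        switch (fix) {
        case UNPATCHED:                     /* 3.13.x .. 3.14.6: no check at all */
            break;                          /* falls into the dereference below */
        case CLEAR_OPTION:                  /* Kraimer: withdraw the option, report failure */
            *options &= ~DBR_ENUM_STRS;     /* patch writes ^; &= ~ clears the bit even if unset */
            out->no_str = 0;
            return -1;
        case ZERO_CHOICES:                  /* Zimoch: succeed with an empty list */
            return choice_common(0, NULL, out);
        }
    }
    /* With fix == UNPATCHED and a calc-style field this is the NULL dereference
     * behind the "data access" exception on PPC and the segfault on Linux. */
    return choice_common(pdbDeviceMenu->nChoice, pdbDeviceMenu->papChoice, out);
}

/* Constructed sample data (not from a real database): an ai-style DTYP menu
 * and a calc DTYP whose ftPvt is NULL because calc has no device support. */
static const char *ai_choices[] = { "Soft Channel", "Raw Soft Channel" };
static dbDeviceMenu ai_menu = { 2, ai_choices };
static const dbFldDes ai_dtyp   = { DBF_DEVICE, &ai_menu };
static const dbFldDes calc_dtyp = { DBF_DEVICE, NULL };

/* probe: ask one variant for DBR_ENUM_STRS on one field and summarise the
 * outcome the CA server would see. Returns a pointer to static storage. */
typedef struct { int rc; int no_str; int strs_kept; char first[STRING_SIZE]; } probe_result;

static const probe_result *probe(fix_t fix, const dbFldDes *fld)
{
    static probe_result r;
    dbr_enumStrs out;
    unsigned options = DBR_ENUM_STRS;
    memset(&out, 0, sizeof out);
    r.rc = get_enum_strs(fix, fld, &options, &out);
    r.no_str = out.no_str;
    r.strs_kept = (options & DBR_ENUM_STRS) != 0;
    memcpy(r.first, out.strs[0], STRING_SIZE);   /* "" when no_str == 0 */
    return &r;
}

int main(void)
{
    const probe_result *p;
    p = probe(UNPATCHED, &ai_dtyp);          /* probe(UNPATCHED, &calc_dtyp) is the crash */
    printf("ai   unpatched   : rc=%d no_str=%d first=\"%s\"\n", p->rc, p->no_str, p->first);
    p = probe(CLEAR_OPTION, &calc_dtyp);
    printf("calc clear_option: rc=%d no_str=%d option %s\n", p->rc, p->no_str, p->strs_kept ? "kept" : "cleared");
    p = probe(ZERO_CHOICES, &calc_dtyp);
    printf("calc zero_choices: rc=%d no_str=%d option %s\n", p->rc, p->no_str, p->strs_kept ? "kept" : "cleared");
    return 0;
}
```

Running the program shows the contrast the thread is about: the CLEAR_OPTION variant hands the caller a failure code with the option bit withdrawn, while the ZERO_CHOICES variant returns success with an empty list, which is why DTYP on a calc record then reads back as 0. The unpatched path is only ever probed with the ai-style field here; probing it with the calc field is the crash itself.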







References:
EPICS Base Release 3.14.6 Andrew Johnson
Re: EPICS Base Release 3.14.6 Dirk Zimoch
