[jira] [Commented] (MYNEWT-765) os_mbuf memory corruption on native platform

[JIRA]

[ 
https://issues.apache.org/jira/browse/MYNEWT-765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16026068#comment-16026068
 ] 

Michał Narajowski commented on MYNEWT-765:
--

I tested this and it works now. Actually, it works event without the 
workarounds and with logs, so it probably was the double free issue. It works 
with another controller, but when using Mynewt controller I still have issues 
with freezing. We suspect it's related to flow control in UART as I see 
hardware error from the controller. I will keep it open until finding the root 
cause of that.

Thanks, Chris.

> os_mbuf memory corruption on native platform
> 
>
> Key: MYNEWT-765
> URL: https://issues.apache.org/jira/browse/MYNEWT-765
> Project: Mynewt
>  Issue Type: Bug
>  Security Level: Public(Viewable by anyone) 
> Environment: bsncent app on native 32-bit Ubuntu 17.04
>Reporter: Michał Narajowski
>Priority: Minor
>
> h4. General description:
> There is a segmentation fault error in function {{ble_hs_log_mbuf}} in file 
> {{net/nimble/host/src/ble_hs_log.c}} when receiving notifications at high 
> rate. Tested using *bsncent* app from 
> https://github.com/rymanluk/incubator-mynewt-core/tree/bsn and *bsnprph* also 
> from https://github.com/apache/incubator-mynewt-core/tree/bsnbranch
> Data from HCI command overwrites the os_mbuf struct instead of being written 
> to {{om->om_data}}. I tried to catch that memory violation earlier in code, 
> but somehow it is only triggered in the {{ble_hs_log_mbuf}} function.
> h4. How to reproduce:
> 1. Build and flash *bsnprph* app from 
> https://github.com/apache/incubator-mynewt-core/tree/bsnbranch with the 
> following configuration:
> {quote}
> app=@apache-mynewt-core/apps/bsnprph
> bsp=@apache-mynewt-core/hw/bsp/nrf52dk
> build_profile=optimized
> {quote}
> 2. Build *bsncent* app from 
> https://github.com/rymanluk/incubator-mynewt-core/tree/bsn with the following 
> configuration:
> {quote}
> app=@apache-mynewt-core/apps/bsncent
> bsp=@apache-mynewt-core/hw/bsp/native
> build_profile=debug
> syscfg=BLE_HS_DEBUG=1:BLE_MAX_CONNECTIONS=5:BLE_SM_BONDING=1:BLE_SM_IO_CAP=BLE_HS_IO_KEYBOARD_DISPLAY:BLE_SM_LEGACY=1:BLE_SM_MITM=1:BLE_SM_OUR_KEY_DIST=7:BLE_SM_SC=1:BLE_SOCK_LINUX_DEV=0:BLE_SOCK_USE_LINUX_BLUE=1:BLE_SOCK_USE_TCP=0:LOG_LEVEL=0:MCU_NATIVE_USE_SIGNALS=1:OS_MAIN_STACK_SIZE=512:SHELL_TASK=1
> {quote}
> 3. It is possible to reproduce it using Mynewt controller (but then another 
> issue shows up sometimes, described below) or some other controller like PTS 
> with some hacks in ble_hs_startup.c to start controller.
> 4. Run *bsncent* app from 32bit Ubuntu
> Here is the backtrace from GDB:
> {quote}
> Program received signal SIGSEGV, Segmentation fault.
> __memcpy_sse2_unaligned () at 
> ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:651
> 651 ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: No such file 
> or directory.
> (gdb) bt
> #0  __memcpy_sse2_unaligned () at 
> ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:651
> #1  0x80009fc0 in os_mbuf_copydata (m=0x8008fb6c, off=0, len=1, 
> dst=0x800746c7 ) at 
> repos/apache-mynewt-core/kernel/os/src/os_mbuf.c:722
> #2  0x8001fb5a in ble_hs_log_mbuf (om=0x8008fb6c)
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs_log.c:32
> #3  0x8001f18c in ble_hs_hci_evt_acl_process (om=0x8008fb6c)
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs_hci_evt.c:631
> #4  0x80018c1f in ble_hs_process_rx_data_queue ()
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs.c:195
> #5  0x80019020 in ble_hs_event_data (ev=0x80075aec )
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs.c:379
> #6  0x80007009 in os_eventq_run (evq=0x80074908 )
> at repos/apache-mynewt-core/kernel/os/src/os_eventq.c:172
> #7  0x80002308 in main (argc=0, argv=0x0) at 
> repos/apache-mynewt-core/apps/bsncent/src/main.c:457
> {quote}
> h4. Another issue
> Actually, there is also a second problem. When using *blehci* as the 
> controller the communication between central and peripheral freezes somewhere 
> around GATT discovery most of the time. It happens quiet randomly. 
> To reproduce it:
> 1. Build and flash *blehci* app from 
> https://github.com/apache/incubator-mynewt-core/tree/bsnbranch with the 
> following configuration:
> {quote}
> app=@apache-mynewt-core/apps/blehci
> bsp=@apache-mynewt-core/hw/bsp/nrf51dk
> build_profile=optimized  
> syscfg=BLE_HCI_UART_FLOW_CTL=0:BLE_LL_STRICT_CONN_SCHEDULING=0:BLE_MAX_CONNECTIONS=5:BLE_PUBLIC_DEV_ADDR=(uint8_t\[6\])\{0x0a,
>  0x0b, 0x09, 0x09, 0x09, 0x00\}
> {quote}
> It happens on both nrf51 and ntf52.
> 2. From 32bit Ubuntu use btattach to attach *blehci* controller
> {quote}
> sudo tools/btattach -N -B /dev/ttyUSB0 -S 100
> 

[jira] [Commented] (MYNEWT-765) os_mbuf memory corruption on native platform

[JIRA]

[ 
https://issues.apache.org/jira/browse/MYNEWT-765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16022635#comment-16022635
 ] 

Michał Narajowski commented on MYNEWT-765:
--

Unfortunately, the issue is still there. The same happens for value 0 and 1 of 
MCU_NATIVE_USE_SIGNALS.

> os_mbuf memory corruption on native platform
> 
>
> Key: MYNEWT-765
> URL: https://issues.apache.org/jira/browse/MYNEWT-765
> Project: Mynewt
>  Issue Type: Bug
> Environment: bsncent app on native 32-bit Ubuntu 17.04
>Reporter: Michał Narajowski
>Priority: Minor
>
> h4. General description:
> There is a segmentation fault error in function {{ble_hs_log_mbuf}} in file 
> {{net/nimble/host/src/ble_hs_log.c}} when receiving notifications at high 
> rate. Tested using *bsncent* app from 
> https://github.com/rymanluk/incubator-mynewt-core/tree/bsn and *bsnprph* also 
> from https://github.com/apache/incubator-mynewt-core/tree/bsnbranch
> Data from HCI command overwrites the os_mbuf struct instead of being written 
> to {{om->om_data}}. I tried to catch that memory violation earlier in code, 
> but somehow it is only triggered in the {{ble_hs_log_mbuf}} function.
> h4. How to reproduce:
> 1. Build and flash *bsnprph* app from 
> https://github.com/apache/incubator-mynewt-core/tree/bsnbranch with the 
> following configuration:
> {quote}
> app=@apache-mynewt-core/apps/bsnprph
> bsp=@apache-mynewt-core/hw/bsp/nrf52dk
> build_profile=optimized
> {quote}
> 2. Build *bsncent* app from 
> https://github.com/rymanluk/incubator-mynewt-core/tree/bsn with the following 
> configuration:
> {quote}
> app=@apache-mynewt-core/apps/bsncent
> bsp=@apache-mynewt-core/hw/bsp/native
> build_profile=debug
> syscfg=BLE_HS_DEBUG=1:BLE_MAX_CONNECTIONS=5:BLE_SM_BONDING=1:BLE_SM_IO_CAP=BLE_HS_IO_KEYBOARD_DISPLAY:BLE_SM_LEGACY=1:BLE_SM_MITM=1:BLE_SM_OUR_KEY_DIST=7:BLE_SM_SC=1:BLE_SOCK_LINUX_DEV=0:BLE_SOCK_USE_LINUX_BLUE=1:BLE_SOCK_USE_TCP=0:LOG_LEVEL=0:MCU_NATIVE_USE_SIGNALS=1:OS_MAIN_STACK_SIZE=512:SHELL_TASK=1
> {quote}
> 3. It is possible to reproduce it using Mynewt controller (but then another 
> issue shows up sometimes, described below) or some other controller like PTS 
> with some hacks in ble_hs_startup.c to start controller.
> 4. Run *bsncent* app from 32bit Ubuntu
> Here is the backtrace from GDB:
> {quote}
> Program received signal SIGSEGV, Segmentation fault.
> __memcpy_sse2_unaligned () at 
> ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:651
> 651 ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: No such file 
> or directory.
> (gdb) bt
> #0  __memcpy_sse2_unaligned () at 
> ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:651
> #1  0x80009fc0 in os_mbuf_copydata (m=0x8008fb6c, off=0, len=1, 
> dst=0x800746c7 ) at 
> repos/apache-mynewt-core/kernel/os/src/os_mbuf.c:722
> #2  0x8001fb5a in ble_hs_log_mbuf (om=0x8008fb6c)
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs_log.c:32
> #3  0x8001f18c in ble_hs_hci_evt_acl_process (om=0x8008fb6c)
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs_hci_evt.c:631
> #4  0x80018c1f in ble_hs_process_rx_data_queue ()
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs.c:195
> #5  0x80019020 in ble_hs_event_data (ev=0x80075aec )
> at repos/apache-mynewt-core/net/nimble/host/src/ble_hs.c:379
> #6  0x80007009 in os_eventq_run (evq=0x80074908 )
> at repos/apache-mynewt-core/kernel/os/src/os_eventq.c:172
> #7  0x80002308 in main (argc=0, argv=0x0) at 
> repos/apache-mynewt-core/apps/bsncent/src/main.c:457
> {quote}
> h4. Another issue
> Actually, there is also a second problem. When using *blehci* as the 
> controller the communication between central and peripheral freezes somewhere 
> around GATT discovery most of the time. It happens quiet randomly. 
> To reproduce it:
> 1. Build and flash *blehci* app from 
> https://github.com/apache/incubator-mynewt-core/tree/bsnbranch with the 
> following configuration:
> {quote}
> app=@apache-mynewt-core/apps/blehci
> bsp=@apache-mynewt-core/hw/bsp/nrf51dk
> build_profile=optimized  
> syscfg=BLE_HCI_UART_FLOW_CTL=0:BLE_LL_STRICT_CONN_SCHEDULING=0:BLE_MAX_CONNECTIONS=5:BLE_PUBLIC_DEV_ADDR=(uint8_t\[6\])\{0x0a,
>  0x0b, 0x09, 0x09, 0x09, 0x00\}
> {quote}
> It happens on both nrf51 and ntf52.
> 2. From 32bit Ubuntu use btattach to attach *blehci* controller
> {quote}
> sudo tools/btattach -N -B /dev/ttyUSB0 -S 100
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (MYNEWT-765) os_mbuf memory corruption on native platform

[Christopher Collins (JIRA)]

[ 
https://issues.apache.org/jira/browse/MYNEWT-765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16021734#comment-16021734
 ] 

Christopher Collins commented on MYNEWT-765:


{quote}
2. Build bsncent app from 
https://github.com/rymanluk/incubator-mynewt-core/tree/bsn with the following 
configuration:

app=@apache-mynewt-core/apps/bsncent
bsp=@apache-mynewt-core/hw/bsp/native
build_profile=debug

syscfg=BLE_HS_DEBUG=1:BLE_MAX_CONNECTIONS=5:BLE_SM_BONDING=1:BLE_SM_IO_CAP=BLE_HS_IO_KEYBOARD_DISPLAY:BLE_SM_LEGACY=1:BLE_SM_MITM=1:BLE_SM_OUR_KEY_DIST=7:BLE_SM_SC=1:BLE_SOCK_LINUX_DEV=0:BLE_SOCK_USE_LINUX_BLUE=1:BLE_SOCK_USE_TCP=0:LOG_LEVEL=0:MCU_NATIVE_USE_SIGNALS=1:OS_MAIN_STACK_SIZE=512:SHELL_TASK=1
{quote}

MCU_NATIVE_USE_SIGNALS should probably be set to 0 here (not 1).  From 
{{hw/mcu/native/syscfg.yml}}:
{noformat}
MCU_NATIVE_USE_SIGNALS:
description: >
Whether to use POSIX signals to implement context switches.  Valid
values are as follows:
1: More correctness; less stability.  The OS tick timer will
   cause a high-priority task to preempt a low-priority task.
   This causes stability issues because a task can be preempted
   while it is in the middle of a system call, potentially
   causing deadlock or memory corruption.

0: Less correctness; more stability.  The OS tick timer only
   runs while the idle task is active.  Therefore, a sleeping
   high-priority task will not preempt a low-priority task due
   to a timing event (e.g., delay or callout expired).
   However, this version of sim does not suffer from the
   stability issues that affect the "signals" implementation.

Unit tests should use 1.  Long-running sim processes should use 0.
{noformat}

Setting this to 0 causes sim to use the new behavior implemented in 
{{9864f55e53df0b945fa3482d9b9ea63109c09123}}.

Hopefully this is the problem.  With this setting equal to 0, I have seen 
memory corruption like this (typically when mmap() or sbrk() gets longjmped out 
of (called via malloc()).

> os_mbuf memory corruption on native platform
> 
>
> Key: MYNEWT-765
> URL: https://issues.apache.org/jira/browse/MYNEWT-765
> Project: Mynewt
>  Issue Type: Bug
> Environment: bsncent app on native 32-bit Ubuntu 17.04
>Reporter: Michał Narajowski
>Priority: Minor
>
> h4. General description:
> There is a segmentation fault error in function {{ble_hs_log_mbuf}} in file 
> {{net/nimble/host/src/ble_hs_log.c}} when receiving notifications at high 
> rate. Tested using *bsncent* app from 
> https://github.com/rymanluk/incubator-mynewt-core/tree/bsn and *bsnprph* also 
> from https://github.com/apache/incubator-mynewt-core/tree/bsnbranch
> Data from HCI command overwrites the os_mbuf struct instead of being written 
> to {{om->om_data}}. I tried to catch that memory violation earlier in code, 
> but somehow it is only triggered in the {{ble_hs_log_mbuf}} function.
> h4. How to reproduce:
> 1. Build and flash *bsnprph* app from 
> https://github.com/apache/incubator-mynewt-core/tree/bsnbranch with the 
> following configuration:
> {quote}
> app=@apache-mynewt-core/apps/bsnprph
> bsp=@apache-mynewt-core/hw/bsp/nrf52dk
> build_profile=optimized
> {quote}
> 2. Build *bsncent* app from 
> https://github.com/rymanluk/incubator-mynewt-core/tree/bsn with the following 
> configuration:
> {quote}
> app=@apache-mynewt-core/apps/bsncent
> bsp=@apache-mynewt-core/hw/bsp/native
> build_profile=debug
> syscfg=BLE_HS_DEBUG=1:BLE_MAX_CONNECTIONS=5:BLE_SM_BONDING=1:BLE_SM_IO_CAP=BLE_HS_IO_KEYBOARD_DISPLAY:BLE_SM_LEGACY=1:BLE_SM_MITM=1:BLE_SM_OUR_KEY_DIST=7:BLE_SM_SC=1:BLE_SOCK_LINUX_DEV=0:BLE_SOCK_USE_LINUX_BLUE=1:BLE_SOCK_USE_TCP=0:LOG_LEVEL=0:MCU_NATIVE_USE_SIGNALS=1:OS_MAIN_STACK_SIZE=512:SHELL_TASK=1
> {quote}
> 3. It is possible to reproduce it using Mynewt controller (but then another 
> issue shows up sometimes, described below) or some other controller like PTS 
> with some hacks in ble_hs_startup.c to start controller.
> 4. Run *bsncent* app from 32bit Ubuntu
> Here is the backtrace from GDB:
> {quote}
> Program received signal SIGSEGV, Segmentation fault.
> __memcpy_sse2_unaligned () at 
> ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:651
> 651 ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: No such file 
> or directory.
> (gdb) bt
> #0  __memcpy_sse2_unaligned () at 
> ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:651
> #1  0x80009fc0 in os_mbuf_copydata (m=0x8008fb6c, off=0, len=1, 
> dst=0x800746c7 ) at 
> repos/apache-mynewt-core/kernel/os/src/os_mbuf.c:722
> #2  0x8001fb5a in