AckingMac segfaults on printing packet in handleUpperPacket() #745

Closed
dragos-bth opened this issue Mar 10, 2022 · 2 comments

Hi,

I am developing a MANET protocol that periodically and on-demand sends route updates. This is done using omnetpp-6.0rc1 and inet-4.3.7 on Mac M1 (Rosetta emulator). I encounter a segfault when running the simulation under Qtenv in Full animations mode or in Fast run mode. This happens far into the simulation so I have to run the simulator first in Express mode and then switch to Full or Fast mode. The segfault does not occur when running the simulation under Express mode only.

I have not figured out how to get a backtrace with lldb, but I managed to recreate the same behavior under an Ubuntu ARM VM. There I ran the simulator from gdb and I got a backtrace. The full backtrace is shown at the end of this message. The second entry up the backtrace indicates that the segfault occurs in AckingMac:

#1  0x0000fffff64276a0 in inet::AckingMac::handleUpperPacket (this=0x2c09760, packet=0x134c9620)
    at inet/linklayer/acking/AckingMac.cc:138

The handleUpperPacket looks like:

```
133	void AckingMac::handleUpperPacket(Packet *packet)
134	{
135	    EV << "Received " << packet << " for transmission\n";
136	    txQueue->enqueuePacket(packet);
137	    if (currentTxFrame || radio->getTransmissionState() == IRadio::TRANSMISSION_STATE_TRANSMITTING)
138	        EV << "Delaying transmission of " << packet << ".\n";
139	    else if (!txQueue->isEmpty()) {
140	        popTxQueue();
141	        startTransmitting();
142	    }
143	}
```

On line 138 the EV tries to print the contents of the packet. However, the packet pointer is already used on line 136 by txQueue. txQueue in turn calls PacketQueue::pushPacket() which takes soft-ownership of the pointer through take(packet). In addition, under specific conditions dropPacket() gets called, which does delete the pointer.

I have changed the expression on line 138 to read `EV << "Delaying transmission of \n"; // << packet << ".\n";` (packet pointer is not used) and indeed, the problem disappears.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
OMNeT++ Discrete Event Simulation  (C) 1992-2021 Andras Varga, OpenSim Ltd.
Version: 6.0rc1, build: 220207-90bb9e47dd, edition: Academic Public License -- NOT FOR COMMERCIAL USE
See the license for distribution terms and warranty disclaimer

Setting up Qtenv...

Loading NED files from .:  6
Loading NED files from ../inet-4.3.7/src:  997
Loading NED files from ../inet-4.3.7/examples:  181
Loading NED files from ../inet-4.3.7/tutorials:  20
Loading NED files from ../inet-4.3.7/showcases:  43

Loading images from '/home/nffp7/workspace_omnetpp-5.0pre15/nffp7_manet/images': *: 2 
Loading images from '/home/nffp7/workspace_omnetpp-5.0pre15/inet-4.3.7/images': *: 0  3d/*: 0  background/*: 1  block/*: 2  misc/*: 218  showcases/*: 9 
Loading images from '/home/nffp7/omnetpp-6.0rc1/images': *: 0  abstract/*: 90  background/*: 4  block/*: 325  device/*: 195  logo/*: 1  maps/*: 9  misc/*: 70  msg/*: 55  old/*: 111  status/*: 28 

[New Thread 0xffffeca10180 (LWP 51031)]
[New Thread 0xffffe6c94180 (LWP 51032)]
[New Thread 0xffffe6493180 (LWP 51033)]
[New Thread 0xffffe59f3180 (LWP 51034)]
[New Thread 0xffffe4b45180 (LWP 51036)]

Thread 1 "nffp7_manet_dbg" received signal SIGSEGV, Segmentation fault.
0x0000fffff616e1c0 in omnetpp::operator<< <inet::Packet> (os=..., p=0x134c9620)
    at /home/nffp7/omnetpp-6.0rc1/include/omnetpp/cobject.h:369
369	        return p->printOn(os);
(gdb) bt
#0  0x0000fffff616e1c0 in omnetpp::operator<< <inet::Packet> (os=..., p=0x134c9620)
    at /home/nffp7/omnetpp-6.0rc1/include/omnetpp/cobject.h:369
#1  0x0000fffff64276a0 in inet::AckingMac::handleUpperPacket (this=0x2c09760, packet=0x134c9620)
    at inet/linklayer/acking/AckingMac.cc:138
#2  0x0000fffff62d8dec in inet::LayeredProtocolBase::handleUpperMessage (this=0x2c09760, message=0x134c9620)
    at inet/common/LayeredProtocolBase.cc:42
#3  0x0000fffff62d8c5c in inet::LayeredProtocolBase::handleMessageWhenUp (this=0x2c09760, message=0x134c9620)
    at inet/common/LayeredProtocolBase.cc:29
#4  0x0000fffff6378d34 in inet::OperationalMixin<omnetpp::cSimpleModule>::handleMessage (this=0x2c09760, 
    message=0x134c9620) at ./inet/common/lifecycle/OperationalMixinImpl.h:68
#5  0x0000fffff331c3f0 in omnetpp::cSimpleModule::doMessageEvent (this=0x2c09760, msg=0x134c9620)
    at csimplemodule.cc:796
#6  0x0000fffff32bb238 in omnetpp::cMessage::execute (this=0x134c9620) at cmessage.cc:346
#7  0x0000fffff332028c in omnetpp::cSimulation::executeEvent (this=0x4d66e0, event=0x134c9620) at csimulation.cc:637
#8  0x0000fffff398d838 in omnetpp::qtenv::Qtenv::doRunSimulation (this=0x4c5250) at qtenv.cc:1008
#9  0x0000fffff398cf4c in omnetpp::qtenv::Qtenv::runSimulation (this=0x4c5250, mode=omnetpp::qtenv::RUNMODE_NORMAL, 
    until_time=..., until_eventnum=0, until_msg=0x0, until_module=0x0, stopOnMsgCancel=true) at qtenv.cc:858
#10 0x0000fffff38ee088 in omnetpp::qtenv::MainWindow::runSimulation (this=0x23b03d0, 
    runMode=omnetpp::qtenv::RUNMODE_NORMAL) at mainwindow.cc:516
#11 0x0000fffff38ee3e4 in omnetpp::qtenv::MainWindow::stopOrRunSimulation (this=0x23b03d0, 
    runMode=omnetpp::qtenv::RUNMODE_NORMAL) at mainwindow.cc:548
#12 0x0000fffff3a0bc9c in omnetpp::qtenv::MainWindow::on_actionRun_triggered (this=0x23b03d0) at ./mainwindow.h:98
#13 0x0000fffff3a0b5e0 in omnetpp::qtenv::MainWindow::qt_static_metacall (_o=0x23b03d0, 
    _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xffffffffcf88) at moc_mainwindow.cpp:297
#14 0x0000fffff3a0bbbc in omnetpp::qtenv::MainWindow::qt_metacall (this=0x23b03d0, _c=QMetaObject::InvokeMetaMethod, 
    _id=3, _a=0xffffffffcf88) at moc_mainwindow.cpp:400
#15 0x0000fffff1d13c9c in QMetaObject::activate(QObject*, int, int, void**) ()
   from /lib/aarch64-linux-gnu/libQt5Core.so.5
#16 0x0000fffff154f8a0 in QAction::triggered(bool) () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#17 0x0000fffff15521e4 in QAction::activate(QAction::ActionEvent) () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#18 0x0000fffff163d994 in ?? () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#19 0x0000fffff163dbcc in QAbstractButton::mouseReleaseEvent(QMouseEvent*) ()
   from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#20 0x0000fffff17306d4 in QToolButton::mouseReleaseEvent(QMouseEvent*) ()
   from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#21 0x0000fffff1598470 in QWidget::event(QEvent*) () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#22 0x0000fffff1730790 in QToolButton::event(QEvent*) () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#23 0x0000fffff15564ac in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#24 0x0000fffff155ff08 in QApplication::notify(QObject*, QEvent*) () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
--Type <RET> for more, q to quit, c to continue without paging--
#25 0x0000fffff1ce6c0c in QCoreApplication::notifyInternal2(QObject*, QEvent*) ()
   from /lib/aarch64-linux-gnu/libQt5Core.so.5
#26 0x0000fffff155f100 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#27 0x0000fffff15b3bc4 in ?? () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#28 0x0000fffff15b6578 in ?? () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#29 0x0000fffff15564ac in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#30 0x0000fffff155fad8 in QApplication::notify(QObject*, QEvent*) () from /lib/aarch64-linux-gnu/libQt5Widgets.so.5
#31 0x0000fffff1ce6c0c in QCoreApplication::notifyInternal2(QObject*, QEvent*) ()
   from /lib/aarch64-linux-gnu/libQt5Core.so.5
#32 0x0000fffff20b8358 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) ()
   from /lib/aarch64-linux-gnu/libQt5Gui.so.5
#33 0x0000fffff20b9594 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /lib/aarch64-linux-gnu/libQt5Gui.so.5
#34 0x0000fffff209469c in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /lib/aarch64-linux-gnu/libQt5Gui.so.5
#35 0x0000ffffed09d160 in ?? () from /lib/aarch64-linux-gnu/libQt5XcbQpa.so.5
#36 0x0000fffff0a38944 in g_main_context_dispatch () from /lib/aarch64-linux-gnu/libglib-2.0.so.0
#37 0x0000fffff0a38bb4 in ?? () from /lib/aarch64-linux-gnu/libglib-2.0.so.0
#38 0x0000fffff0a38c54 in g_main_context_iteration () from /lib/aarch64-linux-gnu/libglib-2.0.so.0
#39 0x0000fffff1d421cc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /lib/aarch64-linux-gnu/libQt5Core.so.5
#40 0x0000fffff1ce53b8 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /lib/aarch64-linux-gnu/libQt5Core.so.5
#41 0x0000fffff1ceda5c in QCoreApplication::exec() () from /lib/aarch64-linux-gnu/libQt5Core.so.5
#42 0x0000fffff398a688 in omnetpp::qtenv::Qtenv::doRun (this=0x4c5250) at qtenv.cc:737
#43 0x0000fffff3b97338 in omnetpp::envir::EnvirBase::run (this=0x4c5260) at envirbase.cc:777
#44 0x0000fffff3b94a04 in omnetpp::envir::EnvirBase::run (this=0x4c5260, argc=13, argv=0xffffffffeaf8, 
    configobject=0x4c98b0) at envirbase.cc:358
#45 0x0000fffff3b8a258 in omnetpp::envir::setupUserInterface (argc=13, argv=0xffffffffeaf8) at startup.cc:284
#46 0x0000fffff3b8ce64 in evMain (argc=13, argv=0xffffffffeaf8) at evmain.cc:31
#47 0x000000000029a0b4 in main (argc=13, argv=0xffffffffeaf8) at main.cc:29
@levy
Contributor

levy commented Mar 11, 2022

Thanks for the bug report! Indeed, using the packet after it has been pushed into a queue is not a safe operation, because the packet may have been deleted.
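
The ordering problem discussed in this issue, as an added C++ example that is not part of the thread and is neither INET's code nor the fix applied in INET. `Packet`, `DropTailQueue`, `livePackets` and the `busy` flag are simplified stand-ins assumed for illustration; the handler copies what the log needs before ownership moves to a queue that may delete the packet.

```cpp
// Added illustration: simplified stand-ins, not INET's Packet/PacketQueue classes.
#include <cstddef>
#include <deque>
#include <iostream>
#include <memory>
#include <sstream>
#include <string>
#include <utility>

int livePackets = 0;  // packets currently allocated (makes deletion observable)

struct Packet {
    std::string name;
    explicit Packet(std::string n) : name(std::move(n)) { ++livePackets; }
    ~Packet() { --livePackets; }
};

// Hypothetical bounded queue: it owns what it is given and deletes the packet
// on overflow, like an enqueue that can end in a drop.
class DropTailQueue {
    std::deque<std::unique_ptr<Packet>> items;
    std::size_t capacity;
public:
    explicit DropTailQueue(std::size_t cap) : capacity(cap) {}
    bool enqueue(std::unique_ptr<Packet> p) {
        if (items.size() >= capacity)
            return false;  // p goes out of scope on return: the packet is deleted
        items.push_back(std::move(p));
        return true;
    }
    std::size_t size() const { return items.size(); }
};

// Safe ordering: copy what the log needs BEFORE ownership moves to the queue.
// The unsafe ordering is: enqueue(packet); then log << packet (may dangle).
std::string handleUpperPacket(DropTailQueue& q, std::unique_ptr<Packet> packet, bool busy) {
    std::ostringstream log;
    const std::string desc = packet->name;  // taken while we still own the packet
    log << "Received " << desc << " for transmission\n";
    const bool queued = q.enqueue(std::move(packet));  // packet is null from here on
    if (!queued)
        log << "Dropped " << desc << ".\n";
    else if (busy)
        log << "Delaying transmission of " << desc << ".\n";
    return log.str();
}

int main() {
    DropTailQueue q(1);  // capacity 1, so the second packet is dropped
    for (const char* n : {"pkt-1", "pkt-2"})
        std::cout << handleUpperPacket(q, std::make_unique<Packet>(n), true);
}
```

Passing `std::unique_ptr` by value makes the hand-over explicit in the type: after `std::move(packet)` the caller holds a null pointer rather than a dangling one.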

@ZoltanBojthe
Contributor

fixed in 4.3.x topic
