Bug in TmPacketStoredPusC #478

New Issue

Closed

opened 2021-09-15 18:41:19 +02:00 by muellerr · 5 comments

muellerr commented 2021-09-15 18:41:19 +02:00

Owner

Copy Link

I found a bug which causes the FSFW to crash.

TmPacketStoredPusC::TmPacketStoredPusC(uint16_t apid, uint8_t service,
        uint8_t subservice, uint16_t packetSubcounter, SerializeIF *content,
        SerializeIF *header, uint16_t destinationId, uint8_t timeRefField) :
        TmPacketPusC(nullptr) {
    storeAddress.raw = StorageManagerIF::INVALID_ADDRESS;
    if (not TmPacketStoredBase::checkAndSetStore()) {
        return;
    }
    size_t sourceDataSize = 0;
    if (content != NULL) {
        sourceDataSize += content->getSerializedSize();
    }
    if (header != NULL) {
        sourceDataSize += header->getSerializedSize();
    }
    uint8_t *p_data = NULL;
    ReturnValue_t returnValue = store->getFreeElement(&storeAddress,
            (getPacketMinimumSize() + sourceDataSize), &p_data);
    if (returnValue != store->RETURN_OK) {
        TmPacketStoredBase::checkAndReportLostTm();
    }
    setData(p_data);
    initializeTmPacket(apid, service, subservice, packetSubcounter, destinationId, timeRefField);
    uint8_t *putDataHere = getSourceData();
    size_t size = 0;
    if (header != NULL) {
        header->serialize(&putDataHere, &size, sourceDataSize,
                SerializeIF::Endianness::BIG);
    }
    if (content != NULL) {
        content->serialize(&putDataHere, &size, sourceDataSize,
                SerializeIF::Endianness::BIG);
    }
    setPacketDataLength(
            sourceDataSize + sizeof(PUSTmDataFieldHeaderPusC) + CRC_SIZE - 1);
}

If getFreeElement fails, a nullptr is passed into initializeTmPacket.
The problem is, this is a constructor.. Im investigating whether returning prematurely solves the issue

I found a bug which causes the FSFW to crash. ```cpp TmPacketStoredPusC::TmPacketStoredPusC(uint16_t apid, uint8_t service, uint8_t subservice, uint16_t packetSubcounter, SerializeIF *content, SerializeIF *header, uint16_t destinationId, uint8_t timeRefField) : TmPacketPusC(nullptr) { storeAddress.raw = StorageManagerIF::INVALID_ADDRESS; if (not TmPacketStoredBase::checkAndSetStore()) { return; } size_t sourceDataSize = 0; if (content != NULL) { sourceDataSize += content->getSerializedSize(); } if (header != NULL) { sourceDataSize += header->getSerializedSize(); } uint8_t *p_data = NULL; ReturnValue_t returnValue = store->getFreeElement(&storeAddress, (getPacketMinimumSize() + sourceDataSize), &p_data); if (returnValue != store->RETURN_OK) { TmPacketStoredBase::checkAndReportLostTm(); } setData(p_data); initializeTmPacket(apid, service, subservice, packetSubcounter, destinationId, timeRefField); uint8_t *putDataHere = getSourceData(); size_t size = 0; if (header != NULL) { header->serialize(&putDataHere, &size, sourceDataSize, SerializeIF::Endianness::BIG); } if (content != NULL) { content->serialize(&putDataHere, &size, sourceDataSize, SerializeIF::Endianness::BIG); } setPacketDataLength( sourceDataSize + sizeof(PUSTmDataFieldHeaderPusC) + CRC_SIZE - 1); } ``` If `getFreeElement` fails, a `nullptr` is passed into `initializeTmPacket`. The problem is, this is a constructor.. Im investigating whether returning prematurely solves the issue

muellerr added the

bug

label 2021-09-15 18:41:54 +02:00

muellerr commented 2021-09-15 18:51:59 +02:00

Author

Owner

Copy Link

Returning prematurely fixes the issue for the specific call here where an event was generated. The subsequent serialize call failed. However, the object is still invalid and other methods might cause issues.

Returning prematurely fixes the issue for the specific call here where an event was generated. The subsequent `serialize` call failed. However, the object is still invalid and other methods might cause issues.

gaisser commented 2021-09-16 10:28:30 +02:00

Owner

Copy Link

Hm this is one of those examples were a Constructor is able to fail and the object is in an invalid state. Calling initializeTmPacket if getFreeElement failed is a bug (and the serialize calls as well). We could change that to be an initialize function which is able to return instead of doing all this stuff in the constructor. This will make the API less clear unfortunately.

But one could argue that this should never happen as the TmStore needs to be large enough. This would be a risky argument because this might happen on very special occasions which are difficult to test.

I think failing here should not result in a crash. The TmPacket will be lost but that is reported.

Hm this is one of those examples were a Constructor is able to fail and the object is in an invalid state. Calling ``initializeTmPacket`` if `` getFreeElement`` failed is a bug (and the serialize calls as well). We could change that to be an initialize function which is able to return instead of doing all this stuff in the constructor. This will make the API less clear unfortunately. But one could argue that this should never happen as the TmStore needs to be large enough. This would be a risky argument because this might happen on very special occasions which are difficult to test. I think failing here should not result in a crash. The TmPacket will be lost but that is reported.

muellerr referenced a pull request that will close this issue 2021-09-27 11:10:19 +02:00

Increased TM stack robustness #483

gaisser commented 2021-09-27 22:09:36 +02:00

Owner

Copy Link

Ok I have checked the old FLP Implementation and the current fsfw:

ReturnValue_t TmPacketStoredBase::sendPacket(MessageQueueId_t destination,
        MessageQueueId_t sentFrom, bool doErrorReporting) {
    if (getAllTmData() == nullptr) {
        //SHOULDDO: More decent code.
        return HasReturnvaluesIF::RETURN_FAILED;
    }
	....
}

As long as the child implementation returns a nullptr for getAllTmData() this is safe to call. However, we should think about resolving the SHOULDDO.

Ok I have checked the old FLP Implementation and the current fsfw: ``` c++ ReturnValue_t TmPacketStoredBase::sendPacket(MessageQueueId_t destination, MessageQueueId_t sentFrom, bool doErrorReporting) { if (getAllTmData() == nullptr) { //SHOULDDO: More decent code. return HasReturnvaluesIF::RETURN_FAILED; } .... } ``` As long as the child implementation returns a nullptr for getAllTmData() this is safe to call. However, we should think about resolving the SHOULDDO.

gaisser commented 2021-09-27 22:18:41 +02:00

Owner

Copy Link

PusA and PusC share a lot of Code in TmPacketStoredPusX. This seems unreasonable to me.

PusA and PusC share a lot of Code in TmPacketStoredPusX. This seems unreasonable to me.

muellerr referenced a pull request that will close this issue 2021-10-11 16:39:21 +02:00

Increased TM stack robustness #501

mohr closed this issue 2021-10-11 18:00:46 +02:00

mohr commented 2021-10-11 18:01:29 +02:00

Owner

Copy Link

@muellerr checked that combining A and C is not reasonable atm, so we're staying with the duality for now.

@muellerr checked that combining A and C is not reasonable atm, so we're staying with the duality for now.

gaisser added this to the v2.0.1 milestone 2021-11-15 16:43:13 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

development

mohr/romeo

development-doc-deployment

development-doc-test0

switch-doc-theme-to-rtd

action-update

obj-manager-tweak

mohr_introspection

mohr/windows

mohr/GCC13

mohr/timetag_fix

mohr/relsease_helper

mohr/warnings

mohr/rtems

mohr/freeRTOS

mueller/new-cfdp-update-with-handlers

mohr/dhb2normal

mueller/obj-man-remove-weird-proc-func

mohr/documentation_ci

mueller/fsfw-from-zero

mueller/data-wrapper

mueller/dhb-handle-device-tm

mueller/refactor-tmtc-stack-with-retval-refactoring

mueller/refactor-logging-with-fmt

meier/upstream-pus-distributor-bugfix

mueller/clang-improvements

docker_d12

docker_d11

docker_d10

v6.0.0

docker_d9

docker_d8

docker_d7

docker_d6

docker_d5

docker_d4

v5.0.0

docker_d3

docker_d2

v4.0.0

docker_d1

v3.0.1

v3.0.0

v2.0.1

v2.0.0

ASTP_1.1.0

ASTP_1.0.0

ASTP_0.0.1

Labels

Clear labels   

API Change

Changes the API, so Users need to adapted

  

Breaking API Change

Changes the API in a non backwards compatible way

  

bug

Something is not working

  

build

Issues related to the buildsystem, including CI

  

cosmetics

Small change most users won't notice

  

Documentation

Improvement of code documentation

  

duplicate

This issue or pull request already exists

  

feature

New feature

  

help wanted

Need some help

  

hotfix

Quick or important fix that is merged directly into master, causing a new revision

  

invalid

#worksforme

  

question

More information is needed

  

Refactor

Contains a refactoring of some code

  

Tests

Issues related to testing code

  

wontfix

This won't be fixed

No Label

API Change

Breaking API Change

bug

build

cosmetics

Documentation

duplicate

feature

help wanted

hotfix

invalid

question

Refactor

Tests

wontfix

Milestone

Clear milestone

No items

No Milestone

v2.0.1

Assignees

Clear assignees

No Assignees

3 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: fsfw/fsfw#478

No description provided.