OMNeT++/OMNEST Bug Tracker

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0000056OMNeT++runtime / Tkenvpublic2009-03-27 10:002010-05-06 09:41
Reporterbaumgart 
Assigned Toandras 
PrioritynormalSeveritycrashReproducibilitysometimes
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version4.1rc1 
Summary0000056: Tkenv segmentation fault in getObjectShortTypeName
DescriptionWe've recently seen various Tkenv crashes, which are hard to reproduce, but may be related to showing tooltips or bubbles in the GUI together with dynamically created and removed modules.

This is the backtrace of a crash:

Program terminated with signal 11, Segmentation fault.
[New process 19883]
[New process 19884]
#0 0xb7a5054e in __dynamic_cast () from /usr/lib/libstdc++.so.6
(gdb) bt
#0 0xb7a5054e in __dynamic_cast () from /usr/lib/libstdc++.so.6
0000001 0xb7e267f4 in getObjectShortTypeName (object=0xa3a8f40) at tkutil.cc:91
0000002 0xb7e0f4e2 in getObjectShortTypeName_cmd (interp=0x9033078, argc=2, argv=0xbfa2458c) at tkcmd.cc:649
0000003 0xb7662b6e in TclInvokeStringCommand () from /usr/lib/libtcl8.4.so.0
0000004 0xb7663e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000005 0xb768ede7 in ?? () from /usr/lib/libtcl8.4.so.0
0000006 0xb768cf3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000007 0xb76650c4 in Tcl_EvalObjEx () from /usr/lib/libtcl8.4.so.0
0000008 0xb766d39e in Tcl_IfObjCmd () from /usr/lib/libtcl8.4.so.0
0000009 0xb7663e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000010 0xb768ede7 in ?? () from /usr/lib/libtcl8.4.so.0
0000011 0xb768cf3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000012 0xb76c2cbd in TclObjInterpProc () from /usr/lib/libtcl8.4.so.0
0000013 0xb7663e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000014 0xb768ede7 in ?? () from /usr/lib/libtcl8.4.so.0
0000015 0xb768cf3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000016 0xb76650c4 in Tcl_EvalObjEx () from /usr/lib/libtcl8.4.so.0
0000017 0xb766d39e in Tcl_IfObjCmd () from /usr/lib/libtcl8.4.so.0
0000018 0xb7663e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000019 0xb768ede7 in ?? () from /usr/lib/libtcl8.4.so.0
0000020 0xb768cf3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000021 0xb76c2cbd in TclObjInterpProc () from /usr/lib/libtcl8.4.so.0
0000022 0xb7663e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000023 0xb768ede7 in ?? () from /usr/lib/libtcl8.4.so.0
0000024 0xb768cf3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000025 0xb76c2cbd in TclObjInterpProc () from /usr/lib/libtcl8.4.so.0
0000026 0xb7663e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000027 0xb7664c0e in Tcl_EvalEx () from /usr/lib/libtcl8.4.so.0
0000028 0xb770e611 in Tk_BindEvent () from /usr/lib/libtk8.4.so.0
0000029 0xb7714cfe in TkBindEventProc () from /usr/lib/libtk8.4.so.0
0000030 0xb771d067 in Tk_HandleEvent () from /usr/lib/libtk8.4.so.0
0000031 0xb771d90e in ?? () from /usr/lib/libtk8.4.so.0
0000032 0xb76b76a3 in Tcl_ServiceEvent () from /usr/lib/libtcl8.4.so.0
0000033 0xb76b7976 in Tcl_DoOneEvent () from /usr/lib/libtcl8.4.so.0
0000034 0xb77161fc in Tk_UpdateObjCmd () from /usr/lib/libtk8.4.so.0
0000035 0xb7663e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000036 0xb7664c0e in Tcl_EvalEx () from /usr/lib/libtcl8.4.so.0
0000037 0xb7664f1c in Tcl_Eval () from /usr/lib/libtcl8.4.so.0
0000038 0xb766692c in Tcl_VarEvalVA () from /usr/lib/libtcl8.4.so.0
0000039 0xb7666987 in Tcl_VarEval () from /usr/lib/libtcl8.4.so.0
0000040 0xb7e22f30 in TGraphLayouterEnvironment::okToProceed (this=0xbfa269c0) at layouterenv.cc:122
0000041 0xb7cf9c0f in BasicSpringEmbedderLayout::execute (this=0xa2c31b8) at basicspringembedderlayout.cc:243
0000042 0xb7e1c600 in TGraphicalModWindow::refreshLayout (this=0xa33fad8) at modinsp.cc:591
0000043 0xb7e19b82 in TGraphicalModWindow::bubble (this=0xa33fad8, submod=0xa2bc700, text=0x8963348 "Enter INIT state.") at modinsp.cc:835
0000044 0xb7dfc5c5 in Tkenv::bubble (this=0x8c05cd8, component=0xa2bc700, text=0x8963348 "Enter INIT state.") at tkenv.cc:1794
0000045 0xb7b8806b in cComponent::bubble (this=0xa2bc700, text=0x8963348 "Enter INIT state.") at ccomponent.cc:209
0000046 0x084c2e93 in oversim::Chord::changeState (this=0xa2bebd8, toState=0) at overlay/chord/Chord.cc:187
0000047 0x084bb8da in oversim::Chord::joinOverlay (this=0xa2bebd8) at overlay/chord/Chord.cc:132
0000048 0x0848b964 in BaseOverlay::join (this=0xa2bebd8, [email protected]) at common/BaseOverlay.cc:562
0000049 0x084938c5 in BaseOverlay::initialize (this=0xa2bebd8, stage=12) at common/BaseOverlay.cc:268
0000050 0xb7bbc84c in cModule::initializeModules (this=0xa2bebe0, stage=12) at cmodule.cc:1116
0000051 0xb7bbc9bb in cModule::initializeModules (this=0xa2bdd48, stage=12) at cmodule.cc:1128
0000052 0xb7bbc9bb in cModule::initializeModules (this=0xa2bc700, stage=12) at cmodule.cc:1128
0000053 0xb7bbbac9 in cModule::callInitialize (this=0xa2bc700, stage=12) at cmodule.cc:1069
0000054 0x085b0357 in SimpleUnderlayConfigurator::createNode (this=0x9e126d0, [email protected], initialize=false)
    at underlay/simpleunderlay/SimpleUnderlayConfigurator.cc:197
0000055 0x08488056 in LifetimeChurn::createNode (this=0x9e1aa28, [email protected], initialize=false) at common/LifetimeChurn.cc:102
0000056 0x084884e5 in LifetimeChurn::handleMessage (this=0x9e1aa28, msg=0xa53e870) at common/LifetimeChurn.cc:90
---Type <return> to continue, or q <return> to quit---
0000057 0xb7bdccf0 in cSimulation::doOneEvent (this=0x8c05ee0, mod=0x9e1aa28) at csimulation.cc:627

Backtrace of another crash:

Program terminated with signal 11, Segmentation fault.
[New process 19880]
[New process 19881]
#0 0xb7b0455d in __dynamic_cast () from /usr/lib/libstdc++.so.6
(gdb) bt
#0 0xb7b0455d in __dynamic_cast () from /usr/lib/libstdc++.so.6
0000001 0xb7eda7f4 in getObjectShortTypeName (object=0x9daf660) at tkutil.cc:91
0000002 0xb7ec34e2 in getObjectShortTypeName_cmd (interp=0x902a328, argc=2, argv=0xbffeed3c) at tkcmd.cc:649
0000003 0xb7716b6e in TclInvokeStringCommand () from /usr/lib/libtcl8.4.so.0
0000004 0xb7717e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000005 0xb7742de7 in ?? () from /usr/lib/libtcl8.4.so.0
0000006 0xb7740f3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000007 0xb77190c4 in Tcl_EvalObjEx () from /usr/lib/libtcl8.4.so.0
0000008 0xb772139e in Tcl_IfObjCmd () from /usr/lib/libtcl8.4.so.0
0000009 0xb7717e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000010 0xb7742de7 in ?? () from /usr/lib/libtcl8.4.so.0
0000011 0xb7740f3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000012 0xb7776cbd in TclObjInterpProc () from /usr/lib/libtcl8.4.so.0
0000013 0xb7717e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000014 0xb7742de7 in ?? () from /usr/lib/libtcl8.4.so.0
0000015 0xb7740f3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000016 0xb77190c4 in Tcl_EvalObjEx () from /usr/lib/libtcl8.4.so.0
0000017 0xb772139e in Tcl_IfObjCmd () from /usr/lib/libtcl8.4.so.0
0000018 0xb7717e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000019 0xb7742de7 in ?? () from /usr/lib/libtcl8.4.so.0
0000020 0xb7740f3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000021 0xb7776cbd in TclObjInterpProc () from /usr/lib/libtcl8.4.so.0
0000022 0xb7717e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000023 0xb7742de7 in ?? () from /usr/lib/libtcl8.4.so.0
0000024 0xb7740f3f in TclCompEvalObj () from /usr/lib/libtcl8.4.so.0
0000025 0xb7776cbd in TclObjInterpProc () from /usr/lib/libtcl8.4.so.0
0000026 0xb7717e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000027 0xb7718c0e in Tcl_EvalEx () from /usr/lib/libtcl8.4.so.0
0000028 0xb77c2611 in Tk_BindEvent () from /usr/lib/libtk8.4.so.0
0000029 0xb77c8cfe in TkBindEventProc () from /usr/lib/libtk8.4.so.0
0000030 0xb77d1067 in Tk_HandleEvent () from /usr/lib/libtk8.4.so.0
0000031 0xb77d190e in ?? () from /usr/lib/libtk8.4.so.0
0000032 0xb776b6a3 in Tcl_ServiceEvent () from /usr/lib/libtcl8.4.so.0
0000033 0xb776ba32 in Tcl_DoOneEvent () from /usr/lib/libtcl8.4.so.0
0000034 0xb77ca1fc in Tk_UpdateObjCmd () from /usr/lib/libtk8.4.so.0
0000035 0xb7717e56 in TclEvalObjvInternal () from /usr/lib/libtcl8.4.so.0
0000036 0xb7718c0e in Tcl_EvalEx () from /usr/lib/libtcl8.4.so.0
0000037 0xb7718f1c in Tcl_Eval () from /usr/lib/libtcl8.4.so.0
0000038 0xb7eafa04 in Tkenv::idle (this=0x8bfcc68) at tkenv.cc:1124
0000039 0x085b43de in RealtimeScheduler::receiveUntil (this=0x8bfd3d8, [email protected]) at underlay/singlehostunderlay/realtimescheduler.cc:216
0000040 0x085b4917 in RealtimeScheduler::getNextEvent (this=0x8bfd3d8) at underlay/singlehostunderlay/realtimescheduler.cc:258
0000041 0xb7c9024d in cSimulation::selectNextModule (this=0x8bfce70) at csimulation.cc:475
0000042 0xb7eb5660 in Tkenv::doRunSimulation (this=0x8bfcc68) at tkenv.cc:506
Additional Informationomnetpp-4.0 on Ubuntu 8.04 with Tcl/Tk 8.4
TagsNo tags attached.
Attached Files

- Relationships

-  Notes
(0000136)
andras (administrator)
2009-03-30 13:44

If you find a reproducible scenario, please post it. It would also be useful if you managed to debug it once, and look at the pointer that goes into getObjectShortTypeName().

The code of getObjectShortTypeName() is very simple, and cannot crash if it receives a non-NULL valid pointer. Besides getClassName() it only calls getComponentType() on the object, which cannot yield a NULL pointer either (that's checked in the getComponentType() function).
(0000137)
andras (administrator)
2009-03-30 14:19

Oh I see now :) It's inside Tkenv::idle() called from RealtimeScheduler::receiveUntil(). idle() unfortunately processes UI events without first updating the GUI, so you can click or hover over stale pointers (where the object not longer exists...)

Workaround: in Tkenv::idle() (tkenv.cc), insert updateInspectors() before the Tcl_Eval(interp, "update") line. This is likely a bit too CPU intensive though (calls updateInspectors() far too often).
(0000139)
baumgart (reporter)
2009-03-31 16:34

Should this also fix the issue with the first backtrace? Tkenv::idle() seems to be only involved in the second crash.
(0000255)
andras (administrator)
2010-04-26 22:28

These appear to be two distinct crashes.

For the first one, what appears to happen is this: in an event a large number of modules are created, followed by a bubble() call within the same event. bubble() includes a call to refreshLayout(), which (due to the number of new modules) takes a long time. During that time, if you hover a mouse over a deleted object (e.g. the cMessage the event just processed and deleted), getObjectShortTypeName() will crash while Tkenv tries to produce a tooltip text for the dead object. Normally, to prevent such situations, the mouse is restricted (a "grab" is in effect) while we do layouting, but for some reason the "grab" is only used with full layouting.

Would you mind trying the following patch:

src/tkenv/modinsp.cc:

@@ -566,18 +566,18 @@ void TGraphicalModWindow::refreshLayout()
             }
         }
     }
 
     bool isFullLayout = submodPosMap.empty();
- if (isFullLayout)
+// if (isFullLayout)
         Tcl_VarEval(interp, "layouter_startgrab ", windowName(), ".toolbar.stop", NULL);
 
     // layout the graph -- should be VERY fast if most nodes are fixed!
     Tcl_SetVar(interp, "stoplayouting", "0", TCL_GLOBAL_ONLY);
     layouter->execute();
 
- if (isFullLayout)
+// if (isFullLayout)
         Tcl_VarEval(interp, "layouter_releasegrab ", windowName(), ".toolbar.stop", NULL);
 
     // fill the map with the results
     submodPosMap.clear();
     for (cModule::SubmoduleIterator it(parentmodule); !it.end(); it++)

to see if it works out?
(0000256)
baumgart (reporter)
2010-04-27 10:13

The patch seems to fix the segmentation fault, but the STOP button (in the extra pop-up window) in express mode doesn't work any more. There are also no more tooltips during fast mode, but this may be intended behavior.
(0000269)
andras (administrator)
2010-05-03 13:12

Clarification: the second bug (crash within idle()) seems to occur in Fast mode only. In normal Run mode inspectors are refreshed right after each event so idle() cannot meet an out-of-date UI, and in Express mode all user interactions are disabled (except for the STOP button).
(0000278)
andras (administrator)
2010-05-06 09:41

For the 1st crash: grab the mouse so that only the STOP button is accessible during layouting, and nothing else (no tooltips either).

For the 2nd crash: when in Fast mode, refresh inspectors before processing UI events with Tk's "update" command.

- Issue History
Date Modified Username Field Change
2009-03-27 10:00 baumgart New Issue
2009-03-27 10:00 baumgart Assigned To => andras
2009-03-30 13:44 andras Note Added: 0000136
2009-03-30 14:19 andras Note Added: 0000137
2009-03-30 14:19 andras Status new => confirmed
2009-03-31 16:34 baumgart Note Added: 0000139
2010-04-26 22:28 andras Note Added: 0000255
2010-04-27 10:13 baumgart Note Added: 0000256
2010-05-03 13:12 andras Note Added: 0000269
2010-05-06 09:41 andras Note Added: 0000278
2010-05-06 09:41 andras Status confirmed => resolved
2010-05-06 09:41 andras Fixed in Version => 4.1rc1
2010-05-06 09:41 andras Resolution open => fixed


Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker