segv on high frequent register fetch #104

Open
tonobo opened this issue Mar 6, 2024 · 0 comments

tonobo commented Mar 6, 2024

Howdy, I tried my best to get into it but no idea what's actually wrong here.

What actually happened? I'm using this software to query some holding registers every 100ms. So probably my settings are worse, but usually a segfault indicates something doesn't behave correctly :D

I extracted the following backtrace:

06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_HEADER
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_RQST_FUNC
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_RQST_TAIL
06 Mar 2024 23:21:14 conn[10.100.6.176]: request: [01][03][4a][38][00][4e]
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_TTY
06 Mar 2024 23:21:14 tty: state now is TTY_RQST
06 Mar 2024 23:21:14 tty: state now is TTY_RESP
06 Mar 2024 23:21:14 tty: estimated 161 bytes, waiting 64669 usec
06 Mar 2024 23:21:14 tty: rx offset is 0
06 Mar 2024 23:21:14 tty: read 161 bytes of 161, offset 0
06 Mar 2024 23:21:14 tty: state now is TTY_PROC
06 Mar 2024 23:21:14 tty: response read (total 161 bytes, offset 0 bytes)
06 Mar 2024 23:21:14 tty: response is correct
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_RESP
06 Mar 2024 23:21:14 tty: state now is TTY_PAUSE
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_HEADER
06 Mar 2024 23:21:14 tty: state now is TTY_READY
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_RQST_FUNC
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_RQST_TAIL
06 Mar 2024 23:21:14 conn[10.100.6.176]: request: [01][03][4a][38][00][4e]
06 Mar 2024 23:21:14 conn[10.100.6.176]: state now is CONN_TTY
06 Mar 2024 23:21:14 tty: state now is TTY_RQST
06 Mar 2024 23:21:14 tty: state now is TTY_RESP
06 Mar 2024 23:21:14 tty: estimated 161 bytes, waiting 64669 usec
06 Mar 2024 23:21:14 tty: rx offset is 0
06 Mar 2024 23:21:14 tty: read 9 bytes of 161, offset 0
06 Mar 2024 23:21:14 tty: response read (total 9 bytes, offset 0 bytes)
06 Mar 2024 23:21:14 tty: response is incorrect: [01][03][9c][43][69][4e][00][43][69]
06 Mar 2024 23:21:14 tty: attempt to retry request (1 of 10)
06 Mar 2024 23:21:14 tty: state now is TTY_RQST
06 Mar 2024 23:21:14 tty: state now is TTY_RESP
06 Mar 2024 23:21:14 tty: estimated 161 bytes, waiting 64669 usec
06 Mar 2024 23:21:14 tty: rx offset is 152
06 Mar 2024 23:21:14 tty: rx len changed from 161 to 104
06 Mar 2024 23:21:14 tty: read 161 bytes of 256, offset 152
06 Mar 2024 23:21:14 tty: read 163 bytes of 256, offset 152
06 Mar 2024 23:21:14 tty: read 0 bytes of 256, offset 152
06 Mar 2024 23:21:14 tty: read 57 bytes of 256, offset 152
06 Mar 2024 23:21:14 tty: response read (total 57 bytes, offset 152 bytes)

Program received signal SIGSEGV, Segmentation fault.
modbus_crc_calculate (frame=0xaaaaaaae4001 <error: Cannot access memory at address 0xaaaaaaae4001>, len=4294820493) at /root/mbusd/src/modbus.c:84
84	    crc = (unsigned short)(crc >> 8) ^ modbus_crc16_table[(crc ^ *frame++) & 0xff];
(gdb) bt full
#0  modbus_crc_calculate (frame=0xaaaaaaae4001 <error: Cannot access memory at address 0xaaaaaaae4001>, len=4294820493) at /root/mbusd/src/modbus.c:84
        crc = 8743
#1  0x0000aaaaaaaa8f4c in modbus_crc_correct (
    frame=0xaaaaaaac02ed <tty+589> "\001\003\234Ck\362\366CmgICk\361\240C\314\376\252C\315\004\254C\314@\334?\255J\252?\262\035\332?\304Ͳ?`\\\bÒ\377zÚ[\004è\a!\304j\260\320C\237\270\001C\245-\200C\265b\223D}$\n\301\v\276f\300Յ`\301#lp\301\314\366ÿ\177\343X\277\177\360п\177", len=4294967201)
    at /root/mbusd/src/modbus.c:98
No locals.
#2  0x0000aaaaaaaa63b4 in conn_loop () at /root/mbusd/src/conn.c:443
        rc = 0
        max_sd = 4
        len = -1
        min_timeout = 60
        i = 6
        sdsetrd = {__fds_bits = {0 <repeats 16 times>}}
        sdsetwr = {__fds_bits = {0 <repeats 16 times>}}
        ts = {tv_sec = 1709762732, tv_usec = 273984}
        tts = {tv_sec = 1709762732, tv_usec = 308680}
        t_out = {tv_sec = 0, tv_usec = 0}
        tval = 34696
        tout_sec = 0
        tout = 913870
        curconn = 0xaaaaaaac35f0
        t = "[01][03][9c][43][6b][f2]\00021][43][6d][6d][ee][43][6b][f7][b8][43][cd][05][33][43][cd][0b][36][43][cc][44][2a][3f][b3][21][cd][3f][b4][2f][7c][3f][c4][43][ba][3f][67][ec][e0][c3][97][bc][5f][c3][9c][3a]"...
        v = "[f2]"
#3  0x0000aaaaaaaa364c in main (argc=6, argv=0xfffffffff3c8) at /root/mbusd/src/main.c:426
        err = 0
        rc = -1
        err_line = 0
        exename = 0xfffffffff680 "mbusd"
        ttyparity = 0 '\000'
        end = 0xfffff7fcec24 <_dl_runtime_resolve+72> "\360\003"
        logfilenamevalue = 0xaaaaaaac32a0 "/etc/localtime"
        logfilename = 0xaaaaaaac32a0 "/etc/localtime"

My actual "workaround" is to disable retries, which looks like the following.

06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_RQST_FUNC
06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_RQST_TAIL
06 Mar 2024 23:18:14 conn[10.100.6.176]: request: [01][03][4a][38][00][4e]
06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_TTY
06 Mar 2024 23:18:14 tty: state now is TTY_RQST
06 Mar 2024 23:18:14 tty: state now is TTY_RESP
06 Mar 2024 23:18:14 tty: estimated 161 bytes, waiting 64669 usec
06 Mar 2024 23:18:14 tty: rx offset is 0
06 Mar 2024 23:18:14 tty: read 57 bytes of 161, offset 0
06 Mar 2024 23:18:14 tty: response read (total 57 bytes, offset 0 bytes)
06 Mar 2024 23:18:14 tty: response is incorrect: [01][03][9c][43][69][5c][9a][43][69][b3][68][43][68][d3][f6][43][ca][6b][f9][43][c9][fe][54][43][c9][b4][76][3f][d7][1d][58][3f][cb][19][47][3f][de][ad][70][3f][88][00][b6][c3][b2][60][87][c3][aa][22][aa][c3][b9][f8][a6][c4][85]
06 Mar 2024 23:18:14 tty: response is incorrect (57 of 161 bytes, offset 0), return error
06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_RESP
06 Mar 2024 23:18:14 tty: state now is TTY_PAUSE
06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_HEADER
06 Mar 2024 23:18:14 tty: state now is TTY_READY
06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_RQST_FUNC
06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_RQST_TAIL
06 Mar 2024 23:18:14 conn[10.100.6.176]: request: [01][03][4a][38][00][4e]
06 Mar 2024 23:18:14 conn[10.100.6.176]: state now is CONN_TTY
06 Mar 2024 23:18:14 tty: state now is TTY_RQST
06 Mar 2024 23:18:14 tty: state now is TTY_RESP
06 Mar 2024 23:18:14 tty: estimated 161 bytes, waiting 64669 usec
06 Mar 2024 23:18:14 tty: rx offset is 0
06 Mar 2024 23:18:14 tty: read 26 bytes of 161, offset 0
06 Mar 2024 23:18:14 tty: read 161 bytes of 161, offset 0
06 Mar 2024 23:18:14 tty: state now is TTY_PROC
06 Mar 2024 23:18:14 tty: response read (total 161 bytes, offset 0 bytes)
06 Mar 2024 23:18:14 tty: response is correct
06 Mar 2024 23:18:14 conn[10.100.6.176]: state n...

Configuration:

#############################################
#                                           #
#    Sample configuration file for mbusd    #
#                                           #
#############################################

########## Logging settings #############

# Logging verbosity level
loglevel = 5

# Logfile (fully-qualified path, or filename [stored at /var/log/] or - for STDOUT only)
logfile = -

########## Serial port settings #############

# Serial port device name
device = /dev/ttyUSB0

# Serial port speed
speed = 115200

# Serial port mode
mode = 8n1

# Enable RS-485 support for given serial port device (Linux only)
# enable_rs485 = no

# RS-485 data direction control type (addc, rts_0, rts/rts_1, sysfs_0, sysfs_1)
trx_control = addc

# Sysfs file to use to control data direction
# trx_sysfile =

############# TCP port settings #############

# TCP server address to bind
address = 0.0.0.0

# TCP server port number
port = 502

# Maximum number of simultaneous TCP connections
maxconn = 1

# Connection timeout value in seconds
timeout = 60

######### Request/response settings #########

# Maximum number of request retries
retries = 10

# Pause between requests in milliseconds
pause = 30

# Response wait time in milliseconds
wait = 50

# Reply on Broadcast
replyonbroadcast = no
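
An added example, not part of the original report and not mbusd's code: the last log line before the crash reports "total 57 bytes, offset 152 bytes", and the `len=4294967201` in frame #1 is exactly 57 - 152 wrapped to an unsigned 32-bit value. The sketch below reproduces that arithmetic and shows a bounds-checked CRC verification that rejects such a length instead of walking off the buffer. The names `wrapped_len` and `checked_crc_ok`, and the meaning given to `total` and `offset`, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bitwise Modbus RTU CRC-16: init 0xFFFF, reflected polynomial 0xA001. */
static uint16_t crc16_modbus(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= *p++;
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001) : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* What an unchecked "total - offset" becomes as a 32-bit unsigned length. */
static uint32_t wrapped_len(int total, int offset)
{
    return (uint32_t)(total - offset);
}

/* Hypothetical guarded check. Assumes buf holds `total` valid bytes and the
 * frame starts at `offset`. Returns 1 = CRC ok, 0 = CRC mismatch, -1 = bad bounds. */
static int checked_crc_ok(const uint8_t *buf, size_t cap, int total, int offset)
{
    if (total < 0 || offset < 0 || (size_t)total > cap || offset > total)
        return -1;                      /* would underflow or overrun */
    size_t n = (size_t)(total - offset);
    if (n < 4)
        return -1;                      /* address + function + 2 CRC bytes */
    const uint8_t *f = buf + offset;
    uint16_t crc = crc16_modbus(f, n - 2);
    return f[n - 2] == (crc & 0xFF) && f[n - 1] == (crc >> 8);  /* CRC low byte first */
}

int main(void)
{
    /* Constructed sample: the request bytes from the log plus a computed CRC. */
    uint8_t frame[8] = {0x01, 0x03, 0x4a, 0x38, 0x00, 0x4e, 0, 0};
    uint16_t crc = crc16_modbus(frame, 6);
    frame[6] = (uint8_t)(crc & 0xFF);
    frame[7] = (uint8_t)(crc >> 8);
    uint8_t rx[256] = {0};
    printf("wrapped length: %u\n", (unsigned)wrapped_len(57, 152));
    printf("valid frame:    %d\n", checked_crc_ok(frame, sizeof frame, 8, 0));
    printf("57 at 152:      %d\n", checked_crc_ok(rx, sizeof rx, 57, 152));
    return 0;
}
```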