******************************************************************************
********************* IBIS GOLDEN PARSER BUG REPORT FORM *********************
******************************************************************************

INSTRUCTIONS

To report a bug in the IBIS golden parser, please fill out the top part of the
following form and send the complete form to info@ibis.org. A list of reported
bugs is maintained at http://ibis.org/bugs/ibischk/ .

******************************************************************************

PARSER VERSION NUMBER: 6.1.3

PLATFORM (SPARC, HP700, PC, etc.): PC

OS AND VERSION: Windows 10 (32-bit and 64-bit, Linux)

REPORTED BY: Yingxin Sun, Cadence Design Systems and
             Bob Ross, Teraspeed Labs

DATE: March 21, 2017

DESCRIPTION OF BUG:

IBISCHK6 V6.1.3 Crashes or stops working when Model Selector Points to
non-existent [Model].

Under 32-bit Windows, a pop-up message "ibischk6_32.exe has stopped working"
appears. Under Linux, a Segmentation fault is issued.

IBISCHK6 V6.1.2 works fine.

The cause of and fix for the crash have been identified as follows:

In msel.c, if the model is not defined, the return pointer tmp will be 0 at
line 211 or 246.
This is the cause of crash:

BOOL MSEL_HasSeries(MSEL *pMsel)
{
    MSELMODEL *pMselModel;
    MDL *pMdl;
    IBIS *pIbis;

    itrace("MSEL_HasSeries","");
    iassert(pMsel);

    if (IBIS_GetIBIS(&pIbis) != SUCCESS) {
        return FALSE;
    }
    if (IBIS_GetMdls(pIbis, &pMdl) != SUCCESS ) {
        return FALSE;
    }

    pMselModel = pMsel->pMselModels;
    while( pMselModel ) {
        MDL *tmp;
        tmp = MDL_FindModel(pMselModel->sModel, pMdl);    | <---- line 211
        if( tmp->eType == SERIES ) {
            return TRUE;
        }
        pMselModel = pMselModel->pNext;
    }
    return(FALSE);
}

BOOL MSEL_HasSeriesSwitch(MSEL *pMsel)
{
    MSELMODEL *pMselModel;
    MDL *pMdl;
    IBIS *pIbis;

    itrace("MSEL_HasSeriesSwitch","");
    iassert(pMsel);

    if (IBIS_GetIBIS(&pIbis) != SUCCESS) {
        return FALSE;
    }
    if (IBIS_GetMdls(pIbis, &pMdl) != SUCCESS ) {
        return FALSE;
    }

    pMselModel = pMsel->pMselModels;
    while( pMselModel ) {
        MDL *tmp;
        tmp = MDL_FindModel(pMselModel->sModel, pMdl);    | <---- line 246
        if( tmp->eType == SERIES_SWITCH ) {
            return TRUE;
        }
        pMselModel = pMselModel->pNext;
    }
    return(FALSE);
}

Here is additional information from Mike LaBonte:

==26406== Invalid read of size 4
==26406==    at 0x808628C: MSEL_HasSeries (msel.c:212)
==26406==    by 0x80900A4: PIN_TestList (pin.c:306)
==26406==    by 0x806D333: s_testPins (cmpnt.c:1240)
==26406==    by 0x806C09D: CMPNT_TestList (cmpnt.c:469)
==26406==    by 0x807A7FA: IBIS_Test (ibis.c:723)
==26406==    by 0x809E5F4: TEST (test.c:38)
==26406==    by 0x807B72D: MAIN (main.c:80)
==26406==    by 0x807AE96: main (ibis_chk.c:224)
==26406==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
==26406==
==26406==
==26406== Process terminating with default action of signal 11 (SIGSEGV)
==26406==  Access not within mapped region at address 0x30
==26406==    at 0x808628C: MSEL_HasSeries (msel.c:212)
==26406==    by 0x80900A4: PIN_TestList (pin.c:306)
==26406==    by 0x806D333: s_testPins (cmpnt.c:1240)
==26406==    by 0x806C09D: CMPNT_TestList (cmpnt.c:469)
==26406==    by 0x807A7FA: IBIS_Test (ibis.c:723)
==26406==    by 0x809E5F4: TEST (test.c:38)
==26406==    by 0x807B72D: MAIN (main.c:80)
==26406==    by 0x807AE96: main (ibis_chk.c:224)

The crash happens because the [Model Selector] names a model Input_2 that
does not exist in the file. This will be very easy to fix.

----

The suggested fix is:

Change the line

    if(tmp->eType == SERIES )

to

    if( tmp && tmp->eType == SERIES )

Do the same for the second function.

Note, this BUG appears to have been introduced with the fix for BUG175.

----

INSERT IBIS FILE DEMONSTRATING THE BUG:

==> bug189.ibs <==
[IBIS Ver]       3.2
[File Name]      bug189.ibs
[File Rev]       1.0
[Date]           February 28, 2017
[Source]         From Test Case from Yingxin Sun, Cadence Design Systems
[Component]      BUG189
[Manufacturer]   XYZ, Inc.
[Package]
R_pkg            4.e-01    NA    NA
L_pkg            2.e-09    NA    NA
C_pkg            1.e-12    NA    NA
[Pin]  signal_name  model_name  R_pin  L_pin  C_pin
1      A13          Input
[Model Selector] Input
Input_1          Input model 1
Input_2          Undefined yet
[Model]          Input_1
Model_type       Input
Vinl = 0.65V
Vinh = 1.15V
C_comp           1.0pF     1.0pF     1.0pF
[Voltage Range]  1.8V      1.7V      1.9V
[End]

******************************************************************************
******************** BELOW FOR ADMINISTRATION AND TRACKING *******************
******************************************************************************

BUG NUMBER: 189

SEVERITY: [FATAL, SEVERE, MODERATE, ANNOYING, ENHANCEMENT] SEVERE

PRIORITY: [HIGH, MEDIUM, LOW] HIGH

STATUS: [OPEN, CLOSED, WILL NOT FIX, NOT A BUG] CLOSED

FIXED VERSION: 6.1.4

FIXED DATE: June 28, 2017

NOTES ON BUG FIX:

Classified at the March 31, 2017 IBIS Open Forum meeting. To be fixed in the
next release.

June 28, 2017 Fatal failures eliminated.

******************************************************************************
******************************************************************************
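
The guard suggested in the report above, shown as an added stand-alone example (not the ibischk source): a lookup that returns NULL on a miss, a scan that checks the result before reading the type, and a count of dangling selector entries so they can be reported. The Model and SelEntry types and all function names are hypothetical stand-ins for the parser's MDL and MSELMODEL lists.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the parser's MDL and MSELMODEL lists. */
typedef enum { INPUT, SERIES, SERIES_SWITCH } ModelType;
typedef struct Model { const char *name; ModelType type; struct Model *next; } Model;
typedef struct SelEntry { const char *model; struct SelEntry *next; } SelEntry;

/* Lookup that, like MDL_FindModel in the report, returns NULL on a miss. */
static const Model *find_model(const char *name, const Model *models) {
    for (; models != NULL; models = models->next)
        if (strcmp(models->name, name) == 0)
            return models;
    return NULL;
}

/* Guarded scan: an entry with no matching [Model] is skipped, not dereferenced. */
int selector_has_type(const SelEntry *sel, const Model *models, ModelType want) {
    for (; sel != NULL; sel = sel->next) {
        const Model *m = find_model(sel->model, models);
        if (m != NULL && m->type == want)
            return 1;
    }
    return 0;
}

/* Count selector entries that name an undefined model, so the checker can
   report them as errors instead of crashing on them. */
int count_dangling(const SelEntry *sel, const Model *models) {
    int n = 0;
    for (; sel != NULL; sel = sel->next)
        if (find_model(sel->model, models) == NULL)
            n++;
    return n;
}

/* Constructed input mirroring bug189.ibs: Input_2 is selected but undefined. */
int bug189_has_series(void) {
    Model input1 = { "Input_1", INPUT, NULL };
    SelEntry e2 = { "Input_2", NULL }, e1 = { "Input_1", &e2 };
    return selector_has_type(&e1, &input1, SERIES);
}

int bug189_dangling(void) {
    Model input1 = { "Input_1", INPUT, NULL };
    SelEntry e2 = { "Input_2", NULL }, e1 = { "Input_1", &e2 };
    return count_dangling(&e1, &input1);
}
```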