[OpenSIPS-Devel] [ opensips-Bugs-2937441 ] opensips crashes on reply received to b2bua

SourceForge.net noreply at sourceforge.net
Wed Feb 17 01:48:40 CET 2010


Bugs item #2937441, was opened at 2010-01-22 20:06
Message generated for change (Comment added) made by nobody
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2937441&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: 1.6.x
Status: Closed
Resolution: Invalid
Priority: 5
Private: No
Submitted By: Richard Revels (rrevels)
Assigned to: Anca Vamanu (anca_vamanu)
Summary: opensips crashes on reply received to b2bua

Initial Comment:
using opensips 1.6 revision 6526

Here are a couple of backtraces from two core files.  I am seeing this on every call using top hiding in b2bua.  If I simply route the calls without b2bua, opensips doesn't crash.

Crash with two processing threads.  Using media proxy on outbound leg.

[New process 29632]
#0  __dialog_confirmed (dlg=0x2af97535b6b0, type=<value optimized out>, _params=0x2af9709346a0) at nat_traversal.c:968
968	    snprintf(uri, 64, "sip:%s:%d", ip_addr2a(&msg->rcv.src_ip), msg->rcv.src_port);
(gdb) bt
#0  __dialog_confirmed (dlg=0x2af97535b6b0, type=<value optimized out>, _params=0x2af9709346a0) at nat_traversal.c:968
#1  0x00002af970708e44 in run_dlg_callbacks (type=8, dlg=0x2af97535b6b0, msg=<value optimized out>, dir=1966453448, dlg_data=0x0) at dlg_cb.c:253
#2  0x00002af97071683a in dlg_onreply (t=0x2af97535bc78, type=<value optimized out>, param=<value optimized out>) at dlg_handlers.c:407
#3  0x00002af96e3ea02b in run_trans_callbacks (type=128, trans=0x2af97535bc78, req=0x2af97535d628, rpl=0xffffffffffffffff, code=<value optimized out>) at t_hooks.c:208
#4  0x00002af96e40333b in _reply_light (trans=0x2af97535bc78, 
    buf=0x862bf8 "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.1.71.226:53239;rport=4609;branch=z9hG4bKPjufub93nobQZJjltsV8VEofSrwBOh3qDb;received=192.168.230.200\r\nFrom: \"Richard Revels\" <sip:+19195551212@59.229.150.203.sta.inet.co.th>;t"..., len=824, code=200, to_tag=<value optimized out>, to_tag_len=<value optimized out>, lock=1, bm=0x7fff7ccec800) at t_reply.c:384
#5  0x00002af96e4035a3 in t_reply_with_body (trans=0x2af97535bc78, code=200, text=0x860e70, body=<value optimized out>, new_header=<value optimized out>, to_tag=0x2af9753611d0) at t_reply.c:1607
#6  0x00002af97471369e in b2b_send_reply (et=<value optimized out>, b2b_key=0x2af9753611d0, code=200, text=0x860e70, body=0x7fff7ccecb00, extra_headers=0x7fff7ccecaf0) at dlg.c:803
#7  0x00002af974926803 in b2b_logic_notify (src=1, msg=0x860e40, key=0x2af97535f4e8, type=1, param=<value optimized out>) at logic.c:444
#8  0x00002af9747150e0 in b2b_tm_cback (htable=0x2af97533e928, ps=<value optimized out>) at dlg.c:1515
#9  0x00002af96e3ea02b in run_trans_callbacks (type=512, trans=0x2af97535f528, req=0x0, rpl=0x860e40, code=<value optimized out>) at t_hooks.c:208
#10 0x00002af96e4026e9 in local_reply (t=0x2af97535f528, p_msg=0x2af96e626d38, branch=<value optimized out>, msg_status=<value optimized out>, cancel_bitmap=0x2af975311f48) at t_reply.c:1339
#11 0x00002af96e405009 in reply_received (p_msg=0x860e40) at t_reply.c:1484
#12 0x00000000004213f8 in forward_reply (msg=0x860e40) at forward.c:559
#13 0x0000000000456202 in receive_msg (
    buf=0x754f40 "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 203.150.229.59;branch=z9hG4bK25c3.26e79485.0\r\nRecord-Route: <sip:192.168.225.202;lr;ftag=5e133d1dcbcfa06f788b415da1ea9e73-f19a>,<sip:203.150.229.59;lr;ftag=5e133d1dcbcfa06f788b"..., len=1007, rcv_info=0x7fff7cced080) at receive.c:200
#14 0x000000000049a2d4 in udp_rcv_loop () at udp_server.c:492
#15 0x0000000000429bbd in main (argc=9, argv=<value optimized out>) at main.c:818

Crash with two processing threads and stun on client - no media proxy.

[New process 30101]
#0  b2b_send_reply (et=<value optimized out>, b2b_key=0x2ad29f4fa058, code=183, text=0x860938, body=0x7fffe9fc4fd0, extra_headers=0x7fffe9fc4fc0) at dlg.c:762
762		to_tag = &get_to(msg)->tag_value;
(gdb) bt
#0  b2b_send_reply (et=<value optimized out>, b2b_key=0x2ad29f4fa058, code=183, text=0x860938, body=0x7fffe9fc4fd0, extra_headers=0x7fffe9fc4fc0) at dlg.c:762
#1  0x00002ad29eabf803 in b2b_logic_notify (src=1, msg=0x860908, key=0x2ad29f4f8368, type=1, param=<value optimized out>) at logic.c:444
#2  0x00002ad29e8ae0e0 in b2b_tm_cback (htable=0x2ad29f4d7928, ps=<value optimized out>) at dlg.c:1515
#3  0x00002ad29858302b in run_trans_callbacks (type=1024, trans=0x2ad29f4f83a8, req=0x0, rpl=0x860908, code=<value optimized out>) at t_hooks.c:208
#4  0x00002ad29859b4ee in local_reply (t=0x2ad29f4f83a8, p_msg=0x860908, branch=<value optimized out>, msg_status=<value optimized out>, cancel_bitmap=0x7fffe9fc5468)
    at t_reply.c:1333
#5  0x00002ad29859e009 in reply_received (p_msg=0x860908) at t_reply.c:1484
#6  0x00000000004213f8 in forward_reply (msg=0x860908) at forward.c:559
#7  0x0000000000456202 in receive_msg (
    buf=0x754f40 "SIP/2.0 183 Session Progress\r\nVia: SIP/2.0/UDP 203.150.229.59;branch=z9hG4bK58dc.5578968.0\r\nRecord-Route: <sip:192.168.225.202;lr;ftag=5e133d1dcbcfa06f788b415da1ea9e73-fe8b>,<sip:203.150.229.59;lr;ftag=5e133d1"..., len=921, rcv_info=0x7fffe9fc5550) at receive.c:200
#8  0x000000000049a2d4 in udp_rcv_loop () at udp_server.c:492
#9  0x0000000000429bbd in main (argc=9, argv=<value optimized out>) at main.c:818


----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2010-02-17 00:48

Message:
I moved the create_dialog to the outbound side of the b2bua and then
removed it altogether.  Still unable to use nat_traversal module due to
core dump on 200 received.

Feb 17 00:38:59 guinea-pig1 osips-log[10944]: Checking on request domain with value pig1.bandwidth.com
Feb 17 00:38:59 guinea-pig1 osips-log[10944]: In route block that inits b2bua
Feb 17 00:38:59 guinea-pig1 osips-log[10944]: INFO:b2b_logic:b2bl_insert_new: pointer [0x2b74f87eaf88]
Feb 17 00:38:59 guinea-pig1 osips-log[10944]: INFO:b2b_logic:b2bl_create_new_entity: address: 0x2b74f87eb6d8
Feb 17 00:38:59 guinea-pig1 osips-log[10944]: INFO:b2b_logic:b2bl_create_new_entity: address: 0x2b74f87ed708
Feb 17 00:38:59 guinea-pig1 osips-log[10946]: WARNING:dispatcher:ds_select_dst: algo 99 not implemented - using first entry...
Feb 17 00:39:00 guinea-pig1 osips-log[10947]: b2b_reply (B2B.194.7949799) with 183
Feb 17 00:39:02 guinea-pig1 osips-log[10946]: b2b_reply (B2B.194.7949799) with 180
Feb 17 00:39:02 guinea-pig1 osips-log[10946]: ERROR:nat_traversal:__dialog_confirmed: FAKED reply - exit
Feb 17 00:39:07 guinea-pig1 osips-log[10935]: INFO:core:handle_sigs: child process 10946 exited by a signal 11
Feb 17 00:39:07 guinea-pig1 osips-log[10935]: INFO:core:handle_sigs: core was generated


----------------------------------------------------------------------

Comment By: Anca Vamanu (anca_vamanu)
Date: 2010-02-15 09:48

Message:
Hi Richard,

The problem is that you create a dialog for an INVITE that will be handled by
b2b. The dialog module is not meant to deal with dialogs that are terminated at
the server, so it won't work this way.
Of course the proxy should not crash in this case, so I added some
checks to prevent this. But the functionality is not available, as the dialog
module cannot be used with b2b.

Regards,
Anca
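
The hazard behind this thread, as a cut-down C illustration added here (not OpenSIPS source): a dialog callback is run for a reply that b2b generated locally, and the transaction layer hands it the FAKED_REPLY sentinel instead of a parsed message (the rpl=0xffffffffffffffff in frame 3 of the later backtrace), so any dereference of msg faults. The structs, the ip_addr2a() stand-in and the FAKED_REPLY definition are assumptions modelled on the names in the trace.

```c
#include <stdio.h>
#include <string.h>
/* Assumption mirroring tm's convention as the trace suggests (rpl=0xfff...):
 * the sentinel is an all-ones pointer, so a NULL check alone will not catch it. */
#define FAKED_REPLY ((struct sip_msg *)-1)

/* Cut-down stand-ins for the real OpenSIPS structures (constructed). */
struct receive_info { unsigned char src_ip[4]; unsigned short src_port; };
struct sip_msg { struct receive_info rcv; };

/* Stand-in for ip_addr2a(): dotted quad in a static buffer. */
static const char *ip_addr2a(const unsigned char *ip)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "%u.%u.%u.%u", (unsigned)ip[0], (unsigned)ip[1],
             (unsigned)ip[2], (unsigned)ip[3]);
    return buf;
}

/* Shape of the crashing callback: the reply sender's address is formatted
 * from msg without asking whether msg points at a parsed message at all. */
static int dialog_confirmed_unchecked(struct sip_msg *msg, char *uri, size_t n)
{
    snprintf(uri, n, "sip:%s:%d", ip_addr2a(msg->rcv.src_ip), msg->rcv.src_port);
    return 0;
}

/* Hardened shape: a locally generated reply carries no message, so bail out
 * (the "FAKED reply - exit" log line on the page) before any dereference. */
static int dialog_confirmed_checked(struct sip_msg *msg, char *uri, size_t n)
{
    if (msg == NULL || msg == FAKED_REPLY)
        return -1;
    return dialog_confirmed_unchecked(msg, uri, n);
}

/* Constructed input: the source address seen in the first backtrace's Via. */
static int demo_real_reply_ok(void)
{
    struct sip_msg msg = { { { 10, 1, 71, 226 }, 53239 } };
    char uri[64];
    return dialog_confirmed_checked(&msg, uri, sizeof uri) == 0
        && strcmp(uri, "sip:10.1.71.226:53239") == 0;
}

/* The callback invoked for a locally generated reply must refuse, not crash. */
static int demo_faked_reply(void)
{
    char uri[64] = "untouched";
    int rc = dialog_confirmed_checked(FAKED_REPLY, uri, sizeof uri);
    return rc == -1 && strcmp(uri, "untouched") == 0;
}
```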

----------------------------------------------------------------------

Comment By: Richard Revels (rrevels)
Date: 2010-02-13 15:20

Message:
Maybe I should close this and open a new bug tracker.  The original issue
of opensips crashing on various replies has been resolved by previous code
changes and updates.  The proxy only crashes on the 200 being received now.

----------------------------------------------------------------------

Comment By: Richard Revels (rrevels)
Date: 2010-02-13 15:02

Message:
Okay, removing the nat_traversal module and all references to functions
from that module keeps b2bua from core dumping on the 200 OK (answer) being
received.  This time, I'm sure the call went through the b2bua and worked
without the far end NAT support from nat_traversal.  I have full logging
and the core file from my last call before removing all this "stuff" if you
would like to see it.

----------------------------------------------------------------------

Comment By: Richard Revels (rrevels)
Date: 2010-02-13 12:32

Message:
Stupid mistake on my part.  In my config, I bypass the top hiding when not
using the dns domain to send the call.  My comment on the 11th is invalid.

----------------------------------------------------------------------

Comment By: Richard Revels (rrevels)
Date: 2010-02-11 13:49

Message:
If I register to the proxy and make calls using the IP address as the
domain, opensips does not core dump.  If I register to the proxy and make
calls using a dns name, opensips core dumps when the 200 (answer) is being
processed on every call.  The dns name I am using is set as an alias in the
config and is defined in the host file on the server.

----------------------------------------------------------------------

Comment By: Richard Revels (rrevels)
Date: 2010-02-01 19:31

Message:
Okay, I have pulled the latest updates from SVN and am still seeing
opensips crash on 200 response.  Here is a new backtrace.  I didn't save
the older core files.

Program terminated with signal 11, Segmentation fault.
[New process 18558]
#0  __dialog_confirmed (dlg=0x2add12c83178, type=<value optimized out>, _params=0x2add0e2576a0) at nat_traversal.c:968
968         snprintf(uri, 64, "sip:%s:%d", ip_addr2a(&msg->rcv.src_ip), msg->rcv.src_port);
(gdb) bt
#0  __dialog_confirmed (dlg=0x2add12c83178, type=<value optimized out>, _params=0x2add0e2576a0) at nat_traversal.c:968
#1  0x00002add0e02be44 in run_dlg_callbacks (type=8, dlg=0x2add12c83178, msg=<value optimized out>, dir=315117424, dlg_data=0x0) at dlg_cb.c:253
#2  0x00002add0e03982a in dlg_onreply (t=0x2add12c83658, type=<value optimized out>, param=<value optimized out>) at dlg_handlers.c:407
#3  0x00002add0bd0d05b in run_trans_callbacks (type=128, trans=0x2add12c83658, req=0x2add12c85110, rpl=0xffffffffffffffff, code=<value optimized out>) at t_hooks.c:208
#4  0x00002add0bd263ab in _reply_light (trans=0x2add12c83658, buf=0x862b80 "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.1.70.118:55574;rport=31208;branch=z9hG4bKPjINqzY-CUGGO1FcaA0YtTWsCaqrAAVshu;received=10.1.71.118\r\nFrom: \"Richard Revels\" <sip:+19193558982@59.229.150.203.sta.inet.co.th>;"..., len=818, code=200, to_tag=<value optimized out>, to_tag_len=<value optimized out>, lock=1, bm=0x7ffff31f94c0) at t_reply.c:384
#5  0x00002add0bd26613 in t_reply_with_body (trans=0x2add12c83658, code=200, text=0x8609f8, body=<value optimized out>, new_header=<value optimized out>, to_tag=0x2add12c87350) at t_reply.c:1607
#6  0x00002add1203882e in b2b_send_reply (et=<value optimized out>, b2b_key=0x2add12c87350, code=200, text=0x8609f8, body=0x7ffff31f9790, extra_headers=0x7ffff31f9780, dlginfo=0x2add12c87410) at dlg.c:960
#7  0x00002add1224d7bb in b2b_logic_notify (src=1, msg=0x8609c8, key=<value optimized out>, type=1, param=<value optimized out>) at logic.c:577
#8  0x00002add1203aaae in b2b_tm_cback (htable=0x2add12c66928, ps=0x16) at dlg.c:1778
#9  0x00002add0bd0d05b in run_trans_callbacks (type=512, trans=0x2add12c876b8, req=0x0, rpl=0x8609c8, code=<value optimized out>) at t_hooks.c:208
#10 0x00002add0bd25759 in local_reply (t=0x2add12c876b8, p_msg=0x2add0bf49d38, branch=<value optimized out>, msg_status=<value optimized out>, cancel_bitmap=0x2add12c39f48) at t_reply.c:1339
#11 0x00002add0bd28079 in reply_received (p_msg=0x8609c8) at t_reply.c:1484
#12 0x00000000004213f8 in forward_reply (msg=0x8609c8) at forward.c:559
#13 0x0000000000456202 in receive_msg (buf=0x754f40 "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 203.150.229.59;branch=z9hG4bKc0ff.c115e7d.0\r\nRecord-Route: <sip:192.168.225.202;lr;ftag=40xGtnvkWkljw4b5Fo1SZSIK-KiLk15axMxXMHd5m.eA-oaRsb6To0dy7IVlcXSz>,<sip:203.150.229.59;lr"..., len=1085, rcv_info=0x7ffff31f9d50) at receive.c:200
#14 0x000000000049a2e4 in udp_rcv_loop () at udp_server.c:492
#15 0x0000000000429bbd in main (argc=9, argv=<value optimized out>) at main.c:818


I believe the value you want is also in frame one on this backtrace, but
the compiler appears to have passed this pointer in a register.  gdb
doesn't want to display it.

I can tell you that all values in the function calls look good until the
call to run_trans_callbacks in frame 4 with FAKED_REPLY as the 4th
argument.  After that, values in frames 3 and 2 having to do with msg or
rpl are borked.

Let me know if it would be helpful to have access to the shell on this
proxy.

Here is the information on the source directory I am working from :
[root@guinea-pig1 opensips_16_release]# svn info
Path: .
URL: https://opensips.svn.sourceforge.net/svnroot/opensips/branches/1.6
Repository Root: https://opensips.svn.sourceforge.net/svnroot/opensips
Repository UUID: 689a6050-402a-0410-94f2-e92a70836424
Revision: 6556
Node Kind: directory
Schedule: normal
Last Changed Author: anca_vamanu
Last Changed Rev: 6556
Last Changed Date: 2010-02-01 14:49:11 +0000 (Mon, 01 Feb 2010)


----------------------------------------------------------------------

Comment By: Anca Vamanu (anca_vamanu)
Date: 2010-01-29 10:29

Message:
Hi Richard,

I cannot tell from the trace that you sent what the exact problem for the
crash is. If you still have the core file, can you please run 'print *msg' in
frame 1 and print the output here?
I have analyzed the code, and found a possible cause for the crash, but I
am not sure it is the right one. I have committed a fix for it, so you can
update and try with the new version.

Regards,
Anca

----------------------------------------------------------------------

Comment By: elitas (elitas)
Date: 2010-01-26 11:05

Message:
Opensips: 1.6.1-notls

Same problem for me.
It goes into the top hiding scenario, then opensips seems to hang, crashes
after a few seconds and a coredump is created. I thought this was a problem
of misconfiguration, but it seems to be an issue with opensips, although
I am wondering why most people don't seem to experience this problem?

#0  fm_status (qm=0xa7809000) at mem/f_malloc.c:606
#1  0x0806a602 in cleanup (show_status=1) at main.c:367
#2  0x0806b061 in handle_sigs () at main.c:533
#3  0x0806e05e in main (argc=9, argv=0xbfbc2ed4) at main.c:913


----------------------------------------------------------------------
