[OpenSIPS-Devel] [ opensips-Bugs-3003968 ] n->prev 0 in fm_remove_free: segfault

SourceForge.net noreply at sourceforge.net
Fri May 21 13:12:11 CEST 2010


Bugs item #3003968, was opened at 2010-05-19 11:27
Message generated for change (Comment added) made by csollet
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3003968&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: 1.6.x
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Walter Doekes (wdoekes)
Assigned to: Nobody/Anonymous (nobody)
Summary: n->prev 0 in fm_remove_free: segfault

Initial Comment:
Hi there,

I've got a segfault during SUBSCRIBE activity. (Actually, I've received several similar ones, not always with the same backtrace, but always ending in fm_remove_free.)

Core was generated by `/usr/local/sbin/opensips -P /var/run/opensips/opensips.pid -m 2048 -u opensips'.
Program terminated with signal 11, Segmentation fault.
[New process 20308]
#0  0x000000000048a4d4 in fm_remove_free (qm=0x76dd20, n=0x7ba868) at mem/f_malloc.c:172
172		*pf=n->u.nxt_free;
(gdb) back
#0  0x000000000048a4d4 in fm_remove_free (qm=0x76dd20, n=0x7ba868) at mem/f_malloc.c:172
#1  0x000000000048a341 in fm_malloc (qm=0x76dd20, size=32, file=0x7f95af42a7a8 "utils_func.h", func=0x7f95af42a79b "uandd_to_uri", line=52) at mem/f_malloc.c:378
#2  0x00007f95af4032f5 in uandd_to_uri (user=
      {s = 0x74b1b5 "040055003 at sip.gntel.nl>;tag=882a6ada466d39dd\r\nTo: <sip:040055001 at sip.gntel.nl>\r\nCall-ID: aeb0385e-96d42a29 at 10.101.10.45\r\nCSeq: 55364 SUBSCRIBE\r\nMax-Forwards: 70\r\nProxy-Authorization: Digest username=\""..., len = 9}, domain=
      {s = 0x74b1bf "sip.gntel.nl>;tag=882a6ada466d39dd\r\nTo: <sip:040055001 at sip.gntel.nl>\r\nCall-ID: aeb0385e-96d42a29 at 10.101.10.45\r\nCSeq: 55364 SUBSCRIBE\r\nMax-Forwards: 70\r\nProxy-Authorization: Digest username=\"040055003\""..., len = 12}, out=0x7bc040) at utils_func.h:52
#3  0x00007f95af407195 in build_dlg_t (subs=0x7fffffffb470) at notify.c:1334
#4  0x00007f95af40a0a2 in send_notify_request (subs=0x7fffffffb470, watcher_subs=0x0, n_body=0x0, force_null_body=0) at notify.c:1928
#5  0x00007f95af40a87b in notify (subs=0x7fffffffb470, watcher_subs=0x0, n_body=0x0, force_null_body=0) at notify.c:2040
#6  0x00007f95af41df89 in update_subscription (msg=0x7b8078, subs=0x7fffffffb470, init_req=1) at subscribe.c:446
#7  0x00007f95af41edb6 in handle_subscribe (msg=0x7b8078, force_active_param=0x0, str2=0x0) at subscribe.c:654
#8  0x0000000000411d96 in do_action (a=0x78d308, msg=0x7b8078) at action.c:967
<snip>

#24 0x000000000040e90a in run_top_route (a=0x77d938, msg=0x7b8078) at action.c:180
#25 0x000000000044d669 in receive_msg (
    buf=0x74b140 "SUBSCRIBE sip:040055001 at sip.gntel.nl SIP/2.0\r\nVia: SIP/2.0/UDP 10.101.10.45:5060;branch=z9hG4bK-137f1b83\r\nFrom: <sip:040055003 at sip.gntel.nl>;tag=882a6ada466d39dd\r\nTo: <sip:040055001 at sip.gntel.nl>\r\nCal"..., 
    len=666, rcv_info=0x7fffffffd610) at receive.c:162
#26 0x00000000004860df in udp_rcv_loop () at udp_server.c:492
#27 0x00000000004241c6 in main_loop () at main.c:818
#28 0x00000000004262b1 in main (argc=9, argv=0x7fffffffd888) at main.c:1388


(gdb) info locals
pf = (struct fm_frag **) 0x0
hash = 8
(gdb) list
167	
168		pf = n->prev;
169		hash = GET_HASH( n->size );
170	
171		/* detach */
172		*pf=n->u.nxt_free;
173	
174		if( n->u.nxt_free )
175			n->u.nxt_free->prev = pf;
176	
(gdb) print *n
$6 = {size = 64, u = {nxt_free = 0x7ba868, reserved = 8104040}, prev = 0x0, file = 0x7f95af42a7a8 "utils_func.h", func = 0x7f95af42a79b "uandd_to_uri", line = 52, check = 4042322160}

(gdb) up
#1  0x000000000048a341 in fm_malloc (qm=0x76dd20, size=32, file=0x7f95af42a7a8 "utils_func.h", func=0x7f95af42a79b "uandd_to_uri", line=52) at mem/f_malloc.c:378
378		fm_remove_free(qm,frag);
(gdb) print *frag
$14 = {size = 64, u = {nxt_free = 0x7ba868, reserved = 8104040}, prev = 0x0, file = 0x7f95af42a7a8 "utils_func.h", func = 0x7f95af42a79b "uandd_to_uri", line = 52, check = 4042322160}
(gdb) list 328
323		
324		/*search for a suitable free frag*/
325	
326		for(hash=GET_HASH(size);hash<F_HASH_SIZE;hash++){
327			frag=qm->free_hash[hash].first;
328			for( ; frag; frag = frag->u.nxt_free )
329				if ( frag->size >= size ) goto found;
330			/* try in a bigger bucket */
331		}
332		/* not found, bad! */
(gdb) list 378
373			
374	
375	found:
376		/* we found it!*/
377		
378		fm_remove_free(qm,frag);
379		
380		/*see if we'll use full frag, or we'll split it in 2*/
381		
382		#ifdef DBG_F_MALLOC
(gdb) print *frag
$15 = {size = 64, u = {nxt_free = 0x7ba868, reserved = 8104040}, prev = 0x0, file = 0x7f95af42a7a8 "utils_func.h", func = 0x7f95af42a79b "uandd_to_uri", line = 52, check = 4042322160}
(gdb) print hash
$16 = 8
(gdb) print *qm
$17 = {size = 1048576, large_space = 728080, large_limit = 81920, used = 320280, real_used = 438208, max_real_used = 438208, first_frag = 0x776090, last_frag = 0x86dce8, free_hash = {{first = 0x0, no = 0}, {first = 0x0, no = 0}, {
      first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7ba868, no = 2}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7bbe40, 
      no = 1}, {first = 0x0, no = 0} <repeats 2042 times>, {first = 0x7bc0d8, no = 1}, {first = 0x0, no = 0} <repeats 44 times>}}
(gdb) print size
$18 = 32


Is this helpful enough?


Regards,
Walter Doekes
OSSO B.V.
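
An added example (editor's, not OpenSIPS code) to make the state in the dump above concrete. It models fm_malloc's free list with the same link shape (a next pointer plus a prev that holds the address of the link pointing at the frag); the names frag_t, freelist_t, fl_insert, fl_remove and the toy hash are assumptions, not the real f_malloc.c. The unchecked insert reproduces what a second insert of the same frag does to that shape: the frag's next pointer ends up pointing at the frag itself, which is what `print *n` shows (n and nxt_free are both 0x7ba868, and free_hash[8] reports no = 2). The checked variants return an error where the crash site dereferences n->prev.

```c
#include <stddef.h>
#include <string.h>

#define HASH_SIZE 16

/* Same link shape as fm_frag: nxt_free plus a prev that is the address of
 * the pointer that currently points at this frag. */
typedef struct frag {
    size_t size;
    struct frag *nxt_free;   /* fm_frag's u.nxt_free */
    struct frag **prev;      /* fm_frag's prev */
} frag_t;

typedef struct {
    frag_t *first[HASH_SIZE];
    int no[HASH_SIZE];
} freelist_t;

/* Toy bucket function, not the real GET_HASH. */
static size_t get_hash(size_t size) { return (size / 8) % HASH_SIZE; }

/* Link-up with no sanity check, as a small-bucket fm_insert_free does. */
void fl_insert_unchecked(freelist_t *fl, frag_t *n)
{
    frag_t **f = &fl->first[get_hash(n->size)];
    n->prev = f;
    n->nxt_free = *f;
    if (*f) (*f)->prev = &n->nxt_free;
    *f = n;
    fl->no[get_hash(n->size)]++;
}

/* Checked variant: a frag that is still linked (prev != NULL) is being
 * freed a second time. Report it instead of corrupting the list. */
int fl_insert(freelist_t *fl, frag_t *n)
{
    if (n->prev != NULL) return -1;
    fl_insert_unchecked(fl, n);
    return 0;
}

/* The detach from fm_remove_free, plus the NULL check the crash site lacks. */
int fl_remove(freelist_t *fl, frag_t *n)
{
    frag_t **pf = n->prev;
    if (pf == NULL) return -1;       /* "*pf = ..." here is the SIGSEGV at f_malloc.c:172 */
    *pf = n->nxt_free;
    if (n->nxt_free) n->nxt_free->prev = pf;
    n->prev = NULL;                   /* unlinked: a later double free is now detectable */
    n->nxt_free = NULL;
    fl->no[get_hash(n->size)]--;
    return 0;
}

/* Scenario 1: unchecked double insert. Afterwards the frag points at itself
 * and the bucket counts two frags although only one exists. Returns 1 if so. */
int scenario_unchecked_double_free(void)
{
    freelist_t fl; memset(&fl, 0, sizeof fl);
    frag_t a; memset(&a, 0, sizeof a); a.size = 64;
    fl_insert_unchecked(&fl, &a);
    fl_insert_unchecked(&fl, &a);     /* the double free */
    return a.nxt_free == &a && fl.no[get_hash(64)] == 2;
}

/* Scenario 2: the checked insert reports the second free (-1). */
int scenario_checked_double_free(void)
{
    freelist_t fl; memset(&fl, 0, sizeof fl);
    frag_t a; memset(&a, 0, sizeof a); a.size = 64;
    if (fl_insert(&fl, &a) != 0) return -99;
    return fl_insert(&fl, &a);
}

/* Scenario 3: removing a frag whose prev is NULL (pf = 0x0 in `info locals`)
 * is reported (-1) instead of dereferenced. */
int scenario_remove_with_null_prev(void)
{
    freelist_t fl; memset(&fl, 0, sizeof fl);
    frag_t a; memset(&a, 0, sizeof a); a.size = 64;
    fl.first[get_hash(64)] = &a;      /* reachable from the bucket head, prev never set */
    return fl_remove(&fl, &a);
}

/* Scenario 4: a well-formed insert/remove round trip leaves the bucket empty. */
int scenario_round_trip(void)
{
    freelist_t fl; memset(&fl, 0, sizeof fl);
    frag_t a, b; memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    a.size = 64; b.size = 64;
    fl_insert(&fl, &a);
    fl_insert(&fl, &b);               /* list is now b -> a */
    if (fl_remove(&fl, &a) != 0) return -1;
    if (fl_remove(&fl, &b) != 0) return -1;
    return fl.first[get_hash(64)] == NULL && fl.no[get_hash(64)] == 0;
}
```

The two checks are the cheap form of what a memory-debugging build gives you: the second free is reported at the free, while the offending caller is still on the stack, instead of surfacing as a segfault at some later malloc, where the backtrace only shows the victim (uandd_to_uri in the dump above).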

----------------------------------------------------------------------

Comment By: Christophe Sollet (csollet)
Date: 2010-05-21 13:12

Message:
Oops, sorry...
So I just confirm that the patch fixes the issue ;)

Christophe

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2010-05-21 12:15

Message:
Hi Christophe,

you're misled by the top-posting SourceForge comment order ;-)

----------------------------------------------------------------------

Comment By: Christophe Sollet (csollet)
Date: 2010-05-21 11:24

Message:
Hello Andrei,

I've faced the same issue and after enabling DDBG_QM_MALLOC, I got a
"double free" error in presentity.c / contains_presence().
The attached patch should fix this issue. Another way would be to add
"result = NULL" after each pa_dbf.free_result(pa_db, result);. It's the way
I've used to avoid the crash.

So, I don't understand your answer about the fact that the patch is not helpful,
as it may be a double free (indeed it is), since this patch fixes the double
free issue.

Thanks for your help,
Christophe.

----------------------------------------------------------------------

Comment By: Walter Doekes (wdoekes)
Date: 2010-05-19 13:38

Message:
I've attached a patch that should fix a double free. (At the done: label,
the result is always freed, so we can skip the early frees.)
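
An added example (editor's, not the OpenSIPS presentity code and not the attached patch, which is not on this page) of the control-flow shape the two comments above describe: an early exit that frees the DB result and then jumps to a done: label that frees it again. db_res_t, db_query and db_free_result are stand-ins for pa_dbf/pa_db, and the "no rows" early-exit condition is invented for illustration. The three variants are the buggy shape, the "result = NULL after each free" workaround, and the single-free-at-done: shape; the stand-in free counts a second free instead of corrupting anything, so the test can observe it.

```c
#include <stddef.h>

/* Stand-in for a DB result. `freed` lets us observe a second free. */
typedef struct { int rows; int freed; } db_res_t;

static db_res_t pool[8];
static int pool_used;
static int double_frees;

db_res_t *db_query(int rows)
{
    if (pool_used >= 8) return NULL;
    db_res_t *r = &pool[pool_used++];
    r->rows = rows;
    r->freed = 0;
    return r;
}

/* Reports a second free (what a -DDBG_QM_MALLOC build flags as "double
 * free") instead of handing a live frag to the free list twice. NULL is a
 * no-op here; check how the real backend's free_result treats NULL before
 * relying on that. */
void db_free_result(db_res_t *r)
{
    if (r == NULL) return;
    if (r->freed) { double_frees++; return; }
    r->freed = 1;
}

/* BUGGY shape: the early exit frees the result, then jumps to done:,
 * which frees it again. */
int contains_presence_buggy(int rows, int is_active)
{
    int ret = 0;
    db_res_t *result = db_query(rows);
    if (result == NULL) return -1;

    if (result->rows == 0) {          /* nothing stored: answer "no" early */
        db_free_result(result);
        goto done;
    }
    ret = is_active ? 1 : 0;
done:
    db_free_result(result);           /* second free on the early path */
    return ret;
}

/* FIX A (the workaround from the thread): NULL the pointer after each early
 * free so the free at done: has nothing to do. */
int contains_presence_fix_null(int rows, int is_active)
{
    int ret = 0;
    db_res_t *result = db_query(rows);
    if (result == NULL) return -1;

    if (result->rows == 0) {
        db_free_result(result);
        result = NULL;
        goto done;
    }
    ret = is_active ? 1 : 0;
done:
    if (result) db_free_result(result);
    return ret;
}

/* FIX B (the shape Walter describes): no early frees at all; done: is the
 * single owner of the result. */
int contains_presence_fix_single(int rows, int is_active)
{
    int ret = 0;
    db_res_t *result = db_query(rows);
    if (result == NULL) return -1;

    if (result->rows == 0)
        goto done;
    ret = is_active ? 1 : 0;
done:
    db_free_result(result);
    return ret;
}

/* Drive one variant down both paths; returns how many double frees happened. */
int count_double_frees(int (*variant)(int, int))
{
    pool_used = 0;
    double_frees = 0;
    (void)variant(0, 1);    /* empty result: the early-exit path */
    (void)variant(3, 1);    /* rows present: the normal path */
    return double_frees;
}
```

Of the two fixes, the single-owner shape is the one that stays correct as the function grows: every new early exit in the NULL-after-free variant has to remember the assignment, and a forgotten one reintroduces exactly this bug.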

----------------------------------------------------------------------

Comment By: Andrei Dragus (andreidragus)
Date: 2010-05-19 11:41

Message:
This isn't really helpful; this means that there is a memory corruption
somewhere (or a double free).
The only way to find out where it is, is to compile with memory debugging
and reproduce the bug.

See http://www.opensips.org/Resources/DocsTsMem steps 1-4 from "How to
handle it".

If you could try this it would be great,
Thanks.
 

----------------------------------------------------------------------
