[OpenSIPS-Devel] [opensips] Opensips crash on CANCEL on unanswerd call. (2.1-rc2) (#484)

AVFedorov notifications at github.com
Thu May 7 13:24:57 CEST 2015


I added some debug output to t_msgbuilder.h:free_faked_req:

/*
 * Tear down a fake request: release its per-field string buffers, SDP,
 * multi-part body, message callbacks and lumps, then call clean_msg_clone().
 *
 * This copy is instrumented for debugging. The numbered LM_DBG checkpoints
 * (1..14) sit between the release steps, so the last checkpoint that reaches
 * the log identifies the step that aborted.
 *
 * faked_req: the fake request being torn down.
 * t:         the transaction; t->uas.request is the original request whose
 *            lump list heads are compared against those of faked_req.
 *
 * NOTE(review): every checkpoint labels its first value "req_lump", but the
 * argument actually printed is faked_req->reply_lump. The pointers are also
 * passed to %p without a cast to void *.
 */
inline static void free_faked_req(struct sip_msg *faked_req, struct cell *t)
{
        LM_DBG("free_faked_req 1 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        /* The five string buffers below are all released with pkg_free(), so
         * each non-NULL .s is expected to come from the pkg allocator. Per the
         * log posted with this listing, qm_free() aborts the process when it
         * is handed a pointer outside its memory block, which makes a pointer
         * from any other pool fatal here.
         * NOTE(review): presumably the code that builds the fake request must
         * leave only pkg-allocated or NULL pointers in these fields -- verify
         * against fake_req(). */
        if (faked_req->new_uri.s) {
                pkg_free(faked_req->new_uri.s);
                faked_req->new_uri.s = NULL;
        }
        LM_DBG("free_faked_req 2 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        if (faked_req->dst_uri.s) {
                pkg_free(faked_req->dst_uri.s);
                faked_req->dst_uri.s = NULL;
        }
        LM_DBG("free_faked_req 3 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        /* In the posted log, checkpoint 3 is the last one printed: this is
         * the release that qm_free() rejects as a bad pointer.
         * NOTE(review): the rejected address (0x7f35969a77d0) lies close to
         * the transaction cell address in the backtrace (t=0x7f35969a41a8),
         * not near the pkg fragment freed earlier, so path_vec.s looks like
         * it still points into the memory holding the transaction rather than
         * into pkg memory -- confirm where path_vec is set for the fake
         * request. */
        if (faked_req->path_vec.s) {
                pkg_free(faked_req->path_vec.s);
                faked_req->path_vec.s = NULL;
        }
        LM_DBG("free_faked_req 4 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        if (faked_req->set_global_address.s) {
                pkg_free(faked_req->set_global_address.s);
                faked_req->set_global_address.s = NULL;
        }
        LM_DBG("free_faked_req 5 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        if (faked_req->set_global_port.s) {
                pkg_free(faked_req->set_global_port.s);
                faked_req->set_global_port.s = NULL;
        }
        LM_DBG("free_faked_req 6 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);

        /* SDP is not cloned into SHM, so if we have one, it means the SDP
         * was parsed in the fake environment, so we have to free it */
        if (faked_req->sdp)
                free_sdp(&(faked_req->sdp));
        LM_DBG("free_faked_req 7 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);

        /* Release the multi-part body, if one is attached, and clear the
         * pointer so it cannot be freed twice. */
        if (faked_req->multi) {
                free_multi_body(faked_req->multi);
                faked_req->multi = NULL;
        }
        LM_DBG("free_faked_req 8 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);

        /* If callbacks are registered on the fake request, run them with the
         * MSG_DESTROY event. */
        if (faked_req->msg_cb) {
                msg_callback_process(faked_req, MSG_DESTROY, NULL);
        }
        LM_DBG("free_faked_req 9 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);

        /* free all types of lump that were added in failure handlers
         * NOTE(review): LUMPFLAG_SHMEM is presumably the flag that marks
         * lumps to be kept by these calls -- confirm in
         * del_notflaged_lumps(). */
        del_notflaged_lumps( &(faked_req->add_rm), LUMPFLAG_SHMEM );
        LM_DBG("free_faked_req 10 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        del_notflaged_lumps( &(faked_req->body_lumps), LUMPFLAG_SHMEM );
        LM_DBG("free_faked_req 11 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        del_nonshm_lump_rpl( &(faked_req->reply_lump) );
        LM_DBG("free_faked_req 12 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        /* For each of the three lump lists: if a head is still set and it is
         * not the original request's head, release it with shm_free(). A head
         * equal to the original's is left untouched. */
        if (faked_req->add_rm && faked_req->add_rm != t->uas.request->add_rm)
                shm_free(faked_req->add_rm);
        LM_DBG("free_faked_req 13 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        if (faked_req->body_lumps && faked_req->body_lumps != t->uas.request->body_lumps)
                shm_free(faked_req->body_lumps);
        LM_DBG("free_faked_req 14 faked_req->req_lump=%p, t->uas.request->reply_lump=%p\n",faked_req->reply_lump,t->uas.request->reply_lump);
        if (faked_req->reply_lump && faked_req->reply_lump != t->uas.request->reply_lump)
                shm_free(faked_req->reply_lump);

        /* Final cleanup, given the original request and its end marker; what
         * exactly is released is defined by clean_msg_clone() elsewhere. */
        clean_msg_clone( faked_req, t->uas.request, t->uas.end_request);
}

And I get this in the log:

May  7 14:05:46 [29045] DBG:tm:free_faked_req: free_faked_req 1 faked_req->req_lump=(nil), t->uas.request->reply_lump=(nil)
params(0x7f359e3a8010, 0x7f359e47da48), called from t_msgbuilder.h: free_faked_req(217)
freeing frag. 0x7f359e47da18 alloc'ed from t_msgbuilder.h: fake_req(148)
May  7 14:05:46 [29045] DBG:tm:free_faked_req: free_faked_req 2 faked_req->req_lump=(nil), t->uas.request->reply_lump=(nil)
May  7 14:05:46 [29045] DBG:tm:free_faked_req: free_faked_req 3 faked_req->req_lump=(nil), t->uas.request->reply_lump=(nil)
params(0x7f359e3a8010, 0x7f35969a77d0), called from t_msgbuilder.h: free_faked_req(227)
May  7 14:05:46 [29045] CRITICAL:core:qm_free: bad pointer 0x7f35969a77d0 (out of memory block!) - aborting
Aborted (core dumped)

#0  0x00007f359e5db625 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6_6.5.x86_64 keyutils-libs-1.4-5.el6.x86_64 krb5-libs-1.10.3-33.el6.x86_64 libcom_err-1.41.12-21.el6.x86_64 libselinux-2.0.94-5.8.el6.x86_64 mysql-libs-5.1.73-3.el6_5.x86_64 nss-softokn-freebl-3.14.3-22.el6_6.x86_64 openssl-1.0.1e-30.el6_6.7.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x00007f359e5db625 in raise () from /lib64/libc.so.6
#1  0x00007f359e5dce05 in abort () from /lib64/libc.so.6
#2  0x00000000004e875b in qm_free (qm=<value optimized out>, p=0x7f35969a77d0, file=0x7f359a222304 "t_msgbuilder.h", func=<value optimized out>, line=<value optimized out>) at mem/q_malloc.c:459
#3  0x00007f359a215524 in free_faked_req (faked_req=0x7f359a4345c0, t=0x7f35969a41a8) at t_msgbuilder.h:227
#4  0x00007f359a21a08c in run_failure_handlers (Trans=0x7f35969a41a8, new_code=<value optimized out>, branch=<value optimized out>, should_store=0x7fff227582f8, should_relay=0x7fff227582fc, cancel_bitmap=<value optimized out>,
    reply=0x7f359e47ec18) at t_reply.c:587
#5  t_should_relay_response (Trans=0x7f35969a41a8, new_code=<value optimized out>, branch=<value optimized out>, should_store=0x7fff227582f8, should_relay=0x7fff227582fc, cancel_bitmap=<value optimized out>, reply=0x7f359e47ec18)
    at t_reply.c:912
#6  0x00007f359a21b15c in relay_reply (t=0x7f35969a41a8, p_msg=0x7f359e47ec18, branch=0, msg_status=487, cancel_bitmap=0x7fff227583d8) at t_reply.c:1126
#7  0x00007f359a21c6c0 in reply_received (p_msg=0x7f359e47ec18) at t_reply.c:1506
#8  0x0000000000430adc in forward_reply (msg=0x7f359e47ec18) at forward.c:516
#9  0x000000000047f646 in receive_msg (
    buf=0x82e680 "SIP/2.0 487 Request Terminated\r\nVia: SIP/2.0/UDP 192.168.254.93:5060;received=192.168.254.93;rport=5060;branch=z9hG4bK161b.ba138443.0\r\nVia: SIP/2.0/UDP 192.168.254.92:5060;rport=5060;received=192.168."...,
    len=<value optimized out>, rcv_info=<value optimized out>) at receive.c:243
#10 0x000000000056c74a in udp_read_req (si=<value optimized out>, bytes_read=<value optimized out>) at net/proto_udp/proto_udp.c:189
#11 0x000000000056222c in handle_io (si=<value optimized out>) at net/net_udp.c:253
#12 io_wait_loop_epoll (si=<value optimized out>) at net/../io_wait_loop.h:186
#13 udp_rcv_loop (si=<value optimized out>) at net/net_udp.c:301
#14 0x00000000005632ce in udp_start_nofork () at net/net_udp.c:367
#15 0x00000000004397ea in main_loop (argc=<value optimized out>, argv=<value optimized out>) at main.c:665
#16 main (argc=<value optimized out>, argv=<value optimized out>) at main.c:1248

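Now it crashes on pkg_free(faked_req->path_vec.s): checkpoint 3 is the last one logged, and the pointer that qm_free rejects (0x7f35969a77d0) is the one passed from t_msgbuilder.h line 227.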

Vlad, I send you log with memory debug.

---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/484#issuecomment-99820861