<p>I add some debug to t_msgbuilder.h:free_faked_req</p>

<p>inline static void free_faked_req(struct sip_msg *faked_req, struct cell *t)<br>
{<br>
        LM_DBG("free_faked_req 1 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);<br>
        if (faked_req-&gt;new_uri.s) {<br>
                pkg_free(faked_req-&gt;new_uri.s);<br>
                faked_req-&gt;new_uri.s = NULL;<br>
        }<br>
        LM_DBG("free_faked_req 2 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);<br>
        if (faked_req-&gt;dst_uri.s) {<br>
                pkg_free(faked_req-&gt;dst_uri.s);<br>
                faked_req-&gt;dst_uri.s = NULL;<br>
        }<br>
        LM_DBG("free_faked_req 3 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);<br>
        if (faked_req-&gt;path_vec.s) {<br>
                pkg_free(faked_req-&gt;path_vec.s);<br>
                faked_req-&gt;path_vec.s = NULL;<br>
        }<br>
        LM_DBG("free_faked_req 4 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);<br>
        if (faked_req-&gt;set_global_address.s) {<br>
                pkg_free(faked_req-&gt;set_global_address.s);<br>
                faked_req-&gt;set_global_address.s = NULL;<br>
        }<br>
        LM_DBG("free_faked_req 5 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);<br>
        if (faked_req-&gt;set_global_port.s) {<br>
                pkg_free(faked_req-&gt;set_global_port.s);<br>
                faked_req-&gt;set_global_port.s = NULL;<br>
        }<br>
        LM_DBG("free_faked_req 6 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);</p>

<pre><code>    /* SDP in not cloned into SHM, so if we have one, it means the SDP
     * was parsed in the fake environment, so we have to free it */
    if (faked_req-&gt;sdp)
            free_sdp(&amp;(faked_req-&gt;sdp));
    LM_DBG("free_faked_req 7 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);

    if (faked_req-&gt;multi) {
            free_multi_body(faked_req-&gt;multi);
            faked_req-&gt;multi = NULL;
    }
    LM_DBG("free_faked_req 8 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);

    if (faked_req-&gt;msg_cb) {
            msg_callback_process(faked_req, MSG_DESTROY, NULL);
    }
    LM_DBG("free_faked_req 9 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);

    /* free all types of lump that were added in failure handlers */
    del_notflaged_lumps( &amp;(faked_req-&gt;add_rm), LUMPFLAG_SHMEM );
    LM_DBG("free_faked_req 10 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);
    del_notflaged_lumps( &amp;(faked_req-&gt;body_lumps), LUMPFLAG_SHMEM );
    LM_DBG("free_faked_req 11 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);
    del_nonshm_lump_rpl( &amp;(faked_req-&gt;reply_lump) );
    LM_DBG("free_faked_req 12 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);
    if (faked_req-&gt;add_rm &amp;&amp; faked_req-&gt;add_rm != t-&gt;uas.request-&gt;add_rm)
            shm_free(faked_req-&gt;add_rm);
    LM_DBG("free_faked_req 13 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);
    if (faked_req-&gt;body_lumps &amp;&amp; faked_req-&gt;body_lumps != t-&gt;uas.request-&gt;body_lumps)
            shm_free(faked_req-&gt;body_lumps);
    LM_DBG("free_faked_req 14 faked_req-&gt;req_lump=%p, t-&gt;uas.request-&gt;reply_lump=%p\n",faked_req-&gt;reply_lump,t-&gt;uas.request-&gt;reply_lump);
    if (faked_req-&gt;reply_lump &amp;&amp; faked_req-&gt;reply_lump != t-&gt;uas.request-&gt;reply_lump)
            shm_free(faked_req-&gt;reply_lump);

    clean_msg_clone( faked_req, t-&gt;uas.request, t-&gt;uas.end_request);
</code></pre>

<p>}</p>

<p>And I get in log this:</p>

<p>May  7 14:05:46 [29045] DBG<img class="emoji" title=":tm:" alt=":tm:" src="https://assets-cdn.github.com/images/icons/emoji/unicode/2122.png" height="20" width="20" align="absmiddle">free_faked_req: free_faked_req 1 faked_req-&gt;req_lump=(nil), t-&gt;uas.request-&gt;reply_lump=(nil)<br>
params(0x7f359e3a8010, 0x7f359e47da48), called from t_msgbuilder.h: free_faked_req(217)<br>
freeing frag. 0x7f359e47da18 alloc'ed from t_msgbuilder.h: fake_req(148)<br>
May  7 14:05:46 [29045] DBG<img class="emoji" title=":tm:" alt=":tm:" src="https://assets-cdn.github.com/images/icons/emoji/unicode/2122.png" height="20" width="20" align="absmiddle">free_faked_req: free_faked_req 2 faked_req-&gt;req_lump=(nil), t-&gt;uas.request-&gt;reply_lump=(nil)<br>
May  7 14:05:46 [29045] DBG<img class="emoji" title=":tm:" alt=":tm:" src="https://assets-cdn.github.com/images/icons/emoji/unicode/2122.png" height="20" width="20" align="absmiddle">free_faked_req: free_faked_req 3 faked_req-&gt;req_lump=(nil), t-&gt;uas.request-&gt;reply_lump=(nil)<br>
params(0x7f359e3a8010, 0x7f35969a77d0), called from t_msgbuilder.h: free_faked_req(227)<br>
May  7 14:05:46 [29045] CRITICAL:core:qm_free: bad pointer 0x7f35969a77d0 (out of memory block!) - aborting<br>
Aborted (core dumped)</p>

<p>#0  0x00007f359e5db625 in raise () from /lib64/libc.so.6<br>
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6_6.5.x86_64 keyutils-libs-1.4-5.el6.x86_64 krb5-libs-1.10.3-33.el6.x86_64 libcom_err-1.41.12-21.el6.x86_64 libselinux-2.0.94-5.8.el6.x86_64 mysql-libs-5.1.73-3.el6_5.x86_64 nss-softokn-freebl-3.14.3-22.el6_6.x86_64 openssl-1.0.1e-30.el6_6.7.x86_64 zlib-1.2.3-29.el6.x86_64<br>
(gdb) bt<br>
#0  0x00007f359e5db625 in raise () from /lib64/libc.so.6<br>
<a href="https://github.com/OpenSIPS/opensips/issues/1" class="issue-link" title="Dummy ticket">#1</a>  0x00007f359e5dce05 in abort () from /lib64/libc.so.6<br>
<a href="https://github.com/OpenSIPS/opensips/issues/2" class="issue-link" title="Dummy issue">#2</a>  0x00000000004e875b in qm_free (qm=, p=0x7f35969a77d0, file=0x7f359a222304 "t_msgbuilder.h", func=, line=) at mem/q_malloc.c:459<br>
<a href="https://github.com/OpenSIPS/opensips/pull/3" class="issue-link" title="Compilation problem under CentOS 6">#3</a>  0x00007f359a215524 in free_faked_req (faked_req=0x7f359a4345c0, t=0x7f35969a41a8) at t_msgbuilder.h:227<br>
<a href="https://github.com/OpenSIPS/opensips/pull/4" class="issue-link" title="Compilation problem under CentOS 6">#4</a>  0x00007f359a21a08c in run_failure_handlers (Trans=0x7f35969a41a8, new_code=, branch=, should_store=0x7fff227582f8, should_relay=0x7fff227582fc, cancel_bitmap=,<br>
    reply=0x7f359e47ec18) at t_reply.c:587<br>
<a href="https://github.com/OpenSIPS/opensips/pull/5" class="issue-link" title="spec file update to CentOS 6">#5</a>  t_should_relay_response (Trans=0x7f35969a41a8, new_code=, branch=, should_store=0x7fff227582f8, should_relay=0x7fff227582fc, cancel_bitmap=, reply=0x7f359e47ec18)<br>
    at t_reply.c:912<br>
<a href="https://github.com/OpenSIPS/opensips/issues/6" class="issue-link" title="Wrong password column used for authentication">#6</a>  0x00007f359a21b15c in relay_reply (t=0x7f35969a41a8, p_msg=0x7f359e47ec18, branch=0, msg_status=487, cancel_bitmap=0x7fff227583d8) at t_reply.c:1126<br>
<a href="https://github.com/OpenSIPS/opensips/pull/7" class="issue-link" title="b2bua: Add AVP-based authentication">#7</a>  0x00007f359a21c6c0 in reply_received (p_msg=0x7f359e47ec18) at t_reply.c:1506<br>
<a href="https://github.com/OpenSIPS/opensips/issues/8" class="issue-link" title="Flag to set string to lower for RURI/From/To/Contact">#8</a>  0x0000000000430adc in forward_reply (msg=0x7f359e47ec18) at forward.c:516<br>
<a href="https://github.com/OpenSIPS/opensips/issues/9" class="issue-link" title="segfault on fm_malloc">#9</a>  0x000000000047f646 in receive_msg (<br>
    buf=0x82e680 "SIP/2.0 487 Request Terminated\r\nVia: SIP/2.0/UDP 192.168.254.93:5060;received=192.168.254.93;rport=5060;branch=z9hG4bK161b.ba138443.0\r\nVia: SIP/2.0/UDP 192.168.254.92:5060;rport=5060;received=192.168."...,<br>
    len=, rcv_info=) at receive.c:243<br>
<a href="https://github.com/OpenSIPS/opensips/issues/10" class="issue-link" title="Set exchange and routing-key for event_rabbitmq module">#10</a> 0x000000000056c74a in udp_read_req (si=, bytes_read=) at net/proto_udp/proto_udp.c:189<br>
<a href="https://github.com/OpenSIPS/opensips/issues/11" class="issue-link" title="Set exchange and routing-key for the event_rabbitmq module">#11</a> 0x000000000056222c in handle_io (si=) at net/net_udp.c:253<br>
<a href="https://github.com/OpenSIPS/opensips/pull/12" class="issue-link" title="Install Notes">#12</a> io_wait_loop_epoll (si=) at net/../io_wait_loop.h:186<br>
<a href="https://github.com/OpenSIPS/opensips/pull/13" class="issue-link" title="1.8">#13</a> udp_rcv_loop (si=) at net/net_udp.c:301<br>
<a href="https://github.com/OpenSIPS/opensips/pull/14" class="issue-link" title="Added presence federation algorithm.">#14</a> 0x00000000005632ce in udp_start_nofork () at net/net_udp.c:367<br>
<a href="https://github.com/OpenSIPS/opensips/pull/15" class="issue-link" title="Ds better pua dialoginfo">#15</a> 0x00000000004397ea in main_loop (argc=, argv=) at main.c:665<br>
<a href="https://github.com/OpenSIPS/opensips/pull/16" class="issue-link" title="Fix PUA module so that it sends a final PUBLISH on expiration.">#16</a> main (argc=, argv=) at main.c:1248</p>

<p>Now it is crashed on pkg_free(faked_req-&gt;path_vec.s)</p>

<p>Vlad, I send you log with memory debug.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br>Reply to this email directly or <a href="https://github.com/OpenSIPS/opensips/issues/484#issuecomment-99820861">view it on GitHub</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AFOciZeZU8hXNV4TiSdYo0fPetSVWkXCks5oG0MJgaJpZM4ELmBx.gif" width="1" /></p>
<div itemscope itemtype="http://schema.org/EmailMessage">
  <div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
    <link itemprop="url" href="https://github.com/OpenSIPS/opensips/issues/484#issuecomment-99820861"></link>
    <meta itemprop="name" content="View Issue"></meta>
  </div>
  <meta itemprop="description" content="View this Issue on GitHub"></meta>
</div>