[OpenSIPS-Users] OpenSIPS 3.1 - raise_event() crashes OpenSIPS with segmentation fault

Mark Allen mark at allenclan.co.uk
Tue Jul 28 13:56:57 EST 2020 

We're upgrading from 3.0 to 3.1. Everything seems ok except we get a weird
error. We subscribe a dynamic event...

    startup_route {
      subscribe_event("E_WFC_REGISTERED", "udp:127.0.0.1:8888");
    }

which we can see works from /var/log/syslog...

    event_datagram:mod_init: initializing module ...
    core:evi_publish_event: Registered event <E_WFC_REGISTERED(20)

and in the script we invoke it with...

    if(is_method("REGISTER")) {
        $avp(values) = "true";
        xlog("Raised E_WFC_REGISTERED $avp(values)");
        raise_event("E_WFC_REGISTERED",$avp(values));

When a phone registers, raise_event() is triggered and OpenSIPS crashes
with a segmentation fault - shown in /var/log/syslog...

    Raised E_WFC_REGISTERED true
    CRITICAL:core:sig_usr: segfault in process pid: 10525, id: 8
    segfault at 8 ip 000055cef821313f sp 00007ffcdf4d3410 error 4 in
opensips[55cef801a000+264000]
    kernel: [197593.785622] Code: 0e 00 4c 89 ef e8 1b 70 fc ff 49 63 74 24
08 49 8b 3c 24 e8 51 a1 fc ff 48 89 c2 48 8d 35 8f 0d 07 00 4c 89 ef e8 fb
6f fc ff <49> 8b 46 08 48 85 c0 74 0b 48 83 78 18 00 0f 84 a5 02 00 00 e8 34
    INFO:core:handle_sigs: child process 10525 exited by a signal 11
    INFO:core:handle_sigs: core was generated
    INFO:core:handle_sigs: terminating due to SIGCHLD

If I comment out the raise_event() line - OpenSIPS seems fine and doesn't
crash when passing through this code.



Running gdb to get core file backtrace we see...

Core was generated by `/usr/sbin/opensips -P /run/opensips/opensips.pid -f
/etc/opensips/opensips.cfg'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  evi_build_payload (params=0x0, method=0x7f931f5b6f08, id=id at entry=0,
extra_param_k=extra_param_k at entry=0x0,
    extra_param_v=extra_param_v at entry=0x0) at evi/evi_transport.c:159
159             if (params->first && !params->first->name.s) {
(gdb) bt full
#0  evi_build_payload (params=0x0, method=0x7f931f5b6f08, id=id at entry=0,
extra_param_k=extra_param_k at entry=0x0,
    extra_param_v=extra_param_v at entry=0x0) at evi/evi_transport.c:159
        param = <optimized out>
        param_obj = 0x0
        tmp = <optimized out>
        ret_obj = 0x7f9323135fe0
        payload = 0x0
        __FUNCTION__ = "evi_build_payload"
#1  0x00007f931b7d934f in datagram_raise (msg=<optimized out>,
ev_name=<optimized out>, sock=0x7f931f5c54c8, params=<optimized out>)
    at event_datagram.c:315
        ret = <optimized out>
        buf = <optimized out>
        __FUNCTION__ = "datagram_raise"
#2  0x000055cef82148fb in evi_raise_event_msg (msg=msg at entry=0x7f9323134890,
id=id at entry=20, params=params at entry=0x0)
    at evi/event_interface.c:208
        subs = 0x7f931f5c55a8
        prev = <optimized out>
        now = 1595943308
        flags = 1073741838
        pflags = 0
        ret = 0
        __FUNCTION__ = "evi_raise_event_msg"
#3  0x000055cef8216afb in evi_raise_script_event (msg=0x7f9323134890,
id=20, _a=<optimized out>, _v=<optimized out>)
    at evi/event_interface.c:430
        vals = <optimized out>
        attrs = <optimized out>
        v_avp = <optimized out>
        a_avp = <optimized out>
        err = <optimized out>
        val = {n = 587654904, s = {s = 0x7f932306e6f8 "\002", len =
-133061172}}
        attr = {n = 0, s = {s = 0x0, len = -133445686}}
        at = <optimized out>
        params = 0x0
        __FUNCTION__ = "evi_raise_script_event"
#4  0x000055cef8068c5f in w_raise_event (msg=<optimized out>,
ev_id=<optimized out>, attrs_avp=<optimized out>,
    vals_avp=<optimized out>) at core_cmds.c:1204
        __FUNCTION__ = "w_raise_event"
#5  0x000055cef8086199 in do_action (a=0x7f932304d020, msg=0x7f9323134890)
at action.c:972
        ret = <optimized out>
        v = <optimized out>
        i = <optimized out>
        len = <optimized out>
        cmatch = <optimized out>
        aitem = <optimized out>
        adefault = <optimized out>
        spec = <optimized out>
        val = {rs = {s = 0x7f932304c748 "\002", len = 0}, ri = -129751552,
flags = 21966}
        start = {tv_sec = 94347416839552, tv_usec = 140269924432168}
        end_time = <optimized out>
        cmd = 0x55cef832c550 <core_cmds+11280>
        acmd = <optimized out>
        cmdp = {0x14, 0x7f932304cf88, 0x0, 0x2, 0x7f9323134890,
0x55cef80bb253 <eval_elem+1256>, 0x1, 0xc}
        tmp_vals = {{rs = {s = 0x400000000 <error: Cannot access memory at
address 0x400000000>, len = 587509104}, ri = 18, flags = 0}, {rs = {s =
0x7f9323134890 "\001", len = 587509104}, ri = 588466320, flags = 32659},
{rs = {s = 0x55cef8442600 <_oser_err_info> "", len = -133061748}, ri =
-131568035, flags = 21966}, {rs = {s = 0x3 <error: Cannot access memory at
address 0x3>, len = 587512256}, ri = 3, flags = 0}, {rs = {s =
0x7ffcdf4d3790 "\220H\023#\223\177", len = 587509104}, ri = -131568035,
flags = 21966}, {rs = {s = 0x3 <error: Cannot access memory at address
0x3>, len = 0}, ri = 587655824, flags = 32659}, {rs = {s = 0x0, len =
588466320}, ri = 0, flags = 0}, {rs = {s = 0x55cef80baba7 <eval_expr+300>
"A\211\304D\213\005\277\355'", len = 593194504}, ri = 2, flags = 0}}
        sval = {s = 0x7ffcdf4d3730 "]n(\370\316U", len = 587515424}
        __FUNCTION__ = "do_action"

(full backtrace is available)

Build is taken from 3.1 branch on GitHub
Server is running Debian 10 (Buster)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20200728/53e1b1e9/attachment-0001.html>

More information about the Users mailing list