Re: [sr-dev] Crash bug

19 Mar 2015

Hello,

why do you think it is a problem in frame 5?

Send the bt full for at least the first 3 frames.

Cheers,
Daniel

On 19/03/15 19:49, Alex Balashov wrote:
...
  Hello,

 I'm running kamailio:4.2:df86f2a9a09339687af5914b85fe8bd8f8f1f575 and
 am getting a periodic crash, once every few days, in response to a
 CANCEL message.

 The basic back trace is like this:

 (gdb) where
 #0  0x000000000044fed2 in del_nonshm_lump (lump_list=0x7f48f5681440)
     at data_lump.c:677
 #1  0x00007f48f5404a15 in free_faked_req (faked_req=0x7f48f5680ea0,
     t=0x7f46ee6faeb0) at t_reply.c:975
 #2  0x00007f48f5405bdf in run_failure_handlers (t=0x7f46ee6faeb0,
     rpl=0xffffffffffffffff, code=487, extra_flags=0) at t_reply.c:1061
 #3  0x00007f48f54084e4 in t_should_relay_response (Trans=0x7f46ee6faeb0,
     new_code=487, branch=0, should_store=0x7fffce5605e0,
     should_relay=0x7fffce5605e4, cancel_data=0x7fffce5606b0,
     reply=0xffffffffffffffff) at t_reply.c:1406
 #4  0x00007f48f540b045 in relay_reply (t=0x7f46ee6faeb0,
     p_msg=0xffffffffffffffff, branch=0, msg_status=487,
     cancel_data=0x7fffce5606b0, do_put_on_wait=1) at t_reply.c:1809
 #5  0x00007f48f5386832 in cancel_branch (t=0x7f46ee6faeb0, branch=0,
     reason=0x0, flags=10) at t_cancel.c:276
 #6  0x00007f48f53aff4a in e2e_cancel (cancel_msg=0x7f48f68d69d8,
     t_cancel=0x7f46ee8d9c30, t_invite=0x7f46ee6faeb0) at t_fwd.c:1373
 #7  0x00007f48f53b4bd0 in t_relay_cancel (p_msg=0x7f48f68d69d8) at
 t_fwd.c:1967
 #8  0x00007f48f53deaa7 in w_t_relay_cancel (p_msg=0x7f48f68d69d8,
 _foo=0x0,
     _bar=0x0) at tm.c:1743
 #9  0x000000000041d364 in do_action (h=0x7fffce560fc0, a=0x7f48f6689f70,
     msg=0x7f48f68d69d8) at action.c:1088
 #10 0x0000000000429a7a in run_actions (h=0x7fffce560fc0,
 a=0x7f48f6689f70,
     msg=0x7f48f68d69d8) at action.c:1583
 #11 0x000000000042a0df in run_actions_safe (h=0x7fffce5622b0,
     a=0x7f48f6689f70, msg=0x7f48f68d69d8) at action.c:1648
 #12 0x0000000000541158 in rval_get_int (h=0x7fffce5622b0,
 msg=0x7f48f68d69d8,
     i=0x7fffce561498, rv=0x7f48f668a1e0, cache=0x0) at rvalue.c:924
 #13 0x0000000000545390 in rval_expr_eval_int (h=0x7fffce5622b0,
     msg=0x7f48f68d69d8, res=0x7fffce561498, rve=0x7f48f668a1d8)
     at rvalue.c:1918
 #14 0x0000000000545786 in rval_expr_eval_int (h=0x7fffce5622b0,
     msg=0x7f48f68d69d8, res=0x7fffce561920, rve=0x7f48f668a948)
     at rvalue.c:1926
 #15 0x000000000041ce4e in do_action (h=0x7fffce5622b0, a=0x7f48f668c260,
     msg=0x7f48f68d69d8) at action.c:1064
 #16 0x0000000000429a7a in run_actions (h=0x7fffce5622b0,
 a=0x7f48f6689808,
     msg=0x7f48f68d69d8) at action.c:1583
 #17 0x000000000041d2cd in do_action (h=0x7fffce5622b0, a=0x7f48f668c960,
     msg=0x7f48f68d69d8) at action.c:1079
 #18 0x0000000000429a7a in run_actions (h=0x7fffce5622b0,
 a=0x7f48f667c628,
     msg=0x7f48f68d69d8) at action.c:1583
 #19 0x000000000042a1a7 in run_top_route (a=0x7f48f667c628,
 msg=0x7f48f68d69d8,
     c=0x0) at action.c:1669
 #20 0x0000000000507e1a in receive_msg (
     buf=0xa6f760 "CANCEL sip:yyy@xxx:5060 SIP/2.0\r\nVia: SIP
 /2.0/UDP xxx:5060;branch=z9hG4bK08f.3dc6f0e1.0\r\nFrom: \"yyy\"
 <sip:yyy@xxx>;tag=D78eD8FB3SDgc\r\nCall-ID:
 e5e48a99-48dd-1233-96b7-782bcb13da6a\r\nTo:
 <sip:xxx@xxx:5060>\r\nCSeq: 73049624 CANCEL\r\nMax-Forwards:
 32\r\nUser-Agent: OpenSIPS (1.9.1-notls
 (x86_64/linux))\r\nContent-Length: 0\r\n\r\n", len=394,
 rcv_info=0x7fffce5625a0)
     at receive.c:216
 #21 0x00000000006074ae in udp_rcv_loop () at udp_server.c:521
 #22 0x00000000004a5f0b in main_loop () at main.c:1629
 #23 0x00000000004ab8bf in main (argc=11, argv=0x7fffce5629c8) at
 main.c:2578

 I'll send a 'thread apply all bt full' privately due to the amount of
 private addresses in there, but a quick glance suggests a possible
 problem is here:

 #5  0x00007f48f5386832 in cancel_branch (t=0x7f46ee6faeb0, branch=0,
     reason=0x0, flags=10) at t_cancel.c:276
         cancel = 0x1 <Address 0x1 out of bounds>
         len = 32584
         crb = 0x7f46ee6fb0b0
         irb = 0x7f46ee6fb028
         ret = 1
         tmp_cd = {cancel_bitmap = 0, reason = {cause = 0, u = {text = {
                 s = 0x0, len = 0}, e2e_cancel = 0x0, packed_hdrs = {s
 = 0x0,
                 len = 0}}}}
         pcbuf = 0x7f46ee6fb0c0
         __FUNCTION__ = "cancel_branch"
 #6  0x00007f48f53aff4a in e2e_cancel (cancel_msg=0x7f48f68d69d8,
     t_cancel=0x7f46ee8d9c30, t_invite=0x7f46ee6faeb0) at t_fwd.c:1373
         cancel_bm = 1
         reason = 0x0
         free_reason = 0
         i = 0
         lowest_error = 0
         ret = 32584
         tmcb = {req = 0x137f66ce710, rpl = 0x7f48f68d69d8, param =
 0xf48ab828,
           code = -158504488, flags = 32584, branch = 0,
           t_rbuf = 0xf80f668f9a0, dst = 0xce5622b0, send_buf = {
             s = 0x1ffffffff <Address 0x1ffffffff out of bounds>,
             len = -304107664}}
         __FUNCTION__ = "e2e_cancel"
 #7  0x00007f48f53b4bd0 in t_relay_cancel (p_msg=0x7f48f68d69d8) at
 t_fwd.c:1967
         t_invite = 0x7f46ee6faeb0
         t = 0x7f46ee8d9c30
         ret = -323705680
         new_tran = 1

 Thanks,

 -- Alex

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Re: [sr-dev] Crash bug