Kamailio service crashed occasionally on sock_cb
callback function of http_async_client
module
The crash happens occasionally, no specific conditions have been identified for this issue.
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt full
#0 0x0000ffff9f4205e4 in event_del_ () from /lib64/libevent-2.1.so.6
No symbol table info available.
#1 0x0000ffff9e7c9b24 in sock_cb (e=0xffffa2027ba8, s=9, what=4, cbp=0xffffa1c0fe58, sockp=0xffffa202d258) at http_multi.c:166
g = 0xffffa1c0fe58
cell = 0xffffa202d258
whatstr = {0xffff9e7eb508 "none", 0xffff9e7eb510 "IN", 0xffff9e7eb518 "OUT", 0xffff9e7eb520 "INOUT", 0xffff9e7eb528 "REMOVE"}
__func__ = "sock_cb"
#2 0x0000ffff9e73ffa8 in Curl_multi_closed () from /lib64/libcurl.so.4
No symbol table info available.
#3 0x0000ffff9e73d43c in Curl_closesocket () from /lib64/libcurl.so.4
No symbol table info available.
#4 0x0000ffff9e72c8f8 in conn_free.part () from /lib64/libcurl.so.4
No symbol table info available.
#5 0x0000ffff9e72d544 in Curl_disconnect () from /lib64/libcurl.so.4
No symbol table info available.
#6 0x0000ffff9e740948 in multi_done () from /lib64/libcurl.so.4
No symbol table info available.
#7 0x0000ffff9e742b10 in curl_multi_remove_handle () from /lib64/libcurl.so.4
No symbol table info available.
#8 0x0000ffff9e7c7f2c in event_cb (fd=59, kind=1, userp=0xffffa2027ba8) at http_multi.c:123
error = 0xffff9e7eac70 "TIMEOUT"
g = 0xffffa1c0fe58
rc = 1968268110
easy = 0xffffa2027ba8
cell = 0xffffa202d258
__func__ = "event_cb"
action = 0
#9 0x0000ffff9f423628 in event_process_active_single_queue () from /lib64/libevent-2.1.so.6
No symbol table info available.
#10 0x0000ffff9f423ee8 in event_base_loop () from /lib64/libevent-2.1.so.6
No symbol table info available.
#11 0x0000ffff9e7b7160 in async_http_run_worker (worker=0xffffa1606ed8) at async_http.c:95
ret = 65535
__func__ = "async_http_run_worker"
#12 0x0000ffff9e7dc364 in child_init (rank=0) at http_async_client_mod.c:380
pid = 0
i = 0
__func__ = "child_init"
#13 0x0000000000607fa8 in init_mod_child (m=0xffffb136c2f0, rank=0) at core/sr_module.c:899
--Type <RET> for more, q to quit, c to continue without paging--
ret = 0
__func__ = "init_mod_child"
#14 0x0000000000607b38 in init_mod_child (m=0xffffb136d018, rank=0) at core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#15 0x0000000000607b38 in init_mod_child (m=0xffffb136ead0, rank=0) at core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#16 0x0000000000607b38 in init_mod_child (m=0xffffb13a98f8, rank=0) at core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#17 0x0000000000607b38 in init_mod_child (m=0xffffb140ab28, rank=0) at core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#18 0x0000000000607b38 in init_mod_child (m=0xffffb145ebf8, rank=0) at core/sr_module.c:892
ret = 1
__func__ = "init_mod_child"
#19 0x00000000006089c4 in init_child (rank=0) at core/sr_module.c:953
ret = -783429656
type = 0x923dc0 "PROC_MAIN"
__func__ = "init_child"
#20 0x0000000000433030 in main_loop () at main.c:1843
i = 8
pid = 2823204
si = 0x0
si_desc = "udp receiver child=7 sock=[2605:84c0:48:205:1::6]:5080\000\000\220\036ٰ\377\377\000\000 \321M\321\377\377\000\000h\220\066\261\377\377\000\000\320\377\377\377\200\377\377\377\020\321M\321\377\377\000\000 \321M\321\377\377\000\000 \321M\321\377\377\000\000\360\320M\321\377\377\000\000\320\377\377\377\200\377\377\377"
nrprocs = 8
woneinit = 1
__func__ = "main_loop"
#21 0x000000000043f4e8 in main (argc=11, argv=0xffffd14dd6a8) at main.c:3086
cfg_stream = 0xc2502a0
c = -1
r = 0
tmp = 0xffffd14dfe34 ""
tmp_len = 0
port = 0
proto = 65535
ahost = 0x0
--Type <RET> for more, q to quit, c to continue without paging--
aport = 0
options = 0x8e7c08 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
ret = -1
seed = 203142350
rfd = 4
debug_save = 0
debug_flag = 0
dont_fork_cnt = 2
n_lst = 0xffffffff
p = 0xffffb3d34348 <__libc_start_main+160> ""
st = {st_dev = 25, st_ino = 18459, st_mode = 16877, st_nlink = 3, st_uid = 0, st_gid = 987, st_rdev = 0, __pad1 = 0, st_size = 80, st_blksize = 65536,
__pad2 = 0, st_blocks = 0, st_atim = {tv_sec = 1707863213, tv_nsec = 9999979}, st_mtim = {tv_sec = 1729635590, tv_nsec = 702238079}, st_ctim = {
tv_sec = 1729635598, tv_nsec = 32030431}, __glibc_reserved = {0, 0}}
tbuf = '\000' <repeats 56 times>, "x\376\b\264\377\377\000\000h\376\b\264\377\377\000\000\b\376\b\264\377\377\000\000(\376\b\264\377\377\000\000\070\376\b\264\377\377\000\000\250\376\b\264\377\377\000\000\270\376\b\264\377\377\000\000\310\376\b\264\377\377\000\000H\376\b\264\377\377\000\000X\376\b\264\377\377", '\000' <repeats 18 times>, "\330\375\b\264\377\377", '\000' <repeats 42 times>...
option_index = 12
long_options = {{name = 0x8e9fe0 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x8e4e48 "version", has_arg = 0, flag = 0x0, val = 118}, {
name = 0x8e9fe8 "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x8e9ff0 "subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x8e9ff8 "substdef",
has_arg = 1, flag = 0x0, val = 1026}, {name = 0x8ea008 "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x8ea018 "server-id", has_arg = 1,
flag = 0x0, val = 1028}, {name = 0x8ea028 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x8ea038 "modparam", has_arg = 1, flag = 0x0,
val = 1030}, {name = 0x8ea048 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x8ea058 "debug", has_arg = 1, flag = 0x0, val = 1032}, {
name = 0x8ea060 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x8ea070 "atexit", has_arg = 1, flag = 0x0, val = 1034}, {
name = 0x8ea078 "all-errors", has_arg = 0, flag = 0x0, val = 1035}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
__func__ = "main"
(gdb) f 8
#8 0x0000ffff9e7c7f2c in event_cb (fd=59, kind=1, userp=0xffffa2027ba8) at http_multi.c:123
123 curl_multi_remove_handle(g->multi, easy);
(gdb) f 1
#1 0x0000ffff9e7c9b24 in sock_cb (e=0xffffa2027ba8, s=9, what=4, cbp=0xffffa1c0fe58, sockp=0xffffa202d258) at http_multi.c:166
166 event_del(cell->ev);
(gdb) p cell
$1 = (struct http_m_cell *) 0xffffa202d258
(gdb) p cell->ev
$2 = (struct event *) 0x92fbf0
(gdb) p *cell->ev
$3 = {type = 1701998435, name = {s = 0x615f7273752f6572 <error: Cannot access memory at address 0x615f7273752f6572>, len = 1663987830}, params = {hooks = {contact = {
expires = 0x7273752f65726f63, q = 0x632e7076615f, methods = 0x5b203e65726f633c, received = 0x7273752f65726f63, instance = 0x393a632e7076615f,
reg_id = 0x203a5d32, ob = 0x6f6e20646c756f63, flags = 0x61636f6c6c612074}, uri = {transport = 0x7273752f65726f63, lr = 0x632e7076615f, r2 = 0x5b203e65726f633c,
maddr = 0x7273752f65726f63, ttl = 0x393a632e7076615f, dstip = 0x203a5d32, dstport = 0x6f6e20646c756f63, ftag = 0x61636f6c6c612074, ob = 0x6572616873206574},
event_dialog = {call_id = 0x7273752f65726f63, from_tag = 0x632e7076615f, to_tag = 0x5b203e65726f633c, include_session_description = 0x7273752f65726f63,
sla = 0x393a632e7076615f, ma = 0x203a5d32}}, list = 0x79726f6d656d2064}}
As it's seen in the stack backtrace the cell
object is already released at the moment when event_del
with this object is called.
[centos@esrp-1b ~]$ kamailio -v
version: kamailio 5.7.2 (aarch64/linux) 968dbe
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT-NOSMP, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 968dbe
compiled on 19:25:05 Nov 10 2023 with gcc 8.5.0
[centos@esrp-1b ~]$ cat /etc/centos-release
CentOS Stream release 8
[centos@esrp-1b ~]$ uname -a
Linux esrp-1b.fl.base911.com 4.18.0-536.el8.aarch64 #1 SMP Thu Jan 18 15:21:54 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.