Hi,
We've observed the following crash in ser (0.8.10 on FreeBSD, built with DBG_QM_MALLOC). Do you have any ideas what
the cause could be? From the backtrace it looks like qm_debug_frag detected that the end-of-fragment check pattern of the
`ack` buffer was already overwritten when t_on_reply freed it (t_reply.c:826) — i.e. something appears to have written past
the end of the buffer returned by build_ack while handling a received "488 Not Acceptable Here" reply. The segfault itself
happens inside qm_status while it walks the free list, which presumably is a secondary crash on the already-corrupted heap
rather than the root cause.
I'm keeping the core file and the binary compiled with debug symbols, so
don't hesitate to contact me if any additional information is
necessary.
Thank you in advance!
-Maxim
Script started on Fri Feb 21 05:43:09 2003
bash-2.05a$ gdb ~/sip/ser/work/ser-0.8.10/ser ser.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called
at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in
elfstab_build_psymtabs
Deprecated bfd_read called at
/usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in
fill_symbuf
Core was generated by `ser'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/local/lib/ser/modules/sl.so...done.
Reading symbols from /usr/local/lib/ser/modules/tm.so...done.
Reading symbols from /usr/local/lib/ser/modules/rr.so...done.
Reading symbols from /usr/local/lib/ser/modules/maxfwd.so...done.
Reading symbols from /usr/local/lib/ser/modules/usrloc.so...done.
Reading symbols from /usr/local/lib/ser/modules/registrar.so...done.
Reading symbols from /usr/local/lib/ser/modules/nathelper.so...done.
Reading symbols from /usr/local/lib/ser/modules/textops.so...done.
Reading symbols from /usr/local/lib/ser/modules/radius_auth.so...done.
Reading symbols from /usr/local/lib/libradiusclient.so.0...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 0x807bdd3 in qm_status (qm=0x2816d000) at mem/q_malloc.c:447
447 f!=&(qm->free_hash[h].head); f=f->u.nxt_free, i++, j++);
(gdb) bt
#0 0x807bdd3 in qm_status (qm=0x2816d000) at mem/q_malloc.c:447
#1 0x8079a70 in qm_debug_frag (qm=0x2816d000, f=0x282fd0a4) at mem/q_malloc.c:109
#2 0x807ab37 in qm_free (qm=0x2816d000, p=0x282fd0bc, file=0x2a197a2d
"t_reply.c",
func=0x2a197e28 "t_on_reply", line=826) at mem/q_malloc.c:359
#3 0x2a188000 in t_on_reply (p_msg=0x80dfe30) at t_reply.c:826
#4 0x805933a in forward_reply (msg=0x80dfe30) at forward.c:346
#5 0x806af1c in receive_msg (buf=0x80c3340 "SIP/2.0", len=360,
src_su=0x81dafa0) at receive.c:161
#6 0x8077ff0 in udp_rcv_loop () at udp_server.c:336
#7 0x805eaa5 in main_loop () at main.c:618
#8 0x806197d in main (argc=1, argv=0xbfbffc04) at main.c:1383
#9 0x804c5bd in _start ()
(gdb) up
#1 0x8079a70 in qm_debug_frag (qm=0x2816d000, f=0x282fd0a4) at mem/q_malloc.c:109
109 qm_status(qm);
(gdb) l
104 };
105 if ((FRAG_END(f)->check1!=END_CHECK_PATTERN1)||
106 (FRAG_END(f)->check2!=END_CHECK_PATTERN2)){
107 LOG(L_CRIT, "BUG: qm_*: fragm. %p end overwritten(%x, %x)!\n",
108 f, FRAG_END(f)->check1, FRAG_END(f)->check2);
109 qm_status(qm);
110 abort();
111 }
112 if ((f>qm->first_frag)&&
113 ((PREV_FRAG_END(f)->check1!=END_CHECK_PATTERN1) ||
(gdb) up
#2 0x807ab37 in qm_free (qm=0x2816d000, p=0x282fd0bc, file=0x2a197a2d
"t_reply.c",
func=0x2a197e28 "t_on_reply", line=826) at mem/q_malloc.c:359
359 qm_debug_frag(qm, f);
(gdb) l
354 return;
355 }
356 prev=next=0;
357 f=(struct qm_frag*) ((char*)p-sizeof(struct qm_frag));
358 #ifdef DBG_QM_MALLOC
359 qm_debug_frag(qm, f);
360 if (f->u.is_free){
361 LOG(L_CRIT, "BUG: qm_free: freeing already freed pointer,"
362 " first free: %s: %s(%d) - aborting\n",
363 f->file, f->func, f->line);
(gdb) up
#3 0x2a188000 in t_on_reply (p_msg=0x80dfe30) at t_reply.c:826
826 shm_free(ack);
(gdb) l
821 /* acknowledge negative INVITE replies */
822 if (t->is_invite && (msg_status>=300 || (t->local &&
msg_status>=200))) {
823 ack = build_ack( p_msg, t, branch , &ack_len);
824 if (ack) {
825 SEND_PR_BUFFER( &uac->request, ack, ack_len );
826 shm_free(ack);
827 }
828 } /* ack-ing negative INVITE replies */
829
830 /* clean-up the transaction when transaction completed */
(gdb) up
#4 0x805933a in forward_reply (msg=0x80dfe30) at forward.c:346
346 if (mod->exports->response_f(msg)==0) goto skip;
(gdb) l
341 /* quick hack, slower for mutliple modules*/
342 for (mod=modules;mod;mod=mod->next){
343 if ((mod->exports) && (mod->exports->response_f)){
344 DBG("forward_reply: found module %s, passing reply to it\n",
345 mod->exports->name);
346 if (mod->exports->response_f(msg)==0) goto skip;
347 }
348 }
349
350 /* we have to forward the reply stateless, so we need second via -bogdan*/
(gdb) print msg
$1 = (struct sip_msg *) 0x80dfe30
(gdb) print *msg
$2 = {id = 1104, first_line = {type = 2, u = {request = {method = {s = 0x80c3340
"SIP/2.0",
len = 7}, uri = {s = 0x80c3348 "488", len = 3}, version = {
s = 0x80c334c "Not Acceptable Here", len = 19}, method_value = 488},
reply = {version = {
s = 0x80c3340 "SIP/2.0", len = 7}, status = {s = 0x80c3348
"488", len = 3}, reason = {
s = 0x80c334c "Not Acceptable Here", len = 19}, statuscode = 488}}},
via1 = 0x80e27fc,
via2 = 0x80e2d1c, headers = 0x80e620c, last_header = 0x80e0b08, parsed_flag = 63,
h_via1 = 0x80e620c, h_via2 = 0x80e0b98, callid = 0x80e0008, to = 0x80e10ac, cseq =
0x80e0b08,
from = 0x80e0f2c, contact = 0x0, maxforwards = 0x0, route = 0x0, record_route = 0x0,
content_type = 0x0, content_length = 0x0, authorization = 0x0, expires = 0x0, proxy_auth
= 0x0,
www_auth = 0x0, supported = 0x0, require = 0x0, proxy_require = 0x0, unsupported = 0x0,
allow = 0x0, event = 0x0, eoh = 0x0, unparsed = 0x80c3493 "Content-Length:
0\r\n\r\n", src_ip = {
af = 2, len = 4, u = {addr32 = {1214690368, 0, 0, 0}, addr16 = {46144, 18534, 0, 0, 0,
0, 0,
0}, addr = "@╢fH", '\000' <repeats 11 times>}},
src_port_no = 5061, dst_ip = {af = 2,
len = 4, u = {addr32 = {1214690368, 0, 0, 0}, addr16 = {46144, 18534, 0, 0, 0, 0, 0,
0},
addr = "@╢fH", '\000' <repeats 11 times>}},
orig = 0x80e2a48 "SIP/2.0 488 Not Acceptable Here\r\nVia: SIP/2.0/UDP
64.180.102.72:5060;branch=z9hG4bKfa9f.17ad3774445fef6b70f18b74de26e0b2.0\r\nVia:
SIP/2.0/UDP 172.17.1.127:5060;rport=5060\r\nTo: <sip:151@64.180.102.72;us"..., buf
= 0x80c3340 "SIP/2.0", len = 360, new_uri = {s = 0x0,
len = 0}, parsed_uri_ok = 0, parsed_uri = {user = {s = 0x0, len = 0}, passwd = {s =
0x0,
len = 0}, host = {s = 0x0, len = 0}, port = {s = 0x0, len = 0}, params = {s = 0x0,
len = 0},
headers = {s = 0x0, len = 0}, port_no = 0}, add_rm = 0x0, repl_add_rm = 0x80e0514,
reply_lump = 0x0, add_to_branch_s = '\000' <repeats 54 times>,
add_to_branch_len = 0,
hash_index = 0, flags = 0}
(gdb) up
#5 0x806af1c in receive_msg (buf=0x80c3340 "SIP/2.0", len=360,
src_su=0x81dafa0) at receive.c:161
161 forward_reply(msg);
(gdb) l
156 gettimeofday( & tvb, &tz );
157 STATS_RX_RESPONSE ( msg->first_line.u.reply.statuscode / 100 );
158 #endif
159
160 /* send the msg */
161 forward_reply(msg);
162
163 #ifdef STATS
164 gettimeofday( & tve, &tz );
165 diff = (tve.tv_sec-tvb.tv_sec)*1000000+(tve.tv_usec-tvb.tv_usec);
(gdb) q
bash-2.05a$ exit
Script done on Fri Feb 21 05:44:36 2003