Re: [SR-Users] CRASH on qm_free for simultaneous calls (V3.1.0)

Fri, 17 Dec 2010 14:09:57 -0800 

Hello,

On 12/17/10 12:58 AM, Jijo wrote:

Hi Daniel..

This was due to an error in our config file.
We were doing t_release and then t_relay. So we removed the t_release from config, which basically fixed the issue.
thanks for further troubleshooting and reporting, I will check it and try to prevent the crash -- even it is a misusage should be nicer dealt with printing an error message. 

Cheers,
Daniel
On Thu, Dec 16, 2010 at 2:16 PM, Jijo <realj...@gmail.com <mailto:realj...@gmail.com>> wrote: 

    Hi Daniel,

    Thanks..Please find the logs

    2010-12-17T10:29:04+00:00 [crit] sipserver: : <core>
    [mem/q_malloc.c:446]: BUG: qm_free: freeing already freed pointer,
    first free: tm: h_table.c: free_cell(141) - aborting
    2010-12-17T10:29:04+00:00 [crit] sipserver: : <core>
    [pass_fd.c:293]: ERROR: receive_fd: EOF on 11
    2010-12-17T10:29:04+00:00 [alert] sipserver: ALERT: <core>
    [main.c:741]: child process 14398 exited by a signal 6
    2010-12-17T10:29:04+00:00 [alert] sipserver: ALERT: <core>
    [main.c:744]: core was generated
    2010-12-17T10:29:04+00:00 [crit] sipserver: : <core>
    [mem/q_malloc.c:446]: BUG: qm_free: freeing already freed pointer,
    first free: tm: h_table.c: free_cell(141) - aborting


    Jijo


    On Thu, Dec 16, 2010 at 1:27 AM, Daniel-Constantin Mierla
    <mico...@gmail.com <mailto:mico...@gmail.com>> wrote:

        Hello,

        look into syslog file (/var/log/syslog or /var/log/messages if
        you didn't set a custom one) and search for a message like
        "BUG: qm_free: freeing already freed pointer ...".. Send it
        here, seems to be a double free of same pointer.

        Thanks,
        Daniel


        On 12/16/10 12:34 AM, Jijo wrote:

        I'm observing a crash on qm_free, when we made two outgoing
        calls to the same number. One SIP phone receives ring back
        tone and the other busy tone. The back trace is shown below
        which shows that it is crashed in abort(). How can the
        condition   if (f->u.is_free){ could be true?
        Please let me know if anybody observed this issue and let me
        know how to debug this isssue.

            f=(struct qm_frag*) ((char*)p-sizeof(struct qm_frag));
        #ifdef DBG_QM_MALLOC
            qm_debug_frag(qm, f);
            if (f->u.is_free){
                LOG(L_CRIT, "BUG: qm_free: freeing already freed
        pointer,"
                        " first free: %s: %s(%ld) - aborting\n",
                        f->file, f->func, f->line);*
                abort();*
            }
            MDBG("qm_free: freeing frag. %p alloc'ed from %s: %s(%ld)\n",
                    f, f->file, f->func, f->line);
        #endif


        BACKTRACE
        -------------------


        Program received signal SIGABRT, Aborted.
        0xb76fd7a5 in raise () from /lib/libc.so.6
        (gdb) bt full
        #0  0xb76fd7a5 in raise () from /lib/libc.so.6
        No symbol table info available.
        #1  0xb76ff070 in abort () from /lib/libc.so.6
        No symbol table info available.
        #2  0x081824d5 in qm_free (qm=0xaf7ee000, p=0xaf9ed758,
        file=0xb7659aed "tm: h_table.c", func=0xb7659c9c "free_cell",
        line=141) at mem/q_malloc.c:447
                f = <value optimized out>
                prev = <value optimized out>
                next = <value optimized out>
                size = <value optimized out>
        #3  0xb75ff6b9 in free_cell (dead_cell=0xaf9e7054) at
        h_table.c:141
                b = <value optimized out>
                i = <value optimized out>
                rpl = <value optimized out>
                tt = <value optimized out>
                foo = <value optimized out>
                cbs = <value optimized out>
                cbs_tmp = <value optimized out>
                __FUNCTION__ = "free_cell"
        #4  0xb7625eb0 in t_unref (p_msg=0x847bb10) at t_lookup.c:1553
                kr = <value optimized out>
        #5  0xb764b3ad in w_t_unref (foo=0x847bb10, flags=2147483649,
        bar=0x0) at tm.c:707
        No locals.
        #6  0x0811543a in exec_post_script_cb (msg=0x847bb10,
        type=REQUEST_CB_TYPE) at script_cb.c:195
                cb = 0x8867874
                flags = 2147483649
        #7  0x080e5a4e in receive_msg (
            buf=0x82a89e0 "ACK
        sip:0...@10.80.13.54:5060;transport=udp SIP/2.0\r\nVia:
        SIP/2.0/UDP
        10.200.3.39:5060;branch=z9hG4bK0a992e8d3052e85e5\r\nRoute:
        <sip:0...@10.200.0.31:5060;lr;transport=udp>\r\nMax-Forwards:
        69\r\nFrom: 554"..., len=<value optimized out>,
        rcv_info=0xbf95b7fc) at receive.c:221
                msg = 0x847bb10
                ctx = {rec_lev = 137434160, run_flags = 0,
        last_retcode = -1080707352, jmp_env = {{__jmpbuf =
        {-1224488143, 137089696, 137434092, 0, -1080707248,
                        -1080707304}, __mask_was_saved = 0,
        __saved_mask = {__val = {3079133424, 134556827, 3079002384,
        0, 3214260024, 3070479287, 137089696,
                          137434160, 3070572886, 3070573396, 228,
        137347864, 3214260056, 3077419768, 3079002384, 137089664,
        4294967295, 3079131124, 134556827,
                          134535424, 1, 3079058382, 3079133864,
        3079003192, 1, 1, 0, 134555968, 0, 136548964, 3077419768,
        142823652}}}}}
                ret = <value optimized out>
                inb = {
                  s = 0x82a89e0 "ACK
        sip:0...@10.80.13.54:5060;transport=udp SIP/2.0\r\nVia:
        SIP/2.0/UDP
        10.200.3.39:5060;branch=z9hG4bK0a992e8d3052e85e5\r\nRoute:
        <sip:0...@10.200.0.31:5060;lr;transport=udp>\r\nMax-Forwards:
        69\r\nFrom: 554"..., len = 457}
                __FUNCTION__ = "receive_msg"
        #8  0x08175cb6 in udp_rcv_loop () at udp_server.c:532
                len = <value optimized out>
                buf = "ACK sip:0...@10.80.13.54:5060;transport=udp
        SIP/2.0\r\nVia: SIP/2.0/UDP
        10.200.3.39:5060;branch=z9hG4bK0a992e8d3052e85e5\r\nRoute:
        <sip:0...@10.200.0.31:5060;lr;transport=udp>\r\nMax-Forwards:
        69\r\nFrom: 554"...
                from = 0x88350e4
                fromlen = 16
                ri = {src_ip = {af = 2, len = 4, u = {addrl =
        {654559242, 0, 3214260312, 3079002384}, addr32 = {654559242,
        0, 3214260312, 3079002384}, addr16 = {
                        51210, 9987, 0, 0, 47192, 49045, 55568,
        46981}, addr = "\n\310\003'\000\000\000\000X\270\225\277\020Ù
        \267"}}, dst_ip = {af = 2, len = 4,
                    u = {addrl = {520144906, 0, 0, 0}, addr32 =
        {520144906, 0, 0, 0}, addr16 = {51210, 7936, 0, 0, 0, 0, 0, 0},
                      addr = "\n\310\000\037", '\000' <repeats 11
        times>}}, src_port = 5060, dst_port = 5060, proto_reserved1 =
        0, proto_reserved2 = 0, src_su = {
                    s = {sa_family = 2, sa_data =
        "\023\304\n\310\003'\000\000\000\000\000\000\000"}, sin =
        {sin_family = 2, sin_port = 50195, sin_addr = {
                        s_addr = 654559242}, sin_zero =
        "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2,
        sin6_port = 50195, sin6_flowinfo = 654559242,
                      sin6_addr = {__in6_u = {__u6_addr8 = '\000'
        <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
        __u6_addr32 = {0, 0, 0, 0}}},
                      sin6_scope_id = 0}}, bind_address = 0x82f4140,
        proto = 1 '\001'}
                __FUNCTION__ = "udp_rcv_loop"
        #9  0x080ac1d4 in main_loop () at main.c:1554
                i = <value optimized out>
        ---Type <return> to continue, or q <return> to quit---
                pid = <value optimized out>
                si = <value optimized out>
                si_desc = "udp receiver child=0 sock=10.200.0.31:5060
        <http://10.200.0.31:5060>\000\b
        A\206\b\002\000\000\000\004\000\000\000\n\310\000\037L
        
\225\257h\271\225\...@\030\207\267\020i\203\b\006\000\000\000\000\340~\257\001\000\000\000\001\000\000\000\000\000\000\000\000\340~\257\004\000\000\000?)\037\b\001\000\000\000\a\000\000\000\000\000\000\000H\271\225\277\350\353\017\b"
        #10 0x080af2ec in main (argc=9, argv=0xbf95ba84) at main.c:2398
                cfg_stream = 0x8cbe008
                c = <value optimized out>
                r = <value optimized out>
                tmp = 0xbf95cdc0 ""
                tmp_len = -1217394389
                port = <value optimized out>
                proto = <value optimized out>
                options = 0x81ef340
        ":f:cm:dVhEb:l:L:n:vrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:"
                ret = -1
                seed = 3337198521
                rfd = <value optimized out>
                debug_save = <value optimized out>
                debug_flag = <value optimized out>
                dont_fork_cnt = 0
                p = <value optimized out>

        Thanks
        Jijo


        _______________________________________________
        SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
        sr-users@lists.sip-router.org  <mailto:sr-users@lists.sip-router.org>
        http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla 
        Kamailio (OpenSER) Advanced Training
        Jan 24-26, 2011, Irvine, CA, USA
        http://www.asipto.com




_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users


--
Daniel-Constantin Mierla
Kamailio (OpenSER) Advanced Training
Jan 24-26, 2011, Irvine, CA, USA
http://www.asipto.com


_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Reply via email to