<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>OK, I will wait a bit and then backport.</p>
<p>Thanks for testing and assisting with troubleshooting.</p>
<p>Daniel<br>
</p>
<br>
<div class="moz-cite-prefix">On 06.09.17 14:29, Vitaliy Aleksandrov
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANz6d4Lp8oF8paanmf-tQnc-BXnxE7+-89tgyB=K+VC4x7VKUQ@mail.gmail.com">
<div dir="ltr">Thanks for the quick fix.
<div><br>
</div>
<div>Installed the latest 5.0 branch with the mentioned patch
and had no crashes so far.
<div>Will do an additional testing and inform if find any
issues.</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 6, 2017 at 12:25 PM,
Daniel-Constantin Mierla <span dir="ltr"><<a
href="mailto:miconda@gmail.com" target="_blank"
moz-do-not-send="true">miconda@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>I think I caught the issue and fixed with commit
b672d8ef63715cf816390a05ce7a44<wbr>1377c3e468 in master
branch.</p>
<p>It was caused by not resetting the T_ASYNC_CONTINUE
flag after t_continue(), which caused other parts of
code to not reset the reply field of any branch. The
reply field could have been set by another process, so
at the time of destroying the transaction, the pointer
could have been to memory zone of another process, so
access it caused the crash.</p>
<p>Along with this fix, I added few other safety checks in
my way to investigate the issue.</p>
<p>Can you cherry pick this commit and test in branch 5.0?
I want to be sure there is no obvious side effect before
porting it.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>
<div class="h5"> <br>
<div class="m_4057521748387470043moz-cite-prefix">On
05.09.17 11:02, Daniel-Constantin Mierla wrote:<br>
</div>
<blockquote type="cite">
<p>Hello,</p>
<p>does it happen to have the pcap (or ngrep) with
the sip traffic for the call? It will be useful to
see the flow with requests/replies/<wbr>retransmissions
and their timestamps...<br>
</p>
<p>Is this version the snapshot of 5.0.2 release or
a build from branch 5.0?</p>
<p>Cheers,<br>
Daniel<br>
</p>
<br>
<div class="m_4057521748387470043moz-cite-prefix">On
05.09.17 10:01, Vitaliy Aleksandrov wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello kamailio list,
<div><br>
</div>
<div>Recently found a problem in my
configuration that uses async_route()
functionality.</div>
<div>It crashes after several calls when
wait_timer fires.</div>
<div><br>
</div>
<div>
<div>#0 0xb74a8556 in raise () from
/lib/libc.so.6</div>
<div>#1 0xb74a9d78 in abort () from
/lib/libc.so.6</div>
<div>#2 0x08293ae2 in qm_free
(qmp=0xad65d000, p=0x3d64692d,
file=0xb6216a16 "tm: h_table.c",
func=0xb621663c <__FUNCTION__.18751>
"free_cell_helper", line=187,
mname=0xb621664d "tm") at
core/mem/q_malloc.c:471</div>
<div>#3 0xb613f103 in free_cell_helper
(dead_cell=0xae2cd210, silent=0,
fname=0xb6239ea5 "timer.c", fline=655) at
h_table.c:187</div>
<div>#4 0xb61e7758 in wait_handler
(ti=557858937, wait_tl=0xae2cd258,
data=0xae2cd210) at timer.c:655</div>
<div>#5 0x0826a2cc in timer_list_expire
(t=557858937, h=0xad6b9668,
slow_l=0xad6ba144, slow_mark=312) at
core/timer.c:874</div>
<div>#6 0x08267cb1 in timer_handler () at
core/timer.c:939</div>
<div>#7 0x0826a4d3 in timer_main () at
core/timer.c:978</div>
<div>#8 0x08069575 in main_loop () at
main.c:1721</div>
<div>#9 0x080707ca in main (argc=11,
argv=0xbf85f044) at main.c:2723</div>
<div><br>
</div>
<div>When crash happens, kamailio prints the
following message:</div>
<div>Sep 4 16:15:38 [18938]: : <core>
[core/mem/q_malloc.c:469]: qm_free(): BUG:
qm_free: bad pointer 0x70707553 (out of
memory block!) called from tm: h_table.c:
free_cell_helper(187) - aborting</div>
</div>
<div><br>
</div>
<div>Also had a few crashes in
retransmission_handler():<br>
</div>
<div>
<div><br>
</div>
<div>#0 0xb750b556 in raise () from
/lib/libc.so.6</div>
<div>#1 0xb750cd78 in abort () from
/lib/libc.so.6</div>
<div>#2 0xb6249b5a in retransmission_handler
(r_buf=0xae036674) at timer.c:367</div>
<div>#3 0xb6247558 in retr_buf_handler
(ticks=1234464444, tl=0xae036688, p=0x1f40)
at timer.c:594</div>
<div>#4 0x0826a2cc in timer_list_expire
(t=1234464444, h=0xad71c668,
slow_l=0xad71cd44, slow_mark=2232) at
core/timer.c:874</div>
<div>#5 0x08267cb1 in timer_handler () at
core/timer.c:939</div>
<div>#6 0x0826a4d3 in timer_main () at
core/timer.c:978</div>
<div>#7 0x08069575 in main_loop () at
main.c:1721</div>
<div>#8 0x080707ca in main (argc=11,
argv=0xbff64134) at main.c:2723</div>
<div><br>
</div>
<div>ERROR: tm [timer.c:366]:
retransmission_handler(): transaction
0xae0365e0 scheduled for deletion and called
from RETR timer (flags 6d)</div>
</div>
<div><br>
</div>
<div>Both timers fired for an INVITE transaction
that was previously suspended by
async_route(), then resumed, sent out and
received a 4xx reply (407).</div>
<div><br>
</div>
<div>This configuration worked fine with
kamailio 4.2.x and problem appeared after
upgrading to 5.0.2.</div>
<div><br>
</div>
<div>Trying to figure out how to narrow down the
problem. Any input is appreciated.</div>
</div>
<br>
<fieldset
class="m_4057521748387470043mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
Kamailio (SER) - Users Mailing List
<a class="m_4057521748387470043moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org" target="_blank" moz-do-not-send="true">sr-users@lists.kamailio.org</a>
<a class="m_4057521748387470043moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank" moz-do-not-send="true">https://lists.kamailio.org/<wbr>cgi-bin/mailman/listinfo/sr-<wbr>users</a>
</pre>
</blockquote>
<br>
<pre class="m_4057521748387470043moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
Kamailio World Conference - <a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.kamailioworld.com" target="_blank" moz-do-not-send="true">www.kamailioworld.com</a></pre>
</blockquote>
<br>
<pre class="m_4057521748387470043moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
Kamailio World Conference - <a class="m_4057521748387470043moz-txt-link-abbreviated" href="http://www.kamailioworld.com" target="_blank" moz-do-not-send="true">www.kamailioworld.com</a></pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
</body>
</html>