Hi,

this seems similar to this bug report - http://sip-router.org/tracker/index.php?do=details&task_id=400

I will have a look as soon as I get a chance.

cheers
Jason


On Fri, Feb 28, 2014 at 1:09 PM, Tuan Viet Nguyen <ntvietvn@gmail.com> wrote:
Hello,

I have a crash with the following scenario:
I try to route an INVITE to a remote host, it fails, I route to the second suing the dispatcher module. It fails the second time and I stop the call. It seems that I did not release the transaction in this case

93454 Feb 28 11:39:08 kamailio23 /usr/local/sbin/kamailio[20225]: WARNING: tm [t_lookup.c:1536]: t_unref(): WARNING: script writer didn't release transaction

And then, Kamailio receives BYE of other dialogs and it crashes

Here is core bt of 2 kamailio processes (4.1.1)

(gdb) bt full
#0  0x0000000000534e4e in timer_list_expire (t=1283469267, h=0x7ff9219e99b8, slow_l=0x7ff9219e9c88, slow_mark=12) at timer.c:883
        tl = 0x7ff921c6b8f0
        ret = 32767
#1  0x00000000005351ba in timer_handler () at timer.c:959
        saved_ticks = 1283469267
        run_slow_timer = 0
        i = 12
        __FUNCTION__ = "timer_handler"
#2  0x0000000000535453 in timer_main () at timer.c:998
No locals.
#3  0x000000000046efa2 in main_loop () at main.c:1688
        i = 8
        pid = 0
        si = 0x0
        si_desc = "udp receiver child=7 sock=91.213.79.31:5060\000\001", '\000' <repeats 19 times>, "\020\000\000\000\000\000\000\000\243Mgf\000\000\000\000\260vA\000\000\000\000\000\020\201\351a\377\177", '\000' <repeats 18 times>, "P\177\351a\377\177\000\000\002\266K\000\000\000\000"
        nrprocs = 8
        __FUNCTION__ = "main_loop"
#4  0x0000000000471c38 in main (argc=5, argv=0x7fff61e98118) at main.c:2533
        cfg_stream = 0x1970010
        c = -1
        r = 0
        tmp = 0x7fff61e98148 "\211\236\351a\377\177"
        tmp_len = 0
        port = 5
        proto = 0
        options = 0x5de800 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:"
        ret = -1
        seed = 519948236
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0xbf
        p = 0x416bd9 "H\203\304\b\303" <Address 0x416bde out of bounds>
        __FUNCTION__ = "main"

(gdb) bt full
#0  0x00007ff92abf3475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x00007ff92abf66f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2  0x0000000000548253 in qm_free (qm=0x7ff921970000, p=0x7ff921c3b940, file=0x7ff92925362d "tm: h_table.c", func=0x7ff9292537d8 "free_cell", line=178) at mem/q_malloc.c:470
        f = 0x7ff921c3b910
        size = 5600
        next = 0x7fff61e97ac0
        prev = 0x7ff9291e571e
        __FUNCTION__ = "qm_free"
#3  0x00007ff9291e64a9 in free_cell (dead_cell=0x7ff921c6b870) at h_table.c:178
        b = 0x0
        i = 1
        rpl = 0x0
        tt = 0x0
        foo = 0x5000548a29
        cbs = 0x0
        cbs_tmp = 0x7ff921c3b940
        __FUNCTION__ = "free_cell"
#4  0x00007ff9291e7480 in free_hash_table () at h_table.c:441
        p_cell = 0x7ff921c6b870
        tmp_cell = 0x7ff921a159f0
        i = 37066
        __FUNCTION__ = "free_hash_table"
#5  0x00007ff9291fad35 in tm_shutdown () at t_funcs.c:122
        __FUNCTION__ = "tm_shutdown"
#6  0x00000000004f8101 in destroy_modules () at sr_module.c:817
        t = 0x7ff92a807d50
        foo = 0x7ff92a807588
        __FUNCTION__ = "destroy_modules"
#7  0x00000000004689b2 in cleanup (show_status=1) at main.c:560
        memlog = 32761
        __FUNCTION__ = "cleanup"
#8  0x0000000000469aab in shutdown_children (sig=15, show_status=1) at main.c:702
        __FUNCTION__ = "shutdown_children"
#9  0x000000000046b146 in handle_sigs () at main.c:793
        chld = 0
        chld_status = 139
        memlog = 0
        __FUNCTION__ = "handle_sigs"
#10 0x000000000046f549 in main_loop () at main.c:1746
        i = 8
        pid = 20250
        si = 0x0
        si_desc = "udp receiver child=7 sock=91.213.79.31:5060\000\001", '\000' <repeats 19 times>, "\020\000\000\000\000\000\000\000\243Mgf\000\000\000\000\260vA\000\000\000\000\000\020\201\351a\377\177", '\000' <repeats 18 times>, "P\177\351a\377\177\000\000\002\266K\000\000\000\000"
        nrprocs = 8
        __FUNCTION__ = "main_loop"
#11 0x0000000000471c38 in main (argc=5, argv=0x7fff61e98118) at main.c:2533
        cfg_stream = 0x1970010
        c = -1
        r = 0
        tmp = 0x7fff61e98148 "\211\236\351a\377\177"
        tmp_len = 0
        port = 5
        proto = 0
        options = 0x5de800 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:"
        ret = -1
        seed = 519948236
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0xbf
        p = 0x416bd9 "H\203\304\b\303" <Address 0x416bde out of bounds>
        __FUNCTION__ = "main"

Thank you for your help

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users




--

Jason Penton
Senior Manager: Applications and Services
Smile Communications Pty (Ltd)
Mobile: +27 (0) 83 283 7000
Skype: jason.barry.penton
jason.penton@smilecoms.com
www.smilecoms.com



This email is subject to the disclaimer of Smile Communications at http://www.smilecoms.com/home/email-disclaimer/
This email is subject to the disclaimer of Smile Communications at http://www.smilecoms.com/disclaimer