[Serusers] Crash in SER - sr-users

21 Feb 2003


      Hi,
We've observed the following crash in ser. Do you have any ideas what
the cause could be?
I'm keeping corefile and binary compiled with debug symbols, so that
don't hesitate to contact me if any additional information is
necessary.
Thank you in advance!
-Maxim
Script started on Fri Feb 21 05:43:09 2003
bash-2.05a$ gdb ~/sip/ser/work/ser-0.8.10/ser ser.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs
Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf
Core was generated by `ser'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/local/lib/ser/modules/sl.so...done.
Reading symbols from /usr/local/lib/ser/modules/tm.so...done.
Reading symbols from /usr/local/lib/ser/modules/rr.so...done.
Reading symbols from /usr/local/lib/ser/modules/maxfwd.so...done.
Reading symbols from /usr/local/lib/ser/modules/usrloc.so...done.
Reading symbols from /usr/local/lib/ser/modules/registrar.so...done.
Reading symbols from /usr/local/lib/ser/modules/nathelper.so...done.
Reading symbols from /usr/local/lib/ser/modules/textops.so...done.
Reading symbols from /usr/local/lib/ser/modules/radius_auth.so...done.
Reading symbols from /usr/local/lib/libradiusclient.so.0...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x807bdd3 in qm_status (qm=0x2816d000) at mem/q_malloc.c:447
447					f!=&(qm->free_hash[h].head); f=f->u.nxt_free, i++, j++);
(gdb) bt
#0  0x807bdd3 in qm_status (qm=0x2816d000) at mem/q_malloc.c:447
#1  0x8079a70 in qm_debug_frag (qm=0x2816d000, f=0x282fd0a4) at mem/q_malloc.c:109
#2  0x807ab37 in qm_free (qm=0x2816d000, p=0x282fd0bc, file=0x2a197a2d "t_reply.c", 
    func=0x2a197e28 "t_on_reply", line=826) at mem/q_malloc.c:359
#3  0x2a188000 in t_on_reply (p_msg=0x80dfe30) at t_reply.c:826
#4  0x805933a in forward_reply (msg=0x80dfe30) at forward.c:346
#5  0x806af1c in receive_msg (buf=0x80c3340 "SIP/2.0", len=360, src_su=0x81dafa0) at receive.c:161
#6  0x8077ff0 in udp_rcv_loop () at udp_server.c:336
#7  0x805eaa5 in main_loop () at main.c:618
#8  0x806197d in main (argc=1, argv=0xbfbffc04) at main.c:1383
#9  0x804c5bd in _start ()
(gdb) up
#1  0x8079a70 in qm_debug_frag (qm=0x2816d000, f=0x282fd0a4) at mem/q_malloc.c:109
109			qm_status(qm);
(gdb) l
104		};
105		if ((FRAG_END(f)->check1!=END_CHECK_PATTERN1)||
106			(FRAG_END(f)->check2!=END_CHECK_PATTERN2)){
107			LOG(L_CRIT, "BUG: qm_*: fragm. %p end overwritten(%x, %x)!\n",
108					f, FRAG_END(f)->check1, FRAG_END(f)->check2);
109			qm_status(qm);
110			abort();
111		}
112		if ((f>qm->first_frag)&&
113				((PREV_FRAG_END(f)->check1!=END_CHECK_PATTERN1) ||
(gdb) up
#2  0x807ab37 in qm_free (qm=0x2816d000, p=0x282fd0bc, file=0x2a197a2d "t_reply.c", 
    func=0x2a197e28 "t_on_reply", line=826) at mem/q_malloc.c:359
359		qm_debug_frag(qm, f);
(gdb) l
354			return;
355		}
356		prev=next=0;
357		f=(struct qm_frag*) ((char*)p-sizeof(struct qm_frag));
358	#ifdef DBG_QM_MALLOC
359		qm_debug_frag(qm, f);
360		if (f->u.is_free){
361			LOG(L_CRIT, "BUG: qm_free: freeing already freed pointer,"
362					" first free: %s: %s(%d) - aborting\n",
363					f->file, f->func, f->line);
(gdb) up
#3  0x2a188000 in t_on_reply (p_msg=0x80dfe30) at t_reply.c:826
826				shm_free(ack);
(gdb) l
821		/* acknowledge negative INVITE replies */	
822		if (t->is_invite && (msg_status>=300 || (t->local && msg_status>=200))) {
823			ack = build_ack( p_msg, t, branch , &ack_len);
824			if (ack) {
825				SEND_PR_BUFFER( &uac->request, ack, ack_len );
826				shm_free(ack);
827			}
828		} /* ack-ing negative INVITE replies */
829	
830		/* clean-up the transaction when transaction completed */
(gdb) up
#4  0x805933a in forward_reply (msg=0x80dfe30) at forward.c:346
346				if (mod->exports->response_f(msg)==0) goto skip;
(gdb) l
341		/* quick hack, slower for mutliple modules*/
342		for (mod=modules;mod;mod=mod->next){
343			if ((mod->exports) && (mod->exports->response_f)){
344				DBG("forward_reply: found module %s, passing reply to it\n",
345						mod->exports->name);
346				if (mod->exports->response_f(msg)==0) goto skip;
347			}
348		}
349	
350		/* we have to forward the reply stateless, so we need second via -bogdan*/
(gdb) print msg
$1 = (struct sip_msg *) 0x80dfe30
(gdb) print msg [1@*
$2 = {id = 1104, first_line = {type = 2, u = {request = {method = {s = 0x80c3340 "SIP/2.0", 
          len = 7}, uri = {s = 0x80c3348 "488", len = 3}, version = {
          s = 0x80c334c "Not Acceptable Here", len = 19}, method_value = 488}, reply = {version = {
          s = 0x80c3340 "SIP/2.0", len = 7}, status = {s = 0x80c3348 "488", len = 3}, reason = {
          s = 0x80c334c "Not Acceptable Here", len = 19}, statuscode = 488}}}, via1 = 0x80e27fc, 
  via2 = 0x80e2d1c, headers = 0x80e620c, last_header = 0x80e0b08, parsed_flag = 63, 
  h_via1 = 0x80e620c, h_via2 = 0x80e0b98, callid = 0x80e0008, to = 0x80e10ac, cseq = 0x80e0b08, 
  from = 0x80e0f2c, contact = 0x0, maxforwards = 0x0, route = 0x0, record_route = 0x0, 
  content_type = 0x0, content_length = 0x0, authorization = 0x0, expires = 0x0, proxy_auth = 0x0, 
  www_auth = 0x0, supported = 0x0, require = 0x0, proxy_require = 0x0, unsupported = 0x0, 
  allow = 0x0, event = 0x0, eoh = 0x0, unparsed = 0x80c3493 "Content-Length: 0\r\n\r\n", src_ip = {
    af = 2, len = 4, u = {addr32 = {1214690368, 0, 0, 0}, addr16 = {46144, 18534, 0, 0, 0, 0, 0, 
        0}, addr = "@╢fH", '\000' <repeats 11 times>}}, src_port_no = 5061, dst_ip = {af = 2, 
    len = 4, u = {addr32 = {1214690368, 0, 0, 0}, addr16 = {46144, 18534, 0, 0, 0, 0, 0, 0}, 
      addr = "@╢fH", '\000' <repeats 11 times>}}, 
  orig = 0x80e2a48 "SIP/2.0 488 Not Acceptable Here\r\nVia: SIP/2.0/UDP 64.180.102.72:5060;branch=z9hG4bKfa9f.17ad3774445fef6b70f18b74de26e0b2.0\r\nVia: SIP/2.0/UDP 172.17.1.127:5060;rport=5060\r\nTo: <sip:151@64.180.102.72;us"..., buf = 0x80c3340 "SIP/2.0", len = 360, new_uri = {s = 0x0, 
    len = 0}, parsed_uri_ok = 0, parsed_uri = {user = {s = 0x0, len = 0}, passwd = {s = 0x0, 
      len = 0}, host = {s = 0x0, len = 0}, port = {s = 0x0, len = 0}, params = {s = 0x0, len = 0}, 
    headers = {s = 0x0, len = 0}, port_no = 0}, add_rm = 0x0, repl_add_rm = 0x80e0514, 
  reply_lump = 0x0, add_to_branch_s = '\000' <repeats 54 times>, add_to_branch_len = 0, 
  hash_index = 0, flags = 0}
(gdb) up
#5  0x806af1c in receive_msg (buf=0x80c3340 "SIP/2.0", len=360, src_su=0x81dafa0) at receive.c:161
161			forward_reply(msg);
(gdb) l
156			gettimeofday( & tvb, &tz );
157			STATS_RX_RESPONSE ( msg->first_line.u.reply.statuscode / 100 );
158	#endif
159			
160			/* send the msg */
161			forward_reply(msg);
162	
163	#ifdef STATS
164			gettimeofday( & tve, &tz );
165			diff = (tve.tv_sec-tvb.tv_sec)*1000000+(tve.tv_usec-tvb.tv_usec);
(gdb) q
bash-2.05a$ exit
Script done on Fri Feb 21 05:44:36 2003