[Devel] Bug in TM/timer.c:590

Eliot Gable egable at broadvox.net
Wed Jan 10 21:05:44 CET 2007


I have another bug in the TM/timer.c file:

Program received signal SIGSEGV, Segmentation fault.
0xb79d24d7 in insert_timer_unsafe (timer_list=0x7773718c, tl=0x89b1b468,
time_out=2975) at timer.c:621
621       if ((ptr->time_out != TIMER_DELETED) && (ptr->time_out <=
time_out))
(gdb) where
#0  0xb79d24d7 in insert_timer_unsafe (timer_list=0x7773718c,
tl=0x89b1b468, time_out=2975) at timer.c:621
#1  0xb79d2916 in set_timer (new_tl=0x89b1b468, list_id=RT_T1_TO_1,
ext_timeout=0x0) at timer.c:782
#2  0xb79c1b21 in _set_fr_retr (rb=0x89b1b434, retr=1) at t_funcs.h:132
#3  0xb79c1ad5 in start_retr (rb=0x89b1b434) at t_funcs.h:148
#4  0xb79c3ca2 in t_forward_nonack (t=0x89b1b33c, p_msg=0x8b26058,
proxy=0x0) at t_fwd.c:697
#5  0xb79c0e87 in t_relay_to (p_msg=0x8b26058, proxy=0x0, replicate=0)
at t_funcs.c:255
#6  0xb79d6738 in w_t_relay (p_msg=0x8b26058, proxy=0x0, foo=0x0) at
tm.c:956
#7  0x080524f1 in do_action (a=0x816b884, msg=0x8b26058) at action.c:701
#8  0x080506b0 in run_action_list (a=0x816b884, msg=0x8b26058) at
action.c:89
#9  0x0807d30c in eval_elem (e=0x816b8d8, msg=0x8b26058) at route.c:624
#10 0x0807e9c9 in eval_expr (e=0x816b8d8, msg=0x8b26058) at route.c:676
#11 0x0807ea96 in eval_expr (e=0x816b91c, msg=0x8b26058) at route.c:692
#12 0x0805211e in do_action (a=0x816ba64, msg=0x8b26058) at action.c:617
#13 0x080506b0 in run_action_list (a=0x816a880, msg=0x8b26058) at
action.c:89
#14 0x080521e4 in do_action (a=0x816bab8, msg=0x8b26058) at action.c:635
#15 0x080506b0 in run_action_list (a=0x816bab8, msg=0x8b26058) at
action.c:89
#16 0x08050834 in run_actions (a=0x816bab8, msg=0x8b26058) at
action.c:123
#17 0x080514c5 in do_action (a=0x816a4dc, msg=0x8b26058) at action.c:378
#18 0x080506b0 in run_action_list (a=0x816a090, msg=0x8b26058) at
action.c:89
#19 0x080521e4 in do_action (a=0x816a530, msg=0x8b26058) at action.c:635
#20 0x080506b0 in run_action_list (a=0x81689e8, msg=0x8b26058) at
action.c:89
#21 0x08050834 in run_actions (a=0x81689e8, msg=0x8b26058) at
action.c:123
#22 0x08050733 in run_top_route (a=0x81689e8, msg=0x8b26058) at
action.c:151
#23 0x08078ec2 in receive_msg (
    buf=0x80ff7a0 "INVITE sip:2163734656 at 64.158.177.106:5060
SIP/2.0\r\nVia: SIP/2.0/UDP 64.158.177.106:5061\r\nFrom: Sip_Tester
<sip:2163734699 at 64.158.177.106:5061>;tag=20549\r\nTo: 2163734656
<sip:2163734656 at 64.158.177.106:"..., len=547, rcv_info=0xbfc6b0cc) at
receive.c:155
#24 0x08095fa0 in udp_rcv_loop () at udp_server.c:465
#25 0x08068741 in main_loop () at main.c:808
#26 0x0806a04b in main (argc=1, argv=0xbfc6b2b4) at main.c:1477
(gdb) print ptr
$1 = (struct timer_link *) 0x0
(gdb) print timer_list
$2 = (struct timer *) 0x7773718c
(gdb) print timer_list->last_tl
$3 = {next_tl = 0x0, prev_tl = 0x7773718c, time_out = 4294967295,
timer_list = 0x0, tg = TG_FR}

I generated both of these by doing the following:

Build openser-1.1.0-notls in full debug mode (QM_DEBUG, EXTRA_DEBUG,
etc). Turn on all debugging output and log it to stderr. Turn off
forking and redirect output to openser.log. Execute openser from within
gdb. Use sipp to max out the calls per second that openser can handle,
then add a few more. It starts hitting timers like crazy. After 30,000+
calls go through, it cores in the timer code. 

Eliot Gable
Operations Engineer
CCNA, CWNA, CWSP, Network+, Security+
Broadvox, LLC
1228 Euclid Avenue
Suite 390
Cleveland, OH 44115-1800
216-373-4808
 
 

> -----Original Message-----
> From: devel-bounces at openser.org 
> [mailto:devel-bounces at openser.org] On Behalf Of Eliot Gable
> Sent: Wednesday, January 10, 2007 10:18 AM
> To: devel at openser.org
> Subject: [Devel] Bug in TM/timer.c:590
> 
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0xb7a82376 in remove_timer_unsafe (tl=0x815674c8) at timer.c:590
> 590       tl->prev_tl->next_tl = tl->next_tl;
> (gdb) where
> #0  0xb7a82376 in remove_timer_unsafe (tl=0x815674c8) at timer.c:590
> #1  0xb7a82803 in set_timer (new_tl=0x815674c8,
> list_id=FR_INV_TIMER_LIST, ext_timeout=0x0) at timer.c:768
> #2  0xb7a7fab0 in reply_received (p_msg=0x8b26058) at t_reply.c:1326
> #3  0x0805c76c in forward_reply (msg=0x8b26058) at forward.c:449
> #4  0x0807918e in receive_msg (
>     buf=0x80ff7a0 "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP
> 64.158.177.106;branch=z9hG4bKc544.2468f945.0\r\nVia: SIP/2.0/UDP
> 64.158.177.106:5061\r\nFrom: Sip_Tester
> <sip:2163734699 at 64.158.177.106:5061>;tag=36881\r\nTo: 216373465"...,
> len=374, rcv_info=0xbfb7f7dc) at receive.c:194
> #5  0x08095fa0 in udp_rcv_loop () at udp_server.c:465
> #6  0x08068741 in main_loop () at main.c:808
> #7  0x0806a04b in main (argc=1, argv=0xbfb7f9c4) at main.c:1477
> (gdb) print tl
> $1 = (struct timer_link *) 0x815674c8
> (gdb) print tl->prev_tl
> $2 = (struct timer_link *) 0x0
> (gdb) print is_in_timer_list2(tl)
> $3 = 1
> (gdb)
> 
> I have a core file I can send as well, but it is 13MB compressed, so I
> will have to send off-list.
> 
> 
> Eliot Gable
> Operations Engineer
> CCNA, CWNA, CWSP, Network+, Security+
> Broadvox, LLC
> 1228 Euclid Avenue
> Suite 390
> Cleveland, OH 44115-1800
> 216-373-4808
>  
> 
> 
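
The two traces in this thread show a node reported as in-list whose prev_tl is NULL (remove_timer_unsafe) and a list walk in insert_timer_unsafe that dereferences a NULL ptr. The C example below is added here and is not from the original post or from OpenSER's source; it validates the links of a sentinel-based doubly linked list before they are followed. The struct layout, the sentinel arrangement, and the names timer_init, timer_append, link_is_consistent and check_timer_list are assumptions made for illustration.

```c
#include <stdio.h>

/* Assumed, simplified layout: field names follow the gdb output above;
 * this is not OpenSER's definition of these structs. */
struct timer_link { struct timer_link *next_tl, *prev_tl; unsigned int time_out; };
struct timer { struct timer_link first_tl, last_tl; };  /* embedded sentinels */
enum tl_check { TL_OK, TL_NULL_LINK, TL_BAD_BACKLINK, TL_TOO_LONG };

void timer_init(struct timer *t) {
    t->first_tl.prev_tl = NULL;  t->first_tl.next_tl = &t->last_tl;
    t->last_tl.prev_tl = &t->first_tl;  t->last_tl.next_tl = NULL;
}

/* Constructed helper: link tl just before the tail sentinel. */
void timer_append(struct timer *t, struct timer_link *tl, unsigned int time_out) {
    tl->time_out = time_out;
    tl->prev_tl = t->last_tl.prev_tl;  tl->next_tl = &t->last_tl;
    tl->prev_tl->next_tl = tl;  t->last_tl.prev_tl = tl;
}

/* Per-node check before unlinking: both neighbours must exist and point
 * back at tl. Returns 1 when the unlink is safe to perform. */
int link_is_consistent(const struct timer_link *tl) {
    return tl->prev_tl && tl->next_tl &&
           tl->prev_tl->next_tl == tl && tl->next_tl->prev_tl == tl;
}

/* Walk backward from the tail sentinel, validating each link before
 * following it; max_nodes bounds the walk so a cycle cannot hang it. */
enum tl_check check_timer_list(const struct timer *t, size_t max_nodes) {
    const struct timer_link *cur = &t->last_tl;
    for (size_t n = 0; cur != &t->first_tl; n++) {
        if (n > max_nodes) return TL_TOO_LONG;
        if (cur->prev_tl == NULL) return TL_NULL_LINK;
        if (cur->prev_tl->next_tl != cur) return TL_BAD_BACKLINK;
        cur = cur->prev_tl;
    }
    return TL_OK;
}

int main(void) {
    struct timer t;  struct timer_link a, b;
    timer_init(&t);  timer_append(&t, &a, 10);  timer_append(&t, &b, 20);
    printf("intact list: %d\n", check_timer_list(&t, 16));
    b.prev_tl = NULL;  /* constructed corruption: linked node, NULL prev_tl */
    printf("corrupted list: %d, node ok: %d\n",
           check_timer_list(&t, 16), link_is_consistent(&b));
    return 0;
}
```

Run under a debug build, a check of this kind reports the corrupted link at the point it is first observed rather than at the later dereference, which narrows the window in which the list was damaged.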


