[OpenSER-Devel] [ openser-Bugs-1921630 ] dialog: crash in dlg_timer_routine

SourceForge.net noreply at sourceforge.net
Tue Apr 15 16:33:46 CEST 2008


Bugs item #1921630, was opened at 2008-03-20 17:48
Message generated for change (Comment added) made by osas
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1921630&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver 1.3.x
Status: Open
Resolution: None
Priority: 7
Private: No
Submitted By: Ovidiu Sas (osas)
Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: dialog: crash in dlg_timer_routine

Initial Comment:
openser 1.3.0
# openser -V
version: openser 1.3.0-notls (i386/linux)
flags: STATS: Off, USE_IPV6, USE_TCP, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
svnrevision: 2:3907M
@(#) $Id: main.c 3590 2008-01-28 17:46:56Z bogdan_iancu $
main.c compiled on 20:43:57 Mar 10 2008 with gcc 4.1.2


(gdb) bt
#0  0x001c6622 in dlg_timer_routine (ticks=484221, attr=0x0) at dlg_timer.c:194
#1  0x080c84ca in start_timer_processes () at timer.c:275
#2  0x0806c0fb in main (argc=5, argv=0xbf904c64) at main.c:873
(gdb) list
189     
190             if (tl==end && d_timer->first.next->prev) {
191                     ret = 0;
192             } else {
193                     ret = d_timer->first.next;
194                     tl->prev->next = 0;
195                     d_timer->first.next = tl;
196                     tl->prev = &d_timer->first;
197             }
198     
(gdb) print tl
$1 = (struct dlg_tl *) 0x9897e8c8
(gdb) print tl->prev
$2 = (struct dlg_tl *) 0x0
(gdb) 


Regards,
Ovidiu Sas

----------------------------------------------------------------------

>Comment By: Ovidiu Sas (osas)
Date: 2008-04-15 10:33

Message:
Logged In: YES 
user_id=1395524
Originator: YES

I tested the patch attached to bug #1913465 - dialog from db fixes
I passed over 4,000,000 calls and it seems that it cures the problem (no
more crashes).
I think it is pretty safe to apply the patch and close both bugs.

Regards,
Ovidiu Sas

----------------------------------------------------------------------

Comment By: Ovidiu Sas (osas)
Date: 2008-04-08 16:07

Message:
Logged In: YES 
user_id=1395524
Originator: YES

And another one:

Program terminated with signal 11, Segmentation fault.
#0  0x001a458f in dlg_timer_routine (ticks=105130, attr=0x0) at dlg_timer.c:184
184		while( tl!=end && tl->timeout <= time) {
(gdb) bt
#0  0x001a458f in dlg_timer_routine (ticks=105130, attr=0x0) at dlg_timer.c:184
#1  0x080c84ca in start_timer_processes () at timer.c:275
#2  0x0806c0fb in main (argc=5, argv=0xbfbfc1a4) at main.c:873
(gdb) print tl
$1 = <value optimized out>
(gdb) list
179		lock_get( d_timer->lock);
180	
181		end = &d_timer->first;
182		tl = d_timer->first.next;
183		LM_DBG("start with %p (%d) at %d\n", tl,tl->timeout,time);
184		while( tl!=end && tl->timeout <= time) {
185			LM_DBG("getting %p with %d\n", tl,tl->timeout);
186			tl->prev = 0;
187			tl=tl->next;
188		}
(gdb) print tl->timeout
Cannot access memory at address 0x8
(gdb) 


----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2008-04-01 18:20

Message:
Logged In: NO 

another crash:
(gdb) bt
#0  0x004c6622 in dlg_timer_routine (ticks=337654, attr=0x0) at dlg_timer.c:194
#1  0x080c84ca in start_timer_processes () at timer.c:275
#2  0x0806c0fb in main (argc=5, argv=0xbfe413f4) at main.c:873
(gdb) print tl
$1 = (struct dlg_tl *) 0x98a53068
(gdb) print tl->prev
$2 = (struct dlg_tl *) 0x0

----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2008-03-31 06:31

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Ovidiu,

looks like some corruption of the dialog timer list - I will take a look
at this.

Thanks and regards,
Bogdan

----------------------------------------------------------------------

Comment By: Ovidiu Sas (osas)
Date: 2008-03-20 20:22

Message:
Logged In: YES 
user_id=1395524
Originator: YES

hmmm ... another crash:
Program terminated with signal 11, Segmentation fault.
#0  0x0094a58f in dlg_timer_routine (ticks=9816, attr=0x0) at dlg_timer.c:184
184             while( tl!=end && tl->timeout <= time) {
(gdb) bt
#0  0x0094a58f in dlg_timer_routine (ticks=9816, attr=0x0) at dlg_timer.c:184
#1  0x080c84ca in start_timer_processes () at timer.c:275
#2  0x0806c0fb in main (argc=5, argv=0xbfe11964) at main.c:873
(gdb) list
179             lock_get( d_timer->lock);
180     
181             end = &d_timer->first;
182             tl = d_timer->first.next;
183             LM_DBG("start with %p (%d) at %d\n", tl,tl->timeout,time);
184             while( tl!=end && tl->timeout <= time) {
185                     LM_DBG("getting %p with %d\n", tl,tl->timeout);
186                     tl->prev = 0;
187                     tl=tl->next;
188             }
(gdb) print tl
$1 = <value optimized out>
(gdb) print tl->timeout
Cannot access memory at address 0x8

struct dlg_tl
{
        struct dlg_tl     *next;
        struct dlg_tl     *prev;
        volatile unsigned int  timeout;
};

It seems that tl is NULL.

----------------------------------------------------------------------
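The listings and the struct quoted in this thread describe a circular doubly-linked list threaded through the sentinel `d_timer->first`: the expired run at the head is detached by clearing `prev` on each expired node and cutting the last one's `next`. Both crash signatures seen here, a NULL `tl->prev` at line 194 and a NULL `tl` at line 184 (`timeout` sits at offset 8 in `struct dlg_tl`, hence "Cannot access memory at address 0x8"), are what one gets when a node that is already in that detached state is still reachable from the ring. That reading is an inference from the traces, not the diagnosed root cause. The program below is an added example, not OpenSER code: it models the ring with the page's `struct dlg_tl`, re-implements the detach loop as listed but with NULL checks at the two faulting dereferences, adds a `timer_check` walk that verifies every link pairs up, and constructs both corrupted states so the checks can be seen firing. The container `struct dlg_timer`, `timer_insert`, `timer_check`, the `TL_*` codes, the early exit for a non-expired head (the quoted listing does not show that part of the function) and the `demo_*` scenarios are all assumptions made for this example.

```c
/* Added example, not OpenSER code. struct dlg_tl and the detach logic follow
 * the gdb listing in this thread; the container, timer_insert, timer_check,
 * the TL_* codes and the demo scenarios are assumptions for this example. */
#include <stddef.h>

struct dlg_tl {
	struct dlg_tl *next;
	struct dlg_tl *prev;
	volatile unsigned int timeout;
};

/* assumed container: the ring is threaded through the sentinel `first` */
struct dlg_timer {
	struct dlg_tl first;
};

enum { TL_BROKEN_PREV = -1, TL_BROKEN_NEXT = -2 };

static void timer_init(struct dlg_timer *t)
{
	t->first.next = t->first.prev = &t->first;
	t->first.timeout = 0;
}

/* Sorted insert (ascending timeout) that keeps both links paired. */
static void timer_insert(struct dlg_timer *t, struct dlg_tl *tl)
{
	struct dlg_tl *pos = t->first.next;

	while (pos != &t->first && pos->timeout <= tl->timeout)
		pos = pos->next;
	tl->next = pos;
	tl->prev = pos->prev;
	pos->prev->next = tl;
	pos->prev = tl;
}

/* Walk the ring once; return the node count (sentinel excluded) or the first
 * broken link. A detached node left reachable shows up as a NULL next or a
 * prev that does not point back to the node before it. */
static int timer_check(const struct dlg_timer *t)
{
	const struct dlg_tl *end = &t->first, *p = end;
	int n = 0;

	do {
		if (p->next == NULL)
			return TL_BROKEN_NEXT;
		if (p->next->prev != p)
			return TL_BROKEN_PREV;
		p = p->next;
		n++;
	} while (p != end);
	return n - 1;
}

/* Detach the leading run with timeout <= now, as the listing does: prev is
 * cleared on each detached node and the run's last next is cut. The two NULL
 * tests are added here; they guard exactly the dereferences that fault at
 * dlg_timer.c:184 and :194 in the backtraces. *out receives the detached
 * chain; the return value is the count detached or a TL_* code. */
static int timer_expire(struct dlg_timer *t, unsigned int now, struct dlg_tl **out)
{
	struct dlg_tl *end = &t->first, *tl = t->first.next;
	int n = 0;

	*out = NULL;
	if (tl == end || tl->timeout > now)	/* assumed early exit, not in the listing */
		return 0;
	while (tl != end && tl->timeout <= now) {
		if (tl->next == NULL)		/* :184 would go on to read NULL->timeout */
			return TL_BROKEN_NEXT;
		tl->prev = NULL;
		tl = tl->next;
		n++;
	}
	if (tl->prev == NULL)			/* :194 would write NULL->next */
		return TL_BROKEN_PREV;
	*out = t->first.next;
	tl->prev->next = NULL;
	t->first.next = tl;
	tl->prev = end;
	return n;
}

/* Healthy ring a(10) b(20) c(30) d(40), expire at 25: a and b are detached
 * as a NULL-terminated chain and the remaining ring still checks clean. */
static int demo_healthy(void)
{
	struct dlg_timer t;
	struct dlg_tl a = {.timeout = 10}, b = {.timeout = 20}, c = {.timeout = 30}, d = {.timeout = 40};
	struct dlg_tl *run;
	int n;

	timer_init(&t);
	timer_insert(&t, &c); timer_insert(&t, &a); timer_insert(&t, &d); timer_insert(&t, &b);
	n = timer_expire(&t, 25, &run);
	if (run != &a || a.next != &b || b.next != NULL || timer_check(&t) != 2)
		return -99;
	return n;
}

/* Constructed corruption (an assumption, not the diagnosed cause): a node
 * detached earlier, prev still cleared, is reachable again mid-ring. With c
 * expired and b not, the unchecked routine would write through b->prev == 0,
 * the state the :194 traces show. */
static int demo_stale_prev(void)
{
	struct dlg_timer t;
	struct dlg_tl a = {.timeout = 10}, b = {.timeout = 35}, c = {.timeout = 30}, d = {.timeout = 40};
	struct dlg_tl *run;

	timer_init(&t);
	timer_insert(&t, &a); timer_insert(&t, &c); timer_insert(&t, &d);
	b.prev = NULL; c.next = &b; b.next = &d;	/* stale pointer relinked b */
	if (timer_check(&t) >= 0)
		return -99;
	return timer_expire(&t, 32, &run);
}

/* Constructed corruption for the :184 traces: the tail of a detached run (next
 * already cut to 0) is reachable and expired, so the loop would step onto a
 * NULL tl and read tl->timeout at offset 8. */
static int demo_stale_next(void)
{
	struct dlg_timer t;
	struct dlg_tl a = {.timeout = 10}, b = {.timeout = 20}, c = {.timeout = 30};
	struct dlg_tl *run;

	timer_init(&t);
	timer_insert(&t, &a); timer_insert(&t, &c);
	b.prev = NULL; b.next = NULL; a.next = &b;	/* stale pointer relinked b */
	if (timer_check(&t) >= 0)
		return -99;
	return timer_expire(&t, 25, &run);
}
```

`demo_healthy` returns the number of nodes detached (2) and leaves a ring that `timer_check` accepts; in the two constructed scenarios `timer_check` reports a broken link before any detach runs, and `timer_expire` returns an error code at the same point where the unchecked routine would have faulted. In a production build the checks would log and skip the run rather than return silently; the point is that a cheap link-pairing walk over the ring finds this class of corruption well before the timer process takes SIGSEGV.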
