[sr-dev] a new master crash in tm module

Daniel-Constantin Mierla miconda at gmail.com
Wed Sep 23 11:46:21 CEST 2015 

It turns out that the frament to be freed has size 0, which should not
happen -- maybe another invalid memset somewhere.

Can you get:

frame 3
info locals
p *dead_cell
p dead_cell->uac[i]
p dead_cell->uac[i].request.buffer

Daniel

On 23/09/15 10:33, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
>
>> I am investigating. Can you get the following:
>>
>> frame 0
>> info locals
>> p *qm
>> p *frag
>> frame 1
>> info locals
>> p *f
>> p *n
> below, juha
>
> (gdb) where
> #0  0x0000000000641acc in fm_extract_free (qm=0x7f28c8dd4000, 
>     frag=0x7f28c958e4a0) at mem/f_malloc.c:181
> #1  0x0000000000643689 in fm_join_frag (qm=0x7f28c8dd4000, f=0x7f28c958e468)
>     at mem/f_malloc.c:556
> #2  0x00000000006445ac in fm_free (qmp=0x7f28c8dd4000, p=0x7f28c958e4a0, 
>     file=0x7f28ce687f1d "tm: h_table.c", 
>     func=0x7f28ce6881bb <__FUNCTION__.9593> "free_cell", line=162)
>     at mem/f_malloc.c:624
> #3  0x00007f28ce5c1c12 in free_cell (dead_cell=0x7f28c95eb6c0) at h_table.c:162
> #4  0x00007f28ce64449e in wait_handler (ti=1463515017, wait_tl=0x7f28c95eb740, 
>     data=0x7f28c95eb6c0) at timer.c:648
> #5  0x00000000004aaf88 in timer_list_expire (t=1463515017, h=0x7f28c8e21360, 
>     slow_l=0x7f28c8e21e38, slow_mark=153) at timer.c:873
> #6  0x00000000004ab3e5 in timer_handler () at timer.c:938
> #7  0x00000000004ab853 in timer_main () at timer.c:977
> #8  0x000000000052f690 in main_loop () at main.c:1650
> #9  0x00000000005354e8 in main (argc=17, argv=0x7ffcfb5ef7a8) at main.c:2566
> (gdb) frame 0
> #0  0x0000000000641acc in fm_extract_free (qm=0x7f28c8dd4000, 
>     frag=0x7f28c958e4a0) at mem/f_malloc.c:181
> 181	in mem/f_malloc.c
> (gdb) info locals
> hash = 0
> (gdb) p *qm
> $1 = {type = 0, size = 33554432, used = 9897648, real_used = 12086720, 
>   max_real_used = 14388152, ffrags = 458, first_frag = 0x7f28c8ddc478, 
>   last_frag = 0x7f28cadd3fc8, free_bitmap = {16744946372034692092, 
>     1120719044992065561, 9339679536520168981, 14286416929179686995, 
>     5188168829682976772, 72568841176608, 2199023255697, 2305983746702065672, 
>     4400193994756, 1152921504607044097, 9225638267758575627, 6825836904710912, 
>     720584873920708608, 1125904211148800, 2594108569737560064, 207248951816, 
>     289356276595425280, 8, 283673999966208, 0, 1125968626319360, 
>     18014398931009538, 281477258412032, 289360674110316552, 72057600811729160, 
>     9277486150884524064, 549793563782, 72092778410573824, 2314850345907519488, 
>     1152930300699869184, 70368744177674, 9223372036854780096, 2054}, 
>   free_hash = {{first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c9522710, no = 2}, {first = 0x7f28c97a0b38, no = 5}, {
>       first = 0x7f28c952a888, no = 2}, {first = 0x7f28c95227b0, no = 3}, {
>       first = 0x7f28c970ff08, no = 1}, {first = 0x7f28c95e7eb0, no = 1}, {
>       first = 0x7f28c952a348, no = 1}, {first = 0x7f28c95b1258, no = 1}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c96e3730, no = 1}, {first = 0x7f28c952f1d8, no = 1}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c97391d8, no = 1}, {first = 0x7f28c955d0b8, no = 1}, {
> ---Type <return> to continue, or q <return> to quit---
>       first = 0x7f28c96a6008, no = 6}, {first = 0x0, 
>       no = 0} <repeats 16 times>, {first = 0x7f28c957b590, no = 1}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c9752fd0, no = 1}, {first = 0x7f28c95db260, no = 1}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x7f28c9789cc0, no = 1}, {first = 0x0, 
>       no = 0}, {first = 0x7f28c97a06e0, no = 1}, {first = 0x7f28c96a6140, 
>       no = 3}, {first = 0x7f28c9769bd8, no = 2}, {first = 0x7f28c97a0900, 
>       no = 1}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c95e8280, no = 1}, {first = 0x7f28c9769e08, no = 1}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c966cec0, 
>       no = 9}, {first = 0x7f28c9602d30, no = 2}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c976a060, 
>       no = 1}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x7f28c95eb3a0, no = 14}, {first = 0x7f28c9577ef8, 
>       no = 4}, {first = 0x7f28c97ca3b0, no = 1}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x7f28c95b1788, no = 1}, {
>       first = 0x7f28c9744960, no = 1}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x7f28c97a7f98, no = 1}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c96c44f0, 
>       no = 2}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, 
> ---Type <return> to continue, or q <return> to quit---
>       no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c97a7c08, no = 1}, {
>       first = 0x7f28c96c3870, no = 4}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x7f28c9605e20, no = 7}, {first = 0x7f28c97921b0, 
>       no = 1}, {first = 0x0, no = 0}, {first = 0x7f28c97e85c0, no = 1}, {
>       first = 0x7f28c95e84d0, no = 1}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c9717828, no = 3}, {
>       first = 0x7f28c95b1390, no = 1}, {first = 0x7f28c96061d0, no = 5}, {
>       first = 0x7f28c96481a0, no = 2}, {first = 0x7f28c96e2b20, no = 12}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x7f28c9707648, no = 1}, {first = 0x0, 
>       no = 0}, {first = 0x7f28c9734ed0, no = 2}, {first = 0x0, no = 0}, {
>       first = 0x7f28c9718698, no = 2}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c97a84c0, no = 1}, {first = 0x7f28c96dade0, no = 3}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c97ce2b0, 
>       no = 1}, {first = 0x0, no = 0}, {first = 0x7f28c959cba0, no = 9}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c97bf110, no = 2}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x7f28c96f8410, no = 1}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c9798e30, no = 1}, {first = 0x7f28c9577370, no = 17}, {
>       first = 0x7f28c96b56d0, no = 8}, {first = 0x0, no = 0}, {first = 0x0, 
> ---Type <return> to continue, or q <return> to quit---
>       no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c96ddf70, no = 3}, {first = 0x0, no = 0}, {
>       first = 0x7f28c97cdb30, no = 3}, {first = 0x0, no = 0}, {
>       first = 0x7f28c9779298, no = 1}, {first = 0x7f28c975aa68, no = 1}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c97e4bd8, 
>       no = 2}, {first = 0x0, no = 0}, {first = 0x7f28c95c05a8, no = 1}, {
>       first = 0x7f28c9771490, no = 1}, {first = 0x7f28c9633350, no = 1}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c9746450, 
>       no = 3}, {first = 0x7f28c96c3c08, no = 1}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7f28c96a0710, 
>       no = 3}, {first = 0x7f28c95ead68, no = 10}, {first = 0x7f28c95778b8, 
>       no = 4}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c95e8f40, no = 1}, {first = 0x0, no = 0}, {
>       first = 0x7f28c9771a60, no = 1}, {first = 0x0, no = 0}, {first = 0x0, 
>       no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {
>       first = 0x7f28c96a3e58, no = 2}, {first = 0x7f28c97bea78, no = 2}, {
>       first = 0x0, no = 0}...}}
> (gdb) p *frag
> $2 = {size = 3, u = {nxt_free = 0x7f28c958d833, reserved = 139813153462323}, 
>   prv_free = 0x25, file = 0x0, 
>   func = 0x5 <error: Cannot access memory at address 0x5>, 
>   line = 139813153462362, check = 4}
> (gdb) frame 1
> #1  0x0000000000643689 in fm_join_frag (qm=0x7f28c8dd4000, f=0x7f28c958e468)
>     at mem/f_malloc.c:556
> 556	in mem/f_malloc.c
> (gdb) info locals
> n = 0x7f28c958e4a0
> (gdb) p *f
> $3 = {size = 0, u = {nxt_free = 0x0, reserved = 0}, prv_free = 0x0, 
>   file = 0x7f28ce687f1d "tm: h_table.c", 
>   func = 0x7f28ce6881bb <__FUNCTION__.9593> "free_cell", line = 162, 
>   check = 139813153462319}
> (gdb) p *n
> $4 = {size = 3, u = {nxt_free = 0x7f28c958d833, reserved = 139813153462323}, 
>   prv_free = 0x25, file = 0x0, 
>   func = 0x5 <error: Cannot access memory at address 0x5>, 
>   line = 139813153462362, check = 4}
> (gdb) 

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
Kamailio Advanced Training, Sep 28-30, 2015, in Berlin - http://asipto.com/u/kat

More information about the sr-dev mailing list