[Kamailio-Users] freeing innername from htable Re: perl module, "pv_sprintf: Memory exhausted!"

Christian Koch chri.koch.vier at googlemail.com
Wed Jun 3 14:01:33 CEST 2009 

Hi Henning, hi Daniel,

we did some more investigation and now we think, the problem may occur 
when accessing the "inner name" of pv's from htable.

We included a call to backtrace() in pv_parse_ht_name() (where most of 
the memory was allocated) to find out, which calling function would be 
responsible for freeing the allocated memory. First we thought it could 
be xlog, but more tests showed, the error also occurs when called from 
other modules.
pv_parse_ht_name() is set as the innername in the htable module:

static pv_export_t mod_pvs[] = {
    { {"sht", sizeof("sht")-1}, PVT_OTHER, pv_get_ht_cell, pv_set_ht_cell,
        pv_parse_ht_name, 0, 0, 0 },

pv_parse_ht_name() allocates some memory (line 121, ht_var.c), saves it 
in sp->pvp.pvn.u.dname (line 165) and sets the type to PV_NAME_PVAR. As 
"u" is a union we thought freeing the memory should depend on the type. 
We can not find any place, where type is checked for PV_NAME_PVAR and 
any memory is freed.

Could you give us any hints where this should happen? Maybe this is the 
only thing we have to add and the memory leak is gone.

By the way, when searching for PV_NAME_INTSTR we found a potential bug: 
In pvapi.c there is the follwoing piece of code (line 773 to 785):

    if(ip->pvn.type==PV_NAME_INTSTR)
    {
       [...]
    } else if(ip->pvn.type==PV_NAME_INTSTR) {
        /* pvar */

The second if also checks for PV_NAME_INTSTR so it will never be 
executed. Shouldn't this be PV_NAME_PVAR?

Regards,
Christian



Christian Koch schrieb:
> Hi Henning,
>
> Henning Westerholt schrieb:
>> Can you configure the kamailio server that it generates a core file? 
>> Then take a look to the backtrace where the invalid memory access was 
>> done, to verify if its really crashed in the core function, or 
>> perhaps some other parts has a problem here. Further informations: 
>> http://www.kamailio.org/dokuwiki/doku.php/troubleshooting:corefiles
>>
>>
> We generated a core file, the output of the backtrace is:
>
> (gdb) bt
> #0  0x00b237a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
> #1  0x00b64825 in raise () from /lib/tls/libc.so.6
> #2  0x00b66289 in abort () from /lib/tls/libc.so.6
> #3  0x080c4436 in qm_free (qm=0x81677e0, p=0x0, file=0x811728e 
> "proxy.c", func=0x811724e "hostent_cpy", line=187) at mem/q_malloc.c:444
> #4  0x0807e329 in hostent_cpy (dst=0x8266e28, src=0x8146134) at 
> proxy.c:187
> #5  0x0807ea16 in mk_proxy (name=0xbfe8f380, port=0, proto=0, 
> is_sips=0) at proxy.c:305
> #6  0x0023cf81 in add_uac (t=0xb61d6128, request=0x81bb218, 
> uri=0xbfe8f538, next_hop=0xbfe8f540, path=0x81bb538, proxy=0x0) at 
> ut.h:67
> #7  0x0023e74c in t_forward_nonack (t=0xb61d6128, p_msg=0x81bb218, 
> proxy=0x0) at t_fwd.c:630
> #8  0x0023a501 in t_relay_to (p_msg=0x81bb218, proxy=0x0, 
> flags=Variable "flags" is not available.
> ) at t_funcs.c:264
> #9  0x0024eb9f in w_t_relay (p_msg=0x81bb218, proxy=0x0, flags=0x0) at 
> tm.c:1002
> #10 0x080531ed in do_action (a=0x81a966c, msg=0x81bb218) at action.c:874
> #11 0x08055406 in run_action_list (a=0x81a966c, msg=0x81bb218) at 
> action.c:145
> #12 0x08094fb0 in eval_expr (e=0x81a96fc, msg=0x81bb218, val=0x0) at 
> route.c:1171
> #13 0x08095214 in eval_expr (e=0x81a974c, msg=0x81bb218, val=0x0) at 
> route.c:1488
> #14 0x08094b6f in eval_expr (e=0x81a979c, msg=0x81bb218, val=0x0) at 
> route.c:1493
> #15 0x080526d8 in do_action (a=0x81a9d7c, msg=0x81bb218) at action.c:729
> #16 0x08055406 in run_action_list (a=0x81a952c, msg=0x81bb218) at 
> action.c:145
> #17 0x08053ed9 in do_action (a=0x81a7efc, msg=0x81bb218) at action.c:120
> #18 0x08055406 in run_action_list (a=0x81a7efc, msg=0x81bb218) at 
> action.c:145
> #19 0x08054f85 in do_action (a=0x81a86ac, msg=0x81bb218) at action.c:746
> #20 0x08055406 in run_action_list (a=0x81a86ac, msg=0x81bb218) at 
> action.c:145
> #21 0x08054fbc in do_action (a=0x81a873c, msg=0x81bb218) at action.c:752
> #22 0x08055406 in run_action_list (a=0x81a246c, msg=0x81bb218) at 
> action.c:145
> #23 0x0805570e in run_top_route (a=0x81a246c, msg=0x81bb218) at 
> action.c:120
> #24 0x08087994 in receive_msg (
>    buf=0x8146ba0 "CANCEL sip:1001 at 212.59.42.187 
> SIP/2.0\r\nRecord-Route: 
> <sip:212.59.42.187;lr=on;ftag=ACU-6afbe8bb-f11cd9dc>\r\nRecord-Route: 
> <sip:212.59.42.187;lr=on;ftag=ACU-6afbe8bb-f11cd9dc>\r\nRecord-Route: 
> <sip:212.59"..., len=1499, rcv_info=0xbfe91240) at receive.c:175
> #25 0x080be606 in udp_rcv_loop () at udp_server.c:449
> #26 0x0806b361 in main (argc=3, argv=0xbfe914b4) at main.c:774
>
> This core file obviuosly only occurs, because there is no more pkg 
> memory. proxy.c:
>
>        dst->h_addr_list=(char**)pkg_malloc(sizeof(char*)*(len+1));
>        if (dst->h_addr_list==0){
>                ser_error=ret=E_OUT_OF_MEM;
>                pkg_free(dst->h_name);
>                for(r=0; dst->h_aliases[r]; r++)        
> pkg_free(dst->h_aliases[r]);
>                pkg_free(dst->h_aliases[r]);  <-- THIS IS LINE 187, 
> WHERE THE CORE FILE IS GENERATED
>                pkg_free(dst->h_aliases);
>                goto error;
>        }
>
> So, there may be an error in proxy.c, but perhaps the reason for our 
> problem is in modules/htable/ht_var.c in pv_parse_ht_name(), where the 
> variable hpv is not freed?
> Any comments on pv_parse_ht_name() are greatly appreciated. We could 
> try to fix this, but we're not sure about the sideeffects.
>
> Regards,
> Christian
>

More information about the sr-users mailing list