[SR-Users] Crash after async_sleep().
Vitaliy Aleksandrov
vitalik.voip at gmail.com
Fri Oct 24 11:54:55 CEST 2014
Hello list.
root@proxy:/# kamcmd core.version
kamailio 4.1.4 (i386/linux)
I'm getting a crash when I'm trying to simulate a ringing UAS from
kamailio config.
To achieve this I've added the following config actions:
> if (is_method("INVITE") && !has_totag() && $rU =~ "^999") {
>     sl_send_reply("100", "Fake Trying");
>     sl_send_reply("180", "Fake Ringing");
>
>     t_set_fr(120000, 120000);
>     t_set_retr(65000, 65000);
>     t_set_auto_inv_100(0);
>
>     async_sleep("60");
>     send_reply("480", "Fake Temporary Unavailable");
>
>     t_release(); #<---
>
>     exit();
> };
I expect to receive a 180 reply immediately and a 480 after 60 seconds. The
problem appears when a caller cancels a call after 60 seconds, which is
equal to the async_sleep() wait time.
I suppose a race condition happens between the UDP worker that
processes the CANCEL request and the timer process which calls t_continue()
(tm's function). Calling t_newtran() explicitly doesn't change the
situation. The only way I found to avoid the crash is to remove the
t_release() call. In this case kamailio complains that "script write didn't
release transaction" but continues to process new calls.
With -DTIMER_DEBUG and -DDBG_QM_MALLOC I got the following information:
/usr/sbin/kamailio[11307]: : <core> [mem/q_malloc.c:468]: qm_free():
BUG: qm_free: freeing already freed pointer (0xb1d8c520), called from
tm: h_table.c: free_cell(178), first free tm: h_table.c: free_cell(157)
- aborting
The crash mostly happens because of a broken circular list of timers
(timer_ln->next == NULL), but one time I got an abort() during CANCEL
request processing when tm tried to call free_cell() for an already
freed pointer.
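
Added example, not part of the original post: a triage helper that pulls the two free sites out of the DBG_QM_MALLOC double-free report quoted above, so repeated crashes can be grouped by which pair of code paths freed the same pointer. The function names are hypothetical, and the sample log is the report from the post plus one constructed line.

```python
import re
from collections import Counter

# Sample input: the qm_free() report quoted in the post (wrapped as in the
# mail), preceded by one unrelated line constructed for this example.
SAMPLE_LOG = """\
/usr/sbin/kamailio[999]: INFO: <core> [main.c:1]: constructed unrelated line
/usr/sbin/kamailio[11307]: : <core> [mem/q_malloc.c:468]: qm_free():
BUG: qm_free: freeing already freed pointer (0xb1d8c520), called from
tm: h_table.c: free_cell(178), first free tm: h_table.c: free_cell(157)
- aborting
"""

# Matched against whitespace-normalised text, so wrapped reports still parse.
# [^\[\]]* keeps the pid tied to the report's own syslog prefix.
DOUBLE_FREE = re.compile(
    r"\[(?P<pid>\d+)\]:[^\[\]]*\[(?P<src>[^\]]+)\]:\s*qm_free\(\):\s*"
    r"BUG: qm_free: freeing already freed pointer \((?P<ptr>0x[0-9a-fA-F]+)\), "
    r"called from (?P<second>.+?), first free (?P<first>.+?\))"
)

def parse_site(text):
    """Split a 'module: file: function(line)' call site into its parts."""
    m = re.fullmatch(r"(\w+): ([\w./-]+): (\w+)\((\d+)\)", text)
    if m is None:
        return None
    return {"module": m[1], "file": m[2], "function": m[3], "line": int(m[4])}

def find_double_frees(log_text):
    """Return one dict per double-free report found in log_text."""
    flat = " ".join(log_text.split())  # undo line wrapping
    return [{
        "pid": int(m["pid"]),
        "reported_at": m["src"],
        "pointer": m["ptr"],
        "first_free": parse_site(m["first"]),
        "second_free": parse_site(m["second"]),
    } for m in DOUBLE_FREE.finditer(flat)]

def group_by_sites(reports):
    """Count reports per (first free line, second free line) pair."""
    return Counter((r["first_free"]["line"], r["second_free"]["line"])
                   for r in reports if r["first_free"] and r["second_free"])

if __name__ == "__main__":
    for report in find_double_frees(SAMPLE_LOG):
        print(report)
```
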