<div dir="ltr"><div><div><div><div>Hello,<br><br></div>I have another kamailio crash with 4.1.1. The scenario is simple:<br></div>+ call a number, fail<br></div>+ retry on another peer, fails<br><br></div>In this case, I use t_reply("404", "Not found") then exit. It seems that we have a double qm_free.<br>
<div><div><br>Log file<br>Feb 28 13:15:56 kamailio23 /usr/local/sbin/kamailio[29595]: WARNING: tm [t_lookup.c:1536]: t_unref(): WARNING: script writer didn't release transaction<br>Feb 28 13:15:56 kamailio23 /usr/local/sbin/kamailio[29583]: : <core> [mem/q_malloc.c:468]: qm_free(): BUG: qm_free: freeing already freed pointer (0x7f9dedb3e110), called from tm: h_table.c: free_cell(157), first free tm: h_table.c: free_cell(157) - aborting<br>
Feb 28 13:15:56 kamailio23 /usr/local/sbin/kamailio[29627]: : <core> [pass_fd.c:293]: receive_fd(): ERROR: receive_fd: EOF on 19 <br>Feb 28 13:15:56 kamailio23 /usr/local/sbin/kamailio[29576]: ALERT: <core> [main.c:775]: handle_sigs(): child process 29583 exited by a signal 6<br>
Feb 28 13:15:56 kamailio23 /usr/local/sbin/kamailio[29576]: ALERT: <core> [main.c:778]: handle_sigs(): core was generated<br><br><span style="color:rgb(255,0,0)">core.kamailio.29583</span><br></div><div><span style="color:rgb(255,0,0)">(gdb) bt full</span> <br>
#0 0x00007f9df6afb475 in raise () from /lib/x86_64-linux-gnu/libc.so.6<br>No symbol table info available.<br>#1 0x00007f9df6afe6f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6<br>No symbol table info available.<br>
#2 0x0000000000548253 in qm_free (qm=0x7f9ded878000, p=0x7f9dedb3e110, file=0x7f9df515b62d "tm: h_table.c", func=0x7f9df515b7d8 "free_cell", line=157) at mem/q_malloc.c:470<br>
f = 0x7f9dedb3e0e0<br> size = 140316274568736<br> next = 0x0<br> prev = 0x0<br> __FUNCTION__ = "qm_free"<br>#3 0x00007f9df50ee2b3 in free_cell (dead_cell=0x7f9dedb39490) at h_table.c:157<br>
b = 0x0<br> i = 2<br> rpl = 0x0<br> tt = 0x177dd596e30<br> foo = 0x7fffdd597400<br> cbs = 0x7f9dedb39490<br> cbs_tmp = 0x7fffdd596f10<br> __FUNCTION__ = "free_cell"<br>
#4 0x00007f9df511c662 in t_unref (p_msg=0x7f9df68bfdb0) at t_lookup.c:1546<br> kr = 12<br> __FUNCTION__ = "t_unref"<br>#5 0x00007f9df5146f4d in w_t_unref (foo=0x7f9df68bfdb0, flags=2147483649, bar=0x0) at tm.c:765<br>
No locals.<br>#6 0x00000000004d6f27 in exec_post_script_cb (msg=0x7f9df68bfdb0, type=REQUEST_CB_TYPE) at script_cb.c:195<br> cb = 0x7f9df68a97d0<br> flags = 2147483649<br>#7 0x00000000004a6e24 in receive_msg (buf=0x921620 "ACK <a href="mailto:sip%3A0123456789@10.100.8.7" target="_blank">sip:0123456789@10.100.8.7</a> SIP/2.0\r\nVia: SIP/2.0/UDP 10.100.8.94;branch=z9hG4bKbcd8.9b0d4b2682a07fefaa22406761659624.0\r\nMax-Forwards: 15\r\nFrom: \"via_test\" <<a href="mailto:sip%3A0310193301@10.100.8.12" target="_blank">sip:0310193301@10.100.8.12</a>>;tag=as4d03043"..., <br>
len=375, rcv_info=0x7fffdd5970d0) at receive.c:228<br> msg = 0x7f9df68bfdb0<br> ctx = {rec_lev = -581341280, run_flags = 32767, last_retcode = 5, jmp_env = {{__jmpbuf = {8857080, 0, 0, 0, 0, 140316433164786, 17179869189, 0}, __mask_was_saved = 8856992, __saved_mask = {__val = {1, 140316271892032, 1656210553, 3713626240, 1024, 8008593472, <br>
140316271892032, 140736907014208, 5472467, 1577608202, 140316271892032, 50195, 140316271892032, 140316426284544, 8282899704, 140736907014272}}}}}<br> ret = 0<br> inb = {s = 0x921620 "ACK <a href="mailto:sip%3A0123456789@10.100.8.7" target="_blank">sip:0123456789@10.100.8.7</a> SIP/2.0\r\nVia: SIP/2.0/UDP 10.100.8.94;branch=z9hG4bKbcd8.9b0d4b2682a07fefaa22406761659624.0\r\nMax-Forwards: 15\r\nFrom: \"via_test\" <<a href="mailto:sip%3A0310193301@10.100.8.12" target="_blank">sip:0310193301@10.100.8.12</a>>;tag=as4d03043"..., len = 375}<br>
__FUNCTION__ = "receive_msg"<br>#8 0x000000000053c0d8 in udp_rcv_loop () at udp_server.c:536<br> len = 375<br> buf = "ACK <a href="mailto:sip%3A0123456789@10.100.8.7" target="_blank">sip:0123456789@10.100.8.7</a> SIP/2.0\r\nVia: SIP/2.0/UDP 10.100.8.94;branch=z9hG4bKbcd8.9b0d4b2682a07fefaa22406761659624.0\r\nMax-Forwards: 15\r\nFrom: \"via_test\" <<a href="mailto:sip%3A0310193301@10.100.8.12" target="_blank">sip:0310193301@10.100.8.12</a>>;tag=as4d03043"...<br>
tmp = 0x13e0751a0eb8aa4f <Address 0x13e0751a0eb8aa4f out of bounds><br> from = 0x7f9df68a5408<br> fromlen = 16<br> ri = {src_ip = {af = 2, len = 4, u = {addrl = {1577608202, 4290224}, addr32 = {1577608202, 0, 4290224, 0}, addr16 = {25610, 24072, 0, 0, 30384, 65, 0, 0}, addr = "\nd\b^\000\000\000\000\260vA\000\000\000\000"}}, dst_ip = {af = 2, len = 4, u = {addrl = {<br>
117990410, 0}, addr32 = {117990410, 0, 0, 0}, addr16 = {25610, 1800, 0, 0, 0, 0, 0, 0}, addr = "\nd\b\a", '\000' <repeats 11 times>}}, src_port = 5060, dst_port = 5060, proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 2, <br>
sa_data = "\023\304\nd\b^\000\000\000\000\000\000\000"}, sin = {sin_family = 2, sin_port = 50195, sin_addr = {s_addr = 1577608202}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 50195, sin6_flowinfo = 1577608202, <br>
sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, bind_address = 0x7f9df6704da8, proto = 1 '\001'}<br>
__FUNCTION__ = "udp_rcv_loop"<br>#9 0x000000000046ec98 in main_loop () at main.c:1617<br> i = 5<br> pid = 0<br> si = 0x7f9df6704da8<br> si_desc = "udp receiver child=5 sock=<a href="http://10.100.8.7:5060" target="_blank">10.100.8.7:5060</a>\000\000\000\001", '\000' <repeats 19 times>, "\020\000\000\000\000\000\000\000y\304\267b\000\000\000\000\260vA\000\000\000\000\000\000tY\335\377\177", '\000' <repeats 18 times>, "@rY\335\377\177\000\000\002\266K\000\000\000\000"<br>
nrprocs = 8<br> __FUNCTION__ = "main_loop"<br>#10 0x0000000000471c38 in main (argc=5, argv=0x7fffdd597408) at main.c:2533<br> cfg_stream = 0x164c010<br> c = -1<br> r = 0<br> tmp = 0x7fffdd597438 "\211~Y\335\377\177"<br>
tmp_len = 0<br> port = 5<br> proto = 0<br> options = 0x5de800 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:"<br> ret = -1<br> seed = 4192398120<br> rfd = 4<br>
debug_save = 0<br> debug_flag = 0<br> dont_fork_cnt = 0<br> n_lst = 0xbf<br> p = 0x416bd9 "H\203\304\b\303" <Address 0x416bde out of bounds><br> __FUNCTION__ = "main"<br>
<br><br><span style="color:rgb(255,0,0)">core.kamailio.29576</span><br>(gdb) bt full<br>#0 0x00007f9df6afb475 in raise () from /lib/x86_64-linux-gnu/libc.so.6<br>No symbol table info available.<br>#1 0x00007f9df6afe6f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6<br>
No symbol table info available.<br>#2 0x0000000000548253 in qm_free (qm=0x7f9ded878000, p=0x7f9dedb3e110, file=0x7f9df515b62d "tm: h_table.c", func=0x7f9df515b7d8 "free_cell", line=157) at mem/q_malloc.c:470<br>
f = 0x7f9dedb3e0e0<br> size = 140316274568736<br> next = 0x0<br> prev = 0x0<br> __FUNCTION__ = "qm_free"<br>#3 0x00007f9df50ee2b3 in free_cell (dead_cell=0x7f9dedb39490) at h_table.c:157<br>
b = 0x7f9df464b480 "dialog: dlg_cb.c"<br> i = 0<br> rpl = 0x7f9df464b8e0<br> tt = 0x7f9df4a8cc75<br> foo = 0x5000548a29<br> cbs = 0xd000000001<br> cbs_tmp = 0x1edb086c8<br>
__FUNCTION__ = "free_cell"<br>#4 0x00007f9df50ef480 in free_hash_table () at h_table.c:441<br> p_cell = 0x7f9dedb39490<br> tmp_cell = 0x7f9deda23d90<br> i = 36299<br> __FUNCTION__ = "free_hash_table"<br>
#5 0x00007f9df5102d35 in tm_shutdown () at t_funcs.c:122<br> __FUNCTION__ = "tm_shutdown"<br>#6 0x00000000004f8101 in destroy_modules () at sr_module.c:817<br> t = 0x7f9df670fd50<br> foo = 0x7f9df670f588<br>
__FUNCTION__ = "destroy_modules"<br>#7 0x00000000004689b2 in cleanup (show_status=1) at main.c:560<br> memlog = 32669<br> __FUNCTION__ = "cleanup"<br>#8 0x0000000000469aab in shutdown_children (sig=15, show_status=1) at main.c:702<br>
__FUNCTION__ = "shutdown_children"<br>#9 0x000000000046b146 in handle_sigs () at main.c:793<br> chld = 0<br> chld_status = 134<br> memlog = 0<br> __FUNCTION__ = "handle_sigs"<br>
#10 0x000000000046f549 in main_loop () at main.c:1746<br> i = 8<br> pid = 29627<br> si = 0x0<br> si_desc = "udp receiver child=7 sock=<a href="http://91.213.79.31:5060" target="_blank">91.213.79.31:5060</a>\000\001", '\000' <repeats 19 times>, "\020\000\000\000\000\000\000\000y\304\267b\000\000\000\000\260vA\000\000\000\000\000\000tY\335\377\177", '\000' <repeats 18 times>, "@rY\335\377\177\000\000\002\266K\000\000\000\000"<br>
nrprocs = 8<br> __FUNCTION__ = "main_loop"<br>#11 0x0000000000471c38 in main (argc=5, argv=0x7fffdd597408) at main.c:2533<br> cfg_stream = 0x164c010<br> c = -1<br> r = 0<br> tmp = 0x7fffdd597438 "\211~Y\335\377\177"<br>
tmp_len = 0<br> port = 5<br> proto = 0<br> options = 0x5de800 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:"<br> ret = -1<br> seed = 4192398120<br> rfd = 4<br>
debug_save = 0<br> debug_flag = 0<br> dont_fork_cnt = 0<br> n_lst = 0xbf<br> p = 0x416bd9 "H\203\304\b\303" <Address 0x416bde out of bounds><br> __FUNCTION__ = "main"<br>
<br><br></div><div>Thanks for your help<br>
</div></div></div>