Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000050656b in hp_frag_detach (hpb=0x7f257e4c5000, frag=0x7f25805bdbe8, frag=0x7f25805bdbe8) at mem/hp_malloc.c:220
220 *pf = frag->u.nxt_free;
(gdb) bt full
#0 0x000000000050656b in hp_frag_detach (hpb=0x7f257e4c5000, frag=0x7f25805bdbe8, frag=0x7f25805bdbe8) at mem/hp_malloc.c:220
pf = 0x0
#1 hp_shm_malloc (hpb=0x7f257e4c5000, size=size@entry=8) at mem/hp_malloc.c:1017
---Type <return> to continue, or q <return> to quit---
#10 relay_reply (t=0x7f25826f30e8, p_msg=0x7f26413179a8, branch=, msg_status=403, cancel_bitmap=) at t_reply.c:1125
#15 0x000000000059c38a in handle_io (idx=, event_type=, fm=) at net/net_udp.c:259
read = 1056008232
fm = <optimized out>
#16 io_wait_loop_epoll (h=, t=, repeat=) at net/../io_wait_loop.h:225
ret = <optimized out>
e = <optimized out>
n = 1
r = 0
#17 udp_rcv_loop (si=si@entry=0x7f263efd2640) at net/net_udp.c:308
__FUNCTION__ = "udp_rcv_loop"
#18 0x000000000059d8ea in udp_start_processes (chd_rank=chd_rank@entry=0x819680 <chd_rank>, startup_done=startup_done@entry=0x7f257eb63f20) at net/net_udp.c:372
si = 0x7f263efd2640
load_p = 0x7f257eb63f40
pid = <optimized out>
i = <optimized out>
__FUNCTION__ = "udp_start_processes"
---Type <return> to continue, or q <return> to quit---
#19 0x00000000004195a1 in main_loop () at main.c:671
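@46labs, this is a generic memory corruption, for sure a result of the bogus dialog reference counting (investigated by @liviuchircu). The allocator frame at the top of the backtrace (`hp_frag_detach`, where `pf = 0x0` is dereferenced) is only where the damage surfaced, not where it was done. I will rename this ticket, just to keep a reference to this crash.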
bogdan-iancu
changed the title
Segfault in hp_malloc.c:220
Segfault due wrong dialog ref counting
Apr 20, 2016
version: opensips 2.3.0-dev (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, HP_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
git revision: 0546c94
main.c compiled on 11:22:17 Apr 12 2016 with gcc 4.8
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000050656b in hp_frag_detach (hpb=0x7f257e4c5000, frag=0x7f25805bdbe8, frag=0x7f25805bdbe8) at mem/hp_malloc.c:220
220 *pf = frag->u.nxt_free;
(gdb) bt full
#0 0x000000000050656b in hp_frag_detach (hpb=0x7f257e4c5000, frag=0x7f25805bdbe8, frag=0x7f25805bdbe8) at mem/hp_malloc.c:220
#1 hp_shm_malloc (hpb=0x7f257e4c5000, size=size@entry=8) at mem/hp_malloc.c:1017
#2 0x00007f2578f00bc8 in shm_malloc (size=8) at ../tm/../../mem/shm_mem.h:390
#3 w_do_acc_3 (msg=0x7f257d862e60 <faked_req>, type_p=, flags_p=, table_p=0x0) at acc_logic.c:988
#4 0x000000000041cc59 in do_action (a=a@entry=0x7f263ef8a0b0, msg=msg@entry=0x7f257d862e60 <faked_req>) at action.c:1845
---Type <return> to continue, or q <return> to quit---
s = 0x7f2578ef8b84 <acc_evi_request+3565> "\205\300\017\211e\370\377\377H\213\r-\343 ", len = 2031255216}, u_name = {{s = 0x7f250000003b <error: Cannot access memory at address 0x7f250000003b>, len = 2}, {
s = 0x420000001d <error: Cannot access memory at address 0x420000001d>, len = 0}, {s = 0x7f257dea835d <move_bavp_dlg+41> "I\211\307H\205\300\017\204\274", len = 0}, {
s = 0x505bfc <hp_pkg_malloc+201> "I\215D$\030H\203\304\030[]A\A]Ã\301\001\201\371\063\b", len = 2}, {s = 0x505bfc <hp_pkg_malloc+201> "I\215D$\030H\203\304\030[]A\A]Ã\301\001\201\371\063\b", len = 0}, {
s = 0x7f257d862e60 <faked_req> "\374;\005", len = 2031288832}, {s = 0x7f26413179a8 "\373;\005", len = 1093753736}, {s = 0x0, len = -2123403088}, {s = 0x7f2578efe43a <tmcb_func+2737> "I\213\027H\276\004", len = -550502776}, {
s = 0x27 <error: Cannot access memory at address 0x27>, len = 0}}, u_val = {{s = 0x400000000 <error: Cannot access memory at address 0x400000000>, len = 38}, {s = 0x815360 <log_level> "\020r\265~%\177", len = 2125820432}, {
s = 0x505bfc <hp_pkg_malloc+201> "I\215D$\030H\203\304\030[]A\A]Ã\301\001\201\371\063\b", len = 38}, {s = 0x7f26413157d8 "\004", len = 8743179}, {s = 0x0, len = -550502656}, {s = 0x7f260000002f "", len = -550502672}, {
s = 0x20 <error: Cannot access memory at address 0x20>, len = -2106642200}, {s = 0x7ffddf2ffe90 "", len = -2106642200}, {s = 0x7f257fadb4c0 "\001", len = -550502776}, {
s = 0x7f257d6233bb <run_trans_callbacks+403> "H\203\304h[]A\A]A^A_\303AWAVAUATUSH\203\354xH\211\375H\211\363A\211\324\061\300\350X\026\375\377H\211D$ H\211$@h\307D$H", len = 0}}, u_params_no = 57984}
u =
port =
cmatch =
aitem =
adefault =
spec =
model =
val = {rs = {s = 0x7f263ef99998 "\017", len = 4337252}, ri = 2028984713, flags = 32549}
pve =
name_s = {s = 0x7f263ef99cd8 "\001", len = 1093761448}
start = {tv_sec = 0, tv_usec = 4860143}
aux_counter = 1093761448
__FUNCTION__ = "do_action"
#5 0x0000000000423035 in run_action_list (msg=, a=) at action.c:172
#6 run_actions (msg=0x7f257d862e60 <faked_req>, a=) at action.c:137
#7 run_top_route (a=, msg=msg@entry=0x7f257d862e60 <faked_req>) at action.c:204
#8 0x00007f257d648931 in run_failure_handlers (t=0x7f25826f30e8) at t_reply.c:581
#9 t_should_relay_response (reply=0x7f26413179a8, cancel_bitmap=, should_relay=, should_store=, branch=, new_code=403, Trans=0x7f25826f30e8) at t_reply.c:911
---Type <return> to continue, or q <return> to quit---
#10 relay_reply (t=0x7f25826f30e8, p_msg=0x7f26413179a8, branch=, msg_status=403, cancel_bitmap=) at t_reply.c:1125
#11 0x00007f257d64b83e in reply_received (p_msg=0x7f26413179a8) at t_reply.c:1505
#12 0x000000000043b1a9 in forward_reply (msg=msg@entry=0x7f26413179a8) at forward.c:467
#13 0x000000000048d011 in receive_msg (
#14 0x00000000005a930d in udp_read_req (si=, bytes_read=) at net/proto_udp/proto_udp.c:190
#15 0x000000000059c38a in handle_io (idx=, event_type=, fm=) at net/net_udp.c:259
#16 io_wait_loop_epoll (h=, t=, repeat=) at net/../io_wait_loop.h:225
#17 udp_rcv_loop (si=si@entry=0x7f263efd2640) at net/net_udp.c:308
#18 0x000000000059d8ea in udp_start_processes (chd_rank=chd_rank@entry=0x819680 <chd_rank>, startup_done=startup_done@entry=0x7f257eb63f20) at net/net_udp.c:372
---Type <return> to continue, or q <return> to quit---
#19 0x00000000004195a1 in main_loop () at main.c:671
#20 main (argc=, argv=) at main.c:1252