Are these crashes reliably reproducible?  If so, could you try to use the 
sofia-sip lib in the svn trunk of the freeswitch tree 
(http://svn.freeswitch.org/svn/freeswitch/trunk/libs/sofia-sip)?

This is mostly the current darcs of sofia-sip plus a couple other patches that 
I have not gotten merged back in yet and I know we are not seeing this issue.

Mike



On Dec 9, 2009, at 5:14 AM, Fabio Margarido wrote:

> Just an update, I've found a similar error in what looks to be a
> different situation:
> 
> ==2714==
> ==2714== Thread 11:
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A67D3: nua_server_request_destroy (nua_stack.c:1488)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451cb4 is 68 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A67EE: nua_server_request_destroy (nua_stack.c:1491)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451c84 is 20 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A6812: nua_server_request_destroy (nua_stack.c:1494)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451c88 is 24 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A6836: nua_server_request_destroy (nua_stack.c:1497)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451c90 is 32 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A685A: nua_server_request_destroy (nua_stack.c:1500)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451c74 is 4 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A6863: nua_server_request_destroy (nua_stack.c:1502)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451c74 is 4 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A6869: nua_server_request_destroy (nua_stack.c:1502)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451c70 is 0 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid read of size 4
> ==2714==    at 0x40A6888: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==    by 0x4111101: tport_recv_event (tport.c:2861)
> ==2714==    by 0x4110D7D: tport_base_wakeup (tport.c:2763)
> ==2714==  Address 0x5451c7c is 12 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> ==2714==
> ==2714== Invalid free() / delete / delete[]
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BE3AE: process_ack (nua_session.c:2573)
> ==2714==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
> ==2714==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
> ==2714==    by 0x408CAD3: incoming_ack (nta.c:6009)
> ==2714==    by 0x40852BD: agent_recv_request (nta.c:2891)
> ==2714==    by 0x4084478: agent_recv_message (nta.c:2722)
> ==2714==    by 0x4111903: tport_base_deliver (tport.c:3013)
> ==2714==    by 0x4111896: tport_deliver (tport.c:3002)
> ==2714==    by 0x4111456: tport_parse (tport.c:2919)
> ==2714==  Address 0x5451c70 is 0 bytes inside a block of size 72 free'd
> ==2714==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
> ==2714==    by 0x40F7464: su_free (su_alloc.c:838)
> ==2714==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
> ==2714==    by 0x40BB93A: nua_session_usage_shutdown (nua_session.c:1575)
> ==2714==    by 0x40AC554: nua_dialog_usage_shutdown (nua_dialog.c:603)
> ==2714==    by 0x40AA6DA: nua_base_client_response (nua_stack.c:3257)
> ==2714==    by 0x40BA5BB: nua_session_client_response (nua_session.c:1007)
> ==2714==    by 0x40B99FB: nua_invite_client_response (nua_session.c:865)
> ==2714==    by 0x40A98D7: nua_client_response (nua_stack.c:2914)
> ==2714==    by 0x40A9646: nua_client_return (nua_stack.c:2835)
> ==2714==    by 0x40B931C: nua_invite_client_init (nua_session.c:745)
> ==2714==    by 0x40A87DE: nua_client_init_request0 (nua_stack.c:2448)
> 
> Help is much appreciated.
> Thanks.
> 
> On Thu, Dec 3, 2009 at 09:41, Fabio Margarido <fabiomargar...@gmail.com> 
> wrote:
>> Hi there,
>> 
>> we've been observing recurring crashes in one of our clients'
>> applications and all the information we could gather pointed to
>> Sofia's address space, but we couldn't pinpoint exactly where.
>> Yesterday, after a bit of digging around and successfully setting up
>> the client's environment to run valgrind, we were able to obtain the
>> following backtrace for the problem:
>> 
>> ==2608==
>> ==2608== Thread 11:
>> ==2608== Invalid read of size 4
>> ==2608==    at 0x40BEE93: nua_prack_server_report (nua_session.c:2893)
>> ==2608==    by 0x40A74CE: nua_server_report (nua_stack.c:1827)
>> ==2608==    by 0x40A6AC3: nua_stack_respond (nua_stack.c:1633)
>> ==2608==    by 0x40A45BF: nua_stack_signal (nua_stack.c:650)
>> ==2608==    by 0x40FF0B3: su_base_port_execute_msgs (su_base_port.c:276)
>> ==2608==    by 0x40FEE1F: su_base_port_getmsgs (su_base_port.c:198)
>> ==2608==    by 0x40FF175: su_base_port_run (su_base_port.c:331)
>> ==2608==    by 0x40FCFCA: su_port_run (su_port.h:310)
>> ==2608==    by 0x40FC2BF: su_root_run (su_root.c:689)
>> ==2608==    by 0x40FFCF7: su_pthread_port_clone_main (su_pthread_port.c:321)
>> ==2608==    by 0x41B30CD: pthread_start_thread (manager.c:291)
>> ==2608==    by 0x4321739: clone (in /lib/libc-2.2.4.so)
>> ==2608==  Address 0x4c3d67c is 68 bytes inside a block of size 72 free'd
>> ==2608==    at 0x401A61F: free (m_replacemalloc/vg_replace_malloc.c:323)
>> ==2608==    by 0x40F7464: su_free (su_alloc.c:838)
>> ==2608==    by 0x40A688F: nua_server_request_destroy (nua_stack.c:1504)
>> ==2608==    by 0x40BE3AE: process_ack (nua_session.c:2573)
>> ==2608==    by 0x40BDCBB: process_ack_or_cancel (nua_session.c:2477)
>> ==2608==    by 0x408CE3C: incoming_call_callback (nta.c:6117)
>> ==2608==    by 0x408CAD3: incoming_ack (nta.c:6009)
>> ==2608==    by 0x40852BD: agent_recv_request (nta.c:2891)
>> ==2608==    by 0x4084478: agent_recv_message (nta.c:2722)
>> ==2608==    by 0x4111903: tport_base_deliver (tport.c:3013)
>> ==2608==    by 0x4111896: tport_deliver (tport.c:3002)
>> ==2608==    by 0x4111456: tport_parse (tport.c:2919)
>> 
>> If I'm reading this correctly, it seems the application is trying to
>> do something strange (send a PRACK after receiving an ACK, is that
>> what it is?). Nevertheless, I believe the stack should detect this
>> situation and be protected from the crash.
>> Could anybody please help me figure out how to correct this? Is this
>> by any chance already caught and corrected in the latest darcs?
>> Thanks in advance.
>> 
>> Fabio
>> 
> 
> ------------------------------------------------------------------------------
> Return on Information:
> Google Enterprise Search pays you back
> Get the facts.
> http://p.sf.net/sfu/google-dev2dev
> _______________________________________________
> Sofia-sip-devel mailing list
> Sofia-sip-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sofia-sip-devel
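
The quoted valgrind reports show one 72-byte block released through the session-shutdown path and then read and released again from the ACK path. The following is an added example, not sofia-sip code and not part of the original thread: a toy C model with hypothetical names (`request`, `transaction`, `session`, `frees_for_order`) of a destroy routine that detaches every holder before freeing, so whichever path runs second finds no request.

```c
#include <stdlib.h>

/* Toy model only. Every name here is hypothetical and none is sofia-sip's. */
struct request;

struct transaction {            /* stands in for the incoming SIP transaction */
    struct request *magic;      /* callback context: borrowed pointer */
};

struct session {                /* stands in for the dialog/session usage */
    struct request *pending;    /* pointer used by the shutdown path */
};

struct request {
    struct session *owner;
    struct transaction *irq;
};

static int frees;               /* number of real free() calls, checked below */

static struct request *request_create(struct session *s, struct transaction *t)
{
    struct request *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->owner = s;  r->irq = t;
    s->pending = r; t->magic = r;
    return r;
}

/* Hardened destroy: clear every pointer that can reach the request before
 * freeing it. If the two back-pointer resets are left out, the second caller
 * still holds the old address and reads and frees released memory, which is
 * the shape of the "Invalid read" / "Invalid free()" reports quoted above. */
static void request_destroy(struct request *r)
{
    if (!r) return;
    if (r->owner && r->owner->pending == r) r->owner->pending = NULL;
    if (r->irq && r->irq->magic == r) r->irq->magic = NULL;
    free(r);
    frees++;
}

/* Path 1: the session is shut down and drops its pending request. */
static void session_shutdown(struct session *s) { request_destroy(s->pending); }

/* Path 2: an ACK arrives on the transaction. Returns 1 if a live request was
 * completed, 0 if the request was already gone and the ACK was ignored. */
static int on_ack(struct transaction *t)
{
    struct request *r = t->magic;
    if (!r) return 0;
    request_destroy(r);
    return 1;
}

/* Runs both paths in either order and returns how many times free() ran. */
int frees_for_order(int ack_first)
{
    struct session s = {0};
    struct transaction t = {0};
    frees = 0;
    if (!request_create(&s, &t)) return -1;
    if (ack_first) { on_ack(&t); session_shutdown(&s); }
    else           { session_shutdown(&s); on_ack(&t); }
    return frees;
}

int main(void) { return (frees_for_order(0) == 1 && frees_for_order(1) == 1) ? 0 : 1; }
```

Running the same two orders under valgrind or AddressSanitizer is a quick regression check for this class of bug: a clean run means no path reached the block after it was released.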

