Hello list.

root@proxy:/# kamcmd core.version
kamailio 4.1.4 (i386/linux)

I'm getting a crash when I try to simulate a ringing UAS from the kamailio config.
To achieve this I've added the following config actions:

if (is_method("INVITE") && !has_totag() && $rU =~ "^999") {
    sl_send_reply("100", "Fake Trying");
    sl_send_reply("180", "Fake Ringing");

    t_set_fr(120000, 120000);
    t_set_retr(65000, 65000);
    t_set_auto_inv_100(0);

    async_sleep("60");
    send_reply("480", "Fake Temporary Unavailable");

    t_release(); #<---

    exit();
};

I expect to receive the 180 reply immediately and the 480 after 60 seconds. The problem appears when a caller cancels a call after 60 seconds, which is equal to the async_sleep() wait time. I suppose a race condition happens between the UDP worker that processes the CANCEL request and the timer process which calls t_continue() (tm's function). Calling t_newtran() explicitly doesn't change the situation. The only way I found to avoid the crash is to remove the t_release() call. In this case kamailio complains that "script write didn't release transaction" but continues to process new calls.

With -DTIMER_DEBUG and -DDBG_QM_MALLOC I got the following information:
/usr/sbin/kamailio[11307]: : <core> [mem/q_malloc.c:468]: qm_free(): BUG: qm_free: freeing already freed pointer (0xb1d8c520), called from tm: h_table.c: free_cell(178), first free tm: h_table.c: free_cell(157) - aborting

The crash mostly happens because of a broken circular list of timers (timer_ln->next == NULL), but one time I got an abort() during CANCEL request processing when tm tried to call free_cell() for an already freed pointer.


_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
