#191 CoreDump at DiameterDeliveryRoutingNode::StoreRequestMessage

[Anonymous]

core file as below:

(dbx) where
[1] 0xff1ffbe8(0x6a, 0x1e77ad8, 0xfdfecbc0, 0xfdb02000, 0x16e2258, 0x0), at 0xff1ffbe7
[2] 0xff24d60c(0x6a, 0x1685908, 0x1e77ad8, 0x16e2250, 0xfdb02000, 0x0), at 0xff24d60b
[3] DiameterMsg::~DiameterMsg(0x6, 0x16e106c, 0xf91fa128, 0x4fb14c, 0xfdfe8284, 0xfdff09b0), at 0x4e60c4
[4] std::auto_ptr<DiameterMsg>::reset(this = 0x1ebfbe8, p = 0x1e9eb28), line 861 in "memory"
[5] std::auto_ptr<DiameterMsg>::operator=(this = 0x1ebfbe8, rhs = CLASS), line 825 in "memory"
[6] DiameterDeliveryRoutingNode<DiameterMsgRouter>::StoreRequestMessage(this = 0x16e1058, h2hId = 76490, msg = CLASS), line 266 in "aaa_route_framework.h"
=>[7] DiameterMsgRouter::DcForward::RequestMsg(this = 0x16e1058, msg = CLASS, source = (nil), dest = 0x16e1a58), line 574 in "aaa_route_msg_router.cpp"
[8] DiameterRequestRoutingNode<DiameterMsgRouter::DcForward,DiameterMsgRouter>::Process(this = 0x16e1048, msg = CLASS, p = CLASS, source = (nil), dest = 0x16e1a58), line 329 in "aaa_route_framework.h"
[9] DiameterRoutingNode::Route(this = 0x16e1048, msg = CLASS, source = (nil)), line 60 in "aaa_route_framework.h"
[10] DiameterRoutingNode::Route(this = 0x16e0fb8, msg = CLASS, source = (nil)), line 63 in "aaa_route_framework.h"
[11] DiameterRoutingChain::Route(this = 0x16e0fa0, msg = CLASS, source = (nil)), line 345 in "aaa_route_framework.h"
[12] DiameterRouterFramework::RequestMsg(this = 0x16e0f98, msg = CLASS, source = (nil)), line 404 in "aaa_route_framework.h"

(dbx) down
Current function is DiameterDeliveryRoutingNode<DiameterMsgRouter>::StoreRequestMessage
266 r->m_ReqMessage = msg;^M
(dbx) print *r
*r = {
m_OrigHH = 32
m_Source = 0x1ec89e0
m_Dest = (nil)
m_ReTxExpireTime = {
tv_ = {
tv_sec = 32555792
tv_usec = 32556416
}
zero = class ACE_Time_Value /* STATIC CLASS */
max_time = class ACE_Time_Value /* STATIC CLASS */
}
m_ReTxCount = 32545360U
m_ReqMessage = {
the_p = 0x6
}
}
(dbx) print h2hId
h2hId = 76490

We think that's a bug of open-diameter.

int StoreRequestMessage(int h2hId,
std::auto_ptr<DiameterMsg> &msg) {
DiameterRouterPendingReqPtr r = NULL;
if (m_ReqMap.Lookup(h2hId, r)) {
r->m_ReqMessage = msg;
return (0);
}
return (-1);
}

after Lookup, this thread a could be hang up, and another thread b could receive the response and delete r.
and then this thread a continue to operate on r, then, crash..

we modify the function to be like below:

int StoreRequestMessage(int h2hId,
std::auto_ptr<DiameterMsg> &msg) {
ACE_Write_Guard<ACE_RW_Mutex> guard(m_Lock);
DiameterRouterPendingReqPtr r = NULL;
if (m_ReqMap.Lookup(h2hId, r)) {
r->m_ReqMessage = msg;
return (0);
}
return (-1);
}