#587 db_mysql crash

1.8.x
closed-out-of-date
modules (454)
5
2015-04-07
2012-11-23
No

Hi

I just found a core file generated by opensips on one of our servers which used to be pretty stable.

Core was generated by `/usr/sbin/opensips -P /var/run/opensips.pid -f /etc/opensips/opensips.cfg'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fbf502448de in vfprintf () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install opensips-1.8.1-4.debug.el6.x86_64
(gdb) bt
#0 0x00007fbf502448de in vfprintf () from /lib64/libc.so.6
#1 0x00007fbf502fc2c0 in __vsnprintf_chk () from /lib64/libc.so.6
#2 0x00007fbf502fc1fa in __snprintf_chk () from /lib64/libc.so.6
#3 0x00000000004c44e9 in db_print_where ()
#4 0x00000000004c27f6 in db_do_delete ()
#5 0x00007fbf4ea32f54 in db_mysql_delete (_h=0x7fbf4ecf1558, _k=0x7fff682eaa20, _o=0x7fff682eaa10, _v=0x7fff682ea9d0, _n=2) at dbase.c:1061
#6 0x00007fbf4d18825d in db_timer_udomain (_d=0x7fbf28946f88) at udomain.c:612
#7 0x00007fbf4d1830e1 in synchronize_all_udomains () at dlist.c:591
#8 0x00007fbf4d18e408 in timer (ticks=<value optimized out>, param=<value optimized out>) at ul_mod.c:387
#9 0x000000000047d73a in start_timer_processes ()
#10 0x000000000042aa84 in main ()
(gdb) bt full
#0 0x00007fbf502448de in vfprintf () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007fbf502fc2c0 in __vsnprintf_chk () from /lib64/libc.so.6
No symbol table info available.
#2 0x00007fbf502fc1fa in __snprintf_chk () from /lib64/libc.so.6
No symbol table info available.
#3 0x00000000004c44e9 in db_print_where ()
No symbol table info available.
#4 0x00000000004c27f6 in db_do_delete ()
No symbol table info available.
#5 0x00007fbf4ea32f54 in db_mysql_delete (_h=0x7fbf4ecf1558, _k=0x7fff682eaa20, _o=0x7fff682eaa10, _v=0x7fff682ea9d0, _n=2) at dbase.c:1061
ret = <value optimized out>
#6 0x00007fbf4d18825d in db_timer_udomain (_d=0x7fbf28946f88) at udomain.c:612
my_ps = 0x7fbf4ecf42f0
keys = {0x7fff682eaac0, 0x7fbf5029915d}
ops = {0x0, 0x7fbf4ecc77e8 "\001"}
vals = {{type = DB_DATETIME, nul = 0, free = 0, val = {int_val = 1353067975, bigint_val = 1353067975, double_val = 6.6850440293548263e-315, time_val = 1353067975, string_val = 0x50a62dc7 <Address 0x50a62dc7 out of bounds>,
str_val = {s = 0x50a62dc7 <Address 0x50a62dc7 out of bounds>, len = 100000}, blob_val = {s = 0x50a62dc7 <Address 0x50a62dc7 out of bounds>, len = 100000}, bitmap_val = 1353067975}}, {type = DB_DATETIME, nul = 0,
free = -10484703, val = {int_val = 0, bigint_val = 0, double_val = 0, time_val = 0, string_val = 0x0, str_val = {s = 0x0, len = 132100}, blob_val = {s = 0x0, len = 132100}, bitmap_val = 0}}}
__FUNCTION__ = "db_timer_udomain"
#7 0x00007fbf4d1830e1 in synchronize_all_udomains () at dlist.c:591
res = <value optimized out>
ptr = 0x7fbf28946f28
#8 0x00007fbf4d18e408 in timer (ticks=<value optimized out>, param=<value optimized out>) at ul_mod.c:387
__FUNCTION__ = "timer"
#9 0x000000000047d73a in start_timer_processes ()
No symbol table info available.
#10 0x000000000042aa84 in main ()

# opensips -V
version: opensips 1.8.1-tls (x86_64/linux)
flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
svnrevision: unknown
@(#) $Id: main.c 8772 2012-03-08 11:16:13Z bogdan_iancu $
main.c compiled on 15:18:52 Sep 28 2012 with gcc 4.4.6

I have no idea what happened. Maybe someone has a theory.

Regards,
Dragos

Discussion

  • Vladut-Stefan Paiu

    Hello,

    Seems you had some sort of memory corruption there, as it seems that the values sent to the db_mysql driver are invalid?
    Could you please give access to that core file, so we can look around through the memory dump to see what went wrong there?

    Regards,
    Vlad

     
  • Vladut-Stefan Paiu

    • assigned_to: nobody --> vladut-paiu
     
  • Bogdan-Andrei Iancu

    • status: open --> closed-out-of-date
     
