Benny Prijono wrote: > On Tue, Aug 12, 2008 at 2:26 PM, Pedro Gon?alves > <pedro.pandre at gmail.com <mailto:pedro.pandre at gmail.com>> wrote: > > > > > Actually the stack trace is wrong. The dlg->remote.contact->uri is > > never initialized like the stack trace shows, since it should have > > come from pjsip_contact_hdr_clone() instead. So you're watching the > > wrong variable. > > > > -benny > Sorry, maybe I didn't make myself clear. > I'm not saying that dlg->remote.contact->uri is initialized this way. > I am saying that dlg->remote.contact->uri gets corrupted by the > mentioned stack trace. > > > I see. > > > I can reproduce this behaviour all the time. > > > That's the problem, since I can't reproduce it here. Can you reproduce > it with pjsua or simpleua? > > > It seems to me that the problem starts in pjsip_contact_hdr_create(), > where a pj_pool_alloc() is made. > > > This is the one called by the parser, right? > > > I set a breakpoint there, and I can see that this instruction: > void *mem = pj_pool_alloc(pool, sizeof(pjsip_contact_hdr)); > makes mem point to 0x0d9a9d88. > The problem is that SIPEngine::instance->dlg->remote.contact->uri > points > to 0x0d9a9d98. > > This way, mem will be overlapped with > SIPEngine::instance->dlg->remote.contact->uri, thus corrupting it when > writing to its location (which happens in init_hdr). > > > I see. > > > > > Any idea why this happens? > > > The only possibility that I can think of is if you set > dlg->remote.contact->uri yourself. > > > > Why does pj_pool_alloc return a pointer to an occupied zone? > > > It can't. A more plausible explanation is that > dlg->remote.contact->uri is a stale pointer, or it was allocated using > rdata->tp_info.pool rather than dlg->pool. I checked the code in > sip_dialog.c and nothing does this. > > > Do you think that for some reason the pool where > SIPEngine::instance->dlg->remote.contact->uri is (is it > SIPEngine::instance->dlg->pool?) was released?! > > > I don't think so. If dlg->pool has been released then all the pointers > in the dialog will become stale and the program would crash before > that. Does the application ever touched dlg->remote.contact or > dlg->remote.contact->uri at all? > > -benny Hi! Great news! With the help from an expert friend, we achieved, a few minutes before your mail, *exactly* the same conclusion you told! There was, in fact, a zone in our code where this was being made: pjsip_contact_hdr *contact_hdr; contact_hdr = (pjsip_contact_hdr*)pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, NULL); if (contact_hdr != NULL) { dlg->remote.contact->uri = contact_hdr->uri; } We replaced dlg->remote.contact->uri = contact_hdr->uri; with dlg->remote.contact->uri = (pjsip_uri*) pjsip_uri_clone(dlg->pool, contact_hdr->uri); This way, dlg is kept in its own pool, thus removing this thread's problem! Best regards and once again, thanks for all your help Pedro Gon?alves
