Segmentation fault mrcp_start_line_init (message/src/mrcp_start_line.c:321)
Opened this issue · 0 comments
laurencehardman commented
We are noting unimrcpserver exiting with SIGSEGV frequently (using customised plugin for dgmrcp speechrecog - forked from https://github.com/deepgram/dgmrcp)
The underlying cause is not clear at this stage, but it appears to be memory related - potentially as a result of failed allocation by apr_palloc
Log file:
segfault.log
Core dump:
core.7.2805T1120
Download here
ISSUE SUMMARY
Logs:
2024-05-28 09:20:49:885070 [INFO] Receive MRCPv2 Data 10.83.20.27:1544 <-> 10.18.4.182:38178 [286 bytes]
MRCP/2.0 286 RECOGNIZE 4
Channel-Identifier: 82ff9d541cd311ef@speechrecog
cache-control: max-age=0
cancel-if-queue: true
confidence-threshold: 0.500000
content-type: text/uri-list
fetch-timeout: 15000
save-waveform: false
start-input-timers: true
Content-length: 9
session:1
2024-05-28 09:20:49:885241 [INFO] Process RECOGNIZE Request <82ff9d541cd311ef@speechrecog> [4]
**2024-05-28 09:20:49:885575 [INFO] [DG::dgmrcp::channel_machine] got channel message message="ProcessRequest(Message { inner: 0x7fbfb09e6248 })"**
2024-05-28 09:20:49:885689 [INFO] [DG::dgmrcp::channel_machine] processing request method_id="Recognize"
2024-05-28 09:20:49:885802 [INFO] [DG::dgmrcp::channel_machine] setting noinput_timeout timeout=15000
2024-05-28 09:20:49:885887 [INFO] [DG::dgmrcp::channel_machine] setting sensitivity sensitivity=0.5
2024-05-28 09:20:49:885968 [INFO] [DG::dgmrcp::channel_machine] got request grammar request_grammar="session:1"
2024-05-28 09:20:49:886146 [INFO] [DG::dgmrcp::channel_machine] got vendor headers vendor_headers="VendorHeaders { headers: {\"com.elerianai.user_id\": \"\\\"10001546591716888023\\\"\", \"swi.rec.logValue\": \"\\\"ANII=0615228705|DNIS=0219165000\\\"\"} }"
2024-05-28 09:20:49:886333 [INFO] [DG::dgmrcp::channel_machine] adding headers to request valid_headers="[(\".user_id\", \"\\\"10001546591716888023\\\"\")]"
2024-05-28 09:20:49:886493 [NOTICE] [DG::dgmrcp::channel_machine] building request to url="ws://elerianai-ws.sanlam.co.za/stream/asr?encoding=linear16&sample_rate=8000&user_id=%2210001546591716888023%22"
2024-05-28 09:20:49:886832 [INFO] [DG::dgmrcp::channel_machine] finished channel message
2024-05-28 09:20:49:887668 [INFO] Process RECOGNIZE Response <82ff9d541cd311ef@speechrecog> [4]
2024-05-28 09:20:49:887710 [INFO] State Transition IDLE -> RECOGNIZING <82ff9d541cd311ef@speechrecog>
2024-05-28 09:20:49:887782 [INFO] Send MRCPv2 Data 10.83.20.27:1544 <-> 10.18.4.182:38178 [83 bytes]
MRCP/2.0 83 4 200 IN-PROGRESS
Channel-Identifier: 82ff9d541cd311ef@speechrecog
2024-05-28 09:20:49:892514 [INFO] [DG::dgmrcp::channel_machine] ignoring received frame since machine is not ready yet
2024-05-28 09:20:49:897593 [INFO] Receive MRCPv2 Data 10.83.20.27:1544 <-> 10.18.4.182:38178 [72 bytes]
MRCP/2.0 72 STOP 5
Channel-Identifier: 82ff9d541cd311ef@speechrecog
2024-05-28 09:20:49:897708 [INFO] Process STOP Request <82ff9d541cd311ef@speechrecog> [5]
2024-05-28 09:20:49:898000 [INFO] [DG::dgmrcp::channel_machine] got channel message message="ProcessRequest(Message { inner: 0x7fbfb09e7520 })"
2024-05-28 09:20:49:898136 [INFO] [DG::dgmrcp::channel_machine] processing request method_id="Stop"
2024-05-28 09:20:49:898271 [INFO] [DG::dgmrcp::channel_machine] finished channel message
2024-05-28 09:20:49:898394 [INFO] Process STOP Response <82ff9d541cd311ef@speechrecog> [5]
2024-05-28 09:20:49:898414 [INFO] State Transition RECOGNIZING -> IDLE <82ff9d541cd311ef@speechrecog>
2024-05-28 09:20:49:898553 [INFO] Send MRCPv2 Data 10.83.20.27:1544 <-> 10.18.4.182:38178 [108 bytes]
MRCP/2.0 108 5 200 COMPLETE
Channel-Identifier: 82ff9d541cd311ef@speechrecog
Active-Request-Id-List: 4
2024-05-28 09:20:49:900630 [INFO] [DG::dgmrcp::channel_machine] ignoring received frame since machine has finished the recognizing state
2024-05-28 09:20:49:900681 [INFO] TCP/MRCPv2 Peer Disconnected 10.83.20.27:1544 <-> 10.18.4.182:38178
2024-05-28 09:20:49:900647 [INFO] [DG::dgmrcp::channel_machine] ignoring received frame since machine is not ready yet
2024-05-28 09:20:49:901352 [INFO] Receive SIP Event [nua_i_bye] Status 200 Session Terminated [SIP-Agent-1]
2024-05-28 09:20:49:901376 [INFO] Receive SIP Event [nua_i_state] Status 200 Session Terminated [SIP-Agent-1]
2024-05-28 09:20:49:901385 [NOTICE] SIP Call State 0x7fbfac2c7428 [terminated]
2024-05-28 09:20:49:901402 [INFO] Receive SIP Event [nua_i_terminated] Status 200 Session Terminated [SIP-Agent-1]
2024-05-28 09:20:49:901422 [INFO] Deactivate Session 0x7fbfac2c7428 <82ff9d541cd311ef>
2024-05-28 09:20:49:901427 [INFO] Terminate Session 0x7fbfac2c7428 <82ff9d541cd311ef>
2024-05-28 09:20:49:901509 [INFO] Remove Control Channel <82ff9d541cd311ef@speechrecog> [0]
2024-05-28 09:20:49:901652 [INFO] [DG::dgmrcp::channel_machine] got channel message message="Close"
2024-05-28 09:20:49:901711 [INFO] [DG::dgmrcp::channel_machine] closing a stopped channel
2024-05-28 09:20:49:901744 [INFO] [DG::dgmrcp::channel_machine] finished channel message
**2024-05-28 09:20:49:901858 [INFO] [DG::dgmrcp::client] received ws msg msg="Ok(Ping([57, 117, 200, 208]))"
2024-05-28 09:20:49:901976 [WARN] [DG::dgmrcp::client] unhandled WS message type message="Binary Data<length=4>"**
2024-05-28 09:20:49:909815 [INFO] Close RTP Receiver 10.83.20.27:5362 <- 10.18.4.182:29512 [r:0 l:0 j:0 p:50 d:0 i:0]
2024-05-28 09:20:49:909922 [INFO] Remove RTP Session 10.83.20.27:5362
2024-05-28 09:20:49:910148 [INFO] [DG::dgmrcp::channel_machine] got channel message message="StreamClose"
2024-05-28 09:20:49:910160 [NOTICE] Destroy TCP/MRCPv2 Connection 10.83.20.27:1544 <-> 10.18.4.182:38178
2024-05-28 09:20:49:910227 [NOTICE] Remove Session <82ff9d541cd311ef>
2024-05-28 09:20:49:910233 [INFO] [DG::dgmrcp::channel_machine] finished channel message
2024-05-28 09:20:49:910281 [INFO] [DG::dgmrcp::channel_machine] got channel message message="Destroy"
2024-05-28 09:20:49:910322 [NOTICE] [DG::dgmrcp::ffi] closing channel
2024-05-28 09:20:49:911586 [INFO] [DG::dgmrcp::channel_machine] ignoring received frame since machine is not ready yet
2024-05-28 09:20:49:910235 [INFO] Session Terminated 0x7fbfac2c7428 <82ff9d541cd311ef>
2024-05-28 09:20:49:911795 [NOTICE] Destroy Session <82ff9d541cd311ef>
2024-05-28 09:20:49:916438 [INFO] [DG::dgmrcp::client] begin writing to websocket
2024-05-28 09:20:49:916921 [INFO] [DG::dgmrcp::client] done writing to websocket
**2024-05-28 09:20:49:917209 [WARN] [DG::dgmrcp::channel_machine] got error from WebSocket error="ChannelClose"**Backtrace:
Core was generated by `/usr/local/unimrcp/bin/unimrcpserver -r /usr/local/unimrcp -o 2 -w -l 6'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 mrcp_start_line_init (start_line=start_line@entry=0x0) at message/src/mrcp_start_line.c:321
[Current thread is 1 (Thread 0x7fbfbebcf700 (LWP 9))]
(gdb) bt
#0 mrcp_start_line_init (start_line=start_line@entry=0x0)
at message/src/mrcp_start_line.c:321
#1 0x00007fbfc0dd4bde in mrcp_message_create (pool=0x7fbfa406e008)
at message/src/mrcp_message.c:102
#2 0x00007fbfc0dd4d32 in mrcp_event_create (request_message=0x7fbfb09e6248, event_id=1, pool=<optimized out>)
at message/src/mrcp_message.c:143
#3 0x00007fbfbeff8d51 in dgmrcp::ffi::Message::create_event (self=0x7fbfbebc3690, event_id=1)
at src/ffi.rs:636
#4 0x00007fbfbeff8df4 in dgmrcp::ffi::Message::send_failure (self=..., channel=..., reason=...)
at src/ffi.rs:652
#5 0x00007fbfbef8f239 in <dgmrcp::channel_machine::OpenedState as dgmrcp::channel_machine::State>::next::{{closure}}::{{closure}}::{{closure}} ()
at src/channel_machine.rs:531
#6 0x00007fbfbefe5515 in <tracing::instrument::Instrumented<T> as core::future::future::Future>::poll (self=..., cx=0x7fbfbebcd930)
at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/tracing-0.1.37/src/instrument.rs:272
#7 0x00007fbfbef8e417 in <dgmrcp::channel_machine::OpenedState as dgmrcp::channel_machine::State>::next::{{closure}}::{{closure}} ()
at src/channel_machine.rs:534Frame 0 (unimrcpserver):
#0 mrcp_start_line_init (start_line=start_line@entry=0x0) at message/src/mrcp_start_line.c:321
321 start_line->message_type = MRCP_MESSAGE_TYPE_UNKNOWN;
(gdb) list
316 }
317
318 /** Initialize MRCP start-line */
319 MRCP_DECLARE(void) mrcp_start_line_init(mrcp_start_line_t *start_line)
320 {
321 start_line->message_type = MRCP_MESSAGE_TYPE_UNKNOWN;
322 start_line->version = MRCP_VERSION_UNKNOWN;
323 start_line->length = 0;
324 start_line->request_id = 0;
325 apt_string_reset(&start_line->method_name);
(gdb) info locals
No locals.
(gdb) info args
start_line = **0x0**Frame 1 (unimrcpserver):
#1 0x00007fbfc0dd4bde in mrcp_message_create (pool=0x7fbfa406e008)
at message/src/mrcp_message.c:102
(gdb) info locals
message = **0x0**Frame 3 (libdgmrcp):
#3 0x00007fbfbeff8d51 in dgmrcp::ffi::Message::create_event (self=0x7fbfbebc3690, event_id=1)
at src/ffi.rs:636
636 let message = unsafe {
(gdb) info args
self = 0x7fbfbebc3690
event_id = 1
(gdb) x/a self
0x7fbfbebc3690: **0x7fbfb09e6248**
(gdb) x/s 0x7fbfb09e6248
0x7fbfb09e6248: **"\001"**Frame 4 (libdgmrcp):
#4 0x00007fbfbeff8df4 in dgmrcp::ffi::Message::send_failure (self=..., channel=..., reason=...)
at src/ffi.rs:652
652 pub fn send_failure(self, channel: Channel, reason: &str) {
(gdb) info args
self = dgmrcp::ffi::Message {inner: 0x7fbfb09e6248}
channel = dgmrcp::ffi::Channel {inner: 0x7fbfac2c82a8}
reason = "The send channel closed"Frame 5 (libdgmrcp):
#5 0x00007fbfbef8f239 in <dgmrcp::channel_machine::OpenedState as dgmrcp::channel_machine::State>::next::{{closure}}::{{closure}}::{{closure}} ()
at src/channel_machine.rs:531
531 request_thread.send_failure(channel_thread, reason);
(gdb) info locals
reason = "The send channel closed"
err = dgmrcp::client::RecognizeError::ChannelClose
result = core::result::Result<dgmrcp::client::StreamingResponse, dgmrcp::client::RecognizeError>::Err(dgmrcp::client::RecognizeError::ChannelClose)
client = dgmrcp::client::Client {rx: tokio::sync::mpsc::unbounded::UnboundedReceiver<alloc::vec::Vec<u8, alloc::alloc::Global>> {chan: tokio::sync::mpsc::chan::Rx<alloc::vec::Vec<u8, alloc::alloc::Global>, tokio::sync::mpsc::unbounded::Semaphore> {inner: alloc::sync::Arc<tokio::sync::mpsc::chan::Chan<alloc::vec::Vec<u8, alloc::alloc::Global>, tokio::sync::mpsc::unbounded::Semaphore>> {ptr: core::ptr::non_null::NonNull<alloc::sync::ArcInner<tokio::sync::mpsc::chan::Chan<alloc::vec::Vec<u8, alloc::alloc::Global>, tokio::sync::mpsc::unbounded::Semaphore>>> {pointer: 0x7fbfb8b962c0}, phantom: core::marker::PhantomData<alloc::sync::ArcInner<tokio::sync::mpsc::chan::Chan<alloc::vec::Vec<u8, alloc::alloc::Global>, tokio::sync::mpsc::unbounded::Semaphore>>>}}}}
url = url::Url {serialization: alloc::string::String {vec: alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: core::ptr::non_null::NonNull<u8> {pointer: 0x7fbfb127d870 " |\f\260\277\177\000"}, _marker: core::marker::PhantomData<u8>}, cap: 164, alloc: alloc::alloc::Global}, len: 111}}, scheme_end: 2, username_end: 5, host_start: 5, host_end: 30, host: <error reading variable>, port: <error reading variable>, path_start: 30, query_start: <error reading variable>, fragment_start: <error reading variable>}
config_thread = dgmrcp::engine::Config {brain_url: url::Url {serialization: alloc::string::String {vec: alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: core::ptr::non_null::NonNull<u8> {pointer: 0x7fbfb0393340 "ws://elerianai-ws.sanlam.co.za/stream/asr]ser_id\": \"et\000"}, _marker: core::marker::PhantomData<u8>}, cap: 41, alloc: alloc::alloc::Global}, len: 41}}, scheme_end: 2, username_end: 5, host_start: 5, host_end: 30, host: <error reading variable>, port: <error reading variable>, path_start: 30, query_start: <error reading variable>, fragment_start: <error reading variable>}, chunk_size: 4000, stream_results: false, json_response: false, is_nuance: true, json_instance: true, sensitivity_level: <error reading variable>, vendor_prefix: alloc::string::String {vec: alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: core::ptr::non_null::NonNull<u8> {pointer: 0x7fbfb01d4310 "com.elerianai\177\000"}, _marker: core::marker::PhantomData<u8>}, cap: 13, alloc: alloc::alloc::Global}, len: 13}}, encoding: alloc::string::String {vec: alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: core::ptr::non_null::NonNull<u8> {pointer: 0x7fbfb16f7c40 "linear16@\024Q\260\277\177\000"}, _marker: core::marker::PhantomData<u8>}, cap: 8, alloc: alloc::alloc::Global}, len: 8}}, sample_rate: 8000}
user_id = core::option::Option<alloc::string::String>::Some(alloc::string::String {vec: alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: core::ptr::non_null::NonNull<u8> {pointer: 0x7fbfb00e84c0 "\"10001546591716888023\"\000"}, _marker: core::marker::PhantomData<u8>}, cap: 22, alloc: alloc::alloc::Global}, len: 22}})
channel_thread = dgmrcp::ffi::Channel {inner: 0x7fbfac2c82a8}
request_thread = dgmrcp::ffi::Message {inner: 0x7fbfb09e6248}
request_grammar = core::option::Option<alloc::string::String>::Some(alloc::string::String {vec: alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: core::ptr::non_null::NonNull<u8> {pointer: 0x7fbfb07f1ae0 "session:1\000"}, _marker: core::marker::PhantomData<u8>}, cap: 9, alloc: alloc::alloc::Global}, len: 9}})
_task_context = 0x7fbfbebcd930What’s happening?
- (from the logs) We receive a message:
- 2024-05-28 09:20:49:885575 [INFO] [DG::dgmrcp::channel_machine] got channel message message="ProcessRequest(Message { inner: 0x7fbfb09e6248 })"
- (from coredump) We can read the memory at this address:
- 0x7fbfb09e6248: 0x200000001 (as an address)
- 0x7fbfb09e6248: "\001” (as a string)
- We call
mrcp_event_create - This goes up the call stack, until the top frame (
mrcp_start_line_init),- We use the value in
apr_pallocto create a pointermessage- We do not check if this call fails
- It seems to have failed, since message is a null pointer (0x0)
- Hence,
start_line->message_typeexits with a Segmentation fault
- We use the value in
- You can see this in the MRCP source code here and here
