Summary: ASTERISK-08429: Stringfield pool corruption, segmentation fault during free.
Reporter: dlu (dlu)
Labels:
Date Opened: 2006-12-25 11:16:04.000-0600
Date Closed: 2007-02-21 15:02:31.000-0600
Versions:
Frequency of
Environment:
Attachments: ( 0) gdbinfo.28829
Description: Random crash in the core. I attached a backtrace and a show config. I use 1.4.0.
Global Settings:
 SIP Port:               5060
 Videosupport:           Yes
 AutoCreatePeer:         No
 Allow unknown access:   Yes
 Allow subscriptions:    Yes
 Allow overlap dialing:  Yes
 Promsic. redir:         Yes
 SIP domain support:     No
 Call to non-local dom.: Yes
 URI user is phone no:   No
 Our auth realm          realm.org
 Realm. auth:            No
 Always auth rejects:    Yes
 Call limit peers only:  No
 User Agent:             Asterisk PBX
 MWI checking interval:  30 secs
 Reg. context:           (not set)
 Caller ID:              Anonymous
 From: Domain:           xxxxx.xxx
 Record SIP history:     On
 Call Events:            Off
 IP ToS SIP:             CS3
 IP ToS RTP audio:       EF
 IP ToS RTP video:       AF41
 T38 fax pt UDPTL:       No
 RFC2833 Compensation:   No
 SIP realtime:           Enabled

Global Signalling Settings:
 Codecs:                 alaw:20,ulaw:20
 T1 minimum:             100
 Relax DTMF:             Yes
 Compact SIP headers:    No
 RTP Keepalive:          0 (Disabled)
 RTP Timeout:            60
 RTP Hold Timeout:       300
 MWI NOTIFY mime type:   application/simple-message-summary
 DNS SRV lookup:         Yes
 Pedantic SIP support:   Yes
 Reg. min duration       60 secs
 Reg. max duration:      3600 secs
 Reg. default duration:  60 secs
 Outbound reg. timeout:  60 secs
 Outbound reg. attempts: 5
 Notify ringing state:   Yes
 Notify hold state:      No
 SIP Transfer mode:      open
 Max Call Bitrate:       384 kbps
 Auto-Framing:           No

Default Settings:
 Context:                incoming
 Nat:                    RFC3581
 DTMF:                   auto
 Qualify:                0
 Use ClientCode:         Yes
 Progress inband:        Yes
 Language:               de
 MOH Interpret:          default
 MOH Suggest:
 Voice Mail Extension:   vmail

Realtime SIP Settings:
 Realtime Peers:         Yes
 Realtime Users:         Yes
 Cache Friends:          Yes
 Update:                 No
 Ignore Reg. Expire:     No
 Save sys. name:         No
 Auto Clear:             120

(gdb) bt full
#0  0xb7238744 in __sip_destroy (p=0x8782ed0, lockowner=1) at chan_sip.c:2950
       this = (struct ast_string_field_pool *) 0x14ae0400
       prev = <value optimized out>
       cur = <value optimized out>
       cp = (struct sip_pkt *) 0x0
       __PRETTY_FUNCTION__ = "__sip_destroy"
#1  0xb7249988 in __sip_autodestruct (data=0x8782ed0) at chan_sip.c:3081
       p = (struct sip_pvt *) 0x14ae0400
       __PRETTY_FUNCTION__ = "__sip_autodestruct"
#2  0x080e1011 in ast_sched_runq (con=0x81bebf8) at sched.c:358
       numevents = 0
       res = <value optimized out>
#3  0xb7251562 in do_monitor (data=0x0) at chan_sip.c:14863
       prev = <value optimized out>
       res = 0
       sip = <value optimized out>
       t = 1167051329
       fastrestart = 0
       lastpeernum = -1
       curpeernum = 5300
       reloading = <value optimized out>
       __PRETTY_FUNCTION__ = "do_monitor"
#4  0x080ebdeb in dummy_start (data=0x81c1ef8) at utils.c:545
       __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {136060680, 0, 0, -1222507416, -425608198, 1502413374}, __mask_was_saved = 0}}, __pad = {0xb72204a0, 0x0, 0x0, 0x0}}
       __cancel_arg = (void *) 0xb7220ba0
       not_first_call = <value optimized out>
       ret = <value optimized out>
#5  0xb7f8d34b in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#6  0xb7dba65e in clone () from /lib/libc.so.6
No symbol table info available.

We have 4-5 crashes in 6 hours.

Many thanks

Comments:

By: Joshua C. Colp (jcolp) 2006-12-25 21:53:07.000-0600

Would it be possible to get access to the box where the core file is? I need to examine the data structure for the stringfield pool. Thanks!

By: dlu (dlu) 2006-12-27 09:53:02.000-0600

Sorry, I can't obtain access, but if you tell me what I must do, I will provide you the requested data.

By: Corne Cornelius (nobbie) 2007-01-24 14:04:55.000-0600

I seem to have encountered the same problem.

Files attached:
gdbinfo.28829 (backtrace info)
core.28829.bz (core file)

I used the asterisk-1.4.0.tar.gz file for compilation. Seems to be new SVN r48906.

Unfortunately the DONT_OPTIMIZE and THREAD_DEBUG weren't enabled; I read about them too late.

My Asterisk log file was truncated, so no log output.

#0  0x00e849f7 in __sip_destroy (p=0x96a2f30, lockowner=1) at chan_sip.c:2950
2950            ast_string_field_free_pools(p);
(gdb) bt
#0  0x00e849f7 in __sip_destroy (p=0x96a2f30, lockowner=1) at chan_sip.c:2950
#1  0x00e9ee96 in __sip_autodestruct (data=0x96a2f30) at chan_sip.c:3081
#2  0x080e5cba in ast_sched_runq (con=0x9634ba8) at sched.c:358
#3  0x00ecbd5b in do_monitor (data=0x0) at chan_sip.c:14863
#4  0x080f1995 in dummy_start (data=0x96a2f30) at utils.c:545
#5  0x00d3d3ae in start_thread () from /lib/tls/libpthread.so.0
#6  0x00c96aee in clone () from /lib/tls/libc.so.6

By: Corne Cornelius (nobbie) 2007-01-24 14:16:21.000-0600

Mmm, the core upload failed and would probably have been useless on its own.
Anything else I can do?

By: Olle Johansson (oej) 2007-01-25 11:35:38.000-0600

Can you please check with the latest 1.4 from svn, not the 1.4.0 release? Thanks.

By: dlu (dlu) 2007-01-31 19:22:26.000-0600

Hi Olle. We will do it for a few hours in our productivity environment. Please tell me what compiler settings for possible cores you need me to switch on.

By: Serge Vecher (serge-v) 2007-02-05 10:39:00.000-0600

dlu, we need DONT_OPTIMIZE to be enabled -- this doesn't should be safe for production environments; not sure about THREAD_DEBUG.

By: Serge Vecher (serge-v) 2007-02-21 15:02:30.000-0600

No response for two weeks; please reopen if this is still an issue with the latest 1.4 svn branch.