
Summary: ASTERISK-09892: Segmentation fault at channel.c:3275
Reporter: Rajesh (rajeshcr)
Labels:
Date Opened: 2007-07-17 11:01:44
Date Closed: 2007-08-20 11:25:00
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/Channels
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:
Hello,

Sometimes Asterisk, while getting channel information from the CLI, crashes with a segmentation fault. So far it has happened two times, with a gap of nearly a month.

Every minute I run the CLI command "show channels" and fetch the total number of active channels and calls for display purposes.

Occasionally Asterisk crashes while getting this channel information. The gdb output showed that it happened at channel.c:3275.

The function at this location of channel.c is ast_bridged_channel and the line is,

       if (bridged && bridged->tech->bridged_channel)
               bridged = bridged->tech->bridged_channel(chan, bridged);

When I investigated the problem with gdb and Asterisk's core dump from the first crash, bridged->tech was NULL (0x0), and accessing bridged->tech->bridged_channel gave "Cannot access memory at address 0xb0".


In the second crash (which happened today), bridged->tech was not NULL:
(gdb) print bridged->tech
$15 = (const struct ast_channel_tech *) 0xa6b636174

But when I tried to access bridged->tech->bridged_channel I got a similar error message:
"Cannot access memory at address 0xa6b636224"


Can anyone help me in solving this problem?


Thanks in advance
-Rajesh.



****** ADDITIONAL INFORMATION ******


Here is the backtrace of the recent core dump,

(gdb) bt
#0  0x000000000042b834 in ast_bridged_channel (chan=0x803910) at channel.c:3275
#1  0x0000000000471b2c in handle_chanlist (fd=76, argc=-1, argv=Variable "argv" is not available.
) at cli.c:447
#2  0x0000000000477d51 in ast_cli_command (fd=76, s=Variable "s" is not available.
) at cli.c:1364
#3  0x00000000004a16da in netconsole (vconsole=Variable "vconsole" is not available.
) at asterisk.c:555
#4  0x000000370750610a in start_thread () from /lib64/tls/libpthread.so.0
#5  0x0000003706cc5ee3 in clone () from /lib64/tls/libc.so.6
#6  0x0000000000000000 in ?? ()


(gdb) bt full
#0  0x000000000042b834 in ast_bridged_channel (chan=0x803910) at channel.c:3275
       bridged = (struct ast_channel *) 0x7f5660
#1  0x0000000000471b2c in handle_chanlist (fd=76, argc=-1, argv=Variable "argv" is not available.
) at cli.c:447
       c = (struct ast_channel *) 0x803910
       bc = Variable "bc" is not available.

Please let me know if you need any other information.
Comments:

By: Jason Parker (jparker) 2007-07-17 11:07:44

Can you please try to reproduce with the latest version of Asterisk?  1.2.14 is quite old now.

By: Rajesh (rajeshcr) 2007-07-19 11:11:57

Ok ... I tried with the latest version of Asterisk, 1.2.22. The same problem happened again. I am using Asterisk in a pure VoIP environment with SIP.

Now I'm able to reproduce it ... Here are the steps:

Caller calls a Queue
Caller gets connected to an agent
Agent conferences in with some other number.

If you execute the command "show channels" during the conference, it will crash.

I am using MeetMe and creating conferences dynamically.
I am using AgentCallbackLogin for logging agents into the ACD.


Here are all the gdb outputs:

Loaded symbols for /lib64/libgcc_s.so.1
#0  0x000000000041de84 in ast_bridged_channel (chan=0x7ec0d0) at channel.c:3299
3299            if (bridged && bridged->tech->bridged_channel)
(gdb)


(gdb) bt
#0  0x000000000041de84 in ast_bridged_channel (chan=0x7ec0d0) at channel.c:3299
#1  0x00000000004489d8 in handle_chanlist (fd=34, argc=0, argv=0x7ecb30)
   at cli.c:447
#2  0x000000000044b0bc in ast_cli_command (fd=34,
   s=0x7ec0d0 "SIP/to-bandwidth-sec-007f4530") at cli.c:1364
#3  0x000000000046c96a in netconsole (vconsole=0x7ec0d0) at asterisk.c:561
#4  0x00000037a09060da in start_thread () from /lib64/tls/libpthread.so.0
#5  0x00000037a00c54f3 in clone () from /lib64/tls/libc.so.6
#6  0x0000000000000000 in ?? ()



(gdb) bt full
#0  0x000000000041de84 in ast_bridged_channel (chan=0x7ec0d0) at channel.c:3299
       bridged = (struct ast_channel *) 0x7ecb30
#1  0x00000000004489d8 in handle_chanlist (fd=34, argc=0, argv=0x7ecb30)
   at cli.c:447
       c = (struct ast_channel *) 0x7ec0d0
       bc = (struct ast_channel *) 0x0
       durbuf = "\000\000\000\000\000\000\000\000\000"
       locbuf = "2471527118:smily@agent-conference:6\000\000\000\000"
       appdata = "MeetMe(2471527118|dq)\000\000\000\200?<@", '\0' <repeats 11 times>
       duration = 8306896
       durh = 0
       numchans = 4
       concise = 0
#2  0x000000000044b0bc in ast_cli_command (fd=34,
   s=0x7ec0d0 "SIP/to-bandwidth-sec-007f4530") at cli.c:1364
       argv = {0x6612f0 "show", 0x6612f5 "channels", 0x0, 0x403cdf9a "ion\n",
 0x403ce17f "eacxls0008", 0x403cdf80 "show channels",
 0x403ce17f "eacxls0008", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x78756e694c <Address 0x78756e694c out of bounds>, 0x0, 0x0,
 0xffffffff <Address 0xffffffff out of bounds>, 0x0, 0x0, 0x0, 0x0,
 0x3030736c78636100 <Address 0x3030736c78636100 out of bounds>,
 0x37a022c5c0 "", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x2d392e362e320000 <Address 0x2d392e362e320000 out of bounds>,
 0x706d734c452e3131 <Address 0x706d734c452e3131 out of bounds>, 0x0, 0x0,
 0x403ce180 "acxls0008", 0x5fa838 "\"", 0x403cdf80 "show channels",
 0x40040100 "", 0x0, 0x37a0048031 "H\201??",
 0x3000000030 <Address 0x3000000030 out of bounds>, 0x403cdf70 "\"",
 0x403cdeb0 "", 0x0, 0x0, 0x0,
 0x5f36387800000000 <Address 0x5f36387800000000 out of bounds>,
 0x403ce180 "acxls0008", 0x265d <Address 0x265d out of bounds>,
 0x4bf785 "1.2.22", 0x0, 0x0, 0x0, 0x0,
 0x6f6e280000000000 <Address 0x6f6e280000000000 out of bounds>,
 0x29656e <Address 0x29656e out of bounds>, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x37a090b0ad "H\213D$\bH\203?(H=\001???s\001?H\213\r?N\020"}
       e = (struct ast_cli_entry *) 0x5e6c80
       x = 2
       dup = 0x6612f0 "show"
       tws = 0
       __PRETTY_FUNCTION__ = "ast_cli_command"
#3  0x000000000046c96a in netconsole (vconsole=0x7ec0d0) at asterisk.c:561
       con = (struct console *) 0x5fa838
       hostname = "acxls0008", '\0' <repeats 54 times>
       tmp = "show channels\000\000NIX connection\n\000\000\000\000\000\000\000\000\000\000`?<@", '\0' <repeats 12 times>, "p?<@", '\0' <repeats 12 times>, "\200?<@", '\0' <repeats 92 times>, " \000?\232*\000\000\000??<@\000\000\000\000??<---Type <return> to continue, or q <return> to quit---
@\000\000\000\000`?<@\000\000\000\000 \000?\232*\000\000\000??<@\000\000\000\000??<@\000\000\000\000\200?<@\000\000\000\000\204\t?\232*\000\000\000\200\t?\232*\000\000\000?\211\006?7\000\000\000\002\000\000\000\000\000\000\000Ye[\232*\000\000\000\204?<@\000\000\000\000\002\000\000\000*\000"...
       res = 926037297
       fds = {{fd = 34, events = 1, revents = 1}, {fd = 35, events = 1,
   revents = 0}}
       __PRETTY_FUNCTION__ = "netconsole"
#4  0x00000037a09060da in start_thread () from /lib64/tls/libpthread.so.0
No symbol table info available.
#5  0x00000037a00c54f3 in clone () from /lib64/tls/libc.so.6
No symbol table info available.
#6  0x0000000000000000 in ?? ()
No symbol table info available.

By: Jason Parker (jparker) 2007-07-23 16:39:59

As a temporary fix, you could change the line
if (bridged && bridged->tech->bridged_channel)
to
if (bridged && bridged->tech && bridged->tech->bridged_channel)

However, the bigger issue here is why tech is NULL.

The use of AgentCallbackLogin was deprecated in 1.4 - partially due to bizarre locking (or, rather, not locking) issues such as you're seeing here.  I would highly recommend avoiding its use.
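The unchecked line quoted in the report beside the guarded form suggested in this comment, as an added C model that is not Asterisk's code: the struct layouts, function names and the two constructed technologies are assumptions. The guard handles only a NULL tech; a tech pointer into freed memory, as in the reporter's second crash, is still dereferenced, which is why the locking question matters more than the check.

```c
#include <string.h>   /* NULL; the checks that exercise this model compare names with strcmp */

/* Simplified stand-ins for Asterisk's channel structures (assumed layouts, not the real ones). */
struct ast_channel {
    const char *name;
    const struct ast_channel_tech *tech;   /* NULL in the report's first crash */
    struct ast_channel *_bridge;           /* peer leg while the call is bridged */
};
struct ast_channel_tech {   /* optional hook that reports the "real" far-side channel */
    struct ast_channel *(*bridged_channel)(struct ast_channel *, struct ast_channel *);
};

/* Model of the quoted line at channel.c:3275: tech is read without being checked. */
struct ast_channel *bridged_channel_unchecked(struct ast_channel *chan)
{
    struct ast_channel *bridged = chan->_bridge;
    if (bridged && bridged->tech->bridged_channel)   /* faults when tech is NULL */
        bridged = bridged->tech->bridged_channel(chan, bridged);
    return bridged;
}

/* Guarded form from the comment above; it covers a NULL tech only, a tech pointer into freed memory (second crash) is still dereferenced. */
struct ast_channel *bridged_channel_checked(struct ast_channel *chan)
{
    struct ast_channel *bridged = chan->_bridge;
    if (bridged && bridged->tech && bridged->tech->bridged_channel)
        bridged = bridged->tech->bridged_channel(chan, bridged);
    return bridged;
}

/* Constructed technologies: plain has no hook, hooked redirects to another channel. */
static struct ast_channel real_peer = { "SIP/real-peer", NULL, NULL };
static struct ast_channel *redirect(struct ast_channel *c, struct ast_channel *b)
{ (void)c; (void)b; return &real_peer; }
static const struct ast_channel_tech plain_tech = { NULL };
static const struct ast_channel_tech hooked_tech = { redirect };

/* Name that a lookup function reports for a channel bridged to a healthy peer. */
const char *peer_name_via(struct ast_channel *(*lookup)(struct ast_channel *), int hooked)
{
    struct ast_channel peer = { "SIP/peer", hooked ? &hooked_tech : &plain_tech, NULL };
    struct ast_channel chan = { "SIP/chan", &plain_tech, &peer }, *r = lookup(&chan);
    return r ? r->name : NULL;
}
/* Peer whose tech was cleared under the CLI thread: the guarded lookup hands it back instead of faulting (the unchecked one would crash). */
int torn_peer_survives_checked_lookup(void)
{
    struct ast_channel torn = { "SIP/torn", NULL, NULL }, chan = { "SIP/chan", &plain_tech, &torn };
    return bridged_channel_checked(&chan) == &torn;
}
```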

By: Rajesh (rajeshcr) 2007-07-25 16:43:39

I have already handled that condition in my Asterisk code, but it still crashed Asterisk, as I mentioned in the description. Sometimes, even though bridged->tech is not NULL, it crashed while accessing tech->bridged_channel.

Currently I've stopped running the "show channels" command every minute. For now Asterisk has been running without a problem for a week.


Thanks.

By: Jason Parker (jparker) 2007-08-20 11:25:00

Since 1.2 is now in security maintenance mode, I'm going to close this out.

Please reopen if you are able to reproduce on 1.4.