Summary: ASTERISK-09967: Crash on ast_openstream on disconnected (at that moment) channel
Reporter: Anton Fedorov (datacompboy)
Labels:
Date Opened: 2007-07-26 23:52:17
Date Closed: 2007-10-29 14:56:19
Versions:
Frequency of
Environment:
Attachments: ( 0) astcrash.log.bz2
(gdb) backtrace
#0  0x000000000044bb0d in ast_closestream ()
#1  0x000000000044be75 in ast_stopstream ()
#2  0x000000000044dbb5 in ast_openstream_full ()
#3  0x00002aaac3a64c45 in basic_play_sound (member=0x8075b0, file=0x8242c0 "ps/default/client-leave", mute=0)
   at conference.c:2807
#4  0x00002aaac3a61b54 in remove_member (member=0x824580, conf=0x8063e0) at conference.c:985
#5  0x00002aaac3a6aa09 in member_process_spoken_frames (conf=0x8063e0, member=0x824580, spoken_frames=0x4086f038,
   time_diff=23, listener_count=0x4086f030, speaker_count=0x4086f034) at member.c:3249
#6  0x00002aaac3a606c4 in conference_exec (conf=0x8063e0) at conference.c:206
#7  0x000000000049221c in ?? ()
#8  0x00002b8300296317 in start_thread () from /lib/libpthread.so.0
#9  0x00002b8300c6faad in clone () from /lib/libc.so.6
Comments:

By: Anton Fedorov (datacompboy) 2007-07-26 23:53:16

I can attach the core if that will help,
or look at something if you say how.

By: Joshua C. Colp (jcolp) 2007-07-27 11:26:54

I'm closing this bug out since it appears to be an issue with app_conference. Please follow up using their bug tracker.

By: Anton Fedorov (datacompboy) 2007-09-19 08:58:50

Sorry, but I still think that this issue relates to Asterisk.
Let me describe:

#0  0x000000000044bb0d in ast_closestream (f=0x8557d0) at file.c:715
   cmd = <value optimized out>
   size = <value optimized out>
#1  0x000000000044d6bc in ast_filehelper (filename=0x4099ad80 "ps/default/client-leave", arg2=0x855730, fmt=0x0,
   action=ACTION_OPEN) at file.c:423
   bfile = (FILE *) 0x86d850
   s = (struct ast_filestream *) 0x8bd2e0
   f = (struct ast_format *) 0x817b70
   res = -1
   __PRETTY_FUNCTION__ = "ast_filehelper"
#2  0x000000000044dbf8 in ast_openstream_full (chan=0x855730, filename=0x842da0 "ps/default/client-leave",
   preflang=0x4ba54f "", asis=<value optimized out>) at file.c:569
   fmts = <value optimized out>
   res = <value optimized out>
   buflen = <value optimized out>
   buf = 0x855790 "\032"
   __PRETTY_FUNCTION__ = "ast_openstream_full"

ast_openstream_full was called when chan was going to hang up.
file.c:715 is in
int ast_closestream(struct ast_filestream *f)
(called with a non-zero, correct ast_filestream!)
line 715 is
       if (f->fmt->format < AST_FORMAT_MAX_AUDIO) {
So we have a situation where f->fmt is now zero, while we have tested only
if (f->owner).

I think there should be either a check for f->fmt being nonzero, or
<<  struct ast_format *fmt; /* need to write to the lock and usecnt */ >>
but there is no lock used, as far as I can see.

Or do I misunderstand something?

This situation occurs ONLY when ast_openstream_full is called on a channel that is just about to hang up (but I have not got info about it).

I can provide core dumps (have 4 dumps).

Attached is the output of
gdb /usr/sbin/asterisk --se=/usr/lib/debug/usr/sbin/asterisk core.ps40-2007-09-19T08\:11\:08+0200 <<END >astcrash.log && bzip2 -9 astcrash.log && mv astcrash.log.bz2 /home/ps40
bt full
info thread
thread apply all bt full
END

By: Joshua C. Colp (jcolp) 2007-10-29 14:56:19

Like I said, this is an underlying issue in app_conference. It should not be calling ast_openstream on a channel like this without holding the channel lock (which would prevent the channel from going away while ast_openstream is being called on it). Simply checking for the presence of f->fmt is not the fix as it is not being protected.
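
An added example, not taken from the ticket, from Asterisk or from app_conference: a toy C model of the point made in the last comment, that checking and dereferencing fmt is only safe while the caller holds the channel lock. All toy_* names are hypothetical, and the concurrent hangup is simulated in a single thread with pthread_mutex_trylock so the outcome is deterministic.

```c
/* Added illustration: toy types, not Asterisk's structures or API. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

struct toy_format { int format; };
struct toy_stream { struct toy_format *fmt; };
struct toy_chan {
    pthread_mutex_t lock;       /* stands in for the channel lock */
    struct toy_stream *stream;  /* NULL once the channel is torn down */
};

void toy_chan_init(struct toy_chan *c, struct toy_stream *s, struct toy_format *f)
{
    pthread_mutex_init(&c->lock, NULL);
    s->fmt = f;
    c->stream = s;
}

/* Teardown path: clears the stream only if it can take the channel lock.
 * Returns 0 on success, EBUSY if another path currently owns the channel. */
int toy_try_hangup(struct toy_chan *c)
{
    int rc = pthread_mutex_trylock(&c->lock);
    if (rc != 0)
        return rc;
    if (c->stream) {
        c->stream->fmt = NULL;  /* models fmt becoming NULL during hangup */
        c->stream = NULL;
    }
    pthread_mutex_unlock(&c->lock);
    return 0;
}

/* Playback path: the check and the dereference share one critical section.
 * *hangup_rc records what a hangup attempted mid-playback receives.
 * Returns the format id, or -1 if the channel was already gone. */
int toy_play_locked(struct toy_chan *c, int *hangup_rc)
{
    int id = -1;
    pthread_mutex_lock(&c->lock);
    if (c->stream && c->stream->fmt) {
        *hangup_rc = toy_try_hangup(c);  /* simulated concurrent hangup */
        id = c->stream->fmt->format;     /* still valid: hangup was excluded */
    }
    pthread_mutex_unlock(&c->lock);
    return id;
}
```

Without the lock in toy_play_locked, the simulated hangup would succeed between the NULL check and the dereference, which is why a bare f->fmt check does not close the window.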