ASTERISK-12351: 1.4.21.1 crashes seg fault using console/dsp

[Home]

Summary: ASTERISK-12351: 1.4.21.1 crashes seg fault using console/dsp

Reporter: geisj (geisj) Labels:

Date Opened: 2008-07-09 15:17:58 Date Closed: 2008-08-20 13:59:35

Priority: Critical Regression? No

Status: Closed/Complete Components: Channels/chan_alsa

Versions: Frequency of
Occurrence

Related
Issues:

Environment: Attachments: ( 0) gdb.txt
( 1) running.txt

Description: Simple call into dialplan, dials console/dsp speaks message
every minute then hangs up. EVENTUALLY seg faults with below.
I am using alsa 1.0.16 with centos 4.6

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215857760 (LWP 29590)]
__ast_read (chan=0x8ed5e08, dropaudio=0) at channel.c:2052
2052 f = AST_LIST_REMOVE_HEAD(&chan->readq, frame_list);
(gdb) where
#0 __ast_read (chan=0x8ed5e08, dropaudio=0) at channel.c:2052
#1 0x08087b69 in ast_channel_bridge (c0=0x8eca668, c1=0x8ed5e08,
config=0xb78720d0, fo=0xb7871ca0, rc=0xb7871ca4) at channel.c:2348
#2 0x002f4bad in ast_bridge_call (chan=0x8eca668, peer=0x8ed5e08,
config=0xb78720d0) at res_features.c:1422
#3 0x00cbf03a in dial_exec_full (chan=0x8eca668, data=) at app_dial.c:1699
#4 0x00cc1bd4 in dial_exec (chan=0xffffffff, data=0xffffffff)
at app_dial.c:1753
ASTERISK-1 0x080ca1d0 in pbx_extension_helper (c=0x8eca668, con=)
at /usr/src/digium/asterisk-1.4.21.1/include/asterisk/strings.h:35
ASTERISK-2 0x080ceb46 in __ast_pbx_run (c=0x8eca668) at pbx.c:2317
ASTERISK-3 0x080d097e in pbx_thread (data=0x8eca668) at pbx.c:2636
ASTERISK-4 0x080ff5e5 in dummy_start (data=0xffffffff) at utils.c:895
ASTERISK-5 0x005963cc in start_thread () from /lib/tls/libpthread.so.0
ASTERISK-6 0x004ef1ae in clone () from /lib/tls/libc.so.6
(gdb) q
The program is running. Quit anyway (and detach it)? (y or n) Detaching from program: /usr/sbin/asterisk, process 28404

****** ADDITIONAL INFORMATION ******

00:00.0 Host bridge: VIA Technologies, Inc. CX700 Host Bridge (rev 10)
00:00.1 Host bridge: VIA Technologies, Inc. CX700 Host Bridge
00:00.2 Host bridge: VIA Technologies, Inc. CX700 Host Bridge
00:00.3 Host bridge: VIA Technologies, Inc. CX700 Host Bridge
00:00.4 Host bridge: VIA Technologies, Inc. CX700 Host Bridge
00:00.7 Host bridge: VIA Technologies, Inc. CX700 Host Bridge
00:01.0 PCI bridge: VIA Technologies, Inc. VT8237 PCI Bridge
00:08.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
00:0f.0 IDE interface: VIA Technologies, Inc. CX700M2 IDE
00:10.0 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 90)
00:10.1 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 90)
00:10.4 USB Controller: VIA Technologies, Inc. USB 2.0 (rev 90)
00:11.0 ISA bridge: VIA Technologies, Inc. CX700 PCI to ISA Bridge
00:11.7 Host bridge: VIA Technologies, Inc. CX700 Internal Module Bus
00:13.0 PCI bridge: VIA Technologies, Inc. CX700 Host Bridge
01:00.0 VGA compatible controller: VIA Technologies, Inc. CX700M2 UniChrome PRO II Graphics (rev 03)
02:01.0 Audio device: VIA Technologies, Inc. VIA High Definition Audio Controller (rev 10)

Comments: By: Joshua C. Colp (jcolp) 2008-07-10 18:20:09

Thanks for filing an issue, someone will get to it as soon as possible.
By: geisj (geisj) 2008-07-21 11:53:27

What does pending release branch mean?
If I check out svn is there a fix in there?

THanks,

Jerry
By: Kevin P. Fleming (kpfleming) 2008-07-28 16:04:23

The change to 'pending release branch' was a mistake; ignore it. If someone had provided a solution to your problem, you'd get more direct notice of it :-)

Please attach backtraces as attachments to the bug instead of as comments, and follow the other instructions in doc/backtrace.txt to get an entire backtrace.

If you can *also* reproduce the problem while running in gdb as you've shown above, then provide an attachment with the output of the following commands once the segfault has occurred:

(gdb) p *chan
(gdb) p chan->readq

Thanks.
By: geisj (geisj) 2008-07-28 20:05:56

I attached 2 files.
running.txt is the output of asterisk as it was running.
gdb.txt is the information retrieved from the core file created
as from doc/backtrace.txt

hope this helps a bunch.

jerry
By: Kevin P. Fleming (kpfleming) 2008-07-30 17:52:53

The backtrace shows some definitely incorrect data in chan->readq, but there is more information needed.

Can you build Asterisk with DONT_OPTIMIZE enabled in menuselect and get the same crash output? That will provide the maximum possible detail in gdb. Thanks.
By: geisj (geisj) 2008-07-30 17:55:53

I did build with DONT_OPIMIZE (*) enabled.

jerry
By: Kevin P. Fleming (kpfleming) 2008-08-01 13:44:33

Well, there isn't much else to go on then; somehow the 'readq' field in the channel structure has been corrupted and contains incorrect pointer values, so when the code tries to get the next entry off the linked list that is supposedly there, it crashes because it is following an invalid pointer.

The next likely step to try to find out why that occurred would be run Asterisk inside valgrind and watch for memory usage warnings, but doing so is somewhat complex and will slow down Asterisk quite a bit. Instructions on how do this are in doc/valgrind.txt in the source tree. It's probably the shortest path to finding out why this is occurring.
By: geisj (geisj) 2008-08-01 14:46:58

Forgive me for placing this in the note BUT when trying to attache the file
I got errors. tried multiple times.

please note the malloc_debug.txt was empty.

==3496== Memcheck, a memory error detector.
==3496== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==3496== Using LibVEX rev 1854, a library for dynamic binary translation.
==3496== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==3496== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==3496== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==3496== For more details, rerun with: -v
==3496==
==3496== My PID = 3496, parent PID = 21920. Prog and args are:
==3496== asterisk
==3496== -vvvvvvcg
==3496==
==3496== Invalid read of size 4
==3496== at 0x52423D: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x4058520 is 24 bytes inside a block of size 630 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x524760: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 1
==3496== at 0x524240: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x4058700 is 504 bytes inside a block of size 630 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x524760: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 4
==3496== at 0x524253: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x4058684 is 380 bytes inside a block of size 630 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x524760: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 4
==3496== at 0x52497F: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x405850c is 4 bytes inside a block of size 630 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x524760: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 1
==3496== at 0x40065C4: strlen (mc_replace_strmem.c:243)
==3496== by 0x418367: _dl_signal_error (in /lib/ld-2.3.4.so)
==3496== by 0x524992: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x40584a8 is 0 bytes inside a block of size 42 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x5246D8: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 1
==3496== at 0x40065CD: strlen (mc_replace_strmem.c:243)
==3496== by 0x418367: _dl_signal_error (in /lib/ld-2.3.4.so)
==3496== by 0x524992: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x40584a9 is 1 bytes inside a block of size 42 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x5246D8: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 2
==3496== at 0x41EB8A: memcpy (in /lib/ld-2.3.4.so)
==3496== by 0x524992: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x40584a8 is 0 bytes inside a block of size 42 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x5246D8: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 4
==3496== at 0x41EB8C: memcpy (in /lib/ld-2.3.4.so)
==3496== by 0x524992: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x40584aa is 2 bytes inside a block of size 42 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x5246D8: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Invalid read of size 1
==3496== at 0x41EB85: memcpy (in /lib/ld-2.3.4.so)
==3496== by 0x524992: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496== Address 0x4058bb0 is 0 bytes inside a block of size 41 free'd
==3496== at 0x40054A1: free (vg_replace_malloc.c:323)
==3496== by 0x5246D8: _dl_close (in /lib/tls/libc-2.3.4.so)
==3496== by 0x554D59: dlclose_doit (in /lib/libdl-2.3.4.so)
==3496== by 0x4185ED: _dl_catch_error (in /lib/ld-2.3.4.so)
==3496== by 0x5552BA: _dlerror_run (in /lib/libdl-2.3.4.so)
==3496== by 0x554D89: dlclose (in /lib/libdl-2.3.4.so)
==3496== by 0x80BEE55: load_dynamic_module (loader.c:389)
==3496== by 0x80BFC9A: load_resource (loader.c:654)
==3496== by 0x80C04B5: load_modules (loader.c:855)
==3496== by 0x80732F8: main (asterisk.c:3058)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570977B: snd_pcm_prepare (pcm.c:1015)
==3496== by 0x570982D: snd_pcm_hw_params (pcm.c:818)
==3496== by 0x5740E51: snd1_pcm_direct_initialize_slave (pcm_direct.c:973)
==3496== by 0x573F1B1: snd_pcm_dsnoop_open (pcm_dsnoop.c:583)
==3496== by 0x573F4FE: _snd_pcm_dsnoop_open (pcm_dsnoop.c:790)
==3496== by 0x570B227: snd_pcm_open_conf (pcm.c:2114)
==3496== by 0x570B812: snd_pcm_open_noupdate (pcm.c:2152)
==3496== by 0x570BA00: snd1_pcm_open_named_slave (pcm.c:2239)
==3496== by 0x5742A15: _snd_pcm_asym_open (pcm_asym.c:112)
==3496== by 0x570B227: snd_pcm_open_conf (pcm.c:2114)
==3496== by 0x570B812: snd_pcm_open_noupdate (pcm.c:2152)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x5741178: snd1_pcm_direct_initialize_slave (pcm_direct.c:1045)
==3496== by 0x573F1B1: snd_pcm_dsnoop_open (pcm_dsnoop.c:583)
==3496== by 0x573F4FE: _snd_pcm_dsnoop_open (pcm_dsnoop.c:790)
==3496== by 0x570B227: snd_pcm_open_conf (pcm.c:2114)
==3496== by 0x570B812: snd_pcm_open_noupdate (pcm.c:2152)
==3496== by 0x570BA00: snd1_pcm_open_named_slave (pcm.c:2239)
==3496== by 0x5742A15: _snd_pcm_asym_open (pcm_asym.c:112)
==3496== by 0x570B227: snd_pcm_open_conf (pcm.c:2114)
==3496== by 0x570B812: snd_pcm_open_noupdate (pcm.c:2152)
==3496== by 0x570BA00: snd1_pcm_open_named_slave (pcm.c:2239)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x5741178: snd1_pcm_direct_initialize_slave (pcm_direct.c:1045)
==3496== by 0x573C18B: snd_pcm_dmix_open (pcm_dmix.c:1006)
==3496== by 0x573C772: _snd_pcm_dmix_open (pcm_dmix.c:1297)
==3496== by 0x570B227: snd_pcm_open_conf (pcm.c:2114)
==3496== by 0x570B812: snd_pcm_open_noupdate (pcm.c:2152)
==3496== by 0x570BA00: snd1_pcm_open_named_slave (pcm.c:2239)
==3496== by 0x5742A15: _snd_pcm_asym_open (pcm_asym.c:112)
==3496== by 0x570B227: snd_pcm_open_conf (pcm.c:2114)
==3496== by 0x570B812: snd_pcm_open_noupdate (pcm.c:2152)
==3496== by 0x570BA00: snd1_pcm_open_named_slave (pcm.c:2239)
==3496==
==3496== Thread 29:
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573E7CB: snd_pcm_dsnoop_start (pcm_dsnoop.c:268)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x571AEF6: snd1_pcm_generic_start (pcm_generic.c:155)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x572593F: snd_pcm_rate_start (pcm_rate.c:1131)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x56B1993: ??? (chan_alsa.c:538)
==3496== by 0x808EA49: ast_call (channel.c:3042)
==3496== by 0x4528D8B: ??? (app_dial.c:1249)
==3496== by 0x452B792: ??? (app_dial.c:1753)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x574A649: snd_timer_start (timer.c:908)
==3496== by 0x573E7E8: snd_pcm_dsnoop_start (pcm_dsnoop.c:270)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x571AEF6: snd1_pcm_generic_start (pcm_generic.c:155)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x572593F: snd_pcm_rate_start (pcm_rate.c:1131)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x56B1993: ??? (chan_alsa.c:538)
==3496== by 0x808EA49: ast_call (channel.c:3042)
==3496== by 0x4528D8B: ??? (app_dial.c:1249)
==3496== by 0x452B792: ??? (app_dial.c:1753)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573E3BD: snd_pcm_dsnoop_sync_ptr (pcm_dsnoop.c:127)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x571AEA6: snd1_pcm_generic_hwsync (pcm_generic.c:143)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x57245C8: snd_pcm_rate_hwsync (pcm_rate.c:624)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x570FDFA: snd1_pcm_read_areas (pcm.c:6376)
==3496== by 0x5719C5F: snd_pcm_mmap_readi (pcm_mmap.c:236)
==3496== by 0x570A139: snd_pcm_readi (pcm_local.h:521)
==3496== by 0x56B204E: ??? (chan_alsa.c:683)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x574A691: snd_timer_stop (timer.c:919)
==3496== by 0x574027D: snd1_pcm_direct_timer_stop (pcm_direct.c:542)
==3496== by 0x573AFA6: snd_pcm_dmix_drop (pcm_dmix.c:598)
==3496== by 0x5709297: snd_pcm_drop (pcm.c:1068)
==3496== by 0x571AF1E: snd1_pcm_generic_drop (pcm_generic.c:161)
==3496== by 0x5709297: snd_pcm_drop (pcm.c:1068)
==3496== by 0x571AF1E: snd1_pcm_generic_drop (pcm_generic.c:161)
==3496== by 0x5709297: snd_pcm_drop (pcm.c:1068)
==3496== by 0x56B1C7C: ??? (chan_alsa.c:604)
==3496== by 0x808DC91: ast_write (channel.c:2727)
==3496== by 0x809173A: ast_generic_bridge (channel.c:3859)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573AE60: snd_pcm_dmix_start_timer (pcm_dmix.c:562)
==3496== by 0x573AF27: snd_pcm_dmix_start (pcm_dmix.c:585)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x571AEF6: snd1_pcm_generic_start (pcm_generic.c:155)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x572593F: snd_pcm_rate_start (pcm_rate.c:1131)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x5710074: snd1_pcm_write_areas (pcm.c:6483)
==3496== by 0x5719B9F: snd_pcm_mmap_writei (pcm_mmap.c:186)
==3496== by 0x5709F41: snd_pcm_writei (pcm_local.h:511)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x574A649: snd_timer_start (timer.c:908)
==3496== by 0x573AE75: snd_pcm_dmix_start_timer (pcm_dmix.c:564)
==3496== by 0x573AF27: snd_pcm_dmix_start (pcm_dmix.c:585)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x571AEF6: snd1_pcm_generic_start (pcm_generic.c:155)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x572593F: snd_pcm_rate_start (pcm_rate.c:1131)
==3496== by 0x5709C47: snd_pcm_start (pcm.c:1047)
==3496== by 0x5710074: snd1_pcm_write_areas (pcm.c:6483)
==3496== by 0x5719B9F: snd_pcm_mmap_writei (pcm_mmap.c:186)
==3496== by 0x5709F41: snd_pcm_writei (pcm_local.h:511)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573A9D6: snd_pcm_dmix_sync_ptr (pcm_dmix.c:398)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x571AEA6: snd1_pcm_generic_hwsync (pcm_generic.c:143)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x57245C8: snd_pcm_rate_hwsync (pcm_rate.c:624)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x570FF90: snd1_pcm_write_areas (pcm.c:6445)
==3496== by 0x5719B9F: snd_pcm_mmap_writei (pcm_mmap.c:186)
==3496== by 0x5709F41: snd_pcm_writei (pcm_local.h:511)
==3496== by 0x56B1D70: ??? (chan_alsa.c:624)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x574A691: snd_timer_stop (timer.c:919)
==3496== by 0x573AA6E: snd_pcm_dmix_sync_ptr (pcm_dmix.c:420)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x571AEA6: snd1_pcm_generic_hwsync (pcm_generic.c:143)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x57245C8: snd_pcm_rate_hwsync (pcm_rate.c:624)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x570FF90: snd1_pcm_write_areas (pcm.c:6445)
==3496== by 0x5719B9F: snd_pcm_mmap_writei (pcm_mmap.c:186)
==3496== by 0x5709F41: snd_pcm_writei (pcm_local.h:511)
==3496== by 0x56B1D70: ??? (chan_alsa.c:624)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573A9D6: snd_pcm_dmix_sync_ptr (pcm_dmix.c:398)
==3496== by 0x573B8A8: snd_pcm_dmix_avail_update (pcm_dmix.c:815)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x571BEB7: snd_pcm_plugin_avail_update (pcm_plugin.c:459)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x57250FF: snd_pcm_rate_avail_update (pcm_rate.c:991)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x570FFA5: snd1_pcm_write_areas (pcm.c:6449)
==3496== by 0x5719B9F: snd_pcm_mmap_writei (pcm_mmap.c:186)
==3496== by 0x5709F41: snd_pcm_writei (pcm_local.h:511)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x574A691: snd_timer_stop (timer.c:919)
==3496== by 0x573AA6E: snd_pcm_dmix_sync_ptr (pcm_dmix.c:420)
==3496== by 0x573B8A8: snd_pcm_dmix_avail_update (pcm_dmix.c:815)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x571BC39: snd_pcm_plugin_mmap_commit (pcm_plugin.c:402)
==3496== by 0x570FBC5: snd_pcm_mmap_commit (pcm.c:6306)
==3496== by 0x5724D48: snd_pcm_rate_commit_area (pcm_rate.c:737)
==3496== by 0x572504A: snd_pcm_rate_sync_playback_area (pcm_rate.c:823)
==3496== by 0x57250AB: snd_pcm_rate_mmap_commit (pcm_rate.c:975)
==3496== by 0x570FBC5: snd_pcm_mmap_commit (pcm.c:6306)
==3496== by 0x57199B1: snd_pcm_mmap_write_areas (pcm_mmap.c:123)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573A9D6: snd_pcm_dmix_sync_ptr (pcm_dmix.c:398)
==3496== by 0x573B7DF: snd_pcm_dmix_mmap_commit (pcm_dmix.c:796)
==3496== by 0x570FBC5: snd_pcm_mmap_commit (pcm.c:6306)
==3496== by 0x571BD5F: snd_pcm_plugin_mmap_commit (pcm_plugin.c:426)
==3496== by 0x570FBC5: snd_pcm_mmap_commit (pcm.c:6306)
==3496== by 0x5724D48: snd_pcm_rate_commit_area (pcm_rate.c:737)
==3496== by 0x572504A: snd_pcm_rate_sync_playback_area (pcm_rate.c:823)
==3496== by 0x57250AB: snd_pcm_rate_mmap_commit (pcm_rate.c:975)
==3496== by 0x570FBC5: snd_pcm_mmap_commit (pcm.c:6306)
==3496== by 0x57199B1: snd_pcm_mmap_write_areas (pcm_mmap.c:123)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x574A691: snd_timer_stop (timer.c:919)
==3496== by 0x573E87B: snd_pcm_dsnoop_drop (pcm_dsnoop.c:283)
==3496== by 0x5709297: snd_pcm_drop (pcm.c:1068)
==3496== by 0x571AF1E: snd1_pcm_generic_drop (pcm_generic.c:161)
==3496== by 0x5709297: snd_pcm_drop (pcm.c:1068)
==3496== by 0x571AF1E: snd1_pcm_generic_drop (pcm_generic.c:161)
==3496== by 0x5709297: snd_pcm_drop (pcm.c:1068)
==3496== by 0x56B1BBB: ??? (chan_alsa.c:582)
==3496== by 0x8089603: ast_hangup (channel.c:1485)
==3496== by 0x452AE7C: ??? (app_dial.c:1719)
==3496== by 0x452B792: ??? (app_dial.c:1753)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573E3BD: snd_pcm_dsnoop_sync_ptr (pcm_dsnoop.c:127)
==3496== by 0x573EC00: snd_pcm_dsnoop_avail_update (pcm_dsnoop.c:400)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x571BEB7: snd_pcm_plugin_avail_update (pcm_plugin.c:459)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x57250FF: snd_pcm_rate_avail_update (pcm_rate.c:991)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x570FDB4: snd1_pcm_read_areas (pcm.c:6380)
==3496== by 0x5719C5F: snd_pcm_mmap_readi (pcm_mmap.c:236)
==3496== by 0x570A139: snd_pcm_readi (pcm_local.h:521)
==3496==
==3496== Syscall param ioctl(arg) contains uninitialised byte(s)
==3496== at 0x4E7249: ioctl (in /lib/tls/libc-2.3.4.so)
==3496== by 0x570999B: snd_pcm_hwsync (pcm.c:932)
==3496== by 0x573E3BD: snd_pcm_dsnoop_sync_ptr (pcm_dsnoop.c:127)
==3496== by 0x573EBAC: snd_pcm_dsnoop_mmap_commit (pcm_dsnoop.c:383)
==3496== by 0x570FBC5: snd_pcm_mmap_commit (pcm.c:6306)
==3496== by 0x571C046: snd_pcm_plugin_avail_update (pcm_plugin.c:500)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x57250FF: snd_pcm_rate_avail_update (pcm_rate.c:991)
==3496== by 0x570BC97: snd_pcm_avail_update (pcm.c:2361)
==3496== by 0x570FDB4: snd1_pcm_read_areas (pcm.c:6380)
==3496== by 0x5719C5F: snd_pcm_mmap_readi (pcm_mmap.c:236)
==3496== by 0x570A139: snd_pcm_readi (pcm_local.h:521)
==3496==
==3496== Invalid read of size 4
==3496== at 0x808B369: __ast_read (channel.c:2052)
==3496== by 0x808C7BE: ast_read (channel.c:2348)
==3496== by 0x80914AF: ast_generic_bridge (channel.c:3800)
==3496== by 0x80926A1: ast_channel_bridge (channel.c:4114)
==3496== by 0x44C009D: ast_bridge_call (res_features.c:1422)
==3496== by 0x452AD86: ??? (app_dial.c:1699)
==3496== by 0x452B792: ??? (app_dial.c:1753)
==3496== by 0x80D0F63: pbx_exec (strings.h:35)
==3496== by 0x80D4A0B: pbx_extension_helper (pbx.c:1862)
==3496== by 0x80D5D83: ast_spawn_extension (pbx.c:2317)
==3496== by 0x80D6301: __ast_pbx_run (pbx.c:2419)
==3496== by 0x80D70EE: pbx_thread (pbx.c:2636)
==3496== Address 0xfff0001c is not stack'd, malloc'd or (recently) free'd
==3496==
==3496== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3496== Access not within mapped region at address 0xFFF0001C
==3496== at 0x808B369: __ast_read (channel.c:2052)
==3496== by 0x808C7BE: ast_read (channel.c:2348)
==3496== by 0x80914AF: ast_generic_bridge (channel.c:3800)
==3496== by 0x80926A1: ast_channel_bridge (channel.c:4114)
==3496== by 0x44C009D: ast_bridge_call (res_features.c:1422)
==3496== by 0x452AD86: ??? (app_dial.c:1699)
==3496== by 0x452B792: ??? (app_dial.c:1753)
==3496== by 0x80D0F63: pbx_exec (strings.h:35)
==3496== by 0x80D4A0B: pbx_extension_helper (pbx.c:1862)
==3496== by 0x80D5D83: ast_spawn_extension (pbx.c:2317)
==3496== by 0x80D6301: __ast_pbx_run (pbx.c:2419)
==3496== by 0x80D70EE: pbx_thread (pbx.c:2636)
==3496==
==3496== ERROR SUMMARY: 7833 errors from 27 contexts (suppressed: 620 from 2)
==3496== malloc/free: in use at exit: 1,504,710 bytes in 7,832 blocks.
==3496== malloc/free: 13,688 allocs, 5,856 frees, 2,811,329 bytes allocated.
==3496== For counts of detected errors, rerun with: -v
==3496== searching for pointers to 7,832 not-freed blocks.
==3496== checked 17,994,672 bytes.
==3496==
==3496== LEAK SUMMARY:
==3496== definitely lost: 1,171 bytes in 31 blocks.
==3496== possibly lost: 15,304 bytes in 350 blocks.
==3496== still reachable: 1,488,235 bytes in 7,451 blocks.
==3496== suppressed: 0 bytes in 0 blocks.
==3496== Rerun with --leak-check=full to see details of leaked memory.
By: Kevin P. Fleming (kpfleming) 2008-08-20 13:59:31

User has told me via direct email that switching to a different Linux distribution solved his problem, so this is unlikely to be a problem in Asterisk itself.