Summary:ASTERISK-14787: [patch] segfault when transferring a queue caller
Reporter:fhackenberger (fhackenberger)Labels:
Date Opened:2009-09-08 03:55:33Date Closed:2009-11-09 16:23:25.000-0600
Versions:Frequency of
Environment:Attachments:( 0) bt.txt
( 1) bt2.txt
( 2) bt3.txt
( 3) digium_bug_0015848
Description:The segfault happens after transferring (SIP re-invite) a queue call.

#0  0xb7d5da04 in __pthread_mutex_unlock_usercnt () from /lib/tls/i686/cmov/libpthread.so.0
#0  0xb7d5da04 in __pthread_mutex_unlock_usercnt () from /lib/tls/i686/cmov/libpthread.so.0
#1  0xb61ef779 in sip_hangup (ast=0xb3902a20) at /tmp/buildd/asterisk-
#2  0x08087eb9 in ast_do_masquerade (original=0x8722db8) at channel.c:4406
#3  0x0808b589 in ast_waitfor_nandfds (c=0xb41fa200, n=2, fds=0x0, nfds=0, exception=0x0, outfd=0x0, ms=0xb41fa214) at channel.c:2004
#4  0x0808bb4f in ast_waitfor_n (c=0xb41fa200, n=2, ms=0xb41fa214) at channel.c:2318
ASTERISK-1  0x0808e2d4 in ast_channel_bridge (c0=0x8722db8, c1=0x87407f8, config=0xb41fa61c, fo=0xb41fa2ec, rc=0xb41fa2e8) at channel.c:4733
ASTERISK-2  0x080b06b6 in ast_bridge_call (chan=0x8722db8, peer=0x87407f8, config=0xb41fa61c) at features.c:2538
ASTERISK-3  0xb5bfa2e9 in dial_exec_full (chan=0x8722db8, data=0xb41fd138, peerflags=0xb41fae90, continue_exec=0x0) at app_dial.c:1986
ASTERISK-4  0xb5bfc174 in dial_exec (chan=0x8722db8, data=0xb41fd138) at app_dial.c:2060
ASTERISK-5  0x080ddab5 in pbx_exec (c=0x8722db8, app=0x82b0d00, data=0xb41fd138) at pbx.c:960
ASTERISK-6 0x080e4632 in pbx_extension_helper (c=0x8722db8, con=0x0, context=0x8723028 "agents", exten=0x8723078 "972605572372450", priority=9,
   label=0x0, callerid=0x848d910 "0314224713906", action=E_SPAWN, found=0xb41ff244, combined_find_spawn=1) at pbx.c:3201
ASTERISK-7 0x080e6ecc in __ast_pbx_run (c=0x8722db8, args=0x0) at pbx.c:3745
ASTERISK-8 0x080e89d0 in pbx_thread (data=0x8722db8) at pbx.c:4032
ASTERISK-9 0x0811ca47 in dummy_start (data=0x86be7f8) at utils.c:968
ASTERISK-10 0xb7d5a4fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
ASTERISK-11 0xb6f7be5e in clone () from /lib/tls/i686/cmov/libc.so.6


The asterisk version I'm using is r209515 from the 1.6.1 branch. I did not use the version (which was the newest when I set up the system), because I needed the T.38 fixes which went in just after was released. If necessary, I can recompile and try to reproduce. But that would be quite some effort on the production system, especially as the segfault is not reproducible every time.
Comments:By: fhackenberger (fhackenberger) 2009-09-08 10:16:29

added 'bt; thread apply all bt' output

By: Leif Madsen (lmadsen) 2009-09-15 12:11:06

I'm seeing in your backtrace <value optimized out> which is indicative of not having DONT_OPTIMIZE enabled in the Compiler Flags section of menuselect. If you're able to recompile your current version of Asterisk with this flag enabled, then the backtrace will typically be a lot more useful for the developers.


By: fhackenberger (fhackenberger) 2009-09-30 04:42:47

Attached a new backtrace with a DONT_OPTIMIZE build.

By: fhackenberger (fhackenberger) 2009-09-30 07:29:19

I added another backtrace of the same segfault to aid with analysis.

By: Leif Madsen (lmadsen) 2009-09-30 10:39:20


By: triccyx (triccyx) 2009-10-10 03:47:09

Same problem with

By: triccyx (triccyx) 2009-10-10 03:48:39

#0  0xb7ce6a04 in __pthread_mutex_unlock_usercnt () from /lib/tls/i686/cmov/libpthread.so.0
(gdb) bt
#0  0xb7ce6a04 in __pthread_mutex_unlock_usercnt () from /lib/tls/i686/cmov/libpthread.so.0
#1  0xb7ebeee6 in pthread_mutex_unlock () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7514228 in ast_mutex_unlock (pmutex=0x98) at /usr/src/asterisk_1.6.1.6/include/asterisk/lock.h:1708
#3  0xb752266a in sip_hangup (ast=0x853fd20) at chan_sip.c:5357
#4  0x08094c7d in ast_do_masquerade (original=0x84de880) at channel.c:4408
ASTERISK-1  0x0808dcd1 in ast_waitfor_nandfds (c=0xb6a14558, n=2, fds=0x0, nfds=0, exception=0x0, outfd=0x0, ms=0xb6a14554) at channel.c:2006
ASTERISK-2  0x0808e47c in ast_waitfor_n (c=0xb6a14558, n=2, ms=0xb6a14554) at channel.c:2320
ASTERISK-3  0x08095f58 in ast_generic_bridge (c0=0x84de880, c1=0x85c5658, config=0xb6a157e4, fo=0xb6a14a8c, rc=0xb6a14a88, bridge_end={tv_sec = 0, tv_usec = 0}) at channel.c:4735
ASTERISK-4  0x08097a26 in ast_channel_bridge (c0=0x84de880, c1=0x85c5658, config=0xb6a157e4, fo=0xb6a14a8c, rc=0xb6a14a88) at channel.c:5150
ASTERISK-5  0x080bcebf in ast_bridge_call (chan=0x84de880, peer=0x85c5658, config=0xb6a157e4) at features.c:2538
ASTERISK-6 0xb760ea5a in dial_exec_full (chan=0x84de880, data=0xb6a17cdc, peerflags=0xb6a15b68, continue_exec=0x0) at app_dial.c:1986
ASTERISK-7 0xb760f1da in dial_exec (chan=0x84de880, data=0xb6a17cdc) at app_dial.c:2060
ASTERISK-8 0x080e869c in pbx_exec (c=0x84de880, app=0x8247af8, data=0xb6a17cdc) at pbx.c:960
ASTERISK-9 0x080eee1c in pbx_extension_helper (c=0x84de880, con=0x0, context=0x84deaf0 "macro-call_generic_fork_tks", exten=0x84deb40 "s", priority=1, label=0x0,
   callerid=0x8598768 "5020000000697", action=E_SPAWN, found=0xb6a1a460, combined_find_spawn=1) at pbx.c:3201
ASTERISK-10 0x080f0071 in ast_spawn_extension (c=0x84de880, context=0x84deaf0 "macro-call_generic_fork_tks", exten=0x84deb40 "s", priority=1, callerid=0x8598768 "5020000000697",
   found=0xb6a1a460, combined_find_spawn=1) at pbx.c:3656
ASTERISK-11 0xb7503486 in _macro_exec (chan=0x84de880, data=0xb6a1ce8c, exclusive=0) at app_macro.c:342
ASTERISK-12 0xb750458f in macro_exec (chan=0x84de880, data=0xb6a1ce8c) at app_macro.c:505
ASTERISK-13 0x080e869c in pbx_exec (c=0x84de880, app=0x82289c8, data=0xb6a1ce8c) at pbx.c:960
ASTERISK-14 0x080eee1c in pbx_extension_helper (c=0x84de880, con=0x0, context=0x84deaf0 "macro-call_generic_fork_tks", exten=0x84deb40 "s", priority=2, label=0x0,
   callerid=0x8598768 "5020000000697", action=E_SPAWN, found=0xb6a1f2f0, combined_find_spawn=1) at pbx.c:3201
ASTERISK-15 0x080f0071 in ast_spawn_extension (c=0x84de880, context=0x84deaf0 "macro-call_generic_fork_tks", exten=0x84deb40 "s", priority=2, callerid=0x8598768 "5020000000697",
   found=0xb6a1f2f0, combined_find_spawn=1) at pbx.c:3656
ASTERISK-16 0x080f070c in __ast_pbx_run (c=0x84de880, args=0x0) at pbx.c:3745
ASTERISK-17 0x080f1b4c in pbx_thread (data=0x84de880) at pbx.c:4032
ASTERISK-18 0x0813db9e in dummy_start (data=0x81ec2a0) at utils.c:968
ASTERISK-19 0xb7ce34fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
ASTERISK-20 0xb7eb1e5e in clone () from /lib/tls/i686/cmov/libc.so.6

By: fhackenberger (fhackenberger) 2009-10-14 04:55:27

I should mention that we use attended transfer.

By: Thomas Schaefer (toms) 2009-10-14 05:06:27

I have the same problem with Asterisk using attended transfer via SIP-Phones (snom m3)

kern.log:Oct  9 17:28:57 pbx kernel: [90654.872004] asterisk[4828]: segfault at a4 ip b7c0efd4 sp b68b8bd4 error 4 in libpthread-2.7.so[b7c06000+15000]
kern.log:Oct 12 17:19:45 pbx kernel: [349302.452573] asterisk[7202]: segfault at a4 ip b7ca0fd4 sp b6af7fc4 error 4 in libpthread-2.7.so[b7c98000+15000]
kern.log:Oct 13 09:15:39 pbx kernel: [22498.700417] asterisk[3445]: segfault at a4 ip b7c72fd4 sp b6c77fc4 error 4 in libpthread-2.7.so[b7c6a000+15000]

By: fhackenberger (fhackenberger) 2009-10-14 05:12:09

I'm going to test the attached patch digium_bug_0015848

By: fhackenberger (fhackenberger) 2009-10-16 10:24:12

No segfault for the last two days, looks good.

By: fhackenberger (fhackenberger) 2009-10-19 02:42:14

Still up and running, I'd consider the patch ready for inclusion, although a second opinion would be great. TomS or triccyx, would you be willing to test the patch?

By: Thomas Schaefer (toms) 2009-10-24 16:53:52

fhackenberger, thanks for the patch.
I installed the patch today on our
Without the patch our last crashes where 10 days apart (1x Oct 13, 3x Oct 23)
So lets wait and see.

By: Michael J. Miller (shin-shoryuken) 2009-10-26 13:26:38

Same issue as documented above, with the following system:

OS: Debian Lenny (kernel 2.6.26-2-amd64)
Asterisk ver:
Sip hardware: Polycom 601 (firmware 2.2.2 and 3.1.2)

One or two segfaults a day, and I could cause them on command by making attended transfers back and forth to different queues/phones; since installing fhackenberger's patch on 2009-10-23, I haven't seen a single crash.  If you need a backtrace to confirm that it was the same issue, I can provide one.

By: Thomas Schaefer (toms) 2009-10-27 06:12:18

After 3 days with chan_sip-patch we had no more "transfer-crashes" yet ( on lenny).

Today the asterisk didn't accept incomming SIP-connections anymore.
I hadn't the chance to check for cause of the problem (its running in an production environment so i had to reboot immediately, sorry).
So this could have been an unfortunate coincidence and may had nothing to do with the patch. But I thought its better to mention it.

By: Atis Lezdins (atis) 2009-10-27 06:38:06

TomS: create a script if it happens next time:

asterisk -rx "core show locks" > locks.txt
killall -6 asterisk

also make sure that asterisk is compiled with DONT_OPTIMIZE and DEBUG_THREADS

So, the "kill -6" will make asterisk dump to core and if necessary you may get some debug out of it.

By: Thomas Schaefer (toms) 2009-10-29 10:05:14

Today we had the problem again (no sip-connections). I wasn't available for debugging, so the pbx was restarted manually.
I'm sorry, but i have to abort the test. That installation isn't suitable for testing.

I just saw: after applying the patch, we had 3 segfaults in the last 3 days (none of the tranfer-segfault with libpthread):
kern.log:Oct 27 13:53:35 pbx kernel: [ 9552.763000] asterisk[3488]: segfault at 56 ip b7c84c15 sp b6c83c6c error 6 in libc-2.7.so[b7c0d000+155000]
kern.log:Oct 28 10:54:18 pbx kernel: [28417.334776] asterisk[3657]: segfault at 703a7069 ip 0808ebd0 sp b6ce5ff0 error 4 in asterisk[8048000+156000]
kern.log:Oct 29 12:59:51 pbx kernel: [35951.025626] asterisk[3564]: segfault at 430a0d38 ip 0809d210 sp b6cabbc8 error 4 in asterisk[8048000+156000]

I have to downgrade to asterisk on this installation, sorry.

By: fhackenberger (fhackenberger) 2009-10-30 06:02:55

TomS: Judging from you comments, it seems that you upgraded to in order to apply the patch. Unfortunately that makes your test results unreliable, because that upgrade pulled in a lot of other, unrelated, changes. Have you been unable to apply it on your current installation? Can I help you with that?

By: Thomas Schaefer (toms) 2009-11-03 01:41:54.000-0600

fhackenberger: Our new problem with the lack of incomming SIP connections was not related with your patch. After downgrading from (with your patch) to and then to (because of hint-issues with .15) I didnt apply your patch since there is no known issue with transfers on the 1.6.0-tree.
The new problem with no sip connections reapeard on the downgraded system too.
Yesterday I replaced the asterisk-hardware and switch and downgraded to to get hopefully finally rid of all problems.

I would have liked to continue testing your patch which certenly changed the behavier of on transfers in a positive way, but the productive system was to important for longer tests.
My other (testing) platform with (without patch) hadn't any problems with transfers yet but on the other hand we use the transfer-function not very often there.

I just want to repeat: my problem with the missing incomming sip connections was not related to your patch.

By: Leif Madsen (lmadsen) 2009-11-03 09:09:30.000-0600

Thanks for clearing that up. Any other issues you have should be reported as separate bugs.

To clear this up for the developers, this issue is ready for review, and potentially ready for merging.

By: Leif Madsen (lmadsen) 2009-11-04 08:35:09.000-0600

Hmm, I just saw this same thing on the weekend. Perhaps I should try to reproduce the issue and test this patch today...

By: Alec Davis (alecdavis) 2009-11-05 19:54:16.000-0600

We may be seeing similar here. Twice today. No debug yet, just waiting for next crash, have recompiled with DON'T OPTIMIZE.

Asterisk SVN-branch-1.6.1-r226977

It's not reproducible, I've tried!
I believe the transfer is an attended trasnfer as you see the incomimg line (DAHDI/1-1) start music on hold, then the iaxtrunk, then they both stop music then seems to be all over.

console output is all I have so far.
<pre>!! Unknown IE 50 (cs5, Unknown Information Element)
   -- Executing [9340@incoming:1] NoOp("DAHDI/1-1", "Incoming call callingsubaddr= calledsubaddr=") in new stack
   -- Executing [9340@incoming:2] GotoIf("DAHDI/1-1", "1?internal,8801,1") in new stack
   -- Goto (internal,8801,1)
   -- Executing [8801@internal:1] NoOp("DAHDI/1-1", "queue 2 dialled callingsubaddr= calledsubaddr=") in new stack
   -- Executing [8801@internal:2] NoOp("DAHDI/1-1", "Queue_member logged=2 free=2") in new stack
   -- Executing [8801@internal:3] Ringing("DAHDI/1-1", "") in new stack
   -- Accepting call from '95551234' to '9340' on channel 0/1, span 1
   -- Executing [8801@internal:4] GotoIf("DAHDI/1-1", "0?nightservice") in new stack
   -- Executing [8801@internal:5] GotoIf("DAHDI/1-1", "1?noannounce") in new stack
   -- Goto (internal,8801,11)
   -- Executing [8801@internal:11] Queue("DAHDI/1-1", "queue2,rhH,,,90") in new stack
 == Using SIP RTP CoS mark 5
 == Using SIP RTP CoS mark 5
 == Extension Changed 8820[internal] new state Ringing for Notify User 9001
 == Extension Changed 8820[internal] new state Ringing for Notify User 9000
   -- SIP/9015-000003ef is ringing
   -- SIP/9001-000003f0 is ringing
 == Extension Changed 8820[internal] new state InUse for Notify User 9001
   -- SIP/9001-000003f0 answered DAHDI/1-1
 == Extension Changed 8820[internal] new state InUse for Notify User 9000
   -- Started music on hold, class 'default', on DAHDI/1-1
 == Using SIP RTP CoS mark 5
   -- Executing [5053@internal:1] Dial("SIP/9001-000003f1", "IAX2/siteb/5053,,r") in new stack
   -- Called siteb/5053
   -- Call accepted by 192.168.x.yy (format alaw)
   -- Format for call is alaw
   -- IAX2/siteb-21016 is proceeding passing it to SIP/9001-000003f1
   -- IAX2/siteb-21016 is ringing
   -- IAX2/siteb-21016 answered SIP/9001-000003f1
   -- Started music on hold, class 'default', on IAX2/siteb-21016
   -- Stopped music on hold on DAHDI/1-1
   -- Stopped music on hold on IAX2/siteb-21016
Disconnected from Asterisk server
Executing last minute cleanups
Asterisk cleanly ending (0).</pre>

By: Digium Subversion (svnbot) 2009-11-09 16:23:22.000-0600

Repository: asterisk
Revision: 229012

U   branches/1.6.2/channels/chan_sip.c

r229012 | dvossel | 2009-11-09 16:23:22 -0600 (Mon, 09 Nov 2009) | 12 lines

fixes segfault when transferring a queue caller

In sip_hangup we attempted to lock p->owner after we set it to NULL.
Thanks to fhackenberger for reporting the issue and submitting a patch.

(closes issue ASTERISK-14787)
Reported by: fhackenberger
     digium_bug_0015848 uploaded by fhackenberger (license 592)
Tested by: fhackenberger, lmadsen, TomS, shin-shoryuken, dvossel