Summary: ASTERISK-14933: [patch] crash in ast_frame_free / ast_generic_bridge
Reporter: Atis Lezdins (atis)
Labels:
Date Opened: 2009-10-02 12:35:39
Date Closed: 2009-11-13 14:51:43.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) 20091105__issue16013.diff.txt
( 1) bt.asterisk-dev-mc-2009-10-02T19:01:06+0300.27152.txt
( 2) bt.asterisk-dev-mc-2009-11-06T15:03:57+0200.1995_2.txt
( 3) gdb_cms_001.txt
( 4) gdb.txt
( 5) jpeeler-gdb.txt
Description: I have this crash sometimes on 1.6.1 branch

# 0  0x00000000004abe46 in ast_frame_free (frame=0x323931203a6d6f72, cache=1) at frame.c:379
# 1  0x000000000046600c in ast_generic_bridge (c0=0x2aaaac272818, c1=0x2aaad4079fb8, config=0x44065120, fo=0x44064278, rc=0x44064270, bridge_end={tv_sec = 0, tv_usec = 0}) at channel.c:4855
# 2  0x0000000000467e2e in ast_channel_bridge (c0=0x2aaaac272818, c1=0x2aaad4079fb8, config=0x44065120, fo=0x44064278, rc=0x44064270) at channel.c:5187
# 3  0x000000000049d00a in ast_bridge_call (chan=0x2aaaac272818, peer=0x2aaad4079fb8, config=0x44065120) at features.c:2540
# 4  0x00002aaab333b026 in dial_exec_full (chan=0x2aaaac272818, data=0x44067890, peerflags=0x44065680, continue_exec=0x0) at app_dial.c:1986
# 5  0x00002aaab333b863 in dial_exec (chan=0x2aaaac272818, data=0x44067890) at app_dial.c:2060
Comments:

By: Tilghman Lesher (tilghman) 2009-11-05 15:48:34.000-0600

What is the output of:

(gdb) p *frame

By: Tilghman Lesher (tilghman) 2009-11-05 15:54:54.000-0600

Secondarily, can you reproduce this crash with SVN branch 1.6.1 revision 224858 or later?  I diagnosed a similar frame corruption problem and the fix was in that revision.

By: Jeff Peeler (jpeeler) 2009-11-05 16:04:50.000-0600

The gdb.txt output is from 1.6.1 r228193.

By: Chris Stone (habile) 2009-11-05 17:19:08.000-0600

Hello, forgive the intrusion (and my possible ignorance), but I've had this for a while; I'm up to 227448. Can reproduce at will. Although I see this could be different, hence my possible ignorance.

See https://issues.asterisk.org/view.php?id=15842



By: Tilghman Lesher (tilghman) 2009-11-05 18:24:35.000-0600

Patch uploaded for testing.

By: Chris Stone (habile) 2009-11-06 02:23:03.000-0600

Still crashes for me. Attached gdb output gdb_cms_001.txt. Thanks.



By: Atis Lezdins (atis) 2009-11-06 07:38:40.000-0600

Attached backtrace while using r228147 + 20091105__issue16013.diff.txt

(gdb) p *frame
Cannot access memory at address 0x756d2f656d6f682f

(gdb) frame 1
# 1  0x0000000000460cdf in ast_write (chan=0x2aaac8133b68, fr=0x23b97f0) at channel.c:3582
3582                    ast_frfree(f);
(gdb) p *f
$1 = {frametype = AST_FRAME_DTMF_END, subclass = 0, datalen = 0, samples = 0, mallocd = -670184184, mallocd_hdr_len = 0, offset = -559038737, src = 0xc0 <Address 0xc0 out of bounds>, data = {ptr = 0xc4, uint32 = 196, pad = "?\000\000\000\000\000\000"}, delivery = {tv_sec = 46913257589472, tv_usec = 32}, frame_list = {next = 0x756d2f656d6f682f}, flags = 1630496370, ts = 3329899763270906729, len = 7002937344469577521, seqno = 1700754547}



By: Tilghman Lesher (tilghman) 2009-11-10 16:37:32.000-0600

Please attempt to replicate this issue when using revision 228695 or greater, as a fix went into 1.6.1 as of that revision number that fixed certain audiohook crashes.  This may also solve this issue.

By: Atis Lezdins (atis) 2009-11-13 08:39:54.000-0600

No crash on r229569 (with only difference --enable-dev-mode and DO_CRASH)

By: Tilghman Lesher (tilghman) 2009-11-13 14:51:39.000-0600

Appears to be fixed with David Vossell's change in revision 228695.