Summary: | ASTERISK-15138: ast_rtp_destroy causes segmentation violation | ||
Reporter: | J.W.F. Thirion (thirionjwf) | Labels: | |
Date Opened: | 2009-11-14 02:34:27.000-0600 | Date Closed: | 2011-06-07 14:00:59 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Core/RTP |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: | I have an application that communicates to a Nuance Media Server/Text-to-speech engine via UniMRCP (0.8.0)/SofiaSIP (SVN head of FreeSwitch, 1.2.10devel). Audio is played back successfully, but after the speech channel is destroyed, and the application hangs up, Asterisk segfaults. From the traces of gdb, it looks like it happens when I get:

WARNING[5131]: res_rtp_asterisk.c:1884 ast_rtp_read: RTP Read error: Socket operation on non-socket. Hanging up.

My application closes all speech resources and after that was done successfully, and Asterisk hangs up, the crash occurs (the call is then still not hung up, so it must happen in the Hangup function). Attached is the full trace of what happened. Any help would be appreciated!

****** ADDITIONAL INFORMATION ******

== Spawn extension (default, 1003, 3) exited non-zero on 'SIP/derik-00000002'
*** glibc detected *** asterisk: free(): invalid pointer: 0x09fa2770 ***
======= Backtrace: =========
/lib/libc.so.6[0x528595]
/lib/libc.so.6(cfree+0x59)[0x5289d9]
/usr/lib/asterisk/modules/res_rtp_asterisk.so[0xb4d2df]
asterisk[0x8123399]
asterisk[0x807b447]
asterisk(ast_rtp_instance_destroy+0x19)[0x8122c99]
/usr/lib/asterisk/modules/chan_sip.so[0x1bfb0b0]
asterisk[0x807b447]
/usr/lib/asterisk/modules/chan_sip.so[0x1bc007a]
/usr/lib/asterisk/modules/chan_sip.so[0x1bc097b]
asterisk[0x807c3b1]
asterisk(__ao2_callback+0x4a)[0x807ccca]
/usr/lib/asterisk/modules/chan_sip.so[0x1c03d16]
asterisk[0x815999b]
/lib/libpthread.so.0[0x63a5ab]
/lib/libc.so.6(clone+0x5e)[0x590cfe]
Aborted (core dumped)

#0 0x00a64410 in __kernel_vsyscall ()
#1 0x004e7df0 in raise () from /lib/libc.so.6
#2 0x004e9701 in abort () from /lib/libc.so.6
#3 0x0052028b in __libc_message () from /lib/libc.so.6
#4 0x00528595 in _int_free () from /lib/libc.so.6
#5 0x005289d9 in free () from /lib/libc.so.6
#6 0x00b4d2df in ast_rtp_destroy (instance=0x9f87710) at res_rtp_asterisk.c:477
#7 0x08123399 in instance_destructor (obj=0x9f87710) at rtp_engine.c:268
#8 0x0807b447 in internal_ao2_ref (user_data=0x9f87710, delta=-1) at astobj2.c:283
#9 0x08122c99 in ast_rtp_instance_destroy (instance=0x9f87710) at rtp_engine.c:281
#10 0x01bfb0b0 in __sip_destroy (p=0x9f8aa28, lockowner=1, lockdialoglist=5040) at chan_sip.c:5854
#11 0x0807b447 in internal_ao2_ref (user_data=0x9f8aa28, delta=-1) at astobj2.c:283
#12 0x01bc007a in dialog_unlink_all (dialog=0x9f8aa28, lockowner=1, lockdialoglist=<value optimized out>) at chan_sip.c:1930
#13 0x01bc097b in dialog_needdestroy (dialogobj=0x9f8aa28, arg=0xb7b97348, flags=7) at chan_sip.c:15639
#14 0x0807c3b1 in internal_ao2_callback (c=0x9f65990, flags=7, cb_fn=0x1bc0480, arg=0xb7b97348, data=0x0, type=DEFAULT, tag=0x0, file=0x0, line=0, funcname=0x0) at astobj2.c:685
#15 0x0807ccca in __ao2_callback (c=0x9f65990, flags=7, cb_fn=0x1bc0480 <dialog_needdestroy>, arg=0xb7b97348) at astobj2.c:774
#16 0x01c03d16 in do_monitor (data=0x0) at chan_sip.c:23482
#17 0x0815999b in dummy_start (data=0x9f6b990) at utils.c:968
#18 0x0063a5ab in start_thread () from /lib/libpthread.so.0
#19 0x00590cfe in clone () from /lib/libc.so.6

(gdb) frame 0
#0 0x00a64410 in __kernel_vsyscall ()
(gdb) frame 1
#1 0x004e7df0 in raise () from /lib/libc.so.6
(gdb) frame 2
#2 0x004e9701 in abort () from /lib/libc.so.6
(gdb) frame 3
#3 0x0052028b in __libc_message () from /lib/libc.so.6
(gdb) frame 4
#4 0x00528595 in _int_free () from /lib/libc.so.6
(gdb) frame 5
#5 0x005289d9 in free () from /lib/libc.so.6
(gdb) frame 6
#6 0x00b4d2df in ast_rtp_destroy (instance=0x9f87710) at res_rtp_asterisk.c:477
477 ast_free(rtp);
(gdb) frame 7
#7 0x08123399 in instance_destructor (obj=0x9f87710) at rtp_engine.c:268
268 if (instance->data && instance->engine->destroy(instance)) {
(gdb) frame 8
#8 0x0807b447 in internal_ao2_ref (user_data=0x9f87710, delta=-1) at astobj2.c:283
283 obj->priv_data.destructor_fn(user_data);
(gdb) frame 9
#9 0x08122c99 in ast_rtp_instance_destroy (instance=0x9f87710) at rtp_engine.c:281
281 ao2_ref(instance, -1);
(gdb) frame 10
#10 0x01bfb0b0 in __sip_destroy (p=0x9f8aa28, lockowner=1, lockdialoglist=5040) at chan_sip.c:5854
5854 ast_rtp_instance_destroy(p->rtp);
(gdb) frame 11
#11 0x0807b447 in internal_ao2_ref (user_data=0x9f8aa28, delta=-1) at astobj2.c:283
283 obj->priv_data.destructor_fn(user_data);
(gdb) frame 12
#12 0x01bc007a in dialog_unlink_all (dialog=0x9f8aa28, lockowner=1, lockdialoglist=<value optimized out>) at chan_sip.c:1930
1930 ao2_ref(p, -1);
(gdb) frame 13
#13 0x01bc097b in dialog_needdestroy (dialogobj=0x9f8aa28, arg=0xb7b97348, flags=7) at chan_sip.c:15639
15639 dialog_unlink_all(dialog, TRUE, FALSE);
(gdb) frame 14
#14 0x0807c3b1 in internal_ao2_callback (c=0x9f65990, flags=7, cb_fn=0x1bc0480, arg=0xb7b97348, data=0x0, type=DEFAULT, tag=0x0, file=0x0, line=0, funcname=0x0) at astobj2.c:685
685 match &= cb_default(EXTERNAL_OBJ(cur->astobj), arg, flags);
(gdb) frame 15
#15 0x0807ccca in __ao2_callback (c=0x9f65990, flags=7, cb_fn=0x1bc0480 <dialog_needdestroy>, arg=0xb7b97348) at astobj2.c:774
774 return internal_ao2_callback(c,flags, cb_fn, arg, NULL, DEFAULT, NULL, NULL, 0, NULL);
(gdb) frame 16
#16 0x01c03d16 in do_monitor (data=0x0) at chan_sip.c:23482
23482 ao2_t_callback(dialogs, OBJ_UNLINK | OBJ_NODATA | OBJ_MULTIPLE, dialog_needdestroy, &t,
(gdb) frame 17
#17 0x0815999b in dummy_start (data=0x9f6b990) at utils.c:968
968 ret = a.start_routine(a.data);
(gdb) frame 18
#18 0x0063a5ab in start_thread () from /lib/libpthread.so.0
(gdb) frame 19
#19 0x00590cfe in clone () from /lib/libc.so.6 | ||
Comments: | By: J.W.F. Thirion (thirionjwf) 2009-11-16 10:13:41.000-0600

Please ignore this. The bug appears to be inside a third party library that I used, which caused a buffer overrun. Please close this issue.

By: Leif Madsen (lmadsen) 2009-11-16 10:19:34.000-0600

Thanks for reporting back! |
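Added example, not part of the original ticket and not Asterisk or UniMRCP code: the reporter attributed the abort to a buffer overrun in a third-party library, while glibc reported the damage only at a later free() call. The sketch below shows a guard-byte allocator that pins such an overrun to the damaged buffer when it is released; `guarded_alloc`, `guarded_check`, `guarded_free` and `hypothetical_lib_fill` are hypothetical names, and the overrunning routine is constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define GUARD_LEN 8
static const unsigned char GUARD[GUARD_LEN] = {0xDE,0xAD,0xC0,0xDE,0xDE,0xAD,0xC0,0xDE};
struct guard_hdr { size_t size; };  /* stored in front of the payload */

/* Allocate `size` usable bytes followed by a guard pattern. */
void *guarded_alloc(size_t size) {
    struct guard_hdr *h = malloc(sizeof(*h) + size + GUARD_LEN);
    if (!h) return NULL;
    h->size = size;
    memcpy((unsigned char *)(h + 1) + size, GUARD, GUARD_LEN);
    return h + 1;
}

/* Count guard bytes that no longer match (0 means intact). */
int guarded_check(const void *ptr) {
    const struct guard_hdr *h = (const struct guard_hdr *)ptr - 1;
    const unsigned char *tail = (const unsigned char *)ptr + h->size;
    int damaged = 0;
    for (int i = 0; i < GUARD_LEN; i++)
        damaged += (tail[i] != GUARD[i]);
    return damaged;
}

/* Verify the guard, then release the block; returns the damage count. */
int guarded_free(void *ptr) {
    int damaged = guarded_check(ptr);
    free((struct guard_hdr *)ptr - 1);
    return damaged;
}

/* Constructed stand-in for a library routine that writes `extra` bytes too many. */
void hypothetical_lib_fill(unsigned char *buf, size_t len, size_t extra) {
    memset(buf, 'A', len + extra);
}

/* Overrun a 16-byte buffer by `extra` (<= GUARD_LEN) bytes; report at free time. */
int demo_overrun(size_t extra) {
    unsigned char *buf = guarded_alloc(16);
    if (!buf) return -1;
    hypothetical_lib_fill(buf, 16, extra);
    return guarded_free(buf);
}

int main(void) {
    printf("clean: %d, overrun by 3: %d\n", demo_overrun(0), demo_overrun(3));
}
```

The demonstration keeps the overrun within the guard area so the program itself stays well-defined; a larger overrun would damage allocator metadata in the way the glibc message in the ticket reports.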