
Summary: ASTERISK-15606: [patch] segfault in pri_schedule_del at prisched.c:124
Reporter: Jens von Bülow (jensvb)
Labels:
Date Opened: 2010-02-11 04:28:16.000-0600
Date Closed: 2011-06-07 14:01:08
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_dahdi
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) bug16806.diff.txt
( 1) core.1121.zip
( 2) core.17546.zip
Description:
Hi,

I experienced a crash of asterisk 1.6.0.3 in libpri today...

Thanks & Regards
Jens



****** ADDITIONAL INFORMATION ******

<snip>
(gdb) bt full
#0  0x00002aaab605e8c9 in pri_schedule_del (pri=0x14ffffffff, id=2) at prisched.c:124
No locals.
#1  0x00002aaab60663a2 in q931_release (pri=0x773d650, c=0x762ff90, cause=16) at q931.c:2976
       __PRETTY_FUNCTION__ = "q931_release"
#2  0x00002aaab6066013 in pri_disconnect_timeout (data=0x762ff90) at q931.c:2929
       c = (struct q931_call *) 0x762ff90
       pri = (struct pri *) 0x773d650
#3  0x00002aaab605e845 in __pri_schedule_run (pri=0x2aaaac1f9000, tv=0x418da960) at prisched.c:106
       x = 2
       callback = (void (*)(void *)) 0x2aaab6065fb1 <pri_disconnect_timeout>
       data = (void *) 0x762ff90
       e = (pri_event *) 0x360a68bf9d
#4  0x00002aaab605e8a6 in pri_schedule_run (pri=0x2aaaac1f9000) at prisched.c:118
       tv = {tv_sec = 1265875339, tv_usec = 225529}
#5  0x00002aaab5bc4c59 in pri_dchannel (vpri=0x2aaab5decc00) at chan_dahdi.c:10403
       pri = (struct dahdi_pri *) 0x2aaab5decc00
       e = (pri_event *) 0x0
       fds = {{fd = 374, events = 3, revents = 0}, {fd = 5775448, events = 0, revents = 0}, {fd = 3656, events = 0,
   revents = 0}, {fd = 0, events = 0, revents = 0}}
       res = 0
       chanpos = 15
       x = 5
       haveidles = 0
       activeidles = 0
       nextidle = -1
       c = (struct ast_channel *) 0x7630e20
       tv = {tv_sec = 0, tv_usec = 0}
       lowest = {tv_sec = 0, tv_usec = 0}
       next = (struct timeval *) 0x2aaaac1f9070
       lastidle = {tv_sec = 1259565878, tv_usec = 923152}
       doidling = 0
       cc = 0x7441850 "@?\215A"
       idlen = "\020?\215A\000\000\000\000@\030D\a\000\000\000\000?\027\000\000\000\000\000\000?)\225\n6\000\000\000H\016\000\000\000\000\000\000?Ig\n6\000\000\000H*\225\n6", '\0' <repeats 11 times>, "\020?\215A", '\0' <repeats 11 times>
       idle = (struct ast_channel *) 0x418dafa0
       p = 232105781728
       t = 1265875339
       i = 1
       which = 0
---Type <return> to continue, or q <return> to quit---
       numdchans = 1
       cause = 0
       crv = (struct dahdi_pvt *) 0x0
       threadid = 0
       ani2str = "0\000\000\000\000"
       plancallingnum = '\0' <repeats 120 times>, "p\016\000\000\000\000\000\000H*\225\n6\000\000\000 ?\215A", '\0' <repeats 12 times>, "Q\016\000\000\000\000\000\000H\016\000\000\000\000\000\0009\000\000\000\000\000\000\000\a", '\0' <repeats 75 times>, "b\000\000"
       plancallingani = '\0' <repeats 255 times>
       calledtonstr = "\000\000\000\000\000\000\000\000\000"
       __PRETTY_FUNCTION__ = "pri_dchannel"
       __FUNCTION__ = "pri_dchannel"
#6  0x000000000051b2ba in dummy_start (data=0x2aaaac021fb0) at utils.c:917
       __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {0, -1595106401237809352, 0, 1099808768, 0, 4096,
       -1595106401237809656, -1595106402322823277}, __mask_was_saved = 0}}, __pad = {0x418db1a0, 0x0, 0x0, 0x0}}
       __cancel_routine = (void (*)(void *)) 0x43000f <ast_unregister_thread>
       __cancel_arg = (void *) 0x418db940
       not_first_call = 0
       ret = (void *) 0x0
       a = {start_routine = 0x2aaab5bc3fc9 <pri_dchannel>, data = 0x2aaab5decc00,
 name = 0x2aaaac021e20 "pri_dchannel         started at [11413] chan_dahdi.c start_pri()"}
       lock_info = (struct thr_lock_info *) 0x7441850
       mutex_attr = {__size = "\001\000\000", __align = 1}
#7  0x000000360ae064a7 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#8  0x000000360a6d3c2d in clone () from /lib64/libc.so.6
No symbol table info available.
(gdb)
</snip>
Comments:
By: Leif Madsen (lmadsen) 2010-02-17 13:33:09.000-0600

I'm not sure what we're going to be able to do here. You're using Asterisk 1.6.0.3, and Asterisk 1.6.0.23-rc2 is currently in testing.

Also, you haven't provided which version of libPRI you're using.

By: Jens von Bülow (jensvb) 2010-02-17 22:45:57.000-0600

>> Also, you haven't provided which version of libPRI you're using

asterisk-1.6.0.3
asterisk-addons-1.6.0.1
dahdi-linux-complete-2.1.0.3+2.1.0.2
libpri-1.4.9

(since the crash I put on my cowboy boots and upgraded to the latest version of everything - if the crash is not glaringly evident in the core dump then I suggest you close this call)

By: Jens von Bülow (jensvb) 2010-02-23 13:03:53.000-0600

Hi All, I experienced the crash again tonight...

By: Jens von Bülow (jensvb) 2010-02-23 13:06:55.000-0600

Sorry, this time with (after an upgrade)

dahdi-linux-complete-2.2.0.2+2.2.0
libpri-1.4.10.2
asterisk-1.6.0.22
asterisk-addons-1.6.0.4

By: Alec Davis (alecdavis) 2010-02-24 02:34:48.000-0600

From your debug trace, 'id' is a negative value:

Thread 1 (process 1121):
#0  0x00002aaab7ed28c9 in pri_schedule_del (pri=0x17ad0a3840, id=-1391834784) at prisched.c:124

Please try bug16806.diff.txt; this should prevent the segfault, but why 'id' is negative still needs to be determined.

By: Alec Davis (alecdavis) 2010-02-24 03:32:43.000-0600

Looking further into your debug, the 'pri' pointer changes between q921_transmit_iframe and pri_schedule_del; not sure why?

#0  0x00002aaab7ed28c9 in pri_schedule_del (pri=0x17ad0a3840, id=-1391834784) at prisched.c:124
No locals.
#1  0x00002aaab7ed037f in q921_transmit_iframe (pri=0x2aaaad0a3840, buf=0x4446ecb0, len=9, cr=1) at q921.c:536
f = (q921_frame *) 0x2aaac8084050
prev = (q921_frame *) 0x0
#2  0x00002aaab7ed92f7 in q931_xmit (pri=0x2aaaad0a3840, h=0x4446ecb0, len=9, cr=1) at q931.c:2617

By: Jens von Bülow (jensvb) 2010-02-24 03:42:22.000-0600

Thanks for the effort - I really appreciate it.

I will apply the patch tonight and do some testing to see if I can make it fail (up to now, it has been a waiting game)

If there is anything I can do to help, please let me know.

By: Alec Davis (alecdavis) 2010-02-24 03:51:48.000-0600

The patch makes pri_schedule_del behave closer to the way trunk does.

Regarding the 'pri' pointer changing, it does so because of the search for pri->master in pri_schedule_del.
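
The failure mode discussed in this comment and the one before it, as an added C example that is not libpri's code and not the attached patch: a constructed timer table whose delete walks to the master span, shown once in a weak form that logs a bad id but still writes through it, and once in a hardened form that rejects the id before indexing. The struct layout, MAX_SCHED, and all function names are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed model of a libpri-style timer table (names and size are
 * assumptions for this example, not libpri's own definitions). */
#define MAX_SCHED 4
struct sched_entry { void (*callback)(void *data); void *data; };
struct pri { struct pri *master; /* NULL on the master span */ struct sched_entry sched[MAX_SCHED]; };
static void dummy_cb(void *data) { (void)data; }

/* The delete walks to the master span first, which is why the 'pri' seen in
 * frame #0 differs from the one the caller passed in. */
static struct pri *find_master(struct pri *p) { while (p->master) p = p->master; return p; }

/* Weak form: the range check only logs, and the indexed write still runs, so a
 * negative id such as -1391834784 writes far outside the array and crashes. */
void sched_del_weak(struct pri *pri, int id)
{
    pri = find_master(pri);
    if (id < 0 || id >= MAX_SCHED)
        fprintf(stderr, "Asked to delete sched id %d???\n", id);
    pri->sched[id].callback = NULL;  /* out-of-bounds write for a bad id */
}

/* Hardened form: reject an out-of-range id before it is ever used as an index
 * and report the failure to the caller instead of logging and writing anyway. */
int sched_del_safe(struct pri *pri, int id)
{
    if (id < 0 || id >= MAX_SCHED) {
        fprintf(stderr, "Asked to delete sched id %d, ignored\n", id);
        return -1;
    }
    pri = find_master(pri);
    pri->sched[id].callback = NULL;
    pri->sched[id].data = NULL;
    return 0;
}

/* Arm two timers on the master, delete one through a slave span, then feed the
 * hardened delete the negative id from core.1121; returns timers still armed (1). */
int demo(void)
{
    struct pri master = {0}, slave = {0};
    int i, armed = 0;
    slave.master = &master;
    master.sched[0].callback = master.sched[2].callback = dummy_cb;
    if (sched_del_safe(&slave, 2) != 0) return -1;            /* valid id, via slave */
    if (sched_del_safe(&slave, -1391834784) != -1) return -2; /* rejected, no write */
    for (i = 0; i < MAX_SCHED; i++)
        armed += master.sched[i].callback != NULL;
    return armed;
}
```

Deleting through the slave clears the entry on the master, which is the pointer change Alec describes; the negative id is refused before any index is formed, which is what the attached patch is meant to guarantee.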

By: Jens von Bülow (jensvb) 2010-02-24 04:14:28.000-0600

Thanks. I will apply tonight.

Any idea why id is negative?

By: Alec Davis (alecdavis) 2010-06-12 05:17:48

fixed in trunk

Closed due to lack of activity.