Summary: ASTERISK-26166: res_pjsip_pubsub: Crash when decrementing reference count of message
Reporter: Ross Beer (rossbeer)
Labels:
Date Opened: 2016-06-30 07:23:56
Date Closed: 2016-09-01 09:41:53
Versions: 13.9.1 13.10.0-rc1
Frequency of
duplicates ASTERISK-26199 PJSIP: tx_data_destroy called twice
is duplicated by ASTERISK-26174 res_pjsip: Crash when freeing cloned message in distributor
Environment: Fedora Server 23 / CentOS 7
Attachments:
( 0) backtrace_2016-06-30T11_30_41_CLEAN.txt
( 1) backtrace-2016-07-12T12_12_21_CLEAN.txt
( 2) backtrace-2016-07-14.txt
( 3) core_dump_output_2016-07-11_1047.txt
Description: Segfault in "0  pj_atomic_dec_and_get (atomic_var=0x352e3735312e3733) at ../src/pj/os_core_unix.c:962"

This fault ticket was requested by George Joseph and is a similar issue to a previous patch ASTERISK-26099.
Comments:

By: Asterisk Team (asteriskteam) 2016-06-30 07:23:56.808-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Ross Beer (rossbeer) 2016-07-11 04:55:31.826-0500

Additional Output

By: Ross Beer (rossbeer) 2016-07-12 06:26:19.914-0500

This issue is causing many crashes on multiple boxes, please help!

By: Ross Beer (rossbeer) 2016-07-13 03:51:51.711-0500

I have tried using the bundled pjsip with the same results:

{NOFORMAT}
Stack trace of thread 7827:
#0  0x00007f9133582b29 pj_atomic_dec_and_get (libpj.so.2)
#1  0x00007f9139265b30 pjsip_tx_data_dec_ref (libpjsip.so.2)
#2  0x00007f9139270f07 tsx_shutdown (libpjsip.so.2)
#3  0x00007f9139271141 tsx_set_state (libpjsip.so.2)
#4  0x00007f91392711ca tsx_on_state_terminated (libpjsip.so.2)
#5  0x00007f9139271227 tsx_timer_callback (libpjsip.so.2)
#6  0x00007f91335913b7 pj_timer_heap_poll (libpj.so.2)
#7  0x00007f9139260c3b pjsip_endpt_handle_events2 (libpjsip.so.2)
#8  0x00007f9131ae2638 n/a (/usr/lib64/asterisk/modules/res_pjsip.so (deleted))
{NOFORMAT}

By: Ross Beer (rossbeer) 2016-07-21 06:45:20.623-0500

A patch is currently up for review on this issue: https://gerrit.asterisk.org/#/c/3254/

By: Malcolm Davenport (mdavenport) 2016-09-01 09:41:53.590-0500