** FIRST CRASH ** (gdb) back #0 0x00007f869688de2c in ?? () from /lib/libc.so.6 #1 0x00007f869688f7e8 in calloc () from /lib/libc.so.6 #2 0x00000000004a3f13 in ast_log (level=, file=0x537684 "astobj2.c", line=321, function=0x537861 "__ao2_ref", fmt=0x5376ff "refcount %d on object %p\n") at /usr/src/asterisk-1.6.2.16.1/include/asterisk/utils.h:462 #3 0x0000000000439bf8 in __ao2_ref (user_data=0x17920a8, delta=) at astobj2.c:321 #4 0x00007f8690c141f4 in __sip_autodestruct (data=) at chan_sip.c:1770 #5 0x00000000004f5875 in ast_sched_runq (con=0x174e8a0) at sched.c:621 #6 0x00007f8690c26890 in do_monitor (data=) at chan_sip.c:22789 #7 0x0000000000507c0c in dummy_start (data=) at utils.c:967 #8 0x00007f86960a2fc7 in start_thread () from /lib/libpthread.so.0 #9 0x00007f86968e764d in clone () from /lib/libc.so.6 #10 0x0000000000000000 in ?? () /* this case must never happen */ if (current_value < 0) ast_log(LOG_ERROR, "refcount %d on object %p\n", current_value, user_data); ** SECOND CRASH ** (gdb) bt #0 0x00007fe13a144e2c in ?? () from /lib/libc.so.6 #1 0x00007fe13a1467e8 in calloc () from /lib/libc.so.6 #2 0x00000000004a3f13 in ast_log (level=, file=0x5618ac "utils.c", line=1535, function=0x5619d0 "__ast_string_field_init", fmt=0x561959 "trying to reset empty pool\n") at /usr/src/asterisk-1.6.2.16.1/include/asterisk/utils.h:462 #3 0x00000000005094b1 in __ast_string_field_init (mgr=0x2b2d9a0, pool_head=0x2b2d858, needed=, file=, lineno=, func=0x1f

) at utils.c:1541 #4 0x00007fe1344ad624 in __sip_destroy (p=0x2b2d848, lockowner=, lockdialoglist=) at chan_sip.c:5682 #5 0x0000000000439baa in __ao2_ref (user_data=0x2b2d848, delta=4752) at astobj2.c:325 #6 0x00007fe1344cb1f4 in __sip_autodestruct (data=) at chan_sip.c:1770 #7 0x00000000004f5875 in ast_sched_runq (con=0x2af5ac0) at sched.c:621 #8 0x00007fe1344dd890 in do_monitor (data=) at chan_sip.c:22789 #9 0x0000000000507c0c in dummy_start (data=) at utils.c:967 #10 0x00007fe139959fc7 in start_thread () from /lib/libpthread.so.0 #11 0x00007fe13a19e64d in clone () from /lib/libc.so.6 #12 0x0000000000000000 in ?? () (gdb) up #3 0x00000000005094b1 in __ast_string_field_init (mgr=0x2b2d9a0, pool_head=0x2b2d858, needed=, file=, lineno=, func=0x1f

) at utils.c:1541 1541 ast_log(LOG_WARNING, "trying to reset empty pool\n"); (gdb) list 1536 return -1; 1537 } 1538 cur = *pool_head; 1539 } else { /* preserve the last pool */ 1540 if (*pool_head == NULL) { 1541 ast_log(LOG_WARNING, "trying to reset empty pool\n"); 1542 return -1; 1543 } 1544 mgr->used = 0; 1545 preserve = *pool_head; ** THIRD CRASH (on clean 1.6.2.16.1 + rgagnon 17255 patch) ** same as first: 319 /* this case must never happen */ 320 if (current_value < 0) 321 ast_log(LOG_ERROR, "refcount %d on object %p\n", current_value, user_data); (gdb) print ret $4 = 0 and delta is -1, as it's called as: (gdb) up #4 0x00007f79da5661f4 in __sip_autodestruct (data=) at chan_sip.c:1770 1770 ao2_ref(p, -1); (gdb) print *p $5 = {next = 0x0, invitestate = INV_NONE, method = 2, __field_mgr_pool = 0x0, callid = 0x561920 "", randdata = 0x561920 "", accountcode = 0x561920 "", realm = 0x561920 "", nonce = 0x561920 "", opaque = 0x561920 "", qop = 0x561920 "", domain = 0x561920 "", from = 0x561920 "", useragent = 0x561920 "", exten = 0x561920 "", context = 0x561920 "", subscribecontext = 0x561920 "", subscribeuri = 0x561920 "", fromdomain = 0x561920 "", fromuser = 0x561920 "", fromname = 0x561920 "", tohost = 0x561920 "", todnid = 0x561920 "", language = 0x561920 "", mohinterpret = 0x561920 "", mohsuggest = 0x561920 "", rdnis = 0x561920 "", redircause = 0x561920 "", theirtag = 0x561920 "", username = 0x561920 "", peername = 0x561920 "", authname = 0x561920 "", uri = 0x561920 "", okcontacturi = 0x561920 "", peersecret = 0x561920 "", peermd5secret = 0x561920 "", cid_num = 0x561920 "", cid_name = 0x561920 "", fullcontact = 0x561920 "", our_contact = 0x561920 "", rpid = 0x561920 "", rpid_from = 0x561920 "", url = 0x561920 "", parkinglot = 0x561920 "", __field_mgr = {size = 512, used = 270, last_alloc = 0x0}, via = "SIP/2.0/UDP 91.194.225.103:5060;branch=z9hG4bK524f1dc5;rport", '\0' , socket = {type = SIP_TRANSPORT_UDP, fd = -1, port = 50195, tcptls_session = 0x0}, ocseq = 103, icseq = 0, callgroup = 0, pickupgroup = 0, lastinvite = 0, flags = {{flags = 790529}, {flags = 1075839232}}, do_history = 0 '\0', alreadygone = 0 '\0', needdestroy = 0 '\0', outgoing_call = 0 '\0', answered_elsewhere = 0 '\0', novideo = 0 '\0', notext = 0 '\0', timer_t1 = 500, timer_b = 32000, sipoptions = 0, reqsipoptions = 0, prefs = {order = "\004\t", '\0' , framing = "\024\024", '\0' }, capability = 264, jointcapability = 0, peercapability = 0, prefcodec = 0, noncodeccapability = 1, jointnoncodeccapability = 0, redircodecs = 0, maxcallbitrate = 0, t38_maxdatagram = 0, outboundproxy = 0x0, t38 = {state = T38_DISABLED, our_parms = {request_response = 0, version = 0, max_ifp = 0, rate = AST_T38_RATE_2400, rate_management = AST_T38_RATE_MANAGEMENT_TRANSFERRED_TCF, fill_bit_removal = 0, transcoding_mmr = 0, transcoding_jbig = 0}, their_parms = {request_response = 0, version = 0, max_ifp = 0, rate = AST_T38_RATE_2400, rate_management = AST_T38_RATE_MANAGEMENT_TRANSFERRED_TCF, fill_bit_removal = 0, transcoding_mmr = 0, transcoding_jbig = 0}}, udptlredirip = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, udptl = 0x0, callingpres = 0, authtries = 0, expiry = 0, branch = 1380916677, invite_branch = 0, tag = "as27961d53", sessionid = 0, sessionversion = 0, sessionversion_remote = -1, session_modify = 1, portinuri = 0, sa = {sin_family = 2, sin_port = 50195, sin_addr = {s_addr = 1354765785}, sin_zero = "\000\000\000\000\000\000\000"}, redirip = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, vredirip = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, tredirip = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, lastrtprx = 0, lastrtptx = 0, rtptimeout = 0, recv = {sin_family = 2, sin_port = 50195, sin_addr = {s_addr = 1354765785}, sin_zero = "\000\000\000\000\000\000\000"}, ourip = { sin_family = 2, sin_port = 50195, sin_addr = {s_addr = 1742848603}, sin_zero = "\000\000\000\000\000\000\000"}, owner = 0x0, route = 0x0, route_persistant = 0, notify_headers = 0x0, peerauth = 0x0, noncecount = 1, stalenonce = 0, lastmsg = '\0' , amaflags = 0, pendinginvite = 0, glareinvite = 0, initreq = {rlPart1 = 0, rlPart2 = 9, len = 549, headers = 11, method = 2, lines = 0, sdp_start = 0, sdp_count = 0, debug = 0 '\0', has_to_tag = 0 '\0', ignore = 0 '\0', header = {0, 38, 105, 123, 177, 214, 267, 287, 324, 494, 508, 549, 0 }, line = {549, 0 }, data = 0x0, content = 0x0, socket = {type = 0, fd = 0, port = 0, tcptls_session = 0x0}, next = {next = 0x0}}, initid = -1, waitid = -1, autokillid = -1, t38id = -1, allowtransfer = TRANSFER_OPENFORALL, refer = 0x0, subscribed = NONE, stateid = -1, laststate = 0, dialogver = 0, dsp = 0x0, relatedpeer = 0x0, registry = 0x0, rtp = 0x0, vrtp = 0x0, trtp = 0x0, packets = 0x0, history = 0x0, history_entries = 0, chanvars = 0x0, request_queue = {first = 0x0, last = 0x0}, request_queue_sched_id = -1, provisional_keepalive_sched_id = -1, last_provisional = 0x0, options = 0x0, autoframing = 0, stimer = 0x0, red = 0, hangupcause = 0, mwi = 0x0, offered_media = {{offered = 0, text = '\0' }, {offered = 0, text = '\0' }, {offered = 0, text = '\0' }, {offered = 0, text = '\0' }}}