[asterisk-bugs] [Asterisk 0010936]: Crash in ast_queue_frame

noreply at bugs.digium.com noreply at bugs.digium.com
Wed Oct 10 13:24:15 CDT 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=10936 
====================================================================== 
Reported By:                ChaseVenters
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   10936
Category:                   Channels/chan_local
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     new
Asterisk Version:           1.4.12.1  
SVN Branch (only for SVN checkouts, not tarball releases): N/A  
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             10-10-2007 12:38 CDT
Last Modified:              10-10-2007 13:24 CDT
====================================================================== 
Summary:                    Crash in ast_queue_frame
Description: 
We've been getting this crash randomly with a frequency of one every day or
two (sometimes, two in one day). We first saw this problem in 1.4.6, and we
switched to 1.4.11, then 1.4.12.1 to see if the problem might have been
fixed. On 1.4.12.1, we still have the problem.

This appears to be related to an issue,
http://bugs.digium.com/view.php?id=0009694, that was reported in
May, then closed in August due to a lack of further information. That
reporter claims disabling compiler optimizations made his problem go away,
but that sounds like he just changed the timing of his race condition.

What further information can I provide?
====================================================================== 

---------------------------------------------------------------------- 
 ChaseVenters - 10-10-07 13:24  
---------------------------------------------------------------------- 
This might be helpful as well:

(gdb) frame 0
#0  0x0807c249 in ast_queue_frame (chan=0xa109f58, fin=0xa1f18ac) at channel.c:934
934             AST_LIST_INSERT_TAIL(&chan->readq, f, frame_list);
(gdb) print chan->readq
$1 = {first = 0xb6e18960, last = 0x0}

The macro is:

#define AST_LIST_INSERT_TAIL(head, elm, field) do {                     \
      if (!(head)->first) {                                             \
                (head)->first = (elm);                                  \
                (head)->last = (elm);                                   \
      } else {                                                          \
                (head)->last->field.next = (elm);                       \
                (head)->last = (elm);                                   \
      }                                                                 \
} while (0)

So we're probably blowing up on:

                (head)->last->field.next = (elm);                       \

trying to manipulate a corrupted linked list. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
10-10-07 13:24  ChaseVenters   Note Added: 0071781                          
======================================================================
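
As an added illustration (not code from Asterisk or from the reporter): a consistency check for the list head that flags the state shown in the gdb output, first set and last NULL, before AST_LIST_INSERT_TAIL dereferences last. The struct frame and struct readq types and the readq_check and checked_insert_tail helpers are hypothetical stand-ins; only the macro is taken from the note above.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical stand-ins for the frame and list-head types. */
struct frame { int id; struct { struct frame *next; } frame_list; };
struct readq { struct frame *first, *last; };

/* The macro as quoted in the note above. */
#define AST_LIST_INSERT_TAIL(head, elm, field) do {                     \
      if (!(head)->first) {                                             \
                (head)->first = (elm);                                  \
                (head)->last = (elm);                                   \
      } else {                                                          \
                (head)->last->field.next = (elm);                       \
                (head)->last = (elm);                                   \
      }                                                                 \
} while (0)

enum q_state { Q_OK, Q_HEAD_MISMATCH, Q_LAST_NOT_TAIL, Q_TOO_LONG };

/* Check the invariants the macro relies on; max bounds the walk so a
 * cycle in a corrupted list cannot hang the checker. */
enum q_state readq_check(const struct readq *q, size_t max)
{
    const struct frame *f = q->first;
    if (!q->first && !q->last) return Q_OK;               /* empty list */
    if (!q->first || !q->last) return Q_HEAD_MISMATCH;    /* the gdb state */
    for (size_t n = 0; f->frame_list.next; f = f->frame_list.next)
        if (++n >= max) return Q_TOO_LONG;
    return f == q->last ? Q_OK : Q_LAST_NOT_TAIL;
}

/* Insert only when the head is consistent; returns the state found. */
enum q_state checked_insert_tail(struct readq *q, struct frame *f)
{
    enum q_state s = readq_check(q, 4096);
    f->frame_list.next = NULL;
    if (s == Q_OK)
        AST_LIST_INSERT_TAIL(q, f, frame_list);
    return s;
}

int main(void)
{
    struct frame a = {1, {NULL}}, b = {2, {NULL}}, c = {3, {NULL}};
    struct readq q = {NULL, NULL};
    checked_insert_tail(&q, &a);
    checked_insert_tail(&q, &b);
    q.last = NULL;   /* constructed: first != NULL, last == NULL */
    printf("state=%d\n", checked_insert_tail(&q, &c));
    return 0;
}
```

A check like this only turns the crash into a diagnosable error at the point of insertion; it does not address whatever left the head inconsistent.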



