[asterisk-bugs] [Asterisk 0010765]: Crash with "Segmentation fault" in zap internal timers processing
noreply at bugs.digium.com
Thu Sep 20 01:58:42 CDT 2007
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=10765
======================================================================
Reported By: Ivan
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 10765
Category: Channels/chan_zap
Reproducibility: random
Severity: major
Priority: normal
Status: new
Asterisk Version: 1.4.11
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 09-20-2007 01:32 CDT
Last Modified: 09-20-2007 01:58 CDT
======================================================================
Summary: Crash with "Segmentation fault" in zap internal
timers processing
Description:
Seems like a "race condition" effect in channel.c (2255) - the "chan"
object is no longer accessible in the method generator_force at line:
1847 generate = chan->generator->generate;
======================================================================
----------------------------------------------------------------------
Ivan - 09-20-07 01:58
----------------------------------------------------------------------
I think that in <channel.c> code:
2251 /* save a copy of func/data before unlocking the channel */
2252 int (*func)(void *) = chan->timingfunc;
2253 void *data = chan->timingdata;
2254 ast_channel_unlock(chan);
2255 func(data);
actually calls this <channel.c> code:
1838 static int generator_force(void *data)
1839{
1840 /* Called if generator doesn't have data */
1841 void *tmp;
1842 int res;
1843 int (*generate)(struct ast_channel *chan, void *tmp, int datalen, int samples);
1844 struct ast_channel *chan = data;
1845 tmp = chan->generatordata;
1846 chan->generatordata = NULL;
1847 generate = chan->generator->generate;
1848 res = generate(chan, tmp, 0, 160);
1849 chan->generatordata = tmp;
1850 if (res) {
1851 if (option_debug)
1852 ast_log(LOG_DEBUG, "Auto-deactivating generator\n");
1853 ast_deactivate_generator(chan);
1854 }
1855 return 0;
1856}
If we consider that the timer is set like "ast_settimeout(chan, 160,
generator_force, chan);", we come to the conclusion that in <channel.c>:
2251 /* save a copy of func/data before unlocking the channel */
2252 int (*func)(void *) = chan->timingfunc;
2253 void *data = chan->timingdata;
2254 ast_channel_unlock(chan);
2255 func(data);
must be replaced with this:
2251 /* save a copy of func/data before unlocking the channel */
2252 int (*func)(void *) = chan->timingfunc;
2253 void *data = chan->timingdata;
2255 func(data);
2254 ast_channel_unlock(chan);
Or another solution which will guarantee the safety of the "chan" object.
Issue History
Date Modified Username Field Change
======================================================================
09-20-07 01:58 Ivan Note Added: 0070824
======================================================================
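
One way to keep an object alive while a timer callback runs after the unlock, as an added illustration that is neither Asterisk code nor the project's fix: a reference is taken under the lock before the lock is released. `struct chan`, `chan_new`, `chan_unref`, `run_timer` and `hangup_then_use` are hypothetical names, and the hangup inside the callback is constructed to make the race window deterministic.

```c
#include <pthread.h>
#include <stdlib.h>
/* Hypothetical stand-in for struct ast_channel; every name here is illustrative. */
struct chan {
    pthread_mutex_t lock;
    int refs;                          /* protected by lock */
    int (*timingfunc)(void *);
    void *timingdata;
    int ticks;
};
int destroyed;                         /* channels actually freed */

struct chan *chan_new(int (*func)(void *)) {
    struct chan *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    pthread_mutex_init(&c->lock, NULL);
    c->refs = 1;                       /* owner's reference */
    c->timingfunc = func;
    c->timingdata = c;                 /* callback data is the channel itself */
    return c;
}

/* Drop one reference; whoever drops the last one frees the object. */
void chan_unref(struct chan *c) {
    pthread_mutex_lock(&c->lock);
    int left = --c->refs;
    pthread_mutex_unlock(&c->lock);
    if (left) return;
    pthread_mutex_destroy(&c->lock);
    free(c);
    destroyed++;
}

/* Timer dispatch: copy func/data and take a reference while still locked. */
int run_timer(struct chan *c) {
    pthread_mutex_lock(&c->lock);
    int (*func)(void *) = c->timingfunc;
    void *data = c->timingdata;
    c->refs++;                         /* pin before unlocking */
    pthread_mutex_unlock(&c->lock);
    int res = func ? func(data) : 0;   /* runs unlocked, object cannot vanish */
    chan_unref(c);                     /* may be the final reference */
    return res;
}

/* Constructed callback: the owner hangs up mid-callback, then chan is used. */
int hangup_then_use(void *data) {
    struct chan *c = data;
    chan_unref(c);                     /* simulates the owner's hangup */
    return ++c->ticks;                 /* valid only because run_timer pinned c */
}
```

Without the `c->refs++` in `run_timer`, the `chan_unref` inside the callback would free the object and the following `c->ticks` access would touch freed memory.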