[asterisk-bugs] [Asterisk 0014060]: [patch] Asterisk crashes using the app_queue.c transfer datastores

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Dec 11 07:35:05 CST 2008


The following issue has been UPDATED. 
====================================================================== 
http://bugs.digium.com/view.php?id=14060 
====================================================================== 
Reported By:                nivek
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   14060
Category:                   Applications/app_queue
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     new
Asterisk Version:           1.4.22 
SVN Branch (only for SVN checkouts, not tarball releases):  1.4  
SVN Revision (number only!): 162994 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-12-11 07:33 CST
Last Modified:              2008-12-11 07:35 CST
====================================================================== 
Summary:                    [patch] Asterisk crashes using the app_queue.c
transfer datastores
Description: 
When Asterisk crashes and we analyze the dump, Asterisk always crashes in
main/channel.c at line 3562 of 1.4 SVN, which the dump trace shows as:
    if (ds->info->chan_fixup)

After a lot of debugging statements, we have found that right after the
return from queue_transfer_fixup() it crashes on the above statement.

Variable ds seems to have a value, but ds->info and ds->info->chan_fixup
come back as undefined.

Looking at the code, we believe (Marquis and I are colleagues) the
ast_channel_datastore_free in the queue_transfer_fixup is causing the
grief.

If I understand the code flow correctly, the ast_channel_datastore_remove
unlinks the datastore from the linked list but the datastore still retains
its values to point to the next data structure in the linked list.  The
ast_channel_datastore_free, of course, adds the datastore allocated memory
back into the heap for it to be allocated again.  We believe that the
memory added back to the heap gets reallocated to another process and
causes the crash.

This crash is very random.  It has happened once a day for three days, then
not again for a week.  Crashes have happened within 15 minutes of each other
on one day.  Sometimes it took a week or so to happen.

I have included a patch to 1.4-SVN that we have used for a little over a
month now without a crash (knock on wood).  The patch also includes a
change to the time parameter passing and calculations that were using 'int'
instead of 'long'.  We elected to use 'time_t' so that it would be more
portable in case 'time_t' ever changed.  This is your call on that.


====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-12-11 07:35 nivek          Summary                  Asterisk crashes using
the app_queue.c transfer datastores => [patch] Asterisk crashes using the
app_queue.c transfer datastores
======================================================================
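The failure mode the report describes (a chan_fixup callback that removes and frees its own datastore while the channel.c traversal still holds a pointer to it), as an added example in a constructed, simplified model. This is not Asterisk's code and not the attached patch: struct names, g_chan, fixup_unsafe, fixup_safe and run_scenario are hypothetical, and a 'freed' tombstone flag stands in for free() so the stale access is deterministic instead of the random crash the reporter saw. Snapshotting the next pointer before invoking the callback is one way to make the traversal tolerate a self-freeing callback; whether the real fix belongs there or in the callback is the question the report raises.

```c
#include <stddef.h>
/* Constructed, simplified model of a channel's datastore list (not Asterisk's code). */
struct datastore;
struct datastore_info { void (*chan_fixup)(struct datastore *ds); }; /* callback may free ds */
struct datastore { const struct datastore_info *info; struct datastore *next; int freed; };
/* 'freed' is a tombstone standing in for free(), so a stale access is observable and deterministic. */
struct channel { struct datastore *head; };
static struct channel *g_chan; /* channel the fixup callback unlinks from */

/* Stand-ins for datastore remove/free: unlink the node, then mark it dead. */
static void remove_ds(struct channel *chan, struct datastore *target) {
    for (struct datastore **pp = &chan->head; *pp; pp = &(*pp)->next)
        if (*pp == target) { *pp = target->next; return; }
}
static void free_ds(struct datastore *ds) { ds->freed = 1; ds->info = NULL; }
/* Fixup callback that, as the report describes, removes and frees its own datastore. */
static void transfer_fixup(struct datastore *ds) { remove_ds(g_chan, ds); free_ds(ds); }

/* Traversal that touches ds after the callback returns: -1 where real code would read freed memory. */
static int fixup_unsafe(struct channel *chan) {
    for (struct datastore *ds = chan->head; ds; ds = ds->next) { /* ds->next read from dead node */
        if (ds->info->chan_fixup)
            ds->info->chan_fixup(ds);
        if (ds->freed)
            return -1;
    }
    return 0;
}
/* Traversal that snapshots next before the callback and never touches ds afterwards. */
static int fixup_safe(struct channel *chan) {
    struct datastore *next;
    for (struct datastore *ds = chan->head; ds; ds = next) {
        next = ds->next;
        if (ds->info->chan_fixup)
            ds->info->chan_fixup(ds);
    }
    return 0;
}

static const struct datastore_info transfer_info = { transfer_fixup };
static const struct datastore_info plain_info = { NULL };
/* Two datastores, the self-freeing one first; returns 0 on a clean pass, -1 on a stale access. */
static int run_scenario(int use_safe_traversal) {
    static struct datastore a, b; static struct channel chan;
    b = (struct datastore){ &plain_info, NULL, 0 };
    a = (struct datastore){ &transfer_info, &b, 0 };
    chan.head = &a;
    g_chan = &chan;
    return use_safe_traversal ? fixup_safe(&chan) : fixup_unsafe(&chan);
}
```

With real free() the unsafe traversal's behaviour depends on whether the allocator has reused the block yet, which is why the report sees the crash only intermittently.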