[asterisk-bugs] [Asterisk 0013063]: Crash in iax2_destroy at chan_iax2.c:1309

noreply at bugs.digium.com noreply at bugs.digium.com
Wed Jul 16 03:23:04 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13063 
====================================================================== 
Reported By:                ZX81
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   13063
Category:                   Channels/chan_iax2
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  1.4  
SVN Revision (number only!): 129803 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             07-12-2008 19:12 CDT
Last Modified:              07-16-2008 03:23 CDT
====================================================================== 
Summary:                    Crash in iax2_destroy at chan_iax2.c:1309
Description: 
Brand new system taken from 1.4svn (r129803).

The machine is at my house and the network is particularly bad today
(http://bugs.digium.com/view.php?id=22#60%
packet loss).

I have a caching name server, and have registrations to three Asterisk 1.4
machines I own (trunking enabled).

There are no users on the machine as it is being built for production for
next week.

With no activity except for the outgoing registrations and qualify
statements, Asterisk crashed with the following:

#0  0xb732a9dc in iax2_destroy (callno=4176) at chan_iax2.c:1309
#1  0xb7334dc3 in __iax2_poke_noanswer (data=0x81f02e0) at chan_iax2.c:8869
#2  0xb734d3d5 in iax2_process_thread (data=0x81f40d0) at chan_iax2.c:8642
#3  0x080ff690 in dummy_start (data=0x81e9c00) at utils.c:912
#4  0xb7f37240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#5  0xb7e5249e in clone () from /lib/tls/i686/cmov/libc.so.6

The machine is:

2.6.18-5-686 #1 SMP Tue Dec 18 21:24:20 UTC 2007 i686 GNU/Linux

It crashed twice earlier (within 10 minutes of each other), but has not
crashed in the last 2 hours.

The only difference I can see (seeing as the box is doing nothing) is that
in the period where it crashed twice, the packet loss was extreme.

This may prove to be a difficult one to track down, however I have
recompiled Asterisk with DEBUG_THREADS and DONT_OPTIMIZE and will upload
another core if I get one.
====================================================================== 

---------------------------------------------------------------------- 
 ZX81 - 07-16-08 03:23  
---------------------------------------------------------------------- 
So, 126999 has been running for just under four and a half hours.

If the tests are correct, then it should actually be the 127068 and 127069
commits.

Basically just one commit.

http://svn.digium.com/view/asterisk?view=rev&rev=127068
http://svn.digium.com/view/asterisk?view=rev&rev=127069

There are actually no other commits to the Asterisk 1.4 branch between
126999 and 127068.  There are so many team branches!  I looked in my
svn-commits folder and didn't find the patches between so I went to the
above URL and went through each revision between 126999 and 127068.

As a side note, there are some numbers which return a Python error which
dumps some info on the server such as file path and the fact it is running
on a 64-bit OS.  Doesn't really matter, but would probably be cleaner if it
returned an error:

http://svn.digium.com/view/asterisk?view=rev&revision=127036 

The actual line of code that it crashes in was added in that commit,
although the same line was removed from further down.

The diff is here:

http://svn.digium.com/view/asterisk/branches/1.4/channels/chan_iax2.c?r1=127069&r2=127067&pathrev=127069

I'm recompiling and retesting 127069, so it should replicate the same
result by crashing.  

Inside the function:

static unsigned char compress_subclass(int subclass) 

There is the entry at 1309 which now does:

AST_SCHED_DEL(sched, iaxs[callno]->lagid);
AST_SCHED_DEL(sched, iaxs[callno]->pingid);

In a block which is inside an if(!owner) block.  Why it's crashing in
AST_SCHED_DEL(sched, iaxs[callno]->pingid); I don't know.  I have over 400
cores if someone wants some :)

Let me know if there's any other info I can provide. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-16-08 03:23  ZX81           Note Added: 0090329                          
======================================================================



