[asterisk-bugs] [Asterisk 0015314]: [patch] Seg fault in chan_local - local_pvt_destroy

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Aug 20 12:10:47 CDT 2009 

A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=15314 
====================================================================== 
Reported By:                sroberts
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   15314
Category:                   Channels/chan_local
Reproducibility:            unable to reproduce
Severity:                   crash
Priority:                   normal
Status:                     acknowledged
Target Version:             1.4.28
Asterisk Version:           1.4.22 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-06-11 04:50 CDT
Last Modified:              2009-08-20 12:10 CDT
====================================================================== 
Summary:                    [patch] Seg fault in chan_local - local_pvt_destroy
Description: 
This is the same issue as 14780. We also use SNOM phones (300s and 320s)
however these extensions are not connected to the server on which Asterisk
crashed. The crash occurred on the queue server.

A backtrace of the crash has been attached.

The crash here occurred when callfile finished execution. We use callfiles
to pause/unpause the agents. The local_pvt being freed is not null:

(gdb) frame 2
https://issues.asterisk.org/view.php?id=2  0x002dd837 in local_pvt_destroy
(pvt=0xa23e928) at chan_local.c:159
159             free(pvt);
(gdb) p pvt
$1 = (struct local_pvt *) 0xa23e928
(gdb) p *pvt
$2 = {lock = {mutex = {__m_reserved = 0, __m_count = 0, __m_owner = 0x0,
__m_kind = 1, __m_lock = {__status = 0, __spinlock = 0}}, track = 1, file =
{0x2e0f08 "chan_local.c", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
lineno = {158, 0, 0, 0, 0, 0, 0, 0, 0, 0}, reentrancy = 0, func = {0x2e0fbe
"local_pvt_destroy", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, thread =
{0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, reentr_mutex = {__m_reserved = 0, __m_count
= 0, __m_owner = 0x0, __m_kind = 1, __m_lock = {__status = 0, __spinlock =
0}}}, flags = 16, context = "vital-out", '\0' <repeats 70 times>, exten =
"*\000vital-out\000n", '\0' <repeats 66 times>, reqformat = 64, owner =
0x0, chan = 0x0, u_owner = 0xa2234c8, u_chan = 0xa1c3500, list = {next =
0x0}}


Due to the fact that our queue servers are so busy I cannot simply upgrade
it to a newer version (this one in particular handles around 10000 calls
per day) unless I know a version is stable. I've tested 1.4.25 and it
proved horrendously unstable (deadlocks and seg faults).


======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
has duplicate       0014780 Asterisk abort (signal 6) in local_pvt_...
====================================================================== 

---------------------------------------------------------------------- 
 (0109350) davidw (reporter) - 2009-08-20 12:10
 https://issues.asterisk.org/view.php?id=15314#c109350 
---------------------------------------------------------------------- 
Oops.  I've been confused by the locking failure error message.  It is not
reporting the line on which the lock failed, but the line on which it was
originally obtained.  It looks like all the failures are on
DEADLOCK_AVOIDANCE.

Summary:

1) The DEADLOCK_AVOIDANCE call in the owner branch of local_hangup is
unsafe.  Because p->owner has already been nulled, a collision can result
in the destruction of the private structure whilst in the
DEADLOCK_AVOIDANCE and resultant crash.

2) The deadlock avoidance code in the p->chan branch is potentially
unsafe, but no actual failures scenario has been found.

3) The IS_OUTBOUND test is potentially unsafe, but no real life scenario
has been found and the only candidate scenarios involve two calls to
local_hangup for the chan side, which should not happen.

4) A lock failure in DEADLOCK_AVOIDANCE results in an error message giving
a misleading location, probably because it was never envisaged that that
lock would fail.  I consider that a bug.

5) A failure to get an answer on the channel side of Originate, and
presumably also with call files, will result in ERROR messages from the
device state call back, because the routine that generates the CDR uses a
dummy channel structure, which is never populated with a name, but
channel_free doesn't treat this as a special case. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-08-20 12:10 davidw         Note Added: 0109350                          
======================================================================

More information about the asterisk-bugs mailing list