[asterisk-bugs] [LibPRI 0014335]: Crash on pri_schedule_event - t200_expire

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Feb 5 08:59:34 CST 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14335 
====================================================================== 
Reported By:                ricvil
Assigned To:                mattf
====================================================================== 
Project:                    LibPRI
Issue ID:                   14335
Category:                   General
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     acknowledged
Asterisk Version:           1.4.22 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2009-01-26 10:56 CST
Last Modified:              2009-02-05 08:59 CST
====================================================================== 
Summary:                    Crash on pri_schedule_event - t200_expire
Description: 
I have had multiple crashes using libpri 1.4.7 (see
http://bugs.digium.com/view.php?id=14243).

I now upgraded to libpri 1.4.9 (same Asterisk 1.4.22) and the issue still
happens.  Compiled with DONT_OPTIMIZE, DEBUG_CHANNEL_LOCK, and
DEBUG_THREADS

Here is the latest crash from today:
Program terminated with signal 11, Segmentation fault.
#0  0x009d6ce2 in pri_schedule_event (pri=0x12, ms=0, function=0x9d43a4 <t200_expire>, data=0xb7a502e0) at prisched.c:44
44              while (pri->master)

(gdb) bt
#0  0x009d6ce2 in pri_schedule_event (pri=0x12, ms=0, function=0x9d43a4 <t200_expire>, data=0xb7a502e0) at prisched.c:44
#1  0x009d3c0f in reschedule_t200 (pri=0xb7a502e0) at q921.c:259
#2  0x009d4ba7 in q921_transmit_iframe (pri=0xb7a502e0, buf=0x5725b50, len=9, cr=1) at q921.c:537
#3  0x009dd489 in q931_xmit (pri=0xb7a502e0, h=0x5725b50, len=9, cr=1) at q931.c:2611
#4  0x009dd682 in send_message (pri=0xb7d73540, c=0xb7a383a0, msgtype=69, ies=0x9f501c) at q931.c:2654
#5  0x009de935 in q931_disconnect (pri=0xb7d73540, c=0xb7a383a0, cause=16) at q931.c:3020
#6  0x009df2a3 in q931_hangup (pri=0xb7d73540, c=0xb7a383a0, cause=16) at q931.c:3230
#7  0x009d2693 in pri_hangup (pri=0xb7d73540, call=0xb7a383a0, cause=16) at pri.c:623
#8  0x012e9851 in dahdi_hangup (ast=0xb7a0b9a8) at chan_dahdi.c:2718
#9  0x08087ae3 in ast_hangup (chan=0xb7a0b9a8) at channel.c:1507
#10 0x080d6245 in __ast_pbx_run (c=0xb7a0b9a8) at pbx.c:2561
#11 0x080d6495 in pbx_thread (data=0xb7a0b9a8) at pbx.c:2621
#12 0x08119e13 in dummy_start (data=0xb7a6d360) at utils.c:912
#13 0x0067946b in start_thread () from /lib/libpthread.so.0
#14 0x005d0dbe in clone () from /lib/libc.so.6
(gdb) 

I will attach the full backtrace on file backtrace1.txt
====================================================================== 

---------------------------------------------------------------------- 
 (0099498) ricvil (reporter) - 2009-02-05 08:59
 http://bugs.digium.com/view.php?id=14335#c99498 
---------------------------------------------------------------------- 
A few seconds before the crash I once again see the 'Cause: Invalid call
reference value (81)'.  To further explain the setup on the box, PRI#3 is
Master and is connected via a crossover cable to PRI#4.  We use this setup
for a very precise jitter buffer application.  It appears PRI#3 sends out a
Disconnect Request on channel 10 and PRI#4 responds with Release Complete
but with 'Invalid call reference'.  Here is the log:

[Feb  5 07:09:55] VERBOSE[7434] logger.c: -- Processing IE 24 (cs0,
Channel Identification)
[Feb  5 07:09:55] VERBOSE[7434] logger.c: -- Processing IE 121 (cs0,
Restart Indicator)
[Feb  5 07:09:55] VERBOSE[7434] logger.c: q931.c:3844 q931_receive: call
32768 on channel 23 enters state 0 (Null)
[Feb  5 07:09:55] VERBOSE[7434] logger.c: Sending Receiver Ready (26)
[Feb  5 07:09:55] VERBOSE[7434] logger.c:
> [ 02 01 01 34 ]
[Feb  5 07:09:55] VERBOSE[7434] logger.c:
> Supervisory frame:
[Feb  5 07:09:55] VERBOSE[7434] logger.c: > SAPI: 00  C/R: 1 EA: 0
>  TEI: 000        EA: 1
[Feb  5 07:09:55] VERBOSE[7434] logger.c: > Zero: 0     S: 0 01: 1  [ RR
(receive ready) ]
> N(R): 026 P/F: 0
> 0 bytes of data
[Feb  5 07:09:55] VERBOSE[7434] logger.c: -- Restarting T203 timer
[Feb  5 07:09:55] VERBOSE[7434] logger.c:     -- B-channel 0/23
successfully restarted on span 3
[Feb  5 07:09:56] VERBOSE[3042] logger.c: NEW_HANGUP DEBUG: Calling
q931_hangup, ourstate Outgoing call  Proceeding, peerstate Incoming Call
Proceeding
[Feb  5 07:09:56] VERBOSE[3042] logger.c: q931.c:3009 q931_disconnect:
call 37223 on channel 10 enters state 11 (Disconnect Request)
[Feb  5 07:09:56] VERBOSE[3042] logger.c:
> [ 00 01 be 34 08 02 11 67 45 08 02 81 90 ]
[Feb  5 07:09:56] VERBOSE[3042] logger.c:
> Informational frame:
[Feb  5 07:09:56] VERBOSE[3042] logger.c: > SAPI: 00  C/R: 0 EA: 0
>  TEI: 000        EA: 1
[Feb  5 07:09:56] VERBOSE[3042] logger.c: > N(S): 095   0: 0
> N(R): 026   P: 0
> 9 bytes of data
[Feb  5 07:09:56] VERBOSE[3042] logger.c: Stopping T_203 timer
[Feb  5 07:09:56] VERBOSE[3042] logger.c: Starting T_200 timer
[Feb  5 07:09:56] VERBOSE[3042] logger.c: -- Restarting T200 timer
[Feb  5 07:09:56] VERBOSE[3042] logger.c: > Protocol Discriminator: Q.931
(8)  len=9
[Feb  5 07:09:56] VERBOSE[3042] logger.c: > Call Ref: len= 2 (reference
4455/0x1167) (Originator)
[Feb  5 07:09:56] VERBOSE[3042] logger.c: > Message type: DISCONNECT (69)
[Feb  5 07:09:56] VERBOSE[3042] logger.c: > [08 02 81 90]
[Feb  5 07:09:56] VERBOSE[3042] logger.c: > Cause (len= 4) [ Ext: 1 
Coding: CCITT (ITU) standard (0)  Spare: 0  Location: Private network
serving the local user (1)
[Feb  5 07:09:56] VERBOSE[3042] logger.c: >                  Ext: 1 
Cause: Normal Clearing (16), class = Normal Event (1) ]
[Feb  5 07:09:56] VERBOSE[3042] logger.c:     -- Hungup 'DAHDI/58-1'
[Feb  5 07:09:56] VERBOSE[3042] logger.c:   == Spawn extension
(jitter_buffer, 033202751739, 5) exited non-zero on
'SIP/telesip.net-b7db6ba8'
[Feb  5 07:09:56] VERBOSE[7434] logger.c:
< [ 02 01 34 c0 08 02 91 67 5a 08 02 81 d1 ]
[Feb  5 07:09:56] VERBOSE[7434] logger.c:
< Informational frame:
[Feb  5 07:09:56] VERBOSE[7434] logger.c: < SAPI: 00  C/R: 1 EA: 0
<  TEI: 000        EA: 1
[Feb  5 07:09:56] VERBOSE[7434] logger.c: < N(S): 026   0: 0
< N(R): 096   P: 0
< 9 bytes of data

[Feb  5 07:09:56] VERBOSE[7434] logger.c: Handling message for
SAPI/TEI=0/0
[Feb  5 07:09:56] VERBOSE[7434] logger.c: -- ACKing all packets from 94 to
(but not including) 96
[Feb  5 07:09:56] VERBOSE[7434] logger.c: -- ACKing packet 95, new txqueue
is -1 (-1 means empty)
[Feb  5 07:09:56] VERBOSE[7434] logger.c: -- Since there was nothing left,
stopping T200 counter
[Feb  5 07:09:56] VERBOSE[7434] logger.c: -- Nothing left, starting T203
counter
[Feb  5 07:09:56] VERBOSE[7434] logger.c: < Protocol Discriminator: Q.931
(8)  len=9
[Feb  5 07:09:56] VERBOSE[7434] logger.c: < Call Ref: len= 2 (reference
4455/0x1167) (Terminator)
[Feb  5 07:09:56] VERBOSE[7434] logger.c: < Message type: RELEASE COMPLETE
(90)
[Feb  5 07:09:56] VERBOSE[7434] logger.c: < [08 02 81 d1]
[Feb  5 07:09:56] VERBOSE[7434] logger.c: < Cause (len= 4) [ Ext: 1 
Coding: CCITT (ITU) standard (0)  Spare: 0  Location: Private network
serving the local user (1)
[Feb  5 07:09:56] VERBOSE[7434] logger.c: <                  Ext: 1 
Cause: Invalid call reference value (81), class = Invalid message (e.g.
parameter out of range) (5) ]
[Feb  5 07:09:56] VERBOSE[7434] logger.c: -- Processing IE 8 (cs0, Cause)
[Feb  5 07:09:56] VERBOSE[7434] logger.c: q931.c:3760 q931_receive: call
37223 on channel 10 enters state 0 (Null)
[Feb  5 07:09:56] VERBOSE[7434] logger.c: NEW_HANGUP DEBUG: Calling
q931_hangup, ourstate Null, peerstate Null
[Feb  5 07:09:56] VERBOSE[7434] logger.c: NEW_HANGUP DEBUG: Destroying the
call, ourstate Null, peerstate Null
[Feb  5 07:09:56] VERBOSE[7434] logger.c: Sending Receiver Ready (27) 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-02-05 08:59 ricvil         Note Added: 0099498                          
======================================================================
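
The DISCONNECT / RELEASE COMPLETE exchange in the note above can be checked from the two hex dumps alone. The decoder below is an added example, not part of the original report and not libpri code; it handles only Q.921 I-frames with 1- or 2-octet call references in codeset 0, and the names decode_iframe, q931_summary, LOG_TX and LOG_RX are invented here.

```c
#include <stdint.h>
#include <stdio.h>

/* Summary of one Q.921 I-frame carrying a Q.931 message. */
struct q931_summary {
    int ok;              /* 1 if the frame parsed cleanly */
    int ns, nr;          /* Q.921 N(S) and N(R) */
    int callref, flag;   /* Q.931 call reference value and flag bit */
    int msgtype, cause;  /* message type; Cause IE value, -1 if absent */
};

/* Frames copied from the log above: the sent DISCONNECT and the reply. */
static const uint8_t LOG_TX[] = {0x00,0x01,0xbe,0x34,0x08,0x02,0x11,0x67,0x45,0x08,0x02,0x81,0x90};
static const uint8_t LOG_RX[] = {0x02,0x01,0x34,0xc0,0x08,0x02,0x91,0x67,0x5a,0x08,0x02,0x81,0xd1};

struct q931_summary decode_iframe(const uint8_t *f, size_t len)
{
    struct q931_summary o = { .cause = -1 };
    size_t i, crlen;
    if (len < 6 || (f[0] & 1) || !(f[1] & 1) || (f[2] & 1) || f[4] != 0x08)
        return o;                         /* not an I-frame with Q.931 payload */
    o.ns = f[2] >> 1; o.nr = f[3] >> 1;
    crlen = f[5] & 0x0f;                  /* only 1- or 2-octet references */
    if (crlen < 1 || crlen > 2 || len < 7 + crlen) return o;
    o.flag = f[6] >> 7; o.callref = f[6] & 0x7f;
    if (crlen == 2) o.callref = (o.callref << 8) | f[7];
    o.msgtype = f[6 + crlen] & 0x7f;
    for (i = 7 + crlen; i < len; ) {      /* IE walk, codeset 0 assumed */
        uint8_t id = f[i++];
        if (id & 0x80) continue;          /* single-octet IE */
        if (i >= len || (size_t)f[i] > len - i - 1) return o;
        if (id == 0x08) {                 /* Cause IE */
            size_t j = i + 1, end = i + 1 + f[i];
            if (j < end && !(f[j] & 0x80)) j++;   /* optional octet 3a */
            if (++j < end) o.cause = f[j] & 0x7f;
        }
        i += 1 + (size_t)f[i];
    }
    o.ok = 1;
    return o;
}

int main(void)
{
    struct q931_summary a = decode_iframe(LOG_TX, sizeof LOG_TX);
    struct q931_summary b = decode_iframe(LOG_RX, sizeof LOG_RX);
    printf("tx ok=%d msg=%d cr=%d flag=%d cause=%d\n", a.ok, a.msgtype, a.callref, a.flag, a.cause);
    printf("rx ok=%d msg=%d cr=%d flag=%d cause=%d\n", b.ok, b.msgtype, b.callref, b.flag, b.cause);
    return 0;
}
```

Both frames decode to call reference 4455 (0x1167); the value 37223 that the log prints for the same call is 0x9167, the same reference with the top bit set.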



