[asterisk-bugs] [Asterisk 0015109]: Abort by memory allocator, possibly in moh_files_generator

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Jun 23 10:03:01 CDT 2009


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=15109 
====================================================================== 
Reported By:                jvandal
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   15109
Category:                   Resources/res_musiconhold
Reproducibility:            random
Severity:                   block
Priority:                   normal
Status:                     acknowledged
Target Version:             1.4.27
Asterisk Version:           1.4.24 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-05-14 10:49 CDT
Last Modified:              2009-06-23 10:03 CDT
====================================================================== 
Summary:                    Abort by memory allocator, possibly in moh_files_generator
Description: 
I have a server running Asterisk 1.4.24.1 where it randomly segfaults
for an "unknown" reason.

I'm not sure if this is related to the moh_files_generator function or to
filestream_destructor.

Let me know what is needed in order to fix this crash, if GDB traces aren't
enough.

Asterisk is compiled with DONT_OPTIMIZE and the other flags needed for "gdb".

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0014958 Segfault Asterisk 1.4.24.1
related to          0015123 out of bounds crash and core dump
has duplicate       0015195 double free or corruption (!prev) in mo...
====================================================================== 

---------------------------------------------------------------------- 
 (0106847) aragon (reporter) - 2009-06-23 10:03
 https://issues.asterisk.org/view.php?id=15109#c106847 
---------------------------------------------------------------------- 
There are similarities in the valgrind.txt for this bug report and 15377.
Both appear to be related to when the external trunk channel is torn down
(IAX or PRI).

For example, in the IAX2 crash under valgrind:

==3923== Syscall param ioctl(generic) points to uninitialised byte(s)
==3923==    at 0x801869: ioctl (in /lib/libc-2.5.so)
==3923==    by 0x6FA6BE7: build_channels (chan_dahdi.c:11281)
==3923==    by 0x6FA6E66: process_dahdi (chan_dahdi.c:11330)
==3923==    by 0x6FAB302: setup_dahdi (chan_dahdi.c:12108)
==3923==    by 0x6FAB784: load_module (chan_dahdi.c:12177)
==3923==    by 0x80C336C: load_resource (in /usr/sbin/asterisk)
==3923==    by 0x80C3E39: load_modules (in /usr/sbin/asterisk)
==3923==    by 0x80720CB: main (in /usr/sbin/asterisk)
==3923==  Address 0xbee9b8ac is on thread 1's stack
==3923== 
==3923== Thread 116:
==3923== Conditional jump or move depends on uninitialised value(s)
==3923==    at 0x808AE6D: ast_waitfor_nandfds (in /usr/sbin/asterisk)
==3923==    by 0x456CDA2: run_agi (res_agi.c:1910)
==3923==    by 0x456DC1E: agi_exec_full (res_agi.c:2144)
==3923==    by 0x456DDB8: agi_exec (res_agi.c:2176)
==3923==    by 0x80D5538: pbx_exec (in /usr/sbin/asterisk)
==3923==    by 0x80D92BE: pbx_extension_helper (in /usr/sbin/asterisk)
==3923==    by 0x80DA61D: ast_spawn_extension (in /usr/sbin/asterisk)
==3923==    by 0x80DAA7D: __ast_pbx_run (in /usr/sbin/asterisk)
==3923==    by 0x80DBA8E: pbx_thread (in /usr/sbin/asterisk)
==3923==    by 0x8120ACE: dummy_start (in /usr/sbin/asterisk)
==3923==    by 0x8B249A: start_thread (in /lib/libpthread-2.5.so)
==3923==    by 0x80942D: clone (in /lib/libc-2.5.so)
==3923== 
==3923== Thread 41:
==3923== Invalid read of size 4
==3923==    at 0x47BB598: iax2_destroy (chan_iax2.c:1363)
==3923==    by 0x47C47B3: iax2_hangup (chan_iax2.c:3567)
==3923==    by 0x808A04F: ast_hangup (in /usr/sbin/asterisk)
==3923==    by 0x80DB825: __ast_pbx_run (in /usr/sbin/asterisk)
==3923==    by 0x80DBA8E: pbx_thread (in /usr/sbin/asterisk)
==3923==    by 0x8120ACE: dummy_start (in /usr/sbin/asterisk)
==3923==    by 0x8B249A: start_thread (in /lib/libpthread-2.5.so)
==3923==    by 0x80942D: clone (in /lib/libc-2.5.so)
==3923==  Address 0x5c8 is not stack'd, malloc'd or (recently) free'd
==3923== 
==3923== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3923==  Access not within mapped region at address 0x5C8
==3923==    at 0x47BB598: iax2_destroy (chan_iax2.c:1363)
==3923==    by 0x47C47B3: iax2_hangup (chan_iax2.c:3567)
==3923==    by 0x808A04F: ast_hangup (in /usr/sbin/asterisk)
==3923==    by 0x80DB825: __ast_pbx_run (in /usr/sbin/asterisk)
==3923==    by 0x80DBA8E: pbx_thread (in /usr/sbin/asterisk)
==3923==    by 0x8120ACE: dummy_start (in /usr/sbin/asterisk)
==3923==    by 0x8B249A: start_thread (in /lib/libpthread-2.5.so)
==3923==    by 0x80942D: clone (in /lib/libc-2.5.so)
==3923==  If you believe this happened as a result of a stack overflow in your
==3923==  program's main thread (unlikely but possible), you can try to increase
==3923==  the size of the main thread stack using the --main-stacksize= flag.
==3923==  The main thread stack size used in this run was 10485760.
==3923== 
==3923== ERROR SUMMARY: 17105 errors from 11 contexts (suppressed: 1771 from 1)
==3923== malloc/free: in use at exit: 10,879,691 bytes in 43,784 blocks.
==3923== malloc/free: 642,719 allocs, 598,935 frees, 226,384,887 bytes allocated.
==3923== For counts of detected errors, rerun with: -v
==3923== Use --track-origins=yes to see where uninitialised values come from
==3923== searching for pointers to 43,784 not-freed blocks.
==3923== checked 33,057,928 bytes.


In the valgrind.txt while using PRI trunks

==9508== Invalid write of size 4
==9508==    at 0x667A060: q931_disconnect (q931.c:2978)
==9508==    by 0x6679730: pri_connect_timeout (q931.c:2834)
==9508==    by 0x66728D8: __pri_schedule_run (prisched.c:101)
==9508==    by 0x6672943: pri_schedule_run (prisched.c:113)
==9508==    by 0x65FC13C: pri_dchannel (chan_dahdi.c:9031)
==9508==    by 0x8120ACE: dummy_start (in /usr/sbin/asterisk)
==9508==    by 0x8B249A: start_thread (in /lib/libpthread-2.5.so)
==9508==    by 0x80942D: clone (in /lib/libc-2.5.so)
==9508==  Address 0x43113a8 is 1,256 bytes inside a block of size 2,848 free'd
==9508==    at 0x400562C: free (vg_replace_malloc.c:323)
==9508==    by 0x6677F99: q931_destroy (q931.c:2411)
==9508==    by 0x6677FF7: q931_destroycall (q931.c:2422)
==9508==    by 0x667A8AA: q931_hangup (q931.c:3154)
==9508==    by 0x667A6DF: q931_release_complete (q931.c:3111)
==9508==    by 0x667A96C: q931_hangup (q931.c:3181)
==9508==    by 0x666E47A: pri_hangup (pri.c:600)
==9508==    by 0x65E180F: dahdi_hangup (chan_dahdi.c:3010)
==9508==    by 0x808A04F: ast_hangup (in /usr/sbin/asterisk)
==9508==    by 0x80DB825: __ast_pbx_run (in /usr/sbin/asterisk)
==9508==    by 0x80DBA8E: pbx_thread (in /usr/sbin/asterisk)
==9508==    by 0x8120ACE: dummy_start (in /usr/sbin/asterisk)

The last few lines in the CLI output during IAX2 crash under valgrind...

   -- Added extension 's' priority 2 to default-app-calltrace-perform
[Jun 22 12:16:48] WARNING[7463]: mp3/interface.c:215 decodeMP3: Junk at the beginning of frame 54414757
    -- Added extension 's' priority 3 to default-app-calltrace-perform
    -- Added extension 's' priority 4 to default-app-calltrace-perform
[Jun 22 12:16:50] ERROR[7463]: utils.c:966 ast_carefulwrite: write() returned error: Broken pipe
    -- Added extension 's' priority 5 to default-app-calltrace-perform
    -- Remote UNIX connection disconnected
    -- Added extension 's' priority 6 to default-app-calltrace-perform 

Later on in PRI valgrind trace I see some musiconhold data but no crash
under valgrind...

==9508== Thread 57:
==9508== Invalid read of size 4
==9508==    at 0x80B4606: __frame_free (in /usr/sbin/asterisk)
==9508==    by 0x80B475E: ast_frame_free (in /usr/sbin/asterisk)
==9508==    by 0x46D2396: moh_files_generator (res_musiconhold.c:295)
==9508==    by 0x808B65F: ast_read_generator_actions (in /usr/sbin/asterisk)
==9508==    by 0x808CFCD: __ast_read (in /usr/sbin/asterisk)
==9508==    by 0x808D275: ast_read (in /usr/sbin/asterisk)
==9508==    by 0x8079AA4: autoservice_run (in /usr/sbin/asterisk)
==9508==    by 0x8120ACE: dummy_start (in /usr/sbin/asterisk)
==9508==    by 0x8B249A: start_thread (in /lib/libpthread-2.5.so)
==9508==    by 0x80942D: clone (in /lib/libc-2.5.so)
==9508==  Address 0x5ff11b0 is 400 bytes inside a block of size 688 free'd
==9508==    at 0x400562C: free (vg_replace_malloc.c:323)
==9508==    by 0x8072790: __ast_free_region (in /usr/sbin/asterisk)
==9508==    by 0x8073182: __ast_free (in /usr/sbin/asterisk)
==9508==    by 0x80749ED: ao2_ref (in /usr/sbin/asterisk)
==9508==    by 0x80B3072: ast_filestream_frame_freed (in /usr/sbin/asterisk)
==9508==    by 0x80B4602: __frame_free (in /usr/sbin/asterisk)
==9508==    by 0x80B475E: ast_frame_free (in /usr/sbin/asterisk)
==9508==    by 0x46D2396: moh_files_generator (res_musiconhold.c:295)
==9508==    by 0x808B65F: ast_read_generator_actions (in /usr/sbin/asterisk)
==9508==    by 0x808CFCD: __ast_read (in /usr/sbin/asterisk)
==9508==    by 0x808D275: ast_read (in /usr/sbin/asterisk)
==9508==    by 0x8079AA4: autoservice_run (in /usr/sbin/asterisk)

Bug https://issues.asterisk.org/view.php?id=15377
probably needs a relationship added to
https://issues.asterisk.org/view.php?id=15109

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-06-23 10:03 aragon         Note Added: 0106847                          
======================================================================
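
Added example, not part of the original report and not Asterisk code: a small Python triage script that reads memcheck records like those quoted in the note above and classifies each invalid access by what valgrind reports about the address and about the stack that freed the block. The sample input is constructed from abbreviated, re-joined lines of the traces above; the function name `triage` and the pattern labels are assumptions made here.

```python
import re

# Constructed sample: abbreviated, re-joined lines from the traces in the note above.
SAMPLE = """\
==3923== Invalid read of size 4
==3923==    at 0x47BB598: iax2_destroy (chan_iax2.c:1363)
==3923==  Address 0x5c8 is not stack'd, malloc'd or (recently) free'd
==9508== Invalid write of size 4
==9508==    at 0x667A060: q931_disconnect (q931.c:2978)
==9508==    by 0x6679730: pri_connect_timeout (q931.c:2834)
==9508==  Address 0x43113a8 is 1,256 bytes inside a block of size 2,848 free'd
==9508==    at 0x400562C: free (vg_replace_malloc.c:323)
==9508==    by 0x6677F99: q931_destroy (q931.c:2411)
==9508==    by 0x65E180F: dahdi_hangup (chan_dahdi.c:3010)
==9508== Invalid read of size 4
==9508==    at 0x80B4606: __frame_free (in /usr/sbin/asterisk)
==9508==    by 0x46D2396: moh_files_generator (res_musiconhold.c:295)
==9508==  Address 0x5ff11b0 is 400 bytes inside a block of size 688 free'd
==9508==    at 0x400562C: free (vg_replace_malloc.c:323)
==9508==    by 0x80B3072: ast_filestream_frame_freed (in /usr/sbin/asterisk)
==9508==    by 0x80B4602: __frame_free (in /usr/sbin/asterisk)
"""

HEAD = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
FREED = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is .+ inside a block of size [\d,]+ free'd")

def triage(text):
    """Pair each invalid access with the stack that freed the block (labels are ours)."""
    records, cur, side = [], None, "access"
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur, side = {"kind": m.group(1), "access": [], "free": []}, "access"
            records.append(cur)
        elif cur and FREED.match(line):
            side = "free"                # frames that follow are the free() stack
        elif cur and (m := FRAME.match(line)):
            cur[side].append(m.group(1))
        else:
            cur = None                   # bare "==pid==" or other text ends the record
    for r in records:
        if not r["free"]:
            r["pattern"] = "address-not-in-freed-block"
        elif r["access"] and r["access"][0] in r["free"]:
            r["pattern"] = "freed-within-accessor"   # accessing function is on the free stack
        else:
            r["pattern"] = "freed-on-other-path"     # freed by one call path, used by another
    return records

if __name__ == "__main__": print([(r["pattern"], r["access"][0]) for r in triage(SAMPLE)])
```

On this sample the res_musiconhold record is the only one where the accessing function (`__frame_free`) also appears in the stack that freed the block, while the chan_iax2 record touches an address memcheck does not associate with any freed block.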



