[asterisk-bugs] [JIRA] (ASTERISK-23012) crash in pjsip_transport_dec_ref when called from rx_task_data_destroy in res_pjsip_registrar

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Thu Mar 13 16:05:18 CDT 2014 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-23012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=216481#comment-216481 ] 

Kevin Harwell commented on ASTERISK-23012:
------------------------------------------

At this time I have been unable to reproduce the problem after 1000+ runs of the test that uncovered the problem to begin with and the test has not crashed on the build agents in over a month, so for now the issue is going to be closed out.  Hard to fix something that is not showing to be broken (well any more).

But just in case this gets reopened:

Looking at the _pjsip_transport_dec_ref_ function (in sip_transport.c) there is an assert check on the transport ref count.  It expects it to be greater than zero upon entering the function.  So the ref on the transport is decremented one too many times before entering this function.  At a quick glance all transport dec refs seem to be associated with a corresponding add ref.

However (this is just a guess at some direction and only a guess after a cursory look at the code), in the _pjsip_rx_data_clone_ function a shallow copy of the transport takes place and then before bumping transport ref message headers are copied.  Perhaps a race condition?  I am not sure, although there seems to be no locking going on, but I may have missed something.

> crash in pjsip_transport_dec_ref when called from rx_task_data_destroy in res_pjsip_registrar
> ---------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23012
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23012
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_registrar
>    Affects Versions: 12.0.0-beta2
>            Reporter: Matt Jordan
>            Assignee: Kevin Harwell
>         Attachments: backtrace_6600.txt
>
>
> Found by the Test Suite in channels/pjsip/registration/inbound/nominal/mixed/unauthed:
> https://bamboo.asterisk.org/bamboo/browse/AST-ATSF4-C632TE-100/test/case/1413778
> Backtrace is attached.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list