[asterisk-bugs] [JIRA] (ASTERISK-24759) Reference of deleted ao2 object during shutdown of res_pjsip_pubsub
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Mon Feb 16 11:53:35 CST 2015
[ https://issues.asterisk.org/jira/browse/ASTERISK-24759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan updated ASTERISK-24759:
-----------------------------------
Status: Open (was: Triage)
> Reference of deleted ao2 object during shutdown of res_pjsip_pubsub
> -------------------------------------------------------------------
>
> Key: ASTERISK-24759
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24759
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_pjsip, Resources/res_pjsip_pubsub
> Reporter: Scott Griepentrog
> Severity: Minor
>
> During CLI command "core shutdown gracefully", send_notify() can be called on a subscription tree, and it is possible for that ao2 object to be unreferenced during the call. This was caught with valgrind:
> {noformat}
> ==11153== Invalid write of size 4
> ==11153== at 0x14CCF322: send_notify (res_pjsip_pubsub.c:2088)
> ==11153== by 0x14CD0BF1: subscription_persistence_recreate (res_pjsip_pubsub.c:1385)
> ==11153== by 0x45D94B: internal_ao2_traverse (astobj2_container.c:351)
> ==11153== by 0x45DC3B: __ao2_callback_debug (astobj2_container.c:446)
> ==11153== by 0x14CC8791: subscription_persistence_load (res_pjsip_pubsub.c:1408)
> ==11153== by 0x5EB583: ast_taskprocessor_execute (taskprocessor.c:769)
> ==11153== by 0x5F5853: threadpool_execute (threadpool.c:351)
> ==11153== by 0x5F709B: worker_active (threadpool.c:1075)
> ==11153== by 0x5F6E37: worker_start (threadpool.c:995)
> ==11153== by 0x602F83: dummy_start (utils.c:1232)
> ==11153== by 0x670DDF2: start_thread (in /usr/lib64/libpthread-2.17.so)
> ==11153== by 0x74651AC: clone (in /usr/lib64/libc-2.17.so)
> ==11153== Address 0xa68e840 is 144 bytes inside a block of size 176 free'd
> ==11153== at 0x4C29577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11153== by 0x45C5D7: internal_ao2_ref (astobj2.c:458)
> ==11153== by 0x45C6AB: __ao2_ref_debug (astobj2.c:484)
> ==11153== by 0x45C8B0: __ao2_cleanup_debug (astobj2.c:519)
> ==11153== by 0x14CC9D24: pubsub_on_evsub_state (res_pjsip_pubsub.c:3111)
> ==11153== by 0xE85A797: set_state (in /usr/lib64/libpjsip-simple.so.2)
> ==11153== by 0xE85BA53: mod_evsub_on_tsx_state (in /usr/lib64/libpjsip-simple.so.2)
> ==11153== by 0xEA9A92C: pjsip_dlg_on_tsx_state (in /usr/lib64/libpjsip.so.2)
> ==11153== by 0xEA94959: tsx_set_state (in /usr/lib64/libpjsip.so.2)
> ==11153== by 0xEA9649E: tsx_on_state_proceeding_uac (in /usr/lib64/libpjsip.so.2)
> ==11153== by 0xEA9681C: tsx_on_state_calling (in /usr/lib64/libpjsip.so.2)
> ==11153== by 0xEA97CEE: pjsip_tsx_recv_msg (in /usr/lib64/libpjsip.so.2)
> ==11153==
> {noformat}
> Where res_pjsip_pubsub.c:2088 is the last line below setting the scheduled notify to zero, which points to the sub_tree object being deleted during the send_request:
> {noformat}
>     if (sub_tree->is_list) {
>         pjsip_require_hdr *require = create_require_eventlist(tdata->pool);
>         pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *) require);
>     }
>     if (sip_subscription_send_request(sub_tree, tdata)) {
>         return -1;
>     }
>     sub_tree->send_scheduled_notify = 0;
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
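
Added illustration, not part of the original report and not Asterisk code or the project's fix: a toy reference count (every name is hypothetical) modelling the pattern in the trace above, where the send path drops the last reference before the caller clears send_scheduled_notify. It reports whether the object is already freed at the point of that write, with and without a reference held by the caller across the send.

```c
/* Toy model of the reported pattern, not Asterisk's astobj2 code; all names hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct sub_tree {
    int refs;                  /* reference count */
    int send_scheduled_notify; /* field cleared after the send */
};

static int destroyed;          /* number of trees freed so far */

static struct sub_tree *tree_alloc(void)
{
    struct sub_tree *t = calloc(1, sizeof(*t));
    if (!t) abort();
    t->refs = 1;
    t->send_scheduled_notify = 1;
    return t;
}

static void tree_ref(struct sub_tree *t) { t->refs++; }
static void tree_unref(struct sub_tree *t)
{
    if (--t->refs == 0) { destroyed++; free(t); }
}

/* Stands in for the send: a state callback runs during the call and
 * drops the reference that was keeping the tree alive. */
static void send_request(struct sub_tree *t) { tree_unref(t); }

/* Returns 1 if the tree was already freed at the point where the flag
 * would be cleared. With guard set, the caller pins the tree first. */
int freed_before_flag_write(int guard)
{
    struct sub_tree *t = tree_alloc();
    int before = destroyed, freed;
    if (guard) tree_ref(t);
    send_request(t);
    freed = (destroyed != before);
    if (!freed) t->send_scheduled_notify = 0; /* tree still alive */
    if (guard) tree_unref(t);                 /* last reference, frees here */
    return freed;
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", freed_before_flag_write(0), freed_before_flag_write(1));
    return 0;
}
```

The model skips the write when the object is gone so that it stays well-defined; the reported code performs it unconditionally, which is the invalid write valgrind flagged.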