[asterisk-bugs] [JIRA] (ASTERISK-27238) Yet another crash freeing a frame that's already been freed
Richard Kenner (JIRA)
noreply at issues.asterisk.org
Thu Aug 31 20:28:07 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-27238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238401#comment-238401 ]
Richard Kenner commented on ASTERISK-27238:
-------------------------------------------
Wow, that did not take long: All I did was call into a conference bridge from *one* extension and I see dozens of:
==16245== Thread 77:
==16245== Invalid read of size 8
==16245== at 0x52F71E: ast_frdup (frame.c:316)
==16245== by 0x5D275F: ast_slinfactory_feed (slinfactory.c:128)
==16245== by 0x2D73F340: softmix_bridge_write_voice (bridge_softmix.c:652)
==16245== by 0x2D73F47B: softmix_bridge_write (bridge_softmix.c:731)
==16245== by 0x483EF5: bridge_channel_write_frame (bridge_channel.c:648)
==16245== by 0x488693: bridge_handle_trip (bridge_channel.c:2475)
==16245== by 0x488A77: bridge_channel_wait (bridge_channel.c:2611)
==16245== by 0x489220: bridge_channel_internal_join (bridge_channel.c:2757)
==16245== by 0x46EDDF: ast_bridge_join (bridge.c:1715)
==16245== by 0x20066A1F: confbridge_exec (app_confbridge.c:2448)
==16245== by 0x5944C3: pbx_exec (pbx_app.c:491)
==16245== by 0x5803B9: pbx_extension_helper (pbx.c:2923)
==16245== Address 0xa1ab810 is 96 bytes inside a block of size 545 free'd
==16245== at 0x4C29CDD: free (vg_replace_malloc.c:530)
==16245== by 0x52F20D: __frame_free (frame.c:157)
==16245== by 0x52F24A: ast_frame_free (frame.c:171)
==16245== by 0x609444: ast_translate (translate.c:626)
==16245== by 0x4BBDC7: __ast_read (channel.c:4315)
==16245== by 0x4BC145: ast_read (channel.c:4398)
==16245== by 0x48855A: bridge_handle_trip (bridge_channel.c:2431)
==16245== by 0x488A77: bridge_channel_wait (bridge_channel.c:2611)
==16245== by 0x489220: bridge_channel_internal_join (bridge_channel.c:2757)
==16245== by 0x46EDDF: ast_bridge_join (bridge.c:1715)
==16245== by 0x20066A1F: confbridge_exec (app_confbridge.c:2448)
==16245== by 0x5944C3: pbx_exec (pbx_app.c:491)
==16245== Block was alloc'd at
==16245== at 0x4C2A975: calloc (vg_replace_malloc.c:711)
==16245== by 0x6115DF: _ast_calloc (utils.h:573)
==16245== by 0x52F840: ast_frdup (frame.c:333)
==16245== by 0x5D275F: ast_slinfactory_feed (slinfactory.c:128)
==16245== by 0x2D73F340: softmix_bridge_write_voice (bridge_softmix.c:652)
==16245== by 0x2D73F47B: softmix_bridge_write (bridge_softmix.c:731)
==16245== by 0x483EF5: bridge_channel_write_frame (bridge_channel.c:648)
==16245== by 0x488693: bridge_handle_trip (bridge_channel.c:2475)
==16245== by 0x488A77: bridge_channel_wait (bridge_channel.c:2611)
==16245== by 0x489220: bridge_channel_internal_join (bridge_channel.c:2757)
==16245== by 0x46EDDF: ast_bridge_join (bridge.c:1715)
==16245== by 0x20066A1F: confbridge_exec (app_confbridge.c:2448)
> Yet another crash freeing a frame that's already been freed
> -----------------------------------------------------------
>
> Key: ASTERISK-27238
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27238
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/Bridging
> Affects Versions: 14.6.0
> Environment: Centos 7
> Reporter: Richard Kenner
>
> #0 0x00007f5568c3d1d7 in raise () from /lib64/libc.so.6
> #1 0x00007f5568c3e8c8 in abort () from /lib64/libc.so.6
> #2 0x00007f5568c7cf07 in __libc_message () from /lib64/libc.so.6
> #3 0x00007f5568c84503 in _int_free () from /lib64/libc.so.6
> #4 0x0000000000523dff in __frame_free (cache=1, fr=0x7f554c00c6e0)
> at frame.c:157
> #5 ast_frame_free (frame=frame at entry=0x7f554c00c6e0, cache=cache at entry=1)
> at frame.c:171
> #6 0x00000000005f3491 in ast_translate (path=0x7f554c021330,
> f=f at entry=0x7f554c00c6e0, consume=consume at entry=1) at translate.c:626
> #7 0x00000000004c1b2d in __ast_read (chan=0x7f552801f298,
> dropaudio=dropaudio at entry=0) at channel.c:4315
> #8 0x00000000004c1ed7 in ast_read (chan=<optimized out>) at channel.c:4398
> #9 0x000000000048342f in bridge_handle_trip (bridge_channel=0x7f554c00cf98)
> at bridge_channel.c:2431
> #10 bridge_channel_wait (bridge_channel=0x7f554c00cf98)
> at bridge_channel.c:2611
> #11 bridge_channel_internal_join (
> bridge_channel=bridge_channel at entry=0x7f554c00cf98)
> at bridge_channel.c:2757
> #12 0x000000000046d47e in ast_bridge_join (bridge=0x7f553c005058,
> chan=chan at entry=0x7f552801f298, swap=swap at entry=0x0,
> features=features at entry=0x7f556739c538,
> tech_args=tech_args at entry=0x7f556739c560, flags=flags at entry=(unknown: 0))
> at bridge.c:1715
> #13 0x00007f54e83f58de in confbridge_exec (chan=0x7f552801f298,
> data=<optimized out>) at app_confbridge.c:2448
> #14 0x00000000005895a6 in pbx_exec (c=c at entry=0x7f552801f298,
> app=app at entry=0x28df9a0,
> data=data at entry=0x7f556739cb20 "206,,,default_menu") at pbx_app.c:491
> #15 0x000000000057d9f9 in pbx_extension_helper (c=c at entry=0x7f552801f298,
> context=0x7f552801fc68 "Conferences",
> exten=exten at entry=0x7f552801fcb8 "206", priority=priority at entry=5,
> label=label at entry=0x0, callerid=callerid at entry=0x7f552804d0a0 "150",
> action=action at entry=E_SPAWN, found=found at entry=0x7f556739eba0,
> combined_find_spawn=combined_find_spawn at entry=1, con=0x0) at pbx.c:2923
> #16 0x000000000057f903 in ast_spawn_extension (combined_find_spawn=1,
> found=0x7f556739eba0, callerid=0x7f552804d0a0 "150", priority=5,
> exten=0x7f552801fcb8 "206", context=<optimized out>, c=0x7f552801f298)
> at pbx.c:4154
> #17 __ast_pbx_run (c=c at entry=0x7f552801f298, args=args at entry=0x0)
> at pbx.c:4328
> #18 0x0000000000580e23 in pbx_thread (data=data at entry=0x7f552801f298)
> at pbx.c:4650
> #19 0x00000000005f917a in dummy_start (data=<optimized out>) at utils.c:1233
> #20 0x00007f5569a3fdc5 in start_thread () from /lib64/libpthread.so.0
> $2 = {frametype = AST_FRAME_VOICE, subclass = {integer = 0,
> format = 0x24bc940, frame_ending = 0}, datalen = 0, samples = 320,
> mallocd = 1, mallocd_hdr_len = 545, offset = 64,
> src = 0x7f554c00c7a8 "func_jitterbuffer interpolation", data = {ptr = 0x0,
> uint32 = 0, pad = "\000\000\000\000\000\000\000"}, delivery = {
> tv_sec = 1504146592, tv_usec = 647484}, frame_list = {
> next = 0x7f5544002de0}, flags = 0, ts = 0, len = 0, seqno = 0}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
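Added example, not part of the JIRA comment above and not Asterisk source. The traces show the frame being freed inside ast_translate() when it is called with consume=1 (translate.c:626) and then read again by ast_frdup() from the slinfactory path. The C below models only that ownership contract with hypothetical stand-ins (frame_alloc, frame_free, frame_dup, translate) and a simplified frame struct; freed frames go into a quarantine so a stale access is counted instead of being undefined behaviour, which is the role Valgrind played in the report.

```c
/* Model of the consume=1 ownership contract: the translator frees its input,
 * so the caller must continue with the returned frame only.
 * Hypothetical names; not the Asterisk API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define QUARANTINE_SLOTS 64
#define SAMPLES_PER_FRAME 160

/* Simplified frame; Asterisk's ast_frame carries far more state. */
struct frame {
    int freed;                        /* set by frame_free(), checked on every access */
    int mallocd;
    size_t samples;
    int16_t data[SAMPLES_PER_FRAME];
};

/* Freed frames are parked here instead of returned to malloc, so a stale
 * pointer is still recognisable (constructed instrumentation, not Valgrind). */
static struct frame *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_len;
static unsigned long bad_accesses;    /* reads of, or double frees on, freed frames */

struct frame *frame_alloc(size_t samples) {
    struct frame *f = calloc(1, sizeof(*f));
    if (!f || samples > SAMPLES_PER_FRAME) abort();
    f->mallocd = 1;
    f->samples = samples;
    for (size_t i = 0; i < samples; i++)
        f->data[i] = (int16_t)(i * 7);     /* constructed sample data */
    return f;
}

void frame_free(struct frame *f) {
    if (!f) return;
    if (f->freed) { bad_accesses++; return; }     /* double free attempt */
    f->freed = 1;
    memset(f->data, 0xAA, sizeof f->data);        /* poison stale contents */
    if (quarantine_len == QUARANTINE_SLOTS) abort();
    quarantine[quarantine_len++] = f;
}

int frame_is_live(const struct frame *f) { return f && !f->freed; }

/* Stand-in for ast_frdup(): copying a freed frame is the invalid read. */
struct frame *frame_dup(const struct frame *f) {
    if (!frame_is_live(f)) { bad_accesses++; return NULL; }
    struct frame *d = frame_alloc(f->samples);
    memcpy(d->data, f->data, f->samples * sizeof f->data[0]);
    return d;
}

/* Stand-in for ast_translate(): produces a new frame and, with consume=1,
 * takes ownership of and frees the input. */
struct frame *translate(struct frame *f, int consume) {
    if (!frame_is_live(f)) { bad_accesses++; return NULL; }
    struct frame *out = frame_alloc(f->samples);
    for (size_t i = 0; i < f->samples; i++)
        out->data[i] = (int16_t)(f->data[i] / 2);
    if (consume) frame_free(f);
    return out;
}

/* Buggy caller: hands f to translate(..., 1) and then still duplicates f.
 * Returns how many bad accesses that produced. */
unsigned long feed_after_consume_buggy(void) {
    unsigned long before = bad_accesses;
    struct frame *f = frame_alloc(SAMPLES_PER_FRAME);
    struct frame *t = translate(f, 1);    /* f is freed in here */
    struct frame *d = frame_dup(f);       /* use after free */
    frame_free(d);
    frame_free(t);
    return bad_accesses - before;
}

/* Fixed caller: after consume=1 the returned frame is the only live handle. */
unsigned long feed_after_consume_fixed(void) {
    unsigned long before = bad_accesses;
    struct frame *f = frame_alloc(SAMPLES_PER_FRAME);
    struct frame *t = translate(f, 1);
    f = NULL;                             /* ownership moved; never touch f again */
    struct frame *d = frame_dup(t);
    frame_free(d);
    frame_free(t);
    return bad_accesses - before;
}

int main(void) {
    printf("buggy caller: %lu bad access(es)\n", feed_after_consume_buggy());
    printf("fixed caller: %lu bad access(es)\n", feed_after_consume_fixed());
    return 0;
}
```

The quarantine is the only reason the buggy path is observable here; against the real allocator the same read returns whatever now occupies the block, which is why the original report needed Valgrind to turn an intermittent abort() in _int_free into a precise alloc/free/read history.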