[asterisk-bugs] [JIRA] (ASTERISK-26675) PJSIP Segmentation Fault grp_lock_acquire

Joshua Colp (JIRA) noreply at issues.asterisk.org
Fri Feb 3 10:20:10 CST 2017 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-26675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Colp updated ASTERISK-26675:
-----------------------------------

    Assignee: Richard Mudgett  (was: Joshua Colp)

> PJSIP Segmentation Fault grp_lock_acquire
> -----------------------------------------
>
>                 Key: ASTERISK-26675
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26675
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_pjsip
>    Affects Versions: GIT
>         Environment: Fedora 23, PJSIP SVN 2.5.5 (Commit 5503)
>            Reporter: Ross Beer
>            Assignee: Richard Mudgett
>         Attachments: pjproject-svn-tsx_timer_callback.patch
>
>
> Asterisk 13 GIT segfaults when trying to obtain a group lock when accessing a SIP Transaction:
> {noformat}
> #0  0x00007fe560cd97a8 in grp_lock_acquire (p=0x7fe574848758) at ../src/pj/lock.c:290
>         glock = 0x7fe574848758
>         lck = 0x0
> #1  0x00007fe560cd97f2 in pj_grp_lock_acquire (grp_lock=<optimized out>) at ../src/pj/lock.c:478
> #2  0x00007fe56cd45509 in tsx_timer_callback (theap=<optimized out>, entry=0x7fe57593a1b8) at ../src/pjsip/sip_transaction.c:1170
>         event = {prev = 0x0, next = 0x7fe560cd57e7 <pj_elapsed_time+71>, type = PJSIP_EVENT_TIMER, body = {timer = {entry = 0x7fe57593a1b8}, tsx_state = {src = {rdata = 0x7fe57593a1b8, tdata = 0x7fe57593a1b8, timer = 0x7fe57593a1b8, status = 1972609464, data = 0x7fe57593a1b8}, tsx = 0x2e1bcb0, prev_state = 1624070230, type = 32741}, tx_msg = {tdata = 0x7fe57593a1b8}, tx_error = {tdata = 0x7fe57593a1b8, tsx = 0x2e1bcb0}, rx_msg = {rdata = 0x7fe57593a1b8}, user = {user1 = 0x7fe57593a1b8, user2 = 0x2e1bcb0, user3 = 0x7fe560cd5856 <pj_gettickcount+54>, user4 = 0x7fe57593a1b8}}}
>         tsx = 0x7fe57593a038
> #3  0x00007fe560ce3b1f in pj_timer_heap_poll (ht=0x2e1bcb0, next_delay=next_delay at entry=0x7fe55a8c4d70) at ../src/pj/timer.c:643
>         node = 0x7fe57593a1b8
>         grp_lock = 0x0
>         now = {sec = 4625280, msec = 350}
>         count = 1
> #4  0x00007fe56cd342bb in pjsip_endpt_handle_events2 (endpt=0x2e1b9c8, max_timeout=max_timeout at entry=0x7fe55a8c4db0, p_count=p_count at entry=0x0) at ../src/pjsip/sip_endpoint.c:713
>         timeout = {sec = 0, msec = 0}
>         count = 0
>         net_event_count = 0
>         c = <optimized out>
> #5  0x00007fe56cd34387 in pjsip_endpt_handle_events (endpt=<optimized out>, max_timeout=max_timeout at entry=0x7fe55a8c4db0) at ../src/pjsip/sip_endpoint.c:770
> #6  0x00007fe55ec12d18 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4029
>         delay = {sec = 0, msec = 10}
> #7  0x00007fe560cd4196 in thread_main (param=0x2e237a8) at ../src/pj/os_core_unix.c:541
>         rec = 0x2e237a8
>         result = <optimized out>
> #8  0x00007fe5eeeb061a in start_thread (arg=0x7fe55a8c5700) at pthread_create.c:334
>         __res = <optimized out>
>         pd = 0x7fe55a8c5700
>         now = <optimized out>
>         unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140623043385088, 2214477618423267645, 140725615033839, 140623043385088, 8388608, 0, -2201747081483517635, -2202055161909214915}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
>         not_first_call = <optimized out>
>         pagesize_m1 = <optimized out>
>         sp = <optimized out>
>         freesize = <optimized out>
> #9  0x00007fe5ee1ec5fd in clone () at /lib64/libc.so.6
> {noformat}
> The thread running at the time was :
> {noformat}
> Thread 1 (Thread 0x7fe55a8c5700 (LWP 26817)):
> #0  0x00007fe560cd97a8 in grp_lock_acquire (p=0x7fe574848758) at ../src/pj/lock.c:290
> #1  0x00007fe560cd97f2 in pj_grp_lock_acquire (grp_lock=<optimized out>) at ../src/pj/lock.c:478
> #2  0x00007fe56cd45509 in tsx_timer_callback (theap=<optimized out>, entry=0x7fe57593a1b8) at ../src/pjsip/sip_transaction.c:1170
> #3  0x00007fe560ce3b1f in pj_timer_heap_poll (ht=0x2e1bcb0, next_delay=next_delay at entry=0x7fe55a8c4d70) at ../src/pj/timer.c:643
> #4  0x00007fe56cd342bb in pjsip_endpt_handle_events2 (endpt=0x2e1b9c8, max_timeout=max_timeout at entry=0x7fe55a8c4db0, p_count=p_count at entry=0x0) at ../src/pjsip/sip_endpoint.c:713
> #5  0x00007fe56cd34387 in pjsip_endpt_handle_events (endpt=<optimized out>, max_timeout=max_timeout at entry=0x7fe55a8c4db0) at ../src/pjsip/sip_endpoint.c:770
> #6  0x00007fe55ec12d18 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4029
> #7  0x00007fe560cd4196 in thread_main (param=0x2e237a8) at ../src/pj/os_core_unix.c:541
> #8  0x00007fe5eeeb061a in start_thread (arg=0x7fe55a8c5700) at pthread_create.c:334
> #9  0x00007fe5ee1ec5fd in clone () at /lib64/libc.so.6
> {noformat}
> Another segfault happened:
> {noformat}
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `/usr/sbin/asterisk -f -vvvg -c'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x00007fdb45d69417 in copy_node (ht=0x142b0e0, ht=0x142b0e0, moved_node=0x7fdb506cb730, slot=0) at ../src/pj/timer.c:136
> 136         ht->timer_ids[moved_node->_timer_id] = (int)slot;
> [Current thread is 1 (Thread 0x7fdaecd08700 (LWP 29086))]
> #0  0x00007fdb45d69417 in remove_node (ht=0x142b0e0, ht=0x142b0e0, moved_node=0x7fdb506cb730, slot=0) at ../src/pj/timer.c:136
>         parent = <optimized out>
>         moved_node = 0x7fdb506cb730
>         removed_node = 0x7fdb20247030
> #1  0x00007fdb45d69417 in remove_node (ht=ht at entry=0x142b0e0, slot=slot at entry=0) at ../src/pj/timer.c:244
>         parent = <optimized out>
>         moved_node = 0x7fdb506cb730
>         removed_node = 0x7fdb20247030
> #2  0x00007fdb45d69af1 in pj_timer_heap_poll (ht=0x142b0e0, next_delay=next_delay at entry=0x7fdaecd07d70) at ../src/pj/timer.c:630
>         node = <optimized out>
>         grp_lock = <optimized out>
>         now = {sec = 4458703, msec = 334}
>         count = 8
> #3  0x00007fdb472742bb in pjsip_endpt_handle_events2 (endpt=0x142adf8, max_timeout=max_timeout at entry=0x7fdaecd07db0, p_count=p_count at entry=0x0) at ../src/pjsip/sip_endpoint.c:713
>         timeout = {sec = 0, msec = 0}
>         count = 0
>         net_event_count = 0
>         c = <optimized out>
> #4  0x00007fdb47274387 in pjsip_endpt_handle_events (endpt=<optimized out>, max_timeout=max_timeout at entry=0x7fdaecd07db0) at ../src/pjsip/sip_endpoint.c:770
> #5  0x00007fdb440aecc8 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4007
>         delay = {sec = 0, msec = 10}
> #6  0x00007fdb45d5a196 in thread_main (param=0x1433b88) at ../src/pj/os_core_unix.c:541
>         rec = 0x1433b88
>         result = <optimized out>
> #7  0x00007fdb813fa61a in start_thread (arg=0x7fdaecd08700) at pthread_create.c:334
>         __res = <optimized out>
>         pd = 0x7fdaecd08700
>         now = <optimized out>
>         unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140578252687104, -1527102281778558953, 140726077707343, 140578252687104, 8388608, 0, 1547968542935517207, 1547451494643304471}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
>         not_first_call = <optimized out>
>         pagesize_m1 = <optimized out>
>         sp = <optimized out>
>         freesize = <optimized out>
> #8  0x00007fdb807365fd in clone () at /lib64/libc.so.6
> {noformat}
> While running thread:
> {noformat}
> Thread 1 (Thread 0x7fdaecd08700 (LWP 29086)):
> #0  0x00007fdb45d69417 in remove_node (ht=0x142b0e0, ht=0x142b0e0, moved_node=0x7fdb506cb730, slot=0) at ../src/pj/timer.c:136
> #1  0x00007fdb45d69417 in remove_node (ht=ht at entry=0x142b0e0, slot=slot at entry=0) at ../src/pj/timer.c:244
> #2  0x00007fdb45d69af1 in pj_timer_heap_poll (ht=0x142b0e0, next_delay=next_delay at entry=0x7fdaecd07d70) at ../src/pj/timer.c:630
> #3  0x00007fdb472742bb in pjsip_endpt_handle_events2 (endpt=0x142adf8, max_timeout=max_timeout at entry=0x7fdaecd07db0, p_count=p_count at entry=0x0) at ../src/pjsip/sip_endpoint.c:713
> #4  0x00007fdb47274387 in pjsip_endpt_handle_events (endpt=<optimized out>, max_timeout=max_timeout at entry=0x7fdaecd07db0) at ../src/pjsip/sip_endpoint.c:770
> #5  0x00007fdb440aecc8 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4007
> #6  0x00007fdb45d5a196 in thread_main (param=0x1433b88) at ../src/pj/os_core_unix.c:541
> #7  0x00007fdb813fa61a in start_thread (arg=0x7fdaecd08700) at pthread_create.c:334
> #8  0x00007fdb807365fd in clone () at /lib64/libc.so.6
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list