[asterisk-bugs] [JIRA] (ASTERISK-28456) Asterisk crashed and core dumps when attempting to free a frame

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Jun 20 05:38:47 CDT 2019


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=247446#comment-247446 ] 

Asterisk Team commented on ASTERISK-28456:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

> Asterisk crashed and core dumps when attempting to free a frame
> ---------------------------------------------------------------
>
>                 Key: ASTERISK-28456
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28456
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/Bridging
>    Affects Versions: 15.7.2
>         Environment: Linux mb-au-syd-ha2 2.6.32-754.14.2.el6.x86_64 #1 SMP Tue May 14 19:35:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> Asterisk 15.7.2 built by root @ xxxxxxx on a x86_64 running Linux on 2019-06-20 02:21:07 UTC
>            Reporter: Vilius Adamkavicius
>
> Each crash seems to correspond to a hangup message received; the majority of hangup causes seem to be 17 and 21
> [Jun 20 13:20:03] VERBOSE[18101][C-00000af6] sig_pri.c: Span 6: Channel 0/13 got hangup request, cause 21
> [Jun 20 13:20:09] Asterisk 15.7.2 built by root @ mb-au-syd-ha2 on a x86_64 running Linux on 2019-06-20 02:21:07 UTC
> [Jun 20 14:16:15] VERBOSE[16330][C-00000658] sig_pri.c: Span 1: Channel 0/14 got hangup request, cause 17
> [Jun 20 14:16:50] VERBOSE[23152][C-00000008] sig_pri.c: Span 1: Channel 0/18 got hangup request, cause 17
> [Jun 20 15:04:25] VERBOSE[23669][C-000018e2] sig_pri.c: Span 3: Channel 0/1 got hangup request, cause 21
> etc.
> All core dumps seem to be consistent.
> (gdb) bt
> #0  0x0000003d294324f5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #1  0x0000003d29433cd5 in abort () at abort.c:92
> #2  0x0000003d29470417 in __libc_message (do_abort=2, fmt=0x3d29558c00 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
> #3  0x0000003d29475e5e in malloc_printerr (action=3, str=0x3d29558f70 "double free or corruption (out)", ptr=<value optimized out>, ar_ptr=<value optimized out>) at malloc.c:6360
> #4  0x0000003d29478cf0 in _int_free (av=0x3d2978e120, p=0x7f14880414f0, have_lock=0) at malloc.c:4846
> #5  0x000000000053441c in __frame_free (fr=0x7f1488041500, cache=1) at frame.c:160
> #6  0x000000000053445c in ast_frame_free (frame=0x7f1488041500, cache=1) at frame.c:173
> #7  0x00000000004878a7 in bridge_frame_free (frame=0x7f1488041500) at bridge_channel.c:1026
> #8  0x000000000048c12d in bridge_handle_trip (bridge_channel=0x7f144c01bca0) at bridge_channel.c:2628
> #9  0x000000000048c59c in bridge_channel_wait (bridge_channel=0x7f144c01bca0) at bridge_channel.c:2763
> #10 0x000000000048cd94 in bridge_channel_internal_join (bridge_channel=0x7f144c01bca0) at bridge_channel.c:2914
> #11 0x0000000000470b21 in ast_bridge_join (bridge=0x7f144c04b010, chan=0x7f144800fd60, swap=0x0, features=0x7f1410bd9130, tech_args=0x7f1410bd9158, flags=0) at bridge.c:1729
> #12 0x00007f1425565d1c in confbridge_exec (chan=0x7f144800fd60, data=0x7f1410bd9380 "3018,invadeconf_bridge,invadeconf_userq") at app_confbridge.c:2577
> #13 0x00000000005a15eb in pbx_exec (c=0x7f144800fd60, app=0x2700260, data=0x7f1410bd9380 "3018,invadeconf_bridge,invadeconf_userq") at pbx_app.c:492
> #14 0x000000000058c143 in pbx_extension_helper (c=0x7f144800fd60, con=0x0, context=0x7f1448010720 "InVADEDialler", exten=0x7f1448010770 "3018", priority=2, label=0x0, callerid=0x7f1448022880 "0293044380",
>     action=E_SPAWN, found=0x7f1410bdba60, combined_find_spawn=1) at pbx.c:2926
> #15 0x00000000005900dd in ast_spawn_extension (c=0x7f144800fd60, context=0x7f1448010720 "InVADEDialler", exten=0x7f1448010770 "3018", priority=2, callerid=0x7f1448022880 "0293044380", found=0x7f1410bdba60,
>     combined_find_spawn=1) at pbx.c:4157
> #16 0x0000000000590eb5 in __ast_pbx_run (c=0x7f144800fd60, args=0x0) at pbx.c:4331
> #17 0x0000000000592aa0 in ast_pbx_run_args (c=0x7f144800fd60, args=0x0) at pbx.c:4701
> #18 0x0000000000592aca in ast_pbx_run (c=0x7f144800fd60) at pbx.c:4710
> #19 0x000000000059b35c in pbx_outgoing_exec (data=0x7f1448001af0) at pbx.c:7612
> #20 0x0000000000626eb7 in dummy_start (data=0x7f1448031190) at utils.c:1258
> #21 0x0000003d29807aa1 in start_thread (arg=0x7f1410bdc700) at pthread_create.c:301
> #22 0x0000003d294e8c4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
> (gdb) bt
> #0  0x0000003d294324f5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #1  0x0000003d29433cd5 in abort () at abort.c:92
> #2  0x0000003d29470417 in __libc_message (do_abort=2, fmt=0x3d29558c00 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
> #3  0x0000003d29475e5e in malloc_printerr (action=3, str=0x3d29558f70 "double free or corruption (out)", ptr=<value optimized out>, ar_ptr=<value optimized out>) at malloc.c:6360
> #4  0x0000003d29478cf0 in _int_free (av=0x3d2978e120, p=0x7fe32c007910, have_lock=0) at malloc.c:4846
> #5  0x000000000053441c in __frame_free (fr=0x7fe32c007920, cache=1) at frame.c:160
> #6  0x000000000053445c in ast_frame_free (frame=0x7fe32c007920, cache=1) at frame.c:173
> #7  0x00000000004878a7 in bridge_frame_free (frame=0x7fe32c007920) at bridge_channel.c:1026
> #8  0x000000000048c12d in bridge_handle_trip (bridge_channel=0x7fe344087a20) at bridge_channel.c:2628
> #9  0x000000000048c59c in bridge_channel_wait (bridge_channel=0x7fe344087a20) at bridge_channel.c:2763
> #10 0x000000000048cd94 in bridge_channel_internal_join (bridge_channel=0x7fe344087a20) at bridge_channel.c:2914
> #11 0x0000000000470b21 in ast_bridge_join (bridge=0x7fe3440061b0, chan=0x7fe348047490, swap=0x0, features=0x7fe2f7f9a130, tech_args=0x7fe2f7f9a158, flags=0) at bridge.c:1729
> #12 0x00007fe30c546d1c in confbridge_exec (chan=0x7fe348047490, data=0x7fe2f7f9a380 "3027,invadeconf_bridge,invadeconf_userq") at app_confbridge.c:2577
> #13 0x00000000005a15eb in pbx_exec (c=0x7fe348047490, app=0x3adb420, data=0x7fe2f7f9a380 "3027,invadeconf_bridge,invadeconf_userq") at pbx_app.c:492
> #14 0x000000000058c143 in pbx_extension_helper (c=0x7fe348047490, con=0x0, context=0x7fe348047e50 "InVADEDialler", exten=0x7fe348047ea0 "3027", priority=2, label=0x0, callerid=0x7fe348001fc0 "0293044380",
>     action=E_SPAWN, found=0x7fe2f7f9ca60, combined_find_spawn=1) at pbx.c:2926
> #15 0x00000000005900dd in ast_spawn_extension (c=0x7fe348047490, context=0x7fe348047e50 "InVADEDialler", exten=0x7fe348047ea0 "3027", priority=2, callerid=0x7fe348001fc0 "0293044380", found=0x7fe2f7f9ca60,
>     combined_find_spawn=1) at pbx.c:4157
> #16 0x0000000000590eb5 in __ast_pbx_run (c=0x7fe348047490, args=0x0) at pbx.c:4331
> #17 0x0000000000592aa0 in ast_pbx_run_args (c=0x7fe348047490, args=0x0) at pbx.c:4701
> #18 0x0000000000592aca in ast_pbx_run (c=0x7fe348047490) at pbx.c:4710
> #19 0x000000000059b35c in pbx_outgoing_exec (data=0x7fe348050700) at pbx.c:7612
> #20 0x0000000000626eb7 in dummy_start (data=0x7fe34802a440) at utils.c:1258
> #21 0x0000003d29807aa1 in start_thread (arg=0x7fe2f7f9d700) at pthread_create.c:301
> #22 0x0000003d294e8c4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
> (gdb) bt
> #0  0x0000003d294324f5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #1  0x0000003d29433cd5 in abort () at abort.c:92
> #2  0x0000003d29470417 in __libc_message (do_abort=2, fmt=0x3d29558c00 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
> #3  0x0000003d29475e5e in malloc_printerr (action=3, str=0x3d29558f70 "double free or corruption (out)", ptr=<value optimized out>, ar_ptr=<value optimized out>) at malloc.c:6360
> #4  0x0000003d29478cf0 in _int_free (av=0x3d2978e120, p=0x7febfc02afb0, have_lock=0) at malloc.c:4846
> #5  0x000000000053441c in __frame_free (fr=0x7febfc02afc0, cache=1) at frame.c:160
> #6  0x000000000053445c in ast_frame_free (frame=0x7febfc02afc0, cache=1) at frame.c:173
> #7  0x00000000004878a7 in bridge_frame_free (frame=0x7febfc02afc0) at bridge_channel.c:1026
> #8  0x000000000048c12d in bridge_handle_trip (bridge_channel=0x7fec480126a0) at bridge_channel.c:2628
> #9  0x000000000048c59c in bridge_channel_wait (bridge_channel=0x7fec480126a0) at bridge_channel.c:2763
> #10 0x000000000048cd94 in bridge_channel_internal_join (bridge_channel=0x7fec480126a0) at bridge_channel.c:2914
> #11 0x0000000000470b21 in ast_bridge_join (bridge=0x7fec54006580, chan=0x7fec4c031240, swap=0x0, features=0x7febcee86130, tech_args=0x7febcee86158, flags=0) at bridge.c:1729
> #12 0x00007febe298ad1c in confbridge_exec (chan=0x7fec4c031240, data=0x7febcee86380 "3000,invadeconf_bridge,invadeconf_userq") at app_confbridge.c:2577
> #13 0x00000000005a15eb in pbx_exec (c=0x7fec4c031240, app=0x31bc6c0, data=0x7febcee86380 "3000,invadeconf_bridge,invadeconf_userq") at pbx_app.c:492
> #14 0x000000000058c143 in pbx_extension_helper (c=0x7fec4c031240, con=0x0, context=0x7fec4c031c00 "InVADEDialler", exten=0x7fec4c031c50 "3000", priority=2, label=0x0, callerid=0x7fec4c030fc0 "0293044380",
>     action=E_SPAWN, found=0x7febcee88a60, combined_find_spawn=1) at pbx.c:2926
> #15 0x00000000005900dd in ast_spawn_extension (c=0x7fec4c031240, context=0x7fec4c031c00 "InVADEDialler", exten=0x7fec4c031c50 "3000", priority=2, callerid=0x7fec4c030fc0 "0293044380", found=0x7febcee88a60,
>     combined_find_spawn=1) at pbx.c:4157
> #16 0x0000000000590eb5 in __ast_pbx_run (c=0x7fec4c031240, args=0x0) at pbx.c:4331
> #17 0x0000000000592aa0 in ast_pbx_run_args (c=0x7fec4c031240, args=0x0) at pbx.c:4701
> #18 0x0000000000592aca in ast_pbx_run (c=0x7fec4c031240) at pbx.c:4710
> #19 0x000000000059b35c in pbx_outgoing_exec (data=0x7fec4c006c50) at pbx.c:7612
> #20 0x0000000000626eb7 in dummy_start (data=0x7fec4c011fc0) at utils.c:1258
> #21 0x0000003d29807aa1 in start_thread (arg=0x7febcee89700) at pthread_create.c:301
> #22 0x0000003d294e8c4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115



--
This message was sent by Atlassian JIRA
(v6.2#6252)


