<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>I would like to request help analyzing a backtrace which was
caused by a SIGSEGV while dereferencing tsx->transport, which was
NULL.<br>
</p>
<p>../src/pjsip/sip_transaction.c:1884<br>
</p>
<p>tsx->is_reliable =
PJSIP_TRANSPORT_IS_RELIABLE(tsx->transport);</p>
<p>The Asterisk version is 13.21.</p>
<p>Best Regards,</p>
<p>Silvan<br>
</p>
<p><br>
</p>
<p><u>BT</u></p>
<p>#0 0x00007ff1dfddd57c in send_msg_callback
(send_state=0x7ff228011ca0, sent=893, cont=0x7ff1d10c508c) at
../src/pjsip/sip_transaction.c:1884<br>
tsx = 0x7ff20007aae8<br>
tdata = &lt;optimized out&gt;<br>
#1 0x00007ff1dfdcab2f in stateless_send_transport_cb
(token=token@entry=0x7ff228011ca0,
tdata=tdata@entry=0x7ff228010d88, sent=893) at
../src/pjsip/sip_util.c:1134<br>
status = &lt;optimized out&gt;<br>
cont = 0<br>
cur_addr = &lt;optimized out&gt;<br>
cur_addr_len = &lt;optimized out&gt;<br>
via = &lt;optimized out&gt;<br>
stateless_data = 0x7ff228011ca0<br>
#2 0x00007ff1dfdcae99 in stateless_send_transport_cb
(token=token@entry=0x7ff228011ca0,
tdata=tdata@entry=0x7ff228010d88, sent=&lt;optimized out&gt;,
sent@entry=-70002) at ../src/pjsip/sip_util.c:1266<br>
status = &lt;optimized out&gt;<br>
cont = 1<br>
cur_addr = ...<br>
cur_addr_len = 16<br>
via = &lt;optimized out&gt;<br>
stateless_data = 0x7ff228011ca0<br>
#3 0x00007ff1dfdcaff2 in stateless_send_resolver_callback
(status=&lt;optimized out&gt;, token=0x7ff228011ca0,
addr=&lt;optimized out&gt;) at ../src/pjsip/sip_util.c:1358<br>
stateless_data = 0x7ff228011ca0<br>
tdata = 0x7ff228010d88<br>
#4 0x00007ff1dfdcdc17 in dns_a_callback
(user_data=0x7ff1c06bbd88, status=0, pkt=&lt;optimized out&gt;) at
../src/pjsip/sip_resolve.c:574<br>
query = 0x7ff1c06bbd88<br>
srv = 0x7ff1c06bbf70<br>
#5 0x00007ff1df94754e in on_read_complete (key=0x5632f3553e70,
op_key=0x7ff1c00032d8, bytes_read=262) at
../src/pjlib-util/resolver.c:1754<br>
resolver = ...<br>
pool = 0x7ff1c0001f28<br>
dns_pkt = 0x7ff1c0001fd0<br>
q = 0x7ff1c00010a0<br>
addr = "\017\000\000\000\000\000\000\000\001", '\000'
&lt;repeats 15 times&gt;,
"|\000\000\000w\000\000\000o\000\000\000j\000\000\000\214\231^\004\362\177"<br>
src_addr = ...<br>
src_addr_len = 0x7ff1c0003514<br>
rx_pkt = 0x7ff1c0002ed8 "ho\201\200"<br>
rx_pkt_size = 512<br>
status = 0<br>
pj_x_except__ = {<br>
state = {{<br>
__jmpbuf = {140676571091936, 748226197904433297,
140676285084376, 94776830800816, 94776830803688, 140676571092592,
-756154092660973423, -756177114808442735}, <br>
__mask_was_saved = 0, <br>
__saved_mask = {<br>
__val = {3414590758286940160, 8016, 124,
94776826805152, 94776826805072, 140675613982752, 140678484584408,
566935683072, 8000, 455266533376, 7, 0, 140675613988968, 8048,
18446744073709551456, 125}<br>
}<br>
}}, <br>
prev = 0x0<br>
}<br>
pj_x_code__ = &lt;optimized out&gt;<br>
#6 0x00007ff2045e73af in ioqueue_dispatch_read_event
(ioqueue=0x5632f35533b0, h=0x5632f3553e70) at
../src/pj/ioqueue_common_abs.c:605<br>
read_op = 0x7ff1c00032d8<br>
bytes_read = 262<br>
has_lock = 0<br>
rc = &lt;optimized out&gt;<br>
ioqueue = 0x5632f35533b0<br>
h = 0x5632f3553e70<br>
rc = &lt;optimized out&gt;<br>
#7 0x00007ff2045e88a3 in pj_ioqueue_poll (ioqueue=0x5632f35533b0,
timeout=timeout@entry=0x7ff1d10c5e20) at
../src/pj/ioqueue_select.c:1009<br>
rfdset = {<br>
data = {6, 1024, 0 &lt;repeats 15 times&gt;,
94776830801360, 0, 0, 20404, 113, 94776832952432, 94776830799856,
94776823271405, 94776830801472, 94776830801472, 94776830801232, 0,
0, 94776823223728, 0, 0, 0, 240, 128, 94776830802448, 3,
140678524199578, 0, 0, 94776830801360, 0, 0, 94776823223728, 0,
94776823272027, 0, 0, 0, 368, 128, 94776830801088, 3,
140678524199578, 0, 0, 94776830801232, 94776830801728, 0,
94776823223728, 0, 94776823271658, 0, 0, 0, 20405, 54113}<br>
}<br>
wfdset = {<br>
data = {0 &lt;repeats 17 times&gt;, 3, 140678524199578,
0, 0, 94776830801728, 94776830802048, 0, 94776823223728, 0,
94776830801984, 0, 0, 0, 20405, 53857, 94776830801216,
140678488087712, 0, 0, 7308324466003108904, 8307, 64, 128,
94776830802160, 1, 94776823271495, 94776830802176, 94776830802176,
94776830801728, 94776830802304, 94776830801856, 94776823223728, 0,
-15890, 0, 0, 0, 192, 128, 94776830801840, 3, 140678524199578, 0,
0, 94776830802048, 0, 0, 94776823223728, 0, 94776823272009, 0}<br>
}<br>
xfdset = {<br>
data = {0 &lt;repeats 18 times&gt;, 20405, 53409,
94776830801216, 94776830801712, 0, 0, 94776830801712, 3,
140678524199578, 0, 0, 94776830801232, 0, 94776830801728,
94776823223728, 0, 94776823271527, 0, 0, 0, 20406, 53249,
94776830789360, 94776830801216, 0, 0, 0, 94776830789376, 0,
94776830801232, 94776823223728, 0, 94776823271489, 0, 0, 0, 20407,
53121, 94776830788832, 94776830789360, 0, 0, 0, 94776830788848, 0,
94776830789376, 94776823223728, 0, 94776823271439, 0}<br>
}<br>
nfds = &lt;optimized out&gt;<br>
i = &lt;optimized out&gt;<br>
count = &lt;optimized out&gt;<br>
event_cnt = &lt;optimized out&gt;<br>
processed_cnt = 0<br>
h = &lt;optimized out&gt;<br>
event = {{<br>
key = 0x5632f3553e70, <br>
event_type = READABLE_EVENT<br>
}, {<br>
key = 0x7ff19ab8d8c0, <br>
event_type = 285628416<br>
}, {<br>
key = 0x206, <br>
event_type = 4294967295<br>
}, {<br>
key = 0x7ff19ab8d870, <br>
event_type = 4062678910<br>
}, {<br>
key = 0x206, <br>
event_type = 4062679128<br>
}, {<br>
key = 0x1, <br>
event_type = 4061178302<br>
}, {<br>
key = 0x5632f22790aa, <br>
event_type = 2595805352<br>
}, {<br>
key = 0x5632f22790aa, <br>
event_type = 4061178763<br>
}, {<br>
key = 0x0, <br>
event_type = NO_EVENT<br>
}, {<br>
key = 0x0, <br>
event_type = 660<br>
}, {<br>
key = 0x5632f2279240, <br>
event_type = 285628416<br>
}, {<br>
key = 0x91, <br>
event_type = NO_EVENT<br>
}, {<br>
key = 0x0, <br>
event_type = 285628416<br>
}, {<br>
key = 0x206, <br>
event_type = 285628416<br>
}, {<br>
key = 0x7ff198bcf7e0, <br>
event_type = 285628416<br>
}, {<br>
key = 0x7ff140ae8008, <br>
event_type = 4294967295<br>
}}<br>
#8 0x00007ff1dfdc9da8 in pjsip_endpt_handle_events2
(endpt=0x5632f336b398,
max_timeout=max_timeout@entry=0x7ff1d10c5e70,
p_count=p_count@entry=0x0) at ../src/pjsip/sip_endpoint.c:744<br>
timeout = {<br>
sec = 0, <br>
msec = 10<br>
}<br>
count = 2<br>
net_event_count = 0<br>
c = &lt;optimized out&gt;<br>
#9 0x00007ff1dfdc9e47 in pjsip_endpt_handle_events
(endpt=&lt;optimized out&gt;,
max_timeout=max_timeout@entry=0x7ff1d10c5e70) at
../src/pjsip/sip_endpoint.c:776<br>
#10 0x00007ff2043a0e08 in monitor_thread_exec (endpt=&lt;optimized
out&gt;) at res_pjsip.c:4394<br>
delay = {<br>
sec = 0, <br>
msec = 10<br>
}<br>
#11 0x00007ff2045e9c40 in thread_main (param=0x5632f3042268) at
../src/pj/os_core_unix.c:541<br>
rec = 0x5632f3042268<br>
result = &lt;optimized out&gt;<br>
#12 0x00007ff243cf26db in start_thread (arg=0x7ff1d10c6700) at
pthread_create.c:463<br>
pd = 0x7ff1d10c6700<br>
now = &lt;optimized out&gt;<br>
unwind_buf = {<br>
cancel_jmp_buf = {{<br>
jmp_buf = {140676571096832, 748226197904433297,
140676571094912, 0, 94776825487976, 140723842785296,
-756154092312846191, -754708779702411119}, <br>
mask_was_saved = 0<br>
}}, <br>
priv = {<br>
pad = {0x0, 0x0, 0x0, 0x0}, <br>
data = {<br>
prev = 0x0, <br>
cleanup = 0x0, <br>
canceltype = 0<br>
}<br>
}<br>
}<br>
not_first_call = &lt;optimized out&gt;<br>
#13 0x00007ff24322b88f in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95</p>
<p><br>
</p>
<p><br>
</p>
<p>Also, there is a strange data structure visible which appears to have
overwritten parts of internal data structures, starting at<br>
<br>
57b:2bd8│ 0x5632f35532c8 ◂— 0xfffc001efffc001f<br>
57c:2be0│ 0x5632f35532d0 ◂— 0xfffc001cfffc001d<br>
57d:2be8│ 0x5632f35532d8 ◂— 0xfffc001afffc001b<br>
57e:2bf0│ 0x5632f35532e0 ◂— 0xfffc0018fffc0019<br>
57f:2bf8│ 0x5632f35532e8 ◂— 0xfffc0016fffc0017<br>
580:2c00│ 0x5632f35532f0 ◂— 0xfffc0014fffc0015<br>
581:2c08│ 0x5632f35532f8 ◂— 0xfffc0012fffc0013<br>
582:2c10│ 0x5632f3553300 ◂— 0xfffc0010fffc0011<br>
583:2c18│ 0x5632f3553308 ◂— 0xfffc000efffc000f<br>
584:2c20│ 0x5632f3553310 ◂— 0xfffc000cfffc000d /* '\r' */<br>
585:2c28│ 0x5632f3553318 ◂— 0xfffc000afffc000b /* '\x0b' */<br>
586:2c30│ 0x5632f3553320 ◂— 0xfffc0008fffc0009 /* '\t' */<br>
587:2c38│ 0x5632f3553328 ◂— 0xfffc0006fffc0007<br>
588:2c40│ 0x5632f3553330 ◂— 0xfffc0004fffc0005<br>
589:2c48│ 0x5632f3553338 ◂— 0xfffc0002fffc0003<br>
58a:2c50│ 0x5632f3553340 —▸ 0x5632f3553368 ◂— 0x0<br>
58b:2c58│ 0x5632f3553348 —▸ 0x7ff2045e9960 (pj_mutex_lock) ◂—
push rbp<br>
58c:2c60│ 0x5632f3553350 —▸ 0x7ff2045e9de0 (pj_mutex_trylock)
◂— push rbp<br>
58d:2c68│ 0x5632f3553358 —▸ 0x7ff2045e9ba0 (pj_mutex_unlock)
◂— test rdi, rdi<br>
58e:2c70│ 0x5632f3553360 —▸ 0x7ff2045e9eb0 (pj_mutex_destroy)
◂— test rdi, rdi</p>
<p><br>
</p>
<p>and continuing upwards in this pattern, overwriting areas of ioqueue.active_list
in frame 7 and possibly more. The two 32-bit halves of each word decrease by one
per step (0xfffc001f, 0xfffc001e, ... down to 0xfffc0002), as if consecutive
values were being written; it looks like, and reminds me of, badly broken
pointer arithmetic.</p>
<p>(It is possible that the variable's value started at some
higher value and decreased down to this fragment.)<br>
</p>
<p>...</p>
<p>...</p>
<p>...<br>
</p>
<p> write_list = {<br>
prev = 0x5632f3553170, <br>
next = 0x5632f2e195b0, <br>
op = PJ_IOQUEUE_OP_NONE, <br>
buf = 0x5632f2e25067 "", <br>
size = 0, <br>
written = 0, <br>
flags = 0, <br>
rmt_addr = {<br>
sin_family = 0, <br>
sin_port = 0, <br>
sin_addr = {<br>
s_addr = 20403<br>
}, <br>
sin_zero = "\000\000\000\000\321\325\000"<br>
}, <br>
rmt_addrlen = 0<br>
}, <br>
accept_list = {<br>
prev = 0x5632f35506f0, <br>
next = 0x5632f3552f70, <br>
op = PJ_IOQUEUE_OP_NONE, <br>
accept_fd = 0x0, <br>
local_addr = 0x0, <br>
rmt_addr = 0x5632f3550700, <br>
addrlen = 0x5632f3553550<br>
}, <br>
ref_count = 4082446208, <br>
closing = 22066, <br>
free_time = {<br>
sec = 94776823223728, <br>
msec = 0<br>
}<br>
}<br>
</p>
</body>
</html>