[asterisk-dev] 1.6.1.10-rc1 crash on a VOLUME() func

Kaloyan Kovachev kkovachev at varna.net
Mon Nov 9 04:40:36 CST 2009


On Sun, 8 Nov 2009 14:50:29 +0100, Pavel Troller wrote
> Hi!
> 
> > On Sun, 8 Nov 2009 14:33:06 +0200, Kaloyan Kovachev wrote
> > > On Sat, 7 Nov 2009 10:40:13 +0100, Pavel Troller wrote
> > > > Hi!
> > > >   I just upgraded to 1.6.1.10-rc1 and it started to crash occasionally. By
> > > > test-calling, I found that just one dialplan extension is causing the crash,
> > > > which contained a Set(VOLUME(TX)=2) command.
> > > >   The crash is detected as:
> > > > *** glibc detected *** /opt/asterisk/sbin/asterisk: double free or
> > > > corruption (!prev): 0x092e7bc0 ***
> > > >   but it seems that it doesn't appear directly in the code of the function
> > > > mentioned; it looks that it just corrupts (or frees) some structure in memory,
> > > > which then causes a subsequent crash at another place. Because func_volume.c
> > > > code didn't change since I'm tracking the sources (from 1.6.1.0), it looks that
> > > > some other change made the VOLUME() function incompatible with the current
> > > > code, or some hidden bug present in the code for a longer time has been
> > > > activated. I was trying to find a cause in the patch text, but I failed.
> > > >   I just know that
> > > >   1) In 1.6.1.7-rc2 it was working perfectly
> > > >   2) In 1.6.10.1-rc1, removing the above command prevents the crashes.
> > > > 
> > > >   Any help would be appreciated; I'm ready to experiment with possible patches.
> > > >
> > > 
> > > It is probably not the patch you are looking for, but there is one 'ready for
> > > review' at https://issues.asterisk.org/view.php?id=14621 which is a rewrite of
> > > function volume ... it may or may not fix your crash ... in case there are
> > > some changes in the audiohooks code - the crash might be because they were not
> > > made to the function's own audiohook implementation
> > >
> 
> I've imported the patch onto my sources, recompiled, but the crash is still
> there.
> 
> > 
> > the audiohooks code was changed in
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=224858 
> > I guess at line 648:
> >  if (audiohook->manipulate_callback(audiohook, chan, middle_frame, direction)) {
> > 
> > should be:
> > if (audiohook->manipulate_callback(audiohook, chan, middle_frame, direction)
> > && middle_frame) {
> 
> Also entered this change, and, as in the previous case, the crash is still there.

Wrong code path for this change, sorry.

> I will debug the problem more, but I need to clarify something regarding Asterisk
> build system. It's for a separate mail, I'm going to write it just now :-).
> 

Looking a bit more at the code ...

    /* Feed in frame to manipulation */
    if (audiohook->manipulate_callback(audiohook, chan, middle_frame, direction)) {
        ast_frfree(middle_frame);
        middle_frame = NULL;
    }

so if there is more than one manipulate audiohook and the first one fails
(returns nonzero), the middle_frame is set to NULL, but then in
volume_callback we have:

    if (frame->frametype == AST_FRAME_DTMF) {

could this be the reason for the crash (or a separate issue)? If so, then a few
lines before this check there should be:

    if (audiohook->status == AST_AUDIOHOOK_STATUS_DONE || !frame)
        return 0;

or in audiohooks code the middle frame should not be freed instead, but there
should be (another) temporary frame which is used to replace middle_frame only
on success?

> With regards, Pavel
> 




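Added illustration of the failure mode discussed in this thread, not code from the mail or from Asterisk: it models the quoted audiohook loop (a failing hook frees middle_frame and NULLs it, later hooks still get the NULL) next to the two remedies Kaloyan suggests, the `!frame` guard in the volume callback and a temporary frame that replaces middle_frame only on success. The `frame`/`audiohook` structs, `failing_callback` and the hook names are constructed stand-ins for the real ast_frame/ast_audiohook types.

```c
#include <stdlib.h>
/* Constructed stand-ins for ast_frame / ast_audiohook, not the real Asterisk structures. */
enum { FRAME_VOICE = 1, FRAME_DTMF = 2 };
struct frame { int frametype; int gain; };
struct audiohook {
    int (*manipulate_callback)(struct audiohook *, struct frame *);
    int done;      /* stands in for status == AST_AUDIOHOOK_STATUS_DONE */
    int saw_null;  /* records that this hook was handed a NULL frame */
};
/* A manipulate hook that fails: its nonzero return makes the quoted loop free the frame. */
static int failing_callback(struct audiohook *h, struct frame *f) { (void)h; (void)f; return -1; }

/* volume_callback with the guard proposed in the mail: return before touching frame->frametype. */
static int volume_callback_guarded(struct audiohook *h, struct frame *f) {
    if (h->done || !f) { h->saw_null = (f == NULL); return 0; }
    if (f->frametype == FRAME_DTMF) return 0;
    f->gain += 2;  /* stand-in for applying VOLUME(TX)=2 */
    return 0;
}
/* Loop shape quoted from audiohook.c: a failure frees middle_frame and NULLs it, yet every
 * later hook is still called with that NULL. Returns the frame that survives the chain. */
static struct frame *feed_free_on_failure(struct audiohook **hooks, size_t n, struct frame *mf) {
    for (size_t i = 0; i < n; i++)
        if (hooks[i]->manipulate_callback(hooks[i], mf)) { free(mf); mf = NULL; }
    return mf;
}

/* The alternative the mail sketches: each hook works on a temporary copy, and middle_frame is
 * replaced only when the hook succeeds, so later hooks always receive a valid frame. */
static struct frame *feed_replace_on_success(struct audiohook **hooks, size_t n, struct frame *mf) {
    for (size_t i = 0; i < n; i++) {
        struct frame *tmp = malloc(sizeof *tmp);
        if (!tmp) return mf;
        *tmp = *mf;
        if (hooks[i]->manipulate_callback(hooks[i], tmp)) free(tmp);
        else { free(mf); mf = tmp; }
    }
    return mf;
}

/* Run a failing hook followed by the volume hook through the loop selected by use_tmp.
 * Returns 1 when the volume hook was handed NULL, 0 when it only ever saw a real frame. */
int volume_hook_saw_null(int use_tmp) {
    struct audiohook fail = { failing_callback, 0, 0 }, vol = { volume_callback_guarded, 0, 0 };
    struct audiohook *chain[] = { &fail, &vol };
    struct frame *f = calloc(1, sizeof *f);
    if (!f) return -1;
    f->frametype = FRAME_VOICE;
    free(use_tmp ? feed_replace_on_success(chain, 2, f) : feed_free_on_failure(chain, 2, f));
    return vol.saw_null;
}
```

With the quoted loop, the guard is what keeps the second hook from dereferencing NULL; with the replace-on-success loop, the volume hook never sees a NULL frame at all.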