Summary: ASTERISK-16138: [patch] Memory corruption from iksemel
Reporter: jmls (jmls)
Labels:
Date Opened: 2010-05-24 13:04:07
Date Closed: 2010-10-05 15:24:39
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Resources/res_jabber
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) 20100525__issue17387.diff.txt
( 1) 20100726__issue17387.diff.txt
( 2) btfull.txt
( 3) crash.txt
( 4) valgrind2.txt
Description: asterisk segfaulted. from valgrind, looks like iksemel was involved.

Comments:

By: David Woolley (davidw) 2010-05-25 06:13:12

I suspect it will help if you print the values of the parameters to curl_easy_perform, from frame 8, including the result of at least a single indirection on any pointers.

Could you also confirm that this is a seg-fault, rather than, say an abort.  free() normally fails by issuing abort(), then again, you normally see the abort() call on the stack.  (A lot of people call all core dumps seg-faults!)

Also have a look at doc/valgrind.txt.  As this is memory management related, you may be asked to follow that procedure.

By: jmls (jmls) 2010-05-25 13:31:01

I'm currently trying to run valgrind, will let you know. I'm getting many crashes in all different areas at the moment, so valgrind may be my only hope ;)

By: jmls (jmls) 2010-05-25 14:00:09

Tried to run valgrind; it made the system completely unusable. However, I managed to get a valgrind output, and it was full of errors "Warning: invalid file descriptor"

I have removed these, and uploaded the rest

By: jmls (jmls) 2010-06-12 01:20:41

we've had several crashes recently - none of them seem associated with curl however. Maybe curl was a red herring in this instance.

I've attached another file which shows the bt from two different crashes 10 days apart - and they seem almost identical.

By: Tilghman Lesher (tilghman) 2010-06-12 10:38:29

That is again memory corruption, and you will need to replicate this under valgrind.  That does not speak to whether or not iksemel is at fault, since you aren't running with the patch.

By: jmls (jmls) 2010-06-12 12:34:22

a little unfair - I can't run with the patch because the patch makes the system utterly non-responsive on the first jabber call ... ;)

By: jmls (jmls) 2010-06-14 12:26:42

if you apply the attached patch, jabber becomes unresponsive. The console gets the message


ERROR[11064]: /usr/src/kickstart/asterisk-1.4/asterisk/include/asterisk/lock.h515 __ast_pthread_mutex_unlock: res_jabber.c line 1619 (aji_recv_loop): mutex '&(client)->_lock' freed more times than we've locked!

every second or so

By: Tilghman Lesher (tilghman) 2010-07-26 12:02:37

What version of iksemel do you have installed on your machine?  If you update to iksemel 1.4, does the memory corruption and subsequent crash disappear?

By: Tilghman Lesher (tilghman) 2010-08-10 10:02:16

jmls: ping.  A patch has been posted.  Does the patch fix the crash for you?

By: Tilghman Lesher (tilghman) 2010-08-13 15:33:25

No response from reporter.

By: jmls (jmls) 2010-10-04 13:52:35

some testing done. Without the patch, running 4 calls for 4 minutes always generates a valgrind result of invalid write, similar to

Invalid write of size 4
==19862==    at 0x46A7BC6: iks_filter_packet (filter.c:155)
==19862==    by 0x4687587: aji_act_hook (res_jabber.c:692)
==19862==    by 0x46A5BEF: tagHook (stream.c:300)
==19862==    by 0x46A3BC8: iks_parse (sax.c:341)

with the patch, I never get to see an invalid write.

However, I cannot generate a crash on demand yet, so don't know if this is a valid fix or not - would have to bow to the great gods of debugging on this one ;)
By: jmls (jmls) 2010-10-04 14:31:30

Just tested the patch for 20 minutes with 4 calls, each sending a jabber message every second. No problems with the patch; without the patch I always get an invalid write.

Still can't crash it, though ..

By: Digium Subversion (svnbot) 2010-10-05 15:20:08

Repository: asterisk
Revision: 290392

U   branches/1.4/res/res_jabber.c

------------------------------------------------------------------------
r290392 | tilghman | 2010-10-05 15:20:08 -0500 (Tue, 05 Oct 2010) | 8 lines

Fix a crash by ensuring that we don't alter memory after it's freed.

(closes issue ASTERISK-16138)
Reported by: jmls
Patches:
      20100726__issue17387.diff.txt uploaded by tilghman (license 14)
Tested by: jmls

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=290392
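The commit above fixes the crash by "ensuring that we don't alter memory after it's freed", and the valgrind trace in the comments shows the hazard: a library dispatcher (iks_filter_packet) calls back into the application hook (aji_act_hook) and then writes to its own state afterwards. The following is an added, constructed C illustration of that hazard and of the deferred-release pattern that avoids it; it is not Asterisk or iksemel code, and the names filter, dispatch and bye_hook are invented for the example.

```c
/* Constructed example: a dispatcher hands a "filter" object to a user hook,
 * then updates that object after the hook returns. If the hook frees the
 * object, the later update is a write-after-free, the kind of "Invalid write"
 * valgrind reported on this issue. The hook below defers the release with a
 * flag instead, so the dispatcher frees the object only once it is done. */
#include <stdlib.h>
#include <string.h>

struct filter {
    int packets_seen;      /* bookkeeping written by the dispatcher after the hook */
    int pending_delete;    /* set by the hook instead of calling free() */
    int (*hook)(struct filter *f, const char *packet);
};

static int frees = 0;      /* instrumentation: how many times filter_free ran */

static void filter_free(struct filter *f) { frees++; free(f); }

/* Dispatcher: runs the hook, then touches the filter again.
 * Returns 1 if the filter was released on this call, else the hook's result. */
static int dispatch(struct filter *f, const char *packet)
{
    int rc = f->hook(f, packet);
    f->packets_seen++;                 /* would hit freed memory if the hook freed f */
    if (f->pending_delete) {           /* safe point: dispatcher is done with f */
        filter_free(f);
        return 1;
    }
    return rc;
}

/* Hook that wants the filter torn down when it sees "bye" */
static int bye_hook(struct filter *f, const char *packet)
{
    if (strcmp(packet, "bye") == 0)
        f->pending_delete = 1;         /* defer: never free(f) from inside the hook */
    return 0;
}

/* Feed a constructed packet sequence; returns how many packets were
 * dispatched before the filter was released (the caller must stop using it). */
static int run_session(void)
{
    struct filter *f = calloc(1, sizeof(*f));
    const char *packets[] = { "hello", "msg", "bye", "late" };
    int n = 0;
    f->hook = bye_hook;
    for (size_t i = 0; i < sizeof(packets) / sizeof(packets[0]); i++) {
        n++;
        if (dispatch(f, packets[i])) break;   /* filter gone; do not touch f again */
    }
    return n;
}

static int free_count(void) { return frees; }
```

Running the same dispatcher with a hook that calls free(f) directly reproduces the invalid write under valgrind or AddressSanitizer, which is the check to keep in CI for callback-driven parsers.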

By: Digium Subversion (svnbot) 2010-10-05 15:21:03

Repository: asterisk
Revision: 290396

_U  branches/1.6.2/
U   branches/1.6.2/res/res_jabber.c

------------------------------------------------------------------------
r290396 | tilghman | 2010-10-05 15:21:03 -0500 (Tue, 05 Oct 2010) | 15 lines

Merged revisions 290392 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r290392 | tilghman | 2010-10-05 15:20:07 -0500 (Tue, 05 Oct 2010) | 8 lines
 
 Fix a crash by ensuring that we don't alter memory after it's freed.
 
 (closes issue ASTERISK-16138)
  Reported by: jmls
  Patches:
        20100726__issue17387.diff.txt uploaded by tilghman (license 14)
  Tested by: jmls
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=290396

By: Digium Subversion (svnbot) 2010-10-05 15:23:35

Repository: asterisk
Revision: 290408

_U  branches/1.8/
U   branches/1.8/res/res_jabber.c

------------------------------------------------------------------------
r290408 | tilghman | 2010-10-05 15:23:34 -0500 (Tue, 05 Oct 2010) | 22 lines

Merged revisions 290396 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2

................
 r290396 | tilghman | 2010-10-05 15:21:02 -0500 (Tue, 05 Oct 2010) | 15 lines
 
 Merged revisions 290392 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r290392 | tilghman | 2010-10-05 15:20:07 -0500 (Tue, 05 Oct 2010) | 8 lines
   
   Fix a crash by ensuring that we don't alter memory after it's freed.
   
   (closes issue ASTERISK-16138)
    Reported by: jmls
    Patches:
          20100726__issue17387.diff.txt uploaded by tilghman (license 14)
    Tested by: jmls
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=290408

By: Digium Subversion (svnbot) 2010-10-05 15:24:38

Repository: asterisk
Revision: 290414

_U  trunk/
U   trunk/res/res_jabber.c

------------------------------------------------------------------------
r290414 | tilghman | 2010-10-05 15:24:38 -0500 (Tue, 05 Oct 2010) | 29 lines

Merged revisions 290408 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
 r290408 | tilghman | 2010-10-05 15:23:33 -0500 (Tue, 05 Oct 2010) | 22 lines
 
 Merged revisions 290396 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.6.2
 
 ................
   r290396 | tilghman | 2010-10-05 15:21:02 -0500 (Tue, 05 Oct 2010) | 15 lines
   
   Merged revisions 290392 via svnmerge from
   https://origsvn.digium.com/svn/asterisk/branches/1.4
   
   ........
     r290392 | tilghman | 2010-10-05 15:20:07 -0500 (Tue, 05 Oct 2010) | 8 lines
     
     Fix a crash by ensuring that we don't alter memory after it's freed.
     
     (closes issue ASTERISK-16138)
      Reported by: jmls
      Patches:
            20100726__issue17387.diff.txt uploaded by tilghman (license 14)
      Tested by: jmls
   ........
 ................
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=290414