
Summary: ASTERISK-24444: PBX: Crash when generating extension for pattern matching hint
Reporter: Leandro Dardini (ldardini)
Labels:
Date Opened: 2014-10-22 10:23:18
Date Closed: 2014-11-12 10:13:22.000-0600
Priority: Major
Regression?:
Status: Closed/Complete
Components: Core/PBX
Versions: 11.13.1 12.6.1
Frequency of Occurrence: Frequent
Related Issues:
duplicates ASTERISK-19143 Core dump when adding dialplan extension
is duplicated by ASTERISK-19711 Crash emanating from add_exten_to_pattern_tree()
Environment: Linux CentOS 6.5 Kernel 2.6.32-431.11.2.el6.x86_64
Attachments: ( 0) backtrace.txt
( 1) backtrace11.txt
Description: Asterisk crashes in the middle of the normal daily calls from clients. The crash has been noticed on both 12.6.1 and 11.13.1.
Comments:
By: Leandro Dardini (ldardini) 2014-10-22 10:24:58.784-0500

Backtrace created using

gdb -se "asterisk" -ex "bt full" -ex "thread apply all bt" --batch -c core > /tmp/backtrace.txt

By: Leandro Dardini (ldardini) 2014-10-22 10:39:43.796-0500

In case it is needed, this is my extensions.conf, used only for hint processing.

{quote}

{noformat}
# cat /etc/asterisk/extensions.conf
{noformat}

{noformat}
[globals]

[authenticated]
exten => _.,hint,Custom:${EXTEN}
{noformat}

{quote}

extensions.ael is the one used for the call logic and this is its start:

{quote}
{noformat}
       _X. => {
           NoOp(Received a call from peer ${CHANNEL(peername)} with CID ${CALLERID(num)} ${CALLERID(name)} to number ${EXTEN} for accountcode ${CDR(accountcode)} with SIP CALL ID ${SIPCALLID} requesting for a max duration of ${SETTIMEOUT} SETPEERNAME=${SETPEERNAME});
           NoOp(Transfer: ${BLINDTRANSFER} - ${TRANSFERED_BY} - ${TRANSFER_CONTEXT} - ${CALLERID(RDNIS)});
           Set(TTL=${MAXTTL});
           Set(TENANTID=${ODBC_TENANTID_FROM_ACCOUNTCODE(${CDR(accountcode)})});
...
{noformat}
{quote}

By: Leandro Dardini (ldardini) 2014-10-24 16:18:54.457-0500

Backtrace from asterisk 11.13.1

By: Matt Jordan (mjordan) 2014-10-28 11:30:07.526-0500

In a core file generated from the crash, can you print out the following using {{gdb}}:

{noformat}
# frame 6
# print *m2
# print *e1
# print *m2->exten
# print m2->exten->exten
{noformat}


By: Leandro Dardini (ldardini) 2014-10-28 11:59:19.981-0500

I am not really sure I have followed the required steps. I ran this on the Asterisk 11 server:

{noformat}
gdb -se "asterisk"  -c core
{noformat}

and then:

{noformat}
(gdb) frame 6
#6  0x000000000052f82a in create_match_char_tree (con=0x100000000) at pbx.c:2431
2431            while ((e1 = ast_hashtab_next(t1))) {
(gdb) print *m2
No symbol "m2" in current context.
(gdb) print *e1
$1 = {exten = 0x7f1a52750560 "100-autolabcoldwater  ", matchcid = 0, cidmatch = 0x0, priority = 0, label = 0x0, parent = 0x0, app = 0x0, cached_app = 0x0, data = 0x0, datad = 0, peer = 0x0, peer_table = 0x0,   peer_label_table = 0x0, registrar = 0x0, next = 0x0, stuff = 0x7f1a52750960 "`\005uR\032\177"}
(gdb) print *m2->exten
No symbol "m2" in current context.
(gdb) print *m2->exten->exten
No symbol "m2" in current context.
{noformat}

On asterisk 12:

{noformat}
(gdb)  frame 6
#6  0x00000000005643c2 in add_exten_to_pattern_tree (con=0x2768fd0, e1=0x7fedf428f5d0, findonly=0) at pbx.c:2402
2402                                            ast_log(LOG_WARNING, "Found duplicate exten. Had %s found %s\n",
(gdb) print *m2
$1 = {is_pattern = 0, deleted = 0, specificity = 1, alt_char = 0x0, next_char = 0x0, exten = 0x7fedf416c680, x = "6"}
(gdb) print *e1
$2 = {exten = 0x7fedf428f648 "(613)235-0056", matchcid = 0, cidmatch = 0x7fedf428f656 "", priority = -1, label = 0x0, parent = 0x2768fd0, app = 0x7fedf428f657 "Custom:(613) 235-0056", cached_app = 0x0,
 data = 0x7fedf4419670, datad = 0x42f2b0 <free@plt>, peer = 0x0, peer_table = 0x0, peer_label_table = 0x0, registrar = 0x7fee50fbf820 "pbx_config", next = 0x0, stuff = 0x7fedf428f5d0 "H\366(\364\355\177"}
(gdb) print *m2->exten
$3 = {exten = 0x1 <Address 0x1 out of bounds>, matchcid = 4571731, cidmatch = 0xe8 <Address 0xe8 out of bounds>, priority = 2, label = 0x690b20 "\370\331E", parent = 0x0,
 app = 0x515f8d "UH\211\345H\203\354@H\211}\330H\211uЉU\314H\213E\320H\211E\350H\213E\330H\211E\360H\213U\360H\213E\350H\211\326H\211\307\350\335\304\377\377\211E\374\203}", <incomplete sequence \374>,
 cached_app = 0x0, data = 0x0, datad = 0x515fe0 <hash_cb>, peer = 0xb, peer_table = 0x0, peer_label_table = 0x0, registrar = 0x0, next = 0x0, stuff = 0x7fedf416c680 "\001"}
(gdb) print *m2->exten->exten
Cannot access memory at address 0x1
{noformat}

Unfortunately I had to put a dirty patch on the server because it was a production server. I instructed my client to fix its phone by removing the spaces in the BLF monitoring extension and I commented out the ast_log(LOG_WARNING, "Found duplicate exten. Had %s found %s\n" instructions in the code. Since then, I have had no other core dumps.

By: Joshua C. Colp (jcolp) 2014-11-10 08:02:52.485-0600

A patch which resolves this crash is now available at https://reviewboard.asterisk.org/r/4162/