Summary: ASTERISK-24759: Reference of deleted ao2 object during shutdown of res_pjsip_pubsub
Reporter: Scott Griepentrog (sgriepentrog)
Labels:
Date Opened: 2015-02-05 11:04:11.000-0600
Date Closed:
Priority: Minor
Regression?:
Status: Open/New
Components: Resources/res_pjsip, Resources/res_pjsip_pubsub
Versions:
Frequency of Occurrence: Occasional
Related Issues:
Environment:
Attachments:
Description:
During CLI command "core shutdown gracefully", send_notify() can be called on a subscription tree, and it is possible for that ao2 object to be unreferenced during the call. This was caught with valgrind:
{noformat}
==11153== Invalid write of size 4
==11153==    at 0x14CCF322: send_notify (res_pjsip_pubsub.c:2088)
==11153==    by 0x14CD0BF1: subscription_persistence_recreate (res_pjsip_pubsub.c:1385)
==11153==    by 0x45D94B: internal_ao2_traverse (astobj2_container.c:351)
==11153==    by 0x45DC3B: __ao2_callback_debug (astobj2_container.c:446)
==11153==    by 0x14CC8791: subscription_persistence_load (res_pjsip_pubsub.c:1408)
==11153==    by 0x5EB583: ast_taskprocessor_execute (taskprocessor.c:769)
==11153==    by 0x5F5853: threadpool_execute (threadpool.c:351)
==11153==    by 0x5F709B: worker_active (threadpool.c:1075)
==11153==    by 0x5F6E37: worker_start (threadpool.c:995)
==11153==    by 0x602F83: dummy_start (utils.c:1232)
==11153==    by 0x670DDF2: start_thread (in /usr/lib64/libpthread-2.17.so)
==11153==    by 0x74651AC: clone (in /usr/lib64/libc-2.17.so)
==11153==  Address 0xa68e840 is 144 bytes inside a block of size 176 free'd
==11153==    at 0x4C29577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11153==    by 0x45C5D7: internal_ao2_ref (astobj2.c:458)
==11153==    by 0x45C6AB: __ao2_ref_debug (astobj2.c:484)
==11153==    by 0x45C8B0: __ao2_cleanup_debug (astobj2.c:519)
==11153==    by 0x14CC9D24: pubsub_on_evsub_state (res_pjsip_pubsub.c:3111)
==11153==    by 0xE85A797: set_state (in /usr/lib64/libpjsip-simple.so.2)
==11153==    by 0xE85BA53: mod_evsub_on_tsx_state (in /usr/lib64/libpjsip-simple.so.2)
==11153==    by 0xEA9A92C: pjsip_dlg_on_tsx_state (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA94959: tsx_set_state (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA9649E: tsx_on_state_proceeding_uac (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA9681C: tsx_on_state_calling (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA97CEE: pjsip_tsx_recv_msg (in /usr/lib64/libpjsip.so.2)
==11153==
{noformat}
Where res_pjsip_pubsub.c:2088 is the last line below setting the scheduled notify to zero, which points to the sub_tree object being deleted during the send_request:
{noformat}
if (sub_tree->is_list) {
	pjsip_require_hdr *require = create_require_eventlist(tdata->pool);
	pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *) require);
}
if (sip_subscription_send_request(sub_tree, tdata)) {
	return -1;
}
sub_tree->send_scheduled_notify = 0;
{noformat}
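As an added illustration, not Asterisk's code and not the fix adopted for this issue, a constructed C stand-in for the sequence in the report: a refcounted object loses the owner's reference in the state callback while the send-request call is still in progress, and send_notify() then touches it afterwards. The "safe" variant shows one defensive pattern, holding a caller-owned reference across the call; that this is the right fix for res_pjsip_pubsub is an assumption here, and the struct, helper names and shutdown flag are constructed for the example.

```c
#include <stdlib.h>
/* Constructed stand-in for an astobj2 object; not Asterisk's real ao2 code.
 * 'freed' is recorded instead of calling free(), so a late access is detectable. */
struct sub_tree { int refcount; int send_scheduled_notify; int freed; };

static struct sub_tree *tree_alloc(void) {
    struct sub_tree *t = calloc(1, sizeof(*t));
    t->refcount = 1;              /* the owner's reference */
    t->send_scheduled_notify = 1; /* a NOTIFY is pending */
    return t;
}

static void tree_ref(struct sub_tree *t, int delta) {
    t->refcount += delta;
    if (t->refcount == 0) t->freed = 1;  /* real ao2 would release storage here */
}

/* Stand-in for sip_subscription_send_request(): on graceful shutdown the evsub
 * state callback (pubsub_on_evsub_state in the report) drops the owner's
 * reference while the request is still in progress. */
static int send_request(struct sub_tree *t, int shutting_down) {
    if (shutting_down) tree_ref(t, -1);
    return 0;
}

/* Pattern from the report: touch sub_tree after a call that may release it. */
static int send_notify_unsafe(struct sub_tree *t, int shutting_down) {
    if (send_request(t, shutting_down)) return -1;
    if (t->freed) return -2;  /* this is the invalid write valgrind flagged */
    t->send_scheduled_notify = 0;
    return 0;
}

/* Hardened: hold a reference across the call so the object outlives it. */
static int send_notify_safe(struct sub_tree *t, int shutting_down) {
    int rc = -1;
    tree_ref(t, +1);
    if (send_request(t, shutting_down) == 0) {
        t->send_scheduled_notify = 0;  /* still valid: our reference pins it */
        rc = 0;
    }
    tree_ref(t, -1);
    return rc;
}

/* Drive one variant through a scenario and return its result code. */
static int run_scenario(int (*notify)(struct sub_tree *, int), int shutting_down) {
    struct sub_tree *t = tree_alloc();
    int rc = notify(t, shutting_down);
    free(t);  /* storage is released only here, after all simulated references */
    return rc;
}
```

run_scenario(send_notify_unsafe, 1) returns -2 (access after the last reference was dropped), while run_scenario(send_notify_safe, 1) returns 0 and the object is destroyed only after send_notify is done with it.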
Comments: