ASTERISK-25230: Crash in channels/pjsip/basic_calls/incoming/off-nominal/userpass when decreasing reference on PJSIP transport

[Home]

Summary: ASTERISK-25230: Crash in channels/pjsip/basic_calls/incoming/off-nominal/userpass when decreasing reference on PJSIP transport

Reporter: Matt Jordan (mjordan) Labels:

Date Opened: 2015-07-06 08:54:34 Date Closed: 2015-09-10 10:15:44

Priority: Major Regression?

Status: Closed/Complete Components: Resources/res_pjsip Tests/testsuite

Versions: Frequency of
Occurrence

Related
Issues:

Environment: Attachments: ( 0) backtrace_5402.txt
( 1) full.txt

Description: The Asterisk Test Suite caught a crash in PJSIP via the {{channels/pjsip/basic_calls/incoming/off-nominal/userpass}} test when decrementing the reference on a transport that was being disposed of via {{pjsip_rx_data_free_cloned}}:

{code}
[Thread debugging using libthread_db enabled]
Core was generated by `/usr/sbin/asterisk -f -g -q -m -n -C /tmp/asterisk-testsuite/5dddaa9b1d12e2132f'.
Program terminated with signal 11, Segmentation fault.
#0 0x00a21255 in pj_atomic_get (atomic_var=0x0) at ../src/pj/os_core_unix.c:916
916 pj_mutex_lock( atomic_var->mutex );
#0 0x00a21255 in pj_atomic_get (atomic_var=0x0) at ../src/pj/os_core_unix.c:916
oldval = 0
#1 0x006b4e15 in pjsip_transport_dec_ref (tp=0xb7306f14) at ../src/pjsip/sip_transport.c:990
__PRETTY_FUNCTION__ = "pjsip_transport_dec_ref"
#2 0x006b46fe in pjsip_rx_data_free_cloned (rdata=0xb732de54) at ../src/pjsip/sip_transport.c:723
__PRETTY_FUNCTION__ = "pjsip_rx_data_free_cloned"
#3 0x003470b6 in distribute (data=0xb732de54) at res_pjsip/pjsip_distributor.c:449
param = {start_prio = 0, start_mod = 0x365a80, idx_after_start = 1, silent = 0}
handled = 1
rdata = 0xb732de54
is_request = 1
is_ack = 0
endpoint = 0x92dd230
__PRETTY_FUNCTION__ = "distribute"
#4 0x0841f73b in ast_taskprocessor_execute (tps=0x88d8e60) at taskprocessor.c:768
local = {local_data = 0x10, data = 0x88d8e60}
t = 0xb73235c8
size = 135056146
__PRETTY_FUNCTION__ = "ast_taskprocessor_execute"
#5 0x084384e8 in execute_tasks (data=0x88d8e60) at threadpool.c:1269
tps = 0x88d8e60
#6 0x0841f73b in ast_taskprocessor_execute (tps=0x8828d98) at taskprocessor.c:768
local = {local_data = 0xb7201d1c, data = 0xb7201d4c}
t = 0xb73237f0
size = 3
{code}

Note that we weren't shutting down or doing anything else intrusive at the time.

Comments: By: Asterisk Team (asteriskteam) 2015-07-06 08:54:36.511-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].