[Freeswitch-users] Crash in v1.6.5

Ken Rice krice at freeswitch.org
Sat Jan 2 23:30:13 MSK 2016

Bug Reports go to Jira


-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org
[mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Alex
Sent: Saturday, January 2, 2016 2:22 PM
To: freeswitch-users at lists.freeswitch.org
Subject: [Freeswitch-users] Crash in v1.6.5

(Cross-posting from Freeswitch-dev because that list doesn't appear to be
terribly active? Perhaps I am mistaken, in which case, sorry!)


I'm running v1.6.5:70b8c17, and recently ran into this crash scenario:

(gdb) where
#0  switch_core_session_get_channel (session=0x0) at
#1  0x00007f955ec53ce9 in sofia_update_callee_id (session=0x0, profile=0x1a7ce80, sip=0x7f940c20b728, send=SWITCH_TRUE) at sofia.c:1086
#2  0x00007f955ec59e55 in our_sofia_event_callback (event=nua_i_update, status=200, phrase=0x7f9525d82270 "OK", nua=0x7f953c0120e0, profile=0x1a7ce80, nh=0x7f944fc705a0, sofia_private=0x7f944ef34460, sip=0x7f940c20b728, de=0x7f953c012d40, tags=0x7f9525d82260) at sofia.c:1594
#3  0x00007f955ec5f4fb in sofia_process_dispatch_event (dep=<value optimized out>) at sofia.c:1983
#4  0x00007f955ec60266 in sofia_msg_thread_run (thread=<value optimized out>, obj=0x7f955ebf5ad8) at sofia.c:2031
#5  0x00007f95625f899b in dummy_worker (opaque=0x1a732d0) at
#6  0x00007f95617a2a51 in start_thread () from /lib64/libpthread.so.0
#7  0x0000003acfae893d in clone () from /lib64/libc.so.6

Specifically, the crash was on an assertion that tried to dereference a null
session pointer:

#0  switch_core_session_get_channel (session=0x0) at
1357        switch_assert(session->channel);

However, while I am a C programmer, I don't know the first thing about 
FS internals and thus don't know what else to look for in this core dump 
so as to make a useful report. My assumption is that a check for NULL 
session pointer somewhere in frames 0/1 isn't really an adequate 
compensatory mechanism because the root of the problem lies elsewhere.

I did manage to track down the definition of Sofia's 'sip_t' structure
and it looks to me like this happened while generating a 200 OK
response to an UPDATE request:

(gdb) print sip->sip_request->rq_method
$1 = sip_method_update

And it doesn't appear to be in the course of processing a reply, because 
the status substructure seems blank:

(gdb) print sip->sip_status
$2 = (sip_status_t *) 0x0

However, I don't know how to get at the raw message buffer of the UPDATE 

Any help would be appreciated!

-- Alex

Alex Balashov | Principal | Evariste Systems LLC
303 Perimeter Center North, Suite 300
Atlanta, GA 30346
United States

Tel: +1-800-250-5920 (toll-free) / +1-678-954-0671 (direct)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
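As an added illustration of the bug class in the backtrace above (not code from FreeSWITCH, sofia-sip, or the poster), the following C program models the ordering that leaves `session=0x0` in frame #1: an in-dialog UPDATE is queued for the message thread, the call is torn down and the handle-private session pointer is cleared, and only then is the stale event dispatched. The types, field names (`sofia_private->session`, `session->channel`) and return codes are assumptions chosen to mirror the frame names; the real structures are different. It shows the unchecked handler beside a guarded one, so the difference between "the process dies on an assert" and "the stale event is dropped" is visible, while the comments note that the guard is a backstop and the lifetime ordering is the actual defect.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the objects named in the backtrace.
 * NOT FreeSWITCH's or sofia-sip's real types; every field name here is an assumption. */
typedef struct channel { const char *callee_id; } channel_t;
typedef struct session { channel_t *channel; } session_t;
typedef struct sofia_private { session_t *session; } sofia_private_t;   /* nh-private data */

typedef struct dispatch_event {
    sofia_private_t *sofia_private;
    int is_update;               /* models sip_method_update from the gdb output */
} dispatch_event_t;

enum { EV_HANDLED = 0, EV_DROPPED_NO_SESSION = 1, EV_DROPPED_NOT_UPDATE = 2 };

/* Stand-in for switch_core_session_get_channel(): asserts on the channel, as in frame #0,
 * so a NULL session is dereferenced before the assert can even fire. */
static channel_t *session_get_channel(session_t *session)
{
    assert(session->channel);
    return session->channel;
}

/* Unchecked shape of the callee-id update: trusts that the private data still holds a session. */
static int update_callee_id_unchecked(sofia_private_t *priv)
{
    channel_t *ch = session_get_channel(priv->session);   /* NULL deref when priv->session == NULL */
    ch->callee_id = "updated";
    return EV_HANDLED;
}

/* Guarded shape: an UPDATE whose private data no longer carries a session is dropped.
 * This stops the crash; it does not fix the ordering that produced the stale event. */
static int update_callee_id_guarded(sofia_private_t *priv)
{
    if (!priv || !priv->session)
        return EV_DROPPED_NO_SESSION;
    channel_t *ch = session_get_channel(priv->session);
    ch->callee_id = "updated";
    return EV_HANDLED;
}

/* Dispatch step in the style of sofia_msg_thread_run -> sofia_process_dispatch_event. */
static int dispatch(dispatch_event_t *de)
{
    if (!de->is_update)
        return EV_DROPPED_NOT_UPDATE;
    return update_callee_id_guarded(de->sofia_private);
}

/* Normal case: session alive when the event is processed; even the unchecked handler is fine. */
static int replay_normal_update(void)
{
    channel_t chan = { "original" };
    session_t sess = { &chan };
    sofia_private_t priv = { &sess };
    int rc = update_callee_id_unchecked(&priv);
    return (rc == EV_HANDLED && chan.callee_id[0] == 'u') ? EV_HANDLED : -1;
}

/* The race: UPDATE queued (1), session destroyed and private cleared (2), event dispatched (3).
 * With the guard the result is a dropped event instead of the trace above. */
static int replay_teardown_race(void)
{
    channel_t chan = { "original" };
    session_t sess = { &chan };
    sofia_private_t priv = { &sess };
    dispatch_event_t queued = { &priv, 1 };   /* 1. queued while the session is alive */
    priv.session = NULL;                       /* 2. hangup clears the session pointer */
    return dispatch(&queued);                  /* 3. message thread picks up the stale event */
}

int main(void)
{
    printf("normal UPDATE: %d\n", replay_normal_update());
    printf("UPDATE after teardown: %d\n", replay_teardown_race());
    return 0;
}
```

Read the two replay functions as the two sides of the poster's point: the guard in `update_callee_id_guarded` is the "compensatory mechanism" that keeps a remote UPDATE from taking the process down, and `replay_teardown_race` is where one would look for the real defect, namely the window between the event being queued and the session pointer being cleared.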

Professional FreeSWITCH Consulting Services: 
consulting at freeswitch.org

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org

Join us at ClueCon 2016 Aug 8-12, 2016