mod_sofia: segfault on refer

[wmasilva]

Got a segfault in freeswitch cause by libsofia:

freeswitch[3667959]: segfault at 18 ip 00007f825d34a55b sp 00007f824b7fcc30 error 4 in libsofia-sip-ua.so.0.6.0[7f825d2af000+cf000]

Not sure if the issue is in freeswitch or sofia-sip.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f825d34a55b in su_task_execute () from /lib/libsofia-sip-ua.so.0
[Current thread is 1 (Thread 0x7f824b801700 (LWP 3667959))]
(gdb) bt
#0  0x00007f825d34a55b in su_task_execute () from /lib/libsofia-sip-ua.so.0
#1  0x00007f825d2f9a08 in nua_handle_by_replaces () from /lib/libsofia-sip-ua.so.0
#2  0x00007f825acd0ab6 in sofia_global_nua_handle_by_replaces (replaces=replaces@entry=0x56360e9a5500) at sofia.c:8903
#3  0x00007f825acd215e in sofia_handle_sip_i_refer (nua=nua@entry=0x56361a6c4600, profile=profile@entry=0x56361e276100, nh=nh@entry=0x56361d646c60, session=session@entry=0x56360e094028, sip=sip@entry=0x56360d1848f8, 
    de=de@entry=0x5636288087e0, tags=0x563610bdf030) at sofia.c:9051
#4  0x00007f825acdee7c in our_sofia_event_callback (event=nua_i_refer, status=100, phrase=0x563610bdf1b8 "Trying", nua=0x56361a6c4600, profile=0x56361e276100, nh=0x56361d646c60, sofia_private=<optimized out>, sip=0x56360d1848f8, 
    de=0x5636288087e0, tags=0x563610bdf030) at sofia.c:1875
#5  0x00007f825ace5df8 in sofia_process_dispatch_event (dep=0x7f824b7fd660) at sofia.c:2253
#6  0x00007f825aca8867 in sofia_receive_message (session=0x56360e094028, msg=0x7f824b7fe3e0) at mod_sofia.c:1348
#7  0x00007f825dcf6686 in switch_core_session_perform_receive_message (session=session@entry=0x56360e094028, message=<optimized out>, message@entry=0x7f824b7fe3e0, file=file@entry=0x7f825e04d1b5 "src/switch_ivr.c", 
    func=func@entry=0x7f825e04e270 <__func__.47> "switch_ivr_parse_signal_data", line=line@entry=893) at src/switch_core_session.c:854
#8  0x00007f825ddc3528 in switch_ivr_parse_signal_data (session=0x56360e094028, all=all@entry=SWITCH_FALSE, only_session_thread=only_session_thread@entry=SWITCH_TRUE) at src/switch_ivr.c:893
#9  0x00007f825dcc9ab1 in switch_channel_check_signal (channel=channel@entry=0x56361d656110, in_thread_only=in_thread_only@entry=SWITCH_TRUE) at src/switch_channel.c:2270
#10 0x00007f825dcc9c6f in switch_channel_test_ready (channel=channel@entry=0x56361d656110, check_ready=check_ready@entry=SWITCH_TRUE, check_media=check_media@entry=SWITCH_FALSE) at src/switch_channel.c:2280
#11 0x00007f825dd92787 in audio_bridge_thread (obj=obj@entry=0x563626a98b18, thread=0x0) at src/switch_ivr_bridge.c:538
#12 0x00007f825dd93fb2 in audio_bridge_on_exchange_media (session=0x56360e094028) at src/switch_ivr_bridge.c:979
#13 0x00007f825dcff619 in switch_core_session_run (session=0x56360e094028) at src/switch_core_state_machine.c:650
#14 0x00007f825dcf8250 in switch_core_session_thread (thread=<optimized out>, obj=0x56360e094028) at src/switch_core_session.c:1727
#15 0x00007f825dcf385e in switch_core_session_thread_pool_worker (thread=0x56361a8ca280, obj=<optimized out>) at src/switch_core_session.c:1791
#16 0x00007f825dc37ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x00007f825d953a2f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Freeswitch version: Version 1.10.12-dev git 9df3076 2024-01-29 16:05:45Z 64bit
Sofia: 1.13.17-1286198851a61bullseye

NOTE: my FS version includes the modification in mod_sofia from pr #2390 .

From the BT i got the call-id for the sip messages and the call flow is:

it looks that the issue occurs because the refer is done at same second but a few ms after of the hangup for the channel that would be transfer., so i guess the nua_execute is done in a reference that does not exist.
I've try to reproduce the issue manually but i couldn't.. the system is running for two days without any crash.

But the problem is there... i'm not sure where is the correct place to solve the issue.

Thanks,
António