Changeset 6142

Timestamp:

Jan 29, 2020 4:05:51 AM (4 years ago)

Author:

ming

Message:

Fixed #2264: Potential deadlock between pjsua lock and sip transport's lock

Location:

pjproject/trunk/pjsip

Files:

• include/pjsip-ua/sip_regc.h (modified) (1 diff)
• src/pjsip-ua/sip_reg.c (modified) (7 diffs)
• src/pjsua-lib/pjsua_acc.c (modified) (1 diff)

pjproject/trunk/pjsip/include/pjsip-ua/sip_regc.h

@@ -210 +210 @@
                                      pj_uint32_t expires);
 
+
+/**
+ * Increment busy counter temporarily, to prevent client registration
+ * structure from being destroyed.
+ *
+ * @param regc      The client registration structure.
+ */
+PJ_DECL(void) pjsip_regc_add_ref( pjsip_regc *regc );
+
+
+/**
+ * Decrement temporary busy counter. After this function
+ * is called, client registration structure may have been destroyed
+ * if there's a pending destroy.
+ *
+ * @param regc      The client registration structure.
+ *
+ * @return          PJ_SUCCESS on success. PJ_EGONE if the registration
+ *                  structure has been destroyed inside the function.
+ */
+PJ_DECL(pj_status_t) pjsip_regc_dec_ref( pjsip_regc *regc );
+
+
 /**
  * Set callback to be called when the registration received a final response.

pjproject/trunk/pjsip/src/pjsip-ua/sip_reg.c

@@ -398 +398 @@
 }
 
+PJ_DEF(void) pjsip_regc_add_ref( pjsip_regc *regc )
+{
+    pj_assert(regc);
+    pj_atomic_inc(regc->busy_ctr);
+}
+
+PJ_DEF(pj_status_t) pjsip_regc_dec_ref( pjsip_regc *regc )
+{
+    pj_assert(regc);
+    if (pj_atomic_dec_and_get(regc->busy_ctr)==0 && regc->_delete_flag) {
+        pjsip_regc_destroy(regc);
+        return PJ_EGONE;
+    }
+    
+    return PJ_SUCCESS;
+}
+
 PJ_DEF(pj_status_t) pjsip_regc_set_credentials( pjsip_regc *regc,
                                                 int count,
@@ -788 +805 @@
      * in pjsip_regc_send() or in the callback
      */
-    pj_atomic_inc(regc->busy_ctr);
+    pjsip_regc_add_ref(regc);
 
     entry->id = 0;
@@ -804 +821 @@
 
     /* Delete the record if user destroy regc during the callback. */
-    if (pj_atomic_dec_and_get(regc->busy_ctr)==0 && regc->_delete_flag) {
-        pjsip_regc_destroy(regc);
-    }
+    pjsip_regc_dec_ref(regc);
 }
 
@@ -1068 +1083 @@
     pj_bool_t update_contact = PJ_FALSE;
 
-    pj_atomic_inc(regc->busy_ctr);
+    pjsip_regc_add_ref(regc);
     pj_lock_acquire(regc->lock);
 
@@ -1368 +1383 @@
 
     /* Delete the record if user destroy regc during the callback. */
-    if (pj_atomic_dec_and_get(regc->busy_ctr)==0 && regc->_delete_flag) {
-        pjsip_regc_destroy(regc);
-    }
+    pjsip_regc_dec_ref(regc);
 }
 
@@ -1380 +1393 @@
     pj_uint32_t cseq;
 
-    pj_atomic_inc(regc->busy_ctr);
+    pjsip_regc_add_ref(regc);
     pj_lock_acquire(regc->lock);
 
@@ -1481 +1494 @@
 
     /* Delete the record if user destroy regc during the callback. */
-    if (pj_atomic_dec_and_get(regc->busy_ctr)==0 && regc->_delete_flag) {
-        pjsip_regc_destroy(regc);
-    }
+    pjsip_regc_dec_ref(regc);
 
     return status;

pjproject/trunk/pjsip/src/pjsua-lib/pjsua_acc.c

@@ -2779 +2779 @@
         }
 
+        /* Increment ref counter and release PJSUA lock here, to avoid
+         * deadlock while making sure that regc won't be destroyed.
+         */
+        pjsip_regc_add_ref(pjsua_var.acc[acc_id].regc);
+        PJSUA_UNLOCK();
+        
         //pjsua_process_msg_data(tdata, NULL);
         status = pjsip_regc_send( pjsua_var.acc[acc_id].regc, tdata );
+        
+        PJSUA_LOCK();
+        if (pjsip_regc_dec_ref(pjsua_var.acc[acc_id].regc) == PJ_EGONE) {
+            /* regc has been deleted. */
+            goto on_return;
+        }
     }