Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#1002 closed defect (fixed)

Crash when adding/removing buddies (thanks Nikolay Popok and Robert Cichielo for the reports)

Reported by: bennylp
Owned by: bennylp
Priority: normal
Milestone: release-1.5.5
Component: pjsua-lib
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported:

Description (last modified by bennylp)

Removing a buddy will crash the library at a later time, with a stack trace similar to this:

Stack:
 #0    0x00092f9a in pop_freelist at timer.c:136
 #1    0x0009360e in schedule_entry at timer.c:300
 #2    0x00093b82 in pj_timer_heap_schedule at timer.c:472
 #3    0x000b80d0 in pjsip_endpt_schedule_timer at sip_endpoint.c:759
 #4    0x000cc452 in tsx_on_state_null at sip_transaction.c:2118
 #5    0x000cb2b1 in pjsip_tsx_send_msg at sip_transaction.c:1590
 #6    0x000d0d06 in pjsip_dlg_send_request at sip_dialog.c:1174
 #7    0x000a1c68 in pjsip_evsub_send_request at evsub.c:1222
 #8    0x000a71f3 in pjsip_pres_send_request at presence.c:588
 #9    0x000f32db in subscribe_buddy_presence at pjsua_pres.c:1777
 #10    0x000f0a92 in pjsua_buddy_update_pres at pjsua_pres.c:571
 #11    0x000f0987 in pjsua_buddy_subscribe_pres at pjsua_pres.c:536
 #12    0x000f0700 in pjsua_buddy_add at pjsua_pres.c:472
 #13    0x0000cc4f in test_add_buddy at pjsua_app.c:5030
 #14    0x0000ccb9 in test_network_appeared at pjsua_app.c:5039
 #15    0x0000b3bd in console_app_main at pjsua_app.c:4238
 #16    0x0000c66a in app_main at pjsua_app.c:4741
 #17    0x00001b86 in main at main.c:87

And another crash when a buddy is added while network connectivity is down:

 0x000f0f08 pjsip_dlg_dec_lock + 24
 0x001121ac subscribe_buddy_presence + 1152
 0x0010f860 pjsua_buddy_update_pres + 196
 0x0010f768 pjsua_buddy_subscribe_pres + 124
 0x0010f464 pjsua_buddy_add + 1404

Please see http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/2009-December/009702.html for the report.

Change History (5)

comment:1 Changed 9 years ago by bennylp

Removing a buddy will crash the library at a later time, with a stack trace similar to this:

Stack:
 #0    0x00092f9a in pop_freelist at timer.c:136
 #1    0x0009360e in schedule_entry at timer.c:300
 #2    0x00093b82 in pj_timer_heap_schedule at timer.c:472
 #3    0x000b80d0 in pjsip_endpt_schedule_timer at sip_endpoint.c:759
 #4    0x000cc452 in tsx_on_state_null at sip_transaction.c:2118
 #5    0x000cb2b1 in pjsip_tsx_send_msg at sip_transaction.c:1590
 #6    0x000d0d06 in pjsip_dlg_send_request at sip_dialog.c:1174
 #7    0x000a1c68 in pjsip_evsub_send_request at evsub.c:1222
 #8    0x000a71f3 in pjsip_pres_send_request at presence.c:588
 #9    0x000f32db in subscribe_buddy_presence at pjsua_pres.c:1777
 #10    0x000f0a92 in pjsua_buddy_update_pres at pjsua_pres.c:571
 #11    0x000f0987 in pjsua_buddy_subscribe_pres at pjsua_pres.c:536
 #12    0x000f0700 in pjsua_buddy_add at pjsua_pres.c:472
 #13    0x0000cc4f in test_add_buddy at pjsua_app.c:5030
 #14    0x0000ccb9 in test_network_appeared at pjsua_app.c:5039
 #15    0x0000b3bd in console_app_main at pjsua_app.c:4238
 #16    0x0000c66a in app_main at pjsua_app.c:4741
 #17    0x00001b86 in main at main.c:87

And another crash when a buddy is added while network connectivity is down:

 0x000f0f08 pjsip_dlg_dec_lock + 24
 0x001121ac subscribe_buddy_presence + 1152
 0x0010f860 pjsua_buddy_update_pres + 196
 0x0010f768 pjsua_buddy_subscribe_pres + 124
 0x0010f464 pjsua_buddy_add + 1404

Please see http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/2009-December/009702.html for the report.

comment:2 Changed 9 years ago by bennylp

The above comment was meant to go into the description section.

comment:3 Changed 9 years ago by bennylp

  • Description modified (diff)

comment:4 Changed 9 years ago by bennylp

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r3031:

  • The timer associated with a buddy is not removed when the buddy is deleted, causing a crash later on in the timer heap. Fixed.
  • When it fails to send the initial SUBSCRIBE request, the dialog associated with the buddy subscription will have been destroyed in the callback, causing any subsequent "pjsip_dlg_dec_lock(buddy->dlg)" call to crash. Fixed by protecting the call with "if (buddy->dlg)".
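
A minimal model of the two lifetime bugs described in comment:4, added here as an illustration; it is not PJSIP code and not part of the ticket. All types and functions (timer_heap, buddy_del, refs_after_readd, subscribe) are hypothetical stand-ins, and it assumes a buddy slot is wiped and later reused after deletion.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not pjlib/pjsua code: the heap holds raw pointers into buddy slots. */
#define MAX_TIMERS 8
typedef struct { int scheduled; } timer_entry;
typedef struct { timer_entry *slot[MAX_TIMERS]; int count; } timer_heap;
typedef struct { int lock_count; } dialog;
typedef struct { timer_entry timer; dialog *dlg; } buddy;
static void heap_schedule(timer_heap *h, timer_entry *e) {
    if (e->scheduled || h->count == MAX_TIMERS) return;
    h->slot[h->count++] = e;
    e->scheduled = 1;
}
static void heap_cancel(timer_heap *h, timer_entry *e) {
    for (int i = 0; i < h->count; i++)
        if (h->slot[i] == e) { h->slot[i] = h->slot[--h->count]; break; }
    e->scheduled = 0;
}
/* Delete a buddy slot; the fixed path cancels its timer before wiping it. */
static void buddy_del(timer_heap *h, buddy *b, int fixed) {
    if (fixed) heap_cancel(h, &b->timer);
    memset(b, 0, sizeof *b);
}
/* Add, delete, re-add in one slot; count heap slots referencing its timer (want 1). */
static int refs_after_readd(int fixed) {
    timer_heap h = {0};
    buddy b = {0};
    int refs = 0;
    heap_schedule(&h, &b.timer);
    buddy_del(&h, &b, fixed);
    heap_schedule(&h, &b.timer);   /* slot reused by a new buddy */
    for (int i = 0; i < h.count; i++) refs += (h.slot[i] == &b.timer);
    return refs;
}
/* Failed initial send: the failure callback destroys the dialog and clears
 * b.dlg, so the pointer must be re-checked before the unlock. */
static int subscribe(int send_ok) {
    dialog d = {0};
    buddy b = {0};
    b.dlg = &d;
    d.lock_count++;                      /* inc_lock */
    if (!send_ok) b.dlg = NULL;          /* callback tore the dialog down */
    if (b.dlg) b.dlg->lock_count--;      /* unguarded, this dereferences NULL */
    return b.dlg != NULL;
}

int main(void) {
    printf("refs buggy=%d fixed=%d; dlg alive ok=%d failed=%d\n",
           refs_after_readd(0), refs_after_readd(1), subscribe(1), subscribe(0));
    return 0;
}
```

With the buggy delete, the wiped entry no longer knows it is scheduled, so the heap ends up holding the same entry twice; cancelling before the wipe keeps the heap and the entry in agreement.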

comment:5 Changed 9 years ago by ismangil

  • Milestone changed from release-1.6 to release-1.5.5