Crash when adding/removing buddies (thanks Nikolay Popok and Robert Cichielo for the reports)

[bennylp]

Removing a buddy will crash the library at later time, with stack trace similar to this:

Stack:
 #0    0x00092f9a in pop_freelist at timer.c:136
 #1    0x0009360e in schedule_entry at timer.c:300
 #2    0x00093b82 in pj_timer_heap_schedule at timer.c:472
 #3    0x000b80d0 in pjsip_endpt_schedule_timer at sip_endpoint.c:759
 #4    0x000cc452 in tsx_on_state_null at sip_transaction.c:2118
 #5    0x000cb2b1 in pjsip_tsx_send_msg at sip_transaction.c:1590
 #6    0x000d0d06 in pjsip_dlg_send_request at sip_dialog.c:1174
 #7    0x000a1c68 in pjsip_evsub_send_request at evsub.c:1222
 #8    0x000a71f3 in pjsip_pres_send_request at presence.c:588
 #9    0x000f32db in subscribe_buddy_presence at pjsua_pres.c:1777
 #10    0x000f0a92 in pjsua_buddy_update_pres at pjsua_pres.c:571
 #11    0x000f0987 in pjsua_buddy_subscribe_pres at pjsua_pres.c:536
 #12    0x000f0700 in pjsua_buddy_add at pjsua_pres.c:472
 #13    0x0000cc4f in test_add_buddy at pjsua_app.c:5030
 #14    0x0000ccb9 in test_network_appeared at pjsua_app.c:5039
 #15    0x0000b3bd in console_app_main at pjsua_app.c:4238
 #16    0x0000c66a in app_main at pjsua_app.c:4741
 #17    0x00001b86 in main at main.c:87

And another crash when a buddy is added while network connectivity is down:

 0x000f0f08 pjsip_dlg_dec_lock + 24
 0x001121ac subscribe_buddy_presence + 1152
 0x0010f860 pjsua_buddy_update_pres + 196
 0x0010f768 pjsua_buddy_subscribe_pres + 124
 0x0010f464 pjsua_buddy_add + 1404

Please see ​http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/2009-December/009702.html for the report.

[bennylp]

Removing a buddy will crash the library at later time, with stack trace similar to this:

Stack:
 #0    0x00092f9a in pop_freelist at timer.c:136
 #1    0x0009360e in schedule_entry at timer.c:300
 #2    0x00093b82 in pj_timer_heap_schedule at timer.c:472
 #3    0x000b80d0 in pjsip_endpt_schedule_timer at sip_endpoint.c:759
 #4    0x000cc452 in tsx_on_state_null at sip_transaction.c:2118
 #5    0x000cb2b1 in pjsip_tsx_send_msg at sip_transaction.c:1590
 #6    0x000d0d06 in pjsip_dlg_send_request at sip_dialog.c:1174
 #7    0x000a1c68 in pjsip_evsub_send_request at evsub.c:1222
 #8    0x000a71f3 in pjsip_pres_send_request at presence.c:588
 #9    0x000f32db in subscribe_buddy_presence at pjsua_pres.c:1777
 #10    0x000f0a92 in pjsua_buddy_update_pres at pjsua_pres.c:571
 #11    0x000f0987 in pjsua_buddy_subscribe_pres at pjsua_pres.c:536
 #12    0x000f0700 in pjsua_buddy_add at pjsua_pres.c:472
 #13    0x0000cc4f in test_add_buddy at pjsua_app.c:5030
 #14    0x0000ccb9 in test_network_appeared at pjsua_app.c:5039
 #15    0x0000b3bd in console_app_main at pjsua_app.c:4238
 #16    0x0000c66a in app_main at pjsua_app.c:4741
 #17    0x00001b86 in main at main.c:87

And another crash when a buddy is added while network connectivity is down:

 0x000f0f08 pjsip_dlg_dec_lock + 24
 0x001121ac subscribe_buddy_presence + 1152
 0x0010f860 pjsua_buddy_update_pres + 196
 0x0010f768 pjsua_buddy_subscribe_pres + 124
 0x0010f464 pjsua_buddy_add + 1404

Please see ​http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/2009-December/009702.html for the report.

[bennylp]

The above comment was meant to go into the description section.

[bennylp]

Fixed in r3031:

• the timer associated with a buddy is not removed when buddy is deleted, causing crash later on in timer heap. Fixed.
• when fails to send the initial SUBSCRIBE request, the dialog associated with buddy subscription will have been destroyed in the callback, causing any subsequent "pjsip_dlg_dec_lock(buddy->dlg)" call to crash. Fixed by protecting the call with "if (buddy->dlg)".