Opened 5 years ago

Closed 5 years ago

#1773 closed defect (fixed)

Crash caused by race condition between transport destroy and callback

Reported by: nanang
Owned by: bennylp
Priority: normal
Milestone: release-2.3
Component: pjsip
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no

Description

Call stack:

Thread 14 Crashed:
pj_list_insert_nodes_before (list_i.h:25)
int_parse_msg (sip_parser.c:1033)
pjsip_parse_rdata (sip_parser.c:761)
pjsip_tpmgr_receive_packet (sip_transport.c:1651)
on_data_read (sip_transport_tcp.c:1292)
ioqueue_on_read_complete (activesock.c:495)

Thread 15:
pj_mutex_lock (os_core_unix.c:1243)
pj_ioqueue_unregister (ioqueue_common_abs.c:1326)
pj_activesock_close (activesock.c:305)
tcp_destroy (sip_transport_tcp.c:775)
tcp_destroy_transport (sip_transport_tcp.c:724)
destroy_transport (sip_transport.c:1092)
pj_timer_heap_poll (timer.c:748)

The call stacks show that the transport callback (thread 14) is being invoked while transport destroy (thread 15) is in progress. As reported, a possible scenario is that the tp_info of the rdata is accessed after the transport's memory pool has already been released.

Thanks Itay Bianco for the report.
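The following is an added illustration of the lifetime problem described above and of the reference-counting idea behind the group-lock fix recorded in the change history. It is not pjsip's code: the `transport_t` type and the `tp_*` functions are constructed for this example, the thread interleaving is simulated by calling the steps in the order the two threads would execute them, and the SIP packet is a constructed sample. The pattern is that every in-flight callback holds a reference, so a destroy request that arrives mid-callback only marks the transport as going away and the memory is released when the last reference is dropped.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical transport whose lifetime is protected by a reference count,
 * standing in for a group lock. Not pjsip's API; names are constructed. */
typedef struct transport {
    int   ref_cnt;   /* owner reference + one per in-flight callback */
    int   destroyed; /* set once the owner has asked for teardown */
    char *pool;      /* stands in for the pool that rdata->tp_info points into */
} transport_t;

transport_t *tp_create(void)
{
    transport_t *tp = calloc(1, sizeof(*tp));
    if (!tp) return NULL;
    tp->pool = calloc(1, 256);
    if (!tp->pool) { free(tp); return NULL; }
    tp->ref_cnt = 1;                 /* reference held by the transport manager */
    return tp;
}

/* Release memory; only reached when the last reference is dropped. */
static void tp_release(transport_t *tp)
{
    free(tp->pool);
    free(tp);
}

void tp_add_ref(transport_t *tp) { tp->ref_cnt++; }

/* Drop one reference; returns 1 if this call released the memory. */
int tp_dec_ref(transport_t *tp)
{
    if (--tp->ref_cnt > 0) return 0;
    tp_release(tp);
    return 1;
}

/* Destroy path (timer thread): mark the transport as going away and drop the
 * owner's reference. Memory is released now only if no callback holds one. */
int tp_destroy(transport_t *tp)
{
    tp->destroyed = 1;
    return tp_dec_ref(tp);
}

/* Callback entry (ioqueue thread): hold a reference for the whole callback so
 * the pool cannot vanish underneath it. Returns bytes copied into the pool,
 * or -1 if teardown had already been requested when the packet arrived. */
int tp_on_data_read(transport_t *tp, const char *pkt, size_t len)
{
    int rc;
    tp_add_ref(tp);
    if (tp->destroyed) {
        rc = -1;                              /* refuse new work */
    } else {
        if (len > 255) len = 255;
        memcpy(tp->pool, pkt, len);           /* pool is guaranteed alive here */
        tp->pool[len] = '\0';
        rc = (int)len;
    }
    tp_dec_ref(tp);                           /* may perform the deferred release */
    return rc;
}

/* The ordering from the ticket, simulated: the callback begins, destroy runs
 * on the timer thread while the callback is still using the pool, then the
 * callback finishes. Returns 1 if the pool stayed valid for the whole
 * callback and memory was released only at the end. */
int simulate_race(void)
{
    const char pkt[] = "INVITE sip:bob@example.invalid SIP/2.0\r\n"; /* constructed */
    transport_t *tp = tp_create();
    if (!tp) return 0;

    tp_add_ref(tp);                           /* thread 14: callback begins */
    int freed_early = tp_destroy(tp);         /* thread 15: destroy requested */
    int pool_alive = (tp->pool != NULL);      /* thread 14: still parsing */
    if (pool_alive) memcpy(tp->pool, pkt, sizeof pkt);
    int freed_at_end = tp_dec_ref(tp);        /* thread 14: callback ends */

    return !freed_early && pool_alive && freed_at_end;
}

/* A second packet arriving after destroy was requested but before the first
 * callback finished is refused (-1) instead of touching a dying transport. */
int simulate_late_packet(void)
{
    transport_t *tp = tp_create();
    if (!tp) return 0;
    tp_add_ref(tp);                           /* first callback in flight */
    tp_destroy(tp);                           /* destroy requested meanwhile */
    int rc = tp_on_data_read(tp, "x", 1);     /* second packet: refused */
    tp_dec_ref(tp);                           /* first callback ends; memory released */
    return rc;
}

/* Normal path with no contention: callback completes, then destroy frees. */
int simulate_normal(void)
{
    transport_t *tp = tp_create();
    if (!tp) return 0;
    int n = tp_on_data_read(tp, "abc", 3);
    return (n == 3 && tp_destroy(tp) == 1);
}
```

In a real multi-threaded transport the increments and decrements must be atomic or taken under the transport's lock, and the lock itself must outlive the transport, which is exactly the problem a group lock solves by tying the lock's lifetime to the reference count rather than to the object's pool.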

Change History (1)

comment:1 Changed 5 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

In 4862:

Fix #1773: Added group lock to SIP transport to avoid race condition between transport callback and destroy.
