Opened 10 years ago
Closed 10 years ago
#1807 closed defect (fixed)
Crash when shutting down library while having subscription transactions ongoing
| Reported by: | nanang | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-2.4 |
| Component: | pjsip | Version: | trunk |
| Keywords: | | Cc: | |
| Backport to 1.x milestone: | | Backported: | no |
Description
Scenario:
- send SUBSCRIBE, no response from server yet
- user decides to exit app, app sends un-SUBSCRIBE for the same evsub session, also no response from server yet
- while both SUBSCRIBE transactions haven't timed out yet, app shuts down the lib using pjsua_destroy2(PJSUA_DESTROY_NO_RX_MSG)
- crash, with the call stack trace pointing to cancellation of a transaction timer entry

Investigation found that there is a possibility of an uncancelled timer entry after its memory pool has been released. An evsub session can only have one pending UAC SUBSCRIBE, so if there are two of them, it will terminate the older one using a zero-timeout timer to avoid deadlock. Unfortunately, the timer may never be executed nor cancelled if the library is shutting down without polling events, i.e. when PJSUA_DESTROY_NO_RX_MSG is specified. So when the evsub session and the dialog are destroyed, the timer, which is allocated using the dialog pool, becomes invalid and eventually causes a crash whenever accessed (e.g. when cancelling another timer entry).
Thanks Marcus Froeschl for the report.
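The lifetime problem described above, as an added example that is not pjsip code and not the change made for this ticket: a toy timer heap holds pointers to entries embedded in their owning session, and teardown unlinks the entry before the memory is released. All type and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
/* Toy model constructed for illustration; none of these names are pjsip APIs. */
typedef struct timer_entry {
    struct timer_entry *next;            /* link in the heap's pending list */
    void (*cb)(struct timer_entry *);
} timer_entry;
typedef struct { timer_entry *head; int count; } timer_heap;
/* The session embeds its timer entry, like an entry allocated from the dialog pool. */
typedef struct { timer_heap *heap; timer_entry term_timer; int terminated; } session;

void heap_schedule(timer_heap *h, timer_entry *e) { e->next = h->head; h->head = e; h->count++; }
/* Unlink e if pending; walks the list, so every linked entry must still be valid. */
int heap_cancel(timer_heap *h, timer_entry *e) {
    for (timer_entry **p = &h->head; *p; p = &(*p)->next)
        if (*p == e) { *p = e->next; h->count--; return 1; }
    return 0;
}
/* Fire everything pending; this is the step a shutdown without polling skips. */
int heap_poll(timer_heap *h) {
    int fired = 0;
    while (h->head) {
        timer_entry *e = h->head; h->head = e->next; h->count--;
        e->cb(e); fired++;
    }
    return fired;
}
static void on_terminate(timer_entry *e) {
    session *s = (session *)((char *)e - offsetof(session, term_timer));
    s->terminated = 1;
}
session *session_create(timer_heap *h) {
    session *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->heap = h; s->term_timer.cb = on_terminate;
    return s;
}
/* Zero-timeout deferral: the callback runs only if someone polls the heap. */
void session_defer_terminate(session *s) { heap_schedule(s->heap, &s->term_timer); }
/* Safe teardown: cancel the entry BEFORE the memory that holds it is released. */
void session_destroy(session *s) { heap_cancel(s->heap, &s->term_timer); free(s); }
/* Shutdown without polling: returns how many entries the heap still references. */
int shutdown_without_polling(void) {
    timer_heap h = {0};
    session *a = session_create(&h), *b = session_create(&h);
    session_defer_terminate(a); session_defer_terminate(b);  /* list: b -> a */
    session_destroy(b);  /* left linked, b's freed entry would sit at the head ... */
    session_destroy(a);  /* ... and this cancel would walk through freed memory */
    return h.count;
}
```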
Change History (1)
comment:1 Changed 10 years ago by nanang
- Resolution set to fixed
- Status changed from new to closed
In 4969: