Opened 4 years ago

Closed 4 years ago

#1883 closed defect (fixed)

Crash in decrementing transport reference count

Reported by: nanang
Owned by: bennylp
Priority: normal
Milestone: release-2.5
Component: pjsip
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no

Description

Here is part of pjsip_transport_dec_ref() to help describe the scenario:

    if (pj_atomic_dec_and_get(tp->ref_cnt) == 0) {
        /* ref_cnt is already zero here, but the manager lock is not yet
         * held: the calling thread can be switched out at this point.
         */
        pj_lock_acquire(tp->tpmgr->lock);
        /* Verify again. Do not register timer if the transport is
         * being destroyed.
         */
        if (pj_atomic_get(tp->ref_cnt) == 0 && !tp->is_destroying) {

Scenario:

  1. Thread 1 calls pjsip_transport_dec_ref() on TCP transport A and decrements the ref count to zero. Before it gets the transport manager lock, a context switch occurs.
  2. Thread 2 calls pjsip_transport_shutdown() on TCP transport A after receiving notification that the connection was closed; as it sees that the transport's ref count is zero, it schedules an immediate timer (timeout == 0s) to destroy the transport.
  3. Thread 3 (worker thread) fires the timer and destroys transport A.
  4. When the context switches back to thread 1, a crash occurs as it tries to access the just-destroyed transport A.

Thanks Joshua Colp for the report.

Change History (1)

comment:1 Changed 4 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

In 5173:

Fix #1883: Check transport validity after getting transport manager lock in pjsip_transport_add/dec_ref() as transport may already be destroyed by another thread.
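The interleaving from the description and the check named in the changeset, replayed as an added, self-contained C model (not pjsip's code, and the validity check is only what r5173's message describes, not pjsip's actual implementation). Assumed names: a manager "live" table stands in for pjsip's transport registry, 'preempt' injects the context switch between the atomic decrement and the lock, and the poisoned memory stands in for a freed transport.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <string.h>
/* Constructed model of the #1883 race, not pjsip's own code. The manager's live
 * table decides validity; the replay is single-threaded, so the lock is a comment. */
#define MAX_TP 4
typedef struct transport {
    atomic_int ref_cnt;
    bool is_destroying;
    bool idle_timer_set;                 /* stands in for the idle-timer registration */
} transport_t;
typedef struct tpmgr { transport_t *live[MAX_TP]; } tpmgr_t;   /* owned transports */

static void tp_register(tpmgr_t *m, transport_t *tp, int refs) {
    atomic_init(&tp->ref_cnt, refs);
    tp->is_destroying = tp->idle_timer_set = false;
    for (int i = 0; i < MAX_TP; i++) if (!m->live[i]) { m->live[i] = tp; break; }
}
static bool tp_is_valid(const tpmgr_t *m, const transport_t *tp) {
    for (int i = 0; i < MAX_TP; i++) if (m->live[i] == tp) return true;
    return false;
}

/* Threads 2 and 3 of the scenario in one step: shutdown sees ref_cnt == 0 and the
 * immediate timer destroys the transport. Poisoning makes any stale read obvious. */
static void tp_destroy(tpmgr_t *m, transport_t *tp) {
    for (int i = 0; i < MAX_TP; i++) if (m->live[i] == tp) m->live[i] = NULL;
    memset(tp, 0xAA, sizeof *tp);
}

enum { DEC_REF_BUSY, DEC_REF_IDLE_TIMER, DEC_REF_TP_GONE };
/* dec_ref with the fix r5173 describes: after taking the manager lock, confirm the
 * transport is still registered. 'preempt' models thread 1's context switch. */
int dec_ref(tpmgr_t *m, transport_t *tp, void (*preempt)(tpmgr_t *, transport_t *)) {
    if (atomic_fetch_sub(&tp->ref_cnt, 1) - 1 != 0)
        return DEC_REF_BUSY;
    if (preempt) preempt(m, tp);                   /* thread 1 is switched out here */
    /* pj_lock_acquire(tp->tpmgr->lock); */
    if (!tp_is_valid(m, tp))                       /* destroyed meanwhile: hands off */
        return DEC_REF_TP_GONE;                    /* (lock released on this path) */
    if (atomic_load(&tp->ref_cnt) == 0 && !tp->is_destroying)
        tp->idle_timer_set = true;                 /* the original "register timer" */
    return DEC_REF_IDLE_TIMER;                     /* pj_lock_release(tp->tpmgr->lock); */
}

int replay(bool race, int refs) {      /* one dec_ref, with or without the race */
    tpmgr_t m = { { 0 } }; transport_t tp;
    tp_register(&m, &tp, refs);
    return dec_ref(&m, &tp, race ? tp_destroy : NULL);
}
```

Without the validity check, the raced call would read the poisoned transport and register a timer on freed memory, which is the crash the ticket reports.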
