id summary reporter owner description type status priority milestone component version resolution keywords cc backport_to_milestone backported
1883 Crash in decrementing transport reference count nanang bennylp "Here is part of {{{pjsip_transport_dec_ref()}}} to help describe the scenario:
{{{
    if (pj_atomic_dec_and_get(tp->ref_cnt) == 0) {
        pj_lock_acquire(tp->tpmgr->lock);
        /* Verify again. Do not register timer if the transport is
         * being destroyed.
         */
        if (pj_atomic_get(tp->ref_cnt) == 0 && !tp->is_destroying) {
}}}

Scenario:
 1. Thread 1 calls {{{pjsip_transport_dec_ref()}}} on TCP transport A and decrements the ref count to zero. Before it gets the transport manager lock, a context switch occurs.
 1. Thread 2 calls {{{pjsip_transport_shutdown()}}} on TCP transport A after receiving notification that the connection was closed. As it sees the transport's ref count is zero, it schedules an immediate timer (timeout==0s) for destroying the transport.
 1. Thread 3 (worker thread) fires the timer and destroys transport A.
 1. When the context is back to thread 1, a crash occurs as it tries to access the just-destroyed transport A.

Thanks Joshua Colp for the report." defect closed normal release-2.5 pjsip trunk fixed 0
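The interleaving in the scenario above, replayed deterministically in a single-threaded model. This is an added example, not pjsip code and not the fix applied for this ticket. The type `model_tp`, the three functions, the assumption that shutdown and destroy serialize on the manager lock, and the lock-then-decrement ordering are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed single-threaded model of the ticket's interleaving; not pjsip
 * code. `destroyed` stands in for freed memory so the stale access can be
 * observed instead of crashing. */
typedef struct {
    int  ref_cnt;
    bool is_destroying;
    bool destroyed;
    bool mgr_locked;   /* models tp->tpmgr->lock being held by thread 1 */
} model_tp;

/* Threads 2 and 3 of the scenario: shutdown sees ref_cnt == 0 and schedules a
 * 0 s timer, then the worker fires it and destroys the transport.
 * Assumption: both serialize on the manager lock. Returns false if blocked. */
static bool other_threads_run(model_tp *tp) {
    if (tp->mgr_locked) return false;
    if (tp->ref_cnt == 0) { tp->is_destroying = true; tp->destroyed = true; }
    return true;
}

/* Order shown in the ticket: decrement, then lock. The context switch sits
 * between the two. Returns true if thread 1 goes on to touch a destroyed tp. */
static bool dec_then_lock(model_tp *tp) {
    bool zero = (--tp->ref_cnt == 0);
    other_threads_run(tp);              /* context switch before the lock */
    return zero && tp->destroyed;       /* tp->tpmgr->lock would be stale */
}

/* Hypothetical alternative order: take the manager lock while still holding
 * the reference, then decrement and re-check under the lock. */
static bool lock_then_dec(model_tp *tp) {
    tp->mgr_locked = true;
    bool zero = (--tp->ref_cnt == 0);
    other_threads_run(tp);              /* same switch point: they block */
    bool stale = zero && tp->destroyed;
    tp->mgr_locked = false;             /* idle timer would be registered before this */
    return stale;
}

int main(void) {
    model_tp a = { .ref_cnt = 1 }, b = { .ref_cnt = 1 };
    printf("decrement-then-lock stale access: %d\n", dec_then_lock(&a));
    printf("lock-then-decrement stale access: %d\n", lock_then_dec(&b));
    return 0;
}
```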