Ticket #1988 (closed defect: fixed)
Crash on UDP transport restart
|Reported by:||nanang||Owned by:||bennylp|
|Backport to 1.x milestone:||Backported:||no|
It was reported that the crash happens because an outstanding read operation key is reset by udp_on_read_complete(), so the socket read list gets corrupted. When there is an incoming packet, ioqueue tries to deliver the packet to the application by accessing the corrupted socket read list.
After investigation, a possible scenario is:
- The spinning loop inside the read callback udp_on_read_complete() is somehow still running while another thread is executing the UDP restart (pjsip_udp_transport_restart()).
- The UDP restart reinitiates the read operations, so some op_key are queued to the socket read list.
- Unfortunately, the still-spinning udp_on_read_complete() may wipe out those op_key.
The idea of the solution is to make sure that no read callback is executing before the read operations are reinitiated in the UDP restart. However, such synchronization is not simple (note: ioqueue may release the key/socket lock before invoking the read callback to avoid deadlock). A possible workaround is to wait for any active spinning loop in the read callback to complete before reinitiating the read operations in the UDP restart.
Thanks Kinsey Moore for the report.
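The scenario and the workaround above, reduced to a small threaded model. This is an added example, not pjsip code: `read_cb`, `restart`, `surviving_keys`, the `in_read_cb` counter and the `queued` array are hypothetical stand-ins for the read callback, the UDP restart and the socket read list.

```c
/* Added illustration: a simplified model of the race, NOT pjsip code.
 * All names are hypothetical. Build: cc -pthread model.c */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

#define N_OPS 4
static atomic_int in_read_cb;     /* read callbacks currently running */
static atomic_int queued[N_OPS];  /* 1 = op_key is on the socket read list */

/* Models the spinning read callback: every pass resets each op_key. */
static void *read_cb(void *arg) {
    (void)arg;
    for (int pass = 0; pass < 2000; pass++) {
        for (int i = 0; i < N_OPS; i++) atomic_store(&queued[i], 0);
        sched_yield();            /* constructed stand-in for packet handling */
    }
    atomic_fetch_sub(&in_read_cb, 1);   /* spinning loop has finished */
    return NULL;
}

/* Models the restart: optionally wait for the active loop, then re-queue. */
static void restart(int wait_for_cb) {
    while (wait_for_cb && atomic_load(&in_read_cb) > 0) sched_yield();
    for (int i = 0; i < N_OPS; i++) atomic_store(&queued[i], 1);
}

/* Returns how many op_keys are still queued after the callback has exited. */
int surviving_keys(int wait_for_cb) {
    pthread_t t;
    int n = 0;
    atomic_store(&in_read_cb, 1); /* callback counts as active before restart */
    if (pthread_create(&t, NULL, read_cb, NULL) != 0) return -1;
    restart(wait_for_cb);
    pthread_join(t, NULL);
    for (int i = 0; i < N_OPS; i++) n += atomic_load(&queued[i]);
    return n;
}

int main(void) {
    printf("restart without wait: %d of %d op_keys survive\n",
           surviving_keys(0), N_OPS);
    printf("restart with wait:    %d of %d op_keys survive\n",
           surviving_keys(1), N_OPS);
    return 0;
}
```

The wait only covers a callback that is already counted as active when the restart begins, which is why the ticket calls it a workaround and not full synchronization.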