![(please configure the [header_logo] section in trac.ini)](/repos/chrome/site/pj.jpg)
Opened 8 years ago
Closed 7 years ago
#2009 closed defect (fixed)
Crash in TURN server resolution callback when ICE objects already destroyed
| Reported by: | nanang | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-2.7 |
| Component: | pjnath | Version: | trunk |
| Keywords: | Cc: | ||
| Backport to 1.x milestone: | Backported: | no |
Description (last modified by nanang)
There are two synchronization issues in ICE:
- ICE objects are destroyed while DNS resolution of TURN server is on progress, so crash will happen when the resolution callback is invoked.
Stack trace:
Exception Type: SIGSEGV Exception Codes: SEGV_MAPERR at 0x321e07eb52803ca1 Thread 17 Crashed: 0 0x30303363 null 1 0x10124bb40 sess_init_update + 528 2 0x10124f9d8 turn_on_state + 1520 3 0x101262374 turn_on_state + 112 4 0x10125ef74 set_state + 216 5 0x10125f74c dns_srv_resolver_cb + 64 6 0x1011ae078 dns_callback + 3272 7 0x1011a698c on_read_complete + 1308
- Race condition between PJMEDIA transport ICE's pjmedia_transport_close() and ICE stream transport's sess_init_update():
- sess_init_update() thread is suspended after evaluating destroy_req that is equal to PJ_FALSE
- pjmedia_transport_close() is invoked (from another thread, e.g: SIP or UI thread), then transport ICE is destroyed
- when sess_init_update() thread is resumed and invoking callback to transport ICE, crash occurs as transport ICE is destroyed already.
Thanks Qinxi Chen and Alexei Kolomiets for the report.
Change History (3)
comment:1 Changed 8 years ago by nanang
comment:2 Changed 7 years ago by nanang
- Description modified (diff)
comment:3 Changed 7 years ago by nanang
- Resolution set to fixed
- Status changed from new to closed
In 5604:
Note: See
TracTickets for help on using
tickets.
In 5583: