Context Navigation

← Previous Ticket
Next Ticket →

#2240 closed defect (fixed)

Double destroy of invite session

Reported by:	nanang	Owned by:	nanang
Priority:	normal	Milestone:	release-2.10
Component:	pjsip	Version:	trunk
Keywords:		Cc:
Backport to 1.x milestone:		Backported:	no

Description

Double destroy is indicated by this assertion line:

pjsip_inv_dec_ref: Assertion `inv && inv->ref_cnt' failed.

with traceback:

#0 pjsip_inv_dec_ref (inv=0x4f4b214) at ../src/pjsip-ua/sip_inv.c:245
#1 inv_set_state (inv=0x4f4b214, state=<optimized out>, e=<optimized out>) at ../src/pjsip-ua/sip_inv.c:323
#2 mod_inv_on_tsx_state (tsx=0x4f39864, e=0x6ead64ac) at ../src/pjsip-ua/sip_inv.c:717
#3 pjsip_dlg_on_tsx_state (dlg=0x4f32864, tsx=0x4f39864, e=0x6ead64ac) at ../src/pjsip/sip_dialog.c:2066
#4 tsx_set_state (tsx=tsx@entry=0x4f39864, state=state@entry=PJSIP_TSX_STATE_PROCEEDING,
           event_src_type=event_src_type@entry=PJSIP_EVENT_TX_MSG, event_src=event_src@entry=0x4ef0064, 
           flag=flag@entry=0) at ../src/pjsip/sip_transaction.c:1267
#5 tsx_on_state_proceeding_uas (tsx=0x4f39864, event=<optimized out>) at ../src/pjsip/sip_transaction.c:2710
#6 pjsip_tsx_send_msg (tsx=tsx@entry=0x4f39864, tdata=tdata@entry=0x4ef0064) at ../src/pjsip/sip_transaction.c:1789
#7 pjsip_dlg_send_response (dlg=0x4f32864, tsx=0x4f39864, tdata=tdata@entry=0x4ef0064) at ../src/pjsip/sip_dialog.c:1531
#8 pjsip_inv_send_msg (inv=0x4f4b214, tdata=0x4ef0064) at ../src/pjsip-ua/sip_inv.c:3231
#9 pjsua_call_answer2 (call_id=0, opt=0x0, code=180, reason=0x0, msg_data=0x0) at ../src/pjsua-lib/pjsua_call.c:2317
#10 process_pending_call_answer (call=call@entry=0x76ed5aa8 <pjsua_var+19928>) at ../src/pjsua-lib/pjsua_call.c:978
#11 pjsua_call_on_incoming (rdata=rdata@entry=0x2b6c014) at ../src/pjsua-lib/pjsua_call.c:1666

After investigation, the pjsip_inv_dec_ref() at the top of the traceback can only be called when invite session state is shifting to DISCONNECTED, while answering the call with 180 (as shown in the traceback) normally cause invite session state to shift to EARLY instead of DISCONNECTED, so perhaps the call was disconnected somewhere within the invite session callback on_state_changed() and pjsip_inv_dec_ref() was called twice.

Thanks to Martin Oberhuber for the report.

Change History (1)

comment:1 Changed 5 years ago by nanang

Owner set to nanang
Resolution set to fixed
Status changed from new to closed

In 6087:

Fixed #2240:

Avoid double pjsip_inv_dec_ref() by evaluating the local var 'state' instead of 'inv->state' in checking DISCONNECTED state in 'inv_set_state()', as the 'on_state_changed()' callback may recursively call 'inv_set_state()' and shift the state to DISCONNECTED.
Avoid inv sess destroy in the callback by increasing ref count.

Note: See TracTickets for help on using tickets.

Download in other formats: