drachtio / drachtio-server

A SIP call processing server that can be controlled via nodejs applications
https://drachtio.org
MIT License

TimerQueue crash #346

Open falvarezoliva opened 7 months ago

falvarezoliva commented 7 months ago

Sometimes the service crashes due to a null pointer exception in the function TimerQueue::remove because entry->m_prev and entry->m_next are null pointers.

      else {
        assert( entry->m_prev ) ;
        assert( entry->m_next ) ;
        entry->m_prev->m_next = entry->m_next ;
        entry->m_next->m_prev = entry->m_prev ;
      }

I think that something is wrong in the function doTimer. In the following code, when !expired, it sets both links prev and next of ptr to NULL and afterwards does ptr = ptr->m_next, so the original ptr is orphaned. This means that when remove is invoked with this ptr, the application crashes.

      if( !expired ) {
        expired = tailExpired = ptr ;
        ptr->m_prev = ptr->m_next = NULL ;
      }
      else {
        tailExpired->m_next = ptr ;
        ptr->m_prev = tailExpired ;
        tailExpired = ptr ;
      }
      ptr = ptr->m_next ;

davehorton commented 7 months ago

please provide a stack trace from such a crash

falvarezoliva commented 7 months ago

I will send you a trace, but just tell me whether this is a possible bug. The timer function executes doTimer but not drachtio::LockingTimerQueue::doTimer, so it is violating the mutex and also crashes.

      void timer_function( void *rm, su_timer_t *timer, void* p ) {
        drachtio::TimerQueue* queue = static_cast<drachtio::TimerQueue*>( p ) ;
        queue->doTimer(timer) ;
      }
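The two hazards described in this thread, remove() dereferencing the null neighbours of an entry that doTimer has already detached (first comment) and the timer callback reaching doTimer through a base-class pointer so the locking subclass is bypassed (third comment), in one added illustration. This is example code written for this page, not drachtio-server's TimerQueue; the entry fields other than m_prev/m_next, the isLinked() check, the sorted add(), the lockedTicks counter and the extra `now` argument on the callback stand-in are assumptions of the example.

```cpp
#include <cstdint>
#include <mutex>
#include <vector>

// Constructed stand-in for a drachtio-style timer entry: a doubly linked node with
// an expiry tick (m_prev/m_next as in the issue, everything else assumed).
struct TimerQueueEntry {
    TimerQueueEntry(uint64_t w, int i) : when(w), id(i) {}
    uint64_t when;
    int id;
    TimerQueueEntry* m_prev = nullptr;
    TimerQueueEntry* m_next = nullptr;
};

class TimerQueue {
public:
    // A popped entry has both links nulled; only the head may legitimately look
    // like that, so any other entry with null links is detached.
    bool isLinked(const TimerQueueEntry* e) const {
        return e == m_head || e->m_prev != nullptr || e->m_next != nullptr;
    }
    void add(TimerQueueEntry* e) {                      // insert in ascending expiry order
        TimerQueueEntry* cur = m_head;
        while (cur && cur->when <= e->when) cur = cur->m_next;
        e->m_next = cur;
        e->m_prev = cur ? cur->m_prev : m_tail;
        if (e->m_prev) e->m_prev->m_next = e; else m_head = e;
        if (cur) cur->m_prev = e; else m_tail = e;
        ++m_length;
    }
    // Hardened remove: reject an entry that is not in the list instead of
    // dereferencing its null neighbours, which is the crash path in the issue.
    bool remove(TimerQueueEntry* e) {
        if (!isLinked(e)) return false;
        if (e->m_prev) e->m_prev->m_next = e->m_next; else m_head = e->m_next;
        if (e->m_next) e->m_next->m_prev = e->m_prev; else m_tail = e->m_prev;
        e->m_prev = e->m_next = nullptr;
        --m_length;
        return true;
    }
    // Pop every expired entry from the front.  The successor is read before the
    // links are nulled; reading ptr->m_next afterwards yields NULL, ends the
    // walk early and orphans the rest of the expired run.
    virtual void doTimer(uint64_t now) {
        TimerQueueEntry* ptr = m_head;
        while (ptr && ptr->when <= now) {
            TimerQueueEntry* next = ptr->m_next;
            m_head = next;
            if (m_head) m_head->m_prev = nullptr; else m_tail = nullptr;
            ptr->m_prev = ptr->m_next = nullptr;        // detached: remove() now rejects it
            --m_length;
            m_fired.push_back(ptr->id);
            ptr = next;
        }
    }
    const std::vector<int>& fired() const { return m_fired; }
    int length() const { return m_length; }
private:
    TimerQueueEntry* m_head = nullptr;
    TimerQueueEntry* m_tail = nullptr;
    int m_length = 0;
    std::vector<int> m_fired;
};

// doTimer is virtual, so the callback below reaches this override through a plain
// TimerQueue*; a non-virtual doTimer would run the unlocked base version instead.
class LockingTimerQueue : public TimerQueue {
public:
    void doTimer(uint64_t now) override {
        std::lock_guard<std::mutex> lk(m_mutex);
        ++m_lockedTicks;
        TimerQueue::doTimer(now);
    }
    int lockedTicks() const { return m_lockedTicks; }
private:
    std::mutex m_mutex;
    int m_lockedTicks = 0;
};

// Stand-in for the sofia-sip callback quoted in the issue; the extra `now` argument
// replaces the real clock so the example runs deterministically.
static void timer_function(void* /*rm*/, void* /*timer*/, void* p, uint64_t now) {
    static_cast<TimerQueue*>(p)->doTimer(now);          // virtual dispatch
}

struct Outcome {
    std::vector<int> fired;
    bool removedFiredEntry, removedPendingEntry;        // remove() on a popped / a queued entry
    int lockedTicks;
    int remaining;
};

// Three constructed timers at ticks 10, 20, 30; one tick at `now`; then remove() on the first and last.
Outcome runScenario(uint64_t now) {
    LockingTimerQueue q;
    TimerQueueEntry a(10, 1), b(20, 2), c(30, 3);
    q.add(&c); q.add(&a); q.add(&b);
    timer_function(nullptr, nullptr, &q, now);
    return Outcome{q.fired(), q.remove(&a), q.remove(&c), q.lockedTicks(), q.length()};
}
```

Build with `g++ -std=c++11 -pthread`. With `now = 25`, entries 1 and 2 fire, `remove()` on entry 1 returns false instead of dereferencing null neighbours, and `lockedTicks()` is 1, showing that the tick delivered through a `TimerQueue*` still took the lock. Dropping `virtual` from `doTimer` is the quickest way to reproduce the unlocked path: the same call then leaves `lockedTicks()` at 0.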

falvarezoliva commented 7 months ago

Log of crash

drachtio.log