ossrs / srs

SRS is a simple, high-efficiency, real-time media server supporting RTMP, WebRTC, HLS, HTTP-FLV, HTTP-TS, SRT, MPEG-DASH, and GB28181.
https://ossrs.io
MIT License

heap-use-after-free crash occurs after the streaming endpoint disconnects. #4143

Closed retamia closed 2 months ago

retamia commented 2 months ago

Describe the bug

When there are two playback endpoints, a heap-use-after-free crash occurs after the streaming endpoint disconnects.

Version

release6.0

To Reproduce

Steps to reproduce the behavior:

  1. Open OBS and start streaming.
  2. Run ffmpeg: ffmpeg -rw_timeout 10000000 -i http://127.0.0.1:8080/live/test.flv -c copy -f flv -y /dev/null
  3. Open another terminal and run the ffmpeg command: ffmpeg -rw_timeout 10000000 -i http://127.0.0.1:8080/live/test.flv -c copy -f flv -y /dev/null
  4. Stop streaming in OBS.

Expected behavior

When the streaming and playback endpoints end normally, SRS will not crash.

Additional context

./objs/srs -c conf/http.flv.live.conf
[2024-08-13 20:18:51.531][INFO][23519][6776o0b8] XCORE-SRS/6.0.146(Hang)
[2024-08-13 20:18:51.535][INFO][23519][6776o0b8] config parse complete
[2024-08-13 20:18:51.535][INFO][23519][6776o0b8] write log to console
[2024-08-13 20:18:51.535][INFO][23519][6776o0b8] SRS/6.0.146(Hang), MIT
[2024-08-13 20:18:51.535][INFO][23519][6776o0b8] authors: Winlin<winlinvip@gmail.com> XiaoZhihong<hondaxiao@tencent.com> Winlin<winlinvip@gmail.com> ZhaoWenjie<zhaowenjie@tal.com> ShiWei<xiaoq_bj@126.com> XiaoZhihong<hondaxiao@tencent.com> WuPengqiang<pengqiang.wpq@alibaba-inc.com> XiaLixin<xialixin@kanzhun.com> LiPeng<lipeng19811218@gmail.com> ChenGuanghua<jinxue.cgh@alibaba-inc.com> ChenHaibo<nmgchenhaibo@foxmail.com> ZhangJunqin<chundonglinlin@126.com> and https://github.com/ossrs/srs/blob/develop/trunk/AUTHORS.md#contributors
[2024-08-13 20:18:51.535][INFO][23519][6776o0b8] cwd=/Volumes/t7/live/srs/trunk, work_dir=./, build: 2024-08-13 20:18:12, configure: --log-verbose=on --log-info=on --log-level_v2=on --srt=on --rtc=off --cxx11=on --jobs=12, uname: Darwin mtdeMacBook-Pro.local 23.5.0 Darwin Kernel Version 23.5.0: Wed May  1 20:09:52 PDT 2024; root:xnu-10063.121.3~5/RELEASE_X86_64 x86_64, osx: 1, env: 0, pkg: 
[2024-08-13 20:18:51.535][INFO][23519][6776o0b8] configure detail: --prefix=/usr/local/srs --config=conf/srs.conf --osx=on --hls=on --hds=off --dvr=on --ssl=on --https=on --ssl-1-0=off --ssl-local=off --sys-ssl=off --transcode=on --ingest=on --stat=on --http-callback=on --http-server=on --stream-converter=on --http-api=on --utest=off --srt=on --sys-srt=off --rtc=off --h265=on --gb28181=off --simulator=off --cxx11=on --cxx14=off --backtrace=on --ffmpeg-fit=reserved --sys-ffmpeg=off --ffmpeg-opus=off --nasm=on --srtp-nasm=off --sys-srtp=off --clean=on --gperf=off --gmc=off --gmd=off --gmp=off --gcp=off --gprof=off --static=off --shared-st=off --shared-srt=reserved --shared-ffmpeg=reserved --shared-srtp=reserved --log-verbose=on --log-info=on --log-trace=on --log-level_v2=on --gcov=off --apm=off --debug=off --debug-stats=off --cross-build=off --sanitizer=on --sanitizer-static=off --sanitizer-log=off --cygwin64=off --single-thread=on --generic-linux=off --build-cache=on --cc=gcc --cxx=g++ --ar=ar --ld=gcc --randlib=randlib
[2024-08-13 20:18:51.535][INFO][23519][6776o0b8] srs checking config...
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] ips, iface[0] en0 ipv4 0x8863 192.168.20.92, iface[1] en5 ipv6 0x8863 fe80::aede:48ff:fe00:1122%en5, iface[2] en0 ipv6 0x8863 fe80::8b2:73e:c5af:12d8%en0, iface[3] awdl0 ipv6 0x8843 fe80::e030:95ff:fe0e:2907%awdl0, iface[4] llw0 ipv6 0x8863 fe80::e030:95ff:fe0e:2907%llw0
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] devices, intranet en0 192.168.20.92, intranet en5 fe80::aede:48ff:fe00:1122%en5, intranet en0 fe80::8b2:73e:c5af:12d8%en0, intranet awdl0 fe80::e030:95ff:fe0e:2907%awdl0, intranet llw0 fe80::e030:95ff:fe0e:2907%llw0
[2024-08-13 20:18:51.538][WARN][23519][6776o0b8][0] stats network use index=0, ip=192.168.20.92, ifname=en0
[2024-08-13 20:18:51.538][WARN][23519][6776o0b8][0] stats disk not configed, disk iops disabled.
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] write log to console
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] features, rch:on, dash:on, hls:on, hds:off, srt:on, hc:on, ha:on, hs:on, hp:on, dvr:on, trans:on, inge:on, stat:on, sc:on
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] SRS on amd64 x86_64, conf:conf/http.flv.live.conf, limit:1000, writev:1024, encoding:little-endian, HZ:100
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] mw sleep:350ms. mr enabled:on, default:0, sleep:350ms
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] gc:on, pq:30000ms, cscc:[0,16), csa:on, tn:on(may hurts performance), ss:auto(guess by merged write)
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] system default latency(ms): mw(0-350) + mr(0-350) + play-queue(0-30000)
[2024-08-13 20:18:51.538][WARN][23519][6776o0b8][0] SRS/6.0.146 is not stable
[2024-08-13 20:18:51.538][INFO][23519][6776o0b8] Run in single thread mode
[2024-08-13 20:18:51.547][INFO][23519][6776o0b8] CircuitBreaker: enabled=1, high=2x90, critical=1x95, dying=5x99
[2024-08-13 20:18:51.547][INFO][23519][6776o0b8] http flv live stream, vhost=__defaultVhost__, mount=[vhost]/[app]/[stream].flv
[2024-08-13 20:18:51.547][INFO][23519][6776o0b8] http: root mount to ./objs/nginx/html
[2024-08-13 20:18:51.547][INFO][23519][6776o0b8] server main cid=6776o0b8, pid=23519, ppid=19489, asprocess=0
[2024-08-13 20:18:51.548][INFO][23519][6776o0b8] RTMP listen at tcp://0.0.0.0:1935, fd=7
[2024-08-13 20:18:51.548][INFO][23519][6776o0b8] HTTP-Server listen at tcp://0.0.0.0:8080, fd=8
[2024-08-13 20:18:51.548][INFO][23519][6776o0b8] signal installed, reload=1, reopen=30, fast_quit=15, grace_quit=3
[2024-08-13 20:18:51.549][INFO][23519][6776o0b8] http: api mount /console to ./objs/nginx/html/console
[2024-08-13 20:18:51.549][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB
[2024-08-13 20:18:51.550][INFO][23519][xn98t9x5] TCP: connection manager run, conns=0
[2024-08-13 20:18:51.550][INFO][23519][31702kfi] SRT: connection manager run, conns=0
[2024-08-13 20:18:54.267][INFO][23519][2bd65x79] RTMP client ip=127.0.0.1:60861, fd=9
[2024-08-13 20:18:54.268][INFO][23519][2bd65x79] simple handshake success.
[2024-08-13 20:18:54.268][INFO][23519][2bd65x79] connect app, tcUrl=rtmp://127.0.0.1:1935/live, pageUrl=, swfUrl=rtmp://127.0.0.1:1935/live, schema=rtmp, vhost=127.0.0.1, port=1935, app=live, args=null
[2024-08-13 20:18:54.268][INFO][23519][2bd65x79] protocol in.buffer=0, in.ack=0, out.ack=0, in.chunk=4096, out.chunk=128
[2024-08-13 20:18:54.268][INFO][23519][2bd65x79] client identified, type=fmle-publish, vhost=127.0.0.1, app=live, stream=202404-78db246b-9ad8-472b-9dd6-df04f108886e, param=, duration=0ms
[2024-08-13 20:18:54.268][INFO][23519][2bd65x79] connected stream, tcUrl=rtmp://127.0.0.1:1935/live, pageUrl=, swfUrl=rtmp://127.0.0.1:1935/live, schema=rtmp, vhost=__defaultVhost__, port=1935, app=live, stream=202404-78db246b-9ad8-472b-9dd6-df04f108886e, param=, args=null
[2024-08-13 20:18:54.269][INFO][23519][2bd65x79] new live source, stream_url=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e
[2024-08-13 20:18:54.269][INFO][23519][2bd65x79] source url=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e, ip=127.0.0.1, cache=1/2500, is_edge=0, source_id=/
[2024-08-13 20:18:54.270][INFO][23519][2bd65x79] ignore disabled exec for vhost=__defaultVhost__
[2024-08-13 20:18:54.270][INFO][23519][2bd65x79] http: mount flv stream for sid=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e, mount=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv
[2024-08-13 20:18:54.270][INFO][23519][2bd65x79] start publish mr=0/350, p1stpt=20000, pnt=5000, tcp_nodelay=0
[2024-08-13 20:18:54.270][INFO][23519][2bd65x79] got metadata, width=1280, height=720, vcodec=7, acodec=10
[2024-08-13 20:18:54.457][INFO][23519][2bd65x79] 7B audio sh, codec(10, profile=LC, 2channels, 0kbps, 22050HZ), flv(16bits, 2channels, 22050HZ)
[2024-08-13 20:18:54.457][INFO][23519][2bd65x79] 50B video sh, codec(7, profile=Main, level=3.1, 1280x720, 0kbps, 0.0fps, 0.0s)
[2024-08-13 20:18:56.531][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB
[2024-08-13 20:18:57.969][INFO][23519][59o0282v] HTTP #0 127.0.0.1:60909 GET http://127.0.0.1:8080/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, content-length=-1
[2024-08-13 20:18:57.969][INFO][23519][59o0282v] dispatch cached gop success. count=79, duration=1524
[2024-08-13 20:18:57.969][INFO][23519][59o0282v] create consumer, active=1, queue_size=30000ms, jitter=1
[2024-08-13 20:18:57.969][INFO][23519][59o0282v] FLV /live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, encoder=FLV, mw_sleep=350ms, cache=0, msgs=128, dinm=1, guess_av=1/1/1
[2024-08-13 20:18:57.969][INFO][23519][59o0282v] FLV: write header audio=1, video=1, dinm=1, config=1/1/1
[2024-08-13 20:19:00.734][INFO][23519][n09fu703] HTTP #0 127.0.0.1:60949 GET http://127.0.0.1:8080/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, content-length=-1
[2024-08-13 20:19:00.734][INFO][23519][n09fu703] dispatch cached gop success. count=19, duration=374
[2024-08-13 20:19:00.734][INFO][23519][n09fu703] create consumer, active=1, queue_size=30000ms, jitter=1
[2024-08-13 20:19:00.734][INFO][23519][n09fu703] FLV /live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, encoder=FLV, mw_sleep=350ms, cache=0, msgs=128, dinm=1, guess_av=1/1/1
[2024-08-13 20:19:00.734][INFO][23519][n09fu703] FLV: write header audio=1, video=1, dinm=1, config=1/1/1
[2024-08-13 20:19:01.532][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB
[2024-08-13 20:19:06.532][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=183,1, timer=62,0,0, clock=1,46,2,0,0,0,0,0,0
[2024-08-13 20:19:06.569][INFO][23519][2bd65x79] cleanup when unpublish
[2024-08-13 20:19:06.689][INFO][23519][n09fu703] TCP: before dispose resource(HttpConn)(0x60c000001d80), conns=3, zombies=0, ign=0, inz=0, ind=0
[2024-08-13 20:19:06.689][WARN][23519][n09fu703][4] server disconnect. ret=4040
[2024-08-13 20:19:06.689][INFO][23519][xn98t9x5] TCP: clear zombies=1 resources, conns=3, removing=0, unsubs=0
[2024-08-13 20:19:06.689][INFO][23519][n09fu703] TCP: disposing #0 resource(HttpConn)(0x60c000001d80), conns=3, disposing=1, zombies=0
[2024-08-13 20:19:06.726][INFO][23519][59o0282v] TCP: before dispose resource(HttpConn)(0x60c0000019c0), conns=2, zombies=0, ign=0, inz=0, ind=0
[2024-08-13 20:19:06.726][WARN][23519][59o0282v][4] server disconnect. ret=4040
[2024-08-13 20:19:06.727][INFO][23519][xn98t9x5] TCP: clear zombies=1 resources, conns=2, removing=0, unsubs=0
[2024-08-13 20:19:06.727][INFO][23519][59o0282v] TCP: disposing #0 resource(HttpConn)(0x60c0000019c0), conns=2, disposing=1, zombies=0
[2024-08-13 20:19:06.769][INFO][23519][2bd65x79] http: unmount flv stream for sid=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e, i=2
[2024-08-13 20:19:06.769][INFO][23519][2bd65x79] TCP: before dispose resource(RtmpConn)(0x6120000007c0), conns=1, zombies=0, ign=0, inz=0, ind=0
[2024-08-13 20:19:06.769][WARN][23519][2bd65x79][4] client disconnect peer. ret=1009
[2024-08-13 20:19:06.769][INFO][23519][xn98t9x5] TCP: clear zombies=1 resources, conns=1, removing=0, unsubs=0
[2024-08-13 20:19:06.769][INFO][23519][2bd65x79] TCP: disposing #0 resource(RtmpConn)(0x6120000007c0), conns=1, disposing=1, zombies=0
[2024-08-13 20:19:11.532][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=183,1, timer=62,0,0, clock=1,46,2,0,0,0,0,0,0
[2024-08-13 20:19:12.537][INFO][23519][eh0g9445] Live: cleanup die source, id=[2bd65x79], total=1
[2024-08-13 20:19:12.537][INFO][23519][eh0g9445] free live source id=[2bd65x79]
[2024-08-13 20:19:16.532][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=183,1, timer=62,0,0, clock=1,46,2,0,0,0,0,0,0
[2024-08-13 20:19:21.211][INFO][23519][h9034b6m] HTTP #0 127.0.0.1:61212 GET http://127.0.0.1:8080/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, content-length=-1
[2024-08-13 20:19:21.212][INFO][23519][h9034b6m] new live source, stream_url=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e
[2024-08-13 20:19:21.212][INFO][23519][h9034b6m] http: mount flv stream for sid=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e, mount=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv
[2024-08-13 20:19:21.212][INFO][23519][h9034b6m] flv: source url=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e, is_edge=0, source_id=/
[2024-08-13 20:19:21.212][INFO][23519][h9034b6m] create consumer, active=0, queue_size=30000ms, jitter=1
[2024-08-13 20:19:21.212][INFO][23519][h9034b6m] FLV /live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, encoder=FLV, mw_sleep=350ms, cache=0, msgs=128, dinm=1, guess_av=1/1/1
[2024-08-13 20:19:21.532][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=59,1, timer=62,0,0, clock=0,44,3,1,1,1,0,0,0, free=1
[2024-08-13 20:19:26.533][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=59,1, timer=62,0,0, clock=0,44,3,1,1,1,0,0,0, free=1
[2024-08-13 20:19:26.815][INFO][23519][h9034b6m] TCP: before dispose resource(HttpConn)(0x60c000002140), conns=1, zombies=0, ign=0, inz=0, ind=0
[2024-08-13 20:19:26.815][WARN][23519][h9034b6m][54] client disconnect peer. ret=1007
[2024-08-13 20:19:26.815][INFO][23519][xn98t9x5] TCP: clear zombies=1 resources, conns=1, removing=0, unsubs=0
[2024-08-13 20:19:26.815][INFO][23519][h9034b6m] TCP: disposing #0 resource(HttpConn)(0x60c000002140), conns=1, disposing=1, zombies=0
[2024-08-13 20:19:29.216][INFO][23519][5j20tp07] RTMP client ip=127.0.0.1:61307, fd=9
[2024-08-13 20:19:29.216][INFO][23519][5j20tp07] simple handshake success.
[2024-08-13 20:19:29.216][INFO][23519][5j20tp07] connect app, tcUrl=rtmp://127.0.0.1:1935/live, pageUrl=, swfUrl=rtmp://127.0.0.1:1935/live, schema=rtmp, vhost=127.0.0.1, port=1935, app=live, args=null
[2024-08-13 20:19:29.216][INFO][23519][5j20tp07] protocol in.buffer=0, in.ack=0, out.ack=0, in.chunk=4096, out.chunk=128
[2024-08-13 20:19:29.216][INFO][23519][5j20tp07] client identified, type=fmle-publish, vhost=127.0.0.1, app=live, stream=202404-78db246b-9ad8-472b-9dd6-df04f108886e, param=, duration=0ms
[2024-08-13 20:19:29.216][INFO][23519][5j20tp07] connected stream, tcUrl=rtmp://127.0.0.1:1935/live, pageUrl=, swfUrl=rtmp://127.0.0.1:1935/live, schema=rtmp, vhost=__defaultVhost__, port=1935, app=live, stream=202404-78db246b-9ad8-472b-9dd6-df04f108886e, param=, args=null
[2024-08-13 20:19:29.216][INFO][23519][5j20tp07] source url=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e, ip=127.0.0.1, cache=1/2500, is_edge=0, source_id=/
[2024-08-13 20:19:29.217][INFO][23519][5j20tp07] ignore disabled exec for vhost=__defaultVhost__
[2024-08-13 20:19:29.217][INFO][23519][5j20tp07] start publish mr=0/350, p1stpt=20000, pnt=5000, tcp_nodelay=0
[2024-08-13 20:19:29.217][INFO][23519][5j20tp07] got metadata, width=1280, height=720, vcodec=7, acodec=10
[2024-08-13 20:19:29.417][INFO][23519][5j20tp07] 7B audio sh, codec(10, profile=LC, 2channels, 0kbps, 22050HZ), flv(16bits, 2channels, 22050HZ)
[2024-08-13 20:19:29.417][INFO][23519][5j20tp07] 50B video sh, codec(7, profile=Main, level=3.1, 1280x720, 0kbps, 0.0fps, 0.0s)
[2024-08-13 20:19:31.533][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=90,1, timer=62,0,0, clock=0,45,3,0,0,1,0,1,0, free=1
[2024-08-13 20:19:34.242][INFO][23519][6c9t83g6] HTTP #0 127.0.0.1:61370 GET http://127.0.0.1:8080/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, content-length=-1
[2024-08-13 20:19:34.242][INFO][23519][6c9t83g6] dispatch cached gop success. count=47, duration=902
[2024-08-13 20:19:34.242][INFO][23519][6c9t83g6] create consumer, active=1, queue_size=30000ms, jitter=1
[2024-08-13 20:19:34.242][INFO][23519][6c9t83g6] FLV /live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, encoder=FLV, mw_sleep=350ms, cache=0, msgs=128, dinm=1, guess_av=1/1/1
[2024-08-13 20:19:34.242][INFO][23519][6c9t83g6] -> HTS http: got 50 msgs, age=0, min=8, mw=350
[2024-08-13 20:19:34.242][INFO][23519][6c9t83g6] FLV: write header audio=1, video=1, dinm=1, config=1/1/1
[2024-08-13 20:19:36.533][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=90,1, timer=62,0,0, clock=0,45,3,0,0,1,0,1,0, free=1
[2024-08-13 20:19:37.493][INFO][23519][66z2r2r3] HTTP #0 127.0.0.1:61412 GET http://127.0.0.1:8080/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, content-length=-1
[2024-08-13 20:19:37.494][INFO][23519][66z2r2r3] dispatch cached gop success. count=10, duration=177
[2024-08-13 20:19:37.494][INFO][23519][66z2r2r3] create consumer, active=1, queue_size=30000ms, jitter=1
[2024-08-13 20:19:37.494][INFO][23519][66z2r2r3] FLV /live/202404-78db246b-9ad8-472b-9dd6-df04f108886e.flv, encoder=FLV, mw_sleep=350ms, cache=0, msgs=128, dinm=1, guess_av=1/1/1
[2024-08-13 20:19:37.494][INFO][23519][66z2r2r3] FLV: write header audio=1, video=1, dinm=1, config=1/1/1
[2024-08-13 20:19:41.533][INFO][23519][0mnmm244] Hybrid cpu=0.00%,0MB, cid=90,1, timer=62,0,0, clock=0,45,3,0,0,1,0,1,0, free=1
[2024-08-13 20:19:41.720][INFO][23519][5j20tp07] cleanup when unpublish
[2024-08-13 20:19:41.947][INFO][23519][6c9t83g6] TCP: before dispose resource(HttpConn)(0x60c000003100), conns=3, zombies=0, ign=0, inz=0, ind=0
[2024-08-13 20:19:41.947][WARN][23519][6c9t83g6][4] server disconnect. ret=4040
[2024-08-13 20:19:41.947][INFO][23519][xn98t9x5] TCP: clear zombies=1 resources, conns=3, removing=0, unsubs=0
[2024-08-13 20:19:41.947][INFO][23519][6c9t83g6] TCP: disposing #0 resource(HttpConn)(0x60c000003100), conns=3, disposing=1, zombies=0
[2024-08-13 20:19:42.021][INFO][23519][5j20tp07] http: unmount flv stream for sid=/live/202404-78db246b-9ad8-472b-9dd6-df04f108886e, i=3
[2024-08-13 20:19:42.021][INFO][23519][5j20tp07] TCP: before dispose resource(RtmpConn)(0x612000001840), conns=2, zombies=0, ign=0, inz=0, ind=0
[2024-08-13 20:19:42.021][WARN][23519][5j20tp07][4] client disconnect peer. ret=1009
[2024-08-13 20:19:42.021][INFO][23519][xn98t9x5] TCP: clear zombies=1 resources, conns=2, removing=0, unsubs=0
[2024-08-13 20:19:42.021][INFO][23519][5j20tp07] TCP: disposing #0 resource(RtmpConn)(0x612000001840), conns=2, disposing=1, zombies=0
=================================================================
==23519==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400002a618 at pc 0x00010098de8a bp 0x000105193d30 sp 0x000105193d28
READ of size 8 at 0x60400002a618 thread T0
    #0 0x10098de89 in SrsLiveStream::do_serve_http(ISrsHttpResponseWriter*, ISrsHttpMessage*) srs_app_http_stream.cpp:754

0x60400002a618 is located 8 bytes inside of 48-byte region [0x60400002a610,0x60400002a640)
freed by thread T0 here:
    #0 0x102130a2d in wrap__ZdlPv+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xeca2d)

previously allocated by thread T0 here:
    #0 0x10213060d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xec60d)

SUMMARY: AddressSanitizer: heap-use-after-free srs_app_http_stream.cpp:754 in SrsLiveStream::do_serve_http(ISrsHttpResponseWriter*, ISrsHttpMessage*)
Shadow bytes around the buggy address:
  0x60400002a380: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400002a400: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400002a480: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400002a500: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x60400002a580: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
=>0x60400002a600: fa fa fd[fd]fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400002a680: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x60400002a700: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400002a780: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400002a800: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400002a880: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23519==ABORTING
[1]    23519 abort      ./objs/srs -c conf/http.flv.live.conf

retamia commented 2 months ago

I did some preliminary code inspection. The two playback endpoints share the same SrsLiveStream instance. After the first one disconnects, alive_ is set to false.

  alive_ = true;
  err = do_serve_http(w, r);
  alive_ = false;

In the SrsHttpStreamServer::http_unmount(SrsRequest* r) function, stream->alive() is already false, so mux.unhandle will free the SrsLiveStream. This causes the other connection coroutine to return to its execution environment after the SrsLiveStream instance has already been freed.

    // Wait for cache and stream to stop.
    int i = 0;
    for (; i < 1024; i++) {
        if (!cache->alive() && !stream->alive()) {
            break;
        }
        srs_usleep(100 * SRS_UTIME_MILLISECONDS);
    }

    // Unmount the HTTP handler, which will free the entry. Note that we must free it after cache and
    // stream stopped for it uses it.
    mux.unhandle(entry->mount, stream.get());
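
The interleaving described in the comment above, replayed as a deterministic model. This is an added example, not SRS code and not the fix applied to the project; `FlagStream`, `CountedStream`, `Ev` and `viewers_inside_at_free` are hypothetical names, and the counter is one possible repair assumed here for contrast.

```cpp
#include <cstdio>
#include <vector>

// Events in one single-threaded schedule of the HTTP-FLV handler.
enum class Ev { Enter, Leave, UnmountPoll };

// Flawed model: one bool shared by every request the handler is serving,
// mirroring "alive_ = true; do_serve_http(w, r); alive_ = false;".
class FlagStream {
public:
    void enter() { alive_ = true; }
    void leave() { alive_ = false; }  // the first viewer to leave clears it for all
    bool alive() const { return alive_; }
private:
    bool alive_ = false;
};

// Assumed repair for contrast: count the requests still inside the handler.
class CountedStream {
public:
    void enter() { ++viewers_; }
    void leave() { if (viewers_ > 0) --viewers_; }
    bool alive() const { return viewers_ > 0; }
private:
    int viewers_ = 0;
};

// Replays a schedule and returns how many viewers are still executing inside
// the handler when the unmount loop sees !alive() and would free it.
// Returns -1 if the handler is never freed. Any value above 0 is the
// use-after-free window. The cache->alive() half of the check is not modelled.
template <class Stream>
int viewers_inside_at_free(const std::vector<Ev>& schedule) {
    Stream stream;
    int inside = 0;  // ground truth, independent of the stream's own bookkeeping
    for (Ev e : schedule) {
        switch (e) {
        case Ev::Enter: stream.enter(); ++inside; break;
        case Ev::Leave: stream.leave(); --inside; break;
        case Ev::UnmountPoll:
            if (!stream.alive()) return inside;  // mux.unhandle() would run here
            break;
        }
    }
    return -1;
}

// Constructed schedule for the crashing run: two viewers enter, the publisher
// stops and unmount starts polling, one viewer leaves, unmount polls again.
std::vector<Ev> crash_schedule() {
    return {Ev::Enter, Ev::Enter, Ev::UnmountPoll, Ev::Leave,
            Ev::UnmountPoll, Ev::Leave, Ev::UnmountPoll};
}

// Constructed schedule for the clean run: both viewers leave before the poll.
std::vector<Ev> clean_schedule() {
    return {Ev::Enter, Ev::Enter, Ev::Leave, Ev::Leave, Ev::UnmountPoll};
}

int main() {
    std::printf("flag,    crash schedule: %d viewer(s) inside at free\n",
                viewers_inside_at_free<FlagStream>(crash_schedule()));
    std::printf("counter, crash schedule: %d viewer(s) inside at free\n",
                viewers_inside_at_free<CountedStream>(crash_schedule()));
    std::printf("flag,    clean schedule: %d viewer(s) inside at free\n",
                viewers_inside_at_free<FlagStream>(clean_schedule()));
    return 0;
}
```

The clean schedule shows why the bug is timing dependent: with the shared flag the free is only safe when every viewer happens to leave before the poll that observes `alive()` as false.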

winlinvip commented 2 months ago

Got it, it's really a bug that needs to be fixed.

retamia commented 2 months ago

Got it, it's really a bug that needs to be fixed.

I’ve applied a temporary fix, but I'm not sure if it’s correct. For now, the crash issue has stopped occurring.