ICE/PJSIP - Crash and assertion failure in pj_stun_session_cancel_req() and pj_stun_session_retransmit_req()

The issue was triggered by patch in https://git.jami.net/savoirfairelinux/ring-daemon/-/issues/617

Resorting the check list when a new check is received is causing side effects, leading to crashes and assert failures.

added to epic &22

Back trace on Android phoneÈ

    --------- beginning of crash
2021-09-10 14:29:52.149 5020-7231/cx.ring A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 in tid 7231 (Thread-2481), pid 5020 (cx.ring)
2021-09-10 14:29:52.332 5020-7223/cx.ring D/libjami: [1631298592.332| 7223|ice_transport.cpp :557  ] [ice:0xb4000071e01383e0] ioqueue error 120004: Interrupted system call
2021-09-10 14:29:52.332 5020-5722/cx.ring D/libjami: [1631298592.332| 5722|ice_transport.cpp :557  ] [ice:0xb4000071dffff4b0] ioqueue error 120004: Interrupted system call
2021-09-10 14:29:52.343 5020-5086/cx.ring E/libjami: [1631298592.343| 5086|sipvoiplink.cpp   :827  ] pjsip_endpt_handle_events failed with error Interrupted system call
2021-09-10 14:29:52.344 7234-7234/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-09-10 14:29:52.344 7234-7234/? A/DEBUG: Build fingerprint: 'google/coral/coral:11/RQ3A.210805.001.A1/7474174:user/release-keys'
2021-09-10 14:29:52.344 7234-7234/? A/DEBUG: Revision: 'MP1.0'
2021-09-10 14:29:52.344 7234-7234/? A/DEBUG: ABI: 'arm64'
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG: Timestamp: 2021-09-10 14:29:52-0400
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG: pid: 5020, tid: 7231, name: Thread-2481  >>> cx.ring <<<
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG: uid: 10284
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG: Cause: null pointer dereference
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x0  b4000071800203b8  x1  b40000716041c8b8  x2  0000000000000000  x3  0000000000000000
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x4  b40000716052e638  x5  000000008800a8c0  x6  0000000000000010  x7  00000000e1f9d288
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x8  0000000000000000  x9  0000000000000110  x10 0000000000000004  x11 0000000000000000
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x12 0000000000000000  x13 0000000000000038  x14 0000000000000002  x15 0000000000000002
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x16 0000000000000001  x17 b40000704eb755c0  x18 0000006f2f00c000  x19 b4000071800203b8
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x20 b40000716041c8b8  x21 0000000000011174  x22 0000000000000000  x23 0000000000000000
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x24 b40000704eb5f638  x25 b40000704eb8b520  x26 b40000704eb8b520  x27 0000000000000002
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     x28 b400007180020978  x29 000000704eb492b0
2021-09-10 14:29:52.345 7234-7234/? A/DEBUG:     lr  0000006fecbd18cc  sp  000000704eb492b0  pc  0000006fecbde804  pst 0000000080001000
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG: backtrace:
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #00 pc 00000000014f4804  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (pj_stun_session_cancel_req+68)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #01 pc 00000000014e78c8  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (on_check_complete+1200)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #02 pc 00000000014e90c8  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (on_stun_request_complete+3956)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #03 pc 00000000014f50bc  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (stun_tsx_on_complete+328)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #04 pc 00000000014f88d0  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (pj_stun_client_tsx_on_rx_msg+264)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #05 pc 00000000014f4d34  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (pj_stun_session_on_rx_pkt+1052)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #06 pc 00000000014e8090  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (pj_ice_sess_on_rx_pkt+348)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #07 pc 00000000014ee128  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (stun_on_rx_data+108)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #08 pc 00000000014f800c  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (parse_rx_packet+548)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #09 pc 00000000015132b8  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (ioqueue_on_read_complete+404)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #10 pc 000000000150e760  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (ioqueue_dispatch_read_event+496)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #11 pc 000000000150ff2c  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (pj_ioqueue_poll+744)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #12 pc 0000000000d455e4  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (jami::IceTransport::Impl::handleEvents(unsigned int)+188)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #13 pc 0000000000d4d278  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (jami::IceTransport::Impl::Impl(char const*, jami::IceTransportOptions const&)::$_5::operator()() const+56)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #14 pc 0000000000d4d1f4  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (decltype(std::__ndk1::forward<jami::IceTransport::Impl::Impl(char const*, jami::IceTransportOptions const&)::$_5>(fp)()) std::__ndk1::__invoke<jami::IceTransport::Impl::Impl(char const*, jami::IceTransportOptions const&)::$_5>(jami::IceTransport::Impl::Impl(char const*, jami::IceTransportOptions const&)::$_5&&)+24)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #15 pc 0000000000d4d194  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (void std::__ndk1::__thread_execute<std::__ndk1::unique_ptr<std::__ndk1::__thread_struct, std::__ndk1::default_delete<std::__ndk1::__thread_struct> >, jami::IceTransport::Impl::Impl(char const*, jami::IceTransportOptions const&)::$_5>(std::__ndk1::tuple<std::__ndk1::unique_ptr<std::__ndk1::__thread_struct, std::__ndk1::default_delete<std::__ndk1::__thread_struct> >, jami::IceTransport::Impl::Impl(char const*, jami::IceTransportOptions const&)::$_5>&, std::__ndk1::__tuple_indices<>)+32)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #16 pc 0000000000d4cef8  /data/app/~~avjNGYLJKLDTvFf4dmzdlw==/cx.ring-IzLdaSChuJANL9NpwNd8Wg==/lib/arm64/libring.so (void* std::__ndk1::__thread_proxy<std::__ndk1::tuple<std::__ndk1::unique_ptr<std::__ndk1::__thread_struct, std::__ndk1::default_delete<std::__ndk1::__thread_struct> >, jami::IceTransport::Impl::Impl(char const*, jami::IceTransportOptions const&)::$_5> >(void*)+104)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #17 pc 00000000000afd4c  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+64) (BuildId: 49090ae59e6ae37f8beae53c551820ad)
2021-09-10 14:29:52.381 7234-7234/? A/DEBUG:       #18 pc 0000000000050288  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 49090ae59e6ae37f8beae53c551820ad)

Back trace on Windows:

pj_stun_session_cancel_req(pj_stun_session * sess, pj_stun_tx_data * tdata, int notify, int notify_status) Line 1142    C
     on_check_complete(pj_ice_sess * ice, pj_ice_sess_check * check) Line 1994    C
>    handle_incoming_check(pj_ice_sess * ice, const pj_ice_rx_check * rcheck) Line 4092    C
     on_stun_rx_request(pj_stun_session * sess, const unsigned char * pkt, unsigned int pkt_len, const pj_stun_rx_data * rdata, void * token, const void * src_addr, unsigned int src_addr_len) Line 3898    C
     [Inline Frame] on_incoming_request(pj_stun_session * tmp_pool, unsigned int) Line 1387    C
     pj_stun_session_on_rx_pkt(pj_stun_session * sess, const void * packet, unsigned __int64 pkt_size, unsigned int options, void * token, unsigned __int64 * parsed_len, const void * src_addr, unsigned int src_addr_len) Line 1519    C
     pj_ice_sess_on_rx_pkt(pj_ice_sess * ice, unsigned int comp_id, unsigned int transport_id, void * pkt, unsigned __int64 pkt_size, const void * src_addr, int src_addr_len) Line 4281    C
     stun_on_rx_data(pj_stun_sock * stun_sock, void * pkt, unsigned int pkt_len, const void * src_addr, unsigned int addr_len) Line 2879    C
     parse_rx_packet(pj_activesock_t * asock, void * data, unsigned __int64 size, const void * rx_addr, unsigned int sock_addr_len) Line 730    C
     ioqueue_on_read_complete(pj_ioqueue_key_t * key, pj_ioqueue_op_key_t * op_key, __int64 bytes_read) Line 504    C
     ioqueue_dispatch_read_event(pj_ioqueue_t * ioqueue, pj_ioqueue_key_t * h) Line 625    C
     pj_ioqueue_poll(pj_ioqueue_t * ioqueue, const pj_time_val * timeout) Line 1099    C
     [Inline Frame] jami::IceTransport::Impl::handleEvents(unsigned int) Line 547    C++
     jami::IceTransport::Impl::{ctor}::__l2::<lambda>() Line 439    C++

changed the description

mentioned in issue #617 (closed)

marked this issue as related to #617 (closed)

assigned to @mchibani1

added SprintIn progress label

added SprintTo review label and removed SprintIn progress label

added SprintDone label and removed SprintTo review label

Full backtrace Linux gdb.txt:

Other backtrace. Difference symptom: gdb.txt

mentioned in commit 15bdc648

removed SprintDone label

closed