Pulse use-after-free
=================================================================
==926351==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000a6728 at pc 0x555555aa2313 bp 0x7fffefff78a0 sp 0x7fffefff7890
READ of size 8 at 0x60c0000a6728 thread T5 (threaded-ml)
[1691760278.218|9099|accel.cpp :209 ] -- Starting decoding init for cuda with default device.
[1691760278.218|9099|accel.cpp :209 ] -- Starting decoding init for vaapi with default device.
[1691760278.221|9099|accel.cpp :185 ] Device type vaapi successfully created.
[1691760278.221|9099|accel.cpp :218 ] -- Init passed for vaapi with default device.
[AVHWFramesContext @ 0x60e002153a40] [IMGUTILS @ 0x7fffcd1e4040] Picture size 0x0 is invalid
[1691760278.221|9099|accel.cpp :344 ] Failed to initialize hardware frame context: Invalid argument (-22)
[1691760278.222|9099|accel.cpp :209 ] -- Starting decoding init for vdpau with default device.
[1691760278.222|9099|media_decoder.cpp :548 ] Using H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10 (h264) decoder for video
[1691760278.222|9099|media_decoder.cpp :559 ] Not using hardware decoding for h264
[New Thread 0x7fffd9388640 (LWP 926606)]
[1691760278.338|9092|media_decoder.cpp :171 ] Using format video4linux2 and resolution 960x540
#0 0x555555aa2312 in std::_Function_base::_M_empty() const /usr/include/c++/11/bits/std_function.h:247
#1 0x555555ff005e in std::function<void (bool)>::operator()(bool) const /usr/include/c++/11/bits/std_function.h:588
#2 0x5555567e6cbb in operator() media/audio/pulseaudio/audiostream.cpp:221
#3 0x5555567e6d60 in _FUN media/audio/pulseaudio/audiostream.cpp:222
#4 0x7ffff73cb76f (/lib/x86_64-linux-gnu/libpulse.so.0+0x2076f)
#5 0x7ffff66d4382 (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x40382)
#6 0x7ffff66d55be in pa_pdispatch_run (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x415be)
#7 0x7ffff73bf082 (/lib/x86_64-linux-gnu/libpulse.so.0+0x14082)
#8 0x7ffff66da486 (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x46486)
#9 0x7ffff66db1d7 (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x471d7)
#10 0x7ffff66db599 (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x47599)
#11 0x7ffff66df739 (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x4b739)
#12 0x7ffff73d2a72 in pa_mainloop_dispatch (/lib/x86_64-linux-gnu/libpulse.so.0+0x27a72)
#13 0x7ffff73d30c9 in pa_mainloop_iterate (/lib/x86_64-linux-gnu/libpulse.so.0+0x280c9)
#14 0x7ffff73d316f in pa_mainloop_run (/lib/x86_64-linux-gnu/libpulse.so.0+0x2816f)
#15 0x7ffff73e337c (/lib/x86_64-linux-gnu/libpulse.so.0+0x3837c)
#16 0x7ffff66edcb2 (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x59cb2)
#17 0x7ffff6094b42 in start_thread nptl/pthread_create.c:442
#18 0x7ffff61269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
0x60c0000a6728 is located 104 bytes inside of 120-byte region [0x60c0000a66c0,0x60c0000a6738)
freed by thread T1 here:
#0 0x7ffff74b724f in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:172
#1 0x555556788eec in std::default_delete<jami::AudioStream>::operator()(jami::AudioStream*) const /usr/include/c++/11/bits/unique_ptr.h:85
#2 0x55555678aa79 in std::__uniq_ptr_impl<jami::AudioStream, std::default_delete<jami::AudioStream> >::reset(jami::AudioStream*) (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x1236a79)
#3 0x555556788605 in std::unique_ptr<jami::AudioStream, std::default_delete<jami::AudioStream> >::reset(jami::AudioStream*) (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x1234605)
#4 0x55555677fefc in jami::PulseLayer::stopStream(jami::AudioDeviceType) media/audio/pulseaudio/pulselayer.cpp:482
#5 0x555555b14e0b in jami::AudioDeviceGuard::~AudioDeviceGuard() /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:2234
#6 0x555555b563f7 in std::default_delete<jami::AudioDeviceGuard>::operator()(jami::AudioDeviceGuard*) const /usr/include/c++/11/bits/unique_ptr.h:85
#7 0x555555b42224 in std::unique_ptr<jami::AudioDeviceGuard, std::default_delete<jami::AudioDeviceGuard> >::~unique_ptr() /usr/include/c++/11/bits/unique_ptr.h:361
#8 0x55555667cf22 in jami::AudioInput::~AudioInput() media/audio/audio_input.cpp:69
#9 0x555556498105 in void __gnu_cxx::new_allocator<jami::AudioInput>::destroy<jami::AudioInput>(jami::AudioInput*) /usr/include/c++/11/ext/new_allocator.h:168
#10 0x55555649800a in void std::allocator_traits<std::allocator<jami::AudioInput> >::destroy<jami::AudioInput>(std::allocator<jami::AudioInput>&, jami::AudioInput*) /usr/include/c++/11/bits/alloc_traits.h:535
#11 0x555556497aea in std::_Sp_counted_ptr_inplace<jami::AudioInput, std::allocator<jami::AudioInput>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/11/bits/shared_ptr_base.h:528
#12 0x555555aaea2b in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/11/bits/shared_ptr_base.h:168
#13 0x555555aa7001 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/11/bits/shared_ptr_base.h:705
#14 0x555555b3dc03 in std::__shared_ptr<jami::AudioInput, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/11/bits/shared_ptr_base.h:1154
#15 0x555556407fad in std::__shared_ptr<jami::AudioInput, (__gnu_cxx::_Lock_policy)2>::reset() /usr/include/c++/11/bits/shared_ptr_base.h:1272
#16 0x55555668eeda in jami::AudioRtpSession::stop() media/audio/audio_rtp_session.cpp:250
[1691760278.631|9092|accel.cpp :209 ] -- Starting decoding init for cuda with default device.
[1691760278.631|9092|media_decoder.cpp :548 ] Using MJPEG (Motion JPEG) (mjpeg) decoder for video
[1691760278.631|9092|media_decoder.cpp :559 ] Not using hardware decoding for mjpeg
[1691760278.635|9092|video_input.cpp :346 ] created decoder with video params : size=960X536, fps=30.000000 pix=yuvj422p
[1691760278.635|9092|sinkclient.cpp :498 ] [Sink:0x613000005b50] Started - size=960x540, mixer=No
#17 0x5555562c5dc2 in jami::SIPCall::stopAllMedia() sip/sipcall.cpp:2247
#18 0x5555562bb546 in jami::SIPCall::peerHungup() sip/sipcall.cpp:1488
#19 0x555555b12746 in jami::Manager::peerHungupCall(jami::Call&) /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:1970
#20 0x5555562be19c in operator() sip/sipcall.cpp:1646
#21 0x5555562dd01b in operator() manager.h:906
#22 0x5555562ea33d in __invoke_impl<void, jami::runOnMainThread<jami::SIPCall::onClosed()::<lambda()> >(jami::SIPCall::onClosed()::<lambda()>&&, char const*, uint32_t)::<lambda()>&> /usr/include/c++/11/bits/invoke.h:61
#23 0x5555562e841d in __invoke_r<void, jami::runOnMainThread<jami::SIPCall::onClosed()::<lambda()> >(jami::SIPCall::onClosed()::<lambda()>&&, char const*, uint32_t)::<lambda()>&> /usr/include/c++/11/bits/invoke.h:111
#24 0x5555562e55a8 in _M_invoke /usr/include/c++/11/bits/std_function.h:290
#25 0x555555aa7c6f in std::function<void ()>::operator()() const /usr/include/c++/11/bits/std_function.h:590
#26 0x555555c30039 in jami::ScheduledExecutor::loop() /home/sblin/Projects/jami-project/client-qt/daemon/src/scheduled_executor.cpp:145
#27 0x555555c2defb in operator() /home/sblin/Projects/jami-project/client-qt/daemon/src/scheduled_executor.cpp:35
#28 0x555555c33061 in __invoke_impl<void, jami::ScheduledExecutor::ScheduledExecutor(const string&)::<lambda()> > /usr/include/c++/11/bits/invoke.h:61
#29 0x555555c33024 in __invoke<jami::ScheduledExecutor::ScheduledExecutor(const string&)::<lambda()> > /usr/include/c++/11/bits/invoke.h:96
previously allocated by thread T1 here:
#0 0x7ffff74b61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x55555677e7f7 in jami::PulseLayer::createStream(std::unique_ptr<jami::AudioStream, std::default_delete<jami::AudioStream> >&, jami::AudioDeviceType, jami::PaDeviceInfos const&, bool, std::function<void (unsigned long)>&&) media/audio/pulseaudio/pulselayer.cpp:414
#2 0x55555677f7c2 in jami::PulseLayer::startStream(jami::AudioDeviceType) media/audio/pulseaudio/pulselayer.cpp:457
#3 0x555555b14b11 in jami::AudioDeviceGuard::AudioDeviceGuard(jami::Manager&, jami::AudioDeviceType) /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:2225
#4 0x555555b4214b in std::_MakeUniq<jami::AudioDeviceGuard>::__single_object std::make_unique<jami::AudioDeviceGuard, jami::Manager&, jami::AudioDeviceType&>(jami::Manager&, jami::AudioDeviceType&) /usr/include/c++/11/bits/unique_ptr.h:962
#5 0x555555b34049 in jami::Manager::startAudioStream(jami::AudioDeviceType) manager.h:149
#6 0x55555667e85c in jami::AudioInput::initDevice(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) media/audio/audio_input.cpp:189
#7 0x555556680e9e in jami::AudioInput::switchInput(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) media/audio/audio_input.cpp:312
#8 0x55555668cce1 in jami::AudioRtpSession::startSender() media/audio/audio_rtp_session.cpp:101
#9 0x55555668e8a1 in jami::AudioRtpSession::start(std::unique_ptr<dhtnet::IceSocket, std::default_delete<dhtnet::IceSocket> >, std::unique_ptr<dhtnet::IceSocket, std::default_delete<dhtnet::IceSocket> >) media/audio/audio_rtp_session.cpp:220
#10 0x5555562c4d05 in jami::SIPCall::startAllMedia() sip/sipcall.cpp:2173
#11 0x5555562cbcb0 in jami::SIPCall::onIceNegoSucceed() sip/sipcall.cpp:2748
#12 0x5555562d6406 in operator() sip/sipcall.cpp:3388
#13 0x5555562e0b13 in operator() manager.h:906
#14 0x5555562eaba1 in __invoke_impl<void, jami::runOnMainThread<jami::SIPCall::initIceMediaTransport(bool, std::optional<dhtnet::IceTransportOptions>)::<lambda(bool)>::<lambda()> >(jami::SIPCall::initIceMediaTransport(bool, std::optional<dhtnet::IceTransportOptions>)::<lambda(bool)>::<lambda()>&&, char const*, uint32_t)::<lambda()>&> /usr/include/c++/11/bits/invoke.h:61
#15 0x5555562e91cd in __invoke_r<void, jami::runOnMainThread<jami::SIPCall::initIceMediaTransport(bool, std::optional<dhtnet::IceTransportOptions>)::<lambda(bool)>::<lambda()> >(jami::SIPCall::initIceMediaTransport(bool, std::optional<dhtnet::IceTransportOptions>)::<lambda(bool)>::<lambda()>&&, char const*, uint32_t)::<lambda()>&> /usr/include/c++/11/bits/invoke.h:111
#16 0x5555562e6a6d in _M_invoke /usr/include/c++/11/bits/std_function.h:290
#17 0x555555aa7c6f in std::function<void ()>::operator()() const /usr/include/c++/11/bits/std_function.h:590
#18 0x555555c30039 in jami::ScheduledExecutor::loop() /home/sblin/Projects/jami-project/client-qt/daemon/src/scheduled_executor.cpp:145
#19 0x555555c2defb in operator() /home/sblin/Projects/jami-project/client-qt/daemon/src/scheduled_executor.cpp:35
#20 0x555555c33061 in __invoke_impl<void, jami::ScheduledExecutor::ScheduledExecutor(const string&)::<lambda()> > /usr/include/c++/11/bits/invoke.h:61
#21 0x555555c33024 in __invoke<jami::ScheduledExecutor::ScheduledExecutor(const string&)::<lambda()> > /usr/include/c++/11/bits/invoke.h:96
#22 0x555555c32fd1 in _M_invoke<0> /usr/include/c++/11/bits/std_thread.h:259
#23 0x555555c32fa5 in operator() /usr/include/c++/11/bits/std_thread.h:266
#24 0x555555c32f89 in _M_run /usr/include/c++/11/bits/std_thread.h:211
#25 0x7ffff64dc252 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc252)
Thread T5 (threaded-ml) created by T0 here:
[1691760278.666|9092|media_recorder.cpp :277 ] [Recorder: 0x6160010e3690] Recorder input #1: v:local
[New Thread 0x7fffce1ea640 (LWP 926607)]
#0 0x7ffff7458685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff66edd63 in pa_thread_new (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-15.99.so+0x59d63)
Thread T1 created by T0 here:
#0 0x7ffff7458685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff64dc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328)
#2 0x555555c2e28b in jami::ScheduledExecutor::ScheduledExecutor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/sblin/Projects/jami-project/client-qt/daemon/src/scheduled_executor.cpp:30
#3 0x555555afe37e in jami::Manager::ManagerPimpl::ManagerPimpl(jami::Manager&) /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:460
#4 0x555555b026ee in jami::Manager::Manager() /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:738
#5 0x555555b024f1 in jami::Manager::instance() /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:715
#6 0x555555c2b537 in libjami::init(libjami::InitFlag) /home/sblin/Projects/jami-project/client-qt/daemon/src/ring_api.cpp:69
#7 0x555555aa534c in jami::test::IceMediaCandExchangeTest::IceMediaCandExchangeTest() (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x55134c)
#8 0x555555acba5d in CppUnit::ConcretTestFixtureFactory<jami::test::IceMediaCandExchangeTest>::makeFixture() (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x577a5d)
#9 0x555555aa866f in CppUnit::TestSuiteBuilderContext<jami::test::IceMediaCandExchangeTest>::makeFixture() const (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x55466f)
#10 0x555555aa5dd3 in jami::test::IceMediaCandExchangeTest::addTestsToSuite(CppUnit::TestSuiteBuilderContextBase&) (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x551dd3)
#11 0x555555aa62c2 in jami::test::IceMediaCandExchangeTest::suite() (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x5522c2)
#12 0x555555acba32 in CppUnit::TestSuiteFactory<jami::test::IceMediaCandExchangeTest>::makeTest() (/home/sblin/Projects/jami-project/client-qt/daemon/test/unitTest/ut_ice_media_cand_exchange+0x577a32)
#13 0x7ffff7f8172e in CppUnit::TestFactoryRegistry::addTestToSuite(CppUnit::TestSuite*) (/lib/x86_64-linux-gnu/libcppunit-1.15.so.1+0x2772e)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/11/bits/std_function.h:247 in std::_Function_base::_M_empty() const
Shadow bytes around the buggy address:
0x0c188000cc90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c188000cca0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c188000ccb0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c188000ccc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c188000ccd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c188000cce0: fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa fa
0x0c188000ccf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c188000cd00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c188000cd10: 00 00 00 00 00 00 05 fa fa fa fa fa fa fa fa fa
0x0c188000cd20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c188000cd30: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==926351==ABORTING
[Thread 0x7fffce1ea640 (LWP 926607) exited]
[Thread 0x7fffd9388640 (LWP 926606) exited]
[Thread 0x7fffcf1ec640 (LWP 926605) exited]
[Thread 0x7fffcd1e8640 (LWP 926603) exited]
[Thread 0x7fffcd9e9640 (LWP 926602) exited]
[Thread 0x7fffcf9ed640 (LWP 926598) exited]
[Thread 0x7fffd01ee640 (LWP 926597) exited]
[Thread 0x7fffd09ef640 (LWP 926596) exited]
[Thread 0x7fffd31f4640 (LWP 926592) exited]
[Thread 0x7fffda38a640 (LWP 926591) exited]
[Thread 0x7ffface46640 (LWP 926582) exited]
[Thread 0x7fffac62f640 (LWP 926581) exited]
[Thread 0x7fffd19f1640 (LWP 926448) exited]
[Thread 0x7fffd21f2640 (LWP 926447) exited]
[Thread 0x7fffd39f5640 (LWP 926444) exited]
[Thread 0x7fffd41f6640 (LWP 926443) exited]
[Thread 0x7fffd49f7640 (LWP 926441) exited]
[Thread 0x7fffd51f8640 (LWP 926440) exited]
[Thread 0x7fffd59f9640 (LWP 926439) exited]
[Thread 0x7fffd7348640 (LWP 926438) exited]
[Thread 0x7fffd9b89640 (LWP 926403) exited]
[Thread 0x7fffd6b31640 (LWP 926402) exited]
[Thread 0x7fffd8b87640 (LWP 926374) exited]
[Thread 0x7fffdab8b640 (LWP 926369) exited]
[Thread 0x7fffdb38c640 (LWP 926368) exited]
[Thread 0x7fffdbb8d640 (LWP 926367) exited]
[Thread 0x7fffdc38e640 (LWP 926366) exited]
[Thread 0x7fffdcff5640 (LWP 926365) exited]
[Thread 0x7fffdd7f6640 (LWP 926364) exited]
[Thread 0x7fffddff7640 (LWP 926363) exited]
[Thread 0x7fffde7f8640 (LWP 926362) exited]
[Thread 0x7fffdeff9640 (LWP 926361) exited]
[Thread 0x7fffefffb640 (LWP 926359) exited]
[Thread 0x7ffff07fc640 (LWP 926358) exited]
[Thread 0x7ffff0ffd640 (LWP 926357) exited]
[Thread 0x7ffff17fe640 (LWP 926356) exited]
[Thread 0x7ffff1fff640 (LWP 926354) exited]
[Thread 0x7ffff58064c0 (LWP 926351) exited]
[Thread 0x7fffdf7fa640 (LWP 926604) exited]
[New process 926351]
[Inferior 1 (process 926351) exited with code 01]
(gdb)
In the following code:
// Ask PulseAudio for the source's info so we can tell whether it is backed by the
// echo-cancel module. The callback is invoked later, on the PulseAudio mainloop
// thread (thread T5 "threaded-ml" in the ASan report above, under pa_mainloop_run),
// not on the caller's thread.
// `this` is handed over as a raw userdata pointer, so nothing couples the
// callback's lifetime to this AudioStream: if the object is destroyed before (or
// while) the callback runs, `thisPtr` below dangles. That is the
// heap-use-after-free reported above (freed on T1 by PulseLayer::stopStream
// resetting the unique_ptr<AudioStream>, read on T5 at audiostream.cpp:221).
auto* op = pa_context_get_source_info_by_name(
    context,
    name,
    [](pa_context* /*c*/, const pa_source_info* i, int /*eol*/, void* userdata) {
        // Raw userdata round-trip: a non-null value proves nothing about whether
        // the object it points to still exists.
        AudioStream* thisPtr = (AudioStream*) userdata;
        // PulseAudio invokes a *_info_cb_t once per matching entry and once more as
        // the end-of-list marker (eol > 0) with i == nullptr; that final call is the
        // "second time" observed here, and it carries no source info.
        if (!i) {
            // JAMI_ERR("[audiostream] source info not found for %s", realName);
            return;
        }
        // string compare
        bool usingEchoCancel = std::string_view(i->driver) == "module-echo-cancel.c";
        JAMI_WARN("[audiostream] capture stream using pulse echo cancel module? %s (%s)",
                  usingEchoCancel ? "yes" : "no",
                  i->name);
        // NOTE(review): this only catches a null userdata, which cannot happen here
        // because `this` is passed below. It does not detect that the AudioStream has
        // been freed, so it does not close the race described above. Closing it needs
        // real lifetime coupling — e.g. keeping `op` and cancelling it under the
        // threaded-mainloop lock in the destructor, or passing a weak handle instead
        // of `this` — to be confirmed against how this class owns the mainloop.
        if (!thisPtr) {
            JAMI_ERR("[audiostream] AudioStream pointer became invalid during "
                     "pa_source_info_cb_t callback!");
            return;
        }
        // Dereferences thisPtr and invokes echoCancelCb (presumably a
        // std::function<void(bool)> member, per frame #1 of the report); this is the
        // read ASan flags in std_function.h when the object is already gone.
        thisPtr->echoCancelCb(usingEchoCancel);
    },
    this);
destruction of the AudioStream may occur between:
if (!thisPtr) {
    JAMI_ERR("[audiostream] AudioStream pointer became invalid during "
             "pa_source_info_cb_t callback!");
    return;
}
// HERE: the null check above cannot detect that the AudioStream behind thisPtr has
// already been deleted on another thread (see "freed by thread T1" above); the
// dereference below is the reported heap-use-after-free.
thisPtr->echoCancelCb(usingEchoCancel);