SIPVoIPLink initializer need register_thread first before pj_pool_create #4

Open
wants to merge 1 commit into base: master
Conversation

@hanyf hanyf commented Nov 29, 2018

Today I updated all the libs of the ring project and built the macOS and iOS clients for testing. When I run the client for macOS, some error occurs:

Client: ring-client-macos

Assertion failed: (!"Calling pjlib from unknown/external thread. You must " "register external threads with pj_thread_register() " "before calling any pjlib functions."), function pj_thread_this, file ../src/pj/os_core_unix.c, line 692.

backtrace

(lldb) bt
* thread #12, stop reason = signal SIGABRT
    frame #0: 0x00007fff620b6b86 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x0000000101cb2884 libsystem_pthread.dylib`pthread_kill + 285
    frame #2: 0x00007fff620201c9 libsystem_c.dylib`abort + 127
    frame #3: 0x00007fff61fe8868 libsystem_c.dylib`__assert_rtn + 320
  * frame #4: 0x00000001024e0ba2 libring.0.dylib`pj_thread_this at os_core_unix.c:690
    frame #5: 0x00000001024e0704 libring.0.dylib`pj_mutex_lock(mutex=0x000000010691fcf0) at os_core_unix.c:1286
    frame #6: 0x00000001024ec5e9 libring.0.dylib`pj_lock_acquire(lock=0x000000010691fcc8) at lock.c:180
    frame #7: 0x00000001024f0094 libring.0.dylib`cpool_create_pool(pf=0x000000010691faa0, name="ring", initial_size=65536, increment_sz=4096, callback=0x0000000000000000) at pool_caching.c:131
    frame #8: 0x00000001024ef528 libring.0.dylib`pj_pool_create(f=0x000000010691faa0, name="ring", initial_size=65536, increment_size=4096, callback=0x0000000000000000) at pool_i.h:86
    frame #9: 0x0000000101f3fe4b libring.0.dylib`ring::SIPVoIPLink::SIPVoIPLink(this=0x000000010691fa98) at sipvoiplink.cpp:497
    frame #10: 0x0000000101f498e5 libring.0.dylib`ring::SIPVoIPLink::SIPVoIPLink(this=0x000000010691fa98) at sipvoiplink.cpp:490
    frame #11: 0x0000000101f55457 libring.0.dylib`std::__1::shared_ptr<ring::SIPVoIPLink> std::__1::shared_ptr<ring::SIPVoIPLink>::make_shared<>() [inlined] std::__1::__compressed_pair_elem<ring::SIPVoIPLink, 1, false>::__compressed_pair_elem(this=0x000000010691fa98) at memory:2089
    frame #12: 0x0000000101f5544b libring.0.dylib`std::__1::shared_ptr<ring::SIPVoIPLink> std::__1::shared_ptr<ring::SIPVoIPLink>::make_shared<>() [inlined] std::__1::__compressed_pair<std::__1::allocator<ring::SIPVoIPLink>, ring::SIPVoIPLink>::__compressed_pair<std::__1::allocator<ring::SIPVoIPLink>, true>(this=0x000000010691fa98, __t=0x000070000b052748) at memory:2187
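The assertion in the backtrace fires in pj_thread_this(), reached from pj_pool_create() through the caching pool's lock (cpool_create_pool -> pj_lock_acquire -> pj_mutex_lock). pjlib only knows about threads it created itself or that were handed to it with pj_thread_register(); a thread created elsewhere, here the one running SIPVoIPLink's constructor via make_shared, has to be registered before its first pjlib call, and pj_thread_is_registered() reports whether that has already happened. The following is an added example, not code from this PR or from the Ring/Jami daemon: it imitates pjlib's registry with a thread_local pointer so the check can be exercised without the library, and ThreadDesc, the lib_* functions and ensure_thread_registered() are stand-ins for the pjlib calls named in the comments, not pjlib's API.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>
#include <thread>

// Constructed stand-in for pjlib's per-thread descriptor (pj_thread_desc).
struct ThreadDesc {
    std::string name;
};

// pjlib looks the current thread up through a thread-local key in
// pj_thread_this(); a thread_local pointer plays that role here.
// nullptr means "external thread the library has never seen".
static thread_local ThreadDesc* g_this_thread = nullptr;

// imitates pj_thread_is_registered()
bool lib_thread_is_registered() { return g_this_thread != nullptr; }

// imitates pj_thread_register(name, desc, &thread): the descriptor storage is
// supplied by the caller and must outlive every later library call on this thread
void lib_thread_register(const char* name, ThreadDesc& desc) {
    if (lib_thread_is_registered())
        throw std::logic_error("thread already registered");  // pjlib asserts on this too
    desc.name = name;
    g_this_thread = &desc;
}

// imitates pj_thread_this(): the real function hits the pj_assert quoted in the
// issue and aborts; an exception is used here so a test can observe the failure
ThreadDesc* lib_thread_this() {
    if (!g_this_thread)
        throw std::logic_error("Calling lib from unknown/external thread");
    return g_this_thread;
}

// imitates the pj_pool_create -> ... -> pj_thread_this chain in the backtrace
void lib_pool_create(const char* /*name*/) { (void)lib_thread_this(); }

// The guard the PR title asks for: register the calling thread on first use,
// with storage that lives as long as the thread does. Safe to call repeatedly.
void ensure_thread_registered(const char* name) {
    if (lib_thread_is_registered())
        return;
    static thread_local ThreadDesc desc;  // one per thread, never freed early
    lib_thread_register(name, desc);
}

// The SIPVoIPLink constructor pattern: create the pool on whatever thread we are
// on. Returns true when the pool was created, false when the unregistered-thread
// check fired (in real pjlib this is the SIGABRT from the issue).
bool construct_link(bool register_first) {
    try {
        if (register_first)
            ensure_thread_registered("ring");
        lib_pool_create("ring");
        return true;
    } catch (const std::logic_error& e) {
        std::fprintf(stderr, "rejected: %s\n", e.what());
        return false;
    }
}

int main() {
    // Same scenario as the crashing client: a std::thread pjlib never created.
    std::thread t([] {
        construct_link(false);  // rejected: unregistered external thread
        construct_link(true);   // registered first: pool created
    });
    t.join();
    return 0;
}
```

In real pjlib the pj_thread_desc handed to pj_thread_register() must stay valid for the whole lifetime of the thread, which is why it is a thread_local rather than a stack array in a constructor, and registering the same thread twice is itself an assertion failure, hence the pj_thread_is_registered() check before registering.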

@hanyf hanyf changed the title SIPVoIPLink initializer need register_thread first befor pj_pool_create SIPVoIPLink initializer need register_thread first before pj_pool_create Nov 29, 2018
@AmarOk1412
Contributor

@hanyf can you send the patch on https://gerrit-ring.savoirfairelinux.com/ ?

@AmarOk1412
Contributor

We do not merge pull requests from here nor have CI activated here. This repo is just a mirror for us.

@hanyf
Contributor Author

hanyf commented Nov 29, 2018

@AmarOk1412 ok, I will send this patch on it.

GerritRingMirror pushed a commit that referenced this pull request Jun 9, 2021
`memcpy()` has the `__nonnull__` attribute and ASAN doesn't like it even though the length
of the buffer is 0.  Thus, using a dummy buffer on the stack.

--------------------------------------------------------------------------------
#0 0x55555a0a1b8a in /usr/include/msgpack/v1/sbuffer.hpp:74
#1 0x55555a1dcfd3 in /usr/include/msgpack/v1/pack.hpp:623
#3 0x55555a11eab2 in /usr/include/msgpack/v1/pack.hpp:1311
#4 0x55555a35c1c5 in /ring-project/daemon/src/jamidht/multiplexed_socket.cpp:676
#5 0x55555a363879 in /ring-project/daemon/src/jamidht/multiplexed_socket.cpp:945
#6 0x55555a35554e in /ring-project/daemon/src/jamidht/multiplexed_socket.cpp:459
#7 0x55555a34e0c0 in /ring-project/daemon/src/jamidht/multiplexed_socket.cpp:247
#8 0x55555a37298f in /ring-project/daemon/src/jamidht/multiplexed_socket.cpp:75
(...)
--------------------------------------------------------------------------------

Change-Id: Ibc8c8d808c233da1649f556466b24d68decf85e8
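The sanitizer hit this commit describes is memcpy() being called with a null source pointer and a length of 0, which msgpack's sbuffer does when it packs an empty body. glibc declares memcpy() with __attribute__((nonnull)), so a null argument is undefined behaviour regardless of the length, and sanitizer builds report it (UBSan's nonnull-attribute check is the one that names it explicitly). As an added example, not msgpack's or the daemon's code, SBuffer and pack_bin8() below are constructed stand-ins showing the unchecked write beside a form that never hands memcpy() a null pointer on either side:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Constructed stand-in for the sbuffer write path at the top of the stack above.
class SBuffer {
public:
    // Before: forwards straight to memcpy. With buf == nullptr and len == 0 the
    // call violates memcpy's nonnull contract even though nothing is copied.
    void write_unchecked(const char* buf, size_t len) {
        size_t old = data_.size();
        data_.resize(old + len);
        std::memcpy(data_.data() + old, buf, len);
    }

    // After: an empty write is a no-op, so memcpy never sees a null source, and
    // never a null destination either (an empty std::vector's data() can be
    // null as well, which a dummy source buffer alone would not cover).
    // A non-empty write from a null pointer is rejected instead of read.
    bool write(const char* buf, size_t len) {
        if (len == 0)
            return true;
        if (buf == nullptr)
            return false;
        size_t old = data_.size();
        data_.resize(old + len);
        std::memcpy(data_.data() + old, buf, len);
        return true;
    }

    size_t size() const { return data_.size(); }
    const std::vector<uint8_t>& bytes() const { return data_; }

private:
    std::vector<uint8_t> data_;
};

// Minimal msgpack "bin 8" encoding (0xc4, one length byte, payload), enough to
// show the empty-payload case that reaches write(nullptr, 0).
void pack_bin8(SBuffer& out, const uint8_t* payload, size_t len) {
    if (len > 0xff)
        throw std::length_error("bin 8 holds at most 255 bytes");
    const uint8_t header[2] = {0xc4, static_cast<uint8_t>(len)};
    out.write(reinterpret_cast<const char*>(header), sizeof header);
    out.write(reinterpret_cast<const char*>(payload), len);  // payload may be nullptr when len == 0
}
```

The referenced commit keeps the memcpy() and substitutes a dummy stack buffer so the source pointer is always valid; the early return on len == 0 above covers the same case and the destination side at once, and is the form to prefer when the wrapper is yours to change.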
GerritRingMirror pushed a commit that referenced this pull request Jun 11, 2021
Jamiaccount adds a listener while the state is being changed.  This can result in
reallocation of the underlying vector while it's being iterated, resulting in a
read after free.

--------------------------------------------------------------------------------
==930034==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000991900
READ of size 8 at 0x603000991900 thread T1
#0 0x55555a8a6dcb in /ring-project/daemon/src/call.cpp:94
#1 0x55555a8c8483 in /usr/include/c++/11.1.0/bits/invoke.h:61
#2 0x55555a8c654a in /usr/include/c++/11.1.0/bits/invoke.h:111
#3 0x55555a8c4c4e in /usr/include/c++/11.1.0/bits/std_function.h:291
#4 0x55555a8d5102 in /usr/include/c++/11.1.0/bits/std_function.h:560
#5 0x55555a8af158 in /ring-project/daemon/src/call.cpp:270
#6 0x55555a8aff7a in /ring-project/daemon/src/call.cpp:296
#7 0x55555a8b987d in /ring-project/daemon/src/call.cpp:575
#8 0x55555a8b5067 in /ring-project/daemon/src/call.cpp:482
#9 0x55555a8c225b in /ring-project/daemon/src/manager.h:1047
#10 0x55555a8ca928 in /usr/include/c++/11.1.0/bits/invoke.h:61
#11 0x55555a8c88d8 in /usr/include/c++/11.1.0/bits/invoke.h:111
#12 0x55555a8c6878 in /usr/include/c++/11.1.0/bits/std_function.h:291
#13 0x555559cff4a8 in /usr/include/c++/11.1.0/bits/std_function.h:560
#14 0x55555aaae8a1 in /ring-project/daemon/src/scheduled_executor.cpp:137
#15 0x55555aaaaf8f in /ring-project/daemon/src/scheduled_executor.cpp:32
#16 0x55555aab4a2f in /usr/include/c++/11.1.0/bits/invoke.h:61
#17 0x55555aab48ea in /usr/include/c++/11.1.0/bits/invoke.h:96
#18 0x55555aab47bf in /usr/include/c++/11.1.0/bits/std_thread.h:253
#19 0x55555aab46f5 in /usr/include/c++/11.1.0/bits/std_thread.h:260
#20 0x55555aab46ad in /usr/include/c++/11.1.0/bits/std_thread.h:211
#21 0x7ffff45583c3 in /build/gcc/src/gcc/libstdc++-v3/src/c++11/thread.cc:82
#22 0x7ffff649f258 in /usr/lib/libpthread.so.0+0x9258
#23 0x7ffff38e45e2 in /usr/lib/libc.so.6+0xfe5e2

0x603000991900 is located 0 bytes inside of 32-byte region [0x603000991900,0x603000991920)
freed by thread T0 here:
#0 0x7ffff769fd69 in /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cpp:172
#1 0x55555a1e3dc3 in /usr/include/c++/11.1.0/ext/new_allocator.h:139
#2 0x55555a18f942 in /usr/include/c++/11.1.0/bits/alloc_traits.h:492
#3 0x55555a12a9c1 in /usr/include/c++/11.1.0/bits/stl_vector.h:354
#4 0x55555a12b390 in /usr/include/c++/11.1.0/bits/vector.tcc:500
#5 0x55555a0e1a7c in /usr/include/c++/11.1.0/bits/vector.tcc:121
#6 0x55555a0b8c40 in /ring-project/daemon/src/call.h:286
#7 0x555559f43b69 in /usr/include/c++/11.1.0/bits/jamiaccount.cpp:675
#8 0x555559f3bf91 in /usr/include/c++/11.1.0/bits/jamiaccount.cpp:483
#9 0x555559f39cb7 in /usr/include/c++/11.1.0/bits/jamiaccount.cpp:449
#10 0x55555a838f0e in /ring-project/daemon/src/manager.cpp:3350
#11 0x55555a7f7aef in /ring-project/daemon/src/manager.cpp:1015
#12 0x555559d3c828 in /usr/include/c++/11.1.0/callmanager.cpp:67
#13 0x555559c70b5a in /ring-project/daemon/bin/dring+0x471cb5a
#14 0x555559c7b71a in /ring-project/daemon/bin/dring+0x472771a
#15 0x555559c943af in /ring-project/daemon/bin/dring+0x47403af
#16 0x555559d06102 in /ring-project/daemon/bin/dring+0x47b2102

previously allocated by thread T0 here:
#0 0x7ffff769eca1 in /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x55555a21b9e8 in /usr/include/c++/11.1.0/ext/new_allocator.h:121
#2 0x55555a1e4083 in /usr/include/c++/11.1.0/bits/alloc_traits.h:460
#3 0x55555a190197 in /usr/include/c++/11.1.0/bits/stl_vector.h:346
#4 0x55555a12af48 in /usr/include/c++/11.1.0/bits/vector.tcc:440
#5 0x55555a0e1a7c in /usr/include/c++/11.1.0/bits/vector.tcc:121
#6 0x55555a0b8c40 in /ring-project/daemon/src/call.h:286
#7 0x55555a8aaaaa in /ring-project/daemon/src/call.cpp:92
#8 0x55555abcb76d in /usr/include/c++/11.1.0/bits/sipcall.cpp:89
#9 0x55555a7c3341 in /usr/include/c++/11.1.0/ext/new_allocator.h:156
#10 0x55555a7c2185 in /usr/include/c++/11.1.0/bits/alloc_traits.h:512
#11 0x55555a7bfe6d in /usr/include/c++/11.1.0/bits/shared_ptr_base.h:519
#12 0x55555a7bcaa4 in /usr/include/c++/11.1.0/bits/shared_ptr_base.h:650
#13 0x55555a7b85e1 in /usr/include/c++/11.1.0/bits/shared_ptr_base.h:1337
#14 0x55555a7b2d2c in /usr/include/c++/11.1.0/bits/shared_ptr.h:409
#15 0x55555a7af189 in /usr/include/c++/11.1.0/bits/shared_ptr.h:861
#16 0x55555a7abce0 in /usr/include/c++/11.1.0/bits/shared_ptr.h:877
#17 0x55555a7a4782 in /ring-project/daemon/src/call_factory.cpp:54
#18 0x555559f39b16 in /usr/include/c++/11.1.0/bits/jamiaccount.cpp:445
#19 0x55555a838f0e in /ring-project/daemon/src/manager.cpp:3350
#20 0x55555a7f7aef in /ring-project/daemon/src/manager.cpp:1015
#21 0x555559d3c828 in /usr/include/c++/11.1.0/callmanager.cpp:67
#22 0x555559c70b5a in /ring-project/daemon/bin/dring+0x471cb5a
#23 0x555559c7b71a in /ring-project/daemon/bin/dring+0x472771a
#24 0x555559c943af in /ring-project/daemon/bin/dring+0x47403af
#25 0x555559d06102 in /ring-project/daemon/bin/dring+0x47b2102

Thread T1 created by T0 here:
(...)
#2 0x55555aaab6bd in /ring-project/daemon/src/scheduled_executor.cpp:27
#3 0x55555a7e61b3 in /ring-project/daemon/src/manager.cpp:456
#4 0x55555a7eea6c in /ring-project/daemon/src/manager.cpp:736
#5 0x55555a7ee39f in /ring-project/daemon/src/manager.cpp:711
#6 0x555559d3b25f in /ring-project/daemon/src/ring_api.cpp:57
#7 0x555559ae17db in /ring-project/daemon/bin/dring+0x458d7db
#8 0x555559ad1285 in /ring-project/daemon/bin/dring+0x457d285
#9 0x555559acf5e1 in /ring-project/daemon/bin/dring+0x457b5e1
#10 0x555559acf292 in /ring-project/daemon/bin/dring+0x457b292
#11 0x555559ace828 in /ring-project/daemon/bin/dring+0x457a828
#12 0x555559acdb01 in /ring-project/daemon/bin/dring+0x4579b01
#13 0x555559acd33f in /ring-project/daemon/bin/dring+0x457933f
#14 0x555559acbc8d in /ring-project/daemon/bin/dring+0x4577c8d
#15 0x555559aca91b in /ring-project/daemon/bin/dring+0x457691b
#16 0x555559ac8eec in /ring-project/daemon/bin/dring+0x4574eec
#17 0x555559ac693b in /ring-project/daemon/bin/dring+0x457293b
#18 0x7ffff380db24 in /usr/lib/libc.so.6+0x27b24

SUMMARY: AddressSanitizer: heap-use-after-free /ring-project/daemon/src/call.cpp:94 in operator()
Shadow bytes around the buggy address:
  0x0c068012a2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068012a2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068012a2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068012a300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
  0x0c068012a310: 00 00 fa fa fa fa fa fa fa fa 00 00 01 fa fa fa
=>0x0c068012a320:[fd]fd fd fd fa fa 00 00 00 07 fa fa fa fa fa fa
  0x0c068012a330: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c068012a340: fd fa fa fa 00 00 01 fa fa fa fa fa fa fa fa fa
  0x0c068012a350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068012a360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068012a370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
  Shadow gap:  cc
==930034==ABORTING
--------------------------------------------------------------------------------

Change-Id: I23b4d1017b53a2d7fe224c92527254015e853168
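The report is the classic iterator-invalidation use-after-free: call.cpp:94 on thread T1 (the scheduled executor) is walking the listener vector while call.h:286 on T0 (coming in through callmanager.cpp and manager.cpp) appends to the same vector; push_back() reallocates, frees the old block (the fd bytes in the shadow dump), and the walker keeps reading it. The fix shape is to stop iterating the live container: copy the listeners under a lock, release the lock, and invoke the copies. The following is an added example, not the daemon's code; CallState, its listeners and run_reentrant_demo() are constructed for illustration and reproduce the same race re-entrantly on one thread, which is enough to get the same ASAN report from the unsafe variant.

```cpp
#include <cstddef>
#include <functional>
#include <mutex>
#include <utility>
#include <vector>

// Constructed model of a state holder that notifies listeners on each change.
class CallState {
public:
    using Listener = std::function<void(CallState&, int)>;

    void addListener(Listener l) {
        std::lock_guard<std::mutex> lk(mtx_);
        listeners_.push_back(std::move(l));  // may reallocate: references into listeners_ now dangle
    }

    // Before: iterates listeners_ in place and holds no lock (holding mtx_
    // across the callbacks would deadlock any listener that calls addListener).
    // If a callback, or another thread, appends to listeners_, the range-for
    // keeps reading the freed block: heap-use-after-free, as in the report.
    void setState_unsafe(int s) {
        state_ = s;
        for (auto& l : listeners_)
            l(*this, s);
    }

    // After: snapshot the listeners under the lock, drop the lock, call the
    // copies. The copies are owned by this frame, so nothing can free them
    // underneath the loop; registrations made during the callbacks land in
    // listeners_ and are seen on the next change.
    void setState(int s) {
        std::vector<Listener> snapshot;
        {
            std::lock_guard<std::mutex> lk(mtx_);
            state_ = s;
            snapshot = listeners_;
        }
        for (auto& l : snapshot)
            l(*this, s);
    }

    size_t listenerCount() {
        std::lock_guard<std::mutex> lk(mtx_);
        return listeners_.size();
    }

private:
    std::mutex mtx_;
    std::vector<Listener> listeners_;
    int state_ = 0;
};

// Re-entrant case from the commit message: the first listener registers another
// listener from inside its callback. Returns the listener count after `changes`
// state changes; with the snapshot version it grows by exactly one per change.
// Substituting setState_unsafe() and building with -fsanitize=address reproduces
// the heap-use-after-free above.
size_t run_reentrant_demo(int changes) {
    CallState cs;
    int fired = 0;
    cs.addListener([&fired](CallState& self, int) {
        ++fired;
        self.addListener([&fired](CallState&, int) { ++fired; });  // re-entrant registration
    });
    for (int i = 1; i <= changes; ++i)
        cs.setState(i);
    return cs.listenerCount();
}
```

A snapshot means a listener registered during a callback is not told about the change in flight; if that matters, re-check the count after the loop and run one more round, but never hold the lock across the callbacks. The same lock around push_back() and the copy is what closes the cross-thread version of the race that the report shows between T0 and T1.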