Bugs item #1803686, was opened at 2007-09-27 18:55
Message generated for change (Comment added) made by ppessi
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=756076&aid=1803686&group_id=143636

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Mikhail Zabaluev (mzabaluev)
Assigned to: Nobody/Anonymous (nobody)
Summary: nua_event doesn't detect NUA destruction inside the callback

Initial Comment:
Running telepathy-sofiasip under valgrind exposes problems with accessing 
message data that have just been freed:

==5065== Invalid read of size 4
==5065==    at 0x409FE39: su_msg_is_non_null (su_wait.h:532)
==5065==    by 0x409FDE1: nua_event (nua.c:1035)
==5065==    by 0x40F792E: su_base_port_execute_msgs (su_base_port.c:253)
==5065==    by 0x40F76E5: su_base_port_getmsgs (su_base_port.c:179)
==5065==    by 0x4026B7D: su_source_dispatch (su_source.c:425)
==5065==  Address 0x45978E8 is 40 bytes inside a block of size 188 free'd
==5065==    at 0x4021258: free (vg_replace_malloc.c:233)
==5065==    by 0x40EFC6B: su_home_unref (su_alloc.c:671)
==5065==    by 0x409BDD9: nua_destroy (nua.c:228)
==5065==    by 0x80550D1: priv_r_shutdown (sip-connection-sofia.c:78)
==5065==    by 0x8056834: sip_connection_sofia_callback (sip-connection-sofia.c:794)
==5065==    by 0x409FD57: nua_event (nua.c:1020)
==5065==    by 0x40F792E: su_base_port_execute_msgs (su_base_port.c:253)
==5065==    by 0x40F76E5: su_base_port_getmsgs (su_base_port.c:179)
==5065==    by 0x4026B7D: su_source_dispatch (su_source.c:425)

==5065== Invalid read of size 4
==5065==    at 0x40F55EF: su_msg_destroy (su_root.c:968)
==5065==    by 0x409FE1C: nua_event (nua.c:1042)
==5065==    by 0x40F792E: su_base_port_execute_msgs (su_base_port.c:253)
==5065==    by 0x40F76E5: su_base_port_getmsgs (su_base_port.c:179)
==5065==    by 0x4026B7D: su_source_dispatch (su_source.c:425)
==5065==  Address 0x45978E8 is 40 bytes inside a block of size 188 free'd
==5065==    at 0x4021258: free (vg_replace_malloc.c:233)
==5065==    by 0x40EFC6B: su_home_unref (su_alloc.c:671)
==5065==    by 0x409BDD9: nua_destroy (nua.c:228)
==5065==    by 0x80550D1: priv_r_shutdown (sip-connection-sofia.c:78)
==5065==    by 0x8056834: sip_connection_sofia_callback (sip-connection-sofia.c:794)
==5065==    by 0x409FD57: nua_event (nua.c:1020)
==5065==    by 0x40F792E: su_base_port_execute_msgs (su_base_port.c:253)
==5065==    by 0x40F76E5: su_base_port_getmsgs (su_base_port.c:179)
==5065==    by 0x4026B7D: su_source_dispatch (su_source.c:425)

This corresponds to the following code in nua.c:

  nua->nua_callback(e->e_event, e->e_status, e->e_phrase,
                    nua, nua->nua_magic,
                    nh, nh ? nh->nh_magic : NULL,
                    e->e_msg ? sip_object(e->e_msg) : NULL,
                    e->e_tags);

  if (nh && !NH_IS_DEFAULT(nh) && nua_handle_unref(nh)) {
#if HAVE_NUA_HANDLE_DEBUG
    SU_DEBUG_0(("nua(%p): freed by application\n", (void *)nh));
#else
    SU_DEBUG_9(("nua(%p): freed by application\n", (void *)nh));
#endif
  }

  if (!su_msg_is_non_null(nua->nua_current))
    return;

  if (e->e_msg)
    msg_destroy(e->e_msg), e->e_msg = NULL;

  su_msg_destroy(nua->nua_current);

I tried to nullify the nua pointer in the "freed by application" block, and 
then guard operations with nua->nua_current with null checks, but the condition 
to detect NUA destruction doesn't seem to work right.

----------------------------------------------------------------------

>Comment By: Pekka Pessi (ppessi)
Date: 2007-10-08 17:57

Message:
Logged In: YES 
user_id=52043
Originator: NO

I pushed a different patch to darcs. 

----------------------------------------------------------------------

Comment By: Mikhail Zabaluev (mzabaluev)
Date: 2007-10-08 16:53

Message:
Logged In: YES 
user_id=313104
Originator: YES

File Added: sofia-sip-ref-nua-event.dpatch

----------------------------------------------------------------------
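
The failure mode reported in this thread, an application callback that destroys the object its dispatcher goes on to use, is commonly handled by holding an extra reference for the duration of the callback. The following is an added example, not sofia-sip code and not the patch that was pushed; agent_t and the agent_* functions are hypothetical stand-ins for a refcounted stack object and its API.

```c
#include <stdlib.h>

/* agent_t is a hypothetical stand-in for a refcounted stack object. */
typedef struct agent agent_t;
typedef void (*event_cb)(agent_t *a, int event);

struct agent {
    int      refs;     /* the application owns one reference */
    int      current;  /* per-event state the dispatcher touches after the callback */
    event_cb callback;
};

static int agents_freed;  /* counts frees so callers can observe destruction */

agent_t *agent_create(event_cb cb) {
    agent_t *a = calloc(1, sizeof *a);
    if (a) { a->refs = 1; a->callback = cb; }
    return a;
}

/* Drops one reference; returns 1 if that was the last one and the object was freed. */
int agent_unref(agent_t *a) {
    if (--a->refs > 0) return 0;
    free(a);
    agents_freed++;
    return 1;
}

/* What the application calls to shut down; may be called from inside a callback. */
void agent_destroy(agent_t *a) { agent_unref(a); }

/* Delivers one event while holding an extra reference across the callback.
 * Returns 1 if the callback destroyed the agent (freed on return), else 0. */
int agent_dispatch(agent_t *a, int event) {
    a->refs++;               /* pin before handing control to the application */
    a->current = event;
    a->callback(a, event);   /* may call agent_destroy(a) */
    a->current = 0;          /* post-callback cleanup: safe, we still hold a ref */
    return agent_unref(a);   /* frees here if the callback dropped the owner's ref */
}

/* Constructed callbacks: one shuts down from inside the event, one does nothing. */
void cb_shutdown(agent_t *a, int event) { (void)event; agent_destroy(a); }
void cb_noop(agent_t *a, int event) { (void)a; (void)event; }

int main(void) {
    agent_t *a = agent_create(cb_shutdown);
    return (a && agent_dispatch(a, 1) == 1) ? 0 : 1;
}
```

Building this with -fsanitize=address or running it under valgrind shows no invalid reads; removing the `a->refs++` line makes the read after the callback hit freed memory.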
