[Nice] Multithreading bug when removing streams

Stephan Thamm thammi at chaossource.net
Sun Apr 27 07:50:00 PDT 2014


Hi,
working on my node.js bindings for libnice [0] I came across what I suspect is 
a multithreading bug in libnice. I was unable to find a statement about 
multithreading support in the documentation, but a mail on this list [1] 
stated that the agent API should be safe.

The error occurs after removing a stream. It seems that the code tries to handle 
I/O for the stream after it has been removed, which fails when GSList tries to 
access the freed memory.

I was running my application inside valgrind when the error occurred. This 
might have increased the chances of this bug occurring (everything is very slow 
...). The stack traces are attached.

The bug triggered on Debian with libnice 0.1.5 as well as 
0.1.5+rc20140402-0exp1 from Debian Experimental.

I hope that this information is enough to find the cause of the bug. I tried 
looking into the libnice code, but my understanding of the code is not (yet) 
good enough.

[0] https://github.com/thammi/node-libnice
[1] http://lists.freedesktop.org/archives/nice/2009-September/000293.html
-- 
So far, farewell
Thammi
-------------- next part --------------
==18100== Invalid read of size 8
==18100==    at 0x994862A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x9948988: g_mutex_lock (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x8EC4DC7: component_has_io_callback (component.c:632)
==18100==    by 0x8ECB7A7: component_io_cb (agent.c:3921)
==18100==    by 0x936BD12: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4000.0)
==18100==    by 0x9906CE4: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x9907047: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x9907309: g_main_loop_run (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x8CB13B8: std::thread::_Impl<std::_Bind_simple<Agent::Agent(NiceCompatibility)::{lambda()#1} ()> >::_M_run() (agent.cpp:98)
==18100==    by 0x637428F: ??? (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19)
==18100==    by 0x6AE8061: start_thread (pthread_create.c:312)
==18100==    by 0x6DE2A3C: clone (clone.S:111)
==18100==  Address 0x7d52238 is 65,768 bytes inside a block of size 65,984 free'd
==18100==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18100==    by 0x8ECD607: stream_free (stream.c:78)
==18100==    by 0x8EC8085: nice_agent_remove_stream (agent.c:2415)
==18100==    by 0x8CB24E6: Agent::removeStream(int) (agent.cpp:120)
==18100==    by 0x8CB721A: Stream::close(v8::Arguments const&) (stream.cpp:269)
==18100==    by 0x52F4F22: ??? (in /usr/lib/libv8.so.3.14.5)
==18100==    by 0x11CD04106361: ???
==18100==    by 0x11CD0480C7A6: ???
==18100==    by 0x11CD0464258B: ???
==18100==    by 0x11CD046421FE: ???
==18100==    by 0x11CD0410CCCD: ???
==18100==    by 0x11CD0483B9A9: ???
==18100== 
==18100== Invalid read of size 4
==18100==    at 0x6AEA224: pthread_mutex_lock (pthread_mutex_lock.c:66)
==18100==    by 0x9948990: g_mutex_lock (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x8EC4DC7: component_has_io_callback (component.c:632)
==18100==    by 0x8ECB7A7: component_io_cb (agent.c:3921)
==18100==    by 0x936BD12: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4000.0)
==18100==    by 0x9906CE4: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x9907047: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x9907309: g_main_loop_run (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x8CB13B8: std::thread::_Impl<std::_Bind_simple<Agent::Agent(NiceCompatibility)::{lambda()#1} ()> >::_M_run() (agent.cpp:98)
==18100==    by 0x637428F: ??? (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19)
==18100==    by 0x6AE8061: start_thread (pthread_create.c:312)
==18100==    by 0x6DE2A3C: clone (clone.S:111)
==18100==  Address 0x715c590 is 16 bytes inside a block of size 40 free'd
==18100==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18100==    by 0x8EC50F7: component_free (component.c:231)
==18100==    by 0x8ECD607: stream_free (stream.c:78)
==18100==    by 0x8EC8085: nice_agent_remove_stream (agent.c:2415)
==18100==    by 0x8CB24E6: Agent::removeStream(int) (agent.cpp:120)
==18100==    by 0x8CB721A: Stream::close(v8::Arguments const&) (stream.cpp:269)
==18100==    by 0x52F4F22: ??? (in /usr/lib/libv8.so.3.14.5)
==18100==    by 0x11CD04106361: ???
==18100==    by 0x11CD0480C7A6: ???
==18100==    by 0x11CD0464258B: ???
==18100==    by 0x11CD046421FE: ???
==18100==    by 0x11CD0410CCCD: ???
==18100== 
==18100== Invalid read of size 4
==18100==    at 0x6AE59C3: __pthread_mutex_lock_full (pthread_mutex_lock.c:177)
==18100==    by 0x9948990: g_mutex_lock (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x8EC4DC7: component_has_io_callback (component.c:632)
==18100==    by 0x8ECB7A7: component_io_cb (agent.c:3921)
==18100==    by 0x936BD12: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4000.0)
==18100==    by 0x9906CE4: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x9907047: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x9907309: g_main_loop_run (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==18100==    by 0x8CB13B8: std::thread::_Impl<std::_Bind_simple<Agent::Agent(NiceCompatibility)::{lambda()#1} ()> >::_M_run() (agent.cpp:98)
==18100==    by 0x637428F: ??? (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19)
==18100==    by 0x6AE8061: start_thread (pthread_create.c:312)
==18100==    by 0x6DE2A3C: clone (clone.S:111)
==18100==  Address 0x715c590 is 16 bytes inside a block of size 40 free'd
==18100==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18100==    by 0x8EC50F7: component_free (component.c:231)
==18100==    by 0x8ECD607: stream_free (stream.c:78)
==18100==    by 0x8EC8085: nice_agent_remove_stream (agent.c:2415)
==18100==    by 0x8CB24E6: Agent::removeStream(int) (agent.cpp:120)
==18100==    by 0x8CB721A: Stream::close(v8::Arguments const&) (stream.cpp:269)
==18100==    by 0x52F4F22: ??? (in /usr/lib/libv8.so.3.14.5)
==18100==    by 0x11CD04106361: ???
==18100==    by 0x11CD0480C7A6: ???
==18100==    by 0x11CD0464258B: ???
==18100==    by 0x11CD046421FE: ???
==18100==    by 0x11CD0410CCCD: ???
==18100== 

GLib (gthread-posix.c): Unexpected error from C library during 'pthread_mutex_lock': Invalid argument.  Aborting.


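The race the traces above point at is an I/O callback dispatched on the agent's main-loop thread that still dereferences a component which another thread has already freed through nice_agent_remove_stream. The following is an added example, not code from the post, the node-libnice binding or libnice itself: it models that situation in plain C and pthreads and applies the two remedies a practitioner would reach for. Callbacks carry only a component id and resolve it under the agent lock instead of holding a raw pointer, and a removal requested from a foreign thread is queued onto the loop thread (the role g_main_context_invoke() plays for a GMainContext), so it is ordered after every callback queued before it. The names agent_invoke, component_io_cb and remove_stream_cb are chosen here to echo the frames in the trace; they are not libnice's functions.

```c
/* Added example: a dispatch thread drains a FIFO of callbacks the way a
 * GMainLoop drains its sources, and stream removal is marshalled onto it. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Agent Agent;
typedef void (*WorkFn)(Agent *, int);

typedef struct Component {      /* stands in for libnice's Component; id stands in for (stream, component) */
    int id;
    int bytes_seen;
    struct Component *next;
} Component;

typedef struct Work {           /* one queued callback, the analogue of a ready GSource */
    WorkFn fn;
    int arg;
    struct Work *next;
} Work;

struct Agent {
    pthread_mutex_t lock;       /* guards components, the queue and the counters */
    pthread_cond_t cond;
    Component *components;
    Work *head, *tail;
    int quit;
    int io_handled;             /* callbacks that found their component */
    int io_dropped;             /* callbacks that ran after the component was removed */
    pthread_t loop;
};

/* Queue fn(agent, arg) on the loop thread; safe to call from any thread. */
static void agent_invoke(Agent *a, WorkFn fn, int arg)
{
    Work *w = calloc(1, sizeof *w);
    w->fn = fn;
    w->arg = arg;
    pthread_mutex_lock(&a->lock);
    if (a->tail) a->tail->next = w; else a->head = w;
    a->tail = w;
    pthread_cond_signal(&a->cond);
    pthread_mutex_unlock(&a->lock);
}

/* Loop thread: run queued callbacks in order; on quit, drain what is left first. */
static void *loop_thread(void *arg)
{
    Agent *a = arg;
    for (;;) {
        pthread_mutex_lock(&a->lock);
        while (!a->head && !a->quit)
            pthread_cond_wait(&a->cond, &a->lock);
        Work *w = a->head;
        if (!w) { pthread_mutex_unlock(&a->lock); return NULL; }
        a->head = w->next;
        if (!a->head) a->tail = NULL;
        pthread_mutex_unlock(&a->lock);
        w->fn(a, w->arg);       /* callback runs without the lock, like a GSource dispatch */
        free(w);
    }
}

/* I/O callback: resolves the component by id under the lock. A component that was
 * removed earlier is simply not found, instead of being read after free. */
static void component_io_cb(Agent *a, int id)
{
    pthread_mutex_lock(&a->lock);
    Component *c = a->components;
    while (c && c->id != id) c = c->next;
    if (c) { c->bytes_seen++; a->io_handled++; } else a->io_dropped++;
    pthread_mutex_unlock(&a->lock);
}

/* Runs only on the loop thread, so it cannot interleave with a callback in flight. */
static void remove_stream_cb(Agent *a, int id)
{
    pthread_mutex_lock(&a->lock);
    Component **pp = &a->components;
    while (*pp && (*pp)->id != id) pp = &(*pp)->next;
    if (*pp) { Component *c = *pp; *pp = c->next; free(c); }
    pthread_mutex_unlock(&a->lock);
}

static void agent_add_stream(Agent *a, int id)
{
    Component *c = calloc(1, sizeof *c);
    c->id = id;
    pthread_mutex_lock(&a->lock);
    c->next = a->components;
    a->components = c;
    pthread_mutex_unlock(&a->lock);
}

/* The caller (the thread that would be running V8 in the binding) never frees
 * the component itself; it hands the removal to the loop thread. */
static void agent_remove_stream(Agent *a, int id) { agent_invoke(a, remove_stream_cb, id); }

static void agent_stop(Agent *a)
{
    pthread_mutex_lock(&a->lock);
    a->quit = 1;
    pthread_cond_signal(&a->cond);
    pthread_mutex_unlock(&a->lock);
    pthread_join(a->loop, NULL);
}

static int g_handled, g_dropped;   /* results of the last run_scenario() call */

/* Constructed scenario: five packets arrive, the stream is removed from the
 * caller's thread, three more packets arrive for the dead stream.
 * Returns the number of components left once the loop has drained. */
int run_scenario(void)
{
    Agent a = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER };
    agent_add_stream(&a, 1);
    pthread_create(&a.loop, NULL, loop_thread, &a);
    for (int i = 0; i < 5; i++) agent_invoke(&a, component_io_cb, 1);
    agent_remove_stream(&a, 1);
    for (int i = 0; i < 3; i++) agent_invoke(&a, component_io_cb, 1);
    agent_stop(&a);
    g_handled = a.io_handled;
    g_dropped = a.io_dropped;
    int left = 0;
    for (Component *c = a.components; c; c = c->next) left++;
    return left;
}

int main(void)
{
    int left = run_scenario();
    printf("handled=%d dropped=%d remaining=%d\n", g_handled, g_dropped, left);
    return (left == 0 && g_handled == 5 && g_dropped == 3) ? 0 : 1;
}
```

Run under valgrind the way the original application was, this model produces no invalid reads: the three late packets are counted as dropped rather than dereferencing freed memory, and the five earlier ones are still delivered because the removal was queued behind them. The same ordering guarantee is what a binding gets by calling nice_agent_remove_stream from the thread that runs the agent's GMainLoop rather than from the V8 thread.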