
[1.x] Segmentation fault (139) videoroom pointer becomes NULL during ICE negotiation #3503

Open
jongirard opened this issue Jan 10, 2025 · 3 comments
Labels
multistream Related to Janus 1.x

Comments


jongirard commented Jan 10, 2025

What version of Janus is this happening on?
Version: Janus 1.3.0 (commit dfd86e3)

Have you tested a more recent version of Janus too?
No, currently 1.3.0 is the latest version.

Was this working before?
N/A

Is there a gdb or libasan trace of the issue?
Full GDB log: https://gist.github.com/jongirard/03169daf5193bf3feb29ae2e8ed01229
GDB pointer trace: https://gist.github.com/jongirard/c98202a826fbf05d97a313d36ea083ab

Additional context
The crash happens in the videoroom handler after sending one of the WebSocket messages with a NULL videoroom pointer.

Thread 22 "janus" received signal SIGSEGV, Segmentation fault.
#0  0x00007ffff7c972e9 in g_mutex_lock () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff40a2172 in janus_videoroom_handler (data=<optimized out>) at plugins/janus_videoroom.c:12580
(gdb) print videoroom
$1 = (janus_videoroom *) 0x0

Context from logs just before the crash:

  1. ICE restart triggered and SDP negotiation occurs
  2. Remote SDP is processed (with a/v codecs, ICE credentials)
  3. SDP answer generated and ICE candidates prepared
  4. Series of WebSocket messages sent:
    • 334 bytes (SDP answer)
    • 241 bytes (trickle candidate)
    • 139 bytes (end-of-candidates)
  5. Crash occurs immediately after sending the last WebSocket message

This appears to be a race condition: trying to lock a mutex on a NULL videoroom pointer during the WebSocket message transmission phase of ICE negotiation, specifically after sending trickle candidate events. I'm able to consistently reproduce.

jongirard added the multistream (Related to Janus 1.x) label Jan 10, 2025
atoppi (Member) commented Jan 10, 2025

janus_videoroom.c:12580 does not use the videoroom pointer.
This is likely a race condition occurring on a subscriber that has been removed.

Please try to reproduce with the AddressSanitizer enabled.
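The interleaving the two comments above describe (a handler thread reading a subscriber's room pointer while another thread removes that subscriber, then calling the mutex lock on a NULL pointer) replayed deterministically in plain C. This is an added example and not Janus code: the `room_t` and `subscriber_t` structs, the C11 `atomic_flag` spinlock standing in for the GMutex in the backtrace, and the `handle_unsafe`/`handle_safe` functions are all constructed for illustration. The safe variant shows the shape of the fix a reviewer would look for: check the pointer under the owner's lock and hold a reference for the duration of the work.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative stand-ins for the plugin objects named in the report;
 * these are NOT the real janus_videoroom structs. */
typedef struct {
    atomic_flag lock;      /* stands in for the GMutex the backtrace shows being locked */
    atomic_int  refcount;  /* every owner of the room holds one reference */
} room_t;

typedef struct {
    atomic_flag lock;      /* guards the subscriber's own fields */
    room_t     *room;      /* cleared when the subscriber is removed */
} subscriber_t;

static void spin_lock(atomic_flag *f)   { while (atomic_flag_test_and_set(f)) { } }
static void spin_unlock(atomic_flag *f) { atomic_flag_clear(f); }

static room_t *room_new(void) {
    room_t *r = calloc(1, sizeof *r);
    atomic_flag_clear(&r->lock);
    atomic_init(&r->refcount, 1);
    return r;
}

static room_t *room_ref(room_t *r) { atomic_fetch_add(&r->refcount, 1); return r; }

static void room_unref(room_t *r) {
    if (atomic_fetch_sub(&r->refcount, 1) == 1) free(r);
}

static subscriber_t *subscriber_new(room_t *r) {
    subscriber_t *s = calloc(1, sizeof *s);
    atomic_flag_clear(&s->lock);
    s->room = room_ref(r);
    return s;
}

/* Removal path (the "subscriber that has been removed"): another thread
 * drops the subscriber's room pointer and its reference. */
static void subscriber_remove(subscriber_t *s) {
    spin_lock(&s->lock);
    room_t *r = s->room;
    s->room = NULL;
    spin_unlock(&s->lock);
    if (r) room_unref(r);
}

/* Unsafe handler: snapshots s->room without the subscriber lock and without
 * taking a reference, then locks it. If removal ran in between, this is the
 * equivalent of g_mutex_lock(NULL): the SIGSEGV in the report. Never call
 * this after subscriber_remove(); it is here only to show the bad pattern. */
int handle_unsafe(subscriber_t *s) {
    room_t *r = s->room;   /* may already be NULL */
    spin_lock(&r->lock);   /* NULL dereference if the subscriber was removed */
    spin_unlock(&r->lock);
    return 0;
}

/* Safe handler: check the pointer under the subscriber lock, take a
 * reference while it is still valid, and only then touch the room. */
int handle_safe(subscriber_t *s) {
    spin_lock(&s->lock);
    room_t *r = s->room ? room_ref(s->room) : NULL;
    spin_unlock(&s->lock);
    if (!r) return -1;     /* subscriber already gone: drop the event, don't crash */
    spin_lock(&r->lock);
    /* ... event handling that needs the room would go here ... */
    spin_unlock(&r->lock);
    room_unref(r);
    return 0;
}

/* Deterministic replay of the race: the handler runs once before and once
 * after the removal path. Returns 1 when both calls complete correctly
 * (0 before removal, -1 after) without dereferencing a NULL room. */
int demo_safe_path(void) {
    room_t *room = room_new();
    subscriber_t *sub = subscriber_new(room);
    int before = handle_safe(sub);
    subscriber_remove(sub);            /* the racing partner clears sub->room */
    int after = handle_safe(sub);      /* returns -1 instead of crashing */
    free(sub);
    room_unref(room);
    return before == 0 && after == -1;
}

int main(void) {
    printf("safe handler survives subscriber removal: %s\n",
           demo_safe_path() ? "yes" : "no");
    return 0;
}
```

The point for the Janus case is the ordering: the NULL pointer is a symptom, and adding a bare `if (videoroom == NULL)` check in the handler only narrows the window. The check and the reference acquisition have to happen under the lock that the removal path also takes, which is what `handle_safe` does and `handle_unsafe` does not.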

jongirard (Author) commented

Hi @atoppi, here are the logs from the ASAN output: https://gist.github.com/jongirard/39a0f5073c6d83a377fa0f192074f31f

In addition, I'll provide the Janus logs just before the crash occurs (feel free to disregard if it isn't helpful). https://gist.github.com/jongirard/a908bdb66e0e44a1ae120c4ec15c629c

atoppi (Member) commented Jan 11, 2025

Please try again with:

  • janus master
  • libnice 0.1.22
  • libwebsockets 4.3.3

It would also help having:

  • some details about your environment
  • instructions on how to repeat the crash by ourselves
