[pjsip] pjsip crash (possible heap corruption?)

Anshuman S. Rawat arawat at 3clogic.com
Thu Jun 14 06:07:40 EDT 2012


I am using PJSIP with UDP on Windows XP and am repeatedly seeing crashes all over the place. Actually this started happening after I increased PJSIP_POOL_RDATA_LEN and PJSIP_POOL_RDATA_INC size to 8000 (I have reverted it for now).
I tried to debug using WinDbg and this is what I get:

(668.ea8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000002 ebx=07f00ec4 ecx=04a10858 edx=0be3e1a0 esi=7c911583 edi=00000000
eip=10032ff1 esp=0834fee4 ebp=0834ff1c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
10032ff1 8b4214          mov     eax,dword ptr [edx+14h] ds:0023:0be3e1b4=????????
0:009> k
ChildEBP RetAddr  
0834ff1c 10032d14 sipPhone!poll_iocp+0xd1 [d:\src\pjsip\pjlib\src\pj\ioqueue_winnt.c @ 702]
0834ff44 101cfcb0 sipPhone!pj_ioqueue_poll+0x64 [d:\src\pjsip\pjlib\src\pj\ioqueue_winnt.c @ 917]
0834ff6c 10005bea sipPhone!pjsip_endpt_handle_events2+0xb0 [d:\src\pjsip\pjsip\src\pjsip\sip_endpoint.c @ 719]
0834ff90 10004ab4 sipPhone!pjsua_handle_events+0x3a [d:\pjsip\pjsip\src\pjsua-lib\pjsua_core.c @ 1769]
0834ffa0 10027680 sipPhone!worker_thread+0x14 [d:\src\pjsip\pjsip\src\pjsua-lib\pjsua_core.c @ 792]
0834ffb4 7c80b729 sipPhone!thread_main+0x40 [d:\src\pjsip\pjlib\src\pj\os_core_win32.c @ 435]
0834ffec 00000000 kernel32!BaseThreadStart+0x37

Line 702 in ioqueue_winnt.c:

switch (pOv->operation) {

Checking pOv in WinDbg reveals:

0:009> dt pov
Local var @ 0x834ff08 Type generic_overlapped*
   +0x000 overlapped       : _OVERLAPPED
   +0x014 operation        : ??
Memory read error 0be3e1b4

Checking for 0x0be3e1a0 in the heap reveals:

0:009> !heap -p -a 0x0be3e1a0
    address 0be3e1a0 found in
    _DPH_HEAP_ROOT @ 2811000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    c04ad38:          be3e000             5000
    7c927573 ntdll!RtlFreeHeap+0x000000f9
    78134c39 MSVCR80!free+0x000000cd
    100320d8 sipPhone!default_block_free+0x00000038
    1002e7f8 sipPhone!reset_pool+0x00000078
    1002e775 sipPhone!pj_pool_reset+0x00000015
    101e2c7f sipPhone!udp_on_read_complete+0x0000020f
    10033042 sipPhone!poll_iocp+0x00000122
    10032d14 sipPhone!pj_ioqueue_poll+0x00000064
    101cfcb0 sipPhone!pjsip_endpt_handle_events2+0x000000b0
    10005bea sipPhone!pjsua_handle_events+0x0000003a
    10004ab4 sipPhone!worker_thread+0x00000014
    10027680 sipPhone!thread_main+0x00000040
    7c80b729 kernel32!BaseThreadStart+0x00000037

Looks like heap corruption. This shouldn't be happening. Any pointers on how to go about fixing this?


PS: I am working with pjsip 1.8.10
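As an added illustration, not PJSIP's code and not a confirmed root cause, here is a toy C model of the ordering the two stack traces suggest: a read-completion callback resets the pool that owns the overlapped structure, and the poll loop afterwards reads `pOv->operation` (at offset 0x14, as in the `dt pov` output) from released memory. The pool, the callback and all names here are assumptions made for this model; the reset poisons the block so a stale read is visible, much as page heap turns it into the access violation seen above.

```c
/* Added example: toy model of a use-after-pool-reset, not PJSIP source. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 256
#define POISON    0xDD   /* fill released pool memory so a stale read stands out */

typedef struct { unsigned char buf[POOL_SIZE]; size_t used; } toy_pool;   /* assumed */
typedef struct {
    unsigned char overlapped[20];   /* stands in for _OVERLAPPED (0x14 bytes) */
    uint32_t      operation;        /* lands at +0x14, matching the dump above */
} generic_overlapped;

enum { OP_READ = 1, OP_WRITE = 2 };

static void *toy_pool_alloc(toy_pool *p, size_t n) {
    if (p->used + n > POOL_SIZE) return NULL;
    void *ptr = p->buf + p->used;
    p->used += n;
    return ptr;
}

/* Models pj_pool_reset: everything handed out from the pool is released at once.
 * Poisoning the bytes plays the role page heap played in the crash: any later
 * dereference returns garbage instead of the value that used to be there. */
static void toy_pool_reset(toy_pool *p) { memset(p->buf, POISON, POOL_SIZE); p->used = 0; }

/* Assumed callback that owns the rdata pool and resets it when the read is done. */
static void on_read_complete(toy_pool *rdata_pool) { toy_pool_reset(rdata_pool); }

/* Buggy poll: dereferences pOv after the callback has released its pool. */
uint32_t poll_buggy(toy_pool *rdata_pool) {
    generic_overlapped *pOv = toy_pool_alloc(rdata_pool, sizeof *pOv);
    pOv->operation = OP_READ;
    on_read_complete(rdata_pool);
    return pOv->operation;          /* stale read: yields the 0xDDDDDDDD poison */
}

/* Fixed poll: copies what it needs out of pOv before handing control away. */
uint32_t poll_fixed(toy_pool *rdata_pool) {
    generic_overlapped *pOv = toy_pool_alloc(rdata_pool, sizeof *pOv);
    pOv->operation = OP_READ;
    uint32_t op = pOv->operation;   /* snapshot while the block is still live */
    on_read_complete(rdata_pool);
    return op;
}

/* Runs one variant on a fresh pool and returns the operation it observed. */
uint32_t run_poll(int fixed) {
    static toy_pool pool;
    memset(&pool, 0, sizeof pool);
    return fixed ? poll_fixed(&pool) : poll_buggy(&pool);
}
```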