[Live-devel] Tricky bug in RTSP-on-HTTP server implementation?

Cristiano Belloni belloni at imavis.com
Sat Oct 23 08:06:19 PDT 2010


On 23/10/2010 05:44, Ross Finlayson wrote:
> OK, I have now installed a new version (2010.10.23) of the "LIVE555 
> Streaming Media" code that should overcome this problem.
Dear Ross,
the new version works correctly (no more ignored RTSP requests), but it 
seems to introduce a new bug, this time in memory management. Glibc 
seems to crash on a double free or corruption when the RTSP connection 
is abruptly closed (I could see this behaviour on VLC every time I 
closed the client by clicking on the "close" button on the VLC window - I 
haven't had time to analyze the network dump yet, and I don't know 
if VLC sends a TEARDOWN or closes the socket directly in that case).
Please note that this happens *not only* on HTTP-over-RTSP connections, 
but on RTSP/UDP and RTSP/TCP sessions too.
Here's the backtrace:

*** glibc detected *** ./rtspServer: double free or corruption (out): 0x406e5008 ***
======= Backtrace: =========
/lib/libc.so.6[0x40231f3c]
/lib/libc.so.6(cfree+0xa0)[0x40233bd0]
./rtspServer(_ZN15OutPacketBufferD1Ev+0x18)[0x5e9e8]
./rtspServer(_ZN18MultiFramedRTPSinkD2Ev+0x28)[0x6b160]
./rtspServer(_ZN12VideoRTPSinkD2Ev+0x14)[0x6b45c]
./rtspServer(_ZN19JPEGRSTVideoRTPSinkD0Ev+0x14)[0x47518]
./rtspServer(_ZN16MediaLookupTable6removeEPKc+0x60)[0x479c4]
./rtspServer(_ZN11StreamState7reclaimEv+0x24)[0x7e654]
./rtspServer(_ZN11StreamStateD0Ev+0x14)[0x7e978]
./rtspServer(_ZN29OnDemandServerMediaSubsession12deleteStreamEjRPv+0x78)[0x7ef4c]
./rtspServer(_ZN10RTSPServer17RTSPClientSession19reclaimStreamStatesEv+0x60)[0x6e8bc]
./rtspServer(_ZN10RTSPServer17RTSPClientSessionD2Ev+0xbc)[0x7222c]
./rtspServer(_ZN15LimitRTSPServer22LimitRTSPClientSessionD0Ev+0x44)[0x46e7c]
./rtspServer(_ZN10RTSPServer17RTSPClientSession18handleRequestBytesEi+0x3a8)[0x6fae4]
./rtspServer(_ZN10RTSPServer17RTSPClientSession23incomingRequestHandler1Ev+0x48)[0x6fe28]
./rtspServer(_ZN18BasicTaskScheduler10SingleStepEj+0x1ec)[0x91904]
./rtspServer(_ZN19BasicTaskScheduler011doEventLoopEPc+0x20)[0x90c84]
./rtspServer(_Z8mainLoopP16UsageEnvironmentjjPc+0x614)[0x449e8]
./rtspServer(main+0x3c)[0x410f4]
/lib/libc.so.6(__libc_start_main+0x120)[0x401ddfd4]
======= Memory map: ========
00008000-000ba000 r-xp 00000000 fe:01 68090      /usr/local/rtspServer/rtspServer
000c2000-000c7000 rw-p 000b2000 fe:01 68090      /usr/local/rtspServer/rtspServer
000c7000-00162000 rwxp 000c7000 00:00 0          [heap]
40000000-4001d000 r-xp 00000000 fe:01 92962      /lib/ld-2.8.so
4001d000-40021000 rw-p 4001d000 00:00 0
40021000-40022000 rw-s 00000000 00:0e 11139      /dev/shm/sem.sem_empty_c1SnPP
40022000-40023000 rw-s 00000000 00:0e 11140      /dev/shm/sem.sem_fill_WIxeyt
40023000-40024000 rw-p 40023000 00:00 0
40024000-40025000 r--p 0001c000 fe:01 92962      /lib/ld-2.8.so
40025000-40026000 rw-p 0001d000 fe:01 92962      /lib/ld-2.8.so
40026000-4002c000 r-xp 00000000 fe:01 92946      /lib/librt-2.8.so
4002c000-40033000 ---p 00006000 fe:01 92946      /lib/librt-2.8.so
40033000-40034000 r--p 00005000 fe:01 92946      /lib/librt-2.8.so
40034000-40035000 rw-p 00006000 fe:01 92946      /lib/librt-2.8.so
40035000-400f6000 r-xp 00000000 fe:01 32631      /usr/lib/libstdc++.so.6.0.10
400f6000-400fd000 ---p 000c1000 fe:01 32631      /usr/lib/libstdc++.so.6.0.10
400fd000-40100000 r--p 000c0000 fe:01 32631      /usr/lib/libstdc++.so.6.0.10
40100000-40102000 rw-p 000c3000 fe:01 32631      /usr/lib/libstdc++.so.6.0.10
40102000-40107000 rw-p 40102000 00:00 0
40107000-401ac000 r-xp 00000000 fe:01 92936      /lib/libm-2.8.so
401ac000-401b3000 ---p 000a5000 fe:01 92936      /lib/libm-2.8.so
401b3000-401b4000 r--p 000a4000 fe:01 92936      /lib/libm-2.8.so
401b4000-401b5000 rw-p 000a5000 fe:01 92936      /lib/libm-2.8.so
401b5000-401c1000 r-xp 00000000 fe:01 92971      /lib/libgcc_s.so.1
401c1000-401c8000 ---p 0000c000 fe:01 92971      /lib/libgcc_s.so.1
401c8000-401c9000 rw-p 0000b000 fe:01 92971      /lib/libgcc_s.so.1
401c9000-402e6000 r-xp 00000000 fe:01 92950      /lib/libc-2.8.so
402e6000-402ed000 ---p 0011d000 fe:01 92950      /lib/libc-2.8.so
402ed000-402ef000 r--p 0011c000 fe:01 92950      /lib/libc-2.8.so
402ef000-402f0000 rw-p 0011e000 fe:01 92950      /lib/libc-2.8.so
402f0000-402f3000 rw-p 402f0000 00:00 0
402f3000-40307000 r-xp 00000000 fe:01 92964      /lib/libpthread-2.8.so
40307000-4030f000 ---p 00014000 fe:01 92964      /lib/libpthread-2.8.so
4030f000-40310000 r--p 00014000 fe:01 92964      /lib/libpthread-2.8.so
40310000-40311000 rw-p 00015000 fe:01 92964      /lib/libpthread-2.8.so
40311000-40313000 rw-p 40311000 00:00 0
40313000-404fc000 rw-s 00000000 00:07 1310727    /SYSV000005d0 (deleted)
404fc000-406e5000 rw-s 00000000 00:07 1310727    /SYSV000005d0 (deleted)
406e5000-407da000 rw-p 406e5000 00:00 0
40800000-40821000 rw-p 40800000 00:00 0
40821000-40900000 ---p 40821000 00:00 0
be9a8000-be9bd000 rwxp be9a8000 00:00 0          [stack]

If you need more info, I'm gonna collect them as soon as I can.

Best Regards,
Cristiano.

-- 
Belloni Cristiano
Imavis Srl.
www.imavis.com <http://www.imavis.com>
belloni at imavis.com <mailto://belloni@imavis.com>
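
A triage helper for abort reports like the one above, added here as an example; it is not part of the original post or of the LIVE555 code. It extracts the pointer glibc complained about, finds the mapping that contains it and the mapping just below it, and lists the frames inside the crashing binary. The function name `triage` and the embedded excerpt (wrapped lines rejoined) are this example's own.

```python
import re

# Excerpt of the report above, wrapped lines rejoined; only the lines used here.
REPORT = """\
*** glibc detected *** ./rtspServer: double free or corruption (out): 0x406e5008 ***
======= Backtrace: =========
/lib/libc.so.6(cfree+0xa0)[0x40233bd0]
./rtspServer(_ZN15OutPacketBufferD1Ev+0x18)[0x5e9e8]
./rtspServer(_ZN18MultiFramedRTPSinkD2Ev+0x28)[0x6b160]
======= Memory map: ========
000c7000-00162000 rwxp 000c7000 00:00 0          [heap]
404fc000-406e5000 rw-s 00000000 00:07 1310727    /SYSV000005d0 (deleted)
406e5000-407da000 rw-p 406e5000 00:00 0
40800000-40821000 rw-p 40800000 00:00 0
be9a8000-be9bd000 rwxp be9a8000 00:00 0          [stack]
"""

HEADER = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (.+?): (0x[0-9a-f]+) \*\*\*")
FRAME = re.compile(r"^(\S+?)\((\w+)\+0x([0-9a-f]+)\)\[0x[0-9a-f]+\]$")
MAPPING = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")

def triage(report):
    """Return (error, pointer, containing mapping, mapping below it, app frames)."""
    head = HEADER.search(report)
    if head is None:
        raise ValueError("no glibc abort header found")
    ptr = int(head.group(3), 16)
    maps, frames = [], []
    for line in report.splitlines():
        m = MAPPING.match(line)
        if m:
            maps.append((int(m.group(1), 16), int(m.group(2), 16),
                         m.group(3), m.group(4) or "[anonymous]"))
        f = FRAME.match(line)
        if f and f.group(1) == head.group(1):  # keep frames from the crashing binary
            frames.append(f.group(2))
    maps.sort()
    hit = next((i for i, (lo, hi, _, _) in enumerate(maps) if lo <= ptr < hi), None)
    inside = maps[hit] if hit is not None else None
    below = maps[hit - 1] if hit else None     # None for the first mapping or no hit
    return head.group(2), ptr, inside, below, frames

if __name__ == "__main__":
    error, ptr, inside, below, frames = triage(REPORT)
    print(error, hex(ptr), inside, below, frames, sep="\n")
```

On the excerpt, the pointer resolves to offset 8 of the anonymous mapping that starts exactly where the `/SYSV000005d0` shared-memory segment ends, and not to `[heap]`.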