Rarely crashes on SendSctpData when enableSctp is enabled

satoren · July 7, 2023, 10:29am

I was investigating the crash and found a code that I assume is a workaround for a similar problem, so I have a question about it.

github.com

versatica/mediasoup/blob/760f203dfe19aabe2e46684d8c7814e3cee6dd30/worker/src/RTC/Transport.cpp#L3050


      
          
          	inline void Transport::OnSctpAssociationSendData(
          	  RTC::SctpAssociation* /*sctpAssociation*/, const uint8_t* data, size_t len)
          	{
          		MS_TRACE();
          
          		// Ignore if destroying.
          		// NOTE: This is because when the child class (i.e. WebRtcTransport) is deleted,
          		// its destructor is called first and then the parent Transport's destructor,
          		// and we would end here calling SendSctpData() which is an abstract method.
          		if (this->destroying)
          		{
          			return;
          		}
          
          		if (this->sctpAssociation)
          		{
          			SendSctpData(data, len);
          		}
          	}

In what cases has this destroying flag been effective? It appears that both the destructor of Transport and the destructor of onSendSctpData are called in one thread of Worker, is this correct? If so, in what case was onSendSctpData called during the Transport destructor?

If onSendSctpData is ever called during the destruction,Since this flag is set to true in the Transport destructor, the effect of this flag appears to be limited since the WebRTCTransport was destroyed prior to that time as noted in the comments.

Thanks for reading.

ibc · July 7, 2023, 10:43am

this.destroyed is a member of the parent Transport class so it still exists at this time. However the WebRtcTransport child class was destroyed so we should NOT call SendSctpData() anymore since it’s an abstract method only defined in child classes.

satoren · July 7, 2023, 2:53pm

Do the following cases occur?

WebRtcTransport destructor executes (delete dtlsTransport)
onSendSctpData is called (destroying is still false but dtlsTransport or iceServer is null or
freed address)
Transport destructor executes (destroyed set to true)

Crashes without reaching 3

ibc · July 7, 2023, 3:31pm

I cannot check it now but I wrote that code for a reason (to avoid a crash). Not sure if it’s crashing for you or what. Is it? I’ll check the flow you said next week.

snnz · July 7, 2023, 4:49pm

This is what one would expect. Destructor of the derived class is called before the destructor of the base class. Either this or some other flag should be set before WebRtcTransport starts disposing its resources.

satoren · July 10, 2023, 2:01am

Upon further investigation of the code, I discovered an interesting problem.
This may only occur in the Rust version where there are multiple Workers in one process.

The thread that creates/executes the WebRTCTransport and the thread onSendSctpData may be different.
This checker is thread local, but is only executed on the first Worker thread created (since numSctpAssociations is a normal global variable).

github.com

versatica/mediasoup/blob/760f203dfe19aabe2e46684d8c7814e3cee6dd30/worker/src/DepUsrSCTP.cpp#L163


      
          
          	auto it = DepUsrSCTP::mapIdSctpAssociation.find(sctpAssociation->id);
          
          	MS_ASSERT(
          	  it == DepUsrSCTP::mapIdSctpAssociation.end(),
          	  "the id of the SctpAssociation is already in the map");
          
          	DepUsrSCTP::mapIdSctpAssociation[sctpAssociation->id] = sctpAssociation;
          
          	if (++DepUsrSCTP::numSctpAssociations == 1u)
          		DepUsrSCTP::checker->Start();
          }
          
          void DepUsrSCTP::DeregisterSctpAssociation(RTC::SctpAssociation* sctpAssociation)
          {
          	MS_TRACE();
          
          	std::lock_guard<std::mutex> lock(GlobalSyncMutex);
          
          	MS_ASSERT(DepUsrSCTP::checker != nullptr, "Checker not created");

Then, Transports created in the second Workers appear to be executed in the thread of the first Worker.
Perhaps if this could be called in the same Worker thread that created the Transport, the crash would be eliminated. However, the usrsctp interface is difficult, and I did not know if that method was possible.

ibc · July 10, 2023, 9:07am

I think we should fix the bug properly since IMHO it could indeed also happen in mediasoup Node. PR done here, please @satoren check it:

github.com/versatica/mediasoup

worker: Add Transport::Destroying() protected method

versatica:v3 ← versatica:transport-destroying

opened 09:06AM - 10 Jul 23 UTC

ibc

+25 -3

Must be called by `Transport` child classes at the top of their destructors. …Related to https://mediasoup.discourse.group/t/rarely-crashes-on-sendsctpdata-when-enablesctp-is-enabled/5340/ @nazar-pc as told in the forum, this bug only affected Rust although I think that it could perfectly affect mediasoup Node as well.

satoren · July 11, 2023, 12:17am

Thank you for fix crash.

However, I believe the Rust version still has the following problems.

Create Worker1 and Transport1 (create DepUsrSCTP::Checker and into DepUsrSCTP::checker as thread local variable)
Create Worker2 and Transport2
Destroy Worker1 and Transport1

DepUsrSCTP::Checker is not deleted because numSctpAssociations is greater than 1, but the worker thread that runs it is stopped
And DepUsrSCTP::Checker leaks because there is no holding the pointer to checker

ibc · July 11, 2023, 2:25pm

@satoren can you please report an issue for this in GH?

satoren · July 13, 2023, 7:41am

Write a reproducible test and then create an GH issue.

ibc · July 13, 2023, 8:54am

Yes please. Thanks.

Topic		Replies	Views
Mediasoup SFU not emiting close event on transport when client transport closes mediasoup libraries	5	543	January 6, 2022
Transport Connection closes frequently mediasoup libraries	6	1578	April 27, 2020
Browser reload behavior mediasoup libraries	4	307	December 1, 2020
Checking for wrtc-transport disconnect on server side. mediasoup libraries	4	427	July 8, 2020
does transport.close() on server side tiggers transport close on client side? mediasoup libraries	5	214	November 4, 2022

Rarely crashes on SendSctpData when enableSctp is enabled

Related Topics