pjproject
Crash on network change under Android
Describe the bug
When toggling Android mobile Wi-Fi on/off several times, the app crashes.
Steps to reproduce
- Run the pjsua2 Android app in Android Studio Bumblebee 2021.1.1 Patch 3.
- Configure a SIP account using TCP transport and connect to the server successfully.
- Turn Wi-Fi off and on again; repeat several times until the crash happens.
PJSIP version
2.12
Context
- Android 9
Log, call stack, etc
libc : ../src/pjsua-lib/pjsua_acc.c:1790: acc_check_nat_addr: assertion "contact_hdr != ((void*)0)" failed
libc : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 12301 (Thread-159), pid 12238 (jsip.pjsua2.app)
DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
DEBUG : Build fingerprint: 'google/blueline/blueline:12/SP1A.210812.016.C1/8029091:user/release-keys'
DEBUG : Revision: 'MP1.0'
DEBUG : ABI: 'arm64'
DEBUG : Timestamp: 2022-04-27 09:42:49.647114754+0800
DEBUG : Process uptime: 0s
DEBUG : Cmdline: org.pjsip.pjusa2.app
DEBUG : pid: 12238, tid: 12301, name: Thread-159 >>> org.pjsip.pjusa2.app <<<
DEBUG : uid: 10211
DEBUG : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
DEBUG : Abort message: '../src/pjsua-lib/pjsua_acc.c:1790: acc_check_nat_addr: assertion "contact_hdr != ((void*)0)" failed'
DEBUG : x0 0000000000000000 x1 000000000000300d x2 0000000000000006 x3 00000074010a8320
DEBUG : x4 0000008080808080 x5 0000008080808080 x6 0000008080808080 x7 8080808080000000
DEBUG : x8 00000000000000f0 x9 5af491b4d4667120 x10 0000000000000000 x11 ffffff80fffffbdf
DEBUG : x12 0000000000000001 x13 0000000000000018 x14 00000009f8bf20da x15 0000000000000060
DEBUG : x16 0000007734348050 x17 0000007734324eb0 x18 00000074010a8b80 x19 0000000000002fce
DEBUG : x20 000000000000300d x21 00000000ffffffff x22 0000000000002fce x23 0000000000002ff0
DEBUG : x24 00000074010a9cb0 x25 00000074010a9cb0 x26 00000074010a9ff8 x27 00000000000fc000
DEBUG : x28 0000007400fb1000 x29 00000074010a83a0
DEBUG : lr 00000077342d7ba0 sp 00000074010a8300 pc 00000077342d7bcc pst 0000000000000000
DEBUG : backtrace:
DEBUG : #00 pc 000000000004fbcc /apex/com.android.runtime/lib64/bionic/libc.so (abort+164) (BuildId: ba489d4985c0cf173209da67405662f9)
DEBUG : #01 pc 000000000004ff70 /apex/com.android.runtime/lib64/bionic/libc.so (__assert2+36) (BuildId: ba489d4985c0cf173209da67405662f9)
DEBUG : #02 pc 0000000000390358 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #03 pc 000000000038fb28 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #04 pc 00000000003d702c /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #05 pc 00000000004203b4 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #06 pc 000000000041c770 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #07 pc 000000000041e4f4 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #08 pc 000000000041e08c /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #09 pc 000000000041cef8 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (pjsip_tsx_recv_msg+228) (BuildId: b2ffb236cc8
DEBUG : #10 pc 000000000041d8cc /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #11 pc 00000000003fdbb0 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (pjsip_endpt_process_rx_data+680) (BuildId: b2
DEBUG : #12 pc 00000000003fd0c0 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #13 pc 0000000000408224 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (pjsip_tpmgr_receive_packet+1912) (BuildId: b2
DEBUG : #14 pc 000000000040f944 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #15 pc 0000000000576d74 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #16 pc 0000000000577e48 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #17 pc 00000000005686e4 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #18 pc 000000000055ebc8 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (ioqueue_dispatch_read_event+872) (BuildId: b2
DEBUG : #19 pc 00000000005615b4 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (pj_ioqueue_poll+1224) (BuildId: b2ffb236cc8b8
DEBUG : #20 pc 00000000003fd640 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (pjsip_endpt_handle_events2+312) (BuildId: b2f
DEBUG : #21 pc 00000000003a3a14 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (pjsua_handle_events+68) (BuildId: b2ffb236cc8
DEBUG : #22 pc 00000000003a2f5c /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #23 pc 00000000005639c0 /data/app/~~6RZBIZEW3WkY5MUOkpO5Uw==/org.pjsip.pjusa2.app-pqNnNnuWfRlqCzv5R3J7fg==/lib/arm64/libpjsua2.so (BuildId: b2ffb236cc8b8d45af4ce028c8afbed8f3c3
DEBUG : #24 pc 00000000000b1910 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+264) (BuildId: ba489d4985c0cf173209da67405662f9)
DEBUG : #25 pc 00000000000513f0 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: ba489d4985c0cf173209da67405662f9)
When the crash happens, there are 2 Contact headers in the outgoing REGISTER SIP message:
Supported: outbound, path
Contact: <sip:account@internal_ip:40003;transport=TCP;ob>
Contact: <sip:account@external_ip:37551;transport=TCP;ob>;expires=0;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-0000e922f243>"
Expires: 60
With v2.11 pjsua2 Android, there is no such crash.
With v2.12, if accCfg.getNatConfig().setIceEnabled(false), this crash is easily reproduced; with accCfg.getNatConfig().setIceEnabled(true), it does not happen. When ICE is true, the contact has ";+sip.ice" appended.
With v2.11, whether accCfg.getNatConfig().setIceEnabled is true or false, I cannot reproduce this crash.
Perhaps you can check what the value of acc->contact is in acc_check_nat_addr() before the assertion happens, and why the parsing failed.
https://github.com/pjsip/pjproject/blob/master/pjsip/src/pjsua-lib/pjsua_acc.c#L1789
Thanks.
After checking, "acc->contact" ends with redundant bytes.
When the issue does not occur:
"<sip:test_account@host:port;transport=TCP;ob>", and "acc->contact.slen" is correct.
When the issue occurs:
"<sip:test_account@host:port;transport=TCP;ob>ob>", and "acc->contact.slen" does not include the last "ob>".
Source code like the line below cost me some additional time to check "acc->contact":
PJ_LOG(4, (THIS_FILE, "str = '%.*s'", (int)str->slen, str->ptr));
since it prints str using slen.
I tried PJ_LOG(4, (THIS_FILE, "str = '(len=%d)%s'", (int)str->slen, str->ptr));
and then found that the slen of "acc->contact" is not equal to strlen(ptr).

This issue happens in the auto_rereg_timer_cb function at pjsip/src/pjsua-lib/pjsua_acc.c:3884. pj_strcpy does not write the terminating NUL; after replacing pj_strcpy with pj_strdup_with_null, the issue disappears.
I suggest not comparing acc->contact.slen and tmp_contact.slen; if acc->contact and tmp_contact are found to be different, use pj_strdup_with_null to copy tmp_contact into acc->contact.
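The mechanism described in the comment above, as an added illustration that is not code from pjproject or from the reporter: a minimal stand-in for pjlib's length-prefixed string, with two copy routines that mirror the semantics the comment describes (pj_strcpy copying slen bytes into the existing buffer with no terminator, pj_strdup_with_null allocating slen + 1 bytes and terminating). The type and function names (lstr_t, lstr_copy, lstr_dup_with_null, simulate_update), the two Contact strings and the 3-byte length difference are constructed for this example; the resulting "…;ob>ob>" buffer is the same shape as the value the reporter observed, and the check at the end is the strlen-versus-slen comparison they used to find it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for pjlib's length-prefixed string (pj_str_t): `slen` is the
 * authoritative length and `ptr` is not guaranteed to be NUL-terminated.
 * The lstr_t / lstr_* names are hypothetical, chosen for this example. */
typedef struct {
    char *ptr;
    long  slen;
} lstr_t;

/* Models the pj_strcpy behaviour the report describes: copy slen bytes into
 * dst's EXISTING buffer and update slen. No terminator is written, so bytes
 * of a longer previous value beyond the new slen survive in the buffer. */
static lstr_t *lstr_copy(lstr_t *dst, const lstr_t *src)
{
    dst->slen = src->slen;
    if (src->slen > 0)
        memcpy(dst->ptr, src->ptr, (size_t)src->slen);
    return dst;
}

/* Models pj_strdup_with_null: a fresh buffer of slen + 1 bytes, NUL-terminated,
 * so the C-string view and the slen view of the string always agree. */
static lstr_t *lstr_dup_with_null(lstr_t *dst, const lstr_t *src)
{
    dst->ptr = malloc((size_t)src->slen + 1);
    if (src->slen > 0)
        memcpy(dst->ptr, src->ptr, (size_t)src->slen);
    dst->ptr[src->slen] = '\0';
    dst->slen = src->slen;
    return dst;
}

/* The check the reporter ended up doing by hand. A log line that prints
 * "%.*s" with slen hides the problem; comparing strlen(ptr) with slen exposes
 * it. Returns 1 when the C-string view is longer than slen says it is. */
static int lstr_has_trailing_garbage(const lstr_t *s)
{
    return strlen(s->ptr) != (size_t)s->slen;
}

/* Constructed contacts (not taken from the report): the local address changes
 * across the network switch and the new Contact is 3 bytes shorter. */
static const char OLD_CONTACT[] = "<sip:alice@192.168.1.2:40003;transport=TCP;ob>";
static const char NEW_CONTACT[] = "<sip:alice@10.8.0.2:40003;transport=TCP;ob>";

/* Simulates acc->contact being refreshed after a network change.
 * use_dup_with_null = 0 reproduces the buggy in-place copy,
 * use_dup_with_null = 1 the fix. The caller frees the returned ptr. */
static lstr_t simulate_update(int use_dup_with_null)
{
    lstr_t old = { (char *)OLD_CONTACT, (long)(sizeof(OLD_CONTACT) - 1) };
    lstr_t tmp = { (char *)NEW_CONTACT, (long)(sizeof(NEW_CONTACT) - 1) };
    lstr_t acc_contact;

    /* Initial registration: acc->contact gets its own terminated buffer. */
    lstr_dup_with_null(&acc_contact, &old);

    /* Re-registration after the IP change. */
    if (use_dup_with_null) {
        lstr_t fresh;
        lstr_dup_with_null(&fresh, &tmp);
        free(acc_contact.ptr);
        acc_contact = fresh;
    } else {
        /* 43 bytes overwrite the front of a 46-byte value; "ob>" remains. */
        lstr_copy(&acc_contact, &tmp);
    }
    return acc_contact;
}

int main(void)
{
    int i;
    for (i = 0; i < 2; i++) {
        lstr_t c = simulate_update(i);
        printf("%s copy:\n", i ? "dup_with_null" : "in-place");
        printf("  by slen  : '%.*s'\n", (int)c.slen, c.ptr); /* always looks fine */
        printf("  as C str : '%s'\n", c.ptr);                 /* shows the residue */
        printf("  mismatch : %s\n", lstr_has_trailing_garbage(&c) ? "yes" : "no");
        free(c.ptr);
    }
    return 0;
}
```

The point of the two printf lines is the one the reporter made about PJ_LOG: any consumer that trusts slen sees a valid Contact, while any consumer that reads the buffer as a C string sees the stale tail, so the two views of the same pj_str_t can disagree without anything in the normal log output revealing it.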
Could you please try the patch in #3102?
With the patch in #3102, I tried turning Wi-Fi off and on 30 times; no issue happened, and all registrations ran successfully after Wi-Fi came back on. The patch works for this issue.
Thanks for the confirmation.