SRS 6 crash: AddressSanitizer: heap-use-after-free #4472

@thegobot

XCORE-SRS/6.0.174(Hang)

Sep 04 15:02:06 Schrodinger srs[3615648]: [2025-09-04 15:02:06.717][INFO][3615648][6l85ov13] RTC: clear zombies=1 resources, conns=46, removing=0, unsubs=1
Sep 04 15:02:06 Schrodinger srs[3615648]: [2025-09-04 15:02:06.717][INFO][3615648][v1012l73] RTC: disposing #0 resource(RtcConn)(0x51d000361a80), conns=46, disposing=1, zombies=0
Sep 04 15:02:06 Schrodinger srs[3615648]: [2025-09-04 15:02:06.717][INFO][3615648][v1012l73] cleanup when unpublish, created=1, deliver=1
Sep 04 15:02:06 Schrodinger srs[3615648]: [2025-09-04 15:02:06.717][INFO][3615648][v1012l73] Qavg: 2094.429
Sep 04 15:02:06 Schrodinger srs[3615648]: [2025-09-04 15:02:06.717][WARN][3615648][v1012l73][22] 2 frames left in the queue on closing
Sep 04 15:02:06 Schrodinger srs[3615648]: =================================================================
Sep 04 15:02:06 Schrodinger srs[3615648]: ==3615648==ERROR: AddressSanitizer: heap-use-after-free on address 0x5020008f1738 at pc 0x58a8ef116e50 bp 0x79f1d1a5e310 sp 0x79f1d1a5e300
Sep 04 15:02:07 Schrodinger srs[3615648]: READ of size 8 at 0x5020008f1738 thread T0
Sep 04 15:02:07 Schrodinger srs[3615648]:     #0 0x58a8ef116e4f in SrsRtcConnectionNackTimer::on_timer(long) src/app/srs_app_rtc_conn.cpp:1767
Sep 04 15:02:07 Schrodinger srs[3615648]:     #1 0x58a8ef08990b in SrsFastTimer::cycle() src/app/srs_app_hourglass.cpp:187
Sep 04 15:02:07 Schrodinger srs[3615648]:     #2 0x58a8eee7b2a0 in SrsFastCoroutine::cycle() src/app/srs_app_st.cpp:309
Sep 04 15:02:07 Schrodinger srs[3615648]:     #3 0x58a8eee7b3eb in SrsFastCoroutine::pfn(void*) src/app/srs_app_st.cpp:324
Sep 04 15:02:07 Schrodinger srs[3615648]:     #4 0x58a8ef20e3e4 in _st_thread_main /root/srs6/srs/trunk/objs/Platform-SRS6-Linux-6.11.0-GCC13.3.0-x86_64/st-srs/sched.c:380
Sep 04 15:02:07 Schrodinger srs[3615648]:     #5 0x58a8ef20ed19 in st_thread_create /root/srs6/srs/trunk/objs/Platform-SRS6-Linux-6.11.0-GCC13.3.0-x86_64/st-srs/sched.c:666
Sep 04 15:02:07 Schrodinger srs[3615648]:     #6 0x502000001c2f  (<unknown module>)
Sep 04 15:02:07 Schrodinger srs[3615648]: 0x5020008f1738 is located 8 bytes inside of 16-byte region [0x5020008f1730,0x5020008f1740)
Sep 04 15:02:07 Schrodinger srs[3615648]: freed by thread T0 here:
Sep 04 15:02:07 Schrodinger srs[3615648]:     #0 0x58a8eeb15f78 in operator delete(void*) (/usr/local/srs/objs/srs+0x481f78) (BuildId: 8325720507c993c8f6d6ff93af0b888bb2cca27c)
Sep 04 15:02:07 Schrodinger srs[3615648]: previously allocated by thread T0 here:
Sep 04 15:02:07 Schrodinger srs[3615648]:     #0 0x58a8eeb15418 in operator new(unsigned long) (/usr/local/srs/objs/srs+0x481418) (BuildId: 8325720507c993c8f6d6ff93af0b888bb2cca27c)
Sep 04 15:02:07 Schrodinger srs[3615648]: SUMMARY: AddressSanitizer: heap-use-after-free src/app/srs_app_rtc_conn.cpp:1767 in SrsRtcConnectionNackTimer::on_timer(long)
Sep 04 15:02:07 Schrodinger srs[3615648]: Shadow bytes around the buggy address:
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1480: fa fa 00 00 fa fa 00 00 fa fa fa fa fa fa fa fa
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1500: fa fa fd fd fa fa fa fa fa fa fd fa fa fa fd fd
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1580: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fd fd
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 04 15:02:07 Schrodinger srs[3615648]: =>0x5020008f1700: fa fa fa fa fa fa fd[fd]fa fa fd fd fa fa fd fd
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1780: fa fa fd fa fa fa 00 00 fa fa fd fd fa fa fa fa
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1800: fa fa fa fa fa fa fd fa fa fa fa fa fa fa fa fa
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1880: fa fa fd fd fa fa fa fa fa fa fd fd fa fa fa fa
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1900: fa fa fa fa fa fa 00 00 fa fa fa fa fa fa fd fd
Sep 04 15:02:07 Schrodinger srs[3615648]:   0x5020008f1980: fa fa fa fa fa fa fa fa fa fa fd fa fa fa fa fa
Sep 04 15:02:07 Schrodinger srs[3615648]: Shadow byte legend (one shadow byte represents 8 application bytes):
Sep 04 15:02:07 Schrodinger srs[3615648]:   Addressable:           00
Sep 04 15:02:07 Schrodinger srs[3615648]:   Partially addressable: 01 02 03 04 05 06 07
Sep 04 15:02:07 Schrodinger srs[3615648]:   Heap left redzone:       fa
Sep 04 15:02:07 Schrodinger srs[3615648]:   Freed heap region:       fd
Sep 04 15:02:07 Schrodinger srs[3615648]:   Stack left redzone:      f1
Sep 04 15:02:07 Schrodinger srs[3615648]:   Stack mid redzone:       f2
Sep 04 15:02:07 Schrodinger srs[3615648]:   Stack right redzone:     f3
Sep 04 15:02:07 Schrodinger srs[3615648]:   Stack after return:      f5
Sep 04 15:02:07 Schrodinger srs[3615648]:   Stack use after scope:   f8
Sep 04 15:02:07 Schrodinger srs[3615648]:   Global redzone:          f9
Sep 04 15:02:07 Schrodinger srs[3615648]:   Global init order:       f6
Sep 04 15:02:07 Schrodinger srs[3615648]:   Poisoned by user:        f7
Sep 04 15:02:07 Schrodinger srs[3615648]:   Container overflow:      fc
Sep 04 15:02:07 Schrodinger srs[3615648]:   Array cookie:            ac
Sep 04 15:02:07 Schrodinger srs[3615648]:   Intra object redzone:    bb
Sep 04 15:02:07 Schrodinger srs[3615648]:   ASan internal:           fe
Sep 04 15:02:07 Schrodinger srs[3615648]:   Left alloca redzone:     ca
Sep 04 15:02:07 Schrodinger srs[3615648]:   Right alloca redzone:    cb
Sep 04 15:02:08 Schrodinger srs[3615648]: ==3615648==ABORTING
Sep 04 15:02:08 Schrodinger systemd[1]: srs.service: Main process exited, code=exited, status=1/FAILURE
Sep 04 15:02:08 Schrodinger systemd[1]: srs.service: Failed with result 'exit-code'.
Sep 04 15:02:08 Schrodinger systemd[1]: srs.service: Consumed 2d 6h 17min 11.478s CPU time, 1.7G memory peak, 28.0M memory swap peak.
