AddressSanitizer: heap-use-after-free in nice_component_remove_socket()
I'm running a GStreamer WebRTC pipeline and see this error almost every time with libnice master:
=================================================================
==8732==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000408a8 at pc 0x7fc4fe36dacd bp 0x7fc4f7e163a0 sp 0x7fc4f7e16390
READ of size 8 at 0x60d0000408a8 thread T11 (nicesrc0:src)
#0 0x7fc4fe36dacc in conn_check_prune_socket ../subprojects/libnice/agent/conncheck.c:4303
#1 0x7fc4fe355d58 in nice_component_remove_socket ../subprojects/libnice/agent/component.c:206
#2 0x7fc4fe350278 in component_io_cb ../subprojects/libnice/agent/agent.c:5375
#3 0x7fc501a81b88 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x7fb88)
#4 0x7fc501cf1ae7 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4dae7)
#5 0x7fc501cf1ed7 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4ded7)
#6 0x7fc501cf21d1 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e1d1)
#7 0x7fc4f8a06f8e in gst_nice_src_create ../subprojects/libnice/gst/gstnicesrc.c:291
#8 0x7fc4fe27ca4c in gst_base_src_get_range ../subprojects/gstreamer/libs/gst/base/gstbasesrc.c:2521
#9 0x7fc4fe2824d5 in gst_base_src_loop ../subprojects/gstreamer/libs/gst/base/gstbasesrc.c:2845
#10 0x7fc4fffb031b in gst_task_func ../subprojects/gstreamer/gst/gsttask.c:328
#11 0x7fc501d1aad2 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x76ad2)
#12 0x7fc501d1a134 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x76134)
#13 0x7fc506d61163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163)
#14 0x7fc506e94dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11adee)
0x60d0000408a8 is located 136 bytes inside of 144-byte region [0x60d000040820,0x60d0000408b0)
freed by thread T11 (nicesrc0:src) here:
#0 0x7fc507066b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
#1 0x7fc4fe355c0c in nice_component_remove_socket ../subprojects/libnice/agent/component.c:198
#2 0x7fc4fe350278 in component_io_cb ../subprojects/libnice/agent/agent.c:5375
#3 0x7fc501a81b88 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x7fb88)
previously allocated by thread T11 (nicesrc0:src) here:
#0 0x7fc507066f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
#1 0x7fc501cf7650 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x53650)
#2 0x7fc4fe372896 in discovery_add_peer_reflexive_candidate ../subprojects/libnice/agent/discovery.c:810
#3 0x7fc4fe36c801 in priv_process_response_check_for_reflexive ../subprojects/libnice/agent/conncheck.c:3063
#4 0x7fc4fe36c801 in priv_map_reply_to_conn_check_request ../subprojects/libnice/agent/conncheck.c:3181
#5 0x7fc4fe36c801 in conn_check_handle_inbound_stun ../subprojects/libnice/agent/conncheck.c:4253
#6 0x7fc4fe34ec32 in agent_recv_message_unlocked ../subprojects/libnice/agent/agent.c:3982
#7 0x7fc4fe34ff1c in component_io_cb ../subprojects/libnice/agent/agent.c:5298
#8 0x7fc501a81b88 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x7fb88)
Thread T11 (nicesrc0:src) created by T3 (gst-pc-ops) here:
#0 0x7fc506fc3e5f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x4ae5f)
#1 0x7fc501d382df (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x942df)
Thread T3 (gst-pc-ops) created by T0 here:
#0 0x7fc506fc3e5f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x4ae5f)
#1 0x7fc501d382df (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x942df)
SUMMARY: AddressSanitizer: heap-use-after-free ../subprojects/libnice/agent/conncheck.c:4303 in conn_check_prune_socket
Shadow bytes around the buggy address:
0x0c1a800000c0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c1a800000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a800000e0: 00 00 fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c1a800000f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1a80000100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1a80000110: fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fd fd
0x0c1a80000120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1a80000130: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1a80000140: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x0c1a80000150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a80000160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8732==ABORTING
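Reading the report: the free (nice_component_remove_socket, component.c:198) and the READ (conn_check_prune_socket, conncheck.c:4303, called from component.c:206) are on the same thread T11 and in the same call of component_io_cb, so this is an ordering problem inside one socket-removal path rather than a cross-thread race. The freed object is a peer-reflexive candidate allocated in discovery_add_peer_reflexive_candidate (discovery.c:810), and the read is 8 bytes at offset 136 of the 144-byte object, i.e. a pointer-sized field near its end that the prune still consults. The C model below is an added example, not libnice code: struct names, layouts and the remove/prune helpers are hypothetical stand-ins, and the "fixed" ordering is one common remediation pattern (prune references before freeing), not necessarily the change libnice made. Compiled with -fsanitize=address -DDEMO_UAF it reproduces the same class of heap-use-after-free; without -DDEMO_UAF it runs the safe order.

```c
/* Constructed model of the ordering in the trace above: the candidates bound
 * to a socket are freed first, then the check list that still points at them
 * is pruned. Names and struct layouts are hypothetical (not libnice's code).
 * Build: cc -fsanitize=address -DDEMO_UAF uaf.c  -> ASan heap-use-after-free. */
#include <stdio.h>
#include <stdlib.h>

struct sock { int fd; };
/* Candidate remembering the socket it was learned on. The trace reads 8 bytes
 * at offset 136 of a 144-byte object: a pointer-sized field at its end. */
struct candidate { struct candidate *next; struct sock *sockptr; };
/* Connectivity-check pair referencing a local candidate. */
struct pair { struct pair *next; struct candidate *local; };
struct component { struct candidate *local_candidates; struct pair *conncheck_list; };

/* Drop every pair whose local candidate uses sock. Reads through pair->local,
 * so it is only safe while those candidates are still allocated. */
static int prune_pairs_for_socket(struct component *c, struct sock *sock)
{
    int pruned = 0;
    for (struct pair **pp = &c->conncheck_list; *pp; ) {
        struct pair *p = *pp;
        if (p->local->sockptr != sock) { pp = &p->next; continue; } /* the READ */
        *pp = p->next;
        free(p);
        pruned++;
    }
    return pruned;
}

/* Unlink and free every candidate learned on sock. */
static int free_candidates_for_socket(struct component *c, struct sock *sock)
{
    int freed = 0;
    for (struct candidate **cp = &c->local_candidates; *cp; ) {
        struct candidate *cand = *cp;
        if (cand->sockptr != sock) { cp = &cand->next; continue; }
        *cp = cand->next;
        free(cand);                     /* the free in the trace */
        freed++;
    }
    return freed;
}

#ifdef DEMO_UAF
/* Same order as the trace: free (component.c:198) before prune
 * (component.c:206 -> conncheck.c:4303), so the prune reads freed memory. */
static int remove_socket(struct component *c, struct sock *sock)
{
    free_candidates_for_socket(c, sock);
    return prune_pairs_for_socket(c, sock);
}
#else
/* One remediation pattern (not necessarily the one libnice chose): prune the
 * pairs while their candidates are valid, and only then free the candidates. */
static int remove_socket(struct component *c, struct sock *sock)
{
    int pruned = prune_pairs_for_socket(c, sock);
    free_candidates_for_socket(c, sock);
    return pruned;
}
#endif

static void add_candidate_and_pair(struct component *c, struct sock *s)
{
    struct candidate *cand = calloc(1, sizeof *cand);
    struct pair *p = calloc(1, sizeof *p);
    if (!cand || !p) abort();
    cand->sockptr = s; cand->next = c->local_candidates; c->local_candidates = cand;
    p->local = cand;   p->next = c->conncheck_list;     c->conncheck_list = p;
}

static void component_clear(struct component *c)
{
    while (c->conncheck_list) { struct pair *p = c->conncheck_list; c->conncheck_list = p->next; free(p); }
    while (c->local_candidates) { struct candidate *k = c->local_candidates; c->local_candidates = k->next; free(k); }
}

/* Constructed scenario: two candidates on socket A, one on socket B, one check
 * pair each. Removing A must prune exactly 2 pairs and leave 1.
 * Returns the pairs left (1), or -1 if the prune count is wrong. */
int demo_remove_socket(void)
{
    struct sock a = { 3 }, b = { 4 };
    struct component c = { NULL, NULL };
    add_candidate_and_pair(&c, &a);
    add_candidate_and_pair(&c, &b);
    add_candidate_and_pair(&c, &a);
    int pruned = remove_socket(&c, &a);
    int left = 0;
    for (struct pair *p = c.conncheck_list; p; p = p->next) left++;
    component_clear(&c);
    return pruned == 2 ? left : -1;
}

int main(void)
{
    printf("pairs left after removing socket A: %d\n", demo_remove_socket());
    return 0;
}
```

With -DDEMO_UAF the first pair walked already points at a freed candidate, so ASan flags the read in prune_pairs_for_socket with a "freed by" stack inside the same remove_socket call, mirroring the shape of the report above; the safe order keeps every pointer the prune dereferences alive until the prune has finished.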