Send callback is invoked on already closed socket. #405

Open
mstyura opened this issue Nov 20, 2019 · 9 comments

@mstyura
Contributor

mstyura commented Nov 20, 2019

Summary:
usrsctp invokes the send callback on a socket which was already closed by the user's code.
Typically the user's code in the send callback then accesses already freed memory.
This happens because the user's code assumes that the send callback is never invoked after the socket is closed with usrsctp_close.

Reproduces:
Sometimes

Versions:
I've detected that the bug happens on current master, but it was not present in the version used by Chromium: 7a8bc9a from 22 Jun 2018
The first commit with the issue is 6bafb12, merged in master as part of PR #249 on 9 Aug 2018.

Steps to reproduce (abstract):

  1. Use usrsctp socket with SO_LINGER set in non-blocking mode with send callback provided by user's code;
  2. Close usrsctp socket with usrsctp_close and release associated resources in user code;

Expected result:
usrsctp will never invoke send callback which is provided by user's code during socket initialization.

Actual result:
Send callback is invoked for socket, which was previously closed with usrsctp_close. It causes user's code misbehavior, typically accessing already freed memory, causing crash due to SIGSEGV.

Steps to reproduce (concrete)
WebRTC has a gtest which is accidentally able to reproduce the send callback invocation on a closed socket.

  1. Download depot tools and add it to PATH;
  2. fetch webrtc - fetches WebRTC source code;
  3. cd src - rest of commands assumed to be executed in WebRTC source code directory;
  4. gclient sync - checkout dependencies;
  5. gn gen out/ReleaseWithAsan --args='is_debug=false rtc_enable_sctp=true symbol_level=2 dcheck_always_on=true is_asan=true' --cflags="-fno-omit-frame-pointer -fno-sanitize-recover=all -fsanitize-address-use-after-scope" - generate build files with optimizations and address sanitizer enabled;
  6. autoninja -C out/ReleaseWithAsan rtc_media_unittests - compile unit tests;
  7. export ASAN_OPTIONS="handle_segv=1:detect_leaks=0:disable_coredump=0:unmap_shadow_on_exit=1:abort_on_error=1" - configure ASAN options;
  8. export ASAN_SYMBOLIZER_PATH="$(pwd)/third_party/llvm-build/Release+Asserts/bin/llvm-symbolizer" - configure ASAN symbolizer;
  9. gdb --args ./out/ReleaseWithAsan/rtc_media_unittests --gtest_filter="*AllMessagesAreDeliveredOverLossyConnectionConcurrentTests" --gtest_also_run_disabled_tests - execute unittest with gdb attached.

Investigation details:

It turned out that usrsctp_close might not dispose/free the socket.
usrsctp_close only removes the reference from the "user's" code, basically decrementing the reference counter.
And if there are any references to struct socket *, the socket will survive the usrsctp_close invocation:

ACCEPT_LOCK();
SOCK_LOCK(so);
sorele(so);

where sorele:
#define sorele(so) do { \
	ACCEPT_LOCK_ASSERT(); \
	SOCK_LOCK_ASSERT(so); \
	KASSERT((so)->so_count > 0, ("sorele")); \
	if (--(so)->so_count == 0) \
		sofree(so); \
	else { \
		SOCK_UNLOCK(so); \
		ACCEPT_UNLOCK(); \
	} \
} while (0)

So sofree is only invoked when the last reference is removed.
I've verified this by locally modifying usrsctp_close to have this:

if (so->so_count != 1) 
{
	KASSERT(0, ("usrsctp_close will released socket, but there are more references"));
}
sorele(so);

And I've got this assert triggered:

GDB backtrace of assert
(gdb) bt
#0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
#1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
#2  0x00005555576ce91e in terminate_non_graceful () at ../../third_party/usrsctp/usrsctplib/usrsctplib/user_environment.h:94
#3  0x00005555576d7d0b in usrsctp_close (so=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2190
#4  0x0000555556eefb5a in cricket::SctpTransport::CloseSctpSocket (this=0x616000708980) at ../../media/sctp/sctp_transport.cc:844
#5  cricket::SctpTransport::~SctpTransport (this=0x616000708980) at ../../media/sctp/sctp_transport.cc:435
#6  0x0000555556eefdce in cricket::SctpTransport::~SctpTransport (this=0x616000708980) at ../../media/sctp/sctp_transport.cc:433
#7  0x000055555666a3f6 in std::__1::default_delete<cricket::SctpTransport>::operator() (__ptr=0x2, this=<optimized out>)
    at ../../buildtools/third_party/libc++/trunk/include/memory:2338
#8  std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset (this=0x60c000318728, __p=0x0)
    at ../../buildtools/third_party/libc++/trunk/include/memory:2651
#9  (anonymous namespace)::SctpPingPong::~SctpPingPong()::{lambda()#3}::operator()() const (this=<optimized out>) at ../../media/sctp/sctp_transport_reliability_unittest.cc:304
#10 rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::{lambda()#3}>::OnMessage(rtc::Message*) (this=<optimized out>, msg=0x7fffe96c2700)
    at ../../rtc_base/message_handler.h:60
#11 0x00005555570413a9 in rtc::MessageQueue::Dispatch (this=<optimized out>, pmsg=<optimized out>) at ../../rtc_base/message_queue.cc:514
#12 0x000055555706fdbb in rtc::Thread::ReceiveSendsFromThread (this=<optimized out>, source=<optimized out>) at ../../rtc_base/thread.cc:449
#13 0x000055555703f5a2 in rtc::MessageQueue::Get (this=0x6130000011c0, pmsg=<optimized out>, cmsWait=<optimized out>, process_io=<optimized out>)
    at ../../rtc_base/message_queue.cc:262
#14 0x000055555706f04c in rtc::Thread::ProcessMessages (this=<optimized out>, cmsLoop=<optimized out>) at ../../rtc_base/thread.cc:526
#15 0x000055555706eaea in rtc::Thread::PreRun (pv=0x6130000011c0) at ../../rtc_base/thread.cc:341
#16 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
#17 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6

For example, WebRTC assumes there will be no calls from usrsctp to WebRTC:

snippet from WebRTC source
void SctpTransport::CloseSctpSocket() {
  RTC_DCHECK_RUN_ON(network_thread_);
  if (sock_) {
    // We assume that SO_LINGER option is set to close the association when
    // close is called. This means that any pending packets in usrsctp will be
    // discarded instead of being sent.
    usrsctp_close(sock_);
    sock_ = nullptr;
    usrsctp_deregister_address(this);
    UsrSctpWrapper::DecrementUsrSctpUsageCount();
    ready_to_send_data_ = false;
  }
}

with the assumption repeated here:

additional snippet from WebRTC source
// This ensures that the usrsctp close call deletes the association. This
// prevents usrsctp from calling OnSctpOutboundPacket with references to
// this class as the address.
linger linger_opt;
linger_opt.l_onoff = 1;
linger_opt.l_linger = 0;
if (usrsctp_setsockopt(sock_, SOL_SOCKET, SO_LINGER, &linger_opt,
                       sizeof(linger_opt))) {
    RTC_LOG_ERRNO(LS_ERROR) << debug_name_ << "->ConfigureSctpSocket(): "
                            << "Failed to set SO_LINGER.";
    return false;
}

Below is the typical crash backtrace I've observed when the send callback was invoked on an already closed socket:

typical backtrace from GDB of crashed application
(gdb) bt
#0  0x000055555702d8d6 in rtc::AsyncInvoker::DoInvoke (this=0x61600109dbe0, posted_from=..., thread=0x0, closure=std::unique_ptr<class rtc::AsyncClosure> = 0x0 <nullptr>, id=0)
    at ../../rtc_base/async_invoker.cc:86
#1  0x0000555556efbd7a in rtc::AsyncInvoker::AsyncInvoke<void, rtc::MethodFunctor<cricket::SctpTransport, void (cricket::SctpTransport::*)(rtc::CopyOnWriteBuffer const&), void, rtc::CopyOnWriteBuffer const&> > (this=0x61600109dbe0, posted_from=..., thread=<optimized out>, functor=..., id=0) at ../../rtc_base/async_invoker.h:105
#2  cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket (addr=<optimized out>, data=<optimized out>, length=<optimized out>, tos=<optimized out>, set_df=<optimized out>)
    at ../../media/sctp/sctp_transport.cc:296
#3  0x0000555557730787 in sctp_lowlevel_chunk_output (inp=<optimized out>, stcb=<optimized out>, net=<optimized out>, to=<optimized out>, m=0x61100863c500, 
    auth_offset=<optimized out>, auth=0x0, auth_keyid=0, nofragment_flag=1, ecn_ok=0, out_of_asoc_ok=<optimized out>, src_port=53824, dest_port=54080, v_tag=1159009962, 
    port=<optimized out>, over_addr=<optimized out>, so_locked=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:5043
#4  0x00005555577529e5 in sctp_send_abort_tcb (stcb=0x61e002271080, operr=<optimized out>, so_locked=<optimized out>)
    at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:11570
#5  0x00005555576eaeb0 in sctp_inpcb_free (inp=<optimized out>, immediate=<optimized out>, from=1) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4120
#6  0x00005555577f3139 in sctp_close (so=0x61600109dd80) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:910
#7  0x00005555576cf324 in sofree (so=0x61600109dd80) at ../../third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:298
#8  0x000055555770e051 in sctp_timeout_handler (t=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:2081
#9  0x00005555577e0454 in sctp_handle_tick (elapsed_ticks=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:372
#10 0x00005555577e0ac5 in user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:424
#11 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
#12 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6

I've checked several crash dumps when send callback is invoked.
In all observed cases sctp_handle_tick triggered execution of the SCTP_TIMER_TYPE_HEARTBEAT timer, which in its callback decided to close the socket and invoke the send callback:

output from GDB
(gdb) frame 9
#9  0x00005555577e0454 in sctp_handle_tick (elapsed_ticks=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:372
372				c_func(c_arg);
(gdb) info locals
c_func = 0x55555770cf90 <sctp_timeout_handler>
c_time = <optimized out>
c_arg = 0x617000a33b90
c = <optimized out>
last_heap_version_reported = 27085970
node = 0x617000a33b90
heap = <optimized out>
(gdb) p *((struct sctp_timer*)node->data)
$5 = {
    timer = {
        heap_node = {
            data = 0x617000a33b90, 
            parent = 0x61700068f3f0, 
            left = 0x0, 
            right = 0x0, 
            heap = 0x55555895ca60 <system_base_info+808>, 
            sequence = 27086382}, 
        c_time = 710309,
        c_arg = 0x617000a33b90,
        c_func = 0x55555770cf90 <sctp_timeout_handler>, 
        c_flags = 6}, // 0b110 (SCTP_CALLOUT_ACTIVE | SCTP_CALLOUT_PENDING) 
    type = 5,  // SCTP_TIMER_TYPE_HEARTBEAT
    ep = 0x619000e93980,
    tcb = 0x61e002271080, 
    net = 0x617000a33b00, 
    self = 0x617000a33b90, 
    ticks = 679690,
    stopped_from = 0
}

ASAN report on revision 6bafb12:

typical ASAN report produced on crash
==19660==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160040a9ed8 at pc 0x555556f004e9 bp 0x7fffdfd989d0 sp 0x7fffdfd989c8
READ of size 8 at 0x6160040a9ed8 thread T18 (SCTP timer)
[Detaching after fork from child process 22310]
    #0 0x555556f004e8 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket(void*, void*, unsigned long, unsigned char, unsigned char) media/sctp/sctp_transport.cc:299:35
    #1 0x555557b3ab9c in sctp_lowlevel_chunk_output third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:5013:10
    #2 0x555557b5f7e8 in sctp_send_abort_tcb third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:11510:15
    #3 0x555557ae5456 in sctp_inpcb_free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4123:4
    #4 0x555557a9f9f4 in sctp_close third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c
    #5 0x555557a935fd in sofree third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:283:2
    #6 0x555557ac553b in sctp_timeout_handler third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:2070:3
    #7 0x555557b9c660 in sctp_handle_tick third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:166:4
    #8 0x555557b9c9ea in user_sctp_timer_iterate third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:206:3
    #9 0x7ffff7f754ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)

0x6160040a9ed8 is located 344 bytes inside of 584-byte region [0x6160040a9d80,0x6160040a9fc8)
freed by thread T12 (Thread #12 from) here:
    #0 0x555555f4801d in operator delete(void*) /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
    #1 0x555556884599 in std::__1::default_delete<cricket::SctpTransport>::operator()(cricket::SctpTransport*) const buildtools/third_party/libc++/trunk/include/memory:2378:5
    #2 0x555556884599 in std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset(cricket::SctpTransport*) buildtools/third_party/libc++/trunk/include/memory:2633:7
    #3 0x555556884599 in (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:365:24
    #4 0x555556884599 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
    #5 0x5555570142f8 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
    #6 0x55555704efca in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:450:5
    #7 0x555557011e77 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
    #8 0x55555704e26b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:562:10
    #9 0x55555704dc8c in rtc::Thread::PreRun(void*) rtc_base/thread.cc:342:11
    #10 0x7ffff7f754ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)

previously allocated by thread T12 (Thread #12 from) here:
    #0 0x555555f477bd in operator new(unsigned long) /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x55555687ac9d in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:506:30
    #2 0x55555687ac9d in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
    #3 0x5555570142f8 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
    #4 0x55555704efca in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:450:5
    #5 0x555557011e77 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
    #6 0x55555704e26b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:562:10
    #7 0x55555704dc8c in rtc::Thread::PreRun(void*) rtc_base/thread.cc:342:11
    #8 0x7ffff7f754ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)

Thread T18 (SCTP timer) created by T8 (Thread #8 from ) here:
    #0 0x555555f0a63a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x555557b9cb2b in sctp_start_timer third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:220:7
    #2 0x555557a93052 in usrsctp_init third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:107:2
    #3 0x555556eff919 in cricket::SctpTransport::UsrSctpWrapper::InitializeUsrSctp() media/sctp/sctp_transport.cc:208:5
    #4 0x555556ef8e1d in cricket::SctpTransport::UsrSctpWrapper::IncrementUsrSctpUsageCount() media/sctp/sctp_transport.cc:267:7
    #5 0x555556ef8e1d in cricket::SctpTransport::OpenSctpSocket() media/sctp/sctp_transport.cc:747:3
    #6 0x555556ef4cad in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:695:8
    #7 0x555556880fd5 in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
    #8 0x555556880fd5 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
    #9 0x5555570142f8 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
    #10 0x55555704efca in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:450:5
    #11 0x555557011e77 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
    #12 0x55555704e167 in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:562:10
    #13 0x55555704dc8c in rtc::Thread::PreRun(void*) rtc_base/thread.cc:342:11
    #14 0x7ffff7f754ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)

Thread T8 (Thread #8 from ) created by T0 here:
    #0 0x555555f0a63a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x55555704d94b in rtc::Thread::Start() rtc_base/thread.cc:256:20
    #2 0x555556874fb0 in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
    #3 0x555556874fb0 in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
    #4 0x555556c768df in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
    #5 0x555556c768df in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
    #6 0x555556c79a32 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
    #7 0x555556c7b1c6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
    #8 0x555556cb1c01 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
    #9 0x555556cb096a in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
    #10 0x555556cb096a in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
    #11 0x555556d20de4 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
    #12 0x555556d20de4 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
    #13 0x555556a5e584 in main test/test_main.cc:29:16
    #14 0x7ffff7b1f152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)

Thread T12 (Thread #12 from) created by T0 here:
    #0 0x555555f0a63a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x55555704d94b in rtc::Thread::Start() rtc_base/thread.cc:256:20
    #2 0x555556874fb0 in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
    #3 0x555556874fb0 in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
    #4 0x555556c768df in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
    #5 0x555556c768df in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
    #6 0x555556c79a32 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
    #7 0x555556c7b1c6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
    #8 0x555556cb1c01 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
    #9 0x555556cb096a in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
    #10 0x555556cb096a in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
    #11 0x555556d20de4 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
    #12 0x555556d20de4 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
    #13 0x555556a5e584 in main test/test_main.cc:29:16
    #14 0x7ffff7b1f152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)

SUMMARY: AddressSanitizer: heap-use-after-free media/sctp/sctp_transport.cc:299:35 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket(void*, void*, unsigned long, unsigned char, unsigned char)
Shadow bytes around the buggy address:
  0x0c2c8080d380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c8080d390: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c2c8080d3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8080d3b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8080d3c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c8080d3d0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c2c8080d3e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8080d3f0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2c8080d400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8080d410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c8080d420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==19660==ABORTING

Thread 19 "SCTP timer" received signal SIGABRT, Aborted.

There are several open questions here:

  1. Shouldn't all timers already be stopped/cancelled when usrsctp_close has completed execution?
  2. Shouldn't the reference counter be 0 at the end of the usrsctp_close invocation, causing actual socket release?
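
The sequence reported above, as an added example that is not code from usrsctp, WebRTC or the issue author: a single-threaded C model in which close drops one reference, a pending timer holds another, and teardown on the last reference calls the send callback. It also shows one possible user-side mitigation, passing a never-reused registry id as the callback address instead of an object pointer; all `toy_*` and `registry_*` names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* ---- Toy library side: models only so_count/sorele (hypothetical names) ---- */
typedef int (*send_cb)(void *addr, const void *buf, size_t len);

struct toy_socket {
    int so_count;   /* reference count, like so_count in struct socket */
    void *addr;     /* opaque value handed back to the send callback */
    send_cb on_send;
};

static int toy_sockets_freed;

/* Like sorele(): tear down only when the last reference is dropped. Teardown
 * sends a final packet through the send callback, as in the backtraces. */
static void toy_sorele(struct toy_socket *so) {
    static const unsigned char pkt[4] = {6, 0, 0, 4}; /* constructed bytes */
    if (--so->so_count > 0)
        return;
    so->on_send(so->addr, pkt, sizeof(pkt));
    free(so);
    toy_sockets_freed++;
}

static struct toy_socket *toy_socket_new(send_cb cb, void *addr) {
    struct toy_socket *so = calloc(1, sizeof(*so));
    if (so == NULL) abort();
    so->so_count = 1; /* the user's reference */
    so->addr = addr;
    so->on_send = cb;
    return so;
}

static void toy_timer_arm(struct toy_socket *so) { so->so_count++; }  /* timer takes a ref */
static void toy_timer_fire(struct toy_socket *so) { toy_sorele(so); } /* timer drops it */
static void toy_close(struct toy_socket *so) { toy_sorele(so); }      /* user drops theirs */

/* ---- User side: the callback gets a registry id, never an object pointer ---- */
struct transport { int packets_sent; };

#define MAX_TRANSPORTS 8
static struct { uintptr_t id; struct transport *t; } registry[MAX_TRANSPORTS];
static uintptr_t next_id = 1; /* ids are never reused, so a stale id cannot alias */
static int late_callbacks_dropped;

static uintptr_t registry_add(struct transport *t) {
    for (int i = 0; i < MAX_TRANSPORTS; i++)
        if (registry[i].t == NULL) {
            registry[i].id = next_id++;
            registry[i].t = t;
            return registry[i].id;
        }
    return 0; /* registry full; 0 is never a valid id */
}

static struct transport *registry_find(uintptr_t id) {
    for (int i = 0; i < MAX_TRANSPORTS; i++)
        if (registry[i].t != NULL && registry[i].id == id)
            return registry[i].t;
    return NULL;
}

static void registry_remove(uintptr_t id) {
    for (int i = 0; i < MAX_TRANSPORTS; i++)
        if (registry[i].id == id)
            registry[i].t = NULL;
}

/* With threads, lookup and use of *t need the same lock registry_remove() takes,
 * because the callback runs on the timer thread. */
static int guarded_send_cb(void *addr, const void *buf, size_t len) {
    struct transport *t = registry_find((uintptr_t)addr);
    (void)buf; (void)len;
    if (t != NULL)
        t->packets_sent++;
    else
        late_callbacks_dropped++; /* owner already gone: drop, touch nothing */
    return 0;
}

/* Replays the reported sequence; returns the number of late callbacks dropped. */
static int run_scenario(void) {
    struct transport *t = calloc(1, sizeof(*t));
    if (t == NULL) abort();
    uintptr_t id = registry_add(t);
    struct toy_socket *so = toy_socket_new(guarded_send_cb, (void *)id);
    late_callbacks_dropped = 0;
    toy_timer_arm(so);              /* so_count: 1 -> 2 */
    so->on_send(so->addr, "x", 1);  /* normal send while the transport is alive */
    int sent_while_alive = t->packets_sent;
    toy_close(so);                  /* so_count: 2 -> 1, the socket survives close */
    registry_remove(id);
    free(t);                        /* user releases its state right after close */
    toy_timer_fire(so);             /* last reference: teardown calls the callback */
    return sent_while_alive == 1 ? late_callbacks_dropped : -1;
}

int main(void) { return run_scenario() == 1 ? 0 : 1; }
```
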
@mstyura
Contributor Author

mstyura commented Nov 28, 2019

I've finally completed the bisect to find out the commit which introduced the invocation of the send callback on a closed socket.
The commit is: 6bafb12
I'm attaching the git bisect log with my comments, so anyone can also reproduce/replay the bisect.

view bisect.log (can be replayed with `git bisect replay < bisect.log`)
git bisect start
# good: [7a8bc9a90ca96634aa56ee712856d97f27d903f8] Merge pull request #243 from taylor-b/localtime_r
git bisect good 7a8bc9a90ca96634aa56ee712856d97f27d903f8



# bad: [1de72ec158a133866cb630ea49b3a6d92af76071] Sync FBSDIDs
# reason: crashed in UsrSctpWrapper::OnSctpOutboundPacket
git bisect bad 1de72ec158a133866cb630ea49b3a6d92af76071



# bad: [262237a11994ae7ad82861eb8e16eb5e615c8c2d] sync
# reason: crashed in UsrSctpWrapper::OnSctpOutboundPacket
git bisect bad 262237a11994ae7ad82861eb8e16eb5e615c8c2d

# crash on revision: [262237a11994ae7ad82861eb8e16eb5e615c8c2d]
# (gdb) bt
# #0  0x0000555556cc9df6 in rtc::AsyncInvoker::DoInvoke (this=0x6160029b8de0, posted_from=..., thread=0x0, closure=std::unique_ptr<rtc::AsyncClosure> = 0x0 <nullptr>, id=0)
#     at ../../rtc_base/async_invoker.cc:86
# #1  0x0000555556c0038a in rtc::AsyncInvoker::AsyncInvoke<void, rtc::MethodFunctor<cricket::SctpTransport, void (cricket::SctpTransport::*)(rtc::CopyOnWriteBuffer const&), void, rtc::CopyOnWriteBuffer const&> > (this=0x6160029b8de0, posted_from=..., thread=<optimized out>, functor=..., id=0) at ../../rtc_base/async_invoker.h:105
# #2  cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket (addr=<optimized out>, data=<optimized out>, length=<optimized out>, tos=<optimized out>, set_df=<optimized out>)
#     at ../../media/sctp/sctp_transport.cc:299
# #3  0x00005555576951ed in sctp_lowlevel_chunk_output (inp=<optimized out>, stcb=<optimized out>, net=<optimized out>, to=<optimized out>, m=0x611010d67d40, 
#     auth_offset=<optimized out>, auth=0x0, auth_keyid=0, nofragment_flag=1, ecn_ok=0, out_of_asoc_ok=<optimized out>, src_port=39670, dest_port=39926, v_tag=1195952554, 
#     port=<optimized out>, over_addr=<optimized out>, so_locked=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:5013
# #4  0x00005555576b9db9 in sctp_send_abort_tcb (stcb=0x61d007f67a80, operr=<optimized out>, so_locked=<optimized out>)
#     at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:11511
# #5  0x0000555557657707 in sctp_inpcb_free (inp=<optimized out>, immediate=25099248, from=1) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4123
# #6  0x0000555557738e75 in sctp_close (so=0x6160029b8f80) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:901
# #7  0x000055555764053e in sofree (so=0x6160029b8f80) at ../../third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:283
# #8  0x00005555576762dc in sctp_timeout_handler (t=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:2080
# #9  0x0000555557729ed1 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:167
# #10 user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:207
# #11 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #12 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 9
# #9  0x0000555557729ed1 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:167
# 167				c_func(c_arg);
# (gdb) info locals
# c = <optimized out>
# c_arg = 0x616002b5f6f0
# c_func = 0x555557674530 <sctp_timeout_handler>
# (gdb) p *((struct sctp_timer *)c_arg)
# $1 = {timer = {tqe = {tqe_next = 0x5555588ad680 <system_base_info+680>, tqe_prev = 0x6160028089f0}, c_time = 2014292, c_arg = 0x616002b5f6f0, 
#     c_func = 0x555557674530 <sctp_timeout_handler>, c_flags = 6}, type = 5, ep = 0x6190017ef880, tcb = 0x61d007f67a80, net = 0x616002b5f680, self = 0x616002b5f6f0, ticks = 1983000, 
#   stopped_from = 0}

# an additional crash was also found on revision [262237a11994ae7ad82861eb8e16eb5e615c8c2d]
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d6e7 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c401 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e688ab in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a28e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6ab37 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ab37 in read in CU, but not in symtab.)
# #6  0x0000555555e6ab38 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# #7  0x0000555557676cac in sctp_timeout_handler (t=0x616001558ef0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1626
# #8  0x0000555557729ed1 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:167
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:207
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x0000555557676cac in sctp_timeout_handler (t=0x616001558ef0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1626
# 1626		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) info locals
# tmr = 0x616001558ef0
# upcall_socket = 0x0
# did_output = <optimized out>
# inp = <optimized out>
# stcb = <optimized out>
# net = <optimized out>
# type = <optimized out>
# op_err = <optimized out>
# (gdb) p *tmr
# $5 = {timer = {tqe = {tqe_next = 0x6160008790f0, tqe_prev = 0x61600215cdf0}, c_time = 819472, c_arg = 0x616001558ef0, c_func = 0x555557674530 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x6190028bef80, tcb = 0x61d00af0e680, net = 0x616001558e80, self = 0x0, ticks = 788180, stopped_from = 0}



# good : [c0f3d153faa0ec3d327d0c13f4a5778d8ebe769b] Sync FreeBSD ID and minor cleanups.
# reason: 2 times crashed, but different crash. 4 times run to completion.
git bisect good c0f3d153faa0ec3d327d0c13f4a5778d8ebe769b

# revision [c0f3d153faa0ec3d327d0c13f4a5778d8ebe769b] also has crash:
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d6e7 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c401 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e688ab in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a28e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6ab37 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ab10 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ab37 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ab37 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ab37 in read in CU, but not in symtab.)
# #6  0x0000555555e6ab38 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6ab37 in read in CU, but not in symtab.)
# #7  0x0000555557676b1c in sctp_timeout_handler (t=0x6160004b6ff0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1623
# #8  0x0000555557729701 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:167
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:207
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame  7
# #7  0x0000555557676b1c in sctp_timeout_handler (t=0x6160004b6ff0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1623
# 1623		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) info locals
# tmr = 0x6160004b6ff0
# did_output = <optimized out>
# inp = <optimized out>
# stcb = <optimized out>
# net = <optimized out>
# type = <optimized out>
# op_err = <optimized out>
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x61900266dfc0, tqe_prev = 0x61900270d5c0}, c_time = 1301933, c_arg = 0x6160004b6ff0, c_func = 0x555557674530 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x619002913f80, tcb = 0x61d00a2b1680, net = 0x6160004b6f80, self = 0x0, ticks = 1270450, stopped_from = 0}
# 



# good : [39852921e2e47892ae615784a0cc3d066ad10ae5] Merge branch 'master' of https://github.com/sctplab/usrsctp into fuzzer-integration
# reason: 1 time has different crash, 5 times run to completion
git bisect good 39852921e2e47892ae615784a0cc3d066ad10ae5

# revision [39852921e2e47892ae615784a0cc3d066ad10ae5] also has crash:
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d967 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c681 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e68b2b in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a50e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6adb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ad90 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6adb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6adb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6adb7 in read in CU, but not in symtab.)
# #6  0x0000555555e6adb8 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6adb7 in read in CU, but not in symtab.)
# #7  0x0000555557672a7c in sctp_timeout_handler (t=0x616002c9dcf0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1610
# #8  0x0000555557749411 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x0000555557672a7c in sctp_timeout_handler (t=0x616002c9dcf0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1610
# 1610		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x6190002857c0, tqe_prev = 0x619002348fc0}, c_time = 4474115, c_arg = 0x616002c9dcf0, c_func = 0x555557670490 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x619000045b80, tcb = 0x61d000d67e80, net = 0x616002c9dc80, self = 0x0, ticks = 4442660, stopped_from = 0}
# 



# good : [1f164fc8e0a779a3645ce8b25a6b9854e884b705] revert changes
# reason: 2 times has different crash, 4 times run to completion
git bisect good 1f164fc8e0a779a3645ce8b25a6b9854e884b705

# revision [1f164fc8e0a779a3645ce8b25a6b9854e884b705] also has crash:
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d867 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c581 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e68a2b in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a40e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac90 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #6  0x0000555555e6acb8 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #7  0x0000555557672d0c in sctp_timeout_handler (t=0x616001a2cbf0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1613
# #8  0x0000555557749031 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:167
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:207
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x0000555557672d0c in sctp_timeout_handler (t=0x616001a2cbf0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1613
# 1613		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x616002057af0, tqe_prev = 0x6160021f15f0}, c_time = 2904947, c_arg = 0x616001a2cbf0, c_func = 0x555557670720 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x619000b69e80, tcb = 0x61d007f54e80, net = 0x616001a2cb80, self = 0x0, ticks = 2874100, stopped_from = 0}
# 



# bad : [30e719a332c07bda5d347d83fecfcb613c47420a] sync
# reason: crashed when send callback is invoked after socket was closed.
git bisect bad 30e719a332c07bda5d347d83fecfcb613c47420a

# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d867 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c581 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e68a2b in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a40e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac90 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #6  0x0000555555e6acb8 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #7  0x0000555556c00739 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket (addr=<optimized out>, data=<optimized out>, length=<optimized out>, tos=<optimized out>, 
#     set_df=<optimized out>) at ../../media/sctp/sctp_transport.cc:300
# #8  0x00005555576e7bcd in sctp_lowlevel_chunk_output (inp=<optimized out>, stcb=<optimized out>, net=<optimized out>, to=<optimized out>, m=0x6110085f81c0, 
#     auth_offset=<optimized out>, auth=0x0, auth_keyid=0, nofragment_flag=1, ecn_ok=0, out_of_asoc_ok=<optimized out>, src_port=58027, dest_port=58283, v_tag=769635515, 
#     port=<optimized out>, over_addr=<optimized out>, so_locked=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:5013
# #9  0x000055555770c799 in sctp_send_abort_tcb (stcb=0x61d002a03a80, operr=<optimized out>, so_locked=<optimized out>)
#     at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:11511
# #10 0x00005555576923e7 in sctp_inpcb_free (inp=<optimized out>, immediate=7601648, from=1) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4123
# #11 0x000055555764c905 in sctp_close (so=0x616000d69280) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:901
# #12 0x00005555576406be in sofree (so=0x616000d69280) at ../../third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:283
# #13 0x00005555576724cc in sctp_timeout_handler (t=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:2070
# #14 0x0000555557749801 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:167
# #15 user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:207
# #16 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #17 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
#
# (gdb) frame 14
# #14 0x0000555557749801 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:167
# 167				c_func(c_arg);
# 
# (gdb) info locals
# c = <optimized out>
# c_arg = 0x616000d695f0
# c_func = 0x555557670720 <sctp_timeout_handler>
# 
# (gdb) p *(struct sctp_timer*)c_arg
# $1 = {timer = {tqe = {tqe_next = 0x616000dc18a0, tqe_prev = 0x61600407eef0}, c_time = 957127, c_arg = 0x616000d695f0, c_func = 0x555557670720 <sctp_timeout_handler>, c_flags = 6}, 
#   type = 5, ep = 0x61900073fa80, tcb = 0x61d002a03a80, net = 0x616000d69580, self = 0x616000d695f0, ticks = 924910, stopped_from = 0}
#
# (gdb) frame 7
# #7  0x0000555556c00739 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket (addr=<optimized out>, data=<optimized out>, length=<optimized out>, tos=<optimized out>, 
#     set_df=<optimized out>) at ../../media/sctp/sctp_transport.cc:300
# 300	        RTC_FROM_HERE, transport->network_thread_,
# 
# (gdb) info locals
# buf = {buffer_ = {ptr_ = 0x6040178acf10}, offset_ = 0, size_ = 20}
# transport = 0x616000d68f80
# (gdb) p transport->network_thread_ 
# $4 = (rtc::Thread *) 0x0
# 


# bad : [6bafb12aa5c6cd7019bf0dde5a7af490cd336a8a] New upcall API
# reason: crashed when send callback is invoked after socket was closed.
git bisect bad 6bafb12aa5c6cd7019bf0dde5a7af490cd336a8a

# (gdb) bt
# #0  0x00007ffff7f7d7b5 in raise () from /usr/lib/libpthread.so.0
# #1  0x00005555569fd3d7 in absl::AbslFailureSignalHandler (signo=<optimized out>, ucontext=<optimized out>) at ../../third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:93
# #2  <signal handler called>
# #3  0x0000555556cc9fb6 in rtc::AsyncInvoker::DoInvoke (this=0x6160014665e0, posted_from=..., thread=0x0, closure=std::unique_ptr<rtc::AsyncClosure> = 0x0 <nullptr>, id=0)
#     at ../../rtc_base/async_invoker.cc:86
# #4  0x0000555556c0054a in rtc::AsyncInvoker::AsyncInvoke<void, rtc::MethodFunctor<cricket::SctpTransport, void (cricket::SctpTransport::*)(rtc::CopyOnWriteBuffer const&), void, rtc::CopyOnWriteBuffer const&> > (this=0x6160014665e0, posted_from=..., thread=<optimized out>, functor=..., id=0) at ../../rtc_base/async_invoker.h:105
# #5  cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket (addr=<optimized out>, data=<optimized out>, length=<optimized out>, tos=<optimized out>, set_df=<optimized out>)
#     at ../../media/sctp/sctp_transport.cc:299
# #6  0x00005555576e7cad in sctp_lowlevel_chunk_output (inp=<optimized out>, stcb=<optimized out>, net=<optimized out>, to=<optimized out>, m=0x611000762b80, 
#     auth_offset=<optimized out>, auth=0x0, auth_keyid=0, nofragment_flag=1, ecn_ok=0, out_of_asoc_ok=<optimized out>, src_port=52919, dest_port=53175, v_tag=3243078827, 
#     port=<optimized out>, over_addr=<optimized out>, so_locked=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:5013
# #7  0x00005555577052eb in sctp_med_chunk_output (inp=<optimized out>, stcb=<optimized out>, asoc=<optimized out>, num_out=<optimized out>, reason_code=<optimized out>, 
#     control_only=<optimized out>, from_where=<optimized out>, now=<optimized out>, now_filled=<optimized out>, frag_point=<optimized out>, so_locked=<optimized out>)
#     at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:9308
# #8  0x00005555576f7e69 in sctp_chunk_output (inp=<optimized out>, stcb=<optimized out>, from_where=<optimized out>, so_locked=<optimized out>)
#     at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:10669
# #9  0x000055555767251d in sctp_timeout_handler (t=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1926
# #10 0x00005555577496e1 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:166
# #11 0x0000555557749a6c in user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:206
# #12 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #13 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 3
# #3  0x0000555556cc9fb6 in rtc::AsyncInvoker::DoInvoke (this=0x6160014665e0, posted_from=..., thread=0x0, closure=std::unique_ptr<rtc::AsyncClosure> = 0x0 <nullptr>, id=0)
#     at ../../rtc_base/async_invoker.cc:86
# 86	  thread->Post(posted_from, this, id,
# (gdb) info args
# this = 0x6160014665e0
# posted_from = @0x7fffdef09e30: {function_name_ = 0x555555af82a0 <__FUNCTION__._ZN7cricket13SctpTransport14UsrSctpWrapper20OnSctpOutboundPacketEPvS2_mhh> "OnSctpOutboundPacket", 
#   file_and_line_ = 0x555555af82e0 <str> "../../media/sctp/sctp_transport.cc:300"}
# thread = 0x0
# closure = std::unique_ptr<rtc::AsyncClosure> = 0x0 <nullptr>
# id = 0
#
# ASAN report:
# =================================================================
# ==32142==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160021ee6d8 at pc 0x555556c00779 bp 0x7fffdfd929d0 sp 0x7fffdfd929c8
# READ of size 8 at 0x6160021ee6d8 thread T18 (SCTP timer)
# [Detaching after fork from child process 32578]
# (message_queue.cc:518): Message took 548ms to dispatch. Posted from: SendPacket@../../media/sctp/sctp_transport_reliability_unittest.cc:105
#     #0 0x555556c00778 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket(void*, void*, unsigned long, unsigned char, unsigned char) media/sctp/sctp_transport.cc:300:35
#     #1 0x5555576e7cac in sctp_lowlevel_chunk_output third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:5013:10
#     #2 0x55555770c868 in sctp_send_abort_tcb third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_output.c:11510:15
#     #3 0x555557692556 in sctp_inpcb_free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4123:4
#     #4 0x55555764caf4 in sctp_close third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c
#     #5 0x5555576406fd in sofree third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:283:2
#     #6 0x55555767263b in sctp_timeout_handler third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:2070:3
#     #7 0x5555577496e0 in sctp_handle_tick third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:166:4
#     #8 0x555557749a6b in user_sctp_timer_iterate third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:206:3
#     #9 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# 0x6160021ee6d8 is located 344 bytes inside of 584-byte region [0x6160021ee580,0x6160021ee7c8)
# freed by thread T15 (Thread #15 from) here:
#     #0 0x555555e8e9ed in operator delete(void*) /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
#     #1 0x555556624549 in std::__1::default_delete<cricket::SctpTransport>::operator()(cricket::SctpTransport*) const buildtools/third_party/libc++/trunk/include/memory:2338:5
#     #2 0x555556624549 in std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset(cricket::SctpTransport*) buildtools/third_party/libc++/trunk/include/memory:2651:7
#     #3 0x555556624549 in (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda2'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:370:24
#     #4 0x555556624549 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda2'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #5 0x555556cddb88 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #6 0x555556d0c57a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #7 0x555556cdbd81 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #8 0x555556d0b80b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #9 0x555556d0b2a9 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #10 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# previously allocated by thread T15 (Thread #15 from) here:
#     #0 0x555555e8e18d in operator new(unsigned long) /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
#     #1 0x555556621549 in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda0'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:528:30
#     #2 0x555556621549 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda0'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #3 0x555556cddb88 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #4 0x555556d0c57a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #5 0x555556cdbd81 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #6 0x555556d0b80b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #7 0x555556d0b2a9 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #8 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T18 (SCTP timer) created by T8 (Thread #8 from ) here:
#     #0 0x555555e4f34a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555557749bab in sctp_start_timer third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:220:7
#     #2 0x555557640152 in usrsctp_init third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:107:2
#     #3 0x555556bffba9 in cricket::SctpTransport::UsrSctpWrapper::InitializeUsrSctp() media/sctp/sctp_transport.cc:208:5
#     #4 0x555556bf8ebd in cricket::SctpTransport::UsrSctpWrapper::IncrementUsrSctpUsageCount() media/sctp/sctp_transport.cc:268:7
#     #5 0x555556bf8ebd in cricket::SctpTransport::OpenSctpSocket() media/sctp/sctp_transport.cc:748:3
#     #6 0x555556bf4d7d in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:696:8
#     #7 0x55555662249c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #8 0x55555662249c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #9 0x555556cddb88 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #10 0x555556d0c57a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #11 0x555556cdbd81 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #12 0x555556d0b707 in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #13 0x555556d0b2a9 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #14 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T8 (Thread #8 from ) created by T0 here:
#     #0 0x555555e4f34a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0b00b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618e6b in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618e6b in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba675 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba675 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc7e9 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdc26 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8516 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e733f in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e733f in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a2d4 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a2d4 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0d04 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# Thread T15 (Thread #15 from) created by T0 here:
#     #0 0x555555e4f34a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0b00b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618e6b in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618e6b in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba675 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba675 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc7e9 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdc26 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8516 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e733f in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e733f in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a2d4 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a2d4 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0d04 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# SUMMARY: AddressSanitizer: heap-use-after-free media/sctp/sctp_transport.cc:300:35 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket(void*, void*, unsigned long, unsigned char, unsigned char)
# Shadow bytes around the buggy address:
#   0x0c2c80435c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80435c90: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
#   0x0c2c80435ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80435cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80435cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
# =>0x0c2c80435cd0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
#   0x0c2c80435ce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80435cf0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
#   0x0c2c80435d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80435d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c80435d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# Shadow byte legend (one shadow byte represents 8 application bytes):
#   Addressable:           00
#   Partially addressable: 01 02 03 04 05 06 07 
#   Heap left redzone:       fa
#   Freed heap region:       fd
#   Stack left redzone:      f1
#   Stack mid redzone:       f2
#   Stack right redzone:     f3
#   Stack after return:      f5
#   Stack use after scope:   f8
#   Global redzone:          f9
#   Global init order:       f6
#   Poisoned by user:        f7
#   Container overflow:      fc
#   Array cookie:            ac
#   Intra object redzone:    bb
#   ASan internal:           fe
#   Left alloca redzone:     ca
#   Right alloca redzone:    cb
#   Shadow gap:              cc
# ==32142==ABORTING
# 
# Thread 19 "SCTP timer" received signal SIGABRT, Aborted.
#  

# an additional crash was also found on revision [6bafb12aa5c6cd7019bf0dde5a7af490cd336a8a]
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d8a7 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c5c1 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e68a6b in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a44e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6acf7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acd0 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acf7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acf7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acf7 in read in CU, but not in symtab.)
# #6  0x0000555555e6acf8 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6acf7 in read in CU, but not in symtab.)
# #7  0x000055555767300c in sctp_timeout_handler (t=0x6160018d02f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1616
# #8  0x00005555577496e1 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:166
# #9  0x0000555557749a6c in user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:206
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x000055555767300c in sctp_timeout_handler (t=0x6160018d02f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1616
# 1616		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x616002d0edf0, tqe_prev = 0x616000bde4f0}, c_time = 2567583, c_arg = 0x6160018d02f0, c_func = 0x555557670890 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x6190006ffe80, tcb = 0x61d00c99f080, net = 0x6160018d0280, self = 0x0, ticks = 2536670, stopped_from = 0}
# 


# good : [fc07671b75ee062b32561d54ede948214083f89d] sync with upstream
# reason: 4 crashes with different reasons, 1 infinite loop in SCTP timer thread, 5 times run to completion,
# failed to compile until the following things were modified
# ../../media/sctp/sctp_transport.cc:728:35: error: invalid application of 'sizeof' to an incomplete type 'struct sctp_common_header'
# - params.spp_pathmtu = kSctpMtu - sizeof(struct sctp_common_header);
# + params.spp_pathmtu = kSctpMtu - 12;//sizeof(struct sctp_common_header);
# third_party/usrsctp/BUILD.gn:24       "-Wno-address-of-packed-member"
git bisect good fc07671b75ee062b32561d54ede948214083f89d

# 1st crash instance
# ASAN report
# =================================================================
# ==2259==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160031cba28 at pc 0x555557671b4c bp 0x7fffdfd92cd0 sp 0x7fffdfd92cc8
# READ of size 8 at 0x6160031cba28 thread T18 (SCTP timer)
# [Detaching after fork from child process 3180]
#     #0 0x555557671b4b in sctp_timeout_handler third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34
#     #1 0x555557748820 in sctp_handle_tick third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164:4
#     #2 0x555557748820 in user_sctp_timer_iterate third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204:3
#     #3 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# 0x6160031cba28 is located 168 bytes inside of 608-byte region [0x6160031cb980,0x6160031cbbe0)
# freed by thread T9 (Thread #9 from ) here:
#     #0 0x555555e6477d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#     #1 0x5555576969d7 in sctp_free_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5945:3
#     #2 0x5555576910a2 in sctp_inpcb_free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4163:7
#     #3 0x55555764bbc4 in sctp_close third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c
#     #4 0x55555764058d in sofree third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:282:2
#     #5 0x555556bf41b9 in cricket::SctpTransport::CloseSctpSocket() media/sctp/sctp_transport.cc:858:5
#     #6 0x555556bf41b9 in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:438:3
#     #7 0x555556bf442d in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:436:33
#     #8 0x5555566242a9 in std::__1::default_delete<cricket::SctpTransport>::operator()(cricket::SctpTransport*) const buildtools/third_party/libc++/trunk/include/memory:2338:5
#     #9 0x5555566242a9 in std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset(cricket::SctpTransport*) buildtools/third_party/libc++/trunk/include/memory:2651:7
#     #10 0x5555566242a9 in (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:365:24
#     #11 0x5555566242a9 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #12 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #13 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #14 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #15 0x555556d0b78b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #16 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #17 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# previously allocated by thread T9 (Thread #9 from ) here:
#     #0 0x555555e649fd in malloc /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#     #1 0x555557698338 in sctp_add_remote_addr third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4564:8
#     #2 0x55555769a1d3 in sctp_aloc_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5146:13
#     #3 0x555557669d75 in sctpconn_connect third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:8077:9
#     #4 0x555557643b0d in soconnect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2060:12
#     #5 0x555557643b0d in user_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2086:10
#     #6 0x555557643da4 in usrsctp_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2143:10
#     #7 0x555556bf4e3e in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:712:24
#     #8 0x55555662241c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #9 0x55555662241c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #10 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #11 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #12 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #13 0x555556d0b78b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #14 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #15 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T18 (SCTP timer) created by T8 (Thread #8 from ) here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555557748b4b in sctp_start_timer third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:218:7
#     #2 0x5555576400d2 in usrsctp_init third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:106:2
#     #3 0x555556bffb29 in cricket::SctpTransport::UsrSctpWrapper::InitializeUsrSctp() media/sctp/sctp_transport.cc:208:5
#     #4 0x555556bf8e3d in cricket::SctpTransport::UsrSctpWrapper::IncrementUsrSctpUsageCount() media/sctp/sctp_transport.cc:268:7
#     #5 0x555556bf8e3d in cricket::SctpTransport::OpenSctpSocket() media/sctp/sctp_transport.cc:748:3
#     #6 0x555556bf4cfd in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:696:8
#     #7 0x55555662241c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #8 0x55555662241c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #9 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #10 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #11 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #12 0x555556d0b687 in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #13 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #14 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T8 (Thread #8 from ) created by T0 here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0af8b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618deb in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618deb in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba5f5 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba5f5 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc769 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdba6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8496 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72bf in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72bf in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a254 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a254 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0c84 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# Thread T9 (Thread #9 from ) created by T0 here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0af8b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618deb in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618deb in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba5f5 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba5f5 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc769 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdba6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8496 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72bf in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72bf in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a254 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a254 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0c84 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# SUMMARY: AddressSanitizer: heap-use-after-free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34 in sctp_timeout_handler
# Shadow bytes around the buggy address:
#   0x0c2c806316f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c80631700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c80631710: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
#   0x0c2c80631720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80631730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# =>0x0c2c80631740: 00 00 00 00 00[00]00 00 00 00 00 00 00 00 00 00
#   0x0c2c80631750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c80631760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c80631770: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
#   0x0c2c80631780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80631790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# Shadow byte legend (one shadow byte represents 8 application bytes):
#   Addressable:           00
#   Partially addressable: 01 02 03 04 05 06 07 
#   Heap left redzone:       fa
#   Freed heap region:       fd
#   Stack left redzone:      f1
#   Stack mid redzone:       f2
#   Stack right redzone:     f3
#   Stack after return:      f5
#   Stack use after scope:   f8
#   Global redzone:          f9
#   Global init order:       f6
#   Poisoned by user:        f7
#   Container overflow:      fc
#   Array cookie:            ac
#   Intra object redzone:    bb
#   ASan internal:           fe
#   Left alloca redzone:     ca
#   Right alloca redzone:    cb
#   Shadow gap:              cc
# ==2259==ABORTING
# 
# Thread 7 "Thread #6 from " received signal SIGSEGV, Segmentation fault.
# 
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d827 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c541 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e689eb in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a3ce in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac50 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# #6  0x0000555555e6ac78 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# #7  0x0000555557671b4c in sctp_timeout_handler (t=0x6160031cb9f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# #8  0x0000555557748821 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x0000555557671b4c in sctp_timeout_handler (t=0x6160031cb9f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# 1611		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x0, tqe_prev = 0x0}, c_time = 0, c_arg = 0x0, c_func = 0x0, c_flags = 0}, type = 0, ep = 0x0, tcb = 0x6160031cba28, net = 0x0, self = 0x0, 
#   ticks = 0, stopped_from = 0}
# 
# 2-nd crash instance:
# =================================================================
# ==4736==ERROR: AddressSanitizer: heap-use-after-free on address 0x616001fb6428 at pc 0x555557671b4c bp 0x7fffdfd92cd0 sp 0x7fffdfd92cc8
# READ of size 8 at 0x616001fb6428 thread T18 (SCTP timer)
# [Detaching after fork from child process 5327]
#     #0 0x555557671b4b in sctp_timeout_handler third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34
#     #1 0x555557748820 in sctp_handle_tick third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164:4
#     #2 0x555557748820 in user_sctp_timer_iterate third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204:3
#     #3 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# 0x616001fb6428 is located 168 bytes inside of 608-byte region [0x616001fb6380,0x616001fb65e0)
# freed by thread T11 (Thread #11 from) here:
#     #0 0x555555e6477d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#     #1 0x5555576969d7 in sctp_free_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5945:3
#     #2 0x5555576910a2 in sctp_inpcb_free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4163:7
#     #3 0x55555764bbc4 in sctp_close third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c
#     #4 0x55555764058d in sofree third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:282:2
#     #5 0x555556bf41b9 in cricket::SctpTransport::CloseSctpSocket() media/sctp/sctp_transport.cc:858:5
#     #6 0x555556bf41b9 in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:438:3
#     #7 0x555556bf442d in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:436:33
#     #8 0x5555566244c9 in std::__1::default_delete<cricket::SctpTransport>::operator()(cricket::SctpTransport*) const buildtools/third_party/libc++/trunk/include/memory:2338:5
#     #9 0x5555566244c9 in std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset(cricket::SctpTransport*) buildtools/third_party/libc++/trunk/include/memory:2651:7
#     #10 0x5555566244c9 in (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda2'()::operator()() const media/sct
#     #11 0x5555566244c9 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda2'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #12 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #13 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #14 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #15 0x555556d0b78b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #16 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #17 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# previously allocated by thread T11 (Thread #11 from) here:
#     #0 0x555555e649fd in malloc /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#     #1 0x555557698338 in sctp_add_remote_addr third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4564:8
#     #2 0x55555769a1d3 in sctp_aloc_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5146:13
#     #3 0x555557669d75 in sctpconn_connect third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:8077:9
#     #4 0x555557643b0d in soconnect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2060:12
#     #5 0x555557643b0d in user_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2086:10
#     #6 0x555557643da4 in usrsctp_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2143:10
#     #7 0x555556bf4e3e in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:712:24
#     #8 0x5555566228ac in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda4'()::operator()() const media/sct
#     #9 0x5555566228ac in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda4'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #10 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #11 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #12 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #13 0x555556d0b78b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #14 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #15 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T18 (SCTP timer) created by T8 (Thread #8 from ) here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555557748b4b in sctp_start_timer third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:218:7
#     #2 0x5555576400d2 in usrsctp_init third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:106:2
#     #3 0x555556bffb29 in cricket::SctpTransport::UsrSctpWrapper::InitializeUsrSctp() media/sctp/sctp_transport.cc:208:5
#     #4 0x555556bf8e3d in cricket::SctpTransport::UsrSctpWrapper::IncrementUsrSctpUsageCount() media/sctp/sctp_transport.cc:268:7
#     #5 0x555556bf8e3d in cricket::SctpTransport::OpenSctpSocket() media/sctp/sctp_transport.cc:748:3
#     #6 0x555556bf4cfd in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:696:8
#     #7 0x55555662241c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sct
#     #8 0x55555662241c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #9 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #10 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #11 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #12 0x555556d0b687 in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #13 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #14 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T8 (Thread #8 from ) created by T0 here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0af8b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618deb in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sct
#     #3 0x555556618deb in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sct
#     #4 0x5555569ba5f5 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba5f5 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc769 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdba6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8496 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72bf in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72bf in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a254 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a254 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0c84 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# Thread T11 (Thread #11 from) created by T0 here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0af8b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618deb in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sct
#     #3 0x555556618deb in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sct
#     #4 0x5555569ba5f5 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba5f5 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc769 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdba6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8496 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72bf in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72bf in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a254 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a254 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0c84 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# SUMMARY: AddressSanitizer: heap-use-after-free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34 in sctp_timeout_handler
# Shadow bytes around the buggy address:
#   0x0c2c803eec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c803eec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c803eec50: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
#   0x0c2c803eec60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803eec70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
# =>0x0c2c803eec80: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803eec90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803eeca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803eecb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803eecc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803eecd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
# Shadow byte legend (one shadow byte represents 8 application bytes):
#   Addressable:           00
#   Partially addressable: 01 02 03 04 05 06 07 
#   Heap left redzone:       fa
#   Freed heap region:       fd
#   Stack left redzone:      f1
#   Stack mid redzone:       f2
#   Stack right redzone:     f3
#   Stack after return:      f5
#   Stack use after scope:   f8
#   Global redzone:          f9
#   Global init order:       f6
#   Poisoned by user:        f7
#   Container overflow:      fc
#   Array cookie:            ac
#   Intra object redzone:    bb
#   ASan internal:           fe
#   Left alloca redzone:     ca
#   Right alloca redzone:    cb
#   Shadow gap:              cc
# ==4736==ABORTING
# 
# Thread 4 "Thread #3 from " received signal SIGSEGV, Segmentation fault.
# [Switching to Thread 0x7ffff1c95700 (LWP 4744)]
# 0x0000555555dee4f2 in Allocate () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_allocator.cpp:465
# 465	/b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_allocator.cpp: No such file or directory.
# 
# 
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d827 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c541 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e689eb in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a3ce in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac50 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# #6  0x0000555555e6ac78 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# #7  0x0000555557671b4c in sctp_timeout_handler (t=0x616001fb63f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# #8  0x0000555557748821 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x0000555557671b4c in sctp_timeout_handler (t=0x616001fb63f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# 1611		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x6160029d8df0, tqe_prev = 0x6160004db2f0}, c_time = 780513, c_arg = 0x616001fb63f0, c_func = 0x55555766f510 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x61a003cd5c80, tcb = 0x61d00a08ca80, net = 0x616001fb6380, self = 0x0, ticks = 749640, stopped_from = 0}
# 
# 3-rd crash instance:
# =================================================================
# ==4702==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000e1e228 at pc 0x555557671b4c bp 0x7fffdfd92cd0 sp 0x7fffdfd92cc8
# READ of size 8 at 0x616000e1e228 thread T18 (SCTP timer)
# ==4702==WARNING: failed to fork (errno 12)
# ==4702==WARNING: failed to fork (errno 12)
# ==4702==WARNING: failed to fork (errno 12)
# ==4702==WARNING: failed to fork (errno 12)
# ==4702==WARNING: failed to fork (errno 12)
# ==4702==WARNING: Failed to use and restart external symbolizer!
#     #0 0x555557671b4b  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x211db4b)
#     #1 0x555557748820  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x21f4820)
#     #2 0x7ffff7f724ce  (/usr/lib/libpthread.so.0+0x94ce)
# 
# 0x616000e1e228 is located 168 bytes inside of 608-byte region [0x616000e1e180,0x616000e1e3e0)
# freed by thread T13 (Thread #13 from) here:
#     #0 0x555555e6477d  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x91077d)
#     #1 0x5555576969d7  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x21429d7)
#     #2 0x5555576910a2  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x213d0a2)
#     #3 0x55555764bbc4  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x20f7bc4)
#     #4 0x55555764058d  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x20ec58d)
#     #5 0x555556bf41b9  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x16a01b9)
#     #6 0x555556bf442d  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x16a042d)
#     #7 0x5555566244c9  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x10d04c9)
#     #8 0x555556cddb08  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1789b08)
#     #9 0x555556d0c4fa  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b84fa)
#     #10 0x555556cdbd01  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1787d01)
#     #11 0x555556d0b78b  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b778b)
#     #12 0x555556d0b229  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b7229)
#     #13 0x7ffff7f724ce  (/usr/lib/libpthread.so.0+0x94ce)
# 
# previously allocated by thread T13 (Thread #13 from) here:
#     #0 0x555555e649fd  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x9109fd)
#     #1 0x555557698338  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x2144338)
#     #2 0x55555769a1d3  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x21461d3)
#     #3 0x555557669d75  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x2115d75)
#     #4 0x555557643b0d  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x20efb0d)
#     #5 0x555557643da4  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x20efda4)
#     #6 0x555556bf4e3e  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x16a0e3e)
#     #7 0x5555566228ac  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x10ce8ac)
#     #8 0x555556cddb08  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1789b08)
#     #9 0x555556d0c4fa  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b84fa)
#     #10 0x555556cdbd01  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1787d01)
#     #11 0x555556d0b78b  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b778b)
#     #12 0x555556d0b229  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b7229)
#     #13 0x7ffff7f724ce  (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T18 (SCTP timer) created by T8 (Thread #8 from ) here:
#     #0 0x555555e4f2ca  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x8fb2ca)
#     #1 0x555557748b4b  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x21f4b4b)
#     #2 0x5555576400d2  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x20ec0d2)
#     #3 0x555556bffb29  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x16abb29)
#     #4 0x555556bf8e3d  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x16a4e3d)
#     #5 0x555556bf4cfd  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x16a0cfd)
#     #6 0x55555662241c  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x10ce41c)
#     #7 0x555556cddb08  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1789b08)
#     #8 0x555556d0c4fa  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b84fa)
#     #9 0x555556cdbd01  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1787d01)
#     #10 0x555556d0b687  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b7687)
#     #11 0x555556d0b229  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b7229)
#     #12 0x7ffff7f724ce  (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T8 (Thread #8 from ) created by T0 here:
#     #0 0x555555e4f2ca  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x8fb2ca)
#     #1 0x555556d0af8b  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b6f8b)
#     #2 0x555556618deb  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x10c4deb)
#     #3 0x5555569ba5f5  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x14665f5)
#     #4 0x5555569bc769  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1468769)
#     #5 0x5555569bdba6  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1469ba6)
#     #6 0x5555569e8496  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1494496)
#     #7 0x5555569e72bf  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x14932bf)
#     #8 0x555556a4a254  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x14f6254)
#     #9 0x5555567c0c84  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x126cc84)
#     #10 0x7ffff7b1c152  (/usr/lib/libc.so.6+0x27152)
# 
# Thread T13 (Thread #13 from) created by T0 here:
#     #0 0x555555e4f2ca  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x8fb2ca)
#     #1 0x555556d0af8b  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x17b6f8b)
#     #2 0x555556618deb  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x10c4deb)
#     #3 0x5555569ba5f5  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x14665f5)
#     #4 0x5555569bc769  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1468769)
#     #5 0x5555569bdba6  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1469ba6)
#     #6 0x5555569e8496  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x1494496)
#     #7 0x5555569e72bf  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x14932bf)
#     #8 0x555556a4a254  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x14f6254)
#     #9 0x5555567c0c84  (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x126cc84)
#     #10 0x7ffff7b1c152  (/usr/lib/libc.so.6+0x27152)
# 
# SUMMARY: AddressSanitizer: heap-use-after-free (/home/mstyura/Projects/googlesource.com/webrtc/src/out/ReleaseWithAsan/rtc_media_unittests+0x211db4b) 
# Shadow bytes around the buggy address:
#   0x0c2c801bbbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c801bbc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c801bbc10: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
#   0x0c2c801bbc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c801bbc30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
# =>0x0c2c801bbc40: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
#   0x0c2c801bbc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c801bbc60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c801bbc70: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
#   0x0c2c801bbc80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c801bbc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# Shadow byte legend (one shadow byte represents 8 application bytes):
#   Addressable:           00
#   Partially addressable: 01 02 03 04 05 06 07 
#   Heap left redzone:       fa
#   Freed heap region:       fd
#   Stack left redzone:      f1
#   Stack mid redzone:       f2
#   Stack right redzone:     f3
#   Stack after return:      f5
#   Stack use after scope:   f8
#   Global redzone:          f9
#   Global init order:       f6
#   Poisoned by user:        f7
#   Container overflow:      fc
#   Array cookie:            ac
#   Intra object redzone:    bb
#   ASan internal:           fe
#   Left alloca redzone:     ca
#   Right alloca redzone:    cb
#   Shadow gap:              cc
# ==4702==ABORTING
# 
# Thread 11 "Thread #10 from" received signal SIGSEGV, Segmentation fault.
# [Switching to Thread 0x7fffe96b5700 (LWP 4717)]
# 0x00007ffff7c59b90 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
# (gdb) info thread
#   Id   Target Id                                          Frame 
#   1    Thread 0x7ffff7abd300 (LWP 4702) "rtc_media_unitt" 0x00007ffff7be99ef in poll () from /usr/lib/libc.so.6
#   2    Thread 0x7ffff42d5700 (LWP 4708) "Thread #1 from " 0x00007ffff7f78c45 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#   3    Thread 0x7ffff2fb5700 (LWP 4709) "Thread #2 from " 0x00007ffff7c59b90 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   4    Thread 0x7ffff1c95700 (LWP 4710) "Thread #3 from " 0x00007ffff7c59bd0 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   5    Thread 0x7ffff0975700 (LWP 4711) "Thread #4 from " 0x00007ffff7c59c69 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   6    Thread 0x7fffef655700 (LWP 4712) "Thread #5 from " 0x00007ffff7f78c45 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#   7    Thread 0x7fffee335700 (LWP 4713) "Thread #6 from " 0x00007ffff7c59c49 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   8    Thread 0x7fffed015700 (LWP 4714) "Thread #7 from " 0x00007ffff7c59bd0 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   9    Thread 0x7fffebcf5700 (LWP 4715) "Thread #8 from " SetShadow () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_fake_stack.cpp:34
#   10   Thread 0x7fffea9d5700 (LWP 4716) "Thread #9 from " 0x00007ffff7c59bd0 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
# * 11   Thread 0x7fffe96b5700 (LWP 4717) "Thread #10 from" 0x00007ffff7c59b90 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   12   Thread 0x7fffe8395700 (LWP 4718) "Thread #11 from" 0x00007ffff7f78c45 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#   13   Thread 0x7fffe7075700 (LWP 4719) "Thread #12 from" 0x00007ffff7c59b90 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   14   Thread 0x7fffe5d55700 (LWP 4720) "Thread #13 from" 0x00007ffff7f78c45 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#   15   Thread 0x7fffe4a35700 (LWP 4721) "Thread #14 from" 0x00007ffff7f78c45 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#   16   Thread 0x7fffe3715700 (LWP 4722) "Thread #15 from" 0x00007ffff7c59bd0 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
#   17   Thread 0x7fffe23f5700 (LWP 4723) "Thread #16 from" 0x00007ffff7f78c45 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#   18   Thread 0x7fffe10b3700 (LWP 4724) "SCTP iterator"   0x00007ffff7f78c45 in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#   19   Thread 0x7fffdfd93700 (LWP 4725) "SCTP timer"      0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# (gdb) thread 19
# [Switching to thread 19 (Thread 0x7fffdfd93700 (LWP 4725))]
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d827 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c541 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e689eb in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a3ce in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac50 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# #6  0x0000555555e6ac78 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# #7  0x0000555557671b4c in sctp_timeout_handler (t=0x616000e1e1f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# #8  0x0000555557748821 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x0000555557671b4c in sctp_timeout_handler (t=0x616000e1e1f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# 1611		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x616003c83df0, tqe_prev = 0x616003ce94f0}, c_time = 3765778, c_arg = 0x616000e1e1f0, c_func = 0x55555766f510 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x61a007133480, tcb = 0x61d004d59e80, net = 0x616000e1e180, self = 0x0, ticks = 3734380, stopped_from = 0}
# 

# 4-th crash instance:
# ==27719==ERROR: AddressSanitizer: heap-use-after-free on address 0x616001e97028 at pc 0x555557671b4c bp 0x7fffea9b2cd0 sp 0x7fffea9b2cc8
# READ of size 8 at 0x616001e97028 thread T9 (SCTP timer)
# [Detaching after fork from child process 17574]
#     #0 0x555557671b4b in sctp_timeout_handler third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34
#     #1 0x555557748820 in sctp_handle_tick third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164:4
#     #2 0x555557748820 in user_sctp_timer_iterate third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204:3
#     #3 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# 0x616001e97028 is located 168 bytes inside of 608-byte region [0x616001e96f80,0x616001e971e0)
# freed by thread T1 (Thread #1 from ) here:
#     #0 0x555555e6477d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#     #1 0x5555576969d7 in sctp_free_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5945:3
#     #2 0x5555576910a2 in sctp_inpcb_free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4163:7
#     #3 0x55555764bbc4 in sctp_close third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c
#     #4 0x55555764058d in sofree third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:282:2
#     #5 0x555556bf41b9 in cricket::SctpTransport::CloseSctpSocket() media/sctp/sctp_transport.cc:858:5
#     #6 0x555556bf41b9 in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:438:3
#     #7 0x555556bf442d in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:436:33
#     #8 0x5555566244c9 in std::__1::default_delete<cricket::SctpTransport>::operator()(cricket::SctpTransport*) const buildtools/third_party/libc++/trunk/include/memory:2338:5
#     #9 0x5555566244c9 in std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset(cricket::SctpTransport*) buildtools/third_party/libc++/trunk/include/memory:2651:7
#     #10 0x5555566244c9 in (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda2'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:370:24
#     #11 0x5555566244c9 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda2'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #12 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #13 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #14 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #15 0x555556d0b78b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #16 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #17 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# previously allocated by thread T1 (Thread #1 from ) here:
#     #0 0x555555e649fd in malloc /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#     #1 0x555557698338 in sctp_add_remote_addr third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4564:8
#     #2 0x55555769a1d3 in sctp_aloc_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5146:13
#     #3 0x555557669d75 in sctpconn_connect third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:8077:9
#     #4 0x555557643b0d in soconnect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2060:12
#     #5 0x555557643b0d in user_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2086:10
#     #6 0x555557643da4 in usrsctp_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2143:10
#     #7 0x555556bf4e3e in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:712:24
#     #8 0x5555566228ac in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda4'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:560:30
#     #9 0x5555566228ac in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda4'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #10 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #11 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #12 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #13 0x555556d0b78b in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #14 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #15 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T9 (SCTP timer) created by T4 (Thread #4 from ) here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555557748b4b in sctp_start_timer third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:218:7
#     #2 0x5555576400d2 in usrsctp_init third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:106:2
#     #3 0x555556bffb29 in cricket::SctpTransport::UsrSctpWrapper::InitializeUsrSctp() media/sctp/sctp_transport.cc:208:5
#     #4 0x555556bf8e3d in cricket::SctpTransport::UsrSctpWrapper::IncrementUsrSctpUsageCount() media/sctp/sctp_transport.cc:268:7
#     #5 0x555556bf8e3d in cricket::SctpTransport::OpenSctpSocket() media/sctp/sctp_transport.cc:748:3
#     #6 0x555556bf4cfd in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:696:8
#     #7 0x55555662241c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #8 0x55555662241c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #9 0x555556cddb08 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #10 0x555556d0c4fa in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #11 0x555556cdbd01 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #12 0x555556d0b687 in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #13 0x555556d0b229 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #14 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T4 (Thread #4 from ) created by T0 here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0af8b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618deb in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618deb in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba5f5 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba5f5 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc769 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdba6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8496 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72bf in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72bf in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a254 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a254 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0c84 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# Thread T1 (Thread #1 from ) created by T0 here:
#     #0 0x555555e4f2ca in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0af8b in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618deb in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618deb in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba5f5 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba5f5 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc769 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdba6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e8496 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72bf in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72bf in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a254 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a254 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0c84 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# SUMMARY: AddressSanitizer: heap-use-after-free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34 in sctp_timeout_handler
# Shadow bytes around the buggy address:
#   0x0c2c803cadb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c803cadc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c803cadd0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
#   0x0c2c803cade0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803cadf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
# =>0x0c2c803cae00: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
#   0x0c2c803cae10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c803cae20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c803cae30: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
#   0x0c2c803cae40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c803cae50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# Shadow byte legend (one shadow byte represents 8 application bytes):
#   Addressable:           00
#   Partially addressable: 01 02 03 04 05 06 07 
#   Heap left redzone:       fa
#   Freed heap region:       fd
#   Stack left redzone:      f1
#   Stack mid redzone:       f2
#   Stack right redzone:     f3
#   Stack after return:      f5
#   Stack use after scope:   f8
#   Global redzone:          f9
#   Global init order:       f6
#   Poisoned by user:        f7
#   Container overflow:      fc
#   Array cookie:            ac
#   Intra object redzone:    bb
#   ASan internal:           fe
#   Left alloca redzone:     ca
#   Right alloca redzone:    cb
#   Shadow gap:              cc
# ==27719==ABORTING
# 
# Thread 4 "Thread #3 from " received signal SIGSEGV, Segmentation fault.
# 
# (gdb) bt      
# #0  SetShadow () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_fake_stack.cpp:34
# #1  OnMalloc () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_fake_stack.cpp:209
# #2  __asan_stack_malloc_0 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_fake_stack.cpp:232
# #3  0x00005555569fd111 in absl::AbslFailureSignalHandler (signo=<optimized out>, ucontext=<optimized out>)
#     at ../../third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:304
# #4  <signal handler called>
# #5  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #6  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #7  0x0000555555e7d827 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #8  0x0000555555e7c541 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #9  0x0000555555e689eb in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #10 0x0000555555e6a3ce in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac77 in read in CU, but not in symtab.)
# #11 0x0000555555e6ac78 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# #12 0x0000555557671b4c in sctp_timeout_handler (t=0x616001e96ff0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# #13 0x0000555557748821 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164
# #14 user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204
# #15 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #16 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 12
# #12 0x0000555557671b4c in sctp_timeout_handler (t=0x616001e96ff0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# 1611		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x61600167f1f0, tqe_prev = 0x616003d992f0}, c_time = 15294161, c_arg = 0x616001e96ff0, c_func = 0x55555766f510 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x61a001b72680, tcb = 0x61d04db03e80, net = 0x616001e96f80, self = 0x0, ticks = 15261450, stopped_from = 0}
# (gdb) 
# 


# good: [92505170034003fae326183908700a3d43bd714a] Merge branch 'master' of https://github.com/neat-project/usrsctp-neat
# reason: 5 times run to completion, 1 time crashed with different crash
git bisect good 92505170034003fae326183908700a3d43bd714a

# ==23507==ERROR: AddressSanitizer: heap-use-after-free on address 0x61600338f528 at pc 0x55555767274c bp 0x7fffea9b2cd0 sp 0x7fffea9b2cc8
# READ of size 8 at 0x61600338f528 thread T9 (SCTP timer)
# [Detaching after fork from child process 27365]
#     #0 0x55555767274b in sctp_timeout_handler third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34
#     #1 0x555557748870 in sctp_handle_tick third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164:4
#     #2 0x555557748870 in user_sctp_timer_iterate third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204:3
#     #3 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# 0x61600338f528 is located 168 bytes inside of 608-byte region [0x61600338f480,0x61600338f6e0)
# freed by thread T4 (Thread #4 from ) here:
#     #0 0x555555e647bd in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#     #1 0x5555576975d7 in sctp_free_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5945:3
#     #2 0x555557691ca2 in sctp_inpcb_free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4163:7
#     #3 0x55555764c7c4 in sctp_close third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c
#     #4 0x5555576405cd in sofree third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:283:2
#     #5 0x555556bf41f9 in cricket::SctpTransport::CloseSctpSocket() media/sctp/sctp_transport.cc:858:5
#     #6 0x555556bf41f9 in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:438:3
#     #7 0x555556bf446d in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:436:33
#     #8 0x5555566242e9 in std::__1::default_delete<cricket::SctpTransport>::operator()(cricket::SctpTransport*) const buildtools/third_party/libc++/trunk/include/memory:2338:5
#     #9 0x5555566242e9 in std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset(cricket::SctpTransport*) buildtools/third_party/libc++/trunk/include/memory:2651:7
#     #10 0x5555566242e9 in (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:365:24
#     #11 0x5555566242e9 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #12 0x555556cddb48 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #13 0x555556d0c53a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #14 0x555556cdbd41 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #15 0x555556d0b7cb in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #16 0x555556d0b269 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #17 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# previously allocated by thread T4 (Thread #4 from ) here:
#     #0 0x555555e64a3d in malloc /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#     #1 0x555557698f38 in sctp_add_remote_addr third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4564:8
#     #2 0x55555769add3 in sctp_aloc_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5146:13
#     #3 0x55555766a975 in sctpconn_connect third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:8078:9
#     #4 0x555557643b4d in soconnect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2061:12
#     #5 0x555557643b4d in user_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2087:10
#     #6 0x555557643de4 in usrsctp_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2144:10
#     #7 0x555556bf4e7e in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:712:24
#     #8 0x55555662245c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #9 0x55555662245c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #10 0x555556cddb48 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #11 0x555556d0c53a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #12 0x555556cdbd41 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #13 0x555556d0b7cb in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #14 0x555556d0b269 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #15 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T9 (SCTP timer) created by T4 (Thread #4 from ) here:
#     #0 0x555555e4f30a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555557748b9b in sctp_start_timer third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:218:7
#     #2 0x555557640112 in usrsctp_init third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:107:2
#     #3 0x555556bffb69 in cricket::SctpTransport::UsrSctpWrapper::InitializeUsrSctp() media/sctp/sctp_transport.cc:208:5
#     #4 0x555556bf8e7d in cricket::SctpTransport::UsrSctpWrapper::IncrementUsrSctpUsageCount() media/sctp/sctp_transport.cc:268:7
#     #5 0x555556bf8e7d in cricket::SctpTransport::OpenSctpSocket() media/sctp/sctp_transport.cc:748:3
#     #6 0x555556bf4d3d in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:696:8
#     #7 0x55555662245c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #8 0x55555662245c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #9 0x555556cddb48 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #10 0x555556d0c53a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #11 0x555556cdbd41 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #12 0x555556d0b6c7 in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #13 0x555556d0b269 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #14 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T4 (Thread #4 from ) created by T0 here:
#     #0 0x555555e4f30a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0afcb in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618e2b in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618e2b in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba635 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba635 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc7a9 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdbe6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e84d6 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72ff in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72ff in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a294 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a294 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0cc4 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# SUMMARY: AddressSanitizer: heap-use-after-free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611:34 in sctp_timeout_handler
# Shadow bytes around the buggy address:
#   0x0c2c80669e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c80669e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#   0x0c2c80669e70: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
#   0x0c2c80669e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80669e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
# =>0x0c2c80669ea0: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80669eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80669ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80669ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80669ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80669ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
# Shadow byte legend (one shadow byte represents 8 application bytes):
#   Addressable:           00
#   Partially addressable: 01 02 03 04 05 06 07 
#   Heap left redzone:       fa
#   Freed heap region:       fd
#   Stack left redzone:      f1
#   Stack mid redzone:       f2
#   Stack right redzone:     f3
#   Stack after return:      f5
#   Stack use after scope:   f8
#   Global redzone:          f9
#   Global init order:       f6
#   Poisoned by user:        f7
#   Container overflow:      fc
#   Array cookie:            ac
#   Intra object redzone:    bb
#   ASan internal:           fe
#   Left alloca redzone:     ca
#   Right alloca redzone:    cb
#   Shadow gap:              cc
# ==23507==ABORTING
# 
# Thread 3 "Thread #2 from " received signal SIGSEGV, Segmentation fault.
# [Switching to Thread 0x7ffff2fb5700 (LWP 23514)]
# 0x00007ffff7c59c73 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
# 
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d867 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c581 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e68a2b in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a40e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac90 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #6  0x0000555555e6acb8 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #7  0x000055555767274c in sctp_timeout_handler (t=0x61600338f4f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# #8  0x0000555557748871 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:164
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:204
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x000055555767274c in sctp_timeout_handler (t=0x61600338f4f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1611
# 1611		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x61a00a3af0c0, tqe_prev = 0x61a0008a0ec0}, c_time = 9671669, c_arg = 0x61600338f4f0, c_func = 0x555557670110 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x61a000abde80, tcb = 0x61d007faf880, net = 0x61600338f480, self = 0x0, ticks = 9608450, stopped_from = 0}
# 

# good: [a0c3a35adeb91541bc545ec0d04735e844cbec65] Merge remote-tracking branch 'upstream/master'
# reason: crashed 1 time with a different crash, 3 times ran into some state where the test became really slow and I was unable to wait for completion,
# 5 times ran to completion,

# crash instance 1
# =================================================================
# ==14786==ERROR: AddressSanitizer: heap-use-after-free on address 0x61600005d428 at pc 0x555557672e3c bp 0x7fffea9b2cd0 sp 0x7fffea9b2cc8
# READ of size 8 at 0x61600005d428 thread T9 (SCTP timer)
# [Detaching after fork from child process 16072]
#     #0 0x555557672e3b in sctp_timeout_handler third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1613:34
#     #1 0x555557749090 in sctp_handle_tick third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:166:4
#     #2 0x555557749090 in user_sctp_timer_iterate third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:206:3
#     #3 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# 0x61600005d428 is located 168 bytes inside of 608-byte region [0x61600005d380,0x61600005d5e0)
# freed by thread T4 (Thread #4 from ) here:
#     #0 0x555555e647bd in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#     #1 0x555557697d07 in sctp_free_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5951:3
#     #2 0x5555576923d2 in sctp_inpcb_free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4134:7
#     #3 0x55555764c8e4 in sctp_close third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c
#     #4 0x5555576406bd in sofree third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:283:2
#     #5 0x555556bf41f9 in cricket::SctpTransport::CloseSctpSocket() media/sctp/sctp_transport.cc:858:5
#     #6 0x555556bf41f9 in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:438:3
#     #7 0x555556bf446d in cricket::SctpTransport::~SctpTransport() media/sctp/sctp_transport.cc:436:33
#     #8 0x5555566242e9 in std::__1::default_delete<cricket::SctpTransport>::operator()(cricket::SctpTransport*) const buildtools/third_party/libc++/trunk/include/memory:2338:5
#     #9 0x5555566242e9 in std::__1::unique_ptr<cricket::SctpTransport, std::__1::default_delete<cricket::SctpTransport> >::reset(cricket::SctpTransport*) buildtools/third_party/libc++/trunk/include/memory:2651:7
#     #10 0x5555566242e9 in (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:365:24
#     #11 0x5555566242e9 in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::~SctpPingPong()::'lambda1'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #12 0x555556cddb48 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #13 0x555556d0c53a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #14 0x555556cdbd41 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #15 0x555556d0b7cb in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #16 0x555556d0b269 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #17 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# previously allocated by thread T4 (Thread #4 from ) here:
#     #0 0x555555e64a3d in malloc /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#     #1 0x555557699668 in sctp_add_remote_addr third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:4520:8
#     #2 0x55555769b607 in sctp_aloc_assoc third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c:5151:13
#     #3 0x55555766b045 in sctpconn_connect third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_usrreq.c:8134:9
#     #4 0x555557643c1d in soconnect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2061:12
#     #5 0x555557643c1d in user_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2087:10
#     #6 0x555557643eb4 in usrsctp_connect third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:2144:10
#     #7 0x555556bf4e7e in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:712:24
#     #8 0x55555662245c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #9 0x55555662245c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #10 0x555556cddb48 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #11 0x555556d0c53a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #12 0x555556cdbd41 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #13 0x555556d0b7cb in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #14 0x555556d0b269 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #15 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T9 (SCTP timer) created by T4 (Thread #4 from ) here:
#     #0 0x555555e4f30a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x5555577493bb in sctp_start_timer third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:220:7
#     #2 0x555557640112 in usrsctp_init third_party/usrsctp/usrsctplib/usrsctplib/user_socket.c:107:2
#     #3 0x555556bffb69 in cricket::SctpTransport::UsrSctpWrapper::InitializeUsrSctp() media/sctp/sctp_transport.cc:208:5
#     #4 0x555556bf8e7d in cricket::SctpTransport::UsrSctpWrapper::IncrementUsrSctpUsageCount() media/sctp/sctp_transport.cc:268:7
#     #5 0x555556bf8e7d in cricket::SctpTransport::OpenSctpSocket() media/sctp/sctp_transport.cc:748:3
#     #6 0x555556bf4d3d in cricket::SctpTransport::Connect() media/sctp/sctp_transport.cc:696:8
#     #7 0x55555662245c in (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()::operator()() const media/sctp/sctp_transport_reliability_unittest.cc:552:30
#     #8 0x55555662245c in rtc::FunctorMessageHandler<void, (anonymous namespace)::SctpPingPong::CreateTwoConnectedSctpTransportsWithAllStreams()::'lambda3'()>::OnMessage(rtc::Message*) rtc_base/message_handler.h:61:42
#     #9 0x555556cddb48 in rtc::MessageQueue::Dispatch(rtc::Message*) rtc_base/message_queue.cc:514:19
#     #10 0x555556d0c53a in rtc::Thread::ReceiveSendsFromThread(rtc::Thread const*) rtc_base/thread.cc:449:5
#     #11 0x555556cdbd41 in rtc::MessageQueue::Get(rtc::Message*, int, bool) rtc_base/message_queue.cc:262:5
#     #12 0x555556d0b6c7 in rtc::Thread::ProcessMessages(int) rtc_base/thread.cc:526:10
#     #13 0x555556d0b269 in rtc::Thread::PreRun(void*) rtc_base/thread.cc:341:11
#     #14 0x7ffff7f724ce in start_thread (/usr/lib/libpthread.so.0+0x94ce)
# 
# Thread T4 (Thread #4 from ) created by T0 here:
#     #0 0x555555e4f30a in pthread_create /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#     #1 0x555556d0afcb in rtc::Thread::Start() rtc_base/thread.cc:256:20
#     #2 0x555556618e2b in (anonymous namespace)::ThreadPool::ThreadPool(unsigned long) media/sctp/sctp_transport_reliability_unittest.cc:308:15
#     #3 0x555556618e2b in cricket::UsrSctpReliabilityTest_DISABLED_AllMessagesAreDeliveredOverLossyConnectionConcurrentTests_Test::TestBody() media/sctp/sctp_transport_reliability_unittest.cc:740:14
#     #4 0x5555569ba635 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #5 0x5555569ba635 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2508:5
#     #6 0x5555569bc7a9 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2684:11
#     #7 0x5555569bdbe6 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28
#     #8 0x5555569e84d6 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5338:44
#     #9 0x5555569e72ff in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
#     #10 0x5555569e72ff in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4925:10
#     #11 0x555556a4a294 in RUN_ALL_TESTS() third_party/googletest/src/googletest/include/gtest/gtest.h:2473:46
#     #12 0x555556a4a294 in webrtc::(anonymous namespace)::TestMainImpl::Run(int, char**) test/test_main_lib.cc:168:21
#     #13 0x5555567c0cc4 in main test/test_main.cc:29:16
#     #14 0x7ffff7b1c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
# 
# SUMMARY: AddressSanitizer: heap-use-after-free third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1613:34 in sctp_timeout_handler
# Shadow bytes around the buggy address:
#   0x0c2c80003a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80003a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80003a50: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
#   0x0c2c80003a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80003a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
# =>0x0c2c80003a80: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80003a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80003aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
#   0x0c2c80003ab0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
#   0x0c2c80003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
#   0x0c2c80003ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# Shadow byte legend (one shadow byte represents 8 application bytes):
#   Addressable:           00
#   Partially addressable: 01 02 03 04 05 06 07 
#   Heap left redzone:       fa
#   Freed heap region:       fd
#   Stack left redzone:      f1
#   Stack mid redzone:       f2
#   Stack right redzone:     f3
#   Stack after return:      f5
#   Stack use after scope:   f8
#   Global redzone:          f9
#   Global init order:       f6
#   Poisoned by user:        f7
#   Container overflow:      fc
#   Array cookie:            ac
#   Intra object redzone:    bb
#   ASan internal:           fe
#   Left alloca redzone:     ca
#   Right alloca redzone:    cb
#   Shadow gap:              cc
# ==14786==ABORTING
# 
# Thread 2 "Thread #1 from " received signal SIGSEGV, Segmentation fault.
# [Switching to Thread 0x7ffff42d5700 (LWP 14792)]
# 0x00007ffff7c59b90 in __memset_avx2_unaligned_erms () from /usr/lib/libc.so.6
# 
# (gdb) bt
# #0  0x00007ffff7b30f25 in raise () from /usr/lib/libc.so.6
# #1  0x00007ffff7b1a897 in abort () from /usr/lib/libc.so.6
# #2  0x0000555555e7d867 in __sanitizer::Abort() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:155
# #3  0x0000555555e7c581 in __sanitizer::Die() () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
# #4  0x0000555555e68a2b in ~ScopedInErrorReport () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:186
# #5  0x0000555555e6a40e in ReportGenericError () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_report.cpp:474
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6ac90 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #6  0x0000555555e6acb8 in __asan_report_load8 () at /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_rtl.cpp:120
# warning: (Internal error: pc 0x555555e6acb7 in read in CU, but not in symtab.)
# #7  0x0000555557672e3c in sctp_timeout_handler (t=0x61600005d3f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1613
# #8  0x0000555557749091 in sctp_handle_tick (delta=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:166
# #9  user_sctp_timer_iterate (arg=<optimized out>) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_callout.c:206
# #10 0x00007ffff7f724cf in start_thread () from /usr/lib/libpthread.so.0
# #11 0x00007ffff7bf42d3 in clone () from /usr/lib/libc.so.6
# (gdb) frame 7
# #7  0x0000555557672e3c in sctp_timeout_handler (t=0x61600005d3f0) at ../../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctputil.c:1613
# 1613		inp = (struct sctp_inpcb *)tmr->ep;
# (gdb) p *tmr
# $1 = {timer = {tqe = {tqe_next = 0x616000a48bf0, tqe_prev = 0x616001fb66f0}, c_time = 3170260, c_arg = 0x61600005d3f0, c_func = 0x555557670850 <sctp_timeout_handler>, c_flags = 0}, 
#   type = 5, ep = 0x619000067280, tcb = 0x61d025cb1480, net = 0x61600005d380, self = 0x0, ticks = 3125010, stopped_from = 0}
# 


# 6bafb12aa5c6cd7019bf0dde5a7af490cd336a8a is the first bad commit
# commit 6bafb12aa5c6cd7019bf0dde5a7af490cd336a8a
# Author: Irene Ruengeler <ruengeler@wireshark.org>
# Date:   Mon Dec 11 14:08:32 2017 +0100
# 
#     New upcall API
# 
#  programs/CMakeLists.txt            |   6 +
#  programs/chargen_server_upcall.c   | 239 ++++++++++++++++++++++++++
#  programs/client_upcall.c           | 333 +++++++++++++++++++++++++++++++++++++
#  programs/daytime_server_upcall.c   | 156 +++++++++++++++++
#  programs/discard_server_upcall.c   | 242 +++++++++++++++++++++++++++
#  programs/echo_server.c             |   2 +-
#  programs/echo_server_upcall.c      | 258 ++++++++++++++++++++++++++++
#  programs/http_client_upcall.c      | 252 ++++++++++++++++++++++++++++
#  usrsctplib/netinet/sctp_callout.c  |   4 +-
#  usrsctplib/netinet/sctp_callout.h  |   1 +
#  usrsctplib/netinet/sctp_input.c    |  45 ++++-
#  usrsctplib/netinet/sctp_usrreq.c   |  29 +++-
#  usrsctplib/netinet/sctputil.c      |  73 +++++++-
#  usrsctplib/netinet6/sctp6_usrreq.c |  23 +++
#  usrsctplib/user_socket.c           |  51 ++++++
#  usrsctplib/user_socketvar.h        |   8 +
#  usrsctplib/usrsctp.h               |  13 ++
#  17 files changed, 1728 insertions(+), 7 deletions(-)
#  create mode 100644 programs/chargen_server_upcall.c
#  create mode 100644 programs/client_upcall.c
#  create mode 100644 programs/daytime_server_upcall.c
#  create mode 100644 programs/discard_server_upcall.c
#  create mode 100644 programs/echo_server_upcall.c
#  create mode 100644 programs/http_client_upcall.c
# 

@taylor-b
Contributor

This is still a problem for us. @tuexen, do you have any plan how to deal with this? Is there something we should be doing at the client level to wait for the socket to really be closed? Otherwise it seems like usrsctp_close should disconnect all of the callbacks.

Would that pose a problem though? It would mean that when this happens, we wouldn't send out the abort chunk (that's what usrsctp is trying to do when the crash occurs). I guess delivery of that isn't guaranteed anyway though.

@tuexen
Member

tuexen commented May 14, 2020

> This is still a problem for us. @tuexen, do you have any plan how to deal with this? Is there something we should be doing at the client level to wait for the socket to really be closed? Otherwise it seems like usrsctp_close should disconnect all of the callbacks.
>
> Would that pose a problem though? It would mean that when this happens, we wouldn't send out the abort chunk (that's what usrsctp is trying to do when the crash occurs). I guess delivery of that isn't guaranteed anyway though.

So what exactly is the problem? When the user calls usrsctp_close(), the association does not go away instantly. So do you expect no callbacks any more? I guess you are not using the upcall API, right?

@taylor-b
Contributor

Yes, the naïve assumption was that after calling usrsctp_close there would be no more callbacks. If that was not intended to be a guarantee, what should we be listening for to tell us that the socket is really closed?

And no, we're not using the upcall API. Should we be? Can you summarize how it works?

This is what we're running into:

    #1 0x109cd0037 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket(void*, void*, unsigned long, unsigned char, unsigned char) ??:0:0
    #2 0x10a7cbd33 in sctp_lowlevel_chunk_output ??:0:0
    #3 0x10a7f04eb in sctp_send_abort_tcb ??:0:0
    #4 0x10a81356f in sctp_inpcb_free ??:0:0
    #5 0x10a837aa8 in sctp_close ??:0:0
    #6 0x10a882b2f in sofree ??:0:0
    #7 0x10a861798 in sctp_timeout_handler ??:0:0
    #8 0x10a77189b in sctp_handle_tick ??:0:0

Presumably this is from the INPKILL timer.

@paullouisageneau
Contributor

Any updates on this? I'm experiencing the same behavior and I don't know how to handle it.

Are callbacks really supposed to still be called after close? If so, how do you know when it is safe to assume no more calls?

@tuexen
Member

tuexen commented Jul 10, 2020

> Yes, the naïve assumption was that after calling usrsctp_close there would be no more callbacks. If that was not intended to be a guarantee, what should we be listening for to tell us that the socket is really closed?
>
> And no, we're not using the upcall API. Should we be? Can you summarize how it works?
>
> This is what we're running into:
>
>     #1 0x109cd0037 in cricket::SctpTransport::UsrSctpWrapper::OnSctpOutboundPacket(void*, void*, unsigned long, unsigned char, unsigned char) ??:0:0
>     #2 0x10a7cbd33 in sctp_lowlevel_chunk_output ??:0:0
>     #3 0x10a7f04eb in sctp_send_abort_tcb ??:0:0
>     #4 0x10a81356f in sctp_inpcb_free ??:0:0
>     #5 0x10a837aa8 in sctp_close ??:0:0
>     #6 0x10a882b2f in sofree ??:0:0
>     #7 0x10a861798 in sctp_timeout_handler ??:0:0
>     #8 0x10a77189b in sctp_handle_tick ??:0:0
>
> Presumably this is from the INPKILL timer.

I just realised: You are not referring to the send callback in the socket API (upper layer interface), but to the function to send out packets (lower layer interface). Doesn't deregistering the address do what you want?
Please note that associations live longer than they can interact with their upper layer... Terminating an application using a TCP connection also does not mean that the TCP connection is terminated.

@paullouisageneau
Contributor

paullouisageneau commented Jul 10, 2020

Same here, it's indeed about the lower layer function to send out packets (the one passed to usrsctp_socket as 5th argument).

On my side the callback was sometimes called after usrsctp_deregister_address. Actually, it could make sense for it to be called after closing the socket but not after deregistering the address.

@tuexen
Member

tuexen commented Jul 10, 2020

> Same here, it's indeed about the lower layer function to send out packets (the one passed to usrsctp_socket as 5th argument).
>
> On my side the callback was sometimes called after usrsctp_deregister_address. Actually, it would make sense for it to be called after closing the socket but not after deregistering the address.

Let me double check...

@paullouisageneau
Contributor

Thanks. Actually the call might not be technically posterior to deregistering but simply concurrent, which results in the same issue depending on thread scheduling.
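
The application-side guard this thread is asking about, as an added example that is not code from the issue, usrsctp or WebRTC: the value handed to the library as the callback's first `void *` argument is an id looked up under a lock rather than a pointer to a freeable object, so a late call from the SCTP timer thread is dropped instead of touching freed memory. The `transport` struct, the registry and every function name are hypothetical; only the callback signature mirrors the `OnSctpOutboundPacket(void*, void*, unsigned long, unsigned char, unsigned char)` frame in the traces above.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRANSPORTS 64

/* Hypothetical application object that owns one SCTP socket. */
struct transport {
    size_t packets_sent;
    size_t bytes_sent;
};

struct slot {
    uintptr_t id;            /* 0 marks an empty slot */
    struct transport *t;
};

static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;
static struct slot g_slots[MAX_TRANSPORTS];
static uintptr_t g_next_id = 1;   /* ids are never reused, so stale ids never match */
static size_t g_late_dropped;

/* Caller must hold g_lock. Returns NULL for unknown or stale ids. */
static struct transport *lookup_locked(uintptr_t id)
{
    if (id == 0)
        return NULL;
    for (size_t i = 0; i < MAX_TRANSPORTS; i++)
        if (g_slots[i].id == id)
            return g_slots[i].t;
    return NULL;
}

/* Returns the id to give the library in place of a raw pointer, 0 if full. */
uintptr_t transport_register(struct transport *t)
{
    uintptr_t id = 0;
    pthread_mutex_lock(&g_lock);
    for (size_t i = 0; i < MAX_TRANSPORTS; i++) {
        if (g_slots[i].id == 0) {
            id = g_next_id++;
            g_slots[i].id = id;
            g_slots[i].t = t;
            break;
        }
    }
    pthread_mutex_unlock(&g_lock);
    return id;
}

/* Teardown order: unregister, release the lock, close the socket, free.
 * Taking g_lock here waits for any callback that is mid-flight. Do not hold
 * g_lock across the close call: the trace in this thread shows sctp_close
 * reaching the output callback, which would then deadlock on g_lock. */
int transport_unregister(uintptr_t id)
{
    int rc = -1;
    if (id == 0)
        return rc;
    pthread_mutex_lock(&g_lock);
    for (size_t i = 0; i < MAX_TRANSPORTS; i++) {
        if (g_slots[i].id == id) {
            g_slots[i].id = 0;
            g_slots[i].t = NULL;
            rc = 0;
            break;
        }
    }
    pthread_mutex_unlock(&g_lock);
    return rc;
}

/* Lower-layer output callback. addr carries the id, never a pointer. */
int on_outbound_packet(void *addr, void *buffer, size_t length,
                       uint8_t tos, uint8_t set_df)
{
    int rc = -1;
    (void)buffer; (void)tos; (void)set_df;
    pthread_mutex_lock(&g_lock);
    struct transport *t = lookup_locked((uintptr_t)addr);
    if (t != NULL) {
        t->packets_sent++;       /* stands in for handing the packet to DTLS */
        t->bytes_sent += length;
        rc = 0;
    } else {
        g_late_dropped++;        /* callback arrived after unregister */
    }
    pthread_mutex_unlock(&g_lock);
    return rc;
}

size_t late_callbacks_dropped(void)
{
    pthread_mutex_lock(&g_lock);
    size_t n = g_late_dropped;
    pthread_mutex_unlock(&g_lock);
    return n;
}

int main(void)
{
    unsigned char pkt[16] = {0};   /* constructed sample packet */
    struct transport *t = calloc(1, sizeof *t);
    if (t == NULL)
        return 1;
    uintptr_t id = transport_register(t);
    on_outbound_packet((void *)id, pkt, sizeof pkt, 0, 0);
    transport_unregister(id);
    free(t);
    int late = on_outbound_packet((void *)id, pkt, sizeof pkt, 0, 0);
    printf("late callback rc=%d dropped=%zu\n", late, late_callbacks_dropped());
    return 0;
}
```
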

sancane added a commit to sancane/usrsctp that referenced this issue Oct 11, 2020
This patch tries to fix the problem of usrsctp calling callbacks even
after the usrsctp_close function is invoked.
Usrsctp seems to keep the association around until the teardown procedure
is completed. The problem is that sometimes it is not possible to
complete the shutdown procedure if the lower transport is gone like SCTP
running on top of DTLS. In such a case, callbacks triggered from usrsctp
are providing a pointer address to an application which could not be
valid or deallocated.
To let applications know when they can safely deallocate memory
registered with an association, we are storing a destroy function which
will be used for usrsctp to notify applications when the association is
gone.
Related issues:
sctplab#405
sctplab#147
sancane added a commit to sancane/usrsctp that referenced this issue Oct 11, 2020
This patch tries to fix the problem of usrsctp calling callbacks even
after the usrsctp_close function is invoked.
Usrsctp seems to keep the association around until the teardown procedure
is completed. The problem is that sometimes it is not possible to
complete the shutdown procedure if the lower transport is gone like SCTP
running on top of DTLS. In such a case, callbacks triggered from usrsctp
are providing a pointer address to an application which could have
been deallocated.
To let applications know when they can safely deallocate memory
registered with an association, we are storing a destroy function which
will be used for usrsctp to notify applications when the association is
gone.
Related issues:
sctplab#405
sctplab#147
sancane added a commit to sancane/usrsctp that referenced this issue Oct 11, 2020
This patch tries to fix the problem of usrsctp calling callbacks even
after the usrsctp_close function is invoked.
Usrsctp seems to keep the association around until the teardown procedure
is completed. The problem is that sometimes it is not possible to
complete the shutdown procedure if the lower transport is gone like SCTP
running on top of DTLS. In such a case, callbacks triggered from usrsctp
are providing a pointer address to an application which could have
been deallocated.
To let applications know when they can safely deallocate memory
registered with an association, we are storing a destroy function which
will be used for usrsctp to notify applications when the association is
gone.
Related issues:
sctplab#405
sctplab#147
tbeloqui added a commit to pexip/gstreamer that referenced this issue Mar 24, 2023
Workaround for sctplab/usrsctp#405:
- Since the sctp socket can outlive the sctp association, we need to only
register/deregister the association when creating/closing the socket.
This prevents invalid calls to sctp_packet_out() and receive_cb()
in potential invalid states.

Workaround for sctplab/usrsctp#383:
- Retry usrsctp_finish() for 5 seconds. This fixes a race condition between
usrsctp_close() and usrsctp_finish() in which a dead socket will be accessed
by the SCTP thread.
tbeloqui added a commit to pexip/gstreamer that referenced this issue Mar 24, 2023
Workaround for sctplab/usrsctp#405:
- Since the sctp socket can outlive the sctp association, we need to only
register/deregister the association when creating/closing the socket.
This prevents invalid calls to sctp_packet_out() and receive_cb()
in potential invalid states.

Workaround for sctplab/usrsctp#383:
- Retry usrsctp_finish() for 5 seconds. This fixes a race condition between
usrsctp_close() and usrsctp_finish() in which a dead socket will be accessed
by the SCTP thread.

(cherry picked from commit 9cf8ac2)
tbeloqui added a commit to pexip/gstreamer that referenced this issue Aug 4, 2023
This patch tries to fix the problem of usrsctp calling callbacks even
after the usrsctp_close function is invoked.
Usrsctp seems to keep the association around until the teardown procedure
is completed. The problem is that sometimes it is not possible to
complete the shutdown procedure if the lower transport is gone, like SCTP
running on top of DTLS. In such a case, callbacks triggered from usrsctp
are providing a pointer address to an application which could have
been deallocated.
To let applications know when they can safely deallocate memory
registered with an association, we are storing a destroy function which
will be used for usrsctp to notify applications when the association is
gone.
Related issues:
sctplab/usrsctp#405
sctplab/usrsctp#147

From: sctplab/usrsctp#535
havardgraff pushed a commit to pexip/gstreamer that referenced this issue Sep 27, 2023
Workaround for sctplab/usrsctp#405:
- Since the sctp socket can outlive the sctp association, we need to only
register/deregister the association when creating/closing the socket.
This prevents invalid calls to sctp_packet_out() and receive_cb()
in potential invalid states.

Workaround for sctplab/usrsctp#383:
- Retry usrsctp_finish() for 5 seconds. This fixes a race condition between
usrsctp_close() and usrsctp_finish() in which a dead socket will be accessed
by the SCTP thread.

(cherry picked from commit 9cf8ac2)
tbeloqui added a commit to pexip/gstreamer that referenced this issue Oct 9, 2024
Workaround for sctplab/usrsctp#405:
- Since the sctp socket can outlive the sctp association, we need to only
register/deregister the association when creating/closing the socket.
This prevents invalid calls to sctp_packet_out() and receive_cb()
in potential invalid states.

Workaround for sctplab/usrsctp#383:
- Retry usrsctp_finish() for 5 seconds. This fixes a race condition between
usrsctp_close() and usrsctp_finish() in which a dead socket will be accessed
by the SCTP thread.

(cherry picked from commit 9cf8ac2)
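
The register/deregister workaround described in the commit messages above, modelled as an added example (not code from usrsctp, GStreamer or any commit referenced here). It assumes the stack is handed an integer handle rather than a pointer, so a callback that fires after close finds nothing in the registry; `assoc_register`, `assoc_deregister` and `on_packet_out` are hypothetical names.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of the registry idea; not usrsctp or GStreamer code. */
#define MAX_ASSOC 8
struct assoc { uint32_t id; int packets_out; };

static struct assoc *registry[MAX_ASSOC];
static uint32_t next_id = 1;  /* 0 is never valid; ids are not reused, so a
                                 stale handle cannot alias a newer association */
static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;

/* Socket creation: publish the association, return the handle for the stack. */
uint32_t assoc_register(void) {
    uint32_t id = 0;
    pthread_mutex_lock(&reg_lock);
    for (int i = 0; i < MAX_ASSOC; i++) {
        if (registry[i] == NULL) {
            struct assoc *a = calloc(1, sizeof(*a));
            if (a != NULL) { a->id = id = next_id++; registry[i] = a; }
            break;
        }
    }
    pthread_mutex_unlock(&reg_lock);
    return id;
}

/* Socket close: unpublish and free under the lock, so no callback can be
 * in the middle of using the object while it is released. */
void assoc_deregister(uint32_t id) {
    pthread_mutex_lock(&reg_lock);
    for (int i = 0; i < MAX_ASSOC; i++) {
        if (registry[i] != NULL && registry[i]->id == id) {
            free(registry[i]);
            registry[i] = NULL;
        }
    }
    pthread_mutex_unlock(&reg_lock);
}

/* Stand-in for the send callback: looks the handle up instead of trusting it. */
int on_packet_out(uint32_t id) {
    int rc = -1;              /* -1: association is gone, drop the packet */
    pthread_mutex_lock(&reg_lock);
    for (int i = 0; i < MAX_ASSOC; i++) {
        if (registry[i] != NULL && registry[i]->id == id) {
            registry[i]->packets_out++;
            rc = 0;
        }
    }
    pthread_mutex_unlock(&reg_lock);
    return rc;
}
```

A late callback carrying a deregistered handle returns -1 without touching freed memory, which is the failure mode the issue reports when a raw pointer is used instead.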