Write Characteristic crashes Chrome and Canary on OSX
Reported by juer...@aircable.net, Apr 28 2017
Issue description

Using the Web Bluetooth API one characteristic is set to notify. While data is coming in I write on another characteristic. Eventually it crashes Chrome. The time when that happens is arbitrary; it seems to me that when both events happen at the same time, it crashes.

The app used for testing is: https://github.com/urish/ng-beacon-app
It sends many strings to a char while waiting for data on another char. This happens in my case at the same time.

Process:               Google Chrome Canary [2820]
Path:                  /Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary
Identifier:            com.google.Chrome.canary
Version:               60.0.3083.0 (3083.0)
Code Type:             X86-64 (Native)
Parent Process:        bash [890]
Responsible:           Terminal [699]
User ID:               501

Date/Time:             2017-04-28 16:05:41.007 -0700
OS Version:            Mac OS X 10.12.4 (16E195)
Report Version:        12
Anonymous UUID:        25FD8EB4-C36E-1D52-5C1B-FCEA2ED3C583

Time Awake Since Boot: 2700 seconds

System Integrity Protection: disabled

Crashed Thread:        0  CrBrowserMain  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000008

VM Regions Near 0x8:
--> __TEXT 000000010ef6f000-000000010ef70000 [ 4K] r-x/rwx SM=COW /Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary

Thread 0 Crashed:: CrBrowserMain  Dispatch queue: com.apple.main-thread
0   com.google.Chrome.framework   0x0000000111c89a62 0x10efd7000 + 46869090
1   com.apple.CoreBluetooth       0x00007fffa6ab763c -[CBCentralManager xpcConnection:didReceiveMsg:args:] + 79
2   com.apple.CoreBluetooth       0x00007fffa6ac1996 __34-[CBXpcConnection handleMsg:args:]_block_invoke + 77

Here is the log from Canary. While writing is in progress, a read request arrives and crashes Chrome and Canary.

[2820:775:0428/160521.615495:VERBOSE1:bluetooth_low_energy_device_mac.mm(394)] <BluetoothLowEnergyDeviceMac 7A:38:D6:67:E6:8D/0x7f7ff65a7f10, "AIRbrdg2">: Discovery complete.
[2820:775:0428/160521.615523:VERBOSE2:bluetooth_device.cc(457)] Looking for service: 0000fef1-0000-1000-8000-00805f9b34fb
[2820:775:0428/160521.615540:VERBOSE2:bluetooth_device.cc(459)] Service in cache: 0000fef1-0000-1000-8000-00805f9b34fb
[2820:775:0428/160521.615554:VERBOSE2:bluetooth_device.cc(459)] Service in cache: 00001016-d102-11e1-9b23-00025b00a5a5
[2820:775:0428/160521.618246:INFO:CONSOLE(679)] "connect chars", source: http://localhost:4200/main.bundle.js (679)
[2820:775:0428/160521.618423:INFO:CONSOLE(39888)] "[BLE::Info] Getting Characteristic "%s" of %o", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160521.619152:INFO:CONSOLE(39888)] "[BLE::Info] Getting Characteristic "%s" of %o", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160521.621937:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(219)] <BluetoothRemoteGattCharacteristicMac 0000fef2-0000-1000-8000-00805f9b34fb/0x7f7ff7c4df00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Subscribe to characteristic.
[2820:775:0428/160521.622143:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(219)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Subscribe to characteristic.
[2820:775:0428/160521.674137:INFO:CONSOLE(212)] "ERROR", source: ng:///MdInputModule/MdInputContainer.ngfactory.js (212)
[2820:775:0428/160521.674238:INFO:CONSOLE(212)] "ERROR CONTEXT", source: ng:///MdInputModule/MdInputContainer.ngfactory.js (212)
[2820:775:0428/160521.675408:INFO:CONSOLE(669)] "writing: %s", source: http://localhost:4200/main.bundle.js (669)
[2820:775:0428/160521.675500:INFO:CONSOLE(39888)] "[BLE::Info] Writing Characteristic %o", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160521.675578:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(197)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write characteristic.
[2820:775:0428/160522.456374:INFO:CONSOLE(39888)] "[BLE::Info] Starting notifications of "%s"", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160523.055718:INFO:CONSOLE(39888)] "[BLE::Info] Starting notifications of "%s"", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160523.535063:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(316)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write value succeeded.
[2820:775:0428/160523.547606:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(197)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write characteristic.
[2820:775:0428/160523.547821:INFO:CONSOLE(669)] "writing: %s", source: http://localhost:4200/main.bundle.js (669)
[2820:775:0428/160523.547881:INFO:CONSOLE(39888)] "[BLE::Info] Writing Characteristic %o", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160523.774961:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(316)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write value succeeded.
[2820:775:0428/160523.786696:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(197)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write characteristic.
[2820:775:0428/160523.786943:INFO:CONSOLE(669)] "writing: %s", source: http://localhost:4200/main.bundle.js (669)
[2820:775:0428/160523.787005:INFO:CONSOLE(39888)] "[BLE::Info] Writing Characteristic %o", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160524.375541:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(316)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write value succeeded.
[2820:775:0428/160524.386850:INFO:CONSOLE(669)] "writing: %s", source: http://localhost:4200/main.bundle.js (669)
[2820:775:0428/160524.386935:INFO:CONSOLE(39888)] "[BLE::Info] Writing Characteristic %o", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160524.387010:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(197)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write characteristic.
….
[2820:775:0428/160540.695025:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(316)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write value succeeded.
[2820:775:0428/160540.708861:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(197)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Write characteristic.
[2820:775:0428/160540.709081:INFO:CONSOLE(669)] "writing: %s", source: http://localhost:4200/main.bundle.js (669)
[2820:775:0428/160540.709136:INFO:CONSOLE(39888)] "[BLE::Info] Writing Characteristic %o", source: http://localhost:4200/vendor.bundle.js (39888)
[2820:775:0428/160540.815320:VERBOSE1:bluetooth_remote_gatt_characteristic_mac.mm(270)] <BluetoothRemoteGattCharacteristicMac c4edc000-9daf-11e3-8003-00025b000b00/0x7f7ff671ac00, service: 0000fef1-0000-1000-8000-00805f9b34fb/0x7f7ff66158b0>: Read request arrived.
Segmentation fault: 11
Apr 29 2017
This is the last one. I can easily reproduce it. Crash ID 4d3a7074-d75b-4179-83c4-e9c335906e45
Apr 29 2017
more info: Crash ID 4d3a7074-d75b-4179-83c4-e9c335906e45 (Server ID: 778d86b390000000)
Apr 29 2017
The code to reproduce this bug is pretty much based on this: https://github.com/urish/ng-beacon-app
The major difference is that once notifications are enabled, data is pouring in. Then when a write to a char occurs, it crashes. It's random, so it's a timing issue. I would guess that when read and write happen at the same time, it gets into trouble.
Apr 30 2017
The crash is happening at:

device::BluetoothRemoteGattCharacteristicMac::DidUpdateValue(NSError*)

There we have the following code:

  if (characteristic_value_read_or_write_in_progress_) {
    std::pair<ValueCallback, ErrorCallback> callbacks;
    callbacks.swap(read_characteristic_value_callbacks_);
    characteristic_value_read_or_write_in_progress_ = false;
    // ... the swapped-out read callbacks are then run; they are null when only a write is pending
  }

So if a notification arrives during a write request, the if statement gets executed, but there are actually no read callbacks, so we crash.
May 1 2017
May 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6ce865fc28199a11109d3b72ad3b5eb52b3ae826

commit 6ce865fc28199a11109d3b72ad3b5eb52b3ae826
Author: ortuno <ortuno@chromium.org>
Date: Tue May 02 01:06:36 2017

bluetooth: Fix crash when a notification arrives during a write

1. Instead of using a boolean to keep track of pending read or writes, check if there are non-null callbacks.
2. Check HasPendingRead only when a notification arrives.

BUG= 716655
Review-Url: https://codereview.chromium.org/2849113002
Cr-Commit-Position: refs/heads/master@{#468519}

[modify] https://crrev.com/6ce865fc28199a11109d3b72ad3b5eb52b3ae826/device/bluetooth/bluetooth_remote_gatt_characteristic_mac.h
[modify] https://crrev.com/6ce865fc28199a11109d3b72ad3b5eb52b3ae826/device/bluetooth/bluetooth_remote_gatt_characteristic_mac.mm
[modify] https://crrev.com/6ce865fc28199a11109d3b72ad3b5eb52b3ae826/device/bluetooth/bluetooth_remote_gatt_characteristic_unittest.cc
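Added example, not Chromium's code: a minimal C++ model of the state machine diagnosed in the Apr 30 comment and of point 1 of the fix above. The class and function names here are made up; the buggy path decides with the shared read-or-write flag, the fixed path with non-null read callbacks, and std::bad_function_call stands in for the null-callback segfault at address 0x8.

```cpp
#include <functional>
#include <utility>
#include <vector>
using Bytes = std::vector<unsigned char>;
using ValueCallback = std::function<void(const Bytes&)>;
using ErrorCallback = std::function<void()>;

// Minimal model of the macOS characteristic state machine (not Chromium's class).
class GattCharacteristic {
 public:
  explicit GattCharacteristic(bool fixed) : fixed_(fixed) {}
  void ReadValue(ValueCallback ok, ErrorCallback err) {
    read_callbacks_ = {std::move(ok), std::move(err)};
    read_or_write_in_progress_ = true;  // the flag the buggy version relies on
  }
  // A write sets the same flag, so to the buggy check a write looks like a read.
  void WriteValue(const Bytes&) { read_or_write_in_progress_ = true; }
  // The fix: a read is pending only if its callbacks are non-null.
  bool HasPendingRead() const { return static_cast<bool>(read_callbacks_.first); }
  // CoreBluetooth reports a read response AND every notification through here.
  void DidUpdateValue(const Bytes& value, bool error) {
    bool treat_as_read = fixed_ ? HasPendingRead() : read_or_write_in_progress_;
    if (treat_as_read) {
      std::pair<ValueCallback, ErrorCallback> callbacks;
      callbacks.swap(read_callbacks_);  // both null when only a write is pending
      read_or_write_in_progress_ = false;
      if (error) callbacks.second(); else callbacks.first(value);  // null: throws
      return;
    }
    notifications_.push_back(value);  // delivered as a notification
  }
  int notifications() const { return static_cast<int>(notifications_.size()); }
 private:
  bool fixed_, read_or_write_in_progress_ = false;
  std::pair<ValueCallback, ErrorCallback> read_callbacks_;
  std::vector<Bytes> notifications_;
};

// One value arrives from CoreBluetooth while a read or a write is pending.
// Returns -1 for a "crash" (stand-in for the SIGSEGV), else notifications delivered.
int ValueArrives(bool fixed, bool read_pending) {
  GattCharacteristic c(fixed);
  if (read_pending) c.ReadValue([](const Bytes&) {}, [] {});
  else c.WriteValue(Bytes{0x01, 0x02});
  try {
    c.DidUpdateValue(Bytes{0x42}, false);
  } catch (const std::bad_function_call&) {
    return -1;
  }
  return c.notifications();
}
```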
May 2 2017
May 5 2017
Verified, no crashes anymore. Thanks, guys, for this quick turnaround.
May 7 2017
Comment 1 by ortuno@chromium.org, Apr 28 2017