Crash in BT device close |
||||
Issue descriptionhttps://crash.corp.google.com/browse?q=reportid=%273403660c4af59544%27 is the top crash right now. pcm_buf is created in configure_dev. Perhaps it has been destroyed. Could you please take a look ? As you suggested, maybe we can pass in a pointer and and set it to NULL to avoid this kind of crash. Thanks!
,
Oct 24 2017
bt_io use a2dp or hfp device, depending on the active profile: https://cs.corp.google.com/chromeos_public/src/third_party/adhd/cras/src/server/cras_bt_io.c?q=cras_bt_io.c+package:%5Echromeos_public$&dr=CSs&l=221 It seems that it was using a2dp device, since hfp device does not have byte buffer. https://cs.corp.google.com/chromeos_public/src/third_party/adhd/cras/src/server/cras_a2dp_iodev.c?dr=CSs&l=217
,
Oct 24 2017
I don't understand why it shows file name and function name not right either...
,
Oct 25 2017
Re #1, I guess that's because the byte_buffer_destroy is an inline function so it prints the close_dev as function name.
,
Oct 25 2017
,
Oct 25 2017
Played with BT output/input with some bad behaviors and was unable to kill cras. The problem might be when cras was unable to open a BT device and crashed when closing it. I'll look into the code in close path and see if there's something we didn't catched.
,
Oct 25 2017
Turns out the use-after-free is when using HFP profile. hfp_info_destroy calls byte_buffer_destroy, and is called by destroy_audio_gateway which is called in many places. I'm going to add some logs to catch the bad uses.
,
Oct 26 2017
I was able to trigger cras hang with the following steps, but it's quite hard to re-pro. 1. Playback youtube to BT headset 2. Select BT headset as input device 3. Use chrome "search by voice" to start BT capture 4. Power off BT headset This might cause hfp read error in hfp_info_callback, which should stop and close the hfp device. However cras hang there. I'm wondering it might be a deadlock when hfp_info_stop calls audio_thread_rm_callback_sync while audio thread is executing the hfp_info_callback. But this is so hard to re-pro so it might take some more time to figure out.
,
Oct 26 2017
,
Nov 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/adhd/+/857fac3ed37254e4e90afbd93210c7d1a0f37c75 commit 857fac3ed37254e4e90afbd93210c7d1a0f37c75 Author: Chinyue Chen <chinyue@google.com> Date: Wed Nov 01 04:49:22 2017 CRAS: byte_buffer - Set buffer pointer to NULL when destroy There are reports that CRAS crashed in byte_buffer_destroy due to double free. This patch sets buffer pointer to NULL when byte buffer is destroyed so it will be easier to detect use-after-free cases. BUG=chromium:777812 TEST=Tested BT playback/capture on eve. Change-Id: Icdba45ce321f42987b930ca77d55dd2953671bb7 Reviewed-on: https://chromium-review.googlesource.com/739062 Commit-Ready: Chinyue Chen <chinyue@chromium.org> Tested-by: Chinyue Chen <chinyue@chromium.org> Reviewed-by: Wu-Cheng Li <wuchengli@chromium.org> [modify] https://crrev.com/857fac3ed37254e4e90afbd93210c7d1a0f37c75/cras/src/server/cras_a2dp_iodev.c [modify] https://crrev.com/857fac3ed37254e4e90afbd93210c7d1a0f37c75/cras/src/server/test_iodev.c [modify] https://crrev.com/857fac3ed37254e4e90afbd93210c7d1a0f37c75/cras/src/common/byte_buffer.h [modify] https://crrev.com/857fac3ed37254e4e90afbd93210c7d1a0f37c75/cras/src/server/cras_hfp_info.c [modify] https://crrev.com/857fac3ed37254e4e90afbd93210c7d1a0f37c75/cras/src/server/dev_stream.c [modify] https://crrev.com/857fac3ed37254e4e90afbd93210c7d1a0f37c75/cras/src/tests/byte_buffer_unittest.cc [modify] https://crrev.com/857fac3ed37254e4e90afbd93210c7d1a0f37c75/cras/src/server/cras_loopback_iodev.c
,
May 3 2018
|
||||
►
Sign in to add a comment |
||||
Comment 1 by wuchengli@chromium.org
, Oct 24 2017