
Issue 906958


Issue metadata

Status: Fixed
Owner:
Closed: Nov 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




CRAS: crash in ucm_set_enabled

Project Member Reported by hychao@chromium.org, Nov 20

Issue description

Stable signature: ucm_set_enabled-6de6363c
Example report ID: 1fb49b038f853f51
Link: https://crash.corp.google.com/1fb49b038f853f51


Stats:
10	11210.0.0	ucm_set_enabled-6de6363c
8	11151.22.0	ucm_set_enabled-6de6363c
6	11151.17.0	ucm_set_enabled-6de6363c
5	11151.4.0	ucm_set_enabled-6de6363c
5	11097.0.0	ucm_set_enabled-6de6363c
4	11210.0.0	ucm_set_enabled-83601694
3	11151.25.0	ucm_set_enabled-6de6363c
3	11151.13.0	ucm_set_enabled-6de6363c
2	11125.0.0	ucm_set_enabled-6de6363c
2	11151.29.0	ucm_set_enabled-6de6363c
2	11143.0.0	ucm_set_enabled-6de6363c
1	11143.0.0	ucm_set_enabled-0eba3042
1	11108.0.0	ucm_set_enabled-6de6363c
1	11108.0.0	ucm_set_enabled-83601694
1	11151.13.0	ucm_set_enabled-83601694
1	10895.78.0	ucm_set_enabled-6de6363c
1	11151.29.0	ucm_set_enabled-d4661755
1	11151.4.0	ucm_set_enabled-83601694


Sample backtraces:

Mani R71
(gdb) bt
#0  device_enabled (mgr=0x400000002, dev=0x800000008 <error: Cannot access memory at address 0x800000008>) at server/cras_alsa_ucm.c:94
#1  ucm_set_enabled (mgr=0x400000002, dev=0x800000008 <error: Cannot access memory at address 0x800000008>, enable=0) at server/cras_alsa_ucm.c:483
#2  0x0000556c2350dabd in enable_active_ucm (aio=<optimized out>, plugged=<optimized out>) at server/cras_alsa_io.c:1710
#3  alsa_iodev_set_active_node (iodev=0x556c23720710, ionode=0x556c23726750, dev_enabled=0) at server/cras_alsa_io.c:2330
#4  0x0000556c234efa10 in cras_iodev_list_disable_dev (dev=0x556c23720710, force_close=true) at server/cras_iodev_list.c:1160
#5  0x0000556c234efef3 in cras_iodev_list_rm_output (dev=0x556c23720710) at server/cras_iodev_list.c:1213
#6  0x0000556c2350de75 in alsa_iodev_destroy (iodev=0x556c23720710) at server/cras_alsa_io.c:2275
#7  0x0000556c2350b48c in cras_alsa_card_destroy (alsa_card=0x556c236c5720) at server/cras_alsa_card.c:626
#8  0x0000556c234f63db in cras_system_remove_alsa_card (alsa_card_index=0) at server/cras_system_state.c:399
#9  0x0000556c234f6ffb in device_remove_alsa (sysname=<optimized out>, card=<optimized out>) at server/cras_udev.c:307
#10 remove_device_if_card (dev=<optimized out>) at server/cras_udev.c:350
#11 udev_sound_subsystem_callback (arg=<optimized out>) at server/cras_udev.c:386
#12 0x0000556c234cdd36 in cras_server_run (profile_disable_mask=<optimized out>) at server/cras_server.c:611
#13 0x0000556c234cd11e in main (argc=<optimized out>, argv=0x7ffe098df128) at server/cras.c:141


Snappy R69

(gdb) bt
#0  device_enabled (mgr=0x0, dev=0x200000002 <error: Cannot access memory at address 0x200000002>) at server/cras_alsa_ucm.c:87
#1  ucm_set_enabled (mgr=0x0, dev=0x200000002 <error: Cannot access memory at address 0x200000002>, enable=0) at server/cras_alsa_ucm.c:476
#2  0x00005c95b9e67bcd in enable_active_ucm (aio=<optimized out>, plugged=<optimized out>) at server/cras_alsa_io.c:1675
#3  alsa_iodev_set_active_node (iodev=0x5c95bb340e50, ionode=0x5c95bb341180, dev_enabled=0) at server/cras_alsa_io.c:2271
#4  0x00005c95b9e4ab60 in cras_iodev_list_disable_dev (dev=0x5c95bb340e50, force_close=true) at server/cras_iodev_list.c:1052
#5  0x00005c95b9e4b043 in cras_iodev_list_rm_output (dev=0x5c95bb340e50) at server/cras_iodev_list.c:1105
#6  0x00005c95b9e67f45 in alsa_iodev_destroy (iodev=0x5c95bb340e50) at server/cras_alsa_io.c:2216
#7  0x00005c95b9e6562c in cras_alsa_card_destroy (alsa_card=0x5c95bb359f90) at server/cras_alsa_card.c:589
#8  0x00005c95b9e50feb in cras_system_remove_alsa_card (alsa_card_index=1) at server/cras_system_state.c:388
#9  0x00005c95b9e51b1b in device_remove_alsa (sysname=<optimized out>, card=<optimized out>) at server/cras_udev.c:307
#10 remove_device_if_card (dev=<optimized out>) at server/cras_udev.c:350
#11 udev_sound_subsystem_callback (arg=<optimized out>) at server/cras_udev.c:386
#12 0x00005c95b9e29b36 in cras_server_run (profile_disable_mask=<optimized out>) at server/cras_server.c:554
#13 0x00005c95b9e2901e in main (argc=<optimized out>, argv=0x7ffd78a9cc98) at server/cras.c:141


 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 21

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/adhd/+/2c7831e8ab1f036242e791932512758681f1e5bd

commit 2c7831e8ab1f036242e791932512758681f1e5bd
Author: Hsin-Yu Chao <hychao@google.com>
Date: Wed Nov 21 04:32:39 2018

CRAS: alsa_io - Free jack list after removed from iodev list

In destructor of alsa_io, we should call destructor of jack list
after iodev is fully removed from iodev list. Otherwise in
cras_iodev_list_rm_output() the jack of active node is still being
used and could cause invalid memory access.

BUG= chromium:906958 
TEST=None

Change-Id: Ie505504ebbf3f8c8977cdfa891c9ae1ddcbbc938
Reviewed-on: https://chromium-review.googlesource.com/1343701
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Hsinyu Chao <hychao@chromium.org>
Reviewed-by: Cheng-Yi Chiang <cychiang@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/2c7831e8ab1f036242e791932512758681f1e5bd/cras/src/server/cras_alsa_io.c

Cc: kbleicher@chromium.org
Labels: Merge-Request-71
Status: Started (was: Assigned)
Requesting merge to 71.
Note this is a small fix for a crash starting M69.

Project Member

Comment 3 by sheriffbot@chromium.org, Nov 21

Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: We are only 12 days from stable.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: OS-Chrome
Labels: -Merge-Review-71 Merge-Approved-71
Approved for M71 ChromeOS

Project Member

Comment 6 by bugdroid1@chromium.org, Nov 22

Labels: merge-merged-release-R71-11151.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/adhd/+/2cd1a5f09429e6ad821ebad1dc3794c49c182e11

commit 2cd1a5f09429e6ad821ebad1dc3794c49c182e11
Author: Hsin-Yu Chao <hychao@google.com>
Date: Thu Nov 22 05:33:27 2018

CRAS: alsa_io - Free jack list after removed from iodev list

In destructor of alsa_io, we should call destructor of jack list
after iodev is fully removed from iodev list. Otherwise in
cras_iodev_list_rm_output() the jack of active node is still being
used and could cause invalid memory access.

BUG= chromium:906958 
TEST=None

Change-Id: Ie505504ebbf3f8c8977cdfa891c9ae1ddcbbc938
Reviewed-on: https://chromium-review.googlesource.com/1343701
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Hsinyu Chao <hychao@chromium.org>
Reviewed-by: Cheng-Yi Chiang <cychiang@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit 2c7831e8ab1f036242e791932512758681f1e5bd)
Reviewed-on: https://chromium-review.googlesource.com/c/1347651
Reviewed-by: Hsinyu Chao <hychao@chromium.org>
Commit-Queue: Hsinyu Chao <hychao@chromium.org>

[modify] https://crrev.com/2cd1a5f09429e6ad821ebad1dc3794c49c182e11/cras/src/server/cras_alsa_io.c
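
The teardown-order hazard described in the commit message of comments 1 and 6, as an added example that is not CRAS code: a small C model in which the list-removal path still reads the active node's jack. All struct and function names are hypothetical, and the jack lives in static storage with a `live` flag so the model can count a stale access without touching freed heap.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not CRAS source; every name here is hypothetical. */
struct jack  { bool live; };                 /* stands in for a jack and what it owns */
struct node  { struct jack *jack; };         /* active node borrows a pointer to the jack */
struct iodev { struct node active; bool in_list; int stale_uses; };

static struct jack jack_slot;                /* static storage: "destroy" only clears live */

/* Models the jack list destructor: the jack must not be used afterwards. */
static void jack_list_destroy(struct jack *j) { j->live = false; }

/* Models removal from the device list: disabling the device touches the
 * active node's jack, the step the backtraces show ending in ucm_set_enabled. */
static void iodev_list_rm(struct iodev *dev)
{
    if (!dev->in_list)
        return;
    if (!dev->active.jack->live)
        dev->stale_uses++;                   /* real code: read through a dangling pointer */
    dev->in_list = false;
}

static void iodev_init(struct iodev *dev)
{
    jack_slot.live = true;
    dev->active.jack = &jack_slot;
    dev->in_list = true;
    dev->stale_uses = 0;
}

/* Order the commit message warns about: free while still reachable via the list. */
int destroy_free_first(void)
{
    struct iodev dev;
    iodev_init(&dev);
    jack_list_destroy(dev.active.jack);
    iodev_list_rm(&dev);
    return dev.stale_uses;
}

/* Order the commit message prescribes: unregister first, then free. */
int destroy_unlist_first(void)
{
    struct iodev dev;
    iodev_init(&dev);
    iodev_list_rm(&dev);
    jack_list_destroy(dev.active.jack);
    dev.active.jack = NULL;                  /* drop the borrowed pointer as well */
    return dev.stale_uses;
}

int main(void) { return destroy_unlist_first(); }
```

In real code the stale access is an ordinary pointer read, so a build with AddressSanitizer exercising device removal is the practical way to catch this ordering class before release.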

Labels: -Merge-Approved-71 Merge-Merged
Status: Fixed (was: Started)
