Issue metadata
Sign in to add a comment
|
webview trying to setvolume on an destroyed audiotrack and cause a crash
Reported by
howard....@mediatek.com,
Nov 23
|
||||||||||||||||||||||||
Issue descriptionSteps to reproduce the problem: Monkey test. seldom issue. From log it's playing a video on m.youtube.com. What is the expected behavior? What went wrong? We found a browser issue when it manipulates AudioTrack. An accessing invalid address issue is caused by using AudioTrack object after free: 11-19 12:16:22.321 27870 27906 D AudioTrack: ~AudioTrack(): 0x8b86c600 11-19 12:16:22.334 27870 28079 D AudioTrack: setVolume(): 0x8b86c600, left = 1.000000, right = 1.000000 The threads in Browser process that deleting AudioTrack object and calling setVolume of AudioTrack are different. It seems that browser encounters synchronization issue. *the browser application uses AOSP webview. ---- [Process and threads] LABEL USER PID TID PPID VSZ RSS WCHAN ADDR S PRI NI RTPRIO SCH PCY BIT CPU NAME CMD u:r:platform_app:s0:c512,c768 u0_a52 27870 27906 5995 1294264 87952 do_exit 9892b998 D 19 0 - 0 fg 32 3 com.android.browser AudioThread u:r:platform_app:s0:c512,c768 u0_a52 27870 28079 5995 1294264 87952 0 ae421c86 S 19 0 - 0 bg 32 2 com.android.browser Binder:27870_5 [Exception info] $** *** *** *** *** *** *** *** Exception *** *** *** *** *** *** *** **$ Exception Log Time:[Mon Nov 19 12:16:29 CST 2018] [239615.167310] Exception Class: Native (NE) Exception Type: SIGABRT Current Executing Process: pid: 27870, tid: 28079 com.android.browser Backtrace: #00 pc 0001cc86 /system/lib/libc.so (abort+58) #01 pc 0000223d /system/bin/app_process32 (art::SignalChain::Handler(int, siginfo*, void*)+744) #02 pc 00019994 /system/lib/libc.so #03 pc 00034502 /system/lib/libaudioclient.so (android::AudioTrack::setVolume(float, float)+150) #04 pc 00047739 /system/lib/libaudioclient.so (android::TrackPlayerBase::playerSetVolume()+56) #05 pc 0004726f /system/lib/libaudioclient.so (android::PlayerBase::setVolume(float)+62) #06 pc 00025c1b /system/lib/libaudioclient.so (android::media::BnPlayer::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+270) #07 pc 000360f9 /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+72) #08 pc 0003d80d /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+404) #09 pc 0003d59f /system/lib/libbinder.so (android::IPCThreadState::getAndExecuteCommand()+106) #10 pc 0003dabf /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+38) #11 pc 000543af /system/lib/libbinder.so (android::PoolThread::threadLoop()+14) #12 pc 0000c08b /system/lib/libutils.so (android::Thread::_threadLoop(void*)+166) #13 pc 0006ff57 /system/lib/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+82) #14 pc 000632e5 /system/lib/libc.so (__pthread_start(void*)+22) #15 pc 0001de49 /system/lib/libc.so (__start_thread+24) [logcat] 11-19 12:15:55.464 27870 27870 I WebViewFactory: Loading com.android.webview version 66.0.3359.158 (code 336015805) 11-19 12:16:08.968163 27870 27870 D browser : Tab.syncCurrentState()()--->url = https://m.youtube.com/watch?v=nvvLlCG9hH0, webview = com.android.browser.BrowserWebView{88c3843 VFEDHVCL. .F...... 0,0-720,1016} 11-19 12:16:15.218 27870 27870 D WebViewTimersControl: onBrowserActivityPause 11-19 12:16:15.333 27870 27870 V PhoneWindow: DecorView setVisiblity: visibility = 4, Parent = android.view.ViewRootImpl@4691997, this = DecorView@8561784[BrowserActivity] 11-19 12:16:15.618 27870 27925 E chromium: [ERROR:gl_context_virtual.cc(39)] Trying to make virtual context current without decoder. 11-19 12:16:16.918 27870 27906 D : PlayerBase::stop() from IPlayer 11-19 12:16:16.918 27870 27906 D AudioTrack: stop(): 0x8b86c600, mState = 0 11-19 12:16:16.918 27870 27906 D AudioTrack: stop() called with 356566 frames delivered 11-19 12:16:16.920 27870 27967 D AudioTrackShared: obtainBuffer() interrupted by client 11-19 12:16:16.937 27870 27906 D AudioTrack: AudioTrackThread::pause 11-19 12:16:16.937 27870 27906 D AudioTrack: audiotrack 0x8b86c600 stop done 11-19 12:16:17.584 27870 27965 W cr_MediaCodecBridge: Releasing: OMX.MTK.VIDEO.DECODER.VP9 11-19 12:16:17.696 27870 27970 D SurfaceUtils: disconnecting from surface 0x8baec808, reason disconnectFromSurface 11-19 12:16:17.697 27870 27970 D Surface : Surface::disconnect(this=0x8baec800,api=3) 11-19 12:16:17.711 27870 27965 W MediaAnalyticsItem: Unable to record: [1:codec:0:-1::0:-1:1:0:15:android.media.mediacodec.codec=OMX.MTK.VIDEO.DECODER.VP9:android.media.mediacodec.mode=video:android.media.mediacodec.secure=0:android.media.mediacodec.encoder=0:android.media.mediacodec.width=480:android.media.mediacodec.height=360:android.media.mediacodec.rotation-degrees=0:android.media.mediacodec.maxwidth=480:android.media.mediacodec.maxheight=360:android.media.mediacodec.mime=video/x-vnd.on2.vp9:android.media.mediacodec.latency.max=1777185:android.media.mediacodec.latency.min=255872:android.media.mediacodec.latency.avg=581462:android.media.mediacodec.latency.n=107:android.media.mediacodec.latency.unknown=1:] [forcenew=0] 11-19 12:16:17.716 27870 27965 W cr_MediaCodecBridge: Codec released 11-19 12:16:17.783 27870 27870 W AudioManager: Use of stream types is deprecated for operations other than volume control 11-19 12:16:17.783 27870 27870 W AudioManager: See the documentation of requestAudioFocus() for what to use instead with android.media.AudioAttributes to qualify your playback use case 11-19 12:16:21.319 27870 28079 D : PlayerBase::setVolume() from IPlayer 11-19 12:16:21.320 27870 28079 D AudioTrack: setVolume(): 0x8b86c600, left = 0.000000, right = 0.000000 11-19 12:16:22.321 27870 27906 D AudioTrack: stop(): 0x8b86c600, mState = 4 11-19 12:16:22.321 27870 27906 D AudioTrack: ~AudioTrack(): 0x8b86c600 11-19 12:16:22.322 27870 27906 D AudioTrack: stop(): 0x8b86c600, mState = 4 11-19 12:16:22.322 27870 27906 D AudioTrack: AudioTrackThread::requestExit 11-19 12:16:22.322 27870 27906 D AudioTrack: AudioTrackThread::resume 11-19 12:16:22.334 27870 28079 D : PlayerBase::setVolume() from IPlayer 11-19 12:16:22.334 27870 28079 D AudioTrack: setVolume(): 0x8b86c600, left = 1.000000, right = 1.000000 11-19 12:16:22.335 27870 27906 W MediaAnalyticsItem: Unable to record: [1:audiotrack:0:-1::0:-1:1:0:6:android.media.audiotrack.underrunframes=42836:android.media.audiotrack.streamtype=3:android.media.audiotrack.type=1831629677:android.media.audiotrack.usage=1819290742:android.media.audiotrack.samplerate=48000:android.media.audiotrack.channelmask=3:] [forcenew=0] 11-19 12:16:24.782 28126 28079 F google-breakpad: Microdump skipped (uninteresting) 11-19 12:16:24.826 27870 28079 W google-breakpad: ### ### ### ### ### ### ### ### ### ### ### ### ### 11-19 12:16:24.829 27870 28079 W google-breakpad: Chrome build fingerprint: 11-19 12:16:24.829 27870 28079 W google-breakpad: 9 11-19 12:16:24.830 27870 28079 W google-breakpad: 28 11-19 12:16:24.830 27870 28079 W google-breakpad: ### ### ### ### ### ### ### ### ### ### ### ### ### 11-19 12:16:24.830 27870 28079 E libsigchain: exiting due to SIG_DFL handler for signal 11, ucontext 0xab8f7d10 Crashed report ID: How much crashed? Just one tab Is it a problem with a plugin? No Did this work before? N/A Chrome version: 66.0.3359.158 Channel: n/a OS Version: 9.0 Flash Version:
,
Nov 26
,
Nov 26
Hmm, I'm not sure why we'd have an AudioTrack output stream with YouTube, it should be an OpenSLES stream. https://cs.chromium.org/chromium/src/media/audio/android/audio_manager_android.cc?l=249 Is your app using any AudioTrack streams?
,
Dec 4
First of all, could you verify if this could be reproduced in latest version of WebView? As the crash happened in M66, which could already be fixed. If it could be reproduced, please attach full google-breakpad log, it is all the lines with "google-breakpad"
,
Dec 7
I agree that this issue may already fixed in a later chromium release.
However there is no plan for us to switch to latest webview version just yet. After internal discussion, Please close or reject this ticket.
thanks!
---
BTW, I've tried to play this with webviewshell, from systrace & catcher log , chromium uses OpenSLES stream when play youtube, and libOpenSLEs will eventually invokes AudioTrack of platform. (runs in audiothread)
----
[logcat]
12-03 08:16:11.841 7019 7068 I libOpenSLES: Emulating old channel mask behavior (ignoring positional mask 0x3, using default mask 0x3 based on channel count of 2)
12-03 08:16:11.841 7019 7068 D AudioTrack: InitializeMTKLogLevel: default level[2]
12-03 08:16:11.841 7019 7068 D AudioTrack: set(): 0x734d44cc00, streamType 3, sampleRate 48000, format 0x5, channelMask 0x3, frameCount 0, flags #8, notificationFrames 0, sessionId 185, transferType 0, uid -1, pid -1
[thread information]
Running process: m.webview_shell (pid 7019)
Running thread: AudioThread
Args:
{comm: "AudioThread",
tid: 7068,
prio: 120,
stateWhenDescheduled: "R"}
,
Dec 7
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 7
Actually, this is known issue and hasn't been fixed. |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by dtapu...@chromium.org
, Nov 23