Darwin segmentation fault on subscription error #21588

kpark-apple opened this issue Aug 3, 2022 · 1 comment
Problem

When a report error occurs and the queued report handler is executed after the SubscriptionCallback object has been deleted, calling the report handler on the queue causes a segmentation fault, like the following:

Thread 3 name:   Dispatch queue: com.apple.CoreHAP.CHIPAccessoryServer.clientQueue.0
Thread 3 Crashed:
0   Matter                        	       0x1186cf480 invocation function for block in (anonymous namespace)::SubscriptionCallback::ReportData() + 60
1   libdispatch.dylib             	       0x1ddb137ac _dispatch_call_block_and_release + 32
2   libdispatch.dylib             	       0x1ddb137ac _dispatch_call_block_and_release + 32
3   libdispatch.dylib             	       0x1ddb152d0 _dispatch_client_callout + 20
4   libdispatch.dylib             	       0x1ddb1c9d4 _dispatch_lane_serial_drain + 672
5   libdispatch.dylib             	       0x1ddb1d554 _dispatch_lane_invoke + 436
6   libdispatch.dylib             	       0x1ddb280a8 _dispatch_workloop_worker_thread + 652
7   libsystem_pthread.dylib       	       0x1ddd7afe4 _pthread_wqthread + 288
8   libsystem_pthread.dylib       	       0x1ddd825c8 start_wqthread + 8

Log leading to the fault:

2022-08-03 07:05:40.348341-0700 0x1f0b     Error       0x0                  767    0    homed: (Matter) [com.csa.matter:all] 🔴 [1659535540355] [767:7947] CHIP: [DMG] Subscription Liveness timeout with SubscriptionID = 0xced8bd17, Peer = 01:0000000010EA606E
2022-08-03 07:05:40.348917-0700 0x1f0b     Default     0x0                  767    0    homed: (Matter) [com.csa.matter:all] 🟢 [1659535540356] [767:7947] CHIP: [DMG] mResubscribePolicy is null
2022-08-03 07:05:40.349806-0700 0x1f0b     Default     0x0                  767    0    homed: (Matter) [com.csa.matter:all] 🟢 [1659535540357] [767:7947] CHIP: [DMG] MoveToState ReadClient[0x10e605570]: Moving to [      Idle]

Proposed Solution

I didn't try it myself, but in SubscriptionCallback::ReportData(), capture the callback blocks in the closure instead of capturing the "this" object when queuing the handler callback:

That is,

    // Copy the block out of the member first; the queued block then holds its own
    // reference and never reads from the SubscriptionCallback, which may be gone.
    __auto_type attributeReportCallback = mAttributeReportCallback;
    if (attributeReportCallback && attributeReports.count) {
        dispatch_async(mQueue, ^{
            attributeReportCallback(attributeReports);
        });
    }
    __auto_type eventReportCallback = mEventReportCallback;
    if (eventReportCallback && eventReports.count) {
        dispatch_async(mQueue, ^{
            eventReportCallback(eventReports);
        });
    }

instead of

    // Reading mAttributeReportCallback inside the block captures "this" implicitly;
    // if the SubscriptionCallback is deleted before the block runs, that is a use-after-free.
    if (mAttributeReportCallback && attributeReports.count) {
        dispatch_async(mQueue, ^{
            mAttributeReportCallback(attributeReports);
        });
    }
    if (mEventReportCallback && eventReports.count) {
        dispatch_async(mQueue, ^{
            mEventReportCallback(eventReports);
        });
    }
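As an added example (not code from the Matter project or from this issue's author), the same ordering bug modelled in plain C++: a toy `SerialQueue` stands in for dispatch_async, `std::function` stands in for the Objective-C blocks, and `LiveObjects`, `Stats` and `RunScenario` are assumptions made for the illustration. The buggy method keeps the capture-`this` shape from the issue, with an example-only liveness guard where a real build would crash as in the backtrace above; the fixed method copies the handler into the closure, as the issue proposes.

```cpp
// Added example, not Matter project code: the queued-block-outlives-object bug
// from the issue, modelled with a toy serial queue, beside the capture-by-value fix.
#include <deque>
#include <functional>
#include <set>
#include <utility>
#include <vector>

using Report = std::vector<int>;                          // stand-in for attributeReports / eventReports
using ReportHandler = std::function<void(const Report&)>; // stand-in for the client callback block

// Toy stand-in for a libdispatch serial queue (assumption for this example):
// DispatchAsync only enqueues; Drain runs the blocks later, in order.
struct SerialQueue {
    std::deque<std::function<void()>> blocks;
    void DispatchAsync(std::function<void()> block) { blocks.push_back(std::move(block)); }
    void Drain() {
        while (!blocks.empty()) { auto b = std::move(blocks.front()); blocks.pop_front(); b(); }
    }
};

// Example-only instrumentation: a registry of live objects lets a block notice that its
// captured `this` is dead instead of dereferencing it. Real builds have no such check.
static std::set<const void*>& LiveObjects() { static std::set<const void*> live; return live; }
static int gDanglingBlocks = 0; // blocks that ran after their object had been deleted

class SubscriptionCallback {
public:
    SubscriptionCallback(SerialQueue& queue, ReportHandler attr, ReportHandler event)
        : mQueue(queue), mAttributeReportCallback(std::move(attr)), mEventReportCallback(std::move(event)) {
        LiveObjects().insert(this);
    }
    ~SubscriptionCallback() { LiveObjects().erase(this); }

    // Shape of the buggy code: each block captures `this` and reads the member only
    // when it finally runs, which can be after the object has been deleted.
    void ReportDataCapturingThis(Report attributeReports, Report eventReports) {
        if (mAttributeReportCallback && !attributeReports.empty()) {
            mQueue.DispatchAsync([this, attributeReports] {
                if (!LiveObjects().count(this)) { ++gDanglingBlocks; return; } // example-only guard
                mAttributeReportCallback(attributeReports);
            });
        }
        if (mEventReportCallback && !eventReports.empty()) {
            mQueue.DispatchAsync([this, eventReports] {
                if (!LiveObjects().count(this)) { ++gDanglingBlocks; return; } // example-only guard
                mEventReportCallback(eventReports);
            });
        }
    }

    // The fix proposed in the issue: copy the handler into the closure, so the block
    // owns everything it needs and never touches the (possibly freed) object.
    void ReportDataCapturingCallback(Report attributeReports, Report eventReports) {
        auto attributeReportCallback = mAttributeReportCallback;
        if (attributeReportCallback && !attributeReports.empty()) {
            mQueue.DispatchAsync([attributeReportCallback, attributeReports] {
                attributeReportCallback(attributeReports);
            });
        }
        auto eventReportCallback = mEventReportCallback;
        if (eventReportCallback && !eventReports.empty()) {
            mQueue.DispatchAsync([eventReportCallback, eventReports] {
                eventReportCallback(eventReports);
            });
        }
    }

private:
    SerialQueue& mQueue;
    ReportHandler mAttributeReportCallback;
    ReportHandler mEventReportCallback;
};

struct Stats {
    int attributeDelivered = 0; // attribute paths that reached the client handler
    int eventDelivered = 0;     // events that reached the client handler
    int danglingBlocks = 0;     // blocks that found their object already deleted
};

// Replays the issue: reports are queued, then the subscription is torn down (the
// liveness timeout in the log) before the queue gets around to running the blocks.
Stats RunScenario(bool useFix, bool deleteBeforeDrain) {
    SerialQueue queue;
    Stats stats;
    gDanglingBlocks = 0;
    auto* sub = new SubscriptionCallback(
        queue,
        [&stats](const Report& r) { stats.attributeDelivered += static_cast<int>(r.size()); },
        [&stats](const Report& r) { stats.eventDelivered += static_cast<int>(r.size()); });
    Report attributeReports{1, 2, 3}; // constructed sample: three attribute paths
    Report eventReports{7};          // constructed sample: one event
    if (useFix) sub->ReportDataCapturingCallback(attributeReports, eventReports);
    else        sub->ReportDataCapturingThis(attributeReports, eventReports);
    if (deleteBeforeDrain) { delete sub; queue.Drain(); } // the issue's ordering
    else                   { queue.Drain(); delete sub; } // benign ordering
    stats.danglingBlocks = gDanglingBlocks;
    return stats;
}
```

With the benign ordering both variants deliver every report; with the issue's ordering the capture-`this` variant hits the guard for both queued blocks and delivers nothing (in a real build that is the crash in the backtrace), while the capture-by-value variant still delivers everything because the closure no longer depends on the object. The guard compares pointer values after delete, which is fine for this demonstration but would misfire if a new object were allocated at the same address, one more reason the real code has to fix the capture rather than add a check.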
@bzbarsky-apple

This was fixed in #21456
