GATT segmentation fault.

Hello.

I'm working on a GATT-based profile and I have observed anomalous
behavior in GATT related to the timeouts between requests and
replies. I've checked that if a request is sent and no reply is
received within 30 seconds (GATT_TIMEOUT macro), the callback
disconnect_timeout in gattrib.c is invoked; in this function the
GAttrib structure is destroyed without taking into account the
references held in other parts of the Bluetooth daemon, like the
proximity, device or attribute plugins. As far as I have seen, the
attrib_destroy function only uses the destroy callback reference to
notify when the GAttrib structure is released, but there is no place
in the code where this callback is set. Only the disconnect function
is set in device.c, through g_attrib_set_disconnect_function, but it
isn't called at this point.

I'm not sure about the right patch to solve this issue, since it
seems to be a problem with the GAttrib references in the gattrib.c
code. Maybe change the original function:

static gboolean disconnect_timeout(gpointer data)
{
	struct _GAttrib *attrib = data;

	attrib_destroy(attrib);

	return FALSE;
}

for another one which only closes the IOChannel and notifies about the
disconnection:

static gboolean disconnect_timeout(gpointer data)
{
	struct _GAttrib *attrib = data;

	/* Flush and drop the channel instead of freeing the whole GAttrib */
	g_io_channel_flush(attrib->io, NULL);
	g_io_channel_unref(attrib->io);
	attrib->io = NULL;

	/* Let the owner (device.c) know the link is gone */
	if (attrib->disconnect)
		attrib->disconnect(attrib->disc_user_data);

	return FALSE;
}

Maybe we also have to release pending events and so on. I'm not sure.

Here is a trace with this problem.

#0  0xb7c8ff10 in ?? () from /lib/libc.so.6
No symbol table info available.
#1  0xb7c90ea7 in ?? () from /lib/libc.so.6
No symbol table info available.
#2  0xb7c925d7 in realloc () from /lib/libc.so.6
No symbol table info available.
#3  0xb7e45243 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb7e45ad9 in g_realloc () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#5  0xb7e60887 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#6  0xb7e60f93 in g_string_insert_len () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#7  0xb7e6115b in g_string_append () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#8  0xb7e47003 in g_log_default_handler () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#9  0xb7e479c0 in g_logv () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#10 0xb7e47d13 in g_log () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#11 0xb7e47f1d in g_return_if_fail_warning () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#12 0xb7e4e682 in g_queue_get_length () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#13 0xb7f96663 in g_attrib_send (attrib=0xb8036f08, id=0, opcode=18
'\022', pdu=0xb803d580 "\022\024", len=5, func=0xb7f850f0
<final_measurement_cb>, user_data=0xb803d948,
    notify=0) at attrib/gattrib.c:451
        __btd_debug_desc = {file = 0xb7fdbf9c "attrib/gattrib.c", flags = 1}
        c = 0xb80322e0
        __FUNCTION__ = "g_attrib_send"
#14 0xb7f957c3 in gatt_write_char (attrib=0xb8036f08, handle=20,
value=0xbffff80e "", vlen=2, func=0xb7f850f0 <final_measurement_cb>,
user_data=0xb803d948) at attrib/gatt.c:540
        buf = 0xb803d580 "\022\024"
        buflen = 256
        plen = <optimized out>
        __FUNCTION__ = "gatt_write_char"
#15 0xb7f8526e in disable_final_measurement (t=0xb803c940) at
thermometer/thermometer.c:629
        ch = 0xb800ac98
        desc = 0xb800ac98
        btuuid = {type = BT_UUID16, value = {u16 = 10498, u32 = 10498,
u128 = {data = "\002)", '\000' <repeats 13 times>}}}
        atval = "\000"
        msg = <optimized out>
        __FUNCTION__ = "disable_final_measurement"
#16 0xb7f4766a in service_filter (connection=0xb800a6f0,
message=0xb800cf18, user_data=0xb800ced8) at gdbus/watch.c:477
        data = 0xb800ced8
        cb = 0xb803d928
        name = 0xb803d6e4 ":1.260"
        old = 0xb803d6f0 ":1.260"
        new = 0xb803d6fc ""
#17 0xb7f4730d in message_filter (connection=0xb800a6f0,
message=0xb800cf18, user_data=0x0) at gdbus/watch.c:527
        data = 0xb800ced8
        sender = <optimized out>
        path = <optimized out>
        iface = 0xb800cfd8 "org.freedesktop.DBus"
        member = <optimized out>
        arg = 0xb803d6e4 ":1.260"
#18 0xb7dc4c31 in dbus_connection_dispatch () from /usr/lib/libdbus-1.so.3
No symbol table info available.
#19 0xb7f45e88 in message_dispatch (data=0xb800a6f0) at gdbus/mainloop.c:80
        conn = 0xb800a6f0
#20 0xb7e4053f in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#21 0xb7e3ec4f in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#22 0xb7e3f3b0 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#23 0xb7e3faeb in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#24 0xb7f45321 in main (argc=1, argv=0xbffffc54) at src/main.c:473
        context = <optimized out>
        err = 0x0
        sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction =
0x1}, sa_mask = {__val = {0 <repeats 32 times>}}, sa_flags = 1,
sa_restorer = 0}
        config = 0xb8007600
        __FUNCTION__ = "main"

What is happening is that the GAttrib is released when the timeout
expires but the plugin still keeps a reference to the GAttrib memory.
The next time any gattrib function is invoked the memory fault happens,
in this case in the g_attrib_send function.

Another, less important, issue is related to the internal GIOChannel
reference in _GAttrib. This reference is incremented when the GAttrib
is created but never decremented when it is destroyed.

Please let me know if I can help in any other way.
Regards.
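As an added illustration, not part of this e-mail or of BlueZ, the following plain-C model puts the two timeout behaviours side by side: a timeout that frees the object regardless of who still holds it (the reported bug), and a timeout that only closes the link and notifies the owner, leaving the reference count to decide when the memory goes. Every name here (attrib_new, attrib_unref, holder, run_timeout_scenario) is an assumption made for the example, and the GIOChannel is reduced to an "open" flag so the file builds without GLib; none of it is the daemon's real API.

```c
/* Added example: a plain-C model of the GAttrib lifetime problem described in
 * this mail. Not BlueZ code; all names are stand-ins and the GIOChannel is
 * modelled as an "open" flag so the file builds without GLib. */
#include <stdlib.h>

typedef void (*disconnect_fn)(void *user_data);

struct attrib {
	int refs;                 /* shared reference count */
	int io_open;              /* stand-in for the GIOChannel */
	disconnect_fn disconnect; /* like g_attrib_set_disconnect_function */
	void *disc_user_data;
};

struct attrib *attrib_new(void)
{
	struct attrib *a = calloc(1, sizeof(*a));
	if (!a)
		return NULL;
	a->refs = 1;   /* the creator's reference */
	a->io_open = 1;
	return a;
}

struct attrib *attrib_ref(struct attrib *a) { a->refs++; return a; }

/* Drop one reference; the memory is freed only when the last holder lets go. */
void attrib_unref(struct attrib *a)
{
	if (!a || --a->refs > 0)
		return;
	a->io_open = 0;   /* release the channel taken in attrib_new */
	free(a);
}

/* Model of the original disconnect_timeout: frees regardless of other holders.
 * Returns how many references are left dangling after the free. */
int attrib_destroy_now(struct attrib *a)
{
	int dangling = a->refs - 1;
	free(a);
	return dangling;
}

/* Model of the proposed disconnect_timeout: close the link, notify, keep memory. */
int disconnect_timeout(struct attrib *a)
{
	a->io_open = 0;
	if (a->disconnect)
		a->disconnect(a->disc_user_data);
	return 0;   /* FALSE: one-shot timer */
}

/* Model of g_attrib_send: a closed or missing link is an error, not a crash. */
int attrib_send(struct attrib *a, const unsigned char *pdu, size_t len)
{
	if (!a || !a->io_open || !pdu || len == 0)
		return -1;
	return (int)len;   /* pretend the PDU was queued */
}

/* A plugin-like holder that keeps its own reference, the way device.c does. */
struct holder {
	struct attrib *attrib;
	int got_disconnect;
};

static void holder_on_disconnect(void *user_data)
{
	struct holder *h = user_data;
	h->got_disconnect = 1;
	attrib_unref(h->attrib);   /* give back our reference ... */
	h->attrib = NULL;          /* ... and never touch the pointer again */
}

struct scenario_result {
	int refs_before_timeout;
	int holder_notified;
	int send_rc;
};

/* Creator and holder share one attrib; the timeout fires; the holder sends. */
struct scenario_result run_timeout_scenario(void)
{
	struct scenario_result r = { 0, 0, 0 };
	struct attrib *a = attrib_new();
	struct holder h = { attrib_ref(a), 0 };

	a->disconnect = holder_on_disconnect;
	a->disc_user_data = &h;
	r.refs_before_timeout = a->refs;   /* 2: creator + holder */

	disconnect_timeout(a);
	r.holder_notified = h.got_disconnect;
	r.send_rc = attrib_send(h.attrib, (const unsigned char *)"\x12\x14", 2);

	attrib_unref(a);   /* creator drops the last reference */
	return r;
}

/* Same setup with the original behaviour: the holder's reference dangles. */
int run_destroy_scenario(void)
{
	struct attrib *a = attrib_new();
	struct holder h = { attrib_ref(a), 0 };
	int dangling = attrib_destroy_now(a);
	h.attrib = NULL;   /* we know it is gone; a real plugin does not */
	return dangling;
}
```

The point of the model is the ordering: with the notify-only timeout the holder hears about the disconnect, drops its reference and clears its pointer, so a later send is refused with an error; with destroy-on-timeout one reference is still outstanding when free() runs, which is exactly the dangling pointer that g_attrib_send later dereferences in the trace above.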