GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

Pixel 8 bluetooth app crash #3504

Open pedrosantosmartins opened 6 months ago

pedrosantosmartins commented 6 months ago
type: crash
osVersion: google/shiba/shiba:14/AP1A.240405.002.B1/2024050300:user/release-keys
uid: 1002 (u:r:bluetooth:s0)
cmdline: com.android.bluetooth
processUptime: 0s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr f00dd2c5f732808
threadName: bt_a2dp_source_
MTE: enabled

backtrace:
    /apex/com.android.runtime/lib64/bionic/libc.so (pthread_mutex_lock+12, pc d70fc)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (std::__1::recursive_mutex::lock()+20, pc bad5a4)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (A2dpCodecConfig::copyOutOtaCodecConfig(unsigned char*)+44, pc 5bfaac)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (a2dp_aac_encoder_init(tA2DP_ENCODER_INIT_PEER_PARAMS const*, A2dpCodecConfig*, unsigned int (*)(unsigned char*, unsigned int), bool (*)(BT_HDR*, unsigned long, unsigned int))+172, pc 5c782c)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (btif_a2dp_source_setup_codec_delayed(RawAddress const&)+488, pc 531158)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)+204, pc ada04c)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::MessageLoop::RunTask(base::PendingTask*)+360, pc ad9538)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::MessageLoop::DoWork()+460, pc ad985c)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::MessagePumpDefault::Run(base::MessagePump::Delegate*)+112, pc adc120)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::RunLoop::Run()+72, pc ae9278)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::common::MessageLoopThread::Run(std::__1::promise<void>)+344, pc 7cd008)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::common::MessageLoopThread::RunThread(bluetooth::common::MessageLoopThread*, std::__1::promise<void>)+56, pc 7cca78)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bluetooth::common::MessageLoopThread*, std::__1::promise<void>), bluetooth::common::MessageLoopThread*, std::__1::promise<void> > >(void*)+92, pc 7cd65c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc d5e6c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 69a64)

muhomorr commented 6 months ago

How to reproduce this crash?

pedrosantosmartins commented 6 months ago

I had just paired the phone with the car radio (Sony DSX-A416BT) and was switching the radio on/off multiple times.

siowhao123 commented 1 month ago
type: crash
osVersion: google/shiba/shiba:14/AP1A.240405.002.B1/2024050300:user/release-keys
uid: 1002 (u:r:bluetooth:s0)
cmdline: com.android.bluetooth
processUptime: 0s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr f00dd2c5f732808
threadName: bt_a2dp_source_
MTE: enabled

backtrace:
    /apex/com.android.runtime/lib64/bionic/libc.so (pthread_mutex_lock+12, pc d70fc)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (std::__1::recursive_mutex::lock()+20, pc bad5a4)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (A2dpCodecConfig::copyOutOtaCodecConfig(unsigned char*)+44, pc 5bfaac)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (a2dp_aac_encoder_init(tA2DP_ENCODER_INIT_PEER_PARAMS const*, A2dpCodecConfig*, unsigned int (*)(unsigned char*, unsigned int), bool (*)(BT_HDR*, unsigned long, unsigned int))+172, pc 5c782c)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (btif_a2dp_source_setup_codec_delayed(RawAddress const&)+488, pc 531158)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)+204, pc ada04c)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::MessageLoop::RunTask(base::PendingTask*)+360, pc ad9538)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::MessageLoop::DoWork()+460, pc ad985c)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::MessagePumpDefault::Run(base::MessagePump::Delegate*)+112, pc adc120)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (base::RunLoop::Run()+72, pc ae9278)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::common::MessageLoopThread::Run(std::__1::promise<void>)+344, pc 7cd008)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::common::MessageLoopThread::RunThread(bluetooth::common::MessageLoopThread*, std::__1::promise<void>)+56, pc 7cca78)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bluetooth::common::MessageLoopThread*, std::__1::promise<void>), bluetooth::common::MessageLoopThread*, std::__1::promise<void> > >(void*)+92, pc 7cd65c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc d5e6c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 69a64)

I also encountered the same problem after I paired the phone. Did you find a solution?

thestinger commented 1 month ago

How did you trigger it?

siowhao123 commented 1 month ago

How did you trigger it?

When I was pairing another phone using Bluetooth...

siowhao123 commented 1 month ago

So about this issue, how to fix it?

thestinger commented 1 month ago

We currently aren't able to trigger it so it's hard for us to resolve. It appears to only occur on 8th gen Pixels but we've been unable to replicate it there.