Null reference / UB when attempting to play audio

[kanerogers]

Hi there! Thanks so much for all your hard work building this library. :)

Unfortunately I'm having an intermittent issue where attempting to play audio on the Oculus Quest 2. I've filed an issue with cpal RustAudio/cpal#636 but it appears that the root cause is a null pointer dereference in oboe::AudioStream::getTimestamp(int).

Here's the log output from oboe:

02-02 12:48:18.895 23477 23502 I OboeAudio: openStream() OUTPUT -------- OboeVersion1.6.1 --------
02-02 12:48:18.896 23477 23502 D OboeAudio: AAudioLoader():  dlopen(libaaudio.so) returned 0x86c9794734b4099
02-02 12:48:18.896 23477 23502 I AAudio  : AAudioStreamBuilder_openStream() called ----------------------------------------
02-02 12:48:18.896 23477 23502 I AudioStreamBuilder: rate   =  44100, channels  = 2, format   = 5, sharing = SH, dir = OUTPUT
02-02 12:48:18.896 23477 23502 I AudioStreamBuilder: device =      2, sessionId = -1, perfMode = 10, callback: ON with frames = 0
02-02 12:48:18.896 23477 23502 I AudioStreamBuilder: usage  =      1, contentType = 2, inputPreset = 6, allowedCapturePolicy = 0
02-02 12:48:18.896 23477 23502 D AudioStreamBuilder: build() MMAP not available because AAUDIO_PERFORMANCE_MODE_LOW_LATENCY not used.
02-02 12:48:18.896 23477 23502 D         : PlayerBase::PlayerBase()
02-02 12:48:18.896 23477 23502 D AudioStreamTrack: open(), request notificationFrames = 0, frameCount = 0
02-02 12:48:18.921 23477 23502 I AAudio  : AAudioStreamBuilder_openStream() returns 0 = AAUDIO_OK for s#1 ----------------
02-02 12:48:18.921 23477 23502 D OboeAudio: AudioStreamAAudio.open() format=2, sampleRate=44100, capacity = 3536
02-02 12:48:18.921 23477 23502 D OboeAudio: AudioStreamAAudio.open: AAudioStream_Open() returned AAUDIO_OK
02-02 12:48:18.921 23477 23502 D AAudio  : AAudioStream_requestStart(s#1) called --------------
02-02 12:48:18.943 23477 23502 D         : PlayerBase::start() from IPlayer
02-02 12:48:18.943 23477 23502 D AAudio  : AAudioStream_requestStart(s#1) returned 0 ---------

And the final crash:

02-02 12:48:22.890 23734 23734 E DEBUG   : failed to readlink /proc/23532/fd/72: No such file or directory
02-02 12:48:23.020 23734 23734 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
02-02 12:48:23.025 23734 23734 I crash_dump64: performing dump of process 23477 (target tid = 23532)
02-02 12:48:23.100 23734 23734 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-02 12:48:23.101 23734 23734 F DEBUG   : Build fingerprint: 'oculus/hollywood/hollywood:10/QQ3A.200805.001/22310100587300000:user/release-keys'
02-02 12:48:23.101 23734 23734 F DEBUG   : Revision: '0'
02-02 12:48:23.101 23734 23734 F DEBUG   : ABI: 'arm64'
02-02 12:48:23.105 23734 23734 F DEBUG   : Timestamp: 2022-02-02 12:48:23+1100
02-02 12:48:23.106 23734 23734 F DEBUG   : pid: 23477, tid: 23532, name: AudioTrack  >>> rust.beat_saber_example <<<
02-02 12:48:23.107 23734 23734 F DEBUG   : uid: 10044
02-02 12:48:23.107 23734 23734 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
02-02 12:48:23.111 23734 23734 F DEBUG   : Cause: null pointer dereference
02-02 12:48:23.112 23734 23734 F DEBUG   :     x0  000000744a97d700  x1  0000000000000001  x2  00000074336ea610  x3  00000074336ea618
02-02 12:48:23.112 23734 23734 F DEBUG   :     x4  001e3af03b000000  x5  0000007543fcc000  x6  0000007543fcc000  x7  0000000000ace316
02-02 12:48:23.112 23734 23734 F DEBUG   :     x8  00000074336ea678  x9  000000744a97d700  x10 00000074336ea610  x11 0000000000000000
02-02 12:48:23.112 23734 23734 F DEBUG   :     x12 000000000000dc03  x13 000000000000dc02  x14 0000000000000001  x15 0000000000000000
02-02 12:48:23.112 23734 23734 F DEBUG   :     x16 0000007459132260  x17 00000075420807f8  x18 00000074330fe000  x19 000000744a97d880
02-02 12:48:23.112 23734 23734 F DEBUG   :     x20 0000000000000060  x21 0000007431ef3a60  x22 0000007458af2bb8  x23 0100804010040101
02-02 12:48:23.112 23734 23734 F DEBUG   :     x24 00000074b6505b78  x25 0000000000000009  x26 0000007542495db8  x27 000000000d000000
02-02 12:48:23.113 23734 23734 F DEBUG   :     x28 0000000000000dc8  x29 00000074336ea630
02-02 12:48:23.113 23734 23734 F DEBUG   :     sp  00000074336ea5e0  lr  0000007458aeed54  pc  0000000000000000
02-02 12:48:23.161 23734 23734 F DEBUG   :
02-02 12:48:23.161 23734 23734 F DEBUG   : backtrace:
02-02 12:48:23.161 23734 23734 F DEBUG   :       #00 pc 0000000000000000  <unknown>
02-02 12:48:23.162 23734 23734 F DEBUG   :       #01 pc 0000000001796d50  /data/app/rust.beat_saber_example-R7nhED3RyrF9nlL8W1H91w==/lib/arm64/libbeat_saber_example.so (oboe::AudioStream::getTimestamp(int)+56)
02-02 12:48:23.162 23734 23734 F DEBUG   :       #02 pc 04d9495d00000660  <unknown>

As I'm fairly new to audio in general I'm not quite sure where else I should be looking. Please let me know if there's any further details I can provide!

[kanerogers]

Good news, everyone! The true source of the bug is my own stupidity: it looks like the cpal stream was getting dropped too early.

Still - is it worth putting a check on the pointer de-reference? Or a note about safety?