[Darwin] MTRBaseSubscriptionCallback OnDone callback being called async can lead to crashes #22978

jtung-apple · 2022-09-30T17:30:23Z

Darwin SubscriptionCallback bridge MTRBaseSubscriptionCallback has a cleanup crash issue where the onDoneHandler isn't called before callback object deletion, which can lead to crash.

This patch fixes the crash by making sure the deletion is queued and performed later, when there is an onDoneHandler to be called.

…callback being called async can lead to crashes

github-actions · 2022-09-30T18:16:01Z

PR #22978: Size comparison from 2a1f9ef to c9f61bf

Increases (5 builds for esp32, nrfconnect, qpg, telink)

platform	target	config	section	`2a1f9ef`	`c9f61bf`	change
esp32	all-clusters-app	c3devkit	(read/write)	1788118	1788126	8
			.flash.rodata	257688	257696	8
		m5stack	(read/write)	564004	564012	8
			.flash.rodata	314736	314744	8
nrfconnect	all-clusters-minimal-app	nrf52840dk_nrf52840	text	803244	803248	4
qpg	lighting-app	qpg6105+debug	(read/write)	1148600	1148608	8
			.text	595696	595704	8
telink	lighting-app	tlsr9518adk80d	text	592846	592848	2

Decreases (3 builds for bl602, psoc6)

platform	target	config	section	`2a1f9ef`	`c9f61bf`	change	% change
bl602	lighting-app	bl602+rpc	.text	1099774	`1099772`	-2	-0.0
psoc6	all-clusters	cy8ckit_062s2_43012	.debug_info	26821933	26821931	-2	-0.0
	all-clusters-minimal	cy8ckit_062s2_43012	.debug_info	26558714	26558713	-1	-0.0

Full report (37 builds for bl602, bl702, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, psoc6, qpg, telink)

platform	target	config	section	`2a1f9ef`	`c9f61bf`	change	% change
bl602	lighting-app	bl602	(read/write)	`1388826`	`1388826`	0	0.0
			.bss	90729	90729	0	0.0
			.data	9928	9928	0	0.0
			.text	1068428	1068428	0	0.0
		bl602+rpc	(read/write)	1434038	1434038	0	0.0
			.bss	98161	98161	0	0.0
			.data	10312	10312	0	0.0
			.text	1099774	`1099772`	-2	-0.0
bl702	lighting-app	bl702	(read only)	3262	3262	0	0.0
			(read/write)	1188027	1188027	0	0.0
			.bleromro	6296	6296	0	0.0
			.bleromrw	124	124	0	0.0
			.boot2	688	688	0	0.0
			.bss	67094	67094	0	0.0
			.bss_psram	29696	29696	0	0.0
			.comment	48	48	0	0.0
			.data	4272	4272	0	0.0
			.debug_abbrev	`1506903`	`1506903`	0	0.0
			.debug_aranges	133080	133080	0	0.0
			.debug_frame	486388	486388	0	0.0
			.debug_info	37899859	37899859	0	0.0
			.debug_line	5252986	5252986	0	0.0
			.debug_loc	3364624	3364624	0	0.0
			.debug_ranges	359016	359016	0	0.0
			.debug_str	3456120	3456120	0	0.0
			.hbn	509	509	0	0.0
			.hbn_noinit	260	260	0	0.0
			.init	342	342	0	0.0
			.init_array	144	144	0	0.0
			.psram	0	0	0	0.0
			.riscv.attributes	47	47	0	0.0
			.rodata	116536	116536	0	0.0
			.rsvd	3188	3188	0	0.0
			.shstrtab	293	293	0	0.0
			.stack	2048	2048	0	0.0
			.strtab	564835	564835	0	0.0
			.symtab	171584	171584	0	0.0
			.tcm_data	36	36	0	0.0
			.tcmcode	3262	3262	0	0.0
			.text	0	0	0	0.0
				956624	956624	0	0.0
		bl702+rpc	(read only)	3262	3262	0	0.0
			(read/write)	1283963	1283963	0	0.0
			.bleromro	6296	6296	0	0.0
			.bleromrw	124	124	0	0.0
			.boot2	688	688	0	0.0
			.bss	75142	75142	0	0.0
			.bss_psram	29936	29936	0	0.0
			.comment	48	48	0	0.0
			.data	4800	4800	0	0.0
			.debug_abbrev	1644448	1644448	0	0.0
			.debug_aranges	140584	140584	0	0.0
			.debug_frame	511764	511764	0	0.0
			.debug_info	41806469	41806469	0	0.0
			.debug_line	5627521	5627521	0	0.0
			.debug_loc	`3557369`	`3557369`	0	0.0
			.debug_ranges	381472	381472	0	0.0
			.debug_str	3852020	3852020	0	0.0
			.hbn	509	509	0	0.0
			.hbn_noinit	260	260	0	0.0
			.init	342	342	0	0.0
			.init_array	160	160	0	0.0
			.psram	0	0	0	0.0
			.riscv.attributes	47	47	0	0.0
			.rodata	129928	129928	0	0.0
			.rsvd	3188	3188	0	0.0
			.shstrtab	293	293	0	0.0
			.stack	2048	2048	0	0.0
			.strtab	624008	624008	0	0.0
			.symtab	189392	189392	0	0.0
			.tcm_data	36	36	0	0.0
			.tcmcode	3262	3262	0	0.0
			.text	0	0	0	0.0
				`1030326`	`1030326`	0	0.0
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	676555	676555	0	0.0
			(read/write)	174980	174980	0	0.0
			.bss	81228	81228	0	0.0
			.data	3380	3380	0	0.0
			.rodata	89547	89547	0	0.0
			.text	586696	586696	0	0.0
	all-clusters-minimal-app	LP_CC2652R7	(read only)	640795	640795	0	0.0
			(read/write)	157996	157996	0	0.0
			.bss	80500	80500	0	0.0
			.data	3380	3380	0	0.0
			.rodata	78683	78683	0	0.0
			.text	561792	561792	0	0.0
	lock-ftd	LP_CC2652R7	(read only)	675239	675239	0	0.0
			(read/write)	173448	173448	0	0.0
			.bss	78468	78468	0	0.0
			.data	3304	3304	0	0.0
			.rodata	77071	77071	0	0.0
			.text	597688	597688	0	0.0
	lock-mtd	LP_CC2652R7	(read only)	659099	659099	0	0.0
			(read/write)	185276	185276	0	0.0
			.bss	74156	74156	0	0.0
			.data	3304	3304	0	0.0
			.rodata	102939	102939	0	0.0
			.text	555680	555680	0	0.0
	pump-app	LP_CC2652R7	(read only)	687403	687403	0	0.0
			(read/write)	162004	162004	0	0.0
			.bss	78420	78420	0	0.0
			.data	3296	3296	0	0.0
			.rodata	90531	90531	0	0.0
			.text	596388	596388	0	0.0
	pump-controller-app	LP_CC2652R7	(read only)	671903	671903	0	0.0
			(read/write)	177616	177616	0	0.0
			.bss	78532	78532	0	0.0
			.data	3292	3292	0	0.0
			.rodata	86087	86087	0	0.0
			.text	585336	585336	0	0.0
	shell	LP_CC2652R7	(read only)	667606	667606	0	0.0
			(read/write)	186240	186240	0	0.0
			.bss	83540	83540	0	0.0
			.data	3376	3376	0	0.0
			.rodata	86262	86262	0	0.0
			.text	581028	581028	0	0.0
cyw30739	light	cyw930739m2evb_01	(read/write)	587354	587354	0	0.0
			.app_xip_area	464012	464012	0	0.0
			.bss	65776	65776	0	0.0
			.data	744	744	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	lock	cyw930739m2evb_01	(read/write)	591610	591610	0	0.0
			.app_xip_area	462948	462948	0	0.0
			.bss	71088	71088	0	0.0
			.data	752	752	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	ota-requestor-no-progress-logging	cyw930739m2evb_01	(read/write)	543346	543346	0	0.0
			.app_xip_area	425028	425028	0	0.0
			.bss	60784	60784	0	0.0
			.data	716	716	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
efr32	lighting-app	BRD4161A	(read/write)	1110692	1110692	0	0.0
			.bss	137708	137708	0	0.0
			.data	2068	2068	0	0.0
			.text	970892	970892	0	0.0
		BRD4161A+rpc	(read/write)	973636	973636	0	0.0
			.bss	152236	152236	0	0.0
			.data	2248	2248	0	0.0
			.text	819132	819132	0	0.0
		BRD4161A+rs911x	(read/write)	1003840	1003840	0	0.0
			.bss	170544	170544	0	0.0
			.data	2060	2060	0	0.0
			.text	831216	831216	0	0.0
	lock-app	BRD4161A+wf200	(read/write)	1147760	1147760	0	0.0
			.bss	153424	153424	0	0.0
			.data	2068	2068	0	0.0
			.text	992244	992244	0	0.0
	window-app	BRD4161A	(read/write)	1102684	1102684	0	0.0
			.bss	139156	139156	0	0.0
			.data	2092	2092	0	0.0
			.text	961412	961412	0	0.0
esp32	all-clusters-app	c3devkit	(read only)	1223036	1223036	0	0.0
			(read/write)	1788118	1788126	8	0.0
			.dram0.bss	76944	76944	0	0.0
			.dram0.data	13840	13840	0	0.0
			.flash.rodata	257688	257696	8	0.0
			.flash.text	1223036	1223036	0	0.0
			.iram0.text	65204	65204	0	0.0
		m5stack	(read only)	1233103	1233103	0	0.0
			(read/write)	564004	564012	8	0.0
			.dram0.bss	82304	82304	0	0.0
			.dram0.data	34296	34296	0	0.0
			.flash.rodata	314736	314744	8	0.0
			.flash.text	1227719	1227719	0	0.0
			.iram0.text	123939	123939	0	0.0
k32w	light	k32w0+release	(read/write)	649972	649972	0	0.0
			.bss	70712	70712	0	0.0
			.data	2068	2068	0	0.0
			.text	574464	574464	0	0.0
	lock	k32w0+release	(read/write)	704032	704032	0	0.0
			.bss	71152	71152	0	0.0
			.data	2076	2076	0	0.0
			.text	628076	628076	0	0.0
linux	chip-tool-ipv6only	arm64	(read only)	10422588	10422588	0	0.0
			(read/write)	706257	706257	0	0.0
			.bss	33953	33953	0	0.0
			.data	2864	2864	0	0.0
			.data.rel.ro	650560	650560	0	0.0
			.dynamic	560	560	0	0.0
			.got	13904	13904	0	0.0
			.init	24	24	0	0.0
			.init_array	208	208	0	0.0
			.rodata	517404	517404	0	0.0
			.text	8251204	8251204	0	0.0
	thermostat-no-ble	arm64	(read only)	2387508	2387508	0	0.0
			(read/write)	143649	143649	0	0.0
			.bss	55361	55361	0	0.0
			.data	1912	1912	0	0.0
			.data.rel.ro	77208	77208	0	0.0
			.dynamic	560	560	0	0.0
			.got	5184	5184	0	0.0
			.init	24	24	0	0.0
			.init_array	440	440	0	0.0
			.rodata	143644	143644	0	0.0
			.text	2001568	2001568	0	0.0
mbed	lock-app	CY8CPROTO_062_4343W+release	(read only)	6224	6224	0	0.0
			(read/write)	2451792	2451792	0	0.0
			.bss	215028	215028	0	0.0
			.data	5872	5872	0	0.0
			.text	1414436	1414436	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	(read/write)	`1182911`	`1182911`	0	0.0
			bss	144433	144433	0	0.0
			rodata	144208	144208	0	0.0
			text	815352	815352	0	0.0
	all-clusters-minimal-app	nrf52840dk_nrf52840	(read/write)	1161579	1161579	0	0.0
			bss	143660	143660	0	0.0
			rodata	135780	135780	0	0.0
			text	803244	803248	4	0.0
psoc6	all-clusters	cy8ckit_062s2_43012	(read only)	841968	841968	0	0.0
			(read/write)	`1744436`	`1744436`	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	188712	188712	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2664	2664	0	0.0
			.debug_abbrev	`1229470`	`1229470`	0	0.0
			.debug_aranges	111816	111816	0	0.0
			.debug_frame	373332	373332	0	0.0
			.debug_info	26821933	26821931	-2	-0.0
			.debug_line	3668940	3668940	0	0.0
			.debug_loc	3583264	3583264	0	0.0
			.debug_ranges	338840	338840	0	0.0
			.debug_str	`3439792`	`3439792`	0	0.0
			.heap	841968	841968	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	569480	569480	0	0.0
			.symtab	421056	421056	0	0.0
			.text	1544672	1544672	0	0.0
			.zero.table	8	8	0	0.0
			text	0	0	0	0.0
	all-clusters-minimal	cy8ckit_062s2_43012	(read only)	842704	842704	0	0.0
			(read/write)	1687044	1687044	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	187976	187976	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2664	2664	0	0.0
			.debug_abbrev	1221269	1221269	0	0.0
			.debug_aranges	111288	111288	0	0.0
			.debug_frame	376412	376412	0	0.0
			.debug_info	26558714	26558713	-1	-0.0
			.debug_line	`3689656`	`3689656`	0	0.0
			.debug_loc	3570901	3570901	0	0.0
			.debug_ranges	337456	337456	0	0.0
			.debug_str	3428805	3428805	0	0.0
			.heap	842704	842704	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	533569	533569	0	0.0
			.symtab	407488	407488	0	0.0
			.text	1488016	1488016	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	light	cy8ckit_062s2_43012	(read only)	850896	850896	0	0.0
			(read/write)	1605572	1605572	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	179992	179992	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2456	2456	0	0.0
			.debug_abbrev	1055325	1055325	0	0.0
			.debug_aranges	103496	103496	0	0.0
			.debug_frame	346740	346740	0	0.0
			.debug_info	22022894	22022894	0	0.0
			.debug_line	`3259572`	`3259572`	0	0.0
			.debug_loc	`3268876`	`3268876`	0	0.0
			.debug_ranges	302784	302784	0	0.0
			.debug_str	3234337	3234337	0	0.0
			.heap	850896	850896	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	469946	469946	0	0.0
			.symtab	375936	375936	0	0.0
			.text	1414736	1414736	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	lock	cy8ckit_062s2_43012	(read only)	845880	845880	0	0.0
			(read/write)	1639492	1639492	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	184992	184992	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2472	2472	0	0.0
			.debug_abbrev	1057428	1057428	0	0.0
			.debug_aranges	103896	103896	0	0.0
			.debug_frame	348632	348632	0	0.0
			.debug_info	22261501	22261501	0	0.0
			.debug_line	3257436	3257436	0	0.0
			.debug_loc	3297486	3297486	0	0.0
			.debug_ranges	304728	304728	0	0.0
			.debug_str	3253851	3253851	0	0.0
			.heap	845880	845880	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	472353	472353	0	0.0
			.symtab	377600	377600	0	0.0
			.text	1443640	1443640	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
qpg	lighting-app	qpg6105+debug	(read/write)	1148600	1148608	8	0.0
			.bss	110548	110548	0	0.0
			.data	868	868	0	0.0
			.text	595696	595704	8	0.0
	lock-app	qpg6105+debug	(read/write)	1113648	1113648	0	0.0
			.bss	106364	106364	0	0.0
			.data	872	872	0	0.0
			.text	560748	560748	0	0.0
telink	light-switch-app	tlsr9518adk80d	(read/write)	814548	814548	0	0.0
			bss	72172	72172	0	0.0
			noinit	43488	43488	0	0.0
			text	574626	574626	0	0.0
	lighting-app	tlsr9518adk80d	(read/write)	836660	836660	0	0.0
			bss	73028	73028	0	0.0
			noinit	43488	43488	0	0.0
			text	592846	592848	2	0.0
	ota-requestor-app	tlsr9518adk80d	(read/write)	844612	844612	0	0.0
			bss	73936	73936	0	0.0
			noinit	43488	43488	0	0.0
			text	599028	599028	0	0.0

project-chip#22978 accidentally reintroduced the crash that project-chip#22324 had fixed. To avoid more issues along these lines: 1) Add unit tests that reproduce the crashes described in project-chip#22320 (with the changes from project-chip#22978) and project-chip#22935 (without those changes). 2) Change MTRBaseSubscriptionCallback to always invoke its callbacks synchronously, on the Matter queue, so that we can clean up the MTRClusterStateCacheContainer's pointer to the ClusterStateCache before it gets deleted on the Matter queue. 3) Move the queueing of callbacks to the client queue into the consumers of MTRBaseSubscriptionCallback, so they can do whatever sync work they need (like the above cleanup) before going async. 4) Update documentation.

#22978 accidentally reintroduced the crash that #22324 had fixed. To avoid more issues along these lines: 1) Add unit tests that reproduce the crashes described in #22320 (with the changes from #22978) and #22935 (without those changes). 2) Change MTRBaseSubscriptionCallback to always invoke its callbacks synchronously, on the Matter queue, so that we can clean up the MTRClusterStateCacheContainer's pointer to the ClusterStateCache before it gets deleted on the Matter queue. 3) Move the queueing of callbacks to the client queue into the consumers of MTRBaseSubscriptionCallback, so they can do whatever sync work they need (like the above cleanup) before going async. 4) Update documentation.

…hip#23076) project-chip#22978 accidentally reintroduced the crash that project-chip#22324 had fixed. To avoid more issues along these lines: 1) Add unit tests that reproduce the crashes described in project-chip#22320 (with the changes from project-chip#22978) and project-chip#22935 (without those changes). 2) Change MTRBaseSubscriptionCallback to always invoke its callbacks synchronously, on the Matter queue, so that we can clean up the MTRClusterStateCacheContainer's pointer to the ClusterStateCache before it gets deleted on the Matter queue. 3) Move the queueing of callbacks to the client queue into the consumers of MTRBaseSubscriptionCallback, so they can do whatever sync work they need (like the above cleanup) before going async. 4) Update documentation.

Issue project-chip#22935 [Darwin] MTRBaseSubscriptionCallback OnDone …

c9f61bf

…callback being called async can lead to crashes

jtung-apple added the darwin label Sep 30, 2022

jtung-apple requested review from woody-apple and bzbarsky-apple September 30, 2022 17:30

jtung-apple self-assigned this Sep 30, 2022

jtung-apple mentioned this pull request Sep 30, 2022

[Darwin] MTRBaseSubscriptionCallback needs to have consistent handling of callbacks #22936

Closed

pullapprove bot requested review from mlepage-google, msandstedt, rgoliver, robszewczyk, saurabhst, selissia, tecimovic, tehampson, turon, vijs, vivien-apple, wbschiller, xylophone21 and yufengwangca September 30, 2022 17:31

pullapprove bot added the review - pending label Sep 30, 2022

andy31415 approved these changes Sep 30, 2022

View reviewed changes

msandstedt approved these changes Oct 3, 2022

View reviewed changes

pullapprove bot added review - approved and removed review - pending labels Oct 3, 2022

jtung-apple merged commit 8e2c926 into project-chip:master Oct 3, 2022

bzbarsky-apple mentioned this pull request Oct 7, 2022

Better fix for crashes around MTRBaseSubscriptionCallback. #23076

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Darwin] MTRBaseSubscriptionCallback OnDone callback being called async can lead to crashes #22978

[Darwin] MTRBaseSubscriptionCallback OnDone callback being called async can lead to crashes #22978

jtung-apple commented Sep 30, 2022

github-actions bot commented Sep 30, 2022 •

edited

Loading

[Darwin] MTRBaseSubscriptionCallback OnDone callback being called async can lead to crashes #22978

[Darwin] MTRBaseSubscriptionCallback OnDone callback being called async can lead to crashes #22978

Conversation

jtung-apple commented Sep 30, 2022

github-actions bot commented Sep 30, 2022 • edited Loading

github-actions bot commented Sep 30, 2022 •

edited

Loading