Hello,

Sebastian Humenda, on Wed 26 Feb 2025 09:29:25 +0100, wrote:
> The ASAN output is below. It didn't figure out the line numbers. If this is
> too vague, I have to try and change the way I get the ASAN output.
I believe we have the information:

> ==208649==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x60c0019f8101 at pc 0x55de2ae390a3 bp 0x7fff172e34a0 sp 0x7fff172e3498
> READ of size 1 at 0x60c0019f8101 thread T0
>     #0 0x55de2ae390a2 in usbCancelRequest ??:?

This is the urb->endpoint read. We are trying to cancel a request but it was
already freed.

>     #1 0x55de2ae28e6c in usbDeallocatePendingInputRequest usb.c:?
>     #2 0x55de2ad68398 in removeItem queue.c:?
>     #3 0x55de2ad683e4 in discardElement queue.c:?
>     #4 0x55de2ad6897b in deleteElement ??:?
>     #5 0x55de2ad6917e in deleteElements ??:?
>     #6 0x55de2ae27b26 in usbFinishEndpoint usb.c:?

This is going through endpoint->direction.input.pending.requests. I guess the
request didn't get removed from it on getting freed.

>     #7 0x55de2ad698ef in processQueue ??:?
>     #8 0x55de2ae27b97 in usbRemoveEndpoints usb.c:?
>     #9 0x55de2ae2816c in usbCloseInterface ??:?
>     #10 0x55de2ae2863f in usbCloseDevice ??:?
>     #11 0x55de2ae2c589 in usbCloseChannel ??:?
>     #12 0x55de2ae4dfaa in disconnectUsbResource gio_usb.c:?
>     #13 0x55de2ae4afcd in gioDisconnectResource ??:?
>     #14 0x55de2ae1b32a in disconnectBrailleResource ??:?
>     #15 0x7ff8a203f0a6 in ?? ??:0
>     #16 0x55de2ad7cc2a in destructBrailleDriver ??:?
>     #17 0x55de2ad7d8ee in deactivateBrailleDriver config.c:?
>     #18 0x55de2ad7dcba in stopBrailleDriver config.c:?
>     #19 0x55de2ad7dd17 in stopBrailleDriverActivity config.c:?
>     #20 0x55de2ad84ae4 in stopActivity ??:?
>     #21 0x55de2ad7df4a in disableBrailleDriver ??:?
>     #22 0x55de2ad7dfad in restartBrailleDriver ??:?
>     #23 0x55de2ad35181 in handleBrailleDriverFailed core.c:?
>     #24 0x55de2ad3556c in brlttyWait ??:?
>     #25 0x55de2ad2dad7 in brlttyRun brltty.c:?
>     #26 0x55de2ad2db10 in main ??:?
>     #27 0x7ff8a9a46249 in __libc_start_call_main
> ../sysdeps/nptl/libc_start_call_main.h:58
>     #28 0x7ff8a9a46304 in __libc_start_main_impl ../csu/libc-start.c:360
>     #27 0x55de2ad2da00 in _start ??:?
> 0x60c0019f8101 is located 1 bytes inside of 120-byte region
> [0x60c0019f8100,0x60c0019f8178)
> freed by thread T0 here:
>     #0 0x7ff8ac4b76a8 in __interceptor_free
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
>     #28 0x55de2ae3b6bb in usbHandleCompletedInputRequests ??:?

This indeed freed the urb after dequeuing it from eptx->completedRequests, but
it doesn't seem to have dequeued it from
endpoint->direction.input.pending.requests while at it.

Dave, any idea?

Samuel

>     #29 0x55de2ad5e975 in invokeMonitorCallback async_io.c:?
>     #30 0x55de2ad5fcef in asyncExecuteIoCallback ??:?
>     #31 0x55de2ad5bbde in ioCallbackExecuter async_wait.c:?
>     #32 0x55de2ad5bf06 in awaitAction async_wait.c:?
>     #33 0x55de2ad5c1ef in asyncAwaitCondition ??:?
>     #34 0x55de2ad3547b in brlttyWait ??:?
>     #35 0x55de2ad2dad7 in brlttyRun brltty.c:?
>     #36 0x55de2ad2db10 in main ??:?
>     #10 0x7ff8a9a46249 in __libc_start_call_main
> ../sysdeps/nptl/libc_start_call_main.h:58
>
> previously allocated by thread T0 here:
>     #0 0x7ff8ac4b89cf in __interceptor_malloc
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
>     #37 0x55de2ae38625 in usbMakeURB usb_linux.c:?
>     #38 0x55de2ae38df6 in usbSubmitRequest ??:?
>     #39 0x55de2ae28fd0 in usbAddPendingInputRequest usb.c:?
>     #40 0x55de2ae290e0 in usbEnsurePendingInputRequests usb.c:?
>     #41 0x55de2ae293c8 in usbHandleInputResponse ??:?
>     #42 0x55de2ae3a991 in usbHandleInputURB usb_linux.c:?
>     #43 0x55de2ae3b472 in usbHandleCompletedInputRequest usb_linux.c:?
>     #44 0x55de2ae3b668 in usbHandleCompletedInputRequests ??:?
>     #45 0x55de2ad5e975 in invokeMonitorCallback async_io.c:?
>     #46 0x55de2ad5fcef in asyncExecuteIoCallback ??:?
>     #47 0x55de2ad5bbde in ioCallbackExecuter async_wait.c:?
>     #48 0x55de2ad5bf06 in awaitAction async_wait.c:?
>     #49 0x55de2ad5c1ef in asyncAwaitCondition ??:?
>     #50 0x55de2ad3547b in brlttyWait ??:?
>     #51 0x55de2ad2dad7 in brlttyRun brltty.c:?
>     #52 0x55de2ad2db10 in main ??:?
>     #17 0x7ff8a9a46249 in __libc_start_call_main
> ../sysdeps/nptl/libc_start_call_main.h:58

_______________________________________________
This message was sent via the BRLTTY mailing list.
For general information, go to: http://brltty.app/mailman/listinfo/brltty
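As an added illustration (constructed model, not BRLTTY's code; all names are hypothetical), the invariant the analysis above points to: a request that is linked into both the pending-input list and the completed list must be unlinked from every list that can still reach it before it is freed, so that a later cancel walk over the pending list during endpoint teardown never touches freed memory.

```c
#include <stdlib.h>
/* Constructed model, not BRLTTY's code (names hypothetical): a request sits in
 * two intrusive lists at once, the endpoint's pending-input list from
 * submission onward and the completed list once completion is reported. */
typedef struct Request {
  struct Request *nextPending, *nextCompleted; /* links in ep->pending / ep->completed */
  int id;
} Request;
typedef struct { Request *pending, *completed; } Endpoint;
/* Submission: the new request joins the pending list. */
Request *submitRequest(Endpoint *ep, int id) {
  Request *r = calloc(1, sizeof *r); if (!r) return NULL;
  r->id = id; r->nextPending = ep->pending; ep->pending = r;
  return r;
}
/* Completion notification: the request is additionally linked into completed. */
void markCompleted(Endpoint *ep, Request *r) {
  r->nextCompleted = ep->completed;
  ep->completed = r;
}
/* Unlink r from pending if present; returns 1 if it was there, else 0. */
static int unlinkPending(Endpoint *ep, Request *r) {
  for (Request **pp = &ep->pending; *pp; pp = &(*pp)->nextPending)
    if (*pp == r) { *pp = r->nextPending; return 1; }
  return 0;
}
/* The single release path: every list that may still reference the request is
 * unlinked before free(), so the later cancel walk over pending (the
 * usbFinishEndpoint path in the trace) can never reach freed memory. */
void releaseRequest(Endpoint *ep, Request *r) {
  unlinkPending(ep, r);
  free(r);
}
/* Drain the completed list; returns how many requests were released. */
int handleCompleted(Endpoint *ep) {
  int n = 0;
  while (ep->completed) {
    Request *r = ep->completed;
    ep->completed = r->nextCompleted;
    releaseRequest(ep, r); n++;
  }
  return n;
}
/* Endpoint teardown: cancel and release whatever is still pending. */
int cancelPending(Endpoint *ep) {
  int n = 0;
  while (ep->pending) { releaseRequest(ep, ep->pending); n++; }
  return n;
}
```

Running it under AddressSanitizer with the `unlinkPending` call removed from `releaseRequest` reproduces the shape of the report above: the request freed by the completion handler is still reachable from the pending list when teardown walks it.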
