SIGABRT in bluez5_remove_node on switching BT profiles
In gnome-control-center (g-c-c), switching between A2DP, HSP/HFP, or off profiles sometimes results to pipewire-media-session crashing.
The crash can also be reproduced with
export CARD='JBL LIVE650BTNC'
while true; do pactl set-card-profile "$CARD" A2DP; pactl set-card-profile "$CARD" off; donewhich should trigger the crash in a few seconds. It also crashes if switching between A2DP and HSP/HFP, or between HSP/HFP and off. Doesn't seem to require starting/stopping any sources/sinks.
Backtrace looks like this:
(gdb) bt -frame-info source-and-location
#0 0x00007f3f7b49c9d5 in raise () from /lib64/libc.so.6
#1 0x00007f3f7b4858a4 in abort () from /lib64/libc.so.6
#2 0x00007f3f7b485789 in __assert_fail_base.cold () from /lib64/libc.so.6
#3 0x00007f3f7b495026 in __assert_fail () from /lib64/libc.so.6
#4 0x00007f3f7b867524 in pw_proxy_ref (proxy=0x1f93600) at ../src/pipewire/proxy.c:308
308 assert(proxy->refcount > 0);
#5 0x000000000042a592 in sm_object_destroy (obj=0x1f93678) at ../src/examples/media-session/media-session.c:302
302 pw_proxy_ref(h);
#6 0x0000000000415a73 in bluez5_remove_node (device=0x1ac8dc0, node=0x1acdd10) at ../src/examples/media-session/bluez-monitor.c:204
204 sm_object_destroy(&node->snode->obj);
#7 0x0000000000415b44 in bluez5_device_object_info (data=0x1ac8dc0, id=0, info=0x0)
at ../src/examples/media-session/bluez-monitor.c:223
223 bluez5_remove_node(device, node);
#8 0x00007f3f7a515915 in set_profile (this=0x1ac8cf8, profile=0) at ../spa/plugins/bluez5/bluez5-device.c:167
167 spa_device_emit_object_info(&this->hooks, i, NULL);
#9 0x00007f3f7a516556 in impl_set_param (object=0x1ac8cf8, id=9, flags=0, param=0x1a51bd8)
at ../spa/plugins/bluez5/bluez5-device.c:393
393 set_profile(this, id);
#10 0x00007f3f7afae9ea in device_demarshal_set_param (object=0x1ac8fa0, msg=0x1a48ac0)
at ../src/modules/module-client-device/protocol-native.c:188
188 pw_proxy_notify(proxy, struct spa_device_methods, set_param, 0,
#11 0x00007f3f7a72de1c in process_remote (impl=0x1a479c0) at ../src/modules/module-protocol-native.c:762
762 res = demarshal[msg->opcode].func(proxy, msg);
#12 0x00007f3f7a72dfdc in on_remote_data (data=0x1a479c0, fd=21, mask=1) at ../src/modules/module-protocol-native.c:795
795 if ((res = process_remote(impl)) < 0)
#13 0x00007f3f7b7c16e6 in source_io_func (source=0x1a59e50) at ../spa/plugins/support/loop.c:320
320 impl->func.io(source->data, source->fd, source->rmask);
#14 0x00007f3f7b7c1667 in loop_iterate (object=0x1a22388, timeout=-1) at ../spa/plugins/support/loop.c:308
308 s->func(s);
#15 0x00007f3f7b84a89b in pw_main_loop_run (loop=0x1a22060) at ../src/pipewire/main-loop.c:158
158 if ((res = pw_loop_iterate(loop->loop, -1)) < 0) {
#16 0x000000000043129b in main (argc=1, argv=0x7ffeef258e98) at ../src/examples/media-session/media-session.c:2369
2369 pw_main_loop_run(impl.loop);Sometimes also bluetoothd crashes when switching profiles, with bt
(gdb) bt -frame-info source-and-location
#0 0x00007f898c85f5be in __strcmp_sse2_unaligned () from /lib64/libc.so.6
#1 0x000056282d63e98d in match_endpoint_by_path (a=<optimized out>, b=<optimized out>) at profiles/audio/media.c:2187
2187 return !strcmp(endpoint->path, path);
#2 0x000056282d6b157c in queue_remove_if (queue=0x56282e521390, function=0x56282d63e980 <match_endpoint_by_path>, user_data=0x56282e5094b0) at src/shared/queue.c:292
292 if (function(entry->data, user_data)) {
#3 0x000056282d644220 in proxy_removed_cb (proxy=<optimized out>, user_data=0x56282e50af40) at profiles/audio/media.c:2209
2209 endpoint = queue_remove_if(app->endpoints,
#4 0x000056282d6b00e9 in proxy_free (data=0x56282e521320) at gdbus/client.c:581
581 client->proxy_removed(proxy, client->user_data);
#5 0x00007f898ca2dd60 in g_list_foreach () from /lib64/libglib-2.0.so.0
#6 0x00007f898ca3875f in g_list_free_full () from /lib64/libglib-2.0.so.0
#7 0x000056282d6aab86 in service_disconnect (conn=0x56282e4d94a0, user_data=0x56282e528630) at gdbus/client.c:1313
1313 g_list_free_full(client->proxy_list, proxy_free);
#8 0x000056282d6ad6c0 in service_filter (connection=0x56282e4d94a0, message=<optimized out>, user_data=0x56282e50c610) at gdbus/watch.c:484
484 cb->conn_func(connection, cb->user_data);
#9 0x000056282d6acb73 in message_filter (connection=0x56282e4d94a0, message=0x56282e501220, user_data=<optimized out>) at gdbus/watch.c:557
557 data->handle_func(connection, message, data);
#10 0x00007f898c9b2221 in dbus_connection_dispatch () from /lib64/libdbus-1.so.3
#11 0x000056282d6a8940 in message_dispatch (data=0x56282e4d94a0) at gdbus/mainloop.c:72
72 while (dbus_connection_dispatch(conn) == DBUS_DISPATCH_DATA_REMAINS);
#12 0x00007f898ca3ca2b in g_idle_dispatch () from /lib64/libglib-2.0.so.0
#13 0x00007f898ca3d96f in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#14 0x00007f898ca8f758 in g_main_context_iterate.constprop () from /lib64/libglib-2.0.so.0
#15 0x00007f898ca3d033 in g_main_loop_run () from /lib64/libglib-2.0.so.0
#16 0x000056282d62cb69 in mainloop_run () at src/shared/mainloop-glib.c:79
79 g_main_loop_run(main_loop);
#17 mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
201 ret = mainloop_run();
#18 main (argc=<optimized out>, argv=<optimized out>) at src/main.c:971
971 mainloop_run_with_signal(signal_callback, NULL);