Fixes potential race in teardown/restart flow observed under trickplay#1302
Merged
pstroffolino merged 12 commits on Apr 25, 2026
cpc005 reviewed Apr 21, 2026
jfagunde reviewed Apr 21, 2026
jfagunde reviewed Apr 22, 2026
jfagunde reviewed Apr 24, 2026
Contributor comment: Looks Good
nebutler963 approved these changes Apr 24, 2026
Pull request overview
This PR updates the AAMP profiler’s telemetry reset path to avoid races/use-after-free during teardown/restart (notably under trickplay) by synchronizing access to the telemetry cJSON tree and clearing a cached child pointer before freeing the parent.
Changes:
- Add discontinuityParamMutex protection around telemetryParam reset in ProfileEventAAMP::TuneBegin().
- Clear mLldLowBuffObject before deleting telemetryParam in both TuneBegin() and GetTelemetryParam() to avoid use-after-free/double-free patterns.
Author comment: The code changes have gone through Copilot as a minimal code change.
Signed-off-by: Philip Stroffolino <philip_stroffolino@cable.comcast.com>
…/GetTelemetryParam
- Guard against cJSON_CreateObject() returning NULL (OOM): keep existing telemetryParam intact and log an error rather than leaving it null and crashing callers like SetLatencyParam that dereference it without a guard.
- Move cJSON_Delete() and cJSON_PrintUnformatted() outside the discontinuityParamMutex critical section: swap the pointer under the lock, then free/log the old tree after release to reduce lock contention.
Signed-off-by: Philip Stroffolino <philip_stroffolino@cable.comcast.com>
Abhi-jith-S pushed a commit that referenced this pull request May 12, 2026
…1305) on linear channel on performing multiple times trickplay/Seek" (#1302)
Reason for Change: Fixes potential race in teardown/restart flow observed under trickplay
* Move cJSON_CreateObject outside mutex
* Reason for Change: NULL -> nullptr
* AampProfiler: OOM guard + narrow mutex critical sections in TuneBegin/GetTelemetryParam
  - Guard against cJSON_CreateObject() returning NULL (OOM): keep existing telemetryParam intact and log an error rather than leaving it null and crashing callers like SetLatencyParam that dereference it without a guard.
  - Move cJSON_Delete() and cJSON_PrintUnformatted() outside the discontinuityParamMutex critical section: swap the pointer under the lock, then free/log the old tree after release to reduce lock contention.
---------
Signed-off-by: Philip Stroffolino <philip_stroffolino@cable.comcast.com>
varatharajan568 pushed a commit that referenced this pull request May 20, 2026
Fix race condition in ProfileEventAAMP::TuneBegin and move mLldLowBuffObject null assignment before cJSON_Delete in both TuneBegin and GetTelemetryParam to prevent use-after-free (addresses double free in ticket)
Add discontinuityParamMutex lock_guard in TuneBegin to protect telemetryParam and mLldLowBuffObject from concurrent access
Move mLldLowBuffObject = NULL to before cJSON_Delete(telemetryParam) in both methods, ensuring the pointer is cleared before the underlying cJSON node it points to is freed
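The reset pattern described in this PR, as an added sketch that is not the AAMP source: allocate the replacement tree outside the lock, clear the cached child pointer and swap the root under the lock, then free the old tree after release. `Node`, `Telemetry`, `failAlloc` and `g_live` are hypothetical stand-ins (for a cJSON tree, the profiler, an OOM condition and a leak check).

```cpp
#include <mutex>
#include <new>
#include <vector>

static int g_live = 0;                    // live-node count, to check frees

// Hypothetical stand-in for a cJSON tree: deleting a parent frees its children.
struct Node {
    std::vector<Node*> kids;
    Node() { ++g_live; }
    ~Node() { for (Node* k : kids) delete k; --g_live; }
};

class Telemetry {                         // hypothetical, modelled on the PR text
    std::mutex mtx;                       // role of discontinuityParamMutex
    Node* root = new Node;                // role of telemetryParam
    Node* lowBuf = nullptr;               // cached child, like mLldLowBuffObject
public:
    bool failAlloc = false;               // hook to simulate allocation failure
    ~Telemetry() { delete root; }
    void AddLowBuf() {
        Node* child = new Node;
        std::lock_guard<std::mutex> g(mtx);
        root->kids.push_back(child);      // the parent now owns the child
        lowBuf = child;
    }
    bool HasLowBuf() { std::lock_guard<std::mutex> g(mtx); return lowBuf != nullptr; }
    // Allocate outside the lock, swap under it, free after release.
    bool Reset() {
        Node* fresh = failAlloc ? nullptr : new (std::nothrow) Node;
        if (!fresh) return false;         // OOM: keep the existing tree intact
        Node* old;
        {
            std::lock_guard<std::mutex> g(mtx);
            lowBuf = nullptr;             // clear cached child before parent is freed
            old = root;
            root = fresh;
        }
        delete old;                       // no longer reachable via root or lowBuf
        return true;
    }
};

int main() {
    Telemetry t;
    t.AddLowBuf();
    return (t.Reset() && !t.HasLowBuf() && g_live == 1) ? 0 : 1;
}
```

Clearing `lowBuf` in the same critical section as the swap is what keeps a concurrent reader from seeing a child pointer whose parent is about to be deleted.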