
framework-arduinoespressif32: BLEClient::~BLEClient() crashes in BLERemoteService::removeCharacteristics() with double free


I presume this issue really needs to be submitted in another repository, but all repository references for framework-arduinoespressif32 go to this repo. Please enlighten me if I need to submit it elsewhere. framework-arduinoespressif32 version is 3.10004.100129 (1.0.4).

I have found that creating a BLEClient() connection and then later calling delete on it is a sure way of getting a crash: panic() while freeing memory.

Digging down through the BLE stack showed that the double free is in BLERemoteService::removeCharacteristics(). It loops over two maps, m_characteristicMap and m_characteristicMapByHandle, calling delete on all the values.

But: the two maps share the same set of values (the characteristics objects), indexed by different keys. To fix, the delete loop should only be applied to m_characteristicMap and the other map should simply be cleared without deleting the values.
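The ownership problem described above, as an added example (not code from arduino-esp32 or from the issue): a stand-in Service keeps two maps, by UUID and by handle, that index the same heap objects. Deleting through both maps is the double free; deleting through one and clearing the other is the fix. Since actually executing the buggy loop aborts the process, the example audits which pointers that loop would hand to delete instead of deleting them. Class names, map names, UUIDs and handles are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <utility>

// Stand-in for BLERemoteCharacteristic (constructed for this example, not the
// arduino-esp32 class). The live-object counter lets us check that every object
// is destroyed exactly once.
struct Characteristic {
    static int live;
    std::string uuid;
    std::uint16_t handle;
    Characteristic(std::string u, std::uint16_t h) : uuid(std::move(u)), handle(h) { ++live; }
    ~Characteristic() { --live; }
};
int Characteristic::live = 0;

// Stand-in for BLERemoteService: two maps index the same owned objects, the way
// m_characteristicMap (by UUID) and m_characteristicMapByHandle do in the issue.
class Service {
public:
    ~Service() { removeCharacteristics(); }

    void addCharacteristic(const std::string& uuid, std::uint16_t handle) {
        Characteristic* c = new Characteristic(uuid, handle);
        m_byUuid[uuid] = c;
        m_byHandle[handle] = c;   // second index of the same object, NOT a second owner
    }

    // The buggy pattern deletes every value of both maps. Running that for real
    // corrupts the heap, so this audit only records the pointers such a loop
    // would pass to delete and reports how many would be freed a second time.
    int doubleFreesInBuggyPattern() const {
        std::set<const Characteristic*> freed;
        int duplicates = 0;
        for (const auto& kv : m_byUuid)
            if (!freed.insert(kv.second).second) ++duplicates;
        for (const auto& kv : m_byHandle)
            if (!freed.insert(kv.second).second) ++duplicates;   // every one is a repeat
        return duplicates;
    }

    // Fixed pattern: delete through the owning map only; the secondary index is
    // just cleared, because its pointers now dangle. Safe to call twice.
    void removeCharacteristics() {
        for (auto& kv : m_byUuid) delete kv.second;
        m_byUuid.clear();
        m_byHandle.clear();
    }

    std::size_t size() const { return m_byUuid.size(); }

private:
    std::map<std::string, Characteristic*> m_byUuid;
    std::map<std::uint16_t, Characteristic*> m_byHandle;
};

// Builds a service with two characteristics (constructed sample values), audits
// the buggy teardown, then tears down the fixed way. Returns the number of
// double frees the buggy loop would have caused (2 here), or -1 if the fixed
// teardown leaked or over-freed anything.
int runScenario() {
    int wouldDoubleFree;
    {
        Service svc;
        svc.addCharacteristic("2a19", 0x0010);   // sample UUID/handle, constructed
        svc.addCharacteristic("2a37", 0x0012);   // sample UUID/handle, constructed
        wouldDoubleFree = svc.doubleFreesInBuggyPattern();
        svc.removeCharacteristics();             // explicit teardown ...
    }                                            // ... and again from ~Service: a no-op
    return Characteristic::live == 0 ? wouldDoubleFree : -1;
}

int main() {
    return runScenario() == 2 ? 0 : 1;
}
```

The stronger fix is to encode the single owner in the types: make the UUID map hold `std::unique_ptr<Characteristic>` and the handle map hold raw non-owning pointers, so a second delete loop cannot even be written. On ESP32 the heap poisoning that produced the "CORRUPT HEAP: Bad head" assertion in this issue is what turns such a double free into an immediate abort rather than silent corruption, which is the behaviour you want in a debug build.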

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
jarikp commented, May 6, 2020

Reproducing the problem which is fixed by https://github.com/espressif/arduino-esp32/pull/3973 is very easy, at least for me with ESP32 MCU. It simply requires a connection to a service with characteristics, so in the most trivial case the code will look like this:

#include <Arduino.h>
#include <BLEDevice.h>

void setup()
{
    Serial.begin(115200);
    BLEDevice::init("");
}

void loop()
{
    // Stack object instead of a leaked 'new' on every iteration; put a valid 6-octet MAC here
    BLEAddress macAddr("00:00:00:00:00:00");
    BLEClient *pClient = BLEDevice::createClient();

    pClient->connect(macAddr, BLE_ADDR_TYPE_PUBLIC);

    // Placeholder UUIDs: use the peripheral's real service and characteristic UUIDs
    BLERemoteService *pService = pClient->getService("00000000-0000-0000-0000-000000000000");
    BLERemoteCharacteristic *pCharacteristic =
        pService ? pService->getCharacteristic("00000000-0000-0000-0000-000000000000") : nullptr;

    if (pCharacteristic && pCharacteristic->canRead()) {
        Serial.println(pCharacteristic->readValue().c_str());
    }

    pClient->disconnect();
    delete pClient;   // crashes here with the double free in BLERemoteService::removeCharacteristics()

    delay(10000);
}

The expected behavior would be to read the value every 10th second, but the loop() crashes on “delete pClient” with this error message:

CORRUPT HEAP: Bad head at 0x3ffe0640. Expected 0xabba1234 got 0x3ffe0ba4
assertion "head != NULL" failed: file "/home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/heap/multi_heap_poisoning.c", line 214, function: multi_heap_free
abort() was called at PC 0x400e6e73 on core 1

Backtrace: 0x40091470:0x3ffc84f0 0x400916a1:0x3ffc8510 0x400e6e73:0x3ffc8530 0x400910e5:0x3ffc8560 0x40084b26:0x3ffc8580 0x400850e1:0x3ffc85a0 0x4000bec7:0x3ffc85c0 0x4008dfa7:0x3ffc85e0 0x400d39af:0x3ffc8600 0x400d5aef:0x3ffc8620 0x400d6201:0x3ffc8640 0x400d657e:0x3ffc8660 0x400d659d:0x3ffc8680 0x400d5192:0x3ffc86a0 0x400d6852:0x3ffc86d0 0x400d1a7e:0x3ffc86f0 0x400d7bfd:0x3ffc8710 0x4008e089:0x3ffc8730
0 reactions
valeros commented, Apr 19, 2022

Closing as the issue has nothing to do with the PlatformIO dev-platform.
