fix: AudioRing cursor desync + capture thread use-after-free

AudioRing (reader-detects-lap architecture): - Writer NEVER touches read_pos — fixes SPSC invariant violation - Reader self-corrects when lapped (snaps read_pos forward) - Power-of-2 capacity (16384 = 341ms) with bitmask indexing - Added overflow_count and underrun_count diagnostics - Wired ring health into engine stats and periodic logging Capture thread use-after-free (drain latch): - Added CountDownLatch(2) to AudioPipeline - Audio threads count down after exiting their loops - teardown() awaits latch (200ms timeout) before destroy() - Guarantees no in-flight JNI calls when native handle is freed - stopAudio() no longer nulls pipeline (teardown handles it) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 13:28:34 +04:00
parent 6597b5bd86
commit 4af7c5f94c
5 changed files with 117 additions and 42 deletions
--- a/android/app/src/main/java/com/wzp/audio/AudioPipeline.kt
+++ b/android/app/src/main/java/com/wzp/audio/AudioPipeline.kt
@@ -19,6 +19,8 @@ import java.io.FileOutputStream
 import java.io.OutputStreamWriter
 import java.nio.ByteBuffer
 import java.nio.ByteOrder
+import java.util.concurrent.CountDownLatch
+import java.util.concurrent.TimeUnit
 import kotlin.math.pow
 import kotlin.math.sqrt

@@ -58,6 +60,9 @@ class AudioPipeline(private val context: Context) {
    var debugRecording: Boolean = true
    private var captureThread: Thread? = null
    private var playoutThread: Thread? = null
+    /** Latch counted down by each audio thread after exiting its loop.
+     *  stop() does NOT wait on this — teardown waits via awaitDrain(). */
+    private var drainLatch: CountDownLatch? = null

    private val debugDir: File by lazy {
        File(context.cacheDir, "wzp_debug").also { it.mkdirs() }
@@ -66,9 +71,11 @@ class AudioPipeline(private val context: Context) {
    fun start(engine: WzpEngine) {
        if (running) return
        running = true
+        drainLatch = CountDownLatch(2) // one for capture, one for playout

        captureThread = Thread({
            runCapture(engine)
+            drainLatch?.countDown() // signal: capture loop exited, no more JNI calls
            // Park thread forever — exiting triggers a libcrypto TLS destructor
            // crash (SIGSEGV in OPENSSL_free) on Android when a JNI-calling thread exits.
            parkThread()
@@ -80,6 +87,7 @@ class AudioPipeline(private val context: Context) {

        playoutThread = Thread({
            runPlayout(engine)
+            drainLatch?.countDown() // signal: playout loop exited
            parkThread()
        }, "wzp-playout").apply {
            isDaemon = true
@@ -92,10 +100,20 @@ class AudioPipeline(private val context: Context) {

    fun stop() {
        running = false
-        // Don't join — threads are parked as daemons to avoid native TLS crash
+        // Don't join threads — they are parked as daemons to avoid native TLS crash.
+        // Don't null thread refs or drainLatch — teardown() needs awaitDrain().
+        Log.i(TAG, "audio pipeline stopped (running=false)")
+    }
+
+    /** Block until both audio threads have exited their loops (max 200ms).
+     *  After this returns, no more JNI calls to the engine will be made. */
+    fun awaitDrain(): Boolean {
+        val ok = drainLatch?.await(200, TimeUnit.MILLISECONDS) ?: true
+        if (!ok) Log.w(TAG, "awaitDrain: audio threads did not drain in 200ms")
        captureThread = null
        playoutThread = null
-        Log.i(TAG, "audio pipeline stopped")
+        drainLatch = null
+        return ok
    }

    private fun applyGain(pcm: ShortArray, count: Int, db: Float) {
--- a/android/app/src/main/java/com/wzp/ui/call/CallViewModel.kt
+++ b/android/app/src/main/java/com/wzp/ui/call/CallViewModel.kt
@@ -254,8 +254,17 @@ class CallViewModel : ViewModel(), WzpCallback {
        Log.i(TAG, "teardown: stopping audio, stopService=$stopService")
        val hadCall = audioStarted
        CallService.onStopFromNotification = null
-        stopAudio()
+        stopAudio()             // sets running=false (non-blocking)
        stopStatsPolling()
+
+        // Wait for audio threads to exit their loops before destroying the engine.
+        // This guarantees no in-flight JNI calls to writeAudio/readAudio.
+        val drained = audioPipeline?.awaitDrain() ?: true
+        if (!drained) {
+            Log.w(TAG, "teardown: audio threads did not drain in time")
+        }
+        audioPipeline = null
+
        Log.i(TAG, "teardown: stopping engine")
        try { engine?.stopCall() } catch (e: Exception) { Log.w(TAG, "stopCall err: $e") }
        try { engine?.destroy() } catch (e: Exception) { Log.w(TAG, "destroy err: $e") }
@@ -399,8 +408,7 @@ class CallViewModel : ViewModel(), WzpCallback {

    private fun stopAudio() {
        if (!audioStarted) return
-        audioPipeline?.stop()
-        audioPipeline = null
+        audioPipeline?.stop()    // sets running=false; DON'T null — teardown needs awaitDrain()
        audioRouteManager?.unregister()
        audioRouteManager?.setSpeaker(false)
        _isSpeaker.value = false