"Bluetooth Share has stopped working" when executing LeScan

2023-09-12 23:59:58 Author: 对此欢终宴

I have a bunch of various Android phones in front of me all running 4.3/4.4 and they all seem to be suffering from some bug in Bluetooth. The app I am running is simply scanning for other bluetooth devices around it using this callback: http://developer.android.com/reference/android/bluetooth/BluetoothAdapter.LeScanCallback.html

Just LogCatting the data and still having problems...

Does anyone know about this bug and have a fix for it? I really need to get bluetooth scanning stable for a deadline I have tomorrow for a demo of my application...

Thanks.

Edit: Supposedly in 4.4.3 (or 4.4.4) this was resolved. (Of course the day of our presentation for the project... did us no good). The main issue was the XML file keeping track of MAC addresses growing over the size of 2000 and then crashing... a system reset would clear the XML file, thus solving the problem temporarily.

Recommended answer

This is a bug in the Android bluetooth code which does not appear to have a resolution at present. Since other people keep finding this as well, I'm going to post what I found when tracing the problem through the bluetooth stack, even though it cannot really be applied as a resolution unless one is prepared to make major changes to an AOSP-based install.

Fundamentally, the problem is a SIGSEGV in btif_config.c at find_add_node() when alloc_node() fails after hearing too many unique BTLE hardware addresses.

Informative part of the stack trace:

D/BtGatt.btif(22509): btif_gattc_upstreams_evt: Event 4096
D/BtGatt.btif(22509): btif_gattc_add_remote_bdaddr device added idx=1
D/BtGatt.btif(22509): btif_gattc_update_properties BLE device name=beacon len=6 dev_type=2
F/libc    (22509): Fatal signal 11 (SIGSEGV) at 0x00000000 (code=1), thread 22530 (BTIF)
I/DEBUG   (  171): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  171): Build fingerprint: 'google/occam/mako:4.4.2/KOT49H/937116:user/release-keys'
I/DEBUG   (  171): Revision: '11'
I/DEBUG   (  171): pid: 22509, tid: 22530, name: BTIF  >>> com.android.bluetooth <<<
I/DEBUG   (  171): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
I/DEBUG   (  171):     r0 ffffffff  r1 00007d00  r2 00007c60  r3 74c7cf00
I/DEBUG   (  171):     r4 74c7cf10  r5 00000000  r6 756f95a8  r7 7503c671

I/DEBUG   (  171): backtrace:
I/DEBUG   (  171):     #00  pc 0004e68c  /system/lib/hw/bluetooth.default.so
I/DEBUG   (  171):     #01  pc 0004ea65  /system/lib/hw/bluetooth.default.so (btif_config_set+156)

Disassembling, the code in question is this rather obviously problematic series of clearing r5 and then attempting to de-reference it as a base pointer:

       4e68a:   2500        movs    r5, #0
       4e68c:   6829        ldr r1, [r5, #0]
       4e68e:   b919        cbnz    r1, 4e698 <btif_gattc_test_command_impl+0x74c>
       4e690:   4630        mov r0, r6
       4e692:   f7dd ef78   blx 2c584 <strdup@plt>

This corresponds to the "if(!node->name)" check at the end of find_add_node():

static cfg_node* find_add_node(cfg_node* p, const char* name)
{
    int i = -1;
    cfg_node* node = NULL;
    if((i = find_inode(p, name)) < 0)
    {
        if(!(node = find_free_node(p)))
        {
            int old_size = alloc_node(p, CFG_GROW_SIZE);
            if(old_size >= 0)
            {
                i = GET_NODE_COUNT(old_size);
                node = &p->child[i];
                ADD_CHILD_COUNT(p, 1);
            } /* else clause to handle failure of alloc_node() is missing here */
        } else ADD_CHILD_COUNT(p, 1);
    }
    else node = &p->child[i];
    if(!node->name)   /* this will SIGSEGV if node is still NULL */
        node->name = strdup(name);
    return node;
}

Specifically, there is no else clause to handle the failure of alloc_node(), so when that happens (presumably due to running out of storage after hearing too many device addresses) the code falls through and attempts to dereference the name member of the node pointer without ever having set it to a non-null address.

The fix would presumably need to involve:

non-crash handling of this error case when a new record cannot be allocated

more aggressive discarding of past-heard addresses when new ones keep being heard and the number of records being stored becomes unreasonable
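As an added example (not the answer's code and not AOSP code), a constructed, simplified model of the btif_config.c node table with a find_add_node variant that handles alloc_node() failure by returning NULL, plus a scan loop showing that addresses heard beyond the table's capacity are refused instead of crashing the BTIF thread. The cfg_node layout, MAX_NODES and the sample addresses are assumptions of this model.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed, simplified model of the btif_config.c node table (not AOSP code);
 * MAX_NODES stands in for alloc_node() running out of room for new records. */
#define CFG_GROW_SIZE 8
#define MAX_NODES 16
typedef struct cfg_node { char *name; struct cfg_node *child; int child_count, child_cap; } cfg_node;

/* Grow p->child by `grow` zeroed slots; returns the old capacity, or -1 on failure. */
static int alloc_node(cfg_node *p, int grow)
{
    int old = p->child_cap;
    if (old + grow > MAX_NODES) return -1;
    cfg_node *n = realloc(p->child, (size_t)(old + grow) * sizeof *n);
    if (!n) return -1;
    memset(n + old, 0, (size_t)grow * sizeof *n);
    p->child = n;
    p->child_cap = old + grow;
    return old;
}

/* Fixed find_add_node: returns NULL when no record can be allocated instead of
 * dereferencing a NULL node, so every caller must check the result. */
static cfg_node *find_add_node_fixed(cfg_node *p, const char *name)
{
    for (int i = 0; i < p->child_count; i++)            /* address already known? */
        if (strcmp(p->child[i].name, name) == 0) return &p->child[i];
    if (p->child_count >= p->child_cap && alloc_node(p, CFG_GROW_SIZE) < 0)
        return NULL;                 /* the else clause the original code lacks */
    cfg_node *node = &p->child[p->child_count++];
    if (!(node->name = strdup(name))) { p->child_count--; return NULL; }
    return node;
}

/* Hear n distinct constructed addresses; returns how many were stored and
 * reports via *refused how many were turned away without a crash. */
static int scan_addresses(int n, int *refused)
{
    cfg_node root = {0};
    int stored = 0; *refused = 0;
    for (int k = 0; k < n; k++) {
        char addr[18];
        snprintf(addr, sizeof addr, "00:11:22:33:%02X:%02X", k >> 8, k & 0xFF);
        if (find_add_node_fixed(&root, addr)) stored++; else (*refused)++;
    }
    for (int k = 0; k < root.child_count; k++) free(root.child[k].name);
    free(root.child);
    return stored;
}
```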