
Fix use-after-free crash in PushAV stream transport during recorder recreation#71470

Draft
raveendra-karu wants to merge 1 commit into project-chip:master from raveendra-karu:fix/tc_pavst_2_13_ci_failure_asan_942

Conversation

@raveendra-karu
Contributor

Summary

  • Added validation check in PushAVClipRecorder destructor to prevent accessing freed mUploadFileBasePath
  • Added small delays after mRecorder.reset() calls to ensure proper cleanup before recreation
  • Fixed race condition in CanSendPacketsToRecorder(), CheckAndUpdateSession(), and ModifyPushTransport() functions
  • Addresses crash in TC_PAVST_2_13.py test execution

Related issues

Fixes #71405

Testing

  • CI TC verification
  • Manual TC verification on a Linux PC

…ecreation

- Added validation check in PushAVClipRecorder destructor to prevent accessing freed mUploadFileBasePath
- Added small delays after mRecorder.reset() calls to ensure proper cleanup before recreation
- Fixed race condition in CanSendPacketsToRecorder(), CheckAndUpdateSession(), and ModifyPushTransport() functions
- Addresses crash in TC_PAVST_2_13.py test execution

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a check for an empty file path in the PushAVClipRecorder destructor and adds 10ms delays during recorder resets in PushAVTransport to facilitate cleanup. Review feedback correctly identifies that the added path check is ineffective at preventing use-after-free or data races, as accessing a member variable of a deleted or concurrently modified object is undefined behavior or a race condition regardless of the check.

Comment on lines +105 to +107
// Check if mUploadFileBasePath is valid and not empty before accessing it
// This prevents use-after-free issues when the path might be concurrently accessed
if (!mUploadFileBasePath.empty())
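Review bot: the guard at +107 cannot prevent the heap-use-after-free the linked issue describes, and the comment at +105/+106 saying that it does will mislead the next reader. If `this` has already been freed by the time this destructor code runs, `mUploadFileBasePath.empty()` is itself the read of freed memory, so ASan reports the same bug one line earlier rather than not at all; if the worry is another thread touching the path, an unlocked `empty()` is a data race, and after the `mWorkerThread.join()` the review points out at line 102 the recorder's own thread is already gone. Suggest dropping both the check and the comment and making the owner release every outstanding reference to the recorder (or join every user of it) before `mRecorder.reset()`; if the empty-path short-circuit is wanted on its own merits, keep it with a comment that says "nothing to upload", not "prevents use-after-free".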


medium

The check !mUploadFileBasePath.empty() does not prevent use-after-free vulnerabilities. If the PushAVClipRecorder instance is being accessed after it has been deleted, calling empty() on a member variable is already undefined behavior. Furthermore, if the concern is concurrent access, a simple check without a mutex is a data race. Since mWorkerThread.join() is called at line 102, any concurrency from the worker thread is already resolved. If other threads are still accessing this object, the lifecycle management of the recorder needs to be corrected at the caller level rather than adding checks inside the destructor.
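
What the PR description (delays after mRecorder.reset()) and the review comment above are both circling is the question of who owns the recorder while a send is in flight. The following is an added example written for this page; it is not code from the PR or from the connectedhomeip tree. ClipRecorder, Transport, Recreate(), SendPacket(), DestroyedCount() and the /tmp/clips paths are hypothetical stand-ins for PushAVClipRecorder, PushAVTransport and the reset/recreate sequence the PR touches. It is deliberately single-threaded so the outcome is deterministic; the rule it shows (copy the strong reference under the lock, work on the copy, never check-then-use a raw member) is the same one that makes the worker-thread case safe without any sleep.

```cpp
// Added example (not project code): caller-level lifetime management for a
// recorder that can be recreated while a packet send is in progress.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <string>
#include <utility>

namespace demo {

// Destructor counter so a test can observe exactly when a recorder was freed.
inline std::size_t & DestroyedCount()
{
    static std::size_t count = 0;
    return count;
}

// Hypothetical stand-in for PushAVClipRecorder (member names mirror the PR
// only for readability).
class ClipRecorder
{
public:
    ClipRecorder(std::string uploadPath, int generation) :
        mUploadFileBasePath(std::move(uploadPath)), mGeneration(generation) {}

    // In the real class the worker thread must be joined here, before any
    // member (including mUploadFileBasePath) is torn down. A check on the
    // path's contents cannot substitute for that ordering.
    ~ClipRecorder() { ++DestroyedCount(); }

    // Touches a member, so it is only safe while the caller guarantees the
    // object is alive for the whole call.
    std::size_t Write(uint32_t seq)
    {
        (void) seq;
        if (mUploadFileBasePath.empty())
            return mWritten; // a legitimate "nothing to upload", not a UAF guard
        return ++mWritten;
    }

    int Generation() const { return mGeneration; }
    std::size_t Written() const { return mWritten; }

private:
    std::string mUploadFileBasePath;
    int mGeneration;
    std::size_t mWritten = 0;
};

// Hypothetical stand-in for PushAVTransport. The recorder is owned through
// shared_ptr and every user copies that pointer under mLock, then works on
// the copy. Recreate() therefore drops only the transport's own reference; a
// send already in flight keeps the old recorder alive until it is finished.
class Transport
{
public:
    void Recreate(std::string uploadPath)
    {
        std::lock_guard<std::mutex> lock(mLock);
        mRecorder = std::make_shared<ClipRecorder>(std::move(uploadPath), ++mGeneration);
    }

    // "CanSendPacketsToRecorder() then use mRecorder" is check-then-act on a
    // raw member and races with Recreate(). Fetching the strong reference is
    // the check. Returns the generation that got the packet, or -1 if none.
    int SendPacket(uint32_t seq, bool recreateDuringSend)
    {
        std::shared_ptr<ClipRecorder> rec;
        {
            std::lock_guard<std::mutex> lock(mLock);
            rec = mRecorder;
        } // lock released: never hold it across the (possibly slow) write
        if (!rec)
            return -1;
        if (recreateDuringSend)
            Recreate("/tmp/clips/next"); // simulates ModifyPushTransport arriving mid-send
        rec->Write(seq);                 // old recorder still valid: we hold a reference
        return rec->Generation();
    }

    std::shared_ptr<ClipRecorder> Current()
    {
        std::lock_guard<std::mutex> lock(mLock);
        return mRecorder;
    }

private:
    std::mutex mLock;
    std::shared_ptr<ClipRecorder> mRecorder;
    int mGeneration = 0;
};

struct Outcome
{
    int generation;                 // recorder generation that received the packet
    std::size_t destroyedAfterSend; // recorders freed by the time SendPacket returned
    std::size_t writtenByNew;       // packets seen by the replacement recorder
    std::size_t destroyedAtEnd;     // recorders freed once the transport is gone
};

// Scenario: the transport is recreated while a packet send is in progress.
Outcome RunScenario()
{
    DestroyedCount() = 0;
    Outcome out{};
    {
        Transport transport;
        transport.Recreate("/tmp/clips/first");                // generation 1
        out.generation         = transport.SendPacket(7, true); // recreation happens inside
        out.destroyedAfterSend = DestroyedCount();              // generation 1 freed here, not earlier
        out.writtenByNew       = transport.Current()->Written();
    }                                                           // transport gone: generation 2 freed
    out.destroyedAtEnd = DestroyedCount();
    return out;
}

} // namespace demo
```

Build with `g++ -std=c++17 -fsanitize=address` and call `demo::RunScenario()`: the packet lands in generation 1, that recorder is destroyed at the moment the sender's copy goes out of scope (not 10 ms after reset, and not before), and ASan stays silent. The destructor-side part of the fix, joining the worker before members are destroyed, is independent of this and is what the PR's join at line 102 already does.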

@github-actions

github-actions bot commented Apr 9, 2026

PR #71470: Size comparison from fdb31db to 61fc2d7

Full report (34 builds for bl602, bl616, bl702, bl702l, cc13x4_26x4, cc32xx, efr32, esp32, nrfconnect, nxp, psoc6, qpg, realtek, stm32, telink)
platform    | target                                               | config                  | section | fdb31db | 61fc2d7 | change | % change
bl602       | lighting-app                                         | bl602+mfd+littlefs+rpc  | FLASH   | 1090510 | 1090510 | 0      | 0.0
bl602       | lighting-app                                         | bl602+mfd+littlefs+rpc  | RAM     | 144858  | 144858  | 0      | 0.0
bl616       | lighting-app                                         | bl616+thread            | FLASH   | 1101988 | 1101988 | 0      | 0.0
bl616       | lighting-app                                         | bl616+thread            | RAM     | 104280  | 104280  | 0      | 0.0
bl616       | lighting-app                                         | bl616+wifi+shell        | FLASH   | 1588876 | 1588876 | 0      | 0.0
bl616       | lighting-app                                         | bl616+wifi+shell        | RAM     | 98176   | 98176   | 0      | 0.0
bl702       | lighting-app                                         | bl702+eth               | FLASH   | 1053664 | 1053664 | 0      | 0.0
bl702       | lighting-app                                         | bl702+eth               | RAM     | 108461  | 108461  | 0      | 0.0
bl702l      | contact-sensor-app                                   | bl702l+mfd+littlefs     | FLASH   | 892362  | 892362  | 0      | 0.0
bl702l      | contact-sensor-app                                   | bl702l+mfd+littlefs     | RAM     | 105852  | 105852  | 0      | 0.0
cc13x4_26x4 | lighting-app                                         | LP_EM_CC1354P10_6       | FLASH   | 775888  | 775888  | 0      | 0.0
cc13x4_26x4 | lighting-app                                         | LP_EM_CC1354P10_6       | RAM     | 103396  | 103396  | 0      | 0.0
cc13x4_26x4 | lock-ftd                                             | LP_EM_CC1354P10_6       | FLASH   | 788092  | 788092  | 0      | 0.0
cc13x4_26x4 | lock-ftd                                             | LP_EM_CC1354P10_6       | RAM     | 108588  | 108588  | 0      | 0.0
cc13x4_26x4 | pump-app                                             | LP_EM_CC1354P10_6       | FLASH   | 734416  | 734416  | 0      | 0.0
cc13x4_26x4 | pump-app                                             | LP_EM_CC1354P10_6       | RAM     | 97396   | 97396   | 0      | 0.0
cc13x4_26x4 | pump-controller-app                                  | LP_EM_CC1354P10_6       | FLASH   | 717844  | 717844  | 0      | 0.0
cc13x4_26x4 | pump-controller-app                                  | LP_EM_CC1354P10_6       | RAM     | 97556   | 97556   | 0      | 0.0
cc32xx      | air-purifier                                         | CC3235SF_LAUNCHXL       | FLASH   | 559874  | 559874  | 0      | 0.0
cc32xx      | air-purifier                                         | CC3235SF_LAUNCHXL       | RAM     | 204568  | 204568  | 0      | 0.0
cc32xx      | lock                                                 | CC3235SF_LAUNCHXL       | FLASH   | 592742  | 592742  | 0      | 0.0
cc32xx      | lock                                                 | CC3235SF_LAUNCHXL       | RAM     | 204816  | 204816  | 0      | 0.0
efr32       | lock-app                                             | BRD4187C                | FLASH   | 992424  | 992424  | 0      | 0.0
efr32       | lock-app                                             | BRD4187C                | RAM     | 131268  | 131268  | 0      | 0.0
efr32       | lock-app                                             | BRD4338a                | FLASH   | 796297  | 796297  | 0      | 0.0
efr32       | lock-app                                             | BRD4338a                | RAM     | 243364  | 243364  | 0      | 0.0
efr32       | window-app                                           | BRD4187C                | FLASH   | 1098000 | 1098000 | 0      | 0.0
efr32       | window-app                                           | BRD4187C                | RAM     | 130308  | 130308  | 0      | 0.0
esp32       | all-clusters-app                                     | c3devkit                | DRAM    | 98460   | 98460   | 0      | 0.0
esp32       | all-clusters-app                                     | c3devkit                | FLASH   | 1599174 | 1599174 | 0      | 0.0
esp32       | all-clusters-app                                     | c3devkit                | IRAM    | 93514   | 93514   | 0      | 0.0
nrfconnect  | all-clusters-app                                     | nrf52840dk_nrf52840     | FLASH   | 862232  | 862232  | 0      | 0.0
nrfconnect  | all-clusters-app                                     | nrf52840dk_nrf52840     | RAM     | 162094  | 162094  | 0      | 0.0
nxp         | contact                                              | mcxw71+release          | FLASH   | 739016  | 739016  | 0      | 0.0
nxp         | contact                                              | mcxw71+release          | RAM     | 67016   | 67016   | 0      | 0.0
psoc6       | all-clusters                                         | cy8ckit_062s2_43012     | FLASH   | 1711700 | 1711700 | 0      | 0.0
psoc6       | all-clusters                                         | cy8ckit_062s2_43012     | RAM     | 214028  | 214028  | 0      | 0.0
psoc6       | all-clusters-minimal                                 | cy8ckit_062s2_43012     | FLASH   | 1609460 | 1609460 | 0      | 0.0
psoc6       | all-clusters-minimal                                 | cy8ckit_062s2_43012     | RAM     | 210908  | 210908  | 0      | 0.0
psoc6       | light                                                | cy8ckit_062s2_43012     | FLASH   | 1466876 | 1466876 | 0      | 0.0
psoc6       | light                                                | cy8ckit_062s2_43012     | RAM     | 197068  | 197068  | 0      | 0.0
psoc6       | lock                                                 | cy8ckit_062s2_43012     | FLASH   | 1499596 | 1499596 | 0      | 0.0
psoc6       | lock                                                 | cy8ckit_062s2_43012     | RAM     | 224820  | 224820  | 0      | 0.0
qpg         | lighting-app                                         | qpg6200+debug           | FLASH   | 842668  | 842668  | 0      | 0.0
qpg         | lighting-app                                         | qpg6200+debug           | RAM     | 127868  | 127868  | 0      | 0.0
qpg         | lock-app                                             | qpg6200+debug           | FLASH   | 781284  | 781284  | 0      | 0.0
qpg         | lock-app                                             | qpg6200+debug           | RAM     | 118816  | 118816  | 0      | 0.0
realtek     | light-switch-app                                     | rtl8777g                | FLASH   | 680504  | 680504  | 0      | 0.0
realtek     | light-switch-app                                     | rtl8777g                | RAM     | 101600  | 101600  | 0      | 0.0
realtek     | lighting-app                                         | rtl8777g                | FLASH   | 724512  | 724512  | 0      | 0.0
realtek     | lighting-app                                         | rtl8777g                | RAM     | 101956  | 101956  | 0      | 0.0
stm32       | light                                                | STM32WB5MM-DK           | FLASH   | 475452  | 475452  | 0      | 0.0
stm32       | light                                                | STM32WB5MM-DK           | RAM     | 141388  | 141388  | 0      | 0.0
telink      | bridge-app                                           | tl7218x                 | FLASH   | 730904  | 730904  | 0      | 0.0
telink      | bridge-app                                           | tl7218x                 | RAM     | 95924   | 95924   | 0      | 0.0
telink      | light-app-ota-compress-lzma-shell-factory-data       | tl3218x                 | FLASH   | 850328  | 850328  | 0      | 0.0
telink      | light-app-ota-compress-lzma-shell-factory-data       | tl3218x                 | RAM     | 44340   | 44340   | 0      | 0.0
telink      | light-app-ota-compress-lzma-shell-factory-data       | tl7218x                 | FLASH   | 841734  | 841734  | 0      | 0.0
telink      | light-app-ota-compress-lzma-shell-factory-data       | tl7218x                 | RAM     | 99724   | 99724   | 0      | 0.0
telink      | light-switch-app-ota-compress-lzma-factory-data      | tl7218x_retention       | FLASH   | 730232  | 730232  | 0      | 0.0
telink      | light-switch-app-ota-compress-lzma-factory-data      | tl7218x_retention       | RAM     | 55984   | 55984   | 0      | 0.0
telink      | light-switch-app-ota-compress-lzma-shell-factory-data| tlsr9528a               | FLASH   | 793458  | 793458  | 0      | 0.0
telink      | light-switch-app-ota-compress-lzma-shell-factory-data| tlsr9528a               | RAM     | 75160   | 75160   | 0      | 0.0
telink      | light-switch-app-ota-factory-data                    | tl3218x_retention       | FLASH   | 730176  | 730176  | 0      | 0.0
telink      | light-switch-app-ota-factory-data                    | tl3218x_retention       | RAM     | 33468   | 33468   | 0      | 0.0
telink      | lighting-app-ota-factory-data                        | tlsr9118bdk40d          | FLASH   | 613142  | 613142  | 0      | 0.0
telink      | lighting-app-ota-factory-data                        | tlsr9118bdk40d          | RAM     | 118396  | 118396  | 0      | 0.0
telink      | lighting-app-ota-rpc-factory-data-4mb                | tlsr9518adk80d          | FLASH   | 839868  | 839872  | 4      | 0.0
telink      | lighting-app-ota-rpc-factory-data-4mb                | tlsr9518adk80d          | RAM     | 97432   | 97432   | 0      | 0.0

@codecov

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.31%. Comparing base (fdb31db) to head (61fc2d7).

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #71470   +/-   ##
=======================================
  Coverage   54.31%   54.31%           
=======================================
  Files        1576     1576           
  Lines      108247   108247           
  Branches    13401    13401           
=======================================
  Hits        58796    58796           
  Misses      49451    49451           




Development

Successfully merging this pull request may close these issues.

[Flaky-test] TC_PAVST_2_13 failing due to heap-use-after-free
