* fix compatibility for legacy and make sure work on new rsd as well

hazmi-e205 · hazmi-e205 · commit 596f0b2bbfef · 2026-03-17T16:08:50.000+07:00
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -367,11 +367,11 @@ This section records all practical changes made during iOS 26.2 USB bring-up. Ke
 - `ProcessService::GetProcessListDTX()` timeout increased to 15s for large process-list replies on tunnel paths.
 - `FPSService` hardening:
   - bounded probe/start timeouts
-  - explicit error path when `startSamplingAtTimeInterval:` times out
+  - `startSamplingAtTimeInterval:` timeout handled as warning/non-fatal for cross-version compatibility
   - cleanup of partially created channel/connection on startup failure.
 - `PerformanceService` hardening:
   - bounded attribute/config/start timeouts
-  - explicit failure handling for `start`
+  - `start` timeout handled as warning/non-fatal for cross-version compatibility
   - cleanup on startup failure.
 - `Stop()` behavior for FPS/Performance changed to always clean up existing channel/connection resources even when `m_running` is false (prevents leaked receive threads after partial startup failures).
 - `XCTestService` hardening:
@@ -381,6 +381,34 @@ This section records all practical changes made during iOS 26.2 USB bring-up. Ke
   - reset port-forwarder object if initial port-forward setup fails
   - `Stop()` now also runs when only forwarding resources exist (not only when running/thread-active).
 
+### 10) Detailed dual-compatibility findings (iOS 15 + iOS 26.2)
+
+These were the key cross-version findings from real-device validation:
+
+1. Different startup semantics across iOS versions:
+- iOS 26.2 reliably replies to `runningProcesses` and stream-start flows on the RSD/CDTunnel path.
+- iOS 15 can stream FPS/perf data even when sync `start` reply is delayed/missing.
+- Action taken: treat FPS/perf `start` reply timeout as warning (non-fatal), continue waiting for stream data.
+
+2. Cleanup behavior must not depend only on `m_running`:
+- Partial startup failures can leave channels/connections allocated while `m_running == false`.
+- Action taken: `Stop()` paths in FPS/Performance/XCTest/WDA now clean up resources even in partial-failure states.
+
+3. iOS 15 SSL receive crash during stop:
+- Crash stack showed `SSL_read` via `idevice_connection_receive_timeout` while stopping FPS.
+- Root cause: close/disconnect race with receive thread in idevice (SSL) transport mode.
+- Action taken: split transport close path:
+  - socket mode: close immediately without recv-lock (avoids tunnel deadlock)
+  - idevice mode: close under recv+send locks (prevents SSL use-after-free race).
+
+4. Timeout tuning must be service-specific:
+- Process list can be large (especially on modern systems), so short sync timeout causes false failures.
+- Action taken: increased process list sync timeout; set bounded but practical service timeouts for FPS/perf setup.
+
+5. Final validated matrix:
+- iOS 15 (legacy USB DTX/SSL): process list, FPS, performance: working.
+- iOS 26.2 (USB CDTunnel + RSD + DTX): process list, FPS, performance: working.
+
 ## Service Implementation Patterns (iOS 15 Tested)
 
 ### Global Message Handler Pattern
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 A standalone, pure C++20 library for communicating with iOS Instruments services. Supports iOS 12-16 via USB/network and iOS 17+ via USB RSD, USB CDTunnel/CoreDeviceProxy, USB-NCM fallback, or external CoreDevice tunnel.
 
-**Status**: DTX protocol working - process listing, FPS monitoring, and performance monitoring tested on **iOS 12 and iOS 15** via USB (Feb 2026). iOS 26.2 USB path validated (Mar 2026): built-in CDTunnel + RSD + DTX handshake + process listing, FPS service, and performance service all working.
+**Status**: DTX protocol working - process listing, FPS monitoring, and performance monitoring validated on **iOS 12, iOS 15, and iOS 26.2** via USB. iOS 26.2 uses built-in CDTunnel + RSD + DTX; iOS 15 uses legacy USB DTX/SSL path.
 
 ## Features
 
@@ -108,7 +108,7 @@ printf("iOS: %s\n", info.version.c_str());
 #### Process Management
 
 ```cpp
-// List all running processes (✅ Tested on iOS 15 via USB)
+// List all running processes (validated on iOS 15 and iOS 26.2 via USB)
 std::vector<ProcessInfo> procs;
 Error err = inst->Process().GetProcessList(procs);
 if (err == Error::Success) {
@@ -459,3 +459,4 @@ GNU Affero General Public License v3.0 (AGPL-3.0)
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 
 See the [LICENSE](LICENSE) file for full details.
+
diff --git a/src/dtx/dtx_transport.cpp b/src/dtx/dtx_transport.cpp
@@ -146,20 +146,21 @@ DTXTransport::~DTXTransport() {
 
 void DTXTransport::Close() {
     m_connected = false;
-    // IMPORTANT: close socket without waiting for m_recvMutex.
-    // Receive() holds m_recvMutex while blocked in recv(); taking m_recvMutex here
-    // can deadlock Disconnect()->Close()->join(receiveThread).
+    // Socket mode: close without taking m_recvMutex to avoid deadlock when the
+    // receive thread is blocked in recv() while holding m_recvMutex.
     if (m_socketFd >= 0) {
         CLOSE_SOCKET(static_cast<socket_t>(m_socketFd));
         m_socketFd = -1;
+        return;
     }
-    {
-        std::lock_guard<std::mutex> lock(m_sendMutex);
-        if (m_connection && m_ownsConnection) {
-            idevice_disconnect(m_connection);
-        }
-        m_connection = nullptr;
+
+    // idevice/SSL mode: synchronize against in-flight ReadExact()/Receive()
+    // to avoid use-after-free races inside idevice_connection_receive_timeout().
+    std::scoped_lock<std::mutex, std::mutex> lock(m_recvMutex, m_sendMutex);
+    if (m_connection && m_ownsConnection) {
+        idevice_disconnect(m_connection);
     }
+    m_connection = nullptr;
 }
 
 bool DTXTransport::ReadExact(uint8_t* buffer, size_t length) {
diff --git a/src/services/fps_service.cpp b/src/services/fps_service.cpp
@@ -109,9 +109,9 @@ Error FPSService::Start(uint32_t sampleIntervalMs,
     startMsg->AppendAuxiliary(NSObject(0.0));
     auto response = m_channel->SendMessageSync(startMsg, kStartTimeoutMs);
     if (!response) {
-        if (errorCb) errorCb(Error::Timeout, "startSampling timeout");
-        Stop();
-        return Error::Timeout;
+        // Some iOS versions start streaming without returning a sync response.
+        // Keep the session alive and rely on incoming stream messages.
+        INST_LOG_WARN(TAG, "startSampling timed out, continuing and waiting for stream data");
     }
 
     m_running.store(true);
diff --git a/src/services/performance_service.cpp b/src/services/performance_service.cpp
@@ -191,9 +191,9 @@ Error PerformanceService::Start(const PerfConfig& config,
     auto startMsg = DTXMessage::CreateWithSelector("start");
     response = m_channel->SendMessageSync(startMsg, kStartTimeoutMs);
     if (!response) {
-        if (errorCb) errorCb(Error::Timeout, "start timeout");
-        Stop();
-        return Error::Timeout;
+        // Some iOS versions begin sysmontap streaming without a sync reply.
+        // Continue and process incoming channel/global messages.
+        INST_LOG_WARN(TAG, "sysmontap start timed out, continuing and waiting for stream data");
     }
     INST_LOG_INFO(TAG, "Performance monitoring started (interval=%ums)",
                  actualConfig.sampleIntervalMs);
