Closed Bug 1011110 Opened 11 years ago Closed 11 years ago

Crash while toggling bluetooth and running other stability scripts

Categories

(Firefox OS Graveyard :: Bluetooth, defect)

Product:
Firefox OS Graveyard
Component:
Bluetooth
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(blocking-b2g:1.4+, firefox30 wontfix, firefox31 wontfix, firefox32 fixed, b2g-v1.4 fixed, b2g-v2.0 fixed)

Status:
RESOLVED FIXED
Milestone:
2.0 S3 (6june)
Project Flags:
blocking-b2g 1.4+
Tracking Flags:
Tracking Status
firefox30 --- wontfix
firefox31 --- wontfix
firefox32 --- fixed
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed

People

(Reporter: ggrisco, Assigned: khuey)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [caf-crash 214][caf priority: p2][CR 664942][b2g-crash][p=2])

Crash Data

Attachments

(3 files, 2 obsolete files)

decoded minidump of crash
420.40 KB, text/plain
Details
EXTRA file attachment (plus some logs)
575.41 KB, text/plain
Details
Patch
1.73 KB, patch
khuey
: review+
Details | Diff | Splinter Review
Crash in PBluetoothRequest::Transition while turning bluetooth on/off signature: [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::dom::bluetooth::PBluetoothRequest::Transition(mozilla::dom::bluetooth::PBluetoothRequest::State, mozilla::ipc::Trigger, mozilla::dom::bluetooth::PBluetoothRequest::State*) | mozilla::dom::bluetooth::PBluetoothRequestParent::Send__delete__(mozilla::dom::bluetooth::PBluetoothRequestParent*, mozilla::dom::bluetooth::BluetoothReply const&) ]
xpcom_runtime_abort([Parent 205] ###!!! ABORT: __delete__()d actor: file PBluetoothRequest.cpp, line 29)
This happened during enabled process. 05-15 15:00:14.080 205 15378 E bt-btm : BTM_SecRegister:p_cb_info->p_le_callback == 0xb0a371a1 05-15 15:00:14.080 205 15378 E bt-btm : BTM_SecRegister: btm_cb.api.p_le_callback = 0xb0a371a1 05-15 15:00:14.090 205 741 E bt-btif : btif_config_get(L189): assert failed: section && *section && key && *key && name && *name && bytes && type 05-15 15:00:14.090 205 741 E bt-btif : btif_config_get(L189): assert failed: section && *section && key && *key && name && *name && bytes && type 05-15 15:00:14.090 205 741 E bt-btif : btif_storage_get_adapter_property service_mask:0x40040 05-15 15:00:14.090 205 15378 W bt-l2cap: L2CAP - L2CA_Register() called for PSM: 0x0019 05-15 15:00:14.090 205 15378 W bt-l2cap: L2CAP - L2CA_Register() called for PSM: 0x0017 05-15 15:00:14.090 205 15378 W bt-l2cap: L2CAP - L2CA_Register() called for PSM: 0x001b 05-15 15:00:14.100 205 15381 E bt_mct : hci lib postload completed 05-15 15:00:14.100 205 741 I bte_conf: Attempt to load did conf from /etc/bluetooth/bt_did.conf 05-15 15:00:14.100 205 741 I bte_conf: [1] primary_record=1 vendor_id=0x001D vendor_id_source=0x0001 product_id=0x1200 version=0x1436 05-15 15:00:14.100 205 741 I bte_conf: Attempt to load did conf from /etc/bluetooth/bt_did.conf 05-15 15:00:14.100 205 741 I bte_conf: Attempt to load did conf from /etc/bluetooth/bt_did.conf 05-15 15:00:14.100 205 741 I GeckoBluetooth: AdapterStateChangeCallback: BT_STATE 1 05-15 15:00:14.100 205 741 D bt-btif : btif_av_state_idle_handler event:BTA_AV_ENABLE_EVT flags 0 05-15 15:00:14.100 205 741 D bt-btif : btif_av_state_idle_handler event:BTA_AV_REGISTER_EVT flags 0 05-15 15:00:14.110 205 205 I Gecko : [Parent 205] ###!!! ABORT: __delete__()d actor: file PBluetoothRequest.cpp, line 29 05-15 15:00:14.110 205 205 E Gecko : mozalloc_abort: [Parent 205] ###!!! ABORT: __delete__()d actor: file PBluetoothRequest.cpp, line 29
blocking-b2g: 1.4? → 1.4+
Keywords: crash
Whiteboard: [CR 664942] → [CR 664942][b2g-crash]
I think we can try to reproduce this bug using some extreme ways: It looks like Bluetooth just got disabled, however, after 90ms, bluedroid enable again. 05-15 15:00:12.480 205 741 I bt_vendor: bt-vendor : BT_VND_OP_POWER_CTRL: Off 05-15 15:00:12.480 205 741 I bt_vendor: Starting hciattach daemon 05-15 15:00:12.480 205 741 I bt_vendor: try to set false 05-15 15:00:12.480 205 15156 I GKI_LINUX: gki_task_entry: gki_task task_id=0 [BTU] terminating 05-15 15:00:12.480 205 741 I GKI_LINUX: GKI_exit_task: GKI_exit_task 0 done 05-15 15:00:12.480 205 741 I GKI_LINUX: GKI_destroy_task: GKI_shutdown(): task [BTU] terminated 05-15 15:00:12.480 205 741 I GeckoBluetooth: AdapterStateChangeCallback: BT_STATE 0 05-15 15:00:12.570 205 205 I bluedroid: enable 05-15 15:00:12.570 205 205 I bt_hci_bdroid: init
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #4) > I think we can try to reproduce this bug using some extreme ways: Hi Shawn, can you clarify if you are going to attempt to reproduce or if you are asking for some action from me? Thanks, Greg
Flags: needinfo?(shuang)
Summary: Crash while toggline bluetooth and running other stability scripts → Crash while toggling bluetooth and running other stability scripts
Greg, I just tried to figure out any STR to reproduce this bug. After checking 'EXTRA file', I found enable/disable interval is 90ms, after that mozalloc_abort occurred. I'm not asking any actions because this test is just simply enable/disable test case. What's the test script's behavior?
Flags: needinfo?(shuang)
Crash observed on: Device: msm8226 Firmware: AU_LABEL Moz BuildID: 20140511000204 B2G Version: 1.4 Gecko Version: 30.0 Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=17fb44880e95bc7ae363a609d811bf5a9a067b5b Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=2f11e3aba98eb785ec24504fe9988ab61a03b64d
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #6) > What's the test script's behavior? This is what I have from test team: 1. Make calls from phone (mobile originated) 2. Open camera 3. Receive calls (mobile terminated) 4. Device kept in idle mode for some time. 5. Performed Bluetooth on/off multiple times.
Whiteboard: [CR 664942][b2g-crash] → [CR 664942][b2g-crash][ETA=22][p=2]
This only happened whenever something goes wrong with BluetoothReplyRunnable, AFAIK, since ACTOR's previous state becomes to unknown. This might lead PBluetoothRequest::Transition to NS_RUNTIMEABORT.
Whiteboard: [CR 664942][b2g-crash][ETA=22][p=2] → [CR 664942][b2g-crash][ETA:5/22][p=2]
I'm running Bluetooth on/off auto-test with gdb attach overnight now, see if I can use gdb to get more debug information. Right now, I can only identify actor was been deleted. Thomas, any suggestion would like to share?
Flags: needinfo?(tzimmermann)
Sorry, no. Someone with a deeper insight into our IPDL implementation might be able help.
Flags: needinfo?(tzimmermann)
Crash observed on: Device: msm8226 Gonk Version: AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.102 Moz BuildID: 20140515000202 B2G Version: 1.4 Gecko Version: 30.0 Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=2e97bee6bb79d3577dba1bf2a1bbfcba64ee99ab Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=35f27a8e9b3f651748aa22095553024556272de8
https://bug997962.bugzilla.mozilla.org/attachment.cgi?id=8426077 There is a racing problem when accessing static nsTArrays on different threads, it might be problematic in general, specially BluetoothReplyRunnable pointer stores in those nsTArrays in Bug 997962. We shall try this patch first to see any stability improvement.
Greg, Can we apply patches based on https://bugzilla.mozilla.org/show_bug.cgi?id=997962#c43 and see if we can fix in general?
Flags: needinfo?(ggrisco)
Whiteboard: [CR 664942][b2g-crash][ETA:5/22][p=2] → [CR 664942][b2g-crash][ETA:5/27][p=2]
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #15) > Greg, > Can we apply patches based on > https://bugzilla.mozilla.org/show_bug.cgi?id=997962#c43 and see if we can > fix in general? That patch has been obsoleted. Please use https://bugzilla.mozilla.org/attachment.cgi?id=8426118 instead.
Another thing that I'm trying to do is to enable IPC debug log. Here is what I did: In adb shell, do: #stop b2g #export MOZ_IPC_MESSAGE_LOG=1 #b2g.sh This will output IPC transaction log to logcat for better understanding why things happened.
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #17) > Another thing that I'm trying to do is to enable IPC debug log. > Here is what I did: > In adb shell, do: > #stop b2g > #export MOZ_IPC_MESSAGE_LOG=1 > #b2g.sh > > This will output IPC transaction log to logcat for better understanding why > things happened. This only works when the b2g build with flag B2G_DEBUG=1
While enabling bluetooth normally, IPC msg, Msg___delete__ sent from PBluetoothRequestParent to PBluetoothRequestChild. I'm still trying to enable these logs and try to reproduce this bug locally. 05-21 09:42:54.100 I/GeckoIPC( 4229): [time:1400679774116858][4229->4659][PBluetoothParent] Sending Msg_Enabled([TODO]) 05-21 09:42:54.100 I/GeckoIPC( 4229): [time:1400679774117074][4229->4659][PBluetoothParent] Sending Msg_Notify([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4229): [time:1400679774118763][4229->4659][PBluetoothParent] Sending Msg_Notify([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774120410][4659<-4229][PBluetoothChild] Received Msg_Enabled([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774120525][4659<-4229][PBluetoothChild] Received Msg_Notify([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774120651][4659<-4229][PBluetoothChild] Received Msg_Notify([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774122496][4659->4229][PBluetoothChild] Sending Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4229): [time:1400679774123173][4229<-4659][PBluetoothParent] Received Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774123420][4659->4229][PBluetoothChild] Sending Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4229): [time:1400679774123516][4229->4659][PBluetoothRequestParent] Sending Msg___delete__([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4229): [time:1400679774123763][4229<-4659][PBluetoothParent] Received Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4229): [time:1400679774124058][4229->4659][PBluetoothRequestParent] Sending Msg___delete__([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774124122][4659<-4229][PBluetoothRequestChild] Received Msg___delete__([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774124578][4659<-4229][PBluetoothRequestChild] Received Msg___delete__([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4659): [time:1400679774125342][4659->4229][PBluetoothChild] Sending Msg_RegisterSignalHandler([TODO]) 05-21 09:42:54.110 I/GeckoIPC( 4229): [time:1400679774126175][4229<-4659][PBluetoothParent] Received Msg_RegisterSignalHandler([TODO]) 05-21 09:42:54.120 I/GeckoIPC( 4659): [time:1400679774127825][4659->4229][PBluetoothChild] Sending Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.120 I/GeckoIPC( 4229): [time:1400679774128475][4229<-4659][PBluetoothParent] Received Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.120 I/GeckoIPC( 4229): [time:1400679774128660][4229->4659][PBluetoothRequestParent] Sending Msg___delete__([TODO]) 05-21 09:42:54.130 I/GeckoIPC( 4659): [time:1400679774142196][4659->4229][PBluetoothChild] Sending Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.130 I/GeckoIPC( 4229): [time:1400679774143253][4229<-4659][PBluetoothParent] Received Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.130 I/GeckoIPC( 4229): [time:1400679774143406][4229->4659][PBluetoothRequestParent] Sending Msg___delete__([TODO]) 05-21 09:42:54.130 I/GeckoIPC( 4659): [time:1400679774144221][4659->4229][PBluetoothChild] Sending Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.130 I/GeckoIPC( 4229): [time:1400679774144748][4229<-4659][PBluetoothParent] Received Msg_PBluetoothRequestConstructor([TODO]) 05-21 09:42:54.130 I/GeckoIPC( 4659): [time:1400679774146490][4659<-4229][PBluetoothRequestChild] Received Msg___delete__([TODO]) 05-21 09:42:54.170 I/GeckoIPC( 4229): [time:1400679774181173][4229->4659][PBluetoothRequestParent] Sending Msg___delete__([TODO]) 05-21 09:42:54.170 I/GeckoIPC( 4659): [time:1400679774183142][4659<-4229][PBluetoothRequestChild] Received Msg___delete__([TODO]) 05-21 09:42:54.170 I/GeckoIPC( 4659): [time:1400679774186305][4659<-4229][PBluetoothRequestChild] Received Msg___delete__([TODO]) 05-21 09:42:54.270 I/GeckoIPC( 4229): [time:1400679774285863][4229->4659][PBluetoothParent] Sending Msg_Notify([TODO]) 05-21 09:42:54.270 I/GeckoIPC( 4659): [time:1400679774286129][4659<-4229][PBluetoothChild] Received Msg_Notify([TODO]) 05-21 09:42:54.270 I/GeckoIPC( 4659): [time:1400679774286274][4659->4229][PBluetoothChild] Sending Msg_RegisterSignalHandler([TODO]) 05-21 09:42:54.270 I/GeckoIPC( 4229): [time:1400679774286536][4229<-4659][PBluetoothParent] Received Msg_RegisterSignalHandler([TODO]) 05-21 09:42:55.180 I/GeckoIPC( 4229): [time:1400679775190585][4229->4659][PBluetoothParent] Sending Msg_Notify([TODO]) 05-21 09:42:55.240 I/GeckoIPC( 4659): [time:1400679775252220][4659<-4229][PBluetoothChild] Received Msg_Notify([TODO]) 05-21 09:42:55.240 I/GeckoIPC( 4659): [time:1400679775252937][4659->4229][PBluetoothChild] Sending Msg_RegisterSignalHandler([TODO]) 05-21 09:42:55.240 I/GeckoIPC( 4229): [time:1400679775253775][4229<-4659][PBluetoothParent] Received Msg_RegisterSignalHandler([TODO]) 05-21 09:42:57.140 I/GeckoIPC( 4229): [time:1400679777154398][4229->4659][PBluetoothParent] Sending Msg_Notify([TODO]) 05-21 09:42:57.160 I/GeckoIPC( 4659): [time:1400679777176431][4659<-4229][PBluetoothChild] Received Msg_Notify([TODO]) 05-21 09:42:57.170 I/GeckoIPC( 4659): [time:1400679777179584][4659->4229][PBluetoothChild] Sending Msg_RegisterSignalHandler([TODO]) 05-21 09:42:57.170 I/GeckoIPC( 4229): [time:1400679777184305][4229<-4659][PBluetoothParent] Received Msg_RegisterSignalHandler([TODO]) 05-21 09:42:58.680 I/GeckoIPC( 4229): [time:1400679778688316][4229->4659][PBluetoothParent] Sending Msg_Notify([TODO]) 05-21 09:42:58.690 I/GeckoIPC( 4659): [time:1400679778700842][4659<-4229][PBluetoothChild] Received Msg_Notify([TODO]) 05-21 09:42:58.690 I/GeckoIPC( 4659): [time:1400679778701496][4659->4229][PBluetoothChild] Sending Msg_RegisterSignalHandler([TODO]) 05-21 09:42:58.690 I/GeckoIPC( 4229): [time:1400679778702906][4229<-4659][PBluetoothParent] Received Msg_RegisterSignalHandler([TODO])
I still cannot reproduce this bug using my auto Bluetooth on/off test scripts on Nexus 5/Flame after 8000 times on/off tests. I think this can be one of use-after-free-of-IPDL-actor bugs. While Bluetooh has been turned on, the following Request types were performed: 1. TDefaultAdapterPathRequest 2. TPairedDevicePropertiesRequest 3. TDefaultAdapterPathRequest 4. TStartDiscoveryRequest (If no previous connected headset) 5. TPairedDevicePropertiesRequest 6. TStopDiscoveryRequest (If Discovery timeout, triggers StopDiscovery) Among these six operations, if IPDL actor has been deleted, crash happened.
http://dxr.mozilla.org/mozilla-central/source/dom/bluetooth/ipc/BluetoothParent.cpp#49 I can't figure out there is any chance that mRequest will be deleted. Actor will be deleted only in DeallocPBluetoothRequestParent, and the path is: PBluetoothRequestParent::Send__delete__ -> PBluetoothParent::RemoveMangee -> BluetoothParent::DeallocPBluetoothRequestParent->BluetoothRequestParent::~BluetoothRequestParent.
It looks like using raw pointer is bad idea. After checking other modules, they have NS ref-counting, so I guess adding ref-counting for BluetoothRequestParent probably can this bug. I will add NS_INLINE_DECL_THREADSAFE_REFCOUNTING(BluetoothRequestParent) and test it. Meanwhile, I'm still finding the root cause why BluetoothRequestParent destructor been called before PBluetoothRequestParent::Send__delete__ got called.
Attachment #8427000 - Flags: feedback? → feedback?(tzimmermann)
libxul.so!mozilla::dom::bluetooth::PBluetoothRequestParent::Send__delete__(mozilla::dom::bluetooth::PBluetoothRequestParent*, mozilla::dom::bluetooth::BluetoothReply const&) [PBluetoothRequestParent.cpp : 69 + 0x7] r0 = 0x0000001d r1 = 0x00000000 r2 = 0x00000000 r3 = 0x000c0001 r4 = 0x97339f40 r5 = 0x9fbff700 r6 = 0xbedc36a8 r7 = 0x000c0001 r8 = 0x9fbff2a0 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000 sp = 0xbedc3690 pc = 0xb4ed62a7 r0 = 0x0000001d, r1 = 0x00000000 seems invalid. So something goes wrong with both PBluetoothReuqestParent* and BluetoothReply*. Patch on Comment 23 is not enough. Still need to check BluetoothReply*
Crash observed on: Device: msm8226 Gonk Version: AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.102 Moz BuildID: 20140515000202 B2G Version: 1.4 Gecko Version: 30.0 Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=2e97bee6bb79d3577dba1bf2a1bbfcba64ee99ab Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=35f27a8e9b3f651748aa22095553024556272de8
Crash observed on: Device: msm8226 Gonk Version: AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.102 Moz BuildID: 20140515000202 B2G Version: 1.4 Gecko Version: 30.0 Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=2e97bee6bb79d3577dba1bf2a1bbfcba64ee99ab Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=35f27a8e9b3f651748aa22095553024556272de8
sorry for the spam, please ignore comments 25, 26.
Flags: needinfo?(ggrisco)
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #24) > libxul.so!mozilla::dom::bluetooth::PBluetoothRequestParent:: > Send__delete__(mozilla::dom::bluetooth::PBluetoothRequestParent*, > mozilla::dom::bluetooth::BluetoothReply const&) [PBluetoothRequestParent.cpp > : 69 + 0x7] > r0 = 0x0000001d r1 = 0x00000000 r2 = 0x00000000 r3 = 0x000c0001 > r4 = 0x97339f40 r5 = 0x9fbff700 r6 = 0xbedc36a8 r7 = 0x000c0001 > r8 = 0x9fbff2a0 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000 > sp = 0xbedc3690 pc = 0xb4ed62a7 > > r0 = 0x0000001d, r1 = 0x00000000 seems invalid. So something goes wrong with > both PBluetoothReuqestParent* and BluetoothReply*. Patch on Comment 23 is > not enough. Still need to check BluetoothReply* If r0 is 'this' pointer, r1, r2 are fucntion parameters, these registers had been modified. So I can only say that adding reference counting on BluetoothRequestParent should help use-after-free-of-IPDL-actor. But i still cannot explain why r0-r2 registers are all invalid.
Crash observed on: Device: msm8226 Gonk Version: AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.102 Moz BuildID: 20140515000202 B2G Version: 1.4 Gecko Version: 30.0 Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=2e97bee6bb79d3577dba1bf2a1bbfcba64ee99ab Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=35f27a8e9b3f651748aa22095553024556272de8
Comment on attachment 8427000 [details] [diff] [review] 0001-Add-thread-safe-ref-counting-for-BluetoothRequestPar.patch Per discussed with echou, redirect to bent. Thanks.
Attachment #8427000 - Flags: review?(benjamin) → review?(bent.mozilla)
Crash observed on: Device: msm8226 Gonk Version: AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.102 Moz BuildID: 20140515000202 B2G Version: 1.4 Gecko Version: 30.0 Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=2e97bee6bb79d3577dba1bf2a1bbfcba64ee99ab Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=35f27a8e9b3f651748aa22095553024556272de8
Comment on attachment 8427000 [details] [diff] [review] 0001-Add-thread-safe-ref-counting-for-BluetoothRequestPar.patch Review of attachment 8427000 [details] [diff] [review]: ----------------------------------------------------------------- How can this fix your problem? You are only reference counting this in the exact spots where you new/deleted it before, so this doesn't change the lifetime at all.
Attachment #8427000 - Flags: review-
Comment on attachment 8427000 [details] [diff] [review] 0001-Add-thread-safe-ref-counting-for-BluetoothRequestPar.patch Review of attachment 8427000 [details] [diff] [review]: ----------------------------------------------------------------- Following STR does not work with this patch. 1) pair with device A 2) unpair with device A 3) Repeat (1) and (2) 10 times. Please upload a new fix
Flags: needinfo?(shuang)
Attachment #8427000 - Flags: review?(bent.mozilla)
Flags: needinfo?(shuang)
Attachment #8427000 - Attachment is obsolete: true
Attachment #8427000 - Flags: feedback?(echou)
Eric, Please help move this ahead as this is blocking partner testing.
Flags: needinfo?(echou)
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #32) > Comment on attachment 8427000 [details] [diff] [review] > 0001-Add-thread-safe-ref-counting-for-BluetoothRequestPar.patch > > Review of attachment 8427000 [details] [diff] [review]: > ----------------------------------------------------------------- > > How can this fix your problem? You are only reference counting this in the > exact spots where you new/deleted it before, so this doesn't change the > lifetime at all. I can't reproduce locally, somehow it's hard for me to speed the progress. ReplyRunnable is constructed in BluetoothRequestParent constructor, BluetoothRequestParent is constructed in |BluetoothParent::AllocPBluetoothRequestParent()|, destructed in |BluetoothParent::DeallocPBluetoothRequestParent()|. |DeallocPBluetoothRequestParent()| only happened after |mRequest->Send__delete__()| had been executed. http://dxr.mozilla.org/mozilla-central/source/dom/bluetooth/ipc/BluetoothParent.cpp#49 I really can't explain here, mRequest got freed based on the crash stack frame #3, if i interpreted correctly. Kyle, do you have any suggestion from IPC perspective?
Flags: needinfo?(khuey)
Attached patch Patch (obsolete) — Splinter Review
Try this.
Flags: needinfo?(khuey)
Tapas, can you try the patch in comment 36?
Flags: needinfo?(tkundu)
Comment on attachment 8430977 [details] [diff] [review] Patch Review of attachment 8430977 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/bluetooth/ipc/BluetoothParent.cpp @@ +59,2 @@ > void > Revoke() I tried, and found this |Revoke()| function will never be executed during Bluetooth on/off. I wonder when will this |Revoke| be called?
#comment 38 has given this info already :) . Clearing NI on me.
Flags: needinfo?(tkundu)
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #38) > Comment on attachment 8430977 [details] [diff] [review] > Patch > > Review of attachment 8430977 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/bluetooth/ipc/BluetoothParent.cpp > @@ +59,2 @@ > > void > > Revoke() > > I tried, and found this |Revoke()| function will never be executed during > Bluetooth on/off. I wonder when will this |Revoke| be called? It's called when the other process dies unexpectedly (say if the app doing bluetooth is OOM killed in the middle of it). (In reply to Tapas Kumar Kundu from comment #39) > #comment 38 has given this info already :) . Clearing NI on me. Unless I'm missing something comment 38 doesn't give the results of a test run on my patch ...
Flags: needinfo?(khuey) → needinfo?(tkundu)
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #40) Patch looks fine in my own testing of bluetooth on/off . I didn't see issues like #comment 33. But I asked my colleagues to test this patch for stability test. I will confirm here once they confirm me.
Comment on attachment 8430977 [details] [diff] [review] Patch Review of attachment 8430977 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/bluetooth/ipc/BluetoothParent.cpp @@ +68,5 @@ > MOZ_CRASH("This should never be called!"); > } > + > + virtual void > + ReleaseMembers() MOZ_OVERRIDE Please go ahead and mark this class as MOZ_FINAL.
Attachment #8430977 - Flags: review?(bent.mozilla) → review+
Attached patch PatchSplinter Review
Attachment #8430977 - Attachment is obsolete: true
Attachment #8432840 - Flags: review+
Just waiting on the confirmation from comment 41 to land this.
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #44) > Just waiting on the confirmation from comment 41 to land this. This change is still under testing. You can land it if it looks ok to you.
https://hg.mozilla.org/mozilla-central/rev/1cd1d27985e9
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/775862aee0ea
status-b2g-v1.4: --- → fixed
status-b2g-v2.0: --- → fixed
status-firefox30: --- → wontfix
status-firefox31: --- → wontfix
status-firefox32: --- → fixed
Whiteboard: [CR 664942][b2g-crash][ETA:5/27][p=2] → [CR 664942][b2g-crash][p=2]
Target Milestone: --- → 2.0 S3 (6june)
Whiteboard: [CR 664942][b2g-crash][p=2] → [caf priority: p2][CR 664942][b2g-crash][p=2]
Flags: needinfo?(echou)
We didn't see this anymore. It seems like it is fixed. Thanks for your help
Flags: needinfo?(tkundu)
Whiteboard: [caf priority: p2][CR 664942][b2g-crash][p=2] → [caf-crash 214][caf priority: p2][CR 664942][b2g-crash][p=2]
Test case needs to be added to cover this issue
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(ktucker)
Flags: in-moztrap?(dharris)
Test case added in moztrap: https://moztrap.mozilla.org/manage/case/14325/
URL: https://moztrap.mozilla.org/manage/ca...
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker)
Flags: in-moztrap?(dharris)
Flags: in-moztrap+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: