Closed Bug 1015810 Opened 10 years ago Closed 10 years ago

[Sora][BT] Happen to crash when switch off or on "BT".

Categories

(Firefox OS Graveyard :: General, defect, P1)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: sync-1, Unassigned)

Details

(Keywords: crash, Whiteboard: [b2g-crash])

Attachments

(4 files)

FFOS1.3 Mozilla Build ID: 20140422024003
 
 DEFECT DESCRIPTION:
  Happen to crash when switch off or on "BT".
 
  REPRODUCING PROCEDURES:
  1. Launch BT and pair with BT headset (Rapoo H6000);
  2. Answer a call and do some operations in BT(As pair with others and search devices, switch off or on "visible" )
  3. Happen to crash when switch off or on "BT".--KO
 
  EXPECTED BEHAVIOUR:
  Have no crash situation.
 
 
  Buri can't reproduce it.
Attached file BT crash log
Attached file log
Steps to reproduce:
1. Launch BT and pair with BT headset
2. switch on/off bluetooth in settings.
3. repeat 2) --> crash

I will capture a minidump log for analysis.
(In reply to Kunny Liu from comment #3)
> Steps to reproduce:
> 1. Launch BT and pair with BT headset
> 2. switch on/off bluetooth in settings.
> 3. repeat 2) --> crash
> 
> I will capture a minidump log for analysis.

Hi Kunny -

To clarify:

1. Does this problem only happen on Rapoo H6000, or it happens on every BT headset you have?
2. You said the device will crash when you repeatedly switch on/off in BT setting, so how many times do you need to repeat? And do you need to do it fast? (For example, On and then Off with an interval of 1 second?)
3. Is it 100% reproducible?
4. Can you attach a video?

Thanks for your help

Vance
Flags: needinfo?(liukun)
> Hi Kunny -
> 
> To clarify:
> 
> 1. Does this problem only happen on Rapoo H6000, or it happens on every BT
> headset you have?

--->  Reproduced with three bt-headset.

> 2. You said the device will crash when you repeatedly switch on/off in BT
> setting, so how many times do you need to repeat? And do you need to do it
> fast? (For example, On and then Off with an interval of 1 second?)

Maybe 4~5 times, not fast. Interval of switch on/off is almost 2s.

> 3. Is it 100% reproducible?
---> Yes.

> 4. Can you attach a video?
----> OK, I will.
Flags: needinfo?(liukun)
Attached video Video of this issue
Dears:
Sorry, I can't capture the minidump file, because when I made an image with "export B2G_NOOPT=1" and "make buildsymbols", I couldn't reproduce this issue.
Please check the adb log.
Thanks!
Dears:
I found the root reason of this issue. It is caused by the patch of Bug#1002353, specifically by the code below:

> +  bool hasRendering = HAS_RENDERING(mTarget.cod) || HAS_CAPTURING(mTarget.cod);

Please help check. Thanks!
Flags: needinfo?(shuang)
Kunny,
What's the headset CoD value? Can you provide EIR records?
Flags: needinfo?(shuang)
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #9)
> Kunny,
> What's the headset CoD value? Can you provide EIR records?

Cod : 0x240404

BT-Headset: Sky-Tone S8
(In reply to Kunny Liu from comment #7)
> Dears:
> Sorry, I can't capture the minidump file, because when I made an image with
> "export B2G_NOOPT=1" and "make buildsymbols", I couldn't reproduce this issue.
> Please check the adb log.
> Thanks!
Kunny,
Even if NOOPT=1 makes the problem disappear, do you mind getting a minidump and parsing symbols without NOOPT=1? Enabling optimization might cause an incorrect backtrace, but it is worth checking anyway.
Hi Shawn:
It's so strange that I can't get any files in "/data/b2g/mozilla/g6xd8zwb.default/minidumps" by below command:

1. ". ./build/envsetup.sh"
2. "lunch msm8610-eng"
3. "make -j8"
4. "make buildsymbols"

run cmd: "MOZ_CRASHREPORTER="1" /system/bin/b2g.sh" in adb shell.

When the crash happened, I couldn't find any files.

I think you can reproduce this issue by adding the patch of Bug#1002353.
(In reply to Kunny Liu from comment #12)
> Hi Shawn:
> It's so strange that I can't get any files in
> "/data/b2g/mozilla/g6xd8zwb.default/minidumps" by below command:
> 
> 1. ". ./build/envsetup.sh"
> 2. "lunch msm8610-eng"
> 3. "make -j8"
> 4. "make buildsymbols"
> 
> run cmd: "MOZ_CRASHREPORTER="1" /system/bin/b2g.sh" in adb shell.
> 
> When the crash happened, I couldn't find any files.
> 
> I think you can reproduce this issue by adding the patch of Bug#1002353.
Thanks. I've found the way to reproduce it on our reference phone.
Program received signal SIGSEGV, Segmentation fault.
mozilla::ipc::RawDBusConnection::SendWithReply (this=0x0, aCallback=0xb53f2e99 <DiscoverServicesCallback(DBusMessage*, void*)>, aData=0xa7fcac20, aTimeout=-1, 
    aMessage=0xa6dc3940) at ../../../gecko/ipc/dbus/RawDBusConnection.cpp:246
246	                                            aTimeout, aCallback, aData));
(gdb) bt
#0  mozilla::ipc::RawDBusConnection::SendWithReply (this=0x0, aCallback=0xb53f2e99 <DiscoverServicesCallback(DBusMessage*, void*)>, aData=0xa7fcac20, aTimeout=-1, 
    aMessage=0xa6dc3940) at ../../../gecko/ipc/dbus/RawDBusConnection.cpp:246
#1  0xb503d070 in mozilla::ipc::RawDBusConnection::SendWithReply (this=0x0, aCallback=0xb53f2e99 <DiscoverServicesCallback(DBusMessage*, void*)>, aData=0xa7fcac20, 
    aTimeout=-1, aPath=0xbe8d2620 "/org/bluez/17522/hci0/dev_00_21_3C_86_0E_CE", aIntf=0xb5fcba3b "org.bluez.Device", aFunc=0xb5fcba4c "DiscoverServices", 
    aFirstArgType=115) at ../../../gecko/ipc/dbus/RawDBusConnection.cpp:281
#2  0xb53f35aa in mozilla::dom::bluetooth::BluetoothDBusService::UpdateSdpRecords (this=<optimized out>, aDeviceAddress=<optimized out>, aManager=0xa99217b0)
    at /home/shawnjohnjr/flame/B2G/gecko/dom/bluetooth/bluez/linux/BluetoothDBusService.cpp:2992
#3  0xb53edb9e in mozilla::dom::bluetooth::BluetoothA2dpManager::Connect (this=0xa99217b0, aDeviceAddress=..., aController=0xa82b00a0)
    at /home/shawnjohnjr/flame/B2G/gecko/dom/bluetooth/bluez/BluetoothA2dpManager.cpp:164
#4  0xb53ea266 in mozilla::dom::bluetooth::BluetoothProfileController::Next (this=0xa82b00a0)
    at /home/shawnjohnjr/flame/B2G/gecko/dom/bluetooth/BluetoothProfileController.cpp:196
#5  0xb53ea33a in mozilla::dom::bluetooth::BluetoothProfileController::OnConnect (this=0xa82b00a0, aErrorStr=...)
    at /home/shawnjohnjr/flame/B2G/gecko/dom/bluetooth/BluetoothProfileController.cpp:229
#6  0xb53eee14 in mozilla::dom::bluetooth::BluetoothHfpManager::OnConnect (this=<optimized out>, aErrorStr=...)
    at /home/shawnjohnjr/flame/B2G/gecko/dom/bluetooth/bluez/BluetoothHfpManager.cpp:1913
#7  0xb53ef0f8 in mozilla::dom::bluetooth::BluetoothHfpManager::OnSocketConnectError (this=0xa9945740, aSocket=<optimized out>)
    at /home/shawnjohnjr/flame/B2G/gecko/dom/bluetooth/bluez/BluetoothHfpManager.cpp:1675
#8  0xb53f22a0 in mozilla::dom::bluetooth::BluetoothSocket::OnConnectError (this=<optimized out>) at ../../../gecko/dom/bluetooth/bluez/BluetoothSocket.cpp:88
#9  0xb503d6fc in mozilla::ipc::UnixSocketConsumer::NotifyError (this=<optimized out>) at ../../../gecko/ipc/unixsocket/UnixSocket.cpp:927
#10 0xb503d728 in mozilla::ipc::OnSocketEventTask::Run (this=<optimized out>) at ../../../gecko/ipc/unixsocket/UnixSocket.cpp:305
#11 0xb4e8a5dc in ProcessNextEvent (result=0xbe8d27df, mayWait=<optimized out>, this=0xb6b21ee0) at ../../../gecko/xpcom/threads/nsThread.cpp:612
Attached patch bug1015810.patch
Hi Kunny,
Can you use this patch and see if you can still reproduce on v.1.3 branch?
Attachment #8429189 - Flags: feedback?(liukun)
Thanks!
I will try and give you feedback ASAP.
Hi Shawn:
I have tested on my device and can't reproduce it. Now I'm waiting for our QA feedback.
BTW:
Would you mind telling me what the root reason of this issue is and why this patch can resolve it? I'd like to know more about this.
Thanks!
It's related to a dbus operation while bluetooth is disabled. BluetoothProfileController queues outgoing connections for both HFP/A2DP. However, while the outgoing connection is ongoing, an SDP query is performed (introduced by the patch of bug 1002353). Because bluetooth is disabled, the dbus operation shall not continue to execute; otherwise some data structure has already been deleted, and that leads to SIGSEGV.
Keywords: crash
Whiteboard: [b2g-crash]
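The failure mode described in the root-cause comment above (an SDP query issued through a connection that was already torn down when Bluetooth was disabled, matching `this=0x0` in the backtrace) can be modelled in a few lines. This is an added sketch, not the attached patch and not Gecko code: `Connection`, `BtService`, `ConnectA2dp` and `ConnectResult` are hypothetical names, and gating the A2DP step on the CoD rendering/capturing bits is an assumption based on the quoted `hasRendering` line.

```cpp
#include <cstdint>
#include <memory>
#include <string>

// Class of Device service-class bits (Bluetooth Assigned Numbers).
constexpr uint32_t kRendering = 1u << 18;  // 0x040000
constexpr uint32_t kCapturing = 1u << 19;  // 0x080000

// Hypothetical stand-in for the D-Bus connection object.
struct Connection {
  int sent = 0;
  bool SendWithReply(const std::string&) { ++sent; return true; }
};

// Hypothetical service model: disabling Bluetooth destroys the connection.
class BtService {
 public:
  void Enable() { mConn.reset(new Connection()); }
  void Disable() { mConn.reset(); }

  // Guarded SDP query: fail cleanly instead of calling through a null
  // connection when Bluetooth was disabled while a connect was queued.
  bool UpdateSdpRecords(const std::string& aAddress) {
    if (!mConn) {
      return false;  // connection already torn down
    }
    return mConn->SendWithReply("DiscoverServices:" + aAddress);
  }

 private:
  std::unique_ptr<Connection> mConn;
};

enum class ConnectResult { Queried, SkippedNoA2dp, FailedDisabled };

// Models the queued A2DP step that runs after the HFP attempt finishes.
// Assumption: the step is taken only for rendering/capturing devices.
ConnectResult ConnectA2dp(BtService& aService, uint32_t aCod,
                          const std::string& aAddress) {
  bool hasRendering = (aCod & kRendering) || (aCod & kCapturing);
  if (!hasRendering) {
    return ConnectResult::SkippedNoA2dp;
  }
  return aService.UpdateSdpRecords(aAddress) ? ConnectResult::Queried
                                             : ConnectResult::FailedDisabled;
}
```

With the CoD reported in this bug (0x240404) the rendering bit is set, so the SDP query path is taken; the guard turns the disabled case into an error return rather than a null dereference.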
Dears:

Please close this bug. Thanks!
The patch of bug 1002353 was not committed into v1.3, so we don't need to do anything. So I closed this bug per Comment 19.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Attachment #8429189 - Flags: feedback?(liukun)