Closed Bug 1021838 Opened 7 years ago Closed 7 years ago

[Wifi] FX OS crash in nsWifiMonitor::Onready(unsigned int, nsIWifiScanResult**)

Categories

(Firefox OS Graveyard :: Wifi, defect)

ARM
Gonk (Firefox OS)
defect
Not set
critical

Tracking

(b2g-v1.3T affected, b2g-v1.4 affected, b2g-v2.0 ?, b2g-v2.1 ?)

RESOLVED FIXED

People

(Reporter: marcia, Assigned: zhenqing.liu)

Details

(Keywords: crash, Whiteboard: [b2g-crash][sprd319559 ][partner-blocker])

Crash Data

User Story

This bug was filed from the Socorro interface and is 
report bp-1af3407e-5d5b-4324-abb5-aa4cb2140606.
=============================================================

Attachments

(2 files, 1 obsolete file)

Seen while running a Master build on Nexus 4. The device was idle at the time of the crash. The build has a recent Gecko, and I pulled the latest Gaia and then installed it.

Frame 	Module 	Signature 	Source
0 	libc.so 	libc.so@0x1ce44 	
1 	libxul.so 	nsWifiMonitor::Onready(unsigned int, nsIWifiScanResult**) 	netwerk/wifi/nsWifiAccessPoint.h
2 	libxul.so 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
3 	libxul.so 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
4 	libxul.so 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
5 		@0xb1eb40c6
Assignee: nobody → vchang
We met this crash twice with Tarako 1.3T during a monkey test.
Whiteboard: [b2g-crash] → [b2g-crash][sprd319559 ]
We met this crash several times during monkey testing.
Marcia, do you have a path to reproduce it?
blocking-b2g: --- → 1.3T?
Flags: needinfo?(mozillamarcia.knous)
Flags: needinfo?(pehrsons)
Whiteboard: [b2g-crash][sprd319559 ] → [b2g-crash][sprd319559 ][partner-blocker]
(In reply to James Zhang (Spreadtrum) from comment #2)
> We met this crash several times during monkey testing.
> Marcia, do you have a path to reproduce it?

Hello James - I only saw this crash once, and I wasn't able to reproduce it.
Flags: needinfo?(mozillamarcia.knous)
Hi, Vincent, according to our backtraces, this crash occurred when calling memcpy in libc.so. Maybe one of the following two lines:
   ap->setMacRaw(mac.get());
   ap->setSSIDRaw(ssid.get(), ssid.Length());
Could you please tell me about your case? And by the way, how do I print the logs in /gecko/netwerk/wifi/nsWifiMonitorGonk.cpp?
Flags: needinfo?(vchang)
(In reply to Zhenqing Liu from comment #4)
> Hi, Vincent, according to our backtraces, this crash occurred when calling
> memcpy in libc.so. Maybe one of the following two lines:
>    ap->setMacRaw(mac.get());
>    ap->setSSIDRaw(ssid.get(), ssid.Length());
> Could you please tell me about your case? And by the way, how do I print the
> logs in /gecko/netwerk/wifi/nsWifiMonitorGonk.cpp?

I can't reproduce the problem here. 

You can output debug messages in a way similar to the link below.
http://dxr.mozilla.org/mozilla-central/source/hal/gonk/GonkHal.cpp?from=gonkhal.cpp&case=true#

I think we should validate the MAC before setting it at the link below.
http://dxr.mozilla.org/mozilla-central/source/netwerk/wifi/nsWifiMonitorGonk.cpp?from=nsWifiMonitorGonk.cpp#147

Can you help to verify if the modification below works for you?

if (!mac.IsEmpty()) {
  ap->setMacRaw(mac.get());
}
Flags: needinfo?(vchang)
Attached file Onready crash patch (obsolete) —
I will track this bug with this patch.
@ very late stage for tarako, if stability test is passing in general, move this to 1.4?
blocking-b2g: 1.3T? → 1.4?
Removing 1.4?, please re-nom if this occurs on Dolphin.
blocking-b2g: 1.4? → ---
Hi Zhenqing, can you take the bug since you can reproduce the problem and provide the patch? Does the patch fix the problem?
Assignee: vchang → zhenqing.liu
(In reply to Vincent Chang[:vchang] from comment #9)
> Hi Zhenqing, can you take the bug since you can reproduce the problem and
> provide the patch? Does the patch fix the problem?

OK, I will take it. 
The crash has not been reproduced so far, and no WifiCrash log has ever been printed out.
My patch is just following your method. Thanks!
Flags: needinfo?(pehrsons)
Hi Vincent, a few days ago, this bug appeared again.
I checked the code and found there may be an out-of-bounds access in function |setSSIDRaw()|. With the new patch, the bug has not appeared so far. Do you think this is the root cause?
Attachment #8448533 - Attachment is obsolete: true
Flags: needinfo?(vchang)
Makes sense to me, but not sure if it's a root cause. Do you have the backtrace log?
Flags: needinfo?(vchang)
Attached file backtrace
Crash at memcpy() function.
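
The unchecked-copy concern raised in the comments above (an empty MAC string and an over-long SSID reaching memcpy), as an added C++ example that is not code from this bug's patch or from Gecko. The `AccessPoint` type, its setters and `applyScanResult` are hypothetical, the buffer sizes follow the 802.11 limits, and the scan fields in `main` are constructed.

```cpp
// Added illustration; AccessPoint and its setters are hypothetical, not Gecko code.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

constexpr std::size_t kMacLen = 6;       // MAC address length in bytes
constexpr std::size_t kMaxSsidLen = 32;  // 802.11 SSID maximum length

struct AccessPoint {
  unsigned char mac[kMacLen] = {};
  char ssid[kMaxSsidLen + 1] = {};
  std::size_t ssidLen = 0;

  // An unchecked setter (assumed shape, left as comments so it never runs):
  //   memcpy(mac, src, kMacLen);  // over-reads when src is an empty string
  //   memcpy(ssid, src, len);     // overflows ssid when len > kMaxSsidLen

  // Copy a MAC only when the source really holds kMacLen bytes.
  bool setMacChecked(const std::string& src) {
    if (src.size() < kMacLen) return false;  // empty or short scan field
    std::memcpy(mac, src.data(), kMacLen);
    return true;
  }

  // Copy an SSID; over-long input is rejected rather than truncated.
  bool setSsidChecked(const char* src, std::size_t len) {
    if (src == nullptr || len > kMaxSsidLen) return false;
    std::memcpy(ssid, src, len);
    ssid[len] = '\0';
    ssidLen = len;
    return true;
  }
};

// Returns a bitmask: bit 0 = MAC accepted, bit 1 = SSID accepted.
int applyScanResult(AccessPoint& ap, const std::string& mac,
                    const std::string& ssid) {
  int ok = 0;
  if (ap.setMacChecked(mac)) ok |= 1;
  if (ap.setSsidChecked(ssid.data(), ssid.size())) ok |= 2;
  return ok;
}

int main() {
  AccessPoint ap;  // constructed scan fields: empty MAC, 40-byte SSID
  std::printf("malformed: %d\n", applyScanResult(ap, "", std::string(40, 'A')));
  std::printf("valid: %d\n", applyScanResult(ap, std::string(6, '\x01'), "home-net"));
  return 0;
}
```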
Comment on attachment 8477156
Wifi_Onready_Crash_p2.patch

Review of attachment 8477156:
-----------------------------------------------------------------

Can you help to review this?
Attachment #8477156 - Flags: review?(dougt)
Comment on attachment 8477156
Wifi_Onready_Crash_p2.patch

isn't that special.
Attachment #8477156 - Flags: review?(dougt)
Attachment #8477156 - Flags: review+
Attachment #8477156 - Flags: approval-mozilla-beta?
Attachment #8477156 - Flags: approval-mozilla-aurora?
Comment on attachment 8477156
Wifi_Onready_Crash_p2.patch

Aurora and Beta do not currently correspond with any Firefox OS release. Here are the approvals that you should request depending on the branch on which you want to land:

1.3: approval-mozilla-b2g28 (speak with Bhavana before requesting 1.3 approval)
1.4: approval-mozilla-b2g30
2.0: approval-mozilla-b2g32
2.1: No approval. Land on m-c
Attachment #8477156 - Flags: approval-mozilla-beta?
Attachment #8477156 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED