1021838 - [Wifi] FX OS crash in nsWifiMonitor::Onready(unsigned int, nsIWifiScanResult**)

Status: RESOLVED FIXED

(Firefox OS Graveyard :: Wifi, defect)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-1af3407e-5d5b-4324-abb5-aa4cb2140606.
=============================================================

Seen while running a Master build on Nexus 4. The device was idle at the time of the crash. The build has a recent Gecko, and I pulled the latest Gaia and then installed it.

Frame 	Module 	Signature 	Source
0 	libc.so 	libc.so@0x1ce44 	
1 	libxul.so 	nsWifiMonitor::Onready(unsigned int, nsIWifiScanResult**) 	netwerk/wifi/nsWifiAccessPoint.h
2 	libxul.so 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
3 	libxul.so 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
4 	libxul.so 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
5 		@0xb1eb40c6

Comment 1

[ying.xu]

we meet this crash twice with tarako 1.3t during a monkey test

Comment 2

[James Zhang (Spreadtrum)]

We met this crash several times when monkey test.
Marcia, do you have any reproduce path?

Comment 3

[Marcia Knous [:marcia]]

(In reply to James Zhang (Spreadtrum) from comment #2)
> We met this crash several times when monkey test.
> Marcia, do you have any reproduce path?

Hello James - I only saw this crash once, and I wasn't able to reproduce it.

Comment 4

[Zhenqing Liu]

Hi, Vincent, according to our backtraces, this crash occured when calling memcpy in libc.so. Maybe one of the following two lines:
   ap->setMacRaw(mac.get());
   ap->setSSIDRaw(ssid.get(), ssid.Length());
Could you please tell me about your case? And by the way, how to print the logs in /gecko/netwerk/wifi/nsWifiMonitorGonk.cpp?

Comment 5

[Vincent Chang[:vchang][changyihsin]]

(In reply to Zhenqing Liu from comment #4)
> Hi, Vincent, according to our backtraces, this crash occured when calling
> memcpy in libc.so. Maybe one of the following two lines:
>    ap->setMacRaw(mac.get());
>    ap->setSSIDRaw(ssid.get(), ssid.Length());
> Could you please tell me about your case? And by the way, how to print the
> logs in /gecko/netwerk/wifi/nsWifiMonitorGonk.cpp?

I can't reproduce the problem here. 

You can do the similar way to below link to output the debug message. 
http://dxr.mozilla.org/mozilla-central/source/hal/gonk/GonkHal.cpp?from=gonkhal.cpp&case=true#

I think we should validate mac before setting in below link. 
http://dxr.mozilla.org/mozilla-central/source/netwerk/wifi/nsWifiMonitorGonk.cpp?from=nsWifiMonitorGonk.cpp#147

Can you help to verify if the modification below works for you?

if (!mac.IsEmpty()) {
  ap->setMacRaw(mac.get());
}

Comment 6

[Zhenqing Liu]

Attachment: Onready crash patch

I will track this bug with this patch.

Comment 7

[Joe Cheng [:jcheng] (please needinfo)]

@ very late stage for tarako, if stability test is passing in general, move this to 1.4?

Comment 8

[Bruce Huang [:bhuang] (inactive)]

Removing 1.4?, please re-nom if this occurs on Dolphin.

Comment 9

[Vincent Chang[:vchang][changyihsin]]

Hi Zhenging, can you take the bug since you can reproduce the problem and provide the patch?  Does the patch fix the problem?

Comment 10

[Zhenqing Liu]

(In reply to Vincent Chang[:vchang] from comment #9)
> Hi Zhenging, can you take the bug since you can reproduce the problem and
> provide the patch?  Does the patch fix the problem?

OK, I will take it. 
The crash was never reproduced until now and never a WifiCrash log was printed out.
My patch is just following your method. Thanks!

Comment 11

[Zhenqing Liu]

Attachment: Wifi_Onready_Crash_p2.patch

Hi Vicent, a few days ago, this bug appeared again. 
I checked the code and find there may be over-bounded access in function |setSSIDRaw()|. With the new patch, the bug never appears until now. Do you think this is the root cause?

Comment 12

[Vincent Chang[:vchang][changyihsin]]

Make sense for me, but not sure if it's a root cause. Do you have the backtrace log?

Comment 13

[Zhenqing Liu]

Attachment: backtrace

Crash at memcpy() function.

Comment 14

[Vincent Chang[:vchang][changyihsin]]

Comment on attachment 8477156 [details] [diff] [review]
Wifi_Onready_Crash_p2.patch

Review of attachment 8477156 [details] [diff] [review]:
-----------------------------------------------------------------

Can you help to review this?

Comment 15

[Doug Turner (:dougt)]

Comment on attachment 8477156 [details] [diff] [review]
Wifi_Onready_Crash_p2.patch

isn't that special.

Comment 16

[Lawrence Mandel [:lmandel] (use needinfo)]

Comment on attachment 8477156 [details] [diff] [review]
Wifi_Onready_Crash_p2.patch

Aurora and Beta do not currently correspond with any Firefox OS release. Here are the approvals that you should request depending on the branch on which you want to land:

1.3: approval-mozilla-b2g28 (speak with Bhavana before requesting 1.3 approval)
1.4: approval-mozilla-b2g30
2.0: approval-mozilla-b2g32
2.1: No approval. Land on m-c