[Wifi] FX OS crash in nsWifiMonitor::Onready(unsigned int, nsIWifiScanResult**)

RESOLVED FIXED

Status

--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: marcia, Assigned: zhenqing.liu)

Tracking

({crash})

unspecified
ARM
Gonk (Firefox OS)
crash

Firefox Tracking Flags

(b2g-v1.3T affected, b2g-v1.4 affected, b2g-v2.0 ?, b2g-v2.1 ?)

Details

(Whiteboard: [b2g-crash][sprd319559 ][partner-blocker], crash signature)

User Story

This bug was filed from the Socorro interface and is 
report bp-1af3407e-5d5b-4324-abb5-aa4cb2140606.
=============================================================

Attachments

(2 attachments, 1 obsolete attachment)

495 bytes, patch (dougt: review+)
11.40 KB, application/x-bzip

Seen while running a Master build on Nexus 4. The device was idle at the time of the crash. The build has a recent Gecko, and I pulled the latest Gaia and then installed it.

Frame 	Module 	Signature 	Source
0 	libc.so 	libc.so@0x1ce44 	
1 	libxul.so 	nsWifiMonitor::Onready(unsigned int, nsIWifiScanResult**) 	netwerk/wifi/nsWifiAccessPoint.h
2 	libxul.so 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
3 	libxul.so 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
4 	libxul.so 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
5 		@0xb1eb40c6
Assignee: nobody → vchang

Comment 1

4 years ago
We met this crash twice with Tarako 1.3T during a monkey test.
Whiteboard: [b2g-crash] → [b2g-crash][sprd319559 ]
We met this crash several times during monkey testing.
Marcia, do you have a reproduction path?
blocking-b2g: --- → 1.3T?
status-b2g-v1.3T: --- → affected
Flags: needinfo?(mozillamarcia.knous)
status-b2g-v1.4: --- → affected
Flags: needinfo?(pehrsons)
Whiteboard: [b2g-crash][sprd319559 ] → [b2g-crash][sprd319559 ][partner-blocker]
(In reply to James Zhang (Spreadtrum) from comment #2)
> We met this crash several times during monkey testing.
> Marcia, do you have a reproduction path?

Hello James - I only saw this crash once, and I wasn't able to reproduce it.
Flags: needinfo?(mozillamarcia.knous)
(Assignee)

Comment 4

4 years ago
Hi, Vincent, according to our backtraces, this crash occurred when calling memcpy in libc.so. Maybe one of the following two lines:
   ap->setMacRaw(mac.get());
   ap->setSSIDRaw(ssid.get(), ssid.Length());
Could you please tell me about your case? And by the way, how can I print the logs in /gecko/netwerk/wifi/nsWifiMonitorGonk.cpp?
Flags: needinfo?(vchang)
(In reply to Zhenqing Liu from comment #4)
> Hi, Vincent, according to our backtraces, this crash occurred when calling
> memcpy in libc.so. Maybe one of the following two lines:
>    ap->setMacRaw(mac.get());
>    ap->setSSIDRaw(ssid.get(), ssid.Length());
> Could you please tell me about your case? And by the way, how can I print the
> logs in /gecko/netwerk/wifi/nsWifiMonitorGonk.cpp?

I can't reproduce the problem here. 

You can output the debug message in a way similar to the link below.
http://dxr.mozilla.org/mozilla-central/source/hal/gonk/GonkHal.cpp?from=gonkhal.cpp&case=true#

I think we should validate mac before setting it, at the link below.
http://dxr.mozilla.org/mozilla-central/source/netwerk/wifi/nsWifiMonitorGonk.cpp?from=nsWifiMonitorGonk.cpp#147

Can you help to verify if the modification below works for you?

if (!mac.IsEmpty()) {
  ap->setMacRaw(mac.get());
}
Flags: needinfo?(vchang)
status-b2g-v2.0: --- → ?
status-b2g-v2.1: --- → ?
(Assignee)

Comment 6

4 years ago
Created attachment 8448533 [details]
Onready crash patch

I will track this bug with this patch.
@ very late stage for tarako, if stability test is passing in general, move this to 1.4?
blocking-b2g: 1.3T? → 1.4?
Removing 1.4?, please re-nom if this occurs on Dolphin.
blocking-b2g: 1.4? → ---
Hi Zhenqing, can you take the bug since you can reproduce the problem and provide the patch? Does the patch fix the problem?
Assignee: vchang → zhenqing.liu
(Assignee)

Comment 10

4 years ago
(In reply to Vincent Chang[:vchang] from comment #9)
> Hi Zhenqing, can you take the bug since you can reproduce the problem and
> provide the patch?  Does the patch fix the problem?

OK, I will take it. 
The crash has not been reproduced so far, and a WifiCrash log has never been printed out.
My patch is just following your method. Thanks!
Flags: needinfo?(pehrsons)
(Assignee)

Comment 11

4 years ago
Created attachment 8477156 [details] [diff] [review]
Wifi_Onready_Crash_p2.patch

Hi Vincent, a few days ago, this bug appeared again.
I checked the code and found there may be an out-of-bounds access in function |setSSIDRaw()|. With the new patch, the bug has not appeared so far. Do you think this is the root cause?
Attachment #8448533 - Attachment is obsolete: true
Flags: needinfo?(vchang)
Makes sense to me, but not sure if it's a root cause. Do you have the backtrace log?
Flags: needinfo?(vchang)
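
The failure mode discussed in comments 4 to 12 (a memcpy into a fixed-size field driven by an unchecked scan-result length), shown as an added example that is not part of this bug, its attachments, or Gecko's source. The AccessPoint and ScanEntry types, the buffer sizes, and the length parameter on setMacRaw are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical record with fixed-size fields (names and sizes are assumptions).
constexpr std::size_t kMacLen = 6;       // MAC address length in bytes
constexpr std::size_t kMaxSsidLen = 32;  // an 802.11 SSID is at most 32 octets
struct AccessPoint {
  unsigned char mac[kMacLen] = {};
  char ssid[kMaxSsidLen + 1] = {};  // +1 for the terminating NUL
  std::size_t ssidLen = 0;
  // Copy only when the source really holds kMacLen bytes (empty input fails).
  bool setMacRaw(const char* src, std::size_t srcLen) {
    if (!src || srcLen != kMacLen) return false;
    std::memcpy(mac, src, kMacLen);
    return true;
  }
  // Reject input that would not fit instead of letting memcpy overrun ssid.
  bool setSSIDRaw(const char* src, std::size_t len) {
    if (!src || len > kMaxSsidLen) return false;
    std::memcpy(ssid, src, len);
    ssid[len] = '\0';
    ssidLen = len;
    return true;
  }
};
struct ScanEntry { std::string mac, ssid; };  // raw fields from one scan result

// Keep entries whose fields fit; drop malformed ones without copying them.
std::vector<AccessPoint> acceptScanResults(const std::vector<ScanEntry>& scan) {
  std::vector<AccessPoint> out;
  for (const ScanEntry& e : scan) {
    AccessPoint ap;
    if (ap.setMacRaw(e.mac.data(), e.mac.size()) &&
        ap.setSSIDRaw(e.ssid.data(), e.ssid.size())) out.push_back(ap);
  }
  return out;
}
// Constructed sample input: valid, empty MAC, 40-byte SSID, 32-byte SSID.
std::vector<ScanEntry> sampleScan() {
  return {{std::string("\x00\x11\x22\x33\x44\x55", 6), "home-network"},
          {std::string(), "no-mac"},
          {std::string("\x66\x77\x08\x19\x2a\x3b", 6), std::string(40, 'A')},
          {std::string("\x01\x02\x03\x04\x05\x06", 6), std::string(32, 'B')}};
}
int main() {
  std::printf("accepted %zu of 4\n", acceptScanResults(sampleScan()).size());
}
```

Rejecting an over-long SSID and truncating it are both bounded; this sketch rejects so that a malformed entry never reaches the stored list.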
(Assignee)

Comment 13

4 years ago
Created attachment 8478044 [details]
backtrace

Crash at memcpy() function.
Comment on attachment 8477156 [details] [diff] [review]
Wifi_Onready_Crash_p2.patch

Review of attachment 8477156 [details] [diff] [review]:
-----------------------------------------------------------------

Can you help to review this?
Attachment #8477156 - Flags: review?(dougt)
Comment on attachment 8477156 [details] [diff] [review]
Wifi_Onready_Crash_p2.patch

isn't that special.
Attachment #8477156 - Flags: review?(dougt)
Attachment #8477156 - Flags: review+
Attachment #8477156 - Flags: approval-mozilla-beta?
Attachment #8477156 - Flags: approval-mozilla-aurora?
Comment on attachment 8477156 [details] [diff] [review]
Wifi_Onready_Crash_p2.patch

Aurora and Beta do not currently correspond with any Firefox OS release. Here are the approvals that you should request depending on the branch on which you want to land:

1.3: approval-mozilla-b2g28 (speak with Bhavana before requesting 1.3 approval)
1.4: approval-mozilla-b2g30
2.0: approval-mozilla-b2g32
2.1: No approval. Land on m-c
Attachment #8477156 - Flags: approval-mozilla-beta?
Attachment #8477156 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED