Closed Bug 1058366 Opened 10 years ago Closed 10 years ago

Bluetooth closes invalid fd

Categories

(Firefox OS Graveyard :: Bluetooth, defect, P1)

ARM
Gonk (Firefox OS)
defect

Tracking

(blocking-b2g:2.0+, b2g-v2.0 fixed, b2g-v2.1 fixed)

RESOLVED FIXED
2.1 S3 (29aug)
blocking-b2g 2.0+
Tracking Status
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed

People

(Reporter: khuey, Unassigned)

Details

(Keywords: crash, Whiteboard: [b2g-crash][caf priority: p1] [POVB])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1057220 +++

With Sotaro's patch in bug 1057220 to catch invalid fd closes:

Operating system: Android
                  0.0.0 Linux 3.4.0-g8263518 #27 SMP PREEMPT Sun Aug 24 22:28:38 PDT 2014 armv7l qcom/msm8610/msm8610:4.4.2/KVT49L/eng.tkundu.20140823.094323:userdebug/test-keys
CPU: arm
     ARMv0
     4 CPUs

Crash reason:  SIGABRT
Crash address: 0xe6

Thread 0 (crashed)
 0  libc.so + 0x22208
     r0 = 0x00000000    r1 = 0x000000e6    r2 = 0x00000006    r3 = 0x00000000
     r4 = 0x00000006    r5 = 0x00000009    r6 = 0x000000e6    r7 = 0x0000010c
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8   r12 = 0xb18daf70
     fp = 0xbebaa7f8    sp = 0xbebaa530    lr = 0xb6f60249    pc = 0xb6f6f208
    Found by: given as instruction pointer in context
 1  libc.so!pthread_kill [pthread_kill.cpp : 49 + 0xb]
     r4 = 0x00000006    r5 = 0x00000009    r6 = 0x000000e6    r7 = 0xb18daf70
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8   r12 = 0xb18daf70
     fp = 0xbebaa7f8    sp = 0xbebaa548    lr = 0xb6f60249    pc = 0xb6f60249
    Found by: call frame info
 2  libc.so!raise [raise.cpp : 32 + 0x9]
     r4 = 0x00000006    r5 = 0x00000000    r6 = 0x00000001    r7 = 0xb18daf70
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8
     sp = 0xbebaa558    pc = 0xb6f6045d
    Found by: call frame info
 3  libc.so!__libc_android_abort [abort.cpp : 55 + 0x3]
     r4 = 0xbebaa564    r5 = 0x00000000    r6 = 0x00000001    r7 = 0xb18daf70
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8
     sp = 0xbebaa560    pc = 0xb6f5f14f
    Found by: call frame info
 4  libc.so + 0x21abe
     r4 = 0x0000006b    r5 = 0xffffffff    r6 = 0x00000001    r7 = 0xb18daf70
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8
     sp = 0xbebaa588    pc = 0xb6f6eac0
    Found by: call frame info
 5  libc.so!close [close.c : 50 + 0x3]
     r3 = 0xb6f8d0bd    r4 = 0x0000006b    r5 = 0xffffffff    r6 = 0x00000001
     r7 = 0xb18daf70    r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8
     fp = 0xbebaa7f8    sp = 0xbebaa590    lr = 0xb6f5c299    pc = 0xb6f5c299
    Found by: call frame info
 6  bluetooth.default.so!btc_close_serv_socket [btc_common.c : 445 + 0x5]
     r0 = 0xfffffff7    r1 = 0x0000006b    r2 = 0x5386f66c    r4 = 0x0000006b
     r5 = 0xb1120c3d    r6 = 0x00000001    r7 = 0xb18daf70    r8 = 0xac1e0780
     r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8    sp = 0xbebaa5a8
     pc = 0xb10eda5b
    Found by: call frame info
 7  bluetooth.default.so!btc_deinit [btc_common.c : 69 + 0x7]
     r0 = 0xb1120c3d    r1 = 0xb1138048    r2 = 0xffffffff    r4 = 0xb11299c8
     r5 = 0x00000000    r6 = 0x00000001    r7 = 0xb18daf70    r8 = 0xac1e0780
     r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8    sp = 0xbebaa5c0
     pc = 0xb10edab1
    Found by: call frame info
 8  bluetooth.default.so!btif_disable_bluetooth [btif_core.c : 696 + 0x3]
     r4 = 0xb11299c8    r5 = 0x00000000    r6 = 0x00000001    r7 = 0xb18daf70
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8
     sp = 0xbebaa5c8    pc = 0xb106a273
    Found by: call frame info
 9  libxul.so!StartStopGonkBluetooth [BluetoothServiceBluedroid.cpp : 848 + 0x3]
     r3 = 0xb1067e89    r4 = 0xb640e214    r5 = 0x00000000    r6 = 0x00000001
     r7 = 0xb18daf70    r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8
     fp = 0xbebaa7f8    sp = 0xbebaa5d8    pc = 0xb52f3b45
    Found by: call frame info
10  libxul.so!mozilla::dom::bluetooth::BluetoothServiceBluedroid::StopInternal() [BluetoothServiceBluedroid.cpp : 921 + 0x5]
     r0 = 0x00000000    r1 = 0xac1e07a0    r4 = 0x00000000    r5 = 0xac1e07a0
     r6 = 0xac2b9ce4    r7 = 0xb18daf70    r8 = 0xac1e0780    r9 = 0xac789690
    r10 = 0xb6485bf8    fp = 0xbebaa7f8    sp = 0xbebaa5f0    pc = 0xb52f3b6d
    Found by: call frame info
11  libxul.so!mozilla::dom::bluetooth::BluetoothService::StopBluetooth(bool) [BluetoothService.cpp : 472 + 0x7]
     r0 = 0xb18daf70    r1 = 0xac1e07a0    r2 = 0x00000000    r4 = 0x00000000
     r5 = 0xac1e07a0    r6 = 0xac2b9ce4    r7 = 0xb18daf70    r8 = 0xac1e0780
     r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8    sp = 0xbebaa608
     pc = 0xb52edd67
    Found by: call frame info
12  libxul.so!mozilla::dom::bluetooth::BluetoothService::HandleSettingsChanged(nsAString_internal const&) [BluetoothService.cpp : 645 + 0x5]
     r0 = 0xb18daf70    r1 = 0x00000000    r2 = 0x00000000    r4 = 0xbebaa634
     r5 = 0xb18daf70    r6 = 0xbebaa658    r7 = 0xad5e7f30    r8 = 0xac1e0780
     r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8    sp = 0xbebaa628
     pc = 0xb52ee221
    Found by: call frame info
13  libxul.so!mozilla::dom::bluetooth::BluetoothService::Observe(nsISupports*, char const*, char16_t const*) [BluetoothService.cpp : 758 + 0x3]
     r4 = 0xb18daf70    r5 = 0xac1e0780    r6 = 0xac789690    r7 = 0xad5e7f30
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8
     sp = 0xbebaa6b8    pc = 0xb52ee2a1
    Found by: call frame info
14  libxul.so!nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) [nsObserverList.cpp : 96 + 0x7]
     r0 = 0xb18daf70    r1 = 0xac789690    r2 = 0x00000050    r3 = 0x00000001
     r4 = 0xbebaa6dc    r5 = 0x0000000d    r6 = 0xb52ee25d    r7 = 0xad5e7f30
     r8 = 0xac1e0780    r9 = 0xac789690   r10 = 0xb6485bf8    fp = 0xbebaa7f8
     sp = 0xbebaa6d8    pc = 0xb4b415c3
    Found by: call frame info
15  libxul.so!nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) [nsObserverService.cpp : 302 + 0x9]
     r0 = 0xaf4c1774    r1 = 0xac051d40    r2 = 0xac1e0780    r4 = 0xac1e0780
     r5 = 0xac789690    r6 = 0xad5e7f30    r7 = 0xb68a68f0    r8 = 0x00000003
     r9 = 0xbebaa880   r10 = 0xb6485bf8    fp = 0xbebaa7f8    sp = 0xbebaa700
     pc = 0xb4b41939
    Found by: call frame info
16  libxul.so!NS_InvokeByIndex [xptcinvoke_arm.cpp : 164 + 0x11]
     r3 = 0xac789690    r4 = 0xb4b41905    r5 = 0xbebaa730    r6 = 0xbebaa718
     r7 = 0xbebaa738    r8 = 0x00000003    r9 = 0xbebaa880   r10 = 0xb6485bf8
     fp = 0xbebaa7f8    sp = 0xbebaa718    pc = 0xb4b5a19b
    Found by: call frame info
17  libxul.so!XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) [XPCWrappedNative.cpp : 2395 + 0xd]
     r3 = 0xbebaa840    r4 = 0x00000003    r5 = 0xbebaa788    r6 = 0x00000003
     r7 = 0xbebaa860    r8 = 0x00000000    r9 = 0x00000003   r10 = 0xb6485bf8
     fp = 0xbebaa7f8    sp = 0xbebaa760    pc = 0xb517fe7b
    Found by: call frame info
18  libxul.so!XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) [XPCWrappedNativeJSOps.cpp : 1272 + 0x7]
     r4 = 0xb6b7d520    r5 = 0xbebaa930    r6 = 0x00000001    r7 = 0xb62851bc
     r8 = 0xb636c708    r9 = 0xb1b27560   r10 = 0xbebaa9f0    fp = 0x00000003
     sp = 0xbebaa8f8    pc = 0xb5181d27
    Found by: call frame info
19  0xb390cf76
     r4 = 0xaf3a45b0    r5 = 0xffffff87    r6 = 0xb3713c54    r7 = 0xffffff87
     r8 = 0x00000203    r9 = 0xad77b990   r10 = 0x00000001    fp = 0xbebaaa08
     sp = 0xbebaa9c0    pc = 0xb390cf78
    Found by: call frame info
20  libxul.so!EnterBaseline [BaselineJIT.cpp : 124 + 0x15]
     sp = 0xbebaab10    pc = 0xb59c500b
    Found by: stack scanning
21  libxul.so!js::jit::EnterBaselineMethod(JSContext*, js::RunState&) [BaselineJIT.cpp : 155 + 0x7]
     r4 = 0xbebaabc8    r5 = 0x00000001    r6 = 0xb6b7d520    r7 = 0xbebaac70
     r8 = 0x00000000    sp = 0xbebaab68    pc = 0xb59c53a1
    Found by: call frame info
22  libxul.so!js::RunScript [Interpreter.cpp : 391 + 0x7]
     r4 = 0xbebaac70    r5 = 0xb6b7d520    r6 = 0xacd52340    r7 = 0xacd50e00
     r8 = 0x00000000    sp = 0xbebaac20    pc = 0xb5b1b8a3
    Found by: call frame info
23  libxul.so!js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [Interpreter.cpp : 369 + 0xd]
     r4 = 0xbebaac50    r5 = 0x00000001    r6 = 0xb6b7d520    r7 = 0xbebaafa8
     r8 = 0x00000000    sp = 0xbebaac40    pc = 0xb5b1b9f7
    Found by: call frame info
24  libxul.so!js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) [Interpreter.cpp : 511 + 0xb]
     r4 = 0x00000000    r5 = 0xffffff87    r6 = 0xbebab178    r7 = 0xbebaafa8
     r8 = 0xbebab178    r9 = 0xb6b7d520   r10 = 0xbebaaf98    fp = 0xbebab150
     sp = 0xbebaaf60    pc = 0xb5b1c009
    Found by: call frame info
25  libxul.so!JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) [jsapi.cpp : 5209 + 0x13]
     r4 = 0xbebab170    r5 = 0xbebab160    r6 = 0xb6b7d520    r7 = 0x00000001
     r8 = 0xb636c708    r9 = 0xb6141458   r10 = 0xbebab160    fp = 0xa8b8b400
     sp = 0xbebab000    pc = 0xb5a5b739
    Found by: call frame info
26  libxul.so!nsFrameMessageManager::ReceiveMessage(nsISupports*, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, CpowHolder*, nsIPrincipal*, nsTArray<nsString>*) [nsFrameMessageManager.cpp : 1072 + 0x3]
     r4 = 0xbebab0ec    r5 = 0x00000001    r6 = 0x00000000    r7 = 0xac0dcf00
     r8 = 0xb636c708    r9 = 0xb6141458   r10 = 0xbebab160    fp = 0xa8b8b400
     sp = 0xbebab028    pc = 0xb534c377
    Found by: call frame info
27  libxul.so!nsFrameMessageManager::ReceiveMessage(nsISupports*, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, CpowHolder*, nsIPrincipal*, nsTArray<nsString>*) [nsFrameMessageManager.cpp : 1092 + 0x17]
     r4 = 0x00000000    r5 = 0xbebab3e0    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0xb636c708    r9 = 0xbebab538   r10 = 0x00000000    fp = 0xa8b8b400
     sp = 0xbebab1f8    pc = 0xb534c523
    Found by: call frame info
28  libxul.so!mozilla::dom::ContentParent::RecvAsyncMessage(nsString const&, mozilla::dom::ClonedMessageData const&, nsTArray<mozilla::jsipc::CpowEntry> const&, IPC::Principal const&) [ContentParent.cpp : 3259 + 0x9]
     r4 = 0xa8b8b400    r5 = 0xbebab3e0    r6 = 0xbebab48c    r7 = 0xbebab4a4
     r8 = 0xbebab480    r9 = 0xbebab538   r10 = 0x00000000    fp = 0xa8b8b400
     sp = 0xbebab3c8    pc = 0xb5117d9f
    Found by: call frame info
29  libxul.so!mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) [PContentParent.cpp : 3832 + 0x13]
     r4 = 0xb5117d25    r5 = 0x00000000    r6 = 0xbebab62c    r7 = 0x001a008f
     r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000    fp = 0xa8b8b400
     sp = 0xbebab418    pc = 0xb4ccf2cd
    Found by: call frame info
30  libxul.so!mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) [MessageChannel.cpp : 1152 + 0x5]
     r4 = 0xa8b8b430    r5 = 0xbebab62c    r6 = 0xad6817f0    r7 = 0xb6b7d1ac
     r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab5f8    pc = 0xb4c942d3
    Found by: call frame info
31  libxul.so!mozilla::ipc::MessageChannel::OnMaybeDequeueOne() [MessageChannel.cpp : 1049 + 0x3]
     r0 = 0xa8b8b430    r1 = 0xbebab62c    r2 = 0x00000002    r4 = 0x00000001
     r5 = 0xb6b7d1a0    r6 = 0xad6817f0    r7 = 0xb6b7d1ac    r8 = 0xb6bc6770
     r9 = 0x00000001   r10 = 0x00000000    fp = 0x0000000f    sp = 0xbebab610
     pc = 0xb4c962eb
    Found by: call frame info
32  libxul.so!RunnableMethod<FdWatcher, void (FdWatcher::*)(), Tuple0>::Run() [tuple.h : 383 + 0x13]
     r4 = 0xac01f0d8    r5 = 0xb6b7d1a0    r6 = 0xad6817f0    r7 = 0xb6b7d1ac
     r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab650    pc = 0xb4b37cb5
    Found by: call frame info
33  libxul.so!mozilla::ipc::MessageChannel::DequeueTask::Run() [MessageChannel.h : 385 + 0x9]
     r0 = 0xb4c96273    r1 = 0x00000000    r2 = 0x00000000    r4 = 0xac01f0d8
     r5 = 0xb6b7d1a0    r6 = 0xad6817f0    r7 = 0xb6b7d1ac    r8 = 0xb6bc6770
     r9 = 0x00000001   r10 = 0x00000000    fp = 0x0000000f    sp = 0xbebab660
     pc = 0xb4c93cdb
    Found by: call frame info
34  libxul.so!MessageLoop::RunTask(Task*) [message_loop.cc : 357 + 0x5]
     r3 = 0xb4c93ccf    r4 = 0xac01f0d8    r5 = 0xb6b7d1a0    r6 = 0xad6817f0
     r7 = 0xb6b7d1ac    r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000
     fp = 0x0000000f    sp = 0xbebab668    pc = 0xb4c8b621
    Found by: call frame info
35  libxul.so!MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) [message_loop.cc : 365 + 0x5]
     r3 = 0xbebab688    r4 = 0x00000001    r5 = 0xbebab698    r6 = 0xad6817f0
     r7 = 0xb6b7d1ac    r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000
     fp = 0x0000000f    sp = 0xbebab678    pc = 0xb4c8bcdb
    Found by: call frame info
36  libxul.so!MessageLoop::DoWork() [message_loop.cc : 443 + 0x3]
     r3 = 0x00000000    r4 = 0xb6b7d1a0    r5 = 0xbebab698    r6 = 0xad6817f0
     r7 = 0xb6b7d1ac    r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000
     fp = 0x0000000f    sp = 0xbebab688    pc = 0xb4c8cd0d
    Found by: call frame info
37  libxul.so!mozilla::ipc::DoWorkRunnable::Run() [MessagePump.cpp : 228 + 0x7]
     r4 = 0xb6b7d1a0    r5 = 0x00000001    r6 = 0xbebab6dc    r7 = 0xbebab70f
     r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab6b8    pc = 0xb4c96dfd
    Found by: call frame info
38  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 766 + 0x5]
     r3 = 0xb4c96ddf    r4 = 0xb6bc6740    r5 = 0x00000001    r6 = 0xbebab6dc
     r7 = 0xbebab70f    r8 = 0xb6bc6770    r9 = 0x00000001   r10 = 0x00000000
     fp = 0x0000000f    sp = 0xbebab6c8    pc = 0xb4b55f5b
    Found by: call frame info
39  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
     r4 = 0x00000001    r5 = 0xb6b7d1a0    r6 = 0xb6b01ec0    r7 = 0x00000000
     r8 = 0xbebab7a0    r9 = 0xbebab790   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab708    pc = 0xb4b27d2f
    Found by: call frame info
40  libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 136 + 0x7]
     r0 = 0xb6bc6740    r1 = 0x01000001    r4 = 0xb6b01eb0    r5 = 0xb6b7d1a0
     r6 = 0xb6b01ec0    r7 = 0x00000000    r8 = 0xbebab7a0    r9 = 0xbebab790
    r10 = 0x00000000    fp = 0x0000000f    sp = 0xbebab718    pc = 0xb4c970ab
    Found by: call frame info
41  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 229 + 0x5]
     r4 = 0xb6b7d1a0    r5 = 0xb197d700    r6 = 0xb6bc6740    r7 = 0xbebab965
     r8 = 0xbebab7a0    r9 = 0xbebab790   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab740    pc = 0xb4c8b5af
    Found by: call frame info
42  libxul.so!MessageLoop::Run() [message_loop.cc : 222 + 0x5]
     r3 = 0x00000000    r4 = 0xb6b7d1a0    r5 = 0xb197d700    r6 = 0xb6bc6740
     r7 = 0xbebab965    r8 = 0xbebab7a0    r9 = 0xbebab790   r10 = 0x00000000
     fp = 0x0000000f    sp = 0xbebab748    pc = 0xb4c8b661
    Found by: call frame info
43  libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp : 164 + 0x7]
     r0 = 0x00000001    r1 = 0xb6fccf00    r2 = 0xb6b7d1a0    r3 = 0x00000000
     r4 = 0x00000000    r5 = 0xb197d700    r6 = 0xb6bc6740    r7 = 0xbebab965
     r8 = 0xbebab7a0    r9 = 0xbebab790   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab760    pc = 0xb5141183
    Found by: call frame info
44  libxul.so!nsAppStartup::Run() [nsAppStartup.cpp : 278 + 0x5]
     r4 = 0xb2ecb670    r5 = 0xbebab874    r6 = 0xb4b41905    r7 = 0xbebab965
     r8 = 0xbebab7a0    r9 = 0xbebab790   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab770    pc = 0xb5756db7
    Found by: call frame info
45  libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp : 4012 + 0x5]
     r4 = 0xbebab7a8    r5 = 0xbebab874    r6 = 0xb4b41905    r7 = 0xbebab965
     r8 = 0xbebab7a0    r9 = 0xbebab790   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbebab778    pc = 0xb573fdd3
    Found by: call frame info
46  libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*) [nsAppRunner.cpp : 4083 + 0x5]
     r4 = 0xbebab874    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbebada1c
     sp = 0xbebab848    pc = 0xb574112d
    Found by: call frame info
47  libxul.so!XRE_main [nsAppRunner.cpp : 4297 + 0x3]
     r4 = 0x00000000    r5 = 0x00024948    r6 = 0xbebada24    r7 = 0x00000001
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbebada1c
     sp = 0xbebab870    pc = 0xb5741289
    Found by: call frame info
48  b2g!main [nsBrowserApp.cpp : 163 + 0xf]
     r4 = 0xbebada24    r5 = 0x00000001    r6 = 0xb5741249    r7 = 0xbebac9d8
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbebada1c
     sp = 0xbebab980    pc = 0x0000ad7d
    Found by: call frame info
49  libc.so!__libc_init [libc_init_dynamic.cpp : 112 + 0x7]
     r4 = 0xbebada24    r5 = 0xbebada2c    r6 = 0x00000001    r7 = 0xb6f96fd8
     r8 = 0x0000ab7d    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbebada1c
     sp = 0xbebad9f0    pc = 0xb6f5b4ed
    Found by: call frame info
50  b2g + 0x2aea
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbebada1c
     sp = 0xbebada08    pc = 0x0000aaec
    Found by: call frame info
51  linker!set_soinfo_pool_protection [linker.cpp : 291 + 0xb]
     sp = 0xbebada20    pc = 0xb6fbd881
    Found by: stack scanning
52  0xbebadb2f
     r3 = 0x00000001    r4 = 0xbebadb21    r5 = 0x00000000    sp = 0xbebada30
     pc = 0xbebadb31
    Found by: call frame info

Maybe we're disabling Bluetooth before it has fully initialized?
Blocks: 1057220
No longer blocks: 1031527, 1035281, 1036419
blocking-b2g: --- → 2.0+
No longer depends on: 1057220, 1034294, 1036561, 1038461, 1039883, 1041751, 1053204
Whiteboard: [b2g-crash][caf-crash 217][caf priority: p1][CR 686674] → [b2g-crash][caf priority: p1]
Flags: needinfo?(btian)
https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/bluedroid/tree/btc/src/btc_common.c?h=LNX.LA.2.7.3&id=AU_LINUX_GECKO_B2G_KK_2.0.01.04.00.114.058#n448
    int s = socket(AF_LOCAL, SOCK_STREAM, 0);
    temp_sock=socket_local_client_connect(s, name, ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
    ......
    close(s);

I wonder how |s| becomes an invalid fd.
Assignee: shuang → nobody
Clearing ni? on me since Shawn is checking this bug.
Flags: needinfo?(btian)
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #1)
> https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/
> bluedroid/tree/btc/src/btc_common.c?h=LNX.LA.2.7.
> 3&id=AU_LINUX_GECKO_B2G_KK_2.0.01.04.00.114.058#n448
>     int s = socket(AF_LOCAL, SOCK_STREAM, 0);
>     temp_sock=socket_local_client_connect(s, name,
> ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
>     ......
>     close(s);
> 
> I wonder how |s| becomes invalid fd.

Sorry, wrong link; this is the correct one:
https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/bluedroid/tree/btc/src/btc_common.c?h=b2g_kk_3.5#n445
Can we add extra logs for the BTC module, since the AOSP bluedroid doesn't have this code?
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #5)
> Can we add extra logs for BTC module since the AOSP bluedroid doesn't have
> this code?

Shawn, if I understand correctly, the patch in comment 4 has extra logging enabled; you want a run with that patch, right?
Flags: needinfo?(tkundu) → needinfo?(shuang)
Hi Shawn,

We have seen this issue 10 times with the bionic patch from bug 1057220 comment 38.

I asked our test team to reproduce again with your patch in comment 4.

If you want to add more logs, then please go ahead: add more logs for [1] and share with us again!

[1] https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/bluedroid/log/?h=b2g_kk_3.5
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #1)
> https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/
> bluedroid/tree/btc/src/btc_common.c?h=LNX.LA.2.7.
> 3&id=AU_LINUX_GECKO_B2G_KK_2.0.01.04.00.114.058#n448
>     int s = socket(AF_LOCAL, SOCK_STREAM, 0);
>     temp_sock=socket_local_client_connect(s, name,
> ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
>     ......
>     close(s);
> 
> I wonder how |s| becomes invalid fd.

Shawn, see that in the function socket_local_client_connect we return the same fd as the input parameter.

So |temp_sock| is the same as |s|, which is freed at close(temp_sock) at line #444 [1].

[1] https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/bluedroid/tree/btc/src/btc_common.c?h=b2g_kk_3.5#n444
(In reply to bhargavg1 from comment #8)
> (In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #1)
> > https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/
> > bluedroid/tree/btc/src/btc_common.c?h=LNX.LA.2.7.
> > 3&id=AU_LINUX_GECKO_B2G_KK_2.0.01.04.00.114.058#n448
> >     int s = socket(AF_LOCAL, SOCK_STREAM, 0);
> >     temp_sock=socket_local_client_connect(s, name,
> > ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
> >     ......
> >     close(s);
> > 
> > I wonder how |s| becomes invalid fd.
> 
> Shawn, see that in the function socket_local_client_connect we return the
> same fd as the input param. 
> 
> So |temp_sock| is same as |s| which is freed at close(temp_sock) at line#444
> [1],
> 
> [1]
> https://www.codeaurora.org/cgit/quic/la/platform/external/bluetooth/
> bluedroid/tree/btc/src/btc_common.c?h=b2g_kk_3.5#n444

Yes, then it will become a double close.
Flags: needinfo?(shuang)
|close(temp_sock)| shall be removed. I think this cannot be fixed from the gecko side, but in the BTC module inside bluedroid. Please let me know if there is anything we need to do.
Flags: needinfo?(bhargavg1)
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #10)
> |close(temp_sock)| shall be removed, I think this cannot be fixed from gecko
> side, but BTC module inside bluedroid. Please let me know if there is
> anything we need to do.

Yes, I am asking the test team for a stab at the patch with only one close call.
Flags: needinfo?(bhargavg1)
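The following is an added example, not code from bluedroid, bionic or gecko, that reproduces the shape of the double close identified in comments 8 through 10: socket_local_client_connect() hands back the fd it was given, so close(temp_sock) followed by close(s) closes one descriptor twice. fake_local_client_connect() is an assumed stand-in that only models the "returns its input fd" property (no real connect is attempted). Besides the EBADF that bionic's instrumented close() trips over, the example shows the hazard the abort is there to catch: because the kernel always allocates the lowest free number, anything opened between the two closes inherits s's number and the stray second close destroys that unrelated descriptor. The last function is the single-close shape suggested in comment 10.

```c
/* Added example (not bluedroid/gecko code): double close of a local socket fd. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed stand-in for bionic's socket_local_client_connect(): on success the
 * real function returns the caller's own fd, which is the property that matters. */
static int fake_local_client_connect(int fd) { return fd; }

/* Buggy shape from btc_close_serv_socket(): two closes on one fd.
 * Returns the result of the second close() and stores its errno
 * (expected -1 / EBADF when nothing has reused the number). */
static int buggy_close_serv_socket(int *second_errno) {
    int s = socket(AF_LOCAL, SOCK_STREAM, 0);
    if (s < 0) return -2;
    int temp_sock = fake_local_client_connect(s);   /* temp_sock == s */
    close(temp_sock);                               /* first close: fine */
    int r = close(s);                               /* second close: stale fd */
    *second_errno = (r < 0) ? errno : 0;
    return r;
}

/* Why a stale close is worse than a harmless EBADF: a descriptor opened
 * between the two closes gets s's old number, and the stray close(s) kills it.
 * Single-threaded here; in b2g the victim would be whatever another thread
 * opened in that window. Returns true if the unrelated fd was destroyed. */
static bool stray_close_hits_reused_fd(void) {
    int s = socket(AF_LOCAL, SOCK_STREAM, 0);
    if (s < 0) return false;
    int temp_sock = fake_local_client_connect(s);
    close(temp_sock);
    int other = socket(AF_LOCAL, SOCK_STREAM, 0);   /* lowest free fd: s's number */
    if (other < 0) return false;
    close(s);                                       /* stray close: closes `other` */
    bool victim = (other == s) && fcntl(other, F_GETFD) == -1 && errno == EBADF;
    if (!victim) close(other);
    return victim;
}

/* Fixed shape: one owner, exactly one close, handle invalidated afterwards. */
static int fixed_close_serv_socket(void) {
    int s = socket(AF_LOCAL, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int temp_sock = fake_local_client_connect(s);
    if (temp_sock < 0) { close(s); return -1; }
    /* temp_sock and s name the same descriptor: close it once. */
    if (close(temp_sock) != 0) return -1;
    temp_sock = s = -1;                             /* never touch a closed fd again */
    return 0;
}

int main(void) {
    int e = 0;
    int r = buggy_close_serv_socket(&e);
    printf("buggy: second close -> %d (errno %d, EBADF is %d)\n", r, e, EBADF);
    printf("stray close destroyed an unrelated fd: %s\n",
           stray_close_hits_reused_fd() ? "yes" : "no");
    printf("fixed: %d\n", fixed_close_serv_socket());
    return 0;
}
```

Run it on any Linux host; no Bluetooth stack is needed, since the sockets are never connected. The second function is the point worth remembering for review: a double close in a multithreaded process such as b2g is a use-after-close on whatever descriptor happened to be reallocated, which is why bionic's check turns the EBADF into an abort instead of letting it pass silently.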
Blocks: 1058780
Whiteboard: [b2g-crash][caf priority: p1] → [b2g-crash][caf priority: p1] [POVB]
Blocks: 1060091
Change uploaded in CAF builds
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2.1 S3 (29aug)