1130956 - [PTS][Certification] Gecko crashed while testing TC_AG_PSI_BV_04_I

Status: RESOLVED FIXED

(Firefox OS Graveyard :: Bluetooth, defect)

Description

[Shawn Huang [:shawnjohnjr][:shuang] (as a happy gecko contributor)]

Crashed happen receiving AT commands AT+COPS?
Log:
	- MTC: AT+COPS=3,0
	- MTC: AT+COPS?
	- MTC INCONC: Sending AT command from MTC to AT PTC timed out
	- FATAL ERROR (AT): The response to the following AT command has timed out: AT+COPS?

Comment 1

[Shawn Huang [:shawnjohnjr][:shuang] (as a happy gecko contributor)]

(gdb) bt
#0  0xb5bd598e in mozalloc_abort (msg=<optimized out>)
    at ../../../../../b2g37_v2_2/mozilla-b2g37_v2_2/memory/mozalloc/mozalloc_abort.cpp:37
#1  0xb4e88454 in event_exit (errcode=errcode@entry=-559030611)
    at ../../../../../b2g37_v2_2/mozilla-b2g37_v2_2/ipc/chromium/src/third_party/libevent/log.c:79
#2  0xb4e88528 in event_errx (eval=eval@entry=-559030611, 
    fmt=0xb603d255 "%s: noting a del on a non-setup event %p (events: 0x%x, fd: %d, flags: 0x%x)")
    at ../../../../../b2g37_v2_2/mozilla-b2g37_v2_2/ipc/chromium/src/third_party/libevent/log.c:136
#3  0xb4e86454 in event_del_internal (ev=0xa6704b00)
    at ../../../../../b2g37_v2_2/mozilla-b2g37_v2_2/ipc/chromium/src/third_party/libevent/event.c:2265
#4  0xb4e86690 in event_del (ev=0xa6704b00)
    at ../../../../../b2g37_v2_2/mozilla-b2g37_v2_2/ipc/chromium/src/third_party/libevent/event.c:2188
#5  0xb4e8966e in base::MessagePumpLibevent::FileDescriptorWatcher::StopWatchingFileDescriptor (this=this@entry=0xae338c54)
    at ../../../../../b2g37_v2_2/mozilla-b2g37_v2_2/ipc/chromium/src/base/message_pump_libevent.cc:82
#6  0xb4f76d9a in mozilla::ipc::UnixFdWatcher::RemoveWatchers (
    this=this@entry=0xae338c40, aWatchers=aWatchers@entry=3)

Comment 2

[Shawn Huang [:shawnjohnjr][:shuang] (as a happy gecko contributor)]

It looks like bluetoothd died.

02-09 16:13:23.839 F/libc    ( 1078): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2 in tid 1078 (bluetoothd)
02-09 16:13:23.960 I/DEBUG   (  184): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-09 16:13:23.960 I/DEBUG   (  184): Build fingerprint: 'Android/full_hammerhead/hammerhead:5.0/LRX21T/bruce_sun01071151:eng/test-keys'
02-09 16:13:23.960 I/DEBUG   (  184): Revision: '11'
02-09 16:13:23.960 I/DEBUG   (  184): ABI: 'arm'
02-09 16:13:23.961 I/DEBUG   (  184): pid: 1078, tid: 1078, name: bluetoothd  >>> /system/bin/bluetoothd <<<
02-09 16:13:23.961 I/DEBUG   (  184): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2
02-09 16:13:23.970 I/DEBUG   (  184):     r0 00000000  r1 00000000  r2 b6ff8de5  r3 00000030
02-09 16:13:23.970 I/DEBUG   (  184):     r4 beece5bc  r5 b6ff8eab  r6 00000000  r7 00000000
02-09 16:13:23.971 I/DEBUG   (  184):     r8 b6ff8de5  r9 b6ff91d5  sl b6ffc84c  fp beeceafc
02-09 16:13:23.971 I/DEBUG   (  184):     ip 00000000  sp beece588  lr b6ff6463  pc b6ff6f34  cpsr 600f0030
02-09 16:13:23.971 I/DEBUG   (  184): 
02-09 16:13:23.971 I/DEBUG   (  184): backtrace:
02-09 16:13:23.971 I/DEBUG   (  184):     #00 pc 00003f34  /system/bin/bluetoothd
02-09 16:13:23.971 I/DEBUG   (  184):     #01 pc 0000345f  /system/bin/bluetoothd
02-09 16:13:23.971 I/DEBUG   (  184):     #02 pc 00003e6b  /system/bin/bluetoothd
02-09 16:13:23.971 I/DEBUG   (  184):     #03 pc 00003e6b  /system/bin/bluetoothd
02-09 16:13:23.971 I/DEBUG   (  184):     #04 pc 0000279d  /system/bin/bluetoothd
02-09 16:13:23.971 I/DEBUG   (  184):     #05 pc 00002b35  /system/bin/bluetoothd
02-09 16:13:23.971 I/DEBUG   (  184):     #06 pc 00000c39  /system/lib/libfdio.so
02-09 16:13:23.971 I/DEBUG   (  184):     #07 pc 00000e0f  /system/lib/libfdio.so (epoll_loop+66)
02-09 16:13:23.971 I/DEBUG   (  184):     #08 pc 00001075  /system/bin/bluetoothd
02-09 16:13:23.972 I/DEBUG   (  184):     #09 pc 000128ed  /system/lib/libc.so (__libc_init+44)
02-09 16:13:23.972 I/DEBUG   (  184):     #10 pc 00001128  /system/bin/bluetoothd
02-09 16:13:24.280 I/DEBUG   (  184): 
02-09 16:13:24.280 I/DEBUG   (  184): Tombstone written to: /data/tombstones/tombstone_03

Comment 3

[Shawn Huang [:shawnjohnjr][:shuang] (as a happy gecko contributor)]

Program received signal SIGSEGV, Segmentation fault.
read_pdu_at_va (ap=..., fmt=0xb6f6bde5 "0", offset=0, pdu=0x0) at system/bluetoothd/src/bt-proto.c:122
122	        chr = memchr(pdu->data + offset, '\0', pdu->len - offset);
(gdb) bt
#0  read_pdu_at_va (ap=..., fmt=0xb6f6bde5 "0", offset=0, pdu=0x0) at system/bluetoothd/src/bt-proto.c:122
#1  read_pdu_at (pdu=pdu@entry=0x0, offset=offset@entry=0, fmt=0xb6f6bde5 "0") at system/bluetoothd/src/bt-proto.c:158
#2  0xb6f69462 in opcode_cops_response (cmd=0x0) at system/bluetoothd/src/bt-hf-io.c:856
#3  0xb6f69e6c in handle_pdu (field=0xb6f6beab "opcode", value=<optimized out>, cmd=<optimized out>, handler=<optimized out>) at system/bluetoothd/src/bt-proto.c:50
#4  0xb6f69e6c in handle_pdu (field=0xb6f6bea3 "service", value=<optimized out>, cmd=<optimized out>, handler=<optimized out>) at system/bluetoothd/src/bt-proto.c:50
#5  0xb6f687a0 in handle_pdu (cmd=cmd@entry=0xb6c21008) at system/bluetoothd/src/bt-io.c:251
#6  0xb6f68b38 in io_state_in (handle_pdu=0xb6f68791 <handle_pdu>, io_state=0xb6f70058 <io_state>) at system/bluetoothd/src/bt-io.c:134
#7  io_fd_event_in (fd=<optimized out>, data=0xb6f70058 <io_state>) at system/bluetoothd/src/bt-io.c:307
#8  io_fd0_event (fd=<optimized out>, events=<optimized out>, data=0xb6f70058 <io_state>) at system/bluetoothd/src/bt-io.c:346
#9  0xb6ea5c3a in epoll_loop_iteration () at system/libfdio/src/loop.c:198
#10 0xb6ea5e12 in epoll_loop (init=0xb6f6b4f9 <init>, uninit=0xb6f6b4e9 <uninit>, data=data@entry=0xbe9caaac) at system/libfdio/src/loop.c:220
#11 0xb6f67078 in main (argc=3, argv=0xbe9cab04) at system/bluetoothd/src/main.c:178

Comment 4

[Shawn Huang [:shawnjohnjr][:shuang] (as a happy gecko contributor)]

I think |cmd| should be NULL.

--- a/src/bt-hf-io.c
+++ b/src/bt-hf-io.c
@@ -851,7 +851,7 @@ opcode_cops_response(const struct pdu* cmd)
   assert(bthf_interface);
   assert(bthf_interface->cops_response);
 
-  cmd = NULL;
+  rsp = NULL;
 
   off = read_pdu_at(cmd, 0, "0", &rsp);
   if (off < 0) {

Comment 5

[Shawn Huang [:shawnjohnjr][:shuang] (as a happy gecko contributor)]

Attachment: Bug 1130956 - Fix daemon crashed while sending COPS response

Comment 6

[Thomas Zimmermann [:tzimmermann] [:tdz]]

Comment on attachment 8561314 [details] [review]
Bug 1130956 - Fix daemon crashed while sending COPS response

Thank you for fixing this bug.

It looks like a lot of small bugs and typos show up, now that the code gets real QA.

Comment 7

[howie [:howie]]

blocker for 2.2

Comment 8

[Carsten Book [:Tomcat]]

https://github.com/mozilla-b2g/platform_system_bluetoothd/commit/9d83b3a8e72c773820ada75e5a2cd128a743cf35

Comment 9

[Shawn Huang [:shawnjohnjr][:shuang] (as a happy gecko contributor)]

Comment on attachment 8561314 [details] [review]
Bug 1130956 - Fix daemon crashed while sending COPS response

NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bluetooh daemon introduced
User impact if declined: bluetoothd crashed while replying Handsfree AT command COPS (opeator name query)
Testing completed: certification test case pass
Risk to taking this patch (and alternatives if risky): No risk, just simple typo fix
String or UUID changes made by this patch: None

Comment 10

[Ryan VanderMeulen [:RyanVM]]

Fixing the incorrectly-set status flags so this doesn't end up in limbo after it gets approval.

Comment 11

[Ryan VanderMeulen [:RyanVM]]

v2.2: https://github.com/mozilla-b2g/platform_system_bluetoothd/commit/1c734cd4dec912e701f074e37a9894b7724bfaa6