[FFOS7715 v2.1s][Message] monkey test crash, libxul.so!mozilla::dom::mobilemessage::MobileMessageCursorCallback::NotifyCursorResult(nsISupports**, unsigned int) [MobileMessageCursorCallback.cpp : 178 + 0x2]

NEW
Unassigned

Status

Firefox OS
RIL
3 years ago
3 years ago

People

(Reporter: Wei Gao (Spreadtrum), Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sprd 442789 ])

(Reporter)

Description

3 years ago
Thread 0 (crashed)
 0  libxul.so!mozilla::dom::mobilemessage::MobileMessageCursorCallback::NotifyCursorResult(nsISupports**, unsigned int) [MobileMessageCursorCallback.cpp : 178 + 0x2]
     r4 = 0xaf04e660    r5 = 0x00000001    r6 = 0x00000001    r7 = 0xbea71b04
     r8 = 0xaf1cc520    r9 = 0xbea71b58   r10 = 0x00000000    fp = 0xb6b51418
     sp = 0xbea71ac8    lr = 0xb578ff1b    pc = 0xb578ff1e
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::dom::mobilemessage::MobileMessageCursorChild::DoNotifyResult(nsTArray<mozilla::dom::mobilemessage::MobileMessageData> const&) [SmsChild.cpp : 365 + 0xb]
     r4 = 0xbea71af8    r5 = 0xbea71b08    r6 = 0x00000001    r7 = 0x00000001
     r8 = 0xaf1cc520    r9 = 0xbea71b58   r10 = 0x00000000    fp = 0xb6b51418
     sp = 0xbea71ae8    pc = 0xb5792505
    Found by: call frame info
 2  libxul.so!mozilla::dom::mobilemessage::MobileMessageCursorChild::RecvNotifyResult(mozilla::dom::mobilemessage::MobileMessageCursorData const&) [SmsChild.cpp : 307 + 0x3]
     r4 = 0xaf1cc520    r5 = 0xbea71b68    r6 = 0x00000000    r7 = 0x00660001
     r8 = 0x00000000    r9 = 0xbea71dcf   r10 = 0x00000000    fp = 0xb6b51418
     sp = 0xbea71b38    pc = 0xb579260f
    Found by: call frame info
 3  libxul.so!mozilla::dom::mobilemessage::PMobileMessageCursorChild::OnMessageReceived(IPC::Message const&) [PMobileMessageCursorChild.cpp : 179 + 0x9]
     r4 = 0xaf1cc520    r5 = 0xbea71b68    r6 = 0x00000000    r7 = 0x00660001
     r8 = 0x00000000    r9 = 0xbea71dcf   r10 = 0x00000000    fp = 0xb6b51418
     sp = 0xbea71b40    pc = 0xb525f2ad
    Found by: call frame info
 4  libxul.so!mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) [PContentChild.cpp : 3982 + 0x7]
     r4 = 0xbea71cd4    r5 = 0xb6b51448    r6 = 0xaf1bdaf0    r7 = 0xbea71edc
     r8 = 0x00000000    r9 = 0xbea71dcf   r10 = 0x00000000    fp = 0xb6b51418
     sp = 0xbea71b80    pc = 0xb5216605
    Found by: call frame info
 5  libxul.so!mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) [MessageChannel.cpp : 1233 + 0x5]
     r4 = 0xbea71cd4    r5 = 0xb6b51448    r6 = 0xaf1bdaf0    r7 = 0xbea71edc
     r8 = 0x00000000    r9 = 0xbea71dcf   r10 = 0x00000000    fp = 0xb685aaa0
     sp = 0xbea71ca0    pc = 0xb51d3ab3
    Found by: call frame info
 6  libxul.so!mozilla::ipc::MessageChannel::OnMaybeDequeueOne() [MessageChannel.cpp : 1098 + 0x3]
     r4 = 0x00000001    r5 = 0xbea71ed0    r6 = 0xaf1bdaf0    r7 = 0xbea71edc
     r8 = 0x00000000    r9 = 0xbea71dcf   r10 = 0x00000000    fp = 0xb685aaa0
     sp = 0xbea71cb8    pc = 0xb51d5c37
    Found by: call frame info
 7  libxul.so!RunnableMethod<FdWatcher, void (FdWatcher::*)(), Tuple0>::Run() [tuple.h : 383 + 0x13]
     r4 = 0xb08310a0    r5 = 0xbea71ed0    r6 = 0xaf1bdaf0    r7 = 0xbea71edc
     r8 = 0x00000000    r9 = 0xbea71dcf   r10 = 0x00000000    fp = 0xb685aaa0
     sp = 0xbea71cf8    pc = 0xb506b031
......more
Component: Gaia::SMS → RIL
(Reporter)

Comment 1

3 years ago
Our QA tested 4 phones and 3 of them occured.

I have uploaded three logs at:

ftp://ftp.spreadtrum.com/7715/1170964

username:mouzhi
password:mouZHI$$61

Thanks.
Component: RIL → Gaia::SMS
(Reporter)

Updated

3 years ago
Component: Gaia::SMS → RIL
(Reporter)

Comment 2

3 years ago
NS_IMETHODIMP
MobileMessageCursorCallback::NotifyCursorResult(nsISupports** aResults,
                                                uint32_t aSize)
{
  printf_stderr("BVS, MobileMessageCursorCallback::NotifyCursorResult() start, mObjectId: %lld", mObjectId);
  MOZ_ASSERT(mDOMCursor);

  nsCOMPtr<nsPIDOMWindow> window = mDOMCursor->GetOwner();    //this line is 178th
  if (!window) {
    return NS_ERROR_FAILURE;
  }
(Reporter)

Comment 3

3 years ago
Dear Bevis

I am sorry to trouble you again. :(
Could you help to take a look at this issue?
I don't know where to start.
Thanks so much.
Flags: needinfo?(btseng)
Flags: needinfo?(btseng)
See Also: → bug 1144016
keep NI on me.
Flags: needinfo?(btseng)
Hi WeiGao,

After checking the log, I cannot see the reason why the following line will be crashed:
> nsCOMPtr<nsPIDOMWindow> window = mDOMCursor->GetOwner();    //this line is 178th
1. mDOMCursor has be ensured in line 177 with MOZ_ASSERT.
2. GetOwner() do nothing but return the address of the parent window. [1]

Unfortunately, I don't have too much to suggest but add more logs to see what the values of related pointers are for further investigation. :(

[1] https://dxr.mozilla.org/mozilla-central/source/dom/events/DOMEventTargetHelper.h#138
Flags: needinfo?(btseng)
(Reporter)

Comment 6

3 years ago
(In reply to Bevis Tseng[:bevistseng][:btseng] from comment #5)
> Hi WeiGao,
> 
> After checking the log, I cannot see the reason why the following line will
> be crashed:
> > nsCOMPtr<nsPIDOMWindow> window = mDOMCursor->GetOwner();    //this line is 178th
> 1. mDOMCursor has be ensured in line 177 with MOZ_ASSERT.
> 2. GetOwner() do nothing but return the address of the parent window. [1]
> 
> Unfortunately, I don't have too much to suggest but add more logs to see
> what the values of related pointers are for further investigation. :(
> 
> [1]
> https://dxr.mozilla.org/mozilla-central/source/dom/events/
> DOMEventTargetHelper.h#138

Hi Bevis

Thanks for your attention.
So, could you provide some logs about this?
Thanks so much.
(Reporter)

Updated

3 years ago
Whiteboard: [sprd 442789 ]
(In reply to Wei Gao (Spreadtrum) from comment #6)
> Hi Bevis
> 
> Thanks for your attention.
> So, could you provide some logs about this?
> Thanks so much.

No, just the pointers like mDOMCursor, window in this crash point.
(Reporter)

Comment 8

3 years ago
Dear Bevis

I have a question about this.
How does MOZ_ASSERT check the pointer?
If the pointer in MOZ_ASSERT has something wrong, what will happen in MOZ_ASSERT? 
Will the ffos reboot or other thing happen?
Thanks so much.
Flags: needinfo?(btseng)
Hi Wei Gao,

In debug build, the process is supposed to be crashed with file name and line printed.
In non-debug build, it will be blocked infinitely.

https://dxr.mozilla.org/mozilla-central/source/mfbt/Assertions.h#366-386
Flags: needinfo?(btseng)
You need to log in before you can comment on or make changes to this bug.