Closed
Bug 764690
Opened 13 years ago
Closed 12 years ago
WebTelephony: crash in 'TelephonyCall::NotifyError'
Categories: Core :: DOM: Device Interfaces, defect
Status: RESOLVED FIXED
People: Reporter: hsinyi, Assigned: hsinyi
Attachments (1 file): patch, 852 bytes; bent.mozilla: review-
Hi, I encountered a system crash when I dialed a non-emergency number without a SIM card.
Below you can find the gdb log.
-------------------------------
warning: (Internal error: pc 0x80 in read in psymtab, but not in symtab.)
Program received signal SIGSEGV, Segmentation fault.
warning: (Internal error: pc 0x80 in read in psymtab, but not in symtab.)
warning: (Internal error: pc 0x80 in read in psymtab, but not in symtab.)
warning: (Internal error: pc 0x80 in read in psymtab, but not in symtab.)
#0 ?? (warning: (Internal error: pc 0x80 in read in psymtab, but not in symtab.)
) at bionic/libc/stdlib/atexit.c:208
warning: (Internal error: pc 0x80 in read in psymtab, but not in symtab.)
#1 0x404ea414 in nsRefPtr<nsToolkitProfile>::assign_with_AddRef (this=0x532fd8, rhs=0x47d8a0) at ../../dist/include/nsAutoPtr.h:845
#2 nsRefPtr<nsToolkitProfile>::operator= (this=0x532fd8, rhs=0x47d8a0) at ../../dist/include/nsAutoPtr.h:930
#3 0x408fd868 in mozilla::dom::telephony::CallEvent::Create (aCall=0x47d8a0) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/dom/telephony/CallEvent.cpp:24
#4 0x408fd4fa in mozilla::dom::telephony::TelephonyCall::NotifyError (this=0x47d8a0, aError=...) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/dom/telephony/TelephonyCall.cpp:134
#5 0x408fc0e8 in mozilla::dom::telephony::Telephony::NotifyError (this=<value optimized out>, aCallIndex=<value optimized out>, aError=...)
at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/dom/telephony/Telephony.cpp:489
#6 0x408fbfb8 in mozilla::dom::telephony::Telephony::RILTelephonyCallback::NotifyError (this=<value optimized out>, callIndex=4708512, error=...)
at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/dom/telephony/Telephony.h:107
#7 0x40c1b9d4 in NS_InvokeByIndex_P (that=0x137a7f8, methodIndex=<value optimized out>, paramCount=<value optimized out>, params=<value optimized out>)
at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#8 0x409b3790 in CallMethodHelper::Invoke (ccx=<value optimized out>, mode=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/xpconnect/src/XPCWrappedNative.cpp:3107
#9 CallMethodHelper::Call (ccx=<value optimized out>, mode=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/xpconnect/src/XPCWrappedNative.cpp:2435
#10 XPCWrappedNative::CallMethod (ccx=<value optimized out>, mode=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/xpconnect/src/XPCWrappedNative.cpp:2401
#11 0x409b89ba in XPC_WN_CallMethod (cx=0x1ab168, argc=2, vp=0x422bc1a8) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1500
#12 0x40e40d92 in CallJSNative (cx=0x1ab168, args=..., construct=js::NO_CONSTRUCT) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jscntxtinlines.h:395
#13 InvokeKernel (cx=0x1ab168, args=..., construct=js::NO_CONSTRUCT) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:311
#14 0x40e257fc in Invoke (cx=0x1ab168, argc=<value optimized out>, vp=0x422bc188) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.h:100
#15 js_fun_apply (cx=0x1ab168, argc=<value optimized out>, vp=0x422bc188) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsfun.cpp:735
#16 0x40e40d92 in CallJSNative (cx=0x1ab168, args=..., construct=js::NO_CONSTRUCT) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jscntxtinlines.h:395
#17 InvokeKernel (cx=0x1ab168, args=..., construct=js::NO_CONSTRUCT) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:311
#18 0x40e41838 in js::Interpret (cx=0x1ab168, entryFrame=<value optimized out>, interpMode=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:2435
#19 0x40e48744 in js::RunScript (cx=0x1ab168, script=<value optimized out>, fp=0x422bc0c0) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:267
#20 0x40e497d4 in InvokeKernel (cx=0x1ab168, thisv=..., fval=..., argc=<value optimized out>, argv=0x422bc060, rval=0xbe8744a8) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:322
#21 Invoke (cx=0x1ab168, thisv=..., fval=..., argc=<value optimized out>, argv=0x422bc060, rval=0xbe8744a8) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.h:100
#22 Invoke (cx=0x1ab168, thisv=..., fval=..., argc=<value optimized out>, argv=0x422bc060, rval=0xbe8744a8) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:354
#23 0x40e74146 in js::IndirectProxyHandler::call (this=<value optimized out>, cx=0x1ab168, proxy=0x479a7ec0, argc=1, vp=0x422bc050) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsproxy.cpp:442
#24 0x40ebd7c6 in js::DirectWrapper::call (this=0x41457bc8, cx=0x1ab168, wrapper=0x479a7ec0, argc=1, vp=0x422bc050) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jswrapper.cpp:214
#25 0x40ebef88 in js::CrossCompartmentWrapper::call (this=0x41457bc8, cx=0x1ab168, wrapper_=0x479a7ec0, argc=1, vp=0x422bc050) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jswrapper.cpp:651
#26 0x40e76780 in js::Proxy::call (cx=0x1ab168, argc=129, vp=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsproxy.cpp:1133
#27 proxy_Call (cx=0x1ab168, argc=129, vp=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsproxy.cpp:1649
#28 0x40e49772 in CallJSNative (cx=0x1ab168, thisv=..., fval=..., argc=<value optimized out>, argv=0xbe874728, rval=0xbe874770) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jscntxtinlines.h:395
#29 InvokeKernel (cx=0x1ab168, thisv=..., fval=..., argc=<value optimized out>, argv=0xbe874728, rval=0xbe874770) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:311
#30 Invoke (cx=0x1ab168, thisv=..., fval=..., argc=<value optimized out>, argv=0xbe874728, rval=0xbe874770) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.h:100
#31 Invoke (cx=0x1ab168, thisv=..., fval=..., argc=<value optimized out>, argv=0xbe874728, rval=0xbe874770) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsinterp.cpp:354
#32 0x40def1aa in JS_CallFunctionValue (cx=0x1ab168, obj=<value optimized out>, fval=..., argc=1, argv=0xbe874728, rval=0xbe874770) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/js/src/jsapi.cpp:5481
#33 0x40729ee6 in nsFrameMessageManager::ReceiveMessage (this=0x41dca0, aTarget=<value optimized out>, aMessage=<value optimized out>, aSync=<value optimized out>, aJSON=..., aObjectsArray=0x49221560,
aJSONRetVal=0x0, aContext=0x0) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/content/base/src/nsFrameMessageManager.cpp:468
#34 0x40729f4a in nsAsyncMessageToSameProcessChild::Run (this=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/content/base/src/nsFrameMessageManager.cpp:913
#35 0x40c11922 in nsThread::ProcessNextEvent (this=0x21180, mayWait=<value optimized out>, result=0xbe87484f) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/xpcom/threads/nsThread.cpp:624
#36 0x40bf28c6 in NS_ProcessNextEvent_P (thread=0x47d8a0, mayWait=false) at /home/hsinyi/WorkSpace/mozilla/B2G-new/objdir-gecko/xpcom/build/nsThreadUtils.cpp:213
#37 0x40b77c7c in mozilla::ipc::MessagePump::Run (this=0xf098, aDelegate=0xf288) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/ipc/glue/MessagePump.cpp:82
#38 0x40c30dd4 in MessageLoop::RunInternal (this=0x41045eee) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/ipc/chromium/src/base/message_loop.cc:208
#39 0x40c30e8a in MessageLoop::RunHandler (this=0xf288) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/ipc/chromium/src/base/message_loop.cc:201
#40 MessageLoop::Run (this=0xf288) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/ipc/chromium/src/base/message_loop.cc:175
#41 0x40b0c65c in nsBaseAppShell::Run (this=0x1c5670) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/widget/xpwidgets/nsBaseAppShell.cpp:163
#42 0x40a4c68c in nsAppStartup::Run (this=0x1c5600) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/toolkit/components/startup/nsAppStartup.cpp:256
#43 0x404e3242 in XREMain::XRE_mainRun (this=0xbe874a0c) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/toolkit/xre/nsAppRunner.cpp:3781
#44 0x404e59b8 in XREMain::XRE_main (this=0xbe874a0c, argc=<value optimized out>, argv=0xbe876bf4, aAppData=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/toolkit/xre/nsAppRunner.cpp:3858
#45 0x404e5b10 in XRE_main (argc=1, argv=0xbe876bf4, aAppData=0xa970, aFlags=<value optimized out>) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/toolkit/xre/nsAppRunner.cpp:3934
#46 0x0000896a in do_main (argc=1, argv=0xbe876bf4) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/b2g/app/nsBrowserApp.cpp:153
#47 main (argc=1, argv=0xbe876bf4) at /home/hsinyi/WorkSpace/mozilla/B2G-new/gecko/b2g/app/nsBrowserApp.cpp:236
warning: (Internal error: pc 0x80 in read in psymtab, but not in symtab.)
Comment 1 • 13 years ago (Assignee)
After discussing with Cervantes, we noticed that this issue resulted from a reference to a dead TelephonyCall object. So, we added a reference by 'nsRefPtr<TelephonyCall> kungFuDeathGrip(this);' to make sure the call object is alive before leaving the 'NotifyError' function.
Attachment #632997 - Flags: review?(philipp)
Updated • 13 years ago (Assignee)
Hardware: x86_64 → All
Comment 2 • 13 years ago
Comment on attachment 632997 [details] [diff] [review]
Patch
This needs to be reviewed by somebody with more kung fu skills.
Attachment #632997 - Flags: review?(philipp) → review?(bent.mozilla)
Comment 3 (ben turner [:bent])
Comment on attachment 632997 [details] [diff] [review]
Patch
Review of attachment 632997 [details] [diff] [review]:
-----------------------------------------------------------------
No, we need to fix the caller, Telephony.
I see a couple problems here:
> NS_IMETHODIMP
> Telephony::NotifyError(PRInt32 aCallIndex,
> const nsAString& aError)
> {
> ...
> mCalls[index]->NotifyError(aError);
This should be:
nsRefPtr<TelephonyCall> call = mCalls[index];
call->NotifyError(aError);
Attachment #632997 - Flags: review?(bent.mozilla) → review-
Comment 4
(In reply to ben turner [:bent] from comment #3)
> I see a couple problems here:
I'll followup in another bug on this other stuff. Fixing the crash is enough here.
Comment 5 • 13 years ago (Assignee)
(In reply to ben turner [:bent] from comment #3)
> Comment on attachment 632997 [details] [diff] [review]
> Patch
>
> Review of attachment 632997 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> No, we need to fix the caller, Telephony.
>
> I see a couple problems here:
>
>
> > NS_IMETHODIMP
> > Telephony::NotifyError(PRInt32 aCallIndex,
> > const nsAString& aError)
> > {
> > ...
> > mCalls[index]->NotifyError(aError);
>
> This should be:
>
> nsRefPtr<TelephonyCall> call = mCalls[index];
> call->NotifyError(aError);
Hi Ben,
Sorry that I don't really understand what the problem is. Can you explain a little bit more? Thanks!
Comment 6 (ben turner [:bent])
The general rule in XPCOM is that an extra reference has been acquired for all parameters and the 'this' object before a function call is made. This rule is not being followed in Telephony::NotifyError() right now. As the stack trace above shows it is possible for the mCalls array to mutate during the call to TelephonyCall::NotifyError (since JS is being called), so the extra reference is dropped too soon.
Using a nsRefPtr on the stack (as in comment 3) solves this problem.
Does that help?
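A reduced model of the lifetime problem comment 3 and comment 6 describe, added here as an illustration (it is not code from the bug or from Gecko). The toy RefPtr, the g_destroyed counter and the mListener callback standing in for the JS event handler are all constructed for this example; the two NotifyError paths mirror the original `mCalls[index]->NotifyError(...)` call and the stack-held nsRefPtr fix.

```cpp
#include <functional>
#include <vector>

static int g_destroyed = 0;            // counts TelephonyCall destructions (constructed)

template <class T> class RefPtr {      // toy stand-in for nsRefPtr
  T* p_ = nullptr;
public:
  RefPtr(T* p) : p_(p) { if (p_) p_->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.p_) {}
  RefPtr& operator=(const RefPtr&) = delete;
  ~RefPtr() { if (p_) p_->Release(); }
  T* operator->() const { return p_; }
};

struct Telephony;

struct TelephonyCall {
  int mRefCnt = 0;
  Telephony* mOwner = nullptr;         // non-owning back-pointer (assumption)
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  ~TelephonyCall() { ++g_destroyed; }
  bool NotifyError();                  // true if *this outlived the event
};

struct Telephony {
  std::vector<RefPtr<TelephonyCall>> mCalls;
  std::function<void()> mListener;     // models the JS "error" handler
  bool NotifyError(size_t index, bool holdStackRef) {
    if (holdStackRef) {                // the fix from comment 3
      RefPtr<TelephonyCall> call = mCalls[index];
      return call->NotifyError();
    }
    return mCalls[index]->NotifyError();  // the original, unsafe call
  }
};

// Dispatches to "JS"; the handler may mutate mCalls. Afterwards only the
// global is read: touching any member here would be the use-after-free.
bool TelephonyCall::NotifyError() {
  mOwner->mListener();
  return g_destroyed == 0;
}

// The bug's scenario: the handler drops the call from mCalls, which held the
// only strong reference. Returns whether the call survived NotifyError.
bool SurvivesNotify(bool holdStackRef) {
  g_destroyed = 0;
  Telephony telephony;
  telephony.mCalls.push_back(new TelephonyCall);
  telephony.mCalls[0]->mOwner = &telephony;
  telephony.mListener = [&telephony] { telephony.mCalls.clear(); };
  return telephony.NotifyError(0, holdStackRef);
}
```

SurvivesNotify(false) reports the object destroyed while its own method is still on the stack, which is the state the gdb trace above caught; SurvivesNotify(true) keeps it alive until the stack reference goes out of scope.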
Comment 7 • 13 years ago (Assignee)
(In reply to ben turner [:bent] from comment #6)
> The general rule in XPCOM is that an extra reference has been acquired for
> all parameters and the 'this' object before a function call is made. This
> rule is not being followed in Telephony::NotifyError() right now. As the
> stack trace above shows it is possible for the mCalls array to mutate during
> the call to TelephonyCall::NotifyError (since JS is being called), so the
> extra reference is dropped too soon.
>
> Using a nsRefPtr on the stack (as in comment 3) solves this problem.
>
> Does that help?
Yes, it helps a lot. Thanks a lot for explaining this in such detail. :)
Comment 8 • 12 years ago (Assignee)
Comment #3 has been addressed somewhere else. See [1].
Marking this bug as fixed.
[1] https://mxr.mozilla.org/mozilla-central/source/dom/telephony/Telephony.cpp#473
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED