Closed
Bug 830704
Opened 12 years ago
Closed 12 years ago
[Bluetooth] Crash when turning off Bluetooth during file transmission
Categories
(Firefox OS Graveyard :: General, defect)
Tracking
(blocking-b2g:tef+, firefox19 wontfix, firefox20 wontfix, firefox21 fixed, b2g18 verified, b2g18-v1.0.0 fixed, b2g18-v1.0.1 verified)
People
(Reporter: tzimmermann, Assigned: tzimmermann)
Details
(Keywords: crash, Whiteboard: [b2g-crash][triage:1/16])
Crash Data
Attachments
(1 file, 1 obsolete file)
2.63 KB, patch, tzimmermann: review+
Gecko crashes with a segmentation fault when turning off Bluetooth during a file transfer. This is almost always reproducible. A stack trace is attached.
STR:
- turn on Bluetooth and pair with PC
- send file from PC to phone
- let file transfer run for a while, then turn off Bluetooth
Expected result:
- 'Transfer canceled' message or something similar
Actual result:
- Gecko crashes
>>>
tdz@linux-6f0r:~/Projects/mozilla/src/B2G-unagi> ./run-gdb.sh attach 109
Attached; pid = 109
Listening on port 11109
prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-gdb -x /tmp/b2g.gdbinit.tdz /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/dist/bin/b2g
GNU gdb (GDB) 7.1-android-gg2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-linux-gnu --target=arm-elf-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Really redefine built-in command "frame"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "thread"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "start"? (y or n) [answered Y; input not from terminal]
Reading symbols from /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/dist/bin/b2g...done.
Remote debugging from host 127.0.0.1
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
syscall () at bionic/libc/arch-arm/bionic/syscall.S:50
50 ldmfd sp!, {r4, r5, r6, r7}
gdb> c
[New Thread 109.482]
Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
mozilla::ipc::SocketReceiveTask::Run (this=0x475b2760) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:321
321 mImpl->mConsumer->ReceiveSocketData(mRawData);
gdb> bt
#0 mozilla::ipc::SocketReceiveTask::Run (this=0x475b2760) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:321
#1 0x41173262 in nsThread::ProcessNextEvent (this=0x404098e0, mayWait=<value optimized out>, result=0xbec077df) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsThread.cpp:620
#2 0x4115368e in NS_ProcessNextEvent_P (thread=0x3a0070, mayWait=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/xpcom/build/nsThreadUtils.cpp:237
#3 0x41088800 in mozilla::ipc::MessagePump::Run (this=0x40402400, aDelegate=0x4042b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/glue/MessagePump.cpp:82
#4 0x41194a50 in MessageLoop::RunInternal (this=0x1000000) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:215
#5 0x41194b06 in MessageLoop::RunHandler (this=0x4042b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:208
#6 MessageLoop::Run (this=0x4042b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:182
#7 0x4100f350 in nsBaseAppShell::Run (this=0x4290e820) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/widget/xpwidgets/nsBaseAppShell.cpp:163
#8 0x40f72c10 in nsAppStartup::Run (this=0x42a738b0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/components/startup/nsAppStartup.cpp:290
#9 0x409ab63a in XREMain::XRE_mainRun (this=0xbec0799c) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3794
#10 0x409adca4 in XREMain::XRE_main (this=0xbec0799c, argc=<value optimized out>, argv=0xbec09b84, aAppData=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3860
#11 0x409addf0 in XRE_main (argc=0x1, argv=0xbec09b84, aAppData=0x1f180, aFlags=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3935
#12 0x0000a11e in do_main (argc=0x1, argv=0xbec09b84) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/b2g/app/nsBrowserApp.cpp:164
#13 main (argc=0x1, argv=0xbec09b84) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/b2g/app/nsBrowserApp.cpp:249
gdb>
Assignee
Comment 1•12 years ago
Patch coming soon...
Assignee
Updated•12 years ago
blocking-b2g: --- → tef?
tracking-b2g18: --- → ?
Assignee
Comment 2•12 years ago
Version info:
Version: e9dfbe2e99bfec5c1609b8e7fafe54477914c715 from git://github.com/mozilla-b2g/B2G.git (b2g18)
Gecko: b75dfee39f8a5b634a9bc39dacf2bdf59ee4333f
Gaia: df38c1bb813029f3ccfa4a997fb1529b3ff1a1ff
Updated•12 years ago
Severity: normal → critical
Crash Signature: [@ mozilla::ipc::SocketReceiveTask::Run()]
Whiteboard: [b2g-crash]
Assignee
Comment 3•12 years ago
The problem here is that an instance of UnixSocketImpl gets deleted while there are still users left (SocketReceiveTask). The delete operation is added to the end of the main thread's event queue. All users of the UnixSocketImpl should be located in front of it.
The patch introduces the generic class template DeleteInstanceRunnable. I'd like to move it to a more visible location, if there is a fitting file.
The fix has been tested with inbound and gecko18.
Attachment #702299 -
Flags: review?(kyle)
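Added example, not part of the bug report or the attached patch: a single-threaded C++ model of the ordering problem described in comment 3, comparing deletion while receive tasks are still queued with deletion posted to the end of the queue. `Impl`, `Loop`, `CloseDuringTransfer` and the liveness set are hypothetical stand-ins, and the immediate-delete branch is an assumed model of the pre-patch behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <deque>
#include <functional>
#include <set>
#include <utility>

struct Impl {};  // hypothetical stand-in for UnixSocketImpl
struct Loop {    // hypothetical stand-in for the main thread's FIFO event queue
    std::deque<std::function<void()>> queue;
    std::set<std::uintptr_t> live;  // liveness bookkeeping: freed memory is never touched
    int delivered = 0;              // receive tasks that found a live Impl
    int staleUses = 0;              // receive tasks that would have used a deleted Impl
    static std::uintptr_t Key(Impl* p) { return reinterpret_cast<std::uintptr_t>(p); }
    void Post(std::function<void()> f) { queue.push_back(std::move(f)); }
    void PostReceive(Impl* impl) {  // models a queued SocketReceiveTask
        std::uintptr_t key = Key(impl);
        Post([this, key] { if (live.count(key)) ++delivered; else ++staleUses; });
    }
    void Destroy(Impl* impl) { live.erase(Key(impl)); delete impl; }
    void Run() {
        while (!queue.empty()) {
            std::function<void()> task = std::move(queue.front());
            queue.pop_front();
            task();
        }
    }
};

struct Result { int delivered; int staleUses; };
// Three receive tasks are pending when the socket is torn down.
Result CloseDuringTransfer(bool deferDelete) {
    Loop loop;
    Impl* impl = new Impl;
    loop.live.insert(Loop::Key(impl));
    for (int i = 0; i < 3; ++i) loop.PostReceive(impl);
    if (deferDelete)
        loop.Post([&loop, impl] { loop.Destroy(impl); });  // delete queued behind all users
    else
        loop.Destroy(impl);  // assumed pre-patch model: deleted with tasks still queued
    loop.Run();
    return {loop.delivered, loop.staleUses};
}

int main() {
    Result a = CloseDuringTransfer(false), b = CloseDuringTransfer(true);
    std::printf("immediate: %d stale; deferred: %d stale\n", a.staleUses, b.staleUses);
    return 0;
}
```

Each stale use counted in the immediate-delete case corresponds to a queued task that would dereference a freed object, which is the crash at UnixSocket.cpp:321 in the trace above.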
Updated•12 years ago
Attachment #702299 -
Flags: review?(kyle) → review+
Assignee
Comment 4•12 years ago
Attachment #702299 -
Attachment is obsolete: true
Attachment #702602 -
Flags: review+
Assignee
Updated•12 years ago
Keywords: checkin-needed
Comment 5•12 years ago
Keywords: checkin-needed
Assignee
Comment 6•12 years ago
Comment on attachment 702602 [details] [diff] [review]
Delete UnixSocketImpl instance after SocketReceiveTasks completed
[Approval Request Comment]
Bug caused by (feature/regressing bug #): -
User impact if declined: Crash when Bluetooth gets turned off during file transfers
Testing completed: On my unagi
Risk to taking this patch (and alternatives if risky): AFAIK, Bluetooth is the only user of the patched code. So it probably won't get worse.
String or UUID changes made by this patch: -
Attachment #702602 -
Flags: approval-mozilla-b2g18?
Updated•12 years ago
Comment 7•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Target Milestone: --- → B2G C4 (2jan on)
Updated•12 years ago
Attachment #702602 -
Flags: approval-mozilla-b2g18?
Comment 8•12 years ago
status-b2g18: --- → fixed
status-firefox19: --- → wontfix
status-firefox20: --- → wontfix
status-firefox21: --- → fixed
Comment 9•12 years ago
Landed on mozilla-b2g18/gaia master prior to the 1/25 branching to mozilla-b2g18_v1_0_0/v1.0.0, updating status-b2g-v1.0.0 to fixed.
status-b2g18-v1.0.0: --- → fixed
Comment 11•12 years ago
Verified fixed on
Unagi Build ID: 20130401070203
Kernel Date: Dec 5
Gecko: http://hg.mozilla.org/releases/mozilla-b2g18_v1_0_1/rev/b28463f2e718
Gaia: ddb38ac8a34f9e30e09d0ff3b5c1bfb9b664b7c3
and
Unagi Build ID: 20130401070203
Kernel Date: Dec 5
Gecko: http://hg.mozilla.org/releases/mozilla-b2g18/rev/f9f11b8cbf8a
Gaia: 663101b6eb809383e5882d9bc3868a923a57998a
Able to cancel a Bluetooth transfer mid-transfer and the device responds without crashing. The device gives a message saying 'Bluetooth sending file failed, transferred failed'
status-b2g18-v1.0.1: --- → verified