Closed Bug 840925 Opened 12 years ago Closed 12 years ago

[Bluetooth] SIGSEGV while writing to UnixSocket

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(blocking-b2g:leo+)

RESOLVED WORKSFORME
blocking-b2g leo+

People

(Reporter: tzimmermann, Assigned: shawnjohnjr)

References

Details

(Keywords: crash)

Attachments

(1 file)

When trying to reproduce bug 838212 in b2g-18, writing to a unix socket failed with a segmentation fault. Debugging output is shown below.

-----

tdz@linux-6f0r:~/Projects/mozilla/src/B2G-unagi> ./run-gdb.sh attach 109
Attached; pid = 109
Listening on port 11109
prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-gdb -x /tmp/b2g.gdbinit.tdz /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/dist/bin/b2g
GNU gdb (GDB) 7.1-android-gg2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-linux-gnu --target=arm-elf-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Really redefine built-in command "frame"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "thread"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "start"? (y or n) [answered Y; input not from terminal]
Reading symbols from /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/dist/bin/b2g...done.
Remote debugging from host 127.0.0.1
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
syscall () at bionic/libc/arch-arm/bionic/syscall.S:50
50	ldmfd sp!, {r4, r5, r6, r7}
gdb> c
[New Thread 109.233]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 109.233]
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
AppendElements<mozilla::ipc::UnixSocketRawData*> (this=0x47901e50) at ../../dist/include/nsTArray.h:877
877	if (!this->EnsureCapacity(Length() + arrayLen, sizeof(elem_type)))
gdb> bt
#0  AppendElements<mozilla::ipc::UnixSocketRawData*> (this=0x47901e50) at ../../dist/include/nsTArray.h:877
#1  AppendElement<mozilla::ipc::UnixSocketRawData*> (this=0x47901e50) at ../../dist/include/nsTArray.h:894
#2  mozilla::ipc::UnixSocketImpl::QueueWriteData (this=0x47901e50) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:68
#3  mozilla::ipc::SocketSendTask::Run (this=0x47901e50) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:372
#4  0x41285b9a in MessageLoop::RunTask (this=0x4245bdf0, task=0x47901e50) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:333
#5  0x41286b98 in MessageLoop::DeferOrRunPendingTask (this=0x47901e50, pending_task=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:341
#6  0x4128785a in MessageLoop::DoWork (this=0x4245bdf0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:441
#7  0x41299764 in base::MessagePumpLibevent::Run (this=0x40402430, delegate=0x4245bdf0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_pump_libevent.cc:310
#8  0x41285b36 in MessageLoop::RunInternal (this=0x47901e50) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:215
#9  0x41285c16 in MessageLoop::RunHandler (this=0x4245bdf0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:208
#10 MessageLoop::Run (this=0x4245bdf0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:182
#11 0x4128ec46 in base::Thread::ThreadMain (this=0x40407280) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/thread.cc:156
#12 0x41299c5e in ThreadFunc (closure=0x47901e50) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/platform_thread_posix.cc:39
#13 0x400dfe18 in __thread_entry (func=0x41299c55 <ThreadFunc>, arg=0x40407280, tls=<value optimized out>) at bionic/libc/bionic/pthread.c:217
#14 0x400df96c in pthread_create (thread_out=<value optimized out>, attr=0xbed64890, start_routine=0x41299c55 <ThreadFunc>, arg=0x40407280) at bionic/libc/bionic/pthread.c:357
#15 0x00000000 in ?? ()
gdb> info threads
[New Thread 109.231]
[New Thread 109.234]
[New Thread 109.235]
[New Thread 109.236]
[New Thread 109.237]
[New Thread 109.238]
[New Thread 109.239]
[New Thread 109.240]
[New Thread 109.247]
[New Thread 109.248]
[New Thread 109.249]
[New Thread 109.250]
[New Thread 109.251]
[New Thread 109.252]
[New Thread 109.253]
[New Thread 109.254]
[New Thread 109.255]
[New Thread 109.256]
[New Thread 109.257]
[New Thread 109.258]
[New Thread 109.259]
[New Thread 109.260]
[New Thread 109.261]
[New Thread 109.262]
[New Thread 109.263]
[New Thread 109.264]
[New Thread 109.323]
[New Thread 109.326]
[New Thread 109.327]
[New Thread 109.332]
[New Thread 109.342]
[New Thread 109.371]
[New Thread 109.381]
[New Thread 109.456]
[New Thread 109.486]
[New Thread 109.517]
[New Thread 109.549]
  39 Thread 109.549  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:183
  38 Thread 109.517  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  37 Thread 109.486  poll () at bionic/libc/arch-arm/syscalls/poll.S:10
  36 Thread 109.456  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  35 Thread 109.381  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  34 Thread 109.371  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:183
  33 Thread 109.342  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  32 Thread 109.332  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  31 Thread 109.327  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  30 Thread 109.326  __ioctl () at bionic/libc/arch-arm/syscalls/__ioctl.S:9
  29 Thread 109.323  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  28 Thread 109.264  poll () at bionic/libc/arch-arm/syscalls/poll.S:10
  27 Thread 109.263  syscall () at bionic/libc/arch-arm/bionic/syscall.S:50
  26 Thread 109.262  read () at bionic/libc/arch-arm/syscalls/read.S:9
  25 Thread 109.261  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  24 Thread 109.260  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  23 Thread 109.259  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  22 Thread 109.258  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  21 Thread 109.257  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  20 Thread 109.256  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  19 Thread 109.255  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  18 Thread 109.254  poll () at bionic/libc/arch-arm/syscalls/poll.S:10
  17 Thread 109.253  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  16 Thread 109.252  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  15 Thread 109.251  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  14 Thread 109.250  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  13 Thread 109.249  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:183
  12 Thread 109.248  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  11 Thread 109.247  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  10 Thread 109.240  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  9 Thread 109.239  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  8 Thread 109.238  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:183
  7 Thread 109.237  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  6 Thread 109.236  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  5 Thread 109.235  0xffff0520 in ?? ()
  4 Thread 109.234  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
  3 Thread 109.231  __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
* 2 Thread 109.233  AppendElements<mozilla::ipc::UnixSocketRawData*> (this=0x47901e50) at ../../dist/include/nsTArray.h:877
  1 Thread 109.109  write () at bionic/libc/arch-arm/syscalls/write.S:10
gdb> info registers
r0             0x47901e50	0x47901e50
r1             0x47901e50	0x47901e50
r2             0x0	0x0
r3             0x0	0x0
r4             0x491d6940	0x491d6940
r5             0x47901e50	0x47901e50
r6             0x4245bd58	0x4245bd58
r7             0x4245bd10	0x4245bd10
r8             0x47901e30	0x47901e30
r9             0x4245bdf8	0x4245bdf8
r10            0x0	0x0
r11            0x4245bd90	0x4245bd90
r12            0x401502f0	0x401502f0
sp             0x4245bd10	0x4245bd10
lr             0x41285b9b	0x41285b9b
pc             0x41239b52	0x41239b52 <mozilla::ipc::SocketSendTask::Run()+14>
cpsr           0x40000030	0x40000030
gdb> up 2
#2  mozilla::ipc::UnixSocketImpl::QueueWriteData (this=0x47901e50) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:68
68	mOutgoingQ.AppendElement(aData);
gdb> print *this
Cannot access memory at address 0x0
gdb> print this
$1 = <value optimized out>
gdb> print *0x47901e50
$2 = 0x41be32c0
gdb> up
#3  mozilla::ipc::SocketSendTask::Run (this=0x47901e50) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:372
372	mImpl->QueueWriteData(mData);
gdb> print mImpl
$3 = (class mozilla::ipc::UnixSocketImpl *) 0x491d6940
gdb> print *mImpl
$4 = {<base::MessagePumpLibevent::Watcher> = {_vptr.Watcher = 0x0}, mConsumer = {ptr = 0x0}, mIOLoop = 0x0, mOutgoingQ = {<nsTArray_base<nsTArrayDefaultAllocator>> = {mHdr = 0x0}, <nsTArray_SafeElementAtHelper<mozilla::ipc::UnixSocketRawData*, nsTArray<mozilla::ipc::UnixSocketRawData*, nsTArrayDefaultAllocator> >> = {<No data fields>}, <No data fields>}, mIncoming = {mRawPtr = 0x0}, mReadWatcher = {is_persistent_ = 0x0, event_ = 0x0}, mWriteWatcher = {is_persistent_ = 0x0, event_ = 0x0}, mFd = {value = 0x0}, mConnector = {mRawPtr = 0x0}, mCurrentTaskIsCanceled = 0x0, mTask = 0x0, mAddress = {<nsACString_internal> = {mData = 0x0, mLength = 0x0, mFlags = 0x0}, <No data fields>}, mAddrSize = 0x0, mAddr = {sa_family = 0x0, sa_data = '\000' <repeats 13 times>}, mLock = {<mozilla::BlockingResourceBase> = {static kResourceTypeName = 0x41c039f0}, mLock = 0x0}}
gdb> print *this
$5 = {<Task> = {<tracked_objects::Tracked> = {_vptr.Tracked = 0x41be32c0}, <No data fields>}, mConsumer = {mRawPtr = 0x47d72790}, mImpl = 0x491d6940, mData = 0x47901e30}
gdb>
I had a headset paired, and I think something went wrong when connecting or disconnecting to/from it. The Bluetooth system still tried to send data to it while the UnixSocketImpl had actually been closed and deleted. After a while its memory got overwritten by other data and the SendSocketTask failed.
Another instance of this bug is shown at https://bugzilla.mozilla.org/show_bug.cgi?id=838212#c7
The quickest way to reproduce this is:

- pair your headphone
- connect/disconnect, then connect again
- unpair while connected

If it doesn't work, rinse and repeat, as it tends to happen fairly often.
The written data is a Bluetooth reply (+CIEV service=1), which is generated in BluetoothHfpManager::HandleVoiceConnectionChanged.

-----

tdz@linux-6f0r:~/Projects/mozilla/src/B2G-unagi> ./run-gdb.sh attach 109
Attached; pid = 109
Listening on port 11109
prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-gdb -x /tmp/b2g.gdbinit.tdz /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko-debug/dist/bin/b2g
GNU gdb (GDB) 7.1-android-gg2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-linux-gnu --target=arm-elf-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Really redefine built-in command "frame"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "thread"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "start"? (y or n) [answered Y; input not from terminal]
Reading symbols from /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko-debug/dist/bin/b2g...done.
Remote debugging from host 127.0.0.1
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
memset () at bionic/libc/arch-arm/bionic/memset.S:69
69	cmp r2, #16
gdb> c
[New Thread 109.463]
[New Thread 109.234]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 109.234]
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
AppendElements<mozilla::ipc::UnixSocketRawData*> (this=0x47ed6a80) at ../../dist/include/nsTArray.h:877
877	if (!this->EnsureCapacity(Length() + arrayLen, sizeof(elem_type)))
gdb> bt
#0  AppendElements<mozilla::ipc::UnixSocketRawData*> (this=0x47ed6a80) at ../../dist/include/nsTArray.h:877
#1  AppendElement<mozilla::ipc::UnixSocketRawData*> (this=0x47ed6a80) at ../../dist/include/nsTArray.h:894
#2  mozilla::ipc::UnixSocketImpl::QueueWriteData (this=0x47ed6a80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:68
#3  mozilla::ipc::SocketSendTask::Run (this=0x47ed6a80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:372
#4  0x417b045e in MessageLoop::RunTask (this=0x42d11dd0, task=0x47ed6a80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:333
#5  0x417b0c88 in MessageLoop::DeferOrRunPendingTask (this=0x47ed6a80, pending_task=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:341
#6  0x417b19da in MessageLoop::DoWork (this=0x42d11dd0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:441
#7  0x417c7c3e in base::MessagePumpLibevent::Run (this=0x40302460, delegate=0x42d11dd0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_pump_libevent.cc:310
#8  0x417b0a12 in MessageLoop::RunInternal (this=0x42d11dd0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:215
#9  0x417b0a72 in MessageLoop::RunHandler (this=0x42d11dd0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:208
#10 MessageLoop::Run (this=0x42d11dd0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:182
#11 0x417ba9dc in base::Thread::ThreadMain (this=0x40307280) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/thread.cc:156
#12 0x417c83ae in ThreadFunc (closure=0x47ed6a80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/platform_thread_posix.cc:39
#13 0x40091e18 in __thread_entry (func=0x417c83a5 <ThreadFunc>, arg=0x40307280, tls=<value optimized out>) at bionic/libc/bionic/pthread.c:217
#14 0x4009196c in pthread_create (thread_out=<value optimized out>, attr=0xbeb4e818, start_routine=0x417c83a5 <ThreadFunc>, arg=0x40307280) at bionic/libc/bionic/pthread.c:357
#15 0x00000000 in ?? ()
gdb> up 2
#2  mozilla::ipc::UnixSocketImpl::QueueWriteData (this=0x47ed6a80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:68
68	mOutgoingQ.AppendElement(aData);
gdb> print aData
$1 = <value optimized out>
gdb> down
#1  AppendElement<mozilla::ipc::UnixSocketRawData*> (this=0x47ed6a80) at ../../dist/include/nsTArray.h:894
894	return AppendElements(&item, 1);
gdb> up
#2  mozilla::ipc::UnixSocketImpl::QueueWriteData (this=0x47ed6a80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:68
68	mOutgoingQ.AppendElement(aData);
gdb> up
#3  mozilla::ipc::SocketSendTask::Run (this=0x47ed6a80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/unixsocket/UnixSocket.cpp:372
372	mImpl->QueueWriteData(mData);
gdb> print mData
$2 = (mozilla::ipc::UnixSocketRawData *) 0x47f74cc0
gdb> print *mData
$3 = {mData = {mRawPtr = 0x47f74ce0 "\r\n+CIEV: 5,1\r\n\245\245", 'Z' <repeats 16 times>"\205, \312\aB\001"}, mSize = 0xe, mCurrentWriteOffset = 0x0}
gdb>
Here is a stack trace of the call to HandleVoiceConnectionChanged before the crash. It looks like the call comes from within JS. The headset had been unpaired for more than a second before the call happened.

-----

tdz@linux-6f0r:~/Projects/mozilla/src/B2G-unagi> ./run-gdb.sh attach 109
Attached; pid = 109
Listening on port 11109
prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-gdb -x /tmp/b2g.gdbinit.tdz /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko-debug/dist/bin/b2g
GNU gdb (GDB) 7.1-android-gg2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-linux-gnu --target=arm-elf-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Really redefine built-in command "frame"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "thread"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "start"? (y or n) [answered Y; input not from terminal]
Reading symbols from /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko-debug/dist/bin/b2g...done.
Remote debugging from host 127.0.0.1
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
syscall () at bionic/libc/arch-arm/bionic/syscall.S:50
50	ldmfd sp!, {r4, r5, r6, r7}
gdb> break /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/bluetooth/BluetoothHfpManager.cpp:541
Breakpoint 1 at 0x41185a0e: file /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/bluetooth/BluetoothHfpManager.cpp, line 541.
gdb> c
[New Thread 109.453]
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.

Breakpoint 1, mozilla::dom::bluetooth::BluetoothHfpManager::HandleVoiceConnectionChanged (this=0x47efe420) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/bluetooth/BluetoothHfpManager.cpp:541
541	NS_WARNING("service is 1");
gdb> bt
#0  mozilla::dom::bluetooth::BluetoothHfpManager::HandleVoiceConnectionChanged (this=0x47efe420) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/bluetooth/BluetoothHfpManager.cpp:541
#1  0x41186e3c in mozilla::dom::bluetooth::BluetoothHfpManagerObserver::Observe (this=<value optimized out>, aSubject=<value optimized out>, aTopic=0x4acecd60 "mobile-connection-voice-changed", aData=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/bluetooth/BluetoothHfpManager.cpp:224
#2  0x41765788 in nsObserverList::NotifyObservers (this=<value optimized out>, aSubject=0x0, aTopic=0x4acecd60 "mobile-connection-voice-changed", someData=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/ds/nsObserverList.cpp:99
#3  0x417659c0 in nsObserverService::NotifyObservers (this=<value optimized out>, aSubject=0x0, aTopic=0x4acecd60 "mobile-connection-voice-changed", someData=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/ds/nsObserverService.cpp:149
#4  0x417a4722 in NS_InvokeByIndex_P (that=0x40493c70, methodIndex=0x5, paramCount=<value optimized out>, params=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#5  0x41305f44 in CallMethodHelper::Invoke (this=0xbebd5c00) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNative.cpp:3083
#6  CallMethodHelper::Call (this=0xbebd5c00) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNative.cpp:2417
#7  0x41307160 in XPCWrappedNative::CallMethod (ccx=..., mode=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNative.cpp:2383
#8  0x4130e352 in XPC_WN_CallMethod (cx=0x40475290, argc=0x3, vp=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1469
#9  0x41ab2b44 in js::CallJSNative (cx=0x40475290, native=0x4130e29d <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jscntxtinlines.h:364
#10 0x41ac6da4 in js::InvokeKernel (cx=0x40475290, args=..., construct=js::NO_CONSTRUCT) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:367
#11 0x41ac010a in js::Interpret (cx=0x40475290, entryFrame=<value optimized out>, interpMode=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:2475
#12 0x41ac6664 in js::RunScript (cx=0x40475290, script=<value optimized out>, fp=0x438ac028) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:324
#13 0x41ac6e24 in js::InvokeKernel (cx=0x40475290, args=..., construct=js::NO_CONSTRUCT) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:378
#14 0x41ac761c in Invoke (cx=0x40475290, thisv=..., fval=..., argc=<value optimized out>, argv=0xbebd6560, rval=0xbebd65c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.h:109
#15 js::Invoke (cx=0x40475290, thisv=..., fval=..., argc=<value optimized out>, argv=0xbebd6560, rval=0xbebd65c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:411
#16 0x41a048ba in JS_CallFunctionValue (cx=0x40475290, objArg=0x44177cd0, fval=..., argc=0x1, argv=0xbebd6560, rval=0xbebd65c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsapi.cpp:5893
#17 0x40e1ca30 in nsFrameMessageManager::ReceiveMessage (this=0x44a73040, aTarget=<value optimized out>, aMessage=<value optimized out>, aSync=<value optimized out>, aCloneData=0xbebd6658, aObjectsArray=0x497cb3d0, aJSONRetVal=0x0, aContext=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsFrameMessageManager.cpp:633
#18 0x40e1d250 in nsAsyncMessageToSameProcessChild::Run (this=0x4ca09160) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsFrameMessageManager.cpp:1094
#19 0x4178ad3e in nsThread::ProcessNextEvent (this=0x40404390, mayWait=<value optimized out>, result=0xbebd66ef) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsThread.cpp:620
#20 0x41752568 in NS_ProcessNextEvent_P (thread=0x1, mayWait=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko-debug/xpcom/build/nsThreadUtils.cpp:237
#21 0x415cca6a in mozilla::ipc::MessagePump::Run (this=0x40402430, aDelegate=0x4042b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/glue/MessagePump.cpp:82
#22 0x417c0a32 in MessageLoop::RunInternal (this=0x4042b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:215
#23 0x417c0a92 in MessageLoop::RunHandler (this=0x4042b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:208
#24 MessageLoop::Run (this=0x4042b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:182
#25 0x4150765a in nsBaseAppShell::Run (this=0x4350e7c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/widget/xpwidgets/nsBaseAppShell.cpp:163
#26 0x4140024e in nsAppStartup::Run (this=0x43692eb0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/components/startup/nsAppStartup.cpp:290
#27 0x40a143e6 in XREMain::XRE_mainRun (this=0xbebd6984) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3794
#28 0x40a16acc in XREMain::XRE_main (this=0xbebd6984, argc=<value optimized out>, argv=0xbebd8b84, aAppData=0x21160) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3860
#29 0x40a16c7a in XRE_main (argc=0x1, argv=0xbebd8b84, aAppData=0x21160, aFlags=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3935
#30 0x000099fc in do_main (argc=0x1, argv=0xbebd8b84) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/b2g/app/nsBrowserApp.cpp:164
#31 main (argc=0x1, argv=0xbebd8b84) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/b2g/app/nsBrowserApp.cpp:249
If you can reproduce the crash, try this in GDB once you hit the relevant breakpoint:

call DumpJSStack()

It will print out the JavaScript stack so we can see where this is coming from. You will probably need to start b2g manually in order for stdout to be visible, though.
Thanks for the tip. I searched the code by hand and found that a ril worker sends either 'networkinfochanged' or 'voiceregistrationstatechange' to RadioInterfaceLayer.onmessage.
The sockets of the Bluetooth managers were never closed during an unpair. That's why they still tried to add data to the send queue. Fixing this bug also fixes the problem that I'm unable to re-pair after the unpair operation.
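The lifetime problem described in this thread, as an added example that is not part of the bug or of Gecko's UnixSocket code: a send task is posted to the I/O thread while the main thread may close or delete the socket implementation before the task runs. In the crash above, SocketSendTask held a raw mImpl pointer into memory that had already been freed and zeroed. The stand-ins below (MessageLoop, SocketImpl, SafeSendTask, Simulate) are hypothetical names; the weak_ptr ownership and the Close()-on-unpair behaviour are the defences illustrated, not a claim about how the patch here was written.

```cpp
// Added example (not Gecko code): models the SocketSendTask / UnixSocketImpl
// lifetime race from this bug and two defences against a late send task.
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for the I/O-thread MessageLoop: posted tasks run later, in order.
struct MessageLoop {
  std::deque<std::function<void()>> tasks;
  void PostTask(std::function<void()> task) { tasks.push_back(std::move(task)); }
  void RunAll() {
    while (!tasks.empty()) {
      std::function<void()> task = std::move(tasks.front());
      tasks.pop_front();
      task();
    }
  }
};

// Stand-in for UnixSocketImpl: owns the socket state and the outgoing queue.
class SocketImpl {
 public:
  // Queue bytes for the write watcher; refused once the socket is closed.
  bool QueueWriteData(const std::string& data) {
    if (mClosed) return false;
    mOutgoingQ.push_back(data);
    return true;
  }
  // What an unpair should do: mark the socket closed and drop queued writes.
  void Close() {
    mClosed = true;
    mOutgoingQ.clear();
  }

 private:
  bool mClosed = false;
  std::vector<std::string> mOutgoingQ;
};

enum class SendResult { Queued, ImplGone, ImplClosed };

// Send task holding a weak_ptr instead of a raw pointer: if the impl was
// deleted before the I/O thread runs the task, lock() fails and the data is
// dropped instead of AppendElement running on freed memory.
class SafeSendTask {
 public:
  SafeSendTask(std::weak_ptr<SocketImpl> impl, std::string data)
      : mImpl(std::move(impl)), mData(std::move(data)) {}
  SendResult Run() {
    std::shared_ptr<SocketImpl> impl = mImpl.lock();
    if (!impl) return SendResult::ImplGone;
    return impl->QueueWriteData(mData) ? SendResult::Queued : SendResult::ImplClosed;
  }

 private:
  std::weak_ptr<SocketImpl> mImpl;
  std::string mData;
};

// Replays the bug's timeline: the main thread posts a +CIEV reply, then the
// headset is unpaired (closeFirst) and/or the impl is deleted (deleteFirst)
// before the I/O thread gets to the task. Returns what the task observed.
// The "\r\n+CIEV: 5,1\r\n" payload is the constructed sample from the trace.
SendResult Simulate(bool closeFirst, bool deleteFirst) {
  MessageLoop ioLoop;
  auto impl = std::make_shared<SocketImpl>();
  SendResult result = SendResult::Queued;
  auto task = std::make_shared<SafeSendTask>(impl, "\r\n+CIEV: 5,1\r\n");
  ioLoop.PostTask([task, &result] { result = task->Run(); });
  if (closeFirst) impl->Close();
  if (deleteFirst) impl.reset();  // last strong owner goes away
  ioLoop.RunAll();
  return result;
}

int main() {
  // Connected headset: the reply is queued as normal.
  bool ok = Simulate(false, false) == SendResult::Queued;
  // Unpaired before the task ran: refused instead of written to a dead socket.
  ok = ok && Simulate(true, false) == SendResult::ImplClosed;
  // Impl freed before the task ran: detected instead of a SIGSEGV in AppendElements.
  ok = ok && Simulate(false, true) == SendResult::ImplGone;
  return ok ? 0 : 1;
}
```

Either defence alone would have avoided the crash in the trace: Close() on unpair stops new writes from being queued, and the weak reference keeps a task that was already posted from dereferencing an impl that no longer exists.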
Attachment #714440 - Flags: review?(kyle)
Attachment #714440 - Flags: review?(echou)
Comment on attachment 714440 [details] [diff] [review]
Close sockets on device unpair

Review of attachment 714440 [details] [diff] [review]:
-----------------------------------------------------------------

Hmm. Kinda shows that we might need some sort of central device management once we get more profiles going, but works for now. Good catch.
Attachment #714440 - Flags: review?(kyle) → review+
Eric, are you OK with the attached patch? There are several reports of crashes in the Bluetooth code and I hope this patch might also fix some of them.
Flags: needinfo?(echou)
Comment on attachment 714440 [details] [diff] [review]
Close sockets on device unpair

Review of attachment 714440 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the late reply, Thomas. I think this patch may not work because we will disconnect from the connected device even if it's not the one the user is trying to unpair.

To be honest, I don't think we need to close sockets separately before unpairing from a connected device. The socket should be closed right after the unpair happened. I traced the code and found a bug about "OnDisconnect() won't be called even if the remote device has shut off the connection". I think that's the main problem we are looking for. I'll make a patch today.
Attachment #714440 - Flags: review?(echou) → review-
Flags: needinfo?(echou)
blocking-b2g: --- → leo?
Depends on: 842434
blocking-b2g: leo? → leo+
Keywords: crash
Assignee: nobody → shuang
Hi Shawn, please help with this bug.
(In reply to Eric Chou [:ericchou] [:echou] from comment #11)
> Comment on attachment 714440 [details] [diff] [review]
> Close sockets on device unpair
>
> Review of attachment 714440 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Sorry for the late reply, Thomas. I think this patch may not work because we
> will disconnect with the connected device even if it's not the one user
> trying to unpair with.
>
> To be honest, I don't think we need to close sockets separately before
> unpairing with a connected device. The socket should be closed right after
> unpair happened. I traced the code and found a bug about "OnDisconnect()
> won't be called even the remote device has shut off the connection". I think
> that's the main problem we are looking for. I'll make a patch today.

Bug 842434 is the bug I mentioned (OnDisconnect() won't be called).
Hey Thomas, I wonder whether this bug will disappear if the bug 830290 patch is applied?
Tried to reproduce this issue again; the problem no longer exists. I also worked with Thomas using the same Bluetooth headset. It is non-reproducible now.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME