Closed Bug 841984 Opened 12 years ago Closed 12 years ago

Bluetooth: SIGSEGV in mozilla::ipc::dbus_func_send_async, BluetoothDBusService::SetProperty

Categories

(Core :: DOM: Device Interfaces, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla22
blocking-b2g tef+
Tracking Status
firefox20 --- wontfix
firefox21 --- wontfix
firefox22 --- fixed
b2g18 --- fixed
b2g18-v1.0.0 --- wontfix
b2g18-v1.0.1 --- fixed

People

(Reporter: gwagner, Assigned: echou)

Attachments

(3 files)

STR: unpair a device in bluetooth settings and wait 30 sec:

[Parent 281] WARNING: Disconnected Signal not handled!: file /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line 1531
[Child 729] WARNING: There is no observer for "invalidformsubmit". One should be implemented!: file /Volumes/2mac/gaia/isrc/content/html/content/src/nsHTMLFormElement.cpp, line 1767
[Parent 281] WARNING: Failed to get device properties: file /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line 1324
[Parent 281] WARNING: Getting properties failed!: file /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line 1930
[Child 729] WARNING: There is no observer for "invalidformsubmit". One should be implemented!: file /Volumes/2mac/gaia/isrc/content/html/content/src/nsHTMLFormElement.cpp, line 1767
[Parent 281] WARNING: Failed to get device properties: file /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line 1324
[Parent 281] WARNING: Getting properties failed!: file /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line 1930
[Child 729] WARNING: There is no observer for "invalidformsubmit". One should be implemented!: file /Volumes/2mac/gaia/isrc/content/html/content/src/nsHTMLFormElement.cpp, line 1767
[Child 729] WARNING: There is no observer for "invalidformsubmit". One should be implemented!: file /Volumes/2mac/gaia/isrc/content/html/content/src/nsHTMLFormElement.cpp, line 1767
[Parent 281] WARNING: Failed to get device properties: file /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line 1324
[Parent 281] WARNING: Getting properties failed!: file /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line 1930
[Child 729] WARNING: There is no observer for "invalidformsubmit". One should be implemented!: file /Volumes/2mac/gaia/isrc/content/html/content/src/nsHTMLFormElement.cpp, line 1767
process 281: D-Bus not compiled with backtrace support so unable to print a backtrace

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 281.281]
__libc_android_abort () at bionic/libc/unistd/abort.c:82
82 *((char*)0xdeadbaad) = 39;
(gdb) bt
#0 __libc_android_abort () at bionic/libc/unistd/abort.c:82
#1 0x44c55192 in _dbus_abort () at external/dbus/dbus/dbus-sysdeps.c:94
#2 0x44c3ccf8 in _dbus_warn_check_failed ( format=0x44c5f697 "arguments to %s() were incorrect, assertion \"%s\" failed in file %s line %d.\nThis is normally a bug in some application using the D-Bus library.\n") at external/dbus/dbus/dbus-internals.c:302
#3 0x44c49f82 in dbus_pending_call_get_completed (pending=0x0) at external/dbus/dbus/dbus-pending-call.c:628
#4 0x42641a42 in mozilla::ipc::dbus_func_send_async (conn=0x4baeb1a0, msg=0x482e6860, timeout_ms=1000, user_cb=0x418d11f1 <GetVoidCallback(DBusMessage*, void*)>, user=0x4b953f70) at /Volumes/2mac/gaia/isrc/ipc/dbus/DBusUtils.cpp:114
#5 0x418d508c in mozilla::dom::bluetooth::BluetoothDBusService::SetProperty (this=0x46753240, aType=mozilla::dom::bluetooth::TYPE_ADAPTER, aPath=..., aValue=..., aRunnable=0x4b953f70) at /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp:2086
#6 0x418bdcdc in mozilla::dom::bluetooth::BluetoothRequestParent::DoRequest (this=0x4b953f40, aRequest=...) at /Volumes/2mac/gaia/isrc/dom/bluetooth/ipc/BluetoothParent.cpp:313
#7 0x418bd530 in mozilla::dom::bluetooth::BluetoothParent::RecvPBluetoothRequestConstructor (this=0x4bf93a00, aActor=0x4b953f40, aRequest=...) at /Volumes/2mac/gaia/isrc/dom/bluetooth/ipc/BluetoothParent.cpp:191
#8 0x4206e9de in mozilla::dom::bluetooth::PBluetoothParent::OnMessageReceived (this=0x4bf93a00, __msg=...) at /Volumes/2mac/gaia/isrc/debotorobuild/ipc/ipdl/PBluetoothParent.cpp:433
#9 0x420bdf34 in mozilla::dom::PContentParent::OnMessageReceived (this=0x493a4400, __msg=...) at /Volumes/2mac/gaia/isrc/debotorobuild/ipc/ipdl/PContentParent.cpp:1368
#10 0x4204137e in mozilla::ipc::AsyncChannel::OnDispatchMessage (this=0x493a4408, msg=...) at /Volumes/2mac/gaia/isrc/ipc/glue/AsyncChannel.cpp:473
#11 0x4204cd06 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x493a4408) at /Volumes/2mac/gaia/isrc/ipc/glue/RPCChannel.cpp:402
#12 0x42006d9e in DispatchToMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)()> (obj=0x493a4408, method=0x4204cb4d <mozilla::ipc::RPCChannel::OnMaybeDequeueOne()>, arg=...) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/tuple.h:383
#13 0x42006b50 in RunnableMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)(), Tuple0>::Run (this=0x4d0fcc40) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/task.h:307
#14 0x4204b810 in mozilla::ipc::RPCChannel::RefCountedTask::Run (this=0x466d3440) at ../../dist/include/mozilla/ipc/RPCChannel.h:425
#15 0x4204b8f4 in mozilla::ipc::RPCChannel::DequeueTask::Run (this=0x4a9ffea0) at ../../dist/include/mozilla/ipc/RPCChannel.h:448
#16 0x4270e340 in MessageLoop::RunTask (this=0x4042b0c0, task=0x4a9ffea0) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/message_loop.cc:333
#17 0x4270e39c in MessageLoop::DeferOrRunPendingTask (this=0x4042b0c0, pending_task=...) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/message_loop.cc:341
#18 0x4270e706 in MessageLoop::DoWork (this=0x4042b0c0) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/message_loop.cc:441
#19 0x4204a0d4 in mozilla::ipc::DoWorkRunnable::Run (this=0x40401be0) at /Volumes/2mac/gaia/isrc/ipc/glue/MessagePump.cpp:42
#20 0x426b34b0 in nsThread::ProcessNextEvent (this=0x40404390, mayWait=true, result=0xbea7f707) at /Volumes/2mac/gaia/isrc/xpcom/threads/nsThread.cpp:627
#21 0x4264fdca in NS_ProcessNextEvent_P (thread=0x40404390, mayWait=true) at /Volumes/2mac/gaia/isrc/debotorobuild/xpcom/build/nsThreadUtils.cpp:238
#22 0x4204a3b6 in mozilla::ipc::MessagePump::Run (this=0x40402430, aDelegate=0x4042b0c0) at /Volumes/2mac/gaia/isrc/ipc/glue/MessagePump.cpp:117
#23 0x4270defc in MessageLoop::RunInternal (this=0x4042b0c0) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/message_loop.cc:215
#24 0x4270de96 in MessageLoop::RunHandler (this=0x4042b0c0) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/message_loop.cc:208
#25 0x4270de3e in MessageLoop::Run (this=0x4042b0c0) at /Volumes/2mac/gaia/isrc/ipc/chromium/src/base/message_loop.cc:182
#26 0x41ee0c1a in nsBaseAppShell::Run (this=0x45725880) at /Volumes/2mac/gaia/isrc/widget/xpwidgets/nsBaseAppShell.cpp:163
#27 0x41d089b0 in nsAppStartup::Run (this=0x458ab400) at /Volumes/2mac/gaia/isrc/toolkit/components/startup/nsAppStartup.cpp:288
---Type <return> to continue, or q <return> to quit---
#28 0x40b6a640 in XREMain::XRE_mainRun (this=0xbea7f990) at /Volumes/2mac/gaia/isrc/toolkit/xre/nsAppRunner.cpp:3871
#29 0x40b6a872 in XREMain::XRE_main (this=0xbea7f990, argc=1, argv=0xbea81ba4, aAppData=0x3a7f4) at /Volumes/2mac/gaia/isrc/toolkit/xre/nsAppRunner.cpp:3938
#30 0x40b6aa1e in XRE_main (argc=1, argv=0xbea81ba4, aAppData=0x3a7f4, aFlags=0) at /Volumes/2mac/gaia/isrc/toolkit/xre/nsAppRunner.cpp:4141
#31 0x00009e70 in do_main (argc=1, argv=0xbea81ba4) at /Volumes/2mac/gaia/isrc/b2g/app/nsBrowserApp.cpp:164
#32 0x0000a124 in main (argc=1, argv=0xbea81ba4) at /Volumes/2mac/gaia/isrc/b2g/app/nsBrowserApp.cpp:249
Depends on: 842434
I can reproduce this issue when repeating the process of pair and unpair. Here is something I found during the process:

(In reply to Gregor Wagner [:gwagner] from comment #0)
> STR: unpair a device in bluetooth settings and wait 30 sec:
>
> [Parent 281] WARNING: Disconnected Signal not handled!: file
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line
> 1531

We should handle "Disconnected" signal because it indicates that the dbus connection is going to be closed and we should establish a new connection for later usage. Please see the following link for more details.

http://dbus.freedesktop.org/doc/api/html/group__DBusConnection.html
...
When a connection is disconnected, you are guaranteed to get a signal "Disconnected" from the interface DBUS_INTERFACE_LOCAL, path DBUS_PATH_LOCAL.

> [Parent 281] WARNING: Failed to get device properties: file
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line
> 1324
> [Parent 281] WARNING: Getting properties failed!: file
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line
> 1930
> [Parent 281] WARNING: Failed to get device properties: file
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line
> 1324
> [Parent 281] WARNING: Getting properties failed!: file
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line
> 1930
> [Parent 281] WARNING: Failed to get device properties: file
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line
> 1324
> [Parent 281] WARNING: Getting properties failed!: file
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp, line
> 1930

File another bug for fixing this warning. Bug 842471.

> #0 __libc_android_abort () at bionic/libc/unistd/abort.c:82
> #1 0x44c55192 in _dbus_abort () at external/dbus/dbus/dbus-sysdeps.c:94
> #2 0x44c3ccf8 in _dbus_warn_check_failed (
> format=0x44c5f697 "arguments to %s() were incorrect, assertion \"%s\"
> failed in file %s line %d.\nThis is normally a bug in some application using
> the D-Bus library.\n") at external/dbus/dbus/dbus-internals.c:302
> #3 0x44c49f82 in dbus_pending_call_get_completed (pending=0x0) at
> external/dbus/dbus/dbus-pending-call.c:628
> #4 0x42641a42 in mozilla::ipc::dbus_func_send_async (conn=0x4baeb1a0,
> msg=0x482e6860, timeout_ms=1000, user_cb=0x418d11f1
> <GetVoidCallback(DBusMessage*, void*)>,
> user=0x4b953f70) at /Volumes/2mac/gaia/isrc/ipc/dbus/DBusUtils.cpp:114
> #5 0x418d508c in mozilla::dom::bluetooth::BluetoothDBusService::SetProperty
> (this=0x46753240, aType=mozilla::dom::bluetooth::TYPE_ADAPTER, aPath=...,
> aValue=...,
> aRunnable=0x4b953f70) at
> /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp:2086

Since the dbus connection is broken somehow after we remove device without closing profile sockets first during the unpair process, we failed to get DBusPendingCall in function dbus_connection_send_with_reply(). Although it returns TRUE but leaves *pending_return as NULL. That's why assertion failed in frame #3.

I will generate a patch for reviewing today.
Assignee: nobody → gyeh
set connection to nullptr after receiving "Disconnected" signal from dbus
Attachment #716919 - Flags: review?(echou)
We should never call dbus_pending_call_get_completed and dbus_pending_call_set_notify with a null DBusPendingCall, so we can check both return value and pending_call returned from dbus_connection_send_with_reply.
Attachment #716920 - Flags: review?(kyle)
Attachment #716920 - Flags: review?(kyle) → review+
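
The check proposed in the comment above, as an added example that is not the patch attached to this bug. It is a self-contained C model: `Conn`, `Pending`, `model_send_with_reply` and `send_async_checked` are hypothetical stand-ins for libdbus's `DBusConnection`, `DBusPendingCall`, `dbus_connection_send_with_reply()` and its caller, and the model reproduces only the documented contract that a disconnected connection yields TRUE with a NULL pending call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for DBusConnection / DBusPendingCall; not libdbus. */
typedef struct { bool connected; } Conn;
typedef struct { void (*notify)(void *); void *user; } Pending;

static Pending g_slot; /* one static slot keeps the model allocation-free */

/* Models the documented contract of dbus_connection_send_with_reply():
 * false only on out-of-memory; on a disconnected connection it returns
 * true and sets *pending to NULL. */
static bool model_send_with_reply(Conn *c, Pending **pending, bool oom) {
    if (oom) return false;
    *pending = c->connected ? &g_slot : NULL;
    return true;
}

enum send_result { SEND_OK, SEND_NO_MEMORY, SEND_DISCONNECTED };

static void noop_cb(void *user) { (void)user; }

/* Hypothetical caller: checks the return value AND the pending pointer
 * before touching the pending call, as proposed in this bug. */
enum send_result send_async_checked(Conn *c, void (*cb)(void *),
                                    void *user, bool oom) {
    Pending *call = NULL;
    if (!model_send_with_reply(c, &call, oom))
        return SEND_NO_MEMORY;      /* nothing was queued */
    if (call == NULL)
        return SEND_DISCONNECTED;   /* TRUE + NULL: the case from frame #3 */
    call->notify = cb;              /* safe: call is non-NULL here */
    call->user = user;
    return SEND_OK;
}

int main(void) {
    Conn up = { true }, down = { false };
    printf("connected:     %d\n", send_async_checked(&up, noop_cb, NULL, false));
    printf("disconnected:  %d\n", send_async_checked(&down, noop_cb, NULL, false));
    printf("out of memory: %d\n", send_async_checked(&up, noop_cb, NULL, true));
    return 0;
}
```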
> File another bug for fixing this warning. Bug 842471.
>
> > #0 __libc_android_abort () at bionic/libc/unistd/abort.c:82
> > #1 0x44c55192 in _dbus_abort () at external/dbus/dbus/dbus-sysdeps.c:94
> > #2 0x44c3ccf8 in _dbus_warn_check_failed (
> > format=0x44c5f697 "arguments to %s() were incorrect, assertion \"%s\"
> > failed in file %s line %d.\nThis is normally a bug in some application using
> > the D-Bus library.\n") at external/dbus/dbus/dbus-internals.c:302
> > #3 0x44c49f82 in dbus_pending_call_get_completed (pending=0x0) at
> > external/dbus/dbus/dbus-pending-call.c:628
> > #4 0x42641a42 in mozilla::ipc::dbus_func_send_async (conn=0x4baeb1a0,
> > msg=0x482e6860, timeout_ms=1000, user_cb=0x418d11f1
> > <GetVoidCallback(DBusMessage*, void*)>,
> > user=0x4b953f70) at /Volumes/2mac/gaia/isrc/ipc/dbus/DBusUtils.cpp:114
> > #5 0x418d508c in mozilla::dom::bluetooth::BluetoothDBusService::SetProperty
> > (this=0x46753240, aType=mozilla::dom::bluetooth::TYPE_ADAPTER, aPath=...,
> > aValue=...,
> > aRunnable=0x4b953f70) at
> > /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp:2086
>
> Since the dbus connection is broken somehow after we remove device without
> closing profile sockets first during the unpair process, we failed to get
> DBusPendingCall in function dbus_connection_send_with_reply(). Although it
> returns TRUE but leaves *pending_return as NULL. That's why assertion failed
> in frame #3.
>

The symptom is exactly the same as bug 836715.
(In reply to Eric Chou [:ericchou] [:echou] from comment #4)
> > File another bug for fixing this warning. Bug 842471.
> >
> > > #0 __libc_android_abort () at bionic/libc/unistd/abort.c:82
> > > #1 0x44c55192 in _dbus_abort () at external/dbus/dbus/dbus-sysdeps.c:94
> > > #2 0x44c3ccf8 in _dbus_warn_check_failed (
> > > format=0x44c5f697 "arguments to %s() were incorrect, assertion \"%s\"
> > > failed in file %s line %d.\nThis is normally a bug in some application using
> > > the D-Bus library.\n") at external/dbus/dbus/dbus-internals.c:302
> > > #3 0x44c49f82 in dbus_pending_call_get_completed (pending=0x0) at
> > > external/dbus/dbus/dbus-pending-call.c:628
> > > #4 0x42641a42 in mozilla::ipc::dbus_func_send_async (conn=0x4baeb1a0,
> > > msg=0x482e6860, timeout_ms=1000, user_cb=0x418d11f1
> > > <GetVoidCallback(DBusMessage*, void*)>,
> > > user=0x4b953f70) at /Volumes/2mac/gaia/isrc/ipc/dbus/DBusUtils.cpp:114
> > > #5 0x418d508c in mozilla::dom::bluetooth::BluetoothDBusService::SetProperty
> > > (this=0x46753240, aType=mozilla::dom::bluetooth::TYPE_ADAPTER, aPath=...,
> > > aValue=...,
> > > aRunnable=0x4b953f70) at
> > > /Volumes/2mac/gaia/isrc/dom/bluetooth/linux/BluetoothDBusService.cpp:2086
> >
> > Since the dbus connection is broken somehow after we remove device without
> > closing profile sockets first during the unpair process, we failed to get
> > DBusPendingCall in function dbus_connection_send_with_reply(). Although it
> > returns TRUE but leaves *pending_return as NULL. That's why assertion failed
> > in frame #3.
> >
>
> The symptom is exactly the same as bug 836715.

Oops, sorry, I was wrong. Please ignore this comment.
* I think this should be the root cause of the original problem. A temporary NS_ConvertUTF16toUTF8 instance is created without being used at the same line of code. This is quite the same problem as bug 836715.
Assignee: gyeh → echou
Attachment #721039 - Flags: review?(bent.mozilla)
Blocks: 846586
also seen on b2g18_v1.0.1
blocking-b2g: --- → tef?
Attachment #721039 - Flags: review?(kyle)
Attachment #721039 - Flags: review?(kyle) → review+
Comment on attachment 716919
Patch 1(v1): Abort dbus connection after receiving Disconnected signal

Review of attachment 716919:
-----------------------------------------------------------------

We shouldn't add a DBus-only method to BluetoothService. Since this issue could be fixed by other patches, I would suggest that we handle the signal "Disconnected" in another bug.
Attachment #716919 - Flags: review?(echou) → review-
Attachment #721039 - Flags: review?(bent.mozilla)
blocking-b2g: tef? → tef+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22