946437 - [Buri] FX OS crash in mozilla::dom::network::MobileConnection::Listener::NotifyVoiceChanged()

Status: VERIFIED FIXED

(Core :: DOM: Device Interfaces, defect)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-cab56611-d6a6-498d-be70-21c442131204.
=============================================================

STR:
1. Unsure, happened after tweaking something in settings.

jsmith suggested adding vicamo to the bug. Will try to get better STR

Frame 	Module 	Signature 	Source
0 	libxul.so 	mozilla::dom::network::MobileConnection::Listener::NotifyVoiceChanged() 	dom/network/src/MobileConnection.cpp
1 	libxul.so 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
2 	libxul.so 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
3 	libxul.so 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
4 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
5 	libxul.so 	js_fun_call(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
6 	libxul.so 	js_fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
7 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
8 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
9 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
10 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
11 	libxul.so 	js::Invoke 	js/src/vm/Interpreter.cpp
12 	libxul.so 	JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) 	js/src/jsapi.cpp
13 	libxul.so 	nsFrameMessageManager::ReceiveMessage(nsISupports*, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, CpowHolder*, nsIPrincipal*, nsTArray<nsString>*) 	content/base/src/nsFrameMessageManager.cpp
14 	libxul.so 	mozilla::dom::ContentChild::RecvAsyncMessage(nsString const&, mozilla::dom::ClonedMessageData const&, nsTArray<mozilla::jsipc::CpowEntry> const&, IPC::Principal const&) 	dom/ipc/ContentChild.cpp
15 	libxul.so 	mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) 	/builds/slave/b2g_m-cen_ham_ntly-00000000000/build/objdir-gecko/ipc/ipdl/PContentChild.cpp
16 	libxul.so 	mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
17 	libxul.so 	mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
18 	libxul.so 	mozilla::ipc::MessageChannel::OnMaybeDequeueOne() 	ipc/glue/MessageChannel.cpp
19 	libxul.so 	RunnableMethod<WebCore::ReverbConvolver, void (WebCore::ReverbConvolver::*)(), Tuple0>::Run() 	ipc/chromium/src/base/tuple.h
20 	libxul.so 	mozilla::ipc::MessageChannel::DequeueTask::Run() 	/builds/slave/b2g_m-cen_ham_ntly-00000000000/build/objdir-gecko/ipc/glue/../../dist/include/mozilla/ipc/MessageChannel.h
21 	libxul.so 	MessageLoop::RunTask(Task*) 	ipc/chromium/src/base/message_loop.cc
22 	libxul.so 	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 	ipc/chromium/src/base/message_loop.cc
23 	libxul.so 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc
24 	libxul.so 	mozilla::ipc::DoWorkRunnable::Run() 	ipc/glue/MessagePump.cpp
25 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
26 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
27 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
28 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
29 	libxul.so 	MessageLoop::RunInternal() 	ipc/chromium/src/base/message_loop.cc
30 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
31 	libxul.so 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
32 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
33 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
34 	libxul.so 	MessageLoop::RunInternal() 	ipc/chromium/src/base/message_loop.cc
35 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
36 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
37 	plugin-container 	main 	ipc/app/MozillaRuntimeMain.cpp
38 	libc.so 	__libc_init 	bionic/libc/bionic/libc_init_dynamic.c
39

Comment 1

[Tony Nguyen]

Steps to repro:

1. Go through and complete FTU 
2. Navigate into the Usage app
3. Complete the Usage app tutorial and tap "Let's go!"
4. Allow device to idle (~1 minute)
5. Unlock the device 

Actual: 
Device will crash 

Repro Rate: 3/5 60%

Environmental Variables:
Device: Buri v1.3 mozRIL
BuildID: 20131204040204
Gaia: 45564d6318cdab2fae2de0eb801308e2bcf4e472
Gecko: 9688476c1544
Version: 28.0a1

Comment 2

[Marcia Knous [:marcia]]

I am able to reproduce this as well, without going through the FTU. If you just go through the Usage app setup and stay on the last page), let the screen lock engage, unlock -> crash.

Comment 3

[Jason Smith [:jsmith]]

Does this reproduce on 1.2 or 1.1?

Comment 5

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Seems the root cause might be the same as https://bugzilla.mozilla.org/show_bug.cgi?id=933203#c38 ...

Comment 6

[Nikolai Khristoforov]

The bug does not reproduce on the 1.2 or 1.1. I let the device go to sleep on the screen after the Usage set-up. The device did not crash after unlocking the device. Tried 5 times on both FxOS versions.

Device: Leo v1.1 Moz RIL
BuildID: 20131203041431
Gaia: 19c9ff3a46a4389e40253c97b359763243af4531
Gecko: 617eb9d9bcc2
Version: 18.0

Device: Buri v1.2 Moz RIL
BuildID: 20131205004003
Gaia: 0659f16b9790b1cf9eba4d80743fcc774d2ffe3a
Gecko: af2c7ebb5967
Version: 26.0

Comment 7

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Possible fix

Gregor saw something like this on his phone and we debugged a little. We haven't gotten it to crash since then, but this fixes a bug where we won't call Shutdown on our MobileConnection objects if we call Unlink before we destruct the MobileConnectionArray.

Comment 8

[Kyle Huey (Exited; not receiving bugmail, old account, do not use)]

(In reply to Blake Kaplan (:mrbkap) from comment #7)
> Created attachment 8343438 [details] [diff] [review]
> Possible fix
> 
> Gregor saw something like this on his phone and we debugged a little. We
> haven't gotten it to crash since then, but this fixes a bug where we won't
> call Shutdown on our MobileConnection objects if we call Unlink before we
> destruct the MobileConnectionArray.

FWIW, it should be easy to construct a testcase that makes the MobileConnectionArray participate in a cycle to see this crash.

Comment 9

[Hsin-Yi Tsai (she/her) [:hsinyi]]

(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #8)
> (In reply to Blake Kaplan (:mrbkap) from comment #7)
> > Created attachment 8343438 [details] [diff] [review]
> > Possible fix
> > 
> > Gregor saw something like this on his phone and we debugged a little. We
> > haven't gotten it to crash since then, but this fixes a bug where we won't
> > call Shutdown on our MobileConnection objects if we call Unlink before we
> > destruct the MobileConnectionArray.
> 
> FWIW, it should be easy to construct a testcase that makes the
> MobileConnectionArray participate in a cycle to see this crash.

(In reply to Blake Kaplan (:mrbkap) from comment #7)
> Created attachment 8343438 [details] [diff] [review]
> Possible fix
> 
> Gregor saw something like this on his phone and we debugged a little. We
> haven't gotten it to crash since then, but this fixes a bug where we won't
> call Shutdown on our MobileConnection objects if we call Unlink before we
> destruct the MobileConnectionArray.

Thanks for the patch. Now I am sure bug 947042 is a duplicate of this.
The patch looks good and the solution is exactly what bug 947042 is talking about. 
Bug 947042 comment 0 mentions STR, and I am trying to reproduce with the patch. Once the test passes, I am going to give r+. :)

Comment 11

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Comment on attachment 8343438 [details] [diff] [review]
Possible fix

Review of attachment 8343438 [details] [diff] [review]:
-----------------------------------------------------------------

I don't see crash per STR in Bug 947042 comment 0. Thanks!

Comment 12

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Thanks!

https://hg.mozilla.org/integration/b2g-inbound/rev/1b6e515ec0b1

Comment 13

[Loli (:lolimartinezcr)]

Tested: 12/04
master
Gecko c63c0a6
Gaia f615ae7

Steps:

1. Go through and complete FTU 
2. Navigate into the Usage app
3. Complete the Usage app tutorial and tap "Let's go!"
4. Complete process

Actual: 
user can't finish process

Usage just crashed
Would you like to send Mozilla a report about the crash to help us fix the problem? (Report are sent over WI-FI only.)

Expected result: FTE process finished

Comment 14

[Loli (:lolimartinezcr)]

tested 12/09

actual: user can't finish process

NO see this message

Usage just crashed
Would you like to send Mozilla a report about the crash to help us fix the problem? (Report are sent over WI-FI only.)

Comment 15

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/1b6e515ec0b1

Comment 16

[Loli (:lolimartinezcr)]

Tested 1.3
12/12
Gecko c8ebb7f
Gaia cbd2921

This bug still ocurre in this branch, this bug should be resolve in 1.3?

Comment 17

[Loli (:lolimartinezcr)]

Tested 1.3
12/17
Gecko fb3888e
Gaia 8d29694

Verified