Closed
Bug 984092
Opened 10 years ago
Closed 10 years ago
[Tarako] monkey test crash at libxul.so!mozilla::ipc::RawDBusConnection::SendWithReply(void (*)(DBusMessage*, void*), void*, int, DBusMessage*) [RawDBusConnection.cpp : 246 + 0x0]
Categories
(Firefox OS Graveyard :: Bluetooth, defect)
Tracking
(blocking-b2g:1.3T+, b2g-v1.3 affected, b2g-v1.3T fixed, b2g-v1.4 unaffected, b2g-v2.0 unaffected)
RESOLVED
FIXED
| Tracking | Status |
|---|---|
| blocking-b2g | 1.3T+ |
| b2g-v1.3 | affected |
| b2g-v1.3T | fixed |
| b2g-v1.4 | unaffected |
| b2g-v2.0 | unaffected |
People
(Reporter: james.zhang, Assigned: shawnjohnjr)
Details
(Keywords: crash)
Attachments
(2 files, 3 obsolete files)
- 6.52 MB, application/x-bzip
- 3.71 KB, patch
```
Operating system: Android 0.0.0 Linux 3.0.8+ #1 PREEMPT Sat Mar 15 03:22:11 CST 2014 armv7l Spreadtrum/sp6821a_gonk/sp6821a_gonk:4.0.4.0.4.0.4/OPENMASTER/171:userdebug/test-keys
CPU: arm 0 CPUs
Crash reason: SIGSEGV
Crash address: 0x8

Thread 0 (crashed)
 0  libxul.so!mozilla::ipc::RawDBusConnection::SendWithReply(void (*)(DBusMessage*, void*), void*, int, DBusMessage*) [RawDBusConnection.cpp : 246 + 0x0]
     r4 = 0x00000000 r5 = 0x0000c350 r6 = 0x45268460 r7 = 0x413a2ea9 r8 = 0x00000000 r9 = 0x4492bd7c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbeca9e38 lr = 0x40fbd7ed pc = 0x40fbd744
     Found by: given as instruction pointer in context
 1  libxul.so!mozilla::ipc::RawDBusConnection::SendWithReply(void (*)(DBusMessage*, void*), void*, int, char const*, char const*, char const*, int, ...) [RawDBusConnection.cpp : 281 + 0xd]
     r4 = 0x00000000 r5 = 0x0000c350 r6 = 0x45268460 r7 = 0x413a2ea9 r8 = 0x00000000 r9 = 0x4492bd7c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbeca9e58 pc = 0x40fbd7ed
     Found by: call frame info
 2  libxul.so!mozilla::dom::bluetooth::BluetoothDBusService::CreatePairedDeviceInternal(nsAString_internal const&, int, mozilla::dom::bluetooth::BluetoothReplyRunnable*) [BluetoothDBusService.cpp : 2500 + 0x3b]
     r4 = 0x00000000 r5 = 0xbeca9eac r6 = 0x0000c350 r7 = 0x45268460 r8 = 0x00000000 r9 = 0x4492bd7c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbeca9e80 pc = 0x413a2e43
     Found by: call frame info
 3  libxul.so!mozilla::dom::bluetooth::BluetoothRequestParent::DoRequest(mozilla::dom::bluetooth::PairRequest const&) [BluetoothParent.cpp : 366 + 0x9]
     r4 = 0x413a2db5 r5 = 0x00000000 r6 = 0xbeca9fa4 r7 = 0x00000001 r8 = 0xbecaa020 r9 = 0x4492bd7c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbeca9f88 pc = 0x4139acf1
     Found by: call frame info
 4  libxul.so!mozilla::dom::bluetooth::BluetoothParent::RecvPBluetoothRequestConstructor(mozilla::dom::bluetooth::PBluetoothRequestParent*, mozilla::dom::bluetooth::Request const&) [BluetoothParent.cpp : 195 + 0x3]
     r4 = 0x4492bd60 r5 = 0x00000000 r6 = 0xbeca9fa4 r7 = 0x00000001 r8 = 0xbecaa020 r9 = 0x4492bd7c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbeca9f90 pc = 0x4139ae73
     Found by: call frame info
 5  libxul.so!mozilla::dom::bluetooth::PBluetoothParent::OnMessageReceived(IPC::Message const&) [PBluetoothParent.cpp : 413 + 0x7]
     r4 = 0x4492bd60 r5 = 0x00000000 r6 = 0xbeca9fa4 r7 = 0x00000001 r8 = 0xbecaa020 r9 = 0x4492bd7c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbeca9f98 pc = 0x40f3d639
     Found by: call frame info
 6  libxul.so!mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) [PContentParent.cpp : 1993 + 0x7]
     r4 = 0x46c74400 r5 = 0xbecaa6ec r6 = 0xbecaa710 r7 = 0x4683a0b0 r8 = 0x42454b14 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa050 pc = 0x40f566b9
     Found by: call frame info
 7  libxul.so!mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) [MessageChannel.cpp : 1126 + 0x5]
     r4 = 0x46c74430 r5 = 0xbecaa6ec r6 = 0xbecaa710 r7 = 0x4683a0b0 r8 = 0x4683a0b0 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa6c8 pc = 0x40f208f7
     Found by: call frame info
 8  libxul.so!mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) [MessageChannel.cpp : 1044 + 0x3]
     r4 = 0x00000001 r5 = 0xbecaa6ec r6 = 0xbecaa710 r7 = 0x4683a0b0 r8 = 0x4683a0b0 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa6e0 pc = 0x40f2244f
     Found by: call frame info
 9  libxul.so!mozilla::ipc::MessageChannel::OnMaybeDequeueOne() [MessageChannel.cpp : 1027 + 0x3]
     r4 = 0x00000001 r5 = 0xbecaa6ec r6 = 0xbecaa710 r7 = 0x4683a0b0 r8 = 0x4683a0b0 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa6e8 pc = 0x40f224e7
     Found by: call frame info
10  libxul.so!RunnableMethod<WebCore::ReverbConvolver, void (WebCore::ReverbConvolver::*)(), Tuple0>::Run() [tuple.h : 383 + 0x5]
     r4 = 0x4044c0c0 r5 = 0x440448a0 r6 = 0xbecaa768 r7 = 0x4044c0cc r8 = 0xbecaa760 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa730 pc = 0x40f205c7
     Found by: call frame info
11  libxul.so!mozilla::ipc::MessageChannel::DequeueTask::Run() [MessageChannel.h : 371 + 0x9]
     r4 = 0x4044c0c0 r5 = 0x440448a0 r6 = 0xbecaa768 r7 = 0x4044c0cc r8 = 0xbecaa760 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa738 pc = 0x40f20509
     Found by: call frame info
12  libxul.so!MessageLoop::RunTask(Task*) [message_loop.cc : 340 + 0x5]
     r4 = 0x4044c0c0 r5 = 0x440448a0 r6 = 0xbecaa768 r7 = 0x4044c0cc r8 = 0xbecaa760 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa740 pc = 0x40f19af5
     Found by: call frame info
13  libxul.so!MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) [message_loop.cc : 348 + 0x5]
     r4 = 0x00000001 r5 = 0xbecaa758 r6 = 0xbecaa768 r7 = 0x4044c0cc r8 = 0xbecaa760 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa750 pc = 0x40f1a85f
     Found by: call frame info
14  libxul.so!MessageLoop::DoWork() [message_loop.cc : 448 + 0x7]
     r4 = 0x4044c0c0 r5 = 0xbecaa758 r6 = 0xbecaa768 r7 = 0x4044c0cc r8 = 0xbecaa760 r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa758 pc = 0x40f1b41d
     Found by: call frame info
15  libxul.so!mozilla::ipc::DoWorkRunnable::Run() [MessagePump.cpp : 45 + 0x7]
     r4 = 0x4044c0c0 r5 = 0x00000001 r6 = 0x00000001 r7 = 0x00000001 r8 = 0xbecaa7df r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa788 pc = 0x40f239c9
     Found by: call frame info
16  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 612 + 0x5]
     r4 = 0x4041c460 r5 = 0x00000000 r6 = 0x00000001 r7 = 0x00000001 r8 = 0xbecaa7df r9 = 0x4041c48c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa798 pc = 0x40df82b5
     Found by: call frame info
17  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
     r4 = 0x00000001 r5 = 0x4044c0c0 r6 = 0x40402b60 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbecaa96c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa7d8 pc = 0x40dcb041
     Found by: call frame info
18  libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 124 + 0x7]
     r4 = 0x40402b50 r5 = 0x4044c0c0 r6 = 0x40402b60 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbecaa96c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa7e8 pc = 0x40f23b65
     Found by: call frame info
19  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 222 + 0x5]
     r4 = 0x4044c0c0 r5 = 0x433c1fa0 r6 = 0x4041c460 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbecaa96c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa810 pc = 0x40f19ab9
     Found by: call frame info
20  libxul.so!MessageLoop::Run() [message_loop.cc : 215 + 0x5]
     r4 = 0x4044c0c0 r5 = 0x433c1fa0 r6 = 0x4041c460 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbecaa96c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa818 pc = 0x40f19b37
     Found by: call frame info
21  libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp : 161 + 0x7]
     r4 = 0x00000000 r5 = 0x433c1fa0 r6 = 0x4041c460 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbecaa96c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa830 pc = 0x412dc8ed
     Found by: call frame info
22  libxul.so!nsAppStartup::Run() [nsAppStartup.cpp : 276 + 0x5]
     r4 = 0x4334bc40 r5 = 0x40de1f35 r6 = 0xbecaab05 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbecaa96c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa840 pc = 0x41908731
     Found by: call frame info
23  libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp : 4059 + 0x5]
     r4 = 0xbecaaa14 r5 = 0x40de1f35 r6 = 0xbecaab05 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbecaa96c r10 = 0xbecaa978 fp = 0x00000000 sp = 0xbecaa848 pc = 0x418e0d79
     Found by: call frame info
24  libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*) [nsAppRunner.cpp : 4127 + 0x5]
     r4 = 0xbecaaa14 r5 = 0xbecaa9ee r6 = 0x00000000 r7 = 0x00021178 r8 = 0x40438000 r9 = 0x4043c000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbecaa9e8 pc = 0x418e374b
     Found by: call frame info
25  libxul.so!XRE_main [nsAppRunner.cpp : 4337 + 0x3]
     r4 = 0x00021178 r5 = 0xbecacbf4 r6 = 0x00000001 r7 = 0x00000000 r8 = 0xbecaaa14 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbecaaa10 pc = 0x418e38b5
     Found by: call frame info
26  b2g!main [nsBrowserApp.cpp : 163 + 0xf]
     r4 = 0x418e3869 r5 = 0x00000000 r6 = 0x00000001 r7 = 0xbecacbf4 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbecaab20 pc = 0x000098ef
     Found by: call frame info
27  libc.so!__libc_init [libc_init_dynamic.c : 114 + 0x7]
     r4 = 0x00009664 r5 = 0xbecacbf4 r6 = 0x00000001 r7 = 0xbecacbfc r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbecacbd8 pc = 0x40107a57
     Found by: call frame info
28  0xb0001dc5
     r4 = 0x00000000 r5 = 0x00000000 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbecacbf0 pc = 0xb0001dc7
     Found by: call frame info
29  b2g!MOZ_PNG_get_cHRM [pngget.c : 514 + 0xf]
     sp = 0xbecacc4c pc = 0x0000b8d7
     Found by: stack scanning
30  b2g + 0x32
     r4 = 0x00000006 r5 = 0x00001000 r6 = 0x00000011 r7 = 0x00000064 r8 = 0x00000003 sp = 0xbecacc64 pc = 0x00008034
     Found by: call frame info
```
Updated•10 years ago (Reporter)
blocking-b2g: --- → 1.3T?
Comment 1•10 years ago (Assignee)
The pattern is similar to bug 950891.
Comment 2•10 years ago (Assignee)
We shall add guard protection for all dbus 'internal' functions. Otherwise, this pattern can be seen a lot.
Updated•10 years ago (Assignee)
Assignee: nobody → shuang
Comment 3•10 years ago (Assignee)
I expect this patch will land on the morning of 3/18. Thanks for reporting.
Comment 4•10 years ago (Reporter)
This patch should be landed on v1.3t.

Bug 950891 - Don't run GetServiceChannel while turning Bluetooth on/off. r=echou, a=1.3+

This patch adds a check to BluetoothDBusService::GetServiceChannel to ensure that Bluetooth is ready. If the system is in a transition from on to off, or vice versa, the method might operate on an undefined state.
Comment 5•10 years ago (Assignee)
(In reply to James Zhang from comment #4)
> This patch should be landed on v1.3t.
>
> Bug 950891 - Don't run GetServiceChannel while turning Bluetooth on/off.
> r=echou, a=1.3+
>
> This patch adds a check to BluetoothDBusService::GetServiceChannel to
> ensure that Bluetooth is ready. If the system is in a transition from
> on to off, or vice versa, the method might operate on an undefined
> state.

This bug is a different but similar problem. Bug 950891 is related to GetServiceChannel; bug 984092 is related to CreatePairedDeviceInternal.
Comment 6•10 years ago (Assignee)
Attachment #8392670 - Flags: review?(echou)
Comment 7•10 years ago
Comment on attachment 8392670 [details] [diff] [review]
Bug 984092: Don't run internal functions while turning Bluetooth on/off

Review of attachment 8392670 [details] [diff] [review]:
-----------------------------------------------------------------

Hi Shawn,

The solution looks fine to me. r- because the patch is based on current m-c; however, this bug should only happen on pre-1.4 branches. Please rebase on 1.3, then send your patch again. Thanks.
Attachment #8392670 - Flags: review?(echou) → review-
Comment 8•10 years ago (Assignee)
Attachment #8392696 - Flags: review?(echou)
Updated•10 years ago
blocking-b2g: 1.3T? → 1.3T+
Updated•10 years ago (Assignee)
Attachment #8392670 - Attachment is obsolete: true
Updated•10 years ago (Assignee)
Attachment #8392696 - Attachment description: Bug 984092: Don't run internal functions while turning Bluetooth on/off → Bug 984092: (v1.3only) Don't run internal functions while turning Bluetooth on/off
Comment 9•10 years ago
Comment on attachment 8392696 [details] [diff] [review]
Bug 984092: (v1.3only) Don't run internal functions while turning Bluetooth on/off

Review of attachment 8392696 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.
Attachment #8392696 - Flags: review?(echou) → review+
Updated•10 years ago (Assignee)
Attachment #8392696 - Attachment is obsolete: true
Comment 10•10 years ago (Assignee)
Updated•10 years ago (Assignee)
Attachment #8392774 - Attachment description: Bug 984092: Don't run internal functions while turning Bluetooth on/off, r=echou → Bug 984092: Don't run internal functions while turning Bluetooth on/off, r=echou (v1.3)
Updated•10 years ago (Assignee)
status-b2g-v1.3: --- → affected
status-b2g-v1.3T: --- → affected
Comment 11•10 years ago (Assignee)
This bug is a 1.3 problem, not a 1.3T-specific problem. Changing the flag to 1.3? for a stability fix.
blocking-b2g: 1.3T+ → 1.3?
Comment 12•10 years ago (Assignee)
There is no patch for central, due to the refactor in Bug 979370, which fixes the multi-thread access problem.
Comment 13•10 years ago (Assignee)
Comment on attachment 8392774 [details] [diff] [review]
Bug 984092: Don't run internal functions while turning Bluetooth on/off, r=echou (v1.3)

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): None
User impact if declined: b2g crashes if the user toggles BT on/off rapidly while, at the same time, pairing with one remote Bluetooth device.
Testing completed:
- Verified rapid BT on/off toggles on .
Risk to taking this patch (and alternatives if risky):
- This only adds protection to check the Bluetooth on/off state here; I don't see risk here.
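The guard described in comment 2 and in the approval request above, as an added C++ model that is not the attached patch or Gecko code: the Bluetooth state machine, the D-Bus connection that only exists while the adapter is On, and an 'internal' function that checks readiness before touching the connection. All names (BtState, BluetoothServiceModel, IsReady, CountRejectedDuringToggle) are hypothetical.

```cpp
#include <string>
// Hypothetical model of the Bluetooth service state machine; the names are
// assumptions, not identifiers from the attached patch.
enum class BtState { Off, TurningOn, On, TurningOff };

// Stand-in for the D-Bus connection the real service hands to
// RawDBusConnection::SendWithReply. It only exists while Bluetooth is On.
struct FakeDBusConnection {
  int messagesSent = 0;
};

class BluetoothServiceModel {
 public:
  BtState state = BtState::Off;
  FakeDBusConnection* connection = nullptr;  // null outside the On state

  // Toggling runs in two steps; a request can arrive between them.
  void BeginEnable()   { state = BtState::TurningOn; }
  void FinishEnable()  { connection = &storage_; state = BtState::On; }
  void BeginDisable()  { state = BtState::TurningOff; connection = nullptr; }
  void FinishDisable() { state = BtState::Off; }

  // The guard the discussion asks for: every 'internal' D-Bus function
  // checks this before touching the connection.
  bool IsReady() const { return state == BtState::On && connection != nullptr; }

  // Guarded counterpart of CreatePairedDeviceInternal. Returns false when
  // the request is rejected instead of dereferencing a null connection
  // (the dump shows r4 = 0 and a fault at address 0x8 on the unguarded path).
  bool CreatePairedDevice(const std::string& address) {
    if (address.empty() || !IsReady()) return false;
    ++connection->messagesSent;  // would be SendWithReply(...) in Gecko
    return true;
  }

 private:
  FakeDBusConnection storage_;
};

// Replays the reproduction from the approval request: a pair request fired
// at each step of a rapid on/off toggle. Returns how many were rejected.
int CountRejectedDuringToggle(BluetoothServiceModel& svc) {
  const std::string addr = "00:11:22:33:44:55";  // constructed sample address
  int rejected = 0;
  svc.BeginEnable();   if (!svc.CreatePairedDevice(addr)) ++rejected;
  svc.FinishEnable();  if (!svc.CreatePairedDevice(addr)) ++rejected;
  svc.BeginDisable();  if (!svc.CreatePairedDevice(addr)) ++rejected;
  svc.FinishDisable(); if (!svc.CreatePairedDevice(addr)) ++rejected;
  return rejected;
}
```

Only the request that arrives while the adapter is fully On goes through; the three that land in a transition or in the Off state are refused instead of reaching a null connection.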
Updated•10 years ago
blocking-b2g: 1.3? → 1.3T+
Updated•10 years ago (Assignee)
Attachment #8392774 - Attachment is obsolete: true
Comment 14•10 years ago (Assignee)
Comment 15•10 years ago
Hi Shawn, it will be great if you can update the status again. Thanks.
Flags: needinfo?(shuang)
Comment 16•10 years ago
Hi Joe,

(In reply to Joe Cheng [:jcheng] from comment #15)
> hi Shawn, will be great if you can update the status again thanks

We've already had an r+ and a+ patch. Please see comment 14. I thought we didn't need to mark "checkin-needed", so I told Shawn to just wait for the sheriffs to take care of it. Maybe I was wrong?
Flags: needinfo?(shuang) → needinfo?(jcheng)
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 18•10 years ago
Clearing Joe's ni since the patch has landed on 1.3T.
Flags: needinfo?(jcheng)
Comment 19•10 years ago
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #12)
> There is no patch for central, due to refactor in Bug 979370, which fix
> multi-thread access problem.

Per above, marking status-b2g-v1.4 and 1.5 as unaffected here since 979370 had landed when 1.4 gecko30->central.
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected