Closed Bug 984092 Opened 10 years ago Closed 10 years ago

[Tarako] monkey test crash at libxul.so!mozilla::ipc::RawDBusConnection::SendWithReply(void (*)(DBusMessage*, void*), void*, int, DBusMessage*) [RawDBusConnection.cpp : 246 + 0x0]

Categories

(Firefox OS Graveyard :: Bluetooth, defect)

ARM
Gonk (Firefox OS)
defect
Not set
critical

Tracking

(blocking-b2g:1.3T+, b2g-v1.3 affected, b2g-v1.3T fixed, b2g-v1.4 unaffected, b2g-v2.0 unaffected)

RESOLVED FIXED
blocking-b2g 1.3T+
Tracking Status
b2g-v1.3 --- affected
b2g-v1.3T --- fixed
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected

People

(Reporter: james.zhang, Assigned: shawnjohnjr)

Details

(Keywords: crash)

Attachments

(2 files, 3 obsolete files)

Operating system: Android
                  0.0.0 Linux 3.0.8+ #1 PREEMPT Sat Mar 15 03:22:11 CST 2014 armv7l Spreadtrum/sp6821a_gonk/sp6821a_gonk:4.0.4.0.4.0.4/OPENMASTER/171:userdebug/test-keys
CPU: arm
     0 CPUs

Crash reason:  SIGSEGV
Crash address: 0x8

Thread 0 (crashed)
 0  libxul.so!mozilla::ipc::RawDBusConnection::SendWithReply(void (*)(DBusMessage*, void*), void*, int, DBusMessage*) [RawDBusConnection.cpp : 246 + 0x0]
     r4 = 0x00000000    r5 = 0x0000c350    r6 = 0x45268460    r7 = 0x413a2ea9
     r8 = 0x00000000    r9 = 0x4492bd7c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbeca9e38    lr = 0x40fbd7ed    pc = 0x40fbd744
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::ipc::RawDBusConnection::SendWithReply(void (*)(DBusMessage*, void*), void*, int, char const*, char const*, char const*, int, ...) [RawDBusConnection.cpp : 281 + 0xd]
     r4 = 0x00000000    r5 = 0x0000c350    r6 = 0x45268460    r7 = 0x413a2ea9
     r8 = 0x00000000    r9 = 0x4492bd7c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbeca9e58    pc = 0x40fbd7ed
    Found by: call frame info
 2  libxul.so!mozilla::dom::bluetooth::BluetoothDBusService::CreatePairedDeviceInternal(nsAString_internal const&, int, mozilla::dom::bluetooth::BluetoothReplyRunnable*) [BluetoothDBusService.cpp : 2500 + 0x3b]
     r4 = 0x00000000    r5 = 0xbeca9eac    r6 = 0x0000c350    r7 = 0x45268460
     r8 = 0x00000000    r9 = 0x4492bd7c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbeca9e80    pc = 0x413a2e43
    Found by: call frame info
 3  libxul.so!mozilla::dom::bluetooth::BluetoothRequestParent::DoRequest(mozilla::dom::bluetooth::PairRequest const&) [BluetoothParent.cpp : 366 + 0x9]
     r4 = 0x413a2db5    r5 = 0x00000000    r6 = 0xbeca9fa4    r7 = 0x00000001
     r8 = 0xbecaa020    r9 = 0x4492bd7c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbeca9f88    pc = 0x4139acf1
    Found by: call frame info
 4  libxul.so!mozilla::dom::bluetooth::BluetoothParent::RecvPBluetoothRequestConstructor(mozilla::dom::bluetooth::PBluetoothRequestParent*, mozilla::dom::bluetooth::Request const&) [BluetoothParent.cpp : 195 + 0x3]
     r4 = 0x4492bd60    r5 = 0x00000000    r6 = 0xbeca9fa4    r7 = 0x00000001
     r8 = 0xbecaa020    r9 = 0x4492bd7c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbeca9f90    pc = 0x4139ae73
    Found by: call frame info
 5  libxul.so!mozilla::dom::bluetooth::PBluetoothParent::OnMessageReceived(IPC::Message const&) [PBluetoothParent.cpp : 413 + 0x7]
     r4 = 0x4492bd60    r5 = 0x00000000    r6 = 0xbeca9fa4    r7 = 0x00000001
     r8 = 0xbecaa020    r9 = 0x4492bd7c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbeca9f98    pc = 0x40f3d639
    Found by: call frame info
 6  libxul.so!mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) [PContentParent.cpp : 1993 + 0x7]
     r4 = 0x46c74400    r5 = 0xbecaa6ec    r6 = 0xbecaa710    r7 = 0x4683a0b0
     r8 = 0x42454b14    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa050    pc = 0x40f566b9
    Found by: call frame info
 7  libxul.so!mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) [MessageChannel.cpp : 1126 + 0x5]
     r4 = 0x46c74430    r5 = 0xbecaa6ec    r6 = 0xbecaa710    r7 = 0x4683a0b0
     r8 = 0x4683a0b0    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa6c8    pc = 0x40f208f7
    Found by: call frame info
 8  libxul.so!mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) [MessageChannel.cpp : 1044 + 0x3]
     r4 = 0x00000001    r5 = 0xbecaa6ec    r6 = 0xbecaa710    r7 = 0x4683a0b0
     r8 = 0x4683a0b0    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa6e0    pc = 0x40f2244f
    Found by: call frame info
 9  libxul.so!mozilla::ipc::MessageChannel::OnMaybeDequeueOne() [MessageChannel.cpp : 1027 + 0x3]
     r4 = 0x00000001    r5 = 0xbecaa6ec    r6 = 0xbecaa710    r7 = 0x4683a0b0
     r8 = 0x4683a0b0    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa6e8    pc = 0x40f224e7
    Found by: call frame info
10  libxul.so!RunnableMethod<WebCore::ReverbConvolver, void (WebCore::ReverbConvolver::*)(), Tuple0>::Run() [tuple.h : 383 + 0x5]
     r4 = 0x4044c0c0    r5 = 0x440448a0    r6 = 0xbecaa768    r7 = 0x4044c0cc
     r8 = 0xbecaa760    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa730    pc = 0x40f205c7
    Found by: call frame info
11  libxul.so!mozilla::ipc::MessageChannel::DequeueTask::Run() [MessageChannel.h : 371 + 0x9]
     r4 = 0x4044c0c0    r5 = 0x440448a0    r6 = 0xbecaa768    r7 = 0x4044c0cc
     r8 = 0xbecaa760    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa738    pc = 0x40f20509
    Found by: call frame info
12  libxul.so!MessageLoop::RunTask(Task*) [message_loop.cc : 340 + 0x5]
     r4 = 0x4044c0c0    r5 = 0x440448a0    r6 = 0xbecaa768    r7 = 0x4044c0cc
     r8 = 0xbecaa760    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa740    pc = 0x40f19af5
    Found by: call frame info
13  libxul.so!MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) [message_loop.cc : 348 + 0x5]
     r4 = 0x00000001    r5 = 0xbecaa758    r6 = 0xbecaa768    r7 = 0x4044c0cc
     r8 = 0xbecaa760    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa750    pc = 0x40f1a85f
    Found by: call frame info
14  libxul.so!MessageLoop::DoWork() [message_loop.cc : 448 + 0x7]
     r4 = 0x4044c0c0    r5 = 0xbecaa758    r6 = 0xbecaa768    r7 = 0x4044c0cc
     r8 = 0xbecaa760    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa758    pc = 0x40f1b41d
    Found by: call frame info
15  libxul.so!mozilla::ipc::DoWorkRunnable::Run() [MessagePump.cpp : 45 + 0x7]
     r4 = 0x4044c0c0    r5 = 0x00000001    r6 = 0x00000001    r7 = 0x00000001
     r8 = 0xbecaa7df    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa788    pc = 0x40f239c9
    Found by: call frame info
16  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 612 + 0x5]
     r4 = 0x4041c460    r5 = 0x00000000    r6 = 0x00000001    r7 = 0x00000001
     r8 = 0xbecaa7df    r9 = 0x4041c48c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa798    pc = 0x40df82b5
    Found by: call frame info
17  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
     r4 = 0x00000001    r5 = 0x4044c0c0    r6 = 0x40402b60    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xbecaa96c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa7d8    pc = 0x40dcb041
    Found by: call frame info
18  libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 124 + 0x7]
     r4 = 0x40402b50    r5 = 0x4044c0c0    r6 = 0x40402b60    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xbecaa96c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa7e8    pc = 0x40f23b65
    Found by: call frame info
19  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 222 + 0x5]
     r4 = 0x4044c0c0    r5 = 0x433c1fa0    r6 = 0x4041c460    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xbecaa96c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa810    pc = 0x40f19ab9
    Found by: call frame info
20  libxul.so!MessageLoop::Run() [message_loop.cc : 215 + 0x5]
     r4 = 0x4044c0c0    r5 = 0x433c1fa0    r6 = 0x4041c460    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xbecaa96c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa818    pc = 0x40f19b37
    Found by: call frame info
21  libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp : 161 + 0x7]
     r4 = 0x00000000    r5 = 0x433c1fa0    r6 = 0x4041c460    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xbecaa96c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa830    pc = 0x412dc8ed
    Found by: call frame info
22  libxul.so!nsAppStartup::Run() [nsAppStartup.cpp : 276 + 0x5]
     r4 = 0x4334bc40    r5 = 0x40de1f35    r6 = 0xbecaab05    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xbecaa96c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa840    pc = 0x41908731
    Found by: call frame info
23  libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp : 4059 + 0x5]
     r4 = 0xbecaaa14    r5 = 0x40de1f35    r6 = 0xbecaab05    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xbecaa96c   r10 = 0xbecaa978    fp = 0x00000000
     sp = 0xbecaa848    pc = 0x418e0d79
    Found by: call frame info
24  libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*) [nsAppRunner.cpp : 4127 + 0x5]
     r4 = 0xbecaaa14    r5 = 0xbecaa9ee    r6 = 0x00000000    r7 = 0x00021178
     r8 = 0x40438000    r9 = 0x4043c000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbecaa9e8    pc = 0x418e374b
    Found by: call frame info
25  libxul.so!XRE_main [nsAppRunner.cpp : 4337 + 0x3]
     r4 = 0x00021178    r5 = 0xbecacbf4    r6 = 0x00000001    r7 = 0x00000000
     r8 = 0xbecaaa14    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbecaaa10    pc = 0x418e38b5
    Found by: call frame info
26  b2g!main [nsBrowserApp.cpp : 163 + 0xf]
     r4 = 0x418e3869    r5 = 0x00000000    r6 = 0x00000001    r7 = 0xbecacbf4
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbecaab20    pc = 0x000098ef
    Found by: call frame info
27  libc.so!__libc_init [libc_init_dynamic.c : 114 + 0x7]
     r4 = 0x00009664    r5 = 0xbecacbf4    r6 = 0x00000001    r7 = 0xbecacbfc
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbecacbd8    pc = 0x40107a57
    Found by: call frame info
28  0xb0001dc5
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbecacbf0    pc = 0xb0001dc7
    Found by: call frame info
29  b2g!MOZ_PNG_get_cHRM [pngget.c : 514 + 0xf]
     sp = 0xbecacc4c    pc = 0x0000b8d7
    Found by: stack scanning
30  b2g + 0x32
     r4 = 0x00000006    r5 = 0x00001000    r6 = 0x00000011    r7 = 0x00000064
     r8 = 0x00000003    sp = 0xbecacc64    pc = 0x00008034
    Found by: call frame info
blocking-b2g: --- → 1.3T?
We shall add guard protection for all dbus 'internal' functions. Otherwise, this patch can be seen a lot.
Assignee: nobody → shuang
I expect this patch will land on the morning of 3/18. Thanks for reporting.
Severity: major → critical
Keywords: crash
This patch should be landed on v1.3t.

Bug 950891 - Don't run GetServiceChannel while turning Bluetooth on/off. r=echou, a=1.3+

This patch adds a check to BluetoothDBusService::GetServiceChannel to
ensure that Bluetooth is ready. If the system is in a transition from
on to off, or vice versa, the method might operate on an undefined
state.
(In reply to James Zhang from comment #4)
> This patch should be landed on v1.3t.
> 
> Bug 950891 - Don't run GetServiceChannel while turning Bluetooth on/off.
> r=echou, a=1.3+
> 
> This patch adds a check to BluetoothDBusService::GetServiceChannel to
> ensure that Bluetooth is ready. If the system is in a transition from
> on to off, or vice versa, the method might operate on an undefined
> state.
This bug is a different but similar problem. Bug 950891 is related to GetServiceChannel; bug 984092 is related to CreatePairedDeviceInternal.
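The dump above is consistent with a null-pointer dereference: frame 0 faults at address 0x8 with r4 == 0, i.e. a field at offset 8 read through a null object, which is what happens when the D-Bus connection has already been torn down (or not yet created) while a pair request arrives mid-toggle. The following is an added example, not Gecko code, that models that race and the readiness guard the 1.3 patch adds, together with the triage rule for reading such a fault address. All names (FakeDBusConnection, BtAdapter, NullDerefOffset, the field layout) are assumptions; the null dereference is simulated, not executed, so the block can run.

```cpp
// Added example (not Gecko code): a single-threaded model of the race in
// this bug, of the readiness guard the 1.3 patch adds, and of the triage
// rule "fault address below one page with base register zero => null
// dereference of a field at that offset". All names are assumptions.
#include <cstddef>
#include <cstdint>
#include <string>

// Stand-in for the libdbus handle wrapped by the real RawDBusConnection.
struct FakeDBusConnection {
  uint32_t refcount;      // offset 0
  uint32_t serial;        // offset 4
  uint32_t pendingCalls;  // offset 8: touching this via a null 'this' faults at 0x8
};

// Minidump triage helper. Returns the field offset if the fault looks like a
// null-pointer dereference (crash address within the first page and the base
// register zero), otherwise -1.
long NullDerefOffset(uintptr_t crashAddr, uintptr_t baseReg, uintptr_t pageSize = 4096) {
  if (baseReg != 0 || crashAddr >= pageSize) return -1;
  return static_cast<long>(crashAddr);
}

enum class BtState { Off, TurningOn, On, TurningOff };

// Models BluetoothDBusService: the connection exists only while the adapter
// is fully On, so it is null for the whole of both transitions.
class BtAdapter {
 public:
  void SetState(BtState aState) {
    mState = aState;
    mConn = (aState == BtState::On) ? &mStorage : nullptr;
  }
  BtState State() const { return mState; }
  bool IsReady() const { return mState == BtState::On && mConn != nullptr; }

  // Pre-patch shape of CreatePairedDeviceInternal: straight into the D-Bus
  // layer with no readiness check.
  bool CreatePairedDeviceUnguarded(const std::string& aAddr, std::string& aError) {
    return SendWithReply(aAddr, aError);
  }

  // Post-patch shape: refuse with an error reply unless the adapter is On.
  bool CreatePairedDeviceGuarded(const std::string& aAddr, std::string& aError) {
    if (!IsReady()) {
      aError = "Bluetooth adapter not ready";
      return false;
    }
    return SendWithReply(aAddr, aError);
  }

  // Number of D-Bus calls actually issued (to observe the guard's effect).
  uint32_t PendingCalls() const { return mStorage.pendingCalls; }

 private:
  // Models RawDBusConnection::SendWithReply. In the real code a null mConn is
  // dereferenced here (SIGSEGV at 0x8); this model reports it instead.
  bool SendWithReply(const std::string& aAddr, std::string& aError) {
    if (mConn == nullptr) {
      aError = "SIMULATED SIGSEGV: null connection, field offset " +
               std::to_string(offsetof(FakeDBusConnection, pendingCalls));
      return false;
    }
    if (aAddr.empty()) {
      aError = "empty address";
      return false;
    }
    ++mConn->pendingCalls;
    return true;
  }

  BtState mState = BtState::Off;
  FakeDBusConnection mStorage{};
  FakeDBusConnection* mConn = nullptr;
};

// Replays the monkey-test scenario: a pair request that arrives while the
// adapter is turning off. Returns true when the guarded path refuses cleanly
// where the unguarded path would have faulted.
bool ReplayMonkeyTest(BtAdapter& adapter) {
  const std::string addr = "00:11:22:33:44:55";  // constructed sample address
  std::string err;
  adapter.SetState(BtState::On);
  bool okWhenOn = adapter.CreatePairedDeviceGuarded(addr, err);
  adapter.SetState(BtState::TurningOff);
  bool unguardedFaulted = !adapter.CreatePairedDeviceUnguarded(addr, err) &&
                          err.rfind("SIMULATED SIGSEGV", 0) == 0;
  bool guardedRefused = !adapter.CreatePairedDeviceGuarded(addr, err) &&
                        err == "Bluetooth adapter not ready";
  return okWhenOn && unguardedFaulted && guardedRefused;
}

int main() {
  BtAdapter adapter;
  return ReplayMonkeyTest(adapter) ? 0 : 1;
}
```

The guard belongs at every entry point that reaches the D-Bus layer, not just CreatePairedDeviceInternal, since any IPC request dispatched on the main thread can land in the same window; the model keeps the check in the caller because that is where the real patch puts it, and a state check alone is only sound while the toggling and the request run on the same thread, which is the assumption the 1.3 code relies on.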
Comment on attachment 8392670 [details] [diff] [review]
Bug 984092: Don't run internal functions while turning Bluetooth on/off

Review of attachment 8392670 [details] [diff] [review]:
-----------------------------------------------------------------

Hi Shawn,

The solution looks fine to me. r- because the patch is based on current m-c; however, this bug should only happen on pre-1.4 branches. Please rebase on 1.3, then send your patch again. Thanks.
Attachment #8392670 - Flags: review?(echou) → review-
blocking-b2g: 1.3T? → 1.3T+
Attachment #8392696 - Attachment description: Bug 984092: Don't run internal functions while turning Bluetooth on/off → Bug 984092: (v1.3only) Don't run internal functions while turning Bluetooth on/off
Comment on attachment 8392696 [details] [diff] [review]
Bug 984092: (v1.3only) Don't run internal functions while turning  Bluetooth on/off

Review of attachment 8392696 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.
Attachment #8392696 - Flags: review?(echou) → review+
Attachment #8392774 - Attachment description: Bug 984092: Don't run internal functions while turning Bluetooth on/off, r=echou → Bug 984092: Don't run internal functions while turning Bluetooth on/off, r=echou (v1.3)
This bug is a 1.3 problem, not a 1.3T-specific one. Changing the flag to 1.3? for a stability fix.
blocking-b2g: 1.3T+ → 1.3?
There is no patch for central, due to the refactor in Bug 979370, which fixes the multi-thread access problem.
Comment on attachment 8392774 [details] [diff] [review]
Bug 984092: Don't run internal functions while turning Bluetooth on/off, r=echou (v1.3)

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #):
  None
User impact if declined:
  b2g crashes if the user toggles BT on/off rapidly while at the same time pairing with a Bluetooth remote device.
Testing completed:
  - Verified rapid BT on/off toggles on .
Risk to taking this patch (and alternatives if risky):
  - This only adds protection to check the Bluetooth on/off state; I don't see any risk here.
blocking-b2g: 1.3? → 1.3T+
Hi Shawn, it would be great if you can update the status again. Thanks.
Flags: needinfo?(shuang)
Hi Joe,

(In reply to Joe Cheng [:jcheng] from comment #15)
> hi Shawn, will be great if you can update the status again thanks

We've already had an r+ and a+ patch. Please see comment 14. I thought we didn't need to mark "checkin-needed", so I told Shawn to just wait for the sheriffs to take care of it. Maybe I was wrong?
Flags: needinfo?(shuang) → needinfo?(jcheng)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Clear Joe's ni since the patch has landed on 1.3T.
Flags: needinfo?(jcheng)
(In reply to Shawn Huang [:shuang] [:shawnjohnjr] from comment #12)
> There is no patch for central, due to refactor in Bug 979370, which fix
> multi-thread access problem.

Per the above, marking status-b2g-v1.4 and 1.5 as unaffected here, since bug 979370 had landed when 1.4 was gecko30->central.