Closed Bug 1017504 Opened 11 years ago Closed 11 years ago

[Sora][FOTA] after FOTA updates,the system crash

Categories

(Firefox OS Graveyard :: Vendcom, defect, P1)

Tracking

(blocking-b2g:1.3+)

RESOLVED FIXED

People

(Reporter: sync-1, Unassigned)

Details

(Keywords: crash, Whiteboard: [b2g-crash][cert][POVB])

Attachments

(15 files)

Firefox OS v1.3
AU_LINUX_GECKO_B2G_JB_3.2.01.03.00.112.301
Mozilla build ID: 20140422024003

DEFECT DESCRIPTION:
After FOTA updates, the system crashes.

REPRODUCING PROCEDURES:
1. Download SW 12C+ZZ10, write CU:4019X-2CALEU0, check the updates and download the diff package.
2. Install the diff package. After install, the device asks whether to send crash reports to Mozilla, and there is no update message in the status bar to tell us the upgrade is successful.--KO

CHINESE DESCRIPTION (translated):
1. Download SW12C+ZZ10, write CU:4019X-2CALEU0, go into system updates and download the diff package;
2. After installing the diff package and rebooting the phone, it asks whether you want to send crash reports to Mozilla, and there is no upgrade-success message in the status bar.--KO

EXPECTED BEHAVIOUR:
After system updates, the system should not crash.

tel:021-51790200-7559
reproducing rate: 60%

ASSOCIATE SPECIFICATION:
TEST PLAN REFERENCE:
TOOLS AND PLATFORMS USED:
USER IMPACT:
REPRODUCING RATE:
For FT PR, Please list reference mobile's behavior:
Component: Gaia::System → IPC
Keywords: crash
Product: Firefox OS → Core
Whiteboard: [b2g-crash]
Crash Signature: [@ MessageLoop::RunTask(Task*)]
blocking-b2g: --- → 1.3?
Priority: P2 → P1
blocking-b2g: 1.3? → 1.3+
Whiteboard: [b2g-crash] → [b2g-crash][cert]
Andrew, Please review and reassign
Flags: needinfo?(overholt)
Whiteboard: [b2g-crash][cert] → [b2g-crash]
Whiteboard: [b2g-crash] → [b2g-crash][cert]
Dave/Ben, any thoughts?
Flags: needinfo?(dhylands)
Flags: needinfo?(bent.mozilla)
Assuming this is using v1.3 (the filenames in the report don't line up to anything easily identifiable)? If so, we're here:

http://mxr.mozilla.org/mozilla-b2g28_v1_3/source/ipc/chromium/src/base/message_loop.cc#340

The crash address is not 0, so I'm going to guess that we're trying to run a Task that has already been deleted. Crash-stats shows we have an extremely small number of crashes with this signature so I'm inclined to think that some local modification has caused this.
Flags: needinfo?(bent.mozilla)
I took a look at the crash. Both of the reports from comment 1 are caused by a segmentation fault on address 0x6567617a

I think it's crashing while trying to dereference the this pointer, and 0x6567617a isn't a valid value for a this pointer (since it's not 4 byte aligned).

Maybe coincidental, but 0x6567617a is made up entirely of ASCII characters, which would look like "zage" in memory. So it's quite probable that we've got a memory trample.

I don't have a Sora device, so I probably can't do much more investigation.

To investigate further, I think we'd need to flash Sora device with the image in question, and have the exact update which is causing the problem.

What type of update was this? Were files replaced? Or patched? If the files were patched, and a non-matching base file was patched, then I wouldn't be surprised by a crash.
Flags: needinfo?(dhylands)
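
The two checks applied to the fault address in the comment above (4-byte alignment, and whether the bytes as laid out in little-endian memory are printable ASCII) can be scripted for triaging a batch of crash reports. The sketch below is an added example, not part of the bug thread or of Mozilla's crash tooling; the function names, the 0x1000 near-NULL threshold, the three-byte minimum and the sample report lines are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

NULL_PAGE_LIMIT = 0x1000  # assumption: anything below 4 KiB counts as a NULL deref
MIN_TEXT_BYTES = 3        # assumption: fewer printable bytes is too weak a signal


@dataclass
class AddressTriage:
    address: int
    aligned: bool
    memory_bytes: bytes   # the value as it would sit in memory
    text: Optional[str]   # decoded characters when the bytes look like string data
    verdict: str


def triage_fault_address(address: int, pointer_size: int = 4,
                         byteorder: str = "little",
                         alignment: int = 4) -> AddressTriage:
    """Classify a faulting address the way the comment does by hand."""
    if not 0 <= address < (1 << (8 * pointer_size)):
        raise ValueError("address does not fit in %d bytes" % pointer_size)

    raw = address.to_bytes(pointer_size, byteorder)
    aligned = address % alignment == 0

    # The tail of a C string is printable characters followed by NUL bytes,
    # so strip trailing NULs (in memory order) before testing for text.
    body = raw.rstrip(b"\x00")
    is_text = (len(body) >= MIN_TEXT_BYTES
               and all(0x20 <= b <= 0x7E for b in body))
    text = body.decode("ascii") if is_text else None

    if address < NULL_PAGE_LIMIT:
        verdict = "null-dereference"
    elif is_text:
        verdict = "looks-like-string-data"   # candidate memory trample
    elif not aligned:
        verdict = "misaligned-pointer"
    else:
        verdict = "plausible-pointer"
    return AddressTriage(address, aligned, raw, text, verdict)


ADDRESS_RE = re.compile(r"address\s+(0x[0-9a-fA-F]{1,8})\b")


def scan_report(report: str) -> List[AddressTriage]:
    """Triage every 'address 0x...' value found in a crash report text."""
    return [triage_fault_address(int(m.group(1), 16))
            for m in ADDRESS_RE.finditer(report)]


# Constructed sample lines; only 0x6567617a is taken from this bug.
SAMPLE_REPORT = """\
pid 412 (b2g): segmentation fault on address 0x6567617a
pid 498 (Communications): segmentation fault on address 0x00000000
pid 511 (Homescreen): segmentation fault on address 0x45441022
"""

if __name__ == "__main__":
    for result in scan_report(SAMPLE_REPORT):
        print("0x%08x aligned=%-5s bytes=%r text=%r -> %s" % (
            result.address, result.aligned, result.memory_bytes,
            result.text, result.verdict))
```

A string-like verdict is only a hint: four random bytes are all printable roughly 2% of the time, so it narrows where to look rather than proving an overwrite.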
Please help out with answers to Dave's questions in comment 9, Baijian.
Flags: needinfo?(overholt) → needinfo?(baijian)
And I guess that you should also do a comparison.

You have a device with image A that you want to update to image B.

And you have some update which takes you from A to B.

It isn't clear to me exactly when you're seeing the crash. I've been assuming that you see the crash after booting up with A + update applied. Do you also see the crash when you flash B directly?

If you don't see the crash when B is flashed directly, then you should pull the files from the phone after flashing with A and applying the update and identify what's different from applying B directly.
Sorry for delay.

I used google OTA update, and upgrade the images: boot.img, system.img, recovery.img, modem(firmware), custpack.img(gaia:apps) and so on. The base files is the same as files in phone before update. There is the recovery log:

(In reply to Dave Hylands [:dhylands] from comment #9)
> I took a look at the crash. Both of the reports from comment 1 are caused by
> a segmentation fault on address 0x6567617a
>
> I think it's crashing while trying to dereference the this pointer, and
> 0x6567617a isn't a valid value for a this pointer (since its not 4 byte
> aligned).
>
> Maybe conincidental, but 0x6567617a is made up entirely of ASCII characters,
> which would look like "zage" in memory. So it's quite probable that we've
> got a memory trample.
>
> I don't have a Sora device, so I probably can't do much more investigation.
>
> To investigate further, I think we'd need to flash Sora device with the
> image in question, and have the exact update which is causing the problem.
>
> What type of update was this? Were files replaced? Or patched? If the files
> were patched, and an non-matching base file was patched, then I wouldn't be
> surprised by a crash.
Flags: needinfo?(baijian)
I will do a comparison. The crash happened after booting up with A + update applied first time. Applying B directly, there is no crash.

(In reply to Dave Hylands [:dhylands] from comment #11)
> And I guess that you should also do a comparison.
>
> You have a device with image A that you want to update to image B.
>
> And you have some update which takes you from A to B.
>
> It isn't clear to me exactly when you're seeing the crash. I've been
> assuming that you see the crash after booting up with A + update applied. Do
> you also see the crash when you flash B directly?
>
> If you don't see the crash when B is flashed directly, then you should pull
> the files from the phone after flashing with A and applying the update and
> identify what's different from applying B directly.
Hi

I had a test:
http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#58
change "let runUpdate = AppsUtils.isFirstRun(Services.prefs)" to "let runUpdate = true". Then every time on boot-up, there will be a crash:
https://crash-stats.mozilla.com/report/index/da9ad316-a242-437d-87ad-0927a2140529

Are those two crashes related?

Thanks
Assignee: nobody → dhylands
I built 1.3 for my hamachi, and I observed a crash at the end of FTU. It was a segfault on address 0. So this may be the same crash. I'll dig into this further on Monday (I just thought I'd update where I got to today).

The crash I ran into has nothing to do with updates. It happened on the first run after flashing.
Well it only seems to have happened once for. So far, all further attempts to reproduce have failed. Looking at comment 12, it appears that the update was applied fine, and that the problem is a bug with the updated version of SW.
OK - I got something reproducible. The secret seems to be to get the "First Time User" app to run.

For me, on my hamachi, the crash I'm seeing is at the very end of the FTU run, just after you hit "Skip".

BrowserElementChildPreload.js's _takeScreenShot function winds up calling ctx.scale which eventually tries to call dlopen on /system/lib/egl/libGLES_android.so

That's the last place I get anything sensible from the debugger.

I've been doing:
> PRODUCTION=1 make -C gaia reset-gaia
which will clean things up so that the FTU app runs. I then just click Next through the FTU app, and after pressing Skip, I get the crash (in the Communications app, which is where FTU is).

Here's the backtrace just before calling dlopen:

(gdb) break Loader.cpp:278
Breakpoint 1 at 0x4005ca04: file frameworks/base/opengl/libs/EGL/Loader.cpp, line 278.
(gdb) c
Continuing.

Breakpoint 1, android::Loader::load_driver (this=0x45441020, kind=0x400625e6 "GLES", tag=0x45441370 "android", cnx=0x40068d10, mask=7) at frameworks/base/opengl/libs/EGL/Loader.cpp:278
278 void* dso = dlopen(driver_absolute_path, RTLD_NOW | RTLD_LOCAL);
(gdb) bt
#0 android::Loader::load_driver (this=0x45441020, kind=0x400625e6 "GLES", tag=0x45441370 "android", cnx=0x40068d10, mask=7) at frameworks/base/opengl/libs/EGL/Loader.cpp:278
#1 0x4005cb3c in android::Loader::open (this=0x45441020, display=<value optimized out>, impl=<value optimized out>, cnx=0x40068d10) at frameworks/base/opengl/libs/EGL/Loader.cpp:188
#2 0x4004f43a in egl_init_drivers_locked () at frameworks/base/opengl/libs/EGL/egl.cpp:261
#3 android::egl_init_drivers () at frameworks/base/opengl/libs/EGL/egl.cpp:289
#4 0x4005161e in eglGetDisplay (display=0x0) at frameworks/base/opengl/libs/EGL/eglApi.cpp:138
#5 0x40be56c0 in mozilla::gl::GLLibraryEGL::fGetDisplay (this=0x42afeb94) at /home/work/B2G-hamachi-1.3/gecko/gfx/gl/GLLibraryEGL.h:139
#6 mozilla::gl::GLLibraryEGL::EnsureInitialized (this=0x42afeb94) at /home/work/B2G-hamachi-1.3/gecko/gfx/gl/GLLibraryEGL.cpp:198
#7 0x40be1a6c in mozilla::gl::GLContextProviderEGL::CreateOffscreen (size=..., caps=..., flags=mozilla::gl::ContextFlagsNone) at /home/work/B2G-hamachi-1.3/gecko/gfx/gl/GLContextProviderEGL.cpp:904
#8 0x412a25d8 in mozilla::dom::CanvasRenderingContext2D::EnsureTarget (this=0x441eb800) at /home/work/B2G-hamachi-1.3/gecko/content/canvas/src/CanvasRenderingContext2D.cpp:910
#9 0x412a3194 in mozilla::dom::CanvasRenderingContext2D::TransformWillUpdate (this=0x7) at /home/work/B2G-hamachi-1.3/gecko/content/canvas/src/CanvasRenderingContext2D.cpp:2074
#10 0x412a33f6 in mozilla::dom::CanvasRenderingContext2D::Scale (this=0x7, x=-6.2943654484115541e-06, y=1, error=...) at /home/work/B2G-hamachi-1.3/gecko/content/canvas/src/CanvasRenderingContext2D.cpp:1207
#11 0x40cc84ee in scale (cx=0x4045e4a0, obj=<value optimized out>, self=0x441eb800, args=...) at /home/work/B2G-hamachi-1.3/objdir-gecko-debug-userdebug/dom/bindings/CanvasRenderingContext2DBinding.cpp:882
#12 0x40cbc9f2 in genericMethod (cx=0x4045e4a0, argc=<value optimized out>, vp=<value optimized out>) at /home/work/B2G-hamachi-1.3/objdir-gecko-debug-userdebug/dom/bindings/CanvasRenderingContext2DBinding.cpp:4853
#13 0x41e89d90 in js::CallJSNative (cx=0x4045e4a0, native=0x40cbc939 <genericMethod>, args=...) at /home/work/B2G-hamachi-1.3/gecko/js/src/jscntxtinlines.h:220
#14 0x41e9d2e2 in js::Invoke (cx=0x4045e4a0, args=..., construct=js::NO_CONSTRUCT) at /home/work/B2G-hamachi-1.3/gecko/js/src/vm/Interpreter.cpp:463
#15 0x41e90ba0 in Interpret (cx=0x4045e4a0, state=<value optimized out>) at /home/work/B2G-hamachi-1.3/gecko/js/src/vm/Interpreter.cpp:2511
#16 0x41e9cbee in js::RunScript (cx=0x4045e4a0, state=...) at /home/work/B2G-hamachi-1.3/gecko/js/src/vm/Interpreter.cpp:420
#17 0x41e9d278 in js::Invoke (cx=0x4045e4a0, args=..., construct=js::NO_CONSTRUCT) at /home/work/B2G-hamachi-1.3/gecko/js/src/vm/Interpreter.cpp:482
#18 0x41e9dbde in js::Invoke (cx=0x4045e4a0, thisv=..., fval=..., argc=0, argv=0xbeda8a90, rval=...) at /home/work/B2G-hamachi-1.3/gecko/js/src/vm/Interpreter.cpp:519
#19 0x41d5e1b2 in JS_CallFunctionValue (cx=0x4045e4a0, objArg=<value optimized out>, fval=..., argc=0, argv=0xbeda8a90, rval=0xbeda8b40) at /home/work/B2G-hamachi-1.3/gecko/js/src/jsapi.cpp:5008
#20 0x40fd65e2 in nsXPCWrappedJSClass::CallMethod (this=0x45385d00, wrapper=<value optimized out>, methodIndex=<value optimized out>, info_=0x43e60dc0, nativeParams=0xbeda8cd8) at /home/work/B2G-hamachi-1.3/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:1413
#21 0x40fd2acc in nsXPCWrappedJS::CallMethod (this=0x448f7100, methodIndex=3, info=0x43e60dc0, params=0xbeda8cd8) at /home/work/B2G-hamachi-1.3/gecko/js/xpconnect/src/XPCWrappedJS.cpp:479
#22 0x4089bd4c in PrepareAndDispatch (self=<value optimized out>, methodIndex=<value optimized out>, args=<value optimized out>) at /home/work/B2G-hamachi-1.3/gecko/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#23 0x4089b384 in SharedStub () from /home/work/B2G-hamachi-1.3/objdir-gecko-debug-userdebug/dist/bin/libxul.so
#24 0x40866ac0 in Run (this=0x453695c0) at /home/work/B2G-hamachi-1.3/gecko/xpcom/base/nsMessageLoop.cpp:113
#25 0x40a37ce8 in MessageLoop::RunTask (this=0xbeda9894, task=0x453695c0) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:340
#26 0x40a37d2c in MessageLoop::ProcessNextDelayedNonNestableTask (this=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:238
#27 0x40a37d3c in MessageLoop::DoIdleWork (this=0xbeda8cd8) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:479
#28 0x40a46c52 in mozilla::ipc::MessagePump::Run (this=0x40402b20, aDelegate=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/glue/MessagePump.cpp:116
#29 0x40a46d98 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x40402b20, aDelegate=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/glue/MessagePump.cpp:250
#30 0x40a381f2 in MessageLoop::RunInternal (this=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:222
#31 0x40a3820a in MessageLoop::RunHandler (this=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:215
#32 MessageLoop::Run (this=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:189
#33 0x40f7e04a in nsBaseAppShell::Run (this=0x44163c40) at /home/work/B2G-hamachi-1.3/gecko/widget/xpwidgets/nsBaseAppShell.cpp:161
#34 0x41918e06 in XRE_RunAppShell () at /home/work/B2G-hamachi-1.3/gecko/toolkit/xre/nsEmbedFunctions.cpp:679
#35 0x40a46d02 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x40402b20, aDelegate=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/glue/MessagePump.cpp:217
#36 0x40a381f2 in MessageLoop::RunInternal (this=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:222
#37 0x40a3820a in MessageLoop::RunHandler (this=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:215
#38 MessageLoop::Run (this=0xbeda9894) at /home/work/B2G-hamachi-1.3/gecko/ipc/chromium/src/base/message_loop.cc:189
#39 0x419196b0 in XRE_InitChildProcess (aArgc=2, aArgv=0xbeda99b0, aProcess=1078209536) at /home/work/B2G-hamachi-1.3/gecko/toolkit/xre/nsEmbedFunctions.cpp:516
#40 0x00008894 in main (argc=7, argv=0xbeda9a34) at /home/work/B2G-hamachi-1.3/gecko/ipc/app/MozillaRuntimeMain.cpp:137
(gdb) print driver_absolute_path
$1 = "/system/lib/egl/libGLES_android.so\000\276\270fھ\260\344E@HgھH\232(D\001\344E@s0\336A\003\000\000\000\001\000\000\000\254\344E@hfھ\000\062(D\001gھ\254\344E@\240\344E@Q\000\000\000Hgھ,\241\231B\bgھ\fgھ\330mھ\030gھ\203s\336A%\276\324AQ", '\000' <repeats 11 times>"\300, hھ", '\000' <repeats 12 times>, "8gھ\334hھ@\254\212Bpsھ\345\377\377\377\340\344E@\001QaE\210gھ\214gھ\001\001\000\000\001gھ\315h\323@\001gھ\210gھ\320gھ\204hھ\270\227\231B\001\000\000\000\304\344E@0tھ\000\246*D\001\274\335A4eھ\000\000\000\000\000gھ\b\000\000\000\260mھ\260mھ\202\377\377\377\063\350\330A\001nھTg"...
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0xb0005496 in unwind_phase2_forced (ucbp=0x0, entry_vrs=<value optimized out>, resuming=12288) at /tmp/android-build-bb7e003d31d08f72cabc269a652912b7/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/unwind-arm.c:717
717 /tmp/android-build-bb7e003d31d08f72cabc269a652912b7/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/unwind-arm.c: No such file or directory.
 in /tmp/android-build-bb7e003d31d08f72cabc269a652912b7/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/unwind-arm.c
Oh yeah - this was running whatever the latest on v1.3 for hamachi

Unassigning myself and ni overholt to reassign to somebody in graphics...
Assignee: dhylands → nobody
Flags: needinfo?(overholt)
Is this code path even valid in a child process? I'm not familiar enough with the graphics stuff to know whether this code should even be expected to work in a child process (as I mentioned before, this all happens in the Communications app, NOT the main app).
Milan, can you fit this into the graphics team's work list?
Flags: needinfo?(overholt) → needinfo?(milan)
Flags: needinfo?(milan)
Hmm, part of the bug update stayed in my head. CC-d Kats, just in case this is related to the event issue he's looking at. Jeff, can you take a peek at comment 17/18 and shed some light for us?
Flags: needinfo?(jmuizelaar)
Doesn't appear related to anything I'm currently looking at.
So there doesn't look to be anything unusual going on here. We're just loading up the gl driver for our first use of it. Can you get more information about the actual crash?
(In reply to Jeff Muizelaar [:jrmuizel] from comment #23)
> So there doesn't look to be anything unusual going on here. We're just
> loading up the gl driver for our first use of it. Can you get more
> information about the actual crash?

I'm not sure what kind of more information you want?

Now I'm sooo confused.

If I run b2g under the debugger, then I get the weirdness where it's crashing while loading EGL. If I don't run it under the debugger, then it loads EGL fine, takes the snapshot and I see an assert:

Assertion failure: mHandleCreatedByOtherProcessWasUsed, at /home/work/B2G-hamachi-1.3/gecko/ipc/glue/FileDescriptor.cpp:69

I'll see if I can figure out anything else.
Yeah - adding some code and putting a breakpoint in FileDescriptor.cpp it still crashes while loading the EGL library, and even just attaching via the debugger and letting the program run with no breakpoints does the crash at library load time.

If I run the program not under the debugger, then it loads the EGL library fine, and does the extra prints and hits the assert in FileDescriptor.cpp

So it seems that the EGL library thing is just red-herring and some type of interaction between the debugger and the EGL library.
Hi, I tried it locally these days and found another crash. It may be related to this crash.
Flags: needinfo?(nobody)
Comment on attachment 8434616: crash reporter first boot up after fota upgrade
Attachment #8434616 - Flags: feedback+
Attachment #8434616 - Flags: approval-mozilla-release?
Attachment #8434616 - Flags: approval-mozilla-b2g28?
Comment on attachment 8434616: crash reporter first boot up after fota upgrade

These flags are not appropriate for a crash stack.
Attachment #8434616 - Flags: feedback+
Attachment #8434616 - Flags: approval-mozilla-release?
Attachment #8434616 - Flags: approval-mozilla-b2g28?
Please do it as soon as possible. Thanks
Flags: needinfo?(nobody)
Flags: needinfo?(jmuizelaar)
I suspect it's you that's being asked for more info here, Dave.
Flags: needinfo?(dhylands)
Reassigning back to me. I'm still investigating.
Assignee: nobody → dhylands
Flags: needinfo?(dhylands)
This is the only crash I've been able to get out of my hamachi. The callstack here doesn't look at all like the original one reported, so I'm going to open a new bug. I think I'll need a Sora phone, with the builds that are crashing, and instructions on creating those builds before I can proceed any further.
I filed bug 1023513 to cover the crash that I saw on my hamachi. It would be good if the reporter could try the patch in that bug and report back on whether it solves the problem in this bug.
Assignee: dhylands → nobody
Flags: needinfo?(sync-1)
Actually, it looks like bug 918595 is a better fix for the problem (I'll probably close 1023513 as invalid).

So it would be good to know if bug 918595 (which wasn't backported to 1.3) fixes this problem.
Attached file TabChild.cpp(Modified)
Our source code is based on AU_LINUX_GECKO_B2G_JB_3.2.01.03.00.112.301. The file (TabChild.cpp) is very different from the file modified by Bug 9918595. But we still added the patch into TabChild.cpp and had a try. The problem still exists.
It is crashed dump file

(In reply to jian.bai from comment #35)
> Created attachment 8438189 [details]
> TabChild.cpp(Modified)
>
> Our source code is based on AU_LINUX_GECKO_B2G_JB_3.2.01.03.00.112.301. The
> file(TabChild.cpp) is very difference from file modified by Bug 9918595. But
> we still added the patch into the TabChild.cpp and had a try. The problem is
> still exist.
Flags: needinfo?(nobody)
The crash address in the second example is 0x0070697e which looks like the end of an ASCII string "~iF" (might just be a coincidence).

I'm unable to reproduce anymore crashes on my Hamachi 1.3 phone, so before I can investigate this further I'll need to be able to build a copy of FirefoxOS for the Sora (i.e. I'll need a copy of the source actually used to build gecko and gaia which will be our tree plus whatever modifications the vendor made), and get a Sora phone with an appropriate image on it.
Hi

Because the file TabChild.cpp based on the patch of bug 918595 is different from our source code. This is our modified:
https://bugzilla.mozilla.org/attachment.cgi?id=8438837
Can you help us to review it? Thanks.
By the way, we found a strange phenomenon: we created a file (data/fota/result.txt) and wrote something into it when the fota upgrade is finished, but when the phone starts up, we found the file is missing. I'm sure we didn't delete the file.

Thanks

(In reply to Dave Hylands [:dhylands] from comment #37)
> The crash address in the second example is 0x0070697e which looks like the
> end of an ASCII string "~iF" (might just be a coincidence).
>
> I'm unable to reproduce anymore crashes on my Hamachi 1.3 phone, so before I
> can investigate this further I'll need to be able to build a copy of
> FirefoxOS for the Sora (i.e. I'll need a copy of the source actually used to
> build gecko and gaia which will be our tree plus whatever modifications the
> vendor made), and get a Sora phone with an appropriate image on it.
Hi Dave,

I'm sad to tell you that we couldn't provide the source code. But we can provide some files.

Jian Bai
TabChild.cpp: https://bug1017504.bugzilla.mozilla.org/attachment.cgi?id=8438189

(In reply to jian.bai from comment #38)
> Hi,
>
> Because the file TabChild.cpp based on the patch of bug 918595 is different from
> our source code. This is our modified version:
> https://bugzilla.mozilla.org/attachment.cgi?id=8438837. Can you help
> us to review it? Thanks.
> By the way, we found a strange phenomenon: we created a
> file (data/fota/result.txt) and wrote something into it when the fota upgrade
> finished, but when the phone started up, we found the file was missing. I am sure
> we didn't delete the file.
>
> Thanks
>
> (In reply to Dave Hylands [:dhylands] from comment #37)
> > The crash address in the second example is 0x0070697e which looks like the
> > end of an ASCII string "~iF" (might just be a coincidence).
> >
> > I'm unable to reproduce any more crashes on my Hamachi 1.3 phone, so before I
> > can investigate this further I'll need to be able to build a copy of
> > FirefoxOS for the Sora (i.e. I'll need a copy of the source actually used to
> > build gecko and gaia which will be our tree plus whatever modifications the
> > vendor made), and get a Sora phone with an appropriate image on it.
Attached patch TabChild diff
This is what I get as a diff between my b2g28_v1_3 branch and the attachment from comment 40.
(In reply to Andrew Overholt [:overholt] from comment #41)
> Created attachment 8440082 [details] [diff] [review]
> TabChild diff
>
> This is what I get as a diff between my b2g28_v1_3 branch and the attachment
> from comment 40.

I was going to say that's just the patch from bug 918595, but it must have been hand typed? Because it doesn't quite match.

For example, the for loop just has
for (...stuff..; ..stuff...; index)
but the real patch has index++

It isn't clear to me why the patch from bug 918595 wasn't just applied directly.

I was able to do the following:
> wget -O bug-918595.patch 'https://bugzilla.mozilla.org/attachment.cgi?id=8412884'
> patch -p1 < bug-918595.patch
and it applied cleanly:
> patching file dom/ipc/TabChild.cpp
> Hunk #1 succeeded at 1207 (offset 3 lines).

It would be good if the reporter could undo his patch, and apply the patch from bug 918995 using the above commands (from within the gecko directory).
Hi, I applied the patch and gave it a try. Another crash occurred.
Attached file logcat_log
This is the crash adb log. There is something:

06-11 15:36:12.399 I/Gecko ( 905):
06-11 15:36:12.399 I/Gecko ( 905): ###!!! [Child][MessageChannel::SendAndWait] Error: Channel error: cannot send/recv
06-11 15:36:12.399 I/Gecko ( 905):
06-11 15:36:12.399 I/Gecko ( 905): [Child 905] ###!!! ABORT: constructor for actor failed: file /local/code/soul3.5/soul3.5_0528/out/target/product/msm8610/obj/objdir-gecko/ipc/ipdl/PLayerTransactionChild.cpp, line 122
06-11 15:36:12.399 I/Gecko ( 905):
06-11 15:36:12.399 I/Gecko ( 905): ###!!! [Child][MessageChannel] Error: Channel error: cannot send/recv
06-11 15:36:12.399 I/Gecko ( 905):
Flags: needinfo?(sync-1)
Those messages are all from the parent after the child crashed.
Attached file downCrash00
After I downloaded the fota upgrade package a few times, I shut down the phone, and the crash occurred.
Attachment #8444181 - Flags: approval-mozilla-b2g28?
Comment on attachment 8444181 [details]
downCrash00

Please don't set approval flags on attachments that aren't patches.
Attachment #8444181 - Flags: approval-mozilla-b2g28?
(In reply to jian.bai from comment #46)
> Created attachment 8444181 [details]
> downCrash00
>
> After I downloaded the fota upgrade package a few times, I shut down the
> phone, and the crash occurred.

Is this a new crash? Can you please provide more information so we can take the right action?
Yes, it is a new crash. I didn't apply the TabChild diff. I just downloaded my fota upgrade package and deleted it a few times, then shut down, and the crash occurred.
Hi Bai Jian, per discussion, for this new crash issue please submit another Bug ID if you want Mozilla to help to check. As to the original crash mentioned in Comment#0, it is caused by your own patch and now has been solved. So let's close this issue and track the new crash in another one.
Status: NEW → RESOLVED
Closed: 11 years ago
Component: IPC → Vendcom
Product: Core → Firefox OS
Resolution: --- → FIXED
Whiteboard: [b2g-crash][cert] → [b2g-crash][cert][POVB]
Attached file This bug come back
Hi, after the last version, the rate is lower. But it still occurs.
The crash still occurs. Please help.
Flags: needinfo?(vchen)
(In reply to jian.bai from comment #53)
> Created attachment 8449920 [details]
> After I omitted our code. The crash is still.
>
> The crash still occurs. Please help.

This is a crash but it is totally different from the earlier crashes reported in this bug.
Please open a new bug.
A new bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1033966

(In reply to Dave Hylands [:dhylands] from comment #54)
> (In reply to jian.bai from comment #53)
> > Created attachment 8449920 [details]
> > After I omitted our code. The crash is still.
> >
> > The crash still occurs. Please help.
>
> This is a crash but it is totally different from the earlier crashes
> reported in this bug.
> Please open a new bug.
It has been fixed. Please close it