Issue #39

Sending a SMS sometimes crashes the modem

Added by Anonymous over 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: High
Category: Telephony and mobile data
Target version:
Start date: 02/04/2012
Due date:
% Done: 20%
Estimated time:
Resolution: fixed
Device: Nexus S (I902x)

Description

It seems that sometimes, sending an SMS crashes the modem (i.e. not any message after sending the SMS).

In the logs, it sends and dumps the SMS at libsamsung-ipc level, which is a good sign.

Perhaps the modem segfaults, due to incorrect size on the message we send with the RIL.

History

#1

Updated by Paul Kocialkowski over 8 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 20

Apparently, it's the RIL that crashes. I didn't see this happening on Galaxy S though. Main log when this happens:

I/DEBUG ( 131): * *
I/DEBUG ( 131): Build fingerprint: 'google/soju/crespo:2.3.4/GRJ22/121341:user/release-keys'
I/DEBUG ( 131): pid: 132, tid: 191 >>> /system/bin/rild <<<
I/DEBUG ( 131): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
I/DEBUG ( 131): r0 00000027 r1 deadbaad r2 a0000000 r3 00000000
I/DEBUG ( 131): r4 00000001 r5 00000000 r6 0001d3d8 r7 0000a000
I/DEBUG ( 131): r8 00000054 r9 0001d390 10 0001d458 fp 00000060
I/DEBUG ( 131): ip afd47668 sp 40108d58 lr afd19615 pc afd16104 cpsr 60000030
I/DEBUG ( 131): d0 444e455320435049 d1 20534d5320726574
I/DEBUG ( 131): d2 4620304420202020 d3 2045362044442044
I/DEBUG ( 131): d4 6d6d6f6320333578 d5 5f4350493d646e61
I/DEBUG ( 131): d6 444e45535f534d53 d7 7830282047534d5f
I/DEBUG ( 131): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 131): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 131): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 131): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 131): d16 0000000000000000 d17 0000000000000000
I/DEBUG ( 131): d18 0000000000000000 d19 0000000000000000
I/DEBUG ( 131): d20 0000000000000000 d21 0000000000000000
I/DEBUG ( 131): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 131): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 131): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 131): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 131): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 131): scr 00000000
I/DEBUG ( 131):

#2

Updated by Paul Kocialkowski over 8 years ago

On http://groups.google.com/group/android-ndk/browse_thread/thread/8d083a0ccebe0faa
Mike Edenfield says:

A fault address of deadbaad is a signal that your problem is a corrupt
memory heap.  The error's going to come from libc, but that's just
because libc's memory management routines are what ultimately triggered
the fault, not because libc itself is buggy.  The most likely cause is
somewhere in your code that you're calling free() or delete on something
you don't own, or have already released.  That's causing heap corruption
that breaks things later on down the road.

I'll investigate the code to see if there is a way this is what's happening.

#3

Updated by Paul Kocialkowski almost 8 years ago

It usually goes like this: RILJ asks to send the SMS and right after sending the IPC request, it fails:

D/RILJ    (  287): [2189]> SEND_SMS
D/RIL-SMS (   95): We have no SMSC, let's ask one
D/RIL-SMS (   95): Storing new SMS request in the queue at index 0
D/RIL-IPC (   95): ipc: crespo_ipc_fmt_client_send: SEND FMT!
D/RIL-IPC (   95): ipc: crespo_ipc_fmt_client_send: Request: mseq=0x07 command=IPC_SMS_SVC_CENTER_ADDR (0x040a) type=GET
D/RIL-IPC (   95): ipc: crespo_ipc_fmt_client_recv: RECV FMT!
D/RIL-IPC (   95): ipc: crespo_ipc_fmt_client_recv: Response: aseq=0x07 command=IPC_SMS_SVC_CENTER_ADDR (0x040a) type=RESP
D/RIL-IPC (   95): ipc: ==== FMT DATA DUMP ====
D/RIL-IPC (   95): ipc: [0000]   07 91 33 96 05 00 96 F5   FF FF FF FF               ..3..... ....
D/RIL-IPC (   95): ipc: =======================
D/RIL-SMS (   95): Completing the request
D/RIL-SMS (   95): Sending SMS message!
D/RIL-SMS (   95): data_len is 0x2c + 0x7 + 0x5 = 0x38
D/RIL-SMS (   95): PDU TP-DA Len is 0xb
E/RIL-SMS (   95): PDU TP-UDH Len failed (0xcc)
D/RIL-IPC (   95): ipc: crespo_ipc_fmt_client_send: SEND FMT!
D/RIL-IPC (   95): ipc: crespo_ipc_fmt_client_send: Request: mseq=0x07 command=IPC_SMS_SEND_MSG (0x0401) type=EXEC
D/RIL-IPC (   95): ipc: ==== FMT DATA DUMP ====
D/RIL-IPC (   95): ipc: [0000]   02 02 00 34 07 91 33 96   05 00 96 F5 01 00 0B 91   ...4..3. ........
D/RIL-IPC (   95): ipc: [3f36]   33 86 36 73 87 F0 00 00   23 CC 30 08 CE AE C3 C3   3.6s.... ..0.....
D/RIL-IPC (   95): ipc: [e9a8]   72 3A A8 1D 4E CF 41 EA   53 38 0D 92 A7 CB 6E 90   r...N.A. S8....n.
D/RIL-IPC (   95): ipc: [4fa6]   39 9C A6 83 C2 75 50 0C                             9....uP. 
D/RIL-IPC (   95): ipc: =======================
E/RILJ    (  287): Hit EOS reading message length

Android debugger gives the following info:

I/DEBUG   (   94): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
I/DEBUG   (   94):  r0 deadbaad  r1 00000001  r2 a0000000  r3 00000000
I/DEBUG   (   94):  r4 00000000  r5 00000027  r6 4011b2bc  r7 401294d4
I/DEBUG   (   94):  r8 01a3e218  r9 01a3e1e0  10 01a3e258  fp 01a3dbd8
I/DEBUG   (   94):  ip ffffffff  sp 402ccc38  lr 400fc419  pc 400f8760  cpsr 600f0030
I/DEBUG   (   94):  d0  3d3d3d3d3d3d3d3d  d1  3d3d3d3d3d3d3d3d
I/DEBUG   (   94):  d2  202020202020203d  d3  202020202020203d
I/DEBUG   (   94):  d4  3d646e616d6d6f63  d5  5f534d535f435049
I/DEBUG   (   94):  d6  47534d5f444e4553  d7  3130343078302820
I/DEBUG   (   94):  d8  0000000000000000  d9  0000000000000000
I/DEBUG   (   94):  d10 0000000000000000  d11 0000000000000000
I/DEBUG   (   94):  d12 0000000000000000  d13 0000000000000000
I/DEBUG   (   94):  d14 0000000000000000  d15 0000000000000000
I/DEBUG   (   94):  d16 414afb0423958106  d17 3f50624dd2f1a9fc
I/DEBUG   (   94):  d18 41bff8b256000000  d19 0000000000000000
I/DEBUG   (   94):  d20 0000000000000000  d21 0000000000000000
I/DEBUG   (   94):  d22 0000000000000000  d23 0000000000000000
I/DEBUG   (   94):  d24 0000000000000000  d25 0000000000000000
I/DEBUG   (   94):  d26 0000000000000000  d27 0000000000000000
I/DEBUG   (   94):  d28 0000000000000000  d29 0000000000000000
I/DEBUG   (   94):  d30 0000000000000000  d31 0000000000000000
I/DEBUG   (   94):  scr 00000010
I/DEBUG   (   94): 
I/DEBUG   (   94):          #00  pc 00017760  /system/lib/libc.so
I/DEBUG   (   94):          #01  pc 0001370a  /system/lib/libc.so
I/DEBUG   (   94):          #02  pc 00015a48  /system/lib/libc.so (dlfree)
I/DEBUG   (   94):          #03  pc 000160d8  /system/lib/libc.so (free)
I/DEBUG   (   94):          #04  pc 0000fd70  /system/lib/libsamsung-ril.so (ril_request_send_sms_complete)
I/DEBUG   (   94):          #05  pc 0000ffe4  /system/lib/libsamsung-ril.so (ipc_sms_svc_center_addr)
I/DEBUG   (   94):          #06  pc 0000bd82  /system/lib/libsamsung-ril.so (ipc_fmt_dispatch)
I/DEBUG   (   94):          #07  pc 0000c662  /system/lib/libsamsung-ril.so (ipc_fmt_read_loop)
I/DEBUG   (   94):          #08  pc 0000bf60  /system/lib/libsamsung-ril.so (ril_client_thread)
I/DEBUG   (   94):          #09  pc 00012e04  /system/lib/libc.so (__thread_entry)
I/DEBUG   (   94):          #10  pc 00012934  /system/lib/libc.so (pthread_create)
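Added example (my own code, not libsamsung-ril's): a length-consistency check over the SMSC + SMS-SUBMIT PDU bytes from the dump in this comment, assumed to start after a four-byte IPC header, that refuses the PDU instead of reading a UDH length where TP-UDHI is not set. The struct and function names are mine, and only the general DCS group is interpreted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed from the FMT DATA DUMP above, minus its first four bytes (assumed IPC header). */
static const uint8_t SAMPLE_PDU[] = {
    0x07,0x91,0x33,0x96,0x05,0x00,0x96,0xF5,                 /* SMSC address */
    0x01,0x00,0x0B,0x91,0x33,0x86,0x36,0x73,0x87,0xF0,       /* SMS-SUBMIT, MR, TP-DA */
    0x00,0x00,0x23,                                          /* TP-PID, TP-DCS, TP-UDL */
    0xCC,0x30,0x08,0xCE,0xAE,0xC3,0xC3,0x72,0x3A,0xA8,0x1D,0x4E,0xCF,0x41,0xEA,0x53,
    0x38,0x0D,0x92,0xA7,0xCB,0x6E,0x90,0x39,0x9C,0xA6,0x83,0xC2,0x75,0x50,0x0C };

struct pdu_info { size_t tpdu_len; uint8_t da_digits; bool udhi; size_t ud_octets; };

/* Validate an SMSC-prefixed SMS-SUBMIT PDU (3GPP TS 23.040 layout) before any buffer
 * is sized from its fields. Returns 0 if consistent, a negative code otherwise.
 * Only the "general data coding" DCS group is interpreted (GSM 7-bit vs 8-bit/UCS-2). */
int validate_sms_submit(const uint8_t *p, size_t len, struct pdu_info *out)
{
    if (len < 1 || 1u + p[0] > len) return -1;            /* SMSC length octet + body */
    size_t i = 1u + p[0];
    out->tpdu_len = len - i;
    if (len - i < 4) return -2;                           /* FO, TP-MR, TP-DA len, TOA */
    uint8_t fo = p[i];
    if ((fo & 0x03) != 0x01) return -3;                   /* TP-MTI must be SMS-SUBMIT */
    out->udhi = (fo & 0x40) != 0;
    out->da_digits = p[i + 2];
    if (out->da_digits > 20) return -4;                   /* TP-DA holds at most 20 digits */
    i += 3 + 1 + (out->da_digits + 1) / 2;                /* FO, MR, DA-len, TOA, packed BCD */
    if (i > len || len - i < 3) return -5;                /* TP-PID, TP-DCS, TP-UDL */
    uint8_t dcs = p[i + 1], udl = p[i + 2];
    bool seven_bit = (dcs & 0xCC) == 0x00;                /* general group, GSM 7-bit alphabet */
    out->ud_octets = seven_bit ? (udl * 7u + 7) / 8 : udl;
    i += 3;
    if (out->ud_octets > len - i) return -6;              /* TP-UD shorter than TP-UDL claims */
    /* Read a UDH length only when TP-UDHI says one exists; otherwise byte 0 of the
     * user data (0xCC in the dump above) is payload, not a header length. */
    if (out->udhi && (out->ud_octets < 1 || 1u + p[i] > out->ud_octets)) return -7;
    return 0;
}

/* Test helper: validate the sample, optionally with TP-UDHI forced on, truncated to n bytes. */
int check_sample(bool force_udhi, size_t n, struct pdu_info *out)
{
    uint8_t buf[sizeof SAMPLE_PDU];
    memcpy(buf, SAMPLE_PDU, sizeof buf);
    if (force_udhi) buf[8] |= 0x40;                       /* set TP-UDHI in the first octet */
    return validate_sms_submit(buf, n < sizeof buf ? n : sizeof buf, out);
}
```

The sample yields a 44-byte (0x2c) TPDU, matching the data_len line in the log, and the forced-UDHI variant fails because 0xCC cannot be a UDH length inside 31 user-data octets.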

#4

Updated by Paul Kocialkowski over 7 years ago

Seems to get better lately. The RIL SMS engine rewrite seems to have improved things. Closing the issue if no crash happens until the end of the week (which means hundreds of SMS sent).

#5

Updated by Paul Kocialkowski over 7 years ago

  • Status changed from In Progress to Closed
  • Resolution set to fixed

It has been more than two weeks now since the SMS engine was rewritten and it has been tested extensively (hundreds of SMS sent) over all the Samsung phones Replicant supports (Nexus S, Galaxy S, Galaxy S2) and the bug didn't occur once, while it was happening quite often before. Clearly, this issue has been fixed.

#6

Updated by Denis 'GNUtoo' Carikli over 4 years ago

  • Category changed from 45 to Telephony and mobile data
  • Device Nexus S (I902x) added
