Issue #39
closedSending a SMS sometimes crashes the modem
20%
Description
It seems that sometimes, sending a SMS crashes the modem (ie: not any message after sending the SMS).
On the logs, it sends and dumps the SMS at libsamsung-ipc level, which is a good sign.
Perhaps the modem segfaults, due to incorrect size on the message we send with the RIL.
Updated by Paul Kocialkowski about 12 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 20
Apparently, it's the RIL that crashes. I didn't see this happening on Galaxy S though. Main log when this happens:
I/DEBUG ( 131): * *
I/DEBUG ( 131): Build fingerprint: 'google/soju/crespo:2.3.4/GRJ22/121341:user/release-keys'
I/DEBUG ( 131): pid: 132, tid: 191 >>> /system/bin/rild <<<
I/DEBUG ( 131): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
I/DEBUG ( 131): r0 00000027 r1 deadbaad r2 a0000000 r3 00000000
I/DEBUG ( 131): r4 00000001 r5 00000000 r6 0001d3d8 r7 0000a000
I/DEBUG ( 131): r8 00000054 r9 0001d390 10 0001d458 fp 00000060
I/DEBUG ( 131): ip afd47668 sp 40108d58 lr afd19615 pc afd16104 cpsr 60000030
I/DEBUG ( 131): d0 444e455320435049 d1 20534d5320726574
I/DEBUG ( 131): d2 4620304420202020 d3 2045362044442044
I/DEBUG ( 131): d4 6d6d6f6320333578 d5 5f4350493d646e61
I/DEBUG ( 131): d6 444e45535f534d53 d7 7830282047534d5f
I/DEBUG ( 131): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 131): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 131): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 131): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 131): d16 0000000000000000 d17 0000000000000000
I/DEBUG ( 131): d18 0000000000000000 d19 0000000000000000
I/DEBUG ( 131): d20 0000000000000000 d21 0000000000000000
I/DEBUG ( 131): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 131): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 131): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 131): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 131): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 131): scr 00000000
I/DEBUG ( 131):
Updated by Paul Kocialkowski about 12 years ago
On http://groups.google.com/group/android-ndk/browse_thread/thread/8d083a0ccebe0faa
Mike Edenfield says:
A fault address of deadbaad is a signal that your problem is a corrupt memory heap. The error's going to come from libc, but that's just because libc's memory management routines are what ultimately triggered the fault, not because libc itself is buggy. The most likely cause is somewhere in your code that you're calling free() or delete on something you don't own, or have already released. That's causing heap corruption that breaks things later on down the road.
I'll investigate the code to see if there is a way this is what's happening.
Updated by Paul Kocialkowski over 11 years ago
It usually goes like this: RILJ asks to send the SMS and right after sending the IPC request, it fails:
D/RILJ ( 287): [2189]> SEND_SMS D/RIL-SMS ( 95): We have no SMSC, let's ask one D/RIL-SMS ( 95): Storing new SMS request in the queue at index 0 D/RIL-IPC ( 95): ipc: crespo_ipc_fmt_client_send: SEND FMT! D/RIL-IPC ( 95): ipc: crespo_ipc_fmt_client_send: Request: mseq=0x07 command=IPC_SMS_SVC_CENTER_ADDR (0x040a) type=GET D/RIL-IPC ( 95): ipc: crespo_ipc_fmt_client_recv: RECV FMT! D/RIL-IPC ( 95): ipc: crespo_ipc_fmt_client_recv: Response: aseq=0x07 command=IPC_SMS_SVC_CENTER_ADDR (0x040a) type=RESP D/RIL-IPC ( 95): ipc: ==== FMT DATA DUMP ==== D/RIL-IPC ( 95): ipc: [0000] 07 91 33 96 05 00 96 F5 FF FF FF FF ..3..... .... D/RIL-IPC ( 95): ipc: ======================= D/RIL-SMS ( 95): Completing the request D/RIL-SMS ( 95): Sending SMS message! D/RIL-SMS ( 95): data_len is 0x2c + 0x7 + 0x5 = 0x38 D/RIL-SMS ( 95): PDU TP-DA Len is 0xb E/RIL-SMS ( 95): PDU TP-UDH Len failed (0xcc) D/RIL-IPC ( 95): ipc: crespo_ipc_fmt_client_send: SEND FMT! D/RIL-IPC ( 95): ipc: crespo_ipc_fmt_client_send: Request: mseq=0x07 command=IPC_SMS_SEND_MSG (0x0401) type=EXEC D/RIL-IPC ( 95): ipc: ==== FMT DATA DUMP ==== D/RIL-IPC ( 95): ipc: [0000] 02 02 00 34 07 91 33 96 05 00 96 F5 01 00 0B 91 ...4..3. ........ D/RIL-IPC ( 95): ipc: [3f36] 33 86 36 73 87 F0 00 00 23 CC 30 08 CE AE C3 C3 3.6s.... ..0..... D/RIL-IPC ( 95): ipc: [e9a8] 72 3A A8 1D 4E CF 41 EA 53 38 0D 92 A7 CB 6E 90 r...N.A. S8....n. D/RIL-IPC ( 95): ipc: [4fa6] 39 9C A6 83 C2 75 50 0C 9....uP. D/RIL-IPC ( 95): ipc: ======================= E/RILJ ( 287): Hit EOS reading message length
Android debugger gives the following infos:
I/DEBUG ( 94): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad I/DEBUG ( 94): r0 deadbaad r1 00000001 r2 a0000000 r3 00000000 I/DEBUG ( 94): r4 00000000 r5 00000027 r6 4011b2bc r7 401294d4 I/DEBUG ( 94): r8 01a3e218 r9 01a3e1e0 10 01a3e258 fp 01a3dbd8 I/DEBUG ( 94): ip ffffffff sp 402ccc38 lr 400fc419 pc 400f8760 cpsr 600f0030 I/DEBUG ( 94): d0 3d3d3d3d3d3d3d3d d1 3d3d3d3d3d3d3d3d I/DEBUG ( 94): d2 202020202020203d d3 202020202020203d I/DEBUG ( 94): d4 3d646e616d6d6f63 d5 5f534d535f435049 I/DEBUG ( 94): d6 47534d5f444e4553 d7 3130343078302820 I/DEBUG ( 94): d8 0000000000000000 d9 0000000000000000 I/DEBUG ( 94): d10 0000000000000000 d11 0000000000000000 I/DEBUG ( 94): d12 0000000000000000 d13 0000000000000000 I/DEBUG ( 94): d14 0000000000000000 d15 0000000000000000 I/DEBUG ( 94): d16 414afb0423958106 d17 3f50624dd2f1a9fc I/DEBUG ( 94): d18 41bff8b256000000 d19 0000000000000000 I/DEBUG ( 94): d20 0000000000000000 d21 0000000000000000 I/DEBUG ( 94): d22 0000000000000000 d23 0000000000000000 I/DEBUG ( 94): d24 0000000000000000 d25 0000000000000000 I/DEBUG ( 94): d26 0000000000000000 d27 0000000000000000 I/DEBUG ( 94): d28 0000000000000000 d29 0000000000000000 I/DEBUG ( 94): d30 0000000000000000 d31 0000000000000000 I/DEBUG ( 94): scr 00000010 I/DEBUG ( 94): I/DEBUG ( 94): #00 pc 00017760 /system/lib/libc.so I/DEBUG ( 94): #01 pc 0001370a /system/lib/libc.so I/DEBUG ( 94): #02 pc 00015a48 /system/lib/libc.so (dlfree) I/DEBUG ( 94): #03 pc 000160d8 /system/lib/libc.so (free) I/DEBUG ( 94): #04 pc 0000fd70 /system/lib/libsamsung-ril.so (ril_request_send_sms_complete) I/DEBUG ( 94): #05 pc 0000ffe4 /system/lib/libsamsung-ril.so (ipc_sms_svc_center_addr) I/DEBUG ( 94): #06 pc 0000bd82 /system/lib/libsamsung-ril.so (ipc_fmt_dispatch) I/DEBUG ( 94): #07 pc 0000c662 /system/lib/libsamsung-ril.so (ipc_fmt_read_loop) I/DEBUG ( 94): #08 pc 0000bf60 /system/lib/libsamsung-ril.so (ril_client_thread) I/DEBUG ( 94): #09 pc 00012e04 /system/lib/libc.so (__thread_entry) I/DEBUG ( 94): #10 pc 00012934 /system/lib/libc.so (pthread_create)
Updated by Paul Kocialkowski over 11 years ago
Seems to get better lately. RIL SMS engine rewrite seems to have improved things. Closing the issue if no crash happens until the end of the week (means hundreds of SMS sent).
Updated by Paul Kocialkowski over 11 years ago
- Status changed from In Progress to Closed
- Resolution set to fixed
It has been more than two weeks now since the SMS engine was rewritten and it has been tested extensively (hundreds of SMS sent) over all the Samsung phone Replicant supports (Nexus S, Galaxy S, Galaxy S2) and the bug didn't occur once, while it was happening quite often before. Clearly, this issue has been fixed.
Updated by Denis 'GNUtoo' Carikli over 8 years ago
- Category changed from 45 to Telephony and mobile data
- Device Nexus S (I902x) added