Uploaded image for project: 'Qt Mobility'
  1. Qt Mobility
  2. QTMOBILITY-1730

cwrtwidget.exe crash KERN-EXEC 0 due to referencing empty handle

    XMLWordPrintable

Details

    • Bug
    • Resolution: Out of scope
    • P1: Critical
    • None
    • 1.2.0
    • Bearer Management
    • Symbian^3 MCL wk21

    Description

      This is observed from Mobile Crash Server and there are now 27x crash

      The defect id in MC2: 367877
      An example of crash id: 3503509

      The call stack:

      00455cc4 8050f0f3 ..P. [0017] User::Free(void*) (EXPORTED) us_exec.o(.text)
00455cc8 0055c3d4 ..U.
00455ccc 0000df05 ....
00455cd0 00000000 ....
00455cd4 80718201 ..q. [0007] RSubSessionBase::SendReceive(int, const TIpcArgs&) const CS_CLI.o(i._ZNK15RSubSessionBase11SendReceiveEiRK8TIpcArgs)               <= CRASH HERE DUE TO THE RSessionBase HANDLE =0
00455cd8 00629dd0 ..b.
00455cdc 807143dd .Cq. [0013] RConnection::CancelProgressNotification() (EXPORTED) RConnection.o(.text)
00455ce0 7dbb0498 ...}
00455ce4 8050f0f3 ..P. [0017] User::Free(void*) (EXPORTED) us_exec.o(.text)
00455ce8 0055c3d4 ..U.
00455cec 80c8a1bb .... [0007] operator delete (void*) (EXPORTED) operator_delete.o(.text)
00455cf0 00000000 ....
00455cf4 7ade4f07 .O.z [0009] QtMobility::ConnectionProgressNotifier::DoCancel() (EXPORTED) qnetworksession_s60_p.o(.text)
00455cfc 80507685 .vP. [0013] CActive::Cancel() (EXPORTED) ub_act.o(.text)
00455d0c 7ade4ead .N.z [0007] QtMobility::ConnectionProgressNotifier::~ConnectionProgressNotifier__deallocating() (EXPORTED) qnetworksession_s60_p.o(.text)
00455d14 7ade3f27 '?.z [002f] QtMobility::QNetworkSessionPrivate::~QNetworkSessionPrivate() (EXPORTED) qnetworksession_s60_p.o(.text)

      Root cause:
      From looking at the code
      http://s60lxr.nmp.nokia.com/source/sf/mw/qtmobility/src/bearer/qnetworksession_s60_p.cpp?v=mcl_201121_hw79u_06

      one possibility how this can happen

      I think a simple one is constructing then destroying QNetworkSessionPrivate().

      The one happening in crash is probably not as simple as this, but it demonstrate how it is possible that the RConnection was already closed/not established when the destructor is called for QNetworkSessionPrivate. It is probably better to have a check to see whether a connection is established

      the destructor when deleting the ipConnectionNotifier assumes that RConnection was established

      083 QNetworkSessionPrivate::~QNetworkSessionPrivate()
084 {
085     isOpen = false;
086     isOpening = false;
087 
088     // Cancel Connection Progress Notifications first.
089     // Note: ConnectionNotifier must be destroyed before Canceling RConnection::Start()
090     //       => deleting ipConnectionNotifier results RConnection::CancelProgressNotification()
091     delete ipConnectionNotifier;
092     ipConnectionNotifier = NULL;

      The destructor

      1393 ConnectionProgressNotifier::~ConnectionProgressNotifier()
1394 {
1395     Cancel();
1396 }
1397 
1398 void ConnectionProgressNotifier::StartNotifications()
...
1410 
1411 void ConnectionProgressNotifier::DoCancel()
1412 {
1413     iConnection.CancelProgressNotification();
1414 }

      Attachments

        Activity

          People

            shkearns Shane Kearns
            tero Tero Kuutti (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: