This document lists why a Fuchsia device may reboot. Some are self-explanatory while others require some additional context.
An ungraceful reboot is a reboot that is initiated by either the kernel in response to an error, such as a kernel panic, or performed by the hardware without software intervention, such as a hardware watchdog timeout.
A graceful reboot is a reboot that is initiated by a userspace process. The process may initiate the reboot in response to an error, like when a device’s temperature is too high, but Fuchsia should have the opportunity to undergo an orderly shutdown.
If the kernel is unable to recover from an internal error, that error is considered fatal and the system will reboot.
If the kernel detects that the amount of free physical memory falls below a threshold, the system will reboot. The kernel does not kill processes to try to reclaim memory before rebooting, meaning a single process could cause a system-wide shortage of memory and force the device to reboot.
If a device loses power for long enough between when it is shut down and it boots back up, the system will determine this to be a cold boot.
A device browns out when its voltage dips below an acceptable threshold. This should only occur when there is an issue with a device’s power supply or its power related hardware.
Zircon sets up a hardware watchdog timer that will reboot the device if it is not reset within a specified period of time.
A software watchdog timer may reboot the device if someone sets one up.
If a device loses power for a short period of time, like when a user unplugs a device and rapidly plugs it back in, it may be unable to determine that the reboot was cold and will consider the reboot a result of a brief power loss. It is important to note that there is not a quantitative measure of what brief is and is hardware dependent.
A user or a component acting on behalf of a user, such as SL4F or RCS, determines a reboot is necessary.
A component responsible for system updates must update a package, or multiple packages, that cannot be updated ephemerally. These packages are canonically know as base packages.
A component responsible for system updates fails to apply an update, so the device reboots to try again (or possibly revert the update).
A component responsible for power management detects that a device‘s temperature is too high and the system cannot adequately reduce the device’s temperature by throttling the CPU or reducing the audio volume.
If the session manager is unable to restart a crashed session or a session determines it has failed in an unrecoverable manner, the device reboots.
If the system manager for v1 components (sysmgr) crashes, the device reboots.
If a critical component managed by sysmgr crashed, the device reboots.
Following a data reset to the factory defaults, the device reboots.
The platform can know whether the reboot was graceful, but cannot distinguish between a software update, a user request or some higher-level component detecting the device as overheating. All the platform knows is that the reboot was graceful.
There are some scenarios in which a specific reboot reason cannot be determined, i.e. we don’t know if it was a kernel panic or a watchdog timeout, but we still know the reboot was ungraceful.
There are some scenarios in which the platform cannot determine the specific reboot reason nor can it determine if the reboot was graceful or ungraceful.
Fuchsia exposes the reason a device last (re)booted through FIDL and tracks it on Cobalt and the crash server.
|Reboot reason||FIDL||Cobalt event||Crash signature|
|System running out of memory|
|Hardware watchdog timeout|
|Software watchdog timeout|
|Brief power loss|
|Retry system update|
|Critical component failure|
|Factory data reset||N/A*|
|Generic graceful||graceful field set to true||N/A*|
|Generic ungraceful||graceful field set to false||N/A**|
|Unknown||graceful field not set|
* Not a crash.
** Currently not implemented.