Zero-Allocation-Hashing
Fatal crash on Samsung Galaxy J5 (SM-J530F)
Hi,
I see it only on an Android device: Samsung Galaxy J5 (SM-J530F), but possibly there are other devices affected.
We have a fatal crash that always happens when trying to hash a byte array (the contents do not seem to matter) using xxHash: LongHashFunction.xx().hashBytes(value)
Taken from LogCat:
--------- beginning of crash
2020-03-12 12:07:08.966 16010-16280/? A/libc: Fatal signal 7 (SIGBUS), code 1, fault addr 0x1338520c in tid 16280 (.pl/...), pid 16010 ()
2020-03-12 12:07:09.051 16283-16283/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2020-03-12 12:07:09.051 16283-16283/? A/DEBUG: Build fingerprint: 'samsung/j5y17ltexx/j5y17lte:8.1.0/M1AJQ/J530FXXU3BRJ2:user/release-keys'
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: Revision: '7'
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: ABI: 'arm'
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: pid: 16010, tid: 16280, name: .pl/... >>> com.erfg.music <<<
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x1338520c
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: r0 1338520c r1 0000000c r2 ca9e95cc r3 0000000c
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: r4 6f31be58 r5 00000004 r6 00000000 r7 ca9e98c8
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: r8 00000000 r9 cb5f2c00 sl ca9e96c8 fp ca9e9654
2020-03-12 12:07:09.052 16283-16283/? A/DEBUG: ip eae9fced sp ca9e95a8 lr eae9fcf7 pc eae9fcfa cpsr 600d0030
2020-03-12 12:07:09.185 16283-16283/? A/DEBUG: backtrace:
2020-03-12 12:07:09.185 16283-16283/? A/DEBUG: #00 pc 00310cfa /system/lib/libart.so (art::Unsafe_getLong(_JNIEnv*, _jobject*, _jobject*, long long)+13)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #01 pc 005db08f /system/framework/arm/boot.oat (offset 0x1cb000) (sun.misc.Unsafe.getLong [DEDUPED]+110)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #02 pc 0040c575 /system/lib/libart.so (art_quick_invoke_stub_internal+68)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #03 pc 004116e5 /system/lib/libart.so (art_quick_invoke_stub+228)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #04 pc 000b0227 /system/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+138)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #05 pc 00204005 /system/lib/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+224)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #06 pc 001ff54d /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+588)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #07 pc 003f8c87 /system/lib/libart.so (MterpInvokeVirtualQuick+598)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #08 pc 00402714 /system/lib/libart.so (ExecuteMterpImpl+29972)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #09 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #10 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #11 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #12 pc 003f8c87 /system/lib/libart.so (MterpInvokeVirtualQuick+598)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #13 pc 00402714 /system/lib/libart.so (ExecuteMterpImpl+29972)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #14 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #15 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #16 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #17 pc 003f8c87 /system/lib/libart.so (MterpInvokeVirtualQuick+598)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #18 pc 00402714 /system/lib/libart.so (ExecuteMterpImpl+29972)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #19 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #20 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #21 pc 00200159 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb1ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+444)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #22 pc 003f8fa5 /system/lib/libart.so (MterpInvokeVirtualQuickRange+472)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #23 pc 00402794 /system/lib/libart.so (ExecuteMterpImpl+30100)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #24 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #25 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #26 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #27 pc 003f8c87 /system/lib/libart.so (MterpInvokeVirtualQuick+598)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #28 pc 00402714 /system/lib/libart.so (ExecuteMterpImpl+29972)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #29 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.186 16283-16283/? A/DEBUG: #30 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #31 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #32 pc 003f77b9 /system/lib/libart.so (MterpInvokeStatic+184)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #33 pc 003feb14 /system/lib/libart.so (ExecuteMterpImpl+14612)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #34 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #35 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #36 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #37 pc 003f8c87 /system/lib/libart.so (MterpInvokeVirtualQuick+598)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #38 pc 00402714 /system/lib/libart.so (ExecuteMterpImpl+29972)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #39 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #40 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #41 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #42 pc 003f8c87 /system/lib/libart.so (MterpInvokeVirtualQuick+598)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #43 pc 00402714 /system/lib/libart.so (ExecuteMterpImpl+29972)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #44 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #45 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #46 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #47 pc 003f7391 /system/lib/libart.so (MterpInvokeInterface+1080)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #48 pc 003feb94 /system/lib/libart.so (ExecuteMterpImpl+14740)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #49 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #50 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #51 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #52 pc 003f7391 /system/lib/libart.so (MterpInvokeInterface+1080)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #53 pc 003feb94 /system/lib/libart.so (ExecuteMterpImpl+14740)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #54 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #55 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.187 16283-16283/? A/DEBUG: #56 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.188 16283-16283/? A/DEBUG: #57 pc 003f7391 /system/lib/libart.so (MterpInvokeInterface+1080)
2020-03-12 12:07:09.188 16283-16283/? A/DEBUG: #58 pc 003feb94 /system/lib/libart.so (ExecuteMterpImpl+14740)
2020-03-12 12:07:09.188 16283-16283/? A/DEBUG: #59 pc 001e6bc1 /system/lib/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+340)
2020-03-12 12:07:09.188 16283-16283/? A/DEBUG: #60 pc 001eb36f /system/lib/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+142)
2020-03-12 12:07:09.188 16283-16283/? A/DEBUG: #61 pc 001ff535 /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+564)
2020-03-12 12:07:09.188 16283-16283/? A/DEBUG: #62 pc 003f7391 /system/lib/libart.so (MterpInvokeInterface+1080)
2020-03-12 12:07:09.188 16283-16283/? A/DEBUG: #63 pc 003feb94 /system/lib/libart.so (ExecuteMterpImpl+14740)
2020-03-12 12:07:11.258 2748-2748/? E//system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_07
2020-03-12 12:07:11.266 2693-2693/? E/audit: type=1701 audit(1584011231.251:1220): auid=4294967295 uid=10219 gid=10219 ses=4294967295 subj=u:r:untrusted_app:s0:c512,c768 pid=16280 comm=".pl/..." exe="/system/bin/app_process32" sig=7
2020-03-12 12:07:11.301 2962-16284/? E/ActivityManager: Found activity ActivityRecord{dc4c01c u0 com.efgd.music/.MainActivity t-1 f} in proc activity list using null instead of expected ProcessRecord{ca03534 16010:com.efgd.music/u0a219}
2020-03-12 12:07:11.398 3338-3338/? E/SKBD: bbw getInstance start
2020-03-12 12:07:11.398 3338-3338/? E/SKBD: bbw sendSIPInformation state: 6 isAbstractKeyboardView : true
2020-03-12 12:07:11.404 3338-16293/? E/SKBD: bbw sending null keyboardInfo as SIP is closed
2020-03-12 12:07:11.419 5224-5254/? E/PBSessionCacheImpl: sessionId[22976978907188413] not persisted.
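Added example, not part of the original post or the project's code: a small Python triage helper that pulls the signal, si_code, fault address and innermost frame out of a debuggerd dump like the one above and checks the address against the access width implied by the Unsafe accessor. The `triage` function, its regexes and the width table are assumptions made for this example; the sample lines are excerpted from the log above.

```python
import re

# Lines excerpted from the logcat in the post above (timestamp/PID prefix trimmed).
SAMPLE = """\
A/DEBUG: ABI: 'arm'
A/DEBUG: signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x1338520c
A/DEBUG: #00 pc 00310cfa /system/lib/libart.so (art::Unsafe_getLong(_JNIEnv*, _jobject*, _jobject*, long long)+13)
A/DEBUG: #01 pc 005db08f /system/framework/arm/boot.oat (offset 0x1cb000) (sun.misc.Unsafe.getLong [DEDUPED]+110)
"""

ABI_RE = re.compile(r"ABI: '([^']+)'")
SIGNAL_RE = re.compile(
    r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\), fault addr (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(
    r"#(\d+) pc [0-9a-fA-F]+\s+(\S+)(?: \(offset 0x[0-9a-fA-F]+\))? \((.+)\+\d+\)\s*$")
# Byte width of the raw memory access named by an Unsafe get/put accessor.
UNSAFE_RE = re.compile(r"Unsafe[_.](?:get|put)(Long|Double|Int|Float|Short|Char)")
WIDTH = {"Long": 8, "Double": 8, "Int": 4, "Float": 4, "Short": 2, "Char": 2}


def triage(log_text):
    """Summarise a debuggerd crash dump: signal, si_code, fault address, top frame."""
    report = {"abi": None, "signal": None, "si_code": None,
              "fault_addr": None, "frames": []}
    for line in log_text.splitlines():
        if m := ABI_RE.search(line):
            report["abi"] = m.group(1)
        elif m := SIGNAL_RE.search(line):
            report["signal"], report["si_code"] = m.group(1), m.group(2)
            report["fault_addr"] = int(m.group(3), 16)
        elif m := FRAME_RE.search(line):
            report["frames"].append(
                {"index": int(m.group(1)), "module": m.group(2), "symbol": m.group(3)})
    # Width of the access in the innermost frame, if it is an Unsafe accessor.
    top = report["frames"][0]["symbol"] if report["frames"] else ""
    m = UNSAFE_RE.search(top)
    report["access_width"] = WIDTH[m.group(1)] if m else None
    # An alignment fault is consistent with the frame when addr % width != 0.
    report["misaligned"] = (
        report["fault_addr"] is not None and report["access_width"] is not None
        and report["fault_addr"] % report["access_width"] != 0)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["signal"], r["si_code"], hex(r["fault_addr"]),
          "width", r["access_width"], "misaligned", r["misaligned"])
```

For this dump it reports SIGBUS/BUS_ADRALN at 0x1338520c, an address that is 4-byte but not 8-byte aligned, under an 8-byte `Unsafe_getLong` read.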
@gzm55 I remember you looked at some other Android-related issues, would you be able to check this one out? Thanks
Do other hash functions than xx() produce the same crash? Does value equal null? What is the length of value? Does hashBytes(new byte[0-16]) always produce the same crash?
I have no physical access to this device now, since all our work is remote due to the COVID spread. All the information I have is from the QA team in my company, so I have limited options here.
We are using xxHash to generate HMAC for requests. So value is mostly an around 200-300 bytes long UTF-8 encoded string. It can never be null (it's Kotlin, value is based on a NonNullable string). If you need more data on that I will try to get this device somehow.
How can this stack be related to the hash function?
That's the weird part. None of my code is on the stack. But if I remove the call to the hash function, everything else runs just fine. Add to this that it happens on only one device, and I think this might be some framework issue. And it's Samsung, which has a long history of breaking the Android framework in many ways.
I know that this might be impossible to fix, but I hoped somebody might have some idea
Sorry, I have no idea. I need more info, so it is better to get the device for debugging and test some other hash methods.
@Nekromancer can you try to catch exceptions when calling the hash method:
    LongHashFunction h = null;
    long v = 0;
    // Wrap creation of the hash function and the hash call separately,
    // so the rethrown exception shows which of the two steps failed.
    try {
        h = LongHashFunction.xx();
    } catch (Throwable e) {
        throw new Exception(e);
    }
    try {
        v = h.hashBytes(value);
    } catch (Throwable e) {
        throw new Exception(e);
    }
I tried to capture the exception, but it's a fatal crash so nothing was caught. It just crashes the process entirely, bypassing even global exception handlers.
I will try more as soon as I get the device.