
Crash: Memory error

Open slashtab opened this issue 1 year ago • 2 comments

type: crash
osVersion: google/panther/panther:14/AP1A.240505.005/2024060500:user/release-keys
uid: 10266 (u:r:untrusted_app_32:s0:c10,c257,c512,c768)
cmdline: at.tomtasche.reader
processUptime: 392s

abortMessage: hardened_malloc: fatal allocator error: detected write after free

signal: 6 (SIGABRT), code -1 (SI_QUEUE)
threadName: RenderThread

backtrace:
    /apex/com.android.runtime/lib64/bionic/libc.so (abort+164, pc 64e84)
    /apex/com.android.runtime/lib64/bionic/libc.so (fatal_error+44, pc 4d4c4)
    /apex/com.android.runtime/lib64/bionic/libc.so (allocate+1912, pc 4a4e8)
    /apex/com.android.runtime/lib64/bionic/libc.so (h_realloc+592, pc 49810)
    /apex/com.android.runtime/lib64/bionic/libc.so (realloc+84, pc 460a4)
    /system/lib64/libbinder.so (android::Parcel::flattenBinder(android::sp<android::IBinder> const&)+1260, pc 6041c)
    /system/lib64/libgui.so (android::BufferData::writeToParcel(android::Parcel*) const+488, pc 11f6f8)
    /system/lib64/libgui.so (android::layer_state_t::write(android::Parcel&) const+4220, pc d069c)
    /system/lib64/libgui.so (android::BpSurfaceComposer::setTransactionState(android::gui::FrameTimelineInfo const&, android::Vector<android::ComposerState>&, android::Vector<android::DisplayState> const&, unsigned int, android::sp<android::IBinder> const&, android::InputWindowCommands, long, bool, std::__1::vector<android::client_cache_t, std::__1::allocator<android::client_cache_t> > const&, bool, std::__1::vector<android::ListenerCallbacks, std::__1::allocator<android::ListenerCallbacks> > const&, unsigned long, std::__1::vector<unsigned long, std::__1::allocator<unsigned long> > const&)+236, pc ced0c)
    /system/lib64/libgui.so (android::SurfaceComposerClient::Transaction::apply(bool, bool)+712, pc 95268)
    /system/lib64/libgui.so (android::BLASTBufferQueue::acquireNextBufferLocked(std::__1::optional<android::SurfaceComposerClient::Transaction*>)+9212, pc d78bc)
    /system/lib64/libgui.so (android::BLASTBufferQueue::onFrameAvailable(android::BufferItem const&)+328, pc c07e8)
    /system/lib64/libgui.so (android::ConsumerBase::onFrameAvailable(android::BufferItem const&)+172, pc 1047bc)
    /system/lib64/libgui.so (android::BufferQueue::ProxyConsumerListener::onFrameAvailable(android::BufferItem const&)+92, pc edc8c)
    /system/lib64/libgui.so (android::BufferQueueProducer::queueBuffer(int, android::IGraphicBufferProducer::QueueBufferInput const&, android::IGraphicBufferProducer::QueueBufferOutput*)+1944, pc dc868)
    /system/lib64/libgui.so (android::Surface::queueBuffer(ANativeWindowBuffer*, int)+1288, pc e2538)
    /system/lib64/libgui.so (android::Surface::hook_queueBuffer(ANativeWindow*, ANativeWindowBuffer*, int)+92, pc 123eec)
    /system/lib64/libhwui.so (android::uirenderer::renderthread::VulkanSurface::presentCurrentBuffer(SkRect const&, int)+232, pc 4f3b28)
    /system/lib64/libhwui.so (android::uirenderer::skiapipeline::SkiaVulkanPipeline::swapBuffers(android::uirenderer::renderthread::Frame const&, android::uirenderer::renderthread::IRenderPipeline::DrawResult&, SkRect const&, android::uirenderer::FrameInfo*, bool*)+140, pc 4f39cc)
    /system/lib64/libhwui.so (android::uirenderer::renderthread::CanvasContext::draw(bool)+1480, pc 34c7e8)
    /system/lib64/libhwui.so (android::uirenderer::renderthread::CanvasContext::prepareAndDraw(android::uirenderer::RenderNode*)+232, pc 34b9e8)
    /system/lib64/libhwui.so (android::uirenderer::renderthread::RenderThread::dispatchFrameCallbacks()+156, pc 4cb58c)
    /system/lib64/libhwui.so (android::uirenderer::renderthread::RenderThread::threadLoop()+760, pc 4b84c8)
    /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+368, pc 14280)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc cf93c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64, pc 66730)

slashtab avatar Jun 07 '24 06:06 slashtab
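The abort above is raised by the allocator's check at the next allocation (the backtrace goes realloc → h_realloc → allocate → fatal_error), not at the instruction that performed the stale write. The C program below is an added example, not code from OpenDocument.droid or from hardened_malloc: it models that pattern with a toy slot allocator that zero-fills a slot on free and verifies the slot is still all-zero before handing it out again. The slot size, the arena, the fatal hook and the two scenarios are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a toy slot allocator (NOT hardened_malloc) that mimics the
 * zero-on-free / check-on-allocate pattern behind the abort message
 * "detected write after free". Sizes and the fatal hook are assumptions. */

#define SLOT_SIZE 64
#define NSLOTS 8

static unsigned char arena[NSLOTS * SLOT_SIZE];
static int slot_free[NSLOTS];

/* Fatal-error hook so the scenario functions can observe detection;
 * the default behaves like a real hardened allocator and aborts. */
typedef void (*fatal_fn)(const char *msg);
static void default_fatal(const char *msg) {
    fprintf(stderr, "toy_malloc: fatal allocator error: %s\n", msg);
    abort();
}
static fatal_fn fatal_hook = default_fatal;

static void toy_reset(void) {
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < NSLOTS; i++) slot_free[i] = 1;
}

/* 1 if every byte of [p, p+n) is zero. */
static int is_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Hand out the first free slot. A free slot must still be all-zero; if it
 * is not, someone wrote through a dangling pointer after the free. */
static void *toy_malloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!slot_free[i]) continue;
        unsigned char *p = arena + (size_t)i * SLOT_SIZE;
        if (!is_zero(p, SLOT_SIZE)) {
            fatal_hook("detected write after free");
            return NULL;
        }
        slot_free[i] = 0;
        return p;
    }
    return NULL; /* arena exhausted */
}

/* Zero the slot on free so the next allocation can verify it was untouched. */
static void toy_free(void *ptr) {
    uintptr_t a = (uintptr_t)ptr, base = (uintptr_t)arena;
    if (a < base || a >= base + sizeof arena || (a - base) % SLOT_SIZE) {
        fatal_hook("invalid free");
        return;
    }
    size_t idx = (a - base) / SLOT_SIZE;
    if (slot_free[idx]) {
        fatal_hook("double free");
        return;
    }
    memset(ptr, 0, SLOT_SIZE);
    slot_free[idx] = 1;
}

static int detected;
static void record_fatal(const char *msg) { (void)msg; detected = 1; }

/* Scenario 1: stale write into a freed slot. Nothing happens at the write
 * itself; the error surfaces at the next allocation that reuses the slot. */
int demo_write_after_free(void) {
    fatal_hook = record_fatal;
    detected = 0;
    toy_reset();
    char *a = toy_malloc();
    strcpy(a, "frame");
    toy_free(a);
    a[0] = 'X';                 /* the bug: write through a dangling pointer */
    void *b = toy_malloc();     /* unrelated allocation trips the check */
    (void)b;
    return detected;            /* 1 */
}

/* Scenario 2: correct lifetime; the reused slot is still zero. */
int demo_clean(void) {
    fatal_hook = record_fatal;
    detected = 0;
    toy_reset();
    char *a = toy_malloc();
    strcpy(a, "frame");
    toy_free(a);
    char *b = toy_malloc();
    int reused_and_zeroed = (b == a) && b[0] == 0;
    return detected ? -1 : reused_and_zeroed;  /* 1 */
}

int main(void) {
    printf("write-after-free detected: %d\n", demo_write_after_free());
    printf("clean reuse ok: %d\n", demo_clean());
    return 0;
}
```

The practical consequence for reading the report: the frames in the backtrace (RenderThread inside Parcel::flattenBinder's realloc) identify the allocation that reused the corrupted slot, not necessarily the code that did the stale write, which may have run earlier and on a different thread. A reproduction under a tool that checks each access as it happens (for example HWASan) would point at the offending write instead.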

Thanks for the report!

Looks like an Android UI bug to me, since the stacktrace never mentions our code + we don't change the UI from C++. I'm assuming that causing such a crash should not be possible from within Java. Any other opinions?

PS: Can you consistently reproduce this crash? If so, we could submit it as a bug to Android.

TomTasche avatar Jun 07 '24 06:06 TomTasche

> I'm assuming that causing such a crash should not be possible from within Java.

Yes. Android UI is buggy; that may be the culprit here.

> Can you consistently reproduce this crash?

Yes! 4 out of 5 times, roughly. I reproduced it multiple times before submitting the issue.

slashtab avatar Jun 07 '24 17:06 slashtab