Open davidhaley opened 3 months ago
Hi, I have a similar issue in my app. I'm not sure, but I think that this issue was not present in the previous versions of GrapheneOS. I'm going to prove that. In my case I have a similar output around the native sound libraries using the Oboe library when I perform a Bluetooth switch off/on. I also have messages around the Bluetooth headset interface like:
12:01:17.548 HeadsetSystemInterface com...roid.bluetooth E getSubscriberNumber() failed: mBluetoothInCallService is null
12:01:17.548 HeadsetSystemInterface com...roid.bluetooth I Try to get phone number without mBluetoothInCallService.
12:01:17.548 bluetooth com...roid.bluetooth I bta_ag_better_state_machine: Opening sco for EVT BTA_AG_SCO_OPEN_EVT
12:01:17.548 bluetooth com...roid.bluetooth I bta_ag_sco_event: device:xx:xx:xx:xx:29:89 index:0x0000 state:BTA_AG_SCO_OPENING_ST[3] event:BTA_AG_SCO_CONN_OPEN_E[7]
12:01:17.548 bluetooth com...roid.bluetooth W bta_ag_sco_event: SCO_state_change: [BTA_AG_SCO_OPENING_ST(0x03)]->[BTA_AG_SCO_OPEN_ST(0x06)] after event [BTA_AG_SCO_CONN_OPEN_E(0x07)]
12:01:17.548 BluetoothH...ServiceJni com...roid.bluetooth I AudioStateCallback: 2 for xx:xx:xx:xx:29:89
And the native crash is also a "null pointer dereference", maybe of the system sound library in my case, but everything here is around the Bluetooth headset.
A ABI: 'arm64'
A Process uptime: 34s
A tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
A signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000000
A Cause: null pointer dereference
A x0 0000000000000000 x1 b400cd33e06ac7f0 x2 b400cd68b34853de x3 b400cd68b34853e0
A x4 b400cd68b3485200 x5 000000006d8d9e5a x6 0000000079622d32 x7 000000003320646e
A x8 b400cd33e06ac748 x9 0000000000000001 x10 0000000000000000 x11 0000000000013200
A x12 0000000000000aeb x13 0000000000000000 x14 00000000421a3242 x15 00000000024984a9
A x16 0000cc611d987220 x17 0000cf9a0f72e8d0 x18 0000cc605eec8000 x19 0000cc60606c0000
A x20 0000cf9a0f7af000 x21 0000cc60606c0000 x22 0000000000001811 x23 000000000000177b
A x24 0000cc60606c0000 x25 0000cc6060464d90 x26 0000cc60606c1030 x27 0000000000a78000
A x28 0000000000a58000 x29 0000cc60604649a0
A lr 0000cc61184b93a4 sp 0000cc6060464900 pc 0000cc61184b93a4 pst 0000000060001000
A 12 total frames
A backtrace:
A #00 pc 00000000000373a4 /base.apk!libsystemsound.so (offset 0x2005000) (AndroidAudioDeviceManager::start_recording()+368) (BuildId: dde9dc177472c52a527db7ff32ecfc54b9bc606e)
A #01 pc 00000000000c2ca8 /base.apk!libnative-lib.so (offset 0x1cc4000) (AndroidAudioDevice::record(std::__ndk1::vector<short, std::__ndk1::allocator<short> >&)+60) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A #02 pc 00000000003db9dc /base.apk!libclientlib.so (offset 0x13a2000) (WebRtcAudioProcessingDevice::record(std::__ndk1::vector<short, std::__ndk1::allocator<short> >&)+108) (BuildId: 5d5df3f1860b7d3e0c13b43a11f7adad023fee58)
A #03 pc 00000000003a2fa0 /base.apk!libclientlib.so (offset 0x13a2000) (record::service()+148) (BuildId: 5d5df3f1860b7d3e0c13b43a11f7adad023fee58)
A #04 pc 0000000000086dac /base.apk!libnative-lib.so (offset 0x1cc4000) (process::operator()()+308) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A #05 pc 0000000000086c3c /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A #06 pc 0000000000086c14 /base.apk!libnative-lib.so (offset 0x1cc4000) (std::__ndk1::__invoke_of<process&>::type std::__ndk1::reference_wrapper<process>::operator()<>() const+24) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A #07 pc 0000000000086bb0 /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A #08 pc 0000000000086b10 /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A #09 pc 00000000000864a4 /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A #10 pc 000000000007635c /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: 7193576d5829f1a9df65e69f55c40039)
A #11 pc 0000000000067d90 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 7193576d5829f1a9df65e69f55c40039)
E Tombstone written to: tombstone_41
@hpsaturn Doesn't look related.
I think that yes, of course the backtraces are different and it seems that there is no relation, but both outputs are JNI implementations; in the first case it is libbluetooth_jni.so, which is an implementation that uses the low latency audio library. From the original output of @davidhaley we have:
/apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::audio::aidl::BluetoothAudioClientInterface::SetAllowedLatencyModes(std::__1::vector<aidl::android::hardware::bluetooth::audio::LatencyMode, std::__1::allocator<aidl::android::hardware::bluetooth::audio::LatencyMode> >)+820, pc 7514c4)
In my case, my implementation also uses the Oboe library, which is the same low latency audio library of the system; it is an abstraction of the AAudio library. On the other hand, both apps have the same behavior after the Bluetooth connection state changes. In my backtrace you can see the calls of my audio manager, which uses the same low-level library as libbluetooth_jni.so, and both apps have the same cause: null pointer dereference.
Did you try using exploit protection compatibility mode, specifically disabling hardened_malloc for the app?
I was trying to connect wireless earbuds, stopped, switched profiles a few minutes later, and then noticed a notification for this crash.