airsdk / Adobe-Runtime-Support

Report, track and discuss issues in Adobe AIR. Monitored by Adobe - and HARMAN - and maintained by the AIR community.

[AIR 51.0.1.4][Ubuntu 16 or similar] `malloc_consolidate(): invalid chunk size` crash with some devices #3359

Open itlancer opened 2 months ago

itlancer commented 2 months ago

Problem Description

Linux AIR applications built with AIR 51.0.1.4 sometimes crash on Ubuntu 16 or on distributions based on the same Debian core. Maybe it is related to the fix made in this thread https://github.com/airsdk/Adobe-Runtime-Support/discussions/1917#discussioncomment-9864225

Tested with AIR 51.0.1.4 with different AIR applications, different devices and different Linux x86_64 versions, on VMs and real devices. Same issue with Ubuntu 16 or Linux x86_64 systems based on the same Debian core. There are no such issues with Ubuntu 22.0.4 LTS. There are no such issues with AIR 50.2.4.4 and below. There are no such issues on other platforms. Didn't test with Linux ARM64 devices.

Related issues: https://github.com/airsdk/Adobe-Runtime-Support/issues/3353 https://github.com/airsdk/Adobe-Runtime-Support/issues/2442

Steps to Reproduce

I couldn't make an isolated sample. But it happens in 80% of launches of a complex AIR application which loads 3-5 files (~90 MB each) in parallel via URLStream and saves them to local files via FileStream. All in async mode.

Actual Result: Application crash with errors:

malloc_consolidate(): invalid chunk size
malloc(): smallbin double linked list corrupted

or

corrupted double-linked list
double free or corruption (fasttop)

Expected Result: Application work without crash.

Known Workarounds

none (use AIR 50.2.4.4)

itlancer commented 1 month ago

Issue still exists with latest AIR 51.1.1.1.

itlancer commented 1 month ago

Issue still exists with latest AIR 51.1.1.2. And it is reproducible on any Linux device (not just Ubuntu 16) when multiple files are downloaded simultaneously. The crash occurs when saving data to disk (not while downloading). It seems it can be stably reproduced with "fast" servers. It looks like multiple FileStream saving threads conflict under the hood.

Here is the sample: air51_linux_download_crash.zip

It just downloads 4 files simultaneously in async mode via URLStream and writes the bytes to application storage via FileStream, also in async mode. In almost 100% of launches you will get a crash in ~10-20 seconds.

With a gdb launch you will get this crash log:

malloc(): unaligned tcache chunk detected

Thread 2463 "air51_linux_dow" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffa25fe640 (LWP 58552)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140735917581888) at ./nptl/pthread_kill.c:44
44  ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140735917581888)
    at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140735917581888)
    at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140735917581888, signo=signo@entry=6)
    at ./nptl/pthread_kill.c:89
#3  0x00007ffff7242476 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/posix/raise.c:26
#4  0x00007ffff72287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7289676 in __libc_message
    (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff73dbb77 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff72a0cfc in malloc_printerr
    (str=str@entry=0x7ffff73ded20 "malloc(): unaligned tcache chunk detected")
    at ./malloc/malloc.c:5664
#7  0x00007ffff72a53dc in tcache_get (tc_idx=<optimized out>)
    at ./malloc/malloc.c:3195
#8  __GI___libc_malloc (bytes=32) at ./malloc/malloc.c:3313
#9  0x00007ffff7924739 in g_malloc () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007ffff7919910 in g_source_set_callback ()
    at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00007ffff791c39e in g_timeout_add_full ()
    at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007ffff54a7e33 in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#13 0x00007ffff54a6a65 in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#14 0x00007ffff53ebe89 in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#15 0x00007ffff547276e in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#16 0x00007ffff5560070 in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#17 0x00007ffff5562a35 in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#18 0x00007ffff5563218 in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#19 0x00007ffff53faebf in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#20 0x00007ffff53faf3f in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#21 0x00007ffff53faf91 in  () at /home/username/Documents/air51_linux_download_crash/air51_linux_download_crash/Adobe AIR/Versions/1.0/libCore.so
#22 0x00007ffff7294ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#23 0x00007ffff7326850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
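
A minimal ActionScript 3 reproducer of the scenario described in the comment above, added here for triage; it is not the sample from the attached zip, the class name is made up and the URLs are placeholders to be replaced with real large files:

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.ProgressEvent;
    import flash.filesystem.File;
    import flash.filesystem.FileMode;
    import flash.filesystem.FileStream;
    import flash.net.URLRequest;
    import flash.net.URLStream;
    import flash.utils.ByteArray;

    // Constructed reproducer: N parallel URLStream downloads, each written to
    // application storage through its own async FileStream (assumed shape of
    // the scenario in the issue; example.invalid URLs are placeholders).
    public class ParallelDownloadRepro extends Sprite {
        private static const URLS:Array = [
            "https://example.invalid/file1.bin", "https://example.invalid/file2.bin",
            "https://example.invalid/file3.bin", "https://example.invalid/file4.bin"
        ];

        public function ParallelDownloadRepro() {
            // Start all downloads at once so their async writes overlap.
            for (var i:int = 0; i < URLS.length; i++) {
                startDownload(URLS[i], "download_" + i + ".bin");
            }
        }

        private function startDownload(url:String, name:String):void {
            var file:File = File.applicationStorageDirectory.resolvePath(name);
            var out:FileStream = new FileStream();
            out.openAsync(file, FileMode.WRITE);   // async write path, as in the report

            var input:URLStream = new URLStream();
            // Each progress event hands the newly arrived bytes to the async writer.
            input.addEventListener(ProgressEvent.PROGRESS, function(e:ProgressEvent):void {
                var chunk:ByteArray = new ByteArray();
                input.readBytes(chunk, 0, input.bytesAvailable);
                out.writeBytes(chunk);
            });
            input.addEventListener(Event.COMPLETE, function(e:Event):void {
                out.close();                       // pending async writes are flushed first
                trace("done:", name);
            });
            input.addEventListener(IOErrorEvent.IO_ERROR, function(e:IOErrorEvent):void {
                trace("io error:", name, e.text);
                out.close();
            });
            input.load(new URLRequest(url));
        }
    }
}
```

Running the packaged app under gdb on an affected AIR 51 build should reproduce the malloc abort in the backtrace above; on AIR 50.2.4.4 the same code is expected to complete all four files.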

itlancer commented 1 week ago

Issue still exists with latest AIR 51.1.1.4.