Open Bubu opened 1 year ago
This is a crash in a native android library though, also not a single function from de.westnordost.streetmeasure is mentioned in the stacktrace. So nothing I can do about it.
Generally, nothing I can do about native crashes anyway, as the only native code contained in the app is the proprietary "blob" from Google (ARCore SDK) and Google Filament (used by Google's abandoned sceneform).
Looking at the google developer console, the app crashed four times already for different people. Two in libandroid_runtime.so, one in libfilament-jni.so, one in libgui.so. Could be that all these are ultimately caused by ARCore or sceneform, I have no way to debug this :shrug:
I have synchronous MTE enabled on my device, and I have noticed occasional crashes while using the app normally. Here's the beginning of one of two tombstone files I have. (The UAF cause appears in both, so it is most likely the correct cause)
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/shiba/shiba:14/AP1A.240505.004/11583682:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm64'
Timestamp: 2024-05-16 20:09:29.899799997-0500
Process uptime: 980s
Cmdline: de.westnordost.streetmeasure
pid: 30399, tid: 30492, name: FEngine::loop >>> de.westnordost.streetmeasure <<<
uid: 10323
tagged_addr_ctrl: 000000000007fff3 (PR_TAGGED_ADDR_ENABLE, PR_MTE_TCF_SYNC, mask 0xfffe)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0b0000748d44d520
x0 0000007609d12484 x1 0000007205bf6260 x2 ffffffffffffffe0 x3 0000007205bf6480
x4 0000007205bf64e0 x5 0000000000000004 x6 0000000000000001 x7 0000055cae23b465
x8 0000000000000001 x9 0000000000005751 x10 0000000000000030 x11 0000007609c8f7b4
x12 0000000000000020 x13 0000000000000001 x14 000000000000001c x15 0d0000740d4192b0
x16 0000007609d08030 x17 0000007609c93bc0 x18 0000007205274000 x19 0b0000748d44d520
x20 0f000074ad411260 x21 0000000000000002 x22 000000720ebf1420 x23 080000747d4bd0c0
x24 080000747d4bd100 x25 0000007205bf68b0 x26 0000007205bf6bf0 x27 00000000000fc000
x28 00000000000fe000 x29 0000007205bf6850
lr 0000007213aa2fcc sp 0000007205bf6630 pc 0000007213aa2fcc pst 0000000080001000
1 total frames
backtrace:
#00 pc 0000000000059fcc /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)
Note: multiple potential causes for this crash were detected, listing them in decreasing order of likelihood.
Cause: [MTE]: Use After Free, 0 bytes into a 32-byte allocation at 0x748d44d520
deallocated by thread 30492:
#00 pc 00000000000511c8 /apex/com.android.runtime/lib64/bionic/libc.so (scudo::Allocator<scudo::AndroidNormalConfig, &(scudo_malloc_postinit)>::quarantineOrDeallocateChunk(scudo::Options const&, void*, scudo::Chunk::UnpackedHeader*, unsigned long)+920) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)
#01 pc 000000000004ba54 /apex/com.android.runtime/lib64/bionic/libc.so (scudo::Allocator<scudo::AndroidNormalConfig, &(scudo_malloc_postinit)>::deallocate(void*, scudo::Chunk::Origin, unsigned long, unsigned long)+212) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)
#02 pc 0000000000059fc8 /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)
#03 pc 00000000000607b0 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)
Cause: [MTE]: Buffer Underflow, 192 bytes left of a 19-byte allocation at 0x748d44d5e0
Cause: [MTE]: Buffer Underflow, 288 bytes left of a 26-byte allocation at 0x748d44d640
Memory tags around the fault address (0xb0000748d44d520), one tag per 16 bytes:
0x748d44cd00: 0 9 9 0 9 9 0 8 8 0 2 2 0 1 1 0
0x748d44ce00: a a 0 b b 0 2 2 0 c c 0 b b 0 3
0x748d44cf00: 3 0 1 1 0 7 7 0 e e 0 2 2 0 c c
0x748d44d000: 0 5 5 0 1 1 0 a a 0 5 5 0 2 2 0
0x748d44d100: c c 0 a a 0 d d 0 b b 0 3 3 0 2
0x748d44d200: 2 0 a a 0 4 4 0 b b 0 f f 0 9 9
0x748d44d300: 0 1 1 0 a a 0 3 3 0 b b 0 3 3 0
0x748d44d400: 8 8 0 6 6 0 f f 0 3 3 0 c c 0 6
=>0x748d44d500: 6 0 [4] 4 0 2 2 0 7 7 0 6 6 0 b b
0x748d44d600: 0 2 2 0 b b 0 1 1 0 5 5 0 6 6 0
0x748d44d700: 1 1 0 e e 0 a a 0 4 4 0 4 4 0 5
0x748d44d800: 5 0 7 7 0 4 4 0 d d 0 c c 0 d d
0x748d44d900: 0 5 5 0 7 7 0 d d 0 d d 0 7 7 0
0x748d44da00: f f 0 1 1 0 e e 0 6 6 0 3 3 0 1
0x748d44db00: 1 0 5 5 0 2 2 0 1 1 0 a a 0 b b
0x748d44dc00: 0 d d 0 1 1 0 f f 0 9 9 0 1 1 0
Learn more about MTE reports: https://source.android.com/docs/security/test/memory-safety/mte-reports
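As an added illustration (not code from this thread or from the app), a small parser for the tombstone fields quoted above: it pulls the ranked `Cause:` lines, rebuilds the granule-to-tag map from the "Memory tags" dump, and checks the pointer's tag (top nibble of the fault address) against the tag stored for the faulting 16-byte granule, which is what SEGV_MTESERR reports. The excerpt is constructed from the values on this page.

```python
import re

# Constructed excerpt of the MTE tombstone quoted in this thread (values as on the page).
TOMBSTONE = """\
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0b0000748d44d520
Cause: [MTE]: Use After Free, 0 bytes into a 32-byte allocation at 0x748d44d520
Cause: [MTE]: Buffer Underflow, 192 bytes left of a 19-byte allocation at 0x748d44d5e0
Memory tags around the fault address (0xb0000748d44d520), one tag per 16 bytes:
0x748d44d400: 8 8 0 6 6 0 f f 0 3 3 0 c c 0 6
=>0x748d44d500: 6 0 [4] 4 0 2 2 0 7 7 0 6 6 0 b b
0x748d44d600: 0 2 2 0 b b 0 1 1 0 5 5 0 6 6 0
"""

GRANULE = 16  # MTE tags memory in 16-byte granules

def pointer_tag(addr):
    """Logical tag carried in bits 56..59 of an MTE-tagged pointer."""
    return (addr >> 56) & 0xF

def untagged(addr):
    """Strip the top byte to get the address actually accessed."""
    return addr & ((1 << 56) - 1)

CAUSE_RE = re.compile(r"Cause: \[MTE\]: ([^,]+), (\d+) bytes (?:into|left of) a (\d+)-byte allocation at (0x[0-9a-f]+)")
TAGROW_RE = re.compile(r"^(?:=>)?(0x[0-9a-f]+): (.+)$", re.M)

def parse_tombstone(text):
    """Return (fault address, causes in reported likelihood order, granule->tag map)."""
    fault = int(re.search(r"fault addr (0x[0-9a-f]+)", text).group(1), 16)
    causes = [{"kind": m.group(1), "offset": int(m.group(2)), "size": int(m.group(3)),
               "addr": int(m.group(4), 16)} for m in CAUSE_RE.finditer(text)]
    tags = {}
    for m in TAGROW_RE.finditer(text):
        base = int(m.group(1), 16)
        for i, t in enumerate(m.group(2).split()):       # "[4]" marks the faulting granule
            tags[base + i * GRANULE] = int(t.strip("[]"), 16)
    return fault, causes, tags

def explain_fault(text):
    """Summarise why the access faulted: pointer tag vs. memory tag at the granule."""
    fault, causes, tags = parse_tombstone(text)
    granule = untagged(fault) & ~(GRANULE - 1)
    return {
        "pointer_tag": pointer_tag(fault),
        "memory_tag": tags[granule],
        "mismatch": pointer_tag(fault) != tags[granule],
        "top_cause": causes[0]["kind"],
        "alloc_size": causes[0]["size"],
        "fault_at_alloc_start": causes[0]["addr"] == granule and causes[0]["offset"] == 0,
    }
```

For the report above this yields pointer tag 0xb against memory tag 0x4 at 0x748d44d520, i.e. the freed chunk was retagged and the stale pointer no longer matches, which is why the first-ranked cause is the use-after-free.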
Looking at the very short stack traces, I agree this is probably an upstream issue.
I am not directly using libfilament as dependency, but com.google.ar.sceneform, which is not maintained anymore.
The libfilament version used by that sceneform version was com.google.ar.sceneform:filament-android:1.17.1
Switching to a community-maintained version of sceneform https://github.com/SceneView/sceneform-android MIGHT solve the issue, at least a newer version of libfilament is probably used. However, that community maintained version is also already not maintained anymore as per the project's readme. And whether it would fix the issue, I don't know.
There is an even newer replacement, https://github.com/SceneView/sceneview-android , but I think this is for Jetpack Compose, i.e. using that would require the whole UI (i.e. basically the whole app) to be rewritten in Jetpack Compose.
Anyway, I would try to replace the google sceneform with the community maintained sceneform, however, ARCore crashes on my phone now since I installed LineageOS (see https://github.com/google-ar/arcore-android-sdk/issues/1595 ) so I can neither use my own app nor test on it. I don't think that issue will ever get fixed.
Switching to a community-maintained version of sceneform https://github.com/SceneView/sceneform-android MIGHT solve the issue
I tried that out shortly, and it blew up the app's size from 7MB to 50MB. I don't know about that... if the library doesn't even have proper Proguard rules so that unused code can be shrunk, I am not sure what to think about the library's quality overall. Well, it at least didn't crash for me when I quickly tried it out, but the old sceneform 1.17 also doesn't crash for me.
The newer https://github.com/SceneView/sceneview-android on the other hand seems to have a completely different API and I didn't find good documentation on this.
Thanks for working through making this a standalone app, in addition to solving the license nonsense it's actually a useful app outside of SC as well :).
Today when using it from within Streetcomplete I got the following crash. It crashed once out of measuring for 4 or so quests. Otherwise it worked fine. I'm not sure if the following crash log is useful at all, but here it is:
(Just to be clear, I mostly wanted to document this (and not lose the crash log) in case this happens again/for more people. It might have very well just been a fluke, who knows.)