streetcomplete / StreetMeasure

Measure distances with AR
Apache License 2.0

one-time crash #1

Open Bubu opened 1 year ago

Bubu commented 1 year ago

Thanks for working through making this a standalone app, in addition to solving the license nonsense it's actually a useful app outside of SC as well :).

Today when using it from within Streetcomplete I got the following crash. It crashed once out of measuring for 4 or so quests. Otherwise it worked fine. I'm not sure if the following crash log is useful at all, but here it is:

--------- beginning of crash
02-12 14:34:39.648  6946  6946 E AndroidRuntime: FATAL EXCEPTION: main
02-12 14:34:39.648  6946  6946 E AndroidRuntime: Process: com.google.android.gms.ui, PID: 6946
02-12 14:34:39.648  6946  6946 E AndroidRuntime: android.app.RemoteServiceException$CannotDeliverBroadcastException: can't deliver broadcast
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at android.app.ActivityThread.throwRemoteServiceException(ActivityThread.java:1979)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at android.app.ActivityThread.-$$Nest$mthrowRemoteServiceException(Unknown Source:0)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2241)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at android.os.Looper.loopOnce(Looper.java:201)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:288)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:7872)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
02-12 14:34:39.648  6946  6946 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:936)
02-18 17:17:21.954 23838 23968 F libc    : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7b8038b000 in tid 23968 (binder:23838_4), pid 23838 (t.streetmeasure)
02-18 17:17:22.887 24879 24879 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-18 17:17:22.887 24879 24879 F DEBUG   : Build fingerprint: 'google/sunfish/sunfish:13/TQ1A.230205.002/9471150:user/release-keys'
02-18 17:17:22.887 24879 24879 F DEBUG   : Revision: 'MP1.0'
02-18 17:17:22.887 24879 24879 F DEBUG   : ABI: 'arm64'
02-18 17:17:22.887 24879 24879 F DEBUG   : Timestamp: 2023-02-18 17:17:22.125456263+0100
02-18 17:17:22.887 24879 24879 F DEBUG   : Process uptime: 87s
02-18 17:17:22.887 24879 24879 F DEBUG   : Cmdline: de.westnordost.streetmeasure
02-18 17:17:22.887 24879 24879 F DEBUG   : pid: 23838, tid: 23968, name: binder:23838_4  >>> de.westnordost.streetmeasure <<<
02-18 17:17:22.887 24879 24879 F DEBUG   : uid: 10031
02-18 17:17:22.887 24879 24879 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x0000007b8038b000
02-18 17:17:22.887 24879 24879 F DEBUG   :     x0  b49286952e3edc98  x1  0000000000000000  x2  00000078b2df2804  x3  0000000000000002
02-18 17:17:22.887 24879 24879 F DEBUG   :     x4  0000000000000008  x5  0000000000000004  x6  0000000d00000011  x7  0000000d00000011
02-18 17:17:22.887 24879 24879 F DEBUG   :     x8  0000000000000000  x9  0000007b8038b000  x10 0000007c006e6a90  x11 000000000000000e
02-18 17:17:22.887 24879 24879 F DEBUG   :     x12 0000000000000008  x13 00000078b2df2cc8  x14 00000078b2df2d10  x15 000000006f732570
02-18 17:17:22.888 24879 24879 F DEBUG   :     x16 0000007c16bcb180  x17 0000007c189ab118  x18 00000078b239a000  x19 0000000000090006
02-18 17:17:22.888 24879 24879 F DEBUG   :     x20 b400007990522390  x21 0000000000000002  x22 00000078b2df2804  x23 00000078b2df2d1c
02-18 17:17:22.888 24879 24879 F DEBUG   :     x24 0000007c16bca370  x25 00000078b2df4000  x26 0000000000280001  x27 0000000000000008
02-18 17:17:22.888 24879 24879 F DEBUG   :     x28 00000078b2df2d64  x29 00000078b2df2790
02-18 17:17:22.888 24879 24879 F DEBUG   :     lr  0000007c16b9c4a0  sp  00000078b2df2790  pc  0000007c189ab13c  pst 0000000080000000
02-18 17:17:22.888 24879 24879 F DEBUG   : backtrace:
02-18 17:17:22.888 24879 24879 F DEBUG   :       #00 pc 000000000000113c  /apex/com.android.runtime/lib64/bionic/libdl.so (__cfi_slowpath+36) (BuildId: ce71fb830f8ed38a9446bf6688f75929)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #01 pc 000000000005549c  /system/lib64/libcamera_client.so (android::CameraMetadata::update(unsigned int, int const*, unsigned long)+312) (BuildId: a197830bb3e66bb5b88383c4fdfdb501)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #02 pc 000000000019ca9c  /system/lib64/libandroid_runtime.so (CameraMetadata_writeValues(_JNIEnv*, _jclass*, int, _jbyteArray*, long)+680) (BuildId: 291e123985c6451cfa9be22bc41e3502)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #03 pc 000000000030be14  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (art_jni_trampoline+148)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #04 pc 0000000000209a9c  /apex/com.android.art/lib64/libart.so (nterp_helper+1948) (BuildId: a49c773ef6221a996ecea990e9753caa)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #05 pc 00000000004384b0  /system/framework/framework.jar (android.hardware.camera2.impl.CameraMetadataNative.writeValues+4)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #06 pc 00000000020438b4  /memfd:jit-cache (deleted) (android.hardware.camera2.impl.CameraMetadataNative.setBase+772)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #07 pc 000000000020a2b0  /apex/com.android.art/lib64/libart.so (nterp_helper+4016) (BuildId: a49c773ef6221a996ecea990e9753caa)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #08 pc 00000000004381fc  /system/framework/framework.jar (android.hardware.camera2.impl.CameraMetadataNative.set+28)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #09 pc 000000000020a254  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: a49c773ef6221a996ecea990e9753caa)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #10 pc 0000000000438188  /system/framework/framework.jar (android.hardware.camera2.impl.CameraMetadataNative.set+8)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #11 pc 0000000002019208  /memfd:jit-cache (deleted) (android.hardware.camera2.impl.CameraDeviceImpl$CameraDeviceCallbacks.onResultReceived+776)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #12 pc 000000000202fa9c  /memfd:jit-cache (deleted) (android.hardware.camera2.ICameraDeviceCallbacks$Stub.onTransact+1260)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #13 pc 0000000000b3134c  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.os.Binder.execTransactInternal+1004)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #14 pc 0000000000b30e40  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.os.Binder.execTransact+304)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #15 pc 000000000043436c  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+556) (BuildId: a49c773ef6221a996ecea990e9753caa)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #16 pc 00000000004c7ca4  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithVarArgs<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, std::__va_list)+828) (BuildId: a49c773ef6221a996ecea990e9753caa)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #17 pc 00000000005d4cac  /apex/com.android.art/lib64/libart.so (art::JNI<false>::CallBooleanMethodV(_JNIEnv*, _jobject*, _jmethodID*, std::__va_list)+184) (BuildId: a49c773ef6221a996ecea990e9753caa)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #18 pc 00000000000c0494  /system/lib64/libandroid_runtime.so (_JNIEnv::CallBooleanMethod(_jobject*, _jmethodID*, ...)+120) (BuildId: 291e123985c6451cfa9be22bc41e3502)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #19 pc 000000000016cdf0  /system/lib64/libandroid_runtime.so (JavaBBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+156) (BuildId: 291e123985c6451cfa9be22bc41e3502)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #20 pc 0000000000078980  /system/lib64/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+228) (BuildId: 4924e90f9c6f8d2f340fcbd412099a9f)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #21 pc 0000000000076c98  /system/lib64/libbinder.so (android::IPCThreadState::executeCommand(int)+516) (BuildId: 4924e90f9c6f8d2f340fcbd412099a9f)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #22 pc 00000000000931a0  /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+548) (BuildId: 4924e90f9c6f8d2f340fcbd412099a9f)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #23 pc 0000000000092f68  /system/lib64/libbinder.so (android::PoolThread::threadLoop()+24) (BuildId: 4924e90f9c6f8d2f340fcbd412099a9f)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #24 pc 00000000000148e8  /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+528) (BuildId: 5a0d720732600c94ad8354a1188e9f52)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #25 pc 00000000000c8918  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+140) (BuildId: 291e123985c6451cfa9be22bc41e3502)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #26 pc 00000000000b63b0  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+208) (BuildId: 4e07915368c859b1910c68c84a8de75f)
02-18 17:17:22.888 24879 24879 F DEBUG   :       #27 pc 00000000000530b8  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 4e07915368c859b1910c68c84a8de75f)

(Just to be clear, I mostly wanted to document this (and not lose the crash log) in case this happens again/for more people. It might have very well just been a fluke, who knows.)

westnordost commented 1 year ago

This is a crash in a native Android library, though; also, not a single function from de.westnordost.streetmeasure is mentioned in the stacktrace. So nothing I can do about it.

Generally, nothing I can do about native crashes anyway, as the only native code contained in the app is the proprietary "blob" from Google (ARCore SDK) and Google Filament (used by Google's abandoned sceneform).

Looking at the google developer console, the app crashed four times already for different people. Two in libandroid_runtime.so, one in libfilament-jni.so, one in libgui.so. Could be that all these are ultimately caused by ARCore or sceneform, I have no way to debug this :shrug:

divergentdave commented 3 months ago

I have synchronous MTE enabled on my device, and I have noticed occasional crashes while using the app normally. Here's the beginning of one of two tombstone files I have. (The UAF cause appears in both, so it is most likely the correct cause)

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/shiba/shiba:14/AP1A.240505.004/11583682:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm64'
Timestamp: 2024-05-16 20:09:29.899799997-0500
Process uptime: 980s
Cmdline: de.westnordost.streetmeasure
pid: 30399, tid: 30492, name: FEngine::loop  >>> de.westnordost.streetmeasure <<<
uid: 10323
tagged_addr_ctrl: 000000000007fff3 (PR_TAGGED_ADDR_ENABLE, PR_MTE_TCF_SYNC, mask 0xfffe)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0b0000748d44d520
    x0  0000007609d12484  x1  0000007205bf6260  x2  ffffffffffffffe0  x3  0000007205bf6480
    x4  0000007205bf64e0  x5  0000000000000004  x6  0000000000000001  x7  0000055cae23b465
    x8  0000000000000001  x9  0000000000005751  x10 0000000000000030  x11 0000007609c8f7b4
    x12 0000000000000020  x13 0000000000000001  x14 000000000000001c  x15 0d0000740d4192b0
    x16 0000007609d08030  x17 0000007609c93bc0  x18 0000007205274000  x19 0b0000748d44d520
    x20 0f000074ad411260  x21 0000000000000002  x22 000000720ebf1420  x23 080000747d4bd0c0
    x24 080000747d4bd100  x25 0000007205bf68b0  x26 0000007205bf6bf0  x27 00000000000fc000
    x28 00000000000fe000  x29 0000007205bf6850
    lr  0000007213aa2fcc  sp  0000007205bf6630  pc  0000007213aa2fcc  pst 0000000080001000

1 total frames
backtrace:
      #00 pc 0000000000059fcc  /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)

Note: multiple potential causes for this crash were detected, listing them in decreasing order of likelihood.

Cause: [MTE]: Use After Free, 0 bytes into a 32-byte allocation at 0x748d44d520

deallocated by thread 30492:
      #00 pc 00000000000511c8  /apex/com.android.runtime/lib64/bionic/libc.so (scudo::Allocator<scudo::AndroidNormalConfig, &(scudo_malloc_postinit)>::quarantineOrDeallocateChunk(scudo::Options const&, void*, scudo::Chunk::UnpackedHeader*, unsigned long)+920) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)
      #01 pc 000000000004ba54  /apex/com.android.runtime/lib64/bionic/libc.so (scudo::Allocator<scudo::AndroidNormalConfig, &(scudo_malloc_postinit)>::deallocate(void*, scudo::Chunk::Origin, unsigned long, unsigned long)+212) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)
      #02 pc 0000000000059fc8  /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)
      #03 pc 00000000000607b0  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)

Cause: [MTE]: Buffer Underflow, 192 bytes left of a 19-byte allocation at 0x748d44d5e0

Cause: [MTE]: Buffer Underflow, 288 bytes left of a 26-byte allocation at 0x748d44d640

Memory tags around the fault address (0xb0000748d44d520), one tag per 16 bytes:
      0x748d44cd00: 0  9  9  0  9  9  0  8  8  0  2  2  0  1  1  0
      0x748d44ce00: a  a  0  b  b  0  2  2  0  c  c  0  b  b  0  3
      0x748d44cf00: 3  0  1  1  0  7  7  0  e  e  0  2  2  0  c  c
      0x748d44d000: 0  5  5  0  1  1  0  a  a  0  5  5  0  2  2  0
      0x748d44d100: c  c  0  a  a  0  d  d  0  b  b  0  3  3  0  2
      0x748d44d200: 2  0  a  a  0  4  4  0  b  b  0  f  f  0  9  9
      0x748d44d300: 0  1  1  0  a  a  0  3  3  0  b  b  0  3  3  0
      0x748d44d400: 8  8  0  6  6  0  f  f  0  3  3  0  c  c  0  6
    =>0x748d44d500: 6  0 [4] 4  0  2  2  0  7  7  0  6  6  0  b  b
      0x748d44d600: 0  2  2  0  b  b  0  1  1  0  5  5  0  6  6  0
      0x748d44d700: 1  1  0  e  e  0  a  a  0  4  4  0  4  4  0  5
      0x748d44d800: 5  0  7  7  0  4  4  0  d  d  0  c  c  0  d  d
      0x748d44d900: 0  5  5  0  7  7  0  d  d  0  d  d  0  7  7  0
      0x748d44da00: f  f  0  1  1  0  e  e  0  6  6  0  3  3  0  1
      0x748d44db00: 1  0  5  5  0  2  2  0  1  1  0  a  a  0  b  b
      0x748d44dc00: 0  d  d  0  1  1  0  f  f  0  9  9  0  1  1  0

Learn more about MTE reports: https://source.android.com/docs/security/test/memory-safety/mte-reports

Looking at the very short stack traces, I agree this is probably an upstream issue.
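The MTE tombstone quoted above can be triaged mechanically. The helper below is an added example and is not code from the StreetMeasure project or from anyone in this thread. It embeds the relevant lines of that tombstone as a constructed sample, parses the signal line, the `Cause: [MTE]` lines and the memory-tag dump, extracts the 4-bit pointer tag from bits 56..59 of the fault address, looks up the tag stored for the 16-byte granule the pointer targets, and checks that the two differ, which is the condition that raises SEGV_MTESERR in synchronous mode. It also reconstructs the accessed address from each cause's distance wording so a reader can see that all three listed causes point at the same faulting byte; the arithmetic for "right of" is an assumption, since the report above only contains "into" and "left of".

```python
"""Triage helper for Android MTE (Memory Tagging Extension) tombstones.

Added example, not part of the StreetMeasure project. It reads the signal
line, the "Cause: [MTE]" lines and the memory-tag dump of a tombstone and
verifies the pointer-tag / memory-tag mismatch the report is describing.
"""
import re

# Constructed sample: the relevant lines of the tombstone quoted in the issue.
SAMPLE_TOMBSTONE = """\
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0b0000748d44d520
Cause: [MTE]: Use After Free, 0 bytes into a 32-byte allocation at 0x748d44d520
Cause: [MTE]: Buffer Underflow, 192 bytes left of a 19-byte allocation at 0x748d44d5e0
Cause: [MTE]: Buffer Underflow, 288 bytes left of a 26-byte allocation at 0x748d44d640
Memory tags around the fault address (0xb0000748d44d520), one tag per 16 bytes:
      0x748d44d400: 8  8  0  6  6  0  f  f  0  3  3  0  c  c  0  6
    =>0x748d44d500: 6  0 [4] 4  0  2  2  0  7  7  0  6  6  0  b  b
      0x748d44d600: 0  2  2  0  b  b  0  1  1  0  5  5  0  6  6  0
"""

GRANULE = 16  # MTE stores one 4-bit tag per 16-byte granule

SIGNAL_RE = re.compile(
    r"signal (?P<signo>\d+) \((?P<signame>\w+)\), code (?P<code>\d+) "
    r"\((?P<codename>\w+)\), fault addr 0x(?P<addr>[0-9a-f]+)")
CAUSE_RE = re.compile(
    r"Cause: \[MTE\]: (?P<kind>[^,]+), (?P<dist>\d+) bytes "
    r"(?P<rel>into|left of|right of) a (?P<size>\d+)-byte allocation at "
    r"0x(?P<addr>[0-9a-f]+)")
TAG_ROW_RE = re.compile(r"^\s*(?:=>)?0x(?P<base>[0-9a-f]+):\s*(?P<tags>.*)$",
                        re.MULTILINE)


def pointer_tag(addr):
    """Logical tag carried in bits 56..59 of an MTE-tagged pointer."""
    return (addr >> 56) & 0xF


def untag(addr):
    """Strip the top byte so the address can be compared with dump rows."""
    return addr & ((1 << 56) - 1)


def parse_signal(text):
    m = SIGNAL_RE.search(text)
    if not m:
        raise ValueError("no signal line found")
    return {"signal": m["signame"], "code": m["codename"],
            "fault_addr": int(m["addr"], 16)}


def parse_causes(text):
    """Every candidate cause debuggerd listed, most likely first."""
    return [{"kind": m["kind"], "distance": int(m["dist"]),
             "relation": m["rel"], "size": int(m["size"]),
             "alloc_addr": int(m["addr"], 16)}
            for m in CAUSE_RE.finditer(text)]


def accessed_address(cause):
    """Address a cause refers to, rebuilt from its distance wording.
    'into' and 'left of' follow the report text; 'right of' is assumed to
    mean the distance past the end of the allocation."""
    base, size, d = cause["alloc_addr"], cause["size"], cause["distance"]
    if cause["relation"] == "into":
        return base + d
    if cause["relation"] == "left of":
        return base - d
    return base + size + d


def parse_tag_dump(text):
    """Map each 16-byte granule address to its 4-bit memory tag."""
    tags = {}
    for m in TAG_ROW_RE.finditer(text):
        base = int(m["base"], 16)
        # The faulting granule is printed as "[4]"; the brackets are ignored.
        for i, t in enumerate(re.findall(r"[0-9a-f]", m["tags"])):
            tags[base + i * GRANULE] = int(t, 16)
    return tags


def memory_tag_at(tags, addr):
    return tags.get(untag(addr) & ~(GRANULE - 1))


def triage(text):
    """Summarise the tombstone and verify the tag mismatch it reports."""
    sig = parse_signal(text)
    causes = parse_causes(text)
    tags = parse_tag_dump(text)
    fault = sig["fault_addr"]
    ptag, mtag = pointer_tag(fault), memory_tag_at(tags, fault)
    return {
        "code": sig["code"],
        "fault_addr": untag(fault),
        "pointer_tag": ptag,
        "memory_tag": mtag,
        "tag_mismatch": mtag is not None and mtag != ptag,
        # A cause is consistent if its arithmetic lands on the faulting byte.
        "consistent_causes": [c["kind"] for c in causes
                              if accessed_address(c) == untag(fault)],
        "likely_cause": causes[0]["kind"] if causes else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TOMBSTONE).items():
        print(key, value)
```

Running it on the sample confirms what the report states: the pointer carries tag 0xb, the granule at 0x748d44d520 is tagged 0x4, and all three candidate causes resolve to that same address, so the use-after-free listed first is the one worth chasing in libfilament-jni.so.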

westnordost commented 3 months ago

I am not directly using libfilament as a dependency, but com.google.ar.sceneform, which is not maintained anymore.

The libfilament version used by that sceneform version was com.google.ar.sceneform:filament-android:1.17.1

Switching to a community-maintained version of sceneform https://github.com/SceneView/sceneform-android MIGHT solve the issue, at least a newer version of libfilament is probably used. However, that community maintained version is also already not maintained anymore as per the project's readme. And whether it would fix the issue, I don't know.

There is an even newer replacement, https://github.com/SceneView/sceneview-android , but I think this is for Jetpack Compose, i.e. using that would require the whole UI (i.e. basically the whole app) to be rewritten in Jetpack Compose.

Anyway, I would try to replace the google sceneform with the community maintained sceneform, however, ARCore crashes on my phone now since I installed LineageOS (see https://github.com/google-ar/arcore-android-sdk/issues/1595 ) so I can neither use my own app nor test on it. I don't think that issue will ever get fixed.

westnordost commented 2 weeks ago

Switching to a community-maintained version of sceneform https://github.com/SceneView/sceneform-android MIGHT solve the issue

I tried that out shortly, and it blew up the app's size from 7MB to 50MB. I don't know about that... if the library doesn't even have proper Proguard rules so that unused code can be shrunk, I am not sure what to think about the library's quality overall. Well, it at least didn't crash for me when I quickly tried it out, but the old sceneform 1.17 also doesn't crash for me.

The newer https://github.com/SceneView/sceneview-android on the other hand seems to have a completely different API and I didn't find good documentation on this.