Skip to content

GitLab

Closed
Created by Sébastien Blin@sblinOwner

Crash in OpenSL Layer - Android

Potential crash on playstore:

backtrace:
  #00  pc 0000000000085888  /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+248)
  #00  pc 00000000009cf9ec  /data/app/~~QWALmU1nwmeEvS6MLMbQ2Q==/cx.ring-IkugpkPqtZLOBFWZ6inK1Q==/lib/arm64/libring.so
  #00  pc 00000000009d18d8  /data/app/~~QWALmU1nwmeEvS6MLMbQ2Q==/cx.ring-IkugpkPqtZLOBFWZ6inK1Q==/lib/arm64/libring.so
  #00  pc 000000000001c0e8  /system/lib64/libwilhelm.so (audioTrack_callBack_pullFromBuffQueue(int, void*, void*)+180)
  #00  pc 0000000000079c68  /system/lib64/libaudioclient.so (android::AudioTrack::processAudioBuffer()+2368)
  #00  pc 0000000000078f7c  /system/lib64/libaudioclient.so (android::AudioTrack::AudioTrackThread::threadLoop()+312)
  #00  pc 00000000000154dc  /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+460)
  #00  pc 00000000000a4d20  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+140)
  #00  pc 0000000000014cd8  /system/lib64/libutils.so (thread_data_t::trampoline(thread_data_t const*)+412)
  #00  pc 00000000000eb0ec  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+64)
  #00  pc 000000000008b850  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64)

On my device:

2021-12-15 10:27:34.827 26087-26087/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-12-15 10:27:34.827 26087-26087/? A/DEBUG: Build fingerprint: 'motorola/kiev_retailu/kiev:11/RZKS31.Q3-25-15-1/d940e8:user/release-keys'
2021-12-15 10:27:34.827 26087-26087/? A/DEBUG: Revision: 'pvt'
2021-12-15 10:27:34.827 26087-26087/? A/DEBUG: ABI: 'arm64'
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG: Timestamp: 2021-12-15 10:27:34-0500
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG: pid: 22160, tid: 26084, name: AudioTrack  >>> cx.ring <<<
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG: uid: 10387
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8ecfe25800000000
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x0  8ecfe25800000000  x1  b4000072d1ce0b00  x2  00000000000001e0  x3  8ecfe25800000000
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x4  b4000072d1ce0ce0  x5  8ecfe258000001e0  x6  0000000000000000  x7  0000000000000000
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x8  00000000000000f0  x9  0000000000000000  x10 8ecfe26000000071  x11 0000000000000000
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x12 0000000000000000  x13 0000000000000000  x14 0000000000000002  x15 00000071e214c000
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x16 0000007185219fe8  x17 0000007483a222c0  x18 0000007180846000  x19 b400007331c1c400
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x20 b400007331c1b9b0  x21 00000071e214ba00  x22 b4000072a1c21130  x23 b400007331c1bbd8
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x24 000000748308cea9  x25 00000071e214c000  x26 0000007183fc8454  x27 00000074851c0140
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     x28 00000071e214ba08  x29 00000071e214b5d0
2021-12-15 10:27:34.828 26087-26087/? A/DEBUG:     lr  0000007183fc7f50  sp  00000071e214b5b0  pc  0000007483a22248  pst 0000000020001000
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG: backtrace:
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #00 pc 000000000004a248  /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+248) (BuildId: 1fdafb7d457cc367eb58ced21a4fa8ac)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #01 pc 0000000000e79f4c  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::enable_if<(is_same<std::__ndk1::remove_const<short const>::type, short>::value) && (is_trivially_copy_assignable<short>::value), short*>::type std::__ndk1::__copy<short const, short>(short const*, short const*, short*)+80)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #02 pc 0000000000e79eec  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (short* std::__ndk1::copy<short const*, short*>(short const*, short const*, short*)+84)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #03 pc 0000000000e747f8  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::enable_if<__is_cpp17_random_access_iterator<short const*>::value, short*>::type std::__ndk1::copy_n<short const*, int, short*>(short const*, int, short*)+52)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #04 pc 0000000000e72000  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (jami::OpenSLLayer::engineServiceRing()+572)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #05 pc 0000000000e774d4  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (decltype(*(std::__ndk1::forward<jami::OpenSLLayer*&>(fp0)).*fp()) std::__ndk1::__invoke<void (jami::OpenSLLayer::*&)(), jami::OpenSLLayer*&, void>(void (jami::OpenSLLayer::*&)(), jami::OpenSLLayer*&)+100)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #06 pc 0000000000e77460  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::__bind_return<void (jami::OpenSLLayer::*)(), std::__ndk1::tuple<jami::OpenSLLayer*>, std::__ndk1::tuple<>, __is_valid_bind_return<void (jami::OpenSLLayer::*)(), std::__ndk1::tuple<jami::OpenSLLayer*>, std::__ndk1::tuple<> >::value>::type std::__ndk1::__apply_functor<void (jami::OpenSLLayer::*)(), std::__ndk1::tuple<jami::OpenSLLayer*>, 0ul, std::__ndk1::tuple<> >(void (jami::OpenSLLayer::*&)(), std::__ndk1::tuple<jami::OpenSLLayer*>&, std::__ndk1::__tuple_indices<0ul>, std::__ndk1::tuple<>&&)+72)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #07 pc 0000000000e77408  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::__bind_return<void (jami::OpenSLLayer::*)(), std::__ndk1::tuple<jami::OpenSLLayer*>, std::__ndk1::tuple<>, __is_valid_bind_return<void (jami::OpenSLLayer::*)(), std::__ndk1::tuple<jami::OpenSLLayer*>, std::__ndk1::tuple<> >::value>::type std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>::operator()<>()+40)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #08 pc 0000000000e773bc  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (decltype(std::__ndk1::forward<std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>&>(fp)()) std::__ndk1::__invoke<std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>&>(std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>&)+24)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #09 pc 0000000000e77370  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (void std::__ndk1::__invoke_void_return_wrapper<void>::__call<std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>&>(std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>&)+24)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #10 pc 0000000000e77348  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::__function::__alloc_func<std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>, std::__ndk1::allocator<std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*> >, void ()>::operator()()+24)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #11 pc 0000000000e76308  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::__function::__func<std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*>, std::__ndk1::allocator<std::__ndk1::__bind<void (jami::OpenSLLayer::*)(), jami::OpenSLLayer*> >, void ()>::operator()()+24)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #12 pc 0000000000c2dc14  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::__function::__value_func<void ()>::operator()() const+56)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #13 pc 0000000000c2d6f0  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (std::__ndk1::function<void ()>::operator()() const+20)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #14 pc 0000000000e7a5d0  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (jami::opensl::AudioPlayer::processSLCallback(SLAndroidSimpleBufferQueueItf_ const* const*)+336)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #15 pc 0000000000e7a470  /data/app/~~Vlyg2gq6SPkC7Wb7M_ToPg==/cx.ring-u9ihF0JKX163ILKSJyh-FA==/lib/arm64/libring.so (jami::opensl::bqPlayerCallback(SLAndroidSimpleBufferQueueItf_ const* const*, void*)+28)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #16 pc 000000000001c118  /system/lib64/libwilhelm.so (audioTrack_callBack_pullFromBuffQueue(int, void*, void*)+180) (BuildId: 3dc436cad2f5774c2a5d1236156e2640)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #17 pc 0000000000078b78  /system/lib64/libaudioclient.so (android::AudioTrack::processAudioBuffer()+2376) (BuildId: e6b35b953c2ab1e220e508553e2c3803)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #18 pc 0000000000077f40  /system/lib64/libaudioclient.so (android::AudioTrack::AudioTrackThread::threadLoop()+272) (BuildId: e6b35b953c2ab1e220e508553e2c3803)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #19 pc 0000000000015598  /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+460) (BuildId: 5d6af74124211886d954d61c96514a46)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #20 pc 00000000000a1ec8  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+144) (BuildId: 8dd68419fe710778585e2c5c133d86e0)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #21 pc 0000000000014d94  /system/lib64/libutils.so (thread_data_t::trampoline(thread_data_t const*)+412) (BuildId: 5d6af74124211886d954d61c96514a46)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #22 pc 00000000000afc6c  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+64) (BuildId: 1fdafb7d457cc367eb58ced21a4fa8ac)
2021-12-15 10:27:34.868 26087-26087/? A/DEBUG:       #23 pc 00000000000502c8  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 1fdafb7d457cc367eb58ced21a4fa8ac)
2021-12-15 10:27:35.236 991-991/? E/tombstoned: Tombstone written to: /data/tombstones/tombstone_11
2021-12-15 10:27:35.274 1697-8175/? E/FrameEvents: updateAcquireFence: Did not find frame.

Randomly happens when receiving a crash.

Observations. buf->cap_ is completely incorrect, so it's rather a bad queue or a bad buf_manager.h

Edited by Sébastien Blin