Re: Calculator crashes on AOSP 7.1.1_ r13 under AddressSanitizer (AtlasService)

37 views
Skip to first unread message

John Reck

unread,
Feb 10, 2017, 6:20:48 PM2/10/17
to art...@samsung.com, android-platform
My guess would be this is an issue caused by address sanitizer itself or the mechanism used to run under it. The pixelRef addresses are allocated in zygote as part of asset preloading, which both system_server and applications fork off of. There's an isCompatible check in AssetAtlasService that ensures that we only try to use the atlas if both the application's process as the service's process are forked from the same zygote (app's ppid() == service's ppid()).

If you run without address sanitizer you should be able to verify that all the addresses in the asset atlas are visible (and the same) in both system_server & calculator.

On Wed, Feb 8, 2017 at 11:39 PM, <art...@samsung.com> wrote:
Hello

I am trying to run AOSP calculator under address sanitizer on AOSP Android 7.1.1_r13 on angler device.
Each time I launch calculator it crashes in
#0  0x0000007b82df72d8 in SkImageInfo::width (this=0x716a563be0) at external/skia/include/core/SkImageInfo.h:221
#1  0x0000007b82e346f8 in android::uirenderer::AssetAtlas::createEntries (this=0x7b68f7b3d0, caches=..., map=0x7b6b5b0e80, count=294)
    at frameworks/base/libs/hwui/AssetAtlas.cpp:114
#2  0x0000007b82e34140 in android::uirenderer::AssetAtlas::init (this=0x7b68f7b3d0, buffer=..., map=0x7b6b5b0e80, count=294) at frameworks/base/libs/hwui/AssetAtlas.cpp:44
#3  0x0000007b82dc5d08 in android::uirenderer::renderthread::EglManager::initAtlas (this=0x7b7e85cb40) at frameworks/base/libs/hwui/renderthread/EglManager.cpp:210
#4  0x0000007b82dc43b4 in android::uirenderer::renderthread::EglManager::initialize (this=0x7b7e85cb40) at frameworks/base/libs/hwui/renderthread/EglManager.cpp:131
#5  0x0000007b82dc67f0 in android::uirenderer::renderthread::EglManager::createSurface (this=0x7b7e85cb40, window=0x7b6ddcb090)
    at frameworks/base/libs/hwui/renderthread/EglManager.cpp:226
#6  0x0000007b82d9cfa0 in android::uirenderer::renderthread::CanvasContext::setSurface (this=0x7b6e378100, surface=0x7b6ddcb080)
    at frameworks/base/libs/hwui/renderthread/CanvasContext.cpp:108
#7  0x0000007b82d9e5b8 in android::uirenderer::renderthread::CanvasContext::initialize (this=0x7b6e378100, surface=0x7b6ddcb080)
    at frameworks/base/libs/hwui/renderthread/CanvasContext.cpp:128
#8  0x0000007b82dcd9bc in android::uirenderer::renderthread::Bridge_initialize (args=0x7b7ea3ae40) at frameworks/base/libs/hwui/renderthread/RenderProxy.cpp:141
#9  0x0000007b82dd2b64 in android::uirenderer::renderthread::MethodInvokeRenderTask::run (this=0x7b7ea3ae20) at frameworks/base/libs/hwui/renderthread/RenderTask.h:83
#10 0x0000007b82de056c in android::uirenderer::renderthread::RenderThread::threadLoop (this=0x7b7d25de40) at frameworks/base/libs/hwui/renderthread/RenderThread.cpp:287
#11 0x0000007b825eef44 in android::Thread::_threadLoop (user=0x7b7d25de40) at system/core/libutils/Threads.cpp:751
#12 0x0000007b83ffb1f4 in android::AndroidRuntime::javaThreadShell (args=<optimized out>) at frameworks/base/core/jni/AndroidRuntime.cpp:1173
#13 0x0000007b825ed780 in thread_data_t::trampoline (t=0x7b69154a00) at system/core/libutils/Threads.cpp:99
#14 0x0000007b86a246c0 in __pthread_start (arg=<optimized out>) at bionic/libc/bionic/pthread_create.cpp:198
#15 0x0000007b869d9a80 in __start_thread (fn=0x716a563be0, arg=0x716a563be0) at bionic/libc/bionic/clone.cpp:41
#16 0x0000000000000000 in ?? ()

At frame #1 i = 3 and pixelRef = 0x716a563bc0. But there is no such virtual address in this process.
I investigated code and found out that the parameter int64_t* map is retrieved from atlasservice and has format:
1. address of SkBitmap : 8 bytes
2. x coordinate : 8 byte
3. y coordinate: 8 byte.
I suppose that atlasservice is running inside the system_service process. I looked at /proc/<pid of system_server>/maps and
found out that system_server has virtual address 0x716a563bc0
716a400000-716a600000 rw-p 00000000 00:00 0                              [anon:libc_malloc]

So this issue looks like the system server sends to an application process his virtual address but the application can't read data by this address because application has different virtual addresses.

Is it a bug or I am doing something wrong? Is memory contains SkBitmaps should be mapped into the application process?


Thank you.

Artem Udovichenko

unread,
Feb 13, 2017, 11:34:42 AM2/13/17
to John Reck, android-platform

Thank you for reply, John

Yes, applications running under address sanitizer does not forks from zygote because they need modified app_process.

John Reck

unread,
Feb 14, 2017, 2:54:37 PM2/14/17
to Artem Udovichenko, android-platform
It's not clear to me why the isCompatible check would return true, then. I'd recommend just locally disabling AssetAtlasService (have isCompatible always return false) while debugging with address sanitizer.

Artem Udovichenko

unread,
Feb 15, 2017, 10:00:37 AM2/15/17
to John Reck, android-platform

Hello, John.

When a sanitized process is launching it forks from the zygote and shares memory with system_server.
But after fork it calls exec system call to execute asanwrapper executable and from this time process
does not shares memory with system_server. But ppid == android.os.Process.myPpid() is still true
because the child process and the system server are forked from the same zygote.

So I'll disable AssetAtlasService locally as you suggested.

Thank you very much for your help, John.

Reply all
Reply to author
Forward
0 new messages