libhwui.so crash due to offscreenBuffer is NULL


阿炳

Jun 20, 2017, 9:56:28 AM
to android-platform

Hi, I'm a developer from the UC Browser team, Alibaba Group.

Our app has been suffering from a crash in hwui for a long time; it is the top crash reason in the UC Browser app in China.


Crash Stack:

signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000010
  r0 00000000  r1 00000000  r2 d3575428  r3 00000cf3
  r4 d3575428  r5 d597f408  r6 00000000  r7 d597f374
  r8 d597f380  r9 f3c33268  10 f3c332e0  fp f39eea40
  ip d3dd7008  sp d597f340  lr f3bd8487  pc f3c14a8e  cpsr 600f0030
    >>> [translate by crash parser] <<<
    00 pc 0005ea8e /system/lib/libhwui.so
    01 pc 00022483 /system/lib/libhwui.so
    02 pc 000220e9 /system/lib/libhwui.so
    03 pc 00023cb7 /system/lib/libhwui.so
    04 pc 0002713d android::uirenderer::renderthread::RenderThread::threadLoop() LINE:libhwui.so
    05 pc 0000e395 android::Thread::_threadLoop(void*) LINE:libutils.so
    06 pc 00058621 android::AndroidRuntime::javaThreadShell(void*) LINE:libandroid_runtime.so
    07 pc 00047463 __pthread_start(void*) LINE:libc.so
    08 pc 00019e2d __start_thread LINE:libc.so

code around pc:
    f3c14a4c 447a4479 e93ef7ba 0001d518 00019095  yDzD..>.........
    f3c14a5c 00012b3b 000190af 0001d4d0 41f0e92d  ;+..........-..A
    f3c14a6c b08aaf03 f36f466c 46a50403 48534605  ....lFo....F.FSH
    f3c14a7c 460e4614 68004478 90096800 28006968  .F.FxD.h.h..hi.(
    f3c14a8c ed96d17b eeb80a04 ec942a40 eeb50a02  {.......@*......
    f3c14a9c eef10ac0 d80ffa10 0ac0eef5 fa10eef1  ................
    f3c14aac ed96d80a eeb83a03 ed943a43 eeb41a02  .....:..C:......
    f3c14abc eef11ac3 da54fa10 1a02ed94 005cf106  ......T.......\.
    f3c14acc 1a03edd4 0c00fff4 fffca904 fff41c00  ................
    f3c14adc fffc2c01 eff03c01 eff204a1 fffb14a3  .,...<..........
    f3c14aec f9410760 f7bb0aef f04feab4 616e0800  `.A.......O...na
    f3c14afc 80bcf886 f7c16868 4601fdcf 68686129  ....hh.....F)ahh
    f3c14b0c fdc1f7c1 f6486bb3 f6485040 f64041e0  .....kH.@PH..A@.
    f3c14b1c f8cd52e1 f7bb8000 f7c9ee80 2801fc4d  .R..........M..(
    f3c14b2c f648d033 f7bc5040 4603ed5c 40d5f648  3.H.@P..\..FH..@
    f3c14b3c d1364283 1203e9d6 f0004628 4628f85b  .B6.....(F..[.(F

code around lr:
    f3bd8444 48626730 f7f74478 e9d5e8a4 1a09010c  0gbHxD..........
    f3bd8454 db3b2905 9178f8df 32fff04f a174f8df  .);...x.O..2..t.
    f3bd8464 06a1eb02 44f946e8 e00044fa f8506b28  .....F.D.D..(kP.
    f3bd8474 6bb87026 6b39b130 0208f107 f03c4620  &p.k0.9k.... F<.
    f3bd8484 e017faf1 0112e9d7 d01c4288 1200e9d7  .........B......
    f3bd8494 f03c4620 6338faa1 1201e9dd d0044291   F<...8c.....B..
    f3bd84a4 98016008 90013004 f107e004 46400130  .`...0......0.@F
    f3bd84b4 fda2f7fc 46214638 4653464a ffcaf040  ....8F!FJFSF@...
    f3bd84c4 f03c4620 3e01fc2d dacf2e01 0384f895   F<.-..>........
    f3bd84d4 6b28b1a8 46206805 0608f105 1200e9d5  ..(k.h F........
    f3bd84e4 f03c4633 4a3cfcc3 4b3c4628 447a4621  3F<...<J(F<K!FzD
    f3bd84f4 f040447b 4620ffaf f03c4631 e9ddfce5  {D@... F1F<.....
    f3bd8504 42b55600 f855d007 46201b04 fb72f03c  .V.B..U... F<.r.
    f3bd8514 d1f842ae b16d9d00 42a89801 1f01d007  .B....m....B....
    f3bd8524 0203f06f ea221b49 44080101 46289001  o...I."....D..(F
    f3bd8534 ebd8f7f6 9903482a 68004478 1a406800  ....*H..xD.h.h@.

 

When I disassembled the code around the PC register, I got instructions like:


f54cba28: e92d 41f0 stmdb sp!, {r4, r5, r6, r7, r8, lr}
f54cba2c: af03      add  r7, sp, #12
f54cba2e: b08a      sub  sp, #40 ; 0x28
f54cba30: 466c      mov  r4, sp
f54cba32: f36f 0403 bfc  r4, #0, #4
f54cba36: 46a5      mov  sp, r4
f54cba38: 4605      mov  r5, r0
f54cba3a: 484e      ldr  r0, [pc, #312] ; (0xf54cbb74)
f54cba3c: 4614      mov  r4, r2
f54cba3e: 460e      mov  r6, r1
f54cba40: 4478      add  r0, pc
f54cba42: 6800      ldr  r0, [r0, #0]
f54cba44: 6800      ldr  r0, [r0, #0]
f54cba46: 9009      str  r0, [sp, #36]  ; 0x24
f54cba48: 6968      ldr  r0, [r5, #20]
f54cba4a: 2800      cmp  r0, #0
f54cba4c: d170      bne.n 0xf54cbb30
f54cba4e: ed96 0a04 vldr s0, [r6, #16]          --> PC points here; in a different version of libhwui.so, we can find the same instruction sequence only once.
f54cba52: eeb8 2a40 vcvt.f32.u32 s4, s0
f54cba56: ec94 0a02 vldmia  r4, {s0-s1}
f54cba5a: eeb5 0ac0 vcmpe.f32 s0, #0.0


I succeeded in finding the corresponding code in the Android source:


void BakedOpRenderer::startRepaintLayer(OffscreenBuffer* offscreenBuffer, const Rect& repaintRect) {
    LOG_ALWAYS_FATAL_IF(mRenderTarget.offscreenBuffer, "already has layer...");

    // subtract repaintRect from region, since it will be regenerated
    if (repaintRect.contains(0, 0,
                offscreenBuffer->viewportWidth, offscreenBuffer->viewportHeight)) {   // ----------> HERE, because offscreenBuffer was NULL.
        // repaint full layer, so throw away entire region
        offscreenBuffer->region.clear();
    } else {
        offscreenBuffer->region.subtractSelf(android::Rect(repaintRect.left, repaintRect.top,
                repaintRect.right, repaintRect.bottom));
    }
}


And I guessed the call stack:

Crash Stack:

    >>> [translate by crash parser] <<<
    00 pc 0005ea8e /system/lib/libhwui.so  --> BakedOpRenderer::startRepaintLayer (from PC)
    01 pc 00022483 /system/lib/libhwui.so  --> frameBuilder::replayBakedOps<BakedOpDispatcher> (from LR)
    02 pc 000220e9 /system/lib/libhwui.so  guessed --> RenderContext::buildLayer
    03 pc 00023cb7 /system/lib/libhwui.so  guessed --> MethodInvokeRenderTask::run()
    04 pc 0002713d android::uirenderer::renderthread::RenderThread::threadLoop() LINE:libhwui.so
    05 pc 0000e395 android::Thread::_threadLoop(void*) LINE:libutils.so
    06 pc 00058621 android::AndroidRuntime::javaThreadShell(void*) LINE:libandroid_runtime.so
    07 pc 00047463 __pthread_start(void*) LINE:libc.so
    08 pc 00019e2d __start_thread LINE:libc.so



The data flow of offscreenBuffer is like:

offscreenBuffer <--- LayerBuilder::offscreenBuffer <--- RenderNode::mLayer

I do notice RenderNode::mLayer is set to nullptr for some reason, and I don't know how libhwui.so guarantees RenderNode::mLayer is not null when calling startRepaintLayer.

Here are my questions:

1. Did anyone notice the same kind of crash in BakedOpRenderer::startRepaintLayer?

2. How does libhwui.so guarantee RenderNode::mLayer is not null when calling startRepaintLayer?


Devteam Lakeba

Sep 16, 2017, 3:55:32 PM
to android-platform

I too experienced the same issue recently in Android vitals, mostly on Android Marshmallow and Nougat.

native: pc 000000000004276c /system/lib/libc.so (tgkill+12)
native: pc 0000000000040379 /system/lib/libc.so (pthread_kill+32)
native: pc 000000000001ca9b /system/lib/libc.so (raise+10)
native: pc 0000000000019d19 /system/lib/libc.so (__libc_android_abort+34)
native: pc 000000000001755c /system/lib/libc.so (abort+4)
native: pc 0000000000008727 /system/lib/libcutils.so (__android_log_assert+86)
native: pc 0000000000020231 /system/lib/libhwui.so
native: pc 000000000001d4f9 /system/lib/libhwui.so
native: pc 000000000001f23b /system/lib/libhwui.so
native: pc 0000000000022331 /system/lib/libhwui.so (_ZN7android10uirenderer12renderthread12RenderThread10threadLoopEv+80)
native: pc 0000000000010205 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
native: pc 00000000000622f3 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+70)
native: pc 000000000003fc7b /system/lib/libc.so (_ZL15__pthread_startPv+30)
native: pc 000000000001a39b /system/lib/libc.so (__start_thread+6)
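A small triage script, added here as an example and not part of either post, that parses the two stack formats quoted in this thread (the "00 pc …" tombstone lines from the first post and the "native: pc …" lines from the reply above) and classifies the crash: a SIGSEGV whose fault address is below one page is a NULL base plus a field offset (0x10 here, matching r6 = 0 and the `vldr s0, [r6, #16]` read in the first post), whereas a stack that reaches abort() through __android_log_assert is an assertion abort rather than a memory fault. The sample dumps are constructed from lines on the page, and the page-size threshold is an assumption.

```python
import re

PAGE_SIZE = 0x1000  # a fault addr below one page means a NULL base plus a field offset (0x10 here)

# Constructed samples, copied from the two stack formats quoted in this thread.
SIGSEGV_DUMP = """signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000010
    00 pc 0005ea8e /system/lib/libhwui.so 
    01 pc 00022483 /system/lib/libhwui.so 
    04 pc 0002713d android::uirenderer::renderthread::RenderThread::threadLoop() LINE:libhwui.so"""
ABORT_DUMP = """native: pc 000000000004276c /system/lib/libc.so (tgkill+12)
native: pc 0000000000008727 /system/lib/libcutils.so (__android_log_assert+86)
native: pc 0000000000020231 /system/lib/libhwui.so"""

SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\).*?fault addr ([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^(?:\s*\d\d\s+|native:\s+)pc\s+([0-9a-fA-F]+)\s+(.*?)\s*$")
PAREN_SYM_RE = re.compile(r"^(\S+) \((\S+?)\+\d+\)$")
# Symbols of the signal/abort plumbing that sits above the frame that actually failed.
ABORT_SYMS = {"tgkill", "pthread_kill", "raise", "__libc_android_abort", "abort", "__android_log_assert"}

def parse_frame(rest):
    """Split the text after 'pc <addr>' into (lib, symbol) for either format."""
    if " LINE:" in rest:                      # format A: 'symbol LINE:lib'
        sym, lib = rest.rsplit(" LINE:", 1)
        return lib, sym
    m = PAREN_SYM_RE.match(rest)              # format B: 'lib (symbol+offset)'
    if m:
        return m.group(1), m.group(2)
    return rest, None                         # unsymbolised frame: lib only

def parse_dump(text):
    dump = {"signal": None, "fault_addr": None, "frames": []}
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            dump["signal"], dump["fault_addr"] = m.group(2), int(m.group(3), 16)
        elif (m := FRAME_RE.match(line)):
            lib, sym = parse_frame(m.group(2))
            dump["frames"].append({"pc": int(m.group(1), 16), "lib": lib, "sym": sym})
    return dump

def triage(dump):
    """'assert-abort' (a LOG_ALWAYS_FATAL-style path), 'null-deref', 'wild-pointer' or 'unknown'."""
    if any(f["sym"] in ABORT_SYMS for f in dump["frames"]):
        return "assert-abort"
    if dump["signal"] == "SIGSEGV" and dump["fault_addr"] is not None:
        return "null-deref" if dump["fault_addr"] < PAGE_SIZE else "wild-pointer"
    return "unknown"

def crashing_frame(dump):
    """First frame outside the abort plumbing; for a plain SIGSEGV that is frame 00."""
    return next((f for f in dump["frames"] if f["sym"] not in ABORT_SYMS), None)
```

For the null-deref case the fault address is the offset of the dereferenced field, so it can be matched against the load immediate (`[r6, #16]`) and the struct member at that offset, as the first post does by hand.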

Devteam Lakeba

Oct 2, 2017, 11:37:35 AM
to android-platform

Any updates...?


On Tuesday, 20 June 2017 19:26:28 UTC+5:30, 阿炳 wrote:

Chao Yu

Jul 8, 2018, 8:18:00 PM
to android-platform

Hi 阿炳:
I'm a developer from Tencent. Our team has met many RenderNode native crashes; if you are willing, could we discuss it?

On Sunday, September 17, 2017 at 3:55:32 AM UTC+8, Devteam Lakeba wrote:

790305...@gmail.com

Dec 12, 2018, 10:38:21 AM
to android-platform

Hello, my team also meets this problem and we have no solution! Have you solved this issue?

On Tuesday, June 20, 2017 at 9:56:28 PM UTC+8, 阿炳 wrote: