Native crash about binder and LollipopWebContentsAccessibility
Reported by hjchangl...@gmail.com, Sep 28 2017
Issue description

Steps to reproduce the problem:
Not reproducible. It rarely happens when our activity is destroyed. We got the crash log from a long-running automated test.

What is the expected behavior?
No native crash.

What went wrong?
Our app is an Android mailbox app, which uses Chrome as the WebView to display mail content. We have met many native crashes these days. After checking the logs, it may be related to the latest version of Chrome.

09-26 22:29:21.517 10902 10902 I WebViewFactory: Loading com.android.chrome version 61.0.3163.98 (code 316309852)

Error log is below:

--------- beginning of crash
09-26 22:29:43.160 11319 10960 F google-breakpad: Microdump skipped (uninteresting)
09-26 22:29:43.182 10902 10960 W google-breakpad: ### ### ### ### ### ### ### ### ### ### ### ### ###
09-26 22:29:43.183 10902 10960 W google-breakpad: Chrome build fingerprint:
09-26 22:29:43.183 10902 10960 W google-breakpad: 10.70.978788
09-26 22:29:43.183 10902 10960 W google-breakpad: 867021285
09-26 22:29:43.183 10902 10960 W google-breakpad: ### ### ### ### ### ### ### ### ### ### ### ### ###

(10.70.978788 is the version of our app.)

09-26 22:29:43.342 11323 11323 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-26 22:29:43.343 11323 11323 F DEBUG : Build fingerprint: 'htc/ocnwhl_00617/htc_ocnwhl:8.0.0/OPR6.170623.013/981039.1:user/release-keys'
09-26 22:29:43.343 11323 11323 F DEBUG : Revision: '0'
09-26 22:29:43.343 11323 11323 F DEBUG : ABI: 'arm'
09-26 22:29:43.343 11323 11323 F DEBUG : pid: 10902, tid: 10960, name: Binder:10902_3 >>> com.htc.android.mail <<<
09-26 22:29:43.343 11323 11323 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xc
09-26 22:29:43.343 11323 11323 F DEBUG : Cause: null pointer dereference
09-26 22:29:43.343 11323 11323 F DEBUG : r0 f3522a94 r1 00000000 r2 00000000 r3 00000001
09-26 22:29:43.343 11323 11323 F DEBUG : r4 e337fad0 r5 f3593680 r6 f3522a94 r7 00000000
09-26 22:29:43.343 11323 11323 F DEBUG : r8 d31ef920 r9 00000000 sl f48e8d5d fp 00000000
09-26 22:29:43.343 11323 11323 F DEBUG : ip f5b71dc0 sp d30ff8a8 lr f5b45af3 pc f48e6ab2 cpsr 600d0030
09-26 22:29:43.408 11323 11323 F DEBUG :
09-26 22:29:43.408 11323 11323 F DEBUG : backtrace:
09-26 22:29:43.408 11323 11323 F DEBUG : #00 pc 0000cab2 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+49)
09-26 22:29:43.408 11323 11323 F DEBUG : #01 pc 00048aef /system/lib/libbinder.so (_ZN7android14IPCThreadState20processPendingDerefsEv+86)
09-26 22:29:43.409 11323 11323 F DEBUG : #02 pc 00048b31 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+44)
09-26 22:29:43.409 11323 11323 F DEBUG : #03 pc 00060d05 /system/lib/libbinder.so (_ZN7android10PoolThread10threadLoopEv+12)
09-26 22:29:43.409 11323 11323 F DEBUG : #04 pc 0000f1a9 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+140)
09-26 22:29:43.409 11323 11323 F DEBUG : #05 pc 0007abc7 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+102)
09-26 22:29:43.409 11323 11323 F DEBUG : #06 pc 0004959f /system/lib/libc.so (_ZL15__pthread_startPv+22)
09-26 22:29:43.409 11323 11323 F DEBUG : #07 pc 0001b5bd /system/lib/libc.so (__start_thread+32)

Because there is no hint about why it crashed, we searched the log from before it happened and found a strange error log:

09-26 22:29:26.499 10902 10902 E ActivityThread: Activity com.htc.android.mail.activity.ReadThreadActivity has leaked IntentReceiver org.chromium.content.browser.accessibility.LollipopWebContentsAccessibility$1@a0a48be that was originally registered here. Are you missing a call to unregisterReceiver()?
09-26 22:29:26.499 10902 10902 E ActivityThread: android.app.IntentReceiverLeaked: Activity com.htc.android.mail.activity.ReadThreadActivity has leaked IntentReceiver org.chromium.content.browser.accessibility.LollipopWebContentsAccessibility$1@a0a48be that was originally registered here. Are you missing a call to unregisterReceiver()?
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.app.LoadedApk$ReceiverDispatcher.<init>(LoadedApk.java:1402)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.app.LoadedApk.getReceiverDispatcher(LoadedApk.java:1127)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.app.ContextImpl.registerReceiverInternal(ContextImpl.java:1405)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.app.ContextImpl.registerReceiver(ContextImpl.java:1378)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.app.ContextImpl.registerReceiver(ContextImpl.java:1366)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.content.ContextWrapper.registerReceiver(ContextWrapper.java:603)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.content.ContextWrapper.registerReceiver(ContextWrapper.java:603)
09-26 22:29:26.499 10902 10902 E ActivityThread: at org.chromium.content.browser.accessibility.LollipopWebContentsAccessibility.<init>(LollipopWebContentsAccessibility.java:3)
09-26 22:29:26.499 10902 10902 E ActivityThread: at org.chromium.content.browser.ContentViewCore.getAccessibilityNodeProvider(ContentViewCore.java:659)
09-26 22:29:26.499 10902 10902 E ActivityThread: at com.android.webview.chromium.WebViewChromium.getAccessibilityNodeProvider(WebViewChromium.java:636)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.webkit.WebView.getAccessibilityNodeProvider(WebView.java:2623)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.createAccessibilityNodeInfoInternal(View.java:7279)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.createAccessibilityNodeInfo(View.java:7269)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.accessibility.AccessibilityRecord.setSource(AccessibilityRecord.java:146)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.accessibility.AccessibilityRecord.setSource(AccessibilityRecord.java:119)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.onInitializeAccessibilityEventInternal(View.java:7203)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.webkit.WebView.onInitializeAccessibilityEventInternal(WebView.java:2748)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.onInitializeAccessibilityEvent(View.java:7191)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.sendAccessibilityEventUncheckedInternal(View.java:7053)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.sendAccessibilityEventUnchecked(View.java:7038)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.sendAccessibilityEventInternal(View.java:7015)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.sendAccessibilityEvent(View.java:6982)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.onFocusChanged(View.java:6896)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.webkit.WebView.onFocusChanged(WebView.java:2826)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.handleFocusGainInternal(View.java:6593)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.handleFocusGainInternal(ViewGroup.java:733)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.requestFocusNoSearch(View.java:10841)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.requestFocus(View.java:10820)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.requestFocus(ViewGroup.java:3182)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.webkit.WebView.-wrap12(Unknown Source:0)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.webkit.WebView$PrivateAccess.super_requestFocus(WebView.java:2335)
09-26 22:29:26.499 10902 10902 E ActivityThread: at com.android.webview.chromium.WebViewChromium.requestFocus(WebViewChromium.java:841)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.webkit.WebView.requestFocus(WebView.java:2854)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.onRequestFocusInDescendants(ViewGroup.java:3227)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.requestFocus(ViewGroup.java:3186)
09-26 22:29:26.499 10902 10902 E ActivityThread: at com.htc.lib1.cc.view.viewpager.HtcViewPager.onRequestFocusInDescendants(HtcViewPager.java:3345)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.requestFocus(ViewGroup.java:3186)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.onRequestFocusInDescendants(ViewGroup.java:3227)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.requestFocus(ViewGroup.java:3183)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.onRequestFocusInDescendants(ViewGroup.java:3227)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.requestFocus(ViewGroup.java:3183)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.onRequestFocusInDescendants(ViewGroup.java:3227)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.requestFocus(ViewGroup.java:3183)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.onRequestFocusInDescendants(ViewGroup.java:3227)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.requestFocus(ViewGroup.java:3186)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.requestFocus(View.java:10787)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.View.restoreDefaultFocus(View.java:10766)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewGroup.restoreDefaultFocus(ViewGroup.java:3243)
09-26 22:29:26.499 10902 10902 E ActivityThread: at android.view.ViewRootImpl.per
09-26 22:29:26.500 1740 15665 D ActivityManager: unregisterReceiver from pid=10902,uid=10049,rec=67ec986
09-26 22:29:26.501 10902 10902 E ActivityThread: Activity com.htc.android.mail.activity.ReadThreadActivity has leaked IntentReceiver org.chromium.content.browser.accessibility.LollipopWebContentsAccessibility$1@bd279f1 that was originally registered here. Are you missing a call to unregisterReceiver()?
09-26 22:29:26.501 10902 10902 E ActivityThread: android.app.IntentReceiverLeaked: Activity com.htc.android.mail.activity.ReadThreadActivity has leaked IntentReceiver org.chromium.content.browser.accessibility.LollipopWebContentsAccessibility$1@bd279f1 that was originally registered here. Are you missing a call to unregisterReceiver()?
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.app.LoadedApk$ReceiverDispatcher.<init>(LoadedApk.java:1402)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.app.LoadedApk.getReceiverDispatcher(LoadedApk.java:1127)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.app.ContextImpl.registerReceiverInternal(ContextImpl.java:1405)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.app.ContextImpl.registerReceiver(ContextImpl.java:1378)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.app.ContextImpl.registerReceiver(ContextImpl.java:1366)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.content.ContextWrapper.registerReceiver(ContextWrapper.java:603)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.content.ContextWrapper.registerReceiver(ContextWrapper.java:603)
09-26 22:29:26.501 10902 10902 E ActivityThread: at org.chromium.content.browser.accessibility.LollipopWebContentsAccessibility.<init>(LollipopWebContentsAccessibility.java:3)
09-26 22:29:26.501 10902 10902 E ActivityThread: at org.chromium.content.browser.ContentViewCore.getAccessibilityNodeProvider(ContentViewCore.java:659)
09-26 22:29:26.501 10902 10902 E ActivityThread: at com.android.webview.chromium.WebViewChromium.getAccessibilityNodeProvider(WebViewChromium.java:636)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.webkit.WebView.getAccessibilityNodeProvider(WebView.java:2623)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$AccessibilityNodePrefetcher.prefetchDescendantsOfRealNode(AccessibilityInteractionController.java:979)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$AccessibilityNodePrefetcher.prefetchDescendantsOfRealNode(AccessibilityInteractionController.java:1004)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$AccessibilityNodePrefetcher.prefetchDescendantsOfRealNode(AccessibilityInteractionController.java:1004)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$AccessibilityNodePrefetcher.prefetchDescendantsOfRealNode(AccessibilityInteractionController.java:1004)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$AccessibilityNodePrefetcher.prefetchDescendantsOfRealNode(AccessibilityInteractionController.java:1004)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$AccessibilityNodePrefetcher.prefetchDescendantsOfRealNode(AccessibilityInteractionController.java:1004)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$AccessibilityNodePrefetcher.prefetchAccessibilityNodeInfos(AccessibilityInteractionController.java:806)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController.findAccessibilityNodeInfoByAccessibilityIdUiThread(AccessibilityInteractionController.java:170)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController.-wrap1(Unknown Source:0)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.view.AccessibilityInteractionController$PrivateHandler.handleMessage(AccessibilityInteractionController.java:1149)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.os.Handler.dispatchMessage(Handler.java:105)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.os.Looper.loop(Looper.java:180)
09-26 22:29:26.501 10902 10902 E ActivityThread: at android.app.ActivityThread.main(ActivityThread.java:6950)
09-26 22:29:26.501 10902 10902 E ActivityThread: at java.lang.reflect.Method.invoke(Native Method)
09-26 22:29:26.501 10902 10902 E ActivityThread: at com.android.internal.os.Zygote$MethodAndArgsCaller.run(Zygote.java:240)
09-26 22:29:26.501 10902 10902 E ActivityThread: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:835)
09-26 22:29:26.501 1740 15665 D ActivityManager: unregisterReceiver from pid=10902,uid=10049,rec=e7bd7b3
09-26 22:29:26.502 1740 15665 V ActivityManager: unbindService: conn=android.os.BinderProxy@caceace pid=10902

com.htc.android.mail.activity.ReadThreadActivity is our app's Activity. It uses a WebView (Chrome) to display HTML content. We don't use any IntentReceiver in this part, and our app does not appear in the call stack. Not sure whether it is the root cause of the native crash. Have you seen this error log before?

Did this work before? Yes. This issue did not exist with Chrome.apk v59.

Chrome version: 61.0.3163.98
Channel: stable
OS Version: 7.1 and 8.0
Flash Version:
Sep 29 2017
Not sure. How do we open chrome://crashes for the WebView on Android? Will it show in the Chrome app's crash list? There are more device/event/radio logs if you need them.
Sep 29 2017
Thank you for providing more feedback. Adding requester "ligimole@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 29 2017
The libbinder crash is in Android code. You'd have to file this against HTC.
Oct 3 2017
Hi,
May we ask, does Chrome use a binder service in the WebView?
Our app has some binder services, but they are not related to the WebView.
We asked the HTC framework team about the code at the crash site.
Their reply is below:

If your application provides a binder service for other clients to use, that adds a reference count on the binder service; when no client needs the binder service any more, the binder framework is told to decrease the strong reference count.
void IPCThreadState::processPendingDerefs()
{
    if (mIn.dataPosition() >= mIn.dataSize()) {
        size_t numPending = mPendingWeakDerefs.size();
        if (numPending > 0) {
            for (size_t i = 0; i < numPending; i++) {
                RefBase::weakref_type* refs = mPendingWeakDerefs[i];
                refs->decWeak(mProcess.get());
            }
            mPendingWeakDerefs.clear();
        }

        numPending = mPendingStrongDerefs.size();
        if (numPending > 0) {
            for (size_t i = 0; i < numPending; i++) {
                BBinder* obj = mPendingStrongDerefs[i];
                obj->decStrong(mProcess.get());  // => crash here, Cause: null pointer dereference
            }
            mPendingStrongDerefs.clear();
        }
    }
}
BTW, we checked chrome://crashes in the Chrome app on the phone where it happened, but it is empty.
Oct 13 2017
The framework team found that this issue should be caused by abnormal memory usage of the application.
This native crash is caused by the virtual function table pointer being null; even adding a null pointer check still can't fix this issue.
You may need to check whether there is abnormal memory usage in native code.

refs->mBase->onLastStrongRef(id); => crash here
backtrace:
#00 pc 0000cab2 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+49)
#01 pc 00048aef /system/lib/libbinder.so (_ZN7android14IPCThreadState20processPendingDerefsEv+86)
#02 pc 00048b31 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+44)
#03 pc 00060d05 /system/lib/libbinder.so (_ZN7android10PoolThread10threadLoopEv+12)
#04 pc 0000f1a9 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+140)
#05 pc 0007abc7 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+102)
#06 pc 0004959f /system/lib/libc.so (_ZL15__pthread_startPv+22)
#07 pc 0001b5bd /system/lib/libc.so (__start_thread+32)
system/core/libutils/RefBase.cpp:432
caae: 68a0 ldr r0, [r4, #8] => get refs->mBase to r0
cab0: 6801 ldr r1, [r0, #0] => load refs->mBase virtual function table pointer to r1
cab2: 68ca ldr r2, [r1, #12] => load function onLastStrongRef but r1 is 0, 0 +12 = 0xc caused native crash fault address 0xc
cab4: 4629 mov r1, r5
cab6: 4790 blx r2
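A worked triage of the tombstone above, following the register and disassembly reasoning in the Oct 3 and Oct 13 replies. This is an added example, not Chromium, AOSP or HTC code. It assumes the three dependent loads recovered from the posted disassembly (ldr r0,[r4,#8]; ldr r1,[r0,#0]; ldr r2,[r1,#12]) are the path to the faulting instruction, and it uses the register dump from the report as constructed sample input; the function names (parse_tombstone, locate_faulting_load, diagnose) are my own. It answers the question a plain null check on mBase cannot: whether the object pointer itself was null, or whether a mapped object carried a zero vtable pointer, which is what fault addr 0xc together with r0 = f3522a94 and r1 = 00000000 shows here.

```python
"""Tombstone triage for the RefBase::decStrong crash discussed in this thread.

Added example; not Chromium, AOSP or HTC code.  It assumes the load chain
recovered from the HTC disassembly above (ldr r0,[r4,#8]; ldr r1,[r0,#0];
ldr r2,[r1,#12]) and the register dump posted in the report.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the tombstone from the report with the logcat prefixes
# removed.  The values are the ones posted above, not a new crash.
SAMPLE_TOMBSTONE = """\
pid: 10902, tid: 10960, name: Binder:10902_3  >>> com.htc.android.mail <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xc
Cause: null pointer dereference
    r0 f3522a94  r1 00000000  r2 00000000  r3 00000001
    r4 e337fad0  r5 f3593680  r6 f3522a94  r7 00000000
    r8 d31ef920  r9 00000000  sl f48e8d5d  fp 00000000
    ip f5b71dc0  sp d30ff8a8  lr f5b45af3  pc f48e6ab2  cpsr 600d0030
backtrace:
    #00 pc 0000cab2  /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+49)
    #01 pc 00048aef  /system/lib/libbinder.so (_ZN7android14IPCThreadState20processPendingDerefsEv+86)
    #02 pc 00048b31  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+44)
"""

# Dependent loads ending at the faulting instruction, in execution order:
# (destination, base register, byte offset, what the loaded word is).
# Taken from the decStrong disassembly posted above (assumed accurate).
DECSTRONG_LOAD_CHAIN: List[Tuple[str, str, int, str]] = [
    ("r0", "r4", 8, "refs->mBase, the RefBase object"),
    ("r1", "r0", 0, "first word of mBase: its vtable pointer"),
    ("r2", "r1", 12, "vtable slot at +12: the onLastStrongRef entry"),
]

_THR = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
_SIG = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr (0x[0-9a-f]+)")
_REG = re.compile(r"\b(r\d{1,2}|sl|fp|ip|sp|lr|pc|cpsr) ([0-9a-f]{8})\b")
_FRM = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(\S+) \(([^+)]+)\+(\d+)\)")


def parse_tombstone(text: str) -> dict:
    """Pull thread, signal, register and backtrace fields out of a tombstone."""
    head, _, tail = text.partition("backtrace:")  # 'pc' inside frames is not a register
    info: dict = {"regs": {}, "frames": []}
    if (m := _THR.search(head)):
        info.update(pid=int(m[1]), tid=int(m[2]), thread=m[3], process=m[4])
    if (m := _SIG.search(head)):
        info.update(signal=int(m[1]), signame=m[2], code=m[4], fault_addr=int(m[5], 16))
    for reg, val in _REG.findall(head):
        info["regs"][reg] = int(val, 16)
    for n, pc, lib, sym, off in _FRM.findall(tail):
        info["frames"].append({"n": int(n), "pc": int(pc, 16), "lib": lib,
                               "sym": sym, "off": int(off)})
    return info


def locate_faulting_load(regs: Dict[str, int], fault_addr: int,
                         chain: List[Tuple[str, str, int, str]]) -> Optional[int]:
    """Index of the load whose base+offset equals the fault address.  Every load
    before it completed, so the register values show which link of the chain broke."""
    for i, (_dst, base, off, _meaning) in enumerate(chain):
        if base in regs and (regs[base] + off) & 0xFFFFFFFF == fault_addr:
            return i
    return None


def diagnose(text: str, chain: List[Tuple[str, str, int, str]] = DECSTRONG_LOAD_CHAIN) -> dict:
    """Classify the fault as a null root pointer, a zero field inside a mapped
    object, or a non-null but unmapped (wild) pointer."""
    info = parse_tombstone(text)
    regs = info["regs"]
    verdict = {
        "binder_thread": info.get("thread", "").startswith("Binder:"),
        "top_frame": info["frames"][0]["sym"] if info["frames"] else None,
        "kind": "unexplained",
    }
    if "fault_addr" not in info:
        return verdict
    i = locate_faulting_load(regs, info["fault_addr"], chain)
    if i is None:
        return verdict
    _dst, base, _off, _meaning = chain[i]
    verdict["faulting_load"] = i
    if regs[base] != 0:
        verdict["kind"] = "wild-pointer"   # non-null base that is not mapped (SEGV_MAPERR)
    elif i == 0:
        verdict["kind"] = "null-pointer"   # the root of the chain itself is null
    else:
        # The previous load succeeded, so the object it read from was mapped and
        # readable; the word stored there is what is zero.  A null check on the
        # object pointer would not have caught this.
        _pd, prev_base, prev_off, prev_meaning = chain[i - 1]
        verdict["kind"] = "null-field"
        verdict["zero_word"] = prev_meaning
        verdict["zero_word_addr"] = (regs[prev_base] + prev_off) & 0xFFFFFFFF
    return verdict


if __name__ == "__main__":
    print(diagnose(SAMPLE_TOMBSTONE))
```

On the sample this reports kind "null-field" at load index 2 with the zero word at 0xf3522a94, on a Binder: pool thread with the top frame in RefBase::decStrong: the RefBase object was readable but its first word was zero, which is consistent with an object that has already been destroyed or overwritten rather than with a missing null check. The chain table is the only crash-site-specific part; for another crash site, fill it from objdump of the faulting function.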
Oct 18 2017
WebView/Chromium has its own IPC mechanism; it is not using binder.
Nov 20 2017
The framework team guesses this may be caused by memory corruption; they analyzed the native code and memory changes but are still not sure of the root cause. However, since Chrome v62 was released on 11/8, the native crash seems to be fixed. We haven't met any native crash with the same call stack on Chrome v62. Looks like this was already fixed by the Chrome update.
Comment 1 by ligim...@chromium.org, Sep 28 2017