Heap corrupted during CBL(Android) query

kumar1773 · May 22, 2018, 11:52am

I am querying cbl 2.0 on my android but getting following error

05-22 16:58:11.735 24272-24272/com.diro A/libc: Fatal signal 6 (SIGABRT), code -6 in tid 24272 (com.diro)
05-22 16:58:11.796 638-638/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    Build fingerprint: 'Xiaomi/land/land:6.0.1/MMB29M/V9.5.5.0.MALMIFA:user/release-keys'
    Revision: '0'
    ABI: 'arm64'
    pid: 24272, tid: 24272, name: com.diro  >>> com.diro <<<
    signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
05-22 16:58:11.867 638-638/? A/DEBUG: Abort message: 'heap corruption detected by dlmalloc'
        x0   0000000000000000  x1   0000000000005ed0  x2   0000000000000006  x3   0000000000000000
        x4   0000000000000000  x5   0000000000000001  x6   0000000000000000  x7   0000000000000000
        x8   0000000000000083  x9   fefefeff626e6b6b  x10  7f7f7f7f7f7f7f7f  x11  0101010101010101
        x12  0000007f780897c8  x13  ee919e86ca99bf66  x14  ee919e86ca99bf66  x15  0000007f74f58000
05-22 16:58:11.868 638-638/? A/DEBUG:     x16  0000007f780836a8  x17  0000007f78045bdc  x18  00000000ffffffd0  x19  0000007f784a8088
        x20  0000007f784a7fc8  x21  000000000000000b  x22  0000000000000006  x23  0000000000000000
        x24  0000000000000003  x25  0000007f7808ac10  x26  0000000000000008  x27  0000000000000018
        x28  00000000721ac075  x29  0000007fce0dbd30  x30  0000007f78043378
        sp   0000007fce0dbd30  pc   0000007f78045be4  pstate 0000000020000000
05-22 16:58:11.907 638-638/? A/DEBUG: backtrace:
        #00 pc 000000000006abe4  /system/lib64/libc.so (tgkill+8)
        #01 pc 0000000000068374  /system/lib64/libc.so (pthread_kill+68)
        #02 pc 00000000000212f8  /system/lib64/libc.so (raise+28)
        #03 pc 000000000001ba98  /system/lib64/libc.so (abort+60)
        #04 pc 000000000001eee0  /system/lib64/libc.so (__libc_fatal+128)
        #05 pc 00000000000442dc  /system/lib64/libc.so (__bionic_heap_corruption_error+20)
05-22 16:58:11.908 638-638/? A/DEBUG:     #06 pc 0000000000045ef0  /system/lib64/libc.so (dlmalloc+1968)
        #07 pc 00000000000195f0  /system/lib64/libc.so (malloc+20)
        #08 pc 00000000000ceab4  /system/lib64/libicuuc.so (_ZN6icu_557UVector5_initEiR10UErrorCode+68)
        #09 pc 00000000000c815c  /system/lib64/libicuuc.so (_ZN6icu_556UStackC2ER10UErrorCode+16)
        #10 pc 000000000013a1dc  /system/lib64/libicui18n.so (_ZN6icu_5512RegexCompileC2EPNS_12RegexPatternER10UErrorCode+88)
        #11 pc 0000000000154fd4  /system/lib64/libicui18n.so
        #12 pc 000000000002612c  /system/lib64/libjavacore.so
        #13 pc 0000000073b163dc  /data/dalvik-cache/arm64/system@framework@boot.oat (offset 0x2513000)

Query:

QueryBuilder.select(SelectResult.expression(Meta.id), SelectResult.property(CXP_SEARCH_STR))
                .from(DataSource.database(SingltonDbClass.getInstance(mContext)))
                 .where(Expression.property(TYPE).equalTo(Expression.string(TYPE_CXP)))
                 .execute();

priya.rajagopal · May 22, 2018, 1:11pm

We would need the full stack trace (add it as a gist instead of embedding in a post). From trace above, there is no indication that this has anything to do with Couchbase Lite.

kumar1773 · May 30, 2018, 9:20am

I made a query to cbl 2.0, Got resultset and list displayed correctly in andorid, but when putting applicaiton in background it keeps on crashing with following logs

 --------- beginning of system

05-30 14:38:46.064 559-1566/? I/ActivityManager: START u0 {act=com.android.systemui.recents.SHOW_RECENTS flg=0x10804000 cmp=com.android.systemui/.recents.RecentsActivity} from uid 10023 on display 0
05-30 14:38:46.115 559-569/? D/Sensors: activate handle =0, enable = 0
05-30 14:38:46.115 559-569/? E/Sensors: handleToDriver handle(0)
05-30 14:38:46.115 559-569/? D/Sensors: use new sensor index=2
05-30 14:38:46.115 559-569/? D/Accel: ACC enable: handle:0, en:0
path:/sys/class/misc/m_acc_misc/accactive
05-30 14:38:46.118 26547-26566/com.diro V/FA: Activity paused, time: 617243408
05-30 14:38:46.119 158-588/? D/AudioFlinger: mixer(0xb2bef008) throttle end: throttle time(11)
05-30 14:38:46.124 26547-26566/com.diro I/FA: Tag Manager is not found and thus will not be used
05-30 14:38:46.145 559-569/? D/Accel: ACC enable(0) done
05-30 14:38:46.147 26547-26566/com.diro D/FA: Logging event (FE): _e, Bundle[{_o=auto, _et=4441, _sc=DirectoryHomeNew, _si=4130069752813365859}]
05-30 14:38:46.151 559-572/? I/ProcessStatsService: Prepared write state in 3ms
05-30 14:38:46.236 23202-23211/? I/art: Background partial concurrent mark sweep GC freed 2330(107KB) AllocSpace objects, 2(268KB) LOS objects, 35% free, 28MB/44MB, paused 1.224ms total 262.880ms
05-30 14:38:46.240 559-568/? I/art: Background partial concurrent mark sweep GC freed 14446(924KB) AllocSpace objects, 11(412KB) LOS objects, 33% free, 20MB/30MB, paused 2.103ms total 140.022ms
05-30 14:38:46.321 23202-23249/? I/MaliEGL: [Mali]window_type=1, is_framebuffer=0, errnum = 0
[Mali]surface->num_buffers=4, surface->num_frames=3, win_min_undequeued=1
[Mali]max_allowed_dequeued_buffers=3
05-30 14:38:46.339 22736-26638/? V/FA-SVC: Logging event: origin=auto,name=user_engagement(_e),params=Bundle[{firebase_event_origin(_o)=auto, engagement_time_msec(_et)=4441, firebase_screen_class(_sc)=DirectoryHomeNew, firebase_screen_id(_si)=4130069752813365859}]
05-30 14:38:46.349 22736-26638/? V/FA-SVC: Saving event, name, data size: user_engagement(_e), 71
Event recorded: Event{appId=‘com.diro’, name=‘user_engagement(_e)’, params=Bundle[{firebase_event_origin(_o)=auto, engagement_time_msec(_et)=4441, firebase_screen_class(_sc)=DirectoryHomeNew, firebase_screen_id(_si)=4130069752813365859}]}
05-30 14:38:46.362 22736-26638/? V/FA-SVC: Upload scheduled in approximately ms: 1756512
05-30 14:38:46.365 1298-1298/? W/Binder_A: type=1400 audit(0.0:12469): avc: denied { ioctl } for path=“socket:[880014]” dev=“sockfs” ino=880014 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
type=1400 audit(0.0:12470): avc: denied { ioctl } for path=“socket:[880014]” dev=“sockfs” ino=880014 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
05-30 14:38:46.395 22736-26638/? V/FA-SVC: Scheduling upload with GcmTaskService
Scheduling task with Gcm. time: 1756512
05-30 14:38:46.408 22736-26638/? V/FA-SVC: Background event processing time, ms: 69
05-30 14:38:47.106 158-588/? D/AudioMTKHardware: handlecheck createAudioPatch handle [0xbf9] current size 1
05-30 14:38:47.106 158-588/? D/AudioMTKStreamOut: dokeyRouting(), current_device = 2, new_device = 2
05-30 14:38:47.181 19721-20268/? I/OpenGLRenderer: Initialized EGL, version 1.4
05-30 14:38:47.184 23566-23566/? I/BackgroundMemoryTrimmer: Trimming objects from memory, since app is in the background.
05-30 14:38:47.188 19721-20268/? I/MaliEGL: [Mali]window_type=1, is_framebuffer=0, errnum = 0
[Mali]surface->num_buffers=4, surface->num_frames=3, win_min_undequeued=1
[Mali]max_allowed_dequeued_buffers=3
05-30 14:38:47.195 695-695/? W/Binder_4: type=1400 audit(0.0:12471): avc: denied { ioctl } for path=“socket:[1314001]” dev=“sockfs” ino=1314001 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
type=1400 audit(0.0:12472): avc: denied { ioctl } for path=“socket:[1314001]” dev=“sockfs” ino=1314001 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
05-30 14:38:47.273 23566-23566/? I/BackgroundMemoryTrimmer: Trimming objects from memory, since app is in the background.
05-30 14:38:47.333 23202-23211/? I/art: Background partial concurrent mark sweep GC freed 1598(65KB) AllocSpace objects, 1(128KB) LOS objects, 35% free, 28MB/44MB, paused 1.084ms total 175.366ms
05-30 14:38:47.912 22736-26648/? I/Authzen: [DeviceStateSyncManager] The server is in sync with current state. Nothing to do
05-30 14:38:48.528 26547-26547/com.diro E/value: shared_pref_is_sync_gateway_registered valetrue
05-30 14:38:48.546 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.create()
05-30 14:38:48.551 26547-26547/com.diro I/LiteCore [Actor]: Starting Scheduler<0xb7cf84b0> with 4 threads
05-30 14:38:48.553 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.create() repl -> 0x0xb7c450f8
[NATIVE] C4Replicator.getStatus() repl -> 0xb7c450f8
05-30 14:38:48.558 26547-26674/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.getResponseHeaders() repl -> 0xb7c450f8
05-30 14:38:48.565 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.create()
05-30 14:38:48.580 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.create() repl -> 0x0xb7c658d8
05-30 14:38:48.581 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.getStatus() repl -> 0xb7c658d8
05-30 14:38:48.583 26547-26675/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.getResponseHeaders() repl -> 0xb7c658d8
05-30 14:38:48.603 26547-26547/com.diro V/diro: logger push relication log 0 0
05-30 14:38:48.629 26547-26547/com.diro V/diro: logger ghost push change count 0 0
05-30 14:38:48.635 26547-26547/com.diro V/diro: logger ghost pull change count 0 0
05-30 14:38:50.630 26547-26672/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.statusChangedCallback() repl -> 0x0xb7c450f8 status -> 4
05-30 14:38:50.637 26547-26674/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.getResponseHeaders() repl -> 0xb7c450f8
05-30 14:38:50.638 26547-26547/com.diro V/diro: logger push relication log 0 0
05-30 14:38:50.690 26547-26671/com.diro E/LiteCore: Assertion failed: !_responseHeaders (/home/couchbase/jenkins/workspace/couchbase-lite-android-edition-build/couchbase-lite-android-ee/libs/couchbase-lite-android/libs/couchbase-lite-core/Replicator/c4Replicator.hh:135, in replicatorGotHTTPResponse)/data/app/com.diro-1/lib/arm/libLiteCoreJNI.so C4Replicator::replicatorGotHTTPResponse(litecore::repl::Replicator*, int, fleeceapi::AllocedDict const&)/data/app/com.diro-1/lib/arm/libLiteCoreJNI.so litecore::repl::Replicator::_onHTTPResponse(int, fleeceapi::AllocedDict)/data/app/com.diro-1/lib/arm/libLiteCoreJNI.so void std::__ndk1::__invoke_void_return_wrapper::__call<std::__ndk1::__bind<void (litecore::repl::Replicator::&)(int, fleeceapi::AllocedDict), litecore::repl::Replicator, int&, fleeceapi::AllocedDict&>&>(std::__ndk1::__bind<void (litecore::repl::Replicator::&)(int, fleeceapi::AllocedDict), litecore::repl::Replicator, int&, fleeceapi::AllocedDict&>&&&)/data/app/com.diro-1/lib/arm/libLiteCoreJNI.so litecore::actor::ThreadedMailbox::performNextMess
05-30 14:38:50.691 26547-26671/com.diro W/LiteCore: Caught exception in Actor: assertion failed
05-30 14:38:50.948 26547-26670/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.statusChangedCallback() repl -> 0x0xb7c450f8 status -> 4
05-30 14:38:50.954 26547-26547/com.diro V/diro: logger push relication log 9701 0
05-30 14:38:50.986 26547-26672/com.diro E/LiteCore [Sync]: {Repl#1}==> N8litecore4repl10ReplicatorE /data/user/0/com.diro/files/diro.cblite2/ ->wss:devsync.dirolabs.com/phonebooks/_blipsync
05-30 14:38:50.987 26547-26672/com.diro E/LiteCore [Sync]: {Repl#1} Got LiteCore error: WebSocket connection closed by peer (6/1001)
05-30 14:38:50.988 26547-26672/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.statusChangedCallback() repl -> 0x0xb7c450f8 status -> 0
05-30 14:38:50.991 26547-26674/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.free() repl -> 0xb7c450f8
05-30 14:38:50.999 26547-26547/com.diro V/diro: logger push relication log 9701 0
05-30 14:38:51.002 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.create()
05-30 14:38:51.016 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.create() repl -> 0x0xb7c80198
05-30 14:38:51.017 26547-26547/com.diro I/LiteCoreJNI: [NATIVE] C4Replicator.getStatus() repl -> 0xb7c80198
05-30 14:38:51.021 26547-26547/com.diro V/diro: logger push relication log 0 0
05-30 14:38:51.439 26547-26566/com.diro V/FA: Inactivity, disconnecting from the service

--------- beginning of crash

05-30 14:38:51.744 26547-26684/com.diro A/libc: heap corruption detected by dlmalloc_real
05-30 14:38:51.745 26547-26684/com.diro A/libc: Fatal signal 6 (SIGABRT), code -6 in tid 26684 (irolabs.com/…)
05-30 14:38:51.800 22717-22717/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: ‘google/AQ4501/AQ4501_sprout:6.0.1/MOB31E/3142026:user/release-keys’
Revision: ‘0’
ABI: ‘arm’
05-30 14:38:51.801 22717-22717/? A/DEBUG: pid: 26547, tid: 26684, name: irolabs.com/… >>> com.diro <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
05-30 14:38:51.846 22717-22717/? A/DEBUG: Abort message: ‘heap corruption detected by dlmalloc_real’
r0 00000000 r1 0000683c r2 00000006 r3 9dcb0978
r4 9dcb0980 r5 9dcb0930 r6 00000002 r7 0000010c
r8 00000200 r9 b7c7f330 sl b7d33538 fp 1b525700
ip 00000006 sp 9dca9df8 lr b6d35d55 pc b6d38144 cpsr 40070010
05-30 14:38:51.859 22717-22717/? A/DEBUG: backtrace:
#00 pc 00044144 /system/lib/libc.so (tgkill+12)
#01 pc 00041d51 /system/lib/libc.so (pthread_kill+32)
#02 pc 0001b9ff /system/lib/libc.so (raise+10)
05-30 14:38:51.860 22717-22717/? A/DEBUG: #03 pc 00018bb1 /system/lib/libc.so (__libc_android_abort+34)
#04 pc 00016774 /system/lib/libc.so (abort+4)
#05 pc 0001a613 /system/lib/libc.so (__libc_fatal+16)
#06 pc 0002e111 /system/lib/libc.so (__bionic_heap_corruption_error+8)
#07 pc 0002f18f /system/lib/libc.so (dlmalloc_real+626)
05-30 14:38:51.861 22717-22717/? A/DEBUG: #08 pc 00048827 /system/lib/libcrypto.so (EVP_MD_CTX_copy_ex+90)
#09 pc 0004f863 /system/lib/libcrypto.so (EVP_DigestVerifyFinal+34)
#10 pc 000607a3 /system/lib/libcrypto.so (ASN1_item_verify+194)
#11 pc 00067c49 /system/lib/libcrypto.so (X509_verify+32)
05-30 14:38:51.862 22717-22717/? A/DEBUG: #12 pc 000082d7 /system/lib/libjavacrypto.so
#13 pc 727e8a49 /data/dalvik-cache/arm/system@framework@boot.oat (offset 0x1ed5000)
05-30 14:38:53.231 22717-22717/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_02
05-30 14:38:53.231 22717-22717/? E/DEBUG: AM write failed: Broken pipe
05-30 14:38:53.232 559-575/? I/BootReceiver: Copying /data/tombstones/tombstone_02 to DropBox (SYSTEM_TOMBSTONE)
05-30 14:38:53.283 559-605/? I/OpenGLRenderer: Initialized EGL, version 1.4
05-30 14:38:53.289 559-605/? I/MaliEGL: [Mali]window_type=1, is_framebuffer=0, errnum = 0
05-30 14:38:53.290 559-605/? I/MaliEGL: [Mali]surface->num_buffers=4, surface->num_frames=3, win_min_undequeued=1
[Mali]max_allowed_dequeued_buffers=3
05-30 14:38:53.320 559-598/? W/InputDispatcher: channel ‘b89f05b com.diro/com.diro.homepage_module.DirectoryHomeNew (server)’ ~ Consumer closed input channel or an error occurred. events=0x9
05-30 14:38:53.320 559-598/? E/InputDispatcher: channel ‘b89f05b com.diro/com.diro.homepage_module.DirectoryHomeNew (server)’ ~ Channel is unrecoverably broken and will be disposed!
05-30 14:38:53.321 170-170/? I/Zygote: Process 26547 exited due to signal (6)
05-30 14:38:53.321 559-1565/? D/GraphicsStats: Buffer count: 8
05-30 14:38:53.321 559-1560/? I/WindowState: WIN DEATH: Window{b89f05b u0 com.diro/com.diro.homepage_module.DirectoryHomeNew}
05-30 14:38:53.321 559-1560/? W/InputDispatcher: Attempted to unregister already unregistered input channel ‘b89f05b com.diro/com.diro.homepage_module.DirectoryHomeNew (server)’
05-30 14:38:53.323 559-1298/? I/ActivityManager: Process com.diro (pid 26547) has died

kumar1773 · June 6, 2018, 6:04am

App is still crashing please find attached logs log.zip (3.5 KB)

We are stuck with cbl 2.0. Please help us out

borrrden · June 6, 2018, 8:48am

This kind of thing is hard to track down without a reproduction project. If you can provide one, it would help speed up the analysis of what is going wrong. It looks like there might be a race bug inside of the library but it’s hard to tell what it is racing with. If you can provide such a project then definitely file a bug on the couchbase-lite-android repo.

jens · June 7, 2018, 4:59pm

Does Android have any heap diagnostic modes (like iOS’s MallocScribble or the Address Sanitizer?)

kumar1773 · June 13, 2018, 12:19pm

I have attached tombstone file generated by android, these might help you.

tombstone.zip (208.0 KB)

borrrden · June 14, 2018, 5:13am

Is there no way to provide a project and set of instructions?