JKRhb / dtls2

A DTLS library for Dart based on OpenSSL.

Crash at client after successful handshake

Ifilehk opened this issue · comments

Hello Jan

Here a new issue.

After a successful handshake and regular exchange of data between client and server, the client crashes with this message in the console:

```
F/libc ( 4545): Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xd3e7ef20 in tid 27907 (2.ui), pid 4545 (.ptt.ptt_client)

Build fingerprint: 'samsung/jfltexx/jflte:5.0.1/LRX22C/I9505XXUHQK1:user/release-keys'
Revision: '0'
ABI: 'arm'
Timestamp: 2023-03-14 21:49:29.752080152+0000
Process uptime: 101s
Cmdline: com.ptt.ptt_client
pid: 4545, tid: 27907, name: 2.ui >>> com.ptt.ptt_client <<<
uid: 10128
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xd3e7ef20
r0 b3e7ef00 r1 aef54220 r2 d3e7eefc r3 07ffffff
r4 80000000 r5 ffffffff r6 b3e00540 r7 b3e01e50
r8 b3e00380 r9 00000002 r10 b4224308 r11 b3e01e90
ip aef5422c sp 7c8fb760 lr 0000001f pc aef670a8
backtrace:
#00 pc 000370a8 /apex/com.android.runtime/lib/bionic/libc.so (arena_slab_reg_alloc+104) (BuildId: 44204e0c53d8b940de9ce87036b16471)
#1 pc 00037665 /apex/com.android.runtime/lib/bionic/libc.so (je_arena_malloc_hard+376) (BuildId: 44204e0c53d8b940de9ce87036b16471)
#2 pc 000309c1 /apex/com.android.runtime/lib/bionic/libc.so (je_malloc+1040) (BuildId: 44204e0c53d8b940de9ce87036b16471)
#3 pc 0002c9a7 /apex/com.android.runtime/lib/bionic/libc.so (malloc+18) (BuildId: 44204e0c53d8b940de9ce87036b16471)
#4 pc 0017b290 /data/app/~~h34K_ao9DgsUqVurL_NozQ==/com.ptt.ptt_client-YGK0p71IU5wqaxxrSpQMwA==/base.apk!libcrypto.so (CRYPTO_zalloc+96)
```

This one happened after 1 minute and 30 seconds. But it could sometimes run for 4 hours without a problem.

Will try to give you more input for this crash later ...

I will push another crash trace. This time after 31 minutes of successful regular data exchanges between client and server.

```
F/libc ( 4547): Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6e61685f in tid 32185 (2.ui), pid 4547 (.ptt.ptt_client)

Build fingerprint: 'samsung/jfltexx/jflte:5.0.1/LRX22C/I9505XXUHQK1:user/release-keys'
Revision: '0'
ABI: 'arm'
Timestamp: 2023-03-15 07:08:30.417001250+0000
Process uptime: 1910s
Cmdline: com.ptt.ptt_client
pid: 4547, tid: 32185, name: 2.ui >>> com.ptt.ptt_client <<<
uid: 10128
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6e61685f
r0 b0fe5d50 r1 74657228 r2 6e61685f r3 6ef8c3b4
r4 b0fe5d50 r5 6f096e76 r6 00000000 r7 00000000
r8 00000000 r9 00000005 r10 af698600 r11 7cafb830
ip 6ede2a88 sp 7cafb818 lr 6ed83d7c pc 6ef856b0
backtrace:
#00 pc 001746b0 /data/app/~~QgUNhQ4PU7u3RzvGZGNGTw==/com.ptt.ptt_client-gXU5vg16HQczwbpfWR8K9A==/base.apk!libcrypto.so (OPENSSL_LH_free+52)
```

Back to the long-run bug. This time it happened after 2h30m. The crash report is:

```
F/libc (24065): Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x74756c6a in tid 2632 (2.ui), pid 24065 (.ptt.ptt_client)

Build fingerprint: 'samsung/jfltexx/jflte:5.0.1/LRX22C/I9505XXUHQK1:user/release-keys'
Revision: '0'
ABI: 'arm'
Timestamp: 2023-03-15 09:52:15.118364183+0000
Process uptime: 8984s
Cmdline: com.ptt.ptt_client
pid: 24065, tid: 2632, name: 2.ui >>> com.ptt.ptt_client <<<
uid: 10128
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x74756c6a
r0 74756c66 r1 6f1cde76 r2 00000062 r3 6f0c33b4
r4 a6599ca0 r5 6f1cde76 r6 00000000 r7 00000000
r8 00000000 r9 00000005 r10 a6886d00 r11 8487b838
ip 6ef34a88 sp 8487b820 lr 6eed5d7c pc 6f0bc6e4
backtrace:
#00 pc 001746e4 /data/app/~~c6vZr8wTdVLNoWRLEhcJtQ==/com.ptt.ptt_client-HpqtiAhAR17i_qtZYzriFQ==/base.apk!libcrypto.so (OPENSSL_LH_free+104)
```

The problem seems to be the call to `_libSsl.SSL_free(_ssl)`.

I put some print statements in the code to trace the path to this line. This is the result:

```
I/flutter (24065): _incomming -> _libCrypto.BIO_write(_rbio, buffer.cast(), input.length);
I/flutter (24065): void _maintainState() { 65536
I/flutter (24065): _libSsl.SSL_shutdown(_ssl);
I/flutter (24065): void _maintainState() { 65536
I/flutter (24065): final ret = _libSsl.SSL_read(_ssl, buffer.cast(), bufferSize); 0
I/flutter (24065): r = _dtlsClient._socket.send(buffer.asTypedList(ret), _address, _port);
I/flutter (24065): r = _dtlsClient._socket.send(buffer.asTypedList(ret), _address, _port); OK
I/flutter (24065): int res0 = _maintainOutgoing(); 31
I/flutter (24065): _libSsl.SSL_free(_ssl);
I/flutter (24065): _libSsl.SSL_free(_ssl); OK
I/flutter (24065): END CLOSE
I/flutter (24065): _handleError(ret, _received.addError);
I/flutter (24065): _libSsl.SSL_free(_ssl);
```

I suppose `void _handleAlert(DtlsAlert event) {` has been called. I did not have a print there when I did this test, but reading the prints, `_libSsl.SSL_free(_ssl);` is called twice and this may result in the exception.

Will run the test again to make sure that this comes from `void _handleAlert(DtlsAlert event) {`.

In the prints we can also see that after `_incomming`, in `void _maintainState() {`, the code should execute `final ret = _libSsl.SSL_read(_ssl, buffer.cast(), bufferSize);` but jumps directly to `_libSsl.SSL_shutdown(_ssl);`.

Will let you know more later ...

After 2h19m. Confirmed that `void _handleAlert(DtlsAlert event)` is called during the failed `_libSsl.SSL_read(_ssl, buffer.cast(), bufferSize);`.

```
I/flutter (24066): _incomming -> _libCrypto.BIO_write(_rbio, buffer.cast(), input.length);
I/flutter (24066): void _maintainState() { 65536
I/flutter (24066): void _handleAlert(DtlsAlert event) true
I/flutter (24066): Future close({bool closedByClient = false}) async {
I/flutter (24066): _libSsl.SSL_shutdown(_ssl);
I/flutter (24066): void _maintainState() { 65536
I/flutter (24066): final ret = _libSsl.SSL_read(_ssl, buffer.cast(), bufferSize); 0
I/flutter (24066): r = _dtlsClient._socket.send(buffer.asTypedList(ret), _address, _port);
I/flutter (24066): r = _dtlsClient._socket.send(buffer.asTypedList(ret), _address, _port); OK
I/flutter (24066): int res0 = _maintainOutgoing(); 31
I/flutter (24066): Future close({bool closedByClient = false}) async {
I/flutter (24066): _libSsl.SSL_free(_ssl);
I/flutter (24066): _libSsl.SSL_free(_ssl); OK
I/flutter (24066): END CLOSE
I/flutter (24066): _handleError(ret, _received.addError);
I/flutter (24066): _libSsl.SSL_free(_ssl);
F/libc (24066): Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x74756c66 in tid 11733 (2.ui), pid 24066 (.ptt.ptt_client)

Build fingerprint: 'samsung/jfltexx/jflte:5.0.1/LRX22C/I9505XXUHQK1:user/release-keys'
Revision: '0'
ABI: 'arm'
Timestamp: 2023-03-15 12:37:35.006260090+0000
Process uptime: 8389s
Cmdline: com.ptt.ptt_client
pid: 24066, tid: 11733, name: 2.ui >>> com.ptt.ptt_client <<<
uid: 10128
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x74756c66
r0 b0d7c6c0 r1 6c735362 r2 74756c66 r3 6ec9a3b4
r4 b0d7c6c0 r5 6eda4e76 r6 00000000 r7 00000000
r8 00000000 r9 00000005 r10 a690a400 r11 7c8fb838
ip 6eacba88 sp 7c8fb820 lr 6ea6cd7c pc 6ec936b0
backtrace:
#00 pc 001746b0 /data/app/~~_e98pQxWpKhxWk-dBVUyVw==/com.ptt.ptt_client-hWyX0Z_HsTeijuhW_NRF-A==/base.apk!libcrypto.so (OPENSSL_LH_free+52)
```
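An added illustration of the double-teardown sequence the prints above show (alert handler closes, then the `SSL_read` error path closes again) together with an idempotent guard; this is an editor's sketch, not dtls2's code and not the change in #56, and `DtlsConnection`, `sslFree` and the fake handle address are assumptions.

```dart
import 'dart:ffi';

/// Stand-in for the FFI binding `_libSsl.SSL_free`: it only counts calls, so
/// this file runs with plain `dart run` and no native library. Freeing the
/// same SSL* twice is what OpenSSL cannot survive (see OPENSSL_LH_free above).
int sslFreeCalls = 0;
void sslFree(Pointer<Opaque> ssl) {
  if (ssl == nullptr) throw StateError('SSL_free(NULL): handle already gone');
  sslFreeCalls++;
}

/// Hypothetical connection with the two teardown entry points from the trace.
class DtlsConnection {
  // Fake, never-dereferenced address standing in for the SSL* from SSL_new.
  Pointer<Opaque> _ssl = Pointer.fromAddress(0x1000);
  bool _closed = false;

  bool get isClosed => _closed;

  /// Path 1 from the trace: the peer's alert arrives and close() is called.
  Future<void> handleAlert() => close(closedByClient: false);

  /// Path 2 from the trace: the following SSL_read fails and the error
  /// handler tears the connection down as well.
  Future<void> handleReadError(int ret) async {
    if (ret <= 0) await close(closedByClient: true);
  }

  /// Idempotent teardown. The flag is set and the handle nulled before any
  /// await or native call, so a second caller (even one arriving while the
  /// first is still awaiting) returns without a second SSL_free.
  Future<void> close({bool closedByClient = false}) async {
    if (_closed) return;
    _closed = true;
    final ssl = _ssl;
    _ssl = nullptr;
    // SSL_shutdown(ssl) and the final socket send would go here.
    sslFree(ssl);
  }
}

Future<void> main() async {
  final conn = DtlsConnection();
  await conn.handleAlert(); // frees once
  await conn.handleReadError(0); // no-op instead of a second SSL_free
  if (sslFreeCalls != 1) throw StateError('SSL_free called $sslFreeCalls times');
  print('SSL_free called once; isClosed=${conn.isClosed}');
}
```

Without the guard, the same two calls reach `sslFree` twice, which is the native double free the backtraces point at.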

Based on the traces you've posted, I came up with a potential fix in #56. Could you have a look if that resolves the issue?