ONLYOFFICE / documents-app-android

8.0.1 crashes when being run with ARMv8.5 MTE (Memory Tagging)

FID02 opened this issue · comments

When running the Onlyoffice app with ARMv8.5 memory tagging enabled, it will crash upon creating and opening a document, with the below error. You will only be able to reproduce this currently on a Google Pixel 8 or Google Pixel 8 Pro device, running GrapheneOS with memory tagging enabled for Onlyoffice.

Notice: This is not a bug with GrapheneOS, it is a memory corruption bug which is exposed by GrapheneOS, which is in the Onlyoffice app. Android will be eventually deploying memory tagging by default, so this needs to be resolved, it cannot be ignored. An engineer with a good understanding of debugging native code needs to deal with this.

Steps to reproduce

  1. Install and open the Onlyoffice app
  2. Complete or skip the first-run wizard
  3. Press the + button to create a new document, and select any document type

The crash occurs during loading of the document.

Additional information
version 8.0.1
com.onlyoffice.documents
versionCode 533

Crash log

type: crash
osVersion: google/shiba/shiba:14/AP1A.240405.002/2024040300:user/release-keys
uid: 10224 (u:r:untrusted_app:s0:c224,c256,c512,c768)
cmdline: com.onlyoffice.documents:DocumentsActivity
processUptime: 5s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 800dc74746c71d0
cause: [MTE]: Buffer Overflow, 32 bytes right of a 32-byte allocation at 0xdc74746c7190
cause: [MTE]: Buffer Underflow, 128 bytes left of a 24-byte allocation at 0xdc74746c7250
cause: [MTE]: Buffer Underflow, 272 bytes left of a 24-byte allocation at 0xdc74746c72e0
threadName: GLThread 38
MTE: enabled

backtrace:
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libkernel.so (NSThreads::CBaseThreadMonitor::GetBaseThread(long const&)+144, pc e7d90)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CThreadsMonitor::CheckAttach()+52, pc 1b24ec)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (JniBaseCallbacks::callback(std::__ndk1::function<void (_JNIEnv*)>)+68, pc 1b22b4)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (JniEditorsCallbacks::callbackCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+112, pc 1bbdb8)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CPlatformController::OnCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+72, pc 1b19a8)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (ASC::CBaseEditorsController::OnEvent(NSEditorApi::CAscMenuEvent*)+228, pc 1adaac)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (ASC::CDEditorController::OnEvent(NSEditorApi::CAscMenuEvent*)+52, pc 1a4414)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CEditorCtrl::OnEventInternal(int, NSJSON::CValue)+636, pc 1fe150)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CWordCtrlEmbed::OnCallMenuEvent(NSCommon::smart_ptr<NSJSBase::CJSValue>, NSCommon::smart_ptr<NSJSBase::CJSValue>)+152, pc 2905bc)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CWordCtrlEmbedAdapter::initFunctions(NSJSBase::CJSEmbedObject*)::'lambda11'(NSJSBase::CJSFunctionArguments*)::operator()(NSJSBase::CJSFunctionArguments*) const+120, pc 264de0)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (NSJSBase::_Call(v8::FunctionCallbackInfo<v8::Value> const&)+300, pc 1734e4)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo)+548, pc 85a46c)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments)+640, pc 859ad0)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)+244, pc 859290)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit+104, pc 758a08)
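
The three `cause:` lines above are MTE's candidate explanations for a single faulting access. A useful first triage step is to check that they actually agree on one address, which tells you whether you are looking at a single wild access or several. The following script is an added example written for this page, not code from the ONLYOFFICE project or the reporter: it parses the `signal:` and `cause:` lines of the log posted in this issue (embedded below as sample input), strips the MTE tag from the top byte of the fault address, and recomputes the accessed address from each candidate allocation. The line formats it matches are those of the log as shown above; the field names and the `analyse` helper are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the relevant lines of the crash log quoted in this issue.
CRASH_LOG = """\
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 800dc74746c71d0
cause: [MTE]: Buffer Overflow, 32 bytes right of a 32-byte allocation at 0xdc74746c7190
cause: [MTE]: Buffer Underflow, 128 bytes left of a 24-byte allocation at 0xdc74746c7250
cause: [MTE]: Buffer Underflow, 272 bytes left of a 24-byte allocation at 0xdc74746c72e0
MTE: enabled
"""

# On AArch64 the MTE tag lives in bits 56..59 of a pointer; bits 0..55 are the
# address the hardware actually accessed.
ADDRESS_MASK = (1 << 56) - 1

FAULT_RE = re.compile(r"^signal: \d+ \(SIGSEGV\), code \d+ \(SEGV_MTESERR\), faultAddr ([0-9a-f]+)", re.M)
CAUSE_RE = re.compile(
    r"^cause: \[MTE\]: Buffer (Overflow|Underflow), (\d+) bytes (?:right|left) "
    r"of a (\d+)-byte allocation at 0x([0-9a-f]+)",
    re.M,
)


@dataclass
class MteCause:
    kind: str         # "Overflow" (past the end) or "Underflow" (before the start)
    distance: int     # bytes beyond the end, or before the start, of the allocation
    alloc_size: int   # size of the candidate allocation in bytes
    alloc_start: int  # untagged start address of the candidate allocation

    def accessed_address(self) -> int:
        """Address the reported access would have touched, derived from this candidate."""
        if self.kind == "Overflow":
            return self.alloc_start + self.alloc_size + self.distance
        return self.alloc_start - self.distance


def split_tag(tagged_pointer: int) -> tuple[int, int]:
    """Return (tag, untagged address) for a pointer that still carries its MTE tag."""
    return (tagged_pointer >> 56) & 0xF, tagged_pointer & ADDRESS_MASK


def parse_fault_address(log: str) -> int:
    m = FAULT_RE.search(log)
    if m is None:
        raise ValueError("no SEGV_MTESERR signal line found")
    return int(m.group(1), 16)


def parse_causes(log: str) -> list[MteCause]:
    return [
        MteCause(kind, int(dist), int(size), int(start, 16))
        for kind, dist, size, start in CAUSE_RE.findall(log)
    ]


def analyse(log: str) -> dict:
    """Cross-check every MTE candidate cause against the faulting address."""
    tag, fault_address = split_tag(parse_fault_address(log))
    causes = parse_causes(log)
    consistent = all(c.accessed_address() == fault_address for c in causes)
    return {
        "tag": tag,
        "fault_address": fault_address,
        "causes": causes,
        "consistent": consistent,
    }


if __name__ == "__main__":
    report = analyse(CRASH_LOG)
    print(f"fault address 0x{report['fault_address']:x} (tag {report['tag']})")
    for c in report["causes"]:
        print(f"  {c.kind:9} {c.alloc_size:3}-byte chunk at 0x{c.alloc_start:x} "
              f"-> access at 0x{c.accessed_address():x}")
    print("all candidates agree:", report["consistent"])
```

For this log all three candidates resolve to the same untagged address, 0xdc74746c71d0, so the report describes one access that landed 64 bytes past the start of a 32-byte allocation rather than three separate faults; the two "underflow" entries are simply other allocations whose bounds also line up with that address. That makes the 32-byte chunk, and the code in `CBaseThreadMonitor::GetBaseThread` at the top of the backtrace that indexes past it, the natural place to start debugging.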

Hello @FID02 Thank you for your request. I created ticket 68151 with your proposal.