Crash in Chrome: Mysterious Android Crash

Last night, before I went to sleep, I checked my phone. Mysteriously, a lot of apps just outright crashed on opening or when I tried to do something useful.

The Situation

The crashes were… weird. Twitter, Facebook, YouTube etc. didn’t crash. FastMail crashed. CookieClicker crashed. A few other apps crashed, but I didn’t test everything. For CookieClicker, nothing was displayed before crashing. FastMail showed a splash screen before crashing. One of the apps didn’t crash on the front page, but crashed on navigation. Another app could render some UI before it too crashed.

I followed some online diagnostics. I re-installed FastMail – same result. I wiped the cache partition – same result. I then went to bed, as it was already 9 in the morning.

The Diagnostic

I woke up today (at 3pm) and was preparing for the worst – factory reset. But then, what if it doesn’t solve the problem? Going through the hell of a factory reset and not solving the problem would be the last thing I wanted to do. So I googled how to debug a 3rd Party Android app. Apparently it wasn’t hard. So I did.

Following some online guides, at first I used adb logcat AndroidRuntime:E *:S. Nothing was shown. So I checked how logcat works, and then I used adb logcat *:E. That was a lot of log. Here’s a particularly important section:

08-14 16:05:04.552 22733 22733 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x3 in tid 22733 (ndroid.feedback), pid 22733 (ndroid.feedback)
08-14 16:05:04.697 22843 22843 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-14 16:05:04.697 22843 22843 F DEBUG   : Build fingerprint: 'samsung/jackpot2ltexx/jackpot2lte:9/PPR1.180610.011/A730FXXU7CTE1:user/release-keys'
08-14 16:05:04.697 22843 22843 F DEBUG   : Revision: '7'
08-14 16:05:04.697 22843 22843 F DEBUG   : ABI: 'arm64'
08-14 16:05:04.697 22843 22843 F DEBUG   : pid: 22733, tid: 22733, name: ndroid.feedback  >>> com.google.android.feedback <<<
08-14 16:05:04.697 22843 22843 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x3
08-14 16:05:04.697 22843 22843 F DEBUG   : Cause: null pointer dereference
08-14 16:05:04.697 22843 22843 F DEBUG   :     x0  0000000000000010  x1  0000000000000360  x2  0000000000000017  x3  0000000000000018
08-14 16:05:04.698 22843 22843 F DEBUG   :     x4  0000000000000538  x5  000000000000034e  x6  0000000000000005  x7  000000000000000e
08-14 16:05:04.698 22843 22843 F DEBUG   :     x8  0000000000000018  x9  0000000000000003  x10 0000000000000000  x11 0000000000000020
08-14 16:05:04.698 22843 22843 F DEBUG   :     x12 0000000000000004  x13 0000000000000023  x14 0000000000000aa8  x15 0000000000000009
08-14 16:05:04.698 22843 22843 F DEBUG   :     x16 0000000000000020  x17 0000000000000020  x18 0000000000000008  x19 00000070ff2829f0
08-14 16:05:04.698 22843 22843 F DEBUG   :     x20 0000000000000360  x21 00000070d70f3f6c  x22 00000070d7e066c8  x23 00000070d7e066e0
08-14 16:05:04.698 22843 22843 F DEBUG   :     x24 0000007189cdb5f8  x25 00000000134c0fc8  x26 0000007fd483a8a0  x27 0000000013039a78
08-14 16:05:04.698 22843 22843 F DEBUG   :     x28 0000007103446400  x29 0000007fd483a680
08-14 16:05:04.698 22843 22843 F DEBUG   :     sp  0000007fd483a500  lr  00000071031a706c  pc  00000071031a708c
08-14 16:05:04.890 22843 22843 F DEBUG   :
08-14 16:05:04.890 22843 22843 F DEBUG   : backtrace:
08-14 16:05:04.890 22843 22843 F DEBUG   :     #00 pc 00000000004fd08c  /system/lib64/libart.so (_ZN3artL27DoGetCalleeSaveMethodCallerEPNS_9ArtMethodEmb.llvm.1156538818+252)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #01 pc 000000000051d680  /system/lib64/libart.so (artQuickResolutionTrampoline+732)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #02 pc 0000000000563a6c  /system/lib64/libart.so (art_quick_resolution_trampoline+92)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #03 pc 0000000001070a3c  /data/app/com.android.chrome-6evh5SPbzTzzad8Fbs-i1A==/oat/arm64/base.odex (offset 0x690000) (Xw0.onResult+860)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #04 pc 00000000006af2e8  /data/app/com.android.chrome-6evh5SPbzTzzad8Fbs-i1A==/oat/arm64/base.odex (offset 0x690000) (Ay0.run [DEDUPED]+120)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #05 pc 0000000000b24bcc  /system/framework/arm64/boot-framework.oat (offset 0x41f000) (android.os.Handler.dispatchMessage+76)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #06 pc 0000000000b27d30  /system/framework/arm64/boot-framework.oat (offset 0x41f000) (android.os.Looper.loop+1264)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #07 pc 00000000009020c8  /system/framework/arm64/boot-framework.oat (offset 0x41f000) (android.app.ActivityThread.main+680)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #08 pc 000000000055ae4c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #09 pc 00000000000d04e8  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #10 pc 00000000004618b0  /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #11 pc 0000000000463304  /system/lib64/libart.so (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1440)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #12 pc 00000000003f2988  /system/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+52)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #13 pc 000000000011f7e4  /system/framework/arm64/boot.oat (offset 0x115000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+180)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #14 pc 0000000000e10428  /system/framework/arm64/boot-framework.oat (offset 0x41f000) (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+136)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #15 pc 0000000000e16fc0  /system/framework/arm64/boot-framework.oat (offset 0x41f000) (com.android.internal.os.ZygoteInit.main+2208)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #16 pc 000000000055ae4c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #17 pc 00000000000d04e8  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #18 pc 00000000004618b0  /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #19 pc 0000000000461510  /system/lib64/libart.so (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+424)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #20 pc 0000000000366218  /system/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+652)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #21 pc 00000000000b9c10  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+120)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #22 pc 00000000000bc7cc  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+772)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #23 pc 000000000000498c  /system/bin/app_process64 (main+1200)
08-14 16:05:04.891 22843 22843 F DEBUG   :     #24 pc 00000000000ae878  /system/lib64/libc.so (__libc_init+88)
08-14 16:05:05.215  3271  3271 E /system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_07

A crash in libart.so? In the Android Runtime? I googled the method name, but found nothing. I then tried to check the tombstone, but apparently I need a rooted device, so I gave up for now.

A keen reader might have already seen it. I read the backtrace more carefully, and there it is!

#03 pc 0000000001070a3c  /data/app/com.android.chrome-6evh5SPbzTzzad8Fbs-i1A==/oat/arm64/base.odex (offset 0x690000) (Xw0.onResult+860)

Crash in com.android.chrome? What is going on here?
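
The same reading of the backtrace, as an added example (not part of the original post): a small Python parser that takes the crashing process from the ">>> <<<" line and finds the first frame whose code lives under /data/app/, that is, belongs to an installed package rather than the system image. The sample input is a few lines copied from the log above; the function and field names are chosen for illustration.

```python
import re

# A few lines copied from the log above (not the full dump).
SAMPLE = """\
08-14 16:05:04.697 22843 22843 F DEBUG   : pid: 22733, tid: 22733, name: ndroid.feedback  >>> com.google.android.feedback <<<
08-14 16:05:04.697 22843 22843 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x3
08-14 16:05:04.890 22843 22843 F DEBUG   :     #00 pc 00000000004fd08c  /system/lib64/libart.so (_ZN3artL27DoGetCalleeSaveMethodCallerEPNS_9ArtMethodEmb.llvm.1156538818+252)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #01 pc 000000000051d680  /system/lib64/libart.so (artQuickResolutionTrampoline+732)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #03 pc 0000000001070a3c  /data/app/com.android.chrome-6evh5SPbzTzzad8Fbs-i1A==/oat/arm64/base.odex (offset 0x690000) (Xw0.onResult+860)
08-14 16:05:04.890 22843 22843 F DEBUG   :     #05 pc 0000000000b24bcc  /system/framework/arm64/boot-framework.oat (offset 0x41f000) (android.os.Handler.dispatchMessage+76)
"""

PROC_RE = re.compile(r">>> (\S+) <<<")
# "#NN pc ADDR  PATH [(offset 0x...)] [(symbol+off)]"
FRAME_RE = re.compile(
    r"#(\d+) pc ([0-9a-f]+)\s+(\S+)(?: \(offset 0x[0-9a-f]+\))?(?: \((.*)\))?\s*$")
# /data/app/<package>-<random>/...; newer releases add a "~~<random>/" level first.
APP_RE = re.compile(r"^/data/app/(?:~~[^/]+/)?([A-Za-z0-9_.]+)-")


def triage(log_text):
    """Return (crashing process, all frames, first frame owned by an installed app)."""
    process, frames = None, []
    for line in log_text.splitlines():
        if " F DEBUG " not in line:      # only the crash-dump lines
            continue
        m = PROC_RE.search(line)
        if m:
            process = m.group(1)
        m = FRAME_RE.search(line)
        if m:
            path = m.group(3)
            app = APP_RE.match(path)
            frames.append({"n": int(m.group(1)), "path": path,
                           "symbol": m.group(4),
                           "package": app.group(1) if app else None})
    culprit = next((f for f in frames if f["package"]), None)
    return process, frames, culprit


if __name__ == "__main__":
    process, frames, culprit = triage(SAMPLE)
    print("process that died :", process)
    print("first app frame   : #%02d %s (%s)" % (
        culprit["n"], culprit["package"], culprit["symbol"]))
```

The process that died and the package that owns the first app frame are different here, which is the detail that points at Chrome rather than at the app that crashed.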

The Fix

At least I know that on Android, WebView is mostly rendered using the system Chrome. The FastMail app was known to be just a wrapper for their (extremely good) mobile web. A few other apps that crashed randomly seemed to only crash when a WebView was rendered.

Chrome? Did I just spend 7 hours debugging a Chrome bug?

I re-installed Chrome on my Android, and everything went back to normal.

A factory reset would have worked, I think, but would have been much more painful. Note that the Android Crash Reporter runs WebView, so it also crashed (the log above was actually from the feedback app ndroid.feedback). But, really?