Description
Android application type
Classic Xamarin.Android (MonoAndroid12.0, etc.)
Affected platform version
VS 2022 17.7.2
Description
Having a native Android library with a function that receives two unsigned short arrays, and passing a large string (at least 521,593 characters) as the first argument, and an empty char array of the same size as the second argument crashes the app with [libc] Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR) only when running from a worker thread. Running the same code from the UI thread works fine.
I haven't tested with all other architectures, so not sure if the issue is specific to ARM and x86 or happens on other architectures.
The same issue doesn't happen with MAUI on .NET 8 preview
Simple sample application attached where the issue occurs
AndroidPinvokeTest.zip
Steps to Reproduce
- Download the attached test app and run the Xamarin version (note, for ARM, I had to increase the string length to 621,593 in order to recreate the issue, so the string size might be variable)
- Click the Run Test button on the main page
Did you find any workaround?
No
Relevant log output
x86 emulator logs:
09-20 13:37:12.100 29181 29274 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb6677ffc in tid 29274 (Thread Pool Wor), pid 29181 (name.xamformapp)
09-20 13:37:12.089 550 1507 I system_server: oneway function results will be dropped but finished with status OK and parcel size 4
09-20 13:37:12.109 29181 29234 D OpenGLRenderer: endAllActiveAnimators on 0xe7e84c30 (RippleDrawable) with handle 0xb65a2bd0
09-20 13:37:12.148 29308 29308 I crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-20 13:37:12.149 291 291 I tombstoned: received crash request for pid 29274
09-20 13:37:12.154 29308 29308 I crash_dump32: performing dump of process 29181 (target tid = 29274)
09-20 13:37:12.164 29308 29308 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-20 13:37:12.164 29308 29308 F DEBUG : Build fingerprint: 'Android/sdk_phone_x86/generic_x86:11/RSR1.210210.001.A1/7193139:userdebug/dev-keys'
09-20 13:37:12.164 29308 29308 F DEBUG : Revision: '0'
09-20 13:37:12.164 29308 29308 F DEBUG : ABI: 'x86'
09-20 13:37:12.165 29308 29308 F DEBUG : Timestamp: 2023-09-20 13:37:12+0100
09-20 13:37:12.165 29308 29308 F DEBUG : pid: 29181, tid: 29274, name: Thread Pool Wor >>> com.companyname.xamformapp <<<
09-20 13:37:12.165 29308 29308 F DEBUG : uid: 10121
09-20 13:37:12.165 29308 29308 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb6677ffc
09-20 13:37:12.165 29308 29308 F DEBUG : Cause: stack pointer is close to top of stack; likely stack overflow.
09-20 13:37:12.165 29308 29308 F DEBUG : eax e8008cb0 ebx bf4afb58 ecx e8008cb0 edx b6678030
09-20 13:37:12.165 29308 29308 F DEBUG : edi b6776b41 esi e8008cb0
09-20 13:37:12.165 29308 29308 F DEBUG : ebp b6776bd8 esp b6678000 eip bf3d5019
09-20 13:37:12.171 29308 29308 F DEBUG : backtrace:
09-20 13:37:12.171 29308 29308 F DEBUG : #00 pc 002c5019 /data/app/~~y9svOvY9GoPQ1EQWmGrLIg==/com.companyname.xamformapp-CDNHQs_YO0BgjXyw7F2vUA==/lib/x86/libmonosgen-2.0.so (mono_threads_enter_gc_safe_region_unbalanced_with_info+9)
09-20 13:37:12.229 550 6354 I system_server: oneway function results will be dropped but finished with status OK and parcel size 4
09-20 13:37:12.394 0 0 D logd : logdr: UID=10121 GID=10121 PID=29308 n tail=50 logMask=8 pid=29181 start=0ns timeout=0ns
09-20 13:37:12.396 0 0 D logd : logdr: UID=10121 GID=10121 PID=29308 n tail=50 logMask=1 pid=29181 start=0ns timeout=0ns
09-20 13:37:12.724 0 0 D logd : logdr: UID=10121 GID=10121 PID=29308 n tail=0 logMask=8 pid=29181 start=0ns timeout=0ns
09-20 13:37:12.738 291 291 E tombstoned: Tombstone written to: /data/tombstones/tombstone_15
ARM Castles device logs:
--------- beginning of crash
09-21 05:21:34.094 3621 3711 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x87da9ffc in tid 3711 (Thread Pool Wor), pid 3621 (name.xamformapp)
09-21 05:21:34.117 473 2890 D audio_hw_primary: start_output_stream: exit
09-21 05:21:34.117 473 2890 D msm8916_platform: platform_split_snd_device: snd_device(2) num devices(0) new_snd_devices(0)
09-21 05:21:34.117 473 2890 I msm8916_platform: platform_get_custom_mtmx_params: no matching param with id 0 ip_ch 2 op_ch 1 uc_id 1 snd_dev 2
09-21 05:21:34.130 3621 3692 D OpenGLRenderer: endAllActiveAnimators on 0x87723c80 (RippleDrawable) with handle 0x8772f9f0
09-21 05:21:34.149 517 517 I ConfigStore: android::hardware::configstore::V1_0::ISurfaceFlingerConfigs::hasHDRDisplay retrieved: 0
09-21 05:21:34.200 517 517 I chatty : uid=1000(system) /system/bin/surfaceflinger identical 10 lines
09-21 05:21:34.200 517 517 I ConfigStore: android::hardware::configstore::V1_0::ISurfaceFlingerConfigs::hasHDRDisplay retrieved: 0
09-21 05:21:34.208 3751 3751 I crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-21 05:21:34.208 801 801 I /system/bin/tombstoned: received crash request for pid 3711
09-21 05:21:34.210 3751 3751 I crash_dump32: performing dump of process 3621 (target tid = 3711)
09-21 05:21:34.216 517 517 I ConfigStore: android::hardware::configstore::V1_0::ISurfaceFlingerConfigs::hasHDRDisplay retrieved: 0
09-21 05:21:34.244 3751 3751 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-21 05:21:34.244 3751 3751 F DEBUG : Build fingerprint: 'Castles/msm8937_32/msm8937_32:9/PKQ1.191020.001/kurt08300547:user/dev-keys'
09-21 05:21:34.244 3751 3751 F DEBUG : Revision: '0'
09-21 05:21:34.244 3751 3751 F DEBUG : ABI: 'arm'
09-21 05:21:34.244 3751 3751 F DEBUG : pid: 3621, tid: 3711, name: Thread Pool Wor >>> com.companyname.xamformapp <<<
09-21 05:21:34.244 3751 3751 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x87da9ffc
09-21 05:21:34.244 3751 3751 F DEBUG : r0 0003068c r1 87050030 r2 00000001 r3 80000000
09-21 05:21:34.244 3751 3751 F DEBUG : r4 00000000 r5 00000000 r6 87050030 r7 00000000
09-21 05:21:34.244 3751 3751 F DEBUG : r8 8f7bf360 r9 ad5bad8c r10 00000000 r11 87ea91a8
09-21 05:21:34.244 3751 3751 F DEBUG : ip 87ea91a8 sp 87d79970 lr 00000000 pc 8838da60
09-21 05:21:34.286 3751 3751 F DEBUG :
09-21 05:21:34.286 3751 3751 F DEBUG : backtrace:
09-21 05:21:34.286 3751 3751 F DEBUG : #00 pc 0000da60 <anonymous:88380000>
09-21 05:21:34.283 517 517 I chatty : uid=1000(system) /system/bin/surfaceflinger identical 13 lines
FYI @msackton
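
A triage sketch for the two tombstones above, added here as an example and not part of the original report or the project's code: it pulls the signal, fault address and stack pointer out of debuggerd lines and flags a SEGV_ACCERR that lands near the stack pointer. The sample lines are copied from the logs in this issue; the 1 MiB window and the function name are assumptions.

```python
import re

SIG = re.compile(r"signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\), fault addr 0x([0-9a-f]+)")
SP = re.compile(r"\b(?:esp|rsp|sp)\s+([0-9a-f]{8,16})\b")   # x86, x86_64, arm/arm64
THREAD = re.compile(r"name: (.+?)\s+>>> (\S+) <<<")

# Assumption: a fault within 1 MiB of the stack pointer is treated as stack-related.
WINDOW = 1 << 20

# Lines copied from the x86 and ARM tombstones in the report above.
X86_LOG = """\
F DEBUG : pid: 29181, tid: 29274, name: Thread Pool Wor >>> com.companyname.xamformapp <<<
F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb6677ffc
F DEBUG : ebp b6776bd8 esp b6678000 eip bf3d5019
"""
ARM_LOG = """\
F DEBUG : pid: 3621, tid: 3711, name: Thread Pool Wor >>> com.companyname.xamformapp <<<
F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x87da9ffc
F DEBUG : ip 87ea91a8 sp 87d79970 lr 00000000 pc 8838da60
"""

def triage(log):
    """Return crash facts from debuggerd output, or None if signal or sp is missing."""
    sig, sp, thr = SIG.search(log), SP.search(log), THREAD.search(log)
    if not (sig and sp):
        return None
    fault = int(sig.group(5), 16)
    stack_ptr = int(sp.group(1), 16)
    delta = fault - stack_ptr            # signed distance from sp to the faulting address
    return {
        "thread": thr.group(1) if thr else None,
        "signal": sig.group(2),
        "code": sig.group(4),
        "fault_addr": fault,
        "sp": stack_ptr,
        "delta": delta,
        "page_offset": fault & 0xFFF,    # 0xffc = last 4-byte word of a 4 KiB page
        # SEGV_ACCERR means the page is mapped but access was denied (e.g. a guard page).
        "stack_overflow_likely": sig.group(4) == "SEGV_ACCERR" and abs(delta) <= WINDOW,
    }

if __name__ == "__main__":
    for name, log in (("x86", X86_LOG), ("arm", ARM_LOG)):
        r = triage(log)
        print(name, r["thread"], hex(r["fault_addr"]), hex(r["sp"]),
              r["delta"], hex(r["page_offset"]), r["stack_overflow_likely"])
```

On the x86 dump the fault sits 4 bytes below esp, and on the ARM dump it sits 0x3068c bytes above sp, which equals the value in r0; both faulting addresses are the last word of a page.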