Canvas.drawVertices() with valid input crashes OpenGL ES driver on Google Pixel 6 Pro

[badlogic]

Steps to Reproduce

1. Clone this minimal reproduction project: https://github.com/badlogic/flutter-mali-crash
2. Run it in any mode (debug, release, profile) on a Google Pixel 6 Pro. Both Android 12, build SQ3A.220705.004 and Android 13, build TP1A.220624.0.21 are affected. Might also happen on other phone models with the same SoC/GPU driver.

Expected results:
The repro app should display 12 instances of a simple textured triangle mesh. Desktop output:

Actual results:
The app crashes on a Google Pixel 6 Pro with the follwing stack trace:

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/raven/raven:13/TP1A.220624.021/8877034:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm64'
Timestamp: 2022-11-23 19:29:37.310413491+0100
Process uptime: 66s
Cmdline: com.example.flutter_mali_crash
pid: 5391, tid: 5440, name: 1.raster  >>> com.example.flutter_mali_crash <<<
uid: 10298
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400007045e52000
    x0  0000005eff8fb000  x1  b400007045e51fc0  x2  0000000000000004  x3  0000005eff90b280
    x4  b400007045e52014  x5  0000005eff90b2d4  x6  430600084449c001  x7  4533d77a4409f8d1
    x8  4449c001ffffffff  x9  4416e44a42b9fff8  x10 ffffffff45334388  x11 42b9fff844533ffb
    x12 440c7fd443060008  x13 ffffffff45375f85  x14 000000000000000c  x15 b400006e98cc5188
    x16 0000006d67ecbb38  x17 000000702d8f1e20  x18 0000006d006e0000  x19 0000000000000000
    x20 0000000000000000  x21 b400006ee8c4a570  x22 0000005eff8fb000  x23 00000000000102d4
    x24 0000000000000000  x25 b400006ee8c4a570  x26 b400006ee8c4a570  x27 0000000000000cf1
    x28 0000000000000028  x29 b400006ce5910ff0
    lr  0000006d65ffb65c  sp  0000006d0093a790  pc  000000702d8f1ddc  pst 0000000020001000
backtrace:
      #00 pc 000000000004eddc  /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+300) (BuildId: cbc4c62a9b269839456f1d7728d8411e)
      #01 pc 00000000007f6658  /vendor/lib64/egl/libGLES_mali.so (gles_vertexp_copy_client_buffers+120) (BuildId: ae75a6e293b6843d)
      #02 pc 0000000000822530  /vendor/lib64/egl/libGLES_mali.so (gles_vertex_prepare_nx+1200) (BuildId: ae75a6e293b6843d)
      #03 pc 00000000007fef90  /vendor/lib64/egl/libGLES_mali.so (gles_drawp_draw_common+1136) (BuildId: ae75a6e293b6843d)
      #04 pc 0000000000795380  /vendor/lib64/egl/libGLES_mali.so (gles2_draw_draw_range_elements+80) (BuildId: ae75a6e293b6843d)
      #05 pc 00000000017f6938  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #06 pc 000000000185dd88  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #07 pc 000000000185dc64  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #08 pc 00000000017ec6c8  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #09 pc 00000000017ec440  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #10 pc 00000000017ec9fc  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #11 pc 00000000016c4bec  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #12 pc 0000000001a12f60  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #13 pc 00000000018ed4f4  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #14 pc 00000000018ed490  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #15 pc 00000000019046cc  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #16 pc 0000000001903d88  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #17 pc 0000000001904b7c  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #18 pc 00000000019035c4  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #19 pc 0000000001903334  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #20 pc 0000000001910300  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #21 pc 00000000015e598c  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #22 pc 00000000015eb244  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #23 pc 0000000000011178  /system/lib64/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+808) (BuildId: 0b4a793fa8045c04066d988c68bac8bb)
      #24 pc 00000000000185e4  /system/lib64/libandroid.so (ALooper_pollOnce+100) (BuildId: 40e037fa2f0ad3b9aa4d871265e2bb7e)
      #25 pc 00000000015eb1cc  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #26 pc 00000000015e58e8  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #27 pc 00000000015e9844  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #28 pc 00000000000c14dc  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: cbc4c62a9b269839456f1d7728d8411e)
      #29 pc 0000000000054930  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: cbc4c62a9b269839456f1d7728d8411e)

I did some digging based on the symbolicated stack trace (see below) and have a theory what's going on.

The repro app constructs a single Vertices instance from a bunch of typed arrays with native backing. I've traced the construction of the instance through native code.

Vertices.raw() calls into Vertices::init() in vertices.cc, which builds a DlVertices instances via the DlVertices::Builder class. All the atttribute arrays like positions, uvs, etc. are actually deep copied, so it's unlikely to be GC issues.

The native side vertices are eventually handed to the OpenGL ES driver through gles2_draw_draw_range_elements(), which crashes in memcpy().

I assume the Flutter engine is batching Vertices instances that have the same Paint and vertex attributes. memcpy() on AARCH64 is notorious for being really picky about memory alignement. My guess is that somewhere in the batching process, the alignement goes bad, the batched vertices/indices are passed to the OpenGL ES driver through gles2_draw_draw_range_elements() and memcpy() says "no can do".

This is somewhat supported by the fact, that the crash does not happen if the dart side Vertices are rendered less than 12 times. On the other hand, the same alignement would likely happen on my other Android devices, so either their memcpy() version is more lenient, or my theory is wrong :)

Code sample

A minimal reproduction sample can be found here: https://github.com/badlogic/flutter-mali-crash

The sample loads mesh data from a text file and converts it to a Vertices instance. It also loads an image and constructs an ImageShader based Paint from it. It then proceeds to render the vertices instance 12 times at random locations on the screen via Canvas.drawVertices().

The app uses Flame to minimize the LOC count. Flame itself does not interfere with the rendering in any meaningful way other than setting a transform on the Canvas instance used for rendering.

import 'dart:convert';
import 'dart:math';
import 'dart:typed_data';
import 'dart:ui' as ui;

import 'package:flame/game.dart';
import 'package:flutter/services.dart';
import 'package:flutter/material.dart';
import 'package:flutter/painting.dart' as painting;

void main() {
  runApp(const MyApp());
}

class MaliCrash extends FlameGame {
  late ui.Image _texture;
  late Paint _paint;
  late ui.Vertices _vertices;
  late List<Vector2> _positions = [];

  Future<void> _loadPaint() async {
    final imageData = (await rootBundle.load("assets/spineboy.png")).buffer.asUint8List();
    final codec = await ui.instantiateImageCodec(imageData);
    final frameInfo = await codec.getNextFrame();
    _texture = frameInfo.image;
    _paint = Paint()
      ..shader = ImageShader(_texture, TileMode.clamp, TileMode.clamp, Matrix4.identity().storage, filterQuality: FilterQuality.high)
      ..isAntiAlias = true;
  }

  Future<void> _loadVertices() async {
    final lines = LineSplitter().convert(await rootBundle.loadString("assets/spineboy.mesh"));
    final numVertices = int.parse(lines[0]);
    final numIndices = int.parse(lines[1]);
    final positions = Float32List(numVertices * 2);
    final uvs = Float32List(numVertices * 2);
    final colors = Int32List(numVertices);
    final indices = Uint16List(numIndices);
    int idx = 2;
    for (int i = 0; i < numVertices * 2; i++) {
      positions[i] = double.parse(lines[idx++]) * 0.2;
    }
    for (int i = 0; i < numVertices * 2; i++) {
      uvs[i] = double.parse(lines[idx++]) * (i % 2 == 0 ? _texture.width : _texture.height);
    }
    for (int i = 0; i < numVertices; i++) {
      colors[i] = int.parse(lines[idx++]);
    }
    for (int i = 0; i < numIndices; i++) {
      indices[i] = int.parse(lines[idx++]);
    }

    _vertices = ui.Vertices.raw(VertexMode.triangles, positions, textureCoordinates: uvs, colors: colors, indices: indices);
  }

  @override
  Future<void> onLoad() async {
    await _loadPaint();
    await _loadVertices();
    final rng = Random();
    for (int i = 0; i < 12; i++) {
      _positions.add(Vector2(rng.nextDouble() * size.x, rng.nextDouble() * size.y));
    }
  }

  @override
  void render(Canvas canvas) {
    for (var position in _positions) {
      canvas.save();
      canvas.translate(position.x, position.y);
      canvas.drawVertices(_vertices, painting.BlendMode.modulate, _paint);
      canvas.restore();
    }
  }
}

class MyApp extends StatelessWidget {
  const MyApp({super.key});

  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Mali Crash',
      home: GameWidget(game: MaliCrash())
    );
  }
}

Logs

Relevant portion from flutter run --verbose -d <google-pixel-6-pro-device-id>

 *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/raven/raven:13/TP1A.220624.021/8877034:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm64'
Timestamp: 2022-11-23 19:29:37.310413491+0100
Process uptime: 66s
Cmdline: com.example.flutter_mali_crash
pid: 5391, tid: 5440, name: 1.raster  >>> com.example.flutter_mali_crash <<<
uid: 10298
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400007045e52000
    x0  0000005eff8fb000  x1  b400007045e51fc0  x2  0000000000000004  x3  0000005eff90b280
    x4  b400007045e52014  x5  0000005eff90b2d4  x6  430600084449c001  x7  4533d77a4409f8d1
    x8  4449c001ffffffff  x9  4416e44a42b9fff8  x10 ffffffff45334388  x11 42b9fff844533ffb
    x12 440c7fd443060008  x13 ffffffff45375f85  x14 000000000000000c  x15 b400006e98cc5188
    x16 0000006d67ecbb38  x17 000000702d8f1e20  x18 0000006d006e0000  x19 0000000000000000
    x20 0000000000000000  x21 b400006ee8c4a570  x22 0000005eff8fb000  x23 00000000000102d4
    x24 0000000000000000  x25 b400006ee8c4a570  x26 b400006ee8c4a570  x27 0000000000000cf1
    x28 0000000000000028  x29 b400006ce5910ff0
    lr  0000006d65ffb65c  sp  0000006d0093a790  pc  000000702d8f1ddc  pst 0000000020001000
backtrace:
      #00 pc 000000000004eddc  /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+300) (BuildId: cbc4c62a9b269839456f1d7728d8411e)
      #01 pc 00000000007f6658  /vendor/lib64/egl/libGLES_mali.so (gles_vertexp_copy_client_buffers+120) (BuildId: ae75a6e293b6843d)
      #02 pc 0000000000822530  /vendor/lib64/egl/libGLES_mali.so (gles_vertex_prepare_nx+1200) (BuildId: ae75a6e293b6843d)
      #03 pc 00000000007fef90  /vendor/lib64/egl/libGLES_mali.so (gles_drawp_draw_common+1136) (BuildId: ae75a6e293b6843d)
      #04 pc 0000000000795380  /vendor/lib64/egl/libGLES_mali.so (gles2_draw_draw_range_elements+80) (BuildId: ae75a6e293b6843d)
      #05 pc 00000000017f6938  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #06 pc 000000000185dd88  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #07 pc 000000000185dc64  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #08 pc 00000000017ec6c8  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #09 pc 00000000017ec440  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #10 pc 00000000017ec9fc  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #11 pc 00000000016c4bec  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #12 pc 0000000001a12f60  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #13 pc 00000000018ed4f4  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #14 pc 00000000018ed490  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #15 pc 00000000019046cc  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #16 pc 0000000001903d88  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #17 pc 0000000001904b7c  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #18 pc 00000000019035c4  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #19 pc 0000000001903334  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #20 pc 0000000001910300  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #21 pc 00000000015e598c  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #22 pc 00000000015eb244  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #23 pc 0000000000011178  /system/lib64/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+808) (BuildId: 0b4a793fa8045c04066d988c68bac8bb)
      #24 pc 00000000000185e4  /system/lib64/libandroid.so (ALooper_pollOnce+100) (BuildId: 40e037fa2f0ad3b9aa4d871265e2bb7e)
      #25 pc 00000000015eb1cc  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #26 pc 00000000015e58e8  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #27 pc 00000000015e9844  /data/app/~~pVyNdgPC-QI25691CUZIKQ==/com.example.flutter_mali_crash-g69PXgOHXhc12huBtR7sEg==/lib/arm64/libflutter.so (BuildId: d4ff4e896acecea4c25f81864600185cb1f37fb7)
      #28 pc 00000000000c14dc  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: cbc4c62a9b269839456f1d7728d8411e)
      #29 pc 0000000000054930  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: cbc4c62a9b269839456f1d7728d8411e)

Symbolicated stack entries for libflutter.so:

➜  flutter-mali-crash git:(main) ✗ ~/Library/Android/sdk/ndk/21.1.6352462/toolchains/llvm/prebuilt/darwin-x86_64/bin/aarch64-linux-android-addr2line -e ~/Downloads/libflutter.so
0x00000000017f6938
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/src/gpu/ganesh/GrOpFlushState.cpp:236
0x000000000185dd88
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/src/gpu/ganesh/ops/GrOp.h:193
0x000000000185dc64
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/src/gpu/ganesh/ops/OpsTask.cpp:645
0x00000000017ec6c8
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/src/gpu/ganesh/GrRenderTask.h:38
0x00000000017ec440
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:205
0x00000000017ec9fc
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:484
0x00000000017ec9fc
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:484
0x00000000016c4bec
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/skia/include/gpu/GrDirectContext.h:357
0x0000000001a12f60
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/shell/gpu/gpu_surface_gl_skia.cc:266
0x00000000018ed4f4
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/libcxx/include/functional:2419
0x00000000018ed490
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/flow/surface_frame.cc:40
0x00000000019046cc
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/shell/common/rasterizer.cc:704
0x0000000001903d88
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/shell/common/rasterizer.cc:484
0x0000000001904b7c
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/shell/common/rasterizer.cc:191
0x00000000019035c4
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/libcxx/include/functional:2419
0x0000000001903334
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/shell/common/rasterizer.cc:195
0x0000000001910300
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/shell/common/shell.cc:1167
0x00000000015e598c
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../third_party/libcxx/include/functional:2419
0x00000000015eb244
/b/s/w/ir/cache/builder/src/out/android_debug_arm64/../../flutter/fml/platform/android/message_loop_android.cc:42

Output offlutter doctor -v

[✓] Flutter (Channel stable, 3.3.8, on macOS 13.0 22A380 darwin-arm, locale en-AT)
    • Flutter version 3.3.8 on channel stable at /Users/badlogic/workspaces/flutter
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 52b3dc25f6 (2 weeks ago), 2022-11-09 12:09:26 +0800
    • Engine revision 857bd6b74c
    • Dart version 2.18.4
    • DevTools version 2.15.0

[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
    • Android SDK at /Users/badlogic/Library/Android/sdk
    • Platform android-33, build-tools 33.0.0
    • Java binary at: /Applications/Android Studio.app/Contents/jre/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 11.0.12+0-b1504.28-7817840)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 14.1)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 14B47b
    • CocoaPods version 1.11.3

[✓] Chrome - develop for the web
    • Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

[✓] Android Studio (version 2021.2)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.12+0-b1504.28-7817840)

[✓] IntelliJ IDEA Community Edition (version 2022.1.3)
    • IntelliJ at /Applications/IntelliJ IDEA CE.app
    • Flutter plugin version 70.0.4
    • Dart plugin version 221.5921.27

[✓] VS Code (version 1.73.1)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension can be installed from:
      🔨 https://marketplace.visualstudio.com/items?itemName=Dart-Code.flutter

[✓] Connected device (3 available)
    • Pixel 6 Pro (mobile) • 19131FDEE006RE • android-arm64  • Android 12 (API 32)
    • macOS (desktop)      • macos          • darwin-arm64   • macOS 13.0 22A380 darwin-arm
    • Chrome (web)         • chrome         • web-javascript • Google Chrome 107.0.5304.110

[✓] HTTP Host Availability
    • All required HTTP hosts are available

• No issues found!

[jonahwilliams]

@flutter-symbolizer-bot #115919 (comment) android release arm64

[badlogic]

@jonahwilliams apologies, this was a debug build, so the bot can't symbolicate. I've added symbolicated info in the Logs section?

[chinmaygarde]

I am not sure if this is due to alignment or OOB access. Either way, I'll try to reproduce and bring it to the attention of the Skia folks.

[vendik]

Reproduced in my own app on OnePlus 6, Android 11, Adreno gpu, with different list sizes and method call counts.

It seems the issue is device independent and drawVertices is completely unusable for any (Android) use case in Flutter.

Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:11/RKQ1.201217.002/2111252325:user/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2022-12-25 16:33:19+0100
pid: 21373, tid: 25427, name: 1.raster  >>> com.test.test_game <<<
uid: 11240
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7ac6778000
    x0  0000007ac17d1000  x1  0000007ac6777fe0  x2  00000000000234d4  x3  0000007ac1870f40
    x4  0000007ac679b504  x5  0000007ac18944a4  x6  0000000000000000  x7  0000000000000000
    x8  0000000000000000  x9  0000000000000000  x10 0000000000000000  x11 0000000000000000
    x12 0000000000000000  x13 0000000000000000  x14 0000000000000008  x15 0000000000000027
    x16 0000007ab70d8578  x17 0000007dc5164400  x18 0000007a633b0000  x19 0000007ac66d8060
    x20 00000000000c34a4  x21 0000000000009c3c  x22 0000007ac66d8060  x23 0000007bd40429b8
    x24 0000000000000000  x25 0000007ac17d1000  x26 00000000fffffff4  x27 0000007b4406a1f0
    x28 0000007b04093c10  x29 0000007a634cb4f0
    lr  0000007ab709a6b8  sp  0000007a634cb200  pc  0000007dc51643ac  pst 0000000020000000
backtrace:
      #00 pc 000000000004a3ac  /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+284) (BuildId: 07fbaeed7b7a19203975f06be6f1d5ef)
      #01 pc 00000000003896b4  /vendor/lib64/egl/libGLESv2_adreno.so (!!!0000!f56be09eb88f86833124f1df42e945!8e5405b!+34292) (BuildId: 86030fb912dd81c624c12d681f15873c)
      #02 pc 00000000001771e8  /vendor/lib64/egl/libGLESv2_adreno.so (!!!0000!6b200851123c7898055fe62ff9f71f!8e5405b!+616) (BuildId: 86030fb912dd81c624c12d681f15873c)
      #03 pc 000000000016ee70  /vendor/lib64/egl/libGLESv2_adreno.so (!!!0000!77df12deb6a622478efa8fb9929034!8e5405b!+376) (BuildId: 86030fb912dd81c624c12d681f15873c)
      #04 pc 000000000090100c  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #05 pc 00000000008af000  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #06 pc 00000000008afa64  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #07 pc 00000000007cc734  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #08 pc 0000000000a67e60  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #09 pc 0000000000965810  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #10 pc 0000000000976120  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #11 pc 0000000000976e9c  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #12 pc 00000000009768b0  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #13 pc 0000000000980154  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #14 pc 0000000000718d60  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #15 pc 000000000071c2e8  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #16 pc 0000000000019da8  /system/lib64/libutils.so (android::Looper::pollInner(int)+916) (BuildId: 9b0d2d57431eb7385cd57ca628bc282f)
      #17 pc 00000000000199ac  /system/lib64/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+112) (BuildId: 9b0d2d57431eb7385cd57ca628bc282f)
      #18 pc 0000000000012c74  /system/lib64/libandroid.so (ALooper_pollOnce+100) (BuildId: 393737794b8d1fccde421d733d0fd671)
      #19 pc 000000000071c3f4  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #20 pc 000000000071aa20  /data/app/~~k5TFD6AexPobrsm6CHvG3A==/com.test.test_game-fqi93pYSxfJLcGrcbaGvNA==/lib/arm64/libflutter.so (BuildId: 564646c01bd34847870f318ca1487738fe9a5b6f)
      #21 pc 00000000000b0048  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+64) (BuildId: 07fbaeed7b7a19203975f06be6f1d5ef)
      #22 pc 00000000000503c8  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 07fbaeed7b7a19203975f06be6f1d5ef)

[jason-simmons]

Reproduced this on a Pixel 6a.

This started with google/skia@8a85ab0

A segfault is happening in the device's implementation of glDrawRangeElements when called from GrGLOpsRenderPass::onDrawIndexed

Looked into this and noticed what appears to be an off-by-one between the size of the bound vertex buffer and the maxIndexValue passed to glDrawRangeElements.

I can get this app to render without crashing by replacing maxIndexValue with maxIndexValue - 1 in the glDrawRangeElements call.

[jason-simmons]

Landed a fix in Skia: https://skia-review.googlesource.com/c/skia/+/631396

[badlogic]

Fantastic! Is there an ETA when this will land in Flutter?

…

On Thu, Jan 19, 2023, 00:08 Jason Simmons ***@***.***> wrote: Landed a fix in Skia: https://skia-review.googlesource.com/c/skia/+/631396 — Reply to this email directly, view it on GitHub <#115919 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD5QBDFMI6WFPEXBOXWPATWTBZVTANCNFSM6AAAAAASI53WEQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[chinmaygarde]

The Skia patch landed and was rolled into the engine in flutter/engine#39024.

[badlogic]

@chinmaygarde sorry for one more question: this hasn't made it into Flutter 3.7.0, has it? Unless I made an error in my testing, the issue still persists with 3.7.0.

edit: verified my test setup. The issue is present in 3.7.0 as well as latest from the beta channel. It is fixed in the master channel.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.