Android: 64-bit ARM apk crashes during startup. #32175
Labels: P-android (Android devices)
mukilan added the C-untriaged (New issues that haven't been triaged yet) and P-android (Android devices) labels, and removed the C-untriaged label, on Apr 29, 2024
Looks like Gecko doesn't run into this issue only because it uses
Patching Servo to use jemalloc on Android also fixes the crash in Servo, so I guess that might be the permanent solution here.
mukilan added a commit to mukilan/servo that referenced this issue on May 13, 2024:
This is a fix for the crash issue in 64-bit ARM [servo#32175][1]. When targeting Android 11 and above, 64-bit ARM platforms have the 'Tagged Pointer' feature enabled by default which causes memory allocated using the system allocator to have a non-zero 'tag' set in the highest byte of heap addresses. This is incompatible with SpiderMonkey which assumes that only the bottom 48 bits are set and asserts this at various points. Both Servo and Gecko have a similar architecture where the pointer to a heap allocated DOM struct is encoded as a JS::Value and stored in the DOM_OBJECT_SLOT (reserved slot) of the JSObject which reflects the native DOM struct. As observed in servo#32175, even Gecko crashes with `jemalloc` disabled which suggests that support for using the native system allocator with tagged pointers enabled by default is not present at the moment.
[1]: servo#32175
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
github-merge-queue bot pushed a commit that referenced this issue on May 13, 2024:
This is a fix for the crash issue in 64-bit ARM [#32175][1]. When targeting Android 11 and above, 64-bit ARM platforms have the 'Tagged Pointer' feature enabled by default which causes memory allocated using the system allocator to have a non-zero 'tag' set in the highest byte of heap addresses. This is incompatible with SpiderMonkey which assumes that only the bottom 48 bits are set and asserts this at various points. Both Servo and Gecko have a similar architecture where the pointer to a heap allocated DOM struct is encoded as a JS::Value and stored in the DOM_OBJECT_SLOT (reserved slot) of the JSObject which reflects the native DOM struct. As observed in #32175, even Gecko crashes with `jemalloc` disabled which suggests that support for using the native system allocator with tagged pointers enabled by default is not present at the moment.
[1]: #32175
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Describe the bug:
Android builds for 64-bit ARM crash on startup with the following error message:
To Reproduce:
```shell
./mach build --target=aarch64-linux-android
./mach install --target=aarch64-linux-android
./mach run --android
```
More info
I was able to generate a backtrace by setting RUST_BACKTRACE=full in the JNI port's init method.
I decoded the stack trace using addr2line and nm, and I think this is due to the Tagged Pointers feature enabled on 64-bit ARM systems for apps that target Android SDK 30 and above. The Tagged Pointer feature sets the uppermost byte of a 64-bit pointer to a non-zero tag value for identifying memory safety issues. However, SpiderMonkey assumes all user-mode pointers are only 48 bits wide on 64-bit systems when encoding the user-mode pointer into a JS::Value. A similar assertion is present in mozjs as well.
Servo in particular stores the pointers to the Rust-allocated DOM structs as Private JS::Value in the reserved slot of the reflected JSObject. Since the addresses of these Rust-allocated DOM structs are tagged, i.e. the upper byte is non-zero, the assertions in both SM and mozjs are violated.
I'm not sure how Gecko deals with this case. Either they have MTE disabled (which is possible using the AndroidManifest.xml, but this option will go away) or Gecko doesn't rely on using private user mode pointers the way Servo does, or uses a custom allocator for non-JS objects.
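The following is an added example, not part of the issue report and not Servo, mozjs or SpiderMonkey code. It models the mismatch the report describes: on Android 11+ arm64, the system allocator hands back heap addresses with a non-zero tag in the top byte (bits 63..56, the byte AArch64 Top Byte Ignore lets the CPU disregard), while the engine's private-pointer boxing assumes only the low 48 bits are set. The tag value (0x2B), the sample addresses and the payload layout of `encode_private_pointer` (pointer shifted right by one, pointer must be 2-byte aligned) are constructed assumptions for illustration; `fits_48_bits`, `strip_top_byte` and `count_tagged` are the checks a practitioner would want when triaging raw addresses from a decoded backtrace on such a device.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Under AArch64 Top Byte Ignore the tag occupies bits 63..56 of an address. */
#define TOP_BYTE_SHIFT 56
#define TOP_BYTE_MASK  ((uint64_t)0xFF << TOP_BYTE_SHIFT)

/* The tag byte of an address (0x00 for an untagged pointer). */
uint8_t top_byte(uint64_t p) { return (uint8_t)(p >> TOP_BYTE_SHIFT); }

/* Model of the engine invariant from the issue: only the low 48 bits may be set. */
bool fits_48_bits(uint64_t p) { return (p >> 48) == 0; }

/* Model of what the Android 11+ system allocator does on an arm64 device:
 * the heap address comes back with a non-zero tag in its top byte.
 * (Constructed model; on a real device the allocator picks the tag.) */
uint64_t simulate_android_tag(uint64_t p, uint8_t tag) {
    return (p & ~TOP_BYTE_MASK) | ((uint64_t)tag << TOP_BYTE_SHIFT);
}

/* What the CPU does on a load/store with TBI: the top byte is ignored.
 * Handy for normalising raw addresses copied out of a backtrace. */
uint64_t strip_top_byte(uint64_t p) { return p & ~TOP_BYTE_MASK; }

/* Model of the private-pointer encode path. An engine that asserts the
 * 48-bit invariant aborts here; this version returns false instead so the
 * failure mode can be exercised. The payload layout (pointer >> 1, pointer
 * must be 2-byte aligned) is an assumption for illustration only. */
bool encode_private_pointer(uint64_t p, uint64_t *payload_out) {
    if ((p & 1) != 0) return false;      /* low bit reserved by the boxing scheme */
    if (!fits_48_bits(p)) return false;  /* the tagged-pointer crash path */
    *payload_out = p >> 1;
    return true;
}

/* Convenience wrapper: would this address survive the encode path? */
bool private_pointer_encodable(uint64_t p) {
    uint64_t payload = 0;
    return encode_private_pointer(p, &payload);
}

/* Triage helper: count addresses that violate the 48-bit assumption and
 * print each one with its tag and untagged form. */
size_t count_tagged(const uint64_t *addrs, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!fits_48_bits(addrs[i])) {
            bad++;
            printf("tagged   %#018" PRIx64 "  tag=0x%02x  untagged=%#018" PRIx64 "\n",
                   addrs[i], top_byte(addrs[i]), strip_top_byte(addrs[i]));
        }
    }
    return bad;
}

int main(void) {
    /* A heap object standing in for a Rust-allocated DOM struct. On an
     * Android 11+ arm64 device this address would already carry a tag. */
    void *dom_struct = malloc(64);
    if (!dom_struct) return 1;
    uint64_t plain = (uint64_t)(uintptr_t)dom_struct;

    printf("untagged %#018" PRIx64 "  encodes: %s\n", plain,
           private_pointer_encodable(plain) ? "yes" : "no");

    /* Constructed tag value standing in for what the allocator would set. */
    uint64_t tagged = simulate_android_tag(plain, 0x2B);
    printf("tagged   %#018" PRIx64 "  encodes: %s\n", tagged,
           private_pointer_encodable(tagged) ? "yes" : "no");

    /* Constructed sample of raw addresses as they might appear in a decoded
     * backtrace: two tagged heap pointers and one untagged code pointer. */
    const uint64_t sample[] = { tagged, simulate_android_tag(plain + 0x40, 0x1D),
                                0x00005a3c1000ULL };
    printf("%zu of %zu sample addresses are tagged\n",
           count_tagged(sample, 3), (size_t)3);

    free(dom_struct);
    return 0;
}
```

Run on a Linux or macOS x86-64 host it prints that the plain malloc result encodes and the synthetically tagged copy does not, which is the same outcome the report sees when the real Android allocator supplies the tag. The two ways out that the thread itself names are to stop the allocator from tagging (the manifest option the reporter mentions, or switching the process to jemalloc as the fix commit does) or to teach the engine to mask the top byte before boxing; the model above makes it easy to see why the assertion fires for the first option's absence and what `strip_top_byte` would have to do for the second.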