How to debug and solve null pointer dereference in Android libgui.so

Question

I'm trying to get the Sony Stock Camera from their tama devices working on Android 12. I'm getting the following backtrace:

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Sony/H8324/H8324:10/52.1.A.3.49/052001A003004902006556692:user/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2022-08-16 20:04:11.168778323+0200
Process uptime: 0s
Cmdline: com.sonyericsson.android.camera
pid: 3646, tid: 3678, name: ImageReader  >>> com.sonyericsson.android.camera <<<
uid: 10133
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference
    x0  0000007c7081b5d0  x1  0000007ee0a7f7cc  x2  0000000000000000  x3  0000000000000010
    x4  0000000000000000  x5  0000007bce6a9fa8  x6  0000007f020ff000  x7  0000000000001ac8
    x8  0000007eebfefa38  x9  0000007eebfb6d00  x10 0000007eebfefa28  x11 000000007081b5e8
    x12 0000ffff00000eff  x13 00000000db4450c6  x14 003b7c4575e22800  x15 0000e787a5a92f54
    x16 0000007ef28a97f8  x17 0000007ee09e4c78  x18 0000007bce16e000  x19 ffffffff9d042408
    x20 0000007da07ef240  x21 00000000ce6aa260  x22 0000000000000000  x23 0000007bce6ab000
    x24 0000007c4d808d00  x25 0000007bce6aa470  x26 0000007bce6aa484  x27 0000007bce6aa470
    x28 0000007bce6aa360  x29 0000007bce6aa210
    lr  0000007eebfac2b8  sp  0000007bce6aa200  pc  0000007eebfac2dc  pst 0000000060000000

backtrace:
      #00 pc 00000000000e22dc  /system/lib64/libgui.so (android::Surface::Surface(android::sp<android::IGraphicBufferProducer> const&, bool, android::sp<android::IBinder> const&)+128) (BuildId: 5f0e35ac67a320ebbf7dbfedaba3b4f3)
      #01 pc 000000000000103c  /system/system_ext/lib64/libgui_shim.so (android::Surface::Surface(android::sp<android::IGraphicBufferProducer> const&, bool)+40) (BuildId: f763096071886df8dfce73855c765827)
      #02 pc 0000000000011eb4  /system/lib64/libimageprocessorjni.so (BypassCameraBurstBufferManager_initializeSurface+216) (BuildId: c3128a7b0c9351c6fe96247d3e3c35b7)
      #03 pc 000000000000e8c4  /system/lib64/libimageprocessorjni.so (BypassCameraPhoto_prepareSnapshot+84) (BuildId: c3128a7b0c9351c6fe96247d3e3c35b7)
      #04 pc 000000000000c580  /system/lib64/libimageprocessorjni.so (Java_com_sonymobile_imageprocessor_bypasscamera2_BypassCamera_nativeRequestPrepareSnapshot+24) (BuildId: c3128a7b0c9351c6fe96247d3e3c35b7)
      #05 pc 0000000000222244  /apex/com.android.art/lib64/libart.so (art_quick_generic_jni_trampoline+148) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #06 pc 0000000000212b80  /apex/com.android.art/lib64/libart.so (nterp_helper+5648) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #07 pc 000000000068c7bc  /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk (com.sonymobile.imageprocessor.bypasscamera2.BypassCamera.requestPrepareSnapshot+4)
      #08 pc 00000000002124c4  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #09 pc 00000000005c3c84  /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk (com.sonyericsson.android.camera.device.BypassCameraController.requestPrepareSnapshot+184)
      #10 pc 00000000002124c4  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #11 pc 00000000005c2b28  /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk (com.sonyericsson.android.camera.device.BypassCameraController.access$5400+0)
      #12 pc 00000000002115a4  /apex/com.android.art/lib64/libart.so (nterp_helper+52) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #13 pc 00000000005c0652  /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk (com.sonyericsson.android.camera.device.BypassCameraController$1.run+474)
      #14 pc 0000000000519190  /system/framework/arm64/boot-framework.oat (android.os.Handler.dispatchMessage+80) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085)
      #15 pc 000000000051c08c  /system/framework/arm64/boot-framework.oat (android.os.Looper.loopOnce+1148) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085)
      #16 pc 000000000051bb74  /system/framework/arm64/boot-framework.oat (android.os.Looper.loop+516) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085)
      #17 pc 000000000051b058  /system/framework/arm64/boot-framework.oat (android.os.HandlerThread.run+536) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085)
      #18 pc 0000000000218964  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+548) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #19 pc 0000000000284208  /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+188) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #20 pc 000000000061fab0  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithJValues<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, jvalue const*)+460) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #21 pc 000000000066e674  /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1184) (BuildId: 143d4d521718f1d1b0005e86eb8ae170)
      #22 pc 00000000000b1810  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+264) (BuildId: 6bfaf10f10e5ff343703efae2f1bdbdb)
      #23 pc 00000000000512f0  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 6bfaf10f10e5ff343703efae2f1bdbdb)

Since libimageprocessorjni.so is closed source and there's no updated lib which matches the new Surface constructor I had to create a shim:

#include <cutils/log.h>
#include <gui/IGraphicBufferProducer.h>

#define LOG_TAG "libgui_shim"

extern "C" void _ZN7android7SurfaceC1ERKNS_2spINS_22IGraphicBufferProducerEEEbRKNS1_INS_7IBinderEEE(
        const android::sp<android::IGraphicBufferProducer>& bufferProducer, bool controlledByApp = false,
        const android::sp<android::IBinder>& surfaceControlHandle = nullptr);

extern "C" void _ZN7android7SurfaceC1ERKNS_2spINS_22IGraphicBufferProducerEEEb(
        const android::sp<android::IGraphicBufferProducer>& bufferProducer, bool controlledByApp) {
    if (bufferProducer == nullptr) {
        ALOGE("bufferProducer == nullptr");
    }
    _ZN7android7SurfaceC1ERKNS_2spINS_22IGraphicBufferProducerEEEbRKNS1_INS_7IBinderEEE(bufferProducer, controlledByApp);
}

As you can see I've already tried to figure out where the null pointer happens exactly (It isn't bufferProducer because there's no bufferProducer == nullptr in the log). I don't think it's the surfaceControlHandle but the method definition in my shim exactly matches the one from libgui: https://android.googlesource.com/platform/frameworks/native/+/refs/tags/android-12.1.0_r22/libs/gui/include/gui/Surface.h#93 Running addr2line is not that helpful either:

$ aarch64-linux-android-addr2line -e libgui.so -s -f -C 00000000000e22dc
aarch64-linux-android-addr2line: libgui.so: don't know how to handle section `.relr.dyn' [0x      13]
sp
StrongPointer.h:273

Checking StrongPointer.h at line 273 (https://android.googlesource.com/platform/system/core/+/refs/tags/android-12.1.0_r22/libutils/include/utils/StrongPointer.h#273) I can see that other must be NULL.

Is there any convenient way to find out what other is and how to solve my null pointer dereference?

EDIT: The partial output from stack by reading in the tombstone as described here:

Stack Trace:
  RELADDR           FUNCTION                                                                                                                                                                                                         FILE:LINE
  v-------------->  android::sp<android::IGraphicBufferProducer>::sp(android::sp<android::IGraphicBufferProducer> const&)                                                                                                            system/core/libutils/include/utils/StrongPointer.h:273
  00000000000e22dc  android::Surface::Surface(android::sp<android::IGraphicBufferProducer> const&, bool, android::sp<android::IBinder> const&)+128                                                                                   frameworks/native/libs/gui/Surface.cpp:67
  000000000000103c  android::Surface::Surface(android::sp<android::IGraphicBufferProducer> const&, bool)+40                                                                                                                          device/sony/tama-common/libshims/gui_shim.cpp:10 (discriminator 2)
  0000000000011eb4  BypassCameraBurstBufferManager_initializeSurface+216) (BuildId: c3128a7b0c9351c6fe96247d3e3c35b7                                                                                                                 /system/lib64/libimageprocessorjni.so
  000000000000e8c4  BypassCameraPhoto_prepareSnapshot+84) (BuildId: c3128a7b0c9351c6fe96247d3e3c35b7                                                                                                                                 /system/lib64/libimageprocessorjni.so
  000000000000c580  Java_com_sonymobile_imageprocessor_bypasscamera2_BypassCamera_nativeRequestPrepareSnapshot+24) (BuildId: c3128a7b0c9351c6fe96247d3e3c35b7                                                                        /system/lib64/libimageprocessorjni.so
  0000000000222244  art_quick_generic_jni_trampoline+148) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                                                                                 /apex/com.android.art/lib64/libart.so
  0000000000212b80  nterp_helper+5648) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                                                                                                    /apex/com.android.art/lib64/libart.so
  000000000068c7bc  com.sonymobile.imageprocessor.bypasscamera2.BypassCamera.requestPrepareSnapshot+4                                                                                                                                /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk
  00000000002124c4  nterp_helper+3924) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                                                                                                    /apex/com.android.art/lib64/libart.so
  00000000005c3c84  com.sonyericsson.android.camera.device.BypassCameraController.requestPrepareSnapshot+184                                                                                                                         /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk
  00000000002124c4  nterp_helper+3924) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                                                                                                    /apex/com.android.art/lib64/libart.so
  00000000005c2b28  com.sonyericsson.android.camera.device.BypassCameraController.access$5400+0                                                                                                                                      /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk
  00000000002115a4  nterp_helper+52) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                                                                                                      /apex/com.android.art/lib64/libart.so
  00000000005c0652  com.sonyericsson.android.camera.device.BypassCameraController$1.run+474                                                                                                                                          /system/priv-app/SemcCameraUI-xxhdpi-release/SemcCameraUI-xxhdpi-release.apk
  0000000000519190  android.os.Handler.dispatchMessage+80) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085                                                                                                                        /system/framework/arm64/boot-framework.oat
  000000000051c08c  android.os.Looper.loopOnce+1148) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085                                                                                                                              /system/framework/arm64/boot-framework.oat
  000000000051bb74  android.os.Looper.loop+516) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085                                                                                                                                   /system/framework/arm64/boot-framework.oat
  000000000051b058  android.os.HandlerThread.run+536) (BuildId: 37e0b9b91b95ea25a00d76a0661686229fcf1085                                                                                                                             /system/framework/arm64/boot-framework.oat
  0000000000218964  art_quick_invoke_stub+548) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                                                                                            /apex/com.android.art/lib64/libart.so
  0000000000284208  art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+188) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                     /apex/com.android.art/lib64/libart.so
  000000000061fab0  art::JValue art::InvokeVirtualOrInterfaceWithJValues<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, jvalue const*)+460) (BuildId: 143d4d521718f1d1b0005e86eb8ae170  /apex/com.android.art/lib64/libart.so
  000000000066e674  art::Thread::CreateCallback(void*)+1184) (BuildId: 143d4d521718f1d1b0005e86eb8ae170                                                                                                                              /apex/com.android.art/lib64/libart.so
  00000000000b1810  __pthread_start(void*)+264) (BuildId: 6bfaf10f10e5ff343703efae2f1bdbdb                                                                                                                                           /apex/com.android.runtime/lib64/bionic/libc.so
  00000000000512f0  __start_thread+64) (BuildId: 6bfaf10f10e5ff343703efae2f1bdbdb

So this must be the bufferPRoducer somehow. If i use patchelf to replace libgui with the stock version from Android 10 and a bunch of related other libs the error is gone. It must be somehow possible to use shims to get the old behavior back instead of pushing 25 old stock libs on my device.

android::sp& surfaceControlHandle = nullptr ? Assigning nullptr to a reference??? — Pepijn Kramer, Aug 17 '22 at 16:54
@PepijnKramer yes, but the surfaceControlHandle is not the problem. Based on the stack output it's actually the bufferProducer. Even though I don't get the log output for my nullptr check. — dtrunk, Aug 17 '22 at 17:20
It might not be the problem, however null references have no place in a valid program so that default assignment to nullptr shouldn't even be there. See answer to this : https://stackoverflow.com/questions/4364536/is-null-reference-possible — Pepijn Kramer, Aug 17 '22 at 17:56
@PepijnKramer It's also there in the AOSP code and it's a valid nullptr because it's somewhat of an optional variable which don't need to be used. See https://android.googlesource.com/platform/frameworks/native/+/refs/tags/android-12.1.0_r22/libs/gui/include/gui/Surface.h#93 which I also linked to in my question above. — dtrunk, Aug 17 '22 at 17:58
A reference is not a pointer, and make your extern "C" functions real "C" functions, so make a function that calls the constructor (C++ is not supposed to be exported like that) — Pepijn Kramer, Aug 17 '22 at 18:01

How to debug and solve null pointer dereference in Android libgui.so

0 Answers0