BiometricPrompt.AuthenticationCallback tied to activity lifecycle and leak fragments when following example code. [167014923]

Fixed

Bug

Status Update

No update yet.

Description

py...@gmail.com

created issue #1

Aug 30, 2020 02:05PM

Biometric library version: 1.1.0-alpha01

This bug was reported in Mozilla Fenix, but it's actually a leak in BiometricViewModel.

Mozilla Fenix bug report: https://github.com/mozilla-mobile/fenix/issues/13477

To reproduce, follow the official Android X sample code and add the sample code to a fragment. Display the login prompt, get the fragment destroyed, the fragment is now leaking

As soon as the fragment is destroyed, the leak triggers as the fragment cannot be garbage collected because the AuthenticationCallback implementation is retained.

┬───
│ GC Root: Global variable in native code
│
├─ dalvik.system.PathClassLoader instance
│ Leaking: NO (InternalLeakCanary↓ is not leaking and A ClassLoader is never leaking)
│ ↓ PathClassLoader.runtimeInternalObjects
├─ java.lang.Object[] array
│ Leaking: NO (InternalLeakCanary↓ is not leaking)
│ ↓ Object[].[891]
├─ leakcanary.internal.InternalLeakCanary class
│ Leaking: NO (HomeActivity↓ is not leaking and a class is never leaking)
│ ↓ static InternalLeakCanary.resumedActivity
├─ org.mozilla.fenix.HomeActivity instance
│ Leaking: NO (Activity#mDestroyed is false)
│ ↓ HomeActivity.mViewModelStore
│                ~~~~~~~~~~~~~~~
├─ androidx.lifecycle.ViewModelStore instance
│ Leaking: UNKNOWN
│ ↓ ViewModelStore.mMap
│                  ~~~~
├─ java.util.HashMap instance
│ Leaking: UNKNOWN
│ ↓ HashMap.table
│           ~~~~~
├─ java.util.HashMap$Node[] array
│ Leaking: UNKNOWN
│ ↓ HashMap$Node[].[2]
│                  ~~~
├─ java.util.HashMap$Node instance
│ Leaking: UNKNOWN
│ ↓ HashMap$Node.value
│                ~~~~~
├─ androidx.biometric.BiometricViewModel instance
│ Leaking: UNKNOWN
│ ↓ BiometricViewModel.mClientCallback
│                      ~~~~~~~~~~~~~~~
├─ org.mozilla.fenix.settings.logins.fragment.SavedLoginsAuthFragment$biometricPromptCallback$1 instance
│ Leaking: UNKNOWN
│ Anonymous subclass of androidx.biometric.BiometricPrompt$AuthenticationCallback
│ ↓ SavedLoginsAuthFragment$biometricPromptCallback$1.this$0
│                                                     ~~~~~~
╰→ org.mozilla.fenix.settings.logins.fragment.SavedLoginsAuthFragment instance
 Leaking: YES (ObjectWatcher was watching this because org.mozilla.fenix.settings.logins.fragment.SavedLoginsAuthFragment received Fragment#onDestroy() callback and Fragment#mFragmentManager is null)
 key = 77a534a9-73fb-4b7e-9bb1-1c26e0064ca8
 watchDurationMillis = 9964
 retainedDurationMillis = 4964

Looking at the Android X BiometricPrompt sources, the callback is set in BiometricPrompt.init() which is called from the BiometricPrompt constructor and never unset.

    private void init(
            @Nullable FragmentActivity activity,
            @Nullable FragmentManager fragmentManager,
            @Nullable Executor executor,
            @NonNull AuthenticationCallback callback) {

        mClientFragmentManager = fragmentManager;

        if (activity != null) {
            final BiometricViewModel viewModel =
                    new ViewModelProvider(activity).get(BiometricViewModel.class);
            if (executor != null) {
                viewModel.setClientExecutor(executor);
            }
            viewModel.setClientCallback(callback);
        }
    }

So, as it stands, there is no way to clear the callback, and BiometricViewModel is always created with an activity lifecycle, so the callback always has the lifecycle of the activity. This means that currently the library will leak any fragment it's used from.

Comments

py...@gmail.com <py...@gmail.com> #2Aug 31, 2020 09:14AM

A couple of questions:

1. Have you saw crash in real device or only in simulators?
2. Do you use dynamic feature for language ID?

rb...@unwire.com <rb...@unwire.com> #3Oct 14, 2020 11:24AM

Tested on Android 12 Emulator with custom executor, but cannot repro this issue.

ca...@gmail.com <ca...@gmail.com> #4Nov 4, 2020 09:48PM

Second crash in the description is from a real device. Experienced it myself on two different Xiaomi phones, plus lots of crashes from users in the Google Play console.
Dynamic features are not used in the application.

As a wild guess, I have downgraded build tools from 31.0.0 to 30.0.3, compileSdk from 31 to 30, and moved all work with Language ID to the service in a separate process (just to be sure that crash can kill secondary process instead of main). This combination is in beta for 2 days by now and I don't see any SIGSEGV crashes.

cu...@google.com <cu...@google.com> Jan 15, 2021 09:49PM

Accepted by cu...@google.com.

ap...@google.com <ap...@google.com> #5Jan 21, 2021 01:18AM

Hmm, I feel the crash might be something related to separate/secondary process.

I also changed compileSdk and targetSDK to 31 but still cannot repro this issue.

cu...@google.com <cu...@google.com> Jan 21, 2021 02:21AM

Marked as fixed.

di...@gmail.com <di...@gmail.com> #6Feb 9, 2021 06:08PM

On the contrary, there was no separate process before, when crashes started.

In the new build (with the aforementioned changes) I can see SIGSEGV crash, but only one instead of dozens and it has a bit different backtrace:

signal 11 (SIGSEGV), code 1 (SEGV_MAPERR)
liblanguage_id_jni.so (offset 0x11e000)

backtrace:
  #00  pc 000000000003c7c0  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/split_config.arm64_v8a.apk!lib/arm64-v8a/liblanguage_id_jni.so (offset 0x11e000)
  #00  pc 000000000003b960  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/split_config.arm64_v8a.apk!lib/arm64-v8a/liblanguage_id_jni.so (offset 0x11e000)
  #00  pc 000000000003bb48  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/split_config.arm64_v8a.apk!lib/arm64-v8a/liblanguage_id_jni.so (offset 0x11e000)
  #00  pc 000000000003bafc  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/split_config.arm64_v8a.apk!lib/arm64-v8a/liblanguage_id_jni.so (offset 0x11e000)
  #00  pc 0000000000036c98  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/split_config.arm64_v8a.apk!lib/arm64-v8a/liblanguage_id_jni.so (offset 0x11e000)
  #00  pc 0000000000032714  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/split_config.arm64_v8a.apk!lib/arm64-v8a/liblanguage_id_jni.so (offset 0x11e000)
  #00  pc 0000000000031cac  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/split_config.arm64_v8a.apk!lib/arm64-v8a/liblanguage_id_jni.so (offset 0x11e000)
  #00  pc 0000000000057438  /data/app/azagroup.reedy-mF7zTu2bv_ELlbFArwNgqA==/oat/arm64/base.odex (offset 0x57000)

ja...@sharesies.co.nz <ja...@sharesies.co.nz> #7Oct 6, 2022 01:04AM

FYI, ML Kit launched a new language ID SDK in the latest release, which uses a new language ID model. https://developers.google.com/ml-kit/release-notes#august_11_2021

Could you try the new SDK version(17.0.0) to check if you can still repro this native crash? Thanks!

te...@gmail.com <te...@gmail.com> #8May 31, 2023 03:47PM

Thank you, I'll try it and check.