Crash with Verification error on Android 12+ [283715197]

Fixed

Bug

Status Update

No update yet.

Description

ku...@gmail.com

created issue #1

May 22, 2023 10:39AM

# compiler: R8
# compiler_version: 8.1.48

First - Verification error reported by system after APK installation

Verification error in void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a)
void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a): [0x12] 
void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a): [0x12] register v2 has type Precise Reference: y0.b but expected Unresolved Reference: com.foo.bar.AdapterContract
void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a) failed to verify: void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a): [0x15] copyRes1 v2<- result0 type=Conflict

App crases on Android 12+

FATAL EXCEPTION: main
Process: com.example.myapplication, PID: 4086
java.lang.VerifyError: Verifier rejected class com.foo.bar.TestViewController: void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a) failed to verify: void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a): [0x15] copyRes1 v2<- result0 type=Conflict (declaration of 'com.foo.bar.TestViewController' appears in /data/app/~~hYH_X5ICv_uxbaCCMrXfwQ==/com.example.myapplication-h_u08qil7FvRYQKJlO2K9A==/base.apk)
    	at com.example.myapplication.MainActivity.onCreate(SourceFile:4)
    	at android.app.Activity.performCreate(Activity.java:8305)
    	at android.app.Activity.performCreate(Activity.java:8284)
    	at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1417)
    	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3626)
    	at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3782)
    	at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:101)
    	at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
    	at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
    	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2307)
    	at android.os.Handler.dispatchMessage(Handler.java:106)
    	at android.os.Looper.loopOnce(Looper.java:201)
    	at android.os.Looper.loop(Looper.java:288)
    	at android.app.ActivityThread.main(ActivityThread.java:7872)
    	at java.lang.reflect.Method.invoke(Native Method)
    	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:936)

Cullprit changes was merged between 8.1.0-dev and 8.1.1-dev tag commits.

RejectionErrorSample.zip

117 KB

Download

Comments

mk...@google.com <mk...@google.com> May 22, 2023 01:16PM

Reassigned to mk...@google.com.

ku...@gmail.com <ku...@gmail.com> #2May 24, 2023 07:11AM

Guys, do you have any updates? That crash occurred in stable versions of R8.

mk...@google.com <mk...@google.com> #3May 24, 2023 11:41AM

Thank you for filing an issue with us and for creating a reproduction.

It seems like the issue is related to FilledNewArray. This is the code in 8.1.0-dev:

void com.foo.bar.TestViewController.updateContentState(com.foo.bar.b)
registers: 4, inputs: 2, outputs: 2
------------------------------------------------------------
inst#  offset  instruction         arguments
------------------------------------------------------------
    0:   0x00: InstanceOf          v0, v3, Lcom/foo/bar/b$a;
    1:   0x02: IfNez               v0, 0x25 (+35)
    2:   0x04: InstanceOf          v3, v3, Lcom/foo/bar/b$b;
    3:   0x06: IfEqz               v3, 0x24 (+30)
    4:   0x08: Const4              v3, 0x2 (2)
    5:   0x09: NewArray            v3, v3, [Lcom/foo/bar/a;
    6:   0x0b: NewInstance         v0, Lcom/foo/bar/a$b;
    7:   0x0d: InvokeDirect        { v0 } Lcom/foo/bar/a$b;<init>()V
    8:   0x10: Const4              v1, 0x0 (0)
    9:   0x11: AputObject          v0, v3, v1
   10:   0x13: NewInstance         v0, Lcom/foo/bar/a$a;
   11:   0x15: InvokeDirect        { v0 } Lcom/foo/bar/a$a;<init>()V
   12:   0x18: Const4              v1, 0x1 (1)
   13:   0x19: AputObject          v0, v3, v1

And this is after:

void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a)
registers: 3, inputs: 2, outputs: 2
------------------------------------------------------------
inst#  offset  instruction         arguments
------------------------------------------------------------
    0:   0x00: InstanceOf          v0, v2, Lcom/foo/bar/a$a;
    1:   0x02: IfNez               v0, 0x20 (+30)
    2:   0x04: InstanceOf          v2, v2, Lcom/foo/bar/a$b;
    3:   0x06: IfEqz               v2, 0x1f (+25)
    4:   0x08: NewInstance         v2, Ly0/b;
    5:   0x0a: InvokeDirect        { v2 } Ly0/b;<init>()V
    6:   0x0d: NewInstance         v0, Ly0/a;
    7:   0x0f: InvokeDirect        { v0 } Ly0/a;<init>()V
    8:   0x12: FilledNewArray      { v2 v0 } [Lcom/foo/bar/AdapterContract;
    9:   0x15: MoveResultObject    v2

It seems to work for D8:

void com.foo.bar.TestViewController.updateContentState(com.foo.bar.ContentState)
registers: 5, inputs: 2, outputs: 2
------------------------------------------------------------
inst#  offset  instruction         arguments
------------------------------------------------------------
   ...
   19:   0x29: NewInstance         v4, Lcom/foo/bar/AdapterContract$SummaryItem;
   20:   0x2b: SgetObject          v0, Lcom/foo/bar/SummaryItemType$LoadingSummaryItem;INSTANCE:Lcom/foo/bar/SummaryItemType$LoadingSummaryItem;
   21:   0x2d: CheckCast           v0, Lcom/foo/bar/SummaryItemType;
   22:   0x2f: InvokeDirect        { v4 v0 } Lcom/foo/bar/AdapterContract$SummaryItem;<init>(Lcom/foo/bar/SummaryItemType;)V
   23:   0x32: CheckCast           v4, Lcom/foo/bar/AdapterContract;
         0x34, #66, locals: [3 -> this]
   24:   0x34: NewInstance         v0, Lcom/foo/bar/AdapterContract$ListItem;
   25:   0x36: SgetObject          v1, Lcom/foo/bar/ListItemType$LoadingItem;INSTANCE:Lcom/foo/bar/ListItemType$LoadingItem;
   26:   0x38: CheckCast           v1, Lcom/foo/bar/ListItemType;
   27:   0x3a: InvokeDirect        { v0 v1 } Lcom/foo/bar/AdapterContract$ListItem;<init>(Lcom/foo/bar/ListItemType;)V
   28:   0x3d: CheckCast           v0, Lcom/foo/bar/AdapterContract;
   29:   0x3f: FilledNewArray      { v4 v0 } [Lcom/foo/bar/AdapterContract;
   30:   0x42: MoveResultObject    v4
         0x43, #64, locals: [3 -> this]
   31:   0x43: InvokeStatic        { v4 } Lkotlin/collections/CollectionsKt;listOf([Ljava/lang/Object;)Ljava/util/List;
   32:   0x46: ReturnVoid

I will check if the issue is the missing CheckCast.

mk...@google.com <mk...@google.com> #4May 24, 2023 01:18PM

I made a few additional checks with check-cast and typing the FilledNewArray as Ljava/lang/Object; and both worked.

void com.foo.bar.TestViewController.updateContentState(com.foo.bar.a)
registers: 3, inputs: 2, outputs: 2
------------------------------------------------------------
inst#  offset  instruction         arguments
------------------------------------------------------------
    0:   0x00: InstanceOf          v0, v2, Lcom/foo/bar/a$a;
    1:   0x02: IfNez               v0, 0x24 (+34)
    2:   0x04: InstanceOf          v2, v2, Lcom/foo/bar/a$b;
    3:   0x06: IfEqz               v2, 0x23 (+29)
    4:   0x08: NewInstance         v2, Ly0/b;
    5:   0x0a: InvokeDirect        { v2 } Ly0/b;<init>()V
    6:   0x0d: CheckCast           v2, Lcom/foo/bar/AdapterContract;
    7:   0x0f: NewInstance         v0, Ly0/a;
    8:   0x11: InvokeDirect        { v0 } Ly0/a;<init>()V
    9:   0x14: CheckCast           v0, Lcom/foo/bar/AdapterContract;
   10:   0x16: FilledNewArray      { v2 v0 } [Lcom/foo/bar/AdapterContract;
   11:   0x19: MoveResultObject    v2
...

I could reproduce the error on an api 33 emulator but not 31. Our headless VMs we use for testing did not reproduce it. One thing we can do is synthesize the CheckCast when creating FilledNewArray but potentially the ART team knows why the verifier rejects it on Android 13 (and potentially before).

ngeoffray@, are you aware of any problems or changes to the verification of FilledNewArray?

ku...@gmail.com <ku...@gmail.com> #5May 24, 2023 04:32PM

Yeah, this is my mistake. Crash reproducible on Android 13+

ap...@google.com <ap...@google.com> #6May 25, 2023 01:07PM

Project: r8
Branch: main

commit 2d8c93fe249ac143a8ae9966e85ea1d387b897bc
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Thu May 25 15:05:53 2023

Only generate FilledNewArray when puts match the concrete array type

Bug:

b/283715197

Change-Id: Ie24d90160cceeecd790a5074d8dbcbac116fb58e

M src/main/java/com/android/tools/r8/ir/optimize/CodeRewriter.java
M src/main/java/com/android/tools/r8/utils/InternalOptions.java
M src/test/java/com/android/tools/r8/TestParameters.java
M src/test/java/com/android/tools/r8/rewrite/arrays/FilledArrayDataRemoveCheckCastTest.java

https://r8-review.googlesource.com/79822

ap...@google.com <ap...@google.com> #7May 25, 2023 01:07PM

Project: r8
Branch: main

commit d4b1b5cde09d67a3b7cffed31c6d1cd5aba3ca5d
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Thu May 25 12:55:36 2023

Add tests for rewriting subtypes into FilledNewArray

Bug:

b/283715197

Change-Id: I24d847474f604ce7f0b95b3592a2c57faf1b19fe

M src/test/java/com/android/tools/r8/TestParameters.java
A src/test/java/com/android/tools/r8/rewrite/arrays/FilledArrayDataRemoveCheckCastTest.java
M src/test/java/com/android/tools/r8/utils/codeinspector/CfInstructionSubject.java
M src/test/java/com/android/tools/r8/utils/codeinspector/DexInstructionSubject.java
M src/test/java/com/android/tools/r8/utils/codeinspector/InstructionSubject.java

https://r8-review.googlesource.com/79821

ku...@gmail.com <ku...@gmail.com> #8May 26, 2023 10:48AM

Hi, guys. How about a backport in 8.1?

mk...@google.com <mk...@google.com> #9May 26, 2023 10:49AM

It will be backported when it passes our internal tests.

ap...@google.com <ap...@google.com> #10May 26, 2023 11:55AM

Project: r8
Branch: main

commit 9e7ce5ac7cde29d9c9e806143cc45b1bd9c0302b
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Fri May 26 13:54:38 2023

Check for member type to be of array type

Bug:

b/283715197

Change-Id: Iae3cc98b8a5f5d5eaeb49bf652c0bc4c652c4baf

M src/main/java/com/android/tools/r8/ir/optimize/CodeRewriter.java
M src/test/java/com/android/tools/r8/rewrite/arrays/SimplifyArrayConstructionTest.java

https://r8-review.googlesource.com/79841

ap...@google.com <ap...@google.com> #11May 30, 2023 08:28AM

Project: r8
Branch: 8.1

commit ca69ebf831445b1d059cc3fa7ef4d14e27b50b9d
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue May 30 09:18:58 2023

Version 8.1.51

Bug:

b/283715197

Change-Id: If935ca69028331d97c0f65ab99fecec43f3e8ef1

M src/main/java/com/android/tools/r8/Version.java

https://r8-review.googlesource.com/79883

ap...@google.com <ap...@google.com> #12May 30, 2023 08:28AM

Project: r8
Branch: 8.1

commit abc153927e0ce7b644f3b514aeb834a9da09d0ff
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue May 30 09:18:47 2023

Check for member type to be of array type

Bug:

b/283715197

https://r8-review.googlesource.com/79882

ap...@google.com <ap...@google.com> #13May 30, 2023 08:28AM

Project: r8
Branch: 8.1

commit 483f2aaf857ccf4c83fd2b5e66169d0f9499c416
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue May 30 09:18:34 2023

Only generate FilledNewArray when puts match the concrete array type

Bug:

b/283715197

https://r8-review.googlesource.com/79881

ap...@google.com <ap...@google.com> #14May 30, 2023 08:28AM

Project: r8
Branch: 8.1

commit 274db01d37ff28da61a304070e9457192a488999
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue May 30 09:18:22 2023

Add tests for rewriting subtypes into FilledNewArray

Bug:

b/283715197

https://r8-review.googlesource.com/79880

mk...@google.com <mk...@google.com> #15Jun 1, 2023 06:53AM

Verified by mk...@google.com.

This was fixed after landing: https://googleplex-android-review.git.corp.google.com/c/platform/prebuilts/r8/+/23489252

mk...@google.com <mk...@google.com> #16Jun 8, 2023 10:52AM

For our own purposes, the fix in ART is here: https://android-review.git.corp.google.com/c/platform/art/+/2438373

This can not be seen externally.

sg...@google.com <sg...@google.com> #17Jun 8, 2023 10:58AM

The public URL for the Art fix is: https://android-review.googlesource.com/c/platform/art/+/2438373.

ku...@gmail.com <ku...@gmail.com> #18Jun 16, 2023 06:54PM

Hey, guys! Crash still reproduced on Sample Project with fresh R8 8.1.53

mk...@google.com <mk...@google.com> #19Jun 19, 2023 11:42AM

Thanks for reporting back that this is still an issue. I've tested and could also see the same issue. I did do a check before submitting 8.1.51 but must either have used the D8 or an incorrect emulator.

The issue here is the check:

return clazz.isInterface() || valueType.isClassType(elementType);

Ordinarily, type-checking is weakened for interface types due other strange issues and since I found no issues testing it I included it. The fix needs to be:

return valueType.isClassType(elementType);

Will update the code and do a new cherry-pick to the 8.1 branch.

ap...@google.com <ap...@google.com> #20Jun 20, 2023 08:39AM

Project: r8
Branch: main

commit 3232b654f8432d9f8cc0a501afdc2bed8bbde0ec
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue Jun 20 10:37:25 2023

Disallow simplifying arrays to interface types if not exact type match

Bug:

b/283715197

Change-Id: Ie11bc1f834f3e30d23ae584ade0e006241e4b54b

M src/main/java/com/android/tools/r8/ir/conversion/passes/ArrayConstructionSimplifier.java
M src/test/java/com/android/tools/r8/rewrite/arrays/SimplifyArrayConstructionTest.java

https://r8-review.googlesource.com/80811

mk...@google.com <mk...@google.com> #21Jun 20, 2023 11:38AM

Status: Assigned (reopened)

Checked that running with 3232b654f8432d9f8cc0a501afdc2bed8bbde0ec resolves the issue by adding :

maven {
    url 'https://storage.googleapis.com/r8-releases/raw/main'
}

and

buildscript {
    dependencies {
        classpath("com.android.tools:r8:3232b654f8432d9f8cc0a501afdc2bed8bbde0ec")
    }
}

The APP now runs without throwing the error

# compiler: R8
# compiler_version: main
# min_api: 24
# compiler_hash: 3232b654f8432d9f8cc0a501afdc2bed8bbde0ec
# common_typos_disable
# {"id":"com.android.tools.r8.mapping","version":"2.2"}
# pg_map_id: 9ef8888
# pg_map_hash: SHA-256 9ef88884af70a1da33707ec31626367b52a37d290c9c8aadf9cd4dc008816dfd

Will merge this new CL to 8.1

ap...@google.com <ap...@google.com> #22Jun 20, 2023 07:56PM

Project: r8
Branch: 8.1

commit 7672aa5bcf2694b8576739355c8d59e3eec08e28
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue Jun 20 16:10:28 2023

Version 8.1.55

Bug:

b/283715197

Change-Id: I2fcada1fcb73437993a602f1b52f907ac58b93e2

M src/main/java/com/android/tools/r8/Version.java

https://r8-review.googlesource.com/80882

ap...@google.com <ap...@google.com> #23Jun 20, 2023 07:56PM

Project: r8
Branch: 8.1

commit b9c2cae08b1245442fcdc86373dd8164c61f4557
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue Jun 20 16:10:16 2023

Disallow simplifying arrays to interface types if not exact type match

Bug:

b/283715197

Change-Id: Ie11bc1f834f3e30d23ae584ade0e006241e4b54b

M src/main/java/com/android/tools/r8/ir/optimize/CodeRewriter.java
M src/test/java/com/android/tools/r8/rewrite/arrays/SimplifyArrayConstructionTest.java

https://r8-review.googlesource.com/80881

ap...@google.com <ap...@google.com> #24Jun 20, 2023 08:00PM

Project: r8
Branch: 8.1

commit 892155436bed60c4f2f7672d4993950e7b342bd9
Author: Morten Krogh-Jespersen <mkroghj@google.com>
Date: Tue Jun 20 16:18:51 2023

Version 8.1.56

Bug:

b/283715197

Change-Id: Ic845063045a560c9be152873092d50a6fd7c9ece

M src/main/java/com/android/tools/r8/Version.java

https://r8-review.googlesource.com/80884

mk...@google.com <mk...@google.com> Jul 3, 2023 10:20AM

Marked as fixed.

Issue 283715197

Description

Issue summary

Comments

mk...@google.com <mk...@google.com> May 22, 2023 01:16PM

ku...@gmail.com <ku...@gmail.com> #2May 24, 2023 07:11AM

mk...@google.com <mk...@google.com> #3May 24, 2023 11:41AM

mk...@google.com <mk...@google.com> #4May 24, 2023 01:18PM

ku...@gmail.com <ku...@gmail.com> #5May 24, 2023 04:32PM

ap...@google.com <ap...@google.com> #6May 25, 2023 01:07PM

ap...@google.com <ap...@google.com> #7May 25, 2023 01:07PM

ku...@gmail.com <ku...@gmail.com> #8May 26, 2023 10:48AM

mk...@google.com <mk...@google.com> #9May 26, 2023 10:49AM

ap...@google.com <ap...@google.com> #10May 26, 2023 11:55AM

ap...@google.com <ap...@google.com> #11May 30, 2023 08:28AM

ap...@google.com <ap...@google.com> #12May 30, 2023 08:28AM

ap...@google.com <ap...@google.com> #13May 30, 2023 08:28AM

ap...@google.com <ap...@google.com> #14May 30, 2023 08:28AM

mk...@google.com <mk...@google.com> #15Jun 1, 2023 06:53AM

mk...@google.com <mk...@google.com> #16Jun 8, 2023 10:52AM

sg...@google.com <sg...@google.com> #17Jun 8, 2023 10:58AM

ku...@gmail.com <ku...@gmail.com> #18Jun 16, 2023 06:54PM

mk...@google.com <mk...@google.com> #19Jun 19, 2023 11:42AM

ap...@google.com <ap...@google.com> #20Jun 20, 2023 08:39AM

mk...@google.com <mk...@google.com> #21Jun 20, 2023 11:38AM

ap...@google.com <ap...@google.com> #22Jun 20, 2023 07:56PM

ap...@google.com <ap...@google.com> #23Jun 20, 2023 07:56PM

ap...@google.com <ap...@google.com> #24Jun 20, 2023 08:00PM

mk...@google.com <mk...@google.com> Jul 3, 2023 10:20AM

Add comment

Issue metadata