R8 full mode causes ClassCastException inside org.apache.ftpserver:ftpserver-core:1.2.0 [349872492]

Assigned

Bug

Status Update

No update yet.

Description

dr...@gmail.com

created issue #1

Jun 28, 2024 07:49AM

See also https://github.com/zhanghai/MaterialFiles/issues/1260#issuecomment-2196254166 for a bit more info about the error.

Stacktrace:

CREATED
OPENED
SENT: 220 Service ready for new user.
RECEIVED: USER anonymous
SENT: 331 Guest login okay, send your complete e-mail address as password.
RECEIVED: PASS *****
PASS.execute()
java.lang.ClassCastException
	at e5.a.p(SourceFile:1)
	at S8.f.e(SourceFile:75)
	at M8.q.a(SourceFile:270)
...
Login failure - anonymous
SENT: 530 Authentication failed.
CLOSED

Deobfuscated stacktrace:

java.lang.ClassCastException
	at org.apache.ftpserver.impl.FtpIoSession.getClientCertificates(FtpIoSession.java)
	at org.apache.ftpserver.command.impl.PASS.execute(PASS.java)
	at org.apache.ftpserver.impl.DefaultFtpHandler.messageReceived(DefaultFtpHandler.java)
...

Steps to reproduce:

Clone https://github.com/zhanghai/MaterialFiles/tree/v1.7.3 (the v1.7.3 release tag).
Create a signing.properties by following signing.properties.example in the project, i.e. generate a signing key and fill it in.
Run ./gradlew clean build and install APK
Start FTP server from drawer, then use "Add stroage > FTP server" and 127.0.0.1:2121 + Anonymous authentication to connect to that server, connection fails due to auth failure and the above ClassCastException is shown in the logcat.
Rebuild the app but with android.enableR8.fullMode=false added to gradle.properties (similar to this reverted commit), then install, restart FTP server and retry the FTP connection - it works fine this time without R8 full mode.

Comments

dr...@gmail.com <dr...@gmail.com> #2Jun 28, 2024 08:13AM

Hello,

Thank you for reaching out to us with your request.

We have duly noted your feedback and will thoroughly validate it. While we cannot provide an estimated time of implementation or guarantee the fulfillment of the issue, please be assured that your input is highly valued. Your feedback enables us to enhance our products and services.

We appreciate your continued trust and support in improving our Google Cloud Platform products. In case you want to report a new issue, Please do not hesitate to create a new issue on the Issue Tracker providing a detailed description of your issue.

Once again, we sincerely appreciate your valuable feedback; Thank you for your understanding and collaboration.

sg...@google.com <sg...@google.com> #3Jun 28, 2024 02:22PM

Reassigned to sg...@google.com.

Being able to view the available backups in console would be helpful

dr...@gmail.com <dr...@gmail.com> #4Jun 28, 2024 09:26PM

I can confirm that adding the following rule fixes the issue (SslFilter doesn't have a no-arg constructor so I picked the 1-arg one):

-keep class org.apache.mina.filter.ssl.SslFilter {
    public <init>(javax.net.ssl.SSLContext);
}

However, there's something more confusing and worrying here.

I wanted to check how SslFilter is being instantiated via reflection so I connected Java debugger to a debug build. To my surprise, my breakpoint in either of the two constructors were never hit, and when I added breakpoint to FtpIoSession.getClientCertificates(), I could see that on debug build if (getFilterChain().contains(SslFilter.class)) actually evaluated to false and the branch that contains the cast was never hit.

    public Certificate[] getClientCertificates() {
        // Hit but false
        if (getFilterChain().contains(SslFilter.class)) {
            // Never hit
            SslFilter sslFilter = (SslFilter) getFilterChain().get(
                    SslFilter.class);
...
        }

        // no certificates available
        return null;

    }

This is also kind of evident in terms of functionality - the FTP server included in Material Files doesn't support or enable SSL at all, so it's natural that an SslFilter is never instantiated either.

There's no reflective instantiation of SslFilter according to code search within its source code either.

My guess is that due to SSL is unused the SslFilter class is also somehow optimized (e.g. its constructor got correctly removed), but that somehow messed up the Class.isAssignableFrom() check in DefaultIoFilterChain.contains() as well.

Could you please help double check if there's something unexpected that R8 is doing in this case?

I tested and found that this regression/behavior change happend in AGP 8.4.0, so I'll revert to AGP 8.3.2 for now.

Message last modified on Jun 30, 2024 05:03AM

Issue 349872492

Description

Issue summary

Comments

dr...@gmail.com <dr...@gmail.com> #2Jun 28, 2024 08:13AM

sg...@google.com <sg...@google.com> #3Jun 28, 2024 02:22PM

dr...@gmail.com <dr...@gmail.com> #4Jun 28, 2024 09:26PM

Add comment

Issue metadata