Description
On a Pixel 8a with GrapheneOS the app crashes with a memory tagging error in OsmAnd::MapMarkersAnimator_P::update.
The crash only happens when GPS is enabled and happens around the time that the app normally starts displaying the GPS position. When memory tagging is enabled the crash happens 100% of the time and always with the same location in the binary. Disabling memory tagging allows the invalid access and the app continues working without crashing.
If my theory is correct (I can't test it because I can't get the build to work) this is caused by this line removing the item from the collection followed by the access via the key variable (which is now invalid) a few lines down.
Steps to reproduce
- Open OsmAnd on a device with hardware memory tagging enabled
- Wait for GPS lock
- Observe crash
Actual result
Crash
Expected result
No crash
Your Environment (required)
WARNING Crash-Logs MAY contain information you deem sensitive.
Review this CAREFULLY before posting your issue!
OsmAnd Version: 4.9.10 FDroid and 5.0.5 FDroid
Android version: 15 (GrapheneOS)
Device model: Google Pixel 8a
Crash-Logs:
Crash on 4.9.10:
type: crash
flags: dev options enabled
package: net.osmand.plus:491003, targetSdk 34
osVersion: google/akita/akita:15/BP1A.250505.005.B1/2025052800:user/release-keys
uid: 10163 (u:r:untrusted_app:s0:c163,c256,c512,c768)
cmdline: net.osmand.plus
processUptime: 3s
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr d00d25e4193edf0
threadName: GLThread 32
MTE: enabled
backtrace:
/data/app/~~XPBKeeVEEAu9GP5rvdrkYA==/net.osmand.plus-MsiW4-ba6Auct1SuU5x3-w==/lib/arm64/libOsmAndCoreWithJNI.so (OsmAnd::MapMarkersAnimator_P::update(float)+812, pc 8e00dc)
/data/app/~~XPBKeeVEEAu9GP5rvdrkYA==/net.osmand.plus-MsiW4-ba6Auct1SuU5x3-w==/lib/arm64/libOsmAndCoreWithJNI.so (Java_net_osmand_core_jni_OsmAndCoreJNI_MapMarkersAnimator_1update+16, pc 7e0550)
/system/framework/arm64/boot-framework.oat (art_jni_trampoline+124, pc 7ee96c)
/data/app/~~XPBKeeVEEAu9GP5rvdrkYA==/net.osmand.plus-MsiW4-ba6Auct1SuU5x3-w==/oat/arm64/base.odex (net.osmand.core.jni.MapMarkersAnimator.update+48, pc 3732420)
/data/app/~~XPBKeeVEEAu9GP5rvdrkYA==/net.osmand.plus-MsiW4-ba6Auct1SuU5x3-w==/oat/arm64/base.odex (net.osmand.core.android.MapRendererView$RendererProxy.onDrawFrame+664, pc 36f6ec8)
/apex/com.android.art/lib64/libart.so (nterp_helper+7712, pc 7c9d90)
/system/framework/framework.jar (android.opengl.GLSurfaceView$GLThread.guardedRun+1092, pc 224214)
/apex/com.android.art/lib64/libart.so (nterp_helper+3924, pc 7c8ec4)
/system/framework/framework.jar (android.opengl.GLSurfaceView$GLThread.run+52, pc 22484c)
/apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612, pc 37db94)
/apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+140, pc 3a61ac)
/apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1008, pc 54bcb0)
/apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+12, pc 54b8ac)
/apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+180, pc 7b134)
/apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 6bc64)
Crash on 5.0.5:
type: crash
flags: dev options enabled
package: net.osmand.plus:500503, targetSdk 34
osVersion: google/akita/akita:15/BP1A.250505.005.B1/2025052800:user/release-keys
uid: 10163 (u:r:untrusted_app:s0:c163,c256,c512,c768)
cmdline: net.osmand.plus
processUptime: 8s
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr f00cf008ff27880
threadName: GLThread 32
MTE: enabled
backtrace:
/data/app/~~inDnOx5EynUNuvoBYcG_MA==/net.osmand.plus-JaFWXxQHey1ZG2tZTYirmA==/lib/arm64/libOsmAndCoreWithJNI.so (OsmAnd::MapMarkersAnimator_P::update(float)+812, pc 903144)
/data/app/~~inDnOx5EynUNuvoBYcG_MA==/net.osmand.plus-JaFWXxQHey1ZG2tZTYirmA==/lib/arm64/libOsmAndCoreWithJNI.so (Java_net_osmand_core_jni_OsmAndCoreJNI_MapMarkersAnimator_1update+16, pc 7fce08)
/system/framework/arm64/boot-framework.oat (art_jni_trampoline+124, pc 7ee96c)
/data/app/~~inDnOx5EynUNuvoBYcG_MA==/net.osmand.plus-JaFWXxQHey1ZG2tZTYirmA==/oat/arm64/base.odex (net.osmand.core.jni.MapMarkersAnimator.update+48, pc 398a450)
/data/app/~~inDnOx5EynUNuvoBYcG_MA==/net.osmand.plus-JaFWXxQHey1ZG2tZTYirmA==/oat/arm64/base.odex (net.osmand.core.android.MapRendererView$RendererProxy.onDrawFrame+608, pc 393a130)
/apex/com.android.art/lib64/libart.so (nterp_helper+7712, pc 7c9d90)
/system/framework/framework.jar (android.opengl.GLSurfaceView$GLThread.guardedRun+1092, pc 224214)
/apex/com.android.art/lib64/libart.so (nterp_helper+3924, pc 7c8ec4)
/system/framework/framework.jar (android.opengl.GLSurfaceView$GLThread.run+52, pc 22484c)
/apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612, pc 37db94)
/apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+140, pc 3a61ac)
/apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1008, pc 54bcb0)
/apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+12, pc 54b8ac)
/apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+180, pc 7b134)
/apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 6bc64)
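The pattern the report's theory describes, a reference to a container key that is still read after the entry it belongs to has been erased, next to the hardened form that copies the key first. This is an added example and not OsmAnd code; it assumes std::unordered_map as a stand-in for the real collection, and the Animation struct and marker ids are constructed.

```cpp
#include <string>
#include <unordered_map>
#include <vector>

// Constructed stand-in for an animation entry keyed by marker id
struct Animation {
    float progress;   // 0..1, finished once it reaches 1
};

using AnimationMap = std::unordered_map<int, Animation>;

// Shape of the suspected bug: 'key' is a reference into the node that
// erase() destroys, so the later read touches freed memory. Under MTE the
// allocator retags freed memory, the pointer's tag no longer matches, and
// the read faults with SEGV_MTESERR. Kept for illustration only; it is
// undefined behaviour and the test does not call it.
std::vector<int> updateDangling(AnimationMap& anims, float dt) {
    std::vector<int> finished;
    for (auto it = anims.begin(); it != anims.end();) {
        const int& key = it->first;          // reference into the node
        it->second.progress += dt;
        if (it->second.progress >= 1.0f) {
            it = anims.erase(it);            // node freed, 'key' now dangles
            finished.push_back(key);         // use-after-free
        } else {
            ++it;
        }
    }
    return finished;
}

// Hardened form: copy the key by value before erasing, so nothing read
// after erase() lives inside the destroyed node.
std::vector<int> updateSafe(AnimationMap& anims, float dt) {
    std::vector<int> finished;
    for (auto it = anims.begin(); it != anims.end();) {
        const int key = it->first;           // own copy, outlives the node
        it->second.progress += dt;
        if (it->second.progress >= 1.0f) {
            it = anims.erase(it);            // erase returns the next iterator
            finished.push_back(key);         // safe: reads our copy
        } else {
            ++it;
        }
    }
    return finished;
}
```

Without MTE the dangling read in the first version usually returns the stale value and goes unnoticed, which matches the report's observation that the app keeps working once tagging is disabled.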