Description
SDK and version
SDK: Java
Version: 10.18.0 (Core 13.26)
Observations
- How frequently does the crash occur? Occasionally
- Does it happen in production or during dev/test? Production
- Can the crash be reproduced by you? No
- Can you provide instructions for how we can reproduce it? No
Crash log / stacktrace
```
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x000000749819b000
x0  0000007549db8c68  x1  0000007549db8c50  x2  0000000000000001  x3  0000007549db8c51
x4  0000007549db8c51  x5  000000749d84fa22  x6  0000000000000000  x7  0329363530456e67
x8  00000074977e35ef  x9  ffffffffffffffff  x10 0000000000000000  x11 0000000000000010
x12 0000000000000006  x13 0000000000000000  x14 0000000000000000  x15 cccccccccccccccd
x16 000000754c6e7640  x17 000000754c34e848  x18 0000000000000010  x19 0000007549db8c68
x20 000000749819b000  x21 000000754c6c06a8  x22 0000007549db8fa0  x23 0000007549db8cd8
x24 0000007549db8c70  x25 000000754c6c0780  x26 00000074977e4014  x27 0000000000000a24
x28 0000000000000004  x29 0000007549db8e80
lr  000000754c3fdb64  sp  0000007549db8c30  pc  000000754c3fdb4c  pst 0000000020001000
45 total frames
backtrace:
#00 pc 000000000052bb4c  /system/lib64/librealm-jni.so (BuildId: aa217a1a1b03f926baca10c685be43ebb7ff54eb)
#01 pc 000000000052af90  /system/lib64/librealm-jni.so (BuildId: aa217a1a1b03f926baca10c685be43ebb7ff54eb)
#02 pc 0000000000516314  /system/lib64/librealm-jni.so (Java_io_realm_internal_UncheckedRow_nativeGetString+76) (BuildId: aa217a1a1b03f926baca10c685be43ebb7ff54eb)
#03 pc 00000000000c5950  /system/framework/arm64/boot.oat (art_jni_trampoline+112) (BuildId: 36a7ad640553c3bd7087c686f110d5fb93a394bb)
#04 pc 000000000020a980  /apex/com.android.art/lib64/libart.so (nterp_helper+5648) (BuildId: 0b86a4ef6d0b55361e40b63f447517db)
#05 pc 00000000002bd5ac  /system/custom/app/Gallery/Gallery.apk (io.realm.internal.UncheckedRow.getString+4)
```
Steps & Code to Reproduce
We located the crash location: realm-library/src/main/cpp/util.cpp:
```cpp
jstring to_jstring(JNIEnv* env, StringData str) {
    // ......
    size_t size = Xcode::find_utf16_buf_size(in_begin2, in_end, error_code);
    if (in_begin2 != in_end) {
        throw realm::RuntimeError(ErrorCodes::RuntimeError,
                                  string_to_hex("Failure when computing UTF-16 size", str, in_begin, in_end,
                                                out_curr, out_end, size, error_code));
    }
    // ......
}

static std::string string_to_hex(const std::string& message, StringData& str, const char* in_begin, const char* in_end,
                                 jchar* out_curr, jchar* out_end, size_t retcode, size_t error_code)
{
    std::ostringstream ret;
    const char* s = str.data();
    ret << message << " ";
    ret << "error_code = " << error_code << "; ";
    ret << "retcode = " << retcode << "; ";
    ret << "StringData.size = " << str.size() << "; ";
    ret << "StringData.data = " << str << "; ";    // (Crashed here)
    ret << "StringData as hex = ";
    for (std::string::size_type i = 0; i < str.size(); ++i)
        ret << " 0x" << std::hex << std::setfill('0') << std::setw(2) << (int)s[i];
    ret << "; ";
    ret << "in_begin = " << in_begin << "; ";
    ret << "in_end = " << in_end << "; ";
    ret << "out_curr = " << out_curr << "; ";
    ret << "out_end = " << out_end << ";";
    return ret.str();
}
```
We compiled the SDK based on realm-java 10.18.0 (Core 13.26), added some logs, and found that str.size() == -1, which caused a memory out-of-bounds error when constructing the RuntimeError message:
```
09-15 13:59:35.461  8607  8759 I REALM_MYDEBUG: error_code = 4
09-15 13:59:35.461  8607  8759 I REALM_MYDEBUG: retcode = 2596
09-15 13:59:35.461  8607  8759 I REALM_MYDEBUG: StringData.size = 18446744073709551615  (that is -1)
09-15 13:59:35.461  8607  8759 I REALM_MYDEBUG: in_begin = 0x74977e4014    (bigger than in_end)
09-15 13:59:35.461  8607  8759 I REALM_MYDEBUG: in_end = 0x74977e35ef
09-15 13:59:35.461  8607  8759 I REALM_MYDEBUG: out_curr = 0x7549db8f40
09-15 13:59:35.461  8607  8759 I REALM_MYDEBUG: out_end = 0x7549db8fa0
```
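The failure mode above is the diagnostic path itself trusting a corrupted length: with `str.size()` equal to `size_t(-1)` the hex loop walks memory until it reaches an unmapped page. The following is an added, hypothetical hardened variant of that helper (not realm's code; `StringView` is a stand-in for `StringData`, and the inputs are constructed to mirror the logged values) that validates the length and the `[in_begin, in_end)` range before touching any bytes and caps the dump regardless:

```cpp
#include <cstddef>
#include <iomanip>
#include <sstream>
#include <string>

// Stand-in for realm's StringData: a pointer/length pair (not the real type).
struct StringView {
    const char* data;
    std::size_t size;
};

// Hardened diagnostic helper (hypothetical). It refuses to dump when the
// length is size_t(-1) / null or when the input range is inverted, and it
// never reads more than `max_dump` bytes even for a sane length.
static std::string safe_string_to_hex(const std::string& message, StringView str,
                                      const char* in_begin, const char* in_end,
                                      std::size_t max_dump = 64) {
    std::ostringstream ret;
    ret << message << " StringData.size = " << str.size << "; ";
    const bool size_sane  = str.data != nullptr && str.size != static_cast<std::size_t>(-1);
    const bool range_sane = in_begin != nullptr && in_end != nullptr && in_begin <= in_end;
    if (!size_sane || !range_sane) {
        // Report the inconsistency instead of dereferencing anything.
        ret << "StringData as hex = <skipped: " << (size_sane ? "" : "invalid size ")
            << (range_sane ? "" : "inverted input range") << ">; ";
        return ret.str();
    }
    const std::size_t n = str.size < max_dump ? str.size : max_dump;
    ret << "StringData as hex =";
    for (std::size_t i = 0; i < n; ++i)
        // Cast via unsigned char: the original (int)s[i] sign-extends bytes >= 0x80.
        ret << " 0x" << std::hex << std::setfill('0') << std::setw(2)
            << static_cast<unsigned>(static_cast<unsigned char>(str.data[i]));
    if (n < str.size) ret << " ... (" << std::dec << (str.size - n) << " more bytes)";
    ret << "; ";
    return ret.str();
}

// Constructed reproduction of the bad inputs from the log: size == -1 and in_begin > in_end.
bool bad_input_is_skipped() {
    char buf[4] = {'a', 'b', 'c', 'd'};
    StringView bad{buf, static_cast<std::size_t>(-1)};
    return safe_string_to_hex("Failure", bad, buf + 4, buf).find("<skipped:") != std::string::npos;
}

// Constructed well-formed input: the dump still works for a valid length and range.
std::string good_input_dump() {
    static const char text[] = "abc";
    return safe_string_to_hex("Failure", StringView{text, 3}, text, text + 3);
}
```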