Realm-java: App crashes randomly after updating Realm from 3.0.0 to 3.5.0

Created on 1 Aug 2017 · 55 Comments · Source: realm/realm-java

Realm version: 3.0.0
Device: Android SDK Simulator x86 with Android v7.1.1
Encryption: Un-encrypted
Android studio V 2.3.2
Realm sync feature enabled: no

The app uses SyncAdapter. Whenever some local changes are made in realm, SyncAdapter would sync the changes with server using an API. All the local changes made due to some user interaction are made on main thread using executeTransaction() while the sync happens on a different thread.

Goal

We want to migrate Realm from 3.0.0 to 3.5.0. However, the app crashes in some scenarios upon upgrade to 3.5.0, i.e. in case a local change is done and the sync triggers, the app crashes randomly when trying to persist the changes received in response. Two different stack traces that were logged in Debug mode are mentioned below.

Actual Results

Exception 1:

mport.dev.debug A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x20 in tid 855 (mport.dev.debug)

                                                                             [ 08-01 14:46:55.785  1254: 1254 W/         ]
                                                                             debuggerd: handling request: pid=855 uid=10072 gid=10072 tid=855
08-01 14:46:55.790 1747-1747/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-01 14:46:55.790 1747-1747/? A/DEBUG: Build fingerprint: 'Android/sdk_google_phone_x86/generic_x86:7.1.1/NYC/3756122:userdebug/test-keys'
08-01 14:46:55.790 1747-1747/? A/DEBUG: Revision: '0'
08-01 14:46:55.790 1747-1747/? A/DEBUG: ABI: 'x86'
08-01 14:46:55.790 1747-1747/? A/DEBUG: pid: 855, tid: 855, name: mport.dev.debug  >>> <package name> <<<
08-01 14:46:55.790 1747-1747/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
08-01 14:46:55.790 1747-1747/? A/DEBUG:     eax 00000000  ebx acc00ac0  ecx 00000011  edx 00000001
08-01 14:46:55.790 1747-1747/? A/DEBUG:     esi 00000000  edi 00000000
08-01 14:46:55.790 1747-1747/? A/DEBUG:     xcs 00000073  xds 0000007b  xes 0000007b  xfs 0000003b  xss 0000007b
08-01 14:46:55.790 1747-1747/? A/DEBUG:     eip aef531cc  ebp bfbeb8a8  esp bfbeb8a8  flags 00210206
08-01 14:46:56.077 1747-1747/? A/DEBUG: backtrace:
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #00 pc 001dc1cc  /system/lib/libskia.so (_ZN8SkMatrix12setTranslateEff+60)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #01 pc 000f8be2  /system/lib/libandroid_runtime.so (_ZN7android12SkMatrixGlue12setTranslateEP7_JNIEnvP8_jobjectxff+50)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #02 pc 0193374a  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.graphics.Matrix.native_setTranslate+150)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #03 pc 0193592b  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.graphics.Matrix.setTranslate+71)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #04 pc 0216528b  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.widget.ImageView.configureBounds+631)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #05 pc 0216688b  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.widget.ImageView.updateDrawable+743)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #06 pc 02168719  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.widget.ImageView.setImageDrawable+101)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #07 pc 00109262  /system/lib/libart.so (art_quick_invoke_stub+338)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #08 pc 00112d9d  /system/lib/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+237)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #09 pc 0031d596  /system/lib/libart.so (_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+294)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #10 pc 00315437  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+615)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #11 pc 0067ede7  /system/lib/libart.so (MterpInvokeVirtualQuick+535)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #12 pc 000ff2a1  /system/lib/libart.so (artMterpAsmInstructionStart+29857)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #13 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #14 pc 002ed6e0  /system/lib/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+192)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #15 pc 00316612  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb1ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+450)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #16 pc 0067e3bd  /system/lib/libart.so (MterpInvokeDirectRange+461)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #17 pc 000fb921  /system/lib/libart.so (artMterpAsmInstructionStart+15137)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #18 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #19 pc 002ed6e0  /system/lib/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+192)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #20 pc 0031541b  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+587)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #21 pc 0067bde2  /system/lib/libart.so (MterpInvokeInterface+1474)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #22 pc 000fb721  /system/lib/libart.so (artMterpAsmInstructionStart+14625)
08-01 14:46:56.078 1747-1747/? A/DEBUG:     #23 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.078 1747-1747/? A/DEBUG:     #24 pc 002ed6e0  /system/lib/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+192)
08-01 14:46:56.078 1747-1747/? A/DEBUG:     #25 pc 0031541b  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+587)
08-01 14:46:56.078 1747-1747/? A/DEBUG:     #26 pc 0067c110  /system/lib/libart.so (MterpInvokeDirect+464)
08-01 14:46:56.078 1747-1747/? A/DEBUG:     #27 pc 000fb621  /system/lib/libart.so (artMterpAsmInstructionStart+14369)
08-01 14:46:56.078 1747-1747/? A/DEBUG:     #28 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #29 pc 002ed6e0  /system/lib/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+192)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #30 pc 0031541b  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+587)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #31 pc 0067ede7  /system/lib/libart.so (MterpInvokeVirtualQuick+535)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #32 pc 000ff2a1  /system/lib/libart.so (artMterpAsmInstructionStart+29857)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #33 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #34 pc 002ed6e0  /system/lib/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+192)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #35 pc 0031541b  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+587)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #36 pc 0067bde2  /system/lib/libart.so (MterpInvokeInterface+1474)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #37 pc 000fb721  /system/lib/libart.so (artMterpAsmInstructionStart+14625)
08-01 14:46:56.079 1747-1747/? A/DEBUG:     #38 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #39 pc 002ed6e0  /system/lib/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+192)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #40 pc 0031541b  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+587)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #41 pc 0067bde2  /system/lib/libart.so (MterpInvokeInterface+1474)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #42 pc 000fb721  /system/lib/libart.so (artMterpAsmInstructionStart+14625)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #43 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #44 pc 002ed6e0  /system/lib/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+192)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #45 pc 0031541b  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+587)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #46 pc 0067ede7  /system/lib/libart.so (MterpInvokeVirtualQuick+535)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #47 pc 000ff2a1  /system/lib/libart.so (artMterpAsmInstructionStart+29857)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #48 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #49 pc 002ed5f0  /system/lib/libart.so (_ZN3art11interpreter30EnterInterpreterFromEntryPointEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameE+176)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #50 pc 0066cf79  /system/lib/libart.so (artQuickToInterpreterBridge+1049)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #51 pc 0010f39d  /system/lib/libart.so (art_quick_to_interpreter_bridge+77)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #52 pc 00014e03  /dev/ashmem/dalvik-jit-code-cache (deleted)


                                        [ 08-01 14:46:56.255  1254: 1254 W/         ]
                                        debuggerd: resuming target 855

Exception 2:

mport.dev.debug A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x20 in tid 32429 (mport.dev.debug)

                                                                                 [ 08-01 18:21:48.093  1254: 1254 W/         ]
                                                                                 debuggerd: handling request: pid=32429 uid=10074 gid=10074 tid=32429
08-01 18:21:48.102 4223-4223/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-01 18:21:48.103 4223-4223/? A/DEBUG: Build fingerprint: 'Android/sdk_google_phone_x86/generic_x86:7.1.1/NYC/3756122:userdebug/test-keys'
08-01 18:21:48.103 4223-4223/? A/DEBUG: Revision: '0'
08-01 18:21:48.103 4223-4223/? A/DEBUG: ABI: 'x86'
08-01 18:21:48.103 4223-4223/? A/DEBUG: pid: 32429, tid: 32429, name: mport.dev.debug  >>> mport.dev.debug <<<
08-01 18:21:48.103 4223-4223/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
08-01 18:21:48.103 4223-4223/? A/DEBUG:     eax 00000000  ebx acc00ac0  ecx 00000011  edx 00000001
08-01 18:21:48.103 4223-4223/? A/DEBUG:     esi 00000000  edi 00000000
08-01 18:21:48.103 4223-4223/? A/DEBUG:     xcs 00000073  xds 0000007b  xes 0000007b  xfs 0000003b  xss 0000007b
08-01 18:21:48.103 4223-4223/? A/DEBUG:     eip aef531cc  ebp bfbed708  esp bfbed708  flags 00010206
08-01 18:21:48.390 4223-4223/? A/DEBUG: backtrace:
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #00 pc 001dc1cc  /system/lib/libskia.so (_ZN8SkMatrix12setTranslateEff+60)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #01 pc 000f8be2  /system/lib/libandroid_runtime.so (_ZN7android12SkMatrixGlue12setTranslateEP7_JNIEnvP8_jobjectxff+50)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #02 pc 0193374a  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.graphics.Matrix.native_setTranslate+150)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #03 pc 0193592b  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.graphics.Matrix.setTranslate+71)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #04 pc 0216528b  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.widget.ImageView.configureBounds+631)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #05 pc 0216688b  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.widget.ImageView.updateDrawable+743)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #06 pc 02168719  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.widget.ImageView.setImageDrawable+101)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #07 pc 00109262  /system/lib/libart.so (art_quick_invoke_stub+338)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #08 pc 00112d9d  /system/lib/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+237)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #09 pc 0031d596  /system/lib/libart.so (_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+294)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #10 pc 00315437  /system/lib/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+615)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #11 pc 0067ede7  /system/lib/libart.so (MterpInvokeVirtualQuick+535)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #12 pc 000ff2a1  /system/lib/libart.so (artMterpAsmInstructionStart+29857)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #13 pc 002e5e98  /system/lib/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+488)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #14 pc 002ed5f0  /system/lib/libart.so (_ZN3art11interpreter30EnterInterpreterFromEntryPointEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameE+176)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #15 pc 0066cf79  /system/lib/libart.so (artQuickToInterpreterBridge+1049)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #16 pc 0010f39d  /system/lib/libart.so (art_quick_to_interpreter_bridge+77)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #17 pc 000bdde9  /dev/ashmem/dalvik-jit-code-cache (deleted)

Steps & Code to Reproduce

We could not pinpoint an exact reason why this happens. We went through the change log from 3.0.0 onwards but we are unable to identify any particular change that can cause this. Based on the logs that we added, we can see that the transactions get completed successfully and it crashes after a few milliseconds.

It would be great if you can pinpoint if this is a bug or something could be wrong at our end.

T-Bug-Crash


All 55 comments

That is interesting because both of them happen in libskia but it was only visible after a Realm update.

Reminds me of https://github.com/realm/realm-java/issues/4733 (and https://github.com/realm/realm-java/issues/4621 ) ...

We had our doubts that the issue could be related to image rendering, but what we wonder is: why does it happen upon upgrading Realm, when it otherwise works fine with 3.0.0?

You will most likely need to send an APK to reproduce this to help[at]realm.io with 3.5.0 to have them check it out.

How often does this occur?

Realm Core was updated a couple of times between 3.0.0 and 3.5.0. It would be helpful if you can share your APK so we can try to reproduce it.

Hey there, Eike here from fileee. I will prepare an APK and a video for you and send them to you via mail. The problem happens quite often and is easily reproducible. I will show you in the video how.

@beeender could you please take a look? APK's here https://secure.helpscout.net/conversation/408147789 seems related to the libskia issues reported in #4733 #4621

I am checking

@eikaramba I am playing with your apk, some questions:

  1. After uploading a garbage, it shows "In Process" all the time. I have been waiting for 10+ minutes. Anything I can do to continue the following steps?
  2. Does it happen to x86 emulator only?

hey @beeender, oh that is strange.
1) You can swipe-to-refresh in order to trigger a sync. Normally a push notification should do that automatically.
2) I know it happens on x86 and x86_64. Both emulator and real devices. Is that your question?

@eikaramba

I know it happens on x86 and x86_64. Both emulator and real devices. Is that your question?

So it doesn't happen to ARM devices?

@eikaramba I can reproduce it on arm device. Checking now.

What has been tried from Realm side so far:

  1. Downgrade realm-core version by version until v2.7.0 by replacing the so file in the apk. The crash can still be reproduced with the original apk file. I would like to try some earlier core versions, but there are some java-NI dependency issues which are hard to solve.
  2. I doubt there might be a write-after-free issue on the Realm side. By disabling all the destructor calls, the issue can still be reproduced. So this should not be the case.

Some observations:

  1. The issue can actually be reproduced easily by randomly changing some attributes of the documents and then applying them. No need to create a new document. The issue happens when the transaction is committed, then some UI refreshing is triggered.
  2. From the callstack, my feeling is there is a dangling pointer passed to the imageview which caused the imaging parsing crash.

Things worth trying:

  1. Maybe you can add some code to repeatedly change some attributes and commit the transaction to see if the crash can be reproduced easily.
  2. If 1 can reproduce it, try to find out which imageview crashed and check whether the crash can be reproduced without Realm involved.
  3. If I can get an apk which is built with an older Realm (3.0.0? or even a higher version which doesn't have the issue), I can try to do some more testing with native libs to see if there is a regression bug in a recent version.

@eikaramba @patelnishantk
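A triage sketch for the tombstones posted in this thread, added here as an example (not code from the issue or from Realm): it parses the signal line, registers and backtrace, builds a crash signature from the top frames so the two reports can be compared, and lists frames that come from app-shipped native libraries. The samples are abridged from the logs on this page; the function names and the `/data/` install-path prefix are assumptions.

```python
import os
import re

# Abridged from the two x86 tombstones in the issue body (header, one register line, top frames).
X86_CRASH_A = """\
08-01 14:46:55.790 1747-1747/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
08-01 14:46:55.790 1747-1747/? A/DEBUG:     eax 00000000  ebx acc00ac0  ecx 00000011  edx 00000001
08-01 14:46:56.077 1747-1747/? A/DEBUG: backtrace:
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #00 pc 001dc1cc  /system/lib/libskia.so (_ZN8SkMatrix12setTranslateEff+60)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #01 pc 000f8be2  /system/lib/libandroid_runtime.so (_ZN7android12SkMatrixGlue12setTranslateEP7_JNIEnvP8_jobjectxff+50)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #02 pc 0193374a  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.graphics.Matrix.native_setTranslate+150)
08-01 14:46:56.080 1747-1747/? A/DEBUG:     #52 pc 00014e03  /dev/ashmem/dalvik-jit-code-cache (deleted)
"""
X86_CRASH_B = """\
08-01 18:21:48.103 4223-4223/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
08-01 18:21:48.103 4223-4223/? A/DEBUG:     eax 00000000  ebx acc00ac0  ecx 00000011  edx 00000001
08-01 18:21:48.390 4223-4223/? A/DEBUG: backtrace:
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #00 pc 001dc1cc  /system/lib/libskia.so (_ZN8SkMatrix12setTranslateEff+60)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #01 pc 000f8be2  /system/lib/libandroid_runtime.so (_ZN7android12SkMatrixGlue12setTranslateEP7_JNIEnvP8_jobjectxff+50)
08-01 18:21:48.390 4223-4223/? A/DEBUG:     #02 pc 0193374a  /system/framework/x86/boot-framework.oat (offset 0x1584000) (android.graphics.Matrix.native_setTranslate+150)
"""
# Abridged from the Android 4.4.4 ARM tombstone posted later in the thread.
ARM_CRASH = """\
I/DEBUG: signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0000000a
I/DEBUG: r0 0000000a r1 000009d2 r2 00000000 r3 0000000a
I/DEBUG: backtrace:
I/DEBUG: #00 pc 00003608 /system/lib/libcutils.so (android_atomic_inc+8)
I/DEBUG: #01 pc 000c4adb /system/lib/libskia.so (SkPaint::operator=(SkPaint const&)+26)
I/DEBUG: #05 pc 00005804
"""

HEADER = re.compile(r"signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\), fault addr (?:0x)?([0-9a-fA-F]+)")
REGISTER = re.compile(r"\b([a-z][a-z0-9]{1,3})\s+([0-9a-f]{8})\b")
FRAME = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s*(\S*)\s*(.*)$")
# Last "(symbol+offset)" group; tolerates one level of nested parentheses (demangled C++).
SYMBOL = re.compile(r"\(([^()]*(?:\([^()]*\))?[^()]*)\+\d+\)\s*$")


def parse_tombstone(text):
    """Parse a debuggerd tombstone as it appears in logcat (old and new layouts)."""
    tomb = {"signal": None, "code": None, "fault_addr": None, "registers": {}, "frames": []}
    in_backtrace = False
    for line in text.splitlines():
        if "DEBUG:" not in line:
            continue
        payload = line.split("DEBUG:", 1)[1].strip()
        header = HEADER.search(payload)
        if header:
            tomb["signal"], tomb["code"] = header.group(2), header.group(4)
            tomb["fault_addr"] = int(header.group(5), 16)
        elif payload.startswith("backtrace:"):
            in_backtrace = True
        elif in_backtrace:
            frame = FRAME.match(payload)
            if frame:
                sym = SYMBOL.search(frame.group(4))
                tomb["frames"].append({
                    "index": int(frame.group(1)),
                    "pc": int(frame.group(2), 16),
                    "lib": frame.group(3) or None,       # None when the frame has no mapping
                    "symbol": sym.group(1) if sym else None,
                })
        else:
            # Register lines come between the signal line and the backtrace.
            for name, value in REGISTER.findall(payload):
                tomb["registers"][name] = int(value, 16)
    return tomb


def signature(tomb, depth=3):
    """Signal, fault address and top frames: equal signatures suggest the same crash."""
    top = tuple((os.path.basename(f["lib"] or "?"), f["symbol"]) for f in tomb["frames"][:depth])
    return (tomb["signal"], tomb["fault_addr"], top)


def triage(tomb, app_prefix="/data/"):
    """Summarise what the tombstone says about where the bad pointer was used."""
    fault, frames = tomb["fault_addr"], tomb["frames"]
    return {
        # A fault in the first page means a null or near-null base pointer was dereferenced.
        "near_null": fault is not None and fault < 0x1000,
        # Registers holding the faulting address show which operand was the bad pointer.
        "regs_equal_fault": sorted(r for r, v in tomb["registers"].items() if v == fault),
        "crashing_lib": os.path.basename(frames[0]["lib"]) if frames and frames[0]["lib"] else None,
        # Frames in libraries installed with the app (assumed to live under /data/).
        "app_native_frames": [f["index"] for f in frames if (f["lib"] or "").startswith(app_prefix)],
    }


if __name__ == "__main__":
    a, b, c = (parse_tombstone(t) for t in (X86_CRASH_A, X86_CRASH_B, ARM_CRASH))
    print("same signature:", signature(a) == signature(b))
    print(triage(a))
    print(triage(c))
```

An empty `app_native_frames` list only says the faulting thread was not executing app-shipped native code at the time of the crash; it does not show where the bad pointer originated.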

Thank you very much for your effort. I'm building an apk with Realm 3.0.0 for you and will send it via mail. For the other points we will need to create a ticket and try to do this "dummy testing". It might take a few days, but we will try it out.

Some updates, I replaced the realm so file with realm-java 3.0.0 + realm-core 2.8.4 (which is used in realm-java 3.5) in the 3.0.0 apk file @eikaramba sent. No crash has been seen.
Except realm-core, we do have some other native code (JNI + object store). Those are relatively difficult to do bisect testing. I will try to test those later.

I have the same problem. Is there any news on solving it?
I have a fatal signal 11 or 7, always by accident, in the libskia.so native library.
Realm 3.5.0
I save a RealmList from the server to the Realm. The ChangeListener is updated and updates the ListView Adapter.

I/DEBUG: *
I/DEBUG: Build fingerprint: 'Sony/D5103/D5103:4.4.4/18.1.A.2.25/5vd_bw:user/release-keys'
I/DEBUG: Revision: '0'
I/DEBUG: pid: 7463, tid: 7463, name: package >>> package <<<
I/DEBUG: signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0000000a
I/DEBUG: r0 0000000a r1 000009d2 r2 00000000 r3 0000000a
I/DEBUG: r4 62df5f10 r5 60116650 r6 00000000 r7 57589730
I/DEBUG: r8 bed82d48 r9 57589728 sl 41559818 fp bed82d5c
I/DEBUG: ip 40636b8c sp bed82d38 lr 40518adf pc 40132608 cpsr 00070010
I/DEBUG: d0 0000000000000000 d1 0000000000000000
I/DEBUG: d2 0000000000000000 d3 0000000000000000
I/DEBUG: d4 00010b5600010b40 d5 00010b7300010b60
I/DEBUG: d6 00010c4900010c00 d7 3f80000060099840
I/DEBUG: d8 0000000000000000 d9 0000000000000000
I/DEBUG: d10 0000000000000000 d11 0000000000000000
I/DEBUG: d12 0000000000000000 d13 0000000000000000
I/DEBUG: d14 0000000000000000 d15 0000000000000000
I/DEBUG: d16 0065006700760045 d17 0069004e0020006e
I/DEBUG: d18 000000000000000d d19 0000000d00000000
I/DEBUG: d20 0000000000000000 d21 0000000d00000000
I/DEBUG: d22 407de3fc41f41ac0 d23 41f41ac05f7bee00
I/DEBUG: d24 0098009700950096 d25 0099009a009a0099
I/DEBUG: d26 0000000000000000 d27 0000000000000000
I/DEBUG: d28 0071007200720071 d29 0076007500740073
I/DEBUG: d30 009a009a009a009a d31 0000000000000000
I/DEBUG: scr 80000013
I/DEBUG: backtrace:
I/DEBUG: #00 pc 00003608 /system/lib/libcutils.so (android_atomic_inc+8)
I/DEBUG: #01 pc 000c4adb /system/lib/libskia.so (SkPaint::operator=(SkPaint const&)+26)
I/DEBUG: #02 pc 0002038c /system/lib/libdvm.so (dvmPlatformInvoke+112)
I/DEBUG: #03 pc 00051007 /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+398)
I/DEBUG: #04 pc 00029864 /system/lib/libdvm.so
I/DEBUG: #05 pc 00005804
I/DEBUG: crash_level = -1

I/DEBUG: *
I/DEBUG: Build fingerprint: 'Sony/D5103/D5103:4.4.4/18.1.A.2.25/5vd_bw:user/release-keys'
I/DEBUG: Revision: '0'
I/DEBUG: pid: 672, tid: 672, name: package >>> package <<<
I/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
I/DEBUG: r0 62653228 r1 bed82a4c r2 00000000 r3 00000000
I/DEBUG: r4 bed82a4c r5 00000018 r6 bed82c90 r7 62653228
I/DEBUG: r8 00000000 r9 00000002 sl 41559818 fp bed82d5c
I/DEBUG: ip 00000000 sp bed82a18 lr 40519615 pc 00000000 cpsr 600b0010
I/DEBUG: backtrace:
I/DEBUG: #00 pc 00000000
I/DEBUG: #01 pc 000c5613 /system/lib/libskia.so
I/DEBUG: #02 pc 000c60d5 /system/lib/libskia.so (SkPaint::descriptorProc(SkDeviceProperties const, SkMatrix const, void ()(SkTypeface, SkDescriptor const, void), void, bool) const+12)
I/DEBUG: #03 pc 000c6ebb /system/lib/libskia.so (SkPaint::getFontMetrics(SkPaint::FontMetrics, float) const+90)
I/DEBUG: #04 pc 0007c887 /system/lib/libandroid_runtime.so
I/DEBUG: #05 pc 0002038c /system/lib/libdvm.so (dvmPlatformInvoke+112)
I/DEBUG: #06 pc 00051007 /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const, JValue, Method const, Thread)+398)
I/DEBUG: #07 pc 00029864 /system/lib/libdvm.so
I/DEBUG: #08 pc 00005804
I/DEBUG: crash_level = -1

@gukzilla does your problem also happen with realm-java 3.5.0 only? Have you tried to use another version?

@beeender Yes, I tried other versions. Versions after 3.1.4.
I still have the same problem.
I call a synchronous list-save operation "executeTransaction".
It saves in the main thread.
If you do not save anything, everything works fine.

@gukzilla Does it crash with realm-java 3.0.0?

@beeender I can not verify it. The library does not contain a RealmObjectChangeListener
Everywhere in the project this listener is used

@gukzilla Can you reproduce the issue? A project with source code may help to locate the cause. You can send it [email protected] if you want to share it privately.

I still think there is a much bigger chance that the bug exists in libskia than in Realm; executeTransaction() just triggered the redraw leading to the skia crash.

Anyway, a project with source code may help to debug.

@beeender
Unfortunately I can only provide a debug.apk. Since I signed the NDA contract.
Video to reproduce the error.
And also provide the class in which the error occurs.

Will this suit you?

@gukzilla not really ... We got a debug apk before and the skia issue can be reproduced. But without source code it would take us unpredictable time to debug the issue which might not be caused by Realm ...

Would it be possible for you to make a sample project to reproduce it?

BTW, some more questions:

  1. Does it happen to all devices/emulators?
  2. Any specific Android versions have this issue?

@beeender

  1. This happens on all devices
  2. I was able to reproduce the bug on all versions, beginning with 4.4.4 and up to 6.0.1

There is no error on version 7.0 nougat

Later I will try to provide a simple project for reproducing the error

@beeender
Hi, I downgraded the Realm version to 3.0.0, and the issue is gone.
Unfortunately, I can not yet provide the source code.
I hope this helps a bit in the investigation.

verified, #5222 is not the cause of this issue.

Copy from #5291


We updated the project to the latest version.
Anyone can test and debug it, and may be able to help us with this issue.

https://github.com/RooyeKhat-Media/iGap-Android


@beeender I wonder if it is related but certain classes do synchronously about N + M + L transactions depending on item, so each change is pretty much its own transaction.

See this class as example. But I'd also be on the lookout for this one, and this one.

any news ?

@RooyeKhat no progress from my side. Is there any hint from your side we can reproduce it with iGap app?

@beeender

Yes
reply to #5291

Some updates:

Tried to compile realm with ndk15c and replace the so file to test @gukzilla , issue is still there.

Some updates:

Some users are helping us to build a test case to reproduce this issue constantly. (I tried, but failed :( ) If anyone has a sample project to reproduce this issue, please let us know. Otherwise it is quite difficult to figure out the root cause.

+1 any news ?

hey guys, we updated iGap project and you can see latest release, but yet we have problem with realm,
of course main problem is with RealmAdapter?
you don't have any solution yet?

@saeedmozaffari The major issue is we cannot reproduce this issue on our side. And i also spent a few hours with the iGap to try to reproduce the issue, but no luck :(

The thing is, this could be a Realm issue, and it could also be a platform/device issue which accidentally triggered by some logic of Realm(the crash log doesn't really show anything on the Realm side). Without a reproducible case, it is really difficult for us to figure out what is wrong there.

I also tried to mimic the logic in iGap to reproduce this issue with some simple logic, which can be found https://github.com/realm/realm-android-adapters/pull/128 , still, no luck.

So what will be helpful for us to identify/solve the issue:

  1. A project with source code which can reproduce the issue and the reproducible steps.
  2. APK file which can reproduce the issue constantly without source code is also fine. It takes more time to debug, but as long as we can easily reproduce the issue, it is still very helpful.

(Anyone wants to help, maybe you can check https://github.com/realm/realm-android-adapters/pull/128 and add some possible logic which is close to what you have in your project. My assumption is some image redraw triggered by listener caused it, but i tried some, no luck. I did also try to move some relevant source from iGap to the testing project, still no luck. )

any update ?

We finally got a working demo application with the crash and I sent it to @beeender along with the source code, hopefully this will resolve this issue.

@eikaramba
Thanks! I got the project. Best gift for the Thanksgiving! Working on it!

@eikaramba very good news

Some updates:

We can constantly reproduce the issue with the project provided by @eikaramba .
The issue is related with the Object level we introduced in v3.1.0. In v3.1.0 the mechanism of sending object notifications has been changed a bit as well.
It feels more like an issue in the skia side since I have tried to comment out most of the suspicious logic and the issue can still be easily reproduced.

From the backtrace, it is like there is something wrong with the life cycle management of libskia's native Matrix object.

With Android 8.0 (Oreo), the code related to Matrix has been changed a lot, and the interesting thing is that the issue cannot be reproduced on Oreo.

I guess some timing changes triggered this issue and I will try to figure out the root cause and find a way to work around it.

Updates:

The backtrace shows there might be a null pointer being used in Matrix.native_setTranslate (signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20, 0x20 is very much like some memory content close to addr 0x0)

With a conditional breakpoint, I was able to confirm that for some reason Matrix.native_instance has been set to 0. See the source code of Matrix.java https://android.googlesource.com/platform/frameworks/base/+/376590d/graphics/java/android/graphics/Matrix.java#43

screenshot from 2017-11-29 22-59-12

It shouldn't be caused by Realm. But i will keep checking.

The problem:

From the backtrace:

08-01 14:46:55.790 1747-1747/? A/DEBUG: pid: 855, tid: 855, name: mport.dev.debug  >>> <package name> <<<
08-01 14:46:55.790 1747-1747/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
08-01 14:46:55.790 1747-1747/? A/DEBUG:     eax 00000000  ebx acc00ac0  ecx 00000011  edx 00000001
08-01 14:46:55.790 1747-1747/? A/DEBUG:     esi 00000000  edi 00000000
08-01 14:46:55.790 1747-1747/? A/DEBUG:     xcs 00000073  xds 0000007b  xes 0000007b  xfs 0000003b  xss 0000007b
08-01 14:46:55.790 1747-1747/? A/DEBUG:     eip aef531cc  ebp bfbeb8a8  esp bfbeb8a8  flags 00210206
08-01 14:46:56.077 1747-1747/? A/DEBUG: backtrace:
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #00 pc 001dc1cc  /system/lib/libskia.so (_ZN8SkMatrix12setTranslateEff+60)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #01 pc 000f8be2  /system/lib/libandroid_runtime.so (_ZN7android12SkMatrixGlue12setTranslateEP7_JNIEnvP8_jobjectxff+50)

The relevant disassembly:

(lldb) di -f
libskia.so`SkMatrix::setTranslate:
    0xe7a59f90 <+0>:   pushl  %ebp
    0xe7a59f91 <+1>:   movl   %esp, %ebp
    0xe7a59f93 <+3>:   andl   $-0x4, %esp
    0xe7a59f96 <+6>:   movl   0x8(%ebp), %eax
    0xe7a59f99 <+9>:   movss  0x10(%ebp), %xmm0         ; xmm0 = mem[0],zero,zero,zero
    0xe7a59f9e <+14>:  movss  0xc(%ebp), %xmm1          ; xmm1 = mem[0],zero,zero,zero
    0xe7a59fa3 <+19>:  xorps  %xmm2, %xmm2
    0xe7a59fa6 <+22>:  ucomiss %xmm1, %xmm2
    0xe7a59fa9 <+25>:  setp   %cl
    0xe7a59fac <+28>:  setne  %dl
    0xe7a59faf <+31>:  orb    %cl, %dl
    0xe7a59fb1 <+33>:  ucomiss %xmm0, %xmm2
    0xe7a59fb4 <+36>:  setp   %ch
    0xe7a59fb7 <+39>:  setne  %cl
    0xe7a59fba <+42>:  orb    %ch, %cl
    0xe7a59fbc <+44>:  orb    %dl, %cl
    0xe7a59fbe <+46>:  jne    0xe7a59fc6                ; <+54>
    0xe7a59fc0 <+48>:  xorps  %xmm0, %xmm0
    0xe7a59fc3 <+51>:  xorps  %xmm1, %xmm1
    0xe7a59fc6 <+54>:  movzbl %cl, %ecx
    0xe7a59fc9 <+57>:  orl    $0x10, %ecx
->  0xe7a59fcc <+60>:  movl   $0x3f800000, 0x20(%eax)   ; imm = 0x3F800000 
    0xe7a59fd3 <+67>:  movl   $0x3f800000, 0x10(%eax)   ; imm = 0x3F800000 
    0xe7a59fda <+74>:  movl   $0x3f800000, (%eax)       ; imm = 0x3F800000 
    0xe7a59fe0 <+80>:  movl   $0x0, 0x1c(%eax)
    0xe7a59fe7 <+87>:  movl   $0x0, 0x18(%eax)
    0xe7a59fee <+94>:  movss  %xmm0, 0x14(%eax)

The java code where it's calling into the native code:

    public void setTranslate(float dx, float dy) {
        native_setTranslate(native_instance, dx, dy);
    }

The fault addr 0x20 shows there might be a problem using a null pointer. So let's assume the problem is native_instance is 0 when setTranslate() gets called.

Verify the assumption

Set a breakpoint at Matrix.setTranslate() with condition this.native_instance == 0. Re-run the test case, and the debugger successfully stopped at the bp before crash. The assumption is correct. (see the screen shot in the previous comment)

What could cause the native_instance set to 0?

The only place i can find in the android source tree is in the Matrix.finalize() (before Android 8 Oreo)

    @Override
    protected void finalize() throws Throwable {
        try {
            finalizer(native_instance);
            native_instance = 0;  // Other finalizers can still call us.
        } finally {
            super.finalize();
        }
    }

I failed to go further since my debugger doesn't work well with the platform work. But from the git history of Matrix.java, there is memory issue with Matrix object's finalize(). See commit from Android https://android.googlesource.com/platform/frameworks/base/+/ffa84e008c712ceffa09d6b89a49882c88b3cca5

The commit message:

Reduce risk of memory corruption due to finalization.

Many classes in graphics/java and elsewhere deallocate native memory
in a finalizer on the assumption that instance methods can no longer
be called once the finalizer has been called.  This is incorrect if
the object can be used, possibly indirectly, from another finalizer,
possibly one in the application.

This is the initial installment of a patch to cause such post-finalization
uses to at least see a null pointer rather than causing memory corruption
by accessing deallocated native memory. This should make it possible to
identify and fix such finalization ordering issues.

There are more graphics classes that need this treatment, and probably
many more in other subsystems.

This solution is < 100% effective if finalizers can be invoked
concurrently.  We currently promise that they aren't.

(In my opinion, the real cause here is a language spec bug.  But that ship
has sailed.)

The Matrix object could be resuscitated and cause a native crash because of this. Please note, this commit doesn't fix the issue. Without this fix, the issue might happen at the same place or somewhere later, since native_instance points to a freed memory location. With this commit, hopefully the crash will always happen immediately when accessing the memory at 0x0 or somewhere close to that, like 0x20 in our case.

This commit was released in Android M, so you will probably see a different crash log on devices before Android M.

Is there a fix for Android about this issue?

Yes, the native object management of Matrix has been refactored in Android Oreo. The finalize() won't be used anymore. See https://android.googlesource.com/platform/frameworks/base/+/94931bd87e27e766167cf005788b148af49f6ac2%5E%21/#F1

And this is why this particular crash cannot be reproduced on Android O.

Why does it happen to a specific version of Realm?

No, I don't think it happens to a specific version of Realm. Although i confirmed the crash was triggered by the Object fine grained notifications, it still could happen with the realm before that version, or happens without realm. Unluckily our timing changes of the object notification coincidentally matches the preconditions of the issue very well.

When you register a listener on a Realm object or collection, the listener will keep being triggered when the relevant data changes until the Realm object/collection gets GCed or removeChangeListener() called explicitly.

So if you registered a listener on a RealmObject and refresh view A in onChange(), and some Matrix object contained by view A or its descendants gets resuscitated, the crash will happen when the listener gets called with relevant data changes.

How to avoid this problem?

It is actually simple, two solutions:

  1. Get all of your users updated to Android Oreo, which is simple, and no code changes are needed.
  2. Remember to call removeChangeListener() when the view is dropped. This will not only solve the problem, but also speed up your app since no more useless work in the listeners which is not needed anymore.

@eikaramba I will send a email to you about the fix of your specific problem.
@RooyeKhat @saeedmozaffari Please take a look at above comments and check your implementations. Especially about removing the not-needed listeners.
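Added example, not part of the original thread or of Realm's code: a small Python triage helper that applies the reasoning in the analysis above (a fault address within the first page plus a zero register points to a null base pointer) to 32-bit tombstone text. The two sample inputs are subsets of the tombstone lines quoted on this page; the function name, verdict strings and result keys are assumptions made for this illustration.

```python
import re

PAGE_SIZE = 0x1000  # page 0 is never mapped, so a fault below this is "near null"

SIGNAL_RE = re.compile(
    r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\), fault addr (?:0x)?([0-9a-fA-F]+)")
# 32-bit register dumps only: a short name followed by exactly 8 hex digits.
REG_RE = re.compile(r"\b([a-z][a-z0-9]{1,4})\s+([0-9a-f]{8})\b")
FRAME_RE = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s*(\S+)?\s*(?:\((.*)\))?")
PC_NAMES = ("pc", "eip")

# Subset of the x86 tombstone quoted in the analysis on this page.
X86_TOMBSTONE = """\
08-01 14:46:55.790 1747-1747/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
08-01 14:46:55.790 1747-1747/? A/DEBUG:     eax 00000000  ebx acc00ac0  ecx 00000011  edx 00000001
08-01 14:46:55.790 1747-1747/? A/DEBUG:     esi 00000000  edi 00000000
08-01 14:46:55.790 1747-1747/? A/DEBUG:     eip aef531cc  ebp bfbeb8a8  esp bfbeb8a8  flags 00210206
08-01 14:46:56.077 1747-1747/? A/DEBUG: backtrace:
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #00 pc 001dc1cc  /system/lib/libskia.so (_ZN8SkMatrix12setTranslateEff+60)
08-01 14:46:56.077 1747-1747/? A/DEBUG:     #01 pc 000f8be2  /system/lib/libandroid_runtime.so (_ZN7android12SkMatrixGlue12setTranslateEP7_JNIEnvP8_jobjectxff+50)
"""

# Subset of the ARM (Android 4.4.4) tombstone posted earlier on this page.
ARM_TOMBSTONE = """\
I/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
I/DEBUG: r0 62653228 r1 bed82a4c r2 00000000 r3 00000000
I/DEBUG: r4 bed82a4c r5 00000018 r6 bed82c90 r7 62653228
I/DEBUG: r8 00000000 r9 00000002 sl 41559818 fp bed82d5c
I/DEBUG: ip 00000000 sp bed82a18 lr 40519615 pc 00000000 cpsr 600b0010
I/DEBUG: backtrace:
I/DEBUG: #00 pc 00000000
I/DEBUG: #01 pc 000c5613 /system/lib/libskia.so
"""


def triage(tombstone):
    """Classify a 32-bit Android tombstone as a near-null fault or not."""
    sig, regs, frames = None, {}, []
    section = "header"
    for line in tombstone.splitlines():
        body = line.split("DEBUG:", 1)[-1].strip()  # drop the logcat prefix
        m = SIGNAL_RE.search(body)
        if m:
            sig = {"signal": m.group(1), "code": m.group(2),
                   "fault_addr": int(m.group(3), 16)}
            section = "registers"
        elif body.endswith(":"):          # "backtrace:", "stack:", ...
            section = body[:-1]
        elif section == "registers":
            regs.update((n, int(v, 16)) for n, v in REG_RE.findall(body))
        elif section == "backtrace":
            f = FRAME_RE.match(body)
            if f:
                frames.append({"index": int(f.group(1)),
                               "pc": int(f.group(2), 16),
                               "library": f.group(3),
                               "symbol": f.group(4)})
    if sig is None:
        raise ValueError("no signal line found")

    fault = sig["fault_addr"]
    pc = next((regs[n] for n in PC_NAMES if n in regs), None)
    if sig["signal"] != "SIGSEGV":
        verdict = "not-a-segfault"
    elif fault >= PAGE_SIZE:
        verdict = "non-null-bad-pointer"        # dangling or wild pointer
    elif pc is not None and pc == fault:
        verdict = "call-through-null-pointer"   # the CPU tried to execute page 0
    else:
        verdict = "field-access-on-null-base"   # fault addr is the field offset

    return {
        "verdict": verdict,
        "fault_addr": fault,
        # Registers holding 0 are the candidate null base pointers.
        "zero_regs": [n for n, v in regs.items() if v == 0 and n not in PC_NAMES],
        # First frame that maps to a library: where to start reading code.
        "blame_frame": next((f for f in frames if f["library"]), None),
    }


if __name__ == "__main__":
    for name, text in (("x86", X86_TOMBSTONE), ("arm", ARM_TOMBSTONE)):
        print(name, triage(text))
```

For the x86 sample the zero register list includes eax, the base register of the faulting `movl $0x3f800000, 0x20(%eax)` store in the disassembly above.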

@beeender thanks for your good answer,

where we added addChangeListener() manually, we always use from removeChangeListener() when view lifecycle onStop() called.

but i have another question about your second solution "Remember to call removeChangeListener()", as I said before, we use from realm adapter, and also we set autoUpdate true in Realm adapter, also as i saw addChangeListener() will be registered in RealmRecyclerViewAdapter codes.
now how we can use removeChangeListener() in RealmRecyclerViewAdapter ,due to the we need keep autoUpdate true always for sync list with latest user changes.
another point that can be important that is we use multiple Realm adapter at the same time (5 adapter in view pager) , so we have multiple addChangeListener() that can't use removeChangeListener() for that , because need sync with latest change always.

can you give me guidance on this?

Yes, updateData() will remove the previous listener. but we can't use this.

please see the following code

public static void setAction(final long roomId, final long userId, final String action) {
    Realm realm = Realm.getDefaultInstance();
    realm.executeTransactionAsync(new Realm.Transaction() {
        @Override
        public void execute(Realm realm) {
            RealmRoom realmRoom = realm.where(RealmRoom.class).equalTo(RealmRoomFields.ID, roomId).findFirst();
            if (realmRoom != null) {
                realmRoom.setActionState(action, userId);
            }
        }
    });
    realm.close();
}

as you know, after I set data in Realm, onBindViewHolder will be called just for _one_ row and we update that in RecyclerView. so we don't need to use updateData(), because notifyDataSetChanged() is also used in updateData(). that's very bad for my app performance.

we have two reason for use from RealmAdapter :
1- autoUpdate,
2- just notify changed item , (not all item notifyDataSetChanged() )

if we can't use these benefits so RealmAdapter will not be useful to us.

for example before we used from compile 'com.github.thorbenprimke:realm-recyclerview:0.9.24' .
we migrated from compile 'com.github.thorbenprimke:realm-recyclerview:0.9.24' to RealmAdapter , although we did not have signal error in thorbenprimke lib , we migrated just because after one change in Realm notifyDataSetChanged() was called and it was very bad for my app performance.

so seems to we need another solution.

I don't mean to call the updateData() all the time. You can just call it when the view is not needed -- eg.: when the fragment detached?

So the workaround is to call adapter.updateData(null) in Activity.onDestroy() / Fragment.onDestroyView(), right?

well my problem is that my fragment will never be detached when user work with my app.
actually just when the user completely closes the application main fragment will be destroyed.

Your whole app consists of 1 fragment?

Note this i have a messenger , so room list page never be closed

Wooooow it all fits into place - a guy told me a while ago that "they had a crash in libskia.so which was caused by reading from a RealmResults many many times", but what that actually means is that they created many objects, which caused GC!

So GC can cause Matrix object's finalize() to cause crash in certain edge case, if view is updated when that happens.

That's kind of scary. 😢 I guess the solution is that one shouldn't update views that are no longer on screen?

That's kind of scary. 😢 I guess the solution is that one shouldn't update views that are no longer on screen?

The thing need to be worried is the views are detached. Views that are not in front of the screen stack but still attached are fine, since they shouldn't be GCed anyway.

@saeedmozaffari

well my problem is that my fragment will never be detached when user work with my app. actually just when the user completely closes the application main fragment will be destroyed.

If the fragment has never been detached, then it may not be the problem since it shouldn't be GCed. you need to check those views might be GCed.

Unfortunately, after a few months, our program still has thousands of errors in realm. In fact, your answer is not very compelling for us. In our opinion your answer to this is like that after taking the NullPointerException error from the program, consider this problem for the operating system!
While our mistake is causing this error!
Please suggest a solution to solve this issue!

@saeedrooyekhat you need to unregister the RealmObjectChangeListeners from onDestroy(), basically.

My initial idea would be to wrap RealmResults in a MutableLiveData.
