[Bug] [Android] Random JNI errors when calling provider_data() or uid() on a valid user right after initializing Auth. #1671
Description
[REQUIRED] Please fill in the following fields:
- Pre-built SDK from the website or open-source from this repo: prebuilt release
- Firebase C++ SDK version: 12.4.0 (already happened with Firebase C++ SDK 11.0.1)
- Problematic Firebase Component: Auth
- Other Firebase Components in use: Analytics, Crashlytics, Firestore, Functions, RemoteConfig
- Platform you are using the C++ SDK on: Mac
- Platform you are targeting: Android
[REQUIRED] Please describe the issue here:
Crashlytics reports some random crashes a few seconds after startup, during the initialization of our app, when accessing the state of a previously signed in user.
The stacks look like this:
JNI DETECTED ERROR IN APPLICATION: use of deleted global reference 0x3886
#00 pc 0x000000000008cdd0 /apex/com.android.runtime/lib64/bionic/libc.so (abort+164)
#01 pc 0x000000000053b0a4 /apex/com.android.art/lib64/libart.so (art::Runtime::Abort(char const*)+2340)
#02 pc 0x000000000001394c /system/lib64/libbase.so (android::base::SetAborter(std::__1::function<void (char const*)>&&)::$_3::__invoke(char const*)+76)
#03 pc 0x00000000000130cc /system/lib64/libbase.so (android::base::LogMessage::~LogMessage()+312)
#04 pc 0x0000000000372930 /apex/com.android.art/lib64/libart.so (art::JavaVMExt::JniAbort(char const*, char const*)+2596)
#05 pc 0x0000000000372aa0 /apex/com.android.art/lib64/libart.so (art::JavaVMExt::JniAbortF(char const*, char const*, ...)+188)
#06 pc 0x000000000058edbc /apex/com.android.art/lib64/libart.so (art::Thread::DecodeJObject(_jobject*) const+740)
#07 pc 0x00000000005335bc /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithVarArgs<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, std::__va_list)+72)
#08 pc 0x0000000000533918 /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+92)
#09 pc 0x000000000038ca54 /apex/com.android.art/lib64/libart.so (art::JNI<false>::CallObjectMethodV(_JNIEnv*, _jobject*, _jmethodID*, std::__va_list)+656)
#10 pc 0x0000000001efb0a8 /data/app/~~we2dODBK-dwTNyJ0WwgHVw==/XXX-PL2uZARhnKyZj-sBR8U9ag==/split_config.arm64_v8a.apk!libgame_android.so (_JNIEnv::CallObjectMethod(_jobject*, _jmethodID*, ...)+116) (BuildId: 49d308be143cc46526a72431ce8b6942c800f328)
#11 pc 0x0000000001db7500 /data/app/~~we2dODBK-dwTNyJ0WwgHVw==/XXX-PL2uZARhnKyZj-sBR8U9ag==/split_config.arm64_v8a.apk!libgame_android.so (firebase::auth::User::provider_data() const+112) (BuildId: 49d308be143cc46526a72431ce8b6942c800f328)
it varies a bit and sometimes the JNI error is : JNI DETECTED ERROR IN APPLICATION: obj == null
Also, sometimes it will crash in firebase::auth::User::uid() instead, there is a call right after provider_data().
Our crash is very similar to this issue, but note that we are not registering any AuthStateListener ourselves: #753
Steps to reproduce:
Have you been able to reproduce this issue with just the Firebase C++ quickstarts ?
No, rate seems low: about 1 crash per day per 10000 users.
Relevant code
Here is what happens on app launch:
Our app starts by initializing the firebase app
firebase::App::Create(env, _activity->clazz);
then about 1 second later, we initialize Auth and try to retrieve some data if the user is signed in
auth::Auth *auth = auth::Auth::GetAuth(App::GetInstance()); << First call of GetAuth
auth::User user = auth->current_user();
if (!user.is_valid())
return;
std::vector<auth::UserInfoInterface> data = user.provider_data(); << Crash here
...
All our calls to Auth are done from the same native cpp thread.
Investigation:
By looking at the SDK code, it seems this crash could happen if there is a data race where a thread calls Auth::UpdateCurrentUser (more specifically SetImplFromLocalRef(env, j_user, &auth_data->user_impl)) while our native thread is accessing the current_user's properties.
Potential culprit:
From my understanding, the initialization of Auth will synchronously call UpdateCurrentUser, so accessing the user right after should be fine.
But what I also noticed is that Auth::InitPlatformAuth will register a JniAuthStateListener.
I believe addAuthStateListener from FirebaseAuth.java will trigger a callback from a Java Thread after a random delay, which will eventually result in a call to JniAuthStateListener_nativeOnAuthStateChanged and Auth::UpdateCurrentUser from another thread, resulting in a data race.
I was not able to reproduce the crash with the production code, but I was able to get it by calling User::uid() many times right after the init of Auth. Something like this:
auth::Auth *auth = auth::Auth::GetAuth(App::GetInstance());
auth::User user = auth->current_user();
if (!user.is_valid())
return;
for (int i = 0; i < 1000000; i++)
user.uid();
...
This generates a crash similar to the one we see in production. It happens around every 5 to 10 app launches. I couldn't get it to crash with user.provider_data() though, maybe it's just less likely because it has more instructions.
Also, I haven't been able to generate the crash when Auth is initialized about 1s before the first user access.
Other notes:
- We have never seen this crash on other calls to User::uid() or User::provider_data(), only the ones right after the Auth initialization crashes.
- We also have an iOS version and have never seen any crash there when accessing a User's properties.
Activity