Crash when getting notification on Pixel 7

[Elserjo]

Phone Model: Pixel 7
Build Version: TQ1A.230105.001.A2.2023020200

Today, when i have received notification in telegram, i could not unlock my phone and notification window blink twice. Then, i saw GrapheneOS logo and phone was restarted.

As far as I understand, the phone was not rebooted, as I immediately saw the GrapheneOS logo, not bootloader.

I have some crash message, i hope it wiil be useful:

02-08 10:03:06.005  1000   630   630 F hardened_malloc: fatal allocator error: detected write after free
02-08 10:03:06.006  1000   630   630 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 630 (surfaceflinger), pid 630 (surfaceflinger)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : Build fingerprint: 'google/panther/panther:13/TQ1A.230105.001.A2/2023020200:user/release-keys'
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : Revision: 'MP1.0'
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : ABI: 'arm64'
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : Timestamp: 2023-02-08 10:03:06.218101130+0300
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : Process uptime: 250042s
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : Cmdline: /system/bin/surfaceflinger
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : pid: 630, tid: 630, name: surfaceflinger  >>> /system/bin/surfaceflinger <<<
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : uid: 1000
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x0  0000000000000000  x1  0000000000000276  x2  0000000000000006  x3  0000f7bf3ffcc030
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x4  1f63647362647364  x5  1f63647362647364  x6  1f63647362647364  x7  7f7f7f7f7f7f7f7f
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x8  00000000000000f0  x9  0000c5ca7a7dfae8  x10 0000000000000001  x11 0000c5ca7a828260
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x12 ffffffffc4653600  x13 000000007fffffff  x14 0000000000832598  x15 00000596e869328d
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x16 0000c5ca7a893f60  x17 0000c5ca7a86f9a0  x18 0000c5ca87b6a000  x19 0000000000000276
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x20 0000000000000276  x21 00000000ffffffff  x22 0000c349d5558d20  x23 0000c5b3a4c14180
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x24 b400c3051c472850  x25 00000000000000e0  x26 000000000000000b  x27 0000c5b1935e5000
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     x28 0000c5b193767150  x29 0000f7bf3ffcc0b0
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :     lr  0000c5ca7a818098  sp  0000f7bf3ffcc010  pc  0000c5ca7a8180c4  pst 0000000000001000
02-08 10:03:06.497  1000  8555  8555 F DEBUG   : backtrace:
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #00 pc 000000000005b0c4  /apex/com.android.runtime/lib64/bionic/libc.so (abort+164) (BuildId: 788dfa0029149523162ab494de41241a)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #01 pc 0000000000047da8  /apex/com.android.runtime/lib64/bionic/libc.so (fatal_error+112) (BuildId: 788dfa0029149523162ab494de41241a)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #02 pc 0000000000044e74  /apex/com.android.runtime/lib64/bionic/libc.so (allocate+2068) (BuildId: 788dfa0029149523162ab494de41241a)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #03 pc 00000000000441e8  /apex/com.android.runtime/lib64/bionic/libc.so (h_realloc+904) (BuildId: 788dfa0029149523162ab494de41241a)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #04 pc 00000000000404c4  /apex/com.android.runtime/lib64/bionic/libc.so (realloc+84) (BuildId: 788dfa0029149523162ab494de41241a)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #05 pc 000000000006aaa0  /system/lib64/libbinder.so (android::Parcel::continueWrite(unsigned long)+1008) (BuildId: 72f2176311b4a64be07780b7b89dd0db)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #06 pc 0000000000069604  /system/lib64/libbinder.so (android::Parcel::writeInt32(int)+100) (BuildId: 72f2176311b4a64be07780b7b89dd0db)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #07 pc 00000000000107dc  /system/lib64/libbinder_ndk.so (AParcel_writeInt32+12) (BuildId: dcdfda4714d3323201961722a15b1739)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #08 pc 0000000000016b7c  /system/lib64/android.hardware.graphics.composer3-V1-ndk.so (aidl::android::hardware::graphics::composer3::DisplayCommand::writeToParcel(AParcel*) const+44) (BuildId: e4d9015cba867ef75f7d47f1f68efba4)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #09 pc 000000000001069c  /system/lib64/libbinder_ndk.so (AParcel_writeParcelableArray+76) (BuildId: dcdfda4714d3323201961722a15b1739)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #10 pc 000000000001f898  /system/lib64/android.hardware.graphics.composer3-V1-ndk.so (aidl::android::hardware::graphics::composer3::BpComposerClient::executeCommands(std::__1::vector<aidl::android::hardware::graphics::composer3::DisplayCommand, std::__1::allocator<aidl::android::hardware::graphics::composer3::DisplayCommand> > const&, std::__1::vector<aidl::android::hardware::graphics::composer3::CommandResultPayload, std::__1::allocator<aidl::android::hardware::graphics::composer3::CommandResultPayload> >*)+200) (BuildId: e4d9015cba867ef75f7d47f1f68efba4)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #11 pc 000000000011dd4c  /system/bin/surfaceflinger (android::Hwc2::AidlComposer::execute()+284) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #12 pc 00000000001213a0  /system/bin/surfaceflinger (android::Hwc2::AidlComposer::presentDisplay(unsigned long, int*)+64) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #13 pc 000000000013f3e8  /system/bin/surfaceflinger (android::HWC2::impl::Display::present(android::sp<android::Fence>*)+72) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #14 pc 00000000001493e0  /system/bin/surfaceflinger (android::impl::HWComposer::presentAndGetReleaseFences(android::HalDisplayId, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >, std::__1::shared_ptr<android::FenceTime> const&)+640) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #15 pc 00000000001e9c78  /system/bin/surfaceflinger (android::compositionengine::impl::Display::presentAndGetFrameFences()+440) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #16 pc 00000000001f5378  /system/bin/surfaceflinger (android::compositionengine::impl::Output::postFramebuffer()+184) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #17 pc 00000000001eff08  /system/bin/surfaceflinger (android::compositionengine::impl::Output::present(android::compositionengine::CompositionRefreshArgs const&)+504) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #18 pc 00000000001e7de0  /system/bin/surfaceflinger (android::compositionengine::impl::CompositionEngine::present(android::compositionengine::CompositionRefreshArgs&)+224) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #19 pc 00000000001a808c  /system/bin/surfaceflinger (android::SurfaceFlinger::composite(long, long)+1500) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #20 pc 0000000000183ffc  /system/bin/surfaceflinger (android::impl::MessageQueue::Handler::handleMessage(android::Message const&)+108) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #21 pc 0000000000017f78  /system/lib64/libutils.so (android::Looper::pollInner(int)+376) (BuildId: 969862d96738b6f29af52490aebe220e)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #22 pc 0000000000017da0  /system/lib64/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+112) (BuildId: 969862d96738b6f29af52490aebe220e)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #23 pc 0000000000184664  /system/bin/surfaceflinger (android::impl::MessageQueue::waitMessage()+84) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #24 pc 000000000018d05c  /system/bin/surfaceflinger (android::scheduler::Scheduler::run()+28) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #25 pc 00000000001e76e8  /system/bin/surfaceflinger (main+1992) (BuildId: 5d2888d8e592809ac68a93b41a092bfc)
02-08 10:03:06.497  1000  8555  8555 F DEBUG   :       #26 pc 00000000000527e0  /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+96) (BuildId: 788dfa0029149523162ab494de41241a)

[girlbossceo]

Is this still an issue on latest GrapheneOS release (QPR2)?

[girlbossceo]

Closing assuming it's fixed in QPR2 as no one else has reported or reacted to this issue, no response from the original poster, and this issue was made before QPR2. If this is still an issue let us know.

[girlbossceo]

Very likely this was just a one-time random memory bug in surfaceflinger given it's mostly in C/C++. hardened_malloc caught it anyways.