[libretro] android 32-bit version crashes at startup #12464

Open
andres-asm opened this issue Nov 4, 2019 · 12 comments
Labels
Libretro Issue on Libretro but not all ports.

Comments

@andres-asm
Contributor

What happens?

Content crashes on content load

What should happen?

It should work

What hardware, operating system, and PPSSPP version? On desktop, GPU matters for graphical issues.

Android, 9a5766b on a Shield Portable and on Shield ATV running the 32 bit version of RetroArch.
64-bit variant on the same commit is fine.

I/RetroArch(21112): jni_thread_destruct()
I/RetroArch(21112): Loading dynamic libretro core from: "/data/data/com.retroarch/cores/ppsspp_libretro_android.so"
W/linker  (21112): ppsspp_libretro_android.so: unused DT entry: type 0x6ffffffe arg 0x127c08
W/linker  (21112): ppsspp_libretro_android.so: unused DT entry: type 0x6fffffff arg 0x3
F/libc    (21112): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x9f239ff0 in tid 21244 (Emu)
I/libc    (21112): Suppressing debuggerd output because prctl(PR_GET_DUMPABLE)==0
@andres-asm
Contributor Author

That log was from a shield portable

11-03 19:13:39.517 21132 21177 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x1cd0 in tid 21177 (Emu)
11-03 19:13:39.517   233   233 W         : debuggerd: handling request: pid=21132 uid=10083 gid=10083 tid=21177
11-03 19:13:39.524 21178 21178 W debuggerd: type=1400 audit(0.0:261): avc: denied { search } for name="com.retroarch.ra32" dev="mmcblk0p29" ino=631879 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
11-03 19:13:39.588 21178 21178 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
11-03 19:13:39.589 21178 21178 F DEBUG   : LineageOS Version: '14.1-20180328-NIGHTLY-foster'
11-03 19:13:39.589 21178 21178 F DEBUG   : Build fingerprint: 'NVIDIA/loki_e_wifi/foster:7.0/NRD90M/2427173_1038.2788:user/release-keys'
11-03 19:13:39.589 21178 21178 F DEBUG   : Revision: '0'
11-03 19:13:39.589 21178 21178 F DEBUG   : ABI: 'arm'
11-03 19:13:39.589 21178 21178 F DEBUG   : pid: 21132, tid: 21177, name: Emu  >>> com.retroarch.ra32 <<<
11-03 19:13:39.589 21178 21178 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x1cd0
11-03 19:13:39.589 21178 21178 F DEBUG   :     r0 0880432c  r1 00001ccc  r2 ffffffff  r3 ffffffff
11-03 19:13:39.589 21178 21178 F DEBUG   :     r4 000000cc  r5 ffffffff  r6 00000000  r7 00004e20
11-03 19:13:39.589 21178 21178 F DEBUG   :     r8 8b11b77f  r9 8b3d9597  sl 8b12ce20  fp 8b3c6000
11-03 19:13:39.589 21178 21178 F DEBUG   :     ip 8b117660  sp 8d6d8850  lr 8b3da09c  pc 8a83d5d8  cpsr 800e0010
11-03 19:13:39.590 21178 21178 F DEBUG   :
11-03 19:13:39.590 21178 21178 F DEBUG   : backtrace:
11-03 19:13:39.593 21178 21178 F DEBUG   :     #00 pc 0023d5d8  /data/data/com.retroarch.ra32/cores/ppsspp_libretro_android.so
11-03 19:13:39.593 21178 21178 F DEBUG   :     #01 pc fffffffd  <unknown>
11-03 19:13:39.780   233   233 W         : debuggerd: resuming target 21132
11-03 19:13:39.781   706 21179 W ActivityManager:   Force finishing activity com.retroarch.ra32/com.retroarch.browser.retroactivity.RetroActivityFuture
11-03 19:13:39.783   706 21179 I WindowManager: setFocusedApp token: Token{bd70cee ActivityRecord{d2c3a69 u0 ca.dstudio.atvlauncher.pro/ca.ds

This is from a different device.

I didn't get those DT entry errors in this one, but I noticed this again

11-03 19:13:38.787 21132 21149 I RetroArch: === Build =======================================
11-03 19:13:38.788 21132 21149 I RetroArch: Capabilities:  NEON VFPv3 VFPv4
11-03 19:13:38.788 21132 21149 I RetroArch: [INFO] Built: Nov  2 2019
11-03 19:13:38.788 21132 21149 I RetroArch: [INFO] Version: 1.8.1
11-03 19:13:38.788 21132 21149 I RetroArch: [INFO] Git: bfdc8e6
11-03 19:13:38.788 21132 21149 I RetroArch: [INFO] =================================================
11-03 19:13:38.789 21132 21157 I RetroArch: jni_thread_destruct()
11-03 19:13:38.789 21132 21149 I RetroArch: Loading dynamic libretro core from: "/data/user/0/com.retroarch.ra32/cores/ppsspp_libretro_android.so"

first thing that gets done is jni_thread_destruct. I had never seen that, I'll ask the RA guys

@andres-asm
Contributor Author

Ok, it's the threaded video driver, makes no difference though

@LunaMoo LunaMoo added the Libretro Issue on Libretro but not all ports. label Nov 4, 2019
@turnerlgithub

Hi fr500, I'm having the exact same problem on an Android 32-bit device.

@GITEMUFAN11

GITEMUFAN11 commented Nov 12, 2019

Same here

https://forums.libretro.com/t/ppsspp-crashing-at-launch/25039/8

my android is also 32-bit along with retroarch

@gouchi
Contributor

gouchi commented Aug 14, 2021

@fr500 Is it still an issue?

@GITEMUFAN11

It's still an issue:

For the record I have tried:

The copy contents to folder suggestion: originally there was no folder in the retroarch system directory, so I had to create a folder called PPSSPP to copy the contents to from the archive ppsspp-master\assets. The retroarch directory was on the root of the internal directory.

the run-ahead + rewind setting is already disabled on retroarch

use the online updater to download and extract the retroarch assets.zip

Anyway none of these suggestions have worked

I am currently using a device on Android 6.0 (32-bit) and device Samsung Exynos Octa 7870 (8x ARM Cortex-A53 @1.59GHz)

Running the latest version of retroarch, the standalone ppsspp works fine

@gouchi
Contributor

gouchi commented Sep 12, 2021

@GITEMUFAN11 may you try to get some log with adb logcat?

Here is the log I could get using RA 09/12/21 on Nexus 4

09-12 13:33:01.927  9766  9766 W Thread-2: type=1400 audit(0.0:464): avc: granted { execute } for path="/data/data/com.retroarch.ra32/cores/ppsspp_libretro_android.so" dev="mmcblk0p23" ino=643381 scontext=u:r:untrusted_app_27:s0:c204,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c204,c256,c512,c768 tclass=file
09-12 13:33:01.978  9766  9766 W Thread-2: type=1400 audit(0.0:465): avc: granted { execute } for path="/data/data/com.retroarch.ra32/cores/ppsspp_libretro_android.so" dev="mmcblk0p23" ino=643381 scontext=u:r:untrusted_app_27:s0:c204,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c204,c256,c512,c768 tclass=file
09-12 13:33:02.021  9723  9766 I PPSSPP  : EARLY: ThreadManager::Init(compute threads: 4, all: 8)
09-12 13:33:02.058  9723  9766 I Adreno-EGL: <qeglDrvAPI_eglInitialize:379>: QUALCOMM Build: 10/21/15, 369a2ea, I96aee987eb
09-12 13:33:02.129  9723  9766 W Adreno-EGL: <qeglDrvAPI_eglGetConfigAttrib:607>: EGL_BAD_ATTRIBUTE
09-12 13:33:02.341  9723  9766 D         : PlayerBase::PlayerBase()
09-12 13:33:02.342  9723  9766 D         : TrackPlayerBase::TrackPlayerBase()
09-12 13:33:02.342  9723  9766 I libOpenSLES: Emulating old channel mask behavior (ignoring positional mask 0x3, using default mask 0x3 based on channel count of 2)
09-12 13:33:02.342  9723  9766 W AudioTrack: set(): notificationFrames=-26 clamped to the range -1 to -8
09-12 13:33:02.344   236   236 D audio_hw_extn: audio_extn_get_parameters: returns 
09-12 13:33:02.344   254   466 I hash_map_utils: key: 'vr_audio_mode_on' value: ''
09-12 13:33:02.345   254   466 W AudioFlinger: createTrack_l(): mismatch between requested flags (00000104) and output flags (00000006)
09-12 13:33:02.346   254   466 D AudioFlinger: Client defaulted notificationFrames to 240 for frameCount 1920
09-12 13:33:02.347   254   466 D AF::TrackHandle: OpPlayAudio: track:68 usage:1 not muted
09-12 13:33:02.350  9723  9766 I AudioTrack: createTrack_l(1092222976): AUDIO_OUTPUT_FLAG_FAST successful; frameCount 0 -> 1920
09-12 13:33:02.354   236  6461 D audio_hw_primary: start_output_stream: enter: stream(0xa6a30140)usecase(1: low-latency-playback) devices(0x2)
09-12 13:33:02.354   236  6461 D audio_hw_primary: select_devices: out_snd_device(2: speaker) in_snd_device(0: )
09-12 13:33:02.354   236  6461 I msm8960_platform: platform_send_audio_calibration: sending audio calibration for snd_device(2) acdb_id(14)
09-12 13:33:02.354   236  6461 D ACDB-LOADER: ACDB -> send_afe_cal
09-12 13:33:02.354   236  6461 D audio_route: Apply path: speaker
09-12 13:33:02.361   236  6461 D audio_route: Apply path: low-latency-playback
09-12 13:33:02.361   236  6461 D audio_hw_primary: select_devices: done
09-12 13:33:02.545  9723 10036 D         : PlayerBase::stop() from IPlayer
09-12 13:33:02.545  9723 10036 D AudioTrack: stop(25): called with 6240 frames delivered
09-12 13:33:02.774  9723 10041 F libc    : Fatal signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x78b2379c in tid 10041 (Emu), pid 9723 (.retroarch.ra32)
09-12 13:33:02.852 10044 10044 W crash_dump32: failed to fetch registers for thread 9723: I/O error
09-12 13:33:02.853 10044 10044 W crash_dump32: failed to fetch registers for thread 9731: I/O error
09-12 13:33:02.854 10044 10044 W crash_dump32: failed to fetch registers for thread 9736: I/O error
09-12 13:33:02.854 10044 10044 W crash_dump32: failed to fetch registers for thread 9740: I/O error
09-12 13:33:02.855 10044 10044 W crash_dump32: failed to fetch registers for thread 9741: I/O error
09-12 13:33:02.855 10044 10044 W crash_dump32: failed to fetch registers for thread 9745: I/O error
09-12 13:33:02.856 10044 10044 W crash_dump32: failed to fetch registers for thread 9746: I/O error
09-12 13:33:02.857 10044 10044 W crash_dump32: failed to fetch registers for thread 9747: I/O error
09-12 13:33:02.857 10044 10044 W crash_dump32: failed to fetch registers for thread 9748: I/O error
09-12 13:33:02.858 10044 10044 W crash_dump32: failed to fetch registers for thread 9751: I/O error
09-12 13:33:02.858 10044 10044 W crash_dump32: failed to fetch registers for thread 9753: I/O error
09-12 13:33:02.859 10044 10044 W crash_dump32: failed to fetch registers for thread 9761: I/O error
09-12 13:33:02.859 10044 10044 W crash_dump32: failed to fetch registers for thread 9766: I/O error
09-12 13:33:02.859 10044 10044 W crash_dump32: failed to fetch registers for thread 9773: I/O error
09-12 13:33:02.859 10044 10044 W crash_dump32: failed to fetch registers for thread 9781: I/O error
09-12 13:33:02.860 10044 10044 W crash_dump32: failed to fetch registers for thread 10009: I/O error
09-12 13:33:02.860 10044 10044 W crash_dump32: failed to fetch registers for thread 10010: I/O error
09-12 13:33:02.860 10044 10044 W crash_dump32: failed to fetch registers for thread 10011: I/O error
09-12 13:33:02.861 10044 10044 W crash_dump32: failed to fetch registers for thread 10012: I/O error
09-12 13:33:02.861 10044 10044 W crash_dump32: failed to fetch registers for thread 10013: I/O error
09-12 13:33:02.861 10044 10044 W crash_dump32: failed to fetch registers for thread 10014: I/O error
09-12 13:33:02.861 10044 10044 W crash_dump32: failed to fetch registers for thread 10015: I/O error
09-12 13:33:02.862 10044 10044 W crash_dump32: failed to fetch registers for thread 10016: I/O error
09-12 13:33:02.862 10044 10044 W crash_dump32: failed to fetch registers for thread 10017: I/O error
09-12 13:33:02.862 10044 10044 W crash_dump32: failed to fetch registers for thread 10019: I/O error
09-12 13:33:02.862 10044 10044 W crash_dump32: failed to fetch registers for thread 10028: I/O error
09-12 13:33:02.863 10044 10044 W crash_dump32: failed to fetch registers for thread 10030: I/O error
09-12 13:33:02.863 10044 10044 W crash_dump32: failed to fetch registers for thread 10031: I/O error
09-12 13:33:02.863 10044 10044 W crash_dump32: failed to fetch registers for thread 10036: I/O error
09-12 13:33:02.894 10044 10044 I crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-12 13:33:02.895   358   358 I /system/bin/tombstoned: received crash request for pid 10041
09-12 13:33:02.895 10044 10044 I crash_dump32: performing dump of process 9723 (target tid = 10041)
09-12 13:33:02.941 10044 10044 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-12 13:33:02.941 10044 10044 F DEBUG   : Build fingerprint: 'google/occam/mako:5.1.1/LMY48T/2237560:user/release-keys'
09-12 13:33:02.941 10044 10044 F DEBUG   : Revision: '0'
09-12 13:33:02.941 10044 10044 F DEBUG   : ABI: 'arm'
09-12 13:33:02.942 10044 10044 F DEBUG   : Timestamp: 2021-09-12 13:33:02+0200
09-12 13:33:02.942 10044 10044 F DEBUG   : pid: 9723, tid: 10041, name: Emu  >>> com.retroarch.ra32 <<<
09-12 13:33:02.942 10044 10044 F DEBUG   : uid: 10204
09-12 13:33:02.942 10044 10044 F DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x78b2379c (*pc=0x4843b085)
09-12 13:33:02.943 10044 10044 F DEBUG   :     r0  0890003c  r1  00001ccc  r2  ffffffff  r3  ffffffff
09-12 13:33:02.943 10044 10044 F DEBUG   :     r4  ffffffff  r5  ffffffff  r6  7932c040  r7  00004e20
09-12 13:33:02.943 10044 10044 F DEBUG   :     r8  ffffffff  r9  77810000  r10 7932c040  r11 5fcb8000
09-12 13:33:02.943 10044 10044 F DEBUG   :     ip  00000001  sp  6be94150  lr  7781009c  pc  78b2379c
09-12 13:33:03.156 10044 10044 F DEBUG   : 
09-12 13:33:03.156 10044 10044 F DEBUG   : backtrace:
09-12 13:33:03.157 10044 10044 F DEBUG   :     NOTE: Function names and BuildId information is missing for some frames due
09-12 13:33:03.157 10044 10044 F DEBUG   :     NOTE: to unreadable libraries. For unwinds of apps, only shared libraries
09-12 13:33:03.157 10044 10044 F DEBUG   :     NOTE: found under the lib/ directory are readable.
09-12 13:33:03.157 10044 10044 F DEBUG   :       #00 pc 0031379c  /data/data/com.retroarch.ra32/cores/ppsspp_libretro_android.so

Thank you.

@unknownbrackets
Collaborator

SIGILL should mean an illegal opcode. Maybe retroarch is compiling with parameters for armv7s or otherwise the wrong arch?

That phone should've had NEON etc., so not sure what else it could've miscompiled. If you turn off jit, does it work fine?

-[Unknown]

@bslenul
Contributor

bslenul commented Nov 12, 2021

I don't play on my phone (an "old" Samsung Galaxy A5 2016, Android 7 32bit) so never really cared about this, but while trying to reproduce an issue today I got that crash on startup. Switching to "Interpreter" didn't change anything unfortunately.

The weird thing is that it worked once, then it always crashed on the next boots and I have no idea why, I deleted the config and save folder for the core to make sure it was starting fresh again but nope, I can't make it boot again for whatever reason :/ I rebooted my phone too, didn't help. Standalone works fine.

@fcatrin

fcatrin commented Apr 14, 2022

I had this problem in my NVIDIA Shield but not in another device so I started digging until I reached a point where someone with more inside knowledge can help.

In summary, just to help understand this full comment:

  • Crash is random
  • Crash happens when trying to execute the first line of MIPS code
  • Crash is in the JIT implementation

Now the details:

The crash is random, but it is always in the same place, it looks like some sort of memory corruption that just depends on the initial state of the memory, that may explain why in other devices it seems to always work, whilst in the Shield it crashes most of the time, but not always.

Using ndk-stack I found that the crash is right here:

MIPSComp::JitAt()
/mnt/sata/fcatrin/tmp/libretro-super/libretro-ppsspp/libretro/jni/../../Core/MIPS/JitCommon/JitCommon.cpp:52:0

Switching to Interpreter doesn't change anything because for some reason it still uses JIT (that may be another bug).

Checking the source and adding some trace inside that function, I found that there is nothing inside that function that causes the crash, it is the entry point of the function that causes the crash! So it seems that when the core is starting to run the MIPS code for the first time, that area has a problem.

I added some traces to see when that area is corrupted but I didn't find any change. I also compared the contents of that area with the device that works fine and they are the same. This is a sample of my trace/dumps (memory locations will change)

RetroArch: [JIT] DUMP 0x8f5e63bd : B5 03 AF 4D F8 04 BD 82 __KernelLoadELFFromPtr.q
RetroArch: [JIT] DUMP 0x8f5e63bd : B5 03 AF 4D F8 04 BD 82 __KernelLoadELFFromPtr.r
RetroArch: [JIT] DUMP 0x8f5e63bd : B5 03 AF 4D F8 04 BD 82 __KernelLoadELFFromPtr.t
RetroArch: [JIT] DUMP 0x8f5e63bd : B5 03 AF 4D F8 04 BD 82 ShaderManagerGLES::ShaderManagerGLES.a
RetroArch: [JIT] DUMP 0x8f5e63bd : B5 03 AF 4D F8 04 BD 82 ShaderManagerGLES::ShaderManagerGLES.b

The area dumped is where MIPSComp::JitAt() is, which is basically

0x8f5e63bd B5 03 AF 4D    stcmi  p3, c0, [pc, #0x2d4]!
0x8f5e63c0 F8 04 BD 82    adcshi r0, sp, #248, #8

The part that crashes with SIGILL / ILL_ILLOPC is the second line

DEBUG   : Build fingerprint: 'NVIDIA/foster_e/foster:11/RQ1A.210105.003/7094531_2971.7725:user/release-keys'
DEBUG   : Revision: '0'
DEBUG   : ABI: 'arm'
DEBUG   : Timestamp: 2022-04-14 00:35:29-0400
DEBUG   : pid: 6026, tid: 6256, name: Emu  >>> com.retroarch <<<
DEBUG   : uid: 10131
DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x8f5e63c0 (*pc=0xbd04f84d)
DEBUG   :     r0  00bdffe0  r1  27000000  r2  00004e20  r3  0004ea80
DEBUG   :     r4  ffffffff  r5  ffffffff  r6  00000004  r7  0004ea80
DEBUG   :     r8  ffffffff  r9  91571000  r10 8fd14e90  r11 90e5a000
DEBUG   :     ip  00000000  sp  964d70d0  lr  91571100  pc  8f5e63c0
DEBUG   : backtrace:
DEBUG   :     NOTE: Function names and BuildId information is missing for some frames due
DEBUG   :     NOTE: to unreadable libraries. For unwinds of apps, only shared libraries
DEBUG   :     NOTE: found under the lib/ directory are readable.
DEBUG   :       #00 pc 006233c0  /data/user/0/com.retroarch/ppsspp_libretro_android.so

The logs that I added inside MIPSComp::JitAt() show me the contents of the MIPS PC register and I can see that in the machine that I have no problems the first trace has PC=08804124, the same value that I can see here

[LOADER] Module entry: 08804124

But, when the Shield crashes, it never reaches that point, it crashes when trying to execute the first line of MIPS code.

I wanted to add the DUMP exactly before calling JitAt() but I haven't been able to find that code. I have only found when the function is referenced, but that's not where it is being called. Here I think someone can ring a bell, jump in or explain how that part works so I can continue working on it

This is the reference in Core/MIPS/ARM/ArmAsm.cpp, but that's not the function call as I can see.

QuickCallFunction(R2, (void *)&MIPSComp::JitAt);

I added the patch with my DUMP code just in case.
I can add more logs or anything else if requested

Thanks
ppsspp_dirty_logs.txt
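
Added example (not part of the thread, and not PPSSPP or RetroArch code): a small Python triage helper for the tombstone excerpts quoted in the comments above. It recomputes the library load base from pc and the frame #00 offset, reads the Thumb bit from cpsr when the dump includes it, and splits the *pc word into Thumb halfwords; the function names are this example's own, and the samples are lines copied from this thread's logs with timestamps trimmed.

```python
import re

# Samples: DEBUG lines copied from the tombstones quoted in this thread.
SHIELD_2022 = """\
DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x8f5e63c0 (*pc=0xbd04f84d)
DEBUG   :     ip  00000000  sp  964d70d0  lr  91571100  pc  8f5e63c0
DEBUG   :       #00 pc 006233c0  /data/user/0/com.retroarch/ppsspp_libretro_android.so
"""
SHIELD_2019 = """\
F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x1cd0
F DEBUG   :     r0 0880432c  r1 00001ccc  r2 ffffffff  r3 ffffffff
F DEBUG   :     ip 8b117660  sp 8d6d8850  lr 8b3da09c  pc 8a83d5d8  cpsr 800e0010
F DEBUG   :     #00 pc 0023d5d8  /data/data/com.retroarch.ra32/cores/ppsspp_libretro_android.so
F DEBUG   :     #01 pc fffffffd  <unknown>
"""

SIGNAL_RE = re.compile(
    r"signal \d+ \((\w+)\), code -?\d+(?: \((\w+)\))?, "
    r"fault addr (0x[0-9a-f]+)(?: \(\*pc=(0x[0-9a-f]+)\))?")
FRAME_RE = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]{8})\s+(\S+)")
REG_RE = re.compile(r"\b(r\d+|sl|fp|ip|sp|lr|pc|cpsr)\s+([0-9a-f]{8})\b")

def parse_tombstone(text):
    """Extract signal info, registers and backtrace frames from tombstone text."""
    t = {"signal": None, "code": None, "fault_addr": None,
         "pc_word": None, "regs": {}, "frames": []}
    for line in text.splitlines():
        if (m := SIGNAL_RE.search(line)):
            t["signal"], t["code"] = m.group(1), m.group(2)
            t["fault_addr"] = int(m.group(3), 16)
            t["pc_word"] = int(m.group(4), 16) if m.group(4) else None
        elif (m := FRAME_RE.search(line)):
            t["frames"].append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
        else:
            t["regs"].update((n, int(v, 16)) for n, v in REG_RE.findall(line))
    return t

def triage(t):
    """Derive the facts a reader usually computes by hand from a tombstone."""
    pc, cpsr, word = t["regs"].get("pc"), t["regs"].get("cpsr"), t["pc_word"]
    frame0 = next((f for f in t["frames"] if f[0] == 0), None)
    out = {
        # Frame offsets are relative to the mapped library, so pc - offset = base.
        "load_base": pc - frame0[1] if pc is not None and frame0 else None,
        # True when the fault is on the fetched instruction, False for a data access.
        "fault_at_pc": t["fault_addr"] == pc,
        # CPSR bit 5 is the T bit: set means the core was executing Thumb.
        "thumb_state": bool(cpsr & 0x20) if cpsr is not None else None,
        "thumb_halfwords": None, "first_is_thumb2_prefix": None,
    }
    if word is not None:
        lo, hi = word & 0xFFFF, word >> 16
        out["thumb_halfwords"] = (lo, hi)
        # Top five bits 0b11101/0b11110/0b11111 start a 32-bit Thumb-2 encoding.
        # This is only a hint about how the bytes at pc would decode as Thumb.
        out["first_is_thumb2_prefix"] = (lo >> 11) in (0b11101, 0b11110, 0b11111)
    return out
```
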

@fcatrin

fcatrin commented Apr 14, 2022

Here is an additional thought:
The backtrace of this crash always shows the current frame but not the previous frames. Typically on these crashes one can see the full stack trace from the core, then retroarch and finally dalvik, here instead the containing frame points to anything.

#01 pc fffffffd <unknown>

Could it be that the SP register has a wrong value when arriving to this part of the code?

@andres-asm
Contributor Author

andres-asm commented Apr 15, 2022 via email
