[firebase-perf] Native SIGSEGV crash in network instrumentation affecting multiple SDKs #7681
Description
- Android Studio version: Latest stable (Ladybug)
- Firebase Component:
com.google.firebase:firebase-perf - Firebase BOM version:
34.8.0 - Kotlin version:
2.3.0 - Compose Multiplatform:
1.10.0 - Ktor version:
3.3.3(with OkHttp engine) - Target SDK: 36
- Min SDK: 24
Other Firebase components used:
firebase-crashlytics(via BOM)firebase-crashlytics-ndk(via BOM)firebase-analytics(via BOM)firebase-messaging-ktx:24.1.2
Third-party SDKs affected:
- AppsFlyer SDK:
6.17.5 - Coil (with OkHttp):
3.3.0
We are experiencing native crashes (SIGSEGV - null pointer dereference) in Firebase Performance Monitoring's network instrumentation. The crashes occur across multiple code paths and affect network calls from various SDKs.
Key Observations
- All crashes terminate at the same obfuscated location (
yn.b.b) - Multiple entry points lead to the same crash (
xn.z.d,xn.a.<init>,xn.k0.f) - Affects both OkHttp and URLConnection instrumentation
- Cannot reproduce in-house - only occurs on production devices
- Cannot disable Firebase Performance due to business requirements
Affected Network Sources
| Source | Network Type | Firebase Perf Entry Point |
|---|---|---|
| Ktor Client | OkHttp3 | FirebasePerfOkHttpClient |
| AppsFlyer SDK | URLConnection | FirebasePerfUrlConnection |
| Firebase Cloud Messaging | Internal | cloudmessaging |
| Payment SDK | URLConnection | NetUtils via URLConnection |
| OkHttp Interceptor | OkHttp3 | Interceptor chain |
Stack Traces
All crashes share the common termination point in obfuscated class yn.b.b.
Crash 1: OkHttp via FirebasePerfOkHttpClient
null pointer dereference: SIGSEGV 0x0000000000000008
#00 pc 0x48020ef0
#1 pc 0x66e5f0 libart.so
#4 pc ... com.google.firebase.perf.metrics.f.j
#6 pc ... com.google.firebase.perf.network.FirebasePerfOkHttpClient.a
#10 pc ... [ThreadPoolExecutor.runWorker]
Crash 2: URLConnection via FirebasePerfUrlConnection (AppsFlyer)
null pointer dereference: SIGSEGV
#00 yn.b.b [/memfd:jit-cache (deleted)]
#2 xn.z.d
#4 com.google.firebase.perf.metrics.f.j
#6 yg.e.
#8 yg.d.
#10 com.google.firebase.perf.network.FirebasePerfUrlConnection.instrument
#12 [AppsFlyer SDK internal network call]
Crash 3: Firebase Cloud Messaging
null pointer dereference: SIGSEGV
#00 yn.b.b [/memfd:jit-cache (deleted)]
#2 xn.z.d
#4 xn.k0.f
#8 [coroutine invokeSuspend]
#12 com.google.android.gms.cloudmessaging.k.d
#14 com.google.android.gms.cloudmessaging.k.run
Crash 4: Payment SDK via URLConnection
null pointer dereference: SIGSEGV
#00 yn.b.b [/memfd:jit-cache (deleted)]
#2 xn.z.d
#4 xn.k0.f
#6 [Payment SDK NetUtils.doMethod]
#8 [Payment SDK NetUtils.doGet]
#10 [Payment SDK NetUtils.fetchIfModified]
#18 [AsyncTask.doInBackground]
Crash 5: OkHttp Interceptor Chain
null pointer dereference: SIGSEGV
#00 yn.b.b [/memfd:jit-cache (deleted)]
#2 xn.a. ← Constructor call
#4 co.a.intercept ← OkHttp interceptor
#6 co.i.b ← Interceptor chain
#10 [OkHttp async call]
Common Pattern
All crashes follow this pattern:
- Third-party SDK or app code makes network request (OkHttp or URLConnection)
- Firebase Performance intercepts via bytecode instrumentation
- Crash occurs in Firebase Perf's internal obfuscated classes during instrumentation
- Native SIGSEGV with null pointer dereference at address near 0x0
Obfuscated Classes Involved
| Class | Appears In | Role |
|---|---|---|
yn.b.b |
All crashes (crash point) | Core instrumentation |
xn.z.d |
Crashes 1-4 | Method call |
xn.a.<init> |
Crash 5 | Constructor |
xn.k0.f |
Crashes 3-4 | Intermediate |
yg.e, yg.d |
Crash 2 | URLConnection wrapper |
co.a, co.i |
Crash 5 | OkHttp interceptor |
Impact
- Affects production users across multiple Android versions
- Multiple third-party SDKs are impacted including:
- Attribution SDK (AppsFlyer)
- Payment SDK
- Firebase Cloud Messaging
- Cannot be worked around without disabling Firebase Performance entirely
Expected Behavior
Network instrumentation should handle edge cases gracefully and not crash, even if:
- Network request is cancelled mid-flight
- Request originates from third-party SDKs
- Response is null or malformed
Steps to Reproduce
We cannot reproduce this in-house. It only occurs on production devices. The crash is non-deterministic and affects various Android versions.
Workarounds Attempted
- Updating Firebase BOM to 34.8.0 - no effect
- Adding defensive OkHttp interceptor - helps for OkHttp but not URLConnection
- Cannot disable Firebase Performance (business requirement)
Related Issues
- [libart.so] art::ConditionVariable::WaitHoldingLocks #6264 - Similar native crash in libart.so (closed as "not planned")
- App crash: Fatal Exception: retrofit2.j: HTTP 404 #3696 - InstrumentOkHttpEnqueueCallback exception handling (closed)
- [firebase-perf] com.google.firebase.perf.trace function has significant impact on performance and causing ANRs #6407 - Firebase Perf ANR issues (fixed)
Additional Context
The crashes share a common pattern suggesting a missing null check in the network instrumentation code path. The same obfuscated class (yn.b.b) is the crash point across all 5 different triggers, indicating a single underlying bug.