Impeller VkPipelineCache corruption causes crash on app restart (Android Snapdragon 845)

[liuliwei-guru]

Steps to reproduce

1. Create an empty project: flutter create vkcachecrash --platform=android
2. Replace lib/main.dart with the code in the Code sample section.
3. Run flutter run or flutter run --release. The crash is more likely to occur on release builds.
4. Once the flutter.impeller.vkcache file is created, kill the process.
5. Launch the app for a second time. It may crash immediately in vkCreatePipelineCache, depending on whether the flutter.impeller.vkcache file from the previous step is corrupted or not. See full logs in the Logs section, both tombstone and adb logcat log.

07-23 15:50:57.311 26920 26920 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-23 15:50:57.311 26920 26920 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2107162030:user/release-keys'
07-23 15:50:57.311 26920 26920 F DEBUG   : Revision: '0'
07-23 15:50:57.311 26920 26920 F DEBUG   : ABI: 'arm64'
07-23 15:50:57.311 26920 26920 F DEBUG   : Timestamp: 2025-07-23 15:50:57+0800
07-23 15:50:57.312 26920 26920 F DEBUG   : pid: 26874, tid: 26874, name: elinecachecrash  >>> com.example.vkpipelinecachecrash <<<
07-23 15:50:57.312 26920 26920 F DEBUG   : uid: 10750
07-23 15:50:57.312 26920 26920 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6eeb988000
07-23 15:50:57.312 26920 26920 F DEBUG   :     x0  0000006bc0000ac0  x1  0000006eeb987fda  x2  00000000fffda8af  x3  0000006bc0026180
07-23 15:50:57.312 26920 26920 F DEBUG   :     x4  0000006feb9628d9  x5  0000006cc0000abf  x6  0000000000000000  x7  0000000000000000
07-23 15:50:57.312 26920 26920 F DEBUG   :     x8  0000000000000000  x9  0000000000000000  x10 0000000000000000  x11 0000000000000000
07-23 15:50:57.312 26920 26920 F DEBUG   :     x12 0000000000000000  x13 0000000000000000  x14 0000000000000068  x15 0000000000000000
07-23 15:50:57.312 26920 26920 F DEBUG   :     x16 0000006eec997cd0  x17 0000006fe140b380  x18 0000006fe50f0000  x19 0000006f44d16940
07-23 15:50:57.312 26920 26920 F DEBUG   :     x20 0000006eeb9628da  x21 0000006f44cb9980  x22 0000006bc0000ac0  x23 0000006f44d1aee4
07-23 15:50:57.312 26920 26920 F DEBUG   :     x24 000000000000139e  x25 00000000ffffffff  x26 0000006f44d16950  x27 000000000000000c
07-23 15:50:57.312 26920 26920 F DEBUG   :     x28 000000000000458c  x29 0000007fd1357120
07-23 15:50:57.312 26920 26920 F DEBUG   :     sp  0000007fd13570b0  lr  0000006eec8c597c  pc  0000006fe140b32c
07-23 15:50:57.312 26920 26920 F DEBUG   : 
07-23 15:50:57.312 26920 26920 F DEBUG   : backtrace:
07-23 15:50:57.312 26920 26920 F DEBUG   :       #00 pc 000000000007f32c  /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+284) (BuildId: a6a4a6a4e20240bbe3173fe560b161af)
07-23 15:50:57.312 26920 26920 F DEBUG   :       #01 pc 00000000001b6978  /vendor/lib64/hw/vulkan.sdm845.so (BuildId: ae2144fe420424bb96f4072c7260f2d9)
07-23 15:50:57.312 26920 26920 F DEBUG   :       #02 pc 00000000001b66a8  /vendor/lib64/hw/vulkan.sdm845.so (BuildId: ae2144fe420424bb96f4072c7260f2d9)
07-23 15:50:57.312 26920 26920 F DEBUG   :       #03 pc 000000000016b2d4  /vendor/lib64/hw/vulkan.sdm845.so (qglinternal::vkCreatePipelineCache(VkDevice_T*, VkPipelineCacheCreateInfo const*, VkAllocationCallbacks const*, VkPipelineCache_T**)+92) (BuildId: ae2144fe420424bb96f4072c7260f2d9)
07-23 15:50:57.312 26920 26920 F DEBUG   :       #04 pc 00000000007ef684  /data/app/com.example.vkpipelinecachecrash-UUFtRjmIlRZm9Nj00fX5jw==/lib/arm64/libflutter.so!libflutter.so (offset 0x47e000) (BuildId: fa495d4dbcee7946be46b9e436f7800458647c9f)

Additional info

Reproducible on two Snapdragon 845 devices (MI 8 and OnePlus 6), both running Android 10 (API 29). Tested with Flutter 3.32.7.

This is not a consistently reproducible crash. I automated the steps by running a script, and it crashes every 5-50 cycles. Once a crash occurs, all subsequent launches will also crash immediately until clear app data or reinstall.

PACKAGE_NAME="$1"
CYCLE_COUNT=0
while true; do
	CYCLE_COUNT=$((CYCLE_COUNT + 1))
	echo "cycle $CYCLE_COUNT"
	# clear /data/data/$PACKAGE_NAME/code_cache/flutter.impeller.vkcache
	adb shell pm clear "$PACKAGE_NAME"
	# launch and wait 2 seconds
	adb shell monkey -p "$PACKAGE_NAME" -c android.intent.category.LAUNCHER 1 > /dev/null 2>&1
	sleep 2
	# kill it
	adb shell am force-stop "$PACKAGE_NAME"
	
	# relaunch, crash may occur
	adb shell monkey -p "$PACKAGE_NAME" -c android.intent.category.LAUNCHER 1 > /dev/null 2>&1
	# wait and detect is proccess alive
	sleep 2
	PID=$(adb shell pidof "$PACKAGE_NAME" 2>/dev/null | tr -d '\r\n')
	if [ -n "$PID" ] && [ "$PID" != "" ]; then
		echo "no crash, continue"
	else
		echo "$PACKAGE_NAME crashed"
		exit 1
done

My Investigation

I tried many times to create a minimal reproducible project, and the key element is AnimatedSwitcher with a 1-second duration (running at least 50 frames to trigger the creation of flutter.impeller.vkcache). This seems to cause the Impeller engine or Vulkan driver to save a corrupted flutter.impeller.vkcache file.

When the Vulkan driver tries to create a pipeline cache from that corrupted file, it crashes.

I pulled out some flutter.impeller.vkcache files and analyzed them. It looks like some illegal memory access data got saved. For example, this vkcache file has a strange string /dev/ashmem/memoryheapbase (deleted) near the end of the flutter.impeller.vkcache file.

00039070 20 00 2F 00 64 00 65 00 76 00 2F 00 61 00 73 00   ./.d.e.v./.a.s.
00039080 68 00 6D 00 65 00 6D 00 2F 00 6D 00 65 00 6D 00  h.m.e.m./.m.e.m.
00039090 6F 00 72 00 79 00 68 00 65 00 61 00 70 00 62 00  o.r.y.h.e.a.p.b.
000390A0 61 00 73 00 65 00 20 00 28 00 64 00 65 00 6C 00  a.s.e. .(.d.e.l.
000390B0 65 00 74 00 65 00 64 00 29 00 00 00 00 00 00 00  e.t.e.d.).......

Expected results

No crash happens or at least it could recovers from consist crashes.

Actual results

Crashes immediately at launch after corrupted flutter.impeller.vkcache persisted.

Code sample

Code sample

import 'dart:async';
import 'package:flutter/material.dart';

void main() {
  runApp(const App());
}

class App extends StatefulWidget {
  const App({super.key});

  @override
  State<App> createState() => _AppState();
}

class _AppState extends State<App> {
  bool _animating = false;

  @override
  void initState() {
    super.initState();
    Future.delayed(Duration(milliseconds: 50)).then((v) {
      setState(() {
        _animating = true;
      });
    });
  }

  @override
  Widget build(BuildContext context) {
    return AnimatedSwitcher(
      duration: Duration(seconds: 1),
      child: _animating ? Square() : Circle(),
    );
  }
}

class Square extends StatelessWidget {
  const Square({super.key});

  @override
  Widget build(BuildContext context) {
    return Container(
      key: const ValueKey('1'),
      width: 50,
      height: 50,
      color: Colors.red,
    );
  }
}

class Circle extends StatelessWidget {
  const Circle({super.key});

  @override
  Widget build(BuildContext context) {
    // ignore: sized_box_for_whitespace
    return Container(
      key: const ValueKey('2'),
      width: 50,
      height: 50,
      decoration: BoxDecoration(
        color: Colors.cyan,
        borderRadius: BorderRadius.circular(50),
      ),
    );
  }
}

Screenshots or Video

Screenshots / Video demonstration

[Upload media here]

Logs

Logs

Tombstone
Adb logcat log

Flutter Doctor output

Doctor output

[✓] Flutter (Channel stable, 3.32.7, on macOS 15.3.1 24D70 darwin-arm64, locale zh-Hans-CN) [294ms]
    • Flutter version 3.32.7 on channel stable at /Users/a250102/fvm/versions/3.32.7
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision d7b523b356 (7 days ago), 2025-07-15 17:03:46 -0700
    • Engine revision 39d6d6e699
    • Dart version 3.8.1
    • DevTools version 2.45.1
    • Pub download mirror https://pub.flutter-io.cn
    • Flutter download mirror https://storage.flutter-io.cn

[✓] Android toolchain - develop for Android devices (Android SDK version 35.0.0-rc3) [943ms]
    • Android SDK at /Users/a250102/Library/Android/sdk
    • Platform android-35, build-tools 35.0.0-rc3
    • ANDROID_HOME = /Users/a250102/Library/Android/sdk
    • ANDROID_SDK_ROOT = /Users/a250102/Library/Android/sdk
    • Java binary at: /Library/Java/JavaVirtualMachines/amazon-corretto-17.jdk/Contents/Home/bin/java
      This JDK is specified in your Flutter configuration.
      To change the current JDK, run: `flutter config --jdk-dir="path/to/jdk"`.
    • Java version OpenJDK Runtime Environment Corretto-17.0.13.11.1 (build 17.0.13+11-LTS)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 16.2) [667ms]
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 16C5032a
    • CocoaPods version 1.16.2

[✓] Chrome - develop for the web [7ms]
    • Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

[✓] Android Studio (version 2024.3) [7ms]
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 21.0.6+-13368085-b895.109)

[✓] VS Code (version 1.102.1) [6ms]
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension can be installed from:
      🔨 https://marketplace.visualstudio.com/items?itemName=Dart-Code.flutter

[!] Proxy Configuration [6ms]
    • HTTP_PROXY is set
    ! NO_PROXY is not set

[✓] Connected device (3 available) [5.9s]
    • ONEPLUS A6000 (mobile) • 3d818cac • android-arm64  • Android 10 (API 29)
    • macOS (desktop)        • macos    • darwin-arm64   • macOS 15.3.1 24D70 darwin-arm64
    • Chrome (web)           • chrome   • web-javascript • Google Chrome 138.0.7204.159
    ! Error: Browsing on the local area network for iPhone. Ensure the device is unlocked and attached with a cable or associated with the same local area network as this Mac.
      The device must be opted into Developer Mode to connect wirelessly. (code -27)
    ! Error: Browsing on the local area network for PBC-iPhone16e-C. Ensure the device is unlocked and attached with a cable or associated with the same local area network as this Mac.
      The device must be opted into Developer Mode to connect wirelessly. (code -27)
    ! Error: Browsing on the local area network for ZhongTai ‘s iPad. Ensure the device is unlocked and attached with a cable or associated with the same local area network as this Mac.
      The device must be opted into Developer Mode to connect wirelessly. (code -27)

[✓] Network resources [1,080ms]
    • All expected network resources are available.

! Doctor found issues in 1 category.

[tirth-patel-nc]

@liuliwei-guru thanks for the detailed report. I tried symbolizing your stacktrace using the android-arm64-release/ symbols for Flutter 3.32.7. Could you confirm if the unsymbolized stacktrace you shared is from a release build on version 3.32.7, and whether it's the full stacktrace?

Symbolized Logs (Scroll Horizontal for More)

tirthpatel@Tirths-MacBook-Pro j23 % ~/Library/Android/sdk/ndk/27.0.12077973/prebuilt/darwin-x86_64/bin/ndk-stack -sym ~/Downloads/flutter_39d6d6e699e51b2874210e14cddf1a22fb9524b2_android-arm64-release_symbols < ~/Downloads/vkpipelinecache_tombstone.txt           
********** Crash dump: **********
Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2107162030:user/release-keys'
#00 0x000000000007f32c /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+284) (BuildId: a6a4a6a4e20240bbe3173fe560b161af)
#01 0x00000000001b6978 /vendor/lib64/hw/vulkan.sdm845.so (BuildId: ae2144fe420424bb96f4072c7260f2d9)
#02 0x00000000001b66a8 /vendor/lib64/hw/vulkan.sdm845.so (BuildId: ae2144fe420424bb96f4072c7260f2d9)
#03 0x000000000016b2d4 /vendor/lib64/hw/vulkan.sdm845.so (qglinternal::vkCreatePipelineCache(VkDevice_T*, VkPipelineCacheCreateInfo const*, VkAllocationCallbacks const*, VkPipelineCache_T**)+92) (BuildId: ae2144fe420424bb96f4072c7260f2d9)
#04 0x00000000007ef684 /data/app/com.example.vkpipelinecachecrash-UUFtRjmIlRZm9Nj00fX5jw==/lib/arm64/libflutter.so!libflutter.so (offset 0x47e000) (BuildId: fa495d4dbcee7946be46b9e436f7800458647c9f)
                                                                                                                                  impeller::EncodeCommandsInReactor(impeller::RenderPassData const&, impeller::ReactorGLES const&, std::_fl::vector<impeller::Command, std::_fl::allocator<impeller::Command>> const&, std::_fl::vector<impeller::BufferView, std::_fl::allocator<impeller::BufferView>> const&, std::_fl::vector<impeller::TextureAndSampler, std::_fl::allocator<impeller::TextureAndSampler>> const&, std::_fl::vector<impeller::Resource<impeller::BufferView>, std::_fl::allocator<impeller::Resource<impeller::BufferView>>> const&, std::_fl::shared_ptr<impeller::GPUTracerGLES> const&)
                                                                                                                                  out/ci/android_release_arm64/../../../flutter/impeller/renderer/backend/gles/render_pass_gles.cc:476:31
                                                                                                                                  _ZZNK8impeller14RenderPassGLES16OnEncodeCommandsERKNS_7ContextEENK3$_0clINS_11ReactorGLESEEEDaRKT_
                                                                                                                                  out/ci/android_release_arm64/../../../flutter/impeller/renderer/backend/gles/render_pass_gles.cc:677:23
                                                                                                                                  decltype(std::declval<impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0&>()(std::declval<impeller::ReactorGLES const&>())) std::_fl::__invoke[abi:nn210000]<impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0&, impeller::ReactorGLES const&>(impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0&, impeller::ReactorGLES const&)
                                                                                                                                  out/ci/android_release_arm64/../../../flutter/third_party/libcxx/include/__type_traits/invoke.h:179:25
                                                                                                                                  void std::_fl::__invoke_void_return_wrapper<void, true>::__call[abi:nn210000]<impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0&, impeller::ReactorGLES const&>(impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0&, impeller::ReactorGLES const&)
                                                                                                                                  out/ci/android_release_arm64/../../../flutter/third_party/libcxx/include/__type_traits/invoke.h:251:5
                                                                                                                                  void std::_fl::__invoke_r[abi:nn210000]<void, impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0&, impeller::ReactorGLES const&>(impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0&, impeller::ReactorGLES const&)
                                                                                                                                  out/ci/android_release_arm64/../../../flutter/third_party/libcxx/include/__type_traits/invoke.h:273:10
                                                                                                                                  std::_fl::__function::__alloc_func<impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0, std::_fl::allocator<impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0>, void (impeller::ReactorGLES const&)>::operator()[abi:nn210000](impeller::ReactorGLES const&)
                                                                                                                                  out/ci/android_release_arm64/../../../flutter/third_party/libcxx/include/__functional/function.h:167:12
                                                                                                                                  std::_fl::__function::__func<impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0, std::_fl::allocator<impeller::RenderPassGLES::OnEncodeCommands(impeller::Context const&) const::$_0>, void (impeller::ReactorGLES const&)>::operator()(impeller::ReactorGLES const&)
                                                                                                                                  out/ci/android_release_arm64/../../../flutter/third_party/libcxx/include/__functional/function.h:319:10
Crash dump is completed

Also, could you try reproducing the issue on the latest master or beta channel to see if it still occurs? I wasn't able to replicate it on my end using a Pixel 6a.

[liuliwei-guru]

Could you confirm if the unsymbolized stacktrace you shared is from a release build on version 3.32.7

the tombstone file and stacktrace are exported through adb bugreport. Can confirm I am build and run it on 3.32.7 (running multiple times and all libflutter.so are Build Id: fa495d4dbcee7946be46b9e436f7800458647c9f).

could you try reproducing the issue on the latest master or beta channel to see if it still occurs?

I installed main channel Flutter 3.33.0-1.0.pre-1078 and tried, still reproducible on my MI 8 and OnePlus 6.

here are logs if help
crash_com.example.vkpipelinecachecrash_88_logcat.log
tombstone_00.txt

wasn't able to replicate it on my end using a Pixel 6a.

this issue might related to certain vulkan driver, in this case are phones with Snapdragon 845 SoC like

• Samsung Galaxy S9 & Galaxy S9 Plus & Galaxy note 9
• Google Pixel 3 and Pixel 3 XL
• Sony Xperia XZ2 Premium & XZ3
• Xiaomi MI 8 (tested on my side and reproducible)
• OnePlus 6 & 6T (tested on my side and reproducible)

and this crash is not always occurs, please run the steps by using script above, and wait for at most 100 cycles.

[liuliwei-guru]

could you try reproducing the issue on the latest master or beta channel to see if it still occurs?

Also tested with beta channel Flutter 3.35.0-0.1.pre and still reproducible. log contents seems identical to previous.

crash_com.example.vkpipelinecachecrash_23_logcat.log

tombstone_04.txt

[tirth-patel-nc]

Thanks for the report. I tried symbolizing it using the steps from this comment, but the output doesn’t look correct. Could you please take a look and try symbolizing it, @liuliwei-guru? You can refer to the instructions here:
https://github.com/flutter/flutter/blob/master/engine/src/flutter/docs/Crashes.md

tirthpatel@Tirths-MacBook-Pro j24 % ~/Library/Android/sdk/ndk/27.0.12077973/prebuilt/darwin-x86_64/bin/ndk-stack -sym ~/Downloads/flutter_1c9c20e7c3dd48c66f400a24d48ea806b4ab312a_android-arm64-release_symbols < ~/Downloads/tombstone_04.txt
********** Crash dump: **********
Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2107162030:user/release-keys'
#00 0x00000000001b69ac /vendor/lib64/hw/vulkan.sdm845.so (BuildId: ae2144fe420424bb96f4072c7260f2d9)
#01 0x00000000001b66a8 /vendor/lib64/hw/vulkan.sdm845.so (BuildId: ae2144fe420424bb96f4072c7260f2d9)
#02 0x000000000016b2d4 /vendor/lib64/hw/vulkan.sdm845.so (qglinternal::vkCreatePipelineCache(VkDevice_T*, VkPipelineCacheCreateInfo const*, VkAllocationCallbacks const*, VkPipelineCache_T**)+92) (BuildId: ae2144fe420424bb96f4072c7260f2d9)
#03 0x00000000003752ac /data/app/com.example.vkpipelinecachecrash-8xPwkwIOVWHcxYss3Rj0Ug==/base.apk
Crash dump is completed

tirthpatel@Tirths-MacBook-Pro j24 % 

Previous stacktrace - #172624 (comment)

Keeping this open and adding appropriate labels for the team’s tracking, based on the information provided. I don’t have access to the mentioned devices to reproduce this issue.