Some issues caused by memory parameters that were not configured well

This article records some issues caused by memory parameter configuration. While these issues were being analysed, it could not be confirmed that the root cause was hardware, and the division of responsibility was involved, so some statements are phrased cautiously and the problem is analysed from a purely technical angle. After feedback on the memory parameter configuration was received, a root cause analysis section was added.

It can serve as a summary of methods for analysing native crashes.

Issue 1. Want to call a function in the air.
[Symptom]
10-29 20:41:25.583  1052 11058 F libc    : Fatal signal 11 (SIGSEGV) at 0x000715e8 (code=1), thread 11058 (Binder_B)
10-29 20:41:25.683 17990 17990 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-29 20:41:25.683 17990 17990 I DEBUG   : Build fingerprint: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:userdebug/test-keys'
10-29 20:41:25.683 17990 17990 I DEBUG   : pid: 1052, tid: 11058, name: Binder_B  >>> android.process.acore <<<
10-29 20:41:25.683 17990 17990 I DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 000715e8
10-29 20:41:25.813 17990 17990 I DEBUG   :     r0 5c748730  r1 00000000  r2 00000000  r3 00000000
10-29 20:41:25.813 17990 17990 I DEBUG   :     r4 571771f0  r5 5c748730  r6 5d542198  r7 40300001
10-29 20:41:25.813 17990 17990 I DEBUG   :     r8 5faa7ad8  r9 5c114e70  sl 5c06fc00  fp 5faa7aec
10-29 20:41:25.813 17990 17990 I DEBUG   :     ip 00071000  sp 5faa7ac0  lr 40459599  pc 4042e984  cpsr 40000010
10-29 20:41:25.813 17990 17990 I DEBUG   :     d0  0000000000000000  d1  0000000000000000
10-29 20:41:25.813 17990 17990 I DEBUG   :     d2  000003e800000000  d3  0000000000000004
10-29 20:41:25.823 17990 17990 I DEBUG   :     d4  005f007300650072  d5  006b006300610070
10-29 20:41:25.823 17990 17990 I DEBUG   :     d6  002c006500670061  d7  0061007400730020
10-29 20:41:25.823 17990 17990 I DEBUG   :     d8  3f8000003f800000  d9  0000000000000000
10-29 20:41:25.823 17990 17990 I DEBUG   :     d10 0000000000000000  d11 0000000000000000
10-29 20:41:25.823 17990 17990 I DEBUG   :     d12 0000000000000000  d13 0000000000000000
10-29 20:41:25.823 17990 17990 I DEBUG   :     d14 0000000000000000  d15 0000000000000000
10-29 20:41:25.823 17990 17990 I DEBUG   :     d16 0069006f00720064  d17 006f0063002e0064
10-29 20:41:25.823 17990 17990 I DEBUG   :     d18 002e00640069006f  d19 0074006e006f0063
10-29 20:41:25.823 17990 17990 I DEBUG   :     d20 002e0074006e0065  d21 006e006f00430049
10-29 20:41:25.823 17990 17990 I DEBUG   :     d22 0074006e00650074  d23 0076007200650053
10-29 20:41:25.823 17990 17990 I DEBUG   :     d24 0000000000000001  d25 0000000000000008
10-29 20:41:25.823 17990 17990 I DEBUG   :     d26 0000000000000000  d27 0000000000000028
10-29 20:41:25.823 17990 17990 I DEBUG   :     d28 0000000000000018  d29 0000000000000000
10-29 20:41:25.823 17990 17990 I DEBUG   :     d30 0000000000000000  d31 0000000000000008
10-29 20:41:25.823 17990 17990 I DEBUG   :     scr 60000010

10-29 20:41:25.833 17990 17990 I DEBUG   :     #00  pc 0003a984  /system/lib/libandroid_runtime.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #01  pc 00065595  /system/lib/libandroid_runtime.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #02  pc 0001f330  /system/lib/libdvm.so (dvmPlatformInvoke+112)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #03  pc 0004e079  /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+360)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #04  pc 000287e0  /system/lib/libdvm.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #05  pc 0002cfa8  /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+180)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #06  pc 0005f695  /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #07  pc 0004d6b9  /system/lib/libdvm.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #08  pc 0004b109  /system/lib/libandroid_runtime.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #09  pc 0006610f  /system/lib/libandroid_runtime.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #10  pc 00014391  /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+60)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #11  pc 00016f15  /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+520)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #12  pc 0001733d  /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+184)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #13  pc 0001af55  /system/lib/libbinder.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #14  pc 00010e37  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+114)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #15  pc 00048b1d  /system/lib/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+44)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #16  pc 0001099d  /system/lib/libutils.so
10-29 20:41:25.833 17990 17990 I DEBUG   :     #17  pc 00012e70  /system/lib/libc.so (__thread_entry+48)
10-29 20:41:25.833 17990 17990 I DEBUG   :     #18  pc 000125c8  /system/lib/libc.so (pthread_create+172)

[Analysis]
Symbolize the call stack with the stack trace web tool and gdb:
10-29 20:41:25.833 17990 17990 I DEBUG   :     #00  pc 0003a984  /system/lib/libandroid_runtime.so
??
??:0
10-29 20:41:25.833 17990 17990 I DEBUG   :     #01  pc 00065595  /system/lib/libandroid_runtime.so
JavaBBinderHolder
LINUX/android/frameworks/base/core/jni/android_util_Binder.cpp:335
10-29 20:41:25.833 17990 17990 I DEBUG   :     #02  pc 0001f330  /system/lib/libdvm.so
dvmPlatformInvoke
/LINUX/android/dalvik/vm/arch/arm/CallEABI.S:258
10-29 20:41:25.833 17990 17990 I DEBUG   :     #03  pc 0004e079  /system/lib/libdvm.so
dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)
/LINUX/android/dalvik/vm/Jni.cpp:1184
10-29 20:41:25.833 17990 17990 I DEBUG   :     #04  pc 000287e0  /system/lib/libdvm.so
dalvik_mterp
/LINUX/android/dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S:16311
10-29 20:41:25.833 17990 17990 I DEBUG   :     #05  pc 0002cfa8  /system/lib/libdvm.so
dvmInterpret(Thread*, Method const*, JValue*)
LINUX/android/dalvik/vm/interp/Interp.cpp:1964
10-29 20:41:25.833 17990 17990 I DEBUG   :     #06  pc 0005f695  /system/lib/libdvm.so
dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)
LINUX/android/dalvik/vm/interp/Stack.cpp:526
10-29 20:41:25.833 17990 17990 I DEBUG   :     #07  pc 0004d6b9  /system/lib/libdvm.so
CallBooleanMethodV
LINUX/android/dalvik/vm/Jni.cpp:1988
10-29 20:41:25.833 17990 17990 I DEBUG   :     #08  pc 0004b109  /system/lib/libandroid_runtime.so
_JNIEnv::CallBooleanMethod(_jobject*, _jmethodID*, ...)
/LINUX/android/libnativehelper/include/nativehelper/jni.h:633
10-29 20:41:25.833 17990 17990 I DEBUG   :     #09  pc 0006610f  /system/lib/libandroid_runtime.so
JavaBBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)
LINUX/android/frameworks/base/core/jni/android_util_Binder.cpp:278
10-29 20:41:25.833 17990 17990 I DEBUG   :     #10  pc 00014391  /system/lib/libbinder.so
android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)
/LINUX/android/frameworks/native/libs/binder/Binder.cpp:108
10-29 20:41:25.833 17990 17990 I DEBUG   :     #11  pc 00016f15  /system/lib/libbinder.so
android::IPCThreadState::executeCommand(int)
/LINUX/android/frameworks/native/libs/binder/IPCThreadState.cpp:1034
10-29 20:41:25.833 17990 17990 I DEBUG   :     #12  pc 0001733d  /system/lib/libbinder.so
android::IPCThreadState::joinThreadPool(bool)
/LINUX/android/frameworks/native/libs/binder/IPCThreadState.cpp:473
10-29 20:41:25.833 17990 17990 I DEBUG   :     #13  pc 0001af55  /system/lib/libbinder.so
android::PoolThread::threadLoop()
LINUX/android/frameworks/native/libs/binder/ProcessState.cpp:67
10-29 20:41:25.833 17990 17990 I DEBUG   :     #14  pc 00010e37  /system/lib/libutils.so
android::Thread::_threadLoop(void*)
LINUX/android/frameworks/native/libs/utils/Threads.cpp:793
10-29 20:41:25.833 17990 17990 I DEBUG   :     #15  pc 00048b1d  /system/lib/libandroid_runtime.so
android::AndroidRuntime::javaThreadShell(void*)
/LINUX/android/frameworks/base/core/jni/AndroidRuntime.cpp:991
10-29 20:41:25.833 17990 17990 I DEBUG   :     #16  pc 0001099d  /system/lib/libutils.so
thread_data_t::trampoline(thread_data_t const*)
/LINUX/android/frameworks/native/libs/utils/Threads.cpp:132
10-29 20:41:25.833 17990 17990 I DEBUG   :     #17  pc 00012e70  /system/lib/libc.so
__thread_entry
/LINUX/android/bionic/libc/bionic/pthread.c:217
10-29 20:41:25.833 17990 17990 I DEBUG   :     #18  pc 000125c8  /system/lib/libc.so
pthread_create
LINUX/android/bionic/libc/bionic/pthread.c:356

(gdb) bt
#0  0x4042e984 in ?? () from system/lib/libandroid_runtime.so
#1  0x40459598 in JavaBBinderHolder (this=0x5c748730) at frameworks/base/core/jni/android_util_Binder.cpp:335
#2  android_os_Binder_init (env=0x5d542198, obj=0x40300001) at frameworks/base/core/jni/android_util_Binder.cpp:773
#3  0x40768334 in dvmPlatformInvoke () at dalvik/vm/arch/arm/CallEABI.S:258
#4  0x4079707c in dvmCallJNIMethod (args=0x5c114e6c, pResult=0x5c06fc00, method=0x571771f0, self=0x5c06fbf0) at dalvik/vm/Jni.cpp:1184
#5  0x407717e4 in dalvik_mterp () at dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S:16311
#6  0x40775fac in dvmInterpret (self=0x5c06fbf0, method=<optimized out>, pResult=0x5faa7cf8) at dalvik/vm/interp/Interp.cpp:1964
#7  0x407a8698 in dvmCallMethodV (self=0x5c06fbf0, method=0x57177030, obj=<optimized out>, fromJni=<optimized out>, pResult=0x5faa7cf8, args=...) at dalvik/vm/interp/Stack.cpp:526
#8  0x407966bc in CallBooleanMethodV (env=0x5d542198, jobj=<optimized out>, methodID=0x57177030, args=...) at dalvik/vm/Jni.cpp:1988
#9  0x4043f10a in _JNIEnv::CallBooleanMethod (this=<optimized out>, obj=<optimized out>, methodID=0x57177030) at libnativehelper/include/nativehelper/jni.h:633
#10 0x4045a112 in JavaBBinder::onTransact (this=0x5d2b2ce8, code=1, data=..., reply=0x5faa7ddc, flags=16) at frameworks/base/core/jni/android_util_Binder.cpp:278
#11 0x403ab392 in android::BBinder::transact (this=0x5d2b2ce8, code=1, data=..., reply=0x5faa7ddc, flags=16) at frameworks/native/libs/binder/Binder.cpp:108
#12 0x403adf16 in android::IPCThreadState::executeCommand (this=0x5cbdbfa8, cmd=<optimized out>) at frameworks/native/libs/binder/IPCThreadState.cpp:1034
#13 0x403ae340 in android::IPCThreadState::joinThreadPool (this=0x5cbdbfa8, isMain=<optimized out>) at frameworks/native/libs/binder/IPCThreadState.cpp:473
#14 0x403b1f58 in android::PoolThread::threadLoop (this=0x5c387bf8) at frameworks/native/libs/binder/ProcessState.cpp:67
#15 0x40207e38 in android::Thread::_threadLoop (user=0x5c387bf8) at frameworks/native/libs/utils/Threads.cpp:793
#16 0x4043cb1e in android::AndroidRuntime::javaThreadShell (args=<optimized out>) at frameworks/base/core/jni/AndroidRuntime.cpp:991
#17 0x4020799e in thread_data_t::trampoline (t=<optimized out>) at frameworks/native/libs/utils/Threads.cpp:132
#18 0x40189e74 in __thread_entry (func=0x40207905 <thread_data_t::trampoline(thread_data_t const*)>, arg=0x5d542198, tls=0x5faa7f00) at bionic/libc/bionic/pthread.c:217
#19 0x401895cc in pthread_create (thread_out=0x5d2ae880, attr=0x5f6a7cf0, start_routine=0x40207905 <thread_data_t::trampoline(thread_data_t const*)>, arg=0x5d542198) at bionic/libc/bionic/pthread.c:356

The innermost frame (#00) is not symbolized!!
Use gdb to get some information about the Java call stack:
#0  android.os.Binder.init()
#1  android.os.Binder.<init>()
#2  android.database.BulkCursorNative.<init>()
#3  android.database.CursorToBulkCursorAdaptor.<init>()
#4  android.content.ContentProviderNative.onTransact()
#5  android.os.Binder.execTransact()
#6  --- break frame ---
#7  dalvik.system.NativeStart.run()
#8  --- break frame ---
CursorToBulkCursorAdaptor.<init> is a Java class constructor, and CursorToBulkCursorAdaptor extends BulkCursorNative, which extends Binder.
android.os.Binder.execTransact() calls android.content.ContentProviderNative.onTransact().

CursorToBulkCursorAdaptor is only used in QUERY_TRANSACTION handling.
    @Override
    public boolean onTransact(int code, Parcel data, Parcel reply, int flags)
            throws RemoteException {
        try {
            switch (code) {
                case QUERY_TRANSACTION:
                {
                    data.enforceInterface(IContentProvider.descriptor);

                    Uri url = Uri.CREATOR.createFromParcel(data);

                    // String[] projection
                    int num = data.readInt();
                    String[] projection = null;
                    if (num > 0) {
                        projection = new String[num];
                        for (int i = 0; i < num; i++) {
                            projection[i] = data.readString();
                        }
                    }

                    // String selection, String[] selectionArgs...
                    String selection = data.readString();
                    num = data.readInt();
                    String[] selectionArgs = null;
                    if (num > 0) {
                        selectionArgs = new String[num];
                        for (int i = 0; i < num; i++) {
                            selectionArgs[i] = data.readString();
                        }
                    }

                    String sortOrder = data.readString();
                    IContentObserver observer = IContentObserver.Stub.asInterface(
                            data.readStrongBinder());
                    ICancellationSignal cancellationSignal = ICancellationSignal.Stub.asInterface(
                            data.readStrongBinder());

                    Cursor cursor = query(url, projection, selection, selectionArgs, sortOrder,
                            cancellationSignal);
                    if (cursor != null) {
                        CursorToBulkCursorAdaptor adaptor = new CursorToBulkCursorAdaptor(
                                cursor, observer, getProviderName());
                        BulkCursorDescriptor d = adaptor.getBulkCursorDescriptor();

                        reply.writeNoException();
                        reply.writeInt(1);
                        d.writeToParcel(reply, Parcelable.PARCELABLE_WRITE_RETURN_VALUE);
                    } else {
                        reply.writeNoException();
                        reply.writeInt(0);
                    }

                    return true;
                }

In the Binder class (Binder.java):
    /**
     * Default constructor initializes the object.
     */
    public Binder() {
        init();

        if (FIND_POTENTIAL_LEAKS) {
            final Class<? extends Binder> klass = getClass();
            if ((klass.isAnonymousClass() || klass.isMemberClass() || klass.isLocalClass()) &&
                    (klass.getModifiers() & Modifier.STATIC) == 0) {
                Log.w(TAG, "The following Binder class should be static or leaks might occur: " +
                    klass.getCanonicalName());
            }
        }
    }

The native init function of the Java Binder; the lines of interest are 773 and 335:
#2  android_os_Binder_init (env=0x5d542198, obj=0x40300001) at frameworks/base/core/jni/android_util_Binder.cpp:773
771static void android_os_Binder_init(JNIEnv* env, jobject obj)
772{
773    JavaBBinderHolder* jbh = new JavaBBinderHolder();
774    if (jbh == NULL) {
775        jniThrowException(env, "java/lang/OutOfMemoryError", NULL);
776        return;
777    }
778    ALOGV("Java Binder %p: acquiring first ref on holder %p", obj, jbh);
779    jbh->incStrong((void*)android_os_Binder_init);
780    env->SetIntField(obj, gBinderOffsets.mObject, (int)jbh);
781}

#2  /LINUX/android/frameworks/base/core/jni/android_util_Binder.cpp:335
335class JavaBBinderHolder : public RefBase
336{
337public:
  ........
361};

By now, except for the innermost callee, the flow is clear: a transaction is being dispatched in a binder worker thread.
But what happened between frame #01 and frame #00?
And what is #00? It looks as if it came out of thin air.

Use the pc register value 0x4042e984 to look for clues:
(gdb) disass 0x4042e984
No function contains specified address. 
Disassembly fails; checking the virtual memory map shows that the address lies in the .plt section of libandroid_runtime.so.
So disassemble it forcibly:

(gdb) x /i 0x4042e984
=> 0x4042e984: ldr pc, [r12, #1512]! ; 0x5e8

Walk the pc backwards to find what is being called:
(gdb) x /3i 0x4042e97C
   0x4042e97c: add r12, pc, #0, 12
   0x4042e980: add r12, r12, #462848 ; 0x71000
=> 0x4042e984: ldr pc, [r12, #1512]! ; 0x5e8    !!!!!!!!!!!! here map error !!!!!!!!!!!!
new pc = [pc as read by the first stub instruction (0x4042e97c+8 = 0x4042e984) + plt_base(0x71000) + entry_offset(0x5e8)] = [0x4049FF6C] = 0x40124b83 with the Thumb bit set

(gdb) disass 0x40124b83
Dump of assembler code for function android::DisplayEventReceiver::requestNextVsync():
   0x40124b82 <+0>: push {r3, lr}
   0x40124b84 <+2>: ldr r0, [r0, #0]
   0x40124b86 <+4>: cbz r0, 0x40124b92 <android::DisplayEventReceiver::requestNextVsync()+16>
   0x40124b88 <+6>: ldr r1, [r0, #0]
   0x40124b8a <+8>: ldr r3, [r1, #24]
   0x40124b8c <+10>: blx r3
   0x40124b8e <+12>: movs r0, #0
   0x40124b90 <+14>: pop {r3, pc}
   0x40124b92 <+16>: mvn.w r0, #18
   0x40124b96 <+20>: pop {r3, pc}
End of assembler dump.

So this is a call to DisplayEventReceiver::requestNextVsync(), which makes no sense from android_os_Binder_init.
Note that in the .plt trampoline the imported function has been resolved correctly to the valid virtual address 0x40124b83.
But according to the log, at $pc=0x4042e984 the address [r12, #1512] evaluated to 0x715e8:
   0x4042e97c: add r12, pc, #0, 12
   0x4042e980: add r12, r12, #462848 ; 0x71000
=> 0x4042e984: ldr pc, [r12, #1512]! ; 0x5e8 

When executing here, $pc cannot be 0x0, so the most likely explanation is that execution arrived abruptly at 0x4042e984 with r12 = 0x71000, or at 0x4042e980 with r12 = 0x0.

Investigate the code of android_os_Binder_init:
(gdb) disass android_os_Binder_init
Dump of assembler code for function android_os_Binder_init(JNIEnv*, jobject):
   0x4045957c <+0>: push {r3, r4, r5, r6, r7, lr}
   0x4045957e <+2>: mov r6, r0
   0x40459580 <+4>: movs r0, #20
   0x40459582 <+6>: mov r7, r1
   0x40459584 <+8>: blx 0x4042dcb0
   0x40459588 <+12>: movs r2, #20
   0x4045958a <+14>: movs r1, #0
   0x4045958c <+16>: mov r5, r0
   0x4045958e <+18>: blx 0x4042de48
   0x40459592 <+22>: mov r0, r5
   0x40459594 <+24>: blx 0x4042e940
=> 0x40459598 <+28>: ldr r1, [pc, #52] ; (0x404595d0 <android_os_Binder_init(JNIEnv*, jobject)+84>)
   0x4045959a <+30>: mov r0, r5
   0x4045959c <+32>: add r1, pc
   0x4045959e <+34>: ldr r1, [r1, #0]
   0x404595a0 <+36>: adds r1, #8
   0x404595a2 <+38>: str.w r1, [r0], #8
   0x404595a6 <+42>: movs r1, #0
   0x404595a8 <+44>: blx 0x4042dae8
   0x404595ac <+48>: ldr r1, [pc, #36] ; (0x404595d4 <android_os_Binder_init(JNIEnv*, jobject)+88>)
   0x404595ae <+50>: movs r0, #0
   0x404595b0 <+52>: str r0, [r5, #12]
   0x404595b2 <+54>: add r1, pc
   0x404595b4 <+56>: mov r0, r5
   0x404595b6 <+58>: blx 0x4042dd40
   0x404595ba <+62>: ldr r3, [pc, #28] ; (0x404595d8 <android_os_Binder_init(JNIEnv*, jobject)+92>)
   0x404595bc <+64>: ldr r2, [r6, #0]
   0x404595be <+66>: mov r0, r6
   0x404595c0 <+68>: add r3, pc
   0x404595c2 <+70>: mov r1, r7
   0x404595c4 <+72>: ldr.w r4, [r2, #436] ; 0x1b4
   0x404595c8 <+76>: ldr r2, [r3, #8]
   0x404595ca <+78>: mov r3, r5
   0x404595cc <+80>: blx r4
   0x404595ce <+82>: pop {r3, r4, r5, r6, r7, pc}
   0x404595d0 <+84>:   ; <UNDEFINED> instruction: 0x00045fb0
   0x404595d4 <+88>:   ; <UNDEFINED> instruction: 0xffffffc7
   0x404595d8 <+92>: andeq lr, r4, r4, lsl #24
End of assembler dump.

Assuming register lr was not modified, it can be concluded that the point of execution is in
   0x40459594 <+24>: blx 0x4042e940

and that the callee had not yet called any function; otherwise register lr would have been modified.
Investigating the .plt entry called at 0x4042e940:
(gdb) x /3i 0x4042e940
   0x4042e940: add r12, pc, #0, 12
   0x4042e944: add r12, r12, #462848 ; 0x71000
   0x4042e948: ldr pc, [r12, #1552]! ; 0x610

new pc = [current pc(0x4042e940+8) + plt_base(0x71000) + entry_offset(0x610)] = [0x4049ff58] = 0x40205f4d with THUMB bit

(gdb) disass 0x40205f4d
Dump of assembler code for function android::RefBase::RefBase():
   0x40205f4c <+0>: push {r4, lr} 
   0x40205f4e <+2>: mov r4, r0  // r0 is this pointer
   0x40205f50 <+4>: ldr r0, [pc, #32] ; (0x40205f74 <android::RefBase::RefBase()+40>)
   0x40205f52 <+6>: add r0, pc
   0x40205f54 <+8>: adds r0, #8
   0x40205f56 <+10>: str r0, [r4, #0]
   0x40205f58 <+12>: movs r0, #16
   0x40205f5a <+14>: blx 0x40203374 // new weakref_impl(this)
   0x40205f5e <+18>: movs r3, #0
   0x40205f60 <+20>: mov.w r1, #268435456 ; 0x10000000
   0x40205f64 <+24>: str r4, [r0, #8]
   0x40205f66 <+26>: str r1, [r0, #0]
   0x40205f68 <+28>: str r3, [r0, #4]
   0x40205f6a <+30>: str r3, [r0, #12]
   0x40205f6c <+32>: str r0, [r4, #4]
   0x40205f6e <+34>: mov r0, r4
   0x40205f70 <+36>: pop {r4, pc} // return.
   0x40205f72 <+38>: nop
   0x40205f74 <+40>: andeq r9, r0, r2, asr r6
End of assembler dump.
Source code in RefBase.cpp,
RefBase::RefBase()
    : mRefs(new weakref_impl(this))
{
}
So the instruction 0x00065594 <+24>: blx 0x4042e940 (a Thumb-mode call) is confirmed to be the call to the RefBase::RefBase() constructor.

Dig deeper into new weakref_impl(this) in the RefBase constructor.
<<--begin!! The assembly corresponding to mRefs(new weakref_impl(this)) is listed as follows:
(gdb) x /3i 0x40203374
   0x40203374: add r12, pc, #0, 12
   0x40203378: add r12, r12, #12, 20 ; 0xc000
   0x4020337c: ldr pc, [r12, #2804]! ; 0xaf4

new pc = [current pc(0x40203374+8) + plt_base(0xc000) + entry_offset(0xaf4)] = [0x4020FE70] = 0x401f28f9 with THUMB bit

(gdb) x /x 0x4020FE70
0x4020fe70: 0x401f28f9
(gdb) disass 0x401f28f9
Dump of assembler code for function operator new(unsigned int):
   0x401f28f8 <+0>: push {r3, lr}
   0x401f28fa <+2>: blx 0x401f2828 // malloc();
   0x401f28fe <+6>: cbnz r0, 0x401f2904 <operator new(unsigned int)+12>
   0x401f2900 <+8>: blx 0x401f2834 // if (ptr==NULL) abort();
   0x401f2904 <+12>: pop {r3, pc}
End of assembler dump.  
!!end-->
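The three .plt stubs walked above (at 0x4042e97c, 0x4042e940 and 0x40203374) and the fault address 0x715e8 all follow from the same three-instruction arithmetic. The following Python script is an added example, not part of the original post or of the AOSP code: it reproduces that arithmetic, follows each stub through the GOT values quoted from the gdb sessions, and shows the address the final ldr touches when r12 has lost its pc-relative part. The GOT dictionary and the function names are this example's own.

```python
# Added example (not from the original post): reproduce the ARM .plt stub
# arithmetic used in the analysis above, and show why a stub that runs with
# the pc-relative part of r12 lost faults at plt_base + entry_offset.
#
# A standard ARM ELF PLT entry is three instructions:
#     add r12, pc, #0, 12        ; r12 = pc + 8 (pc reads two instructions ahead)
#     add r12, r12, #<plt_base>  ; page offset to the GOT region
#     ldr pc, [r12, #<off>]!     ; load the resolved target from the GOT slot
# All addresses below are the ones quoted in the gdb sessions above.

THUMB_BIT = 1
MASK32 = 0xFFFFFFFF


def got_slot_address(stub_addr, plt_base, entry_offset):
    """Address of the GOT slot read by an ARM PLT stub starting at stub_addr.

    The first instruction reads pc as stub_addr + 8 (two instructions ahead
    of the one executing); the two adds then accumulate the offsets.
    """
    r12 = (stub_addr + 8) & MASK32
    r12 = (r12 + plt_base) & MASK32
    return (r12 + entry_offset) & MASK32


def resolve_plt_target(stub_addr, plt_base, entry_offset, got):
    """Follow the stub through the GOT and strip the Thumb interworking bit.

    Returns (got_slot, target_without_thumb_bit, is_thumb).
    """
    slot = got_slot_address(stub_addr, plt_base, entry_offset)
    target = got[slot]
    is_thumb = bool(target & THUMB_BIT)
    return slot, target & ~THUMB_BIT & MASK32, is_thumb


def fault_address_if_pc_part_lost(plt_base, entry_offset):
    """Address the ldr touches if r12 holds only plt_base.

    That is the case when the stub is entered at the third instruction with
    r12 == plt_base, or at the second instruction with r12 == 0; the
    tombstone then reports this value as the SIGSEGV fault address.
    """
    return (plt_base + entry_offset) & MASK32


# GOT contents as read on the device in the gdb sessions above
# (slot address -> stored function pointer, Thumb bit included).
GOT_FROM_POST = {
    0x4049FF6C: 0x40124B83,  # android::DisplayEventReceiver::requestNextVsync()
    0x4049FF58: 0x40205F4D,  # android::RefBase::RefBase()
    0x4020FE70: 0x401F28F9,  # operator new(unsigned int)
}

# (stub address, plt_base immediate, ldr offset) for the three stubs above.
STUBS_FROM_POST = [
    (0x4042E97C, 0x71000, 0x5E8),
    (0x4042E940, 0x71000, 0x610),
    (0x40203374, 0xC000, 0xAF4),
]

if __name__ == "__main__":
    for stub, base, off in STUBS_FROM_POST:
        slot, target, thumb = resolve_plt_target(stub, base, off, GOT_FROM_POST)
        print(f"stub {stub:#010x}: GOT slot {slot:#010x} -> {target:#010x} thumb={thumb}")
    # With the pc-relative part of r12 lost, the first stub faults at 0x715e8,
    # which is exactly the fault address in the tombstone.
    print(f"fault address with pc part lost: "
          f"{fault_address_if_pc_part_lost(0x71000, 0x5E8):#x}")
```

Running it prints the three GOT slots and resolved targets listed in the gdb output above, and 0x715e8 for the corrupted-r12 case, which is the SIGSEGV fault address in the tombstone; the same arithmetic can be applied to any ARM PLT stub found at a faulting pc.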

Examining the stack gives two observations.
a. No meaningful DisplayEventReceiver 'this' pointer can be found on the stack for a DisplayEventReceiver::requestNextVsync() call.
b. It is likely that the push {r4, lr} in the first instruction of android::RefBase::RefBase() was never executed, because the words just below the frame #00 sp do not match the values of r4 and lr:
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ab8  df0027ad  r4
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7abc  00000000  lr
10-29 20:41:25.843 17990 17990 I DEBUG   :     #00  5faa7ac0  58848914  /data/dalvik-cache/system@framework@framework.jar@classes.dex
10-29 20:41:25.843 17990 17990 I DEBUG   :          ........  ........
10-29 20:41:25.843 17990 17990 I DEBUG   :     #01  5faa7ac0  58848914  /data/dalvik-cache/system@framework@framework.jar@classes.dex
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ac4  571771f0  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ac8  5c06fbf0 
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7acc  00000000 
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ad0  5c114e78 
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ad4  40768334  /system/lib/libdvm.so (dvmPlatformInvoke+116)
10-29 20:41:25.843 17990 17990 I DEBUG   :     #02  5faa7ad8  5c114e6c 
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7adc  00000001 
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ae0  41af5198  /dev/ashmem/dalvik-heap (deleted)
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ae4  00000000 
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ae8  00000002 
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7aec  4079707d  /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+364)

Because register lr was not modified, the body of android::RefBase::RefBase() was never executed.
The first place where execution went wrong is
0x4042e948: ldr pc, [r12, #1552]! ; 0x610
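The check in point b above (compare the words just below sp with r4 and lr) can be automated. The following Python script is an added example and not code from the original post: it parses the stack section of the tombstone quoted above into an address-to-word map and reports whether a push {r4, lr} prologue could have produced the words found below the crash sp. The function names, and the arrangement of the register and stack values copied from the tombstone, are this example's own.

```python
import re

# Added example (not code from the original post): parse the "stack:" section
# of a debuggerd tombstone into an address -> word map, then apply the test
# used by hand above: if the callee's prologue `push {r4, lr}` had executed,
# the two words just below the reported sp would hold r4 and lr.

# Stack lines copied from the tombstone quoted in this post (the path that
# extraction had wrapped onto its own line is rejoined here).
SAMPLE_STACK_LINES = """\
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ab8  df0027ad  r4
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7abc  00000000  lr
10-29 20:41:25.843 17990 17990 I DEBUG   :     #00  5faa7ac0  58848914  /data/dalvik-cache/system@framework@framework.jar@classes.dex
10-29 20:41:25.843 17990 17990 I DEBUG   :          ........  ........
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ac4  571771f0  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ac8  5c06fbf0
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7acc  00000000
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ad0  5c114e78
10-29 20:41:25.843 17990 17990 I DEBUG   :          5faa7ad4  40768334  /system/lib/libdvm.so (dvmPlatformInvoke+116)
""".splitlines()

# Register values from the same tombstone's register dump.
CRASH_SP = 0x5FAA7AC0
CRASH_R4 = 0x571771F0
CRASH_LR = 0x40459599

# Matches "DEBUG   :          5faa7ab8  df0027ad  r4"
# and     "DEBUG   :     #00  5faa7ac0  58848914  /some/path".
STACK_WORD = re.compile(
    r"DEBUG\s*:\s+(?:#\d+\s+)?([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S.*))?\s*$")


def parse_stack_dump(lines):
    """Return {address: word} for every address/value line of the dump.

    Lines that carry no address/value pair (the '........' elision marker,
    section headers) are ignored; a frame marker such as '#00' is skipped.
    """
    words = {}
    for line in lines:
        m = STACK_WORD.search(line)
        if m:
            words[int(m.group(1), 16)] = int(m.group(2), 16)
    return words


def push_evidence(words, sp, regs):
    """Compare the dump with what `push {regs}` would have stored below sp.

    ARM push stores the registers in ascending register-number order at
    ascending addresses starting at the new sp, so with regs given in that
    order the i-th register lands at sp - 4*len(regs) + 4*i.
    Returns {name: (address, observed_word_or_None, matches_register)}.
    """
    base = sp - 4 * len(regs)
    evidence = {}
    for i, (name, value) in enumerate(regs):
        addr = base + 4 * i
        observed = words.get(addr)
        evidence[name] = (addr, observed, observed == value)
    return evidence


def prologue_push_executed(words, sp, regs):
    """True only if every pushed register is found where push would put it."""
    return all(ok for _, _, ok in push_evidence(words, sp, regs).values())


if __name__ == "__main__":
    words = parse_stack_dump(SAMPLE_STACK_LINES)
    regs = [("r4", CRASH_R4), ("lr", CRASH_LR)]
    for name, (addr, observed, ok) in push_evidence(words, CRASH_SP, regs).items():
        shown = f"{observed:08x}" if observed is not None else "missing"
        print(f"[{addr:08x}] = {shown}  expected {name}  match={ok}")
    print("push {r4, lr} executed:", prologue_push_executed(words, CRASH_SP, regs))
```

On the quoted dump the two words below sp are df0027ad and 00000000, neither of which equals r4 or lr, so the script reports that the prologue push did not run, which is the conclusion drawn by hand above. A register list in the wrong order would produce false mismatches, so regs must be given in ascending register-number order, as the push encoding stores them.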

Further, there are two possibilities for how the program crashed.
a. While process acore was scheduled out, a wild user-space pointer was passed into kernel space by another thread of the same thread group, and by coincidence that pointer pointed at the acore task's saved context.
In the kernel driver, the context's (user_pc, user_r12) pair was corrupted to (0x4042e984, 0x71000) or to (0x4042e980, 0).
When acore was scheduled back in, the crash occurred. This is possible, but unlikely.
b. A wild address was loaded into register pc by the instruction at 0x4042e948, and the chaos that followed eventually led to a (user_pc, user_r12) pair of (0x4042e984, 0x71000) or (0x4042e980, 0).

Dig further by searching memory for the key addresses.
<<--begin!!
Search for the key addresses in user and kernel space; nothing else useful was found.
(c)> search -u 4042e980
(c)> search -u 4042e984
5faa782c: 4042e984     // examining the contents around this address, it is likely the buffer the crash handler uses to dump the registers.
(c)> search -u 4042e988   
(c)>

(c)> search -k 4042e980
(c)> search -k 4042e984
cb16782c: 4042e984
e589bfa8: 4042e984     // perhaps a context struct here? which field would hold this value: the current pc?
e589bfec: 4042e984     // exactly the same as the printed registers; is this a zombie pt_regs?
(c)> search -k 4042e988
(c)>

(c)> vtop on 0x5faa782c and 0xcb16782c shows that the two addresses map to the same physical address.
!!end-->


Issue 2. Execution finished with a wild PC.
[Symptom]
10-30 18:29:06.699 11328 12598 F libc    : Fatal signal 11 (SIGSEGV) at 0x0541e2be (code=1), thread 12598 (Binder_5)
10-30 18:29:06.799   150   150 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-30 18:29:06.799   150   150 I DEBUG   : Build fingerprint: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:userdebug/test-keys'
10-30 18:29:06.799   150   150 I DEBUG   : pid: 11328, tid: 12598, name: Binder_5  >>> android.process.media <<<
10-30 18:29:06.799   150   150 I DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0541e2be
10-30 18:29:06.899   150   150 I DEBUG   :     r0 5c1391a0  r1 00000001  r2 5c1391a0  r3 00000001
10-30 18:29:06.899   150   150 I DEBUG   :     r4 58400001  r5 5c142af0  r6 00000000  r7 5c191d14
10-30 18:29:06.909   150   150 I DEBUG   :     r8 5f5dead8  r9 5c191d0c  sl 5c1426b0  fp 5f5deaec
10-30 18:29:06.909   150   150 I DEBUG   :     ip 4063fd33  sp 5f5deac8  lr 4063f9f9  pc 0541e2be  cpsr 80000030
10-30 18:29:06.909   150   150 I DEBUG   :     d0  00720064006e0061  d1  002e00640069006f
10-30 18:29:06.909   150   150 I DEBUG   :     d2  0074006e006f0063  d3  002e0074006e0065
10-30 18:29:06.909   150   150 I DEBUG   :     d4  0000000800000001  d5  0000000000000001
10-30 18:29:06.909   150   150 I DEBUG   :     d6  01060ff000200000  d7  000000314e4bf804
10-30 18:29:06.909   150   150 I DEBUG   :     d8  0000000000000000  d9  0000000000000000
10-30 18:29:06.909   150   150 I DEBUG   :     d10 0000000000000000  d11 0000000000000000
10-30 18:29:06.909   150   150 I DEBUG   :     d12 0000000000000000  d13 0000000000000000
10-30 18:29:06.909   150   150 I DEBUG   :     d14 0000000000000000  d15 0000000000000000
10-30 18:29:06.909   150   150 I DEBUG   :     d16 006e006f00430049  d17 0074006e00650074
10-30 18:29:06.909   150   150 I DEBUG   :     d18 00610072006f0074  d19 0069005f00650067
10-30 18:29:06.909   150   150 I DEBUG   :     d20 0052004600200064  d21 00660020004d004f
10-30 18:29:06.909   150   150 I DEBUG   :     d22 00730065006c0069  d23 0045004800570020
10-30 18:29:06.909   150   150 I DEBUG   :     d24 3fede16b9c24a98f  d25 3fe55559ee5e69f9
10-30 18:29:06.909   150   150 I DEBUG   :     d26 0000000000000000  d27 0000000000000000
10-30 18:29:06.909   150   150 I DEBUG   :     d28 0000000000000005  d29 0000000000000000
10-30 18:29:06.909   150   150 I DEBUG   :     d30 0000000000000000  d31 0000000000000000
10-30 18:29:06.909   150   150 I DEBUG   :     scr 80000010
10-30 18:29:06.909   150   150 I DEBUG   :
10-30 18:29:06.909   150   150 I DEBUG   : backtrace:
10-30 18:29:06.919   150   150 I DEBUG   :     #00  pc 0541e2be  <unknown>
10-30 18:29:06.919   150   150 I DEBUG   :     #01  pc 0005f9f5  /system/lib/libandroid_runtime.so
10-30 18:29:06.919   150   150 I DEBUG   :     #02  pc 0001f330  /system/lib/libdvm.so (dvmPlatformInvoke+112)
10-30 18:29:06.919   150   150 I DEBUG   :     #03  pc 0004e079  /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+360)
10-30 18:29:06.919   150   150 I DEBUG   :     #04  pc 000287e0  /system/lib/libdvm.so
10-30 18:29:06.919   150   150 I DEBUG   :     #05  pc 0002cfa8  /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+180)
10-30 18:29:06.919   150   150 I DEBUG   :     #06  pc 0005f695  /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
10-30 18:29:06.919   150   150 I DEBUG   :     #07  pc 0004d6b9  /system/lib/libdvm.so
10-30 18:29:06.919   150   150 I DEBUG   :     #08  pc 0004b109  /system/lib/libandroid_runtime.so
10-30 18:29:06.919   150   150 I DEBUG   :     #09  pc 0006610f  /system/lib/libandroid_runtime.so
10-30 18:29:06.919   150   150 I DEBUG   :     #10  pc 00014391  /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+60)
10-30 18:29:06.919   150   150 I DEBUG   :     #11  pc 00016f15  /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+520)
10-30 18:29:06.919   150   150 I DEBUG   :     #12  pc 0001733d  /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+184)
10-30 18:29:06.919   150   150 I DEBUG   :     #13  pc 0001af55  /system/lib/libbinder.so
10-30 18:29:06.919   150   150 I DEBUG   :     #14  pc 00010e37  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+114)
10-30 18:29:06.919   150   150 I DEBUG   :     #15  pc 00048b1d  /system/lib/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+44)
10-30 18:29:06.919   150   150 I DEBUG   :     #16  pc 0001099d  /system/lib/libutils.so
10-30 18:29:06.919   150   150 I DEBUG   :     #17  pc 00012e70  /system/lib/libc.so (__thread_entry+48)
10-30 18:29:06.919   150   150 I DEBUG   :     #18  pc 000125c8  /system/lib/libc.so (pthread_create+172)
10-30 18:29:06.919   150   150 I DEBUG   :
10-30 18:29:06.919   150   150 I DEBUG   : stack:
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dea88  405c0920  /system/lib/libdvm.so
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dea8c  4055eb11  /system/lib/libdvm.so
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dea90  5f5deaac  [stack:12598]
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dea94  5c1391a0 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dea98  416f8a38  /dev/ashmem/dalvik-heap (deleted)
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dea9c  4055eef9  /system/lib/libdvm.so
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deaa0  36500005 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deaa4  40560221  /system/lib/libdvm.so
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deaa8  5c142af0 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deaac  5c1426a0 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deab0  5c142af0 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deab4  4063f4e7  /system/lib/libandroid_runtime.so
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deab8  5c142af0 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deabc  5c14a678 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deac0  df0027ad 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deac4  00000000 
10-30 18:29:06.919   150   150 I DEBUG   :     #00  5f5deac8  56eec070  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-30 18:29:06.919   150   150 I DEBUG   :          ........  ........
10-30 18:29:06.919   150   150 I DEBUG   :     #01  5f5deac8  56eec070  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-30 18:29:06.919   150   150 I DEBUG   :          5f5deacc  5c1426a0 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dead0  00000000 
10-30 18:29:06.919   150   150 I DEBUG   :          5f5dead4  40534334  /system/lib/libdvm.so (dvmPlatformInvoke+116)
10-30 18:29:06.919   150   150 I DEBUG   :     #02  5f5dead8  5c191d0c 
10-30 18:29:06.929   150   150 I DEBUG   :          5f5deadc  00000001 
10-30 18:29:06.929   150   150 I DEBUG   :          5f5deae0  4167cb78  /dev/ashmem/dalvik-heap (deleted)
10-30 18:29:06.929   150   150 I DEBUG   :          5f5deae4  00000008 
10-30 18:29:06.929   150   150 I DEBUG   :          5f5deae8  0000002c 
10-30 18:29:06.929   150   150 I DEBUG   :          5f5deaec  4056307d  /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+364)
10-30 18:29:06.929   150   150 I DEBUG   :
10-30 18:29:06.929   150   150 I DEBUG   : memory near r0:
10-30 18:29:06.939   150   150 I DEBUG   :     5c139180 00000000 00000000 73616261 00000013  ........abas....
10-30 18:29:06.939   150   150 I DEBUG   :     5c139190 74706553 65626d65 00000072 0000003b  September...;...
10-30 18:29:06.939   150   150 I DEBUG   :     5c1391a0 00000000 5c1ce328 00000048 0000006c  ....(..\H...l...
10-30 18:29:06.939   150   150 I DEBUG   :     5c1391b0 00000048 00000000 00000000 00000000  H...............
10-30 18:29:06.939   150   150 I DEBUG   :     5c1391c0 00000000 75010001 00000000 5c120210  .......u.......\
10-30 18:29:06.939   150   150 I DEBUG   :
10-30 18:29:06.939   150   150 I DEBUG   : memory near r2:
10-30 18:29:06.939   150   150 I DEBUG   :     5c139180 00000000 00000000 73616261 00000013  ........abas....
10-30 18:29:06.939   150   150 I DEBUG   :     5c139190 74706553 65626d65 00000072 0000003b  September...;...
10-30 18:29:06.939   150   150 I DEBUG   :     5c1391a0 00000000 5c1ce328 00000048 0000006c  ....(..\H...l...
10-30 18:29:06.939   150   150 I DEBUG   :     5c1391b0 00000048 00000000 00000000 00000000  H...............
10-30 18:29:06.939   150   150 I DEBUG   :     5c1391c0 00000000 75010001 00000000 5c120210  .......u.......\
10-30 18:29:06.939   150   150 I DEBUG   :
10-30 18:29:06.939   150   150 I DEBUG   : memory near r4:
10-30 18:29:06.939   150   150 I DEBUG   :     583fffe0 000007ce 16960ecd 00010b4a 161f0ecd  ........J.......
10-30 18:29:06.939   150   150 I DEBUG   :     583ffff0 00011254 0f510ecd 000113df 0ed30ece  T.....Q.........
10-30 18:29:06.939   150   150 I DEBUG   :     58400000 00015785 00030ecf 000101b4 16190ecf  .W..............
10-30 18:29:06.939   150   150 I DEBUG   :     58400010 000112ae 00030ecf 000113fa 00030ecf  ................
10-30 18:29:06.939   150   150 I DEBUG   :     58400020 0001145b 00030ecf 00011464 0ed10ed0  [.......d.......
10-30 18:29:06.939   150   150 I DEBUG   :
10-30 18:29:06.939   150   150 I DEBUG   : memory near r5:
10-30 18:29:06.939   150   150 I DEBUG   :     5c142ad0 00000000 00000000 00000000 00000000  ................
10-30 18:29:06.939   150   150 I DEBUG   :     5c142ae0 00000000 00000000 5c142ad4 00000023  .........*.\#...
10-30 18:29:06.939   150   150 I DEBUG   :     5c142af0 405b9d34 00000000 0000000f 5c1426a0  4.[@.........&.\
10-30 18:29:06.939   150   150 I DEBUG   :     5c142b00 00000000 5a8e4e80 5c142d40 000000db  .....N.Z@-.\....
10-30 18:29:06.939   150   150 I DEBUG   :     5c142b10 000000c8 00000000 5a6f9770 5c1495b8  ........p.oZ...\
10-30 18:29:06.939   150   150 I DEBUG   :
10-30 18:29:06.939   150   150 I DEBUG   : memory near r7:
10-30 18:29:06.939   150   150 I DEBUG   :     5c191cf4 5c191d28 5c191d28 586acb68 56eec070  (..\(..\h.jXp..V
10-30 18:29:06.939   150   150 I DEBUG   :     5c191d04 00000000 00000000 5c1391a0 00000001  ...........\....
10-30 18:29:06.939   150   150 I DEBUG   :     5c191d14 5c191d48 58586d94 56eed658 586acb68  H..\.mXXX..Vh.jX
10-30 18:29:06.939   150   150 I DEBUG   :     5c191d24 00000000 5c1391a0 41f733c0 00000001  .......\.3.A....
10-30 18:29:06.939   150   150 I DEBUG   :     5c191d34 5c191d80 5851cd58 56f9e358 58586d94  ...\X.QXX..V.mXX
10-30 18:29:06.939   150   150 I DEBUG   :
10-30 18:29:06.939   150   150 I DEBUG   : memory near r8:
10-30 18:29:06.939   150   150 I DEBUG   :     5f5deab8 5c142af0 5c14a678 df0027ad 00000000  .*.\x..\.'......
10-30 18:29:06.939   150   150 I DEBUG   :     5f5deac8 56eec070 5c1426a0 00000000 40534334  p..V.&.\....4CS@
10-30 18:29:06.939   150   150 I DEBUG   :     5f5dead8 5c191d0c 00000001 4167cb78 00000008  ...\....x.gA....
10-30 18:29:06.939   150   150 I DEBUG   :     5f5deae8 0000002c 4056307d 5c191d0c 58a2e8ea  ,...}0V@...\...X
10-30 18:29:06.939   150   150 I DEBUG   :     5f5deaf8 4063f9eb 5c1426b0 58400001 00000000  ..c@.&.\..@X....
10-30 18:29:06.939   150   150 I DEBUG   :
10-30 18:29:06.939   150   150 I DEBUG   : memory near r9:
10-30 18:29:06.939   150   150 I DEBUG   :     5c191cec 56ee71f0 00000000 5c191d28 5c191d28  .q.V....(..\(..\
10-30 18:29:06.939   150   150 I DEBUG   :     5c191cfc 586acb68 56eec070 00000000 00000000  h.jXp..V........
10-30 18:29:06.949   150   150 I DEBUG   :     5c191d0c 5c1391a0 00000001 5c191d48 58586d94  ...\....H..\.mXX
10-30 18:29:06.949   150   150 I DEBUG   :     5c191d1c 56eed658 586acb68 00000000 5c1391a0  X..Vh.jX.......\
10-30 18:29:06.949   150   150 I DEBUG   :     5c191d2c 41f733c0 00000001 5c191d80 5851cd58  .3.A.......\X.QX
10-30 18:29:06.949   150   150 I DEBUG   :
10-30 18:29:06.949   150   150 I DEBUG   : memory near sl:
10-30 18:29:06.949   150   150 I DEBUG   :     5c142690 5c14267c 00000000 00000020 00000453  |&.\.... ...S...
10-30 18:29:06.949   150   150 I DEBUG   :     5c1426a0 585b7c5c 5c191d0c 56eed658 4157e000  \|[X...\X..V..WA
10-30 18:29:06.949   150   150 I DEBUG   :     5c1426b0 41f737f8 965283e6 5f5dec00 00000000  .7.A..R...]_....
10-30 18:29:06.949   150   150 I DEBUG   :     5c1426c0 5f5dec34 0000000f 00000000 405344c0  4.]_.........DS@
10-30 18:29:06.949   150   150 I DEBUG   :     5c1426d0 00000000 00000000 56468570 5c18e300  ........p.FV...\
10-30 18:29:06.949   150   150 I DEBUG   :
10-30 18:29:06.949   150   150 I DEBUG   : memory near fp:
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deacc 5c1426a0 00000000 40534334 5c191d0c  .&.\....4CS@...\
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deadc 00000001 4167cb78 00000008 0000002c  ....x.gA....,...
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deaec 4056307d 5c191d0c 58a2e8ea 4063f9eb  }0V@...\...X..c@
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deafc 5c1426b0 58400001 00000000 00000000  .&.\..@X........
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deb0c 40328a6c 002f0102 585b7c5c 5c191cd8  l.2@../.\|[X...\
10-30 18:29:06.949   150   150 I DEBUG   :
10-30 18:29:06.949   150   150 I DEBUG   : memory near ip:
10-30 18:29:06.949   150   150 I DEBUG   :     4063fd10 3190f8d0 682a4630 b1484798 ed70f7d9  ...10F*h.GH...p.
10-30 18:29:06.949   150   150 I DEBUG   :     4063fd20 46306831 2300682a 41b4f8d1 47a04639  1h0F*h.#...A9F.G
10-30 18:29:06.949   150   150 I DEBUG   :     4063fd30 bf00bdf8 000541e2 43f7e92d 46894604  .....A..-..C.F.F
10-30 18:29:06.949   150   150 I DEBUG   :     4063fd40 b9124615 44794927 4e27e01c 447e6800  .F..'IyD..'N.h~D
10-30 18:29:06.949   150   150 I DEBUG   :     4063fd50 3190f8d0 68324620 46074798 4923b920  ...1 F2h.G.F .#I
10-30 18:29:06.949   150   150 I DEBUG   :
10-30 18:29:06.949   150   150 I DEBUG   : memory near sp:
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deaa8 5c142af0 5c1426a0 5c142af0 4063f4e7  .*.\.&.\.*.\..c@
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deab8 5c142af0 5c14a678 df0027ad 00000000  .*.\x..\.'......
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deac8 56eec070 5c1426a0 00000000 40534334  p..V.&.\....4CS@
10-30 18:29:06.949   150   150 I DEBUG   :     5f5dead8 5c191d0c 00000001 4167cb78 00000008  ...\....x.gA....
10-30 18:29:06.949   150   150 I DEBUG   :     5f5deae8 0000002c 4056307d 5c191d0c 58a2e8ea  ,...}0V@...\...X
10-30 18:29:06.949   150   150 I DEBUG   :
10-30 18:29:06.949   150   150 I DEBUG   : code around pc:
10-30 18:29:06.949   150   150 I DEBUG   :     0541e29c ffffffff ffffffff ffffffff ffffffff  ................
10-30 18:29:06.949   150   150 I DEBUG   :     0541e2ac ffffffff ffffffff ffffffff ffffffff  ................
10-30 18:29:06.949   150   150 I DEBUG   :     0541e2bc ffffffff ffffffff ffffffff ffffffff  ................
10-30 18:29:06.949   150   150 I DEBUG   :     0541e2cc ffffffff ffffffff ffffffff ffffffff  ................
10-30 18:29:06.949   150   150 I DEBUG   :     0541e2dc ffffffff ffffffff ffffffff ffffffff  ................
10-30 18:29:06.949   150   150 I DEBUG   :
10-30 18:29:06.949   150   150 I DEBUG   : code around lr:
10-30 18:29:06.949   150   150 I DEBUG   :     4063f9d8 46294620 e8bd2300 f00641f0 e8bdbbe5   F)F.#...A......
10-30 18:29:06.949   150   150 I DEBUG   :     4063f9e8 b57081f0 460c4605 46194610 e9aef7db  ..p..F.F.F.F....
10-30 18:29:06.949   150   150 I DEBUG   :     4063f9f8 b1304602 46214628 e8bd2300 f0064070  .F0.(F!F.#..p@..
10-30 18:29:06.949   150   150 I DEBUG   :     4063fa08 bd70bbd3 4ff1e92d 460d4604 469a4617  ..p.-..O.F.F.F.F
10-30 18:29:06.959   150   150 I DEBUG   :     4063fa18 b028f8dd 802cf8dd d0312a00 46414610  ..(...,..*1..FAF
10-30 18:29:06.959   150   150 I DEBUG   :
10-30 18:29:06.959   150   150 I DEBUG   : memory map around fault addr 0541e2be:
10-30 18:29:06.959   150   150 I DEBUG   :     (no map below)
10-30 18:29:06.959   150   150 I DEBUG   :     (no map for address)
10-30 18:29:06.959   150   150 I DEBUG   :     40000000-40004000

[Analysis]
The symbolized stack trace, with the Dalvik Method* of the interesting frames printed from gdb in between:
10-30 18:29:06.919   150   150 I DEBUG   :     #00  pc 0541e2be  <unknown>
10-30 18:29:06.919   150   150 I DEBUG   :     #01  pc 0005f9f5  /system/lib/libandroid_runtime.so
android::android_os_Parcel_writeInt(_JNIEnv*, _jclass*, int, int)
LINUX/android/frameworks/base/core/jni/android_os_Parcel.cpp:193
10-30 18:29:06.919   150   150 I DEBUG   :     #02  pc 0001f330  /system/lib/libdvm.so
dvmPlatformInvoke
LINUX/android/dalvik/vm/arch/arm/CallEABI.S:258
10-30 18:29:06.919   150   150 I DEBUG   :     #03  pc 0004e079  /system/lib/libdvm.so
dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)
(gdb) print *method
$1 = {clazz = 0x4167cb78, accessFlags = 266, methodIndex = 0, registersSize = 2, outsSize = 0, insSize = 2, name = 0x58acd22e "nativeWriteInt", prototype = {dexFile = 0x40072f78,
    protoIdx = 5718}, shorty = 0x58a2e8ea "VII", insns = 0x4063f9eb <android::android_os_Parcel_writeInt(JNIEnv*, jclass, jint, jint)>, jniArgInfo = 0,
  nativeFunc = 0x40562f11 <dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)>, fastJni = false, noRef = true, shouldTrace = false, registerMap = 0x0, inProfile = false}
/LINUX/android/dalvik/vm/Jni.cpp:1184
10-30 18:29:06.919   150   150 I DEBUG   :     #04  pc 000287e0  /system/lib/libdvm.so
dalvik_mterp
/LINUX/android/dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S:16311
10-30 18:29:06.919   150   150 I DEBUG   :     #05  pc 0002cfa8  /system/lib/libdvm.so
dvmInterpret(Thread*, Method const*, JValue*)
/LINUX/android/dalvik/vm/interp/Interp.cpp:1964
10-30 18:29:06.919   150   150 I DEBUG   :     #06  pc 0005f695  /system/lib/libdvm.so
dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)
(gdb) print * method
$2 = {clazz = 0x41678848, accessFlags = 2, methodIndex = 0, registersSize = 12, outsSize = 5, insSize = 5, name = 0x58a72abd "execTransact", prototype = {dexFile = 0x40072f78,
    protoIdx = 10606}, shorty = 0x58a37e2e "ZIIII", insns = 0x584df408, jniArgInfo = 0, nativeFunc = 0x0, fastJni = false, noRef = false, shouldTrace = false, registerMap = 0x0,
  inProfile = false}
(gdb) print *(ClassObject*)0x41678848
$3 = {<Object> = {clazz = 0x416591e8, lock = 0}, instanceData = {0, 0, 0, 0}, descriptor = 0x589aed58 "Landroid/os/Binder;",descriptorAlloc = 0x0, accessFlags = 2147680257,
  serialNumber = 1342177602, pDvmDex = 0x4157e000, status = CLASS_INITIALIZED, verifyErrorClass = 0x0, initThreadId = 1, objectSize = 20, elementClass = 0x0, arrayDim = 0,
  primitiveType = PRIM_NOT, super = 0x41659890, classLoader = 0x0, initiatingLoaderList = {initiatingLoaders = 0x0, initiatingLoaderCount = 0}, interfaceCount = 1, interfaces = 0x56ee6f40,
  directMethodCount = 15, directMethods = 0x56ee6f88, virtualMethodCount = 13, virtualMethods = 0x56ee72d8, vtableCount = 23, vtable = 0x56ee77b8, iftableCount = 1, iftable = 0x56ee7820,
  ifviPoolCount = 9, ifviPool = 0x56ee7830, ifieldCount = 3, ifieldRefCount = 2, ifields = 0x56ee6f48, refOffsets = 3221225472, sourceFile = 0x5895a78c <Address 0x5895a78c out of bounds>,
  sfieldCount = 2, sfields = 0x416788e8}
/LINUX/android/dalvik/vm/interp/Stack.cpp:526
10-30 18:29:06.919   150   150 I DEBUG   :     #07  pc 0004d6b9  /system/lib/libdvm.so
CallBooleanMethodV
/LINUX/android/dalvik/vm/Jni.cpp:1988
10-30 18:29:06.919   150   150 I DEBUG   :     #08  pc 0004b109  /system/lib/libandroid_runtime.so
_JNIEnv::CallBooleanMethod(_jobject*, _jmethodID*, ...)
/LINUX/android/libnativehelper/include/nativehelper/jni.h:633
10-30 18:29:06.919   150   150 I DEBUG   :     #09  pc 0006610f  /system/lib/libandroid_runtime.so
JavaBBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)
/LINUX/android/frameworks/base/core/jni/android_util_Binder.cpp:278
10-30 18:29:06.919   150   150 I DEBUG   :     #10  pc 00014391  /system/lib/libbinder.so
android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)
/LINUX/android/frameworks/native/libs/binder/Binder.cpp:108
10-30 18:29:06.919   150   150 I DEBUG   :     #11  pc 00016f15  /system/lib/libbinder.so
android::IPCThreadState::executeCommand(int)
/LINUX/android/frameworks/native/libs/binder/IPCThreadState.cpp:1034
10-30 18:29:06.919   150   150 I DEBUG   :     #12  pc 0001733d  /system/lib/libbinder.so
android::IPCThreadState::joinThreadPool(bool)
/LINUX/android/frameworks/native/libs/binder/IPCThreadState.cpp:473
10-30 18:29:06.919   150   150 I DEBUG   :     #13  pc 0001af55  /system/lib/libbinder.so
android::PoolThread::threadLoop()
/LINUX/android/frameworks/native/libs/binder/ProcessState.cpp:67
10-30 18:29:06.919   150   150 I DEBUG   :     #14  pc 00010e37  /system/lib/libutils.so
android::Thread::_threadLoop(void*)
/LINUX/android/frameworks/native/libs/utils/Threads.cpp:793
10-30 18:29:06.919   150   150 I DEBUG   :     #15  pc 00048b1d  /system/lib/libandroid_runtime.so
android::AndroidRuntime::javaThreadShell(void*)
/LINUX/android/frameworks/base/core/jni/AndroidRuntime.cpp:991
10-30 18:29:06.919   150   150 I DEBUG   :     #16  pc 0001099d  /system/lib/libutils.so
thread_data_t::trampoline(thread_data_t const*)
/LINUX/android/frameworks/native/libs/utils/Threads.cpp:132
10-30 18:29:06.919   150   150 I DEBUG   :     #17  pc 00012e70  /system/lib/libc.so
__thread_entry
/LINUX/android/bionic/libc/bionic/pthread.c:217
10-30 18:29:06.919   150   150 I DEBUG   :     #18  pc 000125c8  /system/lib/libc.so
pthread_create
/LINUX/android/bionic/libc/bionic/pthread.c:356
From the native call stack we know the fault happened while executing android_os_Parcel_writeInt, but the native frames alone do not show the whole control flow.
Note:
Being able to print the Method* of a frame from gdb, as above, is what ties each native frame back to the Java method that called it.

We must examine the Java call stack to get the rest of the control flow.
#0  android.os.Parcel.nativeWriteInt()
#1  android.os.Parcel.writeInt()
#2  android.content.IContentService$Stub$Proxy.registerContentObserver()
#3  android.content.ContentResolver.registerContentObserver()
#4  android.database.AbstractCursor.setNotificationUri()
#5  com.android.providers.media.MediaProvider.query()
#6  android.content.ContentProvider.query()
#7  android.content.ContentProvider$Transport.query()
#8  android.content.ContentProviderNative.onTransact()
#9  android.os.Binder.execTransact()
#10 --- break frame ---
#11 dalvik.system.NativeStart.run()
#12 --- break frame ---

By now, the execution flow is almost clear.
ContentResolver.registerContentObserver(..) @ frameworks/base/core/java/android/content/ContentResolver.java
    public final void registerContentObserver(Uri uri, boolean notifyForDescendents,
            ContentObserver observer)
    {
        try {
            getContentService().registerContentObserver(uri, notifyForDescendents,
                    observer.getContentObserver());
        } catch (RemoteException e) {
        }
    }

calls into the proxy class that the build generates from IContentService.aidl:
#2  android.content.IContentService$Stub$Proxy.registerContentObserver()
public void registerContentObserver(android.net.Uri uri, boolean notifyForDescendentsn, android.database.IContentObserver observer) throws android.os.RemoteException
{
 android.os.Parcel _data = android.os.Parcel.obtain();
 android.os.Parcel _reply = android.os.Parcel.obtain();
 try {
  _data.writeInterfaceToken(DESCRIPTOR);
   if ((uri!=null)) {
    _data.writeInt(1);
    uri.writeToParcel(_data, 0);
   }
   else {
    _data.writeInt(0);
   }
   _data.writeInt(((notifyForDescendentsn)?(1):(0)));
   _data.writeStrongBinder((((observer!=null))?(observer.asBinder()):(null)));
   mRemote.transact(Stub.TRANSACTION_registerContentObserver, _data, _reply, 0);
   _reply.readException();
 }
 finally {
  _reply.recycle();
  _data.recycle();
 }
}

android_os_Parcel_writeInt @ frameworks/base/core/jni/android_os_Parcel.cpp (line numbers as referenced by the stack trace):
191static void android_os_Parcel_writeInt(JNIEnv* env, jclass clazz, jint nativePtr, jint val){
192    Parcel* parcel = reinterpret_cast<Parcel*>(nativePtr);
193    const status_t err = parcel->writeInt32(val);
194    if (err != NO_ERROR) {
195        signalExceptionForError(env, clazz, err);
196    }
197}

Disassemble android_os_Parcel_writeInt to see what happened exactly.
(gdb) disass $pc
Dump of assembler code for function android::android_os_Parcel_writeInt(JNIEnv*, jclass, jint, jint):
   0x4063f9ea <+0>: push {r4, r5, r6, lr}
   0x4063f9ec <+2>: mov r5, r0
   0x4063f9ee <+4>: mov r4, r1
   0x4063f9f0 <+6>: mov r0, r2
   0x4063f9f2 <+8>: mov r1, r3
   0x4063f9f4 <+10>: blx 0x4061ad54
=> 0x4063f9f8 <+14>: mov r2, r0
   0x4063f9fa <+16>: cbz r0, 0x4063fa0a <android::android_os_Parcel_writeInt(JNIEnv*, jclass, jint, jint)+32>
   0x4063f9fc <+18>: mov r0, r5
   0x4063f9fe <+20>: mov r1, r4
   0x4063fa00 <+22>: movs r3, #0
   0x4063fa02 <+24>: ldmia.w sp!, {r4, r5, r6, lr}
   0x4063fa06 <+28>: b.w 0x406461b0 <android::signalExceptionForError(_JNIEnv*, _jobject*, int, bool)>
   0x4063fa0a <+32>: pop {r4, r5, r6, pc}
End of assembler dump.

The register lr still holds 0x4063f9f8 with the Thumb bit set, i.e. the return address right after the blx, so no deeper function call (which would have overwritten lr) was made after the blx: whatever was executing when the fault hit was reached directly from this blx.
Before following the blx, take a quick look at the function arguments and the Parcel being written.
(gdb)info args
env = 0x5c142af0
clazz = 0x58400001 
nativePtr = <optimized out>
val = <optimized out>
The arg clazz is not a sane value: a jclass is a pointer-sized JNI reference and should be word (4-byte) aligned, while 0x58400001 is odd.

(gdb) print *(Parcel*)0x5c1391a0    --- nativePtr, i.e. Parcel.mNativePtr
$10 = {mError = 0, mData = 0x5c1ce328 "", mDataSize = 72, mDataCapacity = 108, mDataPos = 72, mObjects = 0x0, mObjectsSize = 0, mObjectsCapacity = 0, mNextObjectHint = 0, mFdsKnown = true,
  mHasFds = false, mAllowFds = true, mOwner = 0x0, mOwnerCookie = 0x5c120210}
The Parcel looks sane (mDataPos == mDataSize == 72, capacity 108, so writeInt32 has room without growing the buffer); nothing here explains the fault.

The args array that dvmCallJNIMethod handed to dvmPlatformInvoke (is it already adjusted by dvmPlatformInvoke, i.e. copied from [r9] into r2/r3? see CallEABI.S):
(gdb) print /x args[0]    ---- nativePtr, matches the Parcel* above
$12 = 0x5c1391a0
(gdb) print /x args[1]    ---- val == 1, consistent with one of the writeInt(1) calls in the proxy above
$13 = 0x1
(gdb) print /x args[2]
$14 = 0x5c191d48
(gdb) print /x args[-1]
$15 = 0x0

Back to the disassembly of android_os_Parcel_writeInt: where does the blx go?
   0x4063f9f4 <+10>: blx 0x4061ad54
The memory map shows that the target lies in the .plt section of libandroid_runtime.so:
0x40618e20 - 0x4061db38 is .plt in system/lib/libandroid_runtime.so

Try to disassemble the .plt entry. (Bit 0 of the blx target is clear, so the veneer is ARM code; blx from Thumb code switches to ARM state.)
(gdb)x /3i 0x4061ad54
   0x4061ad54: stmia r6!, {}
   0x4061ad58: ldmia r2!, {r0, r4, r5, r6}
   0x4061ad5c: blx 0x40d738d8
That does not look like a PLT veneer at all. The same entry at its unrelocated address 0x3ad54 in the library file decodes as the expected veneer:
(gdb) x /3i 0x3ad54
   0x3ad54: add r12, pc, #0, 12
   0x3ad58: add r12, r12, #462848 ; 0x71000
   0x3ad5c: ldr pc, [r12, #856]! ; 0x358
Displayed as data, however, the in-memory and in-file words are identical:
(gdb) x /3x 0x4061ad54
0x4061ad54: 0xe28fc600 0xe28cca71 0xe5bcf358
(gdb) x /3x 0x3ad54
0x3ad54: 0xe28fc600 0xe28cca71 0xe5bcf358
So the .plt bytes in memory are intact; gdb merely decoded them as Thumb because the current frame is in Thumb state (use `set arm force-mode arm` before `x/3i` to get the ARM decoding).

The veneer computes the GOT slot from pc (which reads as the instruction address + 8 in ARM state) and loads the new pc from that slot:
  r12    = (0x4061ad54 + 8) + 0x71000 + 0x358 = 0x4068c0b4
  new pc = [0x4068c0b4]
(gdb) x /x 0x4068C0B4
0x4068c0b4: 0x4050b397
(gdb) disass 0x4050b397
Dump of assembler code for function android::Parcel::writeIntPtr(int):
   0x4050b396 <+0>: b.w 0x4050b366 <android::Parcel::writeAligned<int>(int)>
End of assembler dump.
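The veneer walk done by hand above, as an added example (not code from the original write-up): it decodes the three ARM words of the .plt entry, applies the pc+8 rule, follows the GOT slot and checks the interworking bit of the loaded value, then compares that value with the faulting pc. The instruction words, the veneer address, the GOT slot contents and the fault pc are the values quoted above; MEMORY is a constructed stand-in for gdb's x/x, not a process dump.

```python
MASK32 = 0xFFFFFFFF
PC = 15

VENEER_ADDR = 0x4061AD54
VENEER_WORDS = (0xE28FC600, 0xE28CCA71, 0xE5BCF358)  # x /3x 0x4061ad54
FAULT_PC = 0x0541E2BE                                 # pc in the tombstone
MEMORY = {0x4068C0B4: 0x4050B397}                     # constructed: GOT slot as gdb read it back


def arm_rotate_imm(imm12):
    """ARM data-processing immediate: imm8 rotated right by 2 * rot."""
    rot = 2 * ((imm12 >> 8) & 0xF)
    imm8 = imm12 & 0xFF
    if rot == 0:
        return imm8
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & MASK32


def decode_add_imm(word):
    """ADD Rd, Rn, #const (A1 encoding, S=0) -> (rd, rn, const)."""
    if (word >> 21) & 0x7F != 0b0010100:
        raise ValueError("not ADD (immediate): 0x%08x" % word)
    return (word >> 12) & 0xF, (word >> 16) & 0xF, arm_rotate_imm(word & 0xFFF)


def decode_ldr_imm(word):
    """LDR Rt, [Rn, #+/-imm12]{!} (A1 encoding) -> (rt, rn, offset, pre_indexed, writeback)."""
    if (word >> 25) & 0x7 != 0b010 or (word >> 22) & 1 or not (word >> 20) & 1:
        raise ValueError("not LDR (immediate, word): 0x%08x" % word)
    p, u, w = (word >> 24) & 1, (word >> 23) & 1, (word >> 21) & 1
    off = word & 0xFFF
    return (word >> 12) & 0xF, (word >> 16) & 0xF, (off if u else -off), bool(p), bool(w)


def run_veneer(veneer_addr, words, read_word):
    """Execute a veneer of ADD-immediates ending in `ldr pc, [...]` symbolically.

    Returns (got_slot, raw_slot_value, target_pc, is_thumb). Only pc is
    defined on entry; in ARM state a read of pc yields insn_addr + 8.
    """
    regs = {}
    for i, word in enumerate(words):
        regs[PC] = (veneer_addr + 4 * i + 8) & MASK32
        kind = (word >> 25) & 0x7
        if kind == 0b001:                       # data processing, immediate
            rd, rn, imm = decode_add_imm(word)
            regs[rd] = (regs[rn] + imm) & MASK32
        elif kind == 0b010:                     # load/store, immediate offset
            rt, rn, off, pre, wb = decode_ldr_imm(word)
            if rt != PC or not pre:
                raise ValueError("veneer must end in a pre-indexed load into pc")
            slot = (regs[rn] + off) & MASK32
            if wb:
                regs[rn] = slot
            raw = read_word(slot)
            # Bit 0 of a value loaded into pc selects Thumb state (interworking).
            return slot, raw, raw & ~1, bool(raw & 1)
        else:
            raise ValueError("unexpected instruction in veneer: 0x%08x" % word)
    raise ValueError("veneer never loaded pc")


def explain_wild_pc(veneer_addr, words, read_word, fault_pc):
    """Compare what the veneer loads now with where the thread actually faulted."""
    slot, raw, target, thumb = run_veneer(veneer_addr, words, read_word)
    return {
        "got_slot": slot,
        "slot_value": raw,
        "target": target,
        "thumb": thumb,
        # A Thumb target must be halfword aligned, an ARM target word aligned.
        "target_aligned": target % (2 if thumb else 4) == 0,
        # True would mean the GOT slot itself was overwritten; False means the
        # slot is fine now and the wrong value existed only at the moment of the load.
        "slot_explains_fault": (raw & ~1) == (fault_pc & ~1),
    }


if __name__ == "__main__":
    result = explain_wild_pc(VENEER_ADDR, VENEER_WORDS, MEMORY.__getitem__, FAULT_PC)
    for key, value in result.items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-20s %s" % (key, shown))
```

For the values quoted above this reports the GOT slot 0x4068c0b4, a Thumb target 0x4050b396, and `slot_explains_fault` False: the slot read back afterwards cannot have produced 0x0541e2be, which is exactly what makes a transient wrong read the remaining explanation.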
(gdb) disass 0x4050b366
Dump of assembler code for function android::Parcel::writeAligned<int>(int):
   0x4050b366 <+0>: push {r3, r4, r5, lr}
   0x4050b368 <+2>: mov r4, r0
   0x4050b36a <+4>: ldr r0, [r0, #16]
   0x4050b36c <+6>: mov r5, r1
   0x4050b36e <+8>: ldr r3, [r4, #12]
   0x4050b370 <+10>: adds r2, r0, #4
   0x4050b372 <+12>: cmp r2, r3
   0x4050b374 <+14>: bhi.n 0x4050b388 <android::Parcel::writeAligned<int>(int)+34>
   0x4050b376 <+16>: ldr r1, [r4, #4]
   0x4050b378 <+18>: mov r0, r4
   0x4050b37a <+20>: ldr r2, [r4, #16]
   0x4050b37c <+22>: str r5, [r1, r2]
   0x4050b37e <+24>: movs r1, #4
   0x4050b380 <+26>: ldmia.w sp!, {r3, r4, r5, lr}
   0x4050b384 <+30>: b.w 0x4050a22e <android::Parcel::finishWrite(unsigned int)>
   0x4050b388 <+34>: mov r0, r4
   0x4050b38a <+36>: movs r1, #4
   0x4050b38c <+38>: bl 0x4050acf8 <android::Parcel::growData(unsigned int)>
   0x4050b390 <+42>: cmp r0, #0
   0x4050b392 <+44>: beq.n 0x4050b376 <android::Parcel::writeAligned<int>(int)+16>
   0x4050b394 <+46>: pop {r3, r4, r5, pc}
End of assembler dump.

Examine the stack: lr (0x4063f9f9) appears nowhere at or below sp, so the prologue of writeAligned<int> (push {r3, r4, r5, lr}) never executed; the thread did not get that far.
Examine where the wild pc 0x0541e2be lies: it is inside no mapping at all ("no map for address" in the tombstone).
So, as in issue 1, a wild address was loaded straight into register pc, here by the instruction
   0x3ad5c: ldr pc, [r12, #856]! ; 0x358
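Mechanical versions of the three checks made by hand above (alignment of the clazz argument, whether the callee's prologue saved lr, whether the faulting pc is mapped), as an added example that is not code from the original write-up. STACK_DUMP is copied from the Issue 2 tombstone; SP, LR, CLAZZ and FAULT_PC are the values the analysis derives; MAPPINGS holds only the one range the tombstone prints, and treating everything else as unmapped is an assumption of this example.

```python
import re

# Constructed from the "stack:" section of the Issue 2 tombstone above.
STACK_DUMP = """\
         5f5deab8  5c142af0
         5f5deabc  5c14a678
         5f5deac0  df0027ad
         5f5deac4  00000000
    #00  5f5deac8  56eec070  /dev/ashmem/dalvik-LinearAlloc (deleted)
         5f5deacc  5c1426a0
         5f5dead0  00000000
         5f5dead4  40534334  /system/lib/libdvm.so (dvmPlatformInvoke+116)
"""
SP = 0x5F5DEAC8          # the "#00" marker in the dump
LR = 0x4063F9F9          # return address right after the blx, Thumb bit set
CLAZZ = 0x58400001       # jclass argument as gdb printed it
FAULT_PC = 0x0541E2BE
MAPPINGS = [(0x40000000, 0x40004000, "")]   # assumption: only the range the tombstone shows

_STACK_LINE = re.compile(
    r"^\s*(?:#\d+\s+)?([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S.*?))?\s*$")


def parse_stack(dump):
    """Map address -> (word, mapping note) from debuggerd's 'stack:' section."""
    words = {}
    for line in dump.splitlines():
        m = _STACK_LINE.match(line)
        if m:
            words[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3) or "")
    return words


def is_aligned_pointer(value, align=4):
    """JNI references and Parcel* are word aligned on 32-bit ARM."""
    return value % align == 0


def find_saved_lr(stack, sp, lr, window=16):
    """Return the stack slot holding lr (Thumb bit ignored) within `window`
    bytes on either side of sp, or None if no prologue ever pushed it."""
    want = lr & ~1
    for addr in range(sp - window, sp + window, 4):
        if addr in stack and (stack[addr][0] & ~1) == want:
            return addr
    return None


def find_mapping(mappings, addr):
    """Return the (lo, hi, name) mapping containing addr, or None."""
    for lo, hi, name in mappings:
        if lo <= addr < hi:
            return (lo, hi, name)
    return None


def check_frame(stack, sp, lr, clazz, fault_pc, mappings):
    """The three sanity checks the analysis performs on the crashing frame."""
    return {
        "clazz_aligned": is_aligned_pointer(clazz),
        "lr_saved_at": find_saved_lr(stack, sp, lr),
        "fault_pc_mapping": find_mapping(mappings, fault_pc),
    }


if __name__ == "__main__":
    findings = check_frame(parse_stack(STACK_DUMP), SP, LR, CLAZZ, FAULT_PC, MAPPINGS)
    for key, value in findings.items():
        print("%-18s %r" % (key, value))
```

As a positive control, the same lr scan applied to the frame of android_os_Parcel_writeInt itself (caller sp 0x5f5dead8, return address 0x40534334 into dvmPlatformInvoke) does find the saved lr at 0x5f5dead4, which is the `push {r4, r5, r6, lr}` of that function doing its job.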

By now we can see memory corruption in more than one place:
The arg clazz is corrupted.
The value the .plt veneer loaded into pc is corrupted, although the veneer code itself and the GOT slot, when read back afterwards, are intact.
Since .text is read-only, how could the blx destination be corrupted at all? It is possible, though unlikely, that the saved user-space pc was corrupted in kernel space while the thread was switched out; that would mean both the user-space data of the thread (clazz) and its kernel-side saved context were hit.

Once the root cause (the mis-configured memory parameters mentioned in the introduction) was known, the conclusion is:
the new pc loaded by `ldr pc, [r12, #856]!` at 0x4061ad5c was corrupted because the memory contents were unstable, i.e. the load returned a wrong value even though the GOT slot holds the correct one now.


Issue 3: Variable corruption caused SIGSEGV
[Symptom in logcat]
10-31 04:56:14.959  3152  3152 F libc    : Fatal signal 11 (SIGSEGV) at 0x400d3010 (code=1), thread 3152 (n.conversations)
10-31 04:56:15.059 27827 27827 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-31 04:56:15.059 27827 27827 I DEBUG   : Build fingerprint: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:userdebug/test-keys'
10-31 04:56:15.059 27827 27827 I DEBUG   : pid: 3152, tid: 3152, name: .conversations  >>> com.xxxxxxxxxxx.conversations <<<
10-31 04:56:15.059 27827 27827 I DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000001b
10-31 04:56:15.199 27827 27827 I DEBUG   :     r0 0000000f  r1 40e1cc38  r2 00000000  r3 00000001
10-31 04:56:15.199 27827 27827 I DEBUG   :     r4 0000000f  r5 00000000  r6 40e1cc38  r7 4023be24
10-31 04:56:15.199 27827 27827 I DEBUG   :     r8 beb30718  r9 4023be1c  sl 400d3020  fp beb3072c
10-31 04:56:15.199 27827 27827 I DEBUG   :     ip 404b418f  sp beb30700  lr 40c8b334  pc 404b4162  cpsr 08000030
10-31 04:56:15.199 27827 27827 I DEBUG   :     d0  0000000000000000  d1  0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d2  000003e800000000  d3  0000000000000008
10-31 04:56:15.199 27827 27827 I DEBUG   :     d4  00c381e0ffff0400  d5  0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d6  3c0000ff00000000  d7  0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d8  0000000040400000  d9  0000030e3f000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d10 400921fb438d9687  d11 3fc15f4776571b67
10-31 04:56:15.199 27827 27827 I DEBUG   :     d12 4000000000000000  d13 3f0000003f22be8f
10-31 04:56:15.199 27827 27827 I DEBUG   :     d14 000000003f22be8f  d15 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d16 0000000000000000  d17 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d18 0000000000000000  d19 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d20 0000000000000000  d21 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d22 0000000000000000  d23 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d24 3ff0000000000000  d25 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d26 4032000000000000  d27 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     d28 001e001d001c001b  d29 0020001f001e001c
10-31 04:56:15.199 27827 27827 I DEBUG   :     d30 001a001a001a001a  d31 0000000000000000
10-31 04:56:15.199 27827 27827 I DEBUG   :     scr 88000013
10-31 04:56:15.209 27827 27827 I DEBUG   :
10-31 04:56:15.209 27827 27827 I DEBUG   : backtrace:
10-31 04:56:15.209 27827 27827 I DEBUG   :     #00  pc 0005f162  /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(_JNIEnv*, int)+9)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #01  pc 0001f330  /system/lib/libdvm.so (dvmPlatformInvoke+112)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #02  pc 0004e079  /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+360)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #03  pc 000287e0  /system/lib/libdvm.so
10-31 04:56:15.209 27827 27827 I DEBUG   :     #04  pc 0002cfa8  /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+180)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #05  pc 0005f93f  /system/lib/libdvm.so (dvmInvokeMethod(Object*, Method const*, ArrayObject*, ArrayObject*, ClassObject*, bool)+374)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #06  pc 000668e5  /system/lib/libdvm.so
10-31 04:56:15.209 27827 27827 I DEBUG   :     #07  pc 000287e0  /system/lib/libdvm.so
10-31 04:56:15.209 27827 27827 I DEBUG   :     #08  pc 0002cfa8  /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+180)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #09  pc 0005f695  /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #10  pc 0004a6a7  /system/lib/libdvm.so
10-31 04:56:15.209 27827 27827 I DEBUG   :     #11  pc 00048bed  /system/lib/libandroid_runtime.so
10-31 04:56:15.209 27827 27827 I DEBUG   :     #12  pc 00049609  /system/lib/libandroid_runtime.so (android::AndroidRuntime::start(char const*, char const*)+368)
10-31 04:56:15.209 27827 27827 I DEBUG   :     #13  pc 00000dcf  /system/bin/app_process
10-31 04:56:15.209 27827 27827 I DEBUG   :
10-31 04:56:15.209 27827 27827 I DEBUG   : stack:
10-31 04:56:15.209 27827 27827 I DEBUG   :          beb306c0  5cc23ab8 
10-31 04:56:15.209 27827 27827 I DEBUG   :          beb306c4  4098c6d7  /system/lib/libEGL.so (eglSwapBuffers+210)
10-31 04:56:15.209 27827 27827 I DEBUG   :          beb306c8  5c1a1044  /system/lib/egl/libEGL_adreno200.so
10-31 04:56:15.209 27827 27827 I DEBUG   :          beb306cc  5c1a1044  /system/lib/egl/libEGL_adreno200.so
10-31 04:56:15.209 27827 27827 I DEBUG   :          beb306d0  40108630 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306d4  5c1a1044  /system/lib/egl/libEGL_adreno200.so
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306d8  5c1a1010  /system/lib/egl/libEGL_adreno200.so
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306dc  400d3010 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306e0  5c1a1044  /system/lib/egl/libEGL_adreno200.so
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306e4  5c1945b8  /system/lib/egl/libEGL_adreno200.so (eglSeekCurrentThread+108)
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306e8  5c1a1044  /system/lib/egl/libEGL_adreno200.so
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306ec  400d3010 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306f0  40d175b8  /system/lib/libdvm.so
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306f4  401e5a6c 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306f8  df002777 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb306fc  e3a070ad 
10-31 04:56:15.219 27827 27827 I DEBUG   :     #00  beb30700  0000000f 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30704  40e1cc38  [heap]
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30708  57057fd8  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb3070c  400d3010 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30710  00000000 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30714  40c8b334  /system/lib/libdvm.so (dvmPlatformInvoke+116)
10-31 04:56:15.219 27827 27827 I DEBUG   :     #01  beb30718  4023be18 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb3071c  00000001 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30720  416857f0  /dev/ashmem/dalvik-heap (deleted)
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30724  00000000 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30728  0000002a 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb3072c  40cba07d  /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+364)
10-31 04:56:15.219 27827 27827 I DEBUG   :     #02  beb30730  4023be18 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30734  58c548ea  /data/dalvik-cache/system@framework@framework.jar@classes.dex
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30738  404b418f  /system/lib/libandroid_runtime.so
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb3073c  400d3020 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30740  00000000 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30744  00000000 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30748  76571b67 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb3074c  401e5a6c 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30750  00000000 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30754  588182a0  /data/dalvik-cache/system@framework@framework.jar@classes.dex
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30758  4023ad3c 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb3075c  41c78c90  /dev/ashmem/dalvik-heap (deleted)
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30760  56db6008 
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30764  40e1cfb0  [heap]
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb30768  beb30798  [stack]
10-31 04:56:15.219 27827 27827 I DEBUG   :          beb3076c  417feb60  /dev/ashmem/dalvik-heap (deleted)
10-31 04:56:15.219 27827 27827 I DEBUG   :          ........  ........
10-31 04:56:15.239 27827 27827 I DEBUG   :
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near r1:
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc18 00000010 0000001b 40e32728 401de53c  ........('.@<..@
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc28 00000000 00000000 00000018 00000023  ............#...
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc38 40d10d34 00000000 00000001 400d3010  4..@.........0.@
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc48 00000000 5c46cc80 00000000 0000012b  ......F\....+...
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc58 7379732f 2f6d6574 6d617266 726f7765  /system/framewor
10-31 04:56:15.239 27827 27827 I DEBUG   :
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near r6:
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc18 00000010 0000001b 40e32728 401de53c  ........('.@<..@
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc28 00000000 00000000 00000018 00000023  ............#...
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc38 40d10d34 00000000 00000001 400d3010  4..@.........0.@
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc48 00000000 5c46cc80 00000000 0000012b  ......F\....+...
10-31 04:56:15.239 27827 27827 I DEBUG   :     40e1cc58 7379732f 2f6d6574 6d617266 726f7765  /system/framewor
10-31 04:56:15.239 27827 27827 I DEBUG   :
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near r7:
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be04 4023be38 588d07f2 57057fd8 00000006  8.#@...X...W....
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be14 00000000 04200019 0000000f 00000000  ...... .........
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be24 4023be88 588cf20a 570581a0 588d07f2  ..#@...X...W...X
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be34 00000000 4023be68 00000000 00000000  ....h.#@........
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be44 00000000 00000000 41b366d8 4023be88  .........f.A..#@
10-31 04:56:15.239 27827 27827 I DEBUG   :
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near r8:
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb306f8 df002777 e3a070ad 0000000f 40e1cc38  w'...p......8..@
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb30708 57057fd8 400d3010 00000000 40c8b334  ...W.0.@....4..@
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb30718 4023be18 00000001 416857f0 00000000  ..#@.....WhA....
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb30728 0000002a 40cba07d 4023be18 58c548ea  *...}..@..#@.H.X
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb30738 404b418f 400d3020 00000000 00000000  .AK@ 0.@........
10-31 04:56:15.239 27827 27827 I DEBUG   :
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near r9:
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023bdfc 000026a9 41817218 4023be38 588d07f2  .&...r.A8.#@...X
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be0c 57057fd8 00000006 00000000 04200019  ...W.......... .
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be1c 0000000f 00000000 4023be88 588cf20a  ..........#@...X
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be2c 570581a0 588d07f2 00000000 4023be68  ...W...X....h.#@
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be3c 00000000 00000000 00000000 00000000  ................
10-31 04:56:15.239 27827 27827 I DEBUG   :
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near sl:
10-31 04:56:15.239 27827 27827 I DEBUG   :     400d3000 00000000 00000000 00000000 00000453  ............S...
10-31 04:56:15.239 27827 27827 I DEBUG   :     400d3010 588d0214 4023be18 570581a0 5128a000  ...X..#@...W..(Q
10-31 04:56:15.239 27827 27827 I DEBUG   :     400d3020 00000c50 00002722 beb30840 00000000  P..."'..@.......
10-31 04:56:15.239 27827 27827 I DEBUG   :     400d3030 beb30874 00000001 00000000 40c8b4c0  t..............@
10-31 04:56:15.239 27827 27827 I DEBUG   :     400d3040 00000000 00000000 565aec70 40236300  ........p.ZV.c#@
10-31 04:56:15.239 27827 27827 I DEBUG   :
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near fp:
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb3070c 400d3010 00000000 40c8b334 4023be18  .0.@....4..@..#@
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb3071c 00000001 416857f0 00000000 0000002a  .....WhA....*...
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb3072c 40cba07d 4023be18 58c548ea 404b418f  }..@..#@.H.X.AK@
10-31 04:56:15.239 27827 27827 I DEBUG   :     beb3073c 400d3020 00000000 00000000 76571b67   0.@........g.Wv
10-31 04:56:15.249 27827 27827 I DEBUG   :     beb3074c 401e5a6c 00000000 588182a0 4023ad3c lZ.@.......X<.#@
10-31 04:56:15.249 27827 27827 I DEBUG   :
10-31 04:56:15.249 27827 27827 I DEBUG   : memory near ip:
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b416c f7dc462b 6921e928 b1497325 46306832  +F..(.!i%sI.2h0F
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b417c 47986b53 69216830 46306dc2 61254790  Sk.G0h!i.m0F.G%a
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b418c 4601bd7c 461a4610 bfe0f7ff f02a6880  |..F.F.F.....h*.
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b419c 0000bf37 4604b510 68094608 3190f8d1  7......F.F.h...1
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b41ac 4a054611 6812447a 60204798 4621b110  .F.JzD.h.G `..!F
10-31 04:56:15.249 27827 27827 I DEBUG   :
10-31 04:56:15.249 27827 27827 I DEBUG   : memory near sp:
10-31 04:56:15.249 27827 27827 I DEBUG   :     beb306e0 5c1a1044 5c1945b8 5c1a1044 400d3010  D..\.E.\D..\.0.@
10-31 04:56:15.249 27827 27827 I DEBUG   :     beb306f0 40d175b8 401e5a6c df002777 e3a070ad  .u.@lZ.@w'...p..
10-31 04:56:15.249 27827 27827 I DEBUG   :     beb30700 0000000f 40e1cc38 57057fd8 400d3010  ....8..@...W.0.@
10-31 04:56:15.249 27827 27827 I DEBUG   :     beb30710 00000000 40c8b334 4023be18 00000001  ....4..@..#@....
10-31 04:56:15.249 27827 27827 I DEBUG   :     beb30720 416857f0 00000000 0000002a 40cba07d  .WhA....*...}..@
10-31 04:56:15.249 27827 27827 I DEBUG   :
10-31 04:56:15.249 27827 27827 I DEBUG   : code around pc:
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b4140 f8d34639 447a41b4 462b6812 bdf847a0  9F...AzD.h+F.G..
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b4150 00039fe7 00054d92 2500b573 23014604  .....M..s..%.F.#
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b4160 7303460e 95004611 6880462a f7dc462b  .F.s.F..*F.h+F..
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b4170 6921e928 b1497325 46306832 47986b53  (.!i%sI.2h0FSk.G
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b4180 69216830 46306dc2 61254790 4601bd7c  0h!i.m0F.G%a|..F
10-31 04:56:15.249 27827 27827 I DEBUG   :
10-31 04:56:15.249 27827 27827 I DEBUG   : code around lr:
10-31 04:56:15.249 27827 27827 I DEBUG   :     40c8b314 3497c004 3488c004 3afffff9 e2888004  ...4...4...:....
10-31 04:56:15.249 27827 27827 I DEBUG   :     40c8b324 eafffff9 e899000c e59bc00c e12fff3c  ............<./.
10-31 04:56:15.249 27827 27827 I DEBUG   :     40c8b334 e3560000 159bc010 e24bd014 188c0003  ..V.......K.....
10-31 04:56:15.249 27827 27827 I DEBUG   :     40c8b344 e8bd8bc0 e1a0ce22 e59b6008 e2866001  ...."....`...`..
10-31 04:56:15.249 27827 27827 I DEBUG   :     40c8b354 e3a02000 e4d6c001 e35c0000 0a000007  . ........\.....
10-31 04:56:15.269 27827 27827 I DEBUG   : Write /storage/sdcard0/klog/klog-0-com.xxxxxxxxxxxx.conversations-20121031045615.txt to internal SD failed

[Analysis]
The symbolized (translated) stack trace:
10-31 04:56:15.209 27827 27827 I DEBUG   :     #00  pc 0005f162  /system/lib/libandroid_runtime.so
android::NativeMessageQueue::pollOnce(_JNIEnv*, int)
/LINUX/android/frameworks/base/core/jni/android_os_MessageQueue.cpp:96
10-31 04:56:15.209 27827 27827 I DEBUG   :     #01  pc 0001f330  /system/lib/libdvm.so
dvmPlatformInvoke
/LINUX/android/dalvik/vm/arch/arm/CallEABI.S:258
10-31 04:56:15.209 27827 27827 I DEBUG   :     #02  pc 0004e079  /system/lib/libdvm.so
dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)
/LINUX/android/dalvik/vm/Jni.cpp:1184
10-31 04:56:15.209 27827 27827 I DEBUG   :     #03  pc 000287e0  /system/lib/libdvm.so
dalvik_mterp
/LINUX/android/dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S:16311
10-31 04:56:15.209 27827 27827 I DEBUG   :     #04  pc 0002cfa8  /system/lib/libdvm.so
dvmInterpret(Thread*, Method const*, JValue*)
/LINUX/android/dalvik/vm/interp/Interp.cpp:1964
10-31 04:56:15.209 27827 27827 I DEBUG   :     #05  pc 0005f93f  /system/lib/libdvm.so
dvmInvokeMethod(Object*, Method const*, ArrayObject*, ArrayObject*, ClassObject*, bool)
/LINUX/android/dalvik/vm/interp/Stack.cpp:737
10-31 04:56:15.209 27827 27827 I DEBUG   :     #06  pc 000668e5  /system/lib/libdvm.so
Dalvik_java_lang_reflect_Method_invokeNative
/LINUX/android/dalvik/vm/native/java_lang_reflect_Method.cpp:101
10-31 04:56:15.209 27827 27827 I DEBUG   :     #07  pc 000287e0  /system/lib/libdvm.so
dalvik_mterp
/LINUX/android/dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S:16311
10-31 04:56:15.209 27827 27827 I DEBUG   :     #08  pc 0002cfa8  /system/lib/libdvm.so
dvmInterpret(Thread*, Method const*, JValue*)
/LINUX/android/dalvik/vm/interp/Interp.cpp:1964
10-31 04:56:15.209 27827 27827 I DEBUG   :     #09  pc 0005f695  /system/lib/libdvm.so
dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)
/LINUX/android/dalvik/vm/interp/Stack.cpp:526
10-31 04:56:15.209 27827 27827 I DEBUG   :     #10  pc 0004a6a7  /system/lib/libdvm.so
CallStaticVoidMethodV
/LINUX/android/dalvik/vm/Jni.cpp:2121
10-31 04:56:15.209 27827 27827 I DEBUG   :     #11  pc 00048bed  /system/lib/libandroid_runtime.so
_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)
/LINUX/android/libnativehelper/include/nativehelper/jni.h:793
10-31 04:56:15.209 27827 27827 I DEBUG   :     #12  pc 00049609  /system/lib/libandroid_runtime.so
android::AndroidRuntime::start(char const*, char const*)
/LINUX/android/frameworks/base/core/jni/AndroidRuntime.cpp:880
10-31 04:56:15.209 27827 27827 I DEBUG   :     #13  pc 00000dcf  /system/bin/app_process
main
/LINUX/android/frameworks/base/cmds/app_process/app_main.cpp:197

ERROR DETAILS:
Crashing process 3152 (n.conversations)
Crashing thread  3152 (n.conversations)
Crashing app     com.xxxxxxxxxxxx.conversations
Signal           SIGSEGV  (attempt to access illegal address)
Fault addr       0x0000001B
PC               0x404B4162  android::NativeMessageQueue::pollOnce(_JNIEnv*, int)  /system/lib/libandroid_runtime.so
                 //LINUX/android/frameworks/base/core/jni/android_os_MessageQueue.cpp:96
LR               0x40C8B334  dvmPlatformInvoke  /system/lib/libdvm.so
                 //LINUX/android/dalvik/vm/arch/arm/CallEABI.S:275

BACKTRACE FROM LOG FILE:
 0  0x0005F162  android::NativeMessageQueue::pollOnce(_JNIEnv*, int)+0x9 /system/lib/libandroid_runtime.so
 1  0x0001F330  dvmPlatformInvoke+0x70             /system/lib/libdvm.so
 2  0x0004E079  dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+0x168 /system/lib/libdvm.so
 3  0x000287E0  dalvik_mterp+0x14                  /system/lib/libdvm.so
 4  0x0002CFA8  dvmInterpret(Thread*, Method const*, JValue*)+0xB4 /system/lib/libdvm.so
 5  0x0005F93F  dvmInvokeMethod(Object*, Method const*, ArrayObject*, ArrayObject*, ClassObject*, bool)+0x176 /system/lib/libdvm.so
 6  0x000668E5  Dalvik_java_lang_reflect_Method_invokeNative+0x711C /system/lib/libdvm.so
 7  0x000287E0  dalvik_mterp+0x14                  /system/lib/libdvm.so
 8  0x0002CFA8  dvmInterpret(Thread*, Method const*, JValue*)+0xB4 /system/lib/libdvm.so
 9  0x0005F695  dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+0x110 /system/lib/libdvm.so
10  0x0004A6A7  CallStaticVoidMethodV+0xFFFEB122       /system/lib/libdvm.so
11  0x00048BED  _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+0x12 /system/lib/libandroid_runtime.so
12  0x00049609  android::AndroidRuntime::start(char const*, char const*)+0x170 /system/lib/libandroid_runtime.so
13  0x00000DCF  main+0x162                         /system/bin/app_process

CRASH REASON
Instruction:     0x0005f162 <+10>:      strb    r3, [r0, #12]
r0 = 0x0000000F, r0 + 12 = 0x0000001B is an illegal address.
Parameter "this" (type = ? *) is currently stored in r0

The Java call stack:
#0  android.os.MessageQueue.nativePollOnce (Native Method)
#1  android.os.MessageQueue.next (MessageQueue.java:129)
#2  android.os.Looper.loop (Looper.java:133)
#3  android.app.ActivityThread.main (ActivityThread.java:4793)
-- Break frame --
#5  java.lang.reflect.Method.invokeNative (Native Method)
#6  java.lang.reflect.Method.invoke (Method.java:511)
#7  com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run (ZygoteInit.java:800)
#8  com.android.internal.os.ZygoteInit.main (ZygoteInit.java:551)
-- Break frame --
#10 dalvik.system.NativeStart.main (Native Method)
-- Break frame --

com.xxxxxxxxxxx.conversations is a prebuilt APK.
The crashing instruction corresponds to line 96 of android_os_MessageQueue.cpp:
95 void NativeMessageQueue::pollOnce(JNIEnv* env, int timeoutMillis) {
96    mInCallback = true;
97    mLooper->pollOnce(timeoutMillis);
98    mInCallback = false;
99    if (mExceptionObj) {
100        env->Throw(mExceptionObj);
101        env->DeleteLocalRef(mExceptionObj);
102        mExceptionObj = NULL;
103    }
104 }

NativeMessageQueue object layout (offsets from "this"):
-----------------+
vtable           |  +0
mRefs ptr        |  +4
m_ptr (of mLooper)  |  +8
mInCallback      |  +12
-----------------+

The store to NativeMessageQueue::mInCallback at this+12 hits an invalid address.
MessageQueue.mPtr, the Java field that holds the pointer to the NativeMessageQueue object, has a corrupted value, and that is what results in the crash.

NativeMessageQueue::pollOnce() is called with an invalid "this" pointer passed in.
NativeMessageQueue::pollOnce() is non-virtual, so the call itself does not go through a vtable and the first fault is the member write at line 96.

The caller<----------------
154 static void android_os_MessageQueue_nativePollOnce(JNIEnv* env, jobject obj,  @  android_os_MessageQueue.cpp
155        jint ptr, jint timeoutMillis) {
156    NativeMessageQueue* nativeMessageQueue = reinterpret_cast<NativeMessageQueue*>(ptr);
157    nativeMessageQueue->pollOnce(env, timeoutMillis);
158 }

<reached via dvmCallJNIMethod --> dvmPlatformInvoke>

The caller<----------------
117    final Message next() {        @ MessageQueue.java, called from Looper.loop()
118        int pendingIdleHandlerCount = -1; // -1 only during first iteration
119        int nextPollTimeoutMillis = 0;
120
121        for (;;) {
122            if (nextPollTimeoutMillis != 0) {
123                Binder.flushPendingCommands();
124            }
125            nativePollOnce(mPtr, nextPollTimeoutMillis);
       ......
       }

#2  0x40CBA07C in dvmCallJNIMethod+0x016C(+364)  /system/lib/libdvm.so
    //LINUX/android/dalvik/vm/Jni.cpp:1184
        args (unsigned int *) = 0x4023BE18   **************
        pResult (JValue *) = 0x400D3020
        method (Method *) = 0x57057FD8    **************
        self (Thread *) = 0x400D3010
          block
            modArgs (unsigned int *) = 0x4023BE18
            staticMethodClass (_jclass *) = 0x0   **************
            accessFlags (unsigned int) = <optimized out>
            isSynchronized (bool) = <optimized out>
            idx (int) = <optimized out>
            lockObj (Object *) = 0x416857F0   **************
            oldStatus (ThreadStatus) = THREAD_RUNNING (1)
            env (_JNIEnv *) = <optimized out>

(gdb) print *method
$3 = {clazz = 0x40e6bc08, accessFlags = 258(0x102), methodIndex = 0, registersSize = 3, outsSize = 0, insSize = 3, name = 0x58cf24dc "nativePollOnce",
  prototype = {dexFile = 0x400d3f78, protoIdx = 5718},
  shorty = 0x58c548ea "VII", insns = 0x404b418f <android::android_os_MessageQueue_nativePollOnce(JNIEnv*, jobject, jint, jint)>, jniArgInfo = 0,
  nativeFunc = 0x40cb9f11 <dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)>, fastJni = false, noRef = true, shouldTrace = false, registerMap = 0x0, inProfile = false}
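
The register-plus-offset check under CRASH REASON, and the frame #2 `args` pointer above, can be cross-checked mechanically against the tombstone. The following is an added example, not part of the original notes: it parses the "code around pc" and "memory near r7" rows copied from the tombstone above, decodes the 16-bit Thumb load/store at pc, recomputes the effective address from r0 = 0xF, compares it with the reported fault address, and reads the nativePollOnce argument slots at args = 0x4023BE18 the way dvmCallJNIMethod lays them out. The function names and the register map (only r0 is known from the analysis) are my own.

```python
import re

# Constructed sample input: a few "memory near r7" and "code around pc" rows
# copied from the tombstone above. Only the hex columns matter to the parser.
TOMBSTONE = """\
10-31 04:56:15.239 27827 27827 I DEBUG   : memory near r7:
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be04 4023be38 588d07f2 57057fd8 00000006  8.#@...X...W....
10-31 04:56:15.239 27827 27827 I DEBUG   :     4023be14 00000000 04200019 0000000f 00000000  ...... .........
10-31 04:56:15.249 27827 27827 I DEBUG   : code around pc:
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b4150 00039fe7 00054d92 2500b573 23014604  .....M..s..%.F.#
10-31 04:56:15.249 27827 27827 I DEBUG   :     404b4160 7303460e 95004611 6880462a f7dc462b  .F.s.F..*F.h+F..
"""

# A dump row is "<addr> <w0> .. <w3>" after the "DEBUG   :" prefix. The trailing
# ASCII column never forms a run of eight hex digits, so it stays out of the match.
DUMP_ROW = re.compile(r'DEBUG\s+:\s+([0-9a-f]{8})((?:\s[0-9a-f]{8}){1,4})(?=\s|$)')


def parse_dump(text):
    """Build an address -> 32-bit word map from every dump row in the text."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_ROW.search(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem


def read_u16(mem, addr):
    """Little-endian halfword at addr (Thumb code is 2-byte aligned)."""
    word = mem[addr & ~3]
    return (word >> (8 * (addr & 3))) & 0xffff


def decode_ldst_imm(insn):
    """Decode the 16-bit Thumb 'LDR/STR{B} Rt, [Rn, #imm]' form, whose bit
    layout is 011 B L imm5 Rn Rt. Returns (mnemonic, rt, rn, byte_offset),
    or None when insn is some other instruction."""
    if insn >> 13 != 0b011:
        return None
    is_byte = (insn >> 12) & 1
    is_load = (insn >> 11) & 1
    imm5 = (insn >> 6) & 0x1f
    rn = (insn >> 3) & 7
    rt = insn & 7
    mnemonic = ('ldr' if is_load else 'str') + ('b' if is_byte else '')
    return mnemonic, rt, rn, (imm5 if is_byte else imm5 * 4)  # word form scales by 4


def jni_args(mem, args_ptr, shorty):
    """Read the native args array the way dvmCallJNIMethod lays it out:
    args[0] is 'this' (already a local reference once the bridge ran), then
    one 32-bit slot per parameter char of the shorty after the return type,
    two slots for 'J' and 'D'."""
    values = [mem[args_ptr]]
    idx = 1
    for ch in shorty[1:]:
        if ch in 'JD':
            values.append(mem[args_ptr + 4 * idx] | (mem[args_ptr + 4 * idx + 4] << 32))
            idx += 2
        else:
            values.append(mem[args_ptr + 4 * idx])
            idx += 1
    return values


def analyze(text, pc, regs, fault_addr, args_ptr, shorty):
    """Cross-check the tombstone: decode the instruction at pc, recompute the
    effective address from the known register values, compare it with the
    reported fault address, and recover the JNI arguments from the dump."""
    mem = parse_dump(text)
    insn = read_u16(mem, pc)
    result = {'insn': insn, 'asm': None, 'effective_addr': None,
              'matches_fault_addr': False,
              'jni_args': jni_args(mem, args_ptr, shorty)}
    decoded = decode_ldst_imm(insn)
    if decoded is None:
        return result
    mnemonic, rt, rn, off = decoded
    if rn not in regs:          # base register value not available in the dump
        return result
    ea = (regs[rn] + off) & 0xffffffff
    result.update(asm=f'{mnemonic} r{rt}, [r{rn}, #{off}]',
                  effective_addr=ea, matches_fault_addr=(ea == fault_addr))
    return result


if __name__ == '__main__':
    # Values taken from the analysis above: pc, r0, fault addr, frame #2 args.
    print(analyze(TOMBSTONE, 0x404b4162, {0: 0x0000000f}, 0x1b,
                  0x4023be18, 'VII'))
```

The recovered slots show the jint ptr argument itself arriving as 0xF, which is the same value the crash reason attributes to r0.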

We did not trace further to find where the data was corrupted.

****************************************************************************************************************************
But we dug further into how the DVM processes a native method call, following the source code.
When control transfers from Java to native code, the DVM sets up a native stack.
In dvmCallJNIMethod(), dvmPlatformInvoke() is used to call the native method (its entry point is stored in Method.insns).

1181   dvmPlatformInvoke(env,
1182            (ClassObject*) staticMethodClass,
1183            method->jniArgInfo, method->insSize, modArgs, method->shorty,
1184            (void*) method->insns, pResult);

(gdb) disass dvmPlatformInvoke
Dump of assembler code for function dvmPlatformInvoke:
   0x40c8b2c0 <+0>: push {r6, r7, r8, r9, r11, lr}
   0x40c8b2c4 <+4>: add r11, sp, #20
   0x40c8b2c8 <+8>: ldr r9, [r11, #4]
   0x40c8b2cc <+12>: cmp r1, #0
   0x40c8b2d0 <+16>: subeq r3, r3, #1
   0x40c8b2d4 <+20>: ldreq r1, [r9], #4
   0x40c8b2d8 <+24>: teq r2, #0
   0x40c8b2dc <+28>: bmi 0x40c8b348 <dvmPlatformInvoke+136>
   0x40c8b2e0 <+32>: and r12, r2, #251658240 ; 0xf000000
   0x40c8b2e4 <+36>: lsr r6, r2, #28
   0x40c8b2e8 <+40>: sub sp, sp, r12, lsr #21
   0x40c8b2ec <+44>: mov r8, sp
   0x40c8b2f0 <+48>: mov r7, r9
   0x40c8b2f4 <+52>: lsrs r2, r2, #2
   0x40c8b2f8 <+56>: addcc r7, r7, #8
   0x40c8b2fc <+60>: subcc r3, r3, #2
   0x40c8b300 <+64>: addcs r7, r7, #4
   0x40c8b304 <+68>: subcs r3, r3, #1
   0x40c8b308 <+72>: subs r3, r3, #1
   0x40c8b30c <+76>: bmi 0x40c8b328 <dvmPlatformInvoke+104>
   0x40c8b310 <+80>: lsrs r2, r2, #1
   0x40c8b314 <+84>: ldrcc r12, [r7], #4
   0x40c8b318 <+88>: strcc r12, [r8], #4
   0x40c8b31c <+92>: bcc 0x40c8b308 <dvmPlatformInvoke+72>
   0x40c8b320 <+96>: add r8, r8, #4
   0x40c8b324 <+100>: b 0x40c8b310 <dvmPlatformInvoke+80>
   0x40c8b328 <+104>: ldm r9, {r2, r3}
   0x40c8b32c <+108>: ldr r12, [r11, #12]
   0x40c8b330 <+112>: blx r12
=> 0x40c8b334 <+116>: cmp r6, #0


dvmPlatformInvoke()  @  CallEABI.S
37 Function prototype:
38
39 void dvmPlatformInvoke(void* pEnv, ClassObject* clazz, int argInfo, int argc,
40    const u4* argv, const char* signature, void* func, JValue* pReturn)


88 * On entry:
89 *   r0  JNIEnv (can be left alone)
90 *   r1  clazz (NULL for virtual method calls, non-NULL for static)
91 *   r2  arg info
92 *   r3  argc (number of 32-bit values in argv)
93 *   [sp]     argv
94 *   [sp,#4]  short signature
95 *   [sp,#8]  func
96 *   [sp,#12] pReturn

134     * stack looks like:
135     *
136     *  pReturn
137     *  func
138     *  shorty
139     *  argv        <-- sp on entry
140     *  lr          <-- fp
141     *  fp
142     *  r9...r7
143     *  r6          <-- sp after reg save

236 .Lcopy_done:
237    /*
238     * Currently:
239     *  r0-r3  args (JNIEnv*, thisOrClass, arg0, arg1)
240     *  r6  return type (enum DalvikJniReturnType)
241     *  r9  original argv
242     *  fp  frame pointer
243     *
244     * The stack copy is complete.  Grab the first two words off of argv
245     * and tuck them into r2/r3.  If the first arg is 32-bit and the second
246     * arg is 64-bit, then r3 "holds" a pad word and the load is unnecessary
247     * but harmless.
248     *
249     * If there are 0 or 1 arg words in argv, we will be loading uninitialized
250     * data into the registers, but since nothing tries to use it it's also
251     * harmless (assuming argv[0] and argv[1] point to valid memory, which
252     * is a reasonable assumption for Dalvik's interpreted stacks).
253     */
254    ldmia   r9, {r2-r3}                 @ r2/r3<- argv[0]/argv[1]
255
256    ldr     ip, [fp, #8+FP_ADJ]         @ ip<- func
257 #ifdef __ARM_HAVE_BLX
258    blx     ip                          @ call func  ******* call the jni function ********
259 #else
260    mov     lr, pc                      @ call func the old-fashioned way
261    bx      ip
262 #endif


The arguments for the JNI function are passed in args[1 .. argc-1].
args[0] is the Java object on which the method is invoked; it is used as the "this" reference and as the lock object if the method is synchronized.

dalvik_mterp () at dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S
(gdb) disass dalvik_mterp
Dump of assembler code for function dalvik_mterp:
   0x40c947cc <+0>: push {r4, r5, r6, r7, r8, r9, r10, r11, lr}
   0x40c947d0 <+4>: sub sp, sp, #4
   0x40c947d4 <+8>: cmp lr, #0
   0x40c947d8 <+12>: bne 0x40c94808 <dalvik_mterp+60>
   0x40c947dc <+16>: mov lr, pc
   0x40c947e0 <+20>: ldr pc, [r2, #40] ; 0x28     ** call dvmCallJNIMethod
=> 0x40c947e4 <+24>: ldr r0, [r10, #12]


called in <-----------
dvmInterpret(Thread*, Method const*, JValue*)  @ dalvik/vm/interp/Interp.cpp:1964

On initialization, meth->nativeFunc and meth->jniArgInfo are set to dvmResolveNativeMethod and computeJniArgInfo(&meth->prototype) respectively.
After the name has been resolved via dvmResolveNativeMethod, meth->nativeFunc is replaced with the JNI bridge dvmCallJNIMethod (and meth->insns with the resolved function).
So each native method is resolved only once.
2150 * Pull the interesting pieces out of a DexMethod.
2151 *
2152 * The DEX file isn't going anywhere, so we don't need to make copies of
2153 * the code area.
2154 */
2155 static void loadMethodFromDex(ClassObject* clazz, const DexMethod* pDexMethod, @ dalvik/vm/oo/Class.cpp
2156    Method* meth)
2157 {
2158    DexFile* pDexFile = clazz->pDvmDex->pDexFile;
2159    const DexMethodId* pMethodId;
2160    const DexCode* pDexCode;
2161
2162    pMethodId = dexGetMethodId(pDexFile, pDexMethod->methodIdx);
2163
2164    meth->name = dexStringById(pDexFile, pMethodId->nameIdx);
2165    dexProtoSetFromMethodId(&meth->prototype, pDexFile, pMethodId);
2166    meth->shorty = dexProtoGetShorty(&meth->prototype);
2167    meth->accessFlags = pDexMethod->accessFlags;
2168    meth->clazz = clazz;
2169    meth->jniArgInfo = 0;
2170
2171    if (dvmCompareNameDescriptorAndMethod("finalize", "()V", meth) == 0) {
2172        /*
2173         * The Enum class declares a "final" finalize() method to
2174         * prevent subclasses from introducing a finalizer.  We don't
2175         * want to set the finalizable flag for Enum or its subclasses,
2176         * so we check for it here.
2177         *
2178         * We also want to avoid setting it on Object, but it's easier
2179         * to just strip that out later.
2180         */
2181        if (clazz->classLoader != NULL ||
2182            strcmp(clazz->descriptor, "Ljava/lang/Enum;") != 0)
2183        {
2184            SET_CLASS_FLAG(clazz, CLASS_ISFINALIZABLE);
2185        }
2186    }
2187
2188    pDexCode = dexGetCode(pDexFile, pDexMethod);
2189    if (pDexCode != NULL) {
2190        /* integer constants, copy over for faster access */
2191        meth->registersSize = pDexCode->registersSize;
2192        meth->insSize = pDexCode->insSize;
2193        meth->outsSize = pDexCode->outsSize;
2194
2195        /* pointer to code area */
2196        meth->insns = pDexCode->insns;
2197    } else {
2198        /*
2199         * We don't have a DexCode block, but we still want to know how
2200         * much space is needed for the arguments (so we don't have to
2201         * compute it later).  We also take this opportunity to compute
2202         * JNI argument info.
2203         *
2204         * We do this for abstract methods as well, because we want to
2205         * be able to substitute our exception-throwing "stub" in.
2206         */
2207        int argsSize = dvmComputeMethodArgsSize(meth);
2208        if (!dvmIsStaticMethod(meth))
2209            argsSize++;
2210        meth->registersSize = meth->insSize = argsSize;
2211        assert(meth->outsSize == 0);
2212        assert(meth->insns == NULL);
2213
2214        if (dvmIsNativeMethod(meth)) {    *****************
2215            meth->nativeFunc = dvmResolveNativeMethod;  *****************
2216            meth->jniArgInfo = computeJniArgInfo(&meth->prototype); *****************
2217        }
2218    }
2219 }

At run time,
/*
434 * Issue a method call with a variable number of arguments.  We process
435 * the contents of "args" by scanning the method signature.
436 *
437 * Pass in NULL for "obj" on calls to static methods.
438 *
439 * We don't need to take the class as an argument because, in Dalvik,
440 * we don't need to worry about static synchronized methods.
441 */
442 void dvmCallMethodV(Thread* self, const Method* method, Object* obj, @ dalvik/vm/interp/Stack.cpp
443    bool fromJni, JValue* pResult, va_list args)
444 {
445    const char* desc = &(method->shorty[1]); // [0] is the return type.
446    int verifyCount = 0;
447    ClassObject* clazz;
448    u4* ins;
449
450    clazz = callPrep(self, method, obj, false);
451    if (clazz == NULL)
452        return;
453
454    /* "ins" for new frame start at frame pointer plus locals */
455    ins = ((u4*)self->interpSave.curFrame) +
456           (method->registersSize - method->insSize);
457
458    //ALOGD("  FP is %p, INs live at >= %p", self->interpSave.curFrame, ins);
459
460    /* put "this" pointer into in0 if appropriate */
461    if (!dvmIsStaticMethod(method)) {
462 #ifdef WITH_EXTRA_OBJECT_VALIDATION
463        assert(obj != NULL && dvmIsHeapAddress(obj));
464 #endif
465        *ins++ = (u4) obj;
466        verifyCount++;
467    }
468
469    while (*desc != '\0') {
470        switch (*(desc++)) {
471            case 'D': case 'J': {
472                u8 val = va_arg(args, u8);
473                memcpy(ins, &val, 8);       // EABI prevents direct store
474                ins += 2;
475                verifyCount += 2;
476                break;
477            }
478            case 'F': {
479                /* floats were normalized to doubles; convert back */
480                float f = (float) va_arg(args, double);
481                *ins++ = dvmFloatToU4(f);
482                verifyCount++;
483                break;
484            }
485            case 'L': {     /* 'shorty' descr uses L for all refs, incl array */
486                void* arg = va_arg(args, void*);
487                assert(obj == NULL || dvmIsHeapAddress(obj));
488                jobject argObj = reinterpret_cast<jobject>(arg);
489                if (fromJni)
490                    *ins++ = (u4) dvmDecodeIndirectRef(self, argObj);
491                else
492                    *ins++ = (u4) argObj;
493                verifyCount++;
494                break;
495            }
496            default: {
497                /* Z B C S I -- all passed as 32-bit integers */
498                *ins++ = va_arg(args, u4);
499                verifyCount++;
500                break;
501            }
502        }
503    }
504
505 #ifndef NDEBUG
506    if (verifyCount != method->insSize) {
507        ALOGE("Got vfycount=%d insSize=%d for %s.%s", verifyCount,
508            method->insSize, clazz->descriptor, method->name);
509        assert(false);
510        goto bail;
511    }
512 #endif
513
514    //dvmDumpThreadStack(dvmThreadSelf());
515
516    if (dvmIsNativeMethod(method)) {      ***************
517        TRACE_METHOD_ENTER(self, method);
518        /*
519         * Because we leave no space for local variables, "curFrame" points
520         * directly at the method arguments.
521         */
522        (*method->nativeFunc)((u4*)self->interpSave.curFrame, pResult, ***************
523                              method, self);
524        TRACE_METHOD_EXIT(self, method);
525    } else {
526        dvmInterpret(self, method, pResult);     ***************
527    }
528
529 #ifndef NDEBUG
530 bail:
531 #endif
532    dvmPopFrame(self);
533 }


70 void dvmResolveNativeMethod(const u4* args, JValue* pResult,
71    const Method* method, Thread* self)
72 {
73    ClassObject* clazz = method->clazz;
74
75    /*
76     * If this is a static method, it could be called before the class
77     * has been initialized.
78     */
79    if (dvmIsStaticMethod(method)) {
80        if (!dvmIsClassInitialized(clazz) && !dvmInitClass(clazz)) {
81            assert(dvmCheckException(dvmThreadSelf()));
82            return;
83        }
84    } else {
85        assert(dvmIsClassInitialized(clazz) ||
86               dvmIsClassInitializing(clazz));
87    }
88
89    /* start with our internal-native methods */
90    DalvikNativeFunc infunc = dvmLookupInternalNativeMethod(method);
91    if (infunc != NULL) {
92        /* resolution always gets the same answer, so no race here */
93        IF_LOGVV() {
94            char* desc = dexProtoCopyMethodDescriptor(&method->prototype);
95            LOGVV("+++ resolved native %s.%s %s, invoking",
96                clazz->descriptor, method->name, desc);
97            free(desc);
98        }
99        if (dvmIsSynchronizedMethod(method)) {
100            ALOGE("ERROR: internal-native can't be declared 'synchronized'");
101            ALOGE("Failing on %s.%s", method->clazz->descriptor, method->name);
102            dvmAbort();     // harsh, but this is VM-internal problem
103        }
104        DalvikBridgeFunc dfunc = (DalvikBridgeFunc) infunc;
105        dvmSetNativeFunc((Method*) method, dfunc, NULL);   ********************
106        dfunc(args, pResult, method, self);
107        return;
108    }
109
110    /* now scan any DLLs we have loaded for JNI signatures */
111    void* func = lookupSharedLibMethod(method);
112    if (func != NULL) {
113        /* found it, point it at the JNI bridge and then call it */
114        dvmUseJNIBridge((Method*) method, func);    ********************
115        (*method->nativeFunc)(args, pResult, method, self);
116        return;
117    }
118
119    IF_ALOGW() {
120        char* desc = dexProtoCopyMethodDescriptor(&method->prototype);
121        ALOGW("No implementation found for native %s.%s:%s",
122            clazz->descriptor, method->name, desc);
123        free(desc);
124    }
125
126    dvmThrowUnsatisfiedLinkError("Native method not found", method);
127 }


827/*
828 * Point "method->nativeFunc" at the JNI bridge, and overload "method->insns"
829 * to point at the actual function.
830 */
831 void dvmUseJNIBridge(Method* method, void* func) {
832    method->shouldTrace = shouldTrace(method);
833
834    // Does the method take any reference arguments?
835    method->noRef = true;
836    const char* cp = method->shorty;
837    while (*++cp != '\0') { // Pre-increment to skip return type.
838        if (*cp == 'L') {
839            method->noRef = false;
840            break;
841        }
842    }
843
844    DalvikBridgeFunc bridge = gDvmJni.useCheckJni ? dvmCheckCallJNIMethod : dvmCallJNIMethod;
845    dvmSetNativeFunc(method, bridge, (const u2*) func);
846 }


/*
4532 * Replace method->nativeFunc and method->insns with new values.  This is
4533 * commonly performed after successful resolution of a native method.
4534 *
4535 * There are three basic states:
4536 *  (1) (initial) nativeFunc = dvmResolveNativeMethod, insns = NULL
4537 *  (2) (internal native) nativeFunc = <impl>, insns = NULL
4538 *  (3) (JNI) nativeFunc = JNI call bridge, insns = <impl>
4539 *
4540 * nativeFunc must never be NULL for a native method.
4541 *
4542 * The most common transitions are (1)->(2) and (1)->(3).  The former is
4543 * atomic, since only one field is updated; the latter is not, but since
4544 * dvmResolveNativeMethod ignores the "insns" field we just need to make
4545 * sure the update happens in the correct order.
4546 *
4547 * A transition from (2)->(1) would work fine, but (3)->(1) will not,
4548 * because both fields change.  If we did this while a thread was executing
4549 * in the call bridge, we could null out the "insns" field right before
4550 * the bridge tried to call through it.  So, once "insns" is set, we do
4551 * not allow it to be cleared.  A NULL value for the "insns" argument is
4552 * treated as "do not change existing value".
4553 */
4554 void dvmSetNativeFunc(Method* method, DalvikBridgeFunc func,
4555    const u2* insns)
4556 {
4557    ClassObject* clazz = method->clazz;
4558
4559    assert(func != NULL);
4560
4561    /* just open up both; easier that way */
4562    dvmLinearReadWrite(clazz->classLoader, clazz->virtualMethods);
4563    dvmLinearReadWrite(clazz->classLoader, clazz->directMethods);
4564
4565    if (insns != NULL) {
4566        /* update both, ensuring that "insns" is observed first */
4567        method->insns = insns;
4568        android_atomic_release_store((int32_t) func,
4569            (volatile int32_t*)(void*) &method->nativeFunc);
4570    } else {
4571        /* only update nativeFunc */
4572        method->nativeFunc = func;
4573    }
4574
4575    dvmLinearReadOnly(clazz->classLoader, clazz->virtualMethods);
4576    dvmLinearReadOnly(clazz->classLoader, clazz->directMethods);
4577}
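To make the ordering rule in the comment above concrete, here is an added example (not Dalvik code) that models the three states with C11 atomics: the writer stores insns before a release-store of nativeFunc, the reader acquire-loads nativeFunc before touching insns, and a NULL insns argument leaves the existing value in place, so the unsafe (3)->(1) transition cannot happen and the bridge is never left to call through a cleared pointer. NativeSlot, publish_native, classify_state, call_through, resolve_stub and jni_bridge are names invented for this example.

```c
/*
 * Added example (not Dalvik code): a minimal model of the nativeFunc/insns
 * publication rule described in the dvmSetNativeFunc comment.
 * All names here are hypothetical.
 */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef void (*BridgeFunc)(const uint16_t *insns);

/* The two fields a concurrent reader may observe at different moments. */
typedef struct {
    _Atomic(BridgeFunc) nativeFunc;   /* never NULL once initialised */
    const uint16_t     *insns;        /* NULL until a JNI impl is bound */
} NativeSlot;

/* Stand-ins for dvmResolveNativeMethod and the JNI call bridge. */
static void resolve_stub(const uint16_t *insns) { (void)insns; }
static void jni_bridge(const uint16_t *insns)   { (void)insns; }

/* State numbering follows the comment: 1 = initial, 2 = internal native,
 * 3 = JNI; 0 means an inconsistent pair that should never be observed. */
static int classify_state(NativeSlot *s)
{
    BridgeFunc f = atomic_load_explicit(&s->nativeFunc, memory_order_acquire);
    if (f == NULL)         return 0;
    if (f == jni_bridge)   return s->insns != NULL ? 3 : 0;
    if (f == resolve_stub) return 1;          /* insns is ignored in state 1 */
    return 2;
}

/* Mirrors dvmSetNativeFunc: write insns first, then release-store the
 * function pointer, so a reader that sees the bridge also sees insns.
 * NULL insns means "keep the existing value". */
static void publish_native(NativeSlot *s, BridgeFunc func, const uint16_t *insns)
{
    if (func == NULL) return;                 /* assert(func != NULL) */
    if (insns != NULL) {
        s->insns = insns;
        atomic_store_explicit(&s->nativeFunc, func, memory_order_release);
    } else {
        atomic_store_explicit(&s->nativeFunc, func, memory_order_relaxed);
    }
}

/* Reader side: acquire-load the function, then it is safe to read insns.
 * Returns 1 if the call went through, 0 if it would have called into the air. */
static int call_through(NativeSlot *s)
{
    BridgeFunc f = atomic_load_explicit(&s->nativeFunc, memory_order_acquire);
    if (f == NULL || (f == jni_bridge && s->insns == NULL)) return 0;
    f(s->insns);
    return 1;
}

/* Constructed placeholder for a code unit; the value is arbitrary. */
static const uint16_t sample_code[] = { 0x0000 };

/* Runs (1)->(3)->(1) and returns the observed states as three decimal
 * digits (131 if all is well), or -1 if insns was lost or a call was unsafe. */
static int run_scenario(void)
{
    NativeSlot slot = { resolve_stub, NULL };
    int a = classify_state(&slot);                 /* 1 */
    publish_native(&slot, jni_bridge, sample_code);
    int b = classify_state(&slot);                 /* 3 */
    if (!call_through(&slot)) return -1;
    publish_native(&slot, resolve_stub, NULL);     /* NULL insns: old value kept */
    int c = classify_state(&slot);                 /* 1 */
    if (slot.insns != sample_code) return -1;
    return a * 100 + b * 10 + c;
}

/* The torn pair the comment warns about: bridge installed, insns cleared. */
static int torn_state(void)
{
    NativeSlot slot = { jni_bridge, NULL };
    return classify_state(&slot) * 10 + call_through(&slot);   /* 0: refused */
}

int main(void)
{
    printf("scenario states: %d (expect 131)\n", run_scenario());
    printf("torn slot: %d (expect 0, i.e. state 0 and call refused)\n", torn_state());
    return 0;
}
```

The torn case is exactly the pattern behind the crash in Issue 1: a bridge or stub entered with a pointer that no longer points at code, so the fault address is whatever garbage the field held.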


/*
 * General form, handles all cases.
 */
void dvmCallJNIMethod(const u4* args, JValue* pResult, const Method* method, Thread* self) {
    u4* modArgs = (u4*) args;
    jclass staticMethodClass = NULL;

    u4 accessFlags = method->accessFlags;
    bool isSynchronized = (accessFlags & ACC_SYNCHRONIZED) != 0;

    //ALOGI("JNI calling %p (%s.%s:%s):", method->insns,
    //    method->clazz->descriptor, method->name, method->shorty);

    /*
     * Walk the argument list, creating local references for appropriate
     * arguments.
     */
    int idx = 0;
    Object* lockObj;
    if ((accessFlags & ACC_STATIC) != 0) {
        lockObj = (Object*) method->clazz;
        /* add the class object we pass in */
        staticMethodClass = (jclass) addLocalReference(self, (Object*) method->clazz);
    } else {
        lockObj = (Object*) args[0];
        /* add "this" */
        modArgs[idx++] = (u4) addLocalReference(self, (Object*) modArgs[0]);
    }

    if (!method->noRef) {
        const char* shorty = &method->shorty[1];        /* skip return type */
        while (*shorty != '\0') {
            switch (*shorty++) {
            case 'L':
                //ALOGI("  local %d: 0x%08x", idx, modArgs[idx]);
                if (modArgs[idx] != 0) {
                    modArgs[idx] = (u4) addLocalReference(self, (Object*) modArgs[idx]);
                }
                break;
            case 'D':
            case 'J':
                idx++;
                break;
            default:
                /* Z B C S I -- do nothing */
                break;
            }
            idx++;
        }
    }

    if (UNLIKELY(method->shouldTrace)) {
        logNativeMethodEntry(method, args);
    }
    if (UNLIKELY(isSynchronized)) {
        dvmLockObject(self, lockObj);
    }

    ThreadStatus oldStatus = dvmChangeStatus(self, THREAD_NATIVE);

    ANDROID_MEMBAR_FULL();      /* guarantee ordering on method->insns */
    assert(method->insns != NULL);

    JNIEnv* env = self->jniEnv;
    COMPUTE_STACK_SUM(self);
    dvmPlatformInvoke(env,
            (ClassObject*) staticMethodClass,
            method->jniArgInfo, method->insSize, modArgs, method->shorty,
            (void*) method->insns, pResult);
    CHECK_STACK_SUM(self);

    dvmChangeStatus(self, oldStatus);

    convertReferenceResult(env, pResult, method, self);

    if (UNLIKELY(isSynchronized)) {
        dvmUnlockObject(self, lockObj);
    }
    if (UNLIKELY(method->shouldTrace)) {
        logNativeMethodExit(method, self, *pResult);
    }
}
======================================================================================

*****************************************************************************************************************************************
Some further, loosely related notes on reflective invocation; in this case it is used to invoke 'main'.
We dig a bit deeper to get a view of how an activity is started, as seen via logcat.
libcore/luni/src/main/java/java/lang/reflect/Method.java:
    public Object invoke(Object receiver, Object... args)
            throws IllegalAccessException, IllegalArgumentException, InvocationTargetException {
        if (args == null) {
            args = EmptyArray.OBJECT;
        }
        return invokeNative(receiver, args, declaringClass, parameterTypes, returnType, slot, flag);
    }

/*
 * private Object invokeNative(Object obj, Object[] args, Class declaringClass,
 *   Class[] parameterTypes, Class returnType, int slot, boolean noAccessCheck)
 *
 * Invoke a static or virtual method via reflection.
 */
static void Dalvik_java_lang_reflect_Method_invokeNative(const u4* args,
    JValue* pResult)
{
    // ignore thisPtr in args[0]
    Object* methObj = (Object*) args[1];        // null for static methods
    ArrayObject* argList = (ArrayObject*) args[2];
    ClassObject* declaringClass = (ClassObject*) args[3];
    ArrayObject* params = (ArrayObject*) args[4];
    ClassObject* returnType = (ClassObject*) args[5];
    int slot = args[6];
    bool noAccessCheck = (args[7] != 0);
    const Method* meth;
    Object* result;

    /*
     * "If the underlying method is static, the class that declared the
     * method is initialized if it has not already been initialized."
     */
    meth = dvmSlotToMethod(declaringClass, slot);
    assert(meth != NULL);

    if (dvmIsStaticMethod(meth)) {
        if (!dvmIsClassInitialized(declaringClass)) {
            if (!dvmInitClass(declaringClass))
                goto init_failed;
        }
    } else {
        /* looks like interfaces need this too? */
        if (dvmIsInterfaceClass(declaringClass) &&
            !dvmIsClassInitialized(declaringClass))
        {
            if (!dvmInitClass(declaringClass))
                goto init_failed;
        }

        /* make sure the object is an instance of the expected class */
        if (!dvmVerifyObjectInClass(methObj, declaringClass)) {
            assert(dvmCheckException(dvmThreadSelf()));
            RETURN_VOID();
        }

        /* do the virtual table lookup for the method */
        meth = dvmGetVirtualizedMethod(methObj->clazz, meth);
        if (meth == NULL) {
            assert(dvmCheckException(dvmThreadSelf()));
            RETURN_VOID();
        }
    }

    /*
     * If the method has a return value, "result" will be an object or
     * a boxed primitive.
     */
    result = dvmInvokeMethod(methObj, meth, argList, params, returnType,
                noAccessCheck);

    RETURN_PTR(result);

init_failed:
    /*
     * If initialization failed, an exception will be raised.
     */
    ALOGD("Method.invoke() on bad class %s failed",
        declaringClass->descriptor);
    assert(dvmCheckException(dvmThreadSelf()));
    RETURN_VOID();
}

/*
 * Invoke a method, using the specified arguments and return type, through
 * one of the reflection interfaces.  Could be a virtual or direct method
 * (including constructors).  Used for reflection.
 *
 * Deals with boxing/unboxing primitives and performs widening conversions.
 *
 * "invokeObj" will be null for a static method.
 *
 * If the invocation returns with an exception raised, we have to wrap it.
 */
Object* dvmInvokeMethod(Object* obj, const Method* method,
    ArrayObject* argList, ArrayObject* params, ClassObject* returnType,
    bool noAccessCheck)
{
    ClassObject* clazz;
    Object* retObj = NULL;
    Thread* self = dvmThreadSelf();
    s4* ins;
    int verifyCount, argListLength;
    JValue retval;
    bool needPop = false;

    /* verify arg count */
    if (argList != NULL)
        argListLength = argList->length;
    else
        argListLength = 0;
    if (argListLength != (int) params->length) {
        dvmThrowExceptionFmt(gDvm.exIllegalArgumentException,
            "wrong number of arguments; expected %d, got %d",
            params->length, argListLength);
        return NULL;
    }

    clazz = callPrep(self, method, obj, !noAccessCheck);
    if (clazz == NULL)
        return NULL;
    needPop = true;

    /* "ins" for new frame start at frame pointer plus locals */
    ins = ((s4*)self->interpSave.curFrame) +
        (method->registersSize - method->insSize);
    verifyCount = 0;

    //ALOGD("  FP is %p, INs live at >= %p", self->interpSave.curFrame, ins);

    /* put "this" pointer into in0 if appropriate */
    if (!dvmIsStaticMethod(method)) {
        assert(obj != NULL);
        *ins++ = (s4) obj;
        verifyCount++;
    }

    /*
     * Copy the args onto the stack.  Primitive types are converted when
     * necessary, and object types are verified.
     */
    DataObject** args = (DataObject**)(void*)argList->contents;
    ClassObject** types = (ClassObject**)(void*)params->contents;
    for (int i = 0; i < argListLength; i++) {
        int width = dvmConvertArgument(*args++, *types++, ins);
        if (width < 0) {
            dvmPopFrame(self);      // throw wants to pull PC out of stack
            needPop = false;
            throwArgumentTypeMismatch(i, *(types-1), *(args-1));
            goto bail;
        }

        ins += width;
        verifyCount += width;
    }

#ifndef NDEBUG
    if (verifyCount != method->insSize) {
        ALOGE("Got vfycount=%d insSize=%d for %s.%s", verifyCount,
            method->insSize, clazz->descriptor, method->name);
        assert(false);
        goto bail;
    }
#endif

    if (dvmIsNativeMethod(method)) {      **********************
        TRACE_METHOD_ENTER(self, method);
        /*
         * Because we leave no space for local variables, "curFrame" points
         * directly at the method arguments.
         */
        (*method->nativeFunc)((u4*)self->interpSave.curFrame, &retval, **********************
                              method, self);
        TRACE_METHOD_EXIT(self, method);
    } else {
        dvmInterpret(self, method, &retval);     **********************
    }

    /*
     * Pop the frame immediately.  The "wrap" calls below can cause
     * allocations, and we don't want the GC to walk the now-dead frame.
     */
    dvmPopFrame(self);
    needPop = false;

    /*
     * If an exception is raised, wrap and replace.  This is necessary
     * because the invoked method could have thrown a checked exception
     * that the caller wasn't prepared for.
     *
     * We might be able to do this up in the interpreted code, but that will
     * leave us with a shortened stack trace in the top-level exception.
     */
    if (dvmCheckException(self)) {
        dvmWrapException("Ljava/lang/reflect/InvocationTargetException;");
    } else {
        /*
         * If this isn't a void method or constructor, convert the return type
         * to an appropriate object.
         *
         * We don't do this when an exception is raised because the value
         * in "retval" is undefined.
         */
        if (returnType != NULL) {
            retObj = (Object*)dvmBoxPrimitive(retval, returnType);
            dvmReleaseTrackedAlloc(retObj, NULL);
        }
    }

bail:
    if (needPop) {
        dvmPopFrame(self);
    }
    return retObj;
}

Why is it 'main'? Look at the call stage in Dalvik_java_lang_reflect_Method_invokeNative.
(gdb) disass Dalvik_java_lang_reflect_Method_invokeNative
Dump of assembler code for function Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*):
   0x40cd2866 <+0>: stmdb sp!, {r0, r1, r2, r4, r5, r6, r7, r8, r9, r10, r11, lr}
   0x40cd286a <+4>: mov r2, r0
   0x40cd286c <+6>: ldr r6, [r0, #12]
   0x40cd286e <+8>: mov r4, r1
   0x40cd2870 <+10>: ldr.w r8, [r0, #4]
   0x40cd2874 <+14>: ldr.w r9, [r0, #8]
   0x40cd2878 <+18>: ldr r5, [r0, #16]
   0x40cd287a <+20>: ldr.w r11, [r0, #20]
   0x40cd287e <+24>: ldr.w r10, [r0, #28]
   0x40cd2882 <+28>: mov r0, r6
   0x40cd2884 <+30>: ldr r1, [r2, #24]
   0x40cd2886 <+32>: bl 0x40cd897c <dvmSlotToMethod(ClassObject*, int)>
   0x40cd288a <+36>: ldr r3, [r0, #4]
   0x40cd288c <+38>: mov r7, r0
   0x40cd288e <+40>: lsls r2, r3, #28
   0x40cd2890 <+42>: bpl.n 0x40cd28a2 <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+60>
   0x40cd2892 <+44>: ldr r0, [r6, #44] ; 0x2c
   0x40cd2894 <+46>: cmp r0, #7
   0x40cd2896 <+48>: beq.n 0x40cd28ce <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+104>
   0x40cd2898 <+50>: mov r0, r6
   0x40cd289a <+52>: bl 0x40cd562c <dvmInitClass(ClassObject*)>
   0x40cd289e <+56>: cbnz r0, 0x40cd28ce <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+104>
   0x40cd28a0 <+58>: b.n 0x40cd28ea <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+132>
   0x40cd28a2 <+60>: ldr r1, [r6, #32]
   0x40cd28a4 <+62>: lsls r3, r1, #22
   0x40cd28a6 <+64>: bpl.n 0x40cd28b6 <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+80>
   0x40cd28a8 <+66>: ldr r3, [r6, #44] ; 0x2c
   0x40cd28aa <+68>: cmp r3, #7
   0x40cd28ac <+70>: beq.n 0x40cd28b6 <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+80>
   0x40cd28ae <+72>: mov r0, r6
   0x40cd28b0 <+74>: bl 0x40cd562c <dvmInitClass(ClassObject*)>
   0x40cd28b4 <+78>: cbz r0, 0x40cd28ea <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+132>
   0x40cd28b6 <+80>: mov r0, r8
   0x40cd28b8 <+82>: mov r1, r6
   0x40cd28ba <+84>: bl 0x40ccfb38 <dvmVerifyObjectInClass(Object*, ClassObject*)>
   0x40cd28be <+88>: cbz r0, 0x40cd28ea <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+132>
   0x40cd28c0 <+90>: mov r1, r7
   0x40cd28c2 <+92>: ldr.w r0, [r8]
   0x40cd28c6 <+96>: bl 0x40cd5f44 <dvmGetVirtualizedMethod(ClassObject const*, Method const*)>
   0x40cd28ca <+100>: mov r7, r0
   0x40cd28cc <+102>: cbz r0, 0x40cd28ea <Dalvik_java_lang_reflect_Method_invokeNative(u4 const*, JValue*)+132>
   0x40cd28ce <+104>: adds.w r2, r10, #0
   0x40cd28d2 <+108>: mov r0, r8
   0x40cd28d4 <+110>: mov r1, r7
   0x40cd28d6 <+112>: mov r3, r5
   0x40cd28d8 <+114>: it ne
   0x40cd28da <+116>: movne r2, #1
   0x40cd28dc <+118>: str r2, [sp, #4]
   0x40cd28de <+120>: mov r2, r9
   0x40cd28e0 <+122>: str.w r11, [sp]
   0x40cd28e4 <+126>: bl 0x40ccb7c8 <dvmInvokeMethod(Object*, Method const*, ArrayObject*, ArrayObject*, ClassObject*, bool)>
=> 0x40cd28e8 <+130>: str r0, [r4, #0]
   0x40cd28ea <+132>: ldmia.w sp!, {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, pc}

and the corresponding source code:
/*
 * private Object invokeNative(Object obj, Object[] args, Class declaringClass,
 *   Class[] parameterTypes, Class returnType, int slot, boolean noAccessCheck)
 *
 * Invoke a static or virtual method via reflection.
 */
static void Dalvik_java_lang_reflect_Method_invokeNative(const u4* args,
    JValue* pResult)
{
    // ignore thisPtr in args[0]
    Object* methObj = (Object*) args[1];        // null for static methods
    ArrayObject* argList = (ArrayObject*) args[2];
    ClassObject* declaringClass = (ClassObject*) args[3];
    ArrayObject* params = (ArrayObject*) args[4];
    ClassObject* returnType = (ClassObject*) args[5];
    int slot = args[6];
    bool noAccessCheck = (args[7] != 0);
    const Method* meth;
    Object* result;

    /*
     * "If the underlying method is static, the class that declared the
     * method is initialized if it has not already been initialized."
     */
    meth = dvmSlotToMethod(declaringClass, slot);
    assert(meth != NULL);

    if (dvmIsStaticMethod(meth)) {
        if (!dvmIsClassInitialized(declaringClass)) {
            if (!dvmInitClass(declaringClass))
                goto init_failed;
        }
    } else {
        /* looks like interfaces need this too? */
        if (dvmIsInterfaceClass(declaringClass) &&
            !dvmIsClassInitialized(declaringClass))
        {
            if (!dvmInitClass(declaringClass))
                goto init_failed;
        }

        /* make sure the object is an instance of the expected class */
        if (!dvmVerifyObjectInClass(methObj, declaringClass)) {
            assert(dvmCheckException(dvmThreadSelf()));
            RETURN_VOID();
        }

        /* do the virtual table lookup for the method */
        meth = dvmGetVirtualizedMethod(methObj->clazz, meth);
        if (meth == NULL) {
            assert(dvmCheckException(dvmThreadSelf()));
            RETURN_VOID();
        }
    }

    /*
     * If the method has a return value, "result" will be an object or
     * a boxed primitive.
     */
    result = dvmInvokeMethod(methObj, meth, argList, params, returnType,
                noAccessCheck);

    RETURN_PTR(result);

init_failed:
    /*
     * If initialization failed, an exception will be raised.
     */
    ALOGD("Method.invoke() on bad class %s failed",
        declaringClass->descriptor);
    assert(dvmCheckException(dvmThreadSelf()));
    RETURN_VOID();
}

Although the meth argument passed to dvmInvokeMethod is optimized out, it can still be seen in register r7 or r1 just before the call.
Using the values of r7 and r1, try to dump the Method contents.
Judging by the name and shorty fields, r7 is probably the correct Method pointer, while r1 has probably been corrupted.
(gdb) print *(Method*)0x40e1cc38  ---- r1
$9 = {clazz = 0x40d10d34 <gNativeInterface>, accessFlags = 0, methodIndex = 1, registersSize = 0, outsSize = 12304, insSize = 16397, name = 0x0, prototype = {
    dexFile = 0x5c46cc80, protoIdx = 0}, shorty = 0x12b "", insns = 0x7379732f, jniArgInfo = 795698548, nativeFunc = 0x6d617266, fastJni = 101, noRef = 119, shouldTrace = 111,
  registerMap = 0x6f632f6b, inProfile = 114}

(gdb) print *(Method*)0x570782b8   ---- r7
$10 = {clazz = 0x40e77390, accessFlags = 9, methodIndex = 0, registersSize = 4, outsSize = 2, insSize = 1,name = 0x58ceaed3 "main",prototype = {dexFile = 0x400d3f78,
    protoIdx = 10543}, shorty = 0x58c5520c "VL", insns = 0x58736098, jniArgInfo = 0, nativeFunc = 0x0, fastJni = false, noRef = false, shouldTrace = false, registerMap = 0x0,
  inProfile = false}
(gdb) print *(ClassObject*)0x40e77390  ---- obj->clazz
$15 = {<Object> = {clazz = 0x40e1d1e8, lock = 0}, instanceData = {0, 0, 0, 0}, descriptor = 0x58bc0812 "Landroid/app/ActivityThread;", descriptorAlloc = 0x0,
  accessFlags = 196625, serialNumber = 1342177820, pDvmDex = 0x5128a000, status = CLASS_INITIALIZED, verifyErrorClass = 0x0, initThreadId = 1, objectSize = 180,
  elementClass = 0x0, arrayDim = 0, primitiveType = PRIM_NOT, super = 0x40e1d890, classLoader = 0x0, initiatingLoaderList = {initiatingLoaders = 0x0, initiatingLoaderCount = 0},
  interfaceCount = 0, interfaces = 0x0, directMethodCount = 83, directMethods = 0x57077330, virtualMethodCount = 59, virtualMethods = 0x57078560, vtableCount = 70,
  vtable = 0x57079250, iftableCount = 0, iftable = 0x0, ifviPoolCount = 0, ifviPool = 0x0, ifieldCount = 43, ifieldRefCount = 37, ifields = 0x57076fd0, refOffsets = 3,
  sourceFile = 0x58b79596 "ActivityThread.java", sfieldCount = 21, sfields = 0x40e77430}
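A small plausibility checker for gdb Method dumps like the two above, added here as an example (not Dalvik code). It applies the shorty walk from dvmCallJNIMethod to count the expected argument slots and compares the result with insSize, then checks the remaining fields for values a real Method cannot hold (bools outside 0/1, insSize larger than registersSize, an odd bytecode pointer), and finally decodes pointer-sized fields as little-endian ASCII to see whether they have been overwritten with text. The two records are constructed from the r1 and r7 dumps printed above; MethodDump, count_arg_slots, method_looks_sane, decode_le_ascii and word_decodes_to are names made up for this example, and the struct mirrors the fields gdb printed, not the real Method layout.

```c
/*
 * Added example (not Dalvik code): sanity-check Method values copied out
 * of gdb dumps. MethodDump and all function names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACC_STATIC 0x0008u      /* standard Dalvik/dex access flag */

typedef struct {
    uint32_t    accessFlags;
    uint16_t    registersSize, insSize;
    const char *name;           /* 0x0 in the r1 dump */
    const char *shorty;         /* return type first, then args, e.g. "VL" */
    uint32_t    insns;          /* raw 32-bit pointer values as printed by gdb */
    uint32_t    nativeFunc;
    uint8_t     fastJni, noRef, shouldTrace, inProfile;  /* C++ bools: only 0/1 is legal */
} MethodDump;

/* Argument registers implied by a shorty, walked the way dvmCallJNIMethod
 * does it: J and D take two slots, Z B C S I F L take one, plus one for
 * "this" on instance methods. Returns -1 for a malformed shorty. */
static int count_arg_slots(const char *shorty, bool is_static)
{
    if (shorty == NULL || shorty[0] == '\0' || strchr("VZBCSIJFDL", shorty[0]) == NULL)
        return -1;
    int slots = is_static ? 0 : 1;
    for (const char *p = shorty + 1; *p != '\0'; p++) {   /* skip return type */
        switch (*p) {
        case 'J': case 'D': slots += 2; break;
        case 'Z': case 'B': case 'C': case 'S': case 'I': case 'F': case 'L': slots += 1; break;
        default: return -1;
        }
    }
    return slots;
}

/* True when every field holds a value a live Method could actually have. */
static bool method_looks_sane(const MethodDump *m)
{
    bool is_static = (m->accessFlags & ACC_STATIC) != 0;
    if (m->name == NULL || m->name[0] == '\0') return false;
    int slots = count_arg_slots(m->shorty, is_static);
    if (slots < 0 || slots != m->insSize) return false;
    if (m->insSize > m->registersSize) return false;       /* ins live inside the frame */
    if (m->nativeFunc == 0 && (m->insns & 1u) != 0) return false;  /* u2 code units are 2-byte aligned */
    if (m->fastJni > 1 || m->noRef > 1 || m->shouldTrace > 1 || m->inProfile > 1) return false;
    return true;
}

/* Reads a word as four little-endian bytes; true (and out filled) only if
 * all four are printable ASCII, a hint that a pointer field holds text. */
static bool decode_le_ascii(uint32_t w, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(w >> (8 * i));
        if (c < 0x20 || c > 0x7e) { out[0] = '\0'; return false; }
        out[i] = (char)c;
    }
    out[4] = '\0';
    return true;
}

static bool word_decodes_to(uint32_t w, const char *expected)
{
    char buf[5];
    return decode_le_ascii(w, buf) && strcmp(buf, expected) == 0;
}

/* Constructed from the two gdb dumps above (values copied, layout assumed). */
static const MethodDump r1_dump = { 0, 0, 16397, NULL, "", 0x7379732f, 0x6d617266, 101, 119, 111, 114 };
static const MethodDump r7_dump = { 9, 4, 1, "main", "VL", 0x58736098, 0, 0, 0, 0, 0 };

int main(void)
{
    const MethodDump *dumps[2] = { &r1_dump, &r7_dump };
    const char *labels[2] = { "r1", "r7" };
    for (int i = 0; i < 2; i++) {
        char a[5], b[5];
        printf("%s: %s\n", labels[i],
               method_looks_sane(dumps[i]) ? "plausible Method" : "NOT a plausible Method");
        if (decode_le_ascii(dumps[i]->insns, a) && decode_le_ascii(dumps[i]->nativeFunc, b))
            printf("  insns/nativeFunc read as text: \"%s\" \"%s\"\n", a, b);
    }
    return 0;
}
```

For the r7 record the shorty "VL" on a static method gives exactly one argument slot, matching insSize = 1, and every other field is in range. For the r1 record the name is NULL, the shorty is empty, the bool fields hold 101, 119, 111 and 114, and insns and nativeFunc decode to the text "/sys" and "fram", which is consistent with the register holding stale or overwritten data rather than a Method.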

Frame #9 is "main" of ZygoteInit.
(gdb) up
#9  0x40ccb698 in dvmCallMethodV (self=0x400d3010, method=0x5705cb88, obj=<optimized out>, fromJni=<optimized out>, pResult=0xbeb30aa8, args=...)
    at dalvik/vm/interp/Stack.cpp:526
526 dalvik/vm/interp/Stack.cpp: No such file or directory.
(gdb) print method
$11 = (const Method *) 0x5705cb88
(gdb) print *method
$12 = {clazz = 0x40e6ce48, accessFlags = 9, methodIndex = 0, registersSize = 6, outsSize = 3, insSize = 1,name = 0x58ceaed3 "main", prototype = {dexFile = 0x400d3f78,
    protoIdx = 10543}, shorty = 0x58c5520c "VL", insns = 0x58a59484, jniArgInfo = 0, nativeFunc = 0x0, fastJni = false, noRef = false, shouldTrace = false, registerMap = 0x0,
  inProfile = false}
(gdb) disass 0x58a59484
No function contains specified address.
(gdb) print *(ClassObject*)0x40e6ce48 ---- obj->clazz
$13 = {<Object> = {clazz = 0x40e1d1e8, lock = 0}, instanceData = {0, 0, 0, 0}, descriptor = 0x58bf0c5a "Lcom/android/internal/os/ZygoteInit;", descriptorAlloc = 0x0,
  accessFlags = 196609, serialNumber = 1342177773, pDvmDex = 0x5128a000, status = CLASS_INITIALIZED, verifyErrorClass = 0x0, initThreadId = 1, objectSize = 8,
  elementClass = 0x0, arrayDim = 0, primitiveType = PRIM_NOT, super = 0x40e1d890, classLoader = 0x0, initiatingLoaderList = {initiatingLoaders = 0x0, initiatingLoaderCount = 0},
  interfaceCount = 0, interfaces = 0x0, directMethodCount = 29, directMethods = 0x5705c958, virtualMethodCount = 0, virtualMethods = 0x0, vtableCount = 11, vtable = 0x5705cfb8,
  iftableCount = 0, iftable = 0x0, ifviPoolCount = 0, ifviPool = 0x0, ifieldCount = 0, ifieldRefCount = 0, ifields = 0x0, refOffsets = 0,
  sourceFile = 0x58c5e5af "ZygoteInit.java", sfieldCount = 17, sfields = 0x40e6cee8}
(gdb)
===============================================================================================


Issue 4: A crazy SIGILL:ILL_ILLOPC issue
[Symptom]
Crash info from Logcat:
10-23 18:09:17.317 15177 15204 F libc    : Fatal signal 4 (SIGILL) at 0x4058edd4 (code=1), thread 15204 (pool-1-thread-1)
10-23 18:09:17.317 15259 15289 F libc    : Fatal signal 4 (SIGILL) at 0x4058edd4 (code=1), thread 15289 (picasa-uploads-)
10-23 18:09:17.417   148   148 I DEBUG   : pid: 15177, tid: 15204, name: pool-1-thread-1  >>> com.xxxxxxxxxxxx.metadatacleanup <<<
10-23 18:09:17.417   148   148 I DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 4058edd4
10-23 18:09:17.627   148   148 I DEBUG   :     r0 4000fdd8  r1 f0000001  r2 5d988638  r3 00000000
10-23 18:09:17.627   148   148 I DEBUG   :     r4 5ecbfc4c  r5 4000fdd0  r6 a8700005  r7 5d0c6f78
10-23 18:09:17.627   148   148 I DEBUG   :     r8 4000fdd8  r9 5d988638  sl a8700005  fp 5ecbfc94
10-23 18:09:17.627   148   148 I DEBUG   :     ip 00000001  sp 5ecbfc28  lr 4059ada9  pc 4058edd4  cpsr 20000010
10-23 18:09:17.627   148   148 I DEBUG   :     d0  00720064006e0061  d1  002e00640069006f
10-23 18:09:17.627   148   148 I DEBUG   :     d2  002e007000700061  d3  0074006300410049
10-23 18:09:17.627   148   148 I DEBUG   :     d4  0000000b00000001  d5  0000000000000001
10-23 18:09:17.627   148   148 I DEBUG   :     d6  000000030000002c  d7  0000000100000010
10-23 18:09:17.627   148   148 I DEBUG   :     d8  0000000000000000  d9  0000000000000000
10-23 18:09:17.627   148   148 I DEBUG   :     d10 0000000000000000  d11 0000000000000000
10-23 18:09:17.627   148   148 I DEBUG   :     d12 0000000000000000  d13 0000000000000000
10-23 18:09:17.627   148   148 I DEBUG   :     d14 0000000000000000  d15 0000000000000000
10-23 18:09:17.627   148   148 I DEBUG   :     d16 0074006900760069  d17 006e0061004d0079
10-23 18:09:17.627   148   148 I DEBUG   :     d18 0073007300630069  d19 006d002e006e006f
10-23 18:09:17.627   148   148 I DEBUG   :     d20 0061006900640065  d21 0072007400780065
10-23 18:09:17.627   148   148 I DEBUG   :     d22 00720070002e0061  d23 006400690076006f
10-23 18:09:17.627   148   148 I DEBUG   :     d24 3fede16b9c24a98f  d25 3fe55559ee5e69f9
10-23 18:09:17.627   148   148 I DEBUG   :     d26 0000000000000000  d27 0000000000000000
10-23 18:09:17.627   148   148 I DEBUG   :     d28 0000000000000005  d29 0000000000000000
10-23 18:09:17.627   148   148 I DEBUG   :     d30 0000000000000000  d31 0000000000000000
10-23 18:09:17.627   148   148 I DEBUG   :     scr 60000010
10-23 18:09:17.627   148   148 I DEBUG   :
10-23 18:09:17.627   148   148 I DEBUG   : backtrace:
10-23 18:09:17.627   148   148 I DEBUG   :     #00  pc 00059dd4  /system/lib/libandroid_runtime.so (android::NativeInputEventReceiver::consumeEvents(_JNIEnv*, bool, long long)+363)
10-23 18:09:17.627   148   148 I DEBUG   :     #01  pc 00014c00  <unknown>
10-23 18:09:17.627   148   148 I DEBUG   :
10-23 18:09:17.627   148   148 I DEBUG   : stack:
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfbe8  00000004 
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfbec  4051fc7f  /system/lib/libbinder.so (android::Parcel::continueWrite(unsigned int)+310)
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfbf0  00000000 
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfbf4  402d3ff1  /system/lib/libc.so (malloc+12)
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfbf8  00000000 
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfbfc  4051fca7  /system/lib/libbinder.so (android::Parcel::continueWrite(unsigned int)+350)
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfc00  5ecbfc2c  [stack:15204]
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfc04  56ce0f70  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-23 18:09:17.627   148   148 I DEBUG   :          5ecbfc08  a8700005 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc0c  a8700005 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc10  a8700005 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc14  5ecbfc4c  [stack:15204]
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc18  5ecbfc4c  [stack:15204]
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc1c  4000fdd0 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc20  df0027ad 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc24  00000000 
10-23 18:09:17.637   148   148 I DEBUG   :     #00  5ecbfc28  5ecbfc6c  [stack:15204]
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc2c  405e91c8 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc30  a8700005 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc34  5d0c6f78 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc38  5ecbfc80  [stack:15204]
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc3c  5a54bc04 
10-23 18:09:17.637   148   148 I DEBUG   :     #01  5ecbfc40  5d25ec38 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc44  4059bc7d  /system/lib/libandroid_runtime.so (android::ibinderForJavaObject(_JNIEnv*, _jobject*)+60)
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc48  5ecbfc6c  [stack:15204]
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc4c  5d988638 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc50  5d0c6f78 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc54  5cba2e40 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc58  3a600001 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc5c  5a54bc0c 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc60  5ecbfc80  [stack:15204]
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc64  405948cb  /system/lib/libandroid_runtime.so
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc68  5d0c6f78 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc6c  3a600001 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc70  56ce6150  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc74  5d25ec28 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc78  00000000 
10-23 18:09:17.637   148   148 I DEBUG   :          5ecbfc7c  409c7334  /system/lib/libdvm.so (dvmPlatformInvoke+116)
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r0:
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdb8 00000000 5d00af78 00000000 00000000  ....x..]........
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdc8 0000395c 0000001b 405df688 5d00afa0  \9........]@...]
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdd8 00000001 5d988638 5d988658 0000006b  ....8..]X..]k...
10-23 18:09:17.637   148   148 I DEBUG   :     4000fde8 005b005b 005a003a 003a006c 005b005d  [.[.:.Z.l.:.].[.
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdf8 005a003a 003a0070 005b005d 0043003a  :.Z.p.:.].[.:.C.
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r2:
10-23 18:09:17.637   148   148 I DEBUG   :     5d988618 00000000 00000000 00000000 00000000  ................
10-23 18:09:17.637   148   148 I DEBUG   :     5d988628 00000000 00000000 00000006 00000023  ............#...
10-23 18:09:17.637   148   148 I DEBUG   :     5d988638 405df604 00000000 006e0061 401c1c90  ..]@....a.n....@
10-23 18:09:17.637   148   148 I DEBUG   :     5d988648 1d2001c6 405df664 5d988658 0000001b  .. .d.]@X..]....
10-23 18:09:17.637   148   148 I DEBUG   :     5d988658 00000002 00000004 5d98864c 00000000  ........L..]....
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r4:
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc2c 405e91c8 a8700005 5d0c6f78 5ecbfc80  ..^@..p.xo.]...^
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc3c 5a54bc04 5d25ec38 4059bc7d 5ecbfc6c  ..TZ8.%]}.Y@l..^
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc4c 5d988638 5d0c6f78 5cba2e40 3a600001  8..]xo.]@..\..`:
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc5c 5a54bc0c 5ecbfc80 405948cb 5d0c6f78  ..TZ...^.HY@xo.]
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc6c 3a600001 56ce6150 5d25ec28 00000000  ..`:Pa.V(.%]....
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r5:
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdb0 4145b988 00000000 00000000 5d00af78  ..EA........x..]
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdc0 00000000 00000000 0000395c 0000001b  ........\9......
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdd0 405df688 5d00afa0 00000001 5d988638  ..]@...]....8..]
10-23 18:09:17.637   148   148 I DEBUG   :     4000fde0 5d988658 0000006b 005b005b 005a003a  X..]k...[.[.:.Z.
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdf0 003a006c 005b005d 005a003a 003a0070  l.:.].[.:.Z.p.:.
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r6:
10-23 18:09:17.637   148   148 I DEBUG   :     a86fffe4 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a86ffff4 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a8700004 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a8700014 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a8700024 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r7:
10-23 18:09:17.637   148   148 I DEBUG   :     5d0c6f58 006e0061 00720064 0069006f 002e0064  a.n.d.r.o.i.d...
10-23 18:09:17.637   148   148 I DEBUG   :     5d0c6f68 006f0063 0074006e 006e0065 00000023  c.o.n.t.e.n.#...
10-23 18:09:17.637   148   148 I DEBUG   :     5d0c6f78 40a4cd34 00000000 0000000b 5d25ec28  4..@........(.%]
10-23 18:09:17.637   148   148 I DEBUG   :     5d0c6f88 00000000 00000000 5d988670 0000001b  ........p..]....
10-23 18:09:17.637   148   148 I DEBUG   :     5d0c6f98 405df688 5d0c6fb0 00000000 5cc90308  ..]@.o.].......\
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r8:
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdb8 00000000 5d00af78 00000000 00000000  ....x..]........
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdc8 0000395c 0000001b 405df688 5d00afa0  \9........]@...]
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdd8 00000001 5d988638 5d988658 0000006b  ....8..]X..]k...
10-23 18:09:17.637   148   148 I DEBUG   :     4000fde8 005b005b 005a003a 003a006c 005b005d  [.[.:.Z.l.:.].[.
10-23 18:09:17.637   148   148 I DEBUG   :     4000fdf8 005a003a 003a0070 005b005d 0043003a  :.Z.p.:.].[.:.C.
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near r9:
10-23 18:09:17.637   148   148 I DEBUG   :     5d988618 00000000 00000000 00000000 00000000  ................
10-23 18:09:17.637   148   148 I DEBUG   :     5d988628 00000000 00000000 00000006 00000023  ............#...
10-23 18:09:17.637   148   148 I DEBUG   :     5d988638 405df604 00000000 006e0061 401c1c90  ..]@....a.n....@
10-23 18:09:17.637   148   148 I DEBUG   :     5d988648 1d2001c6 405df664 5d988658 0000001b  .. .d.]@X..]....
10-23 18:09:17.637   148   148 I DEBUG   :     5d988658 00000002 00000004 5d98864c 00000000  ........L..]....
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near sl:
10-23 18:09:17.637   148   148 I DEBUG   :     a86fffe4 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a86ffff4 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a8700004 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a8700014 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :     a8700024 ffffffff ffffffff ffffffff ffffffff  ................
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near fp:
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc74 5d25ec28 00000000 409c7334 5a54bc04  (.%]....4s.@..TZ
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc84 00000001 40c15b78 58918d37 0000000f  ....x[.@7..X....
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc94 409f607d 5a54bc04 58918d34 405948b7  }`.@..TZ4..X.HY@
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfca4 5d25ec38 3a600001 00000000 00000000  8.%]..`:........
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfcb4 4030da6c 00000002 5d25ec28 ffffbfff  l.0@....(.%]....
10-23 18:09:17.637   148   148 I DEBUG   :
10-23 18:09:17.637   148   148 I DEBUG   : memory near sp:
10-23 18:09:17.637   148   148 I DEBUG   :     5ecbfc08 a8700005 a8700005 a8700005 5ecbfc4c  ..p...p...p.L..^
10-23 18:09:17.647   148   148 I DEBUG   :     5ecbfc18 5ecbfc4c 4000fdd0 df0027ad 00000000  L..^...@.'......
10-23 18:09:17.647   148   148 I DEBUG   :     5ecbfc28 5ecbfc6c 405e91c8 a8700005 5d0c6f78  l..^..^@..p.xo.]
10-23 18:09:17.647   148   148 I DEBUG   :     5ecbfc38 5ecbfc80 5a54bc04 5d25ec38 4059bc7d  ...^..TZ8.%]}.Y@
10-23 18:09:17.647   148   148 I DEBUG   :     5ecbfc48 5ecbfc6c 5d988638 5d0c6f78 5cba2e40  l..^8..]xo.]@..\
10-23 18:09:17.647   148   148 I DEBUG   :
10-23 18:09:17.647   148   148 I DEBUG   : code around pc:
10-23 18:09:17.647   148   148 I DEBUG   :     4058edb4 0003d1f3 0003d1a5 0005a0d6 0003d21b  ................
10-23 18:09:17.647   148   148 I DEBUG   :     4058edc4 0003d22c 0003d203 00039236 0003d1e2  ,.......6.......
10-23 18:09:17.647   148   148 I DEBUG   :     4058edd4 4605b537 0008f100 e846f7e0 b1584604  7..F......F..FX.
10-23 18:09:17.647   148   148 I DEBUG   :     4058ede4 f7ff4628 4905ff2b 44794a05 447a9400  (F..+..I.JyD..zD
10-23 18:09:17.647   148   148 I DEBUG   :     4058edf4 20054603 ecf0f7df bd3e4620 0003d12d  .F. .... F>.-...
10-23 18:09:17.647   148   148 I DEBUG   :
10-23 18:09:17.647   148   148 I DEBUG   : code around lr:
10-23 18:09:17.647   148   148 I DEBUG   :     4059ad88 68ebee6a 9000f8d4 b11b4606 46396928  j..h.....F..(i9F
10-23 18:09:17.647   148   148 I DEBUG   :     4059ad98 ee00f7d5 900cf8c5 4640612e e80ef7d4  .........a@F....
10-23 18:09:17.647   148   148 I DEBUG   :     4059ada8 e8bd4620 68ea87f0 e7926022 00045864   F.....h"`..dX..
10-23 18:09:17.647   148   148 I DEBUG   :     4059adb8 00045854 0004e4a8 0004e48a 0004e476  TX..........v...
10-23 18:09:17.647   148   148 I DEBUG   :     4059adc8 4605b5f8 2b006883 6840d047 fb68f7ff  ...F.h.+G.@h..h.
10-23 18:09:17.647   148   148 I DEBUG   :
10-23 18:09:17.647   148   148 I DEBUG   : memory map around fault addr 4058edd4:
10-23 18:09:17.647   148   148 I DEBUG   :     4052a000-40535000
10-23 18:09:17.647   148   148 I DEBUG   :     40535000-405de000 /system/lib/libandroid_runtime.so
10-23 18:09:17.647   148   148 I DEBUG   :     405de000-405e2000 /system/lib/libandroid_runtime.so

[Analysis]
From the log lines, an illegal instruction was fetched and executed, which resulted in SIGILL:ILL_ILLOPC.
The backtrace does not look like a trustworthy backtrace: only the leaf frame resolves to a symbol.

The translated call stack:
10-23 18:09:17.627   148   148 I DEBUG   :     #00  pc 00059dd4  /system/lib/libandroid_runtime.so
android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool)
/LINUX/android/frameworks/base/core/jni/android_view_InputEventReceiver.cpp:106
10-23 18:09:17.627   148   148 I DEBUG   :     #01  pc 00014c00  <unknown>

The method NativeInputEventReceiver::finishInputEvent() source code:
106status_t NativeInputEventReceiver::finishInputEvent(uint32_t seq, bool handled) {
107#if DEBUG_DISPATCH_CYCLE
108    ALOGD("channel '%s' ~ Finished input event.", getInputChannelName());
109#endif
110
111    status_t status = mInputConsumer.sendFinishedSignal(seq, handled);
112    if (status) {
113        ALOGW("Failed to send finished signal on channel '%s'.  status=%d",
114                getInputChannelName(), status);
115    }
116    return status;
117}
Line 106 is only the method entry, so the crash happened in the function prologue, before any of the method body ran.

Disassemble the code at address 0x00059dd4 (and the few bytes after it): a normal push instruction, the expected function prologue, is found there.
(gdb) disass 0x00059dd4
Dump of assembler code for function android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool):
   0x00059dd4 <+0>: push {r0, r1, r2, r4, r5, lr}
   0x00059dd6 <+2>: mov r5, r0
   0x00059dd8 <+4>: add.w r0, r0, #8
   0x00059ddc <+8>: blx 0x39e6c
   0x00059de0 <+12>: mov r4, r0
   0x00059de2 <+14>: cbz r0, 0x59dfc <android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool)+40>
   0x00059de4 <+16>: mov r0, r5
   0x00059de6 <+18>: bl 0x59c40 <android::NativeInputEventReceiver::getInputChannelName()>
   0x00059dea <+22>: ldr r1, [pc, #20] ; (0x59e00 <android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool)+44>)
   0x00059dec <+24>: ldr r2, [pc, #20] ; (0x59e04 <android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool)+48>)
   0x00059dee <+26>: add r1, pc
   0x00059df0 <+28>: str r4, [sp, #0]
   0x00059df2 <+30>: add r2, pc
   0x00059df4 <+32>: mov r3, r0
   0x00059df6 <+34>: movs r0, #5
   0x00059df8 <+36>: blx 0x397dc
   0x00059dfc <+40>: mov r0, r4
   0x00059dfe <+42>: pop {r1, r2, r3, r4, r5, pc}
   0x00059e00 <+44>: andeq sp, r3, sp, lsr #2
   0x00059e04 <+48>: andeq r9, r3, r1, lsl r0
End of assembler dump.
But we cannot be sure that the instruction actually present in memory on the device was this valid instruction, because we don't have the ramdump!

Use the code logged near $pc to verify whether memory was corrupted.
Because the .text section of a .so is position-independent code (it carries no load-time relocations), the raw words near $pc in the tombstone must be identical to the words at the same file offset in libandroid_runtime.so; any difference means the code in memory was corrupted.
10-23 18:09:17.647   148   148 I DEBUG   : code around pc:   ----- from runtime image logged
10-23 18:09:17.647   148   148 I DEBUG   :     4058edb4 0003d1f3 0003d1a5 0005a0d6 0003d21b  ................
10-23 18:09:17.647   148   148 I DEBUG   :     4058edc4 0003d22c 0003d203 00039236 0003d1e2  ,.......6.......
10-23 18:09:17.647   148   148 I DEBUG   :     4058edd4 4605b537 0008f100 e846f7e0 b1584604  7..F......F..FX.
10-23 18:09:17.647   148   148 I DEBUG   :     4058ede4 f7ff4628 4905ff2b 44794a05 447a9400  (F..+..I.JyD..zD
10-23 18:09:17.647   148   148 I DEBUG   :     4058edf4 20054603 ecf0f7df bd3e4620 0003d12d  .F. .... F>.-...

(gdb) x /12x 0x59dd4 ---- from libandroid_runtime.so
0x59dd4 <android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool)>: 0x4605b537 0x0008f100 0xe846f7e0 0xb1584604
0x59de4 <android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool)+16>: 0xf7ff4628 0x4905ff2b 0x44794a05 0x447a9400
0x59df4 <android::NativeInputEventReceiver::finishInputEvent(unsigned int, bool)+32>: 0x20054603 0xecf0f7df 0xbd3e4620 0x0003d12d

They match, so the code bytes in memory were not corrupted at the time the tombstone was written.

Try to use the (unmodified) register lr to find the caller:
(gdb) disass 0x00065da8
Dump of assembler code for function JavaBBinderHolder::get(_JNIEnv*, _jobject*):
   0x00065cb0 <+0>: stmdb sp!, {r4, r5, r6, r7, r8, r9, r10, lr}
   0x00065cb4 <+4>: add.w r8, r1, #8
   0x00065cb8 <+8>: mov r4, r0
   ..........................................
   0x00065d98 <+232>: blx 0x3b99c 
   0x00065d9c <+236>: str.w r9, [r5, #12]
   0x00065da0 <+240>: str r6, [r5, #16]
   0x00065da2 <+242>: mov r0, r8
   0x00065da4 <+244>: blx 0x39dc4
   0x00065da8 <+248>: mov r0, r4  <======
   0x00065daa <+250>: ldmia.w sp!, {r4, r5, r6, r7, r8, r9, r10, pc}

Notice the blx at 0x65da4.
(gdb) x /3i 0x39dc4
   0x39dc4: add r12, pc, #0, 12
   0x39dc8: add r12, r12, #462848 ; 0x71000
   0x39dcc: ldr pc, [r12, #3512]! ; 0xdb8
Should we calculate the veneer's target and try to find out whether its content is in the memory logged?
It is in .got and is probably not logged.
vaddr(0x39dc4) = 0x4058edd4 - 0x00059dd4 + 0x39dc4 = 0x4056EDC4
new pc = [0x4056EDC4 + 8 + 0x71000 + 0xdb8] = [0x405E0B84] = ??
(The first add reads pc as the veneer address + 8, since the veneer runs in ARM state.)
Android's binutils objdump cannot display function@plt names yet; it has to be patched and built by yourself.
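The two checks above, the comparison of the logged "code around pc" words with the library on disk and the veneer-to-GOT-slot computation, as a small Python tool. This is an added example and not part of the original post. The tombstone lines and the gdb words are copied from the post; the library image is a constructed stand-in that covers only the words gdb printed, because the real libandroid_runtime.so is not available here, and the function names are my own.

```python
"""Added example (not from the original post): verify tombstone code bytes
against the on-disk library, and compute a PLT veneer's GOT slot."""
import re
import struct

# "code around pc" block, as logged by debuggerd (copied from the post).
TOMBSTONE_CODE_AROUND_PC = """\
10-23 18:09:17.647   148   148 I DEBUG   : code around pc:
10-23 18:09:17.647   148   148 I DEBUG   :     4058edb4 0003d1f3 0003d1a5 0005a0d6 0003d21b  ................
10-23 18:09:17.647   148   148 I DEBUG   :     4058edc4 0003d22c 0003d203 00039236 0003d1e2  ,.......6.......
10-23 18:09:17.647   148   148 I DEBUG   :     4058edd4 4605b537 0008f100 e846f7e0 b1584604  7..F......F..FX.
10-23 18:09:17.647   148   148 I DEBUG   :     4058ede4 f7ff4628 4905ff2b 44794a05 447a9400  (F..+..I.JyD..zD
10-23 18:09:17.647   148   148 I DEBUG   :     4058edf4 20054603 ecf0f7df bd3e4620 0003d12d  .F. .... F>.-...
"""

RUNTIME_PC = 0x4058EDD4      # pc in the register dump
PC_FILE_OFFSET = 0x00059DD4  # "#00 pc 00059dd4 /system/lib/libandroid_runtime.so"
LOAD_BASE = RUNTIME_PC - PC_FILE_OFFSET  # 0x40535000, matches the memory map line

# Words gdb printed from the real library at 0x59dd4 (copied from the post),
# packed into a constructed stand-in image that starts at that file offset.
LIB_IMAGE_OFFSET = 0x00059DD4
LIB_IMAGE = struct.pack("<12I",
    0x4605b537, 0x0008f100, 0xe846f7e0, 0xb1584604,
    0xf7ff4628, 0x4905ff2b, 0x44794a05, 0x447a9400,
    0x20054603, 0xecf0f7df, 0xbd3e4620, 0x0003d12d)

# One dump row: address, four 32-bit words, then the ASCII column.
_ROW = re.compile(r"DEBUG\s*:\s+([0-9a-f]{8})((?:\s+[0-9a-f]{8}){4})\s")


def parse_code_around_pc(text):
    """Return {runtime_address: word} for every word in a debuggerd dump block."""
    words = {}
    for line in text.splitlines():
        m = _ROW.search(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(w, 16)
    return words


def compare_with_library(words, lib_image, image_offset, load_base):
    """Compare each logged word with the little-endian word at the same file
    offset.  Returns (words_checked, [(addr, logged, on_disk), ...]); words
    outside the part of the image we have are skipped, not guessed."""
    checked, mismatches = 0, []
    for addr, logged in sorted(words.items()):
        off = addr - load_base - image_offset
        if off < 0 or off + 4 > len(lib_image):
            continue
        on_disk = struct.unpack_from("<I", lib_image, off)[0]
        checked += 1
        if on_disk != logged:
            mismatches.append((addr, logged, on_disk))
    return checked, mismatches


def plt_veneer_got_slot(veneer_file_offset, load_base, add_imm, ldr_imm):
    """For the ARM PLT veneer
         add r12, pc, #0, 12      ; r12 = pc, which reads as veneer + 8 in ARM state
         add r12, r12, #add_imm
         ldr pc, [r12, #ldr_imm]!
       return (veneer runtime address, GOT slot address that pc is loaded from)."""
    vaddr = load_base + veneer_file_offset
    return vaddr, vaddr + 8 + add_imm + ldr_imm


if __name__ == "__main__":
    words = parse_code_around_pc(TOMBSTONE_CODE_AROUND_PC)
    checked, bad = compare_with_library(words, LIB_IMAGE, LIB_IMAGE_OFFSET, LOAD_BASE)
    print("words checked: %d, mismatches: %s" % (checked, bad or "none"))
    vaddr, slot = plt_veneer_got_slot(0x39DC4, LOAD_BASE, 0x71000, 0xDB8)
    print("veneer at %#x loads pc from GOT slot %#x" % (vaddr, slot))
```

With the post's numbers the comparison reports 12 words checked and no mismatch, and the veneer lands at 0x4056edc4 with its GOT slot at 0x405e0b84. That slot falls inside the second libandroid_runtime.so mapping (405de000-405e2000), the writable data segment that holds .got, which the tombstone does not dump; this is why the target of the blx cannot be recovered from the log alone. To run the check against a real device, replace the stand-in image with the bytes of the library pulled from the same build and set image_offset to 0.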

The caller is JavaBBinderHolder::get(...) in android_util_Binder.cpp.
But from the source, JavaBBinderHolder::get does not call NativeInputEventReceiver::finishInputEvent(...):
335class JavaBBinderHolder : public RefBase
336{
337public:
338    sp<JavaBBinder> get(JNIEnv* env, jobject obj)
339    {
340        AutoMutex _l(mLock);
341        sp<JavaBBinder> b = mBinder.promote();
342        if (b == NULL) {
343            b = new JavaBBinder(env, obj);
344            mBinder = b;
345            ALOGV("Creating JavaBinder %p (refs %p) for Object %p, weakCount=%d\n",
346                 b.get(), b->getWeakRefs(), obj, b->getWeakRefs()->getWeakCount());
347        }
348
349        return b;
350    }

The call stack of the crashed process itself should not be corrupted, but every function call on the stack except the leaf is lost, so the context in which the crash occurred is unknown.
For further investigation, a ramdump is needed.

After the real reason was fed back, we know that a wild destination address was loaded into register pc, and the subsequent instruction fetch was corrupted due to bad memory timing (the misconfigured DDR parameters).


Issue 5: A crazy SIGBUS:BUS_ADRALN issue
[Symptom]
10-23 22:18:47.141   624   635 F libc    : Fatal signal 7 (SIGBUS) at 0x41b6b7f4 (code=1), thread 635 (Binder_1)
10-23 22:18:47.141   624   863 F libc    : Fatal signal 7 (SIGBUS) at 0x41c94e1c (code=1), thread 863 (CountryDetector)
10-23 22:18:47.141  3560 10641 F libc    : Fatal signal 7 (SIGBUS) at 0x41efbfa4 (code=1), thread 10641 (Binder_6)
10-23 22:18:47.241  2448  2448 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-23 22:18:47.241  2448  2448 I DEBUG   : Build fingerprint: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
10-23 22:18:47.241  2448  2448 I DEBUG   : pid: 624, tid: 635, name: Binder_1  >>> system_server <<<
10-23 22:18:47.241  2448  2448 I DEBUG   : signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 41b6b7f4
10-23 22:18:47.421  2448  2448 I DEBUG   :     r0 00000000  r1 00000048  r2 41b6b7f4  r3 00000000
10-23 22:18:47.421  2448  2448 I DEBUG   :     r4 41b6b7f0  r5 5e340230  r6 00000000  r7 00000048
10-23 22:18:47.421  2448  2448 I DEBUG   :     r8 00000009  r9 41b6b7f4  sl 401f4f14  fp 1dcd64ff
10-23 22:18:47.421  2448  2448 I DEBUG   :     ip 40b70d4c  sp 5ea11bd0  lr 40b1c84d  pc 402cffb4  cpsr 80000010
10-23 22:18:47.421  2448  2448 I DEBUG   :     d0  00720064006e0061  d1  002e00640069006f
10-23 22:18:47.421  2448  2448 I DEBUG   :     d2  006900640065006d  d3  00410049002e0061
10-23 22:18:47.421  2448  2448 I DEBUG   :     d4  006e00690057002e  d5  004d0077006f0064
10-23 22:18:47.421  2448  2448 I DEBUG   :     d6  00670061006e0061  d7  0065005300720065
10-23 22:18:47.421  2448  2448 I DEBUG   :     d8  0000000000000000  d9  0000000000000000
10-23 22:18:47.421  2448  2448 I DEBUG   :     d10 0000000000000000  d11 0000000000000000
10-23 22:18:47.421  2448  2448 I DEBUG   :     d12 0000000000000000  d13 0000000000000000
10-23 22:18:47.421  2448  2448 I DEBUG   :     d14 0000000000000000  d15 0000000000000000
10-23 22:18:47.421  2448  2448 I DEBUG   :     d16 006f006900640075  d17 0076007200650053
10-23 22:18:47.431  2448  2448 I DEBUG   :     d18 006d007200650070  d19 0069007300730069
10-23 22:18:47.431  2448  2448 I DEBUG   :     d20 0052002e006e006f  d21 005f004400410045
10-23 22:18:47.431  2448  2448 I DEBUG   :     d22 004e004f00480050  d23 00540053005f0045
10-23 22:18:47.431  2448  2448 I DEBUG   :     d24 3fede16b9c24a98f  d25 3fe55559ee5e69f9
10-23 22:18:47.431  2448  2448 I DEBUG   :     d26 0000000000000000  d27 0000000000000000
10-23 22:18:47.431  2448  2448 I DEBUG   :     d28 0100010001000100  d29 0100010001000100
10-23 22:18:47.431  2448  2448 I DEBUG   :     d30 ffffffffffffffff  d31 ffffffffffffffff
10-23 22:18:47.431  2448  2448 I DEBUG   :     scr 60000010
10-23 22:18:47.431  2448  2448 I DEBUG   :
10-23 22:18:47.431  2448  2448 I DEBUG   : backtrace:
10-23 22:18:47.431  2448  2448 I DEBUG   :     #00  pc 00004fb4  /system/lib/libcutils.so (android_atomic_cas)
10-23 22:18:47.431  2448  2448 I DEBUG   :     #01  pc 00052849  /system/lib/libdvm.so (dvmLockObject+68)
10-23 22:18:47.431  2448  2448 I DEBUG   :     #02  pc 0001fc1c  /system/lib/libdvm.so
10-23 22:18:47.431  2448  2448 I DEBUG   :     #03  pc 0002cfa8  /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+180)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #04  pc 0005f695  /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #05  pc 0004d6b9  /system/lib/libdvm.so
10-23 22:18:47.441  2448  2448 I DEBUG   :     #06  pc 0004b109  /system/lib/libandroid_runtime.so
10-23 22:18:47.441  2448  2448 I DEBUG   :     #07  pc 0006610f  /system/lib/libandroid_runtime.so
10-23 22:18:47.441  2448  2448 I DEBUG   :     #08  pc 00014391  /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+60)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #09  pc 00016f15  /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+520)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #10  pc 0001733d  /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+184)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #11  pc 0001af55  /system/lib/libbinder.so
10-23 22:18:47.441  2448  2448 I DEBUG   :     #12  pc 00010e37  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+114)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #13  pc 00048b1d  /system/lib/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+44)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #14  pc 0001099d  /system/lib/libutils.so
10-23 22:18:47.441  2448  2448 I DEBUG   :     #15  pc 00012e70  /system/lib/libc.so (__thread_entry+48)
10-23 22:18:47.441  2448  2448 I DEBUG   :     #16  pc 000125c8  /system/lib/libc.so (pthread_create+172)
10-23 22:18:47.441  2448  2448 I DEBUG   :
10-23 22:18:47.441  2448  2448 I DEBUG   : stack:
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11b90  419b53e0  /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11b94  419b53e0  /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11b98  41575018  /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11b9c  00000018 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11ba0  00000001 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11ba4  f7d22713 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11ba8  40108008 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bac  40d38078  /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bb0  5e340230 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bb4  00000001 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bb8  00000048 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bbc  00000009 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bc0  40d3807c  /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bc4  511b31e4  /dev/ashmem/dalvik-aux-structure (deleted)
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bc8  df0027ad 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bcc  00000000 
10-23 22:18:47.441  2448  2448 I DEBUG   :     #00  5ea11bd0  5e340230 
10-23 22:18:47.441  2448  2448 I DEBUG   :          ........  ........
10-23 22:18:47.441  2448  2448 I DEBUG   :     #01  5ea11bd0  5e340230 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bd4  41b6b7f0  /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bd8  00000001 
10-23 22:18:47.441  2448  2448 I DEBUG   :          5ea11bdc  5868e916  /data/dalvik-cache/system@framework@framework.jar@classes.dex
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11be0  401f4f28 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11be4  5e340230 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11be8  000020f2 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11bec  40ae94c0  /system/lib/libdvm.so
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11bf0  000021f4 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11bf4  401f4f14 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11bf8  00000001 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11bfc  40ae9c20  /system/lib/libdvm.so
10-23 22:18:47.451  2448  2448 I DEBUG   :     #02  5ea11c00  40ae94c0  /system/lib/libdvm.so
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c04  5e340230 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c08  40b70c60  /system/lib/libdvm.so
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c0c  56e6f030  /dev/ashmem/dalvik-LinearAlloc (deleted)
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c10  00000000 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c14  5ea11c34  [stack:635]
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c18  5ea11cf8  [stack:635]
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c1c  00000000 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c20  00000001 
10-23 22:18:47.451  2448  2448 I DEBUG   :          5ea11c24  40af6fac  /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+184)
10-23 22:18:47.461  2448  2448 I DEBUG   :
10-23 22:18:47.461  2448  2448 I DEBUG   : memory near r2:
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b7d4 00000000 41b684c8 21813a1f 00000000  .......A.:.!....
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b7e4 0000000c 005f0053 00000013 40d14890  ....S._......H.@
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b7f4 00000000 00000010 00000033 40dab318  ........3......@
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b804 00000000 416143c0 41614940 00000000  .....CaA@IaA....
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b814 41b6b830 41614808 41b4d3e8 41a20e80  0..A.HaA...A...A
10-23 22:18:47.461  2448  2448 I DEBUG   :
10-23 22:18:47.461  2448  2448 I DEBUG   : memory near r4:
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b7d0 40d150b8 00000000 41b684c8 21813a1f  .P.@.......A.:.!
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b7e0 00000000 0000000c 005f0053 00000013  ........S._.....
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b7f0 40d14890 00000000 00000010 00000033  .H.@........3...
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b800 40dab318 00000000 416143c0 41614940  ...@.....CaA@IaA
10-23 22:18:47.461  2448  2448 I DEBUG   :     41b6b810 00000000 41b6b830 41614808 41b4d3e8  ....0..A.HaA...A
10-23 22:18:47.461  2448  2448 I DEBUG   :
10-23 22:18:47.461  2448  2448 I DEBUG   : memory near r5:
10-23 22:18:47.461  2448  2448 I DEBUG   :     5e340210 59a511c4 00000000 00000000 00000000  ...Y............
10-23 22:18:47.461  2448  2448 I DEBUG   :     5e340220 00000000 00000000 00000028 00000453  ........(...S...
10-23 22:18:47.461  2448  2448 I DEBUG   :     5e340230 58557408 401f4f28 571a3c08 51114000  .tUX(O.@.<.W.@.Q
10-23 22:18:47.461  2448  2448 I DEBUG   :     5e340240 415920f0 00000000 5ea11c00 00000000  . YA.......^....
10-23 22:18:47.461  2448  2448 I DEBUG   :     5e340250 5ea11c34 00000009 00000000 40ae94c0  4..^...........@
10-23 22:18:47.471  2448  2448 I DEBUG   :
10-23 22:18:47.471  2448  2448 I DEBUG   : memory near r9:
10-23 22:18:47.471  2448  2448 I DEBUG   :     41b6b7d4 00000000 41b684c8 21813a1f 00000000  .......A.:.!....
10-23 22:18:47.471  2448  2448 I DEBUG   :     41b6b7e4 0000000c 005f0053 00000013 40d14890  ....S._......H.@
10-23 22:18:47.471  2448  2448 I DEBUG   :     41b6b7f4 00000000 00000010 00000033 40dab318  ........3......@
10-23 22:18:47.471  2448  2448 I DEBUG   :     41b6b804 00000000 416143c0 41614940 00000000  .....CaA@IaA....
10-23 22:18:47.471  2448  2448 I DEBUG   :     41b6b814 41b6b830 41614808 41b4d3e8 41a20e80  0..A.HaA...A...A
10-23 22:18:47.471  2448  2448 I DEBUG   :
10-23 22:18:47.471  2448  2448 I DEBUG   : memory near sl:
10-23 22:18:47.471  2448  2448 I DEBUG   :     401f4ef4 58724b68 401f4f28 58723760 56e73bd8  hKrX(O.@`7rX.;.V
10-23 22:18:47.471  2448  2448 I DEBUG   :     401f4f04 00000000 00000000 5ea11dac 72900005  ...........^...r
10-23 22:18:47.471  2448  2448 I DEBUG   :     401f4f14 401f4f48 58689606 571a3c08 5868e914  HO.@..hX.<.W..hX
10-23 22:18:47.471  2448  2448 I DEBUG   :     401f4f24 00000000 5ea11dac 41b6b7f0 41598768  .......^...Ah.YA
10-23 22:18:47.471  2448  2448 I DEBUG   :     401f4f34 401f4f94 5855741a 56f69e30 58689606  .O.@.tUX0..V..hX
10-23 22:18:47.471  2448  2448 I DEBUG   :
10-23 22:18:47.471  2448  2448 I DEBUG   : memory near fp:
10-23 22:18:47.471  2448  2448 I DEBUG   :     1dcd64dc ffffffff ffffffff ffffffff ffffffff  ................
10-23 22:18:47.471  2448  2448 I DEBUG   :     1dcd64ec ffffffff ffffffff ffffffff ffffffff  ................
10-23 22:18:47.471  2448  2448 I DEBUG   :     1dcd64fc ffffffff ffffffff ffffffff ffffffff  ................
10-23 22:18:47.471  2448  2448 I DEBUG   :     1dcd650c ffffffff ffffffff ffffffff ffffffff  ................
10-23 22:18:47.471  2448  2448 I DEBUG   :     1dcd651c ffffffff ffffffff ffffffff ffffffff  ................
10-23 22:18:47.471  2448  2448 I DEBUG   :
10-23 22:18:47.471  2448  2448 I DEBUG   : memory near ip:
10-23 22:18:47.471  2448  2448 I DEBUG   :     40b70d2c 4016db01 40158330 4015d51c 401659d1  ...@0..@...@.Y.@
10-23 22:18:47.471  2448  2448 I DEBUG   :     40b70d3c 4015df3c 40165cc1 4016d8c7 4015dab0  <..@.\.@...@...@
10-23 22:18:47.471  2448  2448 I DEBUG   :     40b70d4c 402cffb4 401595e0 40164933 4015e9d9  ..,@...@3I.@...@
10-23 22:18:47.471  2448  2448 I DEBUG   :     40b70d5c 4016db21 404a0520 40158d40 4016dd95  !..@ .J@@..@...@
10-23 22:18:47.471  2448  2448 I DEBUG   :     40b70d6c 4016d87d 4015db30 4015de7c 4016a5b5  }..@0..@|..@...@
10-23 22:18:47.471  2448  2448 I DEBUG   :
10-23 22:18:47.471  2448  2448 I DEBUG   : memory near sp:
10-23 22:18:47.471  2448  2448 I DEBUG   :     5ea11bb0 5e340230 00000001 00000048 00000009  0.4^....H.......
10-23 22:18:47.471  2448  2448 I DEBUG   :     5ea11bc0 40d3807c 511b31e4 df0027ad 00000000  |..@.1.Q.'......
10-23 22:18:47.471  2448  2448 I DEBUG   :     5ea11bd0 5e340230 41b6b7f0 00000001 5868e916  0.4^...A......hX
10-23 22:18:47.471  2448  2448 I DEBUG   :     5ea11be0 401f4f28 5e340230 000020f2 40ae94c0  (O.@0.4^. .....@
10-23 22:18:47.471  2448  2448 I DEBUG   :     5ea11bf0 000021f4 401f4f14 00000001 40ae9c20  .!...O.@.... ..@
10-23 22:18:47.471  2448  2448 I DEBUG   :
10-23 22:18:47.471  2448  2448 I DEBUG   : code around pc:
10-23 22:18:47.471  2448  2448 I DEBUG   :     402cff94 e5900000 e12fff1e e5810000 f57ff05f  ....../....._...
10-23 22:18:47.471  2448  2448 I DEBUG   :     402cffa4 e12fff1e f57ff05f e5810000 e12fff1e  ../._........./.
10-23 22:18:47.481  2448  2448 I DEBUG   :     402cffb4 e192cf9f e3a03000 e13c0000 01823f91  .....0....<..?..
10-23 22:18:47.481  2448  2448 I DEBUG   :     402cffc4 e3530000 1afffff9 e050000c 13a00001  ..S.......P.....
10-23 22:18:47.481  2448  2448 I DEBUG   :     402cffd4 e12fff1e e192cf9f e3a03000 e13c0000  ../......0....<.
10-23 22:18:47.481  2448  2448 I DEBUG   :
10-23 22:18:47.481  2448  2448 I DEBUG   : code around lr:
10-23 22:18:47.481  2448  2448 I DEBUG   :     40b1c82c f6416860 f50072ff 60632300 4fd3ebb2  `hA..r...#c`...O
10-23 22:18:47.481  2448  2448 I DEBUG   :     40b1c83c e038d144 ea40b94b 464a0107 e912f7cc  D.8.K.@...JF....
10-23 22:18:47.481  2448  2448 I DEBUG   :     40b1c84c 8f5ff3bf d1e32800 4628e038 f0002103  .._..(..8.(F.!..
10-23 22:18:47.481  2448  2448 I DEBUG   :     40b1c85c 4682fe63 4e1ae000 f0106860 d1190101  c..F...N`h......
10-23 22:18:47.481  2448  2448 I DEBUG   :     40b1c86c 02cff3c0 ea40b94a 464a0107 e8faf7cc  ....J.@...JF....
10-23 22:18:47.481  2448  2448 I DEBUG   :
10-23 22:18:47.481  2448  2448 I DEBUG   : memory map around fault addr 41b6b7f4:
10-23 22:18:47.481  2448  2448 I DEBUG   :     40d13000-40d14000 /system/lib/libdbus.so
10-23 22:18:47.481  2448  2448 I DEBUG   :     40d14000-41d76000 /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.481  2448  2448 I DEBUG   :     41d76000-42a86000 /dev/ashmem/dalvik-heap (deleted)
10-23 22:18:47.501  2448  2448 I DEBUG   : Write /storage/sdcard0/klog/klog-0-system_server-20121023221847.txt to internal SD failed
10-23 22:18:49.453  2448  2448 I DEBUG   : Write /data/klog/klog-2-system_server-20121023221847.txt to USERDATA succeed
10-23 22:18:49.453  2448  2448 I DEBUG   : Dump klogcat...

[Analysis]
10-23 22:18:47.431  2448  2448 I DEBUG   :     #00  pc 00004fb4  /system/lib/libcutils.so
android_atomic_cas
//LINUX/android/system/core/include/cutils/atomic-arm.h:103
10-23 22:18:47.431  2448  2448 I DEBUG   :     #01  pc 00052849  /system/lib/libdvm.so   it is dvmLockObject
android_atomic_acquire_cas
//LINUX/android/system/core/include/cutils/atomic-arm.h:134
10-23 22:18:47.431  2448  2448 I DEBUG   :     #02  pc 0001fc1c  /system/lib/libdvm.so   right in libdvm.
dalvik_inst
//LINUX/android/dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S:828
10-23 22:18:47.431  2448  2448 I DEBUG   :     #03  pc 0002cfa8  /system/lib/libdvm.so
dvmInterpret(Thread*, Method const*, JValue*)
//LINUX/android/dalvik/vm/interp/Interp.cpp:1964
10-23 22:18:47.441  2448  2448 I DEBUG   :     #04  pc 0005f695  /system/lib/libdvm.so
dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)
//LINUX/android/dalvik/vm/interp/Stack.cpp:526
10-23 22:18:47.441  2448  2448 I DEBUG   :     #05  pc 0004d6b9  /system/lib/libdvm.so
CallBooleanMethodV
//LINUX/android/dalvik/vm/Jni.cpp:1988
10-23 22:18:47.441  2448  2448 I DEBUG   :     #06  pc 0004b109  /system/lib/libandroid_runtime.so
_JNIEnv::CallBooleanMethod(_jobject*, _jmethodID*, ...)
//LINUX/android/libnativehelper/include/nativehelper/jni.h:633
10-23 22:18:47.441  2448  2448 I DEBUG   :     #07  pc 0006610f  /system/lib/libandroid_runtime.so
JavaBBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)
//LINUX/android/frameworks/base/core/jni/android_util_Binder.cpp:278
10-23 22:18:47.441  2448  2448 I DEBUG   :     #08  pc 00014391  /system/lib/libbinder.so
android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)
//LINUX/android/frameworks/native/libs/binder/Binder.cpp:108
10-23 22:18:47.441  2448  2448 I DEBUG   :     #09  pc 00016f15  /system/lib/libbinder.so
android::IPCThreadState::executeCommand(int)
//LINUX/android/frameworks/native/libs/binder/IPCThreadState.cpp:1034
10-23 22:18:47.441  2448  2448 I DEBUG   :     #10  pc 0001733d  /system/lib/libbinder.so
android::IPCThreadState::joinThreadPool(bool)
//LINUX/android/frameworks/native/libs/binder/IPCThreadState.cpp:473
10-23 22:18:47.441  2448  2448 I DEBUG   :     #11  pc 0001af55  /system/lib/libbinder.so
android::PoolThread::threadLoop()
//LINUX/android/frameworks/native/libs/binder/ProcessState.cpp:67
10-23 22:18:47.441  2448  2448 I DEBUG   :     #12  pc 00010e37  /system/lib/libutils.so
android::Thread::_threadLoop(void*)
//LINUX/android/frameworks/native/libs/utils/Threads.cpp:793
10-23 22:18:47.441  2448  2448 I DEBUG   :     #13  pc 00048b1d  /system/lib/libandroid_runtime.so
android::AndroidRuntime::javaThreadShell(void*)
//LINUX/android/frameworks/base/core/jni/AndroidRuntime.cpp:991
10-23 22:18:47.441  2448  2448 I DEBUG   :     #14  pc 0001099d  /system/lib/libutils.so
thread_data_t::trampoline(thread_data_t const*)
//LINUX/android/frameworks/native/libs/utils/Threads.cpp:132
10-23 22:18:47.441  2448  2448 I DEBUG   :     #15  pc 00012e70  /system/lib/libc.so
__thread_entry
//LINUX/android/bionic/libc/bionic/pthread.c:217
10-23 22:18:47.441  2448  2448 I DEBUG   :     #16  pc 000125c8  /system/lib/libc.so
pthread_create
//LINUX/android/bionic/libc/bionic/pthread.c:356

The log line
10-23 22:18:47.241  2448  2448 I DEBUG   : signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 41b6b7f4
shows that it is an invalid address alignment crash: the kernel rejected the access because of its alignment, not because the page was unmapped (that would be reported as SEGV_MAPERR).

From the source code,
130extern inline int android_atomic_acquire_cas(int32_t old_value,
131                                             int32_t new_value,
132                                             volatile int32_t *ptr)
133{
134    int status = android_atomic_cas(old_value, new_value, ptr);
135    android_memory_barrier();
136    return status;
137}

The GNU inline assembly of android_atomic_cas is listed as follows.
98extern inline int android_atomic_cas(int32_t old_value, int32_t new_value,
99                                     volatile int32_t *ptr)
100{
101    int32_t prev, status;
102    do {
103        __asm__ __volatile__ ("ldrex %0, [%3]\n"
104                              "mov %1, #0\n"
105                              "teq %0, %4\n"
106                              "strexeq %1, %5, [%3]"
107                              : "=&r" (prev), "=&r" (status), "+m"(*ptr)
108                              : "r" (ptr), "Ir" (old_value), "r" (new_value)
109                              : "cc");
110    } while (__builtin_expect(status != 0, 0));
111    return prev != old_value;
112}
The arguments are passed in r0 = 00000000 (old_value), r1 = 00000048 (new_value) and r2 = 41b6b7f4 (ptr), per the ARM calling convention.

The compiled assembly code is as follows.
(gdb) disass android_atomic_cas
Dump of assembler code for function android_atomic_cas:
   0x00004fb4 <+0>: ldrex r12, [r2]
   0x00004fb8 <+4>: mov r3, #0
   0x00004fbc <+8>: teq r12, r0
   0x00004fc0 <+12>: strexeq r3, r1, [r2]
   0x00004fc4 <+16>: cmp r3, #0
   0x00004fc8 <+20>: bne 0x4fb4 <android_atomic_cas>
   0x00004fcc <+24>: subs r0, r0, r12
   0x00004fd0 <+28>: movne r0, #1
   0x00004fd4 <+32>: bx lr
End of assembler dump.
(gdb) disass android_atomic_acquire_cas
Dump of assembler code for function android_atomic_acquire_cas:
   0x00004fd8 <+0>: ldrex r12, [r2]
   0x00004fdc <+4>: mov r3, #0
   0x00004fe0 <+8>: teq r12, r0
   0x00004fe4 <+12>: strexeq r3, r1, [r2]
   0x00004fe8 <+16>: cmp r3, #0
   0x00004fec <+20>: bne 0x4fd8 <android_atomic_acquire_cas>
   0x00004ff0 <+24>: dmb sy
   0x00004ff4 <+28>: subs r0, r0, r12
   0x00004ff8 <+32>: movne r0, #1
   0x00004ffc <+36>: bx lr
End of assembler dump.

We can see the argument 'ptr' is in r2, and 0x41b6b7f4 does not look like an unaligned address: it is a multiple of 4, which is all that a 32-bit ldrex requires.

But the instruction ldrex %0, [%3] is what crashed.
From the assembly, %3 uses the argument register r2 directly, so there is almost no possibility that it was changed between the call and the fault.
So, maybe it is an architecture-related issue rather than a memory corruption issue.

Even after knowing the DDR memory parameters were not well configured, I have no idea why the bus unalignment error occurs.
Maybe DDR specification and ARM bus specification knowledge is needed.
If the address is unstable due to the timing sequence, maybe this address unalignment bus error is reasonable.
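The reasoning of this analysis, parsing the signal line and the register dump, finding which registers hold the fault address, and checking whether the operand of the faulting instruction is actually misaligned for what that instruction requires, as a small Python tool. This is an added example, not part of the original post. The log lines are copied from the post; the mnemonic and base register of the faulting instruction (ldrex r12, [r2]) are taken from the disassembly above, and the function names are my own.

```python
"""Added example (not from the original post): decide whether a SIGBUS
BUS_ADRALN in a debuggerd tombstone is explained by a misaligned operand."""
import re

# Signal line and register dump, copied from the post.
TOMBSTONE_HEADER = """\
10-23 22:18:47.241  2448  2448 I DEBUG   : signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 41b6b7f4
10-23 22:18:47.421  2448  2448 I DEBUG   :     r0 00000000  r1 00000048  r2 41b6b7f4  r3 00000000
10-23 22:18:47.421  2448  2448 I DEBUG   :     r4 41b6b7f0  r5 5e340230  r6 00000000  r7 00000048
10-23 22:18:47.421  2448  2448 I DEBUG   :     r8 00000009  r9 41b6b7f4  sl 401f4f14  fp 1dcd64ff
10-23 22:18:47.421  2448  2448 I DEBUG   :     ip 40b70d4c  sp 5ea11bd0  lr 40b1c84d  pc 402cffb4  cpsr 80000010
"""

_SIGNAL = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr ([0-9a-f]+)")
_REG = re.compile(r"\b(r\d{1,2}|sl|fp|ip|sp|lr|pc|cpsr) ([0-9a-f]{8})")

# Natural alignment required by the ARM exclusive load/store family.  Unlike
# plain ldr/str, these fault on a misaligned address regardless of the
# CPU's unaligned-access setting, so BUS_ADRALN on ldrex is always meaningful.
EXCLUSIVE_ACCESS_SIZE = {"ldrexb": 1, "ldrexh": 2, "ldrex": 4, "ldrexd": 8}


def parse_tombstone_header(text):
    """Return (signal info dict, {register name: value}) from tombstone lines."""
    sig, regs = None, {}
    for line in text.splitlines():
        m = _SIGNAL.search(line)
        if m:
            sig = {"signo": int(m.group(1)), "signame": m.group(2),
                   "code": int(m.group(3)), "codename": m.group(4),
                   "fault_addr": int(m.group(5), 16)}
            continue
        for name, value in _REG.findall(line):
            regs[name] = int(value, 16)
    return sig, regs


def registers_holding(regs, value):
    """Names of all registers whose value equals `value` (sorted)."""
    return sorted(name for name, v in regs.items() if v == value)


def explain_adraln(sig, regs, mnemonic, base_reg):
    """Check the operand of the faulting instruction against the alignment
    that instruction needs; `mnemonic` and `base_reg` come from disassembly."""
    size = EXCLUSIVE_ACCESS_SIZE[mnemonic]
    addr = regs[base_reg]
    return {
        "is_adraln": sig["signame"] == "SIGBUS" and sig["codename"] == "BUS_ADRALN",
        "operand_matches_fault_addr": addr == sig["fault_addr"],
        "fault_addr_in": registers_holding(regs, sig["fault_addr"]),
        "required_alignment": size,
        "misaligned": addr % size != 0,
        # CPSR.T (bit 5) tells whether pc points at Thumb or ARM code, which
        # decides how the "code around pc" words must be decoded.
        "thumb": bool(regs["cpsr"] & 0x20),
    }


if __name__ == "__main__":
    sig, regs = parse_tombstone_header(TOMBSTONE_HEADER)
    verdict = explain_adraln(sig, regs, "ldrex", "r2")
    for key, value in verdict.items():
        print("%-28s %s" % (key, value))
```

For the post's tombstone the tool reports that r2 and r9 both hold the fault address, that the ldrex operand needs 4-byte alignment and 0x41b6b7f4 satisfies it, and that the CPU was in ARM state (consistent with the 32-bit encodings in "code around pc"). In other words the software-side explanation for BUS_ADRALN does not hold, which leaves the memory subsystem as the remaining suspect, matching the DDR timing root cause found later. The constructed misaligned case in the test shows what a genuine software alignment bug would look like.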

 
