Android tombstone 分析案例
Android tombstone 分析案例
tombstone文件内容
一份在Android M 上出现 surfaceflinger SIGSEGV 11 导致机器重启案例
1. 体系结构
ABI: 'arm'
程序为arm 32bit程序
2. 发生Crash线程
pid: 299, tid: 372, name: Binder_2 >>> /system/bin/surfaceflinger <<<
进程号为299下的子线程372名为Binder_2线程发生错误,进程名 /system/bin/surfaceflinger
3. 原因
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xa29c0000
访问0xa29c0000无效地址引发SIGSEGV错误
4. 寄存器状态
r0 00000000 r1 00000000 r2 b6bd9164 r3 b6bd9164
r4 b673f6e8 r5 b6ca0443 r6 a29c0000 r7 a29b2920
r8 9ce0b908 r9 41742563 sl b673f6e8 fp b673f6e8
ip 0000005d sp b673f530 lr b6c9dd53 pc b6c9dd3e cpsr 200f0030
d0 0000000020202020 d1 0000000000000000
d2 69742e6d6f632f67 d3 687a6965772e616d
d4 6e75616c2e676e61 d5 6569762e72656863
d6 6976697463612e77 d7 676976614e2e7974
d8 0000000000000000 d9 0000000000000000
d10 0000000000000000 d11 0000000000000000
d12 0000000000000000 d13 0000000000000000
d14 0000000000000000 d15 0000000000000000
d16 0000000000000000 d17 4024000000000000
d18 3ff0000000000000 d19 3ff0000000000000
d20 0000000000000000 d21 3ff0000000000000
d22 3ff0000000000000 d23 4001cddf78000000
d24 3ff0000000000000 d25 0000000000000000
d26 4071800000000000 d27 4006666666666666
d28 4001cddf78000000 d29 3ff0000000000000
d30 0000000000000000 d31 0000000000000000
scr 80000010
ARM Cortex-A8处理器有40个32位长的寄存器,其中有32个通用寄存器,7个状态寄存器和1个程序计数器
4.1 处理器工作模式下的寄存器
User & System | FIQ | Supervisor | Abort | IRQ | Undefined |
---|---|---|---|---|---|
r0 | r0 | r0 | r0 | r0 | r0 |
r1 | r1 | r1 | r1 | r1 | r1 |
r2 | r2 | r2 | r2 | r2 | r2 |
r3 | r3 | r3 | r3 | r3 | r3 |
r4 | r4 | r4 | r4 | r4 | r4 |
r5 | r5 | r5 | r5 | r5 | r5 |
r6 | r6 | r6 | r6 | r6 | r6 |
r7 | r7 | r7 | r7 | r7 | r7 |
r8 | r8_fiq | r8 | r8 | r8 | r8 |
r9 | r9_fiq | r9 | r9 | r9 | r9 |
r10 | r10_fiq | r10 | r10 | r10 | r10 |
r11 | r11_fiq | r11 | r11 | r11 | r11 |
r12 | r12_fiq | r12 | r12 | r12 | r12 |
r13 | r13_fiq | r13_svc | r13_abt | r13_irq | r13_und |
r14 | r14_fiq | r14_svc | r14_abt | r14_irq | r14_und |
r15(pc) | r15(pc) | r15(pc) | r15(pc) | r15(pc) | r15(pc) |
4.2 未分组寄存器r0 – r7
在所有运行模式下,未分组寄存器都指向同一个物理寄存器,他们未被系统用作特殊的用途。因此在中断或异常处理进行异常模式转换时,由于不同的处理器运行模式均使用相同的物理寄存器,所以可能造成寄存器中数据的破坏。
4.3 分组寄存器r8 – r14
对于分组寄存器,所访问的物理寄存器都与当前的处理器运行模式相关。当使用快速中断模式下的寄存器时,寄存器r8为r8_fiq,而使用用户模式下r8为r8_usr这个两个寄存器不是同一个。
其中r13常用作存放堆栈指针,用户也可以使用其他寄存器存放堆栈指针,称为sp;
和r14称为连接寄存器(link register,lr),当执行子程序时,r14可存放子程序返回地址,执行完子程序后,又将r14的值复制回pc,也可作为通用寄存器使用。
4.4 程序计数器pc(r15)
ARM采用的是流水线机制,当正确读取了pc的值时,该值为当前指令地址加8个字节,指向当前指令的下两条指令地址,ARM是字对齐,pc寄存器的值bits[0,1] = 0,第0位和第1位总为0,也就是16进制地址最低位应为0,4,8,c,当工作模式处理thumb下,当正确读取了pc的值时,该值为当前指令地址加4个字节,pc寄存器的值bits[0] = 0,第0位总为,也就是16进制地址最低位应为0,2,4,8,a,c,e。
4.5 程序状态寄存器
cpsr(当前程序状态寄存器),包含了条件标记位、中断屏蔽位、当前处理器模式标志等,每一种处理器模式下都有一个专门的物理寄存器用于备份程序状态的寄存器spsr,当特定的异常中断发生,该寄存器可用于保存cpsr和事后恢复cpsr。
标志位 | 含义 |
---|---|
N | 当两个补码表示有符号数运算时,N = 1表示运算结果是个负值,N = 0表示运算结果是个正值 |
Z | Z = 1 表示运算结果为0,否则不为0 |
C | 做加法指令时发生了进位,C = 1 表示无符号数运算发生上溢出,做减法指令时发生了借位,C = 0表示无符号数运算发生了下溢出 |
V | 符号数运算时发生了符号位溢出,V =1 |
I | 中断屏蔽位 irq |
F | 快速中断屏蔽位 fiq |
T | T = 0,表示ARM指令模式,T = 1,表示thumb指令模式 |
M[4:0] | 处理器模式 |
---|---|
0b_10000 | user |
0b_10001 | fiq |
0b_10010 | irq |
0b_10011 | supervisor |
0b_10111 | abort |
0b_11011 | undefined |
0b_11111 | system |
4.6 ARM参数规则
C程序约定参数1~参数4 分别保存到 r0~r3 寄存器中 ,剩下的参数从右往左依次入栈,被调用者实现栈平衡,返回值存放在 r0 中。
C++程序约定参数1、参数2、参数3分别保存在r1、r2、r3中,this指针存放r0中,剩下的参数从右往左依次入栈,被调用者实现栈平衡,返回值存放在 r0 中。
5. 回溯栈
记录程序的调用过程,不完全可信。详情可查询官方介绍
https://source.android.google.cn/devices/tech/debug
backtrace:
#00 pc 00009d3e /system/lib/libui.so (android::Region::dump(android::String8&, char const*, unsigned int) const+53)
#01 pc 00015e2d /system/lib/libsurfaceflinger.so
#02 pc 0001dfe3 /system/lib/libsurfaceflinger.so
#03 pc 0001d9d5 /system/lib/libsurfaceflinger.so
#04 pc 0001e41f /system/lib/libsurfaceflinger.so
#05 pc 00019b1d /system/lib/libbinder.so (android::BBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+164)
#06 pc 0001e677 /system/lib/libsurfaceflinger.so
#07 pc 00019985 /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+60)
#08 pc 0001ec63 /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+542)
#09 pc 0001edb9 /system/lib/libbinder.so (android::IPCThreadState::getAndExecuteCommand()+64)
#10 pc 0001ee1d /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+48)
#11 pc 0002377d /system/lib/libbinder.so
#12 pc 00010115 /system/lib/libutils.so (android::Thread::_threadLoop(void*)+112)
#13 pc 0003f8c3 /system/lib/libc.so (__pthread_start(void*)+30)
#14 pc 00019e55 /system/lib/libc.so (__start_thread+6)
6. 程序栈
记录程序运行过程中压入栈空间信息,sp寄存器写入记录
stack:
b673f4f0 b673f6e8 [stack:372]
b673f4f4 b6e7005f /system/lib/libutils.so (android::String8::appendFormatV(char const*, std::__va_list)+58)
b673f4f8 b673f6e8 [stack:372]
b673f4fc b673f528 [stack:372]
b673f500 b673f6e8 [stack:372]
b673f504 b6ca0443 /system/lib/libui.so
b673f508 a29bfff0 [anon:libc_malloc]
b673f50c a29b2920 [anon:libc_malloc]
b673f510 9ce0b908 [anon:libc_malloc]
b673f514 b6e700b5 /system/lib/libutils.so (android::String8::appendFormat(char const*, ...)+16)
b673f518 b673f6e8 [stack:372]
b673f51c b673f528 [stack:372]
b673f520 b6c9dd53 /system/lib/libui.so (android::Region::dump(android::String8&, char const*, unsigned int) const+74)
b673f524 b6ca0443 /system/lib/libui.so
b673f528 00000008
b673f52c 00000000
#00 b673f530 00000000
b673f534 00000000
b673f538 0000006a
b673f53c 9ce0b800 [anon:libc_malloc]
b673f540 b6ef893c /system/lib/libsurfaceflinger.so
b673f544 00000000
b673f548 b673f6e8 [stack:372]
b673f54c b6ed6e31 /system/lib/libsurfaceflinger.so
#01 b673f550 b6ab09b0 [anon:libc_malloc]
b673f554 00000500
b673f558 00000001
b673f55c 00000000
b673f560 00000000
b673f564 000002d0
b673f568 00000000
b673f56c 00000000
b673f570 00000500
b673f574 000002d0
b673f578 00000001
b673f57c 00000000
b673f580 000000ff
b673f584 00000003
b673f588 00000000
b673f58c 3ff00000
........ ........
7. 寄存器地址附近内存
记录当前寄存器地址附近的内存存放的内容
memory near r2:
b6bd9144 310ca366 b401696d ee9116bc 38f208d4 f..1mi.........8
b6bd9154 585c839d 9c6118bf c0f3fa8b c211c74c ..\X..a.....L...
b6bd9164 44c2719f 217b90e4 12965102 7038b463 .q.D..{!.Q..c.8p
b6bd9174 466f46fe 2ac1c78e 26c3c32c 2943cba1 .FoF...*,..&..C)
b6bd9184 70735e5a a5aaf1be ac1f963b a3129b0c Z^sp....;.......
b6bd9194 6e6388ed 987e67e0 fe186450 9076bade ..cn.g~.Pd....v.
b6bd91a4 d71581ed e46f76be 0c6f5f99 d44085d3 .....vo.._o...@.
b6bd91b4 ee86bcc8 d23ca932 ead5f2a1 96a1c776 ....2.<.....v...
b6bd91c4 53537b2b 32785faa 64b1eb9b f0759cf3 +{SS._x2...d..u.
b6bd91d4 a95d0e3e d9ce918a 5f2fa464 ce466e61 >.].....d./_anF.
b6bd91e4 363414d2 c72b68b5 8bd5af2c 0500d4cd ..46.h+.,.......
b6bd91f4 ed4b2448 621b702b 89f2530a 7a705ac5 H$K.+p.b.S...Zpz
b6bd9204 836e7416 987eb477 c6187ee4 b8c2fdd3 .tn.w.~..~......
b6bd9214 2b6dd6b2 4cb59709 5e5d32a6 52518ae5 ..m+...L.2]^..QR
b6bd9224 8a5db5b6 ead5fac1 18df49b1 4d63c1c6 ..]......I....cM
b6bd9234 03d98790 5188c1ea d9088155 ce46baf2 .......QU.....F.
memory near r3:
b6bd9144 310ca366 b401696d ee9116bc 38f208d4 f..1mi.........8
b6bd9154 585c839d 9c6118bf c0f3fa8b c211c74c ..\X..a.....L...
b6bd9164 44c2719f 217b90e4 12965102 7038b463 .q.D..{!.Q..c.8p
b6bd9174 466f46fe 2ac1c78e 26c3c32c 2943cba1 .FoF...*,..&..C)
b6bd9184 70735e5a a5aaf1be ac1f963b a3129b0c Z^sp....;.......
b6bd9194 6e6388ed 987e67e0 fe186450 9076bade ..cn.g~.Pd....v.
b6bd91a4 d71581ed e46f76be 0c6f5f99 d44085d3 .....vo.._o...@.
b6bd91b4 ee86bcc8 d23ca932 ead5f2a1 96a1c776 ....2.<.....v...
b6bd91c4 53537b2b 32785faa 64b1eb9b f0759cf3 +{SS._x2...d..u.
b6bd91d4 a95d0e3e d9ce918a 5f2fa464 ce466e61 >.].....d./_anF.
b6bd91e4 363414d2 c72b68b5 8bd5af2c 0500d4cd ..46.h+.,.......
b6bd91f4 ed4b2448 621b702b 89f2530a 7a705ac5 H$K.+p.b.S...Zpz
b6bd9204 836e7416 987eb477 c6187ee4 b8c2fdd3 .tn.w.~..~......
b6bd9214 2b6dd6b2 4cb59709 5e5d32a6 52518ae5 ..m+...L.2]^..QR
b6bd9224 8a5db5b6 ead5fac1 18df49b1 4d63c1c6 ..]......I....cM
b6bd9234 03d98790 5188c1ea d9088155 ce46baf2 .......QU.....F.
memory near r4:
b673f6c8 00000001 b6aa4018 b6a8c8d0 9f066b28 .....@......(k..
b673f6d8 b6a8c8d0 9f066b28 a013f0f0 00000000 ....(k..........
b673f6e8 9b709010 00000001 00000000 b6ef6784 ..p..........g..
b673f6f8 b673f724 00000001 b6aa4004 000000c0 $.s......@......
b673f708 00000001 b673f720 0000012b b6edf423 .... .s.+...#...
b673f718 0000012b b6e91b1f 9ce3c3a0 b6ea26b0 +............&..
b673f728 a013f0d0 00000001 00000000 00000004 ................
b673f738 b673f838 b673f804 b673f838 5f444d50 8.s...s.8.s.PMD_
b673f748 b6aa4000 00000000 000003e8 b6edf67b .@..........{...
b673f758 00000010 b6e9bcb5 b673f77c 00000000 ........|.s.....
b673f768 b673f77c b6e914b7 b673f804 b6e9a1d3 |.s.......s.....
b673f778 b673f804 b6a941c0 00000020 b673f804 ..s..A.. .....s.
b673f788 00000000 b69820d4 00000020 b660e000 ..... .. .....`.
b673f798 b6e96765 b6e9a1f7 b673f804 b69820b4 eg........s.. ..
b673f7a8 b673f838 b6aa4004 b673f804 5f444d50 8.s..@....s.PMD_
b673f7b8 00000000 00000000 0000012b b6e91987 ........+.......
memory near r5:
b6ca0420 2020006e 69676552 25206e6f 74282073 n. Region %s (t
b6ca0430 3d736968 202c7025 6e756f63 64253d74 his=%p, count=%d
b6ca0440 20000a29 5b202020 2c643325 64332520 ).. [%3d, %3d
b6ca0450 3325202c 25202c64 0a5d6433 63655200 , %3d, %3d]..Rec
b6ca0460 69570074 20687464 74207525 6c206f6f t.Width %u too l
b6ca0470 65677261 726f6620 63655220 6c632074 arge for Rect cl
b6ca0480 2c737361 616c6320 6e69706d 65480067 ass, clamping.He
b6ca0490 74686769 20752520 206f6f74 6772616c ight %u too larg
b6ca04a0 6f662065 65522072 63207463 7373616c e for Rect class
b6ca04b0 6c63202c 69706d61 2000676e 62696c5b , clamping. [lib
b6ca04c0 005d6975 64696f76 6e555f20 646e6977 ui].void _Unwind
b6ca04d0 7365525f 28656d75 776e555f 5f646e69 _Resume(_Unwind_
b6ca04e0 65637845 6f697470 292a206e 74786500 Exception *).ext
b6ca04f0 616e7265 696c2f6c 78786362 2f696261 ernal/libcxxabi/
b6ca0500 2f637273 69776e55 552f646e 6e69776e src/Unwind/Unwin
b6ca0510 48452d64 2e494241 00707063 776e555f d-EHABI.cpp._Unw
memory near r6:
a29bffe0 00000008 00000000 00000000 00000000 ................
a29bfff0 00000008 00000000 00000000 00000000 ................
a29c0000 -------- -------- -------- -------- ................
a29c0010 -------- -------- -------- -------- ................
a29c0020 -------- -------- -------- -------- ................
a29c0030 -------- -------- -------- -------- ................
a29c0040 -------- -------- -------- -------- ................
a29c0050 -------- -------- -------- -------- ................
a29c0060 -------- -------- -------- -------- ................
a29c0070 -------- -------- -------- -------- ................
a29c0080 -------- -------- -------- -------- ................
a29c0090 -------- -------- -------- -------- ................
a29c00a0 -------- -------- -------- -------- ................
a29c00b0 -------- -------- -------- -------- ................
a29c00c0 -------- -------- -------- -------- ................
a29c00d0 -------- -------- -------- -------- ................
memory near r7:
a29b2900 9f067b80 9f4ffe30 9f032400 9f1af0f0 .{..0.O..$......
a29b2910 00000000 00000000 0000050b 000002d0 ................
a29b2920 00000001 00000040 b6c8d2fc b6750340 ....@.......@.u.
a29b2930 00000000 00000000 00000000 00000000 ................
a29b2940 00690075 0049002e 00750053 00660072 u.i...I.S.u.r.f.
a29b2950 00630061 00430065 006d006f 006f0070 a.c.e.C.o.m.p.o.
a29b2960 00650073 00000072 00000501 000002d0 s.e.r...........
a29b2970 00000000 00000040 b6c8d2fc 9efffa80 ....@...........
a29b2980 00000000 00000000 00000000 00000000 ................
a29b2990 00000000 00000000 00000000 00000000 ................
a29b29a0 00000000 00000000 00000000 00000000 ................
a29b29b0 00000000 00000000 00000000 00000000 ................
a29b29c0 00000000 00000040 b6c8d2fc 9efff5c0 ....@...........
a29b29d0 00000000 00000000 00000500 000002d0 ................
a29b29e0 00000000 00000000 00000000 00000000 ................
a29b29f0 00000000 00000000 00000000 00000000 ................
memory near r8:
9ce0b8e8 00000001 00000007 00000010 b6ca2be8 .............+..
9ce0b8f8 a29aefb0 00000001 00000007 00000010 ................
9ce0b908 00000500 000002d0 00000000 00000000 ................
9ce0b918 00000500 000002d0 00000500 000002d0 ................
9ce0b928 00000000 00000000 00000500 000002d0 ................
9ce0b938 00005497 00000000 702003ff 0000000a .T........ p....
9ce0b948 3f800000 00000000 00000000 00000000 ...?............
9ce0b958 3f800000 00000000 00000000 00000000 ...?............
9ce0b968 3f800000 00000000 b6ca2be8 a29aefb0 ...?.....+......
9ce0b978 00000001 00000007 00000010 b6ca2be8 .............+..
9ce0b988 a29aefb0 00000001 00000007 00000010 ................
9ce0b998 00000000 00000000 00000000 2036203c ............< 6
9ce0b9a8 5e6c61d3 00004b19 5e6c61d3 00004b19 .al^.K...al^.K..
9ce0b9b8 6169d976 00004b19 00000000 00000000 v.ia.K..........
9ce0b9c8 ffffffff 7fffffff ffffffff 7fffffff ................
9ce0b9d8 ffffffff 7fffffff 00000000 00000000 ................
memory near r9:
41742540 -------- -------- -------- -------- ................
41742550 -------- -------- -------- -------- ................
41742560 -------- -------- -------- -------- ................
41742570 -------- -------- -------- -------- ................
41742580 -------- -------- -------- -------- ................
41742590 -------- -------- -------- -------- ................
417425a0 -------- -------- -------- -------- ................
417425b0 -------- -------- -------- -------- ................
417425c0 -------- -------- -------- -------- ................
417425d0 -------- -------- -------- -------- ................
417425e0 -------- -------- -------- -------- ................
417425f0 -------- -------- -------- -------- ................
41742600 -------- -------- -------- -------- ................
41742610 -------- -------- -------- -------- ................
41742620 -------- -------- -------- -------- ................
41742630 -------- -------- -------- -------- ................
memory near sl:
b673f6c8 00000001 b6aa4018 b6a8c8d0 9f066b28 .....@......(k..
b673f6d8 b6a8c8d0 9f066b28 a013f0f0 00000000 ....(k..........
b673f6e8 9b709010 00000001 00000000 b6ef6784 ..p..........g..
b673f6f8 b673f724 00000001 b6aa4004 000000c0 $.s......@......
b673f708 00000001 b673f720 0000012b b6edf423 .... .s.+...#...
b673f718 0000012b b6e91b1f 9ce3c3a0 b6ea26b0 +............&..
b673f728 a013f0d0 00000001 00000000 00000004 ................
b673f738 b673f838 b673f804 b673f838 5f444d50 8.s...s.8.s.PMD_
b673f748 b6aa4000 00000000 000003e8 b6edf67b .@..........{...
b673f758 00000010 b6e9bcb5 b673f77c 00000000 ........|.s.....
b673f768 b673f77c b6e914b7 b673f804 b6e9a1d3 |.s.......s.....
b673f778 b673f804 b6a941c0 00000020 b673f804 ..s..A.. .....s.
b673f788 00000000 b69820d4 00000020 b660e000 ..... .. .....`.
b673f798 b6e96765 b6e9a1f7 b673f804 b69820b4 eg........s.. ..
b673f7a8 b673f838 b6aa4004 b673f804 5f444d50 8.s..@....s.PMD_
b673f7b8 00000000 00000000 0000012b b6e91987 ........+.......
memory near fp:
b673f6c8 00000001 b6aa4018 b6a8c8d0 9f066b28 .....@......(k..
b673f6d8 b6a8c8d0 9f066b28 a013f0f0 00000000 ....(k..........
b673f6e8 9b709010 00000001 00000000 b6ef6784 ..p..........g..
b673f6f8 b673f724 00000001 b6aa4004 000000c0 $.s......@......
b673f708 00000001 b673f720 0000012b b6edf423 .... .s.+...#...
b673f718 0000012b b6e91b1f 9ce3c3a0 b6ea26b0 +............&..
b673f728 a013f0d0 00000001 00000000 00000004 ................
b673f738 b673f838 b673f804 b673f838 5f444d50 8.s...s.8.s.PMD_
b673f748 b6aa4000 00000000 000003e8 b6edf67b .@..........{...
b673f758 00000010 b6e9bcb5 b673f77c 00000000 ........|.s.....
b673f768 b673f77c b6e914b7 b673f804 b6e9a1d3 |.s.......s.....
b673f778 b673f804 b6a941c0 00000020 b673f804 ..s..A.. .....s.
b673f788 00000000 b69820d4 00000020 b660e000 ..... .. .....`.
b673f798 b6e96765 b6e9a1f7 b673f804 b69820b4 eg........s.. ..
b673f7a8 b673f838 b6aa4004 b673f804 5f444d50 8.s..@....s.PMD_
b673f7b8 00000000 00000000 0000012b b6e91987 ........+.......
memory near sp:
b673f510 9ce0b908 b6e700b5 b673f6e8 b673f528 ..........s.(.s.
b673f520 b6c9dd53 b6ca0443 00000008 00000000 S...C...........
b673f530 00000000 00000000 0000006a 9ce0b800 ........j.......
b673f540 b6ef893c 00000000 b673f6e8 b6ed6e31 <.........s.1n..
b673f550 b6ab09b0 00000500 00000001 00000000 ................
b673f560 00000000 000002d0 00000000 00000000 ................
b673f570 00000500 000002d0 00000001 00000000 ................
b673f580 000000ff 00000003 00000000 3ff00000 ...............?
b673f590 00000000 00000000 00000000 00000000 ................
b673f5a0 00000000 3ff00000 b6750040 00000000 .......?@.u.....
b673f5b0 00000500 00000000 00000000 00000000 ................
b673f5c0 000002d0 00000500 00000000 00005492 .............T..
b673f5d0 b675d300 b6750040 00000000 00000000 ..u.@.u.........
b673f5e0 00000000 00000000 00000000 00000000 ................
b673f5f0 0000008d 0000006a b6aa4000 0000008d ....j....@......
b673f600 b673f668 ffff7938 41742563 b0000000 h.s.8y..c%tA....
code around pc:
b6c9dd1c bf08685e 44394605 001bf345 46209000 ^h...F9DE..... F
b6c9dd2c edc8f7fb 480db195 1705eb06 4478490c .......H.....IxD
b6c9dd3c e896180d 68b0000c e88d68f1 46200003 .......h.h.... F
b6c9dd4c f7fb4629 3610edb8 d1f242be e8bdb002 )F.....6.B......
b6c9dd5c bf0088f0 000050aa ffffd65a 0000508a .....P..Z....P..
b6c9dd6c ffffd67b 4604b510 49094808 58084478 {......F.H.IxD.X
b6c9dd7c 60203008 f7fb4620 4620ec9c ed0af7fb .0 ` F.... F....
b6c9dd8c e8bd4620 f0014010 bf00bc81 0000504c F...@......LP..
b6c9dd9c ffffffdc 00004770 00004770 4608011b ....pG..pG.....F
b6c9ddac 461a4611 bcf2f001 bf082b00 f9624770 .F.F.....+..pGb.
b6c9ddbc 3b010a8f 0a8df941 4770d1f9 4608011b ...;A.....pG...F
b6c9ddcc 461a4611 bceaf001 4608011b 461a4611 .F.F.......F.F.F
b6c9dddc bce4f001 48f0e92d 68876803 da0842bb ....-..H.h.h.B..
b6c9ddec 6841600b 42996883 6003dd0e 60132100 .`Ah.h.B...`.!.`
b6c9ddfc 429fe074 600fda0d 68c36801 dd0f428b t..B...`.h.h.B..
b6c9de0c 60116081 e0692101 21006011 0c00f04f .`.`.!i..`.!O...
code around lr:
b6c9dd30 480db195 1705eb06 4478490c e896180d ...H.....IxD....
b6c9dd40 68b0000c e88d68f1 46200003 f7fb4629 ...h.h.... F)F..
b6c9dd50 3610edb8 d1f242be e8bdb002 bf0088f0 ...6.B..........
b6c9dd60 000050aa ffffd65a 0000508a ffffd67b .P..Z....P..{...
b6c9dd70 4604b510 49094808 58084478 60203008 ...F.H.IxD.X.0 `
b6c9dd80 f7fb4620 4620ec9c ed0af7fb e8bd4620 F.... F.... F..
b6c9dd90 f0014010 bf00bc81 0000504c ffffffdc .@......LP......
b6c9dda0 00004770 00004770 4608011b 461a4611 pG..pG.....F.F.F
b6c9ddb0 bcf2f001 bf082b00 f9624770 3b010a8f .....+..pGb....;
b6c9ddc0 0a8df941 4770d1f9 4608011b 461a4611 A.....pG...F.F.F
b6c9ddd0 bceaf001 4608011b 461a4611 bce4f001 .......F.F.F....
b6c9dde0 48f0e92d 68876803 da0842bb 6841600b -..H.h.h.B...`Ah
b6c9ddf0 42996883 6003dd0e 60132100 429fe074 .h.B...`.!.`t..B
b6c9de00 600fda0d 68c36801 dd0f428b 60116081 ...`.h.h.B...`.`
b6c9de10 e0692101 21006011 0c00f04f 600be019 .!i..`.!O......`
b6c9de20 68c56841 dd0442a9 e0072300 21016013 Ah.h.B...#...`.!
8. 内存映射
/proc/[pid]/maps信息,主要关注分配的地址空间范围,链接库加载地址等
memory map: (fault address prefixed with --->)
7f593000-7f596fff r-x 0 4000 /system/bin/surfaceflinger (BuildId: 3542df5080ff5d8373eaa0daeaf50563)
7f597000-7f597fff r-- 3000 1000 /system/bin/surfaceflinger
7f598000-7f598fff rw- 0 1000
885e1000-88964fff rw- 0 384000 /dev/zero (deleted)
889a1000-88d60fff rw- 0 3c0000 /dev/zero (deleted)
88d61000-89120fff rw- 0 3c0000 /dev/zero (deleted)
89121000-894e0fff rw- 0 3c0000 /dev/zero (deleted)
894e1000-898a0fff rw- 0 3c0000 /dev/zero (deleted)
......
a2980000-a29bffff rw- 0 40000 [anon:libc_malloc]
--->Fault address falls at a29c0000 between mapped regions
......
b6c94000-b6ca0fff r-x 0 d000 /system/lib/libui.so (BuildId: bcbb0ef1524507569a065e0517f7de7e)
b6ca1000-b6ca1fff --- 0 1000
b6ca2000-b6ca2fff r-- d000 1000 /system/lib/libui.so
b6ca3000-b6ca3fff rw- e000 1000 /system/lib/libui.so
......
b6f27000-b6f28fff rw- 0 2000 [anon:thread signal stack]
b6f29000-b6f44fff r-x 0 1c000 /system/bin/linker (BuildId: fadfa94c4db633a6b0caa1b166a9d192)
b6f45000-b6f45fff r-- 1b000 1000 /system/bin/linker
b6f46000-b6f47fff rw- 1c000 2000 /system/bin/linker
b6f48000-b6f49fff rw- 0 2000
bec6e000-bec8efff rw- 0 21000 [stack]
bee27000-bee27fff r-x 0 1000 [sigpage]
ffff0000-ffff0fff r-x 0 1000 [vectors]
9. 常用分析工具
gdb, objdump, nm, addr2line, readelf
10. 案例分析
寄存器cpsr = 0x200F0030 = 0010 0000 0000 1111 0000 0000 0011 0000,处理器模式为USR(bits[4:0]=0b_10000),当前执行指令为thumb模式(bits[5] = 1)
错误原因是在 #00 pc 00009d3e /system/lib/libui.so (android::Region::dump(android::String8&, char const*, unsigned int) 非法访问内存地址0xa29c0000而引发。
拿到带符号的 /system/lib/libui.so—> /symbols/system/lib/libui.so文件
此时可以通过objdump -Dd /symbols/system/lib/libui.so > libui,so.objdump 获得反编译后的文件
或直接使用gdb加载带符号的libui.so
(gdb) file out/target/product/[platfrom]/symbols/system/lib/libui.so
Reading symbols from out/target/product/[platfrom]/symbols/system/lib/libui.so...done.
获得函数汇编指令
(gdb) disassemble 'android::Region::dump(android::String8&, char const*, unsigned int) const'+53
Dump of assembler code for function android::Region::dump(android::String8&, char const*, unsigned int) const:
0x00009d08 <+0>: stmdb sp!, {r4, r5, r6, r7, r11, lr}
0x00009d0c <+4>: sub sp, #8
0x00009d0e <+6>: mov r3, r0
0x00009d10 <+8>: mov r4, r1
0x00009d12 <+10>: ldr r0, [r3, #8]
0x00009d14 <+12>: ldr r1, [pc, #72] ; (0x9d60 <android::Region::dump(android::String8&, char const*, unsigned int) const+88>)
0x00009d16 <+14>: ldr r7, [pc, #76] ; (0x9d64 <android::Region::dump(android::String8&, char const*, unsigned int) const+92>)
0x00009d18 <+16>: subs r5, r0, #1
0x00009d1a <+18>: add r1, pc
0x00009d1c <+20>: ldr r6, [r3, #4]
0x00009d1e <+22>: it eq
0x00009d20 <+24>: moveq r5, r0
0x00009d22 <+26>: add r1, r7
0x00009d24 <+28>: sbfx r0, r5, #0, #28
0x00009d28 <+32>: str r0, [sp, #0]
0x00009d2a <+34>: mov r0, r4
0x00009d2c <+36>: blx 0x58c0
0x00009d30 <+40>: cbz r5, 0x9d58 <android::Region::dump(android::String8&, char const*, unsigned int) const+80>
0x00009d32 <+42>: ldr r0, [pc, #52] ; (0x9d68 <android::Region::dump(android::String8&, char const*, unsigned int) const+96>)
0x00009d34 <+44>: add.w r7, r6, r5, lsl #4
0x00009d38 <+48>: ldr r1, [pc, #48] ; (0x9d6c <android::Region::dump(android::String8&, char const*, unsigned int) const+100>)
0x00009d3a <+50>: add r0, pc
0x00009d3c <+52>: adds r5, r1, r0
0x00009d3e <+54>: ldmia.w r6, {r2, r3}
0x00009d42 <+58>: ldr r0, [r6, #8]
0x00009d44 <+60>: ldr r1, [r6, #12]
0x00009d46 <+62>: stmia.w sp, {r0, r1}
0x00009d4a <+66>: mov r0, r4
0x00009d4c <+68>: mov r1, r5
0x00009d4e <+70>: blx 0x58c0
0x00009d52 <+74>: adds r6, #16
0x00009d54 <+76>: cmp r6, r7
0x00009d56 <+78>: bne.n 0x9d3e <android::Region::dump(android::String8&, char const*, unsigned int) const+54>
0x00009d58 <+80>: add sp, #8
0x00009d5a <+82>: ldmia.w sp!, {r4, r5, r6, r7, r11, pc}
0x00009d5e <+86>: nop
0x00009d60 <+88>: andeq r5, r0, r10, lsr #1
0x00009d64 <+92>: ; <UNDEFINED> instruction: 0xffffd65a
0x00009d68 <+96>: andeq r5, r0, r10, lsl #1
0x00009d6c <+100>: ; <UNDEFINED> instruction: 0xffffd67b
End of assembler dump.
0x00009d3e <+54>: ldmia.w r6, {r2, r3} 此处访问地址0xa29c0000导致Crash,此时的r6寄存器存的值:正是0xa29c0000,ldmia.w r6, {r2, r3} 是32bit thumb指令分别将r6+0和r6+4的值读到r2和r3,相当于 ldr.w r2 [r6, #0],ldr.w r3 [r6, #4], 而当前的r6存放的地址是0xa29c0000,该地址不可访问。
如果程序继续往下,可知道0x00009d3e~0x00009d56之间是一个循环体
0x00009d3e <+54>: ldmia.w r6, {r2, r3}
0x00009d42 <+58>: ldr r0, [r6, #8]
0x00009d44 <+60>: ldr r1, [r6, #12]
0x00009d46 <+62>: stmia.w sp, {r0, r1}
0x00009d4a <+66>: mov r0, r4
0x00009d4c <+68>: mov r1, r5
0x00009d4e <+70>: blx 0x58c0
0x00009d52 <+74>: adds r6, #16
0x00009d54 <+76>: cmp r6, r7
0x00009d56 <+78>: bne.n 0x9d3e <android::Region::dump(android::String8&, char const*, unsigned int) const+54>
并且判断条件为
0x00009d54 <+76>: cmp r6, r7
而当前的r7 = 0xa29b2920 ,很显然 r6 > r7,在看到循环计数为
0x00009d52 <+74>: adds r6, #16
即r6 = r6 + 16,是一个自增语句,那么r6永远不可能等于r7,程序这么运行下去,可能会堆溢出,可能会栈溢出。通过在maps搜索地址0xa29b2920在哪个地址空间范围里
a2980000-a29bffff rw- 0 40000 [anon:libc_malloc]
获得代码行位置
(gdb) list *0x00009d3e
0x9d3e is in android::Region::dump(android::String8&, char const*, unsigned int) const (frameworks/native/libs/ui/Region.cpp:860).
852 void Region::dump(String8& out, const char* what, uint32_t /* flags */) const
853 {
854 const_iterator head = begin();
855 const_iterator const tail = end();
856
857 out.appendFormat(" Region %s (this=%p, count=%" PRIdPTR ")\n",
858 what, this, tail - head);
859 while (head != tail) {
860 out.appendFormat(" [%3d, %3d, %3d, %3d]\n", head->left, head->top,
861 head->right, head->bottom);
862 ++head;
863 }
864 }
其中0x00009d3e~0x00009d56为代码859~863的实现,其中pc = 0x00009d4e时,r0 = out,r1 = r5 = (" [%3d, %3d, %3d, %3d]\n")[0],r2 = head->left,r3 = head->top,剩下head->right,head->bottom分别有序存放在栈上。
这个循环过程中r5始终不变,此时应该仍保存了字符串的首地址r5 = 0xb6ca0443,通过r5寄存器附近内存信息可以找到该字符串:
b6ca0440 20000a29 5b202020 2c643325 64332520 ).. [%3d, %3d
b6ca0450 3325202c 25202c64 0a5d6433 63655200 , %3d, %3d]..Rec
[0xb6ca0443~b6ca045b] = 20 2020205b … 33645d0a = " [%3d, %3d, %3d, %3d]\n"
字符串常量存在elf文件中,我们也可以计算偏移量在gdb中打印,找到libui.so的加载地址,这时需要用到maps信息了。
b6c94000-b6ca0fff r-x 0 d000 /system/lib/libui.so (BuildId: bcbb0ef1524507569a065e0517f7de7e)
b6ca1000-b6ca1fff --- 0 1000
b6ca2000-b6ca2fff r-- d000 1000 /system/lib/libui.so
b6ca3000-b6ca3fff rw- e000 1000 /system/lib/libui.so
offset = addr - load = 0xb6ca0443 - 0xb6c94000 = 0x0000c443
(gdb) x /26 0x0000C443
0xc443: 0x20 0x20 0x20 0x20 0x5b 0x25 0x33 0x64
0xc44b: 0x2c 0x20 0x25 0x33 0x64 0x2c 0x20 0x25
0xc453: 0x33 0x64 0x2c 0x20 0x25 0x33 0x64 0x5d
0xc45b: 0x0a 0x00
当然也可以从汇编代码中计算出该字符串的偏移量,找到r5的计算相关指令
0x00009d32 <+42>: ldr r0, [pc, #52] ; (0x9d68 <android::Region::dump(android::String8&, char const*, unsigned int) const+96>)
0x00009d34 <+44>: add.w r7, r6, r5, lsl #4 ;// 这条是end()方法中的指令, 产生这样的结果是因为编译器优化,进行了重排
0x00009d38 <+48>: ldr r1, [pc, #48] ; (0x9d6c <android::Region::dump(android::String8&, char const*, unsigned int) const+100>)
0x00009d3a <+50>: add r0, pc
0x00009d3c <+52>: adds r5, r1, r0
- r0 = [0x00009d32 + 4 + 0x34] = [0x00009d68] = 0x0000508A
- r1 = [0x00009d38 + 4 + 0x30] = [0x00009d6c] = 0xFFFFD67B
- r0 = 0x0000508A + 0x00009D3A + 4 = 0x0000EDC8
- r5 = 0x0000EDC8 + 0xFFFFD67B[补] = 0x0000EDC8 + 0x80002985 = 0x0000EDC8 - 0x00002985 = 0x0000C443
其中:(这里也可以直接16进制打开libui.so打开找到对应的值)
(gdb) p /x *0x00009d68
$17 = 0x508a
(gdb) p /x *0x00009d6c
$18 = 0xffffd67b
r6 = head 在循环过程中自增,而r7 = tail = 0xa29b2920 始终不变,很可能在一开始head就已经大于tail,它们分别来自函数begin()和end(),用gdb查看相应的汇编指令。
(gdb) disassemble 'android::Region::begin() const'
Dump of assembler code for function android::Region::begin() const:
0x00008b40 <+0>: ldr r0, [r0, #4]
0x00008b42 <+2>: bx lr
(gdb) disassemble 'android::Region::end() const'
Dump of assembler code for function android::Region::end() const:
0x00008b44 <+0>: ldr r1, [r0, #4]
0x00008b46 <+2>: ldr r0, [r0, #8]
0x00008b48 <+4>: subs r2, r0, #1
0x00008b4a <+6>: it eq
0x00008b4c <+8>: moveq r2, r0
0x00008b4e <+10>: add.w r0, r1, r2, lsl #4
0x00008b52 <+14>: bx lr
计算下end()的结果,从汇编上看begin()和end()都从this偏移4个字节取值,应该是某个成员变量,这里先不管。
- r1 = [r0 + 4]
- r0 = [r0 + 8]
- r2 = r0 - 1 = [r0 + 8] - 1
- if r2 == 0 ; r2 = r0 = [r0 + 8]
- r0 = r1 - r2 << 4 = [r0 + 4] + (([r0 + 8] - 1) ? ([r0 + 8] : [r0 + 8] - 1)) * 16
记: [r0 + 4] = a, [r0 + 8] = b,那么end()返回值为
return a + 16 * [(b - 1) == 0] ? b : (b - 1)
当 b = 1; begin() = end()
当 b > 1; begin() < end() = a + 16 * b
当 b = 0; begin() > end() = a + 16 * (0 -1) = a - 16
当 b < 0; begin() > end() = a - 16 * b
分别查看0x00008b46,0x00008b40对应的代码行
(gdb) list *0x00008b40
0x8b40 is in android::Region::begin() const (system/core/include/utils/VectorImpl.h:59).
54 void finish_vector();
55
56 VectorImpl& operator = (const VectorImpl& rhs);
57
58 /*! C-style array access */
59 inline const void* arrayImpl() const { return mStorage; }
60 void* editArrayImpl();
61
62 /*! vector stats */
63 inline size_t size() const { return mCount; }
(gdb) list *0x00008b46
0x8b46 is in android::Region::end() const (system/core/include/utils/VectorImpl.h:63).
58 /*! C-style array access */
59 inline const void* arrayImpl() const { return mStorage; }
60 void* editArrayImpl();
61
62 /*! vector stats */
63 inline size_t size() const { return mCount; }
64 inline bool isEmpty() const { return mCount == 0; }
65 size_t capacity() const;
66 ssize_t setCapacity(size_t size);
67 ssize_t resize(size_t size);
分别是Vector.array()和Vector.size(),gdb加载symbols/system/lib/libutils.so
(gdb) ptype 'android::VectorImpl'
type = class android::VectorImpl {
private:
void *mStorage;
size_t mCount;
const uint32_t mFlags;
const size_t mItemSize;
...
(gdb) p &(('android::VectorImpl'*)0x0)->mStorage
$19 = (void **) 0x4
(gdb) p &(('android::VectorImpl'*)0x0)->mCount
$20 = (size_t *) 0x8
回到libui.so查看Region::mStorage成员偏移量
(gdb) ptype 'android::Region'
type = class android::Region : public android::LightFlattenable<android::Region> {
public:
static const android::Region INVALID_REGION;
private:
android::Vector<android::Rect> mStorage;
查看 mStorage在class内的偏移量
(gdb) p &(('android::Region'*)0)->mStorage
$8 = (android::Vector<android::Rect> *) 0x0
查看android::Rect成员
(gdb) ptype 'android::Rect'
type = class android::Rect : public ARect, public android::LightFlattenablePod<android::Rect> {
...
typedef ARect::value_type value_type;
(gdb) ptype 'ARect'
type = struct ARect {
value_type left;
value_type top;
value_type right;
value_type bottom;
typedef int32_t value_type;
}
一个Rect成员占16个字节,其中left偏移量0x0,top偏移量0x4,right偏移量0x8,bottom偏移量0xc;
(gdb) p &(('ARect'*)0x0)->left
$11 = (int32_t *) 0x0
(gdb) p &(('ARect'*)0x0)->top
$12 = (int32_t *) 0x4
(gdb) p &(('ARect'*)0x0)->right
$13 = (int32_t *) 0x8
(gdb) p &(('ARect'*)0x0)->bottom
$14 = (int32_t *) 0xc
begin() 通过 mStorage偏移4个字节找到Vector.mStorage,而end() 通过mStorage偏移8个字节找到Vector.mCount,再计算。 因此当size() = 0,应该让end() 返回 array();即begin() = end()
找到源代码文件frameworks/native/libs/ui/Region.cpp、frameworks/native/include/ui/Region.h
inline bool isRect() const { return mStorage.size() == 1; }
Region::const_iterator Region::begin() const {
return mStorage.array();
}
Region::const_iterator Region::end() const {
size_t numRects = isRect() ? 1 : mStorage.size() - 1;
return mStorage.array() + numRects;
}
最后修改为:
Region::const_iterator Region::end() const {
if (mStorage.isEmpty()) return mStorage.array();
size_t numRects = isRect() ? 1 : mStorage.size() - 1;
return mStorage.array() + numRects;
}
11. 局限性
由于tombstone只能保存到最后一帧时寄存器地址附近的内存状态,往往错误根源不在最后一帧产生,希望回溯上一帧信息往往都会遇到寄存器被复用过,丢失数值无法计算,这种情况下只有走查代码,但场景过多不易分析,要获得更多的信息时需要打开coredump重新复现,分析coredump。
本文地址:https://blog.csdn.net/penguin38/article/details/107360654