*Issue Summary:* Framework reboot due to native crash in zygote crash with
SIGSEGV error.
*Reproduction:* Long duration test with multiple apps and reproduction
rate – 1/100.
*Description:*
Below is the tombstone for zygote:
Line 56603:07-08 10:19:39.605 26565 26565 F DEBUG : Build
fingerprint:
------------------------------------------------------------------
Line 56604: 07-08 10:19:39.605 26565 26565 F DEBUG : Revision: '0'
Line 56605: 07-08 10:19:39.605 26565 26565 F DEBUG : ABI: 'arm'
Line 56608: 07-08 10:19:39.606 26565 26565 F DEBUG : pid: 652,
tid: 26546, name: HeapTaskDaemon >>> zygote <<<
Line 56609: 07-08 10:19:39.606 26565 26565 F DEBUG : signal 11
(SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x130
Line 56610: 07-08 10:19:39.606 26565 26565 F DEBUG : Cause: null
pointer dereference
Line 56611: 07-08 10:19:39.606 26565 26565 F DEBUG : r0
dec0b000 r1 5616eb84 r2 00000007 r3 00000000
Line 56612: 07-08 10:19:39.606 26565 26565 F DEBUG : r4
00000130 r5 cd7929c8 r6 00000000 r7 e4fdc380
Line 56613: 07-08 10:19:39.606 26565 26565 F DEBUG : r8
cd7924bc r9 00000000 r10 00000002 r11 00008a0c
Line 56614: 07-08 10:19:39.607 26565 26565 F DEBUG : ip
e49b8974 sp cd7924b0 lr e45e1507 pc e45ec316
Line 56712: 07-08 10:19:39.730 26565 26565 F DEBUG :
Line 56713: 07-08 10:19:39.730 26565 26565 F DEBUG : backtrace:
Line 56715: 07-08 10:19:39.730 26565 26565 F DEBUG : #00 pc
000aa316 /system/lib/libart.so (art::TimingLogger::Reset()+106)
Line 56716: 07-08 10:19:39.730 26565 26565 F DEBUG : #01 pc
0016663b /system/lib/libart.so
(art::gc::collector::GarbageCollector::Run(art::gc::GcCause, bool)+178)
Line 56717: 07-08 10:19:39.730 26565 26565 F DEBUG : #02 pc
0018035d /system/lib/libart.so
(art::gc::Heap::CollectGarbageInternal(art::gc::collector::GcType,
art::gc::GcCause, bool)+2420)
Line 56718: 07-08 10:19:39.730 26565 26565 F DEBUG : #03 pc
0018dbeb /system/lib/libart.so (art::gc::Heap::ConcurrentGC(art::Thread*,
art::gc::GcCause, bool)+182)
Line 56719: 07-08 10:19:39.730 26565 26565 F DEBUG : #04 pc
00191b11 /system/lib/libart.so
(art::gc::Heap::ConcurrentGCTask::Run(art::Thread*)+20)
Line 56720: 07-08 10:19:39.730 26565 26565 F DEBUG : #05 pc
001aa957 /system/lib/libart.so
(art::gc::TaskProcessor::RunAllTasks(art::Thread*)+34)
Line 56721: 07-08 10:19:39.731 26565 26565 F DEBUG : #06 pc
0007463b /system/framework/arm/boot-core-libart.oat (offset 0x73000)
(dalvik.system.VMRuntime.clampGrowthLimit [DEDUPED]+74)
Line 56722: 07-08 10:19:39.731 26565 26565 F DEBUG : #07 pc
0014a85d /system/framework/arm/boot-core-libart.oat (offset 0x73000)
(java.lang.Daemons$HeapTaskDaemon.runInternal+172)
Line 56723: 07-08 10:19:39.731 26565 26565 F DEBUG : #08 pc
000ec963 /system/framework/arm/boot-core-libart.oat (offset 0x73000)
(java.lang.Daemons$Daemon.run+66)
Line 56724: 07-08 10:19:39.731 26565 26565 F DEBUG : #09 pc
002151b1 /system/framework/arm/boot-core-oj.oat (offset 0x106000)
(java.lang.Thread.run+64)
Line 56725: 07-08 10:19:39.731 26565 26565 F DEBUG : #10 pc
00411575 /system/lib/libart.so (art_quick_invoke_stub_internal+68)
Line 56726: 07-08 10:19:39.731 26565 26565 F DEBUG : #11 pc
003eb045 /system/lib/libart.so (art_quick_invoke_stub+224)
Line 56727: 07-08 10:19:39.731 26565 26565 F DEBUG : #12 pc
000a183d /system/lib/libart.so (art::ArtMethod::Invoke(art::Thread*,
unsigned int*, unsigned int, art::JValue*, char const*)+136)
Line 56728: 07-08 10:19:39.731 26565 26565 F DEBUG : #13 pc
003498d5 /system/lib/libart.so (art::(anonymous
namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable
const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*,
art::JValue*, char const*)+52)
Line 56729: 07-08 10:19:39.731 26565 26565 F DEBUG : #14 pc
0034a62d /system/lib/libart.so
(art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable
const&, _jobject*, _jmethodID*, jvalue*)+320)
Line 56730: 07-08 10:19:39.731 26565 26565 F DEBUG : #15 pc
0036d0a3 /system/lib/libart.so (art::Thread::CreateCallback(void*)+866)
Line 56731: 07-08 10:19:39.731 26565 26565 F DEBUG : #16 pc
00072dcd /system/lib/libc.so (__pthread_start(void*)+22)
Line 56732: 07-08 10:19:39.731 26565 26565 F DEBUG : #17 pc
0001e3b1 /system/lib/libc.so (__start_thread+24)
One more observation is that we saw few app crashes prior to zygote crash
in the path of zygote forking these apps.
pid: 17395, tid: 17395, name: o.android.imoi >>> zygote <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4
Cause: null pointer dereference
r0 00000000 r1 8b148311 r2 00000000 r3 00000000
r4 e4bdc424 r5 e4bdc420 r6 e4b97a64 r7 e4bdc3c8
r8 e4bc8000 r9 e4bdc448 r10 00003000 r11 00000003
ip 000000ff sp ffbe1230 lr e41e7dd5 pc e41e7de8
backtrace:
#00 pc 000a8de8 /system/lib/libart.so
(art::CumulativeLogger::Reset()+68)
#01 pc 00166901 /system/lib/libart.so
(art::gc::collector::GarbageCollector:: ()+192)
#02 pc 0017d853 /system/lib/libart.so
(art::gc::Heap::ResetGcPerformanceInfo()+34)
#03 pc 003570db /system/lib/libart.so
(art::Runtime::InitNonZygoteOrPostFork(_JNIEnv*, bool,
art::Runtime::NativeBridgeAction, char const*, bool)+74)
#04 pc 002e8fb7 /system/lib/libart.so
(art::ZygoteHooks_nativePostForkChild(_JNIEnv*, _jclass*, long long, int,
unsigned char, unsigned char, _jstring*)+3146)
#05 pc 00074c63 /system/framework/arm/boot-core-libart.oat (offset
0x73000) (dalvik.system.ZygoteHooks.nativePostForkChild+154)
#06 pc 000eba15 /system/framework/arm/boot-core-libart.oat (offset
0x73000) (dalvik.system.ZygoteHooks.postForkChild+68)
#07 pc 00ba0ab9 /system/framework/arm/boot-framework.oat (offset
0x393000) (com.android.internal.os.Zygote.callPostForkChildHooks+80)
#08 pc 00412975 /system/lib/libart.so
(art_quick_invoke_stub_internal+68)
#09 pc 003eaec7 /system/lib/libart.so
(art_quick_invoke_static_stub+222)
#10 pc 000a184f /system/lib/libart.so
(art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int,
art::JValue*, char const*)+154)
#11 pc 00349655 /system/lib/libart.so (art::(anonymous
namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable
const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*,
art::JValue*, char const*)+52)
#12 pc 0034947f /system/lib/libart.so
(art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&,
_jobject*, _jmethodID*, std::__va_list)+310)
#13 pc 00290219 /system/lib/libart.so
(art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*,
std::__va_list)+444)
#14 pc 0006e579 /system/lib/libandroid_runtime.so
(_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+28)
#15 pc 0011c2ed /system/lib/libandroid_runtime.so ((anonymous
namespace)::ForkAndSpecializeCommon(_JNIEnv*, unsigned int, unsigned int,
_jintArray*, int, _jobjectArray*, long long, long long, int, _jstring*,
_jstring*, bool, _jintArray*, _jintArray*, bool, _jstring*, _jstring*)+4052)
#16 pc 0011ab37 /system/lib/libandroid_runtime.so
(android::com_android_internal_os_Zygote_nativeForkAndSpecialize(_JNIEnv*,
_jclass*, int, int, _jintArray*, int, _jobjectArray*, int, _jstring*,
_jstring*, _jintArray*, _jintArray*, unsigned char, _jstring*,
_jstring*)+470)
#17 pc 003b8ba3 /system/framework/arm/boot-framework.oat (offset
0x393000) (com.android.internal.os.Zygote.nativeForkAndSpecialize+338)
#18 pc 00ba3a8b /system/framework/arm/boot-framework.oat (offset
0x393000) (com.android.internal.os.ZygoteConnection.processOneCommand+1450)
#19 pc 00ba7a5b /system/framework/arm/boot-framework.oat (offset
0x393000) (com.android.internal.os.ZygoteServer.runSelectLoop+770)
#20 pc 00ba5269 /system/framework/arm/boot-framework.oat (offset
0x393000) (com.android.internal.os.ZygoteInit.main+1696)
#21 pc 00412975 /system/lib/libart.so
(art_quick_invoke_stub_internal+68)
#22 pc 003eaec7 /system/lib/libart.so
(art_quick_invoke_static_stub+222)
#23 pc 000a184f /system/lib/libart.so
(art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int,
art::JValue*, char const*)+154)
#24 pc 00349655 /system/lib/libart.so (art::(anonymous
namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable
const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*,
art::JValue*, char const*)+52)
#25 pc 0034947f /system/lib/libart.so
(art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&,
_jobject*, _jmethodID*, std::__va_list)+310)
#26 pc 00290219 /system/lib/libart.so
(art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*,
std::__va_list)+444)
#27 pc 0006e579 /system/lib/libandroid_runtime.so
(_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+28)
#28 pc 0007073b /system/lib/libandroid_runtime.so
(android::AndroidRuntime::start(char const*,
android::Vector<android::String8> const&, bool)+462)
#29 pc 00001c8f /system/bin/app_process32 (main+1122)
#30 pc 000a2245 /system/lib/libc.so (__libc_init+48)
#31 pc 000017eb /system/bin/app_process32 (_start_main+38)
#32 pc 000000c4 <unknown>
*Analysis:*
Loaded coredump in GDB:
#0 art::TimingLogger::Reset (this=0x130) at
art/runtime/base/timing_logger.cc:148
No locals.
#1 0xe46a863e in Reset (this=0x120, gc_cause=<optimized out>,
clear_soft_references=<optimized out>) at
art/runtime/gc/collector/garbage_collector.cc:49
No locals.
#2 art::gc::collector::GarbageCollector::Run (this=0xe4fdc380,
gc_cause=art::gc::kGcCauseBackground, clear_soft_references=true) at
art/runtime/gc/collector/garbage_collector.cc:92
start_time = 151785656375586
current_iteration = 0x120
end_time = <optimized out>
self = <optimized out>
#3 0xe46c2360 in art::gc::Heap::CollectGarbageInternal (this=0xe4f3c800,
gc_type=art::gc::collector::kGcTypeFull,
gc_cause=art::gc::kGcCauseBackground, clear_soft_references=<optimized out>)
at art/runtime/gc/heap.cc:2648
runtime = 0xe4f3c400
self = 0xe42acc00
collector = 0xe4fdc380
#4 0xe46cfbee in art::gc::Heap::ConcurrentGC (this=0xe4f3c800,
self=0xe42acc00, cause=art::gc::kGcCauseBackground, force_full=<optimized
out>) at art/runtime/gc/heap.cc:3675
next_gc_type = art::gc::collector::kGcTypeSticky
tid = 26546
#5 0xe46d3b14 in art::gc::Heap::ConcurrentGCTask::Run (this=<optimized
out>, self=0x5616eb84) at art/runtime/gc/heap.cc:3620
heap = 0xe4f3c800
#6 0xe46ec958 in art::gc::TaskProcessor::RunAllTasks (this=0xe4f30200,
self=0xe42acc00) at art/runtime/gc/task_processor.cc:129
task = 0xdec08000
#7 0x720bc63c in ?? ()
>From here, we see that at frame 2, current_iteration = 0x120 is holding
invalid address, which is a member of garbage collector class, see below
code for reference.
In file -- art/runtime/gc/collector/garbage_collector.cc
91 Iteration* current_iteration = GetCurrentIteration();
92 current_iteration->Reset(gc_cause, clear_soft_references);
429 const collector::Iteration* GetCurrentGcIteration() const {
430 return ¤t_gc_iteration_;
431 }
1254 collector::Iteration current_gc_iteration_;
And we see the collector object being zeroed out, which seems to be the
reason for our crash.
gdb) f 2
#2 art::gc::collector::GarbageCollector::Run (this=0xe4fdc380,
gc_cause=art::gc::kGcCauseBackground, clear_soft_references=true) at
art/runtime/gc/collector/garbage_collector.cc:92
92 in art/runtime/gc/collector/garbage_collector.cc
(gdb) x/100 this
0xe4fdc380: 0 0 0 0
0xe4fdc390: 0 0 0 0
0xe4fdc3a0: 0 0 0 0
0xe4fdc3b0: 0 0 0 0
0xe4fdc3c0: 0 0 0 0
0xe4fdc3d0: 0 0 0 0
0xe4fdc3e0: 0 0 0 0
0xe4fdc3f0: 0 0 0 0
0xe4fdc400: 0 0 0 0
0xe4fdc410: 0 0 0 0
0xe4fdc420: 0 0 0 0
0xe4fdc430: 0 0 0 0
0xe4fdc440: 0 0 0 0
0xe4fdc450: 0 0 0 0
0xe4fdc460: 0 0 0 0
0xe4fdc470: 0 0 0 0
0xe4fdc480: 0 0 0 0
0xe4fdc490: 0 0 0 0
0xe4fdc4a0: 0 0 0 0
0xe4fdc4b0: 0 0 0 0
0xe4fdc4c0: 0 0 0 0
0xe4fdc4d0: 0 0 0 0
0xe4fdc4e0: 0 0 0 0
0xe4fdc4f0: 0 0 0 0
The app crashes seen prior to this zygote crash also seem be to due to
similar reason, collector object being NULL.
Can you please help to provide any debug suggestions/ share any similar
instances of this issue ?
Debug approaches we pursued:
We have internally tried to use ASAN and malloc_debug to check is such
corruptions can be caught.
Unfortunately, after enabling malloc_debug, issue was not reproducible.
And with ASAN enablement, device runs slow, and results in other unrelated
issues.
Regards,
Deepika
--
You received this message because you are subscribed to the Google Groups
"Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/android-developers/ebe1f5f3-fcf0-488e-b087-378dbf7313de%40googlegroups.com.
