Hello,
I'm working on fixing a system_server crash that occurs randomly.
Following the logs and the stack trace, I found a situation that
should be impossible under normal circumstances.
The function "pollOnce()" in Looper.cpp is called with its pointer
arguments set to NULL. A SIGSEGV occurs in the body of the function
where an attempt is made to access one of the pointers (outFd). The
function arguments are never modified and checks are in place to
access pointers only if they are non-NULL. But it seems that this
pointer has changed and acquired an invalid non-NULL address, and the
access in the subsequent code causes a SIGSEGV. I'm unable to see how outFd
got modified - unless a child function (pollInner) returned without
restoring the registers correctly. From the disassembly, r6 holds the
saved copy of outFd, and the register dump shows it is not NULL (r6 =
20000000, which is also the fault address). The other two pointer args
(held in r8 and r7) look correct (NULL).
I've provided the details below. I'm still trying to find an
explanation for this problem and will appreciate any suggestions.
Regards,
Shridhar
LOGS:
I/DEBUG ( 108): pid: 184, tid: 225 >>> system_server <<<
I/DEBUG ( 108): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault
addr 20000000
I/DEBUG ( 108): r0 fffffffe r1 00000001 r2 6d344489 r3
00000000
I/DEBUG ( 108): r4 00388bf0 r5 ffffffff r6 20000000 r7
00000000
I/DEBUG ( 108): r8 00000000 r9 00000014 10 31359f10 fp
2b498a30
I/DEBUG ( 108): ip 68127cb0 sp 31459b38 lr 6f904a1c pc
68121b0a cpsr 60000030
STACK TRACE WITH RELEVANT CODE INLINED:
#00 pc 00021b0a /system/lib/libutils.so
android::Looper::pollOnce(int, int*, int*, void**)
frameworks/base/libs/utils/Looper.cpp:182
159 int Looper::pollOnce(int timeoutMillis, int* outFd, int*
outEvents, void** outData) {
160 int result = 0;
161 for (;;) {
162 while (mResponseIndex < mResponses.size()) {
163 const Response& response =
mResponses.itemAt(mResponseIndex++);
164 if (! response.request.callback) {
165 #if DEBUG_POLL_AND_WAKE
166 LOGD("%p ~ pollOnce - returning signalled
identifier %d: "
167 "fd=%d, events=0x%x, data=%p", this,
168 response.request.ident,
response.request.fd,
169 response.events, response.request.data);
170 #endif
171 if (outFd != NULL) *outFd = response.request.fd;
172 if (outEvents != NULL) *outEvents =
response.events;
173 if (outData != NULL) *outData =
response.request.data;
174 return response.request.ident;
175 }
176 }
177
178 if (result != 0) {
179 #if DEBUG_POLL_AND_WAKE
180 LOGD("%p ~ pollOnce - returning result %d", this,
result);
181 #endif
<HERE> 182 if (outFd != NULL) *outFd = 0;
183 if (outEvents != NULL) *outEvents = NULL;
184 if (outData != NULL) *outData = NULL;
185 return result;
186 }
187
188 result = pollInner(timeoutMillis);
189 }
190 }
#01 pc 00046b04 /system/lib/libandroid_runtime.so
android::Looper::pollOnce(int)
frameworks/base/include/utils/Looper.h:101
99 int pollOnce(int timeoutMillis, int* outFd, int* outEvents,
void** outData);
100 inline int pollOnce(int timeoutMillis) {
<HERE> 101 return pollOnce(timeoutMillis, NULL, NULL, NULL);
102 }
#02 pc 00046b0e /system/lib/libandroid_runtime.so
_ZN7androidL38android_os_MessageQueue_nativePollOnceEP7_JNIEnvP8_jobjectii
frameworks/base/core/jni/android_os_MessageQueue.cpp:118
115 static void android_os_MessageQueue_nativePollOnce(JNIEnv* env,
jobject obj,
116 jint ptr, jint timeoutMillis) {
117 NativeMessageQueue* nativeMessageQueue =
reinterpret_cast<NativeMessageQueue*>(ptr);
<HERE> 118 nativeMessageQueue->pollOnce(timeoutMillis);
119 }
#03 pc 00011ef4 /system/lib/libdvm.so
dvmPlatformInvoke
dalvik/vm/arch/arm/CallEABI.S:243
#04 pc 00043754 /system/lib/libdvm.so
dvmCallJNIMethod_virtualNoRef
system/core/include/cutils/atomic-arm.h:25