I have the same issue right now. Did you find a solution to your problem?

I've posted a question (Crash in /system/lib/libutils.so 
(android::Looper::pollOnce(int, int*, int*, void**)) in the *android-ndk* group 
that describes more details.

Any help on this would be much appreciated,
Bart

On Tuesday, 25 October 2011 at 21:21:23 UTC+2, Shridhar Basty wrote:
>
> Hello, 
>
> I'm working on fixing a system_server crash that was found to occur 
> randomly. By following the logs and the stack trace, I find a 
> situation that appears impossible to occur under normal circumstances. 
> The function "pollOnce()" in Looper.cpp is called with its pointer 
> arguments set to NULL. A SIGSEGV occurs in the body of the function 
> where an attempt is made to access one of the pointers (outFd). The 
> function arguments are never modified and checks are in place to 
> access pointers only if they are non-NULL. But it seems that this 
> pointer has changed and acquired a non-NULL invalid address. An access 
> in the subsequent code causes a SIGSEGV. I'm unable to see how outFd 
> got modified - unless a child function (pollInner) returned by not 
> restoring the registers correctly. From the disassembly, r6 is to hold 
> the backup of outFd and we see in the logs it is not null. The other 
> two pointer args (held in r8 and r7) seem to be proper (NULL). 
>
> I've provided the details below. I'm still trying to find an 
> explanation for this problem and will appreciate any suggestions. 
>
> Regards, 
> Shridhar 
>
> LOGS: 
> I/DEBUG   (  108): pid: 184, tid: 225  >>> system_server <<< 
> I/DEBUG   (  108): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 20000000 
> I/DEBUG   (  108):  r0 fffffffe  r1 00000001  r2 6d344489  r3 00000000 
> I/DEBUG   (  108):  r4 00388bf0  r5 ffffffff  r6 20000000  r7 00000000 
> I/DEBUG   (  108):  r8 00000000  r9 00000014  10 31359f10  fp 2b498a30 
> I/DEBUG   (  108):  ip 68127cb0  sp 31459b38  lr 6f904a1c  pc 68121b0a  cpsr 60000030 
>
> STACK TRACE WITH RELEVANT CODE INLINED: 
> #00  pc 00021b0a  /system/lib/libutils.so 
> android::Looper::pollOnce(int, int*, int*, void**) 
> frameworks/base/libs/utils/Looper.cpp:182 
>
>         159 int Looper::pollOnce(int timeoutMillis, int* outFd, int* outEvents, void** outData) { 
>         160     int result = 0; 
>         161     for (;;) { 
>         162         while (mResponseIndex < mResponses.size()) { 
>         163             const Response& response = mResponses.itemAt(mResponseIndex++); 
>         164             if (! response.request.callback) { 
>         165 #if DEBUG_POLL_AND_WAKE 
>         166                 LOGD("%p ~ pollOnce - returning signalled identifier %d: " 
>         167                         "fd=%d, events=0x%x, data=%p", this, 
>         168                         response.request.ident, response.request.fd, 
>         169                         response.events, response.request.data); 
>         170 #endif 
>         171                 if (outFd != NULL) *outFd = response.request.fd; 
>         172                 if (outEvents != NULL) *outEvents = response.events; 
>         173                 if (outData != NULL) *outData = response.request.data; 
>         174                 return response.request.ident; 
>         175             } 
>         176         } 
>         177 
>         178         if (result != 0) { 
>         179 #if DEBUG_POLL_AND_WAKE 
>         180             LOGD("%p ~ pollOnce - returning result %d", this, result); 
>         181 #endif 
> <HERE>        182             if (outFd != NULL) *outFd = 0; 
>         183             if (outEvents != NULL) *outEvents = NULL; 
>         184             if (outData != NULL) *outData = NULL; 
>         185             return result; 
>         186         } 
>         187 
>         188         result = pollInner(timeoutMillis); 
>         189     } 
>         190 } 
>
> #01  pc 00046b04  /system/lib/libandroid_runtime.so 
> android::Looper::pollOnce(int) 
> frameworks/base/include/utils/Looper.h:101 
>
>          99     int pollOnce(int timeoutMillis, int* outFd, int* outEvents, void** outData); 
>         100     inline int pollOnce(int timeoutMillis) { 
> <HERE>        101         return pollOnce(timeoutMillis, NULL, NULL, NULL); 
>         102     } 
>
> #02  pc 00046b0e  /system/lib/libandroid_runtime.so 
> _ZN7androidL38android_os_MessageQueue_nativePollOnceEP7_JNIEnvP8_jobjectii 
> frameworks/base/core/jni/android_os_MessageQueue.cpp:118 
>
>         115 static void android_os_MessageQueue_nativePollOnce(JNIEnv* env, jobject obj, 
>         116         jint ptr, jint timeoutMillis) { 
>         117     NativeMessageQueue* nativeMessageQueue = reinterpret_cast<NativeMessageQueue*>(ptr); 
> <HERE>        118     nativeMessageQueue->pollOnce(timeoutMillis); 
>         119 } 
>
> #03  pc 00011ef4  /system/lib/libdvm.so 
> dvmPlatformInvoke 
> dalvik/vm/arch/arm/CallEABI.S:243 
>
> #04  pc 00043754  /system/lib/libdvm.so 
> dvmCallJNIMethod_virtualNoRef 
> system/core/include/cutils/atomic-arm.h:25 
>
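
Added example, not part of the original thread and not code from either poster: a small triage script for the debuggerd output quoted above. It correlates the fault address with the register dump, lists the registers that are still zero, and checks that pc minus the frame #00 offset gives a page-aligned load base for libutils.so. The function names and the TOMBSTONE constant are assumptions made for this example; the sample input is the quoted log with the mail line wraps undone.

```python
import re

# Sample input: the debuggerd lines quoted in the post, mail line wraps undone.
TOMBSTONE = """\
I/DEBUG   (  108): pid: 184, tid: 225  >>> system_server <<<
I/DEBUG   (  108): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 20000000
I/DEBUG   (  108):  r0 fffffffe  r1 00000001  r2 6d344489  r3 00000000
I/DEBUG   (  108):  r4 00388bf0  r5 ffffffff  r6 20000000  r7 00000000
I/DEBUG   (  108):  r8 00000000  r9 00000014  10 31359f10  fp 2b498a30
I/DEBUG   (  108):  ip 68127cb0  sp 31459b38  lr 6f904a1c  pc 68121b0a  cpsr 60000030
#00  pc 00021b0a  /system/lib/libutils.so
"""

PREFIX = re.compile(r"^I/DEBUG\s*\(\s*\d+\):\s*")  # logcat tag and pid


def parse_tombstone(text):
    """Extract fault address, registers and frame #00 from debuggerd output."""
    info = {"fault_addr": None, "regs": {}, "frame0": None}
    for line in text.splitlines():
        body = PREFIX.sub("", line)
        m = re.search(r"fault addr ([0-9a-f]+)", body)
        if m:
            info["fault_addr"] = int(m.group(1), 16)
        elif re.match(r"(r\d|ip) [0-9a-f]{8}", body):
            for name, val in re.findall(r"(\S+) ([0-9a-f]{8})", body):
                # this dump prints r10 as a bare "10"
                info["regs"]["r10" if name == "10" else name] = int(val, 16)
        elif body.startswith("#00"):
            m = re.match(r"#00\s+pc ([0-9a-f]+)\s+(\S+)", body)
            info["frame0"] = (int(m.group(1), 16), m.group(2))
    return info


def triage(info):
    """Relate the fault address to the registers and to the crashing library."""
    regs, fault = info["regs"], info["fault_addr"]
    offset, lib = info["frame0"]
    base = regs["pc"] - offset  # where the library must be mapped
    return {
        "regs_holding_fault_addr": sorted(n for n, v in regs.items() if v == fault),
        "null_regs": sorted(n for n, v in regs.items() if v == 0),
        "lib": lib,
        "lib_base": base,
        "base_page_aligned": base % 0x1000 == 0,
        "thumb": bool(regs["cpsr"] & 0x20),  # CPSR T bit: disassemble as Thumb
    }


if __name__ == "__main__":
    for key, value in triage(parse_tombstone(TOMBSTONE)).items():
        print(key, hex(value) if key == "lib_base" else value)
```

On the quoted dump this singles out r6 as the only register equal to the fault address while r7 and r8 are zero, which matches the description in the post.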
