08-08 15:02:03.928 5122 5212 F libc : Fatal signal 11 (SIGSEGV) at 0xf9efd31c (code=1), thread 5212 (Thread-278)
08-08 15:02:04.038 238 238 I DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-08 15:02:04.038 238 238 I DEBUG : Build fingerprint: 'vivo/msm8916_32/msm8916_32:4.4.4/KTU84P/eng.compiler.20150702:user/dev-keys'
08-08 15:02:04.038 238 238 I DEBUG : Revision: '0'
08-08 15:02:04.038 238 238 I DEBUG : pid: 5122, tid: 5212, name: Thread-278 >>> com.iqoo.secure <<<
08-08 15:02:04.038 238 238 I DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr f9efd31c
08-08 15:02:04.338 238 238 I DEBUG : r0 61b975d4 r1 98000170 r2 61efd1ac r3 61640c10
08-08 15:02:04.338 238 238 I DEBUG : r4 00000000 r5 00000026 r6 6163a350 r7 61b975a0
08-08 15:02:04.338 238 238 I DEBUG : r8 61b97b10 r9 61180c7c sl 61230f20 fp 61b97b24
08-08 15:02:04.338 238 238 I DEBUG : ip 00000001 sp 61b975a0 lr 611a5dfb pc 611a5d6a cpsr a00e0030
08-08 15:02:04.338 238 238 I DEBUG : d0 2e6f692e61766152 d1 2e7961702e696265
08-08 15:02:04.338 238 238 I DEBUG : d2 722e6e6967756c61 d3 6c707564726f6364
08-08 15:02:04.338 238 238 I DEBUG : d4 0000200600004c70 d5 0000e5280000000f
08-08 15:02:04.338 238 238 I DEBUG : d6 0000007f00001001 d7 000020020000e768
08-08 15:02:04.338 238 238 I DEBUG : d8 0000000000000000 d9 0000000000000000
08-08 15:02:04.338 238 238 I DEBUG : d10 0000000000000000 d11 0000000000000000
08-08 15:02:04.338 238 238 I DEBUG : d12 0000000000000000 d13 0000000000000000
08-08 15:02:04.338 238 238 I DEBUG : d14 0000000000000000 d15 0000000000000000
08-08 15:02:04.338 238 238 I DEBUG : d16 67756c702f796170 d17 726f6365722f6e69
08-08 15:02:04.338 238 238 I DEBUG : d18 0041004200420041 d19 0046004500440043
08-08 15:02:04.338 238 238 I DEBUG : d20 0051005200520051 d21 0056005500540053
08-08 15:02:04.338 238 238 I DEBUG : d22 002e002d002c002b d23 0030002f002d002e
08-08 15:02:04.338 238 238 I DEBUG : d24 0058005700550056 d25 0059005a005a0059
08-08 15:02:04.348 238 238 I DEBUG : d26 0000000000000000 d27 0000000000000000
08-08 15:02:04.348 238 238 I DEBUG : d28 0048004700450046 d29 0049004a004a0049
08-08 15:02:04.348 238 238 I DEBUG : d30 005a005a005a005a d31 0000000000000000
08-08 15:02:04.348 238 238 I DEBUG : scr 60000012
08-08 15:02:04.348 238 238 I DEBUG :
08-08 15:02:04.348 238 238 I DEBUG : backtrace:
08-08 15:02:04.348 238 238 I DEBUG : #00 pc 0001cd6a /system/lib/libTms2-Ams-1.3.5-mfr.so ams/AMS_BlueShark/inc/DexFile.h:385
08-08 15:02:04.348 238 238 I DEBUG : #01 pc 0001cdf7 /system/lib/libTms2-Ams-1.3.5-mfr.so ndk/sources/cxx-stl/stlport/stlport/stl/_string_base.h:156
DexFile.h:
<?prettify linenums=383?>
// Returns the address of the idx-th string_id entry of the mapped dex.
// The only bound check is an assert(), which is compiled out under NDEBUG:
// in a release build an out-of-range idx walks past mStringIds unchecked,
// so callers must only pass indices taken from a validated dex.
inline const DexStringId* GetStringId(u4 idx) {
    assert(idx < mHeader->stringIdsSize);
    const DexStringId* entry = mStringIds + idx;
    return entry;
}
stringbase.h
<?prettify linenums=156?>
// stlport string base destructor: releases the string's heap block.
// NOTE(review): the identifiers look extraction-damaged -- the tombstone names
// the file `_string_base.h`, so this is presumably `~_String_base() { _M_deallocate_block(); }`;
// confirm against the NDK stlport source.
~Stringbase() { Mdeallocate_block(); }
从堆栈分析,调用关系并不成立,string
的析构函数不会走到GetStringId
这个函数,从堆栈报错的地址看fault addr f9efd31c
这是一个位于内核空间的虚拟地址,
这时程序已经跑飞了,可能在打印这个堆栈前程序就已经异常了。
DexFile.h:
<?prettify linenums=426?>
// Base of the dex string_ids table. Assigned from header->stringIdsOff in
// SetupBasicPointers() and indexed by GetStringId(); it is only as valid as
// that header offset.
const DexStringId* mStringIds;
<?prettify linenums=74?>
// One entry of the dex string_ids table (u4 is a four-byte unsigned integer).
typedef struct DexStringId {
    u4 stringDataOff; /* file offset to the string_data_item */
} DexStringId;
u4为四字节无符号整数
即使假设堆栈顶部是正常的,进一步分析
DexFile.h:
<?prettify linenums=383?>
// Returns the address of the idx-th string_id entry of the mapped dex.
// The only bound check is an assert(), which is compiled out under NDEBUG:
// in a release build an out-of-range idx walks past mStringIds unchecked,
// so callers must only pass indices taken from a validated dex.
inline const DexStringId* GetStringId(u4 idx) {
    assert(idx < mHeader->stringIdsSize);
    const DexStringId* entry = mStringIds + idx;
    return entry;
}
只能是mStringIds
这个指针出现问题。查找该指针被修改的位置。
DexFile.cpp
<?prettify linenums=49?>
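// Derives every section pointer from the offsets stored in the dex header at
// `data`. Sets mBaseAddr, mStringIds, mTypeIds, mFieldIds, mMethodIds,
// mProtoIds, mClassDefs, mLinkData and mHeader.
//
// The page's copy had lost the `*` of each pointer cast (rendered as
// `(DexHeader) data`, `(const DexStringId) (...)`); they are restored here as
// explicit pointer casts so the `->` and member assignments type-check.
//
// NOTE(review): the offsets are taken from the (untrusted) file as-is and
// nothing here compares them with the buffer length -- this function is not
// given one. Unless the caller validates the header before the members set
// here are dereferenced, a crafted header leaves e.g. mStringIds pointing
// outside the dex buffer.
void DexFile::SetupBasicPointers(const u1* data) {
    const DexHeader* header = reinterpret_cast<const DexHeader*>(data);
    mBaseAddr = data;
    mStringIds = reinterpret_cast<const DexStringId*>(data + header->stringIdsOff);
    mTypeIds = reinterpret_cast<const DexTypeId*>(data + header->typeIdsOff);
    mFieldIds = reinterpret_cast<const DexFieldId*>(data + header->fieldIdsOff);
    mMethodIds = reinterpret_cast<const DexMethodId*>(data + header->methodIdsOff);
    mProtoIds = reinterpret_cast<const DexProtoId*>(data + header->protoIdsOff);
    mClassDefs = reinterpret_cast<const DexClassDef*>(data + header->classDefsOff);
    mLinkData = reinterpret_cast<const DexLink*>(data + header->linkOff);
    mHeader = header;
}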
DexFile.cpp
<?prettify linenums=70?>
AmsError DexFile::ParseFile(const u1* data, int length, int flags) { const DexHeader* header; const u1* magic; int result = -1; if (length < sizeof(DexHeader)) { // bad file format LOGE("too short to be a valid .dex\n"); return AmsErrNotSupported; } /* * Peel off the optimized header. */ if (memcmp(data, DEXOPTMAGIC, 4) == 0) { magic = data; if (memcmp(magic+4, DEXOPTMAGICVERS, 4) != 0) { LOGE("bad opt version (0x%02x %02x %02x %02x)\n", magic[4], magic[5], magic[6], magic[7]); return _AmsErrNotSupported; } mOptHeader = (const DexOptHeader) data; LOGV("Good opt header, DEX offset is %d, flags=0x%02x\n", mOptHeader->dexOffset, mOptHeader->flags); / ignore the opt header and appended data from here on out */ data += mOptHeader->dexOffset; length -= mOptHeader->dexOffset; if ((int) mOptHeader->dexLength > length) { LOGE("File truncated? stored len=%d, rem len=%d\n", mOptHeader->dexLength, length); return _AmsErrNotSupported; } length = mOptHeader->dexLength; } SetupBasicPointers(data); header = mHeader;
上面这个函数最终是被ApkInfo.cpp
中的ApkInfo::DeflateDexFile()
调用的。
<?prettify linenums=106?>
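// Extracts classes.dex from the APK into a private buffer and hands it to
// mDexFile->ParseFile(). Returns _AmsErrNone on success, otherwise the
// AmsError of the first step that failed. Everything consumed here (the
// entry's declared size and its bytes) comes from the untrusted archive.
//
// Fixes relative to the previous version: the scalar `delete` on a `new[]`
// buffer is now `delete[]`; a zero/negative declared size is rejected before
// it reaches an allocator (a negative long becomes a huge size_t); `long`
// values are logged with `%ld`; and the preprocessor directives that the
// page rendering had stripped (`#ifdef HAVE_POSIX_FILEMAP` / `#else` /
// `#endif`) are restored.
AmsError ApkInfo::DeflateDexFile() {
    AmsError err = _AmsErrGeneral;

    // find classes.dex entry
    ZipEntry dexEntry = mZipArchive->FindEntry("classes.dex");
    if (dexEntry == NULL) {
        LOGE("classes.dex file not found\n");
        return _AmsErrNotFound;
    }

    // get classes.dex size -- the size declared in the zip directory, which
    // is only confirmed once ExtractEntry() reports what it actually wrote
    long uncompLen = 0;
    if (!mZipArchive->GetEntryInfo(dexEntry, NULL, &uncompLen, NULL, NULL, NULL, NULL)) {
        LOGE("ZipArchive->GetEntryInfo error\n");
        return _AmsErrGeneral;
    }
    LOGV("uncompLen: %ld\n", uncompLen);
    if (uncompLen <= 0) {
        LOGE("classes.dex has invalid uncompressed size: %ld\n", uncompLen);
        return _AmsErrNotSupported;
    }

    // extract .dex entry to buffer
    u1* dexBuf = NULL;
#ifdef HAVE_POSIX_FILEMAP
    // A fresh private mapping per call; release whatever the previous call left.
    sysReleaseShmem(&mDexMap);
    memset(&mDexMap, 0, sizeof(mDexMap));
    int r = sysCreatePrivateMap(uncompLen, &mDexMap);
    if (0 != r) {
        LOGE("ApkInfo::DeflateDexFile() sysCreatePrivateMap error: %d\n", r);
        return _AmsErrNoMemory;
    }
    dexBuf = static_cast<u1*>(mDexMap.addr);
#else
    // mDexBuf is allocated with new[] below, so it must be released with
    // delete[] (deleting a NULL pointer is a no-op, so no guard is needed).
    delete[] mDexBuf;
    mDexBuf = NULL;
    mDexBuf = new u1[uncompLen];
    if (mDexBuf == NULL) {
        // Only reachable when operator new returns NULL instead of throwing
        // (e.g. a -fno-exceptions build); kept because this file reports
        // failures through return codes, not exceptions.
        LOGE("memory not enough\n");
        return _AmsErrNoMemory;
    }
    dexBuf = mDexBuf;
#endif

    long dexLen = mZipArchive->ExtractEntry(dexEntry, dexBuf);
    if (dexLen != uncompLen) {
        LOGE("ZipArchive->ExtractEntry error: length=%ld, expected=%ld\n", dexLen, uncompLen);
        return _AmsErrGeneral;
    }

    // set .dex content
    if ((err = mDexFile->ParseFile(dexBuf, dexLen, DexFile::kDexParseDefault)) != _AmsErrNone) {
        LOGE("DexFile->ParseFile error: %d\n", err);
        return err;
    }
    return _AmsErrNone;
}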
从代码看如果是mStringIds
有问题,应该是对应的APK的classes.dex
二进制文件有问题。