TMSDK native crash 20150817


报错堆栈

08-08 15:02:03.928  5122  5212 F libc    : Fatal signal 11 (SIGSEGV) at 0xf9efd31c (code=1), thread 5212 (Thread-278)
08-08 15:02:04.038   238   238 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-08 15:02:04.038   238   238 I DEBUG   : Build fingerprint: 'vivo/msm8916_32/msm8916_32:4.4.4/KTU84P/eng.compiler.20150702:user/dev-keys'
08-08 15:02:04.038   238   238 I DEBUG   : Revision: '0'
08-08 15:02:04.038   238   238 I DEBUG   : pid: 5122, tid: 5212, name: Thread-278  >>> com.iqoo.secure <<<
08-08 15:02:04.038   238   238 I DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr f9efd31c
08-08 15:02:04.338   238   238 I DEBUG   :     r0 61b975d4  r1 98000170  r2 61efd1ac  r3 61640c10
08-08 15:02:04.338   238   238 I DEBUG   :     r4 00000000  r5 00000026  r6 6163a350  r7 61b975a0
08-08 15:02:04.338   238   238 I DEBUG   :     r8 61b97b10  r9 61180c7c  sl 61230f20  fp 61b97b24
08-08 15:02:04.338   238   238 I DEBUG   :     ip 00000001  sp 61b975a0  lr 611a5dfb  pc 611a5d6a  cpsr a00e0030
08-08 15:02:04.338   238   238 I DEBUG   :     d0  2e6f692e61766152  d1  2e7961702e696265
08-08 15:02:04.338   238   238 I DEBUG   :     d2  722e6e6967756c61  d3  6c707564726f6364
08-08 15:02:04.338   238   238 I DEBUG   :     d4  0000200600004c70  d5  0000e5280000000f
08-08 15:02:04.338   238   238 I DEBUG   :     d6  0000007f00001001  d7  000020020000e768
08-08 15:02:04.338   238   238 I DEBUG   :     d8  0000000000000000  d9  0000000000000000
08-08 15:02:04.338   238   238 I DEBUG   :     d10 0000000000000000  d11 0000000000000000
08-08 15:02:04.338   238   238 I DEBUG   :     d12 0000000000000000  d13 0000000000000000
08-08 15:02:04.338   238   238 I DEBUG   :     d14 0000000000000000  d15 0000000000000000
08-08 15:02:04.338   238   238 I DEBUG   :     d16 67756c702f796170  d17 726f6365722f6e69
08-08 15:02:04.338   238   238 I DEBUG   :     d18 0041004200420041  d19 0046004500440043
08-08 15:02:04.338   238   238 I DEBUG   :     d20 0051005200520051  d21 0056005500540053
08-08 15:02:04.338   238   238 I DEBUG   :     d22 002e002d002c002b  d23 0030002f002d002e
08-08 15:02:04.338   238   238 I DEBUG   :     d24 0058005700550056  d25 0059005a005a0059
08-08 15:02:04.348   238   238 I DEBUG   :     d26 0000000000000000  d27 0000000000000000
08-08 15:02:04.348   238   238 I DEBUG   :     d28 0048004700450046  d29 0049004a004a0049
08-08 15:02:04.348   238   238 I DEBUG   :     d30 005a005a005a005a  d31 0000000000000000
08-08 15:02:04.348   238   238 I DEBUG   :     scr 60000012
08-08 15:02:04.348   238   238 I DEBUG   : 
08-08 15:02:04.348   238   238 I DEBUG   : backtrace:
08-08 15:02:04.348   238   238 I DEBUG   :     #00  pc 0001cd6a  /system/lib/libTms2-Ams-1.3.5-mfr.so ams/AMS_BlueShark/inc/DexFile.h:385  
08-08 15:02:04.348   238   238 I DEBUG   :     #01  pc 0001cdf7  /system/lib/libTms2-Ams-1.3.5-mfr.so ndk/sources/cxx-stl/stlport/stlport/stl/_string_base.h:156

DexFile.h:

<?prettify linenums=383?>

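/// Returns the string_ids entry at @p idx of the parsed .dex image.
/// @param idx  index into the string_ids table; for a .dex read from an APK this
///             value ultimately originates in the (untrusted) file itself.
/// @return pointer into the mapped .dex data, or NULL when @p idx is out of range.
/// The assert() is kept for debug builds, but it is compiled out under NDEBUG;
/// the explicit check below is what protects release builds, which previously
/// computed an arbitrary pointer from an out-of-range index. Callers must
/// handle the NULL result. Note that mStringIds itself is derived from the
/// header's stringIdsOff in SetupBasicPointers() without a length check.
inline const DexStringId* GetStringId(u4 idx) {
    assert(idx < mHeader->stringIdsSize);
    if (idx >= mHeader->stringIdsSize) {
        return NULL;   // out-of-range index from a malformed .dex
    }
    return &mStringIds[idx];
}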

_string_base.h

<?prettify linenums=156?>

  // stlport string base destructor: releases the string's heap block.
  // Frame #01 of the backtrace above lands here (_string_base.h:156); the
  // leading underscores of the stlport names (_String_base, _M_deallocate_block)
  // appear to have been lost when the page was rendered.
  ~Stringbase() { Mdeallocate_block(); }

从堆栈分析,调用关系并不成立,string的析构函数不会走到GetStringId这个函数;从堆栈报错的地址看,fault addr f9efd31c是一个位于内核空间的虚拟地址,这时程序已经跑飞了,可能在打印这个堆栈前程序就已经异常了。

DexFile.h:

<?prettify linenums=426?>

// Base of the string_ids table inside the mapped .dex data. It is assigned by
// SetupBasicPointers() as data + header->stringIdsOff, with no comparison
// against the file length, so a corrupt header makes it point outside the buffer.
const DexStringId*  mStringIds;

<?prettify linenums=74?>

/* One string_ids entry of a .dex file (u4 = 4-byte unsigned integer). */
typedef struct DexStringId {
    u4  stringDataOff;      /* file offset to the string_data_item; taken from the file as-is */
} DexStringId;

u4为四字节无符号整数

即使假设堆栈顶部是正常的,进一步分析

DexFile.h:

<?prettify linenums=383?>

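/// Returns the string_ids entry at @p idx of the parsed .dex image.
/// @param idx  index into the string_ids table; for a .dex read from an APK this
///             value ultimately originates in the (untrusted) file itself.
/// @return pointer into the mapped .dex data, or NULL when @p idx is out of range.
/// The assert() is kept for debug builds, but it is compiled out under NDEBUG;
/// the explicit check below is what protects release builds, which previously
/// computed an arbitrary pointer from an out-of-range index. Callers must
/// handle the NULL result. Note that mStringIds itself is derived from the
/// header's stringIdsOff in SetupBasicPointers() without a length check.
inline const DexStringId* GetStringId(u4 idx) {
    assert(idx < mHeader->stringIdsSize);
    if (idx >= mHeader->stringIdsSize) {
        return NULL;   // out-of-range index from a malformed .dex
    }
    return &mStringIds[idx];
}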

只能是mStringIds这个指针出现问题。查找该指针被修改的位置。

DexFile.cpp

<?prettify linenums=49?>

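/// Derives the table base pointers of a .dex image from its header.
/// @param data  start of the raw .dex data (after any opt header has been
///              peeled off); must hold at least sizeof(DexHeader) bytes.
/// The *Off fields are read from the file as-is and are not compared against
/// the file length, so a corrupt or truncated classes.dex yields table pointers
/// outside the buffer; a later GetStringId() etc. then reads wild memory.
/// The casts are pointer casts (the `*` was missing from the quoted listing,
/// cf. the surviving `(const DexLink*)` cast).
void DexFile::SetupBasicPointers(const u1* data) {
    const DexHeader* header = reinterpret_cast<const DexHeader*>(data);

    mBaseAddr = data;
    mStringIds = reinterpret_cast<const DexStringId*>(data + header->stringIdsOff);
    mTypeIds = reinterpret_cast<const DexTypeId*>(data + header->typeIdsOff);
    mFieldIds = reinterpret_cast<const DexFieldId*>(data + header->fieldIdsOff);
    mMethodIds = reinterpret_cast<const DexMethodId*>(data + header->methodIdsOff);
    mProtoIds = reinterpret_cast<const DexProtoId*>(data + header->protoIdsOff);
    mClassDefs = reinterpret_cast<const DexClassDef*>(data + header->classDefsOff);
    mLinkData = reinterpret_cast<const DexLink*>(data + header->linkOff);

    mHeader = header;
}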

DexFile.cpp

<?prettify linenums=70?>

AmsError DexFile::ParseFile(const u1* data, int length, int flags) {
    const DexHeader* header;
    const u1* magic;
    int result = -1;
 
    if (length < sizeof(DexHeader)) {
        // bad file format
        LOGE("too short to be a valid .dex\n");
        return AmsErrNotSupported;
    }
 
    /*
     * Peel off the optimized header.
     */
    if (memcmp(data, DEXOPTMAGIC, 4) == 0) {
        magic = data;
        if (memcmp(magic+4, DEXOPTMAGICVERS, 4) != 0) {
            LOGE("bad opt version (0x%02x %02x %02x %02x)\n", magic[4], magic[5], magic[6], magic[7]);
            return _AmsErrNotSupported;
        }
 
        mOptHeader = (const DexOptHeader) data;
        LOGV("Good opt header, DEX offset is %d, flags=0x%02x\n", mOptHeader->dexOffset, mOptHeader->flags);
 
        / ignore the opt header and appended data from here on out */
        data += mOptHeader->dexOffset;
        length -= mOptHeader->dexOffset;
        if ((int) mOptHeader->dexLength > length) {
            LOGE("File truncated? stored len=%d, rem len=%d\n", mOptHeader->dexLength, length);
            return _AmsErrNotSupported;
        }
        length = mOptHeader->dexLength;
    }
 
    SetupBasicPointers(data);
    header = mHeader;

上面这个函数最终是被ApkInfo.cpp中的ApkInfo::DeflateDexFile()调用的。

<?prettify linenums=106?>

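/// Extracts classes.dex from the APK into memory and hands it to ParseFile().
/// The raw bytes land in mDexMap (HAVE_POSIX_FILEMAP) or in mDexBuf.
/// @return _AmsErrNone on success; _AmsErrNotFound when the archive has no
///         classes.dex; _AmsErrNoMemory when the buffer cannot be allocated;
///         _AmsErrGeneral on zip errors; otherwise the error ParseFile() reported.
/// The entry size and content come from the archive being scanned and are not
/// trusted: the size is validated here, the .dex layout only in ParseFile().
AmsError ApkInfo::DeflateDexFile() {
    AmsError err = _AmsErrGeneral;

    // find classes.dex entry
    ZipEntry dexEntry = mZipArchive->FindEntry("classes.dex");
    if (dexEntry == NULL) {
        LOGE("classes.dex file not found\n");
        return _AmsErrNotFound;
    }

    // get classes.dex size
    long uncompLen = 0;
    if (!mZipArchive->GetEntryInfo(dexEntry, NULL, &uncompLen, NULL, NULL, NULL, NULL)) {
        LOGE("ZipArchive->GetEntryInfo error\n");
        return _AmsErrGeneral;
    }
    // The length is taken from the archive's own metadata; reject empty or
    // negative values before they reach new[] / sysCreatePrivateMap().
    if (uncompLen <= 0) {
        LOGE("classes.dex has invalid uncompressed length: %ld\n", uncompLen);
        return _AmsErrGeneral;
    }
    LOGV("uncompLen: %ld\n", uncompLen);

    // extract .dex entry to buffer
    u1* dexBuf = NULL;
#ifdef HAVE_POSIX_FILEMAP
    // drop any previous mapping before creating a new one
    sysReleaseShmem(&mDexMap);
    memset(&mDexMap, 0, sizeof(mDexMap));
    int r = sysCreatePrivateMap(uncompLen, &mDexMap);
    if (0 != r) {
        LOGE("ApkInfo::DeflateDexFile() sysCreatePrivateMap error: %d\n", r);
        return _AmsErrNoMemory;
    }
    dexBuf = static_cast<u1*>(mDexMap.addr);
#else
    if (mDexBuf != NULL) {
        delete[] mDexBuf;   // allocated with new[] below, so it must be delete[]
        mDexBuf = NULL;
    }
    mDexBuf = new u1[uncompLen];
    // only reachable when operator new returns NULL instead of throwing
    // (e.g. a -fno-exceptions build) — kept for that configuration
    if (mDexBuf == NULL) {
        LOGE("memory not enough\n");
        return _AmsErrNoMemory;
    }
    dexBuf = mDexBuf;
#endif

    long dexLen = mZipArchive->ExtractEntry(dexEntry, dexBuf);
    if (dexLen != uncompLen) {
        LOGE("ZipArchive->ExtractEntry error: length=%ld, expected=%ld\n", dexLen, uncompLen);
        return _AmsErrGeneral;
    }

    // set .dex content
    if ((err = mDexFile->ParseFile(dexBuf, dexLen, DexFile::kDexParseDefault)) != _AmsErrNone) {
        LOGE("DexFile->ParseFile error: %d\n", err);
        return err;
    }

    return _AmsErrNone;
}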

从代码看,如果是mStringIds有问题,应该是对应APK的classes.dex二进制文件有问题:SetupBasicPointers()直接用头部中的stringIdsOff计算mStringIds,并没有和文件长度做比较,所以头部偏移被破坏时该指针会指到缓冲区之外。


Copyright © FengGuangtu 2017