I. Capture the coredump
II. Debug the coredump
1 Locate gdb. Taking 1881 as an example, cd /prebuild; the binary is ./gdb/linux-x86/bin/gdb
2 Run gdb
3 Load the executable
cd ../../../dzh-3t/bug/717715/
file symbols/system/bin/app_process64
4 Set the shared-library search path
set solib-search-path symbols/system/lib64
5 Load the core file
core core-system_server-1727
(gdb) bt
#0 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
#1 0x0000007f9c663f40 in futex (uaddr=0x7f9ccf75d0, op=0, val=48, val3=0, timeout=<optimized out>, uaddr2=<optimized out>) at art/runtime/base/mutex-inl.h:45
#2 art::ConditionVariable::WaitHoldingLocks (this=<optimized out>, self=<optimized out>) at art/runtime/base/mutex.cc:848
#3 0x0000007f9c8ff30c in TransitionFromSuspendedToRunnable (this=<optimized out>) at art/runtime/thread-inl.h:209
#4 ScopedThreadStateChange (self=<optimized out>, new_thread_state=art::kRunnable, this=<optimized out>) at art/runtime/scoped_thread_state_change.h:51
#5 ScopedObjectAccessUnchecked (this=<optimized out>, env=<optimized out>) at art/runtime/scoped_thread_state_change.h:224
#6 ScopedObjectAccess (this=<optimized out>, env=<optimized out>) at art/runtime/scoped_thread_state_change.h:255
#7 art::JNI::NewStringUTF (env=<optimized out>, utf=<optimized out>) at art/runtime/jni_internal.cc:1646
#8 0x0000007f9da03a60 in NewStringUTF (bytes=<optimized out>, this=0x7f9cc3e180) at libnativehelper/include/nativehelper/jni.h:842
#9 android::android_content_AssetManager_getArrayStringResource (env=0x7f9cc3e180, clazz=<optimized out>, arrayResId=<optimized out>) at frameworks/base/core/jni/android_util_AssetManager.cpp:1982
#10 0x000000007469d84c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)
(gdb) info threads
146 LWP 2137 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
145 LWP 2160 __ppoll () at bionic/libc/arch-arm64/syscalls/__ppoll.S:7
144 LWP 1943 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
143 LWP 1940 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
142 LWP 1737 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
141 LWP 2304 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
140 LWP 2353 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
(gdb) t 142
[Switching to thread 142 (LWP 1737)]
#0 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
41 in bionic/libc/arch-arm64/bionic/syscall.S
(gdb) bt
#0 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
#1 0x0000007f9ca2afcc in futex (val3=0, uaddr=<optimized out>, op=<optimized out>, val=<optimized out>, timeout=<optimized out>, uaddr2=<optimized out>) at art/runtime/base/mutex-inl.h:45
#2 art::ThreadList::SuspendAllInternal (this=<optimized out>, self=<optimized out>, ignore1=<optimized out>, ignore2=<optimized out>, debug_suspend=<optimized out>) at art/runtime/thread_list.cc:591
#3 0x0000007f9ca2b69c in art::ThreadList::SuspendAll (this=0x7f9cced000, cause=0x7f9cb5dea8 "ScopedPause", long_suspend=<optimized out>) at art/runtime/thread_list.cc:481
#4 0x0000007f9c77dcec in art::gc::collector::MarkSweep::RunPhases (this=<optimized out>) at art/runtime/gc/collector/mark_sweep.cc:153
#5 0x0000007f9c7746a4 in art::gc::collector::GarbageCollector::Run (this=0x7f9cc88780, gc_cause=art::gc::kGcCauseBackground,
clear_soft_references=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at art/runtime/gc/collector/garbage_collector.cc:87
#6 0x0000007f9c7ab75c in art::gc::Heap::CollectGarbageInternal (this=<optimized out>, gc_type=<optimized out>, gc_cause=<optimized out>,
clear_soft_references=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at art/runtime/gc/heap.cc:2720
#7 0x0000007f9c7b3dd0 in art::gc::Heap::ConcurrentGC (this=0x7f9cc4c700, self=<optimized out>, force_full=<error reading variable: access outside bounds of object referenced via synthetic pointer>)
at art/runtime/gc/heap.cc:3723
#8 0x0000007f9c7bbb90 in art::gc::Heap::ConcurrentGCTask::Run (this=<optimized out>, self=0x0) at art/runtime/gc/heap.cc:3686
#9 0x0000007f9c7e2048 in art::gc::TaskProcessor::RunAllTasks (this=<optimized out>, self=<optimized out>) at art/runtime/gc/task_processor.cc:124
#10 0x0000000072437bf4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) f 3
#3 0x0000007f9ca2b69c in art::ThreadList::SuspendAll (this=0x7f9cced000, cause=0x7f9cb5dea8 "ScopedPause", long_suspend=<optimized out>) at art/runtime/thread_list.cc:481
481 art/runtime/thread_list.cc: 没有那个文件或目录.
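define dump_all_threads_state
  # Run from a frame whose `this` is the art::ThreadList (frame 3 above) so that list_ resolves.
  set $end = &list_.__end_
  set $current = list_.__end_.__next_
  # libc++ std::list is circular: stop at the sentinel node instead of waiting for 0.
  while $current != $end
    p *(*(std::__1::__list_node<art::Thread*, void*> *)$current).__value_
    set $current = $current.__next_
  end
end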
(gdb) info variables instance_
All variables matching regular expression "instance_":
File art/runtime/arch/arm64/quick_entrypoints_arm64.S:
static __CORE_ADDR art_quick_check_instance_of;
File art/runtime/jit/profile_saver.h:
art::ProfileSaver *art::ProfileSaver::instance_;
File art/runtime/runtime.h:
art::Runtime *art::Runtime::instance_;
(gdb) f 5
#5 art::Thread::FullSuspendCheck (this=0x7944241400) at art/runtime/thread.cc:1561
1561 art/runtime/thread.cc: 没有那个文件或目录.
(gdb) p art::Runtime::instance_
$4 = (art::Runtime *) 0x794fab9600
(gdb) p (*art::Runtime::instance_).thread_list_
$5 = (art::ThreadList *) 0x794faee000
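define dump_threads_state
  # Address of the art::ThreadList taken from art::Runtime::instance_ above.
  set $end = &((art::ThreadList *) 0x794faee000).list_.__end_
  set $current = ((art::ThreadList *) 0x794faee000).list_.__end_.__next_
  # libc++ std::list is circular: stop at the sentinel node instead of waiting for 0.
  while $current != $end
    p *(*(std::__1::__list_node<art::Thread*, void*> *)$current).__value_
    set $current = $current.__next_
  end
end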
[ro.build.inside.id]: [8.1.0-20180621174504_I]
(gdb) set print pretty on
(gdb) set pagination off
(gdb) dump_threads_state
For the state values, see http://opengrok.rnd.meizu.com/xref/M1881_NF7_base/art/runtime/thread_state.h
Find the thread with state=67, i.e. Runnable:
$20 = {
tls32_ = {
state_and_flags = {
as_struct = {
flags = 5,
state = 67
},
tid = 1942,
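This turns out to be the thread with tid=1942.
Run info threads again and use pid 1942 (shown in the LWP column) to find the corresponding gdb thread number: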
60 LWP 1942 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
(gdb) t 60
[Switching to thread 60 (LWP 1942)]
#0 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
41 bionic/libc/arch-arm64/bionic/syscall.S: 没有那个文件或目录.
(gdb) bt
#0 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
#1 0x0000007f9dff9a00 in __futex (op=<optimized out>, timeout=0x0, bitset=-1, ftx=<optimized out>, value=<optimized out>) at bionic/libc/private/bionic_futex.h:48
#2 __futex_wait_ex (ftx=<optimized out>, shared=<optimized out>, value=<optimized out>, use_realtime_clock=<optimized out>, abs_timeout=<optimized out>) at bionic/libc/private/bionic_futex.h:70
#3 __pthread_normal_mutex_lock (abs_timeout_or_null=<optimized out>, mutex=<optimized out>, shared=<optimized out>, use_realtime_clock=<optimized out>) at bionic/libc/bionic/pthread_mutex.cpp:327
#4 __pthread_mutex_lock_with_timeout (mutex=<optimized out>, use_realtime_clock=<optimized out>, abs_timeout_or_null=<optimized out>) at bionic/libc/bionic/pthread_mutex.cpp:430
#5 0x0000007f9da06f94 in android::android_content_AssetManager_applyStyle (env=0x7f8d441500, themeToken=1979122816, defStyleAttr=<optimized out>, defStyleRes=16974670, xmlParserToken=1953312172, attrs=0x70f1b958, outValues=0x746d2cac, outIndices=0x70fbfcc8, clazz=<optimized out>) at frameworks/base/core/jni/android_util_AssetManager.cpp:1434
#6 0x000000007469cd8c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Look at android_util_AssetManager.cpp:1434:
// Now lock down the resource object and start pulling stuff from it.
static jboolean android_content_AssetManager_applyStyle(JNIEnv* env, jobject clazz,
res.lock();
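The suspicion here is that another thread holds the res lock. Print every thread's backtrace with the command below and search the output for "AssetManager":
(gdb) thread apply all bt
This turns up the main thread: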
Thread 1 (LWP 1727):
#0 syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
#1 0x0000007f9c663f40 in futex (uaddr=0x7f9ccf75d0, op=0, val=48, val3=0, timeout=<optimized out>, uaddr2=<optimized out>) at art/runtime/base/mutex-inl.h:45
#2 art::ConditionVariable::WaitHoldingLocks (this=<optimized out>, self=<optimized out>) at art/runtime/base/mutex.cc:848
#3 0x0000007f9c8ff30c in TransitionFromSuspendedToRunnable (this=<optimized out>) at art/runtime/thread-inl.h:209
#4 ScopedThreadStateChange (self=<optimized out>, new_thread_state=art::kRunnable, this=<optimized out>) at art/runtime/scoped_thread_state_change.h:51
#5 ScopedObjectAccessUnchecked (this=<optimized out>, env=<optimized out>) at art/runtime/scoped_thread_state_change.h:224
#6 ScopedObjectAccess (this=<optimized out>, env=<optimized out>) at art/runtime/scoped_thread_state_change.h:255
#7 art::JNI::NewStringUTF (env=<optimized out>, utf=<optimized out>) at art/runtime/jni_internal.cc:1646
#8 0x0000007f9da03a60 in NewStringUTF (bytes=<optimized out>, this=0x7f9cc3e180) at libnativehelper/include/nativehelper/jni.h:842
#9 android::android_content_AssetManager_getArrayStringResource (env=0x7f9cc3e180, clazz=<optimized out>, arrayResId=<optimized out>) at frameworks/base/core/jni/android_util_AssetManager.cpp:1982
#10 0x000000007469d84c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
The code at android_util_AssetManager.cpp:1982 shows that the lock is indeed held before NewStringUTF is called.
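The manual search above (the thread running SuspendAll, the thread stuck on the mutex, and the thread holding the lock while waiting to become Runnable) can be scripted over saved thread apply all bt output. This is an added example, not part of the original post; the backtrace text is a constructed, abbreviated sample modelled on the frames shown above, the names parse_threads and triage are hypothetical, and it assumes the "Thread N (LWP M):" header format seen on this page.

```python
import re

# Constructed sample: abbreviated `thread apply all bt` output modelled on the frames above.
SAMPLE_BT = """\
Thread 142 (LWP 1737):
#0  syscall () at bionic/libc/arch-arm64/bionic/syscall.S:41
#2  art::ThreadList::SuspendAllInternal (this=<optimized out>) at art/runtime/thread_list.cc:591
#4  0x0000007f9c77dcec in art::gc::collector::MarkSweep::RunPhases (this=<optimized out>) at art/runtime/gc/collector/mark_sweep.cc:153
Thread 60 (LWP 1942):
#4  __pthread_mutex_lock_with_timeout (mutex=<optimized out>) at bionic/libc/bionic/pthread_mutex.cpp:430
#5  0x0000007f9da06f94 in android::android_content_AssetManager_applyStyle (env=0x7f8d441500) at frameworks/base/core/jni/android_util_AssetManager.cpp:1434
Thread 1 (LWP 1727):
#3  0x0000007f9c8ff30c in TransitionFromSuspendedToRunnable (this=<optimized out>) at art/runtime/thread-inl.h:209
#9  android::android_content_AssetManager_getArrayStringResource (env=0x7f9cc3e180) at frameworks/base/core/jni/android_util_AssetManager.cpp:1982
"""

THREAD_RE = re.compile(r"^Thread (\d+) \(LWP (\d+)\)")
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?([\w:~]+) \(")
# Frame names that mark each participant in the hang analysed above.
ROLES = {
    "SuspendAllInternal": "suspending all threads",
    "__pthread_mutex_lock_with_timeout": "blocked on a native mutex",
    "TransitionFromSuspendedToRunnable": "waiting for suspension to end",
}

def parse_threads(text):
    """Return {lwp: [function names, innermost frame first]}."""
    threads, cur = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            cur = threads.setdefault(int(m.group(2)), [])
            continue
        m = FRAME_RE.match(line)
        if m and cur is not None:
            cur.append(m.group(1))
    return threads

def triage(text, keyword="AssetManager"):
    """Map each interesting LWP to (role, first frame containing keyword or None)."""
    report = {}
    for lwp, frames in parse_threads(text).items():
        roles = [r for fn, r in ROLES.items() if any(f.endswith(fn) for f in frames)]
        if roles:
            report[lwp] = (roles[0], next((f for f in frames if keyword in f), None))
    return report

if __name__ == "__main__":
    for lwp, (role, caller) in triage(SAMPLE_BT).items():
        print(f"LWP {lwp}: {role}; {caller or 'no AssetManager frame'}")
```

To use it on a real session, capture the gdb output with set logging on before running thread apply all bt and pass the log file's contents to triage.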
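Common commands:
thread apply all bt - print the backtrace of every thread
disassemble - show the machine code of the current stack frame
x/d (0x7bebe41c10+152) - x examines the memory at that address; d stands for
info registers - show the register values
info locals - show the local variables of the current stack frame
info variables - show global and static variables
info args - show the arguments of the current stack frame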