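When debugging this kind of problem, always track down where the very first error message came from; do not look only at the error log messages that repeat afterwards.
1. minicom (messages reported on the serial port)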
[47229.637506] BUG: Bad page map in process ActivityManager pte:08000603 pmd:8a02f000
[47229.653282] page:81c04000 count:1 mapcount:-1 mapping: (null) index:0x0
[47229.667190] page flags: 0x404(referenced|reserved)
[47229.678367] addr:5724b000 vm_flags:10220051 anon_vma: (null) mapping:89d5437c index:fd
[47229.694767] vma->vm_ops->fault: (null)
[47229.703574] vma->vm_file->f_op->mmap: binder_mmap+0x0/0x2a8
[47229.715143] CPU: 0 PID: 418 Comm: ActivityManager Tainted: G W 3.10.14-00015-g04cf458-dirty #2
[47229.735347] Stack : 00000000 00000000 808632aa 0000005c 00000001 807e0000 8a0462e8 81c04000
8072cc64 807cee87 000001a2 80862a44 8a0462e8 81c04000 89fb3570 8a02f92c
5724b000 80647144 8065ade8 8003e850 00000000 00000000 8072e554 8a093bec
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 8a093b78
…
[47229.809786] Call Trace:
[47229.814784] [<80023978>] show_stack+0x64/0x7c
[47229.824708] [<800c98c0>] print_bad_pte+0x15c/0x204
[47229.834528] [<800cb1c4>] unmap_single_vma+0x420/0x584
[47229.844876] [<800cbca8>] unmap_vmas+0x68/0x90
[47229.853942] [<800d2ff4>] exit_mmap+0xcc/0x1bc
[47229.863879] [<8003c020>] mmput+0x50/0x114
[47229.872100] [<80043eb4>] do_exit+0x23c/0x9b4
[47229.880850] [<800456a8>] do_group_exit+0x48/0xf4
[47229.891062] [<800539b8>] get_signal_to_deliver+0x1c4/0x760
[47229.902454] [<80021ec0>] do_signal+0x28/0x258
[47229.911384] [<80022ce4>] do_notify_resume+0x7c/0x98
[47229.922138] [<8001eba0>] work_notifysig+0x10/0x18
[47229.931777]
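Interpretation
This situation generally arises when a process, while looking up a physical address from a virtual one through the TLB, finds an empty address or an address that belongs to another process (an illegal address).
The log above says that the process ActivityManager accessed the physical address 81c04000, and that this address has flags: 0x404(referenced|reserved), meaning another process has already set the flag bits to reserve it and is occupying it.
The lines under Call Trace: give the calling relationship between the functions, which in order is
work_notifysig -> do_notify_resume -> ... -> show_stack
The function closest to where the problem lies is show_stack.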
2. Information captured by android logcat
W/ActivityManager( 392): Activity pause timeout for ActivityRecord{397cc275 u0 com.android.gallery3d/.app.MovieActivity t110 f}
F/libc ( 392): Fatal signal 11 (SIGSEGV), code 128, fault addr 0x0 in tid 402 (GCDaemon)
I/DEBUG ( 93): Build fingerprint: 'Ingenic/dorado/dorado:5.1.1/LMY48G/snmu11130450:userdebug/test-keys'
I/DEBUG ( 93): Revision: '0'
I/DEBUG ( 93): ABI: 'mips'
I/DEBUG ( 93): pid: 392, tid: 402, name: GCDaemon >>> system_server <<<
I/DEBUG ( 93): signal 11 (SIGSEGV), code 128 (SI_KERNEL), fault addr 0x0
I/DEBUG ( 93): zr 00000000 at 00000001 v0 743fea88 v1 30506670
I/DEBUG ( 93): a0 13210210 a1 5b4974cc a2 5b4974c8 a3 00000014
I/DEBUG ( 93): t0 5b4974c4 t1 00000010 t2 00000004 t3 0000022e
I/DEBUG ( 93): t4 5b4974c0 t5 000009bb t6 0000022e t7 000009bf
I/DEBUG ( 93): s0 13210210 s1 7406cf8c s2 5b4974cc s3 74496fc0
I/DEBUG ( 93): s4 5b4974b0 s5 00000004 s6 5b4974c8 s7 006d006f
I/DEBUG ( 93): t8 00000000 t9 7406cf8c k0 59c6b51c k1 00000000
I/DEBUG ( 93): gp 744018c0 sp 5b497430 s8 000009bf ra 7406d9d4
I/DEBUG ( 93): hi 0000007e lo 3f645214 bva 006d007b epc 7406cfe0
I/DEBUG ( 93):
I/DEBUG ( 93): backtrace:
I/DEBUG ( 93): #00 pc 001cefe0 /system/lib/libart.so (void art::mirror::Object::VisitReferences
The system_server process has died. The pc points to address 001cefe0, and the corresponding function is
void art::mirror::Object::VisitReferences<false in /system/lib/libart.so
3.
--------- beginning of crash
05-12 16:19:34.679 145 145 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 145 (mediaserver)
05-12 16:19:34.794 129 129 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
05-12 16:19:34.794 129 129 F DEBUG : Build fingerprint: 'Ingenic/dorado/dorado:6.0/MDB08M/cjwang05100919:userdebug/test-keys'
05-12 16:19:34.794 129 129 F DEBUG : Revision: '0'
05-12 16:19:34.794 129 129 F DEBUG : ABI: 'mips'
05-12 16:19:34.794 129 129 F DEBUG : pid: 145, tid: 145, name: mediaserver >>> /system/bin/mediaserver <<<
05-12 16:19:34.794 129 129 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
05-12 16:19:34.867 129 129 F DEBUG : zr 00000000 at 00000001 v0 7ff5b2cc v1 00000000
05-12 16:19:34.867 129 129 F DEBUG : a0 00000002 a1 00000002 a2 00010024 a3 75a1fd64
05-12 16:19:34.867 129 129 F DEBUG : t0 00010019 t1 00010025 t2 00000002 t3 00000000
05-12 16:19:34.867 129 129 F DEBUG : t4 00000000 t5 00000001 t6 00000000 t7 00000000
05-12 16:19:34.867 129 129 F DEBUG : s0 7ff5b2cc s1 7ff5b268 s2 7ff5b394 s3 00010000
05-12 16:19:34.867 129 129 F DEBUG : s4 774c2398 s5 774c2038 s6 00000001 s7 7779ac98
05-12 16:19:34.867 129 129 F DEBUG : t8 00000003 t9 777a72f8 k0 7ff5adf0 k1 00000000
05-12 16:19:34.867 129 129 F DEBUG : gp 777a9040 sp 7ff5b250 s8 7ff5b2e0 ra 776fdfa8
05-12 16:19:34.867 129 129 F DEBUG : hi 00000000 lo 00000000 bva 00000000 epc 776fdfbc
05-12 16:19:34.970 129 129 F DEBUG :
05-12 16:19:34.970 129 129 F DEBUG : backtrace:
05-12 16:19:34.983 129 129 F DEBUG : #00 pc 0005cfbc /system/lib/libcameraservice.so (android::CameraModule::deriveCameraCharacteristicsKeys(unsigned int, android::CameraMetadata&)+668)
05-12 16:19:34.983 129 129 F DEBUG : #01 pc 0005dd28 /system/lib/libcameraservice.so (android::CameraModule::getCameraInfo(int, camera_info*)+904)
05-12 16:19:34.983 129 129 F DEBUG : #02 pc 00056a44 /system/lib/libcameraservice.so (android::CameraFlashlight::createFlashlightControl(android::String8 const&)+472)
05-12 16:19:34.983 129 129 F DEBUG : #03 pc 00056f24 /system/lib/libcameraservice.so (android::CameraFlashlight::findFlashUnits()+444)
05-12 16:19:34.983 129 129 F DEBUG : #04 pc 0004c170 /system/lib/libcameraservice.so (android::CameraService::onFirstRef()+788)
05-12 16:19:34.983 129 129 F DEBUG : #05 pc 00002b3c /system/bin/mediaserver
05-12 16:19:34.983 129 129 F DEBUG : #06 pc 000017cc /system/bin/mediaserver (main+300)
05-12 16:19:34.983 129 129 F DEBUG : #07 pc 00016d14 /system/lib/libc.so (__libc_init+140)
05-12 16:19:34.983 129 129 F DEBUG : #08 pc 00001d34 /system/bin/mediaserver
05-12 16:19:34.983 129 129 F DEBUG : #09 pc 00001cdc /system/bin/mediaserver
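From the information captured by logcat, the error occurred in the mediaserver process, and the specific function that failed is in the library /system/lib/libcameraservice.so:
CameraModule::deriveCameraCharacteristicsKeys(unsigned int, android::CameraMetadata&). That is the first entry under backtrace:. The entries below it are the successive calls in order, which finally lead to the function deriveCameraCharacteristicsKeys()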
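
The reading of the two logcat captures above can be automated. The following is an added example, not part of the original post: it pulls each native crash dump out of logcat text in either prefix format shown above and reports the earliest one with its frame #00. The names parse_crashes, first_fault and SAMPLE are made up for this example, and SAMPLE holds lines excerpted from the logs above.

```python
import re

# Patterns match the debuggerd payload, whatever logcat prefix precedes it.
HEADER = re.compile(r"pid: (\d+), tid: (\d+), name: (.+?)\s+>>> (.+?) <<<")
SIGNAL = re.compile(r"signal (\d+) \((\w+)\), code (-?\d+)(?: \((\w+)\))?, fault addr (\S+)")
FRAME = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(\S+)(?:\s+\((.*))?$")

def parse_crashes(lines):
    """Return one dict per native crash dump, in the order they were logged."""
    crashes, cur = [], None
    for raw in lines:
        line = raw.rstrip()
        if "DEBUG" not in line:  # skip libc / ActivityManager lines
            continue
        if (m := HEADER.search(line)):  # "pid: ..., tid: ..., name: ..." opens a dump
            cur = {"pid": int(m[1]), "tid": int(m[2]), "thread": m[3],
                   "process": m[4], "signal": None, "frames": []}
            crashes.append(cur)
        elif cur and cur["signal"] is None and (m := SIGNAL.search(line)):
            cur["signal"] = {"name": m[2], "code": m[4] or m[3], "fault_addr": m[5]}
        elif cur and (m := FRAME.search(line)):
            # A complete frame ends with ")"; a truncated one is kept as logged.
            sym = m[4][:-1] if (m[4] or "").endswith(")") else m[4]
            cur["frames"].append({"index": int(m[1]), "pc": m[2], "object": m[3], "symbol": sym})
    return crashes

def first_fault(lines):
    """Summarise the earliest crash: process, thread, signal and frame #00."""
    crashes = parse_crashes(lines)
    if not crashes or not crashes[0]["frames"]:
        return None
    c = crashes[0]
    return {"process": c["process"], "thread": c["thread"], "signal": c["signal"], "top": c["frames"][0]}

# Lines excerpted from the two logcat captures above (brief and threadtime prefixes).
SAMPLE = [
    "F/libc ( 392): Fatal signal 11 (SIGSEGV), code 128, fault addr 0x0 in tid 402 (GCDaemon)",
    "I/DEBUG ( 93): pid: 392, tid: 402, name: GCDaemon >>> system_server <<<",
    "I/DEBUG ( 93): signal 11 (SIGSEGV), code 128 (SI_KERNEL), fault addr 0x0",
    "I/DEBUG ( 93): #00 pc 001cefe0 /system/lib/libart.so (void art::mirror::Object::VisitReferences",
    "05-12 16:19:34.679 145 145 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 145 (mediaserver)",
    "05-12 16:19:34.794 129 129 F DEBUG : pid: 145, tid: 145, name: mediaserver >>> /system/bin/mediaserver <<<",
    "05-12 16:19:34.794 129 129 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0",
    "05-12 16:19:34.983 129 129 F DEBUG : #00 pc 0005cfbc /system/lib/libcameraservice.so (android::CameraModule::deriveCameraCharacteristicsKeys(unsigned int, android::CameraMetadata&)+668)",
    "05-12 16:19:34.983 129 129 F DEBUG : #05 pc 00002b3c /system/bin/mediaserver",
]

if __name__ == "__main__":
    print(first_fault(SAMPLE))
```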