VM crash caused by the WebKit engine in Android 2.3

A bug exists in Android 2.2, 2.3, and 2.3.3. It is described in detail here:

http://code.google.com/p/android/issues/detail?id=12987

The sample code posted by the original reporter reproduces it. I hit the problem on the 2.2 and 2.3 emulators and on a real 2.3 device.

The core of the problem is this log line: JNI WARNING: jarray 0x4074f6e0 points to non-array object (Ljava/lang/String;)

That is, during a JNI call a Java String object is accessed as if it were an array, and the virtual machine aborts.

In the issue thread (http://code.google.com/p/android/issues/detail?id=12987) someone mentioned that Google's Nexus S does not have this problem because it uses the V8 engine, so we switched the JS engine in our system from JSC to V8 (the procedure is described at http://blog.csdn.net/a345017062/archive/2011/04/20/6336753.aspx). The problem persisted, so there was no way around tracing it step by step.


Tracking this issue took a lot of effort, so I will record the tracing process first.

At first I thought I could use the system's own JNI call tracing (the procedure is at http://blog.csdn.net/a345017062/archive/2011/04/28/6369535.aspx). After compiling it and flashing the build to the board, one look at the log left me dumbfounded: there was far too much irrelevant output, so the only option was to print my own log lines.

Two methods were used in total. The first is to use the thread dump that the system prints when the VM crashes to find out which native method was the last one called. Following this idea was hard at first, because some code in JavaScriptCore cannot use LOGW and the related macros; eventually an article (http://blog.csdn.net/a345017062/archive/2011/05/04/6394897.aspx) described in detail how to get log output from it.

12-20 19:29:34.582: WARN/dalvikvm(725): JNI WARNING: jarray 0x4074f6e0 points to non-array object (Ljava/lang/String;)
12-20 19:29:34.622: INFO/dalvikvm(725): "WebViewCoreThread" prio=5 tid=9 NATIVE
12-20 19:29:34.622: INFO/dalvikvm(725):   | group="main" sCount=0 dsCount=0 obj=0x40521328 self=0x26bea8
12-20 19:29:34.622: INFO/dalvikvm(725):   | sysTid=734 nice=0 sched=0/0 cgrp=default handle=2539488
12-20 19:29:34.632: INFO/dalvikvm(725):   | schedstat=( 5341953614 5808331660 581 )
12-20 19:29:34.632: INFO/dalvikvm(725):   at android.webkit.WebViewCore.nativeTouchUp(Native Method)
12-20 19:29:34.632: INFO/dalvikvm(725):   at android.webkit.WebViewCore.nativeTouchUp(Native Method)
12-20 19:29:34.642: INFO/dalvikvm(725):   at android.webkit.WebViewCore.access$3300(WebViewCore.java:53)
12-20 19:29:34.652: INFO/dalvikvm(725):   at android.webkit.WebViewCore$EventHub$1.handleMessage(WebViewCore.java:1158)
12-20 19:29:34.652: INFO/dalvikvm(725):   at android.os.Handler.dispatchMessage(Handler.java:99)
12-20 19:29:34.652: INFO/dalvikvm(725):   at android.os.Looper.loop(Looper.java:123)
12-20 19:29:34.652: INFO/dalvikvm(725):   at android.webkit.WebViewCore$WebCoreThread.run(WebViewCore.java:629)
12-20 19:29:34.662: INFO/dalvikvm(725):   at java.lang.Thread.run(Thread.java:1019)
12-20 19:29:34.672: ERROR/dalvikvm(725): VM aborting

The second method is to feed the native stack in the following debuggerd log to the addr2line tool to locate the exact offending function. For the detailed procedure, see this article:

http://blog.chinaunix.net/space.php?uid=20564848&do=blog&id=94732

Note that the fault address deadd00d is not a wild pointer: it is the address Dalvik's dvmAbort() deliberately writes to (r2 holds the value 38 it stores there) so that debuggerd produces a native dump. The SIGSEGV is therefore the VM's own abort, not memory corruption inside libwebcore, and r5 still holds the bad reference 0x4074f6e0 from the JNI warning.

12-20 19:29:34.852: INFO/DEBUG(30): Build fingerprint: 'generic/sdk/generic:2.3/GRH55/79397:eng/test-keys'
12-20 19:29:34.862: INFO/DEBUG(30): pid: 725, tid: 734  >>> XXXXXXXX <<<
12-20 19:29:34.862: INFO/DEBUG(30): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadd00d
12-20 19:29:34.872: INFO/DEBUG(30):  r0 fffffebc  r1 deadd00d  r2 00000026  r3 00000000
12-20 19:29:34.872: INFO/DEBUG(30):  r4 81da45c8  r5 4074f6e0  r6 81d8592c  r7 0026d2b8
12-20 19:29:34.872: INFO/DEBUG(30):  r8 44174b54  r9 43d72e4c  10 43d72e34  fp 41edd82c
12-20 19:29:34.891: INFO/DEBUG(30):  ip 81da4728  sp 44174348  lr afd19375  pc 81d45a02  cpsr 20000030
12-20 19:29:35.912: INFO/DEBUG(30):          #00  pc 00045a02  /system/lib/libdvm.so
12-20 19:29:35.912: INFO/DEBUG(30):          #01  pc 000376fc  /system/lib/libdvm.so
12-20 19:29:35.912: INFO/DEBUG(30):          #02  pc 000399c4  /system/lib/libdvm.so
12-20 19:29:35.922: INFO/DEBUG(30):          #03  pc 0003a4a0  /system/lib/libdvm.so
12-20 19:29:35.932: INFO/DEBUG(30):          #04  pc 0032b6d6  /system/lib/libwebcore.so
12-20 19:29:35.952: INFO/DEBUG(30):          #05  pc 002a4da4  /system/lib/libwebcore.so
12-20 19:29:35.952: INFO/DEBUG(30):          #06  pc 001a6136  /system/lib/libwebcore.so
12-20 19:29:35.952: INFO/DEBUG(30):          #07  pc 002a5870  /system/lib/libwebcore.so
12-20 19:29:35.962: INFO/DEBUG(30):          #08  pc 00359e36  /system/lib/libwebcore.so
12-20 19:29:35.972: INFO/DEBUG(30):          #09  pc 0035d18e  /system/lib/libwebcore.so
12-20 19:29:35.972: INFO/DEBUG(30):          #10  pc 0036b078  /system/lib/libwebcore.so
12-20 19:29:35.982: INFO/DEBUG(30):          #11  pc 003627ac  /system/lib/libwebcore.so
12-20 19:29:35.982: INFO/DEBUG(30):          #12  pc 0029fb24  /system/lib/libwebcore.so
12-20 19:29:36.002: INFO/DEBUG(30):          #13  pc 0023366e  /system/lib/libwebcore.so
12-20 19:29:36.002: INFO/DEBUG(30):          #14  pc 00239c0c  /system/lib/libwebcore.so
12-20 19:29:36.011: INFO/DEBUG(30):          #15  pc 00237a28  /system/lib/libwebcore.so
12-20 19:29:36.011: INFO/DEBUG(30):          #16  pc 00237b32  /system/lib/libwebcore.so
12-20 19:29:36.022: INFO/DEBUG(30):          #17  pc 0023adba  /system/lib/libwebcore.so
12-20 19:29:36.022: INFO/DEBUG(30):          #18  pc 0023af4e  /system/lib/libwebcore.so
12-20 19:29:36.042: INFO/DEBUG(30):          #19  pc 000f80c0  /system/lib/libwebcore.so
12-20 19:29:36.042: INFO/DEBUG(30):          #20  pc 000f8c66  /system/lib/libwebcore.so
12-20 19:29:36.052: INFO/DEBUG(30):          #21  pc 001b81fa  /system/lib/libwebcore.so
12-20 19:29:36.062: INFO/DEBUG(30):          #22  pc 001b82f2  /system/lib/libwebcore.so
12-20 19:29:36.062: INFO/DEBUG(30):          #23  pc 001b8318  /system/lib/libwebcore.so
12-20 19:29:36.072: INFO/DEBUG(30):          #24  pc 00017d34  /system/lib/libdvm.so
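As an added triage helper (not code from the original post), the following Python script automates the two log-reading steps described above: it pulls the type confusion out of the CheckJNI warning line, recognises the deliberate Dalvik abort from the debuggerd signal line, and turns the '#NN pc OFFSET library' frames into one addr2line command per library. The sample log lines are constructed from the values quoted on this page; the toolchain name and the symbols directory are assumptions.

```python
import re

# Constructed sample: a few logcat lines in the shape Dalvik and debuggerd print them,
# using the values quoted on this page.
SAMPLE_LOG = """\
W/dalvikvm(  725): JNI WARNING: jarray 0x4074f6e0 points to non-array object (Ljava/lang/String;)
I/dalvikvm(  725):   at android.webkit.WebViewCore.nativeTouchUp(Native Method)
E/dalvikvm(  725): VM aborting
I/DEBUG   (   30): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadd00d
I/DEBUG   (   30):          #00  pc 00045a02  /system/lib/libdvm.so
I/DEBUG   (   30):          #01  pc 000376fc  /system/lib/libdvm.so
I/DEBUG   (   30):          #04  pc 0032b6d6  /system/lib/libwebcore.so
"""

JNI_WARNING = re.compile(r"JNI WARNING: (\w+) 0x([0-9a-f]+) points to non-array object \((\S+)\)", re.I)
FAULT_ADDR = re.compile(r"signal (\d+) \((\w+)\).*fault addr ([0-9a-f]+)", re.I)
FRAME = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s+(/\S+)", re.I)

# dvmAbort() deliberately writes to this address so debuggerd produces a native dump;
# a SIGSEGV here is the VM aborting on purpose, not memory corruption in the library.
DALVIK_ABORT_ADDR = "deadd00d"


def parse_crash(log):
    """Summarise a CheckJNI abort: the type confusion reported, whether the SIGSEGV
    is Dalvik's own abort, and the native frames grouped by library in dump order."""
    info = {"jni_warning": None, "signal": None, "vm_abort": False, "frames": {}}
    for line in log.splitlines():
        m = JNI_WARNING.search(line)
        if m:
            info["jni_warning"] = {"expected": m.group(1), "ref": m.group(2), "actual": m.group(3)}
            continue
        m = FAULT_ADDR.search(line)
        if m:
            info["signal"] = m.group(2)
            info["vm_abort"] = m.group(3).lower() == DALVIK_ABORT_ADDR
            continue
        m = FRAME.search(line)
        if m:
            info["frames"].setdefault(m.group(3), []).append(m.group(2))
    return info


def addr2line_commands(info, toolchain="arm-eabi-addr2line",
                       symbols_dir="out/target/product/generic/symbols"):
    """One addr2line invocation per library. The pc values in the dump are offsets into
    the mapped .so, so they go straight to the unstripped copy under the symbols
    directory (toolchain name and symbols path are assumptions)."""
    return ["%s -f -C -e %s%s %s" % (toolchain, symbols_dir, lib, " ".join(pcs))
            for lib, pcs in info["frames"].items()]
```

Run it against a full logcat capture to get the commands for every frame; the expected type (jarray) and the actual class (Ljava/lang/String;) in the parsed warning are exactly the evidence the rest of this post chases down.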

Next, let us analyze the problem.

First, download the reporter's sample from the issue page (http://code.google.com/p/android/issues/detail?id=12987) and install it on the device. The problem turns out to be in the WebView.addJavascriptInterface method: if you use Java to extend the JS API and call those APIs from a script, the VM crashes.

Using the tracing methods above, the problem was traced to

external/webkit/WebCore/bridge/jni/jsc/JavaClassJSC.cpp:

    if (jarray fields = (jarray)(callJNIMethod<jobject>(aClass, "getFields", "()[Ljava/lang/reflect/Field;"))) {
        int numFields = env->GetArrayLength(fields);
        ...
    }

callJNIMethod<jobject> misbehaves internally: it returns a jstring, which the caller then uses as a jarray. When env->GetArrayLength(fields) is called, the VM's CheckJNI layer (checkArray in dalvik/vm/CheckJni.c) validates the parameter; once it finds the parameter is not an array it calls abortMaybe(), which shuts down the VM.

So the question is why (jarray)(callJNIMethod<jobject>(aClass, "getFields", "()[Ljava/lang/reflect/Field;")) returns a string at all.

In the test APK I used System.out.println(t) to print the test object registered as the extended API, and also printed the string returned by callJNIMethod<jobject>; the two were identical. In other words, whatever parameters are passed to callJNIMethod<jobject>, the result is the serialized test object.

Further tracing showed that callJNIMethod eventually reaches dvmCallMethodV in dalvik/vm/interp/Stack.c. Printing method->name inside dvmCallMethodV showed that every callJNIMethod call ended up invoking a toString method, which explains why the string returned by callJNIMethod is the serialized test object.

So the problem lies in the way callJNIMethod wraps the tedious JNI calls. I therefore wrote a replacement for callJNIMethod<jobject>:

    jobject getReturnObject(JNIEnv* env, jobject anInstance, const char* name,
                            const char* signature)
    {
        jclass testClass = env->GetObjectClass(anInstance);
        if (!testClass) {
            LOGW("error 1");
            return NULL;
        }

        // Look the method up on the object's own class by name and signature
        // instead of going through callJNIMethod's generic wrapper.
        jmethodID methodID = env->GetMethodID(testClass, name, signature);
        env->DeleteLocalRef(testClass);
        if (!methodID) {
            LOGW("error 2");
            env->ExceptionClear(); // GetMethodID leaves a NoSuchMethodError pending
            return NULL;
        }

        jobject result = env->CallObjectMethod(anInstance, methodID);
        if (env->ExceptionCheck() || !result) {
            LOGW("error 3");
            env->ExceptionClear(); // harmless if nothing is pending
            return NULL;
        }
        return result;
    }

Replacing the callJNIMethod<jobject> call with getReturnObject solved the problem.

References

Add log output to the JavaScriptCore engine in the Android source code
http://blog.csdn.net/a345017062/archive/2011/05/04/6394897.aspx

Using the addr2line tool to locate the faulting instruction when debugging Android or Linux
http://blog.chinaunix.net/space.php?uid=20564848&do=blog&id=94732
