PAGalaxyLab / YAHFA

Yet Another Hook Framework for ART
GNU General Public License v3.0

GC crashes when hooking too many methods continuously #101

Closed solohsu closed 5 years ago

solohsu commented 5 years ago

Hi, I built EdXposed, an Xposed framework that works on Android 9.0, on top of your YAHFA. While using it I found that when too many methods are hooked continuously (roughly more than 100 or so), there is a chance of a crash during GC. I have not been able to find the exact cause; could you take a look when you have time? Below is the crash that occurs when WeChat is opened with the 微X module installed: tombstone_08.txt

16050-16061/? A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6b636574 in tid 16061 (HeapTaskDaemon), pid 16050 (com.tencent.mm)
16094-16094/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
16094-16094/? A/DEBUG: Build fingerprint: 'Xiaomi/perseus/perseus:9/PKQ1.180729.001/V10.0.11.0.PEECNFH:user/release-keys'
16094-16094/? A/DEBUG: Revision: '0'
16094-16094/? A/DEBUG: ABI: 'arm'
16094-16094/? A/DEBUG: pid: 16050, tid: 16061, name: HeapTaskDaemon  >>> com.tencent.mm <<<
16094-16094/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6b636574
16094-16094/? A/DEBUG:     r0  6b636568  r1  12f83610  r2  00000000  r3  00000000
16094-16094/? A/DEBUG:     r4  12f83610  r5  e41db380  r6  6b636568  r7  bb0012fc
16094-16094/? A/DEBUG:     r8  0000001c  r9  00000004  r10 00000070  r11 12f83610
16094-16094/? A/DEBUG:     ip  00000000  sp  c906d2c8  lr  e3c99653  pc  e3c9586c
16094-16094/? A/DEBUG: backtrace:
16094-16094/? A/DEBUG:     #00 pc 0015f86c  /system/lib/libart.so (art::gc::collector::ConcurrentCopying::Copy(art::mirror::Object*, art::mirror::Object*, art::MemberOffset)+36)
16094-16094/? A/DEBUG:     #01 pc 0016364f  /system/lib/libart.so (void art::gc::collector::ConcurrentCopying::MarkRoot<false>(art::mirror::CompressedReference<art::gc::collector::ConcurrentCopying::MarkRoot<false>::Object>*)+346)
16094-16094/? A/DEBUG:     #02 pc 00163017  /system/lib/libart.so (_ZN3art6mirror6Object15VisitReferencesILb1ELNS_17VerifyObjectFlagsE0ELNS_17ReadBarrierOptionE1ENS_2gc9collector17ConcurrentCopying16RefFieldsVisitorES8_EEvRKT2_RKT3_+1826)
16094-16094/? A/DEBUG:     #03 pc 0015c463  /system/lib/libart.so (art::gc::collector::ConcurrentCopying::ProcessMarkStackRef(art::mirror::Object*)+114)
16094-16094/? A/DEBUG:     #04 pc 0015bf23  /system/lib/libart.so (art::gc::collector::ConcurrentCopying::ProcessMarkStackOnce()+518)
16094-16094/? A/DEBUG:     #05 pc 0015bd09  /system/lib/libart.so (art::gc::collector::ConcurrentCopying::ProcessMarkStack()+8)
16094-16094/? A/DEBUG:     #06 pc 00156adf  /system/lib/libart.so (art::gc::collector::ConcurrentCopying::MarkingPhase()+1318)
16094-16094/? A/DEBUG:     #07 pc 00155625  /system/lib/libart.so (art::gc::collector::ConcurrentCopying::RunPhases()+856)
16094-16094/? A/DEBUG:     #08 pc 00166265  /system/lib/libart.so (art::gc::collector::GarbageCollector::Run(art::gc::GcCause, bool)+252)
16094-16094/? A/DEBUG:     #09 pc 0017fee5  /system/lib/libart.so (art::gc::Heap::CollectGarbageInternal(art::gc::collector::GcType, art::gc::GcCause, bool)+2420)
16094-16094/? A/DEBUG:     #10 pc 0018d709  /system/lib/libart.so (art::gc::Heap::ConcurrentGC(art::Thread*, art::gc::GcCause, bool)+68)
16094-16094/? A/DEBUG:     #11 pc 00191535  /system/lib/libart.so (art::gc::Heap::ConcurrentGCTask::Run(art::Thread*)+20)
16094-16094/? A/DEBUG:     #12 pc 001aa467  /system/lib/libart.so (art::gc::TaskProcessor::RunAllTasks(art::Thread*)+34)
16094-16094/? A/DEBUG:     #13 pc 00318d93  /system/framework/arm/boot-core-libart.oat (offset 0x17e000) (dalvik.system.VMRuntime.clampGrowthLimit [DEDUPED]+74)
16094-16094/? A/DEBUG:     #14 pc 0046c2ad  /system/framework/arm/boot-core-libart.oat (offset 0x17e000) (java.lang.Daemons$HeapTaskDaemon.runInternal+172)
16094-16094/? A/DEBUG:     #15 pc 0031ab7b  /system/framework/arm/boot-core-libart.oat (offset 0x17e000) (java.lang.Daemons$Daemon.run+66)
16094-16094/? A/DEBUG:     #16 pc 004d2391  /system/framework/arm/boot-core-oj.oat (offset 0x2c9000) (java.lang.Thread.run+64)
16094-16094/? A/DEBUG:     #17 pc 0040e975  /system/lib/libart.so (offset 0x2b0000) (art_quick_invoke_stub_internal+68)
16094-16094/? A/DEBUG:     #18 pc 003e7e99  /system/lib/libart.so (offset 0x2b0000) (art_quick_invoke_stub+224)
16094-16094/? A/DEBUG:     #19 pc 000a1415  /system/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+136)
16094-16094/? A/DEBUG:     #20 pc 0034873d  /system/lib/libart.so (offset 0x2b0000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
16094-16094/? A/DEBUG:     #21 pc 00349495  /system/lib/libart.so (offset 0x2b0000) (art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue*)+320)
16094-16094/? A/DEBUG:     #22 pc 0036a407  /system/lib/libart.so (offset 0x2b0000) (art::Thread::CreateCallback(void*)+866)
16094-16094/? A/DEBUG:     #23 pc 000637f5  /system/lib/libc.so (__pthread_start(void*)+22)
16094-16094/? A/DEBUG:     #24 pc 0001e019  /system/lib/libc.so (__start_thread+24)
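
A triage helper for tombstones like the one above, written in Python as an added example (it is not code from YAHFA or EdXposed): it parses the fatal-signal line and the backtrace frames, flags the signature seen in this report (SIGSEGV on ART's HeapTaskDaemon thread with the concurrent-copying collector at the top of the stack), and renders the fault address as the bytes it occupies in memory. The embedded sample is constructed from a subset of the lines quoted in this issue.

```python
import re

# Constructed sample: a subset of the tombstone quoted in this issue.
SAMPLE_TOMBSTONE = """\
16050-16061/? A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6b636574 in tid 16061 (HeapTaskDaemon), pid 16050 (com.tencent.mm)
16094-16094/? A/DEBUG: pid: 16050, tid: 16061, name: HeapTaskDaemon  >>> com.tencent.mm <<<
16094-16094/? A/DEBUG: backtrace:
16094-16094/? A/DEBUG:     #00 pc 0015f86c  /system/lib/libart.so (art::gc::collector::ConcurrentCopying::Copy(art::mirror::Object*, art::mirror::Object*, art::MemberOffset)+36)
16094-16094/? A/DEBUG:     #01 pc 0016364f  /system/lib/libart.so (void art::gc::collector::ConcurrentCopying::MarkRoot<false>(art::mirror::CompressedReference<art::mirror::Object>*)+346)
16094-16094/? A/DEBUG:     #08 pc 00166265  /system/lib/libart.so (art::gc::collector::GarbageCollector::Run(art::gc::GcCause, bool)+252)
16094-16094/? A/DEBUG:     #17 pc 0040e975  /system/lib/libart.so (offset 0x2b0000) (art_quick_invoke_stub_internal+68)
"""

SIGNAL_RE = re.compile(r"Fatal signal (\d+) \((\w+)\), code \d+ \((\w+)\), "
                       r"fault addr (0x[0-9a-fA-F]+) in tid \d+ \(([^)]+)\), pid \d+ \(([^)]+)\)")
FRAME_RE = re.compile(r"#(\d+) pc ([0-9a-fA-F]+)\s+(\S+)"
                      r"(?:\s+\(offset 0x[0-9a-fA-F]+\))?(?:\s+\((.*)\))?\s*$")

def parse_tombstone(text):
    """Extract the fatal-signal line and backtrace frames from logcat-style tombstone output."""
    info = {"frames": []}
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            info.update(signal=int(m.group(1)), signame=m.group(2), code=m.group(3),
                        fault_addr=int(m.group(4), 16), thread=m.group(5), process=m.group(6))
            continue
        m = FRAME_RE.search(line)
        if m:
            info["frames"].append({"idx": int(m.group(1)), "pc": int(m.group(2), 16),
                                   "lib": m.group(3), "symbol": m.group(4) or ""})
    return info

def is_gc_crash_during_hooking(info, top_n=3):
    """Signature of the crash in this report: SIGSEGV on ART's HeapTaskDaemon thread
    with the concurrent-copying collector in the top frames. A match is the hint to
    look at hook installation racing the collector before blaming the hooked app."""
    if info.get("signame") != "SIGSEGV" or info.get("thread") != "HeapTaskDaemon":
        return False
    return any("ConcurrentCopying" in f["symbol"] for f in info["frames"][:top_n])

def fault_addr_as_text(addr, width=4):
    """Render a fault address as the little-endian bytes it occupies in memory.
    An address made only of printable characters usually means a pointer slot
    was overwritten with text or code bytes, which is worth noting in triage."""
    raw = addr.to_bytes(width, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
```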

C3C0 commented 5 years ago

Probably similar to my recent bug report here: https://github.com/ElderDrivers/EdXposed/issues/127 More logs with similar GC crashes are available there. Thanks for looking into it.

solohsu commented 5 years ago

Fixed: waiting for GC to complete before hooking is enough. https://github.com/ElderDrivers/EdXposed/commit/30e7dfd3d8963b4ffeb023c2db75deb41324309e