I have recently been porting Bluetooth. After a simple bring-up, Bluetooth only worked intermittently and was very unstable; the crash stack was randomly one of the following:

Case 1

#00 pc 00000000000229ac /system/lib64/libc.so (abort+116)
#01 pc 000000000001dac8 /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (__sanitizer::Abort()+56)
#02 pc 000000000001b688 /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (__sanitizer::Die()+164)
#03 pc 0000000000026b6c /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (__ubsan_handle_cfi_check_fail_abort+68)
#04 pc 000000000004d7b4 /system/lib64/hw/bluetooth.default.so (__cfi_check_fail+108)
#05 pc 0000000000065408 /system/lib64/hw/bluetooth.default.so (__cfi_check+95240)
#06 pc 000000000019690c /system/lib64/hw/bluetooth.default.so (btm_vsc_complete(unsigned char*, unsigned short, unsigned short, void (*)(void*)) [clone .cfi]+140)
#07 pc 00000000001a9c94 /system/lib64/hw/bluetooth.default.so (btu_hcif_command_complete_evt_on_task(BT_HDR*) [clone .cfi]+344)
#08 pc 0000000000212d6c /system/lib64/hw/bluetooth.default.so (internal_dequeue_ready(void*) [clone .cfi]+112)
#09 pc 0000000000219998 /system/lib64/hw/bluetooth.default.so (run_reactor(reactor_t*, int) [clone .cfi]+412)
#10 pc 00000000002197d0 /system/lib64/hw/bluetooth.default.so (reactor_start(reactor_t*) [clone .cfi]+84)
#11 pc 000000000021b3e4 /system/lib64/hw/bluetooth.default.so (run_thread(void*) [clone .cfi]+356)
#12 pc 0000000000082e98 /system/lib64/libc.so (__pthread_start(void*)+36)
#13 pc 0000000000024200 /system/lib64/libc.so (__start_thread+68)

Case 2

01-24 16:55:33.668 2593 2593 F libc : FORTIFY: pthread_mutex_destroy called on a destroyed mutex (0x7658fb5008)

Case 3

#00 pc 0000000000000000
#01 pc 0000000000096908 /system/lib64/libchrome.so (base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)+248)
#02 pc 00000000000afd14 /system/lib64/libchrome.so (base::MessageLoop::RunTask(base::PendingTask*)+416)
#03 pc 00000000000affbc /system/lib64/libchrome.so (base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)+52)
#04 pc 00000000000b03f8 /system/lib64/libchrome.so (base::MessageLoop::DoWork()+380)
#05 pc 00000000000b1790 /system/lib64/libchrome.so (base::MessagePumpDefault::Run(base::MessagePump::Delegate*)+180)
#06 pc 00000000000afa08 /system/lib64/libchrome.so (base::MessageLoop::RunHandler()+112)
#07 pc 00000000000cc60c /system/lib64/libchrome.so (base::RunLoop::Run()+136)
#08 pc 00000000000f4d58 /system/lib64/hw/bluetooth.default.so (message_loop_run(void*)+336)
#09 pc 00000000001c3ab8 /system/lib64/hw/bluetooth.default.so (work_queue_read_cb(void*)+92)
#10 pc 00000000001c1bc4 /system/lib64/hw/bluetooth.default.so (run_reactor(reactor_t*, int)+312)
#11 pc 00000000001c1a60 /system/lib64/hw/bluetooth.default.so (reactor_start(reactor_t*)+84)
#12 pc 00000000001c3540 /system/lib64/hw/bluetooth.default.so (run_thread(void*)+352)
#13 pc 0000000000082f7c /system/lib64/libc.so (__pthread_start(void*)+36)
#14 pc 00000000000241c0 /system/lib64/libc.so (__start_thread+68)

Case 4

#00 pc 000000000002296c /system/lib64/libc.so (abort+116)
#01 pc 00000000000a0ac8 /system/lib64/libc.so (ifree+1204)
#02 pc 00000000000a0bf4 /system/lib64/libc.so (je_free+120)
#03 pc 00000000000f929c /system/lib64/hw/bluetooth.default.so (fragment_and_dispatch(BT_HDR*)+160)
#04 pc 00000000000f6328 /system/lib64/hw/bluetooth.default.so (event_command_ready(waiting_command_t*)+72)
#05 pc 0000000000096908 /system/lib64/libchrome.so (base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)+248)
#05 pc 0000000000096908 /system/lib64/libchrome.so (base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)+248)
#06 pc 00000000000afd14 /system/lib64/libchrome.so (base::MessageLoop::RunTask(base::PendingTask*)+416)
#07 pc 00000000000affbc /system/lib64/libchrome.so (base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)+52)
#08 pc 00000000000b03f8 /system/lib64/libchrome.so (base::MessageLoop::DoWork()+380)
#09 pc 00000000000b1790 /system/lib64/libchrome.so (base::MessagePumpDefault::Run(base::MessagePump::Delegate*)+180)
#10 pc 00000000000afa08 /system/lib64/libchrome.so (base::MessageLoop::RunHandler()+112)
#11 pc 00000000000cc60c /system/lib64/libchrome.so (base::RunLoop::Run()+136)
#12 pc 00000000000f4d58 /system/lib64/hw/bluetooth.default.so (message_loop_run(void*)+336)
#13 pc 00000000001c3ab8 /system/lib64/hw/bluetooth.default.so (work_queue_read_cb(void*)+92)
#14 pc 00000000001c1bc4 /system/lib64/hw/bluetooth.default.so (run_reactor(reactor_t*, int)+312)
#15 pc 00000000001c1a60 /system/lib64/hw/bluetooth.default.so (reactor_start(reactor_t*)+84)
#16 pc 00000000001c3540 /system/lib64/hw/bluetooth.default.so (run_thread(void*)+352)
#17 pc 0000000000082f7c /system/lib64/libc.so (__pthread_start(void*)+36)
#18 pc 00000000000241c0 /system/lib64/libc.so (__start_thread+68)

Case 5

#00 pc 00006fc426a14c00
#01 pc 000000000013d230 /system/lib64/hw/bluetooth.default.so (BleAdvertisingManager::CleanUp()+128)
#02 pc 000000000013d438 /system/lib64/hw/bluetooth.default.so (btm_ble_multi_adv_cleanup()+68)
#03 pc 000000000009ecd0 /system/lib64/hw/bluetooth.default.so (btif_disable_bluetooth()+92)
#04 pc 00000000000e7658 /system/lib64/hw/bluetooth.default.so (event_stack_hdl_bt(void*, Stack_Evt_Type)+308)
#05 pc 00000000000e7114 /system/lib64/hw/bluetooth.default.so (event_stack_handler(void*)+48)
#06 pc 00000000001c3c34 /system/lib64/hw/bluetooth.default.so (work_queue_read_cb(void*)+92)
#07 pc 00000000001c1d40 /system/lib64/hw/bluetooth.default.so (run_reactor(reactor_t*, int)+312)
#08 pc 00000000001c1bdc /system/lib64/hw/bluetooth.default.so (reactor_start(reactor_t*)+84)
#09 pc 00000000001c36bc /system/lib64/hw/bluetooth.default.so (run_thread(void*)+352)
#10 pc 0000000000082f7c /system/lib64/libc.so (__pthread_start(void*)+36)
#11 pc 00000000000241c0 /system/lib64/libc.so (__start_thread+68)

The first is a CFI failure, which indicates a security flaw in the C code. The second is a FORTIFY failure, a runtime check newly introduced in Android; it looks like a double free. The third and fourth look related to RunTask, with no obvious lead. The fifth is a plain function call that should not fail at all, so I suspect the stack has already been corrupted.


CFI and FORTIFY

Now to work through them one by one. CFI and FORTIFY checks are certainly safer, but C code is very flexible, and even ordinary function-pointer assignments can trigger this kind of failure, so the first step is to turn the checks off by adding the following to Android.bp: sanitize: { never: true, }

Double free: after adding prints, I found that fixed_queue_free was being called more than once on the same queue. I added a suitable guard and refined the callers so that the repeated call no longer happens.
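The guard pattern described above, as an added illustration that is not the Fluoride stack's own fixed_queue code: a constructed fixed_queue_t with a mutex, an unguarded release that would hit the FORTIFY "pthread_mutex_destroy called on a destroyed mutex" abort on a second call, and a guarded free that takes the owner's handle by address and clears it, so a second teardown path becomes a no-op.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for the queue type; not the real fixed_queue_t. */
typedef struct {
  pthread_mutex_t lock;   /* destroyed on free; destroying twice trips FORTIFY */
  void **items;
  size_t capacity;
  size_t count;
} fixed_queue_t;

fixed_queue_t *fixed_queue_new(size_t capacity) {
  fixed_queue_t *q = calloc(1, sizeof(*q));
  if (q == NULL) return NULL;
  q->items = calloc(capacity, sizeof(void *));
  if (q->items == NULL) { free(q); return NULL; }
  q->capacity = capacity;
  pthread_mutex_init(&q->lock, NULL);
  return q;
}

/* Unguarded release: correct exactly once. A caller that still holds the
 * stale pointer and calls it again destroys a destroyed mutex and frees
 * freed memory, which is the double-free seen in the post. */
static void fixed_queue_release(fixed_queue_t *q) {
  pthread_mutex_destroy(&q->lock);
  free(q->items);
  free(q);
}

/* Guarded free (hypothetical name): takes the owner's pointer by address so
 * the handle is cleared in place. A second call sees NULL and does nothing.
 * Returns true only when memory was actually released on this call. */
bool fixed_queue_free_once(fixed_queue_t **qp) {
  if (qp == NULL || *qp == NULL) return false;
  fixed_queue_release(*qp);
  *qp = NULL;
  return true;
}

/* Reproduces the scenario from the post: two shutdown paths both tear down
 * the same queue. Returns how many calls really freed (expected 1), or -1
 * if the handle was not cleared. */
int double_teardown_count(void) {
  fixed_queue_t *q = fixed_queue_new(8);
  int freed = 0;
  freed += fixed_queue_free_once(&q);   /* first shutdown path: frees */
  freed += fixed_queue_free_once(&q);   /* second shutdown path: no-op */
  return q == NULL ? freed : -1;
}
```

With the unguarded fixed_queue_release the second call would abort under FORTIFY or jemalloc's double-free detection; the guarded version makes the extra call harmless while the callers are being cleaned up.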

run_task problem: the libchrome update added support for newer C++17 features such as rvalue references and reworked the template implementation, so the Bluetooth stack, as the caller, needs its related code refined. Here I took the simpler route and reverted libchrome to an older version to avoid the problem. The relevant code in libchrome's Callback is:

  R Run(Args... args) const & {
    static_assert(repeat_mode == internal::RepeatMode::Repeating,
                  "OnceCallback::Run() may only be invoked on a non-const "
                  "rvalue, i.e. std::move(callback).Run().");

    PolymorphicInvoke f =
        reinterpret_cast<PolymorphicInvoke>(this->polymorphic_invoke());
    return f(this->bind_state_.get(), std::forward<Args>(args)...);
  }

  R Run(Args... args) && {
    // Move the callback instance into a local variable before the invocation,
    // that ensures the internal state is cleared after the invocation.
    // It's not safe to touch |this| after the invocation, since running the
    // bound function may destroy |this|.
    Callback cb = std::move(*this);
    PolymorphicInvoke f =
        reinterpret_cast<PolymorphicInvoke>(cb.polymorphic_invoke());
    return f(cb.bind_state_.get(), std::forward<Args>(args)...);
  }

After the changes above, Bluetooth basically works normally and behaves stably.