【转载】art gc相关死锁黑屏问题总结

时间:2025-01-25 07:03:38

art gc相关死锁黑屏问题总结 | wwm的笔记

背景:

从测试同学那边拿过来两台黑屏的机器,点击电源、屏幕都没有反应,不过还好adb可以链接,有root权限,一番deubgging后,确认表面原因是system_server进程的art虚拟机卡在了gc前flip线程状态的操作中,而最终的root cause也比较有意思,所以本文就简单记录下问题的排查过程。

1. 按照习惯,快速检查下是否发生了watchdog

$ adb shell ``ls` `-l ``/data/anr/
-rw------- 1 system system 53592 2019-05-03 14:21 anr_2019-05-03-14-21-53-368
-rw------- 1 system system 845398 2019-05-03 14:30 anr_2019-05-03-14-30-03-498
-rw------- 1 system system 1078028 2019-05-03 14:58 anr_2019-05-03-14-58-40-505
-rw------- 1 system system 1060669 2019-05-03 14:59 anr_2019-05-03-14-59-00-410
-rw------- 1 system system 527393 2019-05-03 17:32 anr_2019-05-03-17-32-22-852
-rw------- 1 system system 619826 2019-05-03 17:33 anr_2019-05-03-17-32-58-212
// ...

并没有watchdog相关日志

2. 查看系统当前时间

`$ adb shell ``date``Sun May  5 13:52:25 CST 2019`

3. 查看system_server进程各个线程的状态

$ pid=`adb shell pidof system_server` && adb shell ``ps` `-T $pid
USER           PID   TID  PPID     VSZ    RSS WCHAN            ADDR S CMD           
system        1471  1471   635 11629888 168336 futex_wait_queue_me 0 S system_server
system        1471  1477   635 11629888 168336 do_sigtimedwait    0 S Signal Catcher
system        1471  1478   635 11629888 168336 futex_wait_queue_me 0 S ADB-JDWP Connec
system        1471  1479   635 11629888 168336 futex_wait_queue_me 0 S Binder:filter-p
system        1471  1480   635 11629888 168336 poll_schedule_timeout 0 S Binder:``read``-per
system        1471  1481   635 11629888 168336 futex_wait_queue_me 0 S ReferenceQueueD
system        1471  1482   635 11629888 168336 futex_wait_queue_me 0 S FinalizerDaemon
system        1471  1483   635 11629888 168336 futex_wait_queue_me 0 S FinalizerWatchd
system        1471  1484   635 11629888 168336 futex_wait_queue_me 0 S HeapTaskDaemon
system        1471  1524   635 11629888 168336 futex_wait_queue_me 0 S Binder:1471_1
system        1471  1525   635 11629888 168336 futex_wait_queue_me 0 S Binder:1471_2
system        1471  1673   635 11629888 168336 futex_wait_queue_me 0 S android.``bg
system        1471  1675   635 11629888 168336 futex_wait_queue_me 0 S ActivityManager
system        1471  1676   635 11629888 168336 SyS_epoll_wait     0 S 
system        1471  1677   635 11629888 168336 SyS_epoll_wait     0 S ActivityManager
system        1471  1678   635 11629888 168336 SyS_epoll_wait     0 S ActivityManager
system        1471  1684   635 11629888 168336 futex_wait_queue_me 0 S batterystats-wo
system        1471  1687   635 11629888 168336 wait_woken         0 S FileObserver
system        1471  1688   635 11629888 168336 futex_wait_queue_me 0 S android.``fg
system        1471  1689   635 11629888 168336 futex_wait_queue_me 0 S 
system        1471  1690   635 11629888 168336 futex_wait_queue_me 0 S 
system        1471  1691   635 11629888 168336 futex_wait_queue_me 0 S CpuTracker
system        1471  1692   635 11629888 168336 futex_wait_queue_me 0 S PowerManagerSer
system        1471  1693   635 11629888 168336 futex_wait_queue_me 0 S BatteryStats_wa
system        1471  1694   635 11629888 168336 SyS_epoll_wait     0 S work-thread
system        1471  1695   635 11629888 168336 SyS_epoll_wait     0 S PackageManager
system        1471  1696   635 11629888 168336 SyS_epoll_wait     0 S PackageManager
system        1471  1817   635 11629888 168336 SyS_epoll_wait     0 S PackageInstalle
system        1471  1821   635 11629888 168336 SyS_epoll_wait     0 S 
system        1471  1822   635 11629888 168336 SyS_epoll_wait     0 S 
...

这一步主要是快速检查下有没有D(disk blocked)状态的线程

3. 查看system_server进程backtrace

$ pid=`adb shell pidof system_server` && adb shell ``kill` `-3 $pid

得到:

点击下载完整backtrace!system_server_1471堆栈-Android文档类资源-****下载

   
检查各个线程在虚拟机内部的状态后,看到一个比较奇怪的现象:

"Binder:filter-perf-event"` `prio=``5` `tid=``4` `WaitingForGcThreadFlip
"HeapTaskDaemon"` `daemon prio=``5` `tid=``9` `WaitingForGcThreadFlip
"PowerManagerService"` `prio=``5` `tid=``24` `WaitingForGcThreadFlip
"HwBinder:1471_1"` `prio=``5` `tid=``35` `WaitingForGcThreadFlip
"WifiStateMachine"` `prio=``5` `tid=``56` `WaitingForGcThreadFlip
"Binder:1471_3"` `prio=``5` `tid=``92` `WaitingForGcThreadFlip
"Binder:1471_5"` `prio=``5` `tid=``105` `WaitingForGcThreadFlip
"Binder:1471_7"` `prio=``5` `tid=``107` `WaitingForGcThreadFlip
"Binder:1471_A"` `prio=``5` `tid=``120` `WaitingForGcThreadFlip
"Binder:1471_D"` `prio=``5` `tid=``123` `WaitingForGcThreadFlip
"Binder:1471_E"` `prio=``5` `tid=``124` `WaitingForGcThreadFlip
"Binder:1471_11"` `prio=``5` `tid=``127` `WaitingForGcThreadFlip
"Binder:1471_17"` `prio=``5` `tid=``133` `WaitingForGcThreadFlip
"Binder:1471_18"` `prio=``5` `tid=``134` `WaitingForGcThreadFlip
"Binder:1471_19"` `prio=``5` `tid=``135` `WaitingForGcThreadFlip
"HwBinder:1471_4"` `prio=``5` `tid=``12` `WaitingForGcThreadFlip
"Binder:1471_20"` `prio=``5` `tid=``146` `WaitingForGcThreadFlip
"HwBinder:1471_5"` `prio=``5` `tid=``34` `WaitingForGcToComplete
"ADB-JDWP Connection Control Thread"` `daemon prio=``0` `tid=``5` `WaitingForGcToComplete
""` `prio=``5` `tid=``21` `WaitingForGcToComplete
"CpuTracker"` `prio=``5` `tid=``23` `WaitingForGcToComplete
"UEventObserver"` `prio=``5` `tid=``36` `WaitingForGcToComplete
"HwBinder:1471_2"` `prio=``5` `tid=``43` `WaitingForGcToComplete
"HwBinder:1471_3"` `prio=``5` `tid=``44` `WaitingForGcToComplete
"NetdConnector"` `prio=``5` `tid=``50` `WaitingForGcToComplete
"WifiService"` `prio=``5` `tid=``55` `WaitingForGcToComplete
"DeviceStorageMonitorService"` `prio=``5` `tid=``67` `WaitingForGcToComplete
"SecurityWriteHandlerThread"` `prio=``5` `tid=``72` `WaitingForGcToComplete
"watchdog"` `prio=``5` `tid=``101` `WaitingForGcToComplete
"HwBinder:1471_5"` `prio=``5` `tid=``34` `WaitingForGcToComplete
"Timer-20"` `prio=``5` `tid=``170` `WaitingForGcToComplete
"IpClient.wlan0"` `prio=``5` `tid=``176` `WaitingForGcToComplete
"OkHttp ConnectionPool"` `daemon prio=``5` `tid=``185` `WaitingForGcToComplete
...
"main"` `prio=``5` `tid=``1` `Blocked
"Binder:1471_1"` `prio=``5` `tid=``10` `Blocked
"Binder:1471_2"` `prio=``5` `tid=``11` `Blocked
""` `prio=``5` `tid=``13` `Blocked
"ActivityManager"` `prio=``5` `tid=``14` `Blocked
"batterystats-worker"` `prio=``5` `tid=``18` `Blocked
""` `prio=``5` `tid=``20` `Blocked
""` `prio=``5` `tid=``22` `Blocked
"AlarmManager"` `prio=``5` `tid=``40` `Blocked
"InputDispatcher"` `prio=``10` `tid=``46` `Blocked
"InputReader"` `prio=``10` `tid=``47` `Blocked
""` `prio=``5` `tid=``53` `Blocked
"Binder:1471_4"` `prio=``5` `tid=``93` `Blocked
"Binder:1471_6"` `prio=``5` `tid=``106` `Blocked
"Binder:1471_8"` `prio=``5` `tid=``108` `Blocked
"Binder:1471_9"` `prio=``5` `tid=``118` `Blocked
"Binder:1471_B"` `prio=``5` `tid=``121` `Blocked
"Binder:1471_C"` `prio=``5` `tid=``122` `Blocked
"Binder:1471_F"` `prio=``5` `tid=``125` `Blocked
"Binder:1471_10"` `prio=``5` `tid=``126` `Blocked
"Binder:1471_12"` `prio=``5` `tid=``128` `Blocked
"Binder:1471_13"` `prio=``5` `tid=``129` `Blocked
"Binder:1471_14"` `prio=``5` `tid=``130` `Blocked
"Binder:1471_15"` `prio=``5` `tid=``131` `Blocked
"Binder:1471_16"` `prio=``5` `tid=``132` `Blocked
"Binder:1471_1A"` `prio=``5` `tid=``136` `Blocked
"Binder:1471_1B"` `prio=``5` `tid=``140` `Blocked
"Binder:1471_1C"` `prio=``5` `tid=``117` `Blocked
"Binder:1471_1D"` `prio=``5` `tid=``141` `Blocked
"Binder:1471_1E"` `prio=``5` `tid=``144` `Blocked
"Binder:1471_1F"` `prio=``5` `tid=``145` `Blocked
"NetworkMonitorNetworkAgentInfo [WIFI () - 950]"` `prio=``5` `tid=``149` `Blocked

一堆线程都是gc相关的状态,具体什么意思,我也不关心,还是再继续看下blocked的线程,都具体卡在什么地方:

"Binder:1471_6" prio=5 tid=106 Blocked
  | group="main" sCount=1 dsCount=0 flags=1 obj=0x14064288 self=0x721bdfb000
  | sysTid=2126 nice=0 cgrp=default sched=0/0 handle=0x72107ff4f0
  | state=S schedstat=( 5605933458050 5415448290382 12052578 ) utm=475916 stm=84677 core=5 HZ=100
  | stack=0x7210704000-0x7210706000 stackSize=1009KB
  | held mutexes=
  at (:4825)
  - waiting to lock <0x05e68352> (a ) held by thread 53
  at $3600(:291)
  at $(:4900)
  at (:1133)
  at (:1163)
  at (:1185)
  at $(:85)
  at (:728)
 
"Binder:1471_8" prio=5 tid=108 Blocked
  | group="main" sCount=1 dsCount=0 flags=1 obj=0x14064398 self=0x7219dd9000
  | sysTid=2168 nice=0 cgrp=default sched=0/0 handle=0x720fdff4f0
  | state=S schedstat=( 5601724562758 5464273391739 12340199 ) utm=473400 stm=86772 core=6 HZ=100
  | stack=0x720fd04000-0x720fd06000 stackSize=1009KB
  | held mutexes=
  at (:8527)
  - waiting to lock <0x00c6c1f5> (a ) held by thread 146
  at $(:225)
  at (:3399)
  at (:728)
 
"" prio=5 tid=53 Blocked
  | group="main" sCount=1 dsCount=0 flags=1 obj=0x1405f790 self=0x72163fc000
  | sysTid=1881 nice=-2 cgrp=default sched=0/0 handle=0x721767d4f0
  | state=S schedstat=( 992941159886 2687927167537 3629569 ) utm=24231 stm=75063 core=5 HZ=100
  | stack=0x721757a000-0x721757c000 stackSize=1041KB
  | held mutexes=
  at $(:27503)
  - waiting to lock <0x00c6c1f5> (a ) held by thread 146
  at (:4461)
  - locked <0x05e68352> (a )
  at $(:4435)
  at (:102)
  at (:207)
  at (:65)
  at (:44)

接着看 0x05e68352 和 0x00c6c1f5 这俩monitor锁的持有线程:

"Binder:1471_20" prio=5 tid=146 WaitingForGcThreadFlip
  | group="main" sCount=1 dsCount=0 flags=1 obj=0x14147028 self=0x72126b5800
  | sysTid=18045 nice=-2 cgrp=default sched=0/0 handle=0x72049824f0
  | state=S schedstat=( 6101767900274 5905637387083 13051781 ) utm=516502 stm=93674 core=7 HZ=100
  | stack=0x7204887000-0x7204889000 stackSize=1009KB
  | held mutexes=
  kernel: __switch_to+0xa4/0xfc
  kernel: futex_wait_queue_me+0xc4/0x13c
  kernel: futex_wait+0xe4/0x204
  kernel: do_futex+0x168/0x80c
  kernel: SyS_futex+0x90/0x1b8
  kernel: __sys_trace+0x4c/0x4c
  native: #00 pc 000000000001ef2c  /system/lib64/ (syscall+28)
  native: #01 pc 00000000000d855c  /system/lib64/ (art::ConditionVariable::WaitHoldingLocks(art::Thread*)+148)
  native: #02 pc 00000000001f0680  /system/lib64/ (art::gc::Heap::IncrementDisableThreadFlip(art::Thread*)+516)
  native: #03 pc 0000000000384fe4  /system/lib64/ (art::JNI::GetStringCritical(_JNIEnv*, _jstring*, unsigned char*)+692)
  native: #04 pc 000000000012e268  /system/lib64/libandroid_runtime.so (android::android_os_Parcel_writeString(_JNIEnv*, _jclass*, long, _jstring*)+64)
  at (Native method)
  at $(:369)
  at (:707)
  at (:652)
  at (:1513)
  at $Stub$(:943)
  at (:8146)
  at (:8255)
  - locked <0x00c6c1f5> (a )
  at $(:199)
  at (:3399)
  at (:728)

可以看到还是owner线程正是之前 WaitingForGcThreadFlip 中的一员,那么下一步通过gdb看下这一类线程具体卡在哪一行代码上:

  • 根据机器的版本号确认symbol文件后,通过公司同事分享的脚本一行命令就可以attach到system_server进程上
  • $ ~/Documents/gdb_native_tools/ attach /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols system_server
     
    process: system_server, pid(1471), parent(zygote64)
    gdbserver:/data/local/tmp/gdbserver64
    bin_path: /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/bin/
    solib:    /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/lib64/
    bin:      /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/bin/app_process64
     
    Attached; pid = 1471
    gdbserver: Unable to determine the number of hardware watchpoints available.
    gdbserver: Unable to determine the number of hardware breakpoints available.
    Listening on port 1234
     
    GNU gdb (GDB) 7.11
    Copyright (C) 2016 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later </licenses/>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    </software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    </software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word".
    Reading symbols from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/bin/app_process64...done.
    Remote debugging using localhost:1234
    Remote debugging from host 127.0.0.1
    warning: .dynamic section for "/home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/bin/app_process64" is not at the expected address (wrong library or version mismatch?)
    warning: .dynamic section for "/home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/lib64/libandroid_runtime.so" is not at the expected address (wrong library or version mismatch?)
    warning: .dynamic section for "/home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/lib64/" is not at the expected address (wrong library or version mismatch?)
    warning: .dynamic section for "/home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/lib64/" is not at the expected address (wrong library or version mismatch?)
    warning: .dynamic section for "/home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/lib64/" is not at the expected address (wrong library or version mismatch?)
    warning: Could not load shared library symbols for 15 libraries, . /system/lib64/libclang_rt.ubsan_standalone.
    Use the "info sharedlibrary" command to see the complete listing.
    Do you need "set solib-search-path" or "set sysroot"?
    Reading symbols from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/bin/app_process64...done.
    Reading symbols from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/bin/linker64...done.
    ......
    syscall () at bionic/libc/arch-arm64/bionic/:41
    41  bionic/libc/arch-arm64/bionic/: No such file or directory.
    Source directories searched: /mnt/miui/v10-p-dipper-alpha:$cdir:$cwd
    #0  syscall () at bionic/libc/arch-arm64/bionic/:41
    #1  0x0000007238a80560 in art::futex (uaddr=0x723961df68, op=0, val=20935915, timeout=0x7fc723ee90, uaddr2=0x7fc723ee90, val3=0) at art/runtime/base/:43
    #2  art::ConditionVariable::WaitHoldingLocks (this=0x723961df58, self=0x7239614c00) at art/runtime/base/:953
    #3  0x0000007238d6241c in art::Monitor::Lock<(art::LockReason)1> (this=0x723961df20, self=0x7239614c00) at art/runtime/:559
    #4  0x0000007238d687a8 in art::Monitor::MonitorEnter (self=0x7239614c00, obj=<optimized out>, trylock=<optimized out>) at art/runtime/:1462
    #5  0x0000007238ec40fc in art::mirror::Object::MonitorEnter (this=0x62 <_DYNAMIC+98>, self=0x7239614c00) at art/runtime/mirror/:98
    #6  artLockObjectFromCode (obj=0x62 <_DYNAMIC+98>, self=0x7239614c00) at art/runtime/entrypoints/quick/quick_lock_entrypoints.cc:32
    #7  0x0000007238f04e9c in art_quick_lock_object () at art/runtime/arch/arm64/quick_entrypoints_arm64.S:1510
    #8  0x00000072207cf6a4 in ?? ()
    Backtrace stopped: not enough registers or memory available to unwind further
    /home/pip/Documents/gdb_native_tools/gdb-script/: No such file or directory.
    /home/pip/Documents/gdb_native_tools/shadow/gdb_driver.py: No such file or directory.
    (gdb) handle SIG35 nostop noprint pass
    Signal        Stop  Print   Pass to program Description
    SIG35         No    No  Yes     Real-time event 35
    (gdb) handle SIG33 nostop noprint pass
    Signal        Stop  Print   Pass to program Description
    SIG33         No    No  Yes     Real-time event 33
    

tips:handle SIG35 nostop noprint pass 是为了不处理android平台上用于抓native trace的 sig35 信号,减小我们的调试过程意外中断的可能性(只是个习惯, 这个问题中其实不做也没关系)

  • 切换到gc线程
  • (gdb) thread 9
    [Switching to thread 9 (Thread 1471.1484)]
    #0  syscall () at bionic/libc/arch-arm64/bionic/:41
    41      svc     #0
    (gdb) bt
    #0  syscall () at bionic/libc/arch-arm64/bionic/:41
    #1  0x0000007238a80560 in art::futex (uaddr=0x7239723910, op=0, val=93152, timeout=0x7221a89ab0, uaddr2=0x7221a89ab0, val3=0) at art/runtime/base/:43
    #2  art::ConditionVariable::WaitHoldingLocks (this=0x7239723900, self=0x723966b000) at art/runtime/base/:953
    #3  0x0000007238b98d54 in art::gc::Heap::ThreadFlipBegin (this=0x72396b7600, self=0x723966b000) at art/runtime/gc/:845 // <<<<<<<<<<<<<<<<<<<<<<<
    #4  0x0000007238e52204 in art::ThreadList::FlipThreadRoots (this=<optimized out>, thread_flip_visitor=0x7221a89ca0, flip_callback=<optimized out>, collector=
        0x7239716500, pause_listener=<optimized out>) at art/runtime/thread_list.cc:591
    #5  0x0000007238b65cc4 in art::gc::collector::ConcurrentCopying::FlipThreadRoots (this=0x7239716500) at art/runtime/gc/collector/concurrent_copying.cc:620
    #6  0x0000007238b64c50 in art::gc::collector::ConcurrentCopying::RunPhases (this=0x7239716500) at art/runtime/gc/collector/concurrent_copying.cc:178
    #7  0x0000007238b7af80 in art::gc::collector::GarbageCollector::Run (this=0x7239716500, gc_cause=<optimized out>, clear_soft_references=<optimized out>)
        at art/runtime/gc/collector/garbage_collector.cc:96
    #8  0x0000007238b9d93c in art::gc::Heap::CollectGarbageInternal (this=0x72396b7600, gc_type=art::gc::collector::kGcTypeFull, gc_cause=art::gc::kGcCauseBackground,
        clear_soft_references=false) at art/runtime/gc/:2616
    #9  0x0000007238baeeb8 in art::gc::Heap::ConcurrentGC (this=0x72396b7600, self=<optimized out>, cause=art::gc::kGcCauseBackground, force_full=false)
        at art/runtime/gc/:3621
    #10 0x0000007238bb4524 in art::gc::Heap::ConcurrentGCTask::Run (this=<optimized out>, self=0x0 <_DYNAMIC>) at art/runtime/gc/:3582
    #11 0x0000007238bd692c in art::gc::TaskProcessor::RunAllTasks (this=0x72396bb100, self=0x723966b000) at art/runtime/gc/task_processor.cc:129
    #12 0x0000000072a7e3f0 in  [DEDUPED] ()
       from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/framework/arm64/
    #13 0x0000000072c20bd8 in $ ()
       from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/framework/arm64/
    #14 0x0000000072a80c40 in $ ()
       from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/framework/arm64/
    #15 0x0000000071baa4dc in  ()
       from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/framework/arm64/
    #16 0x0000007238f0498c in art_quick_invoke_stub () at art/runtime/arch/arm64/quick_entrypoints_arm64.S:1702
    #17 0x0000007238a78524 in art::ArtMethod::Invoke (this=0x6ff68ad8, self=0x723966b000, args=<optimized out>, args_size=<optimized out>, result=0x7221a8a310,
        shorty=0x7269daa9 "V") at art/runtime/art_method.cc:374
    #18 0x0000007238e07258 in art::(anonymous namespace)::InvokeWithArgArray (soa=..., method=0x6ff68ad8, arg_array=0x7221a8a318, result=<optimized out>,
        shorty=0x7269daa9 "V") at art/runtime/:456
    #19 0x0000007238e08314 in art::InvokeVirtualOrInterfaceWithJValues (soa=..., obj=0x5 <_DYNAMIC+5>, mid=<optimized out>, args=0x0 <_DYNAMIC>)
        at art/runtime/:548
    #20 0x0000007238e36764 in art::Thread::CreateCallback (arg=0x723966b000) at art/runtime/:473
    #21 0x00000072bb501db0 in __pthread_start (arg=0x7221a8a4f0) at bionic/libc/bionic/pthread_create.cpp:254
    #22 0x00000072bb4a378c in __start_thread (fn=0x72bb501d88 <__pthread_start(void*)>, arg=0x7221a8a4f0) at bionic/libc/bionic/:52
    

结合代码: art/runtime/gc/#845

void Heap::ThreadFlipBegin(Thread* self) {
  // Supposed to be called by GC. Set thread_flip_running_ to be true. If disable_thread_flip_count_
  // > 0, block. Otherwise, go ahead.
  CHECK(kUseReadBarrier);
  ScopedThreadStateChange tsc(self, kWaitingForGcThreadFlip);
  MutexLock mu(self, *thread_flip_lock_);
  bool has_waited = false;
  uint64_t wait_start = NanoTime();
  CHECK(!thread_flip_running_);
  // Set this to true before waiting so that frequent JNI critical enter/exits won't starve
  // GC. This like a writer preference of a reader-writer lock.
  thread_flip_running_ = true;
  while (disable_thread_flip_count_ > 0) { // <<<<<<<<<<<<
    has_waited = true;
    thread_flip_cond_->Wait(self); // <<<<<<<<<<<<<
  }
  if (has_waited) {
    uint64_t wait_time = NanoTime() - wait_start;
    total_wait_time_ += wait_time;
    if (wait_time > long_pause_log_threshold_) {
      LOG(INFO) << __FUNCTION__ << " blocked for " << PrettyDuration(wait_time);
    }
  }
}

既然在等待一个condition,那么 disable_thread_flip_count_ 肯定是大于0的,我们可以打印一下这个变量的值:

(gdb) print disable_thread_flip_count_
$1 = 1

果然它是1,正常情况下,当前线程在thread_flip_cond_这个条件上wait一段时间后,肯定会有一个线程会去notify它,来唤醒处于wait状态的线程;

  • 那么,接下来自然是快速过一下源码,看看都有哪些函数会去操作thread_flip_cond_:
void Heap::ThreadFlipEnd(Thread* self) {
  // Supposed to be called by GC. Set thread_flip_running_ to false and potentially wake up mutators
  // waiting before doing a JNI critical.
  CHECK(kUseReadBarrier);
  MutexLock mu(self, *thread_flip_lock_);
  CHECK(thread_flip_running_);
  thread_flip_running_ = false;
  // Potentially notify mutator threads blocking to enter a JNI critical section.
  thread_flip_cond_->Broadcast(self);  // <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}
 
void Heap::DecrementDisableThreadFlip(Thread* self) {
  // Supposed to be called by mutators. Decrement disable_thread_flip_count_ and potentially wake up
  // the GC waiting before doing a thread flip.
  CHECK(kUseReadBarrier);
  self->DecrementDisableThreadFlipCount();
  bool is_outermost = self->GetDisableThreadFlipCount() == 0;
  if (!is_outermost) {
    // If this is not an outermost JNI critical exit, we don't need to decrement the global counter.
    // The global counter is decremented only once for a thread for the outermost exit.
    return;
  }
  MutexLock mu(self, *thread_flip_lock_);
  CHECK_GT(disable_thread_flip_count_, 0U);
  --disable_thread_flip_count_;
  if (disable_thread_flip_count_ == 0) {
    // Potentially notify the GC thread blocking to begin a thread flip.
    thread_flip_cond_->Broadcast(self); // <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  }
}

再看一下各个线程的backtrace,确认了,没有哪个在调用上面两个任意一个

  • 那些处于WaitingForGcThreadFlip的线程block在哪?
  • (gdb) t 23
    [Switching to thread 23 (Thread 1471.1692)]
    #0  syscall () at bionic/libc/arch-arm64/bionic/:41
    41      svc     #0
    (gdb) bt
    #0  syscall () at bionic/libc/arch-arm64/bionic/:41
    #1  0x0000007238a80560 in art::futex (uaddr=0x7239723910, op=0, val=93152, timeout=0x721cbe2850, uaddr2=0x721cbe2850, val3=0) at art/runtime/base/:43
    #2  art::ConditionVariable::WaitHoldingLocks (this=0x7239723900, self=0x721d26a000) at art/runtime/base/:953
    #3  0x0000007238b98684 in art::gc::Heap::IncrementDisableThreadFlip (this=0x72396b7600, self=0x721d26a000) at art/runtime/gc/:798
    #4  0x0000007238d2cfe8 in art::JNI::GetStringCritical (env=<optimized out>, java_string=<optimized out>, is_copy=0x0 <_DYNAMIC>) at art/runtime/jni_internal.cc:1887
    #5  0x00000072bae3177c in android::sp<android::IGraphicBufferProducer>::~sp (this=0x0 <_DYNAMIC>) at system/core/libutils/include/utils/:156
    #6  android::nativeCreateScoped (env=<optimized out>, clazz=<optimized out>, surfaceObject=<optimized out>)
        at frameworks/base/core/jni/android_view_SurfaceSession.cpp:51
    #7  0x00000000748c94ac in  ()
       from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/framework/arm64/
    #8  0x0000000000000000 in ?? () from /home/pip/Downloads/e8-V10.3.3.-gcflip-hang/out/target/product/equuleus/symbols/system/bin/app_process64
    

art/runtime/gc/:798 对应的代码:

void Heap::IncrementDisableThreadFlip(Thread* self) {
  // Supposed to be called by mutators. If thread_flip_running_ is true, block. Otherwise, go ahead.
  CHECK(kUseReadBarrier);
  bool is_nested = self->GetDisableThreadFlipCount() > 0;
  self->IncrementDisableThreadFlipCount();
  if (is_nested) {
    // If this is a nested JNI critical section enter, we don't need to wait or increment the global
    // counter. The global counter is incremented only once for a thread for the outermost enter.
    return;
  }
  ScopedThreadStateChange tsc(self, kWaitingForGcThreadFlip);     // <<<<<<<<<<<<<<<<<<<<<<< 改变线程状态
  MutexLock mu(self, *thread_flip_lock_);
  bool has_waited = false;
  uint64_t wait_start = NanoTime();
  if (thread_flip_running_) {
    ScopedTrace trace("IncrementDisableThreadFlip");
    while (thread_flip_running_) {
      has_waited = true;
      thread_flip_cond_->Wait(self); // <<<<<<<<<<<<<<<<<<<<
    }
  }
  ++disable_thread_flip_count_;
  if (has_waited) {
    uint64_t wait_time = NanoTime() - wait_start;
    total_wait_time_ += wait_time;
    if (wait_time > long_pause_log_threshold_) {
      LOG(INFO) << __FUNCTION__ << " blocked for " << PrettyDuration(wait_time);
    }
  }
}

所以到这儿,我们清楚的一点是,肯定是由于某个线程没有正常调用 DecrementDisableThreadFlip() 函数,导致 disable_thread_flip_count_ 一直不为0;

  • disable_thread_flip_count_ 一直不为 0 这个锅应该是谁的?
    仔细看一下上面这个函数的代码,不仅全局有个disable_thread_flip_count_, 同时每个线程还有thread local的 disable_thread_flip_count,每次调用IncrementDisableThreadFlip()开始的时候,都会先执行Thread::Current()->IncrementDisableThreadFlipCount(),看下它的代码:
  • // art/runtime/
    uint32_t GetDisableThreadFlipCount() const {
      CHECK(kUseReadBarrier);
      return tls32_.disable_thread_flip_count;
    }
    

YEAH!下面只需要逐个遍历art里面每个线程,把 tls32_.disable_thread_flip_count > 1的部分打印出来:
稍微修改一下gdb脚本下的 脚本里的art_dump_thread_list_base函数:

define art_dump_thread_list
    art_dump_thread_list_base 0
end
 
define art_dump_thread_list_base
    set $dump_mutex = $arg0
    #  第一个节点
    set $first = ('art::Runtime'::instance_)->thread_list_->list_->__end_->__next_
    printf "\n  Id    Thread Id   art::Thread*    disable_flip_count    STATE         FLAGS                NAME             SUSPEND_COUNT           MUTEX\n"
 
    set $list_node = 0
    set $count = 1
 
    while $list_node != $first
        if $list_node == 0
            set $list_node = $first
        end
         
        set $thread = ('art::Thread'*)(*(void**)((uint64_t)$list_node + 2*sizeof(void*)))
        set $flip_count = (('art::Thread'*)$thread)->tls32_->disable_thread_flip_count
        if $flip_count != 0  # <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 1 
            set $thread_id = (('art::Thread'*)$thread)->tls32_->tid
 
            #printf "monitor_enter_object: 0x%lx", $thread->tlsPtr_.monitor_enter_object
            printf "%4d     %6d     %p   ", $count, $thread_id, $thread
 
            printf "         %d        ", $flip_count # <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 2
 
            thread_print_state $thread
 
            printf "              "
            thread_print_name $thread
            printf "              "
            thread_print_suspend_count $thread
 
            if $dump_mutex == 1
                thread_print_mutex $thread
            end
 
            printf "\n"
        end
 
        set $list_node = $list_node->__next_
        set $count = $count + 1
 
        if $list_node == $first
            loop_break
        end
    end
end

然后重新导入脚本然后执行这个函数即可:

(gdb) source /home/pip/Documents/gdb_native_tools/
(gdb) art_dump_thread_list
  Id    Thread Id   art::Thread*    disable_flip_count    STATE                       NAME                        SUSPEND_COUNT        
   4       1479     0x723973c800            1          kWaitingForGcThreadFlip     Binder:filter-perf-event     0
  23       1692     0x721d26a000            1          kWaitingForGcThreadFlip     PowerManagerService          0
  31       1825     0x722b7ab800            1          kWaitingForGcThreadFlip     HwBinder:1471_1              0
  52       1884     0x721c426c00            1          kWaitingForGcThreadFlip     WifiStateMachine             0
  88       1938     0x721bc96800            1          kWaitingForGcThreadFlip     Binder:1471_3                0
  98       2125     0x721c54d000            1          kWaitingForGcThreadFlip     Binder:1471_5                0
 100       2166     0x721a129800            1          kWaitingForGcThreadFlip     Binder:1471_7                0
 113       2894     0x7219cc1000            1          kWaitingForGcThreadFlip     Binder:1471_A                0
 116       2949     0x721273ec00            1          kWaitingForGcThreadFlip     Binder:1471_D                0
 117       2950     0x7219cc0400            1          kWaitingForGcThreadFlip     Binder:1471_E                0
 120       3089     0x720b025000            1          kWaitingForGcThreadFlip     Binder:1471_11               0
 126       3135     0x720c454800            1          kWaitingForGcThreadFlip     Binder:1471_17               0
 127       3140     0x721929cc00            1          kWaitingForGcThreadFlip     Binder:1471_18               0
 128       3142     0x720eb42000            1          kWaitingForGcThreadFlip     Binder:1471_19               0
 132       8981     0x7219d25800            1          kWaitingForGcThreadFlip     HwBinder:1471_4              0
 142      18045     0x72126b5800            1          kWaitingForGcThreadFlip     Binder:1471_20               0
 181       4738     0x7211c94400            1          kNative                     AsyncTask #36709             0

最后那个 AsyncTask #36709 十分可疑,别的线程的disable_flip_count 为1的原因是正在调用 IncrementDisableThreadFlip()函数,OK,接着看下它在执行什么函数:

  • 嫌疑人 “AsyncTask #36709” 干了些什么?
  • "AsyncTask #36709" prio=5 tid=180 Native
      | group="main" sCount=1 dsCount=0 flags=1 obj=0x14d149c8 self=0x7211c94400
      | sysTid=4738 nice=0 cgrp=default sched=0/0 handle=0x708411b4f0
      | state=S schedstat=( 3931924 16620626 18 ) utm=0 stm=0 core=7 HZ=100
      | stack=0x7084018000-0x708401a000 stackSize=1041KB
      | held mutexes=
      kernel: __switch_to+0xa4/0xfc
      kernel: binder_thread_read+0xa78/0x11a0
      kernel: binder_ioctl+0x920/0xb08
      kernel: do_vfs_ioctl+0xb8/0x8d8
      kernel: SyS_ioctl+0x84/0x98
      kernel: __sys_trace+0x4c/0x4c
      native: #00 pc 000000000006e5bc  /system/lib64/ (__ioctl+4)
      native: #01 pc 0000000000029544  /system/lib64/ (ioctl+136)
      native: #02 pc 000000000001e22c  /system/lib64/ (android::hardware::IPCThreadState::talkWithDriver(bool)+240)
      native: #03 pc 000000000001e884  /system/lib64/ (android::hardware::IPCThreadState::waitForResponse(android::hardware::Parcel*, int*)+324)
      native: #04 pc 0000000000012204  /system/lib64/ (android::hardware::BpHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+312)
      native: #05 pc 00000000000c9764  /system/lib64/@1. (android::hardware::gnss::V1_0::BpHwGnssXtra::_hidl_injectXtraData(android::hardware::IInterface*, android::hardware::details::HidlInstrumentor*, android::hardware::hidl_string const&)+244)
      native: #06 pc 000000000005d5c4  /system/lib64/libandroid_servers.so (android::android_location_GnssLocationProvider_inject_xtra_data(_JNIEnv*, _jobject*, _jbyteArray*, int)+268)
      at .native_inject_xtra_data(Native method)
      at $2300(:112)
      at $(:1140)
      at (:1167)
      at $(:641)
      at (:764)
    

它在一个jni里执行一个hw binder call,结合下代码:

// frameworks/base/services/core/jni/com_android_server_location_GnssLocationProvider.cpp#1613
static void android_location_GnssLocationProvider_inject_xtra_data(JNIEnv* env, jobject /* obj */,
        jbyteArray data, jint length) {
    if (gnssXtraIface == nullptr) {
        ALOGE("XTRA Interface not supported");
        return;
    }
 
    jbyte* bytes = reinterpret_cast<jbyte *>(env->GetPrimitiveArrayCritical(data, 0));
    gnssXtraIface->injectXtraData(std::string((const char*)bytes, length));
    env->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT);
}

(不熟悉art实现)一眼看过去,都是正常的jni调用,好像跟disable_flip_count没啥关系呀?全局搜一下DecrementDisableThreadFlip()和IncrementDisableThreadFlip被调用的地方:

ReleaseStringCritical() → DecrementDisableThreadFlip()
ReleasePrimitiveArray() → DecrementDisableThreadFlip()

GetPrimitiveArrayCritical() → IncrementDisableThreadFlip()
GetStringCritical() → IncrementDisableThreadFlip()

到这个地方,稍稍消化总结一下,不难推断出:
这个问题必然是因为 AsyncTask #36709 在执行jni调用过程中,它执行了:
GetPrimitiveArrayCritical() → IncrementDisableThreadFlip() → 使得全局变量 disable_thread_flip_count_ = 1
但是在继续执行 gnssXtraIface →injectXtraData() 这个 hal 接口的时候,一直被block,自然无法执行 ReleasePrimitiveArrayCritical() → DecrementDisableThreadFlip() → disable_thread_flip_count_ = 0

4. gnssXtraIface→injectXtraData() 为什么会一直被block?

查看binder transactin日志

$ adb shell cat /sys/kernel/debug/binder/transactions
 
proc 1471
context hwbinder
  thread 1673: l 00 need_return 0 tr 0
    incoming transaction 979513688: ffffffed66132800 from 1007:1007 to 1471:1673 code 2 flags 10 pri 0:120 r1 node 978962390 size 48:0 data ffffff8014f00258
    outgoing transaction 979513687: ffffffed66133e00 from 1471:1673 to 1007:1007 code 3 flags 10 pri 0:120 r1
  thread 8981: l 01 need_return 0 tr 0
    incoming transaction 979513990: ffffffed2541c700 from 1007:2040 to 1471:8981 code 4 flags 10 pri 0:120 r1 node 978962390 size 132:16 data ffffff8014f00508
  thread 4738: l 00 need_return 0 tr 0
    outgoing transaction 979513850: ffffffee6324a400 from 1471:4738 to 1007:0 code 2 flags 10 pri 0:120 r1
  thread 8981: l 01 need_return 0 tr 0
    incoming transaction 979513990: ffffffed2541c700 from 1007:2040 to 1471:8981 code 4 flags 10 pri 0:120 r1 node 978962390 size 132:16 data ffffff8014f00508
 
proc 1007
context hwbinder8981
  thread 1007: l 12 need_return 0 tr 0
    outgoing transaction 979513688: ffffffed66132800 from 1007:1007 to 1471:1673 code 2 flags 10 pri 0:120 r1
    incoming transaction 979513687: ffffffed66133e00 from 1471:1673 to 1007:1007 code 3 flags 10 pri 0:120 r1 node 956 size 36:0 data ffffff8012000008
  thread 2040: l 10 need_return 0 tr 0
    outgoing transaction 979513990: ffffffed2541c700 from 1007:2040 to 1471:8981 code 4 flags 10 pri 0:120 r1
pending transaction 979513850: ffffffee6324a400 from 1471:4738 to 1007:0 code 2 flags 10 pri 0:120 r1 node 5700 size 120:16 data ffffff8012000030

incoming transaction from 1471:4738 to 1007:0,得到对端进程pid为1007, 继续看下这个进程里各个线程的状态

$ adb shell ps -T 1007
USER           PID   TID  PPID     VSZ    RSS WCHAN            ADDR S CMD           
system        1007  1007     1   29016    156 binder_thread_read  0 S ignss_1_1
system        1007  2040     1   29016    156 binder_thread_read  0 S IPC Thread
system        1007 17865     1   29016    156 poll_schedule_timeout 0 S ignss_1_1

各个线程看起来都是正常的,通过debuggerd查看backtrace

$ adb shell debuggerd -b 1007
----- pid 1007 at 2019-05-05 13:25:52 -----
Cmd line: /vendor/bin/ignss_1_1
ABI: 'arm64'
 
"ignss_1_1" sysTid=1007
  #00 pc 000000000006e5bc  /system/lib64/ (__ioctl+4)
  #01 pc 0000000000029544  /system/lib64/ (ioctl+136)
  #02 pc 000000000001e22c  /system/lib64/vndk-sp-28/ (android::hardware::IPCThreadState::talkWithDriver(bool)+240)
  #03 pc 000000000001e77c  /system/lib64/vndk-sp-28/ (android::hardware::IPCThreadState::waitForResponse(android::hardware::Parcel*, int*)+60)
  #04 pc 0000000000012204  /system/lib64/vndk-sp-28/ (android::hardware::BpHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+312)
  #05 pc 0000000000097ddc  /system/lib64/@1. (android::hardware::gnss::V1_0::BpHwGnssCallback::_hidl_gnssStatusCb(android::hardware::IInterface*, android::hardware::details::HidlInstrumentor*, android::hardware::gnss::V1_0::IGnssCallback::GnssStatusValue)+208)
  #06 pc 000000000001ccf0  /vendor/lib64/@1. (android::hardware::gnss::V1_0::implementation::Gnss::statusCb(GpsStatus*)+68)
  #07 pc 000000000001b5b4  /vendor/lib64/hw/ (gps_stop()+156)
  #08 pc 0000000000013ae0  /vendor/lib64/hw/ (proxy__gps_stop()+168)
  #09 pc 000000000001e1d4  /vendor/lib64/@1. (android::hardware::gnss::V1_0::implementation::Gnss::stop()+28)
  #10 pc 0000000000088328  /system/lib64/@1. (android::hardware::gnss::V1_0::BnHwGnss::_hidl_stop(android::hidl::base::V1_0::BnHwBase*, android::hardware::Parcel const&, android::hardware::Parcel*, std::__1::function<void (android::hardware::Parcel&)>)+152)
  #11 pc 000000000002e324  /system/lib64/@1. (android::hardware::gnss::V1_1::BnHwGnss::onTransact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+1624)
  #12 pc 000000000001df34  /system/lib64/vndk-sp-28/ (android::hardware::BHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+72)
  #13 pc 000000000001508c  /system/lib64/vndk-sp-28/ (android::hardware::IPCThreadState::executeCommand(int)+1508)
  #14 pc 0000000000014938  /system/lib64/vndk-sp-28/ (android::hardware::IPCThreadState::getAndExecuteCommand()+204)
  #15 pc 0000000000015708  /system/lib64/vndk-sp-28/ (android::hardware::IPCThreadState::joinThreadPool(bool)+268)
  #16 pc 0000000000000cb8  /vendor/bin/ignss_1_1 (main+468)
  #17 pc 00000000000acec0  /system/lib64/ (__libc_init+88)
 
"IPC Thread" sysTid=2040
  #00 pc 000000000006e5bc  /system/lib64/ (__ioctl+4)
  #01 pc 0000000000029544  /system/lib64/ (ioctl+136)
  #02 pc 000000000001e22c  /system/lib64/vndk-sp-28/ (android::hardware::IPCThreadState::talkWithDriver(bool)+240)
  #03 pc 000000000001e884  /system/lib64/vndk-sp-28/ (android::hardware::IPCThreadState::waitForResponse(android::hardware::Parcel*, int*)+324)
  #04 pc 0000000000012204  /system/lib64/vndk-sp-28/ (android::hardware::BpHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+312)
  #05 pc 0000000000098294  /system/lib64/@1. (android::hardware::gnss::V1_0::BpHwGnssCallback::_hidl_gnssNmeaCb(android::hardware::IInterface*, android::hardware::details::HidlInstrumentor*, long, android::hardware::hidl_string const&)+272)
  #06 pc 000000000001d0b4  /vendor/lib64/@1. (android::hardware::gnss::V1_0::implementation::Gnss::nmeaCb(long, char const*, int)+112)
  #07 pc 00000000000136d8  /vendor/lib64/hw/ (proxy__gps_nmea_cb(long, char const*, int)+180)
  #08 pc 0000000000018c88  /vendor/lib64/hw/ (GpsiClient::marshal_gps_nmea_cb(IpcIncomingMessage&)+300)
  #09 pc 00000000000252a4  /vendor/lib64/hw/ (IpcPipeTransportBase::OnSelect(int, bool, bool, bool, void*)+344)
  #10 pc 0000000000025a28  /vendor/lib64/hw/ (SelectManager::PerformOneWaitAndProcess()+468)
  #11 pc 0000000000017860  /vendor/lib64/hw/ (ipc_thread_proc(void*)+56)
  #12 pc 0000000000023160  /vendor/lib64/@1. (threadFunc(void*)+12)
  #13 pc 0000000000081dac  /system/lib64/ (__pthread_start(void*)+36)
  #14 pc 0000000000023788  /system/lib64/ (__start_thread+68)
 
"ignss_1_1" sysTid=17865
  #00 pc 000000000006e604  /system/lib64/ (__pselect6+4)
  #01 pc 000000000002bbf8  /system/lib64/ (select+144)
  #02 pc 000000000001974c  /vendor/lib64/hw/ (SelectManager::PerformOneWaitAndProcess()+268)
  #03 pc 000000000000e8e8  /vendor/lib64/hw/ (ipc_thread_proc(void*)+116)
  #04 pc 0000000000081dac  /system/lib64/ (__pthread_start(void*)+36)
  #05 pc 0000000000023788  /system/lib64/ (__start_thread+68)
 
----- end 1007 -----

结合上面的binder call日志,可以看到ignss_1_1进程内部的两个binder线程都在回调system_server进程的binder 接口,没有空闲binder线程可以处理来自system_server的gnssXtraIface→injectXtraData() 请求!

incoming 1471:1673
outgoing 1007:1007 to 1471:1673 // blocked !
outgoing 1007:2040 to 1471:8981 // WaitingForGcThreadFlip !

. 1471:1673 并不是一个binder线程, 但确响应了来自1007:1007的binder call,这是binder api设计上面的优化,复用? todo:确认

"" prio=5 tid=13 Blocked
  | group="main" sCount=1 dsCount=0 flags=1 obj=0x13fc3428 self=0x7232239400
  | sysTid=1673 nice=0 cgrp=default sched=0/0 handle=0x721da8e4f0
  | state=S schedstat=( 19417818968810 14397831932031 20757829 ) utm=561393 stm=1380388 core=5 HZ=100
  | stack=0x721d98b000-0x721d98d000 stackSize=1041KB
  | held mutexes=
  at (:22705)
  - waiting to lock <0x00c6c1f5> (a ) held by thread 146
  at (:1195)
  at (:1766)
  at .native_stop(Native method)
  at (:1607)
  at (:1405)
  at (:1345)
  at $4100(:112)
  at $(:2400)
  at (:106)
  at (:207)
  at (:65)

5. 修复方案

所以这个问题也是system_server↔ ignss_1_1 这两个进程相互binder call + jni call + 虚拟机正好在执行垃圾回收;

参考 oracle的文档:

After calling GetPrimitiveArrayCritical, the native code should not run for an extended period of time before it calls ReleasePrimitiveArrayCritical. We must treat the code inside this pair of functions as running in a “critical region.” Inside a critical region, native code must not call other JNI functions, or any system call that may cause the current thread to block and wait for another Java thread. (For example, the current thread must not call read on a stream being written by another Java thread.)

These restrictions make it more likely that the native code will obtain an uncopied version of the array, even if the VM does not support pinning. For example, a VM may temporarily disable garbage collection when the native code is holding a pointer to an array obtained via GetPrimitiveArrayCritical.

GetPrimitiveArrayCritical 和 ReleasePrimitiveArrayCritical 两个函数间的代码执行耗时不应太久! 结合此处的业务逻辑,而且也不会被太频繁的调用,拷贝一份原始数组给binder call作为参数即可:

static void android_location_GnssLocationProvider_inject_xtra_data(JNIEnv* env, jobject /* obj */,
        jbyteArray data, jint length) {
    if (gnssXtraIface == nullptr) {
        ALOGE("XTRA Interface not supported");
        return;
    }
 
--    jbyte* bytes = reinterpret_cast<jbyte *>(env->GetPrimitiveArrayCritical(data, 0));
++    jbyte* bytes = reinterpret_cast<jbyte *>(env->GetByteArrayElements(data, 0));
    gnssXtraIface->injectXtraData(std::string((const char*)bytes, length));
--    env->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT);
++    env->ReleaseByteArrayElements(data, bytes, JNI_ABORT);
}