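// After hooking getStackTrace, start worker threads: GC threads force
// collections while the others keep calling the hooked getStackTrace.
new Thread("test_hook_stack") {
    @Override
    public void run() {
        // Install the hook first so every getStackTrace call made by the workers goes through it.
        hook_print_stack();
        // Two iterations: each starts one stack-reading thread ("test0", "test1") and one GC thread.
        for (int i = 0; i < 2; i++) {
            new GetCallStackThread("test" + i).start();
            new GCThread().start();
        }
    }
}.start();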
=====
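/**
 * Stress worker for the reproducer: in an endless loop it sleeps for a short
 * random time, creates an exception and reads its stack trace through
 * {@code getStackTrace()}.
 *
 * <p>The loop never exits and an interrupt is only printed, so the thread runs
 * until the process ends.
 */
static class GetCallStackThread extends Thread {
    /**
     * @param name thread name, passed to {@link Thread#Thread(String)}
     */
    public GetCallStackThread(String name) {
        super(name);
    }

    @Override
    public void run() {
        super.run();
        while (true) {
            // A new generator per iteration, seeded from the wall clock; its
            // toString() is also used as the exception message below.
            Random r = new Random(new Date().getTime());
            try {
                // nextInt(10) is 0..9, so the pause is 0..90 ms.
                Thread.sleep(10 * r.nextInt(10));
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
            Exception e = new Exception(r.toString());
            // Value reported by Primitives.getAddress before the stack trace is read;
            // logged next to the value read afterwards so the two can be compared.
            // NOTE(review): presumably the object's heap address - confirm against Primitives.
            long oldAddress = Primitives.getAddress(e);
            StackTraceElement[] stacks = e.getStackTrace();
            if (stacks == null) {
                Log.e("MainActivity", "WTF!!!! address 0x" + Long.toHexString(Primitives.getAddress(e)) +
                        " " + e.getClass() + " 0x" + Long.toHexString(oldAddress));
            }
        }
    }
}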
/**
 * Background worker that requests a garbage collection over and over,
 * pausing for a short random time before each request. It never returns.
 */
static class GCThread extends Thread {
    @Override
    public void run() {
        super.run();
        // One generator for the whole lifetime of the thread, seeded from the wall clock.
        final Random delaySource = new Random(new Date().getTime());
        for (;;) {
            // nextInt(10) is 0..9, so the pause is 0..90 ms.
            final long pauseMillis = 10 * delaySource.nextInt(10);
            try {
                Thread.sleep(pauseMillis);
            } catch (InterruptedException interrupted) {
                // Report the interrupt and carry on with the next collection request.
                interrupted.printStackTrace();
            }
            final Runtime runtime = Runtime.getRuntime();
            runtime.gc();
        }
    }
}
====================
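/**
 * Installs an after-hook on {@code java.lang.Throwable.getStackTrace} that
 * removes every frame whose class name starts with {@code top.canyie.pine}
 * from the returned array.
 *
 * <p>The hook is placed on {@code Throwable} itself, so it rewrites the result
 * for every caller in the process; logs, crash reports and any check that
 * reads stack traces will not show the filtered frames. Failures while
 * installing the hook are printed and otherwise ignored.
 */
private void hook_print_stack() {
    try {
        Class<?> throwableClass = java.lang.Throwable.class;
        XposedHelpers.findAndHookMethod(throwableClass, "getStackTrace", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                StackTraceElement[] stackTrace = (StackTraceElement[]) param.getResult();
                // A null result is passed through untouched.
                if (stackTrace != null) {
                    List<StackTraceElement> newStack = new ArrayList<>();
                    for (StackTraceElement element : stackTrace) {
                        String className = element.getClassName();
                        if (!className.startsWith("top.canyie.pine")) {
                            newStack.add(element);
                        }
                    }
                    // Replace the method's return value with the filtered copy.
                    param.setResult(newStack.toArray(new StackTraceElement[0]));
                }
            }
        });
    } catch (Throwable e) {
        e.printStackTrace();
    }
}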
运行不到半小时,logcat就会报错:
2024-07-30 17:37:53.903 16005-16041 e.pine.example top.canyie.pine.examples E Timed out waiting for threads to suspend, waited for 10.000s
Thread not suspended: Thread[21,tid=16040,Runnable,Thread*=0x70d8319f00,peer=0x12d00848,"test0"]
此时使用gdb attach到进程,查看threads:
(gdb) info threads
Id Target Id Frame
1 Thread 16005.16005 "e.pine.examples" 0x00000071f8ea5998 in __epoll_pwait () from target:/apex/com.android.runtime/lib64/bionic/libc.so
2 Thread 16005.16015 "Signal Catcher" 0x00000071f8ea53d8 in _rt_sigtimedwait () from target:/apex/com.android.runtime/lib64/bionic/libc.so
3 Thread 16005.16016 "perfetto_hprof" 0x00000071f8ea4754 in read () from target:/apex/com.android.runtime/lib64/bionic/libc.so
4 Thread 16005.16017 "ADB-JDWP Connec" 0x00000071f8ea5a94 in __ppoll () from target:/apex/com.android.runtime/lib64/bionic/libc.so
5 Thread 16005.16018 "Jit thread pool" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
6 Thread 16005.16019 "HeapTaskDaemon" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
7 Thread 16005.16020 "ReferenceQueueD" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
8 Thread 16005.16021 "FinalizerDaemon" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
9 Thread 16005.16022 "FinalizerWatchd" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
10 Thread 16005.16023 "Binder:16005_1" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
11 Thread 16005.16024 "Binder:16005_2" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
12 Thread 16005.16026 "Binder:16005_3" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
13 Thread 16005.16028 "Binder:16005_4" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
14 Thread 16005.16035 "Profile Saver" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
15 Thread 16005.16036 "RenderThread" 0x00000071f8ea5998 in __epoll_pwait () from target:/apex/com.android.runtime/lib64/bionic/libc.so
16 Thread 16005.16040 "test0" 0x00000071fab18018 in ?? ()
17 Thread 16005.16041 "Thread-2" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
18 Thread 16005.16042 "test1" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
19 Thread 16005.16043 "Thread-3" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
Google pixel 的AOSP redfin 11版本下
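// After hooking getStackTrace, start worker threads: GC threads force
// collections while the others keep calling the hooked getStackTrace.
new Thread("test_hook_stack") {
    @Override
    public void run() {
        // Install the hook first so every getStackTrace call made by the workers goes through it.
        hook_print_stack();
        // Two iterations: each starts one stack-reading thread ("test0", "test1") and one GC thread.
        for (int i = 0; i < 2; i++) {
            new GetCallStackThread("test" + i).start();
            new GCThread().start();
        }
    }
}.start();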
=====
static class GetCallStackThread extends Thread {
/**
 * Creates the worker with the given thread name.
 *
 * @param name thread name, handed to the {@link Thread} constructor
 */
public GetCallStackThread(String name) {
    super(name);
}
@OverRide
public void run() {
super.run();
while (true) {
Random r = new Random(new Date().getTime());
try {
Thread.sleep(10 * r.nextInt(10));
} catch (InterruptedException e) {
e.printStackTrace();
}
Exception e = new Exception(r.toString());
long oldAddress = Primitives.getAddress(e);
StackTraceElement[] stacks = e.getStackTrace();
if (stacks == null) {
Log.e("MainActivity", "WTF!!!! address 0x" + Long.toHexString(Primitives.getAddress(e)) +
" " + e.getClass() + " 0x" + Long.toHexString(oldAddress));
====================
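/**
 * Installs an after-hook on {@code java.lang.Throwable.getStackTrace} that
 * removes every frame whose class name starts with {@code top.canyie.pine}
 * from the returned array.
 *
 * <p>The hook is placed on {@code Throwable} itself, so it rewrites the result
 * for every caller in the process; logs, crash reports and any check that
 * reads stack traces will not show the filtered frames. Failures while
 * installing the hook are printed and otherwise ignored.
 */
private void hook_print_stack() {
    try {
        Class<?> throwableClass = java.lang.Throwable.class;
        XposedHelpers.findAndHookMethod(throwableClass, "getStackTrace", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                StackTraceElement[] stackTrace = (StackTraceElement[]) param.getResult();
                // A null result is passed through untouched.
                if (stackTrace != null) {
                    List<StackTraceElement> newStack = new ArrayList<>();
                    for (StackTraceElement element : stackTrace) {
                        String className = element.getClassName();
                        if (!className.startsWith("top.canyie.pine")) {
                            newStack.add(element);
                        }
                    }
                    // Replace the method's return value with the filtered copy.
                    param.setResult(newStack.toArray(new StackTraceElement[0]));
                }
            }
        });
    } catch (Throwable e) {
        e.printStackTrace();
    }
}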
运行不到半小时,logcat就会报错:
2024-07-30 17:37:53.903 16005-16041 e.pine.example top.canyie.pine.examples E Timed out waiting for threads to suspend, waited for 10.000s
Thread not suspended: Thread[21,tid=16040,Runnable,Thread*=0x70d8319f00,peer=0x12d00848,"test0"]
此时使用gdb attach到进程,查看threads:
(gdb) info threads
Id Target Id Frame
2 Thread 16005.16015 "Signal Catcher" 0x00000071f8ea53d8 in _rt_sigtimedwait () from target:/apex/com.android.runtime/lib64/bionic/libc.so
3 Thread 16005.16016 "perfetto_hprof" 0x00000071f8ea4754 in read () from target:/apex/com.android.runtime/lib64/bionic/libc.so
4 Thread 16005.16017 "ADB-JDWP Connec" 0x00000071f8ea5a94 in __ppoll () from target:/apex/com.android.runtime/lib64/bionic/libc.so
5 Thread 16005.16018 "Jit thread pool" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
6 Thread 16005.16019 "HeapTaskDaemon" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
7 Thread 16005.16020 "ReferenceQueueD" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
8 Thread 16005.16021 "FinalizerDaemon" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
9 Thread 16005.16022 "FinalizerWatchd" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
10 Thread 16005.16023 "Binder:16005_1" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
11 Thread 16005.16024 "Binder:16005_2" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
12 Thread 16005.16026 "Binder:16005_3" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
13 Thread 16005.16028 "Binder:16005_4" 0x00000071f8ea49d4 in __ioctl () from target:/apex/com.android.runtime/lib64/bionic/libc.so
14 Thread 16005.16035 "Profile Saver" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
15 Thread 16005.16036 "RenderThread" 0x00000071f8ea5998 in __epoll_pwait () from target:/apex/com.android.runtime/lib64/bionic/libc.so
16 Thread 16005.16040 "test0" 0x00000071fab18018 in ?? ()
17 Thread 16005.16041 "Thread-2" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
18 Thread 16005.16042 "test1" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
19 Thread 16005.16043 "Thread-3" 0x00000071f8e5520c in syscall () from target:/apex/com.android.runtime/lib64/bionic/libc.so
16号 Thread 就是 test0,卡在下面这段指令上(ldaxr/stlxr 配合 wfe 的自旋等待循环;该线程一直处于 Runnable 状态,看起来始终没有到达挂起检查点,所以 GC 等待线程挂起时超时):
(gdb) x/10i 0x00000071fab18010
0x71fab18010: b 0x71fab18018
0x71fab18014: wfe
=> 0x71fab18018: ldaxr w16, [x17]
0x71fab1801c: cbz w16, 0x71fab18014
0x71fab18020: stlxr w16, wzr, [x17]
0x71fab18024: cbnz w16, 0x71fab18014
0x71fab18028: stur x1, [x17, #4]
0x71fab1802c: stur x2, [x17, #12]
0x71fab18030: stur x3, [x17, #20]
0x71fab18034: stur d0, [x17, #28]