I'm writing a C++ class using boost threads. The purpose of the class is to start a new thread, generate in this thread every 2 seconds an object called LocationEstimatePF and call a callback function in another class, giving this LocationEstimatePF as parameter.
Something like this:
void Simulator::startSimulation() {
running_ = true;
sim_thread_ = new boost::thread(boost::bind(&Simulator::run, this));
}
void Simulator::run() {
for (;;) {
if(running_){
try {
//Generate estimate
LocationEstimatePF estimate(1,2,3,4,5);
engine_.updateLocationEstimate(estimate);
//Wait for 2 seconds for next estimate
boost::this_thread::sleep(boost::posix_time::milliseconds(2000));
} catch (boost::thread_interrupted&) {
return;
}
}
}
}
The engine and thread are defined as a member variable in the .h file as follows:
InMapsEngine& engine_;
boost::thread* sim_thread_;
And the callback method in the Engine class:
void updateLocationEstimate(const LocationEstimatePF& estimate) { Log::info("Test");};
Now when I run startSimulation() above, I get a segmentation fault. Now, I know that engine_ is correctly set, I can even call other methods without a problem. I believe the problem lies in the local variable, do you guys have any idea? The "Test" in the engine is never printed.
Here the stack trace:
I/DEBUG (11781): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
I/DEBUG (11781): r0 00000000 r1 66da3e68 r2 00000001 r3 00000000
I/DEBUG (11781): r4 001e8480 r5 00000000 r6 00000000 r7 40490000
I/DEBUG (11781): r8 62055ab0 r9 66da3e68 sl 3f800000 fp 40000000
I/DEBUG (11781): ip 00000001 sp 66da3e60 lr 61864604 pc 616b0a4e cpsr 60000030
I/DEBUG (11781): d0 4158b82020000000 d1 3f110612c247fff9
I/DEBUG (11781): d2 400b8ae93f57e022 d3 400b8ae943697f55
I/DEBUG (11781): d4 c2ef3a464385c588 d5 407eb7ac40c0a412
I/DEBUG (11781): d6 40dd1ce4bec8a7a3 d7 0062e080400b8ae9
I/DEBUG (11781): d8 3fd9b1b440400000 d9 0000000000000000
I/DEBUG (11781): d10 0000000000000000 d11 0000000000000000
I/DEBUG (11781): d12 0000000000000000 d13 0000000000000000
I/DEBUG (11781): d14 0000000000000000 d15 0000000000000000
I/DEBUG (11781): d16 3fe0000000000000 d17 4158b82000000000
I/DEBUG (11781): d18 3fd7e1cb1c913900 d19 3fc41a88bb99a35a
I/DEBUG (11781): d20 0000000000000000 d21 3fac47489540ee39
I/DEBUG (11781): d22 3f8293cfee13fd75 d23 3f96eb1df9afa780
I/DEBUG (11781): d24 3f5871d465fee876 d25 3f6e1beddd51e95d
I/DEBUG (11781): d26 3f30d636137869f2 d27 3f439d2605c8ef21
I/DEBUG (11781): d28 3fe66819a15509c2 d29 3f13d11c3e64b4a4
I/DEBUG (11781): d30 bef375cbdb605373 d31 3f8b5c41074afda1
I/DEBUG (11781): scr 80000093
I/DEBUG (11781):
I/DEBUG (11781): backtrace:
I/DEBUG (11781): #00 pc 00367a4e /data/app-lib/de.tum.ei.lmt.inmaps3d-1/libInMapsJNI.so (Simulator::run()+69)
I/DEBUG (11781): #01 pc 0051b600 /data/app-lib/de.tum.ei.lmt.inmaps3d-1/libInMapsJNI.so
I/DEBUG (11781):
I/DEBUG (11781): stack:
I/DEBUG (11781): 66da3e20 83a88000
I/DEBUG (11781): 66da3e24 02ed263d
I/DEBUG (11781): 66da3e28 83a88000
I/DEBUG (11781): 66da3e2c 02ed263d
I/DEBUG (11781): 66da3e30 61f05dd3
I/DEBUG (11781): 66da3e34 0004f4cf
I/DEBUG (11781): 66da3e38 532719d5 /dev/ashmem/dalvik-mark-stack (deleted)
I/DEBUG (11781): 66da3e3c 176a6e38
I/DEBUG (11781): 66da3e40 61c0ee99 /data/app-lib/de.tum.ei.lmt.inmaps3d-1/libInMapsJNI.so
I/DEBUG (11781): 66da3e44 001e8480
I/DEBUG (11781): 66da3e48 00000000
I/DEBUG (11781): 66da3e4c 00000000
I/DEBUG (11781): 66da3e50 40490000 /system/lib/libskia.so (GrGLCaps::initStencilFormats(GrGLContextInfo const&)+808)
I/DEBUG (11781): 66da3e54 62055ab0
I/DEBUG (11781): 66da3e58 df0027ad
I/DEBUG (11781): 66da3e5c 00000000
I/DEBUG (11781): #00 66da3e60 001e8480
I/DEBUG (11781): 66da3e64 00000000
I/DEBUG (11781): 66da3e68 00000000
I/DEBUG (11781): 66da3e6c 00000000
I/DEBUG (11781): 66da3e70 00000000
I/DEBUG (11781): 66da3e74 00000000
I/DEBUG (11781): 66da3e78 00000000
I/DEBUG (11781): 66da3e7c 00000000
I/DEBUG (11781): 66da3e80 3f800000
I/DEBUG (11781): 66da3e84 40000000
I/DEBUG (11781): 66da3e88 40400000 /system/lib/libskia.so
I/DEBUG (11781): 66da3e8c 00000000
I/DEBUG (11781): 66da3e90 00000000
I/DEBUG (11781): 66da3e94 40490000 /system/lib/libskia.so (GrGLCaps::initStencilFormats(GrGLContextInfo const&)+808)
I/DEBUG (11781): 66da3e98 00000000
I/DEBUG (11781): 66da3e9c 16c16c17
Your InMapsEngine reference is not initialized or do you set it up outside of the class constructor ?
InMapsEngine & engine_;
You could use member object instead
InMapsEngine engine_;
... or set your reference before the thread calls it.
It's hard to tell from your stacktrace exactly what is going wrong, but it could be that you have multiple threads trying to access your shared engine resource at the same time.
One way to do this would be to use a mutex and condition variable to signal to your threads when your engine resource is available to them.:
try{
boost::mutex::scoped_lock lock(engine_mutex);
m_condition.wait(lock);
engine_.updateLocationEstimate(estimate);
m_condition.notify_one();
}
catch (boost::thread_interrupted&) {
return;
}
boost::this_thread::sleep(boost::posix_time::milliseconds(2000));
Though you may want to use a regular lock instead if you want to include your sleep in the try block. Just remember to unlock.
Related
I'm trying hook JNI_CreateJavaVM with Dobby for APP testing.
jint (*originJNI_CreateJavaVM)(JavaVM **p_vm, JNIEnv **p_env, void *vm_args);
jint JNICALL myJNI_CreateJavaVM(JavaVM **p_vm, JNIEnv **p_env, void *vm_args)
{
__android_log_print(ANDROID_LOG_INFO, "ddinmys", "%s", "JNI_CreateJavaVM enter");
jint j = originJNI_CreateJavaVM(p_vm, p_env, vm_args);
__android_log_print(ANDROID_LOG_INFO, "ddinmys", "%s %d", "JNI_CreateJavaVM leave", j);
return j;
}
void __attribute__((constructor)) myConstructor(void)
{
void *p = dlsym(RTLD_DEFAULT, "JNI_CreateJavaVM");
if (p != NULL) {
DobbyHook(p, (void*)myJNI_CreateJavaVM, (void **)&originJNI_CreateJavaVM);
}
}
After run it the system keeping bootloop and logcat print as below.
I/ddinmys (13184): JNI_CreateJavaVM enter
F/libc (13184): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 13184 (zygote)
I/DEBUG ( 1448): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 1448): Build fingerprint: 'Android/aosp_shamu/shamu:5.1.1/LYZ28N/0.0.1:user/release-keys'
I/DEBUG ( 1448): Revision: '0'
I/DEBUG ( 1448): ABI: 'x86'
I/DEBUG ( 1448): pid: 13184, tid: 13184, name: zygote >>> zygote <<<
I/DEBUG ( 1448): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG ( 1448): eax 00000000 ebx b449b6c8 ecx b77b929c edx b4499000
I/DEBUG ( 1448): esi b76ec248 edi bfe6441c
I/DEBUG ( 1448): xcs 00000073 xds 0000007b xes 0000007b xfs 00000000 xss 0000007b
I/DEBUG ( 1448): eip b68598d6 ebp bfe633f8 esp bfe63380 flags 00010292
I/DEBUG ( 1448):
I/DEBUG ( 1448): backtrace:
I/DEBUG ( 1448): #00 pc 000008d6 /system/lib/libnativehelper.so
I/DEBUG ( 1448): #01 pc 0007f3ba /system/lib/libandroid_runtime.so
I/DEBUG ( 1448): #02 pc 00000dc7 /system/lib/libandroid_runtime.so
I/DEBUG ( 1448): #03 pc 0000211f /system/bin/app_process32
I/DEBUG ( 1448): #04 pc fffffe4a <unknown>
I/DEBUG ( 1448):
I/DEBUG ( 1448): Tombstone written to: /data/tombstones/tombstone_07
I see already hooked JNI_CreateJavaVM but won't continue the origin func with fatal.
F/libc (13184): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 13184 (zygote)
Sorry if there are other questions like this one, but I tried almost everything with no results.
I have an assembly file calling the main function of a cpp file(I'm making a kernel entry)
kerne.asm
[bits 32]
[extern _main]
jmp _main
cli
hlt
main.cpp
void a()
{
//a
}
void bc()
{
//bc
}
extern "C" int main()
{
return 0;
}
makefile
all: kes.o ke.o ke1.tmp otp.txt
kes.o : kerne.asm
nasm -f win32 -o H:\x86f\lkt\kes.o H:\x86f\lkt\kerne.asm
ke.o : main.cpp
g++ -Wall -m32 -g -std=c++14 -std=c++1y -ffreestanding -nostartfiles -c main.cpp -o ke.o
ke1.tmp : kes.o ke.o
ld -m i386pe -r -o ke1.tmp -Ttext 0x1000 kes.o ke.o
otp.txt : ke1.tmp
objdump -d ke1.tmp > otp.txt
otp.txt output
ke1.tmp: file format pe-i386
Disassembly of section .text:
00001000 <.text>:
1000: e9 00 00 00 00 jmp 1005 <.text+0x5>
1005: ee out %al,(%dx)
1006: 77 90 ja f98 <#feat.00+0xf97>
00001008 <__Z1av>:
1008: 55 push %ebp
1009: 89 e5 mov %esp,%ebp
100b: 90 nop
100c: 5d pop %ebp
100d: c3 ret
0000100e <__Z2bcv>:
100e: 55 push %ebp
100f: 89 e5 mov %esp,%ebp
1011: 90 nop
1012: 5d pop %ebp
1013: c3 ret
00001014 <_main>:
1014: 55 push %ebp
1015: 89 e5 mov %esp,%ebp
1017: 83 e4 f0 and $0xfffffff0,%esp
101a: e8 00 00 00 00 call 101f <_main+0xb>
101f: b8 00 00 00 00 mov $0x0,%eax
1024: c9 leave
1025: c3 ret
1026: 90 nop
1027: 90 nop
...
In the otp output the instruction at 1000 is the jmp _main istrunction. How you can see the address is not resolved correctly, making it point to the next instruction(1005). Where am I doing wrong?
edit:
nm kes.o
00000000 a .absolut
00000000 t .text
00000001 a #feat.00
U _main
nm ke.o
00000000 b .bss
00000000 d .data
00000000 N .debug_abbrev
00000000 N .debug_aranges
00000000 N .debug_frame
00000000 N .debug_info
00000000 N .debug_line
00000000 r .rdata$zzz
00000000 t .text
U ___main
00000000 T __Z1av
00000006 T __Z2bcv
0000000c T _main
objdump -r ke1.tmp
ke1.tmp: file format pe-i386
RELOCATION RECORDS FOR [.text]:
OFFSET TYPE VALUE
00000001 DISP32 _main-0x00000014
0000001b DISP32 ___main+0x00001000
RELOCATION RECORDS FOR [.debug_aranges]:
OFFSET TYPE VALUE
00000006 secrel32 .debug_info
00000010 dir32 .text-0x00001008
RELOCATION RECORDS FOR [.debug_info]:
OFFSET TYPE VALUE
00000006 secrel32 .debug_abbrev
00000088 dir32 .text-0x00001008
00000090 secrel32 .debug_line
000000a1 dir32 .text-0x00001008
000000c0 dir32 .text-0x00001008
000000d6 dir32 .text-0x00001008
RELOCATION RECORDS FOR [.debug_line]:
OFFSET TYPE VALUE
0000003a dir32 .text-0x00001008
RELOCATION RECORDS FOR [.debug_frame]:
OFFSET TYPE VALUE
00000018 secrel32 .debug_frame
0000001c dir32 .text-0x00001008
00000038 secrel32 .debug_frame
0000003c dir32 .text-0x00001008
00000058 secrel32 .debug_frame
0000005c dir32 .text-0x00001008
The reason is that with the -r option, ld produces an object file, not an executable. In the object file, many addresses are unset because they are to be set later by final linking (without -r) using data from the relocation table.
#DavidWohlferd #fuz #numzero yep, the problem was the -r flag in ld. Now all the addresses are resolved correctly. Thanks to all for the help!
I am looking into the CPP code which i am not very familiar with and facing a crash while assigning a constant simple string in tinyxml2. I have searched for 2 days and could not find any logic for this over the net.
This issue is hardly reproducible.
crash:
pid: 22847, tid: 22967, name: BluetoothAdapte >>> com.android.bluetooth <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
r0 ab425974 r1 e4cf3de5 r2 80000000 r3 ab3f26d8
r4 ab425b00 r5 0000344e r6 00000000 r7 00000000
r8 00000000 r9 ab425bb8 sl 00000004 fp 00000002
ip a0000000 sp e4bd46c8 lr 00000000 pc 00000000 cpsr 800f0010
backtrace:
#00 pc 00000000 <unknown>
stack:
e4bd4688 01000000
e4bd468c f722fc4d /system/lib/libstdc++.so (operator new[](unsigned int)+8)
e4bd4690 ab3f26d8 [heap]
e4bd4694 e4ce76af /system/lib/hw/bluetooth.default.so (tinyxml2::StrPair::SetStr(char const*, int)+40)
e4bd4698 ab425974 [heap]
e4bd469c ab425bd0 [heap]
e4bd46a0 ab425950 [heap]
e4bd46a4 e4cf3de0 /system/lib/hw/bluetooth.default.so
e4bd46a8 e4d3ed20 /system/lib/hw/bluetooth.default.so
e4bd46ac e4ce895b /system/lib/hw/bluetooth.default.so (tinyxml2::XMLElement::FindOrCreateAttribute(char const*)+106)
code :
https://github.com/leethomason/tinyxml2/blob/master/tinyxml2.cpp: crashes at line 177
void StrPair::Reset()
{
if ( flags & NEEDS_DELETE ) {
delete [] start;
}
flags = 0;
start = 0;
end = 0;
}
void StrPair::SetStr( const char* str, int flags )
{
Reset();
size_t len = strlen( str );
start = new char[ len+1 ]; //crashes here
memcpy( start, str, len+1 );
end = start + len;
this->flags = flags | NEEDS_DELETE;
}
I would like to overwrite function (interupt handlers) with the weak attribute, but linker does not link my definition. Codes are shorted for better reading.
vectors.c
void NMI_Handler (void) __attribute__((weak));
void HardFault_Handler (void) __attribute__((weak));
__attribute__ ((section(".vectors"), used))
void (* const gVectors[])(void) =
{
NMI_Handler,
HardFault_Handler
};
void NMI_Handler (void) { while(1); }
void HardFault_Handler (void) { while(1); }
I redefine default definition in the file cpuexcept.cpp
extern "C" __attribute__((naked))
void NMI_Handler()
{
EXCEPT_ENTRY(CPUExcept);
}
extern "C" __attribute__((naked))
void HardFault_Handler()
{
EXCEPT_ENTRY(CPUExcept);
}
If I compile and dump it, output (library lib.a) is:
cpuexcept.oo: file format elf32-littlearm
rw-rw-rw- 0/0 4728 Jun 26 16:20 2012 cpuexcept.oo
architecture: arm, flags 0x00000011:
HAS_RELOC, HAS_SYMS
start address 0x00000000
private flags = 5000000: [Version5 EABI]
Sections:
Idx Name Size VMA LMA File off Algn Flags
0 .text 0000051c 00000000 00000000 00000034 2**2 CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
1 .data 00000000 00000000 00000000 00000550 2**0 CONTENTS, ALLOC, LOAD, DATA
2 .bss 00000000 00000000 00000000 00000550 2**0 ALLOC
3 .rodata 000001dc 00000000 00000000 00000550 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .comment 00000012 00000000 00000000 0000072c 2**0 CONTENTS, READONLY
5 .ARM.attributes 00000031 00000000 00000000 0000073e 2**0 CONTENTS, READONLY
SYMBOL TABLE:
00000000 l df *ABS* 00000000 cpuexcept.cpp
00000000 l d .text 00000000 .text
00000000 l d .data 00000000 .data
00000000 l d .bss 00000000 .bss
000004e0 g F .text 0000000a NMI_Handler
000004ec g F .text 0000000a HardFault_Handler
000004e0 <NMI_Handler>:
4e0: e92d 0ff0 stmdb sp!, {r4, r5, r6, r7, r8, r9, sl, fp}
4e4: 4668 mov r0, sp
4e6: f7ff fffe bl c0 <CPUExcept> 4e6: R_ARM_THM_CALL CPUExcept
4ea: bf00 nop
000004ec <HardFault_Handler>:
4ec: e92d 0ff0 stmdb sp!, {r4, r5, r6, r7, r8, r9, sl, fp}
4f0: 4668 mov r0, sp
4f2: f7ff fffe bl c0 <CPUExcept> 4f2: R_ARM_THM_CALL CPUExcept
4f6: bf00 nop
vectors.o: file format elf32-littlearm
rw-rw-rw- 0/0 4464 Jun 27 13:52 2012 vectors.o
architecture: arm, flags 0x00000011:
HAS_RELOC, HAS_SYMS
start address 0x00000000
private flags = 5000000: [Version5 EABI]
Sections:
Idx Name Size VMA LMA File off Algn Flags
0 .text 00000114 00000000 00000000 00000034 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .data 00000000 00000000 00000000 00000148 2**0 CONTENTS, ALLOC, LOAD, DATA
2 .bss 00000000 00000000 00000000 00000148 2**0 ALLOC
3 .vectors 00000130 00000000 00000000 00000148 2**2 CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA
4 .comment 00000012 00000000 00000000 00000278 2**0 CONTENTS, READONLY
5 .ARM.attributes 00000031 00000000 00000000 0000028a 2**0 CONTENTS, READONLY
SYMBOL TABLE:
00000000 l df *ABS* 00000000 vectors.c
00000000 l d .text 00000000 .text
00000000 l d .data 00000000 .data
00000000 l d .bss 00000000 .bss
00000000 l d .vectors 00000000 .vectors
00000000 l d .comment 00000000 .comment
00000000 l d .ARM.attributes 00000000 .ARM.attributes
00000000 w F .text 00000002 NMI_Handler
00000004 w F .text 00000002 HardFault_Handler
00000000 <NMI_Handler>:
0: e7fe b.n 0 <NMI_Handler>
2: bf00 nop
00000004 <HardFault_Handler>:
4: e7fe b.n 4 <HardFault_Handler>
6: bf00 nop
Default function with the weak attribute is linked in to target application. My definition is linked correct, if I define function f() in cpuexcept.cpp and I use it in main function or if my definiton of handler is in other .c module.
I use arm-none-eabi-gcc 4.6.2 (YAGARTO) compiler in cygwin.
You could try to define your function like
void NMI_Handler(void)
and not as
void NMI_Handler()
As the weak definition is also void NMI_Handler (void) __attribute__((weak));
So the linker will not see any difference.
I have a corruption memory heap problem with an application.
by using windbg and a dump file of the crash as an input I have the following output with dd esp command
0:002> dd esp
00000000`03e3e490 14badf55 00000000 03e3e8c0 00000000
00000000`03e3e4a0 00000000 00000000 03e3e8c0 00000000
00000000`03e3e4b0 03e3e8c0 00000000 6b0064f2 00000000
00000000`03e3e4c0 03e3f030 00000000 6b002510 00000000
00000000`03e3e4d0 00000000 00000000 03dfede8 00000000
00000000`03e3e4e0 c0000005 00000000 00000000 7d6210e8
00000000`03e3e4f0 00000002 00000000 00000000 00000000
00000000`03e3e500 00000000 00001000 78b83980 036b0000
There is this adress : 14badf55
I really don't know how to interpret this "bad"..
Is anyone have an idea of the meaning of this bad ?
EDIT:
when I try to use this command :
u 14badf55
the following output comes :
00000000`14badf55 ?? ???
^ Memory access error in 'u 14badf55'
The .ecxr command give me :
rax=0000000003e3e488 rbx=0000000003e3e8c0 rcx=0000000003e3dfb0
rdx=0000000000000000 rsi=000000006b005a17 rdi=0000000000000000
rip=000000006b006369 rsp=0000000003e3e490 rbp=0000000003dfede8
r8=000000006b00254a r9=0000000003e3e4d8 r10=0000000000000007
r11=0000000000000000 r12=000000006b01fe90 r13=0000000000000000
r14=0000000003e3f110 r15=0000000078b83980
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=0000 es=0000 fs=0000 gs=0000 efl=00000204
wow64!Wow64NotifyDebugger+0x9:
00000000`6b006369 b001 mov al,1
You can see the c0000005 output in the file. This is the sign of a access violation.
Run the following:
- .cxr 00000000`03e3e4e0 (To set the exception context)
- kL (to get a stack trace)