C/C++ android 11 代码在 strstr api 调用时崩溃
C/C++ android 11 code crash at strstr api call
我的代码在下面这处 strstr api 调用时崩溃:
pid: 6640, tid: 6640, name: demoapp >>> /vendor/bin/demoapp <<<
uid: 0
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7b8a91c000
x0 b400007b8a91bf70 x1 0000000000000000 x2 000000000000002f x3 b400007b8a91c000
x4 0000000000000020 x5 0000000040100401 x6 0000000000000000 x7 454349564544200a
x8 0000000000000074 x9 0000000000000010 x10 000000000000001f x11 000000000000003a
x12 000000000000008d x13 000000000000006a x14 00000000000000b5 x15 000000000000000a
x16 0000007e7abd20e8 x17 0000007e7ab5e100 x18 0000007e7b35a000 x19 b400007b8a91befc
x20 0000007fc35ae0b8 x21 0000007fc35add00 x22 00000000000000bf x23 b400007b8a91bf70
x24 0000007e7ae41000 x25 00000000000000b5 x26 00000000000000b4 x27 00000000000000b5
x28 0000007fc35ae146 x29 0000007fc35add30
lr 0000007e7aba9cc0 sp 0000007fc35ad4d0 pc 0000007e7ab5e160 pst 0000000020000000
backtrace:
#00 pc 000000000004a160 /apex/com.android.runtime/lib64/bionic/libc.so (memchr_default+96) (BuildId: 229c19d159f619ab0dd102acf1afb05f)
#01 pc 0000000000095cbc /apex/com.android.runtime/lib64/bionic/libc.so (strstr+804) (BuildId: 229c19d159f619ab0dd102acf1afb05f)
#02 pc 0000000000002714 /vendor/bin/demoapp (main+1740) (BuildId: 5f1858d36b95111200fa67ca2c2aefee)
#03 pc 0000000000049080 /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+108) (BuildId: 229c19d159f619ab0dd102acf1afb05f)
崩溃处的代码解析如下:
bionic/libc/arch-arm64/default/bionic/memchr.S::114
109 b.ls .Lmasklast
110 /* Have we found something already? */
111 cbnz synd, .Ltail
112
113 .Lloop:
114 ld1 {vdata1.16b, vdata2.16b}, [src], #32
115 subs cntin, cntin, #32
116 cmeq vhas_chr1.16b, vdata1.16b, vrepchr.16b
117 cmeq vhas_chr2.16b, vdata2.16b, vrepchr.16b
118 /* If we're out of data we finish regardless of the result */
119 b.ls .Lend
bionic/libc/include/bits/fortify/string.h::138
/* FORTIFY wrapper for memchr(): when the compiler-derived object-size bound
 * for s provably covers n, the unchecked builtin is used; otherwise the call
 * is routed to __memchr_chk, which additionally receives that bound.
 * NOTE(review): what __bos() yields for a pointer whose object size is not
 * known at compile time (e.g. a pointer into a heap haystack) is not shown
 * here — for such callers this path presumably cannot reject an oversized n;
 * confirm against the definitions of __bos / __bos_trivially_ge. */
133 __BIONIC_FORTIFY_INLINE
134 void* memchr(const void* const s __pass_object_size, int c, size_t n) __overloadable {
135 size_t bos = __bos(s); /* object-size bound for s; __bos is an opaque helper here */
136
137 if (__bos_trivially_ge(bos, n)) { /* bound provably >= n: skip the runtime check */
138 return __builtin_memchr(s, c, n);
139 }
140
141 return __memchr_chk(s, c, n, bos); /* checked variant; bos passed through, presumably to validate n */
142 }
143
bionic/libc/upstream-openbsd/lib/libc/string/strstr.c::139
134 for (;;) {
135 /* Update incremental end-of-haystack pointer */
136 if (z-h < l) {
137 /* Fast estimate for MIN(l,63) */
138 size_t grow = l | 63;
139 const unsigned char *z2 = memchr(z, 0, grow);
140 if (z2) {
141 z = z2;
142 if (z-h < l) return 0;
143 } else z += grow;
144 }
bionic/libc/upstream-openbsd/lib/libc/string/strstr.c::195
190 if (!h[2]) return 0;
191 if (!n[3]) return threebyte_strstr((void *)h, (void *)n);
192 if (!h[3]) return 0;
193 if (!n[4]) return fourbyte_strstr((void *)h, (void *)n);
194
195 return twoway_strstr((void *)h, (void *)n);
196 }
197 DEF_STRONG(strstr);
vendor/source/demoapp.c::37
37 bool ok = (bool)strstr(srcstr, deststr);
看起来 srcstr 和 deststr 都不为 NULL。由于该问题不易复现,只能通过分析调用栈来寻找线索。
如果不是 NULL 指针的问题,还有哪些其他原因会导致 strstr 崩溃?
函数 strstr() 崩溃的最常见原因是:
- 如果提供的 char* 之一是 nullptr;
- 如果提供的 char* 之一指向没有 '\0' 终止符的字符串;
- 如果提供的 char* 之一发生了缓冲区溢出。
还有很多其他可能的原因。就本例而言,fault addr 0x7b8a91c000 很可能正好落在一个页边界上,而崩溃点 memchr 每次读取 32 字节,这与 haystack 缺少终止符(或 memchr 被传入了超过剩余缓冲区的长度)从而越界读到未映射页的情形相符。如果这没有帮助,请提供出现问题的代码。
我的代码在下面这处 strstr api 调用时崩溃:
pid: 6640, tid: 6640, name: demoapp >>> /vendor/bin/demoapp <<<
uid: 0
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7b8a91c000
x0 b400007b8a91bf70 x1 0000000000000000 x2 000000000000002f x3 b400007b8a91c000
x4 0000000000000020 x5 0000000040100401 x6 0000000000000000 x7 454349564544200a
x8 0000000000000074 x9 0000000000000010 x10 000000000000001f x11 000000000000003a
x12 000000000000008d x13 000000000000006a x14 00000000000000b5 x15 000000000000000a
x16 0000007e7abd20e8 x17 0000007e7ab5e100 x18 0000007e7b35a000 x19 b400007b8a91befc
x20 0000007fc35ae0b8 x21 0000007fc35add00 x22 00000000000000bf x23 b400007b8a91bf70
x24 0000007e7ae41000 x25 00000000000000b5 x26 00000000000000b4 x27 00000000000000b5
x28 0000007fc35ae146 x29 0000007fc35add30
lr 0000007e7aba9cc0 sp 0000007fc35ad4d0 pc 0000007e7ab5e160 pst 0000000020000000
backtrace:
#00 pc 000000000004a160 /apex/com.android.runtime/lib64/bionic/libc.so (memchr_default+96) (BuildId: 229c19d159f619ab0dd102acf1afb05f)
#01 pc 0000000000095cbc /apex/com.android.runtime/lib64/bionic/libc.so (strstr+804) (BuildId: 229c19d159f619ab0dd102acf1afb05f)
#02 pc 0000000000002714 /vendor/bin/demoapp (main+1740) (BuildId: 5f1858d36b95111200fa67ca2c2aefee)
#03 pc 0000000000049080 /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+108) (BuildId: 229c19d159f619ab0dd102acf1afb05f)
崩溃处的代码解析如下:
bionic/libc/arch-arm64/default/bionic/memchr.S::114
109 b.ls .Lmasklast
110 /* Have we found something already? */
111 cbnz synd, .Ltail
112
113 .Lloop:
114 ld1 {vdata1.16b, vdata2.16b}, [src], #32
115 subs cntin, cntin, #32
116 cmeq vhas_chr1.16b, vdata1.16b, vrepchr.16b
117 cmeq vhas_chr2.16b, vdata2.16b, vrepchr.16b
118 /* If we're out of data we finish regardless of the result */
119 b.ls .Lend
bionic/libc/include/bits/fortify/string.h::138
/* FORTIFY wrapper for memchr(): when the compiler-derived object-size bound
 * for s provably covers n, the unchecked builtin is used; otherwise the call
 * is routed to __memchr_chk, which additionally receives that bound.
 * NOTE(review): what __bos() yields for a pointer whose object size is not
 * known at compile time (e.g. a pointer into a heap haystack) is not shown
 * here — for such callers this path presumably cannot reject an oversized n;
 * confirm against the definitions of __bos / __bos_trivially_ge. */
133 __BIONIC_FORTIFY_INLINE
134 void* memchr(const void* const s __pass_object_size, int c, size_t n) __overloadable {
135 size_t bos = __bos(s); /* object-size bound for s; __bos is an opaque helper here */
136
137 if (__bos_trivially_ge(bos, n)) { /* bound provably >= n: skip the runtime check */
138 return __builtin_memchr(s, c, n);
139 }
140
141 return __memchr_chk(s, c, n, bos); /* checked variant; bos passed through, presumably to validate n */
142 }
143
bionic/libc/upstream-openbsd/lib/libc/string/strstr.c::139
134 for (;;) {
135 /* Update incremental end-of-haystack pointer */
136 if (z-h < l) {
137 /* Fast estimate for MIN(l,63) */
138 size_t grow = l | 63;
139 const unsigned char *z2 = memchr(z, 0, grow);
140 if (z2) {
141 z = z2;
142 if (z-h < l) return 0;
143 } else z += grow;
144 }
bionic/libc/upstream-openbsd/lib/libc/string/strstr.c::195
190 if (!h[2]) return 0;
191 if (!n[3]) return threebyte_strstr((void *)h, (void *)n);
192 if (!h[3]) return 0;
193 if (!n[4]) return fourbyte_strstr((void *)h, (void *)n);
194
195 return twoway_strstr((void *)h, (void *)n);
196 }
197 DEF_STRONG(strstr);
vendor/source/demoapp.c::37
37 bool ok = (bool)strstr(srcstr, deststr);
看起来 srcstr 和 deststr 都不为 NULL。由于该问题不易复现,只能通过分析调用栈来寻找线索。
如果不是 NULL 指针的问题,还有哪些其他原因会导致 strstr 崩溃?
函数 strstr() 崩溃的最常见原因是:
- 如果提供的 char* 之一是 nullptr;
- 如果提供的 char* 之一指向没有 '\0' 终止符的字符串;
- 如果提供的 char* 之一发生了缓冲区溢出。
还有很多其他可能的原因。就本例而言,fault addr 0x7b8a91c000 很可能正好落在一个页边界上,而崩溃点 memchr 每次读取 32 字节,这与 haystack 缺少终止符(或 memchr 被传入了超过剩余缓冲区的长度)从而越界读到未映射页的情形相符。如果这没有帮助,请提供出现问题的代码。