
Reputation: 3617

SIGILL in android native code on NVIDIA Tegra 2 (on BL instruction)

I'm getting a wicked crash in native code. So far my code runs fine on all devices, except this one:

LG-P990 (has NVIDIA Tegra 2 Dual Core 1 GHz processor).


It happens every time.

Crash seems to be in code belonging to libc++ (so I have no corresponding C++ code). I must be missing something, since the crash seems to be on a BL instruction?

Application.mk is configured to build for all platforms, so the phone in question should be using the armeabi-v7a.

1022  1022 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
1022  1022 I DEBUG   : Build fingerprint: 'lge/lge_star/p990/p990:2.2.2/FRG83G/lgp990-V10d.2ED2ED2216:user/release-keys'
1022  1022 I DEBUG   : pid: 3932, tid: 3942  >>> com.package.appdebug <<<
1022  1022 I DEBUG   : signal 4 (SIGILL), fault addr 819372a8
1022  1022 I DEBUG   :  r0 00000000  r1 4056c000  r2 00000000  r3 002fe356
1022  1022 I DEBUG   :  r4 00000000  r5 002fe354  r6 4a754540  r7 4a7543c8
1022  1022 I DEBUG   :  r8 4a7543b0  r9 00000000  10 00000000  fp ffffffff
1022  1022 I DEBUG   :  ip 00000002  sp 4a754310  lr 819372a0  pc 819372a8  cpsr 20000010
1022  1022 I DEBUG   :  d0  000084c000002601  d1  461c0000bf800000
1022  1022 I DEBUG   :  d2  461c0800461c0400  d3  bf800000461c0c00
1022  1022 I DEBUG   :  d4  0000005b00000000  d5  00000000000084c0
1022  1022 I DEBUG   :  d6  4056c00000000000  d7  4056c00000000000
1022  1022 I DEBUG   :  d8  0000000000000000  d9  0000000000000000
1022  1022 I DEBUG   :  d10 0000000000000000  d11 0000000000000000
1022  1022 I DEBUG   :  d12 0000000000000000  d13 0000000000000000
1022  1022 I DEBUG   :  d14 0000000000000000  d15 0000000000000000
1022  1022 I DEBUG   :  scr 20000012
1022  1022 I DEBUG   : 
1022  1022 I DEBUG   :          #00  pc 001372a8  /data/data/com.package.appdebug/lib/libthor.so
1022  1022 I DEBUG   :          #01  lr 819372a0  /data/data/com.package.appdebug/lib/libthor.so
1022  1022 I DEBUG   : 
1022  1022 I DEBUG   : code around pc:
1022  1022 I DEBUG   : 81937288 e3a00006 e08f1001 ebfcf395 e1a00005 
1022  1022 I DEBUG   : 81937298 e28d1004 ebfcf251 e59d3004 e1530005 
1022  1022 I DEBUG   : 819372a8 ec410b30 eef77be0 edc67a00 0a000002 
1022  1022 I DEBUG   : 819372b8 e5d33000 e3530000 0a00000c eddf7a25 
1022  1022 I DEBUG   : 819372c8 e3a03004 edc67a00 e5873000 e3a00006 
1022  1022 I DEBUG   : 
1022  1022 I DEBUG   : code around lr:
1022  1022 I DEBUG   : 81937280 ebfcf20d e59f10e8 e3a00006 e08f1001 
1022  1022 I DEBUG   : 81937290 ebfcf395 e1a00005 e28d1004 ebfcf251 
1022  1022 I DEBUG   : 819372a0 e59d3004 e1530005 ec410b30 eef77be0 
1022  1022 I DEBUG   : 819372b0 edc67a00 0a000002 e5d33000 e3530000 
1022  1022 I DEBUG   : 819372c0 0a00000c eddf7a25 e3a03004 edc67a00 
1022  1022 I DEBUG   : 
1022  1022 I DEBUG   : stack:
1022  1022 I DEBUG   :     4a7542d0  81969250  
1022  1022 I DEBUG   :     4a7542d4  8192b700  /data/data/com.package.appdebug/lib/libthor.so
1022  1022 I DEBUG   :     4a7542d8  0000002d  
1022  1022 I DEBUG   :     4a7542dc  00000000  
1022  1022 I DEBUG   :     4a7542e0  00000000  
1022  1022 I DEBUG   :     4a7542e4  00000000  
1022  1022 I DEBUG   :     4a7542e8  00000000  
1022  1022 I DEBUG   :     4a7542ec  00000000  
1022  1022 I DEBUG   :     4a7542f0  00000000  
1022  1022 I DEBUG   :     4a7542f4  00000000  
1022  1022 I DEBUG   :     4a7542f8  00000000  
1022  1022 I DEBUG   :     4a7542fc  00000000  
1022  1022 I DEBUG   :     4a754300  002fe354  [heap]
1022  1022 I DEBUG   :     4a754304  4a754540  
1022  1022 I DEBUG   :     4a754308  df002777  
1022  1022 I DEBUG   :     4a75430c  e3a070ad  
1022  1022 I DEBUG   : #00 4a754310  4a7543c8  
1022  1022 I DEBUG   :     4a754314  002fe356  [heap]
1022  1022 I DEBUG   :     4a754318  4a754368  
1022  1022 I DEBUG   :     4a75431c  4a754358  
1022  1022 I DEBUG   :     4a754320  4a754368  
1022  1022 I DEBUG   :     4a754324  4a7543c8  
1022  1022 I DEBUG   :     4a754328  002fe354  [heap]
1022  1022 I DEBUG   :     4a75432c  4a7543b0  
1022  1022 I DEBUG   :     4a754330  81969348  
1022  1022 I DEBUG   :     4a754334  8192cb34  /data/data/com.package.appdebug/lib/libthor.so
1022  1022 I DEBUG   :     4a754338  00000000  
1022  1022 I DEBUG   :     4a75433c  ffffffff  
1022  1022 I DEBUG   :     4a754340  4a754420  
1022  1022 I DEBUG   :     4a754344  4a7543c8  
1022  1022 I DEBUG   :     4a754348  4a754368  
1022  1022 I DEBUG   :     4a75434c  00000000  
1022  1022 I DEBUG   :     4a754350  4a7543f8  
1022  1022 I DEBUG   :     4a754354  00000020  

Here's the disassembly of the object file: Crash (Program counter) is address 137270

00137238 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi>:
  137238:   e92d45f0    push    {r4, r5, r6, r7, r8, sl, lr}
  13723c:   e1a05000    mov r5, r0
  137240:   e24dd00c    sub sp, sp, #12 ; 0xc
  137244:   e1a06001    mov r6, r1
  137248:   e3a00006    mov r0, #6  ; 0x6
  13724c:   e3a01000    mov r1, #0  ; 0x0
  137250:   e1a07002    mov r7, r2
  137254:   ebfcf3a4    bl  740ec <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x7c>
  137258:   e250a000    subs    sl, r0, #0  ; 0x0
  13725c:   01a0400a    moveq   r4, sl
  137260:   0a00000b    beq 137294 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x5c>
  137264:   ebfcf250    bl  73bac <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x5bc>
  137268:   e2808001    add r8, r0, #1  ; 0x1
  13726c:   e1a00008    mov r0, r8
  137270:   eb000b5b    bl  139fe4 <_Znaj>
  137274:   e1a0100a    mov r1, sl
  137278:   e1a02008    mov r2, r8
  13727c:   e1a04000    mov r4, r0
  137280:   ebfcf20d    bl  73abc <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x6ac>
  137284:   e59f10e8    ldr r1, [pc, #232]  ; 137374 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x13c>
  137288:   e3a00006    mov r0, #6  ; 0x6
  13728c:   e08f1001    add r1, pc, r1
  137290:   ebfcf395    bl  740ec <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x7c>
  137294:   e1a00005    mov r0, r5
  137298:   e28d1004    add r1, sp, #4  ; 0x4
  13729c:   ebfcf251    bl  73be8 <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x580>
  1372a0:   e59d3004    ldr r3, [sp, #4]
  1372a4:   e1530005    cmp r3, r5
  1372a8:   ec410b30    vmov    d16, r0, r1
  1372ac:   eef77be0    fcvtsd  s15, d16
  1372b0:   edc67a00    fsts    s15, [r6]
  1372b4:   0a000002    beq 1372c4 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x8c>
  1372b8:   e5d33000    ldrb    r3, [r3]
  1372bc:   e3530000    cmp r3, #0  ; 0x0
  1372c0:   0a00000c    beq 1372f8 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0xc0>
  1372c4:   eddf7a25    flds    s15, [pc, #148]
  1372c8:   e3a03004    mov r3, #4  ; 0x4
  1372cc:   edc67a00    fsts    s15, [r6]
  1372d0:   e5873000    str r3, [r7]
  1372d4:   e3a00006    mov r0, #6  ; 0x6
  1372d8:   e1a01004    mov r1, r4
  1372dc:   ebfcf382    bl  740ec <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x7c>
  1372e0:   e3540000    cmp r4, #0  ; 0x0
  1372e4:   0a000001    beq 1372f0 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0xb8>
  1372e8:   e1a00004    mov r0, r4
  1372ec:   eb0000ea    bl  13769c <_ZdaPv>
  1372f0:   e28dd00c    add sp, sp, #12 ; 0xc
  1372f4:   e8bd85f0    pop {r4, r5, r6, r7, r8, sl, pc}
  1372f8:   eef00be0    fabsd   d16, d16
  1372fc:   eddf1b15    vldr    d17, [pc, #84]  ; 137358 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x120>
  137300:   eef40be1    fcmped  d16, d17
  137304:   eef1fa10    fmstat
  137308:   da000005    ble 137324 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0xec>
  13730c:   eef57ac0    fcmpezs s15
  137310:   eef1fa10    fmstat
  137314:   da00000a    ble 137344 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x10c>
  137318:   eddf7a11    flds    s15, [pc, #68]
  13731c:   edc67a00    fsts    s15, [r6]
  137320:   ea000009    b   13734c <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x114>
  137324:   ed9f7a0f    flds    s14, [pc, #60]
  137328:   eef47a47    fcmps   s15, s14
  13732c:   eef1fa10    fmstat
  137330:   0afffff8    beq 137318 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0xe0>
  137334:   ed9f7a0c    flds    s14, [pc, #48]
  137338:   eef47a47    fcmps   s15, s14
  13733c:   eef1fa10    fmstat
  137340:   1affffe3    bne 1372d4 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x9c>
  137344:   eddf7a09    flds    s15, [pc, #36]
  137348:   edc67a00    fsts    s15, [r6]
  13734c:   e3a03004    mov r3, #4  ; 0x4
  137350:   e5873000    str r3, [r7]
  137354:   eaffffde    b   1372d4 <_ZSt14__convert_to_vIfEvPKcRT_RSt12_Ios_IostateRKPi+0x9c>
  137358:   e0000000    and r0, r0, r0
  13735c:   47efffff    undefined
  137360:   00000000    andeq   r0, r0, r0
  137364:   7f7fffff    svcvc   0x007fffff
  137368:   7f800000    svcvc   0x00800000
  13736c:   ff800000    undefined instruction 0xff800000
  137370:   ff7fffff    undefined instruction 0xff7fffff
  137374:   0001caa8    andeq   ip, r1, r8, lsr #21

Any ideas?

Upvotes: 0

Views: 737

Answers (1)

David Given

Reputation: 13701

I think your crash is actually happening at 0x1372a8 --- if you look at the bit immediately below the register dump, you can see that Android has automatically calculated the offset for you. (It doesn't always get it right. See how the lr address hasn't been modified? However, Android always loads shared objects at aligned addresses, so the bottom four or five digits of the address match up, which makes it easy to figure out what the address should be.)

Incidentally, it's always worth checking that the bytes in the 'code around pc' section actually match the disassembly to make sure you're looking in the right place. They won't match perfectly, because the disassembly is showing you the instructions before they've been fixed up, but double checking this has saved my bacon many times.

Upvotes: 1
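A script that performs the two checks the answer describes, as an added example that is not part of the original question or answer: it derives the library load base from the pc/offset pair that debuggerd printed, relocates the lr that was left unconverted, and cross-checks every word in the "code around pc" block against the `objdump -d` output at the relocated offset. The tombstone and objdump text embedded below are constructed samples copied from the question (logcat prefixes and one symbol name trimmed); the function names and the page-size constant are this example's own assumptions.

```python
import re

# Constructed sample input: register line, backtrace and "code around pc"
# block from the tombstone in the question (logcat pid/tid prefix trimmed).
TOMBSTONE = """\
I DEBUG   :  ip 00000002  sp 4a754310  lr 819372a0  pc 819372a8  cpsr 20000010
I DEBUG   :          #00  pc 001372a8  /data/data/com.package.appdebug/lib/libthor.so
I DEBUG   :          #01  lr 819372a0  /data/data/com.package.appdebug/lib/libthor.so
I DEBUG   : code around pc:
I DEBUG   : 81937288 e3a00006 e08f1001 ebfcf395 e1a00005
I DEBUG   : 81937298 e28d1004 ebfcf251 e59d3004 e1530005
I DEBUG   : 819372a8 ec410b30 eef77be0 edc67a00 0a000002
"""

# Constructed sample input: matching lines of `objdump -d libthor.so` from
# the question (one long branch-target symbol shortened to <...>).
OBJDUMP = """\
  137288:   e3a00006    mov r0, #6  ; 0x6
  13728c:   e08f1001    add r1, pc, r1
  137290:   ebfcf395    bl  740ec <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x7c>
  137294:   e1a00005    mov r0, r5
  137298:   e28d1004    add r1, sp, #4  ; 0x4
  13729c:   ebfcf251    bl  73be8 <_ZN7_JNIEnv12NewGlobalRefEP8_jobject-0x580>
  1372a0:   e59d3004    ldr r3, [sp, #4]
  1372a4:   e1530005    cmp r3, r5
  1372a8:   ec410b30    vmov    d16, r0, r1
  1372ac:   eef77be0    fcvtsd  s15, d16
  1372b0:   edc67a00    fsts    s15, [r6]
  1372b4:   0a000002    beq 1372c4 <...+0x8c>
"""

PAGE = 0x1000  # assumption: 4 KiB pages, so .so load bases are 0x1000-aligned

def parse_registers(text):
    """Return {'pc': int, 'lr': int, 'sp': int} taken from the line holding cpsr."""
    for line in text.splitlines():
        if "cpsr" in line:
            return {n: int(v, 16) for n, v in re.findall(r"\b(pc|lr|sp)\s+([0-9a-f]{8})\b", line)}
    raise ValueError("register line not found")

def parse_backtrace(text):
    """Return [(frame, 'pc'|'lr', address, path)] from the #NN backtrace lines."""
    pat = re.compile(r"#(\d+)\s+(pc|lr)\s+([0-9a-f]{8})\s+(\S+)")
    return [(int(f), k, int(a, 16), p) for f, k, a, p in pat.findall(text)]

def load_base(pc_abs, pc_offset):
    """Library load base = absolute pc minus the offset debuggerd printed for it.
    The answer's point: the base is page aligned, so a non-aligned result means
    the pc and the offset do not belong together."""
    base = pc_abs - pc_offset
    if base % PAGE:
        raise ValueError("base 0x%08x is not page aligned" % base)
    return base

def to_offset(addr, base):
    """Relocate an absolute address (e.g. the unconverted lr) to a file offset."""
    return addr - base

def parse_code_around(text, which="pc"):
    """Return {absolute address: instruction word} for the 'code around <which>' block."""
    words, section = {}, None
    for line in text.splitlines():
        hdr = re.search(r"code around (pc|lr):", line)
        if hdr:
            section = hdr.group(1)
            continue
        m = re.search(r":\s*([0-9a-f]{8})((?:\s+[0-9a-f]{8})+)\s*$", line)
        if m and section == which:
            addr = int(m.group(1), 16)
            for i, w in enumerate(m.group(2).split()):
                words[addr + 4 * i] = int(w, 16)   # 4-byte ARM words
    return words

def parse_objdump(text):
    """Return {file offset: (instruction word, normalised disassembly text)}."""
    out = {}
    for m in re.finditer(r"^\s*([0-9a-f]+):\s+([0-9a-f]{8})\s+(.*?)\s*$", text, re.M):
        out[int(m.group(1), 16)] = (int(m.group(2), 16), " ".join(m.group(3).split()))
    return out

def compare_code(tombstone, objdump):
    """Relocate each 'code around pc' word and pair it with the objdump word at
    that offset. Returns (base, [(offset, dump_word, obj_word_or_None, text)])."""
    regs, frames = parse_registers(tombstone), parse_backtrace(tombstone)
    pc_off = next(a for _, k, a, _ in frames if k == "pc")
    base, dis, rows = load_base(regs["pc"], pc_off), parse_objdump(objdump), []
    for addr, word in sorted(parse_code_around(tombstone, "pc").items()):
        off = to_offset(addr, base)
        obj = dis.get(off)
        rows.append((off, word, obj[0] if obj else None, obj[1] if obj else ""))
    return base, rows

def faulting_instruction(tombstone, objdump):
    """Return (pc file offset, disassembly of the word that raised the signal),
    but only if the tombstone bytes and the objdump bytes agree there."""
    base, rows = compare_code(tombstone, objdump)
    pc_off = to_offset(parse_registers(tombstone)["pc"], base)
    return pc_off, next(t for off, w, o, t in rows if off == pc_off and w == o)

if __name__ == "__main__":
    base, rows = compare_code(TOMBSTONE, OBJDUMP)
    print("load base 0x%08x, lr -> 0x%06x" % (base, to_offset(parse_registers(TOMBSTONE)["lr"], base)))
    for off, w, o, t in rows:
        print("%06x %08x %s %s" % (off, w, "ok  " if w == o else "DIFF", t))
    print("faulting word: %06x %s" % faulting_instruction(TOMBSTONE, OBJDUMP))
```

On the question's data the base comes out as 0x81800000, lr relocates to 0x1372a0, and all twelve words in the "code around pc" block match the disassembly, so the pc really is at 0x1372a8. The word there is ec410b30, which the question's own disassembly labels `vmov d16, r0, r1`; d16 is one of the upper sixteen double registers that only VFP implementations with 32 double registers provide, so whether this CPU implements those registers is the next thing to verify, rather than the `bl` at 0x137270.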
