Android进程Crash处理流程

发表于 | 分类于 | 阅读次数

之前的一篇文章,讲到了应用程序无响应(ANR)时Android的处理逻辑。这篇文章,就来分析下应用进程发生崩溃(Crash)时,Android是如何处理的?总的说来,Android主要有两大类Crash:

  • Java(JVM)层: 应用程序发生运行时错误(如空指针,浮点运算错误,数据索引超出界限)或者系统进程崩溃(长时间无响应);
  • Native层: native进程或者kernel发生运行时错误;

APP层Crash处理

对Java层,Android需要处理两种情况的Crash:

  • 对于APP中未捕获的异常,捕捉到后,进行处理;
  • 监控UI线程(主线程)、前台服务线程、IO线程、显示线程(IMS/WMS,DMS中使用)以及Binder进程通信线程是否挂起(10s内无响应则视为挂起);

主线程(main thread)是指应用启动时创建的进程中的第一个线程,而UI线程则是负责输入、绘制等前台交互,大部分情况下主线程就是UI线程,参考:

下面就从这两种情况来分析APP出现的Crash。

未捕获异常Crash

对于每个进程,在启动过程初始化运行时执行环境时,都会设置一个未捕获异常处理函数,用于捕获APP中未捕获到的异常情况:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

private static final void commonInit() {
    if (DEBUG) Slog.d(TAG, "Entered RuntimeInit!");

    /* set default handler; this applies to all threads in the VM */
    Thread.setDefaultUncaughtExceptionHandler(new UncaughtHandler());

    TimezoneGetter.setInstance(new TimezoneGetter() {
        @Override
        public String getId() {
            return SystemProperties.get("persist.sys.timezone");
        }
    });
    TimeZone.setDefault(null);
    ....
    initialized = true;
}

捕获到应用Crash后,向AMS发送Crash信息,最后将进程杀死:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

private static class UncaughtHandler implements Thread.UncaughtExceptionHandler {
    public void uncaughtException(Thread t, Throwable e) {
        try {
            // Don't re-enter -- avoid infinite loops if crash-reporting crashes.
            if (mCrashing) return;
            mCrashing = true;
            
            if (mApplicationObject == null) {
                // 进程启动时设置了mApplicationObject = ApplicationThread
            } else {
                StringBuilder message = new StringBuilder();
                message.append("FATAL EXCEPTION: ").append(t.getName()).append("\n");
                final String processName = ActivityThread.currentProcessName();
                if (processName != null) {
                    message.append("Process: ").append(processName).append(", ");
                }
                message.append("PID: ").append(Process.myPid());
                Clog_e(TAG, message.toString(), e);
            }
            ....
            // Bring up crash dialog, wait for it to be dismissed
            ActivityManagerNative.getDefault().handleApplicationCrash(
                    mApplicationObject, new ApplicationErrorReport.CrashInfo(e));
        } catch (Throwable t2) {
            ....
        } finally {
            // Try everything to make sure this process goes away.
            Process.killProcess(Process.myPid());
            System.exit(10);
        }
    }
}

参考源码:/android/frameworks/base/core/java/com/android/internal/os/RuntimeInit.java

AMS接收到Crash后,找到应用的进程记录,做下一步处理:

1
2
3
4
5
6
7
8
9
10
11


public void handleApplicationCrash(IBinder app, ApplicationErrorReport.CrashInfo crashInfo) {
       ProcessRecord r = findAppProcess(app, "Crash");
       final String processName = app == null ? "system_server"
               : (r == null ? "unknown" : r.processName);
       final int userId = r == null ? UserHandle.USER_OWNER : r.userId;
       ....
       // 处理应用Crash
       handleApplicationCrashInner("crash", r, processName, crashInfo);
   }

AMS处理APP的Crash主要做了两件事情:

  • 保存Crash的当时的现场到Dropbox;
  • 如果发现该APP频繁Crash,记录信息,强制其停止,不提示用户;否则需要弹出APP出错的对话框告知用户,由用户自己选择处理的方式(重启或者强制停止);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16


void handleApplicationCrashInner(String eventType, ProcessRecord r, String processName,
        ApplicationErrorReport.CrashInfo crashInfo) {
    EventLog.writeEvent(EventLogTags.AM_CRASH, Binder.getCallingPid(),
            UserHandle.getUserId(Binder.getCallingUid()), processName,
            r == null ? -1 : r.info.flags,
            crashInfo.exceptionClassName,
            crashInfo.exceptionMessage,
            crashInfo.throwFileName,
            crashInfo.throwLineNumber);

    addErrorToDropBox(eventType, r, processName, null, null, null, null, null, crashInfo);

    mAppErrors.crashApplication(r, crashInfo);
}

系统挂起

在应用层, Android有一个专门的监控者Watchdog线程来负责监控应用层是否出现系统挂起(在给定时间10s无响应则视为挂起),比如系统服务IMS(AMS,WMS)无响应,UI线程、IO线程无响应,Binder IPC线程无响应等各种异常情况:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

private Watchdog() {
    super("watchdog");

    // The shared foreground thread is the main checker.  It is where we
    // will also dispatch monitor checks and do other work.
    mMonitorChecker = new HandlerChecker(FgThread.getHandler(),
            "foreground thread", DEFAULT_TIMEOUT);
    mHandlerCheckers.add(mMonitorChecker);
    // Add checker for main thread.  We only do a quick check since there
    // can be UI running on the thread.
    mHandlerCheckers.add(new HandlerChecker(new Handler(Looper.getMainLooper()),
            "main thread", DEFAULT_TIMEOUT));
    // Add checker for shared UI thread.
    mHandlerCheckers.add(new HandlerChecker(UiThread.getHandler(),
            "ui thread", DEFAULT_TIMEOUT));
    // And also check IO thread.
    mHandlerCheckers.add(new HandlerChecker(IoThread.getHandler(),
            "i/o thread", DEFAULT_TIMEOUT));
    // And the display thread.
    mHandlerCheckers.add(new HandlerChecker(DisplayThread.getHandler(),
            "display thread", DEFAULT_TIMEOUT));

    // Initialize monitor for Binder threads.
    addMonitor(new BinderThreadMonitor());
}

Watchdog线程是在system_server进程启动时启动起来的:

1
2
3
4
5
6
7
8

private void startOtherServices() {
        ....
        final Watchdog watchdog = Watchdog.getInstance();
        watchdog.init(context, mActivityManagerService);
        ....
        Watchdog.getInstance().start();
}

Watchdog线程启动后,开始监测各个线程有无响应(通过在线程消息队列的头部添加一个可执行对象,对于Binder线程则通过BlockUtilThreadAvailable来检测是否有Binder线程可用),一旦发现系统某个线程无响应,则抓取相应APP的堆栈LOG,同时保存kernel的堆栈信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

public void run() {
    boolean waitedHalf = false;
    File traceFile = new File("/data/anr/traces.txt");
    try {
        if (!traceFile.exists()) {
            traceFile.createNewFile();
        }
        traceFile.setReadable(true, false);
        traceFile.setWritable(true, false);
    } catch(IOException e) {
        Slog.e(TAG, "Failed to create /data/anr/traces.txt");
    }

    while (true) {
        final ArrayList<HandlerChecker> blockedCheckers;
        final String subject;
        final boolean allowRestart;
        synchronized (this) {
            long timeout = CHECK_INTERVAL;
            for (int i=0; i<mHandlerCheckers.size(); i++) {
                HandlerChecker hc = mHandlerCheckers.get(i);
                hc.scheduleCheckLocked();
            }
            ....
            final int waitState = evaluateCheckerCompletionLocked();
            if (waitState == COMPLETED) {
                // The monitors have returned; reset
                waitedHalf = false;
                continue;
            } else if (waitState == WAITING) {
                // still waiting but within their configured intervals; back off and recheck
                continue;
            } else if (waitState == WAITED_HALF) {
                ....
                continue;
            }

            // something is overdue!
            blockedCheckers = getBlockedCheckersLocked();
            subject = describeCheckersLocked(blockedCheckers);
            allowRestart = mAllowRestart;
        }
    }

    // 系统处于挂起状态,保存APP堆栈信息
   final File stack = ActivityManagerService.dumpStackTraces(
                !waitedHalf, pids, null, null, NATIVE_STACKS_OF_INTEREST);
    ....
    // 保存kernel堆栈信息
    if (RECORD_KERNEL_THREADS) {
        dumpKernelStackTraces();
    }
    ....
  }

参考源码:/android/frameworks/base/services/core/java/com/android/server/Watchdog.java

接下来,就来看一看Android是如何处理native进程crash的。

Native层Crash处理

在native层,Android的Crash处理主要由三个部分组成:

  • kernel捕捉到进程的异常信号(SIGABRT,SIGBUS,SIGFPE)时,调用信号处理函数;信号处理函数负责收集Crash进程的错误信息,并将错误信息通过socket发送给debugger守护进程;
  • debugger守护进程接收到crash信息后,一方面告知AMS有进程发生Crash,一方面通过tomestone保存完整的现场信息;
  • AMS收到Crash信息后,弹出对话框告知用户Crash信息,同时保存该crash进程的相关LOG;

接下来,我们分步骤来看下native层Crash的处理流程。

Crash信号处理函数

Native进程发生崩溃(Crash)时,kernel会向其发送一个信号(signal),此时当前进程被中断,kernel接着调用事先注册在系统中的信号处理函数(Signal Handler)。Android在启动时专门注册了一个signal handler用于处理Native进程由于运行错误而出现的信号。

那么,Android的signal handler是在哪里注册到系统中的了?在Android库bionic中有一个动态链接库linker(文件目录/android/bionic/),linker启动时会初始化通过系统调用signal向系统注册信号处理函数; Android主要处理SIGABRTSIGBUS等几种Crash信号(linux signal):

  • SIGABRT(6): abort, 异常终止;
  • SIGBUS(10): bus error, 总线错误;
  • SIGFPE(8): Floating Point Exception, 浮点运算异常;
  • SIGILL(4): Illegal Instruction, 非法指令;
  • SIGSEGV(11): Invalid memory Segmentation Fault, 无效内存访问;
  • SIGSTKFLT(16): stack fault, 堆栈错误;
  • SIGTRAP(5): Trace Trap, 跟踪陷阱;

debugger.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

__LIBC_HIDDEN__ void debuggerd_init() {
      struct sigaction action;
      memset(&action, 0, sizeof(action));
      sigemptyset(&action.sa_mask);
      // 信号处理函数
      action.sa_sigaction = debuggerd_signal_handler;
      action.sa_flags = SA_RESTART | SA_SIGINFO;
    
      // Use the alternate signal stack if available so we can catch stack overflows.
      action.sa_flags |= SA_ONSTACK;
      // 需要捕捉的信号
      sigaction(SIGABRT, &action, nullptr);
      sigaction(SIGBUS, &action, nullptr);
      sigaction(SIGFPE, &action, nullptr);
      sigaction(SIGILL, &action, nullptr);
      sigaction(SIGSEGV, &action, nullptr);
    #if defined(SIGSTKFLT)
      sigaction(SIGSTKFLT, &action, nullptr);
    #endif
      sigaction(SIGTRAP, &action, nullptr);
}

注册完信号处理函数后,一旦kernel检测到有进程出现上述信号,则会调用debuggerd_signal_handler函数进行处理:此时会通过socket接口android:debuggerd32(对于64位系统,socket名为android:debuggerd)发送错误信息,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18


/*
 * Catches fatal signals so we can ask debuggerd to ptrace us before
 * we crash.
 */
static void debuggerd_signal_handler(int signal_number, siginfo_t* info, void*) {
  // It's possible somebody cleared the SA_SIGINFO flag, which would mean
  // our "info" arg holds an undefined value.
  if (!have_siginfo(signal_number)) {
    info = nullptr;
  }

  log_signal_summary(signal_number, info);
  // 向debuggered发送错误信息
  send_debuggerd_packet(info);
  ....
}

调用send_debuggerd_packet,首先连接debuggerd的服务端socket;接着不断尝试向该socket写入数据,直至成功:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

static void send_debuggerd_packet(siginfo_t* info) {
  // Mutex to prevent multiple crashing threads from trying to talk
  // to debuggerd at the same time.
  static pthread_mutex_t crash_mutex = PTHREAD_MUTEX_INITIALIZER;
  int ret = pthread_mutex_trylock(&crash_mutex);
  ...
  // 连接debuggerd
  int s = socket_abstract_client(DEBUGGER_SOCKET_NAME, SOCK_STREAM | SOCK_CLOEXEC);
  if (s == -1) {
    __libc_format_log(ANDROID_LOG_FATAL, "libc", "Unable to open connection to debuggerd: %s", strerror(errno));
    return;
  }

  // debuggerd knows our pid from the credentials on the
  // local socket but we need to tell it the tid of the crashing thread.
  // debuggerd will be paranoid and verify that we sent a tid
  // that's actually in our process.
  debugger_msg_t msg;
  // crash
  msg.action = DEBUGGER_ACTION_CRASH;
  msg.tid = gettid();
  msg.abort_msg_address = reinterpret_cast<uintptr_t>(g_abort_message);
  msg.original_si_code = (info != nullptr) ? info->si_code : 0;
  // 向socket写入数据
  ret = TEMP_FAILURE_RETRY(write(s, &msg, sizeof(msg)));
  if (ret == sizeof(msg)) {
    char debuggerd_ack;
    ret = TEMP_FAILURE_RETRY(read(s, &debuggerd_ack, 1));
    int saved_errno = errno;
    notify_gdb_of_libraries();
    errno = saved_errno;
  } else {
    // read or write failed -- broken connection?
    __libc_format_log(ANDROID_LOG_FATAL, "libc", "Failed while talking to debuggerd: %s", strerror(errno));
  }
  // 关闭socket
  close(s);
}

参考源码: /android/bionic/linker/debugger.cpp

debuggerd.cpp

在服务端进程debuggerd启动时,会不断监听客户端的连接请求,一旦发现有连接,就会读取其中的数据进行处理:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

static int do_server() {
  // debuggerd crashes can't be reported to debuggerd.
  // Reset all of the crash handlers.
  signal(SIGABRT, SIG_DFL);
  signal(SIGBUS, SIG_DFL);
  signal(SIGFPE, SIG_DFL);
  signal(SIGILL, SIG_DFL);
  signal(SIGSEGV, SIG_DFL);
#ifdef SIGSTKFLT
  signal(SIGSTKFLT, SIG_DFL);
#endif
  signal(SIGTRAP, SIG_DFL);

  // Ignore failed writes to closed sockets
  signal(SIGPIPE, SIG_IGN);
  ....
  // 创建服务端socket
  int s = socket_local_server(SOCKET_NAME, ANDROID_SOCKET_NAMESPACE_ABSTRACT,
                              SOCK_STREAM | SOCK_CLOEXEC);

  // Fork a process that stays root, and listens on a pipe to pause and resume the target.(具体什么作用,没看明白)
  if (!start_signal_sender()) {
    ALOGE("debuggerd: failed to fork signal sender");
    return 1;
  }
  // 监听并处理客户端进程请求
  for (;;) {
    sockaddr_storage ss;
    sockaddr* addrp = reinterpret_cast<sockaddr*>(&ss);
    socklen_t alen = sizeof(ss);

    ALOGV("waiting for connection\n");
    int fd = accept4(s, addrp, &alen, SOCK_CLOEXEC);
    if (fd == -1) {
      continue;
    }

    handle_request(fd);
  }
  return 0;
}

现在debuggerd与客户端进程已经建立好连接了,读取其中的数据并fork一个新的进程处理之:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

static void handle_request(int fd) {
  ScopedFd closer(fd);
  debugger_request_t request;
  memset(&request, 0, sizeof(request));
  // 读取数据
  int status = read_request(fd, &request);
  if (status != 0) {
    return;
  }
  ....
  // Fork a child to handle the rest of the request.
  pid_t fork_pid = fork();
  if (fork_pid == -1) {
    ALOGE("debuggerd: failed to fork: %s\n", strerror(errno));
  // 在子进程中处理请求
  } else if (fork_pid == 0) {
    worker_process(fd, request);
  } else {
    monitor_worker_process(fork_pid, request);
  }
}

在子进程中处理Crash:首先尝试连接AMS,接着会保存Crash进程的DUMP LOG,最后通过socket发送消息告知AMS有Crash发生,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

static void worker_process(int fd, debugger_request_t& request) {
  // Open the tombstone file if we need it.
  std::string tombstone_path;
  int tombstone_fd = -1;
  switch (request.action) {
    case DEBUGGER_ACTION_DUMP_TOMBSTONE:
    case DEBUGGER_ACTION_CRASH:
      tombstone_fd = open_tombstone(&tombstone_path);
      if (tombstone_fd == -1) {
        ALOGE("debuggerd: failed to open tombstone file: %s\n", strerror(errno));
        exit(1);
      }
      break;
      ....
  }

  // Don't attach to the sibling threads if we want to attach gdb.
  // Supposedly, it makes the process less reliable.
  bool attach_gdb = should_attach_gdb(request);
  ....
  std::set<pid_t> siblings;
  if (!attach_gdb) {
    ptrace_siblings(request.pid, request.tid, siblings);
  }

  int amfd = -1;
  std::unique_ptr<std::string> amfd_data;
  if (request.action == DEBUGGER_ACTION_CRASH) {
    // 连接AMS
    amfd = activity_manager_connect();
    amfd_data.reset(new std::string);
  }

  bool succeeded = false;
  ....
  int crash_signal = SIGKILL;
  // 保存DUMP LOG
  succeeded = perform_dump(request, fd, tombstone_fd, backtrace_map.get(), siblings,
                           &crash_signal, amfd_data.get());
  if (succeeded) {
    if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) {
      if (!tombstone_path.empty()) {
        android::base::WriteFully(fd, tombstone_path.c_str(), tombstone_path.length());
      }
    }
  }
  ....
  if (!attach_gdb) {
    // Tell the Activity Manager about the crashing process. If we are
    // waiting for gdb to attach, do not send this or Activity Manager
    // might kill the process before anyone can attach.
    activity_manager_write(request.pid, crash_signal, amfd, *amfd_data.get());
  }
  ....

  close(amfd);

  exit(!succeeded);
}

连接AMS用来监听native crash的socket, 从这里我们也可以看到,debuggerd进程实际连接的是在NativeCrashListener.java中创建的socket:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

static int activity_manager_connect() {
  android::base::unique_fd amfd(socket(PF_UNIX, SOCK_STREAM, 0));

  struct sockaddr_un address;
  memset(&address, 0, sizeof(address));
  address.sun_family = AF_UNIX;
  // The path used here must match the value defined in NativeCrashListener.java.
  strncpy(address.sun_path, "/data/system/ndebugsocket", sizeof(address.sun_path));
  if (TEMP_FAILURE_RETRY(connect(amfd.get(), reinterpret_cast<struct sockaddr*>(&address), sizeof(address))) == -1) {
    return -1;
  }

  struct timeval tv;
  memset(&tv, 0, sizeof(tv));
  tv.tv_sec = 1;  // tight leash
  if (setsockopt(amfd.get(), SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)) == -1) {
    ALOGE("debuggerd: Unable to connect to activity manager (setsockopt SO_SNDTIMEO failed: %s)",
          strerror(errno));
    return -1;
  }

  tv.tv_sec = 3;  // 3 seconds on handshake read
  if (setsockopt(amfd.get(), SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == -1) {
    ALOGE("debuggerd: Unable to connect to activity manager (setsockopt SO_RCVTIMEO failed: %s)",
          strerror(errno));
    return -1;
  }

  return amfd.release();
}

参考源码: /android/system/core/debuggerd/debuggerd.cpp

ActivityManagerService.java

进程debuggerd跟AMS是通过一个叫/data/system/ndebugsocket的socket进行通信的,该socket在NativeCrashListener.java中创建的; NativeCrashListener实际是一个线程,它是在AMS初始化时创建的,其作用是一直在监听来自debuggerd进程的请求,如果有则处理:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

NativeCrashListener(ActivityManagerService am) {
       mAm = am;
   }

   @Override
   public void run() {
       final byte[] ackSignal = new byte[1];

       // The file system entity for this socket is created with 0700 perms, owned
       // by system:system.  debuggerd runs as root, so is capable of connecting to
       // it, but 3rd party apps cannot.
       ....
       try {
           FileDescriptor serverFd = Os.socket(AF_UNIX, SOCK_STREAM, 0);
           final UnixSocketAddress sockAddr = UnixSocketAddress.createFileSystem(
                   DEBUGGERD_SOCKET_PATH);
           Os.bind(serverFd, sockAddr);
           Os.listen(serverFd, 1);

           while (true) {
               FileDescriptor peerFd = null;
               try {
                   // 等待客户端连接
                   peerFd = Os.accept(serverFd, null /* peerAddress */);
                   if (MORE_DEBUG) Slog.v(TAG, "Got debuggerd socket " + peerFd);
                   if (peerFd != null) {
                       // Only the superuser is allowed to talk to us over this socket
                       StructUcred credentials =
                               Os.getsockoptUcred(peerFd, SOL_SOCKET, SO_PEERCRED);
                       if (credentials.uid == 0) {
                           // 处理Crash数据
                           consumeNativeCrashData(peerFd);
                       }
                   }
               } catch (Exception e) {
                   Slog.w(TAG, "Error handling connection", e);
               } finally {
                   ....
               }
           }
       } catch (Exception e) {
           Slog.e(TAG, "Unable to init native debug socket!", e);
       }
   }

读取socket中的Crash数据,并将其报告给AMS:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

void consumeNativeCrashData(FileDescriptor fd) {
        final byte[] buf = new byte[4096];
        final ByteArrayOutputStream os = new ByteArrayOutputStream(4096);

        try {
            StructTimeval timeout = StructTimeval.fromMillis(SOCKET_TIMEOUT_MILLIS);
            Os.setsockoptTimeval(fd, SOL_SOCKET, SO_RCVTIMEO, timeout);
            Os.setsockoptTimeval(fd, SOL_SOCKET, SO_SNDTIMEO, timeout);

            // first, the pid and signal number
            int headerBytes = readExactly(fd, buf, 0, 8);
            if (headerBytes != 8) {
                // protocol failure; give up
                Slog.e(TAG, "Unable to read from debuggerd");
                return;
            }

            int pid = unpackInt(buf, 0);
            int signal = unpackInt(buf, 4);

            // now the text of the dump
            if (pid > 0) {
                final ProcessRecord pr;
                synchronized (mAm.mPidsSelfLocked) {
                    pr = mAm.mPidsSelfLocked.get(pid);
                }
                if (pr != null) {
                    // Don't attempt crash reporting for persistent apps
                    if (pr.persistent) {
                        return;
                    }

                    int bytes;
                    do {
                        // get some data
                        bytes = Os.read(fd, buf, 0, buf.length);
                        if (bytes > 0) {
                            // did we just get the EOD null byte?
                            if (buf[bytes-1] == 0) {
                                os.write(buf, 0, bytes-1);  // exclude the EOD token
                                break;
                            }
                            // no EOD, so collect it and read more
                            os.write(buf, 0, bytes);
                        }
                    } while (bytes > 0);
                    ....
                    // 启动另一个线程NativeCrashReporter通知AMS
                    final String reportString = new String(os.toByteArray(), "UTF-8");
                    (new NativeCrashReporter(pr, signal, reportString)).start();
                } else {
                    Slog.w(TAG, "Couldn't find ProcessRecord for pid " + pid);
                }
            } else {
                Slog.e(TAG, "Bogus pid!");
            }
        } catch (Exception e) {
            Slog.e(TAG, "Exception dealing with report", e);
            // ugh, fail.
        }
    }

通过NativeCrashReporter线程告知AMS有native crash发生:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

class NativeCrashReporter extends Thread {
    ProcessRecord mApp;
    int mSignal;
    String mCrashReport;

    NativeCrashReporter(ProcessRecord app, int signal, String report) {
        super("NativeCrashReport");
        mApp = app;
        mSignal = signal;
        mCrashReport = report;
    }

    @Override
    public void run() {
        try {
            CrashInfo ci = new CrashInfo();
            ci.exceptionClassName = "Native crash";
            ci.exceptionMessage = Os.strsignal(mSignal);
            ci.throwFileName = "unknown";
            ci.throwClassName = "unknown";
            ci.throwMethodName = "unknown";
            ci.stackTrace = mCrashReport;

            mAm.handleApplicationCrashInner("native_crash", mApp, mApp.processName, ci);
        } catch (Exception e) {
            Slog.e(TAG, "Unable to report native crash", e);
        }
    }
}

之后的处理流程,跟在第一节关于未捕获异常的时候,就基本一样了。详细可以参考上节内容。