CTS/GTS Problem Analysis 15
A failure of an upgraded test case caused by security patches no longer being maintained
Problem analysis
Test command:
run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.CorruptApkTests#testSafeInstallOfCorruptAPK_b71360999 -a arm64-v8a
Host log from the failing run:
02-25 11:16:13 W/AndroidNativeDevice: InstallException ( cause: ShellCommandUnresponsiveException) when attempting install /tmp/corruptapk1230584624101881124.apk on device 7ac4c90e
02-25 11:16:13 I/AndroidNativeDevice: Attempting recovery on 7ac4c90e
02-25 11:16:13 I/WaitDeviceRecovery: Pausing for 5000 for 7ac4c90e to recover
02-25 11:16:18 I/AndroidNativeDeviceStateMonitor: Device 7ac4c90e is already ONLINE
02-25 11:16:18 I/AndroidNativeDeviceStateMonitor: Waiting 30000 ms for device 7ac4c90e shell to be responsive
02-25 11:16:18 I/AndroidNativeDeviceStateMonitor: Device 7ac4c90e is already ONLINE
02-25 11:16:18 I/AndroidNativeDeviceStateMonitor: Waiting 239999 ms for device 7ac4c90e boot complete
02-25 11:16:18 I/DeviceStateMonitor: Waiting 239945 ms for device 7ac4c90e package manager
02-25 11:16:19 I/AndroidNativeDeviceStateMonitor: Waiting 238695 ms for device 7ac4c90e external store
02-25 11:16:20 I/AndroidNativeDeviceStateMonitor: Device 7ac4c90e is already ONLINE
02-25 11:16:20 I/AndroidNativeDevice: root is required for encryption
02-25 11:16:20 I/AndroidNativeDevice: adb is already running as root on 7ac4c90e
02-25 11:16:20 I/TestDevice: Attempting to disable keyguard on 7ac4c90e using input keyevent 82
02-25 11:16:20 I/AndroidNativeDevice: Recovery successful for 7ac4c90e
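A host log like this usually has one of two causes: 1. an adb fault; 2. the phone restarted abnormally during the test.
Next, look at the device log: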
02-24 20:12:11.451 19176 19297 W ResourceType: No package identifier when getting name for resource number 0x00000000
02-24 20:12:11.453 19176 19297 W ResourceType: ResStringPool_header header size 0x0001 is too small.
02-24 20:12:11.453 19176 19297 F ResourceType: Bad string block: malformed block dimensions
02-24 20:12:11.458 19176 19297 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 19297 (PackageInstalle)
02-24 20:12:11.459 18902 18902 W : debuggerd: handling request: pid=19176 uid=1000 gid=1000 tid=19297
02-24 20:12:11.460 18902 18902 I MIUINDBG_HOOK: hook hook_sigtimedwait
02-24 20:12:11.610 22839 22839 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-24 20:12:11.611 22839 22839 F DEBUG : Build fingerprint: 'Xiaomi/hydrogen/hydrogen:7.0/NRD90M/9.2.14:user/release-keys'
02-24 20:12:11.611 22839 22839 F DEBUG : Revision: '0'
02-24 20:12:11.611 22839 22839 F DEBUG : ABI: 'arm64'
02-24 20:12:11.611 22839 22839 F DEBUG : pid: 19176, tid: 19297, name: PackageInstalle >>> system_server <<<
02-24 20:12:11.611 22839 22839 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
02-24 20:12:11.626 22839 22839 F DEBUG : Abort message: 'Bad string block: malformed block dimensions'
02-24 20:12:11.626 22839 22839 F DEBUG : x0 0000000000000000 x1 0000000000004b61 x2 0000000000000006 x3 0000000000000008
02-24 20:12:11.626 22839 22839 F DEBUG : x4 203a70616d646900 x5 0000000000000000 x6 0000007f9a0ad000 x7 0000000000000000
02-24 20:12:11.627 22839 22839 F DEBUG : x8 0000000000000083 x9 ffffffffffffffdf x10 0000000000000000 x11 0000000000000001
02-24 20:12:11.627 22839 22839 F DEBUG : x12 ffffffffffffffff x13 0000000000000000 x14 0000000000000000 x15 001b09f143bf2dc1
02-24 20:12:11.627 22839 22839 F DEBUG : x16 0000007f9680bed8 x17 0000007f967b94d0 x18 0000000000000000 x19 0000007f7c1054f8
02-24 20:12:11.627 22839 22839 F DEBUG : x20 0000000000000006 x21 0000007f7c105450 x22 0000000000000002 x23 0000000000000000
02-24 20:12:11.627 22839 22839 F DEBUG : x24 0000007f7b3dc918 x25 0000007f7b3dc900 x26 bd013719673bf5f7 x27 00000000ffffffed
02-24 20:12:11.627 22839 22839 F DEBUG : x28 000000000000007f x29 0000007f7c103f10 x30 0000007f967b6960
02-24 20:12:11.627 22839 22839 F DEBUG : sp 0000007f7c103ef0 pc 0000007f967b94d8 pstate 0000000060000000
02-24 20:12:12.155 22839 22839 F DEBUG :
02-24 20:12:12.155 22839 22839 F DEBUG : backtrace:
02-24 20:12:12.155 22839 22839 F DEBUG : #00 pc 000000000006b4d8 /system/lib64/libc.so (tgkill+8)
02-24 20:12:12.155 22839 22839 F DEBUG : #01 pc 000000000006895c /system/lib64/libc.so (pthread_kill+64)
02-24 20:12:12.155 22839 22839 F DEBUG : #02 pc 0000000000023ea8 /system/lib64/libc.so (raise+24)
02-24 20:12:12.155 22839 22839 F DEBUG : #03 pc 000000000001c92c /system/lib64/libc.so (abort+52)
02-24 20:12:12.155 22839 22839 F DEBUG : #04 pc 0000000000010d60 /system/lib64/libcutils.so (__android_log_assert+232)
02-24 20:12:12.155 22839 22839 F DEBUG : #05 pc 000000000001eea0 /system/lib64/libandroidfw.so (_ZN7android13ResStringPool5setToEPKvmb+848)
02-24 20:12:12.155 22839 22839 F DEBUG : #06 pc 00000000000259e8 /system/lib64/libandroidfw.so (_ZN7android8ResTable12parsePackageEPKNS_16ResTable_packageEPKNS0_6HeaderEbb+628)
02-24 20:12:12.155 22839 22839 F DEBUG : #07 pc 0000000000024b00 /system/lib64/libandroidfw.so (_ZN7android8ResTable11addInternalEPKvmS2_mbibb+708)
02-24 20:12:12.155 22839 22839 F DEBUG : #08 pc 0000000000024fdc /system/lib64/libandroidfw.so (_ZN7android8ResTable3addEPNS_5AssetES2_ibbb+228)
02-24 20:12:12.155 22839 22839 F DEBUG : #09 pc 000000000001788c /system/lib64/libandroidfw.so (_ZNK7android12AssetManager20appendPathToResTableERKNS0_10asset_pathEb+660)
02-24 20:12:12.155 22839 22839 F DEBUG : #10 pc 00000000000174bc /system/lib64/libandroidfw.so (_ZN7android12AssetManager12addAssetPathERKNS_7String8EPibb+644)
02-24 20:12:12.155 22839 22839 F DEBUG : #11 pc 00000000000f5728 /system/lib64/libandroid_runtime.so
02-24 20:12:12.155 22839 22839 F DEBUG : #12 pc 0000000001cf5544 /system/framework/arm64/boot-framework.oat (offset 0x196e000) (android.content.res.AssetManager.addAssetPathNative+160)
02-24 20:12:12.155 22839 22839 F DEBUG : #13 pc 0000000001cf5400 /system/framework/arm64/boot-framework.oat (offset 0x196e000) (android.content.res.AssetManager.addAssetPathInternal+92)
02-24 20:12:12.155 22839 22839 F DEBUG : #14 pc 0000000001cf7ab8 /system/framework/arm64/boot-framework.oat (offset 0x196e000) (android.content.res.AssetManager.addAssetPath+52)
02-24 20:12:12.156 22839 22839 F DEBUG : #15 pc 0000000001cce910 /system/framework/arm64/boot-framework.oat (offset 0x196e000) (android.content.pm.PackageParser.parseApkLite+332)
02-24 20:12:12.156 22839 22839 F DEBUG : #16 pc 00000000017fc974 /system/framework/oat/arm64/services.odex (offset 0xf4d000)
So system_server restarted, and that is what interrupted the test case.
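The decision made above (adb fault versus a device-side restart) can be scripted for triage. This is an added example, not part of the original post: `triage` and its regular expressions are names chosen for this example, and the sample lines are copied from the device log above.

```python
import re

# Frames that only deliver the abort; the first frame past them is the code that gave up.
ABORT_PLUMBING = {"tgkill", "pthread_kill", "raise", "abort", "__android_log_assert"}

PROC_RE = re.compile(r"pid: \d+, tid: \d+, name: \S+\s+>>> (\S+) <<<")
SIGNAL_RE = re.compile(r"DEBUG\s*: signal \d+ \((SIG\w+)\)")
ABORT_RE = re.compile(r"Abort message: '(.*)'")
FRAME_RE = re.compile(r"#(\d+) pc \w+\s+(\S+).*\(([^()\s]+)\+\d+\)\s*$")

# Lines taken from the device log above (register dump and later frames omitted).
SAMPLE_LOG = """\
02-24 20:12:11.458 19176 19297 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 19297 (PackageInstalle)
02-24 20:12:11.611 22839 22839 F DEBUG : pid: 19176, tid: 19297, name: PackageInstalle >>> system_server <<<
02-24 20:12:11.611 22839 22839 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
02-24 20:12:11.626 22839 22839 F DEBUG : Abort message: 'Bad string block: malformed block dimensions'
02-24 20:12:12.155 22839 22839 F DEBUG : #00 pc 000000000006b4d8 /system/lib64/libc.so (tgkill+8)
02-24 20:12:12.155 22839 22839 F DEBUG : #03 pc 000000000001c92c /system/lib64/libc.so (abort+52)
02-24 20:12:12.155 22839 22839 F DEBUG : #04 pc 0000000000010d60 /system/lib64/libcutils.so (__android_log_assert+232)
02-24 20:12:12.155 22839 22839 F DEBUG : #05 pc 000000000001eea0 /system/lib64/libandroidfw.so (_ZN7android13ResStringPool5setToEPKvmb+848)
"""

def triage(log_text):
    """Summarise the first tombstone in a logcat dump: which process died, why, and where."""
    result = {"process": None, "signal": None, "abort_message": None, "culprit": None}
    for line in log_text.splitlines():
        if result["process"] is None and (m := PROC_RE.search(line)):
            result["process"] = m.group(1)
        elif result["signal"] is None and (m := SIGNAL_RE.search(line)):
            result["signal"] = m.group(1)
        elif result["abort_message"] is None and (m := ABORT_RE.search(line)):
            result["abort_message"] = m.group(1)
        elif result["culprit"] is None and (m := FRAME_RE.search(line)):
            frame, lib, symbol = int(m.group(1)), m.group(2).rsplit("/", 1)[-1], m.group(3)
            if symbol not in ABORT_PLUMBING:
                result["culprit"] = (frame, lib, symbol)
    # A dead system_server restarts the framework, so the host-side install never gets an answer.
    result["device_side_restart"] = result["process"] == "system_server"
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```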
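Cause of the failure
A native exception (NE) clearly occurred, and it is reproducible, which makes things very convenient: capture a coredump and look at it directly.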
#0 tgkill () at bionic/libc/arch-arm64/syscalls/tgkill.S:9
#1 0x0000007f7fb0b960 in pthread_kill (t=<optimized out>, sig=6) at bionic/libc/bionic/pthread_kill.cpp:45
#2 0x0000007f7fac6eac in raise (sig=2625) at bionic/libc/bionic/raise.cpp:34
#3 0x0000007f7fabf930 in abort () at bionic/libc/bionic/abort.cpp:47
#4 0x0000007f80ff4d64 in __android_log_assert (cond=<optimized out>, tag=0x7f7df5ef7c "ResourceType", fmt=<optimized out>) at system/core/liblog/logger_write.c:489
#5 0x0000007f7df48ea4 in android::ResStringPool::setTo (this=0x7f702f8358, data=0x7f4d0bf1a4, size=164480, copyData=false) at frameworks/base/libs/androidfw/ResourceTypes.cpp:478
#6 0x0000007f7df4f9ec in android::ResTable::parsePackage (this=0x7f703a3400, pkg=0x7f4d0bf084, header=0x7f62f7d860, appAsLib=<optimized out>, isSystemAsset=false) at frameworks/base/libs/androidfw/ResourceTypes.cpp:6269
#7 0x0000007f7df4eb04 in android::ResTable::addInternal (this=<optimized out>, data=<optimized out>, dataSize=<optimized out>, idmapData=<optimized out>, idmapDataSize=<optimized out>, appAsLib=<optimized out>,
cookie=<optimized out>, copyData=<optimized out>, isSystemAsset=<optimized out>) at frameworks/base/libs/androidfw/ResourceTypes.cpp:3932
#8 0x0000007f7df4efe0 in android::ResTable::add (this=0x7f703a3400, asset=0x7f62ab2400, idmapAsset=<optimized out>, cookie=5, copyData=false, appAsLib=false, isSystemAsset=false)
at frameworks/base/libs/androidfw/ResourceTypes.cpp:3773
#9 0x0000007f7df41890 in android::AssetManager::appendPathToResTable (this=0x7f62f15700, ap=..., appAsLib=<optimized out>) at frameworks/base/libs/androidfw/AssetManager.cpp:670
#10 0x0000007f7df414c0 in android::AssetManager::addAssetPath (this=<optimized out>, this@entry=0x7f62f15700, path=..., cookie=<optimized out>, cookie@entry=0x7f6369794c, appAsLib=<optimized out>, appAsLib@entry=false,
isSystemAsset=<optimized out>, isSystemAsset@entry=false) at frameworks/base/libs/androidfw/AssetManager.cpp:223
#11 0x0000007f7f7c172c in android::android_content_AssetManager_addAssetPath (env=0x7f70250900, clazz=<optimized out>, path=0x7f63697938, appAsLib=0 '\000') at frameworks/base/core/jni/android_util_AssetManager.cpp:550
---Type <return> to continue, or q <return> to quit---
#12 0x0000000073e00548 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Note frames #4 and #5: they are the reason for the restart.
pc = 0x7f7df48ea4 in android::ResStringPool::setTo (frameworks/base/libs/androidfw/ResourceTypes.cpp:478); saved pc = 0x7f7df4f9ec
called by frame at 0x7f636976a0, caller of frame at 0x7f63697490
source language c++.
Arglist at 0x7f63697490, args: this=0x7f702f8358, data=0x7f4d0bf1a4, size=164480, copyData=false
Locals at 0x7f63697490, Previous frame's sp is 0x7f636974c0
Saved registers:
x19 at 0x7f636974a8, x20 at 0x7f636974a0, x21 at 0x7f63697498, x22 at 0x7f63697490, x29 at 0x7f636974b0, x30 at 0x7f636974b8
Frame #5 corresponds to
status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)
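I then looked for security patches in this area; sure enough, a security patch had recently gone in here, but because B3 is no longer maintained, the case fails.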
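An added example (not the AOSP code, and not the security patch referred to above) of the kind of size checks behind the two `ResourceType` warnings in the device log, written so that a bad header produces an error value for the caller instead of an abort. The field layout follows `ResChunk_header` / `ResStringPool_header` in AOSP's `ResourceTypes.h`; the function names and the sample bytes are constructed for this example.

```python
import struct

RES_STRING_POOL_TYPE = 0x0001
# Chunk header (type, headerSize, size = 8 bytes) followed by
# stringCount, styleCount, flags, stringsStart, stylesStart (5 x uint32).
POOL_HEADER_SIZE = 28

def check_string_pool_header(buf, offset=0):
    """Return None if the string pool header at `offset` is sane, else a reason string.

    Every failure is reported to the caller; nothing here terminates the process.
    """
    if len(buf) - offset < 8:
        return "truncated chunk header"
    chunk_type, header_size, size = struct.unpack_from("<HHI", buf, offset)
    if chunk_type != RES_STRING_POOL_TYPE:
        return "not a string pool chunk (type 0x%04x)" % chunk_type
    if header_size < POOL_HEADER_SIZE:
        return "ResStringPool_header header size 0x%04x is too small." % header_size
    if header_size > size:
        return "size 0x%x is smaller than header size 0x%x" % (size, header_size)
    if (header_size | size) & 0x3:
        return "size or header size is not 4-byte aligned"
    if size > len(buf) - offset:
        return "chunk size 0x%x extends beyond the end of the data" % size
    string_count, style_count = struct.unpack_from("<2I", buf, offset + 8)
    # The index tables (4 bytes per entry) must fit between the header and the chunk end.
    if header_size + 4 * (string_count + style_count) > size:
        return "string/style index tables do not fit in the chunk"
    return None

def make_pool_header(header_size=POOL_HEADER_SIZE, size=POOL_HEADER_SIZE, string_count=0):
    """Constructed input: a string pool chunk with the given size fields, zero padded."""
    body = struct.pack("<HHI5I", RES_STRING_POOL_TYPE, header_size, size,
                       string_count, 0, 0, 0, 0)
    return body + b"\x00" * max(0, size - len(body))

if __name__ == "__main__":
    print(check_string_pool_header(make_pool_header()))               # well-formed
    print(check_string_pool_header(make_pool_header(header_size=1)))  # as in the log
```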
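Follow-up
How to run CTS on models whose security patches are no longer maintained is something I feel can be discussed further later; there is not much point in looking at this one.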