Android11 AMS 死锁问题求助

堆栈信息

"Binder:25407_D" prio=5 tid=42 Blocked | group="main" sCount=1 dsCount=0 flags=1 obj=0x14341e60 self=0xb4003ffe7f87e3c0 | sysTid=26283 nice=0 cgrp=default sched=0/0 handle=0x3ffc8e189cc0 | state=S schedstat=( 381790950 53211910 2682 ) utm=23 stm=14 core=124 HZ=100 | stack=0x3ffc8e092000-0x3ffc8e094000 stackSize=995KB | held mutexes= at com.android.server.wm.ActivityTaskManagerService$LocalService.getTopApp(ActivityTaskManagerService.java:7220)

waiting to lock <0x05e9d6a0> (a com.android.server.wm.WindowManagerGlobalLock) held by thread 120 at com.android.server.am.ActivityManagerService.getTopAppLocked(ActivityManagerService.java:17932) at com.android.server.am.OomAdjuster.updateOomAdjLocked(OomAdjuster.java:405) at com.android.server.am.ActivityManagerService.updateOomAdjLocked(ActivityManagerService.java:18176) at com.android.server.am.BroadcastQueue.processNextBroadcastLocked(BroadcastQueue.java:1047) at com.android.server.am.ActivityManagerService.finishReceiver(ActivityManagerService.java:16870)
locked <0x09b5a5d1> (a com.android.server.am.ActivityManagerService) at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:2358) at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2880) at android.os.Binder.execTransactInternal(Binder.java:1159) at android.os.Binder.execTransact(Binder.java:1123)

"Binder:25407_F" prio=5 tid=120 Blocked | group="main" sCount=1 dsCount=0 flags=1 obj=0x13640700 self=0xb4003ffe7f8f9a70 | sysTid=26998 nice=0 cgrp=default sched=0/0 handle=0x3ffc47078cc0 | state=S schedstat=( 642065500 59367960 3956 ) utm=39 stm=24 core=118 HZ=100 | stack=0x3ffc46f81000-0x3ffc46f83000 stackSize=995KB | held mutexes= at com.android.server.am.ActivityManagerService.checkContentProviderAccess(ActivityManagerService.java:6829)

waiting to lock <0x09b5a5d1> (a com.android.server.am.ActivityManagerService) held by thread 42 at com.android.server.am.ActivityManagerService$LocalService.checkContentProviderAccess(ActivityManagerService.java:18962) at com.android.server.content.ContentService.registerContentObserver(ContentService.java:352) at android.content.IContentService$Stub.onTransact(IContentService.java:482) at android.os.Binder.execTransactInternal(Binder.java:1159) at android.os.Binder.execTransact(Binder.java:1123) at android.os.BinderProxy.transactNative(Native method) at android.os.BinderProxy.transact(BinderProxy.java:550) at android.app.IActivityController$Stub$Proxy.activityStarting(IActivityController.java:273) at com.android.server.wm.ActivityStarter.executeRequest(ActivityStarter.java:1034) at com.android.server.wm.ActivityStarter.execute(ActivityStarter.java:669)
locked <0x05e9d6a0> (a com.android.server.wm.WindowManagerGlobalLock) at com.android.server.wm.ActivityTaskManagerService.startActivityAsUser(ActivityTaskManagerService.java:1099) at com.android.server.wm.ActivityTaskManagerService.startActivityAsUser(ActivityTaskManagerService.java:1071) at com.android.server.wm.ActivityTaskManagerService.startActivity(ActivityTaskManagerService.java:1046) at android.app.IActivityTaskManager$Stub.onTransact(IActivityTaskManager.java:1422) at android.os.Binder.execTransactInternal(Binder.java:1154) at android.os.Binder.execTransact(Binder.java:1123)

xingda920813

20 天前

Android 12 修改了 ActivityTaskManagerService, 缓存了 mTopApp 的值, 从而在调用 ActivityTaskManagerService.getTopApp() 时不再需要获取 WindowManagerGlobalLock:

https://cs.android.com/android/platform/superproject/+/android-12.0.0_r33:frameworks/base/services/core/java/com/android/server/wm/ActivityTaskManagerService.java;bpv=0;bpt=0

相应的 Google Patch:

https://cs.android.com/android/_/android/platform/frameworks/base/+/8f7dd59911eef213c0d1b5db460f6e8114aeeea0

里面明确提到了改动是为了避免锁住 WindowManager.

如果没办法适配 Android 12, 那只能自己做 Patch 把 Android 12 的这部分改动尝试 pick 进 Android 11, 或者去掉 getTopApp() 里的 synchronized 块, 不过这样将不再线程安全.

xingda920813

17 天前

@honhon 这个 IActivityController 的实际实现者既不在 system_server 进程中 (从 IActivityController$Stub$Proxy 和 BinderProxy 可以看出), 在 AOSP 中也没找到. 应该是一个单独的 signature 权限的 APK, 运行在单独的进程中.

activityStarting() 调到 registerContentObserver() 是否合理要看这个 IActivityController 的具体实现, 可以在系统启动时在 ActivityTaskManagerService.setActivityController() 里面打个断点看看 Binder.getCallingPid() 是哪个 APK.

这个调用栈看上去是运行在 system_server 的 ActivityTaskManagerService 通过 Binder 远程调用到 IActivityController 的实现 APK, IActivityController 的实现代码又通过 Binder 远程调用到 ContentService.registerContentObserver(), 又回到了 system_server.