This post covers: analysis of Qualcomm camx process crashes of type "Pointer tag for 0x6772615474726f50 was truncated", part 1: caused by memory corruption or a memory leak.
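1. Problem background
During aging (burn-in) tests, the Qualcomm camx process crashed at low probability with "Pointer tag for 0x6772615474726f50 was truncated".
2. Problem analysis
2.1: Starting from the crash stack
The crash stack is shown below; the crash happens inside a destructor.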
Timestamp: 2025-07-16 03:57:11.922311437+0800
Process uptime: 0s
Cmdline: /vendor/bin/hw/vendor.qti.camera.provider-service_64
pid: 10742, tid: 10748, name: binder:10742_1  >>> /vendor/bin/hw/vendor.qti.camera.provider-service_64 <<<
uid: 1047
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'Pointer tag for 0x6772615474726f50 was truncated, see 'https://source.android.com/devices/tech/debug/tagged-pointers'.'
    x0  0000000000000000  x1  00000000000029fc  x2  0000000000000006  x3  000000786bbc12a0
    x4  60626d7471731f72  x5  60626d7471731f72  x6  60626d7471731f72  x7  7f7f7f7f7f7f7f7f
    x8  00000000000000f0  x9  7263f7e5ee8bf1dc  x10 000000ff00000020  x11 0000000000000000
    x12 000000006876b297  x13 000000007fffffff  x14 0000000003c63de6  x15 0000023c8cd8c2ee
    x16 00000078efdef818  x17 00000078efdd6b80  x18 000000786b1b8000  x19 00000000000029f6
    x20 00000000000029fc  x21 00000000ffffffff  x22 b4000077f35c4e00  x23 00000078462a8dee
    x24 00000078462b3ed2  x25 00000078462b1964  x26 00000078462a7c9a  x27 b4000077bb93dec0
    x28 0000007846494004  x29 000000786bbc1320
    lr  00000078efd714a8  sp  000000786bbc12a0  pc  00000078efd714cc  pst 0000000000001000

26 total frames
backtrace:
      #00 pc 00000000000854cc  /apex/com.android.runtime/lib64/bionic/libc.so (abort+160) (BuildId: cddb4a3e9dd8511821cfbd22aa0235dd)
      #01 pc 000000000005c56c  /apex/com.android.runtime/lib64/bionic/libc.so (free+112) (BuildId: cddb4a3e9dd8511821cfbd22aa0235dd)
      #02 pc 00000000014f77b4  /vendor/lib64/hw/camera.qcom.so (CamX::MetaBuffer::~MetaBuffer()+196) (BuildId: b3c450ebf580515e8ac4e6947d94bed5)
      #03 pc 00000000014f7374  /vendor/lib64/hw/camera.qcom.so (CamX::MetaBuffer::Destroy(int)+308) (BuildId: b3c450ebf580515e8ac4e6947d94bed5)
      #04 pc 0000000000125eac  /odm/lib64/libextensionlayer.so (ChiMetadata::DestroyInternal(bool)+60) (BuildId: 65d44ed97ef02d99c00b9700a4eb3e36)
      #05 pc 0000000000127de8  /odm/lib64/libextensionlayer.so (ChiMetadataManager::MetaClient::ReleaseBuffers()+488) (BuildId: 65d44ed97ef02d99c00b9700a4eb3e36)
      #06 pc 0000000000127b90  /odm/lib64/libextensionlayer.so (ChiMetadataManager::MetaClient::~MetaClient()+16) (BuildId: 65d44ed97ef02d99c00b9700a4eb3e36)
      #07 pc 000000000012a344  /odm/lib64/libextensionlayer.so (ChiMetadataManager::~ChiMetadataManager()+788) (BuildId: 65d44ed97ef02d99c00b9700a4eb3e36)
      #08 pc 00000000003eeee0  /vendor/lib64/hw/com.qti.chi.override.so (Usecase::DestroyObject(int)+1504) (BuildId: ce229eccca2b19b6dc661f694536cd3f)
      #09 pc 0000000000371e94  /vendor/lib64/hw/com.qti.chi.override.so (ExtensionModule::TeardownOverrideUsecase(camera3_device const*, int)+804) (BuildId: ce229eccca2b19b6dc661f694536cd3f)
      #10 pc 0000000000370b90  /vendor/lib64/hw/com.qti.chi.override.so (ExtensionModule::TeardownOverrideSession(camera3_device const*, unsigned long, void*)+1536) (BuildId: ce229eccca2b19b6dc661f694536cd3f)
      #11 pc 000000000005e2d8  /odm/lib64/libextensionlayer.so (ExtensionLayer::TeardownOverrideSession(camera3_device const*, unsigned long, void*)+504) (BuildId: 65d44ed97ef02d99c00b9700a4eb3e36)
      #12 pc 000000000073ac60  /vendor/lib64/hw/camera.qcom.so (CamX::HALDevice::Close()+304) (BuildId: b3c450ebf580515e8ac4e6947d94bed5)
      #13 pc 000000000071bb44  /vendor/lib64/hw/camera.qcom.so (CamX::close(hw_device_t*) (.2a583cbb45729b7a414d2432fcff0731.cfi)+1732) (BuildId: b3c450ebf580515e8ac4e6947d94bed5)
      #14 pc 0000000000728628  /vendor/lib64/hw/camera.qcom.so (CamX::close(hw_device_t*) (.cfi)+136) (BuildId: b3c450ebf580515e8ac4e6947d94bed5)
      #15 pc 00000000000223bc  /vendor/lib64/camx.device-impl.so (android::hardware::camera::device::implementation::CameraDeviceSession::close()+220) (BuildId: 5f6fe90ba4baa4b77d08d04687a8be82)
      #16 pc 00000000000221e8  /vendor/lib64/android.hardware.camera.device-V1-ndk.so (aidl::android::hardware::camera::device::_aidl_android_hardware_camera_device_ICameraDeviceSession_onTransact(AIBinder*, unsigned int, AParcel const*, AParcel*) (.cfi)+1728) (BuildId: 88eaf41d2152d28595c2850f1ddcb8aa)
      #17 pc 00000000000112dc  /system/lib64/libbinder_ndk.so (ABBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+176) (BuildId: d19f34426975486c4171b5c8fe41a80b)
      #18 pc 000000000004d144  /system/lib64/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+324) (BuildId: f0508b1abf9b5d1922746a2d74457eda)
      #19 pc 000000000004d9e8  /system/lib64/libbinder.so (android::IPCThreadState::executeCommand(int)+1140) (BuildId: f0508b1abf9b5d1922746a2d74457eda)
      #20 pc 00000000000637bc  /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+816) (BuildId: f0508b1abf9b5d1922746a2d74457eda)
      #21 pc 0000000000062fbc  /system/lib64/libbinder.so (android::PoolThread::threadLoop()+100) (BuildId: f0508b1abf9b5d1922746a2d74457eda)
      #22 pc 0000000000017464  /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+252) (BuildId: 9427b5708f5a8cc41550e82da211fb7f)
      #23 pc 0000000000019bd0  /system/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+24) (BuildId: 9427b5708f5a8cc41550e82da211fb7f)
      #24 pc 0000000000095e2c  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+184) (BuildId: cddb4a3e9dd8511821cfbd22aa0235dd)
      #25 pc 0000000000088648  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: cddb4a3e9dd8511821cfbd22aa0235dd)
2.2: Reading the stack
The abort message is clearly visible: Abort message: 'Pointer tag for 0x6772615474726f50 was truncated, see 'https://source.android.com/devices/tech/debug/tagged-pointers'.'
The pointer is invalid, so we symbolize the stack to see exactly where it crashes.
2.3: Symbolizing the stack
addr2line resolves the crash to the following code location:
~/log/vnd/out/target/product/vnd/symbols$ prebuilts/clang/host/linux-x86/clang-r510928/bin/llvm-addr2line -Cife vendor/lib64/hw/camera.qcom.so -Cfip 00000000014f77b4
CamX::MetaBuffer::MemoryRegion::Release() at vendor/qcom/proprietary/camx/src/core/camxmetabuffer.cpp:81 (discriminator 2)
 (inlined by) CamX::MetaBuffer::~MetaBuffer() at vendor/qcom/proprietary/camx/src/core/camxmetabuffer.cpp:2221 (discriminator 2)
2.4: Analyzing the code
The crash is on the line CAMX_DELETE[] m_pVaddr; (line 81, inlined into the destructor at line 2221).
vendor/qcom/proprietary/camx/src/core/camxmetabuffer.cpp

2210 MetaBuffer::~MetaBuffer()
2211 {
2212     for (vector<Link>::iterator pLink = m_metaBufferDependentLinks.begin();
2213          pLink != m_metaBufferDependentLinks.end(); ++pLink)
2214     {
2215         pLink->m_pMetaBuffer = NULL;
2216     }
2217
2218     for (vector<MemoryRegion>::iterator pRegion = m_memoryRegions.begin();
2219          pRegion != m_memoryRegions.end(); ++pRegion)
2220     {
2221         pRegion->Release();
2222     }
2223
2224     if (NULL != m_pMap)
2225     {
2226         CAMX_DELETE m_pMap;
2227         m_pMap = NULL;
2228     }
2229
2230     if (NULL != m_pMemoryRegionLock)
2231     {
2232         m_pMemoryRegionLock->Destroy();
2233         m_pMemoryRegionLock = NULL;
2234     }
2235
2236     if (NULL != m_pClientLock)
2237     {
2238         m_pClientLock->Destroy();
2239         m_pClientLock = NULL;
2240     }
2241
2242     if (NULL != m_pRWLock)
2243     {
2244         m_pRWLock->Destroy();
2245         m_pRWLock = NULL;
2246     }
2247
2248     m_metaBufferDependentLinks.clear();
2249     m_metaBufferDependentLinks.shrink_to_fit();
2250
2251     m_memoryRegions.clear();
2252     m_memoryRegions.shrink_to_fit();
2253
2254     m_metaBufferClients.clear();
2255     m_metaBufferClients.shrink_to_fit();
2256 }

  76 VOID MetaBuffer::MemoryRegion::Release()
  77 {
  78     if (NULL != m_pVaddr)
  79     {
  80         CAMX_ASSERT(0 < m_size);
  81         CAMX_DELETE[] m_pVaddr;
  82         m_pVaddr = NULL;
  83         m_size = 0;
  84     }
  85 }
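2.5: Conclusion
new and delete are not affected by the code flow. This is not a logic problem; it is clearly a bad pointer, caused either by memory corruption (a stray write) or by a memory leak.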
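As an added example (not part of the original post, and not CamX or bionic code), the C helper below triages the value from the abort message: it compares the top byte with the 0xb4 tag carried by x22 and x27 in the register dump (assumed here to be the process's heap tag) and decodes the eight bytes in little-endian memory order. The function names are hypothetical. For 0x6772615474726f50 the top byte is 0x67 and all eight bytes are printable ASCII ("PortTarg"), a pattern consistent with string data having been written over the pointer field.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the heap tag is 0xb4, as carried by x22/x27 in the dump. */
#define HEAP_TAG 0xb4u

/* Top byte of a 64-bit pointer, where the tag is stored. */
static unsigned top_byte(uint64_t p) { return (unsigned)(p >> 56); }

/* Simplified model of the tag comparison behind the abort message. */
static int has_heap_tag(uint64_t p) { return top_byte(p) == HEAP_TAG; }

/* Decode the 8 bytes in memory order (arm64 is little-endian) into out,
 * using '.' for non-printable bytes. Returns the number of printable bytes. */
static int decode_le_ascii(uint64_t p, char out[9])
{
    int printable = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(p >> (8 * i));
        int ok = isprint(b) != 0;
        out[i] = ok ? (char)b : '.';
        printable += ok;
    }
    out[8] = '\0';
    return printable;
}

/* 0 = carries the heap tag, 1 = wrong tag, 2 = wrong tag and pure ASCII. */
static int classify(uint64_t p)
{
    char text[9];
    if (has_heap_tag(p)) return 0;
    return decode_le_ascii(p, text) == 8 ? 2 : 1;
}

int main(void)
{
    const uint64_t samples[] = {
        0x6772615474726f50ULL, /* value from the abort message */
        0xb4000077f35c4e00ULL, /* x22 from the register dump */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char text[9];
        int n = decode_le_ascii(samples[i], text);
        printf("%#018llx tag=0x%02x ascii=\"%s\" (%d/8) class=%d\n",
               (unsigned long long)samples[i], top_byte(samples[i]),
               text, n, classify(samples[i]));
    }
    return 0;
}
```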
2.6: Analyzing the logs
Searching the logs shows the system was already out of memory (OOM), so we only need to fix the memory leak.
30708 30708 W [130171.185232]: CommonTask # 7: page allocation failure: order:0, mode:0x10800(GFP_NOWAIT|__GFP_NORETRY), nodemask=(null),cpuset=foreground,mems_allowed=0
23295 23295 W [130181.188925]kworker/X19: 4: page allocation failure: order:0, mode:0x10800(GFP_NOWAIT|__GFP_NORETRY), nodemask=(null),cpuset=/,mems_allowed=0
19416 19416 W [130191.214579]kworker/X19: 19: page allocation failure: order:0, mode:0x10800(GFP_NOWAIT|__GFP_NORETRY), nodemask=(null),cpuset=/,mems_allowed=0
30790 30790 E [130192.899382]kgsl: out of memory: only allocated 4Kb of 128Kb requested
32310 32310 W [130201.595205]kworker/X19: 21: page allocation failure: order:0, mode:0x10800(GFP_NOWAIT|__GFP_NORETRY), nodemask=(null),cpuset=/,mems_allowed=0
16999 16999 W [130212.108566]kworker/X19: 27: page allocation failure: order:0, mode:0x10800(GFP_NOWAIT|__GFP_NORETRY), nodemask=(null),cpuset=/,mems_allowed=0
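Stress testing the asan build at the same time showed that memory corruption is also present, and it is being fixed in parallel; see "hwasan case study of memory corruption, part 3: a heap-buffer-overflow on a [UINT32 variable] in the camx process".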