InputFlinger崩溃问题分析报告
Posted YYPapa
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了InputFlinger崩溃问题分析报告相关的知识,希望对你有一定的参考价值。
【NE现场】
DEBUG : pid: 2034, tid: 3409, name: InputReader >>> system_server <<< DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6fa1bc44 DEBUG : r0 4c37003b r1 746e6658 r2 718a8178 r3 6fa1bc40 DEBUG : r4 9de8234c r5 9fd0e884 r6 9de823c4 r7 9de822e0 DEBUG : r8 9fd0e88c r9 00000000 sl 00000420 fp 9de822e0 DEBUG : ip 9fd0e818 sp 9dcbe7c0 lr 9de82354 pc b6bed43a cpsr a0070030 DEBUG : DEBUG : backtrace: DEBUG : #00 pc 0002b43a /system/lib/libinputflinger.so (android::RawPointerData::copyFrom(android::RawPointerData const&)+99) DEBUG : #01 pc 00030ff9 /system/lib/libinputflinger.so (android::TouchInputMapper::processRawTouches(bool)+136) DEBUG : #02 pc 000315a1 /system/lib/libinputflinger.so (android::MultiTouchInputMapper::process(android::RawEvent const*)+6) DEBUG : #03 pc 0002a75b /system/lib/libinputflinger.so (android::InputDevice::process(android::RawEvent const*, unsigned int)+106) DEBUG : #04 pc 0002a7b7 /system/lib/libinputflinger.so (android::InputReader::processEventsForDeviceLocked(int, android::RawEvent const*, unsigned int)+70) DEBUG : #05 pc 0002a9c3 /system/lib/libinputflinger.so (android::InputReader::processEventsLocked(android::RawEvent const*, unsigned int)+50) DEBUG : #06 pc 0002aad7 /system/lib/libinputflinger.so (android::InputReader::loopOnce()+182) DEBUG : #07 pc 000274a3 /system/lib/libinputflinger.so (android::InputReaderThread::threadLoop()+8) DEBUG : #08 pc 0001006d /system/lib/libutils.so (android::Thread::_threadLoop(void*)+112) DEBUG : #09 pc 0005fbef /system/lib/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+70) DEBUG : #10 pc 0003f54f /system/lib/libc.so (__pthread_start(void*)+30) DEBUG : #11 pc 00019c2f /system/lib/libc.so (__start_thread+6)
这个问题在多个机型上出现过且概率较高。
由于每次调用栈都一样,且都是system_server的InputRead线程Crash,
且每次都是系统启动的时,Input系统初始化的时候挂掉的。
【问题分析】
用gdb分析core:
(gdb) bt #0 0xb6ba45b8 in android::RawPointerData::copyFrom ([email protected]=0xa9c88ae0, other=...) at frameworks/native/services/inputflinger/InputReader.cpp:1534 #1 0xb6baa17c in copyFrom (other=..., this=0xa9c88ad8) at frameworks/native/services/inputflinger/InputReader.h:1410 #2 android::TouchInputMapper::processRawTouches (this=0xa9c88800, timeout=<optimized out>) at frameworks/native/services/inputflinger/InputReader.cpp:3986 #3 0xb6baa724 in android::MultiTouchInputMapper::process (this=0xa9c88800, rawEvent=0xae9a0a58) at frameworks/native/services/inputflinger/InputReader.cpp:6488 #4 0xb6ba38dc in android::InputDevice::process (this=0x9df57bc0, [email protected]=0xae9a0908, count=0, [email protected]=15) at frameworks/native/services/inputflinger/InputReader.cpp:1065 #5 0xb6ba393a in android::InputReader::processEventsForDeviceLocked (this=0xae9a0800, deviceId=6, rawEvents=0xae9a0908, count=15) at frameworks/native/services/inputflinger/InputReader.cpp:523 #6 0xb6ba3b46 in android::InputReader::processEventsLocked ([email protected]=0xae9a0800, [email protected]=0xae9a0908, [email protected]=15) at frameworks/native/services/inputflinger/InputReader.cpp:358 #7 0xb6ba3c5a in android::InputReader::loopOnce (this=0xae9a0800) at frameworks/native/services/inputflinger/InputReader.cpp:307 #8 0xb6ba0624 in android::InputReaderThread::threadLoop (this=<optimized out>) at frameworks/native/services/inputflinger/InputReader.cpp:919 #9 0xb6f2f06e in android::Thread::_threadLoop (user=0x9dfcde40) at system/core/libutils/Threads.cpp:758 #10 0xb6e58d48 in android::AndroidRuntime::javaThreadShell (args=<optimized out>) at frameworks/base/core/jni/AndroidRuntime.cpp:1215 #11 0xb6d07550 in __pthread_start (arg=0x9dbba930, [email protected]=<error reading variable: value has been optimized out>) at bionic/libc/bionic/pthread_create.cpp:199 #12 0xb6ce1c30 in __start_thread (fn=<optimized out>, arg=<optimized out>) at bionic/libc/bionic/clone.cpp:41 #13 0x00000000 in ?? ()
查看源码,崩溃的地方是:
void RawPointerData::copyFrom(const RawPointerData& other) { pointerCount = other.pointerCount; hoveringIdBits = other.hoveringIdBits; touchingIdBits = other.touchingIdBits; for (uint32_t i = 0; i < pointerCount; i++) { pointers[i] = other.pointers[i]; int id = pointers[i].id; idToIndex[id] = other.idToIndex[id]; } }
这里挂掉,要么是other值有问题,要么是id值有问题。
(gdb) p &other $95 = (const android::RawPointerData *) 0x9ea21c18 (gdb) p id $96 = 1953391990
显然,是id值异常了。
这个问题在同样一个模块高概率出现,说明很可能这部分逻辑有问题,所以得分析代码流程。
走到它的上一级函数,查看这个other及id是怎么来的:
void TouchInputMapper::processRawTouches(bool timeout) { ... const size_t N = mRawStatesPending.size(); size_t count; for(count = 0; count < N; count++) { const RawState& next = mRawStatesPending[count]; ... mCurrentRawState.copyFrom(next); if (mCurrentRawState.when < mLastRawState.when) { mCurrentRawState.when = mLastRawState.when; } cookAndDispatch(mCurrentRawState.when); }
是从mRawStatesPending里面来的。继续往上推导,看这个mRawStatesPending是怎么来的:
void TouchInputMapper::sync(nsecs_t when) { const RawState* last = mRawStatesPending.isEmpty() ? &mCurrentRawState : &mRawStatesPending.top(); // Push a new state. mRawStatesPending.push(); RawState* next = &mRawStatesPending.editTop(); next->clear(); next->when = when; // Sync button state. next->buttonState = mTouchButtonAccumulator.getButtonState() | mCursorButtonAccumulator.getButtonState(); // Sync scroll next->rawVScroll = mCursorScrollAccumulator.getRelativeVWheel(); next->rawHScroll = mCursorScrollAccumulator.getRelativeHWheel(); mCursorScrollAccumulator.finishSync(); // Sync touch syncTouch(when, next); // Assign pointer ids. if (!mHavePointerIds) { assignPointerIds(last, next); } ... processRawTouches(false /*timeout*/); }
mRawStatesPending是个缓冲区,这里先调用push来获取一个RawState,并调用clear()来初始化RawState。
然后调用syncTouch()来对新的RawState赋值,crash的RawState就是这个新构建的RawState。
要看这个新的RawState如何被构建的,那得看syncTouch()的实现:
void MultiTouchInputMapper::syncTouch(nsecs_t when, RawState* outState) { size_t inCount = mMultiTouchMotionAccumulator.getSlotCount(); size_t outCount = 0; BitSet32 newPointerIdBits; for (size_t inIndex = 0; inIndex < inCount; inIndex++) { const MultiTouchMotionAccumulator::Slot* inSlot = mMultiTouchMotionAccumulator.getSlot(inIndex); if (!inSlot->isInUse()) { continue; } ... RawPointerData::Pointer& outPointer = outState->rawPointerData.pointers[outCount]; outPointer.x = inSlot->getX(); outPointer.y = inSlot->getY(); outPointer.pressure = inSlot->getPressure(); outPointer.touchMajor = inSlot->getTouchMajor(); outPointer.touchMinor = inSlot->getTouchMinor(); outPointer.toolMajor = inSlot->getToolMajor(); outPointer.toolMinor = inSlot->getToolMinor(); outPointer.orientation = inSlot->getOrientation(); outPointer.distance = inSlot->getDistance(); outPointer.tiltX = 0; outPointer.tiltY = 0; outPointer.toolType = inSlot->getToolType(); ... bool isHovering = mTouchButtonAccumulator.getToolType() != AMOTION_EVENT_TOOL_TYPE_MOUSE && (mTouchButtonAccumulator.isHovering() || (mRawPointerAxes.pressure.valid && inSlot->getPressure() <= 0)); outPointer.isHovering = isHovering; // Assign pointer id using tracking id if available. mHavePointerIds = true; int32_t trackingId = inSlot->getTrackingId(); int32_t id = -1; if (trackingId >= 0) { for (BitSet32 idBits(mPointerIdBits); !idBits.isEmpty(); ) { uint32_t n = idBits.clearFirstMarkedBit(); if (mPointerTrackingIdMap[n] == trackingId) { id = n; } } if (id < 0 && !mPointerIdBits.isFull()) { id = mPointerIdBits.markFirstUnmarkedBit(); mPointerTrackingIdMap[id] = trackingId; } } if (id < 0) { mHavePointerIds = false; outState->rawPointerData.clearIdBits(); newPointerIdBits.clear(); } else { outPointer.id = id; outState->rawPointerData.idToIndex[id] = outCount; outState->rawPointerData.markIdBit(id, isHovering); newPointerIdBits.markBit(id); } outCount += 1; } outState->rawPointerData.pointerCount = outCount; mPointerIdBits = newPointerIdBits; mMultiTouchMotionAccumulator.finishSync(); }
出问题的Pointer的具体值就是在这里赋值的,
从mMultiTouchMotionAccumulator里找到isInUse为true的时候就把对应slot里的内容拷贝给pointer里。
注意,我们关注的的id也是这里赋值的。
通过GDB对比mMultiTouchMotionAccumulator和最终Crash时候的Pointer.
(gdb) p mMultiTouchMotionAccumulator.mSlotCount
$71 = 10
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*0)
$81 = {
mInUse = true,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 0,
mAbsMTPositionY = 0,
mAbsMTTouchMajor = 11,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*1)
$82 = {
mInUse = true,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 483,
mAbsMTPositionY = 115,
mAbsMTTouchMajor = 8,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*2)
$83 = {
mInUse = true,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 0,
mAbsMTPositionY = 207,
mAbsMTTouchMajor = 10,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*3)
$84 = {
mInUse = true,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 641,
mAbsMTPositionY = 579,
mAbsMTTouchMajor = 9,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*4)
$85 = {
mInUse = true,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 435,
mAbsMTPositionY = 493,
mAbsMTTouchMajor = 7,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*5)
$86 = {
mInUse = true,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 0,
mAbsMTPositionY = 20,
mAbsMTTouchMajor = 0,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*6)
$87 = {
mInUse = true,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 598,
mAbsMTPositionY = 870,
mAbsMTTouchMajor = 3,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = 71,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*7)
$97 = {
mInUse = false,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 0,
mAbsMTPositionY = 0,
mAbsMTTouchMajor = 0,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*8)
$98 = {
mInUse = false,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 0,
mAbsMTPositionY = 0,
mAbsMTTouchMajor = 0,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
(gdb) p *(android::MultiTouchMotionAccumulator::Slot *) (0x9ed3fa00+sizeof(android::MultiTouchMotionAccumulator::Slot)*9)
$99 = {
mInUse = false,
mHaveAbsMTTouchMinor = false,
mHaveAbsMTWidthMinor = false,
mHaveAbsMTToolType = false,
mAbsMTPositionX = 0,
mAbsMTPositionY = 0,
mAbsMTTouchMajor = 0,
mAbsMTTouchMinor = 0,
mAbsMTWidthMajor = 0,
mAbsMTWidthMinor = 0,
mAbsMTOrientation = 0,
mAbsMTTrackingId = -1,
mAbsMTPressure = 0,
mAbsMTDistance = 0,
mAbsMTToolType = 0
}
可以看出,一共有10个slot,其中前7个是mInUse=true的。
对应Pointer的数据如下:
$89 = (const android::RawPointerData &) @0x9ea21c18: {
pointerCount = 7,
pointers = {{
id = 0,
x = 0,
y = 0,
pressure = 0,
touchMajor = 11,
touchMinor = 11,
toolMajor = 0,
toolMinor = 0,
orientation = 0,
distance = 0,
tiltX = 0,
tiltY = 0,
toolType = 1,
isHovering = false
}, {
id = 1953391990,
x = 483,
y = 115,
pressure = 0,
touchMajor = 8,
touchMinor = 8,
toolMajor = 0,
toolMinor = 0,
orientation = 0,
distance = 0,
tiltX = 0,
tiltY = 0,
toolType = 1,
isHovering = false
}, {
id = 0,
x = 0,
y = 207,
pressure = 0,
touchMajor = 10,
touchMinor = 10,
toolMajor = 0,
toolMinor = 0,
orientation = 0,
distance = 0,
tiltX = 0,
tiltY = 0,
toolType = 1,
isHovering = false
}, {
id = 0,
x = 641,
y = 579,
pressure = 0,
touchMajor = 9,
touchMinor = 9,
toolMajor = 0,
toolMinor = 0,
orientation = 0,
distance = 0,
tiltX = 0,
tiltY = 0,
toolType = 1,
isHovering = false
}, {
id = 0,
x = 435,
y = 493,
pressure = 0,
touchMajor = 7,
touchMinor = 7,
toolMajor = 0,
toolMinor = 0,
orientation = 0,
distance = 0,
tiltX = 0,
tiltY = 0,
toolType = 1,
isHovering = false
}, {
id = 0,
x = 0,
y = 20,
pressure = 0,
touchMajor = 0,
touchMinor = 0,
toolMajor = 0,
toolMinor = 0,
orientation = 0,
distance = 0,
tiltX = 0,
tiltY = 0,
toolType = 1,
isHovering = false
}, {
id = 0,
x = 598,
y = 870,
pressure = 0,
touchMajor = 3,
touchMinor = 3,
toolMajor = 0,
toolMinor = 0,
orientation = 0,
distance = 0,
tiltX = 0,
tiltY = 0,
toolType = 1,
isHovering = false
},
...
}},
hoveringIdBits = {
value = 0
},
touchingIdBits = {
value = 2147483648
},
idToIndex = {6, 0 <repeats 31 times>}
}
发现有效数据pointerCount刚好是7个,且数据也是非常相近。除了第二个Pinter里的id值,这个id值就是crash时的1953391990。
所以得重点看这个id是怎么来的,简化MultiTouchInputMapper::syncTouch():
void MultiTouchInputMapper::syncTouch(nsecs_t when, RawState* outState) { size_t inCount = mMultiTouchMotionAccumulator.getSlotCount(); size_t outCount = 0; BitSet32 newPointerIdBits; for (size_t inIndex = 0; inIndex < inCount; inIndex++) { const MultiTouchMotionAccumulator::Slot* inSlot = mMultiTouchMotionAccumulator.getSlot(inIndex); if (!inSlot->isInUse()) { continue; } ... // Assign pointer id using tracking id if available. mHavePointerIds = true; int32_t trackingId = inSlot->getTrackingId(); int32_t id = -1; if (trackingId >= 0) { for (BitSet32 idBits(mPointerIdBits); !idBits.isEmpty(); ) { uint32_t n = idBits.clearFirstMarkedBit(); if (mPointerTrackingIdMap[n] == trackingId) { id = n; } } if (id < 0 && !mPointerIdBits.isFull()) { id = mPointerIdBits.markFirstUnmarkedBit(); mPointerTrackingIdMap[id] = trackingId; } } if (id < 0) { mHavePointerIds = false; outState->rawPointerData.clearIdBits(); newPointerIdBits.clear(); } else { outPointer.id = id; outState->rawPointerData.idToIndex[id] = outCount; outState->rawPointerData.markIdBit(id, isHovering); newPointerIdBits.markBit(id); } outCount += 1; } outState->rawPointerData.pointerCount = outCount; mPointerIdBits = newPointerIdBits; mMultiTouchMotionAccumulator.finishSync(); }
从代码中可以看出,当我们trackingId为负值时,这里不会更新id值!
而我们从其上一级函数的语义可以看出来,这里的outState里的初始值都是无效的。
而我们mMultiTouchMotionAccumulator的前6个trackingId都是-1,也就是说前6个都不会更新id。
对比SingleTouchInputMapper::syncTouch()里是有对id赋初值的。
void SingleTouchInputMapper::syncTouch(nsecs_t when, RawState* outState) { ... RawPointerData::Pointer& outPointer = outState->rawPointerData.pointers[0]; outPointer.id = 0; outPointer.x = mSingleTouchMotionAccumulator.getAbsoluteX(); outPointer.y = mSingleTouchMotionAccumulator.getAbsoluteY(); outPointer.pressure = mSingleTouchMotionAccumulator.getAbsolutePressure(); outPointer.touchMajor = 0; ... outPointer.isHovering = isHovering; } }
很可能就是这里的问题了,看起来是Android原生问题。为此去查Android的gerrit,发现确实有在这里做了修改。
【解决方案】
https://android-review.googlesource.com/#/c/174790/
只不过它的改法不是简单的赋初值,它的逻辑如下:
void MultiTouchInputMapper::syncTouch(nsecs_t when, RawState* outState) { size_t inCount = mMultiTouchMotionAccumulator.getSlotCount(); size_t outCount = 0; BitSet32 newPointerIdBits; bool needRecomputePointerIds = false; for (size_t inIndex = 0; inIndex < inCount; inIndex++) { const MultiTouchMotionAccumulator::Slot* inSlot = mMultiTouchMotionAccumulator.getSlot(inIndex); if (!inSlot->isInUse()) { continue; } ... // Assign pointer id using tracking id if available. mHavePointerIds = true; int32_t trackingId = inSlot->getTrackingId(); int32_t id = -1; if (trackingId >= 0) { for (BitSet32 idBits(mPointerIdBits); !idBits.isEmpty(); ) { uint32_t n = idBits.clearFirstMarkedBit(); if (mPointerTrackingIdMap[n] == trackingId) { id = n; } } if (id < 0 && !mPointerIdBits.isFull()) { id = mPointerIdBits.markFirstUnmarkedBit(); mPointerTrackingIdMap[id] = trackingId; } } if (id < 0) { needRecomputePointerIds = true; //mHavePointerIds = false; outState->rawPointerData.clearIdBits(); newPointerIdBits.clear(); } else { outPointer.id = id; outState->rawPointerData.idToIndex[id] = outCount; outState->rawPointerData.markIdBit(id, isHovering); newPointerIdBits.markBit(id); } outCount += 1; } if (needRecomputePointerIds) { mHavePointerIds = false; } outState->rawPointerData.pointerCount = outCount; mPointerIdBits = newPointerIdBits; mMultiTouchMotionAccumulator.finishSync(); }
原先的逻辑里,最后一个slot的id>0,mHavePointerIds值就是true。
修改后的逻辑是,只要有一个id<0也就是trackingId为负数,则mHavePointerIds值是false。
对应我们的case,最后一个slot,其trackingId是74,这里对应的mHavePointerIds就是true了。
而如果按照修改后的逻辑,这里mHavePointerIds应该就是false了。
这个mHavePointerIds有啥用呢?
void TouchInputMapper::sync(nsecs_t when) { const RawState* last = mRawStatesPending.isEmpty() ? &mCurrentRawState : &mRawStatesPending.top(); // Push a new state. mRawStatesPending.push(); RawState* next = &mRawStatesPending.editTop(); next->clear(); next->when = when; ... // Sync touch syncTouch(when, next); // Assign pointer ids. if (!mHavePointerIds) { assignPointerIds(last, next); } ... processRawTouches(false /*timeout*/); }
syncTouch()后会判断mHavePointerIds,如果是false,则重新分配id。
这样就不会出现crash了。
以上是关于InputFlinger崩溃问题分析报告的主要内容,如果未能解决你的问题,请参考以下文章
Android - 应用程序启动时片段 onCreate 崩溃
每当我运行我的片段时,这行代码 mapFragment.setRetainInstance(true);正在崩溃我的应用程序? [关闭]