修改系統(tǒng)代碼如下

xiabo@VM-DEV:~/android-q/system/core/rootdir$ git diff 
diff --git a/init/property_service.cpp b/init/property_service.cpp
index f2c7462..ef8e800 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -742,6 +742,23 @@ static void load_override_properties() {
     }
 }
 
+static int check_rlim_action() {
+ struct rlimit rl;
+ std::string value = android::base::GetProperty("persist.debug.trace", "");
+
+ if(value == "1") {
+ rl.rlim_cur = RLIM_INFINITY;
+ rl.rlim_max = RLIM_INFINITY;
+ if (setrlimit(RLIMIT_CORE, &rl) < 0) {
+ PLOG(ERROR) << "could not enable core file generation";
+ } else {
+ PLOG(INFO) << "setrlimit success";
+ }
+ }
+ PLOG(INFO) << "setrlimit persist.debug.trace " << value;
+ return 0;
+}
+
 /* When booting an encrypted system, /data is not mounted when the
  * property service is started, so any properties stored there are
  * not loaded. Vold triggers init to load these properties once it
@@ -767,6 +784,7 @@ void load_persist_props(void) {
     }
     persistent_properties_loaded = true;
     property_set("ro.persistent_properties.ready", "true");
+ check_rlim_action();
 }
 
 // If the ro.product.[brand|device|manufacturer|model|name] properties have not been explicitly
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 893998c..1605a2f 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -848,3 +848,8 @@ on property:ro.debuggable=1
 service flash_recovery /system/bin/install-recovery.sh
     class main
     oneshot
+
+# corefile limit
+on property:persist.debug.trace=1
+ mkdir /data/core 0777 root root
+ write /proc/sys/kernel/core_pattern "/data/core/%E.%p.%e"

diff --git a/runtime/native/dalvik_system_ZygoteHooks.cc b/runtime/native/dalvik_system_ZygoteHooks.cc
index de28c28..706c0c9 100644
--- a/runtime/native/dalvik_system_ZygoteHooks.cc
+++ b/runtime/native/dalvik_system_ZygoteHooks.cc
@@ -44,6 +44,8 @@
 #include "thread_list.h"
 #include "trace.h"
 
+#include <sys/prctl.h>
+
 #include <sys/resource.h>
 
 namespace art {
@@ -235,6 +237,22 @@ static uint32_t EnableDebugFeatures(uint32_t runtime_flags) {
     runtime_flags &= ~DEBUG_GENERATE_DEBUG_INFO;
   }
 
+
+ rlimit rl;
+ rl.rlim_cur = 0;
+ char prop_value[1024];
+ prop_value[0] = '1';
+ // property_get("persist.debug.trace", prop_value, "0");
+ if (prop_value[0] == '1') {
+ LOG(INFO) << "setting RLIM to infinity for process " << getpid();
+ rl.rlim_cur = RLIM_INFINITY;
+ } else {
+ rl.rlim_cur = 0;
+ }
+ rl.rlim_max = RLIM_INFINITY;
+ if (setrlimit(RLIMIT_CORE, &rl) == -1) {
+ LOG(ERROR) << "setrlimit(RLIMIT_CORE) failed for pid " << getpid();
+ }
   return runtime_flags;
 }

重新編譯系統(tǒng)后荐吵，刷入boot.img與system.img
通過設(shè)置屬性
setprop persist.debug.trace 1
關(guān)閉selinux
setenforce 0
來打開coredump
通過kill -6 pid 觸發(fā)coredump,成功后會在/data/core/ 目錄下生成相應(yīng)的coredump文件膘壶，將文件導(dǎo)入ida后開始分析