Android virtual machine internals

Android VM Internals
JVM, Dalvik, Art
By: Shaul Rosenzweig

What are JVM and Dalvik?
Java Virtual machines:
An abstract computing machines that enable
running of a Java program.

What is Art?
Application runtime environment that translates
application bytecode into native instructions, that
are later executed by it.

Java Virtual Machine
● Interprets Java bytecode instructions
● Stack based
● Stack based easy to interpret on many architectures
● Classloader loads, verifies, resolves and links .class files which contain
instructions on runtime
● Byte long opcodes, out of 255 possible, 198 are in use
● Many languages can be compiled to Java bytecode

Dalvik
● Class library based on Apache Harmony JVM, not Oracle JVM
● Developed by Dan Borenstein along with Android, named after town in
Iceland
● Register based: optimized for ARM platformance
● Low memory footprint, optimized for running several instances at the same
time
● .class files are compiled into .dx, resolved and merged into .dex files compile
time
● Longer instructions, less of them
● JIT added in Froyo (2.2) to improve performance
● JIT saves ODEX files in /data/dalvik-cache

Art
● Previewed in KitKat, replaced Dalvik in Lollipop
● No more JIT, uses AOT compilation
● Lower memory footprint, more disk used
● Same input bytecodes (DEX) as Dalvik, compiled into native (elf) executables
● Improved GC, power consumption and performance
● Art files: memory mapping is currently fixed (defeating ASLR)
● Not really 64 bit, VM architecture is 32 bit, getting there
● Art format constantly changing, undocumented and proprietary
● Supports ARM, ARM_64, x86 and Mips

Bytecode example: prep
private static int calculate() {
int ret = -321;
for(int i = 0; i < 10000 ; i++) {
ret += i%5;
}
return ret;
}
> javac -target 1.7 -source 1.7 Test.java
> dx --dex --output="Test.dex" "Test.class"
> r2 Test.class
> r2 Test.dex

Java bytecode
sipush 0xfebf
istore_0
iconst_0
istore_1
iload_1
sipush 0x2710
if_icmpge 0x02b6
iload_0
iload_1
iconst_5
irem
iadd
istore_0
iinc 1 1
goto 0x02a3
iload_0
ireturn
const/16 v1, 0xfebf
const/4 v0, 0
const/16 v2, 0x2710
if-ge v0, v2, 0x1f2
rem-int/lit8 v2, v0, 0x5
add-int/2addr v1, v2
add-int/lit8 v0, v0, 0x1
goto 0x000001de
return v1
DEX bytecode

╒ (fcn) sym.Test.calculate 27
│ 0x0000029d 11febf sipush 65215 ; push short -321 to stack
│ 0x000002a0 3b istore_0 ; store stack value to int0
│ 0x000002a1 03 iconst_0 ; load value 0 to stack
│ 0x000002a2 3c istore_1 ; store to int1
│ ┌─> 0x000002a3 1b iload_1 ; push value of int1 to stack
│ │ 0x000002a4 112710 sipush 10000 ; push constant 10000 to stack
│ ┌──< 0x000002a7 a2000f if_icmpge 0x02b6 ; if top stack values >= goto add│
│ ││ 0x000002aa 1a iload_0 ; load int0 into stack
│ ││ 0x000002ab 1b iload_1 ; load int1 into stack
│ ││ 0x000002ac 08 iconst_5 ; load const 5 into stack
│ ││ 0x000002ad 70 irem ; reminder of topmost two and push
│ ││ 0x000002ae 60 iadd ; add topmost two and push
│ ││ 0x000002af 3b istore_0 ; store to int0
│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
│ │└─< 0x000002b3 a7fff0 goto 0x02a3 ; back to start of loop
│ └──> 0x000002b6 1a iload_0 ; load int0 into stack
╘ 0x000002b7 ac ireturn ; return value on stack
-321
Operand stackVariables Operations:
Push -321 to operand stack

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Int0 = -321
Variables Operand stack Operations:
Pop topmost value on stack
and assign to int0

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
0
Int0 = -321
Push 0 to stack

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Int0 = -321
Int1 = 0
Pop from stack and assign
to Int1

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
0
Int0 = -321
Int1 = 0
Push int1 to stack

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
10000
0
Int0 = -321
Int1 = 0
Push constant 10000 to
stack

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Int0 = -321
Int1 = 0
Pop two values from stack
(0 and 10000), compare
them, if true jump to 0x02b6

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
-321
Int0 = -321
Int1 = 0
Push int0 into stack

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
0
-321
Int0 = -321
Int1 = 0

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
5
0
-321
Int0 = -321
Int1 = 0
Push constant 5 into stack

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
0
-321
Int0 = -321
Int1 = 0
(0 and 5), calculate modulo
and push to stack (0)

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
-321
Int0 = -321
Int1 = 0
(0 and -321), add them and
push the result into stack

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Int0 = -321
Int1 = 0
Pop topmost value from
stack and store into int0

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Int0 = -321
Int1 = 1
Increment int1 by 1

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Int0 = -321
Int1 = 1
Goto 0x2a3

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Value of int0
Int0 = {calculated in loop}
Int1 = 10000 {break condition}

│ ││ 0x000002b0 840101 iinc 1 1 ; int1++
Value of int0
Int0 = {calculated in loop}
Int1 = 10000 {break condition}
Return topmost value on the
stack

╒ (fcn) sym.static.Calculate.LTest_.Calculate.calculate 28
│ ; CALL XREF from 0x0000021e (entry0)
│ 0x000001d8 1301bffe const/16 v1, 0xfebf ;ret = -321
│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
│ ┌──< 0x000001e2 35200800 if-ge v0, v2, 0x1f2 ; if (gt) goto 0x1f2
│ ││ 0x000001e6 dc020005 rem-int/lit8 v2, v0, 0x5 ; v2 = i % 5
│ ││ 0x000001ea b021 add-int/2addr v1, v2 ; ret += v2
│ ││ 0x000001ec d8000001 add-int/lit8 v0, v0, 0x1 ; i++
│ │└─< 0x000001f0 28f7 goto 0x000001de ; goto start of loop
╘ └──> 0x000001f2 0f01 return v1 ; return ret;
Registers
V1 = -321
Operations:
Assign value -321 to register v1

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers:
V1 = -321
V0 = 0
Operations:
Assign value 0 to register v1

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers
V1 = -321
V0 = 0
V2 = 10000
Operations:
Assign value 10000 to register v2

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers
V1 = -321
V0 = 0
V2 = 10000
Operations:
If v2 is greater than v0, jump to
0x01f2

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers
V1 = -321
V0 = 0
V2 = 0
Operations:
Calculate v0 modulo constant 5
and store result into register v2

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers
V1 = -321
V0 = 0
V2 = 0
Operations:
Add values of V1 and V2 and store
the result into V1

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers
V1 = -321
V0 = 1
V2 = 0
Operations:
Increment value of V0 by 1

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers
V1 = -321
V0 = 1
V2 = 0
Operations:
Jump to 0x01de

│ 0x000001dc 1200 const/4 v0, 0 ;i = 0
│ ┌─> 0x000001de 13021027 const/16 v2, 0x2710 ; 10000
Registers
V1 = {calculated value}
V0 = 10000
V2 = {calculated value}
Operations:
Return value of v1

More
● Java bytecode: https://en.wikipedia.org/wiki/Java_bytecode_instruction_listings
● DEX bytecode: https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
● Radare2: http://rada.re/r/
○ https://play.google.com/store/apps/details?id=org.radare2.installer&hl=en
○ https://www.gitbook.com/book/radare/radare2book/details
○ https://www.gitbook.com/book/monosource/radare2-explorations/details
● IDA pro: https://www.hex-rays.com/products/ida/
● Dextra, new DEX decompiler: http://newandroidbook.com/tools/dextra.html
● Dan Borenstein, I/O ‘08: https://www.youtube.com/watch?v=ptjedOZEXPM
● I/O 2014 ART talk: https://www.youtube.com/watch?v=EBlTzQsUoOw

Android virtual machine internals

Recommended

Recommended

More Related Content

Similar to Android virtual machine internals

Similar to Android virtual machine internals (20)

More from Shaul Rosenzwieg

More from Shaul Rosenzwieg (8)

Recently uploaded

Recently uploaded (20)

Android virtual machine internals