google / sanitizers

AddressSanitizer, ThreadSanitizer, MemorySanitizer

AddressSanitizer tool on Android 6.0.1 #698

Closed dragonltx closed 6 years ago

dragonltx commented 8 years ago

According to the link below, I built the whole Android 6.0.1_r46 system, but it seems AddressSanitizer can't work. https://source.android.com/devices/tech/debug/asan.html#sanitize_target

The above link mentions 2 build commands, so I built my Android 6.0.1_r46 source code with the commands below:

```
make -j16
make USE_CLANG_PLATFORM_BUILD:=true SANITIZE_TARGET=address -j16
```

The build succeeded, but after I flashed both the userdata and system images to my device, I can't find the '/data/lib' path; I also can't find the path '/system/lib/asan' on the device.

Can this tool work on Android 6.0.1, and how do I make it work?

eugenis commented 8 years ago

What's your lunch target? Are there libraries in $ANDROID_PRODUCT_OUT/data/lib? Some targets don't build userdata.img (or build a fake one).


dragonltx commented 8 years ago

My lunch target is 21:aosp_shamu-userdebug.

There aren't any libraries in $ANDROID_PRODUCT_OUT/data/lib.

eugenis commented 8 years ago

Could you try the master branch? I could not start the build on 6.0.1_r46 because of unrelated issues, but master seems to work fine.


dragonltx commented 8 years ago

OK! Let me have a try and feed back!

dragonltx commented 8 years ago

I tested the master branch:

`make -j16`: success

`make USE_CLANG_PLATFORM_BUILD:=true SANITIZE_TARGET=address -j16`:

```
system/core/libcutils/fs_config.c:223: error: undefined reference to '__ubsan_handle_sub_overflow'
system/core/libcutils/fs_config.c:64: error: undefined reference to '__ubsan_handle_shift_out_of_bounds'
system/core/libcutils/fs_config.c:65: error: undefined reference to '__ubsan_handle_shift_out_of_bounds'
system/core/libcutils/fs_config.c:194: error: undefined reference to '__ubsan_handle_sub_overflow'
system/core/libcutils/fs_config.c:195: error: undefined reference to '__ubsan_handle_sub_overflow'
system/core/libcutils/fs_config.c:273: error: undefined reference to '__ubsan_handle_add_overflow'
system/core/libcutils/fs_config.c:273: error: undefined reference to '__ubsan_handle_add_overflow'
system/core/libcutils/fs_config.c:273: error: undefined reference to '__ubsan_handle_add_overflow'
system/core/libcutils/fs_config.c:64: error: undefined reference to '__ubsan_handle_shift_out_of_bounds'
system/core/libcutils/fs_config.c:65: error: undefined reference to '__ubsan_handle_shift_out_of_bounds'
system/core/libcutils/canned_fs_config.c:76: error: undefined reference to '__ubsan_handle_add_overflow'
system/core/libcutils/canned_fs_config.c:58: error: undefined reference to '__ubsan_handle_mul_overflow'
system/core/libcutils/canned_fs_config.c:59: error: undefined reference to '__ubsan_handle_mul_overflow'
system/core/libcutils/hashmap.c:54: error: undefined reference to '__ubsan_handle_mul_overflow'
system/core/libcutils/hashmap.c:101: error: undefined reference to '__ubsan_handle_sub_overflow'
system/core/libcutils/hashmap.c:106: error: undefined reference to '__ubsan_handle_mul_overflow'
system/core/libcutils/sched_policy.c:283: error: undefined reference to '__ubsan_handle_negate_overflow'
system/core/libcutils/sched_policy.c:363: error: undefined reference to '__ubsan_handle_negate_overflow'
system/core/libcutils/fs.c:217: error: undefined reference to '__ubsan_handle_negate_overflow'
system/core/libcutils/fs.c:197: error: undefined reference to '__ubsan_handle_negate_overflow'
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
[  0% 5/20396] cc out/soong/.intermedi...ternal/google-benchmark/src/walltime.o
ninja: build stopped: subcommand failed.
make: *** [ninja_wrapper] Error 1
```

Do you have any ideas?

dragonltx commented 8 years ago

```
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=6.0.1
TARGET_PRODUCT=aosp_shamu
TARGET_BUILD_VARIANT=userdebug
TARGET_BUILD_TYPE=release
TARGET_BUILD_APPS=
TARGET_ARCH=arm
TARGET_ARCH_VARIANT=armv7-a-neon
TARGET_CPU_VARIANT=krait
TARGET_2ND_ARCH=
TARGET_2ND_ARCH_VARIANT=
TARGET_2ND_CPU_VARIANT=
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-3.13.0-24-generic-x86_64-with-Ubuntu-14.04-trusty
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=MASTER
OUT_DIR=out
```

eugenis commented 8 years ago

Yes, that looks familiar. This was broken last week and fixed on Friday in https://android-review.googlesource.com/#/c/248512/. Please sync and try again :)


dragonltx commented 8 years ago

I synced and built with `make USE_CLANG_PLATFORM_BUILD:=true SANITIZE_TARGET=address -j16`, and it succeeded!

But the crash stack from logcat looks like the version built without ASan:

```
01-01 04:05:14.447 11674 11679 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x13160 in tid 11679 (le.h264.decoder)
01-01 04:05:14.449   270   270 W         : debuggerd: handling request: pid=11674 uid=2000 gid=2000 tid=11679
01-01 04:05:14.464 11687 11687 W debuggerd: type=1400 audit(0.0:18067): avc: denied { search } for name="tmp" dev="dm-1" ino=1068962 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=0
01-01 04:05:14.484 11687 11687 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-01 04:05:14.486 11687 11687 F DEBUG   : Build fingerprint: 'Android/aosp_shamu/shamu:6.0.1/MASTER/dragon07190128:userdebug/test-keys'
01-01 04:05:14.486 11687 11687 F DEBUG   : Revision: '0'
01-01 04:05:14.487 11687 11687 F DEBUG   : ABI: 'arm'
01-01 04:05:14.488 11687 11687 F DEBUG   : pid: 11674, tid: 11679, name: le.h264.decoder  >>> ./stagefright <<<
01-01 04:05:14.488 11687 11687 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x13160
01-01 04:05:14.488 11687 11687 F DEBUG   :     r0 b58811a4  r1 00000058  r2 00000006  r3 b6d433f6
01-01 04:05:14.489 11687 11687 F DEBUG   :     r4 b498060c  r5 00000001  r6 b6d43444  r7 00000b06
01-01 04:05:14.489 11687 11687 F DEBUG   :     r8 00013000  r9 00000003  sl fffffffe  fp 00000001
01-01 04:05:14.489 11687 11687 F DEBUG   :     ip 00000024  sp b5881190  lr b498060e  pc b6d18764  cpsr 000f0030
01-01 04:05:14.555 11687 11687 F DEBUG   :
01-01 04:05:14.555 11687 11687 F DEBUG   : backtrace:
01-01 04:05:14.555 11687 11687 F DEBUG   :     #00 pc 00028764  /system/lib/libstagefright_soft_avcdec.so (ih264d_cavlc_4x4res_block_totalcoeff_2to10+715)
01-01 04:05:14.555 11687 11687 F DEBUG   :     #01 pc 000292b9  /system/lib/libstagefright_soft_avcdec.so (ih264d_cavlc_parse4x4coeff_n8+108)
01-01 04:05:14.555 11687 11687 F DEBUG   :     #02 pc 00029795  /system/lib/libstagefright_soft_avcdec.so (ih264d_cavlc_parse_8x8block_both_available+336)
01-01 04:05:14.555 11687 11687 F DEBUG   :     #03 pc 0002a0db  /system/lib/libstagefright_soft_avcdec.so (ih264d_parse_residual4x4_cavlc+494)
01-01 04:05:14.555 11687 11687 F DEBUG   :     #04 pc 00018ed3  /system/lib/libstagefright_soft_avcdec.so (ih264d_parse_pmb_cavlc+1466)
01-01 04:05:14.555 11687 11687 F DEBUG   :     #05 pc 00019a79  /system/lib/libstagefright_soft_avcdec.so (ih264d_parse_inter_slice_data_cavlc+754)
01-01 04:05:14.555 11687 11687 F DEBUG   :     #06 pc 00027bc1  /system/lib/libstagefright_soft_avcdec.so (ih264d_parse_decode_slice+2756)
01-01 04:05:14.556 11687 11687 F DEBUG   :     #07 pc 0001fc2b  /system/lib/libstagefright_soft_avcdec.so (ih264d_parse_nal_unit+118)
01-01 04:05:14.556 11687 11687 F DEBUG   :     #08 pc 0000c337  /system/lib/libstagefright_soft_avcdec.so (ih264d_video_decode+1210)
01-01 04:05:14.556 11687 11687 F DEBUG   :     #09 pc 0000ae2d  /system/lib/libstagefright_soft_avcdec.so (android::SoftAVC::onQueueFilled(unsigned int)+504)
01-01 04:05:14.556 11687 11687 F DEBUG   :     #10 pc 00021ccd  /system/lib/libstagefright_omx.so (android::SimpleSoftOMXComponent::onMessageReceived(android::sp<android::AMessage> const&)+272)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #11 pc 00022c9f  /system/lib/libstagefright_omx.so (android::AHandlerReflector<android::SimpleSoftOMXComponent>::onMessageReceived(android::sp<android::AMessage> const&)+50)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #12 pc 0000b5f1  /system/lib/libstagefright_foundation.so (android::AHandler::deliverMessage(android::sp<android::AMessage> const&)+24)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #13 pc 0000d89b  /system/lib/libstagefright_foundation.so (android::AMessage::deliver()+62)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #14 pc 0000c225  /system/lib/libstagefright_foundation.so (android::ALooper::loop()+568)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #15 pc 0000d9e9  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+152)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #16 pc 000486c3  /system/lib/libc.so (__pthread_start(void*)+22)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #17 pc 0001a1cf  /system/lib/libc.so (__start_thread+6)
```

Not like this with ASan:

```
==14639==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaef03b32 at pc 0xb35b8bc0 bp 0xae3d9808 sp 0xae3d9804
WRITE of size 1 at 0xaef03b32 thread T5
    #0 0xb35b8bbf in ih264d_decode_recon_tfr_nmb_thread external/libavc/decoder/ih264d_thread_parse_decode.c:388
    #1 0xb35b917f in ih264d_decode_slice_thread external/libavc/decoder/ih264d_thread_parse_decode.c:585
    #2 0xb35b9603 in ih264d_decode_picture_thread external/libavc/decoder/ih264d_thread_parse_decode.c:602
    #3 0xb4ff1adf in __pthread_start(void*) bionic/libc/bionic/pthread_create.cpp:200
    #4 0xb4fc44bb in __start_thread bionic/libc/bionic/clone.cpp:41

0xaef03b32 is located 0 bytes to the right of 690-byte region [0xaef03880,0xaef03b32)
allocated by thread T3 (le.h264.decoder) here:
    #5 0xb5d1f3d3 in malloc_stats ??:?
    #6 0xb357fe3b in ih264d_allocate_dynamic_bufs external/libavc/decoder/ih264d_utils.c:1869
    #7 0xb357ed13 in ih264d_init_pic external/libavc/decoder/ih264d_utils.c:825
    #8 0xb3596c9f in
```

Am I doing something wrong?

And which binary (https://developers.google.com/android/nexus/drivers#shamumob30o) do you build with the master branch?
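The two crash outputs above differ in kind, not just in detail: the first is a plain debuggerd tombstone whose top frame comes from `/system/lib/`, the second is an AddressSanitizer report. The following Python script is an added example (not code from this thread or from the sanitizers project) that triages a logcat excerpt along exactly that line: it recognises an ASan report header and extracts the bug class and access, and for a tombstone it reports which library the faulting frame was in and whether that library was loaded from an ASan library directory. The sample logs are constructed from trimmed excerpts of the reports above; `/data/lib` and `/system/lib/asan` are the paths named in this thread, and the `lib64` variants are an assumption for 64-bit targets.

```python
"""Triage a crash from logcat: is it an AddressSanitizer report, or a plain
debuggerd tombstone whose faulting library came from an uninstrumented path?"""
import re

# Constructed sample logs, trimmed from the two reports posted in this thread.
TOMBSTONE_LOG = """\
01-01 04:05:14.447 11674 11679 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x13160 in tid 11679 (le.h264.decoder)
01-01 04:05:14.488 11687 11687 F DEBUG   : pid: 11674, tid: 11679, name: le.h264.decoder  >>> ./stagefright <<<
01-01 04:05:14.555 11687 11687 F DEBUG   : backtrace:
01-01 04:05:14.555 11687 11687 F DEBUG   :     #00 pc 00028764  /system/lib/libstagefright_soft_avcdec.so (ih264d_cavlc_4x4res_block_totalcoeff_2to10+715)
01-01 04:05:14.555 11687 11687 F DEBUG   :     #01 pc 000292b9  /system/lib/libstagefright_soft_avcdec.so (ih264d_cavlc_parse4x4coeff_n8+108)
01-01 04:05:14.557 11687 11687 F DEBUG   :     #16 pc 000486c3  /system/lib/libc.so (__pthread_start(void*)+22)
"""

ASAN_LOG = """\
==14639==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaef03b32 at pc 0xb35b8bc0 bp 0xae3d9808 sp 0xae3d9804
WRITE of size 1 at 0xaef03b32 thread T5
    #0 0xb35b8bbf in ih264d_decode_recon_tfr_nmb_thread external/libavc/decoder/ih264d_thread_parse_decode.c:388
    #1 0xb35b917f in ih264d_decode_slice_thread external/libavc/decoder/ih264d_thread_parse_decode.c:585
"""

ASAN_HEADER = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
ASAN_ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
# debuggerd frames: "#00 pc 00028764  /system/lib/libfoo.so (symbol+off)"
TOMBSTONE_FRAME = re.compile(r"#(?P<n>\d{2}) pc [0-9a-fA-F]+\s+(?P<lib>/\S+)")
SIGNAL_LINE = re.compile(r"Fatal signal (?P<sig>\d+) \((?P<name>\w+)\)")
# Where an AOSP SANITIZE_TARGET=address build puts instrumented system
# libraries, per the thread (/data/lib, /system/lib/asan); the lib64 forms
# are assumed for 64-bit targets.
ASAN_LIB_DIRS = ("/data/lib/", "/data/lib64/", "/system/lib/asan/", "/system/lib64/asan/")


def triage(log: str) -> dict:
    """Classify one crash log.

    ASan report  -> bug class, faulting address and the access that hit it.
    Tombstone    -> signal, the library of the top frame, and whether that
                    library was loaded from an ASan directory, i.e. whether the
                    crashing code was instrumented at all."""
    m = ASAN_HEADER.search(log)
    if m:
        a = ASAN_ACCESS.search(log)
        return {
            "report": "asan",
            "bug": m.group("kind"),
            "address": m.group("addr"),
            "access": (a.group("op"), int(a.group("size"))) if a else None,
        }
    frames = [f.group("lib") for f in TOMBSTONE_FRAME.finditer(log)]
    sig = SIGNAL_LINE.search(log)
    top = frames[0] if frames else None
    instrumented = top is not None and top.startswith(ASAN_LIB_DIRS)
    return {
        "report": "tombstone",
        "signal": sig.group("name") if sig else None,
        "top_lib": top,
        "top_lib_instrumented": instrumented,
        "note": None if top is None or instrumented else
                "faulting library loaded from an uninstrumented path; "
                "check the binary's PT_INTERP and that /data is mounted",
    }


if __name__ == "__main__":
    for name, log in (("tombstone", TOMBSTONE_LOG), ("asan", ASAN_LOG)):
        print(name, triage(log))
```

Run it on a `logcat` capture and the `note` field is the same conclusion eugenis reaches by eye: a SIGSEGV with its top frame in `/system/lib/` on a SANITIZE_TARGET build means the crashing library was never the instrumented copy.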

eugenis commented 8 years ago

Does this happen early during boot? /data is mounted quite late, and everything that starts before that would run with non-ASan libraries.

Did you flash the userdata partition?

/system/lib/libstagefright_soft_avcdec.so is a library built w/o ASan. Its ASan counterpart can be found in /data/lib.

Hmm, I see you ran "./stagefright", probably from shell. Was it built with ASan? You can verify that with "readelf -l", it should name /system/bin/linker_asan as the interpreter.

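The `readelf -l` check eugenis suggests reads the binary's `PT_INTERP` program header; an ASan-enabled AOSP binary names `/system/bin/linker_asan` there. The script below is an added example (not code from this thread or from the sanitizers project) that performs the same check without `readelf`, by parsing the ELF header and program headers directly, so it can run on a file pulled from the device with `adb pull`. It handles 32- and 64-bit ELF in either byte order. The `make_elf_with_interp` helper builds a minimal, non-runnable ELF image purely as a constructed fixture; `/system/bin/linker_asan64` is assumed to be the 64-bit counterpart of the linker named in the thread.

```python
"""Check whether an Android ELF binary will be loaded by the ASan linker, by
reading its PT_INTERP program header (what `readelf -l` shows as
"Requesting program interpreter")."""
import struct
import sys

PT_INTERP = 3
# linker_asan is the interpreter named in the thread; linker_asan64 is
# assumed to be its 64-bit counterpart.
ASAN_INTERPRETERS = ("/system/bin/linker_asan", "/system/bin/linker_asan64")


def elf_interpreter(data: bytes):
    """Return the PT_INTERP path of an ELF image (ELF32/ELF64, either
    endianness), or None when it has no interpreter (static binary, .so)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]          # EI_DATA: 1 = little, 2 = big
    if ei_class == 1:    # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        ph_fmt, off_idx, filesz_idx = end + "IIIIIIII", 1, 4
    elif ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        ph_fmt, off_idx, filesz_idx = end + "IIQQQQQQ", 2, 5
    else:
        raise ValueError("bad EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_INTERP:
            p_offset, p_filesz = fields[off_idx], fields[filesz_idx]
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def is_asan_binary(data: bytes) -> bool:
    """True when the binary's interpreter is one of the ASan linkers."""
    return elf_interpreter(data) in ASAN_INTERPRETERS


def make_elf_with_interp(interp, elf_class=1, little_endian=True):
    """Constructed fixture: a minimal, non-runnable ELF image whose only
    program header is PT_INTERP. e_machine is EM_ARM (40) for ELF32 and
    EM_AARCH64 (183) for ELF64."""
    end = "<" if little_endian else ">"
    interp_bytes = interp.encode() + b"\0"
    if elf_class == 1:
        ehsize, phentsize, machine = 52, 32, 40
        hdr_fmt, ph_fmt = "HHIIIIIHHHHHH", "IIIIIIII"
    else:
        ehsize, phentsize, machine = 64, 56, 183
        hdr_fmt, ph_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ"
    interp_off = ehsize + phentsize       # interp string follows the one phdr
    e_ident = (b"\x7fELF" + bytes([elf_class, 1 if little_endian else 2, 1, 0])
               + b"\0" * 8)
    # e_type=ET_EXEC, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack(end + hdr_fmt, 2, machine, 1, 0, ehsize, 0, 0,
                                 ehsize, phentsize, 1, 0, 0, 0)
    n = len(interp_bytes)
    if elf_class == 1:
        phdr = struct.pack(end + ph_fmt, PT_INTERP, interp_off, 0, 0, n, n, 4, 1)
    else:
        phdr = struct.pack(end + ph_fmt, PT_INTERP, 4, interp_off, 0, 0, n, n, 1)
    return ehdr + phdr + interp_bytes


if __name__ == "__main__":
    # Usage: python check_asan_interp.py <binary pulled with `adb pull`> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            image = f.read()
        print("%s: interpreter=%s asan=%s"
              % (path, elf_interpreter(image), is_asan_binary(image)))
```

A binary that reports `/system/bin/linker` here was built without `SANITIZE_TARGET=address`, which is exactly the situation with `./stagefright` in this thread; rebuild it with the ASan make invocation and the interpreter changes to `linker_asan`.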

eugenis commented 8 years ago

As for the binaries, the master branch needs "preview" blobs from https://developers.google.com/android/nexus/blobs-preview


dragonltx commented 8 years ago

Yeah! You are right! stagefright wasn't built with ASan!

I built it with ASan, and the crash logcat is right with ASan!

Thanks a lot!

morehouse commented 6 years ago

Looks resolved. Please re-open if not.

sxdxwb commented 5 years ago

I meet the same problems as dragonltx. I pulled -b android-6.0.0_r1 from the Android source code and downloaded the Nexus 5's device driver, then I directly built my Android 6.0.1_r46 source code with the commands below:

```
make -j16
make USE_CLANG_PLATFORM_BUILD:=true SANITIZE_TARGET=address -j16
```

The build succeeded, but after I flashed both the userdata and system images to my device, I can't find the '/data/lib' path; I also can't find the path '/system/lib/asan' on the device. What does "master branch" mean? The Android source code branch or something else?