honeynet / droidbot

A lightweight test input generator for Android. Similar to Monkey, but with more intelligence and cool features!
MIT License

Emulator segfaults when using DroidBox-patched Android in droidbot exploration #64

Closed nastya closed 4 years ago

nastya commented 6 years ago

There is a problem running droidbot analysis on the Android emulator with Android 4.1 and DroidBox system and ramdisk images. The emulator receives SIGSEGV at some moment while exploring the application under analysis and then reboots, breaking the droidbot traversal this way. The number of events sent to the emulator before the failure varies (usually it is 30-60 events). The error received also varies, but typically it looks like this in the adb logs:

F/libc    (  149): Fatal signal 11 (SIGSEGV) at 0x0b07bda4 (code=1), thread 615 (Binder_B)
I/DEBUG   (   34): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (   34): Build fingerprint: 'Android/full/generic:4.1.1/JRO03R/eng.mspreitz.20131102.190624:eng/test-keys'
I/DEBUG   (   34): pid: 149, tid: 615, name: UNKNOWN  >>> system_server <<<
I/DEBUG   (   34): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0b07bda4
I/DEBUG   (   34):     r0 0b07bcd8  r1 583de6c2  r2 0b07bda0  r3 00000000
I/DEBUG   (   34):     r4 583de6c2  r5 5c88fb44  r6 2a24ed28  r7 5f044864
I/DEBUG   (   34):     r8 00000000  r9 5f044865  sl 40bf1360  fp 00000000
I/DEBUG   (   34):     ip 00000000  sp 5fc38ba0  lr 00000000  pc 5f044c9e  cpsr 00000030
I/DEBUG   (   34):     d0  0000000000000000  d1  3ddb7cdfd9d7bdbb
I/DEBUG   (   34):     d2  4005ac95baaff9a2  d3  4024000000000000
I/DEBUG   (   34):     d4  0000000000000000  d5  3d909a0000000000
I/DEBUG   (   34):     d6  7e37e43c8800759c  d7  4008000000000000
I/DEBUG   (   34):     d8  4008000000000000  d9  4020000000000003
I/DEBUG   (   34):     d10 40034413509c0a62  d11 3fd34413509f79fe
I/DEBUG   (   34):     d12 3ddb7cdfd9d7bdbb  d13 0000000000000000
I/DEBUG   (   34):     d14 0000000000000000  d15 0000000000000000
I/DEBUG   (   34):     scr 60000010
I/DEBUG   (   34): 
I/DEBUG   (   34): backtrace:
I/DEBUG   (   34):     #00  pc 0000cc9e  /dev/ashmem/dalvik-jit-code-cache (deleted)
I/DEBUG   (   34): 
I/DEBUG   (   34): stack:
I/DEBUG   (   34):          5fc38b60  00000028  
I/DEBUG   (   34):          5fc38b64  2a24ed28  [heap]
I/DEBUG   (   34):          5fc38b68  4079f95c  /system/lib/libdvm.so
I/DEBUG   (   34):          5fc38b6c  407a3748  /system/lib/libdvm.so
I/DEBUG   (   34):          5fc38b70  5f044864  /dev/ashmem/dalvik-jit-code-cache (deleted)
I/DEBUG   (   34):          5fc38b74  5f044c91  /dev/ashmem/dalvik-jit-code-cache (deleted)
I/DEBUG   (   34):          5fc38b78  407a3748  /system/lib/libdvm.so
I/DEBUG   (   34):          5fc38b7c  407773db  /system/lib/libdvm.so (dvmJitChain+142)
I/DEBUG   (   34):          5fc38b80  583de6c2  /system/framework/framework.odex
I/DEBUG   (   34):          5fc38b84  5c88fb44  
I/DEBUG   (   34):          5fc38b88  2a24ed28  [heap]
I/DEBUG   (   34):          5fc38b8c  5f044864  /dev/ashmem/dalvik-jit-code-cache (deleted)
I/DEBUG   (   34):          5fc38b90  00000000  
I/DEBUG   (   34):          5fc38b94  5f044865  /dev/ashmem/dalvik-jit-code-cache (deleted)
I/DEBUG   (   34):          5fc38b98  df0027ad  
I/DEBUG   (   34):          5fc38b9c  00000000  
I/DEBUG   (   34):     #00  5fc38ba0  4079ec88  /system/lib/libdvm.so
I/DEBUG   (   34):          5fc38ba4  2a24ed28  [heap]
I/DEBUG   (   34):          5fc38ba8  4079ec88  /system/lib/libdvm.so
I/DEBUG   (   34):          5fc38bac  569bc558  /dev/ashmem/dalvik-LinearAlloc (deleted)
I/DEBUG   (   34):          5fc38bb0  00000000  
I/DEBUG   (   34):          5fc38bb4  5fc38bd0  
I/DEBUG   (   34):          5fc38bb8  5fc38cb0  
I/DEBUG   (   34):          5fc38bbc  00000000  
I/DEBUG   (   34):          5fc38bc0  5fc38c6c  
I/DEBUG   (   34):          5fc38bc4  407201e8  /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*, unsigned int*)+192)
I/DEBUG   (   34):          5fc38bc8  4166c3c8  /dev/ashmem/dalvik-heap (deleted)
I/DEBUG   (   34):          5fc38bcc  4072f10d  /system/lib/libdvm.so
I/DEBUG   (   34):          5fc38bd0  00000000  
I/DEBUG   (   34):          5fc38bd4  5c88ff50  
I/DEBUG   (   34):          5fc38bd8  00000000  
I/DEBUG   (   34):          5fc38bdc  00000000  
I/DEBUG   (   34): 
I/DEBUG   (   34): memory map around fault addr 0b07bda4:
I/DEBUG   (   34):     (no map below)
I/DEBUG   (   34):     (no map for address)
I/DEBUG   (   34):     2a000000-2a002000 /system/bin/app_process

For more information see the adb logs and droidbot command line output in test cases (issue.zip).

Most probably this error is not connected with droidbot exploration. The error is not seen when using the emulator with original (not DroidBox-patched) system images and the same AVD.

In order to reproduce the error, get the old droidbot version working with DroidBox on https://github.com/nastya/droidbot/tree/droidbox

Here are the test cases. I used two applications downloaded from Google Play to get the logs describing the error: zok.android.letters.apk and com.alexcruz.papuhwalls_10.apk. Actually, the choice of the applications does not matter; such emulator failures are seen every time.

Before running droidbot I started emulator with DroidBox-patched Android and after its boot finished I ran adb logcat > *_logcat*.txt and the droidbot analysis.

droidbot -d emulator-5554 -a test_apps/zok.android.letters.apk -o zok_out1 -use_with_droidbox -policy dfs -count 100 &> zok_log1.txt

droidbot -d emulator-5554 -a test_apps/zok.android.letters.apk -o zok_out2 -use_with_droidbox -policy dfs -count 100 &> zok_log2.txt

When rerunning the analysis with the -no_shuffle option, the SIGSEGV happens at almost the same time (see papuh* logs).

droidbot -d emulator-5554 -a test_apps/com.alexcruz.papuhwalls_10.apk -o papuh_out1 -use_with_droidbox -no_shuffle -policy dfs -count 100 &> papuh_log1.txt

droidbot -d emulator-5554 -a test_apps/com.alexcruz.papuhwalls_10.apk -o papuh_out2 -use_with_droidbox -no_shuffle -policy dfs -count 100 &> papuh_log2.txt

The same behavior is seen without using -use_with_droidbox option.

droidbot -d emulator-5554 -a test_apps/zok.android.letters.apk -o zok_out_no_dbox -policy dfs -count 100 &> zok_log_no_dbox.txt
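Because the emulator reboots mid-run, a droidbot traversal interrupted by this crash can look like a finished exploration unless the captured logcat is checked. The following is an added example (not droidbot's or DroidBox's own code) that parses the key tombstone lines quoted above from a logcat capture and flags a system_server SIGSEGV whose top frame lies in the Dalvik JIT code cache; the sample input is a constructed excerpt of the log in this issue, and the `parse_tombstone`/`classify` names are mine.

```python
import re

# Constructed excerpt of the adb logcat output quoted in the issue (key lines only).
SAMPLE_LOGCAT = """\
F/libc    (  149): Fatal signal 11 (SIGSEGV) at 0x0b07bda4 (code=1), thread 615 (Binder_B)
I/DEBUG   (   34): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (   34): pid: 149, tid: 615, name: UNKNOWN  >>> system_server <<<
I/DEBUG   (   34): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0b07bda4
I/DEBUG   (   34): backtrace:
I/DEBUG   (   34):     #00  pc 0000cc9e  /dev/ashmem/dalvik-jit-code-cache (deleted)
I/DEBUG   (   34): memory map around fault addr 0b07bda4:
I/DEBUG   (   34):     (no map for address)
"""

# Strip the "I/DEBUG   (   34): " logcat prefix and keep only the message body.
PREFIX_RE = re.compile(r"^[A-Z]/\S+\s*\(\s*\d+\):\s?(.*)$")
FATAL_RE = re.compile(r"Fatal signal (\d+) \((\w+)\) at 0x([0-9a-f]+) \(code=(\d+)\), thread (\d+) \((\w+)\)")
PROC_RE = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
FRAME_RE = re.compile(r"#(\d+)\s+pc ([0-9a-f]+)\s+(\S+)")  # backtrace frames only ("pc" keyword)


def parse_tombstone(logcat: str) -> dict:
    """Pull the crash summary, crashing process and backtrace out of a logcat capture."""
    report = {"frames": [], "unmapped": False}
    for raw in logcat.splitlines():
        m = PREFIX_RE.match(raw)
        line = m.group(1) if m else raw
        if (m := FATAL_RE.search(line)):
            report.update(signal=int(m.group(1)), signame=m.group(2),
                          fault_addr=int(m.group(3), 16), tid=int(m.group(5)),
                          thread=m.group(6))
        elif (m := PROC_RE.search(line)):
            report.update(pid=int(m.group(1)), process=m.group(4))
        elif (m := FRAME_RE.search(line)):
            report["frames"].append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
        elif "(no map for address)" in line:
            report["unmapped"] = True  # fault address is not backed by any mapping
    return report


def classify(report: dict) -> str:
    """Label the crash so a harness can mark the traversal as interrupted, not complete."""
    if report.get("signal") != 11:
        return "not-a-segv"
    top = report["frames"][0][2] if report["frames"] else ""
    if "dalvik-jit-code-cache" in top and report.get("process") == "system_server":
        return "system_server-jit-cache-segv"
    return "other-segv"


if __name__ == "__main__":
    print(classify(parse_tombstone(SAMPLE_LOGCAT)))
```

Run it over the full `*_logcat*.txt` capture from a droidbot run; a non-empty result means the event count reported by droidbot should not be trusted for that run.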