Open funsafe-ptr opened 3 days ago
I highly doubt valgrind is working.
Can you try lldb -- ./a.out and r?
same stuff.
(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) r
Process 2637 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
Process 2637 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
frame #0: 0x0000007fb7b617e8 libc.so`getauxval + 8
libc.so`getauxval:
-> 0x7fb7b617e8 <+8>: ldr x9, [x8]
0x7fb7b617ec <+12>: cbz x9, 0x7fb7b61804 ; <+36>
0x7fb7b617f0 <+16>: add x8, x8, #0x10
0x7fb7b617f4 <+20>: cmp x9, x0
(lldb)
After r, then bt all?
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
* frame #0: 0x0000007fb73b47e8 libc.so`getauxval + 8
frame #1: 0x0000007fb76b280c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
frame #2: 0x0000007fb76b84e4 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2780 + 60
frame #3: 0x0000007fb76b01e8 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2614 + 60
frame #4: 0x0000007fb774f91c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3645 + 72
frame #5: 0x0000007fb774fb3c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3646 + 76
frame #6: 0x0000007fb76f4c48 libclang_rt.asan-aarch64-android.so`___interceptor_read + 40
frame #7: 0x0000007fb7433b30 libc.so`je_pages_boot + 92
frame #8: 0x0000007fb7432fdc libc.so`malloc_init_hard_a0_locked + 2940
frame #9: 0x0000007fb74310b0 libc.so`jemalloc_constructor + 348
frame #10: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
frame #11: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400
frame #12: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
frame #13: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
frame #14: 0x0000007fb7eaedf4 linker64`__dl___linker_init + 3192
frame #15: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb)
I think I need logcat for this.
Any ideas? @finagolfin @licy183 @sylirre
The support for aarch64 16KB page size in asan is added in https://github.com/llvm/llvm-project/commit/c6049e67efaaca34ca8ad93b007397b118574b81. Maybe it breaks the usage of asan on older Android devices.
I can't reproduce it on my Android 7.x device.
# termux-info
Termux Variables:
TERMUX_APK_RELEASE=GITHUB
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=15447
TERMUX_IS_DEBUGGABLE_BUILD=1
TERMUX_VERSION=0.118.0
TERMUX__USER_ID=0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://mirrors.ustc.edu.cn/termux/termux-main stable main
Updatable packages:
All packages up to date
termux-tools version:
1.44.1
Android version:
7.1.1
Kernel build information:
Linux localhost 3.18.41+ #1 SMP PREEMPT Fri Jul 10 10:30:30 CST 2020 aarch64 Android
Device manufacturer:
Meizu
Device model:
PRO 6s
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so
I cannot reproduce with your example on Android 13 AArch64, where I regularly run some Swift tests with Asan also. Maybe a specific incompatibility with 8.1 or your device?
(lldb) b getauxval
Breakpoint 7: no locations (pending).
WARNING: Unable to resolve breakpoint to any actual locations.
(lldb) run
Process 3233 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
1 location added to breakpoint 1
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = breakpoint 1.1 5.1 7.1
frame #0: 0x0000007fb73b37e0 libc.so`getauxval
libc.so`getauxval:
-> 0x7fb73b37e0 <+0>: adrp x8, 181
0x7fb73b37e4 <+4>: ldr x8, [x8, #0x58]
0x7fb73b37e8 <+8>: ldr x9, [x8]
0x7fb73b37ec <+12>: cbz x9, 0x7fb73b3804 ; <+36>
(lldb) register read
General Purpose Registers:
x0 = 0x0000000000000006
x1 = 0x0000007fffffd358
x2 = 0x0000007fffffd348
x3 = 0x0000007fffffd340
x4 = 0x0000000000100000
x5 = 0x0000000000000000
x6 = 0x2f6d65747379732f
x7 = 0x696c2f343662696c
x8 = 0xaaaaaaaaaaaaaaaa
x9 = 0x0000007fb768fc47
x10 = 0x0000000000000000
x11 = 0x0000007fb746c960 libc.so`key_map
x12 = 0x0000000000000000
x13 = 0x0000000000000000
x14 = 0x0000000000000000
x15 = 0x0000007fb7e7d000
x16 = 0x0000007fb775e790
x17 = 0x0000007fb73b37e0 libc.so`getauxval
x18 = 0x00000000dd4bab49
x19 = 0x0000007fffffd348
x20 = 0x0000000000000000
x21 = 0x0000000000100000
x22 = 0x0000007fffffd358
x23 = 0x0000007fffffd340
x24 = 0x0000007fb768853d
x25 = 0x0000007fb7831460
x26 = 0x0000007fb746d000 libc.so`key_map + 1696
x27 = 0x0000000000000003
x28 = 0x0000007fb742ff54 libc.so`jemalloc_constructor
fp = 0x0000007fffffdbf0
lr = 0x0000007fb76b480c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
sp = 0x0000007fffffd2e0
pc = 0x0000007fb73b37e0 libc.so`getauxval
cpsr = 0x00000000
I think that register x0 is the first parameter to getauxval, and AT_PAGESZ is defined to 6.
(lldb) step
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
frame #0: 0x0000007fb73b37e4 libc.so`getauxval + 4
libc.so`getauxval:
-> 0x7fb73b37e4 <+4>: ldr x8, [x8, #0x58]
0x7fb73b37e8 <+8>: ldr x9, [x8]
0x7fb73b37ec <+12>: cbz x9, 0x7fb73b3804 ; <+36>
0x7fb73b37f0 <+16>: add x8, x8, #0x10
(lldb) step
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
frame #0: 0x0000007fb73b37e8 libc.so`getauxval + 8
libc.so`getauxval:
-> 0x7fb73b37e8 <+8>: ldr x9, [x8]
0x7fb73b37ec <+12>: cbz x9, 0x7fb73b3804 ; <+36>
0x7fb73b37f0 <+16>: add x8, x8, #0x10
0x7fb73b37f4 <+20>: cmp x9, x0
(lldb) step
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
frame #0: 0x0000007fb73b37e8 libc.so`getauxval + 8
libc.so`getauxval:
-> 0x7fb73b37e8 <+8>: ldr x9, [x8]
0x7fb73b37ec <+12>: cbz x9, 0x7fb73b3804 ; <+36>
0x7fb73b37f0 <+16>: add x8, x8, #0x10
0x7fb73b37f4 <+20>: cmp x9, x0
(lldb)
And getauxval is working just fine in this:
~ $ echo $'#include <sys/auxv.h>\n#include <stdio.h>\nint main(){printf("%zu", getauxval(AT_PAGESZ));}' | cc -x c - -o ./aux.out; ./aux.out
4096~ $
Full transcript:
(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) b getauxval
Breakpoint 1: no locations (pending).
WARNING: Unable to resolve breakpoint to any actual locations.
(lldb) run
Process 10590 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
1 location added to breakpoint 1
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = breakpoint 1.1
frame #0: 0x0000007fb732a7e0 libc.so`getauxval
libc.so`getauxval:
-> 0x7fb732a7e0 <+0>: adrp x8, 181
0x7fb732a7e4 <+4>: ldr x8, [x8, #0x58]
0x7fb732a7e8 <+8>: ldr x9, [x8]
0x7fb732a7ec <+12>: cbz x9, 0x7fb732a804 ; <+36>
(lldb) register read
General Purpose Registers:
x0 = 0x0000000000000006
x1 = 0x0000007fffffd358
x2 = 0x0000007fffffd348
x3 = 0x0000007fffffd340
x4 = 0x0000000000100000
x5 = 0x0000000000000000
x6 = 0x2f6d65747379732f
x7 = 0x696c2f343662696c
x8 = 0xaaaaaaaaaaaaaaaa
x9 = 0x0000007fb745ec47
x10 = 0x0000000000000000
x11 = 0x0000007fb73e3960 libc.so`key_map
x12 = 0x0000000000000000
x13 = 0x0000000000000000
x14 = 0x0000000000000000
x15 = 0x0000007fb7e7d000
x16 = 0x0000007fb752d790
x17 = 0x0000007fb732a7e0 libc.so`getauxval
x18 = 0x00000000fedd5cca
x19 = 0x0000007fffffd348
x20 = 0x0000000000000000
x21 = 0x0000000000100000
x22 = 0x0000007fffffd358
x23 = 0x0000007fffffd340
x24 = 0x0000007fb745753d
x25 = 0x0000007fb7600460
x26 = 0x0000007fb73e4000 libc.so`key_map + 1696
x27 = 0x0000000000000003
x28 = 0x0000007fb73a6f54 libc.so`jemalloc_constructor
fp = 0x0000007fffffdbf0
lr = 0x0000007fb748380c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
sp = 0x0000007fffffd2e0
pc = 0x0000007fb732a7e0 libc.so`getauxval
cpsr = 0x00000000
(lldb) step
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
frame #0: 0x0000007fb732a7e4 libc.so`getauxval + 4
libc.so`getauxval:
-> 0x7fb732a7e4 <+4>: ldr x8, [x8, #0x58]
0x7fb732a7e8 <+8>: ldr x9, [x8]
0x7fb732a7ec <+12>: cbz x9, 0x7fb732a804 ; <+36>
0x7fb732a7f0 <+16>: add x8, x8, #0x10
(lldb) register read
General Purpose Registers:
x0 = 0x0000000000000006
x1 = 0x0000007fffffd358
x2 = 0x0000007fffffd348
x3 = 0x0000007fffffd340
x4 = 0x0000000000100000
x5 = 0x0000000000000000
x6 = 0x2f6d65747379732f
x7 = 0x696c2f343662696c
x8 = 0x0000007fb73df000 libc.so`__find_icu_symbol(char const*)::found_icu
x9 = 0x0000007fb745ec47
x10 = 0x0000000000000000
x11 = 0x0000007fb73e3960 libc.so`key_map
x12 = 0x0000000000000000
x13 = 0x0000000000000000
x14 = 0x0000000000000000
x15 = 0x0000007fb7e7d000
x16 = 0x0000007fb752d790
x17 = 0x0000007fb732a7e0 libc.so`getauxval
x18 = 0x00000000fedd5cca
x19 = 0x0000007fffffd348
x20 = 0x0000000000000000
x21 = 0x0000000000100000
x22 = 0x0000007fffffd358
x23 = 0x0000007fffffd340
x24 = 0x0000007fb745753d
x25 = 0x0000007fb7600460
x26 = 0x0000007fb73e4000 libc.so`key_map + 1696
x27 = 0x0000000000000003
x28 = 0x0000007fb73a6f54 libc.so`jemalloc_constructor
fp = 0x0000007fffffdbf0
lr = 0x0000007fb748380c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
sp = 0x0000007fffffd2e0
pc = 0x0000007fb732a7e4 libc.so`getauxval + 4
cpsr = 0x00200000
(lldb) step
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
frame #0: 0x0000007fb732a7e8 libc.so`getauxval + 8
libc.so`getauxval:
-> 0x7fb732a7e8 <+8>: ldr x9, [x8]
0x7fb732a7ec <+12>: cbz x9, 0x7fb732a804 ; <+36>
0x7fb732a7f0 <+16>: add x8, x8, #0x10
0x7fb732a7f4 <+20>: cmp x9, x0
(lldb) register read
General Purpose Registers:
x0 = 0x0000000000000006
x1 = 0x0000007fffffd358
x2 = 0x0000007fffffd348
x3 = 0x0000007fffffd340
x4 = 0x0000000000100000
x5 = 0x0000000000000000
x6 = 0x2f6d65747379732f
x7 = 0x696c2f343662696c
x8 = 0x0000000000000000
x9 = 0x0000007fb745ec47
x10 = 0x0000000000000000
x11 = 0x0000007fb73e3960 libc.so`key_map
x12 = 0x0000000000000000
x13 = 0x0000000000000000
x14 = 0x0000000000000000
x15 = 0x0000007fb7e7d000
x16 = 0x0000007fb752d790
x17 = 0x0000007fb732a7e0 libc.so`getauxval
x18 = 0x00000000fedd5cca
x19 = 0x0000007fffffd348
x20 = 0x0000000000000000
x21 = 0x0000000000100000
x22 = 0x0000007fffffd358
x23 = 0x0000007fffffd340
x24 = 0x0000007fb745753d
x25 = 0x0000007fb7600460
x26 = 0x0000007fb73e4000 libc.so`key_map + 1696
x27 = 0x0000000000000003
x28 = 0x0000007fb73a6f54 libc.so`jemalloc_constructor
fp = 0x0000007fffffdbf0
lr = 0x0000007fb748380c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
sp = 0x0000007fffffd2e0
pc = 0x0000007fb732a7e8 libc.so`getauxval + 8
cpsr = 0x00200000
(lldb) step
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
frame #0: 0x0000007fb732a7e8 libc.so`getauxval + 8
libc.so`getauxval:
-> 0x7fb732a7e8 <+8>: ldr x9, [x8]
0x7fb732a7ec <+12>: cbz x9, 0x7fb732a804 ; <+36>
0x7fb732a7f0 <+16>: add x8, x8, #0x10
0x7fb732a7f4 <+20>: cmp x9, x0
(lldb)
(lldb) disassemble
libc.so`getauxval:
0x7fb732a7e0 <+0>: adrp x8, 181
0x7fb732a7e4 <+4>: ldr x8, [x8, #0x58]
-> 0x7fb732a7e8 <+8>: ldr x9, [x8]
0x7fb732a7ec <+12>: cbz x9, 0x7fb732a804 ; <+36>
0x7fb732a7f0 <+16>: add x8, x8, #0x10
0x7fb732a7f4 <+20>: cmp x9, x0
0x7fb732a7f8 <+24>: b.eq 0x7fb732a828 ; <+72>
0x7fb732a7fc <+28>: ldr x9, [x8], #0x10
0x7fb732a800 <+32>: cbnz x9, 0x7fb732a7f4 ; <+20>
0x7fb732a804 <+36>: stp x29, x30, [sp, #-0x10]!
0x7fb732a808 <+40>: mov x29, sp
0x7fb732a80c <+44>: bl 0x7fb7327eb0 ; symbol stub for: __errno
0x7fb732a810 <+48>: mov x8, x0
0x7fb732a814 <+52>: orr w9, wzr, #0x2
0x7fb732a818 <+56>: mov x0, xzr
0x7fb732a81c <+60>: str w9, [x8]
0x7fb732a820 <+64>: ldp x29, x30, [sp], #0x10
0x7fb732a824 <+68>: ret
0x7fb732a828 <+72>: ldur x0, [x8, #-0x8]
0x7fb732a82c <+76>: ret
(lldb)
This is the source, I think: getauxval
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
* frame #0: 0x0000007fb73b47e8 libc.so`getauxval + 8
frame #1: 0x0000007fb76b280c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
frame #2: 0x0000007fb76b84e4 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2780 + 60
frame #3: 0x0000007fb76b01e8 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2614 + 60
frame #4: 0x0000007fb774f91c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3645 + 72
frame #5: 0x0000007fb774fb3c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3646 + 76
frame #6: 0x0000007fb76f4c48 libclang_rt.asan-aarch64-android.so`___interceptor_read + 40
frame #7: 0x0000007fb7433b30 libc.so`je_pages_boot + 92
frame #8: 0x0000007fb7432fdc libc.so`malloc_init_hard_a0_locked + 2940
frame #9: 0x0000007fb74310b0 libc.so`jemalloc_constructor + 348
frame #10: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
frame #11: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400
frame #12: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
frame #13: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
frame #14: 0x0000007fb7eaedf4 linker64`__dl___linker_init + 3192
frame #15: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb)
Can you post this with more up? I still think you need to provide us logcat.
It seems that __libc_auxv is not properly initialized by __libc_init, but this is really strange.
@truboxl what did you mean with up?
logcat V
--------- beginning of main
10-20 18:25:28.981 28083 28083 W app_process: type=1400 audit(0.0:230707): avc: denied { read } for name="uptime" dev="proc" ino=4026532066 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-20 18:25:55.041 28189 28189 W crash_dump64: type=1400 audit(0.0:230710): avc: denied { read write } for path="/dev/pts/34" dev="devpts" ino=37 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:untrusted_app_devpts:s0:c512,c768 tclass=chr_file permissive=0
10-20 18:25:55.065 28190 28190 W crash_dump64: type=1400 audit(0.0:230711): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 18:25:55.069 28190 28190 I chatty : uid=10148(com.termux.api) crash_dump64 identical 2 lines
10-20 18:25:55.069 28190 28190 W crash_dump64: type=1400 audit(0.0:230714): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 18:25:55.069 28190 28190 W crash_dump64: type=1400 audit(0.0:230715): avc: denied { search } for name="home" dev="dm-0" ino=1279354 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 18:25:55.077 28190 28190 W crash_dump64: type=1400 audit(0.0:230716): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
Something about SELinux: https://stackoverflow.com/questions/51231326/what-is-the-meaning-of-avc-denied-read-for-name-line-in-logcat
(lldb) up
frame #1: 0x0000007fb73ae80c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654:
-> 0x7fb73ae80c <+84>: str x0, [x25]
0x7fb73ae810 <+88>: cmp x0, x21
0x7fb73ae814 <+92>: adrp x26, -43
0x7fb73ae818 <+96>: add x26, x26, #0x558
I think maybe from this: https://github.com/llvm/llvm-project/blob/e6c01432b6fb6077e1bdf2e0abf05d2c2dd3fd3e/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1212 https://github.com/llvm/llvm-project/blob/e6c01432b6fb6077e1bdf2e0abf05d2c2dd3fd3e/compiler-rt/lib/sanitizer_common/sanitizer_common.h#L65
There is an alternate copy of lib in ndk-multilib.
Can you try echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/opt/ndk-multilib/cross-compiler-rt/lib"; ./a.out ? If the same happens, please attach the logs with up too.
For logcat, I expect output like this: https://source.android.com/docs/core/tests/debug#debuggerd
That SELinux warning is expected and normal
I think you mean echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/opt/ndk-multilib/cross-compiler-rt/"; ./a.out without lib.
And yes, it is working. I tried to invoke the sanitizer and it is working:
echo "int main(){*(volatile int*)0xdead = 0xbad;}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/opt/ndk-multilib/cross-compiler-rt/"; ./a.out
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8845==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000dead (pc 0x005cafb7f2d8 bp 0x007ffb2dd520 sp 0x007ffb2dd510 T0)
==8845==The signal is caused by a WRITE memory access.
#0 0x5cafb7f2d8 in main (/data/data/com.termux/files/home/a.out+0x52d8)
#1 0x78861809c0 in __libc_init (/system/lib64/libc.so+0xa39c0) (BuildId: 8dc90cf7149cde2ed9c5e76ba8ba5a22)
#2 0x5cafb7f158 in _start_main crtbegin.c
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/data/data/com.termux/files/home/a.out+0x52d8) in main
==8845==ABORTING
fish: Job 1, './a.out' terminated by signal SIGABRT (Abort)
About logcat, what do you think I should do? I can't access it:
ls: cannot access '/data/tombstones/': Permission denied
One more thing: I think the lib should be implicitly linked. https://clang.llvm.org/docs/AddressSanitizer.html#usage
echo "int main(){}" | cc -x c - -fsanitize=address; ./a.out
CANNOT LINK EXECUTABLE "./a.out": library "libclang_rt.asan-aarch64-android.so" not found
Ah yes, sorry about that.
I suppose something really broke.
Can you help try
curl -L https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+/refs/heads/main/clang-r530567/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so?format=TEXT | base64 -d > libclang_rt.asan-aarch64-android.so
and then change the rpath so that it uses that lib?
Just want to confirm this should error also:
echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"./"; ./a.out
WARNING: linker: "/data/data/com.termux/files/home/libclang_rt.asan-aarch64-android.so" unused DT entry: type 0x70000001 arg 0x0
fish: Job 1, './a.out' terminated by signal SIGSEGV (Address boundary error)
(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) run
Process 8767 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
WARNING: linker: "/data/data/com.termux/files/home/libclang_rt.asan-aarch64-android.so" unused DT entry: type 0x70000001 arg 0x0
Process 8767 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
frame #0: 0x0000007fb7cb67e8 libc.so`getauxval + 8
libc.so`getauxval:
-> 0x7fb7cb67e8 <+8>: ldr x9, [x8]
0x7fb7cb67ec <+12>: cbz x9, 0x7fb7cb6804 ; <+36>
0x7fb7cb67f0 <+16>: add x8, x8, #0x10
0x7fb7cb67f4 <+20>: cmp x9, x0
(lldb) bt all
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
* frame #0: 0x0000007fb7cb67e8 libc.so`getauxval + 8
frame #1: 0x0000007fb782acb4 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() [inlined] GetPageSizeCached at sanitizer_common.h:72:22
frame #2: 0x0000007fb782ac88 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() at sanitizer_file.cpp:134:19
frame #3: 0x0000007fb782fd0c libclang_rt.asan-aarch64-android.so`::ReadLongProcessName() at sanitizer_linux.cpp:1203:7
frame #4: 0x0000007fb782a2e0 libclang_rt.asan-aarch64-android.so`::CacheBinaryName() [inlined] ReadProcessName at sanitizer_common.cpp:279:3
frame #5: 0x0000007fb782a2cc libclang_rt.asan-aarch64-android.so`::CacheBinaryName() at sanitizer_common.cpp:298:3
frame #6: 0x0000007fb78c489c libclang_rt.asan-aarch64-android.so`::AsanInitInternal() at asan_rtl.cpp:398:3
frame #7: 0x0000007fb78c4adc libclang_rt.asan-aarch64-android.so`::TryAsanInitFromRtl() at asan_rtl.cpp:533:17
frame #8: 0x0000007fb78685ac libclang_rt.asan-aarch64-android.so`::___interceptor_read() at sanitizer_common_interceptors.inc:972:3
frame #9: 0x0000007fb7d35b30 libc.so`je_pages_boot + 92
frame #10: 0x0000007fb7d34fdc libc.so`malloc_init_hard_a0_locked + 2940
frame #11: 0x0000007fb7d330b0 libc.so`jemalloc_constructor + 348
frame #12: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
frame #13: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400
frame #14: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
frame #15: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
frame #16: 0x0000007fb7eaedf4 linker64`__dl___linker_init + 3192
frame #17: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb) up
frame #1: 0x0000007fb782acb4 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() [inlined] GetPageSizeCached at sanitizer_common.h:72:22
(lldb) up
frame #2: 0x0000007fb782ac88 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() at sanitizer_file.cpp:134:19
(lldb) up
frame #3: 0x0000007fb782fd0c libclang_rt.asan-aarch64-android.so`::ReadLongProcessName() at sanitizer_linux.cpp:1203:7
(lldb) up
frame #4: 0x0000007fb782a2e0 libclang_rt.asan-aarch64-android.so`::CacheBinaryName() [inlined] ReadProcessName at sanitizer_common.cpp:279:3
(lldb) up
frame #5: 0x0000007fb782a2cc libclang_rt.asan-aarch64-android.so`::CacheBinaryName() at sanitizer_common.cpp:298:3
(lldb) up
frame #6: 0x0000007fb78c489c libclang_rt.asan-aarch64-android.so`::AsanInitInternal() at asan_rtl.cpp:398:3
(lldb) up
frame #7: 0x0000007fb78c4adc libclang_rt.asan-aarch64-android.so`::TryAsanInitFromRtl() at asan_rtl.cpp:533:17
(lldb) up
frame #8: 0x0000007fb78685ac libclang_rt.asan-aarch64-android.so`::___interceptor_read() at sanitizer_common_interceptors.inc:972:3
(lldb) up
frame #9: 0x0000007fb7d35b30 libc.so`je_pages_boot + 92
libc.so`je_pages_boot:
-> 0x7fb7d35b30 <+92>: mov x20, x0
0x7fb7d35b34 <+96>: mov w0, w19
0x7fb7d35b38 <+100>: bl 0x7fb7cb3f10 ; symbol stub for: close
0x7fb7d35b3c <+104>: cmp x20, #0x0
(lldb)
And logcat is pretty much the same as before. This is what I do: create a new terminal, logcat v, go to the previous terminal, ./a.out, and the logcat just prints:
--------- beginning of main
10-20 23:56:02.284 8934 8934 W app_process: type=1400 audit(0.0:241017): avc: denied { read } for name="uptime" dev="proc" ino=4026532066 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-20 23:56:15.516 9035 9035 W crash_dump64: type=1400 audit(0.0:241021): avc: denied { read write } for path="/dev/pts/34" dev="devpts" ino=37 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:untrusted_app_devpts:s0:c512,c768 tclass=chr_file permissive=0
10-20 23:56:15.548 9036 9036 W crash_dump64: type=1400 audit(0.0:241022): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 23:56:15.564 9036 9036 W crash_dump64: type=1400 audit(0.0:241026): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
No crash dump.
Thanks! This confirms the upcoming NDK r28 will have the same issue. We should report to https://github.com/android/ndk
The support for aarch64 16KB page size in asan is added in https://github.com/llvm/llvm-project/commit/c6049e67efaaca34ca8ad93b007397b118574b81. Maybe it breaks the usage of asan on older Android devices.
Yes, with the latest log it should point to checking sanitizer_common.h:72:22.
Curiously, https://github.com/llvm/llvm-project/commit/c6049e67efaaca34ca8ad93b007397b118574b81#diff-7aa35d74ad2634ba31a6fede2910e32d837220fd761b6898542d8a0b71ccfe5aL65 mentions "Android post-M sysconf(_SC_PAGESIZE) crashes if called from .preinit_array", but that was removed in the commit.
Yes, getauxval crashes in preinit_array. Minimal example:
~ $ echo $'#include <sys/auxv.h>\nstatic void a() {getauxval(AT_PAGESZ);}; void (*preinit[])()__attribute((section(".preinit_array")))={&a};int main(){}' | cc -x c -;./a.out
Segmentation fault
(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) run
Process 28871 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
Process 28871 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
frame #0: 0x0000007fb7cbe7e8 libc.so`getauxval + 8
libc.so`getauxval:
-> 0x7fb7cbe7e8 <+8>: ldr x9, [x8]
0x7fb7cbe7ec <+12>: cbz x9, 0x7fb7cbe804 ; <+36>
0x7fb7cbe7f0 <+16>: add x8, x8, #0x10
0x7fb7cbe7f4 <+20>: cmp x9, x0
(lldb) bt
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
* frame #0: 0x0000007fb7cbe7e8 libc.so`getauxval + 8
frame #1: 0x00000055555597a8 a.out`a + 16
frame #2: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
frame #3: 0x0000007fb7eaede4 linker64`__dl___linker_init + 3176
frame #4: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb)
Problem description
Clang 18 worked just fine, but after upgrading to Clang 19, the executable with Address Sanitizer crashes with signal SIGSEGV.
What steps will reproduce the bug?
echo "int main(){}" | cc -x c -; ./a.out
working just fine.
echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/lib/clang/19/lib/linux"; ./a.out
crash: './a.out' terminated by signal SIGSEGV (Address boundary error)
with valgrind
What is the expected behavior?
working just fine.
System information