Closed rewhy closed 5 years ago
What happens when you run valgrind alone without taintgrind? It looks like a VEX translation error.
When I run valgrind alone or with other tools (memcheck, callgrind and cachegrind), no crashes happen. I also think it should be a VEX translation error, but the errors only happen on the multi-core CPU devices.
Ok the bug is probably in convert_Value (tnt_translate.c). TG tries to convert 128-bit SIMD values to 32-bit values in order to display run-time and taint values. Unfortunately, the ARM VEX translator doesn't recognise the V128to32 operation (it is commented out in host_arm_isel.c and is probably x86-only). In any case, the issue is how to display a 128-bit SIMD operand/value which I currently don't have an answer for.
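To make the display problem concrete, here is an added example that is not Taintgrind's or Valgrind's code: a simplified byte-granular taint model (the byte granularity, names and layout are assumptions made for the example, not the tool's real shadow representation) that taints the first 8 bytes of a buffer as --taint-start=0 --taint-len=8 would, performs a 16-byte SIMD-style load, and reports value and taint as four 32-bit lanes, i.e. the 128-to-32 split the tool needs without a V128to32 host operation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32

/* Constructed sample input (bytes 0x01..0x20) standing in for test.txt. */
static uint8_t sample[BUF_LEN];

/* Shadow memory: one flag per application byte (1 = tainted).
 * Byte granularity is an assumption for this example. */
static uint8_t shadow[BUF_LEN];

/* Mirror --taint-start=S --taint-len=N: mark [S, S+N) as tainted. */
static void taint_range(size_t start, size_t len) {
    for (size_t i = start; i < start + len && i < BUF_LEN; i++)
        shadow[i] = 1;
}

/* A 128-bit value and its taint, split into four 32-bit lanes so that
 * both can be reported with 32-bit operations only. */
typedef struct { uint32_t lane[4]; uint32_t taint[4]; } v128_report;

/* Model a 16-byte SIMD load at offset off (little-endian, as on the
 * ARM target). A lane is reported tainted if any of its 4 bytes is. */
static v128_report load_v128(const uint8_t *buf, size_t off) {
    v128_report r = {{0}, {0}};
    for (int l = 0; l < 4; l++)
        for (int b = 0; b < 4; b++) {
            size_t i = off + 4 * l + b;
            r.lane[l] |= (uint32_t)buf[i] << (8 * b);
            if (shadow[i]) r.taint[l] = 1;
        }
    return r;
}

/* Scenario from the report: taint the first 8 bytes, then load 16 bytes. */
static void setup(void) {
    for (int i = 0; i < BUF_LEN; i++) sample[i] = (uint8_t)(i + 1);
    memset(shadow, 0, sizeof shadow);
    taint_range(0, 8);                 /* --taint-start=0 --taint-len=8 */
}
static uint32_t demo_lane_taint(size_t off, int l) { setup(); return load_v128(sample, off).taint[l]; }
static uint32_t demo_lane_value(size_t off, int l) { setup(); return load_v128(sample, off).lane[l]; }

int main(void) {
    for (int l = 0; l < 4; l++)
        printf("lane%d = 0x%08x taint=%u\n", l, demo_lane_value(0, l), demo_lane_taint(0, l));
    return 0;
}
```

A load at offset 0 yields two tainted lanes and two clean ones; a load at offset 6 shows that a lane covering only part of the tainted range is still reported tainted.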
Thanks for your answer first. But I am still confused why this error doesn't happen on the Android emulator if the cause is that the ARM VEX translator of valgrind doesn't implement the V128to32 operation.
Thanks so much.
I'm not sure why the error doesn't happen on the emulator. You were running 'cat'. Could it be compiled differently?
The "cat" was running on the same Android system version. Moreover, I also ran TG on my own apps on these devices with the same compiling configuration, and the same errors happened.
It took a while, but see if this patch works.
Closing this issue
This tool is very interesting and powerful when I use it with Ubuntu system.
However, when I try to use it on both devices Nexus 4 and Nexus 5 running Android 4.4.2, it crashes. But if I run it on the emulator and Nexus S, no crash happens. (Nexus 4 and Nexus 5 have multi-core CPUs, and the emulator and Nexus S have single-core CPUs.)
I don't know whether the crash is caused by valgrind or taintgrind.
The starting command and output are as follows:

valgrind -v --tool=taintgrind --file-filter=/sdcard/test.txt --taint-start=0 --taint-len=8 cat /sdcard/test.txt

==2700== Taintgrind, the taint analysis tool
==2700== Copyright (C) 2010-2014, and GNU GPL'd, by Wei Ming Khoo.
==2700== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2700== Command: /data/local/tmp/readfile /sdcard/test.txt
==2700==
--2700-- Valgrind options:
--2700--    -v
--2700--    --tool=taintgrind
--2700--    --file-filter=/sdcard/test.txt
--2700--    --taint-start=0
--2700--    --taint-len=8
--2700-- Contents of /proc/version:
--2700--   Linux version 3.4.0-perf-g2cae413 (android-build@vpbs1.mtv.corp.google.com) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Wed Nov 20 14:54:28 PST 2013
--2700--
--2700-- Arch and hwcaps: ARM, LittleEndian, ARMv7-neon-vfp
--2700-- Page sizes: currently 4096, max supported 4096
--2700-- Valgrind library directory: /data/local/tmp/Inst/lib/valgrind
--2700-- Reading syms from /data/local/tmp/readfile
--2700--    object doesn't have a symbol table
--2700--    Reading EXIDX entries: 39 available
--2700--    Reading EXIDX entries: 36 attempted, 36 successful
--2700-- Reading syms from /system/bin/linker
--2700--   Considering /system/bin/linker ..
--2700--   .. CRC mismatch (computed 9733dd11 wanted 369f923f)
--2700--    object doesn't have a symbol table
--2700-- Reading syms from /data/local/tmp/Inst/lib/valgrind/taintgrind-arm-linux
--2700--    object doesn't have a dynamic symbol table
--2700-- warning: addVar: implausibly large (syscallnames)
--2700-- warning: addVar: unknown size (ips)
--2700-- warning: addVar: unknown size (ips)
--2700-- warning: addVar: unknown size (sps)
--2700-- warning: addVar: unknown size (sps)
--2700-- warning: addVar: unknown size (qualname)
--2700-- warning: addVar: unknown size (qualname)
--2700-- warning: addVar: unknown size (qualname)
--2700-- warning: addVar: unknown size (qualname)
--2700-- warning: addVar: unknown size (qualname)
--2700-- Scheduler: using generic scheduler lock implementation.
set_address_range_perms(0) lenA:0x1000 lenB:0x0
V128to32(t28)
vex: the `impossible' happened:
   iselIntExpr_R: cannot reduce tree
vex storage: T total 697816 bytes allocated
vex storage: P total 192 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

host stacktrace:
==2700==    at 0x38037350: show_sched_status_wrk (m_libcassert.c:343)
==2700==    by 0x380374F3: report_and_quit (m_libcassert.c:415)
==2700==    by 0x380376F7: vgPlain_core_panic_at (m_libcassert.c:491)
==2700==    by 0x38037727: vgPlain_core_panic (m_libcassert.c:501)
==2700==    by 0x3805A42B: failure_exit (m_translate.c:740)
==2700==    by 0x38129DD3: vpanic (main_util.c:231)
==2700==    by 0x3819630F: iselIntExpr_R (host_arm_isel.c:1902)
==2700==    by 0x381A51B7: doHelperCall.isra.24.constprop.25 (host_arm_isel.c:589)
==2700==    by 0x381A66E3: iselSB_ARM (host_arm_isel.c:5990)
==2700==    by 0x38126FBB: LibVEX_Translate (main_main.c:1014)
==2700==    by 0x3805D31B: vgPlain_translate (m_translate.c:1765)
==2700==    by 0x3809A22B: handle_chain_me (scheduler.c:1076)
==2700==    by 0x3809C9B3: vgPlain_scheduler (scheduler.c:1420)
==2700==    by 0x380B07F3: run_a_thread_NORETURN (syswrap-linux.c:102)
==2700==    by 0xFFFFFFFF: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 2700)
==2700==    at 0x4004CBC: ??? (in /system/bin/linker)
==2700==    by 0x4002C23: ??? (in /system/bin/linker)
Thanks a lot for your useful tool.