When analysing memory crashes or memory-corruption ("stomped memory") problems in Android user space, we need an address sanitizer. Before Android 10 we could use Android ASan, malloc debug and similar tools, but Android ASan makes the whole system extremely sluggish, so the experience is poor.
For that reason, Android 10 and later introduce Hardware-assisted AddressSanitizer (HWASan) for AArch64 hardware. HWASan is a memory error detection tool similar to AddressSanitizer (ASan). Compared with ASan, HWASan uses far less memory, which makes it suitable for enabling across the whole system.
Tool | Applicability | Detected issues | Mechanism | Drawbacks | Shared drawback |
---|---|---|---|---|---|
ASan | Runs on 32-bit and 64-bit ARM as well as x86 and x86-64 (in AOSP master after Android 11, platform ASan on arm64 was deprecated in favour of HWASan) | Stack and heap buffer overflow/underflow; heap use after free; stack use outside scope; double free/wild free | Records memory state in shadow memory (a dedicated region of memory): freed memory is marked 0xfd in the shadow, and allocated memory is surrounded by redzones marked 0xfa | Freed memory is only quarantined for a limited time; once the region is reallocated to another owner, an access through the original owner is no longer reported. Redzones have a finite size, so an overflow that jumps past the redzone is likewise not reported | Cannot check Java code, but can detect errors in JNI libraries and C code |
HWASan | Only on Android 10 and later, and only on AArch64 hardware | Stack and heap buffer overflow/underflow; heap use after free; stack use outside scope; double free/wild free; stack use after return | AArch64 is a 64-bit architecture, but only the low 48 bits of a 64-bit pointer value are used for addressing. AArch64 has address tagging (top-byte-ignore), which lets software use the top 8 bits of a pointer for its own purposes. HWASan uses those 8 bits to store the tag of a memory region | Every class of error has some probability of false negatives (real bugs missed), namely 1/256, because the tag is chosen from only 256 (2^8) values, so different addresses can end up with the same tag | Cannot check Java code, but can detect errors in JNI libraries and C code |
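The following is an added example (not code from the page, from Android or from LLVM) that models the HWASan mechanism the table describes: a random 8-bit tag in the pointer's top byte, one memory tag per 16-byte granule, a short-granule byte count for allocations that are not a multiple of 16, retagging on free, and the tag-mismatch check behind the "tags: xx/yy (ptr/mem)" line of a HWASan report. The heap size, the tag generator (which skips tags 0..15, so 240 rather than 256 values) and the function names are this model's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#define HEAP_SIZE 1024
#define GRANULE   16                 /* one shadow byte covers 16 bytes       */
#define TAG_SHIFT 56                 /* the tag lives in pointer bits 63:56   */
#define NGRAN     (HEAP_SIZE / GRANULE)
static uint8_t  heap[HEAP_SIZE];     /* fake heap (model assumption)          */
static uint8_t  shadow[NGRAN];       /* memory tag, or 1..15 = short granule  */
static uint8_t  chunk_len[NGRAN];    /* granule count of the chunk starting here */
static size_t   next_off;            /* bump allocator cursor                 */
static uint32_t rng = 0x2545F491u;   /* fixed seed: runs are deterministic    */
/* 8-bit random tag; this model skips 0..15 so shadow values stay unambiguous. */
static uint8_t random_tag(void) {
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
    return (uint8_t)(16 + rng % 240);
}
/* AArch64 TBI: hardware ignores bits 63:56, so stripping the tag is free.  */
static uint8_t *untag(uintptr_t p) { return (uint8_t *)(p & ((1ULL << TAG_SHIFT) - 1)); }
static uint8_t  ptr_tag(uintptr_t p) { return (uint8_t)(p >> TAG_SHIFT); }
static size_t   gran_of(uintptr_t p) { return (size_t)(untag(p) - heap) / GRANULE; }
/* Allocate n bytes: tag every granule; a partial last granule records its
 * byte count in shadow and keeps the real tag in the granule's last byte. */
uintptr_t tagged_malloc(size_t n) {
    size_t gran = (n + GRANULE - 1) / GRANULE, g = next_off / GRANULE;
    if (n == 0 || next_off + gran * GRANULE > HEAP_SIZE) return 0;
    uint8_t tag = random_tag();
    for (size_t i = 0; i < gran; i++) shadow[g + i] = tag;
    if (n % GRANULE) {               /* short granule                         */
        shadow[g + gran - 1] = (uint8_t)(n % GRANULE);
        heap[next_off + gran * GRANULE - 1] = tag;
    }
    chunk_len[g] = (uint8_t)gran;
    uintptr_t p = (uintptr_t)(heap + next_off) | ((uintptr_t)tag << TAG_SHIFT);
    next_off += gran * GRANULE;
    return p;
}

/* One-byte access check as instrumented loads/stores do it: the pointer tag
 * must equal the granule tag; in a short granule the offset must lie below
 * the recorded size and the tag in the granule's last byte must match.    */
int check_byte(uintptr_t p) {
    size_t g = gran_of(p); uint8_t mt = shadow[g];
    if (mt == ptr_tag(p)) return 1;
    if (mt >= GRANULE) return 0;     /* tag mismatch: HWASan reports here     */
    size_t off = (size_t)(untag(p) - heap) % GRANULE;
    return off < mt && heap[g * GRANULE + GRANULE - 1] == ptr_tag(p);
}

/* free: a tag mismatch is an invalid or double free (the "tags: xx/yy (ptr/mem)"
 * report line); otherwise retag the chunk so a later use through the stale
 * pointer fails unless the new tag happens to collide with the old one.  */
int tagged_free(uintptr_t p) {
    if (!check_byte(p)) return 0;
    uint8_t fresh;
    do fresh = random_tag(); while (fresh == ptr_tag(p));
    size_t g = gran_of(p);
    for (size_t i = 0; i < chunk_len[g]; i++) shadow[g + i] = fresh;
    return 1;
}
```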
How to enable HWASan
Apply the relevant patches
A number of HWASan-related kernel patches must be applied first:
Kernel 4.19 + Android 10
- Patch1 (arm64: untag user addresses in access_ok and __uaccess_mask_ptr)
- Patch2 (uaccess: add untagged_addr definition for other arches)
- Patch3 (arm64: Define Documentation/arm64/elf_at_flags.txt)
- Patch4 (selftests, arm64: add a selftest for passing tagged pointers to kernel)
- Patch5 (arm64: add type casts to untagged_addr macro)
- Patch6 (fs, arm64: untag user address in copy_mount_options)
- Patch7 (arm64: update Documentation/arm64/tagged-pointers.txt)
- Patch8 (elf: Make AT_FLAGS arch configurable)
- Patch9 (lib, arm64: untag addrs passed to strncpy_from_user and strnlen_user)
- Patch10 (mm, arm64: untag user addresses in mm/gup.c)
- Patch11 (arm64: elf: Advertise relaxed ABI)
Kernel 4.19 & 5.4 + Android 11 & Android 12
- [Patch 1] Project platform/system/memory/lmkd
From 0d1155a1a5b2de3bfc9ce04037956ce89b5670d3 Mon Sep 17 00:00:00 2001
From: Rishiraj Manwatkar <rmanwatk@codeaurora.org>
Date: Wed, 25 Mar 2020 19:27:56 -0700
Subject: [PATCH] Do not merge: hwasan: don't sanitize lmkd
Change-Id: Ie45120e2ba4cc63a117d09b166387eecff9bb67b
---
Android.bp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
The diff is as follows:
diff --git a/Android.bp b/Android.bp
index f177b0d..30136d1 100644
--- a/Android.bp
+++ b/Android.bp
@@ -12,7 +12,9 @@ cc_defaults {
cc_binary {
name: "lmkd",
-
+ sanitize: {hwaddress: false,
+ address: false,
+ },
srcs: ["lmkd.cpp"],
shared_libs: [
"libcutils",
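Review bot: the new `sanitize: {hwaddress: false, address: false, }` block excludes lmkd from both HWASan and ASan without recording why; since the subject marks this "Do not merge", add a comment beside the block with the reason and a tracking reference so the exclusion cannot slip into a product build silently, because it removes sanitizer coverage from a long-running system daemon. Also run bpfmt: the opening brace on `sanitize: {hwaddress: false,` is inconsistent with the closing `},` on its own line.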
--
2.7.4
- [Patch 2] Project platform/vendor/qcom-proprietary/QIIFA-fwk
From a0568d9cc881b5292c979b82c89c90bab671d9a9 Mon Sep 17 00:00:00 2001
From: shrkum <shrkum@qti.qualcomm.com>
Date: Fri, 10 Jul 2020 16:10:20 +0530
Subject: [PATCH] Temporarily disabled the vndk
Hardware for this device is not enabled for 32bit architecture.
So all the 32bit libraries have not been compiled
Change-Id: I4c8f8e1fffa50647ad18e216291860f87bcaf873
---
plugins/qiifa_abi_checker/abi_config.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The diff is as follows:
diff --git a/plugins/qiifa_abi_checker/abi_config.json b/plugins/qiifa_abi_checker/abi_config.json
index 1d74897..9961010 100644
--- a/plugins/qiifa_abi_checker/abi_config.json
+++ b/plugins/qiifa_abi_checker/abi_config.json
@@ -1,7 +1,7 @@
[
{
"abi_type": "vndk",
- "enabled": "true"
+ "enabled": "false"
},
{
"abi_type": "sphal",
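Review bot: the commit message says only the 32-bit libraries were not built, but flipping `"enabled": "true"` to `"enabled": "false"` switches the vndk ABI check off for every ABI, so 64-bit VNDK ABI regressions would also go unreported while this is in; if the checker configuration can restrict the ABI set, prefer that, and otherwise add a TODO next to the changed line that references the temporary nature stated in the subject.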
--
2.7.4
- [Patch 3] Project platform/hardware/interfaces
From d2d78f9de19473c78cabe08f7693500d47d468b8 Mon Sep 17 00:00:00 2001
From: Rishiraj Manwatkar <rmanwatk@codeaurora.org>
Date: Thu, 23 Jul 2020 21:11:03 -0700
Subject: [PATCH] Health 1.0: Fix hwasan crash
Change-Id: Ic0d842c7ec3532a926ef95800f3e63585907d4d9
---
health/1.0/default/convert.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The diff is as follows:
diff --git a/health/1.0/default/convert.cpp b/health/1.0/default/convert.cpp
index 7f1e3c4..3680d4d 100644
--- a/health/1.0/default/convert.cpp
+++ b/health/1.0/default/convert.cpp
@@ -79,7 +79,7 @@ void convertFromHealthConfig(const HealthConfig& c, struct healthd_config
*hc) {
hc->batteryCurrentAvgPath =
android::String8(c.batteryCurrentAvgPath.c_str(),
- c.batteryCurrentNowPath.size());
+ c.batteryCurrentAvgPath.size());
hc->batteryChargeCounterPath =
android::String8(c.batteryChargeCounterPath.c_str(),
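Review bot: the fix is correct: `hc->batteryCurrentAvgPath` was built from `c.batteryCurrentAvgPath.c_str()` but sized with `c.batteryCurrentNowPath.size()`, so whenever the Now path is longer than the Avg path the String8 constructor reads past the end of the Avg string, which is exactly the kind of heap-buffer-overflow HWASan reports. Since every path in this function is converted with the same `String8(c.X.c_str(), c.Y.size())` pattern (see the `batteryChargeCounterPath` line right below), check the neighbouring conversions for the same copy-paste mismatch, or drop the explicit length and let String8 take the NUL-terminated string so the two names cannot diverge again.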
--
2.7.4
- [Patch 4] Project platform/vendor/qcom-opensource/power
From 3f26bbe82c27afd5505a4b1e3081f5b87ba52c99 Mon Sep 17 00:00:00 2001
From: Rishiraj Manwatkar <rmanwatk@codeaurora.org>
Date: Wed, 18 Mar 2020 20:54:12 -0700
Subject: [PATCH] Do not merge: HWASAN flag to pass the build
Change-Id: I9a88825b9310660ce40660d70b4f87f835699cde
Signed-off-by: Rishiraj Manwatkar <rmanwatk@codeaurora.org>
---
Android.mk | 1 +
1 file changed, 1 insertion(+)
The diff is as follows:
diff --git a/Android.mk b/Android.mk
index 209521c..0479de6 100644
--- a/Android.mk
+++ b/Android.mk
@@ -85,6 +85,7 @@ ifeq ((TARGET_USES_INTERACTION_BOOST),true)
LOCAL_CFLAGS += -DINTERACTION_BOOST
endif
+LOCAL_NOSANITIZE := hwaddress
ifeq ((call is-board-platform-in-list,trinket), true)
LOCAL_MODULE := power.qcom
LOCAL_MODULE_TAGS := optional
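Review bot: `LOCAL_NOSANITIZE := hwaddress` is a plain assignment and discards any exclusions the module set earlier in the file; use `LOCAL_NOSANITIZE += hwaddress`. The subject also says only that this is "to pass the build": record the actual compile or link error in the commit message so the exclusion can be removed once that error is fixed rather than leaving power.qcom permanently outside HWASan coverage.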
--
2.7.4
Kernel 5.10 + Android 12
- [Patch 1] QSSI project: platform/vendor/qcom-proprietary/QIIFA-fwk
From 633a0af1b8465a326858697069f10c65df0b18bb Mon Sep 17 00:00:00 2001
From: shrkum <shrkum@qti.qualcomm.com>
Date: Fri, 10 Jul 2020 16:10:20 +0530
Subject: [PATCH] Temporarily disabled the vndk
Hardware for this device is not enabled for 32bit architecture.
So all the 32bit libraries have not been compiled
Change-Id: I4c8f8e1fffa50647ad18e216291860f87bcaf873
---
plugins/qiifa_abi_checker/abi_config.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The diff is as follows:
diff --git a/plugins/qiifa_abi_checker/abi_config.json b/plugins/qiifa_abi_checker/abi_config.json
index 54b7312..5ed8bb0 100644
--- a/plugins/qiifa_abi_checker/abi_config.json
+++ b/plugins/qiifa_abi_checker/abi_config.json
@@ -1,7 +1,7 @@
[
{
"abi_type": "vndk",
- "enabled": "true"
+ "enabled": "false"
},
{
"abi_type": "sphal",
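Review bot: same concern as for the Android 11/12 version of this patch above: `"enabled": "false"` disables the vndk ABI check for all ABIs, not only the 32-bit one the commit message says is missing, so a TODO next to the changed line (or a narrower ABI restriction, if the checker supports one) is needed so the check is switched back on once 32-bit libraries are built.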
--
2.7.4
- [Patch 2] QSSI project: platform/hardware/interfaces
From deff1dda35cf7ab8a8df651ce7f7733e4af5ba12 Mon Sep 17 00:00:00 2001
From: Rishiraj Manwatkar <rmanwatk@quicinc.com>
Date: Tue, 23 Mar 2021 17:04:48 -0700
Subject: [PATCH] DNM: hwasan: suppress configstore crash
Change-Id: I377654aa3e7821c427ec16defa11cb141ab5985d
---
configstore/1.1/default/Android.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The diff is as follows:
diff --git a/configstore/1.1/default/Android.mk b/configstore/1.1/default/Android.mk
index 6b7bb00..a8811e0 100644
--- a/configstore/1.1/default/Android.mk
+++ b/configstore/1.1/default/Android.mk
@@ -12,7 +12,7 @@ LOCAL_MODULE_CLASS := EXECUTABLES
LOCAL_MODULE_RELATIVE_PATH := hw
LOCAL_INIT_RC := android.hardware.configstore@1.1-service.rc
LOCAL_SRC_FILES:= service.cpp
-
+LOCAL_NOSANITIZE := never
include $(LOCAL_PATH)/surfaceflinger.mk
LOCAL_SHARED_LIBRARIES := \
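Review bot: `LOCAL_NOSANITIZE := never` looks wrong: LOCAL_NOSANITIZE takes the list of sanitizers to remove from the module (the power patch on this page uses `LOCAL_NOSANITIZE := hwaddress`), whereas `never` is the value used with `LOCAL_SANITIZE := never` to disable all sanitizers; confirm from the build output that the service really is built without hwaddress, and use one of those two spellings. The subject says "suppress crash" without naming it: put the HWASan report's SUMMARY line in the commit message so the root cause can be found later.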
--
2.7.4
- [Patch 3] Vendor project: platform/hardware/qcom/display
From 91de7501b4559b0041e15b37b845be32e7b2305a Mon Sep 17 00:00:00 2001
From: Rishiraj Manwatkar <rmanwatk@quicinc.com>
Date: Fri, 9 Apr 2021 18:24:16 -0700
Subject: [PATCH] DNM: HWASAN: suppress composer service compilation error
Change-Id: I9edda923a3e633a065282f50a6803271f0423290
---
composer/Android.bp | 1 +
1 file changed, 1 insertion(+)
The diff is as follows:
diff --git a/composer/Android.bp b/composer/Android.bp
index c6661c6..a4df435 100644
--- a/composer/Android.bp
+++ b/composer/Android.bp
@@ -6,6 +6,7 @@ cc_binary {
defaults: ["qtidisplay_defaults"],
sanitize: {
integer_overflow: true,
+ hwaddress: false,
},
vendor: true,
relative_install_path: "hw",
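Review bot: adding `hwaddress: false,` under `sanitize:` correctly leaves `integer_overflow: true` in place, but the subject describes a compilation error without saying what it is; put the error text in the commit message and, since this is DNM, a TODO comment beside the new line, so the composer service does not stay permanently outside HWASan coverage once the underlying error is fixed.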
--
2.7.4
Enabling HWASan at build time
Options that can be set through environment variables for the build:
export HWASAN_OPTIONS=heap_history_size=1023,stack_history_size=512,export_memory_stats=0,max_malloc_fill_size=0,alloc_dealloc_mismatch=1
or
export ASAN_OPTIONS=alloc_dealloc_mismatch=1
The options are described below:
Option | Description |
---|---|
halt_on_error=0 | When a memory error is detected, the process does not exit but keeps running. The default is to exit (tested) |
detect_leaks=1 | Enables memory leak detection; not supported on ARM (tested) |
check_initialization_order=1 | Checks initialization order, e.g. when the initializers of two globals depend on each other (not tested) |
detect_stack_use_after_return=1 | Detects use of stack memory after the function has returned (not tested) |
Enabling HWASan for the whole system
- QSSI build:
lunch aosp_walleye-userdebug # (or any other product)
./build.sh dist SANITIZE_TARGET=hwaddress
- Non-QSSI build:
lunch aosp_walleye-userdebug # (or any other product)
make SANITIZE_TARGET=hwaddress
Enabling HWASan for a single module
- Push libc.so and libclang_rt.hwasan-aarch64-android.so (taken from a full HWASan build) to the phone:
#cp LINUX\android\out\target\product\[target]\system\apex\com.android.runtime\lib64\bionic\libclang_rt.hwasan-aarch64-android.so
#cp LINUX\android\out\target\product\[target]\system\apex\com.android.runtime\lib64\bionic\libc.so
#adb push \libclang_rt.hwasan-aarch64-android.so /system/lib64
#adb push \libc.so /system/lib64
- Enable HWASan in the module's build file:
Android.mk
LOCAL_SANITIZE += hwaddress
Android.bp
sanitize:{hwaddress:true,},
- Build the module with mm/mma -jN and push the resulting library to the phone
- Reboot the phone for the change to take effect
Note: some modules hit __cfi_check_fail once HWASan is enabled. Whether a library has CFI checks enabled can be confirmed with the following command:
readelf -a xxx.so | grep cfi
If CFI checks are enabled, they can be disabled as follows:
HWASan reports
When HWASan detects a memory bug, the process is terminated via abort() and the report is written to stderr and logcat. As with all native crashes on Android, HWASan errors can also be found under /data/tombstones.
Reference: https://source.android.google.cn/docs/security/test/memory-safety/hwasan-reports?hl=zh-cn
Resolving symbols in HWASan reports
Because the libraries and binaries in a release build are stripped, the report cannot be symbolized by default, for example:
==4415==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x003a861bb057 at pc 0x00775f3c664c bp 0x007fd0f434b0 sp 0x007fd0f42c90
READ of size 8 at 0x003a861bb057 thread T0
#0 0x775f3c6648 (/system/lib64/libclang_rt.asan-aarch64-android.so+0x72648)
#1 0x775f3c6ff8 (/system/lib64/libclang_rt.asan-aarch64-android.so+0x72ff8)
#2 0x59861bf0a8 (/vendor/bin/qrtr-lookup+0x20a8)
#3 0x775f72488c (/apex/com.android.runtime/lib64/bionic/libc.so+0x4988c)
0x003a861bb057 is located 0 bytes to the right of 7-byte region [0x003a861bb050,0x003a861bb057)
allocated by thread T0 here:
#0 0x775f3f6088 (/system/lib64/libclang_rt.asan-aarch64-android.so+0xa2088)
#1 0x59861bf094 (/vendor/bin/qrtr-lookup+0x2094)
#2 0x775f72488c (/apex/com.android.runtime/lib64/bionic/libc.so+0x4988c)
#3 0x59861bf044 (/vendor/bin/qrtr-lookup+0x2044)
#4 0x7760b9fbb4 (/vendor/bin/qrtr-lookup+0x4cbb4)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/system/lib64/libclang_rt.asan-aarch64-android.so+0x72648)
Shadow bytes around the buggy address:
0x001750c375b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001750c375c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001750c375d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001750c375e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001750c375f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x001750c37600: fa fa 00 fa fa fa 00 fa fa fa[07]fa fa fa fa fa
0x001750c37610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001750c37620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001750c37630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001750c37640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001750c37650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4415==ABORTING
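To make the "Shadow bytes" section of the report above concrete, here is an added example (not code from the page, from Android or from LLVM) modelling how ASan encodes one shadow byte per 8 application bytes: a 7-byte allocation gets the `[07]` partial-addressability byte between `fa` redzones, and the 8-byte read the report flags fails the check. The heap size, redzone size and function names are this model's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#define HEAP_SIZE 256
#define REDZONE   16                  /* bytes of redzone on each side of a chunk */
#define SHADOW_FA 0xfa                /* "Heap left redzone" in the report legend */
#define SHADOW_FD 0xfd                /* "Freed heap region"                      */

static uint8_t heap[HEAP_SIZE];       /* fake heap (model assumption)             */
static uint8_t shadow[HEAP_SIZE / 8]; /* one shadow byte per 8 application bytes  */
static size_t  next_off = REDZONE;    /* bump allocator cursor, after a redzone   */

static size_t sidx(const uint8_t *a) { return (size_t)(a - heap) / 8; }

/* A fresh ASan heap region is entirely redzone until something is allocated. */
void asan_init(void) { for (size_t i = 0; i < HEAP_SIZE / 8; i++) shadow[i] = SHADOW_FA; }

/* malloc n bytes: full 8-byte words get 00, a partial last word gets its valid
 * byte count (01..07), and the redzones on either side keep their 0xfa.     */
uint8_t *asan_malloc(size_t n) {
    size_t words = (n + 7) / 8;
    if (n == 0 || next_off + words * 8 + REDZONE > HEAP_SIZE) return NULL;
    uint8_t *p = heap + next_off;
    for (size_t i = 0; i < words; i++) shadow[sidx(p) + i] = 0;
    if (n % 8) shadow[sidx(p) + words - 1] = (uint8_t)(n % 8);
    next_off += words * 8 + REDZONE;
    return p;
}

/* Check a size-byte access at a as instrumented code does: shadow 00 is fully
 * addressable, 01..07 allows only that many leading bytes of the 8-byte word,
 * and anything >= 0x80 (fa, fd, f1, ...) is poisoned.                        */
int asan_check(const uint8_t *a, size_t size) {
    for (size_t i = 0; i < size; i++) {
        uint8_t s = shadow[sidx(a + i)];
        if (s == 0) continue;
        if (s >= 0x80 || (size_t)((a + i - heap) % 8) >= s) return 0;
    }
    return 1;
}

/* free marks the chunk's words 0xfd; real ASan also holds the chunk in a
 * quarantine for a while, the window the comparison table's drawbacks refer to. */
void asan_free(uint8_t *p, size_t n) {
    for (size_t i = 0; i < (n + 7) / 8; i++) shadow[sidx(p) + i] = SHADOW_FD;
}

/* Shadow byte for an address, for comparing against the report's dump. */
uint8_t asan_shadow_of(const uint8_t *a) { return shadow[sidx(a)]; }
```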
On-device symbolization
- Push llvm-symbolizer to /system/bin
- If it is pushed to another directory, that directory must be in PATH, or set export ASAN_SYMBOLIZER_PATH=/system/bin/llvm-symbolizer
- llvm-symbolizer location: android\vendor\qcom\proprietary\llvm-arm-toolchain-ship\10.0\aarch64-linux-android\bin\llvm-symbolizer
- Push the module's unstripped library or binary (from android\out\target\product\sm4250\symbols) to its directory on the device
The report then resolves to concrete functions, line numbers and so on:
=================================================================
==6646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x003c452d8057 at pc 0x00749d4d364c bp 0x007fd09ac530 sp 0x007fd09abd10
READ of size 8 at 0x003c452d8057 thread T0
#0 0x749d4d3648 in printf_common(void*, char const*, std::__va_list) /out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:547:9
#1 0x749d4d3ff8 in __interceptor_vprintf /out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1645:1
#2 0x749d4d3ff8 in printf /out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1703:1
#3 0x5b452dc1a8 in main vendor/qcom/proprietary/qmi-framework/qrtr/src/lookup.c:143:5
#4 0x749d3a888c in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x4988c)
0x003c452d8057 is located 0 bytes to the right of 7-byte region [0x003c452d8050,0x003c452d8057)
allocated by thread T0 here:
#0 0x749d503088 in malloc /out/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x5b452dc194 in main vendor/qcom/proprietary/qmi-framework/qrtr/src/lookup.c:142:21
#2 0x749d3a888c in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x4988c)
#3 0x5b452dc044 in _start_main bionic/libc/arch-common/bionic/crtbegin.c:45:3
#4 0x749eb2dbb4 (/vendor/bin/qrtr-lookup+0x4cbb4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:547:9 in printf_common(void*, char const*, std::__va_list)
Shadow bytes around the buggy address:
0x001788a5afb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001788a5afc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001788a5afd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001788a5afe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x001788a5aff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x001788a5b000: fa fa 00 fa fa fa 00 fa fa fa[07]fa fa fa fa fa
0x001788a5b010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001788a5b020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001788a5b030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001788a5b040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x001788a5b050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6646==ABORTING
Aborted
Building libraries/binaries with symbols
- Push llvm-symbolizer to /system/bin
- Add the following to the module's build script:
Android.mk
LOCAL_STRIP_MODULE := false
Android.bp
strip :{keep_symbols: true,},
The report then resolves to concrete functions:
==10804==ERROR: HWAddressSanitizer: invalid-free on address 0x0038f7647040 at pc 0x0072ed942bb8
tags: 1a/96 (ptr/mem)
#0 0x72ed942bb4 in __sanitizer_free /out/llvm-project/compiler-rt/lib/hwasan/hwasan_interceptors.cpp:108:3
#1 0x57f764b0b8 in main (/vendor/bin/qrtr-lookup+0x20b8)
#2 0x72ed831174 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x4e174)
#3 0x57f764b044 in _start_main (/vendor/bin/qrtr-lookup+0x2044)
#4 0x72eefd3bb4 (/vendor/bin/qrtr-lookup+0x4cbb4)
[0x0038f7647040,0x0038f7647060) is a small unallocated heap chunk; size: 32 offset: 0
0x0038f7647040 is located 0 bytes inside of 7-byte region [0x0038f7647040,0x0038f7647047)
freed by thread T0 here:
#0 0x72ed942bb4 in __sanitizer_free /out/llvm-project/compiler-rt/lib/hwasan/hwasan_interceptors.cpp:108:3
#1 0x57f764b0b0 in main (/vendor/bin/qrtr-lookup+0x20b0)
#2 0x72ed831174 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x4e174)
#3 0x57f764b044 in _start_main (/vendor/bin/qrtr-lookup+0x2044)
#4 0x72eefd3bb4 (/vendor/bin/qrtr-lookup+0x4cbb4)
previously allocated here:
#0 0x72ed943084 in __sanitizer_malloc /out/llvm-project/compiler-rt/lib/hwasan/hwasan_interceptors.cpp:169:3
#1 0x72ed826bdc in malloc (/apex/com.android.runtime/lib64/bionic/libc.so+0x43bdc)
#2 0x57f764b094 in main (/vendor/bin/qrtr-lookup+0x2094)
#3 0x72ed831174 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x4e174)
#4 0x57f764b044 in _start_main (/vendor/bin/qrtr-lookup+0x2044)
#5 0x72eefd3bb4 (/vendor/bin/qrtr-lookup+0x4cbb4)
hwasan_dev_note_heap_rb_distance: 1 1023
Thread: T0 0x006900002000 stack: [0x007fd2fc0000,0x007fd37c0000) sz: 8388608 tls: [0x000000000000,0x000000000000)
Memory tags around the buggy address (one tag corresponds to 16 bytes):
0x006d8f764680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f7646a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f7646b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f7646c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f7646d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f7646e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f7646f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x006d8f764700: 08 00 08 00 [96] 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x006d8f764780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Tags for short granules around the buggy address (one tag corresponds to 16 bytes):
0x006d8f7646f0: .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
=>0x006d8f764700: e2 .. 7a .. [..] .. .. .. .. .. .. .. .. .. .. ..
0x006d8f764710: .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
See https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html#short-granules for a description of short granule tags
SUMMARY: HWAddressSanitizer: invalid-free /out/llvm-project/compiler-rt/lib/hwasan/hwasan_interceptors.cpp:108:3 in __sanitizer_free
Host-side symbolization
Copy the dump into a file named dumpinfo, in the following format (starting with a line of ===):
=================================================================
==24786==ERROR: AddressSanitizer: SEGV on unknown address 0x180001a46bc1c34 (pc 0x00761175f308 bp 0x007fc5f519b0 sp 0x007fc5f51970 T0)
==24786==The signal is caused by a READ memory access.
#0 0x761175f308 (/system/system_ext/lib64/libimsmedia_jni.so+0x3308)
#1 0x761175f1b8 in JNI_OnLoad (/system/system_ext/lib64/libimsmedia_jni.so+0x31b8)
#2 0x7681c104d8 in art::JavaVMExt::LoadNativeLibrary(_JNIEnv*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, _jobject*, _jclass*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) (/apex/com.android.art/lib64/libart.so+0x5be4d8)
#3 0x7678bf2128 in JVM_NativeLoad (/apex/com.android.art/lib64/libopenjdkjvm.so+0x8128)
#4 0x6fba7a24 (/apex/com.android.art/javalib/arm64/boot.oat+0x80a24)
Then run the following (asan_symbolize lives in android\external\compiler-rt\lib\asan\scripts):
asan_symbolize -s "$OUT/symbols"/ < ./external/compiler-rt/lib/asan/scripts/dumpinfo
This produces the following, including function names and line numbers:
#0 0x7332a21308 in _Z18load_ims_media_libPKc vendor/qcom/proprietary/commonsys/telephony-apps/ims/jni/media/ims_media_jni.cpp:477:56
#1 0x7332a211b8 in _Z18load_ims_media_libPKc vendor/qcom/proprietary/commonsys/telephony-apps/ims/jni/media/ims_media_jni.cpp:0:0
#2 0x73a24dc168 in _ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP7_jclassPS9_ art/runtime/jni/java_vm_ext.cc:1080:19
#3 0x7399a1b16c in JVM_NativeLoad art/openjdkjvm/OpenjdkJvm.cc:333:24