CRASH in ARM Android while adding a client
Created by: sudakshina-das-arm
While adding a client to DynamoRIO, I get a SIGSEGV:
07-07 17:07:52.556 I/wrap.sh (14542): referenceTable GDEF length=814 1
07-07 17:07:52.587 I/wrap.sh (14542): referenceTable GSUB length=11364 1
07-07 17:07:52.652 I/wrap.sh (14542): referenceTable GPOS length=47302 1
07-07 17:08:16.878 I/wrap.sh (14542): <Application /system/bin/app_process32 (14543). Tool internal crash at PC 0xb6e7a128. Please report this at your tool's issue tracker. Program aborted.
07-07 17:08:16.878 I/wrap.sh (14542): Received SIGSEGV at pc 0xb6e7a128 in thread 14626
07-07 17:08:16.878 I/wrap.sh (14542): Base: 0xb6e06000
07-07 17:08:16.878 I/wrap.sh (14542): Registers: r0 =0x0000000b r1 =0x0000000c r2 =0x0000044c r3 =0x4a9fa054
07-07 17:08:16.879 I/wrap.sh (14542): r4 =0x0000000c r5 =0xb6f45000 r6 =0x4a9fa050 r7 =0x4c739000
07-07 17:08:16.879 I/wrap.sh (14542): r8 =0x0000000c r9 =0x00000001 r10=0x0000000c r11=0x0003dfe0
07-07 17:08:16.879 I/wrap.sh (14542): r12=0x00002e68 r13=0x4c5b6cb8 r14=0xb6e7a1d3 r15=0xb6e7a128
07-07 17:08:16.879 I/wrap.sh (14542): eflags=0x800f0030
07-07 17:08:16.879 I/wrap.sh (14542): version 6.2.17301, custom build
07-07 17:08:16.879 I/wrap.sh (14542): -no_dynamic_options -client_lib '/data/local/tmp/fresh-build/clients/libCFG.so;0;"-human-readable" "-o" "/data/local/tmp/fresh-build/client.json"' -code_api -no_use_all_memory_areas -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_n>
The crash seems to be occurring in common_heap_alloc:
Thread 10 "android.youtube" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 5454.5610]
common_heap_alloc (tu=tu@entry=0x4ccd2050, size=size@entry=8) at /dynamorio/core/heap.c:3421
3421 tu->free_list[bucket] = *((heap_pc *)p);
(gdb) where
#0 common_heap_alloc (tu=tu@entry=0x4ccd2050, size=size@entry=8) at /dynamorio/core/heap.c:3421
#1 0x2a07649a in common_global_heap_alloc (size=8, tu=0x4ccd2050) at /dynamorio/fresh/core/heap.c:2658
#2 global_heap_alloc (size=8) at /dynamorio/core/heap.c:2705
#3 heap_alloc (dcontext=dcontext@entry=0xffffffff, size=size@entry=8) at /dynamorio/core/heap.c:3604
#4 0x2a06aa30 in dr_strdup (str=0x4cd29320 "libc.so") at /dynamorio/core/utils.c:4542
#5 0x2a09a688 in create_and_initialize_module_data (flags=0, names=0x4cd2d4f0, names=0x4cd2d4f0, timestamp=0, segments=0x0, os_segments=0x4cd2d5e0, num_segments=2,
contiguous=true, full_path=0x4cd2d4bc "/system/lib/libc.so", entry_point=0xb6a6e000 "\177ELF\001\001\001", end=0xb6af1000 "\177ELF\001\001\001",
start=0xb6a6e000 "\177ELF\001\001\001") at /dynamorio/core/lib/instrument.c:1769
#6 copy_module_area_to_module_data (area=0x4cd2d4e0) at /dynamorio/core/lib/instrument.c:1815
#7 0x2a09c222 in dr_lookup_module (pc=0xb6aaf564 "\a\300\240\341\334p\240", <incomplete sequence \343>) at /dynamorio/core/lib/instrument.c:3683
#8 0xb6f486dc in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) p p
$1 = (heap_pc) 0xb <error: Cannot access memory at address 0xb>
(gdb) p tu->free_list
$2 = {0xb <error: Cannot access memory at address 0xb>, 0x4e42c87c " \306qM.oat", 0x4d719fb0 "ȟqM", 0x4e4244d4 "\b\320BNem@framework@boot.oat", 0x4e42cfd0 "",
0x4ccf2670 "\260\037\317La/app/com.google.android.youtube-2/oat/arm/base.odex", 0x0, 0x0, 0x4d1d09f4 "\230\t\035M\001", 0x0, 0x0, 0x0, 0x4ccd5e14 "\220[\315L?"}
(gdb) list
3416 p = NULL;
3417 }
3418 } else {
3419 /* fixed-length free block available */
3420 p = tu->free_list[bucket];
3421 tu->free_list[bucket] = *((heap_pc *)p);
3422 ASSERT(ALIGNED(tu->free_list[bucket], HEAP_ALIGNMENT));
3423 #ifdef DEBUG_MEMORY
3424 /* ensure memory we got from the free list is in a heap unit */
3425 DOCHECK(CHKLVL_DEFAULT, { /* expensive check */
It does not always crash, and the backtrace does not always originate from the same point, though the crash is always at the same place.
Thread 9 "background2-2" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 6785.6907]
common_heap_alloc (tu=tu@entry=0x51f1e050, size=size@entry=12) at /dynamorio/core/heap.c:3421
3421 tu->free_list[bucket] = *((heap_pc *)p);
(gdb) where
#0 common_heap_alloc (tu=tu@entry=0x51f1e050, size=size@entry=12) at /dynamorio/core/heap.c:3421
#1 0x2a07649a in common_global_heap_alloc (size=12, tu=0x51f1e050) at dynamorio/core/heap.c:2658
#2 global_heap_alloc (size=12) at /dynamorio/core/heap.c:2705
#3 heap_alloc (dcontext=dcontext@entry=0xffffffff, size=size@entry=12) at /dynamorio/core/heap.c:3604
#4 0x2a0e6e26 in add_all_memory_area (shareable=false, type=2, prot=9, end=0xb6ca8000 "", start=0xb6ca7000 "") at /dynamorio/core/unix/memcache.c:227
#5 memcache_update (start=start@entry=0xb6ca7000 "", end_in=end_in@entry=0xb6ca8000 "", prot=prot@entry=9, type=type@entry=-1)
at /dynamorio/core/unix/memcache.c:304
#6 0x2a0e6f1a in memcache_update_locked (start=start@entry=0xb6ca7000 "", end=end@entry=0xb6ca8000 "", prot=9, type=type@entry=-1, exists=exists@entry=true)
at /dynamorio/core/unix/memcache.c:335
#7 0x2a0da714 in pre_system_call (dcontext=dcontext@entry=0x534446a0) at /dynamorio/core/unix/os.c:6849
#8 0x2a064402 in handle_system_call (dcontext=dcontext@entry=0x534446a0) at /dynamorio/core/dispatch.c:1983
#9 0x2a065438 in dispatch_enter_dynamorio (dcontext=0x534446a0) at /dynamorio/core/dispatch.c:883
#10 dispatch (dcontext=0x534446a0) at /dynamorio/core/dispatch.c:164
#11 0xb6fdc532 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) p tu
$1 = (thread_units_t *) 0x51f1e050
(gdb) p *tu
$2 = {top_unit = 0x51f1d000, cur_unit = 0x53c8d000, free_list = {0x5205ac3c "4u\311S\001", 0x65736162 <error: Cannot access memory at address 0x65736162>, 0x53440968 "HtCS\a",
0x53c946ac "\320F\311S", 0x53c97548 "", 0x0, 0x0, 0x0, 0x5283bd20 "p\371\203Ra/dalvik-cache/arm/system@framework@com.android.media.remotedisplay.jar@classes.dex", 0x0, 0x0,
0x53c97dac "", 0x52040454 "\320\001\004R\001"}, dcontext = 0xffffffff, writable = true}
Also, it does not crash for smaller APKs like Calculator and Calendar. Would anyone know what could be causing the heapmgt->global_units->free_list to have such invalid values? Also, because these are non-NULL invalid values, I cannot even hack it to prevent the SEGV.
@egrimley suggested it could be related to the race issue #2502.
Sudi
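As an added illustration (not DynamoRIO's code and not part of the report above), the C model below shows the free-list pattern behind the quoted common_heap_alloc lines and why the values in the tu->free_list dumps are diagnostic. A freed block's first word holds the link to the next free block, so anything that writes into a block after it has been freed, or an unsynchronized push/pop from two threads, replaces that link with whatever was written; the entry 0x65736162 in the second dump is the little-endian ASCII bytes "base", i.e. string data sitting where a link should be, and 0xb in the first is simply not an aligned address. The model validates each link for alignment and arena membership before it becomes the new list head, so corruption is reported at the pop instead of faulting on the next dereference, and it reproduces the failure with a constructed use-after-free write. The names (bucket_t, bucket_alloc, valid_link, link_as_ascii), the block and arena sizes, and the alignment constant are this example's own assumptions, not DynamoRIO's values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model (added example, not DynamoRIO code) of a fixed-size
 * free-list bucket: each free block stores the address of the next free
 * block in its first word, the same pattern as
 *     p = tu->free_list[bucket];  tu->free_list[bucket] = *((heap_pc *)p);
 */
#define ARENA_SIZE 4096                 /* sizes are this example's choice */
#define BLOCK_SIZE 16
#define NUM_BLOCKS (ARENA_SIZE / BLOCK_SIZE)
#define HEAP_ALIGNMENT sizeof(void *)   /* example's value, not DR's */

typedef unsigned char *heap_pc;

typedef struct {
    _Alignas(16) unsigned char arena[ARENA_SIZE];  /* backing memory */
    heap_pc free_list;                             /* head of intrusive list */
} bucket_t;

/* memcpy keeps the link accesses free of strict-aliasing problems */
static heap_pc read_link(heap_pc blk) { heap_pc v; memcpy(&v, blk, sizeof v); return v; }
static void write_link(heap_pc blk, heap_pc v) { memcpy(blk, &v, sizeof v); }

/* A link is acceptable only if it is NULL (end of list) or an aligned
 * address inside this bucket's arena. Both 0xb and 0x65736162 fail here. */
bool valid_link(const bucket_t *b, heap_pc p) {
    if (p == NULL) return true;
    if ((uintptr_t)p % HEAP_ALIGNMENT != 0) return false;
    return p >= b->arena && p + BLOCK_SIZE <= b->arena + ARENA_SIZE;
}

void bucket_init(bucket_t *b) {
    memset(b->arena, 0, sizeof b->arena);
    b->free_list = NULL;
    for (int i = NUM_BLOCKS - 1; i >= 0; i--) {   /* thread every block on */
        heap_pc blk = b->arena + (size_t)i * BLOCK_SIZE;
        write_link(blk, b->free_list);
        b->free_list = blk;
    }
}

/* Pop the head block. Unlike the quoted code, the link read out of the block
 * is checked before it becomes the new head, so a corrupted link is reported
 * (corrupt = true, NULL returned) rather than dereferenced on the next call. */
heap_pc bucket_alloc(bucket_t *b, bool *corrupt) {
    heap_pc p = b->free_list;
    *corrupt = false;
    if (p == NULL) return NULL;                  /* bucket exhausted */
    heap_pc next = read_link(p);
    if (!valid_link(b, next)) {
        *corrupt = true;
        fprintf(stderr, "free-list corruption: block %p links to %p\n",
                (void *)p, (void *)next);
        return NULL;
    }
    b->free_list = next;
    return p;
}

void bucket_free(bucket_t *b, heap_pc p) {
    write_link(p, b->free_list);
    b->free_list = p;
}

/* Render the low four bytes of a bogus link in little-endian memory order,
 * the way they sat in RAM on the 32-bit ARM target: 0x65736162 -> "base". */
void link_as_ascii(uintptr_t v, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char c = (v >> (8 * i)) & 0xff;
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[4] = '\0';
}

/* Healthy path: a fresh bucket hands out exactly NUM_BLOCKS blocks. */
int count_fresh_allocs(void) {
    bucket_t b; bool corrupt = false; int n = 0;
    bucket_init(&b);
    while (bucket_alloc(&b, &corrupt) != NULL) n++;
    return corrupt ? -1 : n;
}

/* Failure mode from the report: a block is freed, then written through the
 * stale pointer (constructed use-after-free). The string lands on the link
 * word, so the next pop would follow an ASCII "pointer". Returns 1 if the
 * validation caught it. */
int demo_use_after_free(void) {
    bucket_t b; bool corrupt = false;
    bucket_init(&b);
    heap_pc a = bucket_alloc(&b, &corrupt);
    bucket_free(&b, a);                 /* a is head again; its link is valid */
    memcpy(a, "base.odex", 10);         /* the bug: stale write over the link */
    heap_pc d = bucket_alloc(&b, &corrupt);
    return (d == NULL && corrupt) ? 1 : 0;
}

int main(void) {
    char s[5];
    link_as_ascii(0x65736162u, s);
    printf("fresh bucket yields %d blocks\n", count_fresh_allocs());
    printf("use-after-free caught: %d\n", demo_use_after_free());
    printf("0x65736162 as bytes: \"%s\"\n", s);
    return 0;
}
```

The check costs one comparison per pop and turns a crash at an unrelated later allocation (as in the two backtraces above, which fault in dr_strdup and add_all_memory_area long after the corruption happened) into a report naming the block whose link was overwritten, which is the block to watch for a stale write or a racing free.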