CRASH, APP CRASH, ASSERT: common.nzcv crashes natively on Android and causes a DR assert/crash
f03b62f1 ported common.nzcv to ARM and enabled it for Linux and Android, but it crashes natively on Android and, it seems, DR doesn't handle that fault very well:
Debug asserts:
http://dynamorio.org/CDash/testDetails.php?test=201133&build=18521
OK 1 N
OK 0 N
<Application /data/local/tmp/build_android-debug-internal-32/suite/tests/bin/common.nzcv (28959). Internal Error: DynamoRIO debug check failure: /work/dr/nightly/src/core/unix/signal.c:5530 sig > 0 && sig <= MAX_SIGNUM && IS_RT_FOR_APP(info, sig)
(Error occurred @3730 frags)
version 6.2.17200, custom build
-no_dynamic_options -code_api -stderr_mask 12 -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0xb6d9e98d 0x78af04b0>
Release crashes:
http://dynamorio.org/CDash/testDetails.php?test=201162&build=18522
OK 1 N
OK 0 N
<Application /data/local/tmp/build_android-release-external-32/suite/tests/bin/common.nzcv (29521). DynamoRIO internal crash at PC 0xb6ee2de8. Please report this at http://dynamorio.org/issues/. Program aborted.
Received SIGSEGV at unknown pc 0xb6ee2de8 in thread 29521
Base: 0xb6ef5000
Registers: r0 =0x00000000 r1 =0x00000000 r2 =0x00004001 r3 =0x00000064
r4 =0x0000001f r5 =0xb6ee2df9 r6 =0x00000001 r7 =0xbef9d9f8
r8 =0x00000000 r9 =0x00000000 r10=0x00000000 r11=0xbef9da3c
r12=0x00007351 r13=0xbef9d9f8 r14=0xb6ee2df9 r15=0xb6ee2de8
eflags=0x80070030
version 6.2.17200, custom build
-no_dynamic_options -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0xbef9da3c 0x00000001
0xb6ec468f 0xbd46bd77>
Getting on the device, common.nzcv crashes natively:
/data/local/tmp/build_android-debug-internal-32 # suite/tests/bin/common.nzcv
OK 1 N
OK 0 N
Segmentation fault
All I have time for is a quick run under DR debug -loglevel 4:
bb ilist after mangling:
TAG 0xb6c84de6
+0 m4 @0x5057fa7c <label>
+0 m4 @0x5057f900 f84a 0c00 str %r0 -> (%r10)[4byte]
+4 m4 @0x5058071c f644 50e8 movw $0x00004de8 -> %r0
+8 m4 @0x5057f3d4 f2cb 60c8 movt $0x0000b6c8 -> %r0
+12 L4 @0x50580780 6b83 ldr +0x38(%r0)[4byte] -> %r3
+14 m4 @0x505808b0 f8da 0000 ldr (%r10)[4byte] -> %r0
+18 L3 58e3 ldr (%r4,%r3)[4byte] -> %r3
+20 L3 461a mov %r3 -> %r2
+22 L3 687b ldr +0x04(%r7)[4byte] -> %r3
+24 L3 f852 3023 ldr (%r2,%r3,lsl 2)[4byte] -> %r3
+28 L3 4618 mov %r3 -> %r0
+30 m4 @0x5057f068 <label>
+30 m4 @0x5057f01c f644 5ef9 movw $0x00004df9 -> %lr
+34 m4 @0x5057fb14 f2cb 6ec8 movt $0x0000b6c8 -> %lr
+38 m4 @0x50580adc f8ca 2008 str %r2 -> +0x08(%r10)[4byte]
+42 m4 @0x5057e73c f644 6224 movw $0x00004e24 -> %r2
+46 m4 @0x50580ec4 f2cb 62c8 movt $0x0000b6c8 -> %r2
+50 L4 @0x5057ff3c f7d7 baa4 b $0x505521a0 <shared_bb_ibl_indcall>
END 0xb6c84de6
<...>
Fragment 3379, tag 0xb6c84de6, flags 0x1400030, shared, size 74:
-------- prefix entry: --------
0x50626148 f8da 0000 ldr (%r10)[4byte] -> %r0
-------- normal entry: --------
0x5062614c f84a 0c00 str %r0 -> (%r10)[4byte]
0x50626150 f644 50e8 movw $0x00004de8 -> %r0
0x50626154 f2cb 60c8 movt $0xb6c8 -> %r0[2byte]
0x50626158 6b83 ldr +0x38(%r0)[4byte] -> %r3
0x5062615a f8da 0000 ldr (%r10)[4byte] -> %r0
0x5062615e 58e3 ldr (%r4,%r3)[4byte] -> %r3
0x50626160 461a mov %r3 -> %r2
0x50626162 687b ldr +0x04(%r7)[4byte] -> %r3
0x50626164 f852 3023 ldr (%r2,%r3,lsl 2)[4byte] -> %r3
0x50626168 4618 mov %r3 -> %r0
0x5062616a f644 5ef9 movw $0x00004df9 -> %lr
0x5062616e f2cb 6ec8 movt $0xb6c8 -> %lr[2byte]
0x50626172 f8ca 2008 str %r2 -> +0x08(%r10)[4byte]
0x50626176 f644 6224 movw $0x00004e24 -> %r2
0x5062617a f2cb 62c8 movt $0xb6c8 -> %r2[2byte]
0x5062617e f000 b800 b $0x50626182 <exit stub 0>
-------- exit stub 0: -------- <target: 0x505521a0> type: indcall
0x50626182 f8ca 1004 str %r1 -> +0x04(%r10)[4byte]
0x50626186 f64b 3124 movw $0x0000bb24 -> %r1
0x5062618a f2c5 0162 movt $0x5062 -> %r1[2byte]
0x5062618e f8da f03c ldr +0x3c(%r10)[4byte] -> %pc
<...>
master_signal_handler: sig=11, retaddr=0x0000000b
siginfo: sig = 11, pid = 131, status = -1414812757, errno = 0, si_code = 1
r0 =0x00000000
r1 =0x00000000
r2 =0x00004001
r3 =0x00000064
r4 =0x0000001f
r5 =0xb6c84df9
r6 =0x00000001
r7 =0xbec99968
r8 =0x00000000
r9 =0x00000000
r10 =0x50569000
r11 =0xbec999ac
r12 =0x00001214
sp =0xbec99968
r14 =0xb6c84df9
pc =0x5062615e
cpsr=0x80070030
computing memory target for 0x5062615e causing SIGSEGV, kernel claims it is 0x00000083
<...>
system call 173
rt_sigreturn()
xsp is 0xb6c5fc90
SYSLOG_ERROR: Application /data/local/tmp/build_android-debug-internal-32/suite/tests/bin/common.nzcv (4628). Internal Error: DynamoRIO debug check failure: /work/dr/nightly/src/core/unix/signal.c:5530 sig > 0 && sig <= MAX_SIGNUM && IS_RT_FOR_APP(info, sig)
(Error occurred @3729 frags)
Unfortunately it looks like the ARM-Linux CDash machine hasn't run since Dec 31. Does this work at all on ARM or is this problem limited to Android? If the former, please revert; if the latter, please disable this test on Android until it is made to work both natively and under DR.