Following the official guide, I tested ASan on Android P against a use-after-free scenario; the notes are collected here. From now on, user-space memory-corruption bugs are at least a lot less scary.
https://source.android.com/devices/tech/debug/asan?tdsourcetag=s_pctim_aiomsg
1. All apps
① In the frameworks/base/cmds/app_process repo, add to Android.mk:
LOCAL_SANITIZE:=address
② In the system/core/rootdir repo, add to init.zygote(32|64).rc:
setenv LD_LIBRARY_PATH /system/lib/asan:/system/lib
setenv ASAN_OPTIONS allow_user_segv_handler=true
Build the full image. An app that performs an invalid pointer access will crash and print a stack trace; see asan_app.txt for a reference log.
2. Single app
A regular (non-ASan) build is enough.
① Disable SELinux:
setenforce 0
② Set the wrap.<package> property for the app:
setprop wrap.com.droidlogic.inputmethod.remote asanwrapper
An invalid pointer access in the app crashes it and prints a stack trace; see asan_single_app.txt for a reference log.
3. Binaries
① Build with Clang:
LOCAL_CLANG:=true
② Add LOCAL_SANITIZE:=address to the executable's build rule:
LOCAL_SANITIZE:=address
An invalid pointer access crashes the binary and prints a stack trace; see asan_bin.txt for a reference log.
In this test, neither the double free nor the memory leak was detected; the use-after-free was.
4. Shared libraries
① The binary that uses the shared library must also be built with ASan.
② Build the shared library with ASan and install it under system(vendor)/lib/asan:
LOCAL_SANITIZE:=address
LOCAL_MODULE_RELATIVE_PATH := asan
③ Set the environment variable:
export LD_LIBRARY_PATH=/system/lib/asan
For a system-service binary, add setenv LD_LIBRARY_PATH /system/lib/asan to its entry in the init.rc file;
then run the binary and detection works. To confirm that it is really loading the library from the asan directory, remove that library and check again.
Reference log: asan_sharedlib.txt
--------- beginning of main
11-12 11:46:36.799 3009 3130 D WificondControl: Scan result ready event
11-12 11:46:36.800 3009 3030 I EthernetTracker: interfaceLinkStateChanged, iface: wlan0, up: true
11-12 11:46:36.931 3009 3019 I system_server: Background concurrent copying GC freed 17553(813KB) AllocSpace objects, 9(380KB) LOS objects, 19% free, 4MB/5MB, paused 168us total 121.166ms
11-12 11:46:37.489 3879 3879 D : test main
11-12 11:46:37.490 3879 3879 D TEST : test begin1
11-12 11:46:37.490 3879 3879 D TEST : double free
11-12 11:46:37.490 3879 3879 I : =================================================================
11-12 11:46:37.490 3879 3879 I :
11-12 11:46:37.491 3879 3879 I :
11-12 11:46:37.491 3879 3879 I : ==3879==ERROR: AddressSanitizer: heap-use-after-free on address 0xb0400750 at pc 0xb2137eac bp 0xbee839c8 sp 0xbee839c4
11-12 11:46:37.491 3879 3879 I :
11-12 11:46:37.491 3879 3879 I :
11-12 11:46:37.492 3879 3879 I : READ of size 4 at 0xb0400750 thread T0
11-12 11:46:37.492 3879 3879 I :
11-12 11:46:37.500 3879 3879 I : #0 0xb2137eab (/vendor/lib/asan/libtest.so+0xeab)
11-12 11:46:37.500 3879 3879 I :
11-12 11:46:37.500 3879 3879 I : #1 0xb20d3f55 (/system/lib/libc.so+0x88f55)
11-12 11:46:37.500 3879 3879 I :
11-12 11:46:37.501 3879 3879 I : #2 0x8dfeac65 (/vendor/bin/test+0xc65)
11-12 11:46:37.501 3879 3879 I :
11-12 11:46:37.501 3879 3879 I chatty : uid=0(root) identical 1 line
11-12 11:46:37.501 3879 3879 I :
11-12 11:46:37.501 3879 3879 I : 0xb0400750 is located 0 bytes inside of 8-byte region [0xb0400750,0xb0400758)
11-12 11:46:37.501 3879 3879 I :
11-12 11:46:37.502 3879 3879 I : freed by thread T0 here:
11-12 11:46:37.502 3879 3879 I :
11-12 11:46:37.502 3879 3879 I : #0 0xb1a33e03 (/system/lib/libclang_rt.asan-arm-android.so+0xafe03)
11-12 11:46:37.502 3879 3879 I :
11-12 11:46:37.503 3879 3879 I : #1 0xb2137e27 (/vendor/lib/asan/libtest.so+0xe27)
11-12 11:46:37.503 3879 3879 I :
11-12 11:46:37.503 3879 3879 I chatty : uid=0(root) identical 1 line
11-12 11:46:37.503 3879 3879 I :
11-12 11:46:37.503 3879 3879 I : previously allocated by thread T0 here:
11-12 11:46:37.503 3879 3879 I :
11-12 11:46:37.504 3879 3879 I : #0 0xb1a3414b (/system/lib/libclang_rt.asan-arm-android.so+0xb014b)
11-12 11:46:37.504 3879 3879 I :
11-12 11:46:37.504 3879 3879 I : #1 0xb2137e1f (/vendor/lib/asan/libtest.so+0xe1f)
11-12 11:46:37.504 3879 3879 I :
11-12 11:46:37.505 3879 3879 I chatty : uid=0(root) identical 1 line
11-12 11:46:37.505 3879 3879 I :
11-12 11:46:37.505 3879 3879 I : SUMMARY: AddressSanitizer: heap-use-after-free (/vendor/lib/asan/libtest.so+0xeab)
11-12 11:46:37.505 3879 3879 I :
11-12 11:46:37.507 3879 3879 I : Shadow bytes around the buggy address:
11-12 11:46:37.507 3879 3879 I : 0xa7a00090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : =>0xa7a000e0: fa fa fa fa fa fa fa fa fa fa[fd]fa fa fa 05 fa
11-12 11:46:37.507 3879 3879 I : 0xa7a000f0: fa fa 04 fa fa fa 04 fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a00100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a00110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a00120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : 0xa7a00130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
11-12 11:46:37.507 3879 3879 I : Shadow byte legend (one shadow byte represents 8 application bytes):
11-12 11:46:37.507 3879 3879 I : Addressable: 00
11-12 11:46:37.507 3879 3879 I : Partially addressable: 01 02 03 04 05 06 07
11-12 11:46:37.507 3879 3879 I : Heap left redzone: fa
11-12 11:46:37.507 3879 3879 I : Freed heap region: fd
11-12 11:46:37.507 3879 3879 I : Stack left redzone: f1
11-12 11:46:37.507 3879 3879 I : Stack mid redzone: f2
11-12 11:46:37.507 3879 3879 I : Stack right redzone: f3
11-12 11:46:37.507 3879 3879 I : Stack after return: f5
11-12 11:46:37.507 3879 3879 I : Stack use after scope: f8
11-12 11:46:37.507 3879 3879 I : Global redzone: f9
11-12 11:46:37.507 3879 3879 I : Global init order: f6
11-12 11:46:37.507 3879 3879 I : Poisoned by user: f7
11-12 11:46:37.507 3879 3879 I : Container overflow: fc
11-12 11:46:37.507 3879 3879 I : Array cookie: ac
11-12 11:46:37.507 3879 3879 I : Intra object redzone: bb
11-12 11:46:37.507 3879 3879 I : ASan internal: fe
11-12 11:46:37.507 3879 3879 I : Left alloca redzone: ca
11-12 11:46:37.507 3879 3879 I : Right alloca redzone: cb
11-12 11:46:37.507 3879 3879 I :
11-12 11:46:37.508 3879 3879 I : ==3879==ABORTING
11-12 11:46:37.508 3879 3879 I :
--------- beginning of crash
11-12 11:46:37.508 3879 3879 F libc : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 3879 (test), pid 3879 (test)
11-12 11:46:37.539 3882 3882 I crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
11-12 11:46:37.540 2968 2968 I /system/bin/tombstoned: received crash request for pid 3879
11-12 11:46:37.540 3882 3882 I crash_dump32: performing dump of process 3879 (target tid = 3879)
11-12 11:46:37.543 3882 3882 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
11-12 11:46:37.543 3882 3882 F DEBUG : Build fingerprint: 'Droidlogic/ampere/ampere:9/PI/20181109:userdebug/test-keys'
11-12 11:46:37.543 3882 3882 F DEBUG : Revision: '0'
11-12 11:46:37.543 3882 3882 F DEBUG : ABI: 'arm'
11-12 11:46:37.543 3882 3882 F DEBUG : pid: 3879, tid: 3879, name: test >>> vendor/bin/test <<<
11-12 11:46:37.543 3882 3882 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
11-12 11:46:37.543 3882 3882 F DEBUG : Abort message too long: claimed length = 2209
11-12 11:46:37.543 3882 3882 F DEBUG : r0 00000000 r1 00000f27 r2 00000006 r3 b20e1918
11-12 11:46:37.543 3882 3882 F DEBUG : r4 00000f27 r5 00000f27 r6 bee82efc r7 0000010c
11-12 11:46:37.543 3882 3882 F DEBUG : r8 00000001 r9 bee839c8 r10 00000000 r11 bee839a8
11-12 11:46:37.543 3882 3882 F DEBUG : ip b1eb86a0 sp bee82ee8 lr b20700e5 pc b2067e72
11-12 11:46:37.553 3882 3882 F DEBUG :
11-12 11:46:37.553 3882 3882 F DEBUG : backtrace:
11-12 11:46:37.553 3882 3882 F DEBUG : #00 pc 0001ce72 /system/lib/libc.so (abort+62)
11-12 11:46:37.553 3882 3882 F DEBUG : #01 pc 0002ed8c /system/lib/libclang_rt.asan-arm-android.so (__sanitizer::Abort()+68)
11-12 11:46:37.553 3882 3882 F DEBUG : #02 pc 0002c0b4 /system/lib/libclang_rt.asan-arm-android.so (__sanitizer::Die()+180)
11-12 11:46:37.553 3882 3882 F DEBUG : #03 pc 000b63d4 /system/lib/libclang_rt.asan-arm-android.so (__asan::ScopedInErrorReport::~ScopedInErrorReport()+352)
11-12 11:46:37.553 3882 3882 F DEBUG : #04 pc 000b58d4 /system/lib/libclang_rt.asan-arm-android.so (__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool)+396)
11-12 11:46:37.553 3882 3882 F DEBUG : #05 pc 000b6820 /system/lib/libclang_rt.asan-arm-android.so (__asan_report_load4+52)
11-12 11:46:37.553 3882 3882 F DEBUG : #06 pc 00000ea8 /vendor/lib/asan/libtest.so (doTest()+212)
11-12 11:46:37.553 3882 3882 F DEBUG : #07 pc 00088f55 /system/lib/libc.so (__libc_init+48)
11-12 11:46:37.553 3882 3882 F DEBUG : #08 pc 00000c63 /vendor/bin/test (_start_main+46)
11-12 11:46:37.553 3882 3882 F DEBUG : #09 pc 00018037 /system/bin/linker (__dl__ZN6soinfoD1Ev+14)
11-12 11:46:37.553 3882 3882 F DEBUG : #10 pc 00020b3b [stack:bee63000]
--------- beginning of system
11-12 11:46:37.581 3009 3138 W NativeCrashListener: Couldn't find ProcessRecord for pid 3879
11-12 11:46:37.581 2968 2968 E /system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_05
11-12 11:46:37.587 3009 3029 I BootReceiver: Copying /data/tombstones/tombstone_05 to DropBox (SYSTEM_TOMBSTONE)
11-12 11:46:40.890 2961 2980 E storaged: getDiskStats failed with result NOT_SUPPORTED and size 0
11-12 11:46:43.052 3009 3019 I system_server: Background concurrent copying GC freed 15823(686KB) AllocSpace objects, 9(380KB) LOS objects, 19% free, 4MB/5MB, paused 272us total 121.061ms
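As an added example (not part of the original notes), a small Python triage script that pulls the key fields out of a logcat-embedded ASan report such as the asan_sharedlib.txt log above, so the unsymbolized (module+offset) frames can be fed to addr2line against the unstripped ASan build. The sample input is constructed from that log's lines, and the logcat prefix is assumed to be the default threadtime format.

```python
import re
# Constructed sample in the logcat framing of the asan_sharedlib.txt log above; the
# addresses and module offsets are copied from that log, other lines are omitted.
SAMPLE_LOG = """\
11-12 11:46:37.491 3879 3879 I : ==3879==ERROR: AddressSanitizer: heap-use-after-free on address 0xb0400750 at pc 0xb2137eac bp 0xbee839c8 sp 0xbee839c4
11-12 11:46:37.492 3879 3879 I : READ of size 4 at 0xb0400750 thread T0
11-12 11:46:37.500 3879 3879 I : #0 0xb2137eab (/vendor/lib/asan/libtest.so+0xeab)
11-12 11:46:37.501 3879 3879 I : 0xb0400750 is located 0 bytes inside of 8-byte region [0xb0400750,0xb0400758)
11-12 11:46:37.502 3879 3879 I : freed by thread T0 here:
11-12 11:46:37.502 3879 3879 I : #0 0xb1a33e03 (/system/lib/libclang_rt.asan-arm-android.so+0xafe03)
11-12 11:46:37.503 3879 3879 I : #1 0xb2137e27 (/vendor/lib/asan/libtest.so+0xe27)
11-12 11:46:37.503 3879 3879 I : previously allocated by thread T0 here:
11-12 11:46:37.504 3879 3879 I : #0 0xb1a3414b (/system/lib/libclang_rt.asan-arm-android.so+0xb014b)
11-12 11:46:37.504 3879 3879 I : #1 0xb2137e1f (/vendor/lib/asan/libtest.so+0xe1f)
11-12 11:46:37.505 3879 3879 I : SUMMARY: AddressSanitizer: heap-use-after-free (/vendor/lib/asan/libtest.so+0xeab)
"""
# logcat threadtime prefix: date time pid tid level tag : message (the tag is empty on ASan lines)
LOGCAT = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+[VDIWEF]\s+[^:]*:\s?(.*)$")
HEADER = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+\s+\((\S+)\+(0x[0-9a-f]+)\)")  # unsymbolized frame

def parse_asan_report(log_text):
    """Extract the first ASan report from logcat text into a dict; None if there is none."""
    report, section = None, None
    for line in log_text.splitlines():
        m = LOGCAT.match(line)
        if not m:
            continue  # e.g. the "--------- beginning of main" separators
        msg = m.group(1).strip()
        if report is None:  # ignore everything before the report header
            if h := HEADER.search(msg):
                report = {"pid": int(h.group(1)), "kind": h.group(2), "address": h.group(3), "stacks": {"access": [], "freed": [], "allocated": []}}
            continue
        if a := ACCESS.match(msg):
            report["access"], report["size"], report["thread"] = a.group(1), int(a.group(2)), a.group(3)
            section = "access"
        elif r := REGION.search(msg):
            report["offset_in_region"], report["region_size"] = int(r.group(1)), int(r.group(2))
        elif msg.startswith(("freed by thread", "previously allocated by thread")):
            section = "freed" if msg.startswith("freed") else "allocated"
        elif msg.startswith("SUMMARY: AddressSanitizer:"):
            break  # only the shadow-byte dump follows
        elif section and (f := FRAME.match(msg)):
            report["stacks"][section].append((f.group(1), int(f.group(2), 16)))  # (module, offset)
    return report

def frames_to_symbolize(report, module_suffix):  # offsets in one module across all stacks, for addr2line
    return sorted({off for frames in report["stacks"].values() for mod, off in frames if mod.endswith(module_suffix)})
```

Run the returned offsets through addr2line on the unstripped libtest.so from the ASan build output to recover the source lines for the access, the free and the allocation.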