This is not possible in the real world, so prevent this particular case
to avoid leaking memory and any other issues.
Bug: 165619316
Test: Verified the fuzzer test case that caused a leak no longer leaks.
Change-Id: I352b3bd21a4931432e015af89c256ddbcdaa1070
There are a few bugs in this routine, so fix them and add unit tests
to cover the cases.
Test: Unit tests pass.
Change-Id: I9bcb9b9fbe33d56a17a613ae3aa88036bd1d0ef1
A previous cl missed adding a return in the new path which could result
in a crash if the map info is null. Add the return back.
Added a new test to catch this case.
Bug: 166188440
Test: Unit tests pass. Verified the new test crashes on the old code.
Change-Id: I9420b47dae0f880493c0e6a60d97bb3468ff2906
Currently, while evaluating a Dwarf section, even pseudoregisters are
saved in regs_info. Since pseudoregisters are stored separately from
ordinary registers, trying to read them the usual way will result in
an out-of-bounds read. There's no memory corruption as regs_info is
big enough to store all existing pseudoregisters.
With this patch, pseudoregisters are simply not saved in regs_info.
Added new unit tests to cover the pseudo register cases.
Test: libunwindstack_test
Change-Id: If21b2a79f2fcca85644eec430f3d22e354b001ec
This way, the profilers will know they have to reparse maps.
Bug: 163130539
Test: Verified updated unit tests pass.
Change-Id: I88a801ffdda12811eab5e4833dcf472f2d75c09a
The fuzzer was creating individual maps that overlapped with other maps.
Since this is not possible in the real world unless the kernel is broken,
do not let the fuzzer do this. This resulted in memory leaks, because some
parts of the code have this assumption baked in.
Bug: 160895854
Test: Ran fuzzer test case that leaked memory and verified it no longer does.
Change-Id: I9f3c1e28781093b041b747e1566fb51d40d2bf71
This patch adds support for handling return addresses signed with
pointer authentication. It simply strips the authentication code
without verifying its correctness, and thus works with both A and B
keys and through key-change boundaries.
Additons:
* DW_CFA_AARCH64_negate_ra_state: new CFA operation.
* RA_SIGN_STATE: new pseudo register.
* Pass the arch to DwarfCfa so that the new op is only executed
on aarch64.
The stripping uses the xpaclri instruction. This is a hint space
instruction which is compatible with pre Armv8.3-A devices. For cases
where it cannot be used, a mask can be set instead.
Test: libunwindstack_test
Without this patch all UnwindTest.* testcases should fail if
compiled with Pointer Authentication.
The tests should be executed with both -mbranch-protection=pac-ret and
pac-ret+leaf flags so that either some or all functions have pointer
authentication instructions.
Change-Id: Id7c3f1d0e2fc7fccb19bd1430826264405a9df7c
Adds a fuzzer for Unwinder. This will likely cover a large portion of the library, as it uses many of the library's features
in the process of setting up the Unwinder. Hopefully this, combined with the calls Unwinder makes internally, will provide
sufficient coverage.
Rough coverage estimate (this is drastically lower than the true number due to shared libraries): 6.6%
Test: Ran on device for a few hours
Signed-off-by: Dylan Katz <dylan.katz@leviathansecurity.com>
Change-Id: I813e204df595ff38dccfb73be7fff5c080aaa043
Libunwindstack would remove duplicated items and update the `prev_map`
during reparsing `/proc/self/maps`. But we leave `prev_real_map`
pointing toward a MapInfo that will be deleted soon. It will cause a
dangling pointer issue.
Add new tests to cover this dangling pointer issue.
Bug: 155511785
Test: libunwindstack_test
Change-Id: I62e1b97bcb73f07e9349671f0b758f5ec9de16c0
Relanding unchanged - the build problem was due to a split topic.
Test: m checkbuild
Test: atest libunwindstack_unit_test
Test: lunch fvp-userdebug && mmm system/core/libunwindstack
Bug: 152255951
Change-Id: Ifd1ced65b840ef216630906eec1ec31233e0c5f1
Reason for revert: Breaks rvc-d1-dev-plus-aosp: http://ab/6443190
Reverted Changes:
Ide447b89a:bionic_libc_platform_headers is only available whe...
Ia93cd3ec8:bionic_libc_platform_headers is only available whe...
Icdc495588:Make bionic_platform_headers available only for Bi...
Idfd7c87dc:bionic_libc_platform_headers is only available whe...
Bug: 152255951
Bug: 155269399
Change-Id: I4e6beba5565e604fde3a51cdce5cc4041caffa4e
Tagged pointer for aarch64 since Android R would lead top byte to have
random values. For example of a symbol from libart.so in a hwasan
enabled device in Android R:
1490: 8800000000b094a0 144 OBJECT GLOBAL 24 __dex_debug_descriptor
We need to mask off the top byte so that the address range comparison
would work as intended.
Test: Ran new unit test
Signed-off-by: Yong Li <yongl0722@gmail.com>
Change-Id: Ia8c638e16baff57740c569e9eaf9cfd1f5bd3fad
This function is responsible for majority of CPU time in prefetto.
Reduce the number of memory reads (don't read strings byte-by-byte).
Update all calls of ReadString to include the third parameter to have
a max read.
Add an Elf creation benchmark since this function is on the elf
creation path.
Test: libunwindstack_unit_test
Change-Id: Ia36e1f1a5ba76c9e9f13c43fb9e3691dde7897f2
ELF symbols are not sorted by address. Create remap table
which reshuffles the indices into sorted-by-address order.
This saves over 6x of memory (the remap table needs just
uint32_t per entry, as opposed the FuncInfo cache entry).
ART symbols are sorted. Make use of that fact.
Bug: 110133331
Test: libunwindstack_test
Test: art/test.py -b --host -r -t 137-cfi
Change-Id: I1812d2dd3ad6a69ae93ed50ca387749c649289b9
This uses an experimental Linux kernel API for reading the tags across
processes using ptrace.
Bug: 135772972
Test: Unit tests pass.
Change-Id: Ib1a09d9219166011de80cf250b756bb8a4bcdb0a
If the Dex file we're trying to examine is already within the unwinder's
address space, we don't need to load it from disk or copy it across
processes.
This avoids using up virtual address space to map in dex files, and
also should be a bit faster to read since it won't go out to the file.
Patch by Chris Sarbora
Test: Ran new unit tests.
Test: Ran 137-cfi art test.
Change-Id: I949457856f051cca11b9020e9da3a41bbf6e5c8e
This was sometimes causing build ids to be truncated, probably because
of memory corruption in std::string. A similar off-by-one was fixed in
ReadBuildID in aosp/939619.
Bug: 129873279
Change-Id: I401fe7f991dbd135f5b4836381b48ea3c6a2243f
The DexFile handle is allocated from heap in OpenFromFd/OpenFromMemory.
After releasing the unique_ptr, the DexFile handle itself is no longer
managed by the smart pointer. However, the DexFile handle is not freed
in the constructor of DexFileFromFile/DexFileFromMemory.
This change uses get() method to get the DexFile pointer while allowing
it to be managed by smart pointer so that it can be freed after method
end.
Added new unit tests to detect leaks.
Bug: 151966190
Test: Unwinding can still retrieve dex frame information during crash.
Test: Ran new unit tests before change and verified they fail, ran them
Test: after the change and verified they don't fail.
Signed-off-by: Yong Li <yongl0722@gmail.com>
Change-Id: I0627e1e255eb6644aba51e940c1a79ff78d568d7
We're now using it in contexts that don't have all of the registers available,
such as GWP-ASan and soon MTE, so it doesn't make sense to have it be a
member function of Regs.
Bug: 135772972
Change-Id: I18b104ea0adb78588d7e475d0624cefc701ba52c
Simplify and fix the algorithm.
For consecutive functions (eg [10,20] [20,30]) without
padding in between, the old algorithm would drop FDEs.
Test: libunwindstack_test
Change-Id: Ie886922bec262fb64d4b2ecf01c2961d0652dcdb
The memcpy should be for 31 GPRs, [x0, x30]. Currently it (accidentally)
also copies over the SP register (which ends up being harmless, as the
layouts match, and the value is reassigned again anyway).
Separately, I'm including an optional change for the iteration order,
since LR is the x30 GPR, it makes slightly more sense to print it
immediately after x29. However, this is a change in behaviour, so I can
undo the change if you think it's not worth it.
Tested: atest libunwindstack_unit_test
Change-Id: Ib6b81f8ee3a9a526bfabe4b09b327f083c855fb8
Recently, the maps for an elf in memory might show up looking like:
f0000-f1000 0 r-- /system/lib/libc.so
f1000-f2000 0 ---
f2000-f3000 1000 r-x /system/lib/libc.so
f3000-f4000 2000 rw- /system/lib/libc.so
The problem is that there is logic in the code that assumed that the
map before the execute map must be the read-only map. In the case
above, this is not true. Add a new prev_real_map that will point
to the previous map that is not one of these empty maps.
This will fix the backtraces that look like this:
#00 pc 0000000000050d58 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0x50000) (syscall+24) (BuildId: 5252408bf30e395d49ee270b54c77ca4)
To get rid of the !libc.so and the offset value, which is not correct.
Added new unit tests to verify this.
Added new offline test which an empty map between read-only and execute
map. Before this change, the backtraces had lines like
libc.so!libc.so (offset XXX) would be present.
Bug: 148075852
Test: Ran unit tests.
Change-Id: Ie04bfc96b8f91ed885cb1e655cf1e346efe48a45
Recently, the maps for an elf in memory might show up looking like:
f0000-f1000 0 r-- /system/lib/libc.so
f1000-f2000 0 ---
f2000-f3000 1000 r-x /system/lib/libc.so
f3000-f4000 2000 rw- /system/lib/libc.so
That empty map was confusing the logic when looking for a global
variable. Now this case is handled properly.
New unit test added for this case.
Bug: 147910661
Test: Ran unit tests.
Test: Ran original failing test 137-cfi.
Change-Id: Ida2e96d1da5e1bf61f41646949fe5a2d405c0d61
Rather than use a std::vector for backing memory, allocate the memory
using a new with nothrow, and in MemoryBuffer use realloc. Since
the size field is coming from the elf, it could be corrupted or
intentionally crafted to cause problems.
In addition, add some other protections to make sure that overflows
don't occur.
Bug: 146215949
Test: Ran unit tests with jemalloc and scudo to verify that they
Test: both behave the same way.
Change-Id: If14243ce382ba5403a6bacd0ec673452c6b7c3be
The function StepIfSignalHandler assumed that the rel_pc passed
to it was actually an elf offset. A new version of clang created a libc.so
that has a load bias, so tests unwinding through a signal handler
would fail on arm. On other ABIs, there is unwind information that could
be used instead, so the unwind still worked.
The fix is to subtract the load bias from the rel_pc to get an elf
offset to pass to the Register StepIfSignalHandler functions. Change all
of the Register funtions to make it clear what the first parameter means.
Add a unit test for this new code. Also, add an offline test for
this case.
Bug: 145683525
Test: Ran unit tests using the new clang and the old clang.
Change-Id: I3e249653b79bcad6d3a56411a7911fde4888e9d6
The code was not properly getting the variable addresses and using
the offset and address fields of the .data section.
Fix all of that, and update the tests.
Bug: 145162678
Test: Unit tests pass.
Test: ./art/test/run-test --dex2oat-jobs 4 --host --prebuild --compact-dex-level fast --jit --no-relocate --runtime-option -Xcheck:jni 137-cfi
Test: ./art/test/testrunner/testrunner.py -t 137 --host
Change-Id: Ic61c4487334fd2273cda9c56eb1a3b525a03edb7
A thread's PSTATE can sometimes be critical for understanding a crash,
especially with MTE and other new features that store per-thread state
in PSTATE.
Bug: 135772972
Change-Id: I1bee25bffe7eea395f04b6449dc9227298cf866e
Due to a bug, an elf can have FDEs with a length of zero, while still
having another FDE for the same pc with a non-zero length. The
eh_frame_hdr can sometimes point to the zero length FDE, but it should
have pointed to the non-zero length FDE. In order to fix this, if the
eh_frame_hdr points at the zero length FDE then try and find the real FDE
directly from eh_frame.
The change cleans up and removes unused variables from DwarfEhFrameWithHdr
and changes the objects so that all of the DwarfSection objects and
DwarfEhFrameWithHdr object inherit from the same class.
Add new unit tests to verify this functionality.
Bug: 142483624
Test: Unit tests all pass.
Change-Id: I128a916e3ba378931de7d44ee15e57e24d4073df
The bias for the PT_GNU_EH_FRAME was using the paddr instead of vaddr.
This doesn't match the way the load bias is calculated, which always
use vaddr - offset, so change to use vaddr.
Found on an old x86 device that has a vdso that sets vaddr differently
from paddr.
Add a new offline test to catch this case and update the elf interface
unit tests.
Also, fix a small bug in the unwind_for_offline tool.
Bug: 142365899
Test: Unit tests pass.
Change-Id: I5f0bf062dd8ee45aa8553189ba493ec962e0b059
The original code assumed that the load bias in the program headers
would be exactly the same as in eh_frame/eh_frame_hdr/debug_frame.
This isn't guaranteed, so add a section bias for use when creating
a DwarfSection. In addtion, make the load bias and section bias
a signed value. There is no reason that this value needs to be positive,
so don't force it to be.
Add a new offline test that has a different load bias in eh_frame than
in the executable load.
Add additional unit tests to verify the load bias values are set properly.
Clean up the tests in ElfInterfaceTest, making all tests names follow the
same convention.
Bug: 141888859
Bug: 142094469
Test: New units and old unit tests pass on host and taimen.
Change-Id: Ib878123ab5545f0f315c749cfe0d27b012d873ee
The load bias value set in ReadProgramHeaders is out of sync with the
algorithm used in the static GetLoadBias function.
Sync the two and add tests to verify that they stay in sync.
Test: Unit tests pass.
Change-Id: I20ac0104970a22a92a5314a41dcadad0c9c22e64
Avoid accessing nullptr of already deleted entry.
Add new unit tests that pass with the fix and fail without.
Test: fixes unwinding in ART gcstress tests
Test: All unit tests pass.
Change-Id: Ideb00e2adc899904dd6aeb5dad3fb6fad150322d
Created a special target, libunwindstack_unit_test, that doesn't
include the test that dlopen's a shared library. It appears atest
doesn't understand how to handle the require keyword.
Also, move the shared library into the libunwindstack_test directory
itself.
Test: Ran atest libunwindstack_unit_test.
Change-Id: I967919b1d74a08669b61d0363d80861685725609
Add a specific test that __libc_init is the last frame in a stack
when run on device. In addition, it verifies that the return address
register is marked as undefined given the unwind.
Bug: 140008396
Test: New unit test passes on arm/arm64 (taimen device).
Test: New unit test passes on x86 (cuttlefish).
Test: New unit test passes on x86_64 (modified bionic/tests/run-on-host.sh)
Change-Id: Iefc151a7dbf52ab083c2bb78bad3d38b4e9e1254
Modify the MapInfoCreateMemoryTest to work in the isolated mode.
Test: Ran unit tests on host/target.
Change-Id: I84e01d96e852acd813e0f203b4a207cfaf8ca556
The previous versions of the libc++ demangler crashed on bad input.
However, the new version passes a fuzzer and has a lot of tests. Since
it's more complete than the local demangler, use it instead.
Modified the expected output of an offline test since the new demangler
handles a case that didn't work before.
Verified that the time it takes for the check_for_leak tests did not
change after this.
Bug: 136138882
Test: Ran the unit tests.
Test: Verified the __cxa_demangle function passes the fuzzer when run for
Test: hours. Both the 32 bit and 64 bit version of __cxa_demangle were
Test: fuzzed using external/libcxxabi/fuzz.
Change-Id: I10c06b589d57c36d89dbecba020b1ef2da69634a
There are many subclasses of the Memory class and the overwhelming
majority of them don't need to be exposed externally. We move all of
them to internal headers except MemoryOfflineBuffer, which moves to a
separate header. This dramatically reduces the exposed API surface and
makes the code more modular.
Also, remove the Offline code from libbacktrace. It's not used any where.
Test: Unit tests pass, clean tree still builds
Change-Id: I55dacdf080daba0bfe65c1ad53a4b326bb482e83
Christopher Ferris