# AddrSanitizer (Out-of-Bounds Address) Detection
<!--Kit: Performance Analysis Kit-->
<!--Subsystem: HiviewDFX-->
<!--Owner: @mlkgeek-->
<!--Designer: @StevenLai1994-->
<!--Tester: @gcw_KuLfPSbe-->
<!--Adviser: @foryourself-->

## Overview

An out-of-bounds address problem is an access to an invalid address that makes the program misbehave, usually showing up as an application crash. The causes include use after free, double free, stack overflow and heap overflow. Because a crash log carries limited information and is not the first point of failure, such problems are difficult to locate, and analysis generally relies on detection tools such as ASan, HWASan and GWP-ASan to obtain more information about memory operations. Starting from API 13, [using the HWASan detection tool](https://developer.huawei.com/consumer/cn/doc/best-practices/bpta-stability-hwasan-detection#section20672194985111) is recommended for analysing out-of-bounds address problems.

## Common Out-of-Bounds Types and Their Impact

For the common out-of-bounds address types and their impact, see [Classic Out-of-Bounds Address Problem Types](https://developer.huawei.com/consumer/cn/doc/best-practices/bpta-stability-address-sanitizer-catagory).

## Detection Principle

For the detection principle and usage, see [Detecting Out-of-Bounds Address Problems](https://developer.huawei.com/consumer/cn/doc/best-practices/bpta-stability-ram-detection#title53131231).

## Obtaining Logs

Out-of-bounds address logs are handled the same way as process crash logs: both are managed by the Faultlogger module and can be obtained in the following ways.

**Method 1: Obtain logs through DevEco Studio**

DevEco Studio collects the process crash fault logs under /data/log/faultlog/faultlogger/ on the device into FaultLog, where they are classified by process name, fault type and time. For how to obtain the logs, see [DevEco Studio User Guide - FaultLog](https://developer.huawei.com/consumer/cn/doc/harmonyos-guides/ide-fault-log).

**Method 2: Subscribe through the HiAppEvent API**

HiAppEvent provides developers with fault subscription APIs; see [Introduction to HiAppEvent](hiappevent-intro.md). Follow [Subscribing to Address Sanitizer Events (ArkTS)](hiappevent-watcher-address-sanitizer-events-arkts.md) or [Subscribing to Address Sanitizer Events (C/C++)](hiappevent-watcher-address-sanitizer-events-ndk.md) to subscribe to address sanitizer events, and read the fault log file content through the event's [external_log](hiappevent-watcher-address-sanitizer-events.md#params字段说明) field.

**Method 3: Obtain logs through hdc (developer options must be enabled)**

At runtime, logs are written to /data/log/faultlog/faultlogger by default. With developer options enabled, developers can export the fault logs to the local machine with `hdc file recv /data/log/faultlog/faultlogger D:\`. The fault log file name has the format [detector type]-[bundleName]-[uid]-[happenedTime].log.

## Log Specifications

### ASan Log Specification

The ASan log specification is as follows. The header shows the device information, the time the fault occurred, the faulting process and the fault reason. The log describes the out-of-bounds access in detail: the address (0x007fffd59768), the access size (WRITE of size 4), and the thread and process in which it happened. The call stack shows the function call path that led to the out-of-bounds access, listing the address of each frame together with its module and offset, so developers can quickly locate the code. The log also provides shadow bytes that track memory state and help confirm whether an access is legal, and it lists the process memory map, which helps determine which memory region the out-of-bounds address falls in.

A concrete example:

```text
Device info:XXX <- device information
Build info:XXX-XXXX x.x.x.xx(xxxxxxx) <- build information
Fingerprint:77cdc69cef714391a08c7cb1ceec8b8f9b02900fc6588e4231c2f8750b2bf330 <- fingerprint
Timestamp:xxxx-xx-xx xx:xx:xx.xxx <- timestamp
Module name:com.example.sampleapplication <- module name
Version:1.0.0 <- version number
Pid:62642 <- process ID
Uid:20020185 <- user ID
Reason:stack-buffer-overflow <- trigger reason

==appspawn==11766==AddressSanitizer: WARNING: unexpected format specifier in printf interceptor: %{ (reported once per process)
=================================================================
==appspawn==11766==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x007fffd59768 at pc 0x007c7e718f54 bp 0x007fffd59710 sp 0x007fffd59708 <- problem summary
WRITE of size 4 at 0x007fffd59768 thread T0 (e.myapplication) <- access size
    #0 0x7c7e718f50 (/data/storage/el1/bundle/libs/arm64/libentry.so+0x58f50) (BuildId: 5e1d4fe4b589921373e51615051105e455462c5f) <- call stack
    #1 0x7b5710235c (/system/lib64/platformsdk/libace_napi.z.so+0x4235c) (BuildId: e6ee1d59b23d2b0d1e746549da572967)
    #2 0x7b74ee79a4 (/system/lib64/module/arkcompiler/stub.an+0x4f89a4)
    #3 0x7b749fa8c0 (/system/lib64/module/arkcompiler/stub.an+0xb8c0)

Address 0x007fffd59768 is located in stack of thread T0 (e.myapplication) at offset 72 in frame
    #0 0x7c7e718de4 (/data/storage/el1/bundle/libs/arm64/libentry.so+0x58de4) (BuildId: 5e1d4fe4b589921373e51615051105e455462c5f)

  This frame has 1 object(s):
    [32, 72) 'a' (line 66) <== Memory access at offset 72 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/data/storage/el1/bundle/libs/arm64/libentry.so+0x58f50) (BuildId: 5e1d4fe4b589921373e51615051105e455462c5f)

Shadow bytes around the buggy address: <- shadow memory
  0x001ffffab290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x001ffffab2e0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00[f3]f3 f3
  0x001ffffab2f0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffffab330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==appspawn==11766==ABORTING

==appspawn==11766==Process memory map follows: <- process memory map at the time of the fault
  0x000ffffff000-0x001200000000 [anon:low shadow]
  0x001200000000-0x001400000000 [anon:shadow gap]
  0x001400000000-0x001f6ccb1000 [anon:high shadow]
  0x001f6ccb1000-0x001f6cd28000
  0x001f6cd28000-0x001f6e87c000 [anon:high shadow]
  0x001f6e87c000-0x001f6e89c000
  0x001f6e89c000-0x001f6e89d000 [anon:high shadow]
```

### HWASan Log Specification

The HWASan log format is similar to ASan's: the header also shows key information such as the device, the time the fault occurred, the faulting process and the trigger reason. The log records the out-of-bounds access address (for example 0x0002013c0100), the access size (for example WRITE of size 4), and the thread and process at the time, and shows the function execution path that triggered the access through a complete call stack, listing each frame's address, module and offset so developers can quickly locate the code. Unlike ASan, HWASan also outputs the tags of the pointer and of the memory block, and compares them to help determine whether an illegal access occurred.

```text
Device info:XXX <- device information
Build info:XXX-XXXX x.x.x.xx(xxxxxxx) <- build information
Fingerprint:77cdc69cef714391a08c7cb1ceec8b8f9b02900fc6588e4231c2f8750b2bf330 <- fingerprint
Timestamp:xxxx-xx-xx xx:xx:xx.xxx <- timestamp
Module name:com.example.sampleapplication <- module name
Version:1.0.0 <- version number
Pid:62642 <- process ID
Uid:20020185 <- user ID
Reason:use-after-free <- trigger reason

==appspawn==62642==ERROR: HWAddressSanitizer: tag-mismatch on address 0x0002013c0100 at pc 0x00651a5c0fa0 <- problem summary
WRITE of size 4 at 0x0002013c0100 tags: d2/11 (ptr/mem) in thread T240 <- access size
    #0 0x651a5c0fa0 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2c0fa0) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5) <- call stack
    #1 0x651a49bfb0 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x19bfb0) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #2 0x651a49beb8 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x19beb8) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #3 0x651a5c100c (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2c100c) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #4 0x651a4eeb60 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x1eeb60) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #5 0x651a4ed864 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x1ed864) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #6 0x651a5c81f8 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2c81f8) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #7 0x651a5cc450 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2cc450) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #8 0x651a5c4708 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2c4708) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #9 0x651a5c48e8 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2c48e8) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #10 0x5a3e8d0d98 (/lib/ld-musl-aarch64-asan.so.1+0x10ed98) (BuildId: bac03842ac83e537d217a027e9584250)

[0x0002013c0100,0x0002013c0140) is a small allocated heap chunk; size: 64 offset: 0 <- information on the corrupted memory chunk

Potential Cause: use-after-free <- possible cause 1
0x0002013c0100 (old ptr tags: 5d) is located 0 bytes inside of 48-byte region [0x0002013c0100,0x0002013c0130)
freed by thread T0 here: <- free stack
    #0 0x5a3f868f98 (/system/asan/lib64/libclang_rt.hwasan.so+0x28f98) (BuildId: a6c55e97d9dbc519020b7732890fe5143f80d175) <- call stack
    #1 0x650009d6b4 (/system/asan/lib64/module/file/libfileuri.z.so+0x1d6b4) (BuildId: 7f492df25ba1291065c3cf49b731c56a)
    #2 0x65000a09ec (/system/asan/lib64/module/file/libfileuri.z.so+0x209ec) (BuildId: 7f492df25ba1291065c3cf49b731c56a)
    #3 0x5a3e855790 (/lib/ld-musl-aarch64-asan.so.1+0x93790) (BuildId: bac03842ac83e537d217a027e9584250)
    #4 0x5a3e85801c (/lib/ld-musl-aarch64-asan.so.1+0x9601c) (BuildId: bac03842ac83e537d217a027e9584250)
    #5 0x5ad738d43c (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4d43c) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #6 0x5ad738c2d0 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4c2d0) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #7 0x5ad738b9c0 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4b9c0) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #8 0x5ad73a3b30 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x63b30) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #9 0x5ad6e75f1c (/system/asan/lib64/platformsdk/libark_jsruntime.so+0x8b5f1c) (BuildId: a2f4a88f26244f527994da0cefbab138)
    #10 0x5af39b2130 (/system/lib64/module/arkcompiler/stub.an+0x332130)
    #11 0x5af36897d0 (/system/lib64/module/arkcompiler/stub.an+0x97d0)
    #12 0x212092dc04 ([anon:ArkTS Heap5576local space]+0x2dc04)

previously allocated here: <- allocation stack
    #0 0x5a3f868ce8 (/system/asan/lib64/libclang_rt.hwasan.so+0x28ce8) (BuildId: a6c55e97d9dbc519020b7732890fe5143f80d175)
    #1 0x650009a840 (/system/asan/lib64/module/file/libfileuri.z.so+0x1a840) (BuildId: 7f492df25ba1291065c3cf49b731c56a)
    #2 0x65000a09ec (/system/asan/lib64/module/file/libfileuri.z.so+0x209ec) (BuildId: 7f492df25ba1291065c3cf49b731c56a)
    #3 0x5a3e855790 (/lib/ld-musl-aarch64-asan.so.1+0x93790) (BuildId: bac03842ac83e537d217a027e9584250)
    #4 0x5a3e85801c (/lib/ld-musl-aarch64-asan.so.1+0x9601c) (BuildId: bac03842ac83e537d217a027e9584250)
    #5 0x5ad738d43c (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4d43c) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #6 0x5ad738c2d0 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4c2d0) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #7 0x5ad738b9c0 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4b9c0) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #8 0x5ad73a3b30 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x63b30) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #9 0x5ad6e75f1c (/system/asan/lib64/platformsdk/libark_jsruntime.so+0x8b5f1c) (BuildId: a2f4a88f26244f527994da0cefbab138)
    #10 0x5af39b2130 (/system/lib64/module/arkcompiler/stub.an+0x332130)
    #11 0x5af36897d0 (/system/lib64/module/arkcompiler/stub.an+0x97d0)
    #12 0x212092dc04 ([anon:ArkTS Heap5576local space]+0x2dc04)

Cause: heap-buffer-overflow <- possible cause 2
0x0002013c0100 is located 3352 bytes to the right of 40-byte region [0x0002013bf3c0,0x0002013bf3e8)
allocated here:
    #0 0x5a3f868ce8 (/system/asan/lib64/libclang_rt.hwasan.so+0x28ce8) (BuildId: a6c55e97d9dbc519020b7732890fe5143f80d175)
    #1 0x65000a85b8 (/system/asan/lib64/module/file/libfileuri.z.so+0x285b8) (BuildId: 7f492df25ba1291065c3cf49b731c56a)
    #2 0x65000a09b4 (/system/asan/lib64/module/file/libfileuri.z.so+0x209b4) (BuildId: 7f492df25ba1291065c3cf49b731c56a)
    #3 0x5a3e855790 (/lib/ld-musl-aarch64-asan.so.1+0x93790) (BuildId: bac03842ac83e537d217a027e9584250)
    #4 0x5a3e85801c (/lib/ld-musl-aarch64-asan.so.1+0x9601c) (BuildId: bac03842ac83e537d217a027e9584250)
    #5 0x5ad738d43c (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4d43c) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #6 0x5ad738c2d0 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4c2d0) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #7 0x5ad738b9c0 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x4b9c0) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #8 0x5ad73a3b30 (/system/asan/lib64/platformsdk/libace_napi.z.so+0x63b30) (BuildId: 90a9e7b85b14f6c805a699672bf8db4a)
    #9 0x5ad6e75f1c (/system/asan/lib64/platformsdk/libark_jsruntime.so+0x8b5f1c) (BuildId: a2f4a88f26244f527994da0cefbab138)
    #10 0x5af39b2130 (/system/lib64/module/arkcompiler/stub.an+0x332130)
    #11 0x5af36897d0 (/system/lib64/module/arkcompiler/stub.an+0x97d0)
    #12 0x212092dc04 ([anon:ArkTS Heap5576local space]+0x2dc04)

Memory tags around the buggy address (one tag corresponds to 16 bytes): <- tags stored in shadow memory, compared with the pointer tag
  0x005c2013bf90: b6 b6 08 00 1f 1f 08 00 5a 5a 08 00 45 45 08 00
  0x005c2013bfa0: bc bc 08 00 3b 3b 08 00 35 35 08 00 9c 9c 08 00
  0x005c2013bfb0: 9e 9e 08 00 d4 d4 08 00 14 14 08 00 ff ff 08 00
  0x005c2013bfc0: fe fe 08 00 ec ec 08 00 67 67 08 00 26 26 08 00
  0x005c2013bfd0: 3e 3e 08 00 5f 5f 08 00 fe fe 08 00 8b 8b 08 00
  0x005c2013bfe0: 98 98 08 00 c3 c3 08 00 37 37 08 00 87 87 08 00
  0x005c2013bff0: 3f 3f 08 00 02 02 08 00 b3 b3 08 00 fb fb 08 00
  0x005c2013c000: 56 56 08 00 ad ad 08 00 02 02 08 00 94 94 08 00
=>0x005c2013c010:[11] 11 08 00 a5 a5 08 00 13 13 08 00 2e 2e 08 00
  0x005c2013c020: 09 09 08 00 68 68 08 00 df df 08 00 17 17 08 00
  0x005c2013c030: 24 24 08 00 5f 5f 08 00 f9 f9 08 00 05 05 08 00
  0x005c2013c040: 02 02 08 00 78 78 08 00 50 50 08 00 33 33 08 00
  0x005c2013c050: 57 57 08 63 4a 4a 08 4b a8 a8 08 00 cd cd 08 00
  0x005c2013c060: e6 e6 08 00 0d 0d 08 00 3c 3c 3c 08 83 83 83 08
  0x005c2013c070: 62 62 62 08 08 08 08 08 35 35 35 08 b5 b5 b5 08
  0x005c2013c080: 87 87 87 08 4d 4d 4d 08 46 46 46 08 0e 0e 0e 08
  0x005c2013c090: 6d 6d 6d 08 7a 7a 7a 08 11 11 11 08 af af af 08
Tags for short granules around the buggy address (one tag corresponds to 16 bytes):
  0x005c2013c000: .. .. 56 .. .. .. ad .. 97 00 02 .. .. .. 94 ..
=>0x005c2013c010:[..] .. 11 .. .. .. a5 .. .. .. 13 .. .. .. 2e ..
  0x005c2013c020: 13 00 09 .. .. .. 68 .. .. .. df .. .. .. 17 ..
See https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html#short-granules for a description of short granule tags
Registers where the failure occurred (pc 0x00651a5c0fa0):
    x0  ec00000201e4ee88  x1  3c000004004c6b38  x2  0000000000000000  x3  0000000000000000
    x4  6e0000652737ff79  x5  e600000201f631b9  x6  3e000002016b0d10  x7  0000056d1a495b07
    x8  0200005bffffffff  x9  0000006527380ff0  x10 0000006527380f18  x11 0000000000000000
    x12 073e000002016b0d  x13 000000056d1a495b  x14 000000000000006e  x15 0000000000000000
    x16 0000005a3f867ef0  x17 000000651a5c0f64  x18 0000000000000005  x19 d2000002013c0100
    x20 0200005c00000000  x21 3c000004004c6b38  x22 ec00000201e4ee80  x23 0000000000000000
    x24 b800000000000000  x25 c8000065273804b0  x26 3e000002016b0d08  x27 b8000065273803a0
    x28 1700000400263f80  x29 000000652737ffa0  x30 000000651a5c0fa4  sp  000000652737ffa0

SUMMARY: HWAddressSanitizer: tag-mismatch (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2c0fa0) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)

Memory near registers: <- memory around the registers
x0([anon:native_heap:jemalloc]):
    0000005a2be445f0 0000000000000000
    0000005a2be445f8 0000000000000000
    0000005a2be44600 000000599a8d0208
    0000005a2be44608 0000005a2be44600
    0000005a2be44610 0000005a2beee520
    0000005a2be44618 0000000000000021
    0000005a2be44620 0000005a2be51800
    0000005a2be44628 0000005a2be48080
    0000005a2be44630 00004c94000000fc
    0000005a2be44638 ffffffffffffffff
    0000005a2be44640 ffffffffffffffff
    0000005a2be44648 ffffffffffffffff
    0000005a2be44650 0000ffffffffffff
    0000005a2be44658 0000005a2be33600

Process memory map follows: <- process memory map at the time of the fault
  0x000000010000-0x000100020000 rw-p 00000000 [anon:SizeClassAllocator]
  0x000100020000-0x000101490000 rw-p 00000000 [anon:SizeClassAllocator: region data]
  0x000101490000-0x0001df870000 rw-p 00000000 [anon:SizeClassAllocator]
  0x0001df870000-0x0001e0020000 rw-p 00000000 [anon:SizeClassAllocator: region metadata]
  0x0001e0020000-0x0001e0140000 rw-p 00000000 [anon:SizeClassAllocator: freearray]
  0x0001e0140000-0x000200020000 rw-p 00000000 [anon:SizeClassAllocator]
  0x000200020000-0x000201fd0000 rw-p 00000000 [anon:SizeClassAllocator: region data]
  0x000201fd0000-0x0002dfa20000 rw-p 00000000 [anon:SizeClassAllocator]
  0x0002dfa20000-0x0002e0020000 rw-p 00000000 [anon:SizeClassAllocator: region metadata]
  0x0002e0020000-0x0002e0040000 rw-p 00000000 [anon:SizeClassAllocator: freearray]
```

### MemDebug Log Specification

MemDebug is a detection tool that uses a quarantine plus poison-fill mechanism and reuses HWASan's tag check. For double-free problems its log format is identical to HWASan's.

```text
Device info:XXX <- device information
Build info:XXX-XXXX x.x.x.xx(xxxxxxx) <- build information
Fingerprint:77cdc69cef714391a08c7cb1ceec8b8f9b02900fc6588e4231c2f8750b2bf330 <- fingerprint
Timestamp:xxxx-xx-xx xx:xx:xx.xxx <- timestamp
Module name:com.example.sampleapplication <- module name
Version:1.0.0 <- version number
Pid:62642 <- process ID
Uid:20020185 <- user ID
Reason:use-after-free <- trigger reason

==appspawn==62642==ERROR: HWAddressSanitizer: invalid-free on address 0x000100945e20 at pc 0x005a16a634fc on thread 62642 <- problem summary
tags: 57/e9 (ptr/mem)
    #0 0x5a16a634fc (/system/lib64/xxxxxxxxx.so+0xxxxxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxxxx) <- call stack
    #1 0x5ac1f47c94 (/data/storage/xxxxxxx.so+0xxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxxxxxxx)
    ...

[0x000100945e20,0x000100945e40) is a small unallocated heap chunk; size: 32 offset: 0, Allocated By 62642 <- memory chunk summary

Potential Cause: use-after-free <- possible trigger cause 1
0x000100945e20 (rb[50] tags:57) is located 0 bytes inside of 16-byte region [0x000100945e20,0x000100945e30)
freed by thread 62642 here: <- call stack
    #0 0x5a16a6b070 (/system/lib64/xxxxxx.so+0xxxxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxx)
    #1 0x5ac2fce684 (/system/lib64/xxxxxxxx.so+0xxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxx)
    ...

previously allocated by thread 62642 here:
    #0 0x5a16a6b070 (/system/lib64/xxxxxx.so+0xxxxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxx)
    #1 0x5ac2fce684 (/system/lib64/xxxxxxxx.so+0xxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxx)
    ...

hwasan_dev_note_heap_rb_distance: 51 1023000
Thread: T0 0x005b00002000 stack: [0x007fb3025000,0x007fb3824000) sz: 8384512 tls: [0x005a16107a98,0x005a16108279) rb:(1023000/1023000) records(1301994/o:0) tid: 62642
Searched 1028682 records, find 1 with same addr 0x000100945e20


Cause: heap-buffer-overflow <- possible trigger cause 2
0x000100945e20 is located 2400 bytes to the left of 24-byte region [0x000100946780,0x000100946798)
allocated here:
    #0 0x5a16a6b070 (/system/lib64/xxxxxx.so+0xxxxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxx)
    #1 0x5ac2fce684 (/system/lib64/xxxxxxxx.so+0xxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxx)
    ...

Per-thread ring buffer information
Thread: T0 0x005b00002000 stack: [0x007fb3025000,0x007fb3824000) sz: 8384512 tls: [0x005a16107a98,0x005a16108279) rb:(1023000/1023000) records(1301994/o:0) tid: 62642
Thread: T6 0x005b0000a000 stack: [0x005ab7b64000,0x005ab7c64978) sz: 1051000 tls: [0x005ab7c64978,0x005ab7c64bc2) rb:(2/1023) records(2/o:0) tid: 62702
Thread: T7 0x005b00016000 stack: [0x005abf7b4000,0x005abf8b4978) sz: 1051000 tls: [0x005abf8b4978,0x005abf8b4bc2) rb:(1023/1023) records(1133/o:0) tid: 62703
Thread: T8 0x005b0000e000 stack: [0x005abf8b7000,0x005abf9b7978) sz: 1051000 tls: [0x005abf9b7978,0x005abf9b7bc2) rb:(123/1023) records(123/o:0) tid: 62704
...

Tag information
Memory tags around the buggy address (one tag corresponds to 16 bytes):
  ...
  0x005c100945d0: ea 08 fa fa ab ab cb 08 32 c6 64 08 f7 f7 68 68
=>0x005c100945e0: 96 08 [e9] e7 c9 c9 36 36 18 08 ef d9 80 08 8e 08
  0x005c100945f0: ba 08 98 98 b6 1b 63 63 08 00 bb 52 74 08 84 08
  ...
Tags for short granules around the buggy address (one tag corresponds to 16 bytes):
  0x005c100945d0: .. ea .. .. .. .. .. cb .. .. .. 64 .. .. .. ..
=>0x005c100945e0: .. 96 [..] .. .. .. .. .. .. 18 .. .. .. 80 .. 8e
  0x005c100945f0: .. ba .. .. .. .. .. .. 64 .. .. .. .. 74 .. 84
See https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html#short-granules for a description of short granule tags
SUMMARY: HWAddressSanitizer: invalid-free (/system/lib64/xxxxxx.xxxxx.so+0xxxxxx) (BuildId: xxxxxxxxxxxxxxxxxxxxxxxxxxx)

Process maps information
==appspawn==62642==Process memory map follows:
  0x000000010000-0x000100020000
  0x000100020000-0x000100030000 [anon:SizeClassAllocator: region data]
  0x000100030000-0x000100040000 [anon:SizeClassAllocator: region data]
  ...
```

For Use-After-Free (Write) problems, the problem summary part of the log is different. Example output:

```text
ptrBeg was re-written after free 0x000100946540[1], 0x000100946548 5555555500000009:5555555555555555
```

Here 0x000100946540 is the start address of the problem memory chunk, [1] is the index, in 8-byte units from the start address, of the memory found to be corrupted, 0x000100946548 is the address that was actually modified, and 5555555500000009:5555555555555555 compares the actual value found in memory after the modification with the expected value. After this information the log also outputs the free stack and the allocation stack of the memory chunk; the call stack format is the same as in the HWASan log and is not repeated here.

### GWP-ASan Log Specification

The GWP-ASan log format is relatively concise. The following example is a typical Use-After-Free log, containing the call stacks of the allocation, the free and the violating access of the memory chunk.

```text
Device info:XXX <- device information
Build info:XXX-XXXX x.x.x.xx(xxxxxxx) <- build information
Fingerprint:c41391f9c18acc1121ea519ffdba5698bfb5342ae7125e20ebf2865e31249f1a <- fingerprint
Timestamp:xxxx-xx-xx xx:xx:xx.xxx <- timestamp
Module name:com.example.sampleapplication <- module name
Version:1.0.0 <- version number
Pid:13305 <- process ID
Uid:20020181 <- user ID
Reason:GWP-ASAN <- Reason is fixed to GWP-ASAN
*** GWP-ASan detected a memory error ***
Use After Free at 0x5b46ddaff0 (0 bytes into a 16-byte allocation at 0x5b46ddaff0) by thread 13305 here: <- problem summary: describes a UAF problem
    #0 0x5c474f049c (/data/storage/xxxxxx.so+0x3049c) <- call stack
    #1 0x5c474fa8c0 (/data/storage/xxxxxx.so+0x3a8c0)
    #2 0x5c474fa870 (/data/storage/xxxxxx.so+0x3a870)
    #3 0x5c474fa834 (/data/storage/xxxxxx.so+0x3a834)
    #4 0x5c474fa7d4 (/data/storage/xxxxxx.so+0x3a7d4)
    #5 0x5c474fa4a0 (/data/storage/xxxxxx.so+0x3a4a0)
    #6 0x5b2d444c04 (/system/lib64/platformsdk/libace_napi.z.so+0x44c04)
    #7 0x5b401d484c
    #8 0x5b3fc11d7c
    #9 0xfffffffffffffffe
0x5b46ddaff0 was deallocated by thread 13305 here: <- problem summary: this is the free stack
    #0 0x5aa0c0be2c (/lib/ld-musl-aarch64.so.1+0x13de2c) <- call stack
    #1 0x5aa0c0b97c (/lib/ld-musl-aarch64.so.1+0x13d97c)
    #2 0x5c474f0494 (/data/storage/xxxxxx.so+0x30494)
    #3 0x5c474fa8c0 (/data/storage/xxxxxx.so+0x3a8c0)
    #4 0x5c474fa870 (/data/storage/xxxxxx.so+0x3a870)
    #5 0x5c474fa834 (/data/storage/xxxxxx.so+0x3a834)
    #6 0x5c474fa7d4 (/data/storage/xxxxxx.so+0x3a7d4)
    #7 0x5c474fa4a0 (/data/storage/xxxxxx.so+0x3a4a0)
    #8 0x5b2d444c04 (/system/lib64/xxxxxx.so+0x44c04)
    #9 0x5b401d484c
    #10 0x5b3fc11d7c
    #11 0xfffffffffffffffe
0x5b46ddaff0 was allocated by thread 13305 here: <- problem summary: this is the allocation stack
    #0 0x5aa0c0be2c (/lib/ld-musl-aarch64.so.1+0x13de2c) <- call stack
    #1 0x5aa0c0b77c (/lib/ld-musl-aarch64.so.1+0x13d77c)
    #2 0x5aa0c22e5c (/lib/ld-musl-aarch64.so.1+0x154e5c)
    #3 0x5c474f047c (/data/storage/xxxxxx.so+0x3047c)
    #4 0x5c474fa8c0 (/data/storage/xxxxxx.so+0x3a8c0)
    #5 0x5c474fa870 (/data/storage/xxxxxx.so+0x3a870)
    #6 0x5c474fa834 (/data/storage/xxxxxx.so+0x3a834)
    #7 0x5c474fa7d4 (/data/storage/xxxxxx.so+0x3a7d4)
    #8 0x5c474fa4a0 (/data/storage/xxxxxx.so+0x3a4a0)
    #9 0x5b2d444c04 (/system/lib64/xxxxxx.so+0x44c04)
    #10 0x5b401d484c
    #11 0x5b3fc11d7c
    #12 0xfffffffffffffffe
* End GWP-ASan report *
```
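The parser below is added here as an example; it is not code from this page or from the HiviewDFX project. It reads the report layouts described in the ASan, HWASan and GWP-ASan sections above, plus the MemDebug re-write line: it extracts the header fields, the detector and fault kind, the faulting address, the access size and (for HWASan) the ptr/mem tags, and splits the access, free and allocation stacks into frames with module, offset and BuildId. The samples embedded in it are constructed, shortened copies of the page's excerpts; the `Report`/`Frame` types, the helper names and the assumption that a report follows exactly the layouts shown above are this example's own.

```python
# Added example, not code from the page or the HiviewDFX project: parses the faultlogger
# reports shown above. Report/Frame and the helper names are this example's own choice.
import re
from collections import namedtuple
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^(Device info|Build info|Fingerprint|Timestamp|Module name|Version|Pid|Uid|Reason):(?P<val>.*?)\s*(?:<-.*)?$")
ERROR_RE = re.compile(r"^==\w+==\d+==ERROR: (?P<hw>HW)?AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<rw>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+"
                       r"(?: tags: (?P<ptr>[0-9a-f]{2})/(?P<mem>[0-9a-f]{2}) \(ptr/mem\))?")
GWP_RE = re.compile(r"^(?P<kind>[A-Za-z() ]+?) at 0x(?P<addr>[0-9a-f]+) \(\d+ bytes into a (?P<size>\d+)-byte allocation")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x(?P<pc>[0-9a-f]+)(?: \((?P<module>[^)+]+)\+0x(?P<off>[0-9a-fx]+)\))?"
                      r"(?: \(BuildId: (?P<bid>[0-9a-fx]+)\))?")
REWRITE_RE = re.compile(r"ptrBeg was re-written after free 0x(?P<chunk>[0-9a-f]+)\[(?P<idx>\d+)\], "
                        r"0x(?P<addr>[0-9a-f]+) (?P<actual>[0-9a-f]{16}):(?P<expected>[0-9a-f]{16})")

# module/offset/build_id are None for unmapped frames such as "#7 0x5b401d484c"; offset stays text (page uses 0xxxxx).
Frame = namedtuple("Frame", "idx pc module offset build_id")

@dataclass
class Report:
    header: dict = field(default_factory=dict)   # Device info, Pid, Reason, ...
    detector: str = None                         # "ASan", "HWASan" or "GWP-ASan"
    kind: str = None                             # stack-buffer-overflow, tag-mismatch, Use After Free, ...
    address: int = None
    access: str = None                           # READ / WRITE (ASan and HWASan only)
    size: int = None
    tags: tuple = None                           # HWASan (ptr, mem) tags; their mismatch is the evidence
    stacks: list = field(default_factory=list)   # (name, [Frame, ...]) in report order

def parse_report(text: str) -> Report:
    rep, current = Report(), None           # current: frame list that the next "#n" lines join
    new_stack = lambda name: rep.stacks.append((name, [])) or rep.stacks[-1][1]
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep.header[m.group(1)] = m.group("val")
        elif m := ERROR_RE.match(line):
            rep.detector = "HWASan" if m.group("hw") else "ASan"
            rep.kind, rep.address = m.group("kind"), int(m.group("addr"), 16)
            current = new_stack("access")
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size = m.group("rw"), int(m.group("size"))
            if m.group("ptr"):
                rep.tags = (int(m.group("ptr"), 16), int(m.group("mem"), 16))
        elif m := GWP_RE.match(line):
            rep.detector, rep.kind = "GWP-ASan", m.group("kind")
            rep.address, rep.size = int(m.group("addr"), 16), int(m.group("size"))
            current = new_stack("access")
        elif re.search(r"\b(freed|deallocated) by\b", line):
            current = new_stack("free")
        elif re.search(r"\ballocated\b.*here:", line):
            current = new_stack("alloc")
        elif m := FRAME_RE.match(line):
            if current is not None:
                current.append(Frame(int(m.group("idx")), int(m.group("pc"), 16),
                                     m.group("module"), m.group("off"), m.group("bid")))
        else:
            current = None                  # blank or explanatory line: the stack is complete
    return rep

def first_app_frame(rep: Report):
    """First access-stack frame in the app bundle: module+offset (with BuildId) is what to symbolise."""
    return next((f for name, frames in rep.stacks if name == "access"
                 for f in frames if f.module and f.module.startswith("/data/storage/")), None)

def parse_memdebug_rewrite(line: str) -> dict:
    """MemDebug UAF-write line: which 8-byte word of the freed chunk changed and which of its bytes differ."""
    m = REWRITE_RE.search(line)
    if not m:
        raise ValueError("not a MemDebug re-write line")
    chunk, idx, addr = int(m.group("chunk"), 16), int(m.group("idx")), int(m.group("addr"), 16)
    diff = int(m.group("actual"), 16) ^ int(m.group("expected"), 16)
    return {"chunk": chunk, "index": idx, "address": addr, "address_matches_index": chunk + 8 * idx == addr,
            "changed_bytes": [i for i in range(8) if (diff >> (8 * i)) & 0xFF]}   # little-endian byte positions

# Constructed samples, shortened from the page's HWASan and GWP-ASan excerpts.
SAMPLE_HWASAN = """\
Pid:62642 <- process ID
Reason:use-after-free <- trigger reason
==appspawn==62642==ERROR: HWAddressSanitizer: tag-mismatch on address 0x0002013c0100 at pc 0x00651a5c0fa0
WRITE of size 4 at 0x0002013c0100 tags: d2/11 (ptr/mem) in thread T240
    #0 0x651a5c0fa0 (/data/storage/el1/bundle/libs/arm64/libijk.so+0x2c0fa0) (BuildId: 84383086df874d94fa191ddbbc25091cc14992c5)
    #1 0x5a3e8d0d98 (/lib/ld-musl-aarch64-asan.so.1+0x10ed98) (BuildId: bac03842ac83e537d217a027e9584250)
freed by thread T0 here:
    #0 0x5a3f868f98 (/system/asan/lib64/libclang_rt.hwasan.so+0x28f98) (BuildId: a6c55e97d9dbc519020b7732890fe5143f80d175)
    #1 0x212092dc04 ([anon:ArkTS Heap5576local space]+0x2dc04)
"""
SAMPLE_GWP = """\
Reason:GWP-ASAN
Use After Free at 0x5b46ddaff0 (0 bytes into a 16-byte allocation at 0x5b46ddaff0) by thread 13305 here:
    #0 0x5c474f049c (/data/storage/xxxxxx.so+0x3049c)
    #1 0x5b401d484c
0x5b46ddaff0 was deallocated by thread 13305 here:
    #0 0x5aa0c0be2c (/lib/ld-musl-aarch64.so.1+0x13de2c)
0x5b46ddaff0 was allocated by thread 13305 here:
    #0 0x5aa0c0b77c (/lib/ld-musl-aarch64.so.1+0x13d77c)
"""

if __name__ == "__main__":
    print([first_app_frame(parse_report(s)) for s in (SAMPLE_HWASAN, SAMPLE_GWP)])
```

Running the file prints the first app-bundle frame of each sample. That frame's module path, offset and BuildId are the input for symbolisation: the offset within the library, not the runtime pc, is what maps back to a source line in the unstripped .so, and the BuildId confirms that the library being symbolised is the build that actually crashed.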