Bug 487111

Summary: Massif crash on Android API >= 30 due to tagged pointers
Product: [Developer tools] valgrind
Reporter: maxime.coutant
Component: massif
Assignee: Nicholas Nethercote <njn>
Status: REPORTED
Severity: crash
CC: pjfloyd
Priority: NOR
Version First Reported In: 3.23.0
Target Milestone: ---
Platform: Android
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description maxime.coutant 2024-05-16 15:49:09 UTC
uname -a (TARGET):
Linux localhost 5.10.66-android12-9-25281636-abS908BXXU2BVJA #2 SMP PREEMPT Thu Oct 13 21:01:13 KST 2022 aarch64 Toybox
uname -a (HOST):
Linux mcoutant-telecom 6.5.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue May  7 09:00:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux


COMMAND:
$ valgrind -v --tool=massif echo "pouet"

FULL OUTPUT:
==24568== Massif, a heap profiler
==24568== Copyright (C) 2003-2024, and GNU GPL'd, by Nicholas Nethercote et al.
==24568== Using Valgrind-3.23.0-c54d316124-20240426 and LibVEX; rerun with -h for copyright info
==24568== Command: echo pouet
==24568== 
--24568-- Valgrind options:
--24568--    -v
--24568--    --tool=massif
--24568-- Contents of /proc/version:
--24568--   Linux version 5.10.66-android12-9-25281636-abS908BXXU2BVJA (dpi@21DJ6B18) (Android (7211189, based on r416183) clang version 12.0.4 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.4 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #2 SMP PREEMPT Thu Oct 13 21:01:13 KST 2022
--24568-- 
--24568-- Arch and hwcaps: ARM64, LittleEndian, v8-fhm-dpbcvadp-sm3-sm4-sha3-rdm-i8mm-atomics-bf16-fp16-vfp16
--24568-- Page sizes: currently 4096, max supported 65536
--24568-- Valgrind library directory: /data/local/tmp/valgrind/libexec/valgrind
--24568-- Massif: alloc-fns:
--24568-- Massif:   malloc
--24568-- Massif:   __builtin_new
--24568-- Massif:   operator new(unsigned long)
--24568-- Massif:   __builtin_vec_new
--24568-- Massif:   operator new[](unsigned long)
--24568-- Massif:   calloc
--24568-- Massif:   aligned_alloc
--24568-- Massif:   realloc
--24568-- Massif:   memalign
--24568-- Massif:   posix_memalign
--24568-- Massif:   valloc
--24568-- Massif:   operator new(unsigned long, std::nothrow_t const&)
--24568-- Massif:   operator new[](unsigned long, std::nothrow_t const&)
--24568-- Massif:   operator new(unsigned long, std::align_val_t)
--24568-- Massif:   operator new[](unsigned long, std::align_val_t)
--24568-- Massif:   operator new(unsigned long, std::align_val_t, std::nothrow_t const&)
--24568-- Massif:   operator new[](unsigned long, std::align_val_t, std::nothrow_t const&)
--24568-- Massif: ignore-fns:
--24568-- Massif:   <empty>
--24568-- Reading syms from /system/bin/toybox
--24568-- Reading syms from /apex/com.android.runtime/bin/linker64
--24568-- Reading syms from /data/local/tmp/valgrind/libexec/valgrind/massif-arm64-linux
--24568--    object doesn't have a dynamic symbol table
--24568-- Scheduler: using generic scheduler lock implementation.
--24568-- Reading syms from /system/lib64/libprocessgroup.so
--24568-- Reading syms from /system/lib64/libcrypto.so
--24568-- Reading syms from /system/lib64/libz.so
--24568-- Reading syms from /system/lib64/libpackagelistparser.so
--24568-- warning: DiCfSI 0x5cd8000 .. 0x5cd800b outside mapped rx segments (libpackagelistparser.so)
--24568-- warning: DiCfSI 0x5cd800c .. 0x5cd800f outside mapped rx segments (libpackagelistparser.so)
--24568-- warning: DiCfSI 0x5cd8010 .. 0x5cd8013 outside mapped rx segments (libpackagelistparser.so)
--24568-- warning: DiCfSI 0x5cd8014 .. 0x5cd8033 outside mapped rx segments (libpackagelistparser.so)
--24568-- warning: DiCfSI 0x5cd8034 .. 0x5cd8367 outside mapped rx segments (libpackagelistparser.so)
--24568-- warning: DiCfSI 0x5cd8368 .. 0x5cd8377 outside mapped rx segments (libpackagelistparser.so)
--24568-- warning: DiCfSI 0x5cd8378 .. 0x5cd83b3 outside mapped rx segments (libpackagelistparser.so)
--24568-- warning: DiCfSI 0x5cd83b4 .. 0x5cd83c7 outside mapped rx segments (libpackagelistparser.so)
--24568-- Reading syms from /system/lib64/libcutils.so
--24568-- Reading syms from /apex/com.android.runtime/lib64/bionic/libc.so
--24568-- Reading syms from /data/local/tmp/valgrind/libexec/valgrind/vgpreload_core-arm64-linux.so
--24568-- warning: DiCfSI 0x5ad9324 .. 0x5ad9327 outside mapped rx segments (NONE)
--24568-- warning: DiCfSI 0x5ad9328 .. 0x5ad9383 outside mapped rx segments (NONE)
--24568-- Reading syms from /system/lib64/libpcre2.so
--24568-- Reading syms from /apex/com.android.runtime/lib64/bionic/libm.so
--24568-- Reading syms from /system/lib64/libselinux.so
--24568-- Reading syms from /system/lib64/libc++.so
--24568-- Reading syms from /data/local/tmp/valgrind/libexec/valgrind/vgpreload_massif-arm64-linux.so
--24568-- Reading syms from /system/lib64/libbase.so
--24568-- Reading syms from /system/lib64/liblog.so
--24568-- Reading syms from /system/lib64/libcgrouprc.so
WARNING: linker: Warning: "/data/local/tmp/valgrind/libexec/valgrind/vgpreload_core-arm64-linux.so" has unsupported flags DT_FLAGS_1=0x421 (ignoring unsupported flags)
WARNING: linker: Warning: "/data/local/tmp/valgrind/libexec/valgrind/vgpreload_massif-arm64-linux.so" has unsupported flags DT_FLAGS_1=0x421 (ignoring unsupported flags)
--24568-- REDIR: 0x84b400c (libc.so:malloc) redirected to 0x8386460 (malloc)
--24568-- Discarding syms at 0x821e000-0x82278d0 in /system/lib64/libcutils.so (have_dinfo 1)
--24568-- Discarding syms at 0x8386154-0x838ef2c in /data/local/tmp/valgrind/libexec/valgrind/vgpreload_massif-arm64-linux.so (have_dinfo 1)
--24568-- Reading syms from /system/lib64/libnetd_client.so
Pointer tag for 0xc400190 was truncated, see 'https://source.android.com/devices/tech/debug/tagged-pointers'.
==24568== 
==24568== Process terminating with default action of signal 6 (SIGABRT)
==24568==    at 0x8519188: __rt_sigprocmask (in /apex/com.android.runtime/lib64/bionic/libc.so)
==24568==    by 0x84D6EFB: sigprocmask64 (in /apex/com.android.runtime/lib64/bionic/libc.so)
==24568==    by 0x84C7D13: abort (in /apex/com.android.runtime/lib64/bionic/libc.so)
==24568==    by 0x84B3F23: free (in /apex/com.android.runtime/lib64/bionic/libc.so)
==24568==    by 0x5F33E43: HMAC_CTX_cleanup (in /system/lib64/libcrypto.so)
==24568==    by 0x5F33897: HMAC (in /system/lib64/libcrypto.so)
==24568==    by 0x5F4298F: BORINGSSL_integrity_test (in /system/lib64/libcrypto.so)
==24568==    by 0x5F42707: ??? (in /system/lib64/libcrypto.so)
==24568==    by 0x40522E3: __dl__ZN6soinfo17call_constructorsEv (in /apex/com.android.runtime/bin/linker64)
==24568==    by 0x405208B: __dl__ZN6soinfo17call_constructorsEv (in /apex/com.android.runtime/bin/linker64)
==24568==    by 0x40B7BBB: __dl__ZL29__linker_init_post_relocationR19KernelArgumentBlockR6soinfo (in /apex/com.android.runtime/bin/linker64)
==24568==    by 0x40B6AFF: __dl___linker_init (in /apex/com.android.runtime/bin/linker64)
==24568==    by 0x4054AD7: __dl__start (in /apex/com.android.runtime/bin/linker64)
==24568== 
Aborted

STEPS TO REPRODUCE
valgrind 3.23.0 was cross-compiled with the Android NDK 25.2.9519653 on an Ubuntu 22.04 machine.

The following flags were set (relative to my Android NDK installation path):
export TRIPLE="aarch64-none-linux-android30"
export CC=".../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64/bin/clang"
export CXX=".../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64/bin/clang++"
export CFLAGS="-O3 --target=${TRIPLE} --gcc-toolchain=.../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64 --sysroot=.../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64/sysroot -mno-outline-atomics"
export CPPFLAGS="-O3 --target=${TRIPLE} --gcc-toolchain=.../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64 --sysroot=.../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64/sysroot -mno-outline-atomics"
export CXXFLAGS="-O3 --target=${TRIPLE} --gcc-toolchain=.../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64 --sysroot=.../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64/sysroot -mno-outline-atomics"
export LD=".../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64/bin/llvm-ld"
export AR=".../Android/Sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/linux-x86_64/bin/llvm-ar"

./configure  --host="aarch64-unknown-linux" --target="aarch64-unknown-linux" --enable-only64bit

Once built, you can push the binary to your Android platform using the `adb push` command.


OBSERVED RESULT
The massif tool aborted. The following message can be seen in the output:
Pointer tag for 0xc400190 was truncated, see 'https://source.android.com/devices/tech/debug/tagged-pointers'.

Quoting the page:
"Starting in Android 11, for 64-bit processes, all heap allocations have an implementation defined tag set in the top byte of the pointer on devices with kernel support for ARM Top-byte Ignore (TBI). Any application that modifies this tag is terminated when the tag is checked during deallocation. This is necessary for future hardware with ARM Memory Tagging Extension (MTE) support."

They do mention ways to disable this behavior for apps, but it didn't work for the binaries I was profiling.

EXPECTED RESULT
Either for it to run, or for Android API >= 30 to be mentioned as no longer supported.
Comment 1 Paul Floyd 2024-05-17 09:30:31 UTC
It looks like malloc is getting redirected but not free, which would probably crash anyway even without MTE.

Has Android changed the visibility of 'free' in any way?
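As an added illustration (not Valgrind's or bionic's code) of the mechanism the quoted Android page describes and of the observation in Comment 1 that malloc was redirected while free was not: a constructed model in which the allocator plants a tag in the top byte of each pointer and free() verifies it before releasing, so a pointer that came from an untagged replacement malloc fails the check as "truncated". The tag value, the names and the report-instead-of-abort behaviour are assumptions; a 64-bit uintptr_t is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a TBI-style tagged heap: the allocator stores a tag in the
 * top byte (bits 56..63, which ARM Top-byte Ignore lets the hardware disregard)
 * and the matching free() refuses a pointer whose tag is gone. Not bionic's code. */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)
#define MODEL_TAG 0xb4ULL  /* assumed per-process tag value, chosen arbitrarily */

typedef enum { FREE_OK = 0, FREE_TAG_TRUNCATED = 1, FREE_TAG_MISMATCH = 2 } free_result;

/* Tagging allocator: a real allocation with the tag planted in the top byte. */
static void *tagged_malloc(size_t n) {
    void *raw = malloc(n);
    if (!raw) return NULL;
    return (void *)((uintptr_t)raw | (MODEL_TAG << TAG_SHIFT));
}

/* The check a tagging free() performs: a zero top byte means the tag was stripped
 * (the "truncated" case from the report), any other value must equal ours. */
free_result check_tag(const void *p) {
    uint64_t tag = ((uintptr_t)p & TAG_MASK) >> TAG_SHIFT;
    if (tag == 0) return FREE_TAG_TRUNCATED;
    if (tag != MODEL_TAG) return FREE_TAG_MISMATCH;
    return FREE_OK;
}

/* Tagging free(): releases only when the tag is intact. bionic aborts here; this
 * model returns the verdict instead so the outcome can be inspected. */
static free_result tagged_free(void *p) {
    free_result r = check_tag(p);
    if (r != FREE_OK) return r;
    free((void *)((uintptr_t)p & ~TAG_MASK));  /* strip the tag before touching memory */
    return FREE_OK;
}

/* Untagged allocator standing in for a replacement malloc loaded by a preload library. */
static void *plain_malloc(size_t n) { return malloc(n); }

/* Matched pair: tagging malloc + tagging free -> accepted. */
free_result scenario_matched(void) { return tagged_free(tagged_malloc(32)); }

/* Mixed pair, as in the report: untagged malloc + tagging free -> refused as truncated. */
free_result scenario_mixed(void) {
    void *p = plain_malloc(32);
    free_result r = tagged_free(p);
    if (r != FREE_OK) free(p);  /* release through the allocator that actually owns it */
    return r;
}
```

The pointer from the report, 0xc400190, has a zero top byte, which is exactly what makes the checking free() classify it as truncated.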