I am trying to build valgrind to help debug a native Android application. The host I am compiling on is a Mac running Mac OS 10.8.3. The target is an internal prototype x86 tablet running Android 4.0.4. I am using Android NDK r8e.

I started with the release version of Valgrind 3.8.1. When I ran into the premature exit described later, I switched to the 3.9.0.SVN version.

I followed the instructions in README.android, setting HWKIND to generic, and making the following changes to get valgrind to build:

1) In the environment variable definitions for the build tools, substituted "darwin-x86_64" for "linux-x86" in the path to each of the tools.

2) Added:
export RANLIB=$NDKROOT/toolchains/x86-4.4.3/prebuilt/linux-x86/bin/i686-android-linux-ranlib
to get the right ranlib executable.

3) The target cpu/kernel detection logic assumes it is building for the host CPU. The --target and --host options cover most of the issues, but the configure script tries to run "uname -r" to get the kernel version. The logic in configure.in that matches kernel versions treats 2.6.* and 3.0.* the same way, so if you are building on a relatively recent Linux system it will probably work fine. Mac OS is returning an OS version of 12.3.0, which is unrelated to the Android kernel version. I hardcoded configure.in to use version "3.0.8" to match my actual device, though maybe calling 'adb shell uname -r' would make more sense for Android targets.

4) The types uint32_t and uint64_t are referenced in the system elf.h, and not defined by default on my system, so I added "#include <stdint.h>" prior to each "#include <elf.h>" (coregrind/m_main.c:2987, coregrind/m_coredump/coredump-elf.c:57, coregrind/m_debuginfo/readelf.c:57, coregrind/m_initimg/initimg-linux.c:60, coregrind/m_ume/elf.c:53, coregrind/launcher-linux.c:47)

When I run "/data/local/Inst/bin/valgrind ls", ls runs without any errors, and I get the expected output:

==32681== Memcheck, a memory error detector
==32681== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==32681== Using Valgrind-3.9.0.SVN and LibVEX; rerun with -h for copyright info
==32681== Command: ls
==32681==
[... ls output deleted ... ]
==32681==
==32681== HEAP SUMMARY:
==32681== in use at exit: 1,024 bytes in 1 blocks
==32681== total heap usage: 41 allocs, 40 frees, 5,967 bytes allocated
==32681==
==32681== LEAK SUMMARY:
==32681== definitely lost: 0 bytes in 0 blocks
==32681== indirectly lost: 0 bytes in 0 blocks
==32681== possibly lost: 0 bytes in 0 blocks
==32681== still reachable: 1,024 bytes in 1 blocks
==32681== suppressed: 0 bytes in 0 blocks
==32681== Rerun with --leak-check=full to see details of leaked memory
==32681==
==32681== For counts of detected and suppressed errors, rerun with: -v
==32681== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

I then added a wrapper, as described by jseward's blog post (http://blog.mozilla.org/jseward/2011/09/27/valgrind-on-android-current-status/), and included the --smc-check=all in the VGPARAMS, because it sounded like it would be required for an x86 build.
The whole /data/local/start_valgrind_myprog file looks like this (I added the trace-symtab params at Julian Seward's suggestion in reply to my post to the valgrind-users mailing list):

#!/system/bin/sh
VGPARAMS='--error-limit=no --smc-check=all -v --trace-symtab=yes --trace-symtab-patt=/system/lib/libva-android.so'
export TMPDIR=/data/data/com.intel.central
exec /data/local/Inst/bin/valgrind $VGPARAMS $*

When I start my application with:

am start -a android.intent.action.MAIN -n com.intel.central/.MainActivity

I see the following from logcat, after filtering logcat's output with "egrep 1644 logcat18.out | sed -e 's/^[^:]*( 1644):[ ]*//g'" to remove extraneous logcat output at the start of each line (1644 is the pid of the wrapper process):

==1645== Memcheck, a memory error detector
==1645== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==1645== Using Valgrind-3.9.0.SVN and LibVEX; rerun with -h for copyright info
==1645== Command: /system/bin/app_process /system/bin --application --nice-name=com.intel.central com.android.internal.os.WrapperInit 32 17 android.app.ActivityThread
==1645==
--1645-- Valgrind options:
--1645-- --error-limit=no
--1645-- --smc-check=all
--1645-- -v
--1645-- --trace-symtab=yes
--1645-- --trace-symtab-patt=/system/lib/libva-android.so
--1645-- Contents of /proc/version:
--1645-- Linux version 3.0.8 (lab@cve-lab-ubuntu01) (gcc version 4.4.3 (GCC) ) #1 SMP PREEMPT Tue May 15 16:02:17 PDT 2012
--1645-- Arch and hwcaps: X86, x86-sse1-sse2
--1645-- Page sizes: currently 4096, max supported 4096
--1645-- Valgrind library directory: /data/local/Inst/lib/valgrind
--1645-- Reading syms from /system/bin/app_process
--1645-- Reading syms from /data/local/Inst/lib/valgrind/memcheck-x86-linux
--1645-- object doesn't have a dynamic symbol table
--1645-- Reading syms from /system/bin/linker
--1645-- object doesn't have a dynamic symbol table
--1645-- Scheduler: using generic scheduler lock implementation.
--1645-- Reading suppressions file: /data/local/Inst/lib/valgrind/default.supp
--1645-- Reading syms from /data/local/Inst/lib/valgrind/vgpreload_core-x86-linux.so
--1645-- Reading syms from /data/local/Inst/lib/valgrind/vgpreload_memcheck-x86-linux.so
--1645-- REDIR: 0xb00078c0 (__dl_strcmp) redirected to 0x4008410 (__dl_strcmp)
--1645-- REDIR: 0xb000ab00 (__dl_strrchr) redirected to 0x40077c0 (__dl_strrchr)
--1645-- REDIR: 0xb000a7e0 (__dl_strlen) redirected to 0x4007c50 (__dl_strlen)
--1645-- Reading syms from /system/lib/liblog.so
--1645-- Reading syms from /system/lib/libc.so
--1645-- REDIR: 0x403ee50 (strchr) redirected to 0x40077f0 (strchr)
--1645-- WARNING: Serious error when reading debug info
--1645-- When reading debug info from /dev/__properties__ (deleted):
--1645-- failed to stat64/stat this file
--1645-- REDIR: 0x4035650 (strlen) redirected to 0x4007c10 (strlen)
--1645-- REDIR: 0x4030a60 (memcmp) redirected to 0x4009570 (memcmp)
--1645-- Reading syms from /system/lib/libstdc++.so
--1645-- Reading syms from /system/lib/libm.so
--1645-- Reading syms from /system/lib/libcutils.so
--1645-- Reading syms from /system/lib/libutils.so
--1645-- Reading syms from /system/lib/libz.so
--1645-- REDIR: 0x4027770 (malloc) redirected to 0x40069e5 (malloc)
--1645-- REDIR: 0x40bfc30 (operator new(unsigned int)) redirected to 0x400732e (operator new(unsigned int))
--1645-- Reading syms from /system/lib/libbinder.so
--1645-- Reading syms from /system/lib/libandroid_runtime.so
--1645-- Reading syms from /system/lib/libexpat.so
--1645-- Reading syms from /system/lib/libnativehelper.so
--1645-- Reading syms from /system/lib/libcrypto.so
--1645-- Reading syms from /system/lib/libicui18n.so
--1645-- Reading syms from /system/lib/libicuuc.so
--1645-- Reading syms from /system/lib/libgabi++.so
--1645-- Reading syms from /system/lib/libssl.so
--1645-- Reading syms from /system/lib/libstlport.so
--1645-- REDIR: 0x402c520 (memcpy) redirected to 0x4008a30 (memcpy)
--1645-- REDIR: 0x4046ca0 (wcslen) redirected to 0x400a440 (wcslen)
--1645-- REDIR: 0x402e4f0 (memmove) redirected to 0x4009b70 (memmove)
--1645-- Reading syms from /system/lib/libnetutils.so
--1645-- Reading syms from /system/lib/libui.so
--1645-- Reading syms from /system/lib/libEGL.so
--1645-- Reading syms from /system/lib/libGLESv2_dbg.so
--1645-- REDIR: 0x403e110 (memchr) redirected to 0x4008470 (memchr)
--1645-- REDIR: 0x4032730 (strcmp) redirected to 0x4008290 (strcmp)
--1645-- REDIR: 0x40277a0 (free) redirected to 0x4006470 (free)
--1645-- Reading syms from /system/lib/libpixelflinger.so
--1645-- Reading syms from /system/lib/libhardware_legacy.so
--1645-- Reading syms from /system/lib/libwpa_client.so
--1645-- Reading syms from /system/lib/libasound.so
--1645-- Reading syms from /system/lib/libevent-listener.so
--1645-- Reading syms from /system/lib/libxmlserializer.so
--1645-- Reading syms from /system/lib/libparameter.so
--1645-- REDIR: 0x4032110 (memset) redirected to 0x4009af0 (memset)
--1645-- Reading syms from /system/lib/libhardware.so
--1645-- Reading syms from /system/lib/libskia.so
--1645-- Reading syms from /system/lib/libemoji.so
--1645-- Reading syms from /system/lib/libjpeg.so
------ start ELF OBJECT ------------------------------
------ name = /system/lib/libva-android.so
--1645-- Reading syms from /system/lib/libva-android.so
------ Basic facts about the object ------
object: img 0x62DF4000 n_oimage 7287
phdr: img 0x62DF4034 nent 5 ent_szB 32
shdr: img 0x62DF5224 nent 22 ent_szB 40
rx_map: avma 0x5441000 size 4096 foff 0
rw_map: avma 0x5442000 size 4096 foff 4096
shdr: string table at 0x62DF5175
------ Examining the program headers ------
PT_LOAD[0]: p_vaddr 0x0 (prev 0x0)
PT_LOAD[0]: p_offset 0, p_filesz 3968, perms r-x
PT_LOAD[0]: acquired as rx
PT_LOAD[1]: p_vaddr 0x1000 (prev 0x0)
PT_LOAD[1]: p_offset 4096, p_filesz 356, perms rw-
PT_LOAD[1]: acquired as rw
Found soname = libva-android.so
------ Examining the section headers ------
rx: at 0x5441000 are mapped foffsets 0 .. 4095
rx: contains these svma regions:
svmas 0x0 .. 0xf7f with bias 0x5441000
rw: at 0x5442000 are mapped foffsets 4096 .. 8191
rw: contains these svma regions:
svmas 0x1000 .. 0x117f with bias 0x5441000
[sec 0] rx al 0 foff 0 .. -1 svma 0x0 name ""
zero sized section "", ignoring
[sec 1] rx al 4 foff 212 .. 403 svma 0xD4 name ".hash"
[sec 2] rx al 4 foff 404 .. 867 svma 0x194 name ".dynsym"
[sec 3] rx al 1 foff 868 .. 1297 svma 0x364 name ".dynstr"
[sec 4] rx al 4 foff 1300 .. 1363 svma 0x514 name ".rel.dyn"
[sec 5] rx al 4 foff 1364 .. 1507 svma 0x554 name ".rel.plt"
[sec 6] rx al 4 foff 1508 .. 1811 svma 0x5E4 name ".plt"
acquiring .plt avma = 0x54415e4
[sec 7] rx al16 foff 1824 .. 3443 svma 0x720 name ".text"
acquiring .text svma = 0x720 .. 0xd73
acquiring .text avma = 0x5441720 .. 0x5441d73
acquiring .text bias = 0x5441000
[sec 8] rx al 1 foff 3444 .. 3615 svma 0xD74 name ".rodata"
acquiring .rodata svma = 0xd74 .. 0xe1f
acquiring .rodata avma = 0x5441d74 .. 0x5441e1f
acquiring .rodata bias = 0x5441000
[sec 9] rx al 4 foff 3616 .. 3675 svma 0xE20 name ".eh_frame_hdr"
[sec 10] rx al 4 foff 3676 .. 3967 svma 0xE5C name ".eh_frame"
acquiring .eh_frame avma = 0x5441e5c
[sec 11] rw al 4 foff 4096 .. 4107 svma 0x1000 name ".init_array"
[sec 12] rw al 4 foff 4108 .. 4119 svma 0x100C name ".fini_array"
[sec 13] rw al 4 foff 4120 .. 4343 svma 0x1018 name ".dynamic"
[sec 14] rw al 4 foff 4344 .. 4363 svma 0x10F8 name ".got"
acquiring .got avma = 0x54420f8
[sec 15] rw al 4 foff 4364 .. 4447 svma 0x110C name ".got.plt"
acquiring .got.plt avma = 0x544210c
[sec 16] rw al 4 foff 4448 .. 4451 svma 0x1160 name ".data"
acquiring .data svma = 0x1160 .. 0x1163
acquiring .data avma = 0x5442160 .. 0x5442163
acquiring .data bias = 0x5441000
[sec 17] rw al 4 foff 4452 .. 4479 svma 0x1164 name ".bss"
acquiring .bss svma = 0x1164 .. 0x117f
acquiring .bss avma = 0x5442164 .. 0x544217f
acquiring .bss bias = 0x5441000
[sec 18] rx al 1 foff 4452 .. 4468 svma 0x0 name ".comment"
[sec 19] rx al 1 foff 4469 .. 4640 svma 0x0 name ".shstrtab"
[sec 20] rx al 4 foff 5524 .. 6531 svma 0x0 name ".symtab"
[sec 21] rx al 1 foff 6532 .. 7286 svma 0x0 name ".strtab"
------ Finding image addresses for debug-info sections ------
.dynsym : img 0x62DF4194 .. 0x62DF4363
.dynstr : img 0x62DF4364 .. 0x62DF4511
.eh_frame : img 0x62DF4E5C .. 0x62DF4F7F
.symtab : img 0x62DF5594 .. 0x62DF5983
.strtab : img 0x62DF5984 .. 0x62DF5C76
--- Reading (ELF, standard) symbol table (63 entries) ---
raw symbol [ 1]: LOC FUN : svma 0x0000000770, sz 0 frame_dummy
rec(t) [ 1]: val 0x0005441770, sz 2048 frame_dummy
raw symbol [ 2]: LOC FUN : svma 0x0000000720, sz 0 __do_global_dtors_aux
rec(t) [ 2]: val 0x0005441720, sz 2048 __do_global_dtors_aux
raw symbol [ 3]: LOC OBJ : svma 0x0000000e5c, sz 0 __EH_FRAME_BEGIN__
ignore -- 0x5441e5c .. 0x544265c outside .text svma range 0x5441720 .. 0x5441d74
raw symbol [ 4]: LOC OBJ : svma 0x0000001164, sz 1 completed.4454
rec(d) [ 4]: val 0x0005442164, sz 1 completed.4454
raw symbol [ 5]: LOC OBJ : svma 0x0000001168, sz 24 object.4469
rec(d) [ 5]: val 0x0005442168, sz 24 object.4469
raw symbol [ 6]: LOC FUN : svma 0x0000000820, sz 23 _ZL24va_DisplayContextIsValidP16VADisplayContext
rec(t) [ 6]: val 0x0005441820, sz 23 _ZL24va_DisplayContextIsValidP16VADisplayContext
raw symbol [ 7]: LOC FUN : svma 0x0000000b10, sz 90 _ZL24va_DisplayContextDestroyP16VADisplayContext
rec(t) [ 7]: val 0x0005441b10, sz 90 _ZL24va_DisplayContextDestroyP16VADisplayContext
raw symbol [ 8]: LOC FUN : svma 0x0000000c80, sz 244 _ZL30va_DisplayContextGetDriverNameP16VADisplayContextPPc
rec(t) [ 8]: val 0x0005441c80, sz 244 _ZL30va_DisplayContextGetDriverNameP16VADisplayContextPPc
raw symbol [ 9]: LOC FUN : svma 0x0000000b70, sz 268 _ZL11open_devicePc.clone.0
rec(t) [ 9]: val 0x0005441b70, sz 268 _ZL11open_devicePc.clone.0
raw symbol [ 10]: LOC OBJ : svma 0x0000000f7c, sz 4 __FRAME_END__
rec(t) [ 10]: val 0x0005441f7c, sz 4 __FRAME_END__
raw symbol [ 11]: LOC FUN : svma 0x0000000800, sz 17 __stack_chk_fail_local
rec(t) [ 11]: val 0x0005441800, sz 17 __stack_chk_fail_local
raw symbol [ 12]: LOC OBJ : svma 0x0000001018, sz 0 _DYNAMIC
ignore -- 0x5442018 .. 0x5442818 outside .text svma range 0x5441720 .. 0x5441d74
raw symbol [ 13]: LOC NOT : svma 0x0000001160, sz 0 __dso_handle
raw symbol [ 14]: LOC FUN : svma 0x0000000811, sz 0 __x86.get_pc_thunk.bx

valgrind: m_debuginfo/readelf.c:577 (get_elf_symbol_info): Assertion 'in_rx' failed.
==1645== at 0x38033455: report_and_quit (m_libcassert.c:260)
==1645== by 0x38033851: vgPlain_assert_fail (m_libcassert.c:340)
==1645== by 0x3806D80E: read_elf_symtab__normal (readelf.c:577)
==1645== by 0x380705F3: vgModuleLocal_read_elf_debug_info (readelf.c:2655)
==1645== by 0x3806A449: vgPlain_di_notify_mmap (debuginfo.c:629)
==1645== by 0x38097510: vgModuleLocal_generic_PRE_sys_mmap (syswrap-generic.c:2087)
==1645== by 0x380C9A0B: vgSysWrap_x86_linux_sys_mmap2_before (syswrap-x86-linux.c:1247)
==1645== by 0x3808C830: vgPlain_client_syscall (syswrap-main.c:1522)
==1645== by 0x38089C12: vgPlain_scheduler (scheduler.c:1066)
==1645== by 0x380C1188: run_a_thread_NORETURN (syswrap-linux.c:103)

sched status:
running_tid=1

Thread 1: status = VgTs_Runnable
==1645== at 0xB000F261: __dl___mmap2 (in /system/bin/linker)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using. Thanks.

The wrapper script appears to be launching the application, but it looks like valgrind is exiting immediately with an 'in_rx' assertion failure.
I used the '--trace-symtab-patt=/system/lib/libva-android.so' parameter, because libva-android.so looked like the last object loaded before the failure. If it would help, I can re-run with other parameters. The .so is from an unreleased product, so I am not sure if I can release it.

I cannot send you our application to test with, but I see the same assertion failure when compiling and running the HelloJni example from the Android Maven plug-in samples. Instructions on how to download and build the examples are at http://code.google.com/p/maven-android-plugin/wiki/Samples. (The short version is: attach an Android device by USB with debugging enabled, install samples in ${MVN_SAMPLES}, and then "cd ${MVN_SAMPLES}/jayway-maven-android-plugin-samples-0f83bcb/native/mixed-java-native-code ; mvn clean install && mvn android:deploy")

Reproducible: Always

Steps to Reproduce:
1. Build and install valgrind on an x86 Android device as described in the Details section.
2. Run valgrind on a native application (see Details above)

Actual Results:
Valgrind exits on Assertion 'in_rx' failed.

Expected Results:
Valgrind tells me where my bugs are :-)
Hmm, tricky. The simplest way to debug this is by having the .so at this end. Can you try with a new checkout of V trunk (or svn up your tree?) The debuginfo reader got overhauled recently and it might produce some new or different info.
There is a patch [1] on the master branch that fixes an issue that looks similar to this one. Can you try to build Valgrind ToT and test it with your application?

[1] https://sourceware.org/git/?p=valgrind.git;a=commit;h=0eea388934a228231843d8c13cfd99bb170074f1
Bug 389412 describes the same assertion for clang under Linux. In our case the upgrade from clang 7 to 11 solved the problem.