How to Get meaningful stack trace in Android #984

Open
Tan2NT opened this issue Jul 18, 2018 · 8 comments

Tan2NT commented Jul 18, 2018

I have built my project with ASan, compiled with -fsanitize=address -fno-omit-frame-pointer -O1
But the log does not show the file and function where the crash occurs.
I see this guide on how to get a stack trace for ASan: https://github.com/google/sanitizers/wiki/AddressSanitizerCallStack
Is this link for Android too?
What should I do in detail?

Thanks a lot!

Below is the logcat of the crash:

07-18 20:33:00.952: I/(13918): ==13918==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x49933954 at pc 0xa4dcb5b4 bp 0x9e9ff018 sp 0x9e9ff010
07-18 20:33:00.952: I/(13918): READ of size 4 at 0x49933954 thread T324 (Thread-379)
07-18 20:33:00.962: W/System.err(13918): remove failed: ENOENT (No such file or directory) : package.myapp/shared_prefs/com.google.android.gms.appid.xml.bak
07-18 20:33:00.987: I/(13918): #0 0xa4dcb5b3 (/data/app/package-1/lib/arm/libGame.so+0x10245b3)
07-18 20:33:00.992: I/(13918): #1 0xa4dcbbe7 (/package/lib/arm/libGame.so+0x1024be7)
07-18 20:33:00.992: I/(13918): #2 0xa4dd33d7 (/package/lib/arm/libGame.so+0x102c3d7)
07-18 20:33:00.992: I/(13918): #3 0xa51207a3 (/package/lib/arm/libGame.so+0x13797a3)
07-18 20:33:00.992: I/(13918): #4 0xa4d670b7 (/package/lib/arm/libGame.so+0xfc00b7)
07-18 20:33:00.992: I/(13918): #5 0xac18d617 (/package/lib/arm/libGame.so+0x83e6617)
07-18 20:33:00.992: I/(13918): #6 0xac18ca77 (/package/lib/arm/libGame.so+0x83e5a77)
07-18 20:33:00.992: I/(13918): #7 0xb6784e3b (/system/lib/libc.so+0x3fe3b)
07-18 20:33:00.992: I/(13918): #8 0xb675f55b (/system/lib/libc.so+0x1a55b)
07-18 20:33:00.997: D/TimaKeyStoreProvider(14724): TimaSignature is unavailable
07-18 20:33:00.997: D/ActivityThread(14724): Added TimaKeyStore provider
07-18 20:33:01.007: I/(13918): 0x49933954 is located 0 bytes to the right of 4-byte region [0x49933950,0x49933954)
07-18 20:33:01.007: I/(13918): allocated by thread T324 (Thread-379) here:
07-18 20:33:01.007: I/(13918): #0 0xb6a55077 (/system/lib/libclang_rt.asan-arm-android.so+0x82077)
07-18 20:33:01.007: I/(13918): Thread T324 (Thread-379) created by T0 (.ANMP.myapp) here:
07-18 20:33:01.007: I/(13918): #0 0xb6a2f4db (/system/lib/libclang_rt.asan-arm-android.so+0x5c4db)
07-18 20:33:01.007: I/(13918): #1 0xaeb36d3d (/package/oat/arm/base.odex+0xc34d3d)
07-18 20:33:01.012: I/(13918): SUMMARY: AddressSanitizer: heap-buffer-overflow (/package/lib/arm/libGame.so+0x10245b3)
07-18 20:33:01.012: I/(13918): Shadow bytes around the buggy address:
07-18 20:33:01.012: I/(13918): 0x093266d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
07-18 20:33:01.012: I/(13918): 0x093266e0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
07-18 20:33:01.012: I/(13918): 0x093266f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 04
07-18 20:33:01.012: I/(13918): 0x09326700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
07-18 20:33:01.012: I/(13918): 0x09326710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
07-18 20:33:01.012: I/(13918): =>0x09326720: fa fa fa fa fa fa fa fa fa fa[04]fa fa fa fd fd
07-18 20:33:01.012: I/(13918): 0x09326730: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
07-18 20:33:01.012: I/(13918): 0x09326740: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
07-18 20:33:01.012: I/(13918): 0x09326750: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
07-18 20:33:01.012: I/(13918): 0x09326760: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
07-18 20:33:01.012: I/(13918): 0x09326770: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 04
07-18 20:33:01.012: I/(13918): Shadow byte legend (one shadow byte represents 8 application bytes):
07-18 20:33:01.012: I/(13918): Addressable: 00
07-18 20:33:01.012: I/(13918): Partially addressable: 01 02 03 04 05 06 07
07-18 20:33:01.012: I/(13918): Heap left redzone: fa
07-18 20:33:01.012: I/(13918): Heap right redzone: fb
07-18 20:33:01.012: I/(13918): Freed heap region: fd
07-18 20:33:01.012: I/(13918): Stack left redzone: f1
07-18 20:33:01.012: I/(13918): Stack mid redzone: f2
07-18 20:33:01.012: I/(13918): Stack right redzone: f3
07-18 20:33:01.012: I/(13918): Stack partial redzone: f4
07-18 20:33:01.012: I/(13918): Stack after return: f5
07-18 20:33:01.012: I/(13918): Stack use after scope: f8
07-18 20:33:01.012: I/(13918): Global redzone: f9
07-18 20:33:01.012: I/(13918): Global init order: f6
07-18 20:33:01.012: I/(13918): Poisoned by user: f7
07-18 20:33:01.012: I/(13918): Container overflow: fc
07-18 20:33:01.012: I/(13918): Array cookie: ac
07-18 20:33:01.012: I/(13918): Intra object redzone: bb
07-18 20:33:01.012: I/(13918): ASan internal: fe
07-18 20:33:01.012: I/(13918): Left alloca redzone: ca
07-18 20:33:01.012: I/(13918): Right alloca redzone: cb
07-18 20:33:01.012: I/(13918): ==13918==ABORTING

Contributor

eugenis commented Jul 18, 2018

Does ndk-stack help? See https://developer.android.com/ndk/guides/ndk-stack

If nothing else, you can get debug info manually by passing offsets to addr2line like this:
addr2line -fi -e path/to/lib/arm/libGame.so 0x10245b3 0x1024be7 0x102c3d7 [...]
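
The manual addr2line route suggested above, as an added example that is not part of the original thread or of the sanitizers project: it pulls the module+offset frames out of ASan logcat output and builds one addr2line command per library. The sample log is constructed from the lines in the report, and the host-side path to the unstripped libGame.so is a hypothetical placeholder.

```python
import re

# Constructed sample, modelled on the logcat lines in the report above.
SAMPLE_LOGCAT = """\
07-18 20:33:00.952: I/(13918): ==13918==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x49933954 at pc 0xa4dcb5b4 bp 0x9e9ff018 sp 0x9e9ff010
07-18 20:33:00.962: W/System.err(13918): remove failed: ENOENT (No such file or directory)
07-18 20:33:00.987: I/(13918): #0 0xa4dcb5b3 (/data/app/package-1/lib/arm/libGame.so+0x10245b3)
07-18 20:33:00.992: I/(13918): #1 0xa4dcbbe7 (/package/lib/arm/libGame.so+0x1024be7)
07-18 20:33:00.992: I/(13918): #7 0xb6784e3b (/system/lib/libc.so+0x3fe3b)
07-18 20:33:00.997: D/ActivityThread(14724): Added TimaKeyStore provider
"""

# An ASan frame looks like "#N 0x<pc> (<module path>+0x<offset>)" at the end of the line.
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+\((.+)\+0x([0-9a-fA-F]+)\)\s*$")

def extract_frames(logcat_text):
    """Return [(frame_no, device_path, offset_hex)] for every ASan frame line."""
    frames = []
    for line in logcat_text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), "0x" + m.group(3)))
    return frames

def addr2line_commands(frames, local_libs):
    """Build one addr2line argv per module, offsets in report order.
    local_libs maps a library basename to its unstripped copy on the host."""
    per_module = {}
    for _, device_path, offset in frames:
        name = device_path.rsplit("/", 1)[-1]
        if name in local_libs:  # skip modules with no local symbols (e.g. libc.so)
            per_module.setdefault(name, []).append(offset)
    return [["addr2line", "-fi", "-e", local_libs[name]] + offsets
            for name, offsets in per_module.items()]

if __name__ == "__main__":
    # Hypothetical host path to the unstripped build of the library.
    libs = {"libGame.so": "obj/local/armeabi-v7a/libGame.so"}
    for argv in addr2line_commands(extract_frames(SAMPLE_LOGCAT), libs):
        print(" ".join(argv))
```

The offsets only resolve correctly against the unstripped build of the exact binary that produced the report. Frames from the crash, allocation and thread-creation stacks all match the pattern, so addr2line prints them in the order they appear in the log.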

Author

Tan2NT commented Jul 25, 2018

Hi, thanks for your advice!

Thanks a lot!

Author

Tan2NT commented Jul 25, 2018

One more question:
in asan_device_setup, ASAN_RT_SYMLINK=symlink-to-libclang_rt.asan
Could you explain to me what symlink-to-libclang_rt.asan is?
Is this "libclang_rt.asan-arm-android.so" (ASan runtime lib) or "libGame.so" (shared lib)?

Contributor

eugenis commented Jul 25, 2018

llvm-symbolizer works on Android when pushed to /system/bin, but it needs to be built for android - and I don't know where to get a prebuilt binary for that. The version you find in NDK is for the host, it would not run on device. I've filed android/ndk#753.

symlink-to-libclang_rt.asan is a symlink to libclang_rt.asan-arm-android.so. It is set up near the end of asan_device_setup, with the purpose of giving the same name to the asan runtime library on, say, arm and aarch64. It is needed because a 64-bit app launched with LD_PRELOAD=symlink-to-libclang_rt.asan can spawn a 32-bit process (or the other way around) that would inherit LD_PRELOAD.

Author

Tan2NT commented Jul 27, 2018

Hi eugenis, thank you very much for your information.
Hope that llvm-symbolizer will be included soon in a new NDK release.

@jonmcclung

You can feed the crash report to the symbolize.py script to get the file and line numbers: https://android.googlesource.com/platform/external/compiler-rt/+/56937189e87949cca1964a399c8db3fd2ef0fa2d/lib/asan/scripts/symbolize.py

Note: the script is not very user-friendly in my opinion, and I had to tweak it a bit to get it to work. It does do the job for me now, though.

@infomaniac777

I agree llvm-symbolizer is needed for Android.

@infomaniac777

Without this, I am not finding ASAN useful.
