| Field | Value |
|---|---|
| Issue | 184332 |
| Summary | [BOLT] Android Chromium crashes after the instrumentation |
| Labels | BOLT |
| Assignees | |
| Reporter | kaadam |
1) Instrument Android Chromium (libchrome.so) with the following command:
```
llvm-bolt libchrome.so -instrument -o libchrome.so.inst --runtime-instrumentation-lib=/path/to/lib/AArch64/libbolt_rt_instr.a --instrumentation-file=/data/cr/prof.fdata --instrumentation-no-counters-clear --instrumentation-sleep-time=10 --update-debug-sections --instrumentation-wait-forks --skip-funcs-file=skipFuncs.txt-recent
```
2) Some V8 builtin and Blink functions need to be skipped (BOLT reports "cannot relax ADR in non-simple function" for them); please see the attached file:
[skipFuncs-recent.txt](https://github.com/user-attachments/files/25715465/skipFuncs-recent.txt)
The instrumented Android Chromium crashes with the following issue:
```
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x643c0053b97fe in tid 8482 (Thread-2), pid 8460 (chromium.chrome)
Symbolizing stack using ABI=arm64
Build fingerprint: 'Android/aosp_shiba/shiba:14/UD1A.230803.041/eng.kadam.20231201.002508:userdebug/test-keys'
Revision: 'MP1.0'
pid: 8460, tid: 8482, name: Thread-2 >>> org.chromium.chrome <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x000643c0053b97fe
Stack Trace:
RELADDR FUNCTION FILE:LINE
0000000012fec0a0 rx::vk::Renderer::enableDeviceExtensions(rx::vk::ErrorContext*, angle::FeatureOverrides const&, rx::vk::UseVulkanSwapchain, angle::NativeWindowSystem)+1332) (BuildId: 05b9abecf0af36e3a5677b54a088ac350dcc99df /data/app/~~7NCUMR8Z5c1PCM5YlBu0Ew==/org.chromium.chrome-hnPKXock3AnjS_0bFpRTTg==/lib/arm64/libchrome.so
00000000000553b4 __dl__Z9do_dlopenPKciPK17android_dlextinfoPKv+2692) (BuildId: eaf10c3be822b0206f1f8878c81c4631 /apex/com.android.runtime/bin/linker64
0000000000050100 __loader_android_dlopen_ext+80) (BuildId: eaf10c3be822b0206f1f8878c81c4631 /apex/com.android.runtime/bin/linker64
0000000000010110 android_dlopen_ext+16) (BuildId: a7d79503d3b8b118d95b8dfd513c9de5 /apex/com.android.runtime/lib64/bionic/libdl.so
0000000000021908 android::NativeLoaderNamespace::Load(char const*) const+184) (BuildId: 497f56b260e1b28fda840a3f0f7a4b5a /apex/com.android.art/lib64/libnativeloader.so
0000000000010e54 OpenNativeLibraryInNamespace+68) (BuildId: 497f56b260e1b28fda840a3f0f7a4b5a /apex/com.android.art/lib64/libnativeloader.so
0000000000010584 OpenNativeLibrary+132) (BuildId: 497f56b260e1b28fda840a3f0f7a4b5a /apex/com.android.art/lib64/libnativeloader.so
0000000000463594 art::JavaVMExt::LoadNativeLibrary(_JNIEnv*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, _jobject*, _jclass*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*)+2260) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
000000000001135c JVM_NativeLoad+412) (BuildId: 66cd35b3f81bfec87bc8b245191de2b4 /apex/com.android.art/lib64/libopenjdkjvm.so
000000000009c93c art_jni_trampoline+156) (BuildId: 95d01aa237cf4233ec4b83639c07dd2d1305eb92 /system/framework/arm64/boot.oat
00000000000ac648 java.lang.Runtime.loadLibrary0+328) (BuildId: 95d01aa237cf4233ec4b83639c07dd2d1305eb92 /system/framework/arm64/boot.oat
00000000000ad840 java.lang.Runtime.loadLibrary0+368) (BuildId: 95d01aa237cf4233ec4b83639c07dd2d1305eb92 /system/framework/arm64/boot.oat
00000000000b127c java.lang.System.loadLibrary+92) (BuildId: 95d01aa237cf4233ec4b83639c07dd2d1305eb92 /system/framework/arm64/boot.oat
0000000000209418 nterp_helper+152) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
0000000000399f0c nn5.e+100 /data/app/~~7NCUMR8Z5c1PCM5YlBu0Ew==/org.chromium.chrome-hnPKXock3AnjS_0bFpRTTg==/base.apk/libmonochrome.so
000000000020a2d4 nterp_helper+3924) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
0000000000399c86 nn5.b+18 /data/app/~~7NCUMR8Z5c1PCM5YlBu0Ew==/org.chromium.chrome-hnPKXock3AnjS_0bFpRTTg==/base.apk/libmonochrome.so
000000000020a2d4 nterp_helper+3924) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
0000000000399c56 nn5.a+14 /data/app/~~7NCUMR8Z5c1PCM5YlBu0Ew==/org.chromium.chrome-hnPKXock3AnjS_0bFpRTTg==/base.apk/libmonochrome.so
000000000020a2d4 nterp_helper+3924) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
000000000026dd10 cg1.run+4 /data/app/~~7NCUMR8Z5c1PCM5YlBu0Ew==/org.chromium.chrome-hnPKXock3AnjS_0bFpRTTg==/base.apk/libmonochrome.so
0000000000160778 java.lang.Thread.run+72) (BuildId: 95d01aa237cf4233ec4b83639c07dd2d1305eb92 /system/framework/arm64/boot.oat
00000000002109a4 art_quick_invoke_stub+612) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
0000000000253b0c art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+172) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
0000000000699dc8 art::Thread::CreateCallback(void*)+1416) (BuildId: 0067829f53e86a9990bb571adb7b9715 /apex/com.android.art/lib64/libart.so
00000000000d6ccc __pthread_start(void*)+204) (BuildId: a017f07431ff6692304a0cae225962fb /apex/com.android.runtime/lib64/bionic/libc.so
000000000006ab00 __start_thread+64) (BuildId: a017f07431ff6692304a0cae225962fb /apex/com.android.runtime/lib64/bionic/libc.so
```
The linker [calls](https://android.googlesource.com/platform/bionic/+/master/linker/linker_soinfo.cpp#463) `soinfo::call_constructors()`, where the init functions from DT_INIT and DT_INIT_ARRAY are invoked. In our case, BOLT hooks its runtime functions via DT_INIT_ARRAY. The hooking itself seems correct to me: the first entry refers to `__bolt_runtime_start`. However, the last address in the init_array is wrong, so execution jumps to the wrong place during initialization, and that causes the crash.
Disassembly of section .init_array (**original**):
```
000000000ad0ab38 <.init_array>:
ad0ab38: 021a60e0 .inst 0x021a60e0 ; undefined
ad0ab3c: 00000000 udf #0
ad0ab40: 021a63c8 .inst 0x021a63c8 ; undefined
ad0ab44: 00000000 udf #0
ad0ab48: 0745336c .inst 0x0745336c ; undefined
ad0ab4c: 00000000 udf #0
```
Symbols for these addresses:
```
00000000021a60e0 t init_have_lse_atomics
00000000021a63c8 t __init_cpu_features
000000000745336c t _GLOBAL__I_000100
```
After instrumentation, the init_array looks like this.
Disassembly of section .init_array (**instrumented**):
```
000000000ad0ab38 <.init_array>:
ad0ab38: 1ab2387c .inst 0x1ab2387c ; undefined
ad0ab3c: 00000000 udf #0
ad0ab40: 0b46e708 .inst 0x0b46e708 ; undefined
ad0ab44: 00000000 udf #0
ad0ab48: 12fe9124 .inst 0x12fe9124 ; undefined
ad0ab4c: 00000000 udf #0
```
Symbols for these addresses:
```
000000001ab2387c W __bolt_runtime_start // good
000000000b46e708 t __init_cpu_features
0000000012fe9124 // points to wrong place, most probably this should be:
0000000012fb317c <_GLOBAL__I_000100>
```
Disassembly around 0x12fe9124:
```
0000000012fe8bfc <_ZN2rx2vk8Renderer22enableDeviceExtensionsEPNS0_12ErrorContextERKN5angle16FeatureOverridesENS0_18UseVulkanSwapchainENS4_18NativeWindowSystemE>:
12fe8bfc: a9ba7bfd stp x29, x30, [sp, #-0x60]!
12fe8c00: a9016ffc stp x28, x27, [sp, #0x10]
12fe8c04: a90267fa stp x26, x25, [sp, #0x20]
12fe8c08: a9035ff8 stp x24, x23, [sp, #0x30]
12fe8c0c: a90457f6 stp x22, x21, [sp, #0x40]
....
12fe911c: 52862b0a mov w10, #0x3158
12fe9120: 8b0a028a add x10, x20, x10
12fe9124: b930a28b str w11, [x20, #0x30a0] // <-- the init_array entry points here
12fe9128: 5286310b mov w11, #0x3188
12fe912c: f90107ea str x10, [sp, #0x208]
12fe9130: 3d800140 str q0, [x10]
12fe9134: 111f466a add w10, w19, #0x7d1
12fe9138: b9315a8a str w10, [x20, #0x3158]
12fe913c: 110fa30a add w10, w24, #0x3e8
12fe9140: b931728a str w10, [x20, #0x3170]
12fe9144: 8b0b028a add x10, x20, x11
12fe9148: 5286350b mov w11, #0x31a8
12fe914c: ad000140 stp q0, q0, [x10]
```
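The mismatch above (an init_array entry that does not start any symbol) can be checked mechanically. The script below is an added example, not part of this report and not BOLT's own tooling: it parses an objdump-style listing of `.init_array`, reassembles the little-endian 64-bit entries from the 32-bit words objdump prints, and resolves each entry against `nm` output, flagging any entry that does not land exactly on a symbol. The sample inputs are constructed from the listings quoted above; the fourth `nm` line, for the `rx::vk::Renderer::enableDeviceExtensions` function at 0x12fe8bfc, is taken from the disassembly excerpt rather than from a real `nm` run (its symbol type `t` is an assumption), and the function names are my own.

```python
import re
from bisect import bisect_right

# Constructed sample input, copied from the instrumented .init_array dump in the report.
INIT_ARRAY_DUMP = """\
000000000ad0ab38 <.init_array>:
ad0ab38: 1ab2387c .inst 0x1ab2387c ; undefined
ad0ab3c: 00000000 udf #0
ad0ab40: 0b46e708 .inst 0x0b46e708 ; undefined
ad0ab44: 00000000 udf #0
ad0ab48: 12fe9124 .inst 0x12fe9124 ; undefined
ad0ab4c: 00000000 udf #0
"""

# Constructed nm-style listing: the three symbols quoted in the report plus the
# rx::vk::Renderer::enableDeviceExtensions function at the address shown in the
# disassembly excerpt (assumed local 't'; the report does not show its nm line).
NM_OUTPUT = """\
000000001ab2387c W __bolt_runtime_start
000000000b46e708 t __init_cpu_features
0000000012fb317c t _GLOBAL__I_000100
0000000012fe8bfc t _ZN2rx2vk8Renderer22enableDeviceExtensionsEPNS0_12ErrorContextERKN5angle16FeatureOverridesENS0_18UseVulkanSwapchainENS4_18NativeWindowSystemE
"""

DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]+):\s+([0-9a-fA-F]{8})\b")
NM_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)")


def parse_init_array(dump, entry_size=8):
    """Rebuild each init_array pointer from the 32-bit words objdump prints.

    objdump shows .init_array as one 32-bit word per line; on AArch64 (little-endian,
    8-byte pointers) the word at the lower address is the low half of the pointer.
    Returns a list of (slot_address, target_address).
    """
    words = []
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            words.append((int(m.group(1), 16), int(m.group(2), 16)))
    words.sort()  # address order, so the halves pair up correctly
    per_entry = entry_size // 4
    entries = []
    for i in range(0, len(words) - per_entry + 1, per_entry):
        chunk = words[i:i + per_entry]
        target = 0
        for k, (_addr, word) in enumerate(chunk):
            target |= word << (32 * k)
        entries.append((chunk[0][0], target))
    return entries


def parse_nm(text):
    """Map symbol address -> name from nm output (address, type, name columns)."""
    symbols = {}
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if m:
            symbols[int(m.group(1), 16)] = m.group(3)
    return symbols


def check_init_array(dump, nm_text):
    """Classify each init_array entry.

    'ok'         : the entry is exactly the start address of a symbol
    'mid-symbol' : no symbol starts there; reports the nearest preceding symbol and
                   the offset past its start (plain nm has no sizes, so this cannot
                   prove the target is inside that symbol, only that it is not a start)
    'unresolved' : no symbol precedes the target at all
    Returns a list of (slot, target, status, symbol_name, offset).
    """
    symbols = parse_nm(nm_text)
    starts = sorted(symbols)
    report = []
    for slot, target in parse_init_array(dump):
        if target in symbols:
            report.append((slot, target, "ok", symbols[target], 0))
            continue
        i = bisect_right(starts, target) - 1
        if i < 0:
            report.append((slot, target, "unresolved", None, None))
        else:
            start = starts[i]
            report.append((slot, target, "mid-symbol", symbols[start], target - start))
    return report


if __name__ == "__main__":
    for slot, target, status, name, off in check_init_array(INIT_ARRAY_DUMP, NM_OUTPUT):
        detail = "" if status == "ok" else (f" (+0x{off:x} past start)" if off is not None else "")
        print(f"[{slot:#x}] -> {target:#x}: {status} {name or ''}{detail}")
```

On the sample data the first two entries resolve to `__bolt_runtime_start` and `__init_cpu_features`, while the third (0x12fe9124) resolves to no symbol start and sits 0x528 bytes past the beginning of the `enableDeviceExtensions` function, which is the same function the crashing frame in the stack trace belongs to. Running it against real `objdump -d -j .init_array` and `nm` output of the original and instrumented binaries gives a quick regression check that every constructor entry still points at a function start.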
I will update this issue as the fix progresses.
_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs