
[Bug]: Clang 19 AddressSanitizer crash: terminated by signal SIGSEGV (address boundary error). #21863

Open
funsafe-ptr opened this issue Oct 18, 2024 · 21 comments
Labels
android-8.x Issue happens on devices running Android 8.x bug report Something is not working properly

Comments

@funsafe-ptr

Problem description

Clang 18 worked just fine, but after upgrading to Clang 19, the executable with Address Sanitizer crashes with signal SIGSEGV.

What steps will reproduce the bug?

echo "int main(){}" | cc -x c -; ./a.out works just fine.

echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/lib/clang/19/lib/linux"; ./a.out crashes: './a.out' terminated by signal SIGSEGV (Address boundary error)

With valgrind:

==18451== Memcheck, a memory error detector
==18451== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==18451== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==18451== Command: ./a.out
==18451== 
==18451== Invalid read of size 8
==18451==    at 0x4B3E7E8: getauxval (in /system/lib64/libc.so)
==18451==    by 0x4C7B80B: ??? (in /data/data/com.termux/files/usr/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so)
==18451==    by 0x4C814E3: ??? (in /data/data/com.termux/files/usr/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so)
==18451==    by 0x4C791E7: ??? (in /data/data/com.termux/files/usr/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so)
==18451==    by 0x4D1891B: ??? (in /data/data/com.termux/files/usr/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so)
==18451==    by 0x4D18B3B: ??? (in /data/data/com.termux/files/usr/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so)
==18451==    by 0x4CBDC47: __interceptor_read (in /data/data/com.termux/files/usr/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so)
==18451==    by 0x4BBDB2F: je_pages_boot (in /system/lib64/libc.so)
==18451==    by 0x4BBCFDB: malloc_init_hard_a0_locked (in /system/lib64/libc.so)
==18451==    by 0x4BBB0AF: jemalloc_constructor (in /system/lib64/libc.so)
==18451==    by 0x40213E3: __dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ (in /system/bin/linker64)
==18451==    by 0x402160F: __dl__ZN6soinfo17call_constructorsEv (in /system/bin/linker64)
==18451==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18451== 
==18451== Unsupported clone() flags: 0x1210900
==18451== 
==18451== The only supported clone() uses are:
==18451==  - via a threads library (LinuxThreads or NPTL)
==18451==  - via the implementation of fork or vfork
==18451== 
==18451== Valgrind detected that your program requires
==18451== the following unimplemented functionality:
==18451==    Valgrind does not support general clone().
==18451== This may be because the functionality is hard to implement,
==18451== or because no reasonable program would behave this way,
==18451== or because nobody has yet needed it.  In any case, let us know at
==18451== www.valgrind.org and/or try to work around the problem, if you can.
==18451== 
==18451== Valgrind has to exit now.  Sorry.  Bye!
==18451== 

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable syscall 220 (lwpid 18451)
==18451==    at 0x40B7E5C: __dl___bionic_clone (in /system/bin/linker64)
==18451==    by 0x409F957: __dl_clone (in /system/bin/linker64)
==18451==    by 0x4029C5B: __dl__ZL24debuggerd_signal_handleriP7siginfoPv (in /system/bin/linker64)
==18451==    by 0x58043713: ??? (in /data/data/com.termux/files/usr/libexec/valgrind/memcheck-arm64-linux)

What is the expected behavior?

It works just fine.

System information

Termux Variables:
TERMUX_API_VERSION=0.50.1
TERMUX_APK_RELEASE=F_DROID
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=5647
TERMUX_IS_DEBUGGABLE_BUILD=0
TERMUX_MAIN_PACKAGE_FORMAT=debian
TERMUX_VERSION=0.118.0
TERMUX__USER_ID=0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://packages-cf.termux.dev/apt/termux-main stable main
# root-repo (sources.list.d/root.list)
deb https://packages-cf.termux.dev/apt/termux-root root stable
# x11-repo (sources.list.d/x11.list)
deb https://packages-cf.termux.dev/apt/termux-x11 x11 main
# tur-repo (sources.list.d/tur.list)
deb https://tur.kcubeterm.com tur-packages tur tur-on-device tur-continuous
Updatable packages:
cups/stable 2.4.11 aarch64 [upgradable from: 2.4.10]
gradle/stable 1:8.10.2 all [upgradable from: 1:8.7]
openjdk-17-x/stable 17.0-37 aarch64 [upgradable from: 17.0-31]
openjdk-17/stable 17.0-37 aarch64 [upgradable from: 17.0-31]
vulkan-headers/stable 1.3.299 all [upgradable from: 1.3.298]
xfce4-taskmanager/x11 1.5.7-2 aarch64 [upgradable from: 1.5.7-1]
termux-tools version:
1.44.1
Android version:
8.1.0
Kernel build information:
Linux localhost 4.9.77+ #2 SMP PREEMPT Fri Mar 19 20:17:40 CST 2021 aarch64 Android
Device manufacturer:
OPPO
Device model:
CPH1909
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so
Installed termux plugins:
com.termux.api versionCode:51
com.termux.styling versionCode:32
com.termux.widget versionCode:13
com.termux.window versionCode:15
@funsafe-ptr funsafe-ptr added bug report Something is not working properly untriaged labels Oct 18, 2024
@truboxl
Contributor

truboxl commented Oct 19, 2024

I highly doubt valgrind is working

Can you try lldb -- ./a.out and r?

@funsafe-ptr
Author

Same stuff.

(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) r
Process 2637 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
Process 2637 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
    frame #0: 0x0000007fb7b617e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb7b617e8 <+8>:  ldr    x9, [x8]
    0x7fb7b617ec <+12>: cbz    x9, 0x7fb7b61804 ; <+36>
    0x7fb7b617f0 <+16>: add    x8, x8, #0x10
    0x7fb7b617f4 <+20>: cmp    x9, x0
(lldb) 

@truboxl
Contributor

truboxl commented Oct 19, 2024

After r then bt all?

@truboxl truboxl added the android-8.x Issue happens on devices running Android 8.x label Oct 19, 2024
@funsafe-ptr
Author

* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
  * frame #0: 0x0000007fb73b47e8 libc.so`getauxval + 8
    frame #1: 0x0000007fb76b280c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
    frame #2: 0x0000007fb76b84e4 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2780 + 60
    frame #3: 0x0000007fb76b01e8 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2614 + 60
    frame #4: 0x0000007fb774f91c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3645 + 72
    frame #5: 0x0000007fb774fb3c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3646 + 76
    frame #6: 0x0000007fb76f4c48 libclang_rt.asan-aarch64-android.so`___interceptor_read + 40
    frame #7: 0x0000007fb7433b30 libc.so`je_pages_boot + 92
    frame #8: 0x0000007fb7432fdc libc.so`malloc_init_hard_a0_locked + 2940
    frame #9: 0x0000007fb74310b0 libc.so`jemalloc_constructor + 348
    frame #10: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
    frame #11: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400
    frame #12: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #13: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #14: 0x0000007fb7eaedf4 linker64`__dl___linker_init + 3192
    frame #15: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb) 

@truboxl
Contributor

truboxl commented Oct 19, 2024

I think I need logcat for this

Any ideas? @finagolfin @licy183 @sylirre

@licy183
Member

licy183 commented Oct 19, 2024

The support for aarch64 16kb pagesize in asan is added in llvm/llvm-project@c6049e6. Maybe it breaks the usage of asan on older Android devices.

@licy183 licy183 removed the untriaged label Oct 19, 2024
@licy183
Member

licy183 commented Oct 19, 2024

I can't reproduce it on my Android 7.x device.

# termux-info
Termux Variables:
TERMUX_APK_RELEASE=GITHUB
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=15447
TERMUX_IS_DEBUGGABLE_BUILD=1
TERMUX_VERSION=0.118.0
TERMUX__USER_ID=0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://mirrors.ustc.edu.cn/termux/termux-main stable main
Updatable packages:
All packages up to date
termux-tools version:
1.44.1
Android version:
7.1.1
Kernel build information:
Linux localhost 3.18.41+ #1 SMP PREEMPT Fri Jul 10 10:30:30 CST 2020 aarch64 Android
Device manufacturer:
Meizu
Device model:
PRO 6s
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so

@finagolfin
Member

I cannot reproduce with your example on Android 13 AArch64, where I regularly run some Swift tests with Asan also. Maybe a specific incompatibility with 8.1 or your device?

@funsafe-ptr
Author

funsafe-ptr commented Oct 20, 2024

(lldb) b getauxval
Breakpoint 7: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) run
Process 3233 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
1 location added to breakpoint 1
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = breakpoint 1.1 5.1 7.1
    frame #0: 0x0000007fb73b37e0 libc.so`getauxval
libc.so`getauxval:
->  0x7fb73b37e0 <+0>:  adrp   x8, 181
    0x7fb73b37e4 <+4>:  ldr    x8, [x8, #0x58]
    0x7fb73b37e8 <+8>:  ldr    x9, [x8]
    0x7fb73b37ec <+12>: cbz    x9, 0x7fb73b3804 ; <+36>
(lldb) register read
General Purpose Registers:
        x0 = 0x0000000000000006
        x1 = 0x0000007fffffd358
        x2 = 0x0000007fffffd348
        x3 = 0x0000007fffffd340
        x4 = 0x0000000000100000
        x5 = 0x0000000000000000
        x6 = 0x2f6d65747379732f
        x7 = 0x696c2f343662696c
        x8 = 0xaaaaaaaaaaaaaaaa
        x9 = 0x0000007fb768fc47  
       x10 = 0x0000000000000000
       x11 = 0x0000007fb746c960  libc.so`key_map
       x12 = 0x0000000000000000
       x13 = 0x0000000000000000
       x14 = 0x0000000000000000
       x15 = 0x0000007fb7e7d000
       x16 = 0x0000007fb775e790  
       x17 = 0x0000007fb73b37e0  libc.so`getauxval
       x18 = 0x00000000dd4bab49
       x19 = 0x0000007fffffd348
       x20 = 0x0000000000000000
       x21 = 0x0000000000100000
       x22 = 0x0000007fffffd358
       x23 = 0x0000007fffffd340
       x24 = 0x0000007fb768853d  
       x25 = 0x0000007fb7831460  
       x26 = 0x0000007fb746d000  libc.so`key_map + 1696
       x27 = 0x0000000000000003
       x28 = 0x0000007fb742ff54  libc.so`jemalloc_constructor
        fp = 0x0000007fffffdbf0
        lr = 0x0000007fb76b480c  libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
        sp = 0x0000007fffffd2e0
        pc = 0x0000007fb73b37e0  libc.so`getauxval
      cpsr = 0x00000000

I think register x0 is the first parameter to getauxval, and AT_PAGESZ is defined as 6.

(lldb) step 
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
    frame #0: 0x0000007fb73b37e4 libc.so`getauxval + 4
libc.so`getauxval:
->  0x7fb73b37e4 <+4>:  ldr    x8, [x8, #0x58]
    0x7fb73b37e8 <+8>:  ldr    x9, [x8]
    0x7fb73b37ec <+12>: cbz    x9, 0x7fb73b3804 ; <+36>
    0x7fb73b37f0 <+16>: add    x8, x8, #0x10
(lldb) step
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
    frame #0: 0x0000007fb73b37e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb73b37e8 <+8>:  ldr    x9, [x8]
    0x7fb73b37ec <+12>: cbz    x9, 0x7fb73b3804 ; <+36>
    0x7fb73b37f0 <+16>: add    x8, x8, #0x10
    0x7fb73b37f4 <+20>: cmp    x9, x0
(lldb) step
Process 3233 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
    frame #0: 0x0000007fb73b37e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb73b37e8 <+8>:  ldr    x9, [x8]
    0x7fb73b37ec <+12>: cbz    x9, 0x7fb73b3804 ; <+36>
    0x7fb73b37f0 <+16>: add    x8, x8, #0x10
    0x7fb73b37f4 <+20>: cmp    x9, x0
(lldb) 

@funsafe-ptr
Author

funsafe-ptr commented Oct 20, 2024

And getauxval works just fine in this:

~ $ echo $'#include <sys/auxv.h>\n#include <stdio.h>\nint main(){printf("%zu", getauxval(AT_PAGESZ));}' | cc -x c - -o ./aux.out; ./aux.out
4096~ $ 

Full session:

(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) b getauxval
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) run
Process 10590 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
1 location added to breakpoint 1
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = breakpoint 1.1
    frame #0: 0x0000007fb732a7e0 libc.so`getauxval
libc.so`getauxval:
->  0x7fb732a7e0 <+0>:  adrp   x8, 181
    0x7fb732a7e4 <+4>:  ldr    x8, [x8, #0x58]
    0x7fb732a7e8 <+8>:  ldr    x9, [x8]
    0x7fb732a7ec <+12>: cbz    x9, 0x7fb732a804 ; <+36>
(lldb) register read
General Purpose Registers:
        x0 = 0x0000000000000006
        x1 = 0x0000007fffffd358
        x2 = 0x0000007fffffd348
        x3 = 0x0000007fffffd340
        x4 = 0x0000000000100000
        x5 = 0x0000000000000000
        x6 = 0x2f6d65747379732f
        x7 = 0x696c2f343662696c
        x8 = 0xaaaaaaaaaaaaaaaa
        x9 = 0x0000007fb745ec47  
       x10 = 0x0000000000000000
       x11 = 0x0000007fb73e3960  libc.so`key_map
       x12 = 0x0000000000000000
       x13 = 0x0000000000000000
       x14 = 0x0000000000000000
       x15 = 0x0000007fb7e7d000
       x16 = 0x0000007fb752d790  
       x17 = 0x0000007fb732a7e0  libc.so`getauxval
       x18 = 0x00000000fedd5cca
       x19 = 0x0000007fffffd348
       x20 = 0x0000000000000000
       x21 = 0x0000000000100000
       x22 = 0x0000007fffffd358
       x23 = 0x0000007fffffd340
       x24 = 0x0000007fb745753d  
       x25 = 0x0000007fb7600460  
       x26 = 0x0000007fb73e4000  libc.so`key_map + 1696
       x27 = 0x0000000000000003
       x28 = 0x0000007fb73a6f54  libc.so`jemalloc_constructor
        fp = 0x0000007fffffdbf0
        lr = 0x0000007fb748380c  libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
        sp = 0x0000007fffffd2e0
        pc = 0x0000007fb732a7e0  libc.so`getauxval
      cpsr = 0x00000000

(lldb) step
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
    frame #0: 0x0000007fb732a7e4 libc.so`getauxval + 4
libc.so`getauxval:
->  0x7fb732a7e4 <+4>:  ldr    x8, [x8, #0x58]
    0x7fb732a7e8 <+8>:  ldr    x9, [x8]
    0x7fb732a7ec <+12>: cbz    x9, 0x7fb732a804 ; <+36>
    0x7fb732a7f0 <+16>: add    x8, x8, #0x10
(lldb) register read
General Purpose Registers:
        x0 = 0x0000000000000006
        x1 = 0x0000007fffffd358
        x2 = 0x0000007fffffd348
        x3 = 0x0000007fffffd340
        x4 = 0x0000000000100000
        x5 = 0x0000000000000000
        x6 = 0x2f6d65747379732f
        x7 = 0x696c2f343662696c
        x8 = 0x0000007fb73df000  libc.so`__find_icu_symbol(char const*)::found_icu
        x9 = 0x0000007fb745ec47  
       x10 = 0x0000000000000000
       x11 = 0x0000007fb73e3960  libc.so`key_map
       x12 = 0x0000000000000000
       x13 = 0x0000000000000000
       x14 = 0x0000000000000000
       x15 = 0x0000007fb7e7d000
       x16 = 0x0000007fb752d790  
       x17 = 0x0000007fb732a7e0  libc.so`getauxval
       x18 = 0x00000000fedd5cca
       x19 = 0x0000007fffffd348
       x20 = 0x0000000000000000
       x21 = 0x0000000000100000
       x22 = 0x0000007fffffd358
       x23 = 0x0000007fffffd340
       x24 = 0x0000007fb745753d  
       x25 = 0x0000007fb7600460  
       x26 = 0x0000007fb73e4000  libc.so`key_map + 1696
       x27 = 0x0000000000000003
       x28 = 0x0000007fb73a6f54  libc.so`jemalloc_constructor
        fp = 0x0000007fffffdbf0
        lr = 0x0000007fb748380c  libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
        sp = 0x0000007fffffd2e0
        pc = 0x0000007fb732a7e4  libc.so`getauxval + 4
      cpsr = 0x00200000

(lldb) step
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = instruction step into
    frame #0: 0x0000007fb732a7e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb732a7e8 <+8>:  ldr    x9, [x8]
    0x7fb732a7ec <+12>: cbz    x9, 0x7fb732a804 ; <+36>
    0x7fb732a7f0 <+16>: add    x8, x8, #0x10
    0x7fb732a7f4 <+20>: cmp    x9, x0
(lldb) register read
General Purpose Registers:
        x0 = 0x0000000000000006
        x1 = 0x0000007fffffd358
        x2 = 0x0000007fffffd348
        x3 = 0x0000007fffffd340
        x4 = 0x0000000000100000
        x5 = 0x0000000000000000
        x6 = 0x2f6d65747379732f
        x7 = 0x696c2f343662696c
        x8 = 0x0000000000000000
        x9 = 0x0000007fb745ec47  
       x10 = 0x0000000000000000
       x11 = 0x0000007fb73e3960  libc.so`key_map
       x12 = 0x0000000000000000
       x13 = 0x0000000000000000
       x14 = 0x0000000000000000
       x15 = 0x0000007fb7e7d000
       x16 = 0x0000007fb752d790  
       x17 = 0x0000007fb732a7e0  libc.so`getauxval
       x18 = 0x00000000fedd5cca
       x19 = 0x0000007fffffd348
       x20 = 0x0000000000000000
       x21 = 0x0000000000100000
       x22 = 0x0000007fffffd358
       x23 = 0x0000007fffffd340
       x24 = 0x0000007fb745753d  
       x25 = 0x0000007fb7600460  
       x26 = 0x0000007fb73e4000  libc.so`key_map + 1696
       x27 = 0x0000000000000003
       x28 = 0x0000007fb73a6f54  libc.so`jemalloc_constructor
        fp = 0x0000007fffffdbf0
        lr = 0x0000007fb748380c  libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
        sp = 0x0000007fffffd2e0
        pc = 0x0000007fb732a7e8  libc.so`getauxval + 8
      cpsr = 0x00200000

(lldb) step
Process 10590 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
    frame #0: 0x0000007fb732a7e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb732a7e8 <+8>:  ldr    x9, [x8]
    0x7fb732a7ec <+12>: cbz    x9, 0x7fb732a804 ; <+36>
    0x7fb732a7f0 <+16>: add    x8, x8, #0x10
    0x7fb732a7f4 <+20>: cmp    x9, x0
(lldb) 

(lldb) disassemble
libc.so`getauxval:
    0x7fb732a7e0 <+0>:  adrp   x8, 181
    0x7fb732a7e4 <+4>:  ldr    x8, [x8, #0x58]
->  0x7fb732a7e8 <+8>:  ldr    x9, [x8]
    0x7fb732a7ec <+12>: cbz    x9, 0x7fb732a804 ; <+36>
    0x7fb732a7f0 <+16>: add    x8, x8, #0x10
    0x7fb732a7f4 <+20>: cmp    x9, x0
    0x7fb732a7f8 <+24>: b.eq   0x7fb732a828   ; <+72>
    0x7fb732a7fc <+28>: ldr    x9, [x8], #0x10
    0x7fb732a800 <+32>: cbnz   x9, 0x7fb732a7f4 ; <+20>
    0x7fb732a804 <+36>: stp    x29, x30, [sp, #-0x10]!
    0x7fb732a808 <+40>: mov    x29, sp
    0x7fb732a80c <+44>: bl     0x7fb7327eb0   ; symbol stub for: __errno
    0x7fb732a810 <+48>: mov    x8, x0
    0x7fb732a814 <+52>: orr    w9, wzr, #0x2
    0x7fb732a818 <+56>: mov    x0, xzr
    0x7fb732a81c <+60>: str    w9, [x8]
    0x7fb732a820 <+64>: ldp    x29, x30, [sp], #0x10
    0x7fb732a824 <+68>: ret    
    0x7fb732a828 <+72>: ldur   x0, [x8, #-0x8]
    0x7fb732a82c <+76>: ret    
(lldb) 

This is the source, I think: getauxval
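As an added example (not code from this thread or from bionic), here is the auxv walk that the disassembly above shows, written in C over a constructed auxv table: the first function mirrors bionic's loop and faults when the table pointer is NULL, which is the state the register dump shows (x8 loaded as 0 right before ldr x9, [x8]); the second guards that case and reports ENOENT instead. The names libc_auxv_ptr, getauxval_like_bionic, getauxval_guarded and the sample table entries are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as in <elf.h>, defined here so the example is self-contained. */
#define AT_NULL_ENTRY   0
#define AT_PAGESZ_ENTRY 6

/* Hypothetical stand-in for bionic's __libc_auxv: a pointer to the ELF
 * auxiliary vector that libc init publishes before constructors run.
 * Until then it holds what BSS held, i.e. NULL. */
static const uint64_t *libc_auxv_ptr = NULL;

/* Re-implementation of the loop visible in the lldb disassembly:
 * walk (type, value) pairs until AT_NULL, return the matching value,
 * otherwise set errno = ENOENT and return 0. Like the real function it
 * dereferences the table pointer unconditionally, so a NULL table faults
 * at the equivalent of getauxval+8 (ldr x9, [x8]). */
static unsigned long getauxval_like_bionic(unsigned long type) {
    const uint64_t *p = libc_auxv_ptr;          /* ldr x8, [x8, #0x58]  */
    for (; p[0] != AT_NULL_ENTRY; p += 2) {     /* ldr x9, [x8]; cbz    */
        if (p[0] == type)                        /* cmp x9, x0; b.eq     */
            return (unsigned long)p[1];          /* ldur x0, [x8, #-0x8] */
    }
    errno = ENOENT;                              /* orr w9, wzr, #0x2    */
    return 0;                                    /* mov x0, xzr          */
}

/* Defensive variant: a caller that may run before libc init (such as an
 * interceptor reached from a libc constructor) gets a clean failure
 * instead of a SIGSEGV at address 0. */
static unsigned long getauxval_guarded(unsigned long type) {
    if (libc_auxv_ptr == NULL) {
        errno = ENOENT;  /* table not yet published by libc init */
        return 0;
    }
    return getauxval_like_bionic(type);
}

/* Constructed sample auxv; values are illustrative only. */
static const uint64_t sample_auxv[] = {
    33, 0x7fb7e7d000ULL,        /* AT_SYSINFO_EHDR (vdso base) */
    AT_PAGESZ_ENTRY, 4096,      /* AT_PAGESZ */
    11, 10148,                  /* AT_UID */
    AT_NULL_ENTRY, 0,           /* terminator */
};

/* Simulate the two states the thread shows: before and after libc init. */
static void publish_auxv(void)   { libc_auxv_ptr = sample_auxv; }
static void unpublish_auxv(void) { libc_auxv_ptr = NULL; }

/* Probe the page size early (must fail cleanly with ENOENT), then after
 * publication (must return 4096). Returns 0 if either step misbehaves. */
static unsigned long demo(void) {
    unpublish_auxv();
    errno = 0;
    unsigned long early = getauxval_guarded(AT_PAGESZ_ENTRY);
    if (early != 0 || errno != ENOENT)
        return 0;
    publish_auxv();
    return getauxval_guarded(AT_PAGESZ_ENTRY);
}

int main(void) {
    printf("page size after libc init: %lu\n", demo());  /* prints 4096 */
    return 0;
}
```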

@truboxl
Contributor

truboxl commented Oct 20, 2024

* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
  * frame #0: 0x0000007fb73b47e8 libc.so`getauxval + 8
    frame #1: 0x0000007fb76b280c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
    frame #2: 0x0000007fb76b84e4 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2780 + 60
    frame #3: 0x0000007fb76b01e8 libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2614 + 60
    frame #4: 0x0000007fb774f91c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3645 + 72
    frame #5: 0x0000007fb774fb3c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol3646 + 76
    frame #6: 0x0000007fb76f4c48 libclang_rt.asan-aarch64-android.so`___interceptor_read + 40
    frame #7: 0x0000007fb7433b30 libc.so`je_pages_boot + 92
    frame #8: 0x0000007fb7432fdc libc.so`malloc_init_hard_a0_locked + 2940
    frame #9: 0x0000007fb74310b0 libc.so`jemalloc_constructor + 348
    frame #10: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
    frame #11: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400
    frame #12: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #13: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #14: 0x0000007fb7eaedf4 linker64`__dl___linker_init + 3192
    frame #15: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb) 

Can you post this with more up? I still think you need to provide us logcat.

@licy183
Member

licy183 commented Oct 20, 2024

It seems that __libc_auxv is not properly initialized by __libc_init, but this is really strange.

@funsafe-ptr
Author

@truboxl what did you mean by up?

logcat V

logcat V
--------- beginning of main
10-20 18:25:28.981 28083 28083 W app_process: type=1400 audit(0.0:230707): avc: denied { read } for name="uptime" dev="proc" ino=4026532066 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-20 18:25:55.041 28189 28189 W crash_dump64: type=1400 audit(0.0:230710): avc: denied { read write } for path="/dev/pts/34" dev="devpts" ino=37 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:untrusted_app_devpts:s0:c512,c768 tclass=chr_file permissive=0
10-20 18:25:55.065 28190 28190 W crash_dump64: type=1400 audit(0.0:230711): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 18:25:55.069 28190 28190 I chatty  : uid=10148(com.termux.api) crash_dump64 identical 2 lines
10-20 18:25:55.069 28190 28190 W crash_dump64: type=1400 audit(0.0:230714): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 18:25:55.069 28190 28190 W crash_dump64: type=1400 audit(0.0:230715): avc: denied { search } for name="home" dev="dm-0" ino=1279354 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 18:25:55.077 28190 28190 W crash_dump64: type=1400 audit(0.0:230716): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0

Something about SELinux: https://stackoverflow.com/questions/51231326/what-is-the-meaning-of-avc-denied-read-for-name-line-in-logcat

@funsafe-ptr
Author

funsafe-ptr commented Oct 20, 2024

(lldb) up
frame #1: 0x0000007fb73ae80c libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654 + 84
libclang_rt.asan-aarch64-android.so`___lldb_unnamed_symbol2654:
->  0x7fb73ae80c <+84>: str    x0, [x25]
    0x7fb73ae810 <+88>: cmp    x0, x21
    0x7fb73ae814 <+92>: adrp   x26, -43
    0x7fb73ae818 <+96>: add    x26, x26, #0x558

I think maybe from this:
https://github.com/llvm/llvm-project/blob/e6c01432b6fb6077e1bdf2e0abf05d2c2dd3fd3e/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1212
https://github.com/llvm/llvm-project/blob/e6c01432b6fb6077e1bdf2e0abf05d2c2dd3fd3e/compiler-rt/lib/sanitizer_common/sanitizer_common.h#L65

@funsafe-ptr
Author

@licy183 I don't know if __libc_auxv is not yet initialized or is set to null; I don't know how to set a breakpoint on the symbol.
__libc_auxv is assigned in here
before linker_so.call_constructors(), which is backtrace frame #11: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400 link

@truboxl
Contributor

truboxl commented Oct 20, 2024

There is an alternate copy of lib in ndk-multilib.
Can you try echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/opt/ndk-multilib/cross-compiler-rt/lib"; ./a.out? If the same happens, please attach the logs with up too

For logcat, I expect output like this https://source.android.com/docs/core/tests/debug#debuggerd
That SELinux warning is expected and normal

@funsafe-ptr
Author

I think you mean echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/opt/ndk-multilib/cross-compiler-rt/"; ./a.out, without lib.

And yes, it is working.
I tried to invoke the sanitizer and it is working:

echo "int main(){*(volatile int*)0xdead = 0xbad;}" | cc -x c - -fsanitize=address -Wl,-rpath,"/data/data/com.termux/files/usr/opt/ndk-multilib/cross-compiler-rt/"; ./a.out
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8845==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000dead (pc 0x005cafb7f2d8 bp 0x007ffb2dd520 sp 0x007ffb2dd510 T0)
==8845==The signal is caused by a WRITE memory access.
    #0 0x5cafb7f2d8 in main (/data/data/com.termux/files/home/a.out+0x52d8)
    #1 0x78861809c0 in __libc_init (/system/lib64/libc.so+0xa39c0) (BuildId: 8dc90cf7149cde2ed9c5e76ba8ba5a22)
    #2 0x5cafb7f158 in _start_main crtbegin.c

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/data/data/com.termux/files/home/a.out+0x52d8) in main
==8845==ABORTING
fish: Job 1, './a.out' terminated by signal SIGABRT (Abort)

About logcat, what do you think I should do? I can't access it:
ls: cannot access '/data/tombstones/': Permission denied

@funsafe-ptr
Author

One more thing: I think the lib should be implicitly linked.
https://clang.llvm.org/docs/AddressSanitizer.html#usage

echo "int main(){}" | cc -x c - -fsanitize=address; ./a.out
CANNOT LINK EXECUTABLE "./a.out": library "libclang_rt.asan-aarch64-android.so" not found

@truboxl
Contributor

truboxl commented Oct 20, 2024

Ah yes sorry about that

I suppose something really broke

Can you help try
curl -L https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+/refs/heads/main/clang-r530567/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so?format=TEXT | base64 -d > libclang_rt.asan-aarch64-android.so
and then change the rpath so that it uses that lib?
Just want to confirm this should error also

@funsafe-ptr
Author

funsafe-ptr commented Oct 20, 2024

echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"./"; ./a.out
WARNING: linker: "/data/data/com.termux/files/home/libclang_rt.asan-aarch64-android.so" unused DT entry: type 0x70000001 arg 0x0
fish: Job 1, './a.out' terminated by signal SIGSEGV (Address boundary error)
(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) run
Process 8767 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
WARNING: linker: "/data/data/com.termux/files/home/libclang_rt.asan-aarch64-android.so" unused DT entry: type 0x70000001 arg 0x0
Process 8767 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
    frame #0: 0x0000007fb7cb67e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb7cb67e8 <+8>:  ldr    x9, [x8]
    0x7fb7cb67ec <+12>: cbz    x9, 0x7fb7cb6804 ; <+36>
    0x7fb7cb67f0 <+16>: add    x8, x8, #0x10
    0x7fb7cb67f4 <+20>: cmp    x9, x0
(lldb) bt all
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
  * frame #0: 0x0000007fb7cb67e8 libc.so`getauxval + 8
    frame #1: 0x0000007fb782acb4 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() [inlined] GetPageSizeCached at sanitizer_common.h:72:22
    frame #2: 0x0000007fb782ac88 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() at sanitizer_file.cpp:134:19
    frame #3: 0x0000007fb782fd0c libclang_rt.asan-aarch64-android.so`::ReadLongProcessName() at sanitizer_linux.cpp:1203:7
    frame #4: 0x0000007fb782a2e0 libclang_rt.asan-aarch64-android.so`::CacheBinaryName() [inlined] ReadProcessName at sanitizer_common.cpp:279:3
    frame #5: 0x0000007fb782a2cc libclang_rt.asan-aarch64-android.so`::CacheBinaryName() at sanitizer_common.cpp:298:3
    frame #6: 0x0000007fb78c489c libclang_rt.asan-aarch64-android.so`::AsanInitInternal() at asan_rtl.cpp:398:3
    frame #7: 0x0000007fb78c4adc libclang_rt.asan-aarch64-android.so`::TryAsanInitFromRtl() at asan_rtl.cpp:533:17
    frame #8: 0x0000007fb78685ac libclang_rt.asan-aarch64-android.so`::___interceptor_read() at sanitizer_common_interceptors.inc:972:3
    frame #9: 0x0000007fb7d35b30 libc.so`je_pages_boot + 92
    frame #10: 0x0000007fb7d34fdc libc.so`malloc_init_hard_a0_locked + 2940
    frame #11: 0x0000007fb7d330b0 libc.so`jemalloc_constructor + 348
    frame #12: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
    frame #13: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400
    frame #14: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #15: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #16: 0x0000007fb7eaedf4 linker64`__dl___linker_init + 3192
    frame #17: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb) up
frame #1: 0x0000007fb782acb4 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() [inlined] GetPageSizeCached at sanitizer_common.h:72:22
(lldb) up
frame #2: 0x0000007fb782ac88 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() at sanitizer_file.cpp:134:19
(lldb) up
frame #3: 0x0000007fb782fd0c libclang_rt.asan-aarch64-android.so`::ReadLongProcessName() at sanitizer_linux.cpp:1203:7
(lldb) up
frame #4: 0x0000007fb782a2e0 libclang_rt.asan-aarch64-android.so`::CacheBinaryName() [inlined] ReadProcessName at sanitizer_common.cpp:279:3
(lldb) up
frame #5: 0x0000007fb782a2cc libclang_rt.asan-aarch64-android.so`::CacheBinaryName() at sanitizer_common.cpp:298:3
(lldb) up
frame #6: 0x0000007fb78c489c libclang_rt.asan-aarch64-android.so`::AsanInitInternal() at asan_rtl.cpp:398:3
(lldb) up
frame #7: 0x0000007fb78c4adc libclang_rt.asan-aarch64-android.so`::TryAsanInitFromRtl() at asan_rtl.cpp:533:17
(lldb) up
frame #8: 0x0000007fb78685ac libclang_rt.asan-aarch64-android.so`::___interceptor_read() at sanitizer_common_interceptors.inc:972:3
(lldb) up
frame #9: 0x0000007fb7d35b30 libc.so`je_pages_boot + 92
libc.so`je_pages_boot:
->  0x7fb7d35b30 <+92>:  mov    x20, x0
    0x7fb7d35b34 <+96>:  mov    w0, w19
    0x7fb7d35b38 <+100>: bl     0x7fb7cb3f10   ; symbol stub for: close
    0x7fb7d35b3c <+104>: cmp    x20, #0x0
(lldb) 

And logcat is pretty much the same as before. This is what I do: create a new terminal, run logcat v, go to the previous terminal, run ./a.out, and logcat just prints:

--------- beginning of main
10-20 23:56:02.284  8934  8934 W app_process: type=1400 audit(0.0:241017): avc: denied { read } for name="uptime" dev="proc" ino=4026532066 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-20 23:56:15.516  9035  9035 W crash_dump64: type=1400 audit(0.0:241021): avc: denied { read write } for path="/dev/pts/34" dev="devpts" ino=37 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:untrusted_app_devpts:s0:c512,c768 tclass=chr_file permissive=0
10-20 23:56:15.548  9036  9036 W crash_dump64: type=1400 audit(0.0:241022): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
10-20 23:56:15.564  9036  9036 W crash_dump64: type=1400 audit(0.0:241026): avc: denied { search } for name="com.termux" dev="dm-0" ino=1269891 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0

No crash dump.

@truboxl
Contributor

truboxl commented Oct 20, 2024

Thanks! This confirms the upcoming NDK r28 will have the same issue. We should report to https://github.com/android/ndk

The support for aarch64 16kb pagesize in asan is added in llvm/llvm-project@c6049e6. Maybe it breaks the usage of asan on older Android devices.

Yes, the latest log should point to checking sanitizer_common.h:72:22.

Curiously llvm/llvm-project@c6049e6#diff-7aa35d74ad2634ba31a6fede2910e32d837220fd761b6898542d8a0b71ccfe5aL65 mentions Android post-M sysconf(_SC_PAGESIZE) crashes if called from .preinit_array but was removed in the commit.
