AddressSanitizer is a fast compiler-based tool for detecting memory bugs in native code. It is comparable to Valgrind (Memcheck tool), but, unlike it, ASan
This document describes how to build and run parts of Android platform with AddressSanitizer.
If you are looking to build a standalone (i.e. SDK/NDK) application with AddressSanitizer, see these docs instead(link, link).
To build the entire platform with AddressSanitizer, run the following commands in the same build tree.
make -j42 make SANITIZE_TARGET=address -j42
In this mode, userdata.img contains extra libraries and must be flashed to the device as well. Use the following command line:
fastboot flash userdata && fastboot flashall
AddressSanitizer checks are inserted into the binary at compilation time and can not be turned off at runtime. There is also a requirement that if a library is instrumented (built with ASan), then the main executable has to be instrumented as well. It works fine the other way around: instrumented executable can load both instrumented and non-instrumented libraries.
In the context of whole-system sanitization this means that a device needs to carry two sets of system libraries to accomodate both instrumented and non-instrumented executables. With SANITIZE_TARGET
, regular libraries are installed under /system/lib
, and ASan-ified libraries - under /data/asan/system/lib
.
ASan-ified executables refer to the loader as /system/bin/linker_asan
in PT_INTERP
field. This is used as a signal that the executable is fine with, and prefers ASan-ified shared libraries; such executables have /data/asan/system/lib
prepended to their default library search path.
Due to limitations of Android build system we can not build two copies of each library at once (Soong is expected to fix this). The second invocation of make builds ASan-ified binaries (overriding regular binaries from the first invocation), and ASan-ified libraries (installed in /data
).
Build system clobbers intermediate object directories when SANITIZE_TARGET
value has changed. This forces a rebuild of all targets while preserving installed binaries under /system/lib
.
Some targets can not be built with ASan:
LOCAL_CLANG:=false
targetsLOCAL_SANITIZE:=never
targetsExecutables like this are skipped in the SANITIZE_TARGET
build, and the version from the first make invocation is left in /system/bin
.
Initially, ASan reports contain references to offsets in binaries and shared libraries. To obtain source file and line information, filter the report through either stack
tool, or the external/compiler-rt/lib/asan/scripts/symbolize.py
script.
AddressSanitizer will attempt to symbolize reports online if it finds llvm-symbolizer
in $PATH
(ex. /system/bin
). Replace device binaries with copies from the symbols
directory for good results, or simply use offline symbolization.
AddressSanitizer behavior can be changed with a large number of runtime flags. Most of them are documented here and here.
Flags can be passed to standalone binaries by setting an environment variable:
adb shell ASAN_OPTIONS=verbosity=2 /system/bin/ping
In SANITIZE_TARGET=address
build, default system environment is set up to read flags from /system/asan.options
. Changing that file will affect all future processes.
To set flags for individual processes, create and/or edit /system/asan.options.%b
, where %b
stands for the process name as seen in adb shell ps
.