mambo
Building on Android
I know Android is not officially supported (#17), but figured I'd document my progress in an open ticket until I finish it.
Using Termux (and clang, see #27):
apt install libelf-dev git ruby make clang-6.0
$ make
MAMBO: detected architecture "arm"
PIE: detected architecture "arm"
make --no-print-directory ARCH=arm pie
ruby generate_decoder.rb arm > pie-arm-decoder.c
ruby generate_decoder.rb arm header > pie-arm-decoder.h
cc -c -Os -Wall -g -std=c99 pie-arm-decoder.c -o pie-arm-decoder.o
ruby generate_encoder.rb arm > pie-arm-encoder.c
ruby generate_encoder.rb arm header > pie-arm-encoder.h
cc -c -Os -Wall -g -std=c99 pie-arm-encoder.c -o pie-arm-encoder.o
ruby generate_field-decoder.rb arm > pie-arm-field-decoder.c
ruby generate_field-decoder.rb arm header > pie-arm-field-decoder.h
cc -c -Os -Wall -g -std=c99 pie-arm-field-decoder.c -o pie-arm-field-decoder.o
make --no-print-directory ARCH=thumb pie
ruby generate_decoder.rb thumb > pie-thumb-decoder.c
ruby generate_decoder.rb thumb header > pie-thumb-decoder.h
cc -c -Os -Wall -g -std=c99 pie-thumb-decoder.c -o pie-thumb-decoder.o
ruby generate_encoder.rb thumb > pie-thumb-encoder.c
ruby generate_encoder.rb thumb header > pie-thumb-encoder.h
cc -c -Os -Wall -g -std=c99 pie-thumb-encoder.c -o pie-thumb-encoder.o
ruby generate_field-decoder.rb thumb > pie-thumb-field-decoder.c
ruby generate_field-decoder.rb thumb header > pie-thumb-field-decoder.h
cc -c -Os -Wall -g -std=c99 pie-thumb-field-decoder.c -o pie-thumb-field-decoder.o
ruby api/generate_emit_wrapper.rb pie/pie-arm-encoder.c header > api/emit_arm.h
ruby api/generate_emit_wrapper.rb pie/pie-thumb-encoder.c header > api/emit_thumb.h
cc -D_GNU_SOURCE -g -std=gnu99 -O2 -fno-integrated-as -mfpu=neon -DPLUGINS_NEW -c -o elf_loader/elf_loader.o elf_loader/elf_loader.c
In file included from elf_loader/elf_loader.c:32:
elf_loader/../api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
elf_loader/elf_loader.c:269:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
2 warnings generated.
ruby api/generate_emit_wrapper.rb pie/pie-arm-encoder.c > api/emit_arm.c
ruby api/generate_emit_wrapper.rb pie/pie-thumb-encoder.c > api/emit_thumb.c
cc -D_GNU_SOURCE -g -std=gnu99 -O2 -fno-integrated-as -mfpu=neon -DPLUGINS_NEW -static -ldl -Wl,-Ttext-segment=0xa8000000 -fno-integrated-as -DDBM_LINK_UNCOND_IMM -DDBM_INLINE_UNCOND_IMM -DDBM_LINK_COND_IMM -DDBM_LINK_CBZ -DDBM_LINK_TBZ -DDBM_TB_DIRECT -DLINK_BX_ALT -DDBM_INLINE_HASH -DDBM_TRACES -I/usr/include/libelf -o dbm dispatcher.S common.c dbm.c traces.c syscalls.c dispatcher.c signals.c util.S api/helpers.c api/plugin_support.c api/branch_decoder_support.c api/load_store.c elf_loader/elf_loader.o scanner_thumb.c scanner_arm.c api/emit_arm.c api/emit_thumb.c plugins/branch_count.c pie/pie-arm-encoder.o pie/pie-arm-decoder.o pie/pie-arm-field-decoder.o pie/pie-thumb-encoder.o pie/pie-thumb-decoder.o pie/pie-thumb-field-decoder.o -lelf -lpthread
/data/data/com.termux/files/usr/tmp/dispatcher-59fa24.s: Assembler messages:
/data/data/com.termux/files/usr/tmp/dispatcher-59fa24.s: Warning: end of file in comment; newline inserted
In file included from common.c:30:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
1 warning generated.
In file included from dbm.c:35:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
dbm.c:624:1: warning: return type of 'main' is not 'int' [-Wmain-return-type]
void main(int argc, char **argv, char **envp) {
^
dbm.c:624:1: note: change return type to 'int'
void main(int argc, char **argv, char **envp) {
^~~~
int
2 warnings generated.
In file included from traces.c:28:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
traces.c:321:12: warning: 21 enumeration values not handled in switch: 'unknown', 'stub', 'uncond_b_to_bl_thumb'... [-Wswitch]
switch(thread_data->code_cache_meta[trace_id].exit_branch_type) {
^
traces.c:543:10: warning: 19 enumeration values not handled in switch: 'unknown', 'stub', 'uncond_b_to_bl_thumb'... [-Wswitch]
switch(thread_data->code_cache_meta[fragment_id].exit_branch_type) {
^
3 warnings generated.
In file included from syscalls.c:32:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
syscalls.c:113:3: warning: implicit declaration of function 'pthread_attr_setinheritsched' is invalid in C99 [-Wimplicit-function-declaration]
pthread_attr_setinheritsched(&attr, PTHREAD_INHERIT_SCHED);
^
2 warnings generated.
/data/data/com.termux/files/usr/tmp/syscalls-53fc5f.s: Assembler messages:
/data/data/com.termux/files/usr/tmp/syscalls-53fc5f.s:170: Error: selected processor does not support `dmb SY' in ARM mode
/data/data/com.termux/files/usr/tmp/syscalls-53fc5f.s:1789: Error: selected processor does not support `dmb SY' in ARM mode
In file included from dispatcher.c:25:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
dispatcher.c:142:11: warning: 17 enumeration values not handled in switch: 'unknown', 'stub', 'trace_inline_max'... [-Wswitch]
switch (source_branch_type) {
^
2 warnings generated.
In file included from signals.c:27:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
1 warning generated.
/data/data/com.termux/files/usr/tmp/util-8c1fb3.s: Assembler messages:
/data/data/com.termux/files/usr/tmp/util-8c1fb3.s: Warning: end of file in comment; newline inserted
In file included from api/helpers.c:25:
In file included from api/../plugins.h:20:
api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
api/helpers.c:135:35: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
emit_arm_copy_to_reg_32bit(ctx, lr, (uint32_t)function_ptr);
~~~~~~~~~~~~~~~~~~~~~~~~~~ ^~
api/helpers.c:140:37: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
emit_thumb_copy_to_reg_32bit(ctx, lr, (uint32_t)function_ptr);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^~
api/helpers.c:339:21: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
emit_set_reg(ctx, lr, (uintptr_t)function_ptr);
~~~~~~~~~~~~ ^~
api/helpers.c:619:10: warning: enumeration value 'A64_INST' not handled in switch [-Wswitch]
switch(mambo_get_inst_type(ctx)) {
^
5 warnings generated.
In file included from api/plugin_support.c:26:
api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
1 warning generated.
In file included from api/branch_decoder_support.c:23:
api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
1 warning generated.
In file included from api/load_store.c:26:
In file included from api/../plugins.h:20:
api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
api/load_store.c:609:49: warning: passing 'int *' to parameter of type 'uint32_t *' (aka 'unsigned int *') converts between pointers to integer types with different sign
[-Wpointer-sign]
_decode_arm(i == IMM_LDR, p, u, operand2, &rm, &imm);
^~~
api/load_store.c:574:79: note: passing argument to parameter 'rm' here
void _decode_arm(bool is_imm, uint32_t p, uint32_t u, uint32_t op2, uint32_t *rm, int *imm) {
^
api/load_store.c:627:53: warning: passing 'int *' to parameter of type 'uint32_t *' (aka 'unsigned int *') converts between pointers to integer types with different sign
[-Wpointer-sign]
_decode_arm(i, p, u, (imm4h << 4) | rm_imm4l, &rm, &imm);
^~~
api/load_store.c:574:79: note: passing argument to parameter 'rm' here
void _decode_arm(bool is_imm, uint32_t p, uint32_t u, uint32_t op2, uint32_t *rm, int *imm) {
^
3 warnings generated.
In file included from scanner_thumb.c:30:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
scanner_thumb.c:150:19: warning: '&' within '|' [-Wbitwise-op-parentheses]
mask = mask & 0x8 | 0x4;
~~~~~^~~~~ ~
scanner_thumb.c:150:19: note: place parentheses around the '&' expression to silence this warning
mask = mask & 0x8 | 0x4;
^
( )
scanner_thumb.c:153:19: warning: '&' within '|' [-Wbitwise-op-parentheses]
mask = mask & 0xc | 0x2;
~~~~~^~~~~ ~
scanner_thumb.c:153:19: note: place parentheses around the '&' expression to silence this warning
mask = mask & 0xc | 0x2;
^
( )
scanner_thumb.c:156:19: warning: '&' within '|' [-Wbitwise-op-parentheses]
mask = mask & 0xe | 0x1;
~~~~~^~~~~ ~
scanner_thumb.c:156:19: note: place parentheses around the '&' expression to silence this warning
mask = mask & 0xe | 0x1;
^
( )
scanner_thumb.c:568:33: warning: passing 'uint16_t *' (aka 'unsigned short *') to parameter of type 'int16_t *' (aka 'short *') converts between pointers to integer types with
different sign [-Wpointer-sign]
set_cc_imm_links(thread_data, *o_write_p, basic_block, address_taken, address_skipped, taken_in_cache, skipped_in_cache);
^~~~~~~~~~
scanner_thumb.c:463:35: note: passing argument to parameter 'write_p' here
int16_t *write_p,
^
scanner_thumb.c:647:33: warning: passing 'uint16_t *' (aka 'unsigned short *') to parameter of type 'int16_t *' (aka 'short *') converts between pointers to integer types with
different sign [-Wpointer-sign]
set_cc_imm_links(thread_data, *o_write_p, basic_block, address_taken, address_skipped, taken_in_cache, skipped_in_cache);
^~~~~~~~~~
scanner_thumb.c:463:35: note: passing argument to parameter 'write_p' here
int16_t *write_p,
^
scanner_thumb.c:767:12: warning: 494 enumeration values not handled in switch: 'THUMB_ADC16', 'THUMB_ADD16', 'THUMB_ADD_FROM_PC16'... [-Wswitch]
switch(inst) {
^
scanner_thumb.c:1289:18: warning: 515 enumeration values not handled in switch: 'THUMB_ADC16', 'THUMB_ADD16', 'THUMB_ADD_FROM_PC16'... [-Wswitch]
switch(inst) {
^
scanner_thumb.c:1412:39: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
copy_to_reg_32bit(&write_p, lr, ((uint32_t)read_address) + 2 + 1);
~~~~~~~~~~~~~~~~~ ^~
scanner_thumb.c:2403:39: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
copy_to_reg_32bit(&write_p, lr, ((uint32_t)read_address) + 4 + 1);
~~~~~~~~~~~~~~~~~ ^~
scanner_thumb.c:2564:16: warning: 516 enumeration values not handled in switch: 'THUMB_ADC16', 'THUMB_ADD16', 'THUMB_ADD_FROM_PC16'... [-Wswitch]
switch(inst) {
^
11 warnings generated.
In file included from scanner_arm.c:30:
./api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
scanner_arm.c:318:12: warning: 370 enumeration values not handled in switch: 'ARM_AND', 'ARM_BFC', 'ARM_BFI'... [-Wswitch]
switch(inst) {
^
scanner_arm.c:680:43: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
arm_copy_to_reg_32bit(&write_p, lr, (uint32_t)read_address + 4);
~~~~~~~~~~~~~~~~~~~~~ ^~
scanner_arm.c:733:43: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
arm_copy_to_reg_32bit(&write_p, lr, (uint32_t)read_address + 4);
~~~~~~~~~~~~~~~~~~~~~ ^~
scanner_arm.c:773:41: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
arm_copy_to_reg_32bit(&write_p, lr, (uint32_t)read_address + 4);
~~~~~~~~~~~~~~~~~~~~~ ^~
scanner_arm.c:859:17: warning: 383 enumeration values not handled in switch: 'ARM_ADC', 'ARM_ADD', 'ARM_AND'... [-Wswitch]
switch (inst) {
^
scanner_arm.c:959:19: warning: 383 enumeration values not handled in switch: 'ARM_ADC', 'ARM_ADD', 'ARM_AND'... [-Wswitch]
switch (inst) {
^
scanner_arm.c:1061:17: warning: 383 enumeration values not handled in switch: 'ARM_ADC', 'ARM_ADD', 'ARM_AND'... [-Wswitch]
switch (inst) {
^
scanner_arm.c:1073:51: warning: & has lower precedence than ==; == will be evaluated first [-Wparentheses]
assert(condition_code == AL && rn == sp & prepostindex && !updown && writeback); // PUSH {PC}
~~~~~~~~~^
/data/data/com.termux/files/usr/include/assert.h:51:23: note: expanded from macro 'assert'
# define assert(e) ((e) ? __assert_no_op : __assert2(__FILE__, __LINE__, __PRETTY_FUNCTION__, #e))
^
scanner_arm.c:1073:51: note: place parentheses around the '==' expression to silence this warning
assert(condition_code == AL && rn == sp & prepostindex && !updown && writeback); // PUSH {PC}
~~~~~~~~ ^
/data/data/com.termux/files/usr/include/assert.h:51:23: note: expanded from macro 'assert'
# define assert(e) ((e) ? __assert_no_op : __assert2(__FILE__, __LINE__, __PRETTY_FUNCTION__, #e))
^
scanner_arm.c:1073:51: note: place parentheses around the & expression to evaluate it first
assert(condition_code == AL && rn == sp & prepostindex && !updown && writeback); // PUSH {PC}
~~~^~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/assert.h:51:23: note: expanded from macro 'assert'
# define assert(e) ((e) ? __assert_no_op : __assert2(__FILE__, __LINE__, __PRETTY_FUNCTION__, #e))
^
scanner_arm.c:1076:40: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
arm_add_sub_32_bit(&write_p, sp, sp, -8);
~~~~~~~~~~~~~~~~~~ ^~
scanner_arm.c:1076:44: warning: implicit conversion from enumeration type 'enum reg_alt' to different enumeration type 'enum reg' [-Wenum-conversion]
arm_add_sub_32_bit(&write_p, sp, sp, -8);
~~~~~~~~~~~~~~~~~~ ^~
scanner_arm.c:1102:19: warning: 383 enumeration values not handled in switch: 'ARM_ADC', 'ARM_ADD', 'ARM_AND'... [-Wswitch]
switch (inst) {
^
12 warnings generated.
In file included from api/emit_arm.c:2:
api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
1 warning generated.
In file included from api/emit_thumb.c:2:
api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
1 warning generated.
In file included from plugins/branch_count.c:27:
In file included from plugins/../plugins.h:20:
plugins/../api/../dbm.h:363:9: warning: 'PAGE_SIZE' macro redefined [-Wmacro-redefined]
#define PAGE_SIZE (page_size)
^
/data/data/com.termux/files/usr/include/sys/user.h:38:9: note: previous definition is here
#define PAGE_SIZE 4096
^
plugins/branch_count.c:45:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
plugins/branch_count.c:65:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
plugins/branch_count.c:70:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
plugins/branch_count.c:88:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
5 warnings generated.
clang-7: error: assembler command failed with exit code 1 (use -v to see invocation)
make[1]: *** [makefile:65: dbm] Error 1
make: *** [makefile:56: all] Error 2
I see @HuErr appears to have a working Android based off of #15. Would you mind sharing mambondk? =)
Was able to get a bit further with Termux by setting CFLAGS+=-mcpu=krait in the makefile.
Hi @Manouchehri, have you managed to get the project working on Android?
I am trying to build mambo with the Android NDK, and am able to compile now: android-ndk-build
@amimo, it seems that you merged multiple non-related modifications in a single commit. Is there any other branch/repo where we can find the modifications in a series of atomic commits?
@umarcor I split this single commit into smaller ones. You can see all the changes I made here: android-ndk-build.
I’m not sure why I forgot to share this, but I sponsored @liamwhite to poke around with building Mambo for Android. https://gist.github.com/Manouchehri/7263b3231a755d8f34cf719006b2c393
Note that the mixtape link in this gist is dead. The package in question is, however, part of the gist. (You will need to clone it or download it directly.)
@Manouchehri @liamwhite really nice patches, can I port them to my ndk-build? I also have a question about the disp_thread_data variable: it looks like a TLS variable, is it still one after putting it in the data section?
Sure, feel free to use the patches.
@Manouchehri @liamwhite I only had a quick look at the patches, but I've noticed fix-sigaction.patch is going to break signal handling. The POSIX / libc struct sigaction is different from the kernel's, which is why MAMBO has a kernel_sigaction.h.
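The layout mismatch behind that remark, as an added example (not MAMBO's code and not its kernel_sigaction.h): the kernel's asm-generic `struct sigaction`, which is the rt_sigaction ABI on AArch64 and x86_64, orders its fields differently from libc's and carries an 8-byte mask instead of a 128-byte sigset_t, so the two must be converted field by field rather than cast or memcpy'd. The `kernel_sigaction` struct name and the conversion helpers are this example's own.

```c
/* Added example: libc `struct sigaction` vs. the Linux kernel ABI layout.
 * Kernel layout taken from asm-generic/signal.h (AArch64, x86_64). */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel ABI: handler, flags, restorer, then a one-word mask
 * (bit signo-1 set means signo is blocked while the handler runs). */
struct kernel_sigaction {
    void (*k_handler)(int);
    unsigned long k_flags;
    void (*k_restorer)(void);
    uint64_t k_mask;
};

/* libc -> kernel. A memcpy would land sa_flags in the middle of the libc
 * mask and read the kernel mask from libc's sa_mask[0] only by luck. */
static void to_kernel_sigaction(const struct sigaction *a, struct kernel_sigaction *k) {
    memset(k, 0, sizeof *k);
    k->k_handler = a->sa_handler;            /* union alias of sa_sigaction */
    k->k_flags = (unsigned long)(unsigned int)a->sa_flags;
    k->k_restorer = a->sa_restorer;
    for (int signo = 1; signo <= 64; signo++)
        if (sigismember(&a->sa_mask, signo) == 1)
            k->k_mask |= (uint64_t)1 << (signo - 1);
}

/* kernel -> libc, so a disposition fetched through the raw ABI can be
 * handed back to a libc caller. Signals libc reserves for itself are
 * rejected by sigaddset and therefore silently dropped here. */
static void from_kernel_sigaction(const struct kernel_sigaction *k, struct sigaction *a) {
    memset(a, 0, sizeof *a);
    a->sa_handler = k->k_handler;
    a->sa_flags = (int)k->k_flags;
    a->sa_restorer = k->k_restorer;
    sigemptyset(&a->sa_mask);
    for (int signo = 1; signo <= 64; signo++)
        if (k->k_mask & ((uint64_t)1 << (signo - 1)))
            sigaddset(&a->sa_mask, signo);
}

/* 1 when the two layouts differ in size or flag offset (they do on glibc,
 * musl and bionic), i.e. when a plain cast between them is unsafe. */
static int layouts_differ(void) {
    return sizeof(struct sigaction) != sizeof(struct kernel_sigaction)
        || offsetof(struct sigaction, sa_flags) != offsetof(struct kernel_sigaction, k_flags);
}

/* Round trip a constructed disposition (SIG_IGN, SA_RESTART, mask of
 * SIGUSR1+SIGTERM). Returns 1 if every field survives, 0 otherwise. */
static int demo_roundtrip(void) {
    struct sigaction a, b;
    struct kernel_sigaction k;
    memset(&a, 0, sizeof a);
    a.sa_handler = SIG_IGN;
    a.sa_flags = SA_RESTART;
    sigemptyset(&a.sa_mask);
    sigaddset(&a.sa_mask, SIGUSR1);
    sigaddset(&a.sa_mask, SIGTERM);

    to_kernel_sigaction(&a, &k);
    uint64_t want = ((uint64_t)1 << (SIGUSR1 - 1)) | ((uint64_t)1 << (SIGTERM - 1));
    if (k.k_handler != SIG_IGN || k.k_flags != (unsigned long)SA_RESTART || k.k_mask != want)
        return 0;

    from_kernel_sigaction(&k, &b);
    return b.sa_handler == SIG_IGN && b.sa_flags == SA_RESTART
        && sigismember(&b.sa_mask, SIGUSR1) == 1
        && sigismember(&b.sa_mask, SIGTERM) == 1
        && sigismember(&b.sa_mask, SIGKILL) == 0;
}

int main(void) {
    printf("libc sizeof(struct sigaction) = %zu, kernel = %zu, round trip ok = %d\n",
           sizeof(struct sigaction), sizeof(struct kernel_sigaction), demo_roundtrip());
    return 0;
}
```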
I tried building https://gist.github.com/Manouchehri/7263b3231a755d8f34cf719006b2c393 on Termux v0.92 (Android v8.1.0). The build is successful, executing without args is correct, but trying to use it produces a segmentation fault:
$ ./dbm "$(which ls)"
Segmentation fault
$ cd test
$ ../dbm mmap_munmap
Segmentation fault
$ ../dbm mprotect_exec
Segmentation fault
$ ../dbm self_modifying
Segmentation fault
I tried three different commits: https://github.com/umarcor/mambo/commits/termux
- @Manouchehri's and @liamwhite's GIST rebased on top of master: https://github.com/umarcor/mambo/commit/04181f528e00d2fb7bde275754c069b05ef0683a
- Reverting some changes to the makefile: https://github.com/umarcor/mambo/commit/7ca37859ef29cd2accb9f461f6b5168410728111
- Reverting the changes to syscalls.c: https://github.com/umarcor/mambo/commit/82d4c4af51c8359363620a33ad32efcf291f0bce
All of them produce the same result: successful build but segfault.
Note that building other tests (hw_div, load_store and/or signals) fails because of unknown directive .func.
These are the binaries that correspond to the last commit: termux-bins.zip
Any further information since the latest comment was created?
Recently I tried to run mambo on Android; it built successfully with the latest master of this repository. I got SIGSEGV when running on a real device.
Below is the debug output of the adb shell console.
$ ./mambo /system/bin/toybox ls -al
INTERP field found
p_type: 0x6 p_offset: 0x40 p_vaddr: 0x40 p_paddr: 0x40 p_filesz: 0x230 p_memsz: 0x230 p_flags: 0x4 p_align: 0x8 Unhandled program header table entry type
p_type: 0x1 p_offset: 0x0 p_vaddr: 0x0 p_paddr: 0x0 p_filesz: 0x301b4 p_memsz: 0x301b4 p_flags: 0x4 p_align: 0x1000
p_type: 0x1 p_offset: 0x31000 p_vaddr: 0x31000 p_paddr: 0x31000 p_filesz: 0xb37d0 p_memsz: 0xb37d0 p_flags: 0x5 p_align: 0x1000 imap added: 76361be000 7636272000 imap 0x5859a7b0a8: 76361be000 - 7636272000
p_type: 0x1 p_offset: 0xe5000 p_vaddr: 0xe5000 p_paddr: 0xe5000 p_filesz: 0x6478 p_memsz: 0x6478 p_flags: 0x6 p_align: 0x1000
p_type: 0x1 p_offset: 0xeb480 p_vaddr: 0xec480 p_paddr: 0xec480 p_filesz: 0xcf8 p_memsz: 0xc938 p_flags: 0x6 p_align: 0x1000
p_type: 0x2 p_offset: 0xeac78 p_vaddr: 0xeac78 p_paddr: 0xeac78 p_filesz: 0x120 p_memsz: 0x120 p_flags: 0x6 p_align: 0x8 Unhandled program header table entry type
p_type: 0x6474e552 p_offset: 0xe5000 p_vaddr: 0xe5000 p_paddr: 0xe5000 p_filesz: 0x6478 p_memsz: 0x7000 p_flags: 0x4 p_align: 0x1 Unhandled program header table entry type
p_type: 0x6474e550 p_offset: 0x16ee0 p_vaddr: 0x16ee0 p_paddr: 0x16ee0 p_filesz: 0x4b8c p_memsz: 0x4b8c p_flags: 0x4 p_align: 0x4 Unhandled program header table entry type
p_type: 0x6474e551 p_offset: 0x0 p_vaddr: 0x0 p_paddr: 0x0 p_filesz: 0x0 p_memsz: 0x0 p_flags: 0x6 p_align: 0x0 Unhandled program header table entry type
p_type: 0x4 p_offset: 0x270 p_vaddr: 0x270 p_paddr: 0x270 p_filesz: 0x20 p_memsz: 0x20 p_flags: 0x4 p_align: 0x4 Unhandled program header table entry type
p_type: 0x6 p_offset: 0x40 p_vaddr: 0x40 p_paddr: 0x40 p_filesz: 0x2a0 p_memsz: 0x2a0 p_flags: 0x4 p_align: 0x8 Unhandled program header table entry type
p_type: 0x3 p_offset: 0x2e0 p_vaddr: 0x2e0 p_paddr: 0x2e0 p_filesz: 0x15 p_memsz: 0x15 p_flags: 0x4 p_align: 0x1 Unhandled program header table entry type
p_type: 0x1 p_offset: 0x0 p_vaddr: 0x0 p_paddr: 0x0 p_filesz: 0x2a004 p_memsz: 0x2a004 p_flags: 0x4 p_align: 0x1000
p_type: 0x1 p_offset: 0x2b000 p_vaddr: 0x2b000 p_paddr: 0x2b000 p_filesz: 0x42700 p_memsz: 0x42700 p_flags: 0x5 p_align: 0x1000 imap added: 76362b1000 76362f4000 imap 0x5859a7b0a8: 76361be000 - 7636272000 76362b1000 - 76362f4000
p_type: 0x1 p_offset: 0x6e000 p_vaddr: 0x6e000 p_paddr: 0x6e000 p_filesz: 0x3de0 p_memsz: 0x3de0 p_flags: 0x6 p_align: 0x1000
p_type: 0x1 p_offset: 0x71de0 p_vaddr: 0x72de0 p_paddr: 0x72de0 p_filesz: 0x2878 p_memsz: 0x6ae8 p_flags: 0x6 p_align: 0x1000
p_type: 0x7 p_offset: 0x6e000 p_vaddr: 0x6e000 p_paddr: 0x6e000 p_filesz: 0x0 p_memsz: 0x0 p_flags: 0x4 p_align: 0x40 Unhandled program header table entry type
p_type: 0x2 p_offset: 0x71060 p_vaddr: 0x71060 p_paddr: 0x71060 p_filesz: 0x240 p_memsz: 0x240 p_flags: 0x6 p_align: 0x8 Unhandled program header table entry type
p_type: 0x6474e552 p_offset: 0x6e000 p_vaddr: 0x6e000 p_paddr: 0x6e000 p_filesz: 0x3de0 p_memsz: 0x4000 p_flags: 0x4 p_align: 0x1 Unhandled program header table entry type
p_type: 0x6474e550 p_offset: 0x21aa4 p_vaddr: 0x21aa4 p_paddr: 0x21aa4 p_filesz: 0x17e4 p_memsz: 0x17e4 p_flags: 0x4 p_align: 0x4 Unhandled program header table entry type
p_type: 0x6474e551 p_offset: 0x0 p_vaddr: 0x0 p_paddr: 0x0 p_filesz: 0x0 p_memsz: 0x0 p_flags: 0x6 p_align: 0x0 Unhandled program header table entry type
p_type: 0x4 p_offset: 0x2f8 p_vaddr: 0x2f8 p_paddr: 0x2f8 p_filesz: 0x38 p_memsz: 0x38 p_flags: 0x4 p_align: 0x4 Unhandled program header table entry type
entry address: 0x76361d9ac0
Code cache: 0x7633ef7000
*thread_data in dispatcher at: 0x7633ef7268
Traces start at: 0x7634c64800
Syscall wrapper addr: 0x33ef71b4
scan(0x76361d9ac0)
A64 scan read_address: 0x76361d9ac0, w: : 0x7633ef7414, bb: 4
instruction enum: 36
instruction word: 0x910003e0
A64 scan read_address: 0x76361d9ac4, w: : 0x7633ef7418, bb: 4
instruction enum: 20
instruction word: 0x9400cc58
A64 branch target: 0x763620cc24
Address of first basic block is: 0x7633ef7400
Segmentation fault
And below is the crash information:
2021-11-25 14:53:58.639 7258-7258/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-11-25 14:53:58.639 7258-7258/? A/DEBUG: Revision: '0'
2021-11-25 14:53:58.639 7258-7258/? A/DEBUG: ABI: 'arm64'
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: Timestamp: 2021-11-25 14:53:58+0800
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: pid: 7255, tid: 7255, name: mambo >>> ./mambo <<<
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: uid: 2000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7633ef45e4
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x0 000000763620cc24 x1 0000000000000004 x2 0000007633d6f140 x3 0000007634ef7000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x4 0000000000000038 x5 8080808080808080 x6 fefefefefefefeff x7 7f7f7f7f7f7f7f7f
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x8 0000007633d6f380 x9 0000007633ef45e4 x10 0000000000000010 x11 0000000000001c57
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x12 636f6c6220636973 x13 7830203a7369206b x14 0000000000000010 x15 00e8000000000000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x16 0000005859a7ae38 x17 0000007633ef7268 x18 00000076b7c08000 x19 0000000020000000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x20 0000000000000000 x21 0000000000000000 x22 0000007633d6f386 x23 0000007fd2744508
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x24 0000007633d6f370 x25 0000000000000042 x26 0000007fd27444f0 x27 0000005859a7647e
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: x28 0000007633d6f170 x29 0000007fd27441d0
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: lr 0000007633ef710c sp 0000007633d6ee90 pc 0000007633ef45e4 pst 0000000020001000
2021-11-25 14:53:58.653 7258-7258/? A/DEBUG: backtrace:
2021-11-25 14:53:58.653 7258-7258/? A/DEBUG: #00 pc 00000000001845e4 <anonymous:7633d70000>
How can I fix this SIGSEGV to make it work on the Android platform?
The attached file is the binary I compiled with cmake + clang for aarch64; it can run on API >= 28 Android devices.
mambo.zip
Hi @WanghongLin. Our position is the same as before: we don't officially support Android. But if you do a standard build of MAMBO on an Arm GNU/Linux system and copy the statically linked executable to an Android device, it should work. You don't need any of the patches from this issue.
Here's the current master branch HEAD running on my phone with the cachesim plugin enabled:
p:/data/local/tmp $ ./dbm /system/bin/toybox ls -al
total 1898
drwxrwx--x 2 shell shell 3488 2021-11-25 18:18 .
drwxr-x--x 4 root root 3488 1970-01-02 07:00 ..
-rwxrwxrwx 1 shell shell 1935024 2021-11-25 18:18 dbm
We're done; exiting with status: 0
-- MAMBO cachesim 569b5f90-dirty --
Cache L1i: 49152 bytes, 64 byte lines, 3-way set-associative, LRU replacement policy
2471364 references
2471364 reads
0 writes
5156 misses total (0.21% of references)
5156 misses reads (0.21% of references)
0 misses writes (0.00% of references)
0 writebacks total (0.00% of references)
0 writebacks reads (0.00% of references)
0 writebacks writes (0.00% of references)
Cache L1d: 32768 bytes, 64 byte lines, 2-way set-associative, LRU replacement policy
1718398 references
1225298 reads
493100 writes
44277 misses total (2.58% of references)
37377 misses reads (2.18% of references)
6900 misses writes (0.40% of references)
11255 writebacks total (0.65% of references)
7766 writebacks reads (0.45% of references)
3489 writebacks writes (0.20% of references)
Cache L2: 1048576 bytes, 64 byte lines, 16-way set-associative, random replacement policy
49433 references
42533 reads
6900 writes
13445 misses total (27.20% of references)
10880 misses reads (22.01% of references)
2565 misses writes (5.19% of references)
910 writebacks total (1.84% of references)
752 writebacks reads (1.52% of references)
158 writebacks writes (0.32% of references)
Note that the latest commit from the master branch is required because the Android libraries were trying to create an executable mapping without read permissions, which was previously making an assert fail.