android studio address sanitizer using build.gradle

Question

I am trying to build (with clang) my application with the address sanitizer described here (https://github.com/google/sanitizers/wiki/AddressSanitizer, more precisely here: https://github.com/google/sanitizers/wiki/AddressSanitizerOnAndroid), but I am having trouble understanding the whole process, especially using gradle.

It looks like there is at least 3 ways of enabling it:

1°) Following the first link, t says that all you have to do is doing this:

• adding -fsanitize=address to the cppFlags + optional -fno-omit-frame-pointer

• adding -fsanitize=address to the linker flags (is it necessary?)

2°) following the second link, it seems that you have to do:

• same as first
• root a device then run asan_device_setup on it through adb
• add a LD_PRELOAD=libclang_rt.asan-arm-android.so somewhere? I guess it should be put in the 'arguments' part of the gradle externalNativeBuild? But where can the app find this library? Do I have to link it myself? Or is it already somewhere on the device?

3°) I also found a "new" way of doing it, which shouldn't requires roots access (well it does but it is a bug due to be corrected at some point):

https://virtualrealitypop.com/oreo-ndk-secrets-7d075a9b084

This method actually does what is done in first and second point, plus runs the app by launching a shell script that exports some values for asan to work.

---

As far as my investigation goes, I am a bit confused on what is the proper method to have a fully sanitized app (with statically linked libraries) working on my rooted emulator.

The farther I have gone was to actually build and launch the app (using 2°), but without specifying LD_PRELOAD flag), but the app crashes with a container-overflow in some eglMakeCurrent function that isn't even part of my code, and I don't get any stack for it:

02-19 16:26:21.553 28771-28789/com.mycompany.myapp I/zygote: Background concurrent copying GC freed 10159(1175KB) AllocSpace objects, 12(304KB) LOS objects, 50% free, 2MB/4MB, paused 144.861ms total 1.252s
[ 02-19 16:26:21.554 28771:28956 I/         ]
=================================================================
[ 02-19 16:26:21.554 28771:28956 I/         ]
[ 02-19 16:26:21.557 28771:28956 I/         ]
[ 02-19 16:26:21.563 28771:28956 I/         ]
==28771==ERROR: AddressSanitizer: container-overflow on address 0xa136e990 at pc 0xa49849e2 bp 0x82e60558 sp 0x82e60128
[ 02-19 16:26:21.563 28771:28956 I/         ]
[ 02-19 16:26:21.565 28771:28956 I/         ]
[ 02-19 16:26:21.566 28771:28956 I/         ]
WRITE of size 2 at 0xa136e990 thread T334 (GLThread 337)
[ 02-19 16:26:21.566 28771:28956 I/         ]

I am not sure it is a real overflow because I am not sure all my app is built with sanitizer (I have built my so+ all my statics with it but is it enough?), and https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow says that if your whole app isn't built with sanitizer you may get false positives.

So my questions are:

A°) has someone actually managed to build a sanitized app using android studio?

B°) If yes, what is the correct way to do it (meaning the one that will be supported)?

Answer 1

So after a bit of struggle, I have used the method described in https://virtualrealitypop.com/oreo-ndk-secrets-7d075a9b084. I have added a new sanitize_debug target in my build.gradle with the following:

tasks.whenTaskAdded { task ->
    if (task.name == 'generateSanitize_debugBuildConfig') {
        task.dependsOn createWrapScriptAddDir
    }
}

task deleteASAN(type: Delete) {
    delete 'jni/sanitizer/'
}

static def writeWrapScriptToFullyCompileJavaApp(wrapFile, abi) {
    if(abi == "armeabi" || abi == "armeabi-v7a")
        abi = "arm"
    if(abi == "arm64-v8a")
        abi = "aarch64"
    if (abi == "x86")
        abi = "i686"
    wrapFile.withWriter { writer ->
        writer.write('#!/system/bin/sh\n')
        writer.write('HERE="$(cd "$(dirname "$0")" && pwd)"\n')
        writer.write('export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1\n')
        writer.write('export ASAN_ACTIVATION_OPTIONS=include_if_exists=/data/local/tmp/asan.options.b\n')
        writer.write("export LD_PRELOAD=\$HERE/libclang_rt.asan-${abi}-android.so\n")
        writer.write('\$@\n')
    }
}


task copyASANLibs {
    def libDirs = android.ndkDirectory.absolutePath + "/toolchains/llvm/prebuilt/"

    for (String abi : rootProject.ext.abiFilters) {
        def destDir = new File("wizards/src/sanitize_debug/jniLibs/" + abi)
        destDir.mkdirs()

        def renamedAbi = abi
        if(abi == "armeabi-v7a" || abi == "armeabi")
            renamedAbi = "arm"
        if(abi == "arm64-v8a")
            renamedAbi = "aarch64"
        if (abi == "x86")
            renamedAbi = "i686"


        FileTree tree = fileTree(dir: libDirs).include("**/*asan*${renamedAbi}*.so")
        tree.each { File file ->
            copy {
                from file
                into destDir.absolutePath
            }
        }
    }
}
task createWrapScriptAddDir(dependsOn: copyASANLibs) {
    for (String abi : rootProject.ext.abiFilters) {
        def dir = new File("wizards/src/sanitize_debug/resources/lib/" + abi)
        dir.mkdirs()
        def wrapFile = new File(dir, "wrap.sh")
        wrapFile.setExecutable(true, false)
        writeWrapScriptToFullyCompileJavaApp(wrapFile, abi)
    }
}

The things that needs to be improved are

1°) the cleanup phase when switching to a non sanitized build must be called manually,

2°) The wrapper script is built and packaged for all arm architectures, which is a workaround the fact that you can't easily specify a target architecture for the wrap.sh scrip (see bug https://issuetracker.google.com/issues/74058603)

Answer 2

In order to also debug you can adjust the answer from downstroy and tweak wrap.sh script, since the simple version of wrap.sh will prevent debugging ( from https://developer.android.com/ndk/guides/wrap-script ) :

        writer.write('#!/system/bin/sh\n')
        writer.write('HERE="$(cd "$(dirname "$0")" && pwd)"\n')
        writer.write('export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1\n')
        writer.write('export ASAN_ACTIVATION_OPTIONS=include_if_exists=/data/local/tmp/asan.options.b\n')
        writer.write("export LD_PRELOAD=\$HERE/libclang_rt.asan-${abi}-android.so\n")
        writer.write('cmd=$1\n')
        writer.write('shift\n')
        writer.write('os_version=$(getprop ro.build.version.sdk)\n')
        writer.write('if [ "$os_version" -eq "27" ]; then\n')
        writer.write('cmd="$cmd -Xrunjdwp:transport=dt_android_adb,suspend=n,server=y -Xcompiler-option --debuggable $@"\n')
        writer.write('elif [ "$os_version" -eq "28" ]; then\n')
        writer.write('cmd="$cmd -XjdwpProvider:adbconnection -XjdwpOptions:suspend=n,server=y -Xcompiler-option --debuggable $@"\n')
        writer.write('else\n')
        writer.write('cmd="$cmd -XjdwpProvider:adbconnection $@"\n')
        writer.write('fi\n')
        writer.write('exec $cmd\n')