Hi!
I’m trying to run the CAN automotive hardware interface harness shipped with AOSP on the official emulator. However, I ran into this abort message:
WARNING: found 1 unrecognized flag(s):
coverage_counters
==2724==AddressSanitizer: failed to intercept '__strxfrm_l'
==2724==AddressSanitizer: failed to intercept 'bcmp'
==2724==AddressSanitizer: failed to intercept 'wait3'
==2724==AddressSanitizer: failed to intercept '__wait4'
==2724==AddressSanitizer: failed to intercept 'ftime'
==2724==AddressSanitizer: failed to intercept 'pthread_setcancelstate'
==2724==AddressSanitizer: failed to intercept 'pthread_setcanceltype'
==2724==AddressSanitizer: failed to intercept 'getutid'
==2724==AddressSanitizer: failed to intercept 'getutline'
==2724==AddressSanitizer: failed to intercept '__wcsxfrm_l'
==2724==AddressSanitizer: failed to intercept 'bsd_signal'
==2724==AddressSanitizer: failed to intercept 'index'
==2724==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=16M
thread_local_quarantine_size_kb=64K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==2724==Installed the sigaction for signal 11
==2724==Installed the sigaction for signal 7
==2724==Installed the sigaction for signal 8
==2724==T0: stack [0x7fff302e8000,0x7fff30ae8000) size 0x800000; local=0x7fff30ae332c
==2724==AddressSanitizer Init done
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1079642518
INFO: Loaded 1 modules (5113 inline 8-bit counters): 5113 [0x56995dd41de8, 0x56995dd431e1),
INFO: Loaded 1 PC tables (5113 PCs): 5113 [0x56995dd431e8,0x56995dd57178),
==2724==T1: stack [0x7d43440d1000,0x7d43441cacd0) size 0xf9cd0; local=0x7d43441cabac
INFO: 78 files found in inputs
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 78 min: 1b max: 8b total: 509b rss: 34Mb
==2724==T2: stack [0x7d4342302000,0x7d43423fbcd0) size 0xf9cd0; local=0x7d43423fbbac
==2724==T3: stack [0x7d4342102000,0x7d43421fbcd0) size 0xf9cd0; local=0x7d43421fbbac
==2724==T4: stack [0x7d4341f02000,0x7d4341ffbcd0) size 0xf9cd0; local=0x7d4341ffbbac
==2724==T5: stack [0x7d4341d02000,0x7d4341dfbcd0) size 0xf9cd0; local=0x7d4341dfbbac
==2724==T6: stack [0x7d4341b02000,0x7d4341bfbcd0) size 0xf9cd0; local=0x7d4341bfbbac
==2724==T8: stack [0x7d40af8fe000,0x7d40af9f7cd0) size 0xf9cd0; local=0x7d40af9f7bac
==2724==T7: stack [0x7d40af9fc000,0x7d40afaf5cd0) size 0xf9cd0; local=0x7d40afaf5bac
==2724==T9: stack [0x7d40af800000,0x7d40af8f9cd0) size 0xf9cd0; local=0x7d40af8f9bac
==2724==T10: stack [0x7d40af702000,0x7d40af7fbcd0) size 0xf9cd0; local=0x7d40af7fbbac
Aborted
Then I looked at the emulator logcat and found this interesting finding:
04-20 11:34:48.225 0 0 I logd : logdr: UID=0 GID=0 PID=2781 n tail=0 logMask=8 pid=2724 start=0ns deadline=0ns
04-20 11:34:48.229 0 0 I logd : logdr: UID=0 GID=0 PID=2781 n tail=0 logMask=1 pid=2724 start=0ns deadline=0ns
04-20 11:34:48.196 2781 2781 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-20 11:34:48.196 2781 2781 F DEBUG : Build fingerprint: 'Android/sdk_car_x86_64/emulator_car_x86_64:13/TQ2A.230405.003.E1/eng.hacker.20230413.001539:userdebug/test-keys'
04-20 11:34:48.196 2781 2781 F DEBUG : Revision: '0'
04-20 11:34:48.196 2781 2781 F DEBUG : ABI: 'x86_64'
04-20 11:34:48.196 2781 2781 F DEBUG : Timestamp: 2023-04-20 11:34:48.043564790+0200
04-20 11:34:48.196 2781 2781 F DEBUG : Process uptime: 2s
04-20 11:34:48.196 2781 2781 F DEBUG : Cmdline: ./automotiveCanV1.0_fuzzer -max_total_time=86400 -detect_leaks=1 -print_pcs=1 -print_final_stats=1 -print_coverage=1 -print_full_coverage=1 inputs
04-20 11:34:48.196 2781 2781 F DEBUG : pid: 2724, tid: 2726, name: HwBinder:2724_1 >>> ./automotiveCanV1.0_fuzzer <<<
04-20 11:34:48.196 2781 2781 F DEBUG : uid: 0
04-20 11:34:48.196 2781 2781 F DEBUG : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
04-20 11:34:48.196 2781 2781 F DEBUG : Abort message: 'Check failed: !mIsUp Interface is still up while being destroyed'
04-20 11:34:48.196 2781 2781 F DEBUG : rax 0000000000000000 rbx 0000000000000aa4 rcx 00007d43473954af rdx 0000000000000006
04-20 11:34:48.196 2781 2781 F DEBUG : r8 000060700001a8f0 r9 000060700001a8f0 r10 00007d43423fb870 r11 0000000000000217
04-20 11:34:48.196 2781 2781 F DEBUG : r12 000000000000005b r13 0000612000029f6c r14 00007d43423fb868 r15 0000000000000aa6
04-20 11:34:48.196 2781 2781 F DEBUG : rdi 0000000000000aa4 rsi 0000000000000aa6
04-20 11:34:48.196 2781 2781 F DEBUG : rbp 0000000000000000 rsp 00007d43423fb860 rip 00007d43473954af
04-20 11:34:48.196 2781 2781 F DEBUG : backtrace:
04-20 11:34:48.196 2781 2781 F DEBUG : #00 pc 00000000000794af /apex/com.android.runtime/lib64/bionic/libc.so (abort+207) (BuildId: 11dc0b59a8589c2a909151617d66477b)
04-20 11:34:48.196 2781 2781 F DEBUG : #01 pc 000000000000c982 /system/lib64/liblog.so (__android_log_default_aborter+18) (BuildId: 64872ff7d3b12bdb6a8adb97e4a5508f)
04-20 11:34:48.196 2781 2781 F DEBUG : #02 pc 000000000002f1c7 /system/lib64/libbase.so (android::base::LogMessage::~LogMessage()+951) (BuildId: 27c42ea89162e6d909970a78406608d1)
04-20 11:34:48.196 2781 2781 F DEBUG : #03 pc 0000000000056d84 /data/fuzz/x86_64/automotiveCanV1.0_fuzzer/vendor/automotiveCanV1.0_fuzzer (android::hardware::automotive::can::V1_0::implementation::CanBus::~CanBus()+1732) (BuildId: 63834e35df72651eaa1494c0caa26fe7)
04-20 11:34:48.196 2781 2781 F DEBUG : #04 pc 0000000000069400 /data/fuzz/x86_64/automotiveCanV1.0_fuzzer/vendor/automotiveCanV1.0_fuzzer (virtual thunk to android::hardware::automotive::can::V1_0::implementation::CanBusVirtual::~CanBusVirtual()+80) (BuildId: 63834e35df72651eaa1494c0caa26fe7)
04-20 11:34:48.196 2781 2781 F DEBUG : #05 pc 00000000000176bc /system/lib64/libutils.so (android::RefBase::decStrong(void const*) const+140) (BuildId: bf1c018f0326684482c5413dbebda847)
04-20 11:34:48.196 2781 2781 F DEBUG : #06 pc 000000000015bd34 /system/lib64/libhidlbase.so (android::hidl::base::V1_0::BnHwBase::~BnHwBase()+260) (BuildId: 7f3f1f24211393623f87db14ce7b2b55)
04-20 11:34:48.196 2781 2781 F DEBUG : #07 pc 0000000000048d25 /vendor/lib64/android.hardware.automotive.can@1.0.so (android::hardware::automotive::can::V1_0::BnHwCanBus::~BnHwCanBus()+277) (BuildId: 4b83d24048757d91260aa87c6a445076)
04-20 11:34:48.196 2781 2781 F DEBUG : #08 pc 0000000000049001 /vendor/lib64/android.hardware.automotive.can@1.0.so (virtual thunk to android::hardware::automotive::can::V1_0::BnHwCanBus::~BnHwCanBus()+33) (BuildId: 4b83d24048757d91260aa87c6a445076)
04-20 11:34:48.196 2781 2781 F DEBUG : #09 pc 00000000000176bc /system/lib64/libutils.so (android::RefBase::decStrong(void const*) const+140) (BuildId: bf1c018f0326684482c5413dbebda847)
04-20 11:34:48.196 2781 2781 F DEBUG : #10 pc 0000000000175efb /system/lib64/libhidlbase.so (android::hardware::IPCThreadState::processPendingDerefs()+475) (BuildId: 7f3f1f24211393623f87db14ce7b2b55)
04-20 11:34:48.196 2781 2781 F DEBUG : #11 pc 00000000001760f7 /system/lib64/libhidlbase.so (android::hardware::IPCThreadState::joinThreadPool(bool)+119) (BuildId: 7f3f1f24211393623f87db14ce7b2b55)
04-20 11:34:48.196 2781 2781 F DEBUG : #12 pc 0000000000186aaf /system/lib64/libhidlbase.so (android::hardware::PoolThread::threadLoop()+31) (BuildId: 7f3f1f24211393623f87db14ce7b2b55)
04-20 11:34:48.196 2781 2781 F DEBUG : #13 pc 000000000001cb58 /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+776) (BuildId: bf1c018f0326684482c5413dbebda847)
04-20 11:34:48.196 2781 2781 F DEBUG : #14 pc 000000000010fdd2 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+66) (BuildId: 11dc0b59a8589c2a909151617d66477b)
04-20 11:34:48.196 2781 2781 F DEBUG : #15 pc 000000000007b46f /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+95) (BuildId: 11dc0b59a8589c2a909151617d66477b)
04-20 11:34:48.199 719 896 W NativeCrashListener: Couldn't find ProcessRecord for pid 2724
04-20 11:34:48.200 312 312 E tombstoned: Tombstone written to: tombstone_42
04-20 11:34:48.201 719 789 E NativeTombstoneManager: Tombstone's UID (0) not an app, ignoring
04-20 11:34:48.201 719 789 E NativeTombstoneManager: Tombstone's UID (0) not an app, ignoring
04-20 11:34:48.206 420 462 W HidlServiceManagement: getService: found dead hwbinder service for android.hardware.automotive.can@1.0::ICanBus/aae.
04-20 11:34:48.206 420 462 W ProtoCanBusSrv: Can't fetch ICanBus/aae
04-20 11:34:48.206 420 462 D ProtoCanBusSrv: Got fatal error from CAN bus HAL: INTERFACE_DOWN
04-20 11:34:48.206 420 462 F HidlStatus: Failed HIDL return status not checked. Usually this happens because of a transport error (error parceling, binder driver, or from unparceling). If you see this in code calling into "Bn" classes in for a HAL server process, then it is likely that the code there is returning transport errors there (as opposed to errors defined within its protocol). Error is: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
04-20 11:34:48.206 420 462 F libc : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 462 (HwBinder:420_1), pid 420 (binder:420_2)
04-20 11:34:48.245 0 0 I binder : send failed reply for transaction 89726 to 420:462
04-20 11:34:48.245 0 0 I binder : 420:462 transaction failed 29189/-22, size 52-0 line 2920
04-20 11:34:48.211 911 911 D CAR.EVS : Trying to connect to the EVS HAL service.
04-20 11:34:48.211 911 911 I CAR.EVS : Transition requested: UNAVAILABLE -> INACTIVE
04-20 11:34:48.211 220 220 I servicemanager: Could not find android.hardware.automotive.evs.IEvsEnumerator/default in the VINTF manifest.
04-20 11:34:48.211 911 911 E CarServiceJNI: android.hardware.automotive.evs.IEvsEnumerator/default is not available.
04-20 11:34:48.211 911 911 E CarServiceJNI: Failed to initialize a service context
04-20 11:34:48.211 911 911 E CAR.EVS : Transition failed: error = -1
04-20 11:34:48.253 0 0 I init : Untracked pid 2781 exited with status 0
04-20 11:34:48.253 0 0 I init : Untracked pid 2781 did not have an associated service entry and will not be reaped
04-20 11:34:48.253 0 0 I init : Untracked pid 2783 exited with status 0
04-20 11:34:48.254 0 0 I init : Untracked pid 2783 did not have an associated service entry and will not be reaped
04-20 11:34:48.216 2798 2798 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstoneProto
04-20 11:34:48.217 312 312 I tombstoned: received crash request for pid 462
04-20 11:34:48.217 2798 2798 I crash_dump64: performing dump of process 420 (target tid = 462)
04-20 11:34:48.268 0 0 I logd : logdr: UID=1054 GID=1000 PID=2798 n tail=0 logMask=8 pid=420 start=0ns deadline=0ns
04-20 11:34:48.235 2798 2798 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-20 11:34:48.235 2798 2798 F DEBUG : Build fingerprint: 'Android/sdk_car_x86_64/emulator_car_x86_64:13/TQ2A.230405.003.E1/eng.hacker.20230413.001539:userdebug/test-keys'
04-20 11:34:48.235 2798 2798 F DEBUG : Revision: '0'
04-20 11:34:48.235 2798 2798 F DEBUG : ABI: 'x86_64'
04-20 11:34:48.235 2798 2798 F DEBUG : Timestamp: 2023-04-20 11:34:48.217728226+0200
04-20 11:34:48.235 2798 2798 F DEBUG : Process uptime: 168s
04-20 11:34:48.235 2798 2798 F DEBUG : Cmdline: /vendor/bin/hw/android.device.generic.car.emulator@1.0-protocanbus-service
04-20 11:34:48.235 2798 2798 F DEBUG : pid: 420, tid: 462, name: HwBinder:420_1 >>> /vendor/bin/hw/android.device.generic.car.emulator@1.0-protocanbus-service <<<
04-20 11:34:48.235 2798 2798 F DEBUG : uid: 1054
04-20 11:34:48.235 2798 2798 F DEBUG : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
04-20 11:34:48.235 2798 2798 F DEBUG : Abort message: 'Failed HIDL return status not checked. Usually this happens because of a transport error (error parceling, binder driver, or from unparceling). If you see this in code calling into "Bn" classes in for a HAL server process, then it is likely that the code there is returning transport errors there (as opposed to errors defined within its protocol). Error is: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: ''
04-20 11:34:48.235 2798 2798 F DEBUG : rax 0000000000000000 rbx 00000000000001a4 rcx 000076315cb4b4af rdx 0000000000000006
04-20 11:34:48.235 2798 2798 F DEBUG : r8 0000763019262d50 r9 0000763019262d50 r10 0000762ec9157590 r11 0000000000000207
04-20 11:34:48.235 2798 2798 F DEBUG : r12 000000000000008f r13 000076300925c8d0 r14 0000762ec9157588 r15 00000000000001ce
04-20 11:34:48.235 2798 2798 F DEBUG : rdi 00000000000001a4 rsi 00000000000001ce
04-20 11:34:48.235 2798 2798 F DEBUG : rbp 0000763159290429 rsp 0000762ec9157580 rip 000076315cb4b4af
04-20 11:34:48.235 2798 2798 F DEBUG : backtrace:
04-20 11:34:48.235 2798 2798 F DEBUG : #00 pc 00000000000794af /apex/com.android.runtime/lib64/bionic/libc.so (abort+207) (BuildId: 11dc0b59a8589c2a909151617d66477b)
04-20 11:34:48.235 2798 2798 F DEBUG : #01 pc 000000000000c982 /system/lib64/liblog.so (__android_log_default_aborter+18) (BuildId: 64872ff7d3b12bdb6a8adb97e4a5508f)
04-20 11:34:48.235 2798 2798 F DEBUG : #02 pc 000000000002f1c7 /apex/com.android.vndk.v33/lib64/libbase.so (android::base::LogMessage::~LogMessage()+951) (BuildId: af9675ed3eacfaa6fa2391fb337e6080)
04-20 11:34:48.235 2798 2798 F DEBUG : #03 pc 000000000009df2c /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::details::return_status::assertOk() const+572) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.235 2798 2798 F DEBUG : #04 pc 000000000009df73 /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::details::return_status::~return_status()+35) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.235 2798 2798 F DEBUG : #05 pc 000000000001eb16 /vendor/bin/hw/android.device.generic.car.emulator@1.0-protocanbus-service (android::hardware::automotive::can::V1_0::utils::CloseHandleWrapper::close()+86) (BuildId: 50d4ec664d0a7ede3020d9a2ef0ab042)
04-20 11:34:48.235 2798 2798 F DEBUG : #06 pc 000000000001a72b /vendor/bin/hw/android.device.generic.car.emulator@1.0-protocanbus-service (android::hardware::automotive::can::V1_0::utils::CanClient::close()+75) (BuildId: 50d4ec664d0a7ede3020d9a2ef0ab042)
04-20 11:34:48.235 2798 2798 F DEBUG : #07 pc 000000000001becb /vendor/bin/hw/android.device.generic.car.emulator@1.0-protocanbus-service (android::hardware::automotive::can::V1_0::utils::CanClient::onError(android::hardware::automotive::can::V1_0::ErrorEvent, bool)+91) (BuildId: 50d4ec664d0a7ede3020d9a2ef0ab042)
04-20 11:34:48.235 2798 2798 F DEBUG : #08 pc 000000000001be4b /vendor/bin/hw/android.device.generic.car.emulator@1.0-protocanbus-service (non-virtual thunk to android::hardware::automotive::can::V1_0::utils::CanClient::serviceDied(unsigned long, android::wp<android::hidl::base::V1_0::IBase> const&)+59) (BuildId: 50d4ec664d0a7ede3020d9a2ef0ab042)
04-20 11:34:48.235 2798 2798 F DEBUG : #09 pc 00000000000a27f6 /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::hidl_binder_death_recipient::binderDied(android::wp<android::hardware::IBinder> const&)+214) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.235 2798 2798 F DEBUG : #10 pc 00000000001709ca /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::BpHwBinder::reportOneDeath(android::hardware::BpHwBinder::Obituary const&)+234) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.271 0 0 I logd : logdr: UID=1054 GID=1000 PID=2798 n tail=0 logMask=1 pid=420 start=0ns deadline=0ns
04-20 11:34:48.237 2798 2798 F DEBUG : #11 pc 0000000000170896 /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::BpHwBinder::sendObituary()+262) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.237 2798 2798 F DEBUG : #12 pc 0000000000174f68 /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::IPCThreadState::executeCommand(int)+1528) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.237 2798 2798 F DEBUG : #13 pc 0000000000174734 /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::IPCThreadState::getAndExecuteCommand()+308) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.237 2798 2798 F DEBUG : #14 pc 000000000017590f /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::IPCThreadState::joinThreadPool(bool)+127) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.237 2798 2798 F DEBUG : #15 pc 00000000001862bf /apex/com.android.vndk.v33/lib64/libhidlbase.so (android::hardware::PoolThread::threadLoop()+31) (BuildId: 56d5fac53d75ff300bc3b06593256278)
04-20 11:34:48.237 2798 2798 F DEBUG : #16 pc 000000000001c6b8 /apex/com.android.vndk.v33/lib64/libutils.so (android::Thread::_threadLoop(void*)+776) (BuildId: 365a8e1cb454871a53f78d246b39d66a)
04-20 11:34:48.237 2798 2798 F DEBUG : #17 pc 000000000010fdd2 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+66) (BuildId: 11dc0b59a8589c2a909151617d66477b)
04-20 11:34:48.237 2798 2798 F DEBUG : #18 pc 000000000007b46f /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+95) (BuildId: 11dc0b59a8589c2a909151617d66477b)
04-20 11:34:48.238 719 896 W NativeCrashListener: Couldn't find ProcessRecord for pid 420
04-20 11:34:48.239 2798 2798 E crash_dump64: AM data write failed: Broken pipe
04-20 11:34:48.239 312 312 E tombstoned: Tombstone written to: tombstone_43