Re: How should I run dr memory on Android?

[Derek Bruening]

bin/drmemory is the program to run.  This should be clear from the docs.  The 1.9.1-RC1 docs say "On Linux, Mac, or Android: drmemory -- <app>", right?  Could you point out where you were looking that wasn't clear so that we can improve the docs?  It looks like the README doesn't have an explicit Android section, but the Linux and Mac parts all say "drmemory".

Please note that there is a bug in running multi-threaded Android apps that was introduced in the private Bionic support (https://github.com/dynamorio/dynamorio/issues/1875) and is present in the 1.9.1-RC1 build.

On Mon, Feb 22, 2016 at 3:18 AM, Rongyu Zhou <rongy...@gmail.com> wrote:

I downloaded Dr. Memory Android package version 1.9.1 and pushed the extracted package to /data/local/tmp/ on my Android device.

I tried to run from /bin/launcher. But the I got the error: "CANNOT LINK EXECUTABLE DEPENDENCIES: library "libdynamorio.so" not found"

I've read the document and wiki but have not get any help. Did I get the correct entry? Or shall I configure something before running? And how?

A little background. I'm focused on Android security research. Currently I'm interested in Android memory instrumentation. Before Dr. Memory, I had tried valgrind and Address Sanitizer, both of which had some limitations. Luckily, I found Dr. Memory's latest release covered Android. So I hope to have a try.

--

---
You received this message because you are subscribed to the Google Groups "Dr. Memory Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to drmemory-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Rongyu Zhou]

Thanks for the reply. 

Luckily, I've managed to run drmemory on my Android device. And I successfully used it to find bugs from my test program, which was a native C application.

So I hope to move a step forward, using drmemory to instrument Android Apps, not only native applications. Now I had some progress.

Android App's launch process is sophisticated. Generally, a App is started by forking from Zygote process and passing several important parameters to it to get the thread entry to run. 

In order to use drmemory to start a Android app, we could use the wrap function. 

First, make a shell script as follows, androidWrapper.sh

#!/system/bin/sh
exec /system/xbin/DrMemory/bin/drmemory -show_reachable -v -logdir /data/local/tmp/drlog -- $*

Then, activate the wrap function for the test App

setprop wrap.com.ryu.asandemo "logwrapper /system/xbin/DrMemory/bin/androidWrapper.sh"

Here logwrapper is used to redirect the print log to JNI log.

So, while we start the asandemo App from the Launcher, Android will follow the execution process as app_process -> logwrapper -> drmemory -> app_process -> activityThread

Theoretically, this way shall works. But now I am stuck at below error(bold texts) which made the app fail to start.

I/ActivityManager(  694): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.ryu.asandemo/.MainActivity (has extras)} from uid 10034 on display 0
I/androidWrapper.sh(32376): INFO: targeting application: "/system/bin/app_process32"
I/androidWrapper.sh(32376): INFO: app cmdline: "/system/bin/app_process" "/system/bin" "--application" "--nice-name=com.ryu.asandemo" "com.android.internal.os.WrapperInit" "14" "21" "android.app.ActivityThread"
I/androidWrapper.sh(32376): INFO: logdir is "/data/local/tmp/drlog"
I/androidWrapper.sh(32376): INFO: symcache_dir is "/data/local/tmp/drlog/symcache"
I/androidWrapper.sh(32376): INFO: DynamoRIO configuration directory is /system/xbin/DrMemory/bin/../dynamorio/lib32/release/libdynamorio.so
I/androidWrapper.sh(32376): INFO: configuring app_process32 pid=32378 dr_ops="-disable_traces -bb_single_restore_prefix -max_bb_instrs 256 -vm_size 256M -no_enable_reset -logdir `/data/local/tmp/drlog/dynamorio` "
I/androidWrapper.sh(32376): ERROR: failed to register DynamoRIO configuration for "app_process32"(32378) dr_ops="-disable_traces -bb_single_restore_prefix -max_bb_instrs 256 -vm_size 256M -no_enable_reset -logdir `/data/local/tmp/drlog/dynamorio` ".
I/androidWrapper.sh(32376): Error code 13 (failed to locate a valid config directory)
I/androidWrapper.sh(32376): androidWrapper.sh terminated by exit(1)
W/Zygote  (  201): Error reading pid from wrapped process, child may have died
W/Zygote  (  201): java.io.EOFException
W/Zygote  (  201): at libcore.io.Streams.readFully(Streams.java:83)
W/Zygote  (  201): at java.io.DataInputStream.readInt(DataInputStream.java:103)
W/Zygote  (  201): at com.android.internal.os.ZygoteConnection.handleParentProc(ZygoteConnection.java:979)
W/Zygote  (  201): at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:276)
W/Zygote  (  201): at com.android.internal.os.ZygoteInit.runSelectLoop(ZygoteInit.java:788)
W/Zygote  (  201): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:694)
I/ActivityManager(  694): Start proc 32360:com.ryu.asandemo/u0a55 for activity com.ryu.asandemo/.MainActivity

I tried to use below command to reg app_process32.

drconfig -reg app_process32

But I got the error:

process app_process32 registration failed: check config dir /system/xbin/DrMemory/dynamorio/bin32/.dynamorio permissions

Actually I'm sure the permission configuration is correct. 

So what shall I do? I think if I could fix this error, I would have much more chance the start the App.

在 2016年2月23日星期二 UTC+8上午12:15:29，Derek Bruening写道：

[Derek Bruening]

A writable temp directory was not found.  We would like to know why: does /data/local/tmp exist and is writable by the user this app is run as?

A workaround is to set the DYNAMORIO_CONFIGDIR env var to point to a writable temp dir.

[Rongyu Zhou]

I'm sure the directory /data/local/tmp exists and is writable. But I failed 

root@hammerhead:/system/xbin/DrMemory/dynamorio/bin32 # ls -l /data/local/
drwxrwxrwx shell    shell             2016-02-25 16:33 tmp
/drconfig -reg app_process32                                                  <
ERROR: process app_process32 registration failed: check config dir /data/local/tmp/.dynamorio permissions

I enter /data/local/tmp and could not find .dynamorio

在 2016年2月26日星期五 UTC+8上午1:46:49，Derek Bruening写道：

[Rongyu Zhou]

This is strange. I tried to use drmemory to run app_process directly. And it worked. I didn't get the configuration permission error.

/drmemory -- /system/bin/app_process                                          <
~~Dr.M~~ Dr. Memory version 1.9.1
~~Dr.M~~ (Uninitialized read checking is not yet supported for ARM)
~~Dr.M~~ WARNING: application is missing line number information.
~~Dr.M~~
~~Dr.M~~ Error #1: INVALID HEAP ARGUMENT: allocated with operator new[], freed with operator delete

I guess it could be because of the permission of the App process. But what makes no sense is the permission of /data/local/tmp is 777.

在 2016年2月26日星期五 UTC+8下午1:45:30，Rongyu Zhou写道：

[Steve Madsen]

On my rooted android device the permissions on /data/local/tmp were weird, I think it was rwxrwxx-x [sic]
So explicitly changed to 777
After that, the /data/local/tmp/.dynamorio got created OK
but now getting "unable to inject" failure

[Steve Madsen]

P.S.
For me the permissions for drlog/dynamorio and drlog/symcache were too restrictive,
had to set those to 777 as well, it was only after this step that /data/local/tmp/.dynamorio got created...
essentially had to run app, let it create folders and crash, then fix these two folder permissions
and re-run app...

[Derek Bruening]

SElinux was causing some of the additional issues here.  Please see the information posted to the other Android thread on the 1.10.1 release fixing config issues and getting DR to work but asking for help from the community on getting DrM to work: 

https://groups.google.com/forum/#!topic/drmemory-users/gVYxH867Mds

--