CRASH non-det running C++11 threaded app on Android

[derekbruening]

Please see prior email discussion at https://groups.google.com/forum/#!topic/dynamorio-users/eL1__o7m4AQ

Pasting from the most recent email there:

I'm going to look deeper into the log files now. I've put together a set of files containing the binaries I am currently working with as well as the log files produced from a series of runs. I'm detailing these runs below, and I reference files from the attached directory. Additionally, I am wondering if there any details pertaining to the 6.1-3 release that would be specific to a version of Android other than API 21. gdb doesn't seem to recognize the addresses of my segmentation faults has having meaningful instructions at them. I'm wondering if something is causing a branch to a random part of memory.

—————————————————————————————————————————————————————————————————————————

How I built NDK:

root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-r11c/build/tools/make-standalone-toolchain.sh --arch=arm --platform=android-21 --install-dir=./android-ndk-21
HOST_OS=linux
HOST_EXE=
HOST_ARCH=x86_64
HOST_TAG=linux-x86_64
HOST_NUM_CPUS=1
BUILD_NUM_CPUS=2
Auto-config: --toolchain=arm-linux-androideabi-4.9
Copying prebuilt binaries...
Copying sysroot headers and libraries...
Copying c++ runtime headers and libraries...
Copying files to: ./android-ndk-21
Cleaning up...
Done.

—————————————————————————————————————————————————————————————————————————

_See simple.cpp file_

—————————————————————————————————————————————————————————————————————————

How I compiled simple.cpp to cppthread and pushed to phone

root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-21/bin/arm-linux-androideabi-g++ -std=c++11 -g -fpie -pie -o cppthread simple.cpp
root@ctrippel-VirtualBox:/usr/local/tools# adb push cppthread /data/local/tmp/apps
344 KB/s (4207476 bytes in 11.921s)

Phone specs: Nexus 6, Quad-core, running Android 5.0

—————————————————————————————————————————————————————————————————————————

Running uninstrumented app on phone

root@shamu:/data/local/tmp # ./apps/cppthread                                  
Hello from main
Greetings from thread2
Hi from thread1
root@shamu:/data/local/tmp # 
root@shamu:/data/local/tmp # ./apps/cppthread                                  
Hello from main
Hi from thread1
Greetings from thread2

—————————————————————————————————————————————————————————————————————————

Phone file hierarchy:

/data/local/tmp/
——> build_android/
————> lib32 // from DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32
————> bin32 // from DynamoRIO-ARM-Android-EABI-6.1.1-3/bin32
————> ext // from DynamoRIO-ARM-Android-EABI-6.1.1-3/ext
——> apps/ 
————> cppthread

—————————————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————————————

Running drrun with no client on cppthread

root@shamu:/data/local/tmp # ./build_android/bin32/drrun -- ./apps/cppthread
Hello from main
Segmentation fault 

—————————————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————————————

Now running with -debug -loglevel 4

Runs fine the first time…

root@shamu:/data/local/tmp # ./build_android/bin32/drrun -debug -loglevel 4  ->
<log dir=/data/local/tmp/build_android/bin32/../logs/cppthread.9278.00000000>
<Starting application /data/local/tmp/apps/cppthread (9278)>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x00021508
>
<Initial options = -no_dynamic_options -loglevel 4 -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<get_memory_info mismatch! (can happen if os combines entries in /proc/pid/maps)
os says: 0xb6802000-0xb6900000 prot=0x00000003
cache says: 0xb6802000-0xb6b00000 prot=0x00000003
>
HiGreetingsHello from thread2
 from main
 from thread1
<Stopping application /data/local/tmp/apps/cppthread (9278)>

****************************************See cppthread.9278.00000000/ directory***************************************

Segmentation fault the second time…

/bin32/drrun -debug -loglevel 4  -- ./apps/cppthread                          <
<log dir=/data/local/tmp/build_android/bin32/../logs/cppthread.9286.00000000>
<Starting application /data/local/tmp/apps/cppthread (9286)>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x00021508
>
<Initial options = -no_dynamic_options -loglevel 4 -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<get_memory_info mismatch! (can happen if os combines entries in /proc/pid/maps)
os says: 0xb6802000-0xb6900000 prot=0x00000003
cache says: 0xb6802000-0xb6b00000 prot=0x00000003
>
Segmentation fault 

*_See cppthread.9286.00000000/ directory_

—————————————————————————————————————————————————————————————————————————

Now running with -debug -loglevel 4 and gdb/gdbserver (This time does not create logs)

root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-r11c/prebuilt/linux-x86_64/bin/gdb
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set solib-search-path ~/android/:~/android/system_lib:~/android/vendor_lib:~/android/vendor_lib/egl/:/usr/local/tools/DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32/debug/
(gdb) add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x00021508
add symbol table from file "/data/local/tmp/build_android/lib32/debug/libdynamorio.so" at
.text_addr = 0x21508
(y or n) y
Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so...Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so.debug...done.
done.
(gdb) target remote :1234
Remote debugging using :1234
warning: Architecture rejected target-supplied description
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun...Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun.debug"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun.debug...done.
done.
Reading /system/bin/linker from remote target...
Reading /system/bin/linker from remote target...
Reading symbols from target:/system/bin/linker...Reading /system/bin/.debug/linker from remote target...
(no debugging symbols found)...done.
0xb6ff0a18 in __dl__start () from target:/system/bin/linker
(gdb) break main
Breakpoint 1 at 0x2a01aa60: file /dynamorio_package/tools/drdeploy.c, line 976.
(gdb) cont
Continuing.
Breakpoint 1, main (argc=6, argv=0xbefff9e4) at /dynamorio_package/tools/drdeploy.c:976
976 /dynamorio_package/tools/drdeploy.c: No such file or directory.
(gdb) x/100i 0x2a01aa60
=> 0x2a01aa60 <main>:   stmdb   sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
   … 
   0x2a01ab72 <main+274>:   str r1, [sp, #16]
(gdb) 
(gdb) break *0x2a01ab72
Breakpoint 2 at 0x2a01ab72: file /dynamorio_package/tools/drdeploy.c, line 1088.
(gdb) cont
Continuing.
Breakpoint 2, 0x2a01ab72 in main (argc=6, argv=0xbefff9e4) at /dynamorio_package/tools/drdeploy.c:1088
1088    in /dynamorio_package/tools/drdeploy.c
(gdb) x/100i 0x2a01aa60
   0x2a01aa60 <main>:   stmdb   sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
   …
   => 0x2a01ab72 <main+274>:    str r1, [sp, #16]
(gdb) 
(gdb) break *0x2a01ab70
Breakpoint 3 at 0x2a01ab70: file /dynamorio_package/tools/drdeploy.c, line 1088.
(gdb) cont
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x2a20f5f8 in ?? ()
(gdb) ni
0x2a20f5fc in ?? ()
(gdb) x/100i 0x2a01ab70
   0x2a01ab70 <main+272>:   add r1, pc
   …
   0x2a01ac36 <main+470>:   movs    r0, r0
(gdb) break *0x2a01ac36
Breakpoint 4 at 0x2a01ac36: file /dynamorio_package/tools/drdeploy.c, line 344.
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x2a232d06 in ?? ()
(gdb) Quit

—————————————————————————————————————————————————————————————————————————

Running again with -debug -loglevel 4 and gdb… (This time does not create logs and fails at the same place as the previous)

root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-r11c/prebuilt/linux-x86_64/bin/gdb
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x00021508
add symbol table from file "/data/local/tmp/build_android/lib32/debug/libdynamorio.so" at
.text_addr = 0x21508
(y or n) y
Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so...Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so.debug...done.
done.
(gdb) set solib-search-path ~/android/:~/android/system_lib:~/android/vendor_lib:~/android/vendor_lib/egl/:/usr/local/tools/DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32/debug/
(gdb) target remote :1234
Remote debugging using :1234
warning: Architecture rejected target-supplied description
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun...Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun.debug"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun.debug...done.
done.
Reading /system/bin/linker from remote target...
Reading /system/bin/linker from remote target...
Reading symbols from target:/system/bin/linker...Reading /system/bin/.debug/linker from remote target...
(no debugging symbols found)...done.
0xb6ff0a18 in __dl__start () from target:/system/bin/linker
(gdb) break main
Breakpoint 1 at 0x2a01aa60: file /dynamorio_package/tools/drdeploy.c, line 976.
(gdb) cont
Continuing.
Breakpoint 1, main (argc=6, argv=0xbefff9e4) at /dynamorio_package/tools/drdeploy.c:976
976 /dynamorio_package/tools/drdeploy.c: No such file or directory.
(gdb) cont
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x2a20f5f8 in ?? ()
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x2a232d06 in ?? ()
(gdb) Quit

—————————————————————————————————————————————————————————————————————————

Running again with -debug -loglevel 4 and gdb… (This time fails elsewhere and create logs)

root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-r11c/prebuilt/linux-x86_64/bin/gdb
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x00021508
add symbol table from file "/data/local/tmp/build_android/lib32/debug/libdynamorio.so" at
.text_addr = 0x21508
(y or n) y
Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so...Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so.debug...done.
done.
(gdb) set solib-search-path ~/android/:~/android/system_lib:~/android/vendor_lib:~/android/vendor_lib/egl/:/usr/local/tools/DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32/debug/
(gdb) cont
The program is not being run.
(gdb) target remote :1234
Remote debugging using :1234
warning: Architecture rejected target-supplied description
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun...Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun.debug"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun.debug...done.
done.
Reading /system/bin/linker from remote target...
Reading /system/bin/linker from remote target...
Reading symbols from target:/system/bin/linker...Reading /system/bin/.debug/linker from remote target...
(no debugging symbols found)...done.
0xb6ff0a18 in __dl__start () from target:/system/bin/linker
(gdb) cont
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x2a20f5f8 in ?? ()
(gdb) cont
Continuing.
[New Thread 9372]
[New Thread 9371]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 9372]
0x2a21118e in ?? ()
(gdb) disassemble main
Dump of assembler code for function main:
   0x2a01aa60 <+0>: str r3, [sp, #352]  ; 0x160
   …
   0x2a01aabc <+92>:    movs    r7, r2
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) info line  *0x2a232d06
No line number information available for address 0x2a232d06
(gdb) info line *0x2a21118e
No line number information available for address 0x2a21118e
(gdb) disas 0x2a232d06,0x2a232d06
Dump of assembler code from 0x2a232d06 to 0x2a232d06:
End of assembler dump.
(gdb) Quit

*_See cppthread.9361.00000000/ directory_

—————————————————————————————————————————————————————————————————————————

/********************************************************
 * An example source module to accompany...
 *
 * "Using POSIX Threads: Programming with Pthreads"
 *     by Brad nichols, Dick Buttlar, Jackie Farrell
 *     O'Reilly & Associates, Inc.
 *
 ********************************************************
 * simple_threads.c
 *
 * Simple multi-threaded example.
 */

#include <string>
#include <iostream>
#include <thread>
#include <mutex>
using namespace std;
int counter;

void thread1(string msg)
{
  cout << msg << " from thread1\n"; 
}

void thread2(string msg)
{
  cout << msg << " from thread2\n"; 
}

int main()
{
  counter = 0;

  thread t1(thread1, "Hi");
  thread t2(thread2, "Greetings");

  cout << "Hello" << " from main\n";

  t1.join();
  t2.join();
}

[derekbruening]

On Sat, Apr 30, 2016 at 12:25 PM, Caroline Trippel wrote:

gdb doesn't seem to recognize the addresses of my segmentation faults has having meaningful instructions at them. I'm wondering if something is causing a branch to a random part of memory.

You're not actually disassembling the instructions there.  Please examine the instructions, machine context, and get the corresponding lines from /proc/self/maps.  Use something like  "x/15i $pc" and "info reg" in gdb when at the fault.  Do not expect source-level debugger commands to work for the code cache or other locations.

Segmentation fault the second time…

/bin32/drrun -debug -loglevel 4  -- ./apps/cppthread                          <
Segmentation fault 

*_See cppthread.9286.00000000/ directory_

There are no messages about a fault in the logs, which is odd.  Both thread logs are truncated, and there is a clone call for a 3rd thread from the initial thread but no log or any messages in the global log for the new thread 9289.  The debugger will have to be used to examine the fault.

Program received signal SIGSEGV, Segmentation fault.
0x2a232d06 in ?? ()
(gdb) Quit

Please disassemble (x/15i $pc), get the register values (info reg), get the maps lines near $pc.

Program received signal SIGSEGV, Segmentation fault.
0x2a232d06 in ?? ()
(gdb) Quit

Ditto.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 9372]
0x2a21118e in ?? ()
(gdb) disassemble main
Dump of assembler code for function main:
   0x2a01aa60 <+0>: str r3, [sp, #352] ; 0x160
   …
   0x2a01aabc <+92>: movs r7, r2
---Type to continue, or q to quit---q
Quit
(gdb) info line  *0x2a232d06
No line number information available for address 0x2a232d06
(gdb) info line *0x2a21118e
No line number information available for address 0x2a21118e
(gdb) disas 0x2a232d06,0x2a232d06
Dump of assembler code from 0x2a232d06 to 0x2a232d06:
End of assembler dump.
(gdb) Quit

0x2a232d06 was the address from the last run, so I'm not sure why it's being examined here.  Please run "x/15i $pc" and "info reg" and acquire the /proc//maps lines near $pc (which is 0x2a21118e).

[derekbruening]

This is rather strange, the fault happening without DR's signal handler catching it: it must be during thread init with the stack messed up and the alt signal stack not set up yet. Just to check other possibilities, are you out of disk space and that's why the logs were truncated in the faulting run?

[ctrippel]

Here is some new gdb output where I have tried to include the information you requested. On the host side (Anroid 5.0), I am running ./gdbserver ./drrun -debug -loglevel 4 -- ./apps/cppthread.

Right now, the SIGTRAP signal is happening consistencly at 0x2020f5f8, and the SIGSEGV at 0x2a232d06. However, although I have plenty of disk space, the output logs are not being created when running under gdb. When running without gdb, I get the output provided below as well as the attached log files.
cppthread-logs.tar.gz

**No-GDB output**
d/bin32/drrun -debug -loglevel 4 -- ./apps/cppthread                          <
<log dir=/data/local/tmp/build_android/bin32/../logs/cppthread.4450.00000000>
<Starting application /data/local/tmp/apps/cppthread (4450)>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x00021508
>
<Initial options = -no_dynamic_options -loglevel 4 -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<get_memory_info mismatch! (can happen if os combines entries in /proc/pid/maps)
    os says: 0xb6802000-0xb6900000 prot=0x00000003
    cache says: 0xb6802000-0xb6b00000 prot=0x00000003
>
Segmentation fault 

**GDB output**
root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-r11c/prebuilt/linux-x86_64/bin/gdb
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set solib-search-path ~/android/:~/android/system_lib:~/android/vendor_lib:~/android/vendor_lib/egl/:/usr/local/tools/DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32/debug/
(gdb) target remote :1234
Remote debugging using :1234
warning: Architecture rejected target-supplied description
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun...Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun.debug...done.
done.
Reading /system/bin/linker from remote target...
Reading /system/bin/linker from remote target...
Reading symbols from target:/system/bin/linker...Reading /system/bin/.debug/linker from remote target...
(no debugging symbols found)...done.
0xb6ff0a18 in __dl__start () from target:/system/bin/linker
(gdb) break main
Breakpoint 1 at 0x2a01aa60: file /dynamorio_package/tools/drdeploy.c, line 976.
(gdb) break __dl_pthread_attr_init
Breakpoint 2 at 0xb6ff5dea
(gdb) c
Continuing.

Breakpoint 2, 0xb6ff5dea in __dl_pthread_attr_init () from target:/system/bin/linker
(gdb) c
Continuing.

Breakpoint 1, main (argc=6, argv=0xbefff9e4) at /dynamorio_package/tools/drdeploy.c:976
976 /dynamorio_package/tools/drdeploy.c: No such file or directory.
(gdb) display/i $pc
1: x/i $pc
=> 0x2a01aa60 <main>:   stmdb   sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
(gdb) ni
0x2a01aa64  976 in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aa64 <main+4>: sub.w   sp, sp, #10688  ; 0x29c0
(gdb) ni
0x2a01aa68  976 in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aa68 <main+8>: sub sp, #12
(gdb) ni
976 in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aa6a <main+10>:    mov r11, r0
(gdb) ni
981 in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aa6c <main+12>:    add r3, sp, #264    ; 0x108
(gdb) next 10
983 in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aa8a <main+42>:    movs    r4, #0
(gdb) ni
982 in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aa8c <main+44>:    mov r6, r2
(gdb) next 10
1060    in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aab8 <main+88>:    add.w   r3, sp, #1160   ; 0x488
(gdb) next 10
1066    in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01aae0 <main+128>:   mov r0, r9
(gdb) next 100
1376    in /dynamorio_package/tools/drdeploy.c
1: x/i $pc
=> 0x2a01b282 <main+2082>:  mov r0, r5
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x2a20f5f8 in ?? ()
1: x/i $pc
=> 0x2a20f5f8:  mov r1, #0
(gdb) x/15i $pc
=> 0x2a20f5f8:  mov r1, #0
   0x2a20f5fc:  mov r0, #0
   0x2a20f600:  blx 0x2a2337f8
   0x2a20f604:  eor r1, r1, r1
   0x2a20f608:  eor r2, r2, r2
   0x2a20f60c:  eor r11, r11, r11
   0x2a20f610:  mov r0, sp
   0x2a20f614:  blx 0x2a233ba8
   0x2a20f618:  bl  0x2a23e98c
   0x2a20f61c:  mov r5, r0
   0x2a20f620:  mov sp, r1
   0x2a20f624:  sub r0, pc, #32
   0x2a20f628:  sub r1, pc, #56 ; 0x38
   0x2a20f62c:  sub r0, r0, r1
   0x2a20f630:  add r5, r5, r0
(gdb) info reg
r0             0x0  0
r1             0x0  0
r2             0x0  0
r3             0x0  0
r4             0x0  0
r5             0x0  0
r6             0x0  0
r7             0x0  0
r8             0x0  0
r9             0x0  0
r10            0x0  0
r11            0x0  0
r12            0x0  0
sp             0xbefff9a0   0xbefff9a0
lr             0x0  0
pc             0x2a20f5f8   0x2a20f5f8
cpsr           0x10 16

(gdb) info proc all
process 4206
cmdline = './apps/cppthread'
cwd = '/data/local/tmp'
exe = '/data/local/tmp/build_android/lib32/debug/libdynamorio.so'
Mapped address spaces:

    Start Addr   End Addr       Size     Offset objfile
    0x2a000000 0x2a2c9000   0x2c9000        0x0 /data/local/tmp/build_android/lib32/debug/libdynamorio.so
    0x2a2d0000 0x2a32f000    0x5f000   0x2d0000 /data/local/tmp/build_android/lib32/debug/libdynamorio.so
    0x2a32f000 0x2a352000    0x23000        0x0 [heap]
    0xb6fff000 0xb7000000     0x1000        0x0 [sigpage]
    0xbefdf000 0xbf000000    0x21000        0x0 [stack]
    0xffff0000 0xffff1000     0x1000        0x0 [vectors]
Name:   libdynamorio.so
State:  t (tracing stop)
Tgid:   4206
Pid:    4206
PPid:   4203
TracerPid:  4203
Uid:    0   0   0   0
Gid:    0   0   0   0
FDSize: 32
Groups: 
VmPeak:     3512 kB
VmSize:     3512 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:        12 kB
VmRSS:        12 kB
VmData:      144 kB
VmStk:       136 kB
VmExe:      2852 kB
VmLib:         0 kB
VmPTE:         6 kB
VmSwap:        0 kB
Threads:    1
SigQ:   7/21334
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000010000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 0000001fffffffff
CapEff: 0000001fffffffff
CapBnd: 0000001fffffffff
Seccomp:    0
Cpus_allowed:   f
Cpus_allowed_list:  0-3
voluntary_ctxt_switches:    542
nonvoluntary_ctxt_switches: 5
Process: 4206
Exec file: libdynamorio.so
State: t
Parent process: 4203
Process group: 4206
Session id: 2958
TTY: 34818
---Type <return> to continue, or q <return> to quit---
TTY owner process group: 4206
Flags: 0x40000100
Minor faults (no memory page): 4061
Minor faults, children: 0
Major faults (memory page faults): 0
Major faults, children: 0
utime: 3
stime: 5
utime, children: 0
stime, children: 0
jiffies remaining in current time slice: 20
'nice' value: 0
jiffies until next timeout: 1
jiffies until next SIGALRM: 0
start time (jiffies since system boot): 434874
Virtual memory size: 3596288
Resident set size: 3
rlim: 4294967295
Start of text: 0x2a000000
End of text: 0x2a2c8b4c
Start of stack: 0xbefff9a0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x2a232d06 in ?? ()
1: x/i $pc
=> 0x2a232d06:  ldr r3, [r3, #0]
(gdb) x/15i $pc
=> 0x2a232d06:  ldr r3, [r3, #0]
   0x2a232d08:  ldr r2, [r7, #8]
   0x2a232d0a:  ldr r2, [r2, #92]   ; 0x5c
   0x2a232d0c:  add r2, r3
   0x2a232d0e:  ldr r3, [r7, #24]
   0x2a232d10:  str r2, [r3, #0]
   0x2a232d12:  b.n 0x2a232d20
   0x2a232d14:  ldr r3, [r7, #20]
   0x2a232d16:  cmp r3, #0
   0x2a232d18:  bne.n   0x2a232d1c
   0x2a232d1a:  b.n 0x2a232d20
   0x2a232d1c:  bl  0x2a232c78
   0x2a232d20:  adds    r7, #32
   0x2a232d22:  mov sp, r7
   0x2a232d24:  pop {r7, pc}
(gdb) info reg
r0             0x2a01aa60   704752224
r1             0xbefff8b8   3204446392
r2             0x2a000000   704643072
r3             0xca00f7f0   3389061104
r4             0x2a007438   704672824
r5             0x2a007438   704672824
r6             0x0  0
r7             0xbefff850   3204446288
r8             0x0  0
r9             0x0  0
r10            0x0  0
r11            0x0  0
r12            0xbefff8b8   3204446392
sp             0xbefff850   0xbefff850
lr             0x2a232d45   706948421
pc             0x2a232d06   0x2a232d06
cpsr           0x60000030   1610612784
(gdb) info proc all
process 4206
cmdline = './apps/cppthread'
cwd = '/data/local/tmp'
exe = '/data/local/tmp/build_android/lib32/debug/libdynamorio.so'
Mapped address spaces:

    Start Addr   End Addr       Size     Offset objfile
    0x2a000000 0x2a2c9000   0x2c9000        0x0 /data/local/tmp/build_android/lib32/debug/libdynamorio.so
    0x2a2d0000 0x2a32f000    0x5f000   0x2d0000 /data/local/tmp/build_android/lib32/debug/libdynamorio.so
    0x2a32f000 0x2a352000    0x23000        0x0 [heap]
    0xb6fff000 0xb7000000     0x1000        0x0 [sigpage]
    0xbefdf000 0xbf000000    0x21000        0x0 [stack]
    0xffff0000 0xffff1000     0x1000        0x0 [vectors]
Name:   libdynamorio.so
State:  t (tracing stop)
Tgid:   4206
Pid:    4206
PPid:   4203
TracerPid:  4203
Uid:    0   0   0   0
Gid:    0   0   0   0
FDSize: 32
Groups: 
VmPeak:     3512 kB
VmSize:     3512 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:      2464 kB
VmRSS:      2464 kB
VmData:      144 kB
VmStk:       136 kB
VmExe:      2852 kB
VmLib:         0 kB
VmPTE:         6 kB
VmSwap:        0 kB
Threads:    1
SigQ:   7/21334
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000010000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 0000001fffffffff
CapEff: 0000001fffffffff
CapBnd: 0000001fffffffff
Seccomp:    0
Cpus_allowed:   f
Cpus_allowed_list:  0-3
voluntary_ctxt_switches:    543
nonvoluntary_ctxt_switches: 7
Process: 4206
Exec file: libdynamorio.so
State: t
Parent process: 4203
Process group: 4206
Session id: 2958
TTY: 34818
---Type <return> to continue, or q <return> to quit---
TTY owner process group: 4206
Flags: 0x40000100
Minor faults (no memory page): 4744
Minor faults, children: 0
Major faults (memory page faults): 0
Major faults, children: 0
utime: 3
stime: 7
utime, children: 0
stime, children: 0
jiffies remaining in current time slice: 20
'nice' value: 0
jiffies until next timeout: 1
jiffies until next SIGALRM: 0
start time (jiffies since system boot): 434874
Virtual memory size: 3596288
Resident set size: 616
rlim: 4294967295
Start of text: 0x2a000000
End of text: 0x2a2c8b4c
Start of stack: 0xbefff9a0
(gdb) n
Cannot find bounds of current function
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) Quit

[derekbruening]

So the crash is in the DR library itself:

Program received signal SIGSEGV, Segmentation fault.
0x2a232d06 in ?? ()
1: x/i $pc
=> 0x2a232d06:  ldr r3, [r3, #0]
(gdb) x/15i $pc
=> 0x2a232d06:  ldr r3, [r3, #0]
   0x2a232d08:  ldr r2, [r7, #8]

    Start Addr   End Addr       Size     Offset objfile
    0x2a000000 0x2a2c9000   0x2c9000        0x0 /data/local/tmp/build_android/lib32/debug/libdynamorio.so

Please use add-symbol-file to tell gdb about libdynamorio.so and then get the function and line number of the fault address. This is your own build so there's no way for us to translate the address. Please get the callstack as well (after adding the DR symbols).

[ctrippel]

I tried adding the symbol table and was still unable to get the necessary information on the fault address. It seems that there was no ./debug/linker binary found. In an attempt to fix this I created a debug linker file with the commands:

 arm-linux-gnueabihf-objcopy --only-keep-debug linker .debug/linker 
 arm-linux-gnueabihf-strip linker  
 arm-linux-gnueabihf-objcopy --add-gnu-debuglink=.debug/linker linker

This did not work either. Do you see something that I am missing?

root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-r11c/prebuilt/linux-x86_64/bin/gdb
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set solib-search-path ~/android/:~/android/system_lib:~/android/vendor_lib:~/android/vendor_lib/egl/:/usr/local/tools/DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32/debug/
(gdb) add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x00021508
add symbol table from file "/data/local/tmp/build_android/lib32/debug/libdynamorio.so" at
    .text_addr = 0x21508
(y or n) y
Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so...Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so.debug...done.
done.
(gdb) target remote :1234
Remote debugging using :1234
warning: Architecture rejected target-supplied description
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun...Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Load new symbol table from "target:/data/local/tmp/build_android/bin32/drrun.debug"? (y or n) y
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun.debug...done.
done.
Reading /system/bin/linker from remote target...
Reading /system/bin/linker from remote target...
Reading symbols from target:/system/bin/linker...Reading /system/bin/.debug/linker from remote target...
(no debugging symbols found)...done.
0xb6ff0a18 in __dl__start () from target:/system/bin/linker
(gdb) info sharedlibrary
From        To          Syms Read   Shared Object Library
0xb6ff0970  0xb6ff8e38  Yes (*)     target:/system/bin/linker
(*): Shared library is missing debugging information.
(gdb) break main
Breakpoint 1 at 0x2a01aa60: file /dynamorio_package/tools/drdeploy.c, line 976.
(gdb) c
Continuing.

Breakpoint 1, main (argc=6, argv=0xbefff9e4) at /dynamorio_package/tools/drdeploy.c:976
976 /dynamorio_package/tools/drdeploy.c: No such file or directory.
(gdb) ni
0x2a01aa64  976 in /dynamorio_package/tools/drdeploy.c
(gdb) ni
0x2a01aa68  976 in /dynamorio_package/tools/drdeploy.c
(gdb) bt
#0  0x2a01aa68 in main (argc=6, argv=0xbefff9e4) at /dynamorio_package/tools/drdeploy.c:976
(gdb) info symbol 0x2a01aa68
main + 8 in section .text of target:/data/local/tmp/build_android/bin32/drrun
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x2a20f5f8 in ?? ()
(gdb) info symbol 0x2a20f5f8
No symbol matches 0x2a20f5f8.
(gdb) bt
#0  0x2a20f5f8 in ?? ()
#1  0x00000000 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x2a232d06 in ?? ()
(gdb) bt
#0  0x2a232d06 in ?? ()
#1  0x2a232d44 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) info symbol 0x2a232d44
No symbol matches 0x2a232d44.
(gdb) info symbol 0x2a232d06
No symbol matches 0x2a232d06.
(gdb) Quit
A debugging session is active.

    Inferior 1 [process 8470] will be killed.

Quit anyway? (y or n) y

[derekbruening]

The symbols for libdynamorio.so need to be added after the exec, not while in the initial drrun process. Typically you would wait for the SIGSEGV and add the symbol file there. The linker symbols should not matter.

[ctrippel]

OK, I see. Here's what happens when I load later after knowing the fault address:

root@ctrippel-VirtualBox:/usr/local/tools# ./android-ndk-r11c/prebuilt/linux-x86_64/bin/gdb
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) ward tcp:1234 tcp:1234
Undefined command: "ward".  Try "help".
(gdb) ./android-ndk-r11c/prebuilt/linux-x86_64/bin/gdb
Undefined command: "".  Try "help".
(gdb) (gdb)  set solib-search-path ~/android/:~/android/system_lib:~/android/vendor_lib:~/android/vendor_lib/egl/:/usr/local/tools/DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32/debug/
Undefined command: "".  Try "help".
(gdb) set solib-search-path ~/android/:~/android/system_lib:~/android/vendor_lib:~/android/vendor_lib/egl/:/usr/local/tools/DynamoRIO-ARM-Android-EABI-6.1.1-3/lib32/debug/
(gdb) target remote :1234
Remote debugging using :1234
warning: Architecture rejected target-supplied description
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /data/local/tmp/build_android/bin32/drrun from remote target...
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun...Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading /data/local/tmp/build_android/bin32/drrun.debug from remote target...
Reading symbols from target:/data/local/tmp/build_android/bin32/drrun.debug...done.
done.
Reading /system/bin/linker from remote target...
Reading /system/bin/linker from remote target...
Reading symbols from target:/system/bin/linker...Reading /system/bin/.debug/linker from remote target...
(no debugging symbols found)...done.
0xb6ff0a18 in __dl__start () from target:/system/bin/linker
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x2a20f5f8 in ?? ()
(gdb) c
Continuing.
[New Thread 10963]
[New Thread 10962]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 10963]
0x2a21118e in ?? ()
(gdb) add-symbol-file '/data/local/tmp/build_android/lib32/debug/libdynamorio.so' 0x2a21118e
add symbol table from file "/data/local/tmp/build_android/lib32/debug/libdynamorio.so" at
    .text_addr = 0x2a21118e
(y or n) y
Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so...Reading symbols from /data/local/tmp/build_android/lib32/debug/libdynamorio.so.debug...done.
done.
(gdb) info symbol 0x2a21118e
string_option_read_lock in section .text of /data/local/tmp/build_android/lib32/debug/libdynamorio.so
(gdb) bt
#0  string_option_read_lock () at /dynamorio_package/core/options.h:394
#1  0x2a23b64e in has_pcache_dynamo_options (options=0xb6b021fc, pcache_effect=(OP_PCACHE_LOCAL | OP_PCACHE_GLOBAL | unknown: 2880154536))
    at /dynamorio_package/core/optionsx.h:1413
#2  0x2a21269a in set_dynamo_options_common (options=0x2a212673 <set_dynamo_options_common+1276>, optstr=0x4a6cea5c "\253\253\253\253", for_this_process=74)
    at /dynamorio_package/core/optionsx.h:230
#3  0x00000000 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) Quit
A debugging session is active.

    Inferior 1 [process 10954] will be killed.

Quit anyway? (y or n) y
root@ctrippel-VirtualBox:/usr/local/tools# 

[derekbruening]

The address given for libdynamorio.so should be the address of the .text section, not the address of the SIGSEGV. This will be printed out to stderr at startup in debug builds, including the whole add-symbol-file command so you can just paste it (modulo remote vs local paths for Android): see https://github.com/DynamoRIO/dynamorio/wiki/Debugging#loading-client-symbols. Or it can be obtained with:

objdump -h <path-to-build>/lib32/debug/libdynamorio.so | grep text | awk '{print $4}'

[derekbruening]

In case it wasn't clear, I'm saying that the string_option_read_lock callstack is incorrect (no, gdb does not try to detect that you gave it the wrong address, so you get no error message) -- the .text address needs to be used to load the symbols.

[ctrippel]

Crash call stack:

(gdb) bt #0 0x2a21118e in is_thread_tls_initialized () at /dynamorio_package/core/unix/os.c:1396 #1 0x2a21269a in get_tls_thread_id () at /dynamorio_package/core/unix/os.c:2290 #2 0x2a212672 in get_thread_id () at /dynamorio_package/core/unix/os.c:2279 #3 0x2a20f3b6 in new_thread_setup (mc=0x4b8f6aac) at /dynamorio_package/core/arch/x86_code.c:268 #4 0xb6f071d8 in ?? ()

(gdb) x/i $pc
=> 0x2a21118e <is_thread_tls_initialized+34>:   ldr r3, [r3, #0]
(gdb) p $r3
$2 = 3064996348
(gdb) p/x $r3
$3 = 0xb6b021fc

b6a05000-b6b02000 rw-p 00000000 00:00 0
b6b02000-b6b03000 ---p 00000000 00:00 0
b6b03000-b6c00000 rw-p 00000000 00:00 0
b6c00000-b6e00000 rw-p 00000000 00:00 0
b6ea7000-b6ea9000 rw-p 00000000 00:00 0

root@ctrippel-VirtualBox:/home/ctrippel/06_06_logs# grep -2 ^args: !$
grep -2 ^args: log.0.12496.html
system call 120
syscall: clone with flags = 0x003d0f00
args: 0x003d0f00, 0xb6bffdb0, 0xb6c19088, 0xb6bffdb0, 0xb6c19088
handle_clone: CLONE_SIGHAND set!
make_unwritable: pc 0x4b8a9000 -> 0x4b8a9000-0x4b8aa000
--
system call 120
syscall: clone with flags = 0x003d0f00
args: 0x003d0f00, 0xb6b01db0, 0xb6c19308, 0xb6b01db0, 0xb6c19308
handle_clone: CLONE_SIGHAND set!
make_unwritable: pc 0x4b8e9000 -> 0x4b8e9000-0x4b8ea000```

[derekbruening]

The crash is in this code:

    dr_tls_base_addr = (byte **)get_dr_tls_base_addr();
    if (dr_tls_base_addr == NULL ||
        *dr_tls_base_addr == NULL ||

Which uses this offset:

    byte *lib_tls_base = (byte *)read_thread_register(TLS_REG_LIB);
    if (lib_tls_base == NULL)
        return NULL;
    return (byte **)(lib_tls_base + DR_TLS_BASE_OFFSET);

Which is:

#   define DR_TLS_BASE_OFFSET  1100 == 0x44c

And we see our address here:

0xb6b021fc == 0x44c + 0xb6b01db0

For ARM Linux we rely on the field after dtv to be NULL, and on Android we rely on unused space at the end of the mmap to be NULL, but with #1920 expanding the offset to the 2nd page, on Android 5 we now de-reference onto a 2nd page. So this seems to be a regression coming from #1920, and we'd expect the 6.1.0 release to work (though it sounds like that's not the case?).

Xref #1936 if we want to get ambitious and try to solve both at once.

[derekbruening]

Elaborating further: the first new thread got lucky and there happens to be a mapping on the subsequent page, so it does not crash (and probably reads a 0 too), which is why this only happened on the 2nd thread here and why it's non-deterministic in general.

[derekbruening]

We now have confirmation that 6.1.0 does work, so the analysis above seems confirmed.

[derekbruening]

Xref #1986 where we have TLS problems as well: perhaps there's some broad solution that would address Android, WSL, and corner-case Linux apps.

[derekbruening]

To fix the offset I am putting in indirection of the tls offs through a variable. This makes the assembly more painful, and requires an initial value that returns 0 prior to proper initialization of the variable, but it seems workable. I do not have a good way to test it unfortunately without an Android 5 device.