1page.title=Diagnosing Native Crashes 2@jd:body 3 4<!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18--> 19<div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25</div> 26 27<p> 28If you've never seen a native crash before, start with 29<a href="{@docRoot}devices/tech/debug/index.html">Debugging Native Android 30Platform Code</a>. 31</p> 32 33<h2 id=crashtypes>Types of native crash</h2> 34<p> 35The sections below detail the most common kinds of native crash. Each includes 36an example chunk of <code>debuggerd</code> output, with the key evidence that helps you 37distinguish that specific kind of crash highlighted in orange italic text. 38</p> 39<h3 id=abort>Abort</h3> 40<p> 41Aborts are interesting because they're deliberate. There are many different ways 42to abort (including calling <code><a 43href="http://man7.org/linux/man-pages/man3/abort.3.html">abort(3)</a></code>, 44failing an <code><a 45href="http://man7.org/linux/man-pages/man3/assert.3.html">assert(3)</a></code>, 46using one of the Android-specific fatal logging types), but they all involve 47calling <code>abort</code>. A call to <code>abort</code> basically signals the 48calling thread with SIGABRT, so a frame showing "abort" in <code>libc.so</code> 49plus SIGABRT are the things to look for in the <code>debuggerd</code> output to 50recognize this case. 51 52<p> 53As mentioned above, there may be an explicit "abort message" line. But you 54should also look in the <code>logcat</code> output to see what this thread logged before 55deliberately killing itself, because the basic abort primitive doesn't accept a 56message. 57</p> 58<p> 59Older versions of Android (especially on 32-bit ARM) followed a convoluted path 60between the original abort call (frame 4 here) and the actual sending of the 61signal (frame 0 here): 62</p> 63<pre class="no-pretty-print"> 64pid: 1656, tid: 1656, name: crasher >>> crasher <<< 65signal 6 (<i style="color:Orange">SIGABRT</i>), code -6 (SI_TKILL), fault addr -------- 66<i style="color:Orange">Abort message</i>: 'some_file.c:123: some_function: assertion "false" failed' 67 r0 00000000 r1 00000678 r2 00000006 r3 f70b6dc8 68 r4 f70b6dd0 r5 f70b6d80 r6 00000002 r7 0000010c 69 r8 ffffffed r9 00000000 sl 00000000 fp ff96ae1c 70 ip 00000006 sp ff96ad18 lr f700ced5 pc f700dc98 cpsr 400b0010 71backtrace: 72 #00 pc 00042c98 /system/lib/libc.so (tgkill+12) 73 #01 pc 00041ed1 /system/lib/libc.so (pthread_kill+32) 74 #02 pc 0001bb87 /system/lib/libc.so (raise+10) 75 #03 pc 00018cad /system/lib/libc.so (__libc_android_abort+34) 76 #04 pc 000168e8 /system/lib/<i style="color:Orange">libc.so</i> (<i style="color:Orange">abort</i>+4) 77 #05 pc 0001a78f /system/lib/libc.so (__libc_fatal+16) 78 #06 pc 00018d35 /system/lib/libc.so (__assert2+20) 79 #07 pc 00000f21 /system/xbin/crasher 80 #08 pc 00016795 /system/lib/libc.so (__libc_init+44) 81 #09 pc 00000abc /system/xbin/crasher 82</pre> 83<p> 84More recent versions call <code><a 85href="http://man7.org/linux/man-pages/man2/tgkill.2.html">tgkill(2)</a></code> 86directly from <code>abort</code>, so there are fewer stack frames for you to 87skip over before you get to the interesting frames: 88 89<pre class="no-pretty-print">pid: 25301, tid: 25301, name: crasher >>> crasher <<< 90signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 91 r0 00000000 r1 000062d5 r2 00000006 r3 00000008 92 r4 ffa09dd8 r5 000062d5 r6 000062d5 r7 0000010c 93 r8 00000000 r9 00000000 sl 00000000 fp ffa09f0c 94 ip 00000000 sp ffa09dc8 lr eac63ce3 pc eac93f0c cpsr 000d0010 95backtrace: 96 #00 pc 00049f0c /system/lib/libc.so (tgkill+12) 97 #01 pc 00019cdf /system/lib/libc.so (abort+50) 98 #02 pc 000012db /system/xbin/crasher (maybe_abort+26) 99 #03 pc 000015b7 /system/xbin/crasher (do_action+414) 100 #04 pc 000020d5 /system/xbin/crasher (main+100) 101 #05 pc 000177a1 /system/lib/libc.so (__libc_init+48) 102 #06 pc 000010e4 /system/xbin/crasher (_start+96) 103</pre> 104<p> 105You can reproduce an instance of this type of crash using: <code>crasher 106abort</code> 107</p> 108<h3 id=nullpointer>Pure null pointer dereference</h3> 109<p> 110This is the classic native crash, and although it's just a special case of the 111next crash type, it's worth mentioning separately because it usually requires 112the least thought. 113</p> 114<p> 115In the example below, even though the crashing function is in 116<code>libc.so</code>, because the string functions just operate on the pointers 117they're given, you can infer that <code><a 118href="http://man7.org/linux/man-pages/man3/strlen.3.html">strlen(3)</a></code> 119was called with a null pointer; and this crash should go straight to the author 120of the calling code. In this case, frame #01 is the bad caller. 121</p> 122 123<pre class="no-pretty-print">pid: 25326, tid: 25326, name: crasher >>> crasher <<< 124signal 11 (<i style="color:Orange">SIGSEGV</i>), code 1 (SEGV_MAPERR), <i style="color:Orange">fault addr 0x0</i> 125 r0 00000000 r1 00000000 r2 00004c00 r3 00000000 126 r4 ab088071 r5 fff92b34 r6 00000002 r7 fff92b40 127 r8 00000000 r9 00000000 sl 00000000 fp fff92b2c 128 ip ab08cfc4 sp fff92a08 lr ab087a93 pc efb78988 cpsr 600d0030 129 130backtrace: 131 #00 pc 00019988 /system/lib/libc.so (strlen+71) 132 #01 pc 00001a8f /system/xbin/crasher (strlen_null+22) 133 #02 pc 000017cd /system/xbin/crasher (do_action+948) 134 #03 pc 000020d5 /system/xbin/crasher (main+100) 135 #04 pc 000177a1 /system/lib/libc.so (__libc_init+48) 136 #05 pc 000010e4 /system/xbin/crasher (_start+96) 137</pre> 138<p> 139You can reproduce an instance of this type of crash using: <code>crasher 140strlen-NULL</code> 141</p> 142<h3 id=lowaddress>Low-address null pointer dereference</h3> 143<p> 144In many cases the fault address won't be 0, but some other low number. Two- or 145three-digit addresses in particular are very common, whereas a six-digit address 146is almost certainly not a null pointer dereference—that would require a 1MiB 147offset. This usually occurs when you have code that dereferences a null pointer 148as if it was a valid struct. Common functions are <code><a 149href="http://man7.org/linux/man-pages/man3/fprintf.3.html">fprintf(3)</a></code> 150(or any other function taking a FILE*) and <code><a 151href="http://man7.org/linux/man-pages/man3/readdir.3.html">readdir(3)</a></code>, 152because code often fails to check that the <code><a 153href="http://man7.org/linux/man-pages/man3/fopen.3.html">fopen(3)</a></code> or 154<code><a 155href="http://man7.org/linux/man-pages/man3/opendir.3.html">opendir(3)</a></code> 156call actually succeeded first. 157 158<p> 159Here's an example of <code>readdir</code>: 160</p> 161<pre class="no-pretty-print">pid: 25405, tid: 25405, name: crasher >>> crasher <<< 162signal 11 (<i style="color:Orange">SIGSEGV</i>), code 1 (SEGV_MAPERR), <i style="color:Orange">fault addr 0xc</i> 163 r0 0000000c r1 00000000 r2 00000000 r3 3d5f0000 164 r4 00000000 r5 0000000c r6 00000002 r7 ff8618f0 165 r8 00000000 r9 00000000 sl 00000000 fp ff8618dc 166 ip edaa6834 sp ff8617a8 lr eda34a1f pc eda618f6 cpsr 600d0030 167 168backtrace: 169 #00 pc 000478f6 /system/lib/libc.so (pthread_mutex_lock+1) 170 #01 pc 0001aa1b /system/lib/libc.so (readdir+10) 171 #02 pc 00001b35 /system/xbin/crasher (readdir_null+20) 172 #03 pc 00001815 /system/xbin/crasher (do_action+976) 173 #04 pc 000021e5 /system/xbin/crasher (main+100) 174 #05 pc 000177a1 /system/lib/libc.so (__libc_init+48) 175 #06 pc 00001110 /system/xbin/crasher (_start+96) 176</pre> 177<p> 178Here the direct cause of the crash is that <code><a 179href="http://man7.org/linux/man-pages/man3/pthread_mutex_lock.3p.html">pthread_mutex_lock(3)</a></code> 180has tried to access address 0xc (frame 0). But the first thing 181<code>pthread_mutex_lock</code> does is dereference the <code>state</code> 182element of the <code>pthread_mutex_t*</code> it was given. If you look at the 183source, you can see that element is at offset 0 in the struct, which tells you 184that <code>pthread_mutex_lock</code> was given the invalid pointer 0xc. From the 185frame 1 you can see that it was given that pointer by <code>readdir</code>, 186which extracts the <code>mutex_</code> field from the <code>DIR*</code> it's 187given. Looking at that structure, you can see that <code>mutex_</code> is at 188offset <code>sizeof(int) + sizeof(size_t) + sizeof(dirent*)</code> into 189<code>struct DIR</code>, which on a 32-bit device is 4 + 4 + 4 = 12 = 0xc, so 190you found the bug: <code>readdir</code> was passed a null pointer by the caller. 191At this point you can paste the stack into the stack tool to find out 192<em>where</em> in logcat this happened. 193 194<pre class="no-pretty-print"> 195 struct DIR { 196 int fd_; 197 size_t available_bytes_; 198 dirent* next_; 199 pthread_mutex_t mutex_; 200 dirent buff_[15]; 201 long current_pos_; 202 }; 203</pre> 204<p> 205In most cases you can actually skip this analysis. A sufficiently low fault 206address usually means you can just skip any <code>libc.so</code> frames in the 207stack and directly accuse the calling code. But not always, and this is how you 208would present a compelling case. 209</p> 210<p> 211You can reproduce instances of this kind of crash using: <code>crasher 212fprintf-NULL</code> or <code>crasher readdir-NULL</code> 213</p> 214<h3 id=fortify>FORTIFY failure</h3> 215<p> 216A FORTIFY failure is a special case of an abort that occurs when the C library 217detects a problem that might lead to a security vulnerability. Many C library 218functions are <em>fortified</em>; they take an extra argument that tells them how large 219a buffer actually is and check at run time whether the operation you're trying 220to perform actually fits. Here's an example where the code tries to 221<code>read(fd, buf, 32)</code> into a buffer that's actually only 10 bytes 222long... 223</p> 224<pre class="no-pretty-print">pid: 25579, tid: 25579, name: crasher >>> crasher <<< 225signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 226Abort message: '<i style="color:Orange">FORTIFY: read: prevented 32-byte write into 10-byte buffer'</i> 227 r0 00000000 r1 000063eb r2 00000006 r3 00000008 228 r4 ff96f350 r5 000063eb r6 000063eb r7 0000010c 229 r8 00000000 r9 00000000 sl 00000000 fp ff96f49c 230 ip 00000000 sp ff96f340 lr ee83ece3 pc ee86ef0c cpsr 000d0010 231 232backtrace: 233 #00 pc 00049f0c /system/lib/libc.so (tgkill+12) 234 #01 pc 00019cdf /system/lib/libc.so (abort+50) 235 #02 pc 0001e197 /system/lib/libc.so (<i style="color:Orange">__fortify_fatal</i>+30) 236 #03 pc 0001baf9 /system/lib/libc.so (__read_chk+48) 237 #04 pc 0000165b /system/xbin/crasher (do_action+534) 238 #05 pc 000021e5 /system/xbin/crasher (main+100) 239 #06 pc 000177a1 /system/lib/libc.so (__libc_init+48) 240 #07 pc 00001110 /system/xbin/crasher (_start+96) 241</pre> 242<p> 243You can reproduce an instance of this type of crash using: <code>crasher 244fortify</code> 245</p> 246<h3 id=stackcorruption>Stack corruption detected by -fstack-protector</h3> 247<p> 248The compiler's <code>-fstack-protector</code> option inserts checks into 249functions with on-stack buffers to guard against buffer overruns. This option is 250on by default for platform code but not for apps. When this option is enabled, 251the compiler adds instructions to the <a 252href="https://en.wikipedia.org/wiki/Function_prologue">function prologue</a> to 253write a random value just past the last local on the stack and to the function 254epilogue to read it back and check that it's not changed. If that value changed, 255it was overwritten by a buffer overrun, so the epilogue calls 256<code>__stack_chk_fail</code> to log a message and abort. 257</p> 258<pre class="no-pretty-print">pid: 26717, tid: 26717, name: crasher >>> crasher <<< 259signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 260<i style="color:Orange">Abort message: 'stack corruption detected'</i> 261 r0 00000000 r1 0000685d r2 00000006 r3 00000008 262 r4 ffd516d8 r5 0000685d r6 0000685d r7 0000010c 263 r8 00000000 r9 00000000 sl 00000000 fp ffd518bc 264 ip 00000000 sp ffd516c8 lr ee63ece3 pc ee66ef0c cpsr 000e0010 265 266backtrace: 267 #00 pc 00049f0c /system/lib/libc.so (tgkill+12) 268 #01 pc 00019cdf /system/lib/libc.so (abort+50) 269 #02 pc 0001e07d /system/lib/libc.so (__libc_fatal+24) 270 #03 pc 0004863f /system/lib/libc.so (<i style="color:Orange">__stack_chk_fail</i>+6) 271 #04 pc 000013ed /system/xbin/crasher (smash_stack+76) 272 #05 pc 00001591 /system/xbin/crasher (do_action+280) 273 #06 pc 00002219 /system/xbin/crasher (main+100) 274 #07 pc 000177a1 /system/lib/libc.so (__libc_init+48) 275 #08 pc 00001144 /system/xbin/crasher (_start+96) 276</pre> 277<p> 278You can distinguish this from other kinds of abort by the presence of 279<code>__stack_chk_fail</code> in the backtrace and the specific abort message. 280</p> 281<p> 282You can reproduce an instance of this type of crash using: <code>crasher 283smash-stack</code> 284</p> 285 286<h2 id=crashdump>Crash dumps</h2> 287 288<p>If you don't have a specific crash that you're investigating right now, 289the platform source includes a tool for testing <code>debuggerd</code> called crasher. If 290you <code>mm</code> in <code>system/core/debuggerd/</code> you'll get both a <code>crasher</code> 291and a <code>crasher64</code> on your path (the latter allowing you to test 29264-bit crashes). Crasher can crash in a large number of interesting ways based 293on the command line arguments you provide. Use <code>crasher --help</code> 294to see the currently supported selection.</p> 295 296<p>To introduce the different pieces in a crash dump, let's work through this example crash dump:</p> 297 298<pre class="no-pretty-print"> 299*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 300Build fingerprint: 'Android/aosp_flounder/flounder:5.1.51/AOSP/enh08201009:eng/test-keys' 301Revision: '0' 302ABI: 'arm' 303pid: 1656, tid: 1656, name: crasher >>> crasher <<< 304signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 305Abort message: 'some_file.c:123: some_function: assertion "false" failed' 306 r0 00000000 r1 00000678 r2 00000006 r3 f70b6dc8 307 r4 f70b6dd0 r5 f70b6d80 r6 00000002 r7 0000010c 308 r8 ffffffed r9 00000000 sl 00000000 fp ff96ae1c 309 ip 00000006 sp ff96ad18 lr f700ced5 pc f700dc98 cpsr 400b0010 310backtrace: 311 #00 pc 00042c98 /system/lib/libc.so (tgkill+12) 312 #01 pc 00041ed1 /system/lib/libc.so (pthread_kill+32) 313 #02 pc 0001bb87 /system/lib/libc.so (raise+10) 314 #03 pc 00018cad /system/lib/libc.so (__libc_android_abort+34) 315 #04 pc 000168e8 /system/lib/libc.so (abort+4) 316 #05 pc 0001a78f /system/lib/libc.so (__libc_fatal+16) 317 #06 pc 00018d35 /system/lib/libc.so (__assert2+20) 318 #07 pc 00000f21 /system/xbin/crasher 319 #08 pc 00016795 /system/lib/libc.so (__libc_init+44) 320 #09 pc 00000abc /system/xbin/crasher 321Tombstone written to: /data/tombstones/tombstone_06 322</pre> 323 324<pre class="no-pretty-print">*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***</pre> 325 326<p>The line of asterisks with spaces is helpful if you're searching a log 327for native crashes. The string "*** ***" rarely shows up in logs other than 328at the beginning of a native crash.</p> 329 330<pre class="no-pretty-print"> 331Build fingerprint: 332'Android/aosp_flounder/flounder:5.1.51/AOSP/enh08201009:eng/test-keys' 333</pre> 334 335<p>The fingerprint lets you identify exactly which build the crash occurred 336on. This is exactly the same as the <code>ro.build.fingerprint</code> system property.</p> 337 338<pre class="no-pretty-print"> 339Revision: '0' 340</pre> 341 342<p>The revision refers to the hardware rather than the software. This is 343usually unused but can be useful to help you automatically ignore bugs known 344to be caused by bad hardware. This is exactly the same as the <code>ro.revision</code> 345system property.</p> 346 347<pre class="no-pretty-print"> 348ABI: 'arm' 349</pre> 350 351<p>The ABI is one of arm, arm64, mips, mips64, x86, or x86-64. This is 352mostly useful for the <code>stack</code> script mentioned above, so that it knows 353what toolchain to use.</p> 354 355<pre class="no-pretty-print"> 356pid: 1656, tid: 1656, name: crasher >>> crasher <<< 357</pre> 358 359<p>This line identifies the specific thread in the process that crashed. In 360this case, it was the process' main thread, so the process ID and thread 361ID match. The first name is the thread name, and the name surrounded by 362>>> and <<< is the process name. For an app, the process name 363is typically the fully-qualified package name (such as com.facebook.katana), 364which is useful when filing bugs or trying to find the app in Google Play. The 365pid and tid can also be useful in finding the relevant log lines preceding 366the crash.</p> 367 368<pre class="no-pretty-print"> 369signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 370</pre> 371 372<p>This line tells you which signal (SIGABRT) was received, and more about 373how it was received (SI_TKILL). The signals reported by <code>debuggerd</code> are SIGABRT, 374SIGBUS, SIGFPE, SIGILL, SIGSEGV, and SIGTRAP. The signal-specific codes vary 375based on the specific signal.</p> 376 377<pre class="no-pretty-print"> 378Abort message: 'some_file.c:123: some_function: assertion "false" failed' 379</pre> 380 381<p>Not all crashes will have an abort message line, but aborts will. This 382is automatically gathered from the last line of fatal logcat output for 383this pid/tid, and in the case of a deliberate abort is likely to give an 384explanation of why the program killed itself.</p> 385 386<pre class="no-pretty-print"> 387r0 00000000 r1 00000678 r2 00000006 r3 f70b6dc8 388r4 f70b6dd0 r5 f70b6d80 r6 00000002 r7 0000010c 389r8 ffffffed r9 00000000 sl 00000000 fp ff96ae1c 390ip 00000006 sp ff96ad18 lr f700ced5 pc f700dc98 cpsr 400b0010 391</pre> 392 393<p>The register dump shows the content of the CPU registers at the time the 394signal was received. (This section varies wildly between ABIs.) How useful 395these are will depend on the exact crash.<p> 396 397<pre class="no-pretty-print"> 398backtrace: 399 #00 pc 00042c98 /system/lib/libc.so (tgkill+12) 400 #01 pc 00041ed1 /system/lib/libc.so (pthread_kill+32) 401 #02 pc 0001bb87 /system/lib/libc.so (raise+10) 402 #03 pc 00018cad /system/lib/libc.so (__libc_android_abort+34) 403 #04 pc 000168e8 /system/lib/libc.so (abort+4) 404 #05 pc 0001a78f /system/lib/libc.so (__libc_fatal+16) 405 #06 pc 00018d35 /system/lib/libc.so (__assert2+20) 406 #07 pc 00000f21 /system/xbin/crasher 407 #08 pc 00016795 /system/lib/libc.so (__libc_init+44) 408 #09 pc 00000abc /system/xbin/crasher 409</pre> 410 411<p>The backtrace shows you where in the code we were at the time of 412crash. The first column is the frame number (matching gdb's style where 413the deepest frame is 0). The PC values are relative to the location of the 414shared library rather than absolute addresses. The next column is the name 415of the mapped region (which is usually a shared library or executable, but 416might not be for, say, JIT-compiled code). Finally, if symbols are available, 417the symbol that the PC value corresponds to is shown, along with the offset 418into that symbol in bytes. You can use this in conjunction with <code>objdump(1)</code> 419to find the corresponding assembler instruction.</p> 420 421<h2 id=tombstones>Tombstones</h2> 422 423<pre class="no-pretty-print"> 424Tombstone written to: /data/tombstones/tombstone_06 425</pre> 426 427<p>This tells you where <code>debuggerd</code> wrote extra information. 428<code>debuggerd</code> will keep up to 10 tombstones, cycling through 429the numbers 00 to 09 and overwriting existing tombstones as necessary.</p> 430 431<p>The tombstone contains the same information as the crash dump, plus a 432few extras. For example, it includes backtraces for <i>all</i> threads (not 433just the crashing thread), the floating point registers, raw stack dumps, 434and memory dumps around the addresses in registers. Most usefully it also 435includes a full memory map (similar to <code>/proc/<i>pid</i>/maps</code>). Here's an 436annotated example from a 32-bit ARM process crash:</p> 437 438<pre class="no-pretty-print"> 439memory map: (fault address prefixed with --->) 440--->ab15f000-ab162fff r-x 0 4000 /system/xbin/crasher (BuildId: 441b9527db01b5cf8f5402f899f64b9b121) 442</pre> 443 444<p>There are two things to note here. The first is that this line is prefixed 445with "--->". The maps are most useful when your crash isn't just a null 446pointer dereference. If the fault address is small, it's probably some variant 447of a null pointer dereference. Otherwise looking at the maps around the fault 448address can often give you a clue as to what happened. Some possible issues 449that can be recognized by looking at the maps include:</p> 450 451<ul> 452<li>Reads/writes past the end of a block of memory.</li> 453<li>Reads/writes before the beginning of a block of memory.</li> 454<li>Attempts to execute non-code.</li> 455<li>Running off the end of a stack.</li> 456<li>Attempts to write to code (as in the example above).</li> 457</ul> 458 459<p>The second thing to note is that executables and shared libraries files 460will show the BuildId (if present) in Android M and later, so you can see 461exactly which version of your code crashed. (Platform binaries include a 462BuildId by default since Android M. NDK r12 and later automatically pass 463<code>-Wl,--build-id</code> to the linker too.)<p> 464 465<pre class="no-pretty-print"> 466ab163000-ab163fff r-- 3000 1000 /system/xbin/crasher 467ab164000-ab164fff rw- 0 1000 468f6c80000-f6d7ffff rw- 0 100000 [anon:libc_malloc] 469</pre> 470 471<p>On Android the heap isn't necessarily a single region. Heap regions will 472be labeled <code>[anon:libc_malloc]</code>.</p> 473 474<pre class="no-pretty-print"> 475f6d82000-f6da1fff r-- 0 20000 /dev/__properties__/u:object_r:logd_prop:s0 476f6da2000-f6dc1fff r-- 0 20000 /dev/__properties__/u:object_r:default_prop:s0 477f6dc2000-f6de1fff r-- 0 20000 /dev/__properties__/u:object_r:logd_prop:s0 478f6de2000-f6de5fff r-x 0 4000 /system/lib/libnetd_client.so (BuildId: 08020aa06ed48cf9f6971861abf06c9d) 479f6de6000-f6de6fff r-- 3000 1000 /system/lib/libnetd_client.so 480f6de7000-f6de7fff rw- 4000 1000 /system/lib/libnetd_client.so 481f6dec000-f6e74fff r-x 0 89000 /system/lib/libc++.so (BuildId: 8f1f2be4b37d7067d366543fafececa2) (load base 0x2000) 482f6e75000-f6e75fff --- 0 1000 483f6e76000-f6e79fff r-- 89000 4000 /system/lib/libc++.so 484f6e7a000-f6e7afff rw- 8d000 1000 /system/lib/libc++.so 485f6e7b000-f6e7bfff rw- 0 1000 [anon:.bss] 486f6e7c000-f6efdfff r-x 0 82000 /system/lib/libc.so (BuildId: d189b369d1aafe11feb7014d411bb9c3) 487f6efe000-f6f01fff r-- 81000 4000 /system/lib/libc.so 488f6f02000-f6f03fff rw- 85000 2000 /system/lib/libc.so 489f6f04000-f6f04fff rw- 0 1000 [anon:.bss] 490f6f05000-f6f05fff r-- 0 1000 [anon:.bss] 491f6f06000-f6f0bfff rw- 0 6000 [anon:.bss] 492f6f0c000-f6f21fff r-x 0 16000 /system/lib/libcutils.so (BuildId: d6d68a419dadd645ca852cd339f89741) 493f6f22000-f6f22fff r-- 15000 1000 /system/lib/libcutils.so 494f6f23000-f6f23fff rw- 16000 1000 /system/lib/libcutils.so 495f6f24000-f6f31fff r-x 0 e000 /system/lib/liblog.so (BuildId: e4d30918d1b1028a1ba23d2ab72536fc) 496f6f32000-f6f32fff r-- d000 1000 /system/lib/liblog.so 497f6f33000-f6f33fff rw- e000 1000 /system/lib/liblog.so 498</pre> 499 500<p>Typically a shared library will have three adjacent entries. One will be 501readable and executable (code), one will be read-only (read-only 502data), and one will be read-write (mutable data). The first column 503shows the address ranges for the mapping, the second column the permissions 504(in the usual Unix <code>ls(1)</code> style), the third column the offset into the file 505(in hex), the fourth column the size of the region (in hex), and the fifth 506column the file (or other region name).</p> 507 508<pre class="no-pretty-print"> 509f6f34000-f6f53fff r-x 0 20000 /system/lib/libm.so (BuildId: 76ba45dcd9247e60227200976a02c69b) 510f6f54000-f6f54fff --- 0 1000 511f6f55000-f6f55fff r-- 20000 1000 /system/lib/libm.so 512f6f56000-f6f56fff rw- 21000 1000 /system/lib/libm.so 513f6f58000-f6f58fff rw- 0 1000 514f6f59000-f6f78fff r-- 0 20000 /dev/__properties__/u:object_r:default_prop:s0 515f6f79000-f6f98fff r-- 0 20000 /dev/__properties__/properties_serial 516f6f99000-f6f99fff rw- 0 1000 [anon:linker_alloc_vector] 517f6f9a000-f6f9afff r-- 0 1000 [anon:atexit handlers] 518f6f9b000-f6fbafff r-- 0 20000 /dev/__properties__/properties_serial 519f6fbb000-f6fbbfff rw- 0 1000 [anon:linker_alloc_vector] 520f6fbc000-f6fbcfff rw- 0 1000 [anon:linker_alloc_small_objects] 521f6fbd000-f6fbdfff rw- 0 1000 [anon:linker_alloc_vector] 522f6fbe000-f6fbffff rw- 0 2000 [anon:linker_alloc] 523f6fc0000-f6fc0fff r-- 0 1000 [anon:linker_alloc] 524f6fc1000-f6fc1fff rw- 0 1000 [anon:linker_alloc_lob] 525f6fc2000-f6fc2fff r-- 0 1000 [anon:linker_alloc] 526f6fc3000-f6fc3fff rw- 0 1000 [anon:linker_alloc_vector] 527f6fc4000-f6fc4fff rw- 0 1000 [anon:linker_alloc_small_objects] 528f6fc5000-f6fc5fff rw- 0 1000 [anon:linker_alloc_vector] 529f6fc6000-f6fc6fff rw- 0 1000 [anon:linker_alloc_small_objects] 530f6fc7000-f6fc7fff rw- 0 1000 [anon:arc4random _rsx structure] 531f6fc8000-f6fc8fff rw- 0 1000 [anon:arc4random _rs structure] 532f6fc9000-f6fc9fff r-- 0 1000 [anon:atexit handlers] 533f6fca000-f6fcafff --- 0 1000 [anon:thread signal stack guard page] 534</pre> 535 536<p> 537Note that since Android 5.0 (Lollipop), the C library names most of its anonymous mapped 538regions so there are fewer mystery regions. 539</p> 540 541<pre class="no-pretty-print"> 542f6fcb000-f6fccfff rw- 0 2000 [stack:5081] 543</pre> 544 545<p> 546Regions named <code>[stack:<i>tid</i>]</code> are the stacks for the given threads. 547</p> 548 549<pre class="no-pretty-print"> 550f6fcd000-f702afff r-x 0 5e000 /system/bin/linker (BuildId: 84f1316198deee0591c8ac7f158f28b7) 551f702b000-f702cfff r-- 5d000 2000 /system/bin/linker 552f702d000-f702dfff rw- 5f000 1000 /system/bin/linker 553f702e000-f702ffff rw- 0 2000 554f7030000-f7030fff r-- 0 1000 555f7031000-f7032fff rw- 0 2000 556ffcd7000-ffcf7fff rw- 0 21000 557ffff0000-ffff0fff r-x 0 1000 [vectors] 558</pre> 559 560<p>Whether you see <code>[vector]</code> or <code>[vdso]</code> depends on the architecture. ARM uses [vector], while all other architectures use <a href="http://man7.org/linux/man-pages/man7/vdso.7.html">[vdso].</a></p>