debuggerd of Android

If you port Android to your system or develop native libraries using NDK, you have a experience to see crash dump on logcat. That shows CPU registers and stack dumps of the process caused memory fault or other exception.

Who and how does the crash dump generate?
(Japanese version)

Example of crash dump

This is a log when the exception of SIGBUS (bus error) occurred on the page written before (in Japanese).

I/DEBUG   (  543): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  543): Build fingerprint: 'generic/generic/generic/:Donut/Donut/eng.koba
I/DEBUG   (  543): pid: 590, tid: 590  >>> zygote <<<
I/DEBUG   (  543): signal 7 (SIGBUS), fault addr 00000000
I/DEBUG   (  543):  r0 00001412  r1 4104bbe4  r2 4104bbdc  r3 4104bbe4
I/DEBUG   (  543):  r4 41748086  r5 4104bb94  r6 bef614e8  r7 ad00e640
I/DEBUG   (  543):  r8 000012ad  r9 4104bbdc  10 4104bb84  fp 00000000
I/DEBUG   (  543):  ip 000000ad  sp bef614a8  lr ad01071c  pc ad01119c  cpsr 20000010
I/DEBUG   (  543):          #00  pc 0001119c  /system/lib/
I/DEBUG   (  543):          #01  pc 00017d90  /system/lib/
I/DEBUG   (  543):          #02  pc 000177d4  /system/lib/
I/DEBUG   (  543):          #03  pc 00052974  /system/lib/
I/DEBUG   (  543):          #04  pc 00052992  /system/lib/


It is a process named debuggerd that has actually given this log.


It is started from init at boot time, and this process generates UNIX domain socket “Android:debuggerd” and waits to be connected.

Because tid (thread ID obtained by the gettid system call) is supposed to be written in the socket when connected, the ptrace system call is used and attached for the tid.

In a word, the process that caused the exception and dropped to the state of the neardeath, is put into the halt condition by debuggerd. In addition, the register and the memory of the process are read by the ptrace system call and it dumps it to the log.


I think this is good example to learn how to use the ptrace system call.

dynamic linker

Well, What part is there connecting it with socket “Android:debuggerd” where debuggerd opens? and how?

The source in the part is here.


void debugger_init()
    signal(SIGILL, debugger_signal_handler);
    signal(SIGABRT, debugger_signal_handler);
    signal(SIGBUS, debugger_signal_handler);
    signal(SIGFPE, debugger_signal_handler);
    signal(SIGSEGV, debugger_signal_handler);
    signal(SIGSTKFLT, debugger_signal_handler);
    signal(SIGPIPE, debugger_signal_handler);

This is the last part of bionic/linker/debugger.c. The handler of these signal is registered here. It connects it with socket “Android:debuggerd” where debuggerd opens by debugger_signal_handler.

In fact, this source is a part of the dynamic linker of bionic.

At first a dynamic linker works before main function is carried out. Then the dynamic linker maps dynamic link libraries on memory. At the time, it calls this function(debugger_init).

In other words, all programs which is dynamic linked have functionality to connect to debuggerd and generate crash dump, automatically and implicitly.

I think that this is a very good and smart way.

Related pages

How to examine the problem occurrence point on the source code from a crash dump of Android (in Japanese)


About tetsu_koba

This entry was posted in Android. Bookmark the permalink.

3 Responses to debuggerd of Android

  1. Pingback: How to read crash dump of Android « Koba's blog

  2. VF says:

    Thank you for this overview, it’s inspiring.
    Having read it, it is only logical to debug init-started programs
    by inserting getpid()+kill(, SIGSEGV) at the right place.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s