AOSP Insider
AOSP Framework & Internals
3 min read

HAL Debugging Techniques

Learn about HAL Debugging Techniques.

Debugging Hardware Abstraction Layers (HALs) in Android is a critical skill for platform engineers, especially when integrating new hardware or stabilizing a device bring-up. HALs act as the bridge between the Android framework and the underlying Linux kernel drivers. When a HAL fails, it can bring down system services or cause silent feature failures.

Checking HAL Process Status

Since HALs run as independent processes (in the binderized model), the first step in debugging is verifying that the HAL process is running. You can use standard Linux utilities via adb shell to check the process status.

# Find the audio HAL process
adb shell ps -A | grep android.hardware.audio

If the process is continually restarting, it indicates a crash loop. You can monitor the kernel logs for out-of-memory (OOM) kills or segmentation faults:

adb shell dmesg | grep -i "kill"
adb shell logcat -b crash

lshal: Listing Registered HAL Services

The lshal tool is a powerful command-line utility used to query the hwservicemanager. It lists all registered HALs, their implementations, and the processes providing them.

# List all registered HALs
adb shell lshal

# List only binderized HALs
adb shell lshal --binderize

# Check the specific interface for the camera HAL
adb shell lshal | grep camera

lshal is invaluable for verifying whether your newly implemented HAL has successfully registered with the system. If your HAL is not listed, check the hwservicemanager logs in logcat for registration errors, often caused by missing SELinux permissions or incorrect VINTF manifest entries.

HAL Crash Analysis

When a HAL crashes, the tombstoned daemon generates a tombstone file in /data/tombstones/. These files contain a wealth of information, including the thread stack trace, registers, and memory maps at the time of the crash.

To analyze a HAL crash:

  1. Pull the tombstones from the device: adb pull /data/tombstones/
  2. Open the latest tombstone and locate the crashing thread.
  3. Look for the signal (e.g., SIGSEGV, SIGABRT) and the fault address.

You can use the ndk-stack tool or addr2line to symbolize the stack trace if it is not already symbolized:

ndk-stack -sym out/target/product/<device>/symbols -dump tombstone_00

Passthrough HAL Debugging

While most modern HALs are binderized, some legacy HALs or same-process HALs operate in passthrough mode, meaning they are loaded directly into the client process's memory space via dlopen.

Debugging passthrough HALs involves debugging the client process (e.g., system_server or surfaceflinger). If the HAL crashes, it brings down the client process. You will need to look at the tombstone of the client process and trace the stack back to the HAL library (.so file).

Tombstone Analysis for HAL Crashes

When analyzing tombstones, pay special attention to:

  • Build fingerprint: Ensure the tombstone matches your current build.
  • Abort message: HALs often use LOG_ALWAYS_FATAL or abort() when an invariant is violated. The abort message will be printed at the top of the tombstone.
  • Registers: Check for null pointers or corrupted addresses.
  • Stack trace: Trace the calls from the framework boundary down to the hardware interaction layer to identify where the failure occurred.
Previous Lesson
Power HAL & USB HAL
Next Lesson
Domains and Types