DynamoRIO / drmemory

Memory Debugger for Windows, Linux, Mac, and Android

CRASH (64-bit calc) on Windows with DrM pattern mode #1038

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From zhao...@google.com on September 26, 2012 14:28:02

./bin64/drmemory.exe -pattern 0xf1fd -no_count_leaks -- calc

Abort on: Unrecoverable Error at PC 0x65118b45.

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1038

derekbruening commented 9 years ago

From zhao...@google.com on September 26, 2012 11:57:24

It looks like the crash happens in the dbghelp.

Summary: CRASH (64-bit calc) on Windows with DrM pattern mode
Labels: Bug-ToolCrash

derekbruening commented 9 years ago

From bruen...@google.com on May 02, 2013 14:40:33

Issue 1209 has been merged into this issue.

derekbruening commented 9 years ago

From bruen...@google.com on May 02, 2013 14:41:48

This still happens, with -replace_malloc as well. A simpler MessageBox app has an app crash early (before any visible windows) as well.

derekbruening commented 9 years ago

From zhao...@google.com on May 11, 2013 20:46:34

$ ./bin64/drmemory.exe -verbose 0 -unaddr_only -dr_ops "-msgbox_mask 0xf" -- calc
WARNING: using debug DynamoRIO since release not found
Dr.M Dr. Memory version 1.5.1356
Dr.M Running ""calc""
Dr.M WARNING: application is missing line number information.
Dr.M
Dr.M Error #1: UNADDRESSABLE ACCESS: reading 0x000000000233ac08-0x000000000233ac10 8 byte(s)
Dr.M # 0 ntdll.dll!RtlpMuiRegGetInstalledLanguageIndexByLangId
Dr.M # 1 ntdll.dll!RtlLCIDToCultureName
Dr.M # 2 ntdll.dll!RtlpMuiRegTryToAppendLanguageName
Dr.M # 3 ntdll.dll!LdrpConvertLangFallbackListToMultiSz
Dr.M # 4 ntdll.dll!RtlGetThreadPreferredUILanguages
Dr.M # 5 KERNEL32.dll!SearchPathW +0x4d1 (0x00000000777ca2d2 <KERNEL32.dll+0x1a2d2>)
Dr.M # 6 KERNEL32.dll!CreateActCtxW +0x4f1 (0x00000000777cb1d2 <KERNEL32.dll+0x1b1d2>)
Dr.M # 7 KERNEL32.dll!HeapLock +0xb0 (0x00000000777b1dd1 <KERNEL32.dll+0x1dd1>)
Dr.M # 8 ntdll.dll!LdrpProcessStaticImports
Dr.M # 9 ntdll.dll!LdrpLoadDll
Dr.M #10 ntdll.dll!LdrLoadDll
Dr.M #11 KERNELBASE.dll!LoadLibraryExW +0x168 (0x000007fefe199aa9 <KERNELBASE.dll+0x9aa9>)
Dr.M Note: @0:01:36.341 in thread 7224
Dr.M Note: instruction: mov 0x08(%rdx) -> %rax

Code around the crash:

0000000077a032e7 488d56f0             lea     rdx,[rsi-10h]
0000000077a032eb 0f0d0a               prefetchw [rdx]
0000000077a032ee 807a0f05             cmp     byte ptr [rdx+0Fh],5
0000000077a032f2 0f84428e0400         je      ntdll! ?? ::FNODOBFM::string'+0x2695f (0000000077a4c13a)
0000000077a032f8 488b4208             mov     rax,qword ptr [rdx+8]
0000000077a032fc 488bda               mov     rbx,rdx
0000000077a032ff 48b9ffffffffff000000 mov     rcx,0FFFFFFFFFFh
0000000077a03309 4833df               xor     rbx,rdi
0000000077a0330c 4823c1               and     rax,rcx
0000000077a0330f 48c1eb04             shr     rbx,4
0000000077a03313 4833d8               xor     rbx,rax
0000000077a03316 48331dabf00f00       xor     rbx,qword ptr [ntdll!RtlpLFHKey (0000000077b023c8)]
0000000077a0331d 48c1e304             shl     rbx,4
0000000077a03321 0f0d0b               prefetchw [rbx]
0000000077a03324 4c8b6308             mov     r12,qword ptr [rbx+8] ds:00000acd`234a47f8=????????????????

0:000> r rsi
rsi=000000000233ac10
0:000> r rdx
rdx=000000000233ac00
0:000> r rbx
rbx=00000acd234a47f0
0:000> r rdi
rdi=00000000001a0000
0:000> r rax
rax=000000fdf1fdf100
0:000> dq 0000000077b023c8
0000000077b023c8  0000005123ebcfbf 0000000000000000

derekbruening commented 9 years ago

From zhao...@google.com on May 12, 2013 08:49:33

When running without replace_malloc:

TAG 0x00000000779f6279
 +0 L3 48 85 c0             test   %rax %rax
 +3 L3 0f 84 42 5d 00 00    jz     $0x00000000779fbfc4
END 0x00000000779f6279

new basic block @0x00000000779f6279 == ntdll.dll!RtlpLowFragHeapAllocFromContext+0xfffffffffffd1349

00000000779f6274 e887a30200       call    ntdll!RtlpInterlockedPopEntrySList (0000000077a20600)
00000000779f6279 4885c0           test    rax,rax
00000000779f627c 0f84425d0000     je      ntdll!RtlpLowFragHeapAllocFromContext+0x8a3 (00000000779fbfc4)
00000000779f6282 4883c0e0         add     rax,0FFFFFFFFFFFFFFE0h
00000000`779f6286 48898424f0000000 mov     qword ptr [rsp+0F0h],rax

The instruction `00000000`779f6282 4883c0e0 add rax,0FFFFFFFFFFFFFFE0h` is never executed.

However, when only running DR, 779f6282 is seen:

dispatch: target = 0x00000000779f6279
Entry into F3958(0x00000000779f6279).0x000000008021a7c8 (trace head)(shared)
Exit from F3958(0x00000000779f6279).0x000000008021a7d1 (shared) (target 0x00000000779f6282 not in cache)

dispatch: target = 0x00000000779f6282
Fragment 17400, tag 0x00000000779f6282, flags 0x9000630, shared, size 26: [ntdll.dll~RtlQueryEnvironmentVariable+0x752,~_wcsicmp-0x6fe]
Entry into F17400(0x00000000779f6282).0x00000000804f4b7c (shared)

derekbruening commented 8 years ago

Update after recent fixes: pattern mode now works:

% bin64/drmemory.exe -unaddr_only -dr_debug -batch -dr_ops "-msgbox_mask 12" -dr d:/derek/dr/git/exports -- calc
<Starting application C:\Windows\system32\calc.exe (6172)>
<Initial options = -no_dynamic_options -logdir 'D:\derek\drmemory\git\build_x64_dbg\logs\dynamorio' -client_lib 'D:\derek\drmemory\git\build_x64_dbg\bin64\debug\drmemorylib.dll;0;`-unaddr_only` -logdir `D:\derek\drmemory\git\build_x64_dbg\logs` -symcache_dir `D:\derek\drmemory\git\build_x64_dbg\logs\symcache` -lib_blacklist `C:\Windows*.d??,C:\Program Files\Common Files\Microsoft Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??` -resfile 6172 ' -code_api -probe_api -stack_size 56K -disable_traces -no_enable_traces -max_elide_jmp 0 -max_elide_call 0 -max_bb_instrs 256 -no_shared_traces -bb_ibl_targets -bb_single_restore_prefix -no_shared_trace_ibl_routine -no_enable_reset -no_reset_at_switch_to_os_at_vmm_limit -reset_at_vmm_percent_free_limit 0 -no_reset_at_vmm_full -reset_at_commit_free_limit 0K -reset_every_nth_pending 0 -vm_size 262144K -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct -pad_jmps_mark_no_trace >
~~Dr.M~~ Dr. Memory version 1.9.16729
~~Dr.M~~ Running "calc"
<ASLR sharing assuming KnownDll file \??\C:\Windows\system32\CLBCatQ.DLL hasn't changed>
<Stopping application C:\Windows\system32\calc.exe (6172)>
~~Dr.M~~ 
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~       0 unique,     0 total unaddressable access(es)
~~Dr.M~~       0 unique,     0 total invalid heap argument(s)
~~Dr.M~~       0 unique,     0 total warning(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ Details: D:\derek\drmemory\git\build_x64_dbg\logs\DrMemory-calc.exe.6172.000\results.txt

but shadow mode doesn't:

% bin64/drmemory.exe -dr_debug -batch -dr_ops "-msgbox_mask 12" -dr d:/derek/dr/git/exports -- calc
WARNING: 64-bit non-pattern modes are experimental
<Starting application C:\Windows\system32\calc.exe (9656)>
<Initial options = -no_dynamic_options -logdir 'D:\derek\drmemory\git\build_x64_dbg\logs\dynamorio' -client_lib 'D:\derek\drmemory\git\build_x64_dbg\bin64\debug\drmemorylib.dll;0;-logdir `D:\derek\drmemory\git\build_x64_dbg\logs` -symcache_dir `D:\derek\drmemory\git\build_x64_dbg\logs\symcache` -lib_blacklist `C:\Windows*.d??,C:\Program Files\Common Files\Microsoft Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??` -resfile 9656 ' -code_api -probe_api -stack_size 56K -disable_traces -no_enable_traces -max_elide_jmp 0 -max_elide_call 0 -max_bb_instrs 256 -no_shared_traces -bb_ibl_targets -bb_single_restore_prefix -no_shared_trace_ibl_routine -no_enable_reset -no_reset_at_switch_to_os_at_vmm_limit -reset_at_vmm_percent_free_limit 0 -no_reset_at_vmm_full -reset_at_commit_free_limit 0K -reset_every_nth_pending 0 -vm_size 262144K -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct -pad_jmps_mark_no_trace >
~~Dr.M~~ WARNING: 64-bit non-pattern modes are experimental
~~Dr.M~~ Dr. Memory version 1.9.16729
~~Dr.M~~ Running "calc"
~~Dr.M~~ ASSERT FAILURE (thread 10212): D:\derek\drmemory\git\src\drmemory\fastpath.c:838: mi->opsz <= 4 || mi->check_definedness || result_is_always_defined(inst, false ) (no prop eflags to > 4)
~~Dr.M~~ WARNING: application exited with abnormal code 0xffffffff