DynamoRIO / drmemory

Memory Debugger for Windows, Linux, Mac, and Android

Uninit error report in EnumDisplayDevices on running mspaint #1132

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From zhao...@google.com on February 19, 2013 16:57:06

Split from issue #878:

```
$ ./bin/drmemory.exe -debug -pause_at_error -- mspaint
WARNING: using debug DynamoRIO since release not found
Dr.M Dr. Memory version 1.5.1180
Dr.M Running "mspaint"
Dr.M WARNING: application is missing line number information.
Dr.M
Dr.M Error #1: UNINITIALIZED READ: reading register cx
Dr.M # 0 USER32.dll!WCSToMBEx
Dr.M # 1 USER32.dll!EnumDisplayDevicesA
Dr.M # 2 gdiplus.dll!DriverMulti::EnumDisplayMonitorsCallback
Dr.M # 3 USER32.dll!__ClientMonitorEnumProc
Dr.M # 4 gdiplus.dll!DriverMulti::DriverMulti
Dr.M # 5 gdiplus.dll!InternalGdiplusStartup
Dr.M # 6 gdiplus.dll!GdiplusStartup
Dr.M # 7 mspaint.exe!? +0x0 (0x00de98f0 <mspaint.exe+0x298f0>)
Dr.M # 8 mspaint.exe!? +0x0 (0x00de98c3 <mspaint.exe+0x298c3>)
Dr.M # 9 mspaint.exe!? +0x0 (0x00de8661 <mspaint.exe+0x28661>)
Dr.M #10 mspaint.exe!? +0x0 (0x00de8523 <mspaint.exe+0x28523>)
Dr.M #11 mspaint.exe!? +0x0 (0x00de6314 <mspaint.exe+0x26314>)
Dr.M Note: @0:00:02.087 in thread 5176
Dr.M Note: instruction: data16 test %cx %cx
```

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1132

derekbruening commented 9 years ago

From zhao...@google.com on February 19, 2013 14:22:50

```
0:000> dt mc
Local var @ 0x1958e6e4 Type _dr_mcontext_t*
0x1958ed60
   +0x010 ebp : 0x2bf264
   +0x014 esp : 0x2bf258
   ...
   +0x01c edx : 0x2bf2aa
   +0x020 ecx : 0xea5c005c
   +0x024 eax : 0x2bf2aa
```

```
75a5cf3b 8b450c          mov     eax,[ebp+0xc]
...
75a5cf54 668b08          mov     cx,[eax]
75a5cf57 40              inc     eax
75a5cf58 40              inc     eax
75a5cf59 6685c9          test    cx,cx
```

```
0:000> dds 0x2bf264
002bf264  002bf5f0
002bf268  75a64609 USER32!EnumDisplayDevicesA+0xe8
002bf26c  00000000
002bf270  002bf2a8
002bf274  ffffffff
002bf278  002bf2a0
```

The cx value comes from 0x2bf2a8, which is passed from the caller.

At the caller USER32!EnumDisplayDevicesA:

```
75a645e7 53              push    ebx
75a645e8 8d4604          lea     eax,[esi+0x4]
75a645eb 6a20            push    0x20
75a645ed 8985b0fcffff    mov     [ebp-0x350],eax
75a645f3 8d85b0fcffff    lea     eax,[ebp-0x350]
75a645f9 50              push    eax
75a645fa 6aff            push    0xff
75a645fc 8d85b8fcffff    lea     eax,[ebp-0x348]
75a64602 50              push    eax
75a64603 53              push    ebx
75a64604 e81489ffff      call    USER32!WCSToMBEx (75a5cf1d)
```

The buffer is [ebp-0x348]. Right before this call to WCSToMBEx, there is a call to NtUserEnumDisplayDevices:

```
75a645c2 ff7514          push    dword ptr [ebp+0x14]
75a645c5 8d85b4fcffff    lea     eax,[ebp-0x34c]
75a645cb 50              push    eax
75a645cc ff750c          push    dword ptr [ebp+0xc]
75a645cf ffb5b0fcffff    push    dword ptr [ebp-0x350]
75a645d5 e8e2000000      call    USER32!NtUserEnumDisplayDevices (75a646bc)
```

The 3rd arg points to [ebp-0x34c], which should be the starting address of the DISPLAY_DEVICEW, so NtUserEnumDisplayDevices should initialize the memory at [ebp-0x348], and Dr. Memory fails to update it somehow.

derekbruening commented 9 years ago

From zhao...@google.com on February 19, 2013 14:26:41

```
0:000> dd 0x2bf2a4
002bf2a4  00000348 005c005c 005c002e 00490044
002bf2b4  00500053 0041004c 00310059 00000000
```

```
0:000> db 0x2bf2a8
002bf2a8  5c 00 5c 00 2e 00 5c 00-44 00 49 00 53 00 50 00  \.\...\.D.I.S.P.
002bf2b8  4c 00 41 00 59 00 31 00-00 00 00 00 00 00 00 00  L.A.Y.1.........
002bf2c8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
002bf2d8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
002bf2e8  4e 00 56 00 49 00 44 00-49 00 41 00 20 00 51 00  N.V.I.D.I.A. .Q.
002bf2f8  75 00 61 00 64 00 72 00-6f 00 20 00 36 00 30 00  u.a.d.r.o. .6.0.
002bf308  30 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  0...............
```

derekbruening commented 9 years ago

From zhao...@google.com on February 19, 2013 14:41:54

How the DISPLAY_DEVICEW is filled can be found here: http://msdn.microsoft.com/en-us/library/windows/desktop/dd162609(v=vs.85).aspx
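The scenario the comments above describe, as an added example that is not part of this issue or of the Dr. Memory source: a toy shadow map of "defined" bytes for the DISPLAY_DEVICEW buffer, a stand-in for the NtUserEnumDisplayDevices system call whose writes the checker cannot see, and the wide-character scan WCSToMBEx performs (mov cx,[eax]; test cx,cx). The struct layout is the documented one (sizeof 0x348, matching the 00000348 at 0x2bf2a4); the function names, the shadow map and the sample device name are constructed for the example. It shows that without a post-syscall handler marking the [out] buffer defined, the first read of DeviceName is reported as uninitialized, and with one it is not.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Documented DISPLAY_DEVICEW layout (sizeof == 0x348), written out so this
 * builds without Windows headers. DeviceName sits at offset 4, i.e. [ebp-0x348]. */
typedef struct {
    uint32_t cb;
    uint16_t DeviceName[32];
    uint16_t DeviceString[128];
    uint32_t StateFlags;
    uint16_t DeviceID[128];
    uint16_t DeviceKey[128];
} display_devicew_t;
/* Toy shadow memory (constructed): one "defined" flag per byte of the struct. */
typedef struct { unsigned char defined[sizeof(display_devicew_t)]; } shadow_t;

static void shadow_mark(shadow_t *s, size_t off, size_t len, int defined) {
    memset(s->defined + off, defined, len);
}
/* 1 when every byte of [off, off+len) is defined, 0 otherwise. */
static int shadow_check(const shadow_t *s, size_t off, size_t len) {
    for (size_t i = 0; i < len; i++) if (!s->defined[off + i]) return 0;
    return 1;
}
/* Stand-in (hypothetical) for NtUserEnumDisplayDevices: the kernel fills cb bytes at
 * dev, which the checker cannot observe, so a post-syscall handler must mark the buffer. */
static void fake_nt_user_enum_display_devices(display_devicew_t *dev, shadow_t *s, int handler_present) {
    static const uint16_t name[] = { '\\', '\\', '.', '\\', 'D', 'I', 'S', 'P', 'L', 'A', 'Y', '1', 0 };
    memset(dev, 0, sizeof *dev);
    dev->cb = sizeof *dev;
    memcpy(dev->DeviceName, name, sizeof name);
    if (handler_present) shadow_mark(s, 0, dev->cb, 1);   /* [out] buffer is now defined */
}
/* Models WCSToMBEx scanning DeviceName under the checker. Returns 1 if the scan is
 * reported as an uninitialized read, 0 if it reaches the terminating NUL cleanly. */
int scan_name_reports_uninit(int handler_present) {
    display_devicew_t dev;
    shadow_t s;
    shadow_mark(&s, 0, sizeof dev, 0);                  /* stack locals start undefined */
    dev.cb = sizeof dev;                                 /* caller sets cb (00000348 at 0x2bf2a4) */
    shadow_mark(&s, offsetof(display_devicew_t, cb), sizeof dev.cb, 1);
    fake_nt_user_enum_display_devices(&dev, &s, handler_present);
    for (size_t off = offsetof(display_devicew_t, DeviceName); ; off += 2) {
        if (!shadow_check(&s, off, 2)) return 1;        /* UNINITIALIZED READ: reading register cx */
        uint16_t cx; memcpy(&cx, (const char *)&dev + off, sizeof cx);
        if (cx == 0) return 0;
    }
}
```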