Open derekbruening opened 9 years ago
From bruen...@google.com on February 24, 2013 14:03:34
This case covers usercalls as well. I filled in some known #s from running calc and app_suite, but there are a bunch of newly inserted ones.
From drsyscall/drsyscallusercallx.h:
/* XXX issue #484: win7 seems to have added sthg here since the rest are all shifted; win8 removed it */
/* FIXME issue #1153: win8 added 2 somewhere between 0x05 and 0x24 */
/* FIXME issue #1153: on win8, 4 more added between 0x45 and 0x5d */
/* FIXME issue #1153: on win8, 1 more added between 0x5d and 0x6f */
* TODO cmp #args for all syscalls
NtWaitForWorkViaWorkerFactory 16
1 NtUserBuildHwndList 28
1 NtUserBuildHwndList 32
1 NtUserCreateWindowEx 60
1 NtUserCreateWindowEx 64
1 NtUserDwmStartRedirection 4
1 NtUserDwmStartRedirection 8
1 NtUserRegisterSessionPort 4
1 NtUserRegisterSessionPort 8
1 NtUserSetTimer 16
1 NtUserSetTimer 20
1 NtUserSwitchDesktop 12
1 NtUserSwitchDesktop 8
1 NtGdiBeginGdiRendering 12
1 NtGdiBeginGdiRendering 8
1 NtGdiEndGdiRendering 12
1 NtGdiEndGdiRendering 16
1 NtGdiOpenDCW 32
1 NtGdiOpenDCW 36
From bruen...@google.com on May 13, 2013 10:09:48
** DONE uninits from EnumWindows in app_suite: NtUserBuildHwndList extra arg is the in size! CLOSED: [2013-05-13 Mon 13:06]
64: Dr.M ERRORS FOUND:
64: Dr.M 0 unique, 0 total unaddressable access(es)
64: Dr.M 11 unique, 996 total uninitialized access(es)
64: Dr.M 0 unique, 0 total invalid heap argument(s)
64: Dr.M 0 unique, 0 total GDI usage error(s)
64: Dr.M 0 unique, 0 total warning(s)
64: Dr.M 6 unique, 7 total, 1032 byte(s) of leak(s)
64: Dr.M 4 unique, 4 total, 872 byte(s) of possible leak(s)
DUPLICATE ERROR COUNTS:
Error # 1: 197
Error # 2: 197
Error # 3: 197
Error # 4: 197
Error # 5: 197
Error # 9: 2
Error # 10: 3
Error # 11: 3
Error # 20: 2
Error #1: UNINITIALIZED READ: reading 0x00b5f498-0x00b5f49c 4 byte(s)
??:0
??:0
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126
Note: @0:00:12.819 in thread 88
Note: instruction: cmp 0x08(%ebp) $0x00000000
Error #2: UNINITIALIZED READ: reading register ecx
??:0
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248
??:0
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237
Note: @0:00:12.835 in thread 88
Note: instruction: cmp %ecx 0x08(%eax)
Error #3: UNINITIALIZED READ: reading register si
??:0
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248
??:0
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237
Note: @0:00:12.835 in thread 88
Note: instruction: data16 cmp %si 0x12(%ecx)
Error #4: UNINITIALIZED READ: reading 0x00b5f458-0x00b5f45c 4 byte(s) within 0x00b5f458-0x00b5f45c
#0 <system call>
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248
??:0
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237
Note: @0:00:12.850 in thread 88
Error #5: UNINITIALIZED READ: reading 0x00b5f458-0x00b5f45c 4 byte(s) within 0x00b5f458-0x00b5f45c
#0 <system call>
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248
??:0
??:0
c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075
...ExceptionsInMethodIfSupportedtesting::Test,void (0x010aa1eb <app_suite_tests.exe+0x4a1eb>) c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445
c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237
Note: @0:00:12.850 in thread 88
USER32!BuildHwndList+0x39:
760cc7e0 c70640000000 mov dword ptr [esi],0x40
760cc7e6 895e04 mov [esi+0x4],ebx
760cc7e9 57 push edi
760cc7ea 8d7e04 lea edi,[esi+0x4]
760cc7ed 57 push edi
760cc7ee 8d4608 lea eax,[esi+0x8]
760cc7f1 50 push eax
760cc7f2 ff36 push dword ptr [esi]
760cc7f4 ff7518 push dword ptr [ebp+0x18]
760cc7f7 ff7514 push dword ptr [ebp+0x14]
760cc7fa ff7510 push dword ptr [ebp+0x10]
760cc7fd ff750c push dword ptr [ebp+0xc]
760cc800 ff7508 push dword ptr [ebp+0x8]
760cc803 e83d000000 call USER32!NtUserBuildHwndList (760cc845)
NTSTATUS NTAPI NtUserBuildHwndList( HDESK hDesktop, HWND hwndParent, BOOLEAN bChildren, ULONG dwThreadId, ULONG lParam, HWND* pWnd, ULONG* pBufSize);
app xsp=0x01b0fb84
arg 0 = 0x0
arg 1 = 0x0
arg 2 = 0x0
arg 3 = 0x1
arg 4 = 0x0
arg 5 = 0x40
arg 6 = 0x38d9108
arg 7 = 0x38d9104
arg 8 = 0x0
processing pre system call #0x101d.0x0 NtUserBuildHwndList
pre considering arg 2 1 80
pre considering arg 6 -7 62
pre storing size 0x0 for arg 6
pre considering arg 7 4 3
pre storing size 0x4 for arg 7
memarg iter pre param 7 parameter #7
0x38d9104-0x38d9108 rw
memref: read @0x0000101d 0x038d9104 0x4 bytes (pre-dword 0x00 0xff)
replace_RtlFreeHeap heap=0x00ad0000 flags=0x0 ptr=0x038d9100 check_type_match: alloc flags=0x804 vs free=0x804 free 0x038d9100-0x038d9208
But the new param in the middle is clearly not a pointer param.
A native run shows that the 5th param seems to hold a size:
0:000> bp NtUserBuildHwndList
0:000> g
Breakpoint 0 hit
0:000> dds esp
01b0fae0 760cc808 USER32!BuildHwndList+0x61
01b0fae4 00000000
01b0fae8 00000000
01b0faec 00000000
01b0faf0 00000001
01b0faf4 00000000
01b0faf8 00000040
01b0fafc 009f91f8
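The argument counting done by hand in this thread (the 28 vs 32 byte entry for NtUserBuildHwndList in the first comment, and the push sequence in USER32!BuildHwndList above) can be mechanised from a windbg listing. The following is an added example, not code from Dr. Memory, DynamoRIO or this issue: it counts the argument pushes that precede `call USER32!NtUserXxx` in the caller (x86 stdcall, so the last push is parameter 0) and, separately, reads the `ret imm16` of the stub itself, which is the callee's own statement of how many stack bytes it pops. The two listings are constructed from the fragments quoted in this issue (the Win8 BuildHwndList caller and the Win8.1 NtUserGetWindowBand stub from the later comment); the rule used to tell a callee-saved-register push from an argument push is a heuristic, not an x86 decoder.

```python
"""Derive a Windows syscall's stack-argument count from windbg disassembly.

Added example (not Dr. Memory or DynamoRIO code).  Two independent checks of
a syscall-table entry against what the binary actually does:
  1. count the argument pushes in the user-mode caller right before
     `call USER32!NtUserXxx` (stdcall: the last push is parameter 0);
  2. read the `ret imm16` of the stdcall stub, i.e. the stack bytes the
     callee removes, which is authoritative for the parameter count.
"""
import re

# "<addr> <opcode bytes> <mnemonic> [operands]" as printed by windbg's `u`
_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\S+)(?:\s+(.*))?$")
_REG = r"e?(?:[abcd]x|[sd]i|[bs]p)"
_PUSH_REG = re.compile(rf"^({_REG})$")
_DEST_REG = re.compile(rf"^({_REG})\s*,")   # mov/lea write their first operand

# Constructed from the issue's USER32!BuildHwndList+0x39 listing (Win8).
BUILD_HWND_LIST_CALLER = """
760cc7e0 c70640000000 mov dword ptr [esi],0x40
760cc7e6 895e04 mov [esi+0x4],ebx
760cc7e9 57 push edi
760cc7ea 8d7e04 lea edi,[esi+0x4]
760cc7ed 57 push edi
760cc7ee 8d4608 lea eax,[esi+0x8]
760cc7f1 50 push eax
760cc7f2 ff36 push dword ptr [esi]
760cc7f4 ff7518 push dword ptr [ebp+0x18]
760cc7f7 ff7514 push dword ptr [ebp+0x14]
760cc7fa ff7510 push dword ptr [ebp+0x10]
760cc7fd ff750c push dword ptr [ebp+0xc]
760cc800 ff7508 push dword ptr [ebp+0x8]
760cc803 e83d000000 call USER32!NtUserBuildHwndList (760cc845)
"""

# Constructed from the issue's windbg trace of the Win8.1 stub.
GET_WINDOW_BAND_STUB = """
75d5b2f1 64ff15c0000000 call dword ptr fs:[0C0h]
75d5b2f8 c20800 ret 8
"""

def parse_listing(listing):
    """Return [(addr, mnemonic, operands)]; symbol headers and blanks are skipped."""
    out = []
    for raw in listing.strip().splitlines():
        m = _LINE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(3), (m.group(4) or "").strip()))
    return out

def _written_reg(mn, ops):
    """Register a mov/lea writes (its first operand), else None."""
    if mn in ("mov", "lea"):
        m = _DEST_REG.match(ops)
        return m.group(1) if m else None
    return None

def argument_pushes(listing, callee):
    """Operands pushed as arguments to `call <callee>`, in parameter order.

    Takes the pushes between the previous call/ret and the target call.  A
    `push reg` whose register is overwritten before the call preserved a
    callee-saved register rather than passing an argument; the caller's
    `push edi; lea edi,[esi+0x4]; push edi` is exactly that pattern, and
    counting it naively gives 9 slots instead of 8.
    """
    insns = parse_listing(listing)
    call_idx = next(i for i, (_, mn, ops) in enumerate(insns)
                    if mn == "call" and callee in ops)
    start = 0
    for i in range(call_idx - 1, -1, -1):
        if insns[i][1] in ("call", "ret"):
            start = i + 1
            break
    window = insns[start:call_idx]
    pushed = []
    for i, (_, mn, ops) in enumerate(window):
        if mn != "push":
            continue
        reg = _PUSH_REG.match(ops)
        if reg and any(_written_reg(mn2, ops2) == reg.group(1)
                       for _, mn2, ops2 in window[i + 1:]):
            continue  # register save, reloaded before the call
        pushed.append(ops)
    return list(reversed(pushed))  # last push is parameter 0

def parse_imm(text):
    """windbg prints immediates in hex (`8`, `0Ch`, `10h`); 0x.. is accepted too."""
    t = text.strip().lower()
    return int(t, 16) if t.startswith("0x") else int(t.rstrip("h"), 16)

def stack_bytes_from_ret(listing):
    """Bytes the stdcall stub pops via `ret imm16` (0 for a bare `ret`)."""
    for _, mn, ops in parse_listing(listing):
        if mn == "ret":
            return parse_imm(ops) if ops else 0
    raise ValueError("no ret in listing")

def immediate_stored_to(listing, operand):
    """Value of the last `mov <operand>,<imm>` before <operand> is pushed."""
    value = None
    for _, mn, ops in parse_listing(listing):
        if mn == "mov" and ops.startswith(operand + ","):
            value = parse_imm(ops.split(",", 1)[1])
        elif mn == "push" and ops == operand:
            return value
    return value

if __name__ == "__main__":
    args = argument_pushes(BUILD_HWND_LIST_CALLER, "NtUserBuildHwndList")
    for i, a in enumerate(args):
        print(f"arg {i}: {a}")
    print("stack bytes:", 4 * len(args), "(7-param prototype would be 28)")
    print("arg 5 holds", hex(immediate_stored_to(BUILD_HWND_LIST_CALLER, "dword ptr [esi]")))
    print("NtUserGetWindowBand stub pops", stack_bytes_from_ret(GET_WINDOW_BAND_STUB), "bytes")
```

For the BuildHwndList caller this yields 8 parameters (32 bytes, matching the second table entry rather than the 7-parameter prototype), with parameter 5 being `dword ptr [esi]`, which the caller set to 0x40 two instructions earlier; the `ret 8` of the NtUserGetWindowBand stub gives 2 parameters. The push-counting side is the weaker of the two checks: it depends on the compiler keeping the argument pushes contiguous, so prefer the stub's `ret imm16` whenever the stub is available.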
From bruen...@google.com on October 29, 2013 15:34:27
** TODO on win8.1, both calc and app_suite_tests have uninit false pos in tiptsf.dll
Error #1: UNINITIALIZED READ: reading register eax
in.cpp:311](0x010b4856 <app_suite_tests.exe+0x34856) modid:1
Note: @0:00:03.109 in thread 1992
Note: instruction: cmp %eax $0x00000001
error end
Without syms for tiptsf.dll it matches the calc ones above:
Error #2: UNINITIALIZED READ: reading register eax
The test is doing: DestroyWindow(hwnd);
Likely culprit:
system call #4977
==4977.0 NtUserGetWindowBand
I don't know why the unknown syscall handling doesn't detect the single-dword change here:
iterating over args for syscall #0x1371.0x0 NtUserGetWindowBand
processing pre system call #0x1371.0x0 NtUserGetWindowBand
pre considering arg 0 0 0
processing pre system call #0x1371.0x0 NtUserGetWindowBand
pre considering arg 0 0 0
unknown system call #0x1371.0x0 NtUserGetWindowBand
pre-unknown-syscall #0x1371.0x0: param 0 == 0x004902bc
pre-unknown-syscall #0x1371.0x0: param 1 == 0x012bf30c
pre-unknown-syscall #0x1371: param 0 == 0x00000001 19657484 bytes
pre-unknown-syscall #0x1371.0x0: param 2 == 0x1a99ba10
pre-unknown-syscall #0x1371.0x0: param 3 == 0x00000000
pre-unknown-syscall #0x1371.0x0: param 4 == 0x004902bc
pre-unknown-syscall #0x1371.0x0: param 5 == 0x00008001
pre-unknown-syscall #0x1371.0x0: param 6 == 0x004902bc
pre-unknown-syscall #0x1371.0x0: param 9 == 0x00000000
pre-unknown-syscall #0x1371.0x0: param 11 == 0x00000000
processing post system call #0x1371.0x0 NtUserGetWindowBand res=0x1
post considering arg 0 0 0 0x004902bc
From disasm: looks like the OUT param is a single value, which is compared to 1, 2, and 0x10: we'll assume dword type. Return value is compared to 0 only: BOOL?
Live call showing return value of 0x1 and writing to DWORD:
0:000> dds esp L4
001ad650 753d194d tiptsf!CARET::_ProcessCaretEvents+0x9c
001ad654 0012031e
001ad658 001ad684
001ad65c f3545991
0:000> dd 001ad684
001ad684 00340000 004b0490 000001fc 004b0000
001ad694 004b0000 00000000 004b0000 001ad6d0
001ad6a4 77b649ed 50000163 004b0000 00000000
001ad6b4 00310030 001ad764 004bc478 004b0000
001ad6c4 00000000 001ad71c 77b63464 004b0248
0:000> p
eax=00001371 ebx=75d59adf ecx=001ad684 edx=00000000 esi=0012031e edi=ffff0000
eip=75d5b2f1 esp=001ad650 ebp=001adb48 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
USER32!NtUserGetWindowBand+0x5:
75d5b2f1 64ff15c0000000 call dword ptr fs:[0C0h] fs:0053:000000c0=779b11d8
0:000> p
eax=00000001 ebx=75d59adf ecx=94a00000 edx=00000000 esi=0012031e edi=ffff0000
eip=75d5b2f8 esp=001ad650 ebp=001adb48 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
USER32!NtUserGetWindowBand+0xc:
75d5b2f8 c20800 ret 8
0:000> dds esp L4
001ad650 753d194d tiptsf!CARET::_ProcessCaretEvents+0x9c
001ad654 0012031e
001ad658 001ad684
001ad65c f3545991
0:000> dd 001ad684
001ad684 00000001 004b0490 000001fc 004b0000
001ad694 004b0000 00000000 004b0000 001ad6d0
001ad6a4 77b649ed 50000163 004b0000 00000000
001ad6b4 00310030 001ad764 004bc478 004b0000
001ad6c4 00000000 001ad71c 77b63464 004b0248
So I propose:
BOOL NtUserGetWindowBand(in HANDLE hwnd, out DWORD *value);
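The comment above reaches its `out DWORD *value` proposal by diffing the `dd` output before and after the syscall. The following is an added example, not Dr. Memory's unknown-syscall implementation, that models that idea in miniature: every parameter value lying inside readable memory is treated as a candidate pointer, a window of bytes at it is snapshotted before the call and re-read afterwards, and each changed span is reported as an OUT parameter of that width, so that an unknown syscall gets a drsyscall-style classification of its parameters. The memory contents and parameter values are constructed from the windbg session quoted above (`dds esp L4` and `dd 001ad684` before and after NtUserGetWindowBand, and `ret 8` for the parameter count); the filler dwords between esp+0x10 and the buffer, the single-region layout and the 64-byte window are assumptions.

```python
"""Classify an unknown syscall's parameters from pre/post memory snapshots.

Added example, not Dr. Memory code.  Parameter values that point into
readable memory are snapshotted before the syscall and compared afterwards;
a changed span marks an OUT parameter, an unchanged one an IN pointer, and a
value outside any mapping is a scalar.  Sample memory is constructed from the
windbg session in the issue (NtUserGetWindowBand on Win8.1).
"""
import struct

WINDOW = 64      # bytes snapshotted at each candidate pointer (assumed)
WORD = 4         # 32-bit process: classify at dword granularity

class FlatMemory:
    """A few readable regions keyed by base address; anything else faults."""
    def __init__(self, regions):
        self.regions = {base: bytes(data) for base, data in regions.items()}

    def read(self, addr, n):
        """Bytes at [addr, addr+n), truncated at the region end; None if unmapped."""
        for base, data in self.regions.items():
            if base <= addr < base + len(data):
                return data[addr - base: addr - base + n]
        return None

def dwords(*values):
    return b"".join(struct.pack("<I", v) for v in values)

def changed_spans(before, after):
    """(offset, size) of modified runs, merged at dword granularity.

    The single dword write 00340000 -> 00000001 changes bytes 0 and 2 but
    leaves 1 and 3 alone; a byte-level diff would report two 1-byte writes,
    so whole words are compared and adjacent changed words are merged.
    """
    spans = []
    for off in range(0, min(len(before), len(after)), WORD):
        if before[off:off + WORD] != after[off:off + WORD]:
            if spans and spans[-1][0] + spans[-1][1] == off:
                spans[-1] = (spans[-1][0], spans[-1][1] + WORD)
            else:
                spans.append((off, WORD))
    return spans

def classify_params(params, pre, post):
    """One dict per parameter: kind is 'scalar', 'in' or 'out'."""
    result = []
    for i, value in enumerate(params):
        before = pre.read(value, WINDOW)
        if before is None:
            result.append({"index": i, "kind": "scalar", "value": value})
            continue
        spans = changed_spans(before, post.read(value, len(before)))
        kind = "out" if spans else "in"
        result.append({"index": i, "kind": kind, "value": value, "written": spans})
    return result

def render_prototype(name, classes, retval):
    """drsyscall-style one-liner; the return type is left to the reader."""
    parts = []
    for c in classes:
        if c["kind"] == "scalar":
            parts.append(f"in ULONG_PTR arg{c['index']}")
        elif c["kind"] == "in":
            parts.append(f"in void *arg{c['index']}")
        else:
            desc = ", ".join(f"{s} bytes at +{o:#x}" for o, s in c["written"])
            parts.append(f"out void *arg{c['index']} /* writes {desc} */")
    return f"{name}({', '.join(parts)}) /* returned {retval:#x} */"

# --- constructed from the issue's windbg session ---------------------------
STACK = 0x001ad650                  # esp at the stub's `call fs:[0C0h]`
BUF = 0x001ad684                    # second argument, the suspected OUT param
FILLER = [0] * ((BUF - STACK) // WORD - 4)   # esp+0x10..BUF not shown; assumed zero
ARGS_ON_STACK = [0x753d194d, 0x0012031e, 0x001ad684, 0xf3545991]  # dds esp L4
BUF_BEFORE = [0x00340000, 0x004b0490, 0x000001fc, 0x004b0000,
              0x004b0000, 0x00000000, 0x004b0000, 0x001ad6d0,
              0x77b649ed, 0x50000163, 0x004b0000, 0x00000000,
              0x00310030, 0x001ad764, 0x004bc478, 0x004b0000,
              0x00000000, 0x001ad71c, 0x77b63464, 0x004b0248]
BUF_AFTER = [0x00000001] + BUF_BEFORE[1:]   # only the first dword changed

PRE = FlatMemory({STACK: dwords(*ARGS_ON_STACK, *FILLER, *BUF_BEFORE)})
POST = FlatMemory({STACK: dwords(*ARGS_ON_STACK, *FILLER, *BUF_AFTER)})
NPARAMS = 2                         # from the stub's `ret 8`
PARAMS = ARGS_ON_STACK[1:1 + NPARAMS]   # slot 0 is the return address

def analyze_get_window_band():
    classes = classify_params(PARAMS, PRE, POST)
    return classes, render_prototype("NtUserGetWindowBand", classes, retval=1)

if __name__ == "__main__":
    classes, proto = analyze_get_window_band()
    for c in classes:
        print(c)
    print(proto)
```

On the constructed data this reports arg0 (0x0012031e, the HWND) as a scalar because it points at nothing mapped, and arg1 as an OUT pointer with a 4-byte write at offset 0, which is the `out DWORD *value` of the proposal; the BOOL return type is still a judgement call from the disassembly's comparisons, not something the diff can establish. Two limits worth keeping in mind when applying this to a real tracer: a scalar that happens to equal a mapped address is misreported as an IN pointer, and a pointer into a buffer the kernel reads but does not write is indistinguishable from such a scalar.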
From bruen...@google.com on June 13, 2014 10:28:10
NtUnmapViewOfSectionEx notes: https://code.google.com/p/dynamorio/issues/detail?id=899#c1
From bruen...@google.com on February 24, 2013 10:55:14
As part of issue #772 I'm adding entries to the tables but most are unknown.
xref DRi#899
Original issue: http://code.google.com/p/drmemory/issues/detail?id=1153