
drmemory -verify_sysnums failure on handle test #1521

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From zhao...@google.com on April 16, 2014 18:31:37

$ ./bin/drmemory.exe -dr_ops "-msgbox_mask 0x0" -verify_sysnums -pause_at_assert -- ./tests/handle.exe WARNING: using debug DynamoRIO since release not found <Starting application D:\src\cygwin\home\zhaoqin\Workspace\DrMemory\builds\build_x86_drm_dbg.git\tests\handle.exe (16892)> ... Dr.M Dr. Memory version 1.6.1885 Dr.M Running "./tests/handle.exe" Dr.M ASSERT FAILURE (thread 13704): D:\src\cygwin\home\zhaoqin\Workspace\DrMemory\drmemory.git\drsyscall\drsyscall_windows.c:3667: !ok || drsys_sysnums_equal(&syslist->num, &num_from_wrapper) (sysnum table does not match wrapper)

0:000> kp ChildEBP RetAddr
00bfd920 5b94253e ntdll!NtRaiseHardError+0x12 00bfd970 5b8f42fe dynamorio!nt_messagebox(unsigned short * msg = 0x00bfd988, unsigned short * title = 0x5ba2f7fc)+0xfe [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\dynamorio\core\win32\ntdll.c @ 3676] 00bff190 739d21b7 dynamorio!dr_messagebox(char * fmt = 0x73bb8534 "%s in pid %d", char * ap = 0x00bff19c "D???")+0xee [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\dynamorio\core\x86\instrument.c @ 4006] 00bff1a4 739d21e8 drmemorylib!wait_for_user(char * message = 0x73bb8544 "Dr. Memory is paused at an assert")+0x17 [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\common\utils.c @ 103] 00bff1b0 73a2f03d drmemorylib!drmemory_abort(void)+0x18 [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\common\utils.c @ 127] 00bff1ec 73a2ed27 drmemorylib!check_syscall_entry(void * drcontext = 0x17dca780, struct _module_data_t * info = 0x17d84e90, struct _syscall_info_t * syslist = 0x73c61cd4, char * optional_prefix = 0x73c06bd8 "NtGdi")+0x30d [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\drsyscall\drsyscall_windows.c @ 3667] 00bff20c 73a2b1f5 drmemorylib!drsyscall_os_module_load(void * drcontext = 0x17dca780, struct _module_data_t * info = 0x17d84e90, char loaded = 1 '')+0x1b7 [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\drsyscall\drsyscall_windows.c @ 3895] 00bff220 73a0d3bd drmemorylib!syscall_module_load(void * drcontext = 0x17dca780, struct _module_data_t * info = 0x17d84e90, char loaded = 1 '')+0x15 [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\drsyscall\drsyscall.c @ 2011] 00bff38c 5b8f0418 drmemorylib!drmgr_modload_event(void * drcontext = 0x17dca780, struct _module_data_t * info = 0x17d84e90, char loaded = 1 '')+0x8d [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\dynamorio\ext\drmgr\drmgr.c @ 1286] 00bff3c8 5b8ed42c dynamorio!instrument_module_load(struct _module_data_t * data = 0x17d84e90, char previously_loaded = 1 
'')+0xb8 [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\dynamorio\core\x86\instrument.c @ 1833] 00bff3ec 5b6aa6b5 dynamorio!instrument_init(void)+0x12c [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\dynamorio\core\x86\instrument.c @ 607] 00bffcb0 5b8cd8b1 dynamorio!dynamorio_app_init(void)+0x555 [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\dynamorio\core\dynamo.c @ 640] 00bffd10 5b8d5168 dynamorio!auto_setup(unsigned int appstack = 0xbffd1c)+0x21 [d:\src\cygwin\home\zhaoqin\workspace\drmemory\drmemory.git\dynamorio\core\x86\x86_code.c @ 148] 00000000 00000000 dynamorio!dynamo_auto_start(void)+0x8 [D:\src\cygwin\home\zhaoqin\Workspace\DrMemory\builds\build_x86_drm_dbg.git\dynamorio\core\CMakeFiles\dynamorio.dir\x86\x86.asm.obj.s @ 1042]

0:000> dt syslist Local var @ 0xbff1fc Type _syscall_info_t 0x73c61cd4 +0x000 num : _drsys_sysnum_t +0x008 name : 0x73c4f500 "NtGdiOpenDCW" +0x00c flags : 1 +0x010 return_type : 7 +0x014 arg_count : 7 +0x018 arg : [18] _sysinfo_arg_t +0x138 num_out : (null) 0:000> ?? syslist->name char \ 0x73c4f500 "NtGdiOpenDCW" 0:000> ?? syslist->num struct _drsys_sysnum_t +0x000 number : 0 +0x004 secondary : 52 0:000> ?? num_from_wrapper struct _drsys_sysnum_t +0x000 number : 4314 +0x004 secondary : 0

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1521

derekbruening commented 9 years ago

From zhao...@google.com on April 17, 2014 10:19:57

more investigation: syslist comes from syscall_gdi32_info[0xd5]:

in drsyscall/drsyscall_wingdi.c:4620 (the `*` characters of the C comments were eaten by markdown; restored here): {{0,WIN2K3},"NtGdiOpenDCW", OK, DRSYS_TYPE_HANDLE, 7, { {0, sizeof(UNICODE_STRING), R|CT, SYSARG_TYPE_UNICODE_STRING}, {1, sizeof(DEVMODEW)/*really var-len*/, R|CT, SYSARG_TYPE_DEVMODEW}, {2, sizeof(UNICODE_STRING), R|CT, SYSARG_TYPE_UNICODE_STRING}, {3, sizeof(ULONG), SYSARG_INLINED, DRSYS_TYPE_UNSIGNED_INT}, {4, sizeof(HANDLE), SYSARG_INLINED, DRSYS_TYPE_HANDLE}, {5, sizeof(DRIVER_INFO_2W), R|HT, DRSYS_TYPE_STRUCT}, {6, sizeof(PUMDHPDEV *), W|HT, DRSYS_TYPE_STRUCT}, } },

in add_syscall_entry:

static void add_syscall_entry(void *drcontext, const module_data_t *info, syscall_info_t *syslist, const char *optional_prefix, bool addname2num) { bool ok = false; /* Windows version-specific entry feature */ if (syslist->num.number != 0 && win_ver.version < syslist->num.number) return; if (syslist->num.secondary != 0 && win_ver.version > syslist->num.secondary) return;

0:000> dt win_ver +0x000 size : 0x10 +0x004 version : 3d ( DR_WINDOWS_VERSION_7 ) +0x008 service_pack_major : 1 +0x00c service_pack_minor : 0

WIN2K3 is 0n52 (0x34), and win_ver.version is 0x3d (DR_WINDOWS_VERSION_7), so the second version check fires and add_syscall_entry returns without ever looking up the real syscall number. It looks like the bug is that if (syslist->num.secondary != 0 && win_ver.version > syslist->num.secondary) return; should instead be if (syslist->num.secondary != 0 && win_ver.version < syslist->num.secondary) return;

derekbruening commented 9 years ago

From zhao...@google.com on April 17, 2014 10:58:37

OK, the actual cause is that check_syscall_entry does not handle the Windows-version-specific entry feature: it compares the table's version-encoded num ({0, 52}) directly against the number read from the wrapper ({4314, 0}), so the -verify_sysnums assert fires for every such entry.