DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform

dr_save_reg & dr_insert_clean_call Acrobat Reader 8.1.2 #272

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From analysis...@gmail.com on March 13, 2010 08:11:03

What steps will reproduce the problem?
1. Run the attached plugin on Windows XP SP3 registered with AcroRd32.exe

What is the expected output? What do you see instead?
Acrobat Reader does not start, after some seconds it terminates.

What version of the product are you using? On what operating system?
DynamoRIO-Windows-1.5.0-1, Windows XP SP3 32bit, Acrobat Reader 8.1.2

Please provide any additional information below.
Is there a 32bit version of opnd_is_rel_addr?

Attachment: memtrace.c

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=272

derekbruening commented 9 years ago

From derek.br...@gmail.com on March 13, 2010 09:05:48

> Acrobat Reader does not start, after some seconds it terminates.

Does it work fine without your client (i.e., with plain DR)?

> Is there a 32bit version of opnd_is_rel_addr?

No, because there is no x86 32-bit pc-relative data addressing mode

Status: NeedInfo

derekbruening commented 9 years ago

From analysis...@gmail.com on March 14, 2010 06:38:37

> Does it work fine without your client (i.e., with plain DR)?

Yes, it works for many applications without problem. I tried to locate the error:

```c
static void
instrument_mem_write(void *drcontext, instrlist_t *ilist, instr_t *where, int pos)
{
    opnd_t ref = instr_get_dst(where, pos);
    reg_id_t reg = REG_XAX;

    /* save %xax */
    dr_save_reg(drcontext, ilist, where, reg, SPILL_SLOT_2);

    /* clean call */
    dr_insert_clean_call(drcontext, ilist, where, memwrite_callback, false, 0);

    /* restore %xax */
    dr_restore_reg(drcontext, ilist, where, REG_XAX, SPILL_SLOT_2);
}
```

This still crashes. Thanks for the answer.
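The snippet above spills %xax and then inserts a clean call that takes no arguments. As an added example (not code from this thread or from the DynamoRIO project, and written against the current DynamoRIO client API rather than the 1.5.0 release discussed here), the client below shows the pattern the spill is normally needed for: compute the effective address of the write into %xax with a meta `lea`, pass that register plus the app pc as clean-call arguments, and restore %xax afterwards. It also shows why `opnd_is_rel_addr` only matters on x64: pc-relative data operands are guarded with `#ifdef X64`, while base+disp and absolute operands are handled on both 32-bit and 64-bit. It assumes the DynamoRIO SDK headers (`dr_api.h`) and a normal client build; the log file name `memwrite.log` and the callback name `memwrite_callback` are this example's own choices.

```c
/* Added example: log the target address of every application memory write
 * by inserting a clean call. Requires the DynamoRIO SDK; build as a client. */
#include "dr_api.h"

static file_t logfile;

/* Runs inside the clean call: pc is the app instruction, addr is the
 * effective address the instruction writes to. */
static void
memwrite_callback(app_pc pc, app_pc addr)
{
    dr_fprintf(logfile, "W " PFX " " PFX "\n", pc, addr);
}

/* Insert a meta instruction before `where` that loads the effective address
 * of memory operand `ref` into `reg`. Returns false for operand kinds that
 * are not handled (e.g. far/segment-based references). */
static bool
insert_get_mem_addr(void *drcontext, instrlist_t *ilist, instr_t *where,
                    opnd_t ref, reg_id_t reg)
{
    if (opnd_is_base_disp(ref)) {
        /* lea reads base/index before writing reg, so reg may be the base. */
        instrlist_meta_preinsert(ilist, where,
            INSTR_CREATE_lea(drcontext, opnd_create_reg(reg),
                             opnd_create_base_disp(opnd_get_base(ref), opnd_get_index(ref),
                                                   opnd_get_scale(ref), opnd_get_disp(ref),
                                                   OPSZ_lea)));
        return true;
    }
    if (opnd_is_abs_addr(ref)
#ifdef X64
        /* pc-relative data addressing exists only on x64 (see the answer above) */
        || opnd_is_rel_addr(ref)
#endif
        ) {
        instrlist_meta_preinsert(ilist, where,
            INSTR_CREATE_mov_imm(drcontext, opnd_create_reg(reg),
                                 OPND_CREATE_INTPTR(opnd_get_addr(ref))));
        return true;
    }
    return false;
}

static void
instrument_mem_write(void *drcontext, instrlist_t *ilist, instr_t *where, opnd_t ref)
{
    reg_id_t reg = DR_REG_XAX;
    /* The lea/mov below clobbers xax, so spill it first. The clean call itself
     * saves and restores all registers; the spill protects the app value of
     * xax only across our own address computation. */
    dr_save_reg(drcontext, ilist, where, reg, SPILL_SLOT_2);
    if (insert_get_mem_addr(drcontext, ilist, where, ref, reg)) {
        dr_insert_clean_call(drcontext, ilist, where, (void *)memwrite_callback,
                             false /* no fp state */, 2,
                             OPND_CREATE_INTPTR(instr_get_app_pc(where)),
                             opnd_create_reg(reg));
    }
    dr_restore_reg(drcontext, ilist, where, reg, SPILL_SLOT_2);
}

static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
                  bool for_trace, bool translating)
{
    instr_t *instr;
    /* Walk app instructions only, so our own meta instructions are skipped. */
    for (instr = instrlist_first_app(bb); instr != NULL; instr = instr_get_next_app(instr)) {
        int i;
        if (!instr_writes_memory(instr))
            continue;
        for (i = 0; i < instr_num_dsts(instr); i++) {
            opnd_t dst = instr_get_dst(instr, i);
            if (opnd_is_memory_reference(dst))
                instrument_mem_write(drcontext, bb, instr, dst);
        }
    }
    return DR_EMIT_DEFAULT;
}

static void
event_exit(void)
{
    dr_close_file(logfile);
}

DR_EXPORT void
dr_client_main(client_id_t id, int argc, const char *argv[])
{
    logfile = dr_open_file("memwrite.log", DR_FILE_WRITE_OVERWRITE);
    DR_ASSERT(logfile != INVALID_FILE);
    dr_register_bb_event(event_basic_block);
    dr_register_exit_event(event_exit);
}
```

Each clean call expands into many meta instructions, which is what pushes a block over the `-max_bb_instrs` / `-max_trace_bbs` limits mentioned later in this thread; those are DynamoRIO runtime options, passed separately from the client (with `drrun`, via `-ops`), and lowering them keeps the instrumented blocks within bounds. In debug builds the assert message box names the limit that was hit, which is the first thing to read before changing either value.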

derekbruening commented 9 years ago

From qin.zhao@gmail.com on March 14, 2010 09:37:09

It might be because of the huge code cache size caused by the instrumented clean call. Try setting the code cache to infinite.

derekbruening commented 9 years ago

From derek.br...@gmail.com on March 14, 2010 11:27:08

Qin, can you elaborate on what you mean: the code cache will grow unbounded by default for thread-shared. Thread-private uses working-set estimation, but there is no default hard upper bound. I don't see how code cache size would impact correctness here.

Did you do the usual debugging steps: run in debug build and see if any asserts fire?

Is the termination silent, or does DR pop up a msgbox about an error?

derekbruening commented 9 years ago

From analysis...@gmail.com on March 14, 2010 15:03:20

Hi

I tried with -debug and I get the error message (see attachment). I tried to increase the bbl size with max_trace_bbs 10000, but still I get the error.

Attachment: Untitled.png

derekbruening commented 9 years ago

From analysis...@gmail.com on March 14, 2010 15:34:57

Err I mean I tried to increase the bbl size with max_bb_instrs.

derekbruening commented 9 years ago

From derek.br...@gmail.com on March 14, 2010 17:18:51

As the messagebox says, you want to decrease, not increase, max_bb_instrs and max_trace_bbs

derekbruening commented 9 years ago

From analysis...@gmail.com on March 21, 2010 08:09:11

Hi

Ok this works now perfectly. But I have another problem with Acrobat 8.1.2 with this plugin:

```c
#include "dr_api.h"

static dr_emit_flags_t event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
                                         bool for_trace, bool translating);

static void event_exit(void);

thread_id_t reportThreadID = 0;

file_t execute;

DR_EXPORT void
dr_init(client_id_t id)
{
    /* the backslash must be escaped inside a C string literal */
    execute = dr_open_file("C:\\exe.log", DR_FILE_WRITE_APPEND);

    dr_register_bb_event(event_basic_block);
    dr_register_exit_event(event_exit);
}

static void
event_exit(void)
{
    dr_close_file(execute);
}

static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
                  bool for_trace, bool translating)
{
    int size = 0;
    instr_t *instr;

    /* sum the encoded length of every valid instruction in the block */
    for (instr = instrlist_first(bb); instr != NULL; instr = instr_get_next(instr)) {
        if (!instr_valid(instr))
            continue;
        size += instr_length(drcontext, instr);
    }

    dr_fprintf(execute, "E %X %X\n", instr_get_app_pc(instrlist_first(bb)), size);

    return DR_EMIT_DEFAULT;
}
```

Acrobat Reader crashes if I open a pdf found on the internet. No msg box in debug mode, always a crash in ace.dll at 000296f7. Changing max_bb_instrs doesn't help.

Cheers