Open alessandrocarminati opened 2 years ago
glibc-2.34-40.el9.x86_64_libc.so.tar.gz Test bench
Can you try again? I have improved this functionality at least for arm64 but other targets may be fixed too
Hello, thank you for your work. Not sure how it performs on arm64, but for this issue there's no change.
$ r2 -v
radare2 5.7.9 29326 @ linux-x86-64 git.5.7.8-415-g432791f8ce
commit: 432791f8cedb675703c477fc8842968e48e9acab build: 2022-10-28__17:32:04
$ r2 glibc-2.34-40.el9.x86_64_libc.so
WARN: run r2 with -e bin.cache=true to fix relocations in disassembly
-- Using radare2 to generate intelligence ...
[0x00040070]> aa
INFO: Analyze all flags starting with sym. and entry0 (aa)
ERROR: Cannot find basic block for switch case at 0x0012c3a2 bbdelta = 18
ERROR: Cannot find basic block for switch case at 0x000d6556 bbdelta = 34
ERROR: Cannot find basic block for switch case at 0x001980d9 bbdelta = 23
INFO: Analyze all functions arguments/locals (afva@@@F)
[0x00040070]> s sym.__pthread_mutex_lock_full
[0x000a2380]> pdf
Do you want to print 443 lines? (y/N) y
; CODE XREF from sym.pthread_mutex_lock @ 0xa2bd0(x)
┌ 1875: sym.__pthread_mutex_lock_full (int64_t arg1, int64_t arg2, int64_t arg_4h, int64_t arg_8h, int64_t arg_ch, int64_t arg_10h, int64_t arg_18h, int64_t arg_20h);
│ ; arg int64_t arg1 @ rdi
│ ; arg int64_t arg2 @ rsi
│ ; arg int64_t arg_4h @ rbp+0x4
│ ; arg int64_t arg_8h @ rbp+0x8
│ ; arg int64_t arg_ch @ rbp+0xc
│ ; arg int64_t arg_10h @ rbp+0x10
│ ; arg int64_t arg_18h @ rbp+0x18
│ ; arg int64_t arg_20h @ rbp+0x20
│ ; var int64_t var_ch @ rsp-0x4c
│ ; var int64_t var_14h @ rsp-0x44
│ ; var int64_t var_18h @ rsp-0x40
│ 0x000a2380 4157 push r15
│ 0x000a2382 4156 push r14
│ 0x000a2384 4155 push r13
│ 0x000a2386 4154 push r12
│ 0x000a2388 55 push rbp
│ 0x000a2389 4889fd mov rbp, rdi ; arg1
│ 0x000a238c 53 push rbx
│ 0x000a238d 4883ec28 sub rsp, 0x28
│ 0x000a2391 64488b042528. mov rax, qword fs:[0x28]
│ 0x000a239a 4889442418 mov qword [var_18h], rax
│ 0x000a239f 31c0 xor eax, eax
│ 0x000a23a1 648b0425d002. mov eax, dword fs:[0x2d0]
│ 0x000a23a9 8944240c mov dword [var_ch], eax
│ 0x000a23ad 8b5710 mov edx, dword [rdi + 0x10] ; arg1
│ 0x000a23b0 4c8d7710 lea r14, [rdi + 0x10] ; arg1
│ 0x000a23b4 89d0 mov eax, edx
│ 0x000a23b6 83e07f and eax, 0x7f
│ 0x000a23b9 83f833 cmp eax, 0x33
│ ┌─< 0x000a23bc 0f8fd6010000 jg 0xa2598
│ │ 0x000a23c2 83f82f cmp eax, 0x2f
│ ┌──< 0x000a23c5 0f8ff5000000 jg 0xa24c0
│ ││ 0x000a23cb 83f813 cmp eax, 0x13
│ ┌───< 0x000a23ce 0f8fe4000000 jg 0xa24b8
│ │││ 0x000a23d4 83e270 and edx, 0x70
│ ┌────< 0x000a23d7 0f84ab000000 je 0xa2488
│ ││││ 0x000a23dd 4c8d4f20 lea r9, [rdi + 0x20] ; arg1
│ ││││ 0x000a23e1 644c890c25f0. mov qword fs:[0x2f0], r9
│ ││││ 0x000a23ea 8b17 mov edx, dword [rdi] ; arg1
│ ││││ 0x000a23ec 31c9 xor ecx, ecx
│ ││││ 0x000a23ee 41bdca000000 mov r13d, 0xca
│ ││││ 0x000a23f4 bb81080000 mov ebx, 0x881
│ ││││ ; CODE XREFS from sym.__pthread_mutex_lock_full @ 0xa2833(x), 0xa28df(x), 0xa2974(x)
│ ┌┌┌─────> 0x000a23f9 85d2 test edx, edx
│ ────────< 0x000a23fb 0f85e4030000 jne 0xa27e5
│ ╎╎╎││││ 0x000a2401 8b74240c mov esi, dword [var_ch]
│ ╎╎╎││││ 0x000a2405 89d0 mov eax, edx
│ ╎╎╎││││ 0x000a2407 09ce or esi, ecx
│ ╎╎╎││││ 0x000a2409 f00fb17500 lock cmpxchg dword [rbp], esi
│ ╎╎╎││││ 0x000a240e 89c2 mov edx, eax
│ ╎╎╎││││ 0x000a2410 85c0 test eax, eax
│ ────────< 0x000a2412 0f85cd030000 jne 0xa27e5
│ ╎╎╎││││ 0x000a2418 817d08feffff. cmp dword [arg_8h], 0x7ffffffe
│ ────────< 0x000a241f 0f840e050000 je 0xa2933
│ ╎╎╎││││ 0x000a2425 c74504010000. mov dword [arg_4h], 1
│ ╎╎╎││││ 0x000a242c 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎╎╎││││ 0x000a2435 4883e0fe and rax, 0xfffffffffffffffe
│ ╎╎╎││││ 0x000a2439 4c8948f8 mov qword [rax - 8], r9
│ ╎╎╎││││ 0x000a243d 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎╎╎││││ 0x000a2446 48894520 mov qword [arg_20h], rax
│ ╎╎╎││││ 0x000a244a 64488b042510. mov rax, qword fs:[0x10]
│ ╎╎╎││││ 0x000a2453 4805e0020000 add rax, 0x2e0
│ ╎╎╎││││ 0x000a2459 48894518 mov qword [arg_18h], rax
│ ╎╎╎││││ 0x000a245d 644c890c25e0. mov qword fs:[0x2e0], r9
│ ╎╎╎││││ 0x000a2466 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎╎╎││││ ; CODE XREFS from sym.__pthread_mutex_lock_full @ 0xa2692(x), 0xa2727(x)
│ ────────> 0x000a2473 8b44240c mov eax, dword [var_ch]
│ ╎╎╎││││ 0x000a2477 83450c01 add dword [arg_ch], 1
│ ╎╎╎││││ 0x000a247b 894508 mov dword [arg_8h], eax
│ ╎╎╎││││ 0x000a247e 90 nop
│ ╎╎╎││││ 0x000a247f 4531c0 xor r8d, r8d
│ ────────< 0x000a2482 eb0a jmp 0xa248e
..
│ ───└────> 0x000a2488 41b816000000 mov r8d, 0x16
│ ╎╎╎ │││ ; XREFS: CODE 0x000a2482 CODE 0x000a2756 CODE 0x000a27e0 CODE 0x000a285f CODE 0x000a292e CODE 0x000a2959
│ ╎╎╎ │││ ; XREFS: CODE 0x000a29de CODE 0x000a2a3e CODE 0x000a2a91 CODE 0x000a2ac5
│ ───┌────> 0x000a248e 488b442418 mov rax, qword [var_18h]
│ ╎╎╎╎│││ 0x000a2493 64482b042528. sub rax, qword fs:[0x28]
│ ────────< 0x000a249c 0f8566060000 jne 0xa2b08
│ ╎╎╎╎│││ 0x000a24a2 4883c428 add rsp, 0x28
│ ╎╎╎╎│││ 0x000a24a6 4489c0 mov eax, r8d
│ ╎╎╎╎│││ 0x000a24a9 5b pop rbx
│ ╎╎╎╎│││ 0x000a24aa 5d pop rbp
│ ╎╎╎╎│││ 0x000a24ab 415c pop r12
│ ╎╎╎╎│││ 0x000a24ad 415d pop r13
│ ╎╎╎╎│││ 0x000a24af 415e pop r14
│ ╎╎╎╎│││ 0x000a24b1 415f pop r15
│ ╎╎╎╎│││ 0x000a24b3 c3 ret
..
│ ╎╎╎╎└───> 0x000a24b8 83e820 sub eax, 0x20 ; sym.__libc_tsd_CTYPE_TOUPPER ; "@"
│ ╎╎╎╎ ││ 0x000a24bb 83f803 cmp eax, 3
│ ────────< 0x000a24be 77c8 ja 0xa2488
│ ╎╎╎╎ └──> 0x000a24c0 8b4510 mov eax, dword [arg_10h]
│ ╎╎╎╎ │ 0x000a24c3 4189c1 mov r9d, eax
│ ╎╎╎╎ │ 0x000a24c6 4183e103 and r9d, 3
│ ╎╎╎╎ │ 0x000a24ca 83e010 and eax, 0x10 ; sym.__libc_errno
│ ╎╎╎╎ │ 0x000a24cd 4189c0 mov r8d, eax
│ ╎╎╎╎ ┌──< 0x000a24d0 0f85d2010000 jne 0xa26a8
│ ╎╎╎╎ ││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa26b9(x)
│ ╎╎╎╎┌───> 0x000a24d6 8b4500 mov eax, dword [rbp]
│ ╎╎╎╎╎││ 0x000a24d9 25ffffff3f and eax, 0x3fffffff
│ ╎╎╎╎╎││ 0x000a24de 3944240c cmp dword [var_ch], eax
│ ────────< 0x000a24e2 0f8413040000 je 0xa28fb
│ ────────> 0x000a24e8 8b5c240c mov ebx, dword [var_ch]
│ ╎╎╎╎╎││ 0x000a24ec 31c0 xor eax, eax
│ ╎╎╎╎╎││ 0x000a24ee f00fb15d00 lock cmpxchg dword [rbp], ebx
│ ╎╎╎╎╎││ 0x000a24f3 85c0 test eax, eax
│ ────────< 0x000a24f5 0f84c3010000 je 0xa26be
│ ╎╎╎╎╎││ 0x000a24fb be06000000 mov esi, 6
│ ╎╎╎╎╎││ 0x000a2500 41bd80000000 mov r13d, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ ╎╎╎╎╎││ 0x000a2506 4585c0 test r8d, r8d
│ ────────< 0x000a2509 0f84d5030000 je 0xa28e4
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa28f6(x)
│ ────────> 0x000a250f 4531d2 xor r10d, r10d
│ ╎╎╎╎╎││ 0x000a2512 31d2 xor edx, edx
│ ╎╎╎╎╎││ 0x000a2514 4889ef mov rdi, rbp
│ ╎╎╎╎╎││ 0x000a2517 b8ca000000 mov eax, 0xca
│ ╎╎╎╎╎││ 0x000a251c 0f05 syscall
│ ╎╎╎╎╎││ 0x000a251e 83f892 cmp eax, 0xffffff92
│ ────────< 0x000a2521 0f8434020000 je 0xa275b
│ ╎╎╎╎╎││ 0x000a2527 8d5023 lea edx, [rax + 0x23]
│ ╎╎╎╎╎││ 0x000a252a 83fa23 cmp edx, 0x23
│ ────────< 0x000a252d 0f873d010000 ja 0xa2670
│ ╎╎╎╎╎││ 0x000a2533 48b901200081. movabs rcx, 0x981002001
│ ╎╎╎╎╎││ 0x000a253d 480fa3d1 bt rcx, rdx
│ ────────< 0x000a2541 0f8329010000 jae 0xa2670
│ ╎╎╎╎╎││ 0x000a2547 89c2 mov edx, eax
│ ╎╎╎╎╎││ 0x000a2549 83e2df and edx, 0xffffffdf ; 4294967263
│ ╎╎╎╎╎││ 0x000a254c 83fadd cmp edx, 0xffffffdd
│ ────────< 0x000a254f 0f8506020000 jne 0xa275b
│ ╎╎╎╎╎││ 0x000a2555 83f8dd cmp eax, 0xffffffdd
│ ────────< 0x000a2558 0f8432030000 je 0xa2890
│ ╎╎╎╎╎││ 0x000a255e 83f8fd cmp eax, 0xfffffffd
│ ────────< 0x000a2561 7509 jne 0xa256c
│ ╎╎╎╎╎││ 0x000a2563 4585c0 test r8d, r8d
│ ────────< 0x000a2566 0f855e050000 jne 0xa2aca
│ ────────> 0x000a256c 488d5c2414 lea rbx, [var_14h]
│ ╎╎╎╎╎││ 0x000a2571 0f1f80000000. nop dword [rax]
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa2591(x)
│ ────────> 0x000a2578 4589e8 mov r8d, r13d
│ ╎╎╎╎╎││ 0x000a257b 31c9 xor ecx, ecx
│ ╎╎╎╎╎││ 0x000a257d 31d2 xor edx, edx
│ ╎╎╎╎╎││ 0x000a257f 31f6 xor esi, esi
│ ╎╎╎╎╎││ 0x000a2581 4889df mov rdi, rbx
│ ╎╎╎╎╎││ 0x000a2584 c74424140000. mov dword [var_14h], 0
│ ╎╎╎╎╎││ 0x000a258c e84f9effff call sym.__GI___futex_abstimed_wait64
│ ────────< 0x000a2591 ebe5 jmp 0xa2578
..
│ ╎╎╎╎╎│└─> 0x000a2598 83e840 sub eax, 0x40 ; case.0x18e554.1
│ ╎╎╎╎╎│ 0x000a259b 83f803 cmp eax, 3
│ ────────< 0x000a259e 0f87e4feffff ja 0xa2488
│ ╎╎╎╎╎│ 0x000a25a4 8b4710 mov eax, dword [rdi + 0x10] ; arg1
│ ╎╎╎╎╎│ 0x000a25a7 41bdffffffff mov r13d, 0xffffffff ; -1
│ ╎╎╎╎╎│ 0x000a25ad 448b27 mov r12d, dword [rdi] ; arg1
│ ╎╎╎╎╎│ 0x000a25b0 8b5c240c mov ebx, dword [var_ch]
│ ╎╎╎╎╎│ 0x000a25b4 3b5f08 cmp ebx, dword [rdi + 8] ; arg1
│ ╎╎╎╎╎│┌─< 0x000a25b7 0f846f010000 je 0xa272c
│ ────────> 0x000a25bd 41bfca000000 mov r15d, 0xca
│ ╎╎╎╎╎││ 0x000a25c3 0f1f440000 nop dword [rax + rax]
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa26a3(x)
│ ────────> 0x000a25c8 4489e3 mov ebx, r12d
│ ╎╎╎╎╎││ 0x000a25cb c1eb13 shr ebx, 0x13
│ ╎╎╎╎╎││ 0x000a25ce e84d570000 call sym.__GI___pthread_current_priority
│ ╎╎╎╎╎││ 0x000a25d3 39d8 cmp eax, ebx
│ ────────< 0x000a25d5 0f8f5d020000 jg 0xa2838
│ ╎╎╎╎╎││ 0x000a25db 89de mov esi, ebx
│ ╎╎╎╎╎││ 0x000a25dd 4489ef mov edi, r13d
│ ╎╎╎╎╎││ 0x000a25e0 e83b530000 call sym.__pthread_tpp_change_priority
│ ╎╎╎╎╎││ 0x000a25e5 4189c0 mov r8d, eax
│ ╎╎╎╎╎││ 0x000a25e8 85c0 test eax, eax
│ ────────< 0x000a25ea 0f859efeffff jne 0xa248e
│ ╎╎╎╎╎││ 0x000a25f0 4589e0 mov r8d, r12d
│ ╎╎╎╎╎││ 0x000a25f3 4181e00000f8. and r8d, 0xfff80000
│ ╎╎╎╎╎││ 0x000a25fa 4589c1 mov r9d, r8d
│ ╎╎╎╎╎││ 0x000a25fd 4489c0 mov eax, r8d
│ ╎╎╎╎╎││ 0x000a2600 4183c901 or r9d, 1
│ ╎╎╎╎╎││ 0x000a2604 f0440fb14d00 lock cmpxchg dword [rbp], r9d
│ ────────< 0x000a260a 7474 je 0xa2680
│ ╎╎╎╎╎││ 0x000a260c 4489c2 mov edx, r8d
│ ╎╎╎╎╎││ 0x000a260f 83ca02 or edx, 2
│ ────────< 0x000a2612 eb0e jmp 0xa2622
..
│ ────────> 0x000a2618 4489c0 mov eax, r8d
│ ╎╎╎╎╎││ 0x000a261b f00fb15500 lock cmpxchg dword [rbp], edx
│ ────────< 0x000a2620 745e je 0xa2680
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa2612(x)
│ ────────> 0x000a2622 4489c8 mov eax, r9d
│ ╎╎╎╎╎││ 0x000a2625 f00fb15500 lock cmpxchg dword [rbp], edx
│ ╎╎╎╎╎││ 0x000a262a 89c1 mov ecx, eax
│ ╎╎╎╎╎││ 0x000a262c 4189c4 mov r12d, eax
│ ╎╎╎╎╎││ 0x000a262f 81e10000f8ff and ecx, 0xfff80000
│ ╎╎╎╎╎││ 0x000a2635 4139c8 cmp r8d, ecx
│ ────────< 0x000a2638 7566 jne 0xa26a0
│ ╎╎╎╎╎││ 0x000a263a 4139c0 cmp r8d, eax
│ ────────< 0x000a263d 74d9 je 0xa2618
│ ╎╎╎╎╎││ 0x000a263f 418b36 mov esi, dword [r14]
│ ╎╎╎╎╎││ 0x000a2642 4531d2 xor r10d, r10d
│ ╎╎╎╎╎││ 0x000a2645 4889ef mov rdi, rbp
│ ╎╎╎╎╎││ 0x000a2648 4489f8 mov eax, r15d
│ ╎╎╎╎╎││ 0x000a264b f7d6 not esi
│ ╎╎╎╎╎││ 0x000a264d 81e680000000 and esi, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ ╎╎╎╎╎││ 0x000a2653 0f05 syscall
│ ╎╎╎╎╎││ 0x000a2655 483d00f0ffff cmp rax, 0xfffffffffffff000
│ ────────< 0x000a265b 76bb jbe 0xa2618
│ ╎╎╎╎╎││ 0x000a265d 83c00b add eax, 0xb
│ ╎╎╎╎╎││ 0x000a2660 83f80b cmp eax, 0xb
│ ────────< 0x000a2663 770b ja 0xa2670
│ ╎╎╎╎╎││ 0x000a2665 bf81080000 mov edi, 0x881
│ ╎╎╎╎╎││ 0x000a266a 480fa3c7 bt rdi, rax
│ ────────< 0x000a266e 72a8 jb 0xa2618
│ ────────> 0x000a2670 488d3dc1b111. lea rdi, str.The_futex_facility_returned_an_unexpected_error_code._n ; 0x1bd838 ; "The futex facility returned an unexpected error code.\n"
│ ╎╎╎╎╎││ 0x000a2677 e8242fffff call sym.__libc_fatal
│ ╎╎╎╎╎││ 0x000a267c 0f1f4000 nop dword [rax]
│ ────────> 0x000a2680 8b4508 mov eax, dword [arg_8h]
│ ╎╎╎╎╎││ 0x000a2683 85c0 test eax, eax
│ ────────< 0x000a2685 0f855e040000 jne 0xa2ae9
│ ────────> 0x000a268b c74504010000. mov dword [arg_4h], 1
│ ────────< 0x000a2692 e9dcfdffff jmp 0xa2473
..
│ ────────> 0x000a26a0 4189dd mov r13d, ebx
│ ────────< 0x000a26a3 e920ffffff jmp 0xa25c8
│ ╎╎╎╎╎└──> 0x000a26a8 488d4520 lea rax, [arg_20h]
│ ╎╎╎╎╎ │ 0x000a26ac 4883c801 or rax, 1
│ ╎╎╎╎╎ │ 0x000a26b0 6448890425f0. mov qword fs:[0x2f0], rax
│ ╎╎╎╎└───< 0x000a26b9 e918feffff jmp 0xa24d6
│ ────────> 0x000a26be 4585c0 test r8d, r8d
│ ────────< 0x000a26c1 74c8 je 0xa268b
│ ╎╎╎╎ ┌──> 0x000a26c3 817d08feffff. cmp dword [arg_8h], 0x7ffffffe
│ ╎╎╎╎┌───< 0x000a26ca 0f84b0020000 je 0xa2980
│ ╎╎╎╎│╎│ 0x000a26d0 c74504010000. mov dword [arg_4h], 1
│ ╎╎╎╎│╎│ 0x000a26d7 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│╎│ 0x000a26e0 488d4520 lea rax, [arg_20h]
│ ╎╎╎╎│╎│ 0x000a26e4 4883e2fe and rdx, 0xfffffffffffffffe
│ ╎╎╎╎│╎│ 0x000a26e8 488942f8 mov qword [rdx - 8], rax
│ ╎╎╎╎│╎│ 0x000a26ec 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│╎│ 0x000a26f5 48895520 mov qword [arg_20h], rdx
│ ╎╎╎╎│╎│ 0x000a26f9 64488b1c2510. mov rbx, qword fs:[0x10]
│ ╎╎╎╎│╎│ 0x000a2702 488d93e00200. lea rdx, [rbx + 0x2e0]
│ ╎╎╎╎│╎│ 0x000a2709 48895518 mov qword [arg_18h], rdx
│ ╎╎╎╎│╎│ 0x000a270d 4883c801 or rax, 1
│ ╎╎╎╎│╎│ 0x000a2711 6448890425e0. mov qword fs:[0x2e0], rax
│ ╎╎╎╎│╎│ 0x000a271a 6448c70425f0. mov qword fs:[0x2f0], 0
│ ────────< 0x000a2727 e947fdffff jmp 0xa2473
│ ╎╎╎╎│╎└─> 0x000a272c 83e003 and eax, 3
│ ╎╎╎╎│╎ 0x000a272f 83f802 cmp eax, 2
│ ╎╎╎╎│╎┌─< 0x000a2732 0f84a0020000 je 0xa29d8
│ ╎╎╎╎│╎│ 0x000a2738 83f801 cmp eax, 1
│ ────────< 0x000a273b 0f857cfeffff jne 0xa25bd
│ ╎╎╎╎│╎│ 0x000a2741 8b4704 mov eax, dword [rdi + 4] ; arg1
│ ╎╎╎╎│╎│ 0x000a2744 83f8ff cmp eax, 0xffffffff
│ ────────< 0x000a2747 0f84db010000 je 0xa2928
│ ────────> 0x000a274d 83c001 add eax, 1
│ ╎╎╎╎│╎│ 0x000a2750 4531c0 xor r8d, r8d
│ ╎╎╎╎│╎│ 0x000a2753 894504 mov dword [arg_4h], eax
│ ────────< 0x000a2756 e933fdffff jmp 0xa248e
│ ────────> 0x000a275b 8b4500 mov eax, dword [rbp]
│ ╎╎╎╎│╎│ 0x000a275e 2500000040 and eax, 0x40000000
│ ╎╎╎╎│╎│ 0x000a2763 4585c0 test r8d, r8d
│ ────────< 0x000a2766 0f84f8000000 je 0xa2864
│ ╎╎╎╎│╎│ 0x000a276c 85c0 test eax, eax
│ ╎╎╎╎│└──< 0x000a276e 0f844fffffff je 0xa26c3
│ ╎╎╎╎│ │ 0x000a2774 f0816500ffff. lock and dword [rbp], 0xbfffffff ; [0xbfffffff:4]=-1
│ ╎╎╎╎│ │ 0x000a277c 48b801000000. movabs rax, 0x7fffffff00000001 ; 9223372032559808513
│ ╎╎╎╎│ │ 0x000a2786 48894504 mov qword [arg_4h], rax
│ ╎╎╎╎│ │ 0x000a278a 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│ │ 0x000a2793 488d4520 lea rax, [arg_20h]
│ ╎╎╎╎│ │ 0x000a2797 4883e2fe and rdx, 0xfffffffffffffffe
│ ╎╎╎╎│ │ 0x000a279b 488942f8 mov qword [rdx - 8], rax
│ ╎╎╎╎│ │ 0x000a279f 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│ │ 0x000a27a8 48895520 mov qword [arg_20h], rdx
│ ╎╎╎╎│ │ 0x000a27ac 64488b1c2510. mov rbx, qword fs:[0x10]
│ ╎╎╎╎│ │ 0x000a27b5 488d93e00200. lea rdx, [rbx + 0x2e0]
│ ╎╎╎╎│ │ 0x000a27bc 48895518 mov qword [arg_18h], rdx
│ ╎╎╎╎│ │ 0x000a27c0 4883c801 or rax, 1
│ ╎╎╎╎│ │ 0x000a27c4 6448890425e0. mov qword fs:[0x2e0], rax
│ ╎╎╎╎│ │ 0x000a27cd 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎╎╎╎│ │ 0x000a27da 41b882000000 mov r8d, 0x82
│ ────────< 0x000a27e0 e9a9fcffff jmp 0xa248e
│ ────────> 0x000a27e5 4189d0 mov r8d, edx
│ ╎╎╎╎│ │ 0x000a27e8 4181e0000000. and r8d, 0x40000000
│ ╎╎╎╎│┌──< 0x000a27ef 0f85cb000000 jne 0xa28c0
│ ╎╎╎╎│││ 0x000a27f5 89d0 mov eax, edx
│ ╎╎╎╎│││ 0x000a27f7 25ffffff3f and eax, 0x3fffffff
│ ╎╎╎╎│││ 0x000a27fc 3944240c cmp dword [var_ch], eax
│ ────────< 0x000a2800 0f8458020000 je 0xa2a5e
│ ────────> 0x000a2806 89d6 mov esi, edx
│ ╎╎╎╎│││ 0x000a2808 85d2 test edx, edx
│ ────────< 0x000a280a 0f894e010000 jns 0xa295e
│ ────────> 0x000a2810 89f2 mov edx, esi
│ ╎╎╎╎│││ 0x000a2812 4531d2 xor r10d, r10d
│ ╎╎╎╎│││ 0x000a2815 31f6 xor esi, esi
│ ╎╎╎╎│││ 0x000a2817 4889ef mov rdi, rbp
│ ╎╎╎╎│││ 0x000a281a 4489e8 mov eax, r13d
│ ╎╎╎╎│││ 0x000a281d 0f05 syscall
│ ╎╎╎╎│││ 0x000a281f 483d00f0ffff cmp rax, 0xfffffffffffff000
│ ────────< 0x000a2825 0f8718020000 ja 0xa2a43
│ ╎╎╎╎│││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa2a59(x)
│ ────────> 0x000a282b 8b5500 mov edx, dword [rbp]
│ ╎╎╎╎│││ 0x000a282e b900000080 mov ecx, 0x80000000
│ └───────< 0x000a2833 e9c1fbffff jmp 0xa23f9
│ ────────> 0x000a2838 41b816000000 mov r8d, 0x16
│ ╎╎╎│││ 0x000a283e 4183fdff cmp r13d, 0xffffffff
│ ────────< 0x000a2842 0f8446fcffff je 0xa248e
│ ╎╎╎│││ 0x000a2848 beffffffff mov esi, 0xffffffff ; -1
│ ╎╎╎│││ 0x000a284d 4489ef mov edi, r13d
│ ╎╎╎│││ 0x000a2850 448944240c mov dword [var_ch], r8d
│ ╎╎╎│││ 0x000a2855 e8c6500000 call sym.__pthread_tpp_change_priority
│ ╎╎╎│││ 0x000a285a 448b44240c mov r8d, dword [var_ch]
│ ────────< 0x000a285f e92afcffff jmp 0xa248e
│ ────────> 0x000a2864 85c0 test eax, eax
│ ────────< 0x000a2866 0f841ffeffff je 0xa268b
│ ╎╎╎│││ 0x000a286c 488d0dfdea11. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ ╎╎╎│││ 0x000a2873 babb010000 mov edx, 0x1bb
│ ╎╎╎│││ 0x000a2878 488d35b26711. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ ╎╎╎│││ 0x000a287f 488d3d1ab111. lea rdi, str.robust___oldval__FUTEX_OWNER_DIED___0 ; 0x1bd9a0 ; "robust || (oldval & FUTEX_OWNER_DIED) == 0"
│ ╎╎╎│││ 0x000a2886 e895b3faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
..
│ ────────> 0x000a2890 4183e901 sub r9d, 1
│ ╎╎╎│││ 0x000a2894 4183f901 cmp r9d, 1
│ ────────< 0x000a2898 0f87cefcffff ja 0xa256c
│ ╎╎╎│││ 0x000a289e 488d0dcbea11. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ ╎╎╎│││ 0x000a28a5 baac010000 mov edx, 0x1ac
│ ╎╎╎│││ 0x000a28aa 488d35806711. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ ╎╎╎│││ 0x000a28b1 488d3d88b011. lea rdi, str.e___EDEADLK___kind___PTHREAD_MUTEX_ERRORCHECK_NP__kind___PTHREAD_MUTEX_RECURSIVE_NP_ ; 0x1bd940 ; "e != EDEADLK || (kind != PTHREAD_MUTEX_ERRORCHECK_NP && kind != PTHREAD_MUTEX_RECURSIVE_NP)"
│ ╎╎╎│││ 0x000a28b8 e863b3faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
..
│ ╎╎╎│└──> 0x000a28c0 8b44240c mov eax, dword [var_ch]
│ ╎╎╎│ │ 0x000a28c4 89d6 mov esi, edx
│ ╎╎╎│ │ 0x000a28c6 81e600000080 and esi, 0x80000000
│ ╎╎╎│ │ 0x000a28cc 09c8 or eax, ecx
│ ╎╎╎│ │ 0x000a28ce 09c6 or esi, eax
│ ╎╎╎│ │ 0x000a28d0 89d0 mov eax, edx
│ ╎╎╎│ │ 0x000a28d2 f00fb17500 lock cmpxchg dword [rbp], esi
│ ╎╎╎│┌──< 0x000a28d7 0f8406010000 je 0xa29e3
│ ╎╎╎│││ 0x000a28dd 89c2 mov edx, eax
│ └──────< 0x000a28df e915fbffff jmp 0xa23f9
│ ────────> 0x000a28e4 448b6d10 mov r13d, dword [arg_10h]
│ ╎╎│││ 0x000a28e8 4181e5800000. and r13d, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ ╎╎│││ 0x000a28ef 4489ee mov esi, r13d
│ ╎╎│││ 0x000a28f2 4080f686 xor sil, 0x86
│ ────────< 0x000a28f6 e914fcffff jmp 0xa250f
│ ────────> 0x000a28fb 4183f902 cmp r9d, 2
│ ┌──────< 0x000a28ff 0f84ad010000 je 0xa2ab2
│ │╎╎│││ 0x000a2905 4183f901 cmp r9d, 1
│ ────────< 0x000a2909 0f85d9fbffff jne 0xa24e8
│ │╎╎│││ 0x000a290f 6448c70425f0. mov qword fs:[0x2f0], 0
│ │╎╎│││ 0x000a291c 8b4504 mov eax, dword [arg_4h]
│ │╎╎│││ 0x000a291f 83f8ff cmp eax, 0xffffffff
│ ────────< 0x000a2922 0f8525feffff jne 0xa274d
│ ┌───────> 0x000a2928 41b80b000000 mov r8d, 0xb
│ ────────< 0x000a292e e95bfbffff jmp 0xa248e
│ ────────> 0x000a2933 c74504000000. mov dword [arg_4h], 0
│ ╎│╎╎│││ 0x000a293a 875500 xchg dword [rbp], edx
│ ╎│╎╎│││ 0x000a293d 83fa01 cmp edx, 1
│ ────────< 0x000a2940 0f8f5a010000 jg 0xa2aa0
│ ╎│╎╎│││ ; CODE XREFS from sym.__pthread_mutex_lock_full @ 0xa29cc(x), 0xa2aad(x)
│ ────────> 0x000a2946 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎│╎╎│││ 0x000a2953 41b883000000 mov r8d, 0x83
│ ────────< 0x000a2959 e930fbffff jmp 0xa248e
│ ────────> 0x000a295e 81ce00000080 or esi, 0x80000000
│ ╎│╎╎│││ 0x000a2964 89d0 mov eax, edx
│ ╎│╎╎│││ 0x000a2966 f00fb17500 lock cmpxchg dword [rbp], esi
│ ────────< 0x000a296b 0f849ffeffff je 0xa2810
│ ╎│╎╎│││ 0x000a2971 8b5500 mov edx, dword [rbp]
│ ╎│└─────< 0x000a2974 e980faffff jmp 0xa23f9
..
│ ╎│ ╎└───> 0x000a2980 c74504000000. mov dword [arg_4h], 0
│ ╎│ ╎ ││ 0x000a2987 4531d2 xor r10d, r10d
│ ╎│ ╎ ││ 0x000a298a 31d2 xor edx, edx
│ ╎│ ╎ ││ 0x000a298c 4889ef mov rdi, rbp
│ ╎│ ╎ ││ 0x000a298f be07000000 mov esi, 7
│ ╎│ ╎ ││ 0x000a2994 b8ca000000 mov eax, 0xca
│ ╎│ ╎ ││ 0x000a2999 0f05 syscall
│ ╎│ ╎ ││ 0x000a299b 483d00f0ffff cmp rax, 0xfffffffffffff000
│ ────────< 0x000a29a1 76a3 jbe 0xa2946
│ ╎│ ╎ ││ 0x000a29a3 83f892 cmp eax, 0xffffff92
│ ────────< 0x000a29a6 749e je 0xa2946
│ ╎│ ╎ ││ 0x000a29a8 83c026 add eax, 0x26
│ ╎│ ╎ ││ 0x000a29ab 83f826 cmp eax, 0x26
│ ────────< 0x000a29ae 0f87bcfcffff ja 0xa2670
│ ╎│ ╎ ││ 0x000a29b4 48ba09000008. movabs rdx, 0x6c08000009
│ ╎│ ╎ ││ 0x000a29be 89c1 mov ecx, eax
│ ╎│ ╎ ││ 0x000a29c0 48d3ea shr rdx, cl
│ ╎│ ╎ ││ 0x000a29c3 80e201 and dl, 1
│ ────────< 0x000a29c6 0f84a4fcffff je 0xa2670
│ ────────< 0x000a29cc e975ffffff jmp 0xa2946
..
│ ╎│ ╎ │└─> 0x000a29d8 41b823000000 mov r8d, 0x23 ; '#'
│ ────────< 0x000a29de e9abfaffff jmp 0xa248e
│ ╎│ ╎ └──> 0x000a29e3 48b801000000. movabs rax, 0x7fffffff00000001 ; 9223372032559808513
│ ╎│ ╎ 0x000a29ed 48894504 mov qword [arg_4h], rax
│ ╎│ ╎ 0x000a29f1 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎│ ╎ 0x000a29fa 4883e0fe and rax, 0xfffffffffffffffe
│ ╎│ ╎ 0x000a29fe 4c8948f8 mov qword [rax - 8], r9
│ ╎│ ╎ 0x000a2a02 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎│ ╎ 0x000a2a0b 48894520 mov qword [arg_20h], rax
│ ╎│ ╎ 0x000a2a0f 64488b042510. mov rax, qword fs:[0x10]
│ ╎│ ╎ 0x000a2a18 4805e0020000 add rax, 0x2e0
│ ╎│ ╎ 0x000a2a1e 48894518 mov qword [arg_18h], rax
│ ╎│ ╎ 0x000a2a22 644c890c25e0. mov qword fs:[0x2e0], r9
│ ╎│ ╎ 0x000a2a2b 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎│ ╎ 0x000a2a38 41b882000000 mov r8d, 0x82
│ ────────< 0x000a2a3e e94bfaffff jmp 0xa248e
│ ────────> 0x000a2a43 83c00b add eax, 0xb
│ ╎│ ╎ 0x000a2a46 83f80b cmp eax, 0xb
│ ────────< 0x000a2a49 0f8721fcffff ja 0xa2670
│ ╎│ ╎ 0x000a2a4f 480fa3c3 bt rbx, rax
│ ────────< 0x000a2a53 0f8317fcffff jae 0xa2670
│ ────────< 0x000a2a59 e9cdfdffff jmp 0xa282b
│ ────────> 0x000a2a5e 418b06 mov eax, dword [r14]
│ ╎│ ╎ 0x000a2a61 83e07f and eax, 0x7f
│ ╎│ ╎ 0x000a2a64 83f812 cmp eax, 0x12
│ ╎│ ╎ ┌─< 0x000a2a67 7449 je 0xa2ab2
│ ╎│ ╎ │ 0x000a2a69 83f811 cmp eax, 0x11
│ ────────< 0x000a2a6c 0f8594fdffff jne 0xa2806
│ ╎│ ╎ │ 0x000a2a72 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎│ ╎ │ 0x000a2a7f 8b4504 mov eax, dword [arg_4h]
│ ╎│ ╎ │ 0x000a2a82 83f8ff cmp eax, 0xffffffff
│ └───────< 0x000a2a85 0f849dfeffff je 0xa2928
│ │ ╎ │ 0x000a2a8b 83c001 add eax, 1
│ │ ╎ │ 0x000a2a8e 894504 mov dword [arg_4h], eax
│ ────────< 0x000a2a91 e9f8f9ffff jmp 0xa248e
..
│ ────────> 0x000a2aa0 be80000000 mov esi, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ │ ╎ │ 0x000a2aa5 4889ef mov rdi, rbp
│ │ ╎ │ 0x000a2aa8 e8139bffff call sym.__GI___lll_lock_wake
│ ────────< 0x000a2aad e994feffff jmp 0xa2946
│ └────└─> 0x000a2ab2 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎ 0x000a2abf 41b823000000 mov r8d, 0x23 ; '#'
│ └────< 0x000a2ac5 e9c4f9ffff jmp 0xa248e
│ ────────> 0x000a2aca 488d0d9fe811. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ 0x000a2ad1 bab1010000 mov edx, 0x1b1
│ 0x000a2ad6 488d35546511. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ 0x000a2add 488d3d626511. lea rdi, str.e___ESRCH___robust ; 0x1b9046 ; "e != ESRCH || !robust"
│ 0x000a2ae4 e837b1faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│ ────────> 0x000a2ae9 488d0d80e811. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ 0x000a2af0 ba4e020000 mov edx, 0x24e
│ 0x000a2af5 488d35356511. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ 0x000a2afc 488d3d596511. lea rdi, str.mutex____data.__owner__0 ; 0x1b905c ; "mutex->__data.__owner == 0"
│ 0x000a2b03 e818b1faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
└ ────────> 0x000a2b08 e873a70b00 call sym.__stack_chk_fail ; void __stack_chk_fail(void)
[0x000a2380]> aei
[0x000a2380]> /as | grep 0x000a281d
0x000a281d read
[0x000a2380]> /as | grep 0x000a2
0x000a2315 futex
0x000a251c futex
0x000a2653 rt_sigprocmask
0x000a2ec9 rt_sigprocmask
0x000a2f43 futex
[0x000a2380]> /as | grep 0x000a281d
[0x000a2380]>
Syscalls @0x000a2999 and @0x000a281d are neither detected nor identified.
Trivial note: if I try to complete "ver" by using tab, the system crashes consistently.
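The detection problem discussed in this issue, shown as an added example (it is not radare2 code and not part of the original report): the syscall number that reaches `eax` is resolved by tracing definitions backwards through the control-flow graph rather than in address order, which is exactly what makes a `mov eax, r13d` right before the `syscall` hard when `r13d` was loaded far away. The listing is a constructed miniature that copies the shape of the real function above (r13d loaded with 0xca well before the slow path, and a block that linearly precedes the slow path clobbering r13d); the addresses, the block layout and the small syscall table are assumptions made for illustration.

```python
"""Resolve which x86-64 syscall each `syscall` instruction performs by tracing
the value of eax backwards through the control-flow graph.

Added example, not radare2 code. LISTING is a constructed miniature of the
pattern seen in __pthread_mutex_lock_full: r13d gets 0xca (futex) far from
the `syscall`, and the block just before the slow path in address order
clobbers r13d, so a naive linear backward scan picks up the wrong value.
"""

# Subset of the x86-64 syscall table (numbers are the Linux ABI values).
SYSCALLS = {0: "read", 1: "write", 9: "mmap", 14: "rt_sigprocmask",
            60: "exit", 202: "futex"}

GPR64 = ["rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp"] + [f"r{n}" for n in range(8, 16)]
GPR32 = ["eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"] + [f"r{n}d" for n in range(8, 16)]
LOW32 = dict(zip(GPR64, GPR32))          # rax -> eax, r13 -> r13d, ...
REGS = set(GPR32)
JUMPS = {"jmp", "je", "jne", "jg", "jge", "jl", "jle", "ja", "jae", "jb", "jbe", "js", "jns"}
READ_ONLY = {"cmp", "test", "bt", "push"}  # first operand is read, not written

# Constructed listing with hypothetical addresses; text after ';' is ignored.
LISTING = """
0x1000 mov r13d, 0xca        ; futex, loaded far from where it is used
0x1006 mov edx, dword [rdi]
0x1008 test edx, edx
0x100a jne 0x1030            ; slow path sits at the end of the function
0x1010 mov eax, 0xca
0x1015 syscall               ; easy: immediate right before the syscall
0x1017 mov r13d, 0x80        ; clobbers r13d just before the slow path in address order
0x101d xor eax, eax
0x101f syscall               ; eax zeroed with xor: read
0x1021 jmp 0x1050
0x1030 xor esi, esi
0x1032 mov rdi, rbp
0x1035 mov eax, r13d         ; hard case: the number arrives through r13d
0x1038 syscall
0x103a jmp 0x1008            ; loop back without touching r13d
0x1050 mov eax, r8d
0x1053 ret
"""


def parse(listing):
    """Return [(address, mnemonic, [operands])] from 'addr mnem ops ; comment' lines."""
    insns = []
    for line in listing.splitlines():
        text = line.split(";")[0].strip()
        if not text:
            continue
        addr, _, rest = text.partition(" ")
        mnem, _, opstr = rest.strip().partition(" ")
        ops = [o.strip() for o in opstr.split(",")] if opstr else []
        insns.append((int(addr, 16), mnem, ops))
    return insns


def cfg_preds(insns):
    """Predecessor sets: fall-through edges plus resolved direct jump targets."""
    index = {addr: i for i, (addr, _, _) in enumerate(insns)}
    preds = {i: set() for i in range(len(insns))}
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem not in ("jmp", "ret") and i + 1 < len(insns):
            preds[i + 1].add(i)
        if mnem in JUMPS and int(ops[0], 16) in index:
            preds[index[int(ops[0], 16)]].add(i)
    return preds


def linear_preds(insns):
    """What a backward scan in address order implicitly assumes."""
    return {i: ({i - 1} if i else set()) for i in range(len(insns))}


def imm(text):
    try:
        return int(text, 0)
    except ValueError:
        return None


def resolve(insns, preds, start, reg="eax"):
    """Values `reg` may hold at insns[start]; None marks an unknown source."""
    values, seen = set(), set()
    stack = [(p, reg) for p in preds[start]]
    while stack:
        i, reg = stack.pop()
        if (i, reg) in seen:
            continue
        seen.add((i, reg))
        _, mnem, ops = insns[i]
        dst = LOW32.get(ops[0], ops[0]) if ops else None
        if dst == reg:
            if mnem == "mov":
                value = imm(ops[1])
                if value is not None:                 # definition found on this path
                    values.add(value)
                    continue
                src = LOW32.get(ops[1], ops[1])
                if src not in REGS:                   # memory load: give up on this path
                    values.add(None)
                    continue
                reg = src                             # keep tracing the source register
            elif mnem == "xor" and LOW32.get(ops[1], ops[1]) == reg:
                values.add(0)
                continue
            elif mnem not in READ_ONLY:               # any other write: unknown
                values.add(None)
                continue
        elif mnem in ("call", "syscall") and reg == "eax":
            values.add(None)                          # rax clobbered by callee/kernel
            continue
        if not preds[i]:
            values.add(None)                          # entry reached without a definition
        stack.extend((p, reg) for p in preds[i])
    return values


def describe(values):
    names = ["unknown" if v is None else SYSCALLS.get(v, f"syscall {v:#x}")
             for v in sorted(values, key=lambda v: (v is None, v or 0))]
    return " | ".join(names)


def analyze(listing, cfg=True):
    """Map each syscall address to the set of syscall numbers it may invoke."""
    insns = parse(listing)
    preds = cfg_preds(insns) if cfg else linear_preds(insns)
    return {addr: resolve(insns, preds, i)
            for i, (addr, mnem, _) in enumerate(insns) if mnem == "syscall"}


if __name__ == "__main__":
    for cfg in (True, False):
        print("CFG-aware:" if cfg else "linear scan:")
        for addr, values in analyze(LISTING, cfg).items():
            print(f"  {addr:#x}  {describe(values)}")
```

Run directly, the script prints both analyses: the CFG-aware pass reports `futex` for the `mov eax, r13d` case, while the address-order scan reports `syscall 0x80` because it stops at the clobbering `mov r13d, 0x80` that only sits next to the slow path in the file, not in the control flow. A source that cannot be resolved (a memory load, or the function entry reached without a definition) is reported as `unknown`, so a syscall is still listed even when its number is not known.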
Can you try again? I did some improvements and updated tests too :)
Hello,
Please forgive me for my late answer.
From my standpoint, the problem remains, but it is slightly different from what it was back in August.
The syscall @0x000a281d is now wrongly reported as `read`. This smells fishy, since `read` is syscall 0 on x86_64.
I argue this is somehow related to ESIL register initialization. Couldn't registers be initialized with -1? In this way, we could at least say a syscall is detected, but we couldn't determine which one.
Please note that this syscall detection is somewhat more complicated than others (at least for humans), because it loads eax with r13d, and r13d is loaded @0x000a23EE (more than 1k away) with 0xca (futex).
The other syscall @0x000a2999 is still not listed; not sure why, since it should be trivial to spot. Its number is loaded by the previous instruction.
$ r2 -v
radare2 5.8.3 30140 @ linux-x86-64 git.5.8.2-98-gf58373e00d
commit: f58373e00d86bcab3638c7e1d87285258a15ac9a build: 2023-02-16__10:42:09
$ r2 glibc-2.34-40.el9.x86_64_libc.so
WARN: run r2 with -e bin.cache=true to fix relocations in disassembly
-- The motion picture contained in this videodisc is protected under the copyright laws.
[0x00040070]> aa
INFO: Analyze all flags starting with sym. and entry0 (aa)
WARN: Cannot find basic block for switch case at 0x0012c3a2 bbdelta = 18
WARN: Cannot find basic block for switch case at 0x000d6556 bbdelta = 34
WARN: Cannot find basic block for switch case at 0x001980d9 bbdelta = 23
INFO: Analyze all functions arguments/locals (afva@@@F)
[0x00040070]> s sym.__pthread_mutex_lock_full
[0x000a2380]> pdf
Do you want to print 443 lines? (y/N) y
; JUMP XREF from sym.pthread_mutex_lock @ 0xa2bd0(x)
┌ 1875: sym.__pthread_mutex_lock_full (int64_t arg1, int64_t arg2, int64_t arg_4h, int64_t arg_8h, int64_t arg_ch, int64_t arg_10h, int64_t arg_18h, int64_t arg_20h);
│ ; arg int64_t arg1 @ rdi
│ ; arg int64_t arg2 @ rsi
│ ; arg int64_t arg_4h @ rbp+0x4
│ ; arg int64_t arg_8h @ rbp+0x8
│ ; arg int64_t arg_ch @ rbp+0xc
│ ; arg int64_t arg_10h @ rbp+0x10
│ ; arg int64_t arg_18h @ rbp+0x18
│ ; arg int64_t arg_20h @ rbp+0x20
│ ; var int64_t var_ch @ rsp-0x4c
│ ; var int64_t var_14h @ rsp-0x44
│ ; var int64_t var_18h @ rsp-0x40
│ 0x000a2380 4157 push r15
│ 0x000a2382 4156 push r14
│ 0x000a2384 4155 push r13
│ 0x000a2386 4154 push r12
│ 0x000a2388 55 push rbp
│ 0x000a2389 4889fd mov rbp, rdi ; arg1
│ 0x000a238c 53 push rbx
│ 0x000a238d 4883ec28 sub rsp, 0x28
│ 0x000a2391 64488b042528. mov rax, qword fs:[0x28]
│ 0x000a239a 4889442418 mov qword [var_18h], rax
│ 0x000a239f 31c0 xor eax, eax
│ 0x000a23a1 648b0425d002. mov eax, dword fs:[0x2d0]
│ 0x000a23a9 8944240c mov dword [var_ch], eax
│ 0x000a23ad 8b5710 mov edx, dword [rdi + 0x10] ; arg1
│ 0x000a23b0 4c8d7710 lea r14, [rdi + 0x10] ; arg1
│ 0x000a23b4 89d0 mov eax, edx
│ 0x000a23b6 83e07f and eax, 0x7f
│ 0x000a23b9 83f833 cmp eax, 0x33 ; '3'
│ ┌─< 0x000a23bc 0f8fd6010000 jg 0xa2598
│ │ 0x000a23c2 83f82f cmp eax, 0x2f ; '/'
│ ┌──< 0x000a23c5 0f8ff5000000 jg 0xa24c0
│ ││ 0x000a23cb 83f813 cmp eax, 0x13
│ ┌───< 0x000a23ce 0f8fe4000000 jg 0xa24b8
│ │││ 0x000a23d4 83e270 and edx, 0x70
│ ┌────< 0x000a23d7 0f84ab000000 je 0xa2488
│ ││││ 0x000a23dd 4c8d4f20 lea r9, [rdi + 0x20] ; arg1
│ ││││ 0x000a23e1 644c890c25f0. mov qword fs:[0x2f0], r9
│ ││││ 0x000a23ea 8b17 mov edx, dword [rdi] ; arg1
│ ││││ 0x000a23ec 31c9 xor ecx, ecx
│ ││││ 0x000a23ee 41bdca000000 mov r13d, 0xca
│ ││││ 0x000a23f4 bb81080000 mov ebx, 0x881
│ ││││ ; CODE XREFS from sym.__pthread_mutex_lock_full @ 0xa2833(x), 0xa28df(x), 0xa2974(x)
│ ┌┌┌─────> 0x000a23f9 85d2 test edx, edx
│ ────────< 0x000a23fb 0f85e4030000 jne 0xa27e5
│ ╎╎╎││││ 0x000a2401 8b74240c mov esi, dword [var_ch]
│ ╎╎╎││││ 0x000a2405 89d0 mov eax, edx
│ ╎╎╎││││ 0x000a2407 09ce or esi, ecx
│ ╎╎╎││││ 0x000a2409 f00fb17500 lock cmpxchg dword [rbp], esi
│ ╎╎╎││││ 0x000a240e 89c2 mov edx, eax
│ ╎╎╎││││ 0x000a2410 85c0 test eax, eax
│ ────────< 0x000a2412 0f85cd030000 jne 0xa27e5
│ ╎╎╎││││ 0x000a2418 817d08feffff. cmp dword [arg_8h], 0x7ffffffe
│ ────────< 0x000a241f 0f840e050000 je 0xa2933
│ ╎╎╎││││ 0x000a2425 c74504010000. mov dword [arg_4h], 1
│ ╎╎╎││││ 0x000a242c 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎╎╎││││ 0x000a2435 4883e0fe and rax, 0xfffffffffffffffe
│ ╎╎╎││││ 0x000a2439 4c8948f8 mov qword [rax - 8], r9
│ ╎╎╎││││ 0x000a243d 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎╎╎││││ 0x000a2446 48894520 mov qword [arg_20h], rax
│ ╎╎╎││││ 0x000a244a 64488b042510. mov rax, qword fs:[0x10]
│ ╎╎╎││││ 0x000a2453 4805e0020000 add rax, 0x2e0
│ ╎╎╎││││ 0x000a2459 48894518 mov qword [arg_18h], rax
│ ╎╎╎││││ 0x000a245d 644c890c25e0. mov qword fs:[0x2e0], r9
│ ╎╎╎││││ 0x000a2466 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎╎╎││││ ; CODE XREFS from sym.__pthread_mutex_lock_full @ 0xa2692(x), 0xa2727(x)
│ ────────> 0x000a2473 8b44240c mov eax, dword [var_ch]
│ ╎╎╎││││ 0x000a2477 83450c01 add dword [arg_ch], 1
│ ╎╎╎││││ 0x000a247b 894508 mov dword [arg_8h], eax
│ ╎╎╎││││ 0x000a247e 90 nop
│ ╎╎╎││││ 0x000a247f 4531c0 xor r8d, r8d
│ ────────< 0x000a2482 eb0a jmp 0xa248e
..
│ ───└────> 0x000a2488 41b816000000 mov r8d, 0x16
│ ╎╎╎ │││ ; XREFS: CODE 0x000a2482 CODE 0x000a2756 CODE 0x000a27e0 CODE 0x000a285f CODE 0x000a292e CODE 0x000a2959
│ ╎╎╎ │││ ; XREFS: CODE 0x000a29de CODE 0x000a2a3e CODE 0x000a2a91 CODE 0x000a2ac5
│ ───┌────> 0x000a248e 488b442418 mov rax, qword [var_18h]
│ ╎╎╎╎│││ 0x000a2493 64482b042528. sub rax, qword fs:[0x28]
│ ────────< 0x000a249c 0f8566060000 jne 0xa2b08
│ ╎╎╎╎│││ 0x000a24a2 4883c428 add rsp, 0x28
│ ╎╎╎╎│││ 0x000a24a6 4489c0 mov eax, r8d
│ ╎╎╎╎│││ 0x000a24a9 5b pop rbx
│ ╎╎╎╎│││ 0x000a24aa 5d pop rbp
│ ╎╎╎╎│││ 0x000a24ab 415c pop r12
│ ╎╎╎╎│││ 0x000a24ad 415d pop r13
│ ╎╎╎╎│││ 0x000a24af 415e pop r14
│ ╎╎╎╎│││ 0x000a24b1 415f pop r15
│ ╎╎╎╎│││ 0x000a24b3 c3 ret
..
│ ╎╎╎╎└───> 0x000a24b8 83e820 sub eax, 0x20 ; sym.__libc_tsd_CTYPE_TOUPPER ; "@"
│ ╎╎╎╎ ││ 0x000a24bb 83f803 cmp eax, 3
│ ────────< 0x000a24be 77c8 ja 0xa2488
│ ╎╎╎╎ └──> 0x000a24c0 8b4510 mov eax, dword [arg_10h]
│ ╎╎╎╎ │ 0x000a24c3 4189c1 mov r9d, eax
│ ╎╎╎╎ │ 0x000a24c6 4183e103 and r9d, 3
│ ╎╎╎╎ │ 0x000a24ca 83e010 and eax, 0x10 ; sym.__libc_errno
│ ╎╎╎╎ │ 0x000a24cd 4189c0 mov r8d, eax
│ ╎╎╎╎ ┌──< 0x000a24d0 0f85d2010000 jne 0xa26a8
│ ╎╎╎╎ ││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa26b9(x)
│ ╎╎╎╎┌───> 0x000a24d6 8b4500 mov eax, dword [rbp]
│ ╎╎╎╎╎││ 0x000a24d9 25ffffff3f and eax, 0x3fffffff
│ ╎╎╎╎╎││ 0x000a24de 3944240c cmp dword [var_ch], eax
│ ────────< 0x000a24e2 0f8413040000 je 0xa28fb
│ ────────> 0x000a24e8 8b5c240c mov ebx, dword [var_ch]
│ ╎╎╎╎╎││ 0x000a24ec 31c0 xor eax, eax
│ ╎╎╎╎╎││ 0x000a24ee f00fb15d00 lock cmpxchg dword [rbp], ebx
│ ╎╎╎╎╎││ 0x000a24f3 85c0 test eax, eax
│ ────────< 0x000a24f5 0f84c3010000 je 0xa26be
│ ╎╎╎╎╎││ 0x000a24fb be06000000 mov esi, 6
│ ╎╎╎╎╎││ 0x000a2500 41bd80000000 mov r13d, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ ╎╎╎╎╎││ 0x000a2506 4585c0 test r8d, r8d
│ ────────< 0x000a2509 0f84d5030000 je 0xa28e4
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa28f6(x)
│ ────────> 0x000a250f 4531d2 xor r10d, r10d
│ ╎╎╎╎╎││ 0x000a2512 31d2 xor edx, edx
│ ╎╎╎╎╎││ 0x000a2514 4889ef mov rdi, rbp
│ ╎╎╎╎╎││ 0x000a2517 b8ca000000 mov eax, 0xca
│ ╎╎╎╎╎││ 0x000a251c 0f05 syscall
│ ╎╎╎╎╎││ 0x000a251e 83f892 cmp eax, 0xffffff92
│ ────────< 0x000a2521 0f8434020000 je 0xa275b
│ ╎╎╎╎╎││ 0x000a2527 8d5023 lea edx, [rax + 0x23]
│ ╎╎╎╎╎││ 0x000a252a 83fa23 cmp edx, 0x23 ; '#'
│ ────────< 0x000a252d 0f873d010000 ja 0xa2670
│ ╎╎╎╎╎││ 0x000a2533 48b901200081. movabs rcx, 0x981002001
│ ╎╎╎╎╎││ 0x000a253d 480fa3d1 bt rcx, rdx
│ ────────< 0x000a2541 0f8329010000 jae 0xa2670
│ ╎╎╎╎╎││ 0x000a2547 89c2 mov edx, eax
│ ╎╎╎╎╎││ 0x000a2549 83e2df and edx, 0xffffffdf ; 4294967263
│ ╎╎╎╎╎││ 0x000a254c 83fadd cmp edx, 0xffffffdd
│ ────────< 0x000a254f 0f8506020000 jne 0xa275b
│ ╎╎╎╎╎││ 0x000a2555 83f8dd cmp eax, 0xffffffdd
│ ────────< 0x000a2558 0f8432030000 je 0xa2890
│ ╎╎╎╎╎││ 0x000a255e 83f8fd cmp eax, 0xfffffffd
│ ────────< 0x000a2561 7509 jne 0xa256c
│ ╎╎╎╎╎││ 0x000a2563 4585c0 test r8d, r8d
│ ────────< 0x000a2566 0f855e050000 jne 0xa2aca
│ ────────> 0x000a256c 488d5c2414 lea rbx, [var_14h]
│ ╎╎╎╎╎││ 0x000a2571 0f1f80000000. nop dword [rax]
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa2591(x)
│ ────────> 0x000a2578 4589e8 mov r8d, r13d
│ ╎╎╎╎╎││ 0x000a257b 31c9 xor ecx, ecx
│ ╎╎╎╎╎││ 0x000a257d 31d2 xor edx, edx
│ ╎╎╎╎╎││ 0x000a257f 31f6 xor esi, esi
│ ╎╎╎╎╎││ 0x000a2581 4889df mov rdi, rbx
│ ╎╎╎╎╎││ 0x000a2584 c74424140000. mov dword [var_14h], 0
│ ╎╎╎╎╎││ 0x000a258c e84f9effff call sym.__GI___futex_abstimed_wait64
│ ────────< 0x000a2591 ebe5 jmp 0xa2578
..
│ ╎╎╎╎╎│└─> 0x000a2598 83e840 sub eax, 0x40 ; case.0x18e554.1
│ ╎╎╎╎╎│ 0x000a259b 83f803 cmp eax, 3
│ ────────< 0x000a259e 0f87e4feffff ja 0xa2488
│ ╎╎╎╎╎│ 0x000a25a4 8b4710 mov eax, dword [rdi + 0x10] ; arg1
│ ╎╎╎╎╎│ 0x000a25a7 41bdffffffff mov r13d, 0xffffffff ; -1
│ ╎╎╎╎╎│ 0x000a25ad 448b27 mov r12d, dword [rdi] ; arg1
│ ╎╎╎╎╎│ 0x000a25b0 8b5c240c mov ebx, dword [var_ch]
│ ╎╎╎╎╎│ 0x000a25b4 3b5f08 cmp ebx, dword [rdi + 8] ; arg1
│ ╎╎╎╎╎│┌─< 0x000a25b7 0f846f010000 je 0xa272c
│ ────────> 0x000a25bd 41bfca000000 mov r15d, 0xca
│ ╎╎╎╎╎││ 0x000a25c3 0f1f440000 nop dword [rax + rax]
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa26a3(x)
│ ────────> 0x000a25c8 4489e3 mov ebx, r12d
│ ╎╎╎╎╎││ 0x000a25cb c1eb13 shr ebx, 0x13
│ ╎╎╎╎╎││ 0x000a25ce e84d570000 call sym.__GI___pthread_current_priority
│ ╎╎╎╎╎││ 0x000a25d3 39d8 cmp eax, ebx
│ ────────< 0x000a25d5 0f8f5d020000 jg 0xa2838
│ ╎╎╎╎╎││ 0x000a25db 89de mov esi, ebx
│ ╎╎╎╎╎││ 0x000a25dd 4489ef mov edi, r13d
│ ╎╎╎╎╎││ 0x000a25e0 e83b530000 call sym.__pthread_tpp_change_priority
│ ╎╎╎╎╎││ 0x000a25e5 4189c0 mov r8d, eax
│ ╎╎╎╎╎││ 0x000a25e8 85c0 test eax, eax
│ ────────< 0x000a25ea 0f859efeffff jne 0xa248e
│ ╎╎╎╎╎││ 0x000a25f0 4589e0 mov r8d, r12d
│ ╎╎╎╎╎││ 0x000a25f3 4181e00000f8. and r8d, 0xfff80000
│ ╎╎╎╎╎││ 0x000a25fa 4589c1 mov r9d, r8d
│ ╎╎╎╎╎││ 0x000a25fd 4489c0 mov eax, r8d
│ ╎╎╎╎╎││ 0x000a2600 4183c901 or r9d, 1
│ ╎╎╎╎╎││ 0x000a2604 f0440fb14d00 lock cmpxchg dword [rbp], r9d
│ ────────< 0x000a260a 7474 je 0xa2680
│ ╎╎╎╎╎││ 0x000a260c 4489c2 mov edx, r8d
│ ╎╎╎╎╎││ 0x000a260f 83ca02 or edx, 2
│ ────────< 0x000a2612 eb0e jmp 0xa2622
..
│ ────────> 0x000a2618 4489c0 mov eax, r8d
│ ╎╎╎╎╎││ 0x000a261b f00fb15500 lock cmpxchg dword [rbp], edx
│ ────────< 0x000a2620 745e je 0xa2680
│ ╎╎╎╎╎││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa2612(x)
│ ────────> 0x000a2622 4489c8 mov eax, r9d
│ ╎╎╎╎╎││ 0x000a2625 f00fb15500 lock cmpxchg dword [rbp], edx
│ ╎╎╎╎╎││ 0x000a262a 89c1 mov ecx, eax
│ ╎╎╎╎╎││ 0x000a262c 4189c4 mov r12d, eax
│ ╎╎╎╎╎││ 0x000a262f 81e10000f8ff and ecx, 0xfff80000
│ ╎╎╎╎╎││ 0x000a2635 4139c8 cmp r8d, ecx
│ ────────< 0x000a2638 7566 jne 0xa26a0
│ ╎╎╎╎╎││ 0x000a263a 4139c0 cmp r8d, eax
│ ────────< 0x000a263d 74d9 je 0xa2618
│ ╎╎╎╎╎││ 0x000a263f 418b36 mov esi, dword [r14]
│ ╎╎╎╎╎││ 0x000a2642 4531d2 xor r10d, r10d
│ ╎╎╎╎╎││ 0x000a2645 4889ef mov rdi, rbp
│ ╎╎╎╎╎││ 0x000a2648 4489f8 mov eax, r15d
│ ╎╎╎╎╎││ 0x000a264b f7d6 not esi
│ ╎╎╎╎╎││ 0x000a264d 81e680000000 and esi, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ ╎╎╎╎╎││ 0x000a2653 0f05 syscall
│ ╎╎╎╎╎││ 0x000a2655 483d00f0ffff cmp rax, 0xfffffffffffff000
│ ────────< 0x000a265b 76bb jbe 0xa2618
│ ╎╎╎╎╎││ 0x000a265d 83c00b add eax, 0xb
│ ╎╎╎╎╎││ 0x000a2660 83f80b cmp eax, 0xb
│ ────────< 0x000a2663 770b ja 0xa2670
│ ╎╎╎╎╎││ 0x000a2665 bf81080000 mov edi, 0x881
│ ╎╎╎╎╎││ 0x000a266a 480fa3c7 bt rdi, rax
│ ────────< 0x000a266e 72a8 jb 0xa2618
│ ────────> 0x000a2670 488d3dc1b111. lea rdi, str.The_futex_facility_returned_an_unexpected_error_code._n ; 0x1bd838 ; "The futex facility returned an unexpected error code.\n"
│ ╎╎╎╎╎││ 0x000a2677 e8242fffff call sym.__libc_fatal
│ ╎╎╎╎╎││ 0x000a267c 0f1f4000 nop dword [rax]
│ ────────> 0x000a2680 8b4508 mov eax, dword [arg_8h]
│ ╎╎╎╎╎││ 0x000a2683 85c0 test eax, eax
│ ────────< 0x000a2685 0f855e040000 jne 0xa2ae9
│ ────────> 0x000a268b c74504010000. mov dword [arg_4h], 1
│ ────────< 0x000a2692 e9dcfdffff jmp 0xa2473
..
│ ────────> 0x000a26a0 4189dd mov r13d, ebx
│ ────────< 0x000a26a3 e920ffffff jmp 0xa25c8
│ ╎╎╎╎╎└──> 0x000a26a8 488d4520 lea rax, [arg_20h]
│ ╎╎╎╎╎ │ 0x000a26ac 4883c801 or rax, 1
│ ╎╎╎╎╎ │ 0x000a26b0 6448890425f0. mov qword fs:[0x2f0], rax
│ ╎╎╎╎└───< 0x000a26b9 e918feffff jmp 0xa24d6
│ ────────> 0x000a26be 4585c0 test r8d, r8d
│ ────────< 0x000a26c1 74c8 je 0xa268b
│ ╎╎╎╎ ┌──> 0x000a26c3 817d08feffff. cmp dword [arg_8h], 0x7ffffffe
│ ╎╎╎╎┌───< 0x000a26ca 0f84b0020000 je 0xa2980
│ ╎╎╎╎│╎│ 0x000a26d0 c74504010000. mov dword [arg_4h], 1
│ ╎╎╎╎│╎│ 0x000a26d7 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│╎│ 0x000a26e0 488d4520 lea rax, [arg_20h]
│ ╎╎╎╎│╎│ 0x000a26e4 4883e2fe and rdx, 0xfffffffffffffffe
│ ╎╎╎╎│╎│ 0x000a26e8 488942f8 mov qword [rdx - 8], rax
│ ╎╎╎╎│╎│ 0x000a26ec 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│╎│ 0x000a26f5 48895520 mov qword [arg_20h], rdx
│ ╎╎╎╎│╎│ 0x000a26f9 64488b1c2510. mov rbx, qword fs:[0x10]
│ ╎╎╎╎│╎│ 0x000a2702 488d93e00200. lea rdx, [rbx + 0x2e0]
│ ╎╎╎╎│╎│ 0x000a2709 48895518 mov qword [arg_18h], rdx
│ ╎╎╎╎│╎│ 0x000a270d 4883c801 or rax, 1
│ ╎╎╎╎│╎│ 0x000a2711 6448890425e0. mov qword fs:[0x2e0], rax
│ ╎╎╎╎│╎│ 0x000a271a 6448c70425f0. mov qword fs:[0x2f0], 0
│ ────────< 0x000a2727 e947fdffff jmp 0xa2473
│ ╎╎╎╎│╎└─> 0x000a272c 83e003 and eax, 3
│ ╎╎╎╎│╎ 0x000a272f 83f802 cmp eax, 2
│ ╎╎╎╎│╎┌─< 0x000a2732 0f84a0020000 je 0xa29d8
│ ╎╎╎╎│╎│ 0x000a2738 83f801 cmp eax, 1
│ ────────< 0x000a273b 0f857cfeffff jne 0xa25bd
│ ╎╎╎╎│╎│ 0x000a2741 8b4704 mov eax, dword [rdi + 4] ; arg1
│ ╎╎╎╎│╎│ 0x000a2744 83f8ff cmp eax, 0xffffffff
│ ────────< 0x000a2747 0f84db010000 je 0xa2928
│ ────────> 0x000a274d 83c001 add eax, 1
│ ╎╎╎╎│╎│ 0x000a2750 4531c0 xor r8d, r8d
│ ╎╎╎╎│╎│ 0x000a2753 894504 mov dword [arg_4h], eax
│ ────────< 0x000a2756 e933fdffff jmp 0xa248e
│ ────────> 0x000a275b 8b4500 mov eax, dword [rbp]
│ ╎╎╎╎│╎│ 0x000a275e 2500000040 and eax, 0x40000000
│ ╎╎╎╎│╎│ 0x000a2763 4585c0 test r8d, r8d
│ ────────< 0x000a2766 0f84f8000000 je 0xa2864
│ ╎╎╎╎│╎│ 0x000a276c 85c0 test eax, eax
│ ╎╎╎╎│└──< 0x000a276e 0f844fffffff je 0xa26c3
│ ╎╎╎╎│ │ 0x000a2774 f0816500ffff. lock and dword [rbp], 0xbfffffff ; [0xbfffffff:4]=-1
│ ╎╎╎╎│ │ 0x000a277c 48b801000000. movabs rax, 0x7fffffff00000001 ; 9223372032559808513
│ ╎╎╎╎│ │ 0x000a2786 48894504 mov qword [arg_4h], rax
│ ╎╎╎╎│ │ 0x000a278a 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│ │ 0x000a2793 488d4520 lea rax, [arg_20h]
│ ╎╎╎╎│ │ 0x000a2797 4883e2fe and rdx, 0xfffffffffffffffe
│ ╎╎╎╎│ │ 0x000a279b 488942f8 mov qword [rdx - 8], rax
│ ╎╎╎╎│ │ 0x000a279f 64488b1425e0. mov rdx, qword fs:[0x2e0]
│ ╎╎╎╎│ │ 0x000a27a8 48895520 mov qword [arg_20h], rdx
│ ╎╎╎╎│ │ 0x000a27ac 64488b1c2510. mov rbx, qword fs:[0x10]
│ ╎╎╎╎│ │ 0x000a27b5 488d93e00200. lea rdx, [rbx + 0x2e0]
│ ╎╎╎╎│ │ 0x000a27bc 48895518 mov qword [arg_18h], rdx
│ ╎╎╎╎│ │ 0x000a27c0 4883c801 or rax, 1
│ ╎╎╎╎│ │ 0x000a27c4 6448890425e0. mov qword fs:[0x2e0], rax
│ ╎╎╎╎│ │ 0x000a27cd 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎╎╎╎│ │ 0x000a27da 41b882000000 mov r8d, 0x82
│ ────────< 0x000a27e0 e9a9fcffff jmp 0xa248e
│ ────────> 0x000a27e5 4189d0 mov r8d, edx
│ ╎╎╎╎│ │ 0x000a27e8 4181e0000000. and r8d, 0x40000000
│ ╎╎╎╎│┌──< 0x000a27ef 0f85cb000000 jne 0xa28c0
│ ╎╎╎╎│││ 0x000a27f5 89d0 mov eax, edx
│ ╎╎╎╎│││ 0x000a27f7 25ffffff3f and eax, 0x3fffffff
│ ╎╎╎╎│││ 0x000a27fc 3944240c cmp dword [var_ch], eax
│ ────────< 0x000a2800 0f8458020000 je 0xa2a5e
│ ────────> 0x000a2806 89d6 mov esi, edx
│ ╎╎╎╎│││ 0x000a2808 85d2 test edx, edx
│ ────────< 0x000a280a 0f894e010000 jns 0xa295e
│ ────────> 0x000a2810 89f2 mov edx, esi
│ ╎╎╎╎│││ 0x000a2812 4531d2 xor r10d, r10d
│ ╎╎╎╎│││ 0x000a2815 31f6 xor esi, esi
│ ╎╎╎╎│││ 0x000a2817 4889ef mov rdi, rbp
│ ╎╎╎╎│││ 0x000a281a 4489e8 mov eax, r13d
│ ╎╎╎╎│││ 0x000a281d 0f05 syscall ; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< this
│ ╎╎╎╎│││ 0x000a281f 483d00f0ffff cmp rax, 0xfffffffffffff000
│ ────────< 0x000a2825 0f8718020000 ja 0xa2a43
│ ╎╎╎╎│││ ; CODE XREF from sym.__pthread_mutex_lock_full @ 0xa2a59(x)
│ ────────> 0x000a282b 8b5500 mov edx, dword [rbp]
│ ╎╎╎╎│││ 0x000a282e b900000080 mov ecx, 0x80000000
│ └───────< 0x000a2833 e9c1fbffff jmp 0xa23f9
│ ────────> 0x000a2838 41b816000000 mov r8d, 0x16
│ ╎╎╎│││ 0x000a283e 4183fdff cmp r13d, 0xffffffff
│ ────────< 0x000a2842 0f8446fcffff je 0xa248e
│ ╎╎╎│││ 0x000a2848 beffffffff mov esi, 0xffffffff ; -1
│ ╎╎╎│││ 0x000a284d 4489ef mov edi, r13d
│ ╎╎╎│││ 0x000a2850 448944240c mov dword [var_ch], r8d
│ ╎╎╎│││ 0x000a2855 e8c6500000 call sym.__pthread_tpp_change_priority
│ ╎╎╎│││ 0x000a285a 448b44240c mov r8d, dword [var_ch]
│ ────────< 0x000a285f e92afcffff jmp 0xa248e
│ ────────> 0x000a2864 85c0 test eax, eax
│ ────────< 0x000a2866 0f841ffeffff je 0xa268b
│ ╎╎╎│││ 0x000a286c 488d0dfdea11. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ ╎╎╎│││ 0x000a2873 babb010000 mov edx, 0x1bb
│ ╎╎╎│││ 0x000a2878 488d35b26711. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ ╎╎╎│││ 0x000a287f 488d3d1ab111. lea rdi, str.robust___oldval__FUTEX_OWNER_DIED___0 ; 0x1bd9a0 ; "robust || (oldval & FUTEX_OWNER_DIED) == 0"
│ ╎╎╎│││ 0x000a2886 e895b3faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
..
│ ────────> 0x000a2890 4183e901 sub r9d, 1
│ ╎╎╎│││ 0x000a2894 4183f901 cmp r9d, 1
│ ────────< 0x000a2898 0f87cefcffff ja 0xa256c
│ ╎╎╎│││ 0x000a289e 488d0dcbea11. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ ╎╎╎│││ 0x000a28a5 baac010000 mov edx, 0x1ac
│ ╎╎╎│││ 0x000a28aa 488d35806711. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ ╎╎╎│││ 0x000a28b1 488d3d88b011. lea rdi, str.e___EDEADLK___kind___PTHREAD_MUTEX_ERRORCHECK_NP__kind___PTHREAD_MUTEX_RECURSIVE_NP_ ; 0x1bd940 ; "e != EDEADLK || (kind != PTHREAD_MUTEX_ERRORCHECK_NP && kind != PTHREAD_MUTEX_RECURSIVE_NP)"
│ ╎╎╎│││ 0x000a28b8 e863b3faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
..
│ ╎╎╎│└──> 0x000a28c0 8b44240c mov eax, dword [var_ch]
│ ╎╎╎│ │ 0x000a28c4 89d6 mov esi, edx
│ ╎╎╎│ │ 0x000a28c6 81e600000080 and esi, 0x80000000
│ ╎╎╎│ │ 0x000a28cc 09c8 or eax, ecx
│ ╎╎╎│ │ 0x000a28ce 09c6 or esi, eax
│ ╎╎╎│ │ 0x000a28d0 89d0 mov eax, edx
│ ╎╎╎│ │ 0x000a28d2 f00fb17500 lock cmpxchg dword [rbp], esi
│ ╎╎╎│┌──< 0x000a28d7 0f8406010000 je 0xa29e3
│ ╎╎╎│││ 0x000a28dd 89c2 mov edx, eax
│ └──────< 0x000a28df e915fbffff jmp 0xa23f9
│ ────────> 0x000a28e4 448b6d10 mov r13d, dword [arg_10h]
│ ╎╎│││ 0x000a28e8 4181e5800000. and r13d, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ ╎╎│││ 0x000a28ef 4489ee mov esi, r13d
│ ╎╎│││ 0x000a28f2 4080f686 xor sil, 0x86
│ ────────< 0x000a28f6 e914fcffff jmp 0xa250f
│ ────────> 0x000a28fb 4183f902 cmp r9d, 2
│ ┌──────< 0x000a28ff 0f84ad010000 je 0xa2ab2
│ │╎╎│││ 0x000a2905 4183f901 cmp r9d, 1
│ ────────< 0x000a2909 0f85d9fbffff jne 0xa24e8
│ │╎╎│││ 0x000a290f 6448c70425f0. mov qword fs:[0x2f0], 0
│ │╎╎│││ 0x000a291c 8b4504 mov eax, dword [arg_4h]
│ │╎╎│││ 0x000a291f 83f8ff cmp eax, 0xffffffff
│ ────────< 0x000a2922 0f8525feffff jne 0xa274d
│ ┌───────> 0x000a2928 41b80b000000 mov r8d, 0xb
│ ────────< 0x000a292e e95bfbffff jmp 0xa248e
│ ────────> 0x000a2933 c74504000000. mov dword [arg_4h], 0
│ ╎│╎╎│││ 0x000a293a 875500 xchg dword [rbp], edx
│ ╎│╎╎│││ 0x000a293d 83fa01 cmp edx, 1
│ ────────< 0x000a2940 0f8f5a010000 jg 0xa2aa0
│ ╎│╎╎│││ ; CODE XREFS from sym.__pthread_mutex_lock_full @ 0xa29cc(x), 0xa2aad(x)
│ ────────> 0x000a2946 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎│╎╎│││ 0x000a2953 41b883000000 mov r8d, 0x83
│ ────────< 0x000a2959 e930fbffff jmp 0xa248e
│ ────────> 0x000a295e 81ce00000080 or esi, 0x80000000
│ ╎│╎╎│││ 0x000a2964 89d0 mov eax, edx
│ ╎│╎╎│││ 0x000a2966 f00fb17500 lock cmpxchg dword [rbp], esi
│ ────────< 0x000a296b 0f849ffeffff je 0xa2810
│ ╎│╎╎│││ 0x000a2971 8b5500 mov edx, dword [rbp]
│ ╎│└─────< 0x000a2974 e980faffff jmp 0xa23f9
..
│ ╎│ ╎└───> 0x000a2980 c74504000000. mov dword [arg_4h], 0
│ ╎│ ╎ ││ 0x000a2987 4531d2 xor r10d, r10d
│ ╎│ ╎ ││ 0x000a298a 31d2 xor edx, edx
│ ╎│ ╎ ││ 0x000a298c 4889ef mov rdi, rbp
│ ╎│ ╎ ││ 0x000a298f be07000000 mov esi, 7
│ ╎│ ╎ ││ 0x000a2994 b8ca000000 mov eax, 0xca
│ ╎│ ╎ ││ 0x000a2999 0f05 syscall ; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< this
│ ╎│ ╎ ││ 0x000a299b 483d00f0ffff cmp rax, 0xfffffffffffff000
│ ────────< 0x000a29a1 76a3 jbe 0xa2946
│ ╎│ ╎ ││ 0x000a29a3 83f892 cmp eax, 0xffffff92
│ ────────< 0x000a29a6 749e je 0xa2946
│ ╎│ ╎ ││ 0x000a29a8 83c026 add eax, 0x26
│ ╎│ ╎ ││ 0x000a29ab 83f826 cmp eax, 0x26 ; '&'
│ ────────< 0x000a29ae 0f87bcfcffff ja 0xa2670
│ ╎│ ╎ ││ 0x000a29b4 48ba09000008. movabs rdx, 0x6c08000009
│ ╎│ ╎ ││ 0x000a29be 89c1 mov ecx, eax
│ ╎│ ╎ ││ 0x000a29c0 48d3ea shr rdx, cl
│ ╎│ ╎ ││ 0x000a29c3 80e201 and dl, 1
│ ────────< 0x000a29c6 0f84a4fcffff je 0xa2670
│ ────────< 0x000a29cc e975ffffff jmp 0xa2946
..
│ ╎│ ╎ │└─> 0x000a29d8 41b823000000 mov r8d, 0x23 ; '#'
│ ────────< 0x000a29de e9abfaffff jmp 0xa248e
│ ╎│ ╎ └──> 0x000a29e3 48b801000000. movabs rax, 0x7fffffff00000001 ; 9223372032559808513
│ ╎│ ╎ 0x000a29ed 48894504 mov qword [arg_4h], rax
│ ╎│ ╎ 0x000a29f1 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎│ ╎ 0x000a29fa 4883e0fe and rax, 0xfffffffffffffffe
│ ╎│ ╎ 0x000a29fe 4c8948f8 mov qword [rax - 8], r9
│ ╎│ ╎ 0x000a2a02 64488b0425e0. mov rax, qword fs:[0x2e0]
│ ╎│ ╎ 0x000a2a0b 48894520 mov qword [arg_20h], rax
│ ╎│ ╎ 0x000a2a0f 64488b042510. mov rax, qword fs:[0x10]
│ ╎│ ╎ 0x000a2a18 4805e0020000 add rax, 0x2e0
│ ╎│ ╎ 0x000a2a1e 48894518 mov qword [arg_18h], rax
│ ╎│ ╎ 0x000a2a22 644c890c25e0. mov qword fs:[0x2e0], r9
│ ╎│ ╎ 0x000a2a2b 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎│ ╎ 0x000a2a38 41b882000000 mov r8d, 0x82
│ ────────< 0x000a2a3e e94bfaffff jmp 0xa248e
│ ────────> 0x000a2a43 83c00b add eax, 0xb
│ ╎│ ╎ 0x000a2a46 83f80b cmp eax, 0xb
│ ────────< 0x000a2a49 0f8721fcffff ja 0xa2670
│ ╎│ ╎ 0x000a2a4f 480fa3c3 bt rbx, rax
│ ────────< 0x000a2a53 0f8317fcffff jae 0xa2670
│ ────────< 0x000a2a59 e9cdfdffff jmp 0xa282b
│ ────────> 0x000a2a5e 418b06 mov eax, dword [r14]
│ ╎│ ╎ 0x000a2a61 83e07f and eax, 0x7f
│ ╎│ ╎ 0x000a2a64 83f812 cmp eax, 0x12
│ ╎│ ╎ ┌─< 0x000a2a67 7449 je 0xa2ab2
│ ╎│ ╎ │ 0x000a2a69 83f811 cmp eax, 0x11
│ ────────< 0x000a2a6c 0f8594fdffff jne 0xa2806
│ ╎│ ╎ │ 0x000a2a72 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎│ ╎ │ 0x000a2a7f 8b4504 mov eax, dword [arg_4h]
│ ╎│ ╎ │ 0x000a2a82 83f8ff cmp eax, 0xffffffff
│ └───────< 0x000a2a85 0f849dfeffff je 0xa2928
│ │ ╎ │ 0x000a2a8b 83c001 add eax, 1
│ │ ╎ │ 0x000a2a8e 894504 mov dword [arg_4h], eax
│ ────────< 0x000a2a91 e9f8f9ffff jmp 0xa248e
..
│ ────────> 0x000a2aa0 be80000000 mov esi, 0x80 ; sym.thread_rpc_vars ; " 7\x1c"
│ │ ╎ │ 0x000a2aa5 4889ef mov rdi, rbp
│ │ ╎ │ 0x000a2aa8 e8139bffff call sym.__GI___lll_lock_wake
│ ────────< 0x000a2aad e994feffff jmp 0xa2946
│ └────└─> 0x000a2ab2 6448c70425f0. mov qword fs:[0x2f0], 0
│ ╎ 0x000a2abf 41b823000000 mov r8d, 0x23 ; '#'
│ └────< 0x000a2ac5 e9c4f9ffff jmp 0xa248e
│ ────────> 0x000a2aca 488d0d9fe811. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ 0x000a2ad1 bab1010000 mov edx, 0x1b1
│ 0x000a2ad6 488d35546511. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ 0x000a2add 488d3d626511. lea rdi, str.e___ESRCH___robust ; 0x1b9046 ; "e != ESRCH || !robust"
│ 0x000a2ae4 e837b1faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│ ────────> 0x000a2ae9 488d0d80e811. lea rcx, str.__pthread_mutex_lock_full ; 0x1c1370 ; "__pthread_mutex_lock_full"
│ 0x000a2af0 ba4e020000 mov edx, 0x24e
│ 0x000a2af5 488d35356511. lea rsi, [0x001b9031] ; "pthread_mutex_lock.c"
│ 0x000a2afc 488d3d596511. lea rdi, str.mutex____data.__owner__0 ; 0x1b905c ; "mutex->__data.__owner == 0"
│ 0x000a2b03 e818b1faff call sym.__assert_fail ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
└ ────────> 0x000a2b08 e873a70b00 call sym.__stack_chk_fail ; void __stack_chk_fail(void)
[0x000a2380]> aei
[0x000a2380]> /as | grep 0x000a281d
0x000a281d read
[0x000a2380]> /as | grep 0x000a2
0x000a2315 futex
0x000a251c futex
0x000a2653 read
0x000a281d read
0x000a2ec9 read
0x000a2f43 futex
[0x000a2380]>
Can you try again? I did a bunch of improvements in this logic.
Hello,
I apologize for the delay in my response. Regarding the issue, there has indeed been a change in the radare2 response, but it may not be substantial enough to declare the issue as completely resolved.
Back in August 2022, when I initially reported the issue, we observed the following situation:
The function I was concerned about was located at memory address 0x000a2380 and contained four syscalls (0x000a251c, 0x000a2653, 0x000a281d, 0x000a2999).
When I asked radare2 to print syscalls within a range of addresses where the function resides, it yielded the following results:
[0x000a2380]> /as | grep 0x000a2
0x000a2315 futex
0x000a251c futex <----------------- interest
0x000a2653 rt_sigprocmask <----------------- interest
0x000a281d <----------------- missing
0x000a2999 <----------------- missing
0x000a2ec9 rt_sigprocmask
0x000a2f43 futex
Now, with the current version of radare2 (5.8.9), there have been improvements.
$ r2 -v
radare2 5.8.9 31590 @ linux-x86-64
birth: git.5.8.8-716-gf4d0517be4 2023-10-25__09:27:41
commit: f4d0517be497fd00eedbdd9a73eccf9bd38f4189
options: gpl -O? cs:5 cl:2 make
$ r2 -e bin.cache=true glibc-2.34-40.el9.x86_64_libc.so
-- I script in C, because I can.
[0x00040070]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
WARN: Cannot find basic block for switch case at 0x0012c3a2 bbdelta = 18
WARN: Cannot find basic block for switch case at 0x000d6556 bbdelta = 34
WARN: Cannot find basic block for switch case at 0x001980d9 bbdelta = 23
INFO: Recovering variables
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods
INFO: Recovering local variables (afva)
INFO: Type matching analysis for all functions (aaft)
Segmentation fault (core dumped)
$ r2 -e bin.cache=true glibc-2.34-40.el9.x86_64_libc.so
-- Add comments using the ';' key in visual mode or the 'CC' command from the radare2 shell
[0x00040070]> aa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
WARN: Cannot find basic block for switch case at 0x0012c3a2 bbdelta = 18
WARN: Cannot find basic block for switch case at 0x000d6556 bbdelta = 34
WARN: Cannot find basic block for switch case at 0x001980d9 bbdelta = 23
INFO: Recovering variables
INFO: Analyze all functions arguments/locals (afva@@@F)
[0x00040070]> aei
[0x00040070]> s sym.__pthread_mutex_lock_full
[0x000a2380]> /as | grep 0x000a2
Segmentation fault (core dumped)
$ r2 glibc-2.34-40.el9.x86_64_libc.so
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
-- Beer in mind.
[0x00040070]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
WARN: Cannot find basic block for switch case at 0x0012c3a2 bbdelta = 18
WARN: Cannot find basic block for switch case at 0x000d6556 bbdelta = 34
WARN: Cannot find basic block for switch case at 0x001980d9 bbdelta = 23
INFO: Recovering variables
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods
INFO: Recovering local variables (afva)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis
[0x00040070]> aei
[0x00040070]> s sym.__pthread_mutex_lock_full
[0x000a2380]> /as | grep 0x000a2
0x000a2315 futex
0x000a251c futex <----------------- interest
0x000a2653 read <----------------- interest
0x000a281d rt_sigtimedwait <----------------- interest
0x000a2999 futex <----------------- interest
0x000a2ec9 read
0x000a2f43 futex
All syscalls are reported, but the accuracy of the syscall numbers still needs refinement. To make a comparison, this is the output of the plugin [1] I'm working on:
[0x000a2380]> sysno
[*] sysno is starting computation
[*] Generating cfg for the given function
[*] checking a path
0x000a2380,0x000a23c2,0x000a23cb,0x000a23d4,0x000a23dd,0x000a23f9,0x000a2401,0x000a27e5,0x000a27f5,0x000a2806,0x000a2810,
[*] checking a path
0x000a2380,0x000a23c2,0x000a23cb,0x000a24b8,0x000a24c0,0x000a24d6,0x000a24e8,0x000a24fb,0x000a250f,
[*] checking a path
0x000a2380,0x000a23c2,0x000a23cb,0x000a24b8,0x000a24c0,0x000a24d6,0x000a24e8,0x000a24fb,0x000a250f,0x000a2527,0x000a2533,0x000a2547,0x000a275b,0x000a276c,0x000a26c3,0x000a2980,
[*] checking a path
0x000a2380,0x000a2598,0x000a25a4,0x000a25bd,0x000a25c8,0x000a25db,0x000a25f0,0x000a260c,0x000a2622,0x000a263a,0x000a263f,
[*] Syscall found are 4, cfg results are 4, there are 0 still to figure out.!!!
[*] Skip block at 0x000a250f syscall at 0x000a251c is known
[*] Skip block at 0x000a263f syscall at 0x000a2653 is known
[*] Skip block at 0x000a2810 syscall at 0x000a281d is known
[*] Skip block at 0x000a2980 syscall at 0x000a2999 is known
[*] Results:
{address: "0x000a281d", number:"202"}{address: "0x000a251c", number:"202"}{address: "0x000a2999", number:"202"}{address: "0x000a2653", number:"202"}
The numbers have been verified manually, and I can confirm the tools are accurate.
Basically, this means that all the syscalls in this function correspond to futex.
Please note that the tool development is extremely slow, and for the moment can not be considered an alternative to the radare2 syscall function.
[1]. https://github.com/alessandrocarminati/sys_no/tree/ac-radare2-plugin
Thank you for your hard work, but I cannot say the issue is solved yet.
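The comment above (and the original description further down, which notes that the syscall number is loaded well before the `syscall` instruction, at 0x000a23ee) is about the same problem: the number that reaches `rax` is not always an immediate next to the `syscall`; it arrives through register copies such as `mov eax, r13d` whose definition lives in another basic block. The following is an added example, not code from radare2 or from the sys_no plugin, of the backward data-flow walk that recovers it: starting at each `syscall`, follow `rax` along CFG predecessors, switch to the source register on every copy, stop at an immediate, and report a path as unresolved rather than guess when the value comes from memory or a call. The listing is constructed with invented addresses to mirror the shapes of `__pthread_mutex_lock_full`; the syscall-name table and the caller-saved register set are assumptions (Linux x86-64 table, SysV ABI).

```python
"""Resolve the syscall number reaching each `syscall` by walking the CFG backwards
from it and following rax through register copies (example code for this thread)."""
import re
from collections import defaultdict

# Linux x86-64 numbers for the names seen in the thread (assumed from the kernel table).
SYSCALL_NAMES = {0: "read", 13: "rt_sigprocmask", 128: "rt_sigtimedwait", 202: "futex"}

# Constructed listing with invented addresses; only the data-flow shapes matter.
LISTING = """
0x1000  mov r13d, 0xca                ; number parked early in a callee-saved register
0x1006  test edx, edx
0x1008  jne 0x1030
0x100a  mov r15d, 0xca
0x1010  mov eax, r15d                 ; number arrives through a register copy
0x1013  syscall
0x1015  cmp rax, 0xfffffffffffff000
0x101b  ja 0x1040
0x101d  mov eax, 0xca                 ; easy case: immediate right before the syscall
0x1022  syscall
0x1024  ret
0x1030  mov eax, r13d                 ; definition is 0x30 bytes back, across a branch
0x1033  syscall
0x1035  ret
0x1040  mov eax, dword [rbp + 0x10]   ; loaded from memory: not statically known
0x1043  syscall
0x1045  ret
"""

INSN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)(?:\s+(.*?))?\s*(?:;.*)?$")
IMM_RE, REG_RE = re.compile(r"0x[0-9a-f]+|\d+"), re.compile(r"[a-z][a-z0-9]*")
# SysV ABI assumption: a call may clobber every caller-saved register.
CALLER_SAVED = {"rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"}


def canon(reg):
    """eax -> rax, r13d -> r13: map sub-registers onto their 64-bit register."""
    m = re.fullmatch(r"(r\d+)[dwb]?|[er]([abcd]x|si|di|bp|sp)", reg)
    return (m.group(1) or "r" + m.group(2)) if m else reg


def parse(listing):
    """'0xaddr mnemonic op1, op2 ; comment' lines -> (addr, mnem, [ops])."""
    insns = []
    for line in listing.lower().splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            ops = [o.strip() for o in m.group(3).split(",")] if m.group(3) else []
            insns.append((int(m.group(1), 16), m.group(2), ops))
    return insns


def predecessors(insns):
    """Inverted instruction-level CFG: fall-through edges plus jmp/jcc targets."""
    preds = defaultdict(list)
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem.startswith("j"):
            preds[int(ops[0], 16)].append(addr)
        if mnem not in ("jmp", "ret") and i + 1 < len(insns):
            preds[insns[i + 1][0]].append(addr)
    return preds


def written_regs(mnem, ops):
    """Registers an instruction overwrites (conservative approximation)."""
    if mnem in ("cmp", "test", "push", "ret", "nop") or mnem.startswith("j"):
        return set()
    if mnem == "syscall":  # kernel returns in rax and clobbers rcx/r11
        return {"rax", "rcx", "r11"}
    return set(CALLER_SAVED) if mnem == "call" else ({canon(ops[0])} if ops else set())


def resolve_at(insns, preds, syscall_addr):
    """Constants rax may hold at syscall_addr; None marks an unresolved path."""
    index = {a: (m, o) for a, m, o in insns}
    results, seen = set(), set()
    stack = [(p, "rax") for p in preds[syscall_addr]]
    while stack:
        addr, reg = stack.pop()
        if (addr, reg) in seen:
            continue
        seen.add((addr, reg))
        mnem, ops = index[addr]
        if mnem == "mov" and len(ops) == 2 and canon(ops[0]) == reg:
            src = ops[1]
            if IMM_RE.fullmatch(src):  # found the constant
                results.add(int(src, 16) if src.startswith("0x") else int(src))
                continue
            if not REG_RE.fullmatch(src):  # memory operand: give up on this path
                results.add(None)
                continue
            reg = canon(src)  # register copy: keep tracing the source
        elif mnem == "xor" and len(ops) == 2 and canon(ops[0]) == reg == canon(ops[1]):
            results.add(0)
            continue
        elif reg in written_regs(mnem, ops):  # clobbered by call/syscall/arithmetic
            results.add(None)
            continue
        if not preds[addr]:  # function entry reached without a definition
            results.add(None)
        stack.extend((p, reg) for p in preds[addr])
    return results


def resolve_syscalls(listing):
    """Map each syscall address to the set of numbers rax can hold there."""
    insns = parse(listing)
    preds = predecessors(insns)
    return {a: resolve_at(insns, preds, a) for a, m, _ in insns if m == "syscall"}

# resolve_syscalls(LISTING) -> {0x1013: {202}, 0x1022: {202}, 0x1033: {202}, 0x1043: {None}}
```

On a real binary the listing would come from r2pipe (`pdf` output) rather than a constructed string, and `call` targets that are known to preserve registers could be modelled more precisely. The point a detector should keep is the `None`: when the last definition of `rax` on some path is a memory load or a call return, reporting "unknown" is more useful than printing the name of whatever constant happened to be nearest.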
Environment
Description
The last PR #20471 is meant to introduce the ESIL feature to have a more accurate syscall detection. Although it solves some corner cases, it takes a step back on the overall quality of the feature. The test bench where I verified my claims is the glibc-2.34-40.el9.x86_64 (md5 f9a583d92191dc57dc5996a55c936892). In this binary the __pthread_mutex_lock_full starts @ 0x000a2380, ends @ 0x000a2b08, and has four syscalls in its body, as shown below. The syscall list is missing 2 of its 4 syscalls, as shown below:
the syscalls @ 0x000a281d and @ 0x000a2999 are not listed. The syscall @ 0x000a2653 is identified as rt_sigprocmask, where in reality it is a futex. The syscall_nr is loaded at 0x000a23ee. I attach to this issue the glibc version where I verified this issue.
Test