Closed vanhauser-thc closed 6 years ago
It looks like an unexpected vex expression was encountered.
Could you run this command: valgrind --tool=taintgrind --trace-flags=10000000 --trace-notbelow=0 --taint-all=yes --file-filter=/tmp/in/test.rar -- unrar -inul p /tmp/in/test.rar 2>&1 | grep -A 20 "0x4009A13: "
I'm interested to know the vex instructions at the offending address.
Here you go!
# valgrind --tool=taintgrind --trace-flags=10000000 --trace-notbelow=0 --taint-all=yes --file-filter=/tmp/test.rar -- unrar -inul p /tmp/in/test.rar 2>&1 | grep -A 20 "0x4009A13: "
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | t232_20 <- t227_142
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | STle(t82) = t230 | Store | 0x0 | --343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
7de8a5cc_unknownobj <- t230_43
0x4009A17: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | t235_26 <- t226_139
0x4009A17: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | if (t235) { PUT(0) = 0x400986B:I32; exit-Boring } | IfGoto | 0x0 | t235_26
==== SB 864 (evchecks 7223) [tid 1] 0x4009a1b UNKNOWN_FUNCTION /lib/arm-linux-gnueabihf/ld-2.19.so+0x9a1b
------------------------ Front end ------------------------
(thumb) 0x4009A1A: str r3, [r7, #28]
------ IMark(0x4009A1A, 2, 1) ------
t0 = 0x0:I32
PUT(392) = t0
t1 = 0x1:I32
PUT(392) = t0
if (CmpNE32(t1,0x0:I32)) { STle(Add32(GET:I32(36),0x1C:I32)) = GET:I32(20) }
--
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | t232_21 <- t227_143
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | STle(
vex: the `impossible' happened:
ppIRExpr
vex storage: T total 83361088 bytes allocated
vex storage: P total 0 bytes allocated
valgrind: the 'impossible' happened:
LibVEX called failure_exit().
host stacktrace:
==343== at 0x58025AAC: show_sched_status_wrk (m_libcassert.c:355)
==343== by 0x58025C0B: report_and_quit (m_libcassert.c:426)
==343== by 0x58025DCF: vgPlain_core_panic_at (m_libcassert.c:502)
==343== by 0x58025DEB: vgPlain_core_panic (m_libcassert.c:512)
==343== by 0x580448A7: failure_exit (m_translate.c:740)
==343== by 0x58104103: vpanic (main_util.c:231)
==343== by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343== by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343== by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343== by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343== by 0x581099A7: ppIRExpr (ir_defs.c:1394)
Thanks, but I don't quite see the vex instructions from that address. Maybe this command instead: valgrind --tool=taintgrind --trace-flags=10000000 --trace-notbelow=0 --taint-all=yes --file-filter=/tmp/in/test.rar -- unrar -inul p /tmp/in/test.rar 2>&1 | grep -A 20 "IMark(0x4009A13,"
Thanks
That grep found no match. I am attaching the full output in a gzip: taintgrind.debug.gz
Not sure if this solves the issue. Please try it and see.
Still crashes, full log is attached: taint.log.gz
If you are interested I can set up an ARM device for you to ssh in (in a security enclave, nothing else in it and no sensitive data on the device). Just send me a public ssh key.
It's still crashing, isn't it... OK, I'll email you my key. Thanks for setting it up.
With the last repository changes you did it does not crash anymore. On the other hand it is still not terminating after 5 hours running ... ;) but I think that is an issue in valgrind, not taintgrind...
Thanks for the fix, I will close the issue then.
If you still want to play around on an ARM I can set this up tomorrow. My current test system is a usbarmory, which is super slow; tomorrow I should have a Raspberry 3 B+, which should be OK.
That'll be a great help, thanks.
I am experimenting with taintgrind on ARM and it produces tons of lines warning of unhandled DW_OP_0xf2, and in the end it crashes.
The command is: valgrind --tool=taintgrind --taint-all=yes --file-filter=/tmp/in/test.rar -- unrar -inul p /tmp/in/test.rar