
fail to get any symbols in browser_tests error report due to chrome sandbox ntdll hooks #1066

Open
derekbruening opened this issue Nov 28, 2014 · 11 comments

Comments

@derekbruening
Contributor

From zhao...@google.com on October 29, 2012 14:31:46

crbug.com/158350

INVALID HEAP ARGUMENT: allocated with operator new[], freed with operator delete
#0 browser_tests.exe!? +0x0 (0x03241dfa <browser_tests.exe+0x2421dfa>)
#1 browser_tests.exe!? +0x0 (0x03241c5f <browser_tests.exe+0x2421c5f>)
#2 browser_tests.exe!? +0x0 (0x03234bec <browser_tests.exe+0x2414bec>)
#3 browser_tests.exe!? +0x0 (0x0322c3b0 <browser_tests.exe+0x240c3b0>)
#4 browser_tests.exe!? +0x0 (0x0322c571 <browser_tests.exe+0x240c571>)
#5 content.dll!? +0x0 (0x6ef9e983 <content.dll+0x1ce983>)
#6 content.dll!? +0x0 (0x6ef9db0b <content.dll+0x1cdb0b>)
#7 content.dll!? +0x0 (0x6ee64a94 <content.dll+0x94a94>)
#8 content.dll!? +0x0 (0x6ee65eb3 <content.dll+0x95eb3>)
#9 content.dll!? +0x0 (0x6ee63d29 <content.dll+0x93d29>)
#10 browser_tests.exe!? +0x0 (0x031d47f3 <browser_tests.exe+0x23b47f3>)
#11 browser_tests.exe!? +0x0 (0x031d4cc4 <browser_tests.exe+0x23b4cc4>)
#12 browser_tests.exe!? +0x0 (0x00fb9215 <browser_tests.exe+0x199215>)
#13 browser_tests.exe!? +0x0 (0x03290c3f <browser_tests.exe+0x2470c3f>)
#14 browser_tests.exe!? +0x0 (0x03290a6f <browser_tests.exe+0x2470a6f>)
#15 KERNEL32.dll!? +0x0 (0x751d339a <KERNEL32.dll+0x1339a>)
#16 ntdll.dll!? +0x0 (0x777a9ef2 <ntdll.dll+0x39ef2>)
#17 ntdll.dll!? +0x0 (0x777a9ec5 <ntdll.dll+0x39ec5>)

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1066
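A small parser for the Dr. Memory callstack format shown in the report above, added here as an example (it is not code from this issue or from the Dr. Memory project): it flags reports in which every frame came back as `?` so they can be triaged as a symbol-loading failure rather than as a real bug. The first sample reuses frames from the report above; the second, symbolized stack is constructed.

```python
import re

# Dr. Memory callstack frame, e.g. "#5 content.dll!? +0x0 (0x6ef9e983 <content.dll+0x1ce983>)";
# a symbol of "?" means the frame could not be symbolized.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?P<module>[^!\s]+)!(?P<symbol>\S+)\s+\+0x(?P<symoff>[0-9a-f]+)"
    r"\s+\(0x(?P<addr>[0-9a-f]+)\s+<(?P<module2>[^+>]+)\+0x(?P<modoff>[0-9a-f]+)>\)$",
    re.IGNORECASE,
)

def parse_frames(report_text):
    """One dict per frame line; non-frame lines (the error header) are skipped."""
    frames = []
    for line in report_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m is None:
            continue
        frames.append({
            "idx": int(m["idx"]),
            "module": m["module"],
            "symbol": m["symbol"],
            "symbolized": m["symbol"] != "?",
            "addr": int(m["addr"], 16),
            "modoff": int(m["modoff"], 16),  # offset from module base, usable for offline symbolization
        })
    return frames

def symbolization_report(frames):
    """Per-module counts plus a flag set when the whole stack lacks symbols."""
    per_module = {}
    for f in frames:
        stats = per_module.setdefault(f["module"], {"frames": 0, "unsymbolized": 0})
        stats["frames"] += 1
        stats["unsymbolized"] += 0 if f["symbolized"] else 1
    missing = sum(s["unsymbolized"] for s in per_module.values())
    return {"frames": len(frames), "unsymbolized": missing,
            "all_missing": bool(frames) and missing == len(frames),
            "per_module": per_module}

# Frames copied from the report in this issue: nothing is symbolized.
SANDBOXED_REPORT = """INVALID HEAP ARGUMENT: allocated with operator new[], freed with operator delete
#0 browser_tests.exe!? +0x0 (0x03241dfa <browser_tests.exe+0x2421dfa>)
#5 content.dll!? +0x0 (0x6ef9e983 <content.dll+0x1ce983>)
#15 KERNEL32.dll!? +0x0 (0x751d339a <KERNEL32.dll+0x1339a>)
#16 ntdll.dll!? +0x0 (0x777a9ef2 <ntdll.dll+0x39ef2>)
"""
# Constructed stack (not from the page) with symbols resolved, for contrast.
SYMBOLIZED_REPORT = """#0 lowcalc.exe!CalcLoop +0x2a (0x00401234 <lowcalc.exe+0x1234>)
#1 lowcalc.exe!main +0x1f (0x00401300 <lowcalc.exe+0x1300>)"""
```

Run `symbolization_report(parse_frames(text))` over each report a CI job produces; a true `all_missing` points at the sandbox/dbghelp problem discussed here rather than at the code the report names.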

@derekbruening
Contributor Author

From bruen...@google.com on October 30, 2012 09:32:42

this is probably the same issue we've seen in other long runs where dbghelp just stops working. talked about here: https://code.google.com/p/dynamorio/issues/detail?id=449#c5 xref https://code.google.com/p/drmemory/issues/detail?id=723&can=1&q=vista

Summary: fail to get any symbols in browser_tests error report

@derekbruening
Contributor Author

From zhao...@google.com on November 01, 2012 18:23:21

Status: Started
Owner: zhao...@google.com

@derekbruening
Contributor Author

From zhao...@google.com on November 06, 2012 11:19:28

Status: Duplicate
Mergedinto: 1081

@derekbruening
Contributor Author

From bruen...@google.com on November 07, 2012 11:51:23

Qin drilled down to a failure to load symbols.
it seems that the chrome sandbox prevents us from getting symbols :)
DR bypasses it of course, but not the priv libs.
solution: redirect ntdll!NtCreateFile via loader import processing and have it use DR's raw syscall.

@derekbruening
Contributor Author

From zhao...@google.com on November 07, 2012 11:52:34

Reopened, as issue #1081 is used for the assert failure.

Status: Started
Mergedinto:

@derekbruening
Contributor Author

From bruen...@google.com on November 07, 2012 14:27:33

as mentioned, simplest solution for now is to redirect all the syscalls that chrome hooks.

long-term we may want to re-visit private loader isolation and duplicating ntdll: https://code.google.com/p/dynamorio/issues/detail?id=235

Summary: fail to get any symbols in browser_tests error report due to chrome sandbox ntdll hooks

@derekbruening
Contributor Author

From bruen...@google.com on November 07, 2012 14:50:53

the full list of chrome sandbox hooks includes higher-level funcs. just the Nt ones:

grep -r -E 'INTERCEPT_NT|NT_INTERCEPT' sandbox/win/src/ | grep -o 'Nt[A-Za-z]*' | sort
NtCreateFile
NtCreateKey
NtMapViewOfSection
NtOpenFile
NtOpenKey
NtOpenKeyEx
NtOpenProcess
NtOpenProcessToken
NtOpenProcessTokenEx
NtOpenThread
NtOpenThreadToken
NtOpenThreadTokenEx
NtQueryAttributesFile
NtQueryFullAttributesFile
NtSetInformationFile
NtSetInformationThread
NtUnmapViewOfSection

@derekbruening
Contributor Author

From zhao...@google.com on November 09, 2012 16:02:29

With the redirect of NtCreateFile, we still have trouble opening the file, which returns error code C0000022 (STATUS_ACCESS_DENIED).
If Chrome is run with the --no_sandbox option, it passes and no such callstack is shown.
Testing a program with low integrity (icacls lowcalc.exe /setintegritylevel low),
DrM fails to create the directory and file:

Dr.M Dr. Memory version 1.5.1108
Dr.M Running ""./lowcalc.exe""
Dr.M Unable to create subdir in log base dir D:\src\cygwin\home\zhaoqin\Workspace\DrMemory\builds\build_x86_rel.git/logs
WARNING: unable to locate results file since can't open D:\src\cygwin\home\zhaoqin\Workspace\DrMemory\builds\build_x86_rel.git/logs/resfile.5084: 2

So I cannot really test it.
But it is possible that the failure to open the file is due to this low integrity, since it opens the file successfully in another process.

@derekbruening
Contributor Author

From bruen...@google.com on November 09, 2012 22:15:54

Re: running calc as low-integrity: the results there are what we expect and have seen before. You have to use a logdir in %USERPROFILE%\AppData\LocalLow like we do for Chrome, b/c certainly you can't write arbitrary files at that integrity level. See https://code.google.com/p/chromium/issues/detail?id=119131 for further information. On icacls see: http://msdn.microsoft.com/en-us/library/bb625960.aspx. But I thought you could read most files at low integrity, which is why the access denied on reading a symbol file is surprising. What file is it? I would suggest running some experiments in a small app with different params to NtCreateFile on these same pdb and dll files to first verify the issue and second see if there's some workaround other than post-processing syms (issue #446). Maybe dbghelp asks for more perms than it needs.

@derekbruening
Contributor Author

From bruen...@google.com on February 13, 2014 10:46:47

xref issue #1101
