Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dr. Memory doesn't handle stack expansion properly #49

Closed
derekbruening opened this issue Nov 28, 2014 · 11 comments
Closed

Dr. Memory doesn't handle stack expansion properly #49

derekbruening opened this issue Nov 28, 2014 · 11 comments

Comments

@derekbruening
Copy link
Contributor

From timurrrr@google.com on September 07, 2010 10:25:04

http://build.chromium.org/buildbot/waterfall.fyi/builders/Windows%20Tests%20(DrMemory)/builds/2594/steps/memory%20test:%20remoting/logs/stdio 01:35:51 drmemory_analyze.py [ERROR]
UNADDRESSABLE ACCESS: writing 0x0011f984-0x0011f988 4 byte(s)
#1 0x006c84cf file_util::ReadFileToString base\file_util.cc:153
#2 0x0070c32d remoting::JsonHostConfig::Read remoting\host\json_host_config.cc:27
#3 0x004591fc remoting::JsonHostConfigTest_Read_Test::TestBody remoting\host\json_host_config_unittest.cc:68

01:35:51 drmemory_analyze.py [ERROR]
UNADDRESSABLE ACCESS: writing 0x0011f950-0x0011f954 4 byte(s)
#1 0x006c84cf file_util::ReadFileToString base\file_util.cc:153
#2 0x0070c32d remoting::JsonHostConfig::Read remoting\host\json_host_config.cc:27
#3 0x0045a32c remoting::JsonHostConfigTest_Write_Test::TestBody remoting\host\json_host_config_unittest.cc:92

01:35:51 drmemory_analyze.py [ERROR]
UNADDRESSABLE ACCESS: writing 0x0011f950-0x0011f954 4 byte(s)
#1 0x006c84cf file_util::ReadFileToString base\file_util.cc:153
#2 0x0070c32d remoting::JsonHostConfig::Read remoting\host\json_host_config.cc:27
#3 0x0045a52c remoting::JsonHostConfigTest_Write_Test::TestBody remoting\host\json_host_config_unittest.cc:106

I've run the test under debugger and ESP changes its value from 0x0012F99C to 0x0011F980 when execution enters ReadFileToString function.
This may be related to issue #47 since the same test crashed a in a few seconds after these false reports.

I'm investigating these reports now and will add more details later.

Original issue: http://code.google.com/p/drmemory/issues/detail?id=49

@derekbruening
Copy link
Contributor Author

From timurrrr@google.com on September 07, 2010 08:34:22

r46 on Windows,
===test.cpp===
#include <assert.h>
#include <stdio.h>

#include

void foo(std::string *s) {
FILE *fp = _fsopen("test.cpp", "rb", _SH_DENYNO);
assert(fp);
char buf[1024] = "";
fread(buf, 1, sizeof(buf), fp);
*s = buf;
fclose(fp);
}

void bar() {
std::string s;
foo(&s);
}

int main() {
char buf[65000] = "";
__try {
bar();
} __except(1) {
return 1;
}
return 0;
}

cl /Zi /nologo test.cpp && drmemory.exe -- test.exe

-> 4 UNADDRESSABLE ACCESSES:

Error #1: UNADDRESSABLE ACCESS: writing 0x00120160-0x00120164 4 byte(s)
@0:00:02.640 in thread 5268
0x00425c5e <test.exe+0x25c5e> test.exe!_chkstk
F:\dd\vctools\crt_bld\SELF_X86\crt\src\intel\chkstk.asm:93
0x00403d6b <test.exe+0x3d6b> test.exe!__tmainCRTStartup
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c:327
0x7c817077 <KERNEL32.dll+0x17077> KERNEL32.dll!RegisterWaitForInputIdle
??:0

Error #2: UNADDRESSABLE ACCESS: writing 0x00120168-0x00120169 1 byte(s)
@0:00:02.672 in thread 5268
0x004012c5 <test.exe+0x12c5> test.exe!main
z:\dr-sandbox\issues\string_ref_arg\test.cpp:21
0x00403d6b <test.exe+0x3d6b> test.exe!__tmainCRTStartup
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c:327
0x7c817077 <KERNEL32.dll+0x17077> KERNEL32.dll!RegisterWaitForInputIdle
??:0

Error #3: UNADDRESSABLE ACCESS: writing 0x00120169-0x0012016a 1 byte(s)
@0:00:03.437 in thread 5268
0x100df020 <drmemorylib.dll+0xdf020> drmemorylib.dll!replace_memset
z:\drmemory\git_svn\drmemory\replace.c:107
0x004012de <test.exe+0x12de> test.exe!main
z:\dr-sandbox\issues\string_ref_arg\test.cpp:21
0x00403d6b <test.exe+0x3d6b> test.exe!__tmainCRTStartup
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c:327
0x7c817077 <KERNEL32.dll+0x17077> KERNEL32.dll!RegisterWaitForInputIdle
??:0

Error #4: UNADDRESSABLE ACCESS: writing 0x001537a0-0x001537a4 4 byte(s)
@0:00:05.015 in thread 5268
Note: next higher malloc: 0x001537c8-0x001537e8
Note: prev lower malloc: 0x00153548-0x0015375c
0x7c9115b9 <ntdll.dll+0x115b9> ntdll.dll!RtlInitializeCriticalSectionAndSpinCount
??:0
0x7c80b8de <KERNEL32.dll+0xb8de> KERNEL32.dll!InitializeCriticalSectionAndSpinCount
??:0
0x0040fbb3 <test.exe+0xfbb3> test.exe!__crtInitCritSecAndSpinCount
f:\dd\vctools\crt_bld\self_x86\crt\src\initcrit.c:161
0x0040af33 <test.exe+0xaf33> test.exe!_mtinitlocknum
f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c:288
0x00407481 <test.exe+0x7481> test.exe!_getstream
f:\dd\vctools\crt_bld\self_x86\crt\src\stream.c:71
0x00402e7a <test.exe+0x2e7a> test.exe!_fsopen
f:\dd\vctools\crt_bld\self_x86\crt\src\fopen.c:61
0x004011b4 <test.exe+0x11b4> test.exe!foo
z:\dr-sandbox\issues\string_ref_arg\test.cpp:7
0x00401261 <test.exe+0x1261> test.exe!bar
z:\dr-sandbox\issues\string_ref_arg\test.cpp:17
0x004012ed <test.exe+0x12ed> test.exe!main
z:\dr-sandbox\issues\string_ref_arg\test.cpp:23
0x00403d6b <test.exe+0x3d6b> test.exe!__tmainCRTStartup
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c:327
0x7c817077 <KERNEL32.dll+0x17077> KERNEL32.dll!RegisterWaitForInputIdle
??:0

I saw a number of "RtlInitializeCriticalSectionAndSpinCount" unaddrs on Chromium tests before but couldn't reproduce them stand-alone.
__try {
run_tests()
} __except(1) {}
is what googletest does, now it makes sense why I couldn't create some of the repros before.

This is probably related to issue #11 and issue #22

Owner: derek.bruening
Labels: -Priority-Medium Priority-High

@derekbruening
Copy link
Contributor Author

From timurrrr@google.com on September 07, 2010 08:41:17

Ooops - this gives false reports even without __try/__except!

No warnings if buf in main() is just 65 bytes.

@derekbruening
Copy link
Contributor Author

From timurrrr@google.com on September 21, 2010 04:55:53

Derek,
What's the status of the bug?

@derekbruening
Copy link
Contributor Author

From derek.br...@gmail.com on September 22, 2010 20:05:15

I ran into this independently and have a fix, should verify on your test app though.
the problem is NtQueryVirtualMemory behaving in a way I thought it only did for free memory: switching to a query loop.

@derekbruening
Copy link
Contributor Author

From derek.br...@gmail.com on September 24, 2010 09:52:43

my experiments show that mbi.BaseAddress is ALWAYS just PAGE_START(addr)
whether for an image, data file, or anon memory, on xp64, xp32, or win2k,
and is thus useless.
this is surprising: I remember noticing that for MEM_FREE the BaseAddress
had this behavior, but all this time I was under the impression that it was
the real base of that same-prot region -- certainly the Win32 API routine
docs imply it is. I checked calling VirtualQuery() and I get the same
results, and it looks like it is just a wrapper. Crazy.
inside DR we usually call get_memory_info() just for prot, but there are
some places where we use the base, and we'll get it wrong.
so rather than my Dr. Memory-specific fix it seems that not only the
API-facing dr_query_memory() but also the internal get_memory_info() must
be changed inside DR.

some examples:
dr_query_memory WRONG: 0x00011005 inside 0x00010000-0x00012000 => 0x00011000-0x00012000
dr_query_memory WRONG: 0x00031005 inside 0x00030000-0x00069000 => 0x00031000-0x00069000
dr_query_memory WRONG: 0x0006a005 inside 0x00069000-0x0006b000 => 0x0006a000-0x0006b000
dr_query_memory WRONG: 0x0006c005 inside 0x0006b000-0x00070000 => 0x0006c000-0x00070000
...

@derekbruening
Copy link
Contributor Author

From derek.br...@gmail.com on September 24, 2010 10:36:16

filed https://code.google.com/p/dynamorio/issues/detail?id=345 for the DynamoRIO fix

@derekbruening
Copy link
Contributor Author

From derek.br...@gmail.com on September 24, 2010 16:08:41

on test.cpp pasted above:
w/o the fix:
:::Dr.Memory::: 4 unique, 65002 total unaddressable access(es)
with issue #345 fixed:
:::Dr.Memory::: 0 unique, 0 total unaddressable access(es)

Status: Fixed
Owner: timur...@google.com

@derekbruening
Copy link
Contributor Author

From timurrrr@google.com on September 25, 2010 07:59:26

Thanks for fixing this!

I've uplodaded r57 / r434 to the Chromium bot and it looks like there are still some unaddr reports: http://build.chromium.org/buildbot/waterfall.fyi/builders/Windows%20Tests%20(DrMemory)/builds/2905 but they may not be unrelated to issue #49 .

I'll investigate on Monday

@derekbruening
Copy link
Contributor Author

From timurrrr@google.com on September 27, 2010 08:24:31

Looks like these reports are still Dr. Memory bugs.
I've filed a separate issue ( r55 ) so marking this one as Verified.

Status: Verified

@derekbruening
Copy link
Contributor Author

From timurrrr@google.com on September 27, 2010 08:24:57

Sorry, " issue #55 ", not " r55 "

@derekbruening
Copy link
Contributor Author

From timurrrr@google.com on November 03, 2010 10:23:35

Issue 22 has been merged into this issue.

Cc: derek.bruening

gregcawthorne added a commit that referenced this issue Apr 17, 2021
AArch64 port of drmemory.

Only contains slowpath support with shared_slowpath off.

Pattern mode and fastpath modes are being worked on separately.

Depends on:
https://github.com/DynamoRIO/dynamorio/tree/mem-ref-for-clean-calls-aarch64/core

Current tests we have analysed:
Test project /home/grecaw01/APD-testing/drmem-upstream3/drmemory/build
      Start  1: drmf_proj
 1/49 Test  #1: drmf_proj .........................   Passed    0.45 sec
      Start  2: unit_tests
 2/49 Test  #2: unit_tests ........................   Passed    0.02 sec
      Start  3: hello
 3/49 Test  #3: hello .............................   Passed    3.55 sec
      Start  4: free
 4/49 Test  #4: free ..............................   Passed    3.67 sec
      Start  5: malloc
 5/49 Test  #5: malloc ............................   Passed    3.88 sec
      Start  6: leak_indirect
 6/49 Test  #6: leak_indirect .....................   Passed    3.52 sec
      Start  7: patterns
 7/49 Test  #7: patterns ..........................   Passed    3.93 sec
      Start  8: free.exitcode
 8/49 Test  #8: free.exitcode .....................   Passed    3.64 sec
      Start  9: track_origins
 9/49 Test  #9: track_origins .....................***Failed    0.34 sec
      Start 10: free.pattern
10/49 Test #10: free.pattern ......................***Failed    0.35 sec
      Start 11: malloc.pattern
11/49 Test #11: malloc.pattern ....................***Failed    0.34 sec
      Start 12: track_origins.pattern
12/49 Test #12: track_origins.pattern .............***Failed    0.34 sec
      Start 13: fuzz_corpus
13/49 Test #13: fuzz_corpus .......................   Passed    3.56 sec
      Start 14: fuzz_buffer
14/49 Test #14: fuzz_buffer .......................   Passed    4.62 sec
      Start 15: fuzz_buffer.replace_buffer
15/49 Test #15: fuzz_buffer.replace_buffer ........   Passed    4.62 sec
      Start 16: fuzz_buffer.overflow
16/49 Test #16: fuzz_buffer.overflow ..............***Failed    0.34 sec
      Start 17: fuzz_buffer.mutator.o-b-s-3
17/49 Test #17: fuzz_buffer.mutator.o-b-s-3 .......   Passed    4.59 sec
      Start 18: fuzz_buffer.mutator.r-b-s-3
18/49 Test #18: fuzz_buffer.mutator.r-b-s-3 .......   Passed    4.63 sec
      Start 19: fuzz_buffer.mutator.o-b-3
19/49 Test #19: fuzz_buffer.mutator.o-b-3 .........   Passed    4.60 sec
      Start 20: fuzz_buffer.mutator.r-n
20/49 Test #20: fuzz_buffer.mutator.r-n ...........   Passed    4.54 sec
      Start 21: fuzz_buffer.mutator.random_seed
21/49 Test #21: fuzz_buffer.mutator.random_seed ...   Passed    4.57 sec
      Start 22: fuzz_buffer.one-input
22/49 Test #22: fuzz_buffer.one-input .............   Passed    3.82 sec
      Start 23: fuzz_buffer.load_input
23/49 Test #23: fuzz_buffer.load_input ............   Passed    3.81 sec
      Start 24: fuzz_buffer.skip_initial
24/49 Test #24: fuzz_buffer.skip_initial ..........   Passed    4.01 sec
      Start 25: fuzz_buffer.fixed_size
25/49 Test #25: fuzz_buffer.fixed_size ............   Passed    5.36 sec
      Start 26: fuzz_buffer.offset
26/49 Test #26: fuzz_buffer.offset ................   Passed    5.42 sec
      Start 27: fuzz_buffer.module_name
27/49 Test #27: fuzz_buffer.module_name ...........   Passed    4.58 sec
      Start 28: fuzz_buffer.dictionary
28/49 Test #28: fuzz_buffer.dictionary ............   Passed    4.20 sec
      Start 29: fuzz_buffer.cpp
29/49 Test #29: fuzz_buffer.cpp ...................   Passed   17.77 sec
      Start 30: fuzz_custom_mutator
30/49 Test #30: fuzz_custom_mutator ...............   Passed    4.57 sec
      Start 31: drsyscall_test
31/49 Test #31: drsyscall_test ....................   Passed    0.22 sec
      Start 32: strace_test
32/49 Test #32: strace_test .......................   Passed    0.22 sec
      Start 33: drfuzz_test_empty
33/49 Test #33: drfuzz_test_empty .................   Passed    0.22 sec
      Start 34: drfuzz_test_mutator
34/49 Test #34: drfuzz_test_mutator ...............   Passed    2.38 sec
      Start 35: drfuzz_test_repeat
35/49 Test #35: drfuzz_test_repeat ................***Failed
      Start 36: drfuzz_test_segfault
36/49 Test #36: drfuzz_test_segfault ..............   Passed    0.20 sec
      Start 37: drfuzz_test_app_abort
37/49 Test #37: drfuzz_test_app_abort .............   Passed    0.22 sec
      Start 38: drfuzz_test_no_crash
38/49 Test #38: drfuzz_test_no_crash ..............   Passed    0.22 sec
      Start 39: umbra_test_empty
39/49 Test #39: umbra_test_empty ..................   Passed    0.22 sec
      Start 40: umbra_test_overlap
40/49 Test #40: umbra_test_overlap ................   Passed    0.23 sec
      Start 41: umbra_test_shadow_mem
41/49 Test #41: umbra_test_shadow_mem .............   Passed    0.30 sec
      Start 42: umbra_test_insert_app_to_shadow
42/49 Test #42: umbra_test_insert_app_to_shadow ...   Passed    0.29 sec
      Start 43: umbra_test_consistency
43/49 Test #43: umbra_test_consistency ............   Passed    0.30 sec
      Start 44: umbra_test_allscales
44/49 Test #44: umbra_test_allscales ..............   Passed    0.39 sec
      Start 45: drltrace
45/49 Test #45: drltrace ..........................   Passed    0.35 sec
      Start 46: drltrace_libcalls
46/49 Test #46: drltrace_libcalls .................   Passed    0.36 sec
      Start 47: drltrace_symargs
47/49 Test #47: drltrace_symargs ..................   Passed    0.36 sec
      Start 48: drltrace_libargs
48/49 Test #48: drltrace_libargs ..................   Passed    0.35 sec
      Start 49: strace_sample
49/49 Test #49: strace_sample .....................   Passed    0.22 sec

88% tests passed, 6 tests failed out of 49
gregcawthorne added a commit that referenced this issue Apr 17, 2021
AArch64 port of drmemory.

Only contains slowpath support with shared_slowpath off.

Pattern mode and fastpath modes are being worked on separately.

Currently this build does break some x86 functionality.

Depends on:
https://github.com/DynamoRIO/dynamorio/tree/mem-ref-for-clean-calls-aarch64/core

Current tests we have analysed:
Test project /home/grecaw01/APD-testing/drmem-upstream3/drmemory/build
      Start  1: drmf_proj
 1/49 Test  #1: drmf_proj .........................   Passed    0.45 sec
      Start  2: unit_tests
 2/49 Test  #2: unit_tests ........................   Passed    0.02 sec
      Start  3: hello
 3/49 Test  #3: hello .............................   Passed    3.55 sec
      Start  4: free
 4/49 Test  #4: free ..............................   Passed    3.67 sec
      Start  5: malloc
 5/49 Test  #5: malloc ............................   Passed    3.88 sec
      Start  6: leak_indirect
 6/49 Test  #6: leak_indirect .....................   Passed    3.52 sec
      Start  7: patterns
 7/49 Test  #7: patterns ..........................   Passed    3.93 sec
      Start  8: free.exitcode
 8/49 Test  #8: free.exitcode .....................   Passed    3.64 sec
      Start  9: track_origins
 9/49 Test  #9: track_origins .....................***Failed    0.34 sec
      Start 10: free.pattern
10/49 Test #10: free.pattern ......................***Failed    0.35 sec
      Start 11: malloc.pattern
11/49 Test #11: malloc.pattern ....................***Failed    0.34 sec
      Start 12: track_origins.pattern
12/49 Test #12: track_origins.pattern .............***Failed    0.34 sec
      Start 13: fuzz_corpus
13/49 Test #13: fuzz_corpus .......................   Passed    3.56 sec
      Start 14: fuzz_buffer
14/49 Test #14: fuzz_buffer .......................   Passed    4.62 sec
      Start 15: fuzz_buffer.replace_buffer
15/49 Test #15: fuzz_buffer.replace_buffer ........   Passed    4.62 sec
      Start 16: fuzz_buffer.overflow
16/49 Test #16: fuzz_buffer.overflow ..............***Failed    0.34 sec
      Start 17: fuzz_buffer.mutator.o-b-s-3
17/49 Test #17: fuzz_buffer.mutator.o-b-s-3 .......   Passed    4.59 sec
      Start 18: fuzz_buffer.mutator.r-b-s-3
18/49 Test #18: fuzz_buffer.mutator.r-b-s-3 .......   Passed    4.63 sec
      Start 19: fuzz_buffer.mutator.o-b-3
19/49 Test #19: fuzz_buffer.mutator.o-b-3 .........   Passed    4.60 sec
      Start 20: fuzz_buffer.mutator.r-n
20/49 Test #20: fuzz_buffer.mutator.r-n ...........   Passed    4.54 sec
      Start 21: fuzz_buffer.mutator.random_seed
21/49 Test #21: fuzz_buffer.mutator.random_seed ...   Passed    4.57 sec
      Start 22: fuzz_buffer.one-input
22/49 Test #22: fuzz_buffer.one-input .............   Passed    3.82 sec
      Start 23: fuzz_buffer.load_input
23/49 Test #23: fuzz_buffer.load_input ............   Passed    3.81 sec
      Start 24: fuzz_buffer.skip_initial
24/49 Test #24: fuzz_buffer.skip_initial ..........   Passed    4.01 sec
      Start 25: fuzz_buffer.fixed_size
25/49 Test #25: fuzz_buffer.fixed_size ............   Passed    5.36 sec
      Start 26: fuzz_buffer.offset
26/49 Test #26: fuzz_buffer.offset ................   Passed    5.42 sec
      Start 27: fuzz_buffer.module_name
27/49 Test #27: fuzz_buffer.module_name ...........   Passed    4.58 sec
      Start 28: fuzz_buffer.dictionary
28/49 Test #28: fuzz_buffer.dictionary ............   Passed    4.20 sec
      Start 29: fuzz_buffer.cpp
29/49 Test #29: fuzz_buffer.cpp ...................   Passed   17.77 sec
      Start 30: fuzz_custom_mutator
30/49 Test #30: fuzz_custom_mutator ...............   Passed    4.57 sec
      Start 31: drsyscall_test
31/49 Test #31: drsyscall_test ....................   Passed    0.22 sec
      Start 32: strace_test
32/49 Test #32: strace_test .......................   Passed    0.22 sec
      Start 33: drfuzz_test_empty
33/49 Test #33: drfuzz_test_empty .................   Passed    0.22 sec
      Start 34: drfuzz_test_mutator
34/49 Test #34: drfuzz_test_mutator ...............   Passed    2.38 sec
      Start 35: drfuzz_test_repeat
35/49 Test #35: drfuzz_test_repeat ................***Failed
      Start 36: drfuzz_test_segfault
36/49 Test #36: drfuzz_test_segfault ..............   Passed    0.20 sec
      Start 37: drfuzz_test_app_abort
37/49 Test #37: drfuzz_test_app_abort .............   Passed    0.22 sec
      Start 38: drfuzz_test_no_crash
38/49 Test #38: drfuzz_test_no_crash ..............   Passed    0.22 sec
      Start 39: umbra_test_empty
39/49 Test #39: umbra_test_empty ..................   Passed    0.22 sec
      Start 40: umbra_test_overlap
40/49 Test #40: umbra_test_overlap ................   Passed    0.23 sec
      Start 41: umbra_test_shadow_mem
41/49 Test #41: umbra_test_shadow_mem .............   Passed    0.30 sec
      Start 42: umbra_test_insert_app_to_shadow
42/49 Test #42: umbra_test_insert_app_to_shadow ...   Passed    0.29 sec
      Start 43: umbra_test_consistency
43/49 Test #43: umbra_test_consistency ............   Passed    0.30 sec
      Start 44: umbra_test_allscales
44/49 Test #44: umbra_test_allscales ..............   Passed    0.39 sec
      Start 45: drltrace
45/49 Test #45: drltrace ..........................   Passed    0.35 sec
      Start 46: drltrace_libcalls
46/49 Test #46: drltrace_libcalls .................   Passed    0.36 sec
      Start 47: drltrace_symargs
47/49 Test #47: drltrace_symargs ..................   Passed    0.36 sec
      Start 48: drltrace_libargs
48/49 Test #48: drltrace_libargs ..................   Passed    0.35 sec
      Start 49: strace_sample
49/49 Test #49: strace_sample .....................   Passed    0.22 sec

88% tests passed, 6 tests failed out of 49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant