Skip to content
GitLab
Closed
Issue created by Derek Bruening@derekbrueningContributor

CRASH (win8 wow64 AppInit)

From bruen...@google.com on December 18, 2012 12:38:59

even with no client it crashes. debug DR works. x64 release and debug work. hello.exe release DR works.

dies before -msgbox_mask 15 1st box. under AppInit: crash in WerFault.exe "73xxxxxx can't read 73xxxxxx" pops up, and after dismissing calc comes up normally.

AppInit, launch in debugger: ModLoad: 72ea0000 72eb1000 C:\derek\dr\releases\DYNAMO1.0-6\lib32\DRPREI1.DLL (d50.980): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=7ef46000 ebx=00000001 ecx=ffffffff edx=00f20290 esi=76be5912 edi=900c88a0 eip=72ea2806 esp=00bad8bc ebp=00bae378 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 0:000> U eip DRPREI_1!get_module_handle_64+0x26 [d:\derek\dr\git\src\core\win32\module_shared.c @ 686]: 72ea2806 8b7720 mov esi,dword ptr [edi+20h] 0:000> kn

ChildEBP RetAddr

00 00bad8cc 72ea23b7 DRPREI_1!get_module_handle_64+0x26 [d:\derek\dr\git\src\core\win32\module_shared.c @ 686] 01 00bad8e8 72ea2502 DRPREI_1!read_and_verify_dr_marker_common+0x17 [d:\derek\dr\git\src\core\win32\drmarker.c @ 123] 02 00bad8f8 72ea1252 DRPREI_1!read_and_verify_dr_marker_64+0x12 [d:\derek\dr\git\src\core\win32\drmarker.c @ 175] 03 00bae23c 72ea13cc DRPREI_1!load_dynamorio_lib+0x92 [d:\derek\dr\git\src\core\win32\pre_inject.c @ 268] 04 00bae354 72ea104c DRPREI_1!process_attach+0x5c [d:\derek\dr\git\src\core\win32\pre_inject.c @ 490] 05 00bae378 776e2893 DRPREI_1!DllMain+0xc [D:\derek\dr\releases\build_release-32\core\pre_inject_asm.s @ 753] 06 00bae3c0 776e9cb3 ntdll!LdrpCallInitRoutine+0x60

0:000> dq eax+18 7ef46018 000007f8900c88a0 0000000000d41620

so the bug is that PEB64.LoaderData is up above 4GB. but this is AppInit-specific code and so can't explain the drrun crash, but it may be similar.

heap-alloc data should be below 4GB: only ntdll.dll-located data is high up.

0:000:x86> !sw Switched to 64bit mode 0:000> ln 000007f8900c88a0 (000007f8900c88a0) ntdll!PebLdr | (000007f8900c8504) ntdll!NtdllBaseTag Exact matches: ntdll!PebLdr = \<no type information> 0:000> dd 000007f8900c88a0 000007f8900c88a0 00000058 00000001 00000000 00000000 000007f8900c88b0 011a2030 00000000 011a2b40 00000000 000007f8900c88c0 011a2040 00000000 011a2b50 00000000 000007f8900c88d0 011a1e90 00000000 011a2560 00000000

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=1035