CRASH in client arg parsing code due to failure to copy enough app TLS
I added "-verbose 1" to the drmemtrace client options and a simple test now crashes trying to parse it:
(gdb) bt
#0 0x00007fffed85093f in ____strtoll_l_internal () from libc.so.6
#1 0x00007fffed84bff0 in atoi () from libc.so.6
#2 0x00007ffff7fef0a4 in droption_t<unsigned int>::convert_from_string (this=0x7ffff7ff70b0 <op_verbose>, s=...) at dynamorio/trunk/ext/droption/droption.h:443
#3 0x00007ffff7feb9c7 in droption_parser_t::parse_argv (scope=1, argc=6, argv=0x4b53ca08, error_msg=0x7fffe9a53030, last_index=0x0)
at dynamorio/trunk/ext/droption/droption.h:191
#4 0x00007ffff7fe84b6 in drmemtrace_client_main (id=4294967295, argc=6, argv=0x4b53ca08) at dynamorio/trunk/clients/drcachesim/tracer/tracer.cpp:851
#5 0x00000000004282ee in dr_client_main (id=4294967295, argc=6, argv=0x4b53ca08) at
#6 0x00000000006e77b7 in instrument_init () at dynamorio/trunk/core/lib/instrument.c:681
#7 0x0000000000559466 in dynamorio_app_init () at dynamorio/trunk/core/dynamo.c:648
#8 0x000000000056fd04 in dr_app_setup () at dynamorio/trunk/core/dynamo.c:2584
(gdb) x/4i $pc
=> 0x7fffed85093f <____strtoll_l_internal+31>: mov 0x8(%r8),%rax
(gdb) p /x $r8
$14 = 0xabababababababab
r8 is unmodified earlier in that function.
(gdb) x/10i 0x00007fffed84bff0-5
0x7fffed84bfeb <atoi+11>: callq 0x7fffed8508c0 <strtoq>
(gdb) disas strtoq
Dump of assembler code for function strtoq:
0x00007fffed8508c0 <+0>: push %rbp
0x00007fffed8508c1 <+1>: mov 0x3714f8(%rip),%rax # 0x7fffedbc1dc0
0x00007fffed8508c8 <+8>: xor %ecx,%ecx
0x00007fffed8508ca <+10>: mov %rsp,%rbp
0x00007fffed8508cd <+13>: pop %rbp
0x00007fffed8508ce <+14>: mov %fs:(%rax),%r8
0x00007fffed8508d2 <+18>: jmpq 0x7fffed850920 <____strtoll_l_internal>
(gdb) x/1gx 0x7fffedbc1dc0
0x7fffedbc1dc0: 0xfffffffffffffab8
(gdb) x/1gd 0x7fffedbc1dc0
0x7fffedbc1dc0: -1352
So DR has set up TLS for this thread, saved away the app's TLS, and swapped to the privlib TLS.
But if I add -verbose 1 to the burst_static test it works fine. And if TLS were this messed up, how did anything run so far on google3?
On laptop it reads this value:
Breakpoint 2, 0x00007f21f3ca13ed in strtoq () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) p /x $r8
$1 = 0x7f21f4023060
(gdb) p $rax
$2 = -208
On desktop w/ DR build (i.e., system libc):
(gdb) x/1gx 0x7f21f4021dc0
0x7f21f4021dc0: 0xffffffffffffff30
Is it this in loader_linux.c being too small -- maybe some libc update or something increased what we need?
# define APP_LIBC_TLS_SIZE 0x400
When I increase that to 0x600, the crash goes away.
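The failure mode above, as an added example that is not DynamoRIO code: it models x86-64 variant-II TLS, where libc's variables sit at negative offsets from the thread pointer (%fs:0), and a private loader that copies only the last copied_size bytes of the app's TLS block. The offsets and sizes (-1352, -208, 0x400, 0x600) are the ones quoted in the report; the 0xab fill byte, the 0x1000 block size and the sample pointer value are assumptions made for the simulation.

```c
#include <stdint.h>
#include <string.h>

#define FILL_BYTE 0xab      /* assumed uninitialised-memory pattern, as seen in $r8 */
#define TLS_BLOCK 0x1000    /* assumed size of the modelled TLS block */

/* Is an 8-byte load at tp+offset entirely inside the copied app TLS region?
 * Negative offsets grow away from the thread pointer, so a load is covered
 * iff its lowest byte (tp+offset) lies within the last copied_size bytes. */
int tls_access_covered(long offset, size_t copied_size)
{
    if (offset >= 0)        /* the TCB itself, not the copied app area */
        return 1;
    return (size_t)(-offset) <= copied_size;
}

/* Simulate the private copy: app_tls holds real data everywhere, priv_tls
 * receives only the last copied_size bytes below the thread pointer and is
 * fill elsewhere. Returns the value a %fs:(offset) load would observe
 * through the private copy. */
uint64_t simulated_tls_load(long offset, size_t copied_size)
{
    uint8_t app_tls[TLS_BLOCK], priv_tls[TLS_BLOCK];
    uint8_t *app_tp = app_tls + TLS_BLOCK;   /* thread pointer = end of block */
    uint8_t *priv_tp = priv_tls + TLS_BLOCK;
    uint64_t real = 0x00007f21f4023060ULL;   /* constructed libc TLS value */
    uint64_t value;

    /* Constructed app TLS content, with the pointer placed at the offset. */
    for (size_t i = 0; i < TLS_BLOCK; i++)
        app_tls[i] = (uint8_t)i;
    memcpy(app_tp + offset, &real, sizeof real);

    /* What the loader does: copy only the tail of the block, leave the rest. */
    memset(priv_tls, FILL_BYTE, TLS_BLOCK);
    memcpy(priv_tp - copied_size, app_tp - copied_size, copied_size);

    /* The load strtoq performs: mov %fs:(%rax),%r8 with %rax = offset. */
    memcpy(&value, priv_tp + offset, sizeof value);
    return value;
}
```

With copied_size = 0x400 the -1352 load returns 0xabababababababab, exactly the garbage pointer in the backtrace, while 0x600 (and the older libc's -208 offset) return the real value.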