DynamoRIO / dynamorio · Issue #2117 · Closed
Issue created Dec 16, 2016 by Derek Bruening@derekbrueningContributor

CRASH in client arg parsing code due to failure to copy enough app TLS

I added "-verbose 1" to the drmemtrace client options and a simple test now crashes trying to parse it:

(gdb) bt
#0  0x00007fffed85093f in ____strtoll_l_internal () from libc.so.6
#1  0x00007fffed84bff0 in atoi () from libc.so.6
#2  0x00007ffff7fef0a4 in droption_t<unsigned int>::convert_from_string (this=0x7ffff7ff70b0 <op_verbose>, s=...) at dynamorio/trunk/ext/droption/droption.h:443
#3  0x00007ffff7feb9c7 in droption_parser_t::parse_argv (scope=1, argc=6, argv=0x4b53ca08, error_msg=0x7fffe9a53030, last_index=0x0)
    at dynamorio/trunk/ext/droption/droption.h:191
#4  0x00007ffff7fe84b6 in drmemtrace_client_main (id=4294967295, argc=6, argv=0x4b53ca08) at dynamorio/trunk/clients/drcachesim/tracer/tracer.cpp:851
#5  0x00000000004282ee in dr_client_main (id=4294967295, argc=6, argv=0x4b53ca08) at 
#6  0x00000000006e77b7 in instrument_init () at dynamorio/trunk/core/lib/instrument.c:681
#7  0x0000000000559466 in dynamorio_app_init () at dynamorio/trunk/core/dynamo.c:648
#8  0x000000000056fd04 in dr_app_setup () at dynamorio/trunk/core/dynamo.c:2584

(gdb) x/4i $pc
=> 0x7fffed85093f <____strtoll_l_internal+31>:  mov    0x8(%r8),%rax
(gdb) p /x $r8
$14 = 0xabababababababab

r8 is unmodified earlier in that function.

(gdb) x/10i 0x00007fffed84bff0-5
   0x7fffed84bfeb <atoi+11>:    callq  0x7fffed8508c0 <strtoq>
(gdb) disas strtoq
Dump of assembler code for function strtoq:
   0x00007fffed8508c0 <+0>:     push   %rbp
   0x00007fffed8508c1 <+1>:     mov    0x3714f8(%rip),%rax        # 0x7fffedbc1dc0
   0x00007fffed8508c8 <+8>:     xor    %ecx,%ecx
   0x00007fffed8508ca <+10>:    mov    %rsp,%rbp
   0x00007fffed8508cd <+13>:    pop    %rbp
   0x00007fffed8508ce <+14>:    mov    %fs:(%rax),%r8
   0x00007fffed8508d2 <+18>:    jmpq   0x7fffed850920 <____strtoll_l_internal>

(gdb) x/1gx 0x7fffedbc1dc0
0x7fffedbc1dc0: 0xfffffffffffffab8
(gdb) x/1gd 0x7fffedbc1dc0
0x7fffedbc1dc0: -1352

So DR has set up TLS for this thread, and saved away the app's TLS and swapped to the privlib TLS.

But if I add -verbose 1 to the burst_static test it works fine. And if TLS were this messed up how did anything run so far on google3?

On the laptop it reads this value:

Breakpoint 2, 0x00007f21f3ca13ed in strtoq () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) p /x $r8
$1 = 0x7f21f4023060
(gdb) p $rax
$2 = -208

On the desktop with the DR build (i.e., system libc):

(gdb) x/1gx 0x7f21f4021dc0
0x7f21f4021dc0:	0xffffffffffffff30

Is it this in loader_linux.c being too small -- maybe some libc update or something increased what we need?

# define APP_LIBC_TLS_SIZE 0x400

When I increase that to 0x600, the crash goes away.
