ASSERT target beyond 8-bit reach in drmemtrace with -prof_pcs
Running drmemtrace with -prof_pcs results in an assert:
#5 0x000000000987f681 in external_error (file=0xe0eee90 <.L.str.209> "core/arch/x86/encode.c", line=2208,
msg=0xe0ef7b4 <.L.str.278> "encode_cti error: target beyond 8-bit reach") at core/utils.c:197
#6 0x0000000009516bf6 in encode_cti (instr=0x4ff90410, copy_pc=0x4feb5093 "㫫", '\253' <repeats 197 times>..., final_pc=0x4feb5093 "㫫", '\253' <repeats 197 times>...,
check_reachable=1 '\001', assert_reachable=1 '\001') at core/arch/x86/encode.c:2207
#7 0x0000000009514f5b in instr_encode_arch (dcontext=0x4ff60600, instr=0x4ff90410, copy_pc=0x4feb5093 "㫫", '\253' <repeats 197 times>...,
final_pc=0x4feb5093 "㫫", '\253' <repeats 197 times>..., check_reachable=1 '\001', has_instr_opnds=0x0, assert_reachable=1 '\001')
at core/arch/x86/encode.c:2360
#8 0x0000000009486fdf in instr_encode_to_copy (dcontext=0x4ff60600, instr=0x4ff90410, copy_pc=0x4feb5093 "㫫", '\253' <repeats 197 times>...,
final_pc=0x4feb5093 "㫫", '\253' <repeats 197 times>...) at core/arch/encode_shared.c:120
#9 0x0000000009487019 in instr_encode (dcontext=0x4ff60600, instr=0x4ff90410, pc=0x4feb5093 "㫫", '\253' <repeats 197 times>...)
at core/arch/encode_shared.c:127
#10 0x00000000095a1a31 in set_linkstub_fields (dcontext=0x4ff60600, f=0x4fe89e60, ilist=0x4ff8f610, num_direct_stubs=1, num_indirect_stubs=0, emit=1 '\001')
at core/emit.c:371
#11 0x00000000095b1696 in emit_fragment_common (dcontext=0x4ff60600, tag=0x7f46353b087d <poll+45> "H\213<$H\211\302\350\347\034", ilist=0x4ff8f610, flags=16777216,
vmlist=0x4fe89e18, link_fragment=1 '\001', add_to_htable=1 '\001', replace_fragment=0x0) at core/emit.c:682
#12 0x00000000095bd133 in emit_fragment_ex (dcontext=0x4ff60600, tag=0x7f46353b087d <poll+45> "H\213<$H\211\302\350\347\034", ilist=0x4ff8f610, flags=16777216,
vmlist=0x4fe89e18, link=1 '\001', visible=1 '\001') at core/emit.c:1011
#13 0x00000000094aabe0 in build_basic_block_fragment (dcontext=0x4ff60600, start=0x7f46353b087d <poll+45> "H\213<$H\211\302\350\347\034", initial_flags=0, link=1 '\001',
visible=1 '\001', for_trace=0 '\000', unmangled_ilist=0x0) at core/arch/interp.c:5133
(gdb) x/30i f->start_pc
0x4feb5008: add $0x7f,%al
0x4feb500a: sahf
0x4feb500b: addr32 mov %gs:0x0,%rax
0x4feb5013: mov %gs:0x10,%rcx
0x4feb501c: mov %rcx,%gs:0x98
0x4feb5025: mov %gs:0xa8,%rcx
0x4feb502e: movabs $0x2000600a0003687d,%rdx
0x4feb5038: mov %rdx,(%rcx)
0x4feb503b: lea (%rsp),%rdx
0x4feb503f: mov %gs:0xa8,%rcx
0x4feb5048: mov %rdx,0x8(%rcx)
0x4feb504c: lea 0x10(%rcx),%rcx
0x4feb5050: mov %rcx,%gs:0xa8
0x4feb5059: mov (%rsp),%rdi
0x4feb505d: mov %rax,%rdx
0x4feb5060: mov %rbx,%gs:0xa0
0x4feb5069: mov %gs:0xa8,%rcx
0x4feb5072: lea -0x8(%rsp),%rbx
0x4feb5077: mov %gs:0xa8,%rcx
0x4feb5080: mov %rbx,(%rcx)
0x4feb5083: lea 0x8(%rcx),%rcx
0x4feb5087: mov %rcx,%gs:0xa8
0x4feb5090: mov (%rcx),%rcx
0x4feb5093: jrcxz 0x4feb5040
0x4feb5095: stos %eax,%es:(%rdi)
0x4feb5096: stos %eax,%es:(%rdi)
(gdb) p /x target
$2 = 0x4feb5127
(gdb) p target - (int)final_pc
$6 = 148
instrument_clean_call in tracer.cpp inserts this jrcxz, whose 8-bit signed displacement (at most +127 bytes forward) cannot reach a target 148 bytes away:
/* i#2049: we use DR_CLEANCALL_ALWAYS_OUT_OF_LINE to ensure our jecxz
* reaches across the clean call (o/w we need 2 jmps to invert the jecxz).
* Long-term we should try a fault instead (xref drx_buf) or a lean
* proc to clean call gencode.
(gdb) p instrlist_disassemble(dcontext, tag, ilist, 1)
$7 = void
+0 m4 @0x000000004ff8fa38 65 48 89 0c 25 98 00 mov %rcx -> %gs:0x00000098[8byte]
00 00
+9 m4 @0x000000004ff8fab0 65 48 8b 0c 25 a8 00 mov %gs:0x000000a8[8byte] -> %rcx
00 00
+18 m4 @0x000000004ff8fb28 48 ba 7d 68 03 00 0a mov $0x2000600a0003687d -> %rdx
60 00 20
+28 m4 @0x000000004ff8fba0 48 89 11 mov %rdx -> (%rcx)[8byte]
+31 m4 @0x000000004ff8fc18 <label>
+31 m4 @0x000000004ff8fc78 48 8d 14 24 lea (%rsp) -> %rdx
+35 m4 @0x000000004ff8fcf0 65 48 8b 0c 25 a8 00 mov %gs:0x000000a8[8byte] -> %rcx
00 00
+44 m4 @0x000000004ff8fd68 48 89 51 08 mov %rdx -> 0x08(%rcx)[8byte]
+48 m4 @0x000000004ff8fde0 <label>
+48 m4 @0x000000004ff8fe40 48 8d 49 10 lea 0x10(%rcx) -> %rcx
+52 m4 @0x000000004ff8feb8 65 48 89 0c 25 a8 00 mov %rcx -> %gs:0x000000a8[8byte]
00 00
+61 L3 48 8b 3c 24 mov (%rsp)[8byte] -> %rdi
+65 L3 48 89 c2 mov %rax -> %rdx
+68 m4 @0x000000004ff8ff30 65 48 89 1c 25 a0 00 mov %rbx -> %gs:0x000000a0[8byte]
00 00
+77 m4 @0x000000004ff8ffa8 65 48 8b 0c 25 a8 00 mov %gs:0x000000a8[8byte] -> %rcx
00 00
+86 m4 @0x000000004ff90020 <label>
+86 m4 @0x000000004ff90080 48 8d 5c 24 f8 lea 0xfffffff8(%rsp) -> %rbx
+91 m4 @0x000000004ff900f8 65 48 8b 0c 25 a8 00 mov %gs:0x000000a8[8byte] -> %rcx
00 00
+100 m4 @0x000000004ff90170 48 89 19 mov %rbx -> (%rcx)[8byte]
+103 m4 @0x000000004ff901e8 <label>
+103 m4 @0x000000004ff90248 48 8d 49 08 lea 0x08(%rcx) -> %rcx
+107 m4 @0x000000004ff902c0 65 48 89 0c 25 a8 00 mov %rcx -> %gs:0x000000a8[8byte]
00 00
+116 m4 @0x000000004ff90398 48 8b 09 mov (%rcx)[8byte] -> %rcx
+119 m4 @0x000000004ff90410 e3 92 jrcxz @0x000000004ff90338[8byte] %rcx
+121 m4 @0x000000004ff904e8 65 48 a3 00 00 00 00 mov %rax -> %gs:0x00[8byte]
00 00 00 00
+132 m4 @0x000000004ff90548 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+143 m4 @0x000000004ff905c0 48 89 60 18 mov %rsp -> 0x18(%rax)[8byte]
+147 m4 @0x000000004ff90638 48 8b a0 e8 02 00 00 mov 0x000002e8(%rax)[8byte] -> %rsp
+154 m4 @0x000000004ff906b0 65 48 a1 00 00 00 00 mov %gs:0x00[8byte] -> %rax
00 00 00 00
+165 m4 @0x000000004ff90728 48 8d a4 24 58 fd ff lea 0xfffffd58(%rsp) -> %rsp
ff
+173 m4 @0x000000004ff907a0 e8 5b 6e f2 ff call $0x000000004feafd80 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+178 m4 @0x000000004ff90818 <label>
+178 m4 @0x000000004ff90878 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+189 m4 @0x000000004ff908f0 c7 80 00 03 00 00 0a mov $0x0000000a -> 0x00000300(%rax)[4byte]
00 00 00
+199 m4 @0x000000004ff90968 e8 0b 75 4b b9 call $0x0000000009440430 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+204 m4 @0x000000004ff90a28 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+215 m4 @0x000000004ff90aa0 c7 80 00 03 00 00 09 mov $0x00000009 -> 0x00000300(%rax)[4byte]
00 00 00
+225 m4 @0x000000004ff90b18 e8 1b 6f f2 ff call $0x000000004feafe40 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+230 m4 @0x000000004ff90bd8 65 48 a3 00 00 00 00 mov %rax -> %gs:0x00[8byte]
00 00 00 00
+241 m4 @0x000000004ff90c50 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+252 m4 @0x000000004ff90cc8 48 8b 60 18 mov 0x18(%rax)[8byte] -> %rsp
+256 m4 @0x000000004ff90d40 65 48 a1 00 00 00 00 mov %gs:0x00[8byte] -> %rax
00 00 00 00
+267 m4 @0x000000004ff90338 <label>
+267 m4 @0x000000004ff90db8 65 48 8b 0c 25 98 00 mov %gs:0x00000098[8byte] -> %rcx
00 00
+276 m4 @0x000000004ff90e30 65 48 8b 1c 25 a0 00 mov %gs:0x000000a0[8byte] -> %rbx
00 00
+285 m4 @0x000000004ff90f58 68 89 08 3b 35 push $0x353b0889 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+290 m4 @0x000000004ff90fb8 c7 44 24 04 46 7f 00 mov $0x00007f46 -> 0x04(%rsp)[4byte]
00
+298 L4 @0x000000004ff90ef8 e9 4b 96 42 e5 jmp $0x00007f46353b2570
END 0x00007f46353b087d
Compared with a local run:
# bin64/drrun -loglevel 4 -c clients/lib64/debug/libdrmemtrace.so -offline -outdir /tmp -- suite/tests/bin/common.eflags
+100 m4 @0x0000000046c29e70 e3 fe jrcxz @0x0000000046c29df8[8byte] %rcx
+102 m4 @0x0000000046c29fc0 65 48 a3 00 00 00 00 mov %rax -> %gs:0x00[8byte]
00 00 00 00
+113 m4 @0x0000000046c2a128 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+124 m4 @0x0000000046c2a350 48 89 60 18 mov %rsp -> 0x18(%rax)[8byte]
+128 m4 @0x0000000046c29f48 48 8b a0 e8 02 00 00 mov 0x000002e8(%rax)[8byte] -> %rsp
+135 m4 @0x0000000046c2a830 65 48 a1 00 00 00 00 mov %gs:0x00[8byte] -> %rax
00 00 00 00
+146 m4 @0x0000000046c2a038 48 8d a4 24 58 fd ff lea 0xfffffd58(%rsp) -> %rsp
ff
+154 m4 @0x0000000046c29d38 e8 bb 54 f9 ff call $0x0000000046bbbd80 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+159 m4 @0x0000000046c2a1a0 <label>
+159 m4 @0x0000000046c2aa28 e8 52 37 3e 2b call $0x000000007200a017 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+164 m4 @0x0000000046c2a9c8 e8 7b 55 f9 ff call $0x0000000046bbbe40 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+169 m4 @0x0000000046c2a5c0 65 48 a3 00 00 00 00 mov %rax -> %gs:0x00[8byte]
00 00 00 00
+180 m4 @0x0000000046c2a488 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+191 m4 @0x0000000046c299f0 48 8b 60 18 mov 0x18(%rax)[8byte] -> %rsp
+195 m4 @0x0000000046c2a758 65 48 a1 00 00 00 00 mov %gs:0x00[8byte] -> %rax
00 00 00 00
+206 m4 @0x0000000046c29df8 <label>
The failing block contains two extra pairs of an 11-byte and a 10-byte instruction, adding 42 bytes between the jrcxz and its target.
Aha: the extra instructions come from the -profile_pcs-specific code in insert_meta_call_vargs(), which sets whereami.