CRASH: all VS2013-built clients on XP
For #2406 we want to drop VS2010 support. However, VS2013-built clients are crashing on XP due to CRT issues.
RC1, built with VS2010, or "RC3" latest sources (where bbcount uses drx) built with VS2010:
% bin32/drrun -debug -c samples/bin32/bbcount.dll -- ../hello.exe
<Starting application C:\derek\hello.exe (3216)>
<Initial options = -no_dynamic_options -client_lib 'C:\derek\DynamoRIO-Windows-7.0.0-RC1\samples\bin32\bbcount.dll;0;' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct -no_aslr_dr -pad_jmps_mark_no_trace >
Client bbcount is running
Hello world!
<Stopping application C:\derek\hello.exe (3216)>
"RC3" built with VS2013:
% bin32/drrun -debug -c samples/bin32/bbcount.dll -- ../hello.exe
<Starting application C:\derek\hello.exe (1576)>
Segmentation fault
0:000> kp
ChildEBP RetAddr
00dbf278 1535c229 dynamorio!redirect_RtlProcessFlsData(struct _LIST_ENTRY * fls_data = 0x00000000)+0x20 [d:\dynamorio_package\core\win32\drwinapi\ntdll_redir.c @ 1046]
00dbf28c 1000254e dynamorio!redirect_FlsSetValue(unsigned long index = 1, void * value = 0x1d3fdc50)+0x39 [d:\dynamorio_package\core\win32\drwinapi\kernel32_proc.c @ 190]
00dbf29c 1000190e bbcount!__crtFlsSetValue(unsigned long dwFlsIndex = 1, void * lpFlsData = 0x1d3fdc50)+0x18 [f:\dd\vctools\crt\crtw32\misc\winapisupp.c @ 446]
00dbf2ac 10001205 bbcount!_mtinit(void)+0x4c [f:\dd\vctools\crt\crtw32\startup\tidtable.c @ 115]
00dbf2dc 100013cb bbcount!_CRT_INIT(void * hDllHandle = 0x10000000, unsigned long dwReason = 1, void * lpreserved = 0x00000000)+0x29 [f:\dd\vctools\crt\crtw32\startup\dllcrt0.c @ 102]
00dbf31c 1000136a bbcount!__DllMainCRTStartup(void * hDllHandle = 0x10000000, unsigned long dwReason = 1, void * lpreserved = 0x00000000)+0x5a [f:\dd\vctools\crt\crtw32\startup\dllcrt0.c @ 371]
00dbf330 15353890 bbcount!_DllMainCRTStartup(void * hDllHandle = 0x10000000, unsigned long dwReason = 1, void * lpreserved = 0x00000000)+0x1c [f:\dd\vctools\crt\crtw32\startup\dllcrt0.c @ 340]
00dbf39c 15213ba7 dynamorio!privload_call_entry(struct _privmod_t * privmod = 0x1d3fa558, unsigned int reason = 1)+0x220 [d:\dynamorio_package\core\win32\loader.c @ 1321]
00dbf3b4 152128db dynamorio!privload_load_finalize(struct _privmod_t * privmod = 0x1d3fa558)+0x137 [d:\dynamorio_package\core\loader_shared.c @ 718]
00dbf538 15073d3f dynamorio!loader_init(void)+0x19b [d:\dynamorio_package\core\loader_shared.c @ 127]
The faulting line (ntdll_redir.c @ 1046) dereferences peb->FlsBitmap, which is NULL on XP (see the PEB dump below):
    size_t fls_data_sz = sizeof(LIST_ENTRY) +
        sizeof(void*) * peb->FlsBitmap->SizeOfBitMap;
PEB
+0x20c FlsCallback : (null)
+0x210 FlsListHead : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x218 FlsBitmap : (null)
+0x21c FlsBitmapBits : [4] 0
+0x22c FlsHighIndex : 0
TEB
+0xfb4 FlsData : (null)
DRstats (native process) fully initialized:
0:001> dd 7ffdf000+218
7ffdf218 00000000 00000000 00000000 00000000
0:001> !teb
FiberData: 00001e00
0:000> x kernel32!Fls*
<nothing>
The VS2013 CRT code is supposed to fall back to Tls if there's no Fls. It checks more than just FlsAlloc, so all we have to do is expand this code:
    if (get_proc_address_ex(mod->base, "FlsAlloc", NULL) == NULL) {
        /* i#1385: msvc110+ calls GetProcAddress on FlsAlloc and we want it to
         * return NULL if there is no underlying FlsAlloc.
         */
        IF_DEBUG(bool found =)
            strhash_hash_remove(GLOBAL_DCONTEXT, kernel32_table, "FlsAlloc");
        ASSERT(found);
    }
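To make the expansion concrete, here is an added model (not DynamoRIO's code) of the private loader's kernel32 redirection table next to a VS2013-style CRT that resolves FlsAlloc, FlsGetValue, FlsSetValue and FlsFree one at a time, each with its own Tls* fallback. The export lists, the redirection table and the names name_in, prune_fls, client_get_proc and scenario_consistent are all constructed for the demo; they stand in for get_proc_address_ex, kernel32_table and strhash_hash_remove rather than being those functions. It shows why dropping only "FlsAlloc" leaves the client pairing a TlsAlloc index with a redirected FlsSetValue on XP, which is the mix in the stack above, and why dropping every Fls* entry keeps the CRT consistent.

```c
/* Added example, not DynamoRIO's code: a model of the private loader's
 * kernel32 redirection table against a VS2013-style CRT that resolves
 * FlsAlloc/FlsGetValue/FlsSetValue/FlsFree one at a time, each with its own
 * Tls* fallback. All tables and names here are constructed for the demo. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NUM_FLS 4
static const char *const FLS_APIS[NUM_FLS] = { "FlsAlloc", "FlsGetValue", "FlsSetValue", "FlsFree" };

static bool name_in(const char *const *names, size_t count, const char *name)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(names[i], name) == 0)
            return true;
    return false;
}
/* Constructed stand-in for the real kernel32 export list (DR's get_proc_address_ex). */
typedef struct { const char *const *names; size_t count; } exports_t;
static const char *const XP_NAMES[] = { "TlsAlloc", "TlsGetValue", "TlsSetValue", "TlsFree" };
static const char *const WIN7_NAMES[] = { "TlsAlloc", "TlsGetValue", "TlsSetValue", "TlsFree",
                                          "FlsAlloc", "FlsGetValue", "FlsSetValue", "FlsFree" };
static const exports_t XP_K32 = { XP_NAMES, 4 }, WIN7_K32 = { WIN7_NAMES, 8 };
/* Stand-in for DR's kernel32_table: names the private loader redirects to its
 * own implementations (redirect_FlsSetValue etc.) instead of the real export. */
typedef struct { const char *names[NUM_FLS]; size_t count; } redir_table_t;

/* Stand-in for strhash_hash_remove(): returns whether the entry was present. */
static bool redir_remove(redir_table_t *t, const char *name)
{
    for (size_t i = 0; i < t->count; i++) {
        if (strcmp(t->names[i], name) == 0) {
            t->names[i] = t->names[--t->count];
            return true;
        }
    }
    return false;
}

/* The check as quoted in the issue (only FlsAlloc is dropped) and the expanded
 * one (no underlying FlsAlloc means no Fls* redirection at all). */
static void prune_fls(redir_table_t *t, const exports_t *k32, bool expanded)
{
    if (name_in(k32->names, k32->count, "FlsAlloc"))
        return;
    redir_remove(t, "FlsAlloc");
    for (size_t i = 1; expanded && i < NUM_FLS; i++)
        redir_remove(t, FLS_APIS[i]);
}

/* What the client's GetProcAddress yields: redirection first, then the real export, else NULL. */
static const char *client_get_proc(const redir_table_t *t, const exports_t *k32, const char *name)
{
    if (name_in(t->names, t->count, name)) return "redirect";
    if (name_in(k32->names, k32->count, name)) return "kernel32";
    return NULL;
}
/* VS2013-style __crtFls* resolution: each API falls back to Tls* on its own. */
typedef struct { const char *target[NUM_FLS]; } crt_binding_t;

static crt_binding_t crt_resolve(const redir_table_t *t, const exports_t *k32)
{
    crt_binding_t b;
    for (size_t i = 0; i < NUM_FLS; i++) {
        const char *hit = client_get_proc(t, k32, FLS_APIS[i]);
        b.target[i] = hit != NULL ? hit : "tls-fallback";
    }
    return b;
}

/* Runs one scenario and reports whether all four APIs landed in the same family.
 * A TlsAlloc index handed to a redirected FlsSetValue is the mixed case behind
 * the XP stack above. */
static bool scenario_consistent(bool on_xp, bool expanded_check)
{
    const exports_t *k32 = on_xp ? &XP_K32 : &WIN7_K32;
    redir_table_t t;
    memcpy(t.names, FLS_APIS, sizeof(FLS_APIS));
    t.count = NUM_FLS;
    prune_fls(&t, k32, expanded_check);
    crt_binding_t b = crt_resolve(&t, k32);
    bool consistent = true;
    printf("%s, %s check:", on_xp ? "XP" : "Win7", expanded_check ? "expanded" : "FlsAlloc-only");
    for (size_t i = 0; i < NUM_FLS; i++) {
        printf(" %s=%s", FLS_APIS[i], b.target[i]);
        consistent = consistent && strcmp(b.target[i], b.target[0]) == 0;
    }
    printf(" -> %s\n", consistent ? "consistent" : "MIXED");
    return consistent;
}

int main(void)
{
    scenario_consistent(true, false);  /* XP, current check: MIXED */
    scenario_consistent(true, true);   /* XP, expanded check: all tls-fallback */
    scenario_consistent(false, false); /* Win7: all redirect */
    return 0;
}
```

The model deliberately makes the redirection win over the real export, which is what a client's GetProcAddress sees under the private loader: that is why a redirected FlsSetValue survives the FlsAlloc-only removal and gets handed the TLS index the CRT obtained from its fallback.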