Skip to content
GitLab
Closed
Issue created by Derek Bruening@derekbrueningContributor

regression in drutil_insert_get_mem_addr

While working on https://github.com/DynamoRIO/drmemory/issues/1795 I hit a false positive unaddr due to getting the wrong address from a far ref:

~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS: writing 0xef8444c0-0xef8444c4 4 byte(s)
~~Dr.M~~ # 0 libc.so.6!__GI___ctype_init
~~Dr.M~~ # 1 libc.so.6!_init    
~~Dr.M~~ # 2 ld-linux.so.2!call_init.part.0
~~Dr.M~~ # 3 ld-linux.so.2!_dl_init     
~~Dr.M~~ # 4 ld-linux.so.2!_dl_start_user
~~Dr.M~~ Note: @0:00:06.822 in thread 23665
~~Dr.M~~ Note: instruction: mov    %ecx -> %gs:(%ebx)

It turns out to incorrectly get the address. It's a regression from the "DrMi#2041: improve drutil_insert_get_mem_addr_x8" commit for https://github.com/DynamoRIO/drmemory/issues/2041 which tried to limit when the scratch reg was used on x86:

       L3              65 89 0b             mov    %ecx -> %gs:(%ebx)[4byte]
=>
 +616  m4 @0xe7832150  64 8b 1d 70 00 00 00 mov    %fs:0x00000070[4byte] -> %ebx //getapp
 +623  m4 @0xe783a0c0  64 89 2d 74 00 00 00 mov    %ebp -> %fs:0x00000074[4byte] //spill
 +630  m4 @0xe7833868  64 8b 1d 48 00 00 00 mov    %fs:0x48[4byte] -> %ebx  //gsbase
 +637  m4 @0xe783fba4  65 8d 2b             lea    %gs:(%ebx) -> %ebp
 +640  m4 @0xe7838674  8d 1c 2b             lea    (%ebx,%ebp) -> %ebx

The move of dr_insert_get_seg_base() up above the 1st lea is the problem.

This causes an exit to the slowpath, which computes the correct address. But in my in-progress implementation the slowpath fails to restore the app %ebx value, raising the error.

After the fix:

 +616  m4 @0xe77e109c  64 8b 1d 70 00 00 00 mov    %fs:0x00000070[4byte] -> %ebx
 +623  m4 @0xe7876708  64 89 2d 74 00 00 00 mov    %ebp -> %fs:0x00000074[4byte]
 +630  m4 @0xe786e9bc  65 8d 2b             lea    %gs:(%ebx) -> %ebp
 +633  m4 @0xe786f410  64 8b 1d 48 00 00 00 mov    %fs:0x48[4byte] -> %ebx
 +640  m4 @0xe78786e8  8d 1c 2b             lea    (%ebx,%ebp) -> %ebx

Hmm, we can do better here: one step, by swapping dst and scratch:

 +616  m4 @0xe779d09c  64 8b 1d 70 00 00 00 mov    %fs:0x00000070[4byte] -> %ebx
 +623  m4 @0xe7832708  64 89 2d 74 00 00 00 mov    %ebp -> %fs:0x00000074[4byte]
 +630  m4 @0xe782a9bc  64 8b 2d 48 00 00 00 mov    %fs:0x48[4byte] -> %ebp
 +637  m4 @0xe782b410  8d 1c 2b             lea    (%ebx,%ebp) -> %ebx