CRASH (7.91.18219) pc is null in decode_sizeof
Created by: TomSie
**Describe the bug**

I am trying to run a linux x64 application, that I unfortunately cannot publish, in dynamorio. When I run "drrun -t drcov -- application" dynamorio crashes in "decode_sizeof" as "pc" is "null" (core/arch/x86/decode_fast.c:469).

Callstack:

```
decode_sizeof   in decode_fast.c:465
decode_cti      in decode_fast.c:1314
decode_fragment in interp.c:7267
```
The error output is:

```
Application application (14798).  DrCov internal crash at PC 0x00000000712564f0.  Please report this at http://dynamorio.org/issues.  Program aborted.
Received SIGSEGV at pc 0x00000000712564f0 in thread 15154
Base: 0x0000000071000000
Registers:eax=0x0000000000000000 ebx=0x0000000000000200 ecx=0x00007fff34045a54 edx=0x00007fff34045a58
        esi=0x0000000000000000 edi=0x00007fff33b45b40 esp=0x00007fff340459d0 ebp=0x00007fff34045a20
        r8 =0x00007fff34045a5e r9 =0x00007fff34045ca4 r10=0x0000000000000000 r11=0x0000000000000246
        r12=0x524409d81dfa1097 r13=0xfdb854c350745776 r14=0x23f6b0b430d5da0f r15=0x4bf3295900c90260
        eflags=0x0000000000010202
version 7.91.18219, custom build
-no_dynamic_options -client_lib '/home/csafuzz/fluffi/persistent/x64/dynamorio/bin64/../clients/lib64/debug/libdrcov.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -nop_initial_bblock -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native
0x00007fff34045a20 0x00000000712571d4
0x00007fff34045ae0 0x0000000071273127
0x00007fff34045c60 0x0000000071270999
0x00007fff34045cf0 0x0000000071186677
0x00007fff34045d40 0x000000007118a0aa
0x00007fff34045f10 0x00000000710c3e83
0x00007fff34045ff0 0x00007fffb3c52f0d
0x00007fff2c025140 0x90789812acf12b15
```
When I run "drrun -- application", I get signal 4 (SIGILL?) in libcrypto:

```
Application application (48921).  Application exception at PC 0x00007ffff68dae60.  Signal 4 delivered to application as default action.
Callstack:
0x00007ffff68dae60 libcrypto.so.1.1+0xdce60
0xcbf6244203b11a7f
```
The crash seems to be inside the "__bn_postx4x_internal" function. The disassembly there is:

```
0x00007ffff68dae50: mov  0x0(%rbp),%r12
0x00007ffff68dae54: mov  0x8(%rbp),%r13
0x00007ffff68dae58: mov  0x10(%rbp),%r14
0x00007ffff68dae5c: mov  0x18(%rbp),%r15
0x00007ffff68dae60: andn %rax,%r12,%r12
0x00007ffff68dae65: lea  0x20(%rbp),%rbp
0x00007ffff68dae69: andn %rax,%r13,%r13
0x00007ffff68dae6e: andn %rax,%r14,%r14
```
**Versions**

I am using dynamorio commit dadb8ff2, with "-DDEBUG=ON".

**Reproducing**

I am aware that most likely you cannot reproduce the issue on your side without me giving you the binary. However, maybe you could tell me how I could extract the info you need to understand the issue.