CRASH in os_loader_thread_init_prologue
Created by: trylab
Describe the bug
Crash happens in os_loader_thread_init_prologue
Screenshots or Pasted Text
2:012> bu dynamorio!os_loader_thread_init_prologue
2:012> g
Breakpoint 0 hit
dynamorio!os_loader_thread_init_prologue:
00000000`710cbd40 48895c2408 mov qword ptr [rsp+8],rbx ss:00000001`33faf7e0=000001d7aea19080
2:012> p
dynamorio!os_loader_thread_init_prologue+0x5:
00000000`710cbd45 57 push rdi
2:012> p
dynamorio!os_loader_thread_init_prologue+0x6:
00000000`710cbd46 4883ec20 sub rsp,20h
2:012> p
dynamorio!os_loader_thread_init_prologue+0xa:
00000000`710cbd4a 488bd9 mov rbx,rcx
2:012> p
dynamorio!os_loader_thread_init_prologue+0xd:
00000000`710cbd4d 33ff xor edi,edi
2:012> p
dynamorio!os_loader_thread_init_prologue+0xf:
00000000`710cbd4f 8b0deb1f0c00 mov ecx,dword ptr [dynamorio!tls_next_idx (00000000`7118dd40)] ds:00000000`7118dd40=00000001
2:012> p
dynamorio!os_loader_thread_init_prologue+0x15:
00000000`710cbd55 85c9 test ecx,ecx
2:012> p
dynamorio!os_loader_thread_init_prologue+0x17:
00000000`710cbd57 7e4f jle dynamorio!os_loader_thread_init_prologue+0x68 (00000000`710cbda8) [br=0]
2:012> p
dynamorio!os_loader_thread_init_prologue+0x19:
00000000`710cbd59 8b05e51f0c00 mov eax,dword ptr [dynamorio!tls_array_count (00000000`7118dd44)] ds:00000000`7118dd44=00000000
2:012> p
dynamorio!os_loader_thread_init_prologue+0x1f:
00000000`710cbd5f 85c0 test eax,eax
2:012> p
dynamorio!os_loader_thread_init_prologue+0x21:
00000000`710cbd61 0f44c1 cmove eax,ecx
2:012> p
dynamorio!os_loader_thread_init_prologue+0x24:
00000000`710cbd64 488d4fff lea rcx,[rdi-1]
2:012> p
dynamorio!os_loader_thread_init_prologue+0x28:
00000000`710cbd68 4863d0 movsxd rdx,eax
2:012> p
dynamorio!os_loader_thread_init_prologue+0x2b:
00000000`710cbd6b 48c1e203 shl rdx,3
2:012> p
dynamorio!os_loader_thread_init_prologue+0x2f:
00000000`710cbd6f 8905cf1f0c00 mov dword ptr [dynamorio!tls_array_count (00000000`7118dd44)],eax ds:00000000`7118dd44=00000000
2:012> !address 00000000`7118dd44
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Image
Base Address: 00000000`7118d000
End Address: 00000000`71199000
Region Size: 00000000`0000c000 ( 48.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 01000000 MEM_IMAGE
Allocation Base: 00000000`71000000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
2:012> g
Breakpoint 0 hit
dynamorio!os_loader_thread_init_prologue:
00000000`710cbd40 48895c2408 mov qword ptr [rsp+8],rbx ss:00000001`345fed78=000001d7ae9fd9c0
2:011> p
dynamorio!os_loader_thread_init_prologue+0x5:
00000000`710cbd45 57 push rdi
2:011> p
dynamorio!os_loader_thread_init_prologue+0x6:
00000000`710cbd46 4883ec20 sub rsp,20h
2:011> p
dynamorio!os_loader_thread_init_prologue+0xa:
00000000`710cbd4a 488bd9 mov rbx,rcx
2:011> p
dynamorio!os_loader_thread_init_prologue+0xd:
00000000`710cbd4d 33ff xor edi,edi
2:011> p
dynamorio!os_loader_thread_init_prologue+0xf:
00000000`710cbd4f 8b0deb1f0c00 mov ecx,dword ptr [dynamorio!tls_next_idx (00000000`7118dd40)] ds:00000000`7118dd40=00000001
2:011> p
dynamorio!os_loader_thread_init_prologue+0x15:
00000000`710cbd55 85c9 test ecx,ecx
2:011> p
dynamorio!os_loader_thread_init_prologue+0x17:
00000000`710cbd57 7e4f jle dynamorio!os_loader_thread_init_prologue+0x68 (00000000`710cbda8) [br=0]
2:011> p
dynamorio!os_loader_thread_init_prologue+0x19:
00000000`710cbd59 8b05e51f0c00 mov eax,dword ptr [dynamorio!tls_array_count (00000000`7118dd44)] ds:00000000`7118dd44=00000001
2:011> p
dynamorio!os_loader_thread_init_prologue+0x1f:
00000000`710cbd5f 85c0 test eax,eax
2:011> p
dynamorio!os_loader_thread_init_prologue+0x21:
00000000`710cbd61 0f44c1 cmove eax,ecx
2:011> p
dynamorio!os_loader_thread_init_prologue+0x24:
00000000`710cbd64 488d4fff lea rcx,[rdi-1]
2:011> p
dynamorio!os_loader_thread_init_prologue+0x28:
00000000`710cbd68 4863d0 movsxd rdx,eax
2:011> p
dynamorio!os_loader_thread_init_prologue+0x2b:
00000000`710cbd6b 48c1e203 shl rdx,3
2:011> p
dynamorio!os_loader_thread_init_prologue+0x2f:
00000000`710cbd6f 8905cf1f0c00 mov dword ptr [dynamorio!tls_array_count (00000000`7118dd44)],eax ds:00000000`7118dd44=00000001
2:011> !address 00000000`7118dd44
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Image
Base Address: 00000000`7118d000
End Address: 00000000`711a5000
Region Size: 00000000`00018000 ( 96.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000002 PAGE_READONLY
Type: 01000000 MEM_IMAGE
Allocation Base: 00000000`71000000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
2:011> !heap -p -a 00000000`7118dd44
2:011> p
(11b0.1248): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
dynamorio!os_loader_thread_init_prologue+0x2f:
00000000`710cbd6f 8905cf1f0c00 mov dword ptr [dynamorio!tls_array_count (00000000`7118dd44)],eax ds:00000000`7118dd44=00000001
2:011> k
# Child-SP RetAddr Call Site
00 00000001`345fed48 00000000`7104472a dynamorio!os_loader_thread_init_prologue+0x2f [c:\projects\dynamorio\core\win32\loader.c @ 384]
01 00000001`345fed78 00000000`71005615 dynamorio!loader_thread_init+0x2a [c:\projects\dynamorio\core\loader_shared.c @ 277]
02 00000001`345feda8 00000000`710b4185 dynamorio!dynamo_thread_init+0x515 [c:\projects\dynamorio\core\dynamo.c @ 2394]
03 00000001`345fee18 00000000`710b3fa5 dynamorio!intercept_new_thread+0xa5 [c:\projects\dynamorio\core\win32\callback.c @ 3139]
04 00000001`345ff158 00000000`71184ce5 dynamorio!intercept_ldr_init+0x95 [c:\projects\dynamorio\core\win32\callback.c @ 3390]
05 00000001`345ff188 00000000`00000000 dynamorio!interception_code_array+0xce5
Versions
- What version of DynamoRIO are you using? DynamoRIO-Windows-7.91.18308.zip
- Does the latest build from https://github.com/DynamoRIO/dynamorio/wiki/Latest-Build solve the problem? Not tested
- What operating system version are you running on? ("Windows 10" is not sufficient: give the release number.) Windows 10 Pro 1909 18363.657
- Is your application 32-bit or 64-bit? 64-bit
Additional context
Please note that dynamorio!tls_array_count becomes read-only when the crash happens.
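The two `!address` dumps in the report are what support the read-only observation: the same address 00000000`7118dd44 first sits in a 0xc000-byte PAGE_READWRITE region and, at the second breakpoint hit, in a 0x18000-byte PAGE_READONLY region, so the `mov dword ptr [tls_array_count],eax` store at +0x2f faults. As an added example (not code from this issue or from the DynamoRIO project), the following Python script parses `!address` output of this shape, checks that the faulting address lies inside the reported region, decides from the protection flags whether a plain store would raise an access violation, and diffs the two snapshots field by field. The two snapshot strings are constructed from the values shown above; the PAGE_* and MEM_COMMIT constants are the standard values from winnt.h.

```python
import re
from typing import Dict, List, Optional, Union

RegionInfo = Dict[str, Union[int, str]]

# Constructed from the two `!address 00000000`7118dd44` dumps in the report
# (progress lines and the prompt are kept to show the parser skips them).
SNAPSHOT_BEFORE = """\
2:012> !address 00000000`7118dd44
Mapping module regions...
Usage: Image
Base Address: 00000000`7118d000
End Address: 00000000`71199000
Region Size: 00000000`0000c000 ( 48.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 01000000 MEM_IMAGE
Allocation Base: 00000000`71000000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
"""

SNAPSHOT_AT_CRASH = """\
2:011> !address 00000000`7118dd44
Mapping module regions...
Usage: Image
Base Address: 00000000`7118d000
End Address: 00000000`711a5000
Region Size: 00000000`00018000 ( 96.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000002 PAGE_READONLY
Type: 01000000 MEM_IMAGE
Allocation Base: 00000000`71000000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
"""

TLS_ARRAY_COUNT_ADDR = 0x7118DD44  # address of dynamorio!tls_array_count in the report

# Win32 page-protection constants (winnt.h); the low byte is the base protection,
# PAGE_GUARD and the cache modifiers live above it.
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
MEM_COMMIT = 0x1000
_WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# "Key: value" lines only; "Mapping ..." progress lines and "2:011> ..." prompts do not match.
_FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")


def _hex(token: str) -> int:
    """Parse a WinDbg 64-bit hex value such as 00000000`7118dd44 (backtick separator)."""
    return int(token.replace("`", ""), 16)


def parse_address_region(text: str) -> RegionInfo:
    """Turn one `!address` region dump into a dict of numeric fields plus protection names."""
    info: RegionInfo = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        tokens = value.split()
        if key in ("Base Address", "End Address", "Allocation Base", "Region Size"):
            info[key] = _hex(tokens[0])
        elif key in ("State", "Protect", "Type", "Allocation Protect"):
            info[key] = int(tokens[0], 16)
            info[key + " Name"] = tokens[1] if len(tokens) > 1 else ""
        elif key == "Usage":
            info[key] = value
    return info


def contains(region: RegionInfo, addr: int) -> bool:
    """True if addr falls inside [Base Address, End Address)."""
    return region["Base Address"] <= addr < region["End Address"]


def write_would_fault(region: RegionInfo) -> Optional[str]:
    """Reason a plain store into this region raises an access violation, or None if it is writable."""
    if region.get("State") != MEM_COMMIT:
        return "page is not committed (State=%#x)" % region.get("State", 0)
    prot = region["Protect"]
    if prot & PAGE_GUARD:
        return "guard page (PAGE_GUARD set)"
    if (prot & 0xFF) not in _WRITABLE:
        return "protection %s (%#x) does not permit writes" % (region.get("Protect Name", "?"), prot)
    return None


def diff_regions(before: RegionInfo, after: RegionInfo) -> List[str]:
    """List the region fields that changed between two snapshots, oldest first."""
    changes = []
    for key in ("Base Address", "End Address", "Region Size", "State", "Protect", "Type"):
        if before.get(key) != after.get(key):
            changes.append("%s: %#x -> %#x" % (key, before.get(key, 0), after.get(key, 0)))
    return changes


if __name__ == "__main__":
    before = parse_address_region(SNAPSHOT_BEFORE)
    after = parse_address_region(SNAPSHOT_AT_CRASH)
    for name, region in (("before", before), ("at crash", after)):
        inside = contains(region, TLS_ARRAY_COUNT_ADDR)
        print("%s: address in region=%s, store fault reason=%s" % (name, inside, write_would_fault(region)))
    for change in diff_regions(before, after):
        print("changed:", change)
```

The diff output is the useful part when triaging a report like this one: the protection change from 0x4 to 0x2 together with the grown region size points at something re-protecting the image's data pages after the first thread initialised, rather than at a wild pointer in the faulting function itself.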