CRASH at int 0x2e on win10 1909 at DR init
I've hit this in two scenarios now: one investigating Dr. Memory symbol generation problems for 32-bit on win10 1909, and another with plain DR doing a bisect for #4421 .
The second is simpler. I'm just running:
```
bin32/drrun -stderr_mask 15 -t drcov -- suite/tests/bin/common.segfault.exe
```
The crash is reported like this:
```
---------------------------
DrCov Notice: D:\derek\dr\git\build_x86_dbg_tests\suite\tests\bin\common.segfault.exe(9984)
---------------------------
Application D:\derek\dr\git\build_x86_dbg_tests\suite\tests\bin\common.segfault.exe (9984). DrCov internal crash at PC 0x5fab9a42. Please report this at http://dynamorio.org/issues. Program aborted.
0xc0000005 0x00000000 0x5fab9a42 0x5fab9a42 0x00000000 0xffffffff
Base: 0x5f840000
Registers: eax=0x00000023 ebx=0x7682f4b0 ecx=0x0000004c edx=0x00fee42c
esi=0x00000000 edi=0x00fefe44 esp=0x00fee424 ebp=0x00fee46c
eflags=0x00010202
version 8.0.18439, custom build
-no_dynamic_options -client_lib 'D:\derek\dr\git\build_x86_dbg_tests\clients\lib32\debug\drcov.dll;0;' -client_lib32 'D:\derek\dr\git\build_x86_dbg_tests\clients\lib32\debug\drcov.dll;0;' -client_lib64 'D:\derek\dr\git\build_x86_dbg_tests\clients\lib32\debug\drcov.dll;0;' -code_api -probe_api -stderr_mask 15 -stack_size
0x00fee46c 0x5fb10b8d
0x00fee49c 0x5fad8884
0x00fee4cc 0x5f9801d5
0x00fee550 0x5fafb2ab
0x00fee5b4 0x5faeba04
0x00fee5f0 0x5faf9ea7
0x00fef24c 0x5f84cdae
0x00fefb08 0x5fab8ea1
0x00fefb70 0x5fab9808
---------------------------
OK
---------------------------
```
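The crash report above only gives raw addresses, so to compare it against a debugger session (or a differently-loaded build under ASLR) you want module-relative offsets: PC minus `Base`, and the same for each return address in the `ChildEBP RetAddr` pairs. The following parser is an added triage helper, not DynamoRIO or DrCov code. It assumes the six-value exception line is ordered code, flags, exception address, pc, info[0], info[1], which is inferred by lining it up with the WinDbg `.exr` output later in this issue, and it uses the report text from above (with the long `-client_lib` options trimmed) as constructed sample input.

```python
"""Parse a DynamoRIO/DrCov 'internal crash' report into module-relative offsets.

Added triage helper for this issue (not DynamoRIO code). The field order of the
exception line (code, flags, address, pc, info[0], info[1]) is an assumption
taken from aligning the report with the WinDbg `.exr` output in the issue.
"""
import re
from dataclasses import dataclass

# Sample input: the DrCov crash report from the issue, with the long -client_lib
# options trimmed (constructed test data).
SAMPLE_REPORT = r"""
Application D:\derek\dr\git\build_x86_dbg_tests\suite\tests\bin\common.segfault.exe (9984). DrCov internal crash at PC 0x5fab9a42. Please report this at http://dynamorio.org/issues. Program aborted.
0xc0000005 0x00000000 0x5fab9a42 0x5fab9a42 0x00000000 0xffffffff
Base: 0x5f840000
Registers: eax=0x00000023 ebx=0x7682f4b0 ecx=0x0000004c edx=0x00fee42c
esi=0x00000000 edi=0x00fefe44 esp=0x00fee424 ebp=0x00fee46c
eflags=0x00010202
version 8.0.18439, custom build
-no_dynamic_options -code_api -probe_api -stderr_mask 15 -stack_size
0x00fee46c 0x5fb10b8d
0x00fee49c 0x5fad8884
0x00fee4cc 0x5f9801d5
0x00fee550 0x5fafb2ab
0x00fee5b4 0x5faeba04
0x00fee5f0 0x5faf9ea7
0x00fef24c 0x5f84cdae
0x00fefb08 0x5fab8ea1
0x00fefb70 0x5fab9808
"""

EXCEPTION_ACCESS_VIOLATION = 0xC0000005
# ExceptionInformation[0] of an access violation: 0 = read, 1 = write, 8 = DEP/execute
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}


@dataclass
class CrashReport:
    exception_code: int
    exception_flags: int
    exception_address: int
    pc: int
    access_kind: str
    fault_address: int
    base: int
    registers: dict
    frames: list  # (child_ebp, return_address, module_offset or None)

    @property
    def pc_offset(self):
        """PC relative to the reported module base; this is what a symbolizer wants."""
        return self.pc - self.base


def module_offset(addr, base, max_size=0x1000000):
    """Return addr-base when addr plausibly lies inside the module, else None.
    max_size is an assumed upper bound on the module's mapped size."""
    if base <= addr < base + max_size:
        return addr - base
    return None


def parse_crash_report(text):
    exc = re.search(r"^(0x[0-9a-f]+(?: 0x[0-9a-f]+){5})$", text, re.M)
    base_m = re.search(r"^Base: 0x([0-9a-f]+)$", text, re.M)
    if exc is None or base_m is None:
        raise ValueError("not a DR crash report: missing exception line or Base")
    code, flags, addr, pc, info0, info1 = (int(v, 16) for v in exc.group(1).split())
    base = int(base_m.group(1), 16)
    # Register dump: every name=0x... pair, including eflags on its own line.
    regs = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]+)=0x([0-9a-f]+)", text)}
    # Call stack: one "0xChildEBP 0xRetAddr" pair per line, as in WinDbg's kn output.
    frames = []
    for m in re.finditer(r"^0x([0-9a-f]{8}) 0x([0-9a-f]{8})$", text, re.M):
        ebp, ret = int(m.group(1), 16), int(m.group(2), 16)
        frames.append((ebp, ret, module_offset(ret, base)))
    if code == EXCEPTION_ACCESS_VIOLATION:
        access = ACCESS_KIND.get(info0, f"unknown({info0})")
    else:
        access = "n/a"
    return CrashReport(code, flags, addr, pc, access, info1, base, regs, frames)


def summarize(report):
    """Human-readable triage summary with module-relative offsets."""
    lines = [
        f"exception 0x{report.exception_code:08x}: {report.access_kind} of "
        f"0x{report.fault_address:08x}",
        f"pc 0x{report.pc:08x} = base 0x{report.base:08x} + 0x{report.pc_offset:x}",
    ]
    for ebp, ret, off in report.frames:
        where = f"module+0x{off:x}" if off is not None else "outside module"
        lines.append(f"  ebp=0x{ebp:08x} ret=0x{ret:08x} ({where})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_crash_report(SAMPLE_REPORT)))
```

Running it on the report above gives `pc = base + 0x279a42`, which is the offset to look up against the debug build's symbols; the "read of 0xffffffff" line is the same fault the `.exr` output below reports as `Parameter[1]: ffffffff`.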
The debugger shows that's a read of -1 at int 0x2e during DR init:
```
0:000> .exr @@(pExcptRec)
ExceptionAddress: 5fac9752 (dynamorio!dynamorio_syscall_int2e+0x00000008)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: ffffffff
Attempt to read from address ffffffff
0:000> .cxr @@(cxt)
eax=00000023 ebx=7682f4b0 ecx=0000004c edx=010fe52c esi=00000000 edi=010fff44
eip=5fac9752 esp=010fe524 ebp=010fe56c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
dynamorio!dynamorio_syscall_int2e+0x8:
5fac9752 cd2e int 2Eh
0:000> kn
*** Stack trace for last set context - .thread/.cxr resets it
# ChildEBP RetAddr
00 010fe56c 5fb208ad dynamorio!dynamorio_syscall_int2e+0x8 [D:\derek\dr\git\build_x86_dbg_tests\core\CMakeFiles\dynamorio.dir\arch\x86\x86.asm.obj.s @ 2354]
01 010fe59c 5fae8574 dynamorio!query_virtual_memory+0x1d [d:\derek\dr\git\src\core\win32\ntdll.c @ 2181]
02 010fe5cc 5f9900d5 dynamorio!get_allocation_base+0x14 [d:\derek\dr\git\src\core\win32\os.c @ 5485]
03 010fe650 5fb0afab dynamorio!alloc_landing_pad+0x25 [d:\derek\dr\git\src\core\heap.c @ 5686]
04 010fe6b4 5fafb6f4 dynamorio!intercept_syscall_wrapper+0x17b [d:\derek\dr\git\src\core\win32\callback.c @ 2634]
05 010fe6f0 5fb09ba7 dynamorio!init_syscall_trampolines+0x114 [d:\derek\dr\git\src\core\win32\syscall.c @ 891]
06 010ff34c 5f85cd5e dynamorio!callback_interception_init_finish+0x1d7 [d:\derek\dr\git\src\core\win32\callback.c @ 7805]
07 010ffc08 5fac8bb1 dynamorio!dynamorio_app_init+0x61e [d:\derek\dr\git\src\core\dynamo.c @ 692]
08 010ffc70 5fac9518 dynamorio!auto_setup+0x21 [d:\derek\dr\git\src\core\arch\x86_code.c @ 169]
09 00000000 00000000 dynamorio!dynamo_auto_start+0x8 [D:\derek\dr\git\build_x86_dbg_tests\core\CMakeFiles\dynamorio.dir\arch\x86\x86.asm.obj.s
```
At first I thought that 1909 dropped support for int 0x2e: but DR uses it and works in other builds, including 8.0.0-1 and HEAD.
For the DrM case I did investigate the page for pc:
```
dynamorio!dynamorio_syscall_int2e+0x8:
6d938a42 cd2e int 2Eh
0:000> !vprot eip
BaseAddress: 6d938000
AllocationBase: 6d6c0000
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY
RegionSize: 0009f000
State: 00001000 MEM_COMMIT
Protect: 00000020 PAGE_EXECUTE_READ
Type: 01000000 MEM_IMAGE
```
I made an app that does an int 2e for NtYieldExecution and it also gets a segfault there:
```c
#include <stdio.h>

int main() {
    fprintf(stderr, "about to asm\n");
    /* MSVC inline asm: issue NtYieldExecution through the legacy int 0x2e entry. */
    __asm {
        mov eax, 46h     ; system call number (NtYieldExecution)
        lea edx, [esp]   ; edx = pointer to the argument block on the stack
        int 2eh          ; legacy int 0x2e system call entry
    };
    fprintf(stderr, "just did asm\n");
    return 0;
}
```
```
0:000> g
(3460.1300): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for int2e.exe
eax=00000046 ebx=00456000 ecx=00270a0d edx=006ffdfc esi=002c1c8c edi=00915e50
eip=00266573 esp=006ffdfc ebp=006ffdfc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
int2e!main+0x23:
00266573 cd2e int 2Eh
0:000> .exr -1
ExceptionAddress: 00266573 (int2e!main+0x00000023)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: ffffffff
Attempt to read from address ffffffff
```
Hmm so how does it work with some DR builds?