Annotation clean call inserted during mangling requires app values but is hidden from drreg and clients
This showed up as a failure in the mmap
Dr. Memory test when upgrading GA CI to Ubuntu20: the test fails to report an error because the annotation there fails to mark the proper memory region, since the wrong argument reaches the annotation callback:
marking 0xf6ec0000-0xf6fc0000 unaddr
...
handle_make_unaddressable: 0x00000000-0x00100000
printf("marking %p-%p unaddr\n", ptr2, ptr2+malloc_size);//NOCHECK
1292: 8b 55 e8 mov -0x18(%ebp),%edx
1295: 8b 83 88 e0 ff ff mov -0x1f78(%ebx),%eax
129b: 01 c2 add %eax,%edx
129d: 8b 45 e8 mov -0x18(%ebp),%eax
12a0: 83 ec 04 sub $0x4,%esp
12a3: 52 push %edx
12a4: 50 push %eax
12a5: 8d 83 67 e0 ff ff lea -0x1f99(%ebx),%eax
12ab: 50 push %eax
12ac: e8 7f fd ff ff call 1030 <printf@plt>
12b1: 83 c4 10 add $0x10,%esp
12b4: eb 0c jmp 12c2 <main+0xe9>
DRMEMORY_ANNOTATE_MAKE_UNADDRESSABLE(ptr2, malloc_size);
12b6: a1 4a 2d 00 00 mov 0x2d4a,%eax
12bb: 0f bc 80 f0 ff ff ff bsf -0x10(%eax),%eax
12c2: eb 13 jmp 12d7 <main+0xfe>
12c4: 8b 83 88 e0 ff ff mov -0x1f78(%ebx),%eax
12ca: 89 c2 mov %eax,%edx
12cc: 8b 45 e8 mov -0x18(%ebp),%eax
12cf: 89 c1 mov %eax,%ecx
12d1: e8 84 00 00 00 call 135a <drmemory_make_unaddressable>
12d6: 90 nop
char *end = (char*) ALIGN_FORWARD((char*)ptr2 + malloc_size, 256*1024);
12d7: 8b 45 e8 mov -0x18(%ebp),%eax
0000135a <drmemory_make_unaddressable>:
135a: 55 push %ebp
135b: 89 e5 mov %esp,%ebp
135d: 83 ec 08 sub $0x8,%esp
1360: e8 1f 00 00 00 call 1384 <__x86.get_pc_thunk.ax>
1365: 05 9b 2c 00 00 add $0x2c9b,%eax
136a: 89 4d fc mov %ecx,-0x4(%ebp)
136d: 89 55 f8 mov %edx,-0x8(%ebp)
1370: eb 0c jmp 137e <drmemory_make_unaddressable+0x24>
1372: a1 8e 2c 00 00 mov 0x2c8e,%eax
1377: 0f bd 80 f0 ff ff ff bsr -0x10(%eax),%eax
137e: eb 01 jmp 1381 <drmemory_make_unaddressable+0x27>
1380: 90 nop
1381: 90 nop
1382: c9 leave
1383: c3 ret
00001384 <__x86.get_pc_thunk.ax>:
1384: 8b 04 24 mov (%esp),%eax
1387: c3 ret
interp: start_pc = 0xf3b97365
0xf3b97365 05 9b 2c 00 00 add $0x00002c9b %eax -> %eax
wrote all 6 flags now!
0xf3b9736a 89 4d fc mov %ecx -> 0xfffffffc(%ebp)[4byte]
0xf3b9736d 89 55 f8 mov %edx -> 0xfffffff8(%ebp)[4byte]
0xf3b97370 eb 0c jmp $0xf3b9737e
0xf3b97380 90 nop
0xf3b97381 90 nop
0xf3b97382 c9 leave %ebp %esp (%ebp)[4byte] -> %esp %ebp
0xf3b97383 c3 ret %esp (%esp)[4byte] -> %esp
mbr exit target = 0x4e61a000
end_pc = 0xf3b97384
before instrumentation:
TAG 0xf3b97365
+0 L3 @0x4e723278 05 9b 2c 00 00 add $0x00002c9b %eax -> %eax
+5 L3 @0x4e7224a0 89 4d fc mov %ecx -> 0xfffffffc(%ebp)[4byte]
+8 L3 @0x4e726f68 89 55 f8 mov %edx -> 0xfffffff8(%ebp)[4byte]
+11 m4 @0x4e666f18 <label>
+11 L3 @0x4e70d1b8 90 nop
+12 L3 @0x4e66929c 90 nop
+13 L3 @0x4e70d290 c9 leave %ebp %esp (%ebp)[4byte] -> %esp %ebp
+14 L3 @0x4e7273ac c3 ret %esp (%esp)[4byte] -> %esp
END 0xf3b97365
New basic block @0xf3b97365 == mmap!drmemory_make_unaddressable+0xb
shadow register values:
eax=00 ecx=00 edx=00 ebx=00 esp=00 ebp=00 esi=00 edi=00 efl=0
xmm0=00000000 xmm1=00000000 xmm2=00000000 xmm3=00000000
xmm4=00000000 xmm5=00000000 xmm6=00000000 xmm7=00000000
mm0=0000 mm1=0000 mm2=0000 mm3=0000 mm4=0000 mm5=0000 mm6=0000 mm7=0000
whole-bb scratch: r1=%ebxspill#0 x0, r2=%ecxspill#1 x1
scratch: add $0x00002c9b %eax -> %eax| r1=%ebxspill#0, r2=%ecxspill#1
fastpath: add $0x00002c9b %eax -> %eax| prop=1 srcsz=4 dstsz=4 checkdef=0 markdef=0 checkunaddr=0
src shadow = %bl sz=1
dst shadow = sz=0
src offs = $0x00 sz=1
dst offs = $0x00 sz=1
scratch: mov %ecx -> 0xfffffffc(%ebp)[4byte]| r1=%ebxspill#0, r2=%ecxspill#1
fastpath: mov %ecx -> 0xfffffffc(%ebp)[4byte]| prop=1 srcsz=4 dstsz=4 checkdef=0 markdef=0 checkunaddr=0
marking eflags used => spilling if live
src shadow = %cl sz=1
dst shadow = (%ebx) sz=1
src offs = $0x00 sz=1
dst offs = $0x00 sz=1
scratch: mov %edx -> 0xfffffff8(%ebp)[4byte]| r1=%ebxspill#0, r2=%ecxspill#1
fastpath: mov %edx -> 0xfffffff8(%ebp)[4byte]| prop=1 srcsz=4 dstsz=4 checkdef=0 markdef=0 checkunaddr=0
src shadow = %cl sz=1
dst shadow = (%ebx) sz=1
src offs = $0x00 sz=1
dst offs = $0x00 sz=1
scratch: leave %ebp %esp (%ebp)[4byte] -> %esp %ebp| r1=%ebxspill#0, r2=%ecxspill#1
checking definedness for: leave %ebp %esp (%ebp)[4byte] -> %esp %ebp
fastpath: leave %ebp %esp (%ebp)[4byte] -> %esp %ebp| prop=2 srcsz=4 dstsz=4 checkdef=1 markdef=0 checkunaddr=0
checking definedness of src2 => 1 to propagate
checking definedness of src1 => 0 to propagate
src shadow = $0x55 sz=1
dst shadow = (%ebx) sz=1
src offs = sz=0
dst offs = sz=0
src shadow = $0x00 sz=1
dst shadow = %fs:0x000000a9 sz=1
src offs = $0x00 sz=1
dst offs = $0x00 sz=1
scratch: leave %ebp %esp (%ebp)[4byte] -> %esp %ebp| r1=%ebxspill#0, r2=%edxspill#3, r3=%ecxspill#1
scratch: ret %esp (%esp)[4byte] -> %esp| r1=%ebxspill#0, r2=%ecxspill#1
checking definedness for: ret %esp (%esp)[4byte] -> %esp
fastpath: ret %esp (%esp)[4byte] -> %esp| prop=1 srcsz=4 dstsz=0 checkdef=1 markdef=0 checkunaddr=0
checking definedness of src1 => 0 to propagate
src shadow = $0x55 sz=1
dst shadow = (%ebx) sz=1
src offs = sz=0
dst offs = sz=0
whole-bb scratch: r1=used, r2=used, efl=used
after instrumentation:
TAG 0xf3b97365
<...>
+205 L3 @0x4e726f68 89 55 f8 mov %edx -> 0xfffffff8(%ebp)[4byte]
+208 m4 @0x4e666f18 <label>
+208 L3 @0x4e70d1b8 90 nop
+209 L3 @0x4e66929c 90 nop
+210 m4 @0x4e724900 <label>
<...>
bb ilist before mangling:
<...>
CLEANCALL: insert clean call to 0x738152cc
CLEANCALL: analyze callee 0x738152cc
CLEANCALL: decoding callee starting at: 0x738152cc
<...>
bb ilist after mangling:
TAG 0xf3b97365
+0 m4 @0x4e7235e8 64 89 1d b4 00 00 00 mov %ebx -> %fs:0x000000b4[4byte]
+7 m4 @0x4e726dcc <label>
+7 m4 @0x4e70e934 64 8a 1d a4 00 00 00 mov %fs:0x000000a4[1byte] -> %bl
+14 m4 @0x4e70d87c 64 88 1d ac 00 00 00 mov %bl -> %fs:0x000000ac[1byte]
+21 m4 @0x4e721938 <label>
+21 m4 @0x4e71e83c <label>
+21 m4 @0x4e724790 <label>
+21 m4 @0x4e70df28 <label>
+21 m4 @0x4e728bc8 <label>
+21 L3 @0x4e723278 05 9b 2c 00 00 add $0x00002c9b %eax -> %eax
+26 m4 @0x4e722cfc 64 89 0d b8 00 00 00 mov %ecx -> %fs:0x000000b8[4byte]
+33 m4 @0x4e721c10 87 c8 xchg %eax %ecx -> %eax %ecx
+35 m4 @0x4e722de0 9f lahf -> %ah
+36 m4 @0x4e7270d4 0f 90 c0 seto -> %al
+39 m4 @0x4e727f3c 64 a3 bc 00 00 00 mov %eax -> %fs:0x000000bc[4byte]
+45 m4 @0x4e727e34 87 c8 xchg %eax %ecx -> %eax %ecx
+47 m4 @0x4e723068 <label>
+47 m4 @0x4e728fa8 8d 5d fc lea 0xfffffffc(%ebp) -> %ebx
+50 m4 @0x4e7274c0 64 80 3d a9 00 00 00 cmp %fs:0x000000a9[1byte] $0x00
00
+58 m4 @0x4e70dfe0 75 fe jnz @0x4e728cf0[4byte]
+60 m4 @0x4e722834 f6 c3 03 test %bl $0x03
+63 m4 @0x4e7219c0 0f 85 fa ff ff ff jnz @0x4e728cf0[4byte]
+69 m4 @0x4e70d44c 8b cb mov %ebx -> %ecx
+71 m4 @0x4e669c78 c1 e9 10 shr $0x00000010 %ecx -> %ecx
+74 m4 @0x4e722190 c1 eb 02 shr $0x00000002 %ebx -> %ebx
+77 m4 @0x4e728820 03 1c 8d 00 70 68 4e add 0x4e687000(,%ecx,4)[4byte] %ebx -> %ebx
+84 m4 @0x4e721dc4 0f b6 0b movzx (%ebx)[1byte] -> %ecx
+87 m4 @0x4e723f94 80 b9 20 2d a3 73 01 cmp 0x73a32d20(%ecx)[1byte] $0x01
+94 m4 @0x4e7208bc 75 fe jnz @0x4e728cf0[4byte]
+96 m4 @0x4e71e880 64 8a 0d a5 00 00 00 mov %fs:0x000000a5[1byte] -> %cl
+103 m4 @0x4e723ebc 38 0b cmp (%ebx)[1byte] %cl
+105 m4 @0x4e723170 74 fe jz @0x4e72640c[4byte]
+107 m4 @0x4e728110 88 0b mov %cl -> (%ebx)[1byte]
+109 m4 @0x4e72640c <label>
+109 m4 @0x4e6691a0 <label>
+109 m4 @0x4e722648 eb fe jmp @0x4e7246e4[4byte]
+111 m4 @0x4e72692c <label>
+111 m4 @0x4e728cf0 <label>
+111 m4 @0x4e70e080 bb 6a 73 b9 f3 mov $0xf3b9736a -> %ebx
+116 m4 @0x4e7286ec b9 d8 1b 66 4e mov @0x4e70dc44[4byte] -> %ecx
+121 m4 @0x4e723c80 e9 78 a0 08 00 jmp $0x4e6ebc55
+126 m4 @0x4e70dc44 <label>
+126 m4 @0x4e7246e4 <label>
+126 m4 @0x4e724ea8 64 8b 0d b8 00 00 00 mov %fs:0x000000b8[4byte] -> %ecx
+133 L3 @0x4e7224a0 89 4d fc mov %ecx -> 0xfffffffc(%ebp)[4byte]
+136 m4 @0x4e669720 <label>
+136 m4 @0x4e7224f0 8d 5d f8 lea 0xfffffff8(%ebp) -> %ebx
+139 m4 @0x4e70cfc0 f6 c3 03 test %bl $0x03
+142 m4 @0x4e71eb20 0f 85 fa ff ff ff jnz @0x4e669618[4byte]
===> can clobber ecx b/c app value is still in %fs:0x000000b8
+148 m4 @0x4e70d49c 8b cb mov %ebx -> %ecx
+150 m4 @0x4e7244cc c1 e9 10 shr $0x00000010 %ecx -> %ecx
+153 m4 @0x4e724034 c1 eb 02 shr $0x00000002 %ebx -> %ebx
+156 m4 @0x4e724734 03 1c 8d 00 70 68 4e add 0x4e687000(,%ecx,4)[4byte] %ebx -> %ebx
+163 m4 @0x4e728620 0f b6 0b movzx (%ebx)[1byte] -> %ecx
+166 m4 @0x4e668b84 80 b9 20 2d a3 73 01 cmp 0x73a32d20(%ecx)[1byte] $0x01
+173 m4 @0x4e728238 75 fe jnz @0x4e669618[4byte]
+175 m4 @0x4e727408 64 8a 0d a6 00 00 00 mov %fs:0x000000a6[1byte] -> %cl
+182 m4 @0x4e723a80 38 0b cmp (%ebx)[1byte] %cl
+184 m4 @0x4e725554 74 fe jz @0x4e7226f4[4byte]
+186 m4 @0x4e726c8c 88 0b mov %cl -> (%ebx)[1byte]
+188 m4 @0x4e7226f4 <label>
+188 m4 @0x4e7284f8 <label>
+188 m4 @0x4e70e314 eb fe jmp @0x4e70df84[4byte]
+190 m4 @0x4e664cc0 <label>
+190 m4 @0x4e669618 <label>
+190 m4 @0x4e6686bc bb 6d 73 b9 f3 mov $0xf3b9736d -> %ebx
+195 m4 @0x4e70db60 b9 d8 1b 66 4e mov @0x4e722268[4byte] -> %ecx
+200 m4 @0x4e7223d4 e9 78 a0 08 00 jmp $0x4e6ebc55
+205 m4 @0x4e722268 <label>
+205 m4 @0x4e70df84 <label>
+205 L3 @0x4e726f68 89 55 f8 mov %edx -> 0xfffffff8(%ebp)[4byte]
===> clean call to annot callback
+208 m4 @0x4e727bb8 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+214 m4 @0x4e7265bc 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+220 m4 @0x4e71edac 89 60 0c mov %esp -> 0x0c(%eax)[4byte]
+223 m4 @0x4e7234e0 8b a0 a8 02 00 00 mov 0x000002a8(%eax)[4byte] -> %esp
+229 m4 @0x4e721adc 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+235 m4 @0x4e7249e4 8d a4 24 7c fd ff ff lea 0xfffffd7c(%esp) -> %esp
+242 m4 @0x4e725934 e8 63 8a fb ff call $0x4e61a640 %esp -> %esp 0xfffffffc(%esp)[4byte]
+247 m4 @0x4e726a54 8d 64 24 f8 lea 0xfffffff8(%esp) -> %esp
+251 m4 @0x4e665df4 <label>
===> the 2 params to the annot callback, but %ecx was never restored to its app value: need the equivalent of a drreg barrier
+251 m4 @0x4e70e3f8 52 push %edx %esp -> %esp 0xfffffffc(%esp)[4byte]
+252 m4 @0x4e668df8 51 push %ecx %esp -> %esp 0xfffffffc(%esp)[4byte]
+253 m4 @0x4e669420 e8 ef 36 1b 25 call $0x738152cc %esp -> %esp 0xfffffffc(%esp)[4byte]
+258 m4 @0x4e6697f8 8d 64 24 10 lea 0x10(%esp) -> %esp
+262 m4 @0x4e725d94 e8 e3 8a fb ff call $0x4e61a6c0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+267 m4 @0x4e723d94 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+273 m4 @0x4e669a80 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+279 m4 @0x4e70e364 8b 60 0c mov 0x0c(%eax)[4byte] -> %esp
+282 m4 @0x4e669b14 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+288 m4 @0x4e71f368 <label>
+288 m4 @0x4e666f18 <label>
+288 L3 @0x4e70d1b8 90 nop
+289 L3 @0x4e66929c 90 nop
+290 m4 @0x4e724900 <label>
+290 m4 @0x4e723914 8d 5d 00 lea (%ebp) -> %ebx
+293 m4 @0x4e72807c f6 c3 03 test %bl $0x03
+296 m4 @0x4e728d34 0f 85 fa ff ff ff jnz @0x4e669bcc[4byte]
+302 m4 @0x4e727b68 8b cb mov %ebx -> %ecx
+304 m4 @0x4e723a3c c1 e9 10 shr $0x00000010 %ecx -> %ecx
+307 m4 @0x4e70ce98 c1 eb 02 shr $0x00000002 %ebx -> %ebx
+310 m4 @0x4e721854 03 1c 8d 00 70 68 4e add 0x4e687000(,%ecx,4)[4byte] %ebx -> %ebx
+317 m4 @0x4e723b4c 0f b6 0b movzx (%ebx)[1byte] -> %ecx
+320 m4 @0x4e722fd4 84 c9 test %cl %cl
+322 m4 @0x4e7220a0 75 fe jnz @0x4e669bcc[4byte]
+324 m4 @0x4e70e784 64 80 3d a9 00 00 00 cmp %fs:0x000000a9[1byte] $0x00
00
+332 m4 @0x4e723434 75 fe jnz @0x4e669bcc[4byte]
+334 m4 @0x4e6698d0 c6 03 55 mov $0x55 -> (%ebx)[1byte]
+337 m4 @0x4e72125c <label>
+337 m4 @0x4e721a48 64 c6 05 a9 00 00 00 mov $0x00 -> %fs:0x000000a9[1byte]
00
+345 m4 @0x4e668b28 <label>
+345 m4 @0x4e70e85c <label>
+345 m4 @0x4e721d74 eb fe jmp @0x4e70ea18[4byte]
+347 m4 @0x4e7285dc <label>
+347 m4 @0x4e669bcc <label>
+347 m4 @0x4e727d50 bb 82 73 b9 f3 mov $0xf3b97382 -> %ebx
+352 m4 @0x4e722b6c b9 d8 1b 66 4e mov @0x4e726450[4byte] -> %ecx
+357 m4 @0x4e6693d0 e9 78 a0 08 00 jmp $0x4e6ebc55
+362 m4 @0x4e726450 <label>
+362 m4 @0x4e70ea18 <label>
+362 m4 @0x4e724d44 8b cd mov %ebp -> %ecx
+364 m4 @0x4e70ea68 64 89 15 c0 00 00 00 mov %edx -> %fs:0x000000c0[4byte]
+371 m4 @0x4e723318 ba d8 1b 66 4e mov @0x4e72560c[4byte] -> %edx
+376 m4 @0x4e725734 e9 de da 08 00 jmp $0x4e6ef6bb
+381 m4 @0x4e72560c <label>
+381 m4 @0x4e66924c 64 8b 15 c0 00 00 00 mov %fs:0x000000c0[4byte] -> %edx
+388 m4 @0x4e727694 <label>
+388 L3 @0x4e70d290 c9 leave %ebp %esp (%ebp)[4byte] -> %esp %ebp
+389 m4 @0x4e70d5f0 <label>
+389 m4 @0x4e664e70 8d 1c 24 lea (%esp) -> %ebx
+392 m4 @0x4e7233ac 64 80 3d a8 00 00 00 cmp %fs:0x000000a8[1byte] $0x00
00
+400 m4 @0x4e725c98 75 fe jnz @0x4e725e1c[4byte]
+402 m4 @0x4e72367c f6 c3 03 test %bl $0x03
+405 m4 @0x4e725d44 0f 85 fa ff ff ff jnz @0x4e725e1c[4byte]
+411 m4 @0x4e7254f8 8b cb mov %ebx -> %ecx
+413 m4 @0x4e725380 c1 e9 10 shr $0x00000010 %ecx -> %ecx
+416 m4 @0x4e723e78 c1 eb 02 shr $0x00000002 %ebx -> %ebx
+419 m4 @0x4e70dd98 03 1c 8d 00 70 68 4e add 0x4e687000(,%ecx,4)[4byte] %ebx -> %ebx
+426 m4 @0x4e66898c 0f b6 0b movzx (%ebx)[1byte] -> %ecx
+429 m4 @0x4e669b70 84 c9 test %cl %cl
+431 m4 @0x4e666410 75 fe jnz @0x4e725e1c[4byte]
+433 m4 @0x4e728360 c6 03 55 mov $0x55 -> (%ebx)[1byte]
+436 m4 @0x4e723114 <label>
+436 m4 @0x4e7266c4 <label>
+436 m4 @0x4e7263c8 eb fe jmp @0x4e722418[4byte]
+438 m4 @0x4e668bec <label>
+438 m4 @0x4e725e1c <label>
+438 m4 @0x4e664d54 bb 83 73 b9 f3 mov $0xf3b97383 -> %ebx
+443 m4 @0x4e669f5c b9 d8 1b 66 4e mov @0x4e71fb34[4byte] -> %ecx
+448 m4 @0x4e668ec4 e9 78 a0 08 00 jmp $0x4e6ebc55
+453 m4 @0x4e71fb34 <label>
+453 m4 @0x4e722418 <label>
+453 m4 @0x4e7286a8 87 c8 xchg %eax %ecx -> %eax %ecx
+455 m4 @0x4e7288d8 64 a1 bc 00 00 00 mov %fs:0x000000bc[4byte] -> %eax
+461 m4 @0x4e669848 04 7f add $0x7f %al -> %al
+463 m4 @0x4e727c84 9e sahf %ah
+464 m4 @0x4e724bd8 87 c8 xchg %eax %ecx -> %eax %ecx
+466 m4 @0x4e7222b8 64 8b 1d b4 00 00 00 mov %fs:0x000000b4[4byte] -> %ebx
+473 m4 @0x4e72735c 64 8b 0d b8 00 00 00 mov %fs:0x000000b8[4byte] -> %ecx
+480 m4 @0x4e723ac4 64 89 0d 08 00 00 00 mov %ecx -> %fs:0x08[4byte]
+487 m4 @0x4e722eac 59 pop %esp (%esp)[4byte] -> %ecx %esp
+488 L4 @0x4e72421c e9 23 84 fb ff jmp $0x4e61a000 <shared_bb_ibl_ret>
END 0xf3b97365
xcx = 0xf6e40000
xdx = 0x00100000
xsi = 0xf714d000
xdi = 0xf714d000
xbp = 0xffc65208
xsp = 0xffc65200
ymm0= 0x0000000000000000000000000000000000000000000000000000000000000000
ymm1= 0x0000000000000000000000000000000000000000000000000000000000000000
ymm2= 0x0000000000000000000000000000000000000000000000000000000000000000
ymm3= 0x0000000000000000000000000000000000000000000000000000000000000000
ymm4= 0x0000000000000000000000000000000000000000000000000000000000000000
ymm5= 0x0000000000000000000000000000000000000000000000000000000000000000
ymm6= 0x0000000000000000000000000000000000000000000000000000000000000000
ymm7= 0x0000000000000000000000000000000000000000000000000000000000000000
k0= 0x00000000
k1= 0x00000000
k2= 0x00000000
k3= 0x00000000
k4= 0x00000000
k5= 0x00000000
k6= 0x00000000
k7= 0x00000000
mxcsr=0x00001f80
eflags = 0x00000286
pc = 0x5006f1bf
Entry into F1892(0xf3b97365).0x5006f297 (shared)
Looks like a missing app-reg-value barrier for %ecx
prior to the annotation clean call: but the problem is that this is an invisibly-added clean call inserted during mangling, so how can a client or drreg know to insert a barrier?
And here drmem isn't using drreg so it needs its own version of a barrier, at least until https://github.com/DynamoRIO/drmemory/issues/1795 is finished.
How was this test working on 16.04, or 64-bit? I assume it just got lucky and picked different scratch regs that weren't %ecx or %edx
(the two annotation args).
For regular clean calls, we have drreg documentation that a barrier needs to be used if app registers are needed in the call. For this situation though we need the core to tell drreg/clients that there will be an annotation clean call there.
One idea is to have the core insert a special label (I think the core has some label ids reserved, right?). Should it be a general "restore all app values" request, or should it say which registers should be restored? Or should it be an "annotation call will be here" label that lists the arg count (is the annotation param-to-register mapping known?)