CRASH with Aarch64 drrun / drcov #4218

Closed
Desperado1985 opened this issue Mar 24, 2020 · 5 comments
Comments

@Desperado1985

Desperado1985 commented Mar 24, 2020

A segfault occurred while using drrun / drcov on an Arm AArch64 target with 4.14.75-ltsi-yocto-standard.

Command line:

/media/mp000/DynamoRIO-AArch64-Linux-7.1.0-1/bin64/drrun -root /media/mp000/DynamoRIO-AArch64-Linux-7.1.0-1 -t drcov -logdir /media/mp000/ -dump_binary --

Application XXXX. DrCov internal crash at PC 0x0000000071115938. Please report this at http://dynamorio.org/issues. Program aborted.
Received SIGSEGV at pc 0x0000000071115938 in thread 1711
Base: 0x0000000071000000
Registers: eflags=0x0000000060000000
version 7.1.0, build 1
-no_dynamic_options -client_lib '/media/mp000/DynamoRIO-AArch64-Linux-7.1.0-1/tools/lib64/release/libdrcov.so;0;"-dump_binary"' -code_api -stack_size 56K -signal_stack_size 32K -nop_initial_bblock -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_na
0x00000000515c2a40 0x000000007110d888
0x00000000515c2a80 0x000000007105502c
0x00000000515c2ee0 0x0000000071055e58
0x00000000515c2f40 0x0000007f88d734cc
0x0000007f847344f0 0x0000007f8cd5e714
0x0000007f84734530 0x0000007f8cd5edfc
0x0000007f84734660 0x0000007f892bf7e8
0x0000007f847346a0 0x0000007f892c23f0
0x0000007f84734710 0x0000007f8923bef8
0x0000007f84734750 0x0000007f88d733dc>

Edit: What else do you need? I have a gdb callstack if that's useful:

#0 set_blocked (dcontext=, absolute=true, set=0x0) at /dynamorio_package/core/unix/signal.c:2047
#1 signal_set_mask (dcontext=, sigset=0x0) at /dynamorio_package/core/unix/signal.c:2062
#2 0x0000000071124790 in handle_pre_extended_syscall_sigmasks (dcontext=dcontext@entry=0x525d4360, sigmask=, sizemask=, pending=pending@entry=0x52ce3bc0) at /dynamorio_package/core/unix/signal_linux.c:369
#3 0x000000007110d888 in pre_system_call (dcontext=dcontext@entry=0x525d4360) at /dynamorio_package/core/unix/os.c:7542
#4 0x000000007105502c in handle_system_call (dcontext=dcontext@entry=0x525d4360) at /dynamorio_package/core/dispatch.c:1971
#5 0x0000000071055e58 in dispatch_enter_dynamorio (dcontext=0x525d4360) at /dynamorio_package/core/dispatch.c:885
#6 dispatch (dcontext=0x525d4360) at /dynamorio_package/core/dispatch.c:165
#7 0x0000007f919ab4cc in ?? ()
#8 0x000000000468cbd0 in ?? ()

for (i = 1; i <= MAX_SIGNUM; i++) {
    if (EMULATE_SIGMASK(info, i) && kernel_sigismember(set, i)) {   <----- here
        kernel_sigaddset(&info->app_sigblocked, i);
    }
}

Apparently set is a nullptr and kernel_sigismember dereferences it without check.
dcontext ptr is inaccessible so it might have been invalid from the start.

Edit: Tried with drrun -debug. Still crashes with SIGBUS, but different callstack:

#0 safe_read_asm_pre () at /dynamorio_package/core/arch/aarch64/aarch64.asm:400
#1 0x00000000712d5fa8 in safe_read_fast (base=0x7f99b39000, size=64, out_buf=0x4a14f910, bytes_read=0x0) at /dynamorio_package/core/arch/x86_code.c:427
#2 0x00000000712df2e8 in safe_read_ex (base=0x7f99b39000, size=64, out_buf=0x4a14f910, bytes_read=0x0) at /dynamorio_package/core/unix/os.c:4714
#3 0x00000000712df384 in safe_read (base=0x7f99b39000, size=64, out_buf=0x4a14f910) at /dynamorio_package/core/unix/os.c:4733
#4 0x0000000071312630 in is_elf_so_header_common (base=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, size=0, memory=true) at /dynamorio_package/core/unix/module_elf.c:189
#5 0x0000000071312978 in is_elf_so_header (base=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, size=0) at /dynamorio_package/core/unix/module_elf.c:244
#6 0x00000000713146c8 in module_is_header (base=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, size=0) at /dynamorio_package/core/unix/module_elf.c:736
#7 0x00000000712ec914 in query_memory_ex_from_os (pc=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, info=0x4a14f9f8) at /dynamorio_package/core/unix/os.c:9601
#8 0x00000000712ec96c in get_memory_info_from_os (pc=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, base_pc=0x4a14fa88, size=0x4a14fa80, prot=0x4a14fa7c) at /dynamorio_package/core/unix/os.c:9618
#9 0x0000000071311a94 in memcache_query_memory (pc=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, out_info=0x4a14fb30) at /dynamorio_package/core/unix/memcache.c:374
#10 0x00000000712ec730 in query_memory_ex (pc=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, out_info=0x4a14fb30) at /dynamorio_package/core/unix/os.c:9545
#11 0x00000000712ec758 in query_memory_cur_base (pc=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, info=0x4a14fb30) at /dynamorio_package/core/unix/os.c:9552
#12 0x0000000071178e58 in app_memory_pre_alloc (dcontext=0x4a123460, base=0x7f99b39000 <error: Cannot access memory at address 0x7f99b39000>, size=12288, prot=3, hint=false) at /dynamorio_package/core/vmareas.c:5964
#13 0x00000000712e555c in pre_system_call (dcontext=0x4a123460) at /dynamorio_package/core/unix/os.c:6828
#14 0x00000000710b1fa8 in handle_system_call (dcontext=0x4a123460) at /dynamorio_package/core/dispatch.c:1971
#15 0x00000000710a910c in dispatch_enter_dynamorio (dcontext=0x4a123460) at /dynamorio_package/core/dispatch.c:885
#16 0x00000000710a485c in dispatch (dcontext=0x4a123460) at /dynamorio_package/core/dispatch.c:165
#17 0x0000007fa21fc6c4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) p $_siginfo
$4 = {si_signo = 7, si_errno = 0, si_code = 2, _sifields = {_pad = {-1716285440, 127, 6202460, 0, 160, 0, 1, 0, -528001796, 127, 0, 0, -528002608, 127, 4984040, 0, 22484880, 0, 7365728, 0, -528002576, 127, 4984268, 0, 0, 0, 18497472, 0}, _kill = {si_pid = -1716285440, si_uid = 127}, _timer = {si_tid = -1716285440, si_overrun = 127, si_sigval = {sival_int = 6202460,
sival_ptr = 0x5ea45c}}, _rt = {si_pid = -1716285440, si_uid = 127, si_sigval = {sival_int = 6202460, sival_ptr = 0x5ea45c}}, _sigchld = {si_pid = -1716285440, si_uid = 127, si_status = 6202460, si_utime = 687194767360, si_stime = 4294967296}, _sigfault = {si_addr = 0x7f99b39000}, _sigpoll = {si_band = 548039528448, si_fd = 6202460}}}

Even if I don't use gdb it will end in a segfault:

myapp (2812). DrCov internal crash at PC 0x00000000712ef264. Please report this at http://dynamorio.org/issues. Program aborted.
Received SIGSEGV at pc 0x00000000712ef264 in thread 2934
Base: 0x0000000071000000
Registers: eflags=0x0000000020000000
version 7.1.0, build 1
-no_dynamic_options -client_lib '/media/mp000/DynamoRIO-AArch64-Linux-7.1.0-1/tools/lib64/release/libdrcov.so;0;"-logdir" "/media/mp000/" "-dump_binary"' -code_api -stack_size 56K -signal_stack_size 32K -nop_initial_bblock -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_e
0x000000004c107ac0 0x00000000712f4670
0x000000004c107b00 0x00000000713199d0
0x000000004c107b20 0x00000000712e7408
0x000000004c107b70 0x00000000710b1fa8
0x000000004c107d90 0x00000000710a910c
0x000000004c107e80 0x00000000710a485c
0x000000004c107f40 0x0000007fa10854cc
0x0000007f9ca464f0 0x0000007fa5080714
0x0000007f9ca46530 0x0000007fa5080dfc
0x0000007f9ca46660 0x0000007fa15d17e8
0x0000007f9ca466a0 0x0000007fa15d43f0
0x0000007f9ca46710 0x0000007fa154def8
0x0000007f9ca46750 0x0000007fa10853dc>

Edit: Told gdb to ignore SIGBUS. Now this here fires:
dynamorio_syscall () at /dynamorio_package/core/arch/aarch64/aarch64_shared.asm:67
67 /dynamorio_package/core/arch/aarch64/aarch64_shared.asm: No such file or directory.
(gdb) bt
#0 dynamorio_syscall () at /dynamorio_package/core/arch/aarch64/aarch64_shared.asm:67
#1 0x00000000712ef450 in sigprocmask_syscall (how=2, set=0x0, oset=0x4cd0eb58, sigsetsize=8) at /dynamorio_package/core/unix/signal.c:342
#2 0x00000000713062e8 in dr_setjmp_sigmask (buf=0x4cd0eaa8) at /dynamorio_package/core/unix/signal.c:7325
#3 0x00000000712d6354 in dr_setjmp () at /dynamorio_package/core/arch/aarch64/aarch64.asm:490

@derekbruening
Contributor

Please follow the template content as linked here to provide more information

How did you bypass the template to file this issue? It is supposed to be required. There is a Github bug where if you don't sign in until the last minute they don't show it to you -- maybe that is what happened; we're waiting on them to fix it.

@Desperado1985 Desperado1985 changed the title Segfault with Aarch64 drcov CRASH with Aarch64 drrun / drcov Mar 24, 2020
@Desperado1985
Author

Ok, sigmask is a nullptr for some reason and the problem occurs during a SYS_epoll_pwait. In the latest run, the dcontext was valid and it provided the nullptr.

@Desperado1985
Author

Could it be this issue? This isn't in the 7.1 release, is it?

#3425

@Desperado1985
Author

Tried release_7.91.18342, doesn't crash. Close ticket.

@derekbruening
Contributor

Thank you for the update.
