Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRASH during leak scan on WSL #2122

Closed
derekbruening opened this issue Sep 25, 2018 · 0 comments
Closed

CRASH during leak scan on WSL #2122

derekbruening opened this issue Sep 25, 2018 · 0 comments
Assignees
@derekbruening
Labels
Bug-AppCrash Component-LeakCheck OpSys-Linux

Comments

@derekbruening
Copy link
Contributor

This is happening running a simple app on WSL, a crash during the leak
scan:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffffeb3bafa in ?? ()
(gdb) x/10i $pc
=> 0x7ffffeb3bafa <__memchr_sse2+394>:  movdqa (%rdi),%xmm0
   0x7ffffeb3bafe <__memchr_sse2+398>:  movdqa 0x10(%rdi),%xmm2
   0x7ffffeb3bb03 <__memchr_sse2+403>:  movdqa 0x20(%rdi),%xmm3
   0x7ffffeb3bb08 <__memchr_sse2+408>:  movdqa 0x30(%rdi),%xmm4
   0x7ffffeb3bb0d <__memchr_sse2+413>:  pcmpeqb %xmm1,%xmm0
(gdb) info reg
rdi            0x14fffee00000   23089725308928

14fffed70000-14fffee00000 rw-p 00000000 00:00 0
14ffff630000-14ffff990000 rw-p 00000000 00:00 0

7ffffb7e3000-7ffffb7e4000 rw-p 00003000 00:00 175021             /home/derek/bugs/studentSep18-B/HW3DRMemCrash - Devak Patel/a.out
7ffffb7e4000-7ffffb7e5000 ---p 00000000 00:00 0
7ffffb7e5000-7ffffb7fe000 rw-p 00000000 00:00 0

7ffffea90000-7ffffec77000 r-xp 00000000 00:00 108731             /lib/x86_64-linux-gnu/libc-2.27.so

(gdb) bt
#0  __memchr_sse2 () at ../sysdeps/x86_64/multiarch/../memchr.S:172
#1  0x00000000738ac9e3 in umbra_value_in_shadow_memory_arch (map=0x510db4c8, app_addr=0x5109c788, app_size=2, value=0, value_size=2,
    found=0x5109c787 "") at /drmemory_package/umbra/umbra_64.c:1043
#2  0x00000000738aaf25 in umbra_value_in_shadow_memory (map=<optimized out>, app_addr=app_addr@entry=0x5109c788,
    app_size=<optimized out>, value=<optimized out>, value_size=value_size@entry=2, found=found@entry=0x5109c787 "")
    at /drmemory_package/umbra/umbra.c:586
#3  0x000000007382a86c in shadow_next_ptrsz (start=<optimized out>, end=<optimized out>, expect=<optimized out>)
    at /drmemory_package/drmemory/shadow.c:956
#4  0x000000007385f778 in check_reachability_helper (start=<optimized out>, end=0x7ffffb7fd622 "",
    skip_heap=skip_heap@entry=0 '\000', data=data@entry=0x5109c870) at /drmemory_package/drmemory/leak.c:1140
#5  0x000000007385fc69 in leak_scan_for_leaks (at_exit=at_exit@entry=1 '\001') at /drmemory_package/drmemory/leak.c:1439
#6  0x0000000073851ee1 in check_reachability (at_exit=at_exit@entry=1 '\001') at /drmemory_package/drmemory/alloc_drmem.c:2523
#7  0x000000007381deb0 in event_exit () at /drmemory_package/drmemory/drmemory.c:437

Xref i#1916: Umbra does not handle unlimited stack mmap region: but I don't
see how that can be the case here since I built this app and it doesn't set
personality.
Xref i#1889: Umbra Linux library bounds are incorrect: but that's about 7e..'*.

shadow_table_init
new segment: app [0x00007f0000000000, 0x00007fffff400000), shadow [0x000014c000000000, 0x000014ffffd00000), reserve [0x0000123000000000, 0x0000123ffff40000)
new segment: app [0x0000000000000000, 0x0000010000000000), shadow [0x0000110000000000, 0x0000114000000000), reserve [0x0000114000000000, 0x0000115000000000)

Mistake in lazy alloc?
Should umbra's fault handler handle this, or should the loop detect it
ahead of time?

More logging:

umbra_value_in_shadow_memory_arch: 0x00007fa7ae0fd620-0x00007fa7ae0fd622
umbra_value_in_shadow_memory_arch: blk=0x00007fa7ae0c0000-0x00007fa7ae0fffff 0x00007fa7ae0fd620-0x00007fa7ae0fd621 shadow=0x000014e9eb83f588
umbra_value_in_shadow_memory_arch: memchr 0x000014e9eb83f588 size=-1 (shsz=0)
umbra_value_in_shadow_memory_arch: memchr 0x000014e9eb83f5b9 size=-50 (shsz=0)
umbra_value_in_shadow_memory_arch: memchr 0x000014e9eb83f5c5 size=-62 (shsz=0)
umbra_value_in_shadow_memory_arch: memchr 0x000014e9eb83f5dd size=-86 (shsz=0)
umbra_value_in_shadow_memory_arch: memchr 0x000014e9eb83f5e9 size=-98 (shsz=0)

So it's underflow. This 2-byte query shifts down to 0.
@derekbruening derekbruening self-assigned this Sep 25, 2018
derekbruening added a commit that referenced this issue Sep 25, 2018
@derekbruening
i#2122: fix shadow size underflow
68ac4b6 
When scaling down, if we hit 0, we should bump up to 1.  Leaving at 0 leads
to an underflow in umbra_value_in_shadow_memory() which leads to a crash.

Fixes #2122
@derekbruening derekbruening mentioned this issue Sep 25, 2018
Merged
derekbruening added a commit that referenced this issue Sep 25, 2018
@derekbruening
i#2122: fix shadow size underflow (#2123)
6699e1b 
Fixes an underflow in umbra_value_in_shadow_memory() when shadow scaledown
drops the size to 0.

Fixes #2122
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@derekbruening derekbruening

Labels
Bug-AppCrash Component-LeakCheck OpSys-Linux
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@derekbruening