failure to init Umbra due to segment-spanning 2TB reservation

[StephenHillAtViaivi]

Using DrMemory-Windows-2.1.0-1.msi, I see this with all my Cpputest exe's built with MSVS2017:

C:\Users\SHill\SHill_view\tm_build_system\build\unittest64>"C:\Program` Files (x86)\Dr. Memory\bin64\drmemory.exe" -batch -v -- seg_unittest.exe
INFO: targeting application: "C:\Users\SHill\SHill_view\tm_build_system\build\unittest64\seg_unittest.exe"
INFO: app cmdline: "seg_unittest.exe"
INFO: logdir is "C:\Users\SHill\AppData\Roaming\Dr. Memory"
INFO: symcache_dir is "C:\Users\SHill\AppData\Roaming\Dr. Memory\symcache"
INFO: Setting TZ to GMT Standard Time for i#2164 workaround
INFO: DynamoRIO configuration directory is C:\Users\SHill/dynamorio
INFO: configuring seg_unittest.exe pid=18496 dr_ops="-disable_traces -bb_single_restore_prefix -max_bb_instrs 256 -vm_size 256M -no_enable_reset -no_vm_base_near_app -no_early_inject -msgbox_mask 0 -logdir `C:\Users\SHill\AppData\Roaming\Dr. Memory\dynamorio` "
INFO: configuring client "C:\Program Files (x86)\Dr. Memory\bin64\release\drmemorylib.dll" ops="-logdir `C:\Users\SHill\AppData\Roaming\Dr. Memory` -symcache_dir `C:\Users\SHill\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist `C:\Windows*.d??,C:\Program Files\Common Files\Microsoft Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??` -resfile 18496 "
INFO: waiting for app to exit...
~~Dr.M~~ Dr. Memory version 2.1.0
~~Dr.M~~ Running "seg_unittest.exe"
~~Dr.M~~ Using system call file C:\Program Files (x86)\Dr. Memory\bin64\syscalls_x64.txt
<Application C:\Users\SHill\SHill_view\tm_build_system\build\unittest64\seg_unittest.exe (18496).  Dr. Memory internal crash at PC 0x0000000000b02ad6.  Please report this at http://drmemory.org/issues along with the results of running '-debug -dr_debug'.  Program aborted.
0xc0000005 0x00000000 0x0000000000b02ad6 0x0000000000b02ad6 0x0000000000000000 0x0000000010160b9d
Base: 0x0000000071000000
Registers: eax=0x00000000000000ff ebx=0x0000000000542e34 ecx=0x0000000000000008 edx=0x00000000fffffcff
        esi=0x0000000000000000 edi=0x000000001ddfe010 esp=0x000000001ddfdfa0 ebp=0x0000000000000000
        r8 =0x0000000010160b9d r9 =0x0000000000000008 r10=0x0000000000000001 r11=0x000000001ddfe050
        r12=0x0000000000af6b50 r13=0x0000000000100000 r14=0x0000000000000001 r15=0x0000000000af6ba0
        eflags=0x0000000000010286
2.1.0-1-(Mar 17 2019 23:59:56) WinVer=105;Rel=1803;Build=17134;Edition=Professional
-no_dynamic_options -disasm_mask 8 -logdir 'C:\Users\SHill\AppData\Roaming\Dr. Memory\dynamorio' -client_lib 'C:\Program Files (x86)\Dr. Memory\bin64\release\drmemorylib.dll;0;-logdir `C:\Users\SHill\AppData\Roaming\Dr. Memory` -symcache_dir `C:\Users\SHill\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist `C:\Windows*
C:\Program Files (x86)\Dr. Memory\bin64\release\drmemorylib.dll=0x0000000000ae0000
C:\Program Files (x86)\Dr. Memory\bin64\release/dbghelp.dll=0x0000000000d80000
C:\Windows/system32/ADVAPI32.dll=0x00007ffe11450000
C:\Windows/system32/sechost.dll=0x00007ffe10860000
C:\Windows/system32/RPCRT4.dll=0x00007ffe10a90000
C:\Windows/system32/msvcrt.dll=0x0000000000940000
C:\Windows/system32/kernel32.dll=0x00000000009e0000
C:\Windows/system32/KERNELBASE.d>
INFO: fetching symbols
~~Dr.M~~ WARNING: application exited with abnormal code 0xffffffff

C:\Users\SHill\SHill_view\tm_build_system\build\unittest64>"C:\Program Files (x86)\Dr. Memory\bin64\drmemory.exe" -batch -debug -v -- seg_unittest.exe
INFO: targeting application: "C:\Users\SHill\SHill_view\tm_build_system\build\unittest64\seg_unittest.exe"
INFO: app cmdline: "seg_unittest.exe"
INFO: logdir is "C:\Users\SHill\AppData\Roaming\Dr. Memory"
INFO: symcache_dir is "C:\Users\SHill\AppData\Roaming\Dr. Memory\symcache"
INFO: Setting TZ to GMT Standard Time for i#2164 workaround
INFO: DynamoRIO configuration directory is C:\Users\SHill/dynamorio
INFO: configuring seg_unittest.exe pid=2584 dr_ops="-disable_traces -bb_single_restore_prefix -max_bb_instrs 256 -vm_size 256M -no_enable_reset -no_vm_base_near_app -no_early_inject -msgbox_mask 0 -logdir `C:\Users\SHill\AppData\Roaming\Dr. Memory\dynamorio` "
INFO: configuring client "C:\Program Files (x86)\Dr. Memory\bin64\debug\drmemorylib.dll" ops="-logdir `C:\Users\SHill\AppData\Roaming\Dr. Memory` -symcache_dir `C:\Users\SHill\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist `C:\Windows*.d??,C:\Program Files\Common Files\Microsoft Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??` -resfile 2584 "
INFO: waiting for app to exit...
~~Dr.M~~ Dr. Memory version 2.1.0
~~Dr.M~~ Running "seg_unittest.exe"
~~Dr.M~~ ASSERT FAILURE (thread 2936): D:\drmemory_package\drmemory\drmemory.c:1969: false (fail to init Umbra)
INFO: fetching symbols
~~Dr.M~~ WARNING: application exited with abnormal code 0xffffffff

[derekbruening]

Our Appveyor tests are on Windows 8.1 and none of them hit this. I did not hit this in my Windows 8.1 VM either. We will need more information about the address space layout on your machine. I think the logfile named global.<pid>.000.log from a -debug -verbose 2 run should do it.

[StephenHillAtViaivi]

From log above, one can see I'm running Windows 10:
WinVer=105;Rel=1803;Build=17134;Edition=Professional

Ran with more verbose logging:
DrMemory-seg_unittest.exe.1108.000.zip

"C:\Program Files (x86)\Dr. Memory\bin64\drmemory.exe" -debug -verbose 4 -- seg_unittest.exe
~~Dr.M~~ Dr. Memory version 2.1.0
~~Dr.M~~ Running "seg_unittest.exe"
~~Dr.M~~ options are "`-verbose` `4` -logdir `C:\Users\SHill\AppData\Roaming\Dr. Memory` -symcache_dir `C:\Users\SHill\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist `C:\Windows*.d??,C:\Program Files\Common Files\Microsoft Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??` -resfile 1108 "
~~Dr.M~~ log dir is C:\Users\SHill\AppData\Roaming\Dr. Memory\DrMemory-seg_unittest.exe.1108.000
~~Dr.M~~ ASSERT FAILURE (thread 21120): D:\drmemory_package\drmemory\drmemory.c:1969: false (fail to init Umbra)
~~Dr.M~~ WARNING: application exited with abnormal code 0xffffffff

Failure seen in global.1108.log file

memory [0x00007df605005000, 0x00007ff5e5800000) spanning multiple segments is not supported
ASSERT FAILURE (thread 21120): D:\drmemory_package\drmemory\drmemory.c:1969: false (fail to init Umbra)

[derekbruening]

Right, had Windows 8.1 on the brain from your filing under issue #1693. Same problem though: I cannot reproduce any Umbra issue in my VM with 1803 build 17134 so this is specific to certain machines somehow.

[derekbruening]

This just happened in a test on Appveyor:

https://ci.appveyor.com/project/DynamoRIO/drmemory/builds/27571330

~~Dr.M~~ ASSERT FAILURE (thread 2908): ..\..\drmemory\drmemory.c:1969: false (fail to init Umbra)

[derekbruening]

To help searches: the appveyor failure was in the x64 fuzz_buffer.mutator.o-b-3 test

[pgroke-dt]

We're having problems using Dr.Memory on Windows 10 1903 x64 -- all applications we tried immediately terminate with some error.
Running C:\Program Files (x86)\Dr. Memory\bin64>drmemory.exe -debug -dr_debug calc.exe yields

~~Dr.M~~ Dr. Memory version 2.2.0
~~Dr.M~~ Running "calc.exe"
~~Dr.M~~ ASSERT FAILURE (thread 2456): D:\drmemory_package\drmemory\drmemory.c:1969: false (fail to init Umbra)
~~Dr.M~~ WARNING: application exited with abnormal code 0xffffffff

Running without the debug switches the output is something like

C:\Program Files (x86)\Dr. Memory\bin64>drmemory.exe calc.exe
~~Dr.M~~ Dr. Memory version 2.2.0
~~Dr.M~~ Running "calc.exe"
~~Dr.M~~ Using system call file C:\Users\paul.groke\AppData\Roaming\Dr. Memory\symcache\syscalls_x64.txt
~~Dr.M~~ WARNING: application is missing line number information.
~~Dr.M~~
~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS: executing 0x0000000000000000-0x0000000000000001 1 byte(s)
~~Dr.M~~ # 0 <not in a module> (0x0000000000000000)
~~Dr.M~~ Note: @0:00:00.189 in thread 28480
<Application C:\WINDOWS\system32\calc.exe (19360).  Dr. Memory internal crash at PC 0x0000000000032b06.  Please report this at http://drmemory.org/issues along with the results of running '-debug -dr_debug'.  Program aborted.
0xc0000005 0x00000000 0x0000000000032b06 0x0000000000032b06 0x0000000000000000 0x00000246323fca7c
Base: 0x0000000071000000
Registers: eax=0x0000000000ffffff ebx=0x00000000283329fc ecx=0x0000000000000018 edx=0x00000000fcffffff
        esi=0x0000000000000000 edi=0x0000024629e9df30 esp=0x0000024629e9dec0 ebp=0x0000000000000000
        r8 =0x00000246323fca7c r9 =0x0000000000000018 r10=0x0000000000000001 r11=0x0000024629e9df80
        r12=0x0000000000026b60 r13=0x0000000000100000 r14=0x0000000000000001 r15=0x0000000000026bb0
        eflags=0x0000024600010286
2.2.0-1-(Jul  1 2019 00:40:18) WinVer=105;Rel=1903;Build=18362;Edition=Professional
-no_dynamic_options -disasm_mask 8 -logdir 'C:\Users\paul.groke\AppData\Roaming\Dr. Memory\dynamorio' -client_lib 'C:\Program Files (x86)\Dr. Memory\bin64\release\drmemorylib.dll;0;-logdir `C:\Users\paul.groke\AppData\Roaming\Dr. Memory` -symcache_dir `C:\Users\paul.groke\AppData\Roaming\Dr. Memory\symcache` -lib_blackli
C:\Program Files (x86)\Dr. Memory\bin64\release\drmemorylib.dll=0x0000000000010000
C:\Program Files (x86)\Dr. Memory\bin64\release/dbghelp.dll=0x00000000002b0000
C:\WINDOWS/system32/ADVAPI32.dll=0x00000246aa220000
C:\WINDOWS/system32/sechost.dll=0x00000246aa2d0000
C:\WINDOWS/system32/RPCRT4.dll=0x00000246aa370000
C:\WINDOWS/system32/msvcrt.dll=0x00000246a9e10000
C:\WINDOWS/system32/kernel32.dll=0x00000246a9eb0000
C:\WINDOWS/system32/KERNELBASE.d>
~~Dr.M~~ Fetching 1 symbol files...
~~Dr.M~~ [1/1] Fetching symbols for C:\WINDOWS\System32\msvcp_win.dll
~~Dr.M~~ Fetched 0 symbol files successfully
~~Dr.M~~ WARNING: application exited with abnormal code 0xffffffff

Please let me know if you need any information or if there's something else I can do to help you track this down.

[derekbruening]

This is almost certainly an address space layout issue, but I have not been able to reproduce it.

If you could provide the address space layout in the culprit process? However you want to do it: one way would be in the windbg debugger attached to calc.exe to run !vadump and attach the results in a log file here.

[pgroke-dt]

OK...
What I did was:

• Start C:\Program Files (x86)\Dr. Memory\bin64> drmemory.exe calc.exe
• Wait for the "Dr. Memory internal crash" message box to appear
• Attach WinDbg
• Close the message box
• Run !vadump in WinDbg

If you need something else tell me what I need to do differently :)
I tried to do the same with the 32 bit copy of calc.exe, but then I get no "Dr. Memory internal crash" message box but the process quits and the results immediately open in notepad.

vadump-calc64.txt

[derekbruening]

Thanks. I'm out for the next week but will try to look at it after that.

[derekbruening]

@StephenHillAtViaivi pasted in the error message above which I am duplicating here:

memory [0x00007df605005000, 0x00007ff5e5800000) spanning multiple segments is not supported
ASSERT FAILURE (thread 21120): D:\drmemory_package\drmemory\drmemory.c:1969: false (fail to init Umbra)

From the vadump we see confirmation that there is indeed a massive (2 terabyte!) reservation:

BaseAddress:       00007dfe3a46e000
RegionSize:        000001f782c34000
State:             00002000  MEM_RESERVE
Type:              00040000  MEM_MAPPED

Umbra's segments here are 1TB.

[derekbruening]

My proposal is to eliminate the uniformly-sized-segments invariant from 64-bit Umbra. I believe that asymmetric, differently-sized regions should be fine, with the overlap checks identifying all conflicts.

[pgroke-dt]

The 2TB reservation is probably caused by Control Flow Guard:

In Windows 8.1 x64 and Windows 10 x64, a security mechanism called CFG (Control Flow Guard) requires a 2TB chunk of reserved memory for each process.

http://blogs.microsoft.co.il/sasha/2016/01/05/windows-process-memory-usage-demystified/

[pgroke-dt]

Please let me know if there's anything else I can do to help fix this.

[derekbruening]

The 2TB reservation is probably caused by Control Flow Guard:

Thanks, I will try to reproduce by building with /guard:cf.

[StephenHillAtViaivi]

I had Control Flow Guard enabled...I can confirm that disabling this feature fixes this problem

[derekbruening]

Just an update: It looks like there is no mapping offset that works for CFG's 0x7df0' or earlier (trying for 0x7c00') for UMBRA_MAP_SCALE_UP_2X. This is what I'm stuck on. Just bailing on that in combination with CFG is not simple since the app regions are set up first and expanding across segments is best done then, before any clients request particular map scalings.

[derekbruening]

I came up with a solution for the SCALE_UP_2X by taking another bit for the mask. Now the problem is that DrM tries to set the shadow values for the entire 2TB region which needless to say takes a long time and a lot of memory...

0:000> ~0s; kn
drmemorylib!memset+0x4d:
00007ff6`281ce71d 760a            jbe     drmemorylib!memset+0x59 (00007ff6`281ce729) [br=0]
 # Child-SP          RetAddr           Call Site
00 00000159`eabbc630 00007ff6`2833aae5 drmemorylib!memset+0x4d [d:\derek\drmemory\git\src\common\utils.c @ 93] 
01 00000159`eabbc660 00007ff6`28339e88 drmemorylib!umbra_shadow_set_range_arch+0x265 [d:\derek\drmemory\git\src\umbra\umbra_64.c @ 1004] 
02 00000159`eabbc710 00007ff6`2833aaa4 drmemorylib!umbra_create_shadow_memory_arch+0x778 [d:\derek\drmemory\git\src\umbra\umbra_64.c @ 864] 
03 00000159`eabbc820 00007ff6`28332e6b drmemorylib!umbra_shadow_set_range_arch+0x224 [d:\derek\drmemory\git\src\umbra\umbra_64.c @ 1004] 
04 00000159`eabbc8d0 00007ff6`27fb9949 drmemorylib!umbra_shadow_set_range+0x51b [d:\derek\drmemory\git\src\umbra\umbra.c @ 565] 
05 00000159`eabbc980 00007ff6`2815957a drmemorylib!shadow_set_range+0x10b9 [d:\derek\drmemory\git\src\drmemory\shadow.c @ 649] 
06 00000159`eabbcc20 00007ff6`27fa57d0 drmemorylib!check_unaddressable_exceptions+0x1b1a [d:\derek\drmemory\git\src\drmemory\alloc_drmem.c @ 2466] 
07 00000159`eabbcfb0 00007ff6`27f9f964 drmemorylib!handle_mem_ref_internal+0x2b90 [d:\derek\drmemory\git\src\drmemory\slowpath.c @ 1531] 
08 00000159`eabbdcb0 00007ff6`27f9a2b8 drmemorylib!check_mem_opnd+0xee4 [d:\derek\drmemory\git\src\drmemory\slowpath.c @ 1819] 
09 00000159`eabbde70 00007ff6`27fa1702 drmemorylib!slow_path_with_mc+0x2ae8 [d:\derek\drmemory\git\src\drmemory\slowpath.c @ 731] 
0a 00000159`eabbe9f0 00007ff6`183e0055 drmemorylib!slow_path+0x72 [d:\derek\drmemory\git\src\drmemory\slowpath.c @ 952] 
0b 00000159`eabbed60 00007ffe`6b8ac59e 0x00007ff6`183e0055
0c 00000159`eabbed68 00007ffe`6b8ac59e ntdll!LdrpDispatchUserCallTarget+0xe
0d 00000159`eabbed70 00007ff6`183e0039 ntdll!LdrpDispatchUserCallTarget+0xe
0e 00000159`eabbed78 00000000`00000000 0x00007ff6`183e0039
0:000> dv
            dst = 0x00000a7f`d3f30000
            val = 0n85
           size = 0x3bdb
            ptr = 0x00000a7f`d3f3c424 ""
0:000> .frame 6
06 00000159`eabbcc20 00007ff6`27fa57d0 drmemorylib!check_unaddressable_exceptions+0x1b1a [d:\derek\drmemory\git\src\drmemory\alloc_drmem.c @ 2466] 
0:000> dv
             sz = 0x00000200`00000000
           base = 0x00007df5`c4380000 "--- memory read error at address 0x00007df5`c4380000 ---"
          write = 0n0 ''
            loc = 0x00000159`eabbe0d8
           addr = 0x00007ff5`bde4a5e8 ""
             sz = 8
  addr_on_stack = 0n0 ''
             mc = 0x00000159`eabbea50
   addr_in_heap = 0n0 ''
      drcontext = 0x00000159`eabac480
            teb = 0x0000001b`96d7f000
            peb = 0x0000001b`96d7e000

[derekbruening]

Given that allocation_size for 0x00007ff5`bde4a5e8 returned the whole 2TB region (these are committed pieces inside it) we're going to have to change the strategy here for filling a unknown region.