New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support msvcr*d.dll (/MDd) #607
Comments
From bruen...@google.com on April 09, 2012 10:59:48 some users are unable to avoid the debug crt dll: "However, my real app is a dll dynamically loaded by an exe. I don't |
From bruen...@google.com on July 02, 2012 20:47:06 note that there are multiple challenges with supporting /MDd: in addition to LFH ( issue #606 ) there are operator issues ( issue #832 , issue #26 , issue #500 ). replacing malloc ( issue #794 ), if it works, and if it can also replace the operators, can solve several of the issues, but not all. we have to give up on reporting invalid frees on pre-us allocs, or support earliest injection. attach exacerbates the problem. Status: Accepted |
From bruen...@google.com on August 06, 2012 20:29:55 raising priority. this has ties into -replace_malloc even w/o debug crt: xref issue #960 where -replace_malloc wants to use libc arena but misses the Labels: -Priority-Medium Priority-Critical |
From bruen...@google.com on August 06, 2012 21:32:20 dividing the work here into two issues (ignoring problems solved previously in other ways like eliminating redzones, namely issue #26 and issue #500 ; issue #832 covers re-enabling those): part A: internal alloc + redzone vs exported free A is by far the worst as it leads to app crashes based on tests w/ small apps (not yet tested on chrome component build), I can get MDd working in controlled environments (like chrome buildbots). still working on more general solution. |
From bruen...@google.com on August 06, 2012 22:39:07 pasting in more notes: ** TODO solving issue #606 part A: internal alloc + redzone vs exported free xref issue #960 where -replace_malloc wants to use libc arena but misses the here's the internal-alloc point w/ release msvcrt (which has the same ChildEBP RetAddr00 00d7dc94 693a75e1 ntdll!NtRaiseHardError+0x12 if we had symbols we would intercept _calloc_impl (release) (added for issue #940) and possible solutions: *** TODO require msvcr* symbols and have frontend download them? xref issue #143 and issue #388 which have some discussion of auto-downloading *** TODO locate w/o symbols? it calls _callnewh so do many routines probably best bet is to find callers of HeapAlloc. only a few in crt. but then have to work backward to find start of function. ugh. *** TODO identify at HeapAlloc callee and retroactively fix up? ideally would either have syms or analyze ahead of time. but if had to see whether caller is in msvcr* and we didn't intercept it:
add the libc layer retroactively.
*** INFO disasm, etc.: cut for brevity ** TODO solving issue #606 part B: LFH pre-us chunks the heap iteration seems to treat LFH chunks as mallocs rather than note that the invalid args and app crashes we've seen (issue #606, or just potential solutions: *** TODO can we look inside LFH during heap walk? *** TODO early injection: or just earlier injection. quoting from issue #960: *** TODO give up on distinguishing during heap walk and instead handle later if see invalid heap args (for ptr to free or query) that are inside pre-us
** TODO testing: even helloMDd.exe crashes w/ symbols and issue #960/issue #607 private sym search for libc which fixes part A => runs w/ just 4 invalid heap args from pre_us which is part B ** TODO test chrome component build ** TODO evaluate and test on other than win7 |
From bruen...@google.com on August 09, 2012 06:48:18 ** TODO solving issue #606 part B: LFH pre-us chunks => no, just dbgcrt chunks *** TODO can we look inside LFH during heap walk? => it's not LFH: it's dbgcrt helloMDd's 4 invalid heap args:
% grep -A 1 walking
|
From bruen...@google.com on August 09, 2012 06:49:02 ** TODO solving issue #606 part C: need private syms for issue #722
% grep 'allocated with' Error 0 MSVCP100D.dll!std::basic_streambuf<char,std::char_traits >::setp +0x22e (0x6f6a800f <MSVCP100D.dll+0x1800f>)1 MSVCP100D.dll!std::basic_streambuf<char,std::char_traits >::~basic_streambuf<char,std::char_traits >+0x43 (0x6f6a5274 <MSVCP100D.dll+0x15274>)2 std::basic_stringbuf<char,std::char_traits,std::allocator >::~basic_stringbuf<char,std::char_traits,std::allocator > [c:\program files (x86)\microsoft visual studio 10.0\vc\include\sstream:77]3 std::basic_stringstream<char,std::char_traits,std::allocator >::~basic_stringstream<char,std::char_traits,std::allocator > [c:\program files (x86)\microsoft visual studio 10.0\vc\include\sstream:705]4 std::basic_stringstream<char,std::char_traits,std::allocator >::`vbase destructor'# 5 testing::Message::GetString [d:\derek\chromium\src\testing\gtest\include\gtest\gtest-message.h:191] 9 __tmainCRTStartup [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c:473]#10 mainCRTStartup [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c:370] in event_basic_block(tag=0x77ae2c7c) 0:000> U 0x6f6a6dc1 0:000> U 0x688a9c70 w/o syms: w/ syms: => it's issue #722 and it needs private syms: hmm perhaps a symbol-based solution to part A should be considered after note that -replace_malloc does not solve this as it also needs to find the *** DONE std::_DebugHeapDelete looks different: indirect call to free even w/ syms and doing full lookup for msvcp*.dll: so a maintenance issue for issue #722's decoding hack for VS2010 I guess: 0:000> U 0x66055261 L10 |
From bruen...@google.com on August 09, 2012 06:49:02 ... eax,[esi] 0:000> U 0x660dda60 L10 => need to handle indirect call via IAT to free also need to look up possible_crtdbg_routines in msvcrp*.dll even though it |
From bruen...@google.com on August 09, 2012 06:49:33 ** TODO part D: MSVCP100D.dll pdb does not have type info for operators operator new[] in MSVCP100D.dll @0x66352f80 generic type=11 => drsyms res=1, 3472380 args 0:000> x msvcp100d!operator* 0:000> lm m msvcp100d this is an issue for -replace_malloc operator replacement (from issue #882) for need to look at mangled syms. fortunately these are exports so that should |
From bruen...@google.com on August 09, 2012 10:00:01 ** TODO symbol solution discussion xref DRi#450: symsrv.dll is redistributable. but, we can use hacky solutions for part A, and for part C we can just once we have the symsrv in place we can use it to get system lib syms which OTOH, implementing the hack solns requires extra code at runtime: is that |
From bruen...@google.com on August 13, 2012 21:20:17 splitting automatically retrieving symbols into issue #143 |
From bruen...@google.com on August 15, 2012 08:06:02 for part A nosyms wrap we hit an unaddr from internal alloc routine touching headers: heap 1 0x003fbec8-0x003fbed1-0x003fbf10 0 0x00390048,0x00490000 3f 3f 0 0 (0x00000000) modid:0heap 1 0x003fbf10-0x003fbf1c-0x003fbf58 0 0x00390048,0x00490000 3c 3c 0 0 (0x00000000) modid:0heap 1 0x003fbf58-0x003fbf64-0x003fbfa0 0 0x00390048,0x00490000 3c 3c 0 0 (0x00000000) modid:0heap 0 0x003fbfa0-0x003fbfa8-0x003fbfe8 0 0x00390048,0x00490000 40 0 0 Error 0 MSVCR100D.dll!malloc_dbg (0x68726a5b <MSVCR100D.dll+0x116a5b>) modid:31 MSVCR100D.dll!malloc_dbg (0x6872671f <MSVCR100D.dll+0x11671f>) modid:32 MSVCR100D.dll!malloc_dbg (0x68726ba4 <MSVCR100D.dll+0x116ba4>) modid:33 MSVCR100D.dll!initptd (0x6865a801 <MSVCR100D.dll+0x4a801>) modid:34 MSVCR100D.dll!getptd (0x6865a88b <MSVCR100D.dll+0x4a88b>) modid:35 MSVCR100D.dll!isalpha_l (0x686c808f <MSVCR100D.dll+0xb808f>) modid:36 MSVCR100D.dll!ismbbkana (0x686cfe73 <MSVCR100D.dll+0xbfe73>) modid:37 MSVCR100D.dll!ismbblead (0x686cfd54 <MSVCR100D.dll+0xbfd54>) modid:38 MSVCR100D.dll!unlock (0x686598f9 <MSVCR100D.dll+0x498f9>) modid:39 MSVCR100D.dll!unlock (0x686597b7 <MSVCR100D.dll+0x497b7>) modid:3#10 MSVCR100D.dll!_getmainargs (0x68658d96 <MSVCR100D.dll+0x48d96>) modid:3 I'm just going to suppress it |
From bruen...@google.com on August 15, 2012 08:24:47 so in the end we see that replacing doesn't make correctly handling /MDd |
From bruen...@google.com on April 25, 2013 19:07:22 I just discovered that the calls to _calloc{,_dbg}_impl that kept triggering all of these /MD and /MDd problems only show up due to transparency bugs that were fixed in DR r1728 (DRi#985), pulled into DrMem in r1115 . Normally the FLS slot for _getptd_noexit() is set up during MSVCR*.dll initialization. Although we'd see the same problems anyway if we did earlier injection. |
From derek.br...@gmail.com on April 30, 2013 20:33:44 This issue was closed by revision r1310 . Status: Fixed |
From bruen...@google.com on September 27, 2011 22:08:51
for issue #606 the decision is to not support /MDd at all until we have early injection in DR.
once we do there is still an issue: how get msvcr90d.pdb in order to
intercept _calloc_dbg_impl, etc.? xref issue #388 .
Original issue: http://code.google.com/p/drmemory/issues/detail?id=607
The text was updated successfully, but these errors were encountered: