UNINITIALIZED READs related to NtGdi syscalls found on Chromium #502
Comments
From bruen...@google.com on July 20, 2011 13:55:27: What test suite is this on? Owner: timurrrr@google.com
From timurrrr@google.com on July 21, 2011 02:53:25: I've seen this on reliability_tests, which basically runs full Chromium on different URLs.
From timurrrr@google.com on July 25, 2011 06:27:51: One more:
1 <sys.call> NtGdiIntersectClipRect
2 SystemParametersInfoW USER32.dll+0x211553
DrawTextExW USER32.dll+0x213d64
DrawTextW USER32.dll+0x2232e5
`anonymous namespace'::DoDrawText ui\gfx\canvas_skia_win.cc:476
gfx::CanvasSkia::SizeStringInt ui\gfx\canvas_skia_win.cc:3207
gfx::CanvasSkia::DrawFadeTruncatingString ui\gfx\canvas_skia_win.cc:477
Summary: UNINITIALIZED READs related to NtGdi syscalls found on Chromium
From bruen...@google.com on July 25, 2011 10:29:47: Suspicious: NtGdiIntersectClipRect doesn't have optional parameters.
From zhao...@google.com on August 28, 2012 13:56:16: See similar error report. This one looks like a false positive: GDI32!EnumFontsInternalW: ecx is pointing to the memory allocated by "7587c3e7 83ec0c: sub esp,0xc", which is not initialized. "7587c3fd 50 push eax" then calls to GDI32!bEnumFonts. GDI32!bEnumFonts calls to the system call without filling that either (GDI32!bEnumFonts). So the pointer is actually partially initialized. From syscall_wingdi.c
From zhao...@google.com on August 28, 2012 14:02:58: It seems param
From zhao...@google.com on August 28, 2012 14:05:40: Before and after the system call, the value changed: post-syscall
From bruen...@google.com on August 28, 2012 14:16:49: The header has it as R|W.
What do you mean, "the pointer is partially initialized"? Can you point out where it's partially set? At a glance I only see whole-word operations in the disasm. Owner: zhao...@google.com
From zhao...@google.com on August 28, 2012 14:22:32: 7587c401 8945f8 mov [ebp-0x8],eax
From bruen...@google.com on August 28, 2012 14:26:48:
As you yourself showed in the table entry you pasted, it's a pointer to ULONG. I'm asking where that ULONG is partially initialized.
From zhao...@google.com on August 28, 2012 14:29:45: At the beginning, I thought it was a pointer pointing to some data structure (not ULONG) starting at [ebp - 0x4], and later there is an update on [ebp - 0x8], so I said it is partially set. If it is ULONG, then it is not partially set.
From zhao...@google.com on August 28, 2012 14:33:07: pre-syscall post-syscall 0018f1b8 7587c51e GDI32!bEnumFonts+0x3f
From bruen...@google.com on August 28, 2012 14:56:21: So the pvUserModeBuffer is NULL. Perhaps when NULL is passed, the count is just OUT and the kernel indicates the size so the app can call again. Did the syscall fail with one of the codes listed for SYSINFO_RET_SMALL_WRITE_LAST?
From bruen...@google.com on August 28, 2012 15:00:08: OK, it returns bool instead of a status, and the buffer is listed as optional. So perhaps when it's NULL it still writes the size needed.
From zhao...@google.com on August 28, 2012 15:04:46: Does it mean the param #6's R is conditional, i.e., depends on whether the pvUserModeBuffer is NULL?
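The exchange above boils down to how a memory checker decides whether a syscall argument is READ before the call. The following is an added illustration, not Dr. Memory's own code or its syscall table format: it models only the two NtGdiEnumFonts arguments discussed here (the optional user-mode buffer and the ULONG count the thread calls "param #6"; the names, positions and the `count_read_conditional` rule are assumptions taken from the comments, not from the Windows headers), and shows why the unconditional R|W rule reports the EnumFontFamiliesExW stack slot as an uninitialized read while the conditional rule stays quiet for a NULL buffer and still reports when a real buffer is passed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model (not Dr. Memory's code) of the pre-/post-syscall
 * checks for NtGdiEnumFonts.  Only the two parameters from the thread are
 * modelled; exact positions and names are assumptions.
 */

/* Shadow state for one ULONG in application memory. */
typedef struct {
    uint32_t value;
    bool     initialized;   /* has the application ever written it? */
} shadow_ulong_t;

/* The subset of NtGdiEnumFonts arguments we reason about. */
typedef struct {
    const void     *pvUserModeBuffer;  /* optional output buffer, may be NULL */
    shadow_ulong_t *pulCount;          /* "param #6", marked R|W in the header */
} enumfonts_args_t;

/* A rule answers: does the kernel READ *pulCount for these arguments? */
typedef bool (*count_read_rule_t)(const enumfonts_args_t *args);

/* Table-as-written rule: the header says R|W, so it is always read. */
static bool count_read_unconditional(const enumfonts_args_t *args)
{
    (void)args;
    return true;
}

/* Thread hypothesis: with a NULL buffer the kernel only writes back the
 * required size, so the count is OUT-only and its old contents are never read. */
static bool count_read_conditional(const enumfonts_args_t *args)
{
    return args->pvUserModeBuffer != NULL;
}

/* Pre-syscall check: report an UNINITIALIZED READ only if the rule says the
 * kernel reads the count and the application never initialized it. */
static bool presys_reports_uninit(const enumfonts_args_t *args, count_read_rule_t rule)
{
    return rule(args) && !args->pulCount->initialized;
}

/* Post-syscall: the kernel wrote the count (the W half), so the shadow becomes
 * defined.  This is the "value changed after the syscall" observation above. */
static void postsys_mark_written(enumfonts_args_t *args, uint32_t kernel_value)
{
    args->pulCount->value = kernel_value;
    args->pulCount->initialized = true;
}

/* Run one constructed scenario and return whether the checker would report.
 * buffer_present=false, count_initialized=false is the EnumFontFamiliesExW
 * case from the report: the count lives in a stack slot reserved by
 * "sub esp,0xc" that nothing wrote before the call. */
bool scenario_reports(bool buffer_present, bool count_initialized, count_read_rule_t rule)
{
    uint8_t buffer[64];                                       /* constructed stand-in buffer */
    shadow_ulong_t count = { 0xcccccccc, count_initialized }; /* 0xcc.. = stack garbage */
    enumfonts_args_t args = {
        .pvUserModeBuffer = buffer_present ? buffer : NULL,
        .pulCount = &count,
    };
    bool reported = presys_reports_uninit(&args, rule);
    postsys_mark_written(&args, 1234);                        /* kernel always writes the count back */
    return reported;
}

int main(void)
{
    printf("NULL buffer, uninit count, R|W rule         -> %s\n",
           scenario_reports(false, false, count_read_unconditional) ? "REPORT" : "quiet");
    printf("NULL buffer, uninit count, conditional rule -> %s\n",
           scenario_reports(false, false, count_read_conditional) ? "REPORT" : "quiet");
    printf("real buffer, uninit count, conditional rule -> %s\n",
           scenario_reports(true, false, count_read_conditional) ? "REPORT" : "quiet");
    return 0;
}
```

The point of separating the rule from the check is that a conditional direction (OUT when the buffer is NULL, IN|OUT otherwise) can be expressed without weakening the check for the case that really does read the caller's count.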
From bruen...@google.com on July 20, 2011 16:54:38:
Split from issue #501:
Also seen on Chromium w/o symbols, looks related:
Error #1: UNINITIALIZED READ: reading 0x003cbe58-0x003cbe5c 4 byte(s) within 0x003cbe58-0x003cbe5c@0:01:26.148 in thread 2840
system call NtGdiEnumFonts
0x759ec264 <GDI32.dll+0x1c264> GDI32.dll!CreateICW
0x759ec3d9 <GDI32.dll+0x1c3d9> GDI32.dll!EnumFontFamiliesExW
0x726eea4e <RICHED20.dll+0xea4e> RICHED20.dll!CreateTextServices
0x726edc98 <RICHED20.dll+0xdc98> RICHED20.dll!IID_ITextServices
0x726ed54a <RICHED20.dll+0xd54a> RICHED20.dll!IID_IRichEditOleCallback
0x726ee895 <RICHED20.dll+0xe895> RICHED20.dll!CreateTextServices
0x726ee871 <RICHED20.dll+0xe871> RICHED20.dll!CreateTextServices
0x726e220c <RICHED20.dll+0x220c> RICHED20.dll!?
0x75e96238 <USER32.dll+0x16238> USER32.dll!gapfnScSendMessage
0x75e968ea <USER32.dll+0x168ea> USER32.dll!gapfnScSendMessage
0x75ea0ab0 <USER32.dll+0x20ab0> USER32.dll!FillRect
0x75ea0ad6 <USER32.dll+0x20ad6> USER32.dll!CallWindowProcW
0x5d221b87 <chrome.dll+0x1b91b87> chrome.dll!ATL::CWindowImplBaseTWTL::CRichEditCtrlT<ATL::CWindow,ATL::CWinTraits<1342177664,0> >::DefWindowPro
c:\program files (x86)\microsoft visual studio 9.0\vc\atlmfc\include\atlwin.h:3030
0x5d223778 <chrome.dll+0x1b93778> chrome.dll!ATL::CWindowImplBaseTWTL::CRichEditCtrlT<ATL::CWindow,ATL::CWinTraits<1342177664,0> >::WindowProc
c:\program files (x86)\microsoft visual studio 9.0\vc\atlmfc\include\atlwin.h:3089
0x75e96238 <USER32.dll+0x16238> USER32.dll!gapfnScSendMessage
0x75e968ea <USER32.dll+0x168ea> USER32.dll!gapfnScSendMessage
0x75e9cd1a <USER32.dll+0x1cd1a> USER32.dll!GetWindow
0x75e9cd81 <USER32.dll+0x1cd81> USER32.dll!SendMessageW
0x5d21af26 <chrome.dll+0x1b8af26> chrome.dll!ATL::CWindow::SetFont
c:\program files (x86)\microsoft visual studio 9.0\vc\atlmfc\include\atlwin.h:864
Original issue: http://code.google.com/p/drmemory/issues/detail?id=502