Segment Fault when using PyPanda for Win7 app's dynamic tracing #755

Closed
windhl opened this issue Sep 10, 2020 · 1 comment


windhl commented Sep 10, 2020

Hi everyone, I use pypanda to trace Win7 applications and get a segmentation fault.

pypanda-tracer.py

```python
from sys import argv
from panda import blocking, Panda, ffi

# Boot the generic Windows 7 image and load the plugins used by the tracer.
panda = Panda(generic="win7")

panda.load_plugin("syscalls2")
panda.load_plugin("osi")
panda.load_plugin("win7x86intro")

printed = set()
ctr = 0

# Runs before every translated block: ask OSI for the current process and
# print each (name, pid) pair the first time that pid is seen.
@panda.cb_before_block_exec
def bbe(cpu, tb):
    proc = panda.plugins['osi'].get_current_process(cpu)
    name = ffi.string(proc.name)
    if proc.pid not in printed:
        printed.add(proc.pid)
        print(name, proc.pid)

record_name = "win7test"
panda.run_replay(record_name)
```

The script only gets a few correct process names and PIDs before the segfault comes. Here is the call stack:

```
#0 convert_to_object (data=0x10 <error: Cannot access memory at address 0x10>, ct=0x7ffff66f3a98) at c/_cffi_backend.c:1041
#1 0x0000000000576f1b in _PyEval_EvalFrameDefault () at ../Python/ceval.c:2872
#2 0x000000000057ed45 in PyEval_EvalFrameEx (throwflag=0,
    f=Frame 0x7ffff365b5b8, for file tracer.py, line 19, in bbe (cpu=<_cffi_backend._CDataBase at remote 0x7ffff3726418>, tb=<_cffi_backend._CDataBase at remote 0x7ffff37265a8>, proc=<_cffi_backend._CDataBase at remote 0x7ffff37263f0>)) at ../Python/ceval.c:754
#3 _PyEval_EvalCodeWithName (qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=, defs=0x0, kwstep=2, kwcount=, kwargs=0x7ffff7f95068, kwnames=0x7ffff7f95060,
    argcount=, args=, locals=, globals=, _co=) at ../Python/ceval.c:4166
#4 PyEval_EvalCodeEx () at ../Python/ceval.c:4187
#5 0x00000000004fc764 in function_call () at ../Objects/funcobject.c:604
#6 0x00000000004e8b5a in PyObject_Call () at ../Objects/abstract.c:2261
#7 0x00000000005785c0 in do_call_core (kwdict={}, callargs=(<_cffi_backend._CDataBase at remote 0x7ffff3726418>, <_cffi_backend._CDataBase at remote 0x7ffff37265a8>), func=<function at remote 0x7ffff372d950>)
    at ../Python/ceval.c:5120
#8 _PyEval_EvalFrameDefault () at ../Python/ceval.c:3404
#9 0x000000000057f071 in PyEval_EvalFrameEx (throwflag=0,
    f=Frame 0x7fffac011448, for file /usr/local/lib/python3.6/dist-packages/panda/main.py, line 1934, in _run_and_catch (args=(<_cffi_backend._CDataBase at remote 0x7ffff3726418>, <_cffi_backend._CDataBase at remote 0x7ffff37265a8>), kwargs={})) at ../Python/ceval.c:754
#10 _PyEval_EvalCodeWithName (qualname=0x0, name=0x0, closure=(<cell at remote 0x7ffff372b438>, <cell at remote 0x7ffff372b3d8>), kwdefs=0x0, defcount=, defs=0x0, kwstep=2, kwcount=,
    kwargs=0x0, kwnames=0x0, argcount=, args=, locals=, globals=, _co=) at ../Python/ceval.c:4166
#11 PyEval_EvalCodeEx () at ../Python/ceval.c:4187
#12 0x00000000004fc663 in function_call () at ../Objects/funcobject.c:604
#13 0x00000000004e8b5a in PyObject_Call () at ../Objects/abstract.c:2261
#14 0x00007ffff51e94e7 in general_invoke_callback (userdata=0x7ffff35edea8, args=0x7fffb1c04c60 "PM\300\261\377\177", result=0x7fffb1c04e00, decode_args_from_libffi=1) at c/_cffi_backend.c:6100
#15 invoke_callback (cif=, result=0x7fffb1c04e00, args=0x7fffb1c04c60, userdata=0x7ffff35edea8) at c/_cffi_backend.c:6175
#16 0x00007ffff4fc8776 in ffi_closure_unix64_inner () from /usr/local/lib/python3.6/dist-packages/cffi.libs/libffi-806b1a9d.so.6.0.4
#17 0x00007ffff4fc8f54 in ffi_closure_unix64 () from /usr/local/lib/python3.6/dist-packages/cffi.libs/libffi-806b1a9d.so.6.0.4
#18 0x00007ffff0810610 in panda_callbacks_before_block_exec (cpu=cpu@entry=0x11622f0, tb=tb@entry=0x7fffb2997498) at /data/panda/panda/src/cb-support.c:49
#19 0x00007ffff086115b in cpu_tb_exec (itb=, cpu=0x11622f0) at /data/panda/cpu-exec.c:188
#20 cpu_loop_exec_tb (sc=0x7fffb1c04ec0, tb_exit=, last_tb=, tb=, cpu=0x11622f0) at /data/panda/cpu-exec.c:673
#21 cpu_exec (cpu=cpu@entry=0x11622f0) at /data/panda/cpu-exec.c:864
#22 0x00007ffff088317b in tcg_cpu_exec (cpu=0x11622f0) at /data/panda/cpus.c:1200
#23 qemu_tcg_cpu_thread_fn (arg=) at /data/panda/cpus.c:1298
#24 0x00007ffff7bc16ba in start_thread (arg=0x7fffb1c05700) at pthread_create.c:333
#25 0x00007ffff6da44dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
```

This is far away from the QEMU code, so where should I focus to solve this problem? Thanks!


windhl commented Sep 10, 2020

When I replace the implementation of callback_before_block_execute with only a print, there is no bug.
So I think it is the cffi use in the callback?

@windhl windhl closed this as completed Sep 10, 2020
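The backtrace gives the practical hint for both comments above. Frame #0 is cffi's `convert_to_object` faulting while reading at address 0x10, i.e. a struct field read through a pointer whose value is near zero; frame #9 shows the callback running inside pypanda's `_run_and_catch`, which catches Python exceptions but cannot catch a native SIGSEGV raised inside cffi's field access, so the whole QEMU process dies with no Python traceback. An OSI `get_current_process()` call returns a NULL pointer whenever it cannot resolve the current task (early in a replay, or while the guest is in the kernel), and `ffi.string(proc.name)` on that NULL then faults exactly like this. The following hardened tracer is an added example, not code from the issue author or the PANDA project; it assumes that NULL return is the cause, and it assumes the osi plugin's exported `free_osiproc` is callable through `panda.plugins['osi']` (the unused `syscalls2` load is dropped). The `panda` import is deferred into `main()` so the NULL-handling helper can be exercised without a PANDA install.

```python
# Hardened before_block_exec tracer (added example; not the issue's or PANDA's own code).
# Run this file directly under a PANDA install; the helpers need no PANDA to import.

def describe_process(ffi, proc):
    """Return (name, pid) for an OsiProc cdata pointer, or None if the pointer is NULL.

    cffi does not guard field access on a NULL struct pointer: reading proc.name
    dereferences a small offset from address 0 and kills the interpreter with
    SIGSEGV, bypassing any Python-level try/except (pypanda's _run_and_catch
    included).  So the NULL test has to happen before any field is touched.
    """
    if proc == ffi.NULL:
        return None
    # ffi.string() copies the NUL-terminated char* into bytes; decode leniently,
    # guest process names are not guaranteed to be valid UTF-8.
    name = ffi.string(proc.name).decode("utf-8", errors="replace")
    return name, int(proc.pid)


def note_new_pid(seen, pid):
    """Record pid in `seen`; True only the first time this pid is encountered."""
    if pid in seen:
        return False
    seen.add(pid)
    return True


def main(record_name="win7test"):
    # Deferred import: only needed when actually tracing under PANDA.
    from panda import Panda, ffi

    panda = Panda(generic="win7")
    panda.load_plugin("osi")
    panda.load_plugin("win7x86intro")

    printed = set()

    @panda.cb_before_block_exec
    def bbe(cpu, tb):
        proc = panda.plugins["osi"].get_current_process(cpu)
        info = describe_process(ffi, proc)
        if info is None:
            return  # OSI could not resolve a task here: nothing to read, nothing to free
        name, pid = info
        if note_new_pid(printed, pid):
            print(name, pid)
        # get_current_process() allocates the OsiProc; release it once we are done.
        # Assumption of this example: the osi plugin's exported free_osiproc is
        # reachable through the pypanda plugin wrapper.
        panda.plugins["osi"].free_osiproc(proc)

    panda.run_replay(record_name)


if __name__ == "__main__":
    main()
```

The same rule applies to every OSI accessor that hands back a pointer (process lists, thread and module records): compare against `ffi.NULL` before touching a field, and remember that a crash in this position shows up as a gdb backtrace through `_cffi_backend.c`, never as a Python exception.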