stoke testcase sometimes misses a "line" (8 bytes) of valid memory addresses

[bchurchill]

HOTFIX

I have no idea what's causing this.

To reproduce, checkout the feature-stego branch, and navigate to /examples/flowershell

gcc -std=c99 testcase.c -o testcase
stoke testcase --config testcase.conf

To see there's a problem

stoke debug sandbox --target bins/hello.s --index 0 --testcases testcase.tc

You'll notice that all the testcases will have:

[ 00007fff 71855778 - 00007fff 71855760 ]
[ 2 valid rows shown ]

00007fff 71855770 v v v v v v v v 00 00 00 00 00 00 00 00
00007fff 71855760 v v v v v v v v 00 00 00 00 00 00 00 00

(or similar)

but they really need to have

[ 00007fff 71855778 - 00007fff 71855760 ]
[ 3 valid rows shown ]

00007fff 71855770 v v v v v v v v 00 00 00 00 00 00 00 00
00007fff 71855768 v v v v v v v v 00 00 00 00 00 00 00 00
00007fff 71855760 v v v v v v v v 00 00 00 00 00 00 00 00

I'm actually not sure if the two rows included are needed at all -- I'm touching exactly the 8 bytes of memory on the second line.

[eschkufz]

I don't think this is a stoke bug. After following your instructions, disassembling ./testcase using objdump shows this source for myhello:

116 00000000004004ed <myhello>:
117   4004ed: 55                    pushq  %rbp
118   4004ee: 48 89 e5              movq   %rsp,%rbp
119   4004f1: 48 c7 c0 01 00 00 00  movq   $0x1,%rax
120   4004f8: 48 c7 c7 00 00 00 00  movq   $0x0,%rdi
121   4004ff: c7 44 24 f0 48 45 4c  movl   $0x4c4c4548,-0x10(%rsp)
122   400506: 4c
123   400507: c7 44 24 f4 4f 21 20  movl   $0xa20214f,-0xc(%rsp)
124   40050e: 0a
125   40050f: 48 8d 74 24 f0        leaq   -0x10(%rsp),%rsi
126   400514: 48 c7 c2 08 00 00 00  movq   $0x8,%rdx
127   40051b: 5d                    popq   %rbp
128   40051c: c3                    retq

which is generated from your source:

  3   __asm__(
  4       "movq $0x1, %rax\n\t"
  5       "movq $0x0, %rdi\n\t"
  6       "movl $0x4c4c4548, -0x10(%rsp)\n\t"
  7       "movl $0x0a20214F, -0xC(%rsp)\n\t"
  8       "leaq -0x10(%rsp),%rsi\n\t"
  9       "movq $0x8,%rdx\n\t"
 10   );

Notice that gcc has introduced calls to push and pop, which are implicitly affecting rsp. The first row in your example is where the value of rbp is being pushed/popped. The second is where both of your movls are going.

If you want to embed assembly, a safer way to do this is by compiling a separate translation unit for myhello:

# myhello.s
  1   .text
  2   .globl myhello
  3   .type myhello, @function
  4 hello:
  5   movq   $0x1,%rax               # 1  
  6   movq   $0x0,%rdi               # 2  
  7   movq   $0x4c4c4548,-0x10(%rsp)  # 3  
  8   movq   $0xa20214f,-0xC(%rsp)   # 4  
  9   leaq   -0x10(%rsp),%rsi         # 5  
 10   movq   $0x8,%rdx               # 6  
 11   nop
 12   nop
 13   nop
 14   nop
 15   nop
 16   retq
 17 
 18 .size myhello, .-myhello

Compiling this in a separate translation unit:

g++ myhello.s -o myhello.o

Declaring myhello as extern in testcase.cc

extern int myhello();

And then linking against myhello.o

$ gcc -std=c99 testcase.c -o testcase myhello.o

[bchurchill]

Gah. Sorry to take your time. I think I had originally tried your
proposed solution but had problems with an empty testcase file. Would
you like me to see if I can reproduce that? It may have been my user
error as well.

Berkeley

On 06/16/2014 05:22 PM, eric schkufza wrote:

I don't think this is a stoke bug. After following your instructions,
disassembling ./testcase using objdump shows this source for myhello:

|116 00000000004004ed :
117 4004ed: 55 pushq %rbp
118 4004ee: 48 89 e5 movq %rsp,%rbp
119 4004f1: 48 c7 c0 01 00 00 00 movq $0x1,%rax
120 4004f8: 48 c7 c7 00 00 00 00 movq $0x0,%rdi
121 4004ff: c7 44 24 f0 48 45 4c movl $0x4c4c4548,-0x10(%rsp)
122 400506: 4c
123 400507: c7 44 24 f4 4f 21 20 movl $0xa20214f,-0xc(%rsp)
124 40050e: 0a
125 40050f: 48 8d 74 24 f0 leaq -0x10(%rsp),%rsi
126 400514: 48 c7 c2 08 00 00 00 movq $0x8,%rdx
127 40051b: 5d popq %rbp
128 40051c: c3 retq
|

which is generated from your source:

| 3 asm(
4 "movq $0x1, %rax\n\t"
5 "movq $0x0, %rdi\n\t"
6 "movl $0x4c4c4548, -0x10(%rsp)\n\t"
7 "movl $0x0a20214F, -0xC(%rsp)\n\t"
8 "leaq -0x10(%rsp),%rsi\n\t"
9 "movq $0x8,%rdx\n\t"
10 );
|

Notice that gcc has introduced calls to push and pop, which are
implicitly affecting rsp. The first row in your example is where the
value of rbp is being pushed/popped. The second is where both of your
movls are going.

If you want to embed assembly, a safer way to do this is by compiling
a separate translation unit for myhello:

|# myhello.s
1 .text
2 .globl myhello
3 .type myhello, @function
4 hello:
5 movq $0x1,%rax # 1
6 movq $0x0,%rdi # 2
7 movq $0x4c4c4548,-0x10(%rsp) # 3
8 movq $0xa20214f,-0xC(%rsp) # 4
9 leaq -0x10(%rsp),%rsi # 5
10 movq $0x8,%rdx # 6
11 nop
12 nop
13 nop
14 nop
15 nop
16 retq
17
18 .size myhello, .-myhello
|

Compiling this in a separate translation unit:

|g++ myhello.s -o myhello.o
|

Declaring myhello as extern in testcase.cc

|extern int myhello();
|

And then linking against myhello.o

|$ gcc -std=c99 testcase.c -o testcase myhello.o
|

—
Reply to this email directly or view it on GitHub
#27 (comment).

[eschkufz]

Go for it. You can check out some of my example directories for examples of
how to do it.

On Tue, Jun 17, 2014 at 6:26 AM, Berkeley Churchill <
notifications@github.com> wrote:

Gah. Sorry to take your time. I think I had originally tried your
proposed solution but had problems with an empty testcase file. Would
you like me to see if I can reproduce that? It may have been my user
error as well.

Berkeley

On 06/16/2014 05:22 PM, eric schkufza wrote:

I don't think this is a stoke bug. After following your instructions,
disassembling ./testcase using objdump shows this source for myhello:

|116 00000000004004ed :
117 4004ed: 55 pushq %rbp
118 4004ee: 48 89 e5 movq %rsp,%rbp
119 4004f1: 48 c7 c0 01 00 00 00 movq $0x1,%rax
120 4004f8: 48 c7 c7 00 00 00 00 movq $0x0,%rdi
121 4004ff: c7 44 24 f0 48 45 4c movl $0x4c4c4548,-0x10(%rsp)
122 400506: 4c
123 400507: c7 44 24 f4 4f 21 20 movl $0xa20214f,-0xc(%rsp)
124 40050e: 0a
125 40050f: 48 8d 74 24 f0 leaq -0x10(%rsp),%rsi
126 400514: 48 c7 c2 08 00 00 00 movq $0x8,%rdx
127 40051b: 5d popq %rbp
128 40051c: c3 retq
|

which is generated from your source:

| 3 asm(
4 "movq $0x1, %rax\n\t"
5 "movq $0x0, %rdi\n\t"
6 "movl $0x4c4c4548, -0x10(%rsp)\n\t"
7 "movl $0x0a20214F, -0xC(%rsp)\n\t"
8 "leaq -0x10(%rsp),%rsi\n\t"
9 "movq $0x8,%rdx\n\t"
10 );
|

Notice that gcc has introduced calls to push and pop, which are
implicitly affecting rsp. The first row in your example is where the
value of rbp is being pushed/popped. The second is where both of your
movls are going.

If you want to embed assembly, a safer way to do this is by compiling
a separate translation unit for myhello:

|# myhello.s
1 .text
2 .globl myhello
3 .type myhello, @function
4 hello:
5 movq $0x1,%rax # 1
6 movq $0x0,%rdi # 2
7 movq $0x4c4c4548,-0x10(%rsp) # 3
8 movq $0xa20214f,-0xC(%rsp) # 4
9 leaq -0x10(%rsp),%rsi # 5
10 movq $0x8,%rdx # 6
11 nop
12 nop
13 nop
14 nop
15 nop
16 retq
17
18 .size myhello, .-myhello
|

Compiling this in a separate translation unit:

|g++ myhello.s -o myhello.o
|

Declaring myhello as extern in testcase.cc

|extern int myhello();
|

And then linking against myhello.o

|$ gcc -std=c99 testcase.c -o testcase myhello.o

|
|

—
Reply to this email directly or view it on GitHub
#27 (comment).

—
Reply to this email directly or view it on GitHub
#27 (comment).