CRASH (1.5.0 64-bit firefox) copy_and_re_relativize_raw_instr

[derekbruening]

From [email protected] on January 07, 2010 12:55:07

just starting up firefox we hit a crash:

rio /usr/bin/firefox
<Starting application sh (7153)>
<Starting application basename (7154)>
<Stopping application basename (7154)>
<Starting application uname (7155)>
<Stopping application uname (7155)>
<Starting application sh (7156)>
<Starting application uname (7157)>
<Stopping application uname (7157)>
<Stopping application sh (7156)>
<Stopping application sh (7181)>
<Starting application sed (7182)>
<Stopping application sed (7182)>
<Stopping application sh (7180)>
<Stopping application sh (7184)>
<Starting application sed (7185)>
<Stopping application sed (7185)>
<Stopping application sh (7183)>
<Starting application sh (7153)>
<Starting application basename (7186)>
<Stopping application basename (7186)>
<Starting application dirname (7187)>
<Stopping application dirname (7187)>
<Starting application uname (7188)>
<Stopping application uname (7188)>
<Starting application firefox (7189)>
<Application firefox (7189)
** Received SIGSEGV at DynamoRIO pc 0xd2882651 in thread 7189>

(gdb) x/8i sc->rip
0x3cd2882651 <memcpy+17>: mov %cl,(%rdi)
0x3cd2882653 <memcpy+19>: inc %rsi
0x3cd2882656 <memcpy+22>: inc %rdi
0x3cd2882659 <memcpy+25>: test $0x2,%dl
0x3cd288265c <memcpy+28>: je 0x3cd2882670 <memcpy+48>
(gdb) p/x *sc

$2 = { r8 = 0x0, r9 = 0x1, r10 = 0x0, r11 = 0x1, r12 = 0x416360c0, r13 =
0x0, r14 = 0x1, r15 = 0x451463b0, rdi = 0x0, rsi = 0x422a2908, rbp = 0x0, rbx =
0x416c6610, rdx = 0x3,
rax = 0x0, rcx = 0xf, rsp = 0x416a1b48, rip = 0x3cd2882651, eflags =
0x10202,
cs = 0x33, gs = 0x0, fs = 0x0, __pad0 = 0x0, err = 0x6, trapno = 0xe,
oldmask = 0x0,
cr2 = 0x0, fpstate = 0x416aa200, reserved1 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}}
(gdb) set $rsp=0x416a1b48
(gdb) bt
#0 0x00000000710cafd0 in syscall_ready ()
from /work/opensource/builds/build64rel/lib/libdynamorio.so
#1 0x000000007109b2f8 in copy_and_re_relativize_raw_instr
(dcontext=0x710eadae,
instr=0x3, dst_pc=0x71314000 "\1")
at /work/opensource/dynamorio/core/x86/encode.c:1861
#2 0x000000007109ecbe in instr_encode_common (dcontext=0x416360c0,
instr=0x416c6610,
pc=0x0, check_reachable=1) at
/work/opensource/dynamorio/core/x86/encode.c:1896
#3 0x00000000710619c5 in set_linkstub_fields (num_indirect_stubs=,
num_direct_stubs=, ilist=,
f=, dcontext=, emit=)
at /work/opensource/dynamorio/core/emit.c:390
#4 emit_fragment_common (num_indirect_stubs=,
num_direct_stubs=, ilist=,
f=, dcontext=, emit=)
at /work/opensource/dynamorio/core/emit.c:678
#5 0x0000000071062709 in emit_fragment_ex (dcontext=0x0, tag=0x416a9d8f
"", ilist=0x1,
flags=4294967295, vmlist=0x1, link=0, visible=1)
at /work/opensource/dynamorio/core/emit.c:1009
#6 0x00000000710b92ba in build_basic_block_fragment (dcontext=0x416360c0,
start=0x3cdf6323a7 "A\215I\377\17o%f"!", initial_flags=0,
link=, visible=1, for_trace=,
unmangled_ilist=0x0) at /work/opensource/dynamorio/core/x86/interp.c:4067
#7 0x000000007105fe4f in dispatch (dcontext=0x416360c0)
at /work/opensource/dynamorio/core/dispatch.c:185
#8 0x000000004164a2d9 in ?? ()
#9 0x0000000000000000 in ?? ()
(gdb) info symbol 0x71314000
dynamo_options in section .data of
/work/opensource/builds/build64rel/lib/libdynamorio.so

Looks like our "Received SIGSEGV" message, which is coming from events.mc,
is truncating the address to 32-bit -- should fix that as well.

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=247

[derekbruening]

From [email protected] on January 12, 2010 14:38:18

xref issue #174