CRASH (win8 x64 drsyms _chkstk) => must swap TEB.StackLimit!

[derekbruening]

From [email protected] on March 01, 2013 18:19:21

running x64 drsyms test on win8 we hit a crash:

0:000> kn
*** Stack trace for last set context - .thread/.cxr resets it

Child-SP RetAddr Call Site

00 0000000019c9cbb8 000000000003ed58 dbghelp!_chkstk+0x37
01 0000000019c9cbd0 0000000000040038 dbghelp!ExpandPath+0x10
02 0000000019c9cbe0 0000000000040517 dbghelp!FindExecutable+0x99
03 0000000019c9d1b0 000000000004069f dbghelp!FindExe+0x37
04 0000000019c9d1f0 0000000000043e11 dbghelp!FindExecutableImageExW+0x37
05 0000000019c9d250 0000000000042970 dbghelp!imgReadFromDisk+0xdd
06 0000000019c9d290 0000000000042ffa dbghelp!modload+0x2b0
07 0000000019c9d790 000000000003afb3 dbghelp!LoadModule+0x3db
08 0000000019c9dc90 00000000760020fe dbghelp!SymLoadModuleExW+0x3f
09 0000000019c9dce0 0000000076002243 drsyms!load_module+0x16e [c:\derek\dr\git\src\ext\drsyms\drsyms_windows.c @ 338]
0a 0000000019c9df70 0000000076001789 drsyms!lookup_or_load+0x93 [c:\derek\dr\git\src\ext\drsyms\drsyms_windows.c @ 377]
0b 0000000019c9dfb0 0000000072001778 drsyms!drsym_get_module_debug_kind+0x59 [c:\derek\dr\git\src\ext\drsyms\drsyms_windows.c @ 1363]
0c 0000000019c9dff0 0000000015382d55 client_drsyms_test_dll!lookup_dll_syms+0x108 [c:\derek\dr\git\src\suite\tests\client-interface\drsyms-test.dll.cpp @ 479]
0d 0000000019c9e1b0 0000000015382c35 dynamorio!instrument_module_load+0xf5 [c:\derek\dr\git\src\core\x86\instrument.c @ 1746]
0e 0000000019c9e230 00000000153aa763 dynamorio!instrument_module_load_trigger+0xa5 [c:\derek\dr\git\src\core\x86\instrument.c @ 1722]

0:000> U rip
dbghelp!_chkstk+0x37:
0000000000011057 45841b test byte ptr [ r11 ],r11b 0:000> r Last set context: rax=0000000000001490 rbx=0000000000000000 rcx=0000000019f49dc0 rdx=0000000019ebd4b4 rsi=0000000019ebd4b4 rdi=0000000019ebd4b4 rip=0000000000011057 rsp=0000000019c9cbb8 rbp=0000000000000000 r8 =0000000019f49dc0 r9 =0000000019ebc742 r10 =0000000019c9b000 r11 =00000089f0693000 r12 =0000000000000000 r13 =0000000019c9d220 r14 =0000000019cc1a50 r15 =0000000019ebc742 iopl=0 nv up ei ng nz na po cy cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287 dbghelp!_chkstk+0x37: 0000000000011057 45841b test byte ptr [ r11 ],r11b ds:00000089`f0693000=00
0:000> !teb
TEB at 000007f7333de000
ExceptionList: 0000000000000000
StackBase: 00000089f1020000
StackLimit: 00000089f0691000

xref issue #921 : solved by eliminating _chkstk from DR.
_chkstk reads only StackLimit:

0:000> Uf dbghelp!_chkstk
dbghelp!_chkstk:
0000000000011020 4883ec10 sub rsp,10h 0000000000011024 4c891424 mov qword ptr [rsp], r10 0000000000011028 4c895c2408 mov qword ptr [rsp+8], r11 000000000001102d 4d33db xor r11 , r11 0000000000011030 4c8d542418 lea r10 ,[rsp+18h] 0000000000011035 4c2bd0 sub r10 ,rax
0000000000011038 4d0f42d3 cmovb r10 , r11 000000000001103c 654c8b1c2510000000 mov r11 ,qword ptr gs:[10h]
0000000000011045 4d3bd3 cmp r10 , r11 0000000000011048 7315 jae dbghelp!_chkstk+0x3f (00000000`0001105f)

dbghelp!_chkstk+0x2a:
00000000`0001104a 664181e200f0 and r10w,0F000h

dbghelp!_chkstk+0x30:
0000000000011050 4d8d9b00f0ffff lea r11 ,[ r11 -1000h] 0000000000011057 45841b test byte ptr [ r11 ],r11b
000000000001105a 4d3bd3 cmp r10 , r11 000000000001105d 75f1 jne dbghelp!_chkstk+0x30 (00000000`00011050)

dbghelp!_chkstk+0x3f:
000000000001105f 4c8b1424 mov r10 ,qword ptr [rsp] 0000000000011063 4c8b5c2408 mov r11 ,qword ptr [rsp+8]
0000000000011068 4883c410 add rsp,10h 000000000001106c c3 ret

why haven't we seen this before? related to issue #921 where pre-win8 stacks were always lower than our dstack?

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=1102

[derekbruening]

From [email protected] on March 11, 2013 14:49:04

This issue was closed by revision r1980 .

Status: Fixed