
CRASH - AArch64 dr_create_client_thread segmentation fault app_lib_tls #5293

AlfiePowers opened this issue Jan 25, 2022 · 1 comment

@AlfiePowers

Describe the bug

Following the various setup functions required for the client to run, calling dr_create_client_thread on the main client thread segfaults as a result of an attempt to dereference the os_tls->app_lib_tls_base (core/unix/os.c:6400). The address points to NULL + Offset. Tracing this backwards it seems like DynamoRIO reads the tpidr_el0 register when calling get_segment_base however we do not appear to set this register at any point.

My assumption is that the intended behaviour is we create a TLS struct for the app within the os_tls_init function and are storing a pointer to this struct within the tpidr register however for some reason this is not happening on AArch64. I have been unable to narrow down the reason for this. Thus, when we attempt to read the register back within the os_switch_seg_to_context function, there is invalid TLS storage for the app.

I have not been able to test on x86 how the behaviour is expected to work; however, I am fairly sure this is specific to AArch64.

To Reproduce
Steps to reproduce the behavior:

  1. On an AArch64 machine set up a base client with the example.
  2. Call dr_create_client_thread with some handler function.
  3. DynamoRIO should segfault and exit.

Please also answer these questions:

  • What happens when you run without any client?
    -> Haven't been able to test
  • What happens when you run with debug build ("-debug" flag to drrun/drconfig/drinject)?

Received SIGSEGV at pc 0x0000ffffaddc05b8 in thread 8619
Base: 0x0000ffffadad0000
Registers: eflags=0x0000000080000000
version 7.91.18278, custom build

0x0000ffffcfb5c850 0x0000ffffaddc0430
0x0000ffffcfb5c8e0 0x0000ffffaddb5fe8
0x0000ffffcfb5c900 0x0000ffffaddb8e80
0x0000ffffcfb5c920 0x0000000043cc1df0
0x0000ffffcfb5c980 0x0000ffffadc9a608
0x0000ffffcfb5ca50 0x0000ffffadaf9590
0x0000ffffcfb5ca90 0x0000ffffadde9368
0x0000ffffcfb5d2c0 0x0000ffffaddb23e0

Expected behavior
The callback function to be executed on a separate thread.
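A worked triage of the crash report quoted above, added here as an example; it is not code from the issue or from DynamoRIO. The report's `pc` and the right-hand column of each frame line are absolute addresses, so the first step in locating the faulting dereference is to rewrite them as offsets from the reported `Base` (taken here to be the load address of `libdynamorio.so`) and feed those offsets to `addr2line` against the same unstripped build. The 16 MiB library size bound is a hypothetical value; a frame that does not fall inside `[Base, Base + bound)` (the `0x43cc1df0` frame here) is reported as lying outside the library, i.e. in the application or the code cache.

```python
"""Added example: rewrite the absolute addresses in the SIGSEGV report above as
offsets into the DynamoRIO library so they can be symbolized with addr2line."""
import re

# Constructed copy of the crash report quoted in the issue above.
CRASH_REPORT = """\
Received SIGSEGV at pc 0x0000ffffaddc05b8 in thread 8619
Base: 0x0000ffffadad0000
Registers: eflags=0x0000000080000000
version 7.91.18278, custom build

0x0000ffffcfb5c850 0x0000ffffaddc0430
0x0000ffffcfb5c8e0 0x0000ffffaddb5fe8
0x0000ffffcfb5c900 0x0000ffffaddb8e80
0x0000ffffcfb5c920 0x0000000043cc1df0
0x0000ffffcfb5c980 0x0000ffffadc9a608
0x0000ffffcfb5ca50 0x0000ffffadaf9590
0x0000ffffcfb5ca90 0x0000ffffadde9368
0x0000ffffcfb5d2c0 0x0000ffffaddb23e0
"""

# Assumed (hypothetical) bound on the mapped size of libdynamorio.so: an
# address at or past base + this is treated as outside the library.
ASSUMED_LIB_SIZE = 16 * 1024 * 1024

PC_RE = re.compile(r"Received (SIG\w+) at pc (0x[0-9a-f]+) in thread (\d+)", re.I)
BASE_RE = re.compile(r"^Base:\s*(0x[0-9a-f]+)", re.I)
VERSION_RE = re.compile(r"^version\s+([0-9.]+)")
# Each frame line is "<stack slot> <return address>"; a stray trailing '>'
# (as sometimes appears in a pasted report) is tolerated.
FRAME_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*>?$", re.I)


def lib_offset(addr, base, size=ASSUMED_LIB_SIZE):
    """Offset of addr inside [base, base + size), or None if it lies outside."""
    if base <= addr < base + size:
        return addr - base
    return None


def parse_crash_report(text):
    """Pull signal, pc, thread id, library base, version and the
    (stack slot, return address) frame pairs out of the report text."""
    info = {"signal": None, "pc": None, "thread": None, "base": None,
            "version": None, "frames": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PC_RE.search(line)
        if m:
            info["signal"] = m.group(1).upper()
            info["pc"] = int(m.group(2), 16)
            info["thread"] = int(m.group(3))
            continue
        m = BASE_RE.match(line)
        if m:
            info["base"] = int(m.group(1), 16)
            continue
        m = VERSION_RE.match(line)
        if m:
            info["version"] = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append((int(m.group(1), 16), int(m.group(2), 16)))
    if info["pc"] is None or info["base"] is None:
        raise ValueError("report lacks a pc or Base line")
    return info


def triage(text):
    """Parse the report and attach a library-relative offset (or None) to the
    pc and to every frame's return address."""
    info = parse_crash_report(text)
    base = info["base"]
    info["pc_offset"] = lib_offset(info["pc"], base)
    info["frame_offsets"] = [(ret, lib_offset(ret, base)) for _, ret in info["frames"]]
    return info


def addr2line_command(info, lib="libdynamorio.so"):
    """Build the addr2line invocation for every offset that falls inside the
    library. It must be run against the unstripped library of the same build
    (the reported version) or the symbols will not line up."""
    offsets = [info["pc_offset"]] + [off for _, off in info["frame_offsets"]]
    offsets = [off for off in offsets if off is not None]
    return "addr2line -f -e %s %s" % (lib, " ".join("0x%x" % o for o in offsets))


if __name__ == "__main__":
    r = triage(CRASH_REPORT)
    print("%s in thread %d (DynamoRIO %s), pc at lib+0x%x"
          % (r["signal"], r["thread"], r["version"], r["pc_offset"]))
    for ret, off in r["frame_offsets"]:
        where = "lib+0x%x" % off if off is not None else "outside library (app or code cache)"
        print("  ret 0x%016x -> %s" % (ret, where))
    print(addr2line_command(r))
```

Running the script on the report above places `pc` at `lib+0x2f05b8` and prints the `addr2line` command line; resolving that offset (and the first frame at `lib+0x2f0430`) against the matching unstripped `libdynamorio.so` is what confirms whether the fault is the `os_tls->app_lib_tls_base` dereference in `core/unix/os.c` that the report attributes it to.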

@derekbruening
Contributor

#4524 added dr_create_client_thread support to AArch64 and enabled the client.signal test, which has been passing ever since then. Here is a recent run from yesterday: http://139.178.84.19:8080/job/DynamoRIO-AArch64-Precommit/1206/consoleFull

219/259 Test #112: code_api|client.signal ..........................................   Passed    1.12 sec

I would suggest first seeing whether that test passes on your machine, to see if this is something particular to your OS/hardware or to your client/toolchain.
