From: Julian S. <js...@ac...> - 2005-12-09 14:37:30
|
Meir,
Line 7809 is the first place at which the JIT picks up insn bytes. If it
segfaults at this point it generally means V's idea of what parts of the
address space are valid has diverged from what the kernel thinks,
because V would not have attempted to translate at this address if
it thought the area did not have x permission.
I suggest you re-run with --sanity-level=3. This should pick up any
V/kernel disagreements about page permissions. If you do get a
complaint (I can't remember the exact wording) then run yet again
but also adding --trace-syscalls=yes, so we can see if the disagreement
was caused by V mishandling a syscall somewhere.
J
On Friday 09 December 2005 07:02, Yeshurun, Meir wrote:
> Hi,
>
> Below is the context of line 7809 of toIR.c
>
> Could it be that I hit something very close to a magic number (my
> application is very large), which caused more expressions inside the
> 'if' condition to be evaluated, until an invalid read occurred?
>
> Thanks,
>
> Meir
>
>    /* We may be asked to update the guest RIP before going further. */
>    if (put_IP)
>       stmt( IRStmt_Put( OFFB_RIP, mkU64(guest_RIP_curr_instr)) );
>
>    /* Spot the client-request magic sequence. */
>    {
>       UChar* code = (UChar*)(guest_code + delta);
>       /* Spot this:
>          C1C01D                roll $29, %eax
>          C1C003                roll $3,  %eax
>          C1C81B                rorl $27, %eax
>          C1C805                rorl $5,  %eax
>          C1C00D                roll $13, %eax
>          C1C013                roll $19, %eax
>       */
>       if (code[ 0] == 0xC1 && code[ 1] == 0xC0 && code[ 2] == 0x1D &&   <- line 7809
>           code[ 3] == 0xC1 && code[ 4] == 0xC0 && code[ 5] == 0x03 &&
>           code[ 6] == 0xC1 && code[ 7] == 0xC8 && code[ 8] == 0x1B &&
>           code[ 9] == 0xC1 && code[10] == 0xC8 && code[11] == 0x05 &&
>           code[12] == 0xC1 && code[13] == 0xC0 && code[14] == 0x0D &&
>           code[15] == 0xC1 && code[16] == 0xC0 && code[17] == 0x13
>          ) {
>          DIP("%%edx = client_request ( %%eax )\n");
>          delta += 18;
>          jmp_lit(Ijk_ClientReq, guest_RIP_bbstart+delta);
>          dres.whatNext = Dis_StopHere;
>          goto decode_success;
>       }
>    }
>
>    /* Eat prefixes, summarising the result in pfx and sz, and rejecting
>       as many invalid combinations as possible. */
>    n_prefixes = 0;
>    while (True) {
>       if (n_prefixes > 5) goto decode_failure;
>
> ________________________________
> From: val...@li...
> [mailto:val...@li...] On Behalf Of
> Yeshurun, Meir
> Sent: Thursday, December 08, 2005 10:21 PM
> To: val...@li...
> Subject: [Valgrind-users] Valgrind log file corruption
>
> Hi,
>
> I ran Valgrind and got this:
>
> valgrind: the 'impossible' happened:
>    Killed by fatal signal
> ==4019==    at 0x8000D55FA: disInstr_AMD64_WRK (toIR.c:7809)
> ==4019==    by 0x8000E5492: disInstr_AMD64 (toIR.c:13376)
> ==4019==    by 0x80009ED3E: bb_to_IR (bb_to_IR.c:187)
> ==4019==    by 0x800074B75: LibVEX_Translate (vex_main.c:408)
> ==4019==    by 0x80003300A: vgPlain_translate (libvex_basictypes.h:154)
> ==4019==    by 0x80004A156: handle_tt_miss (scheduler.c:566)
> ==4019==    by 0x80004A537: vgPlain_scheduler (scheduler.c:680)
> ==4019==    by 0x80006A863: vgModuleLocal_thread_wrapper (syswrap-linux.c:80)
> ==4019==    by 0x800065753: run_a_thread_NORETURN (syswrap-amd64-linux.c:144)
>
> sched status:
>   running_tid=1
>
> Thread 1: status = VgTs_Runnable
>
> Is this an unsupported instruction? Any suggestions would be greatly
> appreciated.
>
> Thanks,
>
> Meir
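Added example (not code from Valgrind or from either poster): the preamble check quoted above is an && chain, so it stops reading at the first byte that differs. Whether an over-read can happen therefore depends on how many leading bytes happen to match before the readable region ends. The matcher below does the same comparison but bounded by the number of readable bytes, and reports how far the chain got. The byte constants are the six rol/ror instructions listed in the quoted comment; `match_client_request`, `bytes_examined`, the `MATCH_*` names and the sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 18-byte client-request preamble the quoted toIR.c compares against,
   in the order the && chain evaluates the bytes. */
static const uint8_t CLIENT_REQ_MAGIC[18] = {
    0xC1, 0xC0, 0x1D,   /* roll $29, %eax */
    0xC1, 0xC0, 0x03,   /* roll $3,  %eax */
    0xC1, 0xC8, 0x1B,   /* rorl $27, %eax */
    0xC1, 0xC8, 0x05,   /* rorl $5,  %eax */
    0xC1, 0xC0, 0x0D,   /* roll $13, %eax */
    0xC1, 0xC0, 0x13    /* roll $19, %eax */
};

/* Constructed sample inputs for the example; not bytes from the report. */
static const uint8_t SAMPLE_ORDINARY[4] = { 0x55, 0x48, 0x89, 0xE5 }; /* push %rbp; mov %rsp,%rbp */
static const uint8_t SAMPLE_NEAR_MISS[18] = {
    0xC1, 0xC0, 0x1D,  0xC1, 0xC0, 0x03,  0xC1, 0xC8, 0x1B,
    0xC1, 0xC8, 0x05,  0xC1, 0xC0, 0x0D,  0xC1, 0xC0, 0x12   /* last byte differs */
};

enum match_result { MATCH_NO = 0, MATCH_YES = 1, MATCH_TRUNCATED = -1 };

/* Same comparison as the && chain, bounded by `avail`, the number of bytes
   known to be readable at `code`.  MATCH_TRUNCATED means every readable
   byte matched and the unbounded original would have read one byte past
   the end.  *examined (if non-NULL) receives how many bytes were read,
   i.e. the point at which short-circuiting stopped. */
enum match_result match_client_request(const uint8_t *code, size_t avail,
                                       size_t *examined)
{
    size_t i;
    for (i = 0; i < sizeof CLIENT_REQ_MAGIC; i++) {
        if (i >= avail) {
            if (examined) *examined = i;
            return MATCH_TRUNCATED;
        }
        if (code[i] != CLIENT_REQ_MAGIC[i]) {
            if (examined) *examined = i + 1;   /* the mismatching byte was read too */
            return MATCH_NO;
        }
    }
    if (examined) *examined = i;
    return MATCH_YES;
}

/* How many bytes does the comparison touch for this input? */
size_t bytes_examined(const uint8_t *code, size_t avail)
{
    size_t n = 0;
    (void)match_client_request(code, avail, &n);
    return n;
}

static void report(const char *label, const uint8_t *code, size_t avail)
{
    size_t n = 0;
    enum match_result r = match_client_request(code, avail, &n);
    printf("%-26s avail=%2zu examined=%2zu -> %s\n", label, avail, n,
           r == MATCH_YES ? "client request" :
           r == MATCH_NO  ? "no match" :
                            "TRUNCATED (unbounded check would over-read)");
}

int main(void)
{
    report("ordinary prologue", SAMPLE_ORDINARY, sizeof SAMPLE_ORDINARY);
    report("full magic sequence", CLIENT_REQ_MAGIC, sizeof CLIENT_REQ_MAGIC);
    report("17/18 near miss", SAMPLE_NEAR_MISS, sizeof SAMPLE_NEAR_MISS);
    /* Magic sequence starting 10 bytes before the end of the readable region. */
    report("magic at end of mapping", CLIENT_REQ_MAGIC, 10);
    return 0;
}
```

For ordinary code the chain reads one byte and gives up; the only way the unbounded check in toIR.c touches the byte past the end of a readable region is when every byte up to that boundary already matches the preamble, which is the "very close to a magic number" case Meir describes. The translator does not carry an `avail` bound because, as Julian explains, it only translates addresses it believes are mapped executable, so a fault there points at a V/kernel disagreement over page permissions, which is what `--sanity-level=3` is meant to surface.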