From: Yeshurun, M. <mei...@in...> - 2005-12-08 20:28:49
You're probably wondering about the title :)

The first try was with Valgrind 3.1.0 - the result was a bizarre mixture of Valgrind's and my application's output which I couldn't understand.

Then I tried valgrind 3.0.0 and got the message below. After looking at the message below, I was able to see that this was probably the same error message that valgrind 3.1.0 wrote.

________________________________
From: val...@li... [mailto:val...@li...] On Behalf Of Yeshurun, Meir
Sent: Thursday, December 08, 2005 10:21 PM
To: val...@li...
Subject: [Valgrind-users] Valgrind log file corruption

Hi,

I ran Valgrind and got this:

valgrind: the 'impossible' happened:
Killed by fatal signal
==4019== at 0x8000D55FA: disInstr_AMD64_WRK (toIR.c:7809)
==4019== by 0x8000E5492: disInstr_AMD64 (toIR.c:13376)
==4019== by 0x80009ED3E: bb_to_IR (bb_to_IR.c:187)
==4019== by 0x800074B75: LibVEX_Translate (vex_main.c:408)
==4019== by 0x80003300A: vgPlain_translate (libvex_basictypes.h:154)
==4019== by 0x80004A156: handle_tt_miss (scheduler.c:566)
==4019== by 0x80004A537: vgPlain_scheduler (scheduler.c:680)
==4019== by 0x80006A863: vgModuleLocal_thread_wrapper (syswrap-linux.c:80)
==4019== by 0x800065753: run_a_thread_NORETURN (syswrap-amd64-linux.c:144)

sched status:
running_tid=1

Thread 1: status = VgTs_Runnable

Is this an unsupported instruction? Any suggestions would be greatly appreciated.

Thanks,
Meir
From: Yeshurun, M. <mei...@in...> - 2005-12-09 07:02:16
Hi,

Below is the context of line 7809 of toIR.c:

Could it be that I hit something very close to a magic number (my
application is very large), which caused more expressions inside the
'if' condition to be evaluated, until an invalid read occurred?

Thanks,
Meir


   /* We may be asked to update the guest RIP before going further. */
   if (put_IP)
      stmt( IRStmt_Put( OFFB_RIP, mkU64(guest_RIP_curr_instr)) );

   /* Spot the client-request magic sequence. */
   {
      UChar* code = (UChar*)(guest_code + delta);
      /* Spot this:
         C1C01D                roll $29, %eax
         C1C003                roll $3,  %eax
         C1C81B                rorl $27, %eax
         C1C805                rorl $5,  %eax
         C1C00D                roll $13, %eax
         C1C013                roll $19, %eax
      */
      if (code[ 0] == 0xC1 && code[ 1] == 0xC0 && code[ 2] == 0x1D &&   - line 7809
          code[ 3] == 0xC1 && code[ 4] == 0xC0 && code[ 5] == 0x03 &&
          code[ 6] == 0xC1 && code[ 7] == 0xC8 && code[ 8] == 0x1B &&
          code[ 9] == 0xC1 && code[10] == 0xC8 && code[11] == 0x05 &&
          code[12] == 0xC1 && code[13] == 0xC0 && code[14] == 0x0D &&
          code[15] == 0xC1 && code[16] == 0xC0 && code[17] == 0x13
         ) {
         DIP("%%edx = client_request ( %%eax )\n");
         delta += 18;
         jmp_lit(Ijk_ClientReq, guest_RIP_bbstart+delta);
         dres.whatNext = Dis_StopHere;
         goto decode_success;
      }
   }

   /* Eat prefixes, summarising the result in pfx and sz, and rejecting
      as many invalid combinations as possible. */
   n_prefixes = 0;
   while (True) {
      if (n_prefixes > 5) goto decode_failure;
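As an added illustration (not code from the thread or from Valgrind), here are the marker bytes from the excerpt above in a length-guarded matcher, plus a native run of the marker's six rotations; `CLIENT_REQ_MAGIC`, `is_client_request` and `run_magic_natively` are hypothetical names. The guard covers the over-read Meir's question describes: `&&` short-circuits, so the original test reads `code[1]` only once `code[0]` matched, and a partial match at the very end of a readable mapping would go on to touch the byte past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 18-byte client-request marker toIR.c:7809 tests for (from the excerpt above). */
static const uint8_t CLIENT_REQ_MAGIC[18] = {
    0xC1, 0xC0, 0x1D,   /* roll $29, %eax */
    0xC1, 0xC0, 0x03,   /* roll $3,  %eax */
    0xC1, 0xC8, 0x1B,   /* rorl $27, %eax */
    0xC1, 0xC8, 0x05,   /* rorl $5,  %eax */
    0xC1, 0xC0, 0x0D,   /* roll $13, %eax */
    0xC1, 0xC0, 0x13    /* roll $19, %eax */
};

/* Hypothetical length-guarded matcher (not VEX's own code): 'avail' is the number
 * of bytes known readable at 'code', so a partial match at the end of a mapping
 * returns 0 without touching the byte beyond it. */
int is_client_request(const uint8_t *code, size_t avail)
{
    if (avail < sizeof CLIENT_REQ_MAGIC)
        return 0;
    return memcmp(code, CLIENT_REQ_MAGIC, sizeof CLIENT_REQ_MAGIC) == 0;
}

static uint32_t rotl32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

/* Runs the marker's six rotations as a real CPU would. Each pair rotates by
 * 29+3, 27+5 and 13+19 = 32 bits, so %eax comes back unchanged: outside
 * Valgrind the marker is a no-op. A rorl by n is a roll by 32-n. */
uint32_t run_magic_natively(uint32_t eax)
{
    eax = rotl32(eax, 29);      eax = rotl32(eax, 3);
    eax = rotl32(eax, 32 - 27); eax = rotl32(eax, 32 - 5);
    eax = rotl32(eax, 13);      eax = rotl32(eax, 19);
    return eax;
}

int main(void)
{
    uint8_t tail[3] = { 0xC1, 0xC0, 0x1D };   /* constructed: buffer ends after one rotate */
    printf("full marker: %d\n", is_client_request(CLIENT_REQ_MAGIC, 18));
    printf("3-byte tail: %d\n", is_client_request(tail, sizeof tail));
    printf("eax after native run: 0x%08X\n", (unsigned)run_magic_natively(0xDEADBEEFu));
    return 0;
}
```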
From: Julian S. <js...@ac...> - 2005-12-09 14:37:30
Meir,

Line 7809 is the first place at which the JIT picks up insn bytes. If it
segfaults at this point it generally means V's idea of what parts of the
address space are valid has diverged from what the kernel thinks,
because V would not have attempted to translate at this address if
it thought the area did not have x permission.

I suggest you re-run with --sanity-level=3. This should pick up any
V/kernel disagreements about page permissions. If you do get a
complaint (I can't remember the exact wording) then run yet again
but also adding --trace-syscalls=yes, so we can see if the disagreement
was caused by V mishandling a syscall somewhere.

J
On Friday 09 December 2005 07:02, Yeshurun, Meir wrote:
> Hi,
>
> Below is the context of line 7809 of toIR.c
>
> Could it be that I hit something very close to a magic number (my
> application is very large), which caused more expressions inside the
> 'if' condition to be evaluated, until an invalid read occurred?