
CRASH: drrun crashes if specified client tries to create ofstream object (SIGSEGV)

Open · matevosmehrabyan opened this issue 1 year ago · 1 comment

Description:

drrun crashes (SIGSEGV) when the specified client tries to create a std::ofstream object for writing to a file.

OS: Ubuntu 22.04.3 LTS, Compiler: gcc-11.4.0

For reproduction, the default clients can be used. For example:

  1. Open clients/drcpusim/drcpusim.cpp and add #include <fstream> at top of the file
  2. add std::ofstream mystream("hello_world.txt", std::ofstream::app); to the top of dr_client_main function.
  3. Run: drrun -c ./dynamorio/build/bin64/drrun -c ./build/clients/lib64/libdrcpusim.so -- echo hello world

Output (release):

<Application /usr/bin/echo (3389239). DynamoRIO CPU Simulator internal crash at PC 0x000073070af7f1d3. Please report this at http://dynamorio.org/issues. Program aborted.
Received SIGSEGV at pc 0x000073070af7f1d3 in thread 3389239
Base: 0x000073070b200000
Registers: eax=0x0000000000000000 ebx=0x00007304c72fb060 ecx=0x0000000000000000 edx=0x00000000fbad248c
           esi=0x00000000fbad0000 edi=0x00007ffe51087070 esp=0x00007ffe51087068 ebp=0x0000000000000000
           r8 =0x000073070b1050c0 r9 =0x000073070adf0e58 r10=0x000073070b3ee000 r11=0x0000000000000246
           r12=0x00007ffe51087070 r13=0x000073070b10aa50 r14=0x00007304c723d940 r15=0x00007ffe51087438
           eflags=0x0000000000010246
version 10.93.19902, custom build
-no_dynamic_options -client_lib '/home/user/dynamorio/build/clients/lib64/release/libdrcpusim.so;0;' -client_lib64 '/home/user/dynamorio/build/clients/lib64/release/libdrcpusim.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_c
0x00007304c728d080 0x0000000000000000>

Output (debug):

<Starting application /usr/bin/echo (3396868)>
<Initial options = -no_dynamic_options -client_lib '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -client_lib64 '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<spurious rep/repne prefix @0x000074ff6b985540 (f3 0f 1e fa): >
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so' 0x000074ff27c07a90
add-symbol-file '/home/user/dynamorio/build/lib64/debug/libdynamorio.so' 0x000074ff6bc4e000
add-symbol-file '/home/user/dynamorio/build/ext/lib64/debug/libdrmgr.so' 0x000074ff27c5acb0
add-symbol-file '/lib/x86_64-linux-gnu/libstdc++.so.6' 0x000074ff6b675420
add-symbol-file '/lib/x86_64-linux-gnu/libm.so.6' 0x000074ff6bb263a0
add-symbol-file '/lib/x86_64-linux-gnu/libc.so.6' 0x000074ff6b916700
add-symbol-file '/usr/lib64/ld-linux-x86-64.so.2' 0x000074ff6c129090
add-symbol-file '/lib/x86_64-linux-gnu/libgcc_s.so.1' 0x000074ff6c109660

<(1+x) Handling our fault in a TRY at 0x000074ff6bec8d80>
<Application /usr/bin/echo (3396868). DynamoRIO CPU Simulator internal crash at PC 0x000074ff6b97f1d3. Please report this at http://dynamorio.org/issues. Program aborted.
Received SIGSEGV at pc 0x000074ff6b97f1d3 in thread 3396868
Base: 0x000074ff6bc00000
Registers: eax=0x0000000000000000 ebx=0x000074fd27cfc270 ecx=0x0000000000000000 edx=0x00000000fbad248c
           esi=0x00000000fbad0000 edi=0x00007ffe3f392380 esp=0x00007ffe3f392378 ebp=0x0000000000000000
           r8 =0x000074ff6bb050c0 r9 =0x000074ff6b7f0e58 r10=0x000074ff6bf39258 r11=0x0000000000000246
           r12=0x00007ffe3f392380 r13=0x000074ff6bb0aa50 r14=0x000074ff27c112c2 r15=0x000074ff6b7f4e70
           eflags=0x0000000000010246
version 10.93.19902, custom build
-no_dynamic_options -client_lib '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -client_lib64 '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call
0x000074fd27cc70b0 0x000074ff6bf0988f 0x000074fd27cc7260 0x000074ff6bf09944 0x000074fd27cc72c0 0x000074ff6bf0fdac 0x000074fd27cc7370 0x000074ff6bec88c3>

matevosmehrabyan · Jul 12 '24 11:07
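The three reproduction steps in the report, scripted as an added example (this is not code from the DynamoRIO project or from either participant in the thread). It assumes a checkout at $DR_SRC with a CMake build directory at $DR_BUILD, and the clients/lib64/release and clients/lib64/debug client layout that appears in the crash output; those paths are assumptions and can be overridden through the environment. The patch step is done with awk so the same edit can be re-applied without duplicating lines.

```shell
#!/bin/sh
# Added example, not DynamoRIO project code: scripts the report's repro steps.
# Assumptions (not from the report): DR_SRC is the checkout root, DR_BUILD the
# CMake build directory, and the client is rebuilt with "cmake --build" before drrun.
DR_SRC="${DR_SRC:-$HOME/dynamorio}"
DR_BUILD="${DR_BUILD:-$DR_SRC/build}"
CLIENT_SRC="$DR_SRC/clients/drcpusim/drcpusim.cpp"

# Steps 1 and 2: insert '#include <fstream>' before the first '#include "dr_api.h"'
# and construct the ofstream on the line after dr_client_main's opening brace.
# Edits the file in place; a second call is a no-op because the marker is already there.
apply_repro_patch() {
    file="$1"
    if grep -q 'hello_world.txt' "$file"; then
        return 0
    fi
    awk '
        /^#include "dr_api.h"/ && !inc { print "#include <fstream>"; inc = 1 }
        { print }
        /dr_client_main\(/ { in_main = 1 }
        in_main && !done && index($0, "{") > 0 {
            print "    std::ofstream mystream(\"hello_world.txt\", std::ofstream::app);"
            done = 1
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 3: run the rebuilt client under drrun and classify the outcome.
# CRASH if DynamoRIO printed its SIGSEGV report, OK if the ofstream created the
# file in the current directory, UNKNOWN otherwise. The full drrun output is
# echoed on a crash so the register dump and option list are not lost.
run_repro() {
    build_type="$1"   # "release" or "debug", matching the paths in the crash output
    client="$DR_BUILD/clients/lib64/$build_type/libdrcpusim.so"
    rm -f hello_world.txt
    out=$("$DR_BUILD/bin64/drrun" -c "$client" -- echo hello world 2>&1)
    status=$?
    if printf '%s\n' "$out" | grep -q 'Received SIGSEGV'; then
        echo "$build_type: CRASH (drrun exit $status)"
        printf '%s\n' "$out"
    elif [ -f hello_world.txt ]; then
        echo "$build_type: OK, hello_world.txt created ($(wc -c < hello_world.txt) bytes)"
    else
        echo "$build_type: UNKNOWN, drrun exit $status and no hello_world.txt"
    fi
}

main_repro() {
    apply_repro_patch "$CLIENT_SRC"
    cmake --build "$DR_BUILD"
    for t in release debug; do
        if [ -f "$DR_BUILD/clients/lib64/$t/libdrcpusim.so" ]; then
            run_repro "$t"
        fi
    done
}

# Only run the full repro when invoked as "sh repro.sh run"; sourcing or running
# the file without the argument just defines the functions.
case "${1:-}" in
    run) main_repro ;;
esac
```

Because mystream is a local of dr_client_main that is never written to, a successful run leaves a zero-byte hello_world.txt in the directory drrun was started from, which is exactly what the ls output later in the thread shows; a non-empty file would indicate something else wrote to it.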

I tried to reproduce the crash on my setup, but it didn't crash. I don't have a setup with OS: Ubuntu 22.04.3 LTS, Compiler: gcc-11.4.0.

dynamorio/build$ git diff diff --git a/clients/drcpusim/drcpusim.cpp b/clients/drcpusim/drcpusim.cpp index 65ad5d581..88614b2a6 100644 --- a/clients/drcpusim/drcpusim.cpp +++ b/clients/drcpusim/drcpusim.cpp @@ -39,6 +39,7 @@

    • Add ARM support */

+#include #include "dr_api.h" #include "drmgr.h" #include "droption.h" @@ -850,6 +851,8 @@ set_opcode_and_model() DR_EXPORT void dr_client_main(client_id_t id, int argc, const char *argv[]) {

  • std::ofstream mystream("hello_world.txt", std::ofstream::app);
  • using ::dynamorio::droption::droption_parser_t; using ::dynamorio::droption::DROPTION_SCOPE_ALL; using ::dynamorio::droption::DROPTION_SCOPE_CLIENT;
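Review bot: the `+#include` line in the first hunk (`@@ -39,6 +39,7 @@`) carries no header name as rendered here, reading `+#include #include "dr_api.h"`; the reporter's step 1 adds `#include <fstream>`, so the angle-bracketed name was most likely lost when the diff was pasted, but as shown the line would not compile. Confirm the line in the working tree reads `#include <fstream>` before treating the two setups as running the same patch.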
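Review bot: `mystream` in the second hunk (`@@ -850,6 +851,8 @@`) is a local of dr_client_main that is never written to and is destroyed when that function returns, so the change only exercises std::ofstream construction (the append-mode open) and destruction under the private loader, not the write path. A zero-byte hello_world.txt is therefore the expected result of a non-crashing run, and if the write path should be covered as well, add something like `mystream << "hello\n";` after the constructor.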

dynamorio/build$ ./bin64/drrun -c ./clients/lib64/release/libdrcpusim.so -- echo hello world
hello world

dynamorio/build$ ls -lt hello_world.txt
-rw-r----- 1 .... primarygroup 0 Jul 12 16:52 hello_world.txt

Here's the version information:

dynamorio/build$ uname -a
Linux ... 6.6.15-2rodete2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.6.15-2rodete2 (2024-03-19) x86_64 GNU/Linux

dynamorio/build$ gcc --version
gcc (Debian 13.2.0-13) 13.2.0
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Would you be able to debug it further? For example, a missing initialization call, or failed private library constructors.

The private loader is best-effort, and we have seen recent problems due to hidden dependencies in these libraries. #5437 is an example of private loader issue.

ivankyluk · Jul 12 '24 19:07