Skip to content
GitLab
Closed
Issue created by Derek Bruening@derekbrueningContributor

drsyms finds symbol "fib" at bogus addresses when searching system libraries

The new func_view test on Windows looks for the symbol "fib" and claims to find it in many system libraries, but the address it reports is instead in some other private library copy:

instru_funcs_module_load for dynamorio.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drmemtrace.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drsyms.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drwrap.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drmgr.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drutil.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drcovlib.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drx.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for drreg.dll
Failed to find symbol fib, drsym_error_t=5
instru_funcs_module_load for common.fib.exe
drsym_lookup_symbol found symbol fib at pc=0x00007ff70ec51080
Inserted hooks for common.fib.exe!fib @0x00007ff70ec51080 == id 0
instru_funcs_module_load for msvcp_win.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff61df1080
Inserted hooks for msvcp_win.dll!fib @0x00007fff61df1080 == id 1
instru_funcs_module_load for ucrtbase.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff61df1080
Duplicate-pc hook: ucrtbase.dll!fib == id 1
instru_funcs_module_load for KERNELBASE.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff62111080
Inserted hooks for KERNELBASE.dll!fib @0x00007fff62111080 == id 2
instru_funcs_module_load for gdi32full.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff62111080
Duplicate-pc hook: gdi32full.dll!fib == id 2
instru_funcs_module_load for win32u.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff628f1080
Inserted hooks for win32u.dll!fib @0x00007fff628f1080 == id 3
instru_funcs_module_load for USER32.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff637a1080
Inserted hooks for USER32.dll!fib @0x00007fff637a1080 == id 4
instru_funcs_module_load for KERNEL32.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff638b1080
Inserted hooks for KERNEL32.dll!fib @0x00007fff638b1080 == id 5
instru_funcs_module_load for IMM32.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff641d1080
Inserted hooks for IMM32.dll!fib @0x00007fff641d1080 == id 6
instru_funcs_module_load for GDI32.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff64311080
Inserted hooks for GDI32.dll!fib @0x00007fff64311080 == id 7
instru_funcs_module_load for ntdll.dll
drsym_lookup_symbol found symbol fib at pc=0x00007fff64581080
Inserted hooks for ntdll.dll!fib @0x00007fff64581080 == id 8

In reality:

0:004> x *!fib
00007ff7`0ec51080 common_fib!fib (int)

0:004> lm
start             end                 module name
00007ff7`0ec50000 00007ff7`0ecb0000   common_fib   (deferred)             
00007fff`61e50000 00007fff`61eee000   msvcp_win   (deferred)             
00007fff`61ef0000 00007fff`61fea000   ucrtbase   (deferred)             
00007fff`62310000 00007fff`625b3000   KERNELBASE   (deferred)             
00007fff`625c0000 00007fff`62754000   gdi32full   (deferred)             
00007fff`62f40000 00007fff`62f61000   win32u     (deferred)             
00007fff`63e20000 00007fff`63fb4000   USER32     (deferred)             
00007fff`640d0000 00007fff`64182000   KERNEL32   (deferred)             
00007fff`64ab0000 00007fff`64ade000   IMM32      (deferred)             
00007fff`64c20000 00007fff`64c46000   GDI32      (deferred)             
00007fff`64ec0000 00007fff`650b0000   ntdll      (pdb symbols)          d:\derek\symbols\ntdll.pdb\FB60D3E08B5E4960376A4E73BD35F24E1\ntdll.pdb

0:004> $><d:\derek\dr\git\src\tools\windbg-scripts\load_syms64
0:004> lm
start             end                 module name
00000000`15000000 00000000`1559a000   dynamorio   (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\lib64\debug\dynamorio.pdb
00000192`9df00000 00000192`9dfb2000   KERNEL32_1929df00000   (pdb symbols)          d:\derek\symbols\kernel32.pdb\5A77DE8CE8D58731F0EA38F1C92F48D81\kernel32.pdb
00000192`9dff0000 00000192`9e293000   KERNELBASE_1929dff0000   (pdb symbols)          d:\derek\symbols\kernelbase.pdb\7D42F2FCA0F02E76EFBE1EEBF10F31021\kernelbase.pdb
00007ff6`aecc0000 00007ff6`aed7c000   drmemtrace   (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\clients\lib64\debug\drmemtrace.pdb
00007ff6`aed80000 00007ff6`aee0c000   drsyms     (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\ext\lib64\debug\drsyms.pdb
00007ff6`aee10000 00007ff6`aef98000   dbghelp    (pdb symbols)          d:\derek\symbols\dbghelp.pdb\5E01E81CEDF94392B7B2DED487BC6C531\dbghelp.pdb
00007ff6`aefa0000 00007ff6`aefb0000   drwrap     (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\ext\lib64\debug\drwrap.pdb
00007ff6`aefb0000 00007ff6`aefbe000   drmgr      (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\ext\lib64\debug\drmgr.pdb
00007ff6`aefc0000 00007ff6`aefc7000   drutil     (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\ext\lib64\debug\drutil.pdb
00007ff6`aefd0000 00007ff6`aefdc000   drcovlib   (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\ext\lib64\debug\drcovlib.pdb
00007ff6`aefe0000 00007ff6`aeff9000   drx        (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\ext\lib64\debug\drx.pdb
00007ff6`af000000 00007ff6`af00f000   drreg      (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\ext\lib64\debug\drreg.pdb
00007ff7`0ec50000 00007ff7`0ecb0000   common_fib   (private pdb symbols)  d:\derek\dr\git\build_x64_dbg_tests\suite\tests\bin\common.fib.pdb
00007fff`61e50000 00007fff`61eee000   msvcp_win   (deferred)             
00007fff`61ef0000 00007fff`61fea000   ucrtbase   (deferred)             
00007fff`62310000 00007fff`625b3000   KERNELBASE   (deferred)             
00007fff`625c0000 00007fff`62754000   gdi32full   (deferred)             
00007fff`62f40000 00007fff`62f61000   win32u     (deferred)             
00007fff`63580000 00007fff`63623000   ADVAPI32   (pdb symbols)          d:\derek\symbols\advapi32.pdb\78BD0105F3739C0D6BA5583E4FB0D2931\advapi32.pdb
00007fff`63720000 00007fff`63840000   RPCRT4     (deferred)             
00007fff`63860000 00007fff`638f7000   SECHOST    (pdb symbols)          d:\derek\symbols\sechost.pdb\3D15CA72E74F2E4C4EF400CDB437ABFD1\sechost.pdb
00007fff`63900000 00007fff`6399e000   msvcrt     (pdb symbols)          d:\derek\symbols\msvcrt.pdb\1FEA8DB6B57F5FBFA935E090243420D01\msvcrt.pdb
00007fff`63e20000 00007fff`63fb4000   USER32     (deferred)             
00007fff`640d0000 00007fff`64182000   KERNEL32   (deferred)             
00007fff`64ab0000 00007fff`64ade000   IMM32      (deferred)             
00007fff`64c20000 00007fff`64c46000   GDI32      (deferred)             
00007fff`64ec0000 00007fff`650b0000   ntdll      (pdb symbols)          d:\derek\symbols\ntdll.pdb\FB60D3E08B5E4960376A4E73BD35F24E1\ntdll.pdb

0:004> U 0x00007fff638b1080
SECHOST!ParseIsolationConfigConsumesElement+0x21c:
00007fff`638b1080 ff1552ce0100    call    qword ptr [SECHOST!_guard_dispatch_icall_fptr (00007fff`638cded8)]
0:004> U 0x00007fff637a1080
RPCRT4!LRPC_BASE_BINDING_HANDLE::BaseUnbind+0x625b0:
00007fff`637a1080 4c2420          and     al,20h