CRASH due to drbbdup asking drreg to ignore control flow even for rep string expansion
My PR #5393 for #3995 hit a crash because drbbdup sets DRREG_IGNORE_CONTROL_FLOW for a block that has internal control flow from the rep string expansion.
Here is the instrumented block without drbbdup:
after instrumentation:
TAG 0xf7bc0fd1
+0 m4 @0x4085b90c 64 89 0d 90 00 00 00 mov %ecx -> %fs:0x00000090[4byte]
+7 m4 @0x4085dad8 64 8b 0d b0 00 00 00 mov %fs:0x000000b0[4byte] -> %ecx
+14 m4 @0x4085b57c e3 fe jecxz @0x4085e66c[4byte] %ecx
+16 m4 @0x408573e0 64 a3 94 00 00 00 mov %eax -> %fs:0x00000094[4byte]
+22 m4 @0x4085ccb0 c7 01 1e 00 02 00 mov $0x0002001e -> (%ecx)[4byte]
+28 m4 @0x4085e89c c7 41 04 d1 0f bc f7 mov $0xf7bc0fd1 -> 0x04(%ecx)[4byte]
+35 m4 @0x4085b7a0 <label>
+35 m4 @0x40834880 8d 49 08 lea 0x08(%ecx) -> %ecx
+38 m4 @0x4085bbac 64 89 0d b0 00 00 00 mov %ecx -> %fs:0x000000b0[4byte]
+45 m4 @0x4085c824 64 a1 94 00 00 00 mov %fs:0x00000094[4byte] -> %eax
+51 m4 @0x4085e66c <label>
+51 m4 @0x4085c3bc 64 8b 0d 90 00 00 00 mov %fs:0x00000090[4byte] -> %ecx
+58 m4 @0x4085d8c0 <label>
-----------------------------
+58 m4 @0x4085d9a4 e3 fe jecxz @0x4085c110[4byte] %ecx
+60 m4 @0x4085bf98 eb fe jmp @0x4085ab28[4byte]
+62 L4 @0x4085c110 b9 01 00 00 00 mov $0x00000001 -> %ecx
+67 m4 @0x4085c4d8 e9 fb ff ff ff jmp @0x4085e4e8[4byte]
+72 m4 @0x4085ab28 <label>
+72 m4 @0x4085ce1c 64 89 0d 90 00 00 00 mov %ecx -> %fs:0x00000090[4byte]
+79 m4 @0x4085763c 64 8b 0d b0 00 00 00 mov %fs:0x000000b0[4byte] -> %ecx
+86 m4 @0x408580f8 e3 fe jecxz @0x408580a8[4byte] %ecx
+88 m4 @0x4085c740 64 a3 94 00 00 00 mov %eax -> %fs:0x00000094[4byte]
+94 m4 @0x4085d2e0 3e 8d 06 lea %ds:(%esi) -> %eax
+97 m4 @0x4085ca8c 89 41 04 mov %eax -> 0x04(%ecx)[4byte]
+100 m4 @0x4085e3f8 c7 01 00 00 04 00 mov $0x00040000 -> (%ecx)[4byte]
+106 m4 @0x4085c0c0 <label>
+106 m4 @0x4085dd4c 26 8d 07 lea %es:(%edi) -> %eax
+109 m4 @0x4085ba78 89 41 0c mov %eax -> 0x0c(%ecx)[4byte]
+112 m4 @0x40833328 c7 41 08 01 00 04 00 mov $0x00040001 -> 0x08(%ecx)[4byte]
+119 m4 @0x4085d3b8 <label>
+119 m4 @0x4085e6bc 8d 49 10 lea 0x10(%ecx) -> %ecx
+122 m4 @0x408347e0 64 89 0d b0 00 00 00 mov %ecx -> %fs:0x000000b0[4byte]
+129 m4 @0x4085b4e8 64 a1 94 00 00 00 mov %fs:0x00000094[4byte] -> %eax
+135 m4 @0x408580a8 <label>
+135 m4 @0x4085cadc 64 8b 0d 90 00 00 00 mov %fs:0x00000090[4byte] -> %ecx
+142 L4 @0x4085c36c a5 movs %ds:(%esi)[4byte] %esi %edi -> %es:(%edi)[4byte] %esi %edi
pre_loop:
+143 m4 @0x4085e4e8 <label>
Note the re-spill of ecx here:
+143 m4 @0x4085c56c 64 89 0d 90 00 00 00 mov %ecx -> %fs:0x00000090[4byte]
+150 m4 @0x40857b44 64 8b 0d b0 00 00 00 mov %fs:0x000000b0[4byte] -> %ecx
+157 m4 @0x4085bac8 e3 fe jecxz @0x4085ca3c[4byte] %ecx
+159 m4 @0x4085b9a0 eb fe jmp @0x40857558[4byte]
+161 m4 @0x4085cc10 90 nop
+162 m4 @0x4085ca3c <label>
+162 m4 @0x40858198 e9 fb ff ff ff jmp @0x4083165c[4byte]
+167 m4 @0x40857558 <label>
+167 m4 @0x4085b454 8b 09 mov (%ecx)[4byte] -> %ecx
+169 m4 @0x4085d1f0 e3 fe jecxz @0x4085b498[4byte] %ecx
+171 m4 @0x4085bfdc 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+177 m4 @0x4085e024 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+183 m4 @0x40857988 89 60 0c mov %esp -> 0x0c(%eax)[4byte]
+186 m4 @0x4085e61c 8b a0 a8 02 00 00 mov 0x000002a8(%eax)[4byte] -> %esp
+192 m4 @0x4085e84c 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+198 m4 @0x4085b61c 8d a4 24 7c fd ff ff lea 0xfffffd7c(%esp) -> %esp
+205 m4 @0x4085ce60 e8 23 8b fb ff call $0x407e5640 %esp -> %esp 0xfffffffc(%esp)[4byte]
+210 m4 @0x4085d324 <label>
+210 m4 @0x408575ec e8 4c 8b 33 b7 call $0xf7b65669 %esp -> %esp 0xfffffffc(%esp)[4byte]
+215 m4 @0x40858148 e8 a3 8b fb ff call $0x407e56c0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+220 m4 @0x40857dac 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+226 m4 @0x4085bdc4 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+232 m4 @0x4085af28 8b 60 0c mov 0x0c(%eax)[4byte] -> %esp
+235 m4 @0x40857474 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+241 m4 @0x408332d8 <label>
+241 m4 @0x4085beb4 <label>
+241 m4 @0x4085b498 <label>
+241 m4 @0x4085c650 <label>
+241 m4 @0x4083165c <label>
+241 m4 @0x40857bd8 64 8b 0d 90 00 00 00 mov %fs:0x00000090[4byte] -> %ecx
+248 L4 @0x40857f74 e2 b7 loop $0xf7bc0fd1 %ecx -> %ecx
END 0xf7bc0fd1
And here is the same block with drbbdup:
after instrumentation:
TAG 0xf7b31fd1
+0 m4 @0x4ca5d900 64 89 0d b4 00 00 00 mov %ecx -> %fs:0x000000b4[4byte]
+7 m4 @0x4ca53240 8b 0d 80 b9 b0 f7 mov 0xf7b0b980[4byte] -> %ecx
+13 m4 @0x4ca5c6ec <label>
+13 m4 @0x4ca58390 e3 fe jecxz @0x4ca5deb4[4byte] %ecx
+15 m4 @0x4ca5bb88 e9 fb ff ff ff jmp @0x4ca5ed7c[4byte]
+20 m4 @0x4ca5deb4 <label>
+20 m4 @0x4ca526a0 e9 49 00 00 00 jmp @0x4ca5af8c[4byte]
---------------------------------------------------------------------------
+25 m4 @0x4ca5ed7c <label>
+25 m4 @0x4ca5f29c 64 8b 0d b4 00 00 00 mov %fs:0x000000b4[4byte] -> %ecx
+32 m4 @0x4ca5f6f8 <label>
+32 m4 @0x4ca554f0 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+38 m4 @0x4ca5cb6c 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+44 m4 @0x4ca5f6a8 89 60 0c mov %esp -> 0x0c(%eax)[4byte]
+47 m4 @0x4ca5b720 8b a0 a8 02 00 00 mov 0x000002a8(%eax)[4byte] -> %esp
+53 m4 @0x4ca5da78 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+59 m4 @0x4ca5d454 8d a4 24 7c fd ff ff lea 0xfffffd7c(%esp) -> %esp
+66 m4 @0x4c9f0e70 e8 23 8b fb ff call $0x4c9a6640 %esp -> %esp 0xfffffffc(%esp)[4byte]
+71 m4 @0x4ca549b0 8d 64 24 f8 lea 0xfffffff8(%esp) -> %esp
+75 m4 @0x4ca5f780 <label>
+75 m4 @0x4c9f0fbc 68 d2 1f b3 f7 push $0xf7b31fd2 %esp -> %esp 0xfffffffc(%esp)[4byte]
+80 m4 @0x4ca51750 68 06 00 00 00 push $0x00000006 %esp -> %esp 0xfffffffc(%esp)[4byte]
+85 m4 @0x4ca525b8 e8 5d b1 0e ab call $0xf7ad8c7a %esp -> %esp 0xfffffffc(%esp)[4byte]
+90 m4 @0x4ca54188 8d 64 24 10 lea 0x10(%esp) -> %esp
+94 m4 @0x4ca5e288 e8 a3 8b fb ff call $0x4c9a66c0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+99 m4 @0x4ca5d230 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+105 m4 @0x4ca5df98 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+111 m4 @0x4ca5f028 8b 60 0c mov 0x0c(%eax)[4byte] -> %esp
+114 m4 @0x4ca5d828 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+120 m4 @0x4ca593e0 <label>
+120 m4 @0x4ca5cf34 <label>
+120 m4 @0x4ca5dce0 e3 fe jecxz @0x4ca5f168[4byte] %ecx
+122 m4 @0x4ca518e0 eb fe jmp @0x4ca5f614[4byte]
+124 L4 @0x4ca5f168 b9 01 00 00 00 mov $0x00000001 -> %ecx
+129 m4 @0x4ca54d18 e9 fb ff ff ff jmp @0x4ca559c0[4byte]
+134 m4 @0x4ca5f614 <label>
+134 L4 @0x4ca5f118 a5 movs %ds:(%esi)[4byte] %esi %edi -> %es:(%edi)[4byte] %esi %edi
+135 m4 @0x4ca559c0 <label>
+135 m4 @0x4ca5eba8 <label>
+135 m4 @0x4ca5eeb0 e9 4a 00 00 00 jmp @0x4ca585f8[4byte]
+140 m4 @0x4ca5dc40 <label>
---------------------------------------------------------------------------
+140 m4 @0x4ca5af8c <label>
+140 m4 @0x4ca5f5d0 64 8b 0d b4 00 00 00 mov %fs:0x000000b4[4byte] -> %ecx
+147 m4 @0x4ca51b24 64 89 0d 90 00 00 00 mov %ecx -> %fs:0x00000090[4byte]
+154 m4 @0x4ca572ac 64 8b 0d c0 00 00 00 mov %fs:0x000000c0[4byte] -> %ecx
+161 m4 @0x4ca5ce18 e3 fe jecxz @0x4ca5d404[4byte] %ecx
+163 m4 @0x4c9f0600 64 a3 94 00 00 00 mov %eax -> %fs:0x00000094[4byte]
+169 m4 @0x4ca5ddd0 c7 01 1e 00 02 00 mov $0x0002001e -> (%ecx)[4byte]
+175 m4 @0x4ca517a0 c7 41 04 d1 1f b3 f7 mov $0xf7b31fd1 -> 0x04(%ecx)[4byte]
+182 m4 @0x4ca5b244 <label>
+182 m4 @0x4ca5a45c 8d 49 08 lea 0x08(%ecx) -> %ecx
+185 m4 @0x4ca5dbac 64 89 0d c0 00 00 00 mov %ecx -> %fs:0x000000c0[4byte]
+192 m4 @0x4ca5e528 64 a1 94 00 00 00 mov %fs:0x00000094[4byte] -> %eax
+198 m4 @0x4ca5d404 <label>
+198 m4 @0x4ca55238 <label>
+198 m4 @0x4ca5469c 64 8b 0d 90 00 00 00 mov %fs:0x00000090[4byte] -> %ecx
--------------------------------------------------
+205 m4 @0x4ca51b68 e3 fe jecxz @0x4c9f12fc[4byte] %ecx
+207 m4 @0x4ca5e3f4 eb fe jmp @0x4ca52550[4byte]
+209 L4 @0x4c9f12fc b9 01 00 00 00 mov $0x00000001 -> %ecx
+214 m4 @0x4ca58b74 e9 fb ff ff ff jmp @0x4ca5c910[4byte]
+219 m4 @0x4ca52550 <label>
+219 m4 @0x4ca528c4 64 89 0d 90 00 00 00 mov %ecx -> %fs:0x00000090[4byte]
+226 m4 @0x4ca5e360 64 8b 0d c0 00 00 00 mov %fs:0x000000c0[4byte] -> %ecx
+233 m4 @0x4ca5d8bc e3 fe jecxz @0x4ca51ef8[4byte] %ecx
+235 m4 @0x4ca5e200 64 a3 94 00 00 00 mov %eax -> %fs:0x00000094[4byte]
+241 m4 @0x4ca53fd8 3e 8d 06 lea %ds:(%esi) -> %eax
+244 m4 @0x4ca53bec 89 41 04 mov %eax -> 0x04(%ecx)[4byte]
+247 m4 @0x4ca5c7d0 c7 01 00 00 04 00 mov $0x00040000 -> (%ecx)[4byte]
+253 m4 @0x4ca5d538 <label>
+253 m4 @0x4ca51d74 26 8d 07 lea %es:(%edi) -> %eax
+256 m4 @0x4ca5aef8 89 41 0c mov %eax -> 0x0c(%ecx)[4byte]
+259 m4 @0x4ca5c524 c7 41 08 01 00 04 00 mov $0x00040001 -> 0x08(%ecx)[4byte]
+266 m4 @0x4c9f0a70 <label>
+266 m4 @0x4ca5d878 8d 49 10 lea 0x10(%ecx) -> %ecx
+269 m4 @0x4ca5cbbc 64 89 0d c0 00 00 00 mov %ecx -> %fs:0x000000c0[4byte]
+276 m4 @0x4ca596e8 64 a1 94 00 00 00 mov %fs:0x00000094[4byte] -> %eax
+282 m4 @0x4ca51ef8 <label>
+282 L4 @0x4c9f1390 a5 movs %ds:(%esi)[4byte] %esi %edi -> %es:(%edi)[4byte] %esi %edi
pre_loop:
On the ecx==0 path, the ecx==1 value was never spilled, so the restore below loads the wrong value:
+283 m4 @0x4ca5c910 <label>
<================= MISSING SPILL HERE ===============>
+283 m4 @0x4ca53f94 64 8b 0d c0 00 00 00 mov %fs:0x000000c0[4byte] -> %ecx
+290 m4 @0x4ca5cd84 e3 fe jecxz @0x4ca5e02c[4byte] %ecx
+292 m4 @0x4ca5e244 eb fe jmp @0x4ca5d19c[4byte]
+294 m4 @0x4ca54028 90 nop
+295 m4 @0x4ca5e02c <label>
+295 m4 @0x4ca5dd30 e9 fb ff ff ff jmp @0x4ca527d4[4byte]
+300 m4 @0x4ca5d19c <label>
+300 m4 @0x4ca520ac 8b 09 mov (%ecx)[4byte] -> %ecx
+302 m4 @0x4ca52874 e3 fe jecxz @0x4ca5e6fc[4byte] %ecx
+304 m4 @0x4ca5e494 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+310 m4 @0x4ca5ba98 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+316 m4 @0x4ca59b00 89 60 0c mov %esp -> 0x0c(%eax)[4byte]
+319 m4 @0x4ca5d994 8b a0 a8 02 00 00 mov 0x000002a8(%eax)[4byte] -> %esp
+325 m4 @0x4ca54100 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+331 m4 @0x4ca5c69c 8d a4 24 7c fd ff ff lea 0xfffffd7c(%esp) -> %esp
+338 m4 @0x4c9f0f1c e8 23 8b fb ff call $0x4c9a6640 %esp -> %esp 0xfffffffc(%esp)[4byte]
+343 m4 @0x4ca54ee0 <label>
+343 m4 @0x4ca519c4 e8 5c 7b 0e ab call $0xf7ad5679 %esp -> %esp 0xfffffffc(%esp)[4byte]
+348 m4 @0x4ca5c658 e8 a3 8b fb ff call $0x4c9a66c0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+353 m4 @0x4ca51538 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+359 m4 @0x4c9f1340 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+365 m4 @0x4ca5d7e4 8b 60 0c mov 0x0c(%eax)[4byte] -> %esp
+368 m4 @0x4ca5464c 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+374 m4 @0x4ca53458 <label>
+374 m4 @0x4ca5df48 <label>
+374 m4 @0x4ca5e6fc <label>
+374 m4 @0x4ca539c8 <label>
+374 m4 @0x4ca527d4 <label>
+374 m4 @0x4ca52784 64 8b 0d 90 00 00 00 mov %fs:0x00000090[4byte] -> %ecx
+381 m4 @0x4ca585f8 <label>
+381 L4 @0x4ca55534 e2 b7 loop $0xf7b31fd1 %ecx -> %ecx
END 0xf7b31fd1
xcx = 0x00000000
xsi = 0xf7b34df2
xdi = 0xf7b42ccd
xcx=0xf7895510
xsi = 0xf7b35122
xdi = 0xf7b42ffd
SIGSEGV here:
0x4ca98b62 a5 movs %ds:(%esi)[4byte] %esi %edi -> %es:(%edi)[4byte] %esi %edi
0x4ca98b63 64 8b 0d c0 00 00 00 mov %fs:0xc0[4byte] -> %ecx
0x4ca98b6a e3 03 jecxz $0x4ca98b6f %ecx
0x4ca98b6c eb 06 jmp $0x4ca98b74
0x4ca98b6e 90 nop
0x4ca98b6f e9 4a 00 00 00 jmp $0x4ca98bbe
0x4ca98b74 8b 09 mov (%ecx)[4byte] -> %ecx
0x4ca98b76 e3 46 jecxz $0x4ca98bbe %ecx
0x4ca98b78 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
0x4ca98b7e 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
0x4ca98b84 89 60 0c mov %esp -> 0x0c(%eax)[4byte]
0x4ca98b87 8b a0 a8 02 00 00 mov 0x000002a8(%eax)[4byte] -> %esp
0x4ca98b8d 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
0x4ca98b93 8d a4 24 7c fd ff ff lea 0xfffffd7c(%esp) -> %esp
0x4ca98b9a e8 a1 da f0 ff call $0x4c9a6640 %esp -> %esp 0xfffffffc(%esp)[4byte]
0x4ca98b9f e8 d5 ca 03 ab call $0xf7ad5679 %esp -> %esp 0xfffffffc(%esp)[4byte]
0x4ca98ba4 e8 17 db f0 ff call $0x4c9a66c0 %esp -> %esp 0xfffffffc(%esp)[4byte]
0x4ca98ba9 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
0x4ca98baf 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
0x4ca98bb5 8b 60 0c mov 0x0c(%eax)[4byte] -> %esp
0x4ca98bb8 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
0x4ca98bbe 64 8b 0d 90 00 00 00 mov %fs:0x90[4byte] -> %ecx
0x4ca98bc5 e2 02 loop $0x4ca98bc9 %ecx -> %ecx
0x4ca98bc7 eb 05 jmp $0x4ca98bce
0x4ca98bc9 e9 7a fe ff ff jmp $0x4ca98a48 <fragment 390>
0x4ca98bce e9 80 89 ff ff jmp $0x4ca91553
-------- exit stub 0: -------- <target: 0xf7b31fd1> type: jmp/jcc
0x4ca91553 67 64 a3 00 00 addr16 mov %eax -> %fs:0x00[4byte]
0x4ca91558 b8 8c 5f a7 4c mov $0x4ca75f8c -> %eax
0x4ca9155d e9 de 49 f1 ff jmp $0x4c9a5f40 <fcache_return>
-------- exit stub 1: -------- <target: 0xf7b31fd3> type: fall-through/speculated/IAT
0x4ca91553 67 64 a3 00 00 addr16 mov %eax -> %fs:0x00[4byte]
0x4ca91558 b8 8c 5f a7 4c mov $0x4ca75f8c -> %eax
0x4ca9155d e9 de 49 f1 ff jmp $0x4c9a5f40 <fcache_return>
There is a missing spill of ecx before the clean-call instrumentation, so the call clobbers what should be 1; we then loop many, many times on the rep movs and crash.