uninits in calc on xp32 #1149

Open
derekbruening opened this issue Nov 28, 2014 · 9 comments

Comments

@derekbruening
Contributor

From bruen...@google.com on February 22, 2013 19:14:36

xp32, surprisingly, has more uninits than xp64 or win7:

start up and shut down:

1.5.0:
ERRORS FOUND:
0 unique, 0 total unaddressable access(es)
6 unique, 29 total uninitialized access(es)
0 unique, 0 total invalid heap argument(s)
4 unique, 61 total GDI usage error(s)
0 unique, 0 total warning(s)
31 unique, 31 total, 2668 byte(s) of leak(s)
0 unique, 0 total, 0 byte(s) of possible leak(s)

1.5.1:
ERRORS FOUND:
0 unique, 0 total unaddressable access(es)
6 unique, 46 total uninitialized access(es)
0 unique, 0 total invalid heap argument(s)
5 unique, 71 total GDI usage error(s)
0 unique, 0 total warning(s)
31 unique, 31 total, 2668 byte(s) of leak(s)
0 unique, 0 total, 0 byte(s) of possible leak(s)

but Qin hit a bunch of buttons and got xp32 calc up to:
0 unique, 0 total unaddressable access(es)
174 unique, 434 total uninitialized access(es)

this is another issue filed for "try to get to zero false positive uninits"

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1149

@derekbruening
Contributor Author

From bruen...@google.com on February 22, 2013 16:16:42

I'm attaching 1.5.1 on startup/shutdown

Attachment: results.txt

@derekbruening
Contributor Author

From bruen...@google.com on February 24, 2013 22:13:06

calc on win7x86 has 15 uninits:
ERRORS FOUND:
0 unique, 0 total unaddressable access(es)
15 unique, 38 total uninitialized access(es)
0 unique, 0 total invalid heap argument(s)
3 unique, 53 total GDI usage error(s)
0 unique, 0 total warning(s)
7 unique, 63 total, 5848 byte(s) of leak(s)
1 unique, 1 total, 24 byte(s) of possible leak(s)

should look at that as well

@derekbruening
Contributor Author

From SDenbo...@gmail.com on April 12, 2013 15:11:54

Owner: SDenbo...@gmail.com

@derekbruening
Contributor Author

From zhao...@google.com on August 26, 2013 15:10:49

Investigating:
Error #1: UNINITIALIZED READ: reading 0x0007f980-0x0007f984 4 byte(s)
#0 UxTheme.dll!GetThemeBackgroundContentRect +0x95 (0x5ad73f1f <UxTheme.dll+0x3f1f>)
#1 UxTheme.dll!DrawThemeText +0xce2 (0x5ad73cdb <UxTheme.dll+0x3cdb>)
#2 UxTheme.dll!DrawThemeText +0xd21 (0x5ad73d1a <UxTheme.dll+0x3d1a>)
#3 UxTheme.dll!GetThemeBackgroundContentRect +0x80 (0x5ad73f0b <UxTheme.dll+0x3f0b>)
#4 COMCTL32.dll!Ordinal384 +0xc60f (0x773f84cb <COMCTL32.dll+0x284cb>)
#5 COMCTL32.dll!Ordinal384 +0xc8f5 (0x773f87b1 <COMCTL32.dll+0x287b1>)
#6 COMCTL32.dll!Ordinal384 +0xcf3f (0x773f8dfb <COMCTL32.dll+0x28dfb>)
#7 COMCTL32.dll!Ordinal384 +0xd274 (0x773f9130 <COMCTL32.dll+0x29130>)
#8 USER32.dll!GetDC +0x6c (0x7e418734 <USER32.dll+0x8734>)
#9 USER32.dll!GetDC +0x14e (0x7e418816 <USER32.dll+0x8816>)
#10 USER32.dll!DefWindowProcW +0x17f (0x7e428ea0 <USER32.dll+0x18ea0>)
#11 USER32.dll!DefWindowProcW +0x1cb (0x7e428eec <USER32.dll+0x18eec>)
Note: @0:00:08.359 in thread 128
Note: instruction: cmp (%eax) %edx

0x5ad73f1f: cmp [eax],edx
the eax value is 0007f980, which is an address passed from the caller.

The caller function:
5ad73c9a 8bff mov edi,edi
5ad73c9c 55 push ebp
5ad73c9d 8bec mov ebp,esp
5ad73c9f 83ec18 sub esp,0x18 <== allocate memory at 0007f980 from stack
5ad73ca2 53 push ebx
5ad73ca3 56 push esi
...
5ad73cc6 8bf8 mov edi,eax
5ad73cc8 8d45f8 lea eax,[ebp-0x8]
5ad73ccb 50 push eax
5ad73ccc 8d45e8 lea eax,[ebp-0x18] <== 0007f980
5ad73ccf 50 push eax
5ad73cd0 ff7510 push dword ptr [ebp+0x10]
5ad73cd3 8bcb mov ecx,ebx
5ad73cd5 57 push edi
5ad73cd6 e89ae7ffff call UxTheme+0x2475 (5ad72475)

There is no initialization on the caller.

It seems there is no init code for that memory in the callee either.
5ad72475 8bff mov edi,edi
5ad72477 55 push ebp
5ad72478 8bec mov ebp,esp
5ad7247a 83ec10 sub esp,0x10
5ad7247d 56 push esi
5ad7247e 57 push edi
5ad7247f 8b7d08 mov edi,[ebp+0x8]
5ad72482 33d2 xor edx,edx
5ad72484 395714 cmp [edi+0x14],edx
5ad72487 894dfc mov [ebp-0x4],ecx
5ad7248a 0f848c1a0000 je UxTheme!GetThemeBackgroundContentRect+0x92 (5ad73f1c)
...
5ad73f1c 8b4510 mov eax,[ebp+0x10]
5ad73f1f 3910 cmp [eax],edx <== Uninit error report

ebp = 0x7f95c
app stack:
0:000> dds 0x7f944
0007f944 00f64e88
0007f948 00000000
0007f94c 00f64d3c
0007f950 00000010
0007f954 00000023
0007f958 00f64d3c
0007f95c 0007f998
0007f960 5ad73cdb UxTheme!DrawThemeText+0xce3
0007f964 00f64e88
0007f968 0007fad0
0007f96c 0007f980
0007f970 0007f990
0007f974 0007fa78
0007f978 0007fad0
0007f97c 00b61800
0007f980 00000000
0007f984 0000000e
0007f988 773d30c0 comctl32!Ordinal249+0x30c0
0007f98c 5ad7153d UxTheme+0x153d
0007f990 00383d34
0007f994 00383d20
0007f998 0007f9c4
0007f99c 5ad73d1a UxTheme!DrawThemeText+0xd22
0007f9a0 020215f8
0007f9a4 d8010847

It seems more likely to be a real uninit read error.

@derekbruening
Contributor Author

From bruen...@google.com on August 26, 2013 17:25:44

xref real uninit bugs in calc.exe already discovered: issue #495 , issue #496

@derekbruening
Contributor Author

From zhao...@google.com on August 27, 2013 11:31:47

split c#4 to issue #1316

@derekbruening
Contributor Author

From zhao...@google.com on August 27, 2013 12:52:26

Another uninit error:

Error #4: UNINITIALIZED READ: reading 0x00b7dac4-0x00b7dac8 4 byte(s)
#0 MSCTF.dll!TF_CreateCicLoadMutex +0x6056 (0x7473d041 <MSCTF.dll+0x1d041>)
#1 MSCTF.dll!TF_CheckThreadInputIdle +0x34f6 (0x74742e6c <MSCTF.dll+0x22e6c>)
#2 MSCTF.dll!TF_CheckThreadInputIdle +0x443 (0x7473fdb9 <MSCTF.dll+0x1fdb9>)
#3 MSCTF.dll!TF_CheckThreadInputIdle +0xa09 (0x7474037f <MSCTF.dll+0x2037f>)
#4 USER32.dll!GetDC +0x6c (0x7e418734 <USER32.dll+0x8734>)
#5 USER32.dll!GetDC +0x14e (0x7e418816 <USER32.dll+0x8816>)
#6 USER32.dll!GetWindowLongW +0x126 (0x7e4189cd <USER32.dll+0x89cd>)
#7 USER32.dll!DispatchMessageW +0xe (0x7e418a10 <USER32.dll+0x8a10>)
#8 calc.exe!? +0x0 (0x010021a7 <calc.exe+0x21a7>)
#9 calc.exe!? +0x0 (0x010125e9 <calc.exe+0x125e9>)
#10 KERNEL32.dll!RegisterWaitForInputIdle +0x48 (0x7c817077 <KERNEL32.dll+0x17077>)
Note: @0:00:10.203 in thread 1448
Note: instruction: rep cmps %ds:(%esi) %es:(%edi) %esi %edi %ecx -> %esi %edi %ecx

0:000> dt sz
Local var @ 0x1856df78 Type unsigned int
4
0:000> dt container_start
Local var @ 0x1856df7c Type unsigned char*
0x00b7cf3c "???"

0:000> dt container_end
Local var @ 0x1856df80 Type unsigned char*
0x00b7cf40 "???"

0:000> dt mc
Local var @ 0x1856df84 Type _dr_mcontext_t*
0x1856ed60
+0x000 size : 0x148
+0x004 flags : 3 (No matching name)
+0x008 xdi : 0xb7cf3c
+0x008 edi : 0xb7cf3c
+0x00c xsi : 0xb75348
+0x00c esi : 0xb75348

0:000> dd 0x00b7cf38
00b7cf38 58c99d96 42ce2f9b ef37be91 82f86018

0:000> dd 0xb75344
00b75344 58c99d96 42ce2f9b ef37be91 82f86018

From the values, it looks like the memory is initialized.

7473d036 8b7d10 mov edi,[ebp+0x10]
7473d039 6a04 push 0x4
7473d03b 59 pop ecx
7473d03c 8d702c lea esi,[eax+0x2c]
7473d03f 33db xor ebx,ebx
7473d041 f3a7 rep cmpsd

The edi comes from the caller's 3rd parameter:
74742df2 8bff mov edi,edi
...
74742e09 c1e604 shl esi,0x4
74742e0c 56 push esi
74742e0d e8ecf7fdff call MSCTF!DllCanUnloadNow+0x7ae (747225fe) <== allocate buffer
74742e12 85c0 test eax,eax
74742e14 59 pop ecx
74742e15 8945fc mov [ebp-0x4],eax <= assign the buffer pointer
74742e18 7437 jz MSCTF!TF_CheckThreadInputIdle+0x34dc (74742e51)
74742e1a 8b5740 mov edx,[edi+0x40]
74742e1d 8bce mov ecx,esi
74742e1f 8d743a08 lea esi,[edx+edi+0x8]
74742e23 8bf8 mov edi,eax
74742e25 8bc1 mov eax,ecx
74742e27 c1e902 shr ecx,0x2
74742e2a f3a5 rep movsd
74742e2c 8bc8 mov ecx,eax
74742e2e 8bc3 mov eax,ebx
74742e30 c1e002 shl eax,0x2
74742e33 83e103 and ecx,0x3
74742e36 50 push eax
74742e37 f3a4 rep movsb
74742e39 e8c0f7fdff call MSCTF!DllCanUnloadNow+0x7ae (747225fe)
74742e3e 8bf8 mov edi,eax
74742e40 33f6 xor esi,esi
74742e42 3bfe cmp edi,esi
74742e44 59 pop ecx
74742e45 7514 jnz MSCTF!TF_CheckThreadInputIdle+0x34e6 (74742e5b)
74742e47 be0e000780 mov esi,0x8007000e
74742e4c e98d000000 jmp MSCTF!TF_CheckThreadInputIdle+0x3569 (74742ede)
74742e51 b80e000780 mov eax,0x8007000e
74742e56 e98e000000 jmp MSCTF!TF_CheckThreadInputIdle+0x3574 (74742ee9)
74742e5b 8b4508 mov eax,[ebp+0x8]
74742e5e 8b4018 mov eax,[eax+0x18]
74742e61 8b08 mov ecx,[eax]
74742e63 57 push edi
74742e64 ff75fc push dword ptr [ebp-0x4] <= the actual buffer
74742e67 53 push ebx
74742e68 50 push eax
74742e69 ff5128 call dword ptr [ecx+0x28]

74742e0d e8ecf7fdff call MSCTF!DllCanUnloadNow+0x7ae (747225fe)
actually calls LocalAlloc(0x40, size) directly, without initializing the buffer.

@derekbruening
Contributor Author

From zhao...@google.com on August 27, 2013 14:55:18

It seems the data is initialized by the code after

74742e0d e8ecf7fdff call MSCTF!DllCanUnloadNow+0x7ae (747225fe) <== allocate buffer
74742e12 85c0 test eax,eax
74742e14 59 pop ecx
74742e15 8945fc mov [ebp-0x4],eax <== assign the buffer pointer
74742e18 7437 jz MSCTF!TF_CheckThreadInputIdle+0x34dc (74742e51)
74742e1a 8b5740 mov edx,[edi+0x40]
74742e1d 8bce mov ecx,esi
74742e1f 8d743a08 lea esi,[edx+edi+0x8]
74742e23 8bf8 mov edi,eax
74742e25 8bc1 mov eax,ecx
74742e27 c1e902 shr ecx,0x2
74742e2a f3a5 rep movsd <== update target memory

so the data came from the buffer pointed to by esi, which is [edx+edi+0x8], where edi came from the caller ([ebp+0xc]).

Looking around, I did not see system calls, so I am not sure what really causes the problem. rep movsd handling?
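To make the reasoning in the two investigations above concrete (the never-written [ebp-0x18] local handed to GetThemeBackgroundContentRect, and the MSCTF question of whether a rep movsd from the source buffer should have left the LocalAlloc'd buffer fully defined before rep cmpsd), here is a constructed toy model of the definedness ("shadow") tracking a memory checker performs. It is an added example written for this page, not Dr. Memory's code: the shadow_mem_t type, the sm_* helpers and the offsets are all made up, and only the 32-bit values echo the dd output quoted above. The point it shows is that a report is decided by the shadow state of the bytes read, never by whether their contents look plausible, and that a copy propagates undefinedness rather than reporting it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of shadow ("defined"/"undefined") tracking.
 * Not Dr. Memory's implementation; an illustration for this page. */

#define MEM_SIZE 256

typedef struct {
    uint8_t data[MEM_SIZE];    /* simulated application memory */
    uint8_t defined[MEM_SIZE]; /* shadow: 1 = byte written since allocation */
    int reports;               /* UNINITIALIZED READ reports raised */
} shadow_mem_t;

static void sm_init(shadow_mem_t *m) { memset(m, 0, sizeof *m); }

/* "sub esp,0x18" or LocalAlloc(): memory becomes addressable but undefined. */
static void sm_alloc(shadow_mem_t *m, size_t addr, size_t len) {
    memset(&m->defined[addr], 0, len);
}

/* An ordinary store defines the bytes, whatever value is stored. */
static void sm_write32(shadow_mem_t *m, size_t addr, uint32_t v) {
    memcpy(&m->data[addr], &v, 4);
    memset(&m->defined[addr], 1, 4);
}

/* Stale bytes left over from earlier use: the value is physically there,
 * but nothing wrote it after the current allocation, so the shadow stays
 * undefined. A debugger's dd shows the value and nothing else. */
static void sm_stale32(shadow_mem_t *m, size_t addr, uint32_t v) {
    memcpy(&m->data[addr], &v, 4);
}

/* "rep movsd": value and shadow move together, so undefinedness propagates
 * from source to destination instead of being reported at the copy. */
static void sm_copy(shadow_mem_t *m, size_t dst, size_t src, size_t len) {
    memmove(&m->data[dst], &m->data[src], len);
    memmove(&m->defined[dst], &m->defined[src], len);
}

/* "cmp [eax],edx" or "rep cmpsd": a read that feeds flags/control flow is
 * checked. Returns 1 and records a report if any byte read is undefined. */
static int sm_check_read(shadow_mem_t *m, size_t addr, size_t len, const char *insn) {
    for (size_t i = 0; i < len; i++) {
        if (!m->defined[addr + i]) {
            m->reports++;
            printf("UNINITIALIZED READ: %s reading %zu byte(s) at +0x%zx\n", insn, len, addr);
            return 1;
        }
    }
    return 0;
}

/* Stack case (GetThemeBackgroundContentRect): the caller reserves 0x18 bytes,
 * passes &[ebp-0x18] down, and the callee does cmp [eax],edx on it with no
 * store anywhere in between. Returns 1 (reported). */
int stack_local_case(void) {
    shadow_mem_t m;
    sm_init(&m);
    size_t local = 0x80;            /* constructed stand-in for 0x0007f980 */
    sm_alloc(&m, local, 0x18);      /* sub esp,0x18 */
    /* ... neither caller nor callee writes [ebp-0x18] ... */
    return sm_check_read(&m, local, 4, "cmp [eax],edx");
}

/* Heap case (CLangBarItemMgr::GetItemsStatus): a LocalAlloc'd buffer is filled
 * by rep movsd from a source buffer and later compared with rep cmpsd.
 * Returns (bytes_identical << 1) | reported. The bytes of source and copy are
 * always identical; whether the compare is reported depends only on whether
 * the source's last dword was actually written or merely stale. */
int heap_copy_case(int source_fully_defined) {
    shadow_mem_t m;
    sm_init(&m);
    size_t src = 0x10, dst = 0x40;  /* constructed offsets */
    sm_alloc(&m, src, 16);
    sm_write32(&m, src + 0, 0x58c99d96);   /* values echo the dd output above */
    sm_write32(&m, src + 4, 0x42ce2f9b);
    sm_write32(&m, src + 8, 0xef37be91);
    if (source_fully_defined)
        sm_write32(&m, src + 12, 0x82f86018);
    else
        sm_stale32(&m, src + 12, 0x82f86018);   /* same bytes, never written */
    sm_alloc(&m, dst, 16);                      /* LocalAlloc */
    sm_copy(&m, dst, src, 16);                  /* rep movsd */
    int identical = memcmp(&m.data[dst], &m.data[src], 16) == 0;
    int reported = sm_check_read(&m, dst, 16, "rep cmpsd");
    return (identical << 1) | reported;
}

int main(void) {
    printf("stack case reported: %d\n", stack_local_case());
    printf("heap case, defined source: %d\n", heap_copy_case(1));  /* 2: identical, not reported */
    printf("heap case, stale source:   %d\n", heap_copy_case(0));  /* 3: identical, reported */
    return 0;
}
```

Run as is and the heap case shows the situation the thread describes: both buffers dump identically, yet only the run whose source carried a stale dword is reported. In a real checker the question from the investigation above therefore reduces to whether the shadow of the source range ([edx+edi+0x8] onward) was defined before the rep movsd, and whether the tool's handling of the rep movsd copied that shadow correctly; the contents of the buffers cannot answer it.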

@derekbruening
Contributor Author

From zhao...@google.com on August 28, 2013 10:55:24

with more symbols:

Error #4: UNINITIALIZED READ: reading 0x00bccf3c-0x00bccf40 4 byte(s)
#0 MSCTF.dll!CLangBarItemMgr::GetItemsStatus
#1 MSCTF.dll!CStubITfLangBarItemMgr::stub_GetItemsStatus
#2 MSCTF.dll!HandleSendReceiveMsg
#3 MSCTF.dll!CicMarshalWndProc
#4 USER32.dll!InternalCallWinProc
#5 USER32.dll!UserCallWinProcCheckWow
#6 USER32.dll!DispatchMessageWorker
#7 USER32.dll!DispatchMessageW
#8 WinMain
