CRASH: drrun crashes if specified client tries to create ofstream object (SIGSEGV)

[matevosmehrabyan]

Description:

drrun crashes (SIGSEGV) when the specified client tries to create a std::ofstream object for writing to a file.

OS: Ubuntu 22.04.3 LTS, Compiler: gcc-11.4.0

For reproduction, the default clients can be used.
For example:

1. Open clients/drcpusim/drcpusim.cpp and add #include <fstream> at top of the file
2. add std::ofstream mystream("hello_world.txt", std::ofstream::app); to the top of dr_client_main function.
3. Run: drrun -c ./dynamorio/build/bin64/drrun -c ./build/clients/lib64/libdrcpusim.so -- echo hello world

Output (release):

<Application /usr/bin/echo (3389239). DynamoRIO CPU Simulator internal crash at PC 0x000073070af7f1d3. Please report this at http://dynamorio.org/issues. Program aborted.
Received SIGSEGV at pc 0x000073070af7f1d3 in thread 3389239
Base: 0x000073070b200000
Registers:eax=0x0000000000000000 ebx=0x00007304c72fb060 ecx=0x0000000000000000 edx=0x00000000fbad248c
esi=0x00000000fbad0000 edi=0x00007ffe51087070 esp=0x00007ffe51087068 ebp=0x0000000000000000
r8 =0x000073070b1050c0 r9 =0x000073070adf0e58 r10=0x000073070b3ee000 r11=0x0000000000000246
r12=0x00007ffe51087070 r13=0x000073070b10aa50 r14=0x00007304c723d940 r15=0x00007ffe51087438
eflags=0x0000000000010246
version 10.93.19902, custom build
-no_dynamic_options -client_lib '/home/user/dynamorio/build/clients/lib64/release/libdrcpusim.so;0;' -client_lib64 '/home/user/dynamorio/build/clients/lib64/release/libdrcpusim.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_c
0x00007304c728d080 0x0000000000000000>

Output (debug):

<Starting application /usr/bin/echo (3396868)>
<Initial options = -no_dynamic_options -client_lib '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -client_lib64 '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<spurious rep/repne prefix @0x000074ff6b985540 (f3 0f 1e fa): >
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so' 0x000074ff27c07a90
add-symbol-file '/home/user/dynamorio/build/lib64/debug/libdynamorio.so' 0x000074ff6bc4e000
add-symbol-file '/home/user/dynamorio/build/ext/lib64/debug/libdrmgr.so' 0x000074ff27c5acb0
add-symbol-file '/lib/x86_64-linux-gnu/libstdc++.so.6' 0x000074ff6b675420
add-symbol-file '/lib/x86_64-linux-gnu/libm.so.6' 0x000074ff6bb263a0
add-symbol-file '/lib/x86_64-linux-gnu/libc.so.6' 0x000074ff6b916700
add-symbol-file '/usr/lib64/ld-linux-x86-64.so.2' 0x000074ff6c129090
add-symbol-file '/lib/x86_64-linux-gnu/libgcc_s.so.1' 0x000074ff6c109660

<(1+x) Handling our fault in a TRY at 0x000074ff6bec8d80>
<Application /usr/bin/echo (3396868). DynamoRIO CPU Simulator internal crash at PC 0x000074ff6b97f1d3. Please report this at http://dynamorio.org/issues. Program aborted.
Received SIGSEGV at pc 0x000074ff6b97f1d3 in thread 3396868
Base: 0x000074ff6bc00000
Registers:eax=0x0000000000000000 ebx=0x000074fd27cfc270 ecx=0x0000000000000000 edx=0x00000000fbad248c
esi=0x00000000fbad0000 edi=0x00007ffe3f392380 esp=0x00007ffe3f392378 ebp=0x0000000000000000
r8 =0x000074ff6bb050c0 r9 =0x000074ff6b7f0e58 r10=0x000074ff6bf39258 r11=0x0000000000000246
r12=0x00007ffe3f392380 r13=0x000074ff6bb0aa50 r14=0x000074ff27c112c2 r15=0x000074ff6b7f4e70
eflags=0x0000000000010246
version 10.93.19902, custom build
-no_dynamic_options -client_lib '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -client_lib64 '/home/user/dynamorio/build/clients/lib64/debug/libdrcpusim.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call
0x000074fd27cc70b0 0x000074ff6bf0988f
0x000074fd27cc7260 0x000074ff6bf09944
0x000074fd27cc72c0 0x000074ff6bf0fdac
0x000074fd27cc7370 0x000074ff6bec88c3>

[ivankyluk]

I tried to reproduce the crash on my setup, but it didn't crash. I don't have a setup with OS: Ubuntu 22.04.3 LTS, Compiler: gcc-11.4.0.

dynamorio/build$ git diff
diff --git a/clients/drcpusim/drcpusim.cpp b/clients/drcpusim/drcpusim.cpp
index 65ad5d581..88614b2a6 100644
--- a/clients/drcpusim/drcpusim.cpp
+++ b/clients/drcpusim/drcpusim.cpp
@@ -39,6 +39,7 @@

• • Add ARM support
    */

+#include
#include "dr_api.h"
#include "drmgr.h"
#include "droption.h"
@@ -850,6 +851,8 @@ set_opcode_and_model()
DR_EXPORT void
dr_client_main(client_id_t id, int argc, const char *argv[])
{

• std::ofstream mystream("hello_world.txt", std::ofstream::app);
• using ::dynamorio::droption::droption_parser_t;
  using ::dynamorio::droption::DROPTION_SCOPE_ALL;
  using ::dynamorio::droption::DROPTION_SCOPE_CLIENT;

dynamorio/build$ ./bin64/drrun -c ./clients/lib64/release/libdrcpusim.so -- echo hello world
hello world

dynamorio/build$ ls -lt hello_world.txt
-rw-r----- 1 .... primarygroup 0 Jul 12 16:52 hello_world.txt

Here's the version information:
dynamorio/build$ uname -a
Linux ... 6.6.15-2rodete2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.6.15-2rodete2 (2024-03-19) x86_64 GNU/Linux

dynamorio/build$ gcc --version
gcc (Debian 13.2.0-13) 13.2.0
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Would you be able to debug it further? For example, missing initialization call, or failed private library constructors.

The private loader is best-effort, and we have seen recent problems due to hidden dependencies in these libraries.
#5437 is an example of private loader issue.