I don't think the problem is a buffer overflow per se, or that it has anything to do with an undefined instruction. I think you may have a wild pointer to the instruction memory or the local nugget of instruction memory the x86 predecoder is processing which ends up pointed to some part of the data segment, and it just happens to be near some string constants which belong to the fault objects including the one you're referring to. Note that below that it talks about the 'Abort exception!' string literal being near where you're accessing too.
Gabe

On Thu, May 18, 2017 at 2:28 PM, Gross, Joe <[email protected]> wrote:
> Hello,
>
> When running an application internally, with the address sanitizer
> enabled, I'm seeing a global buffer overflow in the x86 decoder during
> processExtendedOpcode() and wondered if anybody, possibly Gabe, would know
> a quick solution for this. If anybody would like a trace then I could
> generate this, but unfortunately the binaries that cause the problem are
> internal. The problem seems contained to decoding an unexpected opcode.
> Also the location changes slightly from application to application, so
> there may be several unsupported opcodes.
>
> Joe
>
> ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000454bcdf at pc 0x000000adb323 bp 0x7fff873f1870 sp 0x7fff873f1868
> READ of size 1 at 0x00000454bcdf thread T0
>     #0 0xadb322 in X86ISA::Decoder::processExtendedOpcode(unsigned char const (&) [256]) X86/arch/x86/decoder.cc:460:23
>     #1 0xadb322 in X86ISA::Decoder::doOneByteOpcodeState(unsigned char) X86/arch/x86/decoder.cc:299
>     #2 0xad890d in X86ISA::Decoder::process() X86/arch/x86/decoder.cc:113:21
>     #3 0x1f40de7 in X86ISA::Decoder::moreBytes(X86ISA::PCState const&, unsigned long, unsigned long) X86/arch/x86/decoder.hh:312:9
>     #4 0x1f40de7 in DefaultFetch<O3CPUImpl>::fetch(bool&) X86/cpu/o3/fetch_impl.hh:1313
>     #5 0x1f398fc in DefaultFetch<O3CPUImpl>::tick() X86/cpu/o3/fetch_impl.hh:947:9
>     #6 0x1ec2ba6 in FullO3CPU<O3CPUImpl>::tick() X86/cpu/o3/cpu.cc:565:11
>     #7 0x2eaa586 in EventQueue::serviceOne() X86/sim/eventq.cc:228:16
>     #8 0x2efd8d4 in doSimLoop(EventQueue*) X86/sim/simulate.cc:219:37
>     #9 0x2efcd7d in simulate(unsigned long) X86/sim/simulate.cc:132:26
>
> 0x00000454bcdf is located 33 bytes to the left of global variable '<string literal>' defined in 'X86/arch/x86/faults.cc:131:13' (0x454bd00) of size 47
>   '<string literal>' is ascii string 'Unrecognized/invalid instruction executed: %s'
> 0x00000454bcdf is located 14 bytes to the right of global variable '<string literal>' defined in 'X86/arch/x86/faults.cc:122:9' (0x454bcc0) of size 17
>   '<string literal>' is ascii string 'Abort exception!'
> SUMMARY: AddressSanitizer: global-buffer-overflow X86/arch/x86/decoder.cc:460:23 in X86ISA::Decoder::processExtendedOpcode(unsigned char const (&) [256])
> Shadow bytes around the buggy address:
>   0x0000808a1740: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
>   0x0000808a1750: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9
>   0x0000808a1760: f9 f9 f9 f9 00 00 00 00 00 00 00 05 f9 f9 f9 f9
>   0x0000808a1770: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x0000808a1780: 00 00 02 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
> =>0x0000808a1790: 06 f9 f9 f9 f9 f9 f9 f9 00 00 01[f9]f9 f9 f9 f9
>   0x0000808a17a0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
>   0x0000808a17b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
>   0x0000808a17c0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
>   0x0000808a17d0: 03 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
>   0x0000808a17e0: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:     fa
>   Freed heap region:     fd
>   Stack left redzone:    f1
>   Stack mid redzone:     f2
>   Stack right redzone:   f3
>   Stack after return:    f5
>   Stack use after scope: f8
>   Global redzone:        f9
>   Global init order:     f6
>   Poisoned by user:      f7
>   Container overflow:    fc
>   Array cookie:          ac
>   Intra object redzone:  bb
>   ASan internal:         fe
>   Left alloca redzone:   ca
>   Right alloca redzone:  cb
> _______________________________________________
> gem5-dev mailing list
> [email protected]
> http://m5sim.org/mailman/listinfo/gem5-dev
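The distinction Gabe draws above (a one-byte read landing in the global redzone between two string literals from faults.cc, rather than an overrun of the 256-entry table that frame #0 takes as its argument) can be checked mechanically from the ASan text. The following is an added example written for this page, not gem5 code: it parses a constructed copy of the report quoted in the thread plus a second, hypothetical overrun report (the `fill_table` / `example.cc` / `table` names are invented), re-derives the printed distances from the globals' addresses and sizes, maps the bracketed shadow byte through the legend, and emits its own `overrun` / `redzone-wild-pointer` / `redzone-same-file` verdicts based on whether the access touches a global's end and whether the neighbouring globals are defined in the same file as the faulting frame.

```python
# Triage helper for an AddressSanitizer global-buffer-overflow report. It parses the
# report, re-derives the printed distances from the globals' addresses and sizes, maps
# the marked shadow byte through the legend, and separates an off-the-end overrun of a
# named global from a stray pointer landing in the redzone between globals that have
# nothing to do with the faulting frame.
import re
from dataclasses import dataclass

# Constructed sample input, assembled from the report lines quoted in the thread.
SAMPLE_REPORT = """\
ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000454bcdf at pc 0x000000adb323 bp 0x7fff873f1870 sp 0x7fff873f1868
READ of size 1 at 0x00000454bcdf thread T0
    #0 0xadb322 in X86ISA::Decoder::processExtendedOpcode(unsigned char const (&) [256]) X86/arch/x86/decoder.cc:460:23
0x00000454bcdf is located 33 bytes to the left of global variable '<string literal>' defined in 'X86/arch/x86/faults.cc:131:13' (0x454bd00) of size 47
  '<string literal>' is ascii string 'Unrecognized/invalid instruction executed: %s'
0x00000454bcdf is located 14 bytes to the right of global variable '<string literal>' defined in 'X86/arch/x86/faults.cc:122:9' (0x454bcc0) of size 17
  '<string literal>' is ascii string 'Abort exception!'
=>0x0000808a1790: 06 f9 f9 f9 f9 f9 f9 f9 00 00 01[f9]f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Global redzone:        f9
"""
# Constructed contrast case (hypothetical names): a write one past the end of a 64-byte global array.
SAMPLE_OVERRUN = """\
WRITE of size 1 at 0x000000601140 thread T0
    #0 0x4005a3 in fill_table example.cc:12:5
0x000000601140 is located 0 bytes to the right of global variable 'table' defined in 'example.cc:7:15' (0x601100) of size 64
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-fA-F]+ in (.+) (\S+?):(\d+)(?::\d+)?$", re.M)
NEIGHBOR_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']*)' defined in '([^']+?):(\d+)(?::\d+)?' \((0x[0-9a-fA-F]+)\) of size (\d+)", re.M)
SHADOW_RE = re.compile(r"^=>.*\[([0-9a-f]{2})\]", re.M)      # the byte ASan marks with [..]
LEGEND_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+((?:[0-9a-f]{2}\s*)+)$", re.M)


@dataclass
class Neighbor:
    name: str
    file: str
    line: int
    addr: int
    size: int
    side: str       # "left": access lies before this global; "right": it lies past the end
    distance: int   # bytes between the access and the global's nearest edge, as printed


def parse_report(text: str) -> dict:
    m = ACCESS_RE.search(text)
    if m is None:
        raise ValueError("no READ/WRITE line in report")
    access = {"kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16)}
    f = FRAME0_RE.search(text)
    frame0 = {"func": f.group(1), "file": f.group(2), "line": int(f.group(3))} if f else None
    neighbors = [Neighbor(n.group(4), n.group(5), int(n.group(6)), int(n.group(7), 16),
                          int(n.group(8)), n.group(3), int(n.group(2)))
                 for n in NEIGHBOR_RE.finditer(text)]
    legend = {code: lm.group(1) for lm in LEGEND_RE.finditer(text) for code in lm.group(2).split()}
    s = SHADOW_RE.search(text)
    shadow = legend.get(s.group(1), "unknown") if s else None
    return {"access": access, "frame0": frame0, "neighbors": neighbors, "shadow": shadow}


def distance_consistent(access_addr: int, n: Neighbor) -> bool:
    """Re-derive ASan's printed distance from the global's address and size."""
    if n.side == "left":
        return n.addr - access_addr == n.distance
    return access_addr - (n.addr + n.size) == n.distance


def classify(report: dict) -> dict:
    acc = report["access"]["addr"]
    frame_file = report["frame0"]["file"] if report["frame0"] else None
    before = [n for n in report["neighbors"] if n.side == "right"]  # globals ending before the access
    after = [n for n in report["neighbors"] if n.side == "left"]    # globals starting after it
    out = {"consistent": all(distance_consistent(acc, n) for n in report["neighbors"]),
           "shadow": report["shadow"], "verdict": "unknown", "detail": ""}
    hit = [n for n in before if n.distance == 0]   # touching a global's end: ordinary off-the-end index
    if hit:
        out["verdict"], out["detail"] = "overrun", f"one past the end of '{hit[0].name}' ({hit[0].file}:{hit[0].line})"
    elif before and after:
        prev, nxt = before[0], after[0]
        out["gap_bytes"] = nxt.addr - (prev.addr + prev.size)
        out["offset_in_gap"] = prev.distance
        # If neither neighbour is defined where frame #0 lives, the access is not an overrun of the
        # object that frame works on; the pointer itself is wrong.
        related = frame_file in (prev.file, nxt.file)
        out["verdict"] = "redzone-same-file" if related else "redzone-wild-pointer"
        out["detail"] = (f"{prev.distance} bytes into the {out['gap_bytes']}-byte redzone between "
                         f"'{prev.name}' ({prev.file}:{prev.line}) and '{nxt.name}' ({nxt.file}:{nxt.line})")
    return out


if __name__ == "__main__":
    for label, text in (("gem5 report", SAMPLE_REPORT), ("overrun", SAMPLE_OVERRUN)):
        print(label, classify(parse_report(text)))
```

On the quoted report the arithmetic checks out (0x454bd00 - 0x454bcdf = 33 and 0x454bcdf - (0x454bcc0 + 17) = 14), the marked shadow byte f9 resolves to "Global redzone", and the access sits 14 bytes into a 47-byte gap between two faults.cc literals while frame #0 is in decoder.cc, which is exactly the pattern that points at a bad pointer rather than an overrun of the opcode table. The constructed contrast report, whose access is 0 bytes past the end of the global named in the same file as the faulting frame, is classified as a plain overrun.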
