From 49fae1bdf86d54931776be520595e77b3f9aa150 Mon Sep 17 00:00:00 2001
From: Derek Bruening <bruening@google.com>
Date: Tue, 18 Oct 2022 15:45:27 -0400
Subject: [PATCH] i#5688: Fix uninitialized state restore field

instrument_restore_nonfcache_state_prealloc() was creating a dr_restore_state_info_t structure but leaving its fragment_info.ilist field unintialized. We fix that here.

Tested on the forthcoming drbbdup state restore event (#5686) which crashed walking the bogus ilist without this fix.

Fixes #5688
---
 core/lib/dr_events.h | 6 ++++--
 core/lib/instrument.c | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/core/lib/dr_events.h b/core/lib/dr_events.h
index 2d78d678e..c261cc05e 100644
--- a/core/lib/dr_events.h
+++ b/core/lib/dr_events.h
@@ -682,7 +682,8 @@ typedef struct _dr_fault_fragment_info_t {
 /**
 * The start address of the code fragment inside the code cache at
 * the exception/signal/translation interruption point. NULL for interruption
- * not in the code cache. Clients are cautioned when examining
+ * not in the code cache (in which case generally only unusual cases of clients
+ * changing memory require restoration). Clients are cautioned when examining
 * code cache instructions to not rely on any details of code
 * inserted other than their own.
 */
@@ -706,7 +707,8 @@ typedef struct _dr_fault_fragment_info_t {
 * When the recreated ilist is not available, this is set to NULL. This
 * may happen when a client returns #DR_EMIT_STORE_TRANSLATIONS, or for
 * DR internal reasons when the app code may not be consistent: for pending
- * deletion or self-modifying fragments.
+ * deletion or self-modifying fragments. It will also be NULL for non-code-cache
+ * cases where \p cache_start_pc is also NULL.
 */
 instrlist_t *ilist;
 } dr_fault_fragment_info_t;
diff --git a/core/lib/instrument.c b/core/lib/instrument.c
index 4cce7bc79..ac08c1c50 100644
--- a/core/lib/instrument.c
+++ b/core/lib/instrument.c
@@ -1900,6 +1900,7 @@ instrument_restore_nonfcache_state_prealloc(dcontext_t *dcontext, bool restore_m
 client_info.fragment_info.cache_start_pc = NULL;
 client_info.fragment_info.is_trace = false;
 client_info.fragment_info.app_code_consistent = true;
+ client_info.fragment_info.ilist = NULL;
 bool res = instrument_restore_state(dcontext, restore_memory, &client_info);
 dr_mcontext_to_priv_mcontext(mcontext, client_mcontext);
 return res;
-- 
GitLab
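Review bot: `client_info` is populated one field at a time, so the added `client_info.fragment_info.ilist = NULL;` closes this gap but leaves the struct exposed to the same uninitialized-field bug the next time `dr_restore_state_info_t` or `dr_fault_fragment_info_t` gains a member; zero-initializing at the declaration (`dr_restore_state_info_t client_info = { 0 };`, or a `memset` of `sizeof client_info`) makes every pointer field NULL by default and lets the explicit assignments serve as documentation of the non-code-cache contract. The declaration of `client_info` and the start of `instrument_restore_nonfcache_state_prealloc` lie outside this hunk, so whether an initializer already exists cannot be confirmed from here. The risk is the one the commit message describes: a client restore-state callback receives indeterminate pointer values and dereferences them, which on a non-crashing run means acting on garbage state rather than a clean NULL it can test for.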