CRASH - AArch64 dr_create_client_thread segmentation fault app_lib_tls
Created by: AlfiePowers
Describe the bug
Following the various setup functions required for the client to run, calling dr_create_client_thread on the main client thread segfaults as a result of an attempt to dereference os_tls->app_lib_tls_base (core/unix/os.c:6400). The address points to NULL + offset. Tracing this backwards, it seems like DynamoRIO reads the tpidr_el0 register when calling get_segment_base; however, we do not appear to set this register at any point.
My assumption is that the intended behaviour is that we create a TLS struct for the app within the os_tls_init function and store a pointer to this struct in the tpidr register; however, for some reason this is not happening on AArch64. I have been unable to narrow down the reason for this. Thus, when we attempt to read the register back within the os_switch_seg_to_context function, there is invalid TLS storage for the app.
I have not been able to test on x86 how the behaviour is expected to work; however, I am fairly sure this is specific to AArch64.
To Reproduce
Steps to reproduce the behavior:
- On an AArch64 machine, set up a base client with the example.
- Call dr_create_client_thread with some handler function.
- DynamoRIO should segfault and exit.
Please also answer these questions:
- What happens when you run without any client? -> Haven't been able to test
- What happens when you run with debug build ("-debug" flag to drrun/drconfig/drinject)? ->

```
Received SIGSEGV at pc 0x0000ffffaddc05b8 in thread 8619
Base: 0x0000ffffadad0000
Registers: eflags=0x0000000080000000
version 7.91.18278, custom build
0x0000ffffcfb5c850 0x0000ffffaddc0430
0x0000ffffcfb5c8e0 0x0000ffffaddb5fe8
0x0000ffffcfb5c900 0x0000ffffaddb8e80
0x0000ffffcfb5c920 0x0000000043cc1df0
0x0000ffffcfb5c980 0x0000ffffadc9a608
0x0000ffffcfb5ca50 0x0000ffffadaf9590
0x0000ffffcfb5ca90 0x0000ffffadde9368
0x0000ffffcfb5d2c0 0x0000ffffaddb23e0
```
Expected behavior
The callback function to be executed on a separate thread.
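A self-contained C diagnostic added here to illustrate the failure mode described in this report; it is not DynamoRIO code and not the reporter's client. It reads the thread-pointer register that the report says get_segment_base consults (tpidr_el0 on AArch64; the fs base on x86-64 Linux and a plain TLS variable address elsewhere serve as stand-ins so the program runs on any host), and shows the guard a practitioner would put in front of a dereference of app_lib_tls_base: when the register was never set, the access lands at NULL + field offset, which is exactly the fault pattern in the crash above. The tls_record_t layout, tls_base_usable() and fault_address() are hypothetical names chosen for this example; only tpidr_el0, get_segment_base and app_lib_tls_base come from the report.

```c
/* Added diagnostic example (not DynamoRIO code). Assumes Linux with GCC or
 * Clang; tls_record_t, tls_base_usable() and fault_address() are hypothetical. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read the user-level thread pointer. On AArch64 this is tpidr_el0, the
 * register the report says get_segment_base reads back. On x86-64 Linux the
 * counterpart is the fs base; glibc stores a self-pointer in its first word,
 * so %fs:0 yields the base. Elsewhere fall back to any TLS variable's address. */
static uintptr_t read_thread_pointer(void)
{
    uintptr_t tp;
#if defined(__aarch64__)
    __asm__ volatile("mrs %0, tpidr_el0" : "=r"(tp));
#elif defined(__x86_64__) && defined(__linux__)
    __asm__ volatile("mov %%fs:0, %0" : "=r"(tp));
#else
    static __thread int probe;
    tp = (uintptr_t)&probe;
#endif
    return tp;
}

/* Hypothetical per-thread record carrying the field named in the report. */
typedef struct {
    void *self;
    void *app_lib_tls_base;
} tls_record_t;

/* Address a load of the field would touch: NULL + offset when the base
 * register was never set, which is the fault pattern in the report. */
static uintptr_t fault_address(uintptr_t base, size_t field_offset)
{
    return base + field_offset;
}

/* 1 if base is plausibly a real TLS block, 0 for the unset-register case. */
static int tls_base_usable(uintptr_t base, size_t field_offset)
{
    if (base < 4096) { /* anything in the zero page is NULL + small offset */
        fprintf(stderr,
                "TLS base 0x%" PRIxPTR " is unset; access would fault at 0x%" PRIxPTR "\n",
                base, fault_address(base, field_offset));
        return 0;
    }
    return 1;
}

/* Guarded read of app_lib_tls_base: returns NULL (and reports) instead of
 * taking SIGSEGV when the base register was never initialised. */
static void *read_app_lib_tls_base(uintptr_t base)
{
    size_t off = offsetof(tls_record_t, app_lib_tls_base);
    if (!tls_base_usable(base, off))
        return NULL;
    return ((tls_record_t *)base)->app_lib_tls_base;
}

int main(void)
{
    uintptr_t tp = read_thread_pointer();
    printf("thread pointer: 0x%" PRIxPTR "\n", tp);

    /* Constructed record standing in for a correctly initialised TLS block. */
    tls_record_t rec;
    rec.self = &rec;
    rec.app_lib_tls_base = (void *)0x1234;
    printf("app_lib_tls_base via valid base: %p\n",
           read_app_lib_tls_base((uintptr_t)&rec));

    /* The report's case: the register was never set, so the base reads as 0. */
    printf("app_lib_tls_base via unset base:  %p\n", read_app_lib_tls_base(0));
    return 0;
}
```

Run on an AArch64 Linux host, the first line prints the live tpidr_el0 value for the calling thread; a zero there would confirm the register was never populated for that thread. The guarded read is the shape of check that would turn the crash in this report into a diagnostic message.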