On Sat, 22 Feb 2014, H. Peter Anvin wrote:

> I'd be interested in how rbp gets set, too.  It might just be a
> coincidence and the value in rbp has some other meaning here.
The code in question does this:

	i=find_random_active_event();
	if (i<0) return;

	if ((event_data[i].mmap)) {
		value=0xdeadbeef;
		memset(event_data[i].mmap,value,getpagesize());

[New LWP 10526]
Core was generated by `./perf_fuzzer -t OCIRMQWPpAi -r 1392938876'.
Program terminated with signal 11, Segmentation fault.
#0  0x0041efab in __memset_sse2 ()
(gdb) bt
#0  0x0041efab in __memset_sse2 ()
#1  0x004017ec in trash_random_mmap () at perf_fuzzer.c:808
#2  main (argc=<optimized out>, argv=<optimized out>) at perf_fuzzer.c:1604

So rbp is set by the imul below; it is the offset into the event_data[i]
array, where the elements have a size of 0x120.

   0x004017bd <+3085>:	callq  0x402ee0 <find_random_active_event>
   0x004017c2 <+3090>:	test   %eax,%eax
   0x004017c4 <+3092>:	js     0x4011e8 <main+1592>
   0x004017ca <+3098>:	imul   $0x120,%eax,%ebp
   0x004017d0 <+3104>:	mov    0x756b2c(%ebp),%eax
   0x004017d7 <+3111>:	test   %eax,%eax
   0x004017d9 <+3113>:	je     0x40183b <main+3211>
   0x004017db <+3115>:	mov    0xc(%esp),%edx
   0x004017e0 <+3120>:	mov    %eax,%edi
   0x004017e2 <+3122>:	mov    $0xdeadbeef,%esi
   0x004017e7 <+3127>:	callq  0x400260
   0x004017ec <+3132>:	testb  $0x20,0x353e76(%rip)        # 0x755669 <logging+

$ 400260:	ff 25 ce 0e 2d 00    	jmpq   *0x2d0ece(%rip)        # 6d1134

$ 0x6d1134:	0x0041e710

Dump of assembler code for function __memset_sse2:
   0x0041e710 <+0>:	cmp    $0x1,%rdx
   0x0041e714 <+4>:	mov    %rdi,%rax
   0x0041e717 <+7>:	jne    0x41e71d <__memset_sse2+13>
   0x0041e719 <+9>:	mov    %sil,(%rdi)

and as far as I can tell nothing touches rbp again until the segfault.
Nothing in __memset_sse2 does, as far as I can tell.

Vince