flat assembler
Message board for the users of flat assembler.

VC++ null pointer dereference

mindcooler
I'm writing my thesis in C++ in Visual Studio, and somehow got this output:

Code:
00910B39    6A 00           PUSH 0
00910B3B    6A 0B           PUSH 0B
00910B3D    FF15 68A29200   CALL [DWORD DS:92A268]
00910B43    83C4 08         ADD ESP,8
00910B46    A1 00000000     MOV EAX,[DWORD DS:0]
00910B4B    FF05 98599400   INC [DWORD DS:945998]
00910B51    C705 00000000 2 MOV [DWORD DS:0],2A
00910B5B  - FF25 4CA29200   JMP [DWORD DS:92A24C]    


Needless to say, it segfaults at MOV EAX,[DWORD DS:0].

Any idea how this could have happened? Does it serve a purpose? I'm using a proprietary library, so it's possibly not VS's fault.

Here is the possible culprit:

Code:
stringreplace(_switch,"<edge_false>",edge_false->target()->routine()->name()+'_'+int2HEX(edge->target()->find_int("persistent_id")));    


Edit:

Before I even posted this, I found the error:

Code:
1>e:\_arkiv\skola\exjobb\svn\workdir\src\crl2alf2\crl2alf2.cpp(357): warning C4700: uninitialized local variable 'edge' used    


Code:
stringreplace(_switch,"<edge_false>",edge_false->target()->routine()->name()+'_'+int2HEX(edge_false->target()->find_int("persistent_id")));


But how does an uninitialized variable end up as 0? Optimization is disabled.

Post 11 Feb 2011, 17:02
revolution
"uninitialized" means just that, uninitialized. It could be anything. Just whatever was left over in memory from the previous usage.
Post 11 Feb 2011, 17:09
mindcooler
It's not what happens to be at the variable's address, its _address_ is 0.
Post 11 Feb 2011, 17:11
revolution
BTW: "MOV [DWORD DS:0],2A" is a '*' character. The code is storing '*' somewhere. Maybe you are looking at the wrong place?
Post 11 Feb 2011, 17:14
mindcooler
Well, that's where Olly put me when JIT-ing.
Post 11 Feb 2011, 17:25
revolution
What I mean is that perhaps the compilation warning is unrelated to the error shown in Olly.

I suppose 0x2a could also be 42. Do you have a constant of 42 or '*' in your source?
Post 11 Feb 2011, 17:33
mindcooler
The segfault disappears when I use the correct variable instead, so they are clearly linked.

No, I can't say I handle '*'s in my code.
Post 11 Feb 2011, 17:43
revolution
You could make a little test program:
Code:
printf("%d",nonce);    
What does it compile to?

And compare to:
Code:
int nonce;
printf("%d",nonce);    
And also compare to:
Code:
int nonce;
nonce=0;
printf("%d",nonce);    
Post 11 Feb 2011, 18:05
mindcooler
Code:
 int *local;
 printf("%d",*local);    


Works as expected, no segfault.

Post 11 Feb 2011, 18:17
revolution
Try with:
Code:
printf("%d",edge->target()->find_int("persistent_id"));    


Otherwise, to fix it I recommend you switch to assembly.
Post 11 Feb 2011, 18:23
mindcooler
I wish!

Nah, I'll just add this to the list of "why"s regarding C++ and VS.
Post 11 Feb 2011, 18:26
vid
It doesn't seem to me that the Asm code corresponds to the given C code. Maybe if you gave the full proc where it happens, we could make this clear. The VC compiler would IMO hardly mess up something simple like this.
Post 11 Feb 2011, 20:09
mindcooler
No, it's possible that it's not the variable that is [0], but that the uninitialized pointer jumps randomly to some place, probably in the library I'm using. Still, why should the library contain something like that, except for deliberately generating an exception? Even then it doesn't make sense. And it doesn't look like random data bytes either.
Post 11 Feb 2011, 20:14
vid
It does seem to me a bit like deliberate exception (followed by usual "handler wasn't called" mark saved in a variable). You should first identify where that code lies. Is it inside the linked library?
Post 11 Feb 2011, 20:58
mindcooler
I don't know how to find the source of the exception in VS, and the sections don't have any names I can identify them with.
Post 11 Feb 2011, 21:39
vid
Based on the address, this IMO isn't part of your code (it would have to be huge), but some allocated memory (most likely a DLL you link to). You should be able to tell what exactly is loaded at a given address, using SysInternals VMMap for example.
Post 11 Feb 2011, 22:51
madmatt
Hello mindcooler,
You said you're using Visual Studio, so have you tried turning on assembly output in your project? It should have a setting in your project properties that will let you output opcodes, assembly source, and C source in one file. This should help you greatly in finding where the problem is.
Here is where you go: Configuration Properties -> C/C++ -> Output Files -> Assembler Output
Post 11 Feb 2011, 23:52
mindcooler
I only get the code for my C++, and I can't find any null dereferencing there.

VMMap shows the address to be in the single .text section of my executable. It's clearly not my own code, but I can't determine whether it is a C++ lib or the proprietary one. Might be C++'s own, as there are references to strings like:

vector<T> too long
Assertion in function %s failed:Failure: %s
Preprocessed: %s
Post 12 Feb 2011, 12:33
vid
If it is part of .text section of your executable, compile your executable with map file output enabled. In command line it is "/MAP:filename" linker switch (I don't remember where in GUI it is, you should be able to find it).

You should be able to locate address in map file.
Post 12 Feb 2011, 13:57
mindcooler
Seems to be around here:

Code:
 0001:0004fdf0       ?err_crash@@YAXXZ          00450df0 f   ur:callback.cpp.obj
 0001:0004fe30       ?err_exit_1@@YAXHHHPBUErrLocation@@PBD@Z 00450e30 f   ur:callback.cpp.obj
 0001:0004fe60       ?err_abort@@YAXHHHPBUErrLocation@@PBD@Z 00450e60 f   ur:callback.cpp.obj    

Post 12 Feb 2011, 14:40
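As an added example of vid's advice to locate a faulting address in the linker's /MAP output (this is not code from the thread, from Visual Studio, or from the library mindcooler links against): it parses symbol lines of the shape posted above and returns the function whose start lies nearest below a given address. The fourth map line and all lookup addresses are constructed; the rebase parameters assume the image was loaded at a base other than the map's preferred one, which is why a crash seen at 0x00910B39 may have to be translated before it matches entries near 0x00450df0.

```python
import re

# Constructed sample: the three map lines from the post above plus one
# made-up entry, so the last real symbol has a neighbour after it.
SAMPLE_MAP = """\
 0001:0004fdf0       ?err_crash@@YAXXZ          00450df0 f   ur:callback.cpp.obj
 0001:0004fe30       ?err_exit_1@@YAXHHHPBUErrLocation@@PBD@Z 00450e30 f   ur:callback.cpp.obj
 0001:0004fe60       ?err_abort@@YAXHHHPBUErrLocation@@PBD@Z 00450e60 f   ur:callback.cpp.obj
 0001:0004fea0       ?made_up_next@@YAXXZ       00450ea0 f   ur:callback.cpp.obj
"""

# One symbol line of an MSVC /MAP file: section:offset, decorated name,
# linked address (RVA + preferred base), then flags such as 'f' and the
# object file. Header and blank lines do not match and are skipped.
MAP_LINE = re.compile(
    r"^\s*(?P<sect>[0-9a-fA-F]{4}):(?P<off>[0-9a-fA-F]{8})\s+"
    r"(?P<sym>\S+)\s+(?P<addr>[0-9a-fA-F]{8})\s*(?P<rest>.*)$"
)


def parse_map(text):
    """Return [(linked_address, symbol, object_file)] sorted by address."""
    entries = []
    for line in text.splitlines():
        m = MAP_LINE.match(line)
        if not m:
            continue
        fields = m.group("rest").split()
        obj = fields[-1] if fields else ""   # last field is the .obj
        entries.append((int(m.group("addr"), 16), m.group("sym"), obj))
    entries.sort()
    return entries


def locate(entries, addr, preferred_base=None, actual_base=None):
    """Return (symbol, object, offset) for the symbol starting at or before
    addr, or None if addr is below the first symbol. The map has no end
    address per symbol, so the last entry claims everything after it.

    If the crash address was captured with the image relocated (ASLR or a
    base conflict), pass both bases and it is translated to map coordinates.
    """
    if preferred_base is not None and actual_base is not None:
        addr = addr - actual_base + preferred_base
    best = None
    for start, sym, obj in entries:
        if start > addr:
            break
        best = (sym, obj, addr - start)
    return best
```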
Copyright © 1999-2020, Tomasz Grysztar.