Re: Should mem sections have overlapping addresses?

2014-03-13 Thread Sam lia...@constrainttec.com 


As a disclaimer I'm new to binutils, memory mapping and Cygwin covered 
in this post.


I'm not sure if I first need to submit a bug report to 
http://sourceware.org/bugzilla/ ?
(I didn't find any "How to submit a bug FAQ" anywhere on the binutils 
home page)


Let me also apologise up-front for the lengthy post as I couldn't 
condense it further.


My brief was to resolve an issue with a Cygwin 'dumper' utility not 
producing a core.


Dumper makes use of binutils to achieve it's purpose hence the reason 
for this post.
(i.e. postings on Cygwin's mailing list led to the suggestion I make 
this post here)


With that I'll proceed with outlining the journey including my findings 
so far.


For a given process dumper works through sections of memory to determine 
which
are to be excluded from the core dump i.e those with CODE or DEBUGGING 
sections.


I'll begin with the error message given by dumper when run in verbose mode:
(Note objects in question are "airdac_.exe", "sechost.dll" and 
"napinsp.dll")


...
$ dumper -d "C:\Program Files (x86)\Airdac 12.6.22\airdac_.exe" 3356
dumping process #3356 to airdac_.exe.core
got debug event 3
excluding section: name=.text base=0x401000 
size=008d8980

excluding section: name=  .debug_aranges base=0x2699000 size=00230850
excluding section: name= .debug_info base=0x28ca000 
size=151e2063   <== NOTE THIS EXE EXCLUDED SECTION

excluding section: name=.debug_abbrev base=0x17aad000 size=0023f840
...
added module 0x40 C:\Program Files (x86)\Airdac 12.6.22\airdac_.exe
...
got debug event 6
excluding section: name=   .text base=0x2b21000 
size=00012c1b<== DLL SEC OVERLAPS with EXCLUSION ABOVE?

added module 0x768d C:\Windows\SysWOW64\sechost.dll
...
got debug event 6
excluding section: name=   .text base=0x3321000 
size=b03c<== DLL SEC OVERLAPS with EXCLUSION ABOVE?

added module 0x73c8 C:\Windows\system32\napinsp.dll
...


I then ran 'objdump' against the EXE and DLLs named above by way of 
comparison:



$ objdump -h airdac_.exe
airpac_.exe: file format pei-i386
Sections:
Idx Name  Size  VMA   LMA   File off  Algn
  0 .text 008d8980  00401000  00401000  0400  2**4
  CONTENTS, ALLOC, LOAD, READONLY, CODE, DATA
  ...
  7 .debug_info   151e2063  028ca000  028ca000  024b3000  2**0 <== VMA 
and SIZE match-up with trace above

  CONTENTS, READONLY, DEBUGGING
...

$ objdump -h "C:\Windows\SysWOW64\sechost.dll"
C:\Windows\SysWOW64\sechost.dll: file format pei-i386
Sections:
Idx Name  Size  VMA   LMA   File off  Algn
  0 .text 00012c1b  02b21000  02b21000  0600 2**2 
<== VMA and SIZE match-up with trace above

  CONTENTS, ALLOC, LOAD, READONLY, CODE
...

$ objdump -h "C:\Windows\system32\napinsp.dll"
C:\Windows\system32\napinsp.dll: file format pei-i386
Sections:
Idx Name  Size  VMA   LMA   File off  Algn
  0 .text b03c  03321000  03321000  0400  2**2   <== 
VMA and SIZE match-up with trace above

  CONTENTS, ALLOC, LOAD, READONLY, CODE
...


Herein lies the issue where both dumper and objdump identify sections 
which overlap by
address for a given process. This leads me to the main question for this 
post:



SHOULD SECTIONS BELONGING TO THE SAME PROCESS(plus it's DLLs) EVER HAVE 
OVERLAPPING VMAs?


Dumper logic suggests it shouldn't occur and fails hence an answer will 
determine the fix.



Not sure there's value in providing the following information but 
nonetheless here it is.


By way of context I'll give a very brief overview on how dumper 
determines which sections
to exclude. The two source files referred to in this post (i.e. 
dumper.cc & parse_pe.cc)

can be accessed via these two links:

http://cygwin.com/cgi-bin/cvsweb.cgi/src/winsup/utils/dumper.cc?cvsroot=src
http://cygwin.com/cgi-bin/cvsweb.cgi/src/winsup/utils/parse_pe.cc?cvsroot=src

Inside dumper.cc there's a while loop acting on debug events for a given 
process.
For PROCESS & DLL DEBUG EVENTs it calls add_module(...) for subsequent 
processing.


dumper::collect_process_information()
{
...
  while (1)
  {
  if (!WaitForDebugEvent (¤t_event, 2))
  ...
  switch (current_event.dwDebugEventCode)
  {
...
case CREATE_PROCESS_DEBUG_EVENT:
  add_module (current_event.u.CreateProcessInfo.lpBaseOfImage);
  ...
  break;
...
case LOAD_DLL_DEBUG_EVENT:
  add_module (current_event.u.LoadDll.lpBaseOfDll);
  ...
  break;
...
   }
   ...
   }
}
...
dumper::add_module (LPVOID base_address)
{
  ...
  parse_pe (module_name, excl_list);
  ...
}


Inside of parse_pe.cc is where the binutil activity occurs. The relevant 
code which
surveys process mem sections to find exclusions & generate trace shown 
above follows:


...
p

Re: Should mem sections have overlapping addresses?

2014-03-17 Thread Sam lia...@constrainttec.com 


I very much appreciate your response Alan.

This is very helpful and explains why Cygwin dumper gets in a bind as it
assumes all CODE & DEBUGGING flagged sections are in memory.

Thanks again,
Sam


On 16/03/14 20:40, Alan Modra wrote:

On Fri, Mar 14, 2014 at 11:15:38AM +1100, Sam Liapis at constrainttec dot com 
wrote:

$ objdump -h airdac_.exe
airpac_.exe: file format pei-i386
Sections:
Idx Name  Size  VMA   LMA   File off  Algn
   0 .text 008d8980  00401000  00401000  0400  2**4
   CONTENTS, ALLOC, LOAD, READONLY, CODE, DATA
   ...
   7 .debug_info   151e2063  028ca000  028ca000  024b3000  2**0 <== VMA and 
SIZE match-up with trace above
   CONTENTS, READONLY, DEBUGGING

As you can see from the flags above, .debug_info is not ALLOC, LOAD.
This means the section is not loaded into memory and the VMA is
irrelevant.  Another DLL could well occupy this space, because
airpac_.exe does not use that memory.



___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils

Re: Should mem sections have overlapping addresses?

2014-03-20 Thread Sam lia...@constrainttec.com 


Hi Alan,

Correspondence on Cygwin mailing list and further testing reveals 
loading differs on windows/i386 platform.
i.e windows maps the entire file into memory even the NOLOAD sections 
hence the issue still remains.


My original problem relates to a Cygwin dumper which traverses all 
section of an application plus it's DLLs.
What I've found is that around half of the loaded DLLs have wrong VMAs 
returned for their .text sections.
As it uses binutils to ascertain these memory locations I'm looking for 
some pointers on how to solve this.


Any further insights or suggestions would be greatly appreciated.

Thanks,
Sam


On 18/03/14 09:54, Sam Liapis AT constrainttec dot com wrote:


I very much appreciate your response Alan.

This is very helpful and explains why Cygwin dumper gets in a bind as it
assumes all CODE & DEBUGGING flagged sections are in memory.

Thanks again,
Sam


On 16/03/14 20:40, Alan Modra wrote:
On Fri, Mar 14, 2014 at 11:15:38AM +1100, Sam Liapis at constrainttec 
dot com wrote:

$ objdump -h airdac_.exe
airpac_.exe: file format pei-i386
Sections:
Idx Name  Size  VMA   LMA   File off  Algn
   0 .text 008d8980  00401000  00401000  0400 2**4
   CONTENTS, ALLOC, LOAD, READONLY, CODE, DATA
   ...
   7 .debug_info   151e2063  028ca000  028ca000  024b3000 2**0 <== 
VMA and SIZE match-up with trace above

   CONTENTS, READONLY, DEBUGGING

As you can see from the flags above, .debug_info is not ALLOC, LOAD.
This means the section is not loaded into memory and the VMA is
irrelevant.  Another DLL could well occupy this space, because
airpac_.exe does not use that memory.



___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils