Bug 369409 - vex amd64->IR: unhandled instruction bytes: 0x48 0xF 0xC7 0xF0 0x72 0x2 0xE2 0xF8
Status: REPORTED
Alias: None
Product: valgrind
Classification: Developer tools
Component: memcheck (other bugs)
Version First Reported In: 3.11.0
Platform: Ubuntu Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Julian Seward
Reported: 2016-09-27 06:35 UTC by ssl
Modified: 2017-05-05 15:15 UTC


Attachments
get from openssl test (2.31 MB, application/x-bzip2)
2016-09-27 06:35 UTC, ssl

Description ssl 2016-09-27 06:35:26 UTC
Created attachment 101311
get from openssl test

process 41826 is executing new program: /usr/lib/valgrind/memcheck-amd64-linux
==41826== Memcheck, a memory error detector
==41826== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==41826== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==41826== Command: ./sslapitest ./server.pem ./server.pem
==41826== 
./sslapitest: 91 test cases
vex amd64->IR: unhandled instruction bytes: 0x48 0xF 0xC7 0xF0 0x72 0x2 0xE2 0xF8
vex amd64->IR:   REX=1 REX.W=1 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR:   VEX=0 VEX.L=0 VEX.nVVVV=0x0 ESC=0F
vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=0
==41826== valgrind: Unrecognised instruction at address 0x52f02e5.
==41826==    at 0x52F02E5: OPENSSL_ia32_rdrand (x86_64cpuid.s:336)
==41826==    by 0x5277CE7: rand_bytes (md_rand.c:456)
==41826==    by 0x5278076: rand_nopseudo_bytes (md_rand.c:525)
==41826==    by 0x527859F: RAND_bytes (rand_lib.c:106)
==41826==    by 0x4E74A53: SSL_CTX_new (ssl_lib.c:2431)
==41826==    by 0x404F0B: create_ssl_ctx_pair (ssltestlib.c:532)
==41826==    by 0x40251E: execute_test_large_message (sslapitest.c:50)
==41826==    by 0x4026CB: test_large_message_tls (sslapitest.c:104)
==41826==    by 0x40558C: run_tests (testutil.c:69)
==41826==    by 0x403F11: main (sslapitest.c:871)
==41826== Your program just tried to execute an instruction that Valgrind
==41826== did not recognise.  There are two possible reasons for this.
==41826== 1. Your program has a bug and erroneously jumped to a non-code
==41826==    location.  If you are running Memcheck and you just saw a
==41826==    warning about a bad jump, it's probably your program's fault.
==41826== 2. The instruction is legitimate but Valgrind doesn't handle it,
==41826==    i.e. it's Valgrind's fault.  If you think this is the case or
==41826==    you are not sure, please let us know and we'll try to fix it.
==41826== Either way, Valgrind will now raise a SIGILL signal which will
==41826== probably kill your program.
==41826== 
==41826== Process terminating with default action of signal 4 (SIGILL)
==41826==  Illegal opcode at address 0x52F02E5
==41826==    at 0x52F02E5: OPENSSL_ia32_rdrand (x86_64cpuid.s:336)
==41826==    by 0x5277CE7: rand_bytes (md_rand.c:456)
==41826==    by 0x5278076: rand_nopseudo_bytes (md_rand.c:525)
==41826==    by 0x527859F: RAND_bytes (rand_lib.c:106)
==41826==    by 0x4E74A53: SSL_CTX_new (ssl_lib.c:2431)
==41826==    by 0x404F0B: create_ssl_ctx_pair (ssltestlib.c:532)
==41826==    by 0x40251E: execute_test_large_message (sslapitest.c:50)
==41826==    by 0x4026CB: test_large_message_tls (sslapitest.c:104)
==41826==    by 0x40558C: run_tests (testutil.c:69)
==41826==    by 0x403F11: main (sslapitest.c:871)
==41826== 
==41826== HEAP SUMMARY:
==41826==     in use at exit: 102,889 bytes in 3,206 blocks
==41826==   total heap usage: 3,510 allocs, 304 frees, 155,677 bytes allocated
==41826== 
==41826== LEAK SUMMARY:
==41826==    definitely lost: 0 bytes in 0 blocks
==41826==    indirectly lost: 0 bytes in 0 blocks
==41826==      possibly lost: 0 bytes in 0 blocks
==41826==    still reachable: 102,889 bytes in 3,206 blocks
==41826==         suppressed: 0 bytes in 0 blocks
==41826== Reachable blocks (those to which a pointer was found) are not shown.
==41826== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==41826== 
==41826== For counts of detected and suppressed errors, rerun with: -v
==41826== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Program received signal SIGILL, Illegal instruction.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x4 
RCX: 0x3809c159 (<do_syscall_WRK+25>:	ret)
RDX: 0x0 
RSI: 0x4 
RDI: 0xa362 
RBP: 0x3 
RSP: 0x802bade68 --> 0x3809c23d (<vgPlain_do_syscall+13>:	mov    rdx,rax)
RIP: 0x3809c159 (<do_syscall_WRK+25>:	ret)
R8 : 0x0 
R9 : 0x0 
R10: 0x0 
R11: 0x206 
R12: 0x1c00 
R13: 0x3 
R14: 0x0 
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x3809c14f <do_syscall_WRK+15>:	mov    r8,r9
   0x3809c152 <do_syscall_WRK+18>:	mov    r9,QWORD PTR [rsp+0x8]
   0x3809c157 <do_syscall_WRK+23>:	syscall 
=> 0x3809c159 <do_syscall_WRK+25>:	ret    
   0x3809c15a <do_syscall_WRK+26>:	nop    WORD PTR [rax+rax*1+0x0]
   0x3809c160 <vgPlain_mk_SysRes_ppc32_linux>:	and    esi,0x1
   0x3809c163 <vgPlain_mk_SysRes_ppc32_linux+3>:	xor    eax,eax
   0x3809c165 <vgPlain_mk_SysRes_ppc32_linux+5>:	mov    edx,edi
[------------------------------------stack-------------------------------------]
0000| 0x802bade68 --> 0x3809c23d (<vgPlain_do_syscall+13>:	mov    rdx,rax)
0008| 0x802bade70 --> 0x0 
0016| 0x802bade78 --> 0x1 
0024| 0x802bade80 --> 0x3819b990 ("mk_free_bszB")
0032| 0x802bade88 --> 0x38087ef2 (<vgPlain_kill+34>:	test   al,al)
0040| 0x802bade90 --> 0x0 
0048| 0x802bade98 --> 0x0 
0056| 0x802badea0 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGILL
0x000000003809c159 in do_syscall_WRK ()
─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x000000003809c14f do_syscall_WRK+15 mov    r8,r9
0x000000003809c152 do_syscall_WRK+18 mov    r9,QWORD PTR [rsp+0x8]
0x000000003809c157 do_syscall_WRK+23 syscall 
0x000000003809c159 do_syscall_WRK+25 ret    
0x000000003809c15a do_syscall_WRK+26 nop    WORD PTR [rax+rax*1+0x0]
─── Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   rax 0x0000000000000000     rbx 0x0000000000000004     rcx 0x000000003809c159     rdx 0x0000000000000000     rsi 0x0000000000000004     rdi 0x000000000000a362     rbp 0x0000000000000003     rsp 0x0000000802bade68      r8 0x0000000000000000      r9 0x0000000000000000 
   r10 0x0000000000000000     r11 0x0000000000000206     r12 0x0000000000001c00     r13 0x0000000000000003     r14 0x0000000000000000     r15 0x0000000000000000     rip 0x000000003809c159  eflags [ PF IF ]               cs 0x00000033              ss 0x0000002b         
    ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000         
─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x000000003809c159 in do_syscall_WRK+25
(no arguments)
[1] from 0x000000003809c23d in vgPlain_do_syscall+13 at m_syscall.c:956
arg sysno = 0x3e
arg a1 = <optimized out>
arg a2 = 0x4
arg a3 = 0x0
arg a4 = 0x0
arg a5 = 0x0
arg a6 = 0x0
arg a7 = 0x0
arg a8 = 0x0
[+]
─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 41826 name memcheck-amd64- from 0x000000003809c159 in do_syscall_WRK+25
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> bt
#0  0x000000003809c159 in do_syscall_WRK ()
#1  0x000000003809c23d in vgPlain_do_syscall (sysno=sysno@entry=0x3e, a1=<optimized out>, a2=a2@entry=0x4, a3=a3@entry=0x0, a4=a4@entry=0x0, a5=a5@entry=0x0, a6=0x0, a7=0x0, a8=0x0) at m_syscall.c:956
#2  0x0000000038087ef2 in vgPlain_kill (pid=<optimized out>, signo=signo@entry=0x4) at m_libcsignal.c:350
#3  0x00000000380999cf in vgPlain_kill_self (sigNo=0x4) at m_signals.c:1595
#4  0x0000000038089051 in shutdown_actions_NORETURN (tid=0x1, tids_schedretcode=VgSrc_FatalSig) at m_main.c:2725
#5  0x00000000380e3a89 in run_a_thread_NORETURN (tidW=0x1) at m_syswrap/syswrap-linux.c:198
#6  0x0000000000000000 in ?? ()
Comment 1 Mark Wielaard 2016-09-27 06:48:37 UTC
The description and second backtrace don't match the illegal instruction message you are seeing.
Given this is with Ubuntu, I suspect this is:
https://bugs.launchpad.net/ubuntu/+source/valgrind/+bug/1501545
Which was fixed upstream with:
https://bugs.kde.org/show_bug.cgi?id=353370
Comment 2 ssl 2016-09-28 03:15:08 UTC
It crashed too when I built it from valgrind SVN source code.
Comment 3 Ivo Raisr 2017-05-05 15:13:42 UTC
Please can you try with the latest Valgrind from upstream SVN?
We need the unrecognized instruction - you can obtain it from gdb, objdump...
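Decoding the eight bytes quoted in the VEX message above, as an added example that is not part of this report or of the Valgrind project: a small Python decoder covering only the encodings those bytes use (an optional REX prefix, the 0F C7 /6 RDRAND and /7 RDSEED register forms, JC rel8 and LOOP rel8, per the Intel SDM). VEX_LINE is a copy of the log line from the description; the function names are the example's own.

```python
import re

# Copy of the VEX line from this report's Valgrind output (the example's constructed input).
VEX_LINE = "vex amd64->IR: unhandled instruction bytes: 0x48 0xF 0xC7 0xF0 0x72 0x2 0xE2 0xF8"

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]

def parse_vex_bytes(line):
    """Extract the byte list VEX printed after 'unhandled instruction bytes:'."""
    m = re.search(r"unhandled instruction bytes:\s*((?:0x[0-9a-fA-F]+\s*)+)$", line)
    if not m:
        raise ValueError("not a VEX unhandled-instruction line")
    return [int(tok, 16) for tok in m.group(1).split()]

def decode_rex(b):
    """Split a REX byte (0x40..0x4F) into W/R/X/B, the fields VEX prints on its REX= line."""
    return {"W": (b >> 3) & 1, "R": (b >> 2) & 1, "X": (b >> 1) & 1, "B": b & 1}

def disassemble(code):
    """Toy decoder for just the encodings in this report: optional REX, 0F C7 /6 (RDRAND)
    and /7 (RDSEED) register forms, JC rel8 (72), LOOP rel8 (E2). Anything else raises."""
    out, i = [], 0
    while i < len(code):
        rex = {"W": 0, "R": 0, "X": 0, "B": 0}
        if 0x40 <= code[i] <= 0x4F:            # REX prefix (64-bit mode only)
            rex, i = decode_rex(code[i]), i + 1
        op = code[i]
        if op == 0x0F and i + 2 < len(code) and code[i + 1] == 0xC7:
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 3 or reg not in (6, 7):
                raise ValueError("0F C7 form other than RDRAND/RDSEED register form")
            regs = REG64 if rex["W"] else REG32   # 66-prefixed 16-bit form deliberately not handled
            out.append(("rdrand" if reg == 6 else "rdseed") + " " + regs[rm | (rex["B"] << 3)])
            i += 3
        elif op in (0x72, 0xE2):                # JC rel8 / LOOP rel8: signed 8-bit displacement
            disp = code[i + 1] - 256 if code[i + 1] >= 128 else code[i + 1]
            out.append(("jc" if op == 0x72 else "loop") + " %+d" % disp)
            i += 2
        else:
            raise ValueError("opcode 0x%02X not handled by this toy decoder" % op)
    return out

if __name__ == "__main__":
    for insn in disassemble(parse_vex_bytes(VEX_LINE)):
        print(insn)               # rdrand rax / jc +2 / loop -8
```

The result, rdrand rax followed by a jc/loop retry, is consistent with the OPENSSL_ia32_rdrand frame at the top of the Valgrind backtrace, and the fields decode_rex returns for 0x48 can be checked against the REX= line VEX printed.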