Comments on: Counterfactual Debugging: Dereference Fixpoints

By: Crash Dump Analysis » Blog Archive » Modeling C++ Object Corruption

Crash Dump Analysis » Blog Archive » Modeling C++ Object Corruption — Wed, 18 Aug 2010 15:45:32 +0000

[…] class memory layout I made sure that it points to the same heap address by making vtable pointer a dereference fixpoint. Here is a source code based on how Visual C++ compiler implements objects in […]

By: Crash Dump Analysis » Blog Archive » MemD Category (Categories for the Working Software Defect Researcher, Part 1)

Fri, 08 Jan 2010 09:36:09 +0000

[…] Pointers and their links are also objects and arrows to form a category, called MemP(tr). The following picture illustrates it with the last pointer shown as a dereference fixpoint: […]

By: Dmitry Vostokov

Dmitry Vostokov — Tue, 22 Sep 2009 16:26:18 +0000

Thanks! Dmitry

By: Sol_Ksacap

Sol_Ksacap — Sat, 19 Sep 2009 23:28:11 +0000

Yeah, in case of fixpoint both comparisons indeed are the same. We tried to say what extra-indirection-level comparison will return true even if ‘pc’ is not a fixpoint itself – but rather a pointer to the fixpoint.

Example:

init:
lea eax, [pcx]
mov [eax], eax ; pcx is a fixpoint now
mov [pc], eax ; ‘pc’ and ‘pcx’ have different addresses

check0:
lea eax, [pc]
mov ecx, [eax]
cmp eax, ecx
je PcIsFixpoint ; check will fail

check1:
mov eax, [pc]
mov ecx, [eax]
cmp eax, ecx
je PcIsFixpointOrPointerToFixpoint ; check will succeed

Btw,.. This blog is awesome

By: Crash Dump Analysis » Blog Archive » Counterfactual Debugging: Data Ordering

Tue, 15 Sep 2009 21:19:45 +0000

[…] discussed dereference fixpoints we come back to the quiz code and see what happens when we execute it after compilation as default […]

By: Dmitry Vostokov

Dmitry Vostokov — Mon, 14 Sep 2009 10:54:17 +0000

Both comparisons do the same thing in the case of a fixpoint and any multiple dereferencing by definition of a fixpont:

if (&pc == (int **)*(int *)*pc)

mov eax,dword ptr [pc] mov ecx,dword ptr [eax] lea edx,[pc] cmp edx,dword ptr [ecx]

Originally I myself believed in underflow in all situations until I suddenly got an infinite loop. I couldn’t believe my eyes and after the investigation as a byproduct I came to the definition of a fixpoint. I plan to write more about this later today.

By: Sol_Ksacap

Sol_Ksacap — Sat, 12 Sep 2009 00:59:29 +0000

>if (pc == (int *)*pc) {…}
Shouldn’t that be “if (&pc == (int**)pc) {…}”?
Otherwise, this comparison can _reliable_ tell what ‘pc’ is a pointer to the fixpoint, not a fixpoint itself, right?

>overflow with an exception, or stack underflow with an exception or loop indefinitely?
Our guess is what if this code will be optimized, it will almost certainly lead to underflow in all situations. But for usual non-optimized “all vars are volatile vars” fetches – this single loop definitely produces lot’s of possibilities

By: dragos

dragos — Fri, 11 Sep 2009 17:35:09 +0000

It will overwrite the thread stack with zeros and it will crash with access violation when reaching StackBase.