Debugger broken after perform additional experimental analysis

[sasdf]

As the title, it got sigsegv after aaaa.
rip register seems be destroyed after the analysis that continuing execution will got sigsegv.

$ uname -a
Linux linux8 4.8.4-1-ARCH #1 SMP PREEMPT Sat Oct 22 18:26:57 CEST 2016 x86_64 GNU/Linux
$ r2 -v
radare2 1.2.0-git 13477 @ linux-x86-64 git.1.1.0-203-gb3b81aa92
commit: b3b81aa926f18fd3e930826ae97712acaae2a925 build: 2017-01-14
$ r2 -d /bin/ls
Process with PID 17544 started...
= attach 17544 17544
bin.baddr 0x00400000
USING 400000
Assuming filepath /bin/ls
asm.bits 64
 -- Control the height of the terminal on serial consoles with e scr.height
[0x7f7dbceb5d70]> dr?rip
0x7f7dbceb5d70
[0x7f7dbceb5d70]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[Oops invalid rangen calls (aac)
[x] Analyze function calls (aac)
[x] Emulate code to find computed references (aae)
[Cannot find section boundaries in here
[x] Analyze consecutive function (aat)
[aav: using from to 0x7f7dbceb5000 0x7f7dbced8000
Using vmin 0x7f7dbceb5000 and vmax 0x7f7dbced8000
aav: using from to 0x7f7dbceb5000 0x7f7dbced8000
Using vmin 0x7f7dbceb5000 and vmax 0x7f7dbced8000
[x] Analyze value pointers (aav)
[Deinitialized mem.0x100000_0xf0000 functions (afta)unc.* functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Type matching analysis for all functions (afta)
[0x7f7dbceb5d70]> dr?rip
0x004022a0
[0x7f7dbceb5d70]> dc
Selecting and continuing: 17544
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00177ff8 code=1 ret=0
[0x004022a6]>

[leberus]

Somehow the register values are changing after aaaa. I could reproduce it with build: 2017-01-19 too.

[sasdf]

It seems caused by afta in aaaa

[0x7f345f6c5d70]> dr~!0x000000
rsp = 0x7ffc9cc2ff90
rip = 0x7f345f6c5d70
rflags = 0x00000200
[0x7f345f6c5d70]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x7f345f6c5d70]> dr~!0x000000
rsp = 0x7ffc9cc2ff90
rip = 0x7f345f6c5d70
rflags = 0x00000200
[0x7f345f6c5d70]> afta
Deinitialized mem.0x100000_0xf0000
[0x7f345f6c5d70]> dr~!0x000000
rsp = 0x00178000
rbp = 0x00178000
rip = 0x004022a0
rflags = 0x00000200
[0x7f345f6c5d70]>

[radare]

because its using esil to emulate code and this will modify the registers in anal->reg, but this is somewhat mixed with debug->reg, so we should probably save the registers before doing esil analysis and restore it back after that. this will be consistent for non-debugger uses too. also, the debugger registers shouldt change with emulation

…

On 19 Jan 2017, at 18:19, sasdf ***@***.***> wrote: It seems caused by afta in aaaa [0x7f2ba0293d70]> dr orax = 0x0000003b rax = 0x00000000 rbx = 0x00000000 rcx = 0x00000000 rdx = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 r11 = 0x00000000 r12 = 0x00000000 r13 = 0x00000000 r14 = 0x00000000 r15 = 0x00000000 rsi = 0x00000000 rdi = 0x00000000 rsp = 0x7fff1198ae90 rbp = 0x00000000 rip = 0x7f2ba0293d70 rflags = 0x00000200 [0x7f2ba0293d70]> aa [x] Analyze all flags starting with sym. and entry0 (aa) [0x7f2ba0293d70]> dr?rip 0x7f2ba0293d70 [0x7f2ba0293d70]> afta Deinitialized mem.0x100000_0xf0000 [0x7f2ba0293d70]> dr?rip 0x004022a0 [0x7f2ba0293d70]> dr orax = 0x0000003b rax = 0x00000000 rbx = 0x00000000 rcx = 0x00000000 rdx = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 r11 = 0x00000000 r12 = 0x00000000 r13 = 0x00000000 r14 = 0x00000000 r15 = 0x00000000 rsi = 0x00000000 rdi = 0x00000000 rsp = 0x00178000 rbp = 0x00178000 rip = 0x004022a0 rflags = 0x00000200 [0x7f2ba0293d70]> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#6538 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3-lmJl9vM8TGWcwPiXqJaHAEBXca6Jks5rT5s1gaJpZM4LoWWC>.

[Maijin]

@oddcoder ^

[radare]

can be "solved" by swapping to a different debugger backend temporarily:

r2 -d ls
dh esil
aeim
aaaa
dh native
dc