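/*
 * SIGTRAP skip-over test case, as posted to the darwin-dev list (signed
 * "Cyrus").  The poster's own description of what it shows:
 *
 *   "Here's a slightly modified test case that uses an int $4, instead of
 *   0x09 as the bit that gets skipped over.  In this case, I'm not seeing
 *   the variable corruption, but, with a reasonable frequency (after
 *   1000-4000 iterations or so) we die with a SIGFPE, which seems to be an
 *   attempt to execute the int $4 instruction, instead of skipping over it,
 *   which it successfully does _most of the time_.  It's the times when it
 *   doesn't that are the problem."
 *
 * The program installs a SIGTRAP handler, executes an `int3` immediately
 * followed by an `int $4`, and from the handler advances the saved EIP past
 * the `int $4` so that it should never execute.  Iterations where the
 * fix-up is not honoured are the SIGFPE deaths the poster reports.
 */
#if !defined(__MACH__)
/* glibc hides sigaction()/SA_SIGINFO/SA_NODEFER under -std=c11 otherwise.
 * Deliberately not defined on Darwin, where a strict-POSIX build renames the
 * mcontext register fields that the handler below relies on. */
#define _POSIX_C_SOURCE 200809L
#endif

#include <signal.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__MACH__)
#include <sys/_types.h>
#include <sys/ucontext.h>
typedef struct ucontext os_context_t;
#else
/* The register fix-up is Darwin-specific and compiled out elsewhere; the
 * typedef only keeps the handler's signature the same on every platform. */
#include <ucontext.h>
typedef ucontext_t os_context_t;
#endif

/* When defined, test_trap() emits an `int $4` after `int3` and the handler
 * steps the saved EIP over it. */
#define FROB_EIP

/*
 * SIGTRAP handler: prints the trapping PC and the opcode bytes around it,
 * then (with FROB_EIP) moves the saved EIP past the 2-byte `int $4`.
 *
 * Only the Darwin/Mach context layout (uc_mcontext->ss.eip) is handled; on
 * other systems the handler does nothing.  Two caveats worth knowing before
 * reusing this: the fix-up is applied to *every* SIGTRAP, not only the one
 * raised by test_trap(), and fprintf() is not async-signal-safe -- tolerable
 * in this single-threaded test because the trap is synchronous, but not a
 * pattern for production handlers.
 */
void sigtrap_handler(int signal, siginfo_t *info, void *void_context)
{
    (void)signal;
    (void)info;
#if defined(__MACH__)
    os_context_t *context = (os_context_t *)void_context;
    /* `int3` is one byte, so the saved EIP already points at the `int $4`. */
    unsigned int eip = context->uc_mcontext->ss.eip;

    /* eip-1 is the int3 opcode itself; reading two bytes there shows it
     * together with the first byte of the following `int $4`. */
    fprintf(stderr, "TRAP! PC: %x, *PC: %x", eip,
            *((unsigned short *)(uintptr_t)(eip - 1)));
#ifdef FROB_EIP
    /* `int $4` is a two-byte instruction; skip it. */
    context->uc_mcontext->ss.eip += 2;
#endif
    fprintf(stderr, " fixed-up PC: %x", (context->uc_mcontext->ss.eip));
#else
    (void)void_context;
#endif
}

/*
 * Install sigtrap_handler() for SIGTRAP.  SA_SIGINFO is required so the
 * handler receives the ucontext; SA_NODEFER leaves SIGTRAP unblocked while
 * the handler runs; SA_RESTART restarts interrupted syscalls.
 *
 * A failed sigaction() is reported on stderr but not fatal, matching the
 * throwaway nature of the test (the first int3 would then kill the process).
 */
void install_sigtrap_handler(void)
{
    /* Zero-initialise and clear sa_mask explicitly: the original left the
     * struct indeterminate, which is undefined behaviour and could block an
     * arbitrary set of signals while the handler runs. */
    struct sigaction sa = {0};
    sa.sa_sigaction = sigtrap_handler;
    sa.sa_flags = SA_SIGINFO | SA_RESTART | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, NULL) != 0) {
        perror("sigaction(SIGTRAP)");
    }
}

/*
 * Raise SIGTRAP with `int3`, immediately followed (with FROB_EIP) by an
 * `int $4` that the handler is expected to step over.  When the fix-up is
 * not applied the `int $4` executes, which the poster reports arriving as a
 * SIGFPE.  (The poster also experimented with a `.byte 0x90` / `nop` here.)
 */
void test_trap(void)
{
    __asm__ __volatile__(
        "int3\n\t"
#ifdef FROB_EIP
        "int $4"
#endif
    );
}

/* Global iteration counter, advanced in lock-step with the loop index so
 * that any divergence between the two is visible in the output. */
int counter;

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    install_sigtrap_handler();
    counter = 0;
    /* Each iteration prints the handler's "TRAP! ..." fragment followed by
     * this line, so a missed fix-up is visible right before the crash. */
    for (int i = 0; i < 100000; i++, counter++) {
        test_trap();
        fprintf(stderr, " i: %d, counter: %d\n", i, counter);
    }
    return 0;
}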