I have written a simple gwt application, and when i am using it in chrome browser, it is getting crashed.
So i debug chrome using windbg tool to take dump. And here is my dump..
(cc0.15d8): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\chrome_child.dll -
eax=00000068 ebx=00000000 ecx=6dc299a6 edx=0b73a067 esi=0044d770 edi=01a6d000
eip=6daf00d3 esp=0044d750 ebp=0044d750 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
chrome_child!ovly_debug_event+0xb4d33f:
6daf00d3 cc int 3
7:044> g
#
# Fatal error in , line 0
# API fatal error handler returned after process out of memory
#
(cc0.15d8): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000000 ecx=6d212db0 edx=ff61f000 esi=6e67b598 edi=0044d754
eip=6d51ff03 esp=0044d734 ebp=0044d740 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
chrome_child!ovly_debug_event+0x57d16f:
6d51ff03 cc int 3
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (!!! second chance !!!)
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (!!! second chance !!!)
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (!!! second chance !!!)
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (!!! second chance !!!)
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (!!! second chance !!!)
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (!!! second chance !!!)
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (!!! second chance !!!)
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
7:044> g
(cc0.15d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2ea08261 ebx=00000044 ecx=00000004 edx=01a6d000 esi=0044ded8 edi=00000010
eip=6cffd8db esp=0044dde0 ebp=0044de08 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
chrome_child!ovly_debug_event+0x5ab47:
6cffd8db 8903 mov dword ptr [ebx],eax ds:002b:00000044=????????
Please correct me if i am going wrong to find solution.
Any help would be appreciated.
Thanks, PK
First of all, you should load the right symbols of program,otherwise you cannot figure out in which function the exception occurs.For example : if you load the right symbol in windbg,the windbg will tell you the exception occurs in the function FOO()+0x12,otherwise it will tell that you should check the position MAIN()+0x1234 which also point to FOO()+0x12 but have less meaning to human being.
so the first step to take is loading the right debug symbols.
Related
Task: write a program to remove the central character in all words of odd length in a given text.
I did this (the idea of the algorithm is to find and write the indexes by which the space is located (in the first cycle) and then rewrite the string with missing characters where necessary):
.586
.model flat, C
option casemap: none
include c:\masm32\include\msvcrt.inc
include c:\masm32\include\kernel32.inc
includelib c:\masm32\lib\msvcrt.lib
includelib c:\masm32\lib\kernel32.lib
printf PROTO C, :VARARG
.data
src db 'hello masm32_ wrld lb 7',0
len equ $-src
dest db ' ',len dup(0),0
end_index db len/2 dup(0)
msg2 db ' %d ', 0
count_1 db 0
count_2 db 0
.code
start:
symbol equ ' '
xor ecx,ecx
xor ebx,ebx
lea esi,src
dec ebx
next:
inc ebx
cmp byte ptr [esi],symbol
jnz notfound
inc ecx
mov byte ptr [end_index + ecx], bl
notfound:
inc esi
cmp byte ptr [esi],0
jz exit
jmp next
exit:
lea esi, src
lea edi, dest
mov ebx, 1
xor ecx, ecx
##_next:
.if byte ptr [end_index + ebx] == 0
jmp ##_ret
.endif
mov al, byte ptr [end_index + ebx]
mov ah, byte ptr [end_index + ebx - 1]
sub al, ah
xor ah, ah
push ebx
mov bl, 2
div bl
pop ebx
add al, byte ptr [end_index + ebx - 1]
and eax, 000000ffh
.if al == cl
inc count_1
inc count_2
inc ebx
jmp ##_next
.endif
mov al, byte ptr [esi + count_1]
mov byte ptr [edi + count_2], al
inc count_1
inc count_2
jmp ##_next
##_ret:
invoke printf, offset dest , 0
ret
end start
But at the first pass of the loop I get
An exception was thrown at address 0x00042092 in asm_7_deb.exe: 0xC0000005: Read access violation at address 0x0008A045.
dissassembler:
start:
00042020 xor ecx,ecx
00042022 xor ebx,ebx
00042024 lea esi,[src (045000h)]
0004202A dec ebx
next:
0004202B inc ebx
0004202C cmp byte ptr [esi],20h
0004202F jne _start+18h (042038h)
00042031 inc ecx
00042032 mov byte ptr end_index (045032h)[ecx],bl
notfound:
00042038 inc esi
00042039 cmp byte ptr [esi],0
0004203C je _start+20h (042040h)
0004203E jmp _start+0Bh (04202Bh)
exit:
00042040 lea esi,[src (045000h)]
00042046 lea edi,[dest (045018h)]
0004204C mov ebx,1
00042051 xor ecx,ecx
##_next:
00042053 cmp byte ptr end_index (045032h)[ebx],0
0004205A jne _start+3Eh (04205Eh)
0004205C jmp _start+8Ch (0420ACh)
#C0001:
0004205E mov al,byte ptr end_index (045032h)[ebx]
00042064 mov ah,byte ptr [ebx+45031h]
0004206A sub al,ah
0004206C xor ah,ah
0004206E push ebx
0004206F mov bl,2
00042071 div al,bl
00042073 pop ebx
00042074 add al,byte ptr [ebx+45031h]
0004207A and eax,0FFh
0004207F cmp al,cl
00042081 jne _start+72h (042092h)
00042083 inc byte ptr [count_1 (045045h)]
00042089 inc byte ptr [count_2 (045046h)]
0004208F inc ebx
00042090 jmp _start+33h (042053h)
#C0003:
00042092 mov al,byte ptr count_1 (045045h)[esi] ; <==== probably it happend here
00042098 mov byte ptr count_2 (045046h)[edi],al ; but i do not understand why
0004209E inc byte ptr [count_1 (045045h)]
000420A4 inc byte ptr [count_2 (045046h)]
000420AA jmp _start+33h (042053h)
##_ret:
000420AC push 0
000420AE push offset dest (045018h)
000420B3 call _printf (041005h)
000420B8 add esp,8
000420BB ret
In order to load [esi + count_1] you need to load the value of count_1 into a register first. Otherwise it takes the address of count_1 plus the value of esi, which is not what you want.
Since count_1 is a byte, use:
movzx edx, byte ptr [count_1]
mov al, [esi+edx]
Hey so I was looking at the assembly code of a heap-overflow challenge (heap3 in protostar) in which use a vulnerability of an old version of dlmalloc to execute the exploit. Below is the assembler dump
0x08048889 <main+0>: push ebp
0x0804888a <main+1>: mov ebp,esp
0x0804888c <main+3>: and esp,0xfffffff0
0x0804888f <main+6>: sub esp,0x20
0x08048892 <main+9>: mov DWORD PTR [esp],0x20
0x08048899 <main+16>: call 0x8048ff2 <malloc>
0x0804889e <main+21>: mov DWORD PTR [esp+0x14],eax
0x080488a2 <main+25>: mov DWORD PTR [esp],0x20
0x080488a9 <main+32>: call 0x8048ff2 <malloc>
0x080488ae <main+37>: mov DWORD PTR [esp+0x18],eax
0x080488b2 <main+41>: mov DWORD PTR [esp],0x20
0x080488b9 <main+48>: call 0x8048ff2 <malloc>
0x080488be <main+53>: mov DWORD PTR [esp+0x1c],eax
0x080488c2 <main+57>: mov eax,DWORD PTR [ebp+0xc]
0x080488c5 <main+60>: add eax,0x4
0x080488c8 <main+63>: mov eax,DWORD PTR [eax]
0x080488ca <main+65>: mov DWORD PTR [esp+0x4],eax
0x080488ce <main+69>: mov eax,DWORD PTR [esp+0x14]
0x080488d2 <main+73>: mov DWORD PTR [esp],eax
0x080488d5 <main+76>: call 0x8048750 <strcpy#plt>
0x080488da <main+81>: mov eax,DWORD PTR [ebp+0xc]
0x080488dd <main+84>: add eax,0x8
0x080488e0 <main+87>: mov eax,DWORD PTR [eax]
0x080488e2 <main+89>: mov DWORD PTR [esp+0x4],eax
0x080488e6 <main+93>: mov eax,DWORD PTR [esp+0x18]
0x080488ea <main+97>: mov DWORD PTR [esp],eax
0x080488ed <main+100>: call 0x8048750 <strcpy#plt>
0x080488f2 <main+105>: mov eax,DWORD PTR [ebp+0xc]
0x080488f5 <main+108>: add eax,0xc
0x080488f8 <main+111>: mov eax,DWORD PTR [eax]
0x080488fa <main+113>: mov DWORD PTR [esp+0x4],eax
0x080488fe <main+117>: mov eax,DWORD PTR [esp+0x1c]
0x08048902 <main+121>: mov DWORD PTR [esp],eax
0x08048905 <main+124>: call 0x8048750 <strcpy#plt>
0x0804890a <main+129>: mov eax,DWORD PTR [esp+0x1c]
0x0804890e <main+133>: mov DWORD PTR [esp],eax
0x08048911 <main+136>: call 0x8049824 <free>
0x08048916 <main+141>: mov eax,DWORD PTR [esp+0x18]
0x0804891a <main+145>: mov DWORD PTR [esp],eax
0x0804891d <main+148>: call 0x8049824 <free>
0x08048922 <main+153>: mov eax,DWORD PTR [esp+0x14]
0x08048926 <main+157>: mov DWORD PTR [esp],eax
0x08048929 <main+160>: call 0x8049824 <free>
0x0804892e <main+165>: mov DWORD PTR [esp],0x804ac27
0x08048935 <main+172>: call 0x8048790 <puts#plt>
0x0804893a <main+177>: leave
0x0804893b <main+178>: ret
End of assembler dump.
Now looking at the assembler dump what I can understand is malloc and free are linked to the binary statically, while strcpy and puts are linked using PLT.
When I try to compile this program using it's source code, I get malloc#plt and free#plt, which when compiled on my local machine uses the wrong version of dlmalloc. The challenge is compiled and placed on a debian distro which we have to boot up in order to try this challenge but I would like to try it on my local machine. Can someone explain how I will be able to compile it so that malloc and free are statically linked with the binary.
I do call InternetOpenA in assembler
It is failing with EXCEPTION_ACCESS_VIOLATION on this command:
movdqa xmmword ptr [rsp + 0x20], xmm0
source
start:
sub rsp,30h
lea rcx, [userAgent]
mov rdx,INTERNET_OPEN_TYPE_DIRECT
mov r8,0
mov r9,0
mov qword ptr ds:[rsp+20],0
call qword ptr ds:[<&InternetOpenA>] <---------------
i edit 1st post
its entry point
i will add
sub rsp, 8
and its work
start:
sub rsp, 8
sub rsp,30h
lea rcx, [userAgent]
mov rdx,INTERNET_OPEN_TYPE_DIRECT
mov r8,0
mov r9,0
mov qword ptr ds:[rsp+20],0
call qword ptr ds:[<&InternetOpenA>] <---------------
but i dont understand why stack not aligned at start
I know this question is a little general, but I've been going through a large assembly file and I'm up until this function is called:
CPU Disasm
Address Hex dump Command Comments
004149E0 /$ 55 PUSH EBP
004149E1 |. 89E5 MOV EBP,ESP
004149E3 |. 83EC 28 SUB ESP,28
004149E6 |. 895D F4 MOV DWORD PTR SS:[LOCAL.3],EBX
004149E9 |. 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
004149EC |. 8975 F8 MOV DWORD PTR SS:[LOCAL.2],ESI
004149EF |. 897D FC MOV DWORD PTR SS:[LOCAL.1],EDI
004149F2 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004149F4 |. 8945 E0 MOV DWORD PTR SS:[LOCAL.8],EAX
004149F7 |. 8B40 F4 MOV EAX,DWORD PTR DS:[EAX-0C]
004149FA |. 8945 E4 MOV DWORD PTR SS:[LOCAL.7],EAX
004149FD |. 8945 F0 MOV DWORD PTR SS:[LOCAL.4],EAX
00414A00 |. 8B45 0C MOV EAX,DWORD PTR SS:[ARG.2]
00414A03 |. 890424 MOV DWORD PTR SS:[LOCAL.10],EAX ;string => [ARG.2]
00414A06 |. E8 35C9FFFF CALL <JMP.&msvcrt.strlen> ;MSVCRT.strlen
00414A0B |. 8945 EC MOV DWORD PTR SS:[LOCAL.5],EAX
00414A0E |. 89C3 MOV EBX,EAX
00414A10 |. 8D45 EC LEA EAX,[LOCAL.5]
00414A13 |. 3B5D E4 CMP EBX,DWORD PTR SS:[LOCAL.7]
00414A16 |. 72 03 JB SHORT 00414A1B
00414A18 |. 8D45 F0 LEA EAX,[LOCAL.4]
00414A1B |> FC CLD
00414A1C |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00414A1E |. 8B75 E0 MOV ESI,DWORD PTR SS:[LOCAL.8]
00414A21 |. 8B7D 0C MOV EDI,DWORD PTR SS:[ARG.2]
00414A24 |. 39C9 CMP ECX,ECX
00414A26 |. F3:A6 REPE CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
00414A28 |. 0F92C0 SETB AL
00414A2B |. 0F97C2 SETA DL
00414A2E |. 28C2 SUB DL,AL
00414A30 |. 0FBEC2 MOVSX EAX,DL
00414A33 |. 85C0 TEST EAX,EAX
00414A35 |. 75 05 JNZ SHORT 00414A3C
00414A37 |. 8B45 E4 MOV EAX,DWORD PTR SS:[LOCAL.7]
00414A3A |. 29D8 SUB EAX,EBX
00414A3C |> 8B5D F4 MOV EBX,DWORD PTR SS:[LOCAL.3]
00414A3F |. 8B75 F8 MOV ESI,DWORD PTR SS:[LOCAL.2]
00414A42 |. 8B7D FC MOV EDI,DWORD PTR SS:[LOCAL.1]
00414A45 |. 89EC MOV ESP,EBP
00414A47 |. 5D POP EBP
00414A48 \. C3 RETN
This function is really giving me a hard time, if you guys have any insights at all or can give me a general idea of what's happening with it I'd really appreciate it.
I am guessing it might have something to do with the size of a string being checked (maybe for a length of 10 chars?) Also from what I've seen (again, not sure) AL and EAX are the ones in this code that I'm really worried about.
If more information is needed about any parts of this please don't hesitate to ask me.
Well, unoptimized x86 (not x86-64) assembly is pretty ugly (and in intel-syntax to boot... ugh)
Anyway, it seems this function takes the strlen() of a string, then takes the smaller of this strlen and a parameter passed in an array or struct, and uses it as the length-parameter for a strncmp(). The result of the strncmp is returned.
an application frequently dumped cores due to segmentation fault, and its backtrace looks like below.
(gdb) bt
#0 0x00000039c6c71874 in strncpy () from /lib64/libc.so.6
#1 0x00000000016fab83 in CcString::CcString (this=0x470008e0, str=...) at ../../base/src/ccString.cpp:163
#2 0x00000000016face9 in CcString::operator= (this=0x47000bf0, str=...) at ../../base/src/ccString.cpp:250
#3 0x0000000000441193 in RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &) (this=0x2af86a4de008, apNumber=0xb90160, aFormatType=NUMBER_FORMAT_TYPE_LDAP, aFormatedNumber=...) at ../main/RmsDbMgr.cpp:4465
#4 0x0000000000b1cacf in SessionMt::sendLdapQueryReq (this=0x2cb8d580, apNumber=0x2cb90160, aRecipient=true) at ../session/SessionMt.cpp:1600
in frame 4, apNumber=0x2cb90160, but in frame 3 its value was changed to 0xb90160 and that pointer caused segmentation fault later.
what could cause that happen? and why backtrace format of frame 3 doesn't look quite similar to other lines?
i tried a little bit with assembly ...
(gdb) disass sendLdapQueryReq
Dump of assembler code for function SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool):
0x0000000000b1ca40 <+0>: mov %rbp,-0x28(%rsp)
0x0000000000b1ca45 <+5>: mov %r15,-0x8(%rsp)
0x0000000000b1ca4a <+10>: mov %rdi,%rbp
0x0000000000b1ca4d <+13>: mov %rbx,-0x30(%rsp)
0x0000000000b1ca52 <+18>: mov %r12,-0x20(%rsp)
0x0000000000b1ca57 <+23>: mov %rsi,%r15
0x0000000000b1ca5a <+26>: mov %r13,-0x18(%rsp)
0x0000000000b1ca5f <+31>: mov %r14,-0x10(%rsp)
0x0000000000b1ca64 <+36>: sub $0x208,%rsp
0x0000000000b1ca6b <+43>: mov %fs:0x28,%rax
0x0000000000b1ca74 <+52>: mov %rax,0x1c8(%rsp)
0x0000000000b1ca7c <+60>: xor %eax,%eax
0x0000000000b1ca7e <+62>: mov %dl,0x93(%rsp)
0x0000000000b1ca85 <+69>: movl $0x2,0x1c4(%rsp)
0x0000000000b1ca90 <+80>: callq 0x1c2b406 <mxLog::GetInstance()>
0x0000000000b1ca95 <+85>: movzbl 0x8(%rax),%eax
0x0000000000b1ca99 <+89>: test %al,%al
0x0000000000b1ca9b <+91>: jne 0xb1cbb8 <SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool)+376>
0x0000000000b1caa1 <+97>: lea 0x140(%rsp),%rdi
0x0000000000b1caa9 <+105>: callq 0x16f7570 <CcString::CcString()>
0x0000000000b1caae <+110>: mov 0xc8(%rbp),%rax
0x0000000000b1cab5 <+117>: lea 0x140(%rsp),%rcx
0x0000000000b1cabd <+125>: xor %edx,%edx
0x0000000000b1cabf <+127>: mov %r15,%rsi
0x0000000000b1cac2 <+130>: mov 0x28(%rax),%rax
0x0000000000b1cac6 <+134>: mov 0x58(%rax),%rdi
0x0000000000b1caca <+138>: callq 0x441110 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)>
=> 0x0000000000b1cacf <+143>: cmpq $0x0,0x150(%rsp)
0x0000000000b1cad8 <+152>: je 0xb1cb88 <SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool)+328>
0x0000000000b1cade <+158>: movl $0x2,0x1c4(%rsp)
before calling RmsDbMgr::getFormatedNumber(), %rsi (2nd argument considering THIS as first) was set as %r15 which was 0x2cb90160, that was correct.
(gdb) p/x $r15
$9 = 0x2cb90160
and assembly of RmsDbMgr::getFormatedNumber() as below ...
(gdb) disass getFormatedNumber
Dump of assembler code for function RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &):
0x0000000000441110 <+0>: mov %rbp,-0x28(%rsp)
0x0000000000441115 <+5>: mov %r13,-0x18(%rsp)
0x000000000044111a <+10>: mov %edx,%ebp
0x000000000044111c <+12>: mov %r14,-0x10(%rsp)
0x0000000000441121 <+17>: mov %r15,-0x8(%rsp)
0x0000000000441126 <+22>: mov %rdi,%r14
0x0000000000441129 <+25>: mov %rbx,-0x30(%rsp)
0x000000000044112e <+30>: mov %r12,-0x20(%rsp)
0x0000000000441133 <+35>: sub $0x178,%rsp
0x000000000044113a <+42>: mov %fs:0x28,%rax
0x0000000000441143 <+51>: mov %rax,0x138(%rsp)
0x000000000044114b <+59>: xor %eax,%eax
0x000000000044114d <+61>: test %rsi,%rsi
0x0000000000441150 <+64>: mov %rsi,%r13
0x0000000000441153 <+67>: mov %rcx,%r15
0x0000000000441156 <+70>: je 0x4411e0 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)+208>
0x000000000044115c <+76>: cmp $0x2,%edx
0x000000000044115f <+79>: jg 0x4411e0 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)+208>
0x0000000000441165 <+85>: lea 0x100(%rsp),%rdi
0x000000000044116d <+93>: callq 0x16f7570 <CcString::CcString()>
0x0000000000441172 <+98>: movzwl 0x53e74(%r14),%esi
0x000000000044117a <+106>: lea 0x100(%rsp),%rdi
0x0000000000441182 <+114>: callq 0x16f90e0 <CcString::operator+=(u16_t const)>
0x0000000000441187 <+119>: lea 0x8(%r13),%rsi
0x000000000044118b <+123>: mov %r15,%rdi
0x000000000044118e <+126>: callq 0x16facc0 <CcString::operator=(CcString const&)>
=> 0x0000000000441193 <+131>: movl $0x2,0x134(%rsp)
0x000000000044119e <+142>: callq 0x1c2b406 <mxLog::GetInstance()>
0x00000000004411a3 <+147>: movzbl 0x8(%rax),%eax
0x00000000004411a7 <+151>: test %al,%al
in RmsDbMgr::getFormatedNumber(), %r15 was saved at -0x8(%rsp) before sp moving up 0x178 bytes, and it was 0x2cb90160 too.
(gdb) x/a $rsp+0x178-0x8
0x47000aa0: 0x2cb90160
then before doing anything, %rsi was assigned to %r13, but now r13 had a different value which wrong.
(gdb) p/x $r13
$9 = 0xb90160
anyone can help to find out what's wrong with it?