Prolog sanity check failed - multiple inheritance offsets #275
Comments
|
Forgot the facts: |
|
Thanks, I will take a look at this. The threading problem is probably #267. |
|
Working backwards... |
% This rule is a special case of the reasonObjectInObject_E, that relies on the fact that it
% does not matter whether the InnerClass and OuterClass are provably different or whether
% they're just currently not assigned to the same class. The key observation is that the
% distinction only matters when offset is non-zero, because that fact alone rules out the
% possibility that the two classes are in fact the same class. |
|
0x587970 is the vftable for .?AVCMFCPropertyGridCtrl@@ |
|
According to this:
So what is going on with the offset at 0x244? |
|
Just to add some more information in case it's relevant. I identified 3 new operators and 2 delete operators, in a potentially strange configuration:
Having double checked these just now I've found a wrapper for the main delete operator as well, I will try running again with that one defined. |
|
At 0x50b92d of 0x50b8db (probably MFCPropertyGridCtrl's constructor), we call 0x426738 at offset 0x244. |
|
|
According to OOAnalyzer, 0x426738 is CWnd::CWnd. |
|
I think the MFC classes in this program are triggered a rare-but-not-unknown problem in a sanity rule, insanityInheritTwice. Comment out this line and try to run again. |
|
Initial results are promising, it's on to the guess phase. As an aside, are any of the errors in the analysis log concerning? I'm assuming it will just result in slightly less information extracted than otherwise. |
|
Nothing too concerning, especially for a program of that size |
|
After a few adjustments to memory and swap on the container I'm now getting: Full log: prolog.zip |
|
This is pretty unusual. Most times it happens it is a problem with fact generation. I'll try to look on Monday. |
|
From a quick glance, it does look like a constructor to me. |
So no matter what guess we make about 0x52b9d4, we decide that 0x426738 is both a constructor and not a constructor. 0x52b9d4 is probably CScrollView::CScrollView. 0x426738 is probably CWnd::CWnd. 0x52b9d4 calls 0x4f7de3, which calls 0x426738.
NOTConstructor_F is:
So that makes sense if we guess that 0x52b9d4 is not a constructor. What about when we guess it is a constructor?
So there we decide that 0x4f7de3 is not a constructor because of _G, which is:
Interesting. |
|
So, the puzzle here is What the heck is 0x4f7de3? |
|
Oops, back to work persona. I think I figured out what is going wrong with the help of https://github.com/edmcman/MFCApplication. This confirms that CScrollView::CScrollView calls CView::View:
Now, surprisingly to me, CView::CView does not have a vftable installation:
This is at odds with |
|
What should we do about this? In general, I'm not sure. If I were you for the moment, I would hack reasonNOTConstructor_G so that it ignores the vftable for CScrollView. % Because you can't be a constructor on a class that's already known to have a VFTable if you
% you don't have a VFTable. This rule was added largely to reach the correct conclusions on
% methods like operator=.
% ED_PAPER_INTERESTING
reasonNOTConstructor_G(Method) :-
% There's another method that calls this method on the same object pointer.
validMethodCallAtOffset(_, Caller, Method, 0),
% The caller is known to be a constructor or destructor.
(factConstructor(Caller); factRealDestructor(Caller)),
% The caller is already known to have a VFTable write.
factVFTableWrite(_Insn1, Caller, 0, VFTable1),
% HACK: NOT CScrollView::vftable
iso_dif(VFTable1, 0x58eb84),
% But this method doesn't have the required write.
not(possibleVFTableWrite(_Insn2, Method, _ThisPtr, 0, _VFTable2)),
% Since we don't have visibility into VFTable writes from imported constructors and
% destructors this rule does not apply to imported methods.
not(symbolClass(Method, _, _, _)),
% Debugging
logtraceln('~@~Q.', [not(factNOTConstructor(Method)),
reasonNOTConstructor_G(Caller, Method)]). |
|
Judging by the MSDN it seems that 0x4f7de3 is CView::CView. This leads to the documented inheritance of CScrollView : CView : CWnd. So _G seems to be at issue. What does "if you don't have a VFTable" actually mean in this context? |
|
Oops, the window hadn't updated. I'll do that hack and see if I can make progress. |
|
After a couple of false starts and a switch to a machine with more memory, it finally completed. There was one more mod needed to avoid tripping up reasonNOTConstructor_G again. |
|
Glad to hear it! I'm going to close this since we created #276 to keep track of the more general problem. |
I'm getting this error trying to run OOProlog on a Kensington firmware update utility:
There are several warnings/errors at the OOAnalyzer stage which may be related.
Container Version: seipharos/pharos:latest (sha256:fe09ad8e492115b7a1cfe0899995fa37057089d695d73332aa633b7f696f33bd)
Input file: KensingtonUpdate.exe
API database JSON files: ApiJson.zip
Logs: Logs.zip
Partition command:
partition --serialize=kensington/kensington-sem.ser --maximum-memory=10240 kensington/KensingtonUpdate.exeAnalyzer command:
ooanalyzer --serialize=kensington/kensington-sem.ser --new-method=0x4116a6 --new-method=0x4116d8 --new-method=0x42f692 --delete-method=0x42f6ae --delete-method=0x53b4c0 --maximum-memory 18000 --per-function-maximum-memory=0 --prolog-facts=kensington/kensington-facts.pl --threads=1 --per-function-timeout=600 --apidb=/usr/local/share/pharos/contrib/winspool.json --apidb=kensington/hid.xml.json --apidb=kensington/gdiplus.xml.json --apidb=kensington/SetupAPI.xml.json --apidb=kensington/UxTheme.xml.json --apidb=kensington/Imm32.xml.json --apidb=kensington/Msimg32.xml.json --apidb=kensington/Oleacc.xml.json --apidb=kensington/User32.xml.json --apidb=kensington/OleDlg.xml.json kensington/KensingtonUpdate.exeNote: --threads=1 is to avoid a multithread issue that I'll submit/add to another issue for.
Prolog command:
ooprolog --facts kensington/kensington-facts.pl --results kensington/kensington-results.pl --log-level=6The text was updated successfully, but these errors were encountered: