Possibly that would fix it. I ended up doing it a different way -
call dr_get_app_arg() to get the address A of an argument string
(any one, argv[0] is fine). I know that A addresses a location in the
stack because that's where the strings are, and that somewhere
lower down the stack, A occurs in its own right, in argv. So I just scan
downwards from address A until I find a location containing A.
And then I know where argv is and can scan upwards through
envv and auxv, and overwrite them in place if desired.
That's a hack, and not entirely without risk, but it's got more
serious problems than that - firstly, it's not simple to extend any
of the vectors (except into the string area, which means moving
some of the strings elsewhere), but worse, overwriting the
original vectors falsifies the information provided to DynamoRIO
and clients.
What I really want is to take a deep copy of the environment
(argv, env and auxv), possibly modify or extend it, and have
the target application under test (and whatever getenv() and
getauxval() it's using) see the new version, but have DynamoRIO
core and clients see the real version.