| blob | cdf81954eee9024d5cfbc280e310d7b3236ad10c |
1 //===-- LibiptDecoder.cpp --======-----------------------------------------===//
2 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
3 // See https://llvm.org/LICENSE.txt for license information.
4 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
5 //
6 //===----------------------------------------------------------------------===//
11 #include <optional>
24 }
29 }
31 // RAII deleter for libipt's decoders
34 };
38 };
46 /// Create a basic configuration object limited to a given buffer that can be
47 /// used for many different decoders.
54 pt_config config;
62 // The libipt library does not modify the trace buffer, hence the
63 // following casts are safe.
67 }
69 /// Callback used by libipt for reading the process memory.
70 ///
71 /// More information can be found in
72 /// https://github.com/intel/libipt/blob/master/doc/man/pt_image_set_callback.3.md
78 Status error;
83 }
85 /// Set up the memory image callback for the given decoder.
93 }
95 /// Create an instruction decoder for the given buffer and the given process.
113 }
115 /// Create a query decoder for the given buffer. The query decoder is the
116 /// highest level decoder that operates directly on packets and doesn't perform
117 /// actual instruction decoding. That's why it can be useful for inspecting a
118 /// raw trace without pinning it to a particular process.
130 }
132 /// Class used to identify anomalies in traces, which should often indicate a
133 /// fatal error in the trace.
140 m_infinite_decoding_loop_threshold =
143 m_extremely_large_decoding_threshold =
146 m_next_infinite_decoding_loop_threshold =
147 m_infinite_decoding_loop_threshold;
148 }
150 /// \return
151 /// An \a llvm::Error if an anomaly that includes the last instruction item
152 /// in the trace, or \a llvm::Error::success otherwise.
157 m_insn_count_at_last_packet_offset;
159 // We want to check if we might have fallen in an infinite loop. As this
160 // check is not a no-op, we want to do it when we have a strong suggestion
161 // that things went wrong. First, we check how many instructions we have
162 // decoded since we processed an Intel PT packet for the last time. This
163 // number should be low, because at some point we should see branches, jumps
164 // or interrupts that require a new packet to be processed. Once we reach
165 // certain threshold we start analyzing the trace.
166 //
167 // We use the number of decoded instructions since the last Intel PT packet
168 // as a proxy because, in fact, we don't expect a single packet to give,
169 // say, 100k instructions. That would mean that there are 100k sequential
170 // instructions without any single branch, which is highly unlikely, or that
171 // we found an infinite loop using direct jumps, e.g.
172 //
173 // 0x0A: nop or pause
174 // 0x0C: jump to 0x0A
175 //
176 // which is indeed code that is found in the kernel. I presume we reach
177 // this kind of code in the decoder because we don't handle self-modified
178 // code in post-mortem kernel traces.
179 //
180 // We are right now only signaling the anomaly as a trace error, but it
181 // would be more conservative to also discard all the trace items found in
182 // this PSB. I prefer not to do that for the time being to give more
183 // exposure to this kind of anomalies and help debugging. Discarding the
184 // trace items would just make investigation harded.
185 //
186 // Finally, if the user wants to see if a specific thread has an anomaly,
187 // it's enough to run the `thread trace dump info` command and look for the
188 // count of this kind of errors.
191 m_extremely_large_decoding_threshold) {
192 // In this case, we have decoded a massive amount of sequential
193 // instructions that don't loop. Honestly I wonder if this will ever
194 // happen, but better safe than sorry.
198 }
200 m_next_infinite_decoding_loop_threshold) {
206 }
208 }
210 }
214 // The infinite decoding loops we'll encounter are due to sequential
215 // instructions that repeat themselves due to direct jumps, therefore in a
216 // cycle each individual address will only appear once. We use this
217 // information to detect cycles by finding the last 2 ocurrences of the last
218 // instruction added to the trace. Then we traverse the trace making sure
219 // that these two instructions where the ends of a repeating loop.
221 // This is a utility that returns the most recent instruction index given a
222 // position in the trace. If the given position is an instruction, that
223 // position is returned. It skips non-instruction items.
230 }
233 item_index--;
234 }
236 };
237 // Similar to most_recent_insn_index but skips the starting position.
242 };
244 // We first find the most recent instruction.
251 // We then find the most recent previous occurrence of that last
252 // instruction.
260 loop_size++;
261 }
265 // Now we check if the segment between these last positions of the last
266 // instruction address is in fact a repeating loop.
273 else
277 else
282 loop_elements_visited++;
283 }
285 }
287 // Refresh the internal counters if a new packet offset has been visited
293 m_next_infinite_decoding_loop_threshold =
294 m_infinite_decoding_loop_threshold;
295 m_insn_count_at_last_packet_offset =
297 }
298 }
307 };
309 /// Class that decodes a raw buffer for a single PSB block using the low level
310 /// libipt library. It assumes that kernel and user mode instructions are not
311 /// mixed in the same PSB block.
312 ///
313 /// Throughout this code, the status of the decoder will be used to identify
314 /// events needed to be processed or errors in the decoder. The values can be
315 /// - negative: actual errors
316 /// - positive or zero: not an error, but a list of bits signaling the status
317 /// of the decoder, e.g. whether there are events that need to be decoded or
318 /// not.
321 /// \param[in] decoder
322 /// A decoder configured to start and end within the boundaries of the
323 /// given \p psb_block.
324 ///
325 /// \param[in] psb_block
326 /// The PSB block to decode.
327 ///
328 /// \param[in] next_block_ip
329 /// The starting ip at the next PSB block of the same thread if available.
330 ///
331 /// \param[in] decoded_thread
332 /// A \a DecodedThread object where the decoded instructions will be
333 /// appended to. It might have already some instructions.
334 ///
335 /// \param[in] tsc_upper_bound
336 /// Maximum allowed value of TSCs decoded from this PSB block.
337 /// Any of this PSB's data occurring after this TSC will be excluded.
347 /// \param[in] trace_intel_pt
348 /// The main Trace object that own the PSB block.
349 ///
350 /// \param[in] decoder
351 /// A decoder configured to start and end within the boundaries of the
352 /// given \p psb_block.
353 ///
354 /// \param[in] psb_block
355 /// The PSB block to decode.
356 ///
357 /// \param[in] buffer
358 /// The raw intel pt trace for this block.
359 ///
360 /// \param[in] process
361 /// The process to decode. It provides the memory image to use for
362 /// decoding.
363 ///
364 /// \param[in] next_block_ip
365 /// The starting ip at the next PSB block of the same thread if available.
366 ///
367 /// \param[in] decoded_thread
368 /// A \a DecodedThread object where the decoded instructions will be
369 /// appended to. It might have already some instructions.
383 }
388 "Synchronization shouldn't fail because this PSB was previously "
391 // We emit a TSC before a sync event to more easily associate a timestamp to
392 // the sync event. If present, the current block's TSC would be the first
393 // TSC we'll see when processing events.
400 }
403 /// Append an instruction and return \b false if and only if a serious anomaly
404 /// has been detected.
412 }
414 }
415 /// Decode all the instructions and events of the given PSB block. The
416 /// decoding loop might stop abruptly if an infinite decoding loop is
417 /// detected.
419 pt_insn insn;
429 // The status returned by pt_insn_next will need to be processed
430 // by ProcessPTEvents in the next loop if it is not an error.
439 }
443 }
445 // We need to keep querying non-branching instructions until we hit the
446 // starting point of the next PSB. We won't see events at this point. This
447 // is based on
448 // https://github.com/intel/libipt/blob/master/doc/howto_libipt.md#parallel-decode
459 }
460 }
461 }
462 }
464 /// Process the TSC of a decoded PT event. Specifically, check if this TSC
465 /// is below the TSC upper bound for this PSB. If the TSC exceeds the upper
466 /// bound, return an error to abort decoding. Otherwise add the it to the
467 /// underlying DecodedThread and decoding should continue as expected.
468 ///
469 /// \param[in] tsc
470 /// The TSC of the a decoded event.
473 // This event and all the remaining events of this PSB have a TSC
474 // outside the range of the "owning" ThreadContinuousExecution. For
475 // now we drop all of these events/instructions, future work can
476 // improve upon this by determining the "owning"
477 // ThreadContinuousExecution of the remaining PSB data.
479 "maximum TSC value {1}, will skip decoding"
490 }
496 }
497 }
499 /// Before querying instructions, we need to query the events associated with
500 /// that instruction, e.g. timing and trace disablement events.
501 ///
502 /// \param[in] status
503 /// The status gotten from the previous instruction decoding or PSB
504 /// synchronization.
505 ///
506 /// \return
507 /// The pte_status after decoding events.
510 pt_event event;
517 }
523 }
524 }
528 // The CPU paused tracing the program, e.g. due to ip filtering.
532 // The kernel or user code paused tracing the program, e.g.
533 // a breakpoint or a ioctl invocation pausing the trace, or a
534 // context switch happened.
538 // The CPU internal buffer had an overflow error and some instructions
539 // were lost. A OVF packet comes with an FUP packet (harcoded address)
540 // according to the documentation, so we'll continue seeing instructions
541 // after this event.
546 }
547 }
550 }
553 PtInsnDecoderUP m_decoder_up;
554 PSBBlock m_psb_block;
557 PSBBlockAnomalyDetector m_anomaly_detector;
559 };
581 }
584 }
596 // We emit the first valid tsc
605 }
607 // We then emit the CPU, which will be correctly associated with a tsc.
610 // If we haven't seen a PSB yet, then it's fine not to show errors
618 }
620 // A hinted start is a non-initial execution that doesn't have a switch
621 // in. An only end is an initial execution that doesn't have a switch in.
622 // Any of those cases represent a gap because we have seen a PSB before.
630 }
631 }
650 }
652 // If we haven't seen a PSB yet, then it's fine not to show errors
654 // A hinted end is a non-ending execution that doesn't have a switch out.
655 // An only start is an ending execution that doesn't have a switch out.
656 // Any of those cases represent a gap if we still have executions to
657 // process and we have seen a PSB before.
666 }
667 }
668 }
670 }
674 // As the context switch might be incomplete, we look first for the first real
675 // PSB packet, which is a valid TSC. Otherwise, We query the thread execution
676 // itself for some tsc.
680 };
683 }
689 // This follows
690 // https://github.com/intel/libipt/blob/master/doc/howto_libipt.md#parallel-decode
717 // Now we fetch the first TSC that comes after the PSB.
719 pt_event event;
726 }
727 }
729 // We continue to the next PSB. This effectively merges this PSB with the
730 // previous one, and that should be fine because this PSB might be the
731 // direct continuation of the previous thread and it's better to show an
732 // error in the decoded thread than to hide it. If this is the first PSB,
733 // we are okay losing it. Besides that, an error at processing events
734 // means that we wouldn't be able to get any instruction out of it.
736 }
743 psb_offset,
744 tsc,
746 ip,
747 });
748 }
750 // We now adjust the sizes of each block
755 }
756 }
758 }
775 pt_event event;
781 }
783 }