vm: fix potential null deref
[minix.git] / commands / swifi / db_sym.c
blob72964fc72fc7aa48a1999e90a7f13092e9df03ad
1 /*
2 * Mach Operating System
3 * Copyright (c) 1991,1990 Carnegie Mellon University
4 * All Rights Reserved.
6 * Permission to use, copy, modify and distribute this software and its
7 * documentation is hereby granted, provided that both the copyright
8 * notice and this permission notice appear in all copies of the
9 * software, derivative works or modified versions, and any portions
10 * thereof, and that both notices appear in supporting documentation.
12 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS
13 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
14 * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
16 * Carnegie Mellon requests users of this software to return to
18 * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
19 * School of Computer Science
20 * Carnegie Mellon University
21 * Pittsburgh PA 15213-3890
23 * any improvements or extensions that they make and grant Carnegie the
24 * rights to redistribute these changes.
28 * Author: David B. Golub, Carnegie Mellon University
29 * Date: 7/90
31 #if 0
32 //#include <sys/param.h>
33 //#include <sys/systm.h>
34 #endif
35 #if 0
36 #include <linux/kernel.h>
37 #include <linux/string.h>
38 #include <linux/kallsyms.h>
39 #endif
40 #include "ddb.h"
41 #include "db_sym.h"
42 #include "swifi.h"
44 #include "extra.h"
47 * Multiple symbol tables
49 #ifndef MAXNOSYMTABS
50 #define MAXNOSYMTABS 3 /* mach, ux, emulator */
51 #endif
52 #if 0
54 static db_symtab_t db_symtabs[MAXNOSYMTABS] = {{0,},};
55 static int db_nsymtab = 0;
57 static db_symtab_t *db_last_symtab;
59 static db_sym_t db_lookup __P(( char *symstr));
60 static char *db_qualify __P((db_sym_t sym, char *symtabname));
61 static boolean_t db_symbol_is_ambiguous __P((db_sym_t sym));
62 static boolean_t db_line_at_pc __P((db_sym_t, char **, int *,
63 db_expr_t));
66 * Add symbol table, with given name, to list of symbol tables.
68 void
69 db_add_symbol_table(start, end, name, ref)
70 char *start;
71 char *end;
72 char *name;
73 char *ref;
75 if (db_nsymtab >= MAXNOSYMTABS) {
76 printk ("No slots left for %s symbol table", name);
77 panic ("db_sym.c: db_add_symbol_table");
80 db_symtabs[db_nsymtab].start = start;
81 db_symtabs[db_nsymtab].end = end;
82 db_symtabs[db_nsymtab].name = name;
83 db_symtabs[db_nsymtab].private = ref;
84 db_nsymtab++;
88 * db_qualify("vm_map", "ux") returns "unix:vm_map".
90 * Note: return value points to static data whose content is
91 * overwritten by each call... but in practice this seems okay.
93 static char *
94 db_qualify(sym, symtabname)
95 db_sym_t sym;
96 register char *symtabname;
98 char *symname;
99 static char tmp[256];
101 db_symbol_values(sym, &symname, 0);
102 strcpy(tmp,symtabname);
103 strcat(tmp,":");
104 strcat(tmp,symname);
105 return tmp;
109 boolean_t
110 db_eqname(src, dst, c)
111 char *src;
112 char *dst;
113 char c;
115 if (!strcmp(src, dst))
116 return (TRUE);
117 if (src[0] == c)
118 return (!strcmp(src+1,dst));
119 return (FALSE);
122 boolean_t
123 db_value_of_name(name, valuep)
124 char *name;
125 db_expr_t *valuep;
127 db_sym_t sym;
129 sym = db_lookup(name);
130 if (sym == DB_SYM_NULL)
131 return (FALSE);
132 db_symbol_values(sym, &name, valuep);
133 return (TRUE);
138 * Lookup a symbol.
139 * If the symbol has a qualifier (e.g., ux:vm_map),
140 * then only the specified symbol table will be searched;
141 * otherwise, all symbol tables will be searched.
143 static db_sym_t
144 db_lookup(symstr)
145 char *symstr;
147 db_sym_t sp;
148 register int i;
149 int symtab_start = 0;
150 int symtab_end = db_nsymtab;
151 register char *cp;
154 * Look for, remove, and remember any symbol table specifier.
156 for (cp = symstr; *cp; cp++) {
157 if (*cp == ':') {
158 *cp = '\0';
159 for (i = 0; i < db_nsymtab; i++) {
160 if (! strcmp(symstr, db_symtabs[i].name)) {
161 symtab_start = i;
162 symtab_end = i + 1;
163 break;
166 *cp = ':';
167 if (i == db_nsymtab) {
168 db_error("invalid symbol table name");
170 symstr = cp+1;
175 * Look in the specified set of symbol tables.
176 * Return on first match.
178 for (i = symtab_start; i < symtab_end; i++) {
179 sp = X_db_lookup(&db_symtabs[i], symstr);
180 if (sp) {
181 db_last_symtab = &db_symtabs[i];
182 return sp;
185 return 0;
189 * Does this symbol name appear in more than one symbol table?
190 * Used by db_symbol_values to decide whether to qualify a symbol.
192 static boolean_t db_qualify_ambiguous_names = FALSE;
194 static boolean_t
195 db_symbol_is_ambiguous(sym)
196 db_sym_t sym;
198 char *sym_name;
199 register int i;
200 register
201 boolean_t found_once = FALSE;
203 if (!db_qualify_ambiguous_names)
204 return FALSE;
206 db_symbol_values(sym, &sym_name, 0);
207 for (i = 0; i < db_nsymtab; i++) {
208 if (X_db_lookup(&db_symtabs[i], sym_name)) {
209 if (found_once)
210 return TRUE;
211 found_once = TRUE;
214 return FALSE;
218 * Find the closest symbol to val, and return its name
219 * and the difference between val and the symbol found.
221 db_sym_t
222 db_search_symbol( val, strategy, offp)
223 register db_addr_t val;
224 db_strategy_t strategy;
225 db_expr_t *offp;
227 register
228 unsigned int diff;
229 unsigned int newdiff;
230 register int i;
231 db_sym_t ret = DB_SYM_NULL, sym;
233 newdiff = diff = ~0;
234 db_last_symtab = 0;
235 for (i = 0; i < db_nsymtab; i++) {
236 sym = X_db_search_symbol(&db_symtabs[i], val, strategy, &newdiff);
237 if (newdiff < diff) {
238 db_last_symtab = &db_symtabs[i];
239 diff = newdiff;
240 ret = sym;
243 *offp = diff;
244 return ret;
248 * Return name and value of a symbol
250 void
251 db_symbol_values(sym, namep, valuep)
252 db_sym_t sym;
253 char **namep;
254 db_expr_t *valuep;
256 db_expr_t value;
258 if (sym == DB_SYM_NULL) {
259 *namep = 0;
260 return;
263 X_db_symbol_values(sym, namep, &value);
264 if (db_symbol_is_ambiguous(sym))
265 *namep = db_qualify(sym, db_last_symtab->name);
266 if (valuep)
267 *valuep = value;
272 * Print a the closest symbol to value
274 * After matching the symbol according to the given strategy
275 * we print it in the name+offset format, provided the symbol's
276 * value is close enough (eg smaller than db_maxoff).
277 * We also attempt to print [filename:linenum] when applicable
278 * (eg for procedure names).
280 * If we could not find a reasonable name+offset representation,
281 * then we just print the value in hex. Small values might get
282 * bogus symbol associations, e.g. 3 might get some absolute
283 * value like _INCLUDE_VERSION or something, therefore we do
284 * not accept symbols whose value is "small" (and use plain hex).
288 void
289 db_printsym(off, strategy)
290 db_expr_t off;
291 db_strategy_t strategy;
293 db_expr_t d;
294 char *filename;
295 char *name;
296 db_expr_t value;
297 int linenum;
298 db_sym_t cursym;
300 cursym = db_search_symbol(off, strategy, &d);
301 db_symbol_values(cursym, &name, &value);
302 if (name == 0)
303 value = off;
304 if (value >= DB_SMALL_VALUE_MIN && value <= DB_SMALL_VALUE_MAX) {
305 printk("0x%x", off);
306 return;
308 if (name == 0 || d >= db_maxoff) {
309 printk("0x%x", off);
310 return;
312 printk("%s", name);
313 if (d)
314 printk("+0x%x", d);
315 if (strategy == DB_STGY_PROC) {
316 // if (db_line_at_pc(cursym, &filename, &linenum, off))
317 // printk(" [%s:%d]", filename, linenum);
321 #endif
323 unsigned int db_maxoff = 0x10000;
324 unsigned long modAddr = 0;
326 /* NWT: fault injection routine only.
327 * figure out start of function address given an address (off) in kernel text.
328 * name = function name
329 * value = function address
330 * d = difference between off and function address
331 * input is the desired address off and fault type
332 * returns closest instruction address (if found), NULL otherwise
334 unsigned long
335 find_faulty_instr(db_expr_t off, int type, int *instr_len)
337 db_expr_t d;
338 char *name;
339 db_expr_t value, cur_value, prev_value = 0;
340 int verbose=0, found=0;
341 const char * mod_name = NULL;
342 unsigned long mod_start;
343 unsigned long mod_end;
344 const char * sec_name = NULL;
345 unsigned long sec_start;
346 unsigned long sec_end;
347 const char * sym_name = NULL;
348 unsigned long sym_start;
349 unsigned long sym_end;
352 *instr_len = 0;
353 if (kallsyms_address_to_symbol(off,
354 &mod_name, &mod_start, &mod_end,
355 &sec_name, &sec_start, &sec_end,
356 &sym_name, &sym_start, &sym_end) == 0) {
357 return(0);
360 value = (db_expr_t) sym_start;
361 d = off - sym_start;
362 name = (char *) sym_name;
364 if (name == 0) {
365 value = off;
368 if (value >= DB_SMALL_VALUE_MIN && value <= DB_SMALL_VALUE_MAX) {
369 printk("0x%x", off);
370 return 0;
373 if (name == 0 || d >= db_maxoff) {
374 printk("0x%x", off);
375 return 0 ;
377 /* 2) backup to start of function (SOF)
378 * 3) delineate instruction boundaries, find instruction length too.
381 if(verbose) {
382 printk("function %s", sym_name);
385 /* 4) skip instructions until we get to our faulty address */
386 cur_value = value;
387 while(cur_value < sec_end) {
388 if(verbose) {
389 #if 0
390 // db_printsym(cur_value, DB_STGY_PROC);
391 // printk(":\t");
392 #endif
394 prev_value=cur_value;
395 modAddr=0;
396 if(verbose) {
397 #if 0
398 //cur_value=db_disasm(prev_value, FALSE);
399 #endif
400 } else {
401 cur_value=my_disasm(prev_value, FALSE);
404 /* 4a) bail out if instruction is leave (0xc9) */
405 if(cur_value-prev_value == 1) {
406 unsigned char *c;
407 c=(unsigned char *) prev_value;
408 if(text_read_ub(c)==0xc9) {
409 if(verbose) printk("bailing out as we hit a leave\n");
410 found=0;
411 break;
414 /* 5a) init fault: from SOF, look for movl $X, -Y(%ebp),
415 * (C645Fxxx or C745Fxxx) and replace with nop.
417 if(type==INIT_FAULT) {
418 unsigned char *c;
419 c=(unsigned char *) prev_value;
421 if(*c==0x66 || *c==0x67)
422 c++; /* override prefix */
424 if(*c==0xC6 || *c==0xC7)
425 c++; /* movb or movl imm */
426 else
427 continue;
429 if(*c==0x45)
430 c++; /* [ebp] */
431 else
432 continue;
434 if(*c & 0x80)
435 found=1; /* negative displacement */
436 else
437 continue;
439 found=1;
440 break;
441 } else if(type==NOP_FAULT) {
442 /* 5b) nop*: replace instruction with nop */
443 if(cur_value> off) {
444 found=1;
445 break;
447 } else if(type==DST_FAULT || type==SRC_FAULT) {
448 /* 5c) dst/src: flip bits in mod/rm, sib, disp or imm fields */
449 if(cur_value>off && (cur_value-prev_value) > 1) {
450 found=1;
451 break;
453 } else if(type==BRANCH_FAULT || type==LOOP_FAULT) {
454 /* 5e) brc*: search forward utnil we hit a Jxx or rep (F3 or F2).
455 * replace instr with nop.
457 unsigned char *c;
459 c=(unsigned char *) prev_value;
461 /* look for repX prefix */
463 if(text_read_ub(c)==0xf3 || text_read_ub(c)==0xf2) {
464 if(verbose)
465 printk("found repX prefix\n");
466 /* take out repX prefix only */
467 found=1;
468 cur_value=prev_value+1;
469 break;
470 } else if( (text_read_ub(c)&0xf0)==0x70 ||
471 (text_read_ub(c)>=0xe0 && text_read_ub(c)<=0xe2) ) {
472 /* look for jXX 8 (7X), loop,jcx (e0-3), jXX 16/32 (0f 8X) */
473 found=1;
474 if(verbose)
475 printk("found jXX rel8, loop or jcx\n");
476 break;
477 } else if(text_read_ub(c)==0x66 ||
478 text_read_ub(c)==0x67) { /* override prefix */
479 c++;
480 } else if(text_read_ub(c++)==0xf && (text_read_ub(c)&0xf0)==0x80 ) {
481 found=1; /* 0x0f 0x8X */
482 if(verbose) printk("found branch!\n");
483 break;
485 } else if(type==PTR_FAULT) {
486 /* 5f) ptr: if instruction has regmodrm byte (i_has_modrm),
487 * and mod field has address ([eyy]dispxx), eyy!=ebp
488 * flip 1 bit in lower byte (0x0f) or any bit in following
489 * bytes (sib, imm or disp).
491 if(cur_value>off && modAddr) {
492 unsigned char *c;
493 c=(unsigned char *) modAddr;
494 if( text_read_ub(c)>0x3f && text_read_ub(c)<0xc0 &&
495 (text_read_ub(c)&7)!=5 ) {
496 found=1;
497 break;
500 } else if(type==INTERFACE_FAULT) {
501 /* 5f) i/f: look for movl XX(ebp), reg or movb XX(ebp), reg,
502 * where XX is positive. replace instr with nop.
503 * movl=0x8a, movb=0x8b, mod=01XXX101 (disp8[ebp]), disp>0
505 unsigned char *c;
506 c=(unsigned char *) prev_value;
507 if( text_read_ub(c)==0x8a || text_read_ub(c)==0x8b) {
508 c++;
509 if( ((text_read_ub(c++))&0xc7)==0x45 && (text_read_ub(c)&0x80)==0 ) {
510 /* 75% chance that we'll choose the next arg */
511 if(random()&0x3) {
512 found=1;
513 break;
514 } else {
515 if(verbose) printk("skipped...\n");
519 }else if(type==IRQ_FAULT) {
520 /* 5g) i/f: look for push reg or offset(reg) / popf,
521 * where XX is positive. replace instr with nop.
522 * movl=0x8a, movb=0x8b, mod=01XXX101 (disp8[ebp]), disp>0
524 unsigned char *c;
525 c=(unsigned char *) prev_value;
526 if (((text_read_ub(c) & 0xf8) == 0x50) ||
527 (text_read_ub(c) == 0xff)) {
528 if (text_read_ub(c) == 0xff) {
529 c++;
530 #if 0
532 // Look for push x(ebp)
533 #endif
534 if ((text_read_ub(c) & 0x78) != 0x70) {
535 continue;
538 // Skip the offset
540 c++;
542 c++;
543 if (text_read_ub(c) == 0x9d) {
545 // Increment cur_value to include the
546 // popf instruction
548 cur_value++;
549 found = 1;
550 break;
556 /* if we're doing nop fault, then we're done.
558 if(found) {
559 *instr_len=cur_value-prev_value;
560 off=prev_value;
561 if(verbose) {
562 printk("%s", name);
563 if (d) printk("+0x%x", d);
564 printk(" @ %x, ", value);
565 printk("instr @ %x, len=%d, ", off, *instr_len);
566 #if 0
567 // db_disasm(prev_value, FALSE);
568 #endif
570 return off;
571 } else {
572 if(verbose) printk("cannot locate instruction in function\n");
573 *instr_len=0;
574 return 0;
578 #if 0
579 static boolean_t
580 db_line_at_pc( sym, filename, linenum, pc)
581 db_sym_t sym;
582 char **filename;
583 int *linenum;
584 db_expr_t pc;
586 return X_db_line_at_pc( db_last_symtab, sym, filename, linenum, pc);
590 db_sym_numargs(sym, nargp, argnames)
591 db_sym_t sym;
592 int *nargp;
593 char **argnames;
595 return X_db_sym_numargs(db_last_symtab, sym, nargp, argnames);
598 #endif