| blob | 073e66a5897b1b452cd519854185337a757c314b |
2 /*--------------------------------------------------------------------*/
3 /*--- Ptrcheck: a pointer-use checker. ---*/
4 /*--- This file checks heap accesses. ---*/
5 /*--- h_main.c ---*/
6 /*--------------------------------------------------------------------*/
8 /*
9 This file is part of Ptrcheck, a Valgrind tool for checking pointer
10 use in programs.
12 Initial version (Annelid):
14 Copyright (C) 2003-2017 Nicholas Nethercote
15 njn@valgrind.org
17 Valgrind-3.X port:
19 Copyright (C) 2008-2017 OpenWorks Ltd
20 info@open-works.co.uk
22 This program is free software; you can redistribute it and/or
23 modify it under the terms of the GNU General Public License as
24 published by the Free Software Foundation; either version 2 of the
25 License, or (at your option) any later version.
27 This program is distributed in the hope that it will be useful, but
28 WITHOUT ANY WARRANTY; without even the implied warranty of
29 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
30 General Public License for more details.
32 You should have received a copy of the GNU General Public License
33 along with this program; if not, write to the Free Software
34 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
35 02111-1307, USA.
37 The GNU General Public License is contained in the file COPYING.
38 */
64 //#include "h_list.h"
71 /*------------------------------------------------------------*/
72 /*--- Debug/trace options ---*/
73 /*------------------------------------------------------------*/
81 //////////////////////////////////////////////////////////////
82 // //
83 // Segments low level storage //
84 // //
85 //////////////////////////////////////////////////////////////
87 // NONPTR, UNKNOWN, BOTTOM defined in h_main.h since
88 // pc_common.c needs to see them, for error processing
90 // we only start recycling segs when this many exist
91 #define N_FREED_SEGS (1 * 1000 * 1000)
94 Addr addr;
97 /* When 1, indicates block is in use. Otherwise, used to form a
98 linked list of freed blocks, running from oldest freed block to
99 the most recently freed block. */
101 };
103 // Determines if 'a' is before, within, or after seg's range. Sets 'cmp' to
104 // -1/0/1 accordingly. Sets 'n' to the number of bytes before/within/after.
106 {
116 }
117 }
120 {
123 else
125 }
128 {
131 }
134 {
137 }
140 {
143 }
146 #define N_SEGS_PER_GROUP 10000
148 typedef
153 }
154 SegGroup;
166 }
168 /* Get a completely new Seg */
170 {
177 }
183 }
187 stats__segs_allocd++;
189 }
192 {
198 }
199 /* else recycle the oldest Seg in the free list */
205 nFreeSegs--;
207 stats__segs_recycled++;
209 }
212 {
221 nFreeSegs++;
229 }
235 nFreeSegs++;
236 }
237 }
242 {
246 }
247 }
250 {
258 }
259 }
262 {
263 Bool b;
267 }
270 {
271 Bool b;
278 }
281 //////////////////////////////////////////////////////////////
282 //////////////////////////////////////////////////////////////
283 //////////////////////////////////////////////////////////////
285 // Returns the added heap segment
287 {
298 }
302 static
305 {
306 Addr p;
315 stats__client_mallocs++;
317 }
320 {
321 // Empty and free the actual block
326 // Remember where freed
332 stats__client_frees++;
333 }
336 {
339 /* freeing a block that wasn't malloc'd. Ignore. */
341 }
343 }
346 /*------------------------------------------------------------*/
347 /*--- malloc() et al replacements ---*/
348 /*------------------------------------------------------------*/
351 {
354 }
357 {
360 }
363 {
366 }
369 {
372 }
375 {
378 }
381 {
382 // Should arguably check here if p.vseg matches the segID of the
383 // pointed-to block... unfortunately, by this stage, we don't know what
384 // p.vseg is, because we don't know the address of p (the p here is a
385 // copy, and we've lost the address of its source). To do so would
386 // require passing &p in, which would require rewriting part of
387 // vg_replace_malloc.c... argh.
388 //
389 // However, Memcheck does free checking, and will catch almost all
390 // violations this checking would have caught. (Would only miss if we
391 // unluckily passed an unrelated pointer to the very start of a heap
392 // block that was unrelated to that block. This is very unlikely!) So
393 // we haven't lost much.
396 }
399 {
401 }
404 {
406 }
409 {
412 /* First try and find the block. */
420 /* new size is smaller: allocate, copy from old to new */
424 /* Free old memory */
427 /* This has to be after die_and_free_mem_heap, otherwise the
428 former succeeds in shorting out the new block, not the
429 old, in the case when both are on the same list. */
434 /* new size is bigger: allocate, copy from old to new */
438 /* Free old memory */
441 /* This has to be after die_and_free_mem_heap, otherwise the
442 former succeeds in shorting out the new block, not the old,
443 in the case when both are on the same list. NB jrs
444 2008-Sept-11: not sure if this comment is valid/correct any
445 more -- I suspect not. */
449 }
450 }
453 {
456 // There may be slop, but pretend there isn't because only the asked-for
457 // area will have been shadowed properly.
459 }
462 /*--------------------------------------------------------------------*/
463 /*--- Instrumentation ---*/
464 /*--------------------------------------------------------------------*/
466 /* The h_ instrumenter that follows is complex, since it deals with
467 shadow value computation.
469 It also needs to generate instrumentation for the sg_ side of
470 things. That's relatively straightforward. However, rather than
471 confuse the code herein any further, we simply delegate the problem
472 to sg_main.c, by using the four functions
473 sg_instrument_{init,fini,IRStmt,final_jump}. These four completely
474 abstractify the sg_ instrumentation. See comments in sg_main.c's
475 instrumentation section for further details. */
478 /* Carries info about a particular tmp. The tmp's number is not
479 recorded, as this is implied by (equal to) its index in the tmpMap
480 in PCEnv. The tmp's type is also not recorded, as this is present
481 in PCEnv.sb->tyenv.
483 When .kind is NonShad, .shadow may give the identity of the temp
484 currently holding the associated shadow value, or it may be
485 IRTemp_INVALID if code to compute the shadow has not yet been
486 emitted.
488 When .kind is Shad tmp holds a shadow value, and so .shadow must be
489 IRTemp_INVALID, since it is illogical for a shadow tmp itself to be
490 shadowed.
491 */
492 typedef
494 TempKind;
496 typedef
498 TempKind kind;
499 IRTemp shadow;
500 }
501 TempMapEnt;
505 /* Carries around state during Ptrcheck instrumentation. */
506 typedef
508 /* MODIFIED: the superblock being constructed. IRStmts are
509 added. */
511 Bool trace;
513 /* MODIFIED: a table [0 .. #temps_in_sb-1] which gives the
514 current kind and possibly shadow temps for each temp in the
515 IRSB being constructed. Note that it does not contain the
516 type of each tmp. If you want to know the type, look at the
517 relevant entry in sb->tyenv. It follows that at all times
518 during the instrumentation process, the valid indices for
519 tmpMap and sb->tyenv are identical, being 0 .. N-1 where N is
520 total number of NonShad and Shad temps allocated so far.
522 The reason for this strange split (types in one place, all
523 other info in another) is that we need the types to be
524 attached to sb so as to make it possible to do
525 "typeOfIRExpr(mce->bb->tyenv, ...)" at various places in the
526 instrumentation process.
528 Note that only integer temps of the guest word size are
529 shadowed, since it is impossible (or meaningless) to hold a
530 pointer in any other type of temp. */
533 /* READONLY: the host word type. Needed for constructing
534 arguments of type 'HWord' to be passed to helper functions.
535 Ity_I32 or Ity_I64 only. */
536 IRType hWordTy;
538 /* READONLY: the guest word type, Ity_I32 or Ity_I64 only. */
539 IRType gWordTy;
541 /* READONLY: the guest state size, so we can generate shadow
542 offsets correctly. */
543 Int guest_state_sizeB;
544 }
545 PCEnv;
547 /* SHADOW TMP MANAGEMENT. Shadow tmps are allocated lazily (on
548 demand), as they are encountered. This is for two reasons.
550 (1) (less important reason): Many original tmps are unused due to
551 initial IR optimisation, and we do not want to spaces in tables
552 tracking them.
554 Shadow IRTemps are therefore allocated on demand. pce.tmpMap is a
555 table indexed [0 .. n_types-1], which gives the current shadow for
556 each original tmp, or INVALID_IRTEMP if none is so far assigned.
557 It is necessary to support making multiple assignments to a shadow
558 -- specifically, after testing a shadow for definedness, it needs
559 to be made defined. But IR's SSA property disallows this.
561 (2) (more important reason): Therefore, when a shadow needs to get
562 a new value, a new temporary is created, the value is assigned to
563 that, and the tmpMap is updated to reflect the new binding.
565 A corollary is that if the tmpMap maps a given tmp to
566 IRTemp_INVALID and we are hoping to read that shadow tmp, it means
567 there's a read-before-write error in the original tmps. The IR
568 sanity checker should catch all such anomalies, however.
569 */
571 /* Create a new IRTemp of type 'ty' and kind 'kind', and add it to
572 both the table in pce->sb and to our auxiliary mapping. Note that
573 newTemp may cause pce->tmpMap to resize, hence previous results
574 from VG_(indexXA)(pce->tmpMap) are invalidated. */
576 {
577 Word newIx;
578 TempMapEnt ent;
585 }
587 /*------------------------------------------------------------*/
588 /*--- Constructing IR fragments ---*/
589 /*------------------------------------------------------------*/
591 /* add stmt to a bb */
597 }
599 }
602 {
605 }
614 {
617 PCEnv pce;
621 /* We don't currently support this case. */
623 }
625 /* Check we're not completely nuts */
635 /* Set up the running environment. Both .sb and .tmpMap are
636 modified as we go along. Note that tmps are added to both
637 .sb->tyenv and .tmpMap together, so the valid index-set for
638 those two arrays should always be identical. */
649 TempMapEnt ent;
653 }
656 /* Also set up for the sg_ instrumenter. See comments at the top
657 of this instrumentation section for details. The two parameters
658 constitute a closure, which sg_ can use to correctly generate
659 new IRTemps as needed. */
663 /* Copy verbatim any IR preamble preceding the first IMark */
671 i++;
672 }
674 /* Iterate over the remaining stmts to generate instrumentation. */
682 /* generate sg_ instrumentation for this stmt */
687 }
689 /* generate sg_ instrumentation for the final jump */
693 /* and finalise .. */
696 /* If this fails, there's been some serious snafu with tmp management,
697 that should be investigated. */
702 }
705 /*--------------------------------------------------------------------*/
706 /*--- Finalisation ---*/
707 /*--------------------------------------------------------------------*/
710 {
713 "For counts of detected and suppressed errors, "
715 }
724 }
725 }
728 /*--------------------------------------------------------------------*/
729 /*--- end h_main.c ---*/
730 /*--------------------------------------------------------------------*/