| blob | 1daf65e724aa3c05af09bab2e182a0a577437889 |
2 /*--------------------------------------------------------------------*/
3 /*--- Ptrcheck: a pointer-use checker. ---*/
4 /*--- This file checks stack and global array accesses. ---*/
5 /*--- sg_main.c ---*/
6 /*--------------------------------------------------------------------*/
8 /*
9 This file is part of Ptrcheck, a Valgrind tool for checking pointer
10 use in programs.
12 Copyright (C) 2008-2017 OpenWorks Ltd
13 info@open-works.co.uk
15 This program is free software; you can redistribute it and/or
16 modify it under the terms of the GNU General Public License as
17 published by the Free Software Foundation; either version 2 of the
18 License, or (at your option) any later version.
20 This program is distributed in the hope that it will be useful, but
21 WITHOUT ANY WARRANTY; without even the implied warranty of
22 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23 General Public License for more details.
25 You should have received a copy of the GNU General Public License
26 along with this program; if not, write to the Free Software
27 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
28 02111-1307, USA.
30 The GNU General Public License is contained in the file COPYING.
32 Neither the names of the U.S. Department of Energy nor the
33 University of California nor the names of its contributors may be
34 used to endorse or promote products derived from this software
35 without prior written permission.
36 */
56 static
60 //////////////////////////////////////////////////////////////
61 // //
62 // Basic Stuff //
63 // //
64 //////////////////////////////////////////////////////////////
67 {
70 }
77 }
82 }
85 /* Compare the intervals [a1,a1+n1) and [a2,a2+n2). Return -1 if the
86 first interval is lower, 1 if the first interval is higher, and 0
87 if there is any overlap. Redundant paranoia with casting is there
88 following what looked distinctly like a bug in gcc-4.1.2, in which
89 some of the comparisons were done signedly instead of
90 unsignedly. */
91 inline
102 }
104 /* Return true iff [aSmall,aSmall+nSmall) is entirely contained
105 within [aBig,aBig+nBig). */
106 inline
111 }
113 inline
116 }
118 inline
121 }
124 //////////////////////////////////////////////////////////////
125 // //
126 // StackBlocks Persistent Cache //
127 // //
128 //////////////////////////////////////////////////////////////
130 /* We maintain a set of XArray* of StackBlocks. These are never
131 freed. When a new StackBlock vector is acquired from
132 VG_(di_get_local_blocks_at_ip), we compare it to the existing set.
133 If not present, it is added. If present, the just-acquired one is
134 freed and the copy used.
136 This simplifies storage management elsewhere. It allows us to
137 assume that a pointer to an XArray* of StackBlock is valid forever.
138 It also means there are no duplicates anywhere, which could be
139 important from a space point of view for programs that generate a
140 lot of translations, or where translations are frequently discarded
141 and re-made.
143 Note that we normalise the arrays by sorting the elements according
144 to an arbitrary total order, so as to avoid the situation that two
145 vectors describe the same set of variables but are not structurally
146 identical. */
149 {
157 }
159 /* Generate an arbitrary total ordering on StackBlocks. */
161 {
162 Word r;
165 /* Hopefully the .base test hits most of the time. For the blocks
166 associated with any particular instruction, if the .base values
167 are the same then probably it doesn't make sense for the other
168 fields to be different. But this is supposed to be a completely
169 general structural total order, so we have to compare everything
170 anyway. */
173 /* compare sizes */
176 /* compare sp/fp flag */
179 /* compare is/is-not array-typed flag */
182 /* compare the name */
185 }
187 /* Returns True if all fields except .szB are the same. szBs may or
188 may not be the same; they are simply not consulted. */
191 StackBlock* fb2
192 )
193 {
200 }
203 /* Generate an arbitrary total ordering on vectors of StackBlocks. */
205 {
217 }
220 }
223 {
232 );
233 }
235 }
238 /* ---------- The StackBlock vector cache ---------- */
244 {
246 frameBlocks_set
250 }
252 /* Find the given StackBlock-vector in our collection thereof. If
253 found, deallocate the supplied one, and return the address of the
254 copy. If not found, add the supplied one to our collection and
255 return its address. */
257 StackBlocks__find_and_dealloc__or_add
259 {
262 /* First, normalise, as per comments above. */
266 /* Now get rid of any exact duplicates. */
267 nuke_dups:
279 }
284 }
285 w++;
286 }
291 }
293 }
294 }
296 /* Deal with the following strangeness, where two otherwise
297 identical blocks are claimed to have different sizes. In which
298 case we use the larger size. */
299 /* StackBlock{ off 16 szB 66 spRel:Y isVec:Y "sz" }
300 StackBlock{ off 16 szB 130 spRel:Y isVec:Y "sz" }
301 StackBlock{ off 208 szB 16 spRel:Y isVec:Y "ar" }
302 */
309 /* They can't be identical because the previous tidying
310 pass would have removed the duplicates. And they
311 can't be > because the earlier sorting pass would
312 have ordered otherwise-identical descriptors
313 according to < on .szB fields. Hence: */
316 /* This makes the blocks identical, at the size of the
317 larger one. Rather than go to all the hassle of
318 sliding the rest down, simply go back to the
319 remove-duplicates stage. The assertion guarantees
320 that we eventually make progress, since the rm-dups
321 stage will get rid of one of the blocks. This is
322 expected to happen only exceedingly rarely. */
325 }
326 }
327 }
328 }
330 /* If there are any blocks which overlap and have the same
331 fpRel-ness, junk the whole descriptor; it's obviously bogus.
332 Icc11 certainly generates bogus info from time to time.
334 This check is pretty weak; really we ought to have a stronger
335 sanity check. */
345 moans--;
353 }
356 }
357 }
358 }
360 /* Now, do we have it already? */
362 /* yes */
370 /* no */
373 }
374 }
376 /* Top level function for getting the StackBlock vector for a given
377 instruction. It is guaranteed that the returned pointer will be
378 valid for the entire rest of the run, and also that the addresses
379 of the individual elements of the array will not change. */
382 {
386 }
389 //////////////////////////////////////////////////////////////
390 // //
391 // GlobalBlocks Persistent Cache //
392 // //
393 //////////////////////////////////////////////////////////////
395 /* Generate an arbitrary total ordering on GlobalBlocks. */
397 {
398 Word r;
399 /* compare addrs */
402 /* compare sizes */
405 /* compare is/is-not array-typed flag */
408 /* compare the name */
411 /* compare the soname */
414 }
420 {
422 globalBlock_set
426 }
429 /* Top level function for making GlobalBlocks persistent. Call here
430 with a non-persistent version, and the returned one is guaranteed
431 to be valid for the entire rest of the run. The supplied one is
432 copied, not stored, so can be freed after the call. */
435 {
437 /* Now, do we have it already? */
439 /* yes, return the copy */
446 /* no. clone it, store the clone and return the clone's
447 address. */
454 }
455 }
458 //////////////////////////////////////////////////////////////
459 // //
460 // Interval tree of StackTreeBlock //
461 // //
462 //////////////////////////////////////////////////////////////
464 /* A node in a stack interval tree. Zero length intervals (.szB == 0)
465 are not allowed.
467 A stack interval tree is a (WordFM StackTreeNode* void). There is
468 one stack interval tree for each thread.
469 */
470 typedef
472 Addr addr;
476 }
477 StackTreeNode;
480 {
488 }
490 }
492 /* Interval comparison function for StackTreeNode */
495 {
498 }
500 /* Find the node holding 'a', if any. */
502 {
504 StackTreeNode key;
515 }
516 }
518 /* Note that the supplied XArray of FrameBlock must have been
519 made persistent already. */
525 UWord depth
526 )
527 {
542 }
545 Bool already_present;
557 /* The interval can't already be there; else we have
558 overlapping stack blocks. */
562 }
563 }
567 }
568 }
572 {
576 Bool b;
579 /* The interval must be there; we added it earlier when
580 the associated frame was created. */
583 /* we just found the block! */
588 }
589 }
596 }
599 }
601 {
604 }
609 }
612 //////////////////////////////////////////////////////////////
613 // //
614 // Interval tree of GlobalTreeBlock //
615 // //
616 //////////////////////////////////////////////////////////////
618 /* A node in a global interval tree. Zero length intervals
619 (.szB == 0) are not allowed.
621 A global interval tree is a (WordFM GlobalTreeNode* void). There
622 is one global interval tree for the entire process.
623 */
624 typedef
629 }
630 GlobalTreeNode;
636 }
640 {
651 }
654 }
656 /* Interval comparison function for GlobalTreeNode */
659 {
662 }
664 /* Find the node holding 'a', if any. */
666 {
668 GlobalTreeNode key;
678 }
679 }
681 /* Note that the supplied GlobalBlock must have been made persistent
682 already. */
685 GlobalBlock* descr
686 )
687 {
688 Bool already_present;
699 /* Basically it's an error to add a global block to the tree that
700 is already in the tree. However, detect and ignore attempts to
701 insert exact duplicates; they do appear for some reason
702 (possible a bug in m_debuginfo?) */
712 /* && 0 == VG_(strcmp)(nd->descr->name, nyu->descr->name) */
713 /* Although it seems reasonable to demand that duplicate
714 blocks have identical names, that is too strict. For
715 example, reading debuginfo from glibc produces two
716 otherwise identical blocks with names "tzname" and
717 "__tzname". A constraint of the form "must be identical,
718 or one must be a substring of the other" would fix that.
719 However, such trickery is scuppered by the fact that we
720 truncate all variable names to 15 characters to make
721 storage management simpler, hence giving pairs like
722 "__EI___pthread_" (truncated) vs "__pthread_keys". So
723 it's simplest just to skip the name comparison
724 completely. */
726 /* exact duplicate; ignore it */
729 }
730 /* else fall through; the assertion below will catch it */
731 }
734 /* The interval can't already be there; else we have
735 overlapping global blocks. */
736 /* Unfortunately (25 Jan 09) at least icc11 has been seen to
737 generate overlapping block descriptions in the Dwarf3; clearly
738 bogus. */
740 moans--;
749 }
753 }
754 /* tl_assert(!already_present); */
755 }
759 {
760 /* One easy way to do this: look up [a,a+szB) in the tree. That
761 will either succeed, producing a block which intersects that
762 range, in which case we delete it and repeat; or it will fail,
763 in which case there are no blocks intersecting the range, and we
764 can bring the process to a halt. */
787 }
790 }
793 //////////////////////////////////////////////////////////////
794 // //
795 // Invar //
796 // //
797 //////////////////////////////////////////////////////////////
799 /* An invariant, as resulting from watching the destination of a
800 memory referencing instruction. Initially is Inv_Unset until the
801 instruction makes a first access. */
803 typedef
810 }
811 InvarTag;
813 typedef
815 InvarTag tag;
822 Addr addr;
823 SizeT szB;
827 /* Pointer to a node in the interval tree for
828 this thread. */
832 /* Pointer to a GlobalBlock in the interval tree of
833 global blocks. */
836 }
837 Inv;
838 }
839 Invar;
841 /* Partial debugging printing for an Invar. */
843 {
865 }
866 }
868 /* Compare two Invars for equality. */
870 {
887 }
888 /*NOTREACHED*/
890 }
892 /* Generate a piece of text showing 'ea' is relative to 'invar', if
893 known. If unknown, generate an empty string. 'buf' must be at
894 least 32 bytes in size. Also return the absolute value of the
895 delta, if known, or zero if not known.
896 */
900 {
925 }
930 }
934 }
936 // Leave *absDelta at zero.
938 }
939 }
942 /* Print selected parts of an Invar, suitable for use in error
943 messages. */
945 {
978 }
979 }
982 //////////////////////////////////////////////////////////////
983 // //
984 // our globals //
985 // //
986 //////////////////////////////////////////////////////////////
988 //////////////////////////////////////////////////////////////
989 ///
991 #define N_QCACHE 16
993 /* Powers of two only, else the result will be chaos */
994 #define QCACHE_ADVANCE_EVERY 16
996 /* Per-thread query cache. Note that the invar can only be Inv_StackN
997 (but not Inv_Stack0), Inv_Global or Inv_Unknown. */
998 typedef
1000 Addr addr;
1001 SizeT szB;
1002 Invar inv;
1003 }
1004 QCElem;
1006 typedef
1008 Word nInUse;
1010 }
1011 QCache;
1016 }
1019 {
1020 Word i;
1026 }
1028 }
1034 ///
1035 //////////////////////////////////////////////////////////////
1037 /* Each thread has:
1038 * a shadow stack of StackFrames, which is a double-linked list
1039 * an stack block interval tree
1040 */
1048 /* Additionally, there is one global variable interval tree
1049 for the entire process.
1050 */
1055 {
1056 Word i;
1059 }
1060 }
1063 {
1064 Word i;
1075 }
1079 }
1082 //////////////////////////////////////////////////////////////
1083 // //
1084 // Handle global variable load/unload events //
1085 // //
1086 //////////////////////////////////////////////////////////////
1089 {
1104 /* Make a persistent copy of each GlobalBlock, and add it
1105 to the tree. */
1108 }
1111 }
1114 /* We only intercept these two because we need to see any di_handles
1115 that might arise from the mappings/allocations. */
1118 {
1121 }
1124 {
1127 }
1129 {
1149 }
1151 }
1156 /* Ok, the range contained some blocks. Therefore we'll need to
1157 visit all the Invars in all the thread shadow stacks, and
1158 convert all Inv_Global entries that intersect [a,a+len) to
1159 Inv_Unknown. */
1163 }
1166 //////////////////////////////////////////////////////////////
1167 // //
1168 // StackFrame //
1169 // //
1170 //////////////////////////////////////////////////////////////
1186 /* A dynamic instance of an instruction */
1187 typedef
1189 /* IMMUTABLE */
1192 /* MUTABLE */
1193 Invar invar;
1194 }
1195 IInstance;
1198 #define N_HTAB_FIXED 64
1200 typedef
1202 /* The sp when the frame was created, so we know when to get rid
1203 of it. */
1204 Addr creation_sp;
1205 /* The stack frames for a thread are arranged as a doubly linked
1206 list. Obviously the outermost frame in the stack has .outer
1207 as NULL and the innermost in theory has .inner as NULL.
1208 However, when a function returns, we don't delete the
1209 just-vacated StackFrame. Instead, it is retained in the list
1210 and will be re-used when the next call happens. This is so
1211 as to avoid constantly having to dynamically allocate and
1212 deallocate frames. */
1216 /* Information for each memory referencing instruction, for this
1217 instantiation of the function. The iinstances array is
1218 operated as a simple linear-probe hash table, which is
1219 dynamically expanded as necessary. Once critical thing is
1220 that an IInstance with a .insn_addr of zero is interpreted to
1221 mean that hash table slot is unused. This means we can't
1222 store an IInstance for address zero. */
1223 /* Note that htab initially points to htab_fixed. If htab_fixed
1224 turns out not to be big enough then htab is made to point to
1225 dynamically allocated memory. But it's often the case that
1226 htab_fixed is big enough, so this optimisation saves a huge
1227 number of sg_malloc/sg_free call pairs. */
1231 /* If this frame is currently making a call, then the following
1232 are relevant. */
1233 Addr sp_at_call;
1234 Addr fp_at_call;
1236 /* See comment just above */
1238 }
1239 StackFrame;
1245 /* Move this somewhere else? */
1246 /* Visit all Invars in the entire system. If 'isHeap' is True, change
1247 all Inv_Heap Invars that intersect [a,a+len) to Inv_Unknown. If
1248 'isHeap' is False, do the same but to the Inv_Global{S,V} Invars
1249 instead. */
1253 {
1254 stats__Invars_preened++;
1267 stats__Invars_changed++;
1268 }
1275 /* fallthrough */
1278 }
1279 }
1283 {
1284 Int i;
1285 UWord u;
1292 /* start from the innermost frame */
1296 /* work through the frames from innermost to outermost. The
1297 order isn't important; we just need to ensure we visit each
1298 frame once (including those which are not actually active,
1299 more 'inner' than the 'innermost active frame', viz, just
1300 hanging around waiting to be used, when the current innermost
1301 active frame makes more calls. See comments on definition of
1302 struct _StackFrame. */
1313 xx++;
1314 }
1316 }
1317 }
1318 }
1321 /* XXX this should be >> 2 on ppc32/64 since the bottom two bits
1322 of the ip are guaranteed to be zero */
1325 }
1329 {
1330 UWord i;
1337 }
1342 {
1354 }
1360 /* find out where to put this, in the new table */
1365 /* This can't ever happen, because it would mean the new
1366 table is full; that isn't allowed -- even the old table is
1367 only allowed to become half full. */
1369 j--;
1371 }
1372 /* copy the old entry to this location */
1377 }
1378 /* all entries copied; free old table. */
1383 /* check sf->htab_used is correct. Optional and a bit expensive
1384 but anyway: */
1388 j++;
1389 }
1390 }
1393 }
1399 Addr ip,
1401 )
1402 {
1405 stats__htab_searches++;
1410 /* Make sure the table loading doesn't get too high. */
1412 stats__htab_resizes++;
1414 }
1420 stats__htab_probes++;
1421 /* Note that because of the way the fast-case handler works,
1422 these two tests are actually redundant in the first iteration
1423 of this loop. (Except they aren't redundant if the code just
1424 above resized the table first. :-) */
1429 /* If i ever gets to zero and we have found neither what we're
1430 looking for nor an empty slot, the table must be full. Which
1431 isn't possible -- we monitor the load factor to ensure it
1432 doesn't get above say 50%; if that ever does happen the table
1433 is resized. */
1435 i--;
1436 ix++;
1438 }
1440 /* So now we've found a free slot at ix, and we can use that. */
1443 /* Add a new record in this slot. */
1450 }
1453 inline
1456 Addr ip,
1458 )
1459 {
1461 /* Is it in the first slot we come to? */
1463 stats__htab_fast++;
1465 }
1466 /* If the first slot we come to is empty, bag it. */
1468 stats__htab_fast++;
1475 }
1476 /* Otherwise we hand off to the slow case, which searches other
1477 slots, and optionally resizes the table if necessary. */
1479 }
1489 }
1491 /* Given an array of StackBlocks, return an array of Addrs, holding
1492 their effective addresses. Caller deallocates result array. */
1496 Addr sp, Addr fp
1497 )
1498 {
1507 }
1509 }
1512 /* Try to classify the block into which a memory access falls, and
1513 write the result in 'inv'. This writes all relevant fields of
1514 'inv'. */
1517 ThreadId tid,
1519 UWord szB,
1521 {
1523 /* First, look in the stack blocks accessible in this instruction's
1524 frame. */
1525 {
1532 /* found it */
1537 stats__classify_Stack0++;
1539 }
1540 }
1541 }
1542 /* Look in this thread's query cache */
1546 stats__qcache_queries++;
1550 stats__qcache_probes++;
1555 QCElem tmp;
1559 i--;
1560 }
1563 }
1564 }
1565 stats__qcache_misses++;
1566 }
1567 /* Ok, so it's not a block in the top frame. Perhaps it's a block
1568 in some calling frame? Consult this thread's stack-block
1569 interval tree to find out. */
1571 /* We know that [ea,ea+1) is in the block, but we need to
1572 restrict to the case where the whole access falls within
1573 it. */
1576 }
1578 /* found it */
1581 stats__classify_StackN++;
1583 }
1584 }
1585 /* Not in a stack block. Try the global pool. */
1587 /* We know that [ea,ea+1) is in the block, but we need to
1588 restrict to the case where the whole access falls within
1589 it. */
1592 }
1594 /* found it */
1597 stats__classify_Global++;
1599 }
1600 }
1601 /* No idea - give up. */
1603 stats__classify_Unknown++;
1605 /* Update the cache */
1606 out:
1627 /* This is more complex. We need to figure out the
1628 intersection of the "holes" in the global and stack
1629 interval trees into which [ea,ea+szB) falls. This is
1630 further complicated by the fact that [ea,ea+szB) might
1631 not fall cleanly into a hole; it may instead fall across
1632 the boundary of a stack or global block. In that case
1633 we just ignore it and don't update the cache, since we
1634 have no way to represent this situation precisely. */
1666 /* If this happens, then [ea,ea+szB) partially overlaps
1667 a heap or stack block. We can't represent that, so
1668 just forget it (should be very rare). However, do
1669 maximum sanity checks first. In such a
1670 partial overlap case, it can't be the case that both
1671 [ea] and [ea+szB-1] overlap the same block, since if
1672 that were indeed the case then it wouldn't be a
1673 partial overlap; rather it would simply fall inside
1674 that block entirely and we shouldn't be inside this
1675 conditional at all. */
1680 /* if both ends of the range fall inside a block,
1681 they can't be in the same block. */
1684 /* for each end of the range, if it is in a block,
1685 the range as a whole can't be entirely within the
1686 block. */
1693 }
1698 /* if both ends of the range fall inside a block,
1699 they can't be in the same block. */
1702 /* for each end of the range, if it is in a block,
1703 the range as a whole can't be entirely within the
1704 block. */
1711 }
1714 }
1721 /* [sMin,sMax] and [gMin,gMax] must both contain
1722 [ea,ea+szB) (right?) That implies they must overlap at
1723 at least over [ea,ea+szB). */
1726 /* So now compute their intersection. */
1732 /* Finally, we can park [uMin,uMax] in the cache. However,
1733 if uMax is ~0, we can't represent the difference; hence
1734 fudge uMax. */
1736 uMax--;
1740 }
1742 /* We should only be caching info for the above 3 cases */
1747 Word i;
1754 }
1760 }
1764 }
1765 }
1768 /* CALLED FROM GENERATED CODE */
1769 static
1773 /* Known at translation time: */
1775 {
1776 UWord szB;
1779 Invar new_inv;
1784 stats__total_accesses++;
1790 /* Find the instance info for this instruction. */
1801 /* Deal with first uses of instruction instances. */
1803 /* This is the first use of this instance of the instruction, so
1804 we can't make any check; we merely record what we saw, so we
1805 can compare it against what happens for 2nd and subsequent
1806 accesses. */
1811 }
1813 /* So generate an Invar and see if it's different from what
1814 we had before. */
1819 /* Did we see something different from before? If no, then there's
1820 no error. */
1833 UWord absDelta;
1839 /* And now install the new observation as "standard", so as to
1840 make future error messages make more sense. */
1842 }
1845 ////////////////////////////////////////
1846 /* Primary push-a-new-frame routine. Called indirectly from
1847 generated code. */
1852 static
1854 Addr sp_at_call_insn,
1855 Addr sp_post_call_insn,
1856 Addr fp_at_call_insn,
1857 Addr ip_post_call_insn,
1859 {
1872 }
1879 caller->blocks_added_by_call
1884 descrs_at_call_insn,
1887 these blocks are
1898 "exp-sgcheck: new max tree sizes: "
1901 }
1904 }
1906 /* caller->blocks_added_by_call is used again (and then freed) when
1907 this frame is removed from the stack. */
1918 }
1920 /* This sets up .htab, .htab_size and .htab_used */
1928 /* record the new running stack frame */
1931 /* and this thread's query cache is now invalid */
1937 Bool ok;
1942 d--;
1943 }
1945 }
1946 }
1948 /* CALLED FROM GENERATED CODE */
1949 static
1952 Addr fp_at_call_insn,
1953 Addr ip_post_call_insn,
1955 Word sp_adjust )
1956 {
1960 sp_at_call_insn,
1961 sp_post_call_insn,
1962 fp_at_call_insn,
1963 ip_post_call_insn,
1964 blocks_at_call_insn );
1965 }
1968 ////////////////////////////////////////
1969 /* Primary remove-frame(s) routine. Called indirectly from
1970 generated code. */
1974 {
1980 //VG_(printf)("UNWIND sp_new = %p\n", sp_now);
1989 //VG_(printf)("UNWIND dump %p\n", innermost->creation_sp);
1993 /* be on the safe side */
2003 /* So now we're "back" in the calling frame. Remove from this
2004 thread's stack-interval-tree, the blocks added at the time of
2005 the call. */
2014 }
2015 }
2016 /* That completes the required tidying of the interval tree
2017 associated with the frame we just removed. */
2023 d--;
2024 }
2026 }
2028 }
2034 /* this thread's query cache is now invalid */
2036 }
2037 }
2041 //////////////////////////////////////////////////////////////
2042 // //
2043 // Instrumentation //
2044 // //
2045 //////////////////////////////////////////////////////////////
2047 /* What does instrumentation need to do?
2049 - at each Call transfer, generate a call to shadowStack_new_frame
2050 do this by manually inspecting the IR
2052 - at each sp change, if the sp change is negative,
2053 call shadowStack_unwind
2054 do this by asking for SP-change analysis
2056 - for each memory referencing instruction,
2057 call helperc__mem_access
2058 */
2060 /* A complication: sg_ instrumentation and h_ instrumentation need to
2061 be interleaved. Since the latter is a lot more complex than the
2062 former, we split the sg_ instrumentation here into four functions
2063 and let the h_ instrumenter call the four functions as it goes.
2064 Hence the h_ instrumenter drives the sg_ instrumenter.
2066 To make this viable, the sg_ instrumenter carries what running
2067 state it needs in 'struct _SGEnv'. This is exported only
2068 abstractly from this file.
2069 */
2072 /* the current insn's IP */
2073 Addr curr_IP;
2074 /* whether the above is actually known */
2075 Bool curr_IP_known;
2076 /* if we find a mem ref, is it the first for this insn? Used for
2077 detecting insns which make more than one memory ref, a situation
2078 we basically can't really handle properly; and so we ignore all
2079 but the first ref. */
2080 Bool firstRef;
2081 /* READONLY */
2084 };
2087 /* --- Helper fns for instrumentation --- */
2092 Int hWordTy_szB )
2093 {
2095 IRTemp sp_temp;
2096 IRType sp_type;
2097 /* This in effect forces the host and guest word sizes to be the
2098 same. */
2105 }
2110 Int hWordTy_szB )
2111 {
2113 IRTemp fp_temp;
2114 IRType fp_type;
2115 /* This in effect forces the host and guest word sizes to be the
2116 same. */
2123 }
2128 Int szB,
2129 Bool isStore,
2130 Int hWordTy_szB,
2131 Addr curr_IP,
2133 {
2143 #if defined(VGA_x86)
2145 // pop %ebp; RET
2147 // pop %ebp; RET $imm16
2149 // PUSH %EBP; mov %esp,%ebp
2151 }
2152 #endif
2154 /* First off, find or create the StackBlocks for this instruction. */
2157 //if (VG_(sizeXA)( frameBlocks ) == 0)
2158 // frameBlocks = NULL;
2160 /* Generate a call to "helperc__mem_access", passing:
2161 addr current_SP current_FP szB curr_IP frameBlocks
2162 */
2165 IRExpr** args
2172 IRDirty* di
2176 args );
2179 }
2180 }
2183 /* --- Instrumentation main (4 fns) --- */
2187 {
2197 }
2200 {
2202 }
2204 /* Add instrumentation for 'st' to 'sbOut', and possibly modify 'env'
2205 as required. This must be called before 'st' itself is added to
2206 'sbOut'. */
2212 {
2224 /* None of these can contain any memory references. */
2229 /* else we must deal with a conditional call */
2248 );
2250 }
2265 );
2267 }
2268 }
2270 }
2273 Int dataSize;
2276 /* This dirty helper accesses memory. Collect the
2277 details. */
2287 );
2288 }
2293 );
2294 }
2296 }
2300 }
2302 }
2305 /* We treat it as a read and a write of the location. I
2306 think that is the same behaviour as it was before IRCAS
2307 was introduced, since prior to that point, the Vex front
2308 ends would translate a lock-prefixed instruction into a
2309 (normal) read followed by a (normal) write. */
2311 Int dataSize;
2321 );
2325 );
2327 }
2329 }
2335 }
2338 /* Add instrumentation for the final jump of an IRSB 'sbOut', and
2339 possibly modify 'env' as required. This must be the last
2340 instrumentation statement in the block. */
2344 IRJumpKind jumpkind,
2347 {
2352 // Assumes x86 or amd64
2357 sp_post_call_insn
2359 fp_post_call_insn
2366 args
2370 /* assume the call doesn't change FP */
2371 next,
2374 );
2379 args );
2381 }
2382 }
2385 //////////////////////////////////////////////////////////////
2386 // //
2387 // end Instrumentation //
2388 // //
2389 //////////////////////////////////////////////////////////////
2392 //////////////////////////////////////////////////////////////
2393 // //
2394 // misc //
2395 // //
2396 //////////////////////////////////////////////////////////////
2398 /* Make a new empty stack frame that is suitable for being the
2399 outermost frame in a stack. It has a creation_sp of effectively
2400 infinity, so it can never be removed. */
2402 {
2407 /* This sets up .htab, .htab_size and .htab_used */
2410 /* ->depth, ->outer, ->inner are 0, NULL, NULL */
2413 }
2415 /* Primary routine for setting up the shadow stack for a new thread.
2416 Note that this is used to create not only child thread stacks, but
2417 the root thread's stack too. We create a new stack with
2418 .creation_sp set to infinity, so that the outermost frame can never
2419 be removed (by shadowStack_unwind). The core calls this function
2420 as soon as a thread is created. We cannot yet get its SP value,
2421 since that may not yet be set. */
2423 {
2426 /* creating the main thread's stack */
2432 }
2434 /* Create the child's stack. Bear in mind we may be re-using
2435 it. */
2437 /* First use of this stack. Just allocate an initial frame. */
2441 /* re-using a stack. */
2442 /* get rid of the interval tree */
2446 /* Throw away all existing frames. */
2456 }
2458 }
2463 /* Set up the initial stack frame. */
2466 /* and set up the child's stack block interval tree. */
2468 }
2470 /* Once a thread is ready to go, the core calls here. We take the
2471 opportunity to push a second frame on its stack, with the
2472 presumably valid SP value that is going to be used for the thread's
2473 startup. Hence we should always wind up with a valid outermost
2474 frame for the thread. */
2476 {
2486 }
2489 //////////////////////////////////////////////////////////////
2490 // //
2491 // main-ish //
2492 // //
2493 //////////////////////////////////////////////////////////////
2495 /* CALLED indirectly FROM GENERATED CODE. Calls here are created by
2496 sp-change analysis, as requested in pc_pre_clo_int(). */
2500 }
2506 }
2509 }
2513 }
2517 }
2520 {
2526 stats__classify_Stack0);
2529 stats__classify_StackN);
2532 stats__classify_Global);
2535 stats__classify_Unknown);
2546 stats__htab_fast);
2550 }
2551 }
2554 /*--------------------------------------------------------------------*/
2555 /*--- end sg_main.c ---*/
2556 /*--------------------------------------------------------------------*/