| blob | c6939e2dba35b8bc303df21445718d2942baa738 |
2 /*--------------------------------------------------------------------*/
3 /*--- Ptrcheck: a pointer-use checker. ---*/
4 /*--- This file checks stack and global array accesses. ---*/
5 /*--- sg_main.c ---*/
6 /*--------------------------------------------------------------------*/
8 /*
9 This file is part of Ptrcheck, a Valgrind tool for checking pointer
10 use in programs.
12 Copyright (C) 2008-2011 OpenWorks Ltd
13 info@open-works.co.uk
15 This program is free software; you can redistribute it and/or
16 modify it under the terms of the GNU General Public License as
17 published by the Free Software Foundation; either version 2 of the
18 License, or (at your option) any later version.
20 This program is distributed in the hope that it will be useful, but
21 WITHOUT ANY WARRANTY; without even the implied warranty of
22 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23 General Public License for more details.
25 You should have received a copy of the GNU General Public License
26 along with this program; if not, write to the Free Software
27 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
28 02111-1307, USA.
30 The GNU General Public License is contained in the file COPYING.
32 Neither the names of the U.S. Department of Energy nor the
33 University of California nor the names of its contributors may be
34 used to endorse or promote products derived from this software
35 without prior written permission.
36 */
56 static
60 //////////////////////////////////////////////////////////////
61 // //
62 // Basic Stuff //
63 // //
64 //////////////////////////////////////////////////////////////
67 {
70 }
78 }
83 }
86 /* Compare the intervals [a1,a1+n1) and [a2,a2+n2). Return -1 if the
87 first interval is lower, 1 if the first interval is higher, and 0
88 if there is any overlap. Redundant paranoia with casting is there
89 following what looked distinctly like a bug in gcc-4.1.2, in which
90 some of the comparisons were done signedly instead of
91 unsignedly. */
92 inline
103 }
105 /* Return true iff [aSmall,aSmall+nSmall) is entirely contained
106 within [aBig,aBig+nBig). */
107 inline
112 }
114 inline
117 }
119 inline
122 }
125 //////////////////////////////////////////////////////////////
126 // //
127 // StackBlocks Persistent Cache //
128 // //
129 //////////////////////////////////////////////////////////////
131 /* We maintain a set of XArray* of StackBlocks. These are never
132 freed. When a new StackBlock vector is acquired from
133 VG_(di_get_local_blocks_at_ip), we compare it to the existing set.
134 If not present, it is added. If present, the just-acquired one is
135 freed and the copy used.
137 This simplifies storage management elsewhere. It allows us to
138 assume that a pointer to an XArray* of StackBlock is valid forever.
139 It also means there are no duplicates anywhere, which could be
140 important from a space point of view for programs that generate a
141 lot of translations, or where translations are frequently discarded
142 and re-made.
144 Note that we normalise the arrays by sorting the elements according
145 to an arbitrary total order, so as to avoid the situation that two
146 vectors describe the same set of variables but are not structurally
147 identical. */
150 {
158 }
160 /* Generate an arbitrary total ordering on StackBlocks. */
162 {
163 Word r;
166 /* Hopefully the .base test hits most of the time. For the blocks
167 associated with any particular instruction, if the .base values
168 are the same then probably it doesn't make sense for the other
169 fields to be different. But this is supposed to be a completely
170 general structural total order, so we have to compare everything
171 anyway. */
174 /* compare sizes */
177 /* compare sp/fp flag */
180 /* compare is/is-not array-typed flag */
183 /* compare the name */
186 }
188 /* Returns True if all fields except .szB are the same. szBs may or
189 may not be the same; they are simply not consulted. */
192 StackBlock* fb2
193 )
194 {
201 }
204 /* Generate an arbitrary total ordering on vectors of StackBlocks. */
206 {
218 }
221 }
224 {
233 );
234 }
236 }
239 /* ---------- The StackBlock vector cache ---------- */
245 {
247 frameBlocks_set
251 }
253 /* Find the given StackBlock-vector in our collection thereof. If
254 found, deallocate the supplied one, and return the address of the
255 copy. If not found, add the supplied one to our collection and
256 return its address. */
258 StackBlocks__find_and_dealloc__or_add
260 {
263 /* First, normalise, as per comments above. */
267 /* Now get rid of any exact duplicates. */
268 nuke_dups:
280 }
285 }
286 w++;
287 }
292 }
294 }
295 }
297 /* Deal with the following strangeness, where two otherwise
298 identical blocks are claimed to have different sizes. In which
299 case we use the larger size. */
300 /* StackBlock{ off 16 szB 66 spRel:Y isVec:Y "sz" }
301 StackBlock{ off 16 szB 130 spRel:Y isVec:Y "sz" }
302 StackBlock{ off 208 szB 16 spRel:Y isVec:Y "ar" }
303 */
310 /* They can't be identical because the previous tidying
311 pass would have removed the duplicates. And they
312 can't be > because the earlier sorting pass would
313 have ordered otherwise-identical descriptors
314 according to < on .szB fields. Hence: */
317 /* This makes the blocks identical, at the size of the
318 larger one. Rather than go to all the hassle of
319 sliding the rest down, simply go back to the
320 remove-duplicates stage. The assertion guarantees
321 that we eventually make progress, since the rm-dups
322 stage will get rid of one of the blocks. This is
323 expected to happen only exceedingly rarely. */
326 }
327 }
328 }
329 }
331 /* If there are any blocks which overlap and have the same
332 fpRel-ness, junk the whole descriptor; it's obviously bogus.
333 Icc11 certainly generates bogus info from time to time.
335 This check is pretty weak; really we ought to have a stronger
336 sanity check. */
346 moans--;
354 }
357 }
358 }
359 }
361 /* Now, do we have it already? */
363 /* yes */
371 /* no */
374 }
375 }
377 /* Top level function for getting the StackBlock vector for a given
378 instruction. It is guaranteed that the returned pointer will be
379 valid for the entire rest of the run, and also that the addresses
380 of the individual elements of the array will not change. */
383 {
387 }
390 //////////////////////////////////////////////////////////////
391 // //
392 // GlobalBlocks Persistent Cache //
393 // //
394 //////////////////////////////////////////////////////////////
396 /* Generate an arbitrary total ordering on GlobalBlocks. */
398 {
399 Word r;
400 /* compare addrs */
403 /* compare sizes */
406 /* compare is/is-not array-typed flag */
409 /* compare the name */
412 /* compare the soname */
415 }
421 {
423 globalBlock_set
427 }
430 /* Top level function for making GlobalBlocks persistent. Call here
431 with a non-persistent version, and the returned one is guaranteed
432 to be valid for the entire rest of the run. The supplied one is
433 copied, not stored, so can be freed after the call. */
436 {
438 /* Now, do we have it already? */
440 /* yes, return the copy */
447 /* no. clone it, store the clone and return the clone's
448 address. */
455 }
456 }
459 //////////////////////////////////////////////////////////////
460 // //
461 // Interval tree of StackTreeBlock //
462 // //
463 //////////////////////////////////////////////////////////////
465 /* A node in a stack interval tree. Zero length intervals (.szB == 0)
466 are not allowed.
468 A stack interval tree is a (WordFM StackTreeNode* void). There is
469 one stack interval tree for each thread.
470 */
471 typedef
473 Addr addr;
477 }
478 StackTreeNode;
481 {
489 }
491 }
493 /* Interval comparison function for StackTreeNode */
496 {
499 }
501 /* Find the node holding 'a', if any. */
503 {
505 StackTreeNode key;
516 }
517 }
519 /* Note that the supplied XArray of FrameBlock must have been
520 made persistent already. */
526 UWord depth
527 )
528 {
543 }
546 Bool already_present;
558 /* The interval can't already be there; else we have
559 overlapping stack blocks. */
563 }
564 }
568 }
569 }
573 {
577 Bool b;
580 /* The interval must be there; we added it earlier when
581 the associated frame was created. */
584 /* we just found the block! */
589 }
590 }
597 }
600 }
602 {
605 }
610 }
613 //////////////////////////////////////////////////////////////
614 // //
615 // Interval tree of GlobalTreeBlock //
616 // //
617 //////////////////////////////////////////////////////////////
619 /* A node in a global interval tree. Zero length intervals
620 (.szB == 0) are not allowed.
622 A global interval tree is a (WordFM GlobalTreeNode* void). There
623 is one global interval tree for the entire process.
624 */
625 typedef
630 }
631 GlobalTreeNode;
637 }
641 {
652 }
655 }
657 /* Interval comparison function for GlobalTreeNode */
660 {
663 }
665 /* Find the node holding 'a', if any. */
667 {
669 GlobalTreeNode key;
679 }
680 }
682 /* Note that the supplied GlobalBlock must have been made persistent
683 already. */
686 GlobalBlock* descr
687 )
688 {
689 Bool already_present;
700 /* Basically it's an error to add a global block to the tree that
701 is already in the tree. However, detect and ignore attempts to
702 insert exact duplicates; they do appear for some reason
703 (possible a bug in m_debuginfo?) */
713 /* && 0 == VG_(strcmp)(nd->descr->name, nyu->descr->name) */
714 /* Although it seems reasonable to demand that duplicate
715 blocks have identical names, that is too strict. For
716 example, reading debuginfo from glibc produces two
717 otherwise identical blocks with names "tzname" and
718 "__tzname". A constraint of the form "must be identical,
719 or one must be a substring of the other" would fix that.
720 However, such trickery is scuppered by the fact that we
721 truncate all variable names to 15 characters to make
722 storage management simpler, hence giving pairs like
723 "__EI___pthread_" (truncated) vs "__pthread_keys". So
724 it's simplest just to skip the name comparison
725 completely. */
727 /* exact duplicate; ignore it */
730 }
731 /* else fall through; the assertion below will catch it */
732 }
735 /* The interval can't already be there; else we have
736 overlapping global blocks. */
737 /* Unfortunately (25 Jan 09) at least icc11 has been seen to
738 generate overlapping block descriptions in the Dwarf3; clearly
739 bogus. */
741 moans--;
750 }
754 }
755 /* tl_assert(!already_present); */
756 }
760 {
761 /* One easy way to do this: look up [a,a+szB) in the tree. That
762 will either succeed, producing a block which intersects that
763 range, in which case we delete it and repeat; or it will fail,
764 in which case there are no blocks intersecting the range, and we
765 can bring the process to a halt. */
788 }
791 }
794 //////////////////////////////////////////////////////////////
795 // //
796 // Invar //
797 // //
798 //////////////////////////////////////////////////////////////
800 /* An invariant, as resulting from watching the destination of a
801 memory referencing instruction. Initially is Inv_Unset until the
802 instruction makes a first access. */
804 typedef
811 }
812 InvarTag;
814 typedef
816 InvarTag tag;
823 Addr addr;
824 SizeT szB;
828 /* Pointer to a node in the interval tree for
829 this thread. */
833 /* Pointer to a GlobalBlock in the interval tree of
834 global blocks. */
837 }
838 Inv;
839 }
840 Invar;
842 /* Partial debugging printing for an Invar. */
844 {
866 }
867 }
869 /* Compare two Invars for equality. */
871 {
888 }
889 /*NOTREACHED*/
891 }
893 /* Generate a piece of text showing 'ea' is relative to 'invar', if
894 known. If unknown, generate an empty string. 'buf' must be at
895 least 32 bytes in size. Also return the absolute value of the
896 delta, if known, or zero if not known.
897 */
901 {
926 }
931 }
935 }
937 // Leave *absDelta at zero.
939 }
940 }
943 /* Print selected parts of an Invar, suitable for use in error
944 messages. */
946 {
979 }
980 }
983 //////////////////////////////////////////////////////////////
984 // //
985 // our globals //
986 // //
987 //////////////////////////////////////////////////////////////
989 //////////////////////////////////////////////////////////////
990 ///
992 #define N_QCACHE 16
994 /* Powers of two only, else the result will be chaos */
995 #define QCACHE_ADVANCE_EVERY 16
997 /* Per-thread query cache. Note that the invar can only be Inv_StackN
998 (but not Inv_Stack0), Inv_Global or Inv_Unknown. */
999 typedef
1001 Addr addr;
1002 SizeT szB;
1003 Invar inv;
1004 }
1005 QCElem;
1007 typedef
1009 Word nInUse;
1011 }
1012 QCache;
1017 }
1020 {
1021 Word i;
1027 }
1029 }
1035 ///
1036 //////////////////////////////////////////////////////////////
1038 /* Each thread has:
1039 * a shadow stack of StackFrames, which is a double-linked list
1040 * an stack block interval tree
1041 */
1049 /* Additionally, there is one global variable interval tree
1050 for the entire process.
1051 */
1056 {
1057 Word i;
1060 }
1061 }
1064 {
1065 Word i;
1069 }
1073 }
1076 //////////////////////////////////////////////////////////////
1077 // //
1078 // Handle global variable load/unload events //
1079 // //
1080 //////////////////////////////////////////////////////////////
1083 {
1098 /* Make a persistent copy of each GlobalBlock, and add it
1099 to the tree. */
1102 }
1105 }
1108 /* We only intercept these two because we need to see any di_handles
1109 that might arise from the mappings/allocations. */
1112 {
1115 }
1118 {
1121 }
1123 {
1143 }
1145 }
1150 /* Ok, the range contained some blocks. Therefore we'll need to
1151 visit all the Invars in all the thread shadow stacks, and
1152 convert all Inv_Global entries that intersect [a,a+len) to
1153 Inv_Unknown. */
1157 }
1160 //////////////////////////////////////////////////////////////
1161 // //
1162 // StackFrame //
1163 // //
1164 //////////////////////////////////////////////////////////////
1180 /* A dynamic instance of an instruction */
1181 typedef
1183 /* IMMUTABLE */
1186 /* MUTABLE */
1187 Invar invar;
1188 }
1189 IInstance;
1192 #define N_HTAB_FIXED 64
1194 typedef
1196 /* The sp when the frame was created, so we know when to get rid
1197 of it. */
1198 Addr creation_sp;
1199 /* The stack frames for a thread are arranged as a doubly linked
1200 list. Obviously the outermost frame in the stack has .outer
1201 as NULL and the innermost in theory has .inner as NULL.
1202 However, when a function returns, we don't delete the
1203 just-vacated StackFrame. Instead, it is retained in the list
1204 and will be re-used when the next call happens. This is so
1205 as to avoid constantly having to dynamically allocate and
1206 deallocate frames. */
1210 /* Information for each memory referencing instruction, for this
1211 instantiation of the function. The iinstances array is
1212 operated as a simple linear-probe hash table, which is
1213 dynamically expanded as necessary. Once critical thing is
1214 that an IInstance with a .insn_addr of zero is interpreted to
1215 mean that hash table slot is unused. This means we can't
1216 store an IInstance for address zero. */
1217 /* Note that htab initially points to htab_fixed. If htab_fixed
1218 turns out not to be big enough then htab is made to point to
1219 dynamically allocated memory. But it's often the case that
1220 htab_fixed is big enough, so this optimisation saves a huge
1221 number of sg_malloc/sg_free call pairs. */
1225 /* If this frame is currently making a call, then the following
1226 are relevant. */
1227 Addr sp_at_call;
1228 Addr fp_at_call;
1230 /* See comment just above */
1232 }
1233 StackFrame;
1239 /* Move this somewhere else? */
1240 /* Visit all Invars in the entire system. If 'isHeap' is True, change
1241 all Inv_Heap Invars that intersect [a,a+len) to Inv_Unknown. If
1242 'isHeap' is False, do the same but to the Inv_Global{S,V} Invars
1243 instead. */
1247 {
1248 stats__Invars_preened++;
1261 stats__Invars_changed++;
1262 }
1270 }
1271 }
1275 {
1276 Int i;
1277 UWord u;
1284 /* start from the innermost frame */
1288 /* work through the frames from innermost to outermost. The
1289 order isn't important; we just need to ensure we visit each
1290 frame once (including those which are not actually active,
1291 more 'inner' than the 'innermost active frame', viz, just
1292 hanging around waiting to be used, when the current innermost
1293 active frame makes more calls. See comments on definition of
1294 struct _StackFrame. */
1305 xx++;
1306 }
1308 }
1309 }
1310 }
1313 /* XXX this should be >> 2 on ppc32/64 since the bottom two bits
1314 of the ip are guaranteed to be zero */
1317 }
1321 {
1322 UWord i;
1329 }
1334 {
1346 }
1352 /* find out where to put this, in the new table */
1357 /* This can't ever happen, because it would mean the new
1358 table is full; that isn't allowed -- even the old table is
1359 only allowed to become half full. */
1361 j--;
1363 }
1364 /* copy the old entry to this location */
1369 }
1370 /* all entries copied; free old table. */
1375 /* check sf->htab_used is correct. Optional and a bit expensive
1376 but anyway: */
1380 j++;
1381 }
1382 }
1385 }
1391 Addr ip,
1393 )
1394 {
1397 stats__htab_searches++;
1402 /* Make sure the table loading doesn't get too high. */
1404 stats__htab_resizes++;
1406 }
1412 stats__htab_probes++;
1413 /* Note that because of the way the fast-case handler works,
1414 these two tests are actually redundant in the first iteration
1415 of this loop. (Except they aren't redundant if the code just
1416 above resized the table first. :-) */
1421 /* If i ever gets to zero and we have found neither what we're
1422 looking for nor an empty slot, the table must be full. Which
1423 isn't possible -- we monitor the load factor to ensure it
1424 doesn't get above say 50%; if that ever does happen the table
1425 is resized. */
1427 i--;
1428 ix++;
1430 }
1432 /* So now we've found a free slot at ix, and we can use that. */
1435 /* Add a new record in this slot. */
1442 }
1445 inline
1448 Addr ip,
1450 )
1451 {
1453 /* Is it in the first slot we come to? */
1455 stats__htab_fast++;
1457 }
1458 /* If the first slot we come to is empty, bag it. */
1460 stats__htab_fast++;
1467 }
1468 /* Otherwise we hand off to the slow case, which searches other
1469 slots, and optionally resizes the table if necessary. */
1471 }
1481 }
1483 /* Given an array of StackBlocks, return an array of Addrs, holding
1484 their effective addresses. Caller deallocates result array. */
1488 Addr sp, Addr fp
1489 )
1490 {
1499 }
1501 }
1504 /* Try to classify the block into which a memory access falls, and
1505 write the result in 'inv'. This writes all relevant fields of
1506 'inv'. */
1509 ThreadId tid,
1511 UWord szB,
1513 {
1515 /* First, look in the stack blocks accessible in this instruction's
1516 frame. */
1517 {
1524 /* found it */
1529 stats__classify_Stack0++;
1531 }
1532 }
1533 }
1534 /* Look in this thread's query cache */
1538 stats__qcache_queries++;
1542 stats__qcache_probes++;
1547 QCElem tmp;
1551 i--;
1552 }
1555 }
1556 }
1557 stats__qcache_misses++;
1558 }
1559 /* Ok, so it's not a block in the top frame. Perhaps it's a block
1560 in some calling frame? Consult this thread's stack-block
1561 interval tree to find out. */
1563 /* We know that [ea,ea+1) is in the block, but we need to
1564 restrict to the case where the whole access falls within
1565 it. */
1568 }
1570 /* found it */
1573 stats__classify_StackN++;
1575 }
1576 }
1577 /* Not in a stack block. Try the global pool. */
1579 /* We know that [ea,ea+1) is in the block, but we need to
1580 restrict to the case where the whole access falls within
1581 it. */
1584 }
1586 /* found it */
1589 stats__classify_Global++;
1591 }
1592 }
1593 /* No idea - give up. */
1595 stats__classify_Unknown++;
1597 /* Update the cache */
1598 out:
1619 /* This is more complex. We need to figure out the
1620 intersection of the "holes" in the global and stack
1621 interval trees into which [ea,ea+szB) falls. This is
1622 further complicated by the fact that [ea,ea+szB) might
1623 not fall cleanly into a hole; it may instead fall across
1624 the boundary of a stack or global block. In that case
1625 we just ignore it and don't update the cache, since we
1626 have no way to represent this situation precisely. */
1658 /* If this happens, then [ea,ea+szB) partially overlaps
1659 a heap or stack block. We can't represent that, so
1660 just forget it (should be very rare). However, do
1661 maximum sanity checks first. In such a
1662 partial overlap case, it can't be the case that both
1663 [ea] and [ea+szB-1] overlap the same block, since if
1664 that were indeed the case then it wouldn't be a
1665 partial overlap; rather it would simply fall inside
1666 that block entirely and we shouldn't be inside this
1667 conditional at all. */
1672 /* if both ends of the range fall inside a block,
1673 they can't be in the same block. */
1676 /* for each end of the range, if it is in a block,
1677 the range as a whole can't be entirely within the
1678 block. */
1685 }
1690 /* if both ends of the range fall inside a block,
1691 they can't be in the same block. */
1694 /* for each end of the range, if it is in a block,
1695 the range as a whole can't be entirely within the
1696 block. */
1703 }
1706 }
1713 /* [sMin,sMax] and [gMin,gMax] must both contain
1714 [ea,ea+szB) (right?) That implies they must overlap at
1715 at least over [ea,ea+szB). */
1718 /* So now compute their intersection. */
1724 /* Finally, we can park [uMin,uMax] in the cache. However,
1725 if uMax is ~0, we can't represent the difference; hence
1726 fudge uMax. */
1728 uMax--;
1732 }
1734 /* We should only be caching info for the above 3 cases */
1739 Word i;
1746 }
1752 }
1756 }
1757 }
1760 /* CALLED FROM GENERATED CODE */
1761 static
1765 /* Known at translation time: */
1767 {
1768 UWord szB;
1771 Invar new_inv;
1776 stats__total_accesses++;
1782 /* Find the instance info for this instruction. */
1793 /* Deal with first uses of instruction instances. */
1795 /* This is the first use of this instance of the instruction, so
1796 we can't make any check; we merely record what we saw, so we
1797 can compare it against what happens for 2nd and subsequent
1798 accesses. */
1803 }
1805 /* So generate an Invar and see if it's different from what
1806 we had before. */
1811 /* Did we see something different from before? If no, then there's
1812 no error. */
1825 UWord absDelta;
1831 /* And now install the new observation as "standard", so as to
1832 make future error messages make more sense. */
1834 }
1837 ////////////////////////////////////////
1838 /* Primary push-a-new-frame routine. Called indirectly from
1839 generated code. */
1844 static
1846 Addr sp_at_call_insn,
1847 Addr sp_post_call_insn,
1848 Addr fp_at_call_insn,
1849 Addr ip_post_call_insn,
1851 {
1864 }
1871 caller->blocks_added_by_call
1876 descrs_at_call_insn,
1879 these blocks are
1890 "exp-sgcheck: new max tree sizes: "
1893 }
1896 }
1898 /* caller->blocks_added_by_call is used again (and then freed) when
1899 this frame is removed from the stack. */
1910 }
1912 /* This sets up .htab, .htab_size and .htab_used */
1920 /* record the new running stack frame */
1923 /* and this thread's query cache is now invalid */
1929 Bool ok;
1934 d--;
1935 }
1937 }
1938 }
1940 /* CALLED FROM GENERATED CODE */
1941 static
1944 Addr fp_at_call_insn,
1945 Addr ip_post_call_insn,
1947 Word sp_adjust )
1948 {
1952 sp_at_call_insn,
1953 sp_post_call_insn,
1954 fp_at_call_insn,
1955 ip_post_call_insn,
1956 blocks_at_call_insn );
1957 }
1960 ////////////////////////////////////////
1961 /* Primary remove-frame(s) routine. Called indirectly from
1962 generated code. */
1966 {
1972 //VG_(printf)("UNWIND sp_new = %p\n", sp_now);
1981 //VG_(printf)("UNWIND dump %p\n", innermost->creation_sp);
1985 /* be on the safe side */
1995 /* So now we're "back" in the calling frame. Remove from this
1996 thread's stack-interval-tree, the blocks added at the time of
1997 the call. */
2006 }
2007 }
2008 /* That completes the required tidying of the interval tree
2009 associated with the frame we just removed. */
2015 d--;
2016 }
2018 }
2020 }
2026 /* this thread's query cache is now invalid */
2028 }
2029 }
2033 //////////////////////////////////////////////////////////////
2034 // //
2035 // Instrumentation //
2036 // //
2037 //////////////////////////////////////////////////////////////
2039 /* What does instrumentation need to do?
2041 - at each Call transfer, generate a call to shadowStack_new_frame
2042 do this by manually inspecting the IR
2044 - at each sp change, if the sp change is negative,
2045 call shadowStack_unwind
2046 do this by asking for SP-change analysis
2048 - for each memory referencing instruction,
2049 call helperc__mem_access
2050 */
2052 /* A complication: sg_ instrumentation and h_ instrumentation need to
2053 be interleaved. Since the latter is a lot more complex than the
2054 former, we split the sg_ instrumentation here into four functions
2055 and let the h_ instrumenter call the four functions as it goes.
2056 Hence the h_ instrumenter drives the sg_ instrumenter.
2058 To make this viable, the sg_ instrumenter carries what running
2059 state it needs in 'struct _SGEnv'. This is exported only
2060 abstractly from this file.
2061 */
2064 /* the current insn's IP */
2065 Addr64 curr_IP;
2066 /* whether the above is actually known */
2067 Bool curr_IP_known;
2068 /* if we find a mem ref, is it the first for this insn? Used for
2069 detecting insns which make more than one memory ref, a situation
2070 we basically can't really handle properly; and so we ignore all
2071 but the first ref. */
2072 Bool firstRef;
2073 /* READONLY */
2076 };
2079 /* --- Helper fns for instrumentation --- */
2084 Int hWordTy_szB )
2085 {
2087 IRTemp sp_temp;
2088 IRType sp_type;
2089 /* This in effect forces the host and guest word sizes to be the
2090 same. */
2097 }
2102 Int hWordTy_szB )
2103 {
2105 IRTemp fp_temp;
2106 IRType fp_type;
2107 /* This in effect forces the host and guest word sizes to be the
2108 same. */
2115 }
2120 Int szB,
2121 Bool isStore,
2122 Int hWordTy_szB,
2123 Addr curr_IP,
2125 {
2135 #if defined(VGA_x86)
2137 // pop %ebp; RET
2139 // pop %ebp; RET $imm16
2141 // PUSH %EBP; mov %esp,%ebp
2143 }
2144 #endif
2146 /* First off, find or create the StackBlocks for this instruction. */
2149 //if (VG_(sizeXA)( frameBlocks ) == 0)
2150 // frameBlocks = NULL;
2152 /* Generate a call to "helperc__mem_access", passing:
2153 addr current_SP current_FP szB curr_IP frameBlocks
2154 */
2157 IRExpr** args
2164 IRDirty* di
2168 args );
2171 }
2172 }
2175 /* --- Instrumentation main (4 fns) --- */
2179 {
2189 }
2192 {
2194 }
2196 /* Add instrumentation for 'st' to 'sbOut', and possibly modify 'env'
2197 as required. This must be called before 'st' itself is added to
2198 'sbOut'. */
2204 {
2216 /* None of these can contain any memory references. */
2221 /* else we must deal with a conditional call */
2240 );
2242 }
2257 );
2259 }
2260 }
2262 }
2265 Int dataSize;
2268 /* This dirty helper accesses memory. Collect the
2269 details. */
2279 );
2280 }
2285 );
2286 }
2288 }
2292 }
2294 }
2297 /* We treat it as a read and a write of the location. I
2298 think that is the same behaviour as it was before IRCAS
2299 was introduced, since prior to that point, the Vex front
2300 ends would translate a lock-prefixed instruction into a
2301 (normal) read followed by a (normal) write. */
2303 Int dataSize;
2313 );
2317 );
2319 }
2321 }
2327 }
2330 /* Add instrumentation for the final jump of an IRSB 'sbOut', and
2331 possibly modify 'env' as required. This must be the last
2332 instrumentation statement in the block. */
2336 IRJumpKind jumpkind,
2339 {
2344 // Assumes x86 or amd64
2349 sp_post_call_insn
2351 fp_post_call_insn
2358 args
2362 /* assume the call doesn't change FP */
2363 next,
2366 );
2371 args );
2373 }
2374 }
2377 //////////////////////////////////////////////////////////////
2378 // //
2379 // end Instrumentation //
2380 // //
2381 //////////////////////////////////////////////////////////////
2384 //////////////////////////////////////////////////////////////
2385 // //
2386 // misc //
2387 // //
2388 //////////////////////////////////////////////////////////////
2390 /* Make a new empty stack frame that is suitable for being the
2391 outermost frame in a stack. It has a creation_sp of effectively
2392 infinity, so it can never be removed. */
2394 {
2399 /* This sets up .htab, .htab_size and .htab_used */
2402 /* ->depth, ->outer, ->inner are 0, NULL, NULL */
2405 }
2407 /* Primary routine for setting up the shadow stack for a new thread.
2408 Note that this is used to create not only child thread stacks, but
2409 the root thread's stack too. We create a new stack with
2410 .creation_sp set to infinity, so that the outermost frame can never
2411 be removed (by shadowStack_unwind). The core calls this function
2412 as soon as a thread is created. We cannot yet get its SP value,
2413 since that may not yet be set. */
2415 {
2418 /* creating the main thread's stack */
2424 }
2426 /* Create the child's stack. Bear in mind we may be re-using
2427 it. */
2429 /* First use of this stack. Just allocate an initial frame. */
2433 /* re-using a stack. */
2434 /* get rid of the interval tree */
2438 /* Throw away all existing frames. */
2448 }
2450 }
2455 /* Set up the initial stack frame. */
2458 /* and set up the child's stack block interval tree. */
2460 }
2462 /* Once a thread is ready to go, the core calls here. We take the
2463 opportunity to push a second frame on its stack, with the
2464 presumably valid SP value that is going to be used for the thread's
2465 startup. Hence we should always wind up with a valid outermost
2466 frame for the thread. */
2468 {
2478 }
2481 //////////////////////////////////////////////////////////////
2482 // //
2483 // main-ish //
2484 // //
2485 //////////////////////////////////////////////////////////////
2487 /* CALLED indirectly FROM GENERATED CODE. Calls here are created by
2488 sp-change analysis, as requested in pc_pre_clo_int(). */
2492 }
2498 }
2501 }
2505 }
2509 }
2512 {
2518 stats__classify_Stack0);
2521 stats__classify_StackN);
2524 stats__classify_Global);
2527 stats__classify_Unknown);
2538 stats__htab_fast);
2542 }
2543 }
2546 /*--------------------------------------------------------------------*/
2547 /*--- end sg_main.c ---*/
2548 /*--------------------------------------------------------------------*/