| blob | 712f7d32899e657422c73453809a31e430e7ccee |
2 /*--------------------------------------------------------------------*/
3 /*--- MemCheck: Maintain bitmaps of memory, tracking the ---*/
4 /*--- accessibility (A) and validity (V) status of each byte. ---*/
5 /*--- mc_main.c ---*/
6 /*--------------------------------------------------------------------*/
8 /*
9 This file is part of MemCheck, a heavyweight Valgrind tool for
10 detecting memory errors.
12 Copyright (C) 2000-2013 Julian Seward
13 jseward@acm.org
15 This program is free software; you can redistribute it and/or
16 modify it under the terms of the GNU General Public License as
17 published by the Free Software Foundation; either version 2 of the
18 License, or (at your option) any later version.
20 This program is distributed in the hope that it will be useful, but
21 WITHOUT ANY WARRANTY; without even the implied warranty of
22 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23 General Public License for more details.
25 You should have received a copy of the GNU General Public License
26 along with this program; if not, write to the Free Software
27 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
28 02111-1307, USA.
30 The GNU General Public License is contained in the file COPYING.
31 */
54 /* Set to 1 to enable handwritten assembly helpers on targets for
55 which it is supported. */
56 #define ENABLE_ASSEMBLY_HELPERS 1
58 /* Set to 1 to do a little more sanity checking */
59 #define VG_DEBUG_MEMORY 0
67 /*------------------------------------------------------------*/
68 /*--- Fast-case knobs ---*/
69 /*------------------------------------------------------------*/
71 // Comment these out to disable the fast cases (don't just set them to zero).
73 #define PERF_FAST_LOADV 1
74 #define PERF_FAST_STOREV 1
76 #define PERF_FAST_SARP 1
78 #define PERF_FAST_STACK 1
79 #define PERF_FAST_STACK2 1
81 /* Change this to 1 to enable assertions on origin tracking cache fast
82 paths */
83 #define OC_ENABLE_ASSERTIONS 0
86 /*------------------------------------------------------------*/
87 /*--- Comments on the origin tracking implementation ---*/
88 /*------------------------------------------------------------*/
90 /* See detailed comment entitled
91 AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
92 which is contained further on in this file. */
95 /*------------------------------------------------------------*/
96 /*--- V bits and A bits ---*/
97 /*------------------------------------------------------------*/
99 /* Conceptually, every byte value has 8 V bits, which track whether Memcheck
100 thinks the corresponding value bit is defined. And every memory byte
101 has an A bit, which tracks whether Memcheck thinks the program can access
102 it safely (ie. it's mapped, and has at least one of the RWX permission bits
103 set). So every N-bit register is shadowed with N V bits, and every memory
104 byte is shadowed with 8 V bits and one A bit.
106 In the implementation, we use two forms of compression (compressed V bits
107 and distinguished secondary maps) to avoid the 9-bit-per-byte overhead
108 for memory.
110 Memcheck also tracks extra information about each heap block that is
111 allocated, for detecting memory leaks and other purposes.
112 */
114 /*------------------------------------------------------------*/
115 /*--- Basic A/V bitmap representation. ---*/
116 /*------------------------------------------------------------*/
118 /* All reads and writes are checked against a memory map (a.k.a. shadow
119 memory), which records the state of all memory in the process.
121 On 32-bit machines the memory map is organised as follows.
122 The top 16 bits of an address are used to index into a top-level
123 map table, containing 65536 entries. Each entry is a pointer to a
124 second-level map, which records the accesibililty and validity
125 permissions for the 65536 bytes indexed by the lower 16 bits of the
126 address. Each byte is represented by two bits (details are below). So
127 each second-level map contains 16384 bytes. This two-level arrangement
128 conveniently divides the 4G address space into 64k lumps, each size 64k
129 bytes.
131 All entries in the primary (top-level) map must point to a valid
132 secondary (second-level) map. Since many of the 64kB chunks will
133 have the same status for every bit -- ie. noaccess (for unused
134 address space) or entirely addressable and defined (for code segments) --
135 there are three distinguished secondary maps, which indicate 'noaccess',
136 'undefined' and 'defined'. For these uniform 64kB chunks, the primary
137 map entry points to the relevant distinguished map. In practice,
138 typically more than half of the addressable memory is represented with
139 the 'undefined' or 'defined' distinguished secondary map, so it gives a
140 good saving. It also lets us set the V+A bits of large address regions
141 quickly in set_address_range_perms().
143 On 64-bit machines it's more complicated. If we followed the same basic
144 scheme we'd have a four-level table which would require too many memory
145 accesses. So instead the top-level map table has 2^20 entries (indexed
146 using bits 16..35 of the address); this covers the bottom 64GB. Any
147 accesses above 64GB are handled with a slow, sparse auxiliary table.
148 Valgrind's address space manager tries very hard to keep things below
149 this 64GB barrier so that performance doesn't suffer too much.
151 Note that this file has a lot of different functions for reading and
152 writing shadow memory. Only a couple are strictly necessary (eg.
153 get_vabits2 and set_vabits2), most are just specialised for specific
154 common cases to improve performance.
156 Aside: the V+A bits are less precise than they could be -- we have no way
157 of marking memory as read-only. It would be great if we could add an
158 extra state VA_BITSn_READONLY. But then we'd have 5 different states,
159 which requires 2.3 bits to hold, and there's no way to do that elegantly
160 -- we'd have to double up to 4 bits of metadata per byte, which doesn't
161 seem worth it.
162 */
164 /* --------------- Basic configuration --------------- */
166 /* Only change this. N_PRIMARY_MAP *must* be a power of 2. */
168 #if VG_WORDSIZE == 4
170 /* cover the entire address space */
171 # define N_PRIMARY_BITS 16
173 #else
175 /* Just handle the first 64G fast and the rest via auxiliary
176 primaries. If you change this, Memcheck will assert at startup.
177 See the definition of UNALIGNED_OR_HIGH for extensive comments. */
178 # define N_PRIMARY_BITS 20
180 #endif
183 /* Do not change this. */
184 #define N_PRIMARY_MAP ( ((UWord)1) << N_PRIMARY_BITS)
186 /* Do not change this. */
187 #define MAX_PRIMARY_ADDRESS (Addr)((((Addr)65536) * N_PRIMARY_MAP)-1)
190 /* --------------- Secondary maps --------------- */
192 // Each byte of memory conceptually has an A bit, which indicates its
193 // addressability, and 8 V bits, which indicates its definedness.
194 //
195 // But because very few bytes are partially defined, we can use a nice
196 // compression scheme to reduce the size of shadow memory. Each byte of
197 // memory has 2 bits which indicates its state (ie. V+A bits):
198 //
199 // 00: noaccess (unaddressable but treated as fully defined)
200 // 01: undefined (addressable and fully undefined)
201 // 10: defined (addressable and fully defined)
202 // 11: partdefined (addressable and partially defined)
203 //
204 // In the "partdefined" case, we use a secondary table to store the V bits.
205 // Each entry in the secondary-V-bits table maps a byte address to its 8 V
206 // bits.
207 //
208 // We store the compressed V+A bits in 8-bit chunks, ie. the V+A bits for
209 // four bytes (32 bits) of memory are in each chunk. Hence the name
210 // "vabits8". This lets us get the V+A bits for four bytes at a time
211 // easily (without having to do any shifting and/or masking), and that is a
212 // very common operation. (Note that although each vabits8 chunk
213 // is 8 bits in size, it represents 32 bits of memory.)
214 //
215 // The representation is "inverse" little-endian... each 4 bytes of
216 // memory is represented by a 1 byte value, where:
217 //
218 // - the status of byte (a+0) is held in bits [1..0]
219 // - the status of byte (a+1) is held in bits [3..2]
220 // - the status of byte (a+2) is held in bits [5..4]
221 // - the status of byte (a+3) is held in bits [7..6]
222 //
223 // It's "inverse" because endianness normally describes a mapping from
224 // value bits to memory addresses; in this case the mapping is inverted.
225 // Ie. instead of particular value bits being held in certain addresses, in
226 // this case certain addresses are represented by particular value bits.
227 // See insert_vabits2_into_vabits8() for an example.
228 //
229 // But note that we don't compress the V bits stored in registers; they
230 // need to be explicit to made the shadow operations possible. Therefore
231 // when moving values between registers and memory we need to convert
232 // between the expanded in-register format and the compressed in-memory
233 // format. This isn't so difficult, it just requires careful attention in a
234 // few places.
236 // These represent eight bits of memory.
242 // These represent 16 bits of memory.
247 // These represent 32 bits of memory.
252 // These represent 64 bits of memory.
259 #define SM_OFF(aaa) (((aaa) & 0xffff) >> 2)
260 #define SM_OFF_16(aaa) (((aaa) & 0xffff) >> 3)
262 // Paranoia: it's critical for performance that the requested inlining
263 // occurs. So try extra hard.
264 #define INLINE inline __attribute__((always_inline))
268 }
271 }
273 typedef
276 }
277 SecMap;
279 // 3 distinguished secondary maps, one for no-access, one for
280 // accessible but undefined, and one for accessible and defined.
281 // Distinguished secondaries may never be modified.
282 #define SM_DIST_NOACCESS 0
283 #define SM_DIST_UNDEFINED 1
284 #define SM_DIST_DEFINED 2
290 }
292 // Forward declaration
295 /* dist_sm points to one of our three distinguished secondaries. Make
296 a copy of it so that we can write to it.
297 */
299 {
312 }
314 /* --------------- Stats --------------- */
327 /* # searches initiated in auxmap_L1, and # base cmps required */
330 /* # of searches that missed in auxmap_L1 and therefore had to
331 be handed to auxmap_L2. And the number of nodes inserted. */
342 {
347 n_deissued_SMs ++; }
353 n_issued_SMs ++; }
359 }
361 /* --------------- Primary maps --------------- */
363 /* The main primary map. This covers some initial part of the address
364 space, addresses 0 .. (N_PRIMARY_MAP << 16)-1. The rest of it is
365 handled using the auxiliary primary map.
366 */
370 /* An entry in the auxiliary primary map. base must be a 64k-aligned
371 value, and sm points at the relevant secondary map. As with the
372 main primary map, the secondary may be either a real secondary, or
373 one of the three distinguished secondaries. DO NOT CHANGE THIS
374 LAYOUT: the first word has to be the key for OSet fast lookups.
375 */
376 typedef
378 Addr base;
380 }
381 AuxMapEnt;
383 /* Tunable parameter: How big is the L1 queue? */
384 #define N_AUXMAP_L1 24
386 /* Tunable parameter: How far along the L1 queue to insert
387 entries resulting from L2 lookups? */
388 #define AUXMAP_L1_INSERT_IX 12
391 Addr base;
393 }
399 {
400 Int i;
404 }
411 }
413 /* Check representation invariants; if OK return NULL; else a
414 descriptive bit of text. Also return the number of
415 non-distinguished secondary maps referred to from the auxiliary
416 primary maps. */
419 {
421 /* On a 32-bit platform, the L2 and L1 tables should
422 both remain empty forever.
424 On a 64-bit platform:
425 In the L2 table:
426 all .base & 0xFFFF == 0
427 all .base > MAX_PRIMARY_ADDRESS
428 In the L1 table:
429 all .base & 0xFFFF == 0
430 all (.base > MAX_PRIMARY_ADDRESS
431 .base & 0xFFFF == 0
432 and .ent points to an AuxMapEnt with the same .base)
433 or
434 (.base == 0 and .ent == NULL)
435 */
438 /* 32-bit platform */
445 /* 64-bit platform */
448 AuxMapEnt key;
449 /* L2 table */
452 elems_seen++;
461 }
464 /* Check L1-L2 correspondence */
476 /* Look it up in auxmap_L2. */
484 }
485 /* Check L1 contains no duplicates */
494 }
495 }
496 }
498 }
501 {
502 Word i;
509 }
512 {
513 AuxMapEnt key;
515 Word i;
520 /* First search the front-cache, which is a self-organising
521 list containing the most popular entries. */
533 }
535 n_auxmap_L1_searches++;
540 }
541 }
554 i--;
555 }
557 }
559 n_auxmap_L2_searches++;
561 /* First see if we already have it. */
569 }
572 {
575 /* First see if we already have it. */
580 /* Ok, there's no entry in the secondary map, so we'll have
581 to allocate one. */
589 n_auxmap_L2_nodes++;
591 }
593 /* --------------- SecMap fundamentals --------------- */
595 // In all these, 'low' means it's definitely in the main primary map,
596 // 'high' means it's definitely in the auxiliary table.
599 {
601 # if VG_DEBUG_MEMORY >= 1
603 # endif
605 }
608 {
611 }
614 {
618 }
621 {
623 }
626 {
628 }
631 {
636 }
639 {
644 }
646 /* Produce the secmap for 'a', either from the primary map or by
647 ensuring there is an entry for it in the aux primary map. The
648 secmap may be a distinguished one as the caller will only want to
649 be able to read it.
650 */
652 {
656 }
658 /* Produce the secmap for 'a', either from the primary map or by
659 ensuring there is an entry for it in the aux primary map. The
660 secmap may not be a distinguished one, since the caller will want
661 to be able to write it. If it is a distinguished secondary, make a
662 writable copy of it, install it, and return the copy instead. (COW
663 semantics).
664 */
666 {
670 }
672 /* If 'a' has a SecMap, produce it. Else produce NULL. But don't
673 allocate one if one doesn't already exist. This is used by the
674 leak checker.
675 */
677 {
683 }
684 }
686 /* --------------- Fundamental functions --------------- */
688 static INLINE
690 {
694 }
696 static INLINE
698 {
699 UInt shift;
704 }
706 static INLINE
708 {
712 }
714 static INLINE
716 {
717 UInt shift;
722 }
724 // Note that these four are only used in slow cases. The fast cases do
725 // clever things like combine the auxmap check (in
726 // get_secmap_{read,writ}able) with alignment checks.
728 // *** WARNING! ***
729 // Any time this function is called, if it is possible that vabits2
730 // is equal to VA_BITS2_PARTDEFINED, then the corresponding entry in the
731 // sec-V-bits table must also be set!
732 static INLINE
734 {
738 }
740 static INLINE
742 {
747 }
749 // *** WARNING! ***
750 // Any time this function is called, if it is possible that any of the
751 // 4 2-bit fields in vabits8 are equal to VA_BITS2_PARTDEFINED, then the
752 // corresponding entry(s) in the sec-V-bits table must also be set!
753 static INLINE
755 {
760 }
762 static INLINE
764 {
768 }
771 // Forward declarations
775 // Returns False if there was an addressability error.
776 static INLINE
778 {
782 // Addressable. Convert in-register format to in-memory format.
783 // Also remove any existing sec V bit entry for the byte if no
784 // longer necessary.
792 // Unaddressable! Do nothing -- when writing to unaddressable
793 // memory it acts as a black hole, and the V bits can never be seen
794 // again. So we don't have to write them at all.
796 }
798 }
800 // Returns False if there was an addressability error. In that case, we put
801 // all defined bits into vbits8.
802 static INLINE
804 {
808 // Convert the in-memory format to in-register format.
817 }
819 }
822 /* --------------- Secondary V bit table ------------ */
824 // This table holds the full V bit pattern for partially-defined bytes
825 // (PDBs) that are represented by VA_BITS2_PARTDEFINED in the main shadow
826 // memory.
827 //
828 // Note: the nodes in this table can become stale. Eg. if you write a PDB,
829 // then overwrite the same address with a fully defined byte, the sec-V-bit
830 // node will not necessarily be removed. This is because checking for
831 // whether removal is necessary would slow down the fast paths.
832 //
833 // To avoid the stale nodes building up too much, we periodically (once the
834 // table reaches a certain size) garbage collect (GC) the table by
835 // traversing it and evicting any nodes not having PDB.
836 // If more than a certain proportion of nodes survived, we increase the
837 // table size so that GCs occur less often.
838 //
839 // This policy is designed to avoid bad table bloat in the worst case where
840 // a program creates huge numbers of stale PDBs -- we would get this bloat
841 // if we had no GC -- while handling well the case where a node becomes
842 // stale but shortly afterwards is rewritten with a PDB and so becomes
843 // non-stale again (which happens quite often, eg. in perf/bz2). If we just
844 // remove all stale nodes as soon as possible, we just end up re-adding a
845 // lot of them in later again. The "sufficiently stale" approach avoids
846 // this. (If a program has many live PDBs, performance will just suck,
847 // there's no way around that.)
848 //
849 // Further comments, JRS 14 Feb 2012. It turns out that the policy of
850 // holding on to stale entries for 2 GCs before discarding them can lead
851 // to massive space leaks. So we're changing to an arrangement where
852 // lines are evicted as soon as they are observed to be stale during a
853 // GC. This also has a side benefit of allowing the sufficiently_stale
854 // field to be removed from the SecVBitNode struct, reducing its size by
855 // 8 bytes, which is a substantial space saving considering that the
856 // struct was previously 32 or so bytes, on a 64 bit target.
857 //
858 // In order to try and mitigate the problem that the "sufficiently stale"
859 // heuristic was designed to avoid, the table size is allowed to drift
860 // up ("DRIFTUP") slowly to 80000, even if the residency is low. This
861 // means that nodes will exist in the table longer on average, and hopefully
862 // will be deleted and re-added less frequently.
863 //
864 // The previous scaling up mechanism (now called STEPUP) is retained:
865 // if residency exceeds 50%, the table is scaled up, although by a
866 // factor sqrt(2) rather than 2 as before. This effectively doubles the
867 // frequency of GCs when there are many PDBs at reduces the tendency of
868 // stale PDBs to reside for long periods in the table.
872 // Stats
876 // This must be a power of two; this is checked in mc_pre_clo_init().
877 // The size chosen here is a trade-off: if the nodes are bigger (ie. cover
878 // a larger address range) they take more space but we can get multiple
879 // partially-defined bytes in one if they are close to each other, reducing
880 // the number of total nodes. In practice sometimes they are clustered (eg.
881 // perf/bz2 repeatedly writes then reads more than 20,000 in a contiguous
882 // row), but often not. So we choose something intermediate.
883 #define BYTES_PER_SEC_VBIT_NODE 16
885 // We make the table bigger by a factor of STEPUP_GROWTH_FACTOR if
886 // more than this many nodes survive a GC.
887 #define STEPUP_SURVIVOR_PROPORTION 0.5
888 #define STEPUP_GROWTH_FACTOR 1.414213562
890 // If the above heuristic doesn't apply, then we may make the table
891 // slightly bigger, by a factor of DRIFTUP_GROWTH_FACTOR, if more than
892 // this many nodes survive a GC, _and_ the total table size does
893 // not exceed a fixed limit. The numbers are somewhat arbitrary, but
894 // work tolerably well on long Firefox runs. The scaleup ratio of 1.5%
895 // effectively although gradually reduces residency and increases time
896 // between GCs for programs with small numbers of PDBs. The 80000 limit
897 // effectively limits the table size to around 2MB for programs with
898 // small numbers of PDBs, whilst giving a reasonably long lifetime to
899 // entries, to try and reduce the costs resulting from deleting and
900 // re-adding of entries.
901 #define DRIFTUP_SURVIVOR_PROPORTION 0.15
902 #define DRIFTUP_GROWTH_FACTOR 1.015
903 #define DRIFTUP_MAX_SIZE 80000
905 // We GC the table when it gets this many nodes in it, ie. it's effectively
906 // the table size. It can change.
909 // The number of GCs done, used to age sec-V-bit nodes for eviction.
910 // Because it's unsigned, wrapping doesn't matter -- the right answer will
911 // come out anyway.
914 typedef
916 Addr a;
918 }
919 SecVBitNode;
922 {
932 }
935 {
940 GCs_done++;
942 // Create the new table.
945 // Traverse the table, moving fresh nodes into the new table.
948 // Keep node if any of its bytes are non-stale. Using
949 // get_vabits2() for the lookup is not very efficient, but I don't
950 // think it matters.
953 // Found a non-stale byte, so keep =>
954 // Insert a copy of the node into the new table.
960 }
961 }
962 }
964 // Get the before and after sizes.
968 // Destroy the old table, and put the new one in its place.
975 }
977 // Increase table size if necessary.
984 secVBitLimit);
985 }
986 else
994 secVBitLimit);
995 }
996 }
999 {
1003 UChar vbits8;
1005 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1006 // make it to the secondary V bits table.
1010 }
1013 {
1017 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1018 // make it to the secondary V bits table.
1022 sec_vbits_updates++;
1024 // Do a table GC if necessary. Nb: do this before creating and
1025 // inserting the new node, to avoid erroneously GC'ing the new node.
1028 }
1030 // New node: assign the specific byte, make the rest invalid (they
1031 // should never be read as-is, but be cautious).
1036 }
1039 // Insert the new node.
1041 sec_vbits_new_nodes++;
1046 }
1047 }
1049 /* --------------- Endianness helpers --------------- */
1051 /* Returns the offset in memory of the byteno-th most significant byte
1052 in a wordszB-sized word, given the specified endianness. */
1054 UWord byteno ) {
1056 }
1059 /* --------------- Ignored address ranges --------------- */
1061 /* Denotes the address-error-reportability status for address ranges:
1062 IAR_NotIgnored: the usual case -- report errors in this range
1063 IAR_CommandLine: don't report errors -- from command line setting
1064 IAR_ClientReq: don't report errors -- from client request
1065 */
1066 typedef
1068 IAR_NotIgnored,
1069 IAR_CommandLine,
1070 IAR_ClientReq }
1071 IARKind;
1074 {
1081 }
1082 }
1084 // RangeMap<IARKind>
1088 {
1093 }
1096 {
1109 }
1111 /*NOTREACHED*/
1112 }
1114 /* Parse two Addr separated by a dash, or fail. */
1117 {
1128 }
1130 /* Parse a set of ranges separated by commas into 'ignoreRanges', or
1131 fail. If they are valid, add them to the global set of ignored
1132 ranges. */
1134 {
1152 }
1153 /*NOTREACHED*/
1155 }
1157 /* Add or remove [start, +len) from the set of ignored ranges. */
1159 {
1164 }
1177 }
1181 Word i;
1190 }
1191 }
1193 }
1196 /* --------------- Load/store slow cases. --------------- */
1198 static
1202 {
1208 Addr ai;
1209 UChar vbits8;
1210 Bool ok;
1212 /* Code below assumes load size is a power of two and at least 64
1213 bits. */
1216 /* If this triggers, you probably just need to increase the size of
1217 the pessim array. */
1223 }
1225 /* Make up a result V word, which contains the loaded data for
1226 valid addresses and Defined for invalid addresses. Iterate over
1227 the bytes in the word, from the most significant down to the
1228 least. The vbits to return are calculated into vbits128. Also
1229 compute the pessimising value to be used when
1230 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1231 info can be gleaned from the pessim array) but is used as a
1232 cross-check. */
1246 }
1249 }
1251 /* In the common case, all the addresses involved are valid, so we
1252 just return the computed V bits and have done. */
1256 /* If there's no possibility of getting a partial-loads-ok
1257 exemption, report the error and quit. */
1261 }
1263 /* The partial-loads-ok excemption might apply. Find out if it
1264 does. If so, don't report an addressing error, but do return
1265 Undefined for the bytes that are out of range, so as to avoid
1266 false negatives. If it doesn't apply, just report an addressing
1267 error in the usual way. */
1269 /* Some code steps along byte strings in aligned chunks
1270 even when there is only a partially defined word at the end (eg,
1271 optimised strlen). This is allowed by the memory model of
1272 modern machines, since an aligned load cannot span two pages and
1273 thus cannot "partially fault".
1275 Therefore, a load from a partially-addressible place is allowed
1276 if all of the following hold:
1277 - the command-line flag is set [by default, it isn't]
1278 - it's an aligned load
1279 - at least one of the addresses in the word *is* valid
1281 Since this suppresses the addressing error, we avoid false
1282 negatives by marking bytes undefined when they come from an
1283 invalid address.
1284 */
1286 /* "at least one of the addresses is invalid" */
1293 /* Exemption applies. Use the previously computed pessimising
1294 value and return the combined result, but don't flag an
1295 addressing error. The pessimising value is Defined for valid
1296 addresses and Undefined for invalid addresses. */
1297 /* for assumption that doing bitwise or implements UifU */
1299 /* (really need "UifU" here...)
1300 vbits[j] UifU= pessim[j] (is pessimised by it, iow) */
1304 }
1306 /* Exemption doesn't apply. Flag an addressing error in the normal
1307 way. */
1309 }
1312 static
1316 this function may get called from hand written assembly. */
1318 {
1321 /* ------------ BEGIN semi-fast cases ------------ */
1322 /* These deal quickly-ish with the common auxiliary primary map
1323 cases on 64-bit platforms. Are merely a speedup hack; can be
1324 omitted without loss of correctness/functionality. Note that in
1325 both cases the "sizeof(void*) == 8" causes these cases to be
1326 folded out by compilers on 32-bit platforms. These are derived
1327 from LOADV64 and LOADV32.
1328 */
1338 /* else fall into the slow case */
1339 }
1349 /* else fall into slow case */
1350 }
1351 /* ------------ END semi-fast cases ------------ */
1358 Addr ai;
1359 UChar vbits8;
1360 Bool ok;
1364 /* Make up a 64-bit result V word, which contains the loaded data
1365 for valid addresses and Defined for invalid addresses. Iterate
1366 over the bytes in the word, from the most significant down to
1367 the least. The vbits to return are calculated into vbits64.
1368 Also compute the pessimising value to be used when
1369 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1370 info can be gleaned from pessim64) but is used as a
1371 cross-check. */
1381 }
1383 /* In the common case, all the addresses involved are valid, so we
1384 just return the computed V bits and have done. */
1388 /* If there's no possibility of getting a partial-loads-ok
1389 exemption, report the error and quit. */
1393 }
1395 /* The partial-loads-ok excemption might apply. Find out if it
1396 does. If so, don't report an addressing error, but do return
1397 Undefined for the bytes that are out of range, so as to avoid
1398 false negatives. If it doesn't apply, just report an addressing
1399 error in the usual way. */
1401 /* Some code steps along byte strings in aligned word-sized chunks
1402 even when there is only a partially defined word at the end (eg,
1403 optimised strlen). This is allowed by the memory model of
1404 modern machines, since an aligned load cannot span two pages and
1405 thus cannot "partially fault". Despite such behaviour being
1406 declared undefined by ANSI C/C++.
1408 Therefore, a load from a partially-addressible place is allowed
1409 if all of the following hold:
1410 - the command-line flag is set [by default, it isn't]
1411 - it's a word-sized, word-aligned load
1412 - at least one of the addresses in the word *is* valid
1414 Since this suppresses the addressing error, we avoid false
1415 negatives by marking bytes undefined when they come from an
1416 invalid address.
1417 */
1419 /* "at least one of the addresses is invalid" */
1424 /* Exemption applies. Use the previously computed pessimising
1425 value for vbits64 and return the combined result, but don't
1426 flag an addressing error. The pessimising value is Defined
1427 for valid addresses and Undefined for invalid addresses. */
1428 /* for assumption that doing bitwise or implements UifU */
1430 /* (really need "UifU" here...)
1431 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1434 }
1436 /* Also, in appears that gcc generates string-stepping code in
1437 32-bit chunks on 64 bit platforms. So, also grant an exception
1438 for this case. Note that the first clause of the conditional
1439 (VG_WORDSIZE == 8) is known at compile time, so the whole clause
1440 will get folded out in 32 bit builds. */
1444 /* (really need "UifU" here...)
1445 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1447 /* Mark the upper 32 bits as undefined, just to be on the safe
1448 side. */
1451 }
1453 /* Exemption doesn't apply. Flag an addressing error in the normal
1454 way. */
1458 }
1461 static
1464 {
1467 UChar vbits8;
1468 Addr ai;
1469 Bool ok;
1473 /* ------------ BEGIN semi-fast cases ------------ */
1474 /* These deal quickly-ish with the common auxiliary primary map
1475 cases on 64-bit platforms. Are merely a speedup hack; can be
1476 omitted without loss of correctness/functionality. Note that in
1477 both cases the "sizeof(void*) == 8" causes these cases to be
1478 folded out by compilers on 32-bit platforms. The logic below
1479 is somewhat similar to some cases extensively commented in
1480 MC_(helperc_STOREV8).
1481 */
1490 /* Handle common case quickly: a is suitably aligned, */
1491 /* is mapped, and is addressible. */
1492 // Convert full V-bits in register to compact 2-bit form.
1499 }
1500 /* else fall into the slow case */
1501 }
1502 /* else fall into the slow case */
1503 }
1512 /* Handle common case quickly: a is suitably aligned, */
1513 /* is mapped, and is addressible. */
1514 // Convert full V-bits in register to compact 2-bit form.
1521 }
1522 /* else fall into the slow case */
1523 }
1524 /* else fall into the slow case */
1525 }
1526 /* ------------ END semi-fast cases ------------ */
1530 /* Dump vbytes in memory, iterating from least to most significant
1531 byte. At the same time establish addressibility of the location. */
1539 }
1541 /* If an address error has happened, report it. */
1544 }
1547 /*------------------------------------------------------------*/
1548 /*--- Setting permissions over address ranges. ---*/
1549 /*------------------------------------------------------------*/
1552 UWord dsm_num )
1553 {
1557 Addr aNext;
1564 /* Check the V+A bits make sense. */
1569 // This code should never write PDBs; ensure this. (See comment above
1570 // set_vabits2().)
1585 }
1586 }
1588 #ifndef PERF_FAST_SARP
1589 /*------------------ debug-only case ------------------ */
1590 {
1591 // Endianness doesn't matter here because all bytes are being set to
1592 // the same value.
1593 // Nb: We don't have to worry about updating the sec-V-bits table
1594 // after these set_vabits2() calls because this code never writes
1595 // VA_BITS2_PARTDEFINED values.
1596 SizeT i;
1599 }
1601 }
1602 #endif
1604 /*------------------ standard handling ------------------ */
1606 /* Get the distinguished secondary that we might want
1607 to use (part of the space-compression scheme). */
1610 // We have to handle ranges covering various combinations of partial and
1611 // whole sec-maps. Here is how parts 1, 2 and 3 are used in each case.
1612 // Cases marked with a '*' are common.
1613 //
1614 // TYPE PARTS USED
1615 // ---- ----------
1616 // * one partial sec-map (p) 1
1617 // - one whole sec-map (P) 2
1618 //
1619 // * two partial sec-maps (pp) 1,3
1620 // - one partial, one whole sec-map (pP) 1,2
1621 // - one whole, one partial sec-map (Pp) 2,3
1622 // - two whole sec-maps (PP) 2,2
1623 //
1624 // * one partial, one whole, one partial (pPp) 1,2,3
1625 // - one partial, two whole (pPP) 1,2,2
1626 // - two whole, one partial (PPp) 2,2,3
1627 // - three whole (PPP) 2,2,2
1628 //
1629 // * one partial, N-2 whole, one partial (pP...Pp) 1,2...2,3
1630 // - one partial, N-1 whole (pP...PP) 1,2...2,2
1631 // - N-1 whole, one partial (PP...Pp) 2,2...2,3
1632 // - N whole (PP...PP) 2,2...2,3
1634 // Break up total length (lenT) into two parts: length in the first
1635 // sec-map (lenA), and the rest (lenB); lenT == lenA + lenB.
1639 // Range entirely within one sec-map. Covers almost all cases.
1644 // Range spans at least one whole sec-map, and starts at the beginning
1645 // of a sec-map; skip to Part 2.
1651 // Range spans two or more sec-maps, first one is partial.
1655 }
1657 //------------------------------------------------------------------------
1658 // Part 1: Deal with the first sec_map. Most of the time the range will be
1659 // entirely within a sec_map and this part alone will suffice. Also,
1660 // doing it this way lets us avoid repeatedly testing for the crossing of
1661 // a sec-map boundary within these loops.
1662 //------------------------------------------------------------------------
1664 // If it's distinguished, make it undistinguished if necessary.
1668 // Sec-map already has the V+A bits that we want, so skip.
1675 }
1676 }
1679 // 1 byte steps
1688 }
1689 // 8-aligned, 8 byte steps
1697 }
1698 // 1 byte steps
1706 }
1708 // We've finished the first sec-map. Is that it?
1712 //------------------------------------------------------------------------
1713 // Part 2: Fast-set entire sec-maps at a time.
1714 //------------------------------------------------------------------------
1715 part2:
1716 // 64KB-aligned, 64KB steps.
1717 // Nb: we can reach here with lenB < SM_SIZE
1726 // Free the non-distinguished sec-map that we're replacing. This
1727 // case happens moderately often, enough to be worthwhile.
1730 }
1732 // Make the sec-map entry point to the example DSM
1736 }
1738 // We've finished the whole sec-maps. Is that it?
1742 //------------------------------------------------------------------------
1743 // Part 3: Finish off the final partial sec-map, if necessary.
1744 //------------------------------------------------------------------------
1748 // If it's distinguished, make it undistinguished if necessary.
1752 // Sec-map already has the V+A bits that we want, so stop.
1758 }
1759 }
1762 // 8-aligned, 8 byte steps
1770 }
1771 // 1 byte steps
1779 }
1780 }
1783 /* --- Set permissions for arbitrary address ranges --- */
1786 {
1792 }
1795 {
1799 }
1802 {
1808 }
1810 static
1813 {
1814 UInt ecu;
1816 /* VG_(record_ExeContext) checks for validity of tid, and asserts
1817 if it is invalid. So no need to do it here. */
1824 }
1826 static
1828 {
1830 }
1832 static
1834 {
1836 }
1839 {
1845 }
1849 {
1851 }
1853 /* For each byte in [a,a+len), if the byte is addressable, make it be
1854 defined, but if it isn't addressible, leave it alone. In other
1855 words a version of MC_(make_mem_defined) that doesn't mess with
1856 addressibility. Low-performance implementation. */
1858 {
1859 SizeT i;
1860 UChar vabits2;
1868 }
1869 }
1870 }
1871 }
1873 /* Similarly (needed for mprotect handling ..) */
1875 {
1876 SizeT i;
1877 UChar vabits2;
1885 }
1886 }
1887 }
1888 }
1890 /* --- Block-copy permissions (needed for implementing realloc() and
1891 sys_mremap). --- */
1894 {
1910 /* Vectorised fast case, when no overlap and suitably aligned */
1911 /* vector loop */
1919 /* do nothing */
1921 /* have to copy secondary map info */
1930 }
1933 }
1934 /* fixup loop */
1940 }
1941 i++;
1942 len--;
1943 }
1947 /* We have to do things the slow way */
1955 }
1956 }
1957 }
1966 }
1967 }
1968 }
1969 }
1971 }
1974 /*------------------------------------------------------------*/
1975 /*--- Origin tracking stuff - cache basics ---*/
1976 /*------------------------------------------------------------*/
1978 /* AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
1979 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1981 Note that this implementation draws inspiration from the "origin
1982 tracking by value piggybacking" scheme described in "Tracking Bad
1983 Apples: Reporting the Origin of Null and Undefined Value Errors"
1984 (Michael Bond, Nicholas Nethercote, Stephen Kent, Samuel Guyer,
1985 Kathryn McKinley, OOPSLA07, Montreal, Oct 2007) but in fact it is
1986 implemented completely differently.
1988 Origin tags and ECUs -- about the shadow values
1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1991 This implementation tracks the defining point of all uninitialised
1992 values using so called "origin tags", which are 32-bit integers,
1993 rather than using the values themselves to encode the origins. The
1994 latter, so-called value piggybacking", is what the OOPSLA07 paper
1995 describes.
1997 Origin tags, as tracked by the machinery below, are 32-bit unsigned
1998 ints (UInts), regardless of the machine's word size. Each tag
1999 comprises an upper 30-bit ECU field and a lower 2-bit
2000 'kind' field. The ECU field is a number given out by m_execontext
2001 and has a 1-1 mapping with ExeContext*s. An ECU can be used
2002 directly as an origin tag (otag), but in fact we want to put
2003 additional information 'kind' field to indicate roughly where the
2004 tag came from. This helps print more understandable error messages
2005 for the user -- it has no other purpose. In summary:
2007 * Both ECUs and origin tags are represented as 32-bit words
2009 * m_execontext and the core-tool interface deal purely in ECUs.
2010 They have no knowledge of origin tags - that is a purely
2011 Memcheck-internal matter.
2013 * all valid ECUs have the lowest 2 bits zero and at least
2014 one of the upper 30 bits nonzero (see VG_(is_plausible_ECU))
2016 * to convert from an ECU to an otag, OR in one of the MC_OKIND_
2017 constants defined in mc_include.h.
2019 * to convert an otag back to an ECU, AND it with ~3
2021 One important fact is that no valid otag is zero. A zero otag is
2022 used by the implementation to indicate "no origin", which could
2023 mean that either the value is defined, or it is undefined but the
2024 implementation somehow managed to lose the origin.
2026 The ECU used for memory created by malloc etc is derived from the
2027 stack trace at the time the malloc etc happens. This means the
2028 mechanism can show the exact allocation point for heap-created
2029 uninitialised values.
2031 In contrast, it is simply too expensive to create a complete
2032 backtrace for each stack allocation. Therefore we merely use a
2033 depth-1 backtrace for stack allocations, which can be done once at
2034 translation time, rather than N times at run time. The result of
2035 this is that, for stack created uninitialised values, Memcheck can
2036 only show the allocating function, and not what called it.
2037 Furthermore, compilers tend to move the stack pointer just once at
2038 the start of the function, to allocate all locals, and so in fact
2039 the stack origin almost always simply points to the opening brace
2040 of the function. Net result is, for stack origins, the mechanism
2041 can tell you in which function the undefined value was created, but
2042 that's all. Users will need to carefully check all locals in the
2043 specified function.
2045 Shadowing registers and memory
2046 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2048 Memory is shadowed using a two level cache structure (ocacheL1 and
2049 ocacheL2). Memory references are first directed to ocacheL1. This
2050 is a traditional 2-way set associative cache with 32-byte lines and
2051 approximate LRU replacement within each set.
2053 A naive implementation would require storing one 32 bit otag for
2054 each byte of memory covered, a 4:1 space overhead. Instead, there
2055 is one otag for every 4 bytes of memory covered, plus a 4-bit mask
2056 that shows which of the 4 bytes have that shadow value and which
2057 have a shadow value of zero (indicating no origin). Hence a lot of
2058 space is saved, but the cost is that only one different origin per
2059 4 bytes of address space can be represented. This is a source of
2060 imprecision, but how much of a problem it really is remains to be
2061 seen.
2063 A cache line that contains all zeroes ("no origins") contains no
2064 useful information, and can be ejected from the L1 cache "for
2065 free", in the sense that a read miss on the L1 causes a line of
2066 zeroes to be installed. However, ejecting a line containing
2067 nonzeroes risks losing origin information permanently. In order to
2068 prevent such lossage, ejected nonzero lines are placed in a
2069 secondary cache (ocacheL2), which is an OSet (AVL tree) of cache
2070 lines. This can grow arbitrarily large, and so should ensure that
2071 Memcheck runs out of memory in preference to losing useful origin
2072 info due to cache size limitations.
2074 Shadowing registers is a bit tricky, because the shadow values are
2075 32 bits, regardless of the size of the register. That gives a
2076 problem for registers smaller than 32 bits. The solution is to
2077 find spaces in the guest state that are unused, and use those to
2078 shadow guest state fragments smaller than 32 bits. For example, on
2079 ppc32/64, each vector register is 16 bytes long. If 4 bytes of the
2080 shadow are allocated for the register's otag, then there are still
2081 12 bytes left over which could be used to shadow 3 other values.
2083 This implies there is some non-obvious mapping from guest state
2084 (start,length) pairs to the relevant shadow offset (for the origin
2085 tags). And it is unfortunately guest-architecture specific. The
2086 mapping is contained in mc_machine.c, which is quite lengthy but
2087 straightforward.
2089 Instrumenting the IR
2090 ~~~~~~~~~~~~~~~~~~~~
2092 Instrumentation is largely straightforward, and done by the
2093 functions schemeE and schemeS in mc_translate.c. These generate
2094 code for handling the origin tags of expressions (E) and statements
2095 (S) respectively. The rather strange names are a reference to the
2096 "compilation schemes" shown in Simon Peyton Jones' book "The
2097 Implementation of Functional Programming Languages" (Prentice Hall,
2098 1987, see
2099 http://research.microsoft.com/~simonpj/papers/slpj-book-1987/index.htm).
2101 schemeS merely arranges to move shadow values around the guest
2102 state to track the incoming IR. schemeE is largely trivial too.
2103 The only significant point is how to compute the otag corresponding
2104 to binary (or ternary, quaternary, etc) operator applications. The
2105 rule is simple: just take whichever value is larger (32-bit
2106 unsigned max). Constants get the special value zero. Hence this
2107 rule always propagates a nonzero (known) otag in preference to a
2108 zero (unknown, or more likely, value-is-defined) tag, as we want.
2109 If two different undefined values are inputs to a binary operator
2110 application, then which is propagated is arbitrary, but that
2111 doesn't matter, since the program is erroneous in using either of
2112 the values, and so there's no point in attempting to propagate
2113 both.
2115 Since constants are abstracted to (otag) zero, much of the
2116 instrumentation code can be folded out without difficulty by the
2117 generic post-instrumentation IR cleanup pass, using these rules:
2118 Max32U(0,x) -> x, Max32U(x,0) -> x, Max32(x,y) where x and y are
2119 constants is evaluated at JIT time. And the resulting dead code
2120 removal. In practice this causes surprisingly few Max32Us to
2121 survive through to backend code generation.
2123 Integration with the V-bits machinery
2124 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2126 This is again largely straightforward. Mostly the otag and V bits
2127 stuff are independent. The only point of interaction is when the V
2128 bits instrumenter creates a call to a helper function to report an
2129 uninitialised value error -- in that case it must first use schemeE
2130 to get hold of the origin tag expression for the value, and pass
2131 that to the helper too.
2133 There is the usual stuff to do with setting address range
2134 permissions. When memory is painted undefined, we must also know
2135 the origin tag to paint with, which involves some tedious plumbing,
2136 particularly to do with the fast case stack handlers. When memory
2137 is painted defined or noaccess then the origin tags must be forced
2138 to zero.
2140 One of the goals of the implementation was to ensure that the
2141 non-origin tracking mode isn't slowed down at all. To do this,
2142 various functions to do with memory permissions setting (again,
2143 mostly pertaining to the stack) are duplicated for the with- and
2144 without-otag case.
2146 Dealing with stack redzones, and the NIA cache
2147 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2149 This is one of the few non-obvious parts of the implementation.
2151 Some ABIs (amd64-ELF, ppc64-ELF, ppc32/64-XCOFF) define a small
2152 reserved area below the stack pointer, that can be used as scratch
2153 space by compiler generated code for functions. In the Memcheck
2154 sources this is referred to as the "stack redzone". The important
2155 thing here is that such redzones are considered volatile across
2156 function calls and returns. So Memcheck takes care to mark them as
2157 undefined for each call and return, on the afflicted platforms.
2158 Past experience shows this is essential in order to get reliable
2159 messages about uninitialised values that come from the stack.
2161 So the question is, when we paint a redzone undefined, what origin
2162 tag should we use for it? Consider a function f() calling g(). If
2163 we paint the redzone using an otag derived from the ExeContext of
2164 the CALL/BL instruction in f, then any errors in g causing it to
2165 use uninitialised values that happen to lie in the redzone, will be
2166 reported as having their origin in f. Which is highly confusing.
2168 The same applies for returns: if, on a return, we paint the redzone
2169 using a origin tag derived from the ExeContext of the RET/BLR
2170 instruction in g, then any later errors in f causing it to use
2171 uninitialised values in the redzone, will be reported as having
2172 their origin in g. Which is just as confusing.
2174 To do it right, in both cases we need to use an origin tag which
2175 pertains to the instruction which dynamically follows the CALL/BL
2176 or RET/BLR. In short, one derived from the NIA - the "next
2177 instruction address".
2179 To make this work, Memcheck's redzone-painting helper,
2180 MC_(helperc_MAKE_STACK_UNINIT), now takes a third argument, the
2181 NIA. It converts the NIA to a 1-element ExeContext, and uses that
2182 ExeContext's ECU as the basis for the otag used to paint the
2183 redzone. The expensive part of this is converting an NIA into an
2184 ECU, since this happens once for every call and every return. So
2185 we use a simple 511-line, 2-way set associative cache
2186 (nia_to_ecu_cache) to cache the mappings, and that knocks most of
2187 the cost out.
2189 Further background comments
2190 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2192 > Question: why is otag a UInt? Wouldn't a UWord be better? Isn't
2193 > it really just the address of the relevant ExeContext?
2195 Well, it's not the address, but a value which has a 1-1 mapping
2196 with ExeContexts, and is guaranteed not to be zero, since zero
2197 denotes (to memcheck) "unknown origin or defined value". So these
2198 UInts are just numbers starting at 4 and incrementing by 4; each
2199 ExeContext is given a number when it is created. (*** NOTE this
2200 confuses otags and ECUs; see comments above ***).
2202 Making these otags 32-bit regardless of the machine's word size
2203 makes the 64-bit implementation easier (next para). And it doesn't
2204 really limit us in any way, since for the tags to overflow would
2205 require that the program somehow caused 2^30-1 different
2206 ExeContexts to be created, in which case it is probably in deep
2207 trouble. Not to mention V will have soaked up many tens of
2208 gigabytes of memory merely to store them all.
2210 So having 64-bit origins doesn't really buy you anything, and has
2211 the following downsides:
2213 Suppose that instead, an otag is a UWord. This would mean that, on
2214 a 64-bit target,
2216 1. It becomes hard to shadow any element of guest state which is
2217 smaller than 8 bytes. To do so means you'd need to find some
2218 8-byte-sized hole in the guest state which you don't want to
2219 shadow, and use that instead to hold the otag. On ppc64, the
2220 condition code register(s) are split into 20 UChar sized pieces,
2221 all of which need to be tracked (guest_XER_SO .. guest_CR7_0)
2222 and so that would entail finding 160 bytes somewhere else in the
2223 guest state.
2225 Even on x86, I want to track origins for %AH .. %DH (bits 15:8
2226 of %EAX .. %EDX) that are separate from %AL .. %DL (bits 7:0 of
2227 same) and so I had to look for 4 untracked otag-sized areas in
2228 the guest state to make that possible.
2230 The same problem exists of course when origin tags are only 32
2231 bits, but it's less extreme.
2233 2. (More compelling) it doubles the size of the origin shadow
2234 memory. Given that the shadow memory is organised as a fixed
2235 size cache, and that accuracy of tracking is limited by origins
2236 falling out the cache due to space conflicts, this isn't good.
2238 > Another question: is the origin tracking perfect, or are there
2239 > cases where it fails to determine an origin?
2241 It is imperfect for at least for the following reasons, and
2242 probably more:
2244 * Insufficient capacity in the origin cache. When a line is
2245 evicted from the cache it is gone forever, and so subsequent
2246 queries for the line produce zero, indicating no origin
2247 information. Interestingly, a line containing all zeroes can be
2248 evicted "free" from the cache, since it contains no useful
2249 information, so there is scope perhaps for some cleverer cache
2250 management schemes. (*** NOTE, with the introduction of the
2251 second level origin tag cache, ocacheL2, this is no longer a
2252 problem. ***)
2254 * The origin cache only stores one otag per 32-bits of address
2255 space, plus 4 bits indicating which of the 4 bytes has that tag
2256 and which are considered defined. The result is that if two
2257 undefined bytes in the same word are stored in memory, the first
2258 stored byte's origin will be lost and replaced by the origin for
2259 the second byte.
2261 * Nonzero origin tags for defined values. Consider a binary
2262 operator application op(x,y). Suppose y is undefined (and so has
2263 a valid nonzero origin tag), and x is defined, but erroneously
2264 has a nonzero origin tag (defined values should have tag zero).
2265 If the erroneous tag has a numeric value greater than y's tag,
2266 then the rule for propagating origin tags though binary
2267 operations, which is simply to take the unsigned max of the two
2268 tags, will erroneously propagate x's tag rather than y's.
2270 * Some obscure uses of x86/amd64 byte registers can cause lossage
2271 or confusion of origins. %AH .. %DH are treated as different
2272 from, and unrelated to, their parent registers, %EAX .. %EDX.
2273 So some weird sequences like
2275 movb undefined-value, %AH
2276 movb defined-value, %AL
2277 .. use %AX or %EAX ..
2279 will cause the origin attributed to %AH to be ignored, since %AL,
2280 %AX, %EAX are treated as the same register, and %AH as a
2281 completely separate one.
2283 But having said all that, it actually seems to work fairly well in
2284 practice.
2285 */
2298 /* Cache of 32-bit values, one every 32 bits of address space */
2300 #define OC_BITS_PER_LINE 5
2301 #define OC_W32S_PER_LINE (1 << (OC_BITS_PER_LINE - 2))
2305 }
2308 }
2310 #define OC_LINES_PER_SET 2
2312 #define OC_N_SET_BITS 20
2313 #define OC_N_SETS (1 << OC_N_SET_BITS)
2315 /* These settings give:
2316 64 bit host: ocache: 100,663,296 sizeB 67,108,864 useful
2317 32 bit host: ocache: 92,274,688 sizeB 67,108,864 useful
2318 */
2320 #define OC_MOVE_FORWARDS_EVERY_BITS 7
2323 typedef
2325 Addr tag;
2328 }
2329 OCacheLine;
2331 /* Classify and also sanity-check 'line'. Return 'e' (empty) if not
2332 in use, 'n' (nonzero) if it contains at least one valid origin tag,
2333 and 'z' if all the represented tags are zero. */
2335 {
2336 UWord i;
2344 }
2346 }
2348 typedef
2351 }
2352 OCacheSet;
2354 typedef
2357 }
2358 OCache;
2365 {
2373 }
2378 }
2379 }
2381 }
2384 {
2385 OCacheLine tmp;
2386 stats_ocacheL1_movefwds++;
2391 }
2394 UWord i;
2398 }
2400 }
2402 //////////////////////////////////////////////////////////////
2403 //// OCache backing store
2409 }
2412 }
2414 /* Stats: # nodes currently in tree */
2418 {
2422 ocacheL2
2427 }
2429 /* Find line with the given tag in the tree, or NULL if not found. */
2431 {
2434 stats__ocacheL2_refs++;
2437 }
2439 /* Delete the line with the given tag from the tree, if it is present, and
2440 free up the associated memory. */
2442 {
2445 stats__ocacheL2_refs++;
2450 stats__ocacheL2_n_nodes--;
2451 }
2452 }
2454 /* Add a copy of the given line to the tree. It must not already be
2455 present. */
2457 {
2462 stats__ocacheL2_refs++;
2464 stats__ocacheL2_n_nodes++;
2467 }
2469 ////
2470 //////////////////////////////////////////////////////////////
2474 {
2476 UChar c;
2477 UWord line;
2483 /* we already tried line == 0; skip therefore. */
2487 stats_ocacheL1_found_at_1++;
2489 stats_ocacheL1_found_at_N++;
2490 }
2494 line--;
2495 }
2497 }
2498 }
2500 /* A miss. Use the last slot. Implicitly this means we're
2501 ejecting the line in the last slot. */
2502 stats_ocacheL1_misses++;
2504 line--;
2507 /* First, move the to-be-ejected line to the L2 cache. */
2512 /* the line is empty (has invalid tag); ignore it. */
2515 /* line contains zeroes. We must ensure the backing store is
2516 updated accordingly, either by copying the line there
2517 verbatim, or by ensuring it isn't present there. We
2518 chosse the latter on the basis that it reduces the size of
2519 the backing store. */
2523 /* line contains at least one real, useful origin. Copy it
2524 to the backing store. */
2525 stats_ocacheL1_lossage++;
2531 }
2535 }
2537 /* Now we must reload the L1 cache from the backing tree, if
2538 possible. */
2542 /* We're in luck. It's in the L2. */
2545 /* Missed at both levels of the cache hierarchy. We have to
2546 declare it as full of zeroes (unknown origins). */
2547 stats__ocacheL2_misses++;
2549 }
2551 /* Move it one forwards */
2553 line--;
2556 }
2559 {
2564 stats_ocacheL1_find++;
2569 }
2573 }
2576 }
2579 {
2580 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2581 //// Set the origins for a+0 .. a+7
2587 }
2593 }
2594 //// END inlined, specialised version of MC_(helperc_b_store8)
2595 }
2598 /*------------------------------------------------------------*/
2599 /*--- Aligned fast case permission setters, ---*/
2600 /*--- for dealing with stacks ---*/
2601 /*------------------------------------------------------------*/
2603 /*--------------------- 32-bit ---------------------*/
2605 /* Nb: by "aligned" here we mean 4-byte aligned */
2608 {
2611 #ifndef PERF_FAST_STACK2
2613 #else
2614 {
2615 UWord sm_off;
2622 }
2627 }
2628 #endif
2629 }
2631 static INLINE
2633 {
2635 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2636 //// Set the origins for a+0 .. a+3
2641 }
2645 }
2646 //// END inlined, specialised version of MC_(helperc_b_store4)
2647 }
2649 static INLINE
2651 {
2654 #ifndef PERF_FAST_STACK2
2656 #else
2657 {
2658 UWord sm_off;
2665 }
2671 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2672 //// Set the origins for a+0 .. a+3.
2678 }
2681 }
2682 //// END inlined, specialised version of MC_(helperc_b_store4)
2683 }
2684 #endif
2685 }
2687 /*--------------------- 64-bit ---------------------*/
2689 /* Nb: by "aligned" here we mean 8-byte aligned */
2692 {
2695 #ifndef PERF_FAST_STACK2
2697 #else
2698 {
2699 UWord sm_off16;
2706 }
2711 }
2712 #endif
2713 }
2715 static INLINE
2717 {
2719 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2720 //// Set the origins for a+0 .. a+7
2730 }
2731 //// END inlined, specialised version of MC_(helperc_b_store8)
2732 }
2734 static INLINE
2736 {
2739 #ifndef PERF_FAST_STACK2
2741 #else
2742 {
2743 UWord sm_off16;
2750 }
2756 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2757 //// Clear the origins for a+0 .. a+7.
2766 }
2767 //// END inlined, specialised version of MC_(helperc_b_store8)
2768 }
2769 #endif
2770 }
2773 /*------------------------------------------------------------*/
2774 /*--- Stack pointer adjustment ---*/
2775 /*------------------------------------------------------------*/
2777 #ifdef PERF_FAST_STACK
2778 # define MAYBE_USED
2779 #else
2780 # define MAYBE_USED __attribute__((unused))
2781 #endif
2783 /*--------------- adjustment by 4 bytes ---------------*/
2785 MAYBE_USED
2787 {
2794 }
2795 }
2797 MAYBE_USED
2799 {
2805 }
2806 }
2808 MAYBE_USED
2810 {
2816 }
2817 }
2819 /*--------------- adjustment by 8 bytes ---------------*/
2821 MAYBE_USED
2823 {
2833 }
2834 }
2836 MAYBE_USED
2838 {
2847 }
2848 }
2850 MAYBE_USED
2852 {
2861 }
2862 }
2864 /*--------------- adjustment by 12 bytes ---------------*/
2866 MAYBE_USED
2868 {
2875 /* from previous test we don't have 8-alignment at offset +0,
2876 hence must have 8 alignment at offsets +4/-4. Hence safe to
2877 do 4 at +0 and then 8 at +4/. */
2882 }
2883 }
2885 MAYBE_USED
2887 {
2893 /* from previous test we don't have 8-alignment at offset +0,
2894 hence must have 8 alignment at offsets +4/-4. Hence safe to
2895 do 4 at +0 and then 8 at +4/. */
2900 }
2901 }
2903 MAYBE_USED
2905 {
2907 /* Note the -12 in the test */
2909 /* We have 8-alignment at -12, hence ok to do 8 at -12 and 4 at
2910 -4. */
2914 /* We have 4-alignment at +0, but we don't have 8-alignment at
2915 -12. So we must have 8-alignment at -8. Hence do 4 at -12
2916 and then 8 at -8. */
2921 }
2922 }
2924 /*--------------- adjustment by 16 bytes ---------------*/
2926 MAYBE_USED
2928 {
2932 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
2936 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
2937 Hence do 4 at +0, 8 at +4, 4 at +12. */
2943 }
2944 }
2946 MAYBE_USED
2948 {
2951 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
2955 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
2956 Hence do 4 at +0, 8 at +4, 4 at +12. */
2962 }
2963 }
2965 MAYBE_USED
2967 {
2970 /* Have 8-alignment at +0, hence do 8 at -16 and 8 at -8. */
2974 /* 8 alignment must be at -12. Do 4 at -16, 8 at -12, 4 at -4. */
2980 }
2981 }
2983 /*--------------- adjustment by 32 bytes ---------------*/
2985 MAYBE_USED
2987 {
2991 /* Straightforward */
2997 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
2998 +0,+28. */
3006 }
3007 }
3009 MAYBE_USED
3011 {
3014 /* Straightforward */
3020 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3021 +0,+28. */
3029 }
3030 }
3032 MAYBE_USED
3034 {
3037 /* Straightforward */
3043 /* 8 alignment must be at -4 etc. Hence do 8 at -12,-20,-28 and
3044 4 at -32,-4. */
3052 }
3053 }
3055 /*--------------- adjustment by 112 bytes ---------------*/
3057 MAYBE_USED
3059 {
3079 }
3080 }
3082 MAYBE_USED
3084 {
3103 }
3104 }
3106 MAYBE_USED
3108 {
3127 }
3128 }
3130 /*--------------- adjustment by 128 bytes ---------------*/
3132 MAYBE_USED
3134 {
3156 }
3157 }
3159 MAYBE_USED
3161 {
3182 }
3183 }
3185 MAYBE_USED
3187 {
3208 }
3209 }
3211 /*--------------- adjustment by 144 bytes ---------------*/
3213 MAYBE_USED
3215 {
3239 }
3240 }
3242 MAYBE_USED
3244 {
3267 }
3268 }
3270 MAYBE_USED
3272 {
3295 }
3296 }
3298 /*--------------- adjustment by 160 bytes ---------------*/
3300 MAYBE_USED
3302 {
3328 }
3329 }
3331 MAYBE_USED
3333 {
3358 }
3359 }
3361 MAYBE_USED
3363 {
3388 }
3389 }
3391 /*--------------- adjustment by N bytes ---------------*/
3394 {
3398 }
3401 {
3404 }
3407 {
3410 }
3413 /* The AMD64 ABI says:
3415 "The 128-byte area beyond the location pointed to by %rsp is considered
3416 to be reserved and shall not be modified by signal or interrupt
3417 handlers. Therefore, functions may use this area for temporary data
3418 that is not needed across function calls. In particular, leaf functions
3419 may use this area for their entire stack frame, rather than adjusting
3420 the stack pointer in the prologue and epilogue. This area is known as
3421 red zone [sic]."
3423 So after any call or return we need to mark this redzone as containing
3424 undefined values.
3426 Consider this: we're in function f. f calls g. g moves rsp down
3427 modestly (say 16 bytes) and writes stuff all over the red zone, making it
3428 defined. g returns. f is buggy and reads from parts of the red zone
3429 that it didn't write on. But because g filled that area in, f is going
3430 to be picking up defined V bits and so any errors from reading bits of
3431 the red zone it didn't write, will be missed. The only solution I could
3432 think of was to make the red zone undefined when g returns to f.
3434 This is in accordance with the ABI, which makes it clear the redzone
3435 is volatile across function calls.
3437 The problem occurs the other way round too: f could fill the RZ up
3438 with defined values and g could mistakenly read them. So the RZ
3439 also needs to be nuked on function calls.
3440 */
3443 /* Here's a simple cache to hold nia -> ECU mappings. It could be
3444 improved so as to have a lower miss rate. */
3449 typedef
3452 WCacheEnt;
3454 #define N_NIA_TO_ECU_CACHE 511
3459 {
3460 UWord i;
3463 UInt zero_ecu;
3464 /* Fill all the slots with an entry for address zero, and the
3465 relevant otags accordingly. Hence the cache is initially filled
3466 with valid data. */
3476 }
3477 }
3480 {
3481 UWord i;
3482 UInt ecu;
3487 stats__nia_cache_queries++;
3495 # define SWAP(_w1,_w2) { UWord _t = _w1; _w1 = _w2; _w2 = _t; }
3498 # undef SWAP
3500 }
3502 stats__nia_cache_misses++;
3514 }
3517 /* Note that this serves both the origin-tracking and
3518 no-origin-tracking modes. We assume that calls to it are
3519 sufficiently infrequent that it isn't worth specialising for the
3520 with/without origin-tracking cases. */
3522 {
3523 UInt otag;
3536 }
3538 # if 0
3539 /* Really slow version */
3541 # endif
3543 # if 0
3544 /* Slow(ish) version, which is fairly easily seen to be correct.
3545 */
3568 }
3569 # endif
3571 /* Idea is: go fast when
3572 * 8-aligned and length is 128
3573 * the sm is available in the main primary map
3574 * the address range falls entirely with a single secondary map
3575 If all those conditions hold, just update the V+A bits by writing
3576 directly into the vabits array. (If the sm was distinguished, this
3577 will make a copy and then write to it.)
3578 */
3581 /* Now we know the address range is suitably sized and aligned. */
3586 // Now we know the entire range is within the main primary map.
3589 /* Now we know that the entire address range falls within a
3590 single secondary map, and that that secondary 'lives' in
3591 the main primary map. */
3593 // Finally, we know that the range is entirely within one secmap.
3629 }
3631 }
3632 }
3633 }
3635 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3637 /* Now we know the address range is suitably sized and aligned. */
3642 // Now we know the entire range is within the main primary map.
3645 /* Now we know that the entire address range falls within a
3646 single secondary map, and that that secondary 'lives' in
3647 the main primary map. */
3649 // Finally, we know that the range is entirely within one secmap.
3725 }
3727 }
3728 }
3729 }
3731 /* else fall into slow case */
3733 }
3736 /*------------------------------------------------------------*/
3737 /*--- Checking memory ---*/
3738 /*------------------------------------------------------------*/
3740 typedef
3745 }
3746 MC_ReadResult;
3749 /* Check permissions for address range. If inadequate permissions
3750 exist, *bad_addr is set to the offending address, so the caller can
3751 know what it is. */
3753 /* Returns True if [a .. a+len) is not addressible. Otherwise,
3754 returns False, and if bad_addr is non-NULL, sets *bad_addr to
3755 indicate the lowest failing address. Functions below are
3756 similar. */
3758 {
3759 SizeT i;
3760 UWord vabits2;
3769 }
3770 a++;
3771 }
3773 }
3777 {
3778 SizeT i;
3779 UWord vabits2;
3788 }
3789 a++;
3790 }
3792 }
3797 {
3798 SizeT i;
3799 UWord vabits2;
3810 // Error! Nb: Report addressability errors in preference to
3811 // definedness errors. And don't report definedeness errors unless
3812 // --undef-value-errors=yes.
3815 }
3818 }
3822 }
3824 }
3825 }
3826 a++;
3827 }
3829 }
3832 /* Like is_mem_defined but doesn't give up at the first uninitialised
3833 byte -- the entire range is always checked. This is important for
3834 detecting errors in the case where a checked range strays into
3835 invalid memory, but that fact is not detected by the ordinary
3836 is_mem_defined(), because of an undefined section that precedes the
3837 out of range section, possibly as a result of an alignment hole in
3838 the checked data. This version always checks the entire range and
3839 can report both a definedness and an accessbility error, if
3840 necessary. */
3848 )
3849 {
3850 SizeT i;
3851 UWord vabits2;
3864 a++;
3875 }
3877 }
3886 }
3887 }
3888 }
3891 /* Check a zero-terminated ascii string. Tricky -- don't want to
3892 examine the actual bytes, to find the end, until we're sure it is
3893 safe to do so. */
3896 {
3897 UWord vabits2;
3908 // Error! Nb: Report addressability errors in preference to
3909 // definedness errors. And don't report definedeness errors unless
3910 // --undef-value-errors=yes.
3913 }
3916 }
3920 }
3922 }
3923 }
3924 /* Ok, a is safe to read. */
3927 }
3928 a++;
3929 }
3930 }
3933 /*------------------------------------------------------------*/
3934 /*--- Memory event handlers ---*/
3935 /*------------------------------------------------------------*/
3937 static
3940 {
3941 Addr bad_addr;
3957 }
3958 }
3959 }
3961 static
3964 {
3966 Addr bad_addr;
3982 /* If we're being asked to jump to a silly address, record an error
3983 message before potentially crashing the entire system. */
3990 }
3991 }
3992 }
3994 static
3997 {
3998 MC_ReadResult res;
4008 }
4009 }
4011 /* Handling of mmap and mprotect is not as simple as it seems.
4013 The underlying semantics are that memory obtained from mmap is
4014 always initialised, but may be inaccessible. And changes to the
4015 protection of memory do not change its contents and hence not its
4016 definedness state. Problem is we can't model
4017 inaccessible-but-with-some-definedness state; once we mark memory
4018 as inaccessible we lose all info about definedness, and so can't
4019 restore that if it is later made accessible again.
4021 One obvious thing to do is this:
4023 mmap/mprotect NONE -> noaccess
4024 mmap/mprotect other -> defined
4026 The problem case here is: taking accessible memory, writing
4027 uninitialised data to it, mprotecting it NONE and later mprotecting
4028 it back to some accessible state causes the undefinedness to be
4029 lost.
4031 A better proposal is:
4033 (1) mmap NONE -> make noaccess
4034 (2) mmap other -> make defined
4036 (3) mprotect NONE -> # no change
4037 (4) mprotect other -> change any "noaccess" to "defined"
4039 (2) is OK because memory newly obtained from mmap really is defined
4040 (zeroed out by the kernel -- doing anything else would
4041 constitute a massive security hole.)
4043 (1) is OK because the only way to make the memory usable is via
4044 (4), in which case we also wind up correctly marking it all as
4045 defined.
4047 (3) is the weak case. We choose not to change memory state.
4048 (presumably the range is in some mixture of "defined" and
4049 "undefined", viz, accessible but with arbitrary V bits). Doing
4050 nothing means we retain the V bits, so that if the memory is
4051 later mprotected "other", the V bits remain unchanged, so there
4052 can be no false negatives. The bad effect is that if there's
4053 an access in the area, then MC cannot warn; but at least we'll
4054 get a SEGV to show, so it's better than nothing.
4056 Consider the sequence (3) followed by (4). Any memory that was
4057 "defined" or "undefined" previously retains its state (as
4058 required). Any memory that was "noaccess" before can only have
4059 been made that way by (1), and so it's OK to change it to
4060 "defined".
4062 See https://bugs.kde.org/show_bug.cgi?id=205541
4063 and https://bugs.kde.org/show_bug.cgi?id=210268
4064 */
4065 static
4067 ULong di_handle )
4068 {
4070 /* (2) mmap/mprotect other -> defined */
4073 /* (1) mmap/mprotect NONE -> noaccess */
4075 }
4076 }
4078 static
4080 {
4082 /* (4) mprotect other -> change any "noaccess" to "defined" */
4085 /* (3) mprotect NONE -> # no change */
4086 /* do nothing */
4087 }
4088 }
4091 static
4094 {
4095 // Because code is defined, initialised variables get put in the data
4096 // segment and are defined, and uninitialised variables get put in the
4097 // bss segment and are auto-zeroed (and so defined).
4098 //
4099 // It's possible that there will be padding between global variables.
4100 // This will also be auto-zeroed, and marked as defined by Memcheck. If
4101 // a program uses it, Memcheck will not complain. This is arguably a
4102 // false negative, but it's a grey area -- the behaviour is defined (the
4103 // padding is zeroed) but it's probably not what the user intended. And
4104 // we can't avoid it.
4105 //
4106 // Note: we generally ignore RWX permissions, because we can't track them
4107 // without requiring more than one A bit which would slow things down a
4108 // lot. But on Darwin the 0th page is mapped but !R and !W and !X.
4109 // So we mark any such pages as "unaddressable".
4113 }
4115 static
4117 {
4119 }
4122 /*------------------------------------------------------------*/
4123 /*--- Register event handlers ---*/
4124 /*------------------------------------------------------------*/
4126 /* Try and get a nonzero origin for the guest state section of thread
4127 tid characterised by (offset,size). Return 0 if nothing to show
4128 for it. */
4131 {
4132 Int sh2off;
4134 UInt otag;
4147 }
4150 /* When some chunk of guest state is written, mark the corresponding
4151 shadow area as valid. This is used to initialise arbitrarily large
4152 chunks of guest state, hence the _SIZE value, which has to be as
4153 big as the biggest guest state.
4154 */
4157 {
4158 # define MAX_REG_WRITE_SIZE 1712
4163 # undef MAX_REG_WRITE_SIZE
4164 }
4166 static
4169 {
4171 }
4173 /* Look at the definedness of the guest's shadow state for
4174 [offset, offset+len). If any part of that is undefined, record
4175 a parameter error.
4176 */
4179 {
4180 Int i;
4181 Bool bad;
4182 UInt otag;
4194 }
4195 }
4200 /* We've found some undefinedness. See if we can also find an
4201 origin for it. */
4204 }
4207 /*------------------------------------------------------------*/
4208 /*--- Register-memory event handlers ---*/
4209 /*------------------------------------------------------------*/
4213 {
4214 SizeT i;
4215 UChar vbits8;
4216 Int offset;
4217 UInt d32;
4219 /* Slow loop. */
4224 }
4229 /* Track origins. */
4255 }
4258 }
4262 SizeT size )
4263 {
4264 SizeT i;
4265 UChar vbits8;
4266 Int offset;
4267 UInt d32;
4269 /* Slow loop. */
4274 }
4279 /* Track origins. */
4306 }
4307 }
4310 /*------------------------------------------------------------*/
4311 /*--- Some static assertions ---*/
4312 /*------------------------------------------------------------*/
4314 /* The handwritten assembly helpers below have baked-in assumptions
4315 about various constant values. These assertions attempt to make
4316 that a bit safer by checking those values and flagging changes that
4317 would make the assembly invalid. Not perfect but it's better than
4318 nothing. */
4341 /*------------------------------------------------------------*/
4342 /*--- Functions called directly from generated code: ---*/
4343 /*--- Load/store handlers. ---*/
4344 /*------------------------------------------------------------*/
4346 /* Types: LOADV32, LOADV16, LOADV8 are:
4347 UWord fn ( Addr a )
4348 so they return 32-bits on 32-bit machines and 64-bits on
4349 64-bit machines. Addr has the same size as a host word.
4351 LOADV64 is always ULong fn ( Addr a )
4353 Similarly for STOREV8, STOREV16, STOREV32, the supplied vbits
4354 are a UWord, and for STOREV64 they are a ULong.
4355 */
4357 /* If any part of '_a' indicated by the mask is 1, either '_a' is not
4358 naturally '_sz/8'-aligned, or it exceeds the range covered by the
4359 primary map. This is all very tricky (and important!), so let's
4360 work through the maths by hand (below), *and* assert for these
4361 values at startup. */
4362 #define MASK(_szInBytes) \
4363 ( ~((0x10000UL-(_szInBytes)) | ((N_PRIMARY_MAP-1) << 16)) )
4365 /* MASK only exists so as to define this macro. */
4366 #define UNALIGNED_OR_HIGH(_a,_szInBits) \
4367 ((_a) & MASK((_szInBits>>3)))
4369 /* On a 32-bit machine:
4371 N_PRIMARY_BITS == 16, so
4372 N_PRIMARY_MAP == 0x10000, so
4373 N_PRIMARY_MAP-1 == 0xFFFF, so
4374 (N_PRIMARY_MAP-1) << 16 == 0xFFFF0000, and so
4376 MASK(1) = ~ ( (0x10000 - 1) | 0xFFFF0000 )
4377 = ~ ( 0xFFFF | 0xFFFF0000 )
4378 = ~ 0xFFFF'FFFF
4379 = 0
4381 MASK(2) = ~ ( (0x10000 - 2) | 0xFFFF0000 )
4382 = ~ ( 0xFFFE | 0xFFFF0000 )
4383 = ~ 0xFFFF'FFFE
4384 = 1
4386 MASK(4) = ~ ( (0x10000 - 4) | 0xFFFF0000 )
4387 = ~ ( 0xFFFC | 0xFFFF0000 )
4388 = ~ 0xFFFF'FFFC
4389 = 3
4391 MASK(8) = ~ ( (0x10000 - 8) | 0xFFFF0000 )
4392 = ~ ( 0xFFF8 | 0xFFFF0000 )
4393 = ~ 0xFFFF'FFF8
4394 = 7
4396 Hence in the 32-bit case, "a & MASK(1/2/4/8)" is a nonzero value
4397 precisely when a is not 1/2/4/8-bytes aligned. And obviously, for
4398 the 1-byte alignment case, it is always a zero value, since MASK(1)
4399 is zero. All as expected.
4401 On a 64-bit machine, it's more complex, since we're testing
4402 simultaneously for misalignment and for the address being at or
4403 above 64G:
4405 N_PRIMARY_BITS == 20, so
4406 N_PRIMARY_MAP == 0x100000, so
4407 N_PRIMARY_MAP-1 == 0xFFFFF, so
4408 (N_PRIMARY_MAP-1) << 16 == 0xF'FFFF'0000, and so
4410 MASK(1) = ~ ( (0x10000 - 1) | 0xF'FFFF'0000 )
4411 = ~ ( 0xFFFF | 0xF'FFFF'0000 )
4412 = ~ 0xF'FFFF'FFFF
4413 = 0xFFFF'FFF0'0000'0000
4415 MASK(2) = ~ ( (0x10000 - 2) | 0xF'FFFF'0000 )
4416 = ~ ( 0xFFFE | 0xF'FFFF'0000 )
4417 = ~ 0xF'FFFF'FFFE
4418 = 0xFFFF'FFF0'0000'0001
4420 MASK(4) = ~ ( (0x10000 - 4) | 0xF'FFFF'0000 )
4421 = ~ ( 0xFFFC | 0xF'FFFF'0000 )
4422 = ~ 0xF'FFFF'FFFC
4423 = 0xFFFF'FFF0'0000'0003
4425 MASK(8) = ~ ( (0x10000 - 8) | 0xF'FFFF'0000 )
4426 = ~ ( 0xFFF8 | 0xF'FFFF'0000 )
4427 = ~ 0xF'FFFF'FFF8
4428 = 0xFFFF'FFF0'0000'0007
4429 */
4431 /*------------------------------------------------------------*/
4432 /*--- LOADV256 and LOADV128 ---*/
4433 /*------------------------------------------------------------*/
4435 static INLINE
4438 {
4441 #ifndef PERF_FAST_LOADV
4444 #else
4445 {
4455 }
4457 /* Handle common cases quickly: a (and a+8 and a+16 etc.) is
4458 suitably aligned, is mapped, and addressible. */
4464 // Convert V bits from compact memory form to expanded
4465 // register form.
4471 /* Slow case: some block of 8 bytes are not all-defined or
4472 all-undefined. */
4476 }
4477 }
4479 }
4480 #endif
4481 }
4484 {
4486 }
4488 {
4490 }
4493 {
4495 }
4497 {
4499 }
4501 /*------------------------------------------------------------*/
4502 /*--- LOADV64 ---*/
4503 /*------------------------------------------------------------*/
4505 static INLINE
4507 {
4510 #ifndef PERF_FAST_LOADV
4512 #else
4513 {
4520 }
4526 // Handle common case quickly: a is suitably aligned, is mapped, and
4527 // addressible.
4528 // Convert V bits from compact memory form to expanded register form.
4534 /* Slow case: the 8 bytes are not all-defined or all-undefined. */
4537 }
4538 }
4539 #endif
4540 }
4542 // Generic for all platforms
4544 {
4546 }
4548 // Non-generic assembly for arm32-linux
4549 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4550 && defined(VGP_arm_linux)
4587 );
4589 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4590 && defined(VGP_x86_linux)
4622 );
4624 #else
4625 // Generic for all platforms except {arm32,x86}-linux
4627 {
4629 }
4630 #endif
4632 /*------------------------------------------------------------*/
4633 /*--- STOREV64 ---*/
4634 /*------------------------------------------------------------*/
4636 static INLINE
4638 {
4641 #ifndef PERF_FAST_STOREV
4642 // XXX: this slow case seems to be marginally faster than the fast case!
4643 // Investigate further.
4645 #else
4646 {
4654 }
4660 // To understand the below cleverness, see the extensive comments
4661 // in MC_(helperc_STOREV8).
4665 }
4669 }
4673 }
4677 }
4681 }
4685 }
4689 }
4690 #endif
4691 }
4694 {
4696 }
4698 {
4700 }
4702 /*------------------------------------------------------------*/
4703 /*--- LOADV32 ---*/
4704 /*------------------------------------------------------------*/
4706 static INLINE
4708 {
4711 #ifndef PERF_FAST_LOADV
4713 #else
4714 {
4721 }
4727 // Handle common case quickly: a is suitably aligned, is mapped, and the
4728 // entire word32 it lives in is addressible.
4729 // Convert V bits from compact memory form to expanded register form.
4730 // For 64-bit platforms, set the high 32 bits of retval to 1 (undefined).
4731 // Almost certainly not necessary, but be paranoid.
4737 /* Slow case: the 4 bytes are not all-defined or all-undefined. */
4740 }
4741 }
4742 #endif
4743 }
4745 // Generic for all platforms
4747 {
4749 }
4751 // Non-generic assembly for arm32-linux
4752 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4753 && defined(VGP_arm_linux)
4785 );
4787 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4788 && defined(VGP_x86_linux)
4818 );
4820 #else
4821 // Generic for all platforms except {arm32,x86}-linux
4823 {
4825 }
4826 #endif
4828 /*------------------------------------------------------------*/
4829 /*--- STOREV32 ---*/
4830 /*------------------------------------------------------------*/
4832 static INLINE
4834 {
4837 #ifndef PERF_FAST_STOREV
4839 #else
4840 {
4848 }
4854 // To understand the below cleverness, see the extensive comments
4855 // in MC_(helperc_STOREV8).
4859 }
4863 }
4867 }
4871 }
4875 }
4879 }
4883 }
4884 #endif
4885 }
4888 {
4890 }
4892 {
4894 }
4896 /*------------------------------------------------------------*/
4897 /*--- LOADV16 ---*/
4898 /*------------------------------------------------------------*/
4900 static INLINE
4902 {
4905 #ifndef PERF_FAST_LOADV
4907 #else
4908 {
4915 }
4920 // Handle common case quickly: a is suitably aligned, is mapped, and is
4921 // addressible.
4922 // Convert V bits from compact memory form to expanded register form
4926 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
4927 // the two sub-bytes.
4932 /* Slow case: the two bytes are not all-defined or all-undefined. */
4935 }
4936 }
4937 }
4938 #endif
4939 }
4941 // Generic for all platforms
4943 {
4945 }
4947 // Non-generic assembly for arm32-linux
4948 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4949 && defined(VGP_arm_linux)
4977 // r1 holds sec-map-VABITS8. r0 holds the address and is 2-aligned.
4978 // Extract the relevant 4 bits and inspect.
4998 );
5000 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5001 && defined(VGP_x86_linux)
5043 );
5045 #else
5046 // Generic for all platforms except {arm32,x86}-linux
5048 {
5050 }
5051 #endif
5053 /*------------------------------------------------------------*/
5054 /*--- STOREV16 ---*/
5055 /*------------------------------------------------------------*/
5057 /* True if the vabits4 in vabits8 indicate a and a+1 are accessible. */
5058 static INLINE
5060 {
5061 UInt shift;
5065 // check 2 x vabits2 != VA_BITS2_NOACCESS
5068 }
5070 static INLINE
5072 {
5075 #ifndef PERF_FAST_STOREV
5077 #else
5078 {
5086 }
5092 // To understand the below cleverness, see the extensive comments
5093 // in MC_(helperc_STOREV8).
5097 }
5103 }
5106 }
5110 }
5116 }
5120 }
5124 }
5125 #endif
5126 }
5130 {
5132 }
5134 {
5136 }
5138 /*------------------------------------------------------------*/
5139 /*--- LOADV8 ---*/
5140 /*------------------------------------------------------------*/
5142 /* Note: endianness is irrelevant for size == 1 */
5144 // Non-generic assembly for arm32-linux
5145 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5146 && defined(VGP_arm_linux)
5171 // r1 holds sec-map-VABITS8
5172 // r0 holds the address. Extract the relevant 2 bits and inspect.
5191 );
5193 /* Non-generic assembly for x86-linux */
5194 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5195 && defined(VGP_x86_linux)
5234 );
5236 #else
5237 // Generic for all platforms except {arm32,x86}-linux
5240 {
5243 #ifndef PERF_FAST_LOADV
5245 #else
5246 {
5253 }
5258 // Convert V bits from compact memory form to expanded register form
5259 // Handle common case quickly: a is mapped, and the entire
5260 // word32 it lives in is addressible.
5264 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5265 // the single byte.
5270 /* Slow case: the byte is not all-defined or all-undefined. */
5273 }
5274 }
5275 }
5276 #endif
5277 }
5278 #endif
5280 /*------------------------------------------------------------*/
5281 /*--- STOREV8 ---*/
5282 /*------------------------------------------------------------*/
5286 {
5289 #ifndef PERF_FAST_STOREV
5291 #else
5292 {
5300 }
5306 // Clevernesses to speed up storing V bits.
5307 // The 64/32/16 bit cases also have similar clevernesses, but it
5308 // works a little differently to the code below.
5309 //
5310 // Cleverness 1: sometimes we don't have to write the shadow memory at
5311 // all, if we can tell that what we want to write is the same as what is
5312 // already there. These cases are marked below as "defined on defined" and
5313 // "undefined on undefined".
5314 //
5315 // Cleverness 2:
5316 // We also avoid to call mc_STOREVn_slow if the V bits can directly
5317 // be written in the secondary map. V bits can be directly written
5318 // if 4 conditions are respected:
5319 // * The address for which V bits are written is naturally aligned
5320 // on 1 byte for STOREV8 (this is always true)
5321 // on 2 bytes for STOREV16
5322 // on 4 bytes for STOREV32
5323 // on 8 bytes for STOREV64.
5324 // * V bits being written are either fully defined or fully undefined.
5325 // (for partially defined V bits, V bits cannot be directly written,
5326 // as the secondary vbits table must be maintained).
5327 // * the secmap is not distinguished (distinguished maps cannot be
5328 // modified).
5329 // * the memory corresponding to the V bits being written is
5330 // accessible (if one or more bytes are not accessible,
5331 // we must call mc_STOREVn_slow in order to report accessibility
5332 // errors).
5333 // Note that for STOREV32 and STOREV64, it is too expensive
5334 // to verify the accessibility of each byte for the benefit it
5335 // brings. Instead, a quicker check is done by comparing to
5336 // VA_BITS(8|16)_(UN)DEFINED. This guarantees accessibility,
5337 // but misses some opportunity of direct modifications.
5338 // Checking each byte accessibility was measured for
5339 // STOREV32+perf tests and was slowing down all perf tests.
5340 // The cases corresponding to cleverness 2 are marked below as
5341 // "direct mod".
5345 }
5348 // direct mod
5352 }
5356 }
5360 }
5362 && (VA_BITS2_NOACCESS
5364 // direct mod
5368 }
5372 }
5374 // Partially defined word
5377 }
5378 #endif
5379 }
5382 /*------------------------------------------------------------*/
5383 /*--- Functions called directly from generated code: ---*/
5384 /*--- Value-check failure handlers. ---*/
5385 /*------------------------------------------------------------*/
5387 /* Call these ones when an origin is available ... */
5391 }
5396 }
5401 }
5406 }
5411 }
5413 /* ... and these when an origin isn't available. */
5418 }
5423 }
5428 }
5433 }
5438 }
5441 /*------------------------------------------------------------*/
5442 /*--- Metadata get/set functions, for client requests. ---*/
5443 /*------------------------------------------------------------*/
5445 // Nb: this expands the V+A bits out into register-form V bits, even though
5446 // they're in memory. This is for backward compatibility, and because it's
5447 // probably what the user wants.
5449 /* Copy Vbits from/to address 'a'. Returns: 1 == OK, 2 == alignment
5450 error [no longer used], 3 == addressing error. */
5451 /* Nb: We used to issue various definedness/addressability errors from here,
5452 but we took them out because they ranged from not-very-helpful to
5453 downright annoying, and they complicated the error data structures. */
5455 Addr a,
5456 Addr vbits,
5457 SizeT szB,
5459 Bool is_client_request /* True <=> real user request
5460 False <=> internal call from gdbserver */
5461 )
5462 {
5463 SizeT i;
5464 Bool ok;
5465 UChar vbits8;
5467 /* Check that arrays are addressible before doing any getting/setting.
5468 vbits to be checked only for real user request. */
5473 }
5474 }
5476 /* Do the copy */
5478 /* setting */
5482 }
5484 /* getting */
5489 }
5491 // The bytes in vbits[] have now been set, so mark them as such.
5493 }
5496 }
5499 /*------------------------------------------------------------*/
5500 /*--- Detecting leaked (unreachable) malloc'd blocks. ---*/
5501 /*------------------------------------------------------------*/
5503 /* For the memory leak detector, say whether an entire 64k chunk of
5504 address space is possibly in use, or not. If in doubt return
5505 True.
5506 */
5508 {
5511 /* Definitely not in use. */
5515 }
5516 }
5519 /* For the memory leak detector, say whether or not a given word
5520 address is to be regarded as valid. */
5522 {
5530 }
5533 else
5535 }
5538 /*------------------------------------------------------------*/
5539 /*--- Initialisation ---*/
5540 /*------------------------------------------------------------*/
5543 {
5544 Int i;
5552 /* Build the 3 distinguished secondaries */
5562 /* Set up the primary map. */
5563 /* These entries gradually get overwritten as the used address
5564 space expands. */
5568 /* Auxiliary primary maps */
5571 /* auxmap_size = auxmap_used = 0;
5572 no ... these are statically initialised */
5574 /* Secondary V bit table */
5576 }
5579 /*------------------------------------------------------------*/
5580 /*--- Sanity check machinery (permanently engaged) ---*/
5581 /*------------------------------------------------------------*/
5584 {
5585 n_sanity_cheap++;
5587 /* Check for sane operating level */
5590 /* nothing else useful we can rapidly check */
5592 }
5595 {
5596 Int i;
5597 Word n_secmaps_found;
5605 n_sanity_expensive++;
5608 /* Check for sane operating level */
5612 /* Check that the 3 distinguished SMs are still as they should be. */
5614 /* Check noaccess DSM. */
5620 /* Check undefined DSM. */
5626 /* Check defined DSM. */
5636 }
5638 /* If we're not checking for undefined value errors, the secondary V bit
5639 * table should be empty. */
5643 }
5645 /* check the auxiliary maps, very thoroughly */
5651 }
5653 /* n_secmaps_found is now the number referred to by the auxiliary
5654 primary map. Now add on the ones referred to by the main
5655 primary map. */
5661 n_secmaps_found++;
5662 }
5663 }
5665 /* check that the number of secmaps issued matches the number that
5666 are reachable (iow, no secmap leaks) */
5674 }
5680 }
5682 /* there is only one pointer to each secmap (expensive) */
5685 }
5687 /*------------------------------------------------------------*/
5688 /*--- Command line args ---*/
5689 /*------------------------------------------------------------*/
5691 /* --partial-loads-ok: enable by default on MacOS. The MacOS system
5692 graphics libraries are heavily vectorised, and not enabling this by
5693 default causes lots of false errors. */
5694 #if defined(VGO_darwin)
5696 #else
5698 #endif
5716 /* The first heuristic value (LchNone) has no keyword, as this is
5717 a fake heuristic used to collect the blocks found without any
5718 heuristic. */
5721 {
5723 Int tmp_show;
5727 /* Set MC_(clo_mc_level):
5728 1 = A bit tracking only
5729 2 = A and V bit tracking, but no V bit origins
5730 3 = A and V bit tracking, and V bit origins
5732 Do this by inspecting --undef-value-errors= and
5733 --track-origins=. Reject the case --undef-value-errors=no
5734 --track-origins=yes as meaningless.
5735 */
5742 }
5743 }
5748 }
5753 }
5760 }
5761 }
5778 }
5779 }
5785 }
5786 }
5817 "ERROR: --ignore-ranges: "
5820 }
5822 Word i;
5838 }
5839 }
5840 }
5841 }
5860 else
5866 bad_level:
5869 }
5872 {
5874 # if defined(VGO_darwin)
5876 # endif
5908 , plo_default
5909 );
5910 }
5913 {
5916 );
5917 }
5920 /*------------------------------------------------------------*/
5921 /*--- Client blocks ---*/
5922 /*------------------------------------------------------------*/
5924 /* Client block management:
5926 This is managed as an expanding array of client block descriptors.
5927 Indices of live descriptors are issued to the client, so it can ask
5928 to free them later. Therefore we cannot slide live entries down
5929 over dead ones. Instead we must use free/inuse flags and scan for
5930 an empty slot at allocation time. This in turn means allocation is
5931 relatively expensive, so we hope this does not happen too often.
5933 An unused block has start == size == 0
5934 */
5936 /* type CGenBlock is defined in mc_include.h */
5938 /* This subsystem is self-initialising. */
5943 /* Stats for this subsystem. */
5950 /* Get access to the client block array. */
5953 {
5956 }
5959 static
5961 {
5965 cgb_allocs++;
5968 cgb_search++;
5971 }
5973 /* Not found. Try to allocate one at the end. */
5975 cgb_used++;
5977 }
5979 /* Ok, we have to allocate a new one. */
5992 cgb_used++;
5996 }
6000 {
6004 );
6005 }
6007 {
6009 (
6043 }
6045 /* return True if request recognised, False otherwise */
6047 {
6055 /* NB: if possible, avoid introducing a new command below which
6056 starts with the same first letter(s) as an already existing
6057 command. This ensures a shorter abbreviation for the user. */
6070 Addr address;
6073 UChar vbits;
6074 Int i;
6077 Int res = mc_get_or_set_vbits_for_client
6081 /* we are before the first character on next line, print a \n. */
6084 /* we are before the next block of 4 starts, print a space. */
6091 unaddressable++;
6093 }
6094 }
6100 }
6101 }
6103 }
6106 LeakCheckParams lcp;
6122 "kinds reachable possibleleak definiteleak "
6123 "heuristics "
6124 "increased changed any "
6138 wcmd,
6141 err++;
6142 }
6144 }
6149 lcp.show_leak_kinds
6160 wcmd,
6163 err++;
6164 }
6166 }
6176 Int int_value;
6187 }
6192 else
6194 int_value);
6196 }
6199 }
6200 }
6204 }
6207 Addr address;
6223 }
6225 }
6228 Addr address;
6230 Addr bad_addr;
6231 UInt okind;
6233 UInt otag;
6234 UInt ecu;
6236 MC_ReadResult res;
6250 else
6274 }
6283 }
6284 }
6285 else
6291 }
6293 }
6305 // lr_nr-1 as what is shown to the user is 1 more than the index in lr_array.
6308 }
6310 }
6313 Addr address;
6321 }
6324 }
6329 }
6330 }
6332 /*------------------------------------------------------------*/
6333 /*--- Client requests ---*/
6334 /*------------------------------------------------------------*/
6337 {
6338 Int i;
6339 Addr bad_addr;
6365 }
6376 );
6380 }
6384 }
6385 /* Return the lower of the two erring addresses, if any. */
6389 }
6392 }
6395 }
6397 }
6400 LeakCheckParams lcp;
6410 }
6427 }
6434 }
6443 MC_OKIND_USER );
6460 /* VG_(printf)("allocated %d %p\n", i, cgbs); */
6479 cgb_discards++;
6481 }
6500 // MC_(bytes_leaked) et al were set by the last leak check (or zero
6501 // if no prior leak checks performed).
6506 // there is no argp[5]
6507 //*argp[5] = MC_(bytes_indirect);
6508 // XXX need to make *argp[1-4] defined; currently done in the
6509 // VALGRIND_COUNT_LEAKS_MACRO by initialising them to zero.
6512 }
6515 // MC_(blocks_leaked) et al were set by the last leak check (or zero
6516 // if no prior leak checks performed).
6521 // there is no argp[5]
6522 //*argp[5] = MC_(blocks_indirect);
6523 // XXX need to make *argp[1-4] defined; currently done in the
6524 // VALGRIND_COUNT_LEAK_BLOCKS_MACRO by initialising them to zero.
6527 }
6539 }
6541 }
6550 }
6557 }
6566 }
6575 }
6582 }
6591 }
6599 }
6608 }
6616 }
6626 }
6633 }
6639 else
6642 }
6646 Bool addRange
6648 Bool ok
6652 }
6656 Vg_UserMsg,
6659 );
6661 }
6663 }
6666 /*------------------------------------------------------------*/
6667 /*--- Crude profiling machinery. ---*/
6668 /*------------------------------------------------------------*/
6670 // We track a number of interesting events (using PROF_EVENT)
6671 // if MC_PROFILE_MEMORY is defined.
6673 #ifdef MC_PROFILE_MEMORY
6679 {
6680 Int i;
6684 }
6685 }
6688 {
6689 Int i;
6695 }
6702 }
6703 }
6704 }
6706 #else
6711 #endif
6714 /*------------------------------------------------------------*/
6715 /*--- Origin tracking stuff ---*/
6716 /*------------------------------------------------------------*/
6718 /*--------------------------------------------*/
6719 /*--- Origin tracking: load handlers ---*/
6720 /*--------------------------------------------*/
6724 }
6728 UChar descr;
6734 }
6741 }
6747 }
6748 }
6752 UChar descr;
6756 /* Handle misaligned case, slowly. */
6760 }
6767 }
6773 }
6779 }
6780 }
6784 UChar descr;
6785 UWord lineoff;
6788 /* Handle misaligned case, slowly. */
6792 }
6797 }
6804 }
6810 }
6811 }
6816 UWord lineoff;
6819 /* Handle misaligned case, slowly. */
6823 }
6828 }
6837 }
6845 }
6846 }
6853 }
6863 }
6866 /*--------------------------------------------*/
6867 /*--- Origin tracking: store handlers ---*/
6868 /*--------------------------------------------*/
6877 }
6886 }
6887 }
6894 /* Handle misaligned case, slowly. */
6898 }
6905 }
6914 }
6915 }
6919 UWord lineoff;
6922 /* Handle misaligned case, slowly. */
6926 }
6931 }
6940 }
6941 }
6945 UWord lineoff;
6948 /* Handle misaligned case, slowly. */
6952 }
6957 }
6969 }
6970 }
6975 }
6982 }
6985 /*--------------------------------------------*/
6986 /*--- Origin tracking: sarp handlers ---*/
6987 /*--------------------------------------------*/
6993 a++;
6994 len--;
6995 }
7000 }
7007 }
7012 }
7015 //a++;
7016 len--;
7017 }
7019 }
7025 a++;
7026 len--;
7027 }
7032 }
7039 }
7044 }
7047 //a++;
7048 len--;
7049 }
7051 }
7054 /*------------------------------------------------------------*/
7055 /*--- Setup and finalisation ---*/
7056 /*------------------------------------------------------------*/
7059 {
7060 /* If we've been asked to emit XML, mash around various other
7061 options so as to constrain the output somewhat. */
7063 /* Extract as much info as possible from the leak checker. */
7065 }
7077 /* We're doing origin tracking. */
7078 # ifdef PERF_FAST_STACK
7088 # endif
7092 /* Not doing origin tracking */
7093 # ifdef PERF_FAST_STACK
7103 # endif
7106 }
7108 // We assume that brk()/sbrk() does not initialise new memory. Is this
7109 // accurate? John Reiser says:
7110 //
7111 // 0) sbrk() can *decrease* process address space. No zero fill is done
7112 // for a decrease, not even the fragment on the high end of the last page
7113 // that is beyond the new highest address. For maximum safety and
7114 // portability, then the bytes in the last page that reside above [the
7115 // new] sbrk(0) should be considered to be uninitialized, but in practice
7116 // it is exceedingly likely that they will retain their previous
7117 // contents.
7118 //
7119 // 1) If an increase is large enough to require new whole pages, then
7120 // those new whole pages (like all new pages) are zero-filled by the
7121 // operating system. So if sbrk(0) already is page aligned, then
7122 // sbrk(PAGE_SIZE) *does* zero-fill the new memory.
7123 //
7124 // 2) Any increase that lies within an existing allocated page is not
7125 // changed. So if (x = sbrk(0)) is not page aligned, then
7126 // sbrk(PAGE_SIZE) yields ((PAGE_SIZE -1) & -x) bytes which keep their
7127 // existing contents, and an additional PAGE_SIZE bytes which are zeroed.
7128 // ((PAGE_SIZE -1) & x) of them are "covered" by the sbrk(), and the rest
7129 // of them come along for the ride because the operating system deals
7130 // only in whole pages. Again, for maximum safety and portability, then
7131 // anything that lives above [the new] sbrk(0) should be considered
7132 // uninitialized, but in practice will retain previous contents [zero in
7133 // this case.]"
7134 //
7135 // In short:
7136 //
7137 // A key property of sbrk/brk is that new whole pages that are supplied
7138 // by the operating system *do* get initialized to zero.
7139 //
7140 // As for the portability of all this:
7141 //
7142 // sbrk and brk are not POSIX. However, any system that is a derivative
7143 // of *nix has sbrk and brk because there are too many softwares (such as
7144 // the Bourne shell) which rely on the traditional memory map (.text,
7145 // .data+.bss, stack) and the existence of sbrk/brk.
7146 //
7147 // So we should arguably observe all this. However:
7148 // - The current inaccuracy has caused maybe one complaint in seven years(?)
7149 // - Relying on the zeroed-ness of whole brk'd pages is pretty grotty... I
7150 // doubt most programmers know the above information.
7151 // So I'm not terribly unhappy with marking it as undefined. --njn.
7152 //
7153 // [More: I think most of what John said only applies to sbrk(). It seems
7154 // that brk() always deals in whole pages. And since this event deals
7155 // directly with brk(), not with sbrk(), perhaps it would be reasonable to
7156 // just mark all memory it allocates as defined.]
7157 //
7158 # if !defined(VGO_solaris)
7161 else
7163 # else
7164 // On Solaris, brk memory has to be marked as defined, otherwise we get
7165 // many false positives.
7167 # endif
7169 /* This origin tracking cache is huge (~100M), so only initialise
7170 if we need it. */
7178 }
7187 /* Do not check definedness of guest state if --undef-value-errors=no */
7190 }
7193 {
7196 type,
7197 n_SMs,
7200 }
7203 {
7213 n_auxmap_L2_nodes,
7221 );
7224 n_auxmap_L2_searches, n_auxmap_L2_nodes
7225 );
7234 // Three DSMs, plus the non-DSM ones
7236 // The 3*sizeof(Word) bytes is the AVL node metadata size.
7237 // The VG_ROUNDUP is because the OSet pool allocator will/must align
7238 // the elements on pointer size.
7239 // Note that the pool allocator has some additional small overhead
7240 // which is not counted in the below.
7241 // Hardwiring this logic sucks, but I don't see how else to do it.
7261 stats_ocacheL1_find,
7262 stats_ocacheL1_misses,
7263 stats_ocacheL1_lossage );
7266 stats_ocacheL1_find - stats_ocacheL1_misses
7267 - stats_ocacheL1_found_at_1
7269 stats_ocacheL1_found_at_1 );
7272 stats_ocacheL1_found_at_N,
7273 stats_ocacheL1_movefwds );
7280 stats__ocacheL2_refs,
7281 stats__ocacheL2_misses );
7284 stats__ocacheL2_n_nodes_max,
7285 stats__ocacheL2_n_nodes );
7292 }
7293 }
7297 {
7301 LeakCheckParams lcp;
7315 );
7316 }
7317 }
7322 }
7327 "Use --track-origins=yes to see where "
7329 }
7331 /* Print a warning if any client-request generated ignore-ranges
7332 still exist. It would be reasonable to expect that a properly
7333 written program would remove any such ranges before exiting, and
7334 since they are a bit on the dangerous side, let's comment. By
7335 contrast ranges which are specified on the command line normally
7336 pertain to hardware mapped into the address space, and so we
7337 can't expect the client to have got rid of them. */
7348 /* Print the offending range. Also, if it is the first,
7349 print a banner before it. */
7350 nBad++;
7355 "WARNING: "
7357 "WARNING: "
7359 );
7360 }
7363 }
7364 }
7375 }
7376 }
7378 /* mark the given addr/len unaddressable for watchpoint implementation
7379 The PointKind will be handled at access time */
7382 {
7383 /* GDBTD this is somewhat fishy. We might rather have to save the previous
7384 accessibility and definedness in gdbserver so as to allow restoring it
7385 properly. Currently, we assume that the user only watches things
7386 which are properly addressable and defined */
7389 else
7392 }
7395 {
7406 mc_fini);
7426 mc_print_usage,
7427 mc_print_debug_usage);
7430 mc_expensive_sanity_check);
7443 MC_MALLOC_DEFAULT_REDZONE_SZB );
7450 // Handling of mmap and mprotect isn't simple (well, it is simple,
7451 // but the justification isn't.) See comments above, just prior to
7452 // mc_new_mem_mmap.
7462 /* Defer the specification of the new_mem_stack functions to the
7463 post_clo_init function, since we need to first parse the command
7464 line before deciding which set to use. */
7466 # ifdef PERF_FAST_STACK
7476 # endif
7492 }
7497 // MC_(chunk_poolalloc) must be allocated in post_clo_init
7505 // {LOADV,STOREV}[8421] will all fail horribly if this isn't true.
7507 // Call me paranoid. I don't care.
7510 // BYTES_PER_SEC_VBIT_NODE must be a power of two.
7513 /* This is small. Always initialise it. */
7516 /* We can't initialise ocacheL1/ocacheL2 yet, since we don't know
7517 if we need to, since the command line args haven't been
7518 processed yet. Hence defer it to mc_post_clo_init. */
7522 /* Check some important stuff. See extensive comments above
7523 re UNALIGNED_OR_HIGH for background. */
7524 # if VG_WORDSIZE == 4
7534 # else
7545 # endif
7546 }
7550 /*--------------------------------------------------------------------*/
7551 /*--- end mc_main.c ---*/
7552 /*--------------------------------------------------------------------*/