]> git.proxmox.com Git - rustc.git/blame - src/compiler-rt/lib/msandr/msandr.cc
projects / rustc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Imported Upstream version 1.5.0+dfsg1
[rustc.git] / src / compiler-rt / lib / msandr / msandr.cc
CommitLineData
1a4d82fc
JJ		 1//===-- msandr.cc ---------------------------------------------------------===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file is a part of MemorySanitizer.
11//
12// DynamoRio client for MemorySanitizer.
13//
14// MemorySanitizer requires that all program code is instrumented. Any memory
15// store that can turn an uninitialized value into an initialized value must be
16// observed by the tool, otherwise we risk reporting a false UMR.
17//
18// This also includes any libraries that the program depends on.
19//
20// In the case when rebuilding all program dependencies with MemorySanitizer is
21// problematic, an experimental MSanDR tool (the code you are currently looking
22// at) can be used. It is a DynamoRio-based tool that uses dynamic
23// instrumentation to
24// * Unpoison all memory stores.
25// * Unpoison TLS slots used by MemorySanitizer to pass function arguments and
26// return value shadow on anything that looks like a function call or a return
27// from a function.
28//
29// This tool does not detect the use of uninitialized values in uninstrumented
30// libraries. It merely gets rid of false positives by marking all data that
31// passes through uninstrumented code as fully initialized.
32//===----------------------------------------------------------------------===//
33
34#include <dr_api.h>
35#include <drutil.h>
36#include <drmgr.h>
37#include <drsyscall.h>
38
39#include <sys/mman.h>
40#include <sys/syscall.h> /* for SYS_mmap */
41
42#include <string.h>
43
44// XXX: it seems setting macro in CMakeLists.txt does not work,
45// so manually set it here now.
46
47// Building msandr client for running in DynamoRIO hybrid mode,
48// which allows some module running natively.
49// TODO: turn it on by default when hybrid is stable enough
50// #define MSANDR_NATIVE_EXEC
51
52#ifndef MSANDR_NATIVE_EXEC
53#include <algorithm>
54#include <set>
55#include <string>
56#include <vector>
57#endif
58
59#define TESTALL(mask, var) (((mask) & (var)) == (mask))
60#define TESTANY(mask, var) (((mask) & (var)) != 0)
61
62#define CHECK_IMPL(condition, file, line) \
63 do { \
64 if (!(condition)) { \
65 dr_printf("Check failed: `%s`\nat %s:%d\n", #condition, file, line); \
66 dr_abort(); \
67 } \
68 } while (0) // TODO: stacktrace
69
70#define CHECK(condition) CHECK_IMPL(condition, __FILE__, __LINE__)
71
72#define VERBOSITY 0
73
74// Building msandr client for standalone test that does not need to
75// run with msan build executables. Disable by default.
76// #define MSANDR_STANDALONE_TEST
77
78#define NUM_TLS_RETVAL 1
79#define NUM_TLS_PARAM 6
80
81#ifdef MSANDR_STANDALONE_TEST
82// For testing purpose, we map app to shadow memory at [0x100000, 0x20000).
83// Normally, the app starts at 0x400000:
84// 00400000-004e0000 r-xp 00000000 fc:00 524343 /bin/bash
85// so there should be no problem.
86# define SHADOW_MEMORY_BASE ((void *)0x100000)
87# define SHADOW_MEMORY_SIZE (0x100000)
88# define SHADOW_MEMORY_MASK (SHADOW_MEMORY_SIZE - 4 /* to avoid overflow */)
89#else
90// shadow memory range [0x200000000000, 0x400000000000)
91// assuming no app memory below 0x200000000000
92# define SHADOW_MEMORY_MASK 0x3fffffffffffULL
93#endif /* MSANDR_STANDALONE_TEST */
94
95typedef void *(*WrapperFn)(void *);
96extern "C" void __msan_set_indirect_call_wrapper(WrapperFn wrapper);
97extern "C" void __msan_dr_is_initialized();
98
99namespace {
100
101int msan_retval_tls_offset;
102int msan_param_tls_offset;
103
104#ifndef MSANDR_NATIVE_EXEC
105class ModuleData {
106public:
107 ModuleData();
108 ModuleData(const module_data_t *info);
109 // Yes, we want default copy, assign, and dtor semantics.
110
111public:
112 app_pc start_;
113 app_pc end_;
114 // Full path to the module.
115 std::string path_;
116 module_handle_t handle_;
117 bool should_instrument_;
118 bool executed_;
119};
120
121// A vector of loaded modules sorted by module bounds. We lookup the current PC
122// in here from the bb event. This is better than an rb tree because the lookup
123// is faster and the bb event occurs far more than the module load event.
124std::vector<ModuleData> g_module_list;
125
126ModuleData::ModuleData()
127 : start_(NULL), end_(NULL), path_(""), handle_(NULL),
128 should_instrument_(false), executed_(false) {
129}
130
131ModuleData::ModuleData(const module_data_t *info)
132 : start_(info->start), end_(info->end), path_(info->full_path),
133 handle_(info->handle),
134 // We'll check the black/white lists later and adjust this.
135 should_instrument_(true), executed_(false) {
136}
137#endif /* !MSANDR_NATIVE_EXEC */
138
139int(*__msan_get_retval_tls_offset)();
140int(*__msan_get_param_tls_offset)();
141void (*__msan_unpoison)(void *base, size_t size);
142bool (*__msan_is_in_loader)();
143
144#ifdef MSANDR_STANDALONE_TEST
145uint mock_msan_retval_tls_offset;
146uint mock_msan_param_tls_offset;
147static int mock_msan_get_retval_tls_offset() {
148 return (int)mock_msan_retval_tls_offset;
149}
150
151static int mock_msan_get_param_tls_offset() {
152 return (int)mock_msan_param_tls_offset;
153}
154
155static void mock_msan_unpoison(void *base, size_t size) {
156 /* do nothing */
157}
158
159static bool mock_msan_is_in_loader() {
160 return false;
161}
162#endif /* MSANDR_STANDALONE_TEST */
163
164static generic_func_t LookupCallback(module_data_t *app, const char *name) {
165#ifdef MSANDR_STANDALONE_TEST
166 if (strcmp("__msan_get_retval_tls_offset", name) == 0) {
167 return (generic_func_t)mock_msan_get_retval_tls_offset;
168 } else if (strcmp("__msan_get_param_tls_offset", name) == 0) {
169 return (generic_func_t)mock_msan_get_param_tls_offset;
170 } else if (strcmp("__msan_unpoison", name) == 0) {
171 return (generic_func_t)mock_msan_unpoison;
172 } else if (strcmp("__msan_is_in_loader", name) == 0) {
173 return (generic_func_t)mock_msan_is_in_loader;
174 }
175 CHECK(false);
176 return NULL;
177#else /* !MSANDR_STANDALONE_TEST */
178 generic_func_t callback = dr_get_proc_address(app->handle, name);
179 if (callback == NULL) {
180 dr_printf("Couldn't find `%s` in %s\n", name, app->full_path);
181 CHECK(callback);
182 }
183 return callback;
184#endif /* !MSANDR_STANDALONE_TEST */
185}
186
187void InitializeMSanCallbacks() {
188 module_data_t *app = dr_lookup_module_by_name(dr_get_application_name());
189 if (!app) {
190 dr_printf("%s - oops, dr_lookup_module_by_name failed!\n",
191 dr_get_application_name());
192 CHECK(app);
193 }
194
195 __msan_get_retval_tls_offset = (int (*)())
196 LookupCallback(app, "__msan_get_retval_tls_offset");
197 __msan_get_param_tls_offset = (int (*)())
198 LookupCallback(app, "__msan_get_param_tls_offset");
199 __msan_unpoison = (void(*)(void *, size_t))
200 LookupCallback(app, "__msan_unpoison");
201 __msan_is_in_loader = (bool (*)())
202 LookupCallback(app, "__msan_is_in_loader");
203
204 dr_free_module_data(app);
205}
206
207// FIXME: Handle absolute addresses and PC-relative addresses.
208// FIXME: Handle TLS accesses via FS or GS. DR assumes all other segments have
209// a zero base anyway.
210bool OperandIsInteresting(opnd_t opnd) {
211 return (opnd_is_base_disp(opnd) && opnd_get_segment(opnd) != DR_SEG_FS &&
212 opnd_get_segment(opnd) != DR_SEG_GS);
213}
214
215bool WantToInstrument(instr_t *instr) {
216 // TODO: skip push instructions?
217 switch (instr_get_opcode(instr)) {
218 // FIXME: support the instructions excluded below:
219 case OP_rep_cmps:
220 // f3 a6 rep cmps %ds:(%rsi) %es:(%rdi) %rsi %rdi %rcx -> %rsi %rdi %rcx
221 return false;
222 }
223
224 // Labels appear due to drutil_expand_rep_string()
225 if (instr_is_label(instr))
226 return false;
227
228 CHECK(instr_ok_to_mangle(instr) == true);
229
230 if (instr_writes_memory(instr)) {
231 for (int d = 0; d < instr_num_dsts(instr); d++) {
232 opnd_t op = instr_get_dst(instr, d);
233 if (OperandIsInteresting(op))
234 return true;
235 }
236 }
237
238 return false;
239}
240
241#define PRE(at, what) instrlist_meta_preinsert(bb, at, INSTR_CREATE_##what);
242#define PREF(at, what) instrlist_meta_preinsert(bb, at, what);
243
244void InstrumentMops(void *drcontext, instrlist_t *bb, instr_t *instr, opnd_t op,
245 bool is_write) {
246 bool need_to_restore_eflags = false;
247 uint flags = instr_get_arith_flags(instr);
248 // TODO: do something smarter with flags and spills in general?
249 // For example, spill them only once for a sequence of instrumented
250 // instructions that don't change/read flags.
251
252 if (!TESTALL(EFLAGS_WRITE_6, flags) || TESTANY(EFLAGS_READ_6, flags)) {
253 if (VERBOSITY > 1)
254 dr_printf("Spilling eflags...\n");
255 need_to_restore_eflags = true;
256 // TODO: Maybe sometimes don't need to 'seto'.
257 // TODO: Maybe sometimes don't want to spill XAX here?
258 // TODO: No need to spill XAX here if XAX is not used in the BB.
259 dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
260 dr_save_arith_flags_to_xax(drcontext, bb, instr);
261 dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_3);
262 dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
263 }
264
265#if 0
266 dr_printf("==DRMSAN== DEBUG: %d %d %d %d %d %d\n",
267 opnd_is_memory_reference(op), opnd_is_base_disp(op),
268 opnd_is_base_disp(op) ? opnd_get_index(op) : -1,
269 opnd_is_far_memory_reference(op), opnd_is_reg_pointer_sized(op),
270 opnd_is_base_disp(op) ? opnd_get_disp(op) : -1);
271#endif
272
273 reg_id_t R1;
274 bool address_in_R1 = false;
275 if (opnd_is_base_disp(op) && opnd_get_index(op) == DR_REG_NULL &&
276 opnd_get_disp(op) == 0) {
277 // If this is a simple access with no offset or index, we can just use the
278 // base for R1.
279 address_in_R1 = true;
280 R1 = opnd_get_base(op);
281 } else {
282 // Otherwise, we need to compute the addr into R1.
283 // TODO: reuse some spare register? e.g. r15 on x64
284 // TODO: might be used as a non-mem-ref register?
285 R1 = DR_REG_XAX;
286 }
287 CHECK(reg_is_pointer_sized(R1)); // otherwise R2 may be wrong.
288
289 // Pick R2 from R8 to R15.
290 // It's OK if the instr uses R2 elsewhere, since we'll restore it before instr.
291 reg_id_t R2;
292 for (R2 = DR_REG_R8; R2 <= DR_REG_R15; R2++) {
293 if (!opnd_uses_reg(op, R2))
294 break;
295 }
296 CHECK((R2 <= DR_REG_R15) && R1 != R2);
297
298 // Save the current values of R1 and R2.
299 dr_save_reg(drcontext, bb, instr, R1, SPILL_SLOT_1);
300 // TODO: Something smarter than spilling a "fixed" register R2?
301 dr_save_reg(drcontext, bb, instr, R2, SPILL_SLOT_2);
302
303 if (!address_in_R1)
304 CHECK(drutil_insert_get_mem_addr(drcontext, bb, instr, op, R1, R2));
305 PRE(instr, mov_imm(drcontext, opnd_create_reg(R2),
306 OPND_CREATE_INT64(SHADOW_MEMORY_MASK)));
307 PRE(instr, and(drcontext, opnd_create_reg(R1), opnd_create_reg(R2)));
308#ifdef MSANDR_STANDALONE_TEST
309 PRE(instr, add(drcontext, opnd_create_reg(R1),
310 OPND_CREATE_INT32(SHADOW_MEMORY_BASE)));
311#endif
312 // There is no mov_st of a 64-bit immediate, so...
313 opnd_size_t op_size = opnd_get_size(op);
314 CHECK(op_size != OPSZ_NA);
315 uint access_size = opnd_size_in_bytes(op_size);
316 if (access_size <= 4 || op_size == OPSZ_PTR /* x64 support sign extension */) {
317 instr_t *label = INSTR_CREATE_label(drcontext);
318 opnd_t immed;
319 if (op_size == OPSZ_PTR || op_size == OPSZ_4)
320 immed = OPND_CREATE_INT32(0);
321 else
322 immed = opnd_create_immed_int((ptr_int_t) 0, op_size);
323 // we check if target is 0 before write to reduce unnecessary memory stores.
324 PRE(instr, cmp(drcontext,
325 opnd_create_base_disp(R1, DR_REG_NULL, 0, 0, op_size),
326 immed));
327 PRE(instr, jcc(drcontext, OP_je, opnd_create_instr(label)));
328 PRE(instr, mov_st(drcontext,
329 opnd_create_base_disp(R1, DR_REG_NULL, 0, 0, op_size),
330 immed));
331 PREF(instr, label);
332 } else {
333 // FIXME: tail?
334 for (uint ofs = 0; ofs < access_size; ofs += 4) {
335 instr_t *label = INSTR_CREATE_label(drcontext);
336 opnd_t immed = OPND_CREATE_INT32(0);
337 PRE(instr, cmp(drcontext, OPND_CREATE_MEM32(R1, ofs), immed));
338 PRE(instr, jcc(drcontext, OP_je, opnd_create_instr(label)));
339 PRE(instr, mov_st(drcontext, OPND_CREATE_MEM32(R1, ofs), immed));
340 PREF(instr, label)
341 }
342 }
343
344 // Restore the registers and flags.
345 dr_restore_reg(drcontext, bb, instr, R1, SPILL_SLOT_1);
346 dr_restore_reg(drcontext, bb, instr, R2, SPILL_SLOT_2);
347
348 // TODO: move aflags save/restore to per instr instead of per opnd
349 if (need_to_restore_eflags) {
350 if (VERBOSITY > 1)
351 dr_printf("Restoring eflags\n");
352 // TODO: Check if it's reverse to the dr_restore_reg above and optimize.
353 dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
354 dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_3);
355 dr_restore_arith_flags_from_xax(drcontext, bb, instr);
356 dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
357 }
358
359 // The original instruction is left untouched. The above instrumentation is just
360 // a prefix.
361}
362
363void InstrumentReturn(void *drcontext, instrlist_t *bb, instr_t *instr) {
364#ifdef MSANDR_STANDALONE_TEST
365 PRE(instr,
366 mov_st(drcontext,
367 opnd_create_far_base_disp(DR_SEG_GS /* DR's TLS */,
368 DR_REG_NULL, DR_REG_NULL,
369 0, msan_retval_tls_offset,
370 OPSZ_PTR),
371 OPND_CREATE_INT32(0)));
372#else /* !MSANDR_STANDALONE_TEST */
373# ifdef MSANDR_NATIVE_EXEC
374 /* For optimized native exec, -mangle_app_seg and -private_loader are turned off,
375 * so we can reference msan_retval_tls_offset directly.
376 */
377 PRE(instr,
378 mov_st(drcontext,
379 opnd_create_far_base_disp(DR_SEG_FS, DR_REG_NULL, DR_REG_NULL, 0,
380 msan_retval_tls_offset, OPSZ_PTR),
381 OPND_CREATE_INT32(0)));
382# else /* !MSANDR_NATIVE_EXEC */
383 /* XXX: the code below only works if -mangle_app_seg and -private_loader,
384 * which is turned off for optimized native exec
385 */
386 dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
387
388 // Clobbers nothing except xax.
389 bool res =
390 dr_insert_get_seg_base(drcontext, bb, instr, DR_SEG_FS, DR_REG_XAX);
391 CHECK(res);
392
393 // TODO: unpoison more bytes?
394 PRE(instr,
395 mov_st(drcontext, OPND_CREATE_MEM64(DR_REG_XAX, msan_retval_tls_offset),
396 OPND_CREATE_INT32(0)));
397
398 dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
399# endif /* !MSANDR_NATIVE_EXEC */
400 // The original instruction is left untouched. The above instrumentation is just
401 // a prefix.
402#endif /* !MSANDR_STANDALONE_TEST */
403}
404
405void InstrumentIndirectBranch(void *drcontext, instrlist_t *bb,
406 instr_t *instr) {
407#ifdef MSANDR_STANDALONE_TEST
408 for (int i = 0; i < NUM_TLS_PARAM; ++i) {
409 PRE(instr,
410 mov_st(drcontext,
411 opnd_create_far_base_disp(DR_SEG_GS /* DR's TLS */,
412 DR_REG_NULL, DR_REG_NULL,
413 0,
414 msan_param_tls_offset +
415 i * sizeof(void *),
416 OPSZ_PTR),
417 OPND_CREATE_INT32(0)));
418 }
419#else /* !MSANDR_STANDALONE_TEST */
420# ifdef MSANDR_NATIVE_EXEC
421 for (int i = 0; i < NUM_TLS_PARAM; ++i) {
422 PRE(instr,
423 mov_st(drcontext,
424 opnd_create_far_base_disp(DR_SEG_FS, DR_REG_NULL, DR_REG_NULL, 0,
425 msan_param_tls_offset + i*sizeof(void*),
426 OPSZ_PTR),
427 OPND_CREATE_INT32(0)));
428 }
429# else /* !MSANDR_NATIVE_EXEC */
430 /* XXX: the code below only works if -mangle_app_seg and -private_loader,
431 * which is turned off for optimized native exec
432 */
433 dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
434
435 // Clobbers nothing except xax.
436 bool res =
437 dr_insert_get_seg_base(drcontext, bb, instr, DR_SEG_FS, DR_REG_XAX);
438 CHECK(res);
439
440 // TODO: unpoison more bytes?
441 for (int i = 0; i < NUM_TLS_PARAM; ++i) {
442 PRE(instr,
443 mov_st(drcontext, OPND_CREATE_MEMPTR(DR_REG_XAX, msan_param_tls_offset +
444 i * sizeof(void *)),
445 OPND_CREATE_INT32(0)));
446 }
447
448 dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1);
449# endif /* !MSANDR_NATIVE_EXEC */
450 // The original instruction is left untouched. The above instrumentation is just
451 // a prefix.
452#endif /* !MSANDR_STANDALONE_TEST */
453}
454
455#ifndef MSANDR_NATIVE_EXEC
456// For use with binary search. Modules shouldn't overlap, so we shouldn't have
457// to look at end_. If that can happen, we won't support such an application.
458bool ModuleDataCompareStart(const ModuleData &left, const ModuleData &right) {
459 return left.start_ < right.start_;
460}
461
462// Look up the module containing PC. Should be relatively fast, as its called
463// for each bb instrumentation.
464ModuleData *LookupModuleByPC(app_pc pc) {
465 ModuleData fake_mod_data;
466 fake_mod_data.start_ = pc;
467 std::vector<ModuleData>::iterator it =
468 lower_bound(g_module_list.begin(), g_module_list.end(), fake_mod_data,
469 ModuleDataCompareStart);
470 // if (it == g_module_list.end())
471 // return NULL;
472 if (it == g_module_list.end() || pc < it->start_)
473 --it;
474 CHECK(it->start_ <= pc);
475 if (pc >= it->end_) {
476 // We're past the end of this module. We shouldn't be in the next module,
477 // or lower_bound lied to us.
478 ++it;
479 CHECK(it == g_module_list.end() || pc < it->start_);
480 return NULL;
481 }
482
483 // OK, we found the module.
484 return &*it;
485}
486
487bool ShouldInstrumentNonModuleCode() { return true; }
488
489bool ShouldInstrumentModule(ModuleData *mod_data) {
490 // TODO(rnk): Flags for blacklist would get wired in here.
491 generic_func_t p =
492 dr_get_proc_address(mod_data->handle_, "__msan_track_origins");
493 return !p;
494}
495
496bool ShouldInstrumentPc(app_pc pc, ModuleData **pmod_data) {
497 ModuleData *mod_data = LookupModuleByPC(pc);
498 if (pmod_data)
499 *pmod_data = mod_data;
500 if (mod_data != NULL) {
501 // This module is on a blacklist.
502 if (!mod_data->should_instrument_) {
503 return false;
504 }
505 } else if (!ShouldInstrumentNonModuleCode()) {
506 return false;
507 }
508 return true;
509}
510#endif /* !MSANDR_NATIVE_CLIENT */
511
512// TODO(rnk): Make sure we instrument after __msan_init.
513dr_emit_flags_t
514event_basic_block_app2app(void *drcontext, void *tag, instrlist_t *bb,
515 bool for_trace, bool translating) {
516#ifndef MSANDR_NATIVE_EXEC
517 app_pc pc = dr_fragment_app_pc(tag);
518 if (ShouldInstrumentPc(pc, NULL))
519 CHECK(drutil_expand_rep_string(drcontext, bb));
520#else /* MSANDR_NATIVE_EXEC */
521 CHECK(drutil_expand_rep_string(drcontext, bb));
522#endif /* MSANDR_NATIVE_EXEC */
523 return DR_EMIT_PERSISTABLE;
524}
525
526dr_emit_flags_t event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
527 bool for_trace, bool translating) {
528 app_pc pc = dr_fragment_app_pc(tag);
529#ifndef MSANDR_NATIVE_EXEC
530 ModuleData *mod_data;
531
532 if (!ShouldInstrumentPc(pc, &mod_data))
533 return DR_EMIT_PERSISTABLE;
534
535 if (VERBOSITY > 1)
536 dr_printf("============================================================\n");
537 if (VERBOSITY > 0) {
538 std::string mod_path = (mod_data ? mod_data->path_ : "<no module, JITed?>");
539 if (mod_data && !mod_data->executed_) {
540 mod_data->executed_ = true; // Nevermind this race.
541 dr_printf("Executing from new module: %s\n", mod_path.c_str());
542 }
543 dr_printf("BB to be instrumented: %p [from %s]; translating = %s\n", pc,
544 mod_path.c_str(), translating ? "true" : "false");
545 if (mod_data) {
546 // Match standard sanitizer trace format for free symbols.
547 // #0 0x7f6e35cf2e45 (/blah/foo.so+0x11fe45)
548 dr_printf(" #0 %p (%s+%p)\n", pc, mod_data->path_.c_str(),
549 pc - mod_data->start_);
550 }
551 }
552#endif /* !MSANDR_NATIVE_EXEC */
553
554 if (VERBOSITY > 1) {
555 instrlist_disassemble(drcontext, pc, bb, STDOUT);
556 instr_t *instr;
557 for (instr = instrlist_first(bb); instr; instr = instr_get_next(instr)) {
558 dr_printf("opcode: %d\n", instr_get_opcode(instr));
559 }
560 }
561
562 for (instr_t *i = instrlist_first(bb); i != NULL; i = instr_get_next(i)) {
563 int opcode = instr_get_opcode(i);
564 if (opcode == OP_ret || opcode == OP_ret_far) {
565 InstrumentReturn(drcontext, bb, i);
566 continue;
567 }
568
569 // These instructions hopefully cover all cases where control is transferred
570 // to a function in a different module (we only care about calls into
571 // compiler-instrumented modules).
572 // * call_ind is used for normal indirect calls.
573 // * jmp_ind is used for indirect tail calls, and calls through PLT (PLT
574 // stub includes a jump to an address from GOT).
575 if (opcode == OP_call_ind || opcode == OP_call_far_ind ||
576 opcode == OP_jmp_ind || opcode == OP_jmp_far_ind) {
577 InstrumentIndirectBranch(drcontext, bb, i);
578 continue;
579 }
580
581 if (!WantToInstrument(i))
582 continue;
583
584 if (VERBOSITY > 1) {
585 app_pc orig_pc = dr_fragment_app_pc(tag);
586 uint flags = instr_get_arith_flags(i);
587 dr_printf("+%d -> to be instrumented! [opcode=%d, flags = 0x%08X]\n",
588 instr_get_app_pc(i) - orig_pc, instr_get_opcode(i), flags);
589 }
590
591 if (instr_writes_memory(i)) {
592 // Instrument memory writes
593 // bool instrumented_anything = false;
594 for (int d = 0; d < instr_num_dsts(i); d++) {
595 opnd_t op = instr_get_dst(i, d);
596 if (!OperandIsInteresting(op))
597 continue;
598
599 // CHECK(!instrumented_anything);
600 // instrumented_anything = true;
601 InstrumentMops(drcontext, bb, i, op, true);
602 break; // only instrumenting the first dst
603 }
604 }
605 }
606
607// TODO: optimize away redundant restore-spill pairs?
608
609 if (VERBOSITY > 1) {
610 pc = dr_fragment_app_pc(tag);
611 dr_printf("\nFinished instrumenting dynamorio_basic_block(PC=" PFX ")\n", pc);
612 instrlist_disassemble(drcontext, pc, bb, STDOUT);
613 }
614 return DR_EMIT_PERSISTABLE;
615}
616
617#ifndef MSANDR_NATIVE_EXEC
618void event_module_load(void *drcontext, const module_data_t *info,
619 bool loaded) {
620 // Insert the module into the list while maintaining the ordering.
621 ModuleData mod_data(info);
622 std::vector<ModuleData>::iterator it =
623 upper_bound(g_module_list.begin(), g_module_list.end(), mod_data,
624 ModuleDataCompareStart);
625 it = g_module_list.insert(it, mod_data);
626 // Check if we should instrument this module.
627 it->should_instrument_ = ShouldInstrumentModule(&*it);
628 dr_module_set_should_instrument(info->handle, it->should_instrument_);
629
630 if (VERBOSITY > 0)
631 dr_printf("==DRMSAN== Loaded module: %s [%p...%p], instrumentation is %s\n",
632 info->full_path, info->start, info->end,
633 it->should_instrument_ ? "on" : "off");
634}
635
636void event_module_unload(void *drcontext, const module_data_t *info) {
637 if (VERBOSITY > 0)
638 dr_printf("==DRMSAN== Unloaded module: %s [%p...%p]\n", info->full_path,
639 info->start, info->end);
640
641 // Remove the module from the list.
642 ModuleData mod_data(info);
643 std::vector<ModuleData>::iterator it =
644 lower_bound(g_module_list.begin(), g_module_list.end(), mod_data,
645 ModuleDataCompareStart);
646 // It's a bug if we didn't actually find the module.
647 CHECK(it != g_module_list.end() && it->start_ == mod_data.start_ &&
648 it->end_ == mod_data.end_ && it->path_ == mod_data.path_);
649 g_module_list.erase(it);
650}
651#endif /* !MSANDR_NATIVE_EXEC */
652
653void event_exit() {
654 // Clean up so DR doesn't tell us we're leaking memory.
655 drsys_exit();
656 drutil_exit();
657 drmgr_exit();
658
659#ifdef MSANDR_STANDALONE_TEST
660 /* free tls */
661 bool res;
662 res = dr_raw_tls_cfree(msan_retval_tls_offset, NUM_TLS_RETVAL);
663 CHECK(res);
664 res = dr_raw_tls_cfree(msan_param_tls_offset, NUM_TLS_PARAM);
665 CHECK(res);
666 /* we do not bother to free the shadow memory */
667#endif /* !MSANDR_STANDALONE_TEST */
668 if (VERBOSITY > 0)
669 dr_printf("==DRMSAN== DONE\n");
670}
671
672bool event_filter_syscall(void *drcontext, int sysnum) {
673 // FIXME: only intercept syscalls with memory effects.
674 return true; /* intercept everything */
675}
676
677bool drsys_iter_memarg_cb(drsys_arg_t *arg, void *user_data) {
678 CHECK(arg->valid);
679
680 if (arg->pre)
681 return true;
682 if (!TESTANY(DRSYS_PARAM_OUT, arg->mode))
683 return true;
684
685 size_t sz = arg->size;
686
687 if (sz > 0xFFFFFFFF) {
688 drmf_status_t res;
689 drsys_syscall_t *syscall = (drsys_syscall_t *)user_data;
690 const char *name;
691 res = drsys_syscall_name(syscall, &name);
692 CHECK(res == DRMF_SUCCESS);
693
694 dr_printf("SANITY: syscall '%s' arg %d writes %llu bytes memory?!"
695 " Clipping to %llu.\n",
696 name, arg->ordinal, (unsigned long long) sz,
697 (unsigned long long)(sz & 0xFFFFFFFF));
698 }
699
700 if (VERBOSITY > 0) {
701 drmf_status_t res;
702 drsys_syscall_t *syscall = (drsys_syscall_t *)user_data;
703 const char *name;
704 res = drsys_syscall_name(syscall, &name);
705 CHECK(res == DRMF_SUCCESS);
706 dr_printf("drsyscall: syscall '%s' arg %d wrote range [%p, %p)\n",
707 name, arg->ordinal, arg->start_addr,
708 (char *)arg->start_addr + sz);
709 }
710
711 // We don't switch to the app context because __msan_unpoison() doesn't need
712 // TLS segments.
713 __msan_unpoison(arg->start_addr, sz);
714
715 return true; /* keep going */
716}
717
718bool event_pre_syscall(void *drcontext, int sysnum) {
719 drsys_syscall_t *syscall;
720 drsys_sysnum_t sysnum_full;
721 bool known;
722 drsys_param_type_t ret_type;
723 drmf_status_t res;
724 const char *name;
725
726 res = drsys_cur_syscall(drcontext, &syscall);
727 CHECK(res == DRMF_SUCCESS);
728
729 res = drsys_syscall_number(syscall, &sysnum_full);
730 CHECK(res == DRMF_SUCCESS);
731 CHECK(sysnum == sysnum_full.number);
732
733 res = drsys_syscall_is_known(syscall, &known);
734 CHECK(res == DRMF_SUCCESS);
735
736 res = drsys_syscall_name(syscall, &name);
737 CHECK(res == DRMF_SUCCESS);
738
739 res = drsys_syscall_return_type(syscall, &ret_type);
740 CHECK(res == DRMF_SUCCESS);
741 CHECK(ret_type != DRSYS_TYPE_INVALID);
742 CHECK(!known || ret_type != DRSYS_TYPE_UNKNOWN);
743
744 res = drsys_iterate_memargs(drcontext, drsys_iter_memarg_cb, NULL);
745 CHECK(res == DRMF_SUCCESS);
746
747 return true;
748}
749
750static bool IsInLoader(void *drcontext) {
751 // TODO: This segment swap is inefficient. DR should just let us query the
752 // app segment base, which it has. Alternatively, if we disable
753 // -mangle_app_seg, then we won't need the swap.
754 bool need_swap = !dr_using_app_state(drcontext);
755 if (need_swap)
756 dr_switch_to_app_state(drcontext);
757 bool is_in_loader = __msan_is_in_loader();
758 if (need_swap)
759 dr_switch_to_dr_state(drcontext);
760 return is_in_loader;
761}
762
763void event_post_syscall(void *drcontext, int sysnum) {
764 drsys_syscall_t *syscall;
765 drsys_sysnum_t sysnum_full;
766 bool success = false;
767 drmf_status_t res;
768
769 res = drsys_cur_syscall(drcontext, &syscall);
770 CHECK(res == DRMF_SUCCESS);
771
772 res = drsys_syscall_number(syscall, &sysnum_full);
773 CHECK(res == DRMF_SUCCESS);
774 CHECK(sysnum == sysnum_full.number);
775
776 res = drsys_syscall_succeeded(syscall, dr_syscall_get_result(drcontext),
777 &success);
778 CHECK(res == DRMF_SUCCESS);
779
780 if (success) {
781 res =
782 drsys_iterate_memargs(drcontext, drsys_iter_memarg_cb, (void *)syscall);
783 CHECK(res == DRMF_SUCCESS);
784 }
785
786 // Our normal mmap interceptor can't intercept calls from the loader itself.
787 // This means we don't clear the shadow for calls to dlopen. For now, we
788 // solve this by intercepting mmap from ld.so here, but ideally we'd have a
789 // solution that doesn't rely on msandr.
790 //
791 // Be careful not to intercept maps done by the msan rtl. Otherwise we end up
792 // unpoisoning vast regions of memory and OOMing.
793 // TODO: __msan_unpoison() could "flush" large regions of memory like tsan
794 // does instead of doing a large memset. However, we need the memory to be
795 // zeroed, where as tsan does not, so plain madvise is not enough.
796 if (success && (sysnum == SYS_mmap IF_NOT_X64(|| sysnum == SYS_mmap2))) {
797 if (IsInLoader(drcontext)) {
798 app_pc base = (app_pc)dr_syscall_get_result(drcontext);
799 ptr_uint_t size;
800 drmf_status_t res = drsys_pre_syscall_arg(drcontext, 1, &size);
801 CHECK(res == DRMF_SUCCESS);
802 if (VERBOSITY > 0)
803 dr_printf("unpoisoning for dlopen: [%p-%p]\n", base, base + size);
804 // We don't switch to the app context because __msan_unpoison() doesn't
805 // need TLS segments.
806 __msan_unpoison(base, size);
807 }
808 }
809}
810
811} // namespace
812
813DR_EXPORT void dr_init(client_id_t id) {
814 drmf_status_t res;
815
816 drmgr_init();
817 drutil_init();
818
819#ifndef MSANDR_NATIVE_EXEC
820 // We should use drconfig to ignore these applications.
821 std::string app_name = dr_get_application_name();
822 // This blacklist will still run these apps through DR's code cache. On the
823 // other hand, we are able to follow children of these apps.
824 // FIXME: Once DR has detach, we could just detach here. Alternatively,
825 // if DR had a fork or exec hook to let us decide there, that would be nice.
826 // FIXME: make the blacklist cmd-adjustable.
827 if (app_name == "python" || app_name == "python2.7" || app_name == "bash" ||
828 app_name == "sh" || app_name == "true" || app_name == "exit" ||
829 app_name == "yes" || app_name == "echo")
830 return;
831#endif /* !MSANDR_NATIVE_EXEC */
832
833 drsys_options_t ops;
834 memset(&ops, 0, sizeof(ops));
835 ops.struct_size = sizeof(ops);
836 ops.analyze_unknown_syscalls = false;
837
838 res = drsys_init(id, &ops);
839 CHECK(res == DRMF_SUCCESS);
840
841 dr_register_filter_syscall_event(event_filter_syscall);
842 drmgr_register_pre_syscall_event(event_pre_syscall);
843 drmgr_register_post_syscall_event(event_post_syscall);
844 res = drsys_filter_all_syscalls();
845 CHECK(res == DRMF_SUCCESS);
846
847#ifdef MSANDR_STANDALONE_TEST
848 reg_id_t reg_seg;
849 /* alloc tls */
850 if (!dr_raw_tls_calloc(&reg_seg, &mock_msan_retval_tls_offset, NUM_TLS_RETVAL, 0))
851 CHECK(false);
852 CHECK(reg_seg == DR_SEG_GS /* x64 only! */);
853 if (!dr_raw_tls_calloc(&reg_seg, &mock_msan_param_tls_offset, NUM_TLS_PARAM, 0))
854 CHECK(false);
855 CHECK(reg_seg == DR_SEG_GS /* x64 only! */);
856 /* alloc shadow memory */
857 if (mmap(SHADOW_MEMORY_BASE, SHADOW_MEMORY_SIZE, PROT_READ|PROT_WRITE,
858 MAP_PRIVATE | MAP_ANON, -1, 0) != SHADOW_MEMORY_BASE) {
859 CHECK(false);
860 }
861#endif /* MSANDR_STANDALONE_TEST */
862 InitializeMSanCallbacks();
863
864 // FIXME: the shadow is initialized earlier when DR calls one of our wrapper
865 // functions. This may change one day.
866 // TODO: make this more robust.
867
868 void *drcontext = dr_get_current_drcontext();
869
870 dr_switch_to_app_state(drcontext);
871 msan_retval_tls_offset = __msan_get_retval_tls_offset();
872 msan_param_tls_offset = __msan_get_param_tls_offset();
873 dr_switch_to_dr_state(drcontext);
874 if (VERBOSITY > 0) {
875 dr_printf("__msan_retval_tls offset: %d\n", msan_retval_tls_offset);
876 dr_printf("__msan_param_tls offset: %d\n", msan_param_tls_offset);
877 }
878
879 // Standard DR events.
880 dr_register_exit_event(event_exit);
881
882 drmgr_priority_t priority = {
883 sizeof(priority), /* size of struct */
884 "msandr", /* name of our operation */
885 NULL, /* optional name of operation we should precede */
886 NULL, /* optional name of operation we should follow */
887 0
888 }; /* numeric priority */
889
890 drmgr_register_bb_app2app_event(event_basic_block_app2app, &priority);
891 drmgr_register_bb_instru2instru_event(event_basic_block, &priority);
892#ifndef MSANDR_NATIVE_EXEC
893 drmgr_register_module_load_event(event_module_load);
894 drmgr_register_module_unload_event(event_module_unload);
895#endif /* MSANDR_NATIVE_EXEC */
896 __msan_dr_is_initialized();
897 __msan_set_indirect_call_wrapper(dr_app_handle_mbr_target);
898 if (VERBOSITY > 0)
899 dr_printf("==MSANDR== Starting!\n");
900}
backport for Debian buster