1 //===-- sanitizer_procmaps_mac.cpp ----------------------------------------===//
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
9 // Information about the process mappings (Mac-specific parts).
10 //===----------------------------------------------------------------------===//
12 #include "sanitizer_platform.h"
14 #include "sanitizer_common.h"
15 #include "sanitizer_placement_new.h"
16 #include "sanitizer_procmaps.h"
18 #include <mach-o/dyld.h>
19 #include <mach-o/loader.h>
20 #include <mach/mach.h>
22 // These are not available in older macOS SDKs.
23 #ifndef CPU_SUBTYPE_X86_64_H
24 #define CPU_SUBTYPE_X86_64_H ((cpu_subtype_t)8) /* Haswell */
26 #ifndef CPU_SUBTYPE_ARM_V7S
27 #define CPU_SUBTYPE_ARM_V7S ((cpu_subtype_t)11) /* Swift */
29 #ifndef CPU_SUBTYPE_ARM_V7K
30 #define CPU_SUBTYPE_ARM_V7K ((cpu_subtype_t)12)
32 #ifndef CPU_TYPE_ARM64
33 #define CPU_TYPE_ARM64 (CPU_TYPE_ARM | CPU_ARCH_ABI64)
36 namespace __sanitizer
{
38 // Contains information used to iterate through sections.
39 struct MemoryMappedSegmentData
{
40 char name
[kMaxSegName
];
42 const char *current_load_cmd_addr
;
48 template <typename Section
>
49 static void NextSectionLoad(LoadedModule
*module
, MemoryMappedSegmentData
*data
,
51 const Section
*sc
= (const Section
*)data
->current_load_cmd_addr
;
52 data
->current_load_cmd_addr
+= sizeof(Section
);
54 uptr sec_start
= (sc
->addr
& data
->addr_mask
) + data
->base_virt_addr
;
55 uptr sec_end
= sec_start
+ sc
->size
;
56 module
->addAddressRange(sec_start
, sec_end
, /*executable=*/false, isWritable
,
60 void MemoryMappedSegment::AddAddressRanges(LoadedModule
*module
) {
61 // Don't iterate over sections when the caller hasn't set up the
62 // data pointer, when there are no sections, or when the segment
63 // is executable. Avoid iterating over executable sections because
64 // it will confuse libignore, and because the extra granularity
65 // of information is not needed by any sanitizers.
66 if (!data_
|| !data_
->nsects
|| IsExecutable()) {
67 module
->addAddressRange(start
, end
, IsExecutable(), IsWritable(),
68 data_
? data_
->name
: nullptr);
73 if (data_
->lc_type
== LC_SEGMENT
) {
74 NextSectionLoad
<struct section
>(module
, data_
, IsWritable());
76 } else if (data_
->lc_type
== LC_SEGMENT_64
) {
77 NextSectionLoad
<struct section_64
>(module
, data_
, IsWritable());
80 } while (--data_
->nsects
);
83 MemoryMappingLayout::MemoryMappingLayout(bool cache_enabled
) {
87 MemoryMappingLayout::~MemoryMappingLayout() {
90 bool MemoryMappingLayout::Error() const {
94 // More information about Mach-O headers can be found in mach-o/loader.h
95 // Each Mach-O image has a header (mach_header or mach_header_64) starting with
96 // a magic number, and a list of linker load commands directly following the
98 // A load command is at least two 32-bit words: the command type and the
99 // command size in bytes. We're interested only in segment load commands
100 // (LC_SEGMENT and LC_SEGMENT_64), which tell that a part of the file is mapped
101 // into the task's address space.
102 // The |vmaddr|, |vmsize| and |fileoff| fields of segment_command or
103 // segment_command_64 correspond to the memory address, memory size and the
104 // file offset of the current memory segment.
105 // Because these fields are taken from the images as is, one needs to add
106 // _dyld_get_image_vmaddr_slide() to get the actual addresses at runtime.
108 void MemoryMappingLayout::Reset() {
109 // Count down from the top.
110 // TODO(glider): as per man 3 dyld, iterating over the headers with
111 // _dyld_image_count is thread-unsafe. We need to register callbacks for
112 // adding and removing images which will invalidate the MemoryMappingLayout
114 data_
.current_image
= _dyld_image_count();
115 data_
.current_load_cmd_count
= -1;
116 data_
.current_load_cmd_addr
= 0;
117 data_
.current_magic
= 0;
118 data_
.current_filetype
= 0;
119 data_
.current_arch
= kModuleArchUnknown
;
120 internal_memset(data_
.current_uuid
, 0, kModuleUUIDSize
);
123 // The dyld load address should be unchanged throughout process execution,
124 // and it is expensive to compute once many libraries have been loaded,
125 // so cache it here and do not reset.
126 static mach_header
*dyld_hdr
= 0;
127 static const char kDyldPath
[] = "/usr/lib/dyld";
128 static const int kDyldImageIdx
= -1;
131 void MemoryMappingLayout::CacheMemoryMappings() {
132 // No-op on Mac for now.
135 void MemoryMappingLayout::LoadFromCache() {
136 // No-op on Mac for now.
139 static bool IsDyldHdr(const mach_header
*hdr
) {
140 return (hdr
->magic
== MH_MAGIC
|| hdr
->magic
== MH_MAGIC_64
) &&
141 hdr
->filetype
== MH_DYLINKER
;
144 // _dyld_get_image_header() and related APIs don't report dyld itself.
145 // We work around this by manually recursing through the memory map
146 // until we hit a Mach header matching dyld instead. These recurse
147 // calls are expensive, but the first memory map generation occurs
148 // early in the process, when dyld is one of the only images loaded,
149 // so it will be hit after only a few iterations. These assumptions don't
150 // hold on macOS 13+ anymore (dyld itself has moved into the shared cache).
152 // FIXME: Unfortunately, the upstream revised version to deal with macOS 13+
153 // is incompatible with GCC and also uses APIs not available on earlier
154 // systems which we support; backed out for now.
156 static mach_header
*GetDyldImageHeaderViaVMRegion() {
157 vm_address_t address
= 0;
162 struct vm_region_submap_info_64 info
;
163 mach_msg_type_number_t count
= VM_REGION_SUBMAP_INFO_COUNT_64
;
165 vm_region_recurse_64(mach_task_self(), &address
, &size
, &depth
,
166 (vm_region_info_t
)&info
, &count
);
167 if (err
!= KERN_SUCCESS
) return nullptr;
169 if (size
>= sizeof(mach_header
) && info
.protection
& kProtectionRead
) {
170 mach_header
*hdr
= (mach_header
*)address
;
171 if (IsDyldHdr(hdr
)) {
179 const mach_header
*get_dyld_hdr() {
181 // On macOS 13+, dyld itself has moved into the shared cache. Looking it up
182 // via vm_region_recurse_64() causes spins/hangs/crashes.
183 // FIXME: find a way to do this compatible with GCC.
184 if (GetMacosAlignedVersion() >= MacosVersion(13, 0)) {
186 "looking up the dyld image header in the shared cache on "
187 "macOS 13+ is not yet supported. Falling back to "
188 "lookup via vm_region_recurse_64().\n");
189 dyld_hdr
= GetDyldImageHeaderViaVMRegion();
191 dyld_hdr
= GetDyldImageHeaderViaVMRegion();
199 // Next and NextSegmentLoad were inspired by base/sysinfo.cc in
200 // Google Perftools, https://github.com/gperftools/gperftools.
202 // NextSegmentLoad scans the current image for the next segment load command
203 // and returns the start and end addresses and file offset of the corresponding
205 // Note that the segment addresses are not necessarily sorted.
206 template <u32 kLCSegment
, typename SegmentCommand
>
207 static bool NextSegmentLoad(MemoryMappedSegment
*segment
,
208 MemoryMappedSegmentData
*seg_data
,
209 MemoryMappingLayoutData
*layout_data
) {
210 const char *lc
= layout_data
->current_load_cmd_addr
;
212 layout_data
->current_load_cmd_addr
+= ((const load_command
*)lc
)->cmdsize
;
213 layout_data
->current_load_cmd_count
--;
214 if (((const load_command
*)lc
)->cmd
== kLCSegment
) {
215 const SegmentCommand
* sc
= (const SegmentCommand
*)lc
;
216 uptr base_virt_addr
, addr_mask
;
217 if (layout_data
->current_image
== kDyldImageIdx
) {
218 base_virt_addr
= (uptr
)get_dyld_hdr();
219 // vmaddr is masked with 0xfffff because on macOS versions < 10.12,
220 // it contains an absolute address rather than an offset for dyld.
221 // To make matters even more complicated, this absolute address
222 // isn't actually the absolute segment address, but the offset portion
223 // of the address is accurate when combined with the dyld base address,
224 // and the mask will give just this offset.
228 (uptr
)_dyld_get_image_vmaddr_slide(layout_data
->current_image
);
232 segment
->start
= (sc
->vmaddr
& addr_mask
) + base_virt_addr
;
233 segment
->end
= segment
->start
+ sc
->vmsize
;
234 // Most callers don't need section information, so only fill this struct
237 seg_data
->nsects
= sc
->nsects
;
238 seg_data
->current_load_cmd_addr
=
239 (const char *)lc
+ sizeof(SegmentCommand
);
240 seg_data
->lc_type
= kLCSegment
;
241 seg_data
->base_virt_addr
= base_virt_addr
;
242 seg_data
->addr_mask
= addr_mask
;
243 internal_strncpy(seg_data
->name
, sc
->segname
,
244 ARRAY_SIZE(seg_data
->name
));
247 // Return the initial protection.
248 segment
->protection
= sc
->initprot
;
249 segment
->offset
= (layout_data
->current_filetype
==
253 if (segment
->filename
) {
254 const char *src
= (layout_data
->current_image
== kDyldImageIdx
)
256 : _dyld_get_image_name(layout_data
->current_image
);
257 internal_strncpy(segment
->filename
, src
, segment
->filename_size
);
259 segment
->arch
= layout_data
->current_arch
;
260 internal_memcpy(segment
->uuid
, layout_data
->current_uuid
, kModuleUUIDSize
);
266 ModuleArch
ModuleArchFromCpuType(cpu_type_t cputype
, cpu_subtype_t cpusubtype
) {
267 cpusubtype
= cpusubtype
& ~CPU_SUBTYPE_MASK
;
270 return kModuleArchI386
;
271 case CPU_TYPE_X86_64
:
272 if (cpusubtype
== CPU_SUBTYPE_X86_64_ALL
) return kModuleArchX86_64
;
273 if (cpusubtype
== CPU_SUBTYPE_X86_64_H
) return kModuleArchX86_64H
;
274 CHECK(0 && "Invalid subtype of x86_64");
275 return kModuleArchUnknown
;
277 if (cpusubtype
== CPU_SUBTYPE_ARM_V6
) return kModuleArchARMV6
;
278 if (cpusubtype
== CPU_SUBTYPE_ARM_V7
) return kModuleArchARMV7
;
279 if (cpusubtype
== CPU_SUBTYPE_ARM_V7S
) return kModuleArchARMV7S
;
280 if (cpusubtype
== CPU_SUBTYPE_ARM_V7K
) return kModuleArchARMV7K
;
281 CHECK(0 && "Invalid subtype of ARM");
282 return kModuleArchUnknown
;
284 return kModuleArchARM64
;
286 CHECK(0 && "Invalid CPU type");
287 return kModuleArchUnknown
;
291 static const load_command
*NextCommand(const load_command
*lc
) {
292 return (const load_command
*)((const char *)lc
+ lc
->cmdsize
);
295 static void FindUUID(const load_command
*first_lc
, u8
*uuid_output
) {
296 for (const load_command
*lc
= first_lc
; lc
->cmd
!= 0; lc
= NextCommand(lc
)) {
297 if (lc
->cmd
!= LC_UUID
) continue;
299 const uuid_command
*uuid_lc
= (const uuid_command
*)lc
;
300 const uint8_t *uuid
= &uuid_lc
->uuid
[0];
301 internal_memcpy(uuid_output
, uuid
, kModuleUUIDSize
);
306 static bool IsModuleInstrumented(const load_command
*first_lc
) {
307 for (const load_command
*lc
= first_lc
; lc
->cmd
!= 0; lc
= NextCommand(lc
)) {
308 if (lc
->cmd
!= LC_LOAD_DYLIB
) continue;
310 const dylib_command
*dylib_lc
= (const dylib_command
*)lc
;
311 uint32_t dylib_name_offset
= dylib_lc
->dylib
.name
.offset
;
312 const char *dylib_name
= ((const char *)dylib_lc
) + dylib_name_offset
;
313 dylib_name
= StripModuleName(dylib_name
);
314 if (dylib_name
!= 0 && (internal_strstr(dylib_name
, "libclang_rt."))) {
321 const ImageHeader
*MemoryMappingLayout::CurrentImageHeader() {
322 const mach_header
*hdr
= (data_
.current_image
== kDyldImageIdx
)
324 : _dyld_get_image_header(data_
.current_image
);
325 return (const ImageHeader
*)hdr
;
328 bool MemoryMappingLayout::Next(MemoryMappedSegment
*segment
) {
329 for (; data_
.current_image
>= kDyldImageIdx
; data_
.current_image
--) {
330 const mach_header
*hdr
= (const mach_header
*)CurrentImageHeader();
332 if (data_
.current_load_cmd_count
< 0) {
333 // Set up for this image;
334 data_
.current_load_cmd_count
= hdr
->ncmds
;
335 data_
.current_magic
= hdr
->magic
;
336 data_
.current_filetype
= hdr
->filetype
;
337 data_
.current_arch
= ModuleArchFromCpuType(hdr
->cputype
, hdr
->cpusubtype
);
338 switch (data_
.current_magic
) {
341 data_
.current_load_cmd_addr
=
342 (const char *)hdr
+ sizeof(mach_header_64
);
347 data_
.current_load_cmd_addr
= (const char *)hdr
+ sizeof(mach_header
);
354 FindUUID((const load_command
*)data_
.current_load_cmd_addr
,
356 data_
.current_instrumented
= IsModuleInstrumented(
357 (const load_command
*)data_
.current_load_cmd_addr
);
360 while (data_
.current_load_cmd_count
> 0) {
361 switch (data_
.current_magic
) {
362 // data_.current_magic may be only one of MH_MAGIC, MH_MAGIC_64.
365 if (NextSegmentLoad
<LC_SEGMENT_64
, struct segment_command_64
>(
366 segment
, segment
->data_
, &data_
))
372 if (NextSegmentLoad
<LC_SEGMENT
, struct segment_command
>(
373 segment
, segment
->data_
, &data_
))
379 // If we get here, no more load_cmd's in this image talk about
380 // segments. Go on to the next image.
381 data_
.current_load_cmd_count
= -1; // This will trigger loading next image
386 void MemoryMappingLayout::DumpListOfModules(
387 InternalMmapVectorNoCtor
<LoadedModule
> *modules
) {
389 InternalMmapVector
<char> module_name(kMaxPathLength
);
390 MemoryMappedSegment
segment(module_name
.data(), module_name
.size());
391 MemoryMappedSegmentData data
;
392 segment
.data_
= &data
;
393 while (Next(&segment
)) {
394 if (segment
.filename
[0] == '\0') continue;
395 LoadedModule
*cur_module
= nullptr;
396 if (!modules
->empty() &&
397 0 == internal_strcmp(segment
.filename
, modules
->back().full_name())) {
398 cur_module
= &modules
->back();
400 modules
->push_back(LoadedModule());
401 cur_module
= &modules
->back();
402 cur_module
->set(segment
.filename
, segment
.start
, segment
.arch
,
403 segment
.uuid
, data_
.current_instrumented
);
405 segment
.AddAddressRanges(cur_module
);
409 } // namespace __sanitizer
411 #endif // SANITIZER_APPLE