| blob | 3f34e3dc19c53619329b373f47fc90d813bf283c |
1 /* -*- mode: C; c-basic-offset: 3; -*- */
3 /*--------------------------------------------------------------------*/
4 /*--- MemCheck: Maintain bitmaps of memory, tracking the ---*/
5 /*--- accessibility (A) and validity (V) status of each byte. ---*/
6 /*--- mc_main.c ---*/
7 /*--------------------------------------------------------------------*/
9 /*
10 This file is part of MemCheck, a heavyweight Valgrind tool for
11 detecting memory errors.
13 Copyright (C) 2000-2017 Julian Seward
14 jseward@acm.org
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License as
18 published by the Free Software Foundation; either version 2 of the
19 License, or (at your option) any later version.
21 This program is distributed in the hope that it will be useful, but
22 WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24 General Public License for more details.
26 You should have received a copy of the GNU General Public License
27 along with this program; if not, see <http://www.gnu.org/licenses/>.
29 The GNU General Public License is contained in the file COPYING.
30 */
55 /* Set to 1 to do a little more sanity checking */
56 #define VG_DEBUG_MEMORY 0
64 /*------------------------------------------------------------*/
65 /*--- Fast-case knobs ---*/
66 /*------------------------------------------------------------*/
68 // Comment these out to disable the fast cases (don't just set them to zero).
70 /* PERF_FAST_LOADV is in mc_include.h */
71 #define PERF_FAST_STOREV 1
73 #define PERF_FAST_SARP 1
75 #define PERF_FAST_STACK 1
76 #define PERF_FAST_STACK2 1
78 /* Change this to 1 to enable assertions on origin tracking cache fast
79 paths */
80 #define OC_ENABLE_ASSERTIONS 0
82 /* Change this to 1 for experimental, higher precision origin tracking
83 8- and 16-bit store handling. */
84 #define OC_PRECISION_STORE 1
87 /*------------------------------------------------------------*/
88 /*--- Comments on the origin tracking implementation ---*/
89 /*------------------------------------------------------------*/
91 /* See detailed comment entitled
92 AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
93 which is contained further on in this file. */
96 /*------------------------------------------------------------*/
97 /*--- V bits and A bits ---*/
98 /*------------------------------------------------------------*/
100 /* Conceptually, every byte value has 8 V bits, which track whether Memcheck
101 thinks the corresponding value bit is defined. And every memory byte
102 has an A bit, which tracks whether Memcheck thinks the program can access
103 it safely (ie. it's mapped, and has at least one of the RWX permission bits
104 set). So every N-bit register is shadowed with N V bits, and every memory
105 byte is shadowed with 8 V bits and one A bit.
107 In the implementation, we use two forms of compression (compressed V bits
108 and distinguished secondary maps) to avoid the 9-bit-per-byte overhead
109 for memory.
111 Memcheck also tracks extra information about each heap block that is
112 allocated, for detecting memory leaks and other purposes.
113 */
115 /*------------------------------------------------------------*/
116 /*--- Basic A/V bitmap representation. ---*/
117 /*------------------------------------------------------------*/
119 /* All reads and writes are checked against a memory map (a.k.a. shadow
120 memory), which records the state of all memory in the process.
122 On 32-bit machines the memory map is organised as follows.
123 The top 16 bits of an address are used to index into a top-level
124 map table, containing 65536 entries. Each entry is a pointer to a
125 second-level map, which records the accesibililty and validity
126 permissions for the 65536 bytes indexed by the lower 16 bits of the
127 address. Each byte is represented by two bits (details are below). So
128 each second-level map contains 16384 bytes. This two-level arrangement
129 conveniently divides the 4G address space into 64k lumps, each size 64k
130 bytes.
132 All entries in the primary (top-level) map must point to a valid
133 secondary (second-level) map. Since many of the 64kB chunks will
134 have the same status for every bit -- ie. noaccess (for unused
135 address space) or entirely addressable and defined (for code segments) --
136 there are three distinguished secondary maps, which indicate 'noaccess',
137 'undefined' and 'defined'. For these uniform 64kB chunks, the primary
138 map entry points to the relevant distinguished map. In practice,
139 typically more than half of the addressable memory is represented with
140 the 'undefined' or 'defined' distinguished secondary map, so it gives a
141 good saving. It also lets us set the V+A bits of large address regions
142 quickly in set_address_range_perms().
144 On 64-bit machines it's more complicated. If we followed the same basic
145 scheme we'd have a four-level table which would require too many memory
146 accesses. So instead the top-level map table has 2^20 entries (indexed
147 using bits 16..35 of the address); this covers the bottom 64GB. Any
148 accesses above 64GB are handled with a slow, sparse auxiliary table.
149 Valgrind's address space manager tries very hard to keep things below
150 this 64GB barrier so that performance doesn't suffer too much.
152 Note that this file has a lot of different functions for reading and
153 writing shadow memory. Only a couple are strictly necessary (eg.
154 get_vabits2 and set_vabits2), most are just specialised for specific
155 common cases to improve performance.
157 Aside: the V+A bits are less precise than they could be -- we have no way
158 of marking memory as read-only. It would be great if we could add an
159 extra state VA_BITSn_READONLY. But then we'd have 5 different states,
160 which requires 2.3 bits to hold, and there's no way to do that elegantly
161 -- we'd have to double up to 4 bits of metadata per byte, which doesn't
162 seem worth it.
163 */
165 /* --------------- Basic configuration --------------- */
167 /* Only change this. N_PRIMARY_MAP *must* be a power of 2. */
169 #if VG_WORDSIZE == 4
171 /* cover the entire address space */
172 # define N_PRIMARY_BITS 16
174 #else
176 /* Just handle the first 128G fast and the rest via auxiliary
177 primaries. If you change this, Memcheck will assert at startup.
178 See the definition of UNALIGNED_OR_HIGH for extensive comments. */
179 # define N_PRIMARY_BITS 21
181 #endif
184 /* Do not change this. */
185 #define N_PRIMARY_MAP ( ((UWord)1) << N_PRIMARY_BITS)
187 /* Do not change this. */
188 #define MAX_PRIMARY_ADDRESS (Addr)((((Addr)65536) * N_PRIMARY_MAP)-1)
191 /* --------------- Secondary maps --------------- */
193 // Each byte of memory conceptually has an A bit, which indicates its
194 // addressability, and 8 V bits, which indicates its definedness.
195 //
196 // But because very few bytes are partially defined, we can use a nice
197 // compression scheme to reduce the size of shadow memory. Each byte of
198 // memory has 2 bits which indicates its state (ie. V+A bits):
199 //
200 // 00: noaccess (unaddressable but treated as fully defined)
201 // 01: undefined (addressable and fully undefined)
202 // 10: defined (addressable and fully defined)
203 // 11: partdefined (addressable and partially defined)
204 //
205 // In the "partdefined" case, we use a secondary table to store the V bits.
206 // Each entry in the secondary-V-bits table maps a byte address to its 8 V
207 // bits.
208 //
209 // We store the compressed V+A bits in 8-bit chunks, ie. the V+A bits for
210 // four bytes (32 bits) of memory are in each chunk. Hence the name
211 // "vabits8". This lets us get the V+A bits for four bytes at a time
212 // easily (without having to do any shifting and/or masking), and that is a
213 // very common operation. (Note that although each vabits8 chunk
214 // is 8 bits in size, it represents 32 bits of memory.)
215 //
216 // The representation is "inverse" little-endian... each 4 bytes of
217 // memory is represented by a 1 byte value, where:
218 //
219 // - the status of byte (a+0) is held in bits [1..0]
220 // - the status of byte (a+1) is held in bits [3..2]
221 // - the status of byte (a+2) is held in bits [5..4]
222 // - the status of byte (a+3) is held in bits [7..6]
223 //
224 // It's "inverse" because endianness normally describes a mapping from
225 // value bits to memory addresses; in this case the mapping is inverted.
226 // Ie. instead of particular value bits being held in certain addresses, in
227 // this case certain addresses are represented by particular value bits.
228 // See insert_vabits2_into_vabits8() for an example.
229 //
230 // But note that we don't compress the V bits stored in registers; they
231 // need to be explicit to made the shadow operations possible. Therefore
232 // when moving values between registers and memory we need to convert
233 // between the expanded in-register format and the compressed in-memory
234 // format. This isn't so difficult, it just requires careful attention in a
235 // few places.
237 // These represent eight bits of memory.
243 // These represent 16 bits of memory.
248 // These represent 32 bits of memory.
253 // These represent 64 bits of memory.
258 // These represent 128 bits of memory.
263 #define SM_OFF(aaa) (((aaa) & 0xffff) >> 2)
264 #define SM_OFF_16(aaa) (((aaa) & 0xffff) >> 3)
266 // Paranoia: it's critical for performance that the requested inlining
267 // occurs. So try extra hard.
268 #define INLINE inline __attribute__((always_inline))
272 }
275 }
279 typedef
283 }
284 SecMap;
286 // 3 distinguished secondary maps, one for no-access, one for
287 // accessible but undefined, and one for accessible and defined.
288 // Distinguished secondaries may never be modified.
289 #define SM_DIST_NOACCESS 0
290 #define SM_DIST_UNDEFINED 1
291 #define SM_DIST_DEFINED 2
297 }
299 // Forward declaration
302 /* dist_sm points to one of our three distinguished secondaries. Make
303 a copy of it so that we can write to it.
304 */
306 {
320 }
322 /* --------------- Stats --------------- */
335 /* # searches initiated in auxmap_L1, and # base cmps required */
338 /* # of searches that missed in auxmap_L1 and therefore had to
339 be handed to auxmap_L2. And the number of nodes inserted. */
350 {
355 n_deissued_SMs ++; }
361 n_issued_SMs ++; }
367 }
369 /* --------------- Primary maps --------------- */
371 /* The main primary map. This covers some initial part of the address
372 space, addresses 0 .. (N_PRIMARY_MAP << 16)-1. The rest of it is
373 handled using the auxiliary primary map.
374 */
375 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
376 && (defined(VGP_arm_linux) \
377 || defined(VGP_x86_linux) || defined(VGP_x86_solaris) || defined(VGP_x86_freebsd))
378 /* mc_main_asm.c needs visibility on a few things declared in this file.
379 MC_MAIN_STATIC allows to define them static if ok, i.e. on
380 platforms that are not using hand-coded asm statements. */
381 #define MC_MAIN_STATIC
382 #else
383 #define MC_MAIN_STATIC static
384 #endif
388 /* An entry in the auxiliary primary map. base must be a 64k-aligned
389 value, and sm points at the relevant secondary map. As with the
390 main primary map, the secondary may be either a real secondary, or
391 one of the three distinguished secondaries. DO NOT CHANGE THIS
392 LAYOUT: the first word has to be the key for OSet fast lookups.
393 */
394 typedef
396 Addr base;
398 }
399 AuxMapEnt;
401 /* Tunable parameter: How big is the L1 queue? */
402 #define N_AUXMAP_L1 24
404 /* Tunable parameter: How far along the L1 queue to insert
405 entries resulting from L2 lookups? */
406 #define AUXMAP_L1_INSERT_IX 12
409 Addr base;
411 }
417 {
418 Int i;
422 }
429 }
431 /* Check representation invariants; if OK return NULL; else a
432 descriptive bit of text. Also return the number of
433 non-distinguished secondary maps referred to from the auxiliary
434 primary maps. */
437 {
439 /* On a 32-bit platform, the L2 and L1 tables should
440 both remain empty forever.
442 On a 64-bit platform:
443 In the L2 table:
444 all .base & 0xFFFF == 0
445 all .base > MAX_PRIMARY_ADDRESS
446 In the L1 table:
447 all .base & 0xFFFF == 0
448 all (.base > MAX_PRIMARY_ADDRESS
449 .base & 0xFFFF == 0
450 and .ent points to an AuxMapEnt with the same .base)
451 or
452 (.base == 0 and .ent == NULL)
453 */
456 /* 32-bit platform */
463 /* 64-bit platform */
466 AuxMapEnt key;
467 /* L2 table */
470 elems_seen++;
479 }
482 /* Check L1-L2 correspondence */
494 /* Look it up in auxmap_L2. */
502 }
503 /* Check L1 contains no duplicates */
512 }
513 }
514 }
516 }
519 {
520 Word i;
527 }
530 {
531 AuxMapEnt key;
533 Word i;
538 /* First search the front-cache, which is a self-organising
539 list containing the most popular entries. */
551 }
553 n_auxmap_L1_searches++;
558 }
559 }
572 i--;
573 }
575 }
577 n_auxmap_L2_searches++;
579 /* First see if we already have it. */
587 }
590 {
593 /* First see if we already have it. */
598 /* Ok, there's no entry in the secondary map, so we'll have
599 to allocate one. */
607 n_auxmap_L2_nodes++;
609 }
611 /* --------------- SecMap fundamentals --------------- */
613 // In all these, 'low' means it's definitely in the main primary map,
614 // 'high' means it's definitely in the auxiliary table.
617 {
620 }
623 {
625 # if VG_DEBUG_MEMORY >= 1
627 # endif
629 }
632 {
635 }
638 {
642 }
645 {
647 }
650 {
652 }
655 {
660 }
663 {
668 }
670 /* Produce the secmap for 'a', either from the primary map or by
671 ensuring there is an entry for it in the aux primary map. The
672 secmap may be a distinguished one as the caller will only want to
673 be able to read it.
674 */
676 {
680 }
682 /* Produce the secmap for 'a', either from the primary map or by
683 ensuring there is an entry for it in the aux primary map. The
684 secmap may not be a distinguished one, since the caller will want
685 to be able to write it. If it is a distinguished secondary, make a
686 writable copy of it, install it, and return the copy instead. (COW
687 semantics).
688 */
690 {
694 }
696 /* If 'a' has a SecMap, produce it. Else produce NULL. But don't
697 allocate one if one doesn't already exist. This is used by the
698 leak checker.
699 */
701 {
707 }
708 }
710 /* --------------- Fundamental functions --------------- */
712 static INLINE
714 {
718 }
720 static INLINE
722 {
723 UInt shift;
728 }
730 static INLINE
732 {
736 }
738 static INLINE
740 {
741 UInt shift;
746 }
748 // Note that these four are only used in slow cases. The fast cases do
749 // clever things like combine the auxmap check (in
750 // get_secmap_{read,writ}able) with alignment checks.
752 // *** WARNING! ***
753 // Any time this function is called, if it is possible that vabits2
754 // is equal to VA_BITS2_PARTDEFINED, then the corresponding entry in the
755 // sec-V-bits table must also be set!
756 static INLINE
758 {
762 }
764 static INLINE
766 {
771 }
773 // *** WARNING! ***
774 // Any time this function is called, if it is possible that any of the
775 // 4 2-bit fields in vabits8 are equal to VA_BITS2_PARTDEFINED, then the
776 // corresponding entry(s) in the sec-V-bits table must also be set!
777 static INLINE
779 {
784 }
786 static INLINE
788 {
792 }
795 // Forward declarations
799 // Returns False if there was an addressability error.
800 static INLINE
802 {
806 // Addressable. Convert in-register format to in-memory format.
807 // Also remove any existing sec V bit entry for the byte if no
808 // longer necessary.
816 // Unaddressable! Do nothing -- when writing to unaddressable
817 // memory it acts as a black hole, and the V bits can never be seen
818 // again. So we don't have to write them at all.
820 }
822 }
824 // Returns False if there was an addressability error. In that case, we put
825 // all defined bits into vbits8.
826 static INLINE
828 {
832 // Convert the in-memory format to in-register format.
841 }
843 }
846 /* --------------- Secondary V bit table ------------ */
848 // This table holds the full V bit pattern for partially-defined bytes
849 // (PDBs) that are represented by VA_BITS2_PARTDEFINED in the main shadow
850 // memory.
851 //
852 // Note: the nodes in this table can become stale. Eg. if you write a PDB,
853 // then overwrite the same address with a fully defined byte, the sec-V-bit
854 // node will not necessarily be removed. This is because checking for
855 // whether removal is necessary would slow down the fast paths.
856 //
857 // To avoid the stale nodes building up too much, we periodically (once the
858 // table reaches a certain size) garbage collect (GC) the table by
859 // traversing it and evicting any nodes not having PDB.
860 // If more than a certain proportion of nodes survived, we increase the
861 // table size so that GCs occur less often.
862 //
863 // This policy is designed to avoid bad table bloat in the worst case where
864 // a program creates huge numbers of stale PDBs -- we would get this bloat
865 // if we had no GC -- while handling well the case where a node becomes
866 // stale but shortly afterwards is rewritten with a PDB and so becomes
867 // non-stale again (which happens quite often, eg. in perf/bz2). If we just
868 // remove all stale nodes as soon as possible, we just end up re-adding a
869 // lot of them in later again. The "sufficiently stale" approach avoids
870 // this. (If a program has many live PDBs, performance will just suck,
871 // there's no way around that.)
872 //
873 // Further comments, JRS 14 Feb 2012. It turns out that the policy of
874 // holding on to stale entries for 2 GCs before discarding them can lead
875 // to massive space leaks. So we're changing to an arrangement where
876 // lines are evicted as soon as they are observed to be stale during a
877 // GC. This also has a side benefit of allowing the sufficiently_stale
878 // field to be removed from the SecVBitNode struct, reducing its size by
879 // 8 bytes, which is a substantial space saving considering that the
880 // struct was previously 32 or so bytes, on a 64 bit target.
881 //
882 // In order to try and mitigate the problem that the "sufficiently stale"
883 // heuristic was designed to avoid, the table size is allowed to drift
884 // up ("DRIFTUP") slowly to 80000, even if the residency is low. This
885 // means that nodes will exist in the table longer on average, and hopefully
886 // will be deleted and re-added less frequently.
887 //
888 // The previous scaling up mechanism (now called STEPUP) is retained:
889 // if residency exceeds 50%, the table is scaled up, although by a
890 // factor sqrt(2) rather than 2 as before. This effectively doubles the
891 // frequency of GCs when there are many PDBs at reduces the tendency of
892 // stale PDBs to reside for long periods in the table.
896 // Stats
900 // This must be a power of two; this is checked in mc_pre_clo_init().
901 // The size chosen here is a trade-off: if the nodes are bigger (ie. cover
902 // a larger address range) they take more space but we can get multiple
903 // partially-defined bytes in one if they are close to each other, reducing
904 // the number of total nodes. In practice sometimes they are clustered (eg.
905 // perf/bz2 repeatedly writes then reads more than 20,000 in a contiguous
906 // row), but often not. So we choose something intermediate.
907 #define BYTES_PER_SEC_VBIT_NODE 16
909 // We make the table bigger by a factor of STEPUP_GROWTH_FACTOR if
910 // more than this many nodes survive a GC.
911 #define STEPUP_SURVIVOR_PROPORTION 0.5
912 #define STEPUP_GROWTH_FACTOR 1.414213562
914 // If the above heuristic doesn't apply, then we may make the table
915 // slightly bigger, by a factor of DRIFTUP_GROWTH_FACTOR, if more than
916 // this many nodes survive a GC, _and_ the total table size does
917 // not exceed a fixed limit. The numbers are somewhat arbitrary, but
918 // work tolerably well on long Firefox runs. The scaleup ratio of 1.5%
919 // effectively although gradually reduces residency and increases time
920 // between GCs for programs with small numbers of PDBs. The 80000 limit
921 // effectively limits the table size to around 2MB for programs with
922 // small numbers of PDBs, whilst giving a reasonably long lifetime to
923 // entries, to try and reduce the costs resulting from deleting and
924 // re-adding of entries.
925 #define DRIFTUP_SURVIVOR_PROPORTION 0.15
926 #define DRIFTUP_GROWTH_FACTOR 1.015
927 #define DRIFTUP_MAX_SIZE 80000
929 // We GC the table when it gets this many nodes in it, ie. it's effectively
930 // the table size. It can change.
933 // The number of GCs done, used to age sec-V-bit nodes for eviction.
934 // Because it's unsigned, wrapping doesn't matter -- the right answer will
935 // come out anyway.
938 typedef
940 Addr a;
942 }
943 SecVBitNode;
946 {
956 }
959 {
964 GCs_done++;
966 // Create the new table.
969 // Traverse the table, moving fresh nodes into the new table.
972 // Keep node if any of its bytes are non-stale. Using
973 // get_vabits2() for the lookup is not very efficient, but I don't
974 // think it matters.
977 // Found a non-stale byte, so keep =>
978 // Insert a copy of the node into the new table.
984 }
985 }
986 }
988 // Get the before and after sizes.
992 // Destroy the old table, and put the new one in its place.
999 }
1001 // Increase table size if necessary.
1008 secVBitLimit);
1009 }
1010 else
1018 secVBitLimit);
1019 }
1020 }
1023 {
1027 UChar vbits8;
1029 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1030 // make it to the secondary V bits table.
1034 }
1037 {
1041 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1042 // make it to the secondary V bits table.
1046 sec_vbits_updates++;
1048 // Do a table GC if necessary. Nb: do this before creating and
1049 // inserting the new node, to avoid erroneously GC'ing the new node.
1052 }
1054 // New node: assign the specific byte, make the rest invalid (they
1055 // should never be read as-is, but be cautious).
1060 }
1063 // Insert the new node.
1065 sec_vbits_new_nodes++;
1070 }
1071 }
1073 /* --------------- Endianness helpers --------------- */
1075 /* Returns the offset in memory of the byteno-th most significant byte
1076 in a wordszB-sized word, given the specified endianness. */
1078 UWord byteno ) {
1080 }
1083 /* --------------- Ignored address ranges --------------- */
1085 /* Denotes the address-error-reportability status for address ranges:
1086 IAR_NotIgnored: the usual case -- report errors in this range
1087 IAR_CommandLine: don't report errors -- from command line setting
1088 IAR_ClientReq: don't report errors -- from client request
1089 */
1090 typedef
1092 IAR_NotIgnored,
1093 IAR_CommandLine,
1094 IAR_ClientReq }
1095 IARKind;
1098 {
1105 }
1106 }
1108 // RangeMap<IARKind>
1112 {
1117 }
1120 {
1133 }
1135 /*NOTREACHED*/
1136 }
1139 {
1148 /* Bizarre. We have a wraparound situation. What should we do? */
1151 /* This is the expected case. */
1154 else
1156 }
1157 /*NOTREACHED*/
1159 }
1161 /* Parse two Addrs (in hex) separated by a dash, or fail. */
1164 {
1175 }
1177 /* Parse two UInts (32 bit unsigned, in decimal) separated by a dash,
1178 or fail. */
1181 {
1192 }
1194 /* Parse a set of ranges separated by commas into 'ignoreRanges', or
1195 fail. If they are valid, add them to the global set of ignored
1196 ranges. */
1198 {
1216 }
1217 /*NOTREACHED*/
1219 }
1221 /* Add or remove [start, +len) from the set of ignored ranges. */
1223 {
1228 }
1241 }
1245 UInt i;
1254 }
1255 }
1257 }
1260 /* --------------- Load/store slow cases. --------------- */
1262 static
1266 {
1272 Addr ai;
1273 UChar vbits8;
1274 Bool ok;
1276 /* Code below assumes load size is a power of two and at least 64
1277 bits. */
1280 /* If this triggers, you probably just need to increase the size of
1281 the pessim array. */
1287 }
1289 /* Make up a result V word, which contains the loaded data for
1290 valid addresses and Defined for invalid addresses. Iterate over
1291 the bytes in the word, from the most significant down to the
1292 least. The vbits to return are calculated into vbits128. Also
1293 compute the pessimising value to be used when
1294 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1295 info can be gleaned from the pessim array) but is used as a
1296 cross-check. */
1310 }
1313 }
1315 /* In the common case, all the addresses involved are valid, so we
1316 just return the computed V bits and have done. */
1320 /* If there's no possibility of getting a partial-loads-ok
1321 exemption, report the error and quit. */
1325 }
1327 /* The partial-loads-ok excemption might apply. Find out if it
1328 does. If so, don't report an addressing error, but do return
1329 Undefined for the bytes that are out of range, so as to avoid
1330 false negatives. If it doesn't apply, just report an addressing
1331 error in the usual way. */
1333 /* Some code steps along byte strings in aligned chunks
1334 even when there is only a partially defined word at the end (eg,
1335 optimised strlen). This is allowed by the memory model of
1336 modern machines, since an aligned load cannot span two pages and
1337 thus cannot "partially fault".
1339 Therefore, a load from a partially-addressible place is allowed
1340 if all of the following hold:
1341 - the command-line flag is set [by default, it isn't]
1342 - it's an aligned load
1343 - at least one of the addresses in the word *is* valid
1345 Since this suppresses the addressing error, we avoid false
1346 negatives by marking bytes undefined when they come from an
1347 invalid address.
1348 */
1350 /* "at least one of the addresses is invalid" */
1356 # if defined(VGP_s390x_linux)
1358 /* OK if all loaded bytes are from the same page. */
1360 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1361 /* lxvd2x might generate an unaligned 128 bit vector load. */
1363 # else
1364 /* OK if the address is aligned by the load size. */
1366 # endif
1369 /* Exemption applies. Use the previously computed pessimising
1370 value and return the combined result, but don't flag an
1371 addressing error. The pessimising value is Defined for valid
1372 addresses and Undefined for invalid addresses. */
1373 /* for assumption that doing bitwise or implements UifU */
1375 /* (really need "UifU" here...)
1376 vbits[j] UifU= pessim[j] (is pessimised by it, iow) */
1380 }
1382 /* Exemption doesn't apply. Flag an addressing error in the normal
1383 way. */
1385 }
1387 MC_MAIN_STATIC
1393 MC_MAIN_STATIC
1397 this function may get called from hand written assembly. */
1399 {
1402 /* ------------ BEGIN semi-fast cases ------------ */
1403 /* These deal quickly-ish with the common auxiliary primary map
1404 cases on 64-bit platforms. Are merely a speedup hack; can be
1405 omitted without loss of correctness/functionality. Note that in
1406 both cases the "sizeof(void*) == 8" causes these cases to be
1407 folded out by compilers on 32-bit platforms. These are derived
1408 from LOADV64 and LOADV32.
1409 */
1411 # if defined(VGA_mips64) && defined(VGABI_N32)
1413 # else
1415 # endif
1416 {
1424 /* else fall into the slow case */
1425 }
1427 # if defined(VGA_mips64) && defined(VGABI_N32)
1429 # else
1431 # endif
1432 {
1440 /* else fall into slow case */
1441 }
1443 /* ------------ END semi-fast cases ------------ */
1450 Addr ai;
1451 UChar vbits8;
1452 Bool ok;
1456 /* Make up a 64-bit result V word, which contains the loaded data
1457 for valid addresses and Defined for invalid addresses. Iterate
1458 over the bytes in the word, from the most significant down to
1459 the least. The vbits to return are calculated into vbits64.
1460 Also compute the pessimising value to be used when
1461 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1462 info can be gleaned from pessim64) but is used as a
1463 cross-check. */
1473 }
1475 /* In the common case, all the addresses involved are valid, so we
1476 just return the computed V bits and have done. */
1480 /* If there's no possibility of getting a partial-loads-ok
1481 exemption, report the error and quit. */
1485 }
1487 /* The partial-loads-ok excemption might apply. Find out if it
1488 does. If so, don't report an addressing error, but do return
1489 Undefined for the bytes that are out of range, so as to avoid
1490 false negatives. If it doesn't apply, just report an addressing
1491 error in the usual way. */
1493 /* Some code steps along byte strings in aligned word-sized chunks
1494 even when there is only a partially defined word at the end (eg,
1495 optimised strlen). This is allowed by the memory model of
1496 modern machines, since an aligned load cannot span two pages and
1497 thus cannot "partially fault". Despite such behaviour being
1498 declared undefined by ANSI C/C++.
1500 Therefore, a load from a partially-addressible place is allowed
1501 if all of the following hold:
1502 - the command-line flag is set [by default, it isn't]
1503 - it's a word-sized, word-aligned load
1504 - at least one of the addresses in the word *is* valid
1506 Since this suppresses the addressing error, we avoid false
1507 negatives by marking bytes undefined when they come from an
1508 invalid address.
1509 */
1511 /* "at least one of the addresses is invalid" */
1514 # if defined(VGA_mips64) && defined(VGABI_N32)
1517 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1518 /* On power unaligned loads of words are OK. */
1520 # else
1523 # endif
1524 {
1525 /* Exemption applies. Use the previously computed pessimising
1526 value for vbits64 and return the combined result, but don't
1527 flag an addressing error. The pessimising value is Defined
1528 for valid addresses and Undefined for invalid addresses. */
1529 /* for assumption that doing bitwise or implements UifU */
1531 /* (really need "UifU" here...)
1532 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1535 }
1537 /* Also, in appears that gcc generates string-stepping code in
1538 32-bit chunks on 64 bit platforms. So, also grant an exception
1539 for this case. Note that the first clause of the conditional
1540 (VG_WORDSIZE == 8) is known at compile time, so the whole clause
1541 will get folded out in 32 bit builds. */
1542 # if defined(VGA_mips64) && defined(VGABI_N32)
1545 # else
1548 # endif
1549 {
1551 /* (really need "UifU" here...)
1552 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1554 /* Mark the upper 32 bits as undefined, just to be on the safe
1555 side. */
1558 }
1560 /* Exemption doesn't apply. Flag an addressing error in the normal
1561 way. */
1565 }
1568 static
1571 {
1574 UChar vbits8;
1575 Addr ai;
1576 Bool ok;
1580 /* ------------ BEGIN semi-fast cases ------------ */
1581 /* These deal quickly-ish with the common auxiliary primary map
1582 cases on 64-bit platforms. Are merely a speedup hack; can be
1583 omitted without loss of correctness/functionality. Note that in
1584 both cases the "sizeof(void*) == 8" causes these cases to be
1585 folded out by compilers on 32-bit platforms. The logic below
1586 is somewhat similar to some cases extensively commented in
1587 MC_(helperc_STOREV8).
1588 */
1589 # if defined(VGA_mips64) && defined(VGABI_N32)
1591 # else
1593 # endif
1594 {
1601 /* Handle common case quickly: a is suitably aligned, */
1602 /* is mapped, and is addressible. */
1603 // Convert full V-bits in register to compact 2-bit form.
1610 }
1611 /* else fall into the slow case */
1612 }
1613 /* else fall into the slow case */
1614 }
1616 # if defined(VGA_mips64) && defined(VGABI_N32)
1618 # else
1620 # endif
1621 {
1628 /* Handle common case quickly: a is suitably aligned, */
1629 /* is mapped, and is addressible. */
1630 // Convert full V-bits in register to compact 2-bit form.
1637 }
1638 /* else fall into the slow case */
1639 }
1640 /* else fall into the slow case */
1641 }
1642 /* ------------ END semi-fast cases ------------ */
1646 /* Dump vbytes in memory, iterating from least to most significant
1647 byte. At the same time establish addressibility of the location. */
1655 }
1657 /* If an address error has happened, report it. */
1660 }
1663 /*------------------------------------------------------------*/
1664 /*--- Setting permissions over address ranges. ---*/
1665 /*------------------------------------------------------------*/
1668 UWord dsm_num )
1669 {
1673 Addr aNext;
1680 /* Check the V+A bits make sense. */
1685 // This code should never write PDBs; ensure this. (See comment above
1686 // set_vabits2().)
1701 }
1702 }
1704 #ifndef PERF_FAST_SARP
1705 /*------------------ debug-only case ------------------ */
1706 {
1707 // Endianness doesn't matter here because all bytes are being set to
1708 // the same value.
1709 // Nb: We don't have to worry about updating the sec-V-bits table
1710 // after these set_vabits2() calls because this code never writes
1711 // VA_BITS2_PARTDEFINED values.
1712 SizeT i;
1715 }
1717 }
1718 #endif
1720 /*------------------ standard handling ------------------ */
1722 /* Get the distinguished secondary that we might want
1723 to use (part of the space-compression scheme). */
1726 // We have to handle ranges covering various combinations of partial and
1727 // whole sec-maps. Here is how parts 1, 2 and 3 are used in each case.
1728 // Cases marked with a '*' are common.
1729 //
1730 // TYPE PARTS USED
1731 // ---- ----------
1732 // * one partial sec-map (p) 1
1733 // - one whole sec-map (P) 2
1734 //
1735 // * two partial sec-maps (pp) 1,3
1736 // - one partial, one whole sec-map (pP) 1,2
1737 // - one whole, one partial sec-map (Pp) 2,3
1738 // - two whole sec-maps (PP) 2,2
1739 //
1740 // * one partial, one whole, one partial (pPp) 1,2,3
1741 // - one partial, two whole (pPP) 1,2,2
1742 // - two whole, one partial (PPp) 2,2,3
1743 // - three whole (PPP) 2,2,2
1744 //
1745 // * one partial, N-2 whole, one partial (pP...Pp) 1,2...2,3
1746 // - one partial, N-1 whole (pP...PP) 1,2...2,2
1747 // - N-1 whole, one partial (PP...Pp) 2,2...2,3
1748 // - N whole (PP...PP) 2,2...2,3
1750 // Break up total length (lenT) into two parts: length in the first
1751 // sec-map (lenA), and the rest (lenB); lenT == lenA + lenB.
1755 // Range entirely within one sec-map. Covers almost all cases.
1760 // Range spans at least one whole sec-map, and starts at the beginning
1761 // of a sec-map; skip to Part 2.
1767 // Range spans two or more sec-maps, first one is partial.
1771 }
1773 //------------------------------------------------------------------------
1774 // Part 1: Deal with the first sec_map. Most of the time the range will be
1775 // entirely within a sec_map and this part alone will suffice. Also,
1776 // doing it this way lets us avoid repeatedly testing for the crossing of
1777 // a sec-map boundary within these loops.
1778 //------------------------------------------------------------------------
1780 // If it's distinguished, make it undistinguished if necessary.
1784 // Sec-map already has the V+A bits that we want, so skip.
1791 }
1792 }
1795 // 1 byte steps
1804 }
1805 // 8-aligned, 8 byte steps
1813 }
1814 // 1 byte steps
1822 }
1824 // We've finished the first sec-map. Is that it?
1828 //------------------------------------------------------------------------
1829 // Part 2: Fast-set entire sec-maps at a time.
1830 //------------------------------------------------------------------------
1831 part2:
1832 // 64KB-aligned, 64KB steps.
1833 // Nb: we can reach here with lenB < SM_SIZE
1842 // Free the non-distinguished sec-map that we're replacing. This
1843 // case happens moderately often, enough to be worthwhile.
1846 }
1848 // Make the sec-map entry point to the example DSM
1852 }
1854 // We've finished the whole sec-maps. Is that it?
1858 //------------------------------------------------------------------------
1859 // Part 3: Finish off the final partial sec-map, if necessary.
1860 //------------------------------------------------------------------------
1864 // If it's distinguished, make it undistinguished if necessary.
1868 // Sec-map already has the V+A bits that we want, so stop.
1874 }
1875 }
1878 // 8-aligned, 8 byte steps
1886 }
1887 // 1 byte steps
1895 }
1896 }
1899 /* --- Set permissions for arbitrary address ranges --- */
1902 {
1908 }
1911 {
1915 }
1918 {
1924 }
1926 static
1929 {
1930 UInt ecu;
1932 /* VG_(record_ExeContext) checks for validity of tid, and asserts
1933 if it is invalid. So no need to do it here. */
1940 }
1942 static
1944 {
1946 }
1948 static
1950 {
1952 }
1955 {
1961 }
1965 {
1967 }
1969 /* For each byte in [a,a+len), if the byte is addressable, make it be
1970 defined, but if it isn't addressible, leave it alone. In other
1971 words a version of MC_(make_mem_defined) that doesn't mess with
1972 addressibility. Low-performance implementation. */
1974 {
1975 SizeT i;
1976 UChar vabits2;
1984 }
1985 }
1986 }
1987 }
1989 /* Similarly (needed for mprotect handling ..) */
1991 {
1992 SizeT i;
1993 UChar vabits2;
2001 }
2002 }
2003 }
2004 }
2006 /* --- Block-copy permissions (needed for implementing realloc() and
2007 sys_mremap). --- */
2010 {
2026 /* Vectorised fast case, when no overlap and suitably aligned */
2027 /* vector loop */
2035 /* do nothing */
2037 /* have to copy secondary map info */
2046 }
2049 }
2050 /* fixup loop */
2056 }
2057 i++;
2058 len--;
2059 }
2063 /* We have to do things the slow way */
2071 }
2072 }
2073 }
2082 }
2083 }
2084 }
2085 }
2087 }
2090 /*------------------------------------------------------------*/
2091 /*--- Origin tracking stuff - cache basics ---*/
2092 /*------------------------------------------------------------*/
2094 /* AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
2095 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2097 Note that this implementation draws inspiration from the "origin
2098 tracking by value piggybacking" scheme described in "Tracking Bad
2099 Apples: Reporting the Origin of Null and Undefined Value Errors"
2100 (Michael Bond, Nicholas Nethercote, Stephen Kent, Samuel Guyer,
2101 Kathryn McKinley, OOPSLA07, Montreal, Oct 2007) but in fact it is
2102 implemented completely differently.
2104 Origin tags and ECUs -- about the shadow values
2105 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2107 This implementation tracks the defining point of all uninitialised
2108 values using so called "origin tags", which are 32-bit integers,
2109 rather than using the values themselves to encode the origins. The
2110 latter, so-called value piggybacking", is what the OOPSLA07 paper
2111 describes.
2113 Origin tags, as tracked by the machinery below, are 32-bit unsigned
2114 ints (UInts), regardless of the machine's word size. Each tag
2115 comprises an upper 30-bit ECU field and a lower 2-bit
2116 'kind' field. The ECU field is a number given out by m_execontext
2117 and has a 1-1 mapping with ExeContext*s. An ECU can be used
2118 directly as an origin tag (otag), but in fact we want to put
2119 additional information 'kind' field to indicate roughly where the
2120 tag came from. This helps print more understandable error messages
2121 for the user -- it has no other purpose. In summary:
2123 * Both ECUs and origin tags are represented as 32-bit words
2125 * m_execontext and the core-tool interface deal purely in ECUs.
2126 They have no knowledge of origin tags - that is a purely
2127 Memcheck-internal matter.
2129 * all valid ECUs have the lowest 2 bits zero and at least
2130 one of the upper 30 bits nonzero (see VG_(is_plausible_ECU))
2132 * to convert from an ECU to an otag, OR in one of the MC_OKIND_
2133 constants defined in mc_include.h.
2135 * to convert an otag back to an ECU, AND it with ~3
2137 One important fact is that no valid otag is zero. A zero otag is
2138 used by the implementation to indicate "no origin", which could
2139 mean that either the value is defined, or it is undefined but the
2140 implementation somehow managed to lose the origin.
2142 The ECU used for memory created by malloc etc is derived from the
2143 stack trace at the time the malloc etc happens. This means the
2144 mechanism can show the exact allocation point for heap-created
2145 uninitialised values.
2147 In contrast, it is simply too expensive to create a complete
2148 backtrace for each stack allocation. Therefore we merely use a
2149 depth-1 backtrace for stack allocations, which can be done once at
2150 translation time, rather than N times at run time. The result of
2151 this is that, for stack created uninitialised values, Memcheck can
2152 only show the allocating function, and not what called it.
2153 Furthermore, compilers tend to move the stack pointer just once at
2154 the start of the function, to allocate all locals, and so in fact
2155 the stack origin almost always simply points to the opening brace
2156 of the function. Net result is, for stack origins, the mechanism
2157 can tell you in which function the undefined value was created, but
2158 that's all. Users will need to carefully check all locals in the
2159 specified function.
2161 Shadowing registers and memory
2162 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2164 Memory is shadowed using a two level cache structure (ocacheL1 and
2165 ocacheL2). Memory references are first directed to ocacheL1. This
2166 is a traditional 2-way set associative cache with 32-byte lines and
2167 approximate LRU replacement within each set.
2169 A naive implementation would require storing one 32 bit otag for
2170 each byte of memory covered, a 4:1 space overhead. Instead, there
2171 is one otag for every 4 bytes of memory covered, plus a 4-bit mask
2172 that shows which of the 4 bytes have that shadow value and which
2173 have a shadow value of zero (indicating no origin). Hence a lot of
2174 space is saved, but the cost is that only one different origin per
2175 4 bytes of address space can be represented. This is a source of
2176 imprecision, but how much of a problem it really is remains to be
2177 seen.
2179 A cache line that contains all zeroes ("no origins") contains no
2180 useful information, and can be ejected from the L1 cache "for
2181 free", in the sense that a read miss on the L1 causes a line of
2182 zeroes to be installed. However, ejecting a line containing
2183 nonzeroes risks losing origin information permanently. In order to
2184 prevent such lossage, ejected nonzero lines are placed in a
2185 secondary cache (ocacheL2), which is an OSet (AVL tree) of cache
2186 lines. This can grow arbitrarily large, and so should ensure that
2187 Memcheck runs out of memory in preference to losing useful origin
2188 info due to cache size limitations.
2190 Shadowing registers is a bit tricky, because the shadow values are
2191 32 bits, regardless of the size of the register. That gives a
2192 problem for registers smaller than 32 bits. The solution is to
2193 find spaces in the guest state that are unused, and use those to
2194 shadow guest state fragments smaller than 32 bits. For example, on
2195 ppc32/64, each vector register is 16 bytes long. If 4 bytes of the
2196 shadow are allocated for the register's otag, then there are still
2197 12 bytes left over which could be used to shadow 3 other values.
2199 This implies there is some non-obvious mapping from guest state
2200 (start,length) pairs to the relevant shadow offset (for the origin
2201 tags). And it is unfortunately guest-architecture specific. The
2202 mapping is contained in mc_machine.c, which is quite lengthy but
2203 straightforward.
2205 Instrumenting the IR
2206 ~~~~~~~~~~~~~~~~~~~~
2208 Instrumentation is largely straightforward, and done by the
2209 functions schemeE and schemeS in mc_translate.c. These generate
2210 code for handling the origin tags of expressions (E) and statements
2211 (S) respectively. The rather strange names are a reference to the
2212 "compilation schemes" shown in Simon Peyton Jones' book "The
2213 Implementation of Functional Programming Languages" (Prentice Hall,
2214 1987, see
2215 http://research.microsoft.com/~simonpj/papers/slpj-book-1987/index.htm).
2217 schemeS merely arranges to move shadow values around the guest
2218 state to track the incoming IR. schemeE is largely trivial too.
2219 The only significant point is how to compute the otag corresponding
2220 to binary (or ternary, quaternary, etc) operator applications. The
2221 rule is simple: just take whichever value is larger (32-bit
2222 unsigned max). Constants get the special value zero. Hence this
2223 rule always propagates a nonzero (known) otag in preference to a
2224 zero (unknown, or more likely, value-is-defined) tag, as we want.
2225 If two different undefined values are inputs to a binary operator
2226 application, then which is propagated is arbitrary, but that
2227 doesn't matter, since the program is erroneous in using either of
2228 the values, and so there's no point in attempting to propagate
2229 both.
2231 Since constants are abstracted to (otag) zero, much of the
2232 instrumentation code can be folded out without difficulty by the
2233 generic post-instrumentation IR cleanup pass, using these rules:
2234 Max32U(0,x) -> x, Max32U(x,0) -> x, Max32(x,y) where x and y are
2235 constants is evaluated at JIT time. And the resulting dead code
2236 removal. In practice this causes surprisingly few Max32Us to
2237 survive through to backend code generation.
2239 Integration with the V-bits machinery
2240 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2242 This is again largely straightforward. Mostly the otag and V bits
2243 stuff are independent. The only point of interaction is when the V
2244 bits instrumenter creates a call to a helper function to report an
2245 uninitialised value error -- in that case it must first use schemeE
2246 to get hold of the origin tag expression for the value, and pass
2247 that to the helper too.
2249 There is the usual stuff to do with setting address range
2250 permissions. When memory is painted undefined, we must also know
2251 the origin tag to paint with, which involves some tedious plumbing,
2252 particularly to do with the fast case stack handlers. When memory
2253 is painted defined or noaccess then the origin tags must be forced
2254 to zero.
2256 One of the goals of the implementation was to ensure that the
2257 non-origin tracking mode isn't slowed down at all. To do this,
2258 various functions to do with memory permissions setting (again,
2259 mostly pertaining to the stack) are duplicated for the with- and
2260 without-otag case.
2262 Dealing with stack redzones, and the NIA cache
2263 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2265 This is one of the few non-obvious parts of the implementation.
2267 Some ABIs (amd64-ELF, ppc64-ELF, ppc32/64-XCOFF) define a small
2268 reserved area below the stack pointer, that can be used as scratch
2269 space by compiler generated code for functions. In the Memcheck
2270 sources this is referred to as the "stack redzone". The important
2271 thing here is that such redzones are considered volatile across
2272 function calls and returns. So Memcheck takes care to mark them as
2273 undefined for each call and return, on the afflicted platforms.
2274 Past experience shows this is essential in order to get reliable
2275 messages about uninitialised values that come from the stack.
2277 So the question is, when we paint a redzone undefined, what origin
2278 tag should we use for it? Consider a function f() calling g(). If
2279 we paint the redzone using an otag derived from the ExeContext of
2280 the CALL/BL instruction in f, then any errors in g causing it to
2281 use uninitialised values that happen to lie in the redzone, will be
2282 reported as having their origin in f. Which is highly confusing.
2284 The same applies for returns: if, on a return, we paint the redzone
2285 using a origin tag derived from the ExeContext of the RET/BLR
2286 instruction in g, then any later errors in f causing it to use
2287 uninitialised values in the redzone, will be reported as having
2288 their origin in g. Which is just as confusing.
2290 To do it right, in both cases we need to use an origin tag which
2291 pertains to the instruction which dynamically follows the CALL/BL
2292 or RET/BLR. In short, one derived from the NIA - the "next
2293 instruction address".
2295 To make this work, Memcheck's redzone-painting helper,
2296 MC_(helperc_MAKE_STACK_UNINIT), now takes a third argument, the
2297 NIA. It converts the NIA to a 1-element ExeContext, and uses that
2298 ExeContext's ECU as the basis for the otag used to paint the
2299 redzone. The expensive part of this is converting an NIA into an
2300 ECU, since this happens once for every call and every return. So
2301 we use a simple 511-line, 2-way set associative cache
2302 (nia_to_ecu_cache) to cache the mappings, and that knocks most of
2303 the cost out.
2305 Further background comments
2306 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2308 > Question: why is otag a UInt? Wouldn't a UWord be better? Isn't
2309 > it really just the address of the relevant ExeContext?
2311 Well, it's not the address, but a value which has a 1-1 mapping
2312 with ExeContexts, and is guaranteed not to be zero, since zero
2313 denotes (to memcheck) "unknown origin or defined value". So these
2314 UInts are just numbers starting at 4 and incrementing by 4; each
2315 ExeContext is given a number when it is created. (*** NOTE this
2316 confuses otags and ECUs; see comments above ***).
2318 Making these otags 32-bit regardless of the machine's word size
2319 makes the 64-bit implementation easier (next para). And it doesn't
2320 really limit us in any way, since for the tags to overflow would
2321 require that the program somehow caused 2^30-1 different
2322 ExeContexts to be created, in which case it is probably in deep
2323 trouble. Not to mention V will have soaked up many tens of
2324 gigabytes of memory merely to store them all.
2326 So having 64-bit origins doesn't really buy you anything, and has
2327 the following downsides:
2329 Suppose that instead, an otag is a UWord. This would mean that, on
2330 a 64-bit target,
2332 1. It becomes hard to shadow any element of guest state which is
2333 smaller than 8 bytes. To do so means you'd need to find some
2334 8-byte-sized hole in the guest state which you don't want to
2335 shadow, and use that instead to hold the otag. On ppc64, the
2336 condition code register(s) are split into 20 UChar sized pieces,
2337 all of which need to be tracked (guest_XER_SO .. guest_CR7_0)
2338 and so that would entail finding 160 bytes somewhere else in the
2339 guest state.
2341 Even on x86, I want to track origins for %AH .. %DH (bits 15:8
2342 of %EAX .. %EDX) that are separate from %AL .. %DL (bits 7:0 of
2343 same) and so I had to look for 4 untracked otag-sized areas in
2344 the guest state to make that possible.
2346 The same problem exists of course when origin tags are only 32
2347 bits, but it's less extreme.
2349 2. (More compelling) it doubles the size of the origin shadow
2350 memory. Given that the shadow memory is organised as a fixed
2351 size cache, and that accuracy of tracking is limited by origins
2352 falling out the cache due to space conflicts, this isn't good.
2354 > Another question: is the origin tracking perfect, or are there
2355 > cases where it fails to determine an origin?
2357 It is imperfect for at least for the following reasons, and
2358 probably more:
2360 * Insufficient capacity in the origin cache. When a line is
2361 evicted from the cache it is gone forever, and so subsequent
2362 queries for the line produce zero, indicating no origin
2363 information. Interestingly, a line containing all zeroes can be
2364 evicted "free" from the cache, since it contains no useful
2365 information, so there is scope perhaps for some cleverer cache
2366 management schemes. (*** NOTE, with the introduction of the
2367 second level origin tag cache, ocacheL2, this is no longer a
2368 problem. ***)
2370 * The origin cache only stores one otag per 32-bits of address
2371 space, plus 4 bits indicating which of the 4 bytes has that tag
2372 and which are considered defined. The result is that if two
2373 undefined bytes in the same word are stored in memory, the first
2374 stored byte's origin will be lost and replaced by the origin for
2375 the second byte.
2377 * Nonzero origin tags for defined values. Consider a binary
2378 operator application op(x,y). Suppose y is undefined (and so has
2379 a valid nonzero origin tag), and x is defined, but erroneously
2380 has a nonzero origin tag (defined values should have tag zero).
2381 If the erroneous tag has a numeric value greater than y's tag,
2382 then the rule for propagating origin tags though binary
2383 operations, which is simply to take the unsigned max of the two
2384 tags, will erroneously propagate x's tag rather than y's.
2386 * Some obscure uses of x86/amd64 byte registers can cause lossage
2387 or confusion of origins. %AH .. %DH are treated as different
2388 from, and unrelated to, their parent registers, %EAX .. %EDX.
2389 So some weird sequences like
2391 movb undefined-value, %AH
2392 movb defined-value, %AL
2393 .. use %AX or %EAX ..
2395 will cause the origin attributed to %AH to be ignored, since %AL,
2396 %AX, %EAX are treated as the same register, and %AH as a
2397 completely separate one.
2399 But having said all that, it actually seems to work fairly well in
2400 practice.
2401 */
2416 /* Cache of 32-bit values, one every 32 bits of address space */
2418 #define OC_BITS_PER_LINE 5
2419 #define OC_W32S_PER_LINE (1 << (OC_BITS_PER_LINE - 2))
2423 }
2426 }
2428 #define OC_LINES_PER_SET 2
2430 #define OC_N_SET_BITS 20
2431 #define OC_N_SETS (1 << OC_N_SET_BITS)
2433 /* These settings give:
2434 64 bit host: ocache: 100,663,296 sizeB 67,108,864 useful
2435 32 bit host: ocache: 92,274,688 sizeB 67,108,864 useful
2436 */
2438 #define OC_MOVE_FORWARDS_EVERY_BITS 7
2441 /* Originally (pre Dec 2021) it was the case that this code had a
2442 parameterizable cache line size, set by changing OC_BITS_PER_LINE.
2443 However, as a result of the speedup fixes necessitated by bug 446103, that
2444 is no longer really the case, and much of the L1 and L2 cache code has been
2445 tuned specifically for the case OC_BITS_PER_LINE == 5 (that is, the line
2446 size is 32 bytes). Changing that would require a bunch of re-tuning
2447 effort. So let's set it in stone for now. */
2451 /* Fundamentally we want an OCacheLine structure (see below) as follows:
2452 struct {
2453 Addr tag;
2454 UInt w32 [OC_W32S_PER_LINE];
2455 UChar descr[OC_W32S_PER_LINE];
2456 }
2457 However, in various places, we want to set the w32[] and descr[] arrays to
2458 zero, or check if they are zero. This can be a very hot path (per bug
2459 446103). So, instead, we have a union which is either those two arrays
2460 (OCacheLine_Main) or simply an array of ULongs (OCacheLine_W64s). For the
2461 set-zero/test-zero operations, the OCacheLine_W64s are used.
2462 */
2464 // To ensure that OCacheLine.descr[] will fit in an integral number of ULongs.
2472 typedef
2475 typedef
2479 }
2480 OCacheLine_Main;
2484 typedef
2486 Addr tag;
2488 OCacheLine_W64s w64s;
2489 OCacheLine_Main main;
2491 }
2492 OCacheLine;
2494 /* Classify and also sanity-check 'line'. Return 'e' (empty) if not
2495 in use, 'n' (nonzero) if it contains at least one valid origin tag,
2496 and 'z' if all the represented tags are zero. */
2498 {
2499 UWord i;
2504 // BEGIN fast special-case of the test loop below. This will detect
2505 // zero-ness (case 'z') for a subset of cases that the loop below will,
2506 // hence is safe.
2512 }
2515 }
2516 // END fast special-case of the test loop below.
2522 }
2524 }
2526 typedef
2529 }
2530 OCacheSet;
2532 typedef
2535 }
2536 OCache;
2543 {
2551 }
2557 }
2558 }
2560 }
2563 {
2564 OCacheLine tmp;
2565 stats_ocacheL1_movefwds++;
2570 }
2573 UWord i;
2575 // BEGIN fast special-case of the loop below
2582 // END fast special-case of the loop below
2588 }
2589 }
2591 }
2593 //////////////////////////////////////////////////////////////
2594 //// OCache backing store
2596 // The backing store for ocacheL1 is, conceptually, an AVL tree of lines that
2597 // got ejected from the L1 (a "victim cache"), and which actually contain
2598 // useful info -- that is, for which classify_OCacheLine would return 'n' and
2599 // no other value. However, the tree can grow large, and searching/updating
2600 // it can be hot paths. Hence we "take out" 12 significant bits of the key by
2601 // having 4096 trees, and select one using HASH_OCACHE_TAG.
2602 //
2603 // What that hash function returns isn't important so long as it is a pure
2604 // function of the tag values, and is < 4096. However, it is critical for
2605 // performance of long SARPs. Hence the extra shift of 11 bits. This means
2606 // each tree conceptually is assigned to contiguous sequences of 2048 lines in
2607 // the "line address space", giving some locality of reference when scanning
2608 // linearly through address space, as is done by a SARP. Changing that 11 to
2609 // 0 gives terrible performance on long SARPs, presumably because each new
2610 // line is in a different tree, hence we wind up thrashing the (CPU's) caches.
2611 //
2612 // On 32-bit targets, we have to be a bit careful not to shift out so many
2613 // bits that not all 2^12 trees get used. That leads to the constraint
2614 // (OC_BITS_PER_LINE + 11 + 12) < 32. Note that the 11 is the only thing we
2615 // can change here. In this case we have OC_BITS_PER_LINE == 5, hence the
2616 // inequality is (28 < 32) and so we're good.
2617 //
2618 // The value 11 was determined empirically from various Firefox runs. 10 or
2619 // 12 also work pretty well.
2626 }
2630 }
2633 }
2635 /* Stats: # nodes currently in tree */
2639 {
2648 }
2650 }
2652 /* Find line with the given tag in the tree, or NULL if not found. */
2654 {
2657 stats__ocacheL2_finds++;
2661 }
2663 /* Delete the line with the given tag from the tree, if it is present, and
2664 free up the associated memory. */
2666 {
2669 stats__ocacheL2_dels++;
2675 stats__ocacheL2_n_nodes--;
2676 }
2677 }
2679 /* Add a copy of the given line to the tree. It must not already be
2680 present. */
2682 {
2688 stats__ocacheL2_adds++;
2690 stats__ocacheL2_n_nodes++;
2693 }
2695 ////
2696 //////////////////////////////////////////////////////////////
2700 {
2702 UChar c;
2703 UWord line;
2709 /* we already tried line == 0; skip therefore. */
2713 stats_ocacheL1_found_at_1++;
2715 stats_ocacheL1_found_at_N++;
2716 }
2720 line--;
2721 }
2723 }
2724 }
2726 /* A miss. Use the last slot. Implicitly this means we're
2727 ejecting the line in the last slot. */
2728 stats_ocacheL1_misses++;
2730 line--;
2733 /* First, move the to-be-ejected line to the L2 cache. */
2738 /* the line is empty (has invalid tag); ignore it. */
2741 /* line contains zeroes. We must ensure the backing store is
2742 updated accordingly, either by copying the line there
2743 verbatim, or by ensuring it isn't present there. We
2744 choose the latter on the basis that it reduces the size of
2745 the backing store. */
2749 /* line contains at least one real, useful origin. Copy it
2750 to the backing store. */
2751 stats_ocacheL1_lossage++;
2757 }
2761 }
2763 /* Now we must reload the L1 cache from the backing tree, if
2764 possible. */
2768 /* We're in luck. It's in the L2. */
2771 /* Missed at both levels of the cache hierarchy. We have to
2772 declare it as full of zeroes (unknown origins). */
2773 stats__ocacheL2_misses++;
2775 }
2777 /* Move it one forwards */
2779 line--;
2782 }
2785 {
2790 stats_ocacheL1_find++;
2795 }
2799 }
2802 }
2805 {
2806 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2807 //// Set the origins for a+0 .. a+7
2813 }
2819 }
2820 //// END inlined, specialised version of MC_(helperc_b_store8)
2821 }
2824 /*------------------------------------------------------------*/
2825 /*--- Aligned fast case permission setters, ---*/
2826 /*--- for dealing with stacks ---*/
2827 /*------------------------------------------------------------*/
2829 /*--------------------- 32-bit ---------------------*/
2831 /* Nb: by "aligned" here we mean 4-byte aligned */
2834 {
2837 #ifndef PERF_FAST_STACK2
2839 #else
2840 {
2841 UWord sm_off;
2848 }
2853 }
2854 #endif
2855 }
2857 static INLINE
2859 {
2861 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2862 //// Set the origins for a+0 .. a+3
2867 }
2871 }
2872 //// END inlined, specialised version of MC_(helperc_b_store4)
2873 }
2875 static INLINE
2877 {
2880 #ifndef PERF_FAST_STACK2
2882 #else
2883 {
2884 UWord sm_off;
2891 }
2897 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2898 //// Set the origins for a+0 .. a+3.
2904 }
2907 }
2908 //// END inlined, specialised version of MC_(helperc_b_store4)
2909 }
2910 #endif
2911 }
2913 /*--------------------- 64-bit ---------------------*/
2915 /* Nb: by "aligned" here we mean 8-byte aligned */
2918 {
2921 #ifndef PERF_FAST_STACK2
2923 #else
2924 {
2925 UWord sm_off16;
2932 }
2937 }
2938 #endif
2939 }
2941 static INLINE
2943 {
2945 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2946 //// Set the origins for a+0 .. a+7
2956 }
2957 //// END inlined, specialised version of MC_(helperc_b_store8)
2958 }
2960 static INLINE
2962 {
2965 #ifndef PERF_FAST_STACK2
2967 #else
2968 {
2969 UWord sm_off16;
2976 }
2982 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2983 //// Clear the origins for a+0 .. a+7.
2992 }
2993 //// END inlined, specialised version of MC_(helperc_b_store8)
2994 }
2995 #endif
2996 }
2999 /*------------------------------------------------------------*/
3000 /*--- Stack pointer adjustment ---*/
3001 /*------------------------------------------------------------*/
3003 #ifdef PERF_FAST_STACK
3004 # define MAYBE_USED
3005 #else
3006 # define MAYBE_USED __attribute__((unused))
3007 #endif
3009 /*--------------- adjustment by 4 bytes ---------------*/
3011 MAYBE_USED
3013 {
3020 }
3021 }
3023 MAYBE_USED
3025 {
3031 }
3032 }
3034 MAYBE_USED
3036 {
3042 }
3043 }
3045 /*--------------- adjustment by 8 bytes ---------------*/
3047 MAYBE_USED
3049 {
3059 }
3060 }
3062 MAYBE_USED
3064 {
3073 }
3074 }
3076 MAYBE_USED
3078 {
3087 }
3088 }
3090 /*--------------- adjustment by 12 bytes ---------------*/
3092 MAYBE_USED
3094 {
3101 /* from previous test we don't have 8-alignment at offset +0,
3102 hence must have 8 alignment at offsets +4/-4. Hence safe to
3103 do 4 at +0 and then 8 at +4/. */
3108 }
3109 }
3111 MAYBE_USED
3113 {
3119 /* from previous test we don't have 8-alignment at offset +0,
3120 hence must have 8 alignment at offsets +4/-4. Hence safe to
3121 do 4 at +0 and then 8 at +4/. */
3126 }
3127 }
3129 MAYBE_USED
3131 {
3133 /* Note the -12 in the test */
3135 /* We have 8-alignment at -12, hence ok to do 8 at -12 and 4 at
3136 -4. */
3140 /* We have 4-alignment at +0, but we don't have 8-alignment at
3141 -12. So we must have 8-alignment at -8. Hence do 4 at -12
3142 and then 8 at -8. */
3147 }
3148 }
3150 /*--------------- adjustment by 16 bytes ---------------*/
3152 MAYBE_USED
3154 {
3158 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3162 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3163 Hence do 4 at +0, 8 at +4, 4 at +12. */
3169 }
3170 }
3172 MAYBE_USED
3174 {
3177 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3181 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3182 Hence do 4 at +0, 8 at +4, 4 at +12. */
3188 }
3189 }
3191 MAYBE_USED
3193 {
3196 /* Have 8-alignment at +0, hence do 8 at -16 and 8 at -8. */
3200 /* 8 alignment must be at -12. Do 4 at -16, 8 at -12, 4 at -4. */
3206 }
3207 }
3209 /*--------------- adjustment by 32 bytes ---------------*/
3211 MAYBE_USED
3213 {
3217 /* Straightforward */
3223 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3224 +0,+28. */
3232 }
3233 }
3235 MAYBE_USED
3237 {
3240 /* Straightforward */
3246 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3247 +0,+28. */
3255 }
3256 }
3258 MAYBE_USED
3260 {
3263 /* Straightforward */
3269 /* 8 alignment must be at -4 etc. Hence do 8 at -12,-20,-28 and
3270 4 at -32,-4. */
3278 }
3279 }
3281 /*--------------- adjustment by 112 bytes ---------------*/
3283 MAYBE_USED
3285 {
3305 }
3306 }
3308 MAYBE_USED
3310 {
3329 }
3330 }
3332 MAYBE_USED
3334 {
3353 }
3354 }
3356 /*--------------- adjustment by 128 bytes ---------------*/
3358 MAYBE_USED
3360 {
3382 }
3383 }
3385 MAYBE_USED
3387 {
3408 }
3409 }
3411 MAYBE_USED
3413 {
3434 }
3435 }
3437 /*--------------- adjustment by 144 bytes ---------------*/
3439 MAYBE_USED
3441 {
3465 }
3466 }
3468 MAYBE_USED
3470 {
3493 }
3494 }
3496 MAYBE_USED
3498 {
3521 }
3522 }
3524 /*--------------- adjustment by 160 bytes ---------------*/
3526 MAYBE_USED
3528 {
3554 }
3555 }
3557 MAYBE_USED
3559 {
3584 }
3585 }
3587 MAYBE_USED
3589 {
3614 }
3615 }
3617 /*--------------- adjustment by N bytes ---------------*/
3620 {
3624 }
3627 {
3630 }
3633 {
3636 }
3639 /* The AMD64 ABI says:
3641 "The 128-byte area beyond the location pointed to by %rsp is considered
3642 to be reserved and shall not be modified by signal or interrupt
3643 handlers. Therefore, functions may use this area for temporary data
3644 that is not needed across function calls. In particular, leaf functions
3645 may use this area for their entire stack frame, rather than adjusting
3646 the stack pointer in the prologue and epilogue. This area is known as
3647 red zone [sic]."
3649 So after any call or return we need to mark this redzone as containing
3650 undefined values.
3652 Consider this: we're in function f. f calls g. g moves rsp down
3653 modestly (say 16 bytes) and writes stuff all over the red zone, making it
3654 defined. g returns. f is buggy and reads from parts of the red zone
3655 that it didn't write on. But because g filled that area in, f is going
3656 to be picking up defined V bits and so any errors from reading bits of
3657 the red zone it didn't write, will be missed. The only solution I could
3658 think of was to make the red zone undefined when g returns to f.
3660 This is in accordance with the ABI, which makes it clear the redzone
3661 is volatile across function calls.
3663 The problem occurs the other way round too: f could fill the RZ up
3664 with defined values and g could mistakenly read them. So the RZ
3665 also needs to be nuked on function calls.
3666 */
3669 /* Here's a simple cache to hold nia -> ECU mappings. It could be
3670 improved so as to have a lower miss rate. */
3675 typedef
3678 WCacheEnt;
3680 #define N_NIA_TO_ECU_CACHE 511
3685 {
3686 UWord i;
3689 UInt zero_ecu;
3690 /* Fill all the slots with an entry for address zero, and the
3691 relevant otags accordingly. Hence the cache is initially filled
3692 with valid data. */
3702 }
3703 }
3706 {
3707 UWord i;
3708 UInt ecu;
3713 stats__nia_cache_queries++;
3721 # define SWAP(_w1,_w2) { UWord _t = _w1; _w1 = _w2; _w2 = _t; }
3724 # undef SWAP
3726 }
3728 stats__nia_cache_misses++;
3740 }
3743 /* This marks the stack as addressible but undefined, after a call or
3744 return for a target that has an ABI defined stack redzone. It
3745 happens quite a lot and needs to be fast. This is the version for
3746 origin tracking. The non-origin-tracking version is below. */
3749 {
3760 # if 0
3761 /* Slow(ish) version, which is fairly easily seen to be correct.
3762 */
3785 }
3786 # endif
3788 /* Idea is: go fast when
3789 * 8-aligned and length is 128
3790 * the sm is available in the main primary map
3791 * the address range falls entirely with a single secondary map
3792 If all those conditions hold, just update the V+A bits by writing
3793 directly into the vabits array. (If the sm was distinguished, this
3794 will make a copy and then write to it.)
3795 */
3797 /* Now we know the address range is suitably sized and aligned. */
3802 /* Now we know the entire range is within the main primary map. */
3806 /* Now we know that the entire address range falls within a
3807 single secondary map, and that that secondary 'lives' in
3808 the main primary map. */
3845 }
3846 }
3847 }
3849 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3851 /* Now we know the address range is suitably sized and aligned. */
3859 /* Now we know that the entire address range falls within a
3860 single secondary map, and that that secondary 'lives' in
3861 the main primary map. */
3938 }
3939 }
3940 }
3942 /* else fall into slow case */
3944 }
3947 /* This is a version of MC_(helperc_MAKE_STACK_UNINIT_w_o) that is
3948 specialised for the non-origin-tracking case. */
3951 {
3957 # if 0
3958 /* Slow(ish) version, which is fairly easily seen to be correct.
3959 */
3982 }
3983 # endif
3985 /* Idea is: go fast when
3986 * 8-aligned and length is 128
3987 * the sm is available in the main primary map
3988 * the address range falls entirely with a single secondary map
3989 If all those conditions hold, just update the V+A bits by writing
3990 directly into the vabits array. (If the sm was distinguished, this
3991 will make a copy and then write to it.)
3992 */
3994 /* Now we know the address range is suitably sized and aligned. */
3999 /* Now we know the entire range is within the main primary map. */
4003 /* Now we know that the entire address range falls within a
4004 single secondary map, and that that secondary 'lives' in
4005 the main primary map. */
4026 }
4027 }
4028 }
4030 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
4032 /* Now we know the address range is suitably sized and aligned. */
4040 /* Now we know that the entire address range falls within a
4041 single secondary map, and that that secondary 'lives' in
4042 the main primary map. */
4083 }
4084 }
4085 }
4087 /* else fall into slow case */
4089 }
4092 /* And this is an even more specialised case, for the case where there
4093 is no origin tracking, and the length is 128. */
4096 {
4101 # if 0
4102 /* Slow(ish) version, which is fairly easily seen to be correct.
4103 */
4126 }
4127 # endif
4129 /* Idea is: go fast when
4130 * 16-aligned and length is 128
4131 * the sm is available in the main primary map
4132 * the address range falls entirely with a single secondary map
4133 If all those conditions hold, just update the V+A bits by writing
4134 directly into the vabits array. (If the sm was distinguished, this
4135 will make a copy and then write to it.)
4137 Typically this applies to amd64 'ret' instructions, since RSP is
4138 16-aligned (0 % 16) after the instruction (per the amd64-ELF ABI).
4139 */
4141 /* Now we know the address range is suitably sized and aligned. */
4144 /* FIXME: come up with a sane story on the wraparound case
4145 (which of course cnanot happen, but still..) */
4148 /* Now we know the entire range is within the main primary map. */
4152 /* Now we know that the entire address range falls within a
4153 single secondary map, and that that secondary 'lives' in
4154 the main primary map. */
4168 }
4169 }
4170 }
4172 /* The same, but for when base is 8 % 16, which is the situation
4173 with RSP for amd64-ELF immediately after call instructions.
4174 */
4176 /* Now we know the address range is suitably sized and aligned. */
4179 /* FIXME: come up with a sane story on the wraparound case
4180 (which of course cnanot happen, but still..) */
4183 /* Now we know the entire range is within the main primary map. */
4188 /* Now we know that the entire address range falls within a
4189 single secondary map, and that that secondary 'lives' in
4190 the main primary map. */
4195 /* The following assertion is commented out for obvious
4196 performance reasons, but was verified as valid when
4197 running the entire testsuite and also Firefox. */
4198 /* tl_assert(VG_IS_4_ALIGNED(w32)); */
4209 }
4210 }
4211 }
4213 /* else fall into slow case */
4216 }
4219 /*------------------------------------------------------------*/
4220 /*--- Checking memory ---*/
4221 /*------------------------------------------------------------*/
4223 typedef
4228 }
4229 MC_ReadResult;
4232 /* Check permissions for address range. If inadequate permissions
4233 exist, *bad_addr is set to the offending address, so the caller can
4234 know what it is. */
4236 /* Returns True if [a .. a+len) is not addressible. Otherwise,
4237 returns False, and if bad_addr is non-NULL, sets *bad_addr to
4238 indicate the lowest failing address. Functions below are
4239 similar. */
4241 {
4242 SizeT i;
4243 UWord vabits2;
4252 }
4253 a++;
4254 }
4256 }
4260 {
4261 SizeT i;
4262 UWord vabits2;
4271 }
4272 a++;
4273 }
4275 }
4280 {
4281 SizeT i;
4282 UWord vabits2;
4293 // Error! Nb: Report addressability errors in preference to
4294 // definedness errors. And don't report definedeness errors unless
4295 // --undef-value-errors=yes.
4298 }
4301 }
4305 }
4307 }
4308 }
4309 a++;
4310 }
4312 }
4315 /* Like is_mem_defined but doesn't give up at the first uninitialised
4316 byte -- the entire range is always checked. This is important for
4317 detecting errors in the case where a checked range strays into
4318 invalid memory, but that fact is not detected by the ordinary
4319 is_mem_defined(), because of an undefined section that precedes the
4320 out of range section, possibly as a result of an alignment hole in
4321 the checked data. This version always checks the entire range and
4322 can report both a definedness and an accessbility error, if
4323 necessary. */
4331 )
4332 {
4333 SizeT i;
4334 UWord vabits2;
4347 a++;
4358 }
4360 }
4369 }
4370 }
4371 }
4374 /* Check a zero-terminated ascii string. Tricky -- don't want to
4375 examine the actual bytes, to find the end, until we're sure it is
4376 safe to do so. */
4379 {
4380 UWord vabits2;
4391 // Error! Nb: Report addressability errors in preference to
4392 // definedness errors. And don't report definedeness errors unless
4393 // --undef-value-errors=yes.
4396 }
4399 }
4403 }
4405 }
4406 }
4407 /* Ok, a is safe to read. */
4410 }
4411 a++;
4412 }
4413 }
4416 /*------------------------------------------------------------*/
4417 /*--- Memory event handlers ---*/
4418 /*------------------------------------------------------------*/
4420 static
4423 {
4424 Addr bad_addr;
4440 }
4441 }
4442 }
4444 static
4447 {
4449 Addr bad_addr;
4465 /* If we're being asked to jump to a silly address, record an error
4466 message before potentially crashing the entire system. */
4473 }
4474 }
4475 }
4477 static
4480 {
4481 MC_ReadResult res;
4491 }
4492 }
4494 /* Handling of mmap and mprotect is not as simple as it seems.
4496 The underlying semantics are that memory obtained from mmap is
4497 always initialised, but may be inaccessible. And changes to the
4498 protection of memory do not change its contents and hence not its
4499 definedness state. Problem is we can't model
4500 inaccessible-but-with-some-definedness state; once we mark memory
4501 as inaccessible we lose all info about definedness, and so can't
4502 restore that if it is later made accessible again.
4504 One obvious thing to do is this:
4506 mmap/mprotect NONE -> noaccess
4507 mmap/mprotect other -> defined
4509 The problem case here is: taking accessible memory, writing
4510 uninitialised data to it, mprotecting it NONE and later mprotecting
4511 it back to some accessible state causes the undefinedness to be
4512 lost.
4514 A better proposal is:
4516 (1) mmap NONE -> make noaccess
4517 (2) mmap other -> make defined
4519 (3) mprotect NONE -> # no change
4520 (4) mprotect other -> change any "noaccess" to "defined"
4522 (2) is OK because memory newly obtained from mmap really is defined
4523 (zeroed out by the kernel -- doing anything else would
4524 constitute a massive security hole.)
4526 (1) is OK because the only way to make the memory usable is via
4527 (4), in which case we also wind up correctly marking it all as
4528 defined.
4530 (3) is the weak case. We choose not to change memory state.
4531 (presumably the range is in some mixture of "defined" and
4532 "undefined", viz, accessible but with arbitrary V bits). Doing
4533 nothing means we retain the V bits, so that if the memory is
4534 later mprotected "other", the V bits remain unchanged, so there
4535 can be no false negatives. The bad effect is that if there's
4536 an access in the area, then MC cannot warn; but at least we'll
4537 get a SEGV to show, so it's better than nothing.
4539 Consider the sequence (3) followed by (4). Any memory that was
4540 "defined" or "undefined" previously retains its state (as
4541 required). Any memory that was "noaccess" before can only have
4542 been made that way by (1), and so it's OK to change it to
4543 "defined".
4545 See https://bugs.kde.org/show_bug.cgi?id=205541
4546 and https://bugs.kde.org/show_bug.cgi?id=210268
4547 */
4548 static
4550 ULong di_handle )
4551 {
4553 /* (2) mmap/mprotect other -> defined */
4556 /* (1) mmap/mprotect NONE -> noaccess */
4558 }
4559 }
4561 static
4563 {
4565 /* (4) mprotect other -> change any "noaccess" to "defined" */
4568 /* (3) mprotect NONE -> # no change */
4569 /* do nothing */
4570 }
4571 }
4574 static
4577 {
4578 // Because code is defined, initialised variables get put in the data
4579 // segment and are defined, and uninitialised variables get put in the
4580 // bss segment and are auto-zeroed (and so defined).
4581 //
4582 // It's possible that there will be padding between global variables.
4583 // This will also be auto-zeroed, and marked as defined by Memcheck. If
4584 // a program uses it, Memcheck will not complain. This is arguably a
4585 // false negative, but it's a grey area -- the behaviour is defined (the
4586 // padding is zeroed) but it's probably not what the user intended. And
4587 // we can't avoid it.
4588 //
4589 // Note: we generally ignore RWX permissions, because we can't track them
4590 // without requiring more than one A bit which would slow things down a
4591 // lot. But on Darwin the 0th page is mapped but !R and !W and !X.
4592 // So we mark any such pages as "unaddressable".
4596 }
4598 static
4600 {
4602 }
4605 /*------------------------------------------------------------*/
4606 /*--- Register event handlers ---*/
4607 /*------------------------------------------------------------*/
4609 /* Try and get a nonzero origin for the guest state section of thread
4610 tid characterised by (offset,size). Return 0 if nothing to show
4611 for it. */
4614 {
4615 Int sh2off;
4617 UInt otag;
4630 }
4633 /* When some chunk of guest state is written, mark the corresponding
4634 shadow area as valid. This is used to initialise arbitrarily large
4635 chunks of guest state, hence the _SIZE value, which has to be as
4636 big as the biggest guest state.
4637 */
4640 {
4641 # define MAX_REG_WRITE_SIZE 2264
4646 # undef MAX_REG_WRITE_SIZE
4647 }
4649 static
4652 {
4654 }
4656 /* Look at the definedness of the guest's shadow state for
4657 [offset, offset+len). If any part of that is undefined, record
4658 a parameter error.
4659 */
4662 {
4663 Int i;
4664 Bool bad;
4665 UInt otag;
4677 }
4678 }
4683 /* We've found some undefinedness. See if we can also find an
4684 origin for it. */
4687 }
4690 /*------------------------------------------------------------*/
4691 /*--- Register-memory event handlers ---*/
4692 /*------------------------------------------------------------*/
4696 {
4697 SizeT i;
4698 UChar vbits8;
4699 Int offset;
4700 UInt d32;
4702 /* Slow loop. */
4707 }
4712 /* Track origins. */
4738 }
4741 }
4745 SizeT size )
4746 {
4747 SizeT i;
4748 UChar vbits8;
4749 Int offset;
4750 UInt d32;
4752 /* Slow loop. */
4757 }
4762 /* Track origins. */
4789 }
4790 }
4793 /*------------------------------------------------------------*/
4794 /*--- Some static assertions ---*/
4795 /*------------------------------------------------------------*/
4797 /* The handwritten assembly helpers below have baked-in assumptions
4798 about various constant values. These assertions attempt to make
4799 that a bit safer by checking those values and flagging changes that
4800 would make the assembly invalid. Not perfect but it's better than
4801 nothing. */
4824 /*------------------------------------------------------------*/
4825 /*--- Functions called directly from generated code: ---*/
4826 /*--- Load/store handlers. ---*/
4827 /*------------------------------------------------------------*/
4829 /* Types: LOADV32, LOADV16, LOADV8 are:
4830 UWord fn ( Addr a )
4831 so they return 32-bits on 32-bit machines and 64-bits on
4832 64-bit machines. Addr has the same size as a host word.
4834 LOADV64 is always ULong fn ( Addr a )
4836 Similarly for STOREV8, STOREV16, STOREV32, the supplied vbits
4837 are a UWord, and for STOREV64 they are a ULong.
4838 */
4840 /* If any part of '_a' indicated by the mask is 1, either '_a' is not
4841 naturally '_sz/8'-aligned, or it exceeds the range covered by the
4842 primary map. This is all very tricky (and important!), so let's
4843 work through the maths by hand (below), *and* assert for these
4844 values at startup. */
4845 #define MASK(_szInBytes) \
4846 ( ~((0x10000UL-(_szInBytes)) | ((N_PRIMARY_MAP-1) << 16)) )
4848 /* MASK only exists so as to define this macro. */
4849 #define UNALIGNED_OR_HIGH(_a,_szInBits) \
4850 ((_a) & MASK((_szInBits>>3)))
4852 /* On a 32-bit machine:
4854 N_PRIMARY_BITS == 16, so
4855 N_PRIMARY_MAP == 0x10000, so
4856 N_PRIMARY_MAP-1 == 0xFFFF, so
4857 (N_PRIMARY_MAP-1) << 16 == 0xFFFF0000, and so
4859 MASK(1) = ~ ( (0x10000 - 1) | 0xFFFF0000 )
4860 = ~ ( 0xFFFF | 0xFFFF0000 )
4861 = ~ 0xFFFF'FFFF
4862 = 0
4864 MASK(2) = ~ ( (0x10000 - 2) | 0xFFFF0000 )
4865 = ~ ( 0xFFFE | 0xFFFF0000 )
4866 = ~ 0xFFFF'FFFE
4867 = 1
4869 MASK(4) = ~ ( (0x10000 - 4) | 0xFFFF0000 )
4870 = ~ ( 0xFFFC | 0xFFFF0000 )
4871 = ~ 0xFFFF'FFFC
4872 = 3
4874 MASK(8) = ~ ( (0x10000 - 8) | 0xFFFF0000 )
4875 = ~ ( 0xFFF8 | 0xFFFF0000 )
4876 = ~ 0xFFFF'FFF8
4877 = 7
4879 Hence in the 32-bit case, "a & MASK(1/2/4/8)" is a nonzero value
4880 precisely when a is not 1/2/4/8-bytes aligned. And obviously, for
4881 the 1-byte alignment case, it is always a zero value, since MASK(1)
4882 is zero. All as expected.
4884 On a 64-bit machine, it's more complex, since we're testing
4885 simultaneously for misalignment and for the address being at or
4886 above 64G:
4888 N_PRIMARY_BITS == 20, so
4889 N_PRIMARY_MAP == 0x100000, so
4890 N_PRIMARY_MAP-1 == 0xFFFFF, so
4891 (N_PRIMARY_MAP-1) << 16 == 0xF'FFFF'0000, and so
4893 MASK(1) = ~ ( (0x10000 - 1) | 0xF'FFFF'0000 )
4894 = ~ ( 0xFFFF | 0xF'FFFF'0000 )
4895 = ~ 0xF'FFFF'FFFF
4896 = 0xFFFF'FFF0'0000'0000
4898 MASK(2) = ~ ( (0x10000 - 2) | 0xF'FFFF'0000 )
4899 = ~ ( 0xFFFE | 0xF'FFFF'0000 )
4900 = ~ 0xF'FFFF'FFFE
4901 = 0xFFFF'FFF0'0000'0001
4903 MASK(4) = ~ ( (0x10000 - 4) | 0xF'FFFF'0000 )
4904 = ~ ( 0xFFFC | 0xF'FFFF'0000 )
4905 = ~ 0xF'FFFF'FFFC
4906 = 0xFFFF'FFF0'0000'0003
4908 MASK(8) = ~ ( (0x10000 - 8) | 0xF'FFFF'0000 )
4909 = ~ ( 0xFFF8 | 0xF'FFFF'0000 )
4910 = ~ 0xF'FFFF'FFF8
4911 = 0xFFFF'FFF0'0000'0007
4912 */
4914 /*------------------------------------------------------------*/
4915 /*--- LOADV256 and LOADV128 ---*/
4916 /*------------------------------------------------------------*/
4918 static INLINE
4921 {
4924 #ifndef PERF_FAST_LOADV
4927 #else
4928 {
4938 }
4940 /* Handle common cases quickly: a (and a+8 and a+16 etc.) is
4941 suitably aligned, is mapped, and addressible. */
4947 // Convert V bits from compact memory form to expanded
4948 // register form.
4954 /* Slow case: some block of 8 bytes are not all-defined or
4955 all-undefined. */
4959 }
4960 }
4962 }
4963 #endif
4964 }
4967 {
4969 }
4971 {
4973 }
4976 {
4978 }
4980 {
4982 }
4984 /*------------------------------------------------------------*/
4985 /*--- LOADV64 ---*/
4986 /*------------------------------------------------------------*/
4988 static INLINE
4990 {
4993 #ifndef PERF_FAST_LOADV
4995 #else
4996 {
5003 }
5009 // Handle common case quickly: a is suitably aligned, is mapped, and
5010 // addressible.
5011 // Convert V bits from compact memory form to expanded register form.
5017 /* Slow case: the 8 bytes are not all-defined or all-undefined. */
5020 }
5021 }
5022 #endif
5023 }
5025 // Generic for all platforms
5027 {
5029 }
5031 // Non-generic assembly for arm32-linux
5032 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5033 && defined(VGP_arm_linux)
5034 /* See mc_main_asm.c */
5036 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5037 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris) || defined(VGP_x86_freebsd))
5038 /* See mc_main_asm.c */
5040 #else
5041 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5043 {
5045 }
5046 #endif
5048 /*------------------------------------------------------------*/
5049 /*--- STOREV64 ---*/
5050 /*------------------------------------------------------------*/
5052 static INLINE
5054 {
5057 #ifndef PERF_FAST_STOREV
5058 // XXX: this slow case seems to be marginally faster than the fast case!
5059 // Investigate further.
5061 #else
5062 {
5070 }
5076 // To understand the below cleverness, see the extensive comments
5077 // in MC_(helperc_STOREV8).
5081 }
5085 }
5089 }
5093 }
5097 }
5101 }
5105 }
5106 #endif
5107 }
5110 {
5112 }
5114 {
5116 }
5118 /*------------------------------------------------------------*/
5119 /*--- LOADV32 ---*/
5120 /*------------------------------------------------------------*/
5122 static INLINE
5124 {
5127 #ifndef PERF_FAST_LOADV
5129 #else
5130 {
5137 }
5143 // Handle common case quickly: a is suitably aligned, is mapped, and the
5144 // entire word32 it lives in is addressible.
5145 // Convert V bits from compact memory form to expanded register form.
5146 // For 64-bit platforms, set the high 32 bits of retval to 1 (undefined).
5147 // Almost certainly not necessary, but be paranoid.
5153 /* Slow case: the 4 bytes are not all-defined or all-undefined. */
5156 }
5157 }
5158 #endif
5159 }
5161 // Generic for all platforms
5163 {
5165 }
5167 // Non-generic assembly for arm32-linux
5168 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5169 && defined(VGP_arm_linux)
5170 /* See mc_main_asm.c */
5172 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5173 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5174 /* See mc_main_asm.c */
5176 #else
5177 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5179 {
5181 }
5182 #endif
5184 /*------------------------------------------------------------*/
5185 /*--- STOREV32 ---*/
5186 /*------------------------------------------------------------*/
5188 static INLINE
5190 {
5193 #ifndef PERF_FAST_STOREV
5195 #else
5196 {
5204 }
5210 // To understand the below cleverness, see the extensive comments
5211 // in MC_(helperc_STOREV8).
5215 }
5219 }
5223 }
5227 }
5231 }
5235 }
5239 }
5240 #endif
5241 }
5244 {
5246 }
5248 {
5250 }
5252 /*------------------------------------------------------------*/
5253 /*--- LOADV16 ---*/
5254 /*------------------------------------------------------------*/
5256 static INLINE
5258 {
5261 #ifndef PERF_FAST_LOADV
5263 #else
5264 {
5271 }
5276 // Handle common case quickly: a is suitably aligned, is mapped, and is
5277 // addressible.
5278 // Convert V bits from compact memory form to expanded register form
5282 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5283 // the two sub-bytes.
5288 /* Slow case: the two bytes are not all-defined or all-undefined. */
5291 }
5292 }
5293 }
5294 #endif
5295 }
5297 // Generic for all platforms
5299 {
5301 }
5303 // Non-generic assembly for arm32-linux
5304 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5305 && defined(VGP_arm_linux)
5333 // r1 holds sec-map-VABITS8. r0 holds the address and is 2-aligned.
5334 // Extract the relevant 4 bits and inspect.
5354 );
5356 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5357 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5399 );
5401 #else
5402 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5404 {
5406 }
5407 #endif
5409 /*------------------------------------------------------------*/
5410 /*--- STOREV16 ---*/
5411 /*------------------------------------------------------------*/
5413 /* True if the vabits4 in vabits8 indicate a and a+1 are accessible. */
5414 static INLINE
5416 {
5417 UInt shift;
5421 // check 2 x vabits2 != VA_BITS2_NOACCESS
5424 }
5426 static INLINE
5428 {
5431 #ifndef PERF_FAST_STOREV
5433 #else
5434 {
5442 }
5448 // To understand the below cleverness, see the extensive comments
5449 // in MC_(helperc_STOREV8).
5453 }
5459 }
5462 }
5466 }
5472 }
5476 }
5480 }
5481 #endif
5482 }
5486 {
5488 }
5490 {
5492 }
5494 /*------------------------------------------------------------*/
5495 /*--- LOADV8 ---*/
5496 /*------------------------------------------------------------*/
5498 /* Note: endianness is irrelevant for size == 1 */
5500 // Non-generic assembly for arm32-linux
5501 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5502 && defined(VGP_arm_linux)
5527 // r1 holds sec-map-VABITS8
5528 // r0 holds the address. Extract the relevant 2 bits and inspect.
5547 );
5549 /* Non-generic assembly for x86-linux */
5550 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5551 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5590 );
5592 #else
5593 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5596 {
5599 #ifndef PERF_FAST_LOADV
5601 #else
5602 {
5609 }
5614 // Convert V bits from compact memory form to expanded register form
5615 // Handle common case quickly: a is mapped, and the entire
5616 // word32 it lives in is addressible.
5620 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5621 // the single byte.
5626 /* Slow case: the byte is not all-defined or all-undefined. */
5629 }
5630 }
5631 }
5632 #endif
5633 }
5634 #endif
5636 /*------------------------------------------------------------*/
5637 /*--- STOREV8 ---*/
5638 /*------------------------------------------------------------*/
5642 {
5645 #ifndef PERF_FAST_STOREV
5647 #else
5648 {
5656 }
5662 // Clevernesses to speed up storing V bits.
5663 // The 64/32/16 bit cases also have similar clevernesses, but it
5664 // works a little differently to the code below.
5665 //
5666 // Cleverness 1: sometimes we don't have to write the shadow memory at
5667 // all, if we can tell that what we want to write is the same as what is
5668 // already there. These cases are marked below as "defined on defined" and
5669 // "undefined on undefined".
5670 //
5671 // Cleverness 2:
5672 // We also avoid to call mc_STOREVn_slow if the V bits can directly
5673 // be written in the secondary map. V bits can be directly written
5674 // if 4 conditions are respected:
5675 // * The address for which V bits are written is naturally aligned
5676 // on 1 byte for STOREV8 (this is always true)
5677 // on 2 bytes for STOREV16
5678 // on 4 bytes for STOREV32
5679 // on 8 bytes for STOREV64.
5680 // * V bits being written are either fully defined or fully undefined.
5681 // (for partially defined V bits, V bits cannot be directly written,
5682 // as the secondary vbits table must be maintained).
5683 // * the secmap is not distinguished (distinguished maps cannot be
5684 // modified).
5685 // * the memory corresponding to the V bits being written is
5686 // accessible (if one or more bytes are not accessible,
5687 // we must call mc_STOREVn_slow in order to report accessibility
5688 // errors).
5689 // Note that for STOREV32 and STOREV64, it is too expensive
5690 // to verify the accessibility of each byte for the benefit it
5691 // brings. Instead, a quicker check is done by comparing to
5692 // VA_BITS(8|16)_(UN)DEFINED. This guarantees accessibility,
5693 // but misses some opportunity of direct modifications.
5694 // Checking each byte accessibility was measured for
5695 // STOREV32+perf tests and was slowing down all perf tests.
5696 // The cases corresponding to cleverness 2 are marked below as
5697 // "direct mod".
5701 }
5704 // direct mod
5708 }
5712 }
5716 }
5718 && (VA_BITS2_NOACCESS
5720 // direct mod
5724 }
5728 }
5730 // Partially defined word
5733 }
5734 #endif
5735 }
5738 /*------------------------------------------------------------*/
5739 /*--- Functions called directly from generated code: ---*/
5740 /*--- Value-check failure handlers. ---*/
5741 /*------------------------------------------------------------*/
5743 /* Call these ones when an origin is available ... */
5747 }
5752 }
5757 }
5762 }
5767 }
5769 /* ... and these when an origin isn't available. */
5774 }
5779 }
5784 }
5789 }
5794 }
5797 /*------------------------------------------------------------*/
5798 /*--- Metadata get/set functions, for client requests. ---*/
5799 /*------------------------------------------------------------*/
5801 // Nb: this expands the V+A bits out into register-form V bits, even though
5802 // they're in memory. This is for backward compatibility, and because it's
5803 // probably what the user wants.
5805 /* Copy Vbits from/to address 'a'. Returns: 1 == OK, 2 == alignment
5806 error [no longer used], 3 == addressing error. */
5807 /* Nb: We used to issue various definedness/addressability errors from here,
5808 but we took them out because they ranged from not-very-helpful to
5809 downright annoying, and they complicated the error data structures. */
5811 Addr a,
5812 Addr vbits,
5813 SizeT szB,
5815 Bool is_client_request /* True <=> real user request
5816 False <=> internal call from gdbserver */
5817 )
5818 {
5819 SizeT i;
5820 Bool ok;
5821 UChar vbits8;
5823 /* Check that arrays are addressible before doing any getting/setting.
5824 vbits to be checked only for real user request. */
5829 }
5830 }
5832 /* Do the copy */
5834 /* setting */
5838 }
5840 /* getting */
5845 }
5847 // The bytes in vbits[] have now been set, so mark them as such.
5849 }
5852 }
5855 /*------------------------------------------------------------*/
5856 /*--- Detecting leaked (unreachable) malloc'd blocks. ---*/
5857 /*------------------------------------------------------------*/
5859 /* For the memory leak detector, say whether an entire 64k chunk of
5860 address space is possibly in use, or not. If in doubt return
5861 True.
5862 */
5864 {
5867 /* Definitely not in use. */
5871 }
5872 }
5875 /* For the memory leak detector, say whether or not a given word
5876 address is to be regarded as valid. */
5878 {
5886 }
5889 else
5891 }
5894 /*------------------------------------------------------------*/
5895 /*--- Initialisation ---*/
5896 /*------------------------------------------------------------*/
5899 {
5900 Int i;
5908 /* Build the 3 distinguished secondaries */
5918 /* Set up the primary map. */
5919 /* These entries gradually get overwritten as the used address
5920 space expands. */
5924 /* Auxiliary primary maps */
5927 /* auxmap_size = auxmap_used = 0;
5928 no ... these are statically initialised */
5930 /* Secondary V bit table */
5932 }
5935 /*------------------------------------------------------------*/
5936 /*--- Sanity check machinery (permanently engaged) ---*/
5937 /*------------------------------------------------------------*/
5940 {
5941 n_sanity_cheap++;
5943 /* Check for sane operating level */
5946 /* nothing else useful we can rapidly check */
5948 }
5951 {
5952 Int i;
5953 Word n_secmaps_found;
5961 n_sanity_expensive++;
5964 /* Check for sane operating level */
5968 /* Check that the 3 distinguished SMs are still as they should be. */
5970 /* Check noaccess DSM. */
5976 /* Check undefined DSM. */
5982 /* Check defined DSM. */
5992 }
5994 /* If we're not checking for undefined value errors, the secondary V bit
5995 * table should be empty. */
5999 }
6001 /* check the auxiliary maps, very thoroughly */
6007 }
6009 /* n_secmaps_found is now the number referred to by the auxiliary
6010 primary map. Now add on the ones referred to by the main
6011 primary map. */
6017 n_secmaps_found++;
6018 }
6019 }
6021 /* check that the number of secmaps issued matches the number that
6022 are reachable (iow, no secmap leaks) */
6030 }
6036 }
6038 /* there is only one pointer to each secmap (expensive) */
6041 }
6043 /*------------------------------------------------------------*/
6044 /*--- Command line args ---*/
6045 /*------------------------------------------------------------*/
6047 /* 31 Aug 2015: Vectorised code is now so widespread that
6048 --partial-loads-ok needs to be enabled by default on all platforms.
6049 Not doing so causes lots of false errors. */
6071 ExpensiveDefinednessChecks
6080 /* The first heuristic value (LchNone) has no keyword, as this is
6081 a fake heuristic used to collect the blocks found without any
6082 heuristic. */
6085 {
6087 Bool tmp_show;
6091 /* Set MC_(clo_mc_level):
6092 1 = A bit tracking only
6093 2 = A and V bit tracking, but no V bit origins
6094 3 = A and V bit tracking, and V bit origins
6096 Do this by inspecting --undef-value-errors= and
6097 --track-origins=. Reject the case --undef-value-errors=no
6098 --track-origins=yes as meaningless.
6099 */
6109 }
6110 }
6111 }
6118 }
6122 }
6123 }
6139 }
6140 }
6146 }
6147 }
6178 "ERROR: --ignore-ranges: "
6181 }
6183 UInt i;
6199 }
6200 }
6201 }
6202 }
6205 /* This seems at first a bit weird, but: in order to imply
6206 a non-wrapped-around address range, the first offset needs to be
6207 larger than the second one. For example
6208 --ignore-range-below-sp=8192,8189
6209 would cause accesses to in the range [SP-8192, SP-8189] to be
6210 ignored. */
6213 // Ensure we used all the text after the '=' sign.
6217 "ERROR: --ignore-range-below-sp: invalid syntax. "
6220 }
6223 "ERROR: --ignore-range-below-sp: suspiciously large "
6226 }
6229 "ERROR: --ignore-range-below-sp: invalid offsets "
6232 }
6236 "ERROR: --ignore-range-below-sp: suspiciously large "
6239 }
6244 }
6277 else
6283 bad_level:
6287 }
6290 {
6329 );
6330 }
6333 {
6336 );
6337 }
6340 /*------------------------------------------------------------*/
6341 /*--- Client blocks ---*/
6342 /*------------------------------------------------------------*/
6344 /* Client block management:
6346 This is managed as an expanding array of client block descriptors.
6347 Indices of live descriptors are issued to the client, so it can ask
6348 to free them later. Therefore we cannot slide live entries down
6349 over dead ones. Instead we must use free/inuse flags and scan for
6350 an empty slot at allocation time. This in turn means allocation is
6351 relatively expensive, so we hope this does not happen too often.
6353 An unused block has start == size == 0
6354 */
6356 /* type CGenBlock is defined in mc_include.h */
6358 /* This subsystem is self-initialising. */
6363 /* Stats for this subsystem. */
6370 /* Get access to the client block array. */
6373 {
6376 }
6379 static
6381 {
6385 cgb_allocs++;
6388 cgb_search++;
6391 }
6393 /* Not found. Try to allocate one at the end. */
6395 cgb_used++;
6397 }
6399 /* Ok, we have to allocate a new one. */
6412 cgb_used++;
6416 }
6420 {
6424 );
6425 }
6427 {
6429 (
6475 }
6477 /* Print szB bytes at address, with a format similar to the gdb command
6478 x /<szB>xb address.
6479 res[i] == 1 indicates the corresponding byte is addressable. */
6481 {
6482 UInt i;
6490 }
6493 else
6495 }
6497 }
6500 /* Returns the address of the next non space character,
6501 or address of the string terminator. */
6503 {
6505 s++;
6507 }
6509 /* Parse an integer slice, i.e. a single integer or a range of integer.
6510 Syntax is:
6511 <integer>[..<integer> ]
6512 (spaces are allowed before and/or after ..).
6513 Return True if range correctly parsed, False otherwise. */
6516 {
6522 /* slice must start with an integer. */
6526 }
6531 }
6534 /* wl token is an integer terminating the string
6535 or else next token does not start with .
6536 In both cases, the slice is a single integer. */
6539 }
6542 // iii .. => get the next token
6545 // It must be iii..
6549 }
6551 // It must be iii.. jjj => get the next token
6554 // It must be iii..jjj
6556 }
6557 }
6563 }
6569 }
6572 }
6574 /* return True if request recognised, False otherwise */
6576 {
6584 /* NB: if possible, avoid introducing a new command below which
6585 starts with the same first letter(s) as an already existing
6586 command. This ensures a shorter abbreviation for the user. */
6599 Addr address;
6602 UChar vbits;
6603 Int i;
6606 Int res = mc_get_or_set_vbits_for_client
6610 /* we are before the first character on next line, print a \n. */
6613 /* we are before the next block of 4 starts, print a space. */
6620 unaddressable++;
6622 }
6623 }
6629 }
6630 }
6632 }
6635 LeakCheckParams lcp;
6653 "kinds reachable possibleleak definiteleak "
6654 "heuristics "
6655 "new increased changed any "
6666 xt_filename
6676 wcmd,
6679 err++;
6680 }
6682 }
6687 lcp.show_leak_kinds
6698 wcmd,
6701 err++;
6702 }
6704 }
6716 Int int_value;
6727 }
6732 else
6736 }
6739 }
6740 }
6746 }
6749 Addr address;
6765 }
6767 }
6770 Addr address;
6772 Addr bad_addr;
6773 UInt okind;
6775 UInt otag;
6776 UInt ecu;
6778 MC_ReadResult res;
6792 else
6796 // Describe this (probably live) address with current epoch
6817 }
6826 }
6827 }
6828 else
6831 // Describe this (probably live) address with current epoch
6835 }
6837 }
6847 Int int_value;
6864 }
6869 }
6874 }
6882 wcmd,
6886 }
6890 }
6891 }
6892 /* substract 1 from lr_nr_from/lr_nr_to as what is shown to the user
6893 is 1 more than the index in lr_array. */
6896 limit_blocks,
6897 heuristics))
6899 }
6901 }
6904 Addr address;
6912 }
6915 }
6918 Addr address;
6923 Int i;
6927 /* We going to print the first vabits of a new line.
6928 Terminate the previous line if needed: prints a line with the
6929 address and the data. */
6934 }
6936 }
6945 unaddressable++;
6947 }
6948 }
6952 else
6958 }
6959 }
6961 }
6968 }
6973 }
6974 }
6976 /*------------------------------------------------------------*/
6977 /*--- Client requests ---*/
6978 /*------------------------------------------------------------*/
6981 {
6982 Int i;
6983 Addr bad_addr;
7010 }
7021 );
7025 }
7029 }
7030 /* Return the lower of the two erring addresses, if any. */
7034 }
7037 }
7040 }
7042 }
7045 LeakCheckParams lcp;
7055 }
7074 }
7082 }
7091 MC_OKIND_USER );
7108 /* VG_(printf)("allocated %d %p\n", i, cgbs); */
7127 cgb_discards++;
7129 }
7148 // MC_(bytes_leaked) et al were set by the last leak check (or zero
7149 // if no prior leak checks performed).
7154 // there is no argp[5]
7155 //*argp[5] = MC_(bytes_indirect);
7156 // XXX need to make *argp[1-4] defined; currently done in the
7157 // VALGRIND_COUNT_LEAKS_MACRO by initialising them to zero.
7160 }
7163 // MC_(blocks_leaked) et al were set by the last leak check (or zero
7164 // if no prior leak checks performed).
7169 // there is no argp[5]
7170 //*argp[5] = MC_(blocks_indirect);
7171 // XXX need to make *argp[1-4] defined; currently done in the
7172 // VALGRIND_COUNT_LEAK_BLOCKS_MACRO by initialising them to zero.
7175 }
7187 }
7189 }
7198 }
7205 }
7214 }
7222 // other platforms just ensure it is a power of 2
7223 // ignore Illumos only enforcing multiple of 4 (probably a bug)
7226 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be power of 2)" );
7227 }
7228 // size zero not allowed on all platforms (e.g. Illumos)
7231 }
7234 // must be power of 2
7235 // alignment at least sizeof(size_t)
7236 // size of 0 implementation defined
7239 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero, a power of 2 and a multiple of sizeof(void*))" );
7240 }
7243 }
7246 // must be power of 2
7248 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be a power of 2)" );
7249 }
7250 // size should be integral multiple of alignment
7253 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , aligned_alloc_info->size, " (size should be a multiple of alignment)" );
7254 }
7257 }
7263 }
7269 }
7274 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7275 }
7280 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7281 }
7286 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7287 }
7291 }
7296 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7297 }
7300 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, "new[]/delete[]");
7301 }
7307 }
7310 }
7313 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7314 }
7320 }
7322 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, "new[]/delete[]");
7323 }
7326 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7327 }
7331 }
7334 }
7342 // The create_mempool function does not know these mempool flags,
7343 // pass as booleans.
7348 }
7355 }
7364 }
7372 }
7381 }
7389 }
7399 }
7406 }
7412 else
7415 }
7419 Bool addRange
7421 Bool ok
7425 }
7429 Vg_UserMsg,
7432 );
7434 }
7436 }
7439 /*------------------------------------------------------------*/
7440 /*--- Crude profiling machinery. ---*/
7441 /*------------------------------------------------------------*/
7443 // We track a number of interesting events (using PROF_EVENT)
7444 // if MC_PROFILE_MEMORY is defined.
7446 #ifdef MC_PROFILE_MEMORY
7450 /* Event counter names. Use the name of the function that increases the
7451 event counter. Drop any MC_() and mc_ prefices. */
7579 };
7582 {
7589 }
7591 /* Make sure every profiling event has a name */
7593 }
7596 {
7603 }
7610 }
7611 }
7612 }
7614 #else
7619 #endif
7622 /*------------------------------------------------------------*/
7623 /*--- Origin tracking stuff ---*/
7624 /*------------------------------------------------------------*/
7626 /*--------------------------------------------*/
7627 /*--- Origin tracking: load handlers ---*/
7628 /*--------------------------------------------*/
7632 }
7636 UChar descr;
7642 }
7649 }
7655 }
7656 }
7660 UChar descr;
7664 /* Handle misaligned case, slowly. */
7668 }
7675 }
7681 }
7687 }
7688 }
7692 UChar descr;
7693 UWord lineoff;
7696 /* Handle misaligned case, slowly. */
7700 }
7705 }
7712 }
7718 }
7719 }
7724 UWord lineoff;
7727 /* Handle misaligned case, slowly. */
7731 }
7736 }
7745 }
7753 }
7754 }
7761 }
7771 }
7774 /*--------------------------------------------*/
7775 /*--- Origin tracking: store handlers ---*/
7776 /*--------------------------------------------*/
7785 }
7789 #if OC_PRECISION_STORE
7791 // The byte is defined. Just mark it as so in the descr and leave the w32
7792 // unchanged. This may make the descr become zero, so the line no longer
7793 // contains useful info, but that's OK. No loss of information.
7796 // At least one of the four bytes in the w32 is undefined with the same
7797 // origin. Just extend the mask. No loss of information.
7800 // Here, we have a conflict: at least one byte in the group is undefined
7801 // but with some other origin. We can't represent both origins, so we
7802 // forget about the previous origin and install this one instead.
7805 }
7806 #else
7812 }
7813 #endif
7814 }
7821 /* Handle misaligned case, slowly. */
7825 }
7832 }
7836 #if OC_PRECISION_STORE
7837 // Same logic as in the store1 case above.
7846 }
7847 #else
7853 }
7854 #endif
7855 }
7859 UWord lineoff;
7862 /* Handle misaligned case, slowly. */
7866 }
7871 }
7880 }
7881 }
7886 UWord lineoff;
7889 /* Handle misaligned case, slowly. */
7893 }
7898 }
7910 }
7911 }
7916 UWord lineoff;
7919 /* Handle misaligned case, slowly. */
7923 }
7928 }
7946 }
7947 }
7952 UWord lineoff;
7955 /* Handle misaligned case, slowly. */
7959 }
7964 }
7994 }
7995 }
7998 /*--------------------------------------------*/
7999 /*--- Origin tracking: sarp handlers ---*/
8000 /*--------------------------------------------*/
8002 // We may get asked to do very large SARPs (bug 446103), hence it is important
8003 // to process 32-byte chunks at a time when possible.
8009 a++;
8010 len--;
8011 }
8016 }
8021 }
8026 }
8031 }
8038 }
8039 }
8044 }
8049 }
8054 }
8059 }
8062 //a++;
8063 len--;
8064 }
8066 }
8072 a++;
8073 len--;
8074 }
8079 }
8084 }
8089 }
8094 }
8101 }
8102 }
8107 }
8112 }
8117 }
8122 }
8125 //a++;
8126 len--;
8127 }
8129 }
8132 /*------------------------------------------------------------*/
8133 /*--- Setup and finalisation ---*/
8134 /*------------------------------------------------------------*/
8137 {
8138 /* If we've been asked to emit XML, mash around various other
8139 options so as to constrain the output somewhat. */
8141 /* Extract as much info as possible from the leak checker. */
8143 }
8152 }
8160 );
8161 }
8166 /* We're doing origin tracking. */
8167 # ifdef PERF_FAST_STACK
8177 # endif
8181 /* Not doing origin tracking */
8182 # ifdef PERF_FAST_STACK
8192 # endif
8195 }
8197 // We assume that brk()/sbrk() does not initialise new memory. Is this
8198 // accurate? John Reiser says:
8199 //
8200 // 0) sbrk() can *decrease* process address space. No zero fill is done
8201 // for a decrease, not even the fragment on the high end of the last page
8202 // that is beyond the new highest address. For maximum safety and
8203 // portability, then the bytes in the last page that reside above [the
8204 // new] sbrk(0) should be considered to be uninitialized, but in practice
8205 // it is exceedingly likely that they will retain their previous
8206 // contents.
8207 //
8208 // 1) If an increase is large enough to require new whole pages, then
8209 // those new whole pages (like all new pages) are zero-filled by the
8210 // operating system. So if sbrk(0) already is page aligned, then
8211 // sbrk(PAGE_SIZE) *does* zero-fill the new memory.
8212 //
8213 // 2) Any increase that lies within an existing allocated page is not
8214 // changed. So if (x = sbrk(0)) is not page aligned, then
8215 // sbrk(PAGE_SIZE) yields ((PAGE_SIZE -1) & -x) bytes which keep their
8216 // existing contents, and an additional PAGE_SIZE bytes which are zeroed.
8217 // ((PAGE_SIZE -1) & x) of them are "covered" by the sbrk(), and the rest
8218 // of them come along for the ride because the operating system deals
8219 // only in whole pages. Again, for maximum safety and portability, then
8220 // anything that lives above [the new] sbrk(0) should be considered
8221 // uninitialized, but in practice will retain previous contents [zero in
8222 // this case.]"
8223 //
8224 // In short:
8225 //
8226 // A key property of sbrk/brk is that new whole pages that are supplied
8227 // by the operating system *do* get initialized to zero.
8228 //
8229 // As for the portability of all this:
8230 //
8231 // sbrk and brk are not POSIX. However, any system that is a derivative
8232 // of *nix has sbrk and brk because there are too many software (such as
8233 // the Bourne shell) which rely on the traditional memory map (.text,
8234 // .data+.bss, stack) and the existence of sbrk/brk.
8235 //
8236 // So we should arguably observe all this. However:
8237 // - The current inaccuracy has caused maybe one complaint in seven years(?)
8238 // - Relying on the zeroed-ness of whole brk'd pages is pretty grotty... I
8239 // doubt most programmers know the above information.
8240 // So I'm not terribly unhappy with marking it as undefined. --njn.
8241 //
8242 // [More: I think most of what John said only applies to sbrk(). It seems
8243 // that brk() always deals in whole pages. And since this event deals
8244 // directly with brk(), not with sbrk(), perhaps it would be reasonable to
8245 // just mark all memory it allocates as defined.]
8246 //
8247 # if !defined(VGO_solaris)
8250 else
8252 # else
8253 // On Solaris, brk memory has to be marked as defined, otherwise we get
8254 // many false positives.
8256 # endif
8258 /* This origin tracking cache is huge (~100M), so only initialise
8259 if we need it. */
8265 }
8270 }
8271 }
8280 /* Do not check definedness of guest state if --undef-value-errors=no */
8288 "To use --xtree-memory=full, you must"
8290 // Activate full xtree memory profiling.
8292 }
8294 }
8297 {
8300 type,
8301 n_SMs,
8304 }
8307 {
8317 n_auxmap_L2_nodes,
8325 );
8328 n_auxmap_L2_searches, n_auxmap_L2_nodes
8329 );
8338 // Three DSMs, plus the non-DSM ones
8340 // The 3*sizeof(Word) bytes is the AVL node metadata size.
8341 // The VG_ROUNDUP is because the OSet pool allocator will/must align
8342 // the elements on pointer size.
8343 // Note that the pool allocator has some additional small overhead
8344 // which is not counted in the below.
8345 // Hardwiring this logic sucks, but I don't see how else to do it.
8365 stats_ocacheL1_find,
8366 stats_ocacheL1_misses,
8367 stats_ocacheL1_lossage );
8370 stats_ocacheL1_find - stats_ocacheL1_misses
8371 - stats_ocacheL1_found_at_1
8373 stats_ocacheL1_found_at_1 );
8376 stats_ocacheL1_found_at_N,
8377 stats_ocacheL1_movefwds );
8384 stats__ocacheL2_finds,
8385 stats__ocacheL2_misses );
8388 stats__ocacheL2_adds,
8389 stats__ocacheL2_dels );
8392 stats__ocacheL2_n_nodes_max,
8393 stats__ocacheL2_n_nodes );
8401 }
8402 }
8403 }
8407 {
8412 LeakCheckParams lcp;
8427 }
8428 else
8438 );
8439 }
8440 }
8445 "Use --track-origins=yes to see where "
8447 }
8449 /* Print a warning if any client-request generated ignore-ranges
8450 still exist. It would be reasonable to expect that a properly
8451 written program would remove any such ranges before exiting, and
8452 since they are a bit on the dangerous side, let's comment. By
8453 contrast ranges which are specified on the command line normally
8454 pertain to hardware mapped into the address space, and so we
8455 can't expect the client to have got rid of them. */
8466 /* Print the offending range. Also, if it is the first,
8467 print a banner before it. */
8468 nBad++;
8473 "WARNING: "
8475 "WARNING: "
8477 );
8478 }
8481 }
8482 }
8493 }
8494 }
8496 /* mark the given addr/len unaddressable for watchpoint implementation
8497 The PointKind will be handled at access time */
8500 {
8501 /* GDBTD this is somewhat fishy. We might rather have to save the previous
8502 accessibility and definedness in gdbserver so as to allow restoring it
8503 properly. Currently, we assume that the user only watches things
8504 which are properly addressable and defined */
8507 else
8510 }
8513 {
8524 mc_fini);
8545 mc_print_usage,
8546 mc_print_debug_usage);
8549 mc_expensive_sanity_check);
8566 MC_MALLOC_DEFAULT_REDZONE_SZB );
8573 // Handling of mmap and mprotect isn't simple (well, it is simple,
8574 // but the justification isn't.) See comments above, just prior to
8575 // mc_new_mem_mmap.
8585 /* Defer the specification of the new_mem_stack functions to the
8586 post_clo_init function, since we need to first parse the command
8587 line before deciding which set to use. */
8589 # ifdef PERF_FAST_STACK
8599 # endif
8615 }
8620 // MC_(chunk_poolalloc) must be allocated in post_clo_init
8628 // {LOADV,STOREV}[8421] will all fail horribly if this isn't true.
8630 // Call me paranoid. I don't care.
8633 // BYTES_PER_SEC_VBIT_NODE must be a power of two.
8636 /* This is small. Always initialise it. */
8639 /* We can't initialise ocacheL1/ocacheL2 yet, since we don't know
8640 if we need to, since the command line args haven't been
8641 processed yet. Hence defer it to mc_post_clo_init. */
8645 }
8647 /* Check some important stuff. See extensive comments above
8648 re UNALIGNED_OR_HIGH for background. */
8649 # if VG_WORDSIZE == 4
8659 # else
8670 # endif
8672 /* Check some assertions to do with the instrumentation machinery. */
8674 }
8680 /*--------------------------------------------------------------------*/
8681 /*--- end mc_main.c ---*/
8682 /*--------------------------------------------------------------------*/