| blob | 2221f8d3d84d6beccac8f23e91367e69b49c3445 |
1 /* -*- mode: C; c-basic-offset: 3; -*- */
3 /*--------------------------------------------------------------------*/
4 /*--- MemCheck: Maintain bitmaps of memory, tracking the ---*/
5 /*--- accessibility (A) and validity (V) status of each byte. ---*/
6 /*--- mc_main.c ---*/
7 /*--------------------------------------------------------------------*/
9 /*
10 This file is part of MemCheck, a heavyweight Valgrind tool for
11 detecting memory errors.
13 Copyright (C) 2000-2017 Julian Seward
14 jseward@acm.org
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License as
18 published by the Free Software Foundation; either version 2 of the
19 License, or (at your option) any later version.
21 This program is distributed in the hope that it will be useful, but
22 WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24 General Public License for more details.
26 You should have received a copy of the GNU General Public License
27 along with this program; if not, see <http://www.gnu.org/licenses/>.
29 The GNU General Public License is contained in the file COPYING.
30 */
55 /* Set to 1 to do a little more sanity checking */
56 #define VG_DEBUG_MEMORY 0
64 /*------------------------------------------------------------*/
65 /*--- Fast-case knobs ---*/
66 /*------------------------------------------------------------*/
68 // Comment these out to disable the fast cases (don't just set them to zero).
70 /* PERF_FAST_LOADV is in mc_include.h */
71 #define PERF_FAST_STOREV 1
73 #define PERF_FAST_SARP 1
75 #define PERF_FAST_STACK 1
76 #define PERF_FAST_STACK2 1
78 /* Change this to 1 to enable assertions on origin tracking cache fast
79 paths */
80 #define OC_ENABLE_ASSERTIONS 0
82 /* Change this to 1 for experimental, higher precision origin tracking
83 8- and 16-bit store handling. */
84 #define OC_PRECISION_STORE 1
87 /*------------------------------------------------------------*/
88 /*--- Comments on the origin tracking implementation ---*/
89 /*------------------------------------------------------------*/
91 /* See detailed comment entitled
92 AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
93 which is contained further on in this file. */
96 /*------------------------------------------------------------*/
97 /*--- V bits and A bits ---*/
98 /*------------------------------------------------------------*/
100 /* Conceptually, every byte value has 8 V bits, which track whether Memcheck
101 thinks the corresponding value bit is defined. And every memory byte
102 has an A bit, which tracks whether Memcheck thinks the program can access
103 it safely (ie. it's mapped, and has at least one of the RWX permission bits
104 set). So every N-bit register is shadowed with N V bits, and every memory
105 byte is shadowed with 8 V bits and one A bit.
107 In the implementation, we use two forms of compression (compressed V bits
108 and distinguished secondary maps) to avoid the 9-bit-per-byte overhead
109 for memory.
111 Memcheck also tracks extra information about each heap block that is
112 allocated, for detecting memory leaks and other purposes.
113 */
115 /*------------------------------------------------------------*/
116 /*--- Basic A/V bitmap representation. ---*/
117 /*------------------------------------------------------------*/
119 /* All reads and writes are checked against a memory map (a.k.a. shadow
120 memory), which records the state of all memory in the process.
122 On 32-bit machines the memory map is organised as follows.
123 The top 16 bits of an address are used to index into a top-level
124 map table, containing 65536 entries. Each entry is a pointer to a
125 second-level map, which records the accesibililty and validity
126 permissions for the 65536 bytes indexed by the lower 16 bits of the
127 address. Each byte is represented by two bits (details are below). So
128 each second-level map contains 16384 bytes. This two-level arrangement
129 conveniently divides the 4G address space into 64k lumps, each size 64k
130 bytes.
132 All entries in the primary (top-level) map must point to a valid
133 secondary (second-level) map. Since many of the 64kB chunks will
134 have the same status for every bit -- ie. noaccess (for unused
135 address space) or entirely addressable and defined (for code segments) --
136 there are three distinguished secondary maps, which indicate 'noaccess',
137 'undefined' and 'defined'. For these uniform 64kB chunks, the primary
138 map entry points to the relevant distinguished map. In practice,
139 typically more than half of the addressable memory is represented with
140 the 'undefined' or 'defined' distinguished secondary map, so it gives a
141 good saving. It also lets us set the V+A bits of large address regions
142 quickly in set_address_range_perms().
144 On 64-bit machines it's more complicated. If we followed the same basic
145 scheme we'd have a four-level table which would require too many memory
146 accesses. So instead the top-level map table has 2^20 entries (indexed
147 using bits 16..35 of the address); this covers the bottom 64GB. Any
148 accesses above 64GB are handled with a slow, sparse auxiliary table.
149 Valgrind's address space manager tries very hard to keep things below
150 this 64GB barrier so that performance doesn't suffer too much.
152 Note that this file has a lot of different functions for reading and
153 writing shadow memory. Only a couple are strictly necessary (eg.
154 get_vabits2 and set_vabits2), most are just specialised for specific
155 common cases to improve performance.
157 Aside: the V+A bits are less precise than they could be -- we have no way
158 of marking memory as read-only. It would be great if we could add an
159 extra state VA_BITSn_READONLY. But then we'd have 5 different states,
160 which requires 2.3 bits to hold, and there's no way to do that elegantly
161 -- we'd have to double up to 4 bits of metadata per byte, which doesn't
162 seem worth it.
163 */
165 /* --------------- Basic configuration --------------- */
167 /* Only change this. N_PRIMARY_MAP *must* be a power of 2. */
169 #if VG_WORDSIZE == 4
171 /* cover the entire address space */
172 # define N_PRIMARY_BITS 16
174 #else
176 /* Just handle the first 128G fast and the rest via auxiliary
177 primaries. If you change this, Memcheck will assert at startup.
178 See the definition of UNALIGNED_OR_HIGH for extensive comments. */
179 # define N_PRIMARY_BITS 21
181 #endif
184 /* Do not change this. */
185 #define N_PRIMARY_MAP ( ((UWord)1) << N_PRIMARY_BITS)
187 /* Do not change this. */
188 #define MAX_PRIMARY_ADDRESS (Addr)((((Addr)65536) * N_PRIMARY_MAP)-1)
191 /* --------------- Secondary maps --------------- */
193 // Each byte of memory conceptually has an A bit, which indicates its
194 // addressability, and 8 V bits, which indicates its definedness.
195 //
196 // But because very few bytes are partially defined, we can use a nice
197 // compression scheme to reduce the size of shadow memory. Each byte of
198 // memory has 2 bits which indicates its state (ie. V+A bits):
199 //
200 // 00: noaccess (unaddressable but treated as fully defined)
201 // 01: undefined (addressable and fully undefined)
202 // 10: defined (addressable and fully defined)
203 // 11: partdefined (addressable and partially defined)
204 //
205 // In the "partdefined" case, we use a secondary table to store the V bits.
206 // Each entry in the secondary-V-bits table maps a byte address to its 8 V
207 // bits.
208 //
209 // We store the compressed V+A bits in 8-bit chunks, ie. the V+A bits for
210 // four bytes (32 bits) of memory are in each chunk. Hence the name
211 // "vabits8". This lets us get the V+A bits for four bytes at a time
212 // easily (without having to do any shifting and/or masking), and that is a
213 // very common operation. (Note that although each vabits8 chunk
214 // is 8 bits in size, it represents 32 bits of memory.)
215 //
216 // The representation is "inverse" little-endian... each 4 bytes of
217 // memory is represented by a 1 byte value, where:
218 //
219 // - the status of byte (a+0) is held in bits [1..0]
220 // - the status of byte (a+1) is held in bits [3..2]
221 // - the status of byte (a+2) is held in bits [5..4]
222 // - the status of byte (a+3) is held in bits [7..6]
223 //
224 // It's "inverse" because endianness normally describes a mapping from
225 // value bits to memory addresses; in this case the mapping is inverted.
226 // Ie. instead of particular value bits being held in certain addresses, in
227 // this case certain addresses are represented by particular value bits.
228 // See insert_vabits2_into_vabits8() for an example.
229 //
230 // But note that we don't compress the V bits stored in registers; they
231 // need to be explicit to made the shadow operations possible. Therefore
232 // when moving values between registers and memory we need to convert
233 // between the expanded in-register format and the compressed in-memory
234 // format. This isn't so difficult, it just requires careful attention in a
235 // few places.
237 // These represent eight bits of memory.
243 // These represent 16 bits of memory.
248 // These represent 32 bits of memory.
253 // These represent 64 bits of memory.
258 // These represent 128 bits of memory.
263 #define SM_OFF(aaa) (((aaa) & 0xffff) >> 2)
264 #define SM_OFF_16(aaa) (((aaa) & 0xffff) >> 3)
266 // Paranoia: it's critical for performance that the requested inlining
267 // occurs. So try extra hard.
268 #define INLINE inline __attribute__((always_inline))
272 }
275 }
279 typedef
283 }
284 SecMap;
286 // 3 distinguished secondary maps, one for no-access, one for
287 // accessible but undefined, and one for accessible and defined.
288 // Distinguished secondaries may never be modified.
289 #define SM_DIST_NOACCESS 0
290 #define SM_DIST_UNDEFINED 1
291 #define SM_DIST_DEFINED 2
297 }
299 // Forward declaration
302 /* dist_sm points to one of our three distinguished secondaries. Make
303 a copy of it so that we can write to it.
304 */
306 {
320 }
322 /* --------------- Stats --------------- */
335 /* # searches initiated in auxmap_L1, and # base cmps required */
338 /* # of searches that missed in auxmap_L1 and therefore had to
339 be handed to auxmap_L2. And the number of nodes inserted. */
350 {
355 n_deissued_SMs ++; }
361 n_issued_SMs ++; }
367 }
369 /* --------------- Primary maps --------------- */
371 /* The main primary map. This covers some initial part of the address
372 space, addresses 0 .. (N_PRIMARY_MAP << 16)-1. The rest of it is
373 handled using the auxiliary primary map.
374 */
375 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
376 && (defined(VGP_arm_linux) \
377 || defined(VGP_x86_linux) || defined(VGP_x86_solaris) || defined(VGP_x86_freebsd))
378 /* mc_main_asm.c needs visibility on a few things declared in this file.
379 MC_MAIN_STATIC allows to define them static if ok, i.e. on
380 platforms that are not using hand-coded asm statements. */
381 #define MC_MAIN_STATIC
382 #else
383 #define MC_MAIN_STATIC static
384 #endif
388 /* An entry in the auxiliary primary map. base must be a 64k-aligned
389 value, and sm points at the relevant secondary map. As with the
390 main primary map, the secondary may be either a real secondary, or
391 one of the three distinguished secondaries. DO NOT CHANGE THIS
392 LAYOUT: the first word has to be the key for OSet fast lookups.
393 */
394 typedef
396 Addr base;
398 }
399 AuxMapEnt;
401 /* Tunable parameter: How big is the L1 queue? */
402 #define N_AUXMAP_L1 24
404 /* Tunable parameter: How far along the L1 queue to insert
405 entries resulting from L2 lookups? */
406 #define AUXMAP_L1_INSERT_IX 12
409 Addr base;
411 }
417 {
418 Int i;
422 }
429 }
431 /* Check representation invariants; if OK return NULL; else a
432 descriptive bit of text. Also return the number of
433 non-distinguished secondary maps referred to from the auxiliary
434 primary maps. */
437 {
439 /* On a 32-bit platform, the L2 and L1 tables should
440 both remain empty forever.
442 On a 64-bit platform:
443 In the L2 table:
444 all .base & 0xFFFF == 0
445 all .base > MAX_PRIMARY_ADDRESS
446 In the L1 table:
447 all .base & 0xFFFF == 0
448 all (.base > MAX_PRIMARY_ADDRESS
449 .base & 0xFFFF == 0
450 and .ent points to an AuxMapEnt with the same .base)
451 or
452 (.base == 0 and .ent == NULL)
453 */
456 /* 32-bit platform */
463 /* 64-bit platform */
466 AuxMapEnt key;
467 /* L2 table */
470 elems_seen++;
479 }
482 /* Check L1-L2 correspondence */
494 /* Look it up in auxmap_L2. */
502 }
503 /* Check L1 contains no duplicates */
512 }
513 }
514 }
516 }
519 {
520 Word i;
527 }
530 {
531 AuxMapEnt key;
533 Word i;
538 /* First search the front-cache, which is a self-organising
539 list containing the most popular entries. */
551 }
553 n_auxmap_L1_searches++;
558 }
559 }
572 i--;
573 }
575 }
577 n_auxmap_L2_searches++;
579 /* First see if we already have it. */
587 }
590 {
593 /* First see if we already have it. */
598 /* Ok, there's no entry in the secondary map, so we'll have
599 to allocate one. */
607 n_auxmap_L2_nodes++;
609 }
611 /* --------------- SecMap fundamentals --------------- */
613 // In all these, 'low' means it's definitely in the main primary map,
614 // 'high' means it's definitely in the auxiliary table.
617 {
620 }
623 {
625 # if VG_DEBUG_MEMORY >= 1
627 # endif
629 }
632 {
635 }
638 {
642 }
645 {
647 }
650 {
652 }
655 {
660 }
663 {
668 }
670 /* Produce the secmap for 'a', either from the primary map or by
671 ensuring there is an entry for it in the aux primary map. The
672 secmap may be a distinguished one as the caller will only want to
673 be able to read it.
674 */
676 {
680 }
682 /* Produce the secmap for 'a', either from the primary map or by
683 ensuring there is an entry for it in the aux primary map. The
684 secmap may not be a distinguished one, since the caller will want
685 to be able to write it. If it is a distinguished secondary, make a
686 writable copy of it, install it, and return the copy instead. (COW
687 semantics).
688 */
690 {
694 }
696 /* If 'a' has a SecMap, produce it. Else produce NULL. But don't
697 allocate one if one doesn't already exist. This is used by the
698 leak checker.
699 */
701 {
707 }
708 }
710 /* --------------- Fundamental functions --------------- */
712 static INLINE
714 {
718 }
720 static INLINE
722 {
723 UInt shift;
728 }
730 static INLINE
732 {
736 }
738 static INLINE
740 {
741 UInt shift;
746 }
748 // Note that these four are only used in slow cases. The fast cases do
749 // clever things like combine the auxmap check (in
750 // get_secmap_{read,writ}able) with alignment checks.
752 // *** WARNING! ***
753 // Any time this function is called, if it is possible that vabits2
754 // is equal to VA_BITS2_PARTDEFINED, then the corresponding entry in the
755 // sec-V-bits table must also be set!
756 static INLINE
758 {
762 }
764 static INLINE
766 {
771 }
773 // *** WARNING! ***
774 // Any time this function is called, if it is possible that any of the
775 // 4 2-bit fields in vabits8 are equal to VA_BITS2_PARTDEFINED, then the
776 // corresponding entry(s) in the sec-V-bits table must also be set!
777 static INLINE
779 {
784 }
786 static INLINE
788 {
792 }
795 // Forward declarations
799 // Returns False if there was an addressability error.
800 static INLINE
802 {
806 // Addressable. Convert in-register format to in-memory format.
807 // Also remove any existing sec V bit entry for the byte if no
808 // longer necessary.
816 // Unaddressable! Do nothing -- when writing to unaddressable
817 // memory it acts as a black hole, and the V bits can never be seen
818 // again. So we don't have to write them at all.
820 }
822 }
824 // Returns False if there was an addressability error. In that case, we put
825 // all defined bits into vbits8.
826 static INLINE
828 {
832 // Convert the in-memory format to in-register format.
841 }
843 }
846 /* --------------- Secondary V bit table ------------ */
848 // This table holds the full V bit pattern for partially-defined bytes
849 // (PDBs) that are represented by VA_BITS2_PARTDEFINED in the main shadow
850 // memory.
851 //
852 // Note: the nodes in this table can become stale. Eg. if you write a PDB,
853 // then overwrite the same address with a fully defined byte, the sec-V-bit
854 // node will not necessarily be removed. This is because checking for
855 // whether removal is necessary would slow down the fast paths.
856 //
857 // To avoid the stale nodes building up too much, we periodically (once the
858 // table reaches a certain size) garbage collect (GC) the table by
859 // traversing it and evicting any nodes not having PDB.
860 // If more than a certain proportion of nodes survived, we increase the
861 // table size so that GCs occur less often.
862 //
863 // This policy is designed to avoid bad table bloat in the worst case where
864 // a program creates huge numbers of stale PDBs -- we would get this bloat
865 // if we had no GC -- while handling well the case where a node becomes
866 // stale but shortly afterwards is rewritten with a PDB and so becomes
867 // non-stale again (which happens quite often, eg. in perf/bz2). If we just
868 // remove all stale nodes as soon as possible, we just end up re-adding a
869 // lot of them in later again. The "sufficiently stale" approach avoids
870 // this. (If a program has many live PDBs, performance will just suck,
871 // there's no way around that.)
872 //
873 // Further comments, JRS 14 Feb 2012. It turns out that the policy of
874 // holding on to stale entries for 2 GCs before discarding them can lead
875 // to massive space leaks. So we're changing to an arrangement where
876 // lines are evicted as soon as they are observed to be stale during a
877 // GC. This also has a side benefit of allowing the sufficiently_stale
878 // field to be removed from the SecVBitNode struct, reducing its size by
879 // 8 bytes, which is a substantial space saving considering that the
880 // struct was previously 32 or so bytes, on a 64 bit target.
881 //
882 // In order to try and mitigate the problem that the "sufficiently stale"
883 // heuristic was designed to avoid, the table size is allowed to drift
884 // up ("DRIFTUP") slowly to 80000, even if the residency is low. This
885 // means that nodes will exist in the table longer on average, and hopefully
886 // will be deleted and re-added less frequently.
887 //
888 // The previous scaling up mechanism (now called STEPUP) is retained:
889 // if residency exceeds 50%, the table is scaled up, although by a
890 // factor sqrt(2) rather than 2 as before. This effectively doubles the
891 // frequency of GCs when there are many PDBs at reduces the tendency of
892 // stale PDBs to reside for long periods in the table.
896 // Stats
900 // This must be a power of two; this is checked in mc_pre_clo_init().
901 // The size chosen here is a trade-off: if the nodes are bigger (ie. cover
902 // a larger address range) they take more space but we can get multiple
903 // partially-defined bytes in one if they are close to each other, reducing
904 // the number of total nodes. In practice sometimes they are clustered (eg.
905 // perf/bz2 repeatedly writes then reads more than 20,000 in a contiguous
906 // row), but often not. So we choose something intermediate.
907 #define BYTES_PER_SEC_VBIT_NODE 16
909 // We make the table bigger by a factor of STEPUP_GROWTH_FACTOR if
910 // more than this many nodes survive a GC.
911 #define STEPUP_SURVIVOR_PROPORTION 0.5
912 #define STEPUP_GROWTH_FACTOR 1.414213562
914 // If the above heuristic doesn't apply, then we may make the table
915 // slightly bigger, by a factor of DRIFTUP_GROWTH_FACTOR, if more than
916 // this many nodes survive a GC, _and_ the total table size does
917 // not exceed a fixed limit. The numbers are somewhat arbitrary, but
918 // work tolerably well on long Firefox runs. The scaleup ratio of 1.5%
919 // effectively although gradually reduces residency and increases time
920 // between GCs for programs with small numbers of PDBs. The 80000 limit
921 // effectively limits the table size to around 2MB for programs with
922 // small numbers of PDBs, whilst giving a reasonably long lifetime to
923 // entries, to try and reduce the costs resulting from deleting and
924 // re-adding of entries.
925 #define DRIFTUP_SURVIVOR_PROPORTION 0.15
926 #define DRIFTUP_GROWTH_FACTOR 1.015
927 #define DRIFTUP_MAX_SIZE 80000
929 // We GC the table when it gets this many nodes in it, ie. it's effectively
930 // the table size. It can change.
933 // The number of GCs done, used to age sec-V-bit nodes for eviction.
934 // Because it's unsigned, wrapping doesn't matter -- the right answer will
935 // come out anyway.
938 typedef
940 Addr a;
942 }
943 SecVBitNode;
946 {
956 }
959 {
964 GCs_done++;
966 // Create the new table.
969 // Traverse the table, moving fresh nodes into the new table.
972 // Keep node if any of its bytes are non-stale. Using
973 // get_vabits2() for the lookup is not very efficient, but I don't
974 // think it matters.
977 // Found a non-stale byte, so keep =>
978 // Insert a copy of the node into the new table.
984 }
985 }
986 }
988 // Get the before and after sizes.
992 // Destroy the old table, and put the new one in its place.
999 }
1001 // Increase table size if necessary.
1008 secVBitLimit);
1009 }
1010 else
1018 secVBitLimit);
1019 }
1020 }
1023 {
1027 UChar vbits8;
1029 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1030 // make it to the secondary V bits table.
1034 }
1037 {
1041 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1042 // make it to the secondary V bits table.
1046 sec_vbits_updates++;
1048 // Do a table GC if necessary. Nb: do this before creating and
1049 // inserting the new node, to avoid erroneously GC'ing the new node.
1052 }
1054 // New node: assign the specific byte, make the rest invalid (they
1055 // should never be read as-is, but be cautious).
1060 }
1063 // Insert the new node.
1065 sec_vbits_new_nodes++;
1070 }
1071 }
1073 /* --------------- Endianness helpers --------------- */
1075 /* Returns the offset in memory of the byteno-th most significant byte
1076 in a wordszB-sized word, given the specified endianness. */
1078 UWord byteno ) {
1080 }
1083 /* --------------- Ignored address ranges --------------- */
1085 /* Denotes the address-error-reportability status for address ranges:
1086 IAR_NotIgnored: the usual case -- report errors in this range
1087 IAR_CommandLine: don't report errors -- from command line setting
1088 IAR_ClientReq: don't report errors -- from client request
1089 */
1090 typedef
1092 IAR_NotIgnored,
1093 IAR_CommandLine,
1094 IAR_ClientReq }
1095 IARKind;
1098 {
1105 }
1106 }
1108 // RangeMap<IARKind>
1112 {
1117 }
1120 {
1133 }
1135 /*NOTREACHED*/
1136 }
1139 {
1148 /* Bizarre. We have a wraparound situation. What should we do? */
1151 /* This is the expected case. */
1154 else
1156 }
1157 /*NOTREACHED*/
1159 }
1161 /* Parse two Addrs (in hex) separated by a dash, or fail. */
1164 {
1175 }
1177 /* Parse two UInts (32 bit unsigned, in decimal) separated by a dash,
1178 or fail. */
1181 {
1192 }
1194 /* Parse a set of ranges separated by commas into 'ignoreRanges', or
1195 fail. If they are valid, add them to the global set of ignored
1196 ranges. */
1198 {
1216 }
1217 /*NOTREACHED*/
1219 }
1221 /* Add or remove [start, +len) from the set of ignored ranges. */
1223 {
1228 }
1241 }
1245 UInt i;
1254 }
1255 }
1257 }
1260 /* --------------- Load/store slow cases. --------------- */
1262 static
1266 {
1272 Addr ai;
1273 UChar vbits8;
1274 Bool ok;
1276 /* Code below assumes load size is a power of two and at least 64
1277 bits. */
1280 /* If this triggers, you probably just need to increase the size of
1281 the pessim array. */
1287 }
1289 /* Make up a result V word, which contains the loaded data for
1290 valid addresses and Defined for invalid addresses. Iterate over
1291 the bytes in the word, from the most significant down to the
1292 least. The vbits to return are calculated into vbits128. Also
1293 compute the pessimising value to be used when
1294 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1295 info can be gleaned from the pessim array) but is used as a
1296 cross-check. */
1310 }
1313 }
1315 /* In the common case, all the addresses involved are valid, so we
1316 just return the computed V bits and have done. */
1320 /* If there's no possibility of getting a partial-loads-ok
1321 exemption, report the error and quit. */
1325 }
1327 /* The partial-loads-ok excemption might apply. Find out if it
1328 does. If so, don't report an addressing error, but do return
1329 Undefined for the bytes that are out of range, so as to avoid
1330 false negatives. If it doesn't apply, just report an addressing
1331 error in the usual way. */
1333 /* Some code steps along byte strings in aligned chunks
1334 even when there is only a partially defined word at the end (eg,
1335 optimised strlen). This is allowed by the memory model of
1336 modern machines, since an aligned load cannot span two pages and
1337 thus cannot "partially fault".
1339 Therefore, a load from a partially-addressible place is allowed
1340 if all of the following hold:
1341 - the command-line flag is set [by default, it isn't]
1342 - it's an aligned load
1343 - at least one of the addresses in the word *is* valid
1345 Since this suppresses the addressing error, we avoid false
1346 negatives by marking bytes undefined when they come from an
1347 invalid address.
1348 */
1350 /* "at least one of the addresses is invalid" */
1356 # if defined(VGP_s390x_linux)
1358 /* OK if all loaded bytes are from the same page. */
1360 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1361 /* lxvd2x might generate an unaligned 128 bit vector load. */
1363 # else
1364 /* OK if the address is aligned by the load size. */
1366 # endif
1369 /* Exemption applies. Use the previously computed pessimising
1370 value and return the combined result, but don't flag an
1371 addressing error. The pessimising value is Defined for valid
1372 addresses and Undefined for invalid addresses. */
1373 /* for assumption that doing bitwise or implements UifU */
1375 /* (really need "UifU" here...)
1376 vbits[j] UifU= pessim[j] (is pessimised by it, iow) */
1380 }
1382 /* Exemption doesn't apply. Flag an addressing error in the normal
1383 way. */
1385 }
1387 MC_MAIN_STATIC
1393 MC_MAIN_STATIC
1397 this function may get called from hand written assembly. */
1399 {
1402 /* ------------ BEGIN semi-fast cases ------------ */
1403 /* These deal quickly-ish with the common auxiliary primary map
1404 cases on 64-bit platforms. Are merely a speedup hack; can be
1405 omitted without loss of correctness/functionality. Note that in
1406 both cases the "sizeof(void*) == 8" causes these cases to be
1407 folded out by compilers on 32-bit platforms. These are derived
1408 from LOADV64 and LOADV32.
1409 */
1411 # if defined(VGA_mips64) && defined(VGABI_N32)
1413 # else
1415 # endif
1416 {
1424 /* else fall into the slow case */
1425 }
1427 # if defined(VGA_mips64) && defined(VGABI_N32)
1429 # else
1431 # endif
1432 {
1440 /* else fall into slow case */
1441 }
1443 /* ------------ END semi-fast cases ------------ */
1450 Addr ai;
1451 UChar vbits8;
1452 Bool ok;
1456 /* Make up a 64-bit result V word, which contains the loaded data
1457 for valid addresses and Defined for invalid addresses. Iterate
1458 over the bytes in the word, from the most significant down to
1459 the least. The vbits to return are calculated into vbits64.
1460 Also compute the pessimising value to be used when
1461 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1462 info can be gleaned from pessim64) but is used as a
1463 cross-check. */
1473 }
1475 /* In the common case, all the addresses involved are valid, so we
1476 just return the computed V bits and have done. */
1480 /* If there's no possibility of getting a partial-loads-ok
1481 exemption, report the error and quit. */
1485 }
1487 /* The partial-loads-ok excemption might apply. Find out if it
1488 does. If so, don't report an addressing error, but do return
1489 Undefined for the bytes that are out of range, so as to avoid
1490 false negatives. If it doesn't apply, just report an addressing
1491 error in the usual way. */
1493 /* Some code steps along byte strings in aligned word-sized chunks
1494 even when there is only a partially defined word at the end (eg,
1495 optimised strlen). This is allowed by the memory model of
1496 modern machines, since an aligned load cannot span two pages and
1497 thus cannot "partially fault". Despite such behaviour being
1498 declared undefined by ANSI C/C++.
1500 Therefore, a load from a partially-addressible place is allowed
1501 if all of the following hold:
1502 - the command-line flag is set [by default, it isn't]
1503 - it's a word-sized, word-aligned load
1504 - at least one of the addresses in the word *is* valid
1506 Since this suppresses the addressing error, we avoid false
1507 negatives by marking bytes undefined when they come from an
1508 invalid address.
1509 */
1511 /* "at least one of the addresses is invalid" */
1514 # if defined(VGA_mips64) && defined(VGABI_N32)
1517 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1518 /* On power unaligned loads of words are OK. */
1520 # else
1523 # endif
1524 {
1525 /* Exemption applies. Use the previously computed pessimising
1526 value for vbits64 and return the combined result, but don't
1527 flag an addressing error. The pessimising value is Defined
1528 for valid addresses and Undefined for invalid addresses. */
1529 /* for assumption that doing bitwise or implements UifU */
1531 /* (really need "UifU" here...)
1532 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1535 }
1537 /* Also, in appears that gcc generates string-stepping code in
1538 32-bit chunks on 64 bit platforms. So, also grant an exception
1539 for this case. Note that the first clause of the conditional
1540 (VG_WORDSIZE == 8) is known at compile time, so the whole clause
1541 will get folded out in 32 bit builds. */
1542 # if defined(VGA_mips64) && defined(VGABI_N32)
1545 # else
1548 # endif
1549 {
1551 /* (really need "UifU" here...)
1552 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1554 /* Mark the upper 32 bits as undefined, just to be on the safe
1555 side. */
1558 }
1560 /* Exemption doesn't apply. Flag an addressing error in the normal
1561 way. */
1565 }
1568 static
1571 {
1574 UChar vbits8;
1575 Addr ai;
1576 Bool ok;
1580 /* ------------ BEGIN semi-fast cases ------------ */
1581 /* These deal quickly-ish with the common auxiliary primary map
1582 cases on 64-bit platforms. Are merely a speedup hack; can be
1583 omitted without loss of correctness/functionality. Note that in
1584 both cases the "sizeof(void*) == 8" causes these cases to be
1585 folded out by compilers on 32-bit platforms. The logic below
1586 is somewhat similar to some cases extensively commented in
1587 MC_(helperc_STOREV8).
1588 */
1589 # if defined(VGA_mips64) && defined(VGABI_N32)
1591 # else
1593 # endif
1594 {
1601 /* Handle common case quickly: a is suitably aligned, */
1602 /* is mapped, and is addressible. */
1603 // Convert full V-bits in register to compact 2-bit form.
1610 }
1611 /* else fall into the slow case */
1612 }
1613 /* else fall into the slow case */
1614 }
1616 # if defined(VGA_mips64) && defined(VGABI_N32)
1618 # else
1620 # endif
1621 {
1628 /* Handle common case quickly: a is suitably aligned, */
1629 /* is mapped, and is addressible. */
1630 // Convert full V-bits in register to compact 2-bit form.
1637 }
1638 /* else fall into the slow case */
1639 }
1640 /* else fall into the slow case */
1641 }
1642 /* ------------ END semi-fast cases ------------ */
1646 /* Dump vbytes in memory, iterating from least to most significant
1647 byte. At the same time establish addressibility of the location. */
1655 }
1657 /* If an address error has happened, report it. */
1660 }
1663 /*------------------------------------------------------------*/
1664 /*--- Setting permissions over address ranges. ---*/
1665 /*------------------------------------------------------------*/
1668 UWord dsm_num )
1669 {
1673 Addr aNext;
1680 /* Check the V+A bits make sense. */
1685 // This code should never write PDBs; ensure this. (See comment above
1686 // set_vabits2().)
1701 }
1702 }
1704 #ifndef PERF_FAST_SARP
1705 /*------------------ debug-only case ------------------ */
1706 {
1707 // Endianness doesn't matter here because all bytes are being set to
1708 // the same value.
1709 // Nb: We don't have to worry about updating the sec-V-bits table
1710 // after these set_vabits2() calls because this code never writes
1711 // VA_BITS2_PARTDEFINED values.
1712 SizeT i;
1715 }
1717 }
1718 #endif
1720 /*------------------ standard handling ------------------ */
1722 /* Get the distinguished secondary that we might want
1723 to use (part of the space-compression scheme). */
1726 // We have to handle ranges covering various combinations of partial and
1727 // whole sec-maps. Here is how parts 1, 2 and 3 are used in each case.
1728 // Cases marked with a '*' are common.
1729 //
1730 // TYPE PARTS USED
1731 // ---- ----------
1732 // * one partial sec-map (p) 1
1733 // - one whole sec-map (P) 2
1734 //
1735 // * two partial sec-maps (pp) 1,3
1736 // - one partial, one whole sec-map (pP) 1,2
1737 // - one whole, one partial sec-map (Pp) 2,3
1738 // - two whole sec-maps (PP) 2,2
1739 //
1740 // * one partial, one whole, one partial (pPp) 1,2,3
1741 // - one partial, two whole (pPP) 1,2,2
1742 // - two whole, one partial (PPp) 2,2,3
1743 // - three whole (PPP) 2,2,2
1744 //
1745 // * one partial, N-2 whole, one partial (pP...Pp) 1,2...2,3
1746 // - one partial, N-1 whole (pP...PP) 1,2...2,2
1747 // - N-1 whole, one partial (PP...Pp) 2,2...2,3
1748 // - N whole (PP...PP) 2,2...2,3
1750 // Break up total length (lenT) into two parts: length in the first
1751 // sec-map (lenA), and the rest (lenB); lenT == lenA + lenB.
1755 // Range entirely within one sec-map. Covers almost all cases.
1760 // Range spans at least one whole sec-map, and starts at the beginning
1761 // of a sec-map; skip to Part 2.
1767 // Range spans two or more sec-maps, first one is partial.
1771 }
1773 //------------------------------------------------------------------------
1774 // Part 1: Deal with the first sec_map. Most of the time the range will be
1775 // entirely within a sec_map and this part alone will suffice. Also,
1776 // doing it this way lets us avoid repeatedly testing for the crossing of
1777 // a sec-map boundary within these loops.
1778 //------------------------------------------------------------------------
1780 // If it's distinguished, make it undistinguished if necessary.
1784 // Sec-map already has the V+A bits that we want, so skip.
1791 }
1792 }
1795 // 1 byte steps
1804 }
1805 // 8-aligned, 8 byte steps
1813 }
1814 // 1 byte steps
1822 }
1824 // We've finished the first sec-map. Is that it?
1828 //------------------------------------------------------------------------
1829 // Part 2: Fast-set entire sec-maps at a time.
1830 //------------------------------------------------------------------------
1831 part2:
1832 // 64KB-aligned, 64KB steps.
1833 // Nb: we can reach here with lenB < SM_SIZE
1842 // Free the non-distinguished sec-map that we're replacing. This
1843 // case happens moderately often, enough to be worthwhile.
1846 }
1848 // Make the sec-map entry point to the example DSM
1852 }
1854 // We've finished the whole sec-maps. Is that it?
1858 //------------------------------------------------------------------------
1859 // Part 3: Finish off the final partial sec-map, if necessary.
1860 //------------------------------------------------------------------------
1864 // If it's distinguished, make it undistinguished if necessary.
1868 // Sec-map already has the V+A bits that we want, so stop.
1874 }
1875 }
1878 // 8-aligned, 8 byte steps
1886 }
1887 // 1 byte steps
1895 }
1896 }
1899 /* --- Set permissions for arbitrary address ranges --- */
1902 {
1908 }
1911 {
1915 }
1918 {
1924 }
1926 static
1929 {
1930 UInt ecu;
1932 /* VG_(record_ExeContext) checks for validity of tid, and asserts
1933 if it is invalid. So no need to do it here. */
1940 }
1942 static
1944 {
1946 }
1948 static
1950 {
1952 }
1955 {
1961 }
1965 {
1967 }
1969 /* For each byte in [a,a+len), if the byte is addressable, make it be
1970 defined, but if it isn't addressible, leave it alone. In other
1971 words a version of MC_(make_mem_defined) that doesn't mess with
1972 addressibility. Low-performance implementation. */
1974 {
1975 SizeT i;
1976 UChar vabits2;
1984 }
1985 }
1986 }
1987 }
1989 /* Similarly (needed for mprotect handling ..) */
1991 {
1992 SizeT i;
1993 UChar vabits2;
2001 }
2002 }
2003 }
2004 }
2006 /* --- Block-copy permissions (needed for implementing realloc() and
2007 sys_mremap). --- */
2010 {
2026 /* Vectorised fast case, when no overlap and suitably aligned */
2027 /* vector loop */
2035 /* do nothing */
2037 /* have to copy secondary map info */
2046 }
2049 }
2050 /* fixup loop */
2056 }
2057 i++;
2058 len--;
2059 }
2063 /* We have to do things the slow way */
2071 }
2072 }
2073 }
2082 }
2083 }
2084 }
2085 }
2087 }
2090 /*------------------------------------------------------------*/
2091 /*--- Origin tracking stuff - cache basics ---*/
2092 /*------------------------------------------------------------*/
2094 /* AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
2095 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2097 Note that this implementation draws inspiration from the "origin
2098 tracking by value piggybacking" scheme described in "Tracking Bad
2099 Apples: Reporting the Origin of Null and Undefined Value Errors"
2100 (Michael Bond, Nicholas Nethercote, Stephen Kent, Samuel Guyer,
2101 Kathryn McKinley, OOPSLA07, Montreal, Oct 2007) but in fact it is
2102 implemented completely differently.
2104 Origin tags and ECUs -- about the shadow values
2105 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2107 This implementation tracks the defining point of all uninitialised
2108 values using so called "origin tags", which are 32-bit integers,
2109 rather than using the values themselves to encode the origins. The
2110 latter, so-called value piggybacking", is what the OOPSLA07 paper
2111 describes.
2113 Origin tags, as tracked by the machinery below, are 32-bit unsigned
2114 ints (UInts), regardless of the machine's word size. Each tag
2115 comprises an upper 30-bit ECU field and a lower 2-bit
2116 'kind' field. The ECU field is a number given out by m_execontext
2117 and has a 1-1 mapping with ExeContext*s. An ECU can be used
2118 directly as an origin tag (otag), but in fact we want to put
2119 additional information 'kind' field to indicate roughly where the
2120 tag came from. This helps print more understandable error messages
2121 for the user -- it has no other purpose. In summary:
2123 * Both ECUs and origin tags are represented as 32-bit words
2125 * m_execontext and the core-tool interface deal purely in ECUs.
2126 They have no knowledge of origin tags - that is a purely
2127 Memcheck-internal matter.
2129 * all valid ECUs have the lowest 2 bits zero and at least
2130 one of the upper 30 bits nonzero (see VG_(is_plausible_ECU))
2132 * to convert from an ECU to an otag, OR in one of the MC_OKIND_
2133 constants defined in mc_include.h.
2135 * to convert an otag back to an ECU, AND it with ~3
2137 One important fact is that no valid otag is zero. A zero otag is
2138 used by the implementation to indicate "no origin", which could
2139 mean that either the value is defined, or it is undefined but the
2140 implementation somehow managed to lose the origin.
2142 The ECU used for memory created by malloc etc is derived from the
2143 stack trace at the time the malloc etc happens. This means the
2144 mechanism can show the exact allocation point for heap-created
2145 uninitialised values.
2147 In contrast, it is simply too expensive to create a complete
2148 backtrace for each stack allocation. Therefore we merely use a
2149 depth-1 backtrace for stack allocations, which can be done once at
2150 translation time, rather than N times at run time. The result of
2151 this is that, for stack created uninitialised values, Memcheck can
2152 only show the allocating function, and not what called it.
2153 Furthermore, compilers tend to move the stack pointer just once at
2154 the start of the function, to allocate all locals, and so in fact
2155 the stack origin almost always simply points to the opening brace
2156 of the function. Net result is, for stack origins, the mechanism
2157 can tell you in which function the undefined value was created, but
2158 that's all. Users will need to carefully check all locals in the
2159 specified function.
2161 Shadowing registers and memory
2162 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2164 Memory is shadowed using a two level cache structure (ocacheL1 and
2165 ocacheL2). Memory references are first directed to ocacheL1. This
2166 is a traditional 2-way set associative cache with 32-byte lines and
2167 approximate LRU replacement within each set.
2169 A naive implementation would require storing one 32 bit otag for
2170 each byte of memory covered, a 4:1 space overhead. Instead, there
2171 is one otag for every 4 bytes of memory covered, plus a 4-bit mask
2172 that shows which of the 4 bytes have that shadow value and which
2173 have a shadow value of zero (indicating no origin). Hence a lot of
2174 space is saved, but the cost is that only one different origin per
2175 4 bytes of address space can be represented. This is a source of
2176 imprecision, but how much of a problem it really is remains to be
2177 seen.
2179 A cache line that contains all zeroes ("no origins") contains no
2180 useful information, and can be ejected from the L1 cache "for
2181 free", in the sense that a read miss on the L1 causes a line of
2182 zeroes to be installed. However, ejecting a line containing
2183 nonzeroes risks losing origin information permanently. In order to
2184 prevent such lossage, ejected nonzero lines are placed in a
2185 secondary cache (ocacheL2), which is an OSet (AVL tree) of cache
2186 lines. This can grow arbitrarily large, and so should ensure that
2187 Memcheck runs out of memory in preference to losing useful origin
2188 info due to cache size limitations.
2190 Shadowing registers is a bit tricky, because the shadow values are
2191 32 bits, regardless of the size of the register. That gives a
2192 problem for registers smaller than 32 bits. The solution is to
2193 find spaces in the guest state that are unused, and use those to
2194 shadow guest state fragments smaller than 32 bits. For example, on
2195 ppc32/64, each vector register is 16 bytes long. If 4 bytes of the
2196 shadow are allocated for the register's otag, then there are still
2197 12 bytes left over which could be used to shadow 3 other values.
2199 This implies there is some non-obvious mapping from guest state
2200 (start,length) pairs to the relevant shadow offset (for the origin
2201 tags). And it is unfortunately guest-architecture specific. The
2202 mapping is contained in mc_machine.c, which is quite lengthy but
2203 straightforward.
2205 Instrumenting the IR
2206 ~~~~~~~~~~~~~~~~~~~~
2208 Instrumentation is largely straightforward, and done by the
2209 functions schemeE and schemeS in mc_translate.c. These generate
2210 code for handling the origin tags of expressions (E) and statements
2211 (S) respectively. The rather strange names are a reference to the
2212 "compilation schemes" shown in Simon Peyton Jones' book "The
2213 Implementation of Functional Programming Languages" (Prentice Hall,
2214 1987, see
2215 http://research.microsoft.com/~simonpj/papers/slpj-book-1987/index.htm).
2217 schemeS merely arranges to move shadow values around the guest
2218 state to track the incoming IR. schemeE is largely trivial too.
2219 The only significant point is how to compute the otag corresponding
2220 to binary (or ternary, quaternary, etc) operator applications. The
2221 rule is simple: just take whichever value is larger (32-bit
2222 unsigned max). Constants get the special value zero. Hence this
2223 rule always propagates a nonzero (known) otag in preference to a
2224 zero (unknown, or more likely, value-is-defined) tag, as we want.
2225 If two different undefined values are inputs to a binary operator
2226 application, then which is propagated is arbitrary, but that
2227 doesn't matter, since the program is erroneous in using either of
2228 the values, and so there's no point in attempting to propagate
2229 both.
2231 Since constants are abstracted to (otag) zero, much of the
2232 instrumentation code can be folded out without difficulty by the
2233 generic post-instrumentation IR cleanup pass, using these rules:
2234 Max32U(0,x) -> x, Max32U(x,0) -> x, Max32(x,y) where x and y are
2235 constants is evaluated at JIT time. And the resulting dead code
2236 removal. In practice this causes surprisingly few Max32Us to
2237 survive through to backend code generation.
2239 Integration with the V-bits machinery
2240 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2242 This is again largely straightforward. Mostly the otag and V bits
2243 stuff are independent. The only point of interaction is when the V
2244 bits instrumenter creates a call to a helper function to report an
2245 uninitialised value error -- in that case it must first use schemeE
2246 to get hold of the origin tag expression for the value, and pass
2247 that to the helper too.
2249 There is the usual stuff to do with setting address range
2250 permissions. When memory is painted undefined, we must also know
2251 the origin tag to paint with, which involves some tedious plumbing,
2252 particularly to do with the fast case stack handlers. When memory
2253 is painted defined or noaccess then the origin tags must be forced
2254 to zero.
2256 One of the goals of the implementation was to ensure that the
2257 non-origin tracking mode isn't slowed down at all. To do this,
2258 various functions to do with memory permissions setting (again,
2259 mostly pertaining to the stack) are duplicated for the with- and
2260 without-otag case.
2262 Dealing with stack redzones, and the NIA cache
2263 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2265 This is one of the few non-obvious parts of the implementation.
2267 Some ABIs (amd64-ELF, ppc64-ELF, ppc32/64-XCOFF) define a small
2268 reserved area below the stack pointer, that can be used as scratch
2269 space by compiler generated code for functions. In the Memcheck
2270 sources this is referred to as the "stack redzone". The important
2271 thing here is that such redzones are considered volatile across
2272 function calls and returns. So Memcheck takes care to mark them as
2273 undefined for each call and return, on the afflicted platforms.
2274 Past experience shows this is essential in order to get reliable
2275 messages about uninitialised values that come from the stack.
2277 So the question is, when we paint a redzone undefined, what origin
2278 tag should we use for it? Consider a function f() calling g(). If
2279 we paint the redzone using an otag derived from the ExeContext of
2280 the CALL/BL instruction in f, then any errors in g causing it to
2281 use uninitialised values that happen to lie in the redzone, will be
2282 reported as having their origin in f. Which is highly confusing.
2284 The same applies for returns: if, on a return, we paint the redzone
2285 using a origin tag derived from the ExeContext of the RET/BLR
2286 instruction in g, then any later errors in f causing it to use
2287 uninitialised values in the redzone, will be reported as having
2288 their origin in g. Which is just as confusing.
2290 To do it right, in both cases we need to use an origin tag which
2291 pertains to the instruction which dynamically follows the CALL/BL
2292 or RET/BLR. In short, one derived from the NIA - the "next
2293 instruction address".
2295 To make this work, Memcheck's redzone-painting helper,
2296 MC_(helperc_MAKE_STACK_UNINIT), now takes a third argument, the
2297 NIA. It converts the NIA to a 1-element ExeContext, and uses that
2298 ExeContext's ECU as the basis for the otag used to paint the
2299 redzone. The expensive part of this is converting an NIA into an
2300 ECU, since this happens once for every call and every return. So
2301 we use a simple 511-line, 2-way set associative cache
2302 (nia_to_ecu_cache) to cache the mappings, and that knocks most of
2303 the cost out.
2305 Further background comments
2306 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2308 > Question: why is otag a UInt? Wouldn't a UWord be better? Isn't
2309 > it really just the address of the relevant ExeContext?
2311 Well, it's not the address, but a value which has a 1-1 mapping
2312 with ExeContexts, and is guaranteed not to be zero, since zero
2313 denotes (to memcheck) "unknown origin or defined value". So these
2314 UInts are just numbers starting at 4 and incrementing by 4; each
2315 ExeContext is given a number when it is created. (*** NOTE this
2316 confuses otags and ECUs; see comments above ***).
2318 Making these otags 32-bit regardless of the machine's word size
2319 makes the 64-bit implementation easier (next para). And it doesn't
2320 really limit us in any way, since for the tags to overflow would
2321 require that the program somehow caused 2^30-1 different
2322 ExeContexts to be created, in which case it is probably in deep
2323 trouble. Not to mention V will have soaked up many tens of
2324 gigabytes of memory merely to store them all.
2326 So having 64-bit origins doesn't really buy you anything, and has
2327 the following downsides:
2329 Suppose that instead, an otag is a UWord. This would mean that, on
2330 a 64-bit target,
2332 1. It becomes hard to shadow any element of guest state which is
2333 smaller than 8 bytes. To do so means you'd need to find some
2334 8-byte-sized hole in the guest state which you don't want to
2335 shadow, and use that instead to hold the otag. On ppc64, the
2336 condition code register(s) are split into 20 UChar sized pieces,
2337 all of which need to be tracked (guest_XER_SO .. guest_CR7_0)
2338 and so that would entail finding 160 bytes somewhere else in the
2339 guest state.
2341 Even on x86, I want to track origins for %AH .. %DH (bits 15:8
2342 of %EAX .. %EDX) that are separate from %AL .. %DL (bits 7:0 of
2343 same) and so I had to look for 4 untracked otag-sized areas in
2344 the guest state to make that possible.
2346 The same problem exists of course when origin tags are only 32
2347 bits, but it's less extreme.
2349 2. (More compelling) it doubles the size of the origin shadow
2350 memory. Given that the shadow memory is organised as a fixed
2351 size cache, and that accuracy of tracking is limited by origins
2352 falling out the cache due to space conflicts, this isn't good.
2354 > Another question: is the origin tracking perfect, or are there
2355 > cases where it fails to determine an origin?
2357 It is imperfect for at least for the following reasons, and
2358 probably more:
2360 * Insufficient capacity in the origin cache. When a line is
2361 evicted from the cache it is gone forever, and so subsequent
2362 queries for the line produce zero, indicating no origin
2363 information. Interestingly, a line containing all zeroes can be
2364 evicted "free" from the cache, since it contains no useful
2365 information, so there is scope perhaps for some cleverer cache
2366 management schemes. (*** NOTE, with the introduction of the
2367 second level origin tag cache, ocacheL2, this is no longer a
2368 problem. ***)
2370 * The origin cache only stores one otag per 32-bits of address
2371 space, plus 4 bits indicating which of the 4 bytes has that tag
2372 and which are considered defined. The result is that if two
2373 undefined bytes in the same word are stored in memory, the first
2374 stored byte's origin will be lost and replaced by the origin for
2375 the second byte.
2377 * Nonzero origin tags for defined values. Consider a binary
2378 operator application op(x,y). Suppose y is undefined (and so has
2379 a valid nonzero origin tag), and x is defined, but erroneously
2380 has a nonzero origin tag (defined values should have tag zero).
2381 If the erroneous tag has a numeric value greater than y's tag,
2382 then the rule for propagating origin tags though binary
2383 operations, which is simply to take the unsigned max of the two
2384 tags, will erroneously propagate x's tag rather than y's.
2386 * Some obscure uses of x86/amd64 byte registers can cause lossage
2387 or confusion of origins. %AH .. %DH are treated as different
2388 from, and unrelated to, their parent registers, %EAX .. %EDX.
2389 So some weird sequences like
2391 movb undefined-value, %AH
2392 movb defined-value, %AL
2393 .. use %AX or %EAX ..
2395 will cause the origin attributed to %AH to be ignored, since %AL,
2396 %AX, %EAX are treated as the same register, and %AH as a
2397 completely separate one.
2399 But having said all that, it actually seems to work fairly well in
2400 practice.
2401 */
2416 /* Cache of 32-bit values, one every 32 bits of address space */
2418 #define OC_BITS_PER_LINE 5
2419 #define OC_W32S_PER_LINE (1 << (OC_BITS_PER_LINE - 2))
2423 }
2426 }
2428 #define OC_LINES_PER_SET 2
2430 #define OC_N_SET_BITS 20
2431 #define OC_N_SETS (1 << OC_N_SET_BITS)
2433 /* These settings give:
2434 64 bit host: ocache: 100,663,296 sizeB 67,108,864 useful
2435 32 bit host: ocache: 92,274,688 sizeB 67,108,864 useful
2436 */
2438 #define OC_MOVE_FORWARDS_EVERY_BITS 7
2441 /* Originally (pre Dec 2021) it was the case that this code had a
2442 parameterizable cache line size, set by changing OC_BITS_PER_LINE.
2443 However, as a result of the speedup fixes necessitated by bug 446103, that
2444 is no longer really the case, and much of the L1 and L2 cache code has been
2445 tuned specifically for the case OC_BITS_PER_LINE == 5 (that is, the line
2446 size is 32 bytes). Changing that would require a bunch of re-tuning
2447 effort. So let's set it in stone for now. */
2451 /* Fundamentally we want an OCacheLine structure (see below) as follows:
2452 struct {
2453 Addr tag;
2454 UInt w32 [OC_W32S_PER_LINE];
2455 UChar descr[OC_W32S_PER_LINE];
2456 }
2457 However, in various places, we want to set the w32[] and descr[] arrays to
2458 zero, or check if they are zero. This can be a very hot path (per bug
2459 446103). So, instead, we have a union which is either those two arrays
2460 (OCacheLine_Main) or simply an array of ULongs (OCacheLine_W64s). For the
2461 set-zero/test-zero operations, the OCacheLine_W64s are used.
2462 */
2464 // To ensure that OCacheLine.descr[] will fit in an integral number of ULongs.
2472 typedef
2475 typedef
2479 }
2480 OCacheLine_Main;
2484 typedef
2486 Addr tag;
2488 OCacheLine_W64s w64s;
2489 OCacheLine_Main main;
2491 }
2492 OCacheLine;
2494 /* Classify and also sanity-check 'line'. Return 'e' (empty) if not
2495 in use, 'n' (nonzero) if it contains at least one valid origin tag,
2496 and 'z' if all the represented tags are zero. */
2498 {
2499 UWord i;
2504 // BEGIN fast special-case of the test loop below. This will detect
2505 // zero-ness (case 'z') for a subset of cases that the loop below will,
2506 // hence is safe.
2512 }
2515 }
2516 // END fast special-case of the test loop below.
2522 }
2524 }
2526 typedef
2529 }
2530 OCacheSet;
2532 typedef
2535 }
2536 OCache;
2543 {
2551 }
2557 }
2558 }
2560 }
2563 {
2564 OCacheLine tmp;
2565 stats_ocacheL1_movefwds++;
2570 }
2573 UWord i;
2575 // BEGIN fast special-case of the loop below
2582 // END fast special-case of the loop below
2588 }
2589 }
2591 }
2593 //////////////////////////////////////////////////////////////
2594 //// OCache backing store
2596 // The backing store for ocacheL1 is, conceptually, an AVL tree of lines that
2597 // got ejected from the L1 (a "victim cache"), and which actually contain
2598 // useful info -- that is, for which classify_OCacheLine would return 'n' and
2599 // no other value. However, the tree can grow large, and searching/updating
2600 // it can be hot paths. Hence we "take out" 12 significant bits of the key by
2601 // having 4096 trees, and select one using HASH_OCACHE_TAG.
2602 //
2603 // What that hash function returns isn't important so long as it is a pure
2604 // function of the tag values, and is < 4096. However, it is critical for
2605 // performance of long SARPs. Hence the extra shift of 11 bits. This means
2606 // each tree conceptually is assigned to contiguous sequences of 2048 lines in
2607 // the "line address space", giving some locality of reference when scanning
2608 // linearly through address space, as is done by a SARP. Changing that 11 to
2609 // 0 gives terrible performance on long SARPs, presumably because each new
2610 // line is in a different tree, hence we wind up thrashing the (CPU's) caches.
2611 //
2612 // On 32-bit targets, we have to be a bit careful not to shift out so many
2613 // bits that not all 2^12 trees get used. That leads to the constraint
2614 // (OC_BITS_PER_LINE + 11 + 12) < 32. Note that the 11 is the only thing we
2615 // can change here. In this case we have OC_BITS_PER_LINE == 5, hence the
2616 // inequality is (28 < 32) and so we're good.
2617 //
2618 // The value 11 was determined empirically from various Firefox runs. 10 or
2619 // 12 also work pretty well.
2626 }
2630 }
2633 }
2635 /* Stats: # nodes currently in tree */
2639 {
2648 }
2650 }
2652 /* Find line with the given tag in the tree, or NULL if not found. */
2654 {
2657 stats__ocacheL2_finds++;
2661 }
2663 /* Delete the line with the given tag from the tree, if it is present, and
2664 free up the associated memory. */
2666 {
2669 stats__ocacheL2_dels++;
2675 stats__ocacheL2_n_nodes--;
2676 }
2677 }
2679 /* Add a copy of the given line to the tree. It must not already be
2680 present. */
2682 {
2688 stats__ocacheL2_adds++;
2690 stats__ocacheL2_n_nodes++;
2693 }
2695 ////
2696 //////////////////////////////////////////////////////////////
2700 {
2702 UChar c;
2703 UWord line;
2709 /* we already tried line == 0; skip therefore. */
2713 stats_ocacheL1_found_at_1++;
2715 stats_ocacheL1_found_at_N++;
2716 }
2720 line--;
2721 }
2723 }
2724 }
2726 /* A miss. Use the last slot. Implicitly this means we're
2727 ejecting the line in the last slot. */
2728 stats_ocacheL1_misses++;
2730 line--;
2733 /* First, move the to-be-ejected line to the L2 cache. */
2738 /* the line is empty (has invalid tag); ignore it. */
2741 /* line contains zeroes. We must ensure the backing store is
2742 updated accordingly, either by copying the line there
2743 verbatim, or by ensuring it isn't present there. We
2744 choose the latter on the basis that it reduces the size of
2745 the backing store. */
2749 /* line contains at least one real, useful origin. Copy it
2750 to the backing store. */
2751 stats_ocacheL1_lossage++;
2757 }
2761 }
2763 /* Now we must reload the L1 cache from the backing tree, if
2764 possible. */
2768 /* We're in luck. It's in the L2. */
2771 /* Missed at both levels of the cache hierarchy. We have to
2772 declare it as full of zeroes (unknown origins). */
2773 stats__ocacheL2_misses++;
2775 }
2777 /* Move it one forwards */
2779 line--;
2782 }
2785 {
2790 stats_ocacheL1_find++;
2795 }
2799 }
2802 }
2805 {
2806 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2807 //// Set the origins for a+0 .. a+7
2813 }
2819 }
2820 //// END inlined, specialised version of MC_(helperc_b_store8)
2821 }
2824 /*------------------------------------------------------------*/
2825 /*--- Aligned fast case permission setters, ---*/
2826 /*--- for dealing with stacks ---*/
2827 /*------------------------------------------------------------*/
2829 /*--------------------- 32-bit ---------------------*/
2831 /* Nb: by "aligned" here we mean 4-byte aligned */
2834 {
2837 #ifndef PERF_FAST_STACK2
2839 #else
2840 {
2841 UWord sm_off;
2848 }
2853 }
2854 #endif
2855 }
2857 static INLINE
2859 {
2861 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2862 //// Set the origins for a+0 .. a+3
2867 }
2871 }
2872 //// END inlined, specialised version of MC_(helperc_b_store4)
2873 }
2875 static INLINE
2877 {
2880 #ifndef PERF_FAST_STACK2
2882 #else
2883 {
2884 UWord sm_off;
2891 }
2897 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2898 //// Set the origins for a+0 .. a+3.
2904 }
2907 }
2908 //// END inlined, specialised version of MC_(helperc_b_store4)
2909 }
2910 #endif
2911 }
2913 /*--------------------- 64-bit ---------------------*/
2915 /* Nb: by "aligned" here we mean 8-byte aligned */
2918 {
2921 #ifndef PERF_FAST_STACK2
2923 #else
2924 {
2925 UWord sm_off16;
2932 }
2937 }
2938 #endif
2939 }
2941 static INLINE
2943 {
2945 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2946 //// Set the origins for a+0 .. a+7
2956 }
2957 //// END inlined, specialised version of MC_(helperc_b_store8)
2958 }
2960 static INLINE
2962 {
2965 #ifndef PERF_FAST_STACK2
2967 #else
2968 {
2969 UWord sm_off16;
2976 }
2982 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2983 //// Clear the origins for a+0 .. a+7.
2991 }
2992 //// END inlined, specialised version of MC_(helperc_b_store8)
2993 }
2994 #endif
2995 }
2998 /*------------------------------------------------------------*/
2999 /*--- Stack pointer adjustment ---*/
3000 /*------------------------------------------------------------*/
3002 #ifdef PERF_FAST_STACK
3003 # define MAYBE_USED
3004 #else
3005 # define MAYBE_USED __attribute__((unused))
3006 #endif
3008 /*--------------- adjustment by 4 bytes ---------------*/
3010 MAYBE_USED
3012 {
3019 }
3020 }
3022 MAYBE_USED
3024 {
3030 }
3031 }
3033 MAYBE_USED
3035 {
3041 }
3042 }
3044 /*--------------- adjustment by 8 bytes ---------------*/
3046 MAYBE_USED
3048 {
3058 }
3059 }
3061 MAYBE_USED
3063 {
3072 }
3073 }
3075 MAYBE_USED
3077 {
3086 }
3087 }
3089 /*--------------- adjustment by 12 bytes ---------------*/
3091 MAYBE_USED
3093 {
3100 /* from previous test we don't have 8-alignment at offset +0,
3101 hence must have 8 alignment at offsets +4/-4. Hence safe to
3102 do 4 at +0 and then 8 at +4/. */
3107 }
3108 }
3110 MAYBE_USED
3112 {
3118 /* from previous test we don't have 8-alignment at offset +0,
3119 hence must have 8 alignment at offsets +4/-4. Hence safe to
3120 do 4 at +0 and then 8 at +4/. */
3125 }
3126 }
3128 MAYBE_USED
3130 {
3132 /* Note the -12 in the test */
3134 /* We have 8-alignment at -12, hence ok to do 8 at -12 and 4 at
3135 -4. */
3139 /* We have 4-alignment at +0, but we don't have 8-alignment at
3140 -12. So we must have 8-alignment at -8. Hence do 4 at -12
3141 and then 8 at -8. */
3146 }
3147 }
3149 /*--------------- adjustment by 16 bytes ---------------*/
3151 MAYBE_USED
3153 {
3157 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3161 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3162 Hence do 4 at +0, 8 at +4, 4 at +12. */
3168 }
3169 }
3171 MAYBE_USED
3173 {
3176 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3180 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3181 Hence do 4 at +0, 8 at +4, 4 at +12. */
3187 }
3188 }
3190 MAYBE_USED
3192 {
3195 /* Have 8-alignment at +0, hence do 8 at -16 and 8 at -8. */
3199 /* 8 alignment must be at -12. Do 4 at -16, 8 at -12, 4 at -4. */
3205 }
3206 }
3208 /*--------------- adjustment by 32 bytes ---------------*/
3210 MAYBE_USED
3212 {
3216 /* Straightforward */
3222 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3223 +0,+28. */
3231 }
3232 }
3234 MAYBE_USED
3236 {
3239 /* Straightforward */
3245 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3246 +0,+28. */
3254 }
3255 }
3257 MAYBE_USED
3259 {
3262 /* Straightforward */
3268 /* 8 alignment must be at -4 etc. Hence do 8 at -12,-20,-28 and
3269 4 at -32,-4. */
3277 }
3278 }
3280 /*--------------- adjustment by 112 bytes ---------------*/
3282 MAYBE_USED
3284 {
3304 }
3305 }
3307 MAYBE_USED
3309 {
3328 }
3329 }
3331 MAYBE_USED
3333 {
3352 }
3353 }
3355 /*--------------- adjustment by 128 bytes ---------------*/
3357 MAYBE_USED
3359 {
3381 }
3382 }
3384 MAYBE_USED
3386 {
3407 }
3408 }
3410 MAYBE_USED
3412 {
3433 }
3434 }
3436 /*--------------- adjustment by 144 bytes ---------------*/
3438 MAYBE_USED
3440 {
3464 }
3465 }
3467 MAYBE_USED
3469 {
3492 }
3493 }
3495 MAYBE_USED
3497 {
3520 }
3521 }
3523 /*--------------- adjustment by 160 bytes ---------------*/
3525 MAYBE_USED
3527 {
3553 }
3554 }
3556 MAYBE_USED
3558 {
3583 }
3584 }
3586 MAYBE_USED
3588 {
3613 }
3614 }
3616 /*--------------- adjustment by N bytes ---------------*/
3619 {
3623 }
3626 {
3629 }
3632 {
3635 }
3638 /* The AMD64 ABI says:
3640 "The 128-byte area beyond the location pointed to by %rsp is considered
3641 to be reserved and shall not be modified by signal or interrupt
3642 handlers. Therefore, functions may use this area for temporary data
3643 that is not needed across function calls. In particular, leaf functions
3644 may use this area for their entire stack frame, rather than adjusting
3645 the stack pointer in the prologue and epilogue. This area is known as
3646 red zone [sic]."
3648 So after any call or return we need to mark this redzone as containing
3649 undefined values.
3651 Consider this: we're in function f. f calls g. g moves rsp down
3652 modestly (say 16 bytes) and writes stuff all over the red zone, making it
3653 defined. g returns. f is buggy and reads from parts of the red zone
3654 that it didn't write on. But because g filled that area in, f is going
3655 to be picking up defined V bits and so any errors from reading bits of
3656 the red zone it didn't write, will be missed. The only solution I could
3657 think of was to make the red zone undefined when g returns to f.
3659 This is in accordance with the ABI, which makes it clear the redzone
3660 is volatile across function calls.
3662 The problem occurs the other way round too: f could fill the RZ up
3663 with defined values and g could mistakenly read them. So the RZ
3664 also needs to be nuked on function calls.
3665 */
3668 /* Here's a simple cache to hold nia -> ECU mappings. It could be
3669 improved so as to have a lower miss rate. */
3674 typedef
3677 WCacheEnt;
3679 #define N_NIA_TO_ECU_CACHE 511
3684 {
3685 UWord i;
3688 UInt zero_ecu;
3689 /* Fill all the slots with an entry for address zero, and the
3690 relevant otags accordingly. Hence the cache is initially filled
3691 with valid data. */
3701 }
3702 }
3705 {
3706 UWord i;
3707 UInt ecu;
3712 stats__nia_cache_queries++;
3720 # define SWAP(_w1,_w2) { UWord _t = _w1; _w1 = _w2; _w2 = _t; }
3723 # undef SWAP
3725 }
3727 stats__nia_cache_misses++;
3739 }
3742 /* This marks the stack as addressible but undefined, after a call or
3743 return for a target that has an ABI defined stack redzone. It
3744 happens quite a lot and needs to be fast. This is the version for
3745 origin tracking. The non-origin-tracking version is below. */
3748 {
3759 # if 0
3760 /* Slow(ish) version, which is fairly easily seen to be correct.
3761 */
3784 }
3785 # endif
3787 /* Idea is: go fast when
3788 * 8-aligned and length is 128
3789 * the sm is available in the main primary map
3790 * the address range falls entirely with a single secondary map
3791 If all those conditions hold, just update the V+A bits by writing
3792 directly into the vabits array. (If the sm was distinguished, this
3793 will make a copy and then write to it.)
3794 */
3796 /* Now we know the address range is suitably sized and aligned. */
3801 /* Now we know the entire range is within the main primary map. */
3805 /* Now we know that the entire address range falls within a
3806 single secondary map, and that that secondary 'lives' in
3807 the main primary map. */
3844 }
3845 }
3846 }
3848 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3850 /* Now we know the address range is suitably sized and aligned. */
3858 /* Now we know that the entire address range falls within a
3859 single secondary map, and that that secondary 'lives' in
3860 the main primary map. */
3937 }
3938 }
3939 }
3941 /* else fall into slow case */
3943 }
3946 /* This is a version of MC_(helperc_MAKE_STACK_UNINIT_w_o) that is
3947 specialised for the non-origin-tracking case. */
3950 {
3956 # if 0
3957 /* Slow(ish) version, which is fairly easily seen to be correct.
3958 */
3981 }
3982 # endif
3984 /* Idea is: go fast when
3985 * 8-aligned and length is 128
3986 * the sm is available in the main primary map
3987 * the address range falls entirely with a single secondary map
3988 If all those conditions hold, just update the V+A bits by writing
3989 directly into the vabits array. (If the sm was distinguished, this
3990 will make a copy and then write to it.)
3991 */
3993 /* Now we know the address range is suitably sized and aligned. */
3998 /* Now we know the entire range is within the main primary map. */
4002 /* Now we know that the entire address range falls within a
4003 single secondary map, and that that secondary 'lives' in
4004 the main primary map. */
4025 }
4026 }
4027 }
4029 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
4031 /* Now we know the address range is suitably sized and aligned. */
4039 /* Now we know that the entire address range falls within a
4040 single secondary map, and that that secondary 'lives' in
4041 the main primary map. */
4082 }
4083 }
4084 }
4086 /* else fall into slow case */
4088 }
4091 /* And this is an even more specialised case, for the case where there
4092 is no origin tracking, and the length is 128. */
4095 {
4100 # if 0
4101 /* Slow(ish) version, which is fairly easily seen to be correct.
4102 */
4125 }
4126 # endif
4128 /* Idea is: go fast when
4129 * 16-aligned and length is 128
4130 * the sm is available in the main primary map
4131 * the address range falls entirely with a single secondary map
4132 If all those conditions hold, just update the V+A bits by writing
4133 directly into the vabits array. (If the sm was distinguished, this
4134 will make a copy and then write to it.)
4136 Typically this applies to amd64 'ret' instructions, since RSP is
4137 16-aligned (0 % 16) after the instruction (per the amd64-ELF ABI).
4138 */
4140 /* Now we know the address range is suitably sized and aligned. */
4143 /* FIXME: come up with a sane story on the wraparound case
4144 (which of course cnanot happen, but still..) */
4147 /* Now we know the entire range is within the main primary map. */
4151 /* Now we know that the entire address range falls within a
4152 single secondary map, and that that secondary 'lives' in
4153 the main primary map. */
4167 }
4168 }
4169 }
4171 /* The same, but for when base is 8 % 16, which is the situation
4172 with RSP for amd64-ELF immediately after call instructions.
4173 */
4175 /* Now we know the address range is suitably sized and aligned. */
4178 /* FIXME: come up with a sane story on the wraparound case
4179 (which of course cnanot happen, but still..) */
4182 /* Now we know the entire range is within the main primary map. */
4187 /* Now we know that the entire address range falls within a
4188 single secondary map, and that that secondary 'lives' in
4189 the main primary map. */
4194 /* The following assertion is commented out for obvious
4195 performance reasons, but was verified as valid when
4196 running the entire testsuite and also Firefox. */
4197 /* tl_assert(VG_IS_4_ALIGNED(w32)); */
4208 }
4209 }
4210 }
4212 /* else fall into slow case */
4215 }
4218 /*------------------------------------------------------------*/
4219 /*--- Checking memory ---*/
4220 /*------------------------------------------------------------*/
4222 typedef
4227 }
4228 MC_ReadResult;
4231 /* Check permissions for address range. If inadequate permissions
4232 exist, *bad_addr is set to the offending address, so the caller can
4233 know what it is. */
4235 /* Returns True if [a .. a+len) is not addressible. Otherwise,
4236 returns False, and if bad_addr is non-NULL, sets *bad_addr to
4237 indicate the lowest failing address. Functions below are
4238 similar. */
4240 {
4241 SizeT i;
4242 UWord vabits2;
4251 }
4252 a++;
4253 }
4255 }
4259 {
4260 SizeT i;
4261 UWord vabits2;
4270 }
4271 a++;
4272 }
4274 }
4279 {
4280 SizeT i;
4281 UWord vabits2;
4292 // Error! Nb: Report addressability errors in preference to
4293 // definedness errors. And don't report definedeness errors unless
4294 // --undef-value-errors=yes.
4297 }
4300 }
4304 }
4306 }
4307 }
4308 a++;
4309 }
4311 }
4314 /* Like is_mem_defined but doesn't give up at the first uninitialised
4315 byte -- the entire range is always checked. This is important for
4316 detecting errors in the case where a checked range strays into
4317 invalid memory, but that fact is not detected by the ordinary
4318 is_mem_defined(), because of an undefined section that precedes the
4319 out of range section, possibly as a result of an alignment hole in
4320 the checked data. This version always checks the entire range and
4321 can report both a definedness and an accessbility error, if
4322 necessary. */
4330 )
4331 {
4332 SizeT i;
4333 UWord vabits2;
4346 a++;
4357 }
4359 }
4368 }
4369 }
4370 }
4373 /* Check a zero-terminated ascii string. Tricky -- don't want to
4374 examine the actual bytes, to find the end, until we're sure it is
4375 safe to do so. */
4378 {
4379 UWord vabits2;
4390 // Error! Nb: Report addressability errors in preference to
4391 // definedness errors. And don't report definedeness errors unless
4392 // --undef-value-errors=yes.
4395 }
4398 }
4402 }
4404 }
4405 }
4406 /* Ok, a is safe to read. */
4409 }
4410 a++;
4411 }
4412 }
4415 /*------------------------------------------------------------*/
4416 /*--- Memory event handlers ---*/
4417 /*------------------------------------------------------------*/
4419 static
4422 {
4423 Addr bad_addr;
4439 }
4440 }
4441 }
4443 static
4446 {
4448 Addr bad_addr;
4464 /* If we're being asked to jump to a silly address, record an error
4465 message before potentially crashing the entire system. */
4472 }
4473 }
4474 }
4476 static
4479 {
4480 MC_ReadResult res;
4490 }
4491 }
4493 /* Handling of mmap and mprotect is not as simple as it seems.
4495 The underlying semantics are that memory obtained from mmap is
4496 always initialised, but may be inaccessible. And changes to the
4497 protection of memory do not change its contents and hence not its
4498 definedness state. Problem is we can't model
4499 inaccessible-but-with-some-definedness state; once we mark memory
4500 as inaccessible we lose all info about definedness, and so can't
4501 restore that if it is later made accessible again.
4503 One obvious thing to do is this:
4505 mmap/mprotect NONE -> noaccess
4506 mmap/mprotect other -> defined
4508 The problem case here is: taking accessible memory, writing
4509 uninitialised data to it, mprotecting it NONE and later mprotecting
4510 it back to some accessible state causes the undefinedness to be
4511 lost.
4513 A better proposal is:
4515 (1) mmap NONE -> make noaccess
4516 (2) mmap other -> make defined
4518 (3) mprotect NONE -> # no change
4519 (4) mprotect other -> change any "noaccess" to "defined"
4521 (2) is OK because memory newly obtained from mmap really is defined
4522 (zeroed out by the kernel -- doing anything else would
4523 constitute a massive security hole.)
4525 (1) is OK because the only way to make the memory usable is via
4526 (4), in which case we also wind up correctly marking it all as
4527 defined.
4529 (3) is the weak case. We choose not to change memory state.
4530 (presumably the range is in some mixture of "defined" and
4531 "undefined", viz, accessible but with arbitrary V bits). Doing
4532 nothing means we retain the V bits, so that if the memory is
4533 later mprotected "other", the V bits remain unchanged, so there
4534 can be no false negatives. The bad effect is that if there's
4535 an access in the area, then MC cannot warn; but at least we'll
4536 get a SEGV to show, so it's better than nothing.
4538 Consider the sequence (3) followed by (4). Any memory that was
4539 "defined" or "undefined" previously retains its state (as
4540 required). Any memory that was "noaccess" before can only have
4541 been made that way by (1), and so it's OK to change it to
4542 "defined".
4544 See https://bugs.kde.org/show_bug.cgi?id=205541
4545 and https://bugs.kde.org/show_bug.cgi?id=210268
4546 */
4547 static
4549 ULong di_handle )
4550 {
4552 /* (2) mmap/mprotect other -> defined */
4555 /* (1) mmap/mprotect NONE -> noaccess */
4557 }
4558 }
4560 static
4562 {
4564 /* (4) mprotect other -> change any "noaccess" to "defined" */
4567 /* (3) mprotect NONE -> # no change */
4568 /* do nothing */
4569 }
4570 }
4573 static
4576 {
4577 // Because code is defined, initialised variables get put in the data
4578 // segment and are defined, and uninitialised variables get put in the
4579 // bss segment and are auto-zeroed (and so defined).
4580 //
4581 // It's possible that there will be padding between global variables.
4582 // This will also be auto-zeroed, and marked as defined by Memcheck. If
4583 // a program uses it, Memcheck will not complain. This is arguably a
4584 // false negative, but it's a grey area -- the behaviour is defined (the
4585 // padding is zeroed) but it's probably not what the user intended. And
4586 // we can't avoid it.
4587 //
4588 // Note: we generally ignore RWX permissions, because we can't track them
4589 // without requiring more than one A bit which would slow things down a
4590 // lot. But on Darwin the 0th page is mapped but !R and !W and !X.
4591 // So we mark any such pages as "unaddressable".
4595 }
4597 static
4599 {
4601 }
4604 /*------------------------------------------------------------*/
4605 /*--- Register event handlers ---*/
4606 /*------------------------------------------------------------*/
4608 /* Try and get a nonzero origin for the guest state section of thread
4609 tid characterised by (offset,size). Return 0 if nothing to show
4610 for it. */
4613 {
4614 Int sh2off;
4616 UInt otag;
4629 }
4632 /* When some chunk of guest state is written, mark the corresponding
4633 shadow area as valid. This is used to initialise arbitrarily large
4634 chunks of guest state, hence the _SIZE value, which has to be as
4635 big as the biggest guest state.
4636 */
4639 {
4640 # define MAX_REG_WRITE_SIZE 2264
4645 # undef MAX_REG_WRITE_SIZE
4646 }
4648 static
4651 {
4653 }
4655 /* Look at the definedness of the guest's shadow state for
4656 [offset, offset+len). If any part of that is undefined, record
4657 a parameter error.
4658 */
4661 {
4662 Int i;
4663 Bool bad;
4664 UInt otag;
4676 }
4677 }
4682 /* We've found some undefinedness. See if we can also find an
4683 origin for it. */
4686 }
4689 /*------------------------------------------------------------*/
4690 /*--- Register-memory event handlers ---*/
4691 /*------------------------------------------------------------*/
4695 {
4696 SizeT i;
4697 UChar vbits8;
4698 Int offset;
4699 UInt d32;
4701 /* Slow loop. */
4706 }
4711 /* Track origins. */
4737 }
4740 }
4744 SizeT size )
4745 {
4746 SizeT i;
4747 UChar vbits8;
4748 Int offset;
4749 UInt d32;
4751 /* Slow loop. */
4756 }
4761 /* Track origins. */
4788 }
4789 }
4792 /*------------------------------------------------------------*/
4793 /*--- Some static assertions ---*/
4794 /*------------------------------------------------------------*/
4796 /* The handwritten assembly helpers below have baked-in assumptions
4797 about various constant values. These assertions attempt to make
4798 that a bit safer by checking those values and flagging changes that
4799 would make the assembly invalid. Not perfect but it's better than
4800 nothing. */
4823 /*------------------------------------------------------------*/
4824 /*--- Functions called directly from generated code: ---*/
4825 /*--- Load/store handlers. ---*/
4826 /*------------------------------------------------------------*/
4828 /* Types: LOADV32, LOADV16, LOADV8 are:
4829 UWord fn ( Addr a )
4830 so they return 32-bits on 32-bit machines and 64-bits on
4831 64-bit machines. Addr has the same size as a host word.
4833 LOADV64 is always ULong fn ( Addr a )
4835 Similarly for STOREV8, STOREV16, STOREV32, the supplied vbits
4836 are a UWord, and for STOREV64 they are a ULong.
4837 */
4839 /* If any part of '_a' indicated by the mask is 1, either '_a' is not
4840 naturally '_sz/8'-aligned, or it exceeds the range covered by the
4841 primary map. This is all very tricky (and important!), so let's
4842 work through the maths by hand (below), *and* assert for these
4843 values at startup. */
4844 #define MASK(_szInBytes) \
4845 ( ~((0x10000UL-(_szInBytes)) | ((N_PRIMARY_MAP-1) << 16)) )
4847 /* MASK only exists so as to define this macro. */
4848 #define UNALIGNED_OR_HIGH(_a,_szInBits) \
4849 ((_a) & MASK((_szInBits>>3)))
4851 /* On a 32-bit machine:
4853 N_PRIMARY_BITS == 16, so
4854 N_PRIMARY_MAP == 0x10000, so
4855 N_PRIMARY_MAP-1 == 0xFFFF, so
4856 (N_PRIMARY_MAP-1) << 16 == 0xFFFF0000, and so
4858 MASK(1) = ~ ( (0x10000 - 1) | 0xFFFF0000 )
4859 = ~ ( 0xFFFF | 0xFFFF0000 )
4860 = ~ 0xFFFF'FFFF
4861 = 0
4863 MASK(2) = ~ ( (0x10000 - 2) | 0xFFFF0000 )
4864 = ~ ( 0xFFFE | 0xFFFF0000 )
4865 = ~ 0xFFFF'FFFE
4866 = 1
4868 MASK(4) = ~ ( (0x10000 - 4) | 0xFFFF0000 )
4869 = ~ ( 0xFFFC | 0xFFFF0000 )
4870 = ~ 0xFFFF'FFFC
4871 = 3
4873 MASK(8) = ~ ( (0x10000 - 8) | 0xFFFF0000 )
4874 = ~ ( 0xFFF8 | 0xFFFF0000 )
4875 = ~ 0xFFFF'FFF8
4876 = 7
4878 Hence in the 32-bit case, "a & MASK(1/2/4/8)" is a nonzero value
4879 precisely when a is not 1/2/4/8-bytes aligned. And obviously, for
4880 the 1-byte alignment case, it is always a zero value, since MASK(1)
4881 is zero. All as expected.
4883 On a 64-bit machine, it's more complex, since we're testing
4884 simultaneously for misalignment and for the address being at or
4885 above 64G:
4887 N_PRIMARY_BITS == 20, so
4888 N_PRIMARY_MAP == 0x100000, so
4889 N_PRIMARY_MAP-1 == 0xFFFFF, so
4890 (N_PRIMARY_MAP-1) << 16 == 0xF'FFFF'0000, and so
4892 MASK(1) = ~ ( (0x10000 - 1) | 0xF'FFFF'0000 )
4893 = ~ ( 0xFFFF | 0xF'FFFF'0000 )
4894 = ~ 0xF'FFFF'FFFF
4895 = 0xFFFF'FFF0'0000'0000
4897 MASK(2) = ~ ( (0x10000 - 2) | 0xF'FFFF'0000 )
4898 = ~ ( 0xFFFE | 0xF'FFFF'0000 )
4899 = ~ 0xF'FFFF'FFFE
4900 = 0xFFFF'FFF0'0000'0001
4902 MASK(4) = ~ ( (0x10000 - 4) | 0xF'FFFF'0000 )
4903 = ~ ( 0xFFFC | 0xF'FFFF'0000 )
4904 = ~ 0xF'FFFF'FFFC
4905 = 0xFFFF'FFF0'0000'0003
4907 MASK(8) = ~ ( (0x10000 - 8) | 0xF'FFFF'0000 )
4908 = ~ ( 0xFFF8 | 0xF'FFFF'0000 )
4909 = ~ 0xF'FFFF'FFF8
4910 = 0xFFFF'FFF0'0000'0007
4911 */
4913 /*------------------------------------------------------------*/
4914 /*--- LOADV256 and LOADV128 ---*/
4915 /*------------------------------------------------------------*/
4917 static INLINE
4920 {
4923 #ifndef PERF_FAST_LOADV
4926 #else
4927 {
4937 }
4939 /* Handle common cases quickly: a (and a+8 and a+16 etc.) is
4940 suitably aligned, is mapped, and addressible. */
4946 // Convert V bits from compact memory form to expanded
4947 // register form.
4953 /* Slow case: some block of 8 bytes are not all-defined or
4954 all-undefined. */
4958 }
4959 }
4961 }
4962 #endif
4963 }
4966 {
4968 }
4970 {
4972 }
4975 {
4977 }
4979 {
4981 }
4983 /*------------------------------------------------------------*/
4984 /*--- LOADV64 ---*/
4985 /*------------------------------------------------------------*/
4987 static INLINE
4989 {
4992 #ifndef PERF_FAST_LOADV
4994 #else
4995 {
5002 }
5008 // Handle common case quickly: a is suitably aligned, is mapped, and
5009 // addressible.
5010 // Convert V bits from compact memory form to expanded register form.
5016 /* Slow case: the 8 bytes are not all-defined or all-undefined. */
5019 }
5020 }
5021 #endif
5022 }
5024 // Generic for all platforms
5026 {
5028 }
5030 // Non-generic assembly for arm32-linux
5031 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5032 && defined(VGP_arm_linux)
5033 /* See mc_main_asm.c */
5035 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5036 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris) || defined(VGP_x86_freebsd))
5037 /* See mc_main_asm.c */
5039 #else
5040 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5042 {
5044 }
5045 #endif
5047 /*------------------------------------------------------------*/
5048 /*--- STOREV64 ---*/
5049 /*------------------------------------------------------------*/
5051 static INLINE
5053 {
5056 #ifndef PERF_FAST_STOREV
5057 // XXX: this slow case seems to be marginally faster than the fast case!
5058 // Investigate further.
5060 #else
5061 {
5069 }
5075 // To understand the below cleverness, see the extensive comments
5076 // in MC_(helperc_STOREV8).
5080 }
5084 }
5088 }
5092 }
5096 }
5100 }
5104 }
5105 #endif
5106 }
5109 {
5111 }
5113 {
5115 }
5117 /*------------------------------------------------------------*/
5118 /*--- LOADV32 ---*/
5119 /*------------------------------------------------------------*/
5121 static INLINE
5123 {
5126 #ifndef PERF_FAST_LOADV
5128 #else
5129 {
5136 }
5142 // Handle common case quickly: a is suitably aligned, is mapped, and the
5143 // entire word32 it lives in is addressible.
5144 // Convert V bits from compact memory form to expanded register form.
5145 // For 64-bit platforms, set the high 32 bits of retval to 1 (undefined).
5146 // Almost certainly not necessary, but be paranoid.
5152 /* Slow case: the 4 bytes are not all-defined or all-undefined. */
5155 }
5156 }
5157 #endif
5158 }
5160 // Generic for all platforms
5162 {
5164 }
5166 // Non-generic assembly for arm32-linux
5167 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5168 && defined(VGP_arm_linux)
5169 /* See mc_main_asm.c */
5171 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5172 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5173 /* See mc_main_asm.c */
5175 #else
5176 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5178 {
5180 }
5181 #endif
5183 /*------------------------------------------------------------*/
5184 /*--- STOREV32 ---*/
5185 /*------------------------------------------------------------*/
5187 static INLINE
5189 {
5192 #ifndef PERF_FAST_STOREV
5194 #else
5195 {
5203 }
5209 // To understand the below cleverness, see the extensive comments
5210 // in MC_(helperc_STOREV8).
5214 }
5218 }
5222 }
5226 }
5230 }
5234 }
5238 }
5239 #endif
5240 }
5243 {
5245 }
5247 {
5249 }
5251 /*------------------------------------------------------------*/
5252 /*--- LOADV16 ---*/
5253 /*------------------------------------------------------------*/
5255 static INLINE
5257 {
5260 #ifndef PERF_FAST_LOADV
5262 #else
5263 {
5270 }
5275 // Handle common case quickly: a is suitably aligned, is mapped, and is
5276 // addressible.
5277 // Convert V bits from compact memory form to expanded register form
5281 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5282 // the two sub-bytes.
5287 /* Slow case: the two bytes are not all-defined or all-undefined. */
5290 }
5291 }
5292 }
5293 #endif
5294 }
5296 // Generic for all platforms
5298 {
5300 }
5302 // Non-generic assembly for arm32-linux
5303 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5304 && defined(VGP_arm_linux)
5332 // r1 holds sec-map-VABITS8. r0 holds the address and is 2-aligned.
5333 // Extract the relevant 4 bits and inspect.
5353 );
5355 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5356 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5398 );
5400 #else
5401 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5403 {
5405 }
5406 #endif
5408 /*------------------------------------------------------------*/
5409 /*--- STOREV16 ---*/
5410 /*------------------------------------------------------------*/
5412 /* True if the vabits4 in vabits8 indicate a and a+1 are accessible. */
5413 static INLINE
5415 {
5416 UInt shift;
5420 // check 2 x vabits2 != VA_BITS2_NOACCESS
5423 }
5425 static INLINE
5427 {
5430 #ifndef PERF_FAST_STOREV
5432 #else
5433 {
5441 }
5447 // To understand the below cleverness, see the extensive comments
5448 // in MC_(helperc_STOREV8).
5452 }
5458 }
5461 }
5465 }
5471 }
5475 }
5479 }
5480 #endif
5481 }
5485 {
5487 }
5489 {
5491 }
5493 /*------------------------------------------------------------*/
5494 /*--- LOADV8 ---*/
5495 /*------------------------------------------------------------*/
5497 /* Note: endianness is irrelevant for size == 1 */
5499 // Non-generic assembly for arm32-linux
5500 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5501 && defined(VGP_arm_linux)
5526 // r1 holds sec-map-VABITS8
5527 // r0 holds the address. Extract the relevant 2 bits and inspect.
5546 );
5548 /* Non-generic assembly for x86-linux */
5549 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5550 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5589 );
5591 #else
5592 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5595 {
5598 #ifndef PERF_FAST_LOADV
5600 #else
5601 {
5608 }
5613 // Convert V bits from compact memory form to expanded register form
5614 // Handle common case quickly: a is mapped, and the entire
5615 // word32 it lives in is addressible.
5619 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5620 // the single byte.
5625 /* Slow case: the byte is not all-defined or all-undefined. */
5628 }
5629 }
5630 }
5631 #endif
5632 }
5633 #endif
5635 /*------------------------------------------------------------*/
5636 /*--- STOREV8 ---*/
5637 /*------------------------------------------------------------*/
5641 {
5644 #ifndef PERF_FAST_STOREV
5646 #else
5647 {
5655 }
5661 // Clevernesses to speed up storing V bits.
5662 // The 64/32/16 bit cases also have similar clevernesses, but it
5663 // works a little differently to the code below.
5664 //
5665 // Cleverness 1: sometimes we don't have to write the shadow memory at
5666 // all, if we can tell that what we want to write is the same as what is
5667 // already there. These cases are marked below as "defined on defined" and
5668 // "undefined on undefined".
5669 //
5670 // Cleverness 2:
5671 // We also avoid to call mc_STOREVn_slow if the V bits can directly
5672 // be written in the secondary map. V bits can be directly written
5673 // if 4 conditions are respected:
5674 // * The address for which V bits are written is naturally aligned
5675 // on 1 byte for STOREV8 (this is always true)
5676 // on 2 bytes for STOREV16
5677 // on 4 bytes for STOREV32
5678 // on 8 bytes for STOREV64.
5679 // * V bits being written are either fully defined or fully undefined.
5680 // (for partially defined V bits, V bits cannot be directly written,
5681 // as the secondary vbits table must be maintained).
5682 // * the secmap is not distinguished (distinguished maps cannot be
5683 // modified).
5684 // * the memory corresponding to the V bits being written is
5685 // accessible (if one or more bytes are not accessible,
5686 // we must call mc_STOREVn_slow in order to report accessibility
5687 // errors).
5688 // Note that for STOREV32 and STOREV64, it is too expensive
5689 // to verify the accessibility of each byte for the benefit it
5690 // brings. Instead, a quicker check is done by comparing to
5691 // VA_BITS(8|16)_(UN)DEFINED. This guarantees accessibility,
5692 // but misses some opportunity of direct modifications.
5693 // Checking each byte accessibility was measured for
5694 // STOREV32+perf tests and was slowing down all perf tests.
5695 // The cases corresponding to cleverness 2 are marked below as
5696 // "direct mod".
5700 }
5703 // direct mod
5707 }
5711 }
5715 }
5717 && (VA_BITS2_NOACCESS
5719 // direct mod
5723 }
5727 }
5729 // Partially defined word
5732 }
5733 #endif
5734 }
5737 /*------------------------------------------------------------*/
5738 /*--- Functions called directly from generated code: ---*/
5739 /*--- Value-check failure handlers. ---*/
5740 /*------------------------------------------------------------*/
5742 /* Call these ones when an origin is available ... */
5746 }
5751 }
5756 }
5761 }
5766 }
5768 /* ... and these when an origin isn't available. */
5773 }
5778 }
5783 }
5788 }
5793 }
5796 /*------------------------------------------------------------*/
5797 /*--- Metadata get/set functions, for client requests. ---*/
5798 /*------------------------------------------------------------*/
5800 // Nb: this expands the V+A bits out into register-form V bits, even though
5801 // they're in memory. This is for backward compatibility, and because it's
5802 // probably what the user wants.
5804 /* Copy Vbits from/to address 'a'. Returns: 1 == OK, 2 == alignment
5805 error [no longer used], 3 == addressing error. */
5806 /* Nb: We used to issue various definedness/addressability errors from here,
5807 but we took them out because they ranged from not-very-helpful to
5808 downright annoying, and they complicated the error data structures. */
5810 Addr a,
5811 Addr vbits,
5812 SizeT szB,
5814 Bool is_client_request /* True <=> real user request
5815 False <=> internal call from gdbserver */
5816 )
5817 {
5818 SizeT i;
5819 Bool ok;
5820 UChar vbits8;
5822 /* Check that arrays are addressible before doing any getting/setting.
5823 vbits to be checked only for real user request. */
5828 }
5829 }
5831 /* Do the copy */
5833 /* setting */
5837 }
5839 /* getting */
5844 }
5846 // The bytes in vbits[] have now been set, so mark them as such.
5848 }
5851 }
5854 /*------------------------------------------------------------*/
5855 /*--- Detecting leaked (unreachable) malloc'd blocks. ---*/
5856 /*------------------------------------------------------------*/
5858 /* For the memory leak detector, say whether an entire 64k chunk of
5859 address space is possibly in use, or not. If in doubt return
5860 True.
5861 */
5863 {
5866 /* Definitely not in use. */
5870 }
5871 }
5874 /* For the memory leak detector, say whether or not a given word
5875 address is to be regarded as valid. */
5877 {
5885 }
5888 else
5890 }
5893 /*------------------------------------------------------------*/
5894 /*--- Initialisation ---*/
5895 /*------------------------------------------------------------*/
5898 {
5899 Int i;
5907 /* Build the 3 distinguished secondaries */
5917 /* Set up the primary map. */
5918 /* These entries gradually get overwritten as the used address
5919 space expands. */
5923 /* Auxiliary primary maps */
5926 /* auxmap_size = auxmap_used = 0;
5927 no ... these are statically initialised */
5929 /* Secondary V bit table */
5931 }
5934 /*------------------------------------------------------------*/
5935 /*--- Sanity check machinery (permanently engaged) ---*/
5936 /*------------------------------------------------------------*/
5939 {
5940 n_sanity_cheap++;
5942 /* Check for sane operating level */
5945 /* nothing else useful we can rapidly check */
5947 }
5950 {
5951 Int i;
5952 Word n_secmaps_found;
5960 n_sanity_expensive++;
5963 /* Check for sane operating level */
5967 /* Check that the 3 distinguished SMs are still as they should be. */
5969 /* Check noaccess DSM. */
5975 /* Check undefined DSM. */
5981 /* Check defined DSM. */
5991 }
5993 /* If we're not checking for undefined value errors, the secondary V bit
5994 * table should be empty. */
5998 }
6000 /* check the auxiliary maps, very thoroughly */
6006 }
6008 /* n_secmaps_found is now the number referred to by the auxiliary
6009 primary map. Now add on the ones referred to by the main
6010 primary map. */
6016 n_secmaps_found++;
6017 }
6018 }
6020 /* check that the number of secmaps issued matches the number that
6021 are reachable (iow, no secmap leaks) */
6029 }
6035 }
6037 /* there is only one pointer to each secmap (expensive) */
6040 }
6042 /*------------------------------------------------------------*/
6043 /*--- Command line args ---*/
6044 /*------------------------------------------------------------*/
6046 /* 31 Aug 2015: Vectorised code is now so widespread that
6047 --partial-loads-ok needs to be enabled by default on all platforms.
6048 Not doing so causes lots of false errors. */
6070 ExpensiveDefinednessChecks
6079 /* The first heuristic value (LchNone) has no keyword, as this is
6080 a fake heuristic used to collect the blocks found without any
6081 heuristic. */
6084 {
6086 Bool tmp_show;
6090 /* Set MC_(clo_mc_level):
6091 1 = A bit tracking only
6092 2 = A and V bit tracking, but no V bit origins
6093 3 = A and V bit tracking, and V bit origins
6095 Do this by inspecting --undef-value-errors= and
6096 --track-origins=. Reject the case --undef-value-errors=no
6097 --track-origins=yes as meaningless.
6098 */
6108 }
6109 }
6110 }
6117 }
6121 }
6122 }
6138 }
6139 }
6145 }
6146 }
6177 "ERROR: --ignore-ranges: "
6180 }
6182 UInt i;
6198 }
6199 }
6200 }
6201 }
6204 /* This seems at first a bit weird, but: in order to imply
6205 a non-wrapped-around address range, the first offset needs to be
6206 larger than the second one. For example
6207 --ignore-range-below-sp=8192,8189
6208 would cause accesses to in the range [SP-8192, SP-8189] to be
6209 ignored. */
6212 // Ensure we used all the text after the '=' sign.
6216 "ERROR: --ignore-range-below-sp: invalid syntax. "
6219 }
6222 "ERROR: --ignore-range-below-sp: suspiciously large "
6225 }
6228 "ERROR: --ignore-range-below-sp: invalid offsets "
6231 }
6235 "ERROR: --ignore-range-below-sp: suspiciously large "
6238 }
6243 }
6276 else
6282 bad_level:
6286 }
6289 {
6328 );
6329 }
6332 {
6335 );
6336 }
6339 /*------------------------------------------------------------*/
6340 /*--- Client blocks ---*/
6341 /*------------------------------------------------------------*/
6343 /* Client block management:
6345 This is managed as an expanding array of client block descriptors.
6346 Indices of live descriptors are issued to the client, so it can ask
6347 to free them later. Therefore we cannot slide live entries down
6348 over dead ones. Instead we must use free/inuse flags and scan for
6349 an empty slot at allocation time. This in turn means allocation is
6350 relatively expensive, so we hope this does not happen too often.
6352 An unused block has start == size == 0
6353 */
6355 /* type CGenBlock is defined in mc_include.h */
6357 /* This subsystem is self-initialising. */
6362 /* Stats for this subsystem. */
6369 /* Get access to the client block array. */
6372 {
6375 }
6378 static
6380 {
6384 cgb_allocs++;
6387 cgb_search++;
6390 }
6392 /* Not found. Try to allocate one at the end. */
6394 cgb_used++;
6396 }
6398 /* Ok, we have to allocate a new one. */
6411 cgb_used++;
6415 }
6419 {
6423 );
6424 }
6426 {
6428 (
6474 }
6476 /* Print szB bytes at address, with a format similar to the gdb command
6477 x /<szB>xb address.
6478 res[i] == 1 indicates the corresponding byte is addressable. */
6480 {
6481 UInt i;
6489 }
6492 else
6494 }
6496 }
6499 /* Returns the address of the next non space character,
6500 or address of the string terminator. */
6502 {
6504 s++;
6506 }
6508 /* Parse an integer slice, i.e. a single integer or a range of integer.
6509 Syntax is:
6510 <integer>[..<integer> ]
6511 (spaces are allowed before and/or after ..).
6512 Return True if range correctly parsed, False otherwise. */
6515 {
6521 /* slice must start with an integer. */
6525 }
6530 }
6533 /* wl token is an integer terminating the string
6534 or else next token does not start with .
6535 In both cases, the slice is a single integer. */
6538 }
6541 // iii .. => get the next token
6544 // It must be iii..
6548 }
6550 // It must be iii.. jjj => get the next token
6553 // It must be iii..jjj
6555 }
6556 }
6562 }
6568 }
6571 }
6573 /* return True if request recognised, False otherwise */
6575 {
6583 /* NB: if possible, avoid introducing a new command below which
6584 starts with the same first letter(s) as an already existing
6585 command. This ensures a shorter abbreviation for the user. */
6598 Addr address;
6601 UChar vbits;
6602 Int i;
6605 Int res = mc_get_or_set_vbits_for_client
6609 /* we are before the first character on next line, print a \n. */
6612 /* we are before the next block of 4 starts, print a space. */
6619 unaddressable++;
6621 }
6622 }
6628 }
6629 }
6631 }
6634 LeakCheckParams lcp;
6652 "kinds reachable possibleleak definiteleak "
6653 "heuristics "
6654 "new increased changed any "
6665 xt_filename
6675 wcmd,
6678 err++;
6679 }
6681 }
6686 lcp.show_leak_kinds
6697 wcmd,
6700 err++;
6701 }
6703 }
6715 Int int_value;
6726 }
6731 else
6735 }
6738 }
6739 }
6745 }
6748 Addr address;
6764 }
6766 }
6769 Addr address;
6771 Addr bad_addr;
6772 UInt okind;
6774 UInt otag;
6775 UInt ecu;
6777 MC_ReadResult res;
6791 else
6795 // Describe this (probably live) address with current epoch
6816 }
6825 }
6826 }
6827 else
6830 // Describe this (probably live) address with current epoch
6834 }
6836 }
6846 Int int_value;
6863 }
6868 }
6873 }
6881 wcmd,
6885 }
6889 }
6890 }
6891 /* substract 1 from lr_nr_from/lr_nr_to as what is shown to the user
6892 is 1 more than the index in lr_array. */
6895 limit_blocks,
6896 heuristics))
6898 }
6900 }
6903 Addr address;
6911 }
6914 }
6917 Addr address;
6922 Int i;
6926 /* We going to print the first vabits of a new line.
6927 Terminate the previous line if needed: prints a line with the
6928 address and the data. */
6933 }
6935 }
6944 unaddressable++;
6946 }
6947 }
6951 else
6957 }
6958 }
6960 }
6967 }
6972 }
6973 }
6975 /*------------------------------------------------------------*/
6976 /*--- Client requests ---*/
6977 /*------------------------------------------------------------*/
6980 {
6981 Int i;
6982 Addr bad_addr;
7009 }
7020 );
7024 }
7028 }
7029 /* Return the lower of the two erring addresses, if any. */
7033 }
7036 }
7039 }
7041 }
7044 LeakCheckParams lcp;
7054 }
7073 }
7081 }
7090 MC_OKIND_USER );
7107 /* VG_(printf)("allocated %d %p\n", i, cgbs); */
7126 cgb_discards++;
7128 }
7147 // MC_(bytes_leaked) et al were set by the last leak check (or zero
7148 // if no prior leak checks performed).
7153 // there is no argp[5]
7154 //*argp[5] = MC_(bytes_indirect);
7155 // XXX need to make *argp[1-4] defined; currently done in the
7156 // VALGRIND_COUNT_LEAKS_MACRO by initialising them to zero.
7159 }
7162 // MC_(blocks_leaked) et al were set by the last leak check (or zero
7163 // if no prior leak checks performed).
7168 // there is no argp[5]
7169 //*argp[5] = MC_(blocks_indirect);
7170 // XXX need to make *argp[1-4] defined; currently done in the
7171 // VALGRIND_COUNT_LEAK_BLOCKS_MACRO by initialising them to zero.
7174 }
7186 }
7188 }
7197 }
7204 }
7213 }
7221 // other platforms just ensure it is a power of 2
7222 // ignore Illumos only enforcing multiple of 4 (probably a bug)
7225 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be power of 2)" );
7226 }
7227 // size zero not allowed on all platforms (e.g. Illumos)
7230 }
7233 // must be power of 2
7234 // alignment at least sizeof(size_t)
7235 // size of 0 implementation defined
7238 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero, a power of 2 and a multiple of sizeof(void*))" );
7239 }
7242 }
7245 // must be power of 2
7247 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be a power of 2)" );
7248 }
7249 // size should be integral multiple of alignment
7252 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , aligned_alloc_info->size, " (size should be a multiple of alignment)" );
7253 }
7256 }
7262 }
7268 }
7273 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7274 }
7279 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7280 }
7285 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7286 }
7290 }
7295 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7296 }
7299 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, "new[]/delete[]");
7300 }
7306 }
7309 }
7312 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7313 }
7319 }
7321 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, "new[]/delete[]");
7322 }
7325 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7326 }
7330 }
7333 }
7341 // The create_mempool function does not know these mempool flags,
7342 // pass as booleans.
7347 }
7354 }
7363 }
7371 }
7380 }
7388 }
7398 }
7405 }
7411 else
7414 }
7418 Bool addRange
7420 Bool ok
7424 }
7428 Vg_UserMsg,
7431 );
7433 }
7435 }
7438 /*------------------------------------------------------------*/
7439 /*--- Crude profiling machinery. ---*/
7440 /*------------------------------------------------------------*/
7442 // We track a number of interesting events (using PROF_EVENT)
7443 // if MC_PROFILE_MEMORY is defined.
7445 #ifdef MC_PROFILE_MEMORY
7449 /* Event counter names. Use the name of the function that increases the
7450 event counter. Drop any MC_() and mc_ prefices. */
7578 };
7581 {
7588 }
7590 /* Make sure every profiling event has a name */
7592 }
7595 {
7602 }
7609 }
7610 }
7611 }
7613 #else
7618 #endif
7621 /*------------------------------------------------------------*/
7622 /*--- Origin tracking stuff ---*/
7623 /*------------------------------------------------------------*/
7625 /*--------------------------------------------*/
7626 /*--- Origin tracking: load handlers ---*/
7627 /*--------------------------------------------*/
7631 }
7635 UChar descr;
7641 }
7648 }
7654 }
7655 }
7659 UChar descr;
7663 /* Handle misaligned case, slowly. */
7667 }
7674 }
7680 }
7686 }
7687 }
7691 UChar descr;
7692 UWord lineoff;
7695 /* Handle misaligned case, slowly. */
7699 }
7704 }
7711 }
7717 }
7718 }
7723 UWord lineoff;
7726 /* Handle misaligned case, slowly. */
7730 }
7735 }
7744 }
7752 }
7753 }
7760 }
7770 }
7773 /*--------------------------------------------*/
7774 /*--- Origin tracking: store handlers ---*/
7775 /*--------------------------------------------*/
7784 }
7788 #if OC_PRECISION_STORE
7790 // The byte is defined. Just mark it as so in the descr and leave the w32
7791 // unchanged. This may make the descr become zero, so the line no longer
7792 // contains useful info, but that's OK. No loss of information.
7795 // At least one of the four bytes in the w32 is undefined with the same
7796 // origin. Just extend the mask. No loss of information.
7799 // Here, we have a conflict: at least one byte in the group is undefined
7800 // but with some other origin. We can't represent both origins, so we
7801 // forget about the previous origin and install this one instead.
7804 }
7805 #else
7811 }
7812 #endif
7813 }
7820 /* Handle misaligned case, slowly. */
7824 }
7831 }
7835 #if OC_PRECISION_STORE
7836 // Same logic as in the store1 case above.
7845 }
7846 #else
7852 }
7853 #endif
7854 }
7858 UWord lineoff;
7861 /* Handle misaligned case, slowly. */
7865 }
7870 }
7879 }
7880 }
7885 UWord lineoff;
7888 /* Handle misaligned case, slowly. */
7892 }
7897 }
7909 }
7910 }
7915 UWord lineoff;
7918 /* Handle misaligned case, slowly. */
7922 }
7927 }
7945 }
7946 }
7951 UWord lineoff;
7954 /* Handle misaligned case, slowly. */
7958 }
7963 }
7993 }
7994 }
7997 /*--------------------------------------------*/
7998 /*--- Origin tracking: sarp handlers ---*/
7999 /*--------------------------------------------*/
8001 // We may get asked to do very large SARPs (bug 446103), hence it is important
8002 // to process 32-byte chunks at a time when possible.
8008 a++;
8009 len--;
8010 }
8015 }
8020 }
8025 }
8030 }
8037 }
8038 }
8043 }
8048 }
8053 }
8058 }
8061 //a++;
8062 len--;
8063 }
8065 }
8071 a++;
8072 len--;
8073 }
8078 }
8083 }
8088 }
8093 }
8100 }
8101 }
8106 }
8111 }
8116 }
8121 }
8124 //a++;
8125 len--;
8126 }
8128 }
8131 /*------------------------------------------------------------*/
8132 /*--- Setup and finalisation ---*/
8133 /*------------------------------------------------------------*/
8136 {
8137 /* If we've been asked to emit XML, mash around various other
8138 options so as to constrain the output somewhat. */
8140 /* Extract as much info as possible from the leak checker. */
8142 }
8151 }
8159 );
8160 }
8165 /* We're doing origin tracking. */
8166 # ifdef PERF_FAST_STACK
8176 # endif
8180 /* Not doing origin tracking */
8181 # ifdef PERF_FAST_STACK
8191 # endif
8194 }
8196 // We assume that brk()/sbrk() does not initialise new memory. Is this
8197 // accurate? John Reiser says:
8198 //
8199 // 0) sbrk() can *decrease* process address space. No zero fill is done
8200 // for a decrease, not even the fragment on the high end of the last page
8201 // that is beyond the new highest address. For maximum safety and
8202 // portability, then the bytes in the last page that reside above [the
8203 // new] sbrk(0) should be considered to be uninitialized, but in practice
8204 // it is exceedingly likely that they will retain their previous
8205 // contents.
8206 //
8207 // 1) If an increase is large enough to require new whole pages, then
8208 // those new whole pages (like all new pages) are zero-filled by the
8209 // operating system. So if sbrk(0) already is page aligned, then
8210 // sbrk(PAGE_SIZE) *does* zero-fill the new memory.
8211 //
8212 // 2) Any increase that lies within an existing allocated page is not
8213 // changed. So if (x = sbrk(0)) is not page aligned, then
8214 // sbrk(PAGE_SIZE) yields ((PAGE_SIZE -1) & -x) bytes which keep their
8215 // existing contents, and an additional PAGE_SIZE bytes which are zeroed.
8216 // ((PAGE_SIZE -1) & x) of them are "covered" by the sbrk(), and the rest
8217 // of them come along for the ride because the operating system deals
8218 // only in whole pages. Again, for maximum safety and portability, then
8219 // anything that lives above [the new] sbrk(0) should be considered
8220 // uninitialized, but in practice will retain previous contents [zero in
8221 // this case.]"
8222 //
8223 // In short:
8224 //
8225 // A key property of sbrk/brk is that new whole pages that are supplied
8226 // by the operating system *do* get initialized to zero.
8227 //
8228 // As for the portability of all this:
8229 //
8230 // sbrk and brk are not POSIX. However, any system that is a derivative
8231 // of *nix has sbrk and brk because there are too many software (such as
8232 // the Bourne shell) which rely on the traditional memory map (.text,
8233 // .data+.bss, stack) and the existence of sbrk/brk.
8234 //
8235 // So we should arguably observe all this. However:
8236 // - The current inaccuracy has caused maybe one complaint in seven years(?)
8237 // - Relying on the zeroed-ness of whole brk'd pages is pretty grotty... I
8238 // doubt most programmers know the above information.
8239 // So I'm not terribly unhappy with marking it as undefined. --njn.
8240 //
8241 // [More: I think most of what John said only applies to sbrk(). It seems
8242 // that brk() always deals in whole pages. And since this event deals
8243 // directly with brk(), not with sbrk(), perhaps it would be reasonable to
8244 // just mark all memory it allocates as defined.]
8245 //
8246 # if !defined(VGO_solaris)
8249 else
8251 # else
8252 // On Solaris, brk memory has to be marked as defined, otherwise we get
8253 // many false positives.
8255 # endif
8257 /* This origin tracking cache is huge (~100M), so only initialise
8258 if we need it. */
8264 }
8269 }
8270 }
8279 /* Do not check definedness of guest state if --undef-value-errors=no */
8287 "To use --xtree-memory=full, you must"
8289 // Activate full xtree memory profiling.
8291 }
8293 }
8296 {
8299 type,
8300 n_SMs,
8303 }
8306 {
8316 n_auxmap_L2_nodes,
8324 );
8327 n_auxmap_L2_searches, n_auxmap_L2_nodes
8328 );
8337 // Three DSMs, plus the non-DSM ones
8339 // The 3*sizeof(Word) bytes is the AVL node metadata size.
8340 // The VG_ROUNDUP is because the OSet pool allocator will/must align
8341 // the elements on pointer size.
8342 // Note that the pool allocator has some additional small overhead
8343 // which is not counted in the below.
8344 // Hardwiring this logic sucks, but I don't see how else to do it.
8364 stats_ocacheL1_find,
8365 stats_ocacheL1_misses,
8366 stats_ocacheL1_lossage );
8369 stats_ocacheL1_find - stats_ocacheL1_misses
8370 - stats_ocacheL1_found_at_1
8372 stats_ocacheL1_found_at_1 );
8375 stats_ocacheL1_found_at_N,
8376 stats_ocacheL1_movefwds );
8383 stats__ocacheL2_finds,
8384 stats__ocacheL2_misses );
8387 stats__ocacheL2_adds,
8388 stats__ocacheL2_dels );
8391 stats__ocacheL2_n_nodes_max,
8392 stats__ocacheL2_n_nodes );
8400 }
8401 }
8402 }
8406 {
8411 LeakCheckParams lcp;
8426 }
8427 else
8437 );
8438 }
8439 }
8444 "Use --track-origins=yes to see where "
8446 }
8448 /* Print a warning if any client-request generated ignore-ranges
8449 still exist. It would be reasonable to expect that a properly
8450 written program would remove any such ranges before exiting, and
8451 since they are a bit on the dangerous side, let's comment. By
8452 contrast ranges which are specified on the command line normally
8453 pertain to hardware mapped into the address space, and so we
8454 can't expect the client to have got rid of them. */
8465 /* Print the offending range. Also, if it is the first,
8466 print a banner before it. */
8467 nBad++;
8472 "WARNING: "
8474 "WARNING: "
8476 );
8477 }
8480 }
8481 }
8492 }
8493 }
8495 /* mark the given addr/len unaddressable for watchpoint implementation
8496 The PointKind will be handled at access time */
8499 {
8500 /* GDBTD this is somewhat fishy. We might rather have to save the previous
8501 accessibility and definedness in gdbserver so as to allow restoring it
8502 properly. Currently, we assume that the user only watches things
8503 which are properly addressable and defined */
8506 else
8509 }
8512 {
8523 mc_fini);
8544 mc_print_usage,
8545 mc_print_debug_usage);
8548 mc_expensive_sanity_check);
8565 MC_MALLOC_DEFAULT_REDZONE_SZB );
8572 // Handling of mmap and mprotect isn't simple (well, it is simple,
8573 // but the justification isn't.) See comments above, just prior to
8574 // mc_new_mem_mmap.
8584 /* Defer the specification of the new_mem_stack functions to the
8585 post_clo_init function, since we need to first parse the command
8586 line before deciding which set to use. */
8588 # ifdef PERF_FAST_STACK
8598 # endif
8614 }
8619 // MC_(chunk_poolalloc) must be allocated in post_clo_init
8627 // {LOADV,STOREV}[8421] will all fail horribly if this isn't true.
8629 // Call me paranoid. I don't care.
8632 // BYTES_PER_SEC_VBIT_NODE must be a power of two.
8635 /* This is small. Always initialise it. */
8638 /* We can't initialise ocacheL1/ocacheL2 yet, since we don't know
8639 if we need to, since the command line args haven't been
8640 processed yet. Hence defer it to mc_post_clo_init. */
8644 }
8646 /* Check some important stuff. See extensive comments above
8647 re UNALIGNED_OR_HIGH for background. */
8648 # if VG_WORDSIZE == 4
8658 # else
8669 # endif
8671 /* Check some assertions to do with the instrumentation machinery. */
8673 }
8679 /*--------------------------------------------------------------------*/
8680 /*--- end mc_main.c ---*/
8681 /*--------------------------------------------------------------------*/