| blob | be237eeb422039a3cd04a02ab52aa4b4736fb33d |
1 /* -*- mode: C; c-basic-offset: 3; -*- */
3 /*--------------------------------------------------------------------*/
4 /*--- MemCheck: Maintain bitmaps of memory, tracking the ---*/
5 /*--- accessibility (A) and validity (V) status of each byte. ---*/
6 /*--- mc_main.c ---*/
7 /*--------------------------------------------------------------------*/
9 /*
10 This file is part of MemCheck, a heavyweight Valgrind tool for
11 detecting memory errors.
13 Copyright (C) 2000-2017 Julian Seward
14 jseward@acm.org
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License as
18 published by the Free Software Foundation; either version 2 of the
19 License, or (at your option) any later version.
21 This program is distributed in the hope that it will be useful, but
22 WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24 General Public License for more details.
26 You should have received a copy of the GNU General Public License
27 along with this program; if not, see <http://www.gnu.org/licenses/>.
29 The GNU General Public License is contained in the file COPYING.
30 */
55 /* Set to 1 to do a little more sanity checking */
56 #define VG_DEBUG_MEMORY 0
64 /*------------------------------------------------------------*/
65 /*--- Fast-case knobs ---*/
66 /*------------------------------------------------------------*/
68 // Comment these out to disable the fast cases (don't just set them to zero).
70 /* PERF_FAST_LOADV is in mc_include.h */
71 #define PERF_FAST_STOREV 1
73 #define PERF_FAST_SARP 1
75 #define PERF_FAST_STACK 1
76 #define PERF_FAST_STACK2 1
78 /* Change this to 1 to enable assertions on origin tracking cache fast
79 paths */
80 #define OC_ENABLE_ASSERTIONS 0
82 /* Change this to 1 for experimental, higher precision origin tracking
83 8- and 16-bit store handling. */
84 #define OC_PRECISION_STORE 1
87 /*------------------------------------------------------------*/
88 /*--- Comments on the origin tracking implementation ---*/
89 /*------------------------------------------------------------*/
91 /* See detailed comment entitled
92 AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
93 which is contained further on in this file. */
96 /*------------------------------------------------------------*/
97 /*--- V bits and A bits ---*/
98 /*------------------------------------------------------------*/
100 /* Conceptually, every byte value has 8 V bits, which track whether Memcheck
101 thinks the corresponding value bit is defined. And every memory byte
102 has an A bit, which tracks whether Memcheck thinks the program can access
103 it safely (ie. it's mapped, and has at least one of the RWX permission bits
104 set). So every N-bit register is shadowed with N V bits, and every memory
105 byte is shadowed with 8 V bits and one A bit.
107 In the implementation, we use two forms of compression (compressed V bits
108 and distinguished secondary maps) to avoid the 9-bit-per-byte overhead
109 for memory.
111 Memcheck also tracks extra information about each heap block that is
112 allocated, for detecting memory leaks and other purposes.
113 */
115 /*------------------------------------------------------------*/
116 /*--- Basic A/V bitmap representation. ---*/
117 /*------------------------------------------------------------*/
119 /* All reads and writes are checked against a memory map (a.k.a. shadow
120 memory), which records the state of all memory in the process.
122 On 32-bit machines the memory map is organised as follows.
123 The top 16 bits of an address are used to index into a top-level
124 map table, containing 65536 entries. Each entry is a pointer to a
125 second-level map, which records the accesibililty and validity
126 permissions for the 65536 bytes indexed by the lower 16 bits of the
127 address. Each byte is represented by two bits (details are below). So
128 each second-level map contains 16384 bytes. This two-level arrangement
129 conveniently divides the 4G address space into 64k lumps, each size 64k
130 bytes.
132 All entries in the primary (top-level) map must point to a valid
133 secondary (second-level) map. Since many of the 64kB chunks will
134 have the same status for every bit -- ie. noaccess (for unused
135 address space) or entirely addressable and defined (for code segments) --
136 there are three distinguished secondary maps, which indicate 'noaccess',
137 'undefined' and 'defined'. For these uniform 64kB chunks, the primary
138 map entry points to the relevant distinguished map. In practice,
139 typically more than half of the addressable memory is represented with
140 the 'undefined' or 'defined' distinguished secondary map, so it gives a
141 good saving. It also lets us set the V+A bits of large address regions
142 quickly in set_address_range_perms().
144 On 64-bit machines it's more complicated. If we followed the same basic
145 scheme we'd have a four-level table which would require too many memory
146 accesses. So instead the top-level map table has 2^20 entries (indexed
147 using bits 16..35 of the address); this covers the bottom 64GB. Any
148 accesses above 64GB are handled with a slow, sparse auxiliary table.
149 Valgrind's address space manager tries very hard to keep things below
150 this 64GB barrier so that performance doesn't suffer too much.
152 Note that this file has a lot of different functions for reading and
153 writing shadow memory. Only a couple are strictly necessary (eg.
154 get_vabits2 and set_vabits2), most are just specialised for specific
155 common cases to improve performance.
157 Aside: the V+A bits are less precise than they could be -- we have no way
158 of marking memory as read-only. It would be great if we could add an
159 extra state VA_BITSn_READONLY. But then we'd have 5 different states,
160 which requires 2.3 bits to hold, and there's no way to do that elegantly
161 -- we'd have to double up to 4 bits of metadata per byte, which doesn't
162 seem worth it.
163 */
165 /* --------------- Basic configuration --------------- */
167 /* Only change this. N_PRIMARY_MAP *must* be a power of 2. */
169 #if VG_WORDSIZE == 4
171 /* cover the entire address space */
172 # define N_PRIMARY_BITS 16
174 #else
176 /* Just handle the first 128G fast and the rest via auxiliary
177 primaries. If you change this, Memcheck will assert at startup.
178 See the definition of UNALIGNED_OR_HIGH for extensive comments. */
179 # define N_PRIMARY_BITS 21
181 #endif
184 /* Do not change this. */
185 #define N_PRIMARY_MAP ( ((UWord)1) << N_PRIMARY_BITS)
187 /* Do not change this. */
188 #define MAX_PRIMARY_ADDRESS (Addr)((((Addr)65536) * N_PRIMARY_MAP)-1)
191 /* --------------- Secondary maps --------------- */
193 // Each byte of memory conceptually has an A bit, which indicates its
194 // addressability, and 8 V bits, which indicates its definedness.
195 //
196 // But because very few bytes are partially defined, we can use a nice
197 // compression scheme to reduce the size of shadow memory. Each byte of
198 // memory has 2 bits which indicates its state (ie. V+A bits):
199 //
200 // 00: noaccess (unaddressable but treated as fully defined)
201 // 01: undefined (addressable and fully undefined)
202 // 10: defined (addressable and fully defined)
203 // 11: partdefined (addressable and partially defined)
204 //
205 // In the "partdefined" case, we use a secondary table to store the V bits.
206 // Each entry in the secondary-V-bits table maps a byte address to its 8 V
207 // bits.
208 //
209 // We store the compressed V+A bits in 8-bit chunks, ie. the V+A bits for
210 // four bytes (32 bits) of memory are in each chunk. Hence the name
211 // "vabits8". This lets us get the V+A bits for four bytes at a time
212 // easily (without having to do any shifting and/or masking), and that is a
213 // very common operation. (Note that although each vabits8 chunk
214 // is 8 bits in size, it represents 32 bits of memory.)
215 //
216 // The representation is "inverse" little-endian... each 4 bytes of
217 // memory is represented by a 1 byte value, where:
218 //
219 // - the status of byte (a+0) is held in bits [1..0]
220 // - the status of byte (a+1) is held in bits [3..2]
221 // - the status of byte (a+2) is held in bits [5..4]
222 // - the status of byte (a+3) is held in bits [7..6]
223 //
224 // It's "inverse" because endianness normally describes a mapping from
225 // value bits to memory addresses; in this case the mapping is inverted.
226 // Ie. instead of particular value bits being held in certain addresses, in
227 // this case certain addresses are represented by particular value bits.
228 // See insert_vabits2_into_vabits8() for an example.
229 //
230 // But note that we don't compress the V bits stored in registers; they
231 // need to be explicit to made the shadow operations possible. Therefore
232 // when moving values between registers and memory we need to convert
233 // between the expanded in-register format and the compressed in-memory
234 // format. This isn't so difficult, it just requires careful attention in a
235 // few places.
237 // These represent eight bits of memory.
243 // These represent 16 bits of memory.
248 // These represent 32 bits of memory.
253 // These represent 64 bits of memory.
258 // These represent 128 bits of memory.
263 #define SM_OFF(aaa) (((aaa) & 0xffff) >> 2)
264 #define SM_OFF_16(aaa) (((aaa) & 0xffff) >> 3)
266 // Paranoia: it's critical for performance that the requested inlining
267 // occurs. So try extra hard.
268 #define INLINE inline __attribute__((always_inline))
272 }
275 }
279 typedef
283 }
284 SecMap;
286 // 3 distinguished secondary maps, one for no-access, one for
287 // accessible but undefined, and one for accessible and defined.
288 // Distinguished secondaries may never be modified.
289 #define SM_DIST_NOACCESS 0
290 #define SM_DIST_UNDEFINED 1
291 #define SM_DIST_DEFINED 2
297 }
299 // Forward declaration
302 /* dist_sm points to one of our three distinguished secondaries. Make
303 a copy of it so that we can write to it.
304 */
306 {
320 }
322 /* --------------- Stats --------------- */
335 /* # searches initiated in auxmap_L1, and # base cmps required */
338 /* # of searches that missed in auxmap_L1 and therefore had to
339 be handed to auxmap_L2. And the number of nodes inserted. */
350 {
355 n_deissued_SMs ++; }
361 n_issued_SMs ++; }
367 }
369 /* --------------- Primary maps --------------- */
371 /* The main primary map. This covers some initial part of the address
372 space, addresses 0 .. (N_PRIMARY_MAP << 16)-1. The rest of it is
373 handled using the auxiliary primary map.
374 */
375 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
376 && (defined(VGP_arm_linux) \
377 || defined(VGP_x86_linux) || defined(VGP_x86_solaris) || defined(VGP_x86_freebsd))
378 /* mc_main_asm.c needs visibility on a few things declared in this file.
379 MC_MAIN_STATIC allows to define them static if ok, i.e. on
380 platforms that are not using hand-coded asm statements. */
381 #define MC_MAIN_STATIC
382 #else
383 #define MC_MAIN_STATIC static
384 #endif
388 /* An entry in the auxiliary primary map. base must be a 64k-aligned
389 value, and sm points at the relevant secondary map. As with the
390 main primary map, the secondary may be either a real secondary, or
391 one of the three distinguished secondaries. DO NOT CHANGE THIS
392 LAYOUT: the first word has to be the key for OSet fast lookups.
393 */
394 typedef
396 Addr base;
398 }
399 AuxMapEnt;
401 /* Tunable parameter: How big is the L1 queue? */
402 #define N_AUXMAP_L1 24
404 /* Tunable parameter: How far along the L1 queue to insert
405 entries resulting from L2 lookups? */
406 #define AUXMAP_L1_INSERT_IX 12
409 Addr base;
411 }
417 {
418 Int i;
422 }
429 }
431 /* Check representation invariants; if OK return NULL; else a
432 descriptive bit of text. Also return the number of
433 non-distinguished secondary maps referred to from the auxiliary
434 primary maps. */
437 {
439 /* On a 32-bit platform, the L2 and L1 tables should
440 both remain empty forever.
442 On a 64-bit platform:
443 In the L2 table:
444 all .base & 0xFFFF == 0
445 all .base > MAX_PRIMARY_ADDRESS
446 In the L1 table:
447 all .base & 0xFFFF == 0
448 all (.base > MAX_PRIMARY_ADDRESS
449 .base & 0xFFFF == 0
450 and .ent points to an AuxMapEnt with the same .base)
451 or
452 (.base == 0 and .ent == NULL)
453 */
456 /* 32-bit platform */
463 /* 64-bit platform */
466 AuxMapEnt key;
467 /* L2 table */
470 elems_seen++;
479 }
482 /* Check L1-L2 correspondence */
494 /* Look it up in auxmap_L2. */
502 }
503 /* Check L1 contains no duplicates */
512 }
513 }
514 }
516 }
519 {
520 Word i;
527 }
530 {
531 AuxMapEnt key;
533 Word i;
538 /* First search the front-cache, which is a self-organising
539 list containing the most popular entries. */
551 }
553 n_auxmap_L1_searches++;
558 }
559 }
572 i--;
573 }
575 }
577 n_auxmap_L2_searches++;
579 /* First see if we already have it. */
587 }
590 {
593 /* First see if we already have it. */
598 /* Ok, there's no entry in the secondary map, so we'll have
599 to allocate one. */
607 n_auxmap_L2_nodes++;
609 }
611 /* --------------- SecMap fundamentals --------------- */
613 // In all these, 'low' means it's definitely in the main primary map,
614 // 'high' means it's definitely in the auxiliary table.
617 {
620 }
623 {
625 # if VG_DEBUG_MEMORY >= 1
627 # endif
629 }
632 {
635 }
638 {
642 }
645 {
647 }
650 {
652 }
655 {
660 }
663 {
668 }
670 /* Produce the secmap for 'a', either from the primary map or by
671 ensuring there is an entry for it in the aux primary map. The
672 secmap may be a distinguished one as the caller will only want to
673 be able to read it.
674 */
676 {
680 }
682 /* Produce the secmap for 'a', either from the primary map or by
683 ensuring there is an entry for it in the aux primary map. The
684 secmap may not be a distinguished one, since the caller will want
685 to be able to write it. If it is a distinguished secondary, make a
686 writable copy of it, install it, and return the copy instead. (COW
687 semantics).
688 */
690 {
694 }
696 /* If 'a' has a SecMap, produce it. Else produce NULL. But don't
697 allocate one if one doesn't already exist. This is used by the
698 leak checker.
699 */
701 {
707 }
708 }
710 /* --------------- Fundamental functions --------------- */
712 static INLINE
714 {
718 }
720 static INLINE
722 {
723 UInt shift;
728 }
730 static INLINE
732 {
736 }
738 static INLINE
740 {
741 UInt shift;
746 }
748 // Note that these four are only used in slow cases. The fast cases do
749 // clever things like combine the auxmap check (in
750 // get_secmap_{read,writ}able) with alignment checks.
752 // *** WARNING! ***
753 // Any time this function is called, if it is possible that vabits2
754 // is equal to VA_BITS2_PARTDEFINED, then the corresponding entry in the
755 // sec-V-bits table must also be set!
756 static INLINE
758 {
762 }
764 static INLINE
766 {
771 }
773 // *** WARNING! ***
774 // Any time this function is called, if it is possible that any of the
775 // 4 2-bit fields in vabits8 are equal to VA_BITS2_PARTDEFINED, then the
776 // corresponding entry(s) in the sec-V-bits table must also be set!
777 static INLINE
779 {
784 }
786 static INLINE
788 {
792 }
795 // Forward declarations
799 // Returns False if there was an addressability error.
800 static INLINE
802 {
806 // Addressable. Convert in-register format to in-memory format.
807 // Also remove any existing sec V bit entry for the byte if no
808 // longer necessary.
816 // Unaddressable! Do nothing -- when writing to unaddressable
817 // memory it acts as a black hole, and the V bits can never be seen
818 // again. So we don't have to write them at all.
820 }
822 }
824 // Returns False if there was an addressability error. In that case, we put
825 // all defined bits into vbits8.
826 static INLINE
828 {
832 // Convert the in-memory format to in-register format.
841 }
843 }
846 /* --------------- Secondary V bit table ------------ */
848 // This table holds the full V bit pattern for partially-defined bytes
849 // (PDBs) that are represented by VA_BITS2_PARTDEFINED in the main shadow
850 // memory.
851 //
852 // Note: the nodes in this table can become stale. Eg. if you write a PDB,
853 // then overwrite the same address with a fully defined byte, the sec-V-bit
854 // node will not necessarily be removed. This is because checking for
855 // whether removal is necessary would slow down the fast paths.
856 //
857 // To avoid the stale nodes building up too much, we periodically (once the
858 // table reaches a certain size) garbage collect (GC) the table by
859 // traversing it and evicting any nodes not having PDB.
860 // If more than a certain proportion of nodes survived, we increase the
861 // table size so that GCs occur less often.
862 //
863 // This policy is designed to avoid bad table bloat in the worst case where
864 // a program creates huge numbers of stale PDBs -- we would get this bloat
865 // if we had no GC -- while handling well the case where a node becomes
866 // stale but shortly afterwards is rewritten with a PDB and so becomes
867 // non-stale again (which happens quite often, eg. in perf/bz2). If we just
868 // remove all stale nodes as soon as possible, we just end up re-adding a
869 // lot of them in later again. The "sufficiently stale" approach avoids
870 // this. (If a program has many live PDBs, performance will just suck,
871 // there's no way around that.)
872 //
873 // Further comments, JRS 14 Feb 2012. It turns out that the policy of
874 // holding on to stale entries for 2 GCs before discarding them can lead
875 // to massive space leaks. So we're changing to an arrangement where
876 // lines are evicted as soon as they are observed to be stale during a
877 // GC. This also has a side benefit of allowing the sufficiently_stale
878 // field to be removed from the SecVBitNode struct, reducing its size by
879 // 8 bytes, which is a substantial space saving considering that the
880 // struct was previously 32 or so bytes, on a 64 bit target.
881 //
882 // In order to try and mitigate the problem that the "sufficiently stale"
883 // heuristic was designed to avoid, the table size is allowed to drift
884 // up ("DRIFTUP") slowly to 80000, even if the residency is low. This
885 // means that nodes will exist in the table longer on average, and hopefully
886 // will be deleted and re-added less frequently.
887 //
888 // The previous scaling up mechanism (now called STEPUP) is retained:
889 // if residency exceeds 50%, the table is scaled up, although by a
890 // factor sqrt(2) rather than 2 as before. This effectively doubles the
891 // frequency of GCs when there are many PDBs at reduces the tendency of
892 // stale PDBs to reside for long periods in the table.
896 // Stats
900 // This must be a power of two; this is checked in mc_pre_clo_init().
901 // The size chosen here is a trade-off: if the nodes are bigger (ie. cover
902 // a larger address range) they take more space but we can get multiple
903 // partially-defined bytes in one if they are close to each other, reducing
904 // the number of total nodes. In practice sometimes they are clustered (eg.
905 // perf/bz2 repeatedly writes then reads more than 20,000 in a contiguous
906 // row), but often not. So we choose something intermediate.
907 #define BYTES_PER_SEC_VBIT_NODE 16
909 // We make the table bigger by a factor of STEPUP_GROWTH_FACTOR if
910 // more than this many nodes survive a GC.
911 #define STEPUP_SURVIVOR_PROPORTION 0.5
912 #define STEPUP_GROWTH_FACTOR 1.414213562
914 // If the above heuristic doesn't apply, then we may make the table
915 // slightly bigger, by a factor of DRIFTUP_GROWTH_FACTOR, if more than
916 // this many nodes survive a GC, _and_ the total table size does
917 // not exceed a fixed limit. The numbers are somewhat arbitrary, but
918 // work tolerably well on long Firefox runs. The scaleup ratio of 1.5%
919 // effectively although gradually reduces residency and increases time
920 // between GCs for programs with small numbers of PDBs. The 80000 limit
921 // effectively limits the table size to around 2MB for programs with
922 // small numbers of PDBs, whilst giving a reasonably long lifetime to
923 // entries, to try and reduce the costs resulting from deleting and
924 // re-adding of entries.
925 #define DRIFTUP_SURVIVOR_PROPORTION 0.15
926 #define DRIFTUP_GROWTH_FACTOR 1.015
927 #define DRIFTUP_MAX_SIZE 80000
929 // We GC the table when it gets this many nodes in it, ie. it's effectively
930 // the table size. It can change.
933 // The number of GCs done, used to age sec-V-bit nodes for eviction.
934 // Because it's unsigned, wrapping doesn't matter -- the right answer will
935 // come out anyway.
938 typedef
940 Addr a;
942 }
943 SecVBitNode;
946 {
956 }
959 {
964 GCs_done++;
966 // Create the new table.
969 // Traverse the table, moving fresh nodes into the new table.
972 // Keep node if any of its bytes are non-stale. Using
973 // get_vabits2() for the lookup is not very efficient, but I don't
974 // think it matters.
977 // Found a non-stale byte, so keep =>
978 // Insert a copy of the node into the new table.
984 }
985 }
986 }
988 // Get the before and after sizes.
992 // Destroy the old table, and put the new one in its place.
999 }
1001 // Increase table size if necessary.
1008 secVBitLimit);
1009 }
1010 else
1018 secVBitLimit);
1019 }
1020 }
1023 {
1027 UChar vbits8;
1029 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1030 // make it to the secondary V bits table.
1034 }
1037 {
1041 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1042 // make it to the secondary V bits table.
1046 sec_vbits_updates++;
1048 // Do a table GC if necessary. Nb: do this before creating and
1049 // inserting the new node, to avoid erroneously GC'ing the new node.
1052 }
1054 // New node: assign the specific byte, make the rest invalid (they
1055 // should never be read as-is, but be cautious).
1060 }
1063 // Insert the new node.
1065 sec_vbits_new_nodes++;
1070 }
1071 }
1073 /* --------------- Endianness helpers --------------- */
1075 /* Returns the offset in memory of the byteno-th most significant byte
1076 in a wordszB-sized word, given the specified endianness. */
1078 UWord byteno ) {
1080 }
1083 /* --------------- Ignored address ranges --------------- */
1085 /* Denotes the address-error-reportability status for address ranges:
1086 IAR_NotIgnored: the usual case -- report errors in this range
1087 IAR_CommandLine: don't report errors -- from command line setting
1088 IAR_ClientReq: don't report errors -- from client request
1089 */
1090 typedef
1092 IAR_NotIgnored,
1093 IAR_CommandLine,
1094 IAR_ClientReq }
1095 IARKind;
1098 {
1105 }
1106 }
1108 // RangeMap<IARKind>
1112 {
1117 }
1120 {
1133 }
1135 /*NOTREACHED*/
1136 }
1139 {
1148 /* Bizarre. We have a wraparound situation. What should we do? */
1151 /* This is the expected case. */
1154 else
1156 }
1157 /*NOTREACHED*/
1159 }
1161 /* Parse two Addrs (in hex) separated by a dash, or fail. */
1164 {
1175 }
1177 /* Parse two UInts (32 bit unsigned, in decimal) separated by a dash,
1178 or fail. */
1181 {
1192 }
1194 /* Parse a set of ranges separated by commas into 'ignoreRanges', or
1195 fail. If they are valid, add them to the global set of ignored
1196 ranges. */
1198 {
1216 }
1217 /*NOTREACHED*/
1219 }
1221 /* Add or remove [start, +len) from the set of ignored ranges. */
1223 {
1228 }
1241 }
1245 UInt i;
1254 }
1255 }
1257 }
1260 /* --------------- Load/store slow cases. --------------- */
1262 static
1266 {
1272 Addr ai;
1273 UChar vbits8;
1274 Bool ok;
1276 /* Code below assumes load size is a power of two and at least 64
1277 bits. */
1280 /* If this triggers, you probably just need to increase the size of
1281 the pessim array. */
1287 }
1289 /* Make up a result V word, which contains the loaded data for
1290 valid addresses and Defined for invalid addresses. Iterate over
1291 the bytes in the word, from the most significant down to the
1292 least. The vbits to return are calculated into vbits128. Also
1293 compute the pessimising value to be used when
1294 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1295 info can be gleaned from the pessim array) but is used as a
1296 cross-check. */
1310 }
1313 }
1315 /* In the common case, all the addresses involved are valid, so we
1316 just return the computed V bits and have done. */
1320 /* If there's no possibility of getting a partial-loads-ok
1321 exemption, report the error and quit. */
1325 }
1327 /* The partial-loads-ok excemption might apply. Find out if it
1328 does. If so, don't report an addressing error, but do return
1329 Undefined for the bytes that are out of range, so as to avoid
1330 false negatives. If it doesn't apply, just report an addressing
1331 error in the usual way. */
1333 /* Some code steps along byte strings in aligned chunks
1334 even when there is only a partially defined word at the end (eg,
1335 optimised strlen). This is allowed by the memory model of
1336 modern machines, since an aligned load cannot span two pages and
1337 thus cannot "partially fault".
1339 Therefore, a load from a partially-addressible place is allowed
1340 if all of the following hold:
1341 - the command-line flag is set [by default, it isn't]
1342 - it's an aligned load
1343 - at least one of the addresses in the word *is* valid
1345 Since this suppresses the addressing error, we avoid false
1346 negatives by marking bytes undefined when they come from an
1347 invalid address.
1348 */
1350 /* "at least one of the addresses is invalid" */
1356 # if defined(VGP_s390x_linux)
1358 /* OK if all loaded bytes are from the same page. */
1360 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1361 /* lxvd2x might generate an unaligned 128 bit vector load. */
1363 # else
1364 /* OK if the address is aligned by the load size. */
1366 # endif
1369 /* Exemption applies. Use the previously computed pessimising
1370 value and return the combined result, but don't flag an
1371 addressing error. The pessimising value is Defined for valid
1372 addresses and Undefined for invalid addresses. */
1373 /* for assumption that doing bitwise or implements UifU */
1375 /* (really need "UifU" here...)
1376 vbits[j] UifU= pessim[j] (is pessimised by it, iow) */
1380 }
1382 /* Exemption doesn't apply. Flag an addressing error in the normal
1383 way. */
1385 }
1387 MC_MAIN_STATIC
1393 MC_MAIN_STATIC
1397 this function may get called from hand written assembly. */
1399 {
1402 /* ------------ BEGIN semi-fast cases ------------ */
1403 /* These deal quickly-ish with the common auxiliary primary map
1404 cases on 64-bit platforms. Are merely a speedup hack; can be
1405 omitted without loss of correctness/functionality. Note that in
1406 both cases the "sizeof(void*) == 8" causes these cases to be
1407 folded out by compilers on 32-bit platforms. These are derived
1408 from LOADV64 and LOADV32.
1409 */
1411 # if defined(VGA_mips64) && defined(VGABI_N32)
1413 # else
1415 # endif
1416 {
1424 /* else fall into the slow case */
1425 }
1427 # if defined(VGA_mips64) && defined(VGABI_N32)
1429 # else
1431 # endif
1432 {
1440 /* else fall into slow case */
1441 }
1443 /* ------------ END semi-fast cases ------------ */
1450 Addr ai;
1451 UChar vbits8;
1452 Bool ok;
1456 /* Make up a 64-bit result V word, which contains the loaded data
1457 for valid addresses and Defined for invalid addresses. Iterate
1458 over the bytes in the word, from the most significant down to
1459 the least. The vbits to return are calculated into vbits64.
1460 Also compute the pessimising value to be used when
1461 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1462 info can be gleaned from pessim64) but is used as a
1463 cross-check. */
1473 }
1475 /* In the common case, all the addresses involved are valid, so we
1476 just return the computed V bits and have done. */
1480 /* If there's no possibility of getting a partial-loads-ok
1481 exemption, report the error and quit. */
1485 }
1487 /* The partial-loads-ok excemption might apply. Find out if it
1488 does. If so, don't report an addressing error, but do return
1489 Undefined for the bytes that are out of range, so as to avoid
1490 false negatives. If it doesn't apply, just report an addressing
1491 error in the usual way. */
1493 /* Some code steps along byte strings in aligned word-sized chunks
1494 even when there is only a partially defined word at the end (eg,
1495 optimised strlen). This is allowed by the memory model of
1496 modern machines, since an aligned load cannot span two pages and
1497 thus cannot "partially fault". Despite such behaviour being
1498 declared undefined by ANSI C/C++.
1500 Therefore, a load from a partially-addressible place is allowed
1501 if all of the following hold:
1502 - the command-line flag is set [by default, it isn't]
1503 - it's a word-sized, word-aligned load
1504 - at least one of the addresses in the word *is* valid
1506 Since this suppresses the addressing error, we avoid false
1507 negatives by marking bytes undefined when they come from an
1508 invalid address.
1509 */
1511 /* "at least one of the addresses is invalid" */
1514 # if defined(VGA_mips64) && defined(VGABI_N32)
1517 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1518 /* On power unaligned loads of words are OK. */
1520 # else
1523 # endif
1524 {
1525 /* Exemption applies. Use the previously computed pessimising
1526 value for vbits64 and return the combined result, but don't
1527 flag an addressing error. The pessimising value is Defined
1528 for valid addresses and Undefined for invalid addresses. */
1529 /* for assumption that doing bitwise or implements UifU */
1531 /* (really need "UifU" here...)
1532 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1535 }
1537 /* Also, in appears that gcc generates string-stepping code in
1538 32-bit chunks on 64 bit platforms. So, also grant an exception
1539 for this case. Note that the first clause of the conditional
1540 (VG_WORDSIZE == 8) is known at compile time, so the whole clause
1541 will get folded out in 32 bit builds. */
1542 # if defined(VGA_mips64) && defined(VGABI_N32)
1545 # else
1548 # endif
1549 {
1551 /* (really need "UifU" here...)
1552 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1554 /* Mark the upper 32 bits as undefined, just to be on the safe
1555 side. */
1558 }
1560 /* Exemption doesn't apply. Flag an addressing error in the normal
1561 way. */
1565 }
1568 static
1571 {
1574 UChar vbits8;
1575 Addr ai;
1576 Bool ok;
1580 /* ------------ BEGIN semi-fast cases ------------ */
1581 /* These deal quickly-ish with the common auxiliary primary map
1582 cases on 64-bit platforms. Are merely a speedup hack; can be
1583 omitted without loss of correctness/functionality. Note that in
1584 both cases the "sizeof(void*) == 8" causes these cases to be
1585 folded out by compilers on 32-bit platforms. The logic below
1586 is somewhat similar to some cases extensively commented in
1587 MC_(helperc_STOREV8).
1588 */
1589 # if defined(VGA_mips64) && defined(VGABI_N32)
1591 # else
1593 # endif
1594 {
1601 /* Handle common case quickly: a is suitably aligned, */
1602 /* is mapped, and is addressible. */
1603 // Convert full V-bits in register to compact 2-bit form.
1610 }
1611 /* else fall into the slow case */
1612 }
1613 /* else fall into the slow case */
1614 }
1616 # if defined(VGA_mips64) && defined(VGABI_N32)
1618 # else
1620 # endif
1621 {
1628 /* Handle common case quickly: a is suitably aligned, */
1629 /* is mapped, and is addressible. */
1630 // Convert full V-bits in register to compact 2-bit form.
1637 }
1638 /* else fall into the slow case */
1639 }
1640 /* else fall into the slow case */
1641 }
1642 /* ------------ END semi-fast cases ------------ */
1646 /* Dump vbytes in memory, iterating from least to most significant
1647 byte. At the same time establish addressibility of the location. */
1655 }
1657 /* If an address error has happened, report it. */
1660 }
1663 /*------------------------------------------------------------*/
1664 /*--- Setting permissions over address ranges. ---*/
1665 /*------------------------------------------------------------*/
1668 UWord dsm_num )
1669 {
1673 Addr aNext;
1680 /* Check the V+A bits make sense. */
1685 // This code should never write PDBs; ensure this. (See comment above
1686 // set_vabits2().)
1701 }
1702 }
1704 #ifndef PERF_FAST_SARP
1705 /*------------------ debug-only case ------------------ */
1706 {
1707 // Endianness doesn't matter here because all bytes are being set to
1708 // the same value.
1709 // Nb: We don't have to worry about updating the sec-V-bits table
1710 // after these set_vabits2() calls because this code never writes
1711 // VA_BITS2_PARTDEFINED values.
1712 SizeT i;
1715 }
1717 }
1718 #endif
1720 /*------------------ standard handling ------------------ */
1722 /* Get the distinguished secondary that we might want
1723 to use (part of the space-compression scheme). */
1726 // We have to handle ranges covering various combinations of partial and
1727 // whole sec-maps. Here is how parts 1, 2 and 3 are used in each case.
1728 // Cases marked with a '*' are common.
1729 //
1730 // TYPE PARTS USED
1731 // ---- ----------
1732 // * one partial sec-map (p) 1
1733 // - one whole sec-map (P) 2
1734 //
1735 // * two partial sec-maps (pp) 1,3
1736 // - one partial, one whole sec-map (pP) 1,2
1737 // - one whole, one partial sec-map (Pp) 2,3
1738 // - two whole sec-maps (PP) 2,2
1739 //
1740 // * one partial, one whole, one partial (pPp) 1,2,3
1741 // - one partial, two whole (pPP) 1,2,2
1742 // - two whole, one partial (PPp) 2,2,3
1743 // - three whole (PPP) 2,2,2
1744 //
1745 // * one partial, N-2 whole, one partial (pP...Pp) 1,2...2,3
1746 // - one partial, N-1 whole (pP...PP) 1,2...2,2
1747 // - N-1 whole, one partial (PP...Pp) 2,2...2,3
1748 // - N whole (PP...PP) 2,2...2,3
1750 // Break up total length (lenT) into two parts: length in the first
1751 // sec-map (lenA), and the rest (lenB); lenT == lenA + lenB.
1755 // Range entirely within one sec-map. Covers almost all cases.
1760 // Range spans at least one whole sec-map, and starts at the beginning
1761 // of a sec-map; skip to Part 2.
1767 // Range spans two or more sec-maps, first one is partial.
1771 }
1773 //------------------------------------------------------------------------
1774 // Part 1: Deal with the first sec_map. Most of the time the range will be
1775 // entirely within a sec_map and this part alone will suffice. Also,
1776 // doing it this way lets us avoid repeatedly testing for the crossing of
1777 // a sec-map boundary within these loops.
1778 //------------------------------------------------------------------------
1780 // If it's distinguished, make it undistinguished if necessary.
1784 // Sec-map already has the V+A bits that we want, so skip.
1791 }
1792 }
1795 // 1 byte steps
1804 }
1805 // 8-aligned, 8 byte steps
1813 }
1814 // 1 byte steps
1822 }
1824 // We've finished the first sec-map. Is that it?
1828 //------------------------------------------------------------------------
1829 // Part 2: Fast-set entire sec-maps at a time.
1830 //------------------------------------------------------------------------
1831 part2:
1832 // 64KB-aligned, 64KB steps.
1833 // Nb: we can reach here with lenB < SM_SIZE
1842 // Free the non-distinguished sec-map that we're replacing. This
1843 // case happens moderately often, enough to be worthwhile.
1846 }
1848 // Make the sec-map entry point to the example DSM
1852 }
1854 // We've finished the whole sec-maps. Is that it?
1858 //------------------------------------------------------------------------
1859 // Part 3: Finish off the final partial sec-map, if necessary.
1860 //------------------------------------------------------------------------
1864 // If it's distinguished, make it undistinguished if necessary.
1868 // Sec-map already has the V+A bits that we want, so stop.
1874 }
1875 }
1878 // 8-aligned, 8 byte steps
1886 }
1887 // 1 byte steps
1895 }
1896 }
1899 /* --- Set permissions for arbitrary address ranges --- */
1902 {
1908 }
1911 {
1915 }
1918 {
1924 }
1926 static
1929 {
1930 UInt ecu;
1932 /* VG_(record_ExeContext) checks for validity of tid, and asserts
1933 if it is invalid. So no need to do it here. */
1940 }
1942 static
1944 {
1946 }
1948 static
1950 {
1952 }
1955 {
1961 }
1965 {
1967 }
1969 /* For each byte in [a,a+len), if the byte is addressable, make it be
1970 defined, but if it isn't addressible, leave it alone. In other
1971 words a version of MC_(make_mem_defined) that doesn't mess with
1972 addressibility. Low-performance implementation. */
1974 {
1975 SizeT i;
1976 UChar vabits2;
1984 }
1985 }
1986 }
1987 }
1989 /* Similarly (needed for mprotect handling ..) */
1991 {
1992 SizeT i;
1993 UChar vabits2;
2001 }
2002 }
2003 }
2004 }
2006 /* --- Block-copy permissions (needed for implementing realloc() and
2007 sys_mremap). --- */
2010 {
2026 /* Vectorised fast case, when no overlap and suitably aligned */
2027 /* vector loop */
2035 /* do nothing */
2037 /* have to copy secondary map info */
2046 }
2049 }
2050 /* fixup loop */
2056 }
2057 i++;
2058 len--;
2059 }
2063 /* We have to do things the slow way */
2071 }
2072 }
2073 }
2082 }
2083 }
2084 }
2085 }
2087 }
2090 /*------------------------------------------------------------*/
2091 /*--- Origin tracking stuff - cache basics ---*/
2092 /*------------------------------------------------------------*/
2094 /* AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
2095 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2097 Note that this implementation draws inspiration from the "origin
2098 tracking by value piggybacking" scheme described in "Tracking Bad
2099 Apples: Reporting the Origin of Null and Undefined Value Errors"
2100 (Michael Bond, Nicholas Nethercote, Stephen Kent, Samuel Guyer,
2101 Kathryn McKinley, OOPSLA07, Montreal, Oct 2007) but in fact it is
2102 implemented completely differently.
2104 Origin tags and ECUs -- about the shadow values
2105 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2107 This implementation tracks the defining point of all uninitialised
2108 values using so called "origin tags", which are 32-bit integers,
2109 rather than using the values themselves to encode the origins. The
2110 latter, so-called value piggybacking", is what the OOPSLA07 paper
2111 describes.
2113 Origin tags, as tracked by the machinery below, are 32-bit unsigned
2114 ints (UInts), regardless of the machine's word size. Each tag
2115 comprises an upper 30-bit ECU field and a lower 2-bit
2116 'kind' field. The ECU field is a number given out by m_execontext
2117 and has a 1-1 mapping with ExeContext*s. An ECU can be used
2118 directly as an origin tag (otag), but in fact we want to put
2119 additional information 'kind' field to indicate roughly where the
2120 tag came from. This helps print more understandable error messages
2121 for the user -- it has no other purpose. In summary:
2123 * Both ECUs and origin tags are represented as 32-bit words
2125 * m_execontext and the core-tool interface deal purely in ECUs.
2126 They have no knowledge of origin tags - that is a purely
2127 Memcheck-internal matter.
2129 * all valid ECUs have the lowest 2 bits zero and at least
2130 one of the upper 30 bits nonzero (see VG_(is_plausible_ECU))
2132 * to convert from an ECU to an otag, OR in one of the MC_OKIND_
2133 constants defined in mc_include.h.
2135 * to convert an otag back to an ECU, AND it with ~3
2137 One important fact is that no valid otag is zero. A zero otag is
2138 used by the implementation to indicate "no origin", which could
2139 mean that either the value is defined, or it is undefined but the
2140 implementation somehow managed to lose the origin.
2142 The ECU used for memory created by malloc etc is derived from the
2143 stack trace at the time the malloc etc happens. This means the
2144 mechanism can show the exact allocation point for heap-created
2145 uninitialised values.
2147 In contrast, it is simply too expensive to create a complete
2148 backtrace for each stack allocation. Therefore we merely use a
2149 depth-1 backtrace for stack allocations, which can be done once at
2150 translation time, rather than N times at run time. The result of
2151 this is that, for stack created uninitialised values, Memcheck can
2152 only show the allocating function, and not what called it.
2153 Furthermore, compilers tend to move the stack pointer just once at
2154 the start of the function, to allocate all locals, and so in fact
2155 the stack origin almost always simply points to the opening brace
2156 of the function. Net result is, for stack origins, the mechanism
2157 can tell you in which function the undefined value was created, but
2158 that's all. Users will need to carefully check all locals in the
2159 specified function.
2161 Shadowing registers and memory
2162 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2164 Memory is shadowed using a two level cache structure (ocacheL1 and
2165 ocacheL2). Memory references are first directed to ocacheL1. This
2166 is a traditional 2-way set associative cache with 32-byte lines and
2167 approximate LRU replacement within each set.
2169 A naive implementation would require storing one 32 bit otag for
2170 each byte of memory covered, a 4:1 space overhead. Instead, there
2171 is one otag for every 4 bytes of memory covered, plus a 4-bit mask
2172 that shows which of the 4 bytes have that shadow value and which
2173 have a shadow value of zero (indicating no origin). Hence a lot of
2174 space is saved, but the cost is that only one different origin per
2175 4 bytes of address space can be represented. This is a source of
2176 imprecision, but how much of a problem it really is remains to be
2177 seen.
2179 A cache line that contains all zeroes ("no origins") contains no
2180 useful information, and can be ejected from the L1 cache "for
2181 free", in the sense that a read miss on the L1 causes a line of
2182 zeroes to be installed. However, ejecting a line containing
2183 nonzeroes risks losing origin information permanently. In order to
2184 prevent such lossage, ejected nonzero lines are placed in a
2185 secondary cache (ocacheL2), which is an OSet (AVL tree) of cache
2186 lines. This can grow arbitrarily large, and so should ensure that
2187 Memcheck runs out of memory in preference to losing useful origin
2188 info due to cache size limitations.
2190 Shadowing registers is a bit tricky, because the shadow values are
2191 32 bits, regardless of the size of the register. That gives a
2192 problem for registers smaller than 32 bits. The solution is to
2193 find spaces in the guest state that are unused, and use those to
2194 shadow guest state fragments smaller than 32 bits. For example, on
2195 ppc32/64, each vector register is 16 bytes long. If 4 bytes of the
2196 shadow are allocated for the register's otag, then there are still
2197 12 bytes left over which could be used to shadow 3 other values.
2199 This implies there is some non-obvious mapping from guest state
2200 (start,length) pairs to the relevant shadow offset (for the origin
2201 tags). And it is unfortunately guest-architecture specific. The
2202 mapping is contained in mc_machine.c, which is quite lengthy but
2203 straightforward.
2205 Instrumenting the IR
2206 ~~~~~~~~~~~~~~~~~~~~
2208 Instrumentation is largely straightforward, and done by the
2209 functions schemeE and schemeS in mc_translate.c. These generate
2210 code for handling the origin tags of expressions (E) and statements
2211 (S) respectively. The rather strange names are a reference to the
2212 "compilation schemes" shown in Simon Peyton Jones' book "The
2213 Implementation of Functional Programming Languages" (Prentice Hall,
2214 1987, see
2215 http://research.microsoft.com/~simonpj/papers/slpj-book-1987/index.htm).
2217 schemeS merely arranges to move shadow values around the guest
2218 state to track the incoming IR. schemeE is largely trivial too.
2219 The only significant point is how to compute the otag corresponding
2220 to binary (or ternary, quaternary, etc) operator applications. The
2221 rule is simple: just take whichever value is larger (32-bit
2222 unsigned max). Constants get the special value zero. Hence this
2223 rule always propagates a nonzero (known) otag in preference to a
2224 zero (unknown, or more likely, value-is-defined) tag, as we want.
2225 If two different undefined values are inputs to a binary operator
2226 application, then which is propagated is arbitrary, but that
2227 doesn't matter, since the program is erroneous in using either of
2228 the values, and so there's no point in attempting to propagate
2229 both.
2231 Since constants are abstracted to (otag) zero, much of the
2232 instrumentation code can be folded out without difficulty by the
2233 generic post-instrumentation IR cleanup pass, using these rules:
2234 Max32U(0,x) -> x, Max32U(x,0) -> x, Max32(x,y) where x and y are
2235 constants is evaluated at JIT time. And the resulting dead code
2236 removal. In practice this causes surprisingly few Max32Us to
2237 survive through to backend code generation.
2239 Integration with the V-bits machinery
2240 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2242 This is again largely straightforward. Mostly the otag and V bits
2243 stuff are independent. The only point of interaction is when the V
2244 bits instrumenter creates a call to a helper function to report an
2245 uninitialised value error -- in that case it must first use schemeE
2246 to get hold of the origin tag expression for the value, and pass
2247 that to the helper too.
2249 There is the usual stuff to do with setting address range
2250 permissions. When memory is painted undefined, we must also know
2251 the origin tag to paint with, which involves some tedious plumbing,
2252 particularly to do with the fast case stack handlers. When memory
2253 is painted defined or noaccess then the origin tags must be forced
2254 to zero.
2256 One of the goals of the implementation was to ensure that the
2257 non-origin tracking mode isn't slowed down at all. To do this,
2258 various functions to do with memory permissions setting (again,
2259 mostly pertaining to the stack) are duplicated for the with- and
2260 without-otag case.
2262 Dealing with stack redzones, and the NIA cache
2263 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2265 This is one of the few non-obvious parts of the implementation.
2267 Some ABIs (amd64-ELF, ppc64-ELF, ppc32/64-XCOFF) define a small
2268 reserved area below the stack pointer, that can be used as scratch
2269 space by compiler generated code for functions. In the Memcheck
2270 sources this is referred to as the "stack redzone". The important
2271 thing here is that such redzones are considered volatile across
2272 function calls and returns. So Memcheck takes care to mark them as
2273 undefined for each call and return, on the afflicted platforms.
2274 Past experience shows this is essential in order to get reliable
2275 messages about uninitialised values that come from the stack.
2277 So the question is, when we paint a redzone undefined, what origin
2278 tag should we use for it? Consider a function f() calling g(). If
2279 we paint the redzone using an otag derived from the ExeContext of
2280 the CALL/BL instruction in f, then any errors in g causing it to
2281 use uninitialised values that happen to lie in the redzone, will be
2282 reported as having their origin in f. Which is highly confusing.
2284 The same applies for returns: if, on a return, we paint the redzone
2285 using a origin tag derived from the ExeContext of the RET/BLR
2286 instruction in g, then any later errors in f causing it to use
2287 uninitialised values in the redzone, will be reported as having
2288 their origin in g. Which is just as confusing.
2290 To do it right, in both cases we need to use an origin tag which
2291 pertains to the instruction which dynamically follows the CALL/BL
2292 or RET/BLR. In short, one derived from the NIA - the "next
2293 instruction address".
2295 To make this work, Memcheck's redzone-painting helper,
2296 MC_(helperc_MAKE_STACK_UNINIT), now takes a third argument, the
2297 NIA. It converts the NIA to a 1-element ExeContext, and uses that
2298 ExeContext's ECU as the basis for the otag used to paint the
2299 redzone. The expensive part of this is converting an NIA into an
2300 ECU, since this happens once for every call and every return. So
2301 we use a simple 511-line, 2-way set associative cache
2302 (nia_to_ecu_cache) to cache the mappings, and that knocks most of
2303 the cost out.
2305 Further background comments
2306 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2308 > Question: why is otag a UInt? Wouldn't a UWord be better? Isn't
2309 > it really just the address of the relevant ExeContext?
2311 Well, it's not the address, but a value which has a 1-1 mapping
2312 with ExeContexts, and is guaranteed not to be zero, since zero
2313 denotes (to memcheck) "unknown origin or defined value". So these
2314 UInts are just numbers starting at 4 and incrementing by 4; each
2315 ExeContext is given a number when it is created. (*** NOTE this
2316 confuses otags and ECUs; see comments above ***).
2318 Making these otags 32-bit regardless of the machine's word size
2319 makes the 64-bit implementation easier (next para). And it doesn't
2320 really limit us in any way, since for the tags to overflow would
2321 require that the program somehow caused 2^30-1 different
2322 ExeContexts to be created, in which case it is probably in deep
2323 trouble. Not to mention V will have soaked up many tens of
2324 gigabytes of memory merely to store them all.
2326 So having 64-bit origins doesn't really buy you anything, and has
2327 the following downsides:
2329 Suppose that instead, an otag is a UWord. This would mean that, on
2330 a 64-bit target,
2332 1. It becomes hard to shadow any element of guest state which is
2333 smaller than 8 bytes. To do so means you'd need to find some
2334 8-byte-sized hole in the guest state which you don't want to
2335 shadow, and use that instead to hold the otag. On ppc64, the
2336 condition code register(s) are split into 20 UChar sized pieces,
2337 all of which need to be tracked (guest_XER_SO .. guest_CR7_0)
2338 and so that would entail finding 160 bytes somewhere else in the
2339 guest state.
2341 Even on x86, I want to track origins for %AH .. %DH (bits 15:8
2342 of %EAX .. %EDX) that are separate from %AL .. %DL (bits 7:0 of
2343 same) and so I had to look for 4 untracked otag-sized areas in
2344 the guest state to make that possible.
2346 The same problem exists of course when origin tags are only 32
2347 bits, but it's less extreme.
2349 2. (More compelling) it doubles the size of the origin shadow
2350 memory. Given that the shadow memory is organised as a fixed
2351 size cache, and that accuracy of tracking is limited by origins
2352 falling out the cache due to space conflicts, this isn't good.
2354 > Another question: is the origin tracking perfect, or are there
2355 > cases where it fails to determine an origin?
2357 It is imperfect for at least for the following reasons, and
2358 probably more:
2360 * Insufficient capacity in the origin cache. When a line is
2361 evicted from the cache it is gone forever, and so subsequent
2362 queries for the line produce zero, indicating no origin
2363 information. Interestingly, a line containing all zeroes can be
2364 evicted "free" from the cache, since it contains no useful
2365 information, so there is scope perhaps for some cleverer cache
2366 management schemes. (*** NOTE, with the introduction of the
2367 second level origin tag cache, ocacheL2, this is no longer a
2368 problem. ***)
2370 * The origin cache only stores one otag per 32-bits of address
2371 space, plus 4 bits indicating which of the 4 bytes has that tag
2372 and which are considered defined. The result is that if two
2373 undefined bytes in the same word are stored in memory, the first
2374 stored byte's origin will be lost and replaced by the origin for
2375 the second byte.
2377 * Nonzero origin tags for defined values. Consider a binary
2378 operator application op(x,y). Suppose y is undefined (and so has
2379 a valid nonzero origin tag), and x is defined, but erroneously
2380 has a nonzero origin tag (defined values should have tag zero).
2381 If the erroneous tag has a numeric value greater than y's tag,
2382 then the rule for propagating origin tags though binary
2383 operations, which is simply to take the unsigned max of the two
2384 tags, will erroneously propagate x's tag rather than y's.
2386 * Some obscure uses of x86/amd64 byte registers can cause lossage
2387 or confusion of origins. %AH .. %DH are treated as different
2388 from, and unrelated to, their parent registers, %EAX .. %EDX.
2389 So some weird sequences like
2391 movb undefined-value, %AH
2392 movb defined-value, %AL
2393 .. use %AX or %EAX ..
2395 will cause the origin attributed to %AH to be ignored, since %AL,
2396 %AX, %EAX are treated as the same register, and %AH as a
2397 completely separate one.
2399 But having said all that, it actually seems to work fairly well in
2400 practice.
2401 */
2416 /* Cache of 32-bit values, one every 32 bits of address space */
2418 #define OC_BITS_PER_LINE 5
2419 #define OC_W32S_PER_LINE (1 << (OC_BITS_PER_LINE - 2))
2423 }
2426 }
2428 #define OC_LINES_PER_SET 2
2430 #define OC_N_SET_BITS 20
2431 #define OC_N_SETS (1 << OC_N_SET_BITS)
2433 /* These settings give:
2434 64 bit host: ocache: 100,663,296 sizeB 67,108,864 useful
2435 32 bit host: ocache: 92,274,688 sizeB 67,108,864 useful
2436 */
2438 #define OC_MOVE_FORWARDS_EVERY_BITS 7
2441 /* Originally (pre Dec 2021) it was the case that this code had a
2442 parameterizable cache line size, set by changing OC_BITS_PER_LINE.
2443 However, as a result of the speedup fixes necessitated by bug 446103, that
2444 is no longer really the case, and much of the L1 and L2 cache code has been
2445 tuned specifically for the case OC_BITS_PER_LINE == 5 (that is, the line
2446 size is 32 bytes). Changing that would require a bunch of re-tuning
2447 effort. So let's set it in stone for now. */
2451 /* Fundamentally we want an OCacheLine structure (see below) as follows:
2452 struct {
2453 Addr tag;
2454 UInt w32 [OC_W32S_PER_LINE];
2455 UChar descr[OC_W32S_PER_LINE];
2456 }
2457 However, in various places, we want to set the w32[] and descr[] arrays to
2458 zero, or check if they are zero. This can be a very hot path (per bug
2459 446103). So, instead, we have a union which is either those two arrays
2460 (OCacheLine_Main) or simply an array of ULongs (OCacheLine_W64s). For the
2461 set-zero/test-zero operations, the OCacheLine_W64s are used.
2462 */
2464 // To ensure that OCacheLine.descr[] will fit in an integral number of ULongs.
2472 typedef
2475 typedef
2479 }
2480 OCacheLine_Main;
2484 typedef
2486 Addr tag;
2488 OCacheLine_W64s w64s;
2489 OCacheLine_Main main;
2491 }
2492 OCacheLine;
2494 /* Classify and also sanity-check 'line'. Return 'e' (empty) if not
2495 in use, 'n' (nonzero) if it contains at least one valid origin tag,
2496 and 'z' if all the represented tags are zero. */
2498 {
2499 UWord i;
2504 // BEGIN fast special-case of the test loop below. This will detect
2505 // zero-ness (case 'z') for a subset of cases that the loop below will,
2506 // hence is safe.
2512 }
2515 }
2516 // END fast special-case of the test loop below.
2522 }
2524 }
2526 typedef
2529 }
2530 OCacheSet;
2532 typedef
2535 }
2536 OCache;
2543 {
2551 }
2557 }
2558 }
2560 }
2563 {
2564 OCacheLine tmp;
2565 stats_ocacheL1_movefwds++;
2570 }
2573 UWord i;
2575 // BEGIN fast special-case of the loop below
2582 // END fast special-case of the loop below
2588 }
2589 }
2591 }
2593 //////////////////////////////////////////////////////////////
2594 //// OCache backing store
2596 // The backing store for ocacheL1 is, conceptually, an AVL tree of lines that
2597 // got ejected from the L1 (a "victim cache"), and which actually contain
2598 // useful info -- that is, for which classify_OCacheLine would return 'n' and
2599 // no other value. However, the tree can grow large, and searching/updating
2600 // it can be hot paths. Hence we "take out" 12 significant bits of the key by
2601 // having 4096 trees, and select one using HASH_OCACHE_TAG.
2602 //
2603 // What that hash function returns isn't important so long as it is a pure
2604 // function of the tag values, and is < 4096. However, it is critical for
2605 // performance of long SARPs. Hence the extra shift of 11 bits. This means
2606 // each tree conceptually is assigned to contiguous sequences of 2048 lines in
2607 // the "line address space", giving some locality of reference when scanning
2608 // linearly through address space, as is done by a SARP. Changing that 11 to
2609 // 0 gives terrible performance on long SARPs, presumably because each new
2610 // line is in a different tree, hence we wind up thrashing the (CPU's) caches.
2611 //
2612 // On 32-bit targets, we have to be a bit careful not to shift out so many
2613 // bits that not all 2^12 trees get used. That leads to the constraint
2614 // (OC_BITS_PER_LINE + 11 + 12) < 32. Note that the 11 is the only thing we
2615 // can change here. In this case we have OC_BITS_PER_LINE == 5, hence the
2616 // inequality is (28 < 32) and so we're good.
2617 //
2618 // The value 11 was determined empirically from various Firefox runs. 10 or
2619 // 12 also work pretty well.
2626 }
2630 }
2633 }
2635 /* Stats: # nodes currently in tree */
2639 {
2648 }
2650 }
2652 /* Find line with the given tag in the tree, or NULL if not found. */
2654 {
2657 stats__ocacheL2_finds++;
2661 }
2663 /* Delete the line with the given tag from the tree, if it is present, and
2664 free up the associated memory. */
2666 {
2669 stats__ocacheL2_dels++;
2675 stats__ocacheL2_n_nodes--;
2676 }
2677 }
2679 /* Add a copy of the given line to the tree. It must not already be
2680 present. */
2682 {
2688 stats__ocacheL2_adds++;
2690 stats__ocacheL2_n_nodes++;
2693 }
2695 ////
2696 //////////////////////////////////////////////////////////////
2700 {
2702 UChar c;
2703 UWord line;
2709 /* we already tried line == 0; skip therefore. */
2713 stats_ocacheL1_found_at_1++;
2715 stats_ocacheL1_found_at_N++;
2716 }
2720 line--;
2721 }
2723 }
2724 }
2726 /* A miss. Use the last slot. Implicitly this means we're
2727 ejecting the line in the last slot. */
2728 stats_ocacheL1_misses++;
2730 line--;
2733 /* First, move the to-be-ejected line to the L2 cache. */
2738 /* the line is empty (has invalid tag); ignore it. */
2741 /* line contains zeroes. We must ensure the backing store is
2742 updated accordingly, either by copying the line there
2743 verbatim, or by ensuring it isn't present there. We
2744 choose the latter on the basis that it reduces the size of
2745 the backing store. */
2749 /* line contains at least one real, useful origin. Copy it
2750 to the backing store. */
2751 stats_ocacheL1_lossage++;
2757 }
2761 }
2763 /* Now we must reload the L1 cache from the backing tree, if
2764 possible. */
2768 /* We're in luck. It's in the L2. */
2771 /* Missed at both levels of the cache hierarchy. We have to
2772 declare it as full of zeroes (unknown origins). */
2773 stats__ocacheL2_misses++;
2775 }
2777 /* Move it one forwards */
2779 line--;
2782 }
2785 {
2790 stats_ocacheL1_find++;
2795 }
2799 }
2802 }
2805 {
2806 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2807 //// Set the origins for a+0 .. a+7
2813 }
2819 }
2820 //// END inlined, specialised version of MC_(helperc_b_store8)
2821 }
2824 /*------------------------------------------------------------*/
2825 /*--- Aligned fast case permission setters, ---*/
2826 /*--- for dealing with stacks ---*/
2827 /*------------------------------------------------------------*/
2829 /*--------------------- 32-bit ---------------------*/
2831 /* Nb: by "aligned" here we mean 4-byte aligned */
2834 {
2837 #ifndef PERF_FAST_STACK2
2839 #else
2840 {
2841 UWord sm_off;
2848 }
2853 }
2854 #endif
2855 }
2857 static INLINE
2859 {
2861 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2862 //// Set the origins for a+0 .. a+3
2867 }
2871 }
2872 //// END inlined, specialised version of MC_(helperc_b_store4)
2873 }
2875 static INLINE
2877 {
2880 #ifndef PERF_FAST_STACK2
2882 #else
2883 {
2884 UWord sm_off;
2891 }
2897 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2898 //// Set the origins for a+0 .. a+3.
2904 }
2907 }
2908 //// END inlined, specialised version of MC_(helperc_b_store4)
2909 }
2910 #endif
2911 }
2913 /*--------------------- 64-bit ---------------------*/
2915 /* Nb: by "aligned" here we mean 8-byte aligned */
2918 {
2921 #ifndef PERF_FAST_STACK2
2923 #else
2924 {
2925 UWord sm_off16;
2932 }
2937 }
2938 #endif
2939 }
2941 static INLINE
2943 {
2945 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2946 //// Set the origins for a+0 .. a+7
2955 }
2956 //// END inlined, specialised version of MC_(helperc_b_store8)
2957 }
2959 static INLINE
2961 {
2964 #ifndef PERF_FAST_STACK2
2966 #else
2967 {
2968 UWord sm_off16;
2975 }
2981 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2982 //// Clear the origins for a+0 .. a+7.
2990 }
2991 //// END inlined, specialised version of MC_(helperc_b_store8)
2992 }
2993 #endif
2994 }
2997 /*------------------------------------------------------------*/
2998 /*--- Stack pointer adjustment ---*/
2999 /*------------------------------------------------------------*/
3001 #ifdef PERF_FAST_STACK
3002 # define MAYBE_USED
3003 #else
3004 # define MAYBE_USED __attribute__((unused))
3005 #endif
3007 /*--------------- adjustment by 4 bytes ---------------*/
3009 MAYBE_USED
3011 {
3018 }
3019 }
3021 MAYBE_USED
3023 {
3029 }
3030 }
3032 MAYBE_USED
3034 {
3040 }
3041 }
3043 /*--------------- adjustment by 8 bytes ---------------*/
3045 MAYBE_USED
3047 {
3057 }
3058 }
3060 MAYBE_USED
3062 {
3071 }
3072 }
3074 MAYBE_USED
3076 {
3085 }
3086 }
3088 /*--------------- adjustment by 12 bytes ---------------*/
3090 MAYBE_USED
3092 {
3099 /* from previous test we don't have 8-alignment at offset +0,
3100 hence must have 8 alignment at offsets +4/-4. Hence safe to
3101 do 4 at +0 and then 8 at +4/. */
3106 }
3107 }
3109 MAYBE_USED
3111 {
3117 /* from previous test we don't have 8-alignment at offset +0,
3118 hence must have 8 alignment at offsets +4/-4. Hence safe to
3119 do 4 at +0 and then 8 at +4/. */
3124 }
3125 }
3127 MAYBE_USED
3129 {
3131 /* Note the -12 in the test */
3133 /* We have 8-alignment at -12, hence ok to do 8 at -12 and 4 at
3134 -4. */
3138 /* We have 4-alignment at +0, but we don't have 8-alignment at
3139 -12. So we must have 8-alignment at -8. Hence do 4 at -12
3140 and then 8 at -8. */
3145 }
3146 }
3148 /*--------------- adjustment by 16 bytes ---------------*/
3150 MAYBE_USED
3152 {
3156 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3160 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3161 Hence do 4 at +0, 8 at +4, 4 at +12. */
3167 }
3168 }
3170 MAYBE_USED
3172 {
3175 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3179 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3180 Hence do 4 at +0, 8 at +4, 4 at +12. */
3186 }
3187 }
3189 MAYBE_USED
3191 {
3194 /* Have 8-alignment at +0, hence do 8 at -16 and 8 at -8. */
3198 /* 8 alignment must be at -12. Do 4 at -16, 8 at -12, 4 at -4. */
3204 }
3205 }
3207 /*--------------- adjustment by 32 bytes ---------------*/
3209 MAYBE_USED
3211 {
3215 /* Straightforward */
3221 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3222 +0,+28. */
3230 }
3231 }
3233 MAYBE_USED
3235 {
3238 /* Straightforward */
3244 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3245 +0,+28. */
3253 }
3254 }
3256 MAYBE_USED
3258 {
3261 /* Straightforward */
3267 /* 8 alignment must be at -4 etc. Hence do 8 at -12,-20,-28 and
3268 4 at -32,-4. */
3276 }
3277 }
3279 /*--------------- adjustment by 112 bytes ---------------*/
3281 MAYBE_USED
3283 {
3303 }
3304 }
3306 MAYBE_USED
3308 {
3327 }
3328 }
3330 MAYBE_USED
3332 {
3351 }
3352 }
3354 /*--------------- adjustment by 128 bytes ---------------*/
3356 MAYBE_USED
3358 {
3380 }
3381 }
3383 MAYBE_USED
3385 {
3406 }
3407 }
3409 MAYBE_USED
3411 {
3432 }
3433 }
3435 /*--------------- adjustment by 144 bytes ---------------*/
3437 MAYBE_USED
3439 {
3463 }
3464 }
3466 MAYBE_USED
3468 {
3491 }
3492 }
3494 MAYBE_USED
3496 {
3519 }
3520 }
3522 /*--------------- adjustment by 160 bytes ---------------*/
3524 MAYBE_USED
3526 {
3552 }
3553 }
3555 MAYBE_USED
3557 {
3582 }
3583 }
3585 MAYBE_USED
3587 {
3612 }
3613 }
3615 /*--------------- adjustment by N bytes ---------------*/
3618 {
3622 }
3625 {
3628 }
3631 {
3634 }
3637 /* The AMD64 ABI says:
3639 "The 128-byte area beyond the location pointed to by %rsp is considered
3640 to be reserved and shall not be modified by signal or interrupt
3641 handlers. Therefore, functions may use this area for temporary data
3642 that is not needed across function calls. In particular, leaf functions
3643 may use this area for their entire stack frame, rather than adjusting
3644 the stack pointer in the prologue and epilogue. This area is known as
3645 red zone [sic]."
3647 So after any call or return we need to mark this redzone as containing
3648 undefined values.
3650 Consider this: we're in function f. f calls g. g moves rsp down
3651 modestly (say 16 bytes) and writes stuff all over the red zone, making it
3652 defined. g returns. f is buggy and reads from parts of the red zone
3653 that it didn't write on. But because g filled that area in, f is going
3654 to be picking up defined V bits and so any errors from reading bits of
3655 the red zone it didn't write, will be missed. The only solution I could
3656 think of was to make the red zone undefined when g returns to f.
3658 This is in accordance with the ABI, which makes it clear the redzone
3659 is volatile across function calls.
3661 The problem occurs the other way round too: f could fill the RZ up
3662 with defined values and g could mistakenly read them. So the RZ
3663 also needs to be nuked on function calls.
3664 */
3667 /* Here's a simple cache to hold nia -> ECU mappings. It could be
3668 improved so as to have a lower miss rate. */
3673 typedef
3676 WCacheEnt;
3678 #define N_NIA_TO_ECU_CACHE 511
3683 {
3684 UWord i;
3687 UInt zero_ecu;
3688 /* Fill all the slots with an entry for address zero, and the
3689 relevant otags accordingly. Hence the cache is initially filled
3690 with valid data. */
3700 }
3701 }
3704 {
3705 UWord i;
3706 UInt ecu;
3711 stats__nia_cache_queries++;
3719 # define SWAP(_w1,_w2) { UWord _t = _w1; _w1 = _w2; _w2 = _t; }
3722 # undef SWAP
3724 }
3726 stats__nia_cache_misses++;
3738 }
3741 /* This marks the stack as addressible but undefined, after a call or
3742 return for a target that has an ABI defined stack redzone. It
3743 happens quite a lot and needs to be fast. This is the version for
3744 origin tracking. The non-origin-tracking version is below. */
3747 {
3758 # if 0
3759 /* Slow(ish) version, which is fairly easily seen to be correct.
3760 */
3783 }
3784 # endif
3786 /* Idea is: go fast when
3787 * 8-aligned and length is 128
3788 * the sm is available in the main primary map
3789 * the address range falls entirely with a single secondary map
3790 If all those conditions hold, just update the V+A bits by writing
3791 directly into the vabits array. (If the sm was distinguished, this
3792 will make a copy and then write to it.)
3793 */
3795 /* Now we know the address range is suitably sized and aligned. */
3800 /* Now we know the entire range is within the main primary map. */
3804 /* Now we know that the entire address range falls within a
3805 single secondary map, and that that secondary 'lives' in
3806 the main primary map. */
3843 }
3844 }
3845 }
3847 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3849 /* Now we know the address range is suitably sized and aligned. */
3857 /* Now we know that the entire address range falls within a
3858 single secondary map, and that that secondary 'lives' in
3859 the main primary map. */
3936 }
3937 }
3938 }
3940 /* else fall into slow case */
3942 }
3945 /* This is a version of MC_(helperc_MAKE_STACK_UNINIT_w_o) that is
3946 specialised for the non-origin-tracking case. */
3949 {
3955 # if 0
3956 /* Slow(ish) version, which is fairly easily seen to be correct.
3957 */
3980 }
3981 # endif
3983 /* Idea is: go fast when
3984 * 8-aligned and length is 128
3985 * the sm is available in the main primary map
3986 * the address range falls entirely with a single secondary map
3987 If all those conditions hold, just update the V+A bits by writing
3988 directly into the vabits array. (If the sm was distinguished, this
3989 will make a copy and then write to it.)
3990 */
3992 /* Now we know the address range is suitably sized and aligned. */
3997 /* Now we know the entire range is within the main primary map. */
4001 /* Now we know that the entire address range falls within a
4002 single secondary map, and that that secondary 'lives' in
4003 the main primary map. */
4024 }
4025 }
4026 }
4028 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
4030 /* Now we know the address range is suitably sized and aligned. */
4038 /* Now we know that the entire address range falls within a
4039 single secondary map, and that that secondary 'lives' in
4040 the main primary map. */
4081 }
4082 }
4083 }
4085 /* else fall into slow case */
4087 }
4090 /* And this is an even more specialised case, for the case where there
4091 is no origin tracking, and the length is 128. */
4094 {
4099 # if 0
4100 /* Slow(ish) version, which is fairly easily seen to be correct.
4101 */
4124 }
4125 # endif
4127 /* Idea is: go fast when
4128 * 16-aligned and length is 128
4129 * the sm is available in the main primary map
4130 * the address range falls entirely with a single secondary map
4131 If all those conditions hold, just update the V+A bits by writing
4132 directly into the vabits array. (If the sm was distinguished, this
4133 will make a copy and then write to it.)
4135 Typically this applies to amd64 'ret' instructions, since RSP is
4136 16-aligned (0 % 16) after the instruction (per the amd64-ELF ABI).
4137 */
4139 /* Now we know the address range is suitably sized and aligned. */
4142 /* FIXME: come up with a sane story on the wraparound case
4143 (which of course cnanot happen, but still..) */
4146 /* Now we know the entire range is within the main primary map. */
4150 /* Now we know that the entire address range falls within a
4151 single secondary map, and that that secondary 'lives' in
4152 the main primary map. */
4166 }
4167 }
4168 }
4170 /* The same, but for when base is 8 % 16, which is the situation
4171 with RSP for amd64-ELF immediately after call instructions.
4172 */
4174 /* Now we know the address range is suitably sized and aligned. */
4177 /* FIXME: come up with a sane story on the wraparound case
4178 (which of course cnanot happen, but still..) */
4181 /* Now we know the entire range is within the main primary map. */
4186 /* Now we know that the entire address range falls within a
4187 single secondary map, and that that secondary 'lives' in
4188 the main primary map. */
4193 /* The following assertion is commented out for obvious
4194 performance reasons, but was verified as valid when
4195 running the entire testsuite and also Firefox. */
4196 /* tl_assert(VG_IS_4_ALIGNED(w32)); */
4207 }
4208 }
4209 }
4211 /* else fall into slow case */
4214 }
4217 /*------------------------------------------------------------*/
4218 /*--- Checking memory ---*/
4219 /*------------------------------------------------------------*/
4221 typedef
4226 }
4227 MC_ReadResult;
4230 /* Check permissions for address range. If inadequate permissions
4231 exist, *bad_addr is set to the offending address, so the caller can
4232 know what it is. */
4234 /* Returns True if [a .. a+len) is not addressible. Otherwise,
4235 returns False, and if bad_addr is non-NULL, sets *bad_addr to
4236 indicate the lowest failing address. Functions below are
4237 similar. */
4239 {
4240 SizeT i;
4241 UWord vabits2;
4250 }
4251 a++;
4252 }
4254 }
4258 {
4259 SizeT i;
4260 UWord vabits2;
4269 }
4270 a++;
4271 }
4273 }
4278 {
4279 SizeT i;
4280 UWord vabits2;
4291 // Error! Nb: Report addressability errors in preference to
4292 // definedness errors. And don't report definedeness errors unless
4293 // --undef-value-errors=yes.
4296 }
4299 }
4303 }
4305 }
4306 }
4307 a++;
4308 }
4310 }
4313 /* Like is_mem_defined but doesn't give up at the first uninitialised
4314 byte -- the entire range is always checked. This is important for
4315 detecting errors in the case where a checked range strays into
4316 invalid memory, but that fact is not detected by the ordinary
4317 is_mem_defined(), because of an undefined section that precedes the
4318 out of range section, possibly as a result of an alignment hole in
4319 the checked data. This version always checks the entire range and
4320 can report both a definedness and an accessbility error, if
4321 necessary. */
4329 )
4330 {
4331 SizeT i;
4332 UWord vabits2;
4345 a++;
4356 }
4358 }
4367 }
4368 }
4369 }
4372 /* Check a zero-terminated ascii string. Tricky -- don't want to
4373 examine the actual bytes, to find the end, until we're sure it is
4374 safe to do so. */
4377 {
4378 UWord vabits2;
4389 // Error! Nb: Report addressability errors in preference to
4390 // definedness errors. And don't report definedeness errors unless
4391 // --undef-value-errors=yes.
4394 }
4397 }
4401 }
4403 }
4404 }
4405 /* Ok, a is safe to read. */
4408 }
4409 a++;
4410 }
4411 }
4414 /*------------------------------------------------------------*/
4415 /*--- Memory event handlers ---*/
4416 /*------------------------------------------------------------*/
4418 static
4421 {
4422 Addr bad_addr;
4438 }
4439 }
4440 }
4442 static
4445 {
4447 Addr bad_addr;
4463 /* If we're being asked to jump to a silly address, record an error
4464 message before potentially crashing the entire system. */
4471 }
4472 }
4473 }
4475 static
4478 {
4479 MC_ReadResult res;
4489 }
4490 }
4492 /* Handling of mmap and mprotect is not as simple as it seems.
4494 The underlying semantics are that memory obtained from mmap is
4495 always initialised, but may be inaccessible. And changes to the
4496 protection of memory do not change its contents and hence not its
4497 definedness state. Problem is we can't model
4498 inaccessible-but-with-some-definedness state; once we mark memory
4499 as inaccessible we lose all info about definedness, and so can't
4500 restore that if it is later made accessible again.
4502 One obvious thing to do is this:
4504 mmap/mprotect NONE -> noaccess
4505 mmap/mprotect other -> defined
4507 The problem case here is: taking accessible memory, writing
4508 uninitialised data to it, mprotecting it NONE and later mprotecting
4509 it back to some accessible state causes the undefinedness to be
4510 lost.
4512 A better proposal is:
4514 (1) mmap NONE -> make noaccess
4515 (2) mmap other -> make defined
4517 (3) mprotect NONE -> # no change
4518 (4) mprotect other -> change any "noaccess" to "defined"
4520 (2) is OK because memory newly obtained from mmap really is defined
4521 (zeroed out by the kernel -- doing anything else would
4522 constitute a massive security hole.)
4524 (1) is OK because the only way to make the memory usable is via
4525 (4), in which case we also wind up correctly marking it all as
4526 defined.
4528 (3) is the weak case. We choose not to change memory state.
4529 (presumably the range is in some mixture of "defined" and
4530 "undefined", viz, accessible but with arbitrary V bits). Doing
4531 nothing means we retain the V bits, so that if the memory is
4532 later mprotected "other", the V bits remain unchanged, so there
4533 can be no false negatives. The bad effect is that if there's
4534 an access in the area, then MC cannot warn; but at least we'll
4535 get a SEGV to show, so it's better than nothing.
4537 Consider the sequence (3) followed by (4). Any memory that was
4538 "defined" or "undefined" previously retains its state (as
4539 required). Any memory that was "noaccess" before can only have
4540 been made that way by (1), and so it's OK to change it to
4541 "defined".
4543 See https://bugs.kde.org/show_bug.cgi?id=205541
4544 and https://bugs.kde.org/show_bug.cgi?id=210268
4545 */
4546 static
4548 ULong di_handle )
4549 {
4551 /* (2) mmap/mprotect other -> defined */
4554 /* (1) mmap/mprotect NONE -> noaccess */
4556 }
4557 }
4559 static
4561 {
4563 /* (4) mprotect other -> change any "noaccess" to "defined" */
4566 /* (3) mprotect NONE -> # no change */
4567 /* do nothing */
4568 }
4569 }
4572 static
4575 {
4576 // Because code is defined, initialised variables get put in the data
4577 // segment and are defined, and uninitialised variables get put in the
4578 // bss segment and are auto-zeroed (and so defined).
4579 //
4580 // It's possible that there will be padding between global variables.
4581 // This will also be auto-zeroed, and marked as defined by Memcheck. If
4582 // a program uses it, Memcheck will not complain. This is arguably a
4583 // false negative, but it's a grey area -- the behaviour is defined (the
4584 // padding is zeroed) but it's probably not what the user intended. And
4585 // we can't avoid it.
4586 //
4587 // Note: we generally ignore RWX permissions, because we can't track them
4588 // without requiring more than one A bit which would slow things down a
4589 // lot. But on Darwin the 0th page is mapped but !R and !W and !X.
4590 // So we mark any such pages as "unaddressable".
4594 }
4596 static
4598 {
4600 }
4603 /*------------------------------------------------------------*/
4604 /*--- Register event handlers ---*/
4605 /*------------------------------------------------------------*/
4607 /* Try and get a nonzero origin for the guest state section of thread
4608 tid characterised by (offset,size). Return 0 if nothing to show
4609 for it. */
4612 {
4613 Int sh2off;
4615 UInt otag;
4628 }
4631 /* When some chunk of guest state is written, mark the corresponding
4632 shadow area as valid. This is used to initialise arbitrarily large
4633 chunks of guest state, hence the _SIZE value, which has to be as
4634 big as the biggest guest state.
4635 */
4638 {
4639 # define MAX_REG_WRITE_SIZE 2264
4644 # undef MAX_REG_WRITE_SIZE
4645 }
4647 static
4650 {
4652 }
4654 /* Look at the definedness of the guest's shadow state for
4655 [offset, offset+len). If any part of that is undefined, record
4656 a parameter error.
4657 */
4660 {
4661 Int i;
4662 Bool bad;
4663 UInt otag;
4675 }
4676 }
4681 /* We've found some undefinedness. See if we can also find an
4682 origin for it. */
4685 }
4688 /*------------------------------------------------------------*/
4689 /*--- Register-memory event handlers ---*/
4690 /*------------------------------------------------------------*/
4694 {
4695 SizeT i;
4696 UChar vbits8;
4697 Int offset;
4698 UInt d32;
4700 /* Slow loop. */
4705 }
4710 /* Track origins. */
4736 }
4739 }
4743 SizeT size )
4744 {
4745 SizeT i;
4746 UChar vbits8;
4747 Int offset;
4748 UInt d32;
4750 /* Slow loop. */
4755 }
4760 /* Track origins. */
4787 }
4788 }
4791 /*------------------------------------------------------------*/
4792 /*--- Some static assertions ---*/
4793 /*------------------------------------------------------------*/
4795 /* The handwritten assembly helpers below have baked-in assumptions
4796 about various constant values. These assertions attempt to make
4797 that a bit safer by checking those values and flagging changes that
4798 would make the assembly invalid. Not perfect but it's better than
4799 nothing. */
4822 /*------------------------------------------------------------*/
4823 /*--- Functions called directly from generated code: ---*/
4824 /*--- Load/store handlers. ---*/
4825 /*------------------------------------------------------------*/
4827 /* Types: LOADV32, LOADV16, LOADV8 are:
4828 UWord fn ( Addr a )
4829 so they return 32-bits on 32-bit machines and 64-bits on
4830 64-bit machines. Addr has the same size as a host word.
4832 LOADV64 is always ULong fn ( Addr a )
4834 Similarly for STOREV8, STOREV16, STOREV32, the supplied vbits
4835 are a UWord, and for STOREV64 they are a ULong.
4836 */
4838 /* If any part of '_a' indicated by the mask is 1, either '_a' is not
4839 naturally '_sz/8'-aligned, or it exceeds the range covered by the
4840 primary map. This is all very tricky (and important!), so let's
4841 work through the maths by hand (below), *and* assert for these
4842 values at startup. */
4843 #define MASK(_szInBytes) \
4844 ( ~((0x10000UL-(_szInBytes)) | ((N_PRIMARY_MAP-1) << 16)) )
4846 /* MASK only exists so as to define this macro. */
4847 #define UNALIGNED_OR_HIGH(_a,_szInBits) \
4848 ((_a) & MASK((_szInBits>>3)))
4850 /* On a 32-bit machine:
4852 N_PRIMARY_BITS == 16, so
4853 N_PRIMARY_MAP == 0x10000, so
4854 N_PRIMARY_MAP-1 == 0xFFFF, so
4855 (N_PRIMARY_MAP-1) << 16 == 0xFFFF0000, and so
4857 MASK(1) = ~ ( (0x10000 - 1) | 0xFFFF0000 )
4858 = ~ ( 0xFFFF | 0xFFFF0000 )
4859 = ~ 0xFFFF'FFFF
4860 = 0
4862 MASK(2) = ~ ( (0x10000 - 2) | 0xFFFF0000 )
4863 = ~ ( 0xFFFE | 0xFFFF0000 )
4864 = ~ 0xFFFF'FFFE
4865 = 1
4867 MASK(4) = ~ ( (0x10000 - 4) | 0xFFFF0000 )
4868 = ~ ( 0xFFFC | 0xFFFF0000 )
4869 = ~ 0xFFFF'FFFC
4870 = 3
4872 MASK(8) = ~ ( (0x10000 - 8) | 0xFFFF0000 )
4873 = ~ ( 0xFFF8 | 0xFFFF0000 )
4874 = ~ 0xFFFF'FFF8
4875 = 7
4877 Hence in the 32-bit case, "a & MASK(1/2/4/8)" is a nonzero value
4878 precisely when a is not 1/2/4/8-bytes aligned. And obviously, for
4879 the 1-byte alignment case, it is always a zero value, since MASK(1)
4880 is zero. All as expected.
4882 On a 64-bit machine, it's more complex, since we're testing
4883 simultaneously for misalignment and for the address being at or
4884 above 64G:
4886 N_PRIMARY_BITS == 20, so
4887 N_PRIMARY_MAP == 0x100000, so
4888 N_PRIMARY_MAP-1 == 0xFFFFF, so
4889 (N_PRIMARY_MAP-1) << 16 == 0xF'FFFF'0000, and so
4891 MASK(1) = ~ ( (0x10000 - 1) | 0xF'FFFF'0000 )
4892 = ~ ( 0xFFFF | 0xF'FFFF'0000 )
4893 = ~ 0xF'FFFF'FFFF
4894 = 0xFFFF'FFF0'0000'0000
4896 MASK(2) = ~ ( (0x10000 - 2) | 0xF'FFFF'0000 )
4897 = ~ ( 0xFFFE | 0xF'FFFF'0000 )
4898 = ~ 0xF'FFFF'FFFE
4899 = 0xFFFF'FFF0'0000'0001
4901 MASK(4) = ~ ( (0x10000 - 4) | 0xF'FFFF'0000 )
4902 = ~ ( 0xFFFC | 0xF'FFFF'0000 )
4903 = ~ 0xF'FFFF'FFFC
4904 = 0xFFFF'FFF0'0000'0003
4906 MASK(8) = ~ ( (0x10000 - 8) | 0xF'FFFF'0000 )
4907 = ~ ( 0xFFF8 | 0xF'FFFF'0000 )
4908 = ~ 0xF'FFFF'FFF8
4909 = 0xFFFF'FFF0'0000'0007
4910 */
4912 /*------------------------------------------------------------*/
4913 /*--- LOADV256 and LOADV128 ---*/
4914 /*------------------------------------------------------------*/
4916 static INLINE
4919 {
4922 #ifndef PERF_FAST_LOADV
4925 #else
4926 {
4936 }
4938 /* Handle common cases quickly: a (and a+8 and a+16 etc.) is
4939 suitably aligned, is mapped, and addressible. */
4945 // Convert V bits from compact memory form to expanded
4946 // register form.
4952 /* Slow case: some block of 8 bytes are not all-defined or
4953 all-undefined. */
4957 }
4958 }
4960 }
4961 #endif
4962 }
4965 {
4967 }
4969 {
4971 }
4974 {
4976 }
4978 {
4980 }
4982 /*------------------------------------------------------------*/
4983 /*--- LOADV64 ---*/
4984 /*------------------------------------------------------------*/
4986 static INLINE
4988 {
4991 #ifndef PERF_FAST_LOADV
4993 #else
4994 {
5001 }
5007 // Handle common case quickly: a is suitably aligned, is mapped, and
5008 // addressible.
5009 // Convert V bits from compact memory form to expanded register form.
5015 /* Slow case: the 8 bytes are not all-defined or all-undefined. */
5018 }
5019 }
5020 #endif
5021 }
5023 // Generic for all platforms
5025 {
5027 }
5029 // Non-generic assembly for arm32-linux
5030 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5031 && defined(VGP_arm_linux)
5032 /* See mc_main_asm.c */
5034 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5035 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris) || defined(VGP_x86_freebsd))
5036 /* See mc_main_asm.c */
5038 #else
5039 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5041 {
5043 }
5044 #endif
5046 /*------------------------------------------------------------*/
5047 /*--- STOREV64 ---*/
5048 /*------------------------------------------------------------*/
5050 static INLINE
5052 {
5055 #ifndef PERF_FAST_STOREV
5056 // XXX: this slow case seems to be marginally faster than the fast case!
5057 // Investigate further.
5059 #else
5060 {
5068 }
5074 // To understand the below cleverness, see the extensive comments
5075 // in MC_(helperc_STOREV8).
5079 }
5083 }
5087 }
5091 }
5095 }
5099 }
5103 }
5104 #endif
5105 }
5108 {
5110 }
5112 {
5114 }
5116 /*------------------------------------------------------------*/
5117 /*--- LOADV32 ---*/
5118 /*------------------------------------------------------------*/
5120 static INLINE
5122 {
5125 #ifndef PERF_FAST_LOADV
5127 #else
5128 {
5135 }
5141 // Handle common case quickly: a is suitably aligned, is mapped, and the
5142 // entire word32 it lives in is addressible.
5143 // Convert V bits from compact memory form to expanded register form.
5144 // For 64-bit platforms, set the high 32 bits of retval to 1 (undefined).
5145 // Almost certainly not necessary, but be paranoid.
5151 /* Slow case: the 4 bytes are not all-defined or all-undefined. */
5154 }
5155 }
5156 #endif
5157 }
5159 // Generic for all platforms
5161 {
5163 }
5165 // Non-generic assembly for arm32-linux
5166 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5167 && defined(VGP_arm_linux)
5168 /* See mc_main_asm.c */
5170 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5171 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5172 /* See mc_main_asm.c */
5174 #else
5175 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5177 {
5179 }
5180 #endif
5182 /*------------------------------------------------------------*/
5183 /*--- STOREV32 ---*/
5184 /*------------------------------------------------------------*/
5186 static INLINE
5188 {
5191 #ifndef PERF_FAST_STOREV
5193 #else
5194 {
5202 }
5208 // To understand the below cleverness, see the extensive comments
5209 // in MC_(helperc_STOREV8).
5213 }
5217 }
5221 }
5225 }
5229 }
5233 }
5237 }
5238 #endif
5239 }
5242 {
5244 }
5246 {
5248 }
5250 /*------------------------------------------------------------*/
5251 /*--- LOADV16 ---*/
5252 /*------------------------------------------------------------*/
5254 static INLINE
5256 {
5259 #ifndef PERF_FAST_LOADV
5261 #else
5262 {
5269 }
5274 // Handle common case quickly: a is suitably aligned, is mapped, and is
5275 // addressible.
5276 // Convert V bits from compact memory form to expanded register form
5280 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5281 // the two sub-bytes.
5286 /* Slow case: the two bytes are not all-defined or all-undefined. */
5289 }
5290 }
5291 }
5292 #endif
5293 }
5295 // Generic for all platforms
5297 {
5299 }
5301 // Non-generic assembly for arm32-linux
5302 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5303 && defined(VGP_arm_linux)
5331 // r1 holds sec-map-VABITS8. r0 holds the address and is 2-aligned.
5332 // Extract the relevant 4 bits and inspect.
5352 );
5354 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5355 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5397 );
5399 #else
5400 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5402 {
5404 }
5405 #endif
5407 /*------------------------------------------------------------*/
5408 /*--- STOREV16 ---*/
5409 /*------------------------------------------------------------*/
5411 /* True if the vabits4 in vabits8 indicate a and a+1 are accessible. */
5412 static INLINE
5414 {
5415 UInt shift;
5419 // check 2 x vabits2 != VA_BITS2_NOACCESS
5422 }
5424 static INLINE
5426 {
5429 #ifndef PERF_FAST_STOREV
5431 #else
5432 {
5440 }
5446 // To understand the below cleverness, see the extensive comments
5447 // in MC_(helperc_STOREV8).
5451 }
5457 }
5460 }
5464 }
5470 }
5474 }
5478 }
5479 #endif
5480 }
5484 {
5486 }
5488 {
5490 }
5492 /*------------------------------------------------------------*/
5493 /*--- LOADV8 ---*/
5494 /*------------------------------------------------------------*/
5496 /* Note: endianness is irrelevant for size == 1 */
5498 // Non-generic assembly for arm32-linux
5499 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5500 && defined(VGP_arm_linux)
5525 // r1 holds sec-map-VABITS8
5526 // r0 holds the address. Extract the relevant 2 bits and inspect.
5545 );
5547 /* Non-generic assembly for x86-linux */
5548 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5549 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5588 );
5590 #else
5591 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5594 {
5597 #ifndef PERF_FAST_LOADV
5599 #else
5600 {
5607 }
5612 // Convert V bits from compact memory form to expanded register form
5613 // Handle common case quickly: a is mapped, and the entire
5614 // word32 it lives in is addressible.
5618 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5619 // the single byte.
5624 /* Slow case: the byte is not all-defined or all-undefined. */
5627 }
5628 }
5629 }
5630 #endif
5631 }
5632 #endif
5634 /*------------------------------------------------------------*/
5635 /*--- STOREV8 ---*/
5636 /*------------------------------------------------------------*/
5640 {
5643 #ifndef PERF_FAST_STOREV
5645 #else
5646 {
5654 }
5660 // Clevernesses to speed up storing V bits.
5661 // The 64/32/16 bit cases also have similar clevernesses, but it
5662 // works a little differently to the code below.
5663 //
5664 // Cleverness 1: sometimes we don't have to write the shadow memory at
5665 // all, if we can tell that what we want to write is the same as what is
5666 // already there. These cases are marked below as "defined on defined" and
5667 // "undefined on undefined".
5668 //
5669 // Cleverness 2:
5670 // We also avoid to call mc_STOREVn_slow if the V bits can directly
5671 // be written in the secondary map. V bits can be directly written
5672 // if 4 conditions are respected:
5673 // * The address for which V bits are written is naturally aligned
5674 // on 1 byte for STOREV8 (this is always true)
5675 // on 2 bytes for STOREV16
5676 // on 4 bytes for STOREV32
5677 // on 8 bytes for STOREV64.
5678 // * V bits being written are either fully defined or fully undefined.
5679 // (for partially defined V bits, V bits cannot be directly written,
5680 // as the secondary vbits table must be maintained).
5681 // * the secmap is not distinguished (distinguished maps cannot be
5682 // modified).
5683 // * the memory corresponding to the V bits being written is
5684 // accessible (if one or more bytes are not accessible,
5685 // we must call mc_STOREVn_slow in order to report accessibility
5686 // errors).
5687 // Note that for STOREV32 and STOREV64, it is too expensive
5688 // to verify the accessibility of each byte for the benefit it
5689 // brings. Instead, a quicker check is done by comparing to
5690 // VA_BITS(8|16)_(UN)DEFINED. This guarantees accessibility,
5691 // but misses some opportunity of direct modifications.
5692 // Checking each byte accessibility was measured for
5693 // STOREV32+perf tests and was slowing down all perf tests.
5694 // The cases corresponding to cleverness 2 are marked below as
5695 // "direct mod".
5699 }
5702 // direct mod
5706 }
5710 }
5714 }
5716 && (VA_BITS2_NOACCESS
5718 // direct mod
5722 }
5726 }
5728 // Partially defined word
5731 }
5732 #endif
5733 }
5736 /*------------------------------------------------------------*/
5737 /*--- Functions called directly from generated code: ---*/
5738 /*--- Value-check failure handlers. ---*/
5739 /*------------------------------------------------------------*/
5741 /* Call these ones when an origin is available ... */
5745 }
5750 }
5755 }
5760 }
5765 }
5767 /* ... and these when an origin isn't available. */
5772 }
5777 }
5782 }
5787 }
5792 }
5795 /*------------------------------------------------------------*/
5796 /*--- Metadata get/set functions, for client requests. ---*/
5797 /*------------------------------------------------------------*/
5799 // Nb: this expands the V+A bits out into register-form V bits, even though
5800 // they're in memory. This is for backward compatibility, and because it's
5801 // probably what the user wants.
5803 /* Copy Vbits from/to address 'a'. Returns: 1 == OK, 2 == alignment
5804 error [no longer used], 3 == addressing error. */
5805 /* Nb: We used to issue various definedness/addressability errors from here,
5806 but we took them out because they ranged from not-very-helpful to
5807 downright annoying, and they complicated the error data structures. */
5809 Addr a,
5810 Addr vbits,
5811 SizeT szB,
5813 Bool is_client_request /* True <=> real user request
5814 False <=> internal call from gdbserver */
5815 )
5816 {
5817 SizeT i;
5818 Bool ok;
5819 UChar vbits8;
5821 /* Check that arrays are addressible before doing any getting/setting.
5822 vbits to be checked only for real user request. */
5827 }
5828 }
5830 /* Do the copy */
5832 /* setting */
5836 }
5838 /* getting */
5843 }
5845 // The bytes in vbits[] have now been set, so mark them as such.
5847 }
5850 }
5853 /*------------------------------------------------------------*/
5854 /*--- Detecting leaked (unreachable) malloc'd blocks. ---*/
5855 /*------------------------------------------------------------*/
5857 /* For the memory leak detector, say whether an entire 64k chunk of
5858 address space is possibly in use, or not. If in doubt return
5859 True.
5860 */
5862 {
5865 /* Definitely not in use. */
5869 }
5870 }
5873 /* For the memory leak detector, say whether or not a given word
5874 address is to be regarded as valid. */
5876 {
5884 }
5887 else
5889 }
5892 /*------------------------------------------------------------*/
5893 /*--- Initialisation ---*/
5894 /*------------------------------------------------------------*/
5897 {
5898 Int i;
5906 /* Build the 3 distinguished secondaries */
5916 /* Set up the primary map. */
5917 /* These entries gradually get overwritten as the used address
5918 space expands. */
5922 /* Auxiliary primary maps */
5925 /* auxmap_size = auxmap_used = 0;
5926 no ... these are statically initialised */
5928 /* Secondary V bit table */
5930 }
5933 /*------------------------------------------------------------*/
5934 /*--- Sanity check machinery (permanently engaged) ---*/
5935 /*------------------------------------------------------------*/
5938 {
5939 n_sanity_cheap++;
5941 /* Check for sane operating level */
5944 /* nothing else useful we can rapidly check */
5946 }
5949 {
5950 Int i;
5951 Word n_secmaps_found;
5959 n_sanity_expensive++;
5962 /* Check for sane operating level */
5966 /* Check that the 3 distinguished SMs are still as they should be. */
5968 /* Check noaccess DSM. */
5974 /* Check undefined DSM. */
5980 /* Check defined DSM. */
5990 }
5992 /* If we're not checking for undefined value errors, the secondary V bit
5993 * table should be empty. */
5997 }
5999 /* check the auxiliary maps, very thoroughly */
6005 }
6007 /* n_secmaps_found is now the number referred to by the auxiliary
6008 primary map. Now add on the ones referred to by the main
6009 primary map. */
6015 n_secmaps_found++;
6016 }
6017 }
6019 /* check that the number of secmaps issued matches the number that
6020 are reachable (iow, no secmap leaks) */
6028 }
6034 }
6036 /* there is only one pointer to each secmap (expensive) */
6039 }
6041 /*------------------------------------------------------------*/
6042 /*--- Command line args ---*/
6043 /*------------------------------------------------------------*/
6045 /* 31 Aug 2015: Vectorised code is now so widespread that
6046 --partial-loads-ok needs to be enabled by default on all platforms.
6047 Not doing so causes lots of false errors. */
6069 ExpensiveDefinednessChecks
6078 /* The first heuristic value (LchNone) has no keyword, as this is
6079 a fake heuristic used to collect the blocks found without any
6080 heuristic. */
6083 {
6085 Bool tmp_show;
6089 /* Set MC_(clo_mc_level):
6090 1 = A bit tracking only
6091 2 = A and V bit tracking, but no V bit origins
6092 3 = A and V bit tracking, and V bit origins
6094 Do this by inspecting --undef-value-errors= and
6095 --track-origins=. Reject the case --undef-value-errors=no
6096 --track-origins=yes as meaningless.
6097 */
6107 }
6108 }
6109 }
6116 }
6120 }
6121 }
6137 }
6138 }
6144 }
6145 }
6176 "ERROR: --ignore-ranges: "
6179 }
6181 UInt i;
6197 }
6198 }
6199 }
6200 }
6203 /* This seems at first a bit weird, but: in order to imply
6204 a non-wrapped-around address range, the first offset needs to be
6205 larger than the second one. For example
6206 --ignore-range-below-sp=8192,8189
6207 would cause accesses to in the range [SP-8192, SP-8189] to be
6208 ignored. */
6211 // Ensure we used all the text after the '=' sign.
6215 "ERROR: --ignore-range-below-sp: invalid syntax. "
6218 }
6221 "ERROR: --ignore-range-below-sp: suspiciously large "
6224 }
6227 "ERROR: --ignore-range-below-sp: invalid offsets "
6230 }
6234 "ERROR: --ignore-range-below-sp: suspiciously large "
6237 }
6242 }
6275 else
6281 bad_level:
6285 }
6288 {
6327 );
6328 }
6331 {
6334 );
6335 }
6338 /*------------------------------------------------------------*/
6339 /*--- Client blocks ---*/
6340 /*------------------------------------------------------------*/
6342 /* Client block management:
6344 This is managed as an expanding array of client block descriptors.
6345 Indices of live descriptors are issued to the client, so it can ask
6346 to free them later. Therefore we cannot slide live entries down
6347 over dead ones. Instead we must use free/inuse flags and scan for
6348 an empty slot at allocation time. This in turn means allocation is
6349 relatively expensive, so we hope this does not happen too often.
6351 An unused block has start == size == 0
6352 */
6354 /* type CGenBlock is defined in mc_include.h */
6356 /* This subsystem is self-initialising. */
6361 /* Stats for this subsystem. */
6368 /* Get access to the client block array. */
6371 {
6374 }
6377 static
6379 {
6383 cgb_allocs++;
6386 cgb_search++;
6389 }
6391 /* Not found. Try to allocate one at the end. */
6393 cgb_used++;
6395 }
6397 /* Ok, we have to allocate a new one. */
6410 cgb_used++;
6414 }
6418 {
6422 );
6423 }
6425 {
6427 (
6473 }
6475 /* Print szB bytes at address, with a format similar to the gdb command
6476 x /<szB>xb address.
6477 res[i] == 1 indicates the corresponding byte is addressable. */
6479 {
6480 UInt i;
6488 }
6491 else
6493 }
6495 }
6498 /* Returns the address of the next non space character,
6499 or address of the string terminator. */
6501 {
6503 s++;
6505 }
6507 /* Parse an integer slice, i.e. a single integer or a range of integer.
6508 Syntax is:
6509 <integer>[..<integer> ]
6510 (spaces are allowed before and/or after ..).
6511 Return True if range correctly parsed, False otherwise. */
6514 {
6520 /* slice must start with an integer. */
6524 }
6529 }
6532 /* wl token is an integer terminating the string
6533 or else next token does not start with .
6534 In both cases, the slice is a single integer. */
6537 }
6540 // iii .. => get the next token
6543 // It must be iii..
6547 }
6549 // It must be iii.. jjj => get the next token
6552 // It must be iii..jjj
6554 }
6555 }
6561 }
6567 }
6570 }
6572 /* return True if request recognised, False otherwise */
6574 {
6582 /* NB: if possible, avoid introducing a new command below which
6583 starts with the same first letter(s) as an already existing
6584 command. This ensures a shorter abbreviation for the user. */
6597 Addr address;
6600 UChar vbits;
6601 Int i;
6604 Int res = mc_get_or_set_vbits_for_client
6608 /* we are before the first character on next line, print a \n. */
6611 /* we are before the next block of 4 starts, print a space. */
6618 unaddressable++;
6620 }
6621 }
6627 }
6628 }
6630 }
6633 LeakCheckParams lcp;
6651 "kinds reachable possibleleak definiteleak "
6652 "heuristics "
6653 "new increased changed any "
6664 xt_filename
6674 wcmd,
6677 err++;
6678 }
6680 }
6685 lcp.show_leak_kinds
6696 wcmd,
6699 err++;
6700 }
6702 }
6714 Int int_value;
6725 }
6730 else
6734 }
6737 }
6738 }
6744 }
6747 Addr address;
6763 }
6765 }
6768 Addr address;
6770 Addr bad_addr;
6771 UInt okind;
6773 UInt otag;
6774 UInt ecu;
6776 MC_ReadResult res;
6790 else
6794 // Describe this (probably live) address with current epoch
6815 }
6824 }
6825 }
6826 else
6829 // Describe this (probably live) address with current epoch
6833 }
6835 }
6845 Int int_value;
6862 }
6867 }
6872 }
6880 wcmd,
6884 }
6888 }
6889 }
6890 /* substract 1 from lr_nr_from/lr_nr_to as what is shown to the user
6891 is 1 more than the index in lr_array. */
6894 limit_blocks,
6895 heuristics))
6897 }
6899 }
6902 Addr address;
6910 }
6913 }
6916 Addr address;
6921 Int i;
6925 /* We going to print the first vabits of a new line.
6926 Terminate the previous line if needed: prints a line with the
6927 address and the data. */
6932 }
6934 }
6943 unaddressable++;
6945 }
6946 }
6950 else
6956 }
6957 }
6959 }
6966 }
6971 }
6972 }
6974 /*------------------------------------------------------------*/
6975 /*--- Client requests ---*/
6976 /*------------------------------------------------------------*/
6979 {
6980 Int i;
6981 Addr bad_addr;
7008 }
7019 );
7023 }
7027 }
7028 /* Return the lower of the two erring addresses, if any. */
7032 }
7035 }
7038 }
7040 }
7043 LeakCheckParams lcp;
7053 }
7072 }
7080 }
7089 MC_OKIND_USER );
7106 /* VG_(printf)("allocated %d %p\n", i, cgbs); */
7125 cgb_discards++;
7127 }
7146 // MC_(bytes_leaked) et al were set by the last leak check (or zero
7147 // if no prior leak checks performed).
7152 // there is no argp[5]
7153 //*argp[5] = MC_(bytes_indirect);
7154 // XXX need to make *argp[1-4] defined; currently done in the
7155 // VALGRIND_COUNT_LEAKS_MACRO by initialising them to zero.
7158 }
7161 // MC_(blocks_leaked) et al were set by the last leak check (or zero
7162 // if no prior leak checks performed).
7167 // there is no argp[5]
7168 //*argp[5] = MC_(blocks_indirect);
7169 // XXX need to make *argp[1-4] defined; currently done in the
7170 // VALGRIND_COUNT_LEAK_BLOCKS_MACRO by initialising them to zero.
7173 }
7185 }
7187 }
7196 }
7203 }
7212 }
7220 // other platforms just ensure it is a power of 2
7221 // ignore Illumos only enforcing multiple of 4 (probably a bug)
7224 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be power of 2)" );
7225 }
7226 // size zero not allowed on all platforms (e.g. Illumos)
7229 }
7232 // must be power of 2
7233 // alignment at least sizeof(size_t)
7234 // size of 0 implementation defined
7237 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero, a power of 2 and a multiple of sizeof(void*))" );
7238 }
7241 }
7244 // must be power of 2
7246 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be a power of 2)" );
7247 }
7248 // size should be integral multiple of alignment
7251 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , aligned_alloc_info->size, " (size should be a multiple of alignment)" );
7252 }
7255 }
7261 }
7267 }
7272 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7273 }
7278 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7279 }
7285 }
7290 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7291 }
7294 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, False, "new/delete");
7295 }
7301 }
7306 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7307 }
7310 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, False, "new[]/delete[]");
7311 }
7317 }
7319 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, False, "new/delete");
7320 }
7323 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7324 }
7330 }
7332 MC_(record_align_mismatch_error) ( tid, mc, aligned_alloc_info->orig_alignment, False, "new[]/delete[]");
7333 }
7336 MC_(record_bad_alignment) ( tid, aligned_alloc_info->orig_alignment , 0U, " (should be non-zero and a power of 2)" );
7337 }
7341 }
7344 }
7352 // The create_mempool function does not know these mempool flags,
7353 // pass as booleans.
7358 }
7365 }
7374 }
7382 }
7391 }
7399 }
7409 }
7416 }
7422 else
7425 }
7429 Bool addRange
7431 Bool ok
7435 }
7442 }
7444 }
7447 /*------------------------------------------------------------*/
7448 /*--- Crude profiling machinery. ---*/
7449 /*------------------------------------------------------------*/
7451 // We track a number of interesting events (using PROF_EVENT)
7452 // if MC_PROFILE_MEMORY is defined.
7454 #ifdef MC_PROFILE_MEMORY
7458 /* Event counter names. Use the name of the function that increases the
7459 event counter. Drop any MC_() and mc_ prefices. */
7587 };
7590 {
7597 }
7599 /* Make sure every profiling event has a name */
7601 }
7604 {
7611 }
7618 }
7619 }
7620 }
7622 #else
7627 #endif
7630 /*------------------------------------------------------------*/
7631 /*--- Origin tracking stuff ---*/
7632 /*------------------------------------------------------------*/
7634 /*--------------------------------------------*/
7635 /*--- Origin tracking: load handlers ---*/
7636 /*--------------------------------------------*/
7640 }
7644 UChar descr;
7650 }
7657 }
7663 }
7664 }
7668 UChar descr;
7672 /* Handle misaligned case, slowly. */
7676 }
7683 }
7689 }
7695 }
7696 }
7700 UChar descr;
7701 UWord lineoff;
7704 /* Handle misaligned case, slowly. */
7708 }
7713 }
7720 }
7726 }
7727 }
7732 UWord lineoff;
7735 /* Handle misaligned case, slowly. */
7739 }
7744 }
7753 }
7761 }
7762 }
7769 }
7779 }
7782 /*--------------------------------------------*/
7783 /*--- Origin tracking: store handlers ---*/
7784 /*--------------------------------------------*/
7793 }
7797 #if OC_PRECISION_STORE
7799 // The byte is defined. Just mark it as so in the descr and leave the w32
7800 // unchanged. This may make the descr become zero, so the line no longer
7801 // contains useful info, but that's OK. No loss of information.
7804 // At least one of the four bytes in the w32 is undefined with the same
7805 // origin. Just extend the mask. No loss of information.
7808 // Here, we have a conflict: at least one byte in the group is undefined
7809 // but with some other origin. We can't represent both origins, so we
7810 // forget about the previous origin and install this one instead.
7813 }
7814 #else
7820 }
7821 #endif
7822 }
7829 /* Handle misaligned case, slowly. */
7833 }
7840 }
7844 #if OC_PRECISION_STORE
7845 // Same logic as in the store1 case above.
7854 }
7855 #else
7861 }
7862 #endif
7863 }
7867 UWord lineoff;
7870 /* Handle misaligned case, slowly. */
7874 }
7879 }
7888 }
7889 }
7894 UWord lineoff;
7897 /* Handle misaligned case, slowly. */
7901 }
7906 }
7918 }
7919 }
7924 UWord lineoff;
7927 /* Handle misaligned case, slowly. */
7931 }
7936 }
7954 }
7955 }
7960 UWord lineoff;
7963 /* Handle misaligned case, slowly. */
7967 }
7972 }
8002 }
8003 }
8006 /*--------------------------------------------*/
8007 /*--- Origin tracking: sarp handlers ---*/
8008 /*--------------------------------------------*/
8010 // We may get asked to do very large SARPs (bug 446103), hence it is important
8011 // to process 32-byte chunks at a time when possible.
8017 a++;
8018 len--;
8019 }
8024 }
8029 }
8034 }
8039 }
8046 }
8047 }
8052 }
8057 }
8062 }
8067 }
8070 //a++;
8071 len--;
8072 }
8074 }
8080 a++;
8081 len--;
8082 }
8087 }
8092 }
8097 }
8102 }
8109 }
8110 }
8115 }
8120 }
8125 }
8130 }
8133 //a++;
8134 len--;
8135 }
8137 }
8140 /*------------------------------------------------------------*/
8141 /*--- Setup and finalisation ---*/
8142 /*------------------------------------------------------------*/
8145 {
8146 /* If we've been asked to emit XML, mash around various other
8147 options so as to constrain the output somewhat. */
8149 /* Extract as much info as possible from the leak checker. */
8151 }
8160 }
8168 );
8169 }
8174 /* We're doing origin tracking. */
8175 # ifdef PERF_FAST_STACK
8185 # endif
8189 /* Not doing origin tracking */
8190 # ifdef PERF_FAST_STACK
8200 # endif
8203 }
8205 // We assume that brk()/sbrk() does not initialise new memory. Is this
8206 // accurate? John Reiser says:
8207 //
8208 // 0) sbrk() can *decrease* process address space. No zero fill is done
8209 // for a decrease, not even the fragment on the high end of the last page
8210 // that is beyond the new highest address. For maximum safety and
8211 // portability, then the bytes in the last page that reside above [the
8212 // new] sbrk(0) should be considered to be uninitialized, but in practice
8213 // it is exceedingly likely that they will retain their previous
8214 // contents.
8215 //
8216 // 1) If an increase is large enough to require new whole pages, then
8217 // those new whole pages (like all new pages) are zero-filled by the
8218 // operating system. So if sbrk(0) already is page aligned, then
8219 // sbrk(PAGE_SIZE) *does* zero-fill the new memory.
8220 //
8221 // 2) Any increase that lies within an existing allocated page is not
8222 // changed. So if (x = sbrk(0)) is not page aligned, then
8223 // sbrk(PAGE_SIZE) yields ((PAGE_SIZE -1) & -x) bytes which keep their
8224 // existing contents, and an additional PAGE_SIZE bytes which are zeroed.
8225 // ((PAGE_SIZE -1) & x) of them are "covered" by the sbrk(), and the rest
8226 // of them come along for the ride because the operating system deals
8227 // only in whole pages. Again, for maximum safety and portability, then
8228 // anything that lives above [the new] sbrk(0) should be considered
8229 // uninitialized, but in practice will retain previous contents [zero in
8230 // this case.]"
8231 //
8232 // In short:
8233 //
8234 // A key property of sbrk/brk is that new whole pages that are supplied
8235 // by the operating system *do* get initialized to zero.
8236 //
8237 // As for the portability of all this:
8238 //
8239 // sbrk and brk are not POSIX. However, any system that is a derivative
8240 // of *nix has sbrk and brk because there are too many software (such as
8241 // the Bourne shell) which rely on the traditional memory map (.text,
8242 // .data+.bss, stack) and the existence of sbrk/brk.
8243 //
8244 // So we should arguably observe all this. However:
8245 // - The current inaccuracy has caused maybe one complaint in seven years(?)
8246 // - Relying on the zeroed-ness of whole brk'd pages is pretty grotty... I
8247 // doubt most programmers know the above information.
8248 // So I'm not terribly unhappy with marking it as undefined. --njn.
8249 //
8250 // [More: I think most of what John said only applies to sbrk(). It seems
8251 // that brk() always deals in whole pages. And since this event deals
8252 // directly with brk(), not with sbrk(), perhaps it would be reasonable to
8253 // just mark all memory it allocates as defined.]
8254 //
8255 # if !defined(VGO_solaris)
8258 else
8260 # else
8261 // On Solaris, brk memory has to be marked as defined, otherwise we get
8262 // many false positives.
8264 # endif
8266 /* This origin tracking cache is huge (~100M), so only initialise
8267 if we need it. */
8273 }
8278 }
8279 }
8288 /* Do not check definedness of guest state if --undef-value-errors=no */
8296 "To use --xtree-memory=full, you must"
8298 // Activate full xtree memory profiling.
8300 }
8302 }
8305 {
8308 type,
8309 n_SMs,
8312 }
8315 {
8325 n_auxmap_L2_nodes,
8333 );
8336 n_auxmap_L2_searches, n_auxmap_L2_nodes
8337 );
8346 // Three DSMs, plus the non-DSM ones
8348 // The 3*sizeof(Word) bytes is the AVL node metadata size.
8349 // The VG_ROUNDUP is because the OSet pool allocator will/must align
8350 // the elements on pointer size.
8351 // Note that the pool allocator has some additional small overhead
8352 // which is not counted in the below.
8353 // Hardwiring this logic sucks, but I don't see how else to do it.
8373 stats_ocacheL1_find,
8374 stats_ocacheL1_misses,
8375 stats_ocacheL1_lossage );
8378 stats_ocacheL1_find - stats_ocacheL1_misses
8379 - stats_ocacheL1_found_at_1
8381 stats_ocacheL1_found_at_1 );
8384 stats_ocacheL1_found_at_N,
8385 stats_ocacheL1_movefwds );
8392 stats__ocacheL2_finds,
8393 stats__ocacheL2_misses );
8396 stats__ocacheL2_adds,
8397 stats__ocacheL2_dels );
8400 stats__ocacheL2_n_nodes_max,
8401 stats__ocacheL2_n_nodes );
8409 }
8410 }
8411 }
8415 {
8420 LeakCheckParams lcp;
8435 }
8436 else
8446 );
8447 }
8448 }
8453 "Use --track-origins=yes to see where "
8455 }
8457 /* Print a warning if any client-request generated ignore-ranges
8458 still exist. It would be reasonable to expect that a properly
8459 written program would remove any such ranges before exiting, and
8460 since they are a bit on the dangerous side, let's comment. By
8461 contrast ranges which are specified on the command line normally
8462 pertain to hardware mapped into the address space, and so we
8463 can't expect the client to have got rid of them. */
8474 /* Print the offending range. Also, if it is the first,
8475 print a banner before it. */
8476 nBad++;
8481 "WARNING: "
8483 "WARNING: "
8485 );
8486 }
8489 }
8490 }
8501 }
8502 }
8504 /* mark the given addr/len unaddressable for watchpoint implementation
8505 The PointKind will be handled at access time */
8508 {
8509 /* GDBTD this is somewhat fishy. We might rather have to save the previous
8510 accessibility and definedness in gdbserver so as to allow restoring it
8511 properly. Currently, we assume that the user only watches things
8512 which are properly addressable and defined */
8515 else
8518 }
8521 {
8532 mc_fini);
8553 mc_print_usage,
8554 mc_print_debug_usage);
8557 mc_expensive_sanity_check);
8574 MC_MALLOC_DEFAULT_REDZONE_SZB );
8581 // Handling of mmap and mprotect isn't simple (well, it is simple,
8582 // but the justification isn't.) See comments above, just prior to
8583 // mc_new_mem_mmap.
8593 /* Defer the specification of the new_mem_stack functions to the
8594 post_clo_init function, since we need to first parse the command
8595 line before deciding which set to use. */
8597 # ifdef PERF_FAST_STACK
8607 # endif
8623 }
8628 // MC_(chunk_poolalloc) must be allocated in post_clo_init
8636 // {LOADV,STOREV}[8421] will all fail horribly if this isn't true.
8638 // Call me paranoid. I don't care.
8641 // BYTES_PER_SEC_VBIT_NODE must be a power of two.
8644 /* This is small. Always initialise it. */
8647 /* We can't initialise ocacheL1/ocacheL2 yet, since we don't know
8648 if we need to, since the command line args haven't been
8649 processed yet. Hence defer it to mc_post_clo_init. */
8653 }
8655 /* Check some important stuff. See extensive comments above
8656 re UNALIGNED_OR_HIGH for background. */
8657 # if VG_WORDSIZE == 4
8667 # else
8678 # endif
8680 /* Check some assertions to do with the instrumentation machinery. */
8682 }
8688 /*--------------------------------------------------------------------*/
8689 /*--- end mc_main.c ---*/
8690 /*--------------------------------------------------------------------*/