| blob | 253f091dc312c187ece6787fc7107e491b3c787b |
1 /* -*- mode: C; c-basic-offset: 3; -*- */
3 /*--------------------------------------------------------------------*/
4 /*--- MemCheck: Maintain bitmaps of memory, tracking the ---*/
5 /*--- accessibility (A) and validity (V) status of each byte. ---*/
6 /*--- mc_main.c ---*/
7 /*--------------------------------------------------------------------*/
9 /*
10 This file is part of MemCheck, a heavyweight Valgrind tool for
11 detecting memory errors.
13 Copyright (C) 2000-2017 Julian Seward
14 jseward@acm.org
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License as
18 published by the Free Software Foundation; either version 2 of the
19 License, or (at your option) any later version.
21 This program is distributed in the hope that it will be useful, but
22 WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24 General Public License for more details.
26 You should have received a copy of the GNU General Public License
27 along with this program; if not, write to the Free Software
28 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
29 02111-1307, USA.
31 The GNU General Public License is contained in the file COPYING.
32 */
57 /* Set to 1 to do a little more sanity checking */
58 #define VG_DEBUG_MEMORY 0
66 /*------------------------------------------------------------*/
67 /*--- Fast-case knobs ---*/
68 /*------------------------------------------------------------*/
70 // Comment these out to disable the fast cases (don't just set them to zero).
72 /* PERF_FAST_LOADV is in mc_include.h */
73 #define PERF_FAST_STOREV 1
75 #define PERF_FAST_SARP 1
77 #define PERF_FAST_STACK 1
78 #define PERF_FAST_STACK2 1
80 /* Change this to 1 to enable assertions on origin tracking cache fast
81 paths */
82 #define OC_ENABLE_ASSERTIONS 0
85 /*------------------------------------------------------------*/
86 /*--- Comments on the origin tracking implementation ---*/
87 /*------------------------------------------------------------*/
89 /* See detailed comment entitled
90 AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
91 which is contained further on in this file. */
94 /*------------------------------------------------------------*/
95 /*--- V bits and A bits ---*/
96 /*------------------------------------------------------------*/
98 /* Conceptually, every byte value has 8 V bits, which track whether Memcheck
99 thinks the corresponding value bit is defined. And every memory byte
100 has an A bit, which tracks whether Memcheck thinks the program can access
101 it safely (ie. it's mapped, and has at least one of the RWX permission bits
102 set). So every N-bit register is shadowed with N V bits, and every memory
103 byte is shadowed with 8 V bits and one A bit.
105 In the implementation, we use two forms of compression (compressed V bits
106 and distinguished secondary maps) to avoid the 9-bit-per-byte overhead
107 for memory.
109 Memcheck also tracks extra information about each heap block that is
110 allocated, for detecting memory leaks and other purposes.
111 */
113 /*------------------------------------------------------------*/
114 /*--- Basic A/V bitmap representation. ---*/
115 /*------------------------------------------------------------*/
117 /* All reads and writes are checked against a memory map (a.k.a. shadow
118 memory), which records the state of all memory in the process.
120 On 32-bit machines the memory map is organised as follows.
121 The top 16 bits of an address are used to index into a top-level
122 map table, containing 65536 entries. Each entry is a pointer to a
123 second-level map, which records the accesibililty and validity
124 permissions for the 65536 bytes indexed by the lower 16 bits of the
125 address. Each byte is represented by two bits (details are below). So
126 each second-level map contains 16384 bytes. This two-level arrangement
127 conveniently divides the 4G address space into 64k lumps, each size 64k
128 bytes.
130 All entries in the primary (top-level) map must point to a valid
131 secondary (second-level) map. Since many of the 64kB chunks will
132 have the same status for every bit -- ie. noaccess (for unused
133 address space) or entirely addressable and defined (for code segments) --
134 there are three distinguished secondary maps, which indicate 'noaccess',
135 'undefined' and 'defined'. For these uniform 64kB chunks, the primary
136 map entry points to the relevant distinguished map. In practice,
137 typically more than half of the addressable memory is represented with
138 the 'undefined' or 'defined' distinguished secondary map, so it gives a
139 good saving. It also lets us set the V+A bits of large address regions
140 quickly in set_address_range_perms().
142 On 64-bit machines it's more complicated. If we followed the same basic
143 scheme we'd have a four-level table which would require too many memory
144 accesses. So instead the top-level map table has 2^20 entries (indexed
145 using bits 16..35 of the address); this covers the bottom 64GB. Any
146 accesses above 64GB are handled with a slow, sparse auxiliary table.
147 Valgrind's address space manager tries very hard to keep things below
148 this 64GB barrier so that performance doesn't suffer too much.
150 Note that this file has a lot of different functions for reading and
151 writing shadow memory. Only a couple are strictly necessary (eg.
152 get_vabits2 and set_vabits2), most are just specialised for specific
153 common cases to improve performance.
155 Aside: the V+A bits are less precise than they could be -- we have no way
156 of marking memory as read-only. It would be great if we could add an
157 extra state VA_BITSn_READONLY. But then we'd have 5 different states,
158 which requires 2.3 bits to hold, and there's no way to do that elegantly
159 -- we'd have to double up to 4 bits of metadata per byte, which doesn't
160 seem worth it.
161 */
163 /* --------------- Basic configuration --------------- */
165 /* Only change this. N_PRIMARY_MAP *must* be a power of 2. */
167 #if VG_WORDSIZE == 4
169 /* cover the entire address space */
170 # define N_PRIMARY_BITS 16
172 #else
174 /* Just handle the first 128G fast and the rest via auxiliary
175 primaries. If you change this, Memcheck will assert at startup.
176 See the definition of UNALIGNED_OR_HIGH for extensive comments. */
177 # define N_PRIMARY_BITS 21
179 #endif
182 /* Do not change this. */
183 #define N_PRIMARY_MAP ( ((UWord)1) << N_PRIMARY_BITS)
185 /* Do not change this. */
186 #define MAX_PRIMARY_ADDRESS (Addr)((((Addr)65536) * N_PRIMARY_MAP)-1)
189 /* --------------- Secondary maps --------------- */
191 // Each byte of memory conceptually has an A bit, which indicates its
192 // addressability, and 8 V bits, which indicates its definedness.
193 //
194 // But because very few bytes are partially defined, we can use a nice
195 // compression scheme to reduce the size of shadow memory. Each byte of
196 // memory has 2 bits which indicates its state (ie. V+A bits):
197 //
198 // 00: noaccess (unaddressable but treated as fully defined)
199 // 01: undefined (addressable and fully undefined)
200 // 10: defined (addressable and fully defined)
201 // 11: partdefined (addressable and partially defined)
202 //
203 // In the "partdefined" case, we use a secondary table to store the V bits.
204 // Each entry in the secondary-V-bits table maps a byte address to its 8 V
205 // bits.
206 //
207 // We store the compressed V+A bits in 8-bit chunks, ie. the V+A bits for
208 // four bytes (32 bits) of memory are in each chunk. Hence the name
209 // "vabits8". This lets us get the V+A bits for four bytes at a time
210 // easily (without having to do any shifting and/or masking), and that is a
211 // very common operation. (Note that although each vabits8 chunk
212 // is 8 bits in size, it represents 32 bits of memory.)
213 //
214 // The representation is "inverse" little-endian... each 4 bytes of
215 // memory is represented by a 1 byte value, where:
216 //
217 // - the status of byte (a+0) is held in bits [1..0]
218 // - the status of byte (a+1) is held in bits [3..2]
219 // - the status of byte (a+2) is held in bits [5..4]
220 // - the status of byte (a+3) is held in bits [7..6]
221 //
222 // It's "inverse" because endianness normally describes a mapping from
223 // value bits to memory addresses; in this case the mapping is inverted.
224 // Ie. instead of particular value bits being held in certain addresses, in
225 // this case certain addresses are represented by particular value bits.
226 // See insert_vabits2_into_vabits8() for an example.
227 //
228 // But note that we don't compress the V bits stored in registers; they
229 // need to be explicit to made the shadow operations possible. Therefore
230 // when moving values between registers and memory we need to convert
231 // between the expanded in-register format and the compressed in-memory
232 // format. This isn't so difficult, it just requires careful attention in a
233 // few places.
235 // These represent eight bits of memory.
241 // These represent 16 bits of memory.
246 // These represent 32 bits of memory.
251 // These represent 64 bits of memory.
256 // These represent 128 bits of memory.
261 #define SM_OFF(aaa) (((aaa) & 0xffff) >> 2)
262 #define SM_OFF_16(aaa) (((aaa) & 0xffff) >> 3)
264 // Paranoia: it's critical for performance that the requested inlining
265 // occurs. So try extra hard.
266 #define INLINE inline __attribute__((always_inline))
270 }
273 }
277 typedef
281 }
282 SecMap;
284 // 3 distinguished secondary maps, one for no-access, one for
285 // accessible but undefined, and one for accessible and defined.
286 // Distinguished secondaries may never be modified.
287 #define SM_DIST_NOACCESS 0
288 #define SM_DIST_UNDEFINED 1
289 #define SM_DIST_DEFINED 2
295 }
297 // Forward declaration
300 /* dist_sm points to one of our three distinguished secondaries. Make
301 a copy of it so that we can write to it.
302 */
304 {
317 }
319 /* --------------- Stats --------------- */
332 /* # searches initiated in auxmap_L1, and # base cmps required */
335 /* # of searches that missed in auxmap_L1 and therefore had to
336 be handed to auxmap_L2. And the number of nodes inserted. */
347 {
352 n_deissued_SMs ++; }
358 n_issued_SMs ++; }
364 }
366 /* --------------- Primary maps --------------- */
368 /* The main primary map. This covers some initial part of the address
369 space, addresses 0 .. (N_PRIMARY_MAP << 16)-1. The rest of it is
370 handled using the auxiliary primary map.
371 */
372 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
373 && (defined(VGP_arm_linux) \
374 || defined(VGP_x86_linux) || defined(VGP_x86_solaris))
375 /* mc_main_asm.c needs visibility on a few things declared in this file.
376 MC_MAIN_STATIC allows to define them static if ok, i.e. on
377 platforms that are not using hand-coded asm statements. */
378 #define MC_MAIN_STATIC
379 #else
380 #define MC_MAIN_STATIC static
381 #endif
385 /* An entry in the auxiliary primary map. base must be a 64k-aligned
386 value, and sm points at the relevant secondary map. As with the
387 main primary map, the secondary may be either a real secondary, or
388 one of the three distinguished secondaries. DO NOT CHANGE THIS
389 LAYOUT: the first word has to be the key for OSet fast lookups.
390 */
391 typedef
393 Addr base;
395 }
396 AuxMapEnt;
398 /* Tunable parameter: How big is the L1 queue? */
399 #define N_AUXMAP_L1 24
401 /* Tunable parameter: How far along the L1 queue to insert
402 entries resulting from L2 lookups? */
403 #define AUXMAP_L1_INSERT_IX 12
406 Addr base;
408 }
414 {
415 Int i;
419 }
426 }
428 /* Check representation invariants; if OK return NULL; else a
429 descriptive bit of text. Also return the number of
430 non-distinguished secondary maps referred to from the auxiliary
431 primary maps. */
434 {
436 /* On a 32-bit platform, the L2 and L1 tables should
437 both remain empty forever.
439 On a 64-bit platform:
440 In the L2 table:
441 all .base & 0xFFFF == 0
442 all .base > MAX_PRIMARY_ADDRESS
443 In the L1 table:
444 all .base & 0xFFFF == 0
445 all (.base > MAX_PRIMARY_ADDRESS
446 .base & 0xFFFF == 0
447 and .ent points to an AuxMapEnt with the same .base)
448 or
449 (.base == 0 and .ent == NULL)
450 */
453 /* 32-bit platform */
460 /* 64-bit platform */
463 AuxMapEnt key;
464 /* L2 table */
467 elems_seen++;
476 }
479 /* Check L1-L2 correspondence */
491 /* Look it up in auxmap_L2. */
499 }
500 /* Check L1 contains no duplicates */
509 }
510 }
511 }
513 }
516 {
517 Word i;
524 }
527 {
528 AuxMapEnt key;
530 Word i;
535 /* First search the front-cache, which is a self-organising
536 list containing the most popular entries. */
548 }
550 n_auxmap_L1_searches++;
555 }
556 }
569 i--;
570 }
572 }
574 n_auxmap_L2_searches++;
576 /* First see if we already have it. */
584 }
587 {
590 /* First see if we already have it. */
595 /* Ok, there's no entry in the secondary map, so we'll have
596 to allocate one. */
604 n_auxmap_L2_nodes++;
606 }
608 /* --------------- SecMap fundamentals --------------- */
610 // In all these, 'low' means it's definitely in the main primary map,
611 // 'high' means it's definitely in the auxiliary table.
614 {
617 }
620 {
622 # if VG_DEBUG_MEMORY >= 1
624 # endif
626 }
629 {
632 }
635 {
639 }
642 {
644 }
647 {
649 }
652 {
657 }
660 {
665 }
667 /* Produce the secmap for 'a', either from the primary map or by
668 ensuring there is an entry for it in the aux primary map. The
669 secmap may be a distinguished one as the caller will only want to
670 be able to read it.
671 */
673 {
677 }
679 /* Produce the secmap for 'a', either from the primary map or by
680 ensuring there is an entry for it in the aux primary map. The
681 secmap may not be a distinguished one, since the caller will want
682 to be able to write it. If it is a distinguished secondary, make a
683 writable copy of it, install it, and return the copy instead. (COW
684 semantics).
685 */
687 {
691 }
693 /* If 'a' has a SecMap, produce it. Else produce NULL. But don't
694 allocate one if one doesn't already exist. This is used by the
695 leak checker.
696 */
698 {
704 }
705 }
707 /* --------------- Fundamental functions --------------- */
709 static INLINE
711 {
715 }
717 static INLINE
719 {
720 UInt shift;
725 }
727 static INLINE
729 {
733 }
735 static INLINE
737 {
738 UInt shift;
743 }
745 // Note that these four are only used in slow cases. The fast cases do
746 // clever things like combine the auxmap check (in
747 // get_secmap_{read,writ}able) with alignment checks.
749 // *** WARNING! ***
750 // Any time this function is called, if it is possible that vabits2
751 // is equal to VA_BITS2_PARTDEFINED, then the corresponding entry in the
752 // sec-V-bits table must also be set!
753 static INLINE
755 {
759 }
761 static INLINE
763 {
768 }
770 // *** WARNING! ***
771 // Any time this function is called, if it is possible that any of the
772 // 4 2-bit fields in vabits8 are equal to VA_BITS2_PARTDEFINED, then the
773 // corresponding entry(s) in the sec-V-bits table must also be set!
774 static INLINE
776 {
781 }
783 static INLINE
785 {
789 }
792 // Forward declarations
796 // Returns False if there was an addressability error.
797 static INLINE
799 {
803 // Addressable. Convert in-register format to in-memory format.
804 // Also remove any existing sec V bit entry for the byte if no
805 // longer necessary.
813 // Unaddressable! Do nothing -- when writing to unaddressable
814 // memory it acts as a black hole, and the V bits can never be seen
815 // again. So we don't have to write them at all.
817 }
819 }
821 // Returns False if there was an addressability error. In that case, we put
822 // all defined bits into vbits8.
823 static INLINE
825 {
829 // Convert the in-memory format to in-register format.
838 }
840 }
843 /* --------------- Secondary V bit table ------------ */
845 // This table holds the full V bit pattern for partially-defined bytes
846 // (PDBs) that are represented by VA_BITS2_PARTDEFINED in the main shadow
847 // memory.
848 //
849 // Note: the nodes in this table can become stale. Eg. if you write a PDB,
850 // then overwrite the same address with a fully defined byte, the sec-V-bit
851 // node will not necessarily be removed. This is because checking for
852 // whether removal is necessary would slow down the fast paths.
853 //
854 // To avoid the stale nodes building up too much, we periodically (once the
855 // table reaches a certain size) garbage collect (GC) the table by
856 // traversing it and evicting any nodes not having PDB.
857 // If more than a certain proportion of nodes survived, we increase the
858 // table size so that GCs occur less often.
859 //
860 // This policy is designed to avoid bad table bloat in the worst case where
861 // a program creates huge numbers of stale PDBs -- we would get this bloat
862 // if we had no GC -- while handling well the case where a node becomes
863 // stale but shortly afterwards is rewritten with a PDB and so becomes
864 // non-stale again (which happens quite often, eg. in perf/bz2). If we just
865 // remove all stale nodes as soon as possible, we just end up re-adding a
866 // lot of them in later again. The "sufficiently stale" approach avoids
867 // this. (If a program has many live PDBs, performance will just suck,
868 // there's no way around that.)
869 //
870 // Further comments, JRS 14 Feb 2012. It turns out that the policy of
871 // holding on to stale entries for 2 GCs before discarding them can lead
872 // to massive space leaks. So we're changing to an arrangement where
873 // lines are evicted as soon as they are observed to be stale during a
874 // GC. This also has a side benefit of allowing the sufficiently_stale
875 // field to be removed from the SecVBitNode struct, reducing its size by
876 // 8 bytes, which is a substantial space saving considering that the
877 // struct was previously 32 or so bytes, on a 64 bit target.
878 //
879 // In order to try and mitigate the problem that the "sufficiently stale"
880 // heuristic was designed to avoid, the table size is allowed to drift
881 // up ("DRIFTUP") slowly to 80000, even if the residency is low. This
882 // means that nodes will exist in the table longer on average, and hopefully
883 // will be deleted and re-added less frequently.
884 //
885 // The previous scaling up mechanism (now called STEPUP) is retained:
886 // if residency exceeds 50%, the table is scaled up, although by a
887 // factor sqrt(2) rather than 2 as before. This effectively doubles the
888 // frequency of GCs when there are many PDBs at reduces the tendency of
889 // stale PDBs to reside for long periods in the table.
893 // Stats
897 // This must be a power of two; this is checked in mc_pre_clo_init().
898 // The size chosen here is a trade-off: if the nodes are bigger (ie. cover
899 // a larger address range) they take more space but we can get multiple
900 // partially-defined bytes in one if they are close to each other, reducing
901 // the number of total nodes. In practice sometimes they are clustered (eg.
902 // perf/bz2 repeatedly writes then reads more than 20,000 in a contiguous
903 // row), but often not. So we choose something intermediate.
904 #define BYTES_PER_SEC_VBIT_NODE 16
906 // We make the table bigger by a factor of STEPUP_GROWTH_FACTOR if
907 // more than this many nodes survive a GC.
908 #define STEPUP_SURVIVOR_PROPORTION 0.5
909 #define STEPUP_GROWTH_FACTOR 1.414213562
911 // If the above heuristic doesn't apply, then we may make the table
912 // slightly bigger, by a factor of DRIFTUP_GROWTH_FACTOR, if more than
913 // this many nodes survive a GC, _and_ the total table size does
914 // not exceed a fixed limit. The numbers are somewhat arbitrary, but
915 // work tolerably well on long Firefox runs. The scaleup ratio of 1.5%
916 // effectively although gradually reduces residency and increases time
917 // between GCs for programs with small numbers of PDBs. The 80000 limit
918 // effectively limits the table size to around 2MB for programs with
919 // small numbers of PDBs, whilst giving a reasonably long lifetime to
920 // entries, to try and reduce the costs resulting from deleting and
921 // re-adding of entries.
922 #define DRIFTUP_SURVIVOR_PROPORTION 0.15
923 #define DRIFTUP_GROWTH_FACTOR 1.015
924 #define DRIFTUP_MAX_SIZE 80000
926 // We GC the table when it gets this many nodes in it, ie. it's effectively
927 // the table size. It can change.
930 // The number of GCs done, used to age sec-V-bit nodes for eviction.
931 // Because it's unsigned, wrapping doesn't matter -- the right answer will
932 // come out anyway.
935 typedef
937 Addr a;
939 }
940 SecVBitNode;
943 {
953 }
956 {
961 GCs_done++;
963 // Create the new table.
966 // Traverse the table, moving fresh nodes into the new table.
969 // Keep node if any of its bytes are non-stale. Using
970 // get_vabits2() for the lookup is not very efficient, but I don't
971 // think it matters.
974 // Found a non-stale byte, so keep =>
975 // Insert a copy of the node into the new table.
981 }
982 }
983 }
985 // Get the before and after sizes.
989 // Destroy the old table, and put the new one in its place.
996 }
998 // Increase table size if necessary.
1005 secVBitLimit);
1006 }
1007 else
1015 secVBitLimit);
1016 }
1017 }
1020 {
1024 UChar vbits8;
1026 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1027 // make it to the secondary V bits table.
1031 }
1034 {
1038 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1039 // make it to the secondary V bits table.
1043 sec_vbits_updates++;
1045 // Do a table GC if necessary. Nb: do this before creating and
1046 // inserting the new node, to avoid erroneously GC'ing the new node.
1049 }
1051 // New node: assign the specific byte, make the rest invalid (they
1052 // should never be read as-is, but be cautious).
1057 }
1060 // Insert the new node.
1062 sec_vbits_new_nodes++;
1067 }
1068 }
1070 /* --------------- Endianness helpers --------------- */
1072 /* Returns the offset in memory of the byteno-th most significant byte
1073 in a wordszB-sized word, given the specified endianness. */
1075 UWord byteno ) {
1077 }
1080 /* --------------- Ignored address ranges --------------- */
1082 /* Denotes the address-error-reportability status for address ranges:
1083 IAR_NotIgnored: the usual case -- report errors in this range
1084 IAR_CommandLine: don't report errors -- from command line setting
1085 IAR_ClientReq: don't report errors -- from client request
1086 */
1087 typedef
1089 IAR_NotIgnored,
1090 IAR_CommandLine,
1091 IAR_ClientReq }
1092 IARKind;
1095 {
1102 }
1103 }
1105 // RangeMap<IARKind>
1109 {
1114 }
1117 {
1130 }
1132 /*NOTREACHED*/
1133 }
1136 {
1145 /* Bizarre. We have a wraparound situation. What should we do? */
1148 /* This is the expected case. */
1151 else
1153 }
1154 /*NOTREACHED*/
1156 }
1158 /* Parse two Addrs (in hex) separated by a dash, or fail. */
1161 {
1172 }
1174 /* Parse two UInts (32 bit unsigned, in decimal) separated by a dash,
1175 or fail. */
1178 {
1189 }
1191 /* Parse a set of ranges separated by commas into 'ignoreRanges', or
1192 fail. If they are valid, add them to the global set of ignored
1193 ranges. */
1195 {
1213 }
1214 /*NOTREACHED*/
1216 }
1218 /* Add or remove [start, +len) from the set of ignored ranges. */
1220 {
1225 }
1238 }
1242 UInt i;
1251 }
1252 }
1254 }
1257 /* --------------- Load/store slow cases. --------------- */
1259 static
1263 {
1269 Addr ai;
1270 UChar vbits8;
1271 Bool ok;
1273 /* Code below assumes load size is a power of two and at least 64
1274 bits. */
1277 /* If this triggers, you probably just need to increase the size of
1278 the pessim array. */
1284 }
1286 /* Make up a result V word, which contains the loaded data for
1287 valid addresses and Defined for invalid addresses. Iterate over
1288 the bytes in the word, from the most significant down to the
1289 least. The vbits to return are calculated into vbits128. Also
1290 compute the pessimising value to be used when
1291 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1292 info can be gleaned from the pessim array) but is used as a
1293 cross-check. */
1307 }
1310 }
1312 /* In the common case, all the addresses involved are valid, so we
1313 just return the computed V bits and have done. */
1317 /* If there's no possibility of getting a partial-loads-ok
1318 exemption, report the error and quit. */
1322 }
1324 /* The partial-loads-ok excemption might apply. Find out if it
1325 does. If so, don't report an addressing error, but do return
1326 Undefined for the bytes that are out of range, so as to avoid
1327 false negatives. If it doesn't apply, just report an addressing
1328 error in the usual way. */
1330 /* Some code steps along byte strings in aligned chunks
1331 even when there is only a partially defined word at the end (eg,
1332 optimised strlen). This is allowed by the memory model of
1333 modern machines, since an aligned load cannot span two pages and
1334 thus cannot "partially fault".
1336 Therefore, a load from a partially-addressible place is allowed
1337 if all of the following hold:
1338 - the command-line flag is set [by default, it isn't]
1339 - it's an aligned load
1340 - at least one of the addresses in the word *is* valid
1342 Since this suppresses the addressing error, we avoid false
1343 negatives by marking bytes undefined when they come from an
1344 invalid address.
1345 */
1347 /* "at least one of the addresses is invalid" */
1353 # if defined(VGP_s390x_linux)
1355 /* OK if all loaded bytes are from the same page. */
1357 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1358 /* lxvd2x might generate an unaligned 128 bit vector load. */
1360 # else
1361 /* OK if the address is aligned by the load size. */
1363 # endif
1366 /* Exemption applies. Use the previously computed pessimising
1367 value and return the combined result, but don't flag an
1368 addressing error. The pessimising value is Defined for valid
1369 addresses and Undefined for invalid addresses. */
1370 /* for assumption that doing bitwise or implements UifU */
1372 /* (really need "UifU" here...)
1373 vbits[j] UifU= pessim[j] (is pessimised by it, iow) */
1377 }
1379 /* Exemption doesn't apply. Flag an addressing error in the normal
1380 way. */
1382 }
1384 MC_MAIN_STATIC
1390 MC_MAIN_STATIC
1394 this function may get called from hand written assembly. */
1396 {
1399 /* ------------ BEGIN semi-fast cases ------------ */
1400 /* These deal quickly-ish with the common auxiliary primary map
1401 cases on 64-bit platforms. Are merely a speedup hack; can be
1402 omitted without loss of correctness/functionality. Note that in
1403 both cases the "sizeof(void*) == 8" causes these cases to be
1404 folded out by compilers on 32-bit platforms. These are derived
1405 from LOADV64 and LOADV32.
1406 */
1408 # if defined(VGA_mips64) && defined(VGABI_N32)
1410 # else
1412 # endif
1413 {
1421 /* else fall into the slow case */
1422 }
1424 # if defined(VGA_mips64) && defined(VGABI_N32)
1426 # else
1428 # endif
1429 {
1437 /* else fall into slow case */
1438 }
1440 /* ------------ END semi-fast cases ------------ */
1447 Addr ai;
1448 UChar vbits8;
1449 Bool ok;
1453 /* Make up a 64-bit result V word, which contains the loaded data
1454 for valid addresses and Defined for invalid addresses. Iterate
1455 over the bytes in the word, from the most significant down to
1456 the least. The vbits to return are calculated into vbits64.
1457 Also compute the pessimising value to be used when
1458 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1459 info can be gleaned from pessim64) but is used as a
1460 cross-check. */
1470 }
1472 /* In the common case, all the addresses involved are valid, so we
1473 just return the computed V bits and have done. */
1477 /* If there's no possibility of getting a partial-loads-ok
1478 exemption, report the error and quit. */
1482 }
1484 /* The partial-loads-ok excemption might apply. Find out if it
1485 does. If so, don't report an addressing error, but do return
1486 Undefined for the bytes that are out of range, so as to avoid
1487 false negatives. If it doesn't apply, just report an addressing
1488 error in the usual way. */
1490 /* Some code steps along byte strings in aligned word-sized chunks
1491 even when there is only a partially defined word at the end (eg,
1492 optimised strlen). This is allowed by the memory model of
1493 modern machines, since an aligned load cannot span two pages and
1494 thus cannot "partially fault". Despite such behaviour being
1495 declared undefined by ANSI C/C++.
1497 Therefore, a load from a partially-addressible place is allowed
1498 if all of the following hold:
1499 - the command-line flag is set [by default, it isn't]
1500 - it's a word-sized, word-aligned load
1501 - at least one of the addresses in the word *is* valid
1503 Since this suppresses the addressing error, we avoid false
1504 negatives by marking bytes undefined when they come from an
1505 invalid address.
1506 */
1508 /* "at least one of the addresses is invalid" */
1511 # if defined(VGA_mips64) && defined(VGABI_N32)
1514 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1515 /* On power unaligned loads of words are OK. */
1517 # else
1520 # endif
1521 {
1522 /* Exemption applies. Use the previously computed pessimising
1523 value for vbits64 and return the combined result, but don't
1524 flag an addressing error. The pessimising value is Defined
1525 for valid addresses and Undefined for invalid addresses. */
1526 /* for assumption that doing bitwise or implements UifU */
1528 /* (really need "UifU" here...)
1529 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1532 }
1534 /* Also, in appears that gcc generates string-stepping code in
1535 32-bit chunks on 64 bit platforms. So, also grant an exception
1536 for this case. Note that the first clause of the conditional
1537 (VG_WORDSIZE == 8) is known at compile time, so the whole clause
1538 will get folded out in 32 bit builds. */
1539 # if defined(VGA_mips64) && defined(VGABI_N32)
1542 # else
1545 # endif
1546 {
1548 /* (really need "UifU" here...)
1549 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1551 /* Mark the upper 32 bits as undefined, just to be on the safe
1552 side. */
1555 }
1557 /* Exemption doesn't apply. Flag an addressing error in the normal
1558 way. */
1562 }
1565 static
1568 {
1571 UChar vbits8;
1572 Addr ai;
1573 Bool ok;
1577 /* ------------ BEGIN semi-fast cases ------------ */
1578 /* These deal quickly-ish with the common auxiliary primary map
1579 cases on 64-bit platforms. Are merely a speedup hack; can be
1580 omitted without loss of correctness/functionality. Note that in
1581 both cases the "sizeof(void*) == 8" causes these cases to be
1582 folded out by compilers on 32-bit platforms. The logic below
1583 is somewhat similar to some cases extensively commented in
1584 MC_(helperc_STOREV8).
1585 */
1586 # if defined(VGA_mips64) && defined(VGABI_N32)
1588 # else
1590 # endif
1591 {
1598 /* Handle common case quickly: a is suitably aligned, */
1599 /* is mapped, and is addressible. */
1600 // Convert full V-bits in register to compact 2-bit form.
1607 }
1608 /* else fall into the slow case */
1609 }
1610 /* else fall into the slow case */
1611 }
1613 # if defined(VGA_mips64) && defined(VGABI_N32)
1615 # else
1617 # endif
1618 {
1625 /* Handle common case quickly: a is suitably aligned, */
1626 /* is mapped, and is addressible. */
1627 // Convert full V-bits in register to compact 2-bit form.
1634 }
1635 /* else fall into the slow case */
1636 }
1637 /* else fall into the slow case */
1638 }
1639 /* ------------ END semi-fast cases ------------ */
1643 /* Dump vbytes in memory, iterating from least to most significant
1644 byte. At the same time establish addressibility of the location. */
1652 }
1654 /* If an address error has happened, report it. */
1657 }
1660 /*------------------------------------------------------------*/
1661 /*--- Setting permissions over address ranges. ---*/
1662 /*------------------------------------------------------------*/
1665 UWord dsm_num )
1666 {
1670 Addr aNext;
1677 /* Check the V+A bits make sense. */
1682 // This code should never write PDBs; ensure this. (See comment above
1683 // set_vabits2().)
1698 }
1699 }
1701 #ifndef PERF_FAST_SARP
1702 /*------------------ debug-only case ------------------ */
1703 {
1704 // Endianness doesn't matter here because all bytes are being set to
1705 // the same value.
1706 // Nb: We don't have to worry about updating the sec-V-bits table
1707 // after these set_vabits2() calls because this code never writes
1708 // VA_BITS2_PARTDEFINED values.
1709 SizeT i;
1712 }
1714 }
1715 #endif
1717 /*------------------ standard handling ------------------ */
1719 /* Get the distinguished secondary that we might want
1720 to use (part of the space-compression scheme). */
1723 // We have to handle ranges covering various combinations of partial and
1724 // whole sec-maps. Here is how parts 1, 2 and 3 are used in each case.
1725 // Cases marked with a '*' are common.
1726 //
1727 // TYPE PARTS USED
1728 // ---- ----------
1729 // * one partial sec-map (p) 1
1730 // - one whole sec-map (P) 2
1731 //
1732 // * two partial sec-maps (pp) 1,3
1733 // - one partial, one whole sec-map (pP) 1,2
1734 // - one whole, one partial sec-map (Pp) 2,3
1735 // - two whole sec-maps (PP) 2,2
1736 //
1737 // * one partial, one whole, one partial (pPp) 1,2,3
1738 // - one partial, two whole (pPP) 1,2,2
1739 // - two whole, one partial (PPp) 2,2,3
1740 // - three whole (PPP) 2,2,2
1741 //
1742 // * one partial, N-2 whole, one partial (pP...Pp) 1,2...2,3
1743 // - one partial, N-1 whole (pP...PP) 1,2...2,2
1744 // - N-1 whole, one partial (PP...Pp) 2,2...2,3
1745 // - N whole (PP...PP) 2,2...2,3
1747 // Break up total length (lenT) into two parts: length in the first
1748 // sec-map (lenA), and the rest (lenB); lenT == lenA + lenB.
1752 // Range entirely within one sec-map. Covers almost all cases.
1757 // Range spans at least one whole sec-map, and starts at the beginning
1758 // of a sec-map; skip to Part 2.
1764 // Range spans two or more sec-maps, first one is partial.
1768 }
1770 //------------------------------------------------------------------------
1771 // Part 1: Deal with the first sec_map. Most of the time the range will be
1772 // entirely within a sec_map and this part alone will suffice. Also,
1773 // doing it this way lets us avoid repeatedly testing for the crossing of
1774 // a sec-map boundary within these loops.
1775 //------------------------------------------------------------------------
1777 // If it's distinguished, make it undistinguished if necessary.
1781 // Sec-map already has the V+A bits that we want, so skip.
1788 }
1789 }
1792 // 1 byte steps
1801 }
1802 // 8-aligned, 8 byte steps
1810 }
1811 // 1 byte steps
1819 }
1821 // We've finished the first sec-map. Is that it?
1825 //------------------------------------------------------------------------
1826 // Part 2: Fast-set entire sec-maps at a time.
1827 //------------------------------------------------------------------------
1828 part2:
1829 // 64KB-aligned, 64KB steps.
1830 // Nb: we can reach here with lenB < SM_SIZE
1839 // Free the non-distinguished sec-map that we're replacing. This
1840 // case happens moderately often, enough to be worthwhile.
1843 }
1845 // Make the sec-map entry point to the example DSM
1849 }
1851 // We've finished the whole sec-maps. Is that it?
1855 //------------------------------------------------------------------------
1856 // Part 3: Finish off the final partial sec-map, if necessary.
1857 //------------------------------------------------------------------------
1861 // If it's distinguished, make it undistinguished if necessary.
1865 // Sec-map already has the V+A bits that we want, so stop.
1871 }
1872 }
1875 // 8-aligned, 8 byte steps
1883 }
1884 // 1 byte steps
1892 }
1893 }
1896 /* --- Set permissions for arbitrary address ranges --- */
1899 {
1905 }
1908 {
1912 }
1915 {
1921 }
1923 static
1926 {
1927 UInt ecu;
1929 /* VG_(record_ExeContext) checks for validity of tid, and asserts
1930 if it is invalid. So no need to do it here. */
1937 }
1939 static
1941 {
1943 }
1945 static
1947 {
1949 }
1952 {
1958 }
1962 {
1964 }
1966 /* For each byte in [a,a+len), if the byte is addressable, make it be
1967 defined, but if it isn't addressible, leave it alone. In other
1968 words a version of MC_(make_mem_defined) that doesn't mess with
1969 addressibility. Low-performance implementation. */
1971 {
1972 SizeT i;
1973 UChar vabits2;
1981 }
1982 }
1983 }
1984 }
1986 /* Similarly (needed for mprotect handling ..) */
1988 {
1989 SizeT i;
1990 UChar vabits2;
1998 }
1999 }
2000 }
2001 }
2003 /* --- Block-copy permissions (needed for implementing realloc() and
2004 sys_mremap). --- */
2007 {
2023 /* Vectorised fast case, when no overlap and suitably aligned */
2024 /* vector loop */
2032 /* do nothing */
2034 /* have to copy secondary map info */
2043 }
2046 }
2047 /* fixup loop */
2053 }
2054 i++;
2055 len--;
2056 }
2060 /* We have to do things the slow way */
2068 }
2069 }
2070 }
2079 }
2080 }
2081 }
2082 }
2084 }
2087 /*------------------------------------------------------------*/
2088 /*--- Origin tracking stuff - cache basics ---*/
2089 /*------------------------------------------------------------*/
2091 /* AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
2092 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2094 Note that this implementation draws inspiration from the "origin
2095 tracking by value piggybacking" scheme described in "Tracking Bad
2096 Apples: Reporting the Origin of Null and Undefined Value Errors"
2097 (Michael Bond, Nicholas Nethercote, Stephen Kent, Samuel Guyer,
2098 Kathryn McKinley, OOPSLA07, Montreal, Oct 2007) but in fact it is
2099 implemented completely differently.
2101 Origin tags and ECUs -- about the shadow values
2102 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2104 This implementation tracks the defining point of all uninitialised
2105 values using so called "origin tags", which are 32-bit integers,
2106 rather than using the values themselves to encode the origins. The
2107 latter, so-called value piggybacking", is what the OOPSLA07 paper
2108 describes.
2110 Origin tags, as tracked by the machinery below, are 32-bit unsigned
2111 ints (UInts), regardless of the machine's word size. Each tag
2112 comprises an upper 30-bit ECU field and a lower 2-bit
2113 'kind' field. The ECU field is a number given out by m_execontext
2114 and has a 1-1 mapping with ExeContext*s. An ECU can be used
2115 directly as an origin tag (otag), but in fact we want to put
2116 additional information 'kind' field to indicate roughly where the
2117 tag came from. This helps print more understandable error messages
2118 for the user -- it has no other purpose. In summary:
2120 * Both ECUs and origin tags are represented as 32-bit words
2122 * m_execontext and the core-tool interface deal purely in ECUs.
2123 They have no knowledge of origin tags - that is a purely
2124 Memcheck-internal matter.
2126 * all valid ECUs have the lowest 2 bits zero and at least
2127 one of the upper 30 bits nonzero (see VG_(is_plausible_ECU))
2129 * to convert from an ECU to an otag, OR in one of the MC_OKIND_
2130 constants defined in mc_include.h.
2132 * to convert an otag back to an ECU, AND it with ~3
2134 One important fact is that no valid otag is zero. A zero otag is
2135 used by the implementation to indicate "no origin", which could
2136 mean that either the value is defined, or it is undefined but the
2137 implementation somehow managed to lose the origin.
2139 The ECU used for memory created by malloc etc is derived from the
2140 stack trace at the time the malloc etc happens. This means the
2141 mechanism can show the exact allocation point for heap-created
2142 uninitialised values.
2144 In contrast, it is simply too expensive to create a complete
2145 backtrace for each stack allocation. Therefore we merely use a
2146 depth-1 backtrace for stack allocations, which can be done once at
2147 translation time, rather than N times at run time. The result of
2148 this is that, for stack created uninitialised values, Memcheck can
2149 only show the allocating function, and not what called it.
2150 Furthermore, compilers tend to move the stack pointer just once at
2151 the start of the function, to allocate all locals, and so in fact
2152 the stack origin almost always simply points to the opening brace
2153 of the function. Net result is, for stack origins, the mechanism
2154 can tell you in which function the undefined value was created, but
2155 that's all. Users will need to carefully check all locals in the
2156 specified function.
2158 Shadowing registers and memory
2159 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2161 Memory is shadowed using a two level cache structure (ocacheL1 and
2162 ocacheL2). Memory references are first directed to ocacheL1. This
2163 is a traditional 2-way set associative cache with 32-byte lines and
2164 approximate LRU replacement within each set.
2166 A naive implementation would require storing one 32 bit otag for
2167 each byte of memory covered, a 4:1 space overhead. Instead, there
2168 is one otag for every 4 bytes of memory covered, plus a 4-bit mask
2169 that shows which of the 4 bytes have that shadow value and which
2170 have a shadow value of zero (indicating no origin). Hence a lot of
2171 space is saved, but the cost is that only one different origin per
2172 4 bytes of address space can be represented. This is a source of
2173 imprecision, but how much of a problem it really is remains to be
2174 seen.
2176 A cache line that contains all zeroes ("no origins") contains no
2177 useful information, and can be ejected from the L1 cache "for
2178 free", in the sense that a read miss on the L1 causes a line of
2179 zeroes to be installed. However, ejecting a line containing
2180 nonzeroes risks losing origin information permanently. In order to
2181 prevent such lossage, ejected nonzero lines are placed in a
2182 secondary cache (ocacheL2), which is an OSet (AVL tree) of cache
2183 lines. This can grow arbitrarily large, and so should ensure that
2184 Memcheck runs out of memory in preference to losing useful origin
2185 info due to cache size limitations.
2187 Shadowing registers is a bit tricky, because the shadow values are
2188 32 bits, regardless of the size of the register. That gives a
2189 problem for registers smaller than 32 bits. The solution is to
2190 find spaces in the guest state that are unused, and use those to
2191 shadow guest state fragments smaller than 32 bits. For example, on
2192 ppc32/64, each vector register is 16 bytes long. If 4 bytes of the
2193 shadow are allocated for the register's otag, then there are still
2194 12 bytes left over which could be used to shadow 3 other values.
2196 This implies there is some non-obvious mapping from guest state
2197 (start,length) pairs to the relevant shadow offset (for the origin
2198 tags). And it is unfortunately guest-architecture specific. The
2199 mapping is contained in mc_machine.c, which is quite lengthy but
2200 straightforward.
2202 Instrumenting the IR
2203 ~~~~~~~~~~~~~~~~~~~~
2205 Instrumentation is largely straightforward, and done by the
2206 functions schemeE and schemeS in mc_translate.c. These generate
2207 code for handling the origin tags of expressions (E) and statements
2208 (S) respectively. The rather strange names are a reference to the
2209 "compilation schemes" shown in Simon Peyton Jones' book "The
2210 Implementation of Functional Programming Languages" (Prentice Hall,
2211 1987, see
2212 http://research.microsoft.com/~simonpj/papers/slpj-book-1987/index.htm).
2214 schemeS merely arranges to move shadow values around the guest
2215 state to track the incoming IR. schemeE is largely trivial too.
2216 The only significant point is how to compute the otag corresponding
2217 to binary (or ternary, quaternary, etc) operator applications. The
2218 rule is simple: just take whichever value is larger (32-bit
2219 unsigned max). Constants get the special value zero. Hence this
2220 rule always propagates a nonzero (known) otag in preference to a
2221 zero (unknown, or more likely, value-is-defined) tag, as we want.
2222 If two different undefined values are inputs to a binary operator
2223 application, then which is propagated is arbitrary, but that
2224 doesn't matter, since the program is erroneous in using either of
2225 the values, and so there's no point in attempting to propagate
2226 both.
2228 Since constants are abstracted to (otag) zero, much of the
2229 instrumentation code can be folded out without difficulty by the
2230 generic post-instrumentation IR cleanup pass, using these rules:
2231 Max32U(0,x) -> x, Max32U(x,0) -> x, Max32(x,y) where x and y are
2232 constants is evaluated at JIT time. And the resulting dead code
2233 removal. In practice this causes surprisingly few Max32Us to
2234 survive through to backend code generation.
2236 Integration with the V-bits machinery
2237 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2239 This is again largely straightforward. Mostly the otag and V bits
2240 stuff are independent. The only point of interaction is when the V
2241 bits instrumenter creates a call to a helper function to report an
2242 uninitialised value error -- in that case it must first use schemeE
2243 to get hold of the origin tag expression for the value, and pass
2244 that to the helper too.
2246 There is the usual stuff to do with setting address range
2247 permissions. When memory is painted undefined, we must also know
2248 the origin tag to paint with, which involves some tedious plumbing,
2249 particularly to do with the fast case stack handlers. When memory
2250 is painted defined or noaccess then the origin tags must be forced
2251 to zero.
2253 One of the goals of the implementation was to ensure that the
2254 non-origin tracking mode isn't slowed down at all. To do this,
2255 various functions to do with memory permissions setting (again,
2256 mostly pertaining to the stack) are duplicated for the with- and
2257 without-otag case.
2259 Dealing with stack redzones, and the NIA cache
2260 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2262 This is one of the few non-obvious parts of the implementation.
2264 Some ABIs (amd64-ELF, ppc64-ELF, ppc32/64-XCOFF) define a small
2265 reserved area below the stack pointer, that can be used as scratch
2266 space by compiler generated code for functions. In the Memcheck
2267 sources this is referred to as the "stack redzone". The important
2268 thing here is that such redzones are considered volatile across
2269 function calls and returns. So Memcheck takes care to mark them as
2270 undefined for each call and return, on the afflicted platforms.
2271 Past experience shows this is essential in order to get reliable
2272 messages about uninitialised values that come from the stack.
2274 So the question is, when we paint a redzone undefined, what origin
2275 tag should we use for it? Consider a function f() calling g(). If
2276 we paint the redzone using an otag derived from the ExeContext of
2277 the CALL/BL instruction in f, then any errors in g causing it to
2278 use uninitialised values that happen to lie in the redzone, will be
2279 reported as having their origin in f. Which is highly confusing.
2281 The same applies for returns: if, on a return, we paint the redzone
2282 using a origin tag derived from the ExeContext of the RET/BLR
2283 instruction in g, then any later errors in f causing it to use
2284 uninitialised values in the redzone, will be reported as having
2285 their origin in g. Which is just as confusing.
2287 To do it right, in both cases we need to use an origin tag which
2288 pertains to the instruction which dynamically follows the CALL/BL
2289 or RET/BLR. In short, one derived from the NIA - the "next
2290 instruction address".
2292 To make this work, Memcheck's redzone-painting helper,
2293 MC_(helperc_MAKE_STACK_UNINIT), now takes a third argument, the
2294 NIA. It converts the NIA to a 1-element ExeContext, and uses that
2295 ExeContext's ECU as the basis for the otag used to paint the
2296 redzone. The expensive part of this is converting an NIA into an
2297 ECU, since this happens once for every call and every return. So
2298 we use a simple 511-line, 2-way set associative cache
2299 (nia_to_ecu_cache) to cache the mappings, and that knocks most of
2300 the cost out.
2302 Further background comments
2303 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2305 > Question: why is otag a UInt? Wouldn't a UWord be better? Isn't
2306 > it really just the address of the relevant ExeContext?
2308 Well, it's not the address, but a value which has a 1-1 mapping
2309 with ExeContexts, and is guaranteed not to be zero, since zero
2310 denotes (to memcheck) "unknown origin or defined value". So these
2311 UInts are just numbers starting at 4 and incrementing by 4; each
2312 ExeContext is given a number when it is created. (*** NOTE this
2313 confuses otags and ECUs; see comments above ***).
2315 Making these otags 32-bit regardless of the machine's word size
2316 makes the 64-bit implementation easier (next para). And it doesn't
2317 really limit us in any way, since for the tags to overflow would
2318 require that the program somehow caused 2^30-1 different
2319 ExeContexts to be created, in which case it is probably in deep
2320 trouble. Not to mention V will have soaked up many tens of
2321 gigabytes of memory merely to store them all.
2323 So having 64-bit origins doesn't really buy you anything, and has
2324 the following downsides:
2326 Suppose that instead, an otag is a UWord. This would mean that, on
2327 a 64-bit target,
2329 1. It becomes hard to shadow any element of guest state which is
2330 smaller than 8 bytes. To do so means you'd need to find some
2331 8-byte-sized hole in the guest state which you don't want to
2332 shadow, and use that instead to hold the otag. On ppc64, the
2333 condition code register(s) are split into 20 UChar sized pieces,
2334 all of which need to be tracked (guest_XER_SO .. guest_CR7_0)
2335 and so that would entail finding 160 bytes somewhere else in the
2336 guest state.
2338 Even on x86, I want to track origins for %AH .. %DH (bits 15:8
2339 of %EAX .. %EDX) that are separate from %AL .. %DL (bits 7:0 of
2340 same) and so I had to look for 4 untracked otag-sized areas in
2341 the guest state to make that possible.
2343 The same problem exists of course when origin tags are only 32
2344 bits, but it's less extreme.
2346 2. (More compelling) it doubles the size of the origin shadow
2347 memory. Given that the shadow memory is organised as a fixed
2348 size cache, and that accuracy of tracking is limited by origins
2349 falling out the cache due to space conflicts, this isn't good.
2351 > Another question: is the origin tracking perfect, or are there
2352 > cases where it fails to determine an origin?
2354 It is imperfect for at least for the following reasons, and
2355 probably more:
2357 * Insufficient capacity in the origin cache. When a line is
2358 evicted from the cache it is gone forever, and so subsequent
2359 queries for the line produce zero, indicating no origin
2360 information. Interestingly, a line containing all zeroes can be
2361 evicted "free" from the cache, since it contains no useful
2362 information, so there is scope perhaps for some cleverer cache
2363 management schemes. (*** NOTE, with the introduction of the
2364 second level origin tag cache, ocacheL2, this is no longer a
2365 problem. ***)
2367 * The origin cache only stores one otag per 32-bits of address
2368 space, plus 4 bits indicating which of the 4 bytes has that tag
2369 and which are considered defined. The result is that if two
2370 undefined bytes in the same word are stored in memory, the first
2371 stored byte's origin will be lost and replaced by the origin for
2372 the second byte.
2374 * Nonzero origin tags for defined values. Consider a binary
2375 operator application op(x,y). Suppose y is undefined (and so has
2376 a valid nonzero origin tag), and x is defined, but erroneously
2377 has a nonzero origin tag (defined values should have tag zero).
2378 If the erroneous tag has a numeric value greater than y's tag,
2379 then the rule for propagating origin tags though binary
2380 operations, which is simply to take the unsigned max of the two
2381 tags, will erroneously propagate x's tag rather than y's.
2383 * Some obscure uses of x86/amd64 byte registers can cause lossage
2384 or confusion of origins. %AH .. %DH are treated as different
2385 from, and unrelated to, their parent registers, %EAX .. %EDX.
2386 So some weird sequences like
2388 movb undefined-value, %AH
2389 movb defined-value, %AL
2390 .. use %AX or %EAX ..
2392 will cause the origin attributed to %AH to be ignored, since %AL,
2393 %AX, %EAX are treated as the same register, and %AH as a
2394 completely separate one.
2396 But having said all that, it actually seems to work fairly well in
2397 practice.
2398 */
2411 /* Cache of 32-bit values, one every 32 bits of address space */
2413 #define OC_BITS_PER_LINE 5
2414 #define OC_W32S_PER_LINE (1 << (OC_BITS_PER_LINE - 2))
2418 }
2421 }
2423 #define OC_LINES_PER_SET 2
2425 #define OC_N_SET_BITS 20
2426 #define OC_N_SETS (1 << OC_N_SET_BITS)
2428 /* These settings give:
2429 64 bit host: ocache: 100,663,296 sizeB 67,108,864 useful
2430 32 bit host: ocache: 92,274,688 sizeB 67,108,864 useful
2431 */
2433 #define OC_MOVE_FORWARDS_EVERY_BITS 7
2436 typedef
2438 Addr tag;
2441 }
2442 OCacheLine;
2444 /* Classify and also sanity-check 'line'. Return 'e' (empty) if not
2445 in use, 'n' (nonzero) if it contains at least one valid origin tag,
2446 and 'z' if all the represented tags are zero. */
2448 {
2449 UWord i;
2457 }
2459 }
2461 typedef
2464 }
2465 OCacheSet;
2467 typedef
2470 }
2471 OCache;
2478 {
2486 }
2491 }
2492 }
2494 }
2497 {
2498 OCacheLine tmp;
2499 stats_ocacheL1_movefwds++;
2504 }
2507 UWord i;
2511 }
2513 }
2515 //////////////////////////////////////////////////////////////
2516 //// OCache backing store
2522 }
2525 }
2527 /* Stats: # nodes currently in tree */
2531 {
2535 ocacheL2
2540 }
2542 /* Find line with the given tag in the tree, or NULL if not found. */
2544 {
2547 stats__ocacheL2_refs++;
2550 }
2552 /* Delete the line with the given tag from the tree, if it is present, and
2553 free up the associated memory. */
2555 {
2558 stats__ocacheL2_refs++;
2563 stats__ocacheL2_n_nodes--;
2564 }
2565 }
2567 /* Add a copy of the given line to the tree. It must not already be
2568 present. */
2570 {
2575 stats__ocacheL2_refs++;
2577 stats__ocacheL2_n_nodes++;
2580 }
2582 ////
2583 //////////////////////////////////////////////////////////////
2587 {
2589 UChar c;
2590 UWord line;
2596 /* we already tried line == 0; skip therefore. */
2600 stats_ocacheL1_found_at_1++;
2602 stats_ocacheL1_found_at_N++;
2603 }
2607 line--;
2608 }
2610 }
2611 }
2613 /* A miss. Use the last slot. Implicitly this means we're
2614 ejecting the line in the last slot. */
2615 stats_ocacheL1_misses++;
2617 line--;
2620 /* First, move the to-be-ejected line to the L2 cache. */
2625 /* the line is empty (has invalid tag); ignore it. */
2628 /* line contains zeroes. We must ensure the backing store is
2629 updated accordingly, either by copying the line there
2630 verbatim, or by ensuring it isn't present there. We
2631 chosse the latter on the basis that it reduces the size of
2632 the backing store. */
2636 /* line contains at least one real, useful origin. Copy it
2637 to the backing store. */
2638 stats_ocacheL1_lossage++;
2644 }
2648 }
2650 /* Now we must reload the L1 cache from the backing tree, if
2651 possible. */
2655 /* We're in luck. It's in the L2. */
2658 /* Missed at both levels of the cache hierarchy. We have to
2659 declare it as full of zeroes (unknown origins). */
2660 stats__ocacheL2_misses++;
2662 }
2664 /* Move it one forwards */
2666 line--;
2669 }
2672 {
2677 stats_ocacheL1_find++;
2682 }
2686 }
2689 }
2692 {
2693 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2694 //// Set the origins for a+0 .. a+7
2700 }
2706 }
2707 //// END inlined, specialised version of MC_(helperc_b_store8)
2708 }
2711 /*------------------------------------------------------------*/
2712 /*--- Aligned fast case permission setters, ---*/
2713 /*--- for dealing with stacks ---*/
2714 /*------------------------------------------------------------*/
2716 /*--------------------- 32-bit ---------------------*/
2718 /* Nb: by "aligned" here we mean 4-byte aligned */
2721 {
2724 #ifndef PERF_FAST_STACK2
2726 #else
2727 {
2728 UWord sm_off;
2735 }
2740 }
2741 #endif
2742 }
2744 static INLINE
2746 {
2748 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2749 //// Set the origins for a+0 .. a+3
2754 }
2758 }
2759 //// END inlined, specialised version of MC_(helperc_b_store4)
2760 }
2762 static INLINE
2764 {
2767 #ifndef PERF_FAST_STACK2
2769 #else
2770 {
2771 UWord sm_off;
2778 }
2784 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2785 //// Set the origins for a+0 .. a+3.
2791 }
2794 }
2795 //// END inlined, specialised version of MC_(helperc_b_store4)
2796 }
2797 #endif
2798 }
2800 /*--------------------- 64-bit ---------------------*/
2802 /* Nb: by "aligned" here we mean 8-byte aligned */
2805 {
2808 #ifndef PERF_FAST_STACK2
2810 #else
2811 {
2812 UWord sm_off16;
2819 }
2824 }
2825 #endif
2826 }
2828 static INLINE
2830 {
2832 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2833 //// Set the origins for a+0 .. a+7
2843 }
2844 //// END inlined, specialised version of MC_(helperc_b_store8)
2845 }
2847 static INLINE
2849 {
2852 #ifndef PERF_FAST_STACK2
2854 #else
2855 {
2856 UWord sm_off16;
2863 }
2869 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2870 //// Clear the origins for a+0 .. a+7.
2879 }
2880 //// END inlined, specialised version of MC_(helperc_b_store8)
2881 }
2882 #endif
2883 }
2886 /*------------------------------------------------------------*/
2887 /*--- Stack pointer adjustment ---*/
2888 /*------------------------------------------------------------*/
2890 #ifdef PERF_FAST_STACK
2891 # define MAYBE_USED
2892 #else
2893 # define MAYBE_USED __attribute__((unused))
2894 #endif
2896 /*--------------- adjustment by 4 bytes ---------------*/
2898 MAYBE_USED
2900 {
2907 }
2908 }
2910 MAYBE_USED
2912 {
2918 }
2919 }
2921 MAYBE_USED
2923 {
2929 }
2930 }
2932 /*--------------- adjustment by 8 bytes ---------------*/
2934 MAYBE_USED
2936 {
2946 }
2947 }
2949 MAYBE_USED
2951 {
2960 }
2961 }
2963 MAYBE_USED
2965 {
2974 }
2975 }
2977 /*--------------- adjustment by 12 bytes ---------------*/
2979 MAYBE_USED
2981 {
2988 /* from previous test we don't have 8-alignment at offset +0,
2989 hence must have 8 alignment at offsets +4/-4. Hence safe to
2990 do 4 at +0 and then 8 at +4/. */
2995 }
2996 }
2998 MAYBE_USED
3000 {
3006 /* from previous test we don't have 8-alignment at offset +0,
3007 hence must have 8 alignment at offsets +4/-4. Hence safe to
3008 do 4 at +0 and then 8 at +4/. */
3013 }
3014 }
3016 MAYBE_USED
3018 {
3020 /* Note the -12 in the test */
3022 /* We have 8-alignment at -12, hence ok to do 8 at -12 and 4 at
3023 -4. */
3027 /* We have 4-alignment at +0, but we don't have 8-alignment at
3028 -12. So we must have 8-alignment at -8. Hence do 4 at -12
3029 and then 8 at -8. */
3034 }
3035 }
3037 /*--------------- adjustment by 16 bytes ---------------*/
3039 MAYBE_USED
3041 {
3045 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3049 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3050 Hence do 4 at +0, 8 at +4, 4 at +12. */
3056 }
3057 }
3059 MAYBE_USED
3061 {
3064 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3068 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3069 Hence do 4 at +0, 8 at +4, 4 at +12. */
3075 }
3076 }
3078 MAYBE_USED
3080 {
3083 /* Have 8-alignment at +0, hence do 8 at -16 and 8 at -8. */
3087 /* 8 alignment must be at -12. Do 4 at -16, 8 at -12, 4 at -4. */
3093 }
3094 }
3096 /*--------------- adjustment by 32 bytes ---------------*/
3098 MAYBE_USED
3100 {
3104 /* Straightforward */
3110 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3111 +0,+28. */
3119 }
3120 }
3122 MAYBE_USED
3124 {
3127 /* Straightforward */
3133 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3134 +0,+28. */
3142 }
3143 }
3145 MAYBE_USED
3147 {
3150 /* Straightforward */
3156 /* 8 alignment must be at -4 etc. Hence do 8 at -12,-20,-28 and
3157 4 at -32,-4. */
3165 }
3166 }
3168 /*--------------- adjustment by 112 bytes ---------------*/
3170 MAYBE_USED
3172 {
3192 }
3193 }
3195 MAYBE_USED
3197 {
3216 }
3217 }
3219 MAYBE_USED
3221 {
3240 }
3241 }
3243 /*--------------- adjustment by 128 bytes ---------------*/
3245 MAYBE_USED
3247 {
3269 }
3270 }
3272 MAYBE_USED
3274 {
3295 }
3296 }
3298 MAYBE_USED
3300 {
3321 }
3322 }
3324 /*--------------- adjustment by 144 bytes ---------------*/
3326 MAYBE_USED
3328 {
3352 }
3353 }
3355 MAYBE_USED
3357 {
3380 }
3381 }
3383 MAYBE_USED
3385 {
3408 }
3409 }
3411 /*--------------- adjustment by 160 bytes ---------------*/
3413 MAYBE_USED
3415 {
3441 }
3442 }
3444 MAYBE_USED
3446 {
3471 }
3472 }
3474 MAYBE_USED
3476 {
3501 }
3502 }
3504 /*--------------- adjustment by N bytes ---------------*/
3507 {
3511 }
3514 {
3517 }
3520 {
3523 }
3526 /* The AMD64 ABI says:
3528 "The 128-byte area beyond the location pointed to by %rsp is considered
3529 to be reserved and shall not be modified by signal or interrupt
3530 handlers. Therefore, functions may use this area for temporary data
3531 that is not needed across function calls. In particular, leaf functions
3532 may use this area for their entire stack frame, rather than adjusting
3533 the stack pointer in the prologue and epilogue. This area is known as
3534 red zone [sic]."
3536 So after any call or return we need to mark this redzone as containing
3537 undefined values.
3539 Consider this: we're in function f. f calls g. g moves rsp down
3540 modestly (say 16 bytes) and writes stuff all over the red zone, making it
3541 defined. g returns. f is buggy and reads from parts of the red zone
3542 that it didn't write on. But because g filled that area in, f is going
3543 to be picking up defined V bits and so any errors from reading bits of
3544 the red zone it didn't write, will be missed. The only solution I could
3545 think of was to make the red zone undefined when g returns to f.
3547 This is in accordance with the ABI, which makes it clear the redzone
3548 is volatile across function calls.
3550 The problem occurs the other way round too: f could fill the RZ up
3551 with defined values and g could mistakenly read them. So the RZ
3552 also needs to be nuked on function calls.
3553 */
3556 /* Here's a simple cache to hold nia -> ECU mappings. It could be
3557 improved so as to have a lower miss rate. */
3562 typedef
3565 WCacheEnt;
3567 #define N_NIA_TO_ECU_CACHE 511
3572 {
3573 UWord i;
3576 UInt zero_ecu;
3577 /* Fill all the slots with an entry for address zero, and the
3578 relevant otags accordingly. Hence the cache is initially filled
3579 with valid data. */
3589 }
3590 }
3593 {
3594 UWord i;
3595 UInt ecu;
3600 stats__nia_cache_queries++;
3608 # define SWAP(_w1,_w2) { UWord _t = _w1; _w1 = _w2; _w2 = _t; }
3611 # undef SWAP
3613 }
3615 stats__nia_cache_misses++;
3627 }
3630 /* This marks the stack as addressible but undefined, after a call or
3631 return for a target that has an ABI defined stack redzone. It
3632 happens quite a lot and needs to be fast. This is the version for
3633 origin tracking. The non-origin-tracking version is below. */
3636 {
3647 # if 0
3648 /* Slow(ish) version, which is fairly easily seen to be correct.
3649 */
3672 }
3673 # endif
3675 /* Idea is: go fast when
3676 * 8-aligned and length is 128
3677 * the sm is available in the main primary map
3678 * the address range falls entirely with a single secondary map
3679 If all those conditions hold, just update the V+A bits by writing
3680 directly into the vabits array. (If the sm was distinguished, this
3681 will make a copy and then write to it.)
3682 */
3684 /* Now we know the address range is suitably sized and aligned. */
3689 /* Now we know the entire range is within the main primary map. */
3693 /* Now we know that the entire address range falls within a
3694 single secondary map, and that that secondary 'lives' in
3695 the main primary map. */
3732 }
3733 }
3734 }
3736 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3738 /* Now we know the address range is suitably sized and aligned. */
3746 /* Now we know that the entire address range falls within a
3747 single secondary map, and that that secondary 'lives' in
3748 the main primary map. */
3825 }
3826 }
3827 }
3829 /* else fall into slow case */
3831 }
3834 /* This is a version of MC_(helperc_MAKE_STACK_UNINIT_w_o) that is
3835 specialised for the non-origin-tracking case. */
3838 {
3844 # if 0
3845 /* Slow(ish) version, which is fairly easily seen to be correct.
3846 */
3869 }
3870 # endif
3872 /* Idea is: go fast when
3873 * 8-aligned and length is 128
3874 * the sm is available in the main primary map
3875 * the address range falls entirely with a single secondary map
3876 If all those conditions hold, just update the V+A bits by writing
3877 directly into the vabits array. (If the sm was distinguished, this
3878 will make a copy and then write to it.)
3879 */
3881 /* Now we know the address range is suitably sized and aligned. */
3886 /* Now we know the entire range is within the main primary map. */
3890 /* Now we know that the entire address range falls within a
3891 single secondary map, and that that secondary 'lives' in
3892 the main primary map. */
3913 }
3914 }
3915 }
3917 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3919 /* Now we know the address range is suitably sized and aligned. */
3927 /* Now we know that the entire address range falls within a
3928 single secondary map, and that that secondary 'lives' in
3929 the main primary map. */
3970 }
3971 }
3972 }
3974 /* else fall into slow case */
3976 }
3979 /* And this is an even more specialised case, for the case where there
3980 is no origin tracking, and the length is 128. */
3983 {
3988 # if 0
3989 /* Slow(ish) version, which is fairly easily seen to be correct.
3990 */
4013 }
4014 # endif
4016 /* Idea is: go fast when
4017 * 16-aligned and length is 128
4018 * the sm is available in the main primary map
4019 * the address range falls entirely with a single secondary map
4020 If all those conditions hold, just update the V+A bits by writing
4021 directly into the vabits array. (If the sm was distinguished, this
4022 will make a copy and then write to it.)
4024 Typically this applies to amd64 'ret' instructions, since RSP is
4025 16-aligned (0 % 16) after the instruction (per the amd64-ELF ABI).
4026 */
4028 /* Now we know the address range is suitably sized and aligned. */
4031 /* FIXME: come up with a sane story on the wraparound case
4032 (which of course cnanot happen, but still..) */
4035 /* Now we know the entire range is within the main primary map. */
4039 /* Now we know that the entire address range falls within a
4040 single secondary map, and that that secondary 'lives' in
4041 the main primary map. */
4055 }
4056 }
4057 }
4059 /* The same, but for when base is 8 % 16, which is the situation
4060 with RSP for amd64-ELF immediately after call instructions.
4061 */
4063 /* Now we know the address range is suitably sized and aligned. */
4066 /* FIXME: come up with a sane story on the wraparound case
4067 (which of course cnanot happen, but still..) */
4070 /* Now we know the entire range is within the main primary map. */
4075 /* Now we know that the entire address range falls within a
4076 single secondary map, and that that secondary 'lives' in
4077 the main primary map. */
4082 /* The following assertion is commented out for obvious
4083 performance reasons, but was verified as valid when
4084 running the entire testsuite and also Firefox. */
4085 /* tl_assert(VG_IS_4_ALIGNED(w32)); */
4096 }
4097 }
4098 }
4100 /* else fall into slow case */
4103 }
4106 /*------------------------------------------------------------*/
4107 /*--- Checking memory ---*/
4108 /*------------------------------------------------------------*/
4110 typedef
4115 }
4116 MC_ReadResult;
4119 /* Check permissions for address range. If inadequate permissions
4120 exist, *bad_addr is set to the offending address, so the caller can
4121 know what it is. */
4123 /* Returns True if [a .. a+len) is not addressible. Otherwise,
4124 returns False, and if bad_addr is non-NULL, sets *bad_addr to
4125 indicate the lowest failing address. Functions below are
4126 similar. */
4128 {
4129 SizeT i;
4130 UWord vabits2;
4139 }
4140 a++;
4141 }
4143 }
4147 {
4148 SizeT i;
4149 UWord vabits2;
4158 }
4159 a++;
4160 }
4162 }
4167 {
4168 SizeT i;
4169 UWord vabits2;
4180 // Error! Nb: Report addressability errors in preference to
4181 // definedness errors. And don't report definedeness errors unless
4182 // --undef-value-errors=yes.
4185 }
4188 }
4192 }
4194 }
4195 }
4196 a++;
4197 }
4199 }
4202 /* Like is_mem_defined but doesn't give up at the first uninitialised
4203 byte -- the entire range is always checked. This is important for
4204 detecting errors in the case where a checked range strays into
4205 invalid memory, but that fact is not detected by the ordinary
4206 is_mem_defined(), because of an undefined section that precedes the
4207 out of range section, possibly as a result of an alignment hole in
4208 the checked data. This version always checks the entire range and
4209 can report both a definedness and an accessbility error, if
4210 necessary. */
4218 )
4219 {
4220 SizeT i;
4221 UWord vabits2;
4234 a++;
4245 }
4247 }
4256 }
4257 }
4258 }
4261 /* Check a zero-terminated ascii string. Tricky -- don't want to
4262 examine the actual bytes, to find the end, until we're sure it is
4263 safe to do so. */
4266 {
4267 UWord vabits2;
4278 // Error! Nb: Report addressability errors in preference to
4279 // definedness errors. And don't report definedeness errors unless
4280 // --undef-value-errors=yes.
4283 }
4286 }
4290 }
4292 }
4293 }
4294 /* Ok, a is safe to read. */
4297 }
4298 a++;
4299 }
4300 }
4303 /*------------------------------------------------------------*/
4304 /*--- Memory event handlers ---*/
4305 /*------------------------------------------------------------*/
4307 static
4310 {
4311 Addr bad_addr;
4327 }
4328 }
4329 }
4331 static
4334 {
4336 Addr bad_addr;
4352 /* If we're being asked to jump to a silly address, record an error
4353 message before potentially crashing the entire system. */
4360 }
4361 }
4362 }
4364 static
4367 {
4368 MC_ReadResult res;
4378 }
4379 }
4381 /* Handling of mmap and mprotect is not as simple as it seems.
4383 The underlying semantics are that memory obtained from mmap is
4384 always initialised, but may be inaccessible. And changes to the
4385 protection of memory do not change its contents and hence not its
4386 definedness state. Problem is we can't model
4387 inaccessible-but-with-some-definedness state; once we mark memory
4388 as inaccessible we lose all info about definedness, and so can't
4389 restore that if it is later made accessible again.
4391 One obvious thing to do is this:
4393 mmap/mprotect NONE -> noaccess
4394 mmap/mprotect other -> defined
4396 The problem case here is: taking accessible memory, writing
4397 uninitialised data to it, mprotecting it NONE and later mprotecting
4398 it back to some accessible state causes the undefinedness to be
4399 lost.
4401 A better proposal is:
4403 (1) mmap NONE -> make noaccess
4404 (2) mmap other -> make defined
4406 (3) mprotect NONE -> # no change
4407 (4) mprotect other -> change any "noaccess" to "defined"
4409 (2) is OK because memory newly obtained from mmap really is defined
4410 (zeroed out by the kernel -- doing anything else would
4411 constitute a massive security hole.)
4413 (1) is OK because the only way to make the memory usable is via
4414 (4), in which case we also wind up correctly marking it all as
4415 defined.
4417 (3) is the weak case. We choose not to change memory state.
4418 (presumably the range is in some mixture of "defined" and
4419 "undefined", viz, accessible but with arbitrary V bits). Doing
4420 nothing means we retain the V bits, so that if the memory is
4421 later mprotected "other", the V bits remain unchanged, so there
4422 can be no false negatives. The bad effect is that if there's
4423 an access in the area, then MC cannot warn; but at least we'll
4424 get a SEGV to show, so it's better than nothing.
4426 Consider the sequence (3) followed by (4). Any memory that was
4427 "defined" or "undefined" previously retains its state (as
4428 required). Any memory that was "noaccess" before can only have
4429 been made that way by (1), and so it's OK to change it to
4430 "defined".
4432 See https://bugs.kde.org/show_bug.cgi?id=205541
4433 and https://bugs.kde.org/show_bug.cgi?id=210268
4434 */
4435 static
4437 ULong di_handle )
4438 {
4440 /* (2) mmap/mprotect other -> defined */
4443 /* (1) mmap/mprotect NONE -> noaccess */
4445 }
4446 }
4448 static
4450 {
4452 /* (4) mprotect other -> change any "noaccess" to "defined" */
4455 /* (3) mprotect NONE -> # no change */
4456 /* do nothing */
4457 }
4458 }
4461 static
4464 {
4465 // Because code is defined, initialised variables get put in the data
4466 // segment and are defined, and uninitialised variables get put in the
4467 // bss segment and are auto-zeroed (and so defined).
4468 //
4469 // It's possible that there will be padding between global variables.
4470 // This will also be auto-zeroed, and marked as defined by Memcheck. If
4471 // a program uses it, Memcheck will not complain. This is arguably a
4472 // false negative, but it's a grey area -- the behaviour is defined (the
4473 // padding is zeroed) but it's probably not what the user intended. And
4474 // we can't avoid it.
4475 //
4476 // Note: we generally ignore RWX permissions, because we can't track them
4477 // without requiring more than one A bit which would slow things down a
4478 // lot. But on Darwin the 0th page is mapped but !R and !W and !X.
4479 // So we mark any such pages as "unaddressable".
4483 }
4485 static
4487 {
4489 }
4492 /*------------------------------------------------------------*/
4493 /*--- Register event handlers ---*/
4494 /*------------------------------------------------------------*/
4496 /* Try and get a nonzero origin for the guest state section of thread
4497 tid characterised by (offset,size). Return 0 if nothing to show
4498 for it. */
4501 {
4502 Int sh2off;
4504 UInt otag;
4517 }
4520 /* When some chunk of guest state is written, mark the corresponding
4521 shadow area as valid. This is used to initialise arbitrarily large
4522 chunks of guest state, hence the _SIZE value, which has to be as
4523 big as the biggest guest state.
4524 */
4527 {
4528 # define MAX_REG_WRITE_SIZE 1744
4533 # undef MAX_REG_WRITE_SIZE
4534 }
4536 static
4539 {
4541 }
4543 /* Look at the definedness of the guest's shadow state for
4544 [offset, offset+len). If any part of that is undefined, record
4545 a parameter error.
4546 */
4549 {
4550 Int i;
4551 Bool bad;
4552 UInt otag;
4564 }
4565 }
4570 /* We've found some undefinedness. See if we can also find an
4571 origin for it. */
4574 }
4577 /*------------------------------------------------------------*/
4578 /*--- Register-memory event handlers ---*/
4579 /*------------------------------------------------------------*/
4583 {
4584 SizeT i;
4585 UChar vbits8;
4586 Int offset;
4587 UInt d32;
4589 /* Slow loop. */
4594 }
4599 /* Track origins. */
4625 }
4628 }
4632 SizeT size )
4633 {
4634 SizeT i;
4635 UChar vbits8;
4636 Int offset;
4637 UInt d32;
4639 /* Slow loop. */
4644 }
4649 /* Track origins. */
4676 }
4677 }
4680 /*------------------------------------------------------------*/
4681 /*--- Some static assertions ---*/
4682 /*------------------------------------------------------------*/
4684 /* The handwritten assembly helpers below have baked-in assumptions
4685 about various constant values. These assertions attempt to make
4686 that a bit safer by checking those values and flagging changes that
4687 would make the assembly invalid. Not perfect but it's better than
4688 nothing. */
4711 /*------------------------------------------------------------*/
4712 /*--- Functions called directly from generated code: ---*/
4713 /*--- Load/store handlers. ---*/
4714 /*------------------------------------------------------------*/
4716 /* Types: LOADV32, LOADV16, LOADV8 are:
4717 UWord fn ( Addr a )
4718 so they return 32-bits on 32-bit machines and 64-bits on
4719 64-bit machines. Addr has the same size as a host word.
4721 LOADV64 is always ULong fn ( Addr a )
4723 Similarly for STOREV8, STOREV16, STOREV32, the supplied vbits
4724 are a UWord, and for STOREV64 they are a ULong.
4725 */
4727 /* If any part of '_a' indicated by the mask is 1, either '_a' is not
4728 naturally '_sz/8'-aligned, or it exceeds the range covered by the
4729 primary map. This is all very tricky (and important!), so let's
4730 work through the maths by hand (below), *and* assert for these
4731 values at startup. */
4732 #define MASK(_szInBytes) \
4733 ( ~((0x10000UL-(_szInBytes)) | ((N_PRIMARY_MAP-1) << 16)) )
4735 /* MASK only exists so as to define this macro. */
4736 #define UNALIGNED_OR_HIGH(_a,_szInBits) \
4737 ((_a) & MASK((_szInBits>>3)))
4739 /* On a 32-bit machine:
4741 N_PRIMARY_BITS == 16, so
4742 N_PRIMARY_MAP == 0x10000, so
4743 N_PRIMARY_MAP-1 == 0xFFFF, so
4744 (N_PRIMARY_MAP-1) << 16 == 0xFFFF0000, and so
4746 MASK(1) = ~ ( (0x10000 - 1) | 0xFFFF0000 )
4747 = ~ ( 0xFFFF | 0xFFFF0000 )
4748 = ~ 0xFFFF'FFFF
4749 = 0
4751 MASK(2) = ~ ( (0x10000 - 2) | 0xFFFF0000 )
4752 = ~ ( 0xFFFE | 0xFFFF0000 )
4753 = ~ 0xFFFF'FFFE
4754 = 1
4756 MASK(4) = ~ ( (0x10000 - 4) | 0xFFFF0000 )
4757 = ~ ( 0xFFFC | 0xFFFF0000 )
4758 = ~ 0xFFFF'FFFC
4759 = 3
4761 MASK(8) = ~ ( (0x10000 - 8) | 0xFFFF0000 )
4762 = ~ ( 0xFFF8 | 0xFFFF0000 )
4763 = ~ 0xFFFF'FFF8
4764 = 7
4766 Hence in the 32-bit case, "a & MASK(1/2/4/8)" is a nonzero value
4767 precisely when a is not 1/2/4/8-bytes aligned. And obviously, for
4768 the 1-byte alignment case, it is always a zero value, since MASK(1)
4769 is zero. All as expected.
4771 On a 64-bit machine, it's more complex, since we're testing
4772 simultaneously for misalignment and for the address being at or
4773 above 64G:
4775 N_PRIMARY_BITS == 20, so
4776 N_PRIMARY_MAP == 0x100000, so
4777 N_PRIMARY_MAP-1 == 0xFFFFF, so
4778 (N_PRIMARY_MAP-1) << 16 == 0xF'FFFF'0000, and so
4780 MASK(1) = ~ ( (0x10000 - 1) | 0xF'FFFF'0000 )
4781 = ~ ( 0xFFFF | 0xF'FFFF'0000 )
4782 = ~ 0xF'FFFF'FFFF
4783 = 0xFFFF'FFF0'0000'0000
4785 MASK(2) = ~ ( (0x10000 - 2) | 0xF'FFFF'0000 )
4786 = ~ ( 0xFFFE | 0xF'FFFF'0000 )
4787 = ~ 0xF'FFFF'FFFE
4788 = 0xFFFF'FFF0'0000'0001
4790 MASK(4) = ~ ( (0x10000 - 4) | 0xF'FFFF'0000 )
4791 = ~ ( 0xFFFC | 0xF'FFFF'0000 )
4792 = ~ 0xF'FFFF'FFFC
4793 = 0xFFFF'FFF0'0000'0003
4795 MASK(8) = ~ ( (0x10000 - 8) | 0xF'FFFF'0000 )
4796 = ~ ( 0xFFF8 | 0xF'FFFF'0000 )
4797 = ~ 0xF'FFFF'FFF8
4798 = 0xFFFF'FFF0'0000'0007
4799 */
4801 /*------------------------------------------------------------*/
4802 /*--- LOADV256 and LOADV128 ---*/
4803 /*------------------------------------------------------------*/
4805 static INLINE
4808 {
4811 #ifndef PERF_FAST_LOADV
4814 #else
4815 {
4825 }
4827 /* Handle common cases quickly: a (and a+8 and a+16 etc.) is
4828 suitably aligned, is mapped, and addressible. */
4834 // Convert V bits from compact memory form to expanded
4835 // register form.
4841 /* Slow case: some block of 8 bytes are not all-defined or
4842 all-undefined. */
4846 }
4847 }
4849 }
4850 #endif
4851 }
4854 {
4856 }
4858 {
4860 }
4863 {
4865 }
4867 {
4869 }
4871 /*------------------------------------------------------------*/
4872 /*--- LOADV64 ---*/
4873 /*------------------------------------------------------------*/
4875 static INLINE
4877 {
4880 #ifndef PERF_FAST_LOADV
4882 #else
4883 {
4890 }
4896 // Handle common case quickly: a is suitably aligned, is mapped, and
4897 // addressible.
4898 // Convert V bits from compact memory form to expanded register form.
4904 /* Slow case: the 8 bytes are not all-defined or all-undefined. */
4907 }
4908 }
4909 #endif
4910 }
4912 // Generic for all platforms
4914 {
4916 }
4918 // Non-generic assembly for arm32-linux
4919 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4920 && defined(VGP_arm_linux)
4921 /* See mc_main_asm.c */
4923 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4924 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
4925 /* See mc_main_asm.c */
4927 #else
4928 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
4930 {
4932 }
4933 #endif
4935 /*------------------------------------------------------------*/
4936 /*--- STOREV64 ---*/
4937 /*------------------------------------------------------------*/
4939 static INLINE
4941 {
4944 #ifndef PERF_FAST_STOREV
4945 // XXX: this slow case seems to be marginally faster than the fast case!
4946 // Investigate further.
4948 #else
4949 {
4957 }
4963 // To understand the below cleverness, see the extensive comments
4964 // in MC_(helperc_STOREV8).
4968 }
4972 }
4976 }
4980 }
4984 }
4988 }
4992 }
4993 #endif
4994 }
4997 {
4999 }
5001 {
5003 }
5005 /*------------------------------------------------------------*/
5006 /*--- LOADV32 ---*/
5007 /*------------------------------------------------------------*/
5009 static INLINE
5011 {
5014 #ifndef PERF_FAST_LOADV
5016 #else
5017 {
5024 }
5030 // Handle common case quickly: a is suitably aligned, is mapped, and the
5031 // entire word32 it lives in is addressible.
5032 // Convert V bits from compact memory form to expanded register form.
5033 // For 64-bit platforms, set the high 32 bits of retval to 1 (undefined).
5034 // Almost certainly not necessary, but be paranoid.
5040 /* Slow case: the 4 bytes are not all-defined or all-undefined. */
5043 }
5044 }
5045 #endif
5046 }
5048 // Generic for all platforms
5050 {
5052 }
5054 // Non-generic assembly for arm32-linux
5055 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5056 && defined(VGP_arm_linux)
5057 /* See mc_main_asm.c */
5059 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5060 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5061 /* See mc_main_asm.c */
5063 #else
5064 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5066 {
5068 }
5069 #endif
5071 /*------------------------------------------------------------*/
5072 /*--- STOREV32 ---*/
5073 /*------------------------------------------------------------*/
5075 static INLINE
5077 {
5080 #ifndef PERF_FAST_STOREV
5082 #else
5083 {
5091 }
5097 // To understand the below cleverness, see the extensive comments
5098 // in MC_(helperc_STOREV8).
5102 }
5106 }
5110 }
5114 }
5118 }
5122 }
5126 }
5127 #endif
5128 }
5131 {
5133 }
5135 {
5137 }
5139 /*------------------------------------------------------------*/
5140 /*--- LOADV16 ---*/
5141 /*------------------------------------------------------------*/
5143 static INLINE
5145 {
5148 #ifndef PERF_FAST_LOADV
5150 #else
5151 {
5158 }
5163 // Handle common case quickly: a is suitably aligned, is mapped, and is
5164 // addressible.
5165 // Convert V bits from compact memory form to expanded register form
5169 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5170 // the two sub-bytes.
5175 /* Slow case: the two bytes are not all-defined or all-undefined. */
5178 }
5179 }
5180 }
5181 #endif
5182 }
5184 // Generic for all platforms
5186 {
5188 }
5190 // Non-generic assembly for arm32-linux
5191 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5192 && defined(VGP_arm_linux)
5220 // r1 holds sec-map-VABITS8. r0 holds the address and is 2-aligned.
5221 // Extract the relevant 4 bits and inspect.
5241 );
5243 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5244 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5286 );
5288 #else
5289 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5291 {
5293 }
5294 #endif
5296 /*------------------------------------------------------------*/
5297 /*--- STOREV16 ---*/
5298 /*------------------------------------------------------------*/
5300 /* True if the vabits4 in vabits8 indicate a and a+1 are accessible. */
5301 static INLINE
5303 {
5304 UInt shift;
5308 // check 2 x vabits2 != VA_BITS2_NOACCESS
5311 }
5313 static INLINE
5315 {
5318 #ifndef PERF_FAST_STOREV
5320 #else
5321 {
5329 }
5335 // To understand the below cleverness, see the extensive comments
5336 // in MC_(helperc_STOREV8).
5340 }
5346 }
5349 }
5353 }
5359 }
5363 }
5367 }
5368 #endif
5369 }
5373 {
5375 }
5377 {
5379 }
5381 /*------------------------------------------------------------*/
5382 /*--- LOADV8 ---*/
5383 /*------------------------------------------------------------*/
5385 /* Note: endianness is irrelevant for size == 1 */
5387 // Non-generic assembly for arm32-linux
5388 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5389 && defined(VGP_arm_linux)
5414 // r1 holds sec-map-VABITS8
5415 // r0 holds the address. Extract the relevant 2 bits and inspect.
5434 );
5436 /* Non-generic assembly for x86-linux */
5437 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5438 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5477 );
5479 #else
5480 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5483 {
5486 #ifndef PERF_FAST_LOADV
5488 #else
5489 {
5496 }
5501 // Convert V bits from compact memory form to expanded register form
5502 // Handle common case quickly: a is mapped, and the entire
5503 // word32 it lives in is addressible.
5507 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5508 // the single byte.
5513 /* Slow case: the byte is not all-defined or all-undefined. */
5516 }
5517 }
5518 }
5519 #endif
5520 }
5521 #endif
5523 /*------------------------------------------------------------*/
5524 /*--- STOREV8 ---*/
5525 /*------------------------------------------------------------*/
5529 {
5532 #ifndef PERF_FAST_STOREV
5534 #else
5535 {
5543 }
5549 // Clevernesses to speed up storing V bits.
5550 // The 64/32/16 bit cases also have similar clevernesses, but it
5551 // works a little differently to the code below.
5552 //
5553 // Cleverness 1: sometimes we don't have to write the shadow memory at
5554 // all, if we can tell that what we want to write is the same as what is
5555 // already there. These cases are marked below as "defined on defined" and
5556 // "undefined on undefined".
5557 //
5558 // Cleverness 2:
5559 // We also avoid to call mc_STOREVn_slow if the V bits can directly
5560 // be written in the secondary map. V bits can be directly written
5561 // if 4 conditions are respected:
5562 // * The address for which V bits are written is naturally aligned
5563 // on 1 byte for STOREV8 (this is always true)
5564 // on 2 bytes for STOREV16
5565 // on 4 bytes for STOREV32
5566 // on 8 bytes for STOREV64.
5567 // * V bits being written are either fully defined or fully undefined.
5568 // (for partially defined V bits, V bits cannot be directly written,
5569 // as the secondary vbits table must be maintained).
5570 // * the secmap is not distinguished (distinguished maps cannot be
5571 // modified).
5572 // * the memory corresponding to the V bits being written is
5573 // accessible (if one or more bytes are not accessible,
5574 // we must call mc_STOREVn_slow in order to report accessibility
5575 // errors).
5576 // Note that for STOREV32 and STOREV64, it is too expensive
5577 // to verify the accessibility of each byte for the benefit it
5578 // brings. Instead, a quicker check is done by comparing to
5579 // VA_BITS(8|16)_(UN)DEFINED. This guarantees accessibility,
5580 // but misses some opportunity of direct modifications.
5581 // Checking each byte accessibility was measured for
5582 // STOREV32+perf tests and was slowing down all perf tests.
5583 // The cases corresponding to cleverness 2 are marked below as
5584 // "direct mod".
5588 }
5591 // direct mod
5595 }
5599 }
5603 }
5605 && (VA_BITS2_NOACCESS
5607 // direct mod
5611 }
5615 }
5617 // Partially defined word
5620 }
5621 #endif
5622 }
5625 /*------------------------------------------------------------*/
5626 /*--- Functions called directly from generated code: ---*/
5627 /*--- Value-check failure handlers. ---*/
5628 /*------------------------------------------------------------*/
5630 /* Call these ones when an origin is available ... */
5634 }
5639 }
5644 }
5649 }
5654 }
5656 /* ... and these when an origin isn't available. */
5661 }
5666 }
5671 }
5676 }
5681 }
5684 /*------------------------------------------------------------*/
5685 /*--- Metadata get/set functions, for client requests. ---*/
5686 /*------------------------------------------------------------*/
5688 // Nb: this expands the V+A bits out into register-form V bits, even though
5689 // they're in memory. This is for backward compatibility, and because it's
5690 // probably what the user wants.
5692 /* Copy Vbits from/to address 'a'. Returns: 1 == OK, 2 == alignment
5693 error [no longer used], 3 == addressing error. */
5694 /* Nb: We used to issue various definedness/addressability errors from here,
5695 but we took them out because they ranged from not-very-helpful to
5696 downright annoying, and they complicated the error data structures. */
5698 Addr a,
5699 Addr vbits,
5700 SizeT szB,
5702 Bool is_client_request /* True <=> real user request
5703 False <=> internal call from gdbserver */
5704 )
5705 {
5706 SizeT i;
5707 Bool ok;
5708 UChar vbits8;
5710 /* Check that arrays are addressible before doing any getting/setting.
5711 vbits to be checked only for real user request. */
5716 }
5717 }
5719 /* Do the copy */
5721 /* setting */
5725 }
5727 /* getting */
5732 }
5734 // The bytes in vbits[] have now been set, so mark them as such.
5736 }
5739 }
5742 /*------------------------------------------------------------*/
5743 /*--- Detecting leaked (unreachable) malloc'd blocks. ---*/
5744 /*------------------------------------------------------------*/
5746 /* For the memory leak detector, say whether an entire 64k chunk of
5747 address space is possibly in use, or not. If in doubt return
5748 True.
5749 */
5751 {
5754 /* Definitely not in use. */
5758 }
5759 }
5762 /* For the memory leak detector, say whether or not a given word
5763 address is to be regarded as valid. */
5765 {
5773 }
5776 else
5778 }
5781 /*------------------------------------------------------------*/
5782 /*--- Initialisation ---*/
5783 /*------------------------------------------------------------*/
5786 {
5787 Int i;
5795 /* Build the 3 distinguished secondaries */
5805 /* Set up the primary map. */
5806 /* These entries gradually get overwritten as the used address
5807 space expands. */
5811 /* Auxiliary primary maps */
5814 /* auxmap_size = auxmap_used = 0;
5815 no ... these are statically initialised */
5817 /* Secondary V bit table */
5819 }
5822 /*------------------------------------------------------------*/
5823 /*--- Sanity check machinery (permanently engaged) ---*/
5824 /*------------------------------------------------------------*/
5827 {
5828 n_sanity_cheap++;
5830 /* Check for sane operating level */
5833 /* nothing else useful we can rapidly check */
5835 }
5838 {
5839 Int i;
5840 Word n_secmaps_found;
5848 n_sanity_expensive++;
5851 /* Check for sane operating level */
5855 /* Check that the 3 distinguished SMs are still as they should be. */
5857 /* Check noaccess DSM. */
5863 /* Check undefined DSM. */
5869 /* Check defined DSM. */
5879 }
5881 /* If we're not checking for undefined value errors, the secondary V bit
5882 * table should be empty. */
5886 }
5888 /* check the auxiliary maps, very thoroughly */
5894 }
5896 /* n_secmaps_found is now the number referred to by the auxiliary
5897 primary map. Now add on the ones referred to by the main
5898 primary map. */
5904 n_secmaps_found++;
5905 }
5906 }
5908 /* check that the number of secmaps issued matches the number that
5909 are reachable (iow, no secmap leaks) */
5917 }
5923 }
5925 /* there is only one pointer to each secmap (expensive) */
5928 }
5930 /*------------------------------------------------------------*/
5931 /*--- Command line args ---*/
5932 /*------------------------------------------------------------*/
5934 /* 31 Aug 2015: Vectorised code is now so widespread that
5935 --partial-loads-ok needs to be enabled by default on all platforms.
5936 Not doing so causes lots of false errors. */
5957 ExpensiveDefinednessChecks
5966 /* The first heuristic value (LchNone) has no keyword, as this is
5967 a fake heuristic used to collect the blocks found without any
5968 heuristic. */
5971 {
5973 Int tmp_show;
5977 /* Set MC_(clo_mc_level):
5978 1 = A bit tracking only
5979 2 = A and V bit tracking, but no V bit origins
5980 3 = A and V bit tracking, and V bit origins
5982 Do this by inspecting --undef-value-errors= and
5983 --track-origins=. Reject the case --undef-value-errors=no
5984 --track-origins=yes as meaningless.
5985 */
5992 }
5993 }
5998 }
6003 }
6010 }
6011 }
6028 }
6029 }
6035 }
6036 }
6067 "ERROR: --ignore-ranges: "
6070 }
6072 UInt i;
6088 }
6089 }
6090 }
6091 }
6094 /* This seems at first a bit weird, but: in order to imply
6095 a non-wrapped-around address range, the first offset needs to be
6096 larger than the second one. For example
6097 --ignore-range-below-sp=8192,8189
6098 would cause accesses to in the range [SP-8192, SP-8189] to be
6099 ignored. */
6102 // Ensure we used all the text after the '=' sign.
6106 "ERROR: --ignore-range-below-sp: invalid syntax. "
6109 }
6112 "ERROR: --ignore-range-below-sp: suspiciously large "
6115 }
6118 "ERROR: --ignore-range-below-sp: invalid offsets "
6121 }
6125 "ERROR: --ignore-range-below-sp: suspiciously large "
6128 }
6133 }
6164 else
6170 bad_level:
6173 }
6176 {
6214 );
6215 }
6218 {
6221 );
6222 }
6225 /*------------------------------------------------------------*/
6226 /*--- Client blocks ---*/
6227 /*------------------------------------------------------------*/
6229 /* Client block management:
6231 This is managed as an expanding array of client block descriptors.
6232 Indices of live descriptors are issued to the client, so it can ask
6233 to free them later. Therefore we cannot slide live entries down
6234 over dead ones. Instead we must use free/inuse flags and scan for
6235 an empty slot at allocation time. This in turn means allocation is
6236 relatively expensive, so we hope this does not happen too often.
6238 An unused block has start == size == 0
6239 */
6241 /* type CGenBlock is defined in mc_include.h */
6243 /* This subsystem is self-initialising. */
6248 /* Stats for this subsystem. */
6255 /* Get access to the client block array. */
6258 {
6261 }
6264 static
6266 {
6270 cgb_allocs++;
6273 cgb_search++;
6276 }
6278 /* Not found. Try to allocate one at the end. */
6280 cgb_used++;
6282 }
6284 /* Ok, we have to allocate a new one. */
6297 cgb_used++;
6301 }
6305 {
6309 );
6310 }
6312 {
6314 (
6360 }
6362 /* Print szB bytes at address, with a format similar to the gdb command
6363 x /<szB>xb address.
6364 res[i] == 1 indicates the corresponding byte is addressable. */
6366 {
6367 UInt i;
6375 }
6378 else
6380 }
6382 }
6385 /* Returns the address of the next non space character,
6386 or address of the string terminator. */
6388 {
6390 s++;
6392 }
6394 /* Parse an integer slice, i.e. a single integer or a range of integer.
6395 Syntax is:
6396 <integer>[..<integer> ]
6397 (spaces are allowed before and/or after ..).
6398 Return True if range correctly parsed, False otherwise. */
6401 {
6407 /* slice must start with an integer. */
6411 }
6416 }
6419 /* wl token is an integer terminating the string
6420 or else next token does not start with .
6421 In both cases, the slice is a single integer. */
6424 }
6427 // iii .. => get the next token
6430 // It must be iii..
6434 }
6436 // It must be iii.. jjj => get the next token
6439 // It must be iii..jjj
6441 }
6442 }
6448 }
6454 }
6457 }
6459 /* return True if request recognised, False otherwise */
6461 {
6469 /* NB: if possible, avoid introducing a new command below which
6470 starts with the same first letter(s) as an already existing
6471 command. This ensures a shorter abbreviation for the user. */
6484 Addr address;
6487 UChar vbits;
6488 Int i;
6491 Int res = mc_get_or_set_vbits_for_client
6495 /* we are before the first character on next line, print a \n. */
6498 /* we are before the next block of 4 starts, print a space. */
6505 unaddressable++;
6507 }
6508 }
6514 }
6515 }
6517 }
6520 LeakCheckParams lcp;
6538 "kinds reachable possibleleak definiteleak "
6539 "heuristics "
6540 "increased changed any "
6551 xt_filename
6561 wcmd,
6564 err++;
6565 }
6567 }
6572 lcp.show_leak_kinds
6583 wcmd,
6586 err++;
6587 }
6589 }
6599 Int int_value;
6610 }
6615 else
6619 }
6622 }
6623 }
6629 }
6632 Addr address;
6648 }
6650 }
6653 Addr address;
6655 Addr bad_addr;
6656 UInt okind;
6658 UInt otag;
6659 UInt ecu;
6661 MC_ReadResult res;
6675 else
6679 // Describe this (probably live) address with current epoch
6700 }
6709 }
6710 }
6711 else
6714 // Describe this (probably live) address with current epoch
6718 }
6720 }
6730 Int int_value;
6747 }
6752 }
6757 }
6765 wcmd,
6769 }
6773 }
6774 }
6775 /* substract 1 from lr_nr_from/lr_nr_to as what is shown to the user
6776 is 1 more than the index in lr_array. */
6779 limit_blocks,
6780 heuristics))
6782 }
6784 }
6787 Addr address;
6795 }
6798 }
6801 Addr address;
6806 Int i;
6814 /* We going to print the first vabits of a new line.
6815 Terminate the previous line if needed: prints a line with the
6816 address and the data. */
6821 }
6823 }
6828 unaddressable++;
6830 }
6831 }
6835 else
6841 }
6842 }
6844 }
6851 }
6856 }
6857 }
6859 /*------------------------------------------------------------*/
6860 /*--- Client requests ---*/
6861 /*------------------------------------------------------------*/
6864 {
6865 Int i;
6866 Addr bad_addr;
6892 }
6903 );
6907 }
6911 }
6912 /* Return the lower of the two erring addresses, if any. */
6916 }
6919 }
6922 }
6924 }
6927 LeakCheckParams lcp;
6937 }
6954 }
6962 }
6971 MC_OKIND_USER );
6988 /* VG_(printf)("allocated %d %p\n", i, cgbs); */
7007 cgb_discards++;
7009 }
7028 // MC_(bytes_leaked) et al were set by the last leak check (or zero
7029 // if no prior leak checks performed).
7034 // there is no argp[5]
7035 //*argp[5] = MC_(bytes_indirect);
7036 // XXX need to make *argp[1-4] defined; currently done in the
7037 // VALGRIND_COUNT_LEAKS_MACRO by initialising them to zero.
7040 }
7043 // MC_(blocks_leaked) et al were set by the last leak check (or zero
7044 // if no prior leak checks performed).
7049 // there is no argp[5]
7050 //*argp[5] = MC_(blocks_indirect);
7051 // XXX need to make *argp[1-4] defined; currently done in the
7052 // VALGRIND_COUNT_LEAK_BLOCKS_MACRO by initialising them to zero.
7055 }
7067 }
7069 }
7078 }
7085 }
7094 }
7102 // The create_mempool function does not know these mempool flags,
7103 // pass as booleans.
7108 }
7115 }
7124 }
7132 }
7141 }
7149 }
7159 }
7166 }
7172 else
7175 }
7179 Bool addRange
7181 Bool ok
7185 }
7189 Vg_UserMsg,
7192 );
7194 }
7196 }
7199 /*------------------------------------------------------------*/
7200 /*--- Crude profiling machinery. ---*/
7201 /*------------------------------------------------------------*/
7203 // We track a number of interesting events (using PROF_EVENT)
7204 // if MC_PROFILE_MEMORY is defined.
7206 #ifdef MC_PROFILE_MEMORY
7210 /* Event counter names. Use the name of the function that increases the
7211 event counter. Drop any MC_() and mc_ prefices. */
7339 };
7342 {
7349 }
7351 /* Make sure every profiling event has a name */
7353 }
7356 {
7363 }
7370 }
7371 }
7372 }
7374 #else
7379 #endif
7382 /*------------------------------------------------------------*/
7383 /*--- Origin tracking stuff ---*/
7384 /*------------------------------------------------------------*/
7386 /*--------------------------------------------*/
7387 /*--- Origin tracking: load handlers ---*/
7388 /*--------------------------------------------*/
7392 }
7396 UChar descr;
7402 }
7409 }
7415 }
7416 }
7420 UChar descr;
7424 /* Handle misaligned case, slowly. */
7428 }
7435 }
7441 }
7447 }
7448 }
7452 UChar descr;
7453 UWord lineoff;
7456 /* Handle misaligned case, slowly. */
7460 }
7465 }
7472 }
7478 }
7479 }
7484 UWord lineoff;
7487 /* Handle misaligned case, slowly. */
7491 }
7496 }
7505 }
7513 }
7514 }
7521 }
7531 }
7534 /*--------------------------------------------*/
7535 /*--- Origin tracking: store handlers ---*/
7536 /*--------------------------------------------*/
7545 }
7554 }
7555 }
7562 /* Handle misaligned case, slowly. */
7566 }
7573 }
7582 }
7583 }
7587 UWord lineoff;
7590 /* Handle misaligned case, slowly. */
7594 }
7599 }
7608 }
7609 }
7613 UWord lineoff;
7616 /* Handle misaligned case, slowly. */
7620 }
7625 }
7637 }
7638 }
7643 }
7650 }
7653 /*--------------------------------------------*/
7654 /*--- Origin tracking: sarp handlers ---*/
7655 /*--------------------------------------------*/
7661 a++;
7662 len--;
7663 }
7668 }
7675 }
7680 }
7683 //a++;
7684 len--;
7685 }
7687 }
7693 a++;
7694 len--;
7695 }
7700 }
7707 }
7712 }
7715 //a++;
7716 len--;
7717 }
7719 }
7722 /*------------------------------------------------------------*/
7723 /*--- Setup and finalisation ---*/
7724 /*------------------------------------------------------------*/
7727 {
7728 /* If we've been asked to emit XML, mash around various other
7729 options so as to constrain the output somewhat. */
7731 /* Extract as much info as possible from the leak checker. */
7733 }
7742 }
7750 );
7751 }
7756 /* We're doing origin tracking. */
7757 # ifdef PERF_FAST_STACK
7767 # endif
7771 /* Not doing origin tracking */
7772 # ifdef PERF_FAST_STACK
7782 # endif
7785 }
7787 // We assume that brk()/sbrk() does not initialise new memory. Is this
7788 // accurate? John Reiser says:
7789 //
7790 // 0) sbrk() can *decrease* process address space. No zero fill is done
7791 // for a decrease, not even the fragment on the high end of the last page
7792 // that is beyond the new highest address. For maximum safety and
7793 // portability, then the bytes in the last page that reside above [the
7794 // new] sbrk(0) should be considered to be uninitialized, but in practice
7795 // it is exceedingly likely that they will retain their previous
7796 // contents.
7797 //
7798 // 1) If an increase is large enough to require new whole pages, then
7799 // those new whole pages (like all new pages) are zero-filled by the
7800 // operating system. So if sbrk(0) already is page aligned, then
7801 // sbrk(PAGE_SIZE) *does* zero-fill the new memory.
7802 //
7803 // 2) Any increase that lies within an existing allocated page is not
7804 // changed. So if (x = sbrk(0)) is not page aligned, then
7805 // sbrk(PAGE_SIZE) yields ((PAGE_SIZE -1) & -x) bytes which keep their
7806 // existing contents, and an additional PAGE_SIZE bytes which are zeroed.
7807 // ((PAGE_SIZE -1) & x) of them are "covered" by the sbrk(), and the rest
7808 // of them come along for the ride because the operating system deals
7809 // only in whole pages. Again, for maximum safety and portability, then
7810 // anything that lives above [the new] sbrk(0) should be considered
7811 // uninitialized, but in practice will retain previous contents [zero in
7812 // this case.]"
7813 //
7814 // In short:
7815 //
7816 // A key property of sbrk/brk is that new whole pages that are supplied
7817 // by the operating system *do* get initialized to zero.
7818 //
7819 // As for the portability of all this:
7820 //
7821 // sbrk and brk are not POSIX. However, any system that is a derivative
7822 // of *nix has sbrk and brk because there are too many software (such as
7823 // the Bourne shell) which rely on the traditional memory map (.text,
7824 // .data+.bss, stack) and the existence of sbrk/brk.
7825 //
7826 // So we should arguably observe all this. However:
7827 // - The current inaccuracy has caused maybe one complaint in seven years(?)
7828 // - Relying on the zeroed-ness of whole brk'd pages is pretty grotty... I
7829 // doubt most programmers know the above information.
7830 // So I'm not terribly unhappy with marking it as undefined. --njn.
7831 //
7832 // [More: I think most of what John said only applies to sbrk(). It seems
7833 // that brk() always deals in whole pages. And since this event deals
7834 // directly with brk(), not with sbrk(), perhaps it would be reasonable to
7835 // just mark all memory it allocates as defined.]
7836 //
7837 # if !defined(VGO_solaris)
7840 else
7842 # else
7843 // On Solaris, brk memory has to be marked as defined, otherwise we get
7844 // many false positives.
7846 # endif
7848 /* This origin tracking cache is huge (~100M), so only initialise
7849 if we need it. */
7857 }
7866 /* Do not check definedness of guest state if --undef-value-errors=no */
7874 "To use --xtree-memory=full, you must"
7876 // Activate full xtree memory profiling.
7878 }
7880 }
7883 {
7886 type,
7887 n_SMs,
7890 }
7893 {
7903 n_auxmap_L2_nodes,
7911 );
7914 n_auxmap_L2_searches, n_auxmap_L2_nodes
7915 );
7924 // Three DSMs, plus the non-DSM ones
7926 // The 3*sizeof(Word) bytes is the AVL node metadata size.
7927 // The VG_ROUNDUP is because the OSet pool allocator will/must align
7928 // the elements on pointer size.
7929 // Note that the pool allocator has some additional small overhead
7930 // which is not counted in the below.
7931 // Hardwiring this logic sucks, but I don't see how else to do it.
7951 stats_ocacheL1_find,
7952 stats_ocacheL1_misses,
7953 stats_ocacheL1_lossage );
7956 stats_ocacheL1_find - stats_ocacheL1_misses
7957 - stats_ocacheL1_found_at_1
7959 stats_ocacheL1_found_at_1 );
7962 stats_ocacheL1_found_at_N,
7963 stats_ocacheL1_movefwds );
7970 stats__ocacheL2_refs,
7971 stats__ocacheL2_misses );
7974 stats__ocacheL2_n_nodes_max,
7975 stats__ocacheL2_n_nodes );
7982 }
7983 }
7987 {
7992 LeakCheckParams lcp;
8007 }
8008 else
8018 );
8019 }
8020 }
8025 "Use --track-origins=yes to see where "
8027 }
8029 /* Print a warning if any client-request generated ignore-ranges
8030 still exist. It would be reasonable to expect that a properly
8031 written program would remove any such ranges before exiting, and
8032 since they are a bit on the dangerous side, let's comment. By
8033 contrast ranges which are specified on the command line normally
8034 pertain to hardware mapped into the address space, and so we
8035 can't expect the client to have got rid of them. */
8046 /* Print the offending range. Also, if it is the first,
8047 print a banner before it. */
8048 nBad++;
8053 "WARNING: "
8055 "WARNING: "
8057 );
8058 }
8061 }
8062 }
8073 }
8074 }
8076 /* mark the given addr/len unaddressable for watchpoint implementation
8077 The PointKind will be handled at access time */
8080 {
8081 /* GDBTD this is somewhat fishy. We might rather have to save the previous
8082 accessibility and definedness in gdbserver so as to allow restoring it
8083 properly. Currently, we assume that the user only watches things
8084 which are properly addressable and defined */
8087 else
8090 }
8093 {
8104 mc_fini);
8125 mc_print_usage,
8126 mc_print_debug_usage);
8129 mc_expensive_sanity_check);
8142 MC_MALLOC_DEFAULT_REDZONE_SZB );
8149 // Handling of mmap and mprotect isn't simple (well, it is simple,
8150 // but the justification isn't.) See comments above, just prior to
8151 // mc_new_mem_mmap.
8161 /* Defer the specification of the new_mem_stack functions to the
8162 post_clo_init function, since we need to first parse the command
8163 line before deciding which set to use. */
8165 # ifdef PERF_FAST_STACK
8175 # endif
8191 }
8196 // MC_(chunk_poolalloc) must be allocated in post_clo_init
8204 // {LOADV,STOREV}[8421] will all fail horribly if this isn't true.
8206 // Call me paranoid. I don't care.
8209 // BYTES_PER_SEC_VBIT_NODE must be a power of two.
8212 /* This is small. Always initialise it. */
8215 /* We can't initialise ocacheL1/ocacheL2 yet, since we don't know
8216 if we need to, since the command line args haven't been
8217 processed yet. Hence defer it to mc_post_clo_init. */
8221 /* Check some important stuff. See extensive comments above
8222 re UNALIGNED_OR_HIGH for background. */
8223 # if VG_WORDSIZE == 4
8233 # else
8244 # endif
8246 /* Check some assertions to do with the instrumentation machinery. */
8248 }
8254 /*--------------------------------------------------------------------*/
8255 /*--- end mc_main.c ---*/
8256 /*--------------------------------------------------------------------*/