| blob | da3db87fcdc088a056879821c9a2f18464c66409 |
1 /* -*- mode: C; c-basic-offset: 3; -*- */
3 /*--------------------------------------------------------------------*/
4 /*--- The address space manager: segment initialisation and ---*/
5 /*--- tracking, stack operations ---*/
6 /*--- ---*/
7 /*--- Implementation for Linux, Darwin, Solaris and FreeBSD ---*/
8 /*--------------------------------------------------------------------*/
10 /*
11 This file is part of Valgrind, a dynamic binary instrumentation
12 framework.
14 Copyright (C) 2000-2017 Julian Seward
15 jseward@acm.org
17 This program is free software; you can redistribute it and/or
18 modify it under the terms of the GNU General Public License as
19 published by the Free Software Foundation; either version 2 of the
20 License, or (at your option) any later version.
22 This program is distributed in the hope that it will be useful, but
23 WITHOUT ANY WARRANTY; without even the implied warranty of
24 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
25 General Public License for more details.
27 You should have received a copy of the GNU General Public License
28 along with this program; if not, see <http://www.gnu.org/licenses/>.
30 The GNU General Public License is contained in the file COPYING.
31 */
33 #if defined(VGO_linux) || defined(VGO_darwin) || defined(VGO_solaris) || defined(VGO_freebsd)
35 /* *************************************************************
36 DO NOT INCLUDE ANY OTHER FILES HERE.
37 ADD NEW INCLUDES ONLY TO priv_aspacemgr.h
38 AND THEN ONLY AFTER READING DIRE WARNINGS THERE TOO.
39 ************************************************************* */
45 /* Note: many of the exported functions implemented below are
46 described more fully in comments in pub_core_aspacemgr.h.
47 */
50 /*-----------------------------------------------------------------*/
51 /*--- ---*/
52 /*--- Overview. ---*/
53 /*--- ---*/
54 /*-----------------------------------------------------------------*/
56 /* Purpose
57 ~~~~~~~
58 The purpose of the address space manager (aspacem) is:
60 (1) to record the disposition of all parts of the process' address
61 space at all times.
63 (2) to the extent that it can, influence layout in ways favourable
64 to our purposes.
66 It is important to appreciate that whilst it can and does attempt
67 to influence layout, and usually succeeds, it isn't possible to
68 impose absolute control: in the end, the kernel is the final
69 arbiter, and can always bounce our requests.
71 Strategy
72 ~~~~~~~~
73 The strategy is therefore as follows:
75 * Track ownership of mappings. Each one can belong either to
76 Valgrind or to the client.
78 * Try to place the client's fixed and hinted mappings at the
79 requested addresses. Fixed mappings are allowed anywhere except
80 in areas reserved by Valgrind; the client can trash its own
81 mappings if it wants. Hinted mappings are allowed providing they
82 fall entirely in free areas; if not, they will be placed by
83 aspacem in a free area.
85 * Anonymous mappings are allocated so as to keep Valgrind and
86 client areas widely separated when possible. If address space
87 runs low, then they may become intermingled: aspacem will attempt
88 to use all possible space. But under most circumstances lack of
89 address space is not a problem and so the areas will remain far
90 apart.
92 Searches for client space start at aspacem_cStart and will wrap
93 around the end of the available space if needed. Searches for
94 Valgrind space start at aspacem_vStart and will also wrap around.
95 Because aspacem_cStart is approximately at the start of the
96 available space and aspacem_vStart is approximately in the
97 middle, for the most part the client anonymous mappings will be
98 clustered towards the start of available space, and Valgrind ones
99 in the middle.
101 On Solaris, searches for client space start at (aspacem_vStart - 1)
102 and for Valgrind space start at (aspacem_maxAddr - 1) and go backwards.
103 This simulates what kernel does - brk limit grows from bottom and mmap'ed
104 objects from top. It is in contrary with Linux where data segment
105 and mmap'ed objects grow from bottom (leading to early data segment
106 exhaustion for tools which do not use m_replacemalloc). While Linux glibc
107 can cope with this problem by employing mmap, Solaris libc treats inability
108 to grow brk limit as a hard failure.
110 The available space is delimited by aspacem_minAddr and
111 aspacem_maxAddr. aspacem is flexible and can operate with these
112 at any (sane) setting. For 32-bit Linux, aspacem_minAddr is set
113 to some low-ish value at startup (64M) and aspacem_maxAddr is
114 derived from the stack pointer at system startup. This seems a
115 reliable way to establish the initial boundaries.
116 A command line option allows to change the value of aspacem_minAddr,
117 so as to allow memory hungry applications to use the lowest
118 part of the memory.
120 64-bit Linux is similar except for the important detail that the
121 upper boundary is set to 64G. The reason is so that all
122 anonymous mappings (basically all client data areas) are kept
123 below 64G, since that is the maximum range that memcheck can
124 track shadow memory using a fast 2-level sparse array. It can go
125 beyond that but runs much more slowly. The 64G limit is
126 arbitrary and is trivially changed. So, with the current
127 settings, programs on 64-bit Linux will appear to run out of
128 address space and presumably fail at the 64G limit. Given the
129 considerable space overhead of Memcheck, that means you should be
130 able to memcheckify programs that use up to about 32G natively.
132 Note that the aspacem_minAddr/aspacem_maxAddr limits apply only to
133 anonymous mappings. The client can still do fixed and hinted maps
134 at any addresses provided they do not overlap Valgrind's segments.
135 This makes Valgrind able to load prelinked .so's at their requested
136 addresses on 64-bit platforms, even if they are very high (eg,
137 112TB).
139 At startup, aspacem establishes the usable limits, and advises
140 m_main to place the client stack at the top of the range, which on
141 a 32-bit machine will be just below the real initial stack. One
142 effect of this is that self-hosting sort-of works, because an inner
143 valgrind will then place its client's stack just below its own
144 initial stack.
146 The segment array and segment kinds
147 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
148 The central data structure is the segment array (segments[0
149 .. nsegments_used-1]). This covers the entire address space in
150 order, giving account of every byte of it. Free spaces are
151 represented explicitly as this makes many operations simpler.
152 Mergeable adjacent segments are aggressively merged so as to create
153 a "normalised" representation (preen_nsegments).
155 There are 7 (mutually-exclusive) segment kinds, the meaning of
156 which is important:
158 SkFree: a free space, which may be allocated either to Valgrind (V)
159 or the client (C).
161 SkAnonC: an anonymous mapping belonging to C. For these, aspacem
162 tracks a boolean indicating whether or not is is part of the
163 client's heap area (can't remember why).
165 SkFileC: a file mapping belonging to C.
167 SkShmC: a shared memory segment belonging to C.
169 SkAnonV: an anonymous mapping belonging to V. These cover all V's
170 dynamic memory needs, including non-client malloc/free areas,
171 shadow memory, and the translation cache.
173 SkFileV: a file mapping belonging to V. As far as I know these are
174 only created transiently for the purposes of reading debug info.
176 SkResvn: a reservation segment.
178 These are mostly straightforward. Reservation segments have some
179 subtlety, however.
181 A reservation segment is unmapped from the kernel's point of view,
182 but is an area in which aspacem will not create anonymous maps
183 (either Vs or Cs). The idea is that we will try to keep it clear
184 when the choice to do so is ours. Reservation segments are
185 'invisible' from the client's point of view: it may choose to park
186 a fixed mapping in the middle of one, and that's just tough -- we
187 can't do anything about that. From the client's perspective
188 reservations are semantically equivalent to (although
189 distinguishable from, if it makes enquiries) free areas.
191 Reservations are a primitive mechanism provided for whatever
192 purposes the rest of the system wants. Currently they are used to
193 reserve the expansion space into which a growdown stack is
194 expanded, and into which the data segment is extended. Note,
195 though, those uses are entirely external to this module, which only
196 supplies the primitives.
198 Reservations may be shrunk in order that an adjoining anonymous
199 mapping may be extended. This makes dataseg/stack expansion work.
200 A reservation may not be shrunk below one page.
202 The advise/notify concept
203 ~~~~~~~~~~~~~~~~~~~~~~~~~
204 All mmap-related calls must be routed via aspacem. Calling
205 sys_mmap directly from the rest of the system is very dangerous
206 because aspacem's data structures will become out of date.
208 The fundamental mode of operation of aspacem is to support client
209 mmaps. Here's what happens (in ML_(generic_PRE_sys_mmap)):
211 * m_syswrap intercepts the mmap call. It examines the parameters
212 and identifies the requested placement constraints. There are
213 three possibilities: no constraint (MAny), hinted (MHint, "I
214 prefer X but will accept anything"), and fixed (MFixed, "X or
215 nothing").
217 * This request is passed to VG_(am_get_advisory). This decides on
218 a placement as described in detail in Strategy above. It may
219 also indicate that the map should fail, because it would trash
220 one of Valgrind's areas, which would probably kill the system.
222 * Control returns to the wrapper. If VG_(am_get_advisory) has
223 declared that the map should fail, then it must be made to do so.
224 Usually, though, the request is considered acceptable, in which
225 case an "advised" address is supplied. The advised address
226 replaces the original address supplied by the client, and
227 MAP_FIXED is set.
229 Note at this point that although aspacem has been asked for
230 advice on where to place the mapping, no commitment has yet been
231 made by either it or the kernel.
233 * The adjusted request is handed off to the kernel.
235 * The kernel's result is examined. If the map succeeded, aspacem
236 is told of the outcome (VG_(am_notify_client_mmap)), so it can
237 update its records accordingly.
239 This then is the central advise-notify idiom for handling client
240 mmap/munmap/mprotect/shmat:
242 * ask aspacem for an advised placement (or a veto)
244 * if not vetoed, hand request to kernel, using the advised placement
246 * examine result, and if successful, notify aspacem of the result.
248 There are also many convenience functions, eg
249 VG_(am_mmap_anon_fixed_client), which do both phases entirely within
250 aspacem.
252 To debug all this, a sync-checker is provided. It reads
253 /proc/self/maps, compares what it sees with aspacem's records, and
254 complains if there is a difference. --sanity-level=3 runs it before
255 and after each syscall, which is a powerful, if slow way of finding
256 buggy syscall wrappers.
258 Loss of pointercheck
259 ~~~~~~~~~~~~~~~~~~~~
260 Up to and including Valgrind 2.4.1, x86 segmentation was used to
261 enforce separation of V and C, so that wild writes by C could not
262 trash V. This got called "pointercheck". Unfortunately, the new
263 more flexible memory layout, plus the need to be portable across
264 different architectures, means doing this in hardware is no longer
265 viable, and doing it in software is expensive. So at the moment we
266 don't do it at all.
267 */
270 /*-----------------------------------------------------------------*/
271 /*--- ---*/
272 /*--- The Address Space Manager's state. ---*/
273 /*--- ---*/
274 /*-----------------------------------------------------------------*/
276 /* ------ start of STATE for the address-space manager ------ */
278 /* Max number of segments we can track. On Android, virtual address
279 space is limited, so keep a low limit -- 5000 x sizef(NSegment) is
280 360KB. */
281 #if defined(VGPV_arm_linux_android) \
282 || defined(VGPV_x86_linux_android) \
283 || defined(VGPV_mips32_linux_android) \
284 || defined(VGPV_arm64_linux_android)
285 # define VG_N_SEGMENTS 5000
286 #else
287 # define VG_N_SEGMENTS 30000
288 #endif
290 /* Array [0 .. nsegments_used-1] of all mappings. */
291 /* Sorted by .addr field. */
292 /* I: len may not be zero. */
293 /* I: overlapping segments are not allowed. */
294 /* I: the segments cover the entire address space precisely. */
295 /* Each segment can optionally hold an index into the filename table. */
300 #define Addr_MIN ((Addr)0)
301 #define Addr_MAX ((Addr)(-1ULL))
303 /* Limits etc */
307 #if defined(VGO_linux)
309 #elif defined(VGO_darwin)
310 # if VG_WORDSIZE == 4
312 # else
314 # endif
315 #elif defined(VGO_solaris)
317 #elif defined(VGO_freebsd)
319 #else
320 #endif
323 // The smallest address that aspacem will try to allocate
326 // The largest address that aspacem will try to allocate
329 // Where aspacem will start looking for client space
332 // Where aspacem will start looking for Valgrind space
335 #define AM_SANITY_CHECK \
336 do { \
337 if (VG_(clo_sanity_level) >= 3) \
338 aspacem_assert(VG_(am_do_sync_check) \
339 (__PRETTY_FUNCTION__,__FILE__,__LINE__)); \
340 } while (0)
342 /* ------ end of STATE for the address-space manager ------ */
344 /* ------ Forwards decls ------ */
345 inline
353 );
355 /* ----- Hacks to do with the "commpage" on arm-linux ----- */
356 /* Not that I have anything against the commpage per se. It's just
357 that it's not listed in /proc/self/maps, which is a royal PITA --
358 we have to fake it up, in parse_procselfmaps.
360 But note also bug 254556 comment #2: this is now fixed in newer
361 kernels -- it is listed as a "[vectors]" entry. Presumably the
362 fake entry made here duplicates the [vectors] entry, and so, if at
363 some point in the future, we can stop supporting buggy kernels,
364 then this kludge can be removed entirely, since the procmap parser
365 below will read that entry in the normal way. */
366 #if defined(VGP_arm_linux)
367 # define ARM_LINUX_FAKE_COMMPAGE_START 0xFFFF0000
368 # define ARM_LINUX_FAKE_COMMPAGE_END1 0xFFFF1000
369 #endif
371 #if !defined(VKI_MAP_STACK)
372 /* this is only defined for FreeBSD
373 * for readability, define it to 0
374 * for other platforms */
375 #define VKI_MAP_STACK 0
376 #endif
378 /*-----------------------------------------------------------------*/
379 /*--- ---*/
380 /*--- Displaying the segment array. ---*/
381 /*--- ---*/
382 /*-----------------------------------------------------------------*/
385 {
395 }
396 }
399 {
405 }
406 }
409 {
415 }
419 }
423 }
427 }
431 }
433 }
435 /* Show full details of an NSegment */
438 {
449 "%3d: %s %010lx-%010lx %s %c%c%c%c%c %s "
459 name
460 );
461 }
464 /* Show an NSegment in a user-friendly-ish way. */
467 {
479 );
491 );
497 "%3d: %s %010lx-%010lx %s %c%c%c%c%c d=0x%03llx "
506 );
519 );
526 segNo
527 );
529 }
530 }
532 /* Print out the segment array (debugging only!). */
534 {
535 Int i;
544 }
547 /* Get the filename corresponding to this segment, if known and if it
548 has one. */
550 {
553 }
555 /* Collect up the start addresses of segments whose kind matches one of
556 the kinds specified in kind_mask.
557 The interface is a bit strange in order to avoid potential
558 segment-creation races caused by dynamic allocation of the result
559 buffer *starts.
561 The function first computes how many entries in the result
562 buffer *starts will be needed. If this number <= nStarts,
563 they are placed in starts[0..], and the number is returned.
564 If nStarts is not large enough, nothing is written to
565 starts[0..], and the negation of the size is returned.
567 Correct use of this function may mean calling it multiple times in
568 order to establish a suitably-sized buffer. */
571 {
574 /* don't pass dumbass arguments */
580 nSegs++;
581 }
584 /* The buffer isn't big enough. Tell the caller how big it needs
585 to be. */
587 }
589 /* There's enough space. So write into the result buffer. */
596 }
600 }
603 /*-----------------------------------------------------------------*/
604 /*--- ---*/
605 /*--- Sanity checking and preening of the segment array. ---*/
606 /*--- ---*/
607 /*-----------------------------------------------------------------*/
609 /* Check representational invariants for NSegments. */
612 {
615 /* No zero sized segments and no wraparounds. */
618 /* require page alignment */
625 return
632 return
638 return
644 return
651 }
652 }
655 /* Try merging s2 into s1, if possible. If successful, s1 is
656 modified, and True is returned. Otherwise s1 is unchanged and
657 False is returned. */
660 {
667 /* reject cases which would cause wraparound */
683 }
696 }
706 }
711 }
714 }
717 /* Sanity-check and canonicalise the segment array (merge mergable
718 segments). Returns True if any segments were merged. */
721 {
724 /* Pass 1: check the segment array covers the entire address space
725 exactly once, and also that each segment is sane. */
734 }
736 /* Pass 2: merge as much as possible, using
737 maybe_merge_segments. */
741 /* nothing */
743 w++;
746 }
747 }
748 w++;
753 }
756 /* Check the segment array corresponds with the kernel's view of
757 memory layout. sync_check_ok returns True if no anomalies were
758 found, else False. In the latter case the mismatching segments are
759 displayed.
761 The general idea is: we get the kernel to show us all its segments
762 and also the gaps in between. For each such interval, try and find
763 a sequence of appropriate intervals in our segment array which
764 cover or more than cover the kernel's interval, and which all have
765 suitable kinds/permissions etc.
767 Although any specific kernel interval is not matched exactly to a
768 valgrind interval or sequence thereof, eventually any disagreement
769 on mapping boundaries will be detected. This is because, if for
770 example valgrind's intervals cover a greater range than the current
771 kernel interval, it must be the case that a neighbouring free-space
772 interval belonging to valgrind cannot cover the neighbouring
773 free-space interval belonging to the kernel. So the disagreement
774 is detected.
776 In other words, we examine each kernel interval in turn, and check
777 we do not disagree over the range of that interval. Because all of
778 the address space is examined, any disagreements must eventually be
779 detected.
780 */
787 {
791 /* If a problem has already been detected, don't continue comparing
792 segments, so as to avoid flooding the output with error
793 messages. */
794 #if !defined(VGO_darwin)
795 /* GrP fixme not */
798 #endif
802 /* The kernel should not give us wraparounds. */
808 /* These 5 should be guaranteed by find_nsegment_idx. */
815 /* x86 doesn't differentiate 'x' and 'r' (at least, all except the
816 most recent NX-bit enabled CPUs) and so recent kernels attempt
817 to provide execute protection by placing all executable mappings
818 low down in the address space and then reducing the size of the
819 code segment to prevent code at higher addresses being executed.
821 These kernels report which mappings are really executable in
822 the /proc/self/maps output rather than mirroring what was asked
823 for when each mapping was created. In order to cope with this we
824 have a sloppyXcheck mode which we enable on x86 and s390 - in this
825 mode we allow the kernel to report execute permission when we weren't
826 expecting it but not vice versa. */
827 # if defined(VGA_x86) || defined (VGA_s390x) || \
828 defined(VGA_mips32) || defined(VGA_mips64)
830 # else
832 # endif
834 /* Some kernels on s390 provide 'r' permission even when it was not
835 explicitly requested. It seems that 'x' permission implies 'r'.
836 This behaviour also occurs on OS X. */
837 # if defined(VGA_s390x) || defined(VGO_darwin)
839 # else
841 # endif
843 /* NSegments iLo .. iHi inclusive should agree with the presented
844 data. */
848 UInt seg_prot;
850 /* compare the kernel's offering against ours. */
862 #if defined(VGO_darwin) || defined(VGO_freebsd)
863 // GrP fixme kernel info doesn't have dev/inode
866 // GrP fixme V and kernel don't agree on offsets
868 #else
869 cmp_offsets
872 cmp_devino
874 #endif
876 /* Consider other reasons to not compare dev/inode */
877 #if defined(VGO_linux)
878 /* bproc does some godawful hack on /dev/zero at process
879 migration, which changes the name of it, and its dev & ino */
883 /* hack apparently needed on MontaVista Linux */
886 #endif
888 /* If we are doing sloppy execute permission checks then we
889 allow segment to have X permission when we weren't expecting
890 it (but not vice versa) so if the kernel reported execute
891 permission then pretend that this segment has it regardless
892 of what we were expecting. */
895 }
900 }
902 same = same
904 && (cmp_devino
907 && (cmp_offsets
923 "...: .... %010lx-%010lx %s %c%c%c.. ....... "
932 }
933 }
935 /* Looks harmless. Keep going. */
937 }
940 {
943 /* If a problem has already been detected, don't continue comparing
944 segments, so as to avoid flooding the output with error
945 messages. */
946 #if !defined(VGO_darwin)
947 /* GrP fixme not */
950 #endif
954 /* The kernel should not give us wraparounds. */
960 /* These 5 should be guaranteed by find_nsegment_idx. */
967 /* NSegments iLo .. iHi inclusive should agree with the presented
968 data. */
971 Bool same;
973 /* compare the kernel's offering against ours. */
993 }
994 }
996 /* Looks harmless. Keep going. */
998 }
1001 /* Sanity check: check that Valgrind and the kernel agree on the
1002 address space layout. Prints offending segments and call point if
1003 a discrepancy is detected, but does not abort the system. Returned
1004 Bool is False if a discrepancy was found. */
1008 {
1013 sync_check_gap_callback );
1020 # if 0
1021 {
1026 }
1027 # endif
1029 }
1031 }
1033 /* Hook to allow sanity checks to be done from aspacemgr-common.c. */
1035 {
1036 AM_SANITY_CHECK;
1037 }
1040 /*-----------------------------------------------------------------*/
1041 /*--- ---*/
1042 /*--- Low level access / modification of the segment array. ---*/
1043 /*--- ---*/
1044 /*-----------------------------------------------------------------*/
1046 /* Binary search the interval array for a given address. Since the
1047 array covers the entire address space the search cannot fail. The
1048 _WRK function does the real work. Its caller (just below) caches
1049 the results thereof, to save time. With N_CACHE of 63 we get a hit
1050 rate exceeding 90% when running OpenOffice.
1052 Re ">> 12", it doesn't matter that the page size of some targets
1053 might be different from 12. Really "(a >> 12) % N_CACHE" is merely
1054 a hash function, and the actual cache entry is always validated
1055 correctly against the selected cache entry before use.
1056 */
1057 /* Don't call find_nsegment_idx_WRK; use find_nsegment_idx instead. */
1060 {
1062 Int mid,
1066 /* current unsearched space is from lo to hi, inclusive. */
1068 /* Not found. This can't happen. */
1070 }
1080 }
1081 }
1084 {
1090 # ifdef N_Q_M_STATS
1093 n_q++;
1096 # endif
1098 UWord ix;
1101 /* do nothing */
1106 }
1108 }
1117 /* hit */
1118 /* aspacem_assert( cache_segidx[ix] == find_nsegment_idx_WRK(a) ); */
1120 }
1121 /* miss */
1122 # ifdef N_Q_M_STATS
1123 n_m++;
1124 # endif
1128 # undef N_CACHE
1129 }
1132 /* Finds the segment containing 'a'. Only returns non-SkFree segments. */
1134 {
1141 else
1143 }
1145 /* Finds an anonymous segment containing 'a'. Returned pointer is read only. */
1147 {
1154 else
1156 }
1158 /* Map segment pointer to segment index. */
1160 {
1164 }
1167 /* Find the next segment along from 'here', if it is a non-SkFree segment. */
1169 {
1173 i++;
1177 i--;
1180 }
1183 else
1185 }
1188 /* Trivial fn: return the total amount of space in anonymous mappings,
1189 both for V and the client. Is used for printing stats in
1190 out-of-memory messages. */
1192 {
1193 Int i;
1199 }
1200 }
1202 }
1205 /* Test if a piece of memory is addressable by client or by valgrind with at
1206 least the "prot" protection permissions by examining the underlying
1207 segments. The KINDS argument specifies the allowed segments ADDR may
1208 belong to in order to be considered "valid".
1209 */
1210 static
1212 {
1229 /* This is a speedup hack which avoids calling find_nsegment_idx
1230 a second time when possible. It is always correct to just
1231 use the "else" clause below, but is_valid_for_client is
1232 called a lot by the leak checker, so avoiding pointless calls
1233 to find_nsegment_idx, which can be expensive, is helpful. */
1237 }
1244 /* ok */
1247 }
1248 }
1251 }
1253 /* Test if a piece of memory is addressable by the client with at
1254 least the "prot" protection permissions by examining the underlying
1255 segments. */
1257 UInt prot )
1258 {
1262 }
1264 /* Variant of VG_(am_is_valid_for_client) which allows free areas to
1265 be consider part of the client's addressable space. It also
1266 considers reservations to be allowable, since from the client's
1267 point of view they don't exist. */
1270 {
1274 }
1276 /* Checks if a piece of memory consists of either free or reservation
1277 segments. */
1279 {
1283 }
1287 {
1291 }
1294 /* Returns True if any part of the address range is marked as having
1295 translations made from it. This is used to determine when to
1296 discard code, so if in doubt return True. */
1299 {
1308 }
1310 }
1313 /* Check whether ADDR looks like an address or address-to-be located in an
1314 extensible client stack segment. Return true if
1315 (1) ADDR is located in an already mapped stack segment, OR
1316 (2) ADDR is located in a reservation segment into which an abutting SkAnonC
1317 segment can be extended. */
1319 {
1332 /* If the abutting segment towards higher addresses is an SkAnonC
1333 segment, then ADDR is a future stack pointer. */
1337 /* OK; looks like a stack segment */
1339 }
1342 /* If the abutting segment towards lower addresses is an SkResvn
1343 segment, then ADDR is a stack pointer into mapped memory. */
1348 /* OK; looks like a stack segment */
1350 }
1354 }
1355 }
1357 /*-----------------------------------------------------------------*/
1358 /*--- ---*/
1359 /*--- Modifying the segment array, and constructing segments. ---*/
1360 /*--- ---*/
1361 /*-----------------------------------------------------------------*/
1363 /* Split the segment containing 'a' into two, so that 'a' is
1364 guaranteed to be the start of a new segment. If 'a' is already the
1365 start of a segment, do nothing. */
1368 {
1378 /* 'a' is already the start point of a segment, so nothing to be
1379 done. */
1382 /* else we have to slide the segments upwards to make a hole */
1387 nsegments_used++;
1401 }
1404 /* Do the minimum amount of segment splitting necessary to ensure that
1405 sLo is the first address denoted by some segment and sHi is the
1406 highest address denoted by some other segment. Returns the indices
1407 of the lowest and highest segments in the range. */
1409 static
1413 {
1430 /* Not that I'm overly paranoid or anything, definitely not :-) */
1431 }
1434 /* Add SEG to the collection, deleting/truncating any it overlaps.
1435 This deals with all the tricky cases of splitting up segments as
1436 needed. */
1439 {
1441 Bool segment_is_sane;
1456 /* Increase the reference count of SEG's name. We need to do this
1457 *before* decreasing the reference count of the names of the replaced
1458 segments. Consider the case where the segment name of SEG and one of
1459 the replaced segments are the same. If the refcount of that name is 1,
1460 then decrementing first would put the slot for that name on the free
1461 list. Attempting to increment the refcount later would then fail
1462 because the slot is no longer allocated. */
1465 /* Now iLo .. iHi inclusive is the range of segment indices which
1466 seg will replace. If we're replacing more than one segment,
1467 slide those above the range down to fill the hole. Before doing
1468 that decrement the reference counters for the segments names of
1469 the replaced segments. */
1478 }
1484 }
1487 /* Clear out an NSegment record. */
1490 {
1503 #if defined(VGO_freebsd)
1506 #endif
1508 }
1510 /* Make an NSegment which holds a reservation. */
1513 {
1521 }
1524 /*-----------------------------------------------------------------*/
1525 /*--- ---*/
1526 /*--- Startup, including reading /proc/self/maps. ---*/
1527 /*--- ---*/
1528 /*-----------------------------------------------------------------*/
1533 {
1534 NSegment seg;
1541 #if defined(VGO_freebsd)
1543 #endif
1549 /* A segment in the initial /proc/self/maps is considered a FileV
1550 segment if either it has a file name associated with it or both its
1551 device and inode numbers are != 0. See bug #124528. */
1556 # if defined(VGO_darwin)
1557 // GrP fixme no dev/ino on darwin
1562 # if defined(VGP_arm_linux)
1563 /* The standard handling of entries read from /proc/self/maps will
1564 cause the faked up commpage segment to have type SkAnonV, which
1565 is a problem because it contains code we want the client to
1566 execute, and so later m_translate will segfault the client when
1567 it tries to go in there. Hence change the ownership of it here
1568 to the client (SkAnonC). The least-worst kludge I could think
1569 of. */
1581 }
1583 Bool
1585 {
1587 #if VG_WORDSIZE == 4
1589 #else
1591 #endif
1602 }
1603 }
1605 }
1607 /* See description in pub_core_aspacemgr.h */
1609 {
1610 NSegment seg;
1611 Addr suggested_clstack_end;
1618 /* Initialise the string table for segment names. */
1621 /* Check that we can store the largest imaginable dev, ino and
1622 offset numbers in an NSegment. */
1628 /* Add a single interval covering the entire address space. */
1638 // --- Darwin -------------------------------------------
1639 #if defined(VGO_darwin)
1641 # if VG_WORDSIZE == 4
1646 # else
1651 // 0x7fff:5c000000..0x7fff:ffe00000? is stack, dyld, shared cache
1652 # endif
1656 // --- Freebsd ------------------------------------------
1657 #elif defined(VGO_freebsd)
1662 sp_at_startup );
1664 # if VG_WORDSIZE == 4
1667 # else
1669 # ifdef ENABLE_INNER
1673 }
1675 # endif
1680 # ifdef ENABLE_INNER
1684 // starting with FreeBSD 10.4, the stack is created with a zone
1685 // that is marked MAP_GUARD. This zone is reserved but unmapped,
1686 // and fills the space up to the end of the segment
1687 // see man mmap
1689 // Version number from
1690 // https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/versions-10.html
1692 // On x86 this is 0x3FE0000
1693 // And on amd64 it is 0x1FFE0000 (536739840)
1694 // There is less of an issue on amd64 as we just choose some arbitrary address rather then trying
1695 // to squeeze in just below the host stack
1697 // Some of this is in sys/vm/vm_map.c, for instance vm_map_stack and vm_map_stack_locked
1698 // These refer to the kernel global sgrowsiz, which seems to be the initial size
1699 // of the user stack, 128k on my system
1700 //
1701 // This seems to be in the sysctl kern.sgrowsiz
1702 // Then there is kern.maxssiz which is the total stack size (grow size + guard area)
1703 // In other words guard area = maxssiz - sgrowsiz
1705 #if (__FreeBSD_version >= 1003516)
1707 #if 0
1708 // this block implements what is described above
1709 // this makes no changes to the regression tests
1710 // I'm keeping it for a rainy day.
1711 // note this needs
1712 // #include "pub_core_libcproc.h"
1713 SizeT kern_maxssiz;
1714 SizeT kern_sgrowsiz;
1720 #endif
1725 #else
1729 #endif
1731 // --- Solaris ------------------------------------------
1732 #elif defined(VGO_solaris)
1733 # if VG_WORDSIZE == 4
1734 /*
1735 Intended address space partitioning:
1737 ,--------------------------------, 0x00000000
1738 | |
1739 |--------------------------------|
1740 | initial stack given to V by OS |
1741 |--------------------------------| 0x08000000
1742 | client text |
1743 |--------------------------------|
1744 | |
1745 | |
1746 |--------------------------------|
1747 | client stack |
1748 |--------------------------------| 0x58000000
1749 | V's text |
1750 |--------------------------------|
1751 | |
1752 | |
1753 |--------------------------------|
1754 | dynamic shared objects |
1755 '--------------------------------' 0xffffffff
1757 */
1759 /* Anonymous pages need to fit under user limit (USERLIMIT32)
1760 which is 4KB + 16MB below the top of the 32-bit range. */
1761 # ifdef ENABLE_INNER
1764 # else
1767 # endif
1768 # elif VG_WORDSIZE == 8
1769 /*
1770 Intended address space partitioning:
1772 ,--------------------------------, 0x00000000_00000000
1773 | |
1774 |--------------------------------| 0x00000000_00400000
1775 | client text |
1776 |--------------------------------|
1777 | |
1778 | |
1779 |--------------------------------|
1780 | client stack |
1781 |--------------------------------| 0x00000000_58000000
1782 | V's text |
1783 |--------------------------------|
1784 | |
1785 |--------------------------------|
1786 | dynamic shared objects |
1787 |--------------------------------| 0x0000001f_ffffffff
1788 | |
1789 | |
1790 |--------------------------------|
1791 | initial stack given to V by OS |
1792 '--------------------------------' 0xffffffff_ffffffff
1794 */
1796 /* Kernel likes to place objects at the end of the address space.
1797 However accessing memory beyond 128GB makes memcheck slow
1798 (see memcheck/mc_main.c, internal representation). Therefore:
1799 - mmapobj() syscall is emulated so that libraries are subject to
1800 Valgrind's aspacemgr control
1801 - Kernel shared pages (such as schedctl and hrt) are left as they are
1802 because kernel cannot be told where they should be put */
1803 # ifdef ENABLE_INNER
1806 # else
1809 # endif
1810 # else
1812 # endif
1815 # ifdef ENABLE_INNER
1817 # else
1819 # endif
1821 // --- Linux --------------------------------------------
1822 #else
1824 /* Establish address limits and block out unusable parts
1825 accordingly. */
1829 sp_at_startup );
1831 # if VG_WORDSIZE == 8
1833 # ifdef ENABLE_INNER
1837 }
1838 # endif
1839 # else
1841 # endif
1846 # ifdef ENABLE_INNER
1848 # endif
1854 // --- (end) --------------------------------------------
1864 aspacem_minAddr);
1867 aspacem_maxAddr);
1870 aspacem_cStart);
1873 aspacem_vStart);
1876 suggested_clstack_end);
1881 }
1885 }
1887 /* Create a 1-page reservation at the notional initial
1888 client/valgrind boundary. This isn't strictly necessary, but
1889 because the advisor does first-fit and starts searches for
1890 valgrind allocations at the boundary, this is kind of necessary
1891 in order to get it to start allocating in the right place. */
1899 /* NB: on arm-linux, parse_procselfmaps automagically kludges up
1900 (iow, hands to its callbacks) a description of the ARM Commpage,
1901 since that's not listed in /proc/self/maps (kernel bug IMO). We
1902 have to fake up its existence in parse_procselfmaps and not
1903 merely add it here as an extra segment, because doing the latter
1904 causes sync checking to fail: we see we have an extra segment in
1905 the segments array, which isn't listed in /proc/self/maps.
1906 Hence we must make it appear that /proc/self/maps contained this
1907 segment all along. Sigh. */
1911 AM_SANITY_CHECK;
1913 }
1916 /*-----------------------------------------------------------------*/
1917 /*--- ---*/
1918 /*--- The core query-notify mechanism. ---*/
1919 /*--- ---*/
1920 /*-----------------------------------------------------------------*/
1922 /* Query aspacem to ask where a mapping should go. */
1925 Bool forClient,
1927 {
1928 /* This function implements allocation policy.
1930 The nature of the allocation request is determined by req, which
1931 specifies the start and length of the request and indicates
1932 whether the start address is mandatory, a hint, or irrelevant,
1933 and by forClient, which says whether this is for the client or
1934 for V.
1936 Return values: the request can be vetoed (*ok is set to False),
1937 in which case the caller should not attempt to proceed with
1938 making the mapping. Otherwise, *ok is set to True, the caller
1939 may proceed, and the preferred address at which the mapping
1940 should happen is returned.
1942 Note that this is an advisory system only: the kernel can in
1943 fact do whatever it likes as far as placement goes, and we have
1944 no absolute control over it.
1946 Allocations will never be granted in a reserved area.
1948 The Default Policy is:
1950 Search the address space for two free intervals: one of them
1951 big enough to contain the request without regard to the
1952 specified address (viz, as if it was a floating request) and
1953 the other being able to contain the request at the specified
1954 address (viz, as if were a fixed request). Then, depending on
1955 the outcome of the search and the kind of request made, decide
1956 whether the request is allowable and what address to advise.
1958 The Default Policy is overridden by Policy Exception #1:
1960 If the request is for a fixed client map, we are prepared to
1961 grant it providing all areas inside the request are either
1962 free, reservations, or mappings belonging to the client. In
1963 other words we are prepared to let the client trash its own
1964 mappings if it wants to.
1966 The Default Policy is overridden by Policy Exception #2:
1968 If the request is for a hinted client map, we are prepared to
1969 grant it providing all areas inside the request are either
1970 free or reservations. In other words we are prepared to let
1971 the client have a hinted mapping anywhere it likes provided
1972 it does not trash either any of its own mappings or any of
1973 valgrind's mappings.
1974 */
1977 Bool fixed_not_required;
1979 #if defined(VGO_solaris)
1981 #else
1989 /* These hold indices for segments found during search, or -1 if not
1990 found. */
2000 }
2002 /* Reject zero-length requests */
2006 }
2008 /* Reject wraparounds */
2012 }
2014 /* ------ Implement Policy Exception #1 ------ */
2026 /* ok */
2030 }
2031 }
2033 /* Acceptable. Granted. */
2036 }
2037 /* Not acceptable. Fail. */
2040 }
2042 /* ------ Implement Policy Exception #2 ------ */
2051 /* ok */
2055 }
2056 }
2058 /* Acceptable. Granted. */
2061 }
2062 /* Not acceptable. Fall through to the default policy. */
2063 }
2065 /* ------ Implement the Default Policy ------ */
2067 /* Don't waste time looking for a fixed match if not requested to. */
2072 #if defined(VGO_solaris)
2073 # define UPDATE_INDEX(index) \
2074 (index)--; \
2075 if ((index) <= 0) \
2076 (index) = nsegments_used - 1;
2077 # define ADVISE_ADDRESS(segment) \
2078 VG_PGROUNDDN((segment)->end + 1 - reqLen)
2079 # define ADVISE_ADDRESS_ALIGNED(segment) \
2080 VG_ROUNDDN((segment)->end + 1 - reqLen, req->start)
2082 #else
2084 # define UPDATE_INDEX(index) \
2085 (index)++; \
2086 if ((index) >= nsegments_used) \
2087 (index) = 0;
2088 # define ADVISE_ADDRESS(segment) \
2089 (segment)->start
2090 # define ADVISE_ADDRESS_ALIGNED(segment) \
2091 VG_ROUNDUP((segment)->start, req->start)
2094 /* Examine holes from index i back round to i-1. Record the
2095 index first fixed hole and the first floating hole which would
2096 satisfy the request. */
2102 }
2107 /* Stay sane .. */
2115 /* This hole can't be used. */
2118 }
2119 }
2121 /* See if it's any use to us. */
2130 /* Don't waste time searching once we've found what we wanted. */
2135 }
2145 AM_SANITY_CHECK;
2147 /* Now see if we found anything which can satisfy the request. */
2156 }
2162 }
2166 }
2173 }
2180 }
2185 }
2187 /*NOTREACHED*/
2192 #undef UPDATE_INDEX
2193 #undef ADVISE_ADDRESS
2194 #undef ADVISE_ADDRESS_ALIGNED
2195 }
2197 /* Convenience wrapper for VG_(am_get_advisory) for client floating or
2198 fixed requests. If start is zero, a floating request is issued; if
2199 nonzero, a fixed request at that address is issued. Same comments
2200 about return values apply. */
2204 {
2205 MapRequest mreq;
2210 }
2212 /* Similar to VG_(am_find_nsegment) but only returns free segments. */
2214 {
2221 else
2223 }
2227 {
2232 }
2235 /* Notifies aspacem that the client completed an mmap successfully.
2236 The segment array is updated accordingly. If the returned Bool is
2237 True, the caller should immediately discard translations from the
2238 specified address range. */
2240 Bool
2243 {
2246 UInt mode;
2247 NSegment seg;
2248 Bool needDiscard;
2255 /* Discard is needed if any of the just-trashed range had T. */
2266 // Nb: We ignore offset requests in anonymous mmaps (see bug #126722)
2272 }
2275 }
2276 #if defined(VGO_freebsd)
2278 #endif
2279 }
2281 AM_SANITY_CHECK;
2283 }
2285 /* Notifies aspacem that the client completed a shmat successfully.
2286 The segment array is updated accordingly. If the returned Bool is
2287 True, the caller should immediately discard translations from the
2288 specified address range. */
2290 Bool
2292 {
2293 NSegment seg;
2294 Bool needDiscard;
2300 /* Discard is needed if any of the just-trashed range had T. */
2312 AM_SANITY_CHECK;
2314 }
2316 /* Notifies aspacem that an mprotect was completed successfully. The
2317 segment array is updated accordingly. Note, as with
2318 VG_(am_notify_munmap), it is not the job of this function to reject
2319 stupid mprotects, for example the client doing mprotect of
2320 non-client areas. Such requests should be intercepted earlier, by
2321 the syscall wrapper for mprotect. This function merely records
2322 whatever it is told. If the returned Bool is True, the caller
2323 should immediately discard translations from the specified address
2324 range. */
2327 {
2341 /* Discard is needed if we're dumping X permission */
2350 /* Apply the permissions to all relevant segments. */
2360 }
2361 }
2363 /* Changing permissions could have made previously un-mergable
2364 segments mergeable. Therefore have to re-preen them. */
2366 AM_SANITY_CHECK;
2368 }
2371 /* Notifies aspacem that an munmap completed successfully. The
2372 segment array is updated accordingly. As with
2373 VG_(am_notify_mprotect), we merely record the given info, and don't
2374 check it for sensibleness. If the returned Bool is True, the
2375 caller should immediately discard translations from the specified
2376 address range. */
2379 {
2380 NSegment seg;
2381 Bool needDiscard;
2394 /* The segment becomes unused (free). Segments from above
2395 aspacem_maxAddr were originally SkResvn and so we make them so
2396 again. Note, this isn't really right when the segment straddles
2397 the aspacem_maxAddr boundary - then really it should be split in
2398 two, the lower part marked as SkFree and the upper part as
2399 SkResvn. Ah well. */
2404 else
2405 /* Ditto for segments from below aspacem_minAddr. */
2408 else
2413 /* Unmapping could create two adjacent free segments, so a preen is
2414 needed. add_segment() will do that, so no need to here. */
2415 AM_SANITY_CHECK;
2417 }
2420 /*-----------------------------------------------------------------*/
2421 /*--- ---*/
2422 /*--- Handling mappings which do not arise directly from the ---*/
2423 /*--- simulation of the client. ---*/
2424 /*--- ---*/
2425 /*-----------------------------------------------------------------*/
2427 /* --- --- --- map, unmap, protect --- --- --- */
2429 /* Map a file at a fixed address for the client, and update the
2430 segment array accordingly. */
2434 {
2438 }
2442 {
2445 }
2449 {
2453 }
2458 {
2459 SysRes sres;
2460 NSegment seg;
2461 Addr advised;
2462 Bool ok;
2463 MapRequest req;
2465 UInt mode;
2468 /* Not allowable. */
2474 /* Ask for an advisory. If it's negative, fail immediately. */
2482 /* We have been advised that the mapping is allowable at the
2483 specified address. So hand it off to the kernel, and propagate
2484 any resulting failure immediately. */
2485 // DDD: #warning GrP fixme MAP_FIXED can clobber memory!
2488 fd, offset
2489 );
2494 /* I don't think this can happen. It means the kernel made a
2495 fixed map succeed but not at the requested location. Try to
2496 repair the damage, then return saying the mapping failed. */
2499 }
2501 /* Ok, the mapping succeeded. Now notify the interval map. */
2514 }
2519 }
2520 #if defined(VGO_freebsd)
2522 #endif
2525 AM_SANITY_CHECK;
2527 }
2530 /* Map anonymously at a fixed address for the client, and update
2531 the segment array accordingly. */
2534 {
2535 SysRes sres;
2536 NSegment seg;
2537 Addr advised;
2538 Bool ok;
2539 MapRequest req;
2541 /* Not allowable. */
2545 /* Ask for an advisory. If it's negative, fail immediately. */
2553 /* We have been advised that the mapping is allowable at the
2554 specified address. So hand it off to the kernel, and propagate
2555 any resulting failure immediately. */
2556 // DDD: #warning GrP fixme MAP_FIXED can clobber memory!
2561 );
2566 /* I don't think this can happen. It means the kernel made a
2567 fixed map succeed but not at the requested location. Try to
2568 repair the damage, then return saying the mapping failed. */
2571 }
2573 /* Ok, the mapping succeeded. Now notify the interval map. */
2583 AM_SANITY_CHECK;
2585 }
2588 /* Map anonymously at an unconstrained address for the client, and
2589 update the segment array accordingly. */
2592 {
2593 SysRes sres;
2594 NSegment seg;
2595 Addr advised;
2596 Bool ok;
2597 MapRequest req;
2599 /* Not allowable. */
2603 /* Ask for an advisory. If it's negative, fail immediately. */
2611 /* We have been advised that the mapping is allowable at the
2612 advised address. So hand it off to the kernel, and propagate
2613 any resulting failure immediately. */
2614 // DDD: #warning GrP fixme MAP_FIXED can clobber memory!
2619 );
2624 /* I don't think this can happen. It means the kernel made a
2625 fixed map succeed but not at the requested location. Try to
2626 repair the damage, then return saying the mapping failed. */
2629 }
2631 /* Ok, the mapping succeeded. Now notify the interval map. */
2642 AM_SANITY_CHECK;
2644 }
2647 {
2649 }
2651 /* Map anonymously at an unconstrained address for V, and update the
2652 segment array accordingly. This is fundamentally how V allocates
2653 itself more address space when needed. */
2656 {
2657 SysRes sres;
2658 NSegment seg;
2659 Addr advised;
2660 Bool ok;
2661 MapRequest req;
2663 /* Not allowable. */
2667 /* Ask for an advisory. If it's negative, fail immediately. */
2675 // On Darwin, for anonymous maps you can pass in a tag which is used by
2676 // programs like vmmap for statistical purposes.
2677 #ifndef VM_TAG_VALGRIND
2678 # define VM_TAG_VALGRIND 0
2679 #endif
2681 /* We have been advised that the mapping is allowable at the
2682 specified address. So hand it off to the kernel, and propagate
2683 any resulting failure immediately. */
2684 /* GrP fixme darwin: use advisory as a hint only, otherwise syscall in
2685 another thread can pre-empt our spot. [At one point on the DARWIN
2686 branch the VKI_MAP_FIXED was commented out; unclear if this is
2687 necessary or not given the second Darwin-only call that immediately
2688 follows if this one fails. --njn]
2689 Also, an inner valgrind cannot observe the mmap syscalls done by
2690 the outer valgrind. The outer Valgrind might make the mmap
2691 fail here, as the inner valgrind believes that a segment is free,
2692 while it is in fact used by the outer valgrind.
2693 So, for an inner valgrind, similarly to DARWIN, if the fixed mmap
2694 fails, retry the mmap without map fixed.
2695 This is a kludge which on linux is only activated for the inner.
2696 The state of the inner aspacemgr is not made correct by this kludge
2697 and so a.o. VG_(am_do_sync_check) could fail.
2698 A proper solution implies a better collaboration between the
2699 inner and the outer (e.g. inner VG_(am_get_advisory) should do
2700 a client request to call the outer VG_(am_get_advisory). */
2706 );
2707 #if defined(VGO_darwin) || defined(ENABLE_INNER)
2708 /* Kludge on Darwin and inner linux if the fixed mmap failed. */
2710 /* try again, ignoring the advisory */
2716 );
2717 }
2718 #endif
2722 #if defined(VGO_linux) && !defined(ENABLE_INNER)
2723 /* Doing the check only in linux not inner, as the below
2724 check can fail when the kludge above has been used. */
2726 /* I don't think this can happen. It means the kernel made a
2727 fixed map succeed but not at the requested location. Try to
2728 repair the damage, then return saying the mapping failed. */
2731 }
2732 #endif
2734 /* Ok, the mapping succeeded. Now notify the interval map. */
2744 AM_SANITY_CHECK;
2746 }
2748 /* Really just a wrapper around VG_(am_mmap_anon_float_valgrind). */
2751 {
2753 }
2755 /* Map a file at an unconstrained address for V, and update the
2756 segment array accordingly. Use the provided flags */
2759 UInt flags,
2761 {
2762 SysRes sres;
2763 NSegment seg;
2764 Addr advised;
2765 Bool ok;
2766 MapRequest req;
2768 UInt mode;
2771 /* Not allowable. */
2775 /* Ask for an advisory. If it's negative, fail immediately. */
2778 #if defined(VGA_arm) || defined(VGA_arm64) \
2779 || defined(VGA_mips32) || defined(VGA_mips64) || defined(VGA_nanomips)
2781 #else
2783 #endif
2785 /* arm-linux only. See ML_(generic_PRE_sys_shmat) and bug 290974 */
2789 }
2796 /* We have been advised that the mapping is allowable at the
2797 specified address. So hand it off to the kernel, and propagate
2798 any resulting failure immediately. */
2801 flags,
2802 fd, offset
2803 );
2808 /* I don't think this can happen. It means the kernel made a
2809 fixed map succeed but not at the requested location. Try to
2810 repair the damage, then return saying the mapping failed. */
2813 }
2815 /* Ok, the mapping succeeded. Now notify the interval map. */
2828 }
2831 }
2832 #if defined(VGO_freebsd)
2834 #endif
2837 AM_SANITY_CHECK;
2839 }
2840 /* Map privately a file at an unconstrained address for V, and update the
2841 segment array accordingly. This is used by V for transiently
2842 mapping in object files to read their debug info. */
2846 {
2850 }
2854 {
2858 }
2860 /* Similar to VG_(am_mmap_anon_float_client) but also
2861 marks the segment as containing the client heap. This is for the benefit
2862 of the leak checker which needs to be able to identify such segments
2863 so as not to use them as sources of roots during leak checks. */
2865 {
2867 }
2869 /* --- --- munmap helper --- --- */
2871 static
2874 {
2875 Bool d;
2876 SysRes sres;
2878 /* Be safe with this regardless of return path. */
2887 }
2904 }
2913 AM_SANITY_CHECK;
2917 eINVAL:
2919 }
2921 /* Unmap the given address range and update the segment array
2922 accordingly. This fails if the range isn't valid for the client.
2923 If *need_discard is True after a successful return, the caller
2924 should immediately discard translations from the specified address
2925 range. */
2929 {
2931 }
2933 /* Unmap the given address range and update the segment array
2934 accordingly. This fails if the range isn't valid for valgrind. */
2937 {
2938 Bool need_discard;
2941 /* If this assertion fails, it means we allowed translations to be
2942 made from a V-owned section. Which shouldn't happen. */
2946 }
2948 /* Let (start,len) denote an area within a single Valgrind-owned
2949 segment (anon or file). Change the ownership of [start, start+len)
2950 to the client instead. Fails if (start,len) does not denote a
2951 suitable segment. */
2954 {
2973 /* This scheme is like how mprotect works: split the to-be-changed
2974 range into its own segment(s), then mess with them (it). There
2975 should be only one. */
2982 }
2986 }
2988 /* Set the 'hasT' bit on the segment containing ADDR indicating that
2989 translations have or may have been taken from this segment. ADDR is
2990 expected to belong to a client segment. */
2992 {
2997 }
3000 /* --- --- --- reservations --- --- --- */
3002 /* Create a reservation from START .. START+LENGTH-1, with the given
3003 ShrinkMode. When checking whether the reservation can be created,
3004 also ensure that at least abs(EXTRA) extra free bytes will remain
3005 above (> 0) or below (< 0) the reservation.
3007 The reservation will only be created if it, plus the extra-zone,
3008 falls entirely within a single free segment. The returned Bool
3009 indicates whether the creation succeeded. */
3013 {
3015 NSegment seg;
3017 /* start and end, not taking into account the extra space. */
3021 /* start and end, taking into account the extra space. */
3036 /* If the start and end points don't fall within the same (free)
3037 segment, we're hosed. This does rely on the assumption that all
3038 mergeable adjacent segments can be merged, but add_segment()
3039 should ensure that. */
3046 /* Looks good - make the reservation. */
3053 reservation. */
3058 AM_SANITY_CHECK;
3060 }
3063 /* ADDR is the start address of an anonymous client mapping. This fn extends
3064 the mapping by DELTA bytes, taking the space from a reservation section
3065 which must be adjacent. If DELTA is positive, the segment is
3066 extended forwards in the address space, and the reservation must be
3067 the next one along. If DELTA is negative, the segment is extended
3068 backwards in the address space and the reservation must be the
3069 previous one. DELTA must be page aligned. abs(DELTA) must not
3070 exceed the size of the reservation segment minus one page, that is,
3071 the reservation segment after the operation must be at least one
3072 page long. The function returns a pointer to the resized segment. */
3075 SSizeT delta,
3077 {
3079 UInt prot;
3080 SysRes sres;
3098 /* Extending the segment forwards. */
3109 }
3111 /* Extend the kernel's mapping. */
3112 // DDD: #warning GrP fixme MAP_FIXED can clobber memory!
3115 prot,
3118 );
3122 /* kernel bug if this happens? */
3125 }
3127 /* Ok, success with the kernel. Update our structures. */
3134 /* Extending the segment backwards. */
3148 }
3150 /* Extend the kernel's mapping. */
3151 // DDD: #warning GrP fixme MAP_FIXED can clobber memory!
3154 prot,
3157 );
3161 /* kernel bug if this happens? */
3164 }
3166 /* Ok, success with the kernel. Update our structures. */
3170 }
3172 AM_SANITY_CHECK;
3174 }
3177 /* --- --- --- resizing/move a mapping --- --- --- */
3179 #if HAVE_MREMAP
3181 /* This function grows a client mapping in place into an adjacent free segment.
3182 ADDR is the client mapping's start address and DELTA, which must be page
3183 aligned, is the growth amount. The function returns a pointer to the
3184 resized segment. The function is used in support of mremap. */
3186 {
3187 Addr xStart;
3188 SysRes sres;
3193 /* Get the client segment */
3206 /* The segment following the client segment must be a free segment and
3207 it must be large enough to cover the additional memory. */
3215 AM_SANITY_CHECK;
3217 seg_old_len,
3220 AM_SANITY_CHECK;
3223 /* the area must not have moved */
3225 }
3234 AM_SANITY_CHECK;
3236 }
3239 /* Remap the old address range to the new address range. Fails if any
3240 parameter is not page aligned, if the either size is zero, if any
3241 wraparound is implied, if the old address range does not fall
3242 entirely within a single segment, if the new address range overlaps
3243 with the old one, or if the old address range is not a valid client
3244 mapping. If *need_discard is True after a successful return, the
3245 caller should immediately discard translations from both specified
3246 address ranges. */
3251 {
3253 SysRes sres;
3254 NSegment seg;
3269 /* no overlap */
3285 AM_SANITY_CHECK;
3289 }
3296 /* Mark the new area based on the old seg. */
3299 }
3304 /* Create a free hole in the old location. */
3308 /* See comments in VG_(am_notify_munmap) about this SkResvn vs
3309 SkFree thing. */
3314 else
3319 AM_SANITY_CHECK;
3321 }
3326 #if defined(VGO_linux)
3328 /*-----------------------------------------------------------------*/
3329 /*--- ---*/
3330 /*--- A simple parser for /proc/self/maps on Linux 2.4.X/2.6.X. ---*/
3331 /*--- Almost completely independent of the stuff above. The ---*/
3332 /*--- only function it 'exports' to the code above this comment ---*/
3333 /*--- is parse_procselfmaps. ---*/
3334 /*--- ---*/
3335 /*-----------------------------------------------------------------*/
3337 /*------BEGIN-procmaps-parser-for-Linux--------------------------*/
3339 /* Size of a smallish table used to read /proc/self/map entries. */
3340 #define M_PROCMAP_BUF 100000
3342 /* static ... to keep it out of the stack frame. */
3345 /* Records length of /proc/self/maps read into procmap_buf. */
3348 /* Helper fns. */
3351 {
3356 }
3359 {
3362 }
3365 {
3369 }
3372 {
3373 /* Read a word-sized hex number. */
3379 }
3381 }
3384 {
3385 /* Read a potentially 64-bit hex number. */
3391 }
3393 }
3396 {
3402 }
3404 }
3407 /* Get the contents of /proc/self/maps into a static buffer. If
3408 there's a syntax error, it won't fit, or other failure, just
3409 abort. */
3412 {
3413 Int n_chunk;
3414 SysRes fd;
3416 /* Read the initial memory mapping from the /proc filesystem. */
3437 }
3439 /* Parse /proc/self/maps. For each map entry, call
3440 record_mapping, passing it, in this order:
3442 start address in memory
3443 length
3444 page protections (using the VKI_PROT_* flags)
3445 mapped file device and inode
3446 offset in file, or zero if no file
3447 filename, zero terminated, or NULL if no file
3448 ignore_offset, when the exact offset cannot be
3449 obtained
3451 So the sig of the called fn might be
3453 void (*record_mapping)( Addr start, SizeT size, UInt prot,
3454 UInt dev, UInt info,
3455 ULong foffset, UChar* filename,
3456 Bool ignore_offset )
3458 Note that the supplied filename is transiently stored; record_mapping
3459 should make a copy if it wants to keep it.
3461 Nb: it is important that this function does not alter the contents of
3462 procmap_buf!
3463 */
3469 )
3470 {
3475 UInt prot;
3488 /* Ok, it's safely aboard. Parse the entries. */
3494 /* Read (without fscanf :) the pattern %16x-%16x %c%c%c%c %16x %2x:%2x %d */
3511 /* This field is the shared/private flag */
3540 syntaxerror:
3553 }
3555 }
3558 read_line_ok:
3562 /* Try and find the name of the file mapped to this segment, if
3563 it exists. Note that file names can contain spaces. */
3565 // Move i to the next non-space char, which should be either a '/',
3566 // a '[', or a newline.
3569 // Move i_eol to the end of the line.
3573 // If there's a filename...
3575 /* Minor hack: put a '\0' at the filename end for the call to
3576 'record_mapping', then restore the old char with 'tmp'. */
3584 }
3591 /* Linux has two ways to encode a device number when it
3592 is exposed to user space (via fstat etc). The old way
3593 is the traditional unix scheme that produces a 16 bit
3594 device number with the top 8 being the major number and
3595 the bottom 8 the minor number.
3597 The new scheme allows for a 12 bit major number and
3598 a 20 bit minor number by using a 32 bit device number
3599 and putting the top 12 bits of the minor number into
3600 the top 12 bits of the device number thus leaving an
3601 extra 4 bits for the major number.
3603 If the minor and major number are both single byte
3604 values then both schemes give the same result so we
3605 use the new scheme here in case either number is
3606 outside the 0-255 range and then use fstat64 when
3607 available (or fstat on 64 bit systems) so that we
3608 should always have a new style device number and
3609 everything should match. */
3622 }
3626 }
3628 # if defined(VGP_arm_linux)
3629 /* ARM puts code at the end of memory that contains processor
3630 specific stuff (cmpxchg, getting the thread local storage, etc.)
3631 This isn't specified in /proc/self/maps, so do it here. This
3632 kludgery causes the view of memory, as presented to
3633 record_gap/record_mapping, to actually reflect reality. IMO
3634 (JRS, 2010-Jan-03) the fact that /proc/.../maps does not list
3635 the commpage should be regarded as a bug in the kernel. */
3647 }
3648 }
3649 # endif
3653 }
3655 /*------END-procmaps-parser-for-Linux----------------------------*/
3657 /*------BEGIN-procmaps-parser-for-Darwin-------------------------*/
3659 #elif defined(VGO_darwin)
3660 #include <mach/mach.h>
3661 #include <mach/mach_vm.h>
3664 {
3665 return
3669 }
3678 )
3679 {
3680 vm_address_t iter;
3682 vm_address_t last;
3689 mach_vm_size_t size;
3690 vm_region_submap_short_info_data_64_t info;
3691 kern_return_t kr;
3694 mach_msg_type_number_t info_count
3696 stats_machcalls++;
3702 depth++;
3704 }
3706 }
3711 }
3715 }
3717 }
3721 }
3723 // Urr. So much for thread safety.
3735 {
3736 // derived from sync_check_mapping_callback()
3738 /* JRS 2012-Mar-07: this all seems very dubious to me. It would be
3739 safer to see if we can find, in V's segment collection, one
3740 single segment that completely covers the range [addr, +len)
3741 (and possibly more), and that has the exact same other
3742 properties (prot, dev, ino, offset, etc) as the data presented
3743 here. If found, we just skip. Otherwise add the data presented
3744 here into css_local[]. */
3750 /* The kernel should not give us wraparounds. */
3756 /* NSegments iLo .. iHi inclusive should agree with the presented
3757 data. */
3760 UInt seg_prot;
3763 /* Ignore V regions */
3765 }
3767 /* Add mapping for SkResvn regions */
3775 css_used_local++;
3778 }
3781 }
3785 {
3786 /* Check permissions on client regions */
3787 // GrP fixme
3791 # if defined(VGA_x86)
3792 // GrP fixme sloppyXcheck
3793 // darwin: kernel X ignored and spuriously changes? (vm_copy)
3795 # else
3797 # endif
3804 /* Add mapping for regions with protection changes */
3812 css_used_local++;
3815 }
3818 }
3822 }
3823 }
3824 }
3827 {
3828 // derived from sync_check_gap_callback()
3835 /* The kernel should not give us wraparounds. */
3841 /* NSegments iLo .. iHi inclusive should agree with the presented data. */
3844 /* V has a mapping, kernel doesn't. Add to css_local[],
3845 directives to chop off the part of the V mapping that
3846 falls within the gap that the kernel tells us is
3847 present. */
3855 /* I don't think the following should fail. But if it
3856 does, just omit the css_used_local++ in the cases where
3857 it doesn't hold. */
3861 css_used_local++;
3864 }
3865 }
3866 }
3867 }
3870 // Returns False if 'css' wasn't big enough.
3874 {
3882 );
3889 // Get the list of segs that need to be added/removed.
3896 }
3899 }
3902 /*------END-procmaps-parser-for-Darwin---------------------------*/
3904 /*------BEGIN-procmaps-parser-for-Freebsd------------------------*/
3905 #elif defined(VGO_freebsd)
3907 /*
3908 * PJF 2023-09-23
3909 *
3910 * This function is somewhat badly named for FreeBSD, where the
3911 * /proc filesystem is optional so we can't count on users
3912 * having it. Instead we use the KERN_PROC_VMMAP syscall.
3913 * So far so good.
3914 *
3915 * This function is used in two contexts. The heaviest use is from
3916 * VG_(am_do_sync_check) as a sanity check that the contents of the
3917 * global nsegments array is consistent with what the OS reports
3918 * as being memory maps. No known problems with that.
3919 *
3920 * The other use is at startup in order to get the mapping for the
3921 * tool itself. In this case we have a fairly big problem. There is
3922 * a difference in the mapping used when the kernel loads an exe
3923 * and when the link loader ldrt (or Valgrind which does the same
3924 * job for the guest exe. In the case of ldrt, all ELF PT_LOAD
3925 * sections get mmap'd. The kernel, however, does _not_ mmap
3926 * the RW PT_LOAD.
3927 *
3928 * For instance, objdump -p for memcheck-amd64-freebsd contains
3929 * LOAD off 0x0000000000000000 vaddr 0x0000000038000000 paddr 0x0000000038000000 align 2**12
3930 * filesz 0x00000000000c5124 memsz 0x00000000000c5124 flags r--
3931 * LOAD off 0x00000000000c5130 vaddr 0x00000000380c6130 paddr 0x00000000380c6130 align 2**12
3932 * filesz 0x00000000001b10df memsz 0x00000000001b10df flags r-x
3933 * LOAD off 0x0000000000276210 vaddr 0x0000000038278210 paddr 0x0000000038278210 align 2**12
3934 * filesz 0x0000000000000a90 memsz 0x00000000025dd000 flags rw-
3935 *
3936 * Running procstat -v on a running instance gives
3937 * 44814 0x38000000 0x380c6000 r-- 198 2558 2 0 CN--- vn /usr/home/paulf/scratch/valgrind/memcheck/memcheck-amd64-freebsd
3938 * 44814 0x380c6000 0x38278000 r-x 434 2558 2 0 CN--- vn /usr/home/paulf/scratch/valgrind/memcheck/memcheck-amd64-freebsd
3939 * 44814 0x38278000 0x3a856000 rw- 4590 4590 1 0 ----- df
3940 *
3941 * Instead of mmap'ing the RW PT_LOAD the kernel has mmap'd anonymous swap and copied from the exe file.
3942 * See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273956
3943 *
3944 * So what can we do? We can reuse most of the info from the previous 'r-x' mapping.
3945 * The filename, dev and ino are all the same. That leaves the offset. We can
3946 * make a rough estimate of the value as being previous offset + previous size.
3947 * Since the addresses in memory will be page aligned it's not possible to
3948 * obtain the original offset. It isn't good enough for ML_(read_elf_object)
3949 * in readelf.c
3950 *
3951 * As a hack of last resort we force ML_(read_elf_object) to accept this
3952 * mapping by adding an "ignore offset" flag. We can't be wrong that
3953 * there is something mapped roughly there - it's the global data of the
3954 * code that is executing on the CPU! Furthermore, this is not frequently
3955 * used. The main benefit is for Valgrind developers. Without this hack,
3956 * if Valgrind crashes or asserts it will print its own stack without
3957 * debuginfo, which is mostly useless. See the above FreeBSD bugzilla item
3958 * for an example.
3959 */
3961 /* Size of a smallish table used to read /proc/self/map entries. */
3964 /* static ... to keep it out of the stack frame. */
3972 )
3973 {
3977 UInt prot;
3980 vki_size_t len;
3982 SysRes sres;
3984 // this assumes that compiling with clang uses ld.lld which produces 3 LOAD segements
3985 // and that compiling with GCC uses ld.bfd which produces 2 LOAD segments
3986 #if defined(__clang__)
3989 #elif defined(__GNUC__)
3992 #else
3994 #endif
3995 // could copy the whole kinfo_vmentry but it is 1160 bytes
4015 }
4029 }
4044 }
4053 }
4060 /* this is only accurate to the page alignment */
4062 }
4066 }
4070 }
4072 /*------END-procmaps-parser-for-Freebsd--------------------------*/
4074 /*------BEGIN-procmaps-parser-for-Solaris------------------------*/
4076 #elif defined(VGO_solaris)
4078 /* Note: /proc/self/xmap contains extended information about already
4079 materialized mappings whereas /proc/self/rmap contains information about
4080 all mappings including reserved but yet-to-materialize mappings (mmap'ed
4081 with MAP_NORESERVE flag, such as thread stacks). But /proc/self/rmap does
4082 not contain extended information found in /proc/self/xmap. Therefore
4083 information from both sources need to be combined.
4084 */
4087 {
4088 Addr addr;
4089 SizeT size;
4090 UInt prot;
4091 ULong dev;
4092 ULong ino;
4093 Off64T foffset;
4099 SizeT entry_size)
4100 {
4106 }
4115 }
4124 }
4127 }
4131 {
4155 }
4160 }
4162 /* Try to get the filename. */
4170 /* If Valgrind is executed in a non-global zone and the link in
4171 /proc/self/path/ represents a file that is available through lofs
4172 from a global zone then the kernel may not be able to resolve the
4173 link.
4175 In such a case, return a corresponding /proc/self/object/ file to
4176 allow Valgrind to read the file if it is necessary.
4178 This can create some discrepancy for the sanity check. For
4179 instance, if a client program mmaps some file then the address
4180 space manager will have a correct zone-local name of that file,
4181 but the sanity check will receive a different file name from this
4182 code. This currently does not represent a problem because the
4183 sanity check ignores the file names (it uses device and inode
4184 numbers for the comparison).
4185 */
4188 }
4192 }
4193 }
4197 }
4201 {
4228 }
4230 /* Used for two purposes:
4231 1. Establish initial mappings upon the process startup
4232 2. Check mappings during aspacemgr sanity check
4233 */
4239 )
4240 {
4244 #define M_XMAP_BUF (VG_N_SEGMENTS * sizeof(vki_prxmap_t))
4245 /* Static to keep it out of stack frame... */
4249 SizeT xmap_entries;
4250 Mapping xmap_mapping;
4251 Bool advance_xmap;
4253 #define M_RMAP_BUF (VG_N_SEGMENTS * sizeof(vki_prmap_t))
4257 SizeT rmap_entries;
4258 Mapping rmap_mapping;
4259 Bool advance_rmap;
4261 /* Read fully /proc/self/xmap and /proc/self/rmap. */
4268 /* Get the first xmap and rmap. */
4273 /* Get next xmap or rmap if necessary. */
4277 }
4281 }
4283 /* Check if the end has been reached. */
4287 /* Invariants */
4291 }
4294 /* xmap mapping reached. */
4307 }
4309 /* Reserved-only part. */
4310 /* First calculate size until the end of this reserved mapping... */
4312 /* ... but shrink it if some xmap is in a way. */
4319 }
4321 /* Gap. */
4325 }
4331 }
4335 }
4337 /* parse_procselfmaps() callbacks do not allow for easy thread safety. */
4342 /* Reports a new mapping into variables above. */
4345 {
4354 /* Do not perform any sanity checks. That is done in other places.
4355 Just find if a reported mapping is found in aspacemgr's book keeping. */
4362 }
4363 }
4364 }
4366 /* Returns True if a new segment was found. */
4368 {
4379 }
4380 }
4384 /*------END-procmaps-parser-for-Solaris--------------------------*/
4386 #endif // defined(VGO_linux) || defined(VGO_darwin) || defined(VGO_solaris) || defined(VGO_freebsd)
4388 /*--------------------------------------------------------------------*/
4389 /*--- end ---*/
4390 /*--------------------------------------------------------------------*/