| blob | 3afc9911a4fb593fd0d36fc8f30c5671ffa6a16e |
1 /* -*- mode: C; c-basic-offset: 3; -*- */
3 /*--------------------------------------------------------------------*/
4 /*--- MemCheck: Maintain bitmaps of memory, tracking the ---*/
5 /*--- accessibility (A) and validity (V) status of each byte. ---*/
6 /*--- mc_main.c ---*/
7 /*--------------------------------------------------------------------*/
9 /*
10 This file is part of MemCheck, a heavyweight Valgrind tool for
11 detecting memory errors.
13 Copyright (C) 2000-2017 Julian Seward
14 jseward@acm.org
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License as
18 published by the Free Software Foundation; either version 2 of the
19 License, or (at your option) any later version.
21 This program is distributed in the hope that it will be useful, but
22 WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24 General Public License for more details.
26 You should have received a copy of the GNU General Public License
27 along with this program; if not, see <http://www.gnu.org/licenses/>.
29 The GNU General Public License is contained in the file COPYING.
30 */
55 /* Set to 1 to do a little more sanity checking */
56 #define VG_DEBUG_MEMORY 0
64 /*------------------------------------------------------------*/
65 /*--- Fast-case knobs ---*/
66 /*------------------------------------------------------------*/
68 // Comment these out to disable the fast cases (don't just set them to zero).
70 /* PERF_FAST_LOADV is in mc_include.h */
71 #define PERF_FAST_STOREV 1
73 #define PERF_FAST_SARP 1
75 #define PERF_FAST_STACK 1
76 #define PERF_FAST_STACK2 1
78 /* Change this to 1 to enable assertions on origin tracking cache fast
79 paths */
80 #define OC_ENABLE_ASSERTIONS 0
83 /*------------------------------------------------------------*/
84 /*--- Comments on the origin tracking implementation ---*/
85 /*------------------------------------------------------------*/
87 /* See detailed comment entitled
88 AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
89 which is contained further on in this file. */
92 /*------------------------------------------------------------*/
93 /*--- V bits and A bits ---*/
94 /*------------------------------------------------------------*/
96 /* Conceptually, every byte value has 8 V bits, which track whether Memcheck
97 thinks the corresponding value bit is defined. And every memory byte
98 has an A bit, which tracks whether Memcheck thinks the program can access
99 it safely (ie. it's mapped, and has at least one of the RWX permission bits
100 set). So every N-bit register is shadowed with N V bits, and every memory
101 byte is shadowed with 8 V bits and one A bit.
103 In the implementation, we use two forms of compression (compressed V bits
104 and distinguished secondary maps) to avoid the 9-bit-per-byte overhead
105 for memory.
107 Memcheck also tracks extra information about each heap block that is
108 allocated, for detecting memory leaks and other purposes.
109 */
111 /*------------------------------------------------------------*/
112 /*--- Basic A/V bitmap representation. ---*/
113 /*------------------------------------------------------------*/
115 /* All reads and writes are checked against a memory map (a.k.a. shadow
116 memory), which records the state of all memory in the process.
118 On 32-bit machines the memory map is organised as follows.
119 The top 16 bits of an address are used to index into a top-level
120 map table, containing 65536 entries. Each entry is a pointer to a
121 second-level map, which records the accesibililty and validity
122 permissions for the 65536 bytes indexed by the lower 16 bits of the
123 address. Each byte is represented by two bits (details are below). So
124 each second-level map contains 16384 bytes. This two-level arrangement
125 conveniently divides the 4G address space into 64k lumps, each size 64k
126 bytes.
128 All entries in the primary (top-level) map must point to a valid
129 secondary (second-level) map. Since many of the 64kB chunks will
130 have the same status for every bit -- ie. noaccess (for unused
131 address space) or entirely addressable and defined (for code segments) --
132 there are three distinguished secondary maps, which indicate 'noaccess',
133 'undefined' and 'defined'. For these uniform 64kB chunks, the primary
134 map entry points to the relevant distinguished map. In practice,
135 typically more than half of the addressable memory is represented with
136 the 'undefined' or 'defined' distinguished secondary map, so it gives a
137 good saving. It also lets us set the V+A bits of large address regions
138 quickly in set_address_range_perms().
140 On 64-bit machines it's more complicated. If we followed the same basic
141 scheme we'd have a four-level table which would require too many memory
142 accesses. So instead the top-level map table has 2^20 entries (indexed
143 using bits 16..35 of the address); this covers the bottom 64GB. Any
144 accesses above 64GB are handled with a slow, sparse auxiliary table.
145 Valgrind's address space manager tries very hard to keep things below
146 this 64GB barrier so that performance doesn't suffer too much.
148 Note that this file has a lot of different functions for reading and
149 writing shadow memory. Only a couple are strictly necessary (eg.
150 get_vabits2 and set_vabits2), most are just specialised for specific
151 common cases to improve performance.
153 Aside: the V+A bits are less precise than they could be -- we have no way
154 of marking memory as read-only. It would be great if we could add an
155 extra state VA_BITSn_READONLY. But then we'd have 5 different states,
156 which requires 2.3 bits to hold, and there's no way to do that elegantly
157 -- we'd have to double up to 4 bits of metadata per byte, which doesn't
158 seem worth it.
159 */
161 /* --------------- Basic configuration --------------- */
163 /* Only change this. N_PRIMARY_MAP *must* be a power of 2. */
165 #if VG_WORDSIZE == 4
167 /* cover the entire address space */
168 # define N_PRIMARY_BITS 16
170 #else
172 /* Just handle the first 128G fast and the rest via auxiliary
173 primaries. If you change this, Memcheck will assert at startup.
174 See the definition of UNALIGNED_OR_HIGH for extensive comments. */
175 # define N_PRIMARY_BITS 21
177 #endif
180 /* Do not change this. */
181 #define N_PRIMARY_MAP ( ((UWord)1) << N_PRIMARY_BITS)
183 /* Do not change this. */
184 #define MAX_PRIMARY_ADDRESS (Addr)((((Addr)65536) * N_PRIMARY_MAP)-1)
187 /* --------------- Secondary maps --------------- */
189 // Each byte of memory conceptually has an A bit, which indicates its
190 // addressability, and 8 V bits, which indicates its definedness.
191 //
192 // But because very few bytes are partially defined, we can use a nice
193 // compression scheme to reduce the size of shadow memory. Each byte of
194 // memory has 2 bits which indicates its state (ie. V+A bits):
195 //
196 // 00: noaccess (unaddressable but treated as fully defined)
197 // 01: undefined (addressable and fully undefined)
198 // 10: defined (addressable and fully defined)
199 // 11: partdefined (addressable and partially defined)
200 //
201 // In the "partdefined" case, we use a secondary table to store the V bits.
202 // Each entry in the secondary-V-bits table maps a byte address to its 8 V
203 // bits.
204 //
205 // We store the compressed V+A bits in 8-bit chunks, ie. the V+A bits for
206 // four bytes (32 bits) of memory are in each chunk. Hence the name
207 // "vabits8". This lets us get the V+A bits for four bytes at a time
208 // easily (without having to do any shifting and/or masking), and that is a
209 // very common operation. (Note that although each vabits8 chunk
210 // is 8 bits in size, it represents 32 bits of memory.)
211 //
212 // The representation is "inverse" little-endian... each 4 bytes of
213 // memory is represented by a 1 byte value, where:
214 //
215 // - the status of byte (a+0) is held in bits [1..0]
216 // - the status of byte (a+1) is held in bits [3..2]
217 // - the status of byte (a+2) is held in bits [5..4]
218 // - the status of byte (a+3) is held in bits [7..6]
219 //
220 // It's "inverse" because endianness normally describes a mapping from
221 // value bits to memory addresses; in this case the mapping is inverted.
222 // Ie. instead of particular value bits being held in certain addresses, in
223 // this case certain addresses are represented by particular value bits.
224 // See insert_vabits2_into_vabits8() for an example.
225 //
226 // But note that we don't compress the V bits stored in registers; they
227 // need to be explicit to made the shadow operations possible. Therefore
228 // when moving values between registers and memory we need to convert
229 // between the expanded in-register format and the compressed in-memory
230 // format. This isn't so difficult, it just requires careful attention in a
231 // few places.
233 // These represent eight bits of memory.
239 // These represent 16 bits of memory.
244 // These represent 32 bits of memory.
249 // These represent 64 bits of memory.
254 // These represent 128 bits of memory.
259 #define SM_OFF(aaa) (((aaa) & 0xffff) >> 2)
260 #define SM_OFF_16(aaa) (((aaa) & 0xffff) >> 3)
262 // Paranoia: it's critical for performance that the requested inlining
263 // occurs. So try extra hard.
264 #define INLINE inline __attribute__((always_inline))
268 }
271 }
275 typedef
279 }
280 SecMap;
282 // 3 distinguished secondary maps, one for no-access, one for
283 // accessible but undefined, and one for accessible and defined.
284 // Distinguished secondaries may never be modified.
285 #define SM_DIST_NOACCESS 0
286 #define SM_DIST_UNDEFINED 1
287 #define SM_DIST_DEFINED 2
293 }
295 // Forward declaration
298 /* dist_sm points to one of our three distinguished secondaries. Make
299 a copy of it so that we can write to it.
300 */
302 {
315 }
317 /* --------------- Stats --------------- */
330 /* # searches initiated in auxmap_L1, and # base cmps required */
333 /* # of searches that missed in auxmap_L1 and therefore had to
334 be handed to auxmap_L2. And the number of nodes inserted. */
345 {
350 n_deissued_SMs ++; }
356 n_issued_SMs ++; }
362 }
364 /* --------------- Primary maps --------------- */
366 /* The main primary map. This covers some initial part of the address
367 space, addresses 0 .. (N_PRIMARY_MAP << 16)-1. The rest of it is
368 handled using the auxiliary primary map.
369 */
370 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
371 && (defined(VGP_arm_linux) \
372 || defined(VGP_x86_linux) || defined(VGP_x86_solaris))
373 /* mc_main_asm.c needs visibility on a few things declared in this file.
374 MC_MAIN_STATIC allows to define them static if ok, i.e. on
375 platforms that are not using hand-coded asm statements. */
376 #define MC_MAIN_STATIC
377 #else
378 #define MC_MAIN_STATIC static
379 #endif
383 /* An entry in the auxiliary primary map. base must be a 64k-aligned
384 value, and sm points at the relevant secondary map. As with the
385 main primary map, the secondary may be either a real secondary, or
386 one of the three distinguished secondaries. DO NOT CHANGE THIS
387 LAYOUT: the first word has to be the key for OSet fast lookups.
388 */
389 typedef
391 Addr base;
393 }
394 AuxMapEnt;
396 /* Tunable parameter: How big is the L1 queue? */
397 #define N_AUXMAP_L1 24
399 /* Tunable parameter: How far along the L1 queue to insert
400 entries resulting from L2 lookups? */
401 #define AUXMAP_L1_INSERT_IX 12
404 Addr base;
406 }
412 {
413 Int i;
417 }
424 }
426 /* Check representation invariants; if OK return NULL; else a
427 descriptive bit of text. Also return the number of
428 non-distinguished secondary maps referred to from the auxiliary
429 primary maps. */
432 {
434 /* On a 32-bit platform, the L2 and L1 tables should
435 both remain empty forever.
437 On a 64-bit platform:
438 In the L2 table:
439 all .base & 0xFFFF == 0
440 all .base > MAX_PRIMARY_ADDRESS
441 In the L1 table:
442 all .base & 0xFFFF == 0
443 all (.base > MAX_PRIMARY_ADDRESS
444 .base & 0xFFFF == 0
445 and .ent points to an AuxMapEnt with the same .base)
446 or
447 (.base == 0 and .ent == NULL)
448 */
451 /* 32-bit platform */
458 /* 64-bit platform */
461 AuxMapEnt key;
462 /* L2 table */
465 elems_seen++;
474 }
477 /* Check L1-L2 correspondence */
489 /* Look it up in auxmap_L2. */
497 }
498 /* Check L1 contains no duplicates */
507 }
508 }
509 }
511 }
514 {
515 Word i;
522 }
525 {
526 AuxMapEnt key;
528 Word i;
533 /* First search the front-cache, which is a self-organising
534 list containing the most popular entries. */
546 }
548 n_auxmap_L1_searches++;
553 }
554 }
567 i--;
568 }
570 }
572 n_auxmap_L2_searches++;
574 /* First see if we already have it. */
582 }
585 {
588 /* First see if we already have it. */
593 /* Ok, there's no entry in the secondary map, so we'll have
594 to allocate one. */
602 n_auxmap_L2_nodes++;
604 }
606 /* --------------- SecMap fundamentals --------------- */
608 // In all these, 'low' means it's definitely in the main primary map,
609 // 'high' means it's definitely in the auxiliary table.
612 {
615 }
618 {
620 # if VG_DEBUG_MEMORY >= 1
622 # endif
624 }
627 {
630 }
633 {
637 }
640 {
642 }
645 {
647 }
650 {
655 }
658 {
663 }
665 /* Produce the secmap for 'a', either from the primary map or by
666 ensuring there is an entry for it in the aux primary map. The
667 secmap may be a distinguished one as the caller will only want to
668 be able to read it.
669 */
671 {
675 }
677 /* Produce the secmap for 'a', either from the primary map or by
678 ensuring there is an entry for it in the aux primary map. The
679 secmap may not be a distinguished one, since the caller will want
680 to be able to write it. If it is a distinguished secondary, make a
681 writable copy of it, install it, and return the copy instead. (COW
682 semantics).
683 */
685 {
689 }
691 /* If 'a' has a SecMap, produce it. Else produce NULL. But don't
692 allocate one if one doesn't already exist. This is used by the
693 leak checker.
694 */
696 {
702 }
703 }
705 /* --------------- Fundamental functions --------------- */
707 static INLINE
709 {
713 }
715 static INLINE
717 {
718 UInt shift;
723 }
725 static INLINE
727 {
731 }
733 static INLINE
735 {
736 UInt shift;
741 }
743 // Note that these four are only used in slow cases. The fast cases do
744 // clever things like combine the auxmap check (in
745 // get_secmap_{read,writ}able) with alignment checks.
747 // *** WARNING! ***
748 // Any time this function is called, if it is possible that vabits2
749 // is equal to VA_BITS2_PARTDEFINED, then the corresponding entry in the
750 // sec-V-bits table must also be set!
751 static INLINE
753 {
757 }
759 static INLINE
761 {
766 }
768 // *** WARNING! ***
769 // Any time this function is called, if it is possible that any of the
770 // 4 2-bit fields in vabits8 are equal to VA_BITS2_PARTDEFINED, then the
771 // corresponding entry(s) in the sec-V-bits table must also be set!
772 static INLINE
774 {
779 }
781 static INLINE
783 {
787 }
790 // Forward declarations
794 // Returns False if there was an addressability error.
795 static INLINE
797 {
801 // Addressable. Convert in-register format to in-memory format.
802 // Also remove any existing sec V bit entry for the byte if no
803 // longer necessary.
811 // Unaddressable! Do nothing -- when writing to unaddressable
812 // memory it acts as a black hole, and the V bits can never be seen
813 // again. So we don't have to write them at all.
815 }
817 }
819 // Returns False if there was an addressability error. In that case, we put
820 // all defined bits into vbits8.
821 static INLINE
823 {
827 // Convert the in-memory format to in-register format.
836 }
838 }
841 /* --------------- Secondary V bit table ------------ */
843 // This table holds the full V bit pattern for partially-defined bytes
844 // (PDBs) that are represented by VA_BITS2_PARTDEFINED in the main shadow
845 // memory.
846 //
847 // Note: the nodes in this table can become stale. Eg. if you write a PDB,
848 // then overwrite the same address with a fully defined byte, the sec-V-bit
849 // node will not necessarily be removed. This is because checking for
850 // whether removal is necessary would slow down the fast paths.
851 //
852 // To avoid the stale nodes building up too much, we periodically (once the
853 // table reaches a certain size) garbage collect (GC) the table by
854 // traversing it and evicting any nodes not having PDB.
855 // If more than a certain proportion of nodes survived, we increase the
856 // table size so that GCs occur less often.
857 //
858 // This policy is designed to avoid bad table bloat in the worst case where
859 // a program creates huge numbers of stale PDBs -- we would get this bloat
860 // if we had no GC -- while handling well the case where a node becomes
861 // stale but shortly afterwards is rewritten with a PDB and so becomes
862 // non-stale again (which happens quite often, eg. in perf/bz2). If we just
863 // remove all stale nodes as soon as possible, we just end up re-adding a
864 // lot of them in later again. The "sufficiently stale" approach avoids
865 // this. (If a program has many live PDBs, performance will just suck,
866 // there's no way around that.)
867 //
868 // Further comments, JRS 14 Feb 2012. It turns out that the policy of
869 // holding on to stale entries for 2 GCs before discarding them can lead
870 // to massive space leaks. So we're changing to an arrangement where
871 // lines are evicted as soon as they are observed to be stale during a
872 // GC. This also has a side benefit of allowing the sufficiently_stale
873 // field to be removed from the SecVBitNode struct, reducing its size by
874 // 8 bytes, which is a substantial space saving considering that the
875 // struct was previously 32 or so bytes, on a 64 bit target.
876 //
877 // In order to try and mitigate the problem that the "sufficiently stale"
878 // heuristic was designed to avoid, the table size is allowed to drift
879 // up ("DRIFTUP") slowly to 80000, even if the residency is low. This
880 // means that nodes will exist in the table longer on average, and hopefully
881 // will be deleted and re-added less frequently.
882 //
883 // The previous scaling up mechanism (now called STEPUP) is retained:
884 // if residency exceeds 50%, the table is scaled up, although by a
885 // factor sqrt(2) rather than 2 as before. This effectively doubles the
886 // frequency of GCs when there are many PDBs at reduces the tendency of
887 // stale PDBs to reside for long periods in the table.
891 // Stats
895 // This must be a power of two; this is checked in mc_pre_clo_init().
896 // The size chosen here is a trade-off: if the nodes are bigger (ie. cover
897 // a larger address range) they take more space but we can get multiple
898 // partially-defined bytes in one if they are close to each other, reducing
899 // the number of total nodes. In practice sometimes they are clustered (eg.
900 // perf/bz2 repeatedly writes then reads more than 20,000 in a contiguous
901 // row), but often not. So we choose something intermediate.
902 #define BYTES_PER_SEC_VBIT_NODE 16
904 // We make the table bigger by a factor of STEPUP_GROWTH_FACTOR if
905 // more than this many nodes survive a GC.
906 #define STEPUP_SURVIVOR_PROPORTION 0.5
907 #define STEPUP_GROWTH_FACTOR 1.414213562
909 // If the above heuristic doesn't apply, then we may make the table
910 // slightly bigger, by a factor of DRIFTUP_GROWTH_FACTOR, if more than
911 // this many nodes survive a GC, _and_ the total table size does
912 // not exceed a fixed limit. The numbers are somewhat arbitrary, but
913 // work tolerably well on long Firefox runs. The scaleup ratio of 1.5%
914 // effectively although gradually reduces residency and increases time
915 // between GCs for programs with small numbers of PDBs. The 80000 limit
916 // effectively limits the table size to around 2MB for programs with
917 // small numbers of PDBs, whilst giving a reasonably long lifetime to
918 // entries, to try and reduce the costs resulting from deleting and
919 // re-adding of entries.
920 #define DRIFTUP_SURVIVOR_PROPORTION 0.15
921 #define DRIFTUP_GROWTH_FACTOR 1.015
922 #define DRIFTUP_MAX_SIZE 80000
924 // We GC the table when it gets this many nodes in it, ie. it's effectively
925 // the table size. It can change.
928 // The number of GCs done, used to age sec-V-bit nodes for eviction.
929 // Because it's unsigned, wrapping doesn't matter -- the right answer will
930 // come out anyway.
933 typedef
935 Addr a;
937 }
938 SecVBitNode;
941 {
951 }
954 {
959 GCs_done++;
961 // Create the new table.
964 // Traverse the table, moving fresh nodes into the new table.
967 // Keep node if any of its bytes are non-stale. Using
968 // get_vabits2() for the lookup is not very efficient, but I don't
969 // think it matters.
972 // Found a non-stale byte, so keep =>
973 // Insert a copy of the node into the new table.
979 }
980 }
981 }
983 // Get the before and after sizes.
987 // Destroy the old table, and put the new one in its place.
994 }
996 // Increase table size if necessary.
1003 secVBitLimit);
1004 }
1005 else
1013 secVBitLimit);
1014 }
1015 }
1018 {
1022 UChar vbits8;
1024 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1025 // make it to the secondary V bits table.
1029 }
1032 {
1036 // Shouldn't be fully defined or fully undefined -- those cases shouldn't
1037 // make it to the secondary V bits table.
1041 sec_vbits_updates++;
1043 // Do a table GC if necessary. Nb: do this before creating and
1044 // inserting the new node, to avoid erroneously GC'ing the new node.
1047 }
1049 // New node: assign the specific byte, make the rest invalid (they
1050 // should never be read as-is, but be cautious).
1055 }
1058 // Insert the new node.
1060 sec_vbits_new_nodes++;
1065 }
1066 }
1068 /* --------------- Endianness helpers --------------- */
1070 /* Returns the offset in memory of the byteno-th most significant byte
1071 in a wordszB-sized word, given the specified endianness. */
1073 UWord byteno ) {
1075 }
1078 /* --------------- Ignored address ranges --------------- */
1080 /* Denotes the address-error-reportability status for address ranges:
1081 IAR_NotIgnored: the usual case -- report errors in this range
1082 IAR_CommandLine: don't report errors -- from command line setting
1083 IAR_ClientReq: don't report errors -- from client request
1084 */
1085 typedef
1087 IAR_NotIgnored,
1088 IAR_CommandLine,
1089 IAR_ClientReq }
1090 IARKind;
1093 {
1100 }
1101 }
1103 // RangeMap<IARKind>
1107 {
1112 }
1115 {
1128 }
1130 /*NOTREACHED*/
1131 }
1134 {
1143 /* Bizarre. We have a wraparound situation. What should we do? */
1146 /* This is the expected case. */
1149 else
1151 }
1152 /*NOTREACHED*/
1154 }
1156 /* Parse two Addrs (in hex) separated by a dash, or fail. */
1159 {
1170 }
1172 /* Parse two UInts (32 bit unsigned, in decimal) separated by a dash,
1173 or fail. */
1176 {
1187 }
1189 /* Parse a set of ranges separated by commas into 'ignoreRanges', or
1190 fail. If they are valid, add them to the global set of ignored
1191 ranges. */
1193 {
1211 }
1212 /*NOTREACHED*/
1214 }
1216 /* Add or remove [start, +len) from the set of ignored ranges. */
1218 {
1223 }
1236 }
1240 UInt i;
1249 }
1250 }
1252 }
1255 /* --------------- Load/store slow cases. --------------- */
1257 static
1261 {
1267 Addr ai;
1268 UChar vbits8;
1269 Bool ok;
1271 /* Code below assumes load size is a power of two and at least 64
1272 bits. */
1275 /* If this triggers, you probably just need to increase the size of
1276 the pessim array. */
1282 }
1284 /* Make up a result V word, which contains the loaded data for
1285 valid addresses and Defined for invalid addresses. Iterate over
1286 the bytes in the word, from the most significant down to the
1287 least. The vbits to return are calculated into vbits128. Also
1288 compute the pessimising value to be used when
1289 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1290 info can be gleaned from the pessim array) but is used as a
1291 cross-check. */
1305 }
1308 }
1310 /* In the common case, all the addresses involved are valid, so we
1311 just return the computed V bits and have done. */
1315 /* If there's no possibility of getting a partial-loads-ok
1316 exemption, report the error and quit. */
1320 }
1322 /* The partial-loads-ok excemption might apply. Find out if it
1323 does. If so, don't report an addressing error, but do return
1324 Undefined for the bytes that are out of range, so as to avoid
1325 false negatives. If it doesn't apply, just report an addressing
1326 error in the usual way. */
1328 /* Some code steps along byte strings in aligned chunks
1329 even when there is only a partially defined word at the end (eg,
1330 optimised strlen). This is allowed by the memory model of
1331 modern machines, since an aligned load cannot span two pages and
1332 thus cannot "partially fault".
1334 Therefore, a load from a partially-addressible place is allowed
1335 if all of the following hold:
1336 - the command-line flag is set [by default, it isn't]
1337 - it's an aligned load
1338 - at least one of the addresses in the word *is* valid
1340 Since this suppresses the addressing error, we avoid false
1341 negatives by marking bytes undefined when they come from an
1342 invalid address.
1343 */
1345 /* "at least one of the addresses is invalid" */
1351 # if defined(VGP_s390x_linux)
1353 /* OK if all loaded bytes are from the same page. */
1355 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1356 /* lxvd2x might generate an unaligned 128 bit vector load. */
1358 # else
1359 /* OK if the address is aligned by the load size. */
1361 # endif
1364 /* Exemption applies. Use the previously computed pessimising
1365 value and return the combined result, but don't flag an
1366 addressing error. The pessimising value is Defined for valid
1367 addresses and Undefined for invalid addresses. */
1368 /* for assumption that doing bitwise or implements UifU */
1370 /* (really need "UifU" here...)
1371 vbits[j] UifU= pessim[j] (is pessimised by it, iow) */
1375 }
1377 /* Exemption doesn't apply. Flag an addressing error in the normal
1378 way. */
1380 }
1382 MC_MAIN_STATIC
1388 MC_MAIN_STATIC
1392 this function may get called from hand written assembly. */
1394 {
1397 /* ------------ BEGIN semi-fast cases ------------ */
1398 /* These deal quickly-ish with the common auxiliary primary map
1399 cases on 64-bit platforms. Are merely a speedup hack; can be
1400 omitted without loss of correctness/functionality. Note that in
1401 both cases the "sizeof(void*) == 8" causes these cases to be
1402 folded out by compilers on 32-bit platforms. These are derived
1403 from LOADV64 and LOADV32.
1404 */
1406 # if defined(VGA_mips64) && defined(VGABI_N32)
1408 # else
1410 # endif
1411 {
1419 /* else fall into the slow case */
1420 }
1422 # if defined(VGA_mips64) && defined(VGABI_N32)
1424 # else
1426 # endif
1427 {
1435 /* else fall into slow case */
1436 }
1438 /* ------------ END semi-fast cases ------------ */
1445 Addr ai;
1446 UChar vbits8;
1447 Bool ok;
1451 /* Make up a 64-bit result V word, which contains the loaded data
1452 for valid addresses and Defined for invalid addresses. Iterate
1453 over the bytes in the word, from the most significant down to
1454 the least. The vbits to return are calculated into vbits64.
1455 Also compute the pessimising value to be used when
1456 --partial-loads-ok=yes. n_addrs_bad is redundant (the relevant
1457 info can be gleaned from pessim64) but is used as a
1458 cross-check. */
1468 }
1470 /* In the common case, all the addresses involved are valid, so we
1471 just return the computed V bits and have done. */
1475 /* If there's no possibility of getting a partial-loads-ok
1476 exemption, report the error and quit. */
1480 }
1482 /* The partial-loads-ok excemption might apply. Find out if it
1483 does. If so, don't report an addressing error, but do return
1484 Undefined for the bytes that are out of range, so as to avoid
1485 false negatives. If it doesn't apply, just report an addressing
1486 error in the usual way. */
1488 /* Some code steps along byte strings in aligned word-sized chunks
1489 even when there is only a partially defined word at the end (eg,
1490 optimised strlen). This is allowed by the memory model of
1491 modern machines, since an aligned load cannot span two pages and
1492 thus cannot "partially fault". Despite such behaviour being
1493 declared undefined by ANSI C/C++.
1495 Therefore, a load from a partially-addressible place is allowed
1496 if all of the following hold:
1497 - the command-line flag is set [by default, it isn't]
1498 - it's a word-sized, word-aligned load
1499 - at least one of the addresses in the word *is* valid
1501 Since this suppresses the addressing error, we avoid false
1502 negatives by marking bytes undefined when they come from an
1503 invalid address.
1504 */
1506 /* "at least one of the addresses is invalid" */
1509 # if defined(VGA_mips64) && defined(VGABI_N32)
1512 # elif defined(VGA_ppc64be) || defined(VGA_ppc64le)
1513 /* On power unaligned loads of words are OK. */
1515 # else
1518 # endif
1519 {
1520 /* Exemption applies. Use the previously computed pessimising
1521 value for vbits64 and return the combined result, but don't
1522 flag an addressing error. The pessimising value is Defined
1523 for valid addresses and Undefined for invalid addresses. */
1524 /* for assumption that doing bitwise or implements UifU */
1526 /* (really need "UifU" here...)
1527 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1530 }
1532 /* Also, in appears that gcc generates string-stepping code in
1533 32-bit chunks on 64 bit platforms. So, also grant an exception
1534 for this case. Note that the first clause of the conditional
1535 (VG_WORDSIZE == 8) is known at compile time, so the whole clause
1536 will get folded out in 32 bit builds. */
1537 # if defined(VGA_mips64) && defined(VGABI_N32)
1540 # else
1543 # endif
1544 {
1546 /* (really need "UifU" here...)
1547 vbits64 UifU= pessim64 (is pessimised by it, iow) */
1549 /* Mark the upper 32 bits as undefined, just to be on the safe
1550 side. */
1553 }
1555 /* Exemption doesn't apply. Flag an addressing error in the normal
1556 way. */
1560 }
1563 static
1566 {
1569 UChar vbits8;
1570 Addr ai;
1571 Bool ok;
1575 /* ------------ BEGIN semi-fast cases ------------ */
1576 /* These deal quickly-ish with the common auxiliary primary map
1577 cases on 64-bit platforms. Are merely a speedup hack; can be
1578 omitted without loss of correctness/functionality. Note that in
1579 both cases the "sizeof(void*) == 8" causes these cases to be
1580 folded out by compilers on 32-bit platforms. The logic below
1581 is somewhat similar to some cases extensively commented in
1582 MC_(helperc_STOREV8).
1583 */
1584 # if defined(VGA_mips64) && defined(VGABI_N32)
1586 # else
1588 # endif
1589 {
1596 /* Handle common case quickly: a is suitably aligned, */
1597 /* is mapped, and is addressible. */
1598 // Convert full V-bits in register to compact 2-bit form.
1605 }
1606 /* else fall into the slow case */
1607 }
1608 /* else fall into the slow case */
1609 }
1611 # if defined(VGA_mips64) && defined(VGABI_N32)
1613 # else
1615 # endif
1616 {
1623 /* Handle common case quickly: a is suitably aligned, */
1624 /* is mapped, and is addressible. */
1625 // Convert full V-bits in register to compact 2-bit form.
1632 }
1633 /* else fall into the slow case */
1634 }
1635 /* else fall into the slow case */
1636 }
1637 /* ------------ END semi-fast cases ------------ */
1641 /* Dump vbytes in memory, iterating from least to most significant
1642 byte. At the same time establish addressibility of the location. */
1650 }
1652 /* If an address error has happened, report it. */
1655 }
1658 /*------------------------------------------------------------*/
1659 /*--- Setting permissions over address ranges. ---*/
1660 /*------------------------------------------------------------*/
1663 UWord dsm_num )
1664 {
1668 Addr aNext;
1675 /* Check the V+A bits make sense. */
1680 // This code should never write PDBs; ensure this. (See comment above
1681 // set_vabits2().)
1696 }
1697 }
1699 #ifndef PERF_FAST_SARP
1700 /*------------------ debug-only case ------------------ */
1701 {
1702 // Endianness doesn't matter here because all bytes are being set to
1703 // the same value.
1704 // Nb: We don't have to worry about updating the sec-V-bits table
1705 // after these set_vabits2() calls because this code never writes
1706 // VA_BITS2_PARTDEFINED values.
1707 SizeT i;
1710 }
1712 }
1713 #endif
1715 /*------------------ standard handling ------------------ */
1717 /* Get the distinguished secondary that we might want
1718 to use (part of the space-compression scheme). */
1721 // We have to handle ranges covering various combinations of partial and
1722 // whole sec-maps. Here is how parts 1, 2 and 3 are used in each case.
1723 // Cases marked with a '*' are common.
1724 //
1725 // TYPE PARTS USED
1726 // ---- ----------
1727 // * one partial sec-map (p) 1
1728 // - one whole sec-map (P) 2
1729 //
1730 // * two partial sec-maps (pp) 1,3
1731 // - one partial, one whole sec-map (pP) 1,2
1732 // - one whole, one partial sec-map (Pp) 2,3
1733 // - two whole sec-maps (PP) 2,2
1734 //
1735 // * one partial, one whole, one partial (pPp) 1,2,3
1736 // - one partial, two whole (pPP) 1,2,2
1737 // - two whole, one partial (PPp) 2,2,3
1738 // - three whole (PPP) 2,2,2
1739 //
1740 // * one partial, N-2 whole, one partial (pP...Pp) 1,2...2,3
1741 // - one partial, N-1 whole (pP...PP) 1,2...2,2
1742 // - N-1 whole, one partial (PP...Pp) 2,2...2,3
1743 // - N whole (PP...PP) 2,2...2,3
1745 // Break up total length (lenT) into two parts: length in the first
1746 // sec-map (lenA), and the rest (lenB); lenT == lenA + lenB.
1750 // Range entirely within one sec-map. Covers almost all cases.
1755 // Range spans at least one whole sec-map, and starts at the beginning
1756 // of a sec-map; skip to Part 2.
1762 // Range spans two or more sec-maps, first one is partial.
1766 }
1768 //------------------------------------------------------------------------
1769 // Part 1: Deal with the first sec_map. Most of the time the range will be
1770 // entirely within a sec_map and this part alone will suffice. Also,
1771 // doing it this way lets us avoid repeatedly testing for the crossing of
1772 // a sec-map boundary within these loops.
1773 //------------------------------------------------------------------------
1775 // If it's distinguished, make it undistinguished if necessary.
1779 // Sec-map already has the V+A bits that we want, so skip.
1786 }
1787 }
1790 // 1 byte steps
1799 }
1800 // 8-aligned, 8 byte steps
1808 }
1809 // 1 byte steps
1817 }
1819 // We've finished the first sec-map. Is that it?
1823 //------------------------------------------------------------------------
1824 // Part 2: Fast-set entire sec-maps at a time.
1825 //------------------------------------------------------------------------
1826 part2:
1827 // 64KB-aligned, 64KB steps.
1828 // Nb: we can reach here with lenB < SM_SIZE
1837 // Free the non-distinguished sec-map that we're replacing. This
1838 // case happens moderately often, enough to be worthwhile.
1841 }
1843 // Make the sec-map entry point to the example DSM
1847 }
1849 // We've finished the whole sec-maps. Is that it?
1853 //------------------------------------------------------------------------
1854 // Part 3: Finish off the final partial sec-map, if necessary.
1855 //------------------------------------------------------------------------
1859 // If it's distinguished, make it undistinguished if necessary.
1863 // Sec-map already has the V+A bits that we want, so stop.
1869 }
1870 }
1873 // 8-aligned, 8 byte steps
1881 }
1882 // 1 byte steps
1890 }
1891 }
1894 /* --- Set permissions for arbitrary address ranges --- */
1897 {
1903 }
1906 {
1910 }
1913 {
1919 }
1921 static
1924 {
1925 UInt ecu;
1927 /* VG_(record_ExeContext) checks for validity of tid, and asserts
1928 if it is invalid. So no need to do it here. */
1935 }
1937 static
1939 {
1941 }
1943 static
1945 {
1947 }
1950 {
1956 }
1960 {
1962 }
1964 /* For each byte in [a,a+len), if the byte is addressable, make it be
1965 defined, but if it isn't addressible, leave it alone. In other
1966 words a version of MC_(make_mem_defined) that doesn't mess with
1967 addressibility. Low-performance implementation. */
1969 {
1970 SizeT i;
1971 UChar vabits2;
1979 }
1980 }
1981 }
1982 }
1984 /* Similarly (needed for mprotect handling ..) */
1986 {
1987 SizeT i;
1988 UChar vabits2;
1996 }
1997 }
1998 }
1999 }
2001 /* --- Block-copy permissions (needed for implementing realloc() and
2002 sys_mremap). --- */
2005 {
2021 /* Vectorised fast case, when no overlap and suitably aligned */
2022 /* vector loop */
2030 /* do nothing */
2032 /* have to copy secondary map info */
2041 }
2044 }
2045 /* fixup loop */
2051 }
2052 i++;
2053 len--;
2054 }
2058 /* We have to do things the slow way */
2066 }
2067 }
2068 }
2077 }
2078 }
2079 }
2080 }
2082 }
2085 /*------------------------------------------------------------*/
2086 /*--- Origin tracking stuff - cache basics ---*/
2087 /*------------------------------------------------------------*/
2089 /* AN OVERVIEW OF THE ORIGIN TRACKING IMPLEMENTATION
2090 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2092 Note that this implementation draws inspiration from the "origin
2093 tracking by value piggybacking" scheme described in "Tracking Bad
2094 Apples: Reporting the Origin of Null and Undefined Value Errors"
2095 (Michael Bond, Nicholas Nethercote, Stephen Kent, Samuel Guyer,
2096 Kathryn McKinley, OOPSLA07, Montreal, Oct 2007) but in fact it is
2097 implemented completely differently.
2099 Origin tags and ECUs -- about the shadow values
2100 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2102 This implementation tracks the defining point of all uninitialised
2103 values using so called "origin tags", which are 32-bit integers,
2104 rather than using the values themselves to encode the origins. The
2105 latter, so-called value piggybacking", is what the OOPSLA07 paper
2106 describes.
2108 Origin tags, as tracked by the machinery below, are 32-bit unsigned
2109 ints (UInts), regardless of the machine's word size. Each tag
2110 comprises an upper 30-bit ECU field and a lower 2-bit
2111 'kind' field. The ECU field is a number given out by m_execontext
2112 and has a 1-1 mapping with ExeContext*s. An ECU can be used
2113 directly as an origin tag (otag), but in fact we want to put
2114 additional information 'kind' field to indicate roughly where the
2115 tag came from. This helps print more understandable error messages
2116 for the user -- it has no other purpose. In summary:
2118 * Both ECUs and origin tags are represented as 32-bit words
2120 * m_execontext and the core-tool interface deal purely in ECUs.
2121 They have no knowledge of origin tags - that is a purely
2122 Memcheck-internal matter.
2124 * all valid ECUs have the lowest 2 bits zero and at least
2125 one of the upper 30 bits nonzero (see VG_(is_plausible_ECU))
2127 * to convert from an ECU to an otag, OR in one of the MC_OKIND_
2128 constants defined in mc_include.h.
2130 * to convert an otag back to an ECU, AND it with ~3
2132 One important fact is that no valid otag is zero. A zero otag is
2133 used by the implementation to indicate "no origin", which could
2134 mean that either the value is defined, or it is undefined but the
2135 implementation somehow managed to lose the origin.
2137 The ECU used for memory created by malloc etc is derived from the
2138 stack trace at the time the malloc etc happens. This means the
2139 mechanism can show the exact allocation point for heap-created
2140 uninitialised values.
2142 In contrast, it is simply too expensive to create a complete
2143 backtrace for each stack allocation. Therefore we merely use a
2144 depth-1 backtrace for stack allocations, which can be done once at
2145 translation time, rather than N times at run time. The result of
2146 this is that, for stack created uninitialised values, Memcheck can
2147 only show the allocating function, and not what called it.
2148 Furthermore, compilers tend to move the stack pointer just once at
2149 the start of the function, to allocate all locals, and so in fact
2150 the stack origin almost always simply points to the opening brace
2151 of the function. Net result is, for stack origins, the mechanism
2152 can tell you in which function the undefined value was created, but
2153 that's all. Users will need to carefully check all locals in the
2154 specified function.
2156 Shadowing registers and memory
2157 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2159 Memory is shadowed using a two level cache structure (ocacheL1 and
2160 ocacheL2). Memory references are first directed to ocacheL1. This
2161 is a traditional 2-way set associative cache with 32-byte lines and
2162 approximate LRU replacement within each set.
2164 A naive implementation would require storing one 32 bit otag for
2165 each byte of memory covered, a 4:1 space overhead. Instead, there
2166 is one otag for every 4 bytes of memory covered, plus a 4-bit mask
2167 that shows which of the 4 bytes have that shadow value and which
2168 have a shadow value of zero (indicating no origin). Hence a lot of
2169 space is saved, but the cost is that only one different origin per
2170 4 bytes of address space can be represented. This is a source of
2171 imprecision, but how much of a problem it really is remains to be
2172 seen.
2174 A cache line that contains all zeroes ("no origins") contains no
2175 useful information, and can be ejected from the L1 cache "for
2176 free", in the sense that a read miss on the L1 causes a line of
2177 zeroes to be installed. However, ejecting a line containing
2178 nonzeroes risks losing origin information permanently. In order to
2179 prevent such lossage, ejected nonzero lines are placed in a
2180 secondary cache (ocacheL2), which is an OSet (AVL tree) of cache
2181 lines. This can grow arbitrarily large, and so should ensure that
2182 Memcheck runs out of memory in preference to losing useful origin
2183 info due to cache size limitations.
2185 Shadowing registers is a bit tricky, because the shadow values are
2186 32 bits, regardless of the size of the register. That gives a
2187 problem for registers smaller than 32 bits. The solution is to
2188 find spaces in the guest state that are unused, and use those to
2189 shadow guest state fragments smaller than 32 bits. For example, on
2190 ppc32/64, each vector register is 16 bytes long. If 4 bytes of the
2191 shadow are allocated for the register's otag, then there are still
2192 12 bytes left over which could be used to shadow 3 other values.
2194 This implies there is some non-obvious mapping from guest state
2195 (start,length) pairs to the relevant shadow offset (for the origin
2196 tags). And it is unfortunately guest-architecture specific. The
2197 mapping is contained in mc_machine.c, which is quite lengthy but
2198 straightforward.
2200 Instrumenting the IR
2201 ~~~~~~~~~~~~~~~~~~~~
2203 Instrumentation is largely straightforward, and done by the
2204 functions schemeE and schemeS in mc_translate.c. These generate
2205 code for handling the origin tags of expressions (E) and statements
2206 (S) respectively. The rather strange names are a reference to the
2207 "compilation schemes" shown in Simon Peyton Jones' book "The
2208 Implementation of Functional Programming Languages" (Prentice Hall,
2209 1987, see
2210 http://research.microsoft.com/~simonpj/papers/slpj-book-1987/index.htm).
2212 schemeS merely arranges to move shadow values around the guest
2213 state to track the incoming IR. schemeE is largely trivial too.
2214 The only significant point is how to compute the otag corresponding
2215 to binary (or ternary, quaternary, etc) operator applications. The
2216 rule is simple: just take whichever value is larger (32-bit
2217 unsigned max). Constants get the special value zero. Hence this
2218 rule always propagates a nonzero (known) otag in preference to a
2219 zero (unknown, or more likely, value-is-defined) tag, as we want.
2220 If two different undefined values are inputs to a binary operator
2221 application, then which is propagated is arbitrary, but that
2222 doesn't matter, since the program is erroneous in using either of
2223 the values, and so there's no point in attempting to propagate
2224 both.
2226 Since constants are abstracted to (otag) zero, much of the
2227 instrumentation code can be folded out without difficulty by the
2228 generic post-instrumentation IR cleanup pass, using these rules:
2229 Max32U(0,x) -> x, Max32U(x,0) -> x, Max32(x,y) where x and y are
2230 constants is evaluated at JIT time. And the resulting dead code
2231 removal. In practice this causes surprisingly few Max32Us to
2232 survive through to backend code generation.
2234 Integration with the V-bits machinery
2235 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2237 This is again largely straightforward. Mostly the otag and V bits
2238 stuff are independent. The only point of interaction is when the V
2239 bits instrumenter creates a call to a helper function to report an
2240 uninitialised value error -- in that case it must first use schemeE
2241 to get hold of the origin tag expression for the value, and pass
2242 that to the helper too.
2244 There is the usual stuff to do with setting address range
2245 permissions. When memory is painted undefined, we must also know
2246 the origin tag to paint with, which involves some tedious plumbing,
2247 particularly to do with the fast case stack handlers. When memory
2248 is painted defined or noaccess then the origin tags must be forced
2249 to zero.
2251 One of the goals of the implementation was to ensure that the
2252 non-origin tracking mode isn't slowed down at all. To do this,
2253 various functions to do with memory permissions setting (again,
2254 mostly pertaining to the stack) are duplicated for the with- and
2255 without-otag case.
2257 Dealing with stack redzones, and the NIA cache
2258 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2260 This is one of the few non-obvious parts of the implementation.
2262 Some ABIs (amd64-ELF, ppc64-ELF, ppc32/64-XCOFF) define a small
2263 reserved area below the stack pointer, that can be used as scratch
2264 space by compiler generated code for functions. In the Memcheck
2265 sources this is referred to as the "stack redzone". The important
2266 thing here is that such redzones are considered volatile across
2267 function calls and returns. So Memcheck takes care to mark them as
2268 undefined for each call and return, on the afflicted platforms.
2269 Past experience shows this is essential in order to get reliable
2270 messages about uninitialised values that come from the stack.
2272 So the question is, when we paint a redzone undefined, what origin
2273 tag should we use for it? Consider a function f() calling g(). If
2274 we paint the redzone using an otag derived from the ExeContext of
2275 the CALL/BL instruction in f, then any errors in g causing it to
2276 use uninitialised values that happen to lie in the redzone, will be
2277 reported as having their origin in f. Which is highly confusing.
2279 The same applies for returns: if, on a return, we paint the redzone
2280 using a origin tag derived from the ExeContext of the RET/BLR
2281 instruction in g, then any later errors in f causing it to use
2282 uninitialised values in the redzone, will be reported as having
2283 their origin in g. Which is just as confusing.
2285 To do it right, in both cases we need to use an origin tag which
2286 pertains to the instruction which dynamically follows the CALL/BL
2287 or RET/BLR. In short, one derived from the NIA - the "next
2288 instruction address".
2290 To make this work, Memcheck's redzone-painting helper,
2291 MC_(helperc_MAKE_STACK_UNINIT), now takes a third argument, the
2292 NIA. It converts the NIA to a 1-element ExeContext, and uses that
2293 ExeContext's ECU as the basis for the otag used to paint the
2294 redzone. The expensive part of this is converting an NIA into an
2295 ECU, since this happens once for every call and every return. So
2296 we use a simple 511-line, 2-way set associative cache
2297 (nia_to_ecu_cache) to cache the mappings, and that knocks most of
2298 the cost out.
2300 Further background comments
2301 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2303 > Question: why is otag a UInt? Wouldn't a UWord be better? Isn't
2304 > it really just the address of the relevant ExeContext?
2306 Well, it's not the address, but a value which has a 1-1 mapping
2307 with ExeContexts, and is guaranteed not to be zero, since zero
2308 denotes (to memcheck) "unknown origin or defined value". So these
2309 UInts are just numbers starting at 4 and incrementing by 4; each
2310 ExeContext is given a number when it is created. (*** NOTE this
2311 confuses otags and ECUs; see comments above ***).
2313 Making these otags 32-bit regardless of the machine's word size
2314 makes the 64-bit implementation easier (next para). And it doesn't
2315 really limit us in any way, since for the tags to overflow would
2316 require that the program somehow caused 2^30-1 different
2317 ExeContexts to be created, in which case it is probably in deep
2318 trouble. Not to mention V will have soaked up many tens of
2319 gigabytes of memory merely to store them all.
2321 So having 64-bit origins doesn't really buy you anything, and has
2322 the following downsides:
2324 Suppose that instead, an otag is a UWord. This would mean that, on
2325 a 64-bit target,
2327 1. It becomes hard to shadow any element of guest state which is
2328 smaller than 8 bytes. To do so means you'd need to find some
2329 8-byte-sized hole in the guest state which you don't want to
2330 shadow, and use that instead to hold the otag. On ppc64, the
2331 condition code register(s) are split into 20 UChar sized pieces,
2332 all of which need to be tracked (guest_XER_SO .. guest_CR7_0)
2333 and so that would entail finding 160 bytes somewhere else in the
2334 guest state.
2336 Even on x86, I want to track origins for %AH .. %DH (bits 15:8
2337 of %EAX .. %EDX) that are separate from %AL .. %DL (bits 7:0 of
2338 same) and so I had to look for 4 untracked otag-sized areas in
2339 the guest state to make that possible.
2341 The same problem exists of course when origin tags are only 32
2342 bits, but it's less extreme.
2344 2. (More compelling) it doubles the size of the origin shadow
2345 memory. Given that the shadow memory is organised as a fixed
2346 size cache, and that accuracy of tracking is limited by origins
2347 falling out the cache due to space conflicts, this isn't good.
2349 > Another question: is the origin tracking perfect, or are there
2350 > cases where it fails to determine an origin?
2352 It is imperfect for at least for the following reasons, and
2353 probably more:
2355 * Insufficient capacity in the origin cache. When a line is
2356 evicted from the cache it is gone forever, and so subsequent
2357 queries for the line produce zero, indicating no origin
2358 information. Interestingly, a line containing all zeroes can be
2359 evicted "free" from the cache, since it contains no useful
2360 information, so there is scope perhaps for some cleverer cache
2361 management schemes. (*** NOTE, with the introduction of the
2362 second level origin tag cache, ocacheL2, this is no longer a
2363 problem. ***)
2365 * The origin cache only stores one otag per 32-bits of address
2366 space, plus 4 bits indicating which of the 4 bytes has that tag
2367 and which are considered defined. The result is that if two
2368 undefined bytes in the same word are stored in memory, the first
2369 stored byte's origin will be lost and replaced by the origin for
2370 the second byte.
2372 * Nonzero origin tags for defined values. Consider a binary
2373 operator application op(x,y). Suppose y is undefined (and so has
2374 a valid nonzero origin tag), and x is defined, but erroneously
2375 has a nonzero origin tag (defined values should have tag zero).
2376 If the erroneous tag has a numeric value greater than y's tag,
2377 then the rule for propagating origin tags though binary
2378 operations, which is simply to take the unsigned max of the two
2379 tags, will erroneously propagate x's tag rather than y's.
2381 * Some obscure uses of x86/amd64 byte registers can cause lossage
2382 or confusion of origins. %AH .. %DH are treated as different
2383 from, and unrelated to, their parent registers, %EAX .. %EDX.
2384 So some weird sequences like
2386 movb undefined-value, %AH
2387 movb defined-value, %AL
2388 .. use %AX or %EAX ..
2390 will cause the origin attributed to %AH to be ignored, since %AL,
2391 %AX, %EAX are treated as the same register, and %AH as a
2392 completely separate one.
2394 But having said all that, it actually seems to work fairly well in
2395 practice.
2396 */
2409 /* Cache of 32-bit values, one every 32 bits of address space */
2411 #define OC_BITS_PER_LINE 5
2412 #define OC_W32S_PER_LINE (1 << (OC_BITS_PER_LINE - 2))
2416 }
2419 }
2421 #define OC_LINES_PER_SET 2
2423 #define OC_N_SET_BITS 20
2424 #define OC_N_SETS (1 << OC_N_SET_BITS)
2426 /* These settings give:
2427 64 bit host: ocache: 100,663,296 sizeB 67,108,864 useful
2428 32 bit host: ocache: 92,274,688 sizeB 67,108,864 useful
2429 */
2431 #define OC_MOVE_FORWARDS_EVERY_BITS 7
2434 typedef
2436 Addr tag;
2439 }
2440 OCacheLine;
2442 /* Classify and also sanity-check 'line'. Return 'e' (empty) if not
2443 in use, 'n' (nonzero) if it contains at least one valid origin tag,
2444 and 'z' if all the represented tags are zero. */
2446 {
2447 UWord i;
2455 }
2457 }
2459 typedef
2462 }
2463 OCacheSet;
2465 typedef
2468 }
2469 OCache;
2476 {
2484 }
2489 }
2490 }
2492 }
2495 {
2496 OCacheLine tmp;
2497 stats_ocacheL1_movefwds++;
2502 }
2505 UWord i;
2509 }
2511 }
2513 //////////////////////////////////////////////////////////////
2514 //// OCache backing store
2520 }
2523 }
2525 /* Stats: # nodes currently in tree */
2529 {
2533 ocacheL2
2538 }
2540 /* Find line with the given tag in the tree, or NULL if not found. */
2542 {
2545 stats__ocacheL2_refs++;
2548 }
2550 /* Delete the line with the given tag from the tree, if it is present, and
2551 free up the associated memory. */
2553 {
2556 stats__ocacheL2_refs++;
2561 stats__ocacheL2_n_nodes--;
2562 }
2563 }
2565 /* Add a copy of the given line to the tree. It must not already be
2566 present. */
2568 {
2573 stats__ocacheL2_refs++;
2575 stats__ocacheL2_n_nodes++;
2578 }
2580 ////
2581 //////////////////////////////////////////////////////////////
2585 {
2587 UChar c;
2588 UWord line;
2594 /* we already tried line == 0; skip therefore. */
2598 stats_ocacheL1_found_at_1++;
2600 stats_ocacheL1_found_at_N++;
2601 }
2605 line--;
2606 }
2608 }
2609 }
2611 /* A miss. Use the last slot. Implicitly this means we're
2612 ejecting the line in the last slot. */
2613 stats_ocacheL1_misses++;
2615 line--;
2618 /* First, move the to-be-ejected line to the L2 cache. */
2623 /* the line is empty (has invalid tag); ignore it. */
2626 /* line contains zeroes. We must ensure the backing store is
2627 updated accordingly, either by copying the line there
2628 verbatim, or by ensuring it isn't present there. We
2629 chosse the latter on the basis that it reduces the size of
2630 the backing store. */
2634 /* line contains at least one real, useful origin. Copy it
2635 to the backing store. */
2636 stats_ocacheL1_lossage++;
2642 }
2646 }
2648 /* Now we must reload the L1 cache from the backing tree, if
2649 possible. */
2653 /* We're in luck. It's in the L2. */
2656 /* Missed at both levels of the cache hierarchy. We have to
2657 declare it as full of zeroes (unknown origins). */
2658 stats__ocacheL2_misses++;
2660 }
2662 /* Move it one forwards */
2664 line--;
2667 }
2670 {
2675 stats_ocacheL1_find++;
2680 }
2684 }
2687 }
2690 {
2691 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2692 //// Set the origins for a+0 .. a+7
2698 }
2704 }
2705 //// END inlined, specialised version of MC_(helperc_b_store8)
2706 }
2709 /*------------------------------------------------------------*/
2710 /*--- Aligned fast case permission setters, ---*/
2711 /*--- for dealing with stacks ---*/
2712 /*------------------------------------------------------------*/
2714 /*--------------------- 32-bit ---------------------*/
2716 /* Nb: by "aligned" here we mean 4-byte aligned */
2719 {
2722 #ifndef PERF_FAST_STACK2
2724 #else
2725 {
2726 UWord sm_off;
2733 }
2738 }
2739 #endif
2740 }
2742 static INLINE
2744 {
2746 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2747 //// Set the origins for a+0 .. a+3
2752 }
2756 }
2757 //// END inlined, specialised version of MC_(helperc_b_store4)
2758 }
2760 static INLINE
2762 {
2765 #ifndef PERF_FAST_STACK2
2767 #else
2768 {
2769 UWord sm_off;
2776 }
2782 //// BEGIN inlined, specialised version of MC_(helperc_b_store4)
2783 //// Set the origins for a+0 .. a+3.
2789 }
2792 }
2793 //// END inlined, specialised version of MC_(helperc_b_store4)
2794 }
2795 #endif
2796 }
2798 /*--------------------- 64-bit ---------------------*/
2800 /* Nb: by "aligned" here we mean 8-byte aligned */
2803 {
2806 #ifndef PERF_FAST_STACK2
2808 #else
2809 {
2810 UWord sm_off16;
2817 }
2822 }
2823 #endif
2824 }
2826 static INLINE
2828 {
2830 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2831 //// Set the origins for a+0 .. a+7
2841 }
2842 //// END inlined, specialised version of MC_(helperc_b_store8)
2843 }
2845 static INLINE
2847 {
2850 #ifndef PERF_FAST_STACK2
2852 #else
2853 {
2854 UWord sm_off16;
2861 }
2867 //// BEGIN inlined, specialised version of MC_(helperc_b_store8)
2868 //// Clear the origins for a+0 .. a+7.
2877 }
2878 //// END inlined, specialised version of MC_(helperc_b_store8)
2879 }
2880 #endif
2881 }
2884 /*------------------------------------------------------------*/
2885 /*--- Stack pointer adjustment ---*/
2886 /*------------------------------------------------------------*/
2888 #ifdef PERF_FAST_STACK
2889 # define MAYBE_USED
2890 #else
2891 # define MAYBE_USED __attribute__((unused))
2892 #endif
2894 /*--------------- adjustment by 4 bytes ---------------*/
2896 MAYBE_USED
2898 {
2905 }
2906 }
2908 MAYBE_USED
2910 {
2916 }
2917 }
2919 MAYBE_USED
2921 {
2927 }
2928 }
2930 /*--------------- adjustment by 8 bytes ---------------*/
2932 MAYBE_USED
2934 {
2944 }
2945 }
2947 MAYBE_USED
2949 {
2958 }
2959 }
2961 MAYBE_USED
2963 {
2972 }
2973 }
2975 /*--------------- adjustment by 12 bytes ---------------*/
2977 MAYBE_USED
2979 {
2986 /* from previous test we don't have 8-alignment at offset +0,
2987 hence must have 8 alignment at offsets +4/-4. Hence safe to
2988 do 4 at +0 and then 8 at +4/. */
2993 }
2994 }
2996 MAYBE_USED
2998 {
3004 /* from previous test we don't have 8-alignment at offset +0,
3005 hence must have 8 alignment at offsets +4/-4. Hence safe to
3006 do 4 at +0 and then 8 at +4/. */
3011 }
3012 }
3014 MAYBE_USED
3016 {
3018 /* Note the -12 in the test */
3020 /* We have 8-alignment at -12, hence ok to do 8 at -12 and 4 at
3021 -4. */
3025 /* We have 4-alignment at +0, but we don't have 8-alignment at
3026 -12. So we must have 8-alignment at -8. Hence do 4 at -12
3027 and then 8 at -8. */
3032 }
3033 }
3035 /*--------------- adjustment by 16 bytes ---------------*/
3037 MAYBE_USED
3039 {
3043 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3047 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3048 Hence do 4 at +0, 8 at +4, 4 at +12. */
3054 }
3055 }
3057 MAYBE_USED
3059 {
3062 /* Have 8-alignment at +0, hence do 8 at +0 and 8 at +8. */
3066 /* Have 4 alignment at +0 but not 8; hence 8 must be at +4.
3067 Hence do 4 at +0, 8 at +4, 4 at +12. */
3073 }
3074 }
3076 MAYBE_USED
3078 {
3081 /* Have 8-alignment at +0, hence do 8 at -16 and 8 at -8. */
3085 /* 8 alignment must be at -12. Do 4 at -16, 8 at -12, 4 at -4. */
3091 }
3092 }
3094 /*--------------- adjustment by 32 bytes ---------------*/
3096 MAYBE_USED
3098 {
3102 /* Straightforward */
3108 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3109 +0,+28. */
3117 }
3118 }
3120 MAYBE_USED
3122 {
3125 /* Straightforward */
3131 /* 8 alignment must be at +4. Hence do 8 at +4,+12,+20 and 4 at
3132 +0,+28. */
3140 }
3141 }
3143 MAYBE_USED
3145 {
3148 /* Straightforward */
3154 /* 8 alignment must be at -4 etc. Hence do 8 at -12,-20,-28 and
3155 4 at -32,-4. */
3163 }
3164 }
3166 /*--------------- adjustment by 112 bytes ---------------*/
3168 MAYBE_USED
3170 {
3190 }
3191 }
3193 MAYBE_USED
3195 {
3214 }
3215 }
3217 MAYBE_USED
3219 {
3238 }
3239 }
3241 /*--------------- adjustment by 128 bytes ---------------*/
3243 MAYBE_USED
3245 {
3267 }
3268 }
3270 MAYBE_USED
3272 {
3293 }
3294 }
3296 MAYBE_USED
3298 {
3319 }
3320 }
3322 /*--------------- adjustment by 144 bytes ---------------*/
3324 MAYBE_USED
3326 {
3350 }
3351 }
3353 MAYBE_USED
3355 {
3378 }
3379 }
3381 MAYBE_USED
3383 {
3406 }
3407 }
3409 /*--------------- adjustment by 160 bytes ---------------*/
3411 MAYBE_USED
3413 {
3439 }
3440 }
3442 MAYBE_USED
3444 {
3469 }
3470 }
3472 MAYBE_USED
3474 {
3499 }
3500 }
3502 /*--------------- adjustment by N bytes ---------------*/
3505 {
3509 }
3512 {
3515 }
3518 {
3521 }
3524 /* The AMD64 ABI says:
3526 "The 128-byte area beyond the location pointed to by %rsp is considered
3527 to be reserved and shall not be modified by signal or interrupt
3528 handlers. Therefore, functions may use this area for temporary data
3529 that is not needed across function calls. In particular, leaf functions
3530 may use this area for their entire stack frame, rather than adjusting
3531 the stack pointer in the prologue and epilogue. This area is known as
3532 red zone [sic]."
3534 So after any call or return we need to mark this redzone as containing
3535 undefined values.
3537 Consider this: we're in function f. f calls g. g moves rsp down
3538 modestly (say 16 bytes) and writes stuff all over the red zone, making it
3539 defined. g returns. f is buggy and reads from parts of the red zone
3540 that it didn't write on. But because g filled that area in, f is going
3541 to be picking up defined V bits and so any errors from reading bits of
3542 the red zone it didn't write, will be missed. The only solution I could
3543 think of was to make the red zone undefined when g returns to f.
3545 This is in accordance with the ABI, which makes it clear the redzone
3546 is volatile across function calls.
3548 The problem occurs the other way round too: f could fill the RZ up
3549 with defined values and g could mistakenly read them. So the RZ
3550 also needs to be nuked on function calls.
3551 */
3554 /* Here's a simple cache to hold nia -> ECU mappings. It could be
3555 improved so as to have a lower miss rate. */
3560 typedef
3563 WCacheEnt;
3565 #define N_NIA_TO_ECU_CACHE 511
3570 {
3571 UWord i;
3574 UInt zero_ecu;
3575 /* Fill all the slots with an entry for address zero, and the
3576 relevant otags accordingly. Hence the cache is initially filled
3577 with valid data. */
3587 }
3588 }
3591 {
3592 UWord i;
3593 UInt ecu;
3598 stats__nia_cache_queries++;
3606 # define SWAP(_w1,_w2) { UWord _t = _w1; _w1 = _w2; _w2 = _t; }
3609 # undef SWAP
3611 }
3613 stats__nia_cache_misses++;
3625 }
3628 /* This marks the stack as addressible but undefined, after a call or
3629 return for a target that has an ABI defined stack redzone. It
3630 happens quite a lot and needs to be fast. This is the version for
3631 origin tracking. The non-origin-tracking version is below. */
3634 {
3645 # if 0
3646 /* Slow(ish) version, which is fairly easily seen to be correct.
3647 */
3670 }
3671 # endif
3673 /* Idea is: go fast when
3674 * 8-aligned and length is 128
3675 * the sm is available in the main primary map
3676 * the address range falls entirely with a single secondary map
3677 If all those conditions hold, just update the V+A bits by writing
3678 directly into the vabits array. (If the sm was distinguished, this
3679 will make a copy and then write to it.)
3680 */
3682 /* Now we know the address range is suitably sized and aligned. */
3687 /* Now we know the entire range is within the main primary map. */
3691 /* Now we know that the entire address range falls within a
3692 single secondary map, and that that secondary 'lives' in
3693 the main primary map. */
3730 }
3731 }
3732 }
3734 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3736 /* Now we know the address range is suitably sized and aligned. */
3744 /* Now we know that the entire address range falls within a
3745 single secondary map, and that that secondary 'lives' in
3746 the main primary map. */
3823 }
3824 }
3825 }
3827 /* else fall into slow case */
3829 }
3832 /* This is a version of MC_(helperc_MAKE_STACK_UNINIT_w_o) that is
3833 specialised for the non-origin-tracking case. */
3836 {
3842 # if 0
3843 /* Slow(ish) version, which is fairly easily seen to be correct.
3844 */
3867 }
3868 # endif
3870 /* Idea is: go fast when
3871 * 8-aligned and length is 128
3872 * the sm is available in the main primary map
3873 * the address range falls entirely with a single secondary map
3874 If all those conditions hold, just update the V+A bits by writing
3875 directly into the vabits array. (If the sm was distinguished, this
3876 will make a copy and then write to it.)
3877 */
3879 /* Now we know the address range is suitably sized and aligned. */
3884 /* Now we know the entire range is within the main primary map. */
3888 /* Now we know that the entire address range falls within a
3889 single secondary map, and that that secondary 'lives' in
3890 the main primary map. */
3911 }
3912 }
3913 }
3915 /* 288 bytes (36 ULongs) is the magic value for ELF ppc64. */
3917 /* Now we know the address range is suitably sized and aligned. */
3925 /* Now we know that the entire address range falls within a
3926 single secondary map, and that that secondary 'lives' in
3927 the main primary map. */
3968 }
3969 }
3970 }
3972 /* else fall into slow case */
3974 }
3977 /* And this is an even more specialised case, for the case where there
3978 is no origin tracking, and the length is 128. */
3981 {
3986 # if 0
3987 /* Slow(ish) version, which is fairly easily seen to be correct.
3988 */
4011 }
4012 # endif
4014 /* Idea is: go fast when
4015 * 16-aligned and length is 128
4016 * the sm is available in the main primary map
4017 * the address range falls entirely with a single secondary map
4018 If all those conditions hold, just update the V+A bits by writing
4019 directly into the vabits array. (If the sm was distinguished, this
4020 will make a copy and then write to it.)
4022 Typically this applies to amd64 'ret' instructions, since RSP is
4023 16-aligned (0 % 16) after the instruction (per the amd64-ELF ABI).
4024 */
4026 /* Now we know the address range is suitably sized and aligned. */
4029 /* FIXME: come up with a sane story on the wraparound case
4030 (which of course cnanot happen, but still..) */
4033 /* Now we know the entire range is within the main primary map. */
4037 /* Now we know that the entire address range falls within a
4038 single secondary map, and that that secondary 'lives' in
4039 the main primary map. */
4053 }
4054 }
4055 }
4057 /* The same, but for when base is 8 % 16, which is the situation
4058 with RSP for amd64-ELF immediately after call instructions.
4059 */
4061 /* Now we know the address range is suitably sized and aligned. */
4064 /* FIXME: come up with a sane story on the wraparound case
4065 (which of course cnanot happen, but still..) */
4068 /* Now we know the entire range is within the main primary map. */
4073 /* Now we know that the entire address range falls within a
4074 single secondary map, and that that secondary 'lives' in
4075 the main primary map. */
4080 /* The following assertion is commented out for obvious
4081 performance reasons, but was verified as valid when
4082 running the entire testsuite and also Firefox. */
4083 /* tl_assert(VG_IS_4_ALIGNED(w32)); */
4094 }
4095 }
4096 }
4098 /* else fall into slow case */
4101 }
4104 /*------------------------------------------------------------*/
4105 /*--- Checking memory ---*/
4106 /*------------------------------------------------------------*/
4108 typedef
4113 }
4114 MC_ReadResult;
4117 /* Check permissions for address range. If inadequate permissions
4118 exist, *bad_addr is set to the offending address, so the caller can
4119 know what it is. */
4121 /* Returns True if [a .. a+len) is not addressible. Otherwise,
4122 returns False, and if bad_addr is non-NULL, sets *bad_addr to
4123 indicate the lowest failing address. Functions below are
4124 similar. */
4126 {
4127 SizeT i;
4128 UWord vabits2;
4137 }
4138 a++;
4139 }
4141 }
4145 {
4146 SizeT i;
4147 UWord vabits2;
4156 }
4157 a++;
4158 }
4160 }
4165 {
4166 SizeT i;
4167 UWord vabits2;
4178 // Error! Nb: Report addressability errors in preference to
4179 // definedness errors. And don't report definedeness errors unless
4180 // --undef-value-errors=yes.
4183 }
4186 }
4190 }
4192 }
4193 }
4194 a++;
4195 }
4197 }
4200 /* Like is_mem_defined but doesn't give up at the first uninitialised
4201 byte -- the entire range is always checked. This is important for
4202 detecting errors in the case where a checked range strays into
4203 invalid memory, but that fact is not detected by the ordinary
4204 is_mem_defined(), because of an undefined section that precedes the
4205 out of range section, possibly as a result of an alignment hole in
4206 the checked data. This version always checks the entire range and
4207 can report both a definedness and an accessbility error, if
4208 necessary. */
4216 )
4217 {
4218 SizeT i;
4219 UWord vabits2;
4232 a++;
4243 }
4245 }
4254 }
4255 }
4256 }
4259 /* Check a zero-terminated ascii string. Tricky -- don't want to
4260 examine the actual bytes, to find the end, until we're sure it is
4261 safe to do so. */
4264 {
4265 UWord vabits2;
4276 // Error! Nb: Report addressability errors in preference to
4277 // definedness errors. And don't report definedeness errors unless
4278 // --undef-value-errors=yes.
4281 }
4284 }
4288 }
4290 }
4291 }
4292 /* Ok, a is safe to read. */
4295 }
4296 a++;
4297 }
4298 }
4301 /*------------------------------------------------------------*/
4302 /*--- Memory event handlers ---*/
4303 /*------------------------------------------------------------*/
4305 static
4308 {
4309 Addr bad_addr;
4325 }
4326 }
4327 }
4329 static
4332 {
4334 Addr bad_addr;
4350 /* If we're being asked to jump to a silly address, record an error
4351 message before potentially crashing the entire system. */
4358 }
4359 }
4360 }
4362 static
4365 {
4366 MC_ReadResult res;
4376 }
4377 }
4379 /* Handling of mmap and mprotect is not as simple as it seems.
4381 The underlying semantics are that memory obtained from mmap is
4382 always initialised, but may be inaccessible. And changes to the
4383 protection of memory do not change its contents and hence not its
4384 definedness state. Problem is we can't model
4385 inaccessible-but-with-some-definedness state; once we mark memory
4386 as inaccessible we lose all info about definedness, and so can't
4387 restore that if it is later made accessible again.
4389 One obvious thing to do is this:
4391 mmap/mprotect NONE -> noaccess
4392 mmap/mprotect other -> defined
4394 The problem case here is: taking accessible memory, writing
4395 uninitialised data to it, mprotecting it NONE and later mprotecting
4396 it back to some accessible state causes the undefinedness to be
4397 lost.
4399 A better proposal is:
4401 (1) mmap NONE -> make noaccess
4402 (2) mmap other -> make defined
4404 (3) mprotect NONE -> # no change
4405 (4) mprotect other -> change any "noaccess" to "defined"
4407 (2) is OK because memory newly obtained from mmap really is defined
4408 (zeroed out by the kernel -- doing anything else would
4409 constitute a massive security hole.)
4411 (1) is OK because the only way to make the memory usable is via
4412 (4), in which case we also wind up correctly marking it all as
4413 defined.
4415 (3) is the weak case. We choose not to change memory state.
4416 (presumably the range is in some mixture of "defined" and
4417 "undefined", viz, accessible but with arbitrary V bits). Doing
4418 nothing means we retain the V bits, so that if the memory is
4419 later mprotected "other", the V bits remain unchanged, so there
4420 can be no false negatives. The bad effect is that if there's
4421 an access in the area, then MC cannot warn; but at least we'll
4422 get a SEGV to show, so it's better than nothing.
4424 Consider the sequence (3) followed by (4). Any memory that was
4425 "defined" or "undefined" previously retains its state (as
4426 required). Any memory that was "noaccess" before can only have
4427 been made that way by (1), and so it's OK to change it to
4428 "defined".
4430 See https://bugs.kde.org/show_bug.cgi?id=205541
4431 and https://bugs.kde.org/show_bug.cgi?id=210268
4432 */
4433 static
4435 ULong di_handle )
4436 {
4438 /* (2) mmap/mprotect other -> defined */
4441 /* (1) mmap/mprotect NONE -> noaccess */
4443 }
4444 }
4446 static
4448 {
4450 /* (4) mprotect other -> change any "noaccess" to "defined" */
4453 /* (3) mprotect NONE -> # no change */
4454 /* do nothing */
4455 }
4456 }
4459 static
4462 {
4463 // Because code is defined, initialised variables get put in the data
4464 // segment and are defined, and uninitialised variables get put in the
4465 // bss segment and are auto-zeroed (and so defined).
4466 //
4467 // It's possible that there will be padding between global variables.
4468 // This will also be auto-zeroed, and marked as defined by Memcheck. If
4469 // a program uses it, Memcheck will not complain. This is arguably a
4470 // false negative, but it's a grey area -- the behaviour is defined (the
4471 // padding is zeroed) but it's probably not what the user intended. And
4472 // we can't avoid it.
4473 //
4474 // Note: we generally ignore RWX permissions, because we can't track them
4475 // without requiring more than one A bit which would slow things down a
4476 // lot. But on Darwin the 0th page is mapped but !R and !W and !X.
4477 // So we mark any such pages as "unaddressable".
4481 }
4483 static
4485 {
4487 }
4490 /*------------------------------------------------------------*/
4491 /*--- Register event handlers ---*/
4492 /*------------------------------------------------------------*/
4494 /* Try and get a nonzero origin for the guest state section of thread
4495 tid characterised by (offset,size). Return 0 if nothing to show
4496 for it. */
4499 {
4500 Int sh2off;
4502 UInt otag;
4515 }
4518 /* When some chunk of guest state is written, mark the corresponding
4519 shadow area as valid. This is used to initialise arbitrarily large
4520 chunks of guest state, hence the _SIZE value, which has to be as
4521 big as the biggest guest state.
4522 */
4525 {
4526 # define MAX_REG_WRITE_SIZE 1744
4531 # undef MAX_REG_WRITE_SIZE
4532 }
4534 static
4537 {
4539 }
4541 /* Look at the definedness of the guest's shadow state for
4542 [offset, offset+len). If any part of that is undefined, record
4543 a parameter error.
4544 */
4547 {
4548 Int i;
4549 Bool bad;
4550 UInt otag;
4562 }
4563 }
4568 /* We've found some undefinedness. See if we can also find an
4569 origin for it. */
4572 }
4575 /*------------------------------------------------------------*/
4576 /*--- Register-memory event handlers ---*/
4577 /*------------------------------------------------------------*/
4581 {
4582 SizeT i;
4583 UChar vbits8;
4584 Int offset;
4585 UInt d32;
4587 /* Slow loop. */
4592 }
4597 /* Track origins. */
4623 }
4626 }
4630 SizeT size )
4631 {
4632 SizeT i;
4633 UChar vbits8;
4634 Int offset;
4635 UInt d32;
4637 /* Slow loop. */
4642 }
4647 /* Track origins. */
4674 }
4675 }
4678 /*------------------------------------------------------------*/
4679 /*--- Some static assertions ---*/
4680 /*------------------------------------------------------------*/
4682 /* The handwritten assembly helpers below have baked-in assumptions
4683 about various constant values. These assertions attempt to make
4684 that a bit safer by checking those values and flagging changes that
4685 would make the assembly invalid. Not perfect but it's better than
4686 nothing. */
4709 /*------------------------------------------------------------*/
4710 /*--- Functions called directly from generated code: ---*/
4711 /*--- Load/store handlers. ---*/
4712 /*------------------------------------------------------------*/
4714 /* Types: LOADV32, LOADV16, LOADV8 are:
4715 UWord fn ( Addr a )
4716 so they return 32-bits on 32-bit machines and 64-bits on
4717 64-bit machines. Addr has the same size as a host word.
4719 LOADV64 is always ULong fn ( Addr a )
4721 Similarly for STOREV8, STOREV16, STOREV32, the supplied vbits
4722 are a UWord, and for STOREV64 they are a ULong.
4723 */
4725 /* If any part of '_a' indicated by the mask is 1, either '_a' is not
4726 naturally '_sz/8'-aligned, or it exceeds the range covered by the
4727 primary map. This is all very tricky (and important!), so let's
4728 work through the maths by hand (below), *and* assert for these
4729 values at startup. */
4730 #define MASK(_szInBytes) \
4731 ( ~((0x10000UL-(_szInBytes)) | ((N_PRIMARY_MAP-1) << 16)) )
4733 /* MASK only exists so as to define this macro. */
4734 #define UNALIGNED_OR_HIGH(_a,_szInBits) \
4735 ((_a) & MASK((_szInBits>>3)))
4737 /* On a 32-bit machine:
4739 N_PRIMARY_BITS == 16, so
4740 N_PRIMARY_MAP == 0x10000, so
4741 N_PRIMARY_MAP-1 == 0xFFFF, so
4742 (N_PRIMARY_MAP-1) << 16 == 0xFFFF0000, and so
4744 MASK(1) = ~ ( (0x10000 - 1) | 0xFFFF0000 )
4745 = ~ ( 0xFFFF | 0xFFFF0000 )
4746 = ~ 0xFFFF'FFFF
4747 = 0
4749 MASK(2) = ~ ( (0x10000 - 2) | 0xFFFF0000 )
4750 = ~ ( 0xFFFE | 0xFFFF0000 )
4751 = ~ 0xFFFF'FFFE
4752 = 1
4754 MASK(4) = ~ ( (0x10000 - 4) | 0xFFFF0000 )
4755 = ~ ( 0xFFFC | 0xFFFF0000 )
4756 = ~ 0xFFFF'FFFC
4757 = 3
4759 MASK(8) = ~ ( (0x10000 - 8) | 0xFFFF0000 )
4760 = ~ ( 0xFFF8 | 0xFFFF0000 )
4761 = ~ 0xFFFF'FFF8
4762 = 7
4764 Hence in the 32-bit case, "a & MASK(1/2/4/8)" is a nonzero value
4765 precisely when a is not 1/2/4/8-bytes aligned. And obviously, for
4766 the 1-byte alignment case, it is always a zero value, since MASK(1)
4767 is zero. All as expected.
4769 On a 64-bit machine, it's more complex, since we're testing
4770 simultaneously for misalignment and for the address being at or
4771 above 64G:
4773 N_PRIMARY_BITS == 20, so
4774 N_PRIMARY_MAP == 0x100000, so
4775 N_PRIMARY_MAP-1 == 0xFFFFF, so
4776 (N_PRIMARY_MAP-1) << 16 == 0xF'FFFF'0000, and so
4778 MASK(1) = ~ ( (0x10000 - 1) | 0xF'FFFF'0000 )
4779 = ~ ( 0xFFFF | 0xF'FFFF'0000 )
4780 = ~ 0xF'FFFF'FFFF
4781 = 0xFFFF'FFF0'0000'0000
4783 MASK(2) = ~ ( (0x10000 - 2) | 0xF'FFFF'0000 )
4784 = ~ ( 0xFFFE | 0xF'FFFF'0000 )
4785 = ~ 0xF'FFFF'FFFE
4786 = 0xFFFF'FFF0'0000'0001
4788 MASK(4) = ~ ( (0x10000 - 4) | 0xF'FFFF'0000 )
4789 = ~ ( 0xFFFC | 0xF'FFFF'0000 )
4790 = ~ 0xF'FFFF'FFFC
4791 = 0xFFFF'FFF0'0000'0003
4793 MASK(8) = ~ ( (0x10000 - 8) | 0xF'FFFF'0000 )
4794 = ~ ( 0xFFF8 | 0xF'FFFF'0000 )
4795 = ~ 0xF'FFFF'FFF8
4796 = 0xFFFF'FFF0'0000'0007
4797 */
4799 /*------------------------------------------------------------*/
4800 /*--- LOADV256 and LOADV128 ---*/
4801 /*------------------------------------------------------------*/
4803 static INLINE
4806 {
4809 #ifndef PERF_FAST_LOADV
4812 #else
4813 {
4823 }
4825 /* Handle common cases quickly: a (and a+8 and a+16 etc.) is
4826 suitably aligned, is mapped, and addressible. */
4832 // Convert V bits from compact memory form to expanded
4833 // register form.
4839 /* Slow case: some block of 8 bytes are not all-defined or
4840 all-undefined. */
4844 }
4845 }
4847 }
4848 #endif
4849 }
4852 {
4854 }
4856 {
4858 }
4861 {
4863 }
4865 {
4867 }
4869 /*------------------------------------------------------------*/
4870 /*--- LOADV64 ---*/
4871 /*------------------------------------------------------------*/
4873 static INLINE
4875 {
4878 #ifndef PERF_FAST_LOADV
4880 #else
4881 {
4888 }
4894 // Handle common case quickly: a is suitably aligned, is mapped, and
4895 // addressible.
4896 // Convert V bits from compact memory form to expanded register form.
4902 /* Slow case: the 8 bytes are not all-defined or all-undefined. */
4905 }
4906 }
4907 #endif
4908 }
4910 // Generic for all platforms
4912 {
4914 }
4916 // Non-generic assembly for arm32-linux
4917 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4918 && defined(VGP_arm_linux)
4919 /* See mc_main_asm.c */
4921 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
4922 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
4923 /* See mc_main_asm.c */
4925 #else
4926 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
4928 {
4930 }
4931 #endif
4933 /*------------------------------------------------------------*/
4934 /*--- STOREV64 ---*/
4935 /*------------------------------------------------------------*/
4937 static INLINE
4939 {
4942 #ifndef PERF_FAST_STOREV
4943 // XXX: this slow case seems to be marginally faster than the fast case!
4944 // Investigate further.
4946 #else
4947 {
4955 }
4961 // To understand the below cleverness, see the extensive comments
4962 // in MC_(helperc_STOREV8).
4966 }
4970 }
4974 }
4978 }
4982 }
4986 }
4990 }
4991 #endif
4992 }
4995 {
4997 }
4999 {
5001 }
5003 /*------------------------------------------------------------*/
5004 /*--- LOADV32 ---*/
5005 /*------------------------------------------------------------*/
5007 static INLINE
5009 {
5012 #ifndef PERF_FAST_LOADV
5014 #else
5015 {
5022 }
5028 // Handle common case quickly: a is suitably aligned, is mapped, and the
5029 // entire word32 it lives in is addressible.
5030 // Convert V bits from compact memory form to expanded register form.
5031 // For 64-bit platforms, set the high 32 bits of retval to 1 (undefined).
5032 // Almost certainly not necessary, but be paranoid.
5038 /* Slow case: the 4 bytes are not all-defined or all-undefined. */
5041 }
5042 }
5043 #endif
5044 }
5046 // Generic for all platforms
5048 {
5050 }
5052 // Non-generic assembly for arm32-linux
5053 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5054 && defined(VGP_arm_linux)
5055 /* See mc_main_asm.c */
5057 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5058 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5059 /* See mc_main_asm.c */
5061 #else
5062 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5064 {
5066 }
5067 #endif
5069 /*------------------------------------------------------------*/
5070 /*--- STOREV32 ---*/
5071 /*------------------------------------------------------------*/
5073 static INLINE
5075 {
5078 #ifndef PERF_FAST_STOREV
5080 #else
5081 {
5089 }
5095 // To understand the below cleverness, see the extensive comments
5096 // in MC_(helperc_STOREV8).
5100 }
5104 }
5108 }
5112 }
5116 }
5120 }
5124 }
5125 #endif
5126 }
5129 {
5131 }
5133 {
5135 }
5137 /*------------------------------------------------------------*/
5138 /*--- LOADV16 ---*/
5139 /*------------------------------------------------------------*/
5141 static INLINE
5143 {
5146 #ifndef PERF_FAST_LOADV
5148 #else
5149 {
5156 }
5161 // Handle common case quickly: a is suitably aligned, is mapped, and is
5162 // addressible.
5163 // Convert V bits from compact memory form to expanded register form
5167 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5168 // the two sub-bytes.
5173 /* Slow case: the two bytes are not all-defined or all-undefined. */
5176 }
5177 }
5178 }
5179 #endif
5180 }
5182 // Generic for all platforms
5184 {
5186 }
5188 // Non-generic assembly for arm32-linux
5189 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5190 && defined(VGP_arm_linux)
5218 // r1 holds sec-map-VABITS8. r0 holds the address and is 2-aligned.
5219 // Extract the relevant 4 bits and inspect.
5239 );
5241 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5242 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5284 );
5286 #else
5287 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5289 {
5291 }
5292 #endif
5294 /*------------------------------------------------------------*/
5295 /*--- STOREV16 ---*/
5296 /*------------------------------------------------------------*/
5298 /* True if the vabits4 in vabits8 indicate a and a+1 are accessible. */
5299 static INLINE
5301 {
5302 UInt shift;
5306 // check 2 x vabits2 != VA_BITS2_NOACCESS
5309 }
5311 static INLINE
5313 {
5316 #ifndef PERF_FAST_STOREV
5318 #else
5319 {
5327 }
5333 // To understand the below cleverness, see the extensive comments
5334 // in MC_(helperc_STOREV8).
5338 }
5344 }
5347 }
5351 }
5357 }
5361 }
5365 }
5366 #endif
5367 }
5371 {
5373 }
5375 {
5377 }
5379 /*------------------------------------------------------------*/
5380 /*--- LOADV8 ---*/
5381 /*------------------------------------------------------------*/
5383 /* Note: endianness is irrelevant for size == 1 */
5385 // Non-generic assembly for arm32-linux
5386 #if ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5387 && defined(VGP_arm_linux)
5412 // r1 holds sec-map-VABITS8
5413 // r0 holds the address. Extract the relevant 2 bits and inspect.
5432 );
5434 /* Non-generic assembly for x86-linux */
5435 #elif ENABLE_ASSEMBLY_HELPERS && defined(PERF_FAST_LOADV) \
5436 && (defined(VGP_x86_linux) || defined(VGP_x86_solaris))
5475 );
5477 #else
5478 // Generic for all platforms except {arm32,x86}-linux and x86-solaris
5481 {
5484 #ifndef PERF_FAST_LOADV
5486 #else
5487 {
5494 }
5499 // Convert V bits from compact memory form to expanded register form
5500 // Handle common case quickly: a is mapped, and the entire
5501 // word32 it lives in is addressible.
5505 // The 4 (yes, 4) bytes are not all-defined or all-undefined, check
5506 // the single byte.
5511 /* Slow case: the byte is not all-defined or all-undefined. */
5514 }
5515 }
5516 }
5517 #endif
5518 }
5519 #endif
5521 /*------------------------------------------------------------*/
5522 /*--- STOREV8 ---*/
5523 /*------------------------------------------------------------*/
5527 {
5530 #ifndef PERF_FAST_STOREV
5532 #else
5533 {
5541 }
5547 // Clevernesses to speed up storing V bits.
5548 // The 64/32/16 bit cases also have similar clevernesses, but it
5549 // works a little differently to the code below.
5550 //
5551 // Cleverness 1: sometimes we don't have to write the shadow memory at
5552 // all, if we can tell that what we want to write is the same as what is
5553 // already there. These cases are marked below as "defined on defined" and
5554 // "undefined on undefined".
5555 //
5556 // Cleverness 2:
5557 // We also avoid to call mc_STOREVn_slow if the V bits can directly
5558 // be written in the secondary map. V bits can be directly written
5559 // if 4 conditions are respected:
5560 // * The address for which V bits are written is naturally aligned
5561 // on 1 byte for STOREV8 (this is always true)
5562 // on 2 bytes for STOREV16
5563 // on 4 bytes for STOREV32
5564 // on 8 bytes for STOREV64.
5565 // * V bits being written are either fully defined or fully undefined.
5566 // (for partially defined V bits, V bits cannot be directly written,
5567 // as the secondary vbits table must be maintained).
5568 // * the secmap is not distinguished (distinguished maps cannot be
5569 // modified).
5570 // * the memory corresponding to the V bits being written is
5571 // accessible (if one or more bytes are not accessible,
5572 // we must call mc_STOREVn_slow in order to report accessibility
5573 // errors).
5574 // Note that for STOREV32 and STOREV64, it is too expensive
5575 // to verify the accessibility of each byte for the benefit it
5576 // brings. Instead, a quicker check is done by comparing to
5577 // VA_BITS(8|16)_(UN)DEFINED. This guarantees accessibility,
5578 // but misses some opportunity of direct modifications.
5579 // Checking each byte accessibility was measured for
5580 // STOREV32+perf tests and was slowing down all perf tests.
5581 // The cases corresponding to cleverness 2 are marked below as
5582 // "direct mod".
5586 }
5589 // direct mod
5593 }
5597 }
5601 }
5603 && (VA_BITS2_NOACCESS
5605 // direct mod
5609 }
5613 }
5615 // Partially defined word
5618 }
5619 #endif
5620 }
5623 /*------------------------------------------------------------*/
5624 /*--- Functions called directly from generated code: ---*/
5625 /*--- Value-check failure handlers. ---*/
5626 /*------------------------------------------------------------*/
5628 /* Call these ones when an origin is available ... */
5632 }
5637 }
5642 }
5647 }
5652 }
5654 /* ... and these when an origin isn't available. */
5659 }
5664 }
5669 }
5674 }
5679 }
5682 /*------------------------------------------------------------*/
5683 /*--- Metadata get/set functions, for client requests. ---*/
5684 /*------------------------------------------------------------*/
5686 // Nb: this expands the V+A bits out into register-form V bits, even though
5687 // they're in memory. This is for backward compatibility, and because it's
5688 // probably what the user wants.
5690 /* Copy Vbits from/to address 'a'. Returns: 1 == OK, 2 == alignment
5691 error [no longer used], 3 == addressing error. */
5692 /* Nb: We used to issue various definedness/addressability errors from here,
5693 but we took them out because they ranged from not-very-helpful to
5694 downright annoying, and they complicated the error data structures. */
5696 Addr a,
5697 Addr vbits,
5698 SizeT szB,
5700 Bool is_client_request /* True <=> real user request
5701 False <=> internal call from gdbserver */
5702 )
5703 {
5704 SizeT i;
5705 Bool ok;
5706 UChar vbits8;
5708 /* Check that arrays are addressible before doing any getting/setting.
5709 vbits to be checked only for real user request. */
5714 }
5715 }
5717 /* Do the copy */
5719 /* setting */
5723 }
5725 /* getting */
5730 }
5732 // The bytes in vbits[] have now been set, so mark them as such.
5734 }
5737 }
5740 /*------------------------------------------------------------*/
5741 /*--- Detecting leaked (unreachable) malloc'd blocks. ---*/
5742 /*------------------------------------------------------------*/
5744 /* For the memory leak detector, say whether an entire 64k chunk of
5745 address space is possibly in use, or not. If in doubt return
5746 True.
5747 */
5749 {
5752 /* Definitely not in use. */
5756 }
5757 }
5760 /* For the memory leak detector, say whether or not a given word
5761 address is to be regarded as valid. */
5763 {
5771 }
5774 else
5776 }
5779 /*------------------------------------------------------------*/
5780 /*--- Initialisation ---*/
5781 /*------------------------------------------------------------*/
5784 {
5785 Int i;
5793 /* Build the 3 distinguished secondaries */
5803 /* Set up the primary map. */
5804 /* These entries gradually get overwritten as the used address
5805 space expands. */
5809 /* Auxiliary primary maps */
5812 /* auxmap_size = auxmap_used = 0;
5813 no ... these are statically initialised */
5815 /* Secondary V bit table */
5817 }
5820 /*------------------------------------------------------------*/
5821 /*--- Sanity check machinery (permanently engaged) ---*/
5822 /*------------------------------------------------------------*/
5825 {
5826 n_sanity_cheap++;
5828 /* Check for sane operating level */
5831 /* nothing else useful we can rapidly check */
5833 }
5836 {
5837 Int i;
5838 Word n_secmaps_found;
5846 n_sanity_expensive++;
5849 /* Check for sane operating level */
5853 /* Check that the 3 distinguished SMs are still as they should be. */
5855 /* Check noaccess DSM. */
5861 /* Check undefined DSM. */
5867 /* Check defined DSM. */
5877 }
5879 /* If we're not checking for undefined value errors, the secondary V bit
5880 * table should be empty. */
5884 }
5886 /* check the auxiliary maps, very thoroughly */
5892 }
5894 /* n_secmaps_found is now the number referred to by the auxiliary
5895 primary map. Now add on the ones referred to by the main
5896 primary map. */
5902 n_secmaps_found++;
5903 }
5904 }
5906 /* check that the number of secmaps issued matches the number that
5907 are reachable (iow, no secmap leaks) */
5915 }
5921 }
5923 /* there is only one pointer to each secmap (expensive) */
5926 }
5928 /*------------------------------------------------------------*/
5929 /*--- Command line args ---*/
5930 /*------------------------------------------------------------*/
5932 /* 31 Aug 2015: Vectorised code is now so widespread that
5933 --partial-loads-ok needs to be enabled by default on all platforms.
5934 Not doing so causes lots of false errors. */
5955 ExpensiveDefinednessChecks
5964 /* The first heuristic value (LchNone) has no keyword, as this is
5965 a fake heuristic used to collect the blocks found without any
5966 heuristic. */
5969 {
5971 Int tmp_show;
5975 /* Set MC_(clo_mc_level):
5976 1 = A bit tracking only
5977 2 = A and V bit tracking, but no V bit origins
5978 3 = A and V bit tracking, and V bit origins
5980 Do this by inspecting --undef-value-errors= and
5981 --track-origins=. Reject the case --undef-value-errors=no
5982 --track-origins=yes as meaningless.
5983 */
5993 }
5994 }
5995 }
6002 }
6006 }
6007 }
6023 }
6024 }
6030 }
6031 }
6062 "ERROR: --ignore-ranges: "
6065 }
6067 UInt i;
6083 }
6084 }
6085 }
6086 }
6089 /* This seems at first a bit weird, but: in order to imply
6090 a non-wrapped-around address range, the first offset needs to be
6091 larger than the second one. For example
6092 --ignore-range-below-sp=8192,8189
6093 would cause accesses to in the range [SP-8192, SP-8189] to be
6094 ignored. */
6097 // Ensure we used all the text after the '=' sign.
6101 "ERROR: --ignore-range-below-sp: invalid syntax. "
6104 }
6107 "ERROR: --ignore-range-below-sp: suspiciously large "
6110 }
6113 "ERROR: --ignore-range-below-sp: invalid offsets "
6116 }
6120 "ERROR: --ignore-range-below-sp: suspiciously large "
6123 }
6128 }
6159 else
6165 bad_level:
6169 }
6172 {
6210 );
6211 }
6214 {
6217 );
6218 }
6221 /*------------------------------------------------------------*/
6222 /*--- Client blocks ---*/
6223 /*------------------------------------------------------------*/
6225 /* Client block management:
6227 This is managed as an expanding array of client block descriptors.
6228 Indices of live descriptors are issued to the client, so it can ask
6229 to free them later. Therefore we cannot slide live entries down
6230 over dead ones. Instead we must use free/inuse flags and scan for
6231 an empty slot at allocation time. This in turn means allocation is
6232 relatively expensive, so we hope this does not happen too often.
6234 An unused block has start == size == 0
6235 */
6237 /* type CGenBlock is defined in mc_include.h */
6239 /* This subsystem is self-initialising. */
6244 /* Stats for this subsystem. */
6251 /* Get access to the client block array. */
6254 {
6257 }
6260 static
6262 {
6266 cgb_allocs++;
6269 cgb_search++;
6272 }
6274 /* Not found. Try to allocate one at the end. */
6276 cgb_used++;
6278 }
6280 /* Ok, we have to allocate a new one. */
6293 cgb_used++;
6297 }
6301 {
6305 );
6306 }
6308 {
6310 (
6356 }
6358 /* Print szB bytes at address, with a format similar to the gdb command
6359 x /<szB>xb address.
6360 res[i] == 1 indicates the corresponding byte is addressable. */
6362 {
6363 UInt i;
6371 }
6374 else
6376 }
6378 }
6381 /* Returns the address of the next non space character,
6382 or address of the string terminator. */
6384 {
6386 s++;
6388 }
6390 /* Parse an integer slice, i.e. a single integer or a range of integer.
6391 Syntax is:
6392 <integer>[..<integer> ]
6393 (spaces are allowed before and/or after ..).
6394 Return True if range correctly parsed, False otherwise. */
6397 {
6403 /* slice must start with an integer. */
6407 }
6412 }
6415 /* wl token is an integer terminating the string
6416 or else next token does not start with .
6417 In both cases, the slice is a single integer. */
6420 }
6423 // iii .. => get the next token
6426 // It must be iii..
6430 }
6432 // It must be iii.. jjj => get the next token
6435 // It must be iii..jjj
6437 }
6438 }
6444 }
6450 }
6453 }
6455 /* return True if request recognised, False otherwise */
6457 {
6465 /* NB: if possible, avoid introducing a new command below which
6466 starts with the same first letter(s) as an already existing
6467 command. This ensures a shorter abbreviation for the user. */
6480 Addr address;
6483 UChar vbits;
6484 Int i;
6487 Int res = mc_get_or_set_vbits_for_client
6491 /* we are before the first character on next line, print a \n. */
6494 /* we are before the next block of 4 starts, print a space. */
6501 unaddressable++;
6503 }
6504 }
6510 }
6511 }
6513 }
6516 LeakCheckParams lcp;
6534 "kinds reachable possibleleak definiteleak "
6535 "heuristics "
6536 "increased changed any "
6547 xt_filename
6557 wcmd,
6560 err++;
6561 }
6563 }
6568 lcp.show_leak_kinds
6579 wcmd,
6582 err++;
6583 }
6585 }
6595 Int int_value;
6606 }
6611 else
6615 }
6618 }
6619 }
6625 }
6628 Addr address;
6644 }
6646 }
6649 Addr address;
6651 Addr bad_addr;
6652 UInt okind;
6654 UInt otag;
6655 UInt ecu;
6657 MC_ReadResult res;
6671 else
6675 // Describe this (probably live) address with current epoch
6696 }
6705 }
6706 }
6707 else
6710 // Describe this (probably live) address with current epoch
6714 }
6716 }
6726 Int int_value;
6743 }
6748 }
6753 }
6761 wcmd,
6765 }
6769 }
6770 }
6771 /* substract 1 from lr_nr_from/lr_nr_to as what is shown to the user
6772 is 1 more than the index in lr_array. */
6775 limit_blocks,
6776 heuristics))
6778 }
6780 }
6783 Addr address;
6791 }
6794 }
6797 Addr address;
6802 Int i;
6806 /* We going to print the first vabits of a new line.
6807 Terminate the previous line if needed: prints a line with the
6808 address and the data. */
6813 }
6815 }
6824 unaddressable++;
6826 }
6827 }
6831 else
6837 }
6838 }
6840 }
6847 }
6852 }
6853 }
6855 /*------------------------------------------------------------*/
6856 /*--- Client requests ---*/
6857 /*------------------------------------------------------------*/
6860 {
6861 Int i;
6862 Addr bad_addr;
6888 }
6899 );
6903 }
6907 }
6908 /* Return the lower of the two erring addresses, if any. */
6912 }
6915 }
6918 }
6920 }
6923 LeakCheckParams lcp;
6933 }
6950 }
6958 }
6967 MC_OKIND_USER );
6984 /* VG_(printf)("allocated %d %p\n", i, cgbs); */
7003 cgb_discards++;
7005 }
7024 // MC_(bytes_leaked) et al were set by the last leak check (or zero
7025 // if no prior leak checks performed).
7030 // there is no argp[5]
7031 //*argp[5] = MC_(bytes_indirect);
7032 // XXX need to make *argp[1-4] defined; currently done in the
7033 // VALGRIND_COUNT_LEAKS_MACRO by initialising them to zero.
7036 }
7039 // MC_(blocks_leaked) et al were set by the last leak check (or zero
7040 // if no prior leak checks performed).
7045 // there is no argp[5]
7046 //*argp[5] = MC_(blocks_indirect);
7047 // XXX need to make *argp[1-4] defined; currently done in the
7048 // VALGRIND_COUNT_LEAK_BLOCKS_MACRO by initialising them to zero.
7051 }
7063 }
7065 }
7074 }
7081 }
7090 }
7098 // The create_mempool function does not know these mempool flags,
7099 // pass as booleans.
7104 }
7111 }
7120 }
7128 }
7137 }
7145 }
7155 }
7162 }
7168 else
7171 }
7175 Bool addRange
7177 Bool ok
7181 }
7185 Vg_UserMsg,
7188 );
7190 }
7192 }
7195 /*------------------------------------------------------------*/
7196 /*--- Crude profiling machinery. ---*/
7197 /*------------------------------------------------------------*/
7199 // We track a number of interesting events (using PROF_EVENT)
7200 // if MC_PROFILE_MEMORY is defined.
7202 #ifdef MC_PROFILE_MEMORY
7206 /* Event counter names. Use the name of the function that increases the
7207 event counter. Drop any MC_() and mc_ prefices. */
7335 };
7338 {
7345 }
7347 /* Make sure every profiling event has a name */
7349 }
7352 {
7359 }
7366 }
7367 }
7368 }
7370 #else
7375 #endif
7378 /*------------------------------------------------------------*/
7379 /*--- Origin tracking stuff ---*/
7380 /*------------------------------------------------------------*/
7382 /*--------------------------------------------*/
7383 /*--- Origin tracking: load handlers ---*/
7384 /*--------------------------------------------*/
7388 }
7392 UChar descr;
7398 }
7405 }
7411 }
7412 }
7416 UChar descr;
7420 /* Handle misaligned case, slowly. */
7424 }
7431 }
7437 }
7443 }
7444 }
7448 UChar descr;
7449 UWord lineoff;
7452 /* Handle misaligned case, slowly. */
7456 }
7461 }
7468 }
7474 }
7475 }
7480 UWord lineoff;
7483 /* Handle misaligned case, slowly. */
7487 }
7492 }
7501 }
7509 }
7510 }
7517 }
7527 }
7530 /*--------------------------------------------*/
7531 /*--- Origin tracking: store handlers ---*/
7532 /*--------------------------------------------*/
7541 }
7550 }
7551 }
7558 /* Handle misaligned case, slowly. */
7562 }
7569 }
7578 }
7579 }
7583 UWord lineoff;
7586 /* Handle misaligned case, slowly. */
7590 }
7595 }
7604 }
7605 }
7609 UWord lineoff;
7612 /* Handle misaligned case, slowly. */
7616 }
7621 }
7633 }
7634 }
7639 }
7646 }
7649 /*--------------------------------------------*/
7650 /*--- Origin tracking: sarp handlers ---*/
7651 /*--------------------------------------------*/
7657 a++;
7658 len--;
7659 }
7664 }
7671 }
7676 }
7679 //a++;
7680 len--;
7681 }
7683 }
7689 a++;
7690 len--;
7691 }
7696 }
7703 }
7708 }
7711 //a++;
7712 len--;
7713 }
7715 }
7718 /*------------------------------------------------------------*/
7719 /*--- Setup and finalisation ---*/
7720 /*------------------------------------------------------------*/
7723 {
7724 /* If we've been asked to emit XML, mash around various other
7725 options so as to constrain the output somewhat. */
7727 /* Extract as much info as possible from the leak checker. */
7729 }
7738 }
7746 );
7747 }
7752 /* We're doing origin tracking. */
7753 # ifdef PERF_FAST_STACK
7763 # endif
7767 /* Not doing origin tracking */
7768 # ifdef PERF_FAST_STACK
7778 # endif
7781 }
7783 // We assume that brk()/sbrk() does not initialise new memory. Is this
7784 // accurate? John Reiser says:
7785 //
7786 // 0) sbrk() can *decrease* process address space. No zero fill is done
7787 // for a decrease, not even the fragment on the high end of the last page
7788 // that is beyond the new highest address. For maximum safety and
7789 // portability, then the bytes in the last page that reside above [the
7790 // new] sbrk(0) should be considered to be uninitialized, but in practice
7791 // it is exceedingly likely that they will retain their previous
7792 // contents.
7793 //
7794 // 1) If an increase is large enough to require new whole pages, then
7795 // those new whole pages (like all new pages) are zero-filled by the
7796 // operating system. So if sbrk(0) already is page aligned, then
7797 // sbrk(PAGE_SIZE) *does* zero-fill the new memory.
7798 //
7799 // 2) Any increase that lies within an existing allocated page is not
7800 // changed. So if (x = sbrk(0)) is not page aligned, then
7801 // sbrk(PAGE_SIZE) yields ((PAGE_SIZE -1) & -x) bytes which keep their
7802 // existing contents, and an additional PAGE_SIZE bytes which are zeroed.
7803 // ((PAGE_SIZE -1) & x) of them are "covered" by the sbrk(), and the rest
7804 // of them come along for the ride because the operating system deals
7805 // only in whole pages. Again, for maximum safety and portability, then
7806 // anything that lives above [the new] sbrk(0) should be considered
7807 // uninitialized, but in practice will retain previous contents [zero in
7808 // this case.]"
7809 //
7810 // In short:
7811 //
7812 // A key property of sbrk/brk is that new whole pages that are supplied
7813 // by the operating system *do* get initialized to zero.
7814 //
7815 // As for the portability of all this:
7816 //
7817 // sbrk and brk are not POSIX. However, any system that is a derivative
7818 // of *nix has sbrk and brk because there are too many software (such as
7819 // the Bourne shell) which rely on the traditional memory map (.text,
7820 // .data+.bss, stack) and the existence of sbrk/brk.
7821 //
7822 // So we should arguably observe all this. However:
7823 // - The current inaccuracy has caused maybe one complaint in seven years(?)
7824 // - Relying on the zeroed-ness of whole brk'd pages is pretty grotty... I
7825 // doubt most programmers know the above information.
7826 // So I'm not terribly unhappy with marking it as undefined. --njn.
7827 //
7828 // [More: I think most of what John said only applies to sbrk(). It seems
7829 // that brk() always deals in whole pages. And since this event deals
7830 // directly with brk(), not with sbrk(), perhaps it would be reasonable to
7831 // just mark all memory it allocates as defined.]
7832 //
7833 # if !defined(VGO_solaris)
7836 else
7838 # else
7839 // On Solaris, brk memory has to be marked as defined, otherwise we get
7840 // many false positives.
7842 # endif
7844 /* This origin tracking cache is huge (~100M), so only initialise
7845 if we need it. */
7853 }
7862 /* Do not check definedness of guest state if --undef-value-errors=no */
7870 "To use --xtree-memory=full, you must"
7872 // Activate full xtree memory profiling.
7874 }
7876 }
7879 {
7882 type,
7883 n_SMs,
7886 }
7889 {
7899 n_auxmap_L2_nodes,
7907 );
7910 n_auxmap_L2_searches, n_auxmap_L2_nodes
7911 );
7920 // Three DSMs, plus the non-DSM ones
7922 // The 3*sizeof(Word) bytes is the AVL node metadata size.
7923 // The VG_ROUNDUP is because the OSet pool allocator will/must align
7924 // the elements on pointer size.
7925 // Note that the pool allocator has some additional small overhead
7926 // which is not counted in the below.
7927 // Hardwiring this logic sucks, but I don't see how else to do it.
7947 stats_ocacheL1_find,
7948 stats_ocacheL1_misses,
7949 stats_ocacheL1_lossage );
7952 stats_ocacheL1_find - stats_ocacheL1_misses
7953 - stats_ocacheL1_found_at_1
7955 stats_ocacheL1_found_at_1 );
7958 stats_ocacheL1_found_at_N,
7959 stats_ocacheL1_movefwds );
7966 stats__ocacheL2_refs,
7967 stats__ocacheL2_misses );
7970 stats__ocacheL2_n_nodes_max,
7971 stats__ocacheL2_n_nodes );
7978 }
7979 }
7983 {
7988 LeakCheckParams lcp;
8003 }
8004 else
8014 );
8015 }
8016 }
8021 "Use --track-origins=yes to see where "
8023 }
8025 /* Print a warning if any client-request generated ignore-ranges
8026 still exist. It would be reasonable to expect that a properly
8027 written program would remove any such ranges before exiting, and
8028 since they are a bit on the dangerous side, let's comment. By
8029 contrast ranges which are specified on the command line normally
8030 pertain to hardware mapped into the address space, and so we
8031 can't expect the client to have got rid of them. */
8042 /* Print the offending range. Also, if it is the first,
8043 print a banner before it. */
8044 nBad++;
8049 "WARNING: "
8051 "WARNING: "
8053 );
8054 }
8057 }
8058 }
8069 }
8070 }
8072 /* mark the given addr/len unaddressable for watchpoint implementation
8073 The PointKind will be handled at access time */
8076 {
8077 /* GDBTD this is somewhat fishy. We might rather have to save the previous
8078 accessibility and definedness in gdbserver so as to allow restoring it
8079 properly. Currently, we assume that the user only watches things
8080 which are properly addressable and defined */
8083 else
8086 }
8089 {
8100 mc_fini);
8121 mc_print_usage,
8122 mc_print_debug_usage);
8125 mc_expensive_sanity_check);
8138 MC_MALLOC_DEFAULT_REDZONE_SZB );
8145 // Handling of mmap and mprotect isn't simple (well, it is simple,
8146 // but the justification isn't.) See comments above, just prior to
8147 // mc_new_mem_mmap.
8157 /* Defer the specification of the new_mem_stack functions to the
8158 post_clo_init function, since we need to first parse the command
8159 line before deciding which set to use. */
8161 # ifdef PERF_FAST_STACK
8171 # endif
8187 }
8192 // MC_(chunk_poolalloc) must be allocated in post_clo_init
8200 // {LOADV,STOREV}[8421] will all fail horribly if this isn't true.
8202 // Call me paranoid. I don't care.
8205 // BYTES_PER_SEC_VBIT_NODE must be a power of two.
8208 /* This is small. Always initialise it. */
8211 /* We can't initialise ocacheL1/ocacheL2 yet, since we don't know
8212 if we need to, since the command line args haven't been
8213 processed yet. Hence defer it to mc_post_clo_init. */
8217 /* Check some important stuff. See extensive comments above
8218 re UNALIGNED_OR_HIGH for background. */
8219 # if VG_WORDSIZE == 4
8229 # else
8240 # endif
8242 /* Check some assertions to do with the instrumentation machinery. */
8244 }
8250 /*--------------------------------------------------------------------*/
8251 /*--- end mc_main.c ---*/
8252 /*--------------------------------------------------------------------*/