1 //===-- IRDynamicChecks.cpp -------------------------------------------*- C++ -*-===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9
10 #include "lldb/Expression/IRDynamicChecks.h"
11
12 #include "lldb/Core/ConstString.h"
13 #include "lldb/Core/Log.h"
14 #include "lldb/Expression/ClangUtilityFunction.h"
15 #include "lldb/Target/ExecutionContext.h"
16 #include "lldb/Target/ObjCLanguageRuntime.h"
17 #include "lldb/Target/Process.h"
18 #include "lldb/Target/StackFrame.h"
19
20 #include "llvm/Support/raw_ostream.h"
21 #include "llvm/IR/Constants.h"
22 #include "llvm/IR/Function.h"
23 #include "llvm/IR/Instructions.h"
24 #include "llvm/IR/Module.h"
25 #include "llvm/IR/Value.h"
26
27 using namespace llvm;
28 using namespace lldb_private;
29
30 static char ID;
31
32 #define VALID_POINTER_CHECK_NAME "$__lldb_valid_pointer_check"
33 #define VALID_OBJC_OBJECT_CHECK_NAME "$__lldb_objc_object_check"
34
35 static const char g_valid_pointer_check_text[] =
36 "extern \"C\" void\n"
37 "$__lldb_valid_pointer_check (unsigned char *$__lldb_arg_ptr)\n"
38 "{\n"
39 " unsigned char $__lldb_local_val = *$__lldb_arg_ptr;\n"
40 "}";
41
DynamicCheckerFunctions()42 DynamicCheckerFunctions::DynamicCheckerFunctions ()
43 {
44 }
45
~DynamicCheckerFunctions()46 DynamicCheckerFunctions::~DynamicCheckerFunctions ()
47 {
48 }
49
50 bool
Install(Stream & error_stream,ExecutionContext & exe_ctx)51 DynamicCheckerFunctions::Install(Stream &error_stream,
52 ExecutionContext &exe_ctx)
53 {
54 m_valid_pointer_check.reset(new ClangUtilityFunction(g_valid_pointer_check_text,
55 VALID_POINTER_CHECK_NAME));
56 if (!m_valid_pointer_check->Install(error_stream, exe_ctx))
57 return false;
58
59 Process *process = exe_ctx.GetProcessPtr();
60
61 if (process)
62 {
63 ObjCLanguageRuntime *objc_language_runtime = process->GetObjCLanguageRuntime();
64
65 if (objc_language_runtime)
66 {
67 m_objc_object_check.reset(objc_language_runtime->CreateObjectChecker(VALID_OBJC_OBJECT_CHECK_NAME));
68
69 if (!m_objc_object_check->Install(error_stream, exe_ctx))
70 return false;
71 }
72 }
73
74 return true;
75 }
76
77 bool
DoCheckersExplainStop(lldb::addr_t addr,Stream & message)78 DynamicCheckerFunctions::DoCheckersExplainStop (lldb::addr_t addr, Stream &message)
79 {
80 // FIXME: We have to get the checkers to know why they scotched the call in more detail,
81 // so we can print a better message here.
82 if (m_valid_pointer_check.get() != NULL && m_valid_pointer_check->ContainsAddress(addr))
83 {
84 message.Printf ("Attempted to dereference an invalid pointer.");
85 return true;
86 }
87 else if (m_objc_object_check.get() != NULL && m_objc_object_check->ContainsAddress(addr))
88 {
89 message.Printf ("Attempted to dereference an invalid ObjC Object or send it an unrecognized selector");
90 return true;
91 }
92 return false;
93 }
94
95
96 static std::string
PrintValue(llvm::Value * V,bool truncate=false)97 PrintValue(llvm::Value *V, bool truncate = false)
98 {
99 std::string s;
100 raw_string_ostream rso(s);
101 V->print(rso);
102 rso.flush();
103 if (truncate)
104 s.resize(s.length() - 1);
105 return s;
106 }
107
108 //----------------------------------------------------------------------
109 /// @class Instrumenter IRDynamicChecks.cpp
110 /// @brief Finds and instruments individual LLVM IR instructions
111 ///
112 /// When instrumenting LLVM IR, it is frequently desirable to first search
113 /// for instructions, and then later modify them. This way iterators
114 /// remain intact, and multiple passes can look at the same code base without
115 /// treading on each other's toes.
116 ///
117 /// The Instrumenter class implements this functionality. A client first
118 /// calls Inspect on a function, which populates a list of instructions to
119 /// be instrumented. Then, later, when all passes' Inspect functions have
120 /// been called, the client calls Instrument, which adds the desired
121 /// instrumentation.
122 ///
123 /// A subclass of Instrumenter must override InstrumentInstruction, which
124 /// is responsible for adding whatever instrumentation is necessary.
125 ///
126 /// A subclass of Instrumenter may override:
127 ///
128 /// - InspectInstruction [default: does nothing]
129 ///
130 /// - InspectBasicBlock [default: iterates through the instructions in a
131 /// basic block calling InspectInstruction]
132 ///
133 /// - InspectFunction [default: iterates through the basic blocks in a
134 /// function calling InspectBasicBlock]
135 //----------------------------------------------------------------------
136 class Instrumenter {
137 public:
138 //------------------------------------------------------------------
139 /// Constructor
140 ///
141 /// @param[in] module
142 /// The module being instrumented.
143 //------------------------------------------------------------------
Instrumenter(llvm::Module & module,DynamicCheckerFunctions & checker_functions)144 Instrumenter (llvm::Module &module,
145 DynamicCheckerFunctions &checker_functions) :
146 m_module(module),
147 m_checker_functions(checker_functions),
148 m_i8ptr_ty(NULL)
149 {
150 }
151
~Instrumenter()152 virtual~Instrumenter ()
153 {
154 }
155
156 //------------------------------------------------------------------
157 /// Inspect a function to find instructions to instrument
158 ///
159 /// @param[in] function
160 /// The function to inspect.
161 ///
162 /// @return
163 /// True on success; false on error.
164 //------------------------------------------------------------------
Inspect(llvm::Function & function)165 bool Inspect (llvm::Function &function)
166 {
167 return InspectFunction(function);
168 }
169
170 //------------------------------------------------------------------
171 /// Instrument all the instructions found by Inspect()
172 ///
173 /// @return
174 /// True on success; false on error.
175 //------------------------------------------------------------------
Instrument()176 bool Instrument ()
177 {
178 for (InstIterator ii = m_to_instrument.begin(), last_ii = m_to_instrument.end();
179 ii != last_ii;
180 ++ii)
181 {
182 if (!InstrumentInstruction(*ii))
183 return false;
184 }
185
186 return true;
187 }
188 protected:
189 //------------------------------------------------------------------
190 /// Add instrumentation to a single instruction
191 ///
192 /// @param[in] inst
193 /// The instruction to be instrumented.
194 ///
195 /// @return
196 /// True on success; false otherwise.
197 //------------------------------------------------------------------
198 virtual bool InstrumentInstruction(llvm::Instruction *inst) = 0;
199
200 //------------------------------------------------------------------
201 /// Register a single instruction to be instrumented
202 ///
203 /// @param[in] inst
204 /// The instruction to be instrumented.
205 //------------------------------------------------------------------
RegisterInstruction(llvm::Instruction & i)206 void RegisterInstruction(llvm::Instruction &i)
207 {
208 m_to_instrument.push_back(&i);
209 }
210
211 //------------------------------------------------------------------
212 /// Determine whether a single instruction is interesting to
213 /// instrument, and, if so, call RegisterInstruction
214 ///
215 /// @param[in] i
216 /// The instruction to be inspected.
217 ///
218 /// @return
219 /// False if there was an error scanning; true otherwise.
220 //------------------------------------------------------------------
InspectInstruction(llvm::Instruction & i)221 virtual bool InspectInstruction(llvm::Instruction &i)
222 {
223 return true;
224 }
225
226 //------------------------------------------------------------------
227 /// Scan a basic block to see if any instructions are interesting
228 ///
229 /// @param[in] bb
230 /// The basic block to be inspected.
231 ///
232 /// @return
233 /// False if there was an error scanning; true otherwise.
234 //------------------------------------------------------------------
InspectBasicBlock(llvm::BasicBlock & bb)235 virtual bool InspectBasicBlock(llvm::BasicBlock &bb)
236 {
237 for (llvm::BasicBlock::iterator ii = bb.begin(), last_ii = bb.end();
238 ii != last_ii;
239 ++ii)
240 {
241 if (!InspectInstruction(*ii))
242 return false;
243 }
244
245 return true;
246 }
247
248 //------------------------------------------------------------------
249 /// Scan a function to see if any instructions are interesting
250 ///
251 /// @param[in] f
252 /// The function to be inspected.
253 ///
254 /// @return
255 /// False if there was an error scanning; true otherwise.
256 //------------------------------------------------------------------
InspectFunction(llvm::Function & f)257 virtual bool InspectFunction(llvm::Function &f)
258 {
259 for (llvm::Function::iterator bbi = f.begin(), last_bbi = f.end();
260 bbi != last_bbi;
261 ++bbi)
262 {
263 if (!InspectBasicBlock(*bbi))
264 return false;
265 }
266
267 return true;
268 }
269
270 //------------------------------------------------------------------
271 /// Build a function pointer for a function with signature
272 /// void (*)(uint8_t*) with a given address
273 ///
274 /// @param[in] start_address
275 /// The address of the function.
276 ///
277 /// @return
278 /// The function pointer, for use in a CallInst.
279 //------------------------------------------------------------------
BuildPointerValidatorFunc(lldb::addr_t start_address)280 llvm::Value *BuildPointerValidatorFunc(lldb::addr_t start_address)
281 {
282 IntegerType *intptr_ty = llvm::Type::getIntNTy(m_module.getContext(),
283 (m_module.getPointerSize() == llvm::Module::Pointer64) ? 64 : 32);
284
285 llvm::Type *param_array[1];
286
287 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy());
288
289 ArrayRef<llvm::Type*> params(param_array, 1);
290
291 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true);
292 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty);
293 Constant *fun_addr_int = ConstantInt::get(intptr_ty, start_address, false);
294 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty);
295 }
296
297 //------------------------------------------------------------------
298 /// Build a function pointer for a function with signature
299 /// void (*)(uint8_t*, uint8_t*) with a given address
300 ///
301 /// @param[in] start_address
302 /// The address of the function.
303 ///
304 /// @return
305 /// The function pointer, for use in a CallInst.
306 //------------------------------------------------------------------
BuildObjectCheckerFunc(lldb::addr_t start_address)307 llvm::Value *BuildObjectCheckerFunc(lldb::addr_t start_address)
308 {
309 IntegerType *intptr_ty = llvm::Type::getIntNTy(m_module.getContext(),
310 (m_module.getPointerSize() == llvm::Module::Pointer64) ? 64 : 32);
311
312 llvm::Type *param_array[2];
313
314 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy());
315 param_array[1] = const_cast<llvm::PointerType*>(GetI8PtrTy());
316
317 ArrayRef<llvm::Type*> params(param_array, 2);
318
319 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true);
320 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty);
321 Constant *fun_addr_int = ConstantInt::get(intptr_ty, start_address, false);
322 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty);
323 }
324
GetI8PtrTy()325 PointerType *GetI8PtrTy()
326 {
327 if (!m_i8ptr_ty)
328 m_i8ptr_ty = llvm::Type::getInt8PtrTy(m_module.getContext());
329
330 return m_i8ptr_ty;
331 }
332
333 typedef std::vector <llvm::Instruction *> InstVector;
334 typedef InstVector::iterator InstIterator;
335
336 InstVector m_to_instrument; ///< List of instructions the inspector found
337 llvm::Module &m_module; ///< The module which is being instrumented
338 DynamicCheckerFunctions &m_checker_functions; ///< The dynamic checker functions for the process
339 private:
340 PointerType *m_i8ptr_ty;
341 };
342
343 class ValidPointerChecker : public Instrumenter
344 {
345 public:
ValidPointerChecker(llvm::Module & module,DynamicCheckerFunctions & checker_functions)346 ValidPointerChecker (llvm::Module &module,
347 DynamicCheckerFunctions &checker_functions) :
348 Instrumenter(module, checker_functions),
349 m_valid_pointer_check_func(NULL)
350 {
351 }
352
~ValidPointerChecker()353 virtual ~ValidPointerChecker ()
354 {
355 }
356 private:
InstrumentInstruction(llvm::Instruction * inst)357 bool InstrumentInstruction(llvm::Instruction *inst)
358 {
359 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS));
360
361 if (log)
362 log->Printf("Instrumenting load/store instruction: %s\n",
363 PrintValue(inst).c_str());
364
365 if (!m_valid_pointer_check_func)
366 m_valid_pointer_check_func = BuildPointerValidatorFunc(m_checker_functions.m_valid_pointer_check->StartAddress());
367
368 llvm::Value *dereferenced_ptr = NULL;
369
370 if (llvm::LoadInst *li = dyn_cast<llvm::LoadInst> (inst))
371 dereferenced_ptr = li->getPointerOperand();
372 else if (llvm::StoreInst *si = dyn_cast<llvm::StoreInst> (inst))
373 dereferenced_ptr = si->getPointerOperand();
374 else
375 return false;
376
377 // Insert an instruction to cast the loaded value to int8_t*
378
379 BitCastInst *bit_cast = new BitCastInst(dereferenced_ptr,
380 GetI8PtrTy(),
381 "",
382 inst);
383
384 // Insert an instruction to call the helper with the result
385
386 llvm::Value *arg_array[1];
387
388 arg_array[0] = bit_cast;
389
390 llvm::ArrayRef<llvm::Value *> args(arg_array, 1);
391
392 CallInst::Create(m_valid_pointer_check_func,
393 args,
394 "",
395 inst);
396
397 return true;
398 }
399
InspectInstruction(llvm::Instruction & i)400 bool InspectInstruction(llvm::Instruction &i)
401 {
402 if (dyn_cast<llvm::LoadInst> (&i) ||
403 dyn_cast<llvm::StoreInst> (&i))
404 RegisterInstruction(i);
405
406 return true;
407 }
408
409 llvm::Value *m_valid_pointer_check_func;
410 };
411
412 class ObjcObjectChecker : public Instrumenter
413 {
414 public:
ObjcObjectChecker(llvm::Module & module,DynamicCheckerFunctions & checker_functions)415 ObjcObjectChecker(llvm::Module &module,
416 DynamicCheckerFunctions &checker_functions) :
417 Instrumenter(module, checker_functions),
418 m_objc_object_check_func(NULL)
419 {
420 }
421
422 virtual
~ObjcObjectChecker()423 ~ObjcObjectChecker ()
424 {
425 }
426
427 enum msgSend_type
428 {
429 eMsgSend = 0,
430 eMsgSendSuper,
431 eMsgSendSuper_stret,
432 eMsgSend_fpret,
433 eMsgSend_stret
434 };
435
436 std::map <llvm::Instruction *, msgSend_type> msgSend_types;
437
438 private:
InstrumentInstruction(llvm::Instruction * inst)439 bool InstrumentInstruction(llvm::Instruction *inst)
440 {
441 CallInst *call_inst = dyn_cast<CallInst>(inst);
442
443 if (!call_inst)
444 return false; // call_inst really shouldn't be NULL, because otherwise InspectInstruction wouldn't have registered it
445
446 if (!m_objc_object_check_func)
447 m_objc_object_check_func = BuildObjectCheckerFunc(m_checker_functions.m_objc_object_check->StartAddress());
448
449 // id objc_msgSend(id theReceiver, SEL theSelector, ...)
450
451 llvm::Value *target_object;
452 llvm::Value *selector;
453
454 switch (msgSend_types[inst])
455 {
456 case eMsgSend:
457 case eMsgSend_fpret:
458 target_object = call_inst->getArgOperand(0);
459 selector = call_inst->getArgOperand(1);
460 break;
461 case eMsgSend_stret:
462 target_object = call_inst->getArgOperand(1);
463 selector = call_inst->getArgOperand(2);
464 break;
465 case eMsgSendSuper:
466 case eMsgSendSuper_stret:
467 return true;
468 }
469
470 // These objects should always be valid according to Sean Calannan
471 assert (target_object);
472 assert (selector);
473
474 // Insert an instruction to cast the receiver id to int8_t*
475
476 BitCastInst *bit_cast = new BitCastInst(target_object,
477 GetI8PtrTy(),
478 "",
479 inst);
480
481 // Insert an instruction to call the helper with the result
482
483 llvm::Value *arg_array[2];
484
485 arg_array[0] = bit_cast;
486 arg_array[1] = selector;
487
488 ArrayRef<llvm::Value*> args(arg_array, 2);
489
490 CallInst::Create(m_objc_object_check_func,
491 args,
492 "",
493 inst);
494
495 return true;
496 }
497
InspectInstruction(llvm::Instruction & i)498 bool InspectInstruction(llvm::Instruction &i)
499 {
500 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS));
501
502 CallInst *call_inst = dyn_cast<CallInst>(&i);
503
504 if (call_inst)
505 {
506 // This metadata is set by IRForTarget::MaybeHandleCall().
507
508 MDNode *metadata = call_inst->getMetadata("lldb.call.realName");
509
510 if (!metadata)
511 return true;
512
513 if (metadata->getNumOperands() != 1)
514 {
515 if (log)
516 log->Printf("Function call metadata has %d operands for [%p] %s", metadata->getNumOperands(), call_inst, PrintValue(call_inst).c_str());
517 return false;
518 }
519
520 MDString *real_name = dyn_cast<MDString>(metadata->getOperand(0));
521
522 if (!real_name)
523 {
524 if (log)
525 log->Printf("Function call metadata is not an MDString for [%p] %s", call_inst, PrintValue(call_inst).c_str());
526 return false;
527 }
528
529 std::string name_str = real_name->getString();
530 const char* name_cstr = name_str.c_str();
531
532 if (log)
533 log->Printf("Found call to %s: %s\n", name_cstr, PrintValue(call_inst).c_str());
534
535 if (name_str.find("objc_msgSend") == std::string::npos)
536 return true;
537
538 if (!strcmp(name_cstr, "objc_msgSend"))
539 {
540 RegisterInstruction(i);
541 msgSend_types[&i] = eMsgSend;
542 return true;
543 }
544
545 if (!strcmp(name_cstr, "objc_msgSend_stret"))
546 {
547 RegisterInstruction(i);
548 msgSend_types[&i] = eMsgSend_stret;
549 return true;
550 }
551
552 if (!strcmp(name_cstr, "objc_msgSend_fpret"))
553 {
554 RegisterInstruction(i);
555 msgSend_types[&i] = eMsgSend_fpret;
556 return true;
557 }
558
559 if (!strcmp(name_cstr, "objc_msgSendSuper"))
560 {
561 RegisterInstruction(i);
562 msgSend_types[&i] = eMsgSendSuper;
563 return true;
564 }
565
566 if (!strcmp(name_cstr, "objc_msgSendSuper_stret"))
567 {
568 RegisterInstruction(i);
569 msgSend_types[&i] = eMsgSendSuper_stret;
570 return true;
571 }
572
573 if (log)
574 log->Printf("Function name '%s' contains 'objc_msgSend' but is not handled", name_str.c_str());
575
576 return true;
577 }
578
579 return true;
580 }
581
582 llvm::Value *m_objc_object_check_func;
583 };
584
IRDynamicChecks(DynamicCheckerFunctions & checker_functions,const char * func_name)585 IRDynamicChecks::IRDynamicChecks(DynamicCheckerFunctions &checker_functions,
586 const char *func_name) :
587 ModulePass(ID),
588 m_func_name(func_name),
589 m_checker_functions(checker_functions)
590 {
591 }
592
~IRDynamicChecks()593 IRDynamicChecks::~IRDynamicChecks()
594 {
595 }
596
597 bool
runOnModule(llvm::Module & M)598 IRDynamicChecks::runOnModule(llvm::Module &M)
599 {
600 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS));
601
602 llvm::Function* function = M.getFunction(StringRef(m_func_name.c_str()));
603
604 if (!function)
605 {
606 if (log)
607 log->Printf("Couldn't find %s() in the module", m_func_name.c_str());
608
609 return false;
610 }
611
612 if (m_checker_functions.m_valid_pointer_check.get())
613 {
614 ValidPointerChecker vpc(M, m_checker_functions);
615
616 if (!vpc.Inspect(*function))
617 return false;
618
619 if (!vpc.Instrument())
620 return false;
621 }
622
623 if (m_checker_functions.m_objc_object_check.get())
624 {
625 ObjcObjectChecker ooc(M, m_checker_functions);
626
627 if (!ooc.Inspect(*function))
628 return false;
629
630 if (!ooc.Instrument())
631 return false;
632 }
633
634 if (log && log->GetVerbose())
635 {
636 std::string s;
637 raw_string_ostream oss(s);
638
639 M.print(oss, NULL);
640
641 oss.flush();
642
643 log->Printf ("Module after dynamic checks: \n%s", s.c_str());
644 }
645
646 return true;
647 }
648
649 void
assignPassManager(PMStack & PMS,PassManagerType T)650 IRDynamicChecks::assignPassManager(PMStack &PMS,
651 PassManagerType T)
652 {
653 }
654
655 PassManagerType
getPotentialPassManagerType() const656 IRDynamicChecks::getPotentialPassManagerType() const
657 {
658 return PMT_ModulePassManager;
659 }
660