1//===-- IRDynamicChecks.cpp -------------------------------------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9 10#include "lldb/Expression/IRDynamicChecks.h" 11 12#include "lldb/Core/ConstString.h" 13#include "lldb/Core/Log.h" 14#include "lldb/Expression/ClangUtilityFunction.h" 15#include "lldb/Target/ExecutionContext.h" 16#include "lldb/Target/ObjCLanguageRuntime.h" 17#include "lldb/Target/Process.h" 18#include "lldb/Target/StackFrame.h" 19 20#include "llvm/Support/raw_ostream.h" 21#include "llvm/IR/Constants.h" 22#include "llvm/IR/DataLayout.h" 23#include "llvm/IR/Function.h" 24#include "llvm/IR/Instructions.h" 25#include "llvm/IR/Module.h" 26#include "llvm/IR/Value.h" 27 28using namespace llvm; 29using namespace lldb_private; 30 31static char ID; 32 33#define VALID_POINTER_CHECK_NAME "$__lldb_valid_pointer_check" 34#define VALID_OBJC_OBJECT_CHECK_NAME "$__lldb_objc_object_check" 35 36static const char g_valid_pointer_check_text[] = 37"extern \"C\" void\n" 38"$__lldb_valid_pointer_check (unsigned char *$__lldb_arg_ptr)\n" 39"{\n" 40" unsigned char $__lldb_local_val = *$__lldb_arg_ptr;\n" 41"}"; 42 43DynamicCheckerFunctions::DynamicCheckerFunctions () 44{ 45} 46 47DynamicCheckerFunctions::~DynamicCheckerFunctions () 48{ 49} 50 51bool 52DynamicCheckerFunctions::Install(Stream &error_stream, 53 ExecutionContext &exe_ctx) 54{ 55 m_valid_pointer_check.reset(new ClangUtilityFunction(g_valid_pointer_check_text, 56 VALID_POINTER_CHECK_NAME)); 57 if (!m_valid_pointer_check->Install(error_stream, exe_ctx)) 58 return false; 59 60 Process *process = exe_ctx.GetProcessPtr(); 61 62 if (process) 63 { 64 ObjCLanguageRuntime *objc_language_runtime = process->GetObjCLanguageRuntime(); 65 66 if (objc_language_runtime) 67 { 68 m_objc_object_check.reset(objc_language_runtime->CreateObjectChecker(VALID_OBJC_OBJECT_CHECK_NAME)); 69 70 if (!m_objc_object_check->Install(error_stream, exe_ctx)) 71 return false; 72 } 73 } 74 75 return true; 76} 77 78bool 79DynamicCheckerFunctions::DoCheckersExplainStop (lldb::addr_t addr, Stream &message) 80{ 81 // FIXME: We have to get the checkers to know why they scotched the call in more detail, 82 // so we can print a better message here. 83 if (m_valid_pointer_check.get() != NULL && m_valid_pointer_check->ContainsAddress(addr)) 84 { 85 message.Printf ("Attempted to dereference an invalid pointer."); 86 return true; 87 } 88 else if (m_objc_object_check.get() != NULL && m_objc_object_check->ContainsAddress(addr)) 89 { 90 message.Printf ("Attempted to dereference an invalid ObjC Object or send it an unrecognized selector"); 91 return true; 92 } 93 return false; 94} 95 96 97static std::string 98PrintValue(llvm::Value *V, bool truncate = false) 99{ 100 std::string s; 101 raw_string_ostream rso(s); 102 V->print(rso); 103 rso.flush(); 104 if (truncate) 105 s.resize(s.length() - 1); 106 return s; 107} 108 109//---------------------------------------------------------------------- 110/// @class Instrumenter IRDynamicChecks.cpp 111/// @brief Finds and instruments individual LLVM IR instructions 112/// 113/// When instrumenting LLVM IR, it is frequently desirable to first search 114/// for instructions, and then later modify them. This way iterators 115/// remain intact, and multiple passes can look at the same code base without 116/// treading on each other's toes. 117/// 118/// The Instrumenter class implements this functionality. A client first 119/// calls Inspect on a function, which populates a list of instructions to 120/// be instrumented. Then, later, when all passes' Inspect functions have 121/// been called, the client calls Instrument, which adds the desired 122/// instrumentation. 123/// 124/// A subclass of Instrumenter must override InstrumentInstruction, which 125/// is responsible for adding whatever instrumentation is necessary. 126/// 127/// A subclass of Instrumenter may override: 128/// 129/// - InspectInstruction [default: does nothing] 130/// 131/// - InspectBasicBlock [default: iterates through the instructions in a 132/// basic block calling InspectInstruction] 133/// 134/// - InspectFunction [default: iterates through the basic blocks in a 135/// function calling InspectBasicBlock] 136//---------------------------------------------------------------------- 137class Instrumenter { 138public: 139 //------------------------------------------------------------------ 140 /// Constructor 141 /// 142 /// @param[in] module 143 /// The module being instrumented. 144 //------------------------------------------------------------------ 145 Instrumenter (llvm::Module &module, 146 DynamicCheckerFunctions &checker_functions) : 147 m_module(module), 148 m_checker_functions(checker_functions), 149 m_i8ptr_ty(NULL), 150 m_intptr_ty(NULL) 151 { 152 } 153 154 virtual~Instrumenter () 155 { 156 } 157 158 //------------------------------------------------------------------ 159 /// Inspect a function to find instructions to instrument 160 /// 161 /// @param[in] function 162 /// The function to inspect. 163 /// 164 /// @return 165 /// True on success; false on error. 166 //------------------------------------------------------------------ 167 bool Inspect (llvm::Function &function) 168 { 169 return InspectFunction(function); 170 } 171 172 //------------------------------------------------------------------ 173 /// Instrument all the instructions found by Inspect() 174 /// 175 /// @return 176 /// True on success; false on error. 177 //------------------------------------------------------------------ 178 bool Instrument () 179 { 180 for (InstIterator ii = m_to_instrument.begin(), last_ii = m_to_instrument.end(); 181 ii != last_ii; 182 ++ii) 183 { 184 if (!InstrumentInstruction(*ii)) 185 return false; 186 } 187 188 return true; 189 } 190protected: 191 //------------------------------------------------------------------ 192 /// Add instrumentation to a single instruction 193 /// 194 /// @param[in] inst 195 /// The instruction to be instrumented. 196 /// 197 /// @return 198 /// True on success; false otherwise. 199 //------------------------------------------------------------------ 200 virtual bool InstrumentInstruction(llvm::Instruction *inst) = 0; 201 202 //------------------------------------------------------------------ 203 /// Register a single instruction to be instrumented 204 /// 205 /// @param[in] inst 206 /// The instruction to be instrumented. 207 //------------------------------------------------------------------ 208 void RegisterInstruction(llvm::Instruction &i) 209 { 210 m_to_instrument.push_back(&i); 211 } 212 213 //------------------------------------------------------------------ 214 /// Determine whether a single instruction is interesting to 215 /// instrument, and, if so, call RegisterInstruction 216 /// 217 /// @param[in] i 218 /// The instruction to be inspected. 219 /// 220 /// @return 221 /// False if there was an error scanning; true otherwise. 222 //------------------------------------------------------------------ 223 virtual bool InspectInstruction(llvm::Instruction &i) 224 { 225 return true; 226 } 227 228 //------------------------------------------------------------------ 229 /// Scan a basic block to see if any instructions are interesting 230 /// 231 /// @param[in] bb 232 /// The basic block to be inspected. 233 /// 234 /// @return 235 /// False if there was an error scanning; true otherwise. 236 //------------------------------------------------------------------ 237 virtual bool InspectBasicBlock(llvm::BasicBlock &bb) 238 { 239 for (llvm::BasicBlock::iterator ii = bb.begin(), last_ii = bb.end(); 240 ii != last_ii; 241 ++ii) 242 { 243 if (!InspectInstruction(*ii)) 244 return false; 245 } 246 247 return true; 248 } 249 250 //------------------------------------------------------------------ 251 /// Scan a function to see if any instructions are interesting 252 /// 253 /// @param[in] f 254 /// The function to be inspected. 255 /// 256 /// @return 257 /// False if there was an error scanning; true otherwise. 258 //------------------------------------------------------------------ 259 virtual bool InspectFunction(llvm::Function &f) 260 { 261 for (llvm::Function::iterator bbi = f.begin(), last_bbi = f.end(); 262 bbi != last_bbi; 263 ++bbi) 264 { 265 if (!InspectBasicBlock(*bbi)) 266 return false; 267 } 268 269 return true; 270 } 271 272 //------------------------------------------------------------------ 273 /// Build a function pointer for a function with signature 274 /// void (*)(uint8_t*) with a given address 275 /// 276 /// @param[in] start_address 277 /// The address of the function. 278 /// 279 /// @return 280 /// The function pointer, for use in a CallInst. 281 //------------------------------------------------------------------ 282 llvm::Value *BuildPointerValidatorFunc(lldb::addr_t start_address) 283 { 284 llvm::Type *param_array[1]; 285 286 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 287 288 ArrayRef<llvm::Type*> params(param_array, 1); 289 290 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true); 291 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 292 Constant *fun_addr_int = ConstantInt::get(GetIntptrTy(), start_address, false); 293 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 294 } 295 296 //------------------------------------------------------------------ 297 /// Build a function pointer for a function with signature 298 /// void (*)(uint8_t*, uint8_t*) with a given address 299 /// 300 /// @param[in] start_address 301 /// The address of the function. 302 /// 303 /// @return 304 /// The function pointer, for use in a CallInst. 305 //------------------------------------------------------------------ 306 llvm::Value *BuildObjectCheckerFunc(lldb::addr_t start_address) 307 { 308 llvm::Type *param_array[2]; 309 310 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 311 param_array[1] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 312 313 ArrayRef<llvm::Type*> params(param_array, 2); 314 315 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true); 316 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 317 Constant *fun_addr_int = ConstantInt::get(GetIntptrTy(), start_address, false); 318 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 319 } 320 321 PointerType *GetI8PtrTy() 322 { 323 if (!m_i8ptr_ty) 324 m_i8ptr_ty = llvm::Type::getInt8PtrTy(m_module.getContext()); 325 326 return m_i8ptr_ty; 327 } 328 329 IntegerType *GetIntptrTy() 330 { 331 if (!m_intptr_ty) 332 { 333 llvm::DataLayout data_layout(&m_module); 334 335 m_intptr_ty = llvm::Type::getIntNTy(m_module.getContext(), data_layout.getPointerSizeInBits()); 336 } 337 338 return m_intptr_ty; 339 } 340 341 typedef std::vector <llvm::Instruction *> InstVector; 342 typedef InstVector::iterator InstIterator; 343 344 InstVector m_to_instrument; ///< List of instructions the inspector found 345 llvm::Module &m_module; ///< The module which is being instrumented 346 DynamicCheckerFunctions &m_checker_functions; ///< The dynamic checker functions for the process 347private: 348 PointerType *m_i8ptr_ty; 349 IntegerType *m_intptr_ty; 350}; 351 352class ValidPointerChecker : public Instrumenter 353{ 354public: 355 ValidPointerChecker (llvm::Module &module, 356 DynamicCheckerFunctions &checker_functions) : 357 Instrumenter(module, checker_functions), 358 m_valid_pointer_check_func(NULL) 359 { 360 } 361 362 virtual ~ValidPointerChecker () 363 { 364 } 365private: 366 bool InstrumentInstruction(llvm::Instruction *inst) 367 { 368 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 369 370 if (log) 371 log->Printf("Instrumenting load/store instruction: %s\n", 372 PrintValue(inst).c_str()); 373 374 if (!m_valid_pointer_check_func) 375 m_valid_pointer_check_func = BuildPointerValidatorFunc(m_checker_functions.m_valid_pointer_check->StartAddress()); 376 377 llvm::Value *dereferenced_ptr = NULL; 378 379 if (llvm::LoadInst *li = dyn_cast<llvm::LoadInst> (inst)) 380 dereferenced_ptr = li->getPointerOperand(); 381 else if (llvm::StoreInst *si = dyn_cast<llvm::StoreInst> (inst)) 382 dereferenced_ptr = si->getPointerOperand(); 383 else 384 return false; 385 386 // Insert an instruction to cast the loaded value to int8_t* 387 388 BitCastInst *bit_cast = new BitCastInst(dereferenced_ptr, 389 GetI8PtrTy(), 390 "", 391 inst); 392 393 // Insert an instruction to call the helper with the result 394 395 llvm::Value *arg_array[1]; 396 397 arg_array[0] = bit_cast; 398 399 llvm::ArrayRef<llvm::Value *> args(arg_array, 1); 400 401 CallInst::Create(m_valid_pointer_check_func, 402 args, 403 "", 404 inst); 405 406 return true; 407 } 408 409 bool InspectInstruction(llvm::Instruction &i) 410 { 411 if (dyn_cast<llvm::LoadInst> (&i) || 412 dyn_cast<llvm::StoreInst> (&i)) 413 RegisterInstruction(i); 414 415 return true; 416 } 417 418 llvm::Value *m_valid_pointer_check_func; 419}; 420 421class ObjcObjectChecker : public Instrumenter 422{ 423public: 424 ObjcObjectChecker(llvm::Module &module, 425 DynamicCheckerFunctions &checker_functions) : 426 Instrumenter(module, checker_functions), 427 m_objc_object_check_func(NULL) 428 { 429 } 430 431 virtual 432 ~ObjcObjectChecker () 433 { 434 } 435 436 enum msgSend_type 437 { 438 eMsgSend = 0, 439 eMsgSendSuper, 440 eMsgSendSuper_stret, 441 eMsgSend_fpret, 442 eMsgSend_stret 443 }; 444 445 std::map <llvm::Instruction *, msgSend_type> msgSend_types; 446 447private: 448 bool InstrumentInstruction(llvm::Instruction *inst) 449 { 450 CallInst *call_inst = dyn_cast<CallInst>(inst); 451 452 if (!call_inst) 453 return false; // call_inst really shouldn't be NULL, because otherwise InspectInstruction wouldn't have registered it 454 455 if (!m_objc_object_check_func) 456 m_objc_object_check_func = BuildObjectCheckerFunc(m_checker_functions.m_objc_object_check->StartAddress()); 457 458 // id objc_msgSend(id theReceiver, SEL theSelector, ...) 459 460 llvm::Value *target_object; 461 llvm::Value *selector; 462 463 switch (msgSend_types[inst]) 464 { 465 case eMsgSend: 466 case eMsgSend_fpret: 467 target_object = call_inst->getArgOperand(0); 468 selector = call_inst->getArgOperand(1); 469 break; 470 case eMsgSend_stret: 471 target_object = call_inst->getArgOperand(1); 472 selector = call_inst->getArgOperand(2); 473 break; 474 case eMsgSendSuper: 475 case eMsgSendSuper_stret: 476 return true; 477 } 478 479 // These objects should always be valid according to Sean Calannan 480 assert (target_object); 481 assert (selector); 482 483 // Insert an instruction to cast the receiver id to int8_t* 484 485 BitCastInst *bit_cast = new BitCastInst(target_object, 486 GetI8PtrTy(), 487 "", 488 inst); 489 490 // Insert an instruction to call the helper with the result 491 492 llvm::Value *arg_array[2]; 493 494 arg_array[0] = bit_cast; 495 arg_array[1] = selector; 496 497 ArrayRef<llvm::Value*> args(arg_array, 2); 498 499 CallInst::Create(m_objc_object_check_func, 500 args, 501 "", 502 inst); 503 504 return true; 505 } 506 507 bool InspectInstruction(llvm::Instruction &i) 508 { 509 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 510 511 CallInst *call_inst = dyn_cast<CallInst>(&i); 512 513 if (call_inst) 514 { 515 // This metadata is set by IRForTarget::MaybeHandleCall(). 516 517 MDNode *metadata = call_inst->getMetadata("lldb.call.realName"); 518 519 if (!metadata) 520 return true; 521 522 if (metadata->getNumOperands() != 1) 523 { 524 if (log) 525 log->Printf("Function call metadata has %d operands for [%p] %s", metadata->getNumOperands(), call_inst, PrintValue(call_inst).c_str()); 526 return false; 527 } 528 529 MDString *real_name = dyn_cast<MDString>(metadata->getOperand(0)); 530 531 if (!real_name) 532 { 533 if (log) 534 log->Printf("Function call metadata is not an MDString for [%p] %s", call_inst, PrintValue(call_inst).c_str()); 535 return false; 536 } 537 538 std::string name_str = real_name->getString(); 539 const char* name_cstr = name_str.c_str(); 540 541 if (log) 542 log->Printf("Found call to %s: %s\n", name_cstr, PrintValue(call_inst).c_str()); 543 544 if (name_str.find("objc_msgSend") == std::string::npos) 545 return true; 546 547 if (!strcmp(name_cstr, "objc_msgSend")) 548 { 549 RegisterInstruction(i); 550 msgSend_types[&i] = eMsgSend; 551 return true; 552 } 553 554 if (!strcmp(name_cstr, "objc_msgSend_stret")) 555 { 556 RegisterInstruction(i); 557 msgSend_types[&i] = eMsgSend_stret; 558 return true; 559 } 560 561 if (!strcmp(name_cstr, "objc_msgSend_fpret")) 562 { 563 RegisterInstruction(i); 564 msgSend_types[&i] = eMsgSend_fpret; 565 return true; 566 } 567 568 if (!strcmp(name_cstr, "objc_msgSendSuper")) 569 { 570 RegisterInstruction(i); 571 msgSend_types[&i] = eMsgSendSuper; 572 return true; 573 } 574 575 if (!strcmp(name_cstr, "objc_msgSendSuper_stret")) 576 { 577 RegisterInstruction(i); 578 msgSend_types[&i] = eMsgSendSuper_stret; 579 return true; 580 } 581 582 if (log) 583 log->Printf("Function name '%s' contains 'objc_msgSend' but is not handled", name_str.c_str()); 584 585 return true; 586 } 587 588 return true; 589 } 590 591 llvm::Value *m_objc_object_check_func; 592}; 593 594IRDynamicChecks::IRDynamicChecks(DynamicCheckerFunctions &checker_functions, 595 const char *func_name) : 596 ModulePass(ID), 597 m_func_name(func_name), 598 m_checker_functions(checker_functions) 599{ 600} 601 602IRDynamicChecks::~IRDynamicChecks() 603{ 604} 605 606bool 607IRDynamicChecks::runOnModule(llvm::Module &M) 608{ 609 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 610 611 llvm::Function* function = M.getFunction(StringRef(m_func_name.c_str())); 612 613 if (!function) 614 { 615 if (log) 616 log->Printf("Couldn't find %s() in the module", m_func_name.c_str()); 617 618 return false; 619 } 620 621 if (m_checker_functions.m_valid_pointer_check.get()) 622 { 623 ValidPointerChecker vpc(M, m_checker_functions); 624 625 if (!vpc.Inspect(*function)) 626 return false; 627 628 if (!vpc.Instrument()) 629 return false; 630 } 631 632 if (m_checker_functions.m_objc_object_check.get()) 633 { 634 ObjcObjectChecker ooc(M, m_checker_functions); 635 636 if (!ooc.Inspect(*function)) 637 return false; 638 639 if (!ooc.Instrument()) 640 return false; 641 } 642 643 if (log && log->GetVerbose()) 644 { 645 std::string s; 646 raw_string_ostream oss(s); 647 648 M.print(oss, NULL); 649 650 oss.flush(); 651 652 log->Printf ("Module after dynamic checks: \n%s", s.c_str()); 653 } 654 655 return true; 656} 657 658void 659IRDynamicChecks::assignPassManager(PMStack &PMS, 660 PassManagerType T) 661{ 662} 663 664PassManagerType 665IRDynamicChecks::getPotentialPassManagerType() const 666{ 667 return PMT_ModulePassManager; 668} 669