VOID Trace (TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
xed_iclass_enum_t iclass1 = static_cast<xed_iclass_enum_t>(INS_Opcode(ins));
if (iclass1 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(ins)))
{
xed_iclass_enum_t iclass2 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(ins)));
if (iclass2 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(INS_Next(ins))))
{
xed_iclass_enum_t iclass3 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(INS_Next(ins))));
if (iclass3 == XED_ICLASS_FLD1)
{
printf ("tool: found fld1 sequence at %p\n", (void *)INS_Address(INS_Next(INS_Next(ins))));
fflush (stdout);
// Insert an analysis call that will cause the xmm scratch registers to be spilled
INS_InsertCall(INS_Next(INS_Next(ins)), IPOINT_AFTER, (AFUNPTR)SetXmmScratchesFun, IARG_END);
return;
}
}
}
}
}
}
VOID Trace (TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
xed_iclass_enum_t iclass1 = static_cast<xed_iclass_enum_t>(INS_Opcode(ins));
if (iclass1 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(ins)))
{
xed_iclass_enum_t iclass2 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(ins)));
if (iclass2 == XED_ICLASS_FLD1 && INS_Valid(INS_Next(INS_Next(ins))))
{
xed_iclass_enum_t iclass3 = static_cast<xed_iclass_enum_t>(INS_Opcode(INS_Next(INS_Next(ins))));
if (iclass3 == XED_ICLASS_FLD1)
{
printf ("found fld1 sequence at %lx\n", (unsigned long)INS_Address(INS_Next(INS_Next(ins))));
{
INS_InsertCall(INS_Next(INS_Next(ins)), IPOINT_AFTER, AFUNPTR(CallToFldzToTop3), IARG_END);
printf ("Inserted call1 to FldzToTop3 after instruction at %lx\n",
(unsigned long)INS_Address(INS_Next(INS_Next(ins))));
}
}
}
}
}
}
}
VOID Trace(TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
BBL_InsertCall(bbl, IPOINT_ANYWHERE, (AFUNPTR)LogBBL, IARG_FAST_ANALYSIS_CALL, IARG_ADDRINT, BBL_Address(bbl), IARG_END);
}
}
// Pin calls this function every time a new basic block is encountered
// It inserts a call to docount
VOID Trace(TRACE trace, VOID *v)
{
// Visit every basic block in the trace
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
if (INS_IsMemoryRead(ins))
{
INS_InsertIfCall(ins, IPOINT_BEFORE, (AFUNPTR)ReadAlways, IARG_MEMORYREAD_EA, IARG_END);
INS_InsertThenCall(ins, IPOINT_BEFORE, (AFUNPTR)ReadRare, IARG_MEMORYREAD_EA, IARG_END);
}
}
// Always()->Rare() are partially inlined
BBL_InsertIfCall(bbl, IPOINT_BEFORE, (AFUNPTR)Always, IARG_END);
BBL_InsertThenCall(bbl, IPOINT_BEFORE, (AFUNPTR)Rare, IARG_END);
// Always()->Rare() are partially inlined
BBL_InsertIfCall(bbl, IPOINT_BEFORE, (AFUNPTR)AlwaysNoinline, IARG_END);
BBL_InsertThenCall(bbl, IPOINT_BEFORE, (AFUNPTR)RareNoinline, IARG_END);
// Noinline() is not inlined
BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)Noinline, IARG_END);
}
}
// We have to instrument traces in order to instrument each BBL, the API doesn't have a BBL_AddInstrumentFunction
VOID trace_instrumentation(TRACE trace, VOID *v)
{
// We don't want to instrument the BBL contained in the Windows API
if(is_address_in_blacklisted_modules(TRACE_Address(trace)))
return;
for(BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// What's going on under the hood
// LOG("[INSTRU] BBL Address: " + hexstr(BBL_Address(bbl)) + ", " + hexstr(BBL_NumIns(bbl)) + "\n");
// Insert a call to handle_basic_block before every basic block, passing the number of instructions
BBL_InsertCall(
bbl,
IPOINT_ANYWHERE,
(AFUNPTR)handle_basic_block,
IARG_FAST_ANALYSIS_CALL, // Use a faster linkage for calls to analysis functions. Add PIN_FAST_ANALYSIS_CALL to the declaration between the return type and the function name. You must also add IARG_FAST_ANALYSIS_CALL to the InsertCall. For example:
IARG_UINT32,
BBL_NumIns(bbl),
IARG_ADDRINT,
BBL_Address(bbl),
IARG_END
);
}
}
bool TraceManager::IsNormal(RTN myrtn)
{
BBL my_bbl=RTN_BblTail(myrtn);
if(BBL_Valid(my_bbl))
{
INS my_ins=BBL_InsTail(my_bbl);
while(INS_Valid(my_ins))
{
if(INS_IsRet(my_ins))
{
//cerr<<"Normal Routine::"<<RTN_Name(myrtn)<<endl;
return true;
}
my_ins=INS_Prev(my_ins);
}
/*if(INS_IsBranch(my_ins)|| INS_IsNop(my_ins))
{
cerr<<"!!!Abnormal Routine::"<<RTN_Name(myrtn)<<endl;
return false;
}
my_bbl=BBL_Prev(my_bbl); */
}
//cerr<<"!!!!Abnormal Routine::"<<RTN_Name(myrtn)<<endl;
return false;
}
// Pin calls this function every time a new instruction is encountered
void Trace(TRACE trace , void *v)
{
for(BBL bbl= TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)){
for( INS ins = BBL_InsHead(bbl); INS_Valid(ins) ; ins =INS_Next(ins)){
oepf.IsCurrentInOEP(ins);
}
}
}
VOID Trace(TRACE trace, VOID *)
{
if (!EnableInstrumentation)
return;
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
BBL_InsertCall(bbl, IPOINT_BEFORE, AFUNPTR(CheckPC), IARG_INST_PTR, IARG_END);
}
static VOID Trace(TRACE trace, VOID *v)
{
RTN rtn = TRACE_Rtn(trace);
ADDRINT version = TRACE_Version(trace);
// If we are not in watch_rtn, switch back to base version
if (!RTN_Valid(rtn) || RTN_Name(rtn) != watch_rtn)
{
if (version != VERSION_BASE)
BBL_SetTargetVersion(TRACE_BblHead(trace), VERSION_BASE);
return;
}
if (TRACE_Address(trace) == RTN_Address(rtn)) {
INS ins = BBL_InsHead(TRACE_BblHead(trace));
if (version == VERSION_BASE)
{
// version_reg is used to select the version, use the first
// argument of watch_rtn to set it
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(select_version),
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_RETURN_REGS, version_reg,
IARG_END);
// IF we are in the base version, decide if we should go to the
// other versions
// Note that the version instrumentation will occur before any
// following instrumentation done on this ins
INS_InsertVersionCase(ins, version_reg, 10, VERSION_1, IARG_END);
INS_InsertVersionCase(ins, version_reg, 20, VERSION_2, IARG_END);
printf ("Instrumentation at %p\n", reinterpret_cast<void *>(INS_Address(ins)));
}
}
INS ins = BBL_InsHead(TRACE_BblHead(trace));
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// Instrumentation depends on version
// These instrumentations occur after the preceeding version instrumentation
// (i.e. the instrumentation inserted by the above INS_InsertVersionCase calls
switch(version) {
case VERSION_BASE:
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit),
IARG_PTR, "version base", IARG_END);
break;
case VERSION_1:
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit),
IARG_PTR, "version 1", IARG_END);
break;
case VERSION_2:
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Emit),
IARG_PTR, "version 2", IARG_END);
break;
default:
assert(0);
break;
}
}
}
static void instrument_trace(TRACE trace, VOID *v)
{
sse_aligner_t* pthis = static_cast<sse_aligner_t*>(v);
bool is_read = false;
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
if (check_for_sse_memop(ins, is_read, pthis))
rewrite_instruction(ins, is_read, pthis);
}
/*!
* Insert call to the CountBbl() analysis routine before every basic block
* of the trace.
* This function is called every time a new trace is encountered.
* @param[in] trace trace to be instrumented
* @param[in] v value specified by the tool in the TRACE_AddInstrumentFunction
* function call
*/
VOID Trace(TRACE trace, VOID *v)
{
// Visit every basic block in the trace
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// Insert a call to CountBbl() before every basic bloc, passing the number of instructions
BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)CountBbl, IARG_UINT32, BBL_NumIns(bbl), IARG_END);
}
}
VOID Trace(TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblTail(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
if (BBL_HasFallThrough(bbl)) {
INS ins = BBL_InsTail(bbl);
TEST(INS_HasFallThrough(ins), "BBL_HasFallThrough or INS_HasFallThrough failed");
}
}
}
VOID Trace(TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
BBL_InsertCall(bbl, IPOINT_ANYWHERE, AFUNPTR(Count),
IARG_FAST_ANALYSIS_CALL,
IARG_THREAD_ID,
IARG_UINT32, BBL_NumIns(bbl),
IARG_END);
}
VOID Trace(TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
RewriteIns(ins);
}
}
}
void Trace(TRACE trace, void *v)
{
// for each bbl in the application trace...
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// args: bbl=bbl, IPOINT_BEFORE=insert before bbl, checkBBL=ptr to function to insert,
// IARG_PTR=function argument type, BBL_Address(bbl)=function argument, IARG_END=end of arguement marker
BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)checkBBL, IARG_PTR, BBL_Address(bbl), IARG_END);
}
}
VOID Trace(TRACE trace, VOID *v)
{
// Instrument only at the head of the trace
BBL bbl = TRACE_BblHead(trace);
if (BBL_Valid(bbl))
{
INS_InsertCall(BBL_InsHead(bbl), IPOINT_BEFORE, (AFUNPTR)docount, IARG_UINT32, 1, IARG_END);
}
for (bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
ASSERTX(INS_Size(ins) != 0);
}
}
}
VOID TraceInserted(TRACE trace, VOID *)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
cacheInstructions++;
}
}
}
// Pin calls this function every time a new basic block is encountered
// It inserts a call to docount
VOID Trace(TRACE trace, VOID *v)
{
// Visit every basic block in the trace
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// Insert a call to docount for every bbl, passing the number of instructions.
// IPOINT_ANYWHERE allows Pin to schedule the call anywhere in the bbl to obtain best performance.
// Use a fast linkage for the call.
BBL_InsertCall(bbl, IPOINT_ANYWHERE, AFUNPTR(docount), IARG_FAST_ANALYSIS_CALL, IARG_UINT32, BBL_NumIns(bbl), IARG_END);
}
}
// Pin calls this function every time a new basic block is encountered.
// It inserts a call to docount.
VOID Trace(TRACE trace, VOID *v)
{
// Visit every basic block in the trace
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// Insert a call to docount for every bbl, passing the number of instructions.
BBL_InsertCall(bbl, IPOINT_ANYWHERE, (AFUNPTR)docount, IARG_FAST_ANALYSIS_CALL,
IARG_UINT32, BBL_NumIns(bbl), IARG_THREAD_ID, IARG_END);
}
}
/*
* trace inspection (instrumentation function)
*
* traverse the basic blocks (BBLs) on the trace and
* inspect every instruction for instrumenting it
* accordingly
*
* @trace: instructions trace; given by PIN
* @v: callback value
*/
static void
trace_inspect(TRACE trace, VOID *v)
{
/* iterators */
BBL bbl;
INS ins;
xed_iclass_enum_t ins_indx;
/* versioning support */
ADDRINT version, version_mask = (ADDRINT)v;
if (version_mask) {
/*
* ignore code cache versions that we
* are not supposed to instrument
*/
version = TRACE_Version(trace);
if ((version & version_mask) == 0)
return;
}
/* traverse all the BBLs in the trace */
for (bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
/* traverse all the instructions in the BBL */
for (ins = BBL_InsHead(bbl);
INS_Valid(ins);
ins = INS_Next(ins)) {
/*
* use XED to decode the instruction and
* extract its opcode
*/
ins_indx = (xed_iclass_enum_t)INS_Opcode(ins);
/*
* invoke the pre-ins instrumentation callback
*/
if (ins_desc[ins_indx].pre != NULL)
ins_desc[ins_indx].pre(ins);
/*
* analyze the instruction (default handler)
*/
if (ins_desc[ins_indx].dflact == INSDFL_ENABLE)
ins_inspect(ins);
/*
* invoke the post-ins instrumentation callback
*/
if (ins_desc[ins_indx].post != NULL)
ins_desc[ins_indx].post(ins);
}
}
}
VOID Trace(TRACE trace, VOID *v)
{
static BOOL programStart = TRUE;
if (programStart)
{
programStart = FALSE;
next_pc = (void*)INS_Address(BBL_InsHead(TRACE_BblHead(trace)));
}
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// check BBL entry PC
INS_InsertCall(
BBL_InsHead(bbl), IPOINT_BEFORE, (AFUNPTR)CheckPc,
IARG_INST_PTR,
IARG_END);
INS tail = BBL_InsTail(bbl);
if (INS_IsBranchOrCall(tail))
{
// record taken branch targets
INS_InsertCall(
tail, IPOINT_BEFORE, AFUNPTR(RecordPc),
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_BRANCH_TAKEN,
IARG_END);
}
if (INS_HasFallThrough(tail))
{
// record fall-through
INS_InsertCall(
tail, IPOINT_AFTER, (AFUNPTR)RecordPc,
IARG_INST_PTR,
IARG_FALLTHROUGH_ADDR,
IARG_BOOL,
TRUE,
IARG_END);
}
#if defined(TARGET_IA32) || defined(TARGET_IA32E)
if (INS_IsSysenter(tail) ||
INS_HasRealRep(tail))
{ // sysenter on x86 has some funny control flow that we can't correctly verify for now
// Genuinely REP prefixed instructions are also odd, they appear to stutter.
INS_InsertCall(tail, IPOINT_BEFORE, (AFUNPTR)Skip, IARG_END);
}
#endif
}
}
VOID
Trace(TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
BasicBlockTrace(trace, bbl);
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) {
CallTrace(trace, ins);
MemoryTrace(trace, ins);
}
}
}
VOID DumpTrace(CHAR * message, TRACE trace)
{
fprintf(stderr,"\n%s:\n",message);
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
fprintf(stderr,"%p %s\n",(void*)INS_Address(ins),INS_Disassemble(ins).c_str());
}
}
}
void trace (TRACE trace, void *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
INS tail = BBL_InsTail(bbl);
if (INS_IsRet(tail)) {
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(before_return),
IARG_THREAD_ID, IARG_REG_VALUE, REG_ESP, IARG_END);
} else if (INS_IsCall(tail)) {
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(before_call),
IARG_THREAD_ID, IARG_REG_VALUE, REG_ESP, IARG_ADDRINT, INS_NextAddress(tail), IARG_BRANCH_TARGET_ADDR, IARG_END);
}
}
}
VOID Trace(TRACE trace, VOID *v)
{
if (rand() % 100 > 80) {
UINT32 inscount = 0;
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) {
inscount++;
}
}
TEST(inscount == 1, "CODECACHE_ChangeMaxInsPerTrace failed");
//cout << "trace in 0x" << TRACE_CodeCacheAddress(trace) << " has " << inscount << " INS. ";
}
}
// Pin calls this function every time a new instruction is encountered
void Trace(TRACE trace , void *v)
{
for(BBL bbl= TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)){
fprintf(file, "----BEGIN BBL---\n");
for( INS ins = BBL_InsHead(bbl); INS_Valid(ins) ; ins =INS_Next(ins)){
fprintf(file , "%s\n" , INS_Disassemble(ins).c_str());
}
fprintf(file, "----END BBL---\n");
}
}
//--------------------------------------------------------------------------
static VOID trace_cb(TRACE trace, VOID *v)
{
// Visit every basic block in the trace
for ( BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl) )
{
for( INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins=INS_Next(ins) )
{
ADDRINT ea = INS_Address(ins);
if ( !valid_ea(ea) )
continue;
if ( was_writen(ea) )
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)check_unpacked_cb,
IARG_INST_PTR,
IARG_CONST_CONTEXT,
IARG_THREAD_ID,
IARG_END);
}
// Instruments memory accesses using a predicated call, i.e.
// the instrumentation is called iff the instruction will actually be executed.
//
// The IA-64 architecture has explicitly predicated instructions.
// On the IA-32 and Intel(R) 64 architectures conditional moves and REP
// prefixed instructions appear as predicated instructions in Pin.
UINT32 mem_operands = INS_MemoryOperandCount(ins);
// Iterate over each memory operand of the instruction.
for ( UINT32 mem_op = 0; mem_op < mem_operands; mem_op++ )
{
// Note that in some architectures a single memory operand can be
// both read and written (for instance incl (%eax) on IA-32)
// In that case we instrument it once for read and once for write.
if ( INS_MemoryOperandIsWritten(ins, mem_op) )
{
INS_InsertIfPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR)valid_ea,
IARG_MEMORYOP_EA,
mem_op,
IARG_END);
INS_InsertThenPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)record_mem_write_cb,
IARG_INST_PTR,
IARG_MEMORYOP_EA, mem_op,
IARG_END);
}
}
}
}
}
VOID Trace(TRACE trace, VOID *v)
{
// Only instrument the main executable, we're not interested in anything in dynamic libraries.
if (!traceFromExecutable(trace))
return;
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
Instrument(ins);
}
}
}
// Inspect the sequence, but do not instrument
VOID Trace(TRACE trace, VOID *v)
{
fprintf(out, "Trace address %p\n",(CHAR*)(TRACE_Address(trace)));
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
fprintf(out, " %p\n",(CHAR*)(INS_Address(ins)));
}
}
fprintf(out, "\n");
}
VOID FirstInCC(TRACE trace, VOID * v)
{
if (!test)
return;
test = false;
BBL bbl = TRACE_BblHead(trace);
while (!BBL_Valid(bbl))
bbl = BBL_Next(bbl);
INS_Delete(BBL_InsHead(bbl));
TEST(!TRACE_Original(trace), "TRACE_Original failed");
}