static void
test_cti_prefixes(void *dc)
{
/* case 10689: test decoding jmp/call w/ 16-bit prefixes
* 0x00428844 66 e9 ab cd data16 jmp $0x55f3
* 0x00428844 67 e9 ab cd ef 12 addr16 jmp $0x133255f5
*/
buf[0] = 0x66;
buf[1] = 0xe9;
buf[2] = 0xab;
buf[3] = 0xcd;
buf[4] = 0xef;
buf[5] = 0x12;
/* data16 (0x66) == 4 bytes, while addr16 (0x67) == 6 bytes */
#ifndef X64 /* no jmp16 for x64 */
# if VERBOSE
disassemble_with_info(dc, buf, STDOUT, true, true);
# endif
ASSERT(decode_next_pc(dc, buf) == (byte *) &buf[4]);
#endif
buf[0] = 0x67;
#if VERBOSE
disassemble_with_info(dc, buf, STDOUT, true, true);
#endif
ASSERT(decode_next_pc(dc, buf) == (byte *) &buf[6]);
}
orig_t *new_orig(size_t size, void *pc, void *drcontext, malloc_t *block,
ctx_t *ctx)
{
orig_t *orig;
void *next_pc;
if (!(orig = alloc_orig(block)))
{
dr_printf("dr_malloc fail\n");
return NULL;
}
ds_memset(orig, 0, sizeof(*orig));
orig->size = size;
orig->nb_hit = 1;
orig->addr = pc;
next_pc = decode_next_pc(drcontext, pc);
orig->instr_size = next_pc - pc;
orig->raw_instr = alloc_instr(block, orig->instr_size);
copy_instr(orig->addr, orig->instr_size, orig->raw_instr);
// get ctx isntruction to have information in structure recovery
if (ctx->dr_addr)
{
orig->ctx_addr = ctx->addr;
orig->ctx_instr_size = (void*)decode_next_pc(drcontext, ctx->dr_addr) - ctx->dr_addr;
orig->raw_ctx_instr = alloc_instr(block, orig->ctx_instr_size);
copy_instr(ctx->dr_addr, orig->ctx_instr_size, orig->raw_ctx_instr);
}
else
{
orig->ctx_addr = NULL;
orig->ctx_instr_size = 0;
}
// get the start addr of the function doing the access
get_caller_data(&(orig->start_func_addr),
&(orig->start_func_sym),
&(orig->module_name), drcontext, 0);
return orig;
}
static
dr_signal_action_t event_signal(void *drcontext, dr_siginfo_t *info)
{
ATOMIC_INC(num_signals);
if (info->sig == SIGTERM) {
/* Ignore TERM */
return DR_SIGNAL_SUPPRESS;
} else if (info->sig == SIGSEGV) {
/* Skip the faulting instruction. This is a sample only! */
app_pc pc = decode_next_pc(drcontext, info->mcontext->xip);
if (pc != NULL)
info->mcontext->xip = pc;
return DR_SIGNAL_REDIRECT;
}
return DR_SIGNAL_DELIVER;
}
// return the addr of the previous instructions
// a bad addr can be return in some specific case but generally work good
void *get_prev_instr_pc(void *pc, void *drc)
{
instr_t *instr = instr_create(drc);
void *tmp_pc;
for (int ct = 1; ; ct++)
{
tmp_pc = dr_app_pc_for_decoding(pc - ct);
if (decode(drc, tmp_pc, instr))
{
if (instr_is_call(instr) && decode_next_pc(drc, tmp_pc) == pc)
break;
}
instr_reuse(drc, instr);
}
instr_destroy(drc, instr);
return tmp_pc;
}
static dr_emit_flags_t
bb_event(void *drcontext, void *tag, instrlist_t *bb, bool for_trace, bool translating)
{
instr_t *instr, *next_instr;
for (instr = instrlist_first(bb); instr != NULL; instr = next_instr) {
next_instr = instr_get_next(instr);
if (instr_is_cbr(instr)) {
/* Conditional branch. We can determine the target and
* fallthrough addresses here, but we want to note the
* edge if and when it actually executes at runtime.
* Instead of using dr_insert_cbr_instrumentation(), we'll
* insert separate instrumentation for the taken and not
* taken cases and remove the instrumentation for an edge
* after it executes.
*/
cbr_state_t state;
bool insert_taken, insert_not_taken;
app_pc src = instr_get_app_pc(instr);
/* First look up the state of this branch so we
* know what instrumentation to insert, if any.
*/
elem_t *elem = lookup(table, src);
if (elem == NULL) {
state = CBR_NEITHER;
insert(table, src, CBR_NEITHER);
}
else {
state = elem->state;
}
insert_taken = (state & CBR_TAKEN) == 0;
insert_not_taken = (state & CBR_NOT_TAKEN) == 0;
if (insert_taken || insert_not_taken) {
app_pc fall = (app_pc)decode_next_pc(drcontext, (byte *)src);
app_pc targ = instr_get_branch_target_pc(instr);
/* Redirect the existing cbr to jump to a callout for
* the 'taken' case. We'll insert a 'not-taken'
* callout at the fallthrough address.
*/
instr_t *label = INSTR_CREATE_label(drcontext);
/* should be meta, and meta-instrs shouldn't have translations */
instr_set_meta_no_translation(instr);
/* it may not reach (in particular for x64) w/ our added clean call */
if (instr_is_cti_short(instr)) {
/* if jecxz/loop we want to set the target of the long-taken
* so set instr to the return value
*/
instr = instr_convert_short_meta_jmp_to_long(drcontext, bb, instr);
}
instr_set_target(instr, opnd_create_instr(label));
if (insert_not_taken) {
/* Callout for the not-taken case. Insert after
* the cbr (i.e., 3rd argument is NULL).
*/
dr_insert_clean_call(drcontext, bb, NULL,
(void*)at_not_taken,
false /* don't save fp state */,
2 /* 2 args for at_not_taken */,
OPND_CREATE_INTPTR(src),
OPND_CREATE_INTPTR(fall));
}
/* After the callout, jump to the original fallthrough
* address. Note that this is an exit cti, and should
* not be a meta-instruction. Therefore, we use
* preinsert instead of meta_preinsert, and we must
* set the translation field. On Windows, this jump
* and the final jump below never execute since the
* at_taken and at_not_taken callouts redirect
* execution and never return. However, since the API
* expects clients to produced well-formed code, we
* insert explicit exits from the block for Windows as
* well as Linux.
*/
instrlist_preinsert(bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp
(drcontext, opnd_create_pc(fall)), fall));
/* label goes before the 'taken' callout */
MINSERT(bb, NULL, label);
if (insert_taken) {
/* Callout for the taken case */
dr_insert_clean_call(drcontext, bb, NULL,
(void*)at_taken,
false /* don't save fp state */,
2 /* 2 args for at_taken */,
OPND_CREATE_INTPTR(src),
OPND_CREATE_INTPTR(targ));
}
/* After the callout, jump to the original target
* block (this should not be a meta-instruction).
*/
instrlist_preinsert(bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp
(drcontext, opnd_create_pc(targ)), targ));
}
}
}
/* since our added instrumentation is not constant, we ask to store
* translations now
*/
return DR_EMIT_STORE_TRANSLATIONS;
}
dr_emit_flags_t
bb_event(void *drcontext, void *tag, instrlist_t *bb, bool for_trace, bool translating)
{
instr_t *instr, *next_instr;
app_pc bb_addr = dr_fragment_app_pc(tag);
if (bb_addr == start_pc) {
instrument = true;
} else if (bb_addr == stop_pc) {
instrument = false;
}
if (!instrument) {
return DR_EMIT_DEFAULT;
}
for (instr = instrlist_first(bb); instr != NULL; instr = next_instr) {
next_instr = instr_get_next(instr);
/*
* Conditional branch. We can determine the target and
* fallthrough addresses here, but we need to instrument if we
* want to record the edge only if it actually executes at
* runtime. Instead of using dr_insert_cbr_instrumentation,
* we'll insert separate instrumentation for the taken and not
* taken cases and remove it separately after we see each
* case.
*/
if (instr_is_cbr(instr)) {
app_pc src = instr_get_app_pc(instr);
cbr_state_t state;
bool insert_taken, insert_not_taken;
/* First look up the state of this branch so we
* know what instrumentation to insert, if any.
*/
elem_t *elem = lookup(table, src);
if (elem == NULL) {
state = CBR_NONE;
insert(table, src, CBR_NONE);
} else {
state = elem->state;
}
insert_taken = (state & CBR_TAKEN) == 0;
insert_not_taken = (state & CBR_NOT_TAKEN) == 0;
if (insert_taken || insert_not_taken) {
app_pc fall = (app_pc)decode_next_pc(drcontext, (byte *)src);
app_pc targ = instr_get_branch_target_pc(instr);
/*
* Redirect the cbr to jump to the 'taken' callout.
* We'll insert a 'not-taken' callout at fallthrough
* address.
*/
instr_t *label = INSTR_CREATE_label(drcontext);
instr_set_meta(instr);
instr_set_translation(instr, NULL);
/* If this is a short cti, make sure it can reach its new target */
if (instr_is_cti_short(instr)) {
/* if jecxz/loop we want to set the target of the long-taken
* so set instr to the return value
*/
instr = instr_convert_short_meta_jmp_to_long(drcontext, bb, instr);
}
instr_set_target(instr, opnd_create_instr(label));
if (insert_not_taken) {
/*
* Callout for the not-taken case
*/
dr_insert_clean_call(drcontext, bb, NULL, (void *)at_not_taken,
false /* don't save fp state */,
2 /* 2 args for at_not_taken */,
OPND_CREATE_INTPTR((ptr_uint_t)src),
OPND_CREATE_INTPTR((ptr_uint_t)fall));
}
/*
* Jump to the original fall-through address.
* (This should not be a meta-instruction).
*/
instrlist_preinsert(
bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp(drcontext, opnd_create_pc(fall)), fall));
/* label goes before the 'taken' callout */
MINSERT(bb, NULL, label);
if (insert_taken) {
/*
* Callout for the taken case
*/
dr_insert_clean_call(drcontext, bb, NULL, (void *)at_taken,
false /* don't save fp state */,
2 /* 2 args for at_taken */,
OPND_CREATE_INTPTR((ptr_uint_t)src),
OPND_CREATE_INTPTR((ptr_uint_t)targ));
}
/*
* Jump to the original target block (this should
* not be a meta-instruction).
*/
instrlist_preinsert(
bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp(drcontext, opnd_create_pc(targ)), targ));
}
}
}
/* since our added instrumentation is not constant, we ask to store
* translations now
*/
return DR_EMIT_STORE_TRANSLATIONS;
}
static reg_id_t
instrument_mem(void *drcontext, instrlist_t *ilist, instr_t *where, opnd_t ref)
{
reg_id_t reg_ptr, reg_tmp, reg_addr;
ushort type, size;
bool ok;
if (drreg_reserve_register(drcontext, ilist, where, NULL, ®_tmp) !=
DRREG_SUCCESS) {
DR_ASSERT(false);
return DR_REG_NULL;
}
if (drreg_reserve_register(drcontext, ilist, where, NULL, ®_ptr) !=
DRREG_SUCCESS) {
DR_ASSERT(false);
return DR_REG_NULL;
}
/* i#2449: In the situation that instrument_post_write, instrument_mem and ref all
* have the same register reserved, drutil_insert_get_mem_addr will compute the
* address of an operand using an incorrect register value, as drreg will elide the
* save/restore.
*/
if (opnd_uses_reg(ref, reg_tmp) &&
drreg_get_app_value(drcontext, ilist, where, reg_tmp, reg_tmp) != DRREG_SUCCESS) {
DR_ASSERT(false);
return DR_REG_NULL;
}
if (opnd_uses_reg(ref, reg_ptr) &&
drreg_get_app_value(drcontext, ilist, where, reg_ptr, reg_ptr) != DRREG_SUCCESS) {
DR_ASSERT(false);
return DR_REG_NULL;
}
/* We use reg_ptr as scratch to get addr. Note we do this first as reg_ptr or reg_tmp
* may be used in ref.
*/
ok = drutil_insert_get_mem_addr(drcontext, ilist, where, ref, reg_tmp, reg_ptr);
DR_ASSERT(ok);
drx_buf_insert_load_buf_ptr(drcontext, trace_buffer, ilist, where, reg_ptr);
/* inserts memref addr */
drx_buf_insert_buf_store(drcontext, trace_buffer, ilist, where, reg_ptr, DR_REG_NULL,
opnd_create_reg(reg_tmp), OPSZ_PTR,
offsetof(mem_ref_t, addr));
if (IF_AARCHXX_ELSE(true, false)) {
/* At this point we save the write address for later, because reg_tmp's value
* will get clobbered on ARM.
*/
if (drreg_reserve_register(drcontext, ilist, where, NULL, ®_addr) !=
DRREG_SUCCESS) {
DR_ASSERT(false);
return DR_REG_NULL;
}
MINSERT(ilist, where,
XINST_CREATE_move(drcontext, opnd_create_reg(reg_addr),
opnd_create_reg(reg_tmp)));
}
/* inserts type */
type = (ushort)instr_get_opcode(where);
drx_buf_insert_buf_store(drcontext, trace_buffer, ilist, where, reg_ptr, reg_tmp,
OPND_CREATE_INT16(type), OPSZ_2, offsetof(mem_ref_t, type));
/* inserts size */
size = (ushort)drutil_opnd_mem_size_in_bytes(ref, where);
drx_buf_insert_buf_store(drcontext, trace_buffer, ilist, where, reg_ptr, reg_tmp,
OPND_CREATE_INT16(size), OPSZ_2, offsetof(mem_ref_t, size));
drx_buf_insert_update_buf_ptr(drcontext, trace_buffer, ilist, where, reg_ptr,
DR_REG_NULL, sizeof(mem_ref_t));
if (instr_is_call(where)) {
app_pc pc;
/* Note that on ARM the call instruction writes only to the link register, so
* we would never even get into instrument_mem() on ARM if this was a call.
*/
IF_AARCHXX(DR_ASSERT(false));
/* We simulate the call instruction's written memory by writing the next app_pc
* to the written buffer, since we can't do this after the call has happened.
*/
drx_buf_insert_load_buf_ptr(drcontext, write_buffer, ilist, where, reg_ptr);
pc = decode_next_pc(drcontext, instr_get_app_pc(where));
/* note that for a circular buffer, we don't need to specify a scratch register */
drx_buf_insert_buf_store(drcontext, trace_buffer, ilist, where, reg_ptr,
DR_REG_NULL, OPND_CREATE_INTPTR((ptr_int_t)pc), OPSZ_PTR,
0);
drx_buf_insert_update_buf_ptr(drcontext, write_buffer, ilist, where, reg_ptr,
reg_tmp, sizeof(app_pc));
/* we don't need to persist reg_tmp to the next instruction */
if (drreg_unreserve_register(drcontext, ilist, where, reg_tmp) != DRREG_SUCCESS)
DR_ASSERT(false);
reg_tmp = DR_REG_NULL;
} else if (IF_AARCHXX_ELSE(true, false)) {
/* Now reg_tmp has the address of the write again. */
MINSERT(ilist, where,
XINST_CREATE_move(drcontext, opnd_create_reg(reg_tmp),
opnd_create_reg(reg_addr)));
if (drreg_unreserve_register(drcontext, ilist, where, reg_addr) != DRREG_SUCCESS)
DR_ASSERT(false);
}
if (drreg_unreserve_register(drcontext, ilist, where, reg_ptr) != DRREG_SUCCESS)
DR_ASSERT(false);
return reg_tmp;
}
