void
offline_instru_t::insert_save_pc(void *drcontext, instrlist_t *ilist, instr_t *where,
reg_id_t reg_ptr, reg_id_t scratch, int adjust,
uint64_t value)
{
int disp = adjust;
#ifdef X64
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t) value,
opnd_create_reg(scratch),
ilist, where, NULL, NULL);
MINSERT(ilist, where,
XINST_CREATE_store(drcontext, OPND_CREATE_MEMPTR(reg_ptr, disp),
opnd_create_reg(scratch)));
#else
instrlist_insert_mov_immed_ptrsz(drcontext, (int)value,
opnd_create_reg(scratch),
ilist, where, NULL, NULL);
MINSERT(ilist, where,
XINST_CREATE_store(drcontext, OPND_CREATE_MEMPTR(reg_ptr, disp),
opnd_create_reg(scratch)));
instrlist_insert_mov_immed_ptrsz(drcontext, (int)(value >> 32),
opnd_create_reg(scratch),
ilist, where, NULL, NULL);
MINSERT(ilist, where,
XINST_CREATE_store(drcontext, OPND_CREATE_MEMPTR(reg_ptr, disp + 4),
opnd_create_reg(scratch)));
#endif
}
static void
insert_save_pc(void *drcontext, instrlist_t *ilist, instr_t *where, reg_id_t base,
reg_id_t scratch, app_pc pc)
{
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)pc, opnd_create_reg(scratch),
ilist, where, NULL, NULL);
MINSERT(ilist, where,
XINST_CREATE_store(drcontext,
OPND_CREATE_MEMPTR(base, offsetof(mem_ref_t, addr)),
opnd_create_reg(scratch)));
}
static dr_emit_flags_t
event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *inst,
bool for_trace, bool translating, void *user_data)
{
static int freq;
reg_id_t reg1 = IF_X86_ELSE(DR_REG_XAX, DR_REG_R0);
reg_id_t reg2 = IF_X86_ELSE(DR_REG_XCX, DR_REG_R1);
CHECK(drmgr_is_first_instr(drcontext, instrlist_first_app(bb)), "first incorrect");
CHECK(!drmgr_is_first_instr(drcontext, instrlist_last(bb)) ||
instrlist_first_app(bb) == instrlist_last(bb), "first incorrect");
CHECK(drmgr_is_last_instr(drcontext, instrlist_last(bb)), "last incorrect");
CHECK(!drmgr_is_last_instr(drcontext, instrlist_first_app(bb)) ||
instrlist_first_app(bb) == instrlist_last(bb), "last incorrect");
/* hack to instrument every nth bb. assumes DR serializes bb events. */
freq++;
if (freq % 100 == 0 && inst == (instr_t*)user_data/*first instr*/) {
/* test read from cache */
dr_save_reg(drcontext, bb, inst, reg1, SPILL_SLOT_1);
drmgr_insert_read_tls_field(drcontext, tls_idx, bb, inst, reg1);
dr_insert_clean_call(drcontext, bb, inst, (void *)check_tls_from_cache,
false, 1, opnd_create_reg(reg1));
drmgr_insert_read_cls_field(drcontext, cls_idx, bb, inst, reg1);
dr_insert_clean_call(drcontext, bb, inst, (void *)check_cls_from_cache,
false, 1, opnd_create_reg(reg1));
dr_restore_reg(drcontext, bb, inst, reg1, SPILL_SLOT_1);
}
if (freq % 300 == 0 && inst == (instr_t*)user_data/*first instr*/) {
instr_t *first, *second;
/* test write from cache */
dr_save_reg(drcontext, bb, inst, reg1, SPILL_SLOT_1);
dr_save_reg(drcontext, bb, inst, reg2, SPILL_SLOT_2);
instrlist_insert_mov_immed_ptrsz(drcontext,
(ptr_int_t)MAGIC_NUMBER_FROM_CACHE,
opnd_create_reg(reg1),
bb, inst, &first, &second);
instr_set_meta(first);
if (second != NULL)
instr_set_meta(second);
drmgr_insert_write_tls_field(drcontext, tls_idx, bb, inst, reg1, reg2);
dr_insert_clean_call(drcontext, bb, inst, (void *)check_tls_write_from_cache,
false, 0);
drmgr_insert_write_cls_field(drcontext, cls_idx, bb, inst, reg1, reg2);
dr_insert_clean_call(drcontext, bb, inst, (void *)check_cls_write_from_cache,
false, 0);
dr_restore_reg(drcontext, bb, inst, reg2, SPILL_SLOT_2);
dr_restore_reg(drcontext, bb, inst, reg1, SPILL_SLOT_1);
}
return DR_EMIT_DEFAULT;
}
static void dynamic_info_instrumentation(void *drcontext, instrlist_t *ilist, instr_t *where,
instr_t * static_info)
{
/*
issues that may arise
1. pc and eflags is uint but in 64 bit mode 8 byte transfers are done -> so far no problem (need to see this)
need to see whether there is a better way
2. double check all the printing
*/
/*
this function does the acutal instrumentation
arguments -
we get a filled pointer here about the operand types for a given instruction (srcs and dests)
1) increment the pointer to the instr_trace buffers
2) add this pointer to instr_trace_t wrapper
3) check whether any of the srcs and dests have memory operations; if so add a lea instruction and get the dynamic address
Add this address to instr_trace_t structure
4) if the buffer is full call a function to dump it to the file and restore the head ptr of the buffer
(lean function is used utilizing a code cache to limit code bloat needed for a clean call before every instruction.)
*/
instr_t *instr, *call, *restore, *first, *second;
opnd_t ref, opnd1, opnd2;
reg_id_t reg1 = DR_REG_XBX; /* We can optimize it by picking dead reg */
reg_id_t reg2 = DR_REG_XCX; /* reg2 must be ECX or RCX for jecxz */
reg_id_t reg3 = DR_REG_XAX;
per_thread_t *data;
uint pc;
uint i;
module_data_t * module_data;
if (client_arg->instrace_mode == DISASSEMBLY_TRACE){
dr_insert_clean_call(drcontext, ilist, where, clean_call_disassembly_trace, false, 0);
return;
}
data = drmgr_get_tls_field(drcontext, tls_index);
/* Steal the register for memory reference address *
* We can optimize away the unnecessary register save and restore
* by analyzing the code and finding the register is dead.
*/
dr_save_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
dr_save_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
dr_save_reg(drcontext, ilist, where, reg3, SPILL_SLOT_4);
drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg2);
/* Load data->buf_ptr into reg2 */
opnd1 = opnd_create_reg(reg2);
opnd2 = OPND_CREATE_MEMPTR(reg2, offsetof(per_thread_t, buf_ptr));
instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* buf_ptr->static_info_instr = static_info; */
/* Move static_info to static_info_instr field of buf (which is a instr_trace_t *) */
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(instr_trace_t, static_info_instr));
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)static_info, opnd1, ilist, where, &first, &second);
/* buf_ptr->num_mem = 0; */
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(instr_trace_t, num_mem));
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)0, opnd1, ilist, where, &first, &second);
for (i = 0; i<instr_num_dsts(where); i++){
if (opnd_is_memory_reference(instr_get_dst(where, i))){
ref = instr_get_dst(where, i);
DR_ASSERT(opnd_is_null(ref) == false);
dr_restore_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
dr_restore_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
#ifdef DEBUG_MEM_REGS
dr_insert_clean_call(drcontext, ilist, where, clean_call_disassembly_trace, false, 0);
dr_insert_clean_call(drcontext, ilist, where, clean_call_print_regvalues, false, 0);
#endif
drutil_insert_get_mem_addr(drcontext, ilist, where, ref, reg1, reg2);
#ifdef DEBUG_MEM_REGS
dr_insert_clean_call(drcontext, ilist, where, clean_call_print_regvalues, false, 0);
#endif
#ifdef DEBUG_MEM_STATS
dr_insert_clean_call(drcontext, ilist, where, clean_call_disassembly_trace, false, 0);
dr_insert_clean_call(drcontext, ilist, where, clean_call_mem_stats, false, 1, opnd_create_reg(reg1));
#endif
dr_insert_clean_call(drcontext, ilist, where, clean_call_populate_mem, false, 3, opnd_create_reg(reg1), OPND_CREATE_INT32(i), OPND_CREATE_INT32(DST_TYPE));
}
}
for (i = 0; i<instr_num_srcs(where); i++){
if (opnd_is_memory_reference(instr_get_src(where, i))){
ref = instr_get_src(where, i);
DR_ASSERT(opnd_is_null(ref) == false);
dr_restore_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
dr_restore_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
#ifdef DEBUG_MEM_REGS
dr_insert_clean_call(drcontext, ilist, where, clean_call_disassembly_trace, false, 0);
dr_insert_clean_call(drcontext, ilist, where, clean_call_print_regvalues, false, 0);
#endif
drutil_insert_get_mem_addr(drcontext, ilist, where, ref, reg1, reg2);
#ifdef DEBUG_MEM_REGS
dr_insert_clean_call(drcontext, ilist, where, clean_call_print_regvalues, false, 0);
#endif
#ifdef DEBUG_MEM_STATS
dr_insert_clean_call(drcontext, ilist, where, clean_call_disassembly_trace, false, 0);
dr_insert_clean_call(drcontext, ilist, where, clean_call_mem_stats, false, 1, opnd_create_reg(reg1));
#endif
dr_insert_clean_call(drcontext, ilist, where, clean_call_populate_mem, false, 3, opnd_create_reg(reg1), OPND_CREATE_INT32(i), OPND_CREATE_INT32(SRC_TYPE));
}
}
drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg2);
/* Load data->buf_ptr into reg2 */
opnd1 = opnd_create_reg(reg2);
opnd2 = OPND_CREATE_MEMPTR(reg2, offsetof(per_thread_t, buf_ptr));
instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* arithmetic flags are saved here for buf_ptr->eflags filling */
dr_save_arith_flags_to_xax(drcontext, ilist, where);
/* load the eflags */
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(instr_trace_t, eflags));
opnd2 = opnd_create_reg(reg3);
instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* load the app_pc */
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(instr_trace_t, pc));
module_data = dr_lookup_module(instr_get_app_pc(where));
//dynamically generated code - module information not available - then just store 0 at the pc slot of the instr_trace data
if (module_data != NULL){
pc = instr_get_app_pc(where) - module_data->start;
dr_free_module_data(module_data);
}
else{
pc = 0;
}
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)pc, opnd1, ilist, where, &first, &second);
/* buf_ptr++; */
/* Increment reg value by pointer size using lea instr */
opnd1 = opnd_create_reg(reg2);
opnd2 = opnd_create_base_disp(reg2, DR_REG_NULL, 0,
sizeof(instr_trace_t),
OPSZ_lea);
instr = INSTR_CREATE_lea(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Update the data->buf_ptr */
drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg1);
opnd1 = OPND_CREATE_MEMPTR(reg1, offsetof(per_thread_t, buf_ptr));
opnd2 = opnd_create_reg(reg2);
instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* we use lea + jecxz trick for better performance
* lea and jecxz won't disturb the eflags, so we won't insert
* code to save and restore application's eflags.
*/
/* lea [reg2 - buf_end] => reg2 */
opnd1 = opnd_create_reg(reg1);
opnd2 = OPND_CREATE_MEMPTR(reg1, offsetof(per_thread_t, buf_end));
instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
opnd1 = opnd_create_reg(reg2);
opnd2 = opnd_create_base_disp(reg1, reg2, 1, 0, OPSZ_lea);
instr = INSTR_CREATE_lea(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* jecxz call */
call = INSTR_CREATE_label(drcontext);
opnd1 = opnd_create_instr(call);
instr = INSTR_CREATE_jecxz(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* jump restore to skip clean call */
restore = INSTR_CREATE_label(drcontext);
opnd1 = opnd_create_instr(restore);
instr = INSTR_CREATE_jmp(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* clean call */
/* We jump to lean procedure which performs full context switch and
* clean call invocation. This is to reduce the code cache size.
*/
instrlist_meta_preinsert(ilist, where, call);
/* mov restore DR_REG_XCX */
opnd1 = opnd_create_reg(reg2);
/* this is the return address for jumping back from lean procedure */
opnd2 = opnd_create_instr(restore);
/* We could use instrlist_insert_mov_instr_addr(), but with a register
* destination we know we can use a 64-bit immediate.
*/
instr = INSTR_CREATE_mov_imm(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* jmp code_cache */
opnd1 = opnd_create_pc(code_cache);
instr = INSTR_CREATE_jmp(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* restore %reg */
instrlist_meta_preinsert(ilist, where, restore);
//dr_restore_arith_flags_from_xax(drcontext, ilist, where);
dr_restore_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
dr_restore_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
dr_restore_reg(drcontext, ilist, where, reg3, SPILL_SLOT_4);
//instrlist_disassemble(drcontext, instr_get_app_pc(instrlist_first(ilist)), ilist, logfile);
}
static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
bool for_trace, bool translating)
{
instr_t *first = instrlist_first(bb);
app_pc pc = dr_fragment_app_pc(tag);
instr_t *mov1, *mov2;
/* We try to avoid register stealing by using "dead" register if possible.
* However, technically, a fault could come in and want the original value
* of the "dead" register, but that's too corner-case for us.
*/
reg_id_t reg = bb_find_dead_reg(bb);
bool steal = (reg == DR_REG_NULL);
if (reg == DR_REG_NULL)
reg = DR_REG_XCX; /* randomly use one if no dead reg found */
/* save register if necessary */
if (steal)
dr_save_reg(drcontext, bb, first, reg, SPILL_SLOT_1);
/* load buffer pointer from TLS field */
MINSERT(bb, first, INSTR_CREATE_mov_ld
(drcontext,
opnd_create_reg(reg),
opnd_create_far_base_disp(tls_seg, DR_REG_NULL, DR_REG_NULL,
0, tls_offs, OPSZ_PTR)));
/* store bb's start pc into the buffer */
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)pc,
OPND_CREATE_MEMPTR(reg, 0),
bb, first, &mov1, &mov2);
DR_ASSERT(mov1 != NULL);
instr_set_ok_to_mangle(mov1, false);
if (mov2 != NULL)
instr_set_ok_to_mangle(mov2, false);
/* update the TLS buffer pointer by incrementing just the bottom 16 bits of
* the pointer
*/
if (bb_aflags_are_dead(bb, first)) {
/* if aflags are dead, we use add directly */
MINSERT(bb, first, INSTR_CREATE_add
(drcontext,
opnd_create_far_base_disp(tls_seg, DR_REG_NULL, DR_REG_NULL,
0, tls_offs, OPSZ_2),
OPND_CREATE_INT8(sizeof(app_pc))));
} else {
reg_id_t reg_16;
#ifdef X64
reg_16 = reg_32_to_16(reg_64_to_32(reg));
#else
reg_16 = reg_32_to_16(reg);
#endif
/* we use lea to avoid aflags save/restore */
MINSERT(bb, first, INSTR_CREATE_lea
(drcontext,
opnd_create_reg(reg_16),
opnd_create_base_disp(reg, DR_REG_NULL, 0,
sizeof(app_pc), OPSZ_lea)));
MINSERT(bb, first, INSTR_CREATE_mov_st
(drcontext,
opnd_create_far_base_disp(tls_seg, DR_REG_NULL, DR_REG_NULL,
0, tls_offs, OPSZ_PTR),
opnd_create_reg(reg)));
}
/* restore register if necessary */
if (steal)
dr_restore_reg(drcontext, bb, first, reg, SPILL_SLOT_1);
return DR_EMIT_DEFAULT;
}
/* instrument_instr is called whenever a memory reference is identified.
* It inserts code before the memory reference to to fill the memory buffer
* and jump to our own code cache to call the clean_call when the buffer is full.
*/
static void
instrument_instr(void *drcontext, instrlist_t *ilist, instr_t *where)
{
instr_t *instr, *call, *restore;
opnd_t opnd1, opnd2;
reg_id_t reg1, reg2;
drvector_t allowed;
per_thread_t *data;
app_pc pc;
data = drmgr_get_tls_field(drcontext, tls_index);
/* Steal two scratch registers.
* reg2 must be ECX or RCX for jecxz.
*/
drreg_init_and_fill_vector(&allowed, false);
drreg_set_vector_entry(&allowed, DR_REG_XCX, true);
if (drreg_reserve_register(drcontext, ilist, where, &allowed, ®2) !=
DRREG_SUCCESS ||
drreg_reserve_register(drcontext, ilist, where, NULL, ®1) != DRREG_SUCCESS) {
DR_ASSERT(false); /* cannot recover */
drvector_delete(&allowed);
return;
}
drvector_delete(&allowed);
/* The following assembly performs the following instructions
* buf_ptr->pc = pc;
* buf_ptr->opcode = opcode;
* buf_ptr++;
* if (buf_ptr >= buf_end_ptr)
* clean_call();
*/
drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg2);
/* Load data->buf_ptr into reg2 */
opnd1 = opnd_create_reg(reg2);
opnd2 = OPND_CREATE_MEMPTR(reg2, offsetof(per_thread_t, buf_ptr));
instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Store pc */
pc = instr_get_app_pc(where);
/* For 64-bit, we can't use a 64-bit immediate so we split pc into two halves.
* We could alternatively load it into reg1 and then store reg1.
* We use a convenience routine that does the two-step store for us.
*/
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(ins_ref_t, pc));
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t) pc, opnd1,
ilist, where, NULL, NULL);
/* Store opcode */
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(ins_ref_t, opcode));
opnd2 = OPND_CREATE_INT32(instr_get_opcode(where));
instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Increment reg value by pointer size using lea instr */
opnd1 = opnd_create_reg(reg2);
opnd2 = opnd_create_base_disp(reg2, DR_REG_NULL, 0, sizeof(ins_ref_t), OPSZ_lea);
instr = INSTR_CREATE_lea(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Update the data->buf_ptr */
drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg1);
opnd1 = OPND_CREATE_MEMPTR(reg1, offsetof(per_thread_t, buf_ptr));
opnd2 = opnd_create_reg(reg2);
instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* We use the lea + jecxz trick for better performance.
* lea and jecxz won't disturb the eflags, so we won't need
* code to save and restore the application's eflags.
*/
/* lea [reg2 - buf_end] => reg2 */
opnd1 = opnd_create_reg(reg1);
opnd2 = OPND_CREATE_MEMPTR(reg1, offsetof(per_thread_t, buf_end));
instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
opnd1 = opnd_create_reg(reg2);
opnd2 = opnd_create_base_disp(reg1, reg2, 1, 0, OPSZ_lea);
instr = INSTR_CREATE_lea(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* jecxz call */
call = INSTR_CREATE_label(drcontext);
opnd1 = opnd_create_instr(call);
instr = INSTR_CREATE_jecxz(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* jump restore to skip clean call */
restore = INSTR_CREATE_label(drcontext);
opnd1 = opnd_create_instr(restore);
instr = INSTR_CREATE_jmp(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* clean call */
/* We jump to our generated lean procedure which performs a full context
* switch and clean call invocation. This is to reduce the code cache size.
*/
instrlist_meta_preinsert(ilist, where, call);
/* mov restore DR_REG_XCX */
opnd1 = opnd_create_reg(reg2);
/* This is the return address for jumping back from the lean procedure. */
opnd2 = opnd_create_instr(restore);
/* We could use instrlist_insert_mov_instr_addr(), but with a register
* destination we know we can use a 64-bit immediate.
*/
instr = INSTR_CREATE_mov_imm(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* jmp code_cache */
opnd1 = opnd_create_pc(code_cache);
instr = INSTR_CREATE_jmp(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* Restore scratch registers */
instrlist_meta_preinsert(ilist, where, restore);
if (drreg_unreserve_register(drcontext, ilist, where, reg1) != DRREG_SUCCESS ||
drreg_unreserve_register(drcontext, ilist, where, reg2) != DRREG_SUCCESS)
DR_ASSERT(false);
}
/*
* instrument_mem is called whenever a memory reference is identified.
* It inserts code before the memory reference to to fill the memory buffer
* and jump to our own code cache to call the clean_call when the buffer is full.
*/
static void
instrument_mem(void *drcontext, instrlist_t *ilist, instr_t *where,
int pos, bool write)
{
instr_t *instr, *call, *restore, *first, *second;
opnd_t ref, opnd1, opnd2;
reg_id_t reg1 = DR_REG_XBX; /* We can optimize it by picking dead reg */
reg_id_t reg2 = DR_REG_XCX; /* reg2 must be ECX or RCX for jecxz */
per_thread_t *data;
app_pc pc;
data = drmgr_get_tls_field(drcontext, tls_index);
/* Steal the register for memory reference address *
* We can optimize away the unnecessary register save and restore
* by analyzing the code and finding the register is dead.
*/
dr_save_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
dr_save_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
if (write)
ref = instr_get_dst(where, pos);
else
ref = instr_get_src(where, pos);
/* use drutil to get mem address */
drutil_insert_get_mem_addr(drcontext, ilist, where, ref, reg1, reg2);
/* The following assembly performs the following instructions
* buf_ptr->write = write;
* buf_ptr->addr = addr;
* buf_ptr->size = size;
* buf_ptr->pc = pc;
* buf_ptr++;
* if (buf_ptr >= buf_end_ptr)
* clean_call();
*/
drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg2);
/* Load data->buf_ptr into reg2 */
opnd1 = opnd_create_reg(reg2);
opnd2 = OPND_CREATE_MEMPTR(reg2, offsetof(per_thread_t, buf_ptr));
instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Move write/read to write field */
opnd1 = OPND_CREATE_MEM32(reg2, offsetof(mem_ref_t, write));
opnd2 = OPND_CREATE_INT32(write);
instr = INSTR_CREATE_mov_imm(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Store address in memory ref */
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(mem_ref_t, addr));
opnd2 = opnd_create_reg(reg1);
instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Store size in memory ref */
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(mem_ref_t, size));
/* drutil_opnd_mem_size_in_bytes handles OP_enter */
opnd2 = OPND_CREATE_INT32(drutil_opnd_mem_size_in_bytes(ref, where));
instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Store pc in memory ref */
pc = instr_get_app_pc(where);
/* For 64-bit, we can't use a 64-bit immediate so we split pc into two halves.
* We could alternatively load it into reg1 and then store reg1.
* We use a convenience routine that does the two-step store for us.
*/
opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(mem_ref_t, pc));
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t) pc, opnd1,
ilist, where, &first, &second);
instr_set_ok_to_mangle(first, false/*meta*/);
if (second != NULL)
instr_set_ok_to_mangle(second, false/*meta*/);
/* Increment reg value by pointer size using lea instr */
opnd1 = opnd_create_reg(reg2);
opnd2 = opnd_create_base_disp(reg2, DR_REG_NULL, 0,
sizeof(mem_ref_t),
OPSZ_lea);
instr = INSTR_CREATE_lea(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* Update the data->buf_ptr */
drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg1);
opnd1 = OPND_CREATE_MEMPTR(reg1, offsetof(per_thread_t, buf_ptr));
opnd2 = opnd_create_reg(reg2);
instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* we use lea + jecxz trick for better performance
* lea and jecxz won't disturb the eflags, so we won't insert
* code to save and restore application's eflags.
*/
/* lea [reg2 - buf_end] => reg2 */
opnd1 = opnd_create_reg(reg1);
opnd2 = OPND_CREATE_MEMPTR(reg1, offsetof(per_thread_t, buf_end));
instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
opnd1 = opnd_create_reg(reg2);
opnd2 = opnd_create_base_disp(reg1, reg2, 1, 0, OPSZ_lea);
instr = INSTR_CREATE_lea(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* jecxz call */
call = INSTR_CREATE_label(drcontext);
opnd1 = opnd_create_instr(call);
instr = INSTR_CREATE_jecxz(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* jump restore to skip clean call */
restore = INSTR_CREATE_label(drcontext);
opnd1 = opnd_create_instr(restore);
instr = INSTR_CREATE_jmp(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* clean call */
/* We jump to lean procedure which performs full context switch and
* clean call invocation. This is to reduce the code cache size.
*/
instrlist_meta_preinsert(ilist, where, call);
/* mov restore DR_REG_XCX */
opnd1 = opnd_create_reg(reg2);
/* this is the return address for jumping back from lean procedure */
opnd2 = opnd_create_instr(restore);
/* We could use instrlist_insert_mov_instr_addr(), but with a register
* destination we know we can use a 64-bit immediate.
*/
instr = INSTR_CREATE_mov_imm(drcontext, opnd1, opnd2);
instrlist_meta_preinsert(ilist, where, instr);
/* jmp code_cache */
opnd1 = opnd_create_pc(code_cache);
instr = INSTR_CREATE_jmp(drcontext, opnd1);
instrlist_meta_preinsert(ilist, where, instr);
/* restore %reg */
instrlist_meta_preinsert(ilist, where, restore);
dr_restore_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
dr_restore_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
}
static dr_emit_flags_t
event_app_instruction(void *drcontext, void *tag, instrlist_t *bb, instr_t *inst,
bool for_trace, bool translating, void *user_data)
{
reg_id_t reg_ptr = IF_X86_ELSE(DR_REG_XDX, TEST_REG);
reg_id_t reg_tmp = IF_X86_ELSE(DR_REG_XCX, DR_REG_R3);
/* We need a third register on ARM, because updating the buf pointer
* requires a second scratch reg.
*/
reg_id_t scratch = IF_X86_ELSE(reg_tmp, DR_REG_R5);
ptr_int_t subtest = (ptr_int_t) user_data;
if (!instr_is_label(inst))
return DR_EMIT_DEFAULT;
#ifdef X86
scratch = reg_resize_to_opsz(scratch, OPSZ_4);
#endif
if (subtest == DRX_BUF_TEST_1_C) {
/* testing fast circular buffer */
/* test to make sure that on first invocation, the buffer is empty */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_empty, false, 1,
OPND_CREATE_INTPTR(circular_fast));
/* load the buf pointer, and then write a garbage element to the buffer */
drx_buf_insert_load_buf_ptr(drcontext, circular_fast, bb, inst, reg_ptr);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch), OPSZ_4, 0);
drx_buf_insert_update_buf_ptr(drcontext, circular_fast, bb, inst, reg_ptr,
reg_tmp, sizeof(int));
/* verify the buffer was written to */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_dirty, false, 2,
OPND_CREATE_INTPTR(circular_fast),
opnd_create_reg(scratch));
/* fast circular buffer: trigger an overflow */
drx_buf_insert_load_buf_ptr(drcontext, circular_fast, bb, inst, reg_ptr);
drx_buf_insert_update_buf_ptr(drcontext, circular_fast, bb, inst, reg_ptr,
reg_tmp, CIRCULAR_FAST_SZ - sizeof(int));
/* the buffer is now clean */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_empty, false, 1,
OPND_CREATE_INTPTR(circular_fast));
} else if (subtest == DRX_BUF_TEST_2_C) {
/* testing slow circular buffer */
/* test to make sure that on first invocation, the buffer is empty */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_empty, false, 1,
OPND_CREATE_INTPTR(circular_slow));
/* load the buf pointer, and then write an element to the buffer */
drx_buf_insert_load_buf_ptr(drcontext, circular_slow, bb, inst, reg_ptr);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch), OPSZ_4, 0);
drx_buf_insert_update_buf_ptr(drcontext, circular_slow, bb, inst, reg_ptr,
DR_REG_NULL, sizeof(int));
/* verify the buffer was written to */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_dirty, false, 2,
OPND_CREATE_INTPTR(circular_slow),
opnd_create_reg(scratch));
/* slow circular buffer: trigger a fault */
drx_buf_insert_load_buf_ptr(drcontext, circular_slow, bb, inst, reg_ptr);
drx_buf_insert_update_buf_ptr(drcontext, circular_slow, bb, inst, reg_ptr,
DR_REG_NULL, CIRCULAR_SLOW_SZ - sizeof(int));
/* the "trigger" is a write, so we write whatever garbage is in reg_tmp */
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch), OPSZ_4, 0);
/* the buffer is now clean */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_empty, false, 1,
OPND_CREATE_INTPTR(circular_slow));
} else if (subtest == DRX_BUF_TEST_3_C) {
/* testing trace buffer */
/* test to make sure that on first invocation, the buffer is empty */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_empty, false, 1,
OPND_CREATE_INTPTR(trace));
/* load the buf pointer, and then write an element to the buffer */
drx_buf_insert_load_buf_ptr(drcontext, trace, bb, inst, reg_ptr);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch), OPSZ_4, 0);
drx_buf_insert_update_buf_ptr(drcontext, trace, bb, inst, reg_ptr,
DR_REG_NULL, sizeof(int));
/* verify the buffer was written to */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_dirty, false, 2,
OPND_CREATE_INTPTR(trace),
opnd_create_reg(scratch));
/* trace buffer: trigger a fault and verify */
drx_buf_insert_load_buf_ptr(drcontext, trace, bb, inst, reg_ptr);
drx_buf_insert_update_buf_ptr(drcontext, trace, bb, inst, reg_ptr,
DR_REG_NULL, TRACE_SZ - sizeof(int));
/* the "trigger" is a write, so we write whatever garbage is in reg_tmp */
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch), OPSZ_4, 0);
/* the buffer is now clean */
dr_insert_clean_call(drcontext, bb, inst, verify_buffers_empty, false, 1,
OPND_CREATE_INTPTR(trace));
} else if (subtest == DRX_BUF_TEST_4_C) {
/* test immediate store: 8 bytes (if possible), 4 bytes, 2 bytes and 1 byte */
/* "ABCDEFGH\x00" (x2 for x64) */
drx_buf_insert_load_buf_ptr(drcontext, circular_fast, bb, inst, reg_ptr);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x41, OPSZ_1),
OPSZ_1, 0);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x42, OPSZ_1),
OPSZ_1, 1);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x4443, OPSZ_2),
OPSZ_2, 2);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x48474645, OPSZ_4),
OPSZ_4, 4);
#ifdef X64
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x4847464544434241,
OPSZ_8),
OPSZ_8, 8);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x00, OPSZ_1),
OPSZ_1, 17);
#else
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x00, OPSZ_1),
OPSZ_1, 9);
#endif
dr_insert_clean_call(drcontext, bb, inst, verify_store, false, 1,
OPND_CREATE_INTPTR(circular_fast));
} else if (subtest == DRX_BUF_TEST_5_C) {
/* test register store: 8 bytes (if possible), 4 bytes, 2 bytes and 1 byte */
/* "ABCDEFGH\x00" (x2 for x64) */
drx_buf_insert_load_buf_ptr(drcontext, circular_fast, bb, inst, reg_ptr);
scratch = reg_resize_to_opsz(scratch, OPSZ_1);
MINSERT(bb, inst, XINST_CREATE_load_int
(drcontext,
opnd_create_reg(scratch),
opnd_create_immed_int(0x41, OPSZ_1)));
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch),
OPSZ_1, 0);
MINSERT(bb, inst, XINST_CREATE_load_int
(drcontext,
opnd_create_reg(scratch),
opnd_create_immed_int(0x42, OPSZ_1)));
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch),
OPSZ_1, 1);
scratch = reg_resize_to_opsz(scratch, OPSZ_2);
MINSERT(bb, inst, XINST_CREATE_load_int
(drcontext,
opnd_create_reg(scratch),
opnd_create_immed_int(0x4443, OPSZ_2)));
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch),
OPSZ_2, 2);
scratch = reg_resize_to_opsz(scratch, OPSZ_4);
#ifdef X86
MINSERT(bb, inst, XINST_CREATE_load_int
(drcontext,
opnd_create_reg(scratch),
opnd_create_immed_int(0x48474645, OPSZ_4)));
#else
instrlist_insert_mov_immed_ptrsz(drcontext, 0x48474645,
opnd_create_reg(reg_resize_to_opsz
(scratch, OPSZ_PTR)),
bb, inst, NULL, NULL);
#endif
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch),
OPSZ_4, 4);
#ifdef X64
scratch = reg_resize_to_opsz(scratch, OPSZ_8);
/* only way to reliably move a 64 bit int into a register */
instrlist_insert_mov_immed_ptrsz(drcontext, 0x4847464544434241,
opnd_create_reg(scratch),
bb, inst, NULL, NULL);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
DR_REG_NULL, opnd_create_reg(scratch),
OPSZ_8, 8);
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x00, OPSZ_1),
OPSZ_1, 17);
#else
drx_buf_insert_buf_store(drcontext, circular_fast, bb, inst, reg_ptr,
scratch, opnd_create_immed_int(0x00, OPSZ_1),
OPSZ_1, 9);
#endif
dr_insert_clean_call(drcontext, bb, inst, verify_store, false, 1,
OPND_CREATE_INTPTR(circular_fast));
} else if (subtest == DRX_BUF_TEST_6_C) {
/* Currently, the fast circular buffer does not recommend variable-size
* writes, for good reason. We don't test the memcpy operation on the
* fast circular buffer.
*/
/* verify memcpy works on the slow clrcular buffer */
drx_buf_insert_load_buf_ptr(drcontext, circular_slow, bb, inst, reg_ptr);
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)test_copy,
opnd_create_reg(reg_resize_to_opsz
(scratch, OPSZ_PTR)),
bb, inst, NULL, NULL);
drx_buf_insert_buf_memcpy(drcontext, circular_slow, bb, inst,
reg_ptr, reg_resize_to_opsz(scratch, OPSZ_PTR),
sizeof(test_copy));
/* NULL out the buffer */
drx_buf_insert_load_buf_ptr(drcontext, circular_slow, bb, inst, reg_ptr);
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)test_null,
opnd_create_reg(reg_resize_to_opsz
(scratch, OPSZ_PTR)),
bb, inst, NULL, NULL);
drx_buf_insert_buf_memcpy(drcontext, circular_slow, bb, inst,
reg_ptr, reg_resize_to_opsz(scratch, OPSZ_PTR),
sizeof(test_null));
/* Unfortunately, we can't just use the check in verify_buffer_empty, because
* drx_buf_insert_buf_memcpy() incrememnts the buffer pointer internally, unlike
* drx_buf_insert_buf_store(). We simply check that the buffer was NULLed out.
*/
dr_insert_clean_call(drcontext, bb, inst, (void *)verify_buffers_nulled, false, 1,
OPND_CREATE_INTPTR(circular_slow));
/* verify memcpy works on the trace buffer */
drx_buf_insert_load_buf_ptr(drcontext, trace, bb, inst, reg_ptr);
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)test_copy,
opnd_create_reg(reg_resize_to_opsz
(scratch, OPSZ_PTR)),
bb, inst, NULL, NULL);
drx_buf_insert_buf_memcpy(drcontext, trace, bb, inst,
reg_ptr, reg_resize_to_opsz(scratch, OPSZ_PTR),
sizeof(test_copy));
/* NULL out the buffer */
drx_buf_insert_load_buf_ptr(drcontext, trace, bb, inst, reg_ptr);
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)test_null,
opnd_create_reg(reg_resize_to_opsz
(scratch, OPSZ_PTR)),
bb, inst, NULL, NULL);
drx_buf_insert_buf_memcpy(drcontext, trace, bb, inst,
reg_ptr, reg_resize_to_opsz(scratch, OPSZ_PTR),
sizeof(test_null));
/* verify buffer was NULLed */
dr_insert_clean_call(drcontext, bb, inst, (void *)verify_buffers_nulled, false, 1,
OPND_CREATE_INTPTR(trace));
}
return DR_EMIT_DEFAULT;
}
static
dr_emit_flags_t bb_event(void* drcontext, void *tag, instrlist_t* bb, bool for_trace, bool translating)
{
instr_t* instr = instrlist_first(bb);
instr_t *ins1, *ins2;
global_var = (ptr_uint_t)INT_MAX + 1;
dr_prepare_for_call(drcontext, bb, instr);
/* test push_imm */
instrlist_insert_push_immed_ptrsz(drcontext, (ptr_int_t)1,
bb, instr, &ins1, &ins2);
instr_set_ok_to_mangle(ins1, false);
if (ins2 != NULL) /* ins2 should be NULL */
dr_fprintf(STDERR, "Error on push 1\n");
#ifdef X64
MINSERT(bb, instr, INSTR_CREATE_mov_ld
(drcontext,
opnd_create_reg(IF_LINUX_ELSE(DR_REG_RDX, DR_REG_R8)),
OPND_CREATE_MEMPTR(DR_REG_RSP, 0)));
#endif
instrlist_insert_push_immed_ptrsz(drcontext, (ptr_int_t)-1,
bb, instr, &ins1, &ins2);
instr_set_ok_to_mangle(ins1, false);
if (ins2 != NULL) /* ins2 should be NULL */
dr_fprintf(STDERR, "Error on push -1\n");
#ifdef X64
MINSERT(bb, instr, INSTR_CREATE_mov_ld
(drcontext,
opnd_create_reg(IF_LINUX_ELSE(DR_REG_RSI, DR_REG_RDX)),
OPND_CREATE_MEMPTR(DR_REG_RSP, 0)));
#endif
instrlist_insert_push_immed_ptrsz(drcontext, global_var,
bb, instr, &ins1, &ins2);
instr_set_ok_to_mangle(ins1, false);
#ifdef X64
if (ins2 == NULL) /* ins2 should not be NULL */
dr_fprintf(STDERR, "Error on push tag\n");
else
instr_set_ok_to_mangle(ins2, false);
#endif
#ifdef X64
MINSERT(bb, instr, INSTR_CREATE_mov_ld
(drcontext,
opnd_create_reg(IF_LINUX_ELSE(DR_REG_RDI, DR_REG_RCX)),
OPND_CREATE_MEMPTR(DR_REG_RSP, 0)));
#endif
/* test mov_imm */
instrlist_insert_mov_immed_ptrsz(drcontext, global_var,
OPND_CREATE_ABSMEM(&var0, OPSZ_PTR),
bb, instr,
&ins1, &ins2);
instr_set_ok_to_mangle(ins1, false);
#ifdef X64
if (ins2 == NULL) /* ins2 should not be NULL */
dr_fprintf(STDERR, "Error on mov %p\n", global_var);
else
instr_set_ok_to_mangle(ins2, false);
#endif
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)-1,
OPND_CREATE_ABSMEM(&var1, OPSZ_PTR),
bb, instr, &ins1, &ins2);
instr_set_ok_to_mangle(ins1, false);
if (ins2 != NULL) /* ins2 should be NULL */
dr_fprintf(STDERR, "Error on mov -1\n");
instrlist_insert_mov_immed_ptrsz(drcontext, (ptr_int_t)1,
OPND_CREATE_ABSMEM(&var2, OPSZ_PTR),
bb, instr, &ins1, &ins2);
instr_set_ok_to_mangle(ins1, false);
if (ins2 != NULL) /* ins2 should be NULL */
dr_fprintf(STDERR, "Error on mov 1\n");
/* call */
MINSERT(bb, instr, INSTR_CREATE_call
(drcontext, opnd_create_pc((void*)my_abort)));
dr_cleanup_after_call(drcontext, bb, instr, 0);
return DR_EMIT_DEFAULT;
}
