1 //===-- IRDynamicChecks.cpp -------------------------------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 10 // C Includes 11 // C++ Includes 12 // Other libraries and framework includes 13 #include "llvm/Support/raw_ostream.h" 14 #include "llvm/IR/Constants.h" 15 #include "llvm/IR/DataLayout.h" 16 #include "llvm/IR/Function.h" 17 #include "llvm/IR/Instructions.h" 18 #include "llvm/IR/Module.h" 19 #include "llvm/IR/Value.h" 20 21 // Project includes 22 #include "lldb/Expression/IRDynamicChecks.h" 23 24 #include "lldb/Core/ConstString.h" 25 #include "lldb/Core/Log.h" 26 #include "lldb/Expression/UtilityFunction.h" 27 #include "lldb/Target/ExecutionContext.h" 28 #include "lldb/Target/ObjCLanguageRuntime.h" 29 #include "lldb/Target/Process.h" 30 #include "lldb/Target/StackFrame.h" 31 #include "lldb/Target/Target.h" 32 33 using namespace llvm; 34 using namespace lldb_private; 35 36 static char ID; 37 38 #define VALID_POINTER_CHECK_NAME "_$__lldb_valid_pointer_check" 39 #define VALID_OBJC_OBJECT_CHECK_NAME "$__lldb_objc_object_check" 40 41 static const char g_valid_pointer_check_text[] = 42 "extern \"C\" void\n" 43 "_$__lldb_valid_pointer_check (unsigned char *$__lldb_arg_ptr)\n" 44 "{\n" 45 " unsigned char $__lldb_local_val = *$__lldb_arg_ptr;\n" 46 "}"; 47 48 DynamicCheckerFunctions::DynamicCheckerFunctions() = default; 49 50 DynamicCheckerFunctions::~DynamicCheckerFunctions() = default; 51 52 bool 53 DynamicCheckerFunctions::Install(DiagnosticManager &diagnostic_manager, ExecutionContext &exe_ctx) 54 { 55 Error error; 56 m_valid_pointer_check.reset(exe_ctx.GetTargetRef().GetUtilityFunctionForLanguage(g_valid_pointer_check_text, 57 lldb::eLanguageTypeC, 58 VALID_POINTER_CHECK_NAME, 59 error)); 60 if (error.Fail()) 61 return false; 62 63 if (!m_valid_pointer_check->Install(diagnostic_manager, exe_ctx)) 64 return false; 65 66 Process *process = exe_ctx.GetProcessPtr(); 67 68 if (process) 69 { 70 ObjCLanguageRuntime *objc_language_runtime = process->GetObjCLanguageRuntime(); 71 72 if (objc_language_runtime) 73 { 74 m_objc_object_check.reset(objc_language_runtime->CreateObjectChecker(VALID_OBJC_OBJECT_CHECK_NAME)); 75 76 if (!m_objc_object_check->Install(diagnostic_manager, exe_ctx)) 77 return false; 78 } 79 } 80 81 return true; 82 } 83 84 bool 85 DynamicCheckerFunctions::DoCheckersExplainStop (lldb::addr_t addr, Stream &message) 86 { 87 // FIXME: We have to get the checkers to know why they scotched the call in more detail, 88 // so we can print a better message here. 89 if (m_valid_pointer_check && m_valid_pointer_check->ContainsAddress(addr)) 90 { 91 message.Printf ("Attempted to dereference an invalid pointer."); 92 return true; 93 } 94 else if (m_objc_object_check && m_objc_object_check->ContainsAddress(addr)) 95 { 96 message.Printf ("Attempted to dereference an invalid ObjC Object or send it an unrecognized selector"); 97 return true; 98 } 99 return false; 100 } 101 102 static std::string 103 PrintValue(llvm::Value *V, bool truncate = false) 104 { 105 std::string s; 106 raw_string_ostream rso(s); 107 V->print(rso); 108 rso.flush(); 109 if (truncate) 110 s.resize(s.length() - 1); 111 return s; 112 } 113 114 //---------------------------------------------------------------------- 115 /// @class Instrumenter IRDynamicChecks.cpp 116 /// @brief Finds and instruments individual LLVM IR instructions 117 /// 118 /// When instrumenting LLVM IR, it is frequently desirable to first search 119 /// for instructions, and then later modify them. This way iterators 120 /// remain intact, and multiple passes can look at the same code base without 121 /// treading on each other's toes. 122 /// 123 /// The Instrumenter class implements this functionality. A client first 124 /// calls Inspect on a function, which populates a list of instructions to 125 /// be instrumented. Then, later, when all passes' Inspect functions have 126 /// been called, the client calls Instrument, which adds the desired 127 /// instrumentation. 128 /// 129 /// A subclass of Instrumenter must override InstrumentInstruction, which 130 /// is responsible for adding whatever instrumentation is necessary. 131 /// 132 /// A subclass of Instrumenter may override: 133 /// 134 /// - InspectInstruction [default: does nothing] 135 /// 136 /// - InspectBasicBlock [default: iterates through the instructions in a 137 /// basic block calling InspectInstruction] 138 /// 139 /// - InspectFunction [default: iterates through the basic blocks in a 140 /// function calling InspectBasicBlock] 141 //---------------------------------------------------------------------- 142 class Instrumenter { 143 public: 144 //------------------------------------------------------------------ 145 /// Constructor 146 /// 147 /// @param[in] module 148 /// The module being instrumented. 149 //------------------------------------------------------------------ 150 Instrumenter (llvm::Module &module, 151 DynamicCheckerFunctions &checker_functions) : 152 m_module(module), 153 m_checker_functions(checker_functions), 154 m_i8ptr_ty(nullptr), 155 m_intptr_ty(nullptr) 156 { 157 } 158 159 virtual ~Instrumenter() = default; 160 161 //------------------------------------------------------------------ 162 /// Inspect a function to find instructions to instrument 163 /// 164 /// @param[in] function 165 /// The function to inspect. 166 /// 167 /// @return 168 /// True on success; false on error. 169 //------------------------------------------------------------------ 170 bool Inspect (llvm::Function &function) 171 { 172 return InspectFunction(function); 173 } 174 175 //------------------------------------------------------------------ 176 /// Instrument all the instructions found by Inspect() 177 /// 178 /// @return 179 /// True on success; false on error. 180 //------------------------------------------------------------------ 181 bool Instrument () 182 { 183 for (InstIterator ii = m_to_instrument.begin(), last_ii = m_to_instrument.end(); 184 ii != last_ii; 185 ++ii) 186 { 187 if (!InstrumentInstruction(*ii)) 188 return false; 189 } 190 191 return true; 192 } 193 194 protected: 195 //------------------------------------------------------------------ 196 /// Add instrumentation to a single instruction 197 /// 198 /// @param[in] inst 199 /// The instruction to be instrumented. 200 /// 201 /// @return 202 /// True on success; false otherwise. 203 //------------------------------------------------------------------ 204 virtual bool InstrumentInstruction(llvm::Instruction *inst) = 0; 205 206 //------------------------------------------------------------------ 207 /// Register a single instruction to be instrumented 208 /// 209 /// @param[in] inst 210 /// The instruction to be instrumented. 211 //------------------------------------------------------------------ 212 void RegisterInstruction(llvm::Instruction &i) 213 { 214 m_to_instrument.push_back(&i); 215 } 216 217 //------------------------------------------------------------------ 218 /// Determine whether a single instruction is interesting to 219 /// instrument, and, if so, call RegisterInstruction 220 /// 221 /// @param[in] i 222 /// The instruction to be inspected. 223 /// 224 /// @return 225 /// False if there was an error scanning; true otherwise. 226 //------------------------------------------------------------------ 227 virtual bool InspectInstruction(llvm::Instruction &i) 228 { 229 return true; 230 } 231 232 //------------------------------------------------------------------ 233 /// Scan a basic block to see if any instructions are interesting 234 /// 235 /// @param[in] bb 236 /// The basic block to be inspected. 237 /// 238 /// @return 239 /// False if there was an error scanning; true otherwise. 240 //------------------------------------------------------------------ 241 virtual bool InspectBasicBlock(llvm::BasicBlock &bb) 242 { 243 for (llvm::BasicBlock::iterator ii = bb.begin(), last_ii = bb.end(); 244 ii != last_ii; 245 ++ii) 246 { 247 if (!InspectInstruction(*ii)) 248 return false; 249 } 250 251 return true; 252 } 253 254 //------------------------------------------------------------------ 255 /// Scan a function to see if any instructions are interesting 256 /// 257 /// @param[in] f 258 /// The function to be inspected. 259 /// 260 /// @return 261 /// False if there was an error scanning; true otherwise. 262 //------------------------------------------------------------------ 263 virtual bool InspectFunction(llvm::Function &f) 264 { 265 for (llvm::Function::iterator bbi = f.begin(), last_bbi = f.end(); 266 bbi != last_bbi; 267 ++bbi) 268 { 269 if (!InspectBasicBlock(*bbi)) 270 return false; 271 } 272 273 return true; 274 } 275 276 //------------------------------------------------------------------ 277 /// Build a function pointer for a function with signature 278 /// void (*)(uint8_t*) with a given address 279 /// 280 /// @param[in] start_address 281 /// The address of the function. 282 /// 283 /// @return 284 /// The function pointer, for use in a CallInst. 285 //------------------------------------------------------------------ 286 llvm::Value *BuildPointerValidatorFunc(lldb::addr_t start_address) 287 { 288 llvm::Type *param_array[1]; 289 290 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 291 292 ArrayRef<llvm::Type*> params(param_array, 1); 293 294 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true); 295 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 296 Constant *fun_addr_int = ConstantInt::get(GetIntptrTy(), start_address, false); 297 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 298 } 299 300 //------------------------------------------------------------------ 301 /// Build a function pointer for a function with signature 302 /// void (*)(uint8_t*, uint8_t*) with a given address 303 /// 304 /// @param[in] start_address 305 /// The address of the function. 306 /// 307 /// @return 308 /// The function pointer, for use in a CallInst. 309 //------------------------------------------------------------------ 310 llvm::Value *BuildObjectCheckerFunc(lldb::addr_t start_address) 311 { 312 llvm::Type *param_array[2]; 313 314 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 315 param_array[1] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 316 317 ArrayRef<llvm::Type*> params(param_array, 2); 318 319 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true); 320 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 321 Constant *fun_addr_int = ConstantInt::get(GetIntptrTy(), start_address, false); 322 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 323 } 324 325 PointerType *GetI8PtrTy() 326 { 327 if (!m_i8ptr_ty) 328 m_i8ptr_ty = llvm::Type::getInt8PtrTy(m_module.getContext()); 329 330 return m_i8ptr_ty; 331 } 332 333 IntegerType *GetIntptrTy() 334 { 335 if (!m_intptr_ty) 336 { 337 llvm::DataLayout data_layout(&m_module); 338 339 m_intptr_ty = llvm::Type::getIntNTy(m_module.getContext(), data_layout.getPointerSizeInBits()); 340 } 341 342 return m_intptr_ty; 343 } 344 345 typedef std::vector <llvm::Instruction *> InstVector; 346 typedef InstVector::iterator InstIterator; 347 348 InstVector m_to_instrument; ///< List of instructions the inspector found 349 llvm::Module &m_module; ///< The module which is being instrumented 350 DynamicCheckerFunctions &m_checker_functions; ///< The dynamic checker functions for the process 351 352 private: 353 PointerType *m_i8ptr_ty; 354 IntegerType *m_intptr_ty; 355 }; 356 357 class ValidPointerChecker : public Instrumenter 358 { 359 public: 360 ValidPointerChecker (llvm::Module &module, 361 DynamicCheckerFunctions &checker_functions) : 362 Instrumenter(module, checker_functions), 363 m_valid_pointer_check_func(nullptr) 364 { 365 } 366 367 ~ValidPointerChecker() override = default; 368 369 protected: 370 bool InstrumentInstruction(llvm::Instruction *inst) override 371 { 372 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 373 374 if (log) 375 log->Printf("Instrumenting load/store instruction: %s\n", 376 PrintValue(inst).c_str()); 377 378 if (!m_valid_pointer_check_func) 379 m_valid_pointer_check_func = BuildPointerValidatorFunc(m_checker_functions.m_valid_pointer_check->StartAddress()); 380 381 llvm::Value *dereferenced_ptr = nullptr; 382 383 if (llvm::LoadInst *li = dyn_cast<llvm::LoadInst> (inst)) 384 dereferenced_ptr = li->getPointerOperand(); 385 else if (llvm::StoreInst *si = dyn_cast<llvm::StoreInst> (inst)) 386 dereferenced_ptr = si->getPointerOperand(); 387 else 388 return false; 389 390 // Insert an instruction to cast the loaded value to int8_t* 391 392 BitCastInst *bit_cast = new BitCastInst(dereferenced_ptr, 393 GetI8PtrTy(), 394 "", 395 inst); 396 397 // Insert an instruction to call the helper with the result 398 399 llvm::Value *arg_array[1]; 400 401 arg_array[0] = bit_cast; 402 403 llvm::ArrayRef<llvm::Value *> args(arg_array, 1); 404 405 CallInst::Create(m_valid_pointer_check_func, 406 args, 407 "", 408 inst); 409 410 return true; 411 } 412 413 bool InspectInstruction(llvm::Instruction &i) override 414 { 415 if (dyn_cast<llvm::LoadInst> (&i) || 416 dyn_cast<llvm::StoreInst> (&i)) 417 RegisterInstruction(i); 418 419 return true; 420 } 421 422 private: 423 llvm::Value *m_valid_pointer_check_func; 424 }; 425 426 class ObjcObjectChecker : public Instrumenter 427 { 428 public: 429 ObjcObjectChecker(llvm::Module &module, 430 DynamicCheckerFunctions &checker_functions) : 431 Instrumenter(module, checker_functions), 432 m_objc_object_check_func(nullptr) 433 { 434 } 435 436 ~ObjcObjectChecker() override = default; 437 438 enum msgSend_type 439 { 440 eMsgSend = 0, 441 eMsgSendSuper, 442 eMsgSendSuper_stret, 443 eMsgSend_fpret, 444 eMsgSend_stret 445 }; 446 447 std::map <llvm::Instruction *, msgSend_type> msgSend_types; 448 449 protected: 450 bool InstrumentInstruction(llvm::Instruction *inst) override 451 { 452 CallInst *call_inst = dyn_cast<CallInst>(inst); 453 454 if (!call_inst) 455 return false; // call_inst really shouldn't be nullptr, because otherwise InspectInstruction wouldn't have registered it 456 457 if (!m_objc_object_check_func) 458 m_objc_object_check_func = BuildObjectCheckerFunc(m_checker_functions.m_objc_object_check->StartAddress()); 459 460 // id objc_msgSend(id theReceiver, SEL theSelector, ...) 461 462 llvm::Value *target_object; 463 llvm::Value *selector; 464 465 switch (msgSend_types[inst]) 466 { 467 case eMsgSend: 468 case eMsgSend_fpret: 469 target_object = call_inst->getArgOperand(0); 470 selector = call_inst->getArgOperand(1); 471 break; 472 case eMsgSend_stret: 473 target_object = call_inst->getArgOperand(1); 474 selector = call_inst->getArgOperand(2); 475 break; 476 case eMsgSendSuper: 477 case eMsgSendSuper_stret: 478 return true; 479 } 480 481 // These objects should always be valid according to Sean Calannan 482 assert (target_object); 483 assert (selector); 484 485 // Insert an instruction to cast the receiver id to int8_t* 486 487 BitCastInst *bit_cast = new BitCastInst(target_object, 488 GetI8PtrTy(), 489 "", 490 inst); 491 492 // Insert an instruction to call the helper with the result 493 494 llvm::Value *arg_array[2]; 495 496 arg_array[0] = bit_cast; 497 arg_array[1] = selector; 498 499 ArrayRef<llvm::Value*> args(arg_array, 2); 500 501 CallInst::Create(m_objc_object_check_func, 502 args, 503 "", 504 inst); 505 506 return true; 507 } 508 509 static llvm::Function *GetFunction(llvm::Value *value) 510 { 511 if (llvm::Function *function = llvm::dyn_cast<llvm::Function>(value)) 512 { 513 return function; 514 } 515 516 if (llvm::ConstantExpr *const_expr = llvm::dyn_cast<llvm::ConstantExpr>(value)) 517 { 518 switch (const_expr->getOpcode()) 519 { 520 default: 521 return nullptr; 522 case llvm::Instruction::BitCast: 523 return GetFunction(const_expr->getOperand(0)); 524 } 525 } 526 527 return nullptr; 528 } 529 530 static llvm::Function *GetCalledFunction(llvm::CallInst *inst) 531 { 532 return GetFunction(inst->getCalledValue()); 533 } 534 535 bool InspectInstruction(llvm::Instruction &i) override 536 { 537 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 538 539 CallInst *call_inst = dyn_cast<CallInst>(&i); 540 541 if (call_inst) 542 { 543 const llvm::Function *called_function = GetCalledFunction(call_inst); 544 545 if (!called_function) 546 return true; 547 548 std::string name_str = called_function->getName().str(); 549 const char* name_cstr = name_str.c_str(); 550 551 if (log) 552 log->Printf("Found call to %s: %s\n", name_cstr, PrintValue(call_inst).c_str()); 553 554 if (name_str.find("objc_msgSend") == std::string::npos) 555 return true; 556 557 if (!strcmp(name_cstr, "objc_msgSend")) 558 { 559 RegisterInstruction(i); 560 msgSend_types[&i] = eMsgSend; 561 return true; 562 } 563 564 if (!strcmp(name_cstr, "objc_msgSend_stret")) 565 { 566 RegisterInstruction(i); 567 msgSend_types[&i] = eMsgSend_stret; 568 return true; 569 } 570 571 if (!strcmp(name_cstr, "objc_msgSend_fpret")) 572 { 573 RegisterInstruction(i); 574 msgSend_types[&i] = eMsgSend_fpret; 575 return true; 576 } 577 578 if (!strcmp(name_cstr, "objc_msgSendSuper")) 579 { 580 RegisterInstruction(i); 581 msgSend_types[&i] = eMsgSendSuper; 582 return true; 583 } 584 585 if (!strcmp(name_cstr, "objc_msgSendSuper_stret")) 586 { 587 RegisterInstruction(i); 588 msgSend_types[&i] = eMsgSendSuper_stret; 589 return true; 590 } 591 592 if (log) 593 log->Printf("Function name '%s' contains 'objc_msgSend' but is not handled", name_str.c_str()); 594 595 return true; 596 } 597 598 return true; 599 } 600 601 private: 602 llvm::Value *m_objc_object_check_func; 603 }; 604 605 IRDynamicChecks::IRDynamicChecks(DynamicCheckerFunctions &checker_functions, 606 const char *func_name) : 607 ModulePass(ID), 608 m_func_name(func_name), 609 m_checker_functions(checker_functions) 610 { 611 } 612 613 IRDynamicChecks::~IRDynamicChecks() = default; 614 615 bool 616 IRDynamicChecks::runOnModule(llvm::Module &M) 617 { 618 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 619 620 llvm::Function* function = M.getFunction(StringRef(m_func_name.c_str())); 621 622 if (!function) 623 { 624 if (log) 625 log->Printf("Couldn't find %s() in the module", m_func_name.c_str()); 626 627 return false; 628 } 629 630 if (m_checker_functions.m_valid_pointer_check) 631 { 632 ValidPointerChecker vpc(M, m_checker_functions); 633 634 if (!vpc.Inspect(*function)) 635 return false; 636 637 if (!vpc.Instrument()) 638 return false; 639 } 640 641 if (m_checker_functions.m_objc_object_check) 642 { 643 ObjcObjectChecker ooc(M, m_checker_functions); 644 645 if (!ooc.Inspect(*function)) 646 return false; 647 648 if (!ooc.Instrument()) 649 return false; 650 } 651 652 if (log && log->GetVerbose()) 653 { 654 std::string s; 655 raw_string_ostream oss(s); 656 657 M.print(oss, nullptr); 658 659 oss.flush(); 660 661 log->Printf ("Module after dynamic checks: \n%s", s.c_str()); 662 } 663 664 return true; 665 } 666 667 void 668 IRDynamicChecks::assignPassManager(PMStack &PMS, 669 PassManagerType T) 670 { 671 } 672 673 PassManagerType 674 IRDynamicChecks::getPotentialPassManagerType() const 675 { 676 return PMT_ModulePassManager; 677 } 678