1 //===-- IRDynamicChecks.cpp -------------------------------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 10 // C Includes 11 // C++ Includes 12 // Other libraries and framework includes 13 #include "llvm/Support/raw_ostream.h" 14 #include "llvm/IR/Constants.h" 15 #include "llvm/IR/DataLayout.h" 16 #include "llvm/IR/Function.h" 17 #include "llvm/IR/Instructions.h" 18 #include "llvm/IR/Module.h" 19 #include "llvm/IR/Value.h" 20 21 // Project includes 22 #include "lldb/Expression/IRDynamicChecks.h" 23 24 #include "lldb/Core/ConstString.h" 25 #include "lldb/Core/Log.h" 26 #include "lldb/Expression/UtilityFunction.h" 27 #include "lldb/Target/ExecutionContext.h" 28 #include "lldb/Target/ObjCLanguageRuntime.h" 29 #include "lldb/Target/Process.h" 30 #include "lldb/Target/StackFrame.h" 31 #include "lldb/Target/Target.h" 32 33 using namespace llvm; 34 using namespace lldb_private; 35 36 static char ID; 37 38 #define VALID_POINTER_CHECK_NAME "_$__lldb_valid_pointer_check" 39 #define VALID_OBJC_OBJECT_CHECK_NAME "$__lldb_objc_object_check" 40 41 static const char g_valid_pointer_check_text[] = 42 "extern \"C\" void\n" 43 "_$__lldb_valid_pointer_check (unsigned char *$__lldb_arg_ptr)\n" 44 "{\n" 45 " unsigned char $__lldb_local_val = *$__lldb_arg_ptr;\n" 46 "}"; 47 48 DynamicCheckerFunctions::DynamicCheckerFunctions() = default; 49 50 DynamicCheckerFunctions::~DynamicCheckerFunctions() = default; 51 52 bool 53 DynamicCheckerFunctions::Install(Stream &error_stream, 54 ExecutionContext &exe_ctx) 55 { 56 Error error; 57 m_valid_pointer_check.reset(exe_ctx.GetTargetRef().GetUtilityFunctionForLanguage(g_valid_pointer_check_text, 58 lldb::eLanguageTypeC, 59 VALID_POINTER_CHECK_NAME, 60 error)); 61 if (error.Fail()) 62 return false; 63 64 if (!m_valid_pointer_check->Install(error_stream, exe_ctx)) 65 return false; 66 67 Process *process = exe_ctx.GetProcessPtr(); 68 69 if (process) 70 { 71 ObjCLanguageRuntime *objc_language_runtime = process->GetObjCLanguageRuntime(); 72 73 if (objc_language_runtime) 74 { 75 m_objc_object_check.reset(objc_language_runtime->CreateObjectChecker(VALID_OBJC_OBJECT_CHECK_NAME)); 76 77 if (!m_objc_object_check->Install(error_stream, exe_ctx)) 78 return false; 79 } 80 } 81 82 return true; 83 } 84 85 bool 86 DynamicCheckerFunctions::DoCheckersExplainStop (lldb::addr_t addr, Stream &message) 87 { 88 // FIXME: We have to get the checkers to know why they scotched the call in more detail, 89 // so we can print a better message here. 90 if (m_valid_pointer_check && m_valid_pointer_check->ContainsAddress(addr)) 91 { 92 message.Printf ("Attempted to dereference an invalid pointer."); 93 return true; 94 } 95 else if (m_objc_object_check && m_objc_object_check->ContainsAddress(addr)) 96 { 97 message.Printf ("Attempted to dereference an invalid ObjC Object or send it an unrecognized selector"); 98 return true; 99 } 100 return false; 101 } 102 103 static std::string 104 PrintValue(llvm::Value *V, bool truncate = false) 105 { 106 std::string s; 107 raw_string_ostream rso(s); 108 V->print(rso); 109 rso.flush(); 110 if (truncate) 111 s.resize(s.length() - 1); 112 return s; 113 } 114 115 //---------------------------------------------------------------------- 116 /// @class Instrumenter IRDynamicChecks.cpp 117 /// @brief Finds and instruments individual LLVM IR instructions 118 /// 119 /// When instrumenting LLVM IR, it is frequently desirable to first search 120 /// for instructions, and then later modify them. This way iterators 121 /// remain intact, and multiple passes can look at the same code base without 122 /// treading on each other's toes. 123 /// 124 /// The Instrumenter class implements this functionality. A client first 125 /// calls Inspect on a function, which populates a list of instructions to 126 /// be instrumented. Then, later, when all passes' Inspect functions have 127 /// been called, the client calls Instrument, which adds the desired 128 /// instrumentation. 129 /// 130 /// A subclass of Instrumenter must override InstrumentInstruction, which 131 /// is responsible for adding whatever instrumentation is necessary. 132 /// 133 /// A subclass of Instrumenter may override: 134 /// 135 /// - InspectInstruction [default: does nothing] 136 /// 137 /// - InspectBasicBlock [default: iterates through the instructions in a 138 /// basic block calling InspectInstruction] 139 /// 140 /// - InspectFunction [default: iterates through the basic blocks in a 141 /// function calling InspectBasicBlock] 142 //---------------------------------------------------------------------- 143 class Instrumenter { 144 public: 145 //------------------------------------------------------------------ 146 /// Constructor 147 /// 148 /// @param[in] module 149 /// The module being instrumented. 150 //------------------------------------------------------------------ 151 Instrumenter (llvm::Module &module, 152 DynamicCheckerFunctions &checker_functions) : 153 m_module(module), 154 m_checker_functions(checker_functions), 155 m_i8ptr_ty(nullptr), 156 m_intptr_ty(nullptr) 157 { 158 } 159 160 virtual ~Instrumenter() = default; 161 162 //------------------------------------------------------------------ 163 /// Inspect a function to find instructions to instrument 164 /// 165 /// @param[in] function 166 /// The function to inspect. 167 /// 168 /// @return 169 /// True on success; false on error. 170 //------------------------------------------------------------------ 171 bool Inspect (llvm::Function &function) 172 { 173 return InspectFunction(function); 174 } 175 176 //------------------------------------------------------------------ 177 /// Instrument all the instructions found by Inspect() 178 /// 179 /// @return 180 /// True on success; false on error. 181 //------------------------------------------------------------------ 182 bool Instrument () 183 { 184 for (InstIterator ii = m_to_instrument.begin(), last_ii = m_to_instrument.end(); 185 ii != last_ii; 186 ++ii) 187 { 188 if (!InstrumentInstruction(*ii)) 189 return false; 190 } 191 192 return true; 193 } 194 195 protected: 196 //------------------------------------------------------------------ 197 /// Add instrumentation to a single instruction 198 /// 199 /// @param[in] inst 200 /// The instruction to be instrumented. 201 /// 202 /// @return 203 /// True on success; false otherwise. 204 //------------------------------------------------------------------ 205 virtual bool InstrumentInstruction(llvm::Instruction *inst) = 0; 206 207 //------------------------------------------------------------------ 208 /// Register a single instruction to be instrumented 209 /// 210 /// @param[in] inst 211 /// The instruction to be instrumented. 212 //------------------------------------------------------------------ 213 void RegisterInstruction(llvm::Instruction &i) 214 { 215 m_to_instrument.push_back(&i); 216 } 217 218 //------------------------------------------------------------------ 219 /// Determine whether a single instruction is interesting to 220 /// instrument, and, if so, call RegisterInstruction 221 /// 222 /// @param[in] i 223 /// The instruction to be inspected. 224 /// 225 /// @return 226 /// False if there was an error scanning; true otherwise. 227 //------------------------------------------------------------------ 228 virtual bool InspectInstruction(llvm::Instruction &i) 229 { 230 return true; 231 } 232 233 //------------------------------------------------------------------ 234 /// Scan a basic block to see if any instructions are interesting 235 /// 236 /// @param[in] bb 237 /// The basic block to be inspected. 238 /// 239 /// @return 240 /// False if there was an error scanning; true otherwise. 241 //------------------------------------------------------------------ 242 virtual bool InspectBasicBlock(llvm::BasicBlock &bb) 243 { 244 for (llvm::BasicBlock::iterator ii = bb.begin(), last_ii = bb.end(); 245 ii != last_ii; 246 ++ii) 247 { 248 if (!InspectInstruction(*ii)) 249 return false; 250 } 251 252 return true; 253 } 254 255 //------------------------------------------------------------------ 256 /// Scan a function to see if any instructions are interesting 257 /// 258 /// @param[in] f 259 /// The function to be inspected. 260 /// 261 /// @return 262 /// False if there was an error scanning; true otherwise. 263 //------------------------------------------------------------------ 264 virtual bool InspectFunction(llvm::Function &f) 265 { 266 for (llvm::Function::iterator bbi = f.begin(), last_bbi = f.end(); 267 bbi != last_bbi; 268 ++bbi) 269 { 270 if (!InspectBasicBlock(*bbi)) 271 return false; 272 } 273 274 return true; 275 } 276 277 //------------------------------------------------------------------ 278 /// Build a function pointer for a function with signature 279 /// void (*)(uint8_t*) with a given address 280 /// 281 /// @param[in] start_address 282 /// The address of the function. 283 /// 284 /// @return 285 /// The function pointer, for use in a CallInst. 286 //------------------------------------------------------------------ 287 llvm::Value *BuildPointerValidatorFunc(lldb::addr_t start_address) 288 { 289 llvm::Type *param_array[1]; 290 291 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 292 293 ArrayRef<llvm::Type*> params(param_array, 1); 294 295 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true); 296 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 297 Constant *fun_addr_int = ConstantInt::get(GetIntptrTy(), start_address, false); 298 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 299 } 300 301 //------------------------------------------------------------------ 302 /// Build a function pointer for a function with signature 303 /// void (*)(uint8_t*, uint8_t*) with a given address 304 /// 305 /// @param[in] start_address 306 /// The address of the function. 307 /// 308 /// @return 309 /// The function pointer, for use in a CallInst. 310 //------------------------------------------------------------------ 311 llvm::Value *BuildObjectCheckerFunc(lldb::addr_t start_address) 312 { 313 llvm::Type *param_array[2]; 314 315 param_array[0] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 316 param_array[1] = const_cast<llvm::PointerType*>(GetI8PtrTy()); 317 318 ArrayRef<llvm::Type*> params(param_array, 2); 319 320 FunctionType *fun_ty = FunctionType::get(llvm::Type::getVoidTy(m_module.getContext()), params, true); 321 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 322 Constant *fun_addr_int = ConstantInt::get(GetIntptrTy(), start_address, false); 323 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 324 } 325 326 PointerType *GetI8PtrTy() 327 { 328 if (!m_i8ptr_ty) 329 m_i8ptr_ty = llvm::Type::getInt8PtrTy(m_module.getContext()); 330 331 return m_i8ptr_ty; 332 } 333 334 IntegerType *GetIntptrTy() 335 { 336 if (!m_intptr_ty) 337 { 338 llvm::DataLayout data_layout(&m_module); 339 340 m_intptr_ty = llvm::Type::getIntNTy(m_module.getContext(), data_layout.getPointerSizeInBits()); 341 } 342 343 return m_intptr_ty; 344 } 345 346 typedef std::vector <llvm::Instruction *> InstVector; 347 typedef InstVector::iterator InstIterator; 348 349 InstVector m_to_instrument; ///< List of instructions the inspector found 350 llvm::Module &m_module; ///< The module which is being instrumented 351 DynamicCheckerFunctions &m_checker_functions; ///< The dynamic checker functions for the process 352 353 private: 354 PointerType *m_i8ptr_ty; 355 IntegerType *m_intptr_ty; 356 }; 357 358 class ValidPointerChecker : public Instrumenter 359 { 360 public: 361 ValidPointerChecker (llvm::Module &module, 362 DynamicCheckerFunctions &checker_functions) : 363 Instrumenter(module, checker_functions), 364 m_valid_pointer_check_func(nullptr) 365 { 366 } 367 368 ~ValidPointerChecker() override = default; 369 370 protected: 371 bool InstrumentInstruction(llvm::Instruction *inst) override 372 { 373 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 374 375 if (log) 376 log->Printf("Instrumenting load/store instruction: %s\n", 377 PrintValue(inst).c_str()); 378 379 if (!m_valid_pointer_check_func) 380 m_valid_pointer_check_func = BuildPointerValidatorFunc(m_checker_functions.m_valid_pointer_check->StartAddress()); 381 382 llvm::Value *dereferenced_ptr = nullptr; 383 384 if (llvm::LoadInst *li = dyn_cast<llvm::LoadInst> (inst)) 385 dereferenced_ptr = li->getPointerOperand(); 386 else if (llvm::StoreInst *si = dyn_cast<llvm::StoreInst> (inst)) 387 dereferenced_ptr = si->getPointerOperand(); 388 else 389 return false; 390 391 // Insert an instruction to cast the loaded value to int8_t* 392 393 BitCastInst *bit_cast = new BitCastInst(dereferenced_ptr, 394 GetI8PtrTy(), 395 "", 396 inst); 397 398 // Insert an instruction to call the helper with the result 399 400 llvm::Value *arg_array[1]; 401 402 arg_array[0] = bit_cast; 403 404 llvm::ArrayRef<llvm::Value *> args(arg_array, 1); 405 406 CallInst::Create(m_valid_pointer_check_func, 407 args, 408 "", 409 inst); 410 411 return true; 412 } 413 414 bool InspectInstruction(llvm::Instruction &i) override 415 { 416 if (dyn_cast<llvm::LoadInst> (&i) || 417 dyn_cast<llvm::StoreInst> (&i)) 418 RegisterInstruction(i); 419 420 return true; 421 } 422 423 private: 424 llvm::Value *m_valid_pointer_check_func; 425 }; 426 427 class ObjcObjectChecker : public Instrumenter 428 { 429 public: 430 ObjcObjectChecker(llvm::Module &module, 431 DynamicCheckerFunctions &checker_functions) : 432 Instrumenter(module, checker_functions), 433 m_objc_object_check_func(nullptr) 434 { 435 } 436 437 ~ObjcObjectChecker() override = default; 438 439 enum msgSend_type 440 { 441 eMsgSend = 0, 442 eMsgSendSuper, 443 eMsgSendSuper_stret, 444 eMsgSend_fpret, 445 eMsgSend_stret 446 }; 447 448 std::map <llvm::Instruction *, msgSend_type> msgSend_types; 449 450 protected: 451 bool InstrumentInstruction(llvm::Instruction *inst) override 452 { 453 CallInst *call_inst = dyn_cast<CallInst>(inst); 454 455 if (!call_inst) 456 return false; // call_inst really shouldn't be nullptr, because otherwise InspectInstruction wouldn't have registered it 457 458 if (!m_objc_object_check_func) 459 m_objc_object_check_func = BuildObjectCheckerFunc(m_checker_functions.m_objc_object_check->StartAddress()); 460 461 // id objc_msgSend(id theReceiver, SEL theSelector, ...) 462 463 llvm::Value *target_object; 464 llvm::Value *selector; 465 466 switch (msgSend_types[inst]) 467 { 468 case eMsgSend: 469 case eMsgSend_fpret: 470 target_object = call_inst->getArgOperand(0); 471 selector = call_inst->getArgOperand(1); 472 break; 473 case eMsgSend_stret: 474 target_object = call_inst->getArgOperand(1); 475 selector = call_inst->getArgOperand(2); 476 break; 477 case eMsgSendSuper: 478 case eMsgSendSuper_stret: 479 return true; 480 } 481 482 // These objects should always be valid according to Sean Calannan 483 assert (target_object); 484 assert (selector); 485 486 // Insert an instruction to cast the receiver id to int8_t* 487 488 BitCastInst *bit_cast = new BitCastInst(target_object, 489 GetI8PtrTy(), 490 "", 491 inst); 492 493 // Insert an instruction to call the helper with the result 494 495 llvm::Value *arg_array[2]; 496 497 arg_array[0] = bit_cast; 498 arg_array[1] = selector; 499 500 ArrayRef<llvm::Value*> args(arg_array, 2); 501 502 CallInst::Create(m_objc_object_check_func, 503 args, 504 "", 505 inst); 506 507 return true; 508 } 509 510 bool InspectInstruction(llvm::Instruction &i) override 511 { 512 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 513 514 CallInst *call_inst = dyn_cast<CallInst>(&i); 515 516 if (call_inst) 517 { 518 // This metadata is set by IRForTarget::MaybeHandleCall(). 519 520 MDNode *metadata = call_inst->getMetadata("lldb.call.realName"); 521 522 if (!metadata) 523 return true; 524 525 if (metadata->getNumOperands() != 1) 526 { 527 if (log) 528 log->Printf("Function call metadata has %d operands for [%p] %s", 529 metadata->getNumOperands(), 530 static_cast<void*>(call_inst), 531 PrintValue(call_inst).c_str()); 532 return false; 533 } 534 535 MDString *real_name = dyn_cast<MDString>(metadata->getOperand(0)); 536 537 if (!real_name) 538 { 539 if (log) 540 log->Printf("Function call metadata is not an MDString for [%p] %s", 541 static_cast<void*>(call_inst), 542 PrintValue(call_inst).c_str()); 543 return false; 544 } 545 546 std::string name_str = real_name->getString(); 547 const char* name_cstr = name_str.c_str(); 548 549 if (log) 550 log->Printf("Found call to %s: %s\n", name_cstr, PrintValue(call_inst).c_str()); 551 552 if (name_str.find("objc_msgSend") == std::string::npos) 553 return true; 554 555 if (!strcmp(name_cstr, "objc_msgSend")) 556 { 557 RegisterInstruction(i); 558 msgSend_types[&i] = eMsgSend; 559 return true; 560 } 561 562 if (!strcmp(name_cstr, "objc_msgSend_stret")) 563 { 564 RegisterInstruction(i); 565 msgSend_types[&i] = eMsgSend_stret; 566 return true; 567 } 568 569 if (!strcmp(name_cstr, "objc_msgSend_fpret")) 570 { 571 RegisterInstruction(i); 572 msgSend_types[&i] = eMsgSend_fpret; 573 return true; 574 } 575 576 if (!strcmp(name_cstr, "objc_msgSendSuper")) 577 { 578 RegisterInstruction(i); 579 msgSend_types[&i] = eMsgSendSuper; 580 return true; 581 } 582 583 if (!strcmp(name_cstr, "objc_msgSendSuper_stret")) 584 { 585 RegisterInstruction(i); 586 msgSend_types[&i] = eMsgSendSuper_stret; 587 return true; 588 } 589 590 if (log) 591 log->Printf("Function name '%s' contains 'objc_msgSend' but is not handled", name_str.c_str()); 592 593 return true; 594 } 595 596 return true; 597 } 598 599 private: 600 llvm::Value *m_objc_object_check_func; 601 }; 602 603 IRDynamicChecks::IRDynamicChecks(DynamicCheckerFunctions &checker_functions, 604 const char *func_name) : 605 ModulePass(ID), 606 m_func_name(func_name), 607 m_checker_functions(checker_functions) 608 { 609 } 610 611 IRDynamicChecks::~IRDynamicChecks() = default; 612 613 bool 614 IRDynamicChecks::runOnModule(llvm::Module &M) 615 { 616 Log *log(lldb_private::GetLogIfAllCategoriesSet (LIBLLDB_LOG_EXPRESSIONS)); 617 618 llvm::Function* function = M.getFunction(StringRef(m_func_name.c_str())); 619 620 if (!function) 621 { 622 if (log) 623 log->Printf("Couldn't find %s() in the module", m_func_name.c_str()); 624 625 return false; 626 } 627 628 if (m_checker_functions.m_valid_pointer_check) 629 { 630 ValidPointerChecker vpc(M, m_checker_functions); 631 632 if (!vpc.Inspect(*function)) 633 return false; 634 635 if (!vpc.Instrument()) 636 return false; 637 } 638 639 if (m_checker_functions.m_objc_object_check) 640 { 641 ObjcObjectChecker ooc(M, m_checker_functions); 642 643 if (!ooc.Inspect(*function)) 644 return false; 645 646 if (!ooc.Instrument()) 647 return false; 648 } 649 650 if (log && log->GetVerbose()) 651 { 652 std::string s; 653 raw_string_ostream oss(s); 654 655 M.print(oss, nullptr); 656 657 oss.flush(); 658 659 log->Printf ("Module after dynamic checks: \n%s", s.c_str()); 660 } 661 662 return true; 663 } 664 665 void 666 IRDynamicChecks::assignPassManager(PMStack &PMS, 667 PassManagerType T) 668 { 669 } 670 671 PassManagerType 672 IRDynamicChecks::getPotentialPassManagerType() const 673 { 674 return PMT_ModulePassManager; 675 } 676