1 //===-- IRDynamicChecks.cpp -------------------------------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 10 // C Includes 11 // C++ Includes 12 // Other libraries and framework includes 13 #include "llvm/IR/Constants.h" 14 #include "llvm/IR/DataLayout.h" 15 #include "llvm/IR/Function.h" 16 #include "llvm/IR/Instructions.h" 17 #include "llvm/IR/Module.h" 18 #include "llvm/IR/Value.h" 19 #include "llvm/Support/raw_ostream.h" 20 21 // Project includes 22 #include "lldb/Expression/IRDynamicChecks.h" 23 24 #include "lldb/Core/ConstString.h" 25 #include "lldb/Core/Log.h" 26 #include "lldb/Expression/UtilityFunction.h" 27 #include "lldb/Target/ExecutionContext.h" 28 #include "lldb/Target/ObjCLanguageRuntime.h" 29 #include "lldb/Target/Process.h" 30 #include "lldb/Target/StackFrame.h" 31 #include "lldb/Target/Target.h" 32 33 using namespace llvm; 34 using namespace lldb_private; 35 36 static char ID; 37 38 #define VALID_POINTER_CHECK_NAME "_$__lldb_valid_pointer_check" 39 #define VALID_OBJC_OBJECT_CHECK_NAME "$__lldb_objc_object_check" 40 41 static const char g_valid_pointer_check_text[] = 42 "extern \"C\" void\n" 43 "_$__lldb_valid_pointer_check (unsigned char *$__lldb_arg_ptr)\n" 44 "{\n" 45 " unsigned char $__lldb_local_val = *$__lldb_arg_ptr;\n" 46 "}"; 47 48 DynamicCheckerFunctions::DynamicCheckerFunctions() = default; 49 50 DynamicCheckerFunctions::~DynamicCheckerFunctions() = default; 51 52 bool DynamicCheckerFunctions::Install(DiagnosticManager &diagnostic_manager, 53 ExecutionContext &exe_ctx) { 54 Error error; 55 m_valid_pointer_check.reset( 56 exe_ctx.GetTargetRef().GetUtilityFunctionForLanguage( 57 g_valid_pointer_check_text, lldb::eLanguageTypeC, 58 VALID_POINTER_CHECK_NAME, error)); 59 if (error.Fail()) 60 return false; 61 62 if (!m_valid_pointer_check->Install(diagnostic_manager, exe_ctx)) 63 return false; 64 65 Process *process = exe_ctx.GetProcessPtr(); 66 67 if (process) { 68 ObjCLanguageRuntime *objc_language_runtime = 69 process->GetObjCLanguageRuntime(); 70 71 if (objc_language_runtime) { 72 m_objc_object_check.reset(objc_language_runtime->CreateObjectChecker( 73 VALID_OBJC_OBJECT_CHECK_NAME)); 74 75 if (!m_objc_object_check->Install(diagnostic_manager, exe_ctx)) 76 return false; 77 } 78 } 79 80 return true; 81 } 82 83 bool DynamicCheckerFunctions::DoCheckersExplainStop(lldb::addr_t addr, 84 Stream &message) { 85 // FIXME: We have to get the checkers to know why they scotched the call in 86 // more detail, 87 // so we can print a better message here. 88 if (m_valid_pointer_check && m_valid_pointer_check->ContainsAddress(addr)) { 89 message.Printf("Attempted to dereference an invalid pointer."); 90 return true; 91 } else if (m_objc_object_check && 92 m_objc_object_check->ContainsAddress(addr)) { 93 message.Printf("Attempted to dereference an invalid ObjC Object or send it " 94 "an unrecognized selector"); 95 return true; 96 } 97 return false; 98 } 99 100 static std::string PrintValue(llvm::Value *V, bool truncate = false) { 101 std::string s; 102 raw_string_ostream rso(s); 103 V->print(rso); 104 rso.flush(); 105 if (truncate) 106 s.resize(s.length() - 1); 107 return s; 108 } 109 110 //---------------------------------------------------------------------- 111 /// @class Instrumenter IRDynamicChecks.cpp 112 /// @brief Finds and instruments individual LLVM IR instructions 113 /// 114 /// When instrumenting LLVM IR, it is frequently desirable to first search 115 /// for instructions, and then later modify them. This way iterators 116 /// remain intact, and multiple passes can look at the same code base without 117 /// treading on each other's toes. 118 /// 119 /// The Instrumenter class implements this functionality. A client first 120 /// calls Inspect on a function, which populates a list of instructions to 121 /// be instrumented. Then, later, when all passes' Inspect functions have 122 /// been called, the client calls Instrument, which adds the desired 123 /// instrumentation. 124 /// 125 /// A subclass of Instrumenter must override InstrumentInstruction, which 126 /// is responsible for adding whatever instrumentation is necessary. 127 /// 128 /// A subclass of Instrumenter may override: 129 /// 130 /// - InspectInstruction [default: does nothing] 131 /// 132 /// - InspectBasicBlock [default: iterates through the instructions in a 133 /// basic block calling InspectInstruction] 134 /// 135 /// - InspectFunction [default: iterates through the basic blocks in a 136 /// function calling InspectBasicBlock] 137 //---------------------------------------------------------------------- 138 class Instrumenter { 139 public: 140 //------------------------------------------------------------------ 141 /// Constructor 142 /// 143 /// @param[in] module 144 /// The module being instrumented. 145 //------------------------------------------------------------------ 146 Instrumenter(llvm::Module &module, DynamicCheckerFunctions &checker_functions) 147 : m_module(module), m_checker_functions(checker_functions), 148 m_i8ptr_ty(nullptr), m_intptr_ty(nullptr) {} 149 150 virtual ~Instrumenter() = default; 151 152 //------------------------------------------------------------------ 153 /// Inspect a function to find instructions to instrument 154 /// 155 /// @param[in] function 156 /// The function to inspect. 157 /// 158 /// @return 159 /// True on success; false on error. 160 //------------------------------------------------------------------ 161 bool Inspect(llvm::Function &function) { return InspectFunction(function); } 162 163 //------------------------------------------------------------------ 164 /// Instrument all the instructions found by Inspect() 165 /// 166 /// @return 167 /// True on success; false on error. 168 //------------------------------------------------------------------ 169 bool Instrument() { 170 for (InstIterator ii = m_to_instrument.begin(), 171 last_ii = m_to_instrument.end(); 172 ii != last_ii; ++ii) { 173 if (!InstrumentInstruction(*ii)) 174 return false; 175 } 176 177 return true; 178 } 179 180 protected: 181 //------------------------------------------------------------------ 182 /// Add instrumentation to a single instruction 183 /// 184 /// @param[in] inst 185 /// The instruction to be instrumented. 186 /// 187 /// @return 188 /// True on success; false otherwise. 189 //------------------------------------------------------------------ 190 virtual bool InstrumentInstruction(llvm::Instruction *inst) = 0; 191 192 //------------------------------------------------------------------ 193 /// Register a single instruction to be instrumented 194 /// 195 /// @param[in] inst 196 /// The instruction to be instrumented. 197 //------------------------------------------------------------------ 198 void RegisterInstruction(llvm::Instruction &i) { 199 m_to_instrument.push_back(&i); 200 } 201 202 //------------------------------------------------------------------ 203 /// Determine whether a single instruction is interesting to 204 /// instrument, and, if so, call RegisterInstruction 205 /// 206 /// @param[in] i 207 /// The instruction to be inspected. 208 /// 209 /// @return 210 /// False if there was an error scanning; true otherwise. 211 //------------------------------------------------------------------ 212 virtual bool InspectInstruction(llvm::Instruction &i) { return true; } 213 214 //------------------------------------------------------------------ 215 /// Scan a basic block to see if any instructions are interesting 216 /// 217 /// @param[in] bb 218 /// The basic block to be inspected. 219 /// 220 /// @return 221 /// False if there was an error scanning; true otherwise. 222 //------------------------------------------------------------------ 223 virtual bool InspectBasicBlock(llvm::BasicBlock &bb) { 224 for (llvm::BasicBlock::iterator ii = bb.begin(), last_ii = bb.end(); 225 ii != last_ii; ++ii) { 226 if (!InspectInstruction(*ii)) 227 return false; 228 } 229 230 return true; 231 } 232 233 //------------------------------------------------------------------ 234 /// Scan a function to see if any instructions are interesting 235 /// 236 /// @param[in] f 237 /// The function to be inspected. 238 /// 239 /// @return 240 /// False if there was an error scanning; true otherwise. 241 //------------------------------------------------------------------ 242 virtual bool InspectFunction(llvm::Function &f) { 243 for (llvm::Function::iterator bbi = f.begin(), last_bbi = f.end(); 244 bbi != last_bbi; ++bbi) { 245 if (!InspectBasicBlock(*bbi)) 246 return false; 247 } 248 249 return true; 250 } 251 252 //------------------------------------------------------------------ 253 /// Build a function pointer for a function with signature 254 /// void (*)(uint8_t*) with a given address 255 /// 256 /// @param[in] start_address 257 /// The address of the function. 258 /// 259 /// @return 260 /// The function pointer, for use in a CallInst. 261 //------------------------------------------------------------------ 262 llvm::Value *BuildPointerValidatorFunc(lldb::addr_t start_address) { 263 llvm::Type *param_array[1]; 264 265 param_array[0] = const_cast<llvm::PointerType *>(GetI8PtrTy()); 266 267 ArrayRef<llvm::Type *> params(param_array, 1); 268 269 FunctionType *fun_ty = FunctionType::get( 270 llvm::Type::getVoidTy(m_module.getContext()), params, true); 271 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 272 Constant *fun_addr_int = 273 ConstantInt::get(GetIntptrTy(), start_address, false); 274 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 275 } 276 277 //------------------------------------------------------------------ 278 /// Build a function pointer for a function with signature 279 /// void (*)(uint8_t*, uint8_t*) with a given address 280 /// 281 /// @param[in] start_address 282 /// The address of the function. 283 /// 284 /// @return 285 /// The function pointer, for use in a CallInst. 286 //------------------------------------------------------------------ 287 llvm::Value *BuildObjectCheckerFunc(lldb::addr_t start_address) { 288 llvm::Type *param_array[2]; 289 290 param_array[0] = const_cast<llvm::PointerType *>(GetI8PtrTy()); 291 param_array[1] = const_cast<llvm::PointerType *>(GetI8PtrTy()); 292 293 ArrayRef<llvm::Type *> params(param_array, 2); 294 295 FunctionType *fun_ty = FunctionType::get( 296 llvm::Type::getVoidTy(m_module.getContext()), params, true); 297 PointerType *fun_ptr_ty = PointerType::getUnqual(fun_ty); 298 Constant *fun_addr_int = 299 ConstantInt::get(GetIntptrTy(), start_address, false); 300 return ConstantExpr::getIntToPtr(fun_addr_int, fun_ptr_ty); 301 } 302 303 PointerType *GetI8PtrTy() { 304 if (!m_i8ptr_ty) 305 m_i8ptr_ty = llvm::Type::getInt8PtrTy(m_module.getContext()); 306 307 return m_i8ptr_ty; 308 } 309 310 IntegerType *GetIntptrTy() { 311 if (!m_intptr_ty) { 312 llvm::DataLayout data_layout(&m_module); 313 314 m_intptr_ty = llvm::Type::getIntNTy(m_module.getContext(), 315 data_layout.getPointerSizeInBits()); 316 } 317 318 return m_intptr_ty; 319 } 320 321 typedef std::vector<llvm::Instruction *> InstVector; 322 typedef InstVector::iterator InstIterator; 323 324 InstVector m_to_instrument; ///< List of instructions the inspector found 325 llvm::Module &m_module; ///< The module which is being instrumented 326 DynamicCheckerFunctions 327 &m_checker_functions; ///< The dynamic checker functions for the process 328 329 private: 330 PointerType *m_i8ptr_ty; 331 IntegerType *m_intptr_ty; 332 }; 333 334 class ValidPointerChecker : public Instrumenter { 335 public: 336 ValidPointerChecker(llvm::Module &module, 337 DynamicCheckerFunctions &checker_functions) 338 : Instrumenter(module, checker_functions), 339 m_valid_pointer_check_func(nullptr) {} 340 341 ~ValidPointerChecker() override = default; 342 343 protected: 344 bool InstrumentInstruction(llvm::Instruction *inst) override { 345 Log *log(lldb_private::GetLogIfAllCategoriesSet(LIBLLDB_LOG_EXPRESSIONS)); 346 347 if (log) 348 log->Printf("Instrumenting load/store instruction: %s\n", 349 PrintValue(inst).c_str()); 350 351 if (!m_valid_pointer_check_func) 352 m_valid_pointer_check_func = BuildPointerValidatorFunc( 353 m_checker_functions.m_valid_pointer_check->StartAddress()); 354 355 llvm::Value *dereferenced_ptr = nullptr; 356 357 if (llvm::LoadInst *li = dyn_cast<llvm::LoadInst>(inst)) 358 dereferenced_ptr = li->getPointerOperand(); 359 else if (llvm::StoreInst *si = dyn_cast<llvm::StoreInst>(inst)) 360 dereferenced_ptr = si->getPointerOperand(); 361 else 362 return false; 363 364 // Insert an instruction to cast the loaded value to int8_t* 365 366 BitCastInst *bit_cast = 367 new BitCastInst(dereferenced_ptr, GetI8PtrTy(), "", inst); 368 369 // Insert an instruction to call the helper with the result 370 371 llvm::Value *arg_array[1]; 372 373 arg_array[0] = bit_cast; 374 375 llvm::ArrayRef<llvm::Value *> args(arg_array, 1); 376 377 CallInst::Create(m_valid_pointer_check_func, args, "", inst); 378 379 return true; 380 } 381 382 bool InspectInstruction(llvm::Instruction &i) override { 383 if (dyn_cast<llvm::LoadInst>(&i) || dyn_cast<llvm::StoreInst>(&i)) 384 RegisterInstruction(i); 385 386 return true; 387 } 388 389 private: 390 llvm::Value *m_valid_pointer_check_func; 391 }; 392 393 class ObjcObjectChecker : public Instrumenter { 394 public: 395 ObjcObjectChecker(llvm::Module &module, 396 DynamicCheckerFunctions &checker_functions) 397 : Instrumenter(module, checker_functions), 398 m_objc_object_check_func(nullptr) {} 399 400 ~ObjcObjectChecker() override = default; 401 402 enum msgSend_type { 403 eMsgSend = 0, 404 eMsgSendSuper, 405 eMsgSendSuper_stret, 406 eMsgSend_fpret, 407 eMsgSend_stret 408 }; 409 410 std::map<llvm::Instruction *, msgSend_type> msgSend_types; 411 412 protected: 413 bool InstrumentInstruction(llvm::Instruction *inst) override { 414 CallInst *call_inst = dyn_cast<CallInst>(inst); 415 416 if (!call_inst) 417 return false; // call_inst really shouldn't be nullptr, because otherwise 418 // InspectInstruction wouldn't have registered it 419 420 if (!m_objc_object_check_func) 421 m_objc_object_check_func = BuildObjectCheckerFunc( 422 m_checker_functions.m_objc_object_check->StartAddress()); 423 424 // id objc_msgSend(id theReceiver, SEL theSelector, ...) 425 426 llvm::Value *target_object; 427 llvm::Value *selector; 428 429 switch (msgSend_types[inst]) { 430 case eMsgSend: 431 case eMsgSend_fpret: 432 target_object = call_inst->getArgOperand(0); 433 selector = call_inst->getArgOperand(1); 434 break; 435 case eMsgSend_stret: 436 target_object = call_inst->getArgOperand(1); 437 selector = call_inst->getArgOperand(2); 438 break; 439 case eMsgSendSuper: 440 case eMsgSendSuper_stret: 441 return true; 442 } 443 444 // These objects should always be valid according to Sean Calannan 445 assert(target_object); 446 assert(selector); 447 448 // Insert an instruction to cast the receiver id to int8_t* 449 450 BitCastInst *bit_cast = 451 new BitCastInst(target_object, GetI8PtrTy(), "", inst); 452 453 // Insert an instruction to call the helper with the result 454 455 llvm::Value *arg_array[2]; 456 457 arg_array[0] = bit_cast; 458 arg_array[1] = selector; 459 460 ArrayRef<llvm::Value *> args(arg_array, 2); 461 462 CallInst::Create(m_objc_object_check_func, args, "", inst); 463 464 return true; 465 } 466 467 static llvm::Function *GetFunction(llvm::Value *value) { 468 if (llvm::Function *function = llvm::dyn_cast<llvm::Function>(value)) { 469 return function; 470 } 471 472 if (llvm::ConstantExpr *const_expr = 473 llvm::dyn_cast<llvm::ConstantExpr>(value)) { 474 switch (const_expr->getOpcode()) { 475 default: 476 return nullptr; 477 case llvm::Instruction::BitCast: 478 return GetFunction(const_expr->getOperand(0)); 479 } 480 } 481 482 return nullptr; 483 } 484 485 static llvm::Function *GetCalledFunction(llvm::CallInst *inst) { 486 return GetFunction(inst->getCalledValue()); 487 } 488 489 bool InspectInstruction(llvm::Instruction &i) override { 490 Log *log(lldb_private::GetLogIfAllCategoriesSet(LIBLLDB_LOG_EXPRESSIONS)); 491 492 CallInst *call_inst = dyn_cast<CallInst>(&i); 493 494 if (call_inst) { 495 const llvm::Function *called_function = GetCalledFunction(call_inst); 496 497 if (!called_function) 498 return true; 499 500 std::string name_str = called_function->getName().str(); 501 const char *name_cstr = name_str.c_str(); 502 503 if (log) 504 log->Printf("Found call to %s: %s\n", name_cstr, 505 PrintValue(call_inst).c_str()); 506 507 if (name_str.find("objc_msgSend") == std::string::npos) 508 return true; 509 510 if (!strcmp(name_cstr, "objc_msgSend")) { 511 RegisterInstruction(i); 512 msgSend_types[&i] = eMsgSend; 513 return true; 514 } 515 516 if (!strcmp(name_cstr, "objc_msgSend_stret")) { 517 RegisterInstruction(i); 518 msgSend_types[&i] = eMsgSend_stret; 519 return true; 520 } 521 522 if (!strcmp(name_cstr, "objc_msgSend_fpret")) { 523 RegisterInstruction(i); 524 msgSend_types[&i] = eMsgSend_fpret; 525 return true; 526 } 527 528 if (!strcmp(name_cstr, "objc_msgSendSuper")) { 529 RegisterInstruction(i); 530 msgSend_types[&i] = eMsgSendSuper; 531 return true; 532 } 533 534 if (!strcmp(name_cstr, "objc_msgSendSuper_stret")) { 535 RegisterInstruction(i); 536 msgSend_types[&i] = eMsgSendSuper_stret; 537 return true; 538 } 539 540 if (log) 541 log->Printf( 542 "Function name '%s' contains 'objc_msgSend' but is not handled", 543 name_str.c_str()); 544 545 return true; 546 } 547 548 return true; 549 } 550 551 private: 552 llvm::Value *m_objc_object_check_func; 553 }; 554 555 IRDynamicChecks::IRDynamicChecks(DynamicCheckerFunctions &checker_functions, 556 const char *func_name) 557 : ModulePass(ID), m_func_name(func_name), 558 m_checker_functions(checker_functions) {} 559 560 IRDynamicChecks::~IRDynamicChecks() = default; 561 562 bool IRDynamicChecks::runOnModule(llvm::Module &M) { 563 Log *log(lldb_private::GetLogIfAllCategoriesSet(LIBLLDB_LOG_EXPRESSIONS)); 564 565 llvm::Function *function = M.getFunction(StringRef(m_func_name)); 566 567 if (!function) { 568 if (log) 569 log->Printf("Couldn't find %s() in the module", m_func_name.c_str()); 570 571 return false; 572 } 573 574 if (m_checker_functions.m_valid_pointer_check) { 575 ValidPointerChecker vpc(M, m_checker_functions); 576 577 if (!vpc.Inspect(*function)) 578 return false; 579 580 if (!vpc.Instrument()) 581 return false; 582 } 583 584 if (m_checker_functions.m_objc_object_check) { 585 ObjcObjectChecker ooc(M, m_checker_functions); 586 587 if (!ooc.Inspect(*function)) 588 return false; 589 590 if (!ooc.Instrument()) 591 return false; 592 } 593 594 if (log && log->GetVerbose()) { 595 std::string s; 596 raw_string_ostream oss(s); 597 598 M.print(oss, nullptr); 599 600 oss.flush(); 601 602 log->Printf("Module after dynamic checks: \n%s", s.c_str()); 603 } 604 605 return true; 606 } 607 608 void IRDynamicChecks::assignPassManager(PMStack &PMS, PassManagerType T) {} 609 610 PassManagerType IRDynamicChecks::getPotentialPassManagerType() const { 611 return PMT_ModulePassManager; 612 } 613