memprof 0.2.5 → 0.2.6

data/ext/x86_64.c

@@ -1,28 +1,60 @@
 #if defined (_ARCH_x86_64_)
 
+#include <assert.h>
 #include <stdint.h>
 #include <string.h>
 
 #include "arch.h"
 #include "x86_gen.h"
 
-/* This is the stage 1 inline trampoline for hooking the inlined add_freelist
- * function .
+/*
+ * inline_st1_tramp - inline stage 1 trampoline
+ *
+ * This is the stage 1 inline trampoline that will replace the mov instruction
+ * that updates freelist from the inlined function add_freelist.
+ *
+ * Note that the mov instruction is 7 bytes wide, so this trampoline needs two
+ * bytes of NOPs to keep it 7 bytes wide.
+ *
+ * In order to use this structure, you must set the displacement field to a
+ * 32bit displacement from the next instruction to the stage 2 trampoline.
+ *
+ * TODO replace the 2, 1 byte NOPs with a wider 16bit NOP.
+ *
+ * Original code:
+ *
+ *  mov REGISTER, freelist  # update the head of the freelist
  *
- * NOTE: The original instruction mov %reg, freelist is 7 bytes wide,
- * whereas jmpq $displacement is only 5 bytes wide. We *must* pad out
- * the next two bytes. This will be important to remember below.
+ *  size = 7 bytes
+ *
+ * Code after tramp:
+ *
+ *  jmp 0xfeedface(%rip)    # jump to stage 2 trampoline
+ *  nop                     # 1 byte NOP pad
+ *  nop                     # 1 byte NOP pad
+ *
+ *  size = 7 bytes
  */
 struct inline_st1_tramp {
   unsigned char jmp;
   int32_t displacement;
   unsigned char pad[2];
 } __attribute__((__packed__)) inline_st1_tramp = {
-  .jmp  = '\xe9',
+  .jmp  = 0xe9,
   .displacement = 0,
-  .pad = {'\x90','\x90'},
+  .pad = {0x90, 0x90},
 };
 
+/*
+ * inline_st1_base - inline stage 1 base instruction
+ *
+ * This structure is designed to be "laid onto" a piece of memory to ease the
+ * parsing, modification, and length calculation of the original instruction
+ * that will be overwritten with a jmp to the stage 2 trampoline.
+ *
+ * In order to use this structure, you must set the displacement, rex, and
+ * rex bytes to accurately represent the original instruction.
+ */
 struct inline_st1_base {
   unsigned char rex;
   unsigned char mov;
@@ -30,17 +62,24 @@ struct inline_st1_base {
   int32_t displacement;
 } __attribute__((__packed__)) inline_st1_mov = {
   .rex = 0,
-  .mov = '\x89',
+  .mov = 0x89,
   .src_reg = 0,
   .displacement = 0
 };
 
 /*
- *  inline tramp stuff below
+ * arch_check_ins - architecture specific instruction check
+ *
+ * This function checks the opcodes at a specific adderss to see if
+ * they could be a move instruction.
+ *
+ * Returns 1 if the address matches a mov, 0 otherwise.
  */
 static int
 arch_check_ins(struct inline_st1_base *base)
 {
+  assert(base != NULL);
+
   /* is it a mov instruction? */
   if (base->mov == 0x89 &&
 
@@ -55,12 +94,40 @@ arch_check_ins(struct inline_st1_base *base)
   return 0;
 }
 
+/*
+ * arch_insert_inline_st2_tramp - architecture specific stage 2 tramp insert
+ *
+ * Given:
+ *    - addr - The base address of an instruction sequence.
+ *
+ *    - marker - This is the marker to search for which will indicate that the
+ *      instruction sequence has been located.
+ *
+ *    - trampoline - The address of the handler to redirect execution to.
+ *
+ *    - table_entry - Address of where the stage 2 trampoline code will reside
+ *
+ * This function will:
+ *    Insert and setup the stage 1 and stage 2 trampolines if addr points to an
+ *    instruction that could be from the inlined add_freelist function.
+ *
+ * This function returns 1 on failure and 0 on success.
+ */
 int
 arch_insert_inline_st2_tramp(void *addr, void *marker, void *trampoline, void *table_entry)
 {
+  assert(addr != NULL);
+  assert(marker != NULL);
+  assert(trampoline != NULL);
+  assert(table_entry != NULL);
+
   struct inline_st1_base *base = addr;
   struct inline_tramp_st2_entry *entry = table_entry;
 
+  /* TODO make this a compile time assert */
+  assert(sizeof(struct inline_st1_base) ==
+         sizeof(struct inline_st1_tramp));
+
   if (!arch_check_ins(base))
     return 1;
 
@@ -109,7 +176,7 @@ arch_insert_inline_st2_tramp(void *addr, void *marker, void *trampoline, void *t
      * NOPS. If its 7, we'll land directly on the next instruction.
      */
     default_inline_st2_tramp.jmp_displacement = (addr + sizeof(*base)) -
-                                                 (table_entry + sizeof(default_inline_st2_tramp));
+                                                (table_entry + sizeof(default_inline_st2_tramp));
 
     /* write the address of our C level trampoline in to the structure */
     default_inline_st2_tramp.frame.addr = trampoline;

data/ext/x86_64.h

@@ -5,7 +5,27 @@
 #include "arch.h"
 
 /*
- * This is the "normal" stage 2 trampoline with a default entry pre-filled
+ * tramp_st2_entry - stage 2 trampoline entry
+ *
+ * This trampoline calls a handler function via the callee saved register %rbx.
+ * The handler function is stored in the field 'addr'.
+ *
+ * A default pre-filled (except addr, of course) version of this trampoline is
+ * provided so that the opcodes do not need to be filled in every time it is
+ * used. You only need to set the addr field of default_st2_tramp and you are
+ * ready to roll.
+ *
+ * This trampoline is the assembly code:
+ *
+ * push %rbx                      # save %rbx
+ * push %rbp                      # save previous stack frame's %rbp
+ * mov  %rsp, %rbp                # update %rbp to be current stack pointer
+ * andl 0xFFFFFFFFFFFFFFF0, %rsp  # align stack pointer as per the ABI
+ * mov  ADDR, %rbx                # move address of handler into %rbx
+ * callq *%rbx                    # call handler
+ * pop %rbx                       # restore %rbx
+ * leave                          # restore %rbp, move stack pointer back
+ * ret                            # return
  */
 static struct tramp_st2_entry {
   unsigned char push_rbx;
@@ -19,20 +39,69 @@ static struct tramp_st2_entry {
   unsigned char rbx_restore;
   unsigned char ret;
 } __attribute__((__packed__)) default_st2_tramp = {
-  .push_rbx      = 0x53,                // push rbx
-  .push_rbp      = 0x55,                // push rbp
-  .save_rsp      = {0x48, 0x89, 0xe5},  // mov rsp, rbp
-  .align_rsp     = {0x48, 0x83, 0xe4, 0xf0}, // andl ~0x1, rsp
-  .mov           = {'\x48', '\xbb'},    // mov addr into rbx
-  .addr          = 0,                   // ^^^
-  .call          = {'\xff', '\xd3'},    // call rbx
-  .rbx_restore   = 0x5b,                // pop rbx
-  .leave         = 0xc9,                // leave
-  .ret           = 0xc3,                // ret
+  .push_rbx      = 0x53,
+  .push_rbp      = 0x55,
+  .save_rsp      = {0x48, 0x89, 0xe5},
+  .align_rsp     = {0x48, 0x83, 0xe4, 0xf0},
+  .mov           = {0x48, 0xbb},
+  .addr          = 0,
+  .call          = {0xff, 0xd3},
+  .rbx_restore   = 0x5b,
+  .leave         = 0xc9,
+  .ret           = 0xc3,
 };
 
 /*
- * This is the inline stage 2 trampoline with a default entry pre-filled
+ * inline_tramp_st2_entry - stage 2 inline trampoline entry
+ *
+ * This trampoline calls a handler function via the callee saved register %rbx,
+ * The handler function is stored in the field 'addr'.
+ *
+ * The major difference between this trampoline and the one above is that this
+ * trampoline is intended to be used as the target of an 'inline trampoline',
+ * that is code is redirected to this and the stack and registers may not be
+ * 'ready' for a function call.
+ *
+ * This trampoline provides space to regenerate the overwritten mov instruction
+ * and utmost care must be taken in order to recreate the overwritten
+ * instruction.
+ *
+ * This trampoline is hit with a jmp (NOT A CALL), and as such must take care
+ * to jmp back to resume execution.
+ *
+ * Like the above trampoline, this structure comes with a prefilled entry called
+ * default_inline_st2_tramp that has most of the fields prepopulated.
+ *
+ * To use this structure you must fill in:
+ *   - mov_displacement - should be set to the 32bit displacement from the next
+ *     instruction (i.e. frame) to freelist. This is used to recreate the
+ *     overwritten instruction.
+ *
+ *   - rdi_source_displacement - should be set to the 32bit displacement from
+ *     the next instruction (i.e. push_rbx) to freelist. This is used to load
+ *     freelist as the 1st argument to the handler.
+ *
+ *   - addr - the address of the handler function to call
+ *
+ *   - jmp_displacement - should be set to the 32bit displacement from the next
+ *     instruction to the instruction after the stage 1 trampoline. This is
+ *     used to resume execution after the handler has been hit.
+ *
+ *
+ * This structure represents the assembly code:
+ *
+ * mov SOURCE_REGISTER, freelist     # update the freelist
+ * push %rdi                         # save %rdi
+ * mov freelist, %rdi                # move first entry of freelist into %rdi
+ * push %rbp                         # save previous %rbp
+ * mov %rsp, %rbp                    # update %rbp to be current stack pointer
+ * andl 0xFFFFFFFFFFFFFFF0, %rsp     # align stack pointer as per ABI
+ * mov ADDR, %rbx                    # load handler address into %rbx
+ * callq *%rbx                       # call handler
+ * leave                             # reset stack pointer, restore %rbp
+ * pop %rbx                          # restore %rbx
+ * pop %rdi                          # restore %rdi
+ * jmp NEXT_INSN                     # jmp to instruction after stage 1 tramp
  */
 static struct inline_tramp_st2_entry {
   unsigned char rex;
@@ -66,15 +135,15 @@ static struct inline_tramp_st2_entry {
 
   .frame = {
     .push_rdi = 0x57,
-    .mov_rdi = {'\x48', '\x8b', '\x3d'},
+    .mov_rdi =  {0x48, 0x8b, 0x3d},
     .rdi_source_displacement = 0,
     .push_rbx = 0x53,
     .push_rbp = 0x55,
-    .save_rsp = {'\x48', '\x89', '\xe5'},
-    .align_rsp = {'\x48', '\x83', '\xe4', '\xf0'},
-    .mov = {'\x48', '\xbb'},
+    .save_rsp = {0x48, 0x89, 0xe5},
+    .align_rsp = {0x48, 0x83, 0xe4, 0xf0},
+    .mov = {0x48, 0xbb},
     .addr = 0,
-    .call = {'\xff', '\xd3'},
+    .call = {0xff, 0xd3},
     .leave = 0xc9,
     .rbx_restore = 0x5b,
     .rdi_restore = 0x5f,

data/ext/x86_gen.h

@@ -1,99 +1,139 @@
 #if !defined(_x86_gen_)
 #define _x86_gen_
 
+#include <assert.h>
 #include <sys/mman.h>
 #include <stdint.h>
 #include "arch.h"
 
-/* This structure makes it easier to find and update call instructions that
- * will become the stage 1 trampoline
+/*
+ * st1_base - stage 1 base instruction sequence
+ *
+ * This struct is intended to be "laid onto" a piece of memory to ease the
+ * parsing, use, and length calculation of call instructions that use a 32bit
+ * displacement.
+ *
+ * For example:   callq <0xdeadbeef> #rb_newobj
  */
 struct st1_base {
   unsigned char call;
   int32_t displacement;
 } __attribute__((__packed__)) st1_mov = {
-  .call        =  '\xe8',
+  .call         =  0xe8,
   .displacement =  0,
 };
 
-struct plt_entry {
-    unsigned char jmp[2];
-    uint32_t jmp_disp;
-    unsigned char pad[10];
-} __attribute__((__packed__));
-
+/*
+ * page_align - given an address, return a page aligned form
+ *
+ * TODO Don't assume page size, get it from sysconf and cache the result
+ */
 static inline void *
 page_align(void *addr)
 {
+  assert(addr != NULL);
   return (void *)((size_t)addr & ~(0xFFFF));
 }
 
+/*
+ * copy_instructions - copy count bytes from src to dest, taking care to use
+ * mprotect to mark the section read/write.
+ */
 static void
-copy_instructions(void *to, void *from, size_t count)
+copy_instructions(void *dest, void *src, size_t count)
 {
-  void *aligned_addr = page_align(to);
-  mprotect(aligned_addr, (to - aligned_addr) + 10, PROT_READ|PROT_WRITE|PROT_EXEC);
-  memcpy(to, from, count);
-  mprotect(aligned_addr, (to - aligned_addr) + 10, PROT_READ|PROT_EXEC);
+  assert(dest != NULL);
+  assert(src != NULL);
+
+  void *aligned_addr = page_align(dest);
+
+  /* I add "+ count" here to guard against the possibility of the instructions
+   * laying across a page boundary
+   */
+
+  mprotect(aligned_addr, (dest - aligned_addr) + count, PROT_READ|PROT_WRITE|PROT_EXEC);
+  memcpy(dest, src, count);
+  mprotect(aligned_addr, (dest - aligned_addr) + count, PROT_READ|PROT_EXEC);
 
   return;
 }
 
+/*
+ * WRITE_INSTRUCTIONS - page align start, recalculate len to take into account
+ * alignment, set the read/write permissions and execute the code stmt.
+ */
 #define WRITE_INSTRUCTIONS(start, len, stmt) do { \
-  mprotect(start, len, PROT_READ | PROT_WRITE | PROT_EXEC); \
+  void *aligned_addr = page_align((void *)start); \
+  int count = ((void *)start) - aligned_addr + len; \
+  mprotect(aligned_addr, count, PROT_READ | PROT_WRITE | PROT_EXEC); \
   stmt; \
-  mprotect(start, len, PROT_READ | PROT_EXEC); \
+  mprotect(aligned_addr, count, PROT_READ | PROT_EXEC); \
 } while (0)
 
+/*
+ * arch_insert_st1_tramp - architecture specific stage 1 trampoline insert
+ *
+ * Given:
+ *      - a start address (start),
+ *      - the absolute address of the function to intercept (trampee),
+ *      - the absolute address of the code to execute instead (tramp),
+ *
+ * This function will:
+ *    - interpret address start as a struct st1_base,
+ *    - check that the instruction at call is actually a call
+ *    - if so, check that the target of the call is trampee
+ *    - and change the target to tramp
+ *
+ * Returns 0 on success, 1 otherwise.
+ */
 int
 arch_insert_st1_tramp(void *start, void *trampee, void *tramp)
 {
+  assert(start != NULL);
+  assert(trampee != NULL);
+  assert(tramp != NULL);
+
   int32_t fn_addr = 0;
-  struct st1_base *check = (struct st1_base *)start;
-  void *aligned_addr = page_align(&(check->displacement));
+  struct st1_base *check = start;
 
   if (check->call == 0xe8) {
     fn_addr = check->displacement;
     if ((trampee - (void *)(check + 1)) == fn_addr) {
-      WRITE_INSTRUCTIONS(aligned_addr,
-                         ((void *)&(check->displacement) - aligned_addr) + 10,
+      WRITE_INSTRUCTIONS(&check->displacement,
+                         sizeof(*check),
                          (check->displacement = (tramp - (void *)(check + 1))));
-      return 1;
+      return 0;
     }
   }
 
-  return 0;
-}
-
-static void *
-get_got_addr(struct plt_entry *plt)
-{
-  return (void *)&(plt->pad) + plt->jmp_disp;
-}
-
-void
-arch_overwrite_got(void *plt, void *tramp)
-{
-  memcpy(get_got_addr(plt), &tramp, sizeof(void *));
-  return;
+  return 1;
 }
 
+/*
+ * arch_get_st2_tramp - architecture specific stage 2 tramp accessor. This
+ * function returns a pointer to the default stage 2 trampoline setting size
+ * if a non-NULL pointer was passed in.
+ */
 void *
 arch_get_st2_tramp(size_t *size)
 {
   if (size) {
-    *size = sizeof(struct tramp_st2_entry);
+    *size = sizeof(default_st2_tramp);
   }
 
   return &default_st2_tramp;
 }
 
-
+/*
+ * arch_get_inline_st2_tramp - architecture specific inline stage 2 tramp
+ * accessor. This function returns a pointer to the default inline stage 2
+ *  trampoline setting size if a non-NULL pointer was passed in.
+ */
 void *
 arch_get_inline_st2_tramp(size_t *size)
 {
   if (size) {
-    *size = sizeof(struct inline_tramp_st2_entry);
+    *size = sizeof(default_inline_st2_tramp);
   }
 
   return &default_inline_st2_tramp;