| /* Copyright (C) 2007-2010 The Android Open Source Project |
| ** |
| ** This software is licensed under the terms of the GNU General Public |
| ** License version 2, as published by the Free Software Foundation, and |
| ** may be copied, distributed, and modified under those terms. |
| ** |
| ** This program is distributed in the hope that it will be useful, |
| ** but WITHOUT ANY WARRANTY; without even the implied warranty of |
| ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| ** GNU General Public License for more details. |
| */ |
| |
| /* |
| * Contains declarations of structures, routines, etc. that are commonly used |
| * in memechecker framework. |
| */ |
| |
| #ifndef QEMU_MEMCHECK_MEMCHECK_COMMON_H |
| #define QEMU_MEMCHECK_MEMCHECK_COMMON_H |
| |
| #include "qemu-common.h" |
| #include "cpu.h" |
| |
| #ifdef __cplusplus |
| extern "C" { |
| #endif |
| |
| // ============================================================================= |
| // Events generated by the guest system. |
| // ============================================================================= |
| |
| /* Notifies the emulator that libc has been initialized for a process. |
| * Event's value parameter is PID for the process in context of which libc has |
| * been initialized. |
| */ |
| #define TRACE_DEV_REG_LIBC_INIT 1536 |
| |
| /* Notifies the emulator about new memory block being allocated. |
| * Event's value parameter points to MallocDesc instance in the guest's address |
| * space that contains allocated block information. Note that 'libc_pid' field |
| * of the descriptor is used by emulator to report failure in handling this |
| * event. In case of failure emulator will zero that filed before completing |
| * this event. |
| */ |
| #define TRACE_DEV_REG_MALLOC 1537 |
| |
| /* Notifies the emulator about memory block being freed. |
| * Event's value parameter points to MallocFree descriptor instance in the |
| * guest's address space that contains information about block that's being |
| * freed. Note that 'libc_pid' field of the descriptor is used by emulator to |
| * report failure in handling this event. In case of failure emulator will zero |
| * that filed before completing this event. |
| */ |
| #define TRACE_DEV_REG_FREE_PTR 1538 |
| |
| /* Queries the emulator about memory block information. |
| * Event's value parameter points to MallocDescQuery descriptor instance in the |
| * guest's address space that contains query parameters. Note that 'libc_pid' |
| * field of the descriptor is used by emulator to report failure in handling |
| * this event. In case of failure emulator will zero that filed before |
| * completing this event. |
| */ |
| #define TRACE_DEV_REG_QUERY_MALLOC 1539 |
| |
| /* Queries the emulator to print a string to its stdout. |
| * Event's value parameter points to zero-terminated string to be printed. Note |
| * that this string is located in the guest's address space. |
| */ |
| #define TRACE_DEV_REG_PRINT_USER_STR 1540 |
| |
| // ============================================================================= |
| // Communication structures |
| // ============================================================================= |
| |
| /* Describes memory block allocated from the heap. This structure is passed |
| * along with TRACE_DEV_REG_MALLOC event. This descriptor is used to inform |
| * the emulator about new memory block being allocated from the heap. The entire |
| * structure is initialized by the guest system before event is fired up. It is |
| * important to remember that same structure (an exact copy) is also declared |
| * in the libc's sources. So, every time a change is made to any of these |
| * two declaration, another one must be also updated accordingly. */ |
| typedef struct MallocDesc { |
| /* Poniter to the memory block actually allocated from the heap. Note that |
| * this is not the pointer that is returned to the malloc's caller. Pointer |
| * returned to the caller is calculated by adding value stored in this field |
| * to the value stored in prefix_size field of this structure. |
| */ |
| target_ulong ptr; |
| |
| /* Nuber of bytes requested by the malloc's caller. */ |
| uint32_t requested_bytes; |
| |
| /* Byte size of the prefix data. Actual pointer returned to the malloc's |
| * caller is calculated by adding value stored in this field to the value |
| * stored in in the ptr field of this structure. |
| */ |
| uint32_t prefix_size; |
| |
| /* Byte size of the suffix data. */ |
| uint32_t suffix_size; |
| |
| /* Id of the process that initialized libc instance, in which allocation |
| * has occurred. This field is used by the emulator to report errors in |
| * the course of TRACE_DEV_REG_MALLOC event handling. In case of an error, |
| * emulator sets this field to zero (invalid value for a process ID). |
| */ |
| uint32_t libc_pid; |
| |
| /* Id of the process in context of which allocation has occurred. |
| * Value in this field may differ from libc_pid value, if process that |
| * is doing allocation has been forked from the process that initialized |
| * libc instance. |
| */ |
| uint32_t allocator_pid; |
| |
| /* Number of access violations detected on this allocation. */ |
| uint32_t av_count; |
| } MallocDesc; |
| /* Helpers for addressing field in MallocDesc structure, using which emulator |
| * reports an error back to the guest. |
| */ |
| #define ALLOC_RES_OFFSET ((uint32_t)(ptrdiff_t)&(((MallocDesc*)0)->libc_pid)) |
| #define ALLOC_RES_ADDRESS(p) (p + ALLOC_RES_OFFSET) |
| |
| /* Describes memory block info queried from emulator. This structure is passed |
| * along with TRACE_DEV_REG_QUERY_MALLOC event. When handling free and realloc |
| * calls, it is required that we have information about memory blocks that were |
| * actually allocated in previous calls to malloc, memalign, or realloc. Since |
| * we don't keep this information directlry in the allocated block, but rather |
| * we keep it in the emulator, we need to query emulator for that information |
| * with TRACE_DEV_REG_QUERY_MALLOC query. The entire structure is initialized |
| * by the guest system before event is fired up It is important to remember that |
| * same structure (an exact copy) is also declared in the libc's sources. So, |
| * every time a change is made to any of these two declaration, another one |
| * must be also updated accordingly. |
| */ |
| typedef struct MallocDescQuery { |
| /* Pointer for which information is queried. Note that this pointer doesn't |
| * have to be exact pointer returned to malloc's caller, but can point |
| * anywhere inside an allocated block, including guarding areas. Emulator |
| * will respond with information about allocated block that contains this |
| * pointer. |
| */ |
| target_ulong ptr; |
| |
| /* Id of the process that initialized libc instance, in which this query |
| * is called. This field is used by the emulator to report errors in |
| * the course of TRACE_DEV_REG_QUERY_MALLOC event handling. In case of an |
| * error, emulator sets this field to zero (invalid value for a process ID). |
| */ |
| uint32_t libc_pid; |
| |
| /* Process ID in context of which query is made. */ |
| uint32_t query_pid; |
| |
| /* Code of the allocation routine, in context of which query has been made: |
| * 1 - free |
| * 2 - realloc |
| */ |
| uint32_t routine; |
| |
| /* Address in guest's virtual space of memory allocation descriptor for the |
| * queried pointer. Descriptor, addressed by this field is initialized by |
| * the emulator in response to the query. |
| */ |
| target_ulong desc; |
| } MallocDescQuery; |
| /* Helpers for addressing field in MallocDescQuery structure using which |
| * emulator reports an error back to the guest. |
| */ |
| #define QUERY_RES_OFFSET ((uint32_t)(ptrdiff_t)&(((MallocDescQuery*)0)->libc_pid)) |
| #define QUERY_RES_ADDRESS(p) (p + QUERY_RES_OFFSET) |
| |
| /* Describes memory block that is being freed back to the heap. This structure |
| * is passed along with TRACE_DEV_REG_FREE_PTR event. The entire structure is |
| * initialized by the guest system before event is fired up. It is important to |
| * remember that same structure (an exact copy) is also declared in the libc's |
| * sources. So, every time a change is made to any of these two declaration, |
| * another one must be also updated accordingly. |
| */ |
| typedef struct MallocFree { |
| /* Pointer to be freed. */ |
| uint32_t ptr; |
| |
| /* Id of the process that initialized libc instance, in which this free |
| * is called. This field is used by the emulator to report errors in |
| * the course of TRACE_DEV_REG_FREE_PTR event handling. In case of an |
| * error, emulator sets this field to zero (invalid value for a process ID). |
| */ |
| uint32_t libc_pid; |
| |
| /* Process ID in context of which memory is being freed. */ |
| uint32_t free_pid; |
| } MallocFree; |
| /* Helpers for addressing field in MallocFree structure, using which emulator |
| * reports an error back to the guest. |
| */ |
| #define FREE_RES_OFFSET ((uint32_t)(ptrdiff_t)&(((MallocFree*)0)->libc_pid)) |
| #define FREE_RES_ADDRESS(p) (p + FREE_RES_OFFSET) |
| |
| /* Extends MallocDesc structure with additional information, used by memchecker. |
| */ |
| typedef struct MallocDescEx { |
| /* Allocation descriptor this structure extends. */ |
| MallocDesc malloc_desc; |
| |
| /* Call stack that lead to memory allocation. The array is arranged in |
| * accending order, where entry at index 0 corresponds to the routine |
| * that allocated memory. */ |
| target_ulong* call_stack; |
| |
| /* Number of entries in call_stack array. */ |
| uint32_t call_stack_count; |
| |
| /* Set of misc. flags. See MDESC_FLAG_XXX bellow. */ |
| uint32_t flags; |
| } MallocDescEx; |
| |
| /* Indicates that memory has been allocated before process started execution. |
| * After a process has been forked, but before it actually starts executing, |
| * allocations can be made in context of that process PID. This flag marks such |
| * allocations in the process' allocation descriptors map. |
| */ |
| #define MDESC_FLAG_TRANSITION_ENTRY 0x00000001 |
| |
| /* Indicates that memory block has been inherited from the parent process. |
| * When a process is forked from its parent process, the forked process inherits |
| * a copy of the parent process' heap. Thus, all allocations that were recorded |
| * for the parent process must be also recorded for the forked process. This |
| * flag marks entries in the forked process' allocation descriptors map that |
| * were copied over from the parent process' allocation descriptors map. |
| */ |
| #define MDESC_FLAG_INHERITED_ON_FORK 0x00000002 |
| |
| /* Describes a memory mapping of an execution module in the guest system. */ |
| typedef struct MMRangeDesc { |
| /* Starting address of mmapping of a module in the guest's address space. */ |
| target_ulong map_start; |
| |
| /* Ending address of mmapping of a module in the guest's address space. */ |
| target_ulong map_end; |
| |
| /* Mmapping's execution offset. */ |
| target_ulong exec_offset; |
| |
| /* Image path of the module that has been mapped with this mmapping. */ |
| char* path; |
| } MMRangeDesc; |
| |
| /* Enumerates returned values for insert routines implemeted for red-black |
| * tree maps. |
| */ |
| typedef enum { |
| /* New entry has been inserted into the map. */ |
| RBT_MAP_RESULT_ENTRY_INSERTED = 0, |
| |
| /* An entry, matching the new one already exists in the map. */ |
| RBT_MAP_RESULT_ENTRY_ALREADY_EXISTS, |
| |
| /* An existing entry, matching the new one has been replaced |
| * with the new entry. |
| */ |
| RBT_MAP_RESULT_ENTRY_REPLACED, |
| |
| /* An error has occurred when inserting entry into the map. */ |
| RBT_MAP_RESULT_ERROR = -1, |
| } RBTMapResult; |
| |
| /* Encapsulates an array of guest addresses, sorted in accending order. */ |
| typedef struct AddrArray { |
| /* Array of addresses. */ |
| target_ulong* addr; |
| |
| /* Number of elements in the array. */ |
| int num; |
| } AddrArray; |
| |
| // ============================================================================= |
| // Inlines |
| // ============================================================================= |
| |
| /* Gets pointer returned to malloc caller for the given allocation decriptor. |
| * Param: |
| * desc - Allocation descriptor. |
| * Return: |
| * Pointer to the allocated memory returned to the malloc caller. |
| */ |
| static inline target_ulong |
| mallocdesc_get_user_ptr(const MallocDesc* desc) |
| { |
| return desc->ptr + desc->prefix_size; |
| } |
| |
| /* Gets total size of the allocated block for the given descriptor. |
| * Param: |
| * desc - Descriptor for the memory block, allocated in malloc handler. |
| * Return: |
| * Total size of memory block allocated in malloc handler. |
| */ |
| static inline uint32_t |
| mallocdesc_get_alloc_size(const MallocDesc* desc) |
| { |
| return desc->prefix_size + desc->requested_bytes + desc->suffix_size; |
| } |
| |
| /* Gets the end of the allocated block for the given descriptor. |
| * Param: |
| * desc - Descriptor for the memory block, allocated in malloc handler. |
| * Return: |
| * Pointer to the end of the allocated block (next byte past the block). |
| */ |
| static inline target_ulong |
| mallocdesc_get_alloc_end(const MallocDesc* desc) |
| { |
| return desc->ptr + mallocdesc_get_alloc_size(desc); |
| } |
| |
| /* Gets the end of the allocated block available to the user for the given |
| * descriptor. |
| * Param: |
| * desc - Descriptor for the memory block, allocated in malloc handler. |
| * Return: |
| * Pointer to the end of the allocated block available to the user (next byte |
| * past the block - suffix guarding area). |
| */ |
| static inline target_ulong |
| mallocdesc_get_user_alloc_end(const MallocDesc* desc) |
| { |
| return mallocdesc_get_user_ptr(desc) + desc->requested_bytes; |
| } |
| |
| /* Checks if allocation has been made before process started execution. |
| * Param: |
| * desc - Allocation descriptor to check. |
| * Return: |
| * boolean: 1 if allocation has been made before process started execution, |
| * or 0 if allocation has been made after process started execution. |
| */ |
| static inline int |
| mallocdescex_is_transition_entry(const MallocDescEx* desc) |
| { |
| return (desc->flags & MDESC_FLAG_TRANSITION_ENTRY) != 0; |
| } |
| |
| /* Checks if allocation block has been inherited on fork. |
| * Param: |
| * desc - Allocation descriptor to check. |
| * Return: |
| * boolean: 1 if allocation has been inherited on fork, or 0 if allocation |
| * has been made by this process.. |
| */ |
| static inline int |
| mallocdescex_is_inherited_on_fork(const MallocDescEx* desc) |
| { |
| return (desc->flags & MDESC_FLAG_INHERITED_ON_FORK) != 0; |
| } |
| |
| /* Gets offset for the given address inside a mapped module. |
| * Param: |
| * address - Address to get offset for. |
| * Return: |
| * Offset of the given address inside a mapped module, represented with the |
| * given mmaping range descriptor. |
| */ |
| static inline target_ulong |
| mmrangedesc_get_module_offset(const MMRangeDesc* rdesc, target_ulong address) |
| { |
| return address - rdesc->map_start + rdesc->exec_offset; |
| } |
| |
| /* Checks if given address is contained in the given address array. |
| * Return: |
| * boolean: 1 if address is contained in the array, or zero if it's not. |
| */ |
| static inline int |
| addrarray_check(const AddrArray* addr_array, target_ulong addr) |
| { |
| if (addr_array->num != 0) { |
| int m_min = 0; |
| int m_max = addr_array->num - 1; |
| |
| /* May be odd for THUMB mode. */ |
| addr &= ~1; |
| /* Since array is sorted we can do binary search here. */ |
| while (m_min <= m_max) { |
| const int m = (m_min + m_max) >> 1; |
| const target_ulong saved = addr_array->addr[m]; |
| if (addr == saved) { |
| return 1; |
| } |
| if (addr < saved) { |
| m_max = m - 1; |
| } else { |
| m_min = m + 1; |
| } |
| } |
| } |
| return 0; |
| } |
| |
| /* Adds an address to the address array. |
| * Return: |
| * 1 - Address has been added to the array. |
| * -1 - Address already exists in the array. |
| * 0 - Unable to expand the array. |
| */ |
| static inline int |
| addrarray_add(AddrArray* addr_array, target_ulong addr) |
| { |
| target_ulong* new_arr; |
| int m_min; |
| int m_max; |
| |
| /* May be odd for THUMB mode. */ |
| addr &= ~1; |
| if (addr_array->num == 0) { |
| /* First element. */ |
| addr_array->addr = g_malloc(sizeof(target_ulong)); |
| assert(addr_array->addr != NULL); |
| if (addr_array->addr == NULL) { |
| return 0; |
| } |
| *addr_array->addr = addr; |
| addr_array->num++; |
| return 1; |
| } |
| |
| /* Using binary search find the place where to insert new address. */ |
| m_min = 0; |
| m_max = addr_array->num - 1; |
| while (m_min <= m_max) { |
| const int m = (m_min + m_max) >> 1; |
| const target_ulong saved = addr_array->addr[m]; |
| if (addr == saved) { |
| return -1; |
| } |
| if (addr < saved) { |
| m_max = m - 1; |
| } else { |
| m_min = m + 1; |
| } |
| } |
| if (m_max < 0) { |
| m_max = 0; |
| } |
| /* Expand the array. */ |
| new_arr = g_malloc(sizeof(target_ulong) * (addr_array->num + 1)); |
| assert(new_arr != NULL); |
| if (new_arr == NULL) { |
| return 0; |
| } |
| /* Copy preceding elements to the new array. */ |
| if (m_max != 0) { |
| memcpy(new_arr, addr_array->addr, m_max * sizeof(target_ulong)); |
| } |
| if (addr > addr_array->addr[m_max]) { |
| new_arr[m_max] = addr_array->addr[m_max]; |
| m_max++; |
| } |
| /* Insert new address. */ |
| new_arr[m_max] = addr; |
| /* Copy remaining elements to the new array. */ |
| if (m_max < addr_array->num) { |
| memcpy(new_arr + m_max + 1, addr_array->addr + m_max, |
| (addr_array->num - m_max) * sizeof(target_ulong)); |
| } |
| /* Swap arrays. */ |
| g_free(addr_array->addr); |
| addr_array->addr = new_arr; |
| addr_array->num++; |
| return 1; |
| } |
| |
| #ifdef __cplusplus |
| }; /* end of extern "C" */ |
| #endif |
| |
| #endif // QEMU_MEMCHECK_MEMCHECK_COMMON_H |