C++程序  |  485行  |  17.4 KB

/* Copyright (C) 2007-2010 The Android Open Source Project
**
** This software is licensed under the terms of the GNU General Public
** License version 2, as published by the Free Software Foundation, and
** may be copied, distributed, and modified under those terms.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
*/

/*
 * Contains declarations of structures, routines, etc. that are commonly used
 * in memechecker framework.
 */

#ifndef QEMU_MEMCHECK_MEMCHECK_COMMON_H
#define QEMU_MEMCHECK_MEMCHECK_COMMON_H

/* This file should compile iff qemu is built with memory checking
 * configuration turned on. */
#ifndef CONFIG_MEMCHECK
#error CONFIG_MEMCHECK is not defined.
#endif  // CONFIG_MEMCHECK

#include "qemu-common.h"
#include "cpu.h"

#ifdef __cplusplus
extern "C" {
#endif

// =============================================================================
// Events generated by the guest system.
// =============================================================================

/* Notifies the emulator that libc has been initialized for a process.
 * Event's value parameter is PID for the process in context of which libc has
 * been initialized.
 */
#define TRACE_DEV_REG_LIBC_INIT             1536

/* Notifies the emulator about new memory block being allocated.
 * Event's value parameter points to MallocDesc instance in the guest's address
 * space that contains allocated block information. Note that 'libc_pid' field
 * of the descriptor is used by emulator to report failure in handling this
 * event. In case of failure emulator will zero that filed before completing
 * this event.
 */
#define TRACE_DEV_REG_MALLOC                1537

/* Notifies the emulator about memory block being freed.
 * Event's value parameter points to MallocFree descriptor instance in the
 * guest's address space that contains information about block that's being
 * freed. Note that 'libc_pid' field of the descriptor is used by emulator to
 * report failure in handling this event. In case of failure emulator will zero
 * that filed before completing this event.
 */
#define TRACE_DEV_REG_FREE_PTR              1538

/* Queries the emulator about memory block information.
 * Event's value parameter points to MallocDescQuery descriptor instance in the
 * guest's address space that contains query parameters. Note that 'libc_pid'
 * field of the descriptor is used by emulator to report failure in handling
 * this event. In case of failure emulator will zero that filed before
 * completing this event.
 */
#define TRACE_DEV_REG_QUERY_MALLOC          1539

/* Queries the emulator to print a string to its stdout.
 * Event's value parameter points to zero-terminated string to be printed. Note
 * that this string is located in the guest's address space.
 */
#define TRACE_DEV_REG_PRINT_USER_STR        1540

// =============================================================================
// Communication structures
// =============================================================================

/* Describes memory block allocated from the heap. This structure is passed
 * along with TRACE_DEV_REG_MALLOC event. This descriptor is used to inform
 * the emulator about new memory block being allocated from the heap. The entire
 * structure is initialized by the guest system before event is fired up. It is
 * important to remember that same structure (an exact copy) is also declared
 * in the libc's sources. So, every time a change is made to any of these
 * two declaration, another one must be also updated accordingly. */
typedef struct MallocDesc {
    /* Poniter to the memory block actually allocated from the heap. Note that
     * this is not the pointer that is returned to the malloc's caller. Pointer
     * returned to the caller is calculated by adding value stored in this field
     * to the value stored in prefix_size field of this structure.
     */
    target_ulong    ptr;

    /* Nuber of bytes requested by the malloc's caller. */
    uint32_t        requested_bytes;

    /* Byte size of the prefix data. Actual pointer returned to the malloc's
     * caller is calculated by adding value stored in this field to the value
     * stored in in the ptr field of this structure.
     */
    uint32_t        prefix_size;

    /* Byte size of the suffix data. */
    uint32_t        suffix_size;

    /* Id of the process that initialized libc instance, in which allocation
     * has occurred. This field is used by the emulator to report errors in
     * the course of TRACE_DEV_REG_MALLOC event handling. In case of an error,
     * emulator sets this field to zero (invalid value for a process ID).
     */
    uint32_t        libc_pid;

    /* Id of the process in context of which allocation has occurred.
     * Value in this field may differ from libc_pid value, if process that
     * is doing allocation has been forked from the process that initialized
     * libc instance.
     */
    uint32_t        allocator_pid;

    /* Number of access violations detected on this allocation. */
    uint32_t        av_count;
} MallocDesc;
/* Helpers for addressing field in MallocDesc structure, using which emulator
 * reports an error back to the guest.
 */
#define ALLOC_RES_OFFSET        ((uint32_t)&(((MallocDesc*)0)->libc_pid))
#define ALLOC_RES_ADDRESS(p)    (p + ALLOC_RES_OFFSET)

/* Describes memory block info queried from emulator. This structure is passed
 * along with TRACE_DEV_REG_QUERY_MALLOC event. When handling free and realloc
 * calls, it is required that we have information about memory blocks that were
 * actually allocated in previous calls to malloc, memalign, or realloc. Since
 * we don't keep this information directlry in the allocated block, but rather
 * we keep it in the emulator, we need to query emulator for that information
 * with TRACE_DEV_REG_QUERY_MALLOC query. The entire structure is initialized
 * by the guest system before event is fired up It is important to remember that
 * same structure (an exact copy) is also declared in the libc's sources. So,
 * every time a change is made to any of these two declaration, another one
 * must be also updated accordingly.
 */
typedef struct MallocDescQuery {
    /* Pointer for which information is queried. Note that this pointer doesn't
     * have to be exact pointer returned to malloc's caller, but can point
     * anywhere inside an allocated block, including guarding areas. Emulator
     * will respond with information about allocated block that contains this
     * pointer.
     */
    target_ulong    ptr;

    /* Id of the process that initialized libc instance, in which this query
     * is called. This field is used by the emulator to report errors in
     * the course of TRACE_DEV_REG_QUERY_MALLOC event handling. In case of an
     * error, emulator sets this field to zero (invalid value for a process ID).
     */
    uint32_t        libc_pid;

    /* Process ID in context of which query is made. */
    uint32_t        query_pid;

    /* Code of the allocation routine, in context of which query has been made:
     *  1 - free
     *  2 - realloc
     */
    uint32_t        routine;

    /* Address in guest's virtual space of memory allocation descriptor for the
     * queried pointer. Descriptor, addressed by this field is initialized by
     * the emulator in response to the query.
     */
    target_ulong    desc;
} MallocDescQuery;
/* Helpers for addressing field in MallocDescQuery structure using which
 * emulator reports an error back to the guest.
 */
#define QUERY_RES_OFFSET        ((uint32_t)&(((MallocDescQuery*)0)->libc_pid))
#define QUERY_RES_ADDRESS(p)    (p + QUERY_RES_OFFSET)

/* Describes memory block that is being freed back to the heap. This structure
 * is passed along with TRACE_DEV_REG_FREE_PTR event. The entire structure is
 * initialized by the guest system before event is fired up. It is important to
 * remember that same structure (an exact copy) is also declared in the libc's
 * sources. So, every time a change is made to any of these two declaration,
 * another one must be also updated accordingly.
 */
typedef struct MallocFree {
    /* Pointer to be freed. */
    uint32_t    ptr;

    /* Id of the process that initialized libc instance, in which this free
     * is called. This field is used by the emulator to report errors in
     * the course of TRACE_DEV_REG_FREE_PTR event handling. In case of an
     * error, emulator sets this field to zero (invalid value for a process ID).
     */
    uint32_t    libc_pid;

    /* Process ID in context of which memory is being freed. */
    uint32_t    free_pid;
} MallocFree;
/* Helpers for addressing field in MallocFree structure, using which emulator
 * reports an error back to the guest.
 */
#define FREE_RES_OFFSET         ((uint32_t)&(((MallocFree*)0)->libc_pid))
#define FREE_RES_ADDRESS(p)     (p + FREE_RES_OFFSET)

/* Extends MallocDesc structure with additional information, used by memchecker.
 */
typedef struct MallocDescEx {
    /* Allocation descriptor this structure extends. */
    MallocDesc      malloc_desc;

    /* Call stack that lead to memory allocation. The array is arranged in
     * accending order, where entry at index 0 corresponds to the routine
     * that allocated memory. */
    target_ulong*   call_stack;

    /* Number of entries in call_stack array. */
    uint32_t        call_stack_count;

    /* Set of misc. flags. See MDESC_FLAG_XXX bellow. */
    uint32_t        flags;
} MallocDescEx;

/* Indicates that memory has been allocated before process started execution.
 * After a process has been forked, but before it actually starts executing,
 * allocations can be made in context of that process PID. This flag marks such
 * allocations in the process' allocation descriptors map.
 */
#define MDESC_FLAG_TRANSITION_ENTRY         0x00000001

/* Indicates that memory block has been inherited from the parent process.
 * When a process is forked from its parent process, the forked process inherits
 * a copy of the parent process' heap. Thus, all allocations that were recorded
 * for the parent process must be also recorded for the forked process. This
 * flag marks entries in the forked process' allocation descriptors map that
 * were copied over from the parent process' allocation descriptors map.
 */
#define MDESC_FLAG_INHERITED_ON_FORK        0x00000002

/* Describes a memory mapping of an execution module in the guest system. */
typedef struct MMRangeDesc {
    /* Starting address of mmapping of a module in the guest's address space. */
    target_ulong            map_start;

    /* Ending address of mmapping of a module in the guest's address space. */
    target_ulong            map_end;

    /* Mmapping's execution offset. */
    target_ulong            exec_offset;

    /* Image path of the module that has been mapped with this mmapping. */
    char*                   path;
} MMRangeDesc;

/* Enumerates returned values for insert routines implemeted for red-black
 * tree maps.
 */
typedef enum {
    /* New entry has been inserted into the map. */
    RBT_MAP_RESULT_ENTRY_INSERTED = 0,

    /* An entry, matching the new one already exists in the map. */
    RBT_MAP_RESULT_ENTRY_ALREADY_EXISTS,

    /* An existing entry, matching the new one has been replaced
    * with the new entry.
    */
    RBT_MAP_RESULT_ENTRY_REPLACED,

    /* An error has occurred when inserting entry into the map. */
    RBT_MAP_RESULT_ERROR = -1,
} RBTMapResult;

/* Encapsulates an array of guest addresses, sorted in accending order. */
typedef struct AddrArray {
    /* Array of addresses. */
    target_ulong*   addr;

    /* Number of elements in the array. */
    int             num;
} AddrArray;

// =============================================================================
// Inlines
// =============================================================================

/* Gets pointer returned to malloc caller for the given allocation decriptor.
 * Param:
 *  desc - Allocation descriptor.
 * Return:
 *  Pointer to the allocated memory returned to the malloc caller.
 */
static inline target_ulong
mallocdesc_get_user_ptr(const MallocDesc* desc)
{
    return desc->ptr + desc->prefix_size;
}

/* Gets total size of the allocated block for the given descriptor.
 * Param:
 *  desc - Descriptor for the memory block, allocated in malloc handler.
 * Return:
 *  Total size of memory block allocated in malloc handler.
 */
static inline uint32_t
mallocdesc_get_alloc_size(const MallocDesc* desc)
{
    return desc->prefix_size + desc->requested_bytes + desc->suffix_size;
}

/* Gets the end of the allocated block for the given descriptor.
 * Param:
 *  desc - Descriptor for the memory block, allocated in malloc handler.
 * Return:
 *  Pointer to the end of the allocated block (next byte past the block).
 */
static inline target_ulong
mallocdesc_get_alloc_end(const MallocDesc* desc)
{
    return desc->ptr + mallocdesc_get_alloc_size(desc);
}

/* Gets the end of the allocated block available to the user for the given
 * descriptor.
 * Param:
 *  desc - Descriptor for the memory block, allocated in malloc handler.
 * Return:
 *  Pointer to the end of the allocated block available to the user (next byte
 *  past the block - suffix guarding area).
 */
static inline target_ulong
mallocdesc_get_user_alloc_end(const MallocDesc* desc)
{
    return mallocdesc_get_user_ptr(desc) + desc->requested_bytes;
}

/* Checks if allocation has been made before process started execution.
 * Param:
 *  desc - Allocation descriptor to check.
 * Return:
 *  boolean: 1 if allocation has been made before process started execution,
 *  or 0 if allocation has been made after process started execution.
 */
static inline int
mallocdescex_is_transition_entry(const MallocDescEx* desc)
{
    return (desc->flags & MDESC_FLAG_TRANSITION_ENTRY) != 0;
}

/* Checks if allocation block has been inherited on fork.
 * Param:
 *  desc - Allocation descriptor to check.
 * Return:
 *  boolean: 1 if allocation has been inherited on fork, or 0 if allocation
 *  has been made by this process..
 */
static inline int
mallocdescex_is_inherited_on_fork(const MallocDescEx* desc)
{
    return (desc->flags & MDESC_FLAG_INHERITED_ON_FORK) != 0;
}

/* Gets offset for the given address inside a mapped module.
 * Param:
 *  address - Address to get offset for.
 * Return:
 *  Offset of the given address inside a mapped module, represented with the
 *  given mmaping range descriptor.
 */
static inline target_ulong
mmrangedesc_get_module_offset(const MMRangeDesc* rdesc, target_ulong address)
{
    return address - rdesc->map_start + rdesc->exec_offset;
}

/* Checks if given address is contained in the given address array.
 * Return:
 *  boolean: 1 if address is contained in the array, or zero if it's not.
 */
static inline int
addrarray_check(const AddrArray* addr_array, target_ulong addr)
{
    if (addr_array->num != 0) {
        int m_min = 0;
        int m_max = addr_array->num - 1;

        /* May be odd for THUMB mode. */
        addr &= ~1;
        /* Since array is sorted we can do binary search here. */
        while (m_min <= m_max) {
            const int m = (m_min + m_max) >> 1;
            const target_ulong saved = addr_array->addr[m];
            if (addr == saved) {
                return 1;
            }
            if (addr < saved) {
                m_max = m - 1;
            } else {
                m_min = m + 1;
            }
        }
    }
    return 0;
}

/* Adds an address to the address array.
 * Return:
 *  1  - Address has been added to the array.
 *  -1 - Address already exists in the array.
 *  0  - Unable to expand the array.
 */
static inline int
addrarray_add(AddrArray* addr_array, target_ulong addr)
{
    target_ulong* new_arr;
    int m_min;
    int m_max;

    /* May be odd for THUMB mode. */
    addr &= ~1;
    if (addr_array->num == 0) {
        /* First element. */
        addr_array->addr = qemu_malloc(sizeof(target_ulong));
        assert(addr_array->addr != NULL);
        if (addr_array->addr == NULL) {
            return 0;
        }
        *addr_array->addr = addr;
        addr_array->num++;
        return 1;
    }

    /* Using binary search find the place where to insert new address. */
    m_min = 0;
    m_max = addr_array->num - 1;
    while (m_min <= m_max) {
        const int m = (m_min + m_max) >> 1;
        const target_ulong saved = addr_array->addr[m];
        if (addr == saved) {
            return -1;
        }
        if (addr < saved) {
            m_max = m - 1;
        } else {
            m_min = m + 1;
        }
    }
    if (m_max < 0) {
        m_max = 0;
    }
    /* Expand the array. */
    new_arr = qemu_malloc(sizeof(target_ulong) * (addr_array->num + 1));
    assert(new_arr != NULL);
    if (new_arr == NULL) {
        return 0;
    }
    /* Copy preceding elements to the new array. */
    if (m_max != 0) {
        memcpy(new_arr, addr_array->addr, m_max * sizeof(target_ulong));
    }
    if (addr > addr_array->addr[m_max]) {
        new_arr[m_max] = addr_array->addr[m_max];
        m_max++;
    }
    /* Insert new address. */
    new_arr[m_max] = addr;
    /* Copy remaining elements to the new array. */
    if (m_max < addr_array->num) {
        memcpy(new_arr + m_max + 1, addr_array->addr + m_max,
               (addr_array->num - m_max) * sizeof(target_ulong));
    }
    /* Swap arrays. */
    qemu_free(addr_array->addr);
    addr_array->addr = new_arr;
    addr_array->num++;
    return 1;
}

#ifdef __cplusplus
};  /* end of extern "C" */
#endif

#endif  // QEMU_MEMCHECK_MEMCHECK_COMMON_H