IRDynamicChecks.cpp source code [lldb/source/Plugins/ExpressionParser/Clang/IRDynamicChecks.cpp]

1	//===-- IRDynamicChecks.cpp -----------------------------------------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8
9	#include "llvm/IR/Constants.h"
10	#include "llvm/IR/DataLayout.h"
11	#include "llvm/IR/Function.h"
12	#include "llvm/IR/Instructions.h"
13	#include "llvm/IR/Module.h"
14	#include "llvm/IR/Value.h"
15	#include "llvm/Support/raw_ostream.h"
16
17	#include "IRDynamicChecks.h"
18
19	#include "lldb/Expression/UtilityFunction.h"
20	#include "lldb/Target/ExecutionContext.h"
21	#include "lldb/Target/Language.h"
22	#include "lldb/Target/Process.h"
23	#include "lldb/Target/StackFrame.h"
24	#include "lldb/Target/Target.h"
25	#include "lldb/Utility/ConstString.h"
26	#include "lldb/Utility/LLDBLog.h"
27	#include "lldb/Utility/Log.h"
28
29	#include "Plugins/LanguageRuntime/ObjC/ObjCLanguageRuntime.h"
30
31	using namespace llvm;
32	using namespace lldb_private;
33
34	static char ID;
35
36	#define VALID_OBJC_OBJECT_CHECK_NAME "$__lldb_objc_object_check"
37
38	ClangDynamicCheckerFunctions::ClangDynamicCheckerFunctions()
39	: DynamicCheckerFunctions (DCF_Clang) {}
40
41	ClangDynamicCheckerFunctions::~ClangDynamicCheckerFunctions() = default;
42
43	llvm::Error
44	ClangDynamicCheckerFunctions::Install(DiagnosticManager &diagnostic_manager,
45	ExecutionContext &exe_ctx) {
46	if (Process *process = exe_ctx.GetProcessPtr()) {
47	ObjCLanguageRuntime *objc_language_runtime =
48	ObjCLanguageRuntime::Get(process&: *process);
49
50	SourceLanguage lang = process->GetTarget().GetLanguage();
51	if (!lang)
52	if (auto *frame = exe_ctx.GetFramePtr())
53	lang = frame->GetLanguage();
54
55	if (objc_language_runtime &&
56	Language::LanguageIsObjC(language: lang.AsLanguageType())) {
57	Expected<std::unique_ptr<UtilityFunction>> checker_fn =
58	objc_language_runtime->CreateObjectChecker(VALID_OBJC_OBJECT_CHECK_NAME, exe_ctx);
59	if (!checker_fn)
60	return checker_fn.takeError();
61	m_objc_object_check = std::move(*checker_fn);
62	}
63	}
64
65	return Error::success();
66	}
67
68	bool ClangDynamicCheckerFunctions::DoCheckersExplainStop(lldb::addr_t addr,
69	Stream &message) {
70	// FIXME: We have to get the checkers to know why they scotched the call in
71	// more detail,
72	// so we can print a better message here.
73	if (m_objc_object_check && m_objc_object_check ->ContainsAddress(address: addr)) {
74	message.Printf(format: "Attempted to dereference an invalid ObjC Object or send it "
75	"an unrecognized selector");
76	return true;
77	}
78	return false;
79	}
80
81	static std::string PrintValue(llvm::Value V, bool* truncate = false) {
82	std::string s;
83	raw_string_ostream rso(s);
84	V->print(O&: rso);
85	if (truncate)
86	s.resize(n: s.length() - `1`);
87	return s;
88	}
89
90	/// \class Instrumenter IRDynamicChecks.cpp
91	/// Finds and instruments individual LLVM IR instructions
92	///
93	/// When instrumenting LLVM IR, it is frequently desirable to first search for
94	/// instructions, and then later modify them. This way iterators remain
95	/// intact, and multiple passes can look at the same code base without
96	/// treading on each other's toes.
97	///
98	/// The Instrumenter class implements this functionality. A client first
99	/// calls Inspect on a function, which populates a list of instructions to be
100	/// instrumented. Then, later, when all passes' Inspect functions have been
101	/// called, the client calls Instrument, which adds the desired
102	/// instrumentation.
103	///
104	/// A subclass of Instrumenter must override InstrumentInstruction, which
105	/// is responsible for adding whatever instrumentation is necessary.
106	///
107	/// A subclass of Instrumenter may override:
108	///
109	/// - InspectInstruction [default: does nothing]
110	///
111	/// - InspectBasicBlock [default: iterates through the instructions in a
112	/// basic block calling InspectInstruction]
113	///
114	/// - InspectFunction [default: iterates through the basic blocks in a
115	/// function calling InspectBasicBlock]
116	class Instrumenter {
117	public:
118	/// Constructor
119	///
120	/// \param[in] module
121	/// The module being instrumented.
122	Instrumenter(llvm::Module &module,
123	std::shared_ptr<UtilityFunction> checker_function)
124	: m_module(module), m_checker_function (checker_function) {}
125
126	virtual ~Instrumenter() = default;
127
128	/// Inspect a function to find instructions to instrument
129	///
130	/// \param[in] function
131	/// The function to inspect.
132	///
133	/// \return
134	/// True on success; false on error.
135	bool Inspect(llvm::Function &function) { return InspectFunction(f&: function); }
136
137	/// Instrument all the instructions found by Inspect()
138	///
139	/// \return
140	/// True on success; false on error.
141	bool Instrument() {
142	for (InstIterator ii = m_to_instrument.begin(),
143	last_ii = m_to_instrument.end();
144	ii != last_ii; ++ii) {
145	if (!InstrumentInstruction(inst: *ii))
146	return false;
147	}
148
149	return true;
150	}
151
152	protected:
153	/// Add instrumentation to a single instruction
154	///
155	/// \param[in] inst
156	/// The instruction to be instrumented.
157	///
158	/// \return
159	/// True on success; false otherwise.
160	virtual bool InstrumentInstruction(llvm::Instruction *inst) = `0`;
161
162	/// Register a single instruction to be instrumented
163	///
164	/// \param[in] inst
165	/// The instruction to be instrumented.
166	void RegisterInstruction(llvm::Instruction &inst) {
167	m_to_instrument.push_back(x: &inst);
168	}
169
170	/// Determine whether a single instruction is interesting to instrument,
171	/// and, if so, call RegisterInstruction
172	///
173	/// \param[in] i
174	/// The instruction to be inspected.
175	///
176	/// \return
177	/// False if there was an error scanning; true otherwise.
178	virtual bool InspectInstruction(llvm::Instruction &i) { return true; }
179
180	/// Scan a basic block to see if any instructions are interesting
181	///
182	/// \param[in] bb
183	/// The basic block to be inspected.
184	///
185	/// \return
186	/// False if there was an error scanning; true otherwise.
187	virtual bool InspectBasicBlock(llvm::BasicBlock &bb) {
188	for (llvm::BasicBlock::iterator ii = bb.begin(), last_ii = bb.end();
189	ii != last_ii; ++ii) {
190	if (!InspectInstruction(i&: *ii))
191	return false;
192	}
193
194	return true;
195	}
196
197	/// Scan a function to see if any instructions are interesting
198	///
199	/// \param[in] f
200	/// The function to be inspected.
201	///
202	/// \return
203	/// False if there was an error scanning; true otherwise.
204	virtual bool InspectFunction(llvm::Function &f) {
205	for (llvm::Function::iterator bbi = f.begin(), last_bbi = f.end();
206	bbi != last_bbi; ++bbi) {
207	if (!InspectBasicBlock(bb&: *bbi))
208	return false;
209	}
210
211	return true;
212	}
213
214	/// Build a function pointer for a function with signature void
215	/// ()(uint8_t, uint8_t) with a given address*
216	///
217	/// \param[in] start_address
218	/// The address of the function.
219	///
220	/// \return
221	/// The function pointer, for use in a CallInst.
222	llvm::FunctionCallee BuildObjectCheckerFunc(lldb::addr_t start_address) {
223	llvm::Type *param_array[`2`];
224
225	param_array[`0`] = const_cast<llvm::PointerType *>(GetI8PtrTy());
226	param_array[`1`] = const_cast<llvm::PointerType *>(GetI8PtrTy());
227
228	ArrayRef<llvm::Type *> params(param_array, `2`);
229
230	FunctionType *fun_ty = FunctionType::get(
231	Result: llvm::Type::getVoidTy(C&: m_module.getContext()), Params: params, isVarArg: true);
232	PointerType *fun_ptr_ty = PointerType::getUnqual(C&: m_module.getContext());
233	Constant *fun_addr_int =
234	ConstantInt::get(Ty: GetIntptrTy(), V: start_address, IsSigned: false);
235	return {fun_ty, ConstantExpr::getIntToPtr(C: fun_addr_int, Ty: fun_ptr_ty)};
236	}
237
238	PointerType *GetI8PtrTy() {
239	if (!m_i8ptr_ty)
240	m_i8ptr_ty = llvm::PointerType::getUnqual(C&: m_module.getContext());
241
242	return m_i8ptr_ty;
243	}
244
245	IntegerType *GetIntptrTy() {
246	if (!m_intptr_ty) {
247	m_intptr_ty = llvm::Type::getIntNTy(
248	C&: m_module.getContext(),
249	N: m_module.getDataLayout().getPointerSizeInBits());
250	}
251
252	return m_intptr_ty;
253	}
254
255	typedef std::vector<llvm::Instruction *> InstVector;
256	typedef InstVector::iterator InstIterator;
257
258	InstVector m_to_instrument; ///< List of instructions the inspector found
259	llvm::Module &m_module; ///< The module which is being instrumented
260	std::shared_ptr<UtilityFunction>
261	m_checker_function; ///< The dynamic checker function for the process
262
263	private:
264	PointerType m_i8ptr_ty = nullptr*;
265	IntegerType m_intptr_ty = nullptr*;
266	};
267
268	class ObjcObjectChecker : public Instrumenter {
269	public:
270	ObjcObjectChecker(llvm::Module &module,
271	std::shared_ptr<UtilityFunction> checker_function)
272	: Instrumenter (module, checker_function),
273	m_objc_object_check_func (nullptr) {}
274
275	~ObjcObjectChecker() override = default;
276
277	enum msgSend_type {
278	eMsgSend = `0`,
279	eMsgSendSuper,
280	eMsgSendSuper_stret,
281	eMsgSend_fpret,
282	eMsgSend_stret
283	};
284
285	std::map<llvm::Instruction *, msgSend_type> msgSend_types;
286
287	protected:
288	bool InstrumentInstruction(llvm::Instruction *inst) override {
289	CallInst *call_inst = dyn_cast<CallInst>(Val: inst);
290
291	if (!call_inst)
292	return false; // call_inst really shouldn't be nullptr, because otherwise
293	// InspectInstruction wouldn't have registered it
294
295	if (!m_objc_object_check_func)
296	m_objc_object_check_func =
297	BuildObjectCheckerFunc(start_address: m_checker_function ->StartAddress());
298
299	// id objc_msgSend(id theReceiver, SEL theSelector, ...)
300
301	llvm::Value *target_object;
302	llvm::Value *selector;
303
304	switch (msgSend_types [inst]) {
305	case eMsgSend:
306	case eMsgSend_fpret:
307	// On arm64, clang uses objc_msgSend for scalar and struct return
308	// calls. The call instruction will record which was used.
309	if (call_inst->hasStructRetAttr()) {
310	target_object = call_inst->getArgOperand(i: `1`);
311	selector = call_inst->getArgOperand(i: `2`);
312	} else {
313	target_object = call_inst->getArgOperand(i: `0`);
314	selector = call_inst->getArgOperand(i: `1`);
315	}
316	break;
317	case eMsgSend_stret:
318	target_object = call_inst->getArgOperand(i: `1`);
319	selector = call_inst->getArgOperand(i: `2`);
320	break;
321	case eMsgSendSuper:
322	case eMsgSendSuper_stret:
323	return true;
324	}
325
326	// These objects should always be valid according to Sean Calannan
327	assert(target_object);
328	assert(selector);
329
330	// Insert an instruction to call the helper with the result
331
332	llvm::Value *arg_array[`2`];
333
334	arg_array[`0`] = target_object;
335	arg_array[`1`] = selector;
336
337	ArrayRef<llvm::Value *> args(arg_array, `2`);
338
339	CallInst::Create(Func: m_objc_object_check_func, Args: args, NameStr: "", InsertBefore: inst->getIterator());
340
341	return true;
342	}
343
344	static llvm::Function GetFunction(llvm::Value value) {
345	if (llvm::Function *function = llvm::dyn_cast<llvm::Function>(Val: value)) {
346	return function;
347	}
348
349	if (llvm::ConstantExpr *const_expr =
350	llvm::dyn_cast<llvm::ConstantExpr>(Val: value)) {
351	switch (const_expr->getOpcode()) {
352	default:
353	return nullptr;
354	case llvm::Instruction::BitCast:
355	return GetFunction(value: const_expr->getOperand(i_nocapture: `0`));
356	}
357	}
358
359	return nullptr;
360	}
361
362	static llvm::Function GetCalledFunction(llvm::CallInst inst) {
363	return GetFunction(value: inst->getCalledOperand());
364	}
365
366	bool InspectInstruction(llvm::Instruction &i) override {
367	Log *log = GetLog(mask: LLDBLog::Expressions);
368
369	CallInst *call_inst = dyn_cast<CallInst>(Val: &i);
370
371	if (call_inst) {
372	const llvm::Function *called_function = GetCalledFunction(inst: call_inst);
373
374	if (!called_function)
375	return true;
376
377	std::string name_str = called_function->getName().str();
378	const char *name_cstr = name_str.c_str();
379
380	LLDB_LOGF(log, "Found call to %s: %s\n", name_cstr,
381	PrintValue(call_inst).c_str());
382
383	if (name_str.find(s: "objc_msgSend") == std::string::npos)
384	return true;
385
386	if (!strcmp(s1: name_cstr, s2: "objc_msgSend")) {
387	RegisterInstruction(inst&: i);
388	msgSend_types [&i] = eMsgSend;
389	return true;
390	}
391
392	if (!strcmp(s1: name_cstr, s2: "objc_msgSend_stret")) {
393	RegisterInstruction(inst&: i);
394	msgSend_types [&i] = eMsgSend_stret;
395	return true;
396	}
397
398	if (!strcmp(s1: name_cstr, s2: "objc_msgSend_fpret")) {
399	RegisterInstruction(inst&: i);
400	msgSend_types [&i] = eMsgSend_fpret;
401	return true;
402	}
403
404	if (!strcmp(s1: name_cstr, s2: "objc_msgSendSuper")) {
405	RegisterInstruction(inst&: i);
406	msgSend_types [&i] = eMsgSendSuper;
407	return true;
408	}
409
410	if (!strcmp(s1: name_cstr, s2: "objc_msgSendSuper_stret")) {
411	RegisterInstruction(inst&: i);
412	msgSend_types [&i] = eMsgSendSuper_stret;
413	return true;
414	}
415
416	LLDB_LOGF(log,
417	"Function name '%s' contains 'objc_msgSend' but is not handled",
418	name_str.c_str());
419
420	return true;
421	}
422
423	return true;
424	}
425
426	private:
427	llvm::FunctionCallee m_objc_object_check_func;
428	};
429
430	IRDynamicChecks::IRDynamicChecks(
431	ClangDynamicCheckerFunctions &checker_functions, const char *func_name)
432	: ModulePass (ID), m_func_name (func_name),
433	m_checker_functions(checker_functions) {}
434
435	IRDynamicChecks::~IRDynamicChecks() = default;
436
437	bool IRDynamicChecks::runOnModule(llvm::Module &M) {
438	Log *log = GetLog(mask: LLDBLog::Expressions);
439
440	llvm::Function *function = M.getFunction(Name: StringRef (m_func_name));
441
442	if (!function) {
443	LLDB_LOGF(log, "Couldn't find %s() in the module", m_func_name.c_str());
444
445	return false;
446	}
447
448	if (m_checker_functions.m_objc_object_check) {
449	ObjcObjectChecker ooc(M, m_checker_functions.m_objc_object_check);
450
451	if (!ooc.Inspect(function&: *function))
452	return false;
453
454	if (!ooc.Instrument())
455	return false;
456	}
457
458	if (log && log->GetVerbose()) {
459	std::string s;
460	raw_string_ostream oss(s);
461
462	M.print(OS&: oss, AAW: nullptr);
463
464	LLDB_LOGF(log, "Module after dynamic checks: \n%s", s.c_str());
465	}
466
467	return true;
468	}
469
470	void IRDynamicChecks::assignPassManager(PMStack &PMS, PassManagerType T) {}
471
472	PassManagerType IRDynamicChecks::getPotentialPassManagerType() const {
473	return PMT_ModulePassManager;
474	}
475

source code of lldb/source/Plugins/ExpressionParser/Clang/IRDynamicChecks.cpp