adding malloc wrap and addr attr to mem instrument

Author: luickk

CMakeLists.txt

@@ -0,0 +1,16 @@
+project(sample)
+add_library(myclient SHARED memtrace.c error_detector.c)
+target_include_directories(myclient PRIVATE ${include/})
+find_package(DynamoRIO PATHS ../DynamoRIO/cmake)
+if (NOT DynamoRIO_FOUND)
+  message(FATAL_ERROR "DynamoRIO package required to build")
+endif(NOT DynamoRIO_FOUND)
+configure_DynamoRIO_client(myclient)
+use_DynamoRIO_extension(myclient "drmgr")
+use_DynamoRIO_extension(myclient "drreg")
+use_DynamoRIO_extension(myclient "drutil")
+use_DynamoRIO_extension(myclient "drx")
+use_DynamoRIO_extension(myclient "droption")
+use_DynamoRIO_extension(myclient "drsyms")
+use_DynamoRIO_extension(myclient "drcallstack")
+use_DynamoRIO_extension(myclient "drwrap")

README.md

@@ -1 +1,4 @@
-# BasicThreadErrorDetector
+# Basic Thread Error Detector based on DynamoRIO
+
+
+https://storage.googleapis.com/pub-tools-public-publication-data/pdf/35604.pdf

build.sh

@@ -0,0 +1,7 @@
+clang testPrograms/basicMultiThread.c -o basicMultiThread.elf -lpthread
+mkdir build
+rm build/libmyclient.so
+cd build
+cmake ../
+make
+cd ../

buildAndRun.sh

@@ -0,0 +1,2 @@
+bash build.sh
+../DynamoRIO/bin64/drrun -c build/libmyclient.so -- basicMultiThread.elf -lpthread

error_detector.c

@@ -0,0 +1,213 @@
+#include "include/memtrace.h"
+
+#define MAX_THREADS 100
+const u64 linear_set_size_increment = 1000000;
+
+// todo => shrink to 8 bytes. Should be possible if memory address access/accessing only store 
+// bytes of the virtual address that define the memory locations relative to the process pages)
+// reference: https://developer.arm.com/documentation/den0024/a/The-Memory-Management-Unit/Translating-a-Virtual-Address-to-a-Physical-Address
+// abstract: only the last 28 bits of an virtual address encode the actual loation(or index) of the address, the rest is context
+typedef struct MemoryAccess {
+   usize address_accessed;
+   u16 opcode;
+   u64 size;
+   u32 callee_thread_id;
+} MemoryAccess;
+
+typedef struct LockAccess {
+   usize lock_address;
+   u32 callee_thread_id;
+} LockAccess;
+
+typedef struct ThreadState {
+    u64 thread_id;
+    MemoryAccess *mem_read_set;
+    u64 mem_read_set_capacity;
+    u64 mem_read_set_len;
+
+    MemoryAccess *mem_write_set;
+    u64 mem_write_set_capacity;
+    u64 mem_write_set_len;
+
+    LockAccess *lock_unlock_set;
+    u64 lock_unlock_set_capacity;
+    u64 lock_unlock_set_len;
+
+    LockAccess *lock_lock_set;
+    u64 lock_lock_set_capacity;
+    u64 lock_lock_set_len;
+} ThreadState;
+
+ThreadState threads[MAX_THREADS] = {};
+u64 n_threads = 0;
+
+i64 findThreadByTId(u64 tid) {
+    u64 i;
+    for (i = 0; i <= n_threads; i++) {
+        if (threads[i].thread_id == tid) {
+            return i;
+        }
+    }
+    return -1;
+}
+
+void mem_analyse_exit() { 
+    u64 j;
+    for (j = 0; j < n_threads; j++) {
+        u64 i;
+        printf("Thread id: %ld \n", threads[j].thread_id);
+        printf("mem_write_set_len: %ld \n", threads[j].mem_write_set_len);
+        printf("mem_read_set_len: %ld \n", threads[j].mem_read_set_len);
+        printf("unlocks: %ld \n", threads[j].lock_unlock_set_len);
+        printf("locks: %ld \n", threads[j].lock_lock_set_len);
+        // for (i = 0; i < threads[j].mem_write_set_len; i++) {
+        //     printf("[%d]tid write access to address: %ld, size: %ld, opcode: %s \n", threads[j].mem_write_set[i].thread_id, threads[j].mem_write_set[i].address_accessed, threads[j].mem_write_set[i].size, (threads[j].mem_read_set[i].opcode > REF_TYPE_WRITE) ? decode_opcode_name(threads[j].mem_read_set[i].opcode) /* opcode for instr */ : (threads[j].mem_read_set[i].opcode == REF_TYPE_WRITE ? "w" : "r"));        
+        // }
+        // for (i = 0; i < threads[j].mem_read_set_len; i++) {
+        //     printf("[%d]tid read access to address: %ld, size: %ld, opcode: %s \n", threads[j].mem_write_set[i].thread_id, threads[j].mem_read_set[i].address_accessed, threads[j].mem_read_set[i].size, (threads[j].mem_read_set[i].opcode > REF_TYPE_WRITE) ? decode_opcode_name(threads[j].mem_read_set[i].opcode) /* opcode for instr */ : (threads[j].mem_read_set[i].opcode == REF_TYPE_WRITE ? "w" : "r"));
+        // }
+
+        free(threads[j].mem_write_set);
+        free(threads[j].mem_read_set);
+        free(threads[j].lock_lock_set);
+        free(threads[j].lock_unlock_set);
+    }
+}
+
+u32 mem_analyse_init() { 
+        return 1;
+}
+
+u32 mem_analyse_new_thread_init(u64 thread_id) {
+    if (n_threads >= MAX_THREADS) return 0;
+    threads[n_threads].thread_id = thread_id;
+
+    threads[n_threads].mem_read_set = (MemoryAccess*)malloc(sizeof(MemoryAccess) * linear_set_size_increment);
+    threads[n_threads].mem_read_set_capacity = linear_set_size_increment;
+    if (threads[n_threads].mem_read_set == NULL) {
+        printf("set allocation error \n");
+        return 0;    
+    }
+    threads[n_threads].mem_write_set = (MemoryAccess*)malloc(sizeof(MemoryAccess) * linear_set_size_increment);
+    threads[n_threads].mem_write_set_capacity = linear_set_size_increment;
+    if (threads[n_threads].mem_write_set == NULL) {
+        printf("set allocation error \n");
+        return 0;
+    }
+
+    threads[n_threads].lock_lock_set = (LockAccess*)malloc(sizeof(LockAccess) * linear_set_size_increment);
+    threads[n_threads].lock_lock_set_capacity = linear_set_size_increment;
+    if (threads[n_threads].lock_lock_set == NULL) {
+        printf("set allocation error \n");
+        return 0;
+    }
+    threads[n_threads].lock_unlock_set = (LockAccess*)malloc(sizeof(LockAccess) * linear_set_size_increment);
+    threads[n_threads].lock_unlock_set_capacity = linear_set_size_increment;    
+    if (threads[n_threads].lock_unlock_set == NULL) {
+        printf("set allocation error \n");
+        return 0;
+    }
+
+    n_threads += 1;
+    return 1;
+}
+
+void mem_analyse_thread_exit() {
+    // printf("thread exit \n");
+}
+
+void *increase_set_capacity(void *set, u64 *set_capacity) {
+    *set_capacity += linear_set_size_increment;
+    printf("new set_capacity: %ld \n", *set_capacity);
+    return realloc(set, *set_capacity);
+}
+
+void wrap_pre_unlock(void *wrapcxt, OUT void **user_data) {
+    void *addr = drwrap_get_arg(wrapcxt, 0);
+    u64 thread_id = dr_get_thread_id(wrapcxt);
+    // printf("pthread_unlock called\n");
+    i64 t_index = findThreadByTId(thread_id);
+    if (t_index < 0) {
+        // printf("error finding thread_id. %ld \n", thread_id);
+        return;    
+    }
+    ThreadState *curr_thread = &threads[t_index];
+    curr_thread->lock_unlock_set[curr_thread->lock_unlock_set_len].lock_address = (u64)addr;
+    curr_thread->lock_unlock_set[curr_thread->lock_unlock_set_len].callee_thread_id = thread_id;
+    curr_thread->lock_unlock_set_len += 1;
+}
+
+void wrap_pre_lock(void *wrapcxt, OUT void **user_data) {
+    void *addr = drwrap_get_arg(wrapcxt, 0);
+    // todo => wrong id
+    u64 thread_id = dr_get_thread_id(wrapcxt);
+    // printf("pthread_lock called %ld \n", thread_id);
+    i64 t_index = findThreadByTId(thread_id);
+    if (t_index < 0) {
+        // printf("error finding thread_id. %ld \n", thread_id);
+        return;        }
+    ThreadState *curr_thread = &threads[t_index];
+    curr_thread->lock_lock_set[curr_thread->lock_lock_set_len].lock_address = (u64)addr;
+    curr_thread->lock_lock_set[curr_thread->lock_lock_set_len].callee_thread_id = thread_id;
+    curr_thread->lock_lock_set_len += 1;
+}
+
+
+void wrap_post_malloc(void *wrapcxt, OUT void **user_data) {
+    void *addr = drwrap_get_retval(wrapcxt);
+    // todo => wrong id
+    u64 thread_id = dr_get_thread_id(wrapcxt);
+    // printf("pthread_lock called %ld \n", thread_id);
+    i64 t_index = findThreadByTId(thread_id);
+    if (t_index < 0) {
+        // printf("error finding thread_id. %ld \n", thread_id);
+        // return;    
+    }
+    ThreadState *curr_thread = &threads[t_index];
+    curr_thread->lock_lock_set[curr_thread->lock_lock_set_len].lock_address = (u64)addr;
+    curr_thread->lock_lock_set[curr_thread->lock_lock_set_len].callee_thread_id = thread_id;
+    curr_thread->lock_lock_set_len += 1;
+}
+
+// this is an event like fn that is envoked on every memory access (called by DynamRIO)
+void memtrace(void *drcontext, u64 thread_id) {
+    per_thread_t *data;
+    mem_ref_t *mem_ref, *buf_ptr;
+    data = drmgr_get_tls_field(drcontext, tls_idx);
+    buf_ptr = BUF_PTR(data->seg_base);
+    
+    i64 t_index = findThreadByTId(thread_id);
+    if (t_index < 0) {
+        // printf("error finding thread_id. %ld \n", thread_id);
+        return;    
+    }
+    ThreadState *curr_thread = &threads[t_index];
+    for (mem_ref = (mem_ref_t *)data->buf_base; mem_ref < buf_ptr; mem_ref++) {
+        if (mem_ref->type == 1 || mem_ref->type == 457 || mem_ref->type == 458 || mem_ref->type == 456 || mem_ref->type == 568) {
+            // mem write
+            if (curr_thread->mem_write_set_len >= curr_thread->mem_write_set_capacity) curr_thread->mem_write_set = increase_set_capacity(curr_thread->mem_write_set, &curr_thread->mem_write_set_capacity);
+            if (curr_thread->mem_write_set == NULL) exit(1);
+            curr_thread->mem_write_set[curr_thread->mem_write_set_len].address_accessed = (usize)mem_ref->addr;
+            curr_thread->mem_write_set[curr_thread->mem_write_set_len].opcode = mem_ref->type;
+            curr_thread->mem_write_set[curr_thread->mem_write_set_len].callee_thread_id = thread_id;
+            curr_thread->mem_write_set[curr_thread->mem_write_set_len].size = mem_ref->size;
+            curr_thread->mem_write_set_len += 1;
+        } else if(mem_ref->type == 0 || mem_ref->type == 227 || mem_ref->type == 225 || mem_ref->type == 197 || mem_ref->type == 228 || mem_ref->type == 229 || mem_ref->type == 299 || mem_ref->type == 173) {
+            // mem read
+            if (curr_thread->mem_read_set_len >= curr_thread->mem_read_set_capacity) curr_thread->mem_read_set = increase_set_capacity(curr_thread->mem_read_set, &curr_thread->mem_read_set_capacity);
+            if (curr_thread->mem_read_set == NULL) exit(1);
+            curr_thread->mem_read_set[curr_thread->mem_read_set_len].address_accessed = (usize)mem_ref->addr;
+            curr_thread->mem_read_set[curr_thread->mem_read_set_len].opcode = mem_ref->type;
+            curr_thread->mem_read_set[curr_thread->mem_read_set_len].callee_thread_id = thread_id;
+            curr_thread->mem_read_set[curr_thread->mem_read_set_len].size = mem_ref->size;
+            curr_thread->mem_read_set_len += 1;
+        }
+        //  else {
+        //     printf("missed %d \n", mem_ref->type);        
+        // }
+        // // /* We use PIFX to avoid leading zeroes and shrink the resulting file. */
+        // fprintf(data->logf, "" PIFX ": %2d, %s (%d)\n", (ptr_uint_t)mem_ref->addr, mem_ref->size, (mem_ref->type > REF_TYPE_WRITE) ? decode_opcode_name(mem_ref->type) /* opcode for instr */ : (mem_ref->type == REF_TYPE_WRITE ? "w" : "r"), mem_ref->type);
+        data->num_refs++;
+    }
+    BUF_PTR(data->seg_base) = data->buf_base;
+}

include/memtrace.h

@@ -0,0 +1,72 @@
+#include <stdio.h>
+#include <stddef.h> /* for offsetof */
+#include <string.h>
+#include <sys/syscall.h>
+#include "dr_api.h"
+#include "drmgr.h"
+#include "drreg.h"
+#include "drutil.h"
+#include "drx.h"
+#include "drwrap.h"
+#include "drcallstack.h"
+#include "drsyms.h"
+
+#include "types.h"
+
+#define SYS_MAX_ARGS 3
+#define TLS_SLOT(tls_base, enum_val) (void **)((byte *)(tls_base) + tls_offs + (enum_val))
+#define BUF_PTR(tls_base) *(mem_ref_t **)TLS_SLOT(tls_base, MEMTRACE_TLS_OFFS_BUF_PTR)
+
+enum {
+    REF_TYPE_READ = 0,
+    REF_TYPE_WRITE = 1,
+};
+/* Each mem_ref_t is a <type, size, addr> entry representing a memory reference
+ * instruction or the reference information, e.g.:
+ * - mem ref instr: { type = 42 (call), size = 5, addr = 0x7f59c2d002d3 }
+ * - mem ref info:  { type = 1 (write), size = 8, addr = 0x7ffeacab0ec8 }
+ */
+typedef struct _mem_ref_t {
+    ushort type; /* r(0), w(1), or opcode (assuming 0/1 are invalid opcode) */
+    ushort size; /* mem ref size or instr length */
+    app_pc addr; /* mem ref addr or instr pc */
+} mem_ref_t;
+
+/* Max number of mem_ref a buffer can have. It should be big enough
+ * to hold all entries between clean calls.
+ */
+#define MAX_NUM_MEM_REFS 4096
+/* The maximum size of buffer for holding mem_refs. */
+#define MEM_BUF_SIZE (sizeof(mem_ref_t) * MAX_NUM_MEM_REFS)
+
+/* thread private log file and counter */
+typedef struct {
+    byte *seg_base;
+    mem_ref_t *buf_base;
+    file_t log;
+    FILE *logf;
+    uint64 num_refs;
+
+    reg_t param[SYS_MAX_ARGS];
+    bool repeat;
+} per_thread_t;
+
+/* Allocated TLS slot offsets */
+enum {
+    MEMTRACE_TLS_OFFS_BUF_PTR,
+    MEMTRACE_TLS_COUNT, /* total number of TLS slots allocated */
+};
+
+int tls_idx;
+uint tls_offs;
+
+int num_syscalls;
+
+extern void memtrace(void *drcontext, u64 thread_id);
+extern u32 mem_analyse_init();
+extern void mem_analyse_exit();
+extern void mem_analyse_thread_exit();
+extern u32 mem_analyse_new_thread_init(u64 thread_id);
+extern void wrap_pre_unlock(void *wrapcxt, OUT void **user_data);
+extern void wrap_pre_lock(void *wrapcxt, OUT void **user_data);
+extern void wrap_post_malloc(void *wrapcxt, OUT void **user_data);

include/types.h

@@ -0,0 +1,16 @@
+#include <stdint.h>
+
+typedef uint8_t u8;
+typedef int8_t i8;
+
+typedef uint16_t u16;
+typedef int16_t i16;
+
+typedef uint32_t u32;
+typedef int32_t i32;
+
+typedef uint64_t u64;
+typedef int64_t i64;
+
+typedef intptr_t isize;
+typedef uintptr_t usize;