]> git.saurik.com Git - apple/xnu.git/blame - bsd/dev/i386/fasttrap_isa.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-1228.3.13.tar.gz
[apple/xnu.git] / bsd / dev / i386 / fasttrap_isa.c
CommitLineData
2d21ac55
A		 1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27/*
28 * #pragma ident "@(#)fasttrap_isa.c 1.23 06/09/19 SMI"
29 */
30
31#ifdef KERNEL
32#ifndef _KERNEL
33#define _KERNEL /* Solaris vs. Darwin */
34#endif
35#endif
36
37#include <sys/fasttrap_isa.h>
38#include <sys/fasttrap_impl.h>
39#include <sys/dtrace.h>
40#include <sys/dtrace_impl.h>
41
42#include "fasttrap_regset.h"
43
44#include <sys/dtrace_ptss.h>
45#include <kern/debug.h>
46
47#define proc_t struct proc
48
49/*
50 * Lossless User-Land Tracing on x86
51 * ---------------------------------
52 *
53 * The execution of most instructions is not dependent on the address; for
54 * these instructions it is sufficient to copy them into the user process's
55 * address space and execute them. To effectively single-step an instruction
56 * in user-land, we copy out the following sequence of instructions to scratch
57 * space in the user thread's ulwp_t structure.
58 *
59 * We then set the program counter (%eip or %rip) to point to this scratch
60 * space. Once execution resumes, the original instruction is executed and
61 * then control flow is redirected to what was originally the subsequent
62 * instruction. If the kernel attemps to deliver a signal while single-
63 * stepping, the signal is deferred and the program counter is moved into the
64 * second sequence of instructions. The second sequence ends in a trap into
65 * the kernel where the deferred signal is then properly handled and delivered.
66 *
67 * For instructions whose execute is position dependent, we perform simple
68 * emulation. These instructions are limited to control transfer
69 * instructions in 32-bit mode, but in 64-bit mode there's the added wrinkle
70 * of %rip-relative addressing that means that almost any instruction can be
71 * position dependent. For all the details on how we emulate generic
72 * instructions included %rip-relative instructions, see the code in
73 * fasttrap_pid_probe() below where we handle instructions of type
74 * FASTTRAP_T_COMMON (under the header: Generic Instruction Tracing).
75 */
76
77#define FASTTRAP_MODRM_MOD(modrm) (((modrm) >> 6) & 0x3)
78#define FASTTRAP_MODRM_REG(modrm) (((modrm) >> 3) & 0x7)
79#define FASTTRAP_MODRM_RM(modrm) ((modrm) & 0x7)
80#define FASTTRAP_MODRM(mod, reg, rm) (((mod) << 6) | ((reg) << 3) | (rm))
81
82#define FASTTRAP_SIB_SCALE(sib) (((sib) >> 6) & 0x3)
83#define FASTTRAP_SIB_INDEX(sib) (((sib) >> 3) & 0x7)
84#define FASTTRAP_SIB_BASE(sib) ((sib) & 0x7)
85
86#define FASTTRAP_REX_W(rex) (((rex) >> 3) & 1)
87#define FASTTRAP_REX_R(rex) (((rex) >> 2) & 1)
88#define FASTTRAP_REX_X(rex) (((rex) >> 1) & 1)
89#define FASTTRAP_REX_B(rex) ((rex) & 1)
90#define FASTTRAP_REX(w, r, x, b) \
91 (0x40 | ((w) << 3) | ((r) << 2) | ((x) << 1) | (b))
92
93/*
94 * Single-byte op-codes.
95 */
96#define FASTTRAP_PUSHL_EBP 0x55
97
98#define FASTTRAP_JO 0x70
99#define FASTTRAP_JNO 0x71
100#define FASTTRAP_JB 0x72
101#define FASTTRAP_JAE 0x73
102#define FASTTRAP_JE 0x74
103#define FASTTRAP_JNE 0x75
104#define FASTTRAP_JBE 0x76
105#define FASTTRAP_JA 0x77
106#define FASTTRAP_JS 0x78
107#define FASTTRAP_JNS 0x79
108#define FASTTRAP_JP 0x7a
109#define FASTTRAP_JNP 0x7b
110#define FASTTRAP_JL 0x7c
111#define FASTTRAP_JGE 0x7d
112#define FASTTRAP_JLE 0x7e
113#define FASTTRAP_JG 0x7f
114
115#define FASTTRAP_NOP 0x90
116
117#define FASTTRAP_MOV_EAX 0xb8
118#define FASTTRAP_MOV_ECX 0xb9
119
120#define FASTTRAP_RET16 0xc2
121#define FASTTRAP_RET 0xc3
122
123#define FASTTRAP_LOOPNZ 0xe0
124#define FASTTRAP_LOOPZ 0xe1
125#define FASTTRAP_LOOP 0xe2
126#define FASTTRAP_JCXZ 0xe3
127
128#define FASTTRAP_CALL 0xe8
129#define FASTTRAP_JMP32 0xe9
130#define FASTTRAP_JMP8 0xeb
131
132#define FASTTRAP_INT3 0xcc
133#define FASTTRAP_INT 0xcd
134#define T_DTRACE_RET 0x7f
135
136#define FASTTRAP_2_BYTE_OP 0x0f
137#define FASTTRAP_GROUP5_OP 0xff
138
139/*
140 * Two-byte op-codes (second byte only).
141 */
142#define FASTTRAP_0F_JO 0x80
143#define FASTTRAP_0F_JNO 0x81
144#define FASTTRAP_0F_JB 0x82
145#define FASTTRAP_0F_JAE 0x83
146#define FASTTRAP_0F_JE 0x84
147#define FASTTRAP_0F_JNE 0x85
148#define FASTTRAP_0F_JBE 0x86
149#define FASTTRAP_0F_JA 0x87
150#define FASTTRAP_0F_JS 0x88
151#define FASTTRAP_0F_JNS 0x89
152#define FASTTRAP_0F_JP 0x8a
153#define FASTTRAP_0F_JNP 0x8b
154#define FASTTRAP_0F_JL 0x8c
155#define FASTTRAP_0F_JGE 0x8d
156#define FASTTRAP_0F_JLE 0x8e
157#define FASTTRAP_0F_JG 0x8f
158
159#define FASTTRAP_EFLAGS_OF 0x800
160#define FASTTRAP_EFLAGS_DF 0x400
161#define FASTTRAP_EFLAGS_SF 0x080
162#define FASTTRAP_EFLAGS_ZF 0x040
163#define FASTTRAP_EFLAGS_AF 0x010
164#define FASTTRAP_EFLAGS_PF 0x004
165#define FASTTRAP_EFLAGS_CF 0x001
166
167/*
168 * Instruction prefixes.
169 */
170#define FASTTRAP_PREFIX_OPERAND 0x66
171#define FASTTRAP_PREFIX_ADDRESS 0x67
172#define FASTTRAP_PREFIX_CS 0x2E
173#define FASTTRAP_PREFIX_DS 0x3E
174#define FASTTRAP_PREFIX_ES 0x26
175#define FASTTRAP_PREFIX_FS 0x64
176#define FASTTRAP_PREFIX_GS 0x65
177#define FASTTRAP_PREFIX_SS 0x36
178#define FASTTRAP_PREFIX_LOCK 0xF0
179#define FASTTRAP_PREFIX_REP 0xF3
180#define FASTTRAP_PREFIX_REPNE 0xF2
181
182#define FASTTRAP_NOREG 0xff
183
184/*
185 * Map between instruction register encodings and the kernel constants which
186 * correspond to indicies into struct regs.
187 */
188
189/*
190 * APPLE NOTE: We are cheating here. The regmap is used to decode which register
191 * a given instruction is trying to reference. OS X does not have extended registers
192 * for 32 bit apps, but the *order* is the same. So for 32 bit state, we will return:
193 *
194 * REG_RAX -> EAX
195 * REG_RCX -> ECX
196 * ...
197 * REG_RDI -> EDI
198 *
199 * The fasttrap_getreg function knows how to make the correct transformation.
200 */
201#if __sol64 || defined(__APPLE__)
202static const uint8_t regmap[16] = {
203 REG_RAX, REG_RCX, REG_RDX, REG_RBX, REG_RSP, REG_RBP, REG_RSI, REG_RDI,
204 REG_R8, REG_R9, REG_R10, REG_R11, REG_R12, REG_R13, REG_R14, REG_R15,
205};
206#else
207static const uint8_t regmap[8] = {
208 EAX, ECX, EDX, EBX, UESP, EBP, ESI, EDI
209};
210#endif
211
212static user_addr_t fasttrap_getreg(x86_saved_state_t *, uint_t);
213
214static uint64_t
215fasttrap_anarg(x86_saved_state_t *regs, int function_entry, int argno)
216{
217 uint64_t value;
218 int shift = function_entry ? 1 : 0;
219
220 x86_saved_state64_t *regs64;
221 x86_saved_state32_t *regs32;
222 unsigned int p_model;
223
224 if (is_saved_state64(regs)) {
225 regs64 = saved_state64(regs);
226 regs32 = NULL;
227 p_model = DATAMODEL_LP64;
228 } else {
229 regs64 = NULL;
230 regs32 = saved_state32(regs);
231 p_model = DATAMODEL_ILP32;
232 }
233
234 if (p_model == DATAMODEL_LP64) {
235 user_addr_t stack;
236
237 /*
238 * In 64-bit mode, the first six arguments are stored in
239 * registers.
240 */
241 if (argno < 6)
242 return ((&regs64->rdi)[argno]);
243
244 stack = regs64->isf.rsp + sizeof(uint64_t) * (argno - 6 + shift);
245 DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
246 value = dtrace_fuword64(stack);
247 DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT | CPU_DTRACE_BADADDR);
248 } else {
249 uint32_t *stack = (uint32_t *)regs32->uesp;
250 DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
251 value = dtrace_fuword32((user_addr_t)(unsigned long)&stack[argno + shift]);
252 DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT | CPU_DTRACE_BADADDR);
253 }
254
255 return (value);
256}
257
258/*ARGSUSED*/
259int
260fasttrap_tracepoint_init(proc_t *p, fasttrap_tracepoint_t *tp, user_addr_t pc,
261 fasttrap_probe_type_t type)
262{
263#pragma unused(type)
264 uint8_t instr[FASTTRAP_MAX_INSTR_SIZE + 10];
265 size_t len = FASTTRAP_MAX_INSTR_SIZE;
266 size_t first = MIN(len, PAGE_SIZE - (pc & PAGE_MASK));
267 uint_t start = 0;
268 size_t size;
269 int rmindex;
270 uint8_t seg, rex = 0;
271 unsigned int p_model = (p->p_flag & P_LP64) ? DATAMODEL_LP64 : DATAMODEL_ILP32;
272
273 /*
274 * Read the instruction at the given address out of the process's
275 * address space. We don't have to worry about a debugger
276 * changing this instruction before we overwrite it with our trap
277 * instruction since P_PR_LOCK is set. Since instructions can span
278 * pages, we potentially read the instruction in two parts. If the
279 * second part fails, we just zero out that part of the instruction.
280 */
281 /*
282 * APPLE NOTE: Of course, we do not have a P_PR_LOCK, so this is racey...
283 */
284 if (uread(p, &instr[0], first, pc) != 0)
285 return (-1);
286 if (len > first &&
287 uread(p, &instr[first], len - first, pc + first) != 0) {
288 bzero(&instr[first], len - first);
289 len = first;
290 }
291
292 /*
293 * If the disassembly fails, then we have a malformed instruction.
294 */
295 if ((size = dtrace_instr_size_isa(instr, p_model, &rmindex)) <= 0)
296 return (-1);
297
298 /*
299 * Make sure the disassembler isn't completely broken.
300 */
301 ASSERT(-1 <= rmindex && rmindex < (int)size);
302
303 /*
304 * If the computed size is greater than the number of bytes read,
305 * then it was a malformed instruction possibly because it fell on a
306 * page boundary and the subsequent page was missing or because of
307 * some malicious user.
308 */
309 if (size > len)
310 return (-1);
311
312 tp->ftt_size = (uint8_t)size;
313 tp->ftt_segment = FASTTRAP_SEG_NONE;
314
315 /*
316 * Find the start of the instruction's opcode by processing any
317 * legacy prefixes.
318 */
319 for (;;) {
320 seg = 0;
321 switch (instr[start]) {
322 case FASTTRAP_PREFIX_SS:
323 seg++;
324 /*FALLTHRU*/
325 case FASTTRAP_PREFIX_GS:
326 seg++;
327 /*FALLTHRU*/
328 case FASTTRAP_PREFIX_FS:
329 seg++;
330 /*FALLTHRU*/
331 case FASTTRAP_PREFIX_ES:
332 seg++;
333 /*FALLTHRU*/
334 case FASTTRAP_PREFIX_DS:
335 seg++;
336 /*FALLTHRU*/
337 case FASTTRAP_PREFIX_CS:
338 seg++;
339 /*FALLTHRU*/
340 case FASTTRAP_PREFIX_OPERAND:
341 case FASTTRAP_PREFIX_ADDRESS:
342 case FASTTRAP_PREFIX_LOCK:
343 case FASTTRAP_PREFIX_REP:
344 case FASTTRAP_PREFIX_REPNE:
345 if (seg != 0) {
346 /*
347 * It's illegal for an instruction to specify
348 * two segment prefixes -- give up on this
349 * illegal instruction.
350 */
351 if (tp->ftt_segment != FASTTRAP_SEG_NONE)
352 return (-1);
353
354 tp->ftt_segment = seg;
355 }
356 start++;
357 continue;
358 }
359 break;
360 }
361
362#if __sol64 || defined(__APPLE__)
363 /*
364 * Identify the REX prefix on 64-bit processes.
365 */
366 if (p_model == DATAMODEL_LP64 && (instr[start] & 0xf0) == 0x40)
367 rex = instr[start++];
368#endif
369
370 /*
371 * Now that we're pretty sure that the instruction is okay, copy the
372 * valid part to the tracepoint.
373 */
374 bcopy(instr, tp->ftt_instr, FASTTRAP_MAX_INSTR_SIZE);
375
376 tp->ftt_type = FASTTRAP_T_COMMON;
377 if (instr[start] == FASTTRAP_2_BYTE_OP) {
378 switch (instr[start + 1]) {
379 case FASTTRAP_0F_JO:
380 case FASTTRAP_0F_JNO:
381 case FASTTRAP_0F_JB:
382 case FASTTRAP_0F_JAE:
383 case FASTTRAP_0F_JE:
384 case FASTTRAP_0F_JNE:
385 case FASTTRAP_0F_JBE:
386 case FASTTRAP_0F_JA:
387 case FASTTRAP_0F_JS:
388 case FASTTRAP_0F_JNS:
389 case FASTTRAP_0F_JP:
390 case FASTTRAP_0F_JNP:
391 case FASTTRAP_0F_JL:
392 case FASTTRAP_0F_JGE:
393 case FASTTRAP_0F_JLE:
394 case FASTTRAP_0F_JG:
395 tp->ftt_type = FASTTRAP_T_JCC;
396 tp->ftt_code = (instr[start + 1] & 0x0f) | FASTTRAP_JO;
397 tp->ftt_dest = pc + tp->ftt_size +
398 *(int32_t *)&instr[start + 2];
399 break;
400 }
401 } else if (instr[start] == FASTTRAP_GROUP5_OP) {
402 uint_t mod = FASTTRAP_MODRM_MOD(instr[start + 1]);
403 uint_t reg = FASTTRAP_MODRM_REG(instr[start + 1]);
404 uint_t rm = FASTTRAP_MODRM_RM(instr[start + 1]);
405
406 if (reg == 2 || reg == 4) {
407 uint_t i, sz;
408
409 if (reg == 2)
410 tp->ftt_type = FASTTRAP_T_CALL;
411 else
412 tp->ftt_type = FASTTRAP_T_JMP;
413
414 if (mod == 3)
415 tp->ftt_code = 2;
416 else
417 tp->ftt_code = 1;
418
419 ASSERT(p_model == DATAMODEL_LP64 || rex == 0);
420
421 /*
422 * See AMD x86-64 Architecture Programmer's Manual
423 * Volume 3, Section 1.2.7, Table 1-12, and
424 * Appendix A.3.1, Table A-15.
425 */
426 if (mod != 3 && rm == 4) {
427 uint8_t sib = instr[start + 2];
428 uint_t index = FASTTRAP_SIB_INDEX(sib);
429 uint_t base = FASTTRAP_SIB_BASE(sib);
430
431 tp->ftt_scale = FASTTRAP_SIB_SCALE(sib);
432
433 tp->ftt_index = (index == 4) ?
434 FASTTRAP_NOREG :
435 regmap[index | (FASTTRAP_REX_X(rex) << 3)];
436 tp->ftt_base = (mod == 0 && base == 5) ?
437 FASTTRAP_NOREG :
438 regmap[base | (FASTTRAP_REX_B(rex) << 3)];
439
440 i = 3;
441 sz = mod == 1 ? 1 : 4;
442 } else {
443 /*
444 * In 64-bit mode, mod == 0 and r/m == 5
445 * denotes %rip-relative addressing; in 32-bit
446 * mode, the base register isn't used. In both
447 * modes, there is a 32-bit operand.
448 */
449 if (mod == 0 && rm == 5) {
450#if __sol64 || defined(__APPLE__)
451 if (p_model == DATAMODEL_LP64)
452 tp->ftt_base = REG_RIP;
453 else
454#endif
455 tp->ftt_base = FASTTRAP_NOREG;
456 sz = 4;
457 } else {
458 uint8_t base = rm |
459 (FASTTRAP_REX_B(rex) << 3);
460
461 tp->ftt_base = regmap[base];
462 sz = mod == 1 ? 1 : mod == 2 ? 4 : 0;
463 }
464 tp->ftt_index = FASTTRAP_NOREG;
465 i = 2;
466 }
467
468 if (sz == 1)
469 tp->ftt_dest = *(int8_t *)&instr[start + i];
470 else if (sz == 4)
471 tp->ftt_dest = *(int32_t *)&instr[start + i];
472 else
473 tp->ftt_dest = 0;
474 }
475 } else {
476 switch (instr[start]) {
477 case FASTTRAP_RET:
478 tp->ftt_type = FASTTRAP_T_RET;
479 break;
480
481 case FASTTRAP_RET16:
482 tp->ftt_type = FASTTRAP_T_RET16;
483 tp->ftt_dest = *(uint16_t *)&instr[start + 1];
484 break;
485
486 case FASTTRAP_JO:
487 case FASTTRAP_JNO:
488 case FASTTRAP_JB:
489 case FASTTRAP_JAE:
490 case FASTTRAP_JE:
491 case FASTTRAP_JNE:
492 case FASTTRAP_JBE:
493 case FASTTRAP_JA:
494 case FASTTRAP_JS:
495 case FASTTRAP_JNS:
496 case FASTTRAP_JP:
497 case FASTTRAP_JNP:
498 case FASTTRAP_JL:
499 case FASTTRAP_JGE:
500 case FASTTRAP_JLE:
501 case FASTTRAP_JG:
502 tp->ftt_type = FASTTRAP_T_JCC;
503 tp->ftt_code = instr[start];
504 tp->ftt_dest = pc + tp->ftt_size +
505 (int8_t)instr[start + 1];
506 break;
507
508 case FASTTRAP_LOOPNZ:
509 case FASTTRAP_LOOPZ:
510 case FASTTRAP_LOOP:
511 tp->ftt_type = FASTTRAP_T_LOOP;
512 tp->ftt_code = instr[start];
513 tp->ftt_dest = pc + tp->ftt_size +
514 (int8_t)instr[start + 1];
515 break;
516
517 case FASTTRAP_JCXZ:
518 tp->ftt_type = FASTTRAP_T_JCXZ;
519 tp->ftt_dest = pc + tp->ftt_size +
520 (int8_t)instr[start + 1];
521 break;
522
523 case FASTTRAP_CALL:
524 tp->ftt_type = FASTTRAP_T_CALL;
525 tp->ftt_dest = pc + tp->ftt_size +
526 *(int32_t *)&instr[start + 1];
527 tp->ftt_code = 0;
528 break;
529
530 case FASTTRAP_JMP32:
531 tp->ftt_type = FASTTRAP_T_JMP;
532 tp->ftt_dest = pc + tp->ftt_size +
533 *(int32_t *)&instr[start + 1];
534 break;
535 case FASTTRAP_JMP8:
536 tp->ftt_type = FASTTRAP_T_JMP;
537 tp->ftt_dest = pc + tp->ftt_size +
538 (int8_t)instr[start + 1];
539 break;
540
541 case FASTTRAP_PUSHL_EBP:
542 if (start == 0)
543 tp->ftt_type = FASTTRAP_T_PUSHL_EBP;
544 break;
545
546 case FASTTRAP_NOP:
547#if __sol64 || defined(__APPLE__)
548 ASSERT(p_model == DATAMODEL_LP64 || rex == 0);
549
550 /*
551 * On sol64 we have to be careful not to confuse a nop
552 * (actually xchgl %eax, %eax) with an instruction using
553 * the same opcode, but that does something different
554 * (e.g. xchgl %r8d, %eax or xcghq %r8, %rax).
555 */
556 if (FASTTRAP_REX_B(rex) == 0)
557#endif
558 tp->ftt_type = FASTTRAP_T_NOP;
559 break;
560
561 case FASTTRAP_INT3:
562 /*
563 * The pid provider shares the int3 trap with debugger
564 * breakpoints so we can't instrument them.
565 */
566 ASSERT(instr[start] == FASTTRAP_INSTR);
567 return (-1);
568
569 case FASTTRAP_INT:
570 /*
571 * Interrupts seem like they could be traced with
572 * no negative implications, but it's possible that
573 * a thread could be redirected by the trap handling
574 * code which would eventually return to the
575 * instruction after the interrupt. If the interrupt
576 * were in our scratch space, the subsequent
577 * instruction might be overwritten before we return.
578 * Accordingly we refuse to instrument any interrupt.
579 */
580 return (-1);
581 }
582 }
583
584#if __sol64 || defined(__APPLE__)
585 if (p_model == DATAMODEL_LP64 && tp->ftt_type == FASTTRAP_T_COMMON) {
586 /*
587 * If the process is 64-bit and the instruction type is still
588 * FASTTRAP_T_COMMON -- meaning we're going to copy it out an
589 * execute it -- we need to watch for %rip-relative
590 * addressing mode. See the portion of fasttrap_pid_probe()
591 * below where we handle tracepoints with type
592 * FASTTRAP_T_COMMON for how we emulate instructions that
593 * employ %rip-relative addressing.
594 */
595 if (rmindex != -1) {
596 uint_t mod = FASTTRAP_MODRM_MOD(instr[rmindex]);
597 uint_t reg = FASTTRAP_MODRM_REG(instr[rmindex]);
598 uint_t rm = FASTTRAP_MODRM_RM(instr[rmindex]);
599
600 ASSERT(rmindex > (int)start);
601
602 if (mod == 0 && rm == 5) {
603 /*
604 * We need to be sure to avoid other
605 * registers used by this instruction. While
606 * the reg field may determine the op code
607 * rather than denoting a register, assuming
608 * that it denotes a register is always safe.
609 * We leave the REX field intact and use
610 * whatever value's there for simplicity.
611 */
612 if (reg != 0) {
613 tp->ftt_ripmode = FASTTRAP_RIP_1 |
614 (FASTTRAP_RIP_X *
615 FASTTRAP_REX_B(rex));
616 rm = 0;
617 } else {
618 tp->ftt_ripmode = FASTTRAP_RIP_2 |
619 (FASTTRAP_RIP_X *
620 FASTTRAP_REX_B(rex));
621 rm = 1;
622 }
623
624 tp->ftt_modrm = tp->ftt_instr[rmindex];
625 tp->ftt_instr[rmindex] =
626 FASTTRAP_MODRM(2, reg, rm);
627 }
628 }
629 }
630#endif
631
632 return (0);
633}
634
635int
636fasttrap_tracepoint_install(proc_t *p, fasttrap_tracepoint_t *tp)
637{
638 fasttrap_instr_t instr = FASTTRAP_INSTR;
639
640 if (uwrite(p, &instr, 1, tp->ftt_pc) != 0)
641 return (-1);
642
643 return (0);
644}
645
646int
647fasttrap_tracepoint_remove(proc_t *p, fasttrap_tracepoint_t *tp)
648{
649 uint8_t instr;
650
651 /*
652 * Distinguish between read or write failures and a changed
653 * instruction.
654 */
655 if (uread(p, &instr, 1, tp->ftt_pc) != 0)
656 return (0);
657 if (instr != FASTTRAP_INSTR)
658 return (0);
659 if (uwrite(p, &tp->ftt_instr[0], 1, tp->ftt_pc) != 0)
660 return (-1);
661
662 return (0);
663}
664
665static void
666fasttrap_return_common(x86_saved_state_t *regs, user_addr_t pc, pid_t pid,
667 user_addr_t new_pc)
668{
669 x86_saved_state64_t *regs64;
670 x86_saved_state32_t *regs32;
671 unsigned int p_model;
672
673 if (is_saved_state64(regs)) {
674 regs64 = saved_state64(regs);
675 regs32 = NULL;
676 p_model = DATAMODEL_LP64;
677 } else {
678 regs64 = NULL;
679 regs32 = saved_state32(regs);
680 p_model = DATAMODEL_ILP32;
681 }
682
683 fasttrap_tracepoint_t *tp;
684 fasttrap_bucket_t *bucket;
685 fasttrap_id_t *id;
686 lck_mtx_t *pid_mtx;
687
688 pid_mtx = &cpu_core[CPU->cpu_id].cpuc_pid_lock;
689 lck_mtx_lock(pid_mtx);
690 bucket = &fasttrap_tpoints.fth_table[FASTTRAP_TPOINTS_INDEX(pid, pc)];
691
692 for (tp = bucket->ftb_data; tp != NULL; tp = tp->ftt_next) {
693 if (pid == tp->ftt_pid && pc == tp->ftt_pc &&
694 !tp->ftt_proc->ftpc_defunct)
695 break;
696 }
697
698 /*
699 * Don't sweat it if we can't find the tracepoint again; unlike
700 * when we're in fasttrap_pid_probe(), finding the tracepoint here
701 * is not essential to the correct execution of the process.
702 */
703 if (tp == NULL) {
704 lck_mtx_unlock(pid_mtx);
705 return;
706 }
707
708 for (id = tp->ftt_retids; id != NULL; id = id->fti_next) {
709 /*
710 * If there's a branch that could act as a return site, we
711 * need to trace it, and check here if the program counter is
712 * external to the function.
713 */
714 if (tp->ftt_type != FASTTRAP_T_RET &&
715 tp->ftt_type != FASTTRAP_T_RET16 &&
716 new_pc - id->fti_probe->ftp_faddr <
717 id->fti_probe->ftp_fsize)
718 continue;
719
720 if (p_model == DATAMODEL_LP64) {
721 dtrace_probe(id->fti_probe->ftp_id,
722 pc - id->fti_probe->ftp_faddr,
723 regs64->rax, regs64->rdx, 0, 0);
724 } else {
725 dtrace_probe(id->fti_probe->ftp_id,
726 pc - id->fti_probe->ftp_faddr,
727 regs32->eax, regs32->edx, 0, 0);
728 }
729 }
730
731 lck_mtx_unlock(pid_mtx);
732}
733
734static void
735fasttrap_sigsegv(proc_t *p, uthread_t t, user_addr_t addr)
736{
737 proc_lock(p);
738
739 /* Set fault address and mark signal */
740 t->uu_code = addr;
741 t->uu_siglist |= sigmask(SIGSEGV);
742
743 /*
744 * XXX These two line may be redundant; if not, then we need
745 * XXX to potentially set the data address in the machine
746 * XXX specific thread state structure to indicate the address.
747 */
748 t->uu_exception = KERN_INVALID_ADDRESS; /* SIGSEGV */
749 t->uu_subcode = 0; /* XXX pad */
750
751 proc_unlock(p);
752
753 /* raise signal */
754 signal_setast(t->uu_context.vc_thread);
755}
756
757static void
758fasttrap_usdt_args64(fasttrap_probe_t *probe, x86_saved_state64_t *regs64, int argc,
759 uint64_t *argv)
760{
761 int i, x, cap = MIN(argc, probe->ftp_nargs);
762 user_addr_t stack = (user_addr_t)regs64->isf.rsp;
763
764 for (i = 0; i < cap; i++) {
765 x = probe->ftp_argmap[i];
766
767 if (x < 6) {
768 /* FIXME! This may be broken, needs testing */
769 argv[i] = (&regs64->rdi)[x];
770 } else {
771 fasttrap_fuword64_noerr(stack + (x * sizeof(uint64_t)), &argv[i]);
772 }
773 }
774
775 for (; i < argc; i++) {
776 argv[i] = 0;
777 }
778}
779
780static void
781fasttrap_usdt_args32(fasttrap_probe_t *probe, x86_saved_state32_t *regs32, int argc,
782 uint32_t *argv)
783{
784 int i, x, cap = MIN(argc, probe->ftp_nargs);
785 uint32_t *stack = (uint32_t *)regs32->uesp;
786
787 for (i = 0; i < cap; i++) {
788 x = probe->ftp_argmap[i];
789
790 fasttrap_fuword32_noerr((user_addr_t)(unsigned long)&stack[x], &argv[i]);
791 }
792
793 for (; i < argc; i++) {
794 argv[i] = 0;
795 }
796}
797
798/*
799 * FIXME!
800 */
801static int
802fasttrap_do_seg(fasttrap_tracepoint_t *tp, x86_saved_state_t *rp, user_addr_t *addr) // 64 bit
803{
804#pragma unused(tp, rp, addr)
805 printf("fasttrap_do_seg() called while unimplemented.\n");
806#if 0
807 proc_t *p = curproc;
808 user_desc_t *desc;
809 uint16_t sel, ndx, type;
810 uintptr_t limit;
811
812 switch (tp->ftt_segment) {
813 case FASTTRAP_SEG_CS:
814 sel = rp->r_cs;
815 break;
816 case FASTTRAP_SEG_DS:
817 sel = rp->r_ds;
818 break;
819 case FASTTRAP_SEG_ES:
820 sel = rp->r_es;
821 break;
822 case FASTTRAP_SEG_FS:
823 sel = rp->r_fs;
824 break;
825 case FASTTRAP_SEG_GS:
826 sel = rp->r_gs;
827 break;
828 case FASTTRAP_SEG_SS:
829 sel = rp->r_ss;
830 break;
831 }
832
833 /*
834 * Make sure the given segment register specifies a user priority
835 * selector rather than a kernel selector.
836 */
837 if (!SELISUPL(sel))
838 return (-1);
839
840 ndx = SELTOIDX(sel);
841
842 /*
843 * Check the bounds and grab the descriptor out of the specified
844 * descriptor table.
845 */
846 if (SELISLDT(sel)) {
847 if (ndx > p->p_ldtlimit)
848 return (-1);
849
850 desc = p->p_ldt + ndx;
851
852 } else {
853 if (ndx >= NGDT)
854 return (-1);
855
856 desc = cpu_get_gdt() + ndx;
857 }
858
859 /*
860 * The descriptor must have user privilege level and it must be
861 * present in memory.
862 */
863 if (desc->usd_dpl != SEL_UPL || desc->usd_p != 1)
864 return (-1);
865
866 type = desc->usd_type;
867
868 /*
869 * If the S bit in the type field is not set, this descriptor can
870 * only be used in system context.
871 */
872 if ((type & 0x10) != 0x10)
873 return (-1);
874
875 limit = USEGD_GETLIMIT(desc) * (desc->usd_gran ? PAGESIZE : 1);
876
877 if (tp->ftt_segment == FASTTRAP_SEG_CS) {
878 /*
879 * The code/data bit and readable bit must both be set.
880 */
881 if ((type & 0xa) != 0xa)
882 return (-1);
883
884 if (*addr > limit)
885 return (-1);
886 } else {
887 /*
888 * The code/data bit must be clear.
889 */
890 if ((type & 0x8) != 0)
891 return (-1);
892
893 /*
894 * If the expand-down bit is clear, we just check the limit as
895 * it would naturally be applied. Otherwise, we need to check
896 * that the address is the range [limit + 1 .. 0xffff] or
897 * [limit + 1 ... 0xffffffff] depending on if the default
898 * operand size bit is set.
899 */
900 if ((type & 0x4) == 0) {
901 if (*addr > limit)
902 return (-1);
903 } else if (desc->usd_def32) {
904 if (*addr < limit + 1 || 0xffff < *addr)
905 return (-1);
906 } else {
907 if (*addr < limit + 1 || 0xffffffff < *addr)
908 return (-1);
909 }
910 }
911
912 *addr += USEGD_GETBASE(desc);
913#endif /* 0 */
914 return (0);
915}
916
917/*
918 * Due to variances between Solaris and xnu, I have split this into a 32 bit and 64 bit
919 * code path. It still takes an x86_saved_state_t* argument, because it must sometimes
920 * call other methods that require a x86_saved_state_t.
921 *
922 * NOTE!!!!
923 *
924 * Any changes made to this method must be echo'd in fasttrap_pid_probe64!
925 *
926 */
927static int
928fasttrap_pid_probe32(x86_saved_state_t *regs)
929{
930 ASSERT(is_saved_state32(regs));
931
932 x86_saved_state32_t *regs32 = saved_state32(regs);
933 user_addr_t pc = regs32->eip - 1;
934 proc_t *p = current_proc();
935 user_addr_t new_pc = 0;
936 fasttrap_bucket_t *bucket;
937 lck_mtx_t *pid_mtx;
938 fasttrap_tracepoint_t *tp, tp_local;
939 pid_t pid;
940 dtrace_icookie_t cookie;
941 uint_t is_enabled = 0;
942
943 uthread_t uthread = (uthread_t)get_bsdthread_info(current_thread());
944
945 /*
946 * It's possible that a user (in a veritable orgy of bad planning)
947 * could redirect this thread's flow of control before it reached the
948 * return probe fasttrap. In this case we need to kill the process
949 * since it's in a unrecoverable state.
950 */
951 if (uthread->t_dtrace_step) {
952 ASSERT(uthread->t_dtrace_on);
953 fasttrap_sigtrap(p, uthread, pc);
954 return (0);
955 }
956
957 /*
958 * Clear all user tracing flags.
959 */
960 uthread->t_dtrace_ft = 0;
961 uthread->t_dtrace_pc = 0;
962 uthread->t_dtrace_npc = 0;
963 uthread->t_dtrace_scrpc = 0;
964 uthread->t_dtrace_astpc = 0;
965
966 /*
967 * Treat a child created by a call to vfork(2) as if it were its
968 * parent. We know that there's only one thread of control in such a
969 * process: this one.
970 */
971 /*
972 * APPLE NOTE: Terry says: "You need to hold the process locks (currently: kernel funnel) for this traversal"
973 * FIXME: How do we assert this?
974 */
975 while (p->p_lflag & P_LINVFORK)
976 p = p->p_pptr;
977
978 pid = p->p_pid;
979 pid_mtx = &cpu_core[CPU->cpu_id].cpuc_pid_lock;
980 lck_mtx_lock(pid_mtx);
981 bucket = &fasttrap_tpoints.fth_table[FASTTRAP_TPOINTS_INDEX(pid, pc)];
982
983 /*
984 * Lookup the tracepoint that the process just hit.
985 */
986 for (tp = bucket->ftb_data; tp != NULL; tp = tp->ftt_next) {
987 if (pid == tp->ftt_pid && pc == tp->ftt_pc &&
988 !tp->ftt_proc->ftpc_defunct)
989 break;
990 }
991
992 /*
993 * If we couldn't find a matching tracepoint, either a tracepoint has
994 * been inserted without using the pid<pid> ioctl interface (see
995 * fasttrap_ioctl), or somehow we have mislaid this tracepoint.
996 */
997 if (tp == NULL) {
998 lck_mtx_unlock(pid_mtx);
999 return (-1);
1000 }
1001
1002 /*
1003 * Set the program counter to the address of the traced instruction
1004 * so that it looks right in ustack() output.
1005 */
1006 regs32->eip = pc;
1007
1008 if (tp->ftt_ids != NULL) {
1009 fasttrap_id_t *id;
1010
1011 uint32_t s0, s1, s2, s3, s4, s5;
1012 uint32_t *stack = (uint32_t *)regs32->uesp;
1013
1014 /*
1015 * In 32-bit mode, all arguments are passed on the
1016 * stack. If this is a function entry probe, we need
1017 * to skip the first entry on the stack as it
1018 * represents the return address rather than a
1019 * parameter to the function.
1020 */
1021 fasttrap_fuword32_noerr((user_addr_t)(unsigned long)&stack[0], &s0);
1022 fasttrap_fuword32_noerr((user_addr_t)(unsigned long)&stack[1], &s1);
1023 fasttrap_fuword32_noerr((user_addr_t)(unsigned long)&stack[2], &s2);
1024 fasttrap_fuword32_noerr((user_addr_t)(unsigned long)&stack[3], &s3);
1025 fasttrap_fuword32_noerr((user_addr_t)(unsigned long)&stack[4], &s4);
1026 fasttrap_fuword32_noerr((user_addr_t)(unsigned long)&stack[5], &s5);
1027
1028 for (id = tp->ftt_ids; id != NULL; id = id->fti_next) {
1029 fasttrap_probe_t *probe = id->fti_probe;
1030
1031 if (id->fti_ptype == DTFTP_ENTRY) {
1032 /*
1033 * We note that this was an entry
1034 * probe to help ustack() find the
1035 * first caller.
1036 */
1037 cookie = dtrace_interrupt_disable();
1038 DTRACE_CPUFLAG_SET(CPU_DTRACE_ENTRY);
1039 dtrace_probe(probe->ftp_id, s1, s2,
1040 s3, s4, s5);
1041 DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_ENTRY);
1042 dtrace_interrupt_enable(cookie);
1043 } else if (id->fti_ptype == DTFTP_IS_ENABLED) {
1044 /*
1045 * Note that in this case, we don't
1046 * call dtrace_probe() since it's only
1047 * an artificial probe meant to change
1048 * the flow of control so that it
1049 * encounters the true probe.
1050 */
1051 is_enabled = 1;
1052 } else if (probe->ftp_argmap == NULL) {
1053 dtrace_probe(probe->ftp_id, s0, s1,
1054 s2, s3, s4);
1055 } else {
1056 uint32_t t[5];
1057
1058 fasttrap_usdt_args32(probe, regs32,
1059 sizeof (t) / sizeof (t[0]), t);
1060
1061 dtrace_probe(probe->ftp_id, t[0], t[1],
1062 t[2], t[3], t[4]);
1063 }
1064
1065 /* APPLE NOTE: Oneshot probes get one and only one chance... */
1066 if (probe->ftp_prov->ftp_provider_type == DTFTP_PROVIDER_ONESHOT) {
1067 fasttrap_tracepoint_remove(p, tp);
1068 }
1069 }
1070 }
1071
1072 /*
1073 * We're about to do a bunch of work so we cache a local copy of
1074 * the tracepoint to emulate the instruction, and then find the
1075 * tracepoint again later if we need to light up any return probes.
1076 */
1077 tp_local = *tp;
1078 lck_mtx_unlock(pid_mtx);
1079 tp = &tp_local;
1080
1081 /*
1082 * Set the program counter to appear as though the traced instruction
1083 * had completely executed. This ensures that fasttrap_getreg() will
1084 * report the expected value for REG_RIP.
1085 */
1086 regs32->eip = pc + tp->ftt_size;
1087
1088 /*
1089 * If there's an is-enabled probe connected to this tracepoint it
1090 * means that there was a 'xorl %eax, %eax' or 'xorq %rax, %rax'
1091 * instruction that was placed there by DTrace when the binary was
1092 * linked. As this probe is, in fact, enabled, we need to stuff 1
1093 * into %eax or %rax. Accordingly, we can bypass all the instruction
1094 * emulation logic since we know the inevitable result. It's possible
1095 * that a user could construct a scenario where the 'is-enabled'
1096 * probe was on some other instruction, but that would be a rather
1097 * exotic way to shoot oneself in the foot.
1098 */
1099 if (is_enabled) {
1100 regs32->eax = 1;
1101 new_pc = regs32->eip;
1102 goto done;
1103 }
1104
1105 /*
1106 * We emulate certain types of instructions to ensure correctness
1107 * (in the case of position dependent instructions) or optimize
1108 * common cases. The rest we have the thread execute back in user-
1109 * land.
1110 */
1111 switch (tp->ftt_type) {
1112 case FASTTRAP_T_RET:
1113 case FASTTRAP_T_RET16:
1114 {
1115 user_addr_t dst;
1116 user_addr_t addr;
1117 int ret;
1118
1119 /*
1120 * We have to emulate _every_ facet of the behavior of a ret
1121 * instruction including what happens if the load from %esp
1122 * fails; in that case, we send a SIGSEGV.
1123 */
1124 uint32_t dst32;
1125 ret = fasttrap_fuword32((user_addr_t)regs32->uesp, &dst32);
1126 dst = dst32;
1127 addr = regs32->uesp + sizeof (uint32_t);
1128
1129 if (ret == -1) {
1130 fasttrap_sigsegv(p, uthread, (user_addr_t)regs32->uesp);
1131 new_pc = pc;
1132 break;
1133 }
1134
1135 if (tp->ftt_type == FASTTRAP_T_RET16)
1136 addr += tp->ftt_dest;
1137
1138 regs32->uesp = addr;
1139 new_pc = dst;
1140 break;
1141 }
1142
1143 case FASTTRAP_T_JCC:
1144 {
1145 uint_t taken;
1146
1147 switch (tp->ftt_code) {
1148 case FASTTRAP_JO:
1149 taken = (regs32->efl & FASTTRAP_EFLAGS_OF) != 0;
1150 break;
1151 case FASTTRAP_JNO:
1152 taken = (regs32->efl & FASTTRAP_EFLAGS_OF) == 0;
1153 break;
1154 case FASTTRAP_JB:
1155 taken = (regs32->efl & FASTTRAP_EFLAGS_CF) != 0;
1156 break;
1157 case FASTTRAP_JAE:
1158 taken = (regs32->efl & FASTTRAP_EFLAGS_CF) == 0;
1159 break;
1160 case FASTTRAP_JE:
1161 taken = (regs32->efl & FASTTRAP_EFLAGS_ZF) != 0;
1162 break;
1163 case FASTTRAP_JNE:
1164 taken = (regs32->efl & FASTTRAP_EFLAGS_ZF) == 0;
1165 break;
1166 case FASTTRAP_JBE:
1167 taken = (regs32->efl & FASTTRAP_EFLAGS_CF) != 0 ||
1168 (regs32->efl & FASTTRAP_EFLAGS_ZF) != 0;
1169 break;
1170 case FASTTRAP_JA:
1171 taken = (regs32->efl & FASTTRAP_EFLAGS_CF) == 0 &&
1172 (regs32->efl & FASTTRAP_EFLAGS_ZF) == 0;
1173 break;
1174 case FASTTRAP_JS:
1175 taken = (regs32->efl & FASTTRAP_EFLAGS_SF) != 0;
1176 break;
1177 case FASTTRAP_JNS:
1178 taken = (regs32->efl & FASTTRAP_EFLAGS_SF) == 0;
1179 break;
1180 case FASTTRAP_JP:
1181 taken = (regs32->efl & FASTTRAP_EFLAGS_PF) != 0;
1182 break;
1183 case FASTTRAP_JNP:
1184 taken = (regs32->efl & FASTTRAP_EFLAGS_PF) == 0;
1185 break;
1186 case FASTTRAP_JL:
1187 taken = ((regs32->efl & FASTTRAP_EFLAGS_SF) == 0) !=
1188 ((regs32->efl & FASTTRAP_EFLAGS_OF) == 0);
1189 break;
1190 case FASTTRAP_JGE:
1191 taken = ((regs32->efl & FASTTRAP_EFLAGS_SF) == 0) ==
1192 ((regs32->efl & FASTTRAP_EFLAGS_OF) == 0);
1193 break;
1194 case FASTTRAP_JLE:
1195 taken = (regs32->efl & FASTTRAP_EFLAGS_ZF) != 0 ||
1196 ((regs32->efl & FASTTRAP_EFLAGS_SF) == 0) !=
1197 ((regs32->efl & FASTTRAP_EFLAGS_OF) == 0);
1198 break;
1199 case FASTTRAP_JG:
1200 taken = (regs32->efl & FASTTRAP_EFLAGS_ZF) == 0 &&
1201 ((regs32->efl & FASTTRAP_EFLAGS_SF) == 0) ==
1202 ((regs32->efl & FASTTRAP_EFLAGS_OF) == 0);
1203 break;
1204 default:
1205 taken = FALSE;
1206 }
1207
1208 if (taken)
1209 new_pc = tp->ftt_dest;
1210 else
1211 new_pc = pc + tp->ftt_size;
1212 break;
1213 }
1214
1215 case FASTTRAP_T_LOOP:
1216 {
1217 uint_t taken;
1218 greg_t cx = regs32->ecx--;
1219
1220 switch (tp->ftt_code) {
1221 case FASTTRAP_LOOPNZ:
1222 taken = (regs32->efl & FASTTRAP_EFLAGS_ZF) == 0 &&
1223 cx != 0;
1224 break;
1225 case FASTTRAP_LOOPZ:
1226 taken = (regs32->efl & FASTTRAP_EFLAGS_ZF) != 0 &&
1227 cx != 0;
1228 break;
1229 case FASTTRAP_LOOP:
1230 taken = (cx != 0);
1231 break;
1232 default:
1233 taken = FALSE;
1234 }
1235
1236 if (taken)
1237 new_pc = tp->ftt_dest;
1238 else
1239 new_pc = pc + tp->ftt_size;
1240 break;
1241 }
1242
1243 case FASTTRAP_T_JCXZ:
1244 {
1245 greg_t cx = regs32->ecx;
1246
1247 if (cx == 0)
1248 new_pc = tp->ftt_dest;
1249 else
1250 new_pc = pc + tp->ftt_size;
1251 break;
1252 }
1253
1254 case FASTTRAP_T_PUSHL_EBP:
1255 {
1256 user_addr_t addr = regs32->uesp - sizeof (uint32_t);
1257 int ret = fasttrap_suword32(addr, (uint32_t)regs32->ebp);
1258
1259 if (ret == -1) {
1260 fasttrap_sigsegv(p, uthread, addr);
1261 new_pc = pc;
1262 break;
1263 }
1264
1265 regs32->uesp = addr;
1266 new_pc = pc + tp->ftt_size;
1267 break;
1268 }
1269
1270 case FASTTRAP_T_NOP:
1271 new_pc = pc + tp->ftt_size;
1272 break;
1273
1274 case FASTTRAP_T_JMP:
1275 case FASTTRAP_T_CALL:
1276 if (tp->ftt_code == 0) {
1277 new_pc = tp->ftt_dest;
1278 } else {
1279 user_addr_t /* value ,*/ addr = tp->ftt_dest;
1280
1281 if (tp->ftt_base != FASTTRAP_NOREG)
1282 addr += fasttrap_getreg(regs, tp->ftt_base);
1283 if (tp->ftt_index != FASTTRAP_NOREG)
1284 addr += fasttrap_getreg(regs, tp->ftt_index) <<
1285 tp->ftt_scale;
1286
1287 if (tp->ftt_code == 1) {
1288 /*
1289 * If there's a segment prefix for this
1290 * instruction, we'll need to check permissions
1291 * and bounds on the given selector, and adjust
1292 * the address accordingly.
1293 */
1294 if (tp->ftt_segment != FASTTRAP_SEG_NONE &&
1295 fasttrap_do_seg(tp, regs, &addr) != 0) {
1296 fasttrap_sigsegv(p, uthread, addr);
1297 new_pc = pc;
1298 break;
1299 }
1300
1301 uint32_t value32;
1302 addr = (user_addr_t)(uint32_t)addr;
1303 if (fasttrap_fuword32(addr, &value32) == -1) {
1304 fasttrap_sigsegv(p, uthread, addr);
1305 new_pc = pc;
1306 break;
1307 }
1308 new_pc = value32;
1309 } else {
1310 new_pc = addr;
1311 }
1312 }
1313
1314 /*
1315 * If this is a call instruction, we need to push the return
1316 * address onto the stack. If this fails, we send the process
1317 * a SIGSEGV and reset the pc to emulate what would happen if
1318 * this instruction weren't traced.
1319 */
1320 if (tp->ftt_type == FASTTRAP_T_CALL) {
1321 user_addr_t addr = regs32->uesp - sizeof (uint32_t);
1322 int ret = fasttrap_suword32(addr, (uint32_t)(pc + tp->ftt_size));
1323
1324 if (ret == -1) {
1325 fasttrap_sigsegv(p, uthread, addr);
1326 new_pc = pc;
1327 break;
1328 }
1329
1330 regs32->uesp = addr;
1331 }
1332 break;
1333
1334 case FASTTRAP_T_COMMON:
1335 {
1336 user_addr_t addr;
1337 uint8_t scratch[2 * FASTTRAP_MAX_INSTR_SIZE + 5 + 2];
1338 uint_t i = 0;
1339
1340 /*
1341 * Generic Instruction Tracing
1342 * ---------------------------
1343 *
1344 * This is the layout of the scratch space in the user-land
1345 * thread structure for our generated instructions.
1346 *
1347 * 32-bit mode bytes
1348 * ------------------------ -----
1349 * a: <original instruction> <= 15
1350 * jmp <pc + tp->ftt_size> 5
1351 * b: <original instrction> <= 15
1352 * int T_DTRACE_RET 2
1353 * -----
1354 * <= 37
1355 *
1356 * 64-bit mode bytes
1357 * ------------------------ -----
1358 * a: <original instruction> <= 15
1359 * jmp 0(%rip) 6
1360 * <pc + tp->ftt_size> 8
1361 * b: <original instruction> <= 15
1362 * int T_DTRACE_RET 2
1363 * -----
1364 * <= 46
1365 *
1366 * The %pc is set to a, and curthread->t_dtrace_astpc is set
1367 * to b. If we encounter a signal on the way out of the
1368 * kernel, trap() will set %pc to curthread->t_dtrace_astpc
1369 * so that we execute the original instruction and re-enter
1370 * the kernel rather than redirecting to the next instruction.
1371 *
1372 * If there are return probes (so we know that we're going to
1373 * need to reenter the kernel after executing the original
1374 * instruction), the scratch space will just contain the
1375 * original instruction followed by an interrupt -- the same
1376 * data as at b.
1377 */
1378
1379 addr = uthread->t_dtrace_scratch->addr;
1380
1381 if (addr == 0LL) {
1382 fasttrap_sigtrap(p, uthread, pc); // Should be killing target proc
1383 new_pc = pc;
1384 break;
1385 }
1386
1387 ASSERT(tp->ftt_size < FASTTRAP_MAX_INSTR_SIZE);
1388
1389 uthread->t_dtrace_scrpc = addr;
1390 bcopy(tp->ftt_instr, &scratch[i], tp->ftt_size);
1391 i += tp->ftt_size;
1392
1393 /*
1394 * Set up the jmp to the next instruction; note that
1395 * the size of the traced instruction cancels out.
1396 */
1397 scratch[i++] = FASTTRAP_JMP32;
1398 *(uint32_t *)&scratch[i] = pc - addr - 5;
1399 i += sizeof (uint32_t);
1400
1401 uthread->t_dtrace_astpc = addr + i;
1402 bcopy(tp->ftt_instr, &scratch[i], tp->ftt_size);
1403 i += tp->ftt_size;
1404 scratch[i++] = FASTTRAP_INT;
1405 scratch[i++] = T_DTRACE_RET;
1406
1407 if (fasttrap_copyout(scratch, addr, i)) {
1408 fasttrap_sigtrap(p, uthread, pc);
1409 new_pc = pc;
1410 break;
1411 }
1412
1413 if (tp->ftt_retids != NULL) {
1414 uthread->t_dtrace_step = 1;
1415 uthread->t_dtrace_ret = 1;
1416 new_pc = uthread->t_dtrace_astpc;
1417 } else {
1418 new_pc = uthread->t_dtrace_scrpc;
1419 }
1420
1421 uthread->t_dtrace_pc = pc;
1422 uthread->t_dtrace_npc = pc + tp->ftt_size;
1423 uthread->t_dtrace_on = 1;
1424 break;
1425 }
1426
1427 default:
1428 panic("fasttrap: mishandled an instruction");
1429 }
1430
1431done:
1432 /*
1433 * APPLE NOTE:
1434 *
1435 * We're setting this earlier than Solaris does, to get a "correct"
1436 * ustack() output. In the Sun code, a() -> b() -> c() -> d() is
1437 * reported at: d, b, a. The new way gives c, b, a, which is closer
1438 * to correct, as the return instruction has already exectued.
1439 */
1440 regs32->eip = new_pc;
1441
1442 /*
1443 * If there were no return probes when we first found the tracepoint,
1444 * we should feel no obligation to honor any return probes that were
1445 * subsequently enabled -- they'll just have to wait until the next
1446 * time around.
1447 */
1448 if (tp->ftt_retids != NULL) {
1449 /*
1450 * We need to wait until the results of the instruction are
1451 * apparent before invoking any return probes. If this
1452 * instruction was emulated we can just call
1453 * fasttrap_return_common(); if it needs to be executed, we
1454 * need to wait until the user thread returns to the kernel.
1455 */
1456 if (tp->ftt_type != FASTTRAP_T_COMMON) {
1457 fasttrap_return_common(regs, pc, pid, new_pc);
1458 } else {
1459 ASSERT(uthread->t_dtrace_ret != 0);
1460 ASSERT(uthread->t_dtrace_pc == pc);
1461 ASSERT(uthread->t_dtrace_scrpc != 0);
1462 ASSERT(new_pc == uthread->t_dtrace_astpc);
1463 }
1464 }
1465
1466 return (0);
1467}
1468
1469/*
1470 * Due to variances between Solaris and xnu, I have split this into a 32 bit and 64 bit
1471 * code path. It still takes an x86_saved_state_t* argument, because it must sometimes
1472 * call other methods that require a x86_saved_state_t.
1473 *
1474 * NOTE!!!!
1475 *
1476 * Any changes made to this method must be echo'd in fasttrap_pid_probe32!
1477 *
1478 */
1479static int
1480fasttrap_pid_probe64(x86_saved_state_t *regs)
1481{
1482 ASSERT(is_saved_state64(regs));
1483
1484 x86_saved_state64_t *regs64 = saved_state64(regs);
1485 user_addr_t pc = regs64->isf.rip - 1;
1486 proc_t *p = current_proc();
1487 user_addr_t new_pc = 0;
1488 fasttrap_bucket_t *bucket;
1489 lck_mtx_t *pid_mtx;
1490 fasttrap_tracepoint_t *tp, tp_local;
1491 pid_t pid;
1492 dtrace_icookie_t cookie;
1493 uint_t is_enabled = 0;
1494
1495 uthread_t uthread = (uthread_t)get_bsdthread_info(current_thread());
1496
1497 /*
1498 * It's possible that a user (in a veritable orgy of bad planning)
1499 * could redirect this thread's flow of control before it reached the
1500 * return probe fasttrap. In this case we need to kill the process
1501 * since it's in a unrecoverable state.
1502 */
1503 if (uthread->t_dtrace_step) {
1504 ASSERT(uthread->t_dtrace_on);
1505 fasttrap_sigtrap(p, uthread, pc);
1506 return (0);
1507 }
1508
1509 /*
1510 * Clear all user tracing flags.
1511 */
1512 uthread->t_dtrace_ft = 0;
1513 uthread->t_dtrace_pc = 0;
1514 uthread->t_dtrace_npc = 0;
1515 uthread->t_dtrace_scrpc = 0;
1516 uthread->t_dtrace_astpc = 0;
1517 uthread->t_dtrace_regv = 0;
1518
1519 /*
1520 * Treat a child created by a call to vfork(2) as if it were its
1521 * parent. We know that there's only one thread of control in such a
1522 * process: this one.
1523 */
1524 /*
1525 * APPLE NOTE: Terry says: "You need to hold the process locks (currently: kernel funnel) for this traversal"
1526 * FIXME: How do we assert this?
1527 */
1528 while (p->p_lflag & P_LINVFORK)
1529 p = p->p_pptr;
1530
1531 pid = p->p_pid;
1532 pid_mtx = &cpu_core[CPU->cpu_id].cpuc_pid_lock;
1533 lck_mtx_lock(pid_mtx);
1534 bucket = &fasttrap_tpoints.fth_table[FASTTRAP_TPOINTS_INDEX(pid, pc)];
1535
1536 /*
1537 * Lookup the tracepoint that the process just hit.
1538 */
1539 for (tp = bucket->ftb_data; tp != NULL; tp = tp->ftt_next) {
1540 if (pid == tp->ftt_pid && pc == tp->ftt_pc &&
1541 !tp->ftt_proc->ftpc_defunct)
1542 break;
1543 }
1544
1545 /*
1546 * If we couldn't find a matching tracepoint, either a tracepoint has
1547 * been inserted without using the pid<pid> ioctl interface (see
1548 * fasttrap_ioctl), or somehow we have mislaid this tracepoint.
1549 */
1550 if (tp == NULL) {
1551 lck_mtx_unlock(pid_mtx);
1552 return (-1);
1553 }
1554
1555 /*
1556 * Set the program counter to the address of the traced instruction
1557 * so that it looks right in ustack() output.
1558 */
1559 regs64->isf.rip = pc;
1560
1561 if (tp->ftt_ids != NULL) {
1562 fasttrap_id_t *id;
1563
1564 for (id = tp->ftt_ids; id != NULL; id = id->fti_next) {
1565 fasttrap_probe_t *probe = id->fti_probe;
1566
1567 if (id->fti_ptype == DTFTP_ENTRY) {
1568 /*
1569 * We note that this was an entry
1570 * probe to help ustack() find the
1571 * first caller.
1572 */
1573 cookie = dtrace_interrupt_disable();
1574 DTRACE_CPUFLAG_SET(CPU_DTRACE_ENTRY);
1575 dtrace_probe(probe->ftp_id, regs64->rdi,
1576 regs64->rsi, regs64->rdx, regs64->rcx,
1577 regs64->r8);
1578 DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_ENTRY);
1579 dtrace_interrupt_enable(cookie);
1580 } else if (id->fti_ptype == DTFTP_IS_ENABLED) {
1581 /*
1582 * Note that in this case, we don't
1583 * call dtrace_probe() since it's only
1584 * an artificial probe meant to change
1585 * the flow of control so that it
1586 * encounters the true probe.
1587 */
1588 is_enabled = 1;
1589 } else if (probe->ftp_argmap == NULL) {
1590 dtrace_probe(probe->ftp_id, regs64->rdi,
1591 regs64->rsi, regs64->rdx, regs64->rcx,
1592 regs64->r8);
1593 } else {
1594 uint64_t t[5];
1595
1596 fasttrap_usdt_args64(probe, regs64,
1597 sizeof (t) / sizeof (t[0]), t);
1598
1599 dtrace_probe(probe->ftp_id, t[0], t[1],
1600 t[2], t[3], t[4]);
1601 }
1602
1603 /* APPLE NOTE: Oneshot probes get one and only one chance... */
1604 if (probe->ftp_prov->ftp_provider_type == DTFTP_PROVIDER_ONESHOT) {
1605 fasttrap_tracepoint_remove(p, tp);
1606 }
1607 }
1608 }
1609
1610 /*
1611 * We're about to do a bunch of work so we cache a local copy of
1612 * the tracepoint to emulate the instruction, and then find the
1613 * tracepoint again later if we need to light up any return probes.
1614 */
1615 tp_local = *tp;
1616 lck_mtx_unlock(pid_mtx);
1617 tp = &tp_local;
1618
1619 /*
1620 * Set the program counter to appear as though the traced instruction
1621 * had completely executed. This ensures that fasttrap_getreg() will
1622 * report the expected value for REG_RIP.
1623 */
1624 regs64->isf.rip = pc + tp->ftt_size;
1625
1626 /*
1627 * If there's an is-enabled probe connected to this tracepoint it
1628 * means that there was a 'xorl %eax, %eax' or 'xorq %rax, %rax'
1629 * instruction that was placed there by DTrace when the binary was
1630 * linked. As this probe is, in fact, enabled, we need to stuff 1
1631 * into %eax or %rax. Accordingly, we can bypass all the instruction
1632 * emulation logic since we know the inevitable result. It's possible
1633 * that a user could construct a scenario where the 'is-enabled'
1634 * probe was on some other instruction, but that would be a rather
1635 * exotic way to shoot oneself in the foot.
1636 */
1637 if (is_enabled) {
1638 regs64->rax = 1;
1639 new_pc = regs64->isf.rip;
1640 goto done;
1641 }
1642
1643 /*
1644 * We emulate certain types of instructions to ensure correctness
1645 * (in the case of position dependent instructions) or optimize
1646 * common cases. The rest we have the thread execute back in user-
1647 * land.
1648 */
1649 switch (tp->ftt_type) {
1650 case FASTTRAP_T_RET:
1651 case FASTTRAP_T_RET16:
1652 {
1653 user_addr_t dst;
1654 user_addr_t addr;
1655 int ret;
1656
1657 /*
1658 * We have to emulate _every_ facet of the behavior of a ret
1659 * instruction including what happens if the load from %esp
1660 * fails; in that case, we send a SIGSEGV.
1661 */
1662 ret = fasttrap_fuword64((user_addr_t)regs64->isf.rsp, &dst);
1663 addr = regs64->isf.rsp + sizeof (uint64_t);
1664
1665 if (ret == -1) {
1666 fasttrap_sigsegv(p, uthread, (user_addr_t)regs64->isf.rsp);
1667 new_pc = pc;
1668 break;
1669 }
1670
1671 if (tp->ftt_type == FASTTRAP_T_RET16)
1672 addr += tp->ftt_dest;
1673
1674 regs64->isf.rsp = addr;
1675 new_pc = dst;
1676 break;
1677 }
1678
1679 case FASTTRAP_T_JCC:
1680 {
1681 uint_t taken;
1682
1683 switch (tp->ftt_code) {
1684 case FASTTRAP_JO:
1685 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_OF) != 0;
1686 break;
1687 case FASTTRAP_JNO:
1688 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_OF) == 0;
1689 break;
1690 case FASTTRAP_JB:
1691 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_CF) != 0;
1692 break;
1693 case FASTTRAP_JAE:
1694 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_CF) == 0;
1695 break;
1696 case FASTTRAP_JE:
1697 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) != 0;
1698 break;
1699 case FASTTRAP_JNE:
1700 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) == 0;
1701 break;
1702 case FASTTRAP_JBE:
1703 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_CF) != 0 ||
1704 (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) != 0;
1705 break;
1706 case FASTTRAP_JA:
1707 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_CF) == 0 &&
1708 (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) == 0;
1709 break;
1710 case FASTTRAP_JS:
1711 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_SF) != 0;
1712 break;
1713 case FASTTRAP_JNS:
1714 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_SF) == 0;
1715 break;
1716 case FASTTRAP_JP:
1717 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_PF) != 0;
1718 break;
1719 case FASTTRAP_JNP:
1720 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_PF) == 0;
1721 break;
1722 case FASTTRAP_JL:
1723 taken = ((regs64->isf.rflags & FASTTRAP_EFLAGS_SF) == 0) !=
1724 ((regs64->isf.rflags & FASTTRAP_EFLAGS_OF) == 0);
1725 break;
1726 case FASTTRAP_JGE:
1727 taken = ((regs64->isf.rflags & FASTTRAP_EFLAGS_SF) == 0) ==
1728 ((regs64->isf.rflags & FASTTRAP_EFLAGS_OF) == 0);
1729 break;
1730 case FASTTRAP_JLE:
1731 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) != 0 ||
1732 ((regs64->isf.rflags & FASTTRAP_EFLAGS_SF) == 0) !=
1733 ((regs64->isf.rflags & FASTTRAP_EFLAGS_OF) == 0);
1734 break;
1735 case FASTTRAP_JG:
1736 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) == 0 &&
1737 ((regs64->isf.rflags & FASTTRAP_EFLAGS_SF) == 0) ==
1738 ((regs64->isf.rflags & FASTTRAP_EFLAGS_OF) == 0);
1739 break;
1740 default:
1741 taken = FALSE;
1742 }
1743
1744 if (taken)
1745 new_pc = tp->ftt_dest;
1746 else
1747 new_pc = pc + tp->ftt_size;
1748 break;
1749 }
1750
1751 case FASTTRAP_T_LOOP:
1752 {
1753 uint_t taken;
1754 uint64_t cx = regs64->rcx--;
1755
1756 switch (tp->ftt_code) {
1757 case FASTTRAP_LOOPNZ:
1758 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) == 0 &&
1759 cx != 0;
1760 break;
1761 case FASTTRAP_LOOPZ:
1762 taken = (regs64->isf.rflags & FASTTRAP_EFLAGS_ZF) != 0 &&
1763 cx != 0;
1764 break;
1765 case FASTTRAP_LOOP:
1766 taken = (cx != 0);
1767 break;
1768 default:
1769 taken = FALSE;
1770 }
1771
1772 if (taken)
1773 new_pc = tp->ftt_dest;
1774 else
1775 new_pc = pc + tp->ftt_size;
1776 break;
1777 }
1778
1779 case FASTTRAP_T_JCXZ:
1780 {
1781 uint64_t cx = regs64->rcx;
1782
1783 if (cx == 0)
1784 new_pc = tp->ftt_dest;
1785 else
1786 new_pc = pc + tp->ftt_size;
1787 break;
1788 }
1789
1790 case FASTTRAP_T_PUSHL_EBP:
1791 {
1792 user_addr_t addr = regs64->isf.rsp - sizeof (uint64_t);
1793 int ret = fasttrap_suword64(addr, (uint64_t)regs64->rbp);
1794
1795 if (ret == -1) {
1796 fasttrap_sigsegv(p, uthread, addr);
1797 new_pc = pc;
1798 break;
1799 }
1800
1801 regs64->isf.rsp = addr;
1802 new_pc = pc + tp->ftt_size;
1803 break;
1804 }
1805
1806 case FASTTRAP_T_NOP:
1807 new_pc = pc + tp->ftt_size;
1808 break;
1809
1810 case FASTTRAP_T_JMP:
1811 case FASTTRAP_T_CALL:
1812 if (tp->ftt_code == 0) {
1813 new_pc = tp->ftt_dest;
1814 } else {
1815 user_addr_t value, addr = tp->ftt_dest;
1816
1817 if (tp->ftt_base != FASTTRAP_NOREG)
1818 addr += fasttrap_getreg(regs, tp->ftt_base);
1819 if (tp->ftt_index != FASTTRAP_NOREG)
1820 addr += fasttrap_getreg(regs, tp->ftt_index) <<
1821 tp->ftt_scale;
1822
1823 if (tp->ftt_code == 1) {
1824 /*
1825 * If there's a segment prefix for this
1826 * instruction, we'll need to check permissions
1827 * and bounds on the given selector, and adjust
1828 * the address accordingly.
1829 */
1830 if (tp->ftt_segment != FASTTRAP_SEG_NONE &&
1831 fasttrap_do_seg(tp, regs, &addr) != 0) {
1832 fasttrap_sigsegv(p, uthread, addr);
1833 new_pc = pc;
1834 break;
1835 }
1836
1837 if (fasttrap_fuword64(addr, &value) == -1) {
1838 fasttrap_sigsegv(p, uthread, addr);
1839 new_pc = pc;
1840 break;
1841 }
1842 new_pc = value;
1843 } else {
1844 new_pc = addr;
1845 }
1846 }
1847
1848 /*
1849 * If this is a call instruction, we need to push the return
1850 * address onto the stack. If this fails, we send the process
1851 * a SIGSEGV and reset the pc to emulate what would happen if
1852 * this instruction weren't traced.
1853 */
1854 if (tp->ftt_type == FASTTRAP_T_CALL) {
1855 user_addr_t addr = regs64->isf.rsp - sizeof (uint64_t);
1856 int ret = fasttrap_suword64(addr, pc + tp->ftt_size);
1857
1858 if (ret == -1) {
1859 fasttrap_sigsegv(p, uthread, addr);
1860 new_pc = pc;
1861 break;
1862 }
1863
1864 regs64->isf.rsp = addr;
1865 }
1866 break;
1867
1868 case FASTTRAP_T_COMMON:
1869 {
1870 user_addr_t addr;
1871 uint8_t scratch[2 * FASTTRAP_MAX_INSTR_SIZE + 5 + 2];
1872 uint_t i = 0;
1873
1874 /*
1875 * Generic Instruction Tracing
1876 * ---------------------------
1877 *
1878 * This is the layout of the scratch space in the user-land
1879 * thread structure for our generated instructions.
1880 *
1881 * 32-bit mode bytes
1882 * ------------------------ -----
1883 * a: <original instruction> <= 15
1884 * jmp <pc + tp->ftt_size> 5
1885 * b: <original instrction> <= 15
1886 * int T_DTRACE_RET 2
1887 * -----
1888 * <= 37
1889 *
1890 * 64-bit mode bytes
1891 * ------------------------ -----
1892 * a: <original instruction> <= 15
1893 * jmp 0(%rip) 6
1894 * <pc + tp->ftt_size> 8
1895 * b: <original instruction> <= 15
1896 * int T_DTRACE_RET 2
1897 * -----
1898 * <= 46
1899 *
1900 * The %pc is set to a, and curthread->t_dtrace_astpc is set
1901 * to b. If we encounter a signal on the way out of the
1902 * kernel, trap() will set %pc to curthread->t_dtrace_astpc
1903 * so that we execute the original instruction and re-enter
1904 * the kernel rather than redirecting to the next instruction.
1905 *
1906 * If there are return probes (so we know that we're going to
1907 * need to reenter the kernel after executing the original
1908 * instruction), the scratch space will just contain the
1909 * original instruction followed by an interrupt -- the same
1910 * data as at b.
1911 *
1912 * %rip-relative Addressing
1913 * ------------------------
1914 *
1915 * There's a further complication in 64-bit mode due to %rip-
1916 * relative addressing. While this is clearly a beneficial
1917 * architectural decision for position independent code, it's
1918 * hard not to see it as a personal attack against the pid
1919 * provider since before there was a relatively small set of
1920 * instructions to emulate; with %rip-relative addressing,
1921 * almost every instruction can potentially depend on the
1922 * address at which it's executed. Rather than emulating
1923 * the broad spectrum of instructions that can now be
1924 * position dependent, we emulate jumps and others as in
1925 * 32-bit mode, and take a different tack for instructions
1926 * using %rip-relative addressing.
1927 *
1928 * For every instruction that uses the ModRM byte, the
1929 * in-kernel disassembler reports its location. We use the
1930 * ModRM byte to identify that an instruction uses
1931 * %rip-relative addressing and to see what other registers
1932 * the instruction uses. To emulate those instructions,
1933 * we modify the instruction to be %rax-relative rather than
1934 * %rip-relative (or %rcx-relative if the instruction uses
1935 * %rax; or %r8- or %r9-relative if the REX.B is present so
1936 * we don't have to rewrite the REX prefix). We then load
1937 * the value that %rip would have been into the scratch
1938 * register and generate an instruction to reset the scratch
1939 * register back to its original value. The instruction
1940 * sequence looks like this:
1941 *
1942 * 64-mode %rip-relative bytes
1943 * ------------------------ -----
1944 * a: <modified instruction> <= 15
1945 * movq $<value>, %<scratch> 6
1946 * jmp 0(%rip) 6
1947 * <pc + tp->ftt_size> 8
1948 * b: <modified instruction> <= 15
1949 * int T_DTRACE_RET 2
1950 * -----
1951 * 52
1952 *
1953 * We set curthread->t_dtrace_regv so that upon receiving
1954 * a signal we can reset the value of the scratch register.
1955 */
1956
1957 addr = uthread->t_dtrace_scratch->addr;
1958
1959 if (addr == 0LL) {
1960 fasttrap_sigtrap(p, uthread, pc); // Should be killing target proc
1961 new_pc = pc;
1962 break;
1963 }
1964
1965 ASSERT(tp->ftt_size < FASTTRAP_MAX_INSTR_SIZE);
1966
1967 uthread->t_dtrace_scrpc = addr;
1968 bcopy(tp->ftt_instr, &scratch[i], tp->ftt_size);
1969 i += tp->ftt_size;
1970
1971 if (tp->ftt_ripmode != 0) {
1972 uint64_t* reg;
1973
1974 ASSERT(tp->ftt_ripmode &
1975 (FASTTRAP_RIP_1 | FASTTRAP_RIP_2));
1976
1977 /*
1978 * If this was a %rip-relative instruction, we change
1979 * it to be either a %rax- or %rcx-relative
1980 * instruction (depending on whether those registers
1981 * are used as another operand; or %r8- or %r9-
1982 * relative depending on the value of REX.B). We then
1983 * set that register and generate a movq instruction
1984 * to reset the value.
1985 */
1986 if (tp->ftt_ripmode & FASTTRAP_RIP_X)
1987 scratch[i++] = FASTTRAP_REX(1, 0, 0, 1);
1988 else
1989 scratch[i++] = FASTTRAP_REX(1, 0, 0, 0);
1990
1991 if (tp->ftt_ripmode & FASTTRAP_RIP_1)
1992 scratch[i++] = FASTTRAP_MOV_EAX;
1993 else
1994 scratch[i++] = FASTTRAP_MOV_ECX;
1995
1996 switch (tp->ftt_ripmode) {
1997 case FASTTRAP_RIP_1:
1998 reg = &regs64->rax;
1999 uthread->t_dtrace_reg = REG_RAX;
2000 break;
2001 case FASTTRAP_RIP_2:
2002 reg = &regs64->rcx;
2003 uthread->t_dtrace_reg = REG_RCX;
2004 break;
2005 case FASTTRAP_RIP_1 | FASTTRAP_RIP_X:
2006 reg = &regs64->r8;
2007 uthread->t_dtrace_reg = REG_R8;
2008 break;
2009 case FASTTRAP_RIP_2 | FASTTRAP_RIP_X:
2010 reg = &regs64->r9;
2011 uthread->t_dtrace_reg = REG_R9;
2012 break;
2013 default:
2014 reg = NULL;
2015 panic("unhandled ripmode in fasttrap_pid_probe64");
2016 }
2017
2018 *(uint64_t *)&scratch[i] = *reg;
2019 uthread->t_dtrace_regv = *reg;
2020 *reg = pc + tp->ftt_size;
2021 i += sizeof (uint64_t);
2022 }
2023
2024 /*
2025 * Generate the branch instruction to what would have
2026 * normally been the subsequent instruction. In 32-bit mode,
2027 * this is just a relative branch; in 64-bit mode this is a
2028 * %rip-relative branch that loads the 64-bit pc value
2029 * immediately after the jmp instruction.
2030 */
2031 scratch[i++] = FASTTRAP_GROUP5_OP;
2032 scratch[i++] = FASTTRAP_MODRM(0, 4, 5);
2033 *(uint32_t *)&scratch[i] = 0;
2034 i += sizeof (uint32_t);
2035 *(uint64_t *)&scratch[i] = pc + tp->ftt_size;
2036 i += sizeof (uint64_t);
2037
2038 uthread->t_dtrace_astpc = addr + i;
2039 bcopy(tp->ftt_instr, &scratch[i], tp->ftt_size);
2040 i += tp->ftt_size;
2041 scratch[i++] = FASTTRAP_INT;
2042 scratch[i++] = T_DTRACE_RET;
2043
2044 if (fasttrap_copyout(scratch, addr, i)) {
2045 fasttrap_sigtrap(p, uthread, pc);
2046 new_pc = pc;
2047 break;
2048 }
2049
2050 if (tp->ftt_retids != NULL) {
2051 uthread->t_dtrace_step = 1;
2052 uthread->t_dtrace_ret = 1;
2053 new_pc = uthread->t_dtrace_astpc;
2054 } else {
2055 new_pc = uthread->t_dtrace_scrpc;
2056 }
2057
2058 uthread->t_dtrace_pc = pc;
2059 uthread->t_dtrace_npc = pc + tp->ftt_size;
2060 uthread->t_dtrace_on = 1;
2061 break;
2062 }
2063
2064 default:
2065 panic("fasttrap: mishandled an instruction");
2066 }
2067
2068done:
2069 /*
2070 * APPLE NOTE:
2071 *
2072 * We're setting this earlier than Solaris does, to get a "correct"
2073 * ustack() output. In the Sun code, a() -> b() -> c() -> d() is
2074 * reported at: d, b, a. The new way gives c, b, a, which is closer
2075 * to correct, as the return instruction has already exectued.
2076 */
2077 regs64->isf.rip = new_pc;
2078
2079
2080 /*
2081 * If there were no return probes when we first found the tracepoint,
2082 * we should feel no obligation to honor any return probes that were
2083 * subsequently enabled -- they'll just have to wait until the next
2084 * time around.
2085 */
2086 if (tp->ftt_retids != NULL) {
2087 /*
2088 * We need to wait until the results of the instruction are
2089 * apparent before invoking any return probes. If this
2090 * instruction was emulated we can just call
2091 * fasttrap_return_common(); if it needs to be executed, we
2092 * need to wait until the user thread returns to the kernel.
2093 */
2094 if (tp->ftt_type != FASTTRAP_T_COMMON) {
2095 fasttrap_return_common(regs, pc, pid, new_pc);
2096 } else {
2097 ASSERT(uthread->t_dtrace_ret != 0);
2098 ASSERT(uthread->t_dtrace_pc == pc);
2099 ASSERT(uthread->t_dtrace_scrpc != 0);
2100 ASSERT(new_pc == uthread->t_dtrace_astpc);
2101 }
2102 }
2103
2104 return (0);
2105}
2106
2107int
2108fasttrap_pid_probe(x86_saved_state_t *regs)
2109{
2110 if (is_saved_state64(regs))
2111 return fasttrap_pid_probe64(regs);
2112
2113 return fasttrap_pid_probe32(regs);
2114}
2115
2116int
2117fasttrap_return_probe(x86_saved_state_t *regs)
2118{
2119 x86_saved_state64_t *regs64;
2120 x86_saved_state32_t *regs32;
2121 unsigned int p_model;
2122
2123 if (is_saved_state64(regs)) {
2124 regs64 = saved_state64(regs);
2125 regs32 = NULL;
2126 p_model = DATAMODEL_LP64;
2127 } else {
2128 regs64 = NULL;
2129 regs32 = saved_state32(regs);
2130 p_model = DATAMODEL_ILP32;
2131 }
2132
2133 proc_t *p = current_proc();
2134 uthread_t uthread = (uthread_t)get_bsdthread_info(current_thread());
2135 user_addr_t pc = uthread->t_dtrace_pc;
2136 user_addr_t npc = uthread->t_dtrace_npc;
2137
2138 uthread->t_dtrace_pc = 0;
2139 uthread->t_dtrace_npc = 0;
2140 uthread->t_dtrace_scrpc = 0;
2141 uthread->t_dtrace_astpc = 0;
2142
2143 /*
2144 * Treat a child created by a call to vfork(2) as if it were its
2145 * parent. We know that there's only one thread of control in such a
2146 * process: this one.
2147 */
2148 /*
2149 * APPLE NOTE: Terry says: "You need to hold the process locks (currently: kernel funnel) for this traversal"
2150 * How do we assert this?
2151 */
2152 while (p->p_lflag & P_LINVFORK) {
2153 p = p->p_pptr;
2154 }
2155
2156 /*
2157 * We set rp->r_pc to the address of the traced instruction so
2158 * that it appears to dtrace_probe() that we're on the original
2159 * instruction, and so that the user can't easily detect our
2160 * complex web of lies. dtrace_return_probe() (our caller)
2161 * will correctly set %pc after we return.
2162 */
2163 if (p_model == DATAMODEL_LP64)
2164 regs64->isf.rip = pc;
2165 else
2166 regs32->eip = pc;
2167
2168 fasttrap_return_common(regs, pc, p->p_pid, npc);
2169
2170 return (0);
2171}
2172
2173uint64_t
2174fasttrap_pid_getarg(void *arg, dtrace_id_t id, void *parg, int argno,
2175 int aframes)
2176{
2177#pragma unused(arg, id, parg, aframes)
2178 return (fasttrap_anarg((x86_saved_state_t *)find_user_regs(current_thread()), 1, argno));
2179}
2180
2181uint64_t
2182fasttrap_usdt_getarg(void *arg, dtrace_id_t id, void *parg, int argno,
2183 int aframes)
2184{
2185#pragma unused(arg, id, parg, aframes)
2186 return (fasttrap_anarg((x86_saved_state_t *)find_user_regs(current_thread()), 0, argno));
2187}
2188
2189/*
2190 * APPLE NOTE: See comments by regmap array definition. We are cheating
2191 * when returning 32 bit registers.
2192 */
2193static user_addr_t
2194fasttrap_getreg(x86_saved_state_t *regs, uint_t reg)
2195{
2196 if (is_saved_state64(regs)) {
2197 x86_saved_state64_t *regs64 = saved_state64(regs);
2198
2199 switch (reg) {
2200 case REG_RAX: return regs64->rax;
2201 case REG_RCX: return regs64->rcx;
2202 case REG_RDX: return regs64->rdx;
2203 case REG_RBX: return regs64->rbx;
2204 case REG_RSP: return regs64->isf.rsp;
2205 case REG_RBP: return regs64->rbp;
2206 case REG_RSI: return regs64->rsi;
2207 case REG_RDI: return regs64->rdi;
2208 case REG_R8: return regs64->r8;
2209 case REG_R9: return regs64->r9;
2210 case REG_R10: return regs64->r10;
2211 case REG_R11: return regs64->r11;
2212 case REG_R12: return regs64->r12;
2213 case REG_R13: return regs64->r13;
2214 case REG_R14: return regs64->r14;
2215 case REG_R15: return regs64->r15;
2216 }
2217
2218 panic("dtrace: unhandled x86_64 getreg() constant");
2219 } else {
2220 x86_saved_state32_t *regs32 = saved_state32(regs);
2221
2222 switch (reg) {
2223 case REG_RAX: return regs32->eax;
2224 case REG_RCX: return regs32->ecx;
2225 case REG_RDX: return regs32->edx;
2226 case REG_RBX: return regs32->ebx;
2227 case REG_RSP: return regs32->uesp;
2228 case REG_RBP: return regs32->ebp;
2229 case REG_RSI: return regs32->esi;
2230 case REG_RDI: return regs32->edi;
2231 }
2232
2233 panic("dtrace: unhandled i386 getreg() constant");
2234 }
2235
2236 return 0;
2237}
mirror of XNU