i#2297: AARCH64: Implement mbr & cbr instrumentation #7005
Conversation
|
Help is wanted to fix mbr instrumentation: it sometimes receives small integers instead of actual target address, possibly some indices into the basic box cache? |
I assume it has the wrong register or something. There are no such "indices" in in-fragment code. Use the logs https://dynamorio.org/page_logging.html to see where the app's register values goes and which one is passed to the clean call. |
Implement cbr instrumentation for AARCH64, supporting cbz/cbnz/tbz/tbnz/bcond opcodes. Issue: DynamoRIO#2297
Document newly added instruction creation macros for EOR, CSINC and UBFM. Refactor XINST_CREATE_slr_s to use the new macro to create ubfm instruction. Fixes DynamoRIO#2297
jiegec
changed the title
|
Newly enabled count-ctis test is passed. Manually written dynamorio client to leverage cbr/mbr instrumentation also works correctly. |
|
A bug has been found: when |
Fixed in commit e9980ab. With this pull request, we are able to record the control flow transfer (regarding each branch) of a program on AARCH64 correctly. |
|
Please click the re-request review in the upper right when ready (comments resolved and tests green). |
Please do not force-push shared branches. This destroys the history and makes it a lot harder for reviewers! This is documented in several places: https://dynamorio.org/page_contributing.html, https://dynamorio.org/page_code_reviews.html#autotoc_md118. There is now no way to easily see the changes since the last round of reviews. You're forcing the reviewer to start from scratch; throwing away the anchors to all the prior comments; etc. |
I'm sorry for that. It spans too long time for this pull request for me to remember the rules.. |
To test the new cbr instrumentation of AARCH64, add additional branch pc check: dst == src + 0x8, and direction check to count-ctis. Region of interest is marked via nop; nop; add; nop sequence. The triple nops pattern does not work, because it also appears in other places.
|
I've sent you an invite to gain commit access. You can then merge here (need to resolve all the conversations by clicking Resolve first). You can then use branches on this DynamoRIO/dynamorio repository directly rather than a clone. |
Implement mbr & cbr instrumentation for AARCH64, previously only available for X86. For cbr instrumentation, there are three types of conditional branches on AARCH64:
Special care is implemented if the stolen register x28 is used as the operand, to avoid generating incorrect results.
For mbr instrumentation, the target address is placed in the register, which is later passed to the clean call from the user.
Additional instruction creation macros are added for ubfm and csinc instructions. Support for immediate operand is added to the INSTR_CREATE_eor macro. XINST_CREATE_slr_s is updated to use the new INSTR_CREATE_ubfm macro.
Count-ctis test is now enabled due to cbr & mbr instrumentation available on AARCH64. It has been enhanced to validate the direction and target address of conditional branches to validate the instrumentation.
The instrcalls and cbrtrace example clients are enabled as well. They are tested on real AARCH64 hardware. Additionally, a manually crafted dynamorio client can successfully capture the whole control flow transfer history with this pull reuqest.
Fixes: #2297 (only for AARCH64, ARM not yet) and #2919.