How to extract the memory access trace of the other direction of a conditional branch?


Acdas Zheng

Dec 2, 2021, 8:02:16 AM
to DynamoRIO Users
How do I extract the memory access trace of the other direction of a conditional branch?
For example, we have a conditional branch:

    if (x < 10) {
        a = array[x];
    }

When x = 50 and the length of array is 100, we want to collect the memory access trace of the other direction of the conditional branch, e.g., the virtual address of array[50]. So how do I write the program code using DynamoRIO? Could somebody show me the code?


Derek Bruening

Dec 2, 2021, 12:58:21 PM
to dynamor...@googlegroups.com
You want to flip the direction of the branch?  Use instr_invert_cbr.


Acdas Zheng

Dec 7, 2021, 4:17:52 AM
to DynamoRIO Users
Actually, I should ensure that the program can run normally. This program may include multiple conditional branches. At every conditional branch, I need to collect the memory access trace of a basic block along the flipped direction of the branch, and after that I need to make the program recover from this flipped direction. However, using instr_invert_cbr directly will trigger an exception and interrupt the program. So what should I do?

Now, to collect the memory access trace of a basic block along the flipped direction of the branch, I insert part of the memtrace_x86.c code (shown below) into the at_not_taken function of cbr.c. (I also upload an attachment for this.)
But the instrumentation results show "saw 0 memory references".

    /* Clean call for the 'not taken' case */
    static void at_not_taken(app_pc src, app_pc fall)
    {
        dr_mcontext_t mcontext = {
            sizeof(mcontext),
            DR_MC_ALL,
        };
        void *drcontext = dr_get_current_drcontext();
        app_pc trans_pc = fall;
        /* Decode the fall-through block into a private instrlist. */
        instrlist_t *trans_bb = decode_as_bb(drcontext, trans_pc);
        instr_t *trans_instr;
        int i;
        for (trans_instr = instrlist_first(trans_bb);
             trans_instr != NULL;
             trans_instr = instr_get_next(trans_instr)) {
            if (instr_reads_memory(trans_instr)) {
                for (i = 0; i < instr_num_srcs(trans_instr); i++) {
                    if (opnd_is_memory_reference(instr_get_src(trans_instr, i))) {
                        /* instrument_mem() from memtrace_x86.c inserts its
                         * recording code into trans_bb only; this private list
                         * is never emitted into the code cache or executed. */
                        instrument_mem(drcontext, trans_bb, trans_instr, i, false);
                    }
                }
            }
            if (instr_writes_memory(trans_instr)) {
                for (i = 0; i < instr_num_dsts(trans_instr); i++) {
                    if (opnd_is_memory_reference(instr_get_dst(trans_instr, i))) {
                        instrument_mem(drcontext, trans_bb, trans_instr, i, true);
                    }
                }
            }
        }
        /* Free the decoded copy; it was only inspected. */
        instrlist_clear_and_destroy(drcontext, trans_bb);
        /*
         * Record the fact that we've seen the not_taken case.
         */
        elem_t *elem = lookup(global_table, src);
        ASSERT(elem != NULL);
        elem->state |= CBR_NOT_TAKEN;

        /* ... rest of at_not_taken as in cbr.c ... */
    }

Attachment: trans_memtrace_x86.c

Derek Bruening

Dec 7, 2021, 6:40:15 PM
to dynamor...@googlegroups.com
Forcing the application through unnatural code paths is not easy.  The DrFuzz tool runs a function in a loop over and over, checkpointing the register state and requiring no critical memory changes.  Running down one branch side and coming back would likely also require checkpointing.  If this is purely to get data for core wrong-path simulation, another approach is forking and just running best-effort as long as you can down the other path.

Acdas Zheng

Dec 7, 2021, 8:55:50 PM
to DynamoRIO Users
Is it feasible to compute the memory reference addresses of unnatural code paths by getting the machine context at every conditional branch?

Derek Bruening

Dec 8, 2021, 5:49:02 PM
to dynamor...@googlegroups.com
On Tue, Dec 7, 2021 at 8:55 PM Acdas Zheng <zhengya...@gmail.com> wrote:
Is it feasible to compute the memory reference addresses of unnatural code paths by getting the machine context at every conditional branch?

If you have an emulator to emulate instead of executing on the hardware.
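As an added example (not from the thread or from DynamoRIO), the following shows where the snapshot approach from the question above ends and emulation begins: it resolves the not-taken block's memory addresses from the register snapshot captured at the branch and flags the ones that depend on a register the wrong-path block itself has already overwritten. In a real client the snapshot would come from dr_get_mcontext() and the operand parts from opnd_get_base()/opnd_get_index()/opnd_get_scale()/opnd_get_disp() (or opnd_compute_address() for the first, unclobbered instructions); here both are constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Register snapshot at the branch (constructed stand-in for dr_get_mcontext()). */
typedef enum { R_NONE = 0, R_RAX, R_RBX, R_RCX, R_RDX, R_RBP, NUM_GPRS } gpr_t;
typedef struct { uint64_t r[NUM_GPRS]; } branch_ctx_t;   /* r[R_NONE] is left 0 */

/* Decoded instruction of the not-taken block: memory operand as
 * base + index*scale + disp (cf. opnd_get_base() etc.) and the GPR it writes. */
typedef struct { bool has_mem; gpr_t base, index; int scale; int64_t disp;
                 gpr_t written; /* R_NONE if no GPR is written */ } wrong_path_instr_t;
/* Address of bb[idx]'s memory operand from the snapshot alone. Fails if there
 * is none, or if base/index was overwritten by an earlier instruction of this
 * wrong-path block: then only emulating the block gives the register's value. */
bool wrong_path_address(const branch_ctx_t *mc, const wrong_path_instr_t *bb,
                        int idx, uint64_t *addr)
{
    bool clobbered[NUM_GPRS] = { false };   /* clobbered[R_NONE] stays false */
    for (int i = 0; i < idx; i++)
        if (bb[i].written != R_NONE) clobbered[bb[i].written] = true;
    const wrong_path_instr_t *in = &bb[idx];
    if (!in->has_mem || clobbered[in->base] || clobbered[in->index])
        return false;
    *addr = (uint64_t)in->disp + mc->r[in->base]
            + mc->r[in->index] * (uint64_t)in->scale;
    return true;
}
/* Constructed fall-through block of the thread's `if (x < 10) a = array[x];`,
 * x in rax, &array[0] in rbx:
 *   0: mov ecx, [rbx+rax*4]   load array[x]  (writes rcx)
 *   1: mov [rbp-8], ecx       store a
 *   2: add rax, 1             x++            (writes rax)
 *   3: mov edx, [rbx+rax*4]   array[x+1]: rax no longer matches the snapshot */
const wrong_path_instr_t demo_bb[4] = {
    { true, R_RBX, R_RAX, 4, 0, R_RCX },   { true, R_RBP, R_NONE, 0, -8, R_NONE },
    { false, R_NONE, R_NONE, 0, 0, R_RAX }, { true, R_RBX, R_RAX, 4, 0, R_RDX },
};

int main(void)
{
    branch_ctx_t mc = { { [R_RAX] = 50, [R_RBX] = 0x600000, [R_RBP] = 0x7ffd0000 } };
    for (int i = 0; i < 4; i++) {
        uint64_t a;
        if (wrong_path_address(&mc, demo_bb, i, &a))
            printf("instr %d: 0x%llx\n", i, (unsigned long long)a);
        else printf("instr %d: not resolvable from the snapshot alone\n", i);
    }
    return 0;
}
```

Instructions 0 and 1 resolve (array[50] and the slot for a); instruction 3 does not, because instruction 2 has already changed rax on the wrong path, which is exactly the case that needs an emulator.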