GET data at memory access instructions without clean call.


小林佑矢
Feb 2, 2017, 11:42:42 PM
to DynamoRIO Users
Hello,

I am writing to ask for your help collecting data at memory access instructions.

Although I have already found one solution in another question, it uses a clean call, which would be slower than inserted instructions.
I am facing a performance issue as well, so that solution is not good for me.

Instead of a clean call, I decided to extend memtrace_x86.c.
The strategy is that when the instruction is a read, we read the content at the accessed address before the instruction executes. When the instruction is a write, we read the content at the address after the instruction executes.
At first I modified instrument_mem() as below and added a data field to the mem_ref_t structure.

static void
instrument_mem(void *drcontext, instrlist_t *ilist, instr_t *where,
               int pos, bool write)
{
    instr_t *instr, *call, *restore, *end = where;
    opnd_t   ref, opnd1, opnd2;
    reg_id_t reg1, reg2, reg3;
    drvector_t allowed;
    app_pc pc;

    /* Steal scratch registers.
     * reg2 must be ECX or RCX for jecxz.
     */
    drreg_init_and_fill_vector(&allowed, false); /* initialize allowed variable */
    drreg_set_vector_entry(&allowed, DR_REG_XCX, true);
    if (drreg_reserve_register(drcontext, ilist, where, &allowed, &reg2) != DRREG_SUCCESS ||
        drreg_reserve_register(drcontext, ilist, where, NULL, &reg1) != DRREG_SUCCESS ||
        drreg_reserve_register(drcontext, ilist, where, NULL, &reg3) != DRREG_SUCCESS) {
        DR_ASSERT(false); /* cannot recover */
        drvector_delete(&allowed);
        return;
    }
    drvector_delete(&allowed);

    ...........

    /* Store size in memory ref */
    opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(mem_ref_t, size));
    /* drutil_opnd_mem_size_in_bytes handles OP_enter */
    opnd2 = OPND_CREATE_INT32(drutil_opnd_mem_size_in_bytes(ref, where));
    instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
    instrlist_meta_preinsert(ilist, where, instr);

    /* Store data to be written/read */
    if (!write) {
        /* load the content at the accessed address (held in reg1) into reg3 */
        opnd1 = opnd_create_reg(reg3);
        opnd2 = OPND_CREATE_MEMPTR(reg1, 0);
        instr = INSTR_CREATE_mov_ld(drcontext, opnd1, opnd2);
        instrlist_meta_preinsert(ilist, where, instr);

        /* copy reg3 into the data field of the record (the insert is
         * left commented out here, as in the post) */
        opnd1 = OPND_CREATE_MEMPTR(reg2, offsetof(mem_ref_t, data));
        opnd2 = opnd_create_reg(reg3);
        instr = INSTR_CREATE_mov_st(drcontext, opnd1, opnd2);
        // instrlist_meta_preinsert(ilist, where, instr);
    }

    .......

    instrlist_meta_preinsert(ilist, where, restore);
    if (drreg_unreserve_register(drcontext, ilist, end, reg1) != DRREG_SUCCESS ||
        drreg_unreserve_register(drcontext, ilist, end, reg2) != DRREG_SUCCESS ||
        drreg_unreserve_register(drcontext, ilist, end, reg3) != DRREG_SUCCESS)
        DR_ASSERT(false);
}



After that modification, I ran the client and got the following output.

kobayashi-y@localhost:~/source/DynamoRIO-Linux-6.2.0-2/samples/bin$ ../../bin64/drrun  -c libmemtrace_x86_text.so -- /bin/ls
Client memtrace is running
Data file /home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/memtrace.ls.16986.0000.log created
Instrumentation results:
  saw 510 memory references

Segmentation fault

To identify when the segmentation fault occurs, I modified event_exit() and got the output below.

static void
event_exit()
{
#ifdef SHOW_RESULTS
    char msg[512];
    int len;
    len = dr_snprintf(msg, sizeof(msg)/sizeof(msg[0]),
                      "Instrumentation results:\n"
                      "  saw %llu memory references\n",
                      num_refs);
    DR_ASSERT(len > 0);
    NULL_TERMINATE_BUFFER(msg);
    DISPLAY_STRING(msg);
#endif /* SHOW_RESULTS */
    code_cache_exit();

    if (!drmgr_unregister_tls_field(tls_index) ||
        !drmgr_unregister_thread_init_event(event_thread_init) ||
        !drmgr_unregister_thread_exit_event(event_thread_exit) ||
        !drmgr_unregister_bb_insertion_event(event_bb_insert) ||
        drreg_exit() != DRREG_SUCCESS)
        DR_ASSERT(false);

    dr_mutex_destroy(mutex);
    drutil_exit();
    drmgr_exit();
#ifdef SHOW_RESULTS
    DISPLAY_STRING(msg); /* added; msg only exists under SHOW_RESULTS */
#endif
}

Data file /home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/memtrace.ls.17217.0000.log created
Instrumentation results:
  saw 510 memory references

Instrumentation results:
  saw 510 memory references

Segmentation fault

Therefore, I found that the segmentation fault occurs inside the drrun process.

Do you know how to modify the memtrace_x86 sample?

Thank you in advance.

小林佑矢
Feb 3, 2017, 2:44:08 AM
to DynamoRIO Users
In addition, the output does not contain the output from the 'ls' command.
So the process is terminated at an earlier stage.

On Friday, February 3, 2017 at 13:42:42 UTC+9, 小林佑矢 wrote:

Derek Bruening
Feb 3, 2017, 5:30:44 PM
to dynamor...@googlegroups.com
A diff vs memtrace_x86.c may be easier to read.  Note that de-referencing app memory can fault and such an instr should have a translation set.

Did you do the standard debugging steps: run -debug, look at the log.  -debug -loglevel 4 will show the precise instruction where the fault happened.

--
You received this message because you are subscribed to the Google Groups "DynamoRIO Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dynamorio-users+unsubscribe@googlegroups.com.
To post to this group, send email to dynamorio-users@googlegroups.com.
Visit this group at https://groups.google.com/group/dynamorio-users.
For more options, visit https://groups.google.com/d/optout.
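The fix Derek is pointing at, written out as an added example (this is editor-supplied code, not code from the thread, from memtrace_x86.c, or from the DynamoRIO project). It assumes the DynamoRIO client headers, an x86-64 build, and a mem_ref_t with an added 64-bit `data` field; it builds only as part of a client, the way the samples do. The helper loads exactly the accessed width (never more, so a 1-byte access at the end of a page cannot fault where the application would not), sets the translation of the load to the app pc so that DR reports a fault at the application instruction instead of aborting with "meta-instr faulted?", and samples reads before and writes after the instruction as the strategy in the first post describes. Two assumptions are spelled out in the comments: that drreg's restore-state handler puts spilled registers back on such a fault, and that the caller keeps the address and record registers live until the instruction the helper returns (memtrace_x86.c reuses reg1 for the TLS pointer right after storing addr, so the capture has to be inserted before that reuse).

```c
/* Added example (not part of the memtrace_x86.c sample): capture the bytes at a
 * memory reference inline, without a clean call, on x86-64. Assumes the
 * DynamoRIO client headers and a mem_ref_t extended with a 64-bit data field. */
#include "dr_api.h"
#include "drreg.h"
#include "drutil.h"
#include <stddef.h>

typedef struct _mem_ref_t {
    bool   write;
    void  *addr;
    size_t size;
    uint64 data;   /* added field: the first bytes at addr, zero-extended */
} mem_ref_t;

/* Load min(size, 8) bytes from [addr_reg] into the 64-bit data_reg, zero-extended.
 * The width never exceeds the app's own access: loading 8 bytes for a 1-byte
 * access at the end of a page would fault where the app does not. */
static instr_t *
create_data_load(void *dc, reg_id_t data_reg, reg_id_t addr_reg, uint size)
{
    reg_id_t r32 = reg_64_to_32(data_reg);
    if (size >= 8)  /* 8 bytes, or the first 8 of a wider SSE/AVX access */
        return INSTR_CREATE_mov_ld(dc, opnd_create_reg(data_reg),
                                   OPND_CREATE_MEM64(addr_reg, 0));
    if (size >= 4)  /* a 32-bit mov zero-extends into the full register */
        return INSTR_CREATE_mov_ld(dc, opnd_create_reg(r32),
                                   OPND_CREATE_MEM32(addr_reg, 0));
    if (size >= 2)
        return INSTR_CREATE_movzx(dc, opnd_create_reg(r32),
                                  OPND_CREATE_MEM16(addr_reg, 0));
    return INSTR_CREATE_movzx(dc, opnd_create_reg(r32),
                              OPND_CREATE_MEM8(addr_reg, 0));
}

/* Insert the capture of the data for memory operand `ref` of app instruction
 * `where`. Contract (assumption): addr_reg holds the effective address as left
 * there by drutil_insert_get_mem_addr, rec_reg points at the mem_ref_t being
 * filled, data_reg is a free scratch register, and all three are drreg-reserved
 * and not reused by the caller until the returned instruction.
 * Reads are sampled before the instruction, writes after it.
 * Returns the instruction before which the caller must unreserve the scratch
 * registers (the sample's `end`): `where` for a pre-sample, the following
 * instruction for a post-sample. */
static instr_t *
insert_data_capture(void *dc, instrlist_t *ilist, instr_t *where, opnd_t ref,
                    bool write, reg_id_t addr_reg, reg_id_t rec_reg, reg_id_t data_reg)
{
    uint size = drutil_opnd_mem_size_in_bytes(ref, where);
    instr_t *next = instr_get_next(where);
    instr_t *load, *store;

    if (size == 0)
        return where;
    /* A post-write sample is only reached on the fall-through path and only
     * valid if the app instruction leaves the scratch registers alone (drreg
     * should not hand out a register `where` uses; checked defensively).
     * Otherwise skip it rather than record garbage. */
    if (write && (next == NULL || instr_is_cti(where) ||
                  instr_uses_reg(where, addr_reg) || instr_uses_reg(where, rec_reg) ||
                  instr_uses_reg(where, data_reg)))
        return where;

    load = create_data_load(dc, data_reg, addr_reg, size);
    /* This meta instruction dereferences application memory and can fault
     * exactly where the app's own access would. Without a translation DR
     * aborts with "meta-instr faulted? must set translation field"; with it,
     * the fault is reported at the app pc. Assumption: drreg's restore-state
     * handler restores the registers it spilled at that point. */
    instr_set_translation(load, instr_get_app_pc(where));

    store = INSTR_CREATE_mov_st(dc, OPND_CREATE_MEMPTR(rec_reg, offsetof(mem_ref_t, data)),
                                opnd_create_reg(data_reg));
    if (write) {
        instrlist_meta_postinsert(ilist, where, load);
        instrlist_meta_postinsert(ilist, load, store);
        return next;
    }
    instrlist_meta_preinsert(ilist, where, load);
    instrlist_meta_preinsert(ilist, where, store);
    return where;
}
```

In instrument_mem() the call would replace the "Store data to be written/read" block, with `end = insert_data_capture(drcontext, ilist, where, ref, write, reg1, reg2, reg3);` so that the three drreg_unreserve_register() calls at the end use the returned point. Note that a post-write sample stored after the buffer-full check in memtrace_x86.c can land in a record that was already flushed, in which case that one data value is simply missing from the log.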

小林佑矢
Feb 6, 2017, 3:34:56 AM
to DynamoRIO Users
Thank you, Derek.

As you mentioned, I think the dereferencing causes the segmentation fault.

I attach the output from drrun with debug options.

$ ../../bin64/drrun -debug -loglevel 4 -c libmemtrace_x86_text.so -- /bin/ls
<log dir=/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/../../bin64/../logs/ls.13147.00000000>
<Starting application /usr/bin/ls (13147)>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/libmemtrace_x86_text.so' 0x00000000720029d0
add-symbol-file '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/lib64/debug/libdynamorio.so' 0x000000007102d808
add-symbol-file '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/ext/lib64/debug/libdrmgr.so' 0x0000000073002980
add-symbol-file '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/ext/lib64/debug/libdrreg.so' 0x0000000078002720
add-symbol-file '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/ext/lib64/debug/libdrutil.so' 0x0000000075001610
add-symbol-file '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/ext/lib64/debug/libdrx.so' 0x0000000077002950
add-symbol-file '/usr/lib64/libc.so.6' 0x00007f6a5bd223b0
add-symbol-file '/usr/lib64/ld-linux-x86-64.so.2' 0x00007f6a5bae0af0
>
<Initial options = -no_dynamic_options -loglevel 4 -client_lib '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/libmemtrace_x86_text.so;0;' -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
Client memtrace is running
Data file /home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/memtrace.ls.13147.0000.log created
<Application /usr/bin/ls (13147) DynamoRIO usage error : meta-instr faulted?  must set translation field and handle fault!>
<Usage error: meta-instr faulted?  must set translation field and handle fault! (/dynamorio_package/core/translate.c, line 720)
version 6.2.0, build 2
-no_dynamic_options -loglevel 4 -client_lib '/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/libmemtrace_x86_text.so;0;' -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2di
0x0000000047665ea0 0x0000000071117d76
0x0000000047665ef0 0x0000000071223a21
0x0000000047665fd0 0x0000000071225b69
0x0000000047666620 0x00000000712260e7
0x0000000047666660 0x000000007120235e
0x00000000476666c0 0x00000000712ebf98
0x00000000476669a0 0x00000000712f069a
0x0000000047666ba0 0x00000000712f3111
0x0000000047666c30 0x00000000712b8992
0x00007ffd6621fbb0 0x00007f6a5c0dbe36
0x0000000000400040 0x0000000000000040
/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/samples/bin/libmemtrace_x86_text.so=0x0000000072000000
/usr/lib64/libc.so.6=0x00007f6a5bd03000
/usr/lib64/ld-linux-x86-64.so.2=0x00007f6a5bae0000
/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/ext/lib64/debug/libdrx.so=0x0000000077000000
/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/ext/lib64/debug/libdrutil.so=0x0000000075000000
/home/kobayashi-y/source/DynamoRIO-Linux-6.2.0-2/ext/lib64/debu>

In addition, I would like to ask you for references or an explanation of the translation field.

Sincerely,
Yuya Kobayashi

On Saturday, February 4, 2017 at 7:30:44 UTC+9, Derek Bruening wrote:

小林佑矢
Feb 6, 2017, 3:50:11 AM
to DynamoRIO Users
Dear Derek,

In addition, I have another question.
Can this `memtrace_x86` trap all memory accesses from qemu-kvm?

I am looking for a way to do that.

Thank you.

On Friday, February 3, 2017 at 13:42:42 UTC+9, 小林佑矢 wrote:

Qin Zhao
Feb 6, 2017, 8:06:59 AM
to dynamor...@googlegroups.com

On Feb 6, 2017 03:50, "小林佑矢" <ky.ep...@gmail.com> wrote:
Dear Derek,

In addition, I have another question.
Can this `memtrace_x86` trap all memory accesses from qemu-kvm?

DR only sees instructions in user mode.

nine ky
Feb 6, 2017, 10:28:41 PM
to DynamoRIO Users
Thank you, Qin.

I will give up on tracing memory accesses in KVM.

On Monday, February 6, 2017 at 22:06:59 UTC+9, qin wrote:

Derek Bruening
Feb 7, 2017, 2:32:28 PM
to dynamor...@googlegroups.com
http://dynamorio.org/docs/API_BT.html#sec_translation

Note that it is the first hit when searching for "dynamorio translation" so it should be easy to find.

See also DR tutorial slides on translation under optional slides at the end.
