1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "fault_handler.h"
18
19 #include <sys/ucontext.h>
20
21 #include "arch/instruction_set.h"
22 #include "art_method.h"
23 #include "base/enums.h"
24 #include "base/hex_dump.h"
25 #include "base/logging.h" // For VLOG.
26 #include "base/macros.h"
27 #include "base/safe_copy.h"
28 #include "runtime_globals.h"
29 #include "thread-current-inl.h"
30
31 #if defined(__APPLE__)
32 #define ucontext __darwin_ucontext
33
34 #if defined(__x86_64__)
35 // 64 bit mac build.
36 #define CTX_ESP uc_mcontext->__ss.__rsp
37 #define CTX_EIP uc_mcontext->__ss.__rip
38 #define CTX_EAX uc_mcontext->__ss.__rax
39 #define CTX_METHOD uc_mcontext->__ss.__rdi
40 #define CTX_RDI uc_mcontext->__ss.__rdi
41 #define CTX_JMP_BUF uc_mcontext->__ss.__rdi
42 #else
43 // 32 bit mac build.
44 #define CTX_ESP uc_mcontext->__ss.__esp
45 #define CTX_EIP uc_mcontext->__ss.__eip
46 #define CTX_EAX uc_mcontext->__ss.__eax
47 #define CTX_METHOD uc_mcontext->__ss.__eax
48 #define CTX_JMP_BUF uc_mcontext->__ss.__eax
49 #endif
50
51 #elif defined(__x86_64__)
52 // 64 bit linux build.
53 #define CTX_ESP uc_mcontext.gregs[REG_RSP]
54 #define CTX_EIP uc_mcontext.gregs[REG_RIP]
55 #define CTX_EAX uc_mcontext.gregs[REG_RAX]
56 #define CTX_METHOD uc_mcontext.gregs[REG_RDI]
57 #define CTX_RDI uc_mcontext.gregs[REG_RDI]
58 #define CTX_JMP_BUF uc_mcontext.gregs[REG_RDI]
59 #else
60 // 32 bit linux build.
61 #define CTX_ESP uc_mcontext.gregs[REG_ESP]
62 #define CTX_EIP uc_mcontext.gregs[REG_EIP]
63 #define CTX_EAX uc_mcontext.gregs[REG_EAX]
64 #define CTX_METHOD uc_mcontext.gregs[REG_EAX]
65 #define CTX_JMP_BUF uc_mcontext.gregs[REG_EAX]
66 #endif
67
68 //
69 // X86 (and X86_64) specific fault handler functions.
70 //
71
72 namespace art {
73
74 extern "C" void art_quick_throw_null_pointer_exception_from_signal();
75 extern "C" void art_quick_throw_stack_overflow();
76 extern "C" void art_quick_test_suspend();
77
78 // Get the size of an instruction in bytes.
79 // Return 0 if the instruction is not handled.
GetInstructionSize(const uint8_t * pc)80 static uint32_t GetInstructionSize(const uint8_t* pc) {
81 // Don't segfault if pc points to garbage.
82 char buf[15]; // x86/x86-64 have a maximum instruction length of 15 bytes.
83 ssize_t bytes = SafeCopy(buf, pc, sizeof(buf));
84
85 if (bytes == 0) {
86 // Nothing was readable.
87 return 0;
88 }
89
90 if (bytes == -1) {
91 // SafeCopy not supported, assume that the entire range is readable.
92 bytes = 16;
93 } else {
94 pc = reinterpret_cast<uint8_t*>(buf);
95 }
96
97 #define INCREMENT_PC() \
98 do { \
99 pc++; \
100 if (pc - startpc > bytes) { \
101 return 0; \
102 } \
103 } while (0)
104
105 #if defined(__x86_64)
106 const bool x86_64 = true;
107 #else
108 const bool x86_64 = false;
109 #endif
110
111 const uint8_t* startpc = pc;
112
113 uint8_t opcode = *pc;
114 INCREMENT_PC();
115 uint8_t modrm;
116 bool has_modrm = false;
117 bool two_byte = false;
118 uint32_t displacement_size = 0;
119 uint32_t immediate_size = 0;
120 bool operand_size_prefix = false;
121
122 // Prefixes.
123 while (true) {
124 bool prefix_present = false;
125 switch (opcode) {
126 // Group 3
127 case 0x66:
128 operand_size_prefix = true;
129 FALLTHROUGH_INTENDED;
130
131 // Group 1
132 case 0xf0:
133 case 0xf2:
134 case 0xf3:
135
136 // Group 2
137 case 0x2e:
138 case 0x36:
139 case 0x3e:
140 case 0x26:
141 case 0x64:
142 case 0x65:
143
144 // Group 4
145 case 0x67:
146 opcode = *pc;
147 INCREMENT_PC();
148 prefix_present = true;
149 break;
150 }
151 if (!prefix_present) {
152 break;
153 }
154 }
155
156 if (x86_64 && opcode >= 0x40 && opcode <= 0x4f) {
157 opcode = *pc;
158 INCREMENT_PC();
159 }
160
161 if (opcode == 0x0f) {
162 // Two byte opcode
163 two_byte = true;
164 opcode = *pc;
165 INCREMENT_PC();
166 }
167
168 bool unhandled_instruction = false;
169
170 if (two_byte) {
171 switch (opcode) {
172 case 0x10: // vmovsd/ss
173 case 0x11: // vmovsd/ss
174 case 0xb6: // movzx
175 case 0xb7:
176 case 0xbe: // movsx
177 case 0xbf:
178 modrm = *pc;
179 INCREMENT_PC();
180 has_modrm = true;
181 break;
182 default:
183 unhandled_instruction = true;
184 break;
185 }
186 } else {
187 switch (opcode) {
188 case 0x88: // mov byte
189 case 0x89: // mov
190 case 0x8b:
191 case 0x38: // cmp with memory.
192 case 0x39:
193 case 0x3a:
194 case 0x3b:
195 case 0x3c:
196 case 0x3d:
197 case 0x85: // test.
198 modrm = *pc;
199 INCREMENT_PC();
200 has_modrm = true;
201 break;
202
203 case 0x80: // group 1, byte immediate.
204 case 0x83:
205 case 0xc6:
206 modrm = *pc;
207 INCREMENT_PC();
208 has_modrm = true;
209 immediate_size = 1;
210 break;
211
212 case 0x81: // group 1, word immediate.
213 case 0xc7: // mov
214 modrm = *pc;
215 INCREMENT_PC();
216 has_modrm = true;
217 immediate_size = operand_size_prefix ? 2 : 4;
218 break;
219
220 case 0xf6:
221 case 0xf7:
222 modrm = *pc;
223 INCREMENT_PC();
224 has_modrm = true;
225 switch ((modrm >> 3) & 7) { // Extract "reg/opcode" from "modr/m".
226 case 0: // test
227 immediate_size = (opcode == 0xf6) ? 1 : (operand_size_prefix ? 2 : 4);
228 break;
229 case 2: // not
230 case 3: // neg
231 case 4: // mul
232 case 5: // imul
233 case 6: // div
234 case 7: // idiv
235 break;
236 default:
237 unhandled_instruction = true;
238 break;
239 }
240 break;
241
242 default:
243 unhandled_instruction = true;
244 break;
245 }
246 }
247
248 if (unhandled_instruction) {
249 VLOG(signals) << "Unhandled x86 instruction with opcode " << static_cast<int>(opcode);
250 return 0;
251 }
252
253 if (has_modrm) {
254 uint8_t mod = (modrm >> 6) & 3U /* 0b11 */;
255
256 // Check for SIB.
257 if (mod != 3U /* 0b11 */ && (modrm & 7U /* 0b111 */) == 4) {
258 INCREMENT_PC(); // SIB
259 }
260
261 switch (mod) {
262 case 0U /* 0b00 */: break;
263 case 1U /* 0b01 */: displacement_size = 1; break;
264 case 2U /* 0b10 */: displacement_size = 4; break;
265 case 3U /* 0b11 */:
266 break;
267 }
268 }
269
270 // Skip displacement and immediate.
271 pc += displacement_size + immediate_size;
272
273 VLOG(signals) << "x86 instruction length calculated as " << (pc - startpc);
274 if (pc - startpc > bytes) {
275 return 0;
276 }
277 return pc - startpc;
278 }
279
GetMethodAndReturnPcAndSp(siginfo_t * siginfo,void * context,ArtMethod ** out_method,uintptr_t * out_return_pc,uintptr_t * out_sp,bool * out_is_stack_overflow)280 void FaultManager::GetMethodAndReturnPcAndSp(siginfo_t* siginfo, void* context,
281 ArtMethod** out_method,
282 uintptr_t* out_return_pc,
283 uintptr_t* out_sp,
284 bool* out_is_stack_overflow) {
285 struct ucontext* uc = reinterpret_cast<struct ucontext*>(context);
286 *out_sp = static_cast<uintptr_t>(uc->CTX_ESP);
287 VLOG(signals) << "sp: " << std::hex << *out_sp;
288 if (*out_sp == 0) {
289 return;
290 }
291
292 // In the case of a stack overflow, the stack is not valid and we can't
293 // get the method from the top of the stack. However it's in EAX(x86)/RDI(x86_64).
294 uintptr_t* fault_addr = reinterpret_cast<uintptr_t*>(siginfo->si_addr);
295 uintptr_t* overflow_addr = reinterpret_cast<uintptr_t*>(
296 #if defined(__x86_64__)
297 reinterpret_cast<uint8_t*>(*out_sp) - GetStackOverflowReservedBytes(InstructionSet::kX86_64));
298 #else
299 reinterpret_cast<uint8_t*>(*out_sp) - GetStackOverflowReservedBytes(InstructionSet::kX86));
300 #endif
301 if (overflow_addr == fault_addr) {
302 *out_method = reinterpret_cast<ArtMethod*>(uc->CTX_METHOD);
303 *out_is_stack_overflow = true;
304 } else {
305 // The method is at the top of the stack.
306 *out_method = *reinterpret_cast<ArtMethod**>(*out_sp);
307 *out_is_stack_overflow = false;
308 }
309
310 uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP);
311 VLOG(signals) << HexDump(pc, 32, true, "PC ");
312
313 if (pc == nullptr) {
314 // Somebody jumped to 0x0. Definitely not ours, and will definitely segfault below.
315 *out_method = nullptr;
316 return;
317 }
318
319 uint32_t instr_size = GetInstructionSize(pc);
320 if (instr_size == 0) {
321 // Unknown instruction, tell caller it's not ours.
322 *out_method = nullptr;
323 return;
324 }
325 *out_return_pc = reinterpret_cast<uintptr_t>(pc + instr_size);
326 }
327
Action(int,siginfo_t * sig,void * context)328 bool NullPointerHandler::Action(int, siginfo_t* sig, void* context) {
329 if (!IsValidImplicitCheck(sig)) {
330 return false;
331 }
332 struct ucontext *uc = reinterpret_cast<struct ucontext*>(context);
333 uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP);
334 uint8_t* sp = reinterpret_cast<uint8_t*>(uc->CTX_ESP);
335
336 uint32_t instr_size = GetInstructionSize(pc);
337 if (instr_size == 0) {
338 // Unknown instruction, can't really happen.
339 return false;
340 }
341
342 // We need to arrange for the signal handler to return to the null pointer
343 // exception generator. The return address must be the address of the
344 // next instruction (this instruction + instruction size). The return address
345 // is on the stack at the top address of the current frame.
346
347 // Push the return address and fault address onto the stack.
348 uintptr_t retaddr = reinterpret_cast<uintptr_t>(pc + instr_size);
349 uintptr_t* next_sp = reinterpret_cast<uintptr_t*>(sp - 2 * sizeof(uintptr_t));
350 next_sp[1] = retaddr;
351 next_sp[0] = reinterpret_cast<uintptr_t>(sig->si_addr);
352 uc->CTX_ESP = reinterpret_cast<uintptr_t>(next_sp);
353
354 uc->CTX_EIP = reinterpret_cast<uintptr_t>(
355 art_quick_throw_null_pointer_exception_from_signal);
356 VLOG(signals) << "Generating null pointer exception";
357 return true;
358 }
359
360 // A suspend check is done using the following instruction sequence:
361 // (x86)
362 // 0xf720f1df: 648B058C000000 mov eax, fs:[0x8c] ; suspend_trigger
363 // .. some intervening instructions.
364 // 0xf720f1e6: 8500 test eax, [eax]
365 // (x86_64)
366 // 0x7f579de45d9e: 65488B0425A8000000 movq rax, gs:[0xa8] ; suspend_trigger
367 // .. some intervening instructions.
368 // 0x7f579de45da7: 8500 test eax, [eax]
369
370 // The offset from fs is Thread::ThreadSuspendTriggerOffset().
371 // To check for a suspend check, we examine the instructions that caused
372 // the fault.
Action(int,siginfo_t *,void * context)373 bool SuspensionHandler::Action(int, siginfo_t*, void* context) {
374 // These are the instructions to check for. The first one is the mov eax, fs:[xxx]
375 // where xxx is the offset of the suspend trigger.
376 uint32_t trigger = Thread::ThreadSuspendTriggerOffset<kRuntimePointerSize>().Int32Value();
377
378 VLOG(signals) << "Checking for suspension point";
379 #if defined(__x86_64__)
380 uint8_t checkinst1[] = {0x65, 0x48, 0x8b, 0x04, 0x25, static_cast<uint8_t>(trigger & 0xff),
381 static_cast<uint8_t>((trigger >> 8) & 0xff), 0, 0};
382 #else
383 uint8_t checkinst1[] = {0x64, 0x8b, 0x05, static_cast<uint8_t>(trigger & 0xff),
384 static_cast<uint8_t>((trigger >> 8) & 0xff), 0, 0};
385 #endif
386 uint8_t checkinst2[] = {0x85, 0x00};
387
388 struct ucontext *uc = reinterpret_cast<struct ucontext*>(context);
389 uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP);
390 uint8_t* sp = reinterpret_cast<uint8_t*>(uc->CTX_ESP);
391
392 if (pc[0] != checkinst2[0] || pc[1] != checkinst2[1]) {
393 // Second instruction is not correct (test eax,[eax]).
394 VLOG(signals) << "Not a suspension point";
395 return false;
396 }
397
398 // The first instruction can a little bit up the stream due to load hoisting
399 // in the compiler.
400 uint8_t* limit = pc - 100; // Compiler will hoist to a max of 20 instructions.
401 uint8_t* ptr = pc - sizeof(checkinst1);
402 bool found = false;
403 while (ptr > limit) {
404 if (memcmp(ptr, checkinst1, sizeof(checkinst1)) == 0) {
405 found = true;
406 break;
407 }
408 ptr -= 1;
409 }
410
411 if (found) {
412 VLOG(signals) << "suspend check match";
413
414 // We need to arrange for the signal handler to return to the null pointer
415 // exception generator. The return address must be the address of the
416 // next instruction (this instruction + 2). The return address
417 // is on the stack at the top address of the current frame.
418
419 // Push the return address onto the stack.
420 uintptr_t retaddr = reinterpret_cast<uintptr_t>(pc + 2);
421 uintptr_t* next_sp = reinterpret_cast<uintptr_t*>(sp - sizeof(uintptr_t));
422 *next_sp = retaddr;
423 uc->CTX_ESP = reinterpret_cast<uintptr_t>(next_sp);
424
425 uc->CTX_EIP = reinterpret_cast<uintptr_t>(art_quick_test_suspend);
426
427 // Now remove the suspend trigger that caused this fault.
428 Thread::Current()->RemoveSuspendTrigger();
429 VLOG(signals) << "removed suspend trigger invoking test suspend";
430 return true;
431 }
432 VLOG(signals) << "Not a suspend check match, first instruction mismatch";
433 return false;
434 }
435
436 // The stack overflow check is done using the following instruction:
437 // test eax, [esp+ -xxx]
438 // where 'xxx' is the size of the overflow area.
439 //
440 // This is done before any frame is established in the method. The return
441 // address for the previous method is on the stack at ESP.
442
Action(int,siginfo_t * info,void * context)443 bool StackOverflowHandler::Action(int, siginfo_t* info, void* context) {
444 struct ucontext *uc = reinterpret_cast<struct ucontext*>(context);
445 uintptr_t sp = static_cast<uintptr_t>(uc->CTX_ESP);
446
447 uintptr_t fault_addr = reinterpret_cast<uintptr_t>(info->si_addr);
448 VLOG(signals) << "fault_addr: " << std::hex << fault_addr;
449 VLOG(signals) << "checking for stack overflow, sp: " << std::hex << sp <<
450 ", fault_addr: " << fault_addr;
451
452 #if defined(__x86_64__)
453 uintptr_t overflow_addr = sp - GetStackOverflowReservedBytes(InstructionSet::kX86_64);
454 #else
455 uintptr_t overflow_addr = sp - GetStackOverflowReservedBytes(InstructionSet::kX86);
456 #endif
457
458 // Check that the fault address is the value expected for a stack overflow.
459 if (fault_addr != overflow_addr) {
460 VLOG(signals) << "Not a stack overflow";
461 return false;
462 }
463
464 VLOG(signals) << "Stack overflow found";
465
466 // Since the compiler puts the implicit overflow
467 // check before the callee save instructions, the SP is already pointing to
468 // the previous frame.
469
470 // Now arrange for the signal handler to return to art_quick_throw_stack_overflow.
471 uc->CTX_EIP = reinterpret_cast<uintptr_t>(art_quick_throw_stack_overflow);
472
473 return true;
474 }
475 } // namespace art
476