1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "slicer/instrumentation.h"
18 #include "slicer/dex_ir_builder.h"
19
20 namespace slicer {
21
22 namespace {
23
24 struct BytecodeConvertingVisitor : public lir::Visitor {
25 lir::Bytecode* out = nullptr;
Visitslicer::__anon9dc31ed30111::BytecodeConvertingVisitor26 bool Visit(lir::Bytecode* bytecode) {
27 out = bytecode;
28 return true;
29 }
30 };
31
BoxValue(lir::Bytecode * bytecode,lir::CodeIr * code_ir,ir::Type * type,dex::u4 src_reg,dex::u4 dst_reg)32 void BoxValue(lir::Bytecode* bytecode,
33 lir::CodeIr* code_ir,
34 ir::Type* type,
35 dex::u4 src_reg,
36 dex::u4 dst_reg) {
37 bool is_wide = false;
38 const char* boxed_type_name = nullptr;
39 switch (*(type->descriptor)->c_str()) {
40 case 'Z':
41 boxed_type_name = "Ljava/lang/Boolean;";
42 break;
43 case 'B':
44 boxed_type_name = "Ljava/lang/Byte;";
45 break;
46 case 'C':
47 boxed_type_name = "Ljava/lang/Character;";
48 break;
49 case 'S':
50 boxed_type_name = "Ljava/lang/Short;";
51 break;
52 case 'I':
53 boxed_type_name = "Ljava/lang/Integer;";
54 break;
55 case 'J':
56 is_wide = true;
57 boxed_type_name = "Ljava/lang/Long;";
58 break;
59 case 'F':
60 boxed_type_name = "Ljava/lang/Float;";
61 break;
62 case 'D':
63 is_wide = true;
64 boxed_type_name = "Ljava/lang/Double;";
65 break;
66 }
67 SLICER_CHECK(boxed_type_name != nullptr);
68
69 ir::Builder builder(code_ir->dex_ir);
70 std::vector<ir::Type*> param_types;
71 param_types.push_back(type);
72
73 auto boxed_type = builder.GetType(boxed_type_name);
74 auto ir_proto = builder.GetProto(boxed_type, builder.GetTypeList(param_types));
75
76 auto ir_method_decl = builder.GetMethodDecl(
77 builder.GetAsciiString("valueOf"), ir_proto, boxed_type);
78
79 auto boxing_method = code_ir->Alloc<lir::Method>(ir_method_decl, ir_method_decl->orig_index);
80
81 auto args = code_ir->Alloc<lir::VRegRange>(src_reg, 1 + is_wide);
82 auto boxing_invoke = code_ir->Alloc<lir::Bytecode>();
83 boxing_invoke->opcode = dex::OP_INVOKE_STATIC_RANGE;
84 boxing_invoke->operands.push_back(args);
85 boxing_invoke->operands.push_back(boxing_method);
86 code_ir->instructions.InsertBefore(bytecode, boxing_invoke);
87
88 auto move_result = code_ir->Alloc<lir::Bytecode>();
89 move_result->opcode = dex::OP_MOVE_RESULT_OBJECT;
90 move_result->operands.push_back(code_ir->Alloc<lir::VReg>(dst_reg));
91 code_ir->instructions.InsertBefore(bytecode, move_result);
92 }
93
MethodLabel(ir::EncodedMethod * ir_method)94 std::string MethodLabel(ir::EncodedMethod* ir_method) {
95 auto signature_str = ir_method->decl->prototype->Signature();
96 return ir_method->decl->parent->Decl() + "->" + ir_method->decl->name->c_str() + signature_str;
97 }
98
99 } // namespace
100
Apply(lir::CodeIr * code_ir)101 bool EntryHook::Apply(lir::CodeIr* code_ir) {
102 lir::Bytecode* bytecode = nullptr;
103 // find the first bytecode in the method body to insert the hook before it
104 for (auto instr : code_ir->instructions) {
105 BytecodeConvertingVisitor visitor;
106 instr->Accept(&visitor);
107 bytecode = visitor.out;
108 if (bytecode != nullptr) {
109 break;
110 }
111 }
112 if (bytecode == nullptr) {
113 return false;
114 }
115 if (tweak_ == Tweak::ArrayParams) {
116 return InjectArrayParamsHook(code_ir, bytecode);
117 }
118
119 ir::Builder builder(code_ir->dex_ir);
120 const auto ir_method = code_ir->ir_method;
121
122 // construct the hook method declaration
123 std::vector<ir::Type*> param_types;
124 if ((ir_method->access_flags & dex::kAccStatic) == 0) {
125 ir::Type* this_argument_type;
126 switch (tweak_) {
127 case Tweak::ThisAsObject:
128 this_argument_type = builder.GetType("Ljava/lang/Object;");
129 break;
130 default:
131 this_argument_type = ir_method->decl->parent;
132 break;
133 }
134 param_types.push_back(this_argument_type);
135 }
136 if (ir_method->decl->prototype->param_types != nullptr) {
137 const auto& orig_param_types = ir_method->decl->prototype->param_types->types;
138 param_types.insert(param_types.end(), orig_param_types.begin(), orig_param_types.end());
139 }
140
141 auto ir_proto = builder.GetProto(builder.GetType("V"),
142 builder.GetTypeList(param_types));
143
144 auto ir_method_decl = builder.GetMethodDecl(
145 builder.GetAsciiString(hook_method_id_.method_name), ir_proto,
146 builder.GetType(hook_method_id_.class_descriptor));
147
148 auto hook_method = code_ir->Alloc<lir::Method>(ir_method_decl, ir_method_decl->orig_index);
149
150 // argument registers
151 auto regs = ir_method->code->registers;
152 auto args_count = ir_method->code->ins_count;
153 auto args = code_ir->Alloc<lir::VRegRange>(regs - args_count, args_count);
154
155 // invoke hook bytecode
156 auto hook_invoke = code_ir->Alloc<lir::Bytecode>();
157 hook_invoke->opcode = dex::OP_INVOKE_STATIC_RANGE;
158 hook_invoke->operands.push_back(args);
159 hook_invoke->operands.push_back(hook_method);
160
161 // insert the hook before the first bytecode in the method body
162 code_ir->instructions.InsertBefore(bytecode, hook_invoke);
163 return true;
164 }
165
GenerateShiftParamsCode(lir::CodeIr * code_ir,lir::Instruction * position,dex::u4 shift)166 void GenerateShiftParamsCode(lir::CodeIr* code_ir, lir::Instruction* position, dex::u4 shift) {
167 const auto ir_method = code_ir->ir_method;
168 SLICER_CHECK(ir_method->code->ins_count > 0);
169
170 // build a param list with the explicit "this" argument for non-static methods
171 std::vector<ir::Type*> param_types;
172 if ((ir_method->access_flags & dex::kAccStatic) == 0) {
173 param_types.push_back(ir_method->decl->parent);
174 }
175 if (ir_method->decl->prototype->param_types != nullptr) {
176 const auto& orig_param_types = ir_method->decl->prototype->param_types->types;
177 param_types.insert(param_types.end(), orig_param_types.begin(), orig_param_types.end());
178 }
179
180 const dex::u4 regs = ir_method->code->registers;
181 const dex::u4 ins_count = ir_method->code->ins_count;
182 SLICER_CHECK(regs >= ins_count);
183
184 // generate the args "relocation" instructions
185 dex::u4 reg = regs - ins_count;
186 for (const auto& type : param_types) {
187 auto move = code_ir->Alloc<lir::Bytecode>();
188 switch (type->GetCategory()) {
189 case ir::Type::Category::Reference:
190 move->opcode = dex::OP_MOVE_OBJECT_16;
191 move->operands.push_back(code_ir->Alloc<lir::VReg>(reg - shift));
192 move->operands.push_back(code_ir->Alloc<lir::VReg>(reg));
193 reg += 1;
194 break;
195 case ir::Type::Category::Scalar:
196 move->opcode = dex::OP_MOVE_16;
197 move->operands.push_back(code_ir->Alloc<lir::VReg>(reg - shift));
198 move->operands.push_back(code_ir->Alloc<lir::VReg>(reg));
199 reg += 1;
200 break;
201 case ir::Type::Category::WideScalar:
202 move->opcode = dex::OP_MOVE_WIDE_16;
203 move->operands.push_back(code_ir->Alloc<lir::VRegPair>(reg - shift));
204 move->operands.push_back(code_ir->Alloc<lir::VRegPair>(reg));
205 reg += 2;
206 break;
207 case ir::Type::Category::Void:
208 SLICER_FATAL("void parameter type");
209 }
210 code_ir->instructions.InsertBefore(position, move);
211 }
212 }
213
InjectArrayParamsHook(lir::CodeIr * code_ir,lir::Bytecode * bytecode)214 bool EntryHook::InjectArrayParamsHook(lir::CodeIr* code_ir, lir::Bytecode* bytecode) {
215 ir::Builder builder(code_ir->dex_ir);
216 const auto ir_method = code_ir->ir_method;
217 auto param_types_list = ir_method->decl->prototype->param_types;
218 auto param_types = param_types_list != nullptr ? param_types_list->types : std::vector<ir::Type*>();
219 bool is_static = (ir_method->access_flags & dex::kAccStatic) != 0;
220
221 // number of registers that we need to operate
222 dex::u2 regs_count = 3;
223 auto non_param_regs = ir_method->code->registers - ir_method->code->ins_count;
224
225 // do we have enough registers to operate?
226 bool needsExtraRegs = non_param_regs < regs_count;
227 if (needsExtraRegs) {
228 // we don't have enough registers, so we allocate more, we will shift
229 // params to their original registers later.
230 code_ir->ir_method->code->registers += regs_count - non_param_regs;
231 }
232
233 // use three first registers:
234 // all three are needed when we "aput" a string/boxed-value (1) into an array (2) at an index (3)
235
236 // register that will store size of during allocation
237 // later will be reused to store index when do "aput"
238 dex::u4 array_size_reg = 0;
239 // register that will store an array that will be passed
240 // as a parameter in entry hook
241 dex::u4 array_reg = 1;
242 // stores result of boxing (if it's needed); also stores the method signature string
243 dex::u4 value_reg = 2;
244 // array size bytecode
245 auto const_size_op = code_ir->Alloc<lir::Bytecode>();
246 const_size_op->opcode = dex::OP_CONST;
247 const_size_op->operands.push_back(code_ir->Alloc<lir::VReg>(array_size_reg));
248 const_size_op->operands.push_back(code_ir->Alloc<lir::Const32>(
249 2 + param_types.size())); // method signature + params + "this" object
250 code_ir->instructions.InsertBefore(bytecode, const_size_op);
251
252 // allocate array
253 const auto obj_array_type = builder.GetType("[Ljava/lang/Object;");
254 auto allocate_array_op = code_ir->Alloc<lir::Bytecode>();
255 allocate_array_op->opcode = dex::OP_NEW_ARRAY;
256 allocate_array_op->operands.push_back(code_ir->Alloc<lir::VReg>(array_reg));
257 allocate_array_op->operands.push_back(code_ir->Alloc<lir::VReg>(array_size_reg));
258 allocate_array_op->operands.push_back(
259 code_ir->Alloc<lir::Type>(obj_array_type, obj_array_type->orig_index));
260 code_ir->instructions.InsertBefore(bytecode, allocate_array_op);
261
262 // fill the array with parameters passed into function
263
264 std::vector<ir::Type*> types;
265 types.push_back(builder.GetType("Ljava/lang/String;")); // method signature string
266 if (!is_static) {
267 types.push_back(ir_method->decl->parent); // "this" object
268 }
269
270 types.insert(types.end(), param_types.begin(), param_types.end()); // parameters
271
272 // register where params start
273 dex::u4 current_reg = ir_method->code->registers - ir_method->code->ins_count;
274 // reuse not needed anymore register to store indexes
275 dex::u4 array_index_reg = array_size_reg;
276 int i = 0;
277 for (auto type: types) {
278 dex::u4 src_reg = 0;
279 if (i == 0) { // method signature string
280 // e.g. const-string v2, "(I[Ljava/lang/String;)Ljava/lang/String;"
281 // for (int, String[]) -> String
282 auto const_str_op = code_ir->Alloc<lir::Bytecode>();
283 const_str_op->opcode = dex::OP_CONST_STRING;
284 const_str_op->operands.push_back(code_ir->Alloc<lir::VReg>(value_reg)); // dst
285 auto method_label = builder.GetAsciiString(MethodLabel(ir_method).c_str());
286 const_str_op->operands.push_back(
287 code_ir->Alloc<lir::String>(method_label, method_label->orig_index)); // src
288 code_ir->instructions.InsertBefore(bytecode, const_str_op);
289 src_reg = value_reg;
290 } else if (type->GetCategory() != ir::Type::Category::Reference) {
291 BoxValue(bytecode, code_ir, type, current_reg, value_reg);
292 src_reg = value_reg;
293 current_reg += 1 + (type->GetCategory() == ir::Type::Category::WideScalar);
294 } else {
295 src_reg = current_reg;
296 current_reg++;
297 }
298
299 auto index_const_op = code_ir->Alloc<lir::Bytecode>();
300 index_const_op->opcode = dex::OP_CONST;
301 index_const_op->operands.push_back(code_ir->Alloc<lir::VReg>(array_index_reg));
302 index_const_op->operands.push_back(code_ir->Alloc<lir::Const32>(i++));
303 code_ir->instructions.InsertBefore(bytecode, index_const_op);
304
305 auto aput_op = code_ir->Alloc<lir::Bytecode>();
306 aput_op->opcode = dex::OP_APUT_OBJECT;
307 aput_op->operands.push_back(code_ir->Alloc<lir::VReg>(src_reg));
308 aput_op->operands.push_back(code_ir->Alloc<lir::VReg>(array_reg));
309 aput_op->operands.push_back(code_ir->Alloc<lir::VReg>(array_index_reg));
310 code_ir->instructions.InsertBefore(bytecode, aput_op);
311
312 // if function is static, then jumping over index 1
313 // since null should be be passed in this case
314 if (i == 1 && is_static) i++;
315 }
316
317 std::vector<ir::Type*> hook_param_types;
318 hook_param_types.push_back(obj_array_type);
319
320 auto ir_proto = builder.GetProto(builder.GetType("V"),
321 builder.GetTypeList(hook_param_types));
322
323 auto ir_method_decl = builder.GetMethodDecl(
324 builder.GetAsciiString(hook_method_id_.method_name), ir_proto,
325 builder.GetType(hook_method_id_.class_descriptor));
326
327 auto hook_method = code_ir->Alloc<lir::Method>(ir_method_decl, ir_method_decl->orig_index);
328 auto args = code_ir->Alloc<lir::VRegRange>(array_reg, 1);
329 auto hook_invoke = code_ir->Alloc<lir::Bytecode>();
330 hook_invoke->opcode = dex::OP_INVOKE_STATIC_RANGE;
331 hook_invoke->operands.push_back(args);
332 hook_invoke->operands.push_back(hook_method);
333 code_ir->instructions.InsertBefore(bytecode, hook_invoke);
334
335 // clean up registries used by us
336 // registers are assigned to a marker value 0xFE_FE_FE_FE (decimal
337 // value: -16843010) to help identify use of uninitialized registers.
338 for (dex::u2 i = 0; i < regs_count; ++i) {
339 auto cleanup = code_ir->Alloc<lir::Bytecode>();
340 cleanup->opcode = dex::OP_CONST;
341 cleanup->operands.push_back(code_ir->Alloc<lir::VReg>(i));
342 cleanup->operands.push_back(code_ir->Alloc<lir::Const32>(0xFEFEFEFE));
343 code_ir->instructions.InsertBefore(bytecode, cleanup);
344 }
345
346 // now we have to shift params to their original registers
347 if (needsExtraRegs) {
348 GenerateShiftParamsCode(code_ir, bytecode, regs_count - non_param_regs);
349 }
350 return true;
351 }
352
Apply(lir::CodeIr * code_ir)353 bool ExitHook::Apply(lir::CodeIr* code_ir) {
354 ir::Builder builder(code_ir->dex_ir);
355 const auto ir_method = code_ir->ir_method;
356 const auto declared_return_type = ir_method->decl->prototype->return_type;
357 bool return_as_object = (tweak_ & Tweak::ReturnAsObject) != 0;
358 // do we have a void-return method?
359 bool return_void = (::strcmp(declared_return_type->descriptor->c_str(), "V") == 0);
360 // returnAsObject supports only object return type;
361 SLICER_CHECK(!return_as_object ||
362 (declared_return_type->GetCategory() == ir::Type::Category::Reference));
363 const auto return_type = return_as_object ? builder.GetType("Ljava/lang/Object;")
364 : declared_return_type;
365
366 bool pass_method_signature = (tweak_ & Tweak::PassMethodSignature) != 0;
367 // construct the hook method declaration
368 std::vector<ir::Type*> param_types;
369 if (pass_method_signature) {
370 param_types.push_back(builder.GetType("Ljava/lang/String;"));
371 }
372 if (!return_void) {
373 param_types.push_back(return_type);
374 }
375
376 auto ir_proto = builder.GetProto(return_type, builder.GetTypeList(param_types));
377
378 auto ir_method_decl = builder.GetMethodDecl(
379 builder.GetAsciiString(hook_method_id_.method_name), ir_proto,
380 builder.GetType(hook_method_id_.class_descriptor));
381
382 auto hook_method = code_ir->Alloc<lir::Method>(ir_method_decl, ir_method_decl->orig_index);
383
384 // find and instrument all return instructions
385 for (auto instr : code_ir->instructions) {
386 BytecodeConvertingVisitor visitor;
387 instr->Accept(&visitor);
388 auto bytecode = visitor.out;
389 if (bytecode == nullptr) {
390 continue;
391 }
392
393 dex::Opcode move_result_opcode = dex::OP_NOP;
394 dex::u4 reg = 0;
395 int reg_count = 0;
396 switch (bytecode->opcode) {
397 case dex::OP_RETURN_VOID:
398 SLICER_CHECK(return_void);
399 break;
400 case dex::OP_RETURN:
401 SLICER_CHECK(!return_void);
402 move_result_opcode = dex::OP_MOVE_RESULT;
403 reg = bytecode->CastOperand<lir::VReg>(0)->reg;
404 reg_count = 1;
405 break;
406 case dex::OP_RETURN_OBJECT:
407 SLICER_CHECK(!return_void);
408 move_result_opcode = dex::OP_MOVE_RESULT_OBJECT;
409 reg = bytecode->CastOperand<lir::VReg>(0)->reg;
410 reg_count = 1;
411 break;
412 case dex::OP_RETURN_WIDE:
413 SLICER_CHECK(!return_void);
414 move_result_opcode = dex::OP_MOVE_RESULT_WIDE;
415 reg = bytecode->CastOperand<lir::VRegPair>(0)->base_reg;
416 reg_count = 2;
417 break;
418 default:
419 // skip the bytecode...
420 continue;
421 }
422
423 dex::u4 scratch_reg = 0;
424 // load method signature into scratch_reg
425 if (pass_method_signature) {
426 // is there a register that can be overtaken
427 bool needsScratchReg = ir_method->code->registers < reg_count + 1;
428 if (needsScratchReg) {
429 // don't renumber registers underneath us
430 slicer::AllocateScratchRegs alloc_regs(1, false);
431 alloc_regs.Apply(code_ir);
432 }
433
434 // we need use one register before results to put signature there
435 // however result starts in register 0, thefore it is shifted
436 // to register 1
437 if (reg == 0 && bytecode->opcode != dex::OP_RETURN_VOID) {
438 auto move_op = code_ir->Alloc<lir::Bytecode>();
439 switch (bytecode->opcode) {
440 case dex::OP_RETURN_OBJECT:
441 move_op->opcode = dex::OP_MOVE_OBJECT_16;
442 move_op->operands.push_back(code_ir->Alloc<lir::VReg>(reg + 1));
443 move_op->operands.push_back(code_ir->Alloc<lir::VReg>(reg));
444 break;
445 case dex::OP_RETURN:
446 move_op->opcode = dex::OP_MOVE_16;
447 move_op->operands.push_back(code_ir->Alloc<lir::VReg>(reg + 1));
448 move_op->operands.push_back(code_ir->Alloc<lir::VReg>(reg));
449 break;
450 case dex::OP_RETURN_WIDE:
451 move_op->opcode = dex::OP_MOVE_WIDE_16;
452 move_op->operands.push_back(code_ir->Alloc<lir::VRegPair>(reg + 1));
453 move_op->operands.push_back(code_ir->Alloc<lir::VRegPair>(reg));
454 break;
455 default:
456 SLICER_FATAL("Unexpected opcode %d", bytecode->opcode);
457 }
458 code_ir->instructions.InsertBefore(bytecode, move_op);
459 // return is the last call, return is shifted to one, so taking over 0 registry
460 scratch_reg = 0;
461 } else {
462 // return is the last call, so we're taking over previous registry
463 scratch_reg = bytecode->opcode == dex::OP_RETURN_VOID ? 0 : reg - 1;
464 }
465
466
467 // return is the last call, so we're taking over previous registry
468 auto method_label = builder.GetAsciiString(MethodLabel(ir_method).c_str());
469 auto const_str_op = code_ir->Alloc<lir::Bytecode>();
470 const_str_op->opcode = dex::OP_CONST_STRING;
471 const_str_op->operands.push_back(code_ir->Alloc<lir::VReg>(scratch_reg)); // dst
472 const_str_op->operands.push_back(code_ir->Alloc<lir::String>(method_label, method_label->orig_index)); // src
473 code_ir->instructions.InsertBefore(bytecode, const_str_op);
474 }
475
476 auto args = pass_method_signature
477 ? code_ir->Alloc<lir::VRegRange>(scratch_reg, reg_count + 1)
478 : code_ir->Alloc<lir::VRegRange>(reg, reg_count);
479 auto hook_invoke = code_ir->Alloc<lir::Bytecode>();
480 hook_invoke->opcode = dex::OP_INVOKE_STATIC_RANGE;
481 hook_invoke->operands.push_back(args);
482 hook_invoke->operands.push_back(hook_method);
483 code_ir->instructions.InsertBefore(bytecode, hook_invoke);
484
485 // move result back to the right register
486 //
487 // NOTE: we're reusing the original return's operand,
488 // which is valid and more efficient than allocating
489 // a new LIR node, but it's also fragile: we need to be
490 // very careful about mutating shared nodes.
491 //
492 if (move_result_opcode != dex::OP_NOP) {
493 auto move_result = code_ir->Alloc<lir::Bytecode>();
494 move_result->opcode = move_result_opcode;
495 move_result->operands.push_back(bytecode->operands[0]);
496 code_ir->instructions.InsertBefore(bytecode, move_result);
497
498 if ((tweak_ & Tweak::ReturnAsObject) != 0) {
499 auto check_cast = code_ir->Alloc<lir::Bytecode>();
500 check_cast->opcode = dex::OP_CHECK_CAST;
501 check_cast->operands.push_back(code_ir->Alloc<lir::VReg>(reg));
502 check_cast->operands.push_back(
503 code_ir->Alloc<lir::Type>(declared_return_type, declared_return_type->orig_index));
504 code_ir->instructions.InsertBefore(bytecode, check_cast);
505 }
506 }
507 }
508
509 return true;
510 }
511
Apply(lir::CodeIr * code_ir)512 bool DetourHook::Apply(lir::CodeIr* code_ir) {
513 ir::Builder builder(code_ir->dex_ir);
514
515 // search for matching invoke-virtual[/range] bytecodes
516 for (auto instr : code_ir->instructions) {
517 BytecodeConvertingVisitor visitor;
518 instr->Accept(&visitor);
519 auto bytecode = visitor.out;
520 if (bytecode == nullptr) {
521 continue;
522 }
523
524 dex::Opcode new_call_opcode = GetNewOpcode(bytecode->opcode);
525 if (new_call_opcode == dex::OP_NOP) {
526 continue;
527 }
528
529 auto orig_method = bytecode->CastOperand<lir::Method>(1)->ir_method;
530 if (!orig_method_id_.Match(orig_method)) {
531 // this is not the method you're looking for...
532 continue;
533 }
534
535 // construct the detour method declaration
536 // (matching the original method, plus an explicit "this" argument)
537 std::vector<ir::Type*> param_types;
538 param_types.push_back(orig_method->parent);
539 if (orig_method->prototype->param_types != nullptr) {
540 const auto& orig_param_types = orig_method->prototype->param_types->types;
541 param_types.insert(param_types.end(), orig_param_types.begin(),
542 orig_param_types.end());
543 }
544
545 auto ir_proto = builder.GetProto(orig_method->prototype->return_type,
546 builder.GetTypeList(param_types));
547
548 auto ir_method_decl = builder.GetMethodDecl(
549 builder.GetAsciiString(detour_method_id_.method_name), ir_proto,
550 builder.GetType(detour_method_id_.class_descriptor));
551
552 auto detour_method =
553 code_ir->Alloc<lir::Method>(ir_method_decl, ir_method_decl->orig_index);
554
555 // We mutate the original invoke bytecode in-place: this is ok
556 // because lir::Instructions can't be shared (referenced multiple times)
557 // in the code IR. It's also simpler and more efficient than allocating a
558 // new IR invoke bytecode.
559 bytecode->opcode = new_call_opcode;
560 bytecode->operands[1] = detour_method;
561 }
562
563 return true;
564 }
565
GetNewOpcode(dex::Opcode opcode)566 dex::Opcode DetourVirtualInvoke::GetNewOpcode(dex::Opcode opcode) {
567 switch (opcode) {
568 case dex::OP_INVOKE_VIRTUAL:
569 return dex::OP_INVOKE_STATIC;
570 case dex::OP_INVOKE_VIRTUAL_RANGE:
571 return dex::OP_INVOKE_STATIC_RANGE;
572 default:
573 // skip instruction ...
574 return dex::OP_NOP;
575 }
576 }
577
GetNewOpcode(dex::Opcode opcode)578 dex::Opcode DetourInterfaceInvoke::GetNewOpcode(dex::Opcode opcode) {
579 switch (opcode) {
580 case dex::OP_INVOKE_INTERFACE:
581 return dex::OP_INVOKE_STATIC;
582 case dex::OP_INVOKE_INTERFACE_RANGE:
583 return dex::OP_INVOKE_STATIC_RANGE;
584 default:
585 // skip instruction ...
586 return dex::OP_NOP;
587 }
588 }
589
590 // Register re-numbering visitor
591 // (renumbers vN to vN+shift)
592 class RegsRenumberVisitor : public lir::Visitor {
593 public:
RegsRenumberVisitor(int shift)594 explicit RegsRenumberVisitor(int shift) : shift_(shift) {
595 SLICER_CHECK(shift > 0);
596 }
597
598 private:
Visit(lir::Bytecode * bytecode)599 virtual bool Visit(lir::Bytecode* bytecode) override {
600 for (auto operand : bytecode->operands) {
601 operand->Accept(this);
602 }
603 return true;
604 }
605
Visit(lir::DbgInfoAnnotation * dbg_annotation)606 virtual bool Visit(lir::DbgInfoAnnotation* dbg_annotation) override {
607 for (auto operand : dbg_annotation->operands) {
608 operand->Accept(this);
609 }
610 return true;
611 }
612
Visit(lir::VReg * vreg)613 virtual bool Visit(lir::VReg* vreg) override {
614 vreg->reg += shift_;
615 return true;
616 }
617
Visit(lir::VRegPair * vreg_pair)618 virtual bool Visit(lir::VRegPair* vreg_pair) override {
619 vreg_pair->base_reg += shift_;
620 return true;
621 }
622
Visit(lir::VRegList * vreg_list)623 virtual bool Visit(lir::VRegList* vreg_list) override {
624 for (auto& reg : vreg_list->registers) {
625 reg += shift_;
626 }
627 return true;
628 }
629
Visit(lir::VRegRange * vreg_range)630 virtual bool Visit(lir::VRegRange* vreg_range) override {
631 vreg_range->base_reg += shift_;
632 return true;
633 }
634
635 private:
636 int shift_ = 0;
637 };
638
639 // Try to allocate registers by renumbering the existing allocation
640 //
641 // NOTE: we can't bump the register count over 16 since it may
642 // make existing bytecodes "unencodable" (if they have 4 bit reg fields)
643 //
RegsRenumbering(lir::CodeIr * code_ir)644 void AllocateScratchRegs::RegsRenumbering(lir::CodeIr* code_ir) {
645 SLICER_CHECK(left_to_allocate_ > 0);
646 int delta = std::min(left_to_allocate_,
647 16 - static_cast<int>(code_ir->ir_method->code->registers));
648 if (delta < 1) {
649 // can't allocate any registers through renumbering
650 return;
651 }
652 assert(delta <= 16);
653
654 // renumber existing registers
655 RegsRenumberVisitor visitor(delta);
656 for (auto instr : code_ir->instructions) {
657 instr->Accept(&visitor);
658 }
659
660 // we just allocated "delta" registers (v0..vX)
661 Allocate(code_ir, 0, delta);
662 }
663
664 // Allocates registers by generating prologue code to relocate params
665 // into their original registers (parameters are allocated in the last IN registers)
666 //
667 // There are three types of register moves depending on the value type:
668 // 1. vreg -> vreg
669 // 2. vreg/wide -> vreg/wide
670 // 3. vreg/obj -> vreg/obj
671 //
ShiftParams(lir::CodeIr * code_ir)672 void AllocateScratchRegs::ShiftParams(lir::CodeIr* code_ir) {
673 const auto ir_method = code_ir->ir_method;
674 SLICER_CHECK(left_to_allocate_ > 0);
675
676 const dex::u4 shift = left_to_allocate_;
677 Allocate(code_ir, ir_method->code->registers, left_to_allocate_);
678 assert(left_to_allocate_ == 0);
679
680 // generate the args "relocation" instructions
681 auto first_instr = *(code_ir->instructions.begin());
682 GenerateShiftParamsCode(code_ir, first_instr, shift);
683 }
684
685 // Mark [first_reg, first_reg + count) as scratch registers
Allocate(lir::CodeIr * code_ir,dex::u4 first_reg,int count)686 void AllocateScratchRegs::Allocate(lir::CodeIr* code_ir, dex::u4 first_reg, int count) {
687 SLICER_CHECK(count > 0 && count <= left_to_allocate_);
688 code_ir->ir_method->code->registers += count;
689 left_to_allocate_ -= count;
690 for (int i = 0; i < count; ++i) {
691 SLICER_CHECK(scratch_regs_.insert(first_reg + i).second);
692 }
693 }
694
695 // Allocate scratch registers without doing a full register allocation:
696 //
697 // 1. if there are not params, increase the method regs count and we're done
698 // 2. if the method uses less than 16 registers, we can renumber the existing registers
699 // 3. if we still have registers to allocate, increase the method registers count,
700 // and generate prologue code to shift the param regs into their original registers
701 //
Apply(lir::CodeIr * code_ir)702 bool AllocateScratchRegs::Apply(lir::CodeIr* code_ir) {
703 const auto code = code_ir->ir_method->code;
704 // .dex bytecode allows up to 64k vregs
705 SLICER_CHECK(code->registers + allocate_count_ <= (1 << 16));
706
707 scratch_regs_.clear();
708 left_to_allocate_ = allocate_count_;
709
710 // can we allocate by simply incrementing the method regs count?
711 if (code->ins_count == 0) {
712 Allocate(code_ir, code->registers, left_to_allocate_);
713 return true;
714 }
715
716 // allocate as many registers as possible using renumbering
717 if (allow_renumbering_) {
718 RegsRenumbering(code_ir);
719 }
720
721 // if we still have registers to allocate, generate prologue
722 // code to shift the params into their original registers
723 if (left_to_allocate_ > 0) {
724 ShiftParams(code_ir);
725 }
726
727 assert(left_to_allocate_ == 0);
728 assert(scratch_regs_.size() == size_t(allocate_count_));
729 return true;
730 }
731
InstrumentMethod(ir::EncodedMethod * ir_method)732 bool MethodInstrumenter::InstrumentMethod(ir::EncodedMethod* ir_method) {
733 SLICER_CHECK(ir_method != nullptr);
734 if (ir_method->code == nullptr) {
735 // can't instrument abstract methods
736 return false;
737 }
738
739 // apply all the queued transformations
740 lir::CodeIr code_ir(ir_method, dex_ir_);
741 for (const auto& transformation : transformations_) {
742 if (!transformation->Apply(&code_ir)) {
743 // the transformation failed, bail out...
744 return false;
745 }
746 }
747 code_ir.Assemble();
748 return true;
749 }
750
InstrumentMethod(const ir::MethodId & method_id)751 bool MethodInstrumenter::InstrumentMethod(const ir::MethodId& method_id) {
752 // locate the method to be instrumented
753 ir::Builder builder(dex_ir_);
754 auto ir_method = builder.FindMethod(method_id);
755 if (ir_method == nullptr) {
756 // we couldn't find the specified method
757 return false;
758 }
759 return InstrumentMethod(ir_method);
760 }
761
762 } // namespace slicer
763