1 /* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "fault_handler.h" 18 19 #include <sys/ucontext.h> 20 21 #include "art_method.h" 22 #include "base/enums.h" 23 #include "base/hex_dump.h" 24 #include "base/logging.h" // For VLOG. 25 #include "base/macros.h" 26 #include "base/safe_copy.h" 27 #include "globals.h" 28 #include "thread-current-inl.h" 29 30 #if defined(__APPLE__) 31 #define ucontext __darwin_ucontext 32 33 #if defined(__x86_64__) 34 // 64 bit mac build. 35 #define CTX_ESP uc_mcontext->__ss.__rsp 36 #define CTX_EIP uc_mcontext->__ss.__rip 37 #define CTX_EAX uc_mcontext->__ss.__rax 38 #define CTX_METHOD uc_mcontext->__ss.__rdi 39 #define CTX_RDI uc_mcontext->__ss.__rdi 40 #define CTX_JMP_BUF uc_mcontext->__ss.__rdi 41 #else 42 // 32 bit mac build. 43 #define CTX_ESP uc_mcontext->__ss.__esp 44 #define CTX_EIP uc_mcontext->__ss.__eip 45 #define CTX_EAX uc_mcontext->__ss.__eax 46 #define CTX_METHOD uc_mcontext->__ss.__eax 47 #define CTX_JMP_BUF uc_mcontext->__ss.__eax 48 #endif 49 50 #elif defined(__x86_64__) 51 // 64 bit linux build. 52 #define CTX_ESP uc_mcontext.gregs[REG_RSP] 53 #define CTX_EIP uc_mcontext.gregs[REG_RIP] 54 #define CTX_EAX uc_mcontext.gregs[REG_RAX] 55 #define CTX_METHOD uc_mcontext.gregs[REG_RDI] 56 #define CTX_RDI uc_mcontext.gregs[REG_RDI] 57 #define CTX_JMP_BUF uc_mcontext.gregs[REG_RDI] 58 #else 59 // 32 bit linux build. 60 #define CTX_ESP uc_mcontext.gregs[REG_ESP] 61 #define CTX_EIP uc_mcontext.gregs[REG_EIP] 62 #define CTX_EAX uc_mcontext.gregs[REG_EAX] 63 #define CTX_METHOD uc_mcontext.gregs[REG_EAX] 64 #define CTX_JMP_BUF uc_mcontext.gregs[REG_EAX] 65 #endif 66 67 // 68 // X86 (and X86_64) specific fault handler functions. 69 // 70 71 namespace art { 72 73 extern "C" void art_quick_throw_null_pointer_exception_from_signal(); 74 extern "C" void art_quick_throw_stack_overflow(); 75 extern "C" void art_quick_test_suspend(); 76 77 // Get the size of an instruction in bytes. 78 // Return 0 if the instruction is not handled. 79 static uint32_t GetInstructionSize(const uint8_t* pc) { 80 // Don't segfault if pc points to garbage. 81 char buf[15]; // x86/x86-64 have a maximum instruction length of 15 bytes. 82 ssize_t bytes = SafeCopy(buf, pc, sizeof(buf)); 83 84 if (bytes == 0) { 85 // Nothing was readable. 86 return 0; 87 } 88 89 if (bytes == -1) { 90 // SafeCopy not supported, assume that the entire range is readable. 91 bytes = 16; 92 } else { 93 pc = reinterpret_cast<uint8_t*>(buf); 94 } 95 96 #define INCREMENT_PC() \ 97 do { \ 98 pc++; \ 99 if (pc - startpc > bytes) { \ 100 return 0; \ 101 } \ 102 } while (0) 103 104 #if defined(__x86_64) 105 const bool x86_64 = true; 106 #else 107 const bool x86_64 = false; 108 #endif 109 110 const uint8_t* startpc = pc; 111 112 uint8_t opcode = *pc; 113 INCREMENT_PC(); 114 uint8_t modrm; 115 bool has_modrm = false; 116 bool two_byte = false; 117 uint32_t displacement_size = 0; 118 uint32_t immediate_size = 0; 119 bool operand_size_prefix = false; 120 121 // Prefixes. 122 while (true) { 123 bool prefix_present = false; 124 switch (opcode) { 125 // Group 3 126 case 0x66: 127 operand_size_prefix = true; 128 FALLTHROUGH_INTENDED; 129 130 // Group 1 131 case 0xf0: 132 case 0xf2: 133 case 0xf3: 134 135 // Group 2 136 case 0x2e: 137 case 0x36: 138 case 0x3e: 139 case 0x26: 140 case 0x64: 141 case 0x65: 142 143 // Group 4 144 case 0x67: 145 opcode = *pc; 146 INCREMENT_PC(); 147 prefix_present = true; 148 break; 149 } 150 if (!prefix_present) { 151 break; 152 } 153 } 154 155 if (x86_64 && opcode >= 0x40 && opcode <= 0x4f) { 156 opcode = *pc; 157 INCREMENT_PC(); 158 } 159 160 if (opcode == 0x0f) { 161 // Two byte opcode 162 two_byte = true; 163 opcode = *pc; 164 INCREMENT_PC(); 165 } 166 167 bool unhandled_instruction = false; 168 169 if (two_byte) { 170 switch (opcode) { 171 case 0x10: // vmovsd/ss 172 case 0x11: // vmovsd/ss 173 case 0xb6: // movzx 174 case 0xb7: 175 case 0xbe: // movsx 176 case 0xbf: 177 modrm = *pc; 178 INCREMENT_PC(); 179 has_modrm = true; 180 break; 181 default: 182 unhandled_instruction = true; 183 break; 184 } 185 } else { 186 switch (opcode) { 187 case 0x88: // mov byte 188 case 0x89: // mov 189 case 0x8b: 190 case 0x38: // cmp with memory. 191 case 0x39: 192 case 0x3a: 193 case 0x3b: 194 case 0x3c: 195 case 0x3d: 196 case 0x85: // test. 197 modrm = *pc; 198 INCREMENT_PC(); 199 has_modrm = true; 200 break; 201 202 case 0x80: // group 1, byte immediate. 203 case 0x83: 204 case 0xc6: 205 modrm = *pc; 206 INCREMENT_PC(); 207 has_modrm = true; 208 immediate_size = 1; 209 break; 210 211 case 0x81: // group 1, word immediate. 212 case 0xc7: // mov 213 modrm = *pc; 214 INCREMENT_PC(); 215 has_modrm = true; 216 immediate_size = operand_size_prefix ? 2 : 4; 217 break; 218 219 case 0xf6: 220 case 0xf7: 221 modrm = *pc; 222 INCREMENT_PC(); 223 has_modrm = true; 224 switch ((modrm >> 3) & 7) { // Extract "reg/opcode" from "modr/m". 225 case 0: // test 226 immediate_size = (opcode == 0xf6) ? 1 : (operand_size_prefix ? 2 : 4); 227 break; 228 case 2: // not 229 case 3: // neg 230 case 4: // mul 231 case 5: // imul 232 case 6: // div 233 case 7: // idiv 234 break; 235 default: 236 unhandled_instruction = true; 237 break; 238 } 239 break; 240 241 default: 242 unhandled_instruction = true; 243 break; 244 } 245 } 246 247 if (unhandled_instruction) { 248 VLOG(signals) << "Unhandled x86 instruction with opcode " << static_cast<int>(opcode); 249 return 0; 250 } 251 252 if (has_modrm) { 253 uint8_t mod = (modrm >> 6) & 3U /* 0b11 */; 254 255 // Check for SIB. 256 if (mod != 3U /* 0b11 */ && (modrm & 7U /* 0b111 */) == 4) { 257 INCREMENT_PC(); // SIB 258 } 259 260 switch (mod) { 261 case 0U /* 0b00 */: break; 262 case 1U /* 0b01 */: displacement_size = 1; break; 263 case 2U /* 0b10 */: displacement_size = 4; break; 264 case 3U /* 0b11 */: 265 break; 266 } 267 } 268 269 // Skip displacement and immediate. 270 pc += displacement_size + immediate_size; 271 272 VLOG(signals) << "x86 instruction length calculated as " << (pc - startpc); 273 if (pc - startpc > bytes) { 274 return 0; 275 } 276 return pc - startpc; 277 } 278 279 void FaultManager::GetMethodAndReturnPcAndSp(siginfo_t* siginfo, void* context, 280 ArtMethod** out_method, 281 uintptr_t* out_return_pc, uintptr_t* out_sp) { 282 struct ucontext* uc = reinterpret_cast<struct ucontext*>(context); 283 *out_sp = static_cast<uintptr_t>(uc->CTX_ESP); 284 VLOG(signals) << "sp: " << std::hex << *out_sp; 285 if (*out_sp == 0) { 286 return; 287 } 288 289 // In the case of a stack overflow, the stack is not valid and we can't 290 // get the method from the top of the stack. However it's in EAX(x86)/RDI(x86_64). 291 uintptr_t* fault_addr = reinterpret_cast<uintptr_t*>(siginfo->si_addr); 292 uintptr_t* overflow_addr = reinterpret_cast<uintptr_t*>( 293 #if defined(__x86_64__) 294 reinterpret_cast<uint8_t*>(*out_sp) - GetStackOverflowReservedBytes(InstructionSet::kX86_64)); 295 #else 296 reinterpret_cast<uint8_t*>(*out_sp) - GetStackOverflowReservedBytes(InstructionSet::kX86)); 297 #endif 298 if (overflow_addr == fault_addr) { 299 *out_method = reinterpret_cast<ArtMethod*>(uc->CTX_METHOD); 300 } else { 301 // The method is at the top of the stack. 302 *out_method = *reinterpret_cast<ArtMethod**>(*out_sp); 303 } 304 305 uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP); 306 VLOG(signals) << HexDump(pc, 32, true, "PC "); 307 308 if (pc == nullptr) { 309 // Somebody jumped to 0x0. Definitely not ours, and will definitely segfault below. 310 *out_method = nullptr; 311 return; 312 } 313 314 uint32_t instr_size = GetInstructionSize(pc); 315 if (instr_size == 0) { 316 // Unknown instruction, tell caller it's not ours. 317 *out_method = nullptr; 318 return; 319 } 320 *out_return_pc = reinterpret_cast<uintptr_t>(pc + instr_size); 321 } 322 323 bool NullPointerHandler::Action(int, siginfo_t* sig, void* context) { 324 if (!IsValidImplicitCheck(sig)) { 325 return false; 326 } 327 struct ucontext *uc = reinterpret_cast<struct ucontext*>(context); 328 uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP); 329 uint8_t* sp = reinterpret_cast<uint8_t*>(uc->CTX_ESP); 330 331 uint32_t instr_size = GetInstructionSize(pc); 332 if (instr_size == 0) { 333 // Unknown instruction, can't really happen. 334 return false; 335 } 336 337 // We need to arrange for the signal handler to return to the null pointer 338 // exception generator. The return address must be the address of the 339 // next instruction (this instruction + instruction size). The return address 340 // is on the stack at the top address of the current frame. 341 342 // Push the return address and fault address onto the stack. 343 uintptr_t retaddr = reinterpret_cast<uintptr_t>(pc + instr_size); 344 uintptr_t* next_sp = reinterpret_cast<uintptr_t*>(sp - 2 * sizeof(uintptr_t)); 345 next_sp[1] = retaddr; 346 next_sp[0] = reinterpret_cast<uintptr_t>(sig->si_addr); 347 uc->CTX_ESP = reinterpret_cast<uintptr_t>(next_sp); 348 349 uc->CTX_EIP = reinterpret_cast<uintptr_t>( 350 art_quick_throw_null_pointer_exception_from_signal); 351 VLOG(signals) << "Generating null pointer exception"; 352 return true; 353 } 354 355 // A suspend check is done using the following instruction sequence: 356 // (x86) 357 // 0xf720f1df: 648B058C000000 mov eax, fs:[0x8c] ; suspend_trigger 358 // .. some intervening instructions. 359 // 0xf720f1e6: 8500 test eax, [eax] 360 // (x86_64) 361 // 0x7f579de45d9e: 65488B0425A8000000 movq rax, gs:[0xa8] ; suspend_trigger 362 // .. some intervening instructions. 363 // 0x7f579de45da7: 8500 test eax, [eax] 364 365 // The offset from fs is Thread::ThreadSuspendTriggerOffset(). 366 // To check for a suspend check, we examine the instructions that caused 367 // the fault. 368 bool SuspensionHandler::Action(int, siginfo_t*, void* context) { 369 // These are the instructions to check for. The first one is the mov eax, fs:[xxx] 370 // where xxx is the offset of the suspend trigger. 371 uint32_t trigger = Thread::ThreadSuspendTriggerOffset<kRuntimePointerSize>().Int32Value(); 372 373 VLOG(signals) << "Checking for suspension point"; 374 #if defined(__x86_64__) 375 uint8_t checkinst1[] = {0x65, 0x48, 0x8b, 0x04, 0x25, static_cast<uint8_t>(trigger & 0xff), 376 static_cast<uint8_t>((trigger >> 8) & 0xff), 0, 0}; 377 #else 378 uint8_t checkinst1[] = {0x64, 0x8b, 0x05, static_cast<uint8_t>(trigger & 0xff), 379 static_cast<uint8_t>((trigger >> 8) & 0xff), 0, 0}; 380 #endif 381 uint8_t checkinst2[] = {0x85, 0x00}; 382 383 struct ucontext *uc = reinterpret_cast<struct ucontext*>(context); 384 uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP); 385 uint8_t* sp = reinterpret_cast<uint8_t*>(uc->CTX_ESP); 386 387 if (pc[0] != checkinst2[0] || pc[1] != checkinst2[1]) { 388 // Second instruction is not correct (test eax,[eax]). 389 VLOG(signals) << "Not a suspension point"; 390 return false; 391 } 392 393 // The first instruction can a little bit up the stream due to load hoisting 394 // in the compiler. 395 uint8_t* limit = pc - 100; // Compiler will hoist to a max of 20 instructions. 396 uint8_t* ptr = pc - sizeof(checkinst1); 397 bool found = false; 398 while (ptr > limit) { 399 if (memcmp(ptr, checkinst1, sizeof(checkinst1)) == 0) { 400 found = true; 401 break; 402 } 403 ptr -= 1; 404 } 405 406 if (found) { 407 VLOG(signals) << "suspend check match"; 408 409 // We need to arrange for the signal handler to return to the null pointer 410 // exception generator. The return address must be the address of the 411 // next instruction (this instruction + 2). The return address 412 // is on the stack at the top address of the current frame. 413 414 // Push the return address onto the stack. 415 uintptr_t retaddr = reinterpret_cast<uintptr_t>(pc + 2); 416 uintptr_t* next_sp = reinterpret_cast<uintptr_t*>(sp - sizeof(uintptr_t)); 417 *next_sp = retaddr; 418 uc->CTX_ESP = reinterpret_cast<uintptr_t>(next_sp); 419 420 uc->CTX_EIP = reinterpret_cast<uintptr_t>(art_quick_test_suspend); 421 422 // Now remove the suspend trigger that caused this fault. 423 Thread::Current()->RemoveSuspendTrigger(); 424 VLOG(signals) << "removed suspend trigger invoking test suspend"; 425 return true; 426 } 427 VLOG(signals) << "Not a suspend check match, first instruction mismatch"; 428 return false; 429 } 430 431 // The stack overflow check is done using the following instruction: 432 // test eax, [esp+ -xxx] 433 // where 'xxx' is the size of the overflow area. 434 // 435 // This is done before any frame is established in the method. The return 436 // address for the previous method is on the stack at ESP. 437 438 bool StackOverflowHandler::Action(int, siginfo_t* info, void* context) { 439 struct ucontext *uc = reinterpret_cast<struct ucontext*>(context); 440 uintptr_t sp = static_cast<uintptr_t>(uc->CTX_ESP); 441 442 uintptr_t fault_addr = reinterpret_cast<uintptr_t>(info->si_addr); 443 VLOG(signals) << "fault_addr: " << std::hex << fault_addr; 444 VLOG(signals) << "checking for stack overflow, sp: " << std::hex << sp << 445 ", fault_addr: " << fault_addr; 446 447 #if defined(__x86_64__) 448 uintptr_t overflow_addr = sp - GetStackOverflowReservedBytes(InstructionSet::kX86_64); 449 #else 450 uintptr_t overflow_addr = sp - GetStackOverflowReservedBytes(InstructionSet::kX86); 451 #endif 452 453 // Check that the fault address is the value expected for a stack overflow. 454 if (fault_addr != overflow_addr) { 455 VLOG(signals) << "Not a stack overflow"; 456 return false; 457 } 458 459 VLOG(signals) << "Stack overflow found"; 460 461 // Since the compiler puts the implicit overflow 462 // check before the callee save instructions, the SP is already pointing to 463 // the previous frame. 464 465 // Now arrange for the signal handler to return to art_quick_throw_stack_overflow. 466 uc->CTX_EIP = reinterpret_cast<uintptr_t>(art_quick_throw_stack_overflow); 467 468 return true; 469 } 470 } // namespace art 471