• Home
  • History
  • Annotate
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2008 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "fault_handler.h"
18 
19 #include <sys/ucontext.h>
20 
21 #include "art_method.h"
22 #include "base/enums.h"
23 #include "base/hex_dump.h"
24 #include "base/logging.h"  // For VLOG.
25 #include "base/macros.h"
26 #include "base/safe_copy.h"
27 #include "globals.h"
28 #include "thread-current-inl.h"
29 
30 #if defined(__APPLE__)
31 #define ucontext __darwin_ucontext
32 
33 #if defined(__x86_64__)
34 // 64 bit mac build.
35 #define CTX_ESP uc_mcontext->__ss.__rsp
36 #define CTX_EIP uc_mcontext->__ss.__rip
37 #define CTX_EAX uc_mcontext->__ss.__rax
38 #define CTX_METHOD uc_mcontext->__ss.__rdi
39 #define CTX_RDI uc_mcontext->__ss.__rdi
40 #define CTX_JMP_BUF uc_mcontext->__ss.__rdi
41 #else
42 // 32 bit mac build.
43 #define CTX_ESP uc_mcontext->__ss.__esp
44 #define CTX_EIP uc_mcontext->__ss.__eip
45 #define CTX_EAX uc_mcontext->__ss.__eax
46 #define CTX_METHOD uc_mcontext->__ss.__eax
47 #define CTX_JMP_BUF uc_mcontext->__ss.__eax
48 #endif
49 
50 #elif defined(__x86_64__)
51 // 64 bit linux build.
52 #define CTX_ESP uc_mcontext.gregs[REG_RSP]
53 #define CTX_EIP uc_mcontext.gregs[REG_RIP]
54 #define CTX_EAX uc_mcontext.gregs[REG_RAX]
55 #define CTX_METHOD uc_mcontext.gregs[REG_RDI]
56 #define CTX_RDI uc_mcontext.gregs[REG_RDI]
57 #define CTX_JMP_BUF uc_mcontext.gregs[REG_RDI]
58 #else
59 // 32 bit linux build.
60 #define CTX_ESP uc_mcontext.gregs[REG_ESP]
61 #define CTX_EIP uc_mcontext.gregs[REG_EIP]
62 #define CTX_EAX uc_mcontext.gregs[REG_EAX]
63 #define CTX_METHOD uc_mcontext.gregs[REG_EAX]
64 #define CTX_JMP_BUF uc_mcontext.gregs[REG_EAX]
65 #endif
66 
67 //
68 // X86 (and X86_64) specific fault handler functions.
69 //
70 
71 namespace art {
72 
73 extern "C" void art_quick_throw_null_pointer_exception_from_signal();
74 extern "C" void art_quick_throw_stack_overflow();
75 extern "C" void art_quick_test_suspend();
76 
77 // Get the size of an instruction in bytes.
78 // Return 0 if the instruction is not handled.
79 static uint32_t GetInstructionSize(const uint8_t* pc) {
80   // Don't segfault if pc points to garbage.
81   char buf[15];  // x86/x86-64 have a maximum instruction length of 15 bytes.
82   ssize_t bytes = SafeCopy(buf, pc, sizeof(buf));
83 
84   if (bytes == 0) {
85     // Nothing was readable.
86     return 0;
87   }
88 
89   if (bytes == -1) {
90     // SafeCopy not supported, assume that the entire range is readable.
91     bytes = 16;
92   } else {
93     pc = reinterpret_cast<uint8_t*>(buf);
94   }
95 
96 #define INCREMENT_PC()          \
97   do {                          \
98     pc++;                       \
99     if (pc - startpc > bytes) { \
100       return 0;                 \
101     }                           \
102   } while (0)
103 
104 #if defined(__x86_64)
105   const bool x86_64 = true;
106 #else
107   const bool x86_64 = false;
108 #endif
109 
110   const uint8_t* startpc = pc;
111 
112   uint8_t opcode = *pc;
113   INCREMENT_PC();
114   uint8_t modrm;
115   bool has_modrm = false;
116   bool two_byte = false;
117   uint32_t displacement_size = 0;
118   uint32_t immediate_size = 0;
119   bool operand_size_prefix = false;
120 
121   // Prefixes.
122   while (true) {
123     bool prefix_present = false;
124     switch (opcode) {
125       // Group 3
126       case 0x66:
127         operand_size_prefix = true;
128         FALLTHROUGH_INTENDED;
129 
130       // Group 1
131       case 0xf0:
132       case 0xf2:
133       case 0xf3:
134 
135       // Group 2
136       case 0x2e:
137       case 0x36:
138       case 0x3e:
139       case 0x26:
140       case 0x64:
141       case 0x65:
142 
143       // Group 4
144       case 0x67:
145         opcode = *pc;
146         INCREMENT_PC();
147         prefix_present = true;
148         break;
149     }
150     if (!prefix_present) {
151       break;
152     }
153   }
154 
155   if (x86_64 && opcode >= 0x40 && opcode <= 0x4f) {
156     opcode = *pc;
157     INCREMENT_PC();
158   }
159 
160   if (opcode == 0x0f) {
161     // Two byte opcode
162     two_byte = true;
163     opcode = *pc;
164     INCREMENT_PC();
165   }
166 
167   bool unhandled_instruction = false;
168 
169   if (two_byte) {
170     switch (opcode) {
171       case 0x10:        // vmovsd/ss
172       case 0x11:        // vmovsd/ss
173       case 0xb6:        // movzx
174       case 0xb7:
175       case 0xbe:        // movsx
176       case 0xbf:
177         modrm = *pc;
178         INCREMENT_PC();
179         has_modrm = true;
180         break;
181       default:
182         unhandled_instruction = true;
183         break;
184     }
185   } else {
186     switch (opcode) {
187       case 0x88:        // mov byte
188       case 0x89:        // mov
189       case 0x8b:
190       case 0x38:        // cmp with memory.
191       case 0x39:
192       case 0x3a:
193       case 0x3b:
194       case 0x3c:
195       case 0x3d:
196       case 0x85:        // test.
197         modrm = *pc;
198         INCREMENT_PC();
199         has_modrm = true;
200         break;
201 
202       case 0x80:        // group 1, byte immediate.
203       case 0x83:
204       case 0xc6:
205         modrm = *pc;
206         INCREMENT_PC();
207         has_modrm = true;
208         immediate_size = 1;
209         break;
210 
211       case 0x81:        // group 1, word immediate.
212       case 0xc7:        // mov
213         modrm = *pc;
214         INCREMENT_PC();
215         has_modrm = true;
216         immediate_size = operand_size_prefix ? 2 : 4;
217         break;
218 
219       case 0xf6:
220       case 0xf7:
221         modrm = *pc;
222         INCREMENT_PC();
223         has_modrm = true;
224         switch ((modrm >> 3) & 7) {  // Extract "reg/opcode" from "modr/m".
225           case 0:  // test
226             immediate_size = (opcode == 0xf6) ? 1 : (operand_size_prefix ? 2 : 4);
227             break;
228           case 2:  // not
229           case 3:  // neg
230           case 4:  // mul
231           case 5:  // imul
232           case 6:  // div
233           case 7:  // idiv
234             break;
235           default:
236             unhandled_instruction = true;
237             break;
238         }
239         break;
240 
241       default:
242         unhandled_instruction = true;
243         break;
244     }
245   }
246 
247   if (unhandled_instruction) {
248     VLOG(signals) << "Unhandled x86 instruction with opcode " << static_cast<int>(opcode);
249     return 0;
250   }
251 
252   if (has_modrm) {
253     uint8_t mod = (modrm >> 6) & 3U /* 0b11 */;
254 
255     // Check for SIB.
256     if (mod != 3U /* 0b11 */ && (modrm & 7U /* 0b111 */) == 4) {
257       INCREMENT_PC();     // SIB
258     }
259 
260     switch (mod) {
261       case 0U /* 0b00 */: break;
262       case 1U /* 0b01 */: displacement_size = 1; break;
263       case 2U /* 0b10 */: displacement_size = 4; break;
264       case 3U /* 0b11 */:
265         break;
266     }
267   }
268 
269   // Skip displacement and immediate.
270   pc += displacement_size + immediate_size;
271 
272   VLOG(signals) << "x86 instruction length calculated as " << (pc - startpc);
273   if (pc - startpc > bytes) {
274     return 0;
275   }
276   return pc - startpc;
277 }
278 
279 void FaultManager::GetMethodAndReturnPcAndSp(siginfo_t* siginfo, void* context,
280                                              ArtMethod** out_method,
281                                              uintptr_t* out_return_pc, uintptr_t* out_sp) {
282   struct ucontext* uc = reinterpret_cast<struct ucontext*>(context);
283   *out_sp = static_cast<uintptr_t>(uc->CTX_ESP);
284   VLOG(signals) << "sp: " << std::hex << *out_sp;
285   if (*out_sp == 0) {
286     return;
287   }
288 
289   // In the case of a stack overflow, the stack is not valid and we can't
290   // get the method from the top of the stack.  However it's in EAX(x86)/RDI(x86_64).
291   uintptr_t* fault_addr = reinterpret_cast<uintptr_t*>(siginfo->si_addr);
292   uintptr_t* overflow_addr = reinterpret_cast<uintptr_t*>(
293 #if defined(__x86_64__)
294       reinterpret_cast<uint8_t*>(*out_sp) - GetStackOverflowReservedBytes(InstructionSet::kX86_64));
295 #else
296       reinterpret_cast<uint8_t*>(*out_sp) - GetStackOverflowReservedBytes(InstructionSet::kX86));
297 #endif
298   if (overflow_addr == fault_addr) {
299     *out_method = reinterpret_cast<ArtMethod*>(uc->CTX_METHOD);
300   } else {
301     // The method is at the top of the stack.
302     *out_method = *reinterpret_cast<ArtMethod**>(*out_sp);
303   }
304 
305   uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP);
306   VLOG(signals) << HexDump(pc, 32, true, "PC ");
307 
308   if (pc == nullptr) {
309     // Somebody jumped to 0x0. Definitely not ours, and will definitely segfault below.
310     *out_method = nullptr;
311     return;
312   }
313 
314   uint32_t instr_size = GetInstructionSize(pc);
315   if (instr_size == 0) {
316     // Unknown instruction, tell caller it's not ours.
317     *out_method = nullptr;
318     return;
319   }
320   *out_return_pc = reinterpret_cast<uintptr_t>(pc + instr_size);
321 }
322 
323 bool NullPointerHandler::Action(int, siginfo_t* sig, void* context) {
324   if (!IsValidImplicitCheck(sig)) {
325     return false;
326   }
327   struct ucontext *uc = reinterpret_cast<struct ucontext*>(context);
328   uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP);
329   uint8_t* sp = reinterpret_cast<uint8_t*>(uc->CTX_ESP);
330 
331   uint32_t instr_size = GetInstructionSize(pc);
332   if (instr_size == 0) {
333     // Unknown instruction, can't really happen.
334     return false;
335   }
336 
337   // We need to arrange for the signal handler to return to the null pointer
338   // exception generator.  The return address must be the address of the
339   // next instruction (this instruction + instruction size).  The return address
340   // is on the stack at the top address of the current frame.
341 
342   // Push the return address and fault address onto the stack.
343   uintptr_t retaddr = reinterpret_cast<uintptr_t>(pc + instr_size);
344   uintptr_t* next_sp = reinterpret_cast<uintptr_t*>(sp - 2 * sizeof(uintptr_t));
345   next_sp[1] = retaddr;
346   next_sp[0] = reinterpret_cast<uintptr_t>(sig->si_addr);
347   uc->CTX_ESP = reinterpret_cast<uintptr_t>(next_sp);
348 
349   uc->CTX_EIP = reinterpret_cast<uintptr_t>(
350       art_quick_throw_null_pointer_exception_from_signal);
351   VLOG(signals) << "Generating null pointer exception";
352   return true;
353 }
354 
355 // A suspend check is done using the following instruction sequence:
356 // (x86)
357 // 0xf720f1df:         648B058C000000      mov     eax, fs:[0x8c]  ; suspend_trigger
358 // .. some intervening instructions.
359 // 0xf720f1e6:                   8500      test    eax, [eax]
360 // (x86_64)
361 // 0x7f579de45d9e: 65488B0425A8000000      movq    rax, gs:[0xa8]  ; suspend_trigger
362 // .. some intervening instructions.
363 // 0x7f579de45da7:               8500      test    eax, [eax]
364 
365 // The offset from fs is Thread::ThreadSuspendTriggerOffset().
366 // To check for a suspend check, we examine the instructions that caused
367 // the fault.
368 bool SuspensionHandler::Action(int, siginfo_t*, void* context) {
369   // These are the instructions to check for.  The first one is the mov eax, fs:[xxx]
370   // where xxx is the offset of the suspend trigger.
371   uint32_t trigger = Thread::ThreadSuspendTriggerOffset<kRuntimePointerSize>().Int32Value();
372 
373   VLOG(signals) << "Checking for suspension point";
374 #if defined(__x86_64__)
375   uint8_t checkinst1[] = {0x65, 0x48, 0x8b, 0x04, 0x25, static_cast<uint8_t>(trigger & 0xff),
376       static_cast<uint8_t>((trigger >> 8) & 0xff), 0, 0};
377 #else
378   uint8_t checkinst1[] = {0x64, 0x8b, 0x05, static_cast<uint8_t>(trigger & 0xff),
379       static_cast<uint8_t>((trigger >> 8) & 0xff), 0, 0};
380 #endif
381   uint8_t checkinst2[] = {0x85, 0x00};
382 
383   struct ucontext *uc = reinterpret_cast<struct ucontext*>(context);
384   uint8_t* pc = reinterpret_cast<uint8_t*>(uc->CTX_EIP);
385   uint8_t* sp = reinterpret_cast<uint8_t*>(uc->CTX_ESP);
386 
387   if (pc[0] != checkinst2[0] || pc[1] != checkinst2[1]) {
388     // Second instruction is not correct (test eax,[eax]).
389     VLOG(signals) << "Not a suspension point";
390     return false;
391   }
392 
393   // The first instruction can a little bit up the stream due to load hoisting
394   // in the compiler.
395   uint8_t* limit = pc - 100;   // Compiler will hoist to a max of 20 instructions.
396   uint8_t* ptr = pc - sizeof(checkinst1);
397   bool found = false;
398   while (ptr > limit) {
399     if (memcmp(ptr, checkinst1, sizeof(checkinst1)) == 0) {
400       found = true;
401       break;
402     }
403     ptr -= 1;
404   }
405 
406   if (found) {
407     VLOG(signals) << "suspend check match";
408 
409     // We need to arrange for the signal handler to return to the null pointer
410     // exception generator.  The return address must be the address of the
411     // next instruction (this instruction + 2).  The return address
412     // is on the stack at the top address of the current frame.
413 
414     // Push the return address onto the stack.
415     uintptr_t retaddr = reinterpret_cast<uintptr_t>(pc + 2);
416     uintptr_t* next_sp = reinterpret_cast<uintptr_t*>(sp - sizeof(uintptr_t));
417     *next_sp = retaddr;
418     uc->CTX_ESP = reinterpret_cast<uintptr_t>(next_sp);
419 
420     uc->CTX_EIP = reinterpret_cast<uintptr_t>(art_quick_test_suspend);
421 
422     // Now remove the suspend trigger that caused this fault.
423     Thread::Current()->RemoveSuspendTrigger();
424     VLOG(signals) << "removed suspend trigger invoking test suspend";
425     return true;
426   }
427   VLOG(signals) << "Not a suspend check match, first instruction mismatch";
428   return false;
429 }
430 
431 // The stack overflow check is done using the following instruction:
432 // test eax, [esp+ -xxx]
433 // where 'xxx' is the size of the overflow area.
434 //
435 // This is done before any frame is established in the method.  The return
436 // address for the previous method is on the stack at ESP.
437 
438 bool StackOverflowHandler::Action(int, siginfo_t* info, void* context) {
439   struct ucontext *uc = reinterpret_cast<struct ucontext*>(context);
440   uintptr_t sp = static_cast<uintptr_t>(uc->CTX_ESP);
441 
442   uintptr_t fault_addr = reinterpret_cast<uintptr_t>(info->si_addr);
443   VLOG(signals) << "fault_addr: " << std::hex << fault_addr;
444   VLOG(signals) << "checking for stack overflow, sp: " << std::hex << sp <<
445     ", fault_addr: " << fault_addr;
446 
447 #if defined(__x86_64__)
448   uintptr_t overflow_addr = sp - GetStackOverflowReservedBytes(InstructionSet::kX86_64);
449 #else
450   uintptr_t overflow_addr = sp - GetStackOverflowReservedBytes(InstructionSet::kX86);
451 #endif
452 
453   // Check that the fault address is the value expected for a stack overflow.
454   if (fault_addr != overflow_addr) {
455     VLOG(signals) << "Not a stack overflow";
456     return false;
457   }
458 
459   VLOG(signals) << "Stack overflow found";
460 
461   // Since the compiler puts the implicit overflow
462   // check before the callee save instructions, the SP is already pointing to
463   // the previous frame.
464 
465   // Now arrange for the signal handler to return to art_quick_throw_stack_overflow.
466   uc->CTX_EIP = reinterpret_cast<uintptr_t>(art_quick_throw_stack_overflow);
467 
468   return true;
469 }
470 }       // namespace art
471