Re: [PATCH 2/2] aarch64: implement walking over the stack protector

[Andrew Pinski <pinskia@gmail.com>]

On Mon, Jun 2, 2014 at 10:03 PM, Kyle McMartin <kmcmarti@redhat.com> wrote:
> Stepping into a function which contains the stack protector sequences
> currently stops inside the prologue, resulting in us claiming to be on
> the opening bracket or similar, instead of a useful statement inside the
> function. Fix that by analysing the prologue instruction, and attempt to
> walk through the sequence of instructions which set up the stack
> protector canary.
>
> gdb/
> 2014-06-03  Kyle McMartin  <kmcmarti@redhat.com>
>
>         * aarch64-tdep.c (aarch64_skip_stack_chk_guard): New.
>         (aarch64_skip_prologue): Skip over stack protector setup if possible.
>
> gdb/testsuite/
> 2014-06-03  Kyle McMartin  <kmcmarti@redhat.com>
>
>         * gdb.arch/aarch64-stack_chk_guard.c: New file.
>         * gdb.arch/aarch64-stack_chk_guard.exp: New file.
> ---
>  gdb/aarch64-tdep.c                                 | 99 +++++++++++++++++++++-
>  gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.c   | 28 ++++++
>  gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.exp | 43 ++++++++++
>  3 files changed, 169 insertions(+), 1 deletion(-)
>  create mode 100644 gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.c
>  create mode 100644 gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.exp
>
> diff --git a/gdb/aarch64-tdep.c b/gdb/aarch64-tdep.c
> index 9550f42..0c900ce 100644
> --- a/gdb/aarch64-tdep.c
> +++ b/gdb/aarch64-tdep.c
> @@ -852,6 +852,99 @@ aarch64_analyze_prologue (struct gdbarch *gdbarch,
>    return start;
>  }
>
> +/* Attempt to skip the stack protector instructions in a function prologue.
> +   If PC points to the first instruction of the sequence, return the
> +   address of the instruction after the stack protector sequence.  Otherwise,
> +   return the original PC.
> +
> +   On AArch64, the stack protector sequence is composed of four instructions:
> +
> +    adrp x0, __stack_chk_guard
> +    add  x0, x0, #:lo12:__stack_chk_guard
> +    ldr  x0, [x0]
> +    str  x0, [x29, #end-of-stack]

Can you expand this for ILP32?  The sequence is the same except to use
w0 instead of x0.  Otherwise I can put it on my todo list to after I
submit the gdb support for ILP32.

Thanks,
Andrew Pinski

> +
> +   Which loads the address of __stack_chk_guard, then loads the guard from it,
> +   and stores it at the end of the stack.  */
> +
> +static CORE_ADDR
> +aarch64_skip_stack_chk_guard (CORE_ADDR pc, struct gdbarch *gdbarch)
> +{
> +  enum bfd_endian byte_order_for_code = gdbarch_byte_order_for_code (gdbarch);
> +  CORE_ADDR addr = pc;
> +  CORE_ADDR loc = pc;
> +  uint32_t insn;
> +  int64_t imm;
> +  int32_t imm32;
> +  unsigned rd, rd2, rn, rt;
> +  int page;
> +  const int insn_size = 4;
> +  struct bound_minimal_symbol stack_chk_guard;
> +
> +  /* Attempt to find the label formation of __stack_chk_guard.  */
> +  insn = read_memory_unsigned_integer (loc, insn_size, byte_order_for_code);
> +  if (!decode_adrp (loc, insn, &page, &rd, &imm))
> +    return pc;
> +
> +  /* Bail if we saw an ADR instruction, not an ADRP.  */
> +  if (!page)
> +    return pc;
> +
> +  loc += insn_size;
> +  addr &= ~((1 << 12) - 1);
> +  addr += imm;
> +
> +  insn = read_memory_unsigned_integer (loc, insn_size, byte_order_for_code);
> +  if (!decode_add_sub_imm (loc, insn, &rd2, &rn, &imm32))
> +    return pc;
> +
> +  /* Ensure ADD register matches the ADRP instruction.  */
> +  if (rn != rd)
> +    return pc;
> +
> +  loc += insn_size;
> +  addr += imm32;
> +
> +  /* See if we calculated the address of the __stack_chk_guard symbol.  */
> +  stack_chk_guard = lookup_minimal_symbol_by_pc (addr);
> +  if (stack_chk_guard.minsym
> +      && strncmp (MSYMBOL_LINKAGE_NAME (stack_chk_guard.minsym),
> +                 "__stack_chk_guard", strlen ("__stack_chk_guard")) != 0)
> +    return pc;
> +
> +  /* Check if the next instruction is a load from the same registers.  */
> +  insn = read_memory_unsigned_integer (loc, insn_size, byte_order_for_code);
> +  if (decode_masked_match (insn, 0xffc00000, 0xf9400000))
> +    {
> +      rt = insn & 0x1F;
> +      rn = (insn >> 5) & 0x1F;
> +
> +      if (rn != rd2)
> +       return pc;
> +    }
> +  else
> +    return pc;
> +
> +  /* Finally, look for a store of the guard to the stack.  */
> +  loc += insn_size;
> +  insn = read_memory_unsigned_integer (loc, insn_size, byte_order_for_code);
> +  if (decode_masked_match (insn, 0xffc00000, 0xf9000000))
> +    {
> +      unsigned rt2 = insn & 0x1F;
> +
> +      /* Check we're storing the guard from the previous load instruction.  */
> +      if (rt2 != rt)
> +        return pc;
> +    }
> +  else
> +    return pc;
> +
> +  /* If we've made it this far, we've walked through the 4 instruction
> +     sequence around __stack_chk_guard, and can skip over it in the function
> +     prologue.  */
> +  return loc + insn_size;
> +}
> +
>  /* Implement the "skip_prologue" gdbarch method.  */
>
>  static CORE_ADDR
> @@ -871,7 +964,11 @@ aarch64_skip_prologue (struct gdbarch *gdbarch, CORE_ADDR pc)
>         = skip_prologue_using_sal (gdbarch, func_addr);
>
>        if (post_prologue_pc != 0)
> -       return max (pc, post_prologue_pc);
> +       {
> +         post_prologue_pc = aarch64_skip_stack_chk_guard (post_prologue_pc,
> +                                                          gdbarch);
> +         return max (pc, post_prologue_pc);
> +       }
>      }
>
>    /* Can't determine prologue from the symbol table, need to examine
> diff --git a/gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.c b/gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.c
> new file mode 100644
> index 0000000..3cf52d9
> --- /dev/null
> +++ b/gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.c
> @@ -0,0 +1,28 @@
> +/* This file is part of GDB, the GNU debugger.
> +
> +   Copyright 2014 Free Software Foundation, Inc.
> +
> +   This program is free software; you can redistribute it and/or modify
> +   it under the terms of the GNU General Public License as published by
> +   the Free Software Foundation; either version 3 of the License, or
> +   (at your option) any later version.
> +
> +   This program is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +   GNU General Public License for more details.
> +
> +   You should have received a copy of the GNU General Public License
> +   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
> +
> +int stack_chk_guard_fn(void)
> +{
> +  /* Needs to be large enough to trigger -fstack-protector.  */
> +  char stack[64];
> +  return 0; /* Post function prologue statement.  */
> +}
> +
> +int main(void)
> +{
> +  return stack_chk_guard_fn();
> +}
> diff --git a/gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.exp b/gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.exp
> new file mode 100644
> index 0000000..7f60867
> --- /dev/null
> +++ b/gdb/testsuite/gdb.arch/aarch64-stack_chk_guard.exp
> @@ -0,0 +1,43 @@
> +# Copyright 2014 Free Software Foundation, Inc.
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
> +#
> +# This file is part of the gdb testsuite.
> +
> +# Test that we single step past the __stack_chk_guard setup in the
> +# prologue of functions.
> +
> +if {![istarget "aarch64*"]} {
> +    verbose "Skipping ${gdb_test_file_name}."
> +    return
> +}
> +
> +standard_testfile
> +set additional_flags "additional_flags=-fstack-protector"
> +if { [gdb_compile "${srcdir}/${subdir}/${srcfile}" "${binfile}" executable [list debug $additional_flags]] != "" } {
> +    unsupported "compiler does not support -fstack-protector"
> +    return
> +}
> +
> +clean_restart "${binfile}"
> +if ![runto_main] {
> +    untested "could not run to main"
> +    return -1
> +}
> +
> +gdb_breakpoint "stack_chk_guard_fn"
> +
> +# Previously, we'd see a { as we're still in the function prologue.
> +gdb_continue_to_breakpoint "continue into stack_chk_guard_fn" ".*return 0;.*"
> --
> 1.9.3
>