WIP: start hooking in obtained info

nia-e · nia-e · commit f7aa8a66091e · 2025-05-22T13:02:47.000+02:00
diff --git a/src/alloc_addresses/mod.rs b/src/alloc_addresses/mod.rs
@@ -468,13 +468,25 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
     /// This overapproximates the modifications which external code might make to memory:
     /// We set all reachable allocations as initialized, mark all reachable provenances as exposed
     /// and overwrite them with `Provenance::WILDCARD`.
-    fn prepare_exposed_for_native_call(&mut self) -> InterpResult<'tcx> {
+    fn prepare_exposed_for_native_call(&mut self, _paranoid: bool) -> InterpResult<'tcx> {
         let this = self.eval_context_mut();
         // We need to make a deep copy of this list, but it's fine; it also serves as scratch space
         // for the search within `prepare_for_native_call`.
         let exposed: Vec<AllocId> =
             this.machine.alloc_addresses.get_mut().exposed.iter().copied().collect();
-        this.prepare_for_native_call(exposed)
+        this.prepare_for_native_call(exposed /*, paranoid*/)
+    }
+
+    /// Makes use of information obtained about memory accesses during FFI to determine which
+    /// provenances should be exposed. Note that if `prepare_exposed_for_native_call` was not
+    /// called before the FFI (with `paranoid` set to false) then some of the writes may be
+    /// lost!
+    fn apply_events(&mut self, _events: crate::shims::trace::MemEvents) -> InterpResult<'tcx> {
+        let this = self.eval_context_mut();
+        let _exposed: Vec<AllocId> =
+            this.machine.alloc_addresses.get_mut().exposed.iter().copied().collect();
+        interp_ok(())
+        //this.apply_accesses(exposed, events.reads, events.writes)
     }
 }
 
diff --git a/src/shims/native_lib.rs b/src/shims/native_lib.rs
@@ -92,7 +92,8 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
     fn get_func_ptr_explicitly_from_lib(&mut self, link_name: Symbol) -> Option<CodePtr> {
         let this = self.eval_context_mut();
         // Try getting the function from the shared library.
-        let (lib, lib_path) = this.machine.native_lib.as_ref().unwrap();
+        // On windows `_lib_path` will be unused, hence the name starting with `_`.
+        let (lib, _lib_path) = this.machine.native_lib.as_ref().unwrap();
         let func: libloading::Symbol<'_, unsafe extern "C" fn()> =
             unsafe { lib.get(link_name.as_str().as_bytes()).ok()? };
         #[expect(clippy::as_conversions)] // fn-ptr to raw-ptr cast needs `as`.
@@ -109,17 +110,16 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
         // This code is a reimplementation of the mechanism for getting `dli_fname` in `libloading`,
         // from: https://docs.rs/libloading/0.7.3/src/libloading/os/unix/mod.rs.html#411
         // using the `libc` crate where this interface is public.
-        let mut info = std::mem::MaybeUninit::<libc::Dl_info>::zeroed();
+        let mut info = std::mem::MaybeUninit::<libc::Dl_info>::uninit();
         unsafe {
             if libc::dladdr(fn_ptr, info.as_mut_ptr()) != 0 {
                 let info = info.assume_init();
                 #[cfg(target_os = "cygwin")]
                 let fname_ptr = info.dli_fname.as_ptr();
                 #[cfg(not(target_os = "cygwin"))]
                 let fname_ptr = info.dli_fname;
-                assert!(!fname_ptr.is_null());
                 if std::ffi::CStr::from_ptr(fname_ptr).to_str().unwrap()
-                    != lib_path.to_str().unwrap()
+                    != _lib_path.to_str().unwrap()
                 {
                     return None;
                 }
@@ -180,10 +180,8 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
             }
         }
 
-        if super::trace::Supervisor::init().is_err() {
-            // Worst-case prepare all exposed memory.
-            this.prepare_exposed_for_native_call()?;
-        }
+        // Prepare all exposed memory, depending on whether we have a supervisor process.
+        this.prepare_exposed_for_native_call(super::trace::Supervisor::init().is_err())?;
 
         // Convert them to `libffi::high::Arg` type.
         let libffi_args = libffi_args
@@ -193,6 +191,9 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
 
         // Call the function and store output, depending on return type in the function signature.
         let ret = this.call_native_with_args(link_name, dest, code_ptr, libffi_args)?;
+        if let Some(events) = super::trace::Supervisor::get_events() {
+            this.apply_events(events)?;
+        }
         this.write_immediate(*ret, dest)?;
         interp_ok(true)
     }
@@ -202,15 +203,12 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
 unsafe fn do_native_call<T: libffi::high::CType>(ptr: CodePtr, args: &[ffi::Arg<'_>]) -> T {
     use shims::trace::Supervisor;
 
-    let ret = unsafe {
+    unsafe {
         Supervisor::start_ffi();
         let ret = ffi::call(ptr, args);
         Supervisor::end_ffi();
         ret
-    };
-    let accesses = Supervisor::get_events().unwrap();
-    eprintln!("accesses: {accesses:#018x?}");
-    ret
+    }
 }
 
 #[cfg(not(all(unix, any(target_arch = "x86", target_arch = "x86_64"))))]
diff --git a/src/shims/trace.rs b/src/shims/trace.rs
@@ -1,3 +1,5 @@
+use std::ops::Range;
+
 use ipc_channel::ipc;
 use nix::sys::{ptrace, signal, wait};
 use nix::unistd;
@@ -161,7 +163,21 @@ impl Supervisor {
     pub fn get_events() -> Option<MemEvents> {
         let mut sv_guard = SUPERVISOR.lock().unwrap();
         let sv = sv_guard.take()?;
-        let ret = sv.r_event.recv().ok();
+        // On the off-chance something really weird happens, don't block forever
+        let ret = sv
+            .r_event
+            .try_recv_timeout(std::time::Duration::from_secs(1))
+            .map_err(|e| {
+                match e {
+                    ipc::TryRecvError::IpcError(e) => ipc::TryRecvError::IpcError(e),
+                    ipc::TryRecvError::Empty => {
+                        // timed out!
+                        eprintln!("Waiting for accesses from supervisor timed out!");
+                        ipc::TryRecvError::Empty
+                    }
+                }
+            })
+            .ok();
         *sv_guard = Some(sv);
         ret
     }
@@ -176,47 +192,9 @@ pub enum TraceRequest {
 
 #[derive(serde::Serialize, serde::Deserialize, Debug)]
 pub struct MemEvents {
-    pub accesses: Vec<(u64, u64, MemAccessType)>,
-    pub mappings: Vec<(u64, u64)>,
-}
-
-#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
-pub enum MemAccessType {
-    Read,
-    Write,
-    ReadWrite,
-}
-
-impl MemAccessType {
-    fn update(&mut self, other: MemAccessType) {
-        match self {
-            MemAccessType::Read =>
-                match other {
-                    MemAccessType::Read => (),
-                    _ => *self = MemAccessType::ReadWrite,
-                },
-            MemAccessType::Write =>
-                match other {
-                    MemAccessType::Write => (),
-                    _ => *self = MemAccessType::ReadWrite,
-                },
-            MemAccessType::ReadWrite => (),
-        }
-    }
-
-    pub fn did_read(&self) -> bool {
-        match self {
-            MemAccessType::Write => false,
-            _ => true,
-        }
-    }
-
-    pub fn did_write(&self) -> bool {
-        match self {
-            MemAccessType::Read => false,
-            _ => true,
-        }
-    }
+    pub reads: Vec<Range<u64>>,
+    pub writes: Vec<Range<u64>>,
+    pub mappings: Vec<Range<u64>>,
 }
 
 struct ChildListener {
@@ -274,8 +252,9 @@ impl Iterator for ChildListener {
 /// created before the fork are the same).
 fn sv_loop(listener: ChildListener, t_event: ipc::IpcSender<MemEvents>) -> ! {
     // Things that we return to the child process
-    let mut accesses: Vec<(u64, u64, MemAccessType)> = vec![];
-    let mut mappings: Vec<(u64, u64)> = vec![];
+    let mut reads: Vec<Range<u64>> = vec![];
+    let mut writes: Vec<Range<u64>> = vec![];
+    let mut mappings: Vec<Range<u64>> = vec![];
 
     // Memory allocated on the MiriMachine
     let mut ch_pages = vec![];
@@ -310,7 +289,9 @@ fn sv_loop(listener: ChildListener, t_event: ipc::IpcSender<MemEvents>) -> ! {
                     wait::WaitStatus::Stopped(pid, signal) => {
                         match signal {
                             signal::SIGSEGV => {
-                                if let Err(ret) = handle_segfault(pid, &ch_pages, &mut accesses) {
+                                if let Err(ret) =
+                                    handle_segfault(pid, &ch_pages, &mut reads, &mut writes)
+                                {
                                     retcode = ret;
                                     break 'listen;
                                 }
@@ -354,7 +335,10 @@ fn sv_loop(listener: ChildListener, t_event: ipc::IpcSender<MemEvents>) -> ! {
                                         #[expect(clippy::as_conversions)]
                                         if regs.retval() as isize > 0 {
                                             let addr = regs.retval();
-                                            mappings.push((addr.to_u64(), len.to_u64()));
+                                            mappings.push(
+                                                addr.to_u64()
+                                                    ..addr.to_u64().strict_add(len.to_u64()),
+                                            );
                                         }
                                     }
                                     Err(ret) => {
@@ -412,8 +396,9 @@ fn sv_loop(listener: ChildListener, t_event: ipc::IpcSender<MemEvents>) -> ! {
 
                     TraceRequest::EndFfi => {
                         signal::kill(main_pid, signal::SIGSTOP).unwrap();
-                        t_event.send(MemEvents { accesses, mappings }).unwrap();
-                        accesses = vec![];
+                        t_event.send(MemEvents { reads, writes, mappings }).unwrap();
+                        reads = vec![];
+                        writes = vec![];
                         mappings = vec![];
                         if let Err(ret) = wait_for_signal(main_pid, signal::SIGSTOP, false) {
                             retcode = ret;
@@ -509,19 +494,18 @@ fn wait_for_syscall(pid: unistd::Pid, syscall: i64) -> Result<libc::user_regs_st
 fn handle_munmap(
     pid: unistd::Pid,
     regs: libc::user_regs_struct,
-    mappings: &mut Vec<(u64, u64)>,
+    mappings: &mut Vec<Range<u64>>,
 ) -> Result<(), i32> {
     // The unmap call might hit multiple mappings we've saved,
     // or overlap with them partially (or both)
     let um_start = regs.arg1().to_u64();
     let um_len = regs.arg2().to_u64();
     let um_end = um_start.strict_add(um_len);
     let mut idxes = vec![];
-    for (idx, &(mp_start, len)) in mappings.iter().enumerate() {
-        let mp_end = mp_start.strict_add(len);
-        let cond = (mp_start..mp_end).contains(&um_start)
-            || (mp_start..mp_end).contains(&um_end)
-            || (um_start..um_end).contains(&mp_start);
+    for (idx, mp) in mappings.iter().enumerate() {
+        let cond = mp.contains(&um_start)
+            || mp.contains(&um_end)
+            || (um_start..um_end).contains(&mp.start);
 
         if cond {
             idxes.push(idx);
@@ -542,16 +526,15 @@ fn handle_munmap(
         // but it may be only partial so we may readd some sections
         for idx in idxes {
             let um_end = um_start.strict_add(um_len);
-            let (mp_start, mp_len) = mappings.remove(idx);
-            let mp_end = mp_len.strict_add(mp_len);
+            let mp = mappings.remove(idx);
 
-            if mp_start < um_start {
-                let preserved_len_head = um_start.strict_sub(mp_start);
-                mappings.push((mp_start, preserved_len_head));
+            if mp.start < um_start {
+                let preserved_len_head = um_start.strict_sub(mp.start);
+                mappings.push(mp.start..mp.start.strict_add(preserved_len_head));
             }
-            if mp_end > um_end {
-                let preserved_len_tail = mp_end.strict_sub(um_end);
-                mappings.push((um_end, preserved_len_tail));
+            if mp.end > um_end {
+                let preserved_len_tail = mp.end.strict_sub(um_end);
+                mappings.push(um_end..um_end.strict_add(preserved_len_tail));
             }
         }
     }
@@ -562,7 +545,8 @@ fn handle_munmap(
 fn handle_segfault(
     pid: unistd::Pid,
     ch_pages: &[u64],
-    accesses: &mut Vec<(u64, u64, MemAccessType)>,
+    reads: &mut Vec<Range<u64>>,
+    writes: &mut Vec<Range<u64>>,
 ) -> Result<(), i32> {
     let siginfo = ptrace::getsiginfo(pid).unwrap();
     let addr = unsafe { siginfo.si_addr().addr().to_u64() };
@@ -617,28 +601,44 @@ fn handle_segfault(
         let instr = decoder.decode();
         let memsize = instr.op_code().memory_size().size().to_u64();
         let mem = fac.info(&instr).used_memory();
-        let acc = mem.iter().fold(None, |mut curr: Option<MemAccessType>, m| {
-            if let Some(m) = match m.access() {
-                iced_x86::OpAccess::Read => Some(MemAccessType::Read),
-                iced_x86::OpAccess::CondRead => Some(MemAccessType::Read),
-                iced_x86::OpAccess::Write => Some(MemAccessType::Write),
-                iced_x86::OpAccess::CondWrite => Some(MemAccessType::Write),
-                iced_x86::OpAccess::ReadWrite => Some(MemAccessType::ReadWrite),
-                iced_x86::OpAccess::ReadCondWrite => Some(MemAccessType::ReadWrite),
-                _ => None,
-            } {
-                if let Some(curr) = curr.as_mut() {
-                    curr.update(m);
+
+        for acc in mem {
+            let mut r = false;
+            let mut w = false;
+            match acc.access() {
+                iced_x86::OpAccess::Read | iced_x86::OpAccess::CondRead => {
+                    r = true;
+                }
+                iced_x86::OpAccess::Write | iced_x86::OpAccess::CondWrite => {
+                    w = true;
+                }
+                iced_x86::OpAccess::ReadWrite | iced_x86::OpAccess::ReadCondWrite => {
+                    r = true;
+                    w = true;
+                }
+                _ => (),
+            }
+            let addr_end = addr.strict_add(memsize);
+            if r {
+                if let Some(idx) = reads.iter().position(|r| r.start <= addr_end && addr <= r.end) {
+                    let mut rg = reads[idx].clone();
+                    rg.start = std::cmp::min(rg.start, addr);
+                    rg.end = std::cmp::max(rg.end, addr_end);
+                    reads[idx] = rg;
                 } else {
-                    curr = Some(m);
+                    reads.push(addr..addr_end);
                 }
             }
-            curr
-        });
-        if let Some(acc) = acc {
-            match accesses.iter().position(|&(a, len, _)| a == addr && len == memsize) {
-                Some(pos) => accesses[pos].2.update(acc),
-                None => accesses.push((addr, memsize, acc)),
+            if w {
+                if let Some(idx) = writes.iter().position(|r| r.start <= addr_end && addr <= r.end)
+                {
+                    let mut rg = writes[idx].clone();
+                    rg.start = std::cmp::min(rg.start, addr);
+                    rg.end = std::cmp::max(rg.end, addr_end);
+                    writes[idx] = rg;
+                } else {
+                    writes.push(addr..addr_end);
+                }
             }
         }
         #[expect(clippy::as_conversions)]
@@ -660,7 +660,7 @@ fn handle_segfault(
 
 fn handle_sigtrap(
     pid: unistd::Pid,
-    mappings: &mut Vec<(u64, u64)>,
+    mappings: &mut Vec<Range<u64>>,
     malloc_bytes: i64,
     realloc_bytes: i64,
     free_bytes: i64,
@@ -677,31 +677,24 @@ fn handle_sigtrap(
     match regs.ip().strict_sub(1) {
         a if a == malloc_addr => {
             let size = regs.arg1().to_u64(); // !
-            let ptr = intercept_retptr(pid, regs, malloc_addr, malloc_bytes)?;
-            if ptr > 0 {
-                mappings.push((ptr as u64, size));
+            if let Ok(ptr) = intercept_retptr(pid, regs, malloc_addr, malloc_bytes)?.try_into() {
+                mappings.push(ptr..ptr.strict_add(size));
             }
         }
         a if a == realloc_addr => {
             let old_ptr = regs.arg1().to_u64();
             let size = regs.arg2().to_u64();
-            let pos = mappings
-                .iter()
-                .position(|&(ptr, size)| ptr <= old_ptr && old_ptr < ptr.strict_add(size));
+            let pos = mappings.iter().position(|rg| rg.start <= old_ptr && old_ptr < rg.end);
             if let Some(pos) = pos {
                 let _ = mappings.remove(pos);
             }
-            let ptr = intercept_retptr(pid, regs, realloc_addr, realloc_bytes)?;
-            if ptr > 0 {
-                mappings.push((ptr as u64, size));
+            if let Ok(ptr) = intercept_retptr(pid, regs, realloc_addr, realloc_bytes)?.try_into() {
+                mappings.push(ptr..ptr.strict_add(size));
             }
         }
         a if a == free_addr => {
             let old_ptr = regs.arg1().to_u64();
-            //let size = regs.rdi;
-            let pos = mappings
-                .iter()
-                .position(|&(ptr, size)| ptr <= old_ptr && old_ptr < ptr.strict_add(size));
+            let pos = mappings.iter().position(|rg| rg.start <= old_ptr && old_ptr < rg.end);
             if let Some(pos) = pos {
                 let _ = mappings.remove(pos);
             }
