1 /* 2 * Mach Operating System 3 * Copyright (c) 1991,1990 Carnegie Mellon University 4 * All Rights Reserved. 5 * 6 * Permission to use, copy, modify and distribute this software and its 7 * documentation is hereby granted, provided that both the copyright 8 * notice and this permission notice appear in all copies of the 9 * software, derivative works or modified versions, and any portions 10 * thereof, and that both notices appear in supporting documentation. 11 * 12 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS 13 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR 14 * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. 15 * 16 * Carnegie Mellon requests users of this software to return to 17 * 18 * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU 19 * School of Computer Science 20 * Carnegie Mellon University 21 * Pittsburgh PA 15213-3890 22 * 23 * any improvements or extensions that they make and grant Carnegie the 24 * rights to redistribute these changes. 25 */ 26 27 /* 28 * Author: David B. Golub, Carnegie Mellon University 29 * Date: 7/90 30 */ 31 #if 0 32 //#include <sys/param.h> 33 //#include <sys/systm.h> 34 #endif 35 #if 0 36 #include <linux/kernel.h> 37 #include <linux/string.h> 38 #include <linux/kallsyms.h> 39 #endif 40 #include "ddb.h" 41 #include "db_sym.h" 42 #include "swifi.h" 43 44 #include "extra.h" 45 46 /* 47 * Multiple symbol tables 48 */ 49 #ifndef MAXNOSYMTABS 50 #define MAXNOSYMTABS 3 /* mach, ux, emulator */ 51 #endif 52 #if 0 53 54 static db_symtab_t db_symtabs[MAXNOSYMTABS] = {{0,},}; 55 static int db_nsymtab = 0; 56 57 static db_symtab_t *db_last_symtab; 58 59 static db_sym_t db_lookup __P(( char *symstr)); 60 static char *db_qualify __P((db_sym_t sym, char *symtabname)); 61 static boolean_t db_symbol_is_ambiguous __P((db_sym_t sym)); 62 static boolean_t db_line_at_pc __P((db_sym_t, char **, int *, 63 db_expr_t)); 64 65 /* 66 * Add symbol table, with given name, to list of symbol tables. 67 */ 68 void 69 db_add_symbol_table(start, end, name, ref) 70 char *start; 71 char *end; 72 char *name; 73 char *ref; 74 { 75 if (db_nsymtab >= MAXNOSYMTABS) { 76 printk ("No slots left for %s symbol table", name); 77 panic ("db_sym.c: db_add_symbol_table"); 78 } 79 80 db_symtabs[db_nsymtab].start = start; 81 db_symtabs[db_nsymtab].end = end; 82 db_symtabs[db_nsymtab].name = name; 83 db_symtabs[db_nsymtab].private = ref; 84 db_nsymtab++; 85 } 86 87 /* 88 * db_qualify("vm_map", "ux") returns "unix:vm_map". 89 * 90 * Note: return value points to static data whose content is 91 * overwritten by each call... but in practice this seems okay. 92 */ 93 static char * 94 db_qualify(sym, symtabname) 95 db_sym_t sym; 96 register char *symtabname; 97 { 98 char *symname; 99 static char tmp[256]; 100 101 db_symbol_values(sym, &symname, 0); 102 strcpy(tmp,symtabname); 103 strcat(tmp,":"); 104 strcat(tmp,symname); 105 return tmp; 106 } 107 108 109 boolean_t 110 db_eqname(src, dst, c) 111 char *src; 112 char *dst; 113 char c; 114 { 115 if (!strcmp(src, dst)) 116 return (TRUE); 117 if (src[0] == c) 118 return (!strcmp(src+1,dst)); 119 return (FALSE); 120 } 121 122 boolean_t 123 db_value_of_name(name, valuep) 124 char *name; 125 db_expr_t *valuep; 126 { 127 db_sym_t sym; 128 129 sym = db_lookup(name); 130 if (sym == DB_SYM_NULL) 131 return (FALSE); 132 db_symbol_values(sym, &name, valuep); 133 return (TRUE); 134 } 135 136 137 /* 138 * Lookup a symbol. 139 * If the symbol has a qualifier (e.g., ux:vm_map), 140 * then only the specified symbol table will be searched; 141 * otherwise, all symbol tables will be searched. 142 */ 143 static db_sym_t 144 db_lookup(symstr) 145 char *symstr; 146 { 147 db_sym_t sp; 148 register int i; 149 int symtab_start = 0; 150 int symtab_end = db_nsymtab; 151 register char *cp; 152 153 /* 154 * Look for, remove, and remember any symbol table specifier. 155 */ 156 for (cp = symstr; *cp; cp++) { 157 if (*cp == ':') { 158 *cp = '\0'; 159 for (i = 0; i < db_nsymtab; i++) { 160 if (! strcmp(symstr, db_symtabs[i].name)) { 161 symtab_start = i; 162 symtab_end = i + 1; 163 break; 164 } 165 } 166 *cp = ':'; 167 if (i == db_nsymtab) { 168 db_error("invalid symbol table name"); 169 } 170 symstr = cp+1; 171 } 172 } 173 174 /* 175 * Look in the specified set of symbol tables. 176 * Return on first match. 177 */ 178 for (i = symtab_start; i < symtab_end; i++) { 179 sp = X_db_lookup(&db_symtabs[i], symstr); 180 if (sp) { 181 db_last_symtab = &db_symtabs[i]; 182 return sp; 183 } 184 } 185 return 0; 186 } 187 188 /* 189 * Does this symbol name appear in more than one symbol table? 190 * Used by db_symbol_values to decide whether to qualify a symbol. 191 */ 192 static boolean_t db_qualify_ambiguous_names = FALSE; 193 194 static boolean_t 195 db_symbol_is_ambiguous(sym) 196 db_sym_t sym; 197 { 198 char *sym_name; 199 register int i; 200 register 201 boolean_t found_once = FALSE; 202 203 if (!db_qualify_ambiguous_names) 204 return FALSE; 205 206 db_symbol_values(sym, &sym_name, 0); 207 for (i = 0; i < db_nsymtab; i++) { 208 if (X_db_lookup(&db_symtabs[i], sym_name)) { 209 if (found_once) 210 return TRUE; 211 found_once = TRUE; 212 } 213 } 214 return FALSE; 215 } 216 217 /* 218 * Find the closest symbol to val, and return its name 219 * and the difference between val and the symbol found. 220 */ 221 db_sym_t 222 db_search_symbol( val, strategy, offp) 223 register db_addr_t val; 224 db_strategy_t strategy; 225 db_expr_t *offp; 226 { 227 register 228 unsigned int diff; 229 unsigned int newdiff; 230 register int i; 231 db_sym_t ret = DB_SYM_NULL, sym; 232 233 newdiff = diff = ~0; 234 db_last_symtab = 0; 235 for (i = 0; i < db_nsymtab; i++) { 236 sym = X_db_search_symbol(&db_symtabs[i], val, strategy, &newdiff); 237 if (newdiff < diff) { 238 db_last_symtab = &db_symtabs[i]; 239 diff = newdiff; 240 ret = sym; 241 } 242 } 243 *offp = diff; 244 return ret; 245 } 246 247 /* 248 * Return name and value of a symbol 249 */ 250 void 251 db_symbol_values(sym, namep, valuep) 252 db_sym_t sym; 253 char **namep; 254 db_expr_t *valuep; 255 { 256 db_expr_t value; 257 258 if (sym == DB_SYM_NULL) { 259 *namep = 0; 260 return; 261 } 262 263 X_db_symbol_values(sym, namep, &value); 264 if (db_symbol_is_ambiguous(sym)) 265 *namep = db_qualify(sym, db_last_symtab->name); 266 if (valuep) 267 *valuep = value; 268 } 269 270 271 /* 272 * Print a the closest symbol to value 273 * 274 * After matching the symbol according to the given strategy 275 * we print it in the name+offset format, provided the symbol's 276 * value is close enough (eg smaller than db_maxoff). 277 * We also attempt to print [filename:linenum] when applicable 278 * (eg for procedure names). 279 * 280 * If we could not find a reasonable name+offset representation, 281 * then we just print the value in hex. Small values might get 282 * bogus symbol associations, e.g. 3 might get some absolute 283 * value like _INCLUDE_VERSION or something, therefore we do 284 * not accept symbols whose value is "small" (and use plain hex). 285 */ 286 287 288 void 289 db_printsym(off, strategy) 290 db_expr_t off; 291 db_strategy_t strategy; 292 { 293 db_expr_t d; 294 char *filename; 295 char *name; 296 db_expr_t value; 297 int linenum; 298 db_sym_t cursym; 299 300 cursym = db_search_symbol(off, strategy, &d); 301 db_symbol_values(cursym, &name, &value); 302 if (name == 0) 303 value = off; 304 if (value >= DB_SMALL_VALUE_MIN && value <= DB_SMALL_VALUE_MAX) { 305 printk("0x%x", off); 306 return; 307 } 308 if (name == 0 || d >= db_maxoff) { 309 printk("0x%x", off); 310 return; 311 } 312 printk("%s", name); 313 if (d) 314 printk("+0x%x", d); 315 if (strategy == DB_STGY_PROC) { 316 // if (db_line_at_pc(cursym, &filename, &linenum, off)) 317 // printk(" [%s:%d]", filename, linenum); 318 } 319 } 320 321 #endif 322 323 unsigned int db_maxoff = 0x10000; 324 unsigned long modAddr = 0; 325 326 /* NWT: fault injection routine only. 327 * figure out start of function address given an address (off) in kernel text. 328 * name = function name 329 * value = function address 330 * d = difference between off and function address 331 * input is the desired address off and fault type 332 * returns closest instruction address (if found), NULL otherwise 333 */ 334 unsigned long 335 find_faulty_instr(db_expr_t off, int type, int *instr_len) 336 { 337 db_expr_t d; 338 char *name; 339 db_expr_t value, cur_value, prev_value = 0; 340 int verbose=0, found=0; 341 const char * mod_name = NULL; 342 unsigned long mod_start; 343 unsigned long mod_end; 344 const char * sec_name = NULL; 345 unsigned long sec_start; 346 unsigned long sec_end; 347 const char * sym_name = NULL; 348 unsigned long sym_start; 349 unsigned long sym_end; 350 351 352 *instr_len = 0; 353 if (kallsyms_address_to_symbol(off, 354 &mod_name, &mod_start, &mod_end, 355 &sec_name, &sec_start, &sec_end, 356 &sym_name, &sym_start, &sym_end) == 0) { 357 return(0); 358 } 359 360 value = (db_expr_t) sym_start; 361 d = off - sym_start; 362 name = (char *) sym_name; 363 364 if (name == 0) { 365 value = off; 366 } 367 368 if (value >= DB_SMALL_VALUE_MIN && value <= DB_SMALL_VALUE_MAX) { 369 printk("0x%x", off); 370 return 0; 371 } 372 373 if (name == 0 || d >= db_maxoff) { 374 printk("0x%x", off); 375 return 0 ; 376 } 377 /* 2) backup to start of function (SOF) 378 * 3) delineate instruction boundaries, find instruction length too. 379 */ 380 381 if(verbose) { 382 printk("function %s", sym_name); 383 } 384 385 /* 4) skip instructions until we get to our faulty address */ 386 cur_value = value; 387 while(cur_value < sec_end) { 388 if(verbose) { 389 #if 0 390 // db_printsym(cur_value, DB_STGY_PROC); 391 // printk(":\t"); 392 #endif 393 } 394 prev_value=cur_value; 395 modAddr=0; 396 if(verbose) { 397 #if 0 398 //cur_value=db_disasm(prev_value, FALSE); 399 #endif 400 } else { 401 cur_value=my_disasm(prev_value, FALSE); 402 } 403 404 /* 4a) bail out if instruction is leave (0xc9) */ 405 if(cur_value-prev_value == 1) { 406 unsigned char *c; 407 c=(unsigned char *) prev_value; 408 if(text_read_ub(c)==0xc9) { 409 if(verbose) printk("bailing out as we hit a leave\n"); 410 found=0; 411 break; 412 } 413 } 414 /* 5a) init fault: from SOF, look for movl $X, -Y(%ebp), 415 * (C645Fxxx or C745Fxxx) and replace with nop. 416 */ 417 if(type==INIT_FAULT) { 418 unsigned char *c; 419 c=(unsigned char *) prev_value; 420 421 if(*c==0x66 || *c==0x67) 422 c++; /* override prefix */ 423 424 if(*c==0xC6 || *c==0xC7) 425 c++; /* movb or movl imm */ 426 else 427 continue; 428 429 if(*c==0x45) 430 c++; /* [ebp] */ 431 else 432 continue; 433 434 if(*c & 0x80) 435 found=1; /* negative displacement */ 436 else 437 continue; 438 439 found=1; 440 break; 441 } else if(type==NOP_FAULT) { 442 /* 5b) nop*: replace instruction with nop */ 443 if(cur_value> off) { 444 found=1; 445 break; 446 } 447 } else if(type==DST_FAULT || type==SRC_FAULT) { 448 /* 5c) dst/src: flip bits in mod/rm, sib, disp or imm fields */ 449 if(cur_value>off && (cur_value-prev_value) > 1) { 450 found=1; 451 break; 452 } 453 } else if(type==BRANCH_FAULT || type==LOOP_FAULT) { 454 /* 5e) brc*: search forward utnil we hit a Jxx or rep (F3 or F2). 455 * replace instr with nop. 456 */ 457 unsigned char *c; 458 459 c=(unsigned char *) prev_value; 460 461 /* look for repX prefix */ 462 463 if(text_read_ub(c)==0xf3 || text_read_ub(c)==0xf2) { 464 if(verbose) 465 printk("found repX prefix\n"); 466 /* take out repX prefix only */ 467 found=1; 468 cur_value=prev_value+1; 469 break; 470 } else if( (text_read_ub(c)&0xf0)==0x70 || 471 (text_read_ub(c)>=0xe0 && text_read_ub(c)<=0xe2) ) { 472 /* look for jXX 8 (7X), loop,jcx (e0-3), jXX 16/32 (0f 8X) */ 473 found=1; 474 if(verbose) 475 printk("found jXX rel8, loop or jcx\n"); 476 break; 477 } else if(text_read_ub(c)==0x66 || 478 text_read_ub(c)==0x67) { /* override prefix */ 479 c++; 480 } else if(text_read_ub(c++)==0xf && (text_read_ub(c)&0xf0)==0x80 ) { 481 found=1; /* 0x0f 0x8X */ 482 if(verbose) printk("found branch!\n"); 483 break; 484 } 485 } else if(type==PTR_FAULT) { 486 /* 5f) ptr: if instruction has regmodrm byte (i_has_modrm), 487 * and mod field has address ([eyy]dispxx), eyy!=ebp 488 * flip 1 bit in lower byte (0x0f) or any bit in following 489 * bytes (sib, imm or disp). 490 */ 491 if(cur_value>off && modAddr) { 492 unsigned char *c; 493 c=(unsigned char *) modAddr; 494 if( text_read_ub(c)>0x3f && text_read_ub(c)<0xc0 && 495 (text_read_ub(c)&7)!=5 ) { 496 found=1; 497 break; 498 } 499 } 500 } else if(type==INTERFACE_FAULT) { 501 /* 5f) i/f: look for movl XX(ebp), reg or movb XX(ebp), reg, 502 * where XX is positive. replace instr with nop. 503 * movl=0x8a, movb=0x8b, mod=01XXX101 (disp8[ebp]), disp>0 504 */ 505 unsigned char *c; 506 c=(unsigned char *) prev_value; 507 if( text_read_ub(c)==0x8a || text_read_ub(c)==0x8b) { 508 c++; 509 if( ((text_read_ub(c++))&0xc7)==0x45 && (text_read_ub(c)&0x80)==0 ) { 510 /* 75% chance that we'll choose the next arg */ 511 if(random()&0x3) { 512 found=1; 513 break; 514 } else { 515 if(verbose) printk("skipped...\n"); 516 } 517 } 518 } 519 }else if(type==IRQ_FAULT) { 520 /* 5g) i/f: look for push reg or offset(reg) / popf, 521 * where XX is positive. replace instr with nop. 522 * movl=0x8a, movb=0x8b, mod=01XXX101 (disp8[ebp]), disp>0 523 */ 524 unsigned char *c; 525 c=(unsigned char *) prev_value; 526 if (((text_read_ub(c) & 0xf8) == 0x50) || 527 (text_read_ub(c) == 0xff)) { 528 if (text_read_ub(c) == 0xff) { 529 c++; 530 #if 0 531 // 532 // Look for push x(ebp) 533 #endif 534 if ((text_read_ub(c) & 0x78) != 0x70) { 535 continue; 536 } 537 /* 538 // Skip the offset 539 */ 540 c++; 541 } 542 c++; 543 if (text_read_ub(c) == 0x9d) { 544 /* 545 // Increment cur_value to include the 546 // popf instruction 547 */ 548 cur_value++; 549 found = 1; 550 break; 551 } 552 } 553 554 } 555 } 556 /* if we're doing nop fault, then we're done. 557 */ 558 if(found) { 559 *instr_len=cur_value-prev_value; 560 off=prev_value; 561 if(verbose) { 562 printk("%s", name); 563 if (d) printk("+0x%x", d); 564 printk(" @ %x, ", value); 565 printk("instr @ %x, len=%d, ", off, *instr_len); 566 #if 0 567 // db_disasm(prev_value, FALSE); 568 #endif 569 } 570 return off; 571 } else { 572 if(verbose) printk("cannot locate instruction in function\n"); 573 *instr_len=0; 574 return 0; 575 } 576 } 577 578 #if 0 579 static boolean_t 580 db_line_at_pc( sym, filename, linenum, pc) 581 db_sym_t sym; 582 char **filename; 583 int *linenum; 584 db_expr_t pc; 585 { 586 return X_db_line_at_pc( db_last_symtab, sym, filename, linenum, pc); 587 } 588 589 int 590 db_sym_numargs(sym, nargp, argnames) 591 db_sym_t sym; 592 int *nargp; 593 char **argnames; 594 { 595 return X_db_sym_numargs(db_last_symtab, sym, nargp, argnames); 596 } 597 598 #endif 599