DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform

provide mechanism for client to clobber retaddr after app reads it #782

Closed derekbruening closed 9 years ago

derekbruening commented 9 years ago

From bruen...@google.com on May 22, 2012 16:26:55

for better callstacks, rather than zeroing the whole stack (which originally was meant to also eliminate stale leak pointers) we can zero just the retaddr. xref https://code.google.com/p/drmemory/issues/detail?id=870 and https://code.google.com/p/drmemory/issues/detail?id=886 but, hard to do b/c can't put code after retaddr. (note that -zero_stack only zeroes on alloc not dealloc)

potential solutions:

*** CANCELED copy retaddr to TLS slot and jmp* through there  CLOSED: [2012-05-22 Tue 15:34]

requires:

and will end up w/ asserts about app reading DR memory. would need some exception since our TLS is unaddr.

*** CANCELED record all retaddr targets and zero out beyond-TOS there: ugh.  CLOSED: [2012-05-22 Tue 15:34]

although this is after the ret_imm stack adjust. zeroing a bunch of slots would catch most scenarios except many-many-arg funcs.

*** CANCELED add DR feature to insert code beyond ret  CLOSED: [2012-05-22 Tue 15:34]

where that code is assumed to want to execute after the ret pops value and adjusts stack but before the ctl xfer. then just add single "mov $0 -> (xsp)" after the ret. want it before stack adjust actually.

but, will this mess up state xl8? it assumes it knows what happens inside instr_is_our_mangling() regions and that all spills are restored before leaving an our-mangling region.

how to expose the interface? can the client pass any string of instrs? they have to be meta and can't fault? but ours could fault.

xref the post-mangle bb event we always talked about: similar, but there client has to know DR's mangling xformations in addition to DR handling client sticking stuff in its mangling sequences when it does xl8. (xref issue #156: that that's traces)

*** CANCELED custom exit stub code  CLOSED: [2012-05-22 Tue 15:34]

DR used to have this feature: xref CUSTOM_EXIT_STUBS define. but now we use -no_indirect_stubs so there is no stub. custom ibl_ret prefix code? but want it before ret_imm stack adjust, or else have to zero lots of slots and then there's more risk.

*** TODO dr_clobber_retaddr_after_read(ptr_uint_t value)

it's a tradeoff: if the client can control the instrs, it gets more complex for us to xl8: all kinds of corner cases. if we insert, we limit to specific functionality but it's much simpler.

does it take an instr so you can choose which ones, or is it a global flag that applies to all rets (and far rets and irets -- should just zero addr for those)?

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=782
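To make the tradeoff discussed above concrete, here is an added model, written for this page and not DynamoRIO's own code or its retaddr test client: a downward-growing stack held in an array, a `call` that pushes a return address, a `ret imm` that reads the slot, optionally overwrites it at the point where the issue wants the "mov $0 -> (xsp)" (after the read, before the stack adjust and control transfer), and a conservative scan of the dead stack below TOS of the kind a callstack walker or leak scanner performs. It also models the canceled "zero N slots beyond TOS at the return target" alternative, to show why it misses functions with many stack arguments. The code range `0x401000`..`0x402000`, the argument filler `0x1000`, and the names `mstack`, `do_call`, `do_ret_imm`, `zero_beyond_tos`, `count_stale_retaddrs` and `stale_after_nested_return` are constructed for the example; no DR mangling or translation is modeled.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SLOTS 64
/* Constructed "code" range: a slot whose value falls in it looks like a retaddr. */
#define CODE_LO ((uintptr_t)0x401000)
#define CODE_HI ((uintptr_t)0x402000)
/* Constructed filler for stack arguments, deliberately outside the code range. */
#define ARG_FILL ((uintptr_t)0x1000)

typedef struct {
    uintptr_t slots[STACK_SLOTS]; /* slots[STACK_SLOTS-1] is the stack base */
    size_t sp;                    /* index of TOS: push decrements, pop increments */
} mstack;

static void stack_init(mstack *s)
{
    memset(s, 0, sizeof(*s));
    s->sp = STACK_SLOTS;
}

static void push(mstack *s, uintptr_t v)
{
    assert(s->sp > 0);
    s->slots[--s->sp] = v;
}

/* The caller pushes nargs stack arguments, then "call" pushes the return address. */
static void do_call(mstack *s, size_t nargs, uintptr_t retaddr)
{
    for (size_t i = 0; i < nargs; i++)
        push(s, ARG_FILL + i);
    push(s, retaddr);
}

/*
 * "ret imm": read the target from (xsp); if clobber is set, store value into
 * that same slot now, after the read but before the stack adjust and the
 * control transfer; then pop the retaddr plus the nargs argument slots.
 */
static uintptr_t do_ret_imm(mstack *s, size_t nargs, int clobber, uintptr_t value)
{
    uintptr_t target = s->slots[s->sp];
    if (clobber)
        s->slots[s->sp] = value;
    s->sp += 1 + nargs;
    assert(s->sp <= STACK_SLOTS);
    return target;
}

/*
 * The canceled alternative: at the return target, after the ret's stack adjust
 * has already happened, zero n slots beyond TOS. The retaddr slot sits nargs+1
 * slots below the adjusted TOS, so this misses it whenever n <= nargs.
 */
static void zero_beyond_tos(mstack *s, size_t n)
{
    for (size_t i = 1; i <= n && i <= s->sp; i++)
        s->slots[s->sp - i] = 0;
}

/* Conservative scan of the dead region below TOS for code-range values: the stale
 * return addresses a scanning callstack walker would mistake for live frames
 * (which -zero_stack, zeroing only on alloc, does not remove). */
static size_t count_stale_retaddrs(const mstack *s)
{
    size_t n = 0;
    for (size_t i = 0; i < s->sp; i++)
        if (s->slots[i] >= CODE_LO && s->slots[i] < CODE_HI)
            n++;
    return n;
}

/*
 * Scenario: main calls f (no stack args), f calls g with nargs stack args,
 * g returns to f, f returns to main. Returns how many stale retaddrs remain
 * below TOS. mode 0: plain ret; mode 1: clobber the slot with 0 after the
 * read; mode 2: zero zero_n slots beyond TOS at each return target instead.
 */
static size_t stale_after_nested_return(int mode, size_t nargs, size_t zero_n)
{
    mstack s;
    uintptr_t target;
    stack_init(&s);
    do_call(&s, 0, CODE_LO + 0x10);     /* main -> f: retaddr inside main */
    do_call(&s, nargs, CODE_LO + 0x20); /* f -> g: retaddr inside f */

    target = do_ret_imm(&s, nargs, mode == 1, 0);
    assert(target == CODE_LO + 0x20);
    if (mode == 2)
        zero_beyond_tos(&s, zero_n);

    target = do_ret_imm(&s, 0, mode == 1, 0);
    assert(target == CODE_LO + 0x10);
    if (mode == 2)
        zero_beyond_tos(&s, zero_n);
    (void)target;
    return count_stale_retaddrs(&s);
}

int main(void)
{
    printf("plain ret, 2 stack args:          %zu stale\n", stale_after_nested_return(0, 2, 0));
    printf("clobber after read, 2 stack args: %zu stale\n", stale_after_nested_return(1, 2, 0));
    printf("zero 4 slots beyond TOS, 8 args:  %zu stale\n", stale_after_nested_return(2, 8, 4));
    return 0;
}
```

The clobber-after-read variant leaves no stale return address regardless of argument count, because it writes to exactly the slot the ret consumed; the zero-beyond-TOS variant has to guess a slot count and loses the retaddr of any callee whose `ret imm` pops at least that many argument slots, which is the "many-many-arg funcs" caveat in the canceled option above.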

derekbruening commented 9 years ago

From bruen...@google.com on May 23, 2012 15:17:27

This issue was closed by revision r1379.

Status: Fixed

derekbruening commented 9 years ago

From zhao...@google.com on May 24, 2012 07:43:12

The performance of the "'mov $0 -> (xsp)' after the ret" approach:

spec2k6cmp CINT2006.128.ref.txt CINT2006.amd64.dr.ref.txt

| Benchmark | Ratio (128 / amd64.dr) | CINT2006.128.ref.txt | CINT2006.amd64.dr.ref.txt |
|---|---|---|---|
| 400.perlbench | 1.02 | 686 | 674 |
| 401.bzip2 | 1.00 | 607 | 604 |
| 403.gcc | 1.02 | 506 | 495 |
| 429.mcf | 0.99 | 369 | 371 |
| 445.gobmk | 0.98 | 759 | 776 |
| 456.hmmer | 1.00 | 470 | 468 |
| 458.sjeng | 0.99 | 857 | 862 |
| 462.libquantum | 1.01 | 448 | 442 |
| 464.h264ref | 1.00 | 1002 | 1001 |
| 471.omnetpp | 1.03 | 451 | 438 |
| 473.astar | 1.02 | 520 | 511 |
| 483.xalancbmk | 1.09 | 403 | 369 |
| average | 1.01 | | |

spec2k6cmp CFP2006.129.ref.txt CFP2006.amd64.dr.ref.txt

| Benchmark | Ratio (129 / amd64.dr) | CFP2006.129.ref.txt | CFP2006.amd64.dr.ref.txt |
|---|---|---|---|
| 410.bwaves | 0.99 | 705 | 712 |
| 416.gamess | 1.00 | 1008 | 1003 |
| 433.milc | 1.00 | 457 | 458 |
| 434.zeusmp | 1.00 | 577 | 576 |
| 435.gromacs | 1.00 | 604 | 604 |
| 436.cactusADM | 1.00 | 1218 | 1217 |
| 437.leslie3d | 1.00 | 852 | 848 |
| 444.namd | 0.99 | 498 | 502 |
| 447.dealII | 1.26 | 698 | 555 |
| 450.soplex | 1.01 | 289 | 286 |
| 453.povray | 1.06 | 314 | 297 |
| 454.calculix | 0.98 | 979 | 997 |
| 459.GemsFDTD | 1.00 | 793 | 794 |
| 465.tonto | 1.02 | 722 | 711 |
| 470.lbm | 0.99 | 314 | 317 |
| 481.wrf | 0.99 | 881 | 886 |
| 482.sphinx3 | 1.01 | 689 | 682 |
| average | 1.02 | | |

little performance impact.

derekbruening commented 9 years ago

From bruen...@google.com on May 24, 2012 07:59:01

here's 32-bit INT comparing suite/tests/bin/libclient.retaddr.dll.so (calls dr_clobber_retaddr_after_read() on every single ret) vs libabort.dll.so modified to do nothing on bb event (but still has bb event, to trigger same elision, etc. from DR):

spec2k6cmp result/CINT2006.211.ref.txt result/CINT2006.210.ref.txt

| Benchmark | Ratio (211 / 210) | result/CINT2006.211.ref.txt | result/CINT2006.210.ref.txt |
|---|---|---|---|
| 400.perlbench | 1.01 | 517 | 512 |
| 401.bzip2 | 1.00 | 874 | 873 |
| 403.gcc | 1.00 | 440 | 440 |
| 429.mcf | 1.02 | 371 | 363 |
| 445.gobmk | 0.99 | 644 | 648 |
| 456.hmmer | 1.01 | 1216 | 1207 |
| 458.sjeng | 0.98 | 755 | 771 |
| 462.libquantum | 1.00 | 774 | 772 |
| 464.h264ref | 1.02 | 1067 | 1050 |
| 471.omnetpp | 1.00 | 428 | 426 |
| 473.astar | 1.00 | 682 | 679 |
| 483.xalancbmk | 0.97 | 340 | 350 |
| average | 1.00 | | |