Calling the DatabaseCampaign with --inject-registers or
--force-inject-registers now injects into CPU registers. This is achieved
by reinterpreting data addresses in the DB as addresses within the register
file. (The mapping between registers and data addresses is implemented in
core/util/llvmdisassembler/LLVMtoFailTranslator.hpp.) The difference
between --inject-registers and --force-inject-registers is what the
experiment does when a data address is not interpretable as a register: the
former option then injects into memory (DatabaseCampaignMessage,
RegisterInjectionMode AUTO), the latter skips the injection altogether
(FORCE).
Currently only compiles together with the Bochs backend; the
DatabaseExperiment's redecodeCurrentInstruction() function must be
moved into the Bochs EEA to remedy this.
Change-Id: I23f152ac0adf4cb6fbe82377ac871e654263fe57
This change removes support for earlier LLVM versions; making them
work as well is simply too tedious.
Change-Id: I372a151279ceb2bfd6de101c9e0c15f0a4b18c03
- search for libdwarf.h in new locations (e.g., /usr/include/libdwarf/)
- build Bochs with -std=gnu++98 (gnu++14 is default since GCC 6.1)
- specify "proto2" syntax for protobuf messages
- minor build-system and C++ namespace fixes
Change-Id: I16dbc622c797ef8e936fe3c0fb9b03029d27529d
Instead of using the address difference between two neighboring symbols as
an indication for the symbol's size, import the size as reported by
`nm -S'.
Additionally, this change fixes an off-by-one, which had the effect that
the last symbol in the list was not imported at all.
Change-Id: I3c8e139b788018702526bb968e36d248dc3fe8fc
This change adds the capability to import an ELF's symbols
into the database. The functionality is implemented via a
shell script and will be merged into "import-trace", when
it's being cleaned up sometime in the near future, but for
now this suffices.
Change-Id: I933783659674fcf31f5181fc13661fe10f5b9fe8
Sometimes the lines in an objdump can get very long. Therefore, we limit
the size of the field, which is put into the database, to the maximal
size of the opcode, instruction, and comment column.
Change-Id: I8d7db33e8319f71e9dae14f683bba0ce1654b1f8
This was never a real problem, but keeps us on the safe side. Found
by Coverity Scan, CID 25731/25808/25817.
Change-Id: Ie4bd9fb52ff6140ce7ae024738b43c82f6f5045c
This fixes the (never intendedly occurring) case that no comma is
found in the SQL value list, and aligns the termination code with the
comment next to it. Found by Coverity Scan, CID 25653.
Change-Id: I98062748458a50603cd63a9017acd94eef0753f9
As the first cmd.parse() call was already checked before, parsing a
second time should never fail. Nevertheless, we can look at the
return value without much effort. Found by Coverity Scan, CID 25509.
Change-Id: I58466f5d123da2b541a6a88b72bafa1f754a581e
Up to now, the sanity checks only tested equivalence classes
determined by dynamic instructions (instr1/instr2), although the
actual timing boundaries (time1/time2) have been the really relevant
information for quite some time now. This change extends the checks
to time1/time2.
Change-Id: I53d1ed10684ff09f6b9f1245ef842dd0d85f2655
The sanity check testing whether the fault space is rectangular is
unnecessarily slow, as it joins the "trace" table without any reason,
and includes all variants instead of the currently imported one.
Change-Id: Icfe948290ec595209868952fc1639c979bd78d83
This change implements the following:
-DwarfReader now exports the address range of linetable-entries instead of
only the first address
-ElfImporter saves this range alongside the mapping
Change-Id: I7fe6361178f761a8f605a44bb0183c56a236cc95
This change alters DwarfReader and import-trace's ElfImporter so that they use
unsigned int for static address and line numbers instead of signed int.
Change-Id: I84ebbb500afd7cd4d93b137a35dcf736dc679fab
Up to now, source code lines and mappings from static instruction
addresses to lines could be linked to the wrong file if
dbg_filename.path contained duplicates. This is unfortunately the
normal case when importing multiple variants of the same program into
the database.
Change-Id: I57e71379584d7b01177606192b3aa644846225db
This change removes the "--debug" parameter, which previously imported the
mapping of source code lines to static instructions into the database. This
mapping is useless by itself (i.e. without "--sources"), which is why its
code was refactored into the code handling "--sources".
Change-Id: I4700eb0a98661f4df9eb3c190f00dcbe4df0e200
This change makes all C++-based tools in tools/ abort when they
encounter an unknown commandline parameter (both option or
non-option). This has already caused some confusion, as in some cases
unexpected behaviour can be the result. For example, "prune-trace -t
mytrace.tc -d database" up to now ignored the "-t" parameter, took
"mytrace.tc" as the first non-option parameter (and ignored it); as no
option parameter may follow the non-option parameters, all other
options were ignored as well.
Change-Id: Ia0812a518c4760fa28ed54979c81f43fa7aa096e
This change makes the RegisterImporter continue importing if it
encounters an instruction pointer that is not part of the disassembled
ELF binary (and, thus, cannot be disassembled). This is OK if we
don't want to inject into registers used by these instructions.
Change-Id: Ia9b5e7f789367f8386d63f235451dae5d399610d
This change extends import-trace's help functionality for importers,
adds the ?-operator to option "-i" and refactors main.cc a little.
The extensions are "doing something useful with the AliasedRegistry"
and are merely listings of all importers' prime aliases.
Change-Id: I7bb184fc45dd9f90664e37455edfccc704d99ef1
This change implements a generic registry in order to clean up import-trace's
code - it's possible (and reasonable) to use the registry for pruners as well.
Importer now extends AliasedRegisterable; all importers have been adapted
to suit the interface/abstract methods.
Each AliasedRegisterable should have at least one alias (the class' name
is a sensible choice) but can have several. The first specified alias is
the class' prime alias which can be used e.g. to list all registered objects.
Change-Id: If6daa34edce35a3b0194e4ba67ed3b44b74a49b0
This change limits fault injection to general-purpose registers, instead of
relying on the LLVM/Fail* bridge to only recognize the status register
(EFLAGS on x86) and general-purpose registers. Since this bridge just
learned to translate x86's control and segment registers, and these
registers need special handling for fault injection (def/use pruning does
not work here), only import register accesses from the RT_GP subset.
Status register and instruction pointer injection remain functional, and
import-trace now should work architecture independently.
Change-Id: Id8ad2f0a9dab1861bf16ea9443c3bdfe7213d3fa
Using Database::insert_multiple() instead of prepared statements
speeds up trace import by a factor of 3-4. While being there, we now
properly deal with nonexistent extended trace values (i.e., put NULLs
into the DB).
Side note: The ElfImporter should switch to insert_multiple(), too.
Change-Id: I96785e9775e3ef4f242fd50720d5c34adb4e88a1
Memory accesses that don't belong to the preceding IP event in the
trace *do* have a use case: a hardware interrupt causes the CPU to
push its state onto the (kernel) stack. At the moment we cannot
distinguish this case from a malformed trace (as we don't record the
occurrence of interrupts), hence this warning needs to be disabled for
now.
This reverts commit 84edd02b6f.
If the --debug option is set, the line number table of the elf binary will
be imported into the database. The information will be stored in the
"dbg_mapping" table.
If the --sources option is set, the source files will be imported
into the database. Only the files that were actually used in the
elf binary will be imported.
Change-Id: I0e9de6b456bc42b329c1700c25e5839d9552cdbb
The Fail* tools expect trace events to be ordered in a specific way:
memory-access events are supposed to come *after* the instruction
event for the instruction that caused them. Using a different order
may cause subtle problems with both fault-space pruning and fast
forwarding. This change introduces a warning message when such a
malformed trace is detected (i.e., when the instruction pointer of a
memory-access event does not match the preceding instruction event).
Change-Id: I8ae7420fd8ff26e2574590748bdcc5a63db76490
As non-gzipped trace files cause import-trace to always import zero
events, the input file is now openend as in the dump-trace tool, where
opening non-gzipped files obviously works fine.
In the medium term we should find a centralized solution for this,
instead of re-implementing it all over the place.
Change-Id: I75845c03c0bbdc2b6b578b83d492b7dbbb40f051
The ElfImporter is not a real trace importer, but we locate it
into the import-trace utility, since here the infrastructure is
already in place to import things related to an elf binary into
the database.
The ElfImporter calls objdump and dissassembles an elf binary
and imports the results into the database.
Change-Id: I6e35673c8dbee3b7e8dfc7549d10e5dca9b55935
Richard noticed that instr2 values are off by one when done with the
MemoryImporter vs. with his own importer. The core problem is that
the dynamic instruction counter in the Importer base class
(Importer::copy_to_database, instruction_count_t instr) gets increased
*after* reporting an IP event to the importer implementation; this has
the side-effect that memory access events have a +1 dynamic
instruction count offset with regard to the IP event of the
instruction they belong to.
Bottom line: IP events and all memory events belonging to that
instruction should have the same dynamic instruction number.
Christian argued for the numbers starting with 0, which, as a side
effect, relativizes the repercussions of the change introduced in the
previous commit, as the new "first" event gets the sequence number 0
now.
- All experiments and importers only dealing with memory accesses
(MemoryImporter) are affected by this change: The dynamic
instruction count now starts with 0 instead of 1. Together with
the previous commit, the only change is one additional dynamic
instruction at position 0. Note that existing trace files do not
have this additional instruction, which shifts all trace positions
by 1.
- All importers that process *only* IP events (InstructionImporter,
RandomJumpImporter, RegisterImporter) won't see any difference.
Commit 036e340, though, introduced a +1 offset.
- Experiments that use these instruction counts for navigating to
the target instruction must be checked to properly deal with the
dynamic instruction #0 (no forwarding necessary). All dynamic
instruction offsetting should now work uniformly for both memory
accesses and all other fault models. To be sure everything works
in order, sanity-check the current absolute instruction pointer
right before fault injection.
Change-Id: I3f509f1b47836fa78fd029a7bb7c36c878912d97
Without this change, import-trace won't recognize, e.g., the -e and -t
parameters if they come after a parameter that was added by the Importer:
import-trace -i objdump --objdump arm-none-eabi-objdump -e B.elf -t C.tc
[...]
[import-trace 14:37:32] couldn't open trace.pb
Change-Id: I9532b01e432055479c79d801b1ca2736a8fd21cc
The RegisterImporter splits each register into 1 byte chunks. The
--do-not-split flag prohibits this splitting. Be aware, that def/use
pruning won't work correctly in mixed-width cases (EAX/AX/AH/AL).
Change-Id: Ifa1930bdd9f317a6fd3ae50c4ff3cffc97504640
If you only need raw failure counts, no-effect write equivalence classes
are redundant and only slow down access to the trace and fspgroup tables.
This switch prevents any accesstype='W' entries from finding their way into
the trace table.
Change-Id: Ifb415994063a2107769bc80ebd2fd780de5a4dda
Initially this was implemented by directly passing through trace
events to the MemoryImporter, keeping a record of conditional jumps
and opcodes, and UPDATEing all inserted rows in a second pass when the
MemoryImporter is finished.
Unfortunately, UPDATE is very slow, and keeping all information in
memory till the end doesn't scale indefinitely. Therefore the
implementation now delays passing memory access events upwards to the
MemoryImporter only until enough branch history is aggregated, and
taps into Importer's database operations with a set of new virtual
functions that are called downwards.
Change-Id: I159b2533932087087fb3049f4ff07a5f17a25a00
A MemoryImporter that additionally imports Relyzer-style conditional
branch history, instruction opcodes, and a virtual
duration=time2-time1+1 column (MariaDB 5.2+ only) for fault-space
pruning purposes.
Change-Id: I6764a26fa8aae21655be44134b88fdee85e67ff6
This change touches several subsystems, tools and experiments
(sal, util, cmake, import-trace, generic-tracing, nanojpeg), and
changes details not worth separate commits.
Change-Id: Icd1d664d1be5cfc2212dbf77801c271183214d08
