Merge pull request #109 from S2E/issue/xxx-executor-ref3

Various refactorings (round #3)

Author: vitalych

klee/include/klee/Executor.h

@@ -107,8 +107,6 @@ class Executor {
     /// \invariant \ref addedStates and \ref removedStates are disjoint.
     StateSet m_removedStates;
 
-    llvm::Function *getTargetFunction(llvm::Value *calledVal);
-
     void executeInstruction(ExecutionState &state, KInstruction *ki);
 
     void initializeGlobalObject(ExecutionState &state, const ObjectStatePtr &os, const llvm::Constant *c,
@@ -127,16 +125,11 @@ class Executor {
     void executeMemoryOperation(ExecutionState &state, bool isWrite, ref<Expr> address,
                                 ref<Expr> value /* undef if read */, KInstruction *target /* undef if write */);
 
-    /// The current state is about to be branched.
-    /// Give a chance to S2E to checkpoint the current device state
-    /// so that the branched state gets it as well.
-    virtual void notifyBranch(ExecutionState &state);
-
     /// When the fork is complete and state properly updated,
     /// notify the S2EExecutor, so that it can generate an onFork event.
     /// Sending notification after the fork completed
     /// allows plugins to kill states and exit to the CPU loop safely.
-    virtual void notifyFork(ExecutionState &originalState, ref<Expr> &condition, Executor::StatePair &targets);
+    virtual void notifyFork(ExecutionState &originalState, ref<Expr> &condition, Executor::StatePair &targets) = 0;
 
     const Cell &eval(KInstruction *ki, unsigned index, LLVMExecutionState &state) const;
 
@@ -166,8 +159,6 @@ class Executor {
     // remove state from queue and delete
     virtual void terminateState(ExecutionState &state);
 
-    virtual void terminateState(ExecutionState &state, const std::string &reason);
-
     virtual const llvm::Module *setModule(llvm::Module *module);
 
     /*** State accessor methods ***/

klee/lib/Core/Executor.cpp

@@ -290,11 +290,6 @@ void Executor::initializeGlobals(ExecutionState &state) {
     }
 }
 
-void Executor::notifyBranch(ExecutionState &state) {
-    // Should not get here
-    pabort("Must go through S2E");
-}
-
 Executor::StatePair Executor::fork(ExecutionState &current, const ref<Expr> &condition_,
                                    bool keepConditionTrueInCurrentState) {
     auto condition = current.simplifyExpr(condition_);
@@ -361,7 +356,6 @@ Executor::StatePair Executor::fork(ExecutionState &current, const ref<Expr> &con
     }
 
     // Branch
-    notifyBranch(current);
     auto branchedState = current.clone();
     m_addedStates.insert(branchedState);
 
@@ -405,7 +399,6 @@ Executor::StatePair Executor::fork(ExecutionState &current) {
         return StatePair(&current, nullptr);
     }
 
-    notifyBranch(current);
     auto clonedState = current.clone();
     m_addedStates.insert(clonedState);
 
@@ -415,11 +408,6 @@ Executor::StatePair Executor::fork(ExecutionState &current) {
     return StatePair(&current, clonedState);
 }
 
-void Executor::notifyFork(ExecutionState &originalState, ref<Expr> &condition, Executor::StatePair &targets) {
-    // Should not get here
-    pabort("Must go through S2E");
-}
-
 const Cell &Executor::eval(KInstruction *ki, unsigned index, LLVMExecutionState &state) const {
     assert(index < ki->inst->getNumOperands());
     int vnumber = ki->operands[index];
@@ -449,6 +437,41 @@ static inline const llvm::fltSemantics *fpWidthToSemantics(unsigned width) {
     }
 }
 
+/// Compute the true target of a function call, resolving LLVM aliases
+/// and bitcasts.
+static Function *getTargetFunction(Value *calledVal) {
+    SmallPtrSet<const GlobalValue *, 3> Visited;
+
+    Constant *c = dyn_cast<Constant>(calledVal);
+    if (!c) {
+        return 0;
+    }
+
+    while (true) {
+        if (GlobalValue *gv = dyn_cast<GlobalValue>(c)) {
+            if (!Visited.insert(gv).second) {
+                return 0;
+            }
+
+            if (Function *f = dyn_cast<Function>(gv)) {
+                return f;
+            } else if (GlobalAlias *ga = dyn_cast<GlobalAlias>(gv)) {
+                c = ga->getAliasee();
+            } else {
+                return 0;
+            }
+        } else if (llvm::ConstantExpr *ce = dyn_cast<llvm::ConstantExpr>(c)) {
+            if (ce->getOpcode() == Instruction::BitCast) {
+                c = ce->getOperand(0);
+            } else {
+                return 0;
+            }
+        } else {
+            return 0;
+        }
+    }
+}
+
 void Executor::executeCall(ExecutionState &state, KInstruction *ki, Function *f, std::vector<ref<Expr>> &arguments) {
     Instruction *i = ki->inst;
     auto &llvmState = state.llvm;
@@ -679,41 +702,6 @@ void Executor::executeCall(ExecutionState &state, KInstruction *ki, Function *f,
     }
 }
 
-/// Compute the true target of a function call, resolving LLVM aliases
-/// and bitcasts.
-Function *Executor::getTargetFunction(Value *calledVal) {
-    SmallPtrSet<const GlobalValue *, 3> Visited;
-
-    Constant *c = dyn_cast<Constant>(calledVal);
-    if (!c) {
-        return 0;
-    }
-
-    while (true) {
-        if (GlobalValue *gv = dyn_cast<GlobalValue>(c)) {
-            if (!Visited.insert(gv).second) {
-                return 0;
-            }
-
-            if (Function *f = dyn_cast<Function>(gv)) {
-                return f;
-            } else if (GlobalAlias *ga = dyn_cast<GlobalAlias>(gv)) {
-                c = ga->getAliasee();
-            } else {
-                return 0;
-            }
-        } else if (llvm::ConstantExpr *ce = dyn_cast<llvm::ConstantExpr>(c)) {
-            if (ce->getOpcode() == Instruction::BitCast) {
-                c = ce->getOperand(0);
-            } else {
-                return 0;
-            }
-        } else {
-            return 0;
-        }
-    }
-}
-
 void Executor::executeInstruction(ExecutionState &state, KInstruction *ki) {
     *klee::stats::instructions += 1;
     auto &llvmState = state.llvm;
@@ -1584,11 +1572,6 @@ void Executor::terminateState(ExecutionState &state) {
     }
 }
 
-void Executor::terminateState(ExecutionState &state, const std::string &reason) {
-    *klee_warning_stream << "Terminating state: " << reason << "\n";
-    terminateState(state);
-}
-
 extern "C" {
 typedef uint64_t (*external_fcn_t)(...);
 }

libs2e/src/s2e-kvm-vm.cpp

@@ -144,7 +144,7 @@ int VM::memoryReadWrite(kvm_mem_rw *mem) {
 
 int VM::registerFixedRegion(kvm_fixed_region *region) {
 #ifdef CONFIG_SYMBEX_MP
-    s2e_register_ram2(region->name, region->host_address, region->size, region->flags & KVM_MEM_SHARED_CONCRETE);
+    s2e_register_ram(region->name, region->host_address, region->size, region->flags & KVM_MEM_SHARED_CONCRETE);
 #endif
     return 0;
 }

libs2ecore/include/s2e/S2EExecutionState.h

@@ -153,6 +153,8 @@ class S2EExecutionState : public klee::ExecutionState, public klee::IConcretizer
     /** Set when execution enters doInterrupt, reset when it exits. */
     bool m_runningExceptionEmulationCode;
 
+    llvm::SmallVector<klee::ObjectKey, 8> m_saveOnContextSwitch;
+
     virtual void addressSpaceChange(const klee::ObjectKey &key, const klee::ObjectStateConstPtr &oldState,
                                     const klee::ObjectStatePtr &newState);
 
@@ -195,6 +197,7 @@ class S2EExecutionState : public klee::ExecutionState, public klee::IConcretizer
 
         m_memIoVaddr = state.m_memIoVaddr;
         m_runningExceptionEmulationCode = state.m_runningExceptionEmulationCode;
+        m_saveOnContextSwitch = state.m_saveOnContextSwitch;
     }
 
     virtual klee::ExecutionStatePtr clone();
@@ -306,6 +309,10 @@ class S2EExecutionState : public klee::ExecutionState, public klee::IConcretizer
     /** Copy concrete values to the execution state storage */
     void switchToSymbolic();
 
+    void registerRam(uint64_t size, uint64_t hostAddress, bool isSharedConcrete, const char *name);
+    void saveSharedConcreteMemory();
+    void restoreSharedConcreteMemory();
+
     bool isForkingEnabled() const {
         return !forkDisabled;
     }

libs2ecore/include/s2e/S2EExecutor.h

@@ -59,8 +59,6 @@ class S2EExecutor : public klee::Executor {
 
     klee::KFunction *m_dummyMain;
 
-    std::vector<klee::ObjectKey> m_saveOnContextSwitch;
-
     bool m_executeAlwaysKlee;
 
     bool m_forkProcTerminateCurrentState;
@@ -104,9 +102,6 @@ class S2EExecutor : public klee::Executor {
     void initializeExecution(S2EExecutionState *initialState, bool executeAlwaysKlee);
 
     void registerCpu(S2EExecutionState *initialState, CPUX86State *cpuEnv);
-    void registerRam(S2EExecutionState *initialState, struct MemoryDesc *region, uint64_t startAddress, uint64_t size,
-                     uint64_t hostAddress, bool isSharedConcrete, bool saveOnContextSwitch = true,
-                     const char *name = "");
 
     void registerSharedExternalObject(S2EExecutionState *state, void *address, unsigned size);
 
@@ -209,8 +204,6 @@ class S2EExecutor : public klee::Executor {
 
     void doLoadBalancing();
 
-    void notifyBranch(klee::ExecutionState &state);
-
     void initializeStateSwitchTimer();
     static void stateSwitchTimerCallback(void *opaque);
 

libs2ecore/include/s2e/s2e_libcpu.h

@@ -102,10 +102,7 @@ void s2e_initialize_execution(int execute_always_klee);
 
 void s2e_register_cpu(struct CPUX86State *cpu_env);
 
-void s2e_register_ram(struct MemoryDesc *region, uint64_t start_address, uint64_t size, uint64_t host_address,
-                      int is_shared_concrete, int save_on_context_switch, const char *name);
-
-void s2e_register_ram2(const char *name, uint64_t host_address, uint64_t size, int is_shared_concrete);
+void s2e_register_ram(const char *name, uint64_t host_address, uint64_t size, int is_shared_concrete);
 
 uintptr_t se_get_host_address(uint64_t paddr);
 

libs2ecore/src/S2EExecutionState.cpp

@@ -56,6 +56,17 @@ extern llvm::cl::opt<bool> PrintForkingStatus;
 extern llvm::cl::opt<bool> VerboseStateDeletion;
 extern llvm::cl::opt<bool> DebugConstraints;
 
+// clang-format off
+namespace {
+    // This should be true by default, because otherwise overheads are way too high.
+    // Drawback is that execution is not fully consistent by default.
+    llvm::cl::opt<bool>
+    StateSharedMemory("state-shared-memory",
+            llvm::cl::desc("Allow unimportant memory regions (like video RAM) to be shared between states"),
+            llvm::cl::init(true));
+}
+// clang-format on
+
 namespace s2e {
 
 using namespace klee;
@@ -89,11 +100,29 @@ ExecutionStatePtr S2EExecutionState::clone() {
     // This means that we must clean owned-by-us flag in S2E TLB.
     assert(m_active);
 
+    s2e_kvm_flush_disk();
+
     m_tlb.clearTlbOwnership();
 #if defined(SE_ENABLE_PHYSRAM_TLB)
     m_tlb.clearRamTlb();
 #endif
 
+    saveSharedConcreteMemory();
+
+    // We must not save the current tb, because this pointer will become
+    // stale on state restore. If a signal occurs while restoring the state,
+    // its handler will try to unlink a stale tb, which could cause a hang
+    // or a crash.
+    auto old_tb = env->current_tb;
+    env->current_tb = nullptr;
+    m_registers.saveConcreteState();
+    env->current_tb = old_tb;
+
+    cpu_disable_ticks();
+    s2e_kvm_save_device_state();
+    m_timersState = timers_state;
+    cpu_enable_ticks();
+
     S2EExecutionState *ret = new S2EExecutionState(*this);
 
     ret->m_stateID = g_s2e->fetchAndIncrementStateId();
@@ -109,6 +138,78 @@ ExecutionStatePtr S2EExecutionState::clone() {
     return ret;
 }
 
+void S2EExecutionState::registerRam(uint64_t size, uint64_t hostAddress, bool isSharedConcrete, const char *name) {
+#ifdef CONFIG_SYMBEX_MP
+    assert(m_stateID == 0 && "Ram registration must be done in the initial state");
+    assert((size & ~TARGET_PAGE_MASK) == 0);
+    assert((hostAddress & ~TARGET_PAGE_MASK) == 0);
+
+    g_s2e->getDebugStream() << "Adding memory block (size = " << hexval(size) << ", hostAddr = " << hexval(hostAddress)
+                            << ", isSharedConcrete=" << isSharedConcrete << ", name=" << name << ")\n";
+
+    for (uint64_t addr = hostAddress; addr < hostAddress + size; addr += SE_RAM_OBJECT_SIZE) {
+
+        auto os = addExternalObject((void *) addr, SE_RAM_OBJECT_SIZE, false, isSharedConcrete);
+
+        os->setMemoryPage(true);
+
+        if (!isSharedConcrete) {
+            os->setSplittable(true);
+            os->setNotifyOnConcretenessChange(true);
+        }
+
+#ifdef S2E_DEBUG_MEMOBJECT_NAME
+        std::stringstream ss;
+        ss << name << "_" << std::hex << (addr - hostAddress);
+        mo->setName(ss.str());
+#endif
+
+        if (isSharedConcrete && !StateSharedMemory) {
+            m_saveOnContextSwitch.push_back(os->getKey());
+        }
+    }
+
+    if (!isSharedConcrete) {
+        // mprotecting does not actually free the RAM, it's still committed,
+        // we need to explicitely unmap it.
+        // mprotect((void*) hostAddress, size, PROT_NONE);
+        if (munmap((void *) hostAddress, size) < 0) {
+            g_s2e->getWarningsStream(nullptr) << "Could not unmap host RAM\n";
+            exit(-1);
+        }
+
+        // Make sure that the memory space is reserved and won't be used anymore
+        // so that there are no conflicts with klee memory objects.
+        void *newhost = mmap((void *) hostAddress, size, PROT_NONE, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
+        if (newhost == MAP_FAILED || newhost != (void *) hostAddress) {
+            g_s2e->getWarningsStream(nullptr) << "Could not map host RAM\n";
+            exit(-1);
+        }
+    }
+
+    m_asCache.registerPool(hostAddress, size);
+#endif
+}
+
+void S2EExecutionState::saveSharedConcreteMemory() {
+    for (auto &mo : m_saveOnContextSwitch) {
+        auto os = addressSpace().findObject(mo.address);
+        auto wos = addressSpace().getWriteable(os);
+        uint8_t *store = wos->getConcreteBuffer();
+        assert(store);
+        memcpy(store, (uint8_t *) mo.address, mo.size);
+    }
+}
+
+void S2EExecutionState::restoreSharedConcreteMemory() {
+    for (auto &mo : m_saveOnContextSwitch) {
+        auto os = addressSpace().findObject(mo.address);
+        const uint8_t *store = os->getConcreteBuffer();
+        assert(store);
+        memcpy((uint8_t *) mo.address, store, mo.size);
+    }
+}
+
 /***/
 
 void S2EExecutionState::enableForking() {