// Copyright 2015 Ted Mielczarek. See the COPYRIGHT // file at the top-level directory of this distribution. use crate::*; use minidump::format::CONTEXT_ARM; use minidump::system_info::{Cpu, Os}; use std::collections::HashMap; use test_assembler::*; struct TestFixture { pub raw: CONTEXT_ARM, pub modules: MinidumpModuleList, pub system_info: SystemInfo, pub symbols: HashMap, } impl TestFixture { pub fn new() -> TestFixture { TestFixture { raw: CONTEXT_ARM::default(), // Give the two modules reasonable standard locations and names // for tests to play with. modules: MinidumpModuleList::from_modules(vec![ MinidumpModule::new(0x40000000, 0x10000, "module1"), MinidumpModule::new(0x50000000, 0x10000, "module2"), ]), system_info: SystemInfo { os: Os::Ios, os_version: None, os_build: None, cpu: Cpu::Arm, cpu_info: None, cpu_microcode_version: None, cpu_count: 1, }, symbols: HashMap::new(), } } pub async fn walk_stack(&self, stack: Section) -> CallStack { let context = MinidumpContext { raw: MinidumpRawContext::Arm(self.raw.clone()), valid: MinidumpContextValidity::All, }; let base = stack.start().value().unwrap(); let size = stack.size(); let stack = stack.get_contents().unwrap(); let stack_memory = MinidumpMemory { desc: Default::default(), base_address: base, size, bytes: &stack, endian: scroll::LE, }; let symbolizer = Symbolizer::new(string_symbol_supplier(self.symbols.clone())); let mut stack = CallStack::with_context(context); walk_stack( 0, (), &mut stack, Some(UnifiedMemory::Memory(&stack_memory)), &self.modules, &self.system_info, &symbolizer, ) .await; stack } pub fn add_symbols(&mut self, name: String, symbols: String) { self.symbols.insert(name, symbols); } } #[tokio::test] async fn test_simple() { let mut f = TestFixture::new(); let stack = Section::new(); stack.start().set_const(0x80000000); // There should be no references to the stack in this walk: we don't // provide any call frame information, so trying to reconstruct the // context frame's caller should fail. So there's no need for us to // provide stack contents. f.raw.set_register("pc", 0x4000c020); f.raw.set_register("fp", 0x80000000); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 1); let f = &s.frames[0]; let m = f.module.as_ref().unwrap(); assert_eq!(m.code_file(), "module1"); } #[tokio::test] async fn test_scan_without_symbols() { // Scanning should work without any symbols let mut f = TestFixture::new(); let mut stack = Section::new(); stack.start().set_const(0x80000000); let return_address1 = 0x50000100u32; let return_address2 = 0x50000900u32; let frame1_sp = Label::new(); let frame2_sp = Label::new(); stack = stack // frame 0 .append_repeated(0, 16) // space .D32(0x40090000) // junk that's not .D32(0x60000000) // a return address .D32(return_address1) // actual return address // frame 1 .mark(&frame1_sp) .append_repeated(0, 16) // space .D32(0xF0000000) // more junk .D32(0x0000000D) .D32(return_address2) // actual return address // frame 2 .mark(&frame2_sp) .append_repeated(0, 32); // end of stack f.raw.set_register("pc", 0x40005510); // set an invalid non-zero value for the frame pointer // to force stack scanning f.raw.set_register("fp", 0x00000001); f.raw .set_register("sp", stack.start().value().unwrap() as u32); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 3); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 1 let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::Scan); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 2); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address1); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame1_sp.value().unwrap() as u32 ); } else { unreachable!(); } } { // Frame 2 let frame = &s.frames[2]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::Scan); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 2); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address2); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame2_sp.value().unwrap() as u32 ); } else { unreachable!(); } } } #[tokio::test] async fn test_scan_first_frame() { // The first (context) frame gets extra long scans, this test checks that. let mut f = TestFixture::new(); let mut stack = Section::new(); stack.start().set_const(0x80000000); let return_address1 = 0x50000100u32; let return_address2 = 0x50000900u32; let frame1_sp = Label::new(); let frame2_sp = Label::new(); stack = stack // frame 0 .append_repeated(0, 16) // space .D32(0x40090000) // junk that's not .D32(0x60000000) // a return address .append_repeated(0, 96) // more space .D32(return_address1) // actual return address // frame 1 .mark(&frame1_sp) .append_repeated(0, 32) // space .D32(0xF0000000) // more junk .D32(0x0000000D) .append_repeated(0, 336) // more space .D32(return_address2) // actual return address (won't be found) // frame 2 .mark(&frame2_sp) .append_repeated(0, 64); // end of stack f.raw.set_register("pc", 0x40005510); // set an invalid non-zero value for the frame pointer // to force stack scanning f.raw.set_register("fp", 0x00000001); f.raw .set_register("sp", stack.start().value().unwrap() as u32); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 2); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 1 let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::Scan); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 2); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address1); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame1_sp.value().unwrap() as u32 ); } else { unreachable!(); } } } #[tokio::test] async fn test_invalid_lr() { let mut f = TestFixture::new(); f.system_info.os = Os::Linux; let mut stack = Section::new(); stack.start().set_const(0x80000000); let lr = Label::new(); let return_address1 = 0x50000100u32; let return_address2 = 0x50000900u32; let frame1_sp = Label::new(); let frame2_sp = Label::new(); let frame1_fp = Label::new(); let frame2_fp = Label::new(); stack = stack // frame 0 .append_repeated(0, 32) // space .mark(&lr) // the LR points to something on the stack .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame1_fp) // next fp will point to the next value .D32(&frame2_fp) // save current frame pointer .D32(return_address1) // save current link register .mark(&frame1_sp) // frame 1 .append_repeated(0, 32) // space .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame2_fp) .D32(0) .D32(return_address2) .mark(&frame2_sp); f.raw.set_register("pc", 0x40005510); f.raw.set_register("lr", lr.value().unwrap() as u32); f.raw.set_register("fp", frame1_fp.value().unwrap() as u32); f.raw .set_register("sp", stack.start().value().unwrap() as u32); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 3); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 1 let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::Scan); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 2); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address1); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame1_sp.value().unwrap() as u32 ); } else { unreachable!(); } } { // Frame 2 let frame = &s.frames[2]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::Scan); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 2); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address2); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame2_sp.value().unwrap() as u32 ); } else { unreachable!(); } } } #[tokio::test] async fn test_frame_pointer() { // Frame-pointer-based unwinding let mut f = TestFixture::new(); let mut stack = Section::new(); stack.start().set_const(0x80000000); let return_address1 = 0x50000100u32; let return_address2 = 0x50000900u32; let frame1_sp = Label::new(); let frame2_sp = Label::new(); let frame0_fp = Label::new(); let frame1_fp = Label::new(); let frame2_fp = Label::new(); stack = stack // frame 0 .append_repeated(0, 32) // space .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame0_fp) // next fp will point to the next value .D32(&frame1_fp) // save current frame pointer .D32(return_address1) // save current link register .mark(&frame1_sp) // frame 1 .append_repeated(0, 32) // space .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame1_fp) .D32(&frame2_fp) .D32(return_address2) .mark(&frame2_sp) // frame 2 .append_repeated(0, 32) // Whatever values on the stack. .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address. .mark(&frame2_fp) .D32(0) .D32(0); f.raw.set_register("pc", 0x40005510); f.raw.set_register("lr", return_address1); f.raw.set_register("fp", frame0_fp.value().unwrap() as u32); f.raw .set_register("sp", stack.start().value().unwrap() as u32); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 3); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 1 let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::FramePointer); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 3); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address1); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame1_sp.value().unwrap() as u32 ); assert_eq!( ctx.get_register("fp", valid).unwrap(), frame1_fp.value().unwrap() as u32 ); } else { unreachable!(); } } { // Frame 2 let frame = &s.frames[2]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::FramePointer); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 3); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address2); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame2_sp.value().unwrap() as u32 ); assert_eq!( ctx.get_register("fp", valid).unwrap(), frame2_fp.value().unwrap() as u32 ); } else { unreachable!(); } } } #[tokio::test] async fn test_frame_pointer_stackless_leaf() { // Same as test_frame_pointer but frame0 is a stackless leaf. // // In the current implementation we will misunderstand this slightly // and basically "lose" frame 1, but still properly recover frame 2. // THIS TEST BREAKING MIGHT MEAN YOU'VE MADE THINGS WORK BETTER! let mut f = TestFixture::new(); let mut stack = Section::new(); stack.start().set_const(0x80000000); let return_address1 = 0x50000100u32; let return_address2 = 0x50000900u32; let frame1_sp = Label::new(); let frame2_sp = Label::new(); let frame1_fp = Label::new(); let frame2_fp = Label::new(); stack = stack // frame 0 (literally nothing!) .mark(&frame1_sp) // frame 1 (this is sadly dropped) .append_repeated(0, 32) // space .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame1_fp) .D32(&frame2_fp) .D32(return_address2) .mark(&frame2_sp) // frame 2 .append_repeated(0, 32) // Whatever values on the stack. .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address. .mark(&frame2_fp) .D32(0) .D32(0); f.raw.set_register("pc", 0x40005510); f.raw.set_register("lr", return_address1); // we will sadly ignore this f.raw.set_register("fp", frame1_fp.value().unwrap() as u32); f.raw .set_register("sp", stack.start().value().unwrap() as u32); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 2); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 2 (Found as Frame 1) let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::FramePointer); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 3); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address2); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame2_sp.value().unwrap() as u32 ); assert_eq!( ctx.get_register("fp", valid).unwrap(), frame2_fp.value().unwrap() as u32 ); } else { unreachable!(); } } } #[tokio::test] async fn test_frame_pointer_stackful_leaf() { // Same as test_frame_pointer but frame0 is a stackful leaf. // // In the current implementation we will misunderstand this slightly // and basically "lose" frame 1, but still properly recover frame 2. // THIS TEST BREAKING MIGHT MEAN YOU'VE MADE THINGS WORK BETTER! let mut f = TestFixture::new(); let mut stack = Section::new(); stack.start().set_const(0x80000000); let return_address1 = 0x50000100u32; let return_address2 = 0x50000900u32; let frame1_sp = Label::new(); let frame2_sp = Label::new(); let frame1_fp = Label::new(); let frame2_fp = Label::new(); stack = stack // frame 0 (all junk!) .append_repeated(0, 64) // space .D64(0x0000000D) // junk that's not .D64(0xF0000000) // a return address .mark(&frame1_sp) // frame 1 (this is sadly dropped) .append_repeated(0, 32) // space .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame1_fp) .D32(&frame2_fp) .D32(return_address2) .mark(&frame2_sp) // frame 2 .append_repeated(0, 32) // Whatever values on the stack. .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address. .mark(&frame2_fp) .D32(0) .D32(0); f.raw.set_register("pc", 0x40005510); f.raw.set_register("lr", return_address1); // we will sadly ignore this f.raw.set_register("fp", frame1_fp.value().unwrap() as u32); f.raw .set_register("sp", stack.start().value().unwrap() as u32); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 2); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 2 (Found as Frame 1) let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::FramePointer); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 3); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address2); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame2_sp.value().unwrap() as u32 ); assert_eq!( ctx.get_register("fp", valid).unwrap(), frame2_fp.value().unwrap() as u32 ); } else { unreachable!(); } } } #[tokio::test] async fn test_frame_pointer_infinite_equality() { // Leaf functions on Arm are allowed to not update the stack pointer, so // it's valid for the frame pointer analysis to conclude that the stack // pointer doesn't change. However we must only provide this allowance // to the first stack frame, or else we're vulnerable to infinite loops. // // One of the CFI tests already checks that we allow the leaf case to work, // so here we test that we don't get stuck in an infinite loop for the // non-leaf case. // // This is just a copy-paste of test_frame_pointer except for the line // "EVIL INFINITE FRAME POINTER" has been changed from frame2_fp to frame1_fp. let mut f = TestFixture::new(); let mut stack = Section::new(); stack.start().set_const(0x80000000); let return_address1 = 0x50000100u32; let return_address2 = 0x50000900u32; let frame1_sp = Label::new(); let frame2_sp = Label::new(); let frame0_fp = Label::new(); let frame1_fp = Label::new(); let frame2_fp = Label::new(); stack = stack // frame 0 .append_repeated(0, 32) // space .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame0_fp) // next fp will point to the next value .D32(&frame0_fp) // EVIL INFINITE FRAME POINTER .D32(return_address1) // save current link register .mark(&frame1_sp) // frame 1 .append_repeated(0, 32) // space .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address .mark(&frame1_fp) .D32(&frame2_fp) .D32(return_address2) .mark(&frame2_sp) // frame 2 .append_repeated(0, 32) // Whatever values on the stack. .D32(0x0000000D) // junk that's not .D32(0xF0000000) // a return address. .mark(&frame2_fp) .D32(0) .D32(0); f.raw.set_register("pc", 0x40005510); f.raw.set_register("lr", return_address1); f.raw.set_register("fp", frame0_fp.value().unwrap() as u32); f.raw .set_register("sp", stack.start().value().unwrap() as u32); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 2); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 1 (a messed up combination of frame 0 and 1) let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::FramePointer); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 3); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address1); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame1_sp.value().unwrap() as u32 ); assert_eq!( ctx.get_register("fp", valid).unwrap(), frame0_fp.value().unwrap() as u32 ); } else { unreachable!(); } } // Never get to frame 2, alas! } const CALLEE_SAVE_REGS: &[&str] = &["pc", "sp", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "fp"]; fn init_cfi_state() -> (TestFixture, Section, CONTEXT_ARM, MinidumpContextValidity) { let mut f = TestFixture::new(); let symbols = [ // The youngest frame's function. "FUNC 4000 1000 10 enchiridion\n", // Initially, nothing has been pushed on the stack, // and the return address is still in the link register. "STACK CFI INIT 4000 100 .cfa: sp .ra: lr\n", // Push r4, the frame pointer, and the link register. "STACK CFI 4001 .cfa: sp 12 + r4: .cfa 12 - ^", " r11: .cfa 8 - ^ .ra: .cfa 4 - ^\n", // Save r4..r7 in r0..r3: verify that we populate // the youngest frame with all the values we have. "STACK CFI 4002 r4: r0 r5: r1 r6: r2 r7: r3\n", // Restore r4..r7. Save the non-callee-saves register r1. "STACK CFI 4003 .cfa: sp 16 + r1: .cfa 16 - ^", " r4: r4 r5: r5 r6: r6 r7: r7\n", // Move the .cfa back four bytes, to point at the return // address, and restore the sp explicitly. "STACK CFI 4005 .cfa: sp 12 + r1: .cfa 12 - ^", " r11: .cfa 4 - ^ .ra: .cfa ^ sp: .cfa 4 +\n", // Recover the PC explicitly from a new stack slot; // provide garbage for the .ra. "STACK CFI 4006 .cfa: sp 16 + pc: .cfa 16 - ^\n", // The calling function. "FUNC 5000 1000 10 epictetus\n", // Mark it as end of stack. "STACK CFI INIT 5000 1000 .cfa: 0 .ra: 0\n", // A function whose CFI makes the stack pointer // go backwards. "FUNC 6000 1000 20 palinal\n", "STACK CFI INIT 6000 1000 .cfa: sp 4 - .ra: lr\n", // A function with CFI expressions that can't be // evaluated. "FUNC 7000 1000 20 rhetorical\n", "STACK CFI INIT 7000 1000 .cfa: moot .ra: ambiguous\n", ]; f.add_symbols(String::from("module1"), symbols.concat()); f.raw.set_register("pc", 0x40005510); f.raw.set_register("sp", 0x80000000); f.raw.set_register("fp", 0x8112e110); f.raw.iregs[4] = 0xb5d55e68; f.raw.iregs[5] = 0xebd134f3; f.raw.iregs[6] = 0xa31e74bc; f.raw.iregs[7] = 0x2dcb16b3; f.raw.iregs[8] = 0x2ada2137; f.raw.iregs[9] = 0xbbbb557d; f.raw.iregs[10] = 0x48bf8ca7; let raw_valid = MinidumpContextValidity::All; let expected = f.raw.clone(); let expected_regs = CALLEE_SAVE_REGS; let expected_valid = MinidumpContextValidity::Some(expected_regs.iter().copied().collect()); let stack = Section::new(); stack .start() .set_const(f.raw.get_register("sp", &raw_valid).unwrap() as u64); (f, stack, expected, expected_valid) } async fn check_cfi( f: TestFixture, stack: Section, expected: CONTEXT_ARM, expected_valid: MinidumpContextValidity, ) { let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 2); { // Frame 0 let frame = &s.frames[0]; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); } { // Frame 1 if let MinidumpContextValidity::Some(ref expected_regs) = expected_valid { let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::CallFrameInfo); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), expected_regs.len()); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { for reg in expected_regs { assert_eq!( ctx.get_register(reg, valid), expected.get_register(reg, &expected_valid), "{reg} registers didn't match!" ); } return; } } } unreachable!(); } #[tokio::test] async fn test_cfi_at_4000() { let (mut f, mut stack, expected, expected_valid) = init_cfi_state(); stack = stack.append_repeated(0, 120); f.raw.set_register("pc", 0x40004000); f.raw.set_register("lr", 0x40005510); check_cfi(f, stack, expected, expected_valid).await; } #[tokio::test] async fn test_cfi_at_4001() { let (mut f, mut stack, mut expected, expected_valid) = init_cfi_state(); let frame1_sp = Label::new(); stack = stack .D32(0xb5d55e68) // saved r4 .D32(0x8112e110) // saved fp .D32(0x40005510) // return address .mark(&frame1_sp) .append_repeated(0, 120); expected.set_register("sp", frame1_sp.value().unwrap() as u32); f.raw.set_register("pc", 0x40004001); f.raw.iregs[4] = 0x635adc9f; f.raw.set_register("fp", 0xbe145fc4); check_cfi(f, stack, expected, expected_valid).await; } #[tokio::test] async fn test_cfi_at_4002() { let (mut f, mut stack, mut expected, expected_valid) = init_cfi_state(); let frame1_sp = Label::new(); stack = stack .D32(0xfb81ff3d) // no longer saved r4 .D32(0x8112e110) // saved fp .D32(0x40005510) // return address .mark(&frame1_sp) .append_repeated(0, 120); expected.set_register("sp", frame1_sp.value().unwrap() as u32); f.raw.set_register("pc", 0x40004002); f.raw.iregs[0] = 0xb5d55e68; // saved r4 f.raw.iregs[1] = 0xebd134f3; // saved r5 f.raw.iregs[2] = 0xa31e74bc; // saved r6 f.raw.iregs[3] = 0x2dcb16b3; // saved r7 f.raw.iregs[4] = 0xfdd35466; // distinct callee r4 f.raw.iregs[5] = 0xf18c946c; // distinct callee r5 f.raw.iregs[6] = 0xac2079e8; // distinct callee r6 f.raw.iregs[7] = 0xa449829f; // distinct callee r7 f.raw.set_register("fp", 0xbe145fc4); check_cfi(f, stack, expected, expected_valid).await; } #[tokio::test] async fn test_cfi_at_4003() { let (mut f, mut stack, mut expected, mut expected_valid) = init_cfi_state(); let frame1_sp = Label::new(); stack = stack .D32(0x48c8dd5a) // saved r1 (even though it's not callee-saves) .D32(0xcb78040e) // no longer saved r4 .D32(0x8112e110) // saved fp .D32(0x40005510) // return address .mark(&frame1_sp) .append_repeated(0, 120); expected.set_register("sp", frame1_sp.value().unwrap() as u32); expected.iregs[1] = 0x48c8dd5a; if let MinidumpContextValidity::Some(ref mut which) = expected_valid { which.insert("r1"); } else { unreachable!(); } f.raw.set_register("pc", 0x40004003); f.raw.iregs[1] = 0xfb756319; check_cfi(f, stack, expected, expected_valid).await; } #[tokio::test] async fn test_cfi_at_4004() { // Should be the same as 4003 let (mut f, mut stack, mut expected, mut expected_valid) = init_cfi_state(); let frame1_sp = Label::new(); stack = stack .D32(0x48c8dd5a) // saved r1 (even though it's not callee-saves) .D32(0xcb78040e) // no longer saved r4 .D32(0x8112e110) // saved fp .D32(0x40005510) // return address .mark(&frame1_sp) .append_repeated(0, 120); expected.set_register("sp", frame1_sp.value().unwrap() as u32); expected.iregs[1] = 0x48c8dd5a; if let MinidumpContextValidity::Some(ref mut which) = expected_valid { which.insert("r1"); } else { unreachable!(); } f.raw.set_register("pc", 0x40004004); f.raw.iregs[1] = 0xfb756319; check_cfi(f, stack, expected, expected_valid).await; } #[tokio::test] async fn test_cfi_at_4005() { let (mut f, mut stack, mut expected, mut expected_valid) = init_cfi_state(); let frame1_sp = Label::new(); stack = stack .D32(0x48c8dd5a) // saved r1 (even though it's not callee-saves) .D32(0xf013f841) // no longer saved r4 .D32(0x8112e110) // saved fp .D32(0x40005510) // return address .mark(&frame1_sp) .append_repeated(0, 120); expected.set_register("sp", frame1_sp.value().unwrap() as u32); expected.iregs[1] = 0x48c8dd5a; if let MinidumpContextValidity::Some(ref mut which) = expected_valid { which.insert("r1"); } else { unreachable!(); } f.raw.set_register("pc", 0x40004005); f.raw.iregs[1] = 0xfb756319; check_cfi(f, stack, expected, expected_valid).await; } #[tokio::test] async fn test_cfi_at_4006() { // Here we provide an explicit rule for the PC, and have the saved .ra be // bogus. let (mut f, mut stack, mut expected, mut expected_valid) = init_cfi_state(); let frame1_sp = Label::new(); stack = stack .D32(0x40005510) // saved pc .D32(0x48c8dd5a) // saved r1 (even though it's not callee-saves) .D32(0xf013f841) // no longer saved r4 .D32(0x8112e110) // saved fp .D32(0xf8d15783) // .ra rule recovers this, which is garbage .mark(&frame1_sp) .append_repeated(0, 120); expected.set_register("sp", frame1_sp.value().unwrap() as u32); expected.iregs[1] = 0x48c8dd5a; if let MinidumpContextValidity::Some(ref mut which) = expected_valid { which.insert("r1"); } else { unreachable!(); } f.raw.set_register("pc", 0x40004006); f.raw.iregs[1] = 0xfb756319; check_cfi(f, stack, expected, expected_valid).await; } #[tokio::test] async fn test_cfi_reject_backwards() { // Check that we reject rules that would cause the stack pointer to // move in the wrong direction. let (mut f, mut stack, _expected, _expected_valid) = init_cfi_state(); stack = stack.append_repeated(0, 120); f.raw.set_register("pc", 0x40006000); f.raw.set_register("sp", 0x80000000); f.raw.set_register("lr", 0x40005510); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 1); } #[tokio::test] async fn test_cfi_reject_bad_exprs() { // Check that we reject rules whose expressions' evaluation fails. let (mut f, mut stack, _expected, _expected_valid) = init_cfi_state(); stack = stack.append_repeated(0, 120); f.raw.set_register("pc", 0x40007000); f.raw.set_register("sp", 0x80000000); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 1); } #[tokio::test] async fn test_frame_pointer_overflow() { // Make sure we don't explode when trying frame pointer analysis on a value // that will overflow. type Pointer = u32; let stack_max: Pointer = Pointer::MAX; let stack_size: Pointer = 1000; let bad_frame_ptr: Pointer = stack_max; let mut f = TestFixture::new(); let mut stack = Section::new(); let stack_start: Pointer = stack_max - stack_size; stack.start().set_const(stack_start as u64); stack = stack // frame 0 .append_repeated(0, stack_size as usize); // junk, not important to the test f.raw.set_register("pc", 0x7a100000); f.raw.set_register("fp", bad_frame_ptr); f.raw .set_register("sp", stack.start().value().unwrap() as Pointer); f.raw.set_register("lr", 0x7b302000); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 1); // As long as we don't panic, we're good! } #[tokio::test] async fn test_frame_pointer_overflow_nonsense_32bit_stack() { // same as test_frame_pointer_overflow, but we're going to abuse the fact // that rust-minidump prefers representing things in 64-bit to create // impossible stack addresses that overflow 32-bit integers but appear // valid in 64-bit. By doing this memory reads will "succeed" but // pointer math done in the native pointer width will overflow and // everything will be sad. type Pointer = u32; let pointer_size: u64 = std::mem::size_of::() as u64; let stack_max: u64 = Pointer::MAX as u64 + pointer_size * 2; let stack_size: u64 = 1000; let bad_frame_ptr: u64 = Pointer::MAX as u64 - pointer_size; let mut f = TestFixture::new(); let mut stack = Section::new(); let stack_start: u64 = stack_max - stack_size; stack.start().set_const(stack_start); stack = stack // frame 0 .append_repeated(0, 1000); // junk, not important to the test f.raw.set_register("pc", 0x7a100000); f.raw.set_register("fp", bad_frame_ptr as u32); f.raw .set_register("sp", stack.start().value().unwrap() as Pointer); f.raw.set_register("lr", 0x7b302000); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 1); // As long as we don't panic, we're good! } #[tokio::test] async fn test_frame_pointer_barely_no_overflow() { // This is a simple frame pointer test but with the all the values pushed // as close to the upper memory boundary as possible, to confirm that // our code doesn't randomly overflow *AND* isn't overzealous in // its overflow guards. let mut f = TestFixture::new(); let mut stack = Section::new(); type Pointer = u32; let stack_max: Pointer = Pointer::MAX; let pointer_size: Pointer = std::mem::size_of::() as Pointer; let stack_size: Pointer = pointer_size * 3; let stack_start: Pointer = stack_max - stack_size; let return_address: Pointer = 0x7b302000; stack.start().set_const(stack_start as u64); let frame0_fp = Label::new(); let frame1_sp = Label::new(); let frame1_fp = Label::new(); stack = stack // frame 0 .mark(&frame0_fp) .D32(&frame1_fp) // caller-pushed %rbp .D32(return_address) // actual return address // frame 1 .mark(&frame1_sp) .mark(&frame1_fp) // end of stack .D32(0); f.raw.set_register("pc", 0x7a100000); f.raw .set_register("fp", frame0_fp.value().unwrap() as Pointer); f.raw .set_register("sp", stack.start().value().unwrap() as Pointer); f.raw.set_register("lr", return_address); let s = f.walk_stack(stack).await; assert_eq!(s.frames.len(), 2); { // Frame 0 let frame = &s.frames[0]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::Context); assert_eq!(frame.context.valid, MinidumpContextValidity::All); if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!( ctx.get_register("fp", valid).unwrap(), frame0_fp.value().unwrap() as Pointer ); } else { unreachable!(); } } { // Frame 1 let frame = &s.frames[1]; let valid = &frame.context.valid; assert_eq!(frame.trust, FrameTrust::FramePointer); if let MinidumpContextValidity::Some(ref which) = valid { assert_eq!(which.len(), 3); } else { unreachable!(); } if let MinidumpRawContext::Arm(ctx) = &frame.context.raw { assert_eq!(ctx.get_register("pc", valid).unwrap(), return_address); assert_eq!( ctx.get_register("sp", valid).unwrap(), frame1_sp.value().unwrap() as Pointer ); assert_eq!( ctx.get_register("fp", valid).unwrap(), frame1_fp.value().unwrap() as Pointer ); } else { unreachable!(); } } }