drmemtrace fails to register filter event, but DR bails on finding syscall # due to clean call
I just noticed that the drmemtrace tracer has no syscall filter: so how is its pre-syscall working??
It looks like find_syscall_num() is broken and returns -1 for everything, even:
```
interp: start_pc = 0x00007fdf048655a0
0x00007fdf048655a0 b8 15 00 00 00 mov $0x00000015 -> %eax
0x00007fdf048655a5 0f 05 syscall -> %rcx
end_pc = 0x00007fdf048655a7
```
It's because we delay until post-instrumentation, in case the client changes the number, but then we do not skip meta instrs and bail due to the complex memtrace instrumentation: well, actually just due to the end-of-bb clean call, which writes to eax.
bb ilist before mangling:

```
TAG 0x00007fdf048655a0
+0 m4 @0x00007fdef09284f0 65 48 8b 0c 25 b0 00 mov %gs:0x000000b0[8byte] -> %rcx
00 00
+9 m4 @0x00007fdef0927fe0 48 b8 a0 95 01 00 08 mov $0x20040008000195a0 -> %rax
00 04 20
+19 m4 @0x00007fdef09b0890 48 89 01 mov %rax -> (%rcx)[8byte]
+22 m4 @0x00007fdef0980bb0 <label>
+22 m4 @0x00007fdef0925390 48 8d 49 08 lea 0x08(%rcx) -> %rcx
+26 m4 @0x00007fdef0929ab0 65 48 89 0c 25 b0 00 mov %rcx -> %gs:0x000000b0[8byte]
00 00
+35 m4 @0x00007fdef09b1ef0 <label>
+35 L3 b8 15 00 00 00 mov $0x00000015 -> %eax
+40 m4 @0x00007fdef0929948 65 48 8b 0c 25 b0 00 mov %gs:0x000000b0[8byte] -> %rcx
00 00
+49 m4 @0x00007fdef0927db8 <label>
+49 m4 @0x00007fdef0924ef8 48 8b 09 mov (%rcx)[8byte] -> %rcx
+52 m4 @0x00007fdef09b1b50 e3 fe jrcxz @0x00007fdef09b0818[8byte] %rcx
+54 m4 @0x00007fdef09b1c40 65 48 a3 00 00 00 00 mov %rax -> %gs:0x00[8byte]
00 00 00 00
+65 m4 @0x00007fdef0929168 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+76 m4 @0x00007fdef0928d30 48 89 60 18 mov %rsp -> 0x18(%rax)[8byte]
+80 m4 @0x00007fdef09b0c08 48 8b a0 e8 02 00 00 mov 0x000002e8(%rax)[8byte] -> %rsp
+87 m4 @0x00007fdef09282e0 65 48 a1 00 00 00 00 mov %gs:0x00[8byte] -> %rax
00 00 00 00
+98 m4 @0x00007fdef0924d48 48 8d a4 24 58 fd ff lea 0xfffffd58(%rsp) -> %rsp
ff
+106 m4 @0x00007fdef09b2d00 e8 8b 73 f8 ff call $0x00007fdef08a8d80 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+111 m4 @0x00007fdef0927e78 <label>
+111 m4 @0x00007fdef09252a0 e8 1a f6 15 90 call $0x00007fde80a8100f %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+116 m4 @0x00007fdef0925a80 e8 4b 74 f8 ff call $0x00007fdef08a8e40 %rsp -> %rsp 0xfffffff8(%rsp)[8byte]
+121 m4 @0x00007fdef09b0518 65 48 a3 00 00 00 00 mov %rax -> %gs:0x00[8byte]
00 00 00 00
+132 m4 @0x00007fdef09b1e78 65 48 a1 20 00 00 00 mov %gs:0x20[8byte] -> %rax
00 00 00 00
+143 m4 @0x00007fdef09b1d30 48 8b 60 18 mov 0x18(%rax)[8byte] -> %rsp
+147 m4 @0x00007fdef0929df8 65 48 a1 00 00 00 00 mov %gs:0x00[8byte] -> %rax
00 00 00 00
+158 m4 @0x00007fdef09b2370 <label>
+158 m4 @0x00007fdef09b0818 <label>
+158 m4 @0x00007fdef0980958 <label>
+158 m4 @0x00007fdef09b28c8 <label>
+158 L3 0f 05 syscall -> %rcx
+160 L4 @0x00007fdef09b2940 e9 b2 3b f4 13 jmp $0x00007fdf048655a7
END 0x00007fdf048655a0
```
Consequences are maybe not so bad: if we have complex instrumentation, the perf cost of exiting to DR on every syscall is probably not a bottleneck. But it seems like we should be able to skip meta instrs and assume they do not affect the app's eax.
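To make the "skip meta instrs" point concrete, here is a small self-contained model of the backward scan, added for this issue and not DynamoRIO's own `find_syscall_num()` or `instr_t` (the struct, the `writes_eax` / `is_meta` flags and the function names are assumptions). The sample block is condensed from the ilist above: the app's `mov $0x15 -> %eax`, the tracer's meta spill/load/call/restore sequence around the clean call, then the app's `syscall`. With `skip_meta` off, the scan hits the meta `mov %gs:0x00 -> %rax` restore (a write to rax) before reaching the app's mov and bails with -1, which is the behaviour reported here; with `skip_meta` on, meta instructions are stepped over and the scan returns 0x15.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for an ilist entry (assumption: not DynamoRIO's instr_t).
 * Only the properties a backward syscall-number scan needs are modelled. */
typedef struct {
    const char *text;    /* disassembly text, for readability only */
    bool is_meta;        /* inserted by instrumentation ("m4" in the dump), not app code */
    bool writes_eax;     /* instruction writes eax/rax */
    bool is_mov_imm_eax; /* the "mov $imm -> %eax" that loads the syscall number */
    int imm;             /* immediate value when is_mov_imm_eax is set */
} toy_instr_t;

/* Constructed bb, condensed from the ilist in the issue. The clean-call
 * target is a placeholder: the C callee clobbers rax, which is why the
 * tracer spills and restores it around the call. */
static const toy_instr_t sample_bb[] = {
    { "mov $0x00000015 -> %eax",           false, true,  true,  0x15 }, /* app instr */
    { "mov %gs:0x000000b0[8byte] -> %rcx", true,  false, false, 0 },
    { "mov (%rcx)[8byte] -> %rcx",         true,  false, false, 0 },
    { "mov %rax -> %gs:0x00[8byte]",       true,  false, false, 0 },    /* spill rax */
    { "mov %gs:0x20[8byte] -> %rax",       true,  true,  false, 0 },    /* load dcontext */
    { "call $<clean call target>",         true,  true,  false, 0 },    /* clobbers rax */
    { "mov %gs:0x00[8byte] -> %rax",       true,  true,  false, 0 },    /* restore rax */
    { "syscall -> %rcx",                   false, false, false, 0 },    /* app instr */
};
#define SAMPLE_BB_LEN (sizeof(sample_bb) / sizeof(sample_bb[0]))
#define SAMPLE_SYSCALL_IDX (SAMPLE_BB_LEN - 1)

/* Scan backward from the syscall at bb[syscall_idx] for the mov that loads
 * eax. Returns the syscall number, or -1 when eax is written by something
 * the scan cannot reason about before the mov is found.
 * skip_meta == false: current behaviour, every eax write counts.
 * skip_meta == true:  proposed behaviour, meta instrs are assumed to leave
 *                     the app's eax intact at the syscall and are stepped over. */
int find_syscall_num_model(const toy_instr_t *bb, size_t n, size_t syscall_idx, bool skip_meta)
{
    if (syscall_idx >= n)
        return -1;
    for (size_t i = syscall_idx; i-- > 0;) {
        const toy_instr_t *in = &bb[i];
        if (skip_meta && in->is_meta)
            continue;
        if (in->is_mov_imm_eax)
            return in->imm;
        if (in->writes_eax)
            return -1; /* unknown value in eax: bail, forcing an exit to DR at the syscall */
    }
    return -1;
}

/* Result for the sample bb under the current (bail on any eax write) policy. */
int model_current_behaviour(void)
{
    return find_syscall_num_model(sample_bb, SAMPLE_BB_LEN, SAMPLE_SYSCALL_IDX, false);
}

/* Result for the sample bb when meta instrs are skipped. */
int model_proposed_behaviour(void)
{
    return find_syscall_num_model(sample_bb, SAMPLE_BB_LEN, SAMPLE_SYSCALL_IDX, true);
}

int main(void)
{
    printf("current:  %d\n", model_current_behaviour());  /* -1 */
    printf("proposed: %d\n", model_proposed_behaviour()); /* 21 (0x15) */
    return 0;
}
```

The model keeps the "bail on a non-meta eax write" rule, so a client that deliberately rewrites the syscall number with an app-level instruction still has its new value picked up, while a client that changed eax via meta code would be missed; that trade-off is the reason the real scan is delayed until post-instrumentation in the first place.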
**** TODO update the drmgr pre-syscall docs to talk about needing a filter
Maybe even provide a debug-build warning if a pre- or post-syscall event is registered without a filter? In both DR and drmgr?