Develop Reference

(epbf) Unable to use string.h apis on string that probe read from kernel

When I tried to do some string operations (strlen, strcpy and strtok) today, I found it is unable to use those string.h apis on string probe read from kernel.
It will raise unknown opcode error on python bcc/bpf and raise libbpf: failed to find BTF for extern 'strlen' on libbpf.
A pseudo code I tried as follows:
u64 ptr = PT_REGS_PARMX(regs);
char str1[10] = {};
char str2[10] = "test";
bpf_probe_read_kernel(str1, sizeof(str1), (const void *) ptr);
u64 len = strlen(str1); // error will raise here
len = strlen(str2); // but this is ok if string not read from kernel
Although strlen I could implement in:
u64 len = 0;
for(len; len < sizeof(str1); len++){
if (str1[len] == '\0') break;
}
I still wonder that why it is unable to use string.h apis
and how could make it able to use.

You can't call arbitrary kernel functions from BPF bytecode.
The reason it works for str2 is because it's a constant and the compiler therefore optimizes it to 4 without needing to call strlen.
If you need to compute the length of a string, you need to implement strlen() yourself or to copy one of the kernel's implementations. Note that in general, it is not recommended to perform computation on strings in BPF; that's a job better left to the userspace counterpart.

VC++ SSE code generation - is this a compiler bug?

A very particular code sequence in VC++ generated the following instruction (for Win32):
unpcklpd xmm0,xmmword ptr [ebp-40h]
2 questions arise:
(1) As far as I understand the intel manual, unpcklpd accepts as 2nd argument a 128-aligned memory address. If the address is relative to a stack frame alignment cannot be forced. Is this really a compiler bug?
(2) Exceptions are thrown from at the execution of this instruction only when run from the debugger, and even then not always. Even attaching to the process and executing this code does not throw. How can this be??
The particular exception thrown is access violation at 0xFFFFFFFF, but AFAIK that's just a code for misalignment.
[Edit:]
Here's some source that demonstrates the bad code generation - but typically doesn't cause a crash. (that's mostly what I'm wondering about)
[Edit 2:]
The code sample now reproduces the actual crash. This one also crashes outside the debugger - I suspect the difference occurs because the debugger launches the program at different typical base addresses.
// mock.cpp
#include <stdio.h>
struct mockVect2d
{
double x, y;
mockVect2d() {}
mockVect2d(double a, double b) : x(a), y(b) {}
mockVect2d operator + (const mockVect2d& u) {
return mockVect2d(x + u.x, y + u.y);
}
};
struct MockPoly
{
MockPoly() {}
mockVect2d* m_Vrts;
double m_Area;
int m_Convex;
bool m_ParClear;
void ClearPar() { m_Area = -1.; m_Convex = 0; m_ParClear = true; }
MockPoly(int len) { m_Vrts = new mockVect2d[len]; }
mockVect2d& Vrt(int i) {
if (!m_ParClear) ClearPar();
return m_Vrts[i];
}
const mockVect2d& GetCenter() { return m_Vrts[0]; }
};
struct MockItem
{
MockItem() : Contour(1) {}
MockPoly Contour;
};
struct Mock
{
Mock() {}
MockItem m_item;
virtual int GetCount() { return 2; }
virtual mockVect2d GetCenter() { return mockVect2d(1.0, 2.0); }
virtual MockItem GetItem(int i) { return m_item; }
};
void testInner(int a)
{
int c = 8;
printf("%d", c);
Mock* pMock = new Mock;
int Flag = true;
int nlr = pMock->GetCount();
if (nlr == 0)
return;
int flr = 1;
if (flr == nlr)
return;
if (Flag)
{
if (flr < nlr && flr>0) {
int c = 8;
printf("%d", c);
MockPoly pol(2);
mockVect2d ctr = pMock->GetItem(0).Contour.GetCenter();
// The mess happens here:
// ; 74 : pol.Vrt(1) = ctr + mockVect2d(0., 1.0);
//
// call ? Vrt#MockPoly##QAEAAUmockVect2d##H#Z; MockPoly::Vrt
// movdqa xmm0, XMMWORD PTR $T4[ebp]
// unpcklpd xmm0, QWORD PTR tv190[ebp] **** crash!
// movdqu XMMWORD PTR[eax], xmm0
pol.Vrt(0) = ctr + mockVect2d(1.0, 0.);
pol.Vrt(1) = ctr + mockVect2d(0., 1.0);
}
}
}
void main()
{
testInner(2);
return;
}
If you prefer, download a ready vcxproj with all the switches set from here. This includes the complete ASM too.

Update: this is now a confirmed VC++ compiler bug, hopefully to be resolved in VS2015 RTM.
Edit: The connect report, like many others, is now garbage. However the compiler bug seems to be resolved in VS2017 - not in 2015 update 3.

Since no one else has stepped up, I'm going to take a shot.
1) If the address is relative to a stack frame alignment cannot be forced. Is this really a compiler bug?
I'm not sure it is true that you cannot force alignment for stack variables. Consider this code:
struct foo
{
char a;
int b;
unsigned long long c;
};
int wmain(int argc, wchar_t* argv[])
{
foo moo;
moo.a = 1;
moo.b = 2;
moo.c = 3;
}
Looking at the startup code for main, we see:
00E31AB0 push ebp
00E31AB1 mov ebp,esp
00E31AB3 sub esp,0DCh
00E31AB9 push ebx
00E31ABA push esi
00E31ABB push edi
00E31ABC lea edi,[ebp-0DCh]
00E31AC2 mov ecx,37h
00E31AC7 mov eax,0CCCCCCCCh
00E31ACC rep stos dword ptr es:[edi]
00E31ACE mov eax,dword ptr [___security_cookie (0E440CCh)]
00E31AD3 xor eax,ebp
00E31AD5 mov dword ptr [ebp-4],eax
Adding __declspec(align(16)) to moo gives
01291AB0 push ebx
01291AB1 mov ebx,esp
01291AB3 sub esp,8
01291AB6 and esp,0FFFFFFF0h <------------------------
01291AB9 add esp,4
01291ABC push ebp
01291ABD mov ebp,dword ptr [ebx+4]
01291AC0 mov dword ptr [esp+4],ebp
01291AC4 mov ebp,esp
01291AC6 sub esp,0E8h
01291ACC push esi
01291ACD push edi
01291ACE lea edi,[ebp-0E8h]
01291AD4 mov ecx,3Ah
01291AD9 mov eax,0CCCCCCCCh
01291ADE rep stos dword ptr es:[edi]
01291AE0 mov eax,dword ptr [___security_cookie (12A40CCh)]
01291AE5 xor eax,ebp
01291AE7 mov dword ptr [ebp-4],eax
Apparently the compiler (VS2010 compiled debug for Win32), recognizing that we will need specific alignments for the code, takes steps to ensure it can provide that.
2) Exceptions are thrown from at the execution of this instruction only when run from the debugger, and even then not always. Even attaching to the process and executing this code does not throw. How can this be??
So, a couple of thoughts:
"and even then not always" - Not standing over your shoulder when you run this, I can't say for certain. However it seems plausible that just by random chance, stacks could get created with the alignment you need. By default, x86 uses 4byte stack alignment. If you need 16 byte alignment, you've got a 1 in 4 shot.
As for the rest (from https://msdn.microsoft.com/en-us/library/aa290049%28v=vs.71%29.aspx#ia64alignment_topic4):
On the x86 architecture, the operating system does not make the alignment fault visible to the application. ...you will also suffer performance degradation on the alignment fault, but it will be significantly less severe than on the Itanium, because the hardware will make the multiple accesses of memory to retrieve the unaligned data.
TLDR: Using __declspec(align(16)) should give you the alignment you want, even for stack variables. For unaligned accesses, the OS will catch the exception and handle it for you (at a cost of performance).
Edit1: Responding to the first 2 comments below:
Based on MS's docs, you are correct about the alignment of stack parameters, but they propose a solution as well:
You cannot specify alignment for function parameters. When data that
has an alignment attribute is passed by value on the stack, its
alignment is controlled by the calling convention. If data alignment
is important in the called function, copy the parameter into correctly
aligned memory before use.
Neither your sample on Microsoft connect nor the code about produce the same code for me (I'm only on vs2010), so I can't test this. But given this code from your sample:
struct mockVect2d
{
double x, y;
mockVect2d(double a, double b) : x(a), y(b) {}
It would seem that aligning either mockVect2d or the 2 doubles might help.

visual studio 2012 update 3 compiler bug - not calling dtor

I believe I've found a somewhat obscure but scary bug in the Visual Studio 2012 Update 3 C++ compiler. I found it while writing unit tests using gtest. The tests started showing memory leaks, and after investigating the problem seemed to reduce to a bug in the compiler.
I submitted the issue to Microsoft:
https://connect.microsoft.com/VisualStudio/feedback/details/794722/parameter-dtor-not-called-when-overloaded-operator-involved-in-return
In the past I've mistakenly called "compiler bug" on more of my own bugs than I care to admit. So I thought I'd post the question here in case anyone wants to attempt to reproduce the problem themselves. If I can be pointed towards a mistake of my own in this code, that would be extremely helpful! I'm really hoping it's not actually the case that the VC++ compiler fails to call destructors in the following program.
Note that the faulty behavior occurs with the optimizer disabled, so it's not an optimizer bug.
I tried this code in gcc 4.2.1 (i686-apple-darwin11) and it behaves as expected.
Here's the code for the single source file in the project:
#include <string>
int instance_count= 0;
class c {
public:
c( std::string s ) : m_s(s) { ++instance_count; }
c( const c& other ) : m_s(other.m_s) { ++instance_count; }
~c() {--instance_count;}
private:
std::string m_s;
};
class d {
public:
d() {}
void operator=(int) {}
};
void f( c c_ ) {
try {}
catch(...) { return d() = 5; }
}
int main( int argc, char* argv[] ) {
c instance("leak");
f(instance);
return instance_count == 1 ? 0 : -1;
}
To compile it in Visual Studio 2012 Update 3:
File -> New -> Project..., select Win32 Console Application, click OK then click Finish
Build -> Configuration Manager -> Active Solution Platform -> New..., select x64, click OK
Replace the contents of the main .cpp file with the above code
Either add #include "stdafx.h" to the top of the file or turn off precompiler headers
Run the program, note that the exit code is -1, I expect it to be 0. This seems to reproduce in both 32-bit and 64-bit builds, although I was focusing on 64-bit.
Comment out the try/catch blocks in f(), note that the exit code becomes 0. I don't see why this change should affect the exit code since the catch() block isn't even executing.

Looks like an issue in codegen. The dissassembly shows the following for function f.
With return statement -
try { }
002039B8 mov byte ptr [ebp-4],1
002039BC jmp f+6Eh (02039DEh)
catch(...) { return d() = 5; }
002039BE push 5
002039C0 lea ecx,[ebp-0D5h]
002039C6 call d::d (0201474h)
002039CB mov ecx,eax
002039CD call d::operator= (0201479h)
002039D2 mov eax,2039E7h
002039D7 ret
002039D8 mov eax,2039DEh
002039DD ret
$LN4:
002039DE mov dword ptr [ebp-4],0
002039E5 jmp $LN8+0Fh (02039F6h)
$LN8:
002039E7 mov dword ptr [ebp-4],0FFFFFFFFh
002039EE lea ecx,[c_]
002039F1 call c::~c (020101Eh)
}
Notice the jump f+6Eh(02039DEh) for dissassembly of try block. This jumps to
002039DE mov dword ptr [ebp-4],0
002039E5 jmp $LN8+0Fh (02039F6h)
which totally skips the call to destructor. One more thing to observe is that the call to destructor is before the closing brace ('}').
If we take a look at the code without return statement,
try { }
013839B8 mov byte ptr [ebp-4],1
013839BC jmp f+68h (013839D8h)
catch(...) { /*return*/ d() = 5; }
013839BE push 5
013839C0 lea ecx,[ebp-0D5h]
013839C6 call d::d (01381474h)
013839CB mov ecx,eax
013839CD call d::operator= (01381479h)
013839D2 mov eax,13839E1h
013839D7 ret
013839D8 mov dword ptr [ebp-4],0
013839DF jmp $LN8+7h (013839E8h)
$LN8:
013839E1 mov dword ptr [ebp-4],0
}
013839E8 mov dword ptr [ebp-4],0FFFFFFFFh
013839EF lea ecx,[c_]
013839F2 call c::~c (0138101Eh)
Here, the call to destructor is after the brace ('}').

Why does a C++ string not appear to have been initialized correctly when seen through the output of "print" in GDB?

I have the following piece of code.
#include <string>
#include <ctype.h>
std::string lowerCase(const std::string &exprName)
{
std::string dummy(exprName);
char firstChar = tolower(exprName.at(0));
dummy.replace(0, 1, &firstChar);
return dummy;
}
When I step through the code using GDB, and break at line 6 (std::string dummy(exprName)), I expect dummy to be empty. But when I print it using
p dummy
GDB prints a value for the variable in the following way
Breakpoint 1, lowerCase (exprName=...) at Utility.cpp:49
49 std::string dummy("");
(gdb) print dummy
$1 = {
static npos = 18446744073709551615,
_M_dataplus = {
<std::allocator<char>> = {
<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>},
members of std::basic_string<char, std::char_traits<char>, std::allocator<char> >::_Alloc_hider:
_M_p = 0x634261 "Expr * input2 = facade->derefE(facade->varE(v));\nNode * subject = f->"
}
}
Also, if I step to the next line of code, i.e.
char firstChar = tolower(exprName.at(0));
and I print the value of "dummy" in GDB, it's value remains the same and doesn't change to the value of exprName. I printed "exprName" and it definitely contains a different value!
This is baffling! Why would dummy not be initialized to the same value as that of exprName?

That is exactly what uninitialized means: the value is (sort of) unpredictable, and when you look at the contents, it is likely to not make sense.
In your case the _M_ptr pointer accidentally happens to point into a valid memory range, so you do see something which looks like a string. The contents depend on values temporarily stored on the stack by another function, called before this one.

How to generify data for "mov" instruction?

I need to understand just 1 single instruction and accordingly I need to generify the things.
I need to pass structures (Objects of User Defined Data Types) at runtime using following assembly code.
Where Following is User Defined Data Type namely WESContext :
typedef struct CWESContext
{
BSTR UserName;
BSTR MachineIP;
BSTR Certificate;
BSTR BrowserClienthandle;//Its the handle of the BrowserClient or Java Application Level Object
BSTR SessionID;
BSTR TaskID;// name of the original task
long LocaleID;//The location of the ultimate Caller
long FeatureID;//The feature ID mapping to some feature available in WESFW
long SessionTypeID;//Itmay be; Browser CLient Session, OPC Client Session, Authenticated OPC Clients session(as they have more rights), WESFWSystemClient.
SYSTEMTIME TimeStamp;//the time the original task was executed
DWORD Priority; //task priority of the original task
struct WESProductCategory
{
BSTR ProductCategoryName;
int serialNo;
struct WESDimensions
{
int weight;
struct WESVolume
{
int length;
int heigth;
int width;
} oVolume;
BSTR tempHeight;
BSTR otherUnknownDimensions;
} oDimensions;
} oWESProductCategory;
} CWESContext;
I have created the block enough of size WESContext and filled it with sample data.
int sizeOfWESContext = sizeof(CWESContext);
void *pWESContext = malloc(sizeOfWESContext);
void *pGenericPtr = pWESContext;
memset(pWESContext,0,sizeOfWESContext);
BSTR *bstrUserName = (BSTR*)pGenericPtr;
*bstrUserName = SysAllocString(CT2OLE(CA2T(results.at(0).c_str())));
bstrUserName++;
pGenericPtr = bstrUserName;
BSTR *bstrMachineIp = (BSTR*)pGenericPtr;
*bstrMachineIp = SysAllocString(CT2OLE(CA2T(results.at(1).c_str())));
bstrMachineIp++;
pGenericPtr = bstrMachineIp;
BSTR *bstrCertificate = (BSTR*)pGenericPtr;
*bstrCertificate = SysAllocString(CT2OLE(CA2T(results.at(2).c_str())));
bstrCertificate++;
pGenericPtr = bstrCertificate;
.....................
so on so forth...............
If I call it by passing this as object:
Calling Normaly :
MyCallableMethodUDT(((CWESContext)pWESContext));
Now following assembly i just pulled from Dissasembly view of Visual Studio while debugging.
mov esi,dword ptr [pWESContext]
sub esp,58h
mov ecx,16h
mov edi,esp
rep movs dword ptr es:[edi],dword ptr [esi]
I just need to understand 3rd line..
AS I increase members inside my User Defined Structure (i.e here WESContext) it increases but I am unable to conclude how it increases....? I need to generify this instruction so that whatever the Object is and whatever the size and whatever kind of data it contains....it should get pass by calling it with writing assembly instruction as written above.
Regards,
Usman

ecx is used as the count for the number of dwords to be copied by the rep movs instructions in line 5. It's copying data from the starting address pointed to by esi to the location starting at edi.
The value in ecx would be the size of the data that is being copied.