i#7496 eret continuity: Set branch target using get_next_trace_pc() #7639
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…branch Adds logic in the drmemtrace scheduler to set the branch target of syscall- and switch-final indirect branch instructions (e.g., eret on AArch64) to the next instruction in the thread's trace. - The syscall-trace-final indirect branch now points to the next instruction as seen on the thread shard, which may be the syscall-fallthrough or the syscall instruction again for auto-restart syscalls. - The context-switch-trace-final indirect branch points to the next instruction of the new input. - When there is a syscall trace immediately followed by a switch trace, the syscall-final indirect branch still points to next instruction as seen on the thread shard. When reading the kernel trace templates, we discover and record the first instruction of the template, which we present as the next trace pc just prior to the trace's injection. Augments the get_next_trace_pc() implementation to return the next pc in the injected trace, when it is queried in the middle of dynamic injection. Enables invariant checks on the get_next_trace_pc() output during the dynamically injected part of the trace. Adds unit tests for: - analyzer parallel mode with syscall injection - scheduler syscall+switch injection that has some idles - extends existing syscall and switch scheduler tests Issue: #7496
|
I decided to create a new branch and PR for this approach and abandon #7614. The new logic added here is all different from #7614; scheduler_unit_tests.cpp is the only file that's kind of similar, so if you'd like to see the changes since your last #7614 review of that file, PTAL clients/drcachesim/tests/scheduler_unit_tests.cpp on https://github.com/DynamoRIO/dynamorio/compare/i7496-kernel-ibt-readahead..i7496-set-branch-target. |
derekbruening
approved these changes
Sep 20, 2025
Enables PC continuity checks in the invariant_checker that verify control flow continuity of the branch_target marker value to the post-syscall trace pc. Until #7639, the syscall-trace-end branch_target marker always held the syscall-fallthrough pc, but now it holds the pc of the actual next instr in the thread. This solves two previously-unhandled cases: auto-restart syscalls that resume control at the syscall pc itself, and control-transferring syscalls like sigreturn that resume control at some arbitrary pc. Also manually ran the invariant checker on two large internal app traces (x86 and aarch64), and confirmed that no unexpected invariant errors were reported. Issue: #7496
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds logic in the drmemtrace scheduler to set the branch target of syscall- and switch-final indirect branch instructions (e.g., eret on AArch64) to the next instruction in the thread's trace.
We use the memtrace_stream_t::get_next_trace_pc() API to discover the next trace pc that will be seen on a thread trace.
When reading the kernel trace templates, we discover and record the first instruction PC of the template, which we present as the next trace PC just prior to the trace's injection.
Augments the get_next_trace_pc() implementation to return the next pc in the injected trace, when it is queried in the middle of dynamic injection.
Enables invariant checks on the get_next_trace_pc() output during the dynamically injected part of the trace. Enables PC continuity checks in the invariant_checker that verify control flow continuity of the branch_target marker value to the post-syscall trace pc.
Adds unit tests to verify get_next_trace_pc() output, and kernel-trace-final indirect branch target values in various modes of operation:
Also manually ran the invariant checker on two large internal app traces (x86 and aarch64), and confirmed that no unexpected invariant errors were reported.
Issue: #7496