[llvm-dev] Instruction boundaries

via llvm-dev llvm-dev at lists.llvm.org
Tue Jun 26 08:36:29 PDT 2018 

Hi Muhui,
You are correct that the DWARF line table does not itemize every instruction. This is to reduce the size of the table.  DWARF assumes that any consumer of the line table will understand how to decode instructions on the target machine and be able to find successive instructions.  However, every address that *is* specified in the DWARF line table should be an actual instruction (except for an end_sequence).

If you want to distinguish instructions from jump tables, I think your only choice is to instrument the AsmPrinter or MC layer in the compiler.  DWARF does not provide that level of detail.  An LLVM IR pass simply cannot provide you with information about the final machine instructions.
--paulr

From: Muhui Jiang [mailto:jiangmuhui at gmail.com]
Sent: Tuesday, June 26, 2018 10:44 AM
To: Robinson, Paul
Cc: Yajin; llvm-dev
Subject: Re: [llvm-dev] Instruction boundaries

Hi paulr

Thanks for your very quick and detail reply. Now I understand something more but I still have the following questions.

As I said before, my goal is to know where the instructions are in one specific binary. In other words, instruction boundary.

Dwarf info will give us some information like function boundary. However, there might be some inline data inside the function. Thus, I may need the help from LLVM and Dwarf and combine them together.

Now according to my observation. Addresses listed in Dwarf line table are not always instructions and not all the instructions are listed inside the dwarf line table. Thus, Dwarf may not able to help me so much.

I try to use LLVM to write some pass. However, the LLVM pass is on the LLVM IR level and it only provides source level debugging information.  I still need Dwarf line mapping table for binary level information.

So generally speaking, I still don't know how or whether it is possible to use LLVM to get the ground truth of instruction boundary.

For a specific example, you could observe in the previous email that 0xa3a4 is an instruction and 0xa3a8 is an data for jump table(the jump table will start from 0xa3a8 and end at 0xa7d4). However, no information is related to these two addresses(0xa3a4 and 0xa3a8). I cannot get the instruction's ground truth. Thank you so much and if you need more information, please tell me. Many Thanks

Regards
Muhui

2018-06-26 10:14 GMT-04:00 <paul.robinson at sony.com<mailto:paul.robinson at sony.com>>:
I'm not familiar with the target instruction set, but if "MOV PC, R0" is not a return instruction, I'm guessing that the sequence starting at A39C is a dispatch through a jump table.  The jump table would be considered part of the instruction stream and included in the scope of the line table.  This is not a case where you would see end_sequence; my mistake.

The line table does not list every individual instruction.  For compactness, it lists instructions only when the associated source location changes.  All instructions between successive entries of the line table would have the same source location.

Line 0 indicates one of two things.  First, some optimizations might combine instructions from different source locations into a single new instruction.  Because the source location is now ambiguous, we report line 0 rather than arbitrarily choosing one of the original source locations. This is a known deficiency in how DWARF represents source locations for instructions.  It will require a change to the DWARF specification to address this problem.
Second, there might not be a specific source location for some instructions. This is most common for things like code to call global initializers prior to the start of the 'main()' function, but can occur in other situations.

I hope this addresses at least some of your questions.  I am happy to continue this discussion if some questions remain or if you have new questions.
--paulr
From: Muhui Jiang [mailto:jiangmuhui at gmail.com<mailto:jiangmuhui at gmail.com>]
Sent: Tuesday, June 26, 2018 9:38 AM

To: Robinson, Paul
Cc: Yajin; llvm-dev
Subject: Re: [llvm-dev] Instruction boundaries

Hi Paulr

I am using the llvm-dwarfdump. This is not the end of the function, thus there is no 'end_sequence' reported. Here I just want to give you an exception because you said that all the instructions should be listed inside dwarf line table. However, I found that it will lost some instructions. And some instruction's source line is zero.

Besides, I also noticed that inline data is listed inside the line table.

Regards
Muhui

2018-06-26 9:08 GMT-04:00 <paul.robinson at sony.com<mailto:paul.robinson at sony.com>>:
There should be a line-table entry for the end of the function, which appears to be missing from the dump you provided.  llvm-dwarfdump should report this address with 'end_sequence' in the Flags.  Are you using a different dumper?

I am not sure but my guess would be that inline data is not represented in the line table.  The line table's primary purpose is to inform the debugger about good breakpoint locations, and clearly you do not want to set breakpoints in data.  Inline data is probably contained within the code ranges described in the DW_TAG_subprogram, however.
--paulr

From: Muhui Jiang [mailto:jiangmuhui at gmail.com<mailto:jiangmuhui at gmail.com>]
Sent: Tuesday, June 26, 2018 1:44 AM
To: Robinson, Paul
Cc: Yajin; llvm-dev
Subject: Re: [llvm-dev] Instruction boundaries

Hi Paulr

According to my observation. Not all the instructions are listed in the line table.

For example.  We have address 0xa3a0 and 0xa3a4 as the instructions

.text:0000A394                 CMP     R1, #0x42
.text:0000A398                 BHI     loc_AB70
.text:0000A39C                 ADR     R1, off_A3A8
.text:0000A3A0                 LDR     R0, [R1,R0,LSL#2]
.text:0000A3A4                 MOV     PC, R0
.text:0000A3A4 ; ---------------------------------------------------------------------------
.text:0000A3A8 off_A3A8        DCD loc_AB3C            ; DATA XREF: main+AC↑o
.text:0000A3AC                 DCD loc_AB34
.text:0000A3B0                 DCD loc_AB70
.text:0000A3B4                 DCD loc_AB70

However, inside the line table. The description is end at 0xa39c. Do you have any ideas?

  196 0x000000000000a38c    956      7      1   0             0
  197 0x000000000000a39c      0      7      1   0             0
  198 0x000000000000a7d8    959     27      1   0             0  is_stmt
  199 0x000000000000a7f8    959     25      1   0             0
  200 0x000000000000a7fc    961     11      1   0             0  is_stmt
  201 0x000000000000a800    964     15      1   0             0  is_stmt
  202 0x000000000000a808    964     15      1   0             0

Regards
Muhui


2018-06-25 23:31 GMT-04:00 Muhui Jiang <jiangmuhui at gmail.com<mailto:jiangmuhui at gmail.com>>:
Hi paulr

Thanks for your reply. Though DWARF info give me the code address ranges, there might be inline data. If so, how to handle this case?

As for the dwarf line table. Sometimes, the source line might be zero. Do you know why? If all instructions should be describe in the line table, I think analyzing Dwarf line table is enough to get all the instructions addresses. Do you agree?

I would also cc my supervisor for the discussion.

Regards
Muhui

<paul.robinson at sony.com<mailto:paul.robinson at sony.com>>于2018年6月26日 周二上午2:38写道:
The main DWARF info should provide the code address ranges for each function, as well as the starting source location.  You could then use the line table to map code ranges to individual source lines.  That could give you a reasonable grasp of the source range for each function.
All addresses in the DWARF line table will be instruction addresses.  And in fact, all instructions should be described in the line table (assuming all source was compiled with debug info).
--paulr

From: llvm-dev [mailto:llvm-dev-bounces at lists.llvm.org<mailto:llvm-dev-bounces at lists.llvm.org>] On Behalf Of Muhui Jiang via llvm-dev
Sent: Monday, June 25, 2018 11:36 AM
To: llvm-dev
Subject: [llvm-dev] Instruction boundaries

Hi

I was wondering whether there are any methods to know what part of the target binary is code.

I have some ideas and hope to get your comments.

I would like to use LLVM's source level debugging information to extract the source lines belonging to every functions. Then use the dwarf mapping table to transfer the  source level information to binary address. Are there any better methods?

Besides, is the address listed inside dwarf line mapping table must be code rather than data?

Regards
Muhui



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20180626/9bcf223d/attachment-0001.html>

More information about the llvm-dev mailing list