llvm-project/lldb/examples/darwin/heap_find/heap.py

494 lines
24 KiB
Python

#!/usr/bin/python
#----------------------------------------------------------------------
# This module is designed to live inside the "lldb" python package
# in the "lldb.macosx" package. To use this in the embedded python
# interpreter using "lldb" just import it:
#
# (lldb) script import lldb.macosx.heap
#----------------------------------------------------------------------
import lldb
import commands
import optparse
import os
import os.path
import re
import shlex
import string
import tempfile
import lldb.utils.symbolication
g_libheap_dylib_dir = None
g_libheap_dylib_dict = dict()
g_verbose = False
def load_dylib():
if lldb.target:
global g_libheap_dylib_dir
global g_libheap_dylib_dict
triple = lldb.target.triple
if triple in g_libheap_dylib_dict:
libheap_dylib_path = g_libheap_dylib_dict[triple]
else:
if not g_libheap_dylib_dir:
g_libheap_dylib_dir = tempfile.gettempdir() + '/lldb-dylibs'
triple_dir = g_libheap_dylib_dir + '/' + triple + '/' + __name__
if not os.path.exists(triple_dir):
os.makedirs(triple_dir)
libheap_dylib_path = triple_dir + '/libheap.dylib'
g_libheap_dylib_dict[triple] = libheap_dylib_path
heap_code_directory = os.path.dirname(__file__) + '/heap'
heap_source_file = heap_code_directory + '/heap_find.cpp'
# Check if the dylib doesn't exist, or if "heap_find.cpp" is newer than the dylib
if not os.path.exists(libheap_dylib_path) or os.stat(heap_source_file).st_mtime > os.stat(libheap_dylib_path).st_mtime:
# Remake the dylib
make_command = '(cd "%s" ; make EXE="%s" ARCH=%s)' % (heap_code_directory, libheap_dylib_path, string.split(triple, '-')[0])
(make_exit_status, make_output) = commands.getstatusoutput(make_command)
if make_exit_status != 0:
return 'error: make failed: %s' % (make_output)
if os.path.exists(libheap_dylib_path):
libheap_dylib_spec = lldb.SBFileSpec(libheap_dylib_path)
if lldb.target.FindModule(libheap_dylib_spec):
return None # success, 'libheap.dylib' already loaded
if lldb.process:
state = lldb.process.state
if state == lldb.eStateStopped:
(libheap_dylib_path)
error = lldb.SBError()
image_idx = lldb.process.LoadImage(libheap_dylib_spec, error)
if error.Success():
return None
else:
if error:
return 'error: %s' % error
else:
return 'error: "process load \'%s\'" failed' % libheap_dylib_spec
else:
return 'error: process is not stopped'
else:
return 'error: invalid process'
else:
return 'error: file does not exist "%s"' % libheap_dylib_path
else:
return 'error: invalid target'
debugger.HandleCommand('process load "%s"' % libheap_dylib_path)
if lldb.target.FindModule(libheap_dylib_spec):
return None # success, 'libheap.dylib' already loaded
return 'error: failed to load "%s"' % libheap_dylib_path
def get_member_types_for_offset(value_type, offset, member_list):
member = value_type.GetFieldAtIndex(0)
search_bases = False
if member:
if member.GetOffsetInBytes() <= offset:
for field_idx in range (value_type.GetNumberOfFields()):
member = value_type.GetFieldAtIndex(field_idx)
member_byte_offset = member.GetOffsetInBytes()
member_end_byte_offset = member_byte_offset + member.type.size
if member_byte_offset <= offset and offset < member_end_byte_offset:
member_list.append(member)
get_member_types_for_offset (member.type, offset - member_byte_offset, member_list)
return
else:
search_bases = True
else:
search_bases = True
if search_bases:
for field_idx in range (value_type.GetNumberOfDirectBaseClasses()):
member = value_type.GetDirectBaseClassAtIndex(field_idx)
member_byte_offset = member.GetOffsetInBytes()
member_end_byte_offset = member_byte_offset + member.type.size
if member_byte_offset <= offset and offset < member_end_byte_offset:
member_list.append(member)
get_member_types_for_offset (member.type, offset - member_byte_offset, member_list)
return
for field_idx in range (value_type.GetNumberOfVirtualBaseClasses()):
member = value_type.GetVirtualBaseClassAtIndex(field_idx)
member_byte_offset = member.GetOffsetInBytes()
member_end_byte_offset = member_byte_offset + member.type.size
if member_byte_offset <= offset and offset < member_end_byte_offset:
member_list.append(member)
get_member_types_for_offset (member.type, offset - member_byte_offset, member_list)
return
def append_regex_callback(option, opt, value, parser):
try:
ivar_regex = re.compile(value)
parser.values.ivar_regex_blacklist.append(ivar_regex)
except:
print 'error: an exception was thrown when compiling the ivar regular expression for "%s"' % value
def add_common_options(parser):
parser.add_option('-v', '--verbose', action='store_true', dest='verbose', help='display verbose debug info', default=False)
parser.add_option('-t', '--type', action='store_true', dest='print_type', help='print the full value of the type for each matching malloc block', default=False)
parser.add_option('-o', '--po', action='store_true', dest='print_object_description', help='print the object descriptions for any matches', default=False)
parser.add_option('-m', '--memory', action='store_true', dest='memory', help='dump the memory for each matching block', default=False)
parser.add_option('-f', '--format', type='string', dest='format', help='the format to use when dumping memory if --memory is specified', default=None)
parser.add_option('-I', '--omit-ivar-regex', type='string', action='callback', callback=append_regex_callback, dest='ivar_regex_blacklist', default=[], help='specify one or more regular expressions used to backlist any matches that are in ivars')
parser.add_option('-s', '--stack', action='store_true', dest='stack', help='gets the stack that allocated each malloc block if MallocStackLogging is enabled', default=False)
parser.add_option('-S', '--stack-history', action='store_true', dest='stack_history', help='gets the stack history for all allocations whose start address matches each malloc block if MallocStackLogging is enabled', default=False)
parser.add_option('-M', '--max-matches', type='int', dest='max_matches', help='the maximum number of matches to print', default=256)
parser.add_option('-O', '--offset', type='int', dest='offset', help='the matching data must be at this offset', default=-1)
def dump_stack_history_entry(result, stack_history_entry, idx):
address = int(stack_history_entry.address)
if address:
type_flags = int(stack_history_entry.type_flags)
symbolicator = lldb.utils.symbolication.Symbolicator()
symbolicator.target = lldb.target
type_str = ''
if type_flags == 0:
type_str = 'free'
else:
if type_flags & 2:
type_str = 'alloc'
elif type_flags & 4:
type_str = 'free'
elif type_flags & 1:
type_str = 'generic'
else:
type_str = hex(type_flags)
result.AppendMessage('stack[%u]: addr = 0x%x, type=%s, frames:' % (idx, address, type_str))
frame_idx = 0
idx = 0
pc = int(stack_history_entry.frames[idx])
while pc != 0:
if pc >= 0x1000:
frames = symbolicator.symbolicate(pc)
if frames:
for frame in frames:
result.AppendMessage(' [%u] %s' % (frame_idx, frame))
frame_idx += 1
else:
result.AppendMessage(' [%u] 0x%x' % (frame_idx, pc))
frame_idx += 1
idx = idx + 1
pc = int(stack_history_entry.frames[idx])
else:
pc = 0
result.AppendMessage('')
def dump_stack_history_entries(result, addr, history):
# malloc_stack_entry *get_stack_history_for_address (const void * addr)
expr = 'get_stack_history_for_address((void *)0x%x, %u)' % (addr, history)
expr_sbvalue = lldb.frame.EvaluateExpression (expr)
if expr_sbvalue.error.Success():
if expr_sbvalue.unsigned:
expr_value = lldb.value(expr_sbvalue)
idx = 0;
stack_history_entry = expr_value[idx]
while int(stack_history_entry.address) != 0:
dump_stack_history_entry(result, stack_history_entry, idx)
idx = idx + 1
stack_history_entry = expr_value[idx]
else:
result.AppendMessage('"%s" returned zero' % (expr))
else:
result.AppendMessage('error: expression failed "%s" => %s' % (expr, expr_sbvalue.error))
def display_match_results (result, options, arg_str_description, expr_sbvalue, print_no_matches = True):
if expr_sbvalue.error.Success():
if expr_sbvalue.unsigned:
match_value = lldb.value(expr_sbvalue)
i = 0
match_idx = 0
while 1:
print_entry = True
match_entry = match_value[i]; i += 1
if i >= options.max_matches:
result.AppendMessage('error: the max number of matches (%u) was reached, use the --max-matches option to get more results' % (options.max_matches))
break
malloc_addr = match_entry.addr.sbvalue.unsigned
if malloc_addr == 0:
break
malloc_size = int(match_entry.size)
offset = int(match_entry.offset)
if options.offset >= 0 and options.offset != offset:
print_entry = False
else:
match_addr = malloc_addr + offset
dynamic_value = match_entry.addr.sbvalue.GetDynamicValue(lldb.eDynamicCanRunTarget)
description = '[%u] %s: addr = 0x%x' % (match_idx, arg_str_description, malloc_addr)
if offset != 0:
description += ' + %u' % (offset)
description += ', size = %u' % (malloc_size)
derefed_dynamic_value = None
if dynamic_value.type.name == 'void *':
if options.type == 'pointer' and malloc_size == 4096:
error = lldb.SBError()
data = bytearray(lldb.process.ReadMemory(malloc_addr, 16, error))
if data == '\xa1\xa1\xa1\xa1AUTORELEASE!':
description += ', type = (AUTORELEASE!)'
else:
derefed_dynamic_value = dynamic_value.deref
if derefed_dynamic_value:
derefed_dynamic_type = derefed_dynamic_value.type
derefed_dynamic_type_size = derefed_dynamic_type.size
derefed_dynamic_type_name = derefed_dynamic_type.name
description += ', type = %s <%u>' % (derefed_dynamic_type_name, derefed_dynamic_type_size)
if offset < derefed_dynamic_type_size:
member_list = list();
get_member_types_for_offset (derefed_dynamic_type, offset, member_list)
if member_list:
member_path = ''
for member in member_list:
member_name = member.name
if member_name:
if member_path:
member_path += '.'
member_path += member_name
if member_path:
if options.ivar_regex_blacklist:
for ivar_regex in options.ivar_regex_blacklist:
if ivar_regex.match(member_path):
print_entry = False
description += ', ivar = %s' % (member_path)
if print_entry:
match_idx += 1
if description:
result.AppendMessage(description)
if options.print_type and derefed_dynamic_value:
result.AppendMessage('%s' % (derefed_dynamic_value))
if options.print_object_description and dynamic_value:
desc = dynamic_value.GetObjectDescription()
if desc:
result.AppendMessage(', po=%s' % (desc))
if options.memory:
cmd_result = lldb.SBCommandReturnObject()
memory_command = "memory read -f %s 0x%x 0x%x" % (options.format, malloc_addr, malloc_addr + malloc_size)
lldb.debugger.GetCommandInterpreter().HandleCommand(memory_command, cmd_result)
result.AppendMessage(cmd_result.GetOutput())
if options.stack_history:
dump_stack_history_entries(result, malloc_addr, 1)
elif options.stack:
dump_stack_history_entries(result, malloc_addr, 0)
return i
elif print_no_matches:
result.AppendMessage('no matches found for %s' % (arg_str_description))
else:
result.AppendMessage(expr_sbvalue.error )
return 0
def heap_search(result, options, arg_str):
dylid_load_err = load_dylib()
if dylid_load_err:
result.AppendMessage(dylid_load_err)
return
expr = None
arg_str_description = arg_str
if options.type == 'pointer':
expr = 'find_pointer_in_heap((void *)%s)' % (arg_str)
arg_str_description = 'malloc block containing pointer %s' % arg_str
if options.format == None:
options.format = "A" # 'A' is "address" format
elif options.type == 'isa':
expr = 'find_pointer_in_heap((void *)%s)' % (arg_str)
arg_str_description = 'objective C classes with isa %s' % arg_str
options.offset = 0
if options.format == None:
options.format = "A" # 'A' is "address" format
elif options.type == 'cstr':
expr = 'find_cstring_in_heap("%s")' % arg_str
arg_str_description = 'malloc block containing "%s"' % arg_str
elif options.type == 'addr':
expr = 'find_block_for_address((void *)%s)' % arg_str
arg_str_description = 'malloc block for %s' % arg_str
else:
result.AppendMessage('error: invalid type "%s"\nvalid values are "pointer", "cstr"' % options.type)
return
if options.format == None:
options.format = "Y" # 'Y' is "bytes with ASCII" format
display_match_results (result, options, arg_str_description, lldb.frame.EvaluateExpression (expr))
def ptr_refs(debugger, command, result, dict):
command_args = shlex.split(command)
usage = "usage: %prog [options] <EXPR> [EXPR ...]"
description='''Searches the heap for pointer references on darwin user space programs.
Any matches that were found will dump the malloc blocks that contain the pointers
and might be able to print what kind of objects the pointers are contained in using
dynamic type information in the program.'''
parser = optparse.OptionParser(description=description, prog='ptr_refs',usage=usage)
add_common_options(parser)
try:
(options, args) = parser.parse_args(command_args)
except:
return
options.type = 'pointer'
if args:
for data in args:
heap_search (result, options, data)
else:
resultresult.AppendMessage('error: no pointer arguments were given')
def cstr_refs(debugger, command, result, dict):
command_args = shlex.split(command)
usage = "usage: %prog [options] <CSTR> [CSTR ...]"
description='''Searches the heap for C string references on darwin user space programs.
Any matches that were found will dump the malloc blocks that contain the C strings
and might be able to print what kind of objects the pointers are contained in using
dynamic type information in the program.'''
parser = optparse.OptionParser(description=description, prog='cstr_refs',usage=usage)
add_common_options(parser)
try:
(options, args) = parser.parse_args(command_args)
except:
return
options.type = 'cstr'
if args:
for data in args:
heap_search (result, options, data)
else:
result.AppendMessage('error: no c string arguments were given to search for');
def malloc_info(debugger, command, result, dict):
command_args = shlex.split(command)
usage = "usage: %prog [options] <EXPR> [EXPR ...]"
description='''Searches the heap a malloc block that contains the addresses specified as arguments.
Any matches that were found will dump the malloc blocks that match or contain
the specified address. The matching blocks might be able to show what kind
of objects they are using dynamic type information in the program.'''
parser = optparse.OptionParser(description=description, prog='cstr_refs',usage=usage)
add_common_options(parser)
try:
(options, args) = parser.parse_args(command_args)
except:
return
options.type = 'addr'
if args:
for data in args:
heap_search (result, options, data)
else:
result.AppendMessage('error: no c string arguments were given to search for')
def malloc_history(debugger, command, result, dict):
command_args = shlex.split(command)
usage = "usage: %prog [options] <EXPR> [EXPR ...]"
description='''Gets the allocation history for an expression whose result is an address.
Programs should set the MallocStackLogging=1 in the environment to enable stack history. This can be done
with "process launch -v MallocStackLogging=1 -- [arg1 ...]"'''
dylid_load_err = load_dylib()
if dylid_load_err:
result.AppendMessage(dylid_load_err)
else:
if command_args:
for addr_expr_str in command_args:
expr_sbvalue = lldb.frame.EvaluateExpression (addr_expr_str)
if expr_sbvalue.error.Success():
addr = expr_sbvalue.unsigned
if addr != 0:
dump_stack_history_entries (addr, 1)
else:
result.AppendMessage('error: expression error for "%s": %s' % (addr_expr_str, expr_sbvalue.error))
else:
result.AppendMessage('error: no address expressions were specified')
def section_ptr_refs(debugger, command, result, dict):
command_args = shlex.split(command)
usage = "usage: %prog [options] <EXPR> [EXPR ...]"
description='''Searches section contents for pointer values in darwin user space programs.'''
parser = optparse.OptionParser(description=description, prog='section_ptr_refs',usage=usage)
add_common_options(parser)
parser.add_option('--section', action='append', type='string', dest='section_names', help='section name to search', default=list())
try:
(options, args) = parser.parse_args(command_args)
except:
return
options.type = 'pointer'
sections = list()
section_modules = list()
if not options.section_names:
result.AppendMessage('error: at least one section must be specified with the --section option')
return
for module in lldb.target.modules:
for section_name in options.section_names:
section = module.section[section_name]
if section:
sections.append (section)
section_modules.append (module)
if sections:
dylid_load_err = load_dylib()
if dylid_load_err:
result.AppendMessage(dylid_load_err)
return
for expr_str in args:
for (idx, section) in enumerate(sections):
expr = 'find_pointer_in_memory(0x%xllu, %ullu, (void *)%s)' % (section.addr.load_addr, section.size, expr_str)
arg_str_description = 'section %s.%s containing "%s"' % (section_modules[idx].file.fullpath, section.name, expr_str)
num_matches = display_match_results (result, options, arg_str_description, lldb.frame.EvaluateExpression (expr), False)
if num_matches:
if num_matches < options.max_matches:
options.max_matches = options.max_matches - num_matches
else:
options.max_matches = 0
if options.max_matches == 0:
return
else:
result.AppendMessage('error: no sections were found that match any of %s' % (', '.join(options.section_names)))
def objc_refs(debugger, command, result, dict):
command_args = shlex.split(command)
usage = "usage: %prog [options] <EXPR> [EXPR ...]"
description='''Find all heap allocations given one or more objective C class names.'''
parser = optparse.OptionParser(description=description, prog='object_refs',usage=usage)
add_common_options(parser)
try:
(options, args) = parser.parse_args(command_args)
except:
return
dylid_load_err = load_dylib()
if dylid_load_err:
result.AppendMessage(dylid_load_err)
else:
if args:
for class_name in args:
addr_expr_str = "(void *)[%s class]" % class_name
expr_sbvalue = lldb.frame.EvaluateExpression (addr_expr_str)
if expr_sbvalue.error.Success():
isa = expr_sbvalue.unsigned
if isa:
options.type = 'isa'
heap_search (result, options, '0x%x' % isa)
else:
result.AppendMessage('error: Can\'t find isa for an ObjC class named "%s"' % (class_name))
else:
result.AppendMessage('error: expression error for "%s": %s' % (addr_expr_str, expr_sbvalue.error))
else:
result.AppendMessage('error: no address expressions were specified')
if __name__ == '__main__':
lldb.debugger = lldb.SBDebugger.Create()
# This initializer is being run from LLDB in the embedded command interpreter
# Add any commands contained in this module to LLDB
lldb.debugger.HandleCommand('command script add -f lldb.macosx.heap.ptr_refs ptr_refs')
lldb.debugger.HandleCommand('command script add -f lldb.macosx.heap.cstr_refs cstr_refs')
lldb.debugger.HandleCommand('command script add -f lldb.macosx.heap.malloc_info malloc_info')
lldb.debugger.HandleCommand('command script add -f lldb.macosx.heap.malloc_history malloc_history')
lldb.debugger.HandleCommand('command script add -f lldb.macosx.heap.section_ptr_refs section_ptr_refs')
lldb.debugger.HandleCommand('command script add -f lldb.macosx.heap.objc_refs objc_refs')
print '"ptr_refs", "cstr_refs", "malloc_info", "malloc_history" and "section_ptr_refs" commands have been installed, use the "--help" options on these commands for detailed help.'