[panda-users] Fwd: PANDA_CB_BEFORE_BLOCK_EXEC doesn't fire for some basic blocks

Brendan Dolan-Gavitt brendandg at gatech.edu
Wed Apr 29 16:58:11 EDT 2015


Hi,

Are you running this on a replay or a live VM? If you are running it
on a live VM, then you will need to call panda_disable_tb_chaining()
in your plugin. Otherwise QEMU will create direct jumps between basic
blocks of generated code, which will skip over the basic block
callbacks.

We may want to move the location of that callback so that it works
even if TB chaining is turned on (i.e. by inserting it into generated
code directly, rather than putting it in the cpu_exec loop).

-Brendan

On Wed, Apr 29, 2015 at 4:50 PM, Igor R <boost.lists at gmail.com> wrote:
> Hello,
>
> I encountered a strange behavior of PANDA_CB_BEFORE_BLOCK_EXEC
> callback, and I'd appreciate any idea on the subject.
> Long story short: I noticed that this callback doesn't get called
> for some BBs which are part of a loop.
> I.e., during the first loop iteration all the BBs get invoked, but
> during the subsequent iterations some BBs are missing. (OTOH,
> PANDA_CB_INSN_EXEC seems to get called correctly for every iteration.)
> To get the minimal reproducing sample, I subscribe to this callback
> only, and print tb->pc for every BB lying within the main module of
> my process. I identify the process by a predefined "cookie".
>
> The program being tested is the following:
>
> #include <stdio.h>
>
> // to identify the process in PANDA plugin
> const int ID = 0x12345678;
>
> int main()
> {
>   int i = 0;
>   for ( ; i < 10; ++i)
>     printf("Hello!\n");
>   return 0;
> }
>
> ///////////
>
> The plugin is as follows:
>
>
> #include "config.h"
> #include "qemu-common.h"
> #include "cpu.h"
>
> #include "panda_plugin.h"
>
> #include <stdio.h>
> #include <stdlib.h>
>
> FILE *plugin_log;
>
> int before_block_callback(CPUState *env, TranslationBlock *tb)
> {
>   unsigned char buf[4];
>   cpu_memory_rw_debug(env, tb->pc, buf, 4, 0);
>   // print only BBs belonging to the main module of our process
>   if (*(int *)buf == 0x12345678 && tb->pc >= 0x08048320 && tb->pc < 0x080484b0)
>   {
>     fprintf(plugin_log, "0x%x\n", tb->pc);  // one block address per line
>     fflush(plugin_log);
>   }
>   return 0;
> }
>
>
> bool init_plugin(void *self)
> {
>   panda_enable_precise_pc();
>   plugin_log = fopen("test_loop.txt", "w+");
>   panda_cb pcb;
>   pcb.before_block_exec = before_block_callback;
>   panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
>   return true;
> }
>
> void uninit_plugin(void *self)
> {
>   fclose(plugin_log);
> }
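To make Brendan's explanation concrete, here is an added, self-contained model of QEMU's cpu_exec loop with and without TB chaining. It is illustrative code written for this page, not QEMU or PANDA source: the block names, the three-block loop (init, body, condition) standing in for Igor's ten-iteration printf loop, and the callback placement are constructed assumptions that mirror the mechanism described above, where the before_block_exec callback sits in the dispatch loop and a chained direct jump between translated blocks bypasses it. The real fix in a plugin is the panda_disable_tb_chaining() call from the reply; this model only shows why the counts differ.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not QEMU/PANDA code) of the cpu_exec loop with TB chaining.
 * Guest program: block 0 sets i = 0, block 1 is the loop body (the printf),
 * block 2 increments i and branches back to block 1 while i < LOOP_TRIPS. */
enum { BLOCK_INIT = 0, BLOCK_BODY = 1, BLOCK_COND = 2, NBLOCKS = 3, BLOCK_EXIT = -1 };
enum { LOOP_TRIPS = 10 };

typedef struct {
    unsigned long exec[NBLOCKS]; /* times each block really executed */
    unsigned long cb[NBLOCKS];   /* times the before_block_exec callback fired for it */
} Stats;

/* Execute one translated block; returns the index of the successor block. */
static int execute_block(int block, int *i)
{
    switch (block) {
    case BLOCK_INIT: *i = 0; return BLOCK_BODY;
    case BLOCK_BODY: /* printf("Hello!\n") in the guest */ return BLOCK_COND;
    case BLOCK_COND: ++*i; return (*i < LOOP_TRIPS) ? BLOCK_BODY : BLOCK_EXIT;
    default: return BLOCK_EXIT;
    }
}

/* Model of cpu_exec: the callback lives in this loop, so it only fires for
 * blocks entered from the loop. With chaining on, the first time block A
 * exits to block B the exit is patched into a direct jump, and later A->B
 * transitions stay inside generated code and never return here. */
static Stats run_guest(int chaining_enabled)
{
    Stats s;
    int chained_to[NBLOCKS];
    int i = 0;
    int cur = BLOCK_INIT;
    memset(&s, 0, sizeof s);
    for (int b = 0; b < NBLOCKS; b++) chained_to[b] = BLOCK_EXIT;

    while (cur != BLOCK_EXIT) {
        s.cb[cur]++;                      /* PANDA_CB_BEFORE_BLOCK_EXEC fires here */
        for (;;) {                        /* generated code runs from here */
            s.exec[cur]++;
            int next = execute_block(cur, &i);
            if (next == BLOCK_EXIT) { cur = next; break; }
            if (chaining_enabled && chained_to[cur] == next) {
                cur = next;               /* patched direct jump: callback skipped */
                continue;
            }
            if (chaining_enabled) chained_to[cur] = next; /* patch this exit */
            cur = next;
            break;                        /* back to the cpu_exec loop */
        }
    }
    return s;
}

/* Helpers so the two counters can be compared per block. */
static unsigned long callback_count(int chaining_enabled, int block)
{
    Stats s = run_guest(chaining_enabled);
    return s.cb[block];
}

static unsigned long exec_count(int chaining_enabled, int block)
{
    Stats s = run_guest(chaining_enabled);
    return s.exec[block];
}

/* Number of blocks that executed more often than their callback fired. */
static int blocks_with_missed_callbacks(int chaining_enabled)
{
    Stats s = run_guest(chaining_enabled);
    int n = 0;
    for (int b = 0; b < NBLOCKS; b++) if (s.cb[b] < s.exec[b]) n++;
    return n;
}

int main(void)
{
    for (int b = 0; b < NBLOCKS; b++)
        printf("block %d: executed %lu, callbacks with chaining %lu, without %lu\n",
               b, exec_count(1, b), callback_count(1, b), callback_count(0, b));
    return 0;
}
```

With chaining on, the model fires the callback for the loop body only twice (once on the initial entry, once when the back edge from the condition block is first taken) although the block runs ten times; with chaining off, every execution of every block comes back through the loop and the callback count equals the execution count, which is the behaviour Igor saw from PANDA_CB_INSN_EXEC and expected from PANDA_CB_BEFORE_BLOCK_EXEC.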
