Description
Hello there,
I am currently using an approach similar to PANDA, embedding callbacks into QEMU's v8 source code for malware research in my master's thesis. One of my core needs is to keep track of currently called, but not yet returned, procedures. This is where a shadow callstack becomes very useful.
My shadow callstack implementation (in C) encountered some issues with determining when to pop and ensuring the return is correct. My approach was to add boolean variables `is_call` and `is_ret` (with respect to the parsed opcodes in that TB) to the TranslationBlock data structure at translation time.
On a call, I push the `pc` to the callstack and hook the return address. When the hook is executed, it pops the callstack until it reaches a stored stack index referring to the earlier pushed `pc`.
Coming across your implementation of the callstack_instr plugin, I learned about the interrupts! Earlier I had totally missed them, which probably screwed up my shadow callstack.
What confuses me about your implementation is that you pop up to 10 TBs before TB execution (if it was not interrupted):
```cpp
// Search up to 10 frames down the shadow stack for the current TB's pc
for (int i = v.size() - 1; i > ((int)(v.size() - 10)) && i >= 0; i--) {
    if (tb->pc == v[i].pc) {
        // Treat it as a return and discard that frame and everything above it
        PPP_RUN_CB(on_ret, cpu, w[i]);
        v.erase(v.begin() + i, v.end());
        w.erase(w.begin() + i, w.end());
        break;
    }
}
```
My new approach uses an additional map that is stack-segregated, with the return address (`tb->pc + tb->size`) as the key and a simple uint as a counter. On every call, I add the return address with a count of 1, or increment it if it already exists.
Before every TB execution, I check whether the current `pc` is in that map. If so, I pop the callstack until the return address is found. Then, I decrease the related value in the map by one or remove it if it would be zero.
I'm confused and wondering if I'm misunderstanding something.
I'd love some feedback on whether my approach is totally off and the current one in callstack_instr is the sensible one.
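As an added illustration (not code from the issue author or from PANDA's callstack_instr), here is a self-contained C simulation of the return-address-counter scheme described in the post, with the depth-bounded search from the quoted plugin snippet available as a parameter for comparison. The `tb_t` record, the fixed-size arrays standing in for the map and the stack, and every address and TB size in the trace are invented for the example. One choice the post does not spell out is made explicit here: when unwinding discards stale frames (left behind by interrupts or by a callee that never returned normally), their pending counts are decremented too, so the map does not accumulate entries for returns that will never happen.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAMES 64
#define MAX_PENDING 64

/* Hypothetical stand-in for the TB fields the post refers to. */
typedef struct { uint64_t pc; uint64_t size; int is_call; } tb_t;

/* Return address -> number of not-yet-returned calls that will come back to it. */
typedef struct { uint64_t ret_addr; unsigned count; } pending_t;

typedef struct {
    uint64_t frames[MAX_FRAMES];    /* shadow stack of expected return addresses */
    int depth;
    pending_t pending[MAX_PENDING]; /* the "map" from the post, as a flat array */
    int npending;
    int returns_seen;               /* returns matched against a pushed frame */
    int stale_frames_dropped;       /* frames discarded while unwinding */
} shadow_t;

static pending_t *find_pending(shadow_t *s, uint64_t ra) {
    for (int i = 0; i < s->npending; i++)
        if (s->pending[i].ret_addr == ra) return &s->pending[i];
    return NULL;
}

/* Decrement a pending count; remove the entry when it reaches zero. */
static void pending_dec(shadow_t *s, uint64_t ra) {
    pending_t *p = find_pending(s, ra);
    if (!p) return;
    if (--p->count == 0) *p = s->pending[--s->npending]; /* swap-remove */
}

/* Call TB: push its fall-through address and record it as pending. */
static void on_call(shadow_t *s, const tb_t *tb) {
    uint64_t ra = tb->pc + tb->size;
    if (s->depth < MAX_FRAMES) s->frames[s->depth++] = ra;
    pending_t *p = find_pending(s, ra);
    if (p) { p->count++; return; }
    if (s->npending < MAX_PENDING) {
        s->pending[s->npending].ret_addr = ra;
        s->pending[s->npending].count = 1;
        s->npending++;
    }
}

/* Before a TB runs: only a pc that is a pending return address can be a
 * return. Search down at most max_depth frames (0 = whole stack, as in the
 * post; 10 mimics the quoted plugin loop). On a match, drop every frame above
 * it, fix the pending counts, and report 1; otherwise report 0. */
static int before_tb(shadow_t *s, const tb_t *tb, int max_depth) {
    if (!find_pending(s, tb->pc)) return 0;
    int floor_idx = (max_depth > 0 && s->depth > max_depth) ? s->depth - max_depth : 0;
    for (int i = s->depth - 1; i >= floor_idx; i--) {
        if (s->frames[i] != tb->pc) continue;
        for (int j = s->depth - 1; j > i; j--) { /* stale frames above the match */
            pending_dec(s, s->frames[j]);
            s->stale_frames_dropped++;
        }
        s->depth = i;
        s->returns_seen++;
        pending_dec(s, tb->pc);
        return 1;
    }
    return 0;
}

/* Drive one TB through the hooks in the order the post describes. */
static void step(shadow_t *s, const tb_t *tb, int max_depth) {
    before_tb(s, tb, max_depth);
    if (tb->is_call) on_call(s, tb);
}

/* Constructed scenario: main calls A, A calls B, B calls C, C is abandoned
 * (think of a longjmp-style path) and control lands directly on B's return
 * address, then A returns to main. All addresses are invented. */
static shadow_t run_scenario(int max_depth) {
    shadow_t s = {0};
    const tb_t trace[] = {
        {0x1000, 5, 1}, /* main: call A -> expects return to 0x1005 */
        {0x2000, 5, 1}, /* A:    call B -> expects return to 0x2005 */
        {0x3000, 5, 1}, /* B:    call C -> expects return to 0x3005 */
        {0x4000, 8, 0}, /* C body; never returns the normal way */
        {0x2005, 3, 0}, /* back in A at B's return address; C's frame is stale */
        {0x1005, 3, 0}, /* back in main at A's return address */
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        step(&s, &trace[i], max_depth);
    return s;
}

int main(void) {
    shadow_t s = run_scenario(0);
    printf("depth=%d returns=%d stale_dropped=%d pending=%d\n",
           s.depth, s.returns_seen, s.stale_frames_dropped, s.npending);
    return 0;
}
```

Running the scenario ends with an empty shadow stack, two matched returns, one stale frame dropped and no leftover pending entries; without the extra decrement in the unwinding loop, the entry for `0x3005` would stay in the map forever and a later unrelated TB at that address would be misread as a return.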