Detect when 5 level paging was used during recording but is not available during replay. (#3900)

khuey · web-flow · commit 6ef3252b1488 · 2025-01-23T12:46:00.000-08:00
Support (or lack thereof) for 56 bit addresses is a trace portability hazard
that we want to detect up front. We record the maximum width of virtual
addresses used in the trace, which is trivially observable from the addresses that
pass through AddressSpace::map. Then during replay of a trace that uses 5
level paging we attempt to map something above the standard 47 bit address
space, and if it fails, we die with a useful error message.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1134,6 +1134,7 @@ set(BASIC_TESTS
   kill_newborn
   kill_ptracee
   landlock
+  x86/la57
   large_hole
   large_write_deadlock
   legacy_ugid
diff --git a/src/AddressSpace.cc b/src/AddressSpace.cc
@@ -818,6 +818,17 @@ KernelMapping AddressSpace::map(Task* t, remote_ptr<void> addr,
     return m;
   }
 
+  if (t->session().is_recording()) {
+    uint8_t bits = virtual_address_size(t->arch(), addr + num_bytes - 1);
+    // NB: Ignore addresses with no leading zeroes on 64 bit architectures
+    // (where they are in the kernel) but not on 32 bit x86 (where the
+    // 2-3GB range is available to userspace).
+    if (bits != 64) {
+      static_cast<RecordTask*>(t)->
+        trace_writer().note_virtual_address_size(bits);
+    }
+  }
+
   remove_range(dont_fork, MemoryRange(addr, num_bytes));
   remove_range(wipe_on_fork, MemoryRange(addr, num_bytes));
 
diff --git a/src/ReplaySession.cc b/src/ReplaySession.cc
@@ -270,6 +270,8 @@ ReplaySession::ReplaySession(const std::string& dir, const Flags& flags)
   }
 
   set_intel_pt_enabled(flags.intel_pt_start_checking_event >= 0);
+
+  check_virtual_address_size();
 }
 
 ReplaySession::ReplaySession(const ReplaySession& other)
@@ -303,6 +305,22 @@ ReplaySession::~ReplaySession() {
   DEBUG_ASSERT(emufs().size() == 0);
 }
 
+void ReplaySession::check_virtual_address_size() const
+{
+  uint8_t virtual_address_size_needed = trace_in.max_virtual_address_size();
+  if (virtual_address_size_supported(virtual_address_size_needed)) {
+    return;
+  }
+
+  if (rr::Flags::get().force_things) {
+    LOG(warn) << "Virtual address size is unsupported but forcing anyways.";
+    return;
+  }
+
+  CLEAN_FATAL() << "The trace uses " << (uint32_t)virtual_address_size_needed <<
+      " bit virtual addresses but this system does not support that size.";
+}
+
 ReplaySession::shr_ptr ReplaySession::clone() {
   LOG(debug) << "Deepforking ReplaySession " << this << " ...";
 
diff --git a/src/ReplaySession.h b/src/ReplaySession.h
@@ -380,6 +380,8 @@ class ReplaySession final : public Session {
   ReplaySession(const std::string& dir, const Flags& flags);
   ReplaySession(const ReplaySession& other);
 
+  void check_virtual_address_size() const;
+
   ReplayTask* revive_task_for_exec();
   ReplayTask* setup_replay_one_trace_frame(ReplayTask* t);
   void advance_to_next_trace_frame();
diff --git a/src/TraceInfoCommand.cc b/src/TraceInfoCommand.cc
@@ -97,6 +97,11 @@ static int dump_trace_info(const string& trace_dir, FILE* out) {
     }
   }
 
+  uint8_t max_virtual_address_size = trace.max_virtual_address_size();
+  if (max_virtual_address_size > 0) {
+    fprintf(out, "  \"maxVirtualAddressSize\":%d,\n", max_virtual_address_size);
+  }
+
   if (!trace.uname().sysname.empty()) {
     const auto& uname = trace.uname();
     fputs("  \"uname\":{", out);
diff --git a/src/TraceStream.cc b/src/TraceStream.cc
@@ -1366,13 +1366,14 @@ TraceWriter::TraceWriter(const std::string& file_name,
                   1),
       ticks_semantics_(ticks_semantics_),
       mmap_count(0),
+      max_virtual_address_size(0),
       has_cpuid_faulting_(false),
       xsave_fip_fdp_quirk_(false),
       fdp_exception_only_quirk_(false),
       clear_fip_fdp_(false),
       supports_file_data_cloning_(false),
       chaos_mode(false)
-       {
+{
   this->ticks_semantics_ = ticks_semantics_;
 
   for (Substream s = SUBSTREAM_FIRST; s < SUBSTREAM_COUNT; ++s) {
@@ -1490,6 +1491,7 @@ void TraceWriter::close(CloseStatus status, const TraceUuid* uuid) {
   header.setExclusionRangeEnd(exclusion_range.end().as_int());
   header.setRuntimePageSize(page_size());
   header.setPreloadLibraryPageSize(PRELOAD_LIBRARY_PAGE_SIZE);
+  header.setMaxVirtualAddressSize(max_virtual_address_size);
 
   {
     struct utsname uname_buf;
@@ -1651,6 +1653,7 @@ TraceReader::TraceReader(const string& dir)
   preload_thread_locals_recorded_ = header.getPreloadThreadLocalsRecorded();
   ticks_semantics_ = from_trace_ticks_semantics(header.getTicksSemantics());
   rrcall_base_ = header.getRrcallBase();
+  max_virtual_address_size_ = header.getMaxVirtualAddressSize();
   syscallbuf_fds_disabled_size_ = header.getSyscallbufFdsDisabledSize();
   syscallbuf_hdr_size_ = header.getSyscallbufHdrSize();
   required_forward_compatibility_version_ = header.getRequiredForwardCompatibilityVersion();
@@ -1745,6 +1748,7 @@ TraceReader::TraceReader(const TraceReader& other)
   xcr0_ = other.xcr0_;
   preload_thread_locals_recorded_ = other.preload_thread_locals_recorded_;
   rrcall_base_ = other.rrcall_base_;
+  max_virtual_address_size_ = other.max_virtual_address_size_;
   arch_ = other.arch_;
   chaos_mode_ = other.chaos_mode_;
   chaos_mode_known_ = other.chaos_mode_known_;
diff --git a/src/TraceStream.h b/src/TraceStream.h
@@ -5,6 +5,7 @@
 
 #include <unistd.h>
 
+#include <algorithm>
 #include <map>
 #include <memory>
 #include <set>
@@ -276,6 +277,10 @@ class TraceWriter : public TraceStream {
   void set_clear_fip_fdp(bool value) { clear_fip_fdp_ = value; }
   bool clear_fip_fdp() const { return clear_fip_fdp_; }
   void set_chaos_mode(bool value) { chaos_mode = value; }
+  void note_virtual_address_size(uint8_t value) {
+    DEBUG_ASSERT(value < 64);
+    max_virtual_address_size = std::max(max_virtual_address_size, value);
+  }
 
   enum CloseStatus {
     /**
@@ -330,6 +335,7 @@ class TraceWriter : public TraceStream {
   // rename it, so our flock() lock stays held on it.
   ScopedFd version_fd;
   uint32_t mmap_count;
+  uint8_t max_virtual_address_size;
   bool has_cpuid_faulting_;
   bool xsave_fip_fdp_quirk_;
   bool fdp_exception_only_quirk_;
@@ -497,6 +503,9 @@ class TraceReader : public TraceStream {
   MemoryRange exclusion_range() const {
     return exclusion_range_;
   }
+  uint8_t max_virtual_address_size() const {
+    return max_virtual_address_size_;
+  }
 
   enum TraceQuirks {
     // Whether the /proc/<pid>/mem calls were explicitly recorded in this trace
@@ -537,6 +546,7 @@ class TraceReader : public TraceStream {
   bool chaos_mode_known_;
   bool chaos_mode_;
   int rrcall_base_;
+  uint8_t max_virtual_address_size_;
   uint32_t syscallbuf_fds_disabled_size_;
   uint32_t syscallbuf_hdr_size_;
   int required_forward_compatibility_version_;
diff --git a/src/kernel_abi.cc b/src/kernel_abi.cc
@@ -385,4 +385,21 @@ template <typename Arch> static size_t user_fpregs_struct_size_arch() {
 size_t user_fpregs_struct_size(SupportedArch arch) {
   RR_ARCH_FUNCTION(user_fpregs_struct_size_arch, arch)
 }
+
+template <typename Arch> static uint8_t virtual_address_size_arch(remote_ptr<void> ptr) {
+  return sizeof(typename Arch::unsigned_word) * 8 - Arch::clz_ptr(ptr);
+}
+
+uint8_t virtual_address_size(SupportedArch arch, remote_ptr<void> ptr) {
+  RR_ARCH_FUNCTION(virtual_address_size_arch, arch, ptr)
+}
+
+template <typename Arch> static uint8_t default_virtual_address_size_arch() {
+  return Arch::default_virtual_address_size;
+}
+
+uint8_t default_virtual_address_size(SupportedArch arch) {
+  RR_ARCH_FUNCTION(default_virtual_address_size_arch, arch)
+}
+
 }
diff --git a/src/kernel_abi.h b/src/kernel_abi.h
@@ -291,6 +291,10 @@ struct WordSize32Defs {
     uint32_t n_type;
   } ElfNhdr;
   RR_VERIFY_TYPE_ARCH(RR_NATIVE_ARCH, ::Elf32_Nhdr, ElfNhdr);
+
+  static uint8_t clz_ptr(remote_ptr<void> ptr) {
+    return __builtin_clz(ptr.as_int());
+  }
 };
 
 struct WordSize64Defs {
@@ -387,6 +391,10 @@ struct WordSize64Defs {
     uint32_t n_type;
   } ElfNhdr;
   RR_VERIFY_TYPE_ARCH(RR_NATIVE_ARCH, ::Elf64_Nhdr, ElfNhdr);
+
+  static uint8_t clz_ptr(remote_ptr<void> ptr) {
+    return __builtin_clzl(ptr.as_int());
+  }
 };
 
 /**
@@ -2002,6 +2010,8 @@ struct BaseArch : public wordsize,
 struct X64Arch : public BaseArch<SupportedArch::x86_64, WordSize64Defs> {
   typedef X64Arch Arch64;
 
+  static const uint8_t default_virtual_address_size = 47;
+
   static const size_t elfmachine = EM::X86_64;
   static const size_t elfendian = ELFENDIAN::DATA2LSB;
 
@@ -2206,6 +2216,8 @@ struct X64Arch : public BaseArch<SupportedArch::x86_64, WordSize64Defs> {
 struct X86Arch : public BaseArch<SupportedArch::x86, WordSize32Defs> {
   typedef X64Arch Arch64;
 
+  static const uint8_t default_virtual_address_size = 32;
+
   static const size_t elfmachine = EM::I386;
   static const size_t elfendian = ELFENDIAN::DATA2LSB;
 
@@ -2462,6 +2474,8 @@ struct GenericArch : public BaseArch<arch_, wordsize> {
 struct ARM64Arch : public GenericArch<SupportedArch::aarch64, WordSize64Defs> {
   typedef ARM64Arch Arch64;
 
+  static const uint8_t default_virtual_address_size = 47;
+
   static const size_t elfmachine = EM::AARCH64;
   static const size_t elfendian = ELFENDIAN::DATA2LSB;
 
@@ -2649,6 +2663,13 @@ size_t sigaction_sigset_size(SupportedArch arch);
 size_t user_regs_struct_size(SupportedArch arch);
 size_t user_fpregs_struct_size(SupportedArch arch);
 
+/* Returns the number of bits necessary for this particular virtual address. */
+uint8_t virtual_address_size(SupportedArch arch, remote_ptr<void> ptr);
+/* Returns the number of bits supported by default on this architecture for
+ * *userspace* virtual addresses.
+ */
+uint8_t default_virtual_address_size(SupportedArch arch);
+
 #if defined(__i386__)
 typedef X86Arch NativeArch;
 #elif defined(__x86_64__)
diff --git a/src/rr_trace.capnp b/src/rr_trace.capnp
@@ -145,6 +145,13 @@ struct Header {
   syscallbufHdrSize @26 :UInt32 = 30;
   # Result of uname(2). Possibly useful for diagnostics or LLDB qHostInfo.
   uname @27 :UtsName;
+  # The highest virtual address size (in bits) needed to replay this trace. Some
+  # platforms (e.g. x86-64) have multiple possible virtual address sizes, and
+  # trace portability requires that traces that require a higher virtual address
+  # size are not replayed on systems that only support a lower virtual address
+  # size. A value of 0, only present for traces recorded before this was added,
+  # means the default value for the relevant arch.
+  maxVirtualAddressSize @28 :UInt8 = 0;
 }
 
 # A file descriptor belonging to a task
diff --git a/src/test/x86/la57.c b/src/test/x86/la57.c
@@ -0,0 +1,18 @@
+/* -*- Mode: C; tab-width: 8; c-basic-offset: 2; indent-tabs-mode: nil; -*- */
+
+#include "util.h"
+
+int main(void) {
+#ifdef __x86_64__
+  size_t num_bytes = sysconf(_SC_PAGESIZE);
+  /* NB: No MAP_FIXED here, to allow the test to pass on systems without
+   * 5 level paging.
+   */
+  void* map = mmap((void*)(1ULL << 47), num_bytes, PROT_READ | PROT_WRITE,
+                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  test_assert(map != MAP_FAILED);
+#endif
+
+  atomic_puts("EXIT-SUCCESS");
+  return 0;
+}
diff --git a/src/util.cc b/src/util.cc
@@ -2650,4 +2650,44 @@ optional<int> read_perf_event_paranoid() {
   return value;
 }
 
+bool virtual_address_size_supported(uint8_t bits) {
+  DEBUG_ASSERT(bits < 64);
+
+  // The easy, statically-determinable case.
+  // Legacy traces with bits == 0 will take this offramp too.
+  if (default_virtual_address_size(NativeArch::arch()) >= bits) {
+    return true;
+  }
+
+  // The architecture may have extensions (like five level paging) that allow
+  // higher addresses to be used. See if they're available.
+  size_t num_bytes = page_size();
+  void* ptr = (void*)(1ULL << (bits - 1));
+  void* map = mmap(ptr, num_bytes, PROT_NONE,
+                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
+  if (map == ptr) {
+    // If we successfully mapped at a high address, the extensions work.
+    munmap(map, num_bytes);
+    return true;
+  }
+
+  if (map == MAP_FAILED) {
+    if (errno == EEXIST) {
+      // If we failed to map because something else was already at the high
+      // address, the extensions work.
+      return true;
+    }
+    // If we failed for some other reason, assume the extensions do not work.
+    return false;
+  }
+
+  // If we got back a different address, assume the extensions do not work.
+  // NB: We could potentially be on a kernel that supports five level paging (so
+  // >= 4.14) but not MAP_FIXED_NOREPLACE (so < 4.17) *and* have something
+  // already using the address we tried. Handling that situation correctly
+  // adds substantial complexity, so we just give a false negative there.
+  munmap(map, num_bytes);
+  return false;
+}
+
 } // namespace rr
diff --git a/src/util.h b/src/util.h
@@ -699,6 +699,8 @@ void base_name(std::string& s);
 
 std::optional<int> read_perf_event_paranoid();
 
+bool virtual_address_size_supported(uint8_t bit_size);
+
 } // namespace rr
 
 #endif /* RR_UTIL_H_ */

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,11 @@ static int dump_trace_info(const string& trace_dir, FILE* out) {`
`97`	`97`	`}`
`98`	`98`	`}`
`99`	`99`
	`100`	`+ uint8_t max_virtual_address_size = trace.max_virtual_address_size();`
	`101`	`+ if (max_virtual_address_size > 0) {`
	`102`	`+ fprintf(out, " \"maxVirtualAddressSize\":%d,\n", max_virtual_address_size);`
	`103`	`+ }`
	`104`	`+`
`100`	`105`	`if (!trace.uname().sysname.empty()) {`
`101`	`106`	`const auto& uname = trace.uname();`
`102`	`107`	`fputs(" \"uname\":{", out);`