I am trying to replace a function call with another one. e.g. here is the code with 3 functions - print1, print2 and main:
#include <stdio.h>
extern "C" {
int print1()
{
printf("Inside print1\n");
return 0xdeadbeef;
}
int print2()
{
printf("Inside print2\n");
return 0xbeefdead;
}
int main(void)
{
return print1();
}
}"
My goal is to replace use of print1 (in main) with print2. I compile the above code into an llvm::Module* (called main in the code below) and then create an execution engine out of it.
std::string errMsg;
llvm::ExecutionEngine *ee =
llvm::EngineBuilder( main ).setErrorStr( &errMsg ).create();
ASSERT_NE( ee, nullptr )<<"Execution engine is nullptr:"<<errMsg;
At this point, I am able to get all the 3 functions (print1, print2 and main) from the execution engine and am able to execute them fine. However, problem occurs when I try to replace function "print1" with "print2", as follows:
llvm::Function *print1f = main->getFunction( "print1" );
llvm::Function *print2f = main->getFunction( "print2" );
llvm::Function *mainf = main->getFunction( "main" );
//carry out the replacement
print2f->takeName( print1f );
ee->freeMachineCodeForFunction( mainf );
ee->freeMachineCodeForFunction( print1f );
print1f->replaceAllUsesWith( print2f );
print1f->deleteBody();
print1f->dropAllReferences();
print1f->eraseFromParent();
//run main
void *mainfPtr = ee->getPointerToFunction( mainf );
mainfPtr = ee->recompileAndRelinkFunction( mainf );
ASSERT_NE( mainfPtr, nullptr );
ret = ((int(*)(void))(mainfPtr))();
*EXPECT_EQ(0xbeefdead, ret);*
However, ret is returned as 0xdeadbeef, as if print1 is being called and not print2. Can someone please let me know if I am following the right steps to replace the function call. If there is other method, please let me know.
thx
Vikas.
==========
If the compiler were to inline print1 in main, the function would never actually be called; Instead, main would have its own private version of print1's code pasted in. Since it doesn't actually have to refer to the shared print1 anymore, swapping in print2 might not affect main's behavior.
If you want to verify that this is the problem (and/or keep it from happening, if it is), try telling the compiler not to inline.
Related
I am writing the following code
#include "SwiWrapper.h"
#include <windows.h>
HINSTANCE hDLL;
SwiWrapper::SwiWrapper()
{
}
SwiWrapper::~SwiWrapper()
{
}
bool SwiWrapper::Initialize()
{ // Handle to DLL
hDLL = LoadLibrary("SWI32.dll");
return true;
}
void SwiWrapper::CloseDll()
{
FreeLibrary(hDLL);
}
//WiRawImage* CALLSPEC WiCreateRawImage ARGSPEC((void));
typedef WiRawImage*(*FuncWiCreateRawImage) (void);
WiRawImage * SwiWrapper::WiCreateRawImage()
{
FuncWiCreateRawImage Exec = (FuncWiCreateRawImage)GetProcAddress(hDLL, "WiCreateRawImage");
return Exec();
}
//WiCmpImage* CALLSPEC WiCreateCmpImage ARGSPEC((void));
typedef WiCmpImage*(*FuncWiCreateCmpImage) (void);
WiCmpImage * SwiWrapper::WiCreateCmpImage()
{
FuncWiCreateCmpImage Exec = (FuncWiCreateCmpImage)GetProcAddress(hDLL, "WiCreateCmpImage");
return Exec();
}
// WiDecmpOptions* CALLSPEC WiCreateDecmpOptions ARGSPEC((void));
typedef WiDecmpOptions*(*FuncWiCreateDecmpOptions) (void);
WiDecmpOptions * SwiWrapper::WiCreateDecmpOptions()
{
FuncWiCreateDecmpOptions Exec = (FuncWiCreateDecmpOptions)GetProcAddress(hDLL, "WiCreateDecmpOptions");
return Exec();
}
//int CALLSPEC WiDecompress ARGSPEC(( WiDecmpOptions *DecmpOptions, WiRawImage *RawImage, WiCmpImage *CmpImage ));
typedef int(*WiDecompressFunc) (WiDecmpOptions*, WiRawImage*, WiCmpImage*);
int SwiWrapper::WiDecompress(WiDecmpOptions * DecmpOptions, WiRawImage * RawImage, WiCmpImage * CmpImage)
{
WiDecompressFunc Exec = (WiDecompressFunc)GetProcAddress(hDLL, "WiDecompress");
int result = Exec(DecmpOptions, RawImage, CmpImage);
return 0;
}
And I am using it like this
SwiWrapper *wrapper = new SwiWrapper();
if (initialized)
{
image = wrapper->WiCreateRawImage();
cmpImage = wrapper->WiCreateCmpImage();
decmpOpts = wrapper->WiCreateDecmpOptions();
GetCmpImage(cmpImage, "path\\data.bin");
SetDecompressionOptions(decmpOpts);
wrapper->WiDecompress(decmpOpts, image, cmpImage); //This line is failing
FileImage("path\\data.jpg", image);
wrapper->CloseDll();
}
However when I reach the following line wrapper->WiDecompress(decmpOpts, image, cmpImage); it fails and gives the following error
Run-Time Check Failure #0 - The value of ESP was not properly saved
across a function call. This is usually a result of calling a
function declared with one calling convention with a function pointer
declared with a different calling convention.
I think that I am messing up with the parameters but I am not sure what I am doing wrong. I have the header file to know the input and outputs.
I am not that experienced with C++, well not lately, so my searching didn't get me to an answer that worked although I found a few Stackoverflow solutions on the error but I cannot figure out what I need to change
Everything that I have on the swi32.dll is in this rar file in this dropbox link
https://www.dropbox.com/s/2bfhylzb2evrggp/Lib.rar?dl=0
My full source code is in the following link
https://www.dropbox.com/s/jkxfyt6xjeanvng/ConsoleApplication1.rar?dl=0
Because all other function don't take an argument, I suppose that the CALLSPEC that is mentioned in the comment for the Decompress function is different to the calling convention you use.
Recheck the calling conventions and the definition of your typedef for the Decompress function.
I have managed to get it working by changing
this line
typedef int(*WiDecompressFunc) (WiDecmpOptions*, WiRawImage*, WiCmpImage*);
to this line
typedef int(__stdcall *WiDecompressFunc)(WiDecmpOptions * DecmpOptions, WiRawImage * RawImage, WiCmpImage * CmpImage);
Credits to:
#Mgetz, #HansPassant who pointed out to use __stdcall and also the link how to use it
EveryOne. I have a project which call some func to get time such as
time_t t = time(NULL);
#ifndef _WIN32
timespec ts;
if( -1 == clock_gettime(CLOCK_MONOTONIC,&ts) )
GenErrnoErr()
return uint64( ( ((uint64)ts.tv_sec*1000 + (uint64)ts.tv_nsec/1000000) - m_uBaseTime ) * ms_dTimeRatio ) ;
#else
LARGE_INTEGER uTime;
QueryPerformanceCounter(&uTime);
return uint64( ( uint64(uTime.QuadPart/CFrequency::Instance().Get().QuadPart) - m_uBaseTime ) * ms_dTimeRatio );
#endif
`
what I wana is to hook all this time func, without change the code exist. when it calls time(NULL) or other func, it returns the time i faked.
The usual way that this sort of thing is done is with the --wrap option to the linker. It works like this:
Write your replacement function, but instead of naming it time(...), name it __wrap_time(...);
In your replacement function, if you need to call the original time() function, actually call __real_time();
When linking the program, add the following option: --wrap=time. This will make the linker link any other module's call to time() to __wrap_time(), and yet still allow the original time() function to be called via __real_time().
Thus:
// Need this to satisfy the compiler
extern time_t __real_time(time_t *seconds);
time_t __wrap_time(time_t *seconds) {
if (seconds==NULL) {
return 0;
} // if
return __real_time(seconds)
} // __wrap_time(seconds)
Detour the function in the process to your hook. You'll need to inject a dll to hook it, and add a jmp to your hook function address within the original functions epilogue. Some more info would help too...
I know the basics of interacting with lua and C, and I am currently trying to perform the following line of lua in c++
Func1():Func2().Table1.value1
I am trying to get the value of "value2" and use it in my C program. The following is the code I wrote to attempt to get this value in C.
int GetNumber()
{
int retn = 0;
g_clientlua.lua_getfield(LUA_REGISTRYINDEX, "Player");
g_clientlua.lua_getfield(-1, "Func2");
g_clientlua.lua_getfield(LUA_GLOBALSINDEX, "Func1");
g_clientlua.lua_call(0, 1);
g_clientlua.lua_call(1, 1);
if (g_clientlua.lua_isnil(-1))
return retn;
g_clientlua.lua_getfield(-1, "Table1");
if (g_clientlua.lua_isnil(-1))
return retn;
g_clientlua.lua_getfield(-1, "value1");
if (g_clientlua.lua_isnil(-1))
return retn;
retn = (int)g_clientlua.lua_tointeger(-1);
}
The clientlua thing is an object that basically just allows me to call a method which calls it's lua_* function equivalent and fills the lua_state pointer parameter with a member variable that is a pointer to the lua state.
Every time I call this, it complains about me causing a lua stack leak. To solve this, I tried adding a lua_pop(3) to the end, but then it just crashes my program without reporting an error, so I assume I am doing something wrong.
Anyone have any words of wisdom for me? Kinda lost here. I doubt the above code is even written properly, how would I write the above lua call in C?
You need to call Func1 before you try to get Func2 as Func2 comes from the table that Func1 returns (and not from the global table).
Then you need to call Func2 and look up Table1 in that returned value, etc.
What "stack leak" complaint are you getting? If you are calling this function from C directly then yes, you need to be sure that anything you put on the lua stack (that isn't for consumption by the caller, etc.) is popped from the lua stack before you return.
The GetNumber function isn't doing exactly the same as the lua snippet you're going for. Specifically GetNumber is getting the value of "Func2" from the registry while your lua snippet is getting the value of "Func2" from the table returned by Func1(). Unless you're certain that registry.Player.Func2 == Func1().Func2 is always true, your C++ version will not have the same behavior.
Let's break down Func1():Func2().Table1.value1 into more explicit steps to help with the C translation:
Get function associated with _G.Func1
Call that function and get a table back
Get function associated with "Func2" from the returned table in step 2
Call that function and pass as argument the table from step 2. Get another table back as result
I found it helpful to track what the stack contains as a side-comment as the operations are performed:
int GetNumber()
{
// Func1()
gclientlua.lua_getfield(LUA_GLOBALSINDEX, "Func1"); // Func1
g_clientlua.lua_call(0, 1); // {}
// Func2( {} )
g_clientlua.lua_getfield(-1, "Func2"); // {}, Func2
g_clientlua.lua_insert(-2); // Func2, {}
g_clientlua.lua_call(1, 1); // {}
if( g_clientlua.lua_type(-1) != LUA_TTABLE )
{
g_clientlua.lua_pop(1);
return 0;
}
// {}.Table1
g_clientlua.lua_getfield(-1, "Table1"); // {}, {}(Table1)
if( g_clientlua.lua_type(-1) != LUA_TTABLE )
{
g_clientlua.lua_pop(2);
return 0;
}
// tonumber( Table1.value1 )
g_clientlua.lua_getfield(-1, "value1"); // {}, {}(Table1), value1
int retn = g_clientlua.lua_tointeger(-1);
g_clientlua.lua_pop(3);
return retn;
}
Notice that GetNumber pops off all the arguments it places on the stack before returning. This ensures that GetNumber leaves the lua stack the way it was found. This can probably be automated with RAII if you're using C++.
I am looking for a clever way to track function calls and returns.
I know I can use the debugger, but I would like a way to just have it print something out to the terminal when calling a function vs having to step through code.
I am thinking that I might be able to use the preprocessor, but I am not sure what would be the best way to go about this.
Or is there a way to use gdb to print out the information that would be useful, while not having to step through the code.
Most compilers allow you to inject an instrumentation function before and after the function call.
In MSVC they are _penter and _pexit. A nice article: http://www.drdobbs.com/184403601.
In GCC you would use the -finstrument-functions option, see the docs.
You can use debug libaries or map files to get more info.
A quite intrussive solution is using RAII to control the scope of the function. This will have a great impact in performance, but will be quite explicit in the logs without requiring the user to add instrumentation in all possible code paths that may leave the function:
class ScopeLogger {
public:
ScopeLogger( std::string const & msg ) : msg(msg)
{ std::cout << "Enter: " << msg << std::endl; }
~ScopeLogger()
{ std::cout << "Exit: " << msg << std::endl; }
std::string msg;
};
#if DEBUG
#define FUNCTION(x) ScopeLogger l_##x##_scope(x);
#endif
void foo( int value ) {
FUNCTION( __FUNCTION__ );
if ( value > 10 ) throw std::exception;
std::cout << "." << std::endl;
}
int main() {
foo(0); // Enter: foo\n.\nExit: foo
foo(100); // Enter: foo\nExit: foo
}
If the code is single threaded, you might even want to add a static variable with some indentation level to ScopedLogger without adding too much to the already heavy performance impact:
class ScopeLogger {
public:
ScopeLogger( std::string const & msg ) : msg(msg)
{ std::cout << std::string(indent++,' ') << "Enter: " << msg << std::endl; }
~ScopeLogger()
{ std::cout << std::string(--indent,' ') << "Exit: " << msg << std::endl; }
std::string msg;
static int indent;
};
int ScopeLogger::indent = 0;
Since you are using GCC, you can also use linker function wrapping.
Link-Time Replacement / Wrapping
– GCC option: -Wl,--wrap,function_name
Basically, you can take a function called "function_name()" and wrap it with a function called "__wrap_function_name()". You can access the original function by calling "__real_function_name()".
#define BEGIN_FUNC(X) printf("Function %s Entered",X)
#define END_FUNC(X) printf("Function %s End",X)
foo()
{
BEGIN_FUNC(__func__);
//Your code here
END_FUNC(__func__);
}
I think if you write a macro like above and use it for every function as described then you can get the logs on the terminal.
You may want to look at Valgrind's Callgrind which can track function calls into a pretty graph. It will show function calls, but not the parameter or return values.
Or is there a way to use gdb to print out the information that would be useful, while not having to step through the code
Yes. Set a breakpoint only at the functions that you actually care about. Use "continue" until you get to those functions or until your program crashes. Then use "backtrace" (or "bt") to get a stack trace.
If you need to automate it, you might take a look at TARGET_ASM_FUNCTION_END_PROLOGUE and TARGET_ASM_FUNCTION_BEGIN_EPILOGUE. These are compiler hooks that will let you specify pieces of assembly to be emitted along with the normal function prologue/epilogue -- in your case, you'd use them to emit a little assembly to log the entry/exit from the function in question. You could also look at FUNCTION_PROFILE and/or PROFILE_HOOK (e.g., at: http://gcc.gnu.org/onlinedocs/gccint/Function-Entry.html).
Below is an example illustrating the GCC side of the answer by Jonathan Fischoff.
Here we call external tool addr2line to print the location as functionName at /path/to/file.cpp:line instead of simply the address. I've tried using dladdr for this (as suggested in a comment to the answer linked above), but it returned only null pointers in dli_sname for me.
This approach of resolving the addresses has some drawbacks:
It's slow due to fork/execve/file read.
It needs exact file path to the binary containing the address, so the simple code below can't print symbols in shared libraries.
// Instrumentation
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
static void __attribute__((no_instrument_function))
log_func(const void* funcAddr, const char* action, const void* callSite)
{
char cmd[50];
snprintf(cmd, sizeof cmd, "addr2line -Cpfe /proc/%d/exe %p", getpid(), funcAddr);
fprintf(stderr, "%p %s %p ", callSite, action, funcAddr);
system(cmd);
}
extern "C" void __attribute__((no_instrument_function))
__cyg_profile_func_enter(void* this_fn, void* call_site)
{
log_func(this_fn, "->", call_site);
}
extern "C" void __attribute__((no_instrument_function))
__cyg_profile_func_exit(void* this_fn, void* call_site)
{
log_func(this_fn, "<-", call_site);
}
// Actual code we're tracing
#include <iostream>
struct Test
{
Test() { std::cout << "Hi, I'm Test constructor\n"; }
void method() const { std::cout << "And I'm Test method\n"; }
};
int main()
{
std::cout << "Hello, my name is main\n";
Test test;
test.method();
}
Compilation and running:
$ g++ test.cpp -o test -g -finstrument-functions && time ./test
0x8048b0b -> 0x804899b _GLOBAL__sub_I___cyg_profile_func_enter at /tmp/test.cpp:41
0x80489c4 -> 0x804890b __static_initialization_and_destruction_0(int, int) at /tmp/test.cpp:41
0x80489c4 <- 0x804890b __static_initialization_and_destruction_0(int, int) at /tmp/test.cpp:41
0x8048b0b <- 0x804899b _GLOBAL__sub_I___cyg_profile_func_enter at /tmp/test.cpp:41
0xf7a0de71 -> 0x804886a main at /tmp/test.cpp:37
Hello, my name is main
0x80488b1 -> 0x80489de Test::Test() at /tmp/test.cpp:32
Hi, I'm Test constructor
0x80488b1 <- 0x80489de Test::Test() at /tmp/test.cpp:32
0x80488c0 -> 0x8048a4a Test::method() const at /tmp/test.cpp:33
And I'm Test method
0x80488c0 <- 0x8048a4a Test::method() const at /tmp/test.cpp:33
0xf7a0de71 <- 0x804886a main at /tmp/test.cpp:37
real 0m0.062s
user 0m0.054s
sys 0m0.008s
There is a __FUNCTION__ (Reference) macro used to determine what method (in the format Class::Method) you're in, but this is more of a manual process.
However, when I needed the same 'trace' information recently, I could not find a automatic method.
Supposed I register many different function names in Lua to the same function in C. Now, everytime my C function is called, is there a way to determine which function name was invoked?
for example:
int runCommand(lua_State *lua)
{
const char *name = // getFunctionName(lua) ? how would I do this part
for(int i = 0; i < functions.size; i++)
if(functions[i].name == name)
functions[i].Call()
}
int main()
{
...
lua_register(lua, "delay", runCommand);
lua_register(lua, "execute", runCommand);
lua_register(lua, "loadPlugin", runCommand);
lua_register(lua, "loadModule", runCommand);
lua_register(lua, "delay", runCommand);
}
So, how do I get the name of what ever function called it?
Another way to attack your question is by using upvalues. Basically, you register the C functions with the function below instead of lua_register:
void my_lua_register(lua_State *L, const char *name, lua_CFunction f)
{
lua_pushstring(L, name);
lua_pushcclosure(L, f, 1);
lua_setglobal(L, name);
}
Then, getFunctionName is straight forward
const char* getFunctionName(lua_State* L)
{
return lua_tostring(L, lua_upvalueindex(1));
}
That said, what you trying to do seems fishy - what are you trying to achieve? The runCommand function posted in the question looks like a horribly inefficient way to do something that Lua does for you anyway.
You can use lua_getinfo : http://pgl.yoyo.org/luai/i/lua_getinfo
This might work:
const char* lua_getcurrentfunction(lua_State* L) {
lua_Debug ar;
lua_getstack(L, 1, &ar);
lua_getinfo(L, "f", &ar);
return ar.name;
}
There is one caveat:
name: a reasonable name for the given function. Because functions in Lua are first-class values, they do not have a fixed name: some functions may be the value of multiple global variables, while others may be stored only in a table field. The lua_getinfo function checks how the function was called to find a suitable name. If it cannot find a name, then name is set to NULL.
An alternative solution would be to register a metatable for the Lua environment table that implements the __index metamethod for dispatching these functions calls.
Unfortunately, that's not possible - among other things, because functions in Lua don't actually have to have a name at all. (Consider: (loadstring("a=1"))() is executing a nameless function returned from loadstring.)
If you're willing to slurp up all unknown function executions, you may be able to play games with setmetatable and currying:
-- This function would not be in lua in your example,
-- you'd be doing lua_register( lua, "runCommandNamed", runCommandNamed )
-- and writing a runCommandNamed in C.
function runCommandNamed( cmd, ... )
print( "running command", cmd, "with arguments", ... )
end
-- The rest would be somewhere in lua-land:
local utilMetaTable = {
__index = function ( t, key )
return function( ... ) -- mmm, curry
runCommandNamed( key, ... )
end
end
}
_util = {}
setmetatable( _util, utilMetaTable )
-- prints "running command CommandOne with arguments arg1 arg2 arg3"
_util.CommandOne( "arg1", "arg2", "arg3" )
-- prints "running command CommandTwo with arguments argA argB"
_util.CommandTwo( "argA", "argB" )
In this example, I've only slurped up unknown executions under _util rather than in the global table.