[lldb] Provide lr value in faulting frame on arm64 #138805

jasonmolenda · 2025-05-07T05:49:56Z

When a frameless function faults or is interrupted asynchronously, the UnwindPlan MAY have no register location rule for the return address register (lr on arm64); the value is simply live in the lr register when it was interrupted, and the frame below this on the stack -- e.g. sigtramp on a Unix system -- has the full register context, including that register.

RegisterContextUnwind::SavedLocationForRegister, when asked to find the caller's pc value, will first see if there is a pc register location. If there isn't, on a Return Address Register architecture like arm/mips/riscv, we rewrite the register request from "pc" to "RA register", and search for a location.

On frame 0 (the live frame) and an interrupted frame, the UnwindPlan may have no register location rule for the RA Reg, that is valid. A frameless function that never calls another may simply keep the return address in the live register the whole way. Our instruction emulation unwind plans explicitly add a rule (see Pavel's May 2024 change #91321 ), but an UnwindPlan sourced from debug_frame may not.

I've got a case where this exactly happens - clang debug_frame for arm64 where there is no register location for the lr in a frameless function. There is a fault in the middle of this frameless function and we only get the lr value from the fault handler below this frame if lr has a register location of IsSame, in line with Pavel's 2024 change.

Similar to how we see a request of the RA Reg from frame 0 after failing to find an unwind location for the pc register, the same style of special casing is needed when this is a function that was interrupted.

Without this change, we can find the pc of the frame that was executing when it was interrupted, but we need $lr to find its caller, and we don't descend down to the trap handler to get that value, truncating the stack.

rdar://145614545

When a frameless function faults or is interrupted asynchronously, the UnwindPlan MAY have no register location rule for the return address register (lr on arm64); the value is simply live in the lr register when it was interrupted, and the frame below this on the stack -- e.g. sigtramp on a Unix system -- has the full register context, including that register. RegisterContextUnwind::SavedLocationForRegister, when asked to find the caller's pc value, will first see if there is a pc register location. If there isn't, on a Return Address Register architecture like arm/mips/riscv, we rewrite the register request from "pc" to "RA register", and search for a location. On frame 0 (the live frame) and an interrupted frame, the UnwindPlan may have no register location rule for the RA Reg, that is valid. A frameless function that never calls another may simply keep the return address in the live register the whole way. Our instruction emulation unwind plans explicitly add a rule (see Pavel's May 2024 change llvm#91321 ), but an UnwindPlan sourced from debug_frame may not. I've got a case where this exactly happens - clang debug_frame for arm64 where there is no register location for the lr in a frameless function. There is a fault in the middle of this frameless function and we only get the lr value from the fault handler below this frame if lr has a register location of `IsSame`, in line with Pavel's 2024 change. Similar to how we see a request of the RA Reg from frame 0 after failing to find an unwind location for the pc register, the same style of special casing is needed when this is a function that was interrupted. Without this change, we can find the pc of the frame that was executing when it was interrupted, but we need $lr to find its caller, and we don't descend down to the trap handler to get that value, truncating the stack. rdar://145614545

llvmbot · 2025-05-07T05:50:31Z

@llvm/pr-subscribers-lldb

Author: Jason Molenda (jasonmolenda)

Changes

When a frameless function faults or is interrupted asynchronously, the UnwindPlan MAY have no register location rule for the return address register (lr on arm64); the value is simply live in the lr register when it was interrupted, and the frame below this on the stack -- e.g. sigtramp on a Unix system -- has the full register context, including that register.

RegisterContextUnwind::SavedLocationForRegister, when asked to find the caller's pc value, will first see if there is a pc register location. If there isn't, on a Return Address Register architecture like arm/mips/riscv, we rewrite the register request from "pc" to "RA register", and search for a location.

On frame 0 (the live frame) and an interrupted frame, the UnwindPlan may have no register location rule for the RA Reg, that is valid. A frameless function that never calls another may simply keep the return address in the live register the whole way. Our instruction emulation unwind plans explicitly add a rule (see Pavel's May 2024 change #91321 ), but an UnwindPlan sourced from debug_frame may not.

I've got a case where this exactly happens - clang debug_frame for arm64 where there is no register location for the lr in a frameless function. There is a fault in the middle of this frameless function and we only get the lr value from the fault handler below this frame if lr has a register location of IsSame, in line with Pavel's 2024 change.

Similar to how we see a request of the RA Reg from frame 0 after failing to find an unwind location for the pc register, the same style of special casing is needed when this is a function that was interrupted.

Without this change, we can find the pc of the frame that was executing when it was interrupted, but we need $lr to find its caller, and we don't descend down to the trap handler to get that value, truncating the stack.

rdar://145614545

Full diff: https://github.com/llvm/llvm-project/pull/138805.diff

1 Files Affected:

(modified) lldb/source/Target/RegisterContextUnwind.cpp (+15-4)

diff --git a/lldb/source/Target/RegisterContextUnwind.cpp b/lldb/source/Target/RegisterContextUnwind.cpp
index 3ed49e12476dd..23a86bee2518b 100644
--- a/lldb/source/Target/RegisterContextUnwind.cpp
+++ b/lldb/source/Target/RegisterContextUnwind.cpp
@@ -1377,6 +1377,7 @@ RegisterContextUnwind::SavedLocationForRegister(
         }
       }
 
+      // Check if the active_row has a register location listed.
       if (regnum.IsValid() &&
           active_row->GetRegisterInfo(regnum.GetAsKind(unwindplan_registerkind),
                                       unwindplan_regloc)) {
@@ -1390,11 +1391,10 @@ RegisterContextUnwind::SavedLocationForRegister(
       // This is frame 0 and we're retrieving the PC and it's saved in a Return
       // Address register and it hasn't been saved anywhere yet -- that is,
       // it's still live in the actual register. Handle this specially.
-
       if (!have_unwindplan_regloc && return_address_reg.IsValid() &&
-          IsFrameZero()) {
-        if (return_address_reg.GetAsKind(eRegisterKindLLDB) !=
-            LLDB_INVALID_REGNUM) {
+          return_address_reg.GetAsKind(eRegisterKindLLDB) !=
+              LLDB_INVALID_REGNUM) {
+        if (IsFrameZero()) {
           lldb_private::UnwindLLDB::ConcreteRegisterLocation new_regloc;
           new_regloc.type = UnwindLLDB::ConcreteRegisterLocation::
               eRegisterInLiveRegisterContext;
@@ -1408,6 +1408,17 @@ RegisterContextUnwind::SavedLocationForRegister(
                        return_address_reg.GetAsKind(eRegisterKindLLDB),
                        return_address_reg.GetAsKind(eRegisterKindLLDB));
           return UnwindLLDB::RegisterSearchResult::eRegisterFound;
+        } else if (BehavesLikeZerothFrame()) {
+          // This function was interrupted asynchronously -- it faulted,
+          // an async interrupt, a timer fired, a debugger expression etc.
+          // The caller's pc is in the Return Address register, but the
+          // UnwindPlan for this function may have no location rule for
+          // the RA reg.
+          // This means that the caller's return address is in the RA reg
+          // when the function was interrupted--descend down one stack frame
+          // to retrieve it from the trap handler's saved context.
+          unwindplan_regloc.SetSame();
+          have_unwindplan_regloc = true;
         }
       }

jasonmolenda · 2025-05-07T05:51:36Z

While working on this bug, I started musing about how we could switch the logic for how to handle registers more into UnwindPlans, wrote a little discourse with the idea. https://discourse.llvm.org/t/unhappiness-with-the-lldb-unwinder-register-passing-up-the-stack-interrup-trap-sigtramp-frames/86058

It's not something I'll be doing in the near term, but I know I'd like to get back to this.

jasonmolenda · 2025-05-07T05:53:40Z

Also while initially working on this issue I found I could fix it in two places in SavedLocationForRegister without considering the entirety of the method. This made me unhappy so I spent a bit of time going over all of SavedLocationForRegister until I felt confident I understood it, and then wrote the scariest NFC patch where I removed chunks of it (that are doing nothing) and restructured it so it was a lot easier to read, I thought. But I want to maybe bring that up separately because it's a lot of change and this method has a lot of edge cases - many tricky to test, and not tested well.

jasonmolenda · 2025-05-07T08:54:05Z

to be clear, when I mention a big chunk of SavedLocationForRegister which I don't think is actually doing anything -- I refuse to look at the history, but it looks suspiciously like something I wrote a decade ago :)

jasonmolenda · 2025-05-07T08:59:22Z

I am also not thrilled with the GetAsKind method for register numbering returning LLDB_INVALID_REGNUM, the code reads so poorly in this method because of it. But returning an optional would make other code more verbose unless I carried optionals through a lot further. I haven't been annoyed enough to try doing that yet.

labath · 2025-05-07T09:03:01Z

This makes sense to me, but is there any way to write a test case for it?

It sounds like something similar to this test could work. In fact, given that this test is disabled on darwin, I'm wondering if this patch does not fix it by any chance?

…upted

jasonmolenda · 2025-05-08T04:14:15Z

FTR that test is skipped on darwin because _sigtramp in libc on aarch64 doesn't have any hand-supplied eh_frame right now :/

I have a test case put together, with a few functions written in assembly with hand-added cfi directives. It's probably darwin specific assembly, obviously aarch64 only, but it exercises exactly the bug I am fixing. will wrap it up into a proper test in a tiny bit (hopefully tonight)

via the UnwindPlan. And use the trap handler flag for zeroth frame so we can properly unwind a frameless function that was interrupted while in the trap handler function.

jasonmolenda · 2025-05-08T06:32:33Z

I'm thinking I'll write an API test that instruction steps through the whole binary and backtraces at each point, making sure it can get every function between the current one & main at all points, just for fun extra stress testing. I was testing it like that by hand as I wrote the test input files.

to trap() and break_to_debugger() for fun, and add unwind instructions for the epilogue of trap(). When stopped in `break_to_debugger`, ``` * frame #0: 0x00000001000003e8 a.out`break_to_debugger + 4 frame swiftlang#1: 0x00000001000003d8 a.out`trap + 16 frame swiftlang#2: 0x00000001000003c0 a.out`to_be_interrupted + 20 frame swiftlang#3: 0x0000000100000398 a.out`main + 32 ``` Normally we can't provide a volatile register (e.g. x0) up the stack. And we can provide a non-volatile register (e.g. x20) up the stack. I added an IsSame rule for trap() and break_to_debugger() for x0, so it CAN be passed up the stack. And I added an Undefined rule for x20 to trap() so it CAN'T be provided up the stack. If a user selects `to_be_interrupted` and does `register read`, they'll get x0 and they won't get x20. From `main`, they will not get x0 or x20 (x0 because `to_be_interrupted` doesn't have an IsSame rule).

Also fix one bug in the by-hand unwind state in the assembly file.

ways in these hand-written UnwindPlans.

this compiling on linux? I think maybe the only difference is that the symbol names are prefixed with _ on darwin?

jasonmolenda · 2025-05-09T05:55:41Z

OK finished writing the test case. It starts at main() and instruction steps through the test program, checking that it can backtrace all the way to main() (including all the frames in the middle) at each instruction.

I also added tests for the non-ABI compliant fetching of x0 mid-stack and x20 being unfetchable mid-stack, with the hand-written eh_frame instructions in the assembly file. It has nothing to do with the frameless function that faults that I'm trying to fix here, but it was interesting that it works as I wanted so I'll add a test on it.

I have the test marked as skipUnlessDarwin but I'm not sure there's much to keep it from working on Linux. Maybe that I had to prefix the symbol names with _ on dawin? Might be easiest to update the .c file to call either to_be_interrupted or _to_be_interrupted depending on the OS if that's it.

JDevlieghere

Thanks for taking the time to com up with this test case. Pavel already signed off on the implementation so I think this is good to merge.

JDevlieghere · 2025-05-09T18:04:51Z

lldb/test/API/macosx/unwind-frameless-faulted/Makefile

+C_SOURCES := main.c
+
+interrupt-and-trap-funcs.o: interrupt-and-trap-funcs.s
+	$(CC) $(CFLAGS) -c -o interrupt-and-trap-funcs.o $(SRCDIR)/interrupt-and-trap-funcs.s


Should this pass a triple? I assume this works locally because you're on an arm64 host?

ach, that reminds me I need to skip this test unless arm64.

Darwin. There's a slight syntax diff for the ADRP + ADD pair and the label name. And the function names in Darwin are prepended with an _ and not on linux. clang on darwin runs the .s file through the preprocessor, but it doesn't seem to on linux. I renamed interrupt-and-trap-funcs.s to interrupt-and-trap-funcs.c and run it through the preprocessor then assemble it in Makefile now. The linux version would probably run on other AArch64 systems like FreeBSD but I haven't checked those.

because it can run on darwin or linux aarch64.

github-actions · 2025-05-10T01:48:35Z

✅ With the latest revision this PR passed the C/C++ code formatter.

jasonmolenda · 2025-05-10T01:49:24Z

Minor syntax adaptations to the assembly file to build on an aarch64 unbuntu 24.04, test updated and will run on linux or darwin now.

Add two more checks for non-ABI compliant register availability from the custom UnwindPlans.

jasonmolenda · 2025-05-10T02:09:12Z

Ah, lldb-server doesn't secretly migrate the pc past a builtin_debugtrap() BRK instruction on linux like debugserver does, the test will inf loop never advancing past the BRK.

where it does not advance past this BRK instruction automatically. Also add a limit on instruction stepping, so if this does get stuck in a loop it won't run forever. I haven't tested this on a linux system yet but in by-hand running on the binary, I saw the lldb-server behavior w.r.t builtin_debugtrap and this should be necessary.

.s file -- the Test python file also hardcodes the names of the functions and I don't want to prepend _ on linux to those names.

llvm-ci · 2025-05-10T03:10:27Z

LLVM Buildbot has detected a new failure on builder lldb-x86_64-debian running on lldb-x86_64-debian while building lldb at step 6 "test".

Full details are available at: https://lab.llvm.org/buildbot/#/builders/162/builds/22097