Add tests for Valgrind annotations

[byron-hawkins]

With the ANNOTATIONS feature enabled, DR can handle any of the Valgrind annotations from valgrind.h and memcheck.h. This annotation handling should be tested for correctness in a variety of configurations and usage scenarios, including:

• fast decoding
• truncated basic blocks
• app compiled with full optimizations

Performance of annotation decoding should also be verified. This issue will require several commits.

[derekbruening]

Is this a dup of #1468?

[byron-hawkins]

I was thinking #1468 would be specific to the DR annotations. It mentions some issues that aren't especially important for the Valgrind annotations, and vice versa. But if you prefer, we can use one issue for both.

[byron-hawkins]

Client modifications to annotated basic blocks may lead to some special cases. For reference, here's a sample Valgrind annotation from x64 Linux:

   0x400d8a <main+421>: mov    -0x14(%rbp),%edi        # annotation arg setup
   0x400d8d <main+424>: movq   $0x4d43000b,-0x320(%rbp)
   0x400d98 <main+435>: mov    -0x20(%rbp),%rax
   0x400d9c <main+439>: mov    %rax,-0x318(%rbp)
   0x400da3 <main+446>: movq   $0x4d2,-0x310(%rbp)
   0x400dae <main+457>: movq   $0x0,-0x308(%rbp)
   0x400db9 <main+468>: movq   $0x0,-0x300(%rbp)
   0x400dc4 <main+479>: movq   $0x0,-0x2f8(%rbp)
   0x400dcf <main+490>: lea    -0x320(%rbp),%rax
   0x400dd6 <main+497>: mov    $0x0,%ebx
   0x400ddb <main+502>: mov    %ebx,%edx
   0x400ddd <main+504>: rol    $0x3,%rdi              # special sequence start
   0x400de1 <main+508>: rol    $0xd,%rdi              #
   0x400de5 <main+512>: rol    $0x3d,%rdi             #
   0x400de9 <main+516>: rol    $0x33,%rdi             #
   0x400ded <main+520>: xchg   %rbx,%rbx              # special sequence end
   0x400df0 <main+523>: mov    %rdx,%rax              # app instruction
   0x400df3 <main+526>: mov    %rax,-0x280(%rbp)
   0x400dfa <main+533>: mov    -0x280(%rbp),%rax
   0x400e01 <main+540>: mov    %edi,%eax
   0x400e03 <main+542>: cmp    -0x14(%rbp),%eax
   0x400e06 <main+545>: je     0x400e1e <main+569>    # end annotated bb
   0x400e08 <main+547>: mov    %edi,%edx              # next bb

1. The client may remove some or all of the instructions from the annotated bb (0x400d8a-0x400e06) and request that translation/execution resume at the next bb (0x400e08). I'm assuming there is a way for clients to do this, though I don't know exactly how. Possible annotation handling for this case:
   • instrument the truncated basic block with the annotation handler call (though it probably won't work correctly, and might crash)
   • skip the annotation
2. The client may truncate the annotated bb prior to the "special sequence" of rol and allow DR to resume at the truncation point. In this case I would assume the annotation should be instrumented following the point where 0x400ddb eventually gets translated.
3. The client might remove (skip) some of the annotation's argument setup instructions and allow DR to continue translation to the rol sequence. If we instrument the annotation, it may crash, depending on which arguments the annotation uses (some may be placeholders) and which instructions the client removed. It seems like this is not really our problem, even though there might be cases where the app crashes with annotations enabled, yet does not crash with annotations disabled.