authorVladimir Chtchetkine <vchtchetkine@google.com>2010-02-16 10:38:35 -0800
committerVladimir Chtchetkine <vchtchetkine@google.com>2010-02-18 15:22:07 -0800
commit5389aa19033153c09556d1362a8b8a56abccb8f5 (patch)
tree5d731effe5bd5d2f162f06aadec7212045eaef3d /target-arm
parent76dbca0489ab98a46f2954bc7b77c3df6f9d8264 (diff)
Merge memory checking from sandbox
Change-id: Ibce845d0
Diffstat (limited to 'target-arm')
-rw-r--r--target-arm/cpu.h9
-rw-r--r--target-arm/helper.c12
-rw-r--r--target-arm/helpers.h15
-rw-r--r--target-arm/memcheck_arm_helpers.h200
-rw-r--r--target-arm/translate.c80
5 files changed, 313 insertions, 3 deletions
diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index f98655f..afc0146 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -417,6 +417,15 @@ static inline int cpu_mmu_index (CPUState *env)
return (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_USR ? 1 : 0;
}
+static inline int is_cpu_user (CPUState *env)
+{
+#ifdef CONFIG_USER_ONLY
+ return 1;
+#else
+ return (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_USR;
+#endif // CONFIG_USER_ONLY
+}
+
#if defined(CONFIG_USER_ONLY)
static inline void cpu_clone_regs(CPUState *env, target_ulong newsp)
{
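Review bot: `is_cpu_user` is introduced without a comment and nothing in this diff calls it: translate.c keeps testing `env->uncached_cpsr & 0x1f` directly and reads `dc->user`, so the helper is dead as far as this commit shows. A one-line comment on the declaration would state the contract, e.g. `/* Non-zero when the CPU is executing in user mode (always 1 for user-only builds). */`. The non-user-only branch repeats the mode test of `cpu_mmu_index` directly above it; having one derive from the other would keep the two from drifting. The hunk ends inside `cpu_clone_regs`, whose body is outside the diff.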
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 9ac7e25..56d9953 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -10,6 +10,9 @@
#ifdef CONFIG_TRACE
#include "trace.h"
#endif
+#ifdef CONFIG_MEMCHECK
+#include "memcheck/memcheck_api.h"
+#endif // CONFIG_MEMCHECK
static uint32_t cortexa8_cp15_c0_c1[8] =
{ 0x1031, 0x11, 0x400, 0, 0x31100003, 0x20000000, 0x01202000, 0x11 };
@@ -2668,3 +2671,12 @@ void HELPER(set_teecr)(CPUState *env, uint32_t val)
}
}
+#ifdef CONFIG_MEMCHECK
+void HELPER(on_call)(void* pc, void* ret) {
+ memcheck_on_call((target_ulong)pc, (target_ulong)ret);
+}
+
+void HELPER(on_ret)(void* ret) {
+ memcheck_on_ret((target_ulong)ret);
+}
+#endif // CONFIG_MEMCHECK
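Review bot: `(target_ulong)pc` and `(target_ulong)ret` in `HELPER(on_call)` and `HELPER(on_ret)` cast a host pointer directly to the 32-bit ARM `target_ulong`, which GCC warns about on 64-bit hosts (cast from pointer to integer of different size) and which hides that these operands are guest PCs smuggled through a `ptr` TCG type by `set_on_call`/`set_on_ret`, not real host pointers. Going through `uintptr_t` keeps the conversion well-defined and silent: `memcheck_on_call((target_ulong)(uintptr_t)pc, (target_ulong)(uintptr_t)ret);` and `memcheck_on_ret((target_ulong)(uintptr_t)ret);`, with a comment such as `/* pc/ret carry guest addresses; see set_on_call() in memcheck_arm_helpers.h */`. Whether `<stdint.h>` is already reachable from helper.c's includes is not visible here.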
diff --git a/target-arm/helpers.h b/target-arm/helpers.h
index abc54d2..a42b3ae 100644
--- a/target-arm/helpers.h
+++ b/target-arm/helpers.h
@@ -466,4 +466,19 @@ DEF_HELPER_3(iwmmxt_muladdswl, i64, i64, i32, i32)
DEF_HELPER_2(set_teecr, void, env, i32)
+#ifdef CONFIG_MEMCHECK
+/* Hooks to translated BL/BLX. This callback is used to build thread's
+ * calling stack.
+ * Param:
+ * First pointer contains guest PC where BL/BLX has been found.
+ * Second pointer contains guest PC where BL/BLX will return.
+ */
+DEF_HELPER_2(on_call, void, ptr, ptr)
+/* Hooks to return from translated BL/BLX. This callback is used to build
+ * thread's calling stack.
+ * Param:
+ * Pointer contains guest PC where BL/BLX will return.
+ */
+DEF_HELPER_1(on_ret, void, ptr)
+#endif // CONFIG_MEMCHECK
#include "def-helper.h"
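Review bot: The comments on `on_call` and `on_ret` say the operands are guest PCs, yet both helpers are declared with `ptr` operands, which forces integer-to-pointer casts in the translator and pointer-to-integer casts in helper.c. Declaring them the way `set_teecr` on the line above does, `DEF_HELPER_2(on_call, void, i32, i32)` and `DEF_HELPER_1(on_ret, void, i32)`, would let the emitting code use `tcg_const_i32` and the helpers take `uint32_t`, removing both casts; this presumes memcheck_on_call/memcheck_on_ret accept `target_ulong`, which the diff only implies. The trailing "Param:" lists could also say that the `& ~1` Thumb bit is already stripped by the emitter, since the helper cannot tell otherwise.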
diff --git a/target-arm/memcheck_arm_helpers.h b/target-arm/memcheck_arm_helpers.h
new file mode 100644
index 0000000..a05668a
--- /dev/null
+++ b/target-arm/memcheck_arm_helpers.h
@@ -0,0 +1,200 @@
+/* Copyright (C) 2007-2010 The Android Open Source Project
+**
+** This software is licensed under the terms of the GNU General Public
+** License version 2, as published by the Free Software Foundation, and
+** may be copied, distributed, and modified under those terms.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+*/
+
+/*
+ * Contains implementation of memcheck helper routines used by ARM's translator.
+ */
+
+#ifndef QEMU_TARGET_ARM_MEMCHECK_ARM_HELPERS_H
+#define QEMU_TARGET_ARM_MEMCHECK_ARM_HELPERS_H
+
+/* This file should compile iff qemu is built with memory checking
+ * configuration turned on. */
+#ifndef CONFIG_MEMCHECK
+#error CONFIG_MEMCHECK is not defined.
+#endif // CONFIG_MEMCHECK
+
+#include "helpers.h"
+#include "memcheck/memcheck_api.h"
+
+/* Array of return addresses detected in gen_intermediate_code_internal. */
+AddrArray ret_addresses = { 0 };
+
+/* Checks if call stack collection is enabled for the given context.
+ * We collect call stack only for the user mode (both, code and CPU), and on
+ * condition that memory checking, and call collection are enabled. It also
+ * seems that collecting stack for the linker code is excessive, as it doesn't
+ * provide much useful info for the memory checker.
+ * Return:
+ * boolean: 1 if stack collection is enabled for the given context, or 0 if
+ * it's not enabled.
+ */
+static inline int
+watch_call_stack(DisasContext *s)
+{
+ if (!memcheck_enabled || !memcheck_watch_call_stack) {
+ return 0;
+ }
+
+#ifndef CONFIG_USER_ONLY
+ if (!s->user) {
+ /* We're not interested in kernel mode CPU stack. */
+ return 0;
+ }
+#endif // CONFIG_USER_ONLY
+
+ /* We're not interested in kernel code stack (pc >= 0xC0000000).
+ * Android specific: We're also not interested in android linker stack
+ * (0xB0000000 - 0xB00FFFFF) */
+ if (s->pc >= 0xC0000000 || (0xB0000000 <= s->pc && s->pc <= 0xB00FFFFF)) {
+ return 0;
+ }
+ return 1;
+}
+
+/* Checks if given ARM instruction is BL, or BLX.
+ * Return:
+ * boolean: 1 if ARM instruction is BL/BLX, or 0 if it's not.
+ */
+static inline int
+is_arm_bl_or_blx(uint32_t insn)
+{
+ /* ARM BL (immediate): xxxx 1011 xxxx xxxx xxxx xxxx xxxx xxxx
+ * ARM BLX (immediate): 1111 101x xxxx xxxx xxxx xxxx xxxx xxxx
+ * ARM BLX (register): xxxx 0001 0010 xxxx xxxx xxxx 0011 xxxx
+ */
+ if ((insn & 0x0F000000) == 0x0B000000 || // ARM BL (imm)
+ (insn & 0xFE000000) == 0xFA000000 || // ARM BLX (imm)
+ (insn & 0x0FF000F0) == 0x12000030) { // ARM BLX (reg)
+ return 1;
+ }
+ return 0;
+}
+
+/* Checks if given THUMB instruction is BL, or BLX.
+ * Param:
+ * insn - THUMB instruction to check.
+ * ret_off - If insn is BL, or BLX, upon return ret_off contains
+ * instruction's byte size. If instruction is not BL, or BLX, content of
+ * this parameter is undefined on return.
+ * Return:
+ * boolean: 1 if THUMB instruction is BL/BLX, or 0 if it's not.
+ */
+static inline int
+is_thumb_bl_or_blx(uint16_t insn, target_ulong* ret_off)
+{
+ /* THUMB BLX(register): 0100 0111 1xxx xxxx
+ * THUMB BL(1-stimmediate): 1111 0xxx xxxx xxxx
+ * THUMB BLX(1-stimmediate): 1111 0xxx xxxx xxxx
+ */
+ if ((insn & 0xFF80) == 0x4780) { // THUMB BLX(reg)
+ *ret_off = 2;
+ return 1;
+ } else if ((insn & 0xF800) == 0xF000) { // THUMB BL(X)(imm)
+ *ret_off = 4;
+ return 1;
+ }
+ return 0;
+}
+
+/* Registers a return address detected in gen_intermediate_code_internal.
+ * NOTE: If return address has been registered as new in this routine, this will
+ * cause invalidation of all existing TBs that contain translated code for that
+ * address.
+ * Param:
+ * env - CPU state environment.
+ * addr - Return address to register.
+ * Return:
+ * 1 - Address has been registered in this routine.
+ * -1 - Address has been already registered before.
+ * 0 - Insufficient memory.
+ */
+static int
+register_ret_address(CPUState* env, target_ulong addr)
+{
+ int ret;
+ if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) {
+ /* Address belongs to a module that always loads at this fixed address.
+ * So, we can keep this address in the global array. */
+ ret = addrarray_add(&ret_addresses, addr);
+ } else {
+ /* TODO: Figure out how to move "floating" part to the process
+ * descriptor. */
+ ret = addrarray_add(&ret_addresses, addr);
+ }
+ assert(ret != 0);
+
+ if (ret == 1) {
+ /* If this ret address has been added to the array, we need to make sure
+ * that all TBs that contain translated code for that address are
+ * invalidated. This will force retranslation of that code, which will
+ * make sure that our ret callback is set. This is also important part
+ * in keeping consistency between translated code, and intermediate code
+ * generated for guest PC calculation. If we don't invalidate TBs, and
+ * PC calculation code is generated, there will be inconsistency due to
+ * the fact that TB code doesn't contain ret callback, while PC calc
+ * code contains it. This inconsistency will lead to an immanent
+ * segmentation fault.*/
+ TranslationBlock* tb;
+ const target_ulong phys_pc = get_phys_addr_code(env, addr);
+ const target_ulong phys_page1 = phys_pc & TARGET_PAGE_MASK;
+
+ for(tb = tb_phys_hash[tb_phys_hash_func(phys_pc)]; tb != NULL;
+ tb = tb->phys_hash_next) {
+ if (tb->pc == addr && tb->page_addr[0] == phys_page1) {
+ tb_phys_invalidate(tb, -1);
+ }
+ }
+ }
+ return ret;
+}
+
+/* Checks if given address is recognized as a return address.
+ * Return:
+ * boolean: 1 if if given address is recognized as a return address,
+ * or 0 if it's not.
+ */
+static inline int
+is_ret_address(target_ulong addr)
+{
+ if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) {
+ return addrarray_check(&ret_addresses, addr);
+ } else {
+ return addrarray_check(&ret_addresses, addr);
+ }
+}
+
+/* Adds "on_call" callback into generated intermediate code. */
+static inline void
+set_on_call(target_ulong pc, target_ulong ret)
+{
+ TCGv_ptr tmp_pc = tcg_const_ptr(pc & ~1);
+ TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1);
+
+ gen_helper_on_call(tmp_pc, tmp_ret);
+
+ tcg_temp_free_ptr(tmp_ret);
+ tcg_temp_free_ptr(tmp_pc);
+}
+
+/* Adds "on_ret" callback into generated intermediate code. */
+static inline void
+set_on_ret(target_ulong ret)
+{
+ TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1);
+
+ gen_helper_on_ret(tmp_ret);
+
+ tcg_temp_free_ptr(tmp_ret);
+}
+
+#endif // QEMU_TARGET_ARM_MEMCHECK_ARM_HELPERS_H
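Review bot: `is_thumb_bl_or_blx` treats any halfword matching `1111 0xxx` as BL/BLX, but on the Thumb-2 cores this translator supports (disas_thumb2_insn's `ARCH(6T2)` check) that prefix is shared by every 32-bit data-processing, MSR and branch encoding whose first halfword is 0xF000-0xF7FF; only the top two bits of the second halfword being `11` identify BL/BLX. As written, a `B.W` or `MOVW` in user code would inject `on_call` and register a bogus return address, so the check needs the second halfword, which the caller in disas_thumb_insn can fetch with `lduw_code(s->pc + 2)`. Separately, `AddrArray ret_addresses = { 0 };` is a non-static definition in a header and will produce a duplicate symbol if a second translation unit ever includes it; `static` fixes that. `register_ret_address` documents 0 as "insufficient memory" and then asserts `ret != 0`, so the OOM path either aborts the emulator or, under NDEBUG, reaches callers that ignore the return; the two branches of that function and of `is_ret_address` are also identical, leaving the address-range split as dead code for now.

```c
static inline int
is_thumb_bl_or_blx(uint16_t insn, uint16_t insn2, target_ulong* ret_off)
{
    /* THUMB BLX(register): 0100 0111 1xxx xxxx */
    if ((insn & 0xFF80) == 0x4780) {
        *ret_off = 2;
        return 1;
    }
    /* 32-bit BL/BLX(immediate): first halfword 1111 0xxx xxxx xxxx, second
     * halfword 11x1 xxxx (BL) or 11x0 xxxx (BLX). Other Thumb-2 encodings
     * share the first halfword's prefix but have a 0 in bit 15 or bit 14 of
     * the second halfword. */
    if ((insn & 0xF800) == 0xF000 && (insn2 & 0xC000) == 0xC000) {
        *ret_off = 4;
        return 1;
    }
    return 0;
}
```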
diff --git a/target-arm/translate.c b/target-arm/translate.c
index b6e1a34..4432c7b 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -65,6 +65,9 @@ typedef struct DisasContext {
#if !defined(CONFIG_USER_ONLY)
int user;
#endif
+#ifdef CONFIG_MEMCHECK
+ int search_pc;
+#endif // CONFIG_MEMCHECK
} DisasContext;
#if defined(CONFIG_USER_ONLY)
@@ -77,6 +80,26 @@ typedef struct DisasContext {
#include "helpers.h"
#endif /* CONFIG_TRACE */
+#ifdef CONFIG_MEMCHECK
+/*
+ * Memchecker addition in this module is intended to inject qemu callback into
+ * translated code for each BL/BLX, as well as BL/BLX returns. These callbacks
+ * are used to build calling stack of the thread in order to provide better
+ * reporting on memory access violations. Although this may seem as something
+ * that may gratly impact the performance, in reality it doesn't. Overhead that
+ * is added by setting up callbacks and by callbacks themselves is neglectable.
+ * On the other hand, maintaining calling stack can indeed add some perf.
+ * overhead (TODO: provide solid numbers here).
+ * One of the things to watch out with regards to injecting callbacks, is
+ * consistency between intermediate code generated for execution, and for guest
+ * PC address calculation. If code doesn't match, a segmentation fault is
+ * guaranteed.
+ */
+
+#include "memcheck/memcheck_proc_management.h"
+#include "memcheck_arm_helpers.h"
+#endif // CONFIG_MEMCHECK
+
/* These instructions trap after executing, so defer them until after the
conditional executions state has been updated. */
#define DISAS_WFI 4
@@ -5783,8 +5806,22 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
TCGv tmp3;
TCGv addr;
TCGv_i64 tmp64;
-
insn = ldl_code(s->pc);
+
+#ifdef CONFIG_MEMCHECK
+ if (watch_call_stack(s)) {
+ if (is_ret_address(s->pc)) {
+ set_on_ret(s->pc);
+ }
+ if (is_arm_bl_or_blx(insn)) {
+ set_on_call(s->pc, s->pc + 4);
+ if (!s->search_pc) {
+ register_ret_address(env, s->pc + 4);
+ }
+ }
+ }
+#endif // CONFIG_MEMCHECK
+
#ifdef CONFIG_TRACE
if (tracing) {
trace_add_insn(insn, 0);
@@ -5792,6 +5829,7 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
gen_traceInsn();
}
#endif
+
s->pc += 4;
/* M variants do not implement ARM mode. */
@@ -6985,7 +7023,6 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
case 0xb:
{
int32_t offset;
-
/* branch (and link) */
val = (int32_t)s->pc;
if (insn & (1 << 24)) {
@@ -7170,9 +7207,11 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
gen_traceTicks(ticks);
}
#endif
- s->pc += 2;
+
insn |= (uint32_t)insn_hw1 << 16;
+ s->pc += 2;
+
if ((insn & 0xf800e800) != 0xf000e800) {
ARCH(6T2);
}
@@ -8149,6 +8188,22 @@ static void disas_thumb_insn(CPUState *env, DisasContext *s)
}
insn = lduw_code(s->pc);
+
+#ifdef CONFIG_MEMCHECK
+ if (watch_call_stack(s)) {
+ target_ulong ret_off;
+ if (is_ret_address(s->pc)) {
+ set_on_ret(s->pc);
+ }
+ if (is_thumb_bl_or_blx(insn, &ret_off)) {
+ set_on_call(s->pc, s->pc + ret_off);
+ if (!s->search_pc) {
+ register_ret_address(env, s->pc + ret_off);
+ }
+ }
+ }
+#endif // CONFIG_MEMCHECK
+
#ifdef CONFIG_TRACE
if (tracing) {
int ticks = get_insn_ticks_thumb(insn);
@@ -8834,6 +8889,9 @@ static inline void gen_intermediate_code_internal(CPUState *env,
dc->user = (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_USR;
}
#endif
+#ifdef CONFIG_MEMCHECK
+ dc->search_pc = search_pc;
+#endif // CONFIG_MEMCHECK
cpu_F0s = tcg_temp_new_i32();
cpu_F1s = tcg_temp_new_i32();
cpu_F0d = tcg_temp_new_i64();
@@ -8892,7 +8950,15 @@ static inline void gen_intermediate_code_internal(CPUState *env,
}
}
}
+
+#ifdef CONFIG_MEMCHECK
+ /* When memchecker is enabled, we need to keep a match between
+ * translated PC and guest PCs, so memchecker can quickly covert
+ * one to another. Note that we do that only for user mode. */
+ if (search_pc || (memcheck_enabled && dc->user)) {
+#else // CONFIG_MEMCHECK
if (search_pc) {
+#endif // CONFIG_MEMCHECK
j = gen_opc_ptr - gen_opc_buf;
if (lj < j) {
lj++;
@@ -9039,6 +9105,14 @@ done_generating:
while (lj <= j)
gen_opc_instr_start[lj++] = 0;
} else {
+#ifdef CONFIG_MEMCHECK
+ if (memcheck_enabled && dc->user) {
+ j = gen_opc_ptr - gen_opc_buf;
+ lj++;
+ while (lj <= j)
+ gen_opc_instr_start[lj++] = 0;
+ }
+#endif // CONFIG_MEMCHECK
tb->size = dc->pc - pc_start;
tb->icount = num_insns;
}
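Review bot: Both gen_intermediate_code_internal hunks read `dc->user` under `#ifdef CONFIG_MEMCHECK` alone, but the `int user` member exists only `#if !defined(CONFIG_USER_ONLY)` (context at the top of the DisasContext hunk), so a memcheck-enabled user-only build does not compile, whereas the new header's `watch_call_stack` guards the same access correctly. The `is_cpu_user(env)` helper this commit adds to cpu.h already handles both configurations, so `if (search_pc || (memcheck_enabled && is_cpu_user(env))) {` and `if (memcheck_enabled && is_cpu_user(env)) {` would fix both sites and give the helper its first caller. In disas_arm_insn and disas_thumb_insn the return value of `register_ret_address` is dropped even though the header documents 0 as out-of-memory. The ARM-side hook is also emitted before the instruction's condition field is decoded, so a conditional BL whose condition fails would presumably still report a call; worth confirming against memcheck_on_call's expectations. Every hunk here sits inside a function whose body extends beyond the diff.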