From 5389aa19033153c09556d1362a8b8a56abccb8f5 Mon Sep 17 00:00:00 2001 From: Vladimir Chtchetkine Date: Tue, 16 Feb 2010 10:38:35 -0800 Subject: Merge memory checking from sandbox Change-id: Ibce845d0 --- target-arm/cpu.h | 9 ++ target-arm/helper.c | 12 +++ target-arm/helpers.h | 15 +++ target-arm/memcheck_arm_helpers.h | 200 ++++++++++++++++++++++++++++++++++++++ target-arm/translate.c | 80 ++++++++++++++- 5 files changed, 313 insertions(+), 3 deletions(-) create mode 100644 target-arm/memcheck_arm_helpers.h (limited to 'target-arm') diff --git a/target-arm/cpu.h b/target-arm/cpu.h index f98655f..afc0146 100644 --- a/target-arm/cpu.h +++ b/target-arm/cpu.h @@ -417,6 +417,15 @@ static inline int cpu_mmu_index (CPUState *env) return (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_USR ? 1 : 0; } +static inline int is_cpu_user (CPUState *env) +{ +#ifdef CONFIG_USER_ONLY + return 1; +#else + return (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_USR; +#endif // CONFIG_USER_ONLY +} + #if defined(CONFIG_USER_ONLY) static inline void cpu_clone_regs(CPUState *env, target_ulong newsp) { diff --git a/target-arm/helper.c b/target-arm/helper.c index 9ac7e25..56d9953 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -10,6 +10,9 @@ #ifdef CONFIG_TRACE #include "trace.h" #endif +#ifdef CONFIG_MEMCHECK +#include "memcheck/memcheck_api.h" +#endif // CONFIG_MEMCHECK static uint32_t cortexa8_cp15_c0_c1[8] = { 0x1031, 0x11, 0x400, 0, 0x31100003, 0x20000000, 0x01202000, 0x11 }; @@ -2668,3 +2671,12 @@ void HELPER(set_teecr)(CPUState *env, uint32_t val) } } +#ifdef CONFIG_MEMCHECK +void HELPER(on_call)(void* pc, void* ret) { + memcheck_on_call((target_ulong)pc, (target_ulong)ret); +} + +void HELPER(on_ret)(void* ret) { + memcheck_on_ret((target_ulong)ret); +} +#endif // CONFIG_MEMCHECK diff --git a/target-arm/helpers.h b/target-arm/helpers.h index abc54d2..a42b3ae 100644 --- a/target-arm/helpers.h +++ b/target-arm/helpers.h 
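Review bot: is_cpu_user() has no caller anywhere in this patch, and its `#else` branch repeats the mode test that cpu_mmu_index() evaluates directly above it, so the two can silently diverge if that test ever changes. Either defer adding it until a caller exists, or write that branch as `return cpu_mmu_index(env);` and give the function a one-line header such as `/* Non-zero when the CPU runs in user mode; always true in user-only builds. */`.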
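Review bot: HELPER(on_call) and HELPER(on_ret) take guest PCs as `void*` and convert them with `(target_ulong)pc`, a pointer-to-narrower-integer cast that compilers warn about on 64-bit hosts and that only works because set_on_call()/set_on_ret() in memcheck_arm_helpers.h smuggle a 32-bit guest address into a pointer-typed TCG temporary via tcg_const_ptr(). Since these values are guest addresses rather than host pointers, declaring them as integers in the helpers.h hunk — `DEF_HELPER_2(on_call, void, i32, i32)` and `DEF_HELPER_1(on_ret, void, i32)`, matching the neighbouring `DEF_HELPER_2(set_teecr, void, env, i32)` — with `uint32_t` parameters here and tcg_const_i32() temporaries on the translator side removes the casts entirely. If the pointer form is kept, write the conversion as `(target_ulong)(uintptr_t)pc` so the narrowing is explicit.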
@@ -466,4 +466,19 @@ DEF_HELPER_3(iwmmxt_muladdswl, i64, i64, i32, i32) DEF_HELPER_2(set_teecr, void, env, i32) +#ifdef CONFIG_MEMCHECK +/* Hooks to translated BL/BLX. This callback is used to build thread's + * calling stack. + * Param: + * First pointer contains guest PC where BL/BLX has been found. + * Second pointer contains guest PC where BL/BLX will return. + */ +DEF_HELPER_2(on_call, void, ptr, ptr) +/* Hooks to return from translated BL/BLX. This callback is used to build + * thread's calling stack. + * Param: + * Pointer contains guest PC where BL/BLX will return. + */ +DEF_HELPER_1(on_ret, void, ptr) +#endif // CONFIG_MEMCHECK #include "def-helper.h" diff --git a/target-arm/memcheck_arm_helpers.h b/target-arm/memcheck_arm_helpers.h new file mode 100644 index 0000000..a05668a --- /dev/null +++ b/target-arm/memcheck_arm_helpers.h 
@@ -0,0 +1,200 @@ +/* Copyright (C) 2007-2010 The Android Open Source Project +** +** This software is licensed under the terms of the GNU General Public +** License version 2, as published by the Free Software Foundation, and +** may be copied, distributed, and modified under those terms. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +*/ + +/* + * Contains implementation of memcheck helper routines used by ARM's translator. + */ + +#ifndef QEMU_TARGET_ARM_MEMCHECK_ARM_HELPERS_H +#define QEMU_TARGET_ARM_MEMCHECK_ARM_HELPERS_H + +/* This file should compile iff qemu is built with memory checking + * configuration turned on. */ +#ifndef CONFIG_MEMCHECK +#error CONFIG_MEMCHECK is not defined. +#endif // CONFIG_MEMCHECK + +#include "helpers.h" +#include "memcheck/memcheck_api.h" + +/* Array of return addresses detected in gen_intermediate_code_internal. */ +AddrArray ret_addresses = { 0 }; + +/* Checks if call stack collection is enabled for the given context. + * We collect call stack only for the user mode (both, code and CPU), and on + * condition that memory checking, and call collection are enabled. It also + * seems that collecting stack for the linker code is excessive, as it doesn't + * provide much useful info for the memory checker. + * Return: + * boolean: 1 if stack collection is enabled for the given context, or 0 if + * it's not enabled. + */ +static inline int +watch_call_stack(DisasContext *s) +{ + if (!memcheck_enabled || !memcheck_watch_call_stack) { + return 0; + } + +#ifndef CONFIG_USER_ONLY + if (!s->user) { + /* We're not interested in kernel mode CPU stack. */ + return 0; + } +#endif // CONFIG_USER_ONLY + + /* We're not interested in kernel code stack (pc >= 0xC0000000). 
+ * Android specific: We're also not interested in android linker stack + * (0xB0000000 - 0xB00FFFFF) */ + if (s->pc >= 0xC0000000 || (0xB0000000 <= s->pc && s->pc <= 0xB00FFFFF)) { + return 0; + } + return 1; +} + +/* Checks if given ARM instruction is BL, or BLX. + * Return: + * boolean: 1 if ARM instruction is BL/BLX, or 0 if it's not. + */ +static inline int +is_arm_bl_or_blx(uint32_t insn) +{ + /* ARM BL (immediate): xxxx 1011 xxxx xxxx xxxx xxxx xxxx xxxx + * ARM BLX (immediate): 1111 101x xxxx xxxx xxxx xxxx xxxx xxxx + * ARM BLX (register): xxxx 0001 0010 xxxx xxxx xxxx 0011 xxxx + */ + if ((insn & 0x0F000000) == 0x0B000000 || // ARM BL (imm) + (insn & 0xFE000000) == 0xFA000000 || // ARM BLX (imm) + (insn & 0x0FF000F0) == 0x12000030) { // ARM BLX (reg) + return 1; + } + return 0; +} + +/* Checks if given THUMB instruction is BL, or BLX. + * Param: + * insn - THUMB instruction to check. + * ret_off - If insn is BL, or BLX, upon return ret_off contains + * instruction's byte size. If instruction is not BL, or BLX, content of + * this parameter is undefined on return. + * Return: + * boolean: 1 if THUMB instruction is BL/BLX, or 0 if it's not. + */ +static inline int +is_thumb_bl_or_blx(uint16_t insn, target_ulong* ret_off) +{ + /* THUMB BLX(register): 0100 0111 1xxx xxxx + * THUMB BL(1-stimmediate): 1111 0xxx xxxx xxxx + * THUMB BLX(1-stimmediate): 1111 0xxx xxxx xxxx + */ + if ((insn & 0xFF80) == 0x4780) { // THUMB BLX(reg) + *ret_off = 2; + return 1; + } else if ((insn & 0xF800) == 0xF000) { // THUMB BL(X)(imm) + *ret_off = 4; + return 1; + } + return 0; +} + +/* Registers a return address detected in gen_intermediate_code_internal. + * NOTE: If return address has been registered as new in this routine, this will + * cause invalidation of all existing TBs that contain translated code for that + * address. + * Param: + * env - CPU state environment. + * addr - Return address to register. + * Return: + * 1 - Address has been registered in this routine. 
+ * -1 - Address has been already registered before. + * 0 - Insufficient memory. + */ +static int +register_ret_address(CPUState* env, target_ulong addr) +{ + int ret; + if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) { + /* Address belongs to a module that always loads at this fixed address. + * So, we can keep this address in the global array. */ + ret = addrarray_add(&ret_addresses, addr); + } else { + /* TODO: Figure out how to move "floating" part to the process + * descriptor. */ + ret = addrarray_add(&ret_addresses, addr); + } + assert(ret != 0); + + if (ret == 1) { + /* If this ret address has been added to the array, we need to make sure + * that all TBs that contain translated code for that address are + * invalidated. This will force retranslation of that code, which will + * make sure that our ret callback is set. This is also important part + * in keeping consistency between translated code, and intermediate code + * generated for guest PC calculation. If we don't invalidate TBs, and + * PC calculation code is generated, there will be inconsistency due to + * the fact that TB code doesn't contain ret callback, while PC calc + * code contains it. This inconsistency will lead to an immanent + * segmentation fault.*/ + TranslationBlock* tb; + const target_ulong phys_pc = get_phys_addr_code(env, addr); + const target_ulong phys_page1 = phys_pc & TARGET_PAGE_MASK; + + for(tb = tb_phys_hash[tb_phys_hash_func(phys_pc)]; tb != NULL; + tb = tb->phys_hash_next) { + if (tb->pc == addr && tb->page_addr[0] == phys_page1) { + tb_phys_invalidate(tb, -1); + } + } + } + return ret; +} + +/* Checks if given address is recognized as a return address. + * Return: + * boolean: 1 if if given address is recognized as a return address, + * or 0 if it's not. 
+ */ +static inline int +is_ret_address(target_ulong addr) +{ + if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) { + return addrarray_check(&ret_addresses, addr); + } else { + return addrarray_check(&ret_addresses, addr); + } +} + +/* Adds "on_call" callback into generated intermediate code. */ +static inline void +set_on_call(target_ulong pc, target_ulong ret) +{ + TCGv_ptr tmp_pc = tcg_const_ptr(pc & ~1); + TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1); + + gen_helper_on_call(tmp_pc, tmp_ret); + + tcg_temp_free_ptr(tmp_ret); + tcg_temp_free_ptr(tmp_pc); +} + +/* Adds "on_ret" callback into generated intermediate code. */ +static inline void +set_on_ret(target_ulong ret) +{ + TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1); + + gen_helper_on_ret(tmp_ret); + + tcg_temp_free_ptr(tmp_ret); +} + +#endif // QEMU_TARGET_ARM_MEMCHECK_ARM_HELPERS_H diff --git a/target-arm/translate.c b/target-arm/translate.c index b6e1a34..4432c7b 100644 --- a/target-arm/translate.c +++ b/target-arm/translate.c @@ -65,6 +65,9 @@ typedef struct DisasContext { #if !defined(CONFIG_USER_ONLY) int user; #endif +#ifdef CONFIG_MEMCHECK + int search_pc; +#endif // CONFIG_MEMCHECK } DisasContext; #if defined(CONFIG_USER_ONLY) 
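Review bot: is_thumb_bl_or_blx() accepts any halfword matching `(insn & 0xF800) == 0xF000` as a BL/BLX, but on ARMv6T2/v7 cores that 11110 prefix also begins other 32-bit Thumb-2 encodings (data-processing with immediate, conditional B, B.W, MSR/MRS), so those instructions would get an on_call injected and a bogus return address registered by the disas_thumb_insn hunk in translate.c. BL and BLX are distinguished by the second halfword, whose top two bits are set only for them, so the check needs that halfword as an extra argument, which the caller can read as `lduw_code(s->pc + 2)` just as disas_thumb2_insn does. Two smaller points in the same file: `AddrArray ret_addresses = { 0 };` is a non-static object definition in a header, so a second includer produces a duplicate-symbol link error and it should be `static`; and the if/else in register_ret_address() and is_ret_address() have identical branches, which the TODO acknowledges but a reader will take for a bug.
```c
static inline int
is_thumb_bl_or_blx(uint16_t insn, uint16_t insn2, target_ulong* ret_off)
{
    /* THUMB BLX(register): 0100 0111 1xxx xxxx */
    if ((insn & 0xFF80) == 0x4780) {
        *ret_off = 2;
        return 1;
    }
    /* 32-bit BL/BLX: first halfword 1111 0xxx xxxx xxxx, second halfword
     * 11xx xxxx xxxx xxxx. Other 11110-prefixed Thumb-2 encodings (B, B.W,
     * data-processing immediates, MSR/MRS) have bit 14 of the second
     * halfword clear and must not be treated as calls. */
    if ((insn & 0xF800) == 0xF000 && (insn2 & 0xC000) == 0xC000) {
        *ret_off = 4;
        return 1;
    }
    return 0;
}
```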
@@ -77,6 +80,26 @@ typedef struct DisasContext { #include "helpers.h" #endif /* CONFIG_TRACE */ +#ifdef CONFIG_MEMCHECK +/* + * Memchecker addition in this module is intended to inject qemu callback into + * translated code for each BL/BLX, as well as BL/BLX returns. These callbacks + * are used to build calling stack of the thread in order to provide better + * reporting on memory access violations. Although this may seem as something + * that may gratly impact the performance, in reality it doesn't. Overhead that + * is added by setting up callbacks and by callbacks themselves is neglectable. + * On the other hand, maintaining calling stack can indeed add some perf. + * overhead (TODO: provide solid numbers here). + * One of the things to watch out with regards to injecting callbacks, is + * consistency between intermediate code generated for execution, and for guest + * PC address calculation. If code doesn't match, a segmentation fault is + * guaranteed. + */ + +#include "memcheck/memcheck_proc_management.h" +#include "memcheck_arm_helpers.h" +#endif // CONFIG_MEMCHECK + /* These instructions trap after executing, so defer them until after the conditional executions state has been updated. */ #define DISAS_WFI 4 @@ -5783,8 +5806,22 @@ static void disas_arm_insn(CPUState * env, DisasContext *s) TCGv tmp3; TCGv addr; TCGv_i64 tmp64; - insn = ldl_code(s->pc); + +#ifdef CONFIG_MEMCHECK + if (watch_call_stack(s)) { + if (is_ret_address(s->pc)) { + set_on_ret(s->pc); + } + if (is_arm_bl_or_blx(insn)) { + set_on_call(s->pc, s->pc + 4); + if (!s->search_pc) { + register_ret_address(env, s->pc + 4); + } + } + } +#endif // CONFIG_MEMCHECK + #ifdef CONFIG_TRACE if (tracing) { trace_add_insn(insn, 0); @@ -5792,6 +5829,7 @@ static void disas_arm_insn(CPUState * env, DisasContext *s) gen_traceInsn(); } #endif + s->pc += 4; /* M variants do not implement ARM mode. */ 
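Review bot: On the new side of the disas_arm_insn hunk nothing assigns `insn` before `is_arm_bl_or_blx(insn)` and `trace_add_insn(insn, 0)` read it: the only load, `insn = ldl_code(s->pc);`, is a removed line and no added line restores it, so unless the collapsed rendering dropped that line the function now decodes an uninitialized value. Restore `insn = ldl_code(s->pc);` immediately before the `#ifdef CONFIG_MEMCHECK` block. disas_arm_insn continues outside the hunk.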
@@ -6985,7 +7023,6 @@ static void disas_arm_insn(CPUState * env, DisasContext *s) case 0xb: { int32_t offset; - /* branch (and link) */ val = (int32_t)s->pc; if (insn & (1 << 24)) { @@ -7170,9 +7207,11 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1) gen_traceTicks(ticks); } #endif - s->pc += 2; + insn |= (uint32_t)insn_hw1 << 16; + s->pc += 2; + if ((insn & 0xf800e800) != 0xf000e800) { ARCH(6T2); } @@ -8149,6 +8188,22 @@ static void disas_thumb_insn(CPUState *env, DisasContext *s) } insn = lduw_code(s->pc); + +#ifdef CONFIG_MEMCHECK + if (watch_call_stack(s)) { + target_ulong ret_off; + if (is_ret_address(s->pc)) { + set_on_ret(s->pc); + } + if (is_thumb_bl_or_blx(insn, &ret_off)) { + set_on_call(s->pc, s->pc + ret_off); + if (!s->search_pc) { + register_ret_address(env, s->pc + ret_off); + } + } + } +#endif // CONFIG_MEMCHECK + #ifdef CONFIG_TRACE if (tracing) { int ticks = get_insn_ticks_thumb(insn); @@ -8834,6 +8889,9 @@ static inline void gen_intermediate_code_internal(CPUState *env, dc->user = (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_USR; } #endif +#ifdef CONFIG_MEMCHECK + dc->search_pc = search_pc; +#endif // CONFIG_MEMCHECK cpu_F0s = tcg_temp_new_i32(); cpu_F1s = tcg_temp_new_i32(); cpu_F0d = tcg_temp_new_i64(); @@ -8892,7 +8950,15 @@ static inline void gen_intermediate_code_internal(CPUState *env, } } } + +#ifdef CONFIG_MEMCHECK + /* When memchecker is enabled, we need to keep a match between + * translated PC and guest PCs, so memchecker can quickly covert + * one to another. Note that we do that only for user mode. */ + if (search_pc || (memcheck_enabled && dc->user)) { +#else // CONFIG_MEMCHECK if (search_pc) { +#endif // CONFIG_MEMCHECK j = gen_opc_ptr - gen_opc_buf; if (lj < j) { lj++; 
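Review bot: `dc->user` is read in the new condition `if (search_pc || (memcheck_enabled && dc->user)) {`, but DisasContext declares `user` only under `#if !defined(CONFIG_USER_ONLY)` (see the first translate.c hunk), so a CONFIG_USER_ONLY build with CONFIG_MEMCHECK no longer compiles; the `else` branch added in the last hunk reads it the same way. The translator's IS_USER(dc) macro, if this tree still carries it as upstream does, keeps the user-only build working and matches the `#ifndef CONFIG_USER_ONLY` guard that watch_call_stack() uses for the same test. The new comment's "covert" should read "convert".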
@@ -9039,6 +9105,14 @@ done_generating:
 while (lj <= j)
 gen_opc_instr_start[lj++] = 0;
 } else {
+#ifdef CONFIG_MEMCHECK
+ if (memcheck_enabled && dc->user) {
+ j = gen_opc_ptr - gen_opc_buf;
+ lj++;
+ while (lj <= j)
+ gen_opc_instr_start[lj++] = 0;
+ }
+#endif // CONFIG_MEMCHECK
 tb->size = dc->pc - pc_start;
 tb->icount = num_insns;
 }
--
cgit v1.1