1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #ifndef OPENSSL_HEADER_ABI_TEST_H
16 #define OPENSSL_HEADER_ABI_TEST_H
17
18 #include <gtest/gtest.h>
19
20 #include <string>
21 #include <type_traits>
22 #include <vector>
23
24 #include <openssl/base.h>
25
26 #include "../internal.h"
27
28
29 // abi_test provides routines for verifying that functions satisfy platform ABI
30 // requirements.
31 namespace abi_test {
32
33 // Result stores the result of an ABI test.
34 struct Result {
okResult35 bool ok() const { return errors.empty(); }
36
37 std::vector<std::string> errors;
38 };
39
40 namespace internal {
41
42 // DeductionGuard wraps |T| in a template, so that template argument deduction
43 // does not apply to it. This may be used to force C++ to deduce template
44 // arguments from another parameter.
45 template <typename T>
46 struct DeductionGuard {
47 using Type = T;
48 };
49
50 // Reg128 contains storage space for a 128-bit register.
51 struct alignas(16) Reg128 {
52 bool operator==(const Reg128 &x) const { return x.lo == lo && x.hi == hi; }
53 bool operator!=(const Reg128 &x) const { return !((*this) == x); }
54 uint64_t lo, hi;
55 };
56
57 // LOOP_CALLER_STATE_REGISTERS is a macro that iterates over all registers the
58 // callee is expected to save for the caller, with the exception of the stack
59 // pointer. The stack pointer is tested implicitly by the function successfully
60 // returning at all.
61 #if defined(OPENSSL_X86_64)
62
63 // References:
64 // SysV64: https://github.com/hjl-tools/x86-psABI/wiki/x86-64-psABI-1.0.pdf
65 // Win64: https://docs.microsoft.com/en-us/cpp/build/x64-software-conventions?view=vs-2017#register-usage
66 #if defined(OPENSSL_WINDOWS)
67 #define LOOP_CALLER_STATE_REGISTERS() \
68 CALLER_STATE_REGISTER(uint64_t, rbx) \
69 CALLER_STATE_REGISTER(uint64_t, rbp) \
70 CALLER_STATE_REGISTER(uint64_t, rdi) \
71 CALLER_STATE_REGISTER(uint64_t, rsi) \
72 CALLER_STATE_REGISTER(uint64_t, r12) \
73 CALLER_STATE_REGISTER(uint64_t, r13) \
74 CALLER_STATE_REGISTER(uint64_t, r14) \
75 CALLER_STATE_REGISTER(uint64_t, r15) \
76 CALLER_STATE_REGISTER(Reg128, xmm6) \
77 CALLER_STATE_REGISTER(Reg128, xmm7) \
78 CALLER_STATE_REGISTER(Reg128, xmm8) \
79 CALLER_STATE_REGISTER(Reg128, xmm9) \
80 CALLER_STATE_REGISTER(Reg128, xmm10) \
81 CALLER_STATE_REGISTER(Reg128, xmm11) \
82 CALLER_STATE_REGISTER(Reg128, xmm12) \
83 CALLER_STATE_REGISTER(Reg128, xmm13) \
84 CALLER_STATE_REGISTER(Reg128, xmm14) \
85 CALLER_STATE_REGISTER(Reg128, xmm15)
86 #else
87 #define LOOP_CALLER_STATE_REGISTERS() \
88 CALLER_STATE_REGISTER(uint64_t, rbx) \
89 CALLER_STATE_REGISTER(uint64_t, rbp) \
90 CALLER_STATE_REGISTER(uint64_t, r12) \
91 CALLER_STATE_REGISTER(uint64_t, r13) \
92 CALLER_STATE_REGISTER(uint64_t, r14) \
93 CALLER_STATE_REGISTER(uint64_t, r15)
94 #endif // OPENSSL_WINDOWS
95
96 #elif defined(OPENSSL_X86)
97
98 // References:
99 // SysV32: https://uclibc.org/docs/psABI-i386.pdf and
100 // Win32: https://docs.microsoft.com/en-us/cpp/cpp/argument-passing-and-naming-conventions?view=vs-2017
101 #define LOOP_CALLER_STATE_REGISTERS() \
102 CALLER_STATE_REGISTER(uint32_t, esi) \
103 CALLER_STATE_REGISTER(uint32_t, edi) \
104 CALLER_STATE_REGISTER(uint32_t, ebx) \
105 CALLER_STATE_REGISTER(uint32_t, ebp)
106
107 #elif defined(OPENSSL_ARM)
108
109 // References:
110 // AAPCS: https://developer.arm.com/docs/ihi0042/latest
111 // iOS32: https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARMv6FunctionCallingConventions.html
112 // Linux: http://sourcery.mentor.com/sgpp/lite/arm/portal/kbattach142/arm_gnu_linux_%20abi.pdf
113 //
114 // ARM specifies a common calling convention, except r9 is left to the platform.
115 // Linux treats r9 as callee-saved, while iOS 3+ treats it as caller-saved. Most
116 // of our assembly treats it as callee-saved to be uniform, but we match the
117 // platform to avoid false positives when testing compiler-generated output.
118 #define LOOP_CALLER_STATE_REGISTERS_PRE_R9() \
119 CALLER_STATE_REGISTER(uint64_t, d8) \
120 CALLER_STATE_REGISTER(uint64_t, d9) \
121 CALLER_STATE_REGISTER(uint64_t, d10) \
122 CALLER_STATE_REGISTER(uint64_t, d11) \
123 CALLER_STATE_REGISTER(uint64_t, d12) \
124 CALLER_STATE_REGISTER(uint64_t, d13) \
125 CALLER_STATE_REGISTER(uint64_t, d14) \
126 CALLER_STATE_REGISTER(uint64_t, d15) \
127 CALLER_STATE_REGISTER(uint32_t, r4) \
128 CALLER_STATE_REGISTER(uint32_t, r5) \
129 CALLER_STATE_REGISTER(uint32_t, r6) \
130 CALLER_STATE_REGISTER(uint32_t, r7) \
131 CALLER_STATE_REGISTER(uint32_t, r8)
132 #define LOOP_CALLER_STATE_REGISTERS_POST_R9() \
133 CALLER_STATE_REGISTER(uint32_t, r10) \
134 CALLER_STATE_REGISTER(uint32_t, r11)
135 #if defined(OPENSSL_APPLE)
136 #define LOOP_CALLER_STATE_REGISTERS() \
137 LOOP_CALLER_STATE_REGISTERS_PRE_R9() \
138 LOOP_CALLER_STATE_REGISTERS_POST_R9()
139 #else // !OPENSSL_APPLE
140 #define LOOP_CALLER_STATE_REGISTERS() \
141 LOOP_CALLER_STATE_REGISTERS_PRE_R9() \
142 CALLER_STATE_REGISTER(uint32_t, r9) \
143 LOOP_CALLER_STATE_REGISTERS_POST_R9()
144 #endif // OPENSSL_APPLE
145
146 #elif defined(OPENSSL_AARCH64)
147
148 // References:
149 // AAPCS64: https://developer.arm.com/docs/ihi0055/latest
150 // iOS64: https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html
151 //
152 // In aarch64, r18 (accessed as w18 or x18 in a 64-bit context) is the platform
153 // register. iOS says user code may not touch it. We found no clear reference
154 // for Linux. The iOS behavior implies portable assembly cannot use it, and
155 // aarch64 has many registers. Thus this framework ignores register's existence.
156 // We test r18 violations in arm-xlate.pl.
157 #define LOOP_CALLER_STATE_REGISTERS() \
158 /* Per AAPCS64, section 5.1.2, only the bottom 64 bits of v8-v15 */ \
159 /* are preserved. These are accessed as dN. */ \
160 CALLER_STATE_REGISTER(uint64_t, d8) \
161 CALLER_STATE_REGISTER(uint64_t, d9) \
162 CALLER_STATE_REGISTER(uint64_t, d10) \
163 CALLER_STATE_REGISTER(uint64_t, d11) \
164 CALLER_STATE_REGISTER(uint64_t, d12) \
165 CALLER_STATE_REGISTER(uint64_t, d13) \
166 CALLER_STATE_REGISTER(uint64_t, d14) \
167 CALLER_STATE_REGISTER(uint64_t, d15) \
168 /* For consistency with dN, use the 64-bit name xN, rather than */ \
169 /* the generic rN. */ \
170 CALLER_STATE_REGISTER(uint64_t, x19) \
171 CALLER_STATE_REGISTER(uint64_t, x20) \
172 CALLER_STATE_REGISTER(uint64_t, x21) \
173 CALLER_STATE_REGISTER(uint64_t, x22) \
174 CALLER_STATE_REGISTER(uint64_t, x23) \
175 CALLER_STATE_REGISTER(uint64_t, x24) \
176 CALLER_STATE_REGISTER(uint64_t, x25) \
177 CALLER_STATE_REGISTER(uint64_t, x26) \
178 CALLER_STATE_REGISTER(uint64_t, x27) \
179 CALLER_STATE_REGISTER(uint64_t, x28) \
180 CALLER_STATE_REGISTER(uint64_t, x29)
181
182 #elif defined(OPENSSL_PPC64LE)
183
184 // CRReg only compares the CR2-CR4 bits of a CR register.
185 struct CRReg {
maskedCRReg186 uint32_t masked() const { return value & 0x00fff000; }
187 bool operator==(CRReg r) const { return masked() == r.masked(); }
188 bool operator!=(CRReg r) const { return masked() != r.masked(); }
189 uint32_t value;
190 };
191
192 // References:
193 // ELFv2: http://openpowerfoundation.org/wp-content/uploads/resources/leabi/leabi-20170510.pdf
194 //
195 // Note vector and floating-point registers on POWER have two different names.
196 // Originally, there were 32 floating-point registers and 32 vector registers,
197 // labelled f0-f31 and v0-v31 respectively. Later, VSX (Vector Scalar Extension)
198 // unified them into 64 registers vs0-vs63. f0-f31 map to the lower halves of
199 // vs0-vs31. v0-v31 map to vs32-vs63. The ABI was defined in terms of pre-VSX
200 // names, so we use those names here. In particular, f14-f31 are
201 // callee-saved, but the upper halves of vs14-vs31 are not.
202 #define LOOP_CALLER_STATE_REGISTERS() \
203 CALLER_STATE_REGISTER(Reg128, v20) \
204 CALLER_STATE_REGISTER(Reg128, v21) \
205 CALLER_STATE_REGISTER(Reg128, v22) \
206 CALLER_STATE_REGISTER(Reg128, v23) \
207 CALLER_STATE_REGISTER(Reg128, v24) \
208 CALLER_STATE_REGISTER(Reg128, v25) \
209 CALLER_STATE_REGISTER(Reg128, v26) \
210 CALLER_STATE_REGISTER(Reg128, v27) \
211 CALLER_STATE_REGISTER(Reg128, v28) \
212 CALLER_STATE_REGISTER(Reg128, v29) \
213 CALLER_STATE_REGISTER(Reg128, v30) \
214 CALLER_STATE_REGISTER(Reg128, v31) \
215 CALLER_STATE_REGISTER(uint64_t, r14) \
216 CALLER_STATE_REGISTER(uint64_t, r15) \
217 CALLER_STATE_REGISTER(uint64_t, r16) \
218 CALLER_STATE_REGISTER(uint64_t, r17) \
219 CALLER_STATE_REGISTER(uint64_t, r18) \
220 CALLER_STATE_REGISTER(uint64_t, r19) \
221 CALLER_STATE_REGISTER(uint64_t, r20) \
222 CALLER_STATE_REGISTER(uint64_t, r21) \
223 CALLER_STATE_REGISTER(uint64_t, r22) \
224 CALLER_STATE_REGISTER(uint64_t, r23) \
225 CALLER_STATE_REGISTER(uint64_t, r24) \
226 CALLER_STATE_REGISTER(uint64_t, r25) \
227 CALLER_STATE_REGISTER(uint64_t, r26) \
228 CALLER_STATE_REGISTER(uint64_t, r27) \
229 CALLER_STATE_REGISTER(uint64_t, r28) \
230 CALLER_STATE_REGISTER(uint64_t, r29) \
231 CALLER_STATE_REGISTER(uint64_t, r30) \
232 CALLER_STATE_REGISTER(uint64_t, r31) \
233 CALLER_STATE_REGISTER(uint64_t, f14) \
234 CALLER_STATE_REGISTER(uint64_t, f15) \
235 CALLER_STATE_REGISTER(uint64_t, f16) \
236 CALLER_STATE_REGISTER(uint64_t, f17) \
237 CALLER_STATE_REGISTER(uint64_t, f18) \
238 CALLER_STATE_REGISTER(uint64_t, f19) \
239 CALLER_STATE_REGISTER(uint64_t, f20) \
240 CALLER_STATE_REGISTER(uint64_t, f21) \
241 CALLER_STATE_REGISTER(uint64_t, f22) \
242 CALLER_STATE_REGISTER(uint64_t, f23) \
243 CALLER_STATE_REGISTER(uint64_t, f24) \
244 CALLER_STATE_REGISTER(uint64_t, f25) \
245 CALLER_STATE_REGISTER(uint64_t, f26) \
246 CALLER_STATE_REGISTER(uint64_t, f27) \
247 CALLER_STATE_REGISTER(uint64_t, f28) \
248 CALLER_STATE_REGISTER(uint64_t, f29) \
249 CALLER_STATE_REGISTER(uint64_t, f30) \
250 CALLER_STATE_REGISTER(uint64_t, f31) \
251 CALLER_STATE_REGISTER(CRReg, cr)
252
253 #endif // X86_64 || X86 || ARM || AARCH64 || PPC64LE
254
255 // Enable ABI testing if all of the following are true.
256 //
257 // - We have CallerState and trampoline support for the architecture.
258 //
259 // - Assembly is enabled.
260 //
261 // - This is not a shared library build. Assembly functions are not reachable
262 // from tests in shared library builds.
263 #if defined(LOOP_CALLER_STATE_REGISTERS) && !defined(OPENSSL_NO_ASM) && \
264 !defined(BORINGSSL_SHARED_LIBRARY)
265 #define SUPPORTS_ABI_TEST
266
267 // CallerState contains all caller state that the callee is expected to
268 // preserve.
269 struct CallerState {
270 #define CALLER_STATE_REGISTER(type, name) type name;
271 LOOP_CALLER_STATE_REGISTERS()
272 #undef CALLER_STATE_REGISTER
273 };
274
275 // RunTrampoline runs |func| on |argv|, recording ABI errors in |out|. It does
276 // not perform any type-checking. If |unwind| is true and unwind tests have been
277 // enabled, |func| is single-stepped under an unwind test.
278 crypto_word_t RunTrampoline(Result *out, crypto_word_t func,
279 const crypto_word_t *argv, size_t argc,
280 bool unwind);
281
282 template <typename T>
ToWord(T t)283 inline crypto_word_t ToWord(T t) {
284 // ABIs typically pass floats and structs differently from integers and
285 // pointers. We only need to support the latter.
286 static_assert(std::is_integral<T>::value || std::is_pointer<T>::value,
287 "parameter types must be integral or pointer types");
288 // We only support types which fit in registers.
289 static_assert(sizeof(T) <= sizeof(crypto_word_t),
290 "parameter types must be at most word-sized");
291
292 // ABIs are complex around arguments that are smaller than native words.
293 // Parameters passed in memory are sometimes packed and sometimes padded to a
294 // word. When parameters are padded in memory or passed in a larger register,
295 // the unused bits may be undefined or sign- or zero-extended.
296 //
297 // We could simply cast to |crypto_word_t| everywhere but, on platforms where
298 // padding is undefined, we perturb the bits to test the function accounts for
299 // for this.
300 #if defined(OPENSSL_32_BIT)
301 // We never pass parameters smaller than int, so require word-sized parameters
302 // on 32-bit architectures for simplicity.
303 static_assert(sizeof(T) == 4, "parameter types must be word-sized");
304 return (crypto_word_t)t;
305 #elif defined(OPENSSL_PPC64LE)
306 // ELFv2, section 2.2.2.3 says the parameter save area sign- or zero-extends
307 // parameters passed in memory. Section 2.2.3 is unclear on how to handle
308 // register parameters, but section 2.2.2.3 additionally says that the memory
309 // copy of a parameter is identical to the register one.
310 return (crypto_word_t)t;
311 #elif defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)
312 // AAPCS64, section 5.4.2, clauses C.7 and C.14 says any remaining bits in
313 // aarch are unspecified. iOS64 contradicts this and says the callee extends
314 // arguments up to 32 bits, and only the upper 32 bits are unspecified.
315 //
316 // On x86_64, Win64 leaves all unused bits unspecified. SysV also leaves
317 // unused bits in stack parameters unspecified, but it behaves like iOS64 for
318 // register parameters. This was determined via experimentation.
319 //
320 // We limit to 32-bit and 64-bit parameters, the subset where the above all
321 // align, and then test that functions tolerate arbitrary unused bits.
322 //
323 // TODO(davidben): Find authoritative citations for x86_64. For x86_64, I
324 // observed the behavior of Clang, GCC, and MSVC. ABI rules here may be
325 // inferred from two kinds of experiments:
326 //
327 // 1. When passing a value to a small-argument-taking function, does the
328 // compiler ensure unused bits are cleared, sign-extended, etc.? Tests for
329 // register parameters are confounded by x86_64's implicit clearing of
330 // registers' upper halves, but passing some_u64 >> 1 usually clears this.
331 //
332 // 2. When compiling a small-argument-taking function, does the compiler make
333 // assumptions about unused bits of arguments?
334 //
335 // MSVC was observed to tolerate and produce arbitrary values for unused bits,
336 // which is conclusive. GCC and Clang, targeting Linux, were similarly
337 // conclusive on stack parameters. Clang was also conclusive for register
338 // parameters. Callers only extended parameters up to 32 bits, and callees
339 // took advantage of the 32-bit extension. GCC only exhibited the callee
340 // behavior.
341 static_assert(sizeof(T) >= 4, "parameters must be at least 32 bits wide");
342 crypto_word_t ret;
343 // Filling extra bits with 0xaa will be vastly out of bounds for code
344 // expecting either sign- or zero-extension. (0xaa is 0b10101010.)
345 OPENSSL_memset(&ret, 0xaa, sizeof(ret));
346 OPENSSL_memcpy(&ret, &t, sizeof(t));
347 return ret;
348 #else
349 #error "unknown architecture"
350 #endif
351 }
352
353 // CheckImpl runs |func| on |args|, recording ABI errors in |out|. If |unwind|
354 // is true and unwind tests have been enabled, |func| is single-stepped under an
355 // unwind test.
356 //
357 // It returns the value as a |crypto_word_t| to work around problems when |R| is
358 // void. |args| is wrapped in a |DeductionGuard| so |func| determines the
359 // template arguments. Otherwise, |args| may deduce |Args| incorrectly. For
360 // instance, if |func| takes const int *, and the caller passes an int *, the
361 // compiler will complain the deduced types do not match.
362 template <typename R, typename... Args>
CheckImpl(Result * out,bool unwind,R (* func)(Args...),typename DeductionGuard<Args>::Type...args)363 inline crypto_word_t CheckImpl(Result *out, bool unwind, R (*func)(Args...),
364 typename DeductionGuard<Args>::Type... args) {
365 // We only support up to 8 arguments, so all arguments on aarch64 and ppc64le
366 // are passed in registers. This is simpler and avoids the iOS discrepancy
367 // around packing small arguments on the stack. (See the iOS64 reference.)
368 static_assert(sizeof...(args) <= 8,
369 "too many arguments for abi_test_trampoline");
370
371 // Allocate one extra entry so MSVC does not complain about zero-size arrays.
372 crypto_word_t argv[sizeof...(args) + 1] = {
373 ToWord(args)...,
374 };
375 return RunTrampoline(out, reinterpret_cast<crypto_word_t>(func), argv,
376 sizeof...(args), unwind);
377 }
378 #else
379 // To simplify callers when ABI testing support is unavoidable, provide a backup
380 // CheckImpl implementation. It must be specialized for void returns because we
381 // call |func| directly.
382 template <typename R, typename... Args>
CheckImpl(Result * out,bool,R (* func)(Args...),typename DeductionGuard<Args>::Type...args)383 inline std::enable_if_t<!std::is_void<R>::value, crypto_word_t> CheckImpl(
384 Result *out, bool /* unwind */, R (*func)(Args...),
385 typename DeductionGuard<Args>::Type... args) {
386 *out = Result();
387 return func(args...);
388 }
389
390 template <typename... Args>
CheckImpl(Result * out,bool,void (* func)(Args...),typename DeductionGuard<Args>::Type...args)391 inline crypto_word_t CheckImpl(Result *out, bool /* unwind */,
392 void (*func)(Args...),
393 typename DeductionGuard<Args>::Type... args) {
394 *out = Result();
395 func(args...);
396 return 0;
397 }
398 #endif // SUPPORTS_ABI_TEST
399
400 // FixVAArgsString takes a string like "f, 1, 2" and returns a string like
401 // "f(1, 2)".
402 //
403 // This is needed because the |CHECK_ABI| macro below cannot be defined as
404 // CHECK_ABI(func, ...). The C specification requires that variadic macros bind
405 // at least one variadic argument. Clang, GCC, and MSVC all ignore this, but
406 // there are issues with trailing commas and different behaviors across
407 // compilers.
408 std::string FixVAArgsString(const char *str);
409
410 // CheckGTest behaves like |CheckImpl|, but it returns the correct type and
411 // raises GTest assertions on failure. If |unwind| is true and unwind tests are
412 // enabled, |func| is single-stepped under an unwind test.
413 template <typename R, typename... Args>
CheckGTest(const char * va_args_str,const char * file,int line,bool unwind,R (* func)(Args...),typename DeductionGuard<Args>::Type...args)414 inline R CheckGTest(const char *va_args_str, const char *file, int line,
415 bool unwind, R (*func)(Args...),
416 typename DeductionGuard<Args>::Type... args) {
417 Result result;
418 crypto_word_t ret = CheckImpl(&result, unwind, func, args...);
419 if (!result.ok()) {
420 testing::Message msg;
421 msg << "ABI failures in " << FixVAArgsString(va_args_str) << ":\n";
422 for (const auto &error : result.errors) {
423 msg << " " << error << "\n";
424 }
425 ADD_FAILURE_AT(file, line) << msg;
426 }
427 return (R)ret;
428 }
429
430 } // namespace internal
431
432 // Check runs |func| on |args| and returns the result. If ABI-testing is
433 // supported in this build configuration, it writes any ABI failures to |out|.
434 // Otherwise, it runs the function transparently.
435 template <typename R, typename... Args>
Check(Result * out,R (* func)(Args...),typename internal::DeductionGuard<Args>::Type...args)436 inline R Check(Result *out, R (*func)(Args...),
437 typename internal::DeductionGuard<Args>::Type... args) {
438 return (R)internal::CheckImpl(out, false, func, args...);
439 }
440
441 // EnableUnwindTests enables unwind tests, if supported. If not supported, it
442 // does nothing.
443 void EnableUnwindTests();
444
445 // UnwindTestsEnabled returns true if unwind tests are enabled and false
446 // otherwise.
447 bool UnwindTestsEnabled();
448
449 } // namespace abi_test
450
451 // CHECK_ABI calls the first argument on the remaining arguments and returns the
452 // result. If ABI-testing is supported in this build configuration, it adds a
453 // non-fatal GTest failure if the call did not satisfy ABI requirements.
454 //
455 // |CHECK_ABI| does return the value and thus may replace any function call,
456 // provided it takes only simple parameters. However, it is recommended to test
457 // ABI separately from functional tests of assembly. Fully instrumenting a
458 // function for ABI checking requires single-stepping the function, which is
459 // inefficient.
460 //
461 // Functional testing requires coverage of input values, while ABI testing only
462 // requires branch coverage. Most of our assembly is constant-time, so usually
463 // only a few instrumented calls are necessary.
464 //
465 // TODO(https://crbug.com/boringssl/259): Most of Windows assembly currently
466 // fails SEH testing. For now, |CHECK_ABI| behaves like |CHECK_ABI_NO_UNWIND|
467 // on Windows. Functions which work with unwind testing on Windows should use
468 // |CHECK_ABI_SEH|.
469 #if defined(OPENSSL_WINDOWS)
470 #define CHECK_ABI(...) CHECK_ABI_NO_UNWIND(__VA_ARGS__)
471 #else
472 #define CHECK_ABI(...) CHECK_ABI_SEH(__VA_ARGS__)
473 #endif
474
475 // CHECK_ABI_SEH behaves like |CHECK_ABI| but enables unwind testing on Windows.
476 #define CHECK_ABI_SEH(...) \
477 abi_test::internal::CheckGTest(#__VA_ARGS__, __FILE__, __LINE__, true, \
478 __VA_ARGS__)
479
480 // CHECK_ABI_NO_UNWIND behaves like |CHECK_ABI| but disables unwind testing.
481 #define CHECK_ABI_NO_UNWIND(...) \
482 abi_test::internal::CheckGTest(#__VA_ARGS__, __FILE__, __LINE__, false, \
483 __VA_ARGS__)
484
485
486 // Internal functions.
487
488 #if defined(SUPPORTS_ABI_TEST)
489 struct Uncallable {
490 Uncallable() = delete;
491 };
492
493 extern "C" {
494
495 // abi_test_trampoline loads callee-saved registers from |state|, calls |func|
496 // with |argv|, then saves the callee-saved registers into |state|. It returns
497 // the result of |func|. If |unwind| is non-zero, this function triggers unwind
498 // instrumentation.
499 //
500 // We give |func| type |crypto_word_t| to avoid tripping MSVC's warning 4191.
501 crypto_word_t abi_test_trampoline(crypto_word_t func,
502 abi_test::internal::CallerState *state,
503 const crypto_word_t *argv, size_t argc,
504 crypto_word_t unwind);
505
506 #if defined(OPENSSL_X86_64)
507 // abi_test_unwind_start points at the instruction that starts unwind testing in
508 // |abi_test_trampoline|. This is the value of the instruction pointer at the
509 // first |SIGTRAP| during unwind testing.
510 //
511 // This symbol is not a function and should not be called.
512 void abi_test_unwind_start(Uncallable);
513
514 // abi_test_unwind_return points at the instruction immediately after the call in
515 // |abi_test_trampoline|. When unwinding the function under test, this is the
516 // expected address in the |abi_test_trampoline| frame. After this address, the
517 // unwind tester should ignore |SIGTRAP| until |abi_test_unwind_stop|.
518 //
519 // This symbol is not a function and should not be called.
520 void abi_test_unwind_return(Uncallable);
521
522 // abi_test_unwind_stop is the value of the instruction pointer at the final
523 // |SIGTRAP| during unwind testing.
524 //
525 // This symbol is not a function and should not be called.
526 void abi_test_unwind_stop(Uncallable);
527
528 // abi_test_bad_unwind_wrong_register preserves the ABI, but annotates the wrong
529 // register in unwind metadata.
530 void abi_test_bad_unwind_wrong_register(void);
531
532 // abi_test_bad_unwind_temporary preserves the ABI, but temporarily corrupts the
533 // storage space for a saved register, breaking unwind.
534 void abi_test_bad_unwind_temporary(void);
535
536 #if defined(OPENSSL_WINDOWS)
537 // abi_test_bad_unwind_epilog preserves the ABI, and correctly annotates the
538 // prolog, but the epilog does not match Win64's rules, breaking unwind during
539 // the epilog.
540 void abi_test_bad_unwind_epilog(void);
541 #endif
542 #endif // OPENSSL_X86_64
543
544 #if defined(OPENSSL_X86_64) || defined(OPENSSL_X86)
545 // abi_test_get_and_clear_direction_flag clears the direction flag. If the flag
546 // was previously set, it returns one. Otherwise, it returns zero.
547 int abi_test_get_and_clear_direction_flag(void);
548
549 // abi_test_set_direction_flag sets the direction flag. This does not conform to
550 // ABI requirements and must only be called within a |CHECK_ABI| guard to avoid
551 // errors later in the program.
552 int abi_test_set_direction_flag(void);
553 #endif // OPENSSL_X86_64 || OPENSSL_X86
554
555 } // extern "C"
556 #endif // SUPPORTS_ABI_TEST
557
558
559 #endif // OPENSSL_HEADER_ABI_TEST_H
560