1 /* This file must be included from target-arm/translate.c */
2
3 /*****
4 *****
5 *****
6 ***** C O N F I G _ M E M C H E C K
7 *****
8 *****
9 *****/
10
11 #ifdef CONFIG_MEMCHECK
12
13 /*
14 * Memchecker addition in this module is intended to inject qemu callback into
15 * translated code for each BL/BLX, as well as BL/BLX returns. These callbacks
16 * are used to build calling stack of the thread in order to provide better
17 * reporting on memory access violations. Although this may seem as something
18 * that may gratly impact the performance, in reality it doesn't. Overhead that
19 * is added by setting up callbacks and by callbacks themselves is neglectable.
20 * On the other hand, maintaining calling stack can indeed add some perf.
21 * overhead (TODO: provide solid numbers here).
22 * One of the things to watch out with regards to injecting callbacks, is
23 * consistency between intermediate code generated for execution, and for guest
24 * PC address calculation. If code doesn't match, a segmentation fault is
25 * guaranteed.
26 */
27
28 #include "memcheck/memcheck_proc_management.h"
29 #include "memcheck/memcheck_api.h"
30
31 /* Array of return addresses detected in gen_intermediate_code_internal. */
32 AddrArray ret_addresses = { 0 };
33
34 /* Checks if call stack collection is enabled for the given context.
35 * We collect call stack only for the user mode (both, code and CPU), and on
36 * condition that memory checking, and call collection are enabled. It also
37 * seems that collecting stack for the linker code is excessive, as it doesn't
38 * provide much useful info for the memory checker.
39 * Return:
40 * boolean: 1 if stack collection is enabled for the given context, or 0 if
41 * it's not enabled.
42 */
43 static inline int
watch_call_stack(DisasContext * s)44 watch_call_stack(DisasContext *s)
45 {
46 if (!memcheck_enabled || !memcheck_watch_call_stack) {
47 return 0;
48 }
49
50 #ifndef CONFIG_USER_ONLY
51 if (!s->user) {
52 /* We're not interested in kernel mode CPU stack. */
53 return 0;
54 }
55 #endif // CONFIG_USER_ONLY
56
57 /* We're not interested in kernel code stack (pc >= 0xC0000000).
58 * Android specific: We're also not interested in android linker stack
59 * (0xB0000000 - 0xB00FFFFF) */
60 if (s->pc >= 0xC0000000 || (0xB0000000 <= s->pc && s->pc <= 0xB00FFFFF)) {
61 return 0;
62 }
63 return 1;
64 }
65
66 /* Checks if given ARM instruction is BL, or BLX.
67 * Return:
68 * boolean: 1 if ARM instruction is BL/BLX, or 0 if it's not.
69 */
70 static inline int
is_arm_bl_or_blx(uint32_t insn)71 is_arm_bl_or_blx(uint32_t insn)
72 {
73 /* ARM BL (immediate): xxxx 1011 xxxx xxxx xxxx xxxx xxxx xxxx
74 * ARM BLX (immediate): 1111 101x xxxx xxxx xxxx xxxx xxxx xxxx
75 * ARM BLX (register): xxxx 0001 0010 xxxx xxxx xxxx 0011 xxxx
76 */
77 if ((insn & 0x0F000000) == 0x0B000000 || // ARM BL (imm)
78 (insn & 0xFE000000) == 0xFA000000 || // ARM BLX (imm)
79 (insn & 0x0FF000F0) == 0x12000030) { // ARM BLX (reg)
80 return 1;
81 }
82 return 0;
83 }
84
85 /* Checks if given THUMB instruction is BL, or BLX.
86 * Param:
87 * insn - THUMB instruction to check.
88 * pc - Emulated PC address for the instruction.
89 * ret_off - If insn is BL, or BLX, upon return ret_off contains
90 * instruction's byte size. If instruction is not BL, or BLX, content of
91 * this parameter is undefined on return.
92 * Return:
93 * boolean: 1 if THUMB instruction is BL/BLX, or 0 if it's not.
94 */
95 static inline int
is_thumb_bl_or_blx(uint16_t insn,target_ulong pc,target_ulong * ret_off)96 is_thumb_bl_or_blx(uint16_t insn, target_ulong pc, target_ulong* ret_off)
97 {
98 /* THUMB BLX(register): 0100 0111 1xxx xxxx
99 * THUMB BL(1-stimmediate): 1111 0xxx xxxx xxxx
100 * THUMB BLX(1-stimmediate): 1111 0xxx xxxx xxxx
101 */
102 if ((insn & 0xFF80) == 0x4780) { // THUMB BLX(reg)
103 *ret_off = 2;
104 return 1;
105 } else if ((insn & 0xF800) == 0xF000) { // THUMB BL(X)(imm)
106 // This is a 32-bit THUMB. Get the second half of the instuction.
107 insn = lduw_code(pc + 2);
108 if ((insn & 0xC000) == 0xC000) {
109 *ret_off = 4;
110 return 1;
111 }
112 }
113 return 0;
114 }
115
116 /* Registers a return address detected in gen_intermediate_code_internal.
117 * NOTE: If return address has been registered as new in this routine, this will
118 * cause invalidation of all existing TBs that contain translated code for that
119 * address.
120 * NOTE: Before storing PC address in the array, we convert it from emulated
121 * address to a physical address. This way we deal with emulated addresses
122 * overlapping for different processes.
123 * Param:
124 * env - CPU state environment.
125 * addr - Return address to register.
126 * Return:
127 * 1 - Address has been registered in this routine.
128 * -1 - Address has been already registered before.
129 * 0 - Insufficient memory.
130 */
131 static int
register_ret_address(CPUState * env,target_ulong addr)132 register_ret_address(CPUState* env, target_ulong addr)
133 {
134 int ret;
135 if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) {
136 /* Address belongs to a module that always loads at this fixed address.
137 * So, we can keep this address in the global array. */
138 ret = addrarray_add(&ret_addresses, get_phys_addr_code(env, addr));
139 } else {
140 ret = addrarray_add(&ret_addresses, get_phys_addr_code(env, addr));
141 }
142 assert(ret != 0);
143
144 if (ret == 1) {
145 /* If this ret address has been added to the array, we need to make sure
146 * that all TBs that contain translated code for that address are
147 * invalidated. This will force retranslation of that code, which will
148 * make sure that our ret callback is set. This is also important part
149 * in keeping consistency between translated code, and intermediate code
150 * generated for guest PC calculation. If we don't invalidate TBs, and
151 * PC calculation code is generated, there will be inconsistency due to
152 * the fact that TB code doesn't contain ret callback, while PC calc
153 * code contains it. This inconsistency will lead to an immanent
154 * segmentation fault.*/
155 TranslationBlock* tb;
156 const target_ulong phys_pc = get_phys_addr_code(env, addr);
157 const target_ulong phys_page1 = phys_pc & TARGET_PAGE_MASK;
158
159 for(tb = tb_phys_hash[tb_phys_hash_func(phys_pc)]; tb != NULL;
160 tb = tb->phys_hash_next) {
161 if (tb->pc == addr && tb->page_addr[0] == phys_page1) {
162 tb_phys_invalidate(tb, -1);
163 }
164 }
165 }
166 return ret;
167 }
168
169 /* Checks if given address is recognized as a return address.
170 * Return:
171 * boolean: 1 if if given address is recognized as a return address,
172 * or 0 if it's not.
173 */
174 static inline int
is_ret_address(CPUState * env,target_ulong addr)175 is_ret_address(CPUState* env, target_ulong addr)
176 {
177 if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) {
178 return addrarray_check(&ret_addresses, get_phys_addr_code(env, addr));
179 } else {
180 return addrarray_check(&ret_addresses, get_phys_addr_code(env, addr));
181 }
182 }
183
184 /* Adds "on_call" callback into generated intermediate code. */
185 static inline void
set_on_call(target_ulong pc,target_ulong ret)186 set_on_call(target_ulong pc, target_ulong ret)
187 {
188 TCGv_ptr tmp_pc = tcg_const_ptr(pc & ~1);
189 TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1);
190
191 gen_helper_on_call(tmp_pc, tmp_ret);
192
193 tcg_temp_free_ptr(tmp_ret);
194 tcg_temp_free_ptr(tmp_pc);
195 }
196
197 /* Adds "on_ret" callback into generated intermediate code. */
198 static inline void
set_on_ret(target_ulong ret)199 set_on_ret(target_ulong ret)
200 {
201 TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1);
202
203 gen_helper_on_ret(tmp_ret);
204
205 tcg_temp_free_ptr(tmp_ret);
206 }
207
208
209 # define ANDROID_WATCH_CALLSTACK_ARM(s) \
210 if (watch_call_stack(s)) { \
211 if (is_ret_address(env, s->pc)) { \
212 set_on_ret(s->pc); \
213 } \
214 if (is_arm_bl_or_blx(insn)) { \
215 set_on_call(s->pc, s->pc + 4); \
216 if (!s->search_pc) { \
217 register_ret_address(env, s->pc + 4); \
218 } \
219 } \
220 }
221
222 # define ANDROID_WATCH_CALLSTACK_THUMB(s) \
223 if (watch_call_stack(s)) { \
224 target_ulong ret_off; \
225 if (is_ret_address(env, s->pc)) { \
226 set_on_ret(s->pc); \
227 } \
228 if (is_thumb_bl_or_blx(insn, s->pc, &ret_off)) { \
229 set_on_call(s->pc, s->pc + ret_off); \
230 if (!s->search_pc) { \
231 register_ret_address(env, s->pc + ret_off); \
232 } \
233 } \
234 }
235
236 # define ANDROID_DISAS_CONTEXT_FIELDS \
237 int search_pc;
238
239 # define ANDROID_START_CODEGEN(search_pc) \
240 dc->search_pc = search_pc
241
242 /* When memchecker is enabled, we need to keep a match between
243 * translated PC and guest PCs, so memchecker can quickly covert
244 * one to another. Note that we do that only for user mode. */
245 # define ANDROID_CHECK_CODEGEN_PC(search_pc) \
246 ((search_pc) || (memcheck_enabled && dc->user))
247
248 # define ANDROID_END_CODEGEN() \
249 do { \
250 if (memcheck_enabled && dc->user) { \
251 j = gen_opc_ptr - gen_opc_buf; \
252 lj++; \
253 while (lj <= j) \
254 gen_opc_instr_start[lj++] = 0; \
255 } \
256 } while (0)
257
258 #else /* !CONFIG_MEMCHECK */
259
260 # define ANDROID_WATCH_CALLSTACK_ARM ((void)0)
261 # define ANDROID_WATCH_CALLSTACK_THUMB ((void)0)
262 # define ANDROID_DISAS_CONTEXT_FIELDS /* nothing */
263 # define ANDROID_START_CODEGEN(s) ((void)(s))
264 # define ANDROID_CHECK_CODEGEN_PC(s) (s)
265 # define ANDROID_END_CODEGEN() ((void)0)
266
267 #endif /* !CONFIG_MEMCHECK */
268
269
270 /*****
271 *****
272 *****
273 ***** C O N F I G _ T R A C E
274 *****
275 *****
276 *****/
277
278 #ifdef CONFIG_TRACE
279
280 #include "android-trace.h"
281 #define gen_traceInsn() gen_helper_traceInsn()
282
283 static void
gen_traceTicks(int count)284 gen_traceTicks( int count )
285 {
286 TCGv tmp = tcg_temp_new_i32();
287 tcg_gen_movi_i32(tmp, count);
288 gen_helper_traceTicks(tmp);
289 tcg_temp_free_i32(tmp);
290 }
291
292 static void
gen_traceBB(uint64_t bbNum,void * tb)293 gen_traceBB( uint64_t bbNum, void* tb )
294 {
295 #if HOST_LONG_BITS == 32
296 TCGv_i64 tmpNum = tcg_temp_new_i64();
297 TCGv_i32 tmpTb = tcg_temp_new_i32();
298
299 tcg_gen_movi_i64(tmpNum, (int64_t)bbNum);
300 tcg_gen_movi_i32(tmpTb, (int32_t)tb);
301 gen_helper_traceBB32(tmpNum, tmpTb);
302 tcg_temp_free_i32(tmpTb);
303 tcg_temp_free_i64(tmpNum);
304 #elif HOST_LONG_BITS == 64
305 TCGv_i64 tmpNum = tcg_temp_new_i64();
306 TCGv_i64 tmpTb = tcg_temp_new_i64();
307
308 tcg_gen_movi_i64(tmpNum, (int64_t)bbNum);
309 tcg_gen_movi_i64(tmpTb, (int64_t)tb);
310 gen_helper_traceBB64(tmpNum, tmpTb);
311 tcg_temp_free_i64(tmpTb);
312 tcg_temp_free_i64(tmpNum);
313 #endif
314 }
315
316 # define ANDROID_TRACE_DECLS int ticks = 0;
317
318 # define ANDROID_TRACE_START_ARM() \
319 do { \
320 if (tracing) { \
321 trace_add_insn(insn, 0); \
322 ticks = get_insn_ticks_arm(insn); \
323 gen_traceInsn(); \
324 } \
325 } while (0)
326
327 # define ANDROID_TRACE_START_THUMB() \
328 do { \
329 if (tracing) { \
330 int ticks = get_insn_ticks_thumb(insn); \
331 trace_add_insn( insn_wrap_thumb(insn), 1 ); \
332 gen_traceInsn(); \
333 gen_traceTicks(ticks); \
334 } \
335 } while (0)
336
337 # define ANDROID_TRACE_GEN_TICKS() \
338 do { \
339 if (tracing) { \
340 } \
341 } while (0)
342
343 # define ANDROID_TRACE_GEN_SINGLE_TICK() \
344 do { \
345 if (tracing) { \
346 gen_traceTicks(1); \
347 ticks -= 1; \
348 } \
349 } while (0)
350
351 # define ANDROID_TRACE_GEN_OTHER_TICKS() \
352 do { \
353 if (tracing && ticks > 0) { \
354 gen_traceTicks(ticks); \
355 } \
356 } while (0)
357
358 # define ANDROID_TRACE_START_BB() \
359 do { \
360 if (tracing) { \
361 gen_traceBB(trace_static_bb_num(), tb); \
362 trace_bb_start(dc->pc); \
363 } \
364 } while (0)
365
366 # define ANDROID_TRACE_END_BB() \
367 do { \
368 if (tracing) { \
369 trace_bb_end(); \
370 } \
371 } while (0)
372
373 #else /* !CONFIG_TRACE */
374
375 # define ANDROID_TRACE_DECLS /* nothing */
376 # define ANDROID_TRACE_START_ARM() ((void)0)
377 # define ANDROID_TRACE_START_THUMB() ((void)0)
378
379 # define ANDROID_TRACE_GEN_TICKS() ((void)0)
380 # define ANDROID_TRACE_GEN_SINGLE_TICK() ((void)0)
381 # define ANDROID_TRACE_GEN_OTHER_TICKS() ((void)0)
382
383 # define ANDROID_TRACE_START_BB() ((void)0)
384 # define ANDROID_TRACE_END_BB() ((void)0)
385
386 #endif /* !CONFIG_TRACE */
387
388