//===- ARMDisassembler.cpp - Disassembler for ARM/Thumb ISA -----*- C++ -*-===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is part of the ARM Disassembler.
// It contains code to implement the public interfaces of ARMDisassembler and
// ThumbDisassembler, both of which are instances of MCDisassembler.
//
//===----------------------------------------------------------------------===//

#define DEBUG_TYPE "arm-disassembler"

#include "ARMDisassembler.h"
#include "ARMDisassemblerCore.h"

#include "llvm/ADT/OwningPtr.h"
#include "llvm/MC/EDInstInfo.h"
#include "llvm/MC/MCInst.h"
#include "llvm/Target/TargetRegistry.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/MemoryObject.h"
#include "llvm/Support/ErrorHandling.h"
#include "llvm/Support/raw_ostream.h"

//#define DEBUG(X) do { X; } while (0)

/// ARMGenDecoderTables.inc - ARMDecoderTables.inc is tblgen'ed from
/// ARMDecoderEmitter.cpp TableGen backend. It contains:
///
/// o Mappings from opcode to ARM/Thumb instruction format
///
/// o static uint16_t decodeInstruction(uint32_t insn) - the decoding function
///   for an ARM instruction.
///
/// o static uint16_t decodeThumbInstruction(field_t insn) - the decoding
///   function for a Thumb instruction.
///
#include "ARMGenDecoderTables.inc"

#include "ARMGenEDInfo.inc"

using namespace llvm;

/// showBitVector - Use the raw_ostream to log a diagnostic message describing
/// the individual bits of the instruction.
///
/// \param os   Stream the table is written to (debug output only).
/// \param insn The 32-bit instruction word; bit 31 is printed first, bit 0 last.
///
/// The output is three lines: a header of bit positions, a row of 0/1 digits
/// separated by ':' with a '|' after every fourth bit (nibble boundary), and a
/// trailing rule. Nothing about the instruction is interpreted here.
static inline void showBitVector(raw_ostream &os, const uint32_t &insn) {
  // Split the bit position markers into more than one lines to fit 80 columns.
  os << " 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11"
     << " 10  9  8  7  6  5  4  3  2  1  0 \n";
  os << "---------------------------------------------------------------"
     << "----------------------------------\n";
  os << '|';
  // Walk from bit 31 down to bit 0; (i - 1) is the bit index being printed.
  for (unsigned i = 32; i != 0; --i) {
    if (insn >> (i - 1) & 0x01)
      os << " 1";
    else
      os << " 0";
    // i%4 == 1 means bit (i-1) is the low bit of a nibble: close it with '|'.
    os << (i%4 == 1 ? '|' : ':');
  }
  os << '\n';
  // Closing rule, split the same way as the header to fit 80 columns.
  os << "---------------------------------------------------------------"
     << "----------------------------------\n";
  os << '\n';
}

/// decodeARMInstruction is a decorator function which tries special cases of
/// instruction matching before calling the auto-generated decoder function.
///
/// \param insn The 32-bit ARM instruction word. It is taken by reference only
///             to match the decoder's calling convention; this function never
///             writes to it (only slice() reads are performed).
/// \return An ARM::* opcode. Every special case returns a fixed opcode for a
///         bit pattern that the tblgen'ed decoder mis-classifies because LLVM
///         folds several architectural encodings into one "super-instruction";
///         anything not matched falls through to decodeInstruction().
///
/// The order of the checks matters: each one is written against the specific
/// bit fields that distinguish the real instruction from the super-instruction
/// it collides with, and later checks may overlap earlier ones. Do not reorder.
static unsigned decodeARMInstruction(uint32_t &insn) {
  // Cond == 0b1111 is the unconditional-instruction space (A5.7); none of the
  // special cases below apply there, so go straight to the generated decoder.
  if (slice(insn, 31, 28) == 15)
    goto AutoGenedDecoder;

  // Special case processing, if any, goes here....

  // LLVM combines the offset mode of A8.6.197 & A8.6.198 into STRB.
  // The insufficient encoding information of the combined instruction confuses
  // the decoder wrt BFC/BFI. Therefore, we try to recover here.
  // For BFC, Inst{27-21} = 0b0111110 & Inst{6-0} = 0b0011111.
  // For BFI, Inst{27-21} = 0b0111110 & Inst{6-4} = 0b001 & Inst{3-0} =! 0b1111.
  if (slice(insn, 27, 21) == 0x3e && slice(insn, 6, 4) == 1) {
    if (slice(insn, 3, 0) == 15)
      return ARM::BFC;
    else
      return ARM::BFI;
  }

  // Ditto for STRBT, which is a super-instruction for A8.6.199 Encodings
  // A1 & A2.
  // As a result, the decoder fails to decode USAT properly.
  if (slice(insn, 27, 21) == 0x37 && slice(insn, 5, 4) == 1)
    return ARM::USAT;
  // As a result, the decoder fails to decode UQADD16 properly.
  if (slice(insn, 27, 20) == 0x66 && slice(insn, 7, 4) == 1)
    return ARM::UQADD16;

  // Ditto for ADDSrs, which is a super-instruction for A8.6.7 & A8.6.8.
  // As a result, the decoder fails to decode UMULL properly.
  if (slice(insn, 27, 21) == 0x04 && slice(insn, 7, 4) == 9) {
    return ARM::UMULL;
  }

  // Ditto for STR_PRE, which is a super-instruction for A8.6.194 & A8.6.195.
  // As a result, the decoder fails to decode SBFX properly.
  if (slice(insn, 27, 21) == 0x3d && slice(insn, 6, 4) == 5)
    return ARM::SBFX;

  // And STRB_PRE, which is a super-instruction for A8.6.197 & A8.6.198.
  // As a result, the decoder fails to decode UBFX properly.
  if (slice(insn, 27, 21) == 0x3f && slice(insn, 6, 4) == 5)
    return ARM::UBFX;

  // Ditto for STRT, which is a super-instruction for A8.6.210 Encoding A1 & A2.
  // As a result, the decoder fails to decode SSAT properly.
  if (slice(insn, 27, 21) == 0x35 && slice(insn, 5, 4) == 1)
    return ARM::SSAT;

  // Ditto for RSCrs, which is a super-instruction for A8.6.146 & A8.6.147.
  // As a result, the decoder fails to decode STRHT/LDRHT/LDRSBT/LDRSHT.
  // Inst{21-20} selects store (2) vs load (3); Inst{7-4} selects the width.
  if (slice(insn, 27, 24) == 0) {
    switch (slice(insn, 21, 20)) {
    case 2:
      switch (slice(insn, 7, 4)) {
      case 11:
        return ARM::STRHT;
      default:
        break; // fallthrough
      }
      break;
    case 3:
      switch (slice(insn, 7, 4)) {
      case 11:
        return ARM::LDRHT;
      case 13:
        return ARM::LDRSBT;
      case 15:
        return ARM::LDRSHT;
      default:
        break; // fallthrough
      }
      break;
    default:
      break; // fallthrough
    }
  }

  // Ditto for SBCrs, which is a super-instruction for A8.6.152 & A8.6.153.
  // As a result, the decoder fails to decode STRH_Post/LDRD_POST/STRD_POST
  // properly.
  // PW packs the P (Inst{24}) and W (Inst{21}) bits: 2 = offset, 3 =
  // pre-indexed, 0 = post-indexed; PW == 1 is not matched and falls through.
  if (slice(insn, 27, 25) == 0 && slice(insn, 20, 20) == 0) {
    unsigned PW = slice(insn, 24, 24) << 1 | slice(insn, 21, 21);
    switch (slice(insn, 7, 4)) {
    case 11:
      switch (PW) {
      case 2: // Offset
        return ARM::STRH;
      case 3: // Pre-indexed
        return ARM::STRH_PRE;
      case 0: // Post-indexed
        return ARM::STRH_POST;
      default:
        break; // fallthrough
      }
      break;
    case 13:
      switch (PW) {
      case 2: // Offset
        return ARM::LDRD;
      case 3: // Pre-indexed
        return ARM::LDRD_PRE;
      case 0: // Post-indexed
        return ARM::LDRD_POST;
      default:
        break; // fallthrough
      }
      break;
    case 15:
      switch (PW) {
      case 2: // Offset
        return ARM::STRD;
      case 3: // Pre-indexed
        return ARM::STRD_PRE;
      case 0: // Post-indexed
        return ARM::STRD_POST;
      default:
        break; // fallthrough
      }
      break;
    default:
      break; // fallthrough
    }
  }

  // Ditto for SBCSSrs, which is a super-instruction for A8.6.152 & A8.6.153.
  // As a result, the decoder fails to decode LDRH_POST/LDRSB_POST/LDRSH_POST
  // properly.
  // Same PW encoding as above; this block is the L == 1 (load) counterpart.
  if (slice(insn, 27, 25) == 0 && slice(insn, 20, 20) == 1) {
    unsigned PW = slice(insn, 24, 24) << 1 | slice(insn, 21, 21);
    switch (slice(insn, 7, 4)) {
    case 11:
      switch (PW) {
      case 2: // Offset
        return ARM::LDRH;
      case 3: // Pre-indexed
        return ARM::LDRH_PRE;
      case 0: // Post-indexed
        return ARM::LDRH_POST;
      default:
        break; // fallthrough
      }
      break;
    case 13:
      switch (PW) {
      case 2: // Offset
        return ARM::LDRSB;
      case 3: // Pre-indexed
        return ARM::LDRSB_PRE;
      case 0: // Post-indexed
        return ARM::LDRSB_POST;
      default:
        break; // fallthrough
      }
      break;
    case 15:
      switch (PW) {
      case 2: // Offset
        return ARM::LDRSH;
      case 3: // Pre-indexed
        return ARM::LDRSH_PRE;
      case 0: // Post-indexed
        return ARM::LDRSH_POST;
      default:
        break; // fallthrough
      }
      break;
    default:
      break; // fallthrough
    }
  }

AutoGenedDecoder:
  // Calling the auto-generated decoder function.
  return decodeInstruction(insn);
}

// Helper function for special case handling of LDR (literal) and friends.
// See, for example, A6.3.7 Load word: Table A6-18 Load word.
// See A8.6.57 T3, T4 & A8.6.60 T2 and friends for why we morphed the opcode
// before returning it.
//
// Maps any of the register/immediate-addressed Thumb2 load opcodes onto the
// corresponding PC-relative ("pci") literal-load opcode. Opcodes not listed
// are returned unchanged, so callers can detect "no morph" by comparing the
// result with the input.
static unsigned T2Morph2LoadLiteral(unsigned Opcode) {
  switch (Opcode) {
  default:
    return Opcode; // Return unmorphed opcode.

  case ARM::t2LDR_POST: case ARM::t2LDR_PRE:
  case ARM::t2LDRi12: case ARM::t2LDRi8:
  case ARM::t2LDRs: case ARM::t2LDRT:
    return ARM::t2LDRpci;

  case ARM::t2LDRB_POST: case ARM::t2LDRB_PRE:
  case ARM::t2LDRBi12: case ARM::t2LDRBi8:
  case ARM::t2LDRBs: case ARM::t2LDRBT:
    return ARM::t2LDRBpci;

  case ARM::t2LDRH_POST: case ARM::t2LDRH_PRE:
  case ARM::t2LDRHi12: case ARM::t2LDRHi8:
  case ARM::t2LDRHs: case ARM::t2LDRHT:
    return ARM::t2LDRHpci;

  case ARM::t2LDRSB_POST: case ARM::t2LDRSB_PRE:
  case ARM::t2LDRSBi12: case ARM::t2LDRSBi8:
  case ARM::t2LDRSBs: case ARM::t2LDRSBT:
    return ARM::t2LDRSBpci;

  case ARM::t2LDRSH_POST: case ARM::t2LDRSH_PRE:
  case ARM::t2LDRSHi12: case ARM::t2LDRSHi8:
  case ARM::t2LDRSHs: case ARM::t2LDRSHT:
    return ARM::t2LDRSHpci;
  }
}

// Helper function for special case handling of PLD (literal) and friends.
// See A8.6.117 T1 & T2 and friends for why we morphed the opcode
// before returning it.
//
// Same contract as T2Morph2LoadLiteral: PLD/PLDW variants collapse onto
// t2PLDi12, PLI variants onto t2PLIi12, anything else is returned as-is.
static unsigned T2Morph2PLDLiteral(unsigned Opcode) {
  switch (Opcode) {
  default:
    return Opcode; // Return unmorphed opcode.

  case ARM::t2PLDi8: case ARM::t2PLDs:
  case ARM::t2PLDWi12: case ARM::t2PLDWi8:
  case ARM::t2PLDWs:
    return ARM::t2PLDi12;

  case ARM::t2PLIi8: case ARM::t2PLIs:
    return ARM::t2PLIi12;
  }
}

/// decodeThumbSideEffect is a decorator function which can potentially twiddle
/// the instruction or morph the returned opcode under Thumb2.
///
/// First it checks whether the insn is a NEON or VFP instr; if true, bit
/// twiddling could be performed on insn to turn it into an ARM NEON/VFP
/// equivalent instruction and decodeInstruction is called with the transformed
/// insn.
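///
/// Next, there is special handling for Load byte/halfword/word instruction by
/// checking whether Rn=0b1111 and call T2Morph2LoadLiteral() on the decoded
/// Thumb2 instruction. See comments below for further details.
///
/// Finally, one last check is made to see whether the insn is a NEON/VFP and
/// decodeInstruction(insn) is invoked on the original insn.
///
/// Otherwise, decodeThumbInstruction is called with the original insn.
///
/// \param IsThumb2 True when insn holds a 32-bit Thumb2 encoding (first
///                 halfword in the top 16 bits); false for a 16-bit Thumb
///                 instruction in the low 16 bits.
/// \param insn     The instruction word. It is modified in place (setSlice) when
///                 a NEON/VFP encoding is rewritten into its ARM equivalent;
///                 the caller then sees the rewritten word.
/// \return An ARM::* opcode from either the ARM or the Thumb decoder table.
static unsigned decodeThumbSideEffect(bool IsThumb2, unsigned &insn) {
  // 16-bit Thumb: nothing to rewrite, use the Thumb decoder directly.
  if (!IsThumb2)
    return decodeThumbInstruction(insn);

  uint16_t op1 = slice(insn, 28, 27);
  uint16_t op2 = slice(insn, 26, 20);

  // A6.3 32-bit Thumb instruction encoding
  // Table A6-9 32-bit Thumb instruction encoding

  // The coprocessor instructions of interest are transformed to their ARM
  // equivalents.

  // --------- Transform Begin Marker ---------
  if ((op1 == 1 || op1 == 3) && slice(op2, 6, 4) == 7) {
    // A7.4 Advanced SIMD data-processing instructions
    // U bit of Thumb corresponds to Inst{24} of ARM.
    uint16_t U = slice(op1, 1, 1);

    // Inst{28-24} of ARM = {1,0,0,1,U};
    uint16_t bits28_24 = 9 << 1 | U;
    DEBUG(showBitVector(errs(), insn));
    setSlice(insn, 28, 24, bits28_24);
    return decodeInstruction(insn);
  }

  if (op1 == 3 && slice(op2, 6, 4) == 1 && slice(op2, 0, 0) == 0) {
    // A7.7 Advanced SIMD element or structure load/store instructions
    // Inst{27-24} of Thumb = 0b1001
    // Inst{27-24} of ARM = 0b0100
    DEBUG(showBitVector(errs(), insn));
    setSlice(insn, 27, 24, 4);
    return decodeInstruction(insn);
  }
  // --------- Transform End Marker ---------

  // insn is not modified past this point, so one decode is enough; the
  // result is reused on every path below, including the final fall-through.
  unsigned unmorphed = decodeThumbInstruction(insn);

  // See, for example, A6.3.7 Load word: Table A6-18 Load word.
  // See A8.6.57 T3, T4 & A8.6.60 T2 and friends for why we morphed the opcode
  // before returning it to our caller.
  // Rn == 0b1111 (Inst{19-16}) marks the PC-relative literal form.
  if (op1 == 3 && slice(op2, 6, 5) == 0 && slice(op2, 0, 0) == 1
      && slice(insn, 19, 16) == 15) {
    unsigned morphed = T2Morph2LoadLiteral(unmorphed);
    if (morphed != unmorphed)
      return morphed;
  }

  // See, for example, A8.6.117 PLD,PLDW (immediate) T1 & T2, and friends for
  // why we morphed the opcode before returning it to our caller.
  if (slice(insn, 31, 25) == 0x7C && slice(insn, 15, 12) == 0xF
      && slice(insn, 22, 22) == 0 && slice(insn, 20, 20) == 1
      && slice(insn, 19, 16) == 15) {
    unsigned morphed = T2Morph2PLDLiteral(unmorphed);
    if (morphed != unmorphed)
      return morphed;
  }

  // One last check for NEON/VFP instructions: hand the untouched word to the
  // ARM decoder instead.
  if ((op1 == 1 || op1 == 3) && slice(op2, 6, 6) == 1)
    return decodeInstruction(insn);

  return unmorphed;
}

//
// Public interface for the disassembler
//

/// getInstruction - Decode one 32-bit ARM instruction at Address in Region.
///
/// \param MI      Receives the decoded instruction on success.
/// \param Size    Set to 4 once the word has been read; left untouched if the
///                read itself fails.
/// \param Region  Byte source; exactly 4 bytes are read at Address.
/// \param Address Offset of the instruction within Region.
/// \param os      Unused here (kept for the MCDisassembler interface).
/// \return false if the bytes cannot be read or no MC builder can be created
///         for the decoded opcode, or if the builder rejects the encoding.
bool ARMDisassembler::getInstruction(MCInst &MI,
                                     uint64_t &Size,
                                     const MemoryObject &Region,
                                     uint64_t Address,
                                     raw_ostream &os) const {
  // The machine instruction.
  uint32_t insn;
  uint8_t bytes[4];

  // We want to read exactly 4 bytes of data. readBytes() reports failure
  // (e.g. Address out of range) with -1; treat that as "no instruction".
  if (Region.readBytes(Address, 4, bytes, NULL) == -1)
    return false;

  // Encoded as a little-endian 32-bit word in the stream.
  // Widen each byte before shifting: bytes[3] << 24 on a promoted int is
  // signed overflow (undefined behaviour) whenever bit 7 of bytes[3] is set,
  // which is the common case for conditional ARM encodings.
  insn = (static_cast<uint32_t>(bytes[3]) << 24) |
         (static_cast<uint32_t>(bytes[2]) << 16) |
         (static_cast<uint32_t>(bytes[1]) << 8) |
         (static_cast<uint32_t>(bytes[0]) << 0);

  unsigned Opcode = decodeARMInstruction(insn);
  // ARMFormats is tblgen'ed alongside the decoder, so Opcode is assumed to be a
  // valid index into it; nothing here re-checks that (TODO confirm upstream).
  ARMFormat Format = ARMFormats[Opcode];
  Size = 4;

  DEBUG({
    errs() << "\nOpcode=" << Opcode << " Name=" << ARMUtils::OpcodeName(Opcode)
           << " Format=" << stringForARMFormat(Format) << '('
           << static_cast<int>(Format) << ")\n";
    showBitVector(errs(), insn);
  });

  OwningPtr<ARMBasicMCBuilder> Builder(CreateMCBuilder(Opcode, Format));
  if (!Builder)
    return false;

  Builder->setupBuilderForSymbolicDisassembly(getLLVMOpInfoCallback(),
                                              getDisInfoBlock(), getMCContext(),
                                              Address);

  if (!Builder->Build(MI, insn))
    return false;

  return true;
}

/// getInstruction - Decode one Thumb (16-bit) or Thumb2 (32-bit) instruction
/// at Address in Region.
///
/// \param MI      Receives the decoded instruction on success.
/// \param Size    Set to 2 or 4 according to the encoding width once the
///                halfword(s) have been read; left untouched on a read failure.
/// \param Region  Byte source; 2 bytes are read at Address, and 2 more at
///                Address + 2 when the first halfword announces a 32-bit
///                instruction.
/// \param Address Offset of the instruction within Region.
/// \param os      Unused here (kept for the MCDisassembler interface).
/// \return false on a read failure, when no MC builder exists for the decoded
///         opcode, or when the builder rejects the encoding.
bool ThumbDisassembler::getInstruction(MCInst &MI,
                                       uint64_t &Size,
                                       const MemoryObject &Region,
                                       uint64_t Address,
                                       raw_ostream &os) const {
  // The Thumb instruction stream is a sequence of halfwords.

  // This represents the first halfword as well as the machine instruction
  // passed to decodeThumbInstruction(). For 16-bit Thumb instruction, the top
  // halfword of insn is 0x00 0x00; otherwise, the first halfword is moved to
  // the top half followed by the second halfword.
  unsigned insn = 0;
  // Possible second halfword.
  uint16_t insn1 = 0;

  // A6.1 Thumb instruction set encoding
  //
  // If bits [15:11] of the halfword being decoded take any of the following
  // values, the halfword is the first halfword of a 32-bit instruction:
  //   o 0b11101
  //   o 0b11110
  //   o 0b11111.
  //
  // Otherwise, the halfword is a 16-bit instruction.

  // Read 2 bytes of data first.
  uint8_t bytes[2];
  if (Region.readBytes(Address, 2, bytes, NULL) == -1)
    return false;

  // Encoded as a little-endian 16-bit halfword in the stream.
  insn = (bytes[1] << 8) | bytes[0];
  unsigned bits15_11 = slice(insn, 15, 11);
  bool IsThumb2 = false;

  // 32-bit instructions if the bits [15:11] of the halfword matches
  // { 0b11101 /* 0x1D */, 0b11110 /* 0x1E */, 0b11111 /* 0x1F */ }.
  if (bits15_11 == 0x1D || bits15_11 == 0x1E || bits15_11 == 0x1F) {
    IsThumb2 = true;
    // The second halfword may legitimately be missing at the end of Region;
    // a failed read means the instruction is truncated and is rejected.
    if (Region.readBytes(Address + 2, 2, bytes, NULL) == -1)
      return false;
    // Encoded as a little-endian 16-bit halfword in the stream.
    insn1 = (bytes[1] << 8) | bytes[0];
    insn = (insn << 16 | insn1);
  }

  // The insn could potentially be bit-twiddled in order to be decoded as an ARM
  // NEON/VFP opcode. In such case, the modified insn is later disassembled as
  // an ARM NEON/VFP instruction.
  //
  // This is a short term solution for lack of encoding bits specified for the
  // Thumb2 NEON/VFP instructions. The long term solution could be adding some
  // infrastructure to have each instruction support more than one encodings.
  // Which encoding is used would be based on which subtarget the compiler/
  // disassembler is working with at the time. This would allow the sharing of
  // the NEON patterns between ARM and Thumb2, as well as potential greater
  // sharing between the regular ARM instructions and the 32-bit wide Thumb2
  // instructions as well.
  unsigned Opcode = decodeThumbSideEffect(IsThumb2, insn);

  // As in the ARM path, Opcode is assumed to index ARMFormats validly because
  // both tables come from the same tblgen run (TODO confirm upstream).
  ARMFormat Format = ARMFormats[Opcode];
  Size = IsThumb2 ? 4 : 2;

  DEBUG({
    errs() << "Opcode=" << Opcode << " Name=" << ARMUtils::OpcodeName(Opcode)
           << " Format=" << stringForARMFormat(Format) << '('
           << static_cast<int>(Format) << ")\n";
    showBitVector(errs(), insn);
  });

  OwningPtr<ARMBasicMCBuilder> Builder(CreateMCBuilder(Opcode, Format));
  if (!Builder)
    return false;

  // The builder needs mutable IT-block state across calls, but this method is
  // const; SO is the per-disassembler Session that carries that state.
  Builder->SetSession(const_cast<Session *>(&SO));

  Builder->setupBuilderForSymbolicDisassembly(getLLVMOpInfoCallback(),
                                              getDisInfoBlock(), getMCContext(),
                                              Address);

  if (!Builder->Build(MI, insn))
    return false;

  return true;
}

// A8.6.50
// Valid return values are {1, 2, 3, 4}, with 0 signifying an error condition.
//
// ITMask is the low 4 bits of the IT instruction; the position of its lowest
// set bit encodes how many instructions the IT block covers. A mask of 0000
// has no set bit (trailing-zero count > 3) and is rejected.
static unsigned short CountITSize(unsigned ITMask) {
  // First count the trailing zeros of the IT mask.
  unsigned TZ = CountTrailingZeros_32(ITMask);
  if (TZ > 3) {
    DEBUG(errs() << "Encoding error: IT Mask '0000'");
    return 0;
  }
  return (4 - TZ);
}

/// Init ITState. Note that at least one bit is always 1 in mask.
///
/// \param bits7_0 The low byte of the IT instruction: firstcond in bits 7-4,
///                mask in bits 3-0.
/// \return false for the encodings A8.6.50 marks as invalid (mask 0000,
///         firstcond 1111, or firstcond 1110 with more than one instruction);
///         in that case ITState is left untouched although ITCounter has
///         already been overwritten.
bool Session::InitIT(unsigned short bits7_0) {
  ITCounter = CountITSize(slice(bits7_0, 3, 0));
  if (ITCounter == 0)
    return false;

  // A8.6.50 IT
  unsigned short FirstCond = slice(bits7_0, 7, 4);
  if (FirstCond == 0xF) {
    DEBUG(errs() << "Encoding error: IT FirstCond '1111'");
    return false;
  }
  if (FirstCond == 0xE && ITCounter != 1) {
    DEBUG(errs() << "Encoding error: IT FirstCond '1110' && Mask != '1000'");
    return false;
  }

  ITState = bits7_0;

  return true;
}

/// Update ITState if necessary: consume one instruction of the current IT
/// block, clearing the state when the block is exhausted.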
void Session::UpdateIT() {
  // Must only be called while an IT block is active.
  assert(ITCounter);
  if (--ITCounter == 0) {
    // Block exhausted: no condition applies to the next instruction.
    ITState = 0;
    return;
  }
  // Advance to the next condition by shifting the low five bits up by one.
  const unsigned short Advanced = slice(ITState, 4, 0) << 1;
  setSlice(ITState, 4, 0, Advanced);
}

// TargetRegistry factory for the ARM-mode disassembler; the Target argument
// is not consulted. Ownership of the returned object passes to the caller.
static MCDisassembler *createARMDisassembler(const Target &) {
  return new ARMDisassembler();
}

// TargetRegistry factory for the Thumb-mode disassembler; same contract as
// createARMDisassembler.
static MCDisassembler *createThumbDisassembler(const Target &) {
  return new ThumbDisassembler();
}

// Entry point invoked by the target-initialisation machinery: registers both
// disassembler factories with the registry.
extern "C" void LLVMInitializeARMDisassembler() {
  TargetRegistry::RegisterMCDisassembler(TheARMTarget,
                                         createARMDisassembler);
  TargetRegistry::RegisterMCDisassembler(TheThumbTarget,
                                         createThumbDisassembler);
}

// Both disassemblers expose the same tblgen'ed instruction-info table.
EDInstInfo *ARMDisassembler::getEDInfo() const { return instInfoARM; }

EDInstInfo *ThumbDisassembler::getEDInfo() const { return instInfoARM; }