1 /* This file must be included from target-arm/translate.c */ 2 3 /***** 4 ***** 5 ***** 6 ***** C O N F I G _ M E M C H E C K 7 ***** 8 ***** 9 *****/ 10 11 #ifdef CONFIG_MEMCHECK 12 13 /* 14 * Memchecker addition in this module is intended to inject qemu callback into 15 * translated code for each BL/BLX, as well as BL/BLX returns. These callbacks 16 * are used to build calling stack of the thread in order to provide better 17 * reporting on memory access violations. Although this may seem as something 18 * that may gratly impact the performance, in reality it doesn't. Overhead that 19 * is added by setting up callbacks and by callbacks themselves is neglectable. 20 * On the other hand, maintaining calling stack can indeed add some perf. 21 * overhead (TODO: provide solid numbers here). 22 * One of the things to watch out with regards to injecting callbacks, is 23 * consistency between intermediate code generated for execution, and for guest 24 * PC address calculation. If code doesn't match, a segmentation fault is 25 * guaranteed. 26 */ 27 28 #include "memcheck/memcheck_proc_management.h" 29 #include "memcheck/memcheck_api.h" 30 31 /* Array of return addresses detected in gen_intermediate_code_internal. */ 32 AddrArray ret_addresses = { 0 }; 33 34 /* Checks if call stack collection is enabled for the given context. 35 * We collect call stack only for the user mode (both, code and CPU), and on 36 * condition that memory checking, and call collection are enabled. It also 37 * seems that collecting stack for the linker code is excessive, as it doesn't 38 * provide much useful info for the memory checker. 39 * Return: 40 * boolean: 1 if stack collection is enabled for the given context, or 0 if 41 * it's not enabled. 42 */ 43 static inline int 44 watch_call_stack(DisasContext *s) 45 { 46 if (!memcheck_enabled || !memcheck_watch_call_stack) { 47 return 0; 48 } 49 50 #ifndef CONFIG_USER_ONLY 51 if (!s->user) { 52 /* We're not interested in kernel mode CPU stack. */ 53 return 0; 54 } 55 #endif // CONFIG_USER_ONLY 56 57 /* We're not interested in kernel code stack (pc >= 0xC0000000). 58 * Android specific: We're also not interested in android linker stack 59 * (0xB0000000 - 0xB00FFFFF) */ 60 if (s->pc >= 0xC0000000 || (0xB0000000 <= s->pc && s->pc <= 0xB00FFFFF)) { 61 return 0; 62 } 63 return 1; 64 } 65 66 /* Checks if given ARM instruction is BL, or BLX. 67 * Return: 68 * boolean: 1 if ARM instruction is BL/BLX, or 0 if it's not. 69 */ 70 static inline int 71 is_arm_bl_or_blx(uint32_t insn) 72 { 73 /* ARM BL (immediate): xxxx 1011 xxxx xxxx xxxx xxxx xxxx xxxx 74 * ARM BLX (immediate): 1111 101x xxxx xxxx xxxx xxxx xxxx xxxx 75 * ARM BLX (register): xxxx 0001 0010 xxxx xxxx xxxx 0011 xxxx 76 */ 77 if ((insn & 0x0F000000) == 0x0B000000 || // ARM BL (imm) 78 (insn & 0xFE000000) == 0xFA000000 || // ARM BLX (imm) 79 (insn & 0x0FF000F0) == 0x12000030) { // ARM BLX (reg) 80 return 1; 81 } 82 return 0; 83 } 84 85 /* Checks if given THUMB instruction is BL, or BLX. 86 * Param: 87 * insn - THUMB instruction to check. 88 * pc - Emulated PC address for the instruction. 89 * ret_off - If insn is BL, or BLX, upon return ret_off contains 90 * instruction's byte size. If instruction is not BL, or BLX, content of 91 * this parameter is undefined on return. 92 * Return: 93 * boolean: 1 if THUMB instruction is BL/BLX, or 0 if it's not. 94 */ 95 static inline int 96 is_thumb_bl_or_blx(uint16_t insn, target_ulong pc, target_ulong* ret_off) 97 { 98 /* THUMB BLX(register): 0100 0111 1xxx xxxx 99 * THUMB BL(1-stimmediate): 1111 0xxx xxxx xxxx 100 * THUMB BLX(1-stimmediate): 1111 0xxx xxxx xxxx 101 */ 102 if ((insn & 0xFF80) == 0x4780) { // THUMB BLX(reg) 103 *ret_off = 2; 104 return 1; 105 } else if ((insn & 0xF800) == 0xF000) { // THUMB BL(X)(imm) 106 // This is a 32-bit THUMB. Get the second half of the instuction. 107 insn = lduw_code(pc + 2); 108 if ((insn & 0xC000) == 0xC000) { 109 *ret_off = 4; 110 return 1; 111 } 112 } 113 return 0; 114 } 115 116 /* Registers a return address detected in gen_intermediate_code_internal. 117 * NOTE: If return address has been registered as new in this routine, this will 118 * cause invalidation of all existing TBs that contain translated code for that 119 * address. 120 * NOTE: Before storing PC address in the array, we convert it from emulated 121 * address to a physical address. This way we deal with emulated addresses 122 * overlapping for different processes. 123 * Param: 124 * env - CPU state environment. 125 * addr - Return address to register. 126 * Return: 127 * 1 - Address has been registered in this routine. 128 * -1 - Address has been already registered before. 129 * 0 - Insufficient memory. 130 */ 131 static int 132 register_ret_address(CPUState* env, target_ulong addr) 133 { 134 int ret; 135 if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) { 136 /* Address belongs to a module that always loads at this fixed address. 137 * So, we can keep this address in the global array. */ 138 ret = addrarray_add(&ret_addresses, get_phys_addr_code(env, addr)); 139 } else { 140 ret = addrarray_add(&ret_addresses, get_phys_addr_code(env, addr)); 141 } 142 assert(ret != 0); 143 144 if (ret == 1) { 145 /* If this ret address has been added to the array, we need to make sure 146 * that all TBs that contain translated code for that address are 147 * invalidated. This will force retranslation of that code, which will 148 * make sure that our ret callback is set. This is also important part 149 * in keeping consistency between translated code, and intermediate code 150 * generated for guest PC calculation. If we don't invalidate TBs, and 151 * PC calculation code is generated, there will be inconsistency due to 152 * the fact that TB code doesn't contain ret callback, while PC calc 153 * code contains it. This inconsistency will lead to an immanent 154 * segmentation fault.*/ 155 TranslationBlock* tb; 156 const target_ulong phys_pc = get_phys_addr_code(env, addr); 157 const target_ulong phys_page1 = phys_pc & TARGET_PAGE_MASK; 158 159 for(tb = tb_phys_hash[tb_phys_hash_func(phys_pc)]; tb != NULL; 160 tb = tb->phys_hash_next) { 161 if (tb->pc == addr && tb->page_addr[0] == phys_page1) { 162 tb_phys_invalidate(tb, -1); 163 } 164 } 165 } 166 return ret; 167 } 168 169 /* Checks if given address is recognized as a return address. 170 * Return: 171 * boolean: 1 if if given address is recognized as a return address, 172 * or 0 if it's not. 173 */ 174 static inline int 175 is_ret_address(CPUState* env, target_ulong addr) 176 { 177 if ((0x90000000 <= addr && addr <= 0xBFFFFFFF)) { 178 return addrarray_check(&ret_addresses, get_phys_addr_code(env, addr)); 179 } else { 180 return addrarray_check(&ret_addresses, get_phys_addr_code(env, addr)); 181 } 182 } 183 184 /* Adds "on_call" callback into generated intermediate code. */ 185 static inline void 186 set_on_call(target_ulong pc, target_ulong ret) 187 { 188 TCGv_ptr tmp_pc = tcg_const_ptr(pc & ~1); 189 TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1); 190 191 gen_helper_on_call(tmp_pc, tmp_ret); 192 193 tcg_temp_free_ptr(tmp_ret); 194 tcg_temp_free_ptr(tmp_pc); 195 } 196 197 /* Adds "on_ret" callback into generated intermediate code. */ 198 static inline void 199 set_on_ret(target_ulong ret) 200 { 201 TCGv_ptr tmp_ret = tcg_const_ptr(ret & ~1); 202 203 gen_helper_on_ret(tmp_ret); 204 205 tcg_temp_free_ptr(tmp_ret); 206 } 207 208 209 # define ANDROID_WATCH_CALLSTACK_ARM(s) \ 210 if (watch_call_stack(s)) { \ 211 if (is_ret_address(env, s->pc)) { \ 212 set_on_ret(s->pc); \ 213 } \ 214 if (is_arm_bl_or_blx(insn)) { \ 215 set_on_call(s->pc, s->pc + 4); \ 216 if (!s->search_pc) { \ 217 register_ret_address(env, s->pc + 4); \ 218 } \ 219 } \ 220 } 221 222 # define ANDROID_WATCH_CALLSTACK_THUMB(s) \ 223 if (watch_call_stack(s)) { \ 224 target_ulong ret_off; \ 225 if (is_ret_address(env, s->pc)) { \ 226 set_on_ret(s->pc); \ 227 } \ 228 if (is_thumb_bl_or_blx(insn, s->pc, &ret_off)) { \ 229 set_on_call(s->pc, s->pc + ret_off); \ 230 if (!s->search_pc) { \ 231 register_ret_address(env, s->pc + ret_off); \ 232 } \ 233 } \ 234 } 235 236 # define ANDROID_DISAS_CONTEXT_FIELDS \ 237 int search_pc; 238 239 # define ANDROID_START_CODEGEN(search_pc) \ 240 dc->search_pc = search_pc 241 242 /* When memchecker is enabled, we need to keep a match between 243 * translated PC and guest PCs, so memchecker can quickly covert 244 * one to another. Note that we do that only for user mode. */ 245 # define ANDROID_CHECK_CODEGEN_PC(search_pc) \ 246 ((search_pc) || (memcheck_enabled && dc->user)) 247 248 # define ANDROID_END_CODEGEN() \ 249 do { \ 250 if (memcheck_enabled && dc->user) { \ 251 j = gen_opc_ptr - gen_opc_buf; \ 252 lj++; \ 253 while (lj <= j) \ 254 gen_opc_instr_start[lj++] = 0; \ 255 } \ 256 } while (0) 257 258 #else /* !CONFIG_MEMCHECK */ 259 260 # define ANDROID_WATCH_CALLSTACK_ARM ((void)0) 261 # define ANDROID_WATCH_CALLSTACK_THUMB ((void)0) 262 # define ANDROID_DISAS_CONTEXT_FIELDS /* nothing */ 263 # define ANDROID_START_CODEGEN(s) ((void)(s)) 264 # define ANDROID_CHECK_CODEGEN_PC(s) (s) 265 # define ANDROID_END_CODEGEN() ((void)0) 266 267 #endif /* !CONFIG_MEMCHECK */ 268 269 270 /***** 271 ***** 272 ***** 273 ***** C O N F I G _ T R A C E 274 ***** 275 ***** 276 *****/ 277 278 #ifdef CONFIG_TRACE 279 280 #include "android-trace.h" 281 #define gen_traceInsn() gen_helper_traceInsn() 282 283 static void 284 gen_traceTicks( int count ) 285 { 286 TCGv tmp = tcg_temp_new_i32(); 287 tcg_gen_movi_i32(tmp, count); 288 gen_helper_traceTicks(tmp); 289 tcg_temp_free_i32(tmp); 290 } 291 292 static void 293 gen_traceBB( uint64_t bbNum, void* tb ) 294 { 295 #if HOST_LONG_BITS == 32 296 TCGv_i64 tmpNum = tcg_temp_new_i64(); 297 TCGv_i32 tmpTb = tcg_temp_new_i32(); 298 299 tcg_gen_movi_i64(tmpNum, (int64_t)bbNum); 300 tcg_gen_movi_i32(tmpTb, (int32_t)tb); 301 gen_helper_traceBB32(tmpNum, tmpTb); 302 tcg_temp_free_i32(tmpTb); 303 tcg_temp_free_i64(tmpNum); 304 #elif HOST_LONG_BITS == 64 305 TCGv_i64 tmpNum = tcg_temp_new_i64(); 306 TCGv_i64 tmpTb = tcg_temp_new_i64(); 307 308 tcg_gen_movi_i64(tmpNum, (int64_t)bbNum); 309 tcg_gen_movi_i64(tmpTb, (int64_t)tb); 310 gen_helper_traceBB64(tmpNum, tmpTb); 311 tcg_temp_free_i64(tmpTb); 312 tcg_temp_free_i64(tmpNum); 313 #endif 314 } 315 316 # define ANDROID_TRACE_DECLS int ticks = 0; 317 318 # define ANDROID_TRACE_START_ARM() \ 319 do { \ 320 if (tracing) { \ 321 trace_add_insn(insn, 0); \ 322 ticks = get_insn_ticks_arm(insn); \ 323 gen_traceInsn(); \ 324 } \ 325 } while (0) 326 327 # define ANDROID_TRACE_START_THUMB() \ 328 do { \ 329 if (tracing) { \ 330 int ticks = get_insn_ticks_thumb(insn); \ 331 trace_add_insn( insn_wrap_thumb(insn), 1 ); \ 332 gen_traceInsn(); \ 333 gen_traceTicks(ticks); \ 334 } \ 335 } while (0) 336 337 # define ANDROID_TRACE_GEN_TICKS() \ 338 do { \ 339 if (tracing) { \ 340 } \ 341 } while (0) 342 343 # define ANDROID_TRACE_GEN_SINGLE_TICK() \ 344 do { \ 345 if (tracing) { \ 346 gen_traceTicks(1); \ 347 ticks -= 1; \ 348 } \ 349 } while (0) 350 351 # define ANDROID_TRACE_GEN_OTHER_TICKS() \ 352 do { \ 353 if (tracing && ticks > 0) { \ 354 gen_traceTicks(ticks); \ 355 } \ 356 } while (0) 357 358 # define ANDROID_TRACE_START_BB() \ 359 do { \ 360 if (tracing) { \ 361 gen_traceBB(trace_static_bb_num(), tb); \ 362 trace_bb_start(dc->pc); \ 363 } \ 364 } while (0) 365 366 # define ANDROID_TRACE_END_BB() \ 367 do { \ 368 if (tracing) { \ 369 trace_bb_end(); \ 370 } \ 371 } while (0) 372 373 #else /* !CONFIG_TRACE */ 374 375 # define ANDROID_TRACE_DECLS /* nothing */ 376 # define ANDROID_TRACE_START_ARM() ((void)0) 377 # define ANDROID_TRACE_START_THUMB() ((void)0) 378 379 # define ANDROID_TRACE_GEN_TICKS() ((void)0) 380 # define ANDROID_TRACE_GEN_SINGLE_TICK() ((void)0) 381 # define ANDROID_TRACE_GEN_OTHER_TICKS() ((void)0) 382 383 # define ANDROID_TRACE_START_BB() ((void)0) 384 # define ANDROID_TRACE_END_BB() ((void)0) 385 386 #endif /* !CONFIG_TRACE */ 387 388
