1 /* -*- mode: C; c-basic-offset: 3; -*- */
2 
3 /*--------------------------------------------------------------------*/
4 /*--- Reading of ARM(32) EXIDX unwind information      readexidx.c ---*/
5 /*--------------------------------------------------------------------*/
6 
7 /*
8    This file is part of Valgrind, a dynamic binary instrumentation
9    framework.
10 
11    Copyright (C) 2014-2015 Mozilla Foundation
12 
13    This program is free software; you can redistribute it and/or
14    modify it under the terms of the GNU General Public License as
15    published by the Free Software Foundation; either version 2 of the
16    License, or (at your option) any later version.
17 
18    This program is distributed in the hope that it will be useful, but
19    WITHOUT ANY WARRANTY; without even the implied warranty of
20    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
21    General Public License for more details.
22 
23    You should have received a copy of the GNU General Public License
24    along with this program; if not, write to the Free Software
25    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
26    02111-1307, USA.
27 
28    The GNU General Public License is contained in the file COPYING.
29 */
30 
31 /* libunwind - a platform-independent unwind library
32    Copyright 2011 Linaro Limited
33 
34 This file is part of libunwind.
35 
36 Permission is hereby granted, free of charge, to any person obtaining
37 a copy of this software and associated documentation files (the
38 "Software"), to deal in the Software without restriction, including
39 without limitation the rights to use, copy, modify, merge, publish,
40 distribute, sublicense, and/or sell copies of the Software, and to
41 permit persons to whom the Software is furnished to do so, subject to
42 the following conditions:
43 
44 The above copyright notice and this permission notice shall be
45 included in all copies or substantial portions of the Software.
46 
47 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
48 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
49 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
50 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
51 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
52 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
53 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  */
54 
55 
56 // Copyright (c) 2010 Google Inc.
57 // All rights reserved.
58 //
59 // Redistribution and use in source and binary forms, with or without
60 // modification, are permitted provided that the following conditions are
61 // met:
62 //
63 //     * Redistributions of source code must retain the above copyright
64 // notice, this list of conditions and the following disclaimer.
65 //     * Redistributions in binary form must reproduce the above
66 // copyright notice, this list of conditions and the following disclaimer
67 // in the documentation and/or other materials provided with the
68 // distribution.
69 //     * Neither the name of Google Inc. nor the names of its
70 // contributors may be used to endorse or promote products derived from
71 // this software without specific prior written permission.
72 //
73 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
74 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
75 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
76 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
77 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
78 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
79 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
80 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
81 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
82 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
83 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
84 
85 
86 // Derived originally from libunwind, with very extensive modifications.
87 /* Contributed by Julian Seward <jseward@acm.org> */
88 
89 
90 // This file translates EXIDX unwind information into the same format
91 // that Valgrind uses for CFI information.  Hence Valgrind's CFI
92 // unwinding abilities also become usable for EXIDX.
93 //
94 // See: "Exception Handling ABI for the ARM Architecture", ARM IHI 0038A
95 // http://infocenter.arm.com/help/topic/com.arm.doc.ihi0038a/IHI0038A_ehabi.pdf
96 
97 // EXIDX data is presented in two parts:
98 //
99 // * an index table.  This contains two words per routine,
100 //   the first of which identifies the routine, and the second
101 //   of which is a reference to the unwind bytecode.  If the
102 //   bytecode is very compact -- 3 bytes or less -- it can be
103 //   stored directly in the second word.
104 //
105 // * an area containing the unwind bytecodes.
106 //
107 // General flow is: ML_(read_exidx) iterates over all
108 // of the index table entries (pairs).  For each entry, it:
109 //
110 // * calls ExtabEntryExtract to copy the bytecode out into
111 // an intermediate buffer.
112 
113 // * uses ExtabEntryDecode to parse the intermediate
114 //   buffer.  Each bytecode instruction is bundled into a
115 //   arm_ex_to_module::extab_data structure, and handed to ..
116 //
117 // * .. TranslateCmd, which generates the pseudo-CFI
118 //   records that Valgrind stores.
119 
120 // This file is derived from the following files in the Mozilla tree
121 // toolkit/crashreporter/google-breakpad:
122 //   src/common/arm_ex_to_module.cc
123 //   src/common/arm_ex_reader.cc
124 
125 
126 #if defined(VGA_arm)
127 
128 #include "pub_core_basics.h"
129 #include "pub_core_libcbase.h"
130 #include "pub_core_libcprint.h"
131 #include "pub_core_libcassert.h"
132 #include "pub_core_options.h"
133 
134 #include "priv_storage.h"
135 #include "priv_readexidx.h"
136 
137 
complain(const HChar * str)138 static void complain ( const HChar* str )
139 {
140    if (!VG_(clo_xml) && VG_(clo_verbosity) > 1)
141       VG_(message)(Vg_UserMsg,
142                    "  Warning: whilst reading EXIDX: %s\n", str);
143 }
144 
145 
146 /*------------------------------------------------------------*/
147 /*--- MemoryRange                                          ---*/
148 /*------------------------------------------------------------*/
149 
150 typedef  struct { Addr start; SizeT len; }  MemoryRange;
151 
152 /* Initialise |mr| for [start .. start+len).  Zero ranges are allowed,
153    but wraparounds are not.  Returns True on success. */
MemoryRange__init(MemoryRange * mr,const void * startV,SizeT len)154 static Bool MemoryRange__init ( /*OUT*/MemoryRange* mr,
155                                 const void* startV, SizeT len )
156 {
157    VG_(memset)(mr, 0, sizeof(*mr));
158    /* This relies on Addr being unsigned. */
159    Addr start = (Addr)startV;
160    if (len > 0 && start + len - 1 < start) {
161       return False;
162    }
163    mr->start = start;
164    mr->len   = len;
165    return True;
166 }
167 
MemoryRange__covers(MemoryRange * mr,const void * startV,SizeT len)168 static Bool MemoryRange__covers ( MemoryRange* mr,
169                                   const void* startV, SizeT len )
170 {
171    vg_assert(len > 0);
172    if (mr->len == 0) {
173       return False;
174    }
175    Addr start = (Addr)startV;
176    return start >= mr->start && start + len - 1 <= mr->start + mr->len - 1;
177 }
178 
179 
180 /*------------------------------------------------------------*/
181 /*--- (Pass 1 of 3) The EXIDX extractor                    ---*/
182 /*------------------------------------------------------------*/
183 
184 #define ARM_EXIDX_CANT_UNWIND 0x00000001
185 #define ARM_EXIDX_COMPACT     0x80000000
186 #define ARM_EXTBL_OP_FINISH   0xb0
187 #define ARM_EXIDX_TABLE_LIMIT (255*4)
188 
189 /* These are in the ARM-defined format, so their layout is important. */
190 typedef
191    struct { UInt addr; UInt data; }
192    ExidxEntry;
193 
194 
195 typedef
196    enum {
197       ExSuccess=1,      // success
198       ExInBufOverflow,  // out-of-range while reading .exidx
199       ExOutBufOverflow, // output buffer is too small
200       ExCantUnwind,     // this function is marked CANT_UNWIND
201       ExCantRepresent,  // entry valid, but we can't represent it
202       ExInvalid         // entry is invalid
203    }
204    ExExtractResult;
205 
206 
207 /* Helper function for fishing bits out of the EXIDX representation. */
Prel31ToAddr(const void * addr)208 static const void* Prel31ToAddr(const void* addr)
209 {
210    UInt offset32 = *(const UInt*)addr;
211    // sign extend offset32[30:0] to 64 bits -- copy bit 30 to positions
212    // 63:31 inclusive.
213    ULong offset64 = offset32;
214    if (offset64 & (1ULL << 30))
215       offset64 |= 0xFFFFFFFF80000000ULL;
216    else
217       offset64 &= 0x000000007FFFFFFFULL;
218    return ((const UChar*)addr) + (UWord)offset64;
219 }
220 
221 
222 // Extract unwind bytecode for the function denoted by |entry| into |buf|,
223 // and return the number of bytes of |buf| written, along with a code
224 // indicating the outcome.
225 static
ExtabEntryExtract(MemoryRange * mr_exidx,MemoryRange * mr_extab,const ExidxEntry * entry,UChar * buf,SizeT buf_size,SizeT * buf_used)226 ExExtractResult ExtabEntryExtract ( MemoryRange* mr_exidx,
227                                     MemoryRange* mr_extab,
228                                     const ExidxEntry* entry,
229                                     UChar* buf, SizeT buf_size,
230                                     /*OUT*/SizeT* buf_used)
231 {
232    Bool ok;
233    MemoryRange mr_out;
234    ok = MemoryRange__init(&mr_out, buf, buf_size);
235    if (!ok) return ExOutBufOverflow;
236 
237    *buf_used = 0;
238 
239 #  define PUT_BUF_U8(_byte) \
240       do { if (!MemoryRange__covers(&mr_out, &buf[*buf_used], 1)) \
241               return ExOutBufOverflow; \
242            buf[(*buf_used)++] = (_byte); } while (0)
243 
244 #  define GET_EX_U32(_lval, _addr, _mr) \
245       do { if (!MemoryRange__covers((_mr), (const void*)(_addr), 4)) \
246               return ExInBufOverflow; \
247            (_lval) = *(const UInt*)(_addr); } while (0)
248 
249 #  define GET_EXIDX_U32(_lval, _addr) \
250       GET_EX_U32(_lval, _addr, mr_exidx)
251 
252 #  define GET_EXTAB_U32(_lval, _addr) \
253       GET_EX_U32(_lval, _addr, mr_extab)
254 
255    UInt data;
256    GET_EXIDX_U32(data, &entry->data);
257 
258    // A function can be marked CANT_UNWIND if (eg) it is known to be
259    // at the bottom of the stack.
260    if (data == ARM_EXIDX_CANT_UNWIND)
261       return ExCantUnwind;
262 
263    UInt  pers;          // personality number
264    UInt  extra;         // number of extra data words required
265    UInt  extra_allowed; // number of extra data words allowed
266    const UInt* extbl_data;    // the handler entry, if not inlined
267 
268    if (data & ARM_EXIDX_COMPACT) {
269       // The handler table entry has been inlined into the index table entry.
270       // In this case it can only be an ARM-defined compact model, since
271       // bit 31 is 1.  Only personalities 0, 1 and 2 are defined for the
272       // ARM compact model, but 1 and 2 are "Long format" and may require
273       // extra data words.  Hence the allowable personalities here are:
274       //   personality 0, in which case 'extra' has no meaning
275       //   personality 1, with zero extra words
276       //   personality 2, with zero extra words
277       extbl_data = NULL;
278       pers  = (data >> 24) & 0x0F;
279       extra = (data >> 16) & 0xFF;
280       extra_allowed = 0;
281    }
282    else {
283       // The index table entry is a pointer to the handler entry.  Note
284       // that Prel31ToAddr will read the given address, but we already
285       // range-checked above.
286       extbl_data = Prel31ToAddr(&entry->data);
287       GET_EXTAB_U32(data, extbl_data);
288       if (!(data & ARM_EXIDX_COMPACT)) {
289          // This denotes a "generic model" handler.  That will involve
290          // executing arbitrary machine code, which is something we
291          // can't represent here; hence reject it.
292          return ExCantRepresent;
293       }
294       // So we have a compact model representation.  Again, 3 possible
295       // personalities, but this time up to 255 allowable extra words.
296       pers  = (data >> 24) & 0x0F;
297       extra = (data >> 16) & 0xFF;
298       extra_allowed = 255;
299       extbl_data++;
300    }
301 
302    // Now look at the handler table entry.  The first word is |data|
303    // and subsequent words start at |*extbl_data|.  The number of
304    // extra words to use is |extra|, provided that the personality
305    // allows extra words.  Even if it does, none may be available --
306    // extra_allowed is the maximum number of extra words allowed. */
307    if (pers == 0) {
308       // "Su16" in the documentation -- 3 unwinding insn bytes
309       // |extra| has no meaning here; instead that byte is an unwind-info byte
310       PUT_BUF_U8(data >> 16);
311       PUT_BUF_U8(data >> 8);
312       PUT_BUF_U8(data);
313    }
314    else if ((pers == 1 || pers == 2) && extra <= extra_allowed) {
315       // "Lu16" or "Lu32" respectively -- 2 unwinding insn bytes,
316       // and up to 255 extra words.
317       PUT_BUF_U8(data >> 8);
318       PUT_BUF_U8(data);
319       UInt j;
320       for (j = 0; j < extra; j++) {
321          GET_EXTAB_U32(data, extbl_data);
322          extbl_data++;
323          PUT_BUF_U8(data >> 24);
324          PUT_BUF_U8(data >> 16);
325          PUT_BUF_U8(data >> 8);
326          PUT_BUF_U8(data >> 0);
327       }
328    }
329    else {
330       // The entry is invalid.
331       return ExInvalid;
332    }
333 
334    // Make sure the entry is terminated with "FINISH"
335    if (*buf_used > 0 && buf[(*buf_used) - 1] != ARM_EXTBL_OP_FINISH)
336       PUT_BUF_U8(ARM_EXTBL_OP_FINISH);
337 
338    return ExSuccess;
339 
340 #  undef GET_EXTAB_U32
341 #  undef GET_EXIDX_U32
342 #  undef GET_U32
343 #  undef PUT_BUF_U8
344 }
345 
346 
347 /*------------------------------------------------------------*/
348 /*--- (Pass 2 of 3) The EXIDX decoder                      ---*/
349 /*------------------------------------------------------------*/
350 
351 /* This (ExtabData) is an intermediate structure, used to carry
352    information from the decoder (pass 2) to the summariser (pass 3).
353    I don't think its layout is important. */
354 typedef
355    enum {
356       ARM_EXIDX_CMD_FINISH=0x100,
357       ARM_EXIDX_CMD_SUB_FROM_VSP,
358       ARM_EXIDX_CMD_ADD_TO_VSP,
359       ARM_EXIDX_CMD_REG_POP,
360       ARM_EXIDX_CMD_REG_TO_SP,
361       ARM_EXIDX_CMD_VFP_POP,
362       ARM_EXIDX_CMD_WREG_POP,
363       ARM_EXIDX_CMD_WCGR_POP,
364       ARM_EXIDX_CMD_RESERVED,
365       ARM_EXIDX_CMD_REFUSED
366    }
367    ExtabCmd;
368 
showExtabCmd(ExtabCmd cmd)369 static const HChar* showExtabCmd ( ExtabCmd cmd ) {
370    switch (cmd) {
371       case ARM_EXIDX_CMD_FINISH:       return "FINISH";
372       case ARM_EXIDX_CMD_SUB_FROM_VSP: return "SUB_FROM_VSP";
373       case ARM_EXIDX_CMD_ADD_TO_VSP:   return "ADD_TO_VSP";
374       case ARM_EXIDX_CMD_REG_POP:      return "REG_POP";
375       case ARM_EXIDX_CMD_REG_TO_SP:    return "REG_TO_SP";
376       case ARM_EXIDX_CMD_VFP_POP:      return "VFP_POP";
377       case ARM_EXIDX_CMD_WREG_POP:     return "WREG_POP";
378       case ARM_EXIDX_CMD_WCGR_POP:     return "WCGR_POP";
379       case ARM_EXIDX_CMD_RESERVED:     return "RESERVED";
380       case ARM_EXIDX_CMD_REFUSED:      return "REFUSED";
381       default:                         return "???";
382    }
383 }
384 
385 
386 typedef
387    struct { ExtabCmd cmd; UInt data; }
388    ExtabData;
389 
ppExtabData(const ExtabData * etd)390 static void ppExtabData ( const ExtabData* etd ) {
391    VG_(printf)("ExtabData{%-12s 0x%08x}", showExtabCmd(etd->cmd), etd->data);
392 }
393 
394 
395 enum extab_cmd_flags {
396    ARM_EXIDX_VFP_SHIFT_16 = 1 << 16,
397    ARM_EXIDX_VFP_FSTMD = 1 << 17, // distinguishes FSTMxxD from FSTMxxX
398 };
399 
400 
401 /* Forwards */
402 typedef  struct _SummState  SummState;
403 static Int TranslateCmd(/*MOD*/SummState* state, const ExtabData* edata);
404 
405 
406 // Take the unwind information extracted by ExtabEntryExtract
407 // and parse it into frame-unwind instructions.  These are as
408 // specified in "Table 4, ARM-defined frame-unwinding instructions"
409 // in the specification document detailed in comments at the top
410 // of this file.
411 //
412 // This reads from |buf[0, +data_size)|.  It checks for overruns of
413 // the input buffer and returns a negative value if that happens, or
414 // for any other failure cases.  It returns zero in case of success.
415 // Whilst reading the input, it dumps the result in |*state|.
416 static
ExtabEntryDecode(SummState * state,const UChar * buf,SizeT buf_size)417 Int ExtabEntryDecode(/*OUT*/SummState* state, const UChar* buf, SizeT buf_size)
418 {
419    if (buf == NULL || buf_size == 0)
420       return -3;
421 
422    MemoryRange mr_in;
423    Bool ok = MemoryRange__init(&mr_in, buf, buf_size);
424    if (!ok)
425       return -2;
426 
427 #  define GET_BUF_U8(_lval) \
428       do { if (!MemoryRange__covers(&mr_in, buf, 1)) \
429               return -4; \
430            (_lval) = *(buf++); } while (0)
431 
432    const UChar* end = buf + buf_size;
433 
434    while (buf < end) {
435       ExtabData edata;
436       VG_(bzero_inline)(&edata, sizeof(edata));
437 
438       UChar op;
439       GET_BUF_U8(op);
440       if ((op & 0xc0) == 0x00) {
441          // vsp = vsp + (xxxxxx << 2) + 4
442          edata.cmd  = ARM_EXIDX_CMD_ADD_TO_VSP;
443          edata.data = (((Int)op & 0x3f) << 2) + 4;
444       }
445       else if ((op & 0xc0) == 0x40) {
446          // vsp = vsp - (xxxxxx << 2) - 4
447          edata.cmd  = ARM_EXIDX_CMD_SUB_FROM_VSP;
448          edata.data = (((Int)op & 0x3f) << 2) + 4;
449       }
450       else if ((op & 0xf0) == 0x80) {
451          UChar op2;
452          GET_BUF_U8(op2);
453          if (op == 0x80 && op2 == 0x00) {
454             // Refuse to unwind
455             edata.cmd = ARM_EXIDX_CMD_REFUSED;
456          } else {
457             // Pop up to 12 integer registers under masks {r15-r12},{r11-r4}
458             edata.cmd  = ARM_EXIDX_CMD_REG_POP;
459             edata.data = ((op & 0xf) << 8) | op2;
460             edata.data = edata.data << 4;
461          }
462       }
463       else if ((op & 0xf0) == 0x90) {
464          if (op == 0x9d || op == 0x9f) {
465             // 9d: Reserved as prefix for ARM register to register moves
466             // 9f: Reserved as prefix for Intel Wireless MMX reg to reg moves
467             edata.cmd = ARM_EXIDX_CMD_RESERVED;
468          } else {
469             // Set vsp = r[nnnn]
470             edata.cmd  = ARM_EXIDX_CMD_REG_TO_SP;
471             edata.data = op & 0x0f;
472          }
473       }
474       else if ((op & 0xf0) == 0xa0) {
475          // Pop r4 to r[4+nnn],          or
476          // Pop r4 to r[4+nnn] and r14
477          Int nnn    = (op & 0x07);
478          edata.data = (1 << (nnn + 1)) - 1;
479          edata.data = edata.data << 4;
480          if (op & 0x08) edata.data |= 1 << 14;
481          edata.cmd = ARM_EXIDX_CMD_REG_POP;
482       }
483       else if (op == ARM_EXTBL_OP_FINISH) {
484          // Finish
485          edata.cmd = ARM_EXIDX_CMD_FINISH;
486          buf = end;
487       }
488       else if (op == 0xb1) {
489          UChar op2;
490          GET_BUF_U8(op2);
491          if (op2 == 0 || (op2 & 0xf0)) {
492             // Spare
493             edata.cmd = ARM_EXIDX_CMD_RESERVED;
494          } else {
495             // Pop integer registers under mask {r3,r2,r1,r0}
496             edata.cmd = ARM_EXIDX_CMD_REG_POP;
497             edata.data = op2 & 0x0f;
498          }
499       }
500       else if (op == 0xb2) {
501          // vsp = vsp + 0x204 + (uleb128 << 2)
502          ULong offset = 0;
503          UChar byte, shift = 0;
504          do {
505             GET_BUF_U8(byte);
506             offset |= (byte & 0x7f) << shift;
507             shift += 7;
508          } while ((byte & 0x80) && buf < end);
509          edata.data = offset * 4 + 0x204;
510          edata.cmd  = ARM_EXIDX_CMD_ADD_TO_VSP;
511       }
512       else if (op == 0xb3 || op == 0xc8 || op == 0xc9) {
513          // b3: Pop VFP regs D[ssss]    to D[ssss+cccc],    FSTMFDX-ishly
514          // c8: Pop VFP regs D[16+ssss] to D[16+ssss+cccc], FSTMFDD-ishly
515          // c9: Pop VFP regs D[ssss]    to D[ssss+cccc],    FSTMFDD-ishly
516          edata.cmd = ARM_EXIDX_CMD_VFP_POP;
517          GET_BUF_U8(edata.data);
518          if (op == 0xc8) edata.data |= ARM_EXIDX_VFP_SHIFT_16;
519          if (op != 0xb3) edata.data |= ARM_EXIDX_VFP_FSTMD;
520       }
521       else if ((op & 0xf8) == 0xb8 || (op & 0xf8) == 0xd0) {
522          // b8: Pop VFP regs D[8] to D[8+nnn], FSTMFDX-ishly
523          // d0: Pop VFP regs D[8] to D[8+nnn], FSTMFDD-ishly
524          edata.cmd  = ARM_EXIDX_CMD_VFP_POP;
525          edata.data = 0x80 | (op & 0x07);
526          if ((op & 0xf8) == 0xd0) edata.data |= ARM_EXIDX_VFP_FSTMD;
527       }
528       else if (op >= 0xc0 && op <= 0xc5) {
529          // Intel Wireless MMX pop wR[10]-wr[10+nnn], nnn != 6,7
530          edata.cmd  = ARM_EXIDX_CMD_WREG_POP;
531          edata.data = 0xa0 | (op & 0x07);
532       }
533       else if (op == 0xc6) {
534          // Intel Wireless MMX pop wR[ssss] to wR[ssss+cccc]
535          edata.cmd = ARM_EXIDX_CMD_WREG_POP;
536          GET_BUF_U8(edata.data);
537       }
538       else if (op == 0xc7) {
539          UChar op2;
540          GET_BUF_U8(op2);
541          if (op2 == 0 || (op2 & 0xf0)) {
542             // Spare
543             edata.cmd = ARM_EXIDX_CMD_RESERVED;
544          } else {
545             // Intel Wireless MMX pop wCGR registers under mask {wCGR3,2,1,0}
546             edata.cmd = ARM_EXIDX_CMD_WCGR_POP;
547             edata.data = op2 & 0x0f;
548          }
549       }
550       else {
551          // Spare
552          edata.cmd = ARM_EXIDX_CMD_RESERVED;
553       }
554 
555       if (0)
556          VG_(printf)("  edata:  cmd %08x  data %08x\n",
557                      (UInt)edata.cmd, edata.data);
558 
559       Int ret = TranslateCmd ( state, &edata );
560       if (ret < 0) return ret;
561    }
562    return 0;
563 
564 # undef GET_BUF_U8
565 }
566 
567 
568 /*------------------------------------------------------------*/
569 /*--- (Pass 3 of 3) The EXIDX summariser                   ---*/
570 /*------------------------------------------------------------*/
571 
572 /* In this translation into DiCfSI_m, we're going to have the CFA play
573    the role of the VSP.  That means that the VSP can be exactly any of
574    the CFA expressions, viz: {r7,r11,r12,r13) +/- offset.
575 
576    All of this would be a lot simpler if the DiCfSI_m representation
577    was just a bit more expressive and orthogonal.  But it isn't.
578 
579    The central difficulty is that, although we can track changes
580    to the offset of VSP (via vsp_off), we can't deal with assignments
581    of an entirely new expression to it, because the existing
582    rules in |cfi| will almost certainly refer to the CFA, and so
583    changing it will make them invalid.  Hence, below:
584 
585    * for the case ARM_EXIDX_CMD_REG_TO_SP we simply disallow
586      assignment, and hence give up, if any rule refers to CFA
587 
588    * for the case ARM_EXIDX_CMD_REG_POP, the SP (hence, VSP) is
589      updated by the pop, give up.
590 
591    This is an ugly hack to work around not having a better (LUL-like)
592    expression representation.  That said, these restrictions don't
593    appear to be a big problem in practice.
594 */
595 
596 struct _SummState {
597    // The DiCfSI_m under construction
598    DiCfSI_m   cfi;
599    Int        vsp_off;
600    // For generating CFI register expressions, if needed.
601    DebugInfo* di;
602 };
603 
604 
605 /* Generate a trivial CfiExpr, for the ARM(32) integer register
606    numbered |gprNo|.  First ensure this DebugInfo has a cfsi_expr
607    array in which to park it.  Returns -1 if |gprNo| cannot be
608    represented, otherwise returns a value >= 0. */
609 static
gen_CfiExpr_CfiReg_ARM_GPR(DebugInfo * di,UInt gprNo)610 Int gen_CfiExpr_CfiReg_ARM_GPR ( /*MB_MOD*/DebugInfo* di, UInt gprNo )
611 {
612    CfiReg creg = Creg_INVALID;
613    switch (gprNo) {
614       case 13: creg = Creg_ARM_R13; break;
615       case 12: creg = Creg_ARM_R12; break;
616       case 15: creg = Creg_ARM_R15; break;
617       case 14: creg = Creg_ARM_R14; break;
618       case 7:  creg = Creg_ARM_R7;  break;
619       default: break;
620    }
621    if (creg == Creg_INVALID) {
622       return -1;
623    }
624    if (!di->cfsi_exprs) {
625       di->cfsi_exprs = VG_(newXA)( ML_(dinfo_zalloc), "di.gCCAG",
626                                    ML_(dinfo_free), sizeof(CfiExpr) );
627    }
628    Int res = ML_(CfiExpr_CfiReg)( di->cfsi_exprs, creg );
629    vg_assert(res >= 0);
630    return res;
631 }
632 
633 
634 /* Given a DiCfSI_m, find the _how/_off pair for the given ARM(32) GPR
635    number inside |cfsi_m|, or return NULL for both if that register
636    number is not represented. */
637 static
maybeFindExprForRegno(UChar ** howPP,Int ** offPP,DiCfSI_m * cfsi_m,Int regNo)638 void maybeFindExprForRegno( /*OUT*/UChar** howPP, /*OUT*/Int** offPP,
639                             DiCfSI_m* cfsi_m, Int regNo )
640 {
641    switch (regNo) {
642       case 15: *howPP = &cfsi_m->ra_how;  *offPP = &cfsi_m->ra_off;  return;
643       case 14: *howPP = &cfsi_m->r14_how; *offPP = &cfsi_m->r14_off; return;
644       case 13: *howPP = &cfsi_m->r13_how; *offPP = &cfsi_m->r13_off; return;
645       case 12: *howPP = &cfsi_m->r12_how; *offPP = &cfsi_m->r12_off; return;
646       case 11: *howPP = &cfsi_m->r11_how; *offPP = &cfsi_m->r11_off; return;
647       case 7:  *howPP = &cfsi_m->r7_how;  *offPP = &cfsi_m->r7_off;  return;
648       default: break;
649    }
650    *howPP = NULL; *offPP = NULL;
651 }
652 
653 
654 /* Set cfi.cfa_{how,off} so as to be a copy of the expression denoted
655    by (how,off), if it is possible to do so.  Returns True on
656    success. */
657 static
setCFAfromCFIR(DiCfSI_m * cfi,XArray * cfsi_exprs,UChar how,Int off)658 Bool setCFAfromCFIR( /*MOD*/DiCfSI_m* cfi, XArray*/*CfiExpr*/ cfsi_exprs,
659                      UChar how, Int off )
660 {
661    switch (how) {
662       case CFIR_EXPR:
663          if (!cfsi_exprs) return False;
664          CfiExpr* e = (CfiExpr*)VG_(indexXA)(cfsi_exprs, off);
665          if (e->tag != Cex_CfiReg) return False;
666          if (e->Cex.CfiReg.reg == Creg_ARM_R7) {
667             cfi->cfa_how = CFIC_ARM_R7REL;
668             cfi->cfa_off = 0;
669             return True;
670          }
671          ML_(ppCfiExpr)(cfsi_exprs, off);
672          vg_assert(0);
673       default:
674          break;
675    }
676    VG_(printf)("setCFAfromCFIR: FAIL: how %d off %d\n", how, off);
677    vg_assert(0);
678    return False;
679 }
680 
681 
682 #define ARM_EXBUF_START(x) (((x) >> 4) & 0x0f)
683 #define ARM_EXBUF_COUNT(x) ((x) & 0x0f)
684 #define ARM_EXBUF_END(x)   (ARM_EXBUF_START(x) + ARM_EXBUF_COUNT(x))
685 
686 
mentionsCFA(DiCfSI_m * cfi)687 static Bool mentionsCFA ( DiCfSI_m* cfi )
688 {
689 #  define MENTIONS_CFA(_how) ((_how) == CFIR_CFAREL || (_how) == CFIR_MEMCFAREL)
690    if (MENTIONS_CFA(cfi->ra_how))  return True;
691    if (MENTIONS_CFA(cfi->r14_how)) return True;
692    if (MENTIONS_CFA(cfi->r13_how)) return True;
693    if (MENTIONS_CFA(cfi->r12_how)) return True;
694    if (MENTIONS_CFA(cfi->r11_how)) return True;
695    if (MENTIONS_CFA(cfi->r7_how))  return True;
696    return False;
697 #  undef MENTIONS_CFA
698 }
699 
700 
701 // Translate command from extab_data to command for Module.
702 static
TranslateCmd(SummState * state,const ExtabData * edata)703 Int TranslateCmd(/*MOD*/SummState* state, const ExtabData* edata)
704 {
705    /* Stay sane: check that the CFA has the expected form. */
706    vg_assert(state);
707    switch (state->cfi.cfa_how) {
708       case CFIC_ARM_R13REL: case CFIC_ARM_R12REL:
709       case CFIC_ARM_R11REL: case CFIC_ARM_R7REL: break;
710       default: vg_assert(0);
711    }
712 
713    if (0) {
714       VG_(printf)("  TranslateCmd: ");
715       ppExtabData(edata);
716       VG_(printf)("\n");
717    }
718 
719    Int ret = 0;
720    switch (edata->cmd) {
721       case ARM_EXIDX_CMD_FINISH:
722          /* Copy LR to PC if there isn't currently a rule for PC in force. */
723          if (state->cfi.ra_how == CFIR_UNKNOWN) {
724             if (state->cfi.r14_how == CFIR_UNKNOWN) {
725                state->cfi.ra_how = CFIR_EXPR;
726                state->cfi.ra_off = gen_CfiExpr_CfiReg_ARM_GPR(state->di, 14);
727                vg_assert(state->cfi.ra_off >= 0);
728             } else {
729                state->cfi.ra_how = state->cfi.r14_how;
730                state->cfi.ra_off = state->cfi.r14_off;
731             }
732          }
733          break;
734       case ARM_EXIDX_CMD_SUB_FROM_VSP:
735          state->vsp_off -= (Int)(edata->data);
736          break;
737       case ARM_EXIDX_CMD_ADD_TO_VSP:
738          state->vsp_off += (Int)(edata->data);
739          break;
740       case ARM_EXIDX_CMD_REG_POP: {
741          UInt i;
742          for (i = 0; i < 16; i++) {
743             if (edata->data & (1 << i)) {
744                // See if we're summarising for int register |i|.  If so,
745                // describe how to pull it off the stack.  The cast of |i| is
746                // a bit of a kludge but works because DW_REG_ARM_Rn has the
747                // value |n|, for 0 <= |n| <= 15 -- that is, for the ARM
748                // general-purpose registers.
749                UChar* rX_howP = NULL;
750                Int*   rX_offP = NULL;
751                maybeFindExprForRegno(&rX_howP, &rX_offP, &state->cfi, i);
752                if (rX_howP) {
753                   vg_assert(rX_offP);
754                   /* rX_howP and rX_offP point at one of the rX fields
755                      in |state->cfi|.  Hence the following assignments
756                      are really updating |state->cfi|. */
757                   *rX_howP = CFIR_MEMCFAREL;
758                   *rX_offP = state->vsp_off;
759                } else {
760                   /* We're not tracking this register, so ignore it. */
761                   vg_assert(!rX_offP);
762                }
763                state->vsp_off += 4;
764             }
765          }
766          /* Set cfa in case the SP got popped. */
767          if (edata->data & (1 << 13)) {
768             //  vsp = curr_rules_.mR13expr;
769             //state->cfi.cfa_how =
770             //state->cfi.cfa_off =
771             //state->vsp_off = 0;
772             // If this happens, it would make the existing CFA references
773             // in the summary invalid.  So give up instead.
774             goto cant_summarise;
775          }
776          break;
777          }
778       case ARM_EXIDX_CMD_REG_TO_SP: {
779          /* We're generating a new value for the CFA/VSP here.  Hence,
780             if the summary already refers to the CFA at all, we can't
781             go any further, and have to abandon summarisation. */
782          if (mentionsCFA(&state->cfi))
783             goto cant_summarise;
784          vg_assert(edata->data < 16);
785          Int reg_no = edata->data;
786          // Same comment as above, re the casting of |reg_no|, applies.
787          UChar* rX_howP = NULL;
788          Int*   rX_offP = NULL;
789          maybeFindExprForRegno(&rX_howP, &rX_offP, &state->cfi, reg_no);
790          if (rX_howP) {
791             vg_assert(rX_offP);
792             if (*rX_howP == CFIR_UNKNOWN) {
793                //curr_rules_.mR13expr = LExpr(LExpr::NODEREF, reg_no, 0);
794                Int expr_ix = gen_CfiExpr_CfiReg_ARM_GPR(state->di, reg_no);
795                if (expr_ix >= 0) {
796                   state->cfi.r13_how = CFIR_EXPR;
797                   state->cfi.r13_off = expr_ix;
798                } else {
799                   goto cant_summarise;
800                }
801             } else {
802                //curr_rules_.mR13expr = *reg_exprP;
803                state->cfi.r13_how = *rX_howP;
804                state->cfi.r13_off = *rX_offP;
805             }
806             //vsp = curr_rules_.mR13expr;
807             Bool ok = setCFAfromCFIR( &state->cfi, state->di->cfsi_exprs,
808                                       state->cfi.r13_how, state->cfi.r13_off );
809             if (!ok) goto cant_summarise;
810             state->vsp_off = 0;
811          } else {
812             vg_assert(!rX_offP);
813          }
814          break;
815       }
816       case ARM_EXIDX_CMD_VFP_POP: {
817          /* Don't recover VFP registers, but be sure to adjust the stack
818             pointer. */
819          UInt i;
820          for (i = ARM_EXBUF_START(edata->data);
821               i <= ARM_EXBUF_END(edata->data); i++) {
822             state->vsp_off += 8;
823          }
824          if (!(edata->data & ARM_EXIDX_VFP_FSTMD)) {
825             state->vsp_off += 4;
826          }
827          break;
828       }
829       case ARM_EXIDX_CMD_WREG_POP: {
830          UInt i;
831          for (i = ARM_EXBUF_START(edata->data);
832               i <= ARM_EXBUF_END(edata->data); i++) {
833             state->vsp_off += 8;
834          }
835          break;
836       }
837       case ARM_EXIDX_CMD_WCGR_POP: {
838          UInt i;
839          // Pop wCGR registers under mask {wCGR3,2,1,0}, hence "i < 4"
840          for (i = 0; i < 4; i++) {
841             if (edata->data & (1 << i)) {
842                state->vsp_off += 4;
843             }
844          }
845          break;
846       }
847       case ARM_EXIDX_CMD_REFUSED:
848       case ARM_EXIDX_CMD_RESERVED:
849          ret = -1;
850          break;
851    }
852    return ret;
853 
854  cant_summarise:
855    return -10;
856 }
857 
858 
859 /* Initialise the EXIDX summariser, by writing initial values in |state|. */
860 static
AddStackFrame(SummState * state,DebugInfo * di)861 void AddStackFrame ( /*OUT*/SummState* state,
862                      DebugInfo* di )
863 {
864    VG_(bzero_inline)(state, sizeof(*state));
865    state->vsp_off = 0;
866    state->di      = di;
867    /* Initialise the DiCfSI_m that we are building. */
868    state->cfi.cfa_how = CFIC_ARM_R13REL;
869    state->cfi.cfa_off = 0;
870    state->cfi.ra_how  = CFIR_UNKNOWN;
871    state->cfi.r14_how = CFIR_UNKNOWN;
872    state->cfi.r13_how = CFIR_UNKNOWN;
873    state->cfi.r12_how = CFIR_UNKNOWN;
874    state->cfi.r11_how = CFIR_UNKNOWN;
875    state->cfi.r7_how  = CFIR_UNKNOWN;
876 }
877 
878 static
SubmitStackFrame(DebugInfo * di,SummState * state,Addr avma,SizeT len)879 void SubmitStackFrame( /*MOD*/DebugInfo* di,
880                        SummState* state, Addr avma, SizeT len )
881 {
882    // JRS: I'm really not sure what this means, or if it is necessary
883    // return address always winds up in pc
884    //stack_frame_entry_->initial_rules[ustr__ZDra()] // ".ra"
885    //  = stack_frame_entry_->initial_rules[ustr__pc()];
886    // maybe don't need to do anything here?
887 
888    // the final value of vsp is the new value of sp.
889    switch (state->cfi.cfa_how) {
890       case CFIC_ARM_R13REL: case CFIC_ARM_R12REL:
891       case CFIC_ARM_R11REL: case CFIC_ARM_R7REL: break;
892       default: vg_assert(0);
893    }
894    state->cfi.r13_how = CFIR_CFAREL;
895    state->cfi.r13_off = state->vsp_off;
896 
897    // Finally, add the completed RuleSet to the SecMap
898    if (len > 0) {
899 
900       // Futz with the rules for r4 .. r11 in the same way as happens
901       // with the CFI summariser:
902       /* Mark callee-saved registers (r4 .. r11) as unchanged, if there is
903        no other information about them.  FIXME: do this just once, at
904        the point where the ruleset is committed. */
905       if (state->cfi.r7_how == CFIR_UNKNOWN) {
906          state->cfi.r7_how = CFIR_SAME;
907          state->cfi.r7_off = 0;
908       }
909       if (state->cfi.r11_how == CFIR_UNKNOWN) {
910          state->cfi.r11_how = CFIR_SAME;
911          state->cfi.r11_off = 0;
912       }
913       if (state->cfi.r12_how == CFIR_UNKNOWN) {
914          state->cfi.r12_how = CFIR_SAME;
915          state->cfi.r12_off = 0;
916       }
917       if (state->cfi.r14_how == CFIR_UNKNOWN) {
918          state->cfi.r14_how = CFIR_SAME;
919          state->cfi.r14_off = 0;
920       }
921 
922       // And add them
923       ML_(addDiCfSI)(di, avma, len, &state->cfi);
924       if (di->trace_cfi)
925          ML_(ppDiCfSI)(di->cfsi_exprs, avma, len, &state->cfi);
926    }
927 }
928 
929 
930 /*------------------------------------------------------------*/
931 /*--- Top level                                            ---*/
932 /*------------------------------------------------------------*/
933 
ML_(read_exidx)934 void ML_(read_exidx) ( /*MOD*/DebugInfo* di,
935                        UChar*   exidx_img, SizeT exidx_size,
936                        UChar*   extab_img, SizeT extab_size,
937                        Addr     text_last_svma,
938                        PtrdiffT text_bias )
939 {
940    if (di->trace_cfi)
941       VG_(printf)("BEGIN ML_(read_exidx) exidx_img=[%p, +%lu) "
942                   "extab_img=[%p, +%lu) text_last_svma=%lx text_bias=%lx\n",
943                   exidx_img, exidx_size, extab_img, extab_size,
944                   text_last_svma, (UWord)text_bias);
945    Bool ok;
946    MemoryRange mr_exidx, mr_extab;
947    ok =       MemoryRange__init(&mr_exidx, exidx_img, exidx_size);
948    ok = ok && MemoryRange__init(&mr_extab, extab_img, extab_size);
949    if (!ok) {
950       complain(".exidx or .extab image area wraparound");
951       return;
952    }
953 
954    const ExidxEntry* start_img = (const ExidxEntry*)exidx_img;
955    const ExidxEntry* end_img   = (const ExidxEntry*)(exidx_img + exidx_size);
956 
957    if (VG_(clo_verbosity) > 1)
958       VG_(message)(Vg_DebugMsg, "  Reading EXIDX entries: %lu available\n",
959                    exidx_size / sizeof(ExidxEntry) );
960 
961    // Iterate over each of the EXIDX entries (pairs of 32-bit words).
962    // These occupy the entire .exidx section.
963    UWord n_attempted = 0, n_successful = 0;
964 
965    const ExidxEntry* entry_img;
966    for (entry_img = start_img; entry_img < end_img; ++entry_img) {
967 
968       n_attempted++;
969       // Figure out the code address range that this table entry_img is
970       // associated with.
971       Addr avma = (Addr)Prel31ToAddr(&entry_img->addr);
972       if (di->trace_cfi)
973          VG_(printf)("XXX1 entry: entry->addr 0x%x, avma 0x%lx\n",
974                      entry_img->addr, avma);
975 
976       Addr next_avma;
977       if (entry_img < end_img - 1) {
978          next_avma = (Addr)Prel31ToAddr(&(entry_img+1)->addr);
979       } else {
980          // This is the last EXIDX entry in the sequence, so we don't
981          // have an address for the start of the next function, to limit
982          // this one.  Instead use the address of the last byte of the
983          // text section associated with this .exidx section, that we
984          // have been given.  So as to avoid junking up the CFI unwind
985          // tables with absurdly large address ranges in the case where
986          // text_last_svma_ is wrong, only use the value if it is nonzero
987          // and within one page of |svma|.  Otherwise assume a length of 1.
988          //
989          // In some cases, gcc has been observed to finish the exidx
990          // section with an entry of length 1 marked CANT_UNWIND,
991          // presumably exactly for the purpose of giving a definite
992          // length for the last real entry, without having to look at
993          // text segment boundaries.
994          Addr text_last_avma = text_last_svma + text_bias;
995 
996          Bool plausible;
997          Addr maybe_next_avma = text_last_avma + 1;
998          if (maybe_next_avma > avma && maybe_next_avma - avma <= 4096) {
999             next_avma = maybe_next_avma;
1000             plausible = True;
1001          } else {
1002             next_avma = avma + 1;
1003             plausible = False;
1004          }
1005 
1006          if (!plausible && avma != text_last_avma + 1) {
1007             HChar buf[100];
1008             VG_(snprintf)(buf, sizeof(buf),
1009                           "Implausible EXIDX last entry size %lu"
1010                           "; using 1 instead.", text_last_avma - avma);
1011             buf[sizeof(buf)-1] = 0;
1012             complain(buf);
1013          }
1014       }
1015 
1016       // Extract the unwind info into |buf|.  This might fail for
1017       // various reasons.  It involves reading both the .exidx and
1018       // .extab sections.  All accesses to those sections are
1019       // bounds-checked.
1020       if (di->trace_cfi)
1021          VG_(printf)("XXX1 entry is for AVMA 0x%lx 0x%lx\n",
1022                      avma, next_avma-1);
1023       UChar buf[ARM_EXIDX_TABLE_LIMIT];
1024       SizeT buf_used = 0;
1025       ExExtractResult res
1026          = ExtabEntryExtract(&mr_exidx, &mr_extab,
1027                              entry_img, buf, sizeof(buf), &buf_used);
1028       if (res != ExSuccess) {
1029          // Couldn't extract the unwind info, for some reason.  Move on.
1030          switch (res) {
1031             case ExInBufOverflow:
1032                complain("ExtabEntryExtract: .exidx/.extab section overrun");
1033                break;
1034             case ExOutBufOverflow:
1035                complain("ExtabEntryExtract: bytecode buffer overflow");
1036                break;
1037             case ExCantUnwind:
1038                // Some functions are marked CantUnwind by the compiler.
1039                // Don't record these as attempted, since that's just
1040                // confusing, and failure to summarise them is not the fault
1041                // of this code.
1042                n_attempted--;
1043                if (0)
1044                   complain("ExtabEntryExtract: function is marked CANT_UNWIND");
1045                break;
1046             case ExCantRepresent:
1047                complain("ExtabEntryExtract: bytecode can't be represented");
1048                break;
1049             case ExInvalid:
1050                complain("ExtabEntryExtract: index table entry is invalid");
1051                break;
1052             default: {
1053                HChar mbuf[100];
1054                VG_(snprintf)(mbuf, sizeof(mbuf),
1055                              "ExtabEntryExtract: unknown error: %d", (Int)res);
1056                buf[sizeof(mbuf)-1] = 0;
1057                complain(mbuf);
1058                break;
1059             }
1060          }
1061          continue;
1062       }
1063 
1064       // Finally, work through the unwind instructions in |buf| and
1065       // create CFI entries that Valgrind can use.  This can also fail.
1066       // First, initialise the summariser's running state, into which
1067       // ExtabEntryDecode will write the CFI entries.
1068 
1069       SummState state;
1070       AddStackFrame( &state, di );
1071       Int ret = ExtabEntryDecode( &state, buf, buf_used );
1072       if (ret < 0) {
1073          /* Failed summarisation.  Ignore and move on. */
1074          HChar mbuf[100];
1075          VG_(snprintf)(mbuf, sizeof(mbuf),
1076                        "ExtabEntryDecode: failed with error code: %d", ret);
1077          mbuf[sizeof(mbuf)-1] = 0;
1078          complain(mbuf);
1079       } else {
1080          /* Successful summarisation.  Add it to the collection. */
1081          SubmitStackFrame( di, &state, avma, next_avma - avma );
1082          n_successful++;
1083       }
1084 
1085    } /* iterating over .exidx */
1086 
1087    if (VG_(clo_verbosity) > 1)
1088       VG_(message)(Vg_DebugMsg,
1089                    "  Reading EXIDX entries: %lu attempted, %lu successful\n",
1090                    n_attempted, n_successful);
1091 }
1092 
1093 #endif /* defined(VGA_arm) */
1094 
1095 /*--------------------------------------------------------------------*/
1096 /*--- end                                              readexidx.c ---*/
1097 /*--------------------------------------------------------------------*/
1098