xlcore.c

二进制翻译的一个软件

/*
 * Copyright (c) 2005, Johns Hopkins University and The EROS Group, LLC.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  * Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *  * Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials provided
 *    with the distribution.
 *
 *  * Neither the name of the Johns Hopkins University, nor the name
 *    of The EROS Group, LLC, nor the names of their contributors may
 *    be used to endorse or promote products derived from this
 *    software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <stdbool.h>
#include <stdio.h>
#include <signal.h>
#include <asm/sigcontext.h>
#include <sys/mman.h>
#include "switches.h"
#include "debug.h"
#include "util.h"
#include "machine.h"
#include "decode.h"
#include "emit.h"
#include "xlcore.h"
#include "perf.h"
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/user.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>

#ifdef INLINE_EMITTERS
#define INLINE static inline
#else
#define INLINE static
#endif

#ifdef INLINE_EMITTERS
#include "emit-inline.c"

/* emit_normal() repeated here for inlining purposes */
/* WARNING: Changes should be done in emit.c as well */
inline static bool 
inline_emit_normal(machine_t *M, decode_t *d)
{
  unsigned i;
  unsigned count = M->next_eip - d->decode_eip;
#ifdef PROFILE
  M->ptState->s_normal_cnt++;
  bb_emit_inc(M, MFLD(M, ptState->normal_cnt));
#endif

  DEBUG(emits)
    fprintf(DBG, "%lu: Normal %lx %s!\n", M->nTrInstr, d->decode_eip, ((OpCode *)d->pEntry)->disasm);

#ifdef STATIC_PASS
  memcpy(M->bbOut, (unsigned char *)d->mem_decode_eip, count);
#else
  memcpy(M->bbOut, (unsigned char *)d->decode_eip, count);
#endif
  M->bbOut += count;

  return false;
}
#endif /* INLINE_EMITTERS */

#ifdef USE_SIEVE
#ifdef SEPARATE_SIEVES 
#include "chtable.c"
#endif
#endif


ENTRY_POINT bb_entry * 
lookup_bb_eip(machine_t *M, unsigned long src_eip)
{
#ifdef USE_DIFF_HASH									
  bb_entry *curr =  M->lookup_table[((src_eip-M->guest_start_eip) & (LOOKUP_TABLE_SIZE - 1))];
#else
  bb_entry *curr =  M->lookup_table[(src_eip & (LOOKUP_TABLE_SIZE - 1))];
#endif

  while ((curr != NULL) && (curr->src_bb_eip != src_eip))
    curr = curr->next;

  DEBUG(lookup) {
    if(curr == NULL)
      fprintf(DBG, "\nLooking up %lx Failed\n", src_eip);
    else 
      fprintf(DBG, "\nLooking up %lx Success\n", src_eip);
  }
  return curr;
}

#include "xlate-helper.c"


#ifdef USE_SIEVE
INLINE void
bb_setup_hash_table(machine_t *M)
{
  int i;
  for (i=0 ; i<NBUCKETS ; i++)  {
    bb_emit_jump(M, M->slow_dispatch_bb);
    M->bbOut += 3;
  }
}
#endif /* USE_SIEVE */ 


void 
xlate_for_sieve (machine_t *M)
{
  bb_entry *entry_node;
  bucket_entry *bucket;	/* Hash bucket onto which this basic-block 
			   will chain onto (at the head)   	*/
  unsigned char *next_instr; /* Sequentially next instr of the above - 
				used just to compute relative jump destination	*/
  unsigned long node; /* A node of the hash chain */

  M->comming_from_call_indirect = false;

  entry_node = xlate_bb(M);

#ifdef USE_SIEVE
  /*   bucket =  */
  /*     (bucket_entry *)(M->hash_table + (((unsigned long)entry_node->src_bb_eip) & SIEVE_HASH_MASK)); */

  bucket = (bucket_entry *) SIEVE_HASH_BUCKET(M->hash_table, ((unsigned long)entry_node->src_bb_eip));
  //  fprintf(DBG, "Hash bucket start at %lx, this = %lx\n", M->hash_table, bucket);

  /*** Sensitive to the size of Jump Instruction in Bucket ***/
  next_instr = ((unsigned char *)bucket) + 5  ;

  node = (unsigned long) (next_instr + bucket->rel);
  bucket->rel = M->bbOut - next_instr;

  /*   fprintf(DBG, "Bucket #%ld seip = %lx teip = %lx at %lx\n",  */
  /* 	 ((unsigned char*)bucket - (M->hash_table))/sizeof(bucket_entry), */
  /* 	 entry_node->src_bb_eip, */
  /* 	 entry_node->trans_bb_eip, */
  /* 	 M->bbOut); */
  /*   fflush(DBG); */
  
#ifdef SIEVE_WITHOUT_PPF
  /* mov 0x4(%esp),%ecx */
  bb_emit_byte(M, 0x8bu); // 8b /r
  bb_emit_byte(M, 0x4cu); // 01 001 100
  bb_emit_byte(M, 0x24u); // 00 100 100
  bb_emit_byte(M, 0x4u);

  /* lea -entry->src_bb_eip(%ecx),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x89u); // 10 001 001 
  bb_emit_w32(M, (-((long)(entry_node->src_bb_eip))));

  /* jecxz equal */
  bb_emit_byte(M, 0xe3u);
  bb_emit_byte(M, 0x05u);

  /* jmp $next_bucket */
  bb_emit_jump(M, (unsigned char *)node);

  /* equal: pop %ecx */
  bb_emit_byte(M, 0x59u);

  /* leal 4(%esp) %esp */
  bb_emit_byte(M, 0x8du); // 8d /r
  bb_emit_byte(M, 0x64u); // 01 100 100
  bb_emit_byte(M, 0x24u); // 00 100 100
  bb_emit_byte(M, 0x4u);

  /* jmp $translated_block */
  bb_emit_jump (M, (unsigned char *)entry_node->trans_bb_eip);
#else

  /* cmpl $entry->src_bb_eip, (%esp) */
  bb_emit_byte(M, 0x81u); // 81 /7
  bb_emit_byte(M, 0x7cu); // 01 111 100
  bb_emit_byte(M, 0x24u); // 00 100 100
  bb_emit_byte(M, 0x4u);
  bb_emit_w32(M, entry_node->src_bb_eip);

  /* jne $(next_bb) */
  bb_emit_byte (M, 0x0Fu);
  bb_emit_byte (M, 0x85u);
  bb_emit_w32 (M, node - ((unsigned long)M->bbOut + 4));

  /* popf */
  bb_emit_byte (M, 0x9Du);

  /* leal 4(%esp) %esp */
  bb_emit_byte(M, 0x8du); // 8d /r
  bb_emit_byte(M, 0x64u); // 01 100 100
  bb_emit_byte(M, 0x24u); // 00 100 100
  bb_emit_byte(M, 0x4u);

  /* jmp $translated_block */
  bb_emit_jump (M, (unsigned char *)entry_node->trans_bb_eip);
#endif /* SIEVE_WITHOUT_PPF */
 
  M->jmp_target = (unsigned char *)entry_node->trans_bb_eip;
#ifdef PROFILE
  M->ptState->hash_nodes_cnt++;
#endif
#endif /* USE_SIEVE */
}


#define BORDER_START  do {				\
    /* mov $200, M->border_esp */			\
    bb_emit_byte(M, 0xc7u); /* c7 /0 */			\
    bb_emit_byte(M, 0x05u);    /* 00 000 101 */		\
    bb_emit_w32(M, (unsigned long) &M->border_esp);	\
    bb_emit_w32(M, 0x200u);				\
  } while(0)

#define BORDER_END do {					\
    /* mov $0, M->border_esp */				\
    bb_emit_byte(M, 0xc7u); /* c7 /0 */			\
    bb_emit_byte(M, 0x05u);    /* 00 000 101 */		\
    bb_emit_w32(M, (unsigned long) &M->border_esp);	\
    bb_emit_w32(M, 0x0u);				\
  } while(0)


INLINE void 
bb_setup_post_xlate(machine_t *M) // [len = 30b]
{
  /* mov 36(esp) %eax */			       
  bb_emit_byte(M, 0x8bu);  // 8b /r
  bb_emit_byte(M, 0x44u);  // 01 000 100 
  bb_emit_byte(M, 0x24u);
  bb_emit_byte(M, 36u);
  
  /* mov %eax, (esp) */
  bb_emit_byte(M, 0x89u);  // 89 /r
  bb_emit_byte(M, 0x04u);  // 00 000 100 
  bb_emit_byte(M, 0x24u);
  
  /* mov M->jmp_target, %eax */
  bb_emit_byte(M, 0x8bu); // 8b /r
  bb_emit_byte(M, 0x05u); // 00 000 101
  bb_emit_w32(M, MFLD(M, jmp_target)); 

  /* mov %eax 36(%esp) */
  bb_emit_byte(M, 0x89u);  // 89 /r
  bb_emit_byte(M, 0x44u);  // 01 000 100 
  bb_emit_byte(M, 0x24u);
  bb_emit_byte(M, 36u);
  
  BORDER_END;

  /* 2f: popf */
  bb_emit_byte(M, 0x9du);		
  
  /* popa */
  bb_emit_byte(M, 0x61u);		
  
  /* ret */
  bb_emit_byte(M, 0xc3u);  
}

INLINE void 
bb_setup_startup_slow_dispatch_bb(machine_t *M)
{
  /* Emit the special BB that first translates the destination basic-block 
     and then transfers control into the basic block. */
  
  BORDER_START;
  
  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);	
  bb_emit_w32(M, (unsigned long)M);     

  /* Call xlate_for_sieve */
  bb_emit_call(M, (unsigned char*)&xlate_for_sieve);

  bb_setup_post_xlate(M);
}


#ifdef USE_SIEVE
#ifdef SIEVE_WITHOUT_PPF

INLINE void 
bb_setup_slow_dispatch_bb(machine_t *M)
{
  /* Emit the special BB that first translates the destination basic-block 
     Found and then transfers control into the basic block. */

  /*  fast_dispatch_bb who is my caller, would have done a Push %ecx */
  /* Pop %ecx */
  bb_emit_byte(M, 0x59u);

  /* pop M->fixregs.eip */
  bb_emit_byte(M, 0x8Fu); // 8F /0
  bb_emit_byte(M, 0x05u); // 00 000 101
  bb_emit_w32(M, MREG(M, eip));

  /* PUSHF */
  bb_emit_byte(M, 0x9cu);		
  /* PUSHA */
  bb_emit_byte(M, 0x60u);		

  BORDER_START;

  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);	
  bb_emit_w32(M, (unsigned long)M);     

  /* Call xlate_for_sieve */
  bb_emit_call(M, (unsigned char*)&xlate_for_sieve);

  bb_setup_post_xlate(M);
}

#else

INLINE void 
bb_setup_slow_dispatch_bb(machine_t *M)
{
  /* Emit the special BB that first translates the destination basic-block 
     Found and then transfers control into the basic block. */

  /* pop M->eflags */
  bb_emit_byte(M, 0x8Fu); // 8F /0
  bb_emit_byte(M, 0x05u); // 00 000 101
  bb_emit_w32(M, MFLD(M, eflags));

  /* pop M->fixregs.eip */
  bb_emit_byte(M, 0x8Fu); // 8F /0
  bb_emit_byte(M, 0x05u); // 00 000 101
  bb_emit_w32(M, MREG(M, eip));

  // Better than popf and then pushf and use of intermediate register?
  /* push M->eflags */
  bb_emit_byte(M, 0xFFu); // FF /6
  bb_emit_byte(M, 0x35u); // 00 110 101
  bb_emit_w32(M, MFLD(M, eflags));

  bb_emit_byte(M, 0x60u);		/* PUSHA */

  BORDER_START;

  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);	
  bb_emit_w32(M, (unsigned long)M);     
 
  /* Call xlate_for_sieve */
  bb_emit_call(M, (unsigned char *)&xlate_for_sieve);

  bb_setup_post_xlate(M);
}
#endif /* SIEVE_WITHOUT_PPF */
#else /* USE_SIEVE */
INLINE void 
bb_setup_slow_dispatch_bb(machine_t *M)
{
  /* Emit the special BB that first translates the destination basic-block 
     Found and then transfers control into the basic block. */

  /* pop M->fixregs.eip */
  bb_emit_byte(M, 0x8Fu); // 8F /0
  bb_emit_byte(M, 0x05u); // 00 000 101
  bb_emit_w32(M, MREG(M, eip));

  bb_emit_byte(M, 0x9cu);	        /* PUSHF */
  bb_emit_byte(M, 0x60u);		/* PUSHA */

  BORDER_START;

  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);	
  bb_emit_w32(M, (unsigned long)M);     
 
  /* Call xlate_for_sieve */
  bb_emit_call(M, M->xlate_for_sieve);

  bb_setup_post_xlate(M);
}
#endif /* USE_SIEVE */

void
xlate_for_patch_block(machine_t *M) 
{
  // Setup the EIP
  M->fixregs.eip = *((unsigned long *)(M->backpatch_block));  

  // Note the Patch point
  M->patch_point = (unsigned char *)(*((unsigned long *)
				       ((M->backpatch_block) + 4)));
  M->comming_from_call_indirect = false;

  //Translate the target
  xlate_bb(M);

  // Patch at patch_point
  *((unsigned long *)(M->patch_point)) = (M->jmp_target - 
					  (M->patch_point + 4));    
}

INLINE void
bb_setup_backpatch_and_dispatch_bb (machine_t *M)
{
  //bb_emit_byte(M, 0x65u); /* GS Segment Override Prefix - for accessing the M structure */
  bb_emit_byte(M, 0x8Fu); /* POP M->backpatch_block */
  bb_emit_byte(M, 0x05u); /* 00 000 101 */
  bb_emit_w32(M, MFLD(M, backpatch_block));

  bb_emit_byte(M, 0x9cu);		/* PUSHF */
  bb_emit_byte(M, 0x60u);		/* PUSHA */

  BORDER_START;

  bb_emit_byte(M, 0x68u);		// PUSH imm32:M
  bb_emit_w32(M, (unsigned long)M);
  bb_emit_call(M, (unsigned char *)xlate_for_patch_block);

  bb_setup_post_xlate(M);  
}

#ifdef USE_SIEVE
INLINE void
bb_setup_call_calls_fast_dispatch_bb(machine_t *M)
{
  /* Emit the special BB that transfers control from
     one basic-block to another within the basic block cache. */

#ifdef PROFILE_RET_MISS
  bb_emit_inc(M, MFLD(M, ptState->ret_miss_cnt));
#endif

  /* mov 0x4(%esp),%ecx */
  bb_emit_byte(M, 0x8bu); // 8b /r
  bb_emit_byte(M, 0x4cu); // 01 001 100
  bb_emit_byte(M, 0x24u); // 00 100 100
  bb_emit_byte(M, 0x4u);

#ifndef SMALL_HASH
  /* lea 0x0(,%ecx,2),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x0Cu); // 00 001 100
  bb_emit_byte(M, 0x4du); // 01 001 101
  bb_emit_w32(M, 0x0u);   // This 0 word is needed. 
                          // There is no other addressing mode.

  /* movzwl %cx,%ecx */
  bb_emit_byte(M, 0x0Fu); // 0F B7 /R
  bb_emit_byte(M, 0xB7u);
  bb_emit_byte(M, 0xC9u); // 11 001 001

  /* lea M->hash_table(,%ecx,4),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x0Cu); // 00 001 100
  bb_emit_byte(M, 0x8du); // 10 001 101
  bb_emit_w32(M, (unsigned long)M->hash_table);

#else
  /* lea 0x0(,%ecx,4),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x0Cu); // 00 001 100
  bb_emit_byte(M, 0x8du); // 10 001 101
  bb_emit_w32(M, 0x0u);   // This 0 word is needed. 
                          // There is no other addressing mode.

  /* movzwl %cx,%ecx */
  bb_emit_byte(M, 0x0Fu); // 0F B7 /R
  bb_emit_byte(M, 0xB7u);
  bb_emit_byte(M, 0xC9u); // 11 001 001

  /* lea M->hash_table(,%ecx,2),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x0Cu); // 00 001 100
  bb_emit_byte(M, 0x4du); // 01 001 101
  bb_emit_w32(M, (unsigned long)M->hash_table);
#endif


  //50:	ff e1                	jmp    *%ecx
  bb_emit_byte(M, 0xffu);
  bb_emit_byte(M, 0xe1u);
  /*   /\* jmp *M->hash_table(,%ecx,4) *\/ */
  /*   bb_emit_byte(M, 0xFFu); // FF /4 */
  /*   bb_emit_byte(M, 0x24u); // 00 100 100 */
  /*   bb_emit_byte(M, 0x8Du); // 10 001 101 */
  /*   bb_emit_w32(M, (unsigned long) M->hash_table); */
}

INLINE void
bb_setup_ret_calls_fast_dispatch_bb(machine_t *M)
{
  /* Emit the special BB that transfers control from
     one basic-block to another within the basic block cache. */

#ifdef PROFILE_RET_MISS
  bb_emit_inc(M, MFLD(M, ptState->ret_ret_miss_cnt));
#endif

  /* push %ecx */
  bb_emit_byte(M, 0x51u);

  /* mov 0x4(%esp),%ecx */
  bb_emit_byte(M, 0x8bu); // 8b /r
  bb_emit_byte(M, 0x4cu); // 01 001 100
  bb_emit_byte(M, 0x24u); // 00 100 100
  bb_emit_byte(M, 0x4u);

#ifndef SMALL_HASH
  /* lea 0x0(,%ecx,2),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x0Cu); // 00 001 100
  bb_emit_byte(M, 0x4du); // 01 001 101
  bb_emit_w32(M, 0x0u);   // This 0 word is needed. 
                          // There is no other addressing mode.

  /* movzwl %cx,%ecx */
  bb_emit_byte(M, 0x0Fu); // 0F B7 /R
  bb_emit_byte(M, 0xB7u);
  bb_emit_byte(M, 0xC9u); // 11 001 001

  /* lea M->hash_table(,%ecx,4),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x0Cu); // 00 001 100
  bb_emit_byte(M, 0x8du); // 10 001 101
  bb_emit_w32(M, (unsigned long)M->hash_table);

#else
  /* lea 0x0(,%ecx,4),%ecx */
  bb_emit_byte(M, 0x8Du); // 8D /r
  bb_emit_byte(M, 0x0Cu); // 00 001 100
  bb_emit_byte(M, 0x8du); // 10 001 101
  bb_emit_w32(M, 0x0u);   // This 0 word is needed. 
                          // There is no other addressing mode.