/* * Copyright (c) 2005, Johns Hopkins University and The EROS Group, LLC. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * * Neither the name of the Johns Hopkins University, nor the name * of The EROS Group, LLC, nor the names of their contributors may * be used to endorse or promote products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

/*
 * xlcore.c - core of the IA-32 dynamic translator's dispatch machinery.
 *
 * This file looks up already-translated basic blocks (lookup_bb_eip), drives
 * translation of a not-yet-seen block when emitted code calls back into C
 * (xlate_for_sieve / xlate_for_patch_block), and emits the small hand-encoded
 * x86 stubs that live in the code cache and glue translated blocks together:
 * the slow-dispatch stubs, the backpatch stub and the sieve fast-dispatch
 * stubs that hash a guest eip into a bucket of jumps.
 *
 * All emitted machine code is built byte by byte with bb_emit_byte /
 * bb_emit_w32 / bb_emit_jump / bb_emit_call (presumably declared in emit.h);
 * the "// 8b /r" style comments give the opcode and ModRM/SIB fields of each
 * byte.  Several stubs share an assumed stack layout and an 8-byte sieve
 * bucket size; see the notes on bb_setup_hash_table() and
 * bb_setup_post_xlate() before changing any of them.
 */
#include <stdbool.h>
#include <stdio.h>
#include <signal.h>
#include <asm/sigcontext.h>
#include <sys/mman.h>
#include "switches.h"
#include "debug.h"
#include "util.h"
#include "machine.h"
#include "decode.h"
#include "emit.h"
#include "xlcore.h"
#include "perf.h"
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/user.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>

/* With INLINE_EMITTERS the emitter helpers are textually included below and
   every stub-emitting function in this file becomes static inline. */
#ifdef INLINE_EMITTERS
#define INLINE static inline
#else
#define INLINE static
#endif

#ifdef INLINE_EMITTERS
#include "emit-inline.c"

/*
 * Copy the guest instruction described by d (bytes decode_eip .. next_eip)
 * unchanged into the code cache at M->bbOut and advance bbOut past it.
 * Under STATIC_PASS the instruction bytes are read from d->mem_decode_eip
 * instead of d->decode_eip.  Always returns false.
 *
 * emit_normal() repeated here for inlining purposes.
 * WARNING: Changes should be done in emit.c as well.
 *
 * NOTE(review): nothing here checks that M->bbOut + count stays inside the
 * code cache; if bb_emit_*() enforce a limit, this raw memcpy bypasses it.
 * The local `i` is unused.
 */
inline static bool
inline_emit_normal(machine_t *M, decode_t *d)
{
  unsigned i;
  unsigned count = M->next_eip - d->decode_eip;
#ifdef PROFILE
  M->ptState->s_normal_cnt++;
  bb_emit_inc(M, MFLD(M, ptState->normal_cnt));
#endif
  DEBUG(emits)
    fprintf(DBG, "%lu: Normal %lx %s!\n", M->nTrInstr, d->decode_eip, ((OpCode *)d->pEntry)->disasm);
#ifdef STATIC_PASS
  memcpy(M->bbOut, (unsigned char *)d->mem_decode_eip, count);
#else
  memcpy(M->bbOut, (unsigned char *)d->decode_eip, count);
#endif
  M->bbOut += count;
  return false;
}
#endif /* INLINE_EMITTERS */

#ifdef USE_SIEVE
#ifdef SEPARATE_SIEVES
#include "chtable.c"
#endif
#endif

/*
 * Find the translated block for guest address src_eip.
 *
 * M->lookup_table is an array of bb_entry chains indexed by the low bits of
 * src_eip (or of src_eip - M->guest_start_eip under USE_DIFF_HASH); the
 * chain is walked until a node whose src_bb_eip matches is found.
 * LOOKUP_TABLE_SIZE must be a power of two for the "& (SIZE - 1)" mask to
 * be a valid index.
 *
 * Returns the matching bb_entry, or NULL if src_eip has not been translated.
 */
ENTRY_POINT bb_entry *
lookup_bb_eip(machine_t *M, unsigned long src_eip)
{
#ifdef USE_DIFF_HASH
  bb_entry *curr = M->lookup_table[((src_eip-M->guest_start_eip) & (LOOKUP_TABLE_SIZE - 1))];
#else
  bb_entry *curr = M->lookup_table[(src_eip & (LOOKUP_TABLE_SIZE - 1))];
#endif
  while ((curr != NULL) && (curr->src_bb_eip != src_eip))
    curr = curr->next;
  DEBUG(lookup) {
    if(curr == NULL)
      fprintf(DBG, "\nLooking up %lx Failed\n", src_eip);
    else
      fprintf(DBG, "\nLooking up %lx Success\n", src_eip);
  }
  return curr;
}

#include "xlate-helper.c"

#ifdef USE_SIEVE
/*
 * Emit the initial sieve hash table: NBUCKETS buckets, each a jump to
 * M->slow_dispatch_bb followed by 3 bytes that are skipped.
 *
 * The "+ 3" pads each bucket to 8 bytes on the assumption that bb_emit_jump()
 * emits a 5-byte jump.  xlate_for_sieve() ("bucket + 5") and the fast
 * dispatch stubs (whose bucket offsets are multiples of 8) rely on the same
 * layout, so all three must be changed together.
 */
INLINE void
bb_setup_hash_table(machine_t *M)
{
  int i;
  for (i=0 ; i<NBUCKETS ; i++) {
    bb_emit_jump(M, M->slow_dispatch_bb);
    M->bbOut += 3;
  }
}
#endif /* USE_SIEVE */

/*
 * Slow path of the sieve dispatcher: translate the block the emitted
 * slow-dispatch stub asked for (presumably the eip it popped into
 * M->fixregs.eip), then link the new translation into the sieve.
 *
 * Called from the emitted stubs below with M as the sole (cdecl) argument.
 * xlate_bb() returns the bb_entry for the translation.  Under USE_SIEVE a
 * new sieve node is then emitted at M->bbOut and spliced in at the head of
 * the hash chain for entry_node->src_bb_eip:
 *   - the bucket's jump currently points at the old chain head ("node");
 *   - its displacement is rewritten to point at the node being emitted;
 *   - the new node compares the guest target eip on the stack with
 *     src_bb_eip, jumps on to "node" on mismatch, and otherwise restores the
 *     stack and jumps to the translated block.
 * Finally M->jmp_target is set so that bb_setup_post_xlate()'s stub can
 * "ret" straight into the translated block.
 *
 * Stack layout the emitted node expects when it runs:
 *   SIEVE_WITHOUT_PPF: 0(%esp) = saved %ecx,     4(%esp) = guest target eip
 *   otherwise:         0(%esp) = pushf'd EFLAGS, 4(%esp) = guest target eip
 * which mirrors what the two bb_setup_slow_dispatch_bb() variants pop.
 *
 * Without USE_SIEVE only the translation happens; bucket, next_instr and
 * node are then unused.
 */
void
xlate_for_sieve (machine_t *M)
{
  bb_entry *entry_node;
  bucket_entry *bucket;     /* Hash bucket onto which this basic-block will chain onto (at the head) */
  unsigned char *next_instr; /* Sequentially next instr of the above - used just to compute relative jump destination */
  unsigned long node;       /* Address of the current head of the hash chain */

  M->comming_from_call_indirect = false;
  entry_node = xlate_bb(M);

#ifdef USE_SIEVE
  bucket = (bucket_entry *) SIEVE_HASH_BUCKET(M->hash_table, ((unsigned long)entry_node->src_bb_eip));

  /*** Sensitive to the size of Jump Instruction in Bucket ***/
  /* bucket->rel is the displacement of the bucket's 5-byte jump, relative to
     the instruction after it; redirect it to the node emitted below. */
  next_instr = ((unsigned char *)bucket) + 5 ;
  node = (unsigned long) (next_instr + bucket->rel);
  bucket->rel = M->bbOut - next_instr;

#ifdef SIEVE_WITHOUT_PPF
  /* lea/jecxz are used instead of cmp/jne so that the guest's EFLAGS need
     not be saved around the comparison (hence "without push/pop flags"). */
  /* mov 0x4(%esp),%ecx */
  bb_emit_byte(M, 0x8bu);  // 8b /r
  bb_emit_byte(M, 0x4cu);  // 01 001 100
  bb_emit_byte(M, 0x24u);  // 00 100 100
  bb_emit_byte(M, 0x4u);
  /* lea -entry->src_bb_eip(%ecx),%ecx   ; ecx = target - src_bb_eip */
  bb_emit_byte(M, 0x8Du);  // 8D /r
  bb_emit_byte(M, 0x89u);  // 10 001 001
  bb_emit_w32(M, (-((long)(entry_node->src_bb_eip))));
  /* jecxz equal   ; rel8 = 5 skips the 5-byte jmp below - keep in sync with bb_emit_jump() */
  bb_emit_byte(M, 0xe3u);
  bb_emit_byte(M, 0x05u);
  /* jmp $next_bucket   ; on to the previous chain head */
  bb_emit_jump(M, (unsigned char *)node);
  /* equal: pop %ecx */
  bb_emit_byte(M, 0x59u);
  /* leal 4(%esp) %esp   ; drop the guest target eip */
  bb_emit_byte(M, 0x8du);  // 8d /r
  bb_emit_byte(M, 0x64u);  // 01 100 100
  bb_emit_byte(M, 0x24u);  // 00 100 100
  bb_emit_byte(M, 0x4u);
  /* jmp $translated_block */
  bb_emit_jump (M, (unsigned char *)entry_node->trans_bb_eip);
#else
  /* cmpl $entry->src_bb_eip, 0x4(%esp)   ; NB: disp8 4, not (%esp) - the
     target eip sits above the pushf'd EFLAGS */
  bb_emit_byte(M, 0x81u);  // 81 /7
  bb_emit_byte(M, 0x7cu);  // 01 111 100
  bb_emit_byte(M, 0x24u);  // 00 100 100
  bb_emit_byte(M, 0x4u);
  bb_emit_w32(M, entry_node->src_bb_eip);
  /* jne $(next_bb)   ; rel32 is relative to the end of the 4-byte field */
  bb_emit_byte (M, 0x0Fu);
  bb_emit_byte (M, 0x85u);
  bb_emit_w32 (M, node - ((unsigned long)M->bbOut + 4));
  /* popf */
  bb_emit_byte (M, 0x9Du);
  /* leal 4(%esp) %esp   ; drop the guest target eip */
  bb_emit_byte(M, 0x8du);  // 8d /r
  bb_emit_byte(M, 0x64u);  // 01 100 100
  bb_emit_byte(M, 0x24u);  // 00 100 100
  bb_emit_byte(M, 0x4u);
  /* jmp $translated_block */
  bb_emit_jump (M, (unsigned char *)entry_node->trans_bb_eip);
#endif /* SIEVE_WITHOUT_PPF */

  M->jmp_target = (unsigned char *)entry_node->trans_bb_eip;
#ifdef PROFILE
  M->ptState->hash_nodes_cnt++;
#endif
#endif /* USE_SIEVE */
}

/*
 * BORDER_START / BORDER_END emit "movl $imm32, M->border_esp" (c7 /0 with a
 * disp32 memory operand).  M->border_esp is set to 0x200 just before a stub
 * calls into the C translator and cleared again by bb_setup_post_xlate()
 * right before control returns to translated code.  Its consumer is not in
 * this file (presumably a signal handler or debug check - confirm).
 */
#define BORDER_START do { \
    /* movl $0x200, M->border_esp */ \
    bb_emit_byte(M, 0xc7u); /* c7 /0 */ \
    bb_emit_byte(M, 0x05u); /* 00 000 101 */ \
    bb_emit_w32(M, (unsigned long) &M->border_esp); \
    bb_emit_w32(M, 0x200u); \
  } while(0)

#define BORDER_END do { \
    /* movl $0, M->border_esp */ \
    bb_emit_byte(M, 0xc7u); /* c7 /0 */ \
    bb_emit_byte(M, 0x05u); /* 00 000 101 */ \
    bb_emit_w32(M, (unsigned long) &M->border_esp); \
    bb_emit_w32(M, 0x0u); \
  } while(0)

/*
 * Emit the common tail of every stub that calls into the C translator
 * (30 bytes).  When this code runs, the stack is:
 *   0(%esp)   the M argument pushed for the C call (the caller cleans up,
 *             so it is still there after the call returns)
 *   4..35     the eight registers saved by PUSHA
 *   36(%esp)  EFLAGS saved by PUSHF (or "push M->eflags")
 * The emitted code moves the saved EFLAGS into the argument slot, stores
 * M->jmp_target (set by the C translator) where EFLAGS was, clears
 * border_esp, then popf / popa / ret.  The ret consumes the jmp_target word
 * and so transfers control to the freshly translated block with all guest
 * registers and flags restored.
 *
 * Every caller must therefore have laid the stack out exactly like this;
 * bb_setup_startup_slow_dispatch_bb() does not emit the PUSHF/PUSHA itself.
 */
INLINE void
bb_setup_post_xlate(machine_t *M) // [len = 30b]
{
  /* mov 36(esp) %eax   ; saved EFLAGS */
  bb_emit_byte(M, 0x8bu);  // 8b /r
  bb_emit_byte(M, 0x44u);  // 01 000 100
  bb_emit_byte(M, 0x24u);
  bb_emit_byte(M, 36u);
  /* mov %eax, (esp)   ; overwrite the M argument slot with EFLAGS */
  bb_emit_byte(M, 0x89u);  // 89 /r
  bb_emit_byte(M, 0x04u);  // 00 000 100
  bb_emit_byte(M, 0x24u);
  /* mov M->jmp_target, %eax */
  bb_emit_byte(M, 0x8bu);  // 8b /r
  bb_emit_byte(M, 0x05u);  // 00 000 101
  bb_emit_w32(M, MFLD(M, jmp_target));
  /* mov %eax 36(%esp)   ; becomes the "return address" for the ret below */
  bb_emit_byte(M, 0x89u);  // 89 /r
  bb_emit_byte(M, 0x44u);  // 01 000 100
  bb_emit_byte(M, 0x24u);
  bb_emit_byte(M, 36u);
  BORDER_END;
  /* 2f: popf */
  bb_emit_byte(M, 0x9du);
  /* popa */
  bb_emit_byte(M, 0x61u);
  /* ret   ; into the translated block */
  bb_emit_byte(M, 0xc3u);
}

/*
 * Emit the special BB used at startup: it translates the destination
 * basic-block and then transfers control into it.
 *
 * Unlike bb_setup_slow_dispatch_bb() this emits no POP/PUSHF/PUSHA, so
 * whoever jumps here must already have pushed EFLAGS and the eight GPRs in
 * the layout bb_setup_post_xlate() expects (not visible in this file).
 */
INLINE void
bb_setup_startup_slow_dispatch_bb(machine_t *M)
{
  BORDER_START;
  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);
  bb_emit_w32(M, (unsigned long)M);
  /* Call xlate_for_sieve */
  bb_emit_call(M, (unsigned char*)&xlate_for_sieve);
  bb_setup_post_xlate(M);
}

#ifdef USE_SIEVE
#ifdef SIEVE_WITHOUT_PPF
/*
 * Emit the special BB that first translates the destination basic-block and
 * then transfers control into it (sieve, no flag save variant).
 *
 * Entered with 0(%esp) = %ecx pushed by the fast-dispatch stub and
 * 4(%esp) = guest target eip.  Restores %ecx, pops the eip into
 * M->fixregs.eip, then saves EFLAGS and all GPRs and calls
 * xlate_for_sieve(M); the tail is bb_setup_post_xlate().
 */
INLINE void
bb_setup_slow_dispatch_bb(machine_t *M)
{
  /* fast_dispatch_bb who is my caller, would have done a Push %ecx */
  /* Pop %ecx */
  bb_emit_byte(M, 0x59u);
  /* pop M->fixregs.eip */
  bb_emit_byte(M, 0x8Fu);  // 8F /0
  bb_emit_byte(M, 0x05u);  // 00 000 101
  bb_emit_w32(M, MREG(M, eip));
  /* PUSHF */
  bb_emit_byte(M, 0x9cu);
  /* PUSHA */
  bb_emit_byte(M, 0x60u);
  BORDER_START;
  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);
  bb_emit_w32(M, (unsigned long)M);
  /* Call xlate_for_sieve */
  bb_emit_call(M, (unsigned char*)&xlate_for_sieve);
  bb_setup_post_xlate(M);
}
#else
/*
 * Emit the special BB that first translates the destination basic-block and
 * then transfers control into it (sieve, flags-on-stack variant).
 *
 * Entered with 0(%esp) = pushf'd EFLAGS and 4(%esp) = guest target eip.
 * Both are popped into M->eflags / M->fixregs.eip; EFLAGS is then pushed
 * back from M->eflags and the GPRs saved with PUSHA so that the stack
 * matches what bb_setup_post_xlate() expects.
 */
INLINE void
bb_setup_slow_dispatch_bb(machine_t *M)
{
  /* pop M->eflags */
  bb_emit_byte(M, 0x8Fu);  // 8F /0
  bb_emit_byte(M, 0x05u);  // 00 000 101
  bb_emit_w32(M, MFLD(M, eflags));
  /* pop M->fixregs.eip */
  bb_emit_byte(M, 0x8Fu);  // 8F /0
  bb_emit_byte(M, 0x05u);  // 00 000 101
  bb_emit_w32(M, MREG(M, eip));
  // Better than popf and then pushf and use of intermediate register?
  /* push M->eflags */
  bb_emit_byte(M, 0xFFu);  // FF /6
  bb_emit_byte(M, 0x35u);  // 00 110 101
  bb_emit_w32(M, MFLD(M, eflags));
  bb_emit_byte(M, 0x60u);  /* PUSHA */
  BORDER_START;
  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);
  bb_emit_w32(M, (unsigned long)M);
  /* Call xlate_for_sieve */
  bb_emit_call(M, (unsigned char *)&xlate_for_sieve);
  bb_setup_post_xlate(M);
}
#endif /* SIEVE_WITHOUT_PPF */
#else /* USE_SIEVE */
/*
 * Emit the special BB that first translates the destination basic-block and
 * then transfers control into it (non-sieve build).
 *
 * Entered with 0(%esp) = guest target eip, which is popped into
 * M->fixregs.eip before EFLAGS and the GPRs are saved.
 *
 * NOTE(review): unlike the two sieve variants this calls through a function
 * pointer stored in M (M->xlate_for_sieve) rather than &xlate_for_sieve;
 * confirm that field exists and is initialised for the non-sieve build.
 */
INLINE void
bb_setup_slow_dispatch_bb(machine_t *M)
{
  /* pop M->fixregs.eip */
  bb_emit_byte(M, 0x8Fu);  // 8F /0
  bb_emit_byte(M, 0x05u);  // 00 000 101
  bb_emit_w32(M, MREG(M, eip));
  bb_emit_byte(M, 0x9cu);  /* PUSHF */
  bb_emit_byte(M, 0x60u);  /* PUSHA */
  BORDER_START;
  /* PUSH imm32:M */
  bb_emit_byte(M, 0x68u);
  bb_emit_w32(M, (unsigned long)M);
  /* Call xlate_for_sieve */
  bb_emit_call(M, M->xlate_for_sieve);
  bb_setup_post_xlate(M);
}
#endif /* USE_SIEVE */

/*
 * C half of the backpatch stub (see bb_setup_backpatch_and_dispatch_bb).
 *
 * M->backpatch_block holds the address the stub popped off the stack -
 * presumably the return address of the emitted "call" that reached it.
 * This code expects two in-line words there:
 *   [0]  guest eip of the jump target
 *   [4]  address of the rel32 displacement to patch
 * The target is translated, and the displacement is overwritten with
 * (jmp_target - (patch_point + 4)), i.e. relative to the end of the 4-byte
 * field, so later executions jump straight to the translated block.
 *
 * Relies on xlate_bb() leaving the translated address in M->jmp_target
 * (not visible in this file; xlate_for_sieve() sets it explicitly).
 * NOTE(review): this is a store into executable memory, so the code cache
 * must be mapped writable as well as executable - not verifiable here.
 */
void
xlate_for_patch_block(machine_t *M)
{
  // Setup the EIP
  M->fixregs.eip = *((unsigned long *)(M->backpatch_block));
  // Note the Patch point
  M->patch_point = (unsigned char *)(*((unsigned long *) ((M->backpatch_block) + 4)));
  M->comming_from_call_indirect = false;
  //Translate the target
  xlate_bb(M);
  // Patch at patch_point
  *((unsigned long *)(M->patch_point)) = (M->jmp_target - (M->patch_point + 4));
}

/*
 * Emit the backpatch stub: pops the top of stack into M->backpatch_block,
 * saves EFLAGS and the GPRs, and calls xlate_for_patch_block(M), which
 * translates the target and patches the originating jump.  The tail is
 * bb_setup_post_xlate(), so the stack layout must match its expectations.
 */
INLINE void
bb_setup_backpatch_and_dispatch_bb (machine_t *M)
{
  bb_emit_byte(M, 0x8Fu);  /* POP M->backpatch_block */
  bb_emit_byte(M, 0x05u);  /* 00 000 101 */
  bb_emit_w32(M, MFLD(M, backpatch_block));
  bb_emit_byte(M, 0x9cu);  /* PUSHF */
  bb_emit_byte(M, 0x60u);  /* PUSHA */
  BORDER_START;
  bb_emit_byte(M, 0x68u);  // PUSH imm32:M
  bb_emit_w32(M, (unsigned long)M);
  bb_emit_call(M, (unsigned char *)xlate_for_patch_block);
  bb_setup_post_xlate(M);
}

#ifdef USE_SIEVE
/*
 * Emit the sieve fast-dispatch stub used for (indirect) calls: transfers
 * control from one basic-block to another within the basic block cache
 * without leaving translated code.
 *
 * Expects 4(%esp) to hold the guest target eip, with one word (the
 * caller's pushed %ecx, or EFLAGS) already on top of it.  Hashes the eip
 * into a bucket offset and jumps into the hash table:
 *   SMALL_HASH undefined: ecx = ((eip * 2) & 0xffff) * 4 + M->hash_table
 *   SMALL_HASH defined:   ecx = ((eip * 4) & 0xffff) * 2 + M->hash_table
 * Either way the offset is a multiple of 8, matching the 8-byte buckets
 * laid out by bb_setup_hash_table(); SIEVE_HASH_BUCKET() in the C code
 * must compute the same bucket.
 *
 * %ecx is clobbered.  The SIEVE_WITHOUT_PPF sieve node restores it from
 * 0(%esp); the flags-on-stack node does not, so in that configuration the
 * caller presumably saves %ecx elsewhere - verify in the emitter.
 */
INLINE void
bb_setup_call_calls_fast_dispatch_bb(machine_t *M)
{
#ifdef PROFILE_RET_MISS
  bb_emit_inc(M, MFLD(M, ptState->ret_miss_cnt));
#endif
  /* mov 0x4(%esp),%ecx */
  bb_emit_byte(M, 0x8bu);  // 8b /r
  bb_emit_byte(M, 0x4cu);  // 01 001 100
  bb_emit_byte(M, 0x24u);  // 00 100 100
  bb_emit_byte(M, 0x4u);
#ifndef SMALL_HASH
  /* lea 0x0(,%ecx,2),%ecx */
  bb_emit_byte(M, 0x8Du);  // 8D /r
  bb_emit_byte(M, 0x0Cu);  // 00 001 100
  bb_emit_byte(M, 0x4du);  // 01 001 101
  bb_emit_w32(M, 0x0u);    // This 0 word is needed: a scaled index with
                           // no base register requires an explicit disp32.
  /* movzwl %cx,%ecx   ; keep 16 bits of index */
  bb_emit_byte(M, 0x0Fu);  // 0F B7 /R
  bb_emit_byte(M, 0xB7u);
  bb_emit_byte(M, 0xC9u);  // 11 001 001
  /* lea M->hash_table(,%ecx,4),%ecx */
  bb_emit_byte(M, 0x8Du);  // 8D /r
  bb_emit_byte(M, 0x0Cu);  // 00 001 100
  bb_emit_byte(M, 0x8du);  // 10 001 101
  bb_emit_w32(M, (unsigned long)M->hash_table);
#else
  /* lea 0x0(,%ecx,4),%ecx */
  bb_emit_byte(M, 0x8Du);  // 8D /r
  bb_emit_byte(M, 0x0Cu);  // 00 001 100
  bb_emit_byte(M, 0x8du);  // 10 001 101
  bb_emit_w32(M, 0x0u);    // This 0 word is needed: a scaled index with
                           // no base register requires an explicit disp32.
  /* movzwl %cx,%ecx   ; keep 16 bits of index */
  bb_emit_byte(M, 0x0Fu);  // 0F B7 /R
  bb_emit_byte(M, 0xB7u);
  bb_emit_byte(M, 0xC9u);  // 11 001 001
  /* lea M->hash_table(,%ecx,2),%ecx */
  bb_emit_byte(M, 0x8Du);  // 8D /r
  bb_emit_byte(M, 0x0Cu);  // 00 001 100
  bb_emit_byte(M, 0x4du);  // 01 001 101
  bb_emit_w32(M, (unsigned long)M->hash_table);
#endif
  /* jmp *%ecx   ; into the bucket's jump (ff e1) */
  bb_emit_byte(M, 0xffu);
  bb_emit_byte(M, 0xe1u);
}

INLINE void
bb_setup_ret_calls_fast_dispatch_bb(machine_t *M)
{
  /* Emit the special BB that transfers control from one basic-block to another within the basic block cache. 
*/#ifdef PROFILE_RET_MISS bb_emit_inc(M, MFLD(M, ptState->ret_ret_miss_cnt));#endif /* push %ecx */ bb_emit_byte(M, 0x51u); /* mov 0x4(%esp),%ecx */ bb_emit_byte(M, 0x8bu); // 8b /r bb_emit_byte(M, 0x4cu); // 01 001 100 bb_emit_byte(M, 0x24u); // 00 100 100 bb_emit_byte(M, 0x4u);#ifndef SMALL_HASH /* lea 0x0(,%ecx,2),%ecx */ bb_emit_byte(M, 0x8Du); // 8D /r bb_emit_byte(M, 0x0Cu); // 00 001 100 bb_emit_byte(M, 0x4du); // 01 001 101 bb_emit_w32(M, 0x0u); // This 0 word is needed. // There is no other addressing mode. /* movzwl %cx,%ecx */ bb_emit_byte(M, 0x0Fu); // 0F B7 /R bb_emit_byte(M, 0xB7u); bb_emit_byte(M, 0xC9u); // 11 001 001 /* lea M->hash_table(,%ecx,4),%ecx */ bb_emit_byte(M, 0x8Du); // 8D /r bb_emit_byte(M, 0x0Cu); // 00 001 100 bb_emit_byte(M, 0x8du); // 10 001 101 bb_emit_w32(M, (unsigned long)M->hash_table);#else /* lea 0x0(,%ecx,4),%ecx */ bb_emit_byte(M, 0x8Du); // 8D /r bb_emit_byte(M, 0x0Cu); // 00 001 100 bb_emit_byte(M, 0x8du); // 10 001 101 bb_emit_w32(M, 0x0u); // This 0 word is needed. // There is no other addressing mode.