preserve cs changes from far ctis and iret

[derekbruening]

From bruen...@google.com on June 21, 2012 15:23:39

this was PR 271317

For 64-bit DR in WOW64 ( issue #49 ) we need to handle application cs changes. Splitting out from that case.

For common/decode we fail to reproduce the bad-segment fault of a native lretw (66 cb), and my current SEH64 setup fails to recover from a fault on only the target of a retw: so for now that test uses a retw. Once we have faithful cs preservation we can re-enable lretw.

On x64 "push cs" is an invalid instr; for now I'm pushing 0x33. This case covers fixing that as well.

*\ TODO far cti must exit code cache to update dcontext_t.x86_mode

or can we use last_fragment (but be wary of empty_fragment)? are we planning on requiring exits to update ibl tls slots?

ifdef X64

set_x86_mode(dcontext, TEST(FRAG_32_BIT, targetf->flags));

endif

Note that if we don't require a cache exit on mode switches we need to change the call to get_reset_exit_stub() to first see what mode of fragment the thread is suspended inside.

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=823

[derekbruening]

From bruen...@google.com on June 21, 2012 13:10:46

*\ TODO currently not switching modes on far cti

0x0000000074c1271b 41 ff 2e ljmp (% r14 ) end_pc = 0x0000000074c1271e

exit_branch_type=0x12 bb->exit_target=0x0000000021353a40 make_writable: pc 0x00000000154c3000-0x00000000154ed000, currently r--- committed make_unwritable: pc 0x00000000154c3000-0x00000000154ed000, currently rw-- committed make_writable: pc 0x00000000154c3000-0x00000000154ed000, currently r--- committed make_unwritable: pc 0x00000000154c3000-0x00000000154ed000, currently rw-- committed SYSLOG_WARNING: Encountered a far indirect jump emit_fragment: bb use ibl <0x0000000021353a40> exit_branch_type=0x12 target=0x0000000021353a40 l->flags=0x9012 Fragment 2963, tag 0x0000000074c126ce, flags 0x1000030, shared, size 94: [wow64cpu.dll~CpuSimulate+0x11e,~TurboDispatchJumpAddressStart-0x77] Entry into F2963(0x0000000074c126ce).0x000000002152d7a0 (shared)

Exit from sourceless ibl: bb jmp* [](target 0x0000000077649e69 not in cache) fragment_add_ibl_target tag 0x0000000077649e69, branch 2, F0

dispatch: target = 0x0000000077649e69

interp: start_pc = 0x0000000077649e69 new shared vm area: 0x0000000077620000-0x00000000776f6000 ---- module ntdll.dll 0x0000000077649e69 8b ff mov %edi -> %edi 0x0000000077649e6b 55 push %rbp %rsp -> %rsp 0xfffffff8(%rsp) 0x0000000077649e6c 8b ec mov %esp -> %ebp 0x0000000077649e6e ff 75 0c push 0x0c(%rbp) %rsp -> %rsp 0xfffffff8(%rsp) 0x0000000077649e71 ff 75 08 push 0x08(%rbp) %rsp -> %rsp 0xfffffff8(%rsp) 0x0000000077649e74 e8 fd 00 00 00 call $0x0000000077649f76 %rsp -> %rsp 0xfffffff8(%rsp) NOT following direct call from 0x0000000077649e74 to 0x0000000077649f76 end_pc = 0x0000000077649e79

[derekbruening]

From bruen...@google.com on June 21, 2012 13:16:33

Owner: ya...@google.com

[derekbruening]

From bruen...@google.com on June 22, 2012 15:46:05

to really be general, would have to stick selector somewhere and do far cti either on way to ibl or at end of special "far ibl". but for the issue #751 prototype, if we do the set_x86_mode(), then next fragment will be 32-bit, and will use the special fcache_enter that does a mode switch. so forget general far cti handling: not worth it for prototype. just need to have the post-exit code figure out whether a mode switch or not and call set_x86_mode(). need some code sequence to communicate address of full far opnd to DR. special mangling. or could get app addr of the instr and decode from DR and emulate to get opnd. need to record next app pc as well either in the standard way or as part of the new segment communication.

[derekbruening]

From bruen...@google.com on June 23, 2012 07:07:41

may actually be simpler to do more in-cache and forget about dispatch figuring out what's going on:

proposal: mangle far indirect cti to:

spill xcx movzx selector -> xcx lea xcx -32_bit_cs -> xcx jecxz to_32 64: (punting on handling cs o/w) mov target -> xcx jmp 64-bit ibl to-32: dcontext -> ecx mov $1 -> x86_mode_offs(ecx) mov target -> ecx far ind jmp through const mem that targets 32-bit ibl

if ind branch memref uses xcx, need to spill another reg

handles unlinking nicely: just need 2nd const mem for unlink ibl. for 32 to 64, can do far direct jmp

update state xl8 to handle movzx of selector failing

[derekbruening]

From bruen...@google.com on June 27, 2012 08:15:28

/* issue #823: handle far cti transitions. For now only handling known cs values

• for WOW64. *
• One approach is to have the mode change happen in the fragment itself via
• ind branch mangling. But then we have the check for known cs there and
• thus multiple exits some of which are 32-bit and some of which are 64-bit
• which is messy. Instead, we spill another reg, put the selector in it,
• and jump to this ibl prefix routine. One drawback is that by not doing
• the mode transition in the fragment we give up on traces extending through
• it and we must make a far cti a trace barrier. *
• fragment:
• spill xax
• movzx selector -> xax
• spill xcx
• mov target -> xcx
• jmp far_ibl
• far_ibl:
• clear top 32 bits of xcx slot
• xchg xcx, xax
• lea xcx -32_bit_cs -> xcx
• jecxz to_32
• 64: (punting on handling cs o/w)
• xchg xcx, xax
• restore xax
• jmp 64-bit ibl
• to-32:
• dcontext -> ecx
• mov $1 -> x86_mode_offs(ecx)
• xchg xcx, xax
• restore xax
• far ind jmp through const mem that targets 32-bit ibl
• much simpler for state xl8: shouldn't need any added support.
• for unlinking, have two versions of the gencode, so the unlink
• is the standard fragment exit cti change only. */

Owner: bruen...@google.com

[derekbruening]

From bruen...@google.com on June 27, 2012 08:18:01

*\ TODO far direct cti handling

can statically see whether it's a cs we expect

unfortunately selector is last so would mess up exit cti patching

how about:

spill eax dcontext -> eax mov $0 -> x86_mode_offs(eax) restore eax jmp 33:next next: regular exit cti jmp to app target

• have to make sure to use 64-bit exit stub and fcache return.
• must end a trace.
• this enables linking 32-bit to 64-bit fragment (which is why can't do the set_x86_mode back in dispatch)

problem: stub size now depends not only on FRAG_ flags but link flags too! =>

• could make unlinkable and move the mode shift to DR
• could target far_ibl: less costly than going back to DR spill xax and xcx and fill them w/ consts
• or, add FRAG_ENDS_IN_FAR_DIRECT but still have uses that need to know whether for final branch or not: mid-fragment exit for trace, fragment prefix for -disable_traces

=> going with treating as indirect and using far_ibl