//===-- MipsNaClELFStreamer.cpp - ELF Object Output for Mips NaCl ---------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file implements MCELFStreamer for Mips NaCl. It emits .o object files
// as required by NaCl's SFI sandbox. It inserts address-masking instructions
// before dangerous control-flow and memory access instructions. It inserts
// address-masking instructions after instructions that change the stack
// pointer. It ensures that the mask and the dangerous instruction are always
// emitted in the same bundle. It aligns call + branch delay to the bundle end,
// so that return address is always aligned to the start of next bundle.
//
//===----------------------------------------------------------------------===//
#include "Mips.h"
#include "MipsELFStreamer.h"
#include "MipsMCNaCl.h"
#include "llvm/MC/MCELFStreamer.h"
using namespace llvm;
#define DEBUG_TYPE "mips-mc-nacl"
namespace {
const unsigned IndirectBranchMaskReg = Mips::T6;
const unsigned LoadStoreStackMaskReg = Mips::T7;
/// Extend the generic MCELFStreamer class so that it can mask dangerous
/// instructions.
class MipsNaClELFStreamer : public MipsELFStreamer {
public:
MipsNaClELFStreamer(MCContext &Context, MCAsmBackend &TAB,
raw_pwrite_stream &OS, MCCodeEmitter *Emitter)
: MipsELFStreamer(Context, TAB, OS, Emitter), PendingCall(false) {}
~MipsNaClELFStreamer() override {}
private:
// Whether we started the sandboxing sequence for calls. Calls are bundled
// with branch delays and aligned to the bundle end.
bool PendingCall;
bool isIndirectJump(const MCInst &MI) {
if (MI.getOpcode() == Mips::JALR) {
// MIPS32r6/MIPS64r6 doesn't have a JR instruction and uses JALR instead.
// JALR is an indirect branch if the link register is $0.
assert(MI.getOperand(0).isReg());
return MI.getOperand(0).getReg() == Mips::ZERO;
}
return MI.getOpcode() == Mips::JR;
}
bool isStackPointerFirstOperand(const MCInst &MI) {
return (MI.getNumOperands() > 0 && MI.getOperand(0).isReg()
&& MI.getOperand(0).getReg() == Mips::SP);
}
bool isCall(const MCInst &MI, bool *IsIndirectCall) {
unsigned Opcode = MI.getOpcode();
*IsIndirectCall = false;
switch (Opcode) {
default:
return false;
case Mips::JAL:
case Mips::BAL:
case Mips::BAL_BR:
case Mips::BLTZAL:
case Mips::BGEZAL:
return true;
case Mips::JALR:
// JALR is only a call if the link register is not $0. Otherwise it's an
// indirect branch.
assert(MI.getOperand(0).isReg());
if (MI.getOperand(0).getReg() == Mips::ZERO)
return false;
*IsIndirectCall = true;
return true;
}
}
void emitMask(unsigned AddrReg, unsigned MaskReg,
const MCSubtargetInfo &STI) {
MCInst MaskInst;
MaskInst.setOpcode(Mips::AND);
MaskInst.addOperand(MCOperand::CreateReg(AddrReg));
MaskInst.addOperand(MCOperand::CreateReg(AddrReg));
MaskInst.addOperand(MCOperand::CreateReg(MaskReg));
MipsELFStreamer::EmitInstruction(MaskInst, STI);
}
// Sandbox indirect branch or return instruction by inserting mask operation
// before it.
void sandboxIndirectJump(const MCInst &MI, const MCSubtargetInfo &STI) {
unsigned AddrReg = MI.getOperand(0).getReg();
EmitBundleLock(false);
emitMask(AddrReg, IndirectBranchMaskReg, STI);
MipsELFStreamer::EmitInstruction(MI, STI);
EmitBundleUnlock();
}
// Sandbox memory access or SP change. Insert mask operation before and/or
// after the instruction.
void sandboxLoadStoreStackChange(const MCInst &MI, unsigned AddrIdx,
const MCSubtargetInfo &STI, bool MaskBefore,
bool MaskAfter) {
EmitBundleLock(false);
if (MaskBefore) {
// Sandbox memory access.
unsigned BaseReg = MI.getOperand(AddrIdx).getReg();
emitMask(BaseReg, LoadStoreStackMaskReg, STI);
}
MipsELFStreamer::EmitInstruction(MI, STI);
if (MaskAfter) {
// Sandbox SP change.
unsigned SPReg = MI.getOperand(0).getReg();
assert((Mips::SP == SPReg) && "Unexpected stack-pointer register.");
emitMask(SPReg, LoadStoreStackMaskReg, STI);
}
EmitBundleUnlock();
}
public:
/// This function is the one used to emit instruction data into the ELF
/// streamer. We override it to mask dangerous instructions.
void EmitInstruction(const MCInst &Inst,
const MCSubtargetInfo &STI) override {
// Sandbox indirect jumps.
if (isIndirectJump(Inst)) {
if (PendingCall)
report_fatal_error("Dangerous instruction in branch delay slot!");
sandboxIndirectJump(Inst, STI);
return;
}
// Sandbox loads, stores and SP changes.
unsigned AddrIdx;
bool IsStore;
bool IsMemAccess = isBasePlusOffsetMemoryAccess(Inst.getOpcode(), &AddrIdx,
&IsStore);
bool IsSPFirstOperand = isStackPointerFirstOperand(Inst);
if (IsMemAccess || IsSPFirstOperand) {
bool MaskBefore = (IsMemAccess
&& baseRegNeedsLoadStoreMask(Inst.getOperand(AddrIdx)
.getReg()));
bool MaskAfter = IsSPFirstOperand && !IsStore;
if (MaskBefore || MaskAfter) {
if (PendingCall)
report_fatal_error("Dangerous instruction in branch delay slot!");
sandboxLoadStoreStackChange(Inst, AddrIdx, STI, MaskBefore, MaskAfter);
return;
}
// fallthrough
}
// Sandbox calls by aligning call and branch delay to the bundle end.
// For indirect calls, emit the mask before the call.
bool IsIndirectCall;
if (isCall(Inst, &IsIndirectCall)) {
if (PendingCall)
report_fatal_error("Dangerous instruction in branch delay slot!");
// Start the sandboxing sequence by emitting call.
EmitBundleLock(true);
if (IsIndirectCall) {
unsigned TargetReg = Inst.getOperand(1).getReg();
emitMask(TargetReg, IndirectBranchMaskReg, STI);
}
MipsELFStreamer::EmitInstruction(Inst, STI);
PendingCall = true;
return;
}
if (PendingCall) {
// Finish the sandboxing sequence by emitting branch delay.
MipsELFStreamer::EmitInstruction(Inst, STI);
EmitBundleUnlock();
PendingCall = false;
return;
}
// None of the sandboxing applies, just emit the instruction.
MipsELFStreamer::EmitInstruction(Inst, STI);
}
};
} // end anonymous namespace
namespace llvm {
bool isBasePlusOffsetMemoryAccess(unsigned Opcode, unsigned *AddrIdx,
bool *IsStore) {
if (IsStore)
*IsStore = false;
switch (Opcode) {
default:
return false;
// Load instructions with base address register in position 1.
case Mips::LB:
case Mips::LBu:
case Mips::LH:
case Mips::LHu:
case Mips::LW:
case Mips::LWC1:
case Mips::LDC1:
case Mips::LL:
case Mips::LL_R6:
case Mips::LWL:
case Mips::LWR:
*AddrIdx = 1;
return true;
// Store instructions with base address register in position 1.
case Mips::SB:
case Mips::SH:
case Mips::SW:
case Mips::SWC1:
case Mips::SDC1:
case Mips::SWL:
case Mips::SWR:
*AddrIdx = 1;
if (IsStore)
*IsStore = true;
return true;
// Store instructions with base address register in position 2.
case Mips::SC:
case Mips::SC_R6:
*AddrIdx = 2;
if (IsStore)
*IsStore = true;
return true;
}
}
bool baseRegNeedsLoadStoreMask(unsigned Reg) {
// The contents of SP and thread pointer register do not require masking.
return Reg != Mips::SP && Reg != Mips::T8;
}
MCELFStreamer *createMipsNaClELFStreamer(MCContext &Context, MCAsmBackend &TAB,
raw_pwrite_stream &OS,
MCCodeEmitter *Emitter,
bool RelaxAll) {
MipsNaClELFStreamer *S = new MipsNaClELFStreamer(Context, TAB, OS, Emitter);
if (RelaxAll)
S->getAssembler().setRelaxAll(true);
// Set bundle-alignment as required by the NaCl ABI for the target.
S->EmitBundleAlignMode(MIPS_NACL_BUNDLE_ALIGN);
return S;
}
}