Move validator_x86_XX.rl out of unreviewed.

src/trusted/validator_ragel/validator_x86_64.rl

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include <assert.h>
 #include <errno.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
-#include "native_client/src/trusted/validator_ragel/unreviewed/validator_internal.h"
+#include "native_client/src/trusted/validator_ragel/validator_internal.h"
 
 %%{
   machine x86_64_validator;
   alphtype unsigned char;
   variable p current_position;
   variable pe end_of_bundle;
   variable eof end_of_bundle;
   variable cs current_state;
 
   include byte_machine "byte_machines.rl";
@@ skipping 92 matching lines @@
   rbp_sandboxing =
     (b_0100_11x0 0x01 0xfd            | # add %r15,%rbp
      b_0100_10x1 0x03 0xef            | # add %r15,%rbp
      0x49 0x8d 0x2c 0x2f              | # lea (%r15,%rbp,1),%rbp
      0x4a 0x8d 0x6c 0x3d 0x00)          # lea 0x0(%rbp,%r15,1),%rbp
     @{ if (restricted_register == REG_RBP)
          instruction_info_collected |= RESTRICTED_REGISTER_USED;
        else
          instruction_info_collected |= UNRESTRICTED_RBP_PROCESSED;
        restricted_register = NO_REG;
-       BitmapClearBit(valid_targets, (instruction_start - data));
+       MakeJumpTargetInvalid((instruction_start - data), valid_targets);
     };
 
   # Special %rbp modifications without required sandboxing
   rsp_modifications =
     (b_0100_10x0 0x89 0xec)                        | # mov %rbp,%rsp
     (b_0100_10x0 0x8b 0xe5)                        | # mov %rbp,%rsp
     #(b_0100_1xx0 0x81 0xe4 any{3} (0x80 .. 0xff)) | # and $XXX,%rsp
     #Superfluous bits are not supported:
     # http://code.google.com/p/nativeclient/issues/detail?id=3012
     (b_0100_1000 0x83 0xe4 (0x80 .. 0xff))          # and $XXX,%rsp
     @process_0_operands;
 
   # Special instructions used for %rbp sandboxing
   rsp_sandboxing =
     (b_0100_11x0 0x01 0xfc            | # add %r15,%rsp
      b_0100_10x1 0x03 0xe7            | # add %r15,%rbp
      0x4a 0x8d 0x24 0x3c)               # lea (%rsp,%r15,1),%rsp
     @{ if (restricted_register == REG_RSP)
          instruction_info_collected |= RESTRICTED_REGISTER_USED;
        else
          instruction_info_collected |= UNRESTRICTED_RSP_PROCESSED;
        restricted_register = NO_REG;
-       BitmapClearBit(valid_targets, (instruction_start - data));
+       MakeJumpTargetInvalid((instruction_start - data), valid_targets);
     };
 
   # naclcall or nacljmp.  Note: first "and $~0x1f, %eXX" is a normal instruction
   # and as such will detect case where %rbp/%rsp is illegally modified.

[Brad Chen, 2012/09/29 00:06:00]

Suggestion for comment:
## REGISTER USAGE ABBREVIATIONS:
# By convention: rax == r0x, rcx == r1x, ...
#  R32: R version of legacy 386 registers a.k.a r1x .. r7x
#  R64: all
#  E32: 
#  E64:
#  RBASE: %r15 - NaCl base register (read-only)

# This block encodes call and jump instructions of the form:
#   41 83 e3 e0             and    $0xffffffe0,%r11d
#   4d 01 fb                add    %r15,%r11
#   41 ff e3                jmpq   *%r11
naclcall_or_nacljmp =
  #   83 xx e0                and    $0xffffffe0,%r11d
  #   4x 01 xx                add    %r15,%rxx
  #   4x ff xx                jmpq   *%r11   # or call
  #### INSTRUCTION ONE (three bytes)
  # and $~0x1f, E32
  (0x83 (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7) 0xe0
  #### INSTRUCTION TWO (three bytes)
  # REX add RBASE, R32
   b_0100_11x0 0x01 (0xf8|0xf9|0xfa|0xfb|0xfc|0xfd|0xfe|0xff)
  #### INSTRUCTION THREE.a (three bytes plus optional REXP)
  # callq R32
  ((REX_WRX? 0xff (0xd0|0xd1|0xd2|0xd3|0xd4|0xd5|0xd6|0xd7)) |
  #### INSTRUCTION THREE.b (three bytes plus optional REXP)
  # jmpq R32
   (REX_WRX? 0xff (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7))))
  # This action checks the consistency of registers referenced
  # in the individual instructions:
      @{
       instruction_start -= 6;
        if (RMFromModRM(instruction_start[1]) !=                                
           RMFromModRM(instruction_start[5]) ||
            RMFromModRM(instruction_start[1]) != RMFromModRM(*current_position))
          instruction_info_collected |= UNRECOGNIZED_INSTRUCTION;
        MakeJumpTargetInvalid((instruction_start - data) + 3, valid_targets);
        MakeJumpTargetInvalid((instruction_start - data) + 6, valid_targets);
        restricted_register = NO_REG;
      } |

[khim, 2012/10/03 22:30:10]

Done.

   naclcall_or_nacljmp =
      # and $~0x1f, %eax/%ecx/%edx/%ebx/%esp/%ebp/%esi/%edi
      (0x83 (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7) 0xe0
      # add %r15,%rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       b_0100_11x0 0x01 (0xf8|0xf9|0xfa|0xfb|0xfc|0xfd|0xfe|0xff)
      # callq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
      ((REX_WRX? 0xff (0xd0|0xd1|0xd2|0xd3|0xd4|0xd5|0xd6|0xd7)) |
      # jmpq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       (REX_WRX? 0xff (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7))))
      @{
        instruction_start -= 6;
        if (RMFromModRM(instruction_start[1]) !=
                                             RMFromModRM(instruction_start[5]) ||
            RMFromModRM(instruction_start[1]) != RMFromModRM(*current_position))
          instruction_info_collected |= UNRECOGNIZED_INSTRUCTION;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 3);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 6);
+       MakeJumpTargetInvalid((instruction_start - data) + 3, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 6, valid_targets);
        restricted_register = NO_REG;
      } |
 
      # and $~0x1f, %eax/%ecx/%edx/%ebx/%esp/%ebp/%esi/%edi
      (0x83 (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7) 0xe0
      # add %r15,%rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       b_0100_10x1 0x03 (0xc7|0xcf|0xd7|0xdf|0xe7|0xef|0xf7|0xff)
      # callq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
      ((REX_WRX? 0xff (0xd0|0xd1|0xd2|0xd3|0xd4|0xd5|0xd6|0xd7)) |
      # jmpq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       (REX_WRX? 0xff (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7))))
      @{
        instruction_start -= 6;
        if (RMFromModRM(instruction_start[1]) !=
                                            RegFromModRM(instruction_start[5]) ||
            RMFromModRM(instruction_start[1]) != RMFromModRM(*current_position))
          instruction_info_collected |= UNRECOGNIZED_INSTRUCTION;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 3);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 6);
+       MakeJumpTargetInvalid((instruction_start - data) + 3, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 6, valid_targets);
        restricted_register = NO_REG;
      } |
 
      # rex.R?X? and $~0x1f, %eax/%ecx/%edx/%ebx/%esp/%ebp/%esi/%edi
     ((REX_RX 0x83 (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7) 0xe0
      # add %r15,%rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       b_0100_11x0 0x01 (0xf8|0xf9|0xfa|0xfb|0xfc|0xfd|0xfe|0xff)
      # callq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       ((REX_WRX? 0xff (0xd0|0xd1|0xd2|0xd3|0xd4|0xd5|0xd6|0xd7)) |
      # jmpq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       (REX_WRX? 0xff (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7)))) |
 
      # and $~0x1f, %r8d/%r9d/%r10d/%r11d/%r12d/%r13d/%r14d
      (b_0100_0xx1 0x83 (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6) 0xe0
      # add %r15, %r8d/%r9d/%r10d/%r11d/%r12d/%r13d/%r14d
       b_0100_11x1 0x01 (0xf8|0xf9|0xfa|0xfb|0xfc|0xfd|0xfe)
      # callq %r8/%r9/%r10/%r11/%r12/%r13/%r14
      ((b_0100_xxx1 0xff (0xd0|0xd1|0xd2|0xd3|0xd4|0xd5|0xd6)) |
      # jmpq %r8/%r9/%r10/%r11/%r12/%r13/%r14
       (b_0100_xxx1 0xff (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6)))))
      @{
        instruction_start -= 7;
        if (RMFromModRM(instruction_start[2]) !=
                                             RMFromModRM(instruction_start[6]) ||
            RMFromModRM(instruction_start[2]) != RMFromModRM(*current_position))
          instruction_info_collected |= UNRECOGNIZED_INSTRUCTION;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 4);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 7);
+       MakeJumpTargetInvalid((instruction_start - data) + 4, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 7, valid_targets);
        restricted_register = NO_REG;
      } |
 
      # rex.R?X? and $~0x1f, %eax/%ecx/%edx/%ebx/%esp/%ebp/%esi/%edi
     ((REX_RX 0x83 (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7) 0xe0
      # add %r15,%rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       b_0100_10x1 0x03 (0xc7|0xcf|0xd7|0xdf|0xe7|0xef|0xf7|0xff)
      # callq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       ((REX_WRX? 0xff (0xd0|0xd1|0xd2|0xd3|0xd4|0xd5|0xd6|0xd7)) |
      # jmpq %rax/%rcx/%rdx/%rbx/%rsp/%rbp/%rsi/%rdi
       (REX_WRX? 0xff (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6|0xe7)))) |
 
      # and $~0x1f, %r8d/%r9d/%r10d/%r11d/%r12d/%r13d/%r14d
      (b_0100_0xx1 0x83 (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6) 0xe0
      # add %r15, %r8d/%r9d/%r10d/%r11d/%r12d/%r13d/%r14d
       b_0100_11x1 0x03 (0xc7|0xcf|0xd7|0xdf|0xe7|0xef|0xf7)
      # callq %r8/%r9/%r10/%r11/%r12/%r13/%r14
      ((b_0100_xxx1 0xff (0xd0|0xd1|0xd2|0xd3|0xd4|0xd5|0xd6)) |
      # jmpq %r8/%r9/%r10/%r11/%r12/%r13/%r14
       (b_0100_xxx1 0xff (0xe0|0xe1|0xe2|0xe3|0xe4|0xe5|0xe6)))))
      @{
        instruction_start -= 7;
        if (RMFromModRM(instruction_start[2]) !=
                                            RegFromModRM(instruction_start[6]) ||
            RMFromModRM(instruction_start[2]) != RMFromModRM(*current_position))
          instruction_info_collected |= UNRECOGNIZED_INSTRUCTION;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 4);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 7);
+       MakeJumpTargetInvalid((instruction_start - data) + 4, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 7, valid_targets);
        restricted_register = NO_REG;
      };
 
   # EMMS/SSE2/AVX instructions which have implicit %ds:(%rsi) operand
   # maskmovq %mmX,%mmY
   maskmovq =
       REX_WRXB? (0x0f 0xf7)
       @CPUFeature_EMMX modrm_registers;
   # maskmovdqu %xmmX, %xmmY
   maskmovdqu =
@@ skipping 29 matching lines @@
     condrep? REXW_NONE? 0xa7 | # cmps[lq] %es:(%rdi),%ds:(%rsi)
 
     rep? 0xa4                | # movsb    %es:(%rdi),%ds:(%rsi)
     data16rep 0xa5           | # movsw    %es:(%rdi),%ds:(%rsi)
     rep? REXW_NONE? 0xa5     ; # movs[lq] %es:(%rdi),%ds:(%rsi)
 
   sandbox_instruction_rsi_no_rdi =
     (0x89 | 0x8b) 0xf6       . # mov %esi,%esi
     0x49 0x8d 0x34 0x37      . # lea (%r15,%rsi,1),%rsi
     string_instruction_rsi_no_rdi
     @{

[Brad Chen, 2012/09/29 00:06:00]

Please comment every action.
# This action redefines the range of the super-instruction
# to include the preceding sandboxing sequence, then
# invalidates jump targets on the interior of the
# super-instructions.
In this case it would also help if you made a procedure for this action, maybe
"RSandboxStringInst"?

[khim, 2012/10/03 22:30:10]

Done.

Functions make absolutely no sense here: we have quite a few magic numbers here.
They tie together action which is triggered and the DFA this action attached to
(magic numbers are offsets in said DFA). We MAY define bunch of constants to
satisfy the style guide but this IMNSHO will just make code less readable: each
particular define will only be used once and instead of having two entities
which are placed close to each other in a file we will have them in two
different files.

        instruction_start -= 6;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 2);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 6);
+       MakeJumpTargetInvalid((instruction_start - data) + 2, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 6, valid_targets);
        restricted_register = NO_REG;
     } |
 
     REX_X (0x89 | 0x8b) 0xf6 . # mov %esi,%esi
     0x49 0x8d 0x34 0x37      . # lea (%r15,%rsi,1),%rsi
     string_instruction_rsi_no_rdi
     @{
        instruction_start -= 7;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 3);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 7);
+       MakeJumpTargetInvalid((instruction_start - data) + 3, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 7, valid_targets);
        restricted_register = NO_REG;
     };
 
   sandbox_instruction_rdi_no_rsi =
     (0x89 | 0x8b) 0xff       . # mov %edi,%edi
     0x49 0x8d 0x3c 0x3f      . # lea (%r15,%rdi,1),%rdi
     (string_instruction_rdi_no_rsi | mmx_sse_rdi_instruction)
     @{
        instruction_start -= 6;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 2);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 6);
+       MakeJumpTargetInvalid((instruction_start - data) + 2, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 6, valid_targets);
        restricted_register = NO_REG;
     } |
 
     REX_X (0x89 | 0x8b) 0xff . # mov %edi,%edi
     0x49 0x8d 0x3c 0x3f      . # lea (%r15,%rdi,1),%rdi
     (string_instruction_rdi_no_rsi | mmx_sse_rdi_instruction)
     @{
        instruction_start -= 7;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 3);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 7);
+       MakeJumpTargetInvalid((instruction_start - data) + 3, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 7, valid_targets);
        restricted_register = NO_REG;
     };
 
 
   # String instructions which use both %ds:(%rsi) and %ds:(%rdi)
   sandbox_instruction_rsi_rdi =
     (0x89 | 0x8b) 0xf6       . # mov %esi,%esi

[Brad Chen, 2012/09/29 00:06:00]

# Note that 0x89 0xf6 and 0x8b 0xf6 both encode "mov %esi, %esi"

[khim, 2012/10/03 22:30:10]

Done.

     0x49 0x8d 0x34 0x37      . # lea (%r15,%rsi,1),%rsi
     (0x89 | 0x8b) 0xff       . # mov %edi,%edi
     0x49 0x8d 0x3c 0x3f      . # lea (%r15,%rdi,1),%rdi
     string_instruction_rsi_rdi
     @{
        instruction_start -= 12;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 2);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 6);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 8);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 12);
+       MakeJumpTargetInvalid((instruction_start - data) + 2, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 6, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 8, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 12, valid_targets);
        restricted_register = NO_REG;
     } |
 
     (0x89 | 0x8b) 0xf6       . # mov %esi,%esi
     0x49 0x8d 0x34 0x37      . # lea (%r15,%rsi,1),%rsi
     REX_X (0x89 | 0x8b) 0xff . # mov %edi,%edi
     0x49 0x8d 0x3c 0x3f      . # lea (%r15,%rdi,1),%rdi
     string_instruction_rsi_rdi
     @{
        instruction_start -= 13;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 2);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 6);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 9);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 13);
+       MakeJumpTargetInvalid((instruction_start - data) + 2, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 6, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 9, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 13, valid_targets);
        restricted_register = NO_REG;
     } |
 
     REX_X (0x89 | 0x8b) 0xf6 . # mov %esi,%esi
     0x49 0x8d 0x34 0x37      . # lea (%r15,%rsi,1),%rsi
     (0x89 | 0x8b) 0xff       . # mov %edi,%edi
     0x49 0x8d 0x3c 0x3f      . # lea (%r15,%rdi,1),%rdi
     string_instruction_rsi_rdi
     @{
        instruction_start -= 13;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 3);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 7);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 9);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 13);
+       MakeJumpTargetInvalid((instruction_start - data) + 3, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 7, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 9, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 13, valid_targets);
        restricted_register = NO_REG;
     } |
 
     REX_X (0x89 | 0x8b) 0xf6 . # mov %esi,%esi
     0x49 0x8d 0x34 0x37      . # lea (%r15,%rsi,1),%rsi
     REX_X (0x89 | 0x8b) 0xff . # mov %edi,%edi
     0x49 0x8d 0x3c 0x3f      . # lea (%r15,%rdi,1),%rdi
     string_instruction_rsi_rdi
     @{
        instruction_start -= 14;
-       BitmapClearBit(valid_targets, (instruction_start - data) + 3);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 7);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 10);
-       BitmapClearBit(valid_targets, (instruction_start - data) + 14);
+       MakeJumpTargetInvalid((instruction_start - data) + 3, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 7, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 10, valid_targets);
+       MakeJumpTargetInvalid((instruction_start - data) + 14, valid_targets);
        restricted_register = NO_REG;
     };
 
   special_instruction =
     (rbp_modifications |
      rsp_modifications |
      rbp_sandboxing |
      rsp_sandboxing |
      naclcall_or_nacljmp |
      sandbox_instruction_rsi_no_rdi |
@@ skipping 18 matching lines @@
       (any* data16? REX_WRXB? 0xff ((opcode_2 | opcode_3) any* &
                                     (modrm_memory | modrm_registers)))))
     @{
       if (((current_position - data) & kBundleMask) != kBundleMask)
         instruction_info_collected |= BAD_CALL_ALIGNMENT;
     };
 
 
   main := ((call_alignment | normal_instruction | special_instruction)
      >{
-       BitmapSetBit(valid_targets, current_position - data);
+       MakeJumpTargetValid(current_position - data, valid_targets);
      }
      @{
        if ((instruction_info_collected &
                                (VALIDATION_ERRORS_MASK | BAD_CALL_ALIGNMENT)) ||
            (options & CALL_USER_CALLBACK_ON_EACH_INSTRUCTION)) {
          result &= user_callback(
              instruction_start, current_position,
              instruction_info_collected |
              ((restricted_register << RESTRICTED_REGISTER_SHIFT) &
               RESTRICTED_REGISTER_MASK), callback_data);
@@ skipping 94 matching lines @@
                                       user_callback, callback_data);
 
   /* We only use malloc for a large code sequences  */
   if (size > sizeof valid_targets_small) {
     free(jump_dests);
     free(valid_targets);
   }
   if (!result) errno = EINVAL;
   return result;
 }