Make validator require read sandboxing on ARM.

src/trusted/validator_arm/inst_classes.cc

Index: src/trusted/validator_arm/inst_classes.cc
===================================================================
--- src/trusted/validator_arm/inst_classes.cc	(revision 6972)
+++ src/trusted/validator_arm/inst_classes.cc	(working copy)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011 The Native Client Authors.  All rights reserved.
+ * Copyright (c) 2011 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
@@ -215,6 +215,22 @@
 }
 
 
+SafetyLevel LoadRegister::safety(const Instruction i) const {
+  bool pre_index = i.bit(24);
+  if (pre_index) {
+    // If pre_index is set, the address of the load is computed as the sum
+    // of the two register parameters.  We have checked that the first register
+    // is within the sandbox, but this would allow adding an arbitrary value
+    // to it, so it is not safe.
+    return FORBIDDEN;
+  }
+
+  // Don't let addressing writeback alter PC.
+  if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;
+
+  return MAY_BE_SAFE;
+}
+
 RegisterList LoadRegister::defs(const Instruction i) const {
   if (writeback(i)) {
     Register rn(i.bits(19, 16));
@@ -224,7 +240,11 @@
   }
 }
 
+Register LoadRegister::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
 
+
 RegisterList LoadImmediate::immediate_addressing_defs(const Instruction i)
     const {
   if (writeback(i)) {
@@ -235,21 +255,67 @@
   }
 }
 
+Register LoadImmediate::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
 
+bool LoadImmediate::offset_is_immediate(Instruction i) const {
+  UNREFERENCED_PARAMETER(i);
+  return true;
+}
+
+
 RegisterList LoadDoubleI::defs(const Instruction i) const {
   return LoadImmediate::defs(i) + Register(i.bits(15, 12) + 1);
 }
 
+Register LoadDoubleI::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
 
+bool LoadDoubleI::offset_is_immediate(Instruction i) const {
+  UNREFERENCED_PARAMETER(i);
+  return true;
+}
+
+
+SafetyLevel LoadDoubleR::safety(const Instruction i) const {
+  bool pre_index = i.bit(24);
+  if (pre_index) {
+    // If pre_index is set, the address of the load is computed as the sum
+    // of the two register parameters.  We have checked that the first register
+    // is within the sandbox, but this would allow adding an arbitrary value
+    // to it, so it is not safe.
+    return FORBIDDEN;
+  }
+
+  // Don't let addressing writeback alter PC.
+  if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;
+
+  return MAY_BE_SAFE;
+}
+
 RegisterList LoadDoubleR::defs(const Instruction i) const {
   return LoadRegister::defs(i) + Register(i.bits(15, 12) + 1);
 }
 
+Register LoadDoubleR::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
+Register LoadExclusive::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
+
 RegisterList LoadDoubleExclusive::defs(const Instruction i) const {
   return LoadExclusive::defs(i) + Register(i.bits(15, 12) + 1);
 }
 
+Register LoadDoubleExclusive::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
 
+
 SafetyLevel LoadMultiple::safety(const Instruction i) const {
   uint32_t rn = i.bits(19, 16);
   if (i.bit(21) && i.bit(rn)) {
@@ -273,7 +339,11 @@
   return i.bit(21)? i.reg(19, 16) : kRegisterNone;
 }
 
+Register LoadMultiple::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
 
+
 /*
  * Vector load/stores
  */
@@ -304,7 +374,11 @@
   return kRegisterNone;
 }
 
+Register VectorLoad::base_address_register(const Instruction i) const {
+  return i.reg(19, 16);
+}
 
+
 SafetyLevel VectorStore::safety(Instruction i) const {
   if (defs(i)[kRegisterPc]) return FORBIDDEN_OPERANDS;