Move validator_x86_XX.rl out of unreviewed.

src/trusted/validator_ragel/validator_x86_64.rl

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 /*
  * This is the core of amd64-mode validator.  Please note that this file
  * combines ragel machine description and C language actions.  Please read
  * validator_internals.html first to understand how the whole thing is built:
  * it explains how the byte sequences are constructed, what constructs like
  * "@{}" or "REX_WRX?" mean, etc.
  */
 
 #include <assert.h>
 #include <errno.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
 #include "native_client/src/trusted/validator_ragel/bitmap.h"
-#include "native_client/src/trusted/validator_ragel/unreviewed/validator_internal.h"
+#include "native_client/src/trusted/validator_ragel/validator_internal.h"
 
 %%{
   machine x86_64_validator;
   alphtype unsigned char;
   variable p current_position;
   variable pe end_of_bundle;
   variable eof end_of_bundle;
   variable cs current_state;
 
   include byte_machine "byte_machines.rl";
@@ skipping 30 matching lines @@
     "native_client/src/trusted/validator_ragel/unreviewed/parse_instruction.rl";
   include cpuid_actions
     "native_client/src/trusted/validator_ragel/unreviewed/parse_instruction.rl";
 
   action check_access {
     CheckAccess(instruction_begin - data, base, index, restricted_register,
                 valid_targets, &instruction_info_collected);
   }
 
   # Action which marks last byte as not immediate.  Most 3DNow! instructions,
-  # some AVX and XOP instructions have this proerty.  It's referenced by
-  # decode_x86_32 machine in [autogenerated] "validator_x86_32_instruction.rl"
-  # file.
+  # some AVX and XOP instructions have this property.
+  #
+  # This action is referenced by decode_x86_32 ragel machine in [autogenerated]
+  # "validator_x86_64_instruction.rl" file.
   action last_byte_is_not_immediate {
     instruction_info_collected |= LAST_BYTE_IS_NOT_IMMEDIATE;
   }
 
   action modifiable_instruction {
     instruction_info_collected |= MODIFIABLE_INSTRUCTION;
   }
 
   action process_0_operands {
     Process0Operands(&restricted_register, &instruction_info_collected);
@@ skipping 44 matching lines @@
      # instruction (it gets assembled as 'lea 0x00(%rbp,%r15,1),%rbp').
      0x4a 0x8d 0x6c 0x3d 0x00               | # lea 0x00(%rbp,%r15,1),%rbp
      0x4a 0x8d 0xac 0x3d 0x00 0x00 0x00 0x00) # lea 0x00000000(%rbp,%r15,1),%rbp
     # Note: restricted_register keeps the restricted register as explained in
     # http://www.chromium.org/nativeclient/design-documents/nacl-sfi-model-on-x86-64-systems
     #
     # "Normal" instructions can not be used in a place where %rbp is restricted.
     # But since these instructions are "second half" of the %rbp sandboxing they
     # can be used *only* when %rbp is restricted.
     #
-    # That is (normal instruction):
+    # Compare:
     #   mov %eax,%ebp
     #   mov %esi,%edi   <- Error: %ebp is restricted
     # vs
     #   mov %esi,%edi
     #   add %r15,%rbp   <- Error: %ebp is *not* restricted
     # vs
     #   mov %eax,%ebp
     #   add %r15,%rbp   <- Ok: %rbp is restricted as it should be
     #
     # Check this precondition and mark the beginning of the instruction as
     # invalid jump for target.
     @{ if (restricted_register == REG_RBP)
+         /* RESTRICTED_REGISTER_USED is informational flag used in tests.  */
          instruction_info_collected |= RESTRICTED_REGISTER_USED;
        else
+         /* UNRESTRICTED_RSP_PROCESSED is error flag used in production.  */
          instruction_info_collected |= UNRESTRICTED_RBP_PROCESSED;
        restricted_register = NO_REG;
        UnmarkValidJumpTarget((instruction_begin - data), valid_targets);
     };
 
   # Special %rsp modifications - the ones which don't need a sandboxing.
   #
   # Note that there are two different opcodes for "mov": in x86-64 there are two
   # fields in ModR/M byte (REG field and RM field) and "mov" may be used to move
   # from REG field to RM or in the other direction thus there are two encodings
@@ skipping 48 matching lines @@
          instruction_info_collected |= UNRESTRICTED_RSP_PROCESSED;
        restricted_register = NO_REG;
        UnmarkValidJumpTarget((instruction_begin - data), valid_targets);
     };
 
   # naclcall or nacljmp. These are three-instruction indirection-jump sequences.
   #    and $~0x1f, %eXX
   #    and RBASE, %rXX
   #    jmpq *%rXX   (or: callq *%rXX)
   # Note: first "and $~0x1f, %eXX" is a normal instruction (it can occur not
-  # just as part of the naclcall/nacljmp, but also as a standolene instruction).
+  # just as part of the naclcall/nacljmp, but also as a standalene instruction).
   #
   # This means that when naclcall_or_nacljmp ragel machine will be combined with
   # "normal_instruction*" regular action process_1_operand_zero_extends will be
   # triggered when main ragel machine will accept "and $~0x1f, %eXX" x86-64
   # instruction.  This action will check if %rbp/%rsp is legally modified thus
   # we don't need to duplicate this logic in naclcall_or_nacljmp ragel machine.
   #
   # There are number of variants present which differ by the REX prefix usage:
   # we need to make sure "%eXX" in "and", "%rXX" in "add", and "%eXX" in "jmpq"
   # or "callq" is the same register and it's much simpler to do if one single
   # action handles only fixed number of bytes.
   #
   # Additional complication arises because x86-64 contains two different "add"
   # instruction: with "0x01" and "0x03" opcode.  They differ in the direction
   # used: both can encode "add %src_register, %dst_register", but the first one
   # uses field REG of the ModR/M byte for the src and field RM of the ModR/M
   # byte for the dst while last one uses field RM of the ModR/M byte for the src
   # and field REG of the ModR/M byte for dst.  Both should be allowed.
   #
-  # See AMD/Intel manual for clarification "add" instruction encoding.
+  # See AMD/Intel manual for clarification about “add” instruction encoding.
   #
   # REGISTER USAGE ABBREVIATIONS:
   #     E86:   legacy ia32 registers (all eight: %eax to %edi)
   #     R86:   64-bit counterparts for legacy 386 registers (%rax to %rdi)
   #     E64:   32-bit counterparts for new amd64 registers (%r8d to %r14d)
   #     R64:   new amd64 registers (only seven: %r8 to %r14)
   #     RBASE: %r15 (used as "base of untrusted world" in NaCl for amd64)
   naclcall_or_nacljmp =
     # This block encodes call and jump "superinstruction" of the following form:
     #     0: 83 e_ e0    and    $~0x1f,E86
@@ skipping 110 matching lines @@
       ((b_0100_xxx1 0xff (b_11_010_xxx - b_11_010_111)) |
     #### INSTRUCTION THREE: jmp (three bytes)
     # jmpq R64
        (b_0100_xxx1 0xff (b_11_100_xxx - b_11_100_111)))))
     @{
       ProcessNaclCallOrJmpAddToRegWithRex(&instruction_info_collected,
                                           &instruction_begin, current_position,
                                           data, valid_targets);
     };
 
-  # EMMS/SSE2/AVX instructions which have implicit %ds:(%rsi) operand
-  # maskmovq %mmX,%mmY
-  maskmovq =
-      REX_WRXB? (0x0f 0xf7)
-      @CPUFeature_EMMX modrm_registers;
-  # maskmovdqu %xmmX, %xmmY
-  maskmovdqu =
-      0x66 REX_WRXB? (0x0f 0xf7) @not_data16_prefix
-      @CPUFeature_SSE2 modrm_registers;
-  # vmaskmovdqu %xmmX, %xmmY
-  vmaskmovdqu =
-      ((0xc4 (VEX_RB & VEX_map00001) 0x79 @vex_prefix3) |
-      (0xc5 (0x79 | 0xf9) @vex_prefix_short)) 0xf7
-      @CPUFeature_AVX modrm_registers;
+  # EMMX/SSE/SSE2/AVX instructions which have implicit %ds:(%rsi) operand
+
+  # maskmovq %mmX,%mmY (EMMX or SSE)
+  maskmovq = REX_WRXB? 0x0f 0xf7 @CPUFeature_EMMXSSE modrm_registers;
+
+  # maskmovdqu %xmmX, %xmmY (SSE2)
+  maskmovdqu = 0x66 REX_WRXB? 0x0f 0xf7 @CPUFeature_SSE2 modrm_registers;
+
+  # vmaskmovdqu %xmmX, %xmmY (AVX)
+  vmaskmovdqu = ((0xc4 (VEX_RB & VEX_map00001) b_0_1111_0_01) |
+                 (0xc5 b_X_1111_0_01)) 0xf7 @CPUFeature_AVX modrm_registers;
+
   mmx_sse_rdi_instruction = maskmovq | maskmovdqu | vmaskmovdqu;
 
   # Temporary fix: for string instructions combination of data16 and rep(ne)
   # prefixes is disallowed to mimic old validator behavior.
   # See http://code.google.com/p/nativeclient/issues/detail?id=1950
 
   # data16rep = (data16 | rep data16 | data16 rep);
   # data16condrep = (data16 | condrep data16 | data16 condrep);
   data16rep = data16;
   data16condrep = data16;
@@ skipping 147 matching lines @@
     # Mark the instruction as special - currently this information is used only
     # in tests, but in the future we may use it for dynamic code modification
     # support.
     @{
        instruction_info_collected |= SPECIAL_INSTRUCTION;
     };
 
   # Remove special instructions which are only allowed in special cases.
   normal_instruction = one_instruction - special_instruction;
 
-  # Check if call is properly aligned.
+  # Ragel machine which checks if call is properly aligned.
   #
   # For direct call we explicitly encode all variations.  For indirect call
   # we accept all the special instructions which ends with indirect call.
   call_alignment =
     ((normal_instruction &
       # Direct call
       ((data16 REX_RXB? 0xe8 rel16) |
        (REX_WRXB? 0xe8 rel32) |
        (data16 REXW_RXB 0xe8 rel32))) |
      (special_instruction &
@@ skipping 59 matching lines @@
      * the ValidateChunkAMD64 function.
      *
      * It does not affect the case which we really care about (when code
      * is validatable), but makes it possible to detect more errors in one
      * run in tools like ncval.
      */
     continue;
   }
 
   # This is main ragel machine: it does 99% of validation work. There are only
-  # one thing to do with bundle if this machine accepts the bundle:
+  # one thing to do with bundle if this ragel machine accepts the bundle:
   #  * check for the state of the restricted_register at the end of the bundle.
   #     It's an error is %rbp or %rsp is restricted at the end of the bundle.
   # Additionally if all the bundles are fine you need to check that direct jumps
   # are corect.  Thiis is done in the following way:
   #  * DFA fills two arrays: valid_targets and jump_dests.
   #  * ProcessInvalidJumpTargets checks that "jump_dests & !valid_targets == 0".
   # All other checks are done here.
 
   main := ((call_alignment | normal_instruction | special_instruction)
      @end_of_instruction_cleanup)*
     $!report_fatal_error;
 
 }%%
 
+/*
+ * The "write data" statement causes Ragel to emit the constant static data
+ * needed by the ragel machine.
+ */
 %% write data;
 
 enum OperandKind {
   OPERAND_SANDBOX_IRRELEVANT = 0,
   /*
    * Currently we do not distinguish 8bit and 16bit modifications from
    * OPERAND_SANDBOX_UNRESTRICTED to match the behavior of the old validator.
    *
    * 8bit operands must be distinguished from other types because the REX prefix
    * regulates the choice between %ah and %spl, as well as %ch and %bpl.
@@ skipping 503 matching lines @@
       free(jump_dests);
       free(valid_targets);
       errno = ENOMEM;
       return FALSE;
     }
   }
 
   /*
    * This option is usually used in tests: we will process the whole chunk
    * in one pass. Usually each bundle is processed separately which means
-   * instructions (and super-instructions) can not cross borders of the bundle.
+   * instructions (and "superinstructions") can not cross borders of the bundle.
    */
   if (options & PROCESS_CHUNK_AS_A_CONTIGUOUS_STREAM)
     end_of_bundle = data + size;
   else
     end_of_bundle = data + kBundleSize;
 
   /*
    * Main loop.  Here we process the data array bundle-after-bundle.
    * Ragel-produced DFA does all the checks with one exception: direct jumps.
    * It collects the two arrays: valid_targets and jump_dests which are used
@@ skipping 15 matching lines @@
     uint32_t operand_states = 0;
     enum OperandName base = NO_REG;
     enum OperandName index = NO_REG;
     enum OperandName restricted_register =
       EXTRACT_RESTRICTED_REGISTER_INITIAL_VALUE(options);
     uint8_t rex_prefix = FALSE;
     /* Top three bits of VEX2 are inverted: see AMD/Intel manual.  */
     uint8_t vex_prefix2 = VEX_R | VEX_X | VEX_B;
     uint8_t vex_prefix3 = 0x00;
 
+    /*
+     * The "write init" statement causes Ragel to emit initialization code.
+     * This should be executed once before the ragel machine is started.
+     */
     %% write init;
+    /*
+     * The "write exec" statement causes Ragel to emit the ragel machine's
+     * execution code.
+     */
     %% write exec;
 
     /*
      * Ragel DFA accepted the bundle, but we still need to make sure the last
      * instruction haven't left %rbp or %rsp in restricted state.
      */
     if (restricted_register == REG_RBP)
       result &= user_callback(end_of_bundle, end_of_bundle,
                               RESTRICTED_RBP_UNPROCESSED |
                               ((REG_RBP << RESTRICTED_REGISTER_SHIFT) &
@@ skipping 11 matching lines @@
    */
   result &= ProcessInvalidJumpTargets(data, size, valid_targets, jump_dests,
                                       user_callback, callback_data);
 
   /* We only use malloc for a large code sequences  */
   if (jump_dests != &jump_dests_small) free(jump_dests);
   if (valid_targets != &valid_targets_small) free(valid_targets);
   if (!result) errno = EINVAL;
   return result;
 }