Change BKPT and UDF encodings on ARM.

src/trusted/validator_arm/validator_small_tests.cc

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #ifndef NACL_TRUSTED_BUT_NOT_TCB
 #error This file is not meant for use in the TCB
 #endif
 
@@ skipping 502 matching lines @@
         << undefined_insts[i].about;
     EXPECT_EQ(nacl_arm_dec::UNDEFINED, spy.GetSafetyLevel(first))
         << "Instruction must be flagged as UNDEFINED: "
         << undefined_insts[i].about;
     EXPECT_EQ(nacl_arm_val::kProblemUnsafe, first.problem())
         << "Instruction must be marked unsafe: "
         << undefined_insts[i].about;
   }
 }
 
-TEST_F(ValidatorTests, LessScaryUndefinedInstructions) {
-  // These instructions are specified by ARM as *permanently* undefined, so we
-  // treat them as a reliable Illegal Instruction trap.
-
-  static const AnnotatedInstruction perm_undefined[] = {
-    { 0xE7FFDEFE, "permanently undefined instruction produced by LLVM" },
-  };
-
-  for (unsigned i = 0; i < NACL_ARRAY_SIZE(perm_undefined); i++) {
-    arm_inst program[] = { perm_undefined[i].inst };
-    validation_should_pass(program,
-                           1,
-                           kDefaultBaseAddr,
-                           perm_undefined[i].about);
-  }
-}
-
 TEST_F(ValidatorTests, PcRelativeFirstInst) {
   // Note: This tests the fix for issue 2771.
   static const arm_inst pcrel_boundary_tests[] = {
     0xe59f0000,  // ldr     r0, [pc, #0]
     0xe320f000,  // nop     {0}
     0xe320f000,  // nop     {0}
     0xe320f000,  // nop     {0}"
   };
   validation_should_pass(pcrel_boundary_tests,
                          NACL_ARRAY_SIZE(pcrel_boundary_tests),
@@ skipping 469 matching lines @@
   // Run test to verify that "Push {pc}", encoding A2 on a8-248 of ARM manual,
   // is unsafe.
   all_cond_values_fail(0xe52dF004,  // push {pc}
                        kDefaultBaseAddr,
                        "push {pc} (A2 A8-248) should be unpredictable");
 }
 
 TEST_F(ValidatorTests, ConditionalBreakpoints) {
   ProblemSpy spy;
   arm_inst bkpt = 0xE1200070;  // BKPT #0
-  arm_inst pool_head = nacl_arm_dec::kLiteralPoolHeadInstruction;
+  arm_inst pool_head = nacl_arm_dec::kLiteralPoolHead;
   for (Instruction::Condition cond = Instruction::EQ;
        cond < Instruction::AL;
        cond = Instruction::Next(cond)) {
     bkpt = ChangeCond(bkpt, cond);
     pool_head = ChangeCond(pool_head, cond);
     EXPECT_FALSE(validate(&bkpt, 1, kDefaultBaseAddr, &spy))
         << "conditional breakpoint should be unpredictable";
     EXPECT_FALSE(validate(&pool_head, 1, kDefaultBaseAddr, &spy))
         << "conditional literal pool head should be unpredictable";
   }
 }
 
 TEST_F(ValidatorTests, LiteralPoolHeadIsBreakpoint) {
-  EXPECT_EQ(nacl_arm_dec::kLiteralPoolHeadInstruction & 0xFFF000F0,
+  EXPECT_EQ(nacl_arm_dec::kLiteralPoolHead & 0xFFF000F0,
             0xE1200070)  // BKPT #0
       << ("the literal pool head should be a breakpoint: "
           "it needs to act as a roadblock");
 }
 
+TEST_F(ValidatorTests, Breakpoint) {
+  EXPECT_EQ(nacl_arm_dec::kBreakpoint & 0xFFF000F0,
+            0xE1200070)  // BKPT #0
+      << ("the breakpoint instruction should be a breakpoint: "
+          "it needs to trap");
+}
+
+TEST_F(ValidatorTests, HaltFill) {
+  EXPECT_EQ(nacl_arm_dec::kHaltFill & 0xFFF000F0,
+            0xE7F000F0)  // UDF #0
+      << ("the halt fill instruction should be UDF: "
+          "it needs to trap");
+}
+
+TEST_F(ValidatorTests, AbortNow) {
+  EXPECT_EQ(nacl_arm_dec::kAbortNow & 0xFFF000F0,
+            0xE7F000F0)  // UDF #0
+      << ("the abort now instruction should be UDF: "
+          "it needs to trap");
+}
+
+TEST_F(ValidatorTests, FailValidation) {
+  EXPECT_EQ(nacl_arm_dec::kFailValidation & 0xFFF000F0,
+            0xE7F000F0)  // UDF #0
+      << ("the fail validation instruction should be UDF: "
+          "it needs to trap");
+}
+
+TEST_F(ValidatorTests, UDFAndBKPTValidateAsExpected) {
+  ProblemSpy spy;
+  for (uint32_t i = 0; i < 0xFFFF; ++i) {
+    arm_inst bkpt_inst = 0xE1200070 | ((i & 0xFFF0) << 4) | (i & 0xF);
+    arm_inst udf_inst  = 0xE7F000F0 | ((i & 0xFFF0) << 4) | (i & 0xF);
+    EXPECT_EQ(validate(&bkpt_inst, 1, kDefaultBaseAddr, &spy),
+              ((bkpt_inst == nacl_arm_dec::kLiteralPoolHead) ||
+               (bkpt_inst == nacl_arm_dec::kBreakpoint)));
+    EXPECT_EQ(validate(&udf_inst, 1, kDefaultBaseAddr, &spy),
+              ((udf_inst == nacl_arm_dec::kHaltFill) ||
+               (udf_inst == nacl_arm_dec::kAbortNow)));
+    // Tautological note: kFailValidation should fail validation.
+  }
+}
+
 TEST_F(ValidatorTests, LiteralPoolHeadInstruction) {
   // Make sure that literal pools are handled properly: they should be preceded
   // by a special breakpoint instruction at the start of the bundle, and can
   // then contain any bits that would otherwise look malicious.
   // Each literal pool bundle has to start with such a literal pool head.
   vector<arm_inst> literal_pool(_validator.InstructionsPerBundle(),
                                 0xEF000000);  // SVC #0
   literal_pool[0] = 0xE1200070;  // BKPT #0
   // Try out all BKPT encodings, and make sure only one of them works.
   for (uint32_t imm16 = 0; imm16 <= 0xFFFF; ++imm16) {
     literal_pool[0] = (literal_pool[0] & 0xFFF000F0) |
         (imm16 & 0xF) |
         ((imm16 & 0xFFF0) << 8);
-    if (literal_pool[0] == nacl_arm_dec::kLiteralPoolHeadInstruction) {
+    if (literal_pool[0] == nacl_arm_dec::kLiteralPoolHead) {
       validation_should_pass(literal_pool.data(),
                              literal_pool.size(),
                              kDefaultBaseAddr,
                              "valid literal pool: "
                              "starts with special BKPT");
     } else {
       validation_should_fail(literal_pool.data(),
                              literal_pool.size(),
                              kDefaultBaseAddr,
                              "invalid literal pool: "
                              "starts with just a regular BKPT");
     }
   }
 }
 
 TEST_F(ValidatorTests, LiteralPoolHeadPosition) {
   // Literal pools should only work when the head instruction is indeed at
   // the head.
   vector<arm_inst> literal_pool(_validator.InstructionsPerBundle());
   for (size_t pos = 0; pos <= literal_pool.size(); ++pos) {
     std::fill(literal_pool.begin(), literal_pool.end(), 0xEF000000);  // SVC #0
     if (pos != literal_pool.size()) {
       // We do one iteration without a literal pool head at all.
-      literal_pool[pos] = nacl_arm_dec::kLiteralPoolHeadInstruction;
+      literal_pool[pos] = nacl_arm_dec::kLiteralPoolHead;
     }
     if (pos == 0) {
       validation_should_pass(literal_pool.data(),
                              literal_pool.size(),
                              kDefaultBaseAddr,
                              "valid literal pool: "
                              "starts with special head instruction");
     } else {
       validation_should_fail(literal_pool.data(),
                              literal_pool.size(),
                              kDefaultBaseAddr,
                              "invalid literal pool: "
                              "doesn't start with special  head instruction");
     }
   }
 }
 
 TEST_F(ValidatorTests, LiteralPoolBig) {
   // Literal pools should be a single bundle wide, each must be preceded by
   // a pool head.
   vector<arm_inst> literal_pools(2 * _validator.InstructionsPerBundle());
   for (size_t pos = 0; pos <= literal_pools.size(); ++pos) {
     std::fill(literal_pools.begin(), literal_pools.end(),
               0xEF000000);  // SVC #0
-    literal_pools[pos] = nacl_arm_dec::kLiteralPoolHeadInstruction;
+    literal_pools[pos] = nacl_arm_dec::kLiteralPoolHead;
     validation_should_fail(literal_pools.data(),
                            literal_pools.size(),
                            kDefaultBaseAddr,
                            "invalid literal pool: two pools, one head");
   }
 }
 
 TEST_F(ValidatorTests, LiteralPoolBranch) {
   // Branching to a literal pool should only work at the head.
   // Construct a code region with a bundle of code, then a bundle-wide
   // literal pool, then another bundle of code.
   // Add a branch from different code locations, pointing at different
   // parts of the code. Pointing in the literal pool should fail, except
   // when pointing at the head.
   // Note that we don't actually put anything malicious in the literal pool,
   // and we still shouldn't be able to jump in the middle of it.
   const size_t bundle_pos = _validator.InstructionsPerBundle();
   vector<arm_inst> code(3 * bundle_pos);
   for (size_t b_pos = 0; b_pos < code.size(); ++b_pos) {
     if ((bundle_pos <= b_pos) && (b_pos < bundle_pos * 2)) {
       // Don't try putting the branch in the middle of the literal pool.
       continue;
     }
     std::fill(code.begin(), code.end(), 0xE320F000);  // NOP
-    code[bundle_pos] = nacl_arm_dec::kLiteralPoolHeadInstruction;
+    code[bundle_pos] = nacl_arm_dec::kLiteralPoolHead;
     for (size_t b_target = 0; b_target < code.size(); ++b_target) {
       // PC reads as current instruction address plus 8 (e.g. two instructions
       // ahead of b_pos).
       // imm24 is encoded with the bottom two bits zeroed out, which we
       // implicitly do by working with instructions instead of bytes.
       uint32_t imm24 = (b_target - b_pos - 2) & 0x00FFFFFF;
       code[b_pos] = 0xEA000000 | imm24;  // B #imm
       bool target_in_pool = (bundle_pos < b_target) &&
           (b_target < bundle_pos * 2);  // Excluding head.
       if (target_in_pool) {
@@ skipping 11 matching lines @@
   }
 }
 
 };  // anonymous namespace
 
 // Test driver function.
 int main(int argc, char *argv[]) {
   testing::InitGoogleTest(&argc, argv);
   return RUN_ALL_TESTS();
 }