Mac x86_64: Mach exception support

src/trusted/service_runtime/osx/mach_exception_handler.c

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "native_client/src/trusted/service_runtime/osx/mach_exception_handler.h"
 
 #include <mach/mach.h>
 #include <mach/mach_vm.h>
 #include <mach/thread_status.h>
 #include <pthread.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 
 #include "native_client/src/include/nacl_macros.h"
 #include "native_client/src/include/portability.h"
 #include "native_client/src/shared/platform/nacl_check.h"
 #include "native_client/src/shared/platform/nacl_log.h"
 #include "native_client/src/trusted/service_runtime/arch/sel_ldr_arch.h"
 #include "native_client/src/trusted/service_runtime/nacl_app.h"
 #include "native_client/src/trusted/service_runtime/nacl_app_thread.h"
 #include "native_client/src/trusted/service_runtime/nacl_config.h"
 #include "native_client/src/trusted/service_runtime/nacl_exc.h"
 #include "native_client/src/trusted/service_runtime/nacl_exception.h"
 #include "native_client/src/trusted/service_runtime/nacl_globals.h"
 #include "native_client/src/trusted/service_runtime/nacl_switch_to_app.h"
+#include "native_client/src/trusted/service_runtime/osx/crash_filter.h"
+#include "native_client/src/trusted/service_runtime/osx/mach_thread_map.h"
 #include "native_client/src/trusted/service_runtime/sel_ldr.h"
 #include "native_client/src/trusted/service_runtime/sel_rt.h"
 
-/* Only handle x86_32 for now. */
-#if NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32
+#if NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86
 
 
 /*
  * MIG generated message pump from /usr/include/mach/exc.defs
  * Tweaked to place in an isolated namespace.
  */
 boolean_t nacl_exc_server(
     mach_msg_header_t *InHeadP,
     mach_msg_header_t *OutHeadP);
 
@@ skipping 41 matching lines @@
   if (write(pipe_fd, &buf, sizeof(buf)) != sizeof(buf)) {
     NaClLog(LOG_FATAL, "FireDebugStubEvent: Can't send debug stub event\n");
   }
 }
 
 static int HandleException(mach_port_t thread_port,
                            exception_type_t exception, int *is_untrusted) {
   mach_msg_type_number_t size;
   x86_thread_state_t regs;
   kern_return_t result;
+#if NACL_BUILD_SUBARCH == 32
   uint16_t trusted_cs = NaClGetGlobalCs();
   uint16_t trusted_ds = NaClGetGlobalDs();
+#endif
   uint32_t nacl_thread_index;
   struct NaClApp *nap;
   struct NaClAppThread *natp;
   struct NaClExceptionFrame frame;
   uintptr_t frame_addr_user;
   uintptr_t frame_addr_sys;
 
   /* Assume untrusted crash until we know otherwise. */
   *is_untrusted = TRUE;
 
   /* Capture the register state of the 'excepting' thread. */
-  size = sizeof(regs) / sizeof(natural_t);
+  size = x86_THREAD_STATE_COUNT;
   result = thread_get_state(thread_port, x86_THREAD_STATE,
-                            (void *) &regs, &size);
+                            (thread_state_t) &regs, &size);
   if (result != KERN_SUCCESS) {
     return 0;
   }
+#if NACL_BUILD_SUBARCH == 32
+  CHECK(regs.tsh.flavor == x86_THREAD_STATE32);
+#elif NACL_BUILD_SUBARCH == 64
+  CHECK(regs.tsh.flavor == x86_THREAD_STATE64);
+#endif
 
+#if NACL_BUILD_SUBARCH == 32
   /*
    * If trusted_cs is 0 (which is not a usable segment selector), the
    * sandbox has not been initialised yet, so there can be no untrusted
    * code running.
    */
   if (trusted_cs == 0) {
     *is_untrusted = FALSE;
     return 0;
   }
+#endif
 
   /*
    * If the current code segment is the trusted one, we aren't in the
    * sandbox.
    * TODO(bradnelson): This makes the potentially false assumption that cs is
    *     the last thing to change when switching into untrusted code. We need
    *     tests to vet this.
    */
+#if NACL_BUILD_SUBARCH == 32
   if (regs.uts.ts32.__cs == trusted_cs) {
     /*
      * If we are single-stepping, allow NaClSwitchRemainingRegsViaECX()
      * to continue in order to restore control to untrusted code.
      */
     if (exception == EXC_BREAKPOINT &&
         (regs.uts.ts32.__eflags & NACL_X86_TRAP_FLAG) != 0 &&
         regs.uts.ts32.__eip >= (uintptr_t) NaClSwitchRemainingRegsViaECX &&
         regs.uts.ts32.__eip < (uintptr_t) NaClSwitchRemainingRegsAsmEnd) {
       return 1;
     }
     *is_untrusted = FALSE;
     return 0;
   }
 
   /*
    * We can get the thread index from the segment selector used for TLS
    * from %gs >> 3.
    * TODO(bradnelson): Migrate that knowledge to a single shared location.
    */
   nacl_thread_index = regs.uts.ts32.__gs >> 3;
+#elif NACL_BUILD_SUBARCH == 64
+  nacl_thread_index = GetNaClThreadIndexForMachThread(thread_port);
+  if (!nacl_thread_index) {

[Mark Seaborn, 2013/02/14 00:37:54]

Make this "if (nacl_thread_index == NACL_TLS_INDEX_INVALID)"

+    *is_untrusted = FALSE;
+    return 0;
+  }
+#endif
+
   natp = NaClAppThreadGetFromIndex(nacl_thread_index);
   nap = natp->nap;
+#if NACL_BUILD_SUBARCH == 64
+  *is_untrusted = NaClMachThreadStateIsInUntrusted(natp, &regs);
+  /*
+   * If trusted code accidentally jumped to untrusted code, don't let the
+   * untrusted exception handler take over.
+   */
+  if (*is_untrusted &&
+      (natp->suspend_state & NACL_APP_THREAD_UNTRUSTED) == 0) {
+    *is_untrusted = 0;
+  }
+  if (!*is_untrusted) {
+    return 0;
+  }
+#endif
 
   if (nap->enable_faulted_thread_queue) {
     /*
      * If we are single-stepping, step through until we reach untrusted code.
      */
+#if NACL_BUILD_SUBARCH == 32
     if (exception == EXC_BREAKPOINT &&
         (regs.uts.ts32.__eflags & NACL_X86_TRAP_FLAG) != 0) {
       if (regs.uts.ts32.__eip >= nap->all_regs_springboard.start_addr &&
           regs.uts.ts32.__eip < nap->all_regs_springboard.end_addr) {
         return 1;
       }
       /*
        * Step through the instruction we have been asked to restore
        * control to.
        */
       if (regs.uts.ts32.__eip == natp->user.gs_segment.new_prog_ctr) {
         return 1;
       }
     }
+#endif
 
     /*
      * Increment the kernel's thread suspension count so that the
      * thread remains suspended after we return.
      */
     result = thread_suspend(thread_port);
     if (result != KERN_SUCCESS) {
       NaClLog(LOG_FATAL, "HandleException: thread_suspend() call failed\n");
     }
     /*
@@ skipping 12 matching lines @@
    * Ignore all but bad accesses for now.
    * TODO(bradnelson): eventually consider these too:
    *     EXC_BAD_INSTRUCTION
    *     EXC_ARITHMETIC
    *     EXC_BREAKPOINT
    */
   if (exception != EXC_BAD_ACCESS) {
     return 0;
   }
 
+  /* Don't handle if no exception handler is set. */
+  if (nap->exception_handler == 0) {
+    return 0;
+  }
+
   /* Don't handle it if the exception flag is set. */
   if (natp->exception_flag) {
     return 0;
   }
   /* Set the flag. */
   natp->exception_flag = 1;
 
-  /* Don't handle if no exception handler is set. */
-  if (nap->exception_handler == 0) {
-    return 0;
-  }
-
   /* Get location of exception stack frame. */
   if (natp->exception_stack) {
     frame_addr_user = natp->exception_stack;
   } else {
     /* If not set default to user stack. */
-    frame_addr_user = regs.uts.ts32.__esp;
+#if NACL_BUILD_SUBARCH == 32
+    frame_addr_user = regs.uts.ts32.__esp - NACL_STACK_RED_ZONE;
+#elif NACL_BUILD_SUBARCH == 64
+    frame_addr_user = (regs.uts.ts64.__rsp & 0xffffffff) - NACL_STACK_RED_ZONE;

[Mark Seaborn, 2013/02/14 00:37:54]

Casting to uint32_t would be preferred over '& 0xffffffff'.  You can make
frame_addr_user uint32_t.

You can do "frame_addr_user -= NACL_STACK_RED_ZONE" outside the #ifs.

+#endif
   }
 
   /* Align stack frame properly. */
   frame_addr_user -=
       sizeof(struct NaClExceptionFrame) - NACL_STACK_PAD_BELOW_ALIGN;
   frame_addr_user &= ~NACL_STACK_ALIGN_MASK;
   frame_addr_user -= NACL_STACK_PAD_BELOW_ALIGN;
 
   /* Convert from user to system space. */
   frame_addr_sys = NaClUserToSysAddrRange(
       nap, frame_addr_user, sizeof(struct NaClExceptionFrame));
   if (frame_addr_sys == kNaClBadAddress) {
     return 0;
   }
 
   /* Set up the stack frame for the handler invocation. */
   frame.return_addr = 0;
+#if NACL_BUILD_SUBARCH == 32
   frame.context_ptr = frame_addr_user +
                       offsetof(struct NaClExceptionFrame, context);
   frame.context.prog_ctr = regs.uts.ts32.__eip;
   frame.context.stack_ptr = regs.uts.ts32.__esp;
   frame.context.frame_ptr = regs.uts.ts32.__ebp;
+#elif NACL_BUILD_SUBARCH == 64
+  frame.context.prog_ctr = regs.uts.ts64.__rip;
+  frame.context.stack_ptr = regs.uts.ts64.__rsp;
+  frame.context.frame_ptr = regs.uts.ts64.__rbp;
+#endif
 
   /*
    * Write the stack frame into untrusted address space.  We do not
    * write to the memory directly because that will fault if the
    * destination location is not writable.  Faulting is OK for NaCl
    * syscalls, but here we do not want to trigger an exception while
    * in the exception handler.  The overhead of using a Mach system
    * call to write to memory is acceptable here.
    */
   result = mach_vm_write(mach_task_self(), frame_addr_sys,
                          (uintptr_t) &frame, sizeof(frame));
   if (result != KERN_SUCCESS) {
     return 0;
   }
 
   /* Set up thread context to resume at handler. */
+#if NACL_BUILD_SUBARCH == 32
   natp->user.new_prog_ctr = nap->exception_handler;
   natp->user.stack_ptr = frame_addr_user;
+#endif
   /* TODO(bradnelson): put all registers in some default state. */
 
   /*
    * Put registers in right place to land at NaClSwitchNoSSEViaECX

[Mark Seaborn, 2013/02/14 00:37:54]

This comment should be inside "#if NACL_BUILD_SUBARCH == 32"

    * This is required because:
    *   - For an unknown reason thread_set_state resets %cs to the default
    *     value, even when set to something else, in current XNU versions.
    *   - An examination of the XNU sources indicates
    *     that setting the code which state the thread state resets
    *     %cs, %ds, %es, %ss to their default values in some early versions.
    *     (For instance: xnu-792.6.22/osfmk/i386/pcb.c:616)
    * This precludes going directly to the untrusted handler.
    * Instead we call a variant of NaClSwitchNoSSE which takes a pointer
    * to the thread user context in %ecx.
    */
+#if NACL_BUILD_SUBARCH == 32
   regs.uts.ts32.__eip = (uint32_t) &NaClSwitchNoSSEViaECX;
   regs.uts.ts32.__cs = trusted_cs;
   regs.uts.ts32.__ecx = (uint32_t) &natp->user;
   regs.uts.ts32.__ds = trusted_ds;
   regs.uts.ts32.__es = trusted_ds;  /* just for good measure */
   regs.uts.ts32.__ss = trusted_ds;  /* just for good measure */
   regs.uts.ts32.__eflags &= ~NACL_X86_DIRECTION_FLAG;
+#elif NACL_BUILD_SUBARCH == 64
+  regs.uts.ts64.__rip = NaClUserToSys(nap, nap->exception_handler);
+  regs.uts.ts64.__rsp = frame_addr_sys;
+  regs.uts.ts64.__rflags &= ~NACL_X86_DIRECTION_FLAG;
+  regs.uts.ts64.__rbp = nap->mem_start;
+
+  /* Argument 1 */
+  regs.uts.ts64.__rdi = frame_addr_user +
+                        offsetof(struct NaClExceptionFrame, context);
+#endif
   result = thread_set_state(thread_port, x86_THREAD_STATE,
                             (void *) &regs, size);
   if (result != KERN_SUCCESS) {
     return 0;
   }
 
   /* Return success, and resume the thread. */
   return 1;
 }
 
@@ skipping 267 matching lines @@
 failure:
   if (data) {
     if (MACH_PORT_NULL != data->exception_port) {
       mach_port_deallocate(current_task, data->exception_port);
     }
     free(data);
   }
   return FALSE;
 }
 
-#else  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32 */
-
-int NaClInterceptMachExceptions(void) {
-  return FALSE;
-}
-
-#endif  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32 */
+#endif  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 */