Mac x86_64: Mach exception support

src/trusted/service_runtime/osx/mach_exception_handler.c

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "native_client/src/trusted/service_runtime/osx/mach_exception_handler.h"
 
 #include <mach/mach.h>
 #include <mach/mach_vm.h>
 #include <mach/thread_status.h>
 #include <pthread.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 
 #include "native_client/src/include/nacl_macros.h"
 #include "native_client/src/include/portability.h"
 #include "native_client/src/shared/platform/nacl_check.h"
 #include "native_client/src/shared/platform/nacl_log.h"
 #include "native_client/src/trusted/service_runtime/arch/sel_ldr_arch.h"
 #include "native_client/src/trusted/service_runtime/nacl_app.h"
 #include "native_client/src/trusted/service_runtime/nacl_app_thread.h"
 #include "native_client/src/trusted/service_runtime/nacl_config.h"
 #include "native_client/src/trusted/service_runtime/nacl_exc.h"
 #include "native_client/src/trusted/service_runtime/nacl_exception.h"
 #include "native_client/src/trusted/service_runtime/nacl_globals.h"
 #include "native_client/src/trusted/service_runtime/nacl_switch_to_app.h"
+#include "native_client/src/trusted/service_runtime/nacl_tls.h"
+#include "native_client/src/trusted/service_runtime/osx/mach_thread_map.h"
+#include "native_client/src/trusted/service_runtime/osx/mach_thread_trusted_state.h"
 #include "native_client/src/trusted/service_runtime/sel_ldr.h"
 #include "native_client/src/trusted/service_runtime/sel_rt.h"
 
-/* Only handle x86_32 for now. */
-#if NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32
+#if NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86
 
 
 /*
  * MIG generated message pump from /usr/include/mach/exc.defs
  * Tweaked to place in an isolated namespace.
  */
 boolean_t nacl_exc_server(
     mach_msg_header_t *InHeadP,
     mach_msg_header_t *OutHeadP);
 
@@ skipping 36 matching lines @@
   }
 }
 
 static void FireDebugStubEvent(int pipe_fd) {
   char buf = 0;
   if (write(pipe_fd, &buf, sizeof(buf)) != sizeof(buf)) {
     NaClLog(LOG_FATAL, "FireDebugStubEvent: Can't send debug stub event\n");
   }
 }
 
+#if NACL_BUILD_SUBARCH == 32
+
+#define NATIVE_x86_THREAD_STATE x86_THREAD_STATE32
+#define TSx ts32
+
+#define TS_xCX TSx.__ecx

[Mark Seaborn, 2013/02/14 23:55:02]

I'm not overly keen on adding macros for accessing *all* of these fields.  It
adds extra levels of indirection that the reader needs to follow to see the
underlying struct.

Maybe just add macros for fields that are common between 32-bit and 64-bit?

e.g.

#define X86_FLAGS(regs) ((regs).uts.ts32.__eflags)
#define X86_PROG_CTR(regs) ((regs).uts.ts32.__eip)

Also making this look like a function is more compositional than having a
#define for a compound field name like "ts32.__eflags".

+#define TS_xBP TSx.__ebp
+#define TS_xSP TSx.__esp
+#define TS_SS TSx.__ss
+#define TS_xFLAGS TSx.__eflags
+#define TS_xIP TSx.__eip
+#define TS_CS TSx.__cs
+#define TS_DS TSx.__ds
+#define TS_ES TSx.__es
+#define TS_GS TSx.__gs
+
+#elif NACL_BUILD_SUBARCH == 64
+
+#define NATIVE_x86_THREAD_STATE x86_THREAD_STATE64
+#define TSx ts64
+
+#define TS_xDI TSx.__rdi
+#define TS_xBP TSx.__rbp
+#define TS_xSP TSx.__rsp
+#define TS_xIP TSx.__rip
+#define TS_xFLAGS TSx.__rflags
+
+#endif  /* NACL_BUILD_SUBARCH */
+
 static int HandleException(mach_port_t thread_port,
                            exception_type_t exception, int *is_untrusted) {
   mach_msg_type_number_t size;
   x86_thread_state_t regs;
   kern_return_t result;
-  uint16_t trusted_cs = NaClGetGlobalCs();
-  uint16_t trusted_ds = NaClGetGlobalDs();
   uint32_t nacl_thread_index;
   struct NaClApp *nap;
   struct NaClAppThread *natp;
   struct NaClExceptionFrame frame;
-  uintptr_t frame_addr_user;
+  uint32_t frame_addr_user;
   uintptr_t frame_addr_sys;
+#if NACL_BUILD_SUBARCH == 32
+  uint16_t trusted_cs = NaClGetGlobalCs();
+  uint16_t trusted_ds = NaClGetGlobalDs();
+#endif
 
   /* Assume untrusted crash until we know otherwise. */
   *is_untrusted = TRUE;
 
   /* Capture the register state of the 'excepting' thread. */
-  size = sizeof(regs) / sizeof(natural_t);
+  size = x86_THREAD_STATE_COUNT;
   result = thread_get_state(thread_port, x86_THREAD_STATE,
-                            (void *) &regs, &size);
+                            (thread_state_t) &regs, &size);
   if (result != KERN_SUCCESS) {
     return 0;
   }
+  CHECK(regs.tsh.flavor == NATIVE_x86_THREAD_STATE);
 
+#if NACL_BUILD_SUBARCH == 32
   /*
    * If trusted_cs is 0 (which is not a usable segment selector), the
    * sandbox has not been initialised yet, so there can be no untrusted
    * code running.
    */
   if (trusted_cs == 0) {
     *is_untrusted = FALSE;
     return 0;
   }
 
   /*
    * If the current code segment is the trusted one, we aren't in the
    * sandbox.
    * TODO(bradnelson): This makes the potentially false assumption that cs is
    *     the last thing to change when switching into untrusted code. We need
    *     tests to vet this.
    */
-  if (regs.uts.ts32.__cs == trusted_cs) {
+  if (regs.uts.TS_CS == trusted_cs) {
     /*
      * If we are single-stepping, allow NaClSwitchRemainingRegsViaECX()
      * to continue in order to restore control to untrusted code.
      */
     if (exception == EXC_BREAKPOINT &&
-        (regs.uts.ts32.__eflags & NACL_X86_TRAP_FLAG) != 0 &&
-        regs.uts.ts32.__eip >= (uintptr_t) NaClSwitchRemainingRegsViaECX &&
-        regs.uts.ts32.__eip < (uintptr_t) NaClSwitchRemainingRegsAsmEnd) {
+        (regs.uts.TS_xFLAGS & NACL_X86_TRAP_FLAG) != 0 &&
+        regs.uts.TS_xIP >= (uintptr_t) NaClSwitchRemainingRegsViaECX &&
+        regs.uts.TS_xIP < (uintptr_t) NaClSwitchRemainingRegsAsmEnd) {
       return 1;
     }
     *is_untrusted = FALSE;
     return 0;
   }
 
   /*
    * We can get the thread index from the segment selector used for TLS
    * from %gs >> 3.
    * TODO(bradnelson): Migrate that knowledge to a single shared location.
    */
-  nacl_thread_index = regs.uts.ts32.__gs >> 3;
+  nacl_thread_index = regs.uts.TS_GS >> 3;
+#elif NACL_BUILD_SUBARCH == 64
+  nacl_thread_index = NaClGetThreadIndexForMachThread(thread_port);
+  if (nacl_thread_index == NACL_TLS_INDEX_INVALID) {
+    *is_untrusted = FALSE;
+    return 0;
+  }
+#endif
+
   natp = NaClAppThreadGetFromIndex(nacl_thread_index);
   nap = natp->nap;
 
+#if NACL_BUILD_SUBARCH == 64

[Mark Seaborn, 2013/02/14 23:55:02]

It looks like you don't need this #if, and your intention was that
NaClMachThreadStateIsInUntrusted() should work for x86-32 too?

+  *is_untrusted = NaClMachThreadStateIsInUntrusted(&regs, nacl_thread_index);
+  /*
+   * If trusted code accidentally jumped to untrusted code, don't let the
+   * untrusted exception handler take over.
+   */
+  if (*is_untrusted &&
+      (natp->suspend_state & NACL_APP_THREAD_UNTRUSTED) == 0) {
+    *is_untrusted = 0;
+  }
+  if (!*is_untrusted) {
+    return 0;
+  }
+#endif
+
   if (nap->enable_faulted_thread_queue) {
+#if NACL_BUILD_SUBARCH == 32
     /*
      * If we are single-stepping, step through until we reach untrusted code.
      */
     if (exception == EXC_BREAKPOINT &&
-        (regs.uts.ts32.__eflags & NACL_X86_TRAP_FLAG) != 0) {
-      if (regs.uts.ts32.__eip >= nap->all_regs_springboard.start_addr &&
-          regs.uts.ts32.__eip < nap->all_regs_springboard.end_addr) {
+        (regs.uts.TS_xFLAGS & NACL_X86_TRAP_FLAG) != 0) {
+      if (regs.uts.TS_xIP >= nap->all_regs_springboard.start_addr &&
+          regs.uts.TS_xIP < nap->all_regs_springboard.end_addr) {
         return 1;
       }
       /*
        * Step through the instruction we have been asked to restore
        * control to.
        */
-      if (regs.uts.ts32.__eip == natp->user.gs_segment.new_prog_ctr) {
+      if (regs.uts.TS_xIP == natp->user.gs_segment.new_prog_ctr) {
         return 1;
       }
     }
+#endif
 
     /*
      * Increment the kernel's thread suspension count so that the
      * thread remains suspended after we return.
      */
     result = thread_suspend(thread_port);
     if (result != KERN_SUCCESS) {
       NaClLog(LOG_FATAL, "HandleException: thread_suspend() call failed\n");
     }
     /*
      * Notify the handler running on another thread.  This must happen
      * after the thread_suspend() call, otherwise the handler might
      * receive the notification and attempt to decrement the thread's
      * suspension count before we have incremented it.
      */
     natp->fault_signal = ExceptionCodeToNaClSignalNumber(exception);
     AtomicIncrement(&nap->faulted_thread_count, 1);
     FireDebugStubEvent(nap->faulted_thread_fd_write);
     return 1;
   }
 
-  /*
-   * Ignore all but bad accesses for now.
-   * TODO(bradnelson): eventually consider these too:
-   *     EXC_BAD_INSTRUCTION
-   *     EXC_ARITHMETIC
-   *     EXC_BREAKPOINT
-   */
-  if (exception != EXC_BAD_ACCESS) {
-    return 0;
-  }
-
-  /* Don't handle it if the exception flag is set. */
-  if (natp->exception_flag) {
-    return 0;
-  }
-  /* Set the flag. */
-  natp->exception_flag = 1;
-
-  /* Don't handle if no exception handler is set. */
-  if (nap->exception_handler == 0) {
-    return 0;
-  }
-
   /* Get location of exception stack frame. */
   if (natp->exception_stack) {
     frame_addr_user = natp->exception_stack;
   } else {
     /* If not set default to user stack. */
-    frame_addr_user = regs.uts.ts32.__esp;
+    frame_addr_user = regs.uts.TS_xSP - NACL_STACK_RED_ZONE;
   }
 
   /* Align stack frame properly. */
   frame_addr_user -=
       sizeof(struct NaClExceptionFrame) - NACL_STACK_PAD_BELOW_ALIGN;
   frame_addr_user &= ~NACL_STACK_ALIGN_MASK;
   frame_addr_user -= NACL_STACK_PAD_BELOW_ALIGN;
 
   /* Convert from user to system space. */
   frame_addr_sys = NaClUserToSysAddrRange(
       nap, frame_addr_user, sizeof(struct NaClExceptionFrame));
   if (frame_addr_sys == kNaClBadAddress) {
     return 0;
   }
 
+  /*
+   * Ignore all but bad accesses for now.
+   * TODO(bradnelson): eventually consider these too:
+   *     EXC_BAD_INSTRUCTION
+   *     EXC_ARITHMETIC
+   *     EXC_BREAKPOINT
+   */
+  if (exception != EXC_BAD_ACCESS) {
+    return 0;
+  }
+
+  /* Don't handle if no exception handler is set. */
+  if (nap->exception_handler == 0) {

[Mark Seaborn, 2013/02/14 23:55:02]

I can see why you reordered this before checking exception_flag (though this
seems like an unrelated change that should maybe be separate?).

But I think it's better to check nap->exception_handler before looking at
natp->exception_stack.

[Mark Mentovai, 2013/02/15 17:36:42]

Mark Seaborn wrote:
I can put this back how it was and address it in a follow-up.

Actually, I was thinking of just using “goto” to clear exception_flag for the
late failure cases, mach_vm_write and thread_set_state. I’ll just work all of
that into the follow-up.

+    return 0;
+  }
+
+  /* Don't handle it if the exception flag is set. */
+  if (natp->exception_flag) {
+    return 0;
+  }
+  /* Set the flag. */
+  natp->exception_flag = 1;
+
   /* Set up the stack frame for the handler invocation. */
   frame.return_addr = 0;
+  frame.context.prog_ctr = regs.uts.TS_xIP;
+  frame.context.stack_ptr = regs.uts.TS_xSP;
+  frame.context.frame_ptr = regs.uts.TS_xBP;
+#if NACL_BUILD_SUBARCH == 32
   frame.context_ptr = frame_addr_user +
                       offsetof(struct NaClExceptionFrame, context);
-  frame.context.prog_ctr = regs.uts.ts32.__eip;
-  frame.context.stack_ptr = regs.uts.ts32.__esp;
-  frame.context.frame_ptr = regs.uts.ts32.__ebp;
+#endif
 
   /*
    * Write the stack frame into untrusted address space.  We do not
    * write to the memory directly because that will fault if the
    * destination location is not writable.  Faulting is OK for NaCl
    * syscalls, but here we do not want to trigger an exception while
    * in the exception handler.  The overhead of using a Mach system
    * call to write to memory is acceptable here.
    */
   result = mach_vm_write(mach_task_self(), frame_addr_sys,
                          (uintptr_t) &frame, sizeof(frame));
   if (result != KERN_SUCCESS) {
     return 0;
   }
 
   /* Set up thread context to resume at handler. */
-  natp->user.new_prog_ctr = nap->exception_handler;
-  natp->user.stack_ptr = frame_addr_user;
   /* TODO(bradnelson): put all registers in some default state. */
-
+#if NACL_BUILD_SUBARCH == 32
   /*
    * Put registers in right place to land at NaClSwitchNoSSEViaECX
    * This is required because:
    *   - For an unknown reason thread_set_state resets %cs to the default
    *     value, even when set to something else, in current XNU versions.
    *   - An examination of the XNU sources indicates
    *     that setting the code which state the thread state resets
    *     %cs, %ds, %es, %ss to their default values in some early versions.
    *     (For instance: xnu-792.6.22/osfmk/i386/pcb.c:616)
    * This precludes going directly to the untrusted handler.
    * Instead we call a variant of NaClSwitchNoSSE which takes a pointer
    * to the thread user context in %ecx.
    */
-  regs.uts.ts32.__eip = (uint32_t) &NaClSwitchNoSSEViaECX;
-  regs.uts.ts32.__cs = trusted_cs;
-  regs.uts.ts32.__ecx = (uint32_t) &natp->user;
-  regs.uts.ts32.__ds = trusted_ds;
-  regs.uts.ts32.__es = trusted_ds;  /* just for good measure */
-  regs.uts.ts32.__ss = trusted_ds;  /* just for good measure */
-  regs.uts.ts32.__eflags &= ~NACL_X86_DIRECTION_FLAG;
+  natp->user.new_prog_ctr = nap->exception_handler;
+  natp->user.stack_ptr = frame_addr_user;
+  regs.uts.TS_xIP = (uint32_t) &NaClSwitchNoSSEViaECX;
+  regs.uts.TS_CS = trusted_cs;
+  regs.uts.TS_xCX = (uint32_t) &natp->user;
+  regs.uts.TS_DS = trusted_ds;
+  regs.uts.TS_ES = trusted_ds;  /* just for good measure */
+  regs.uts.TS_SS = trusted_ds;  /* just for good measure */
+#elif NACL_BUILD_SUBARCH == 64
+  regs.uts.TS_xIP = NaClUserToSys(nap, nap->exception_handler);
+  regs.uts.TS_xSP = frame_addr_sys;
+  regs.uts.TS_xBP = nap->mem_start;
+
+  /* Argument 1 */
+  regs.uts.TS_xDI = frame_addr_user +
+                    offsetof(struct NaClExceptionFrame, context);
+#endif
+  regs.uts.TS_xFLAGS &= ~NACL_X86_DIRECTION_FLAG;
   result = thread_set_state(thread_port, x86_THREAD_STATE,
-                            (void *) &regs, size);
+                            (thread_state_t) &regs, size);
   if (result != KERN_SUCCESS) {
     return 0;
   }
 
   /* Return success, and resume the thread. */
   return 1;
 }
 
 
 static kern_return_t ForwardException(
@@ skipping 265 matching lines @@
 failure:
   if (data) {
     if (MACH_PORT_NULL != data->exception_port) {
       mach_port_deallocate(current_task, data->exception_port);
     }
     free(data);
   }
   return FALSE;
 }
 
-#else  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32 */
-
-int NaClInterceptMachExceptions(void) {
-  return FALSE;
-}
-
-#endif  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32 */
+#endif  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 */