A mechanism to identify/forbid/"rewrite" non-temporal instructions (and other)

src/trusted/validator/driver/ncval.cc

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ skipping 37 matching lines @@
   string message;
   Error(uint32_t offset, string message) : offset(offset), message(message) {}
 };
 
 
 struct UserData {
   Segment segment;
   vector<Error> *errors;
   vector<Jump> *jumps;
   set<uint32_t> *bad_jump_targets;
+  uint32_t flags;
   UserData(Segment segment,
            vector<Error> *errors,
            vector<Jump> *jumps,
-           set<uint32_t> *bad_jump_targets)
+           set<uint32_t> *bad_jump_targets,
+           uint32_t flags)
       : segment(segment),
         errors(errors),
         jumps(jumps),
-        bad_jump_targets(bad_jump_targets) {
+        bad_jump_targets(bad_jump_targets),
+        flags(flags) {
   }
 };
 
 
 Bool ProcessInstruction(
     const uint8_t *begin, const uint8_t *end,
     uint32_t validation_info, void *user_data_ptr) {
 
   UserData &user_data = *reinterpret_cast<UserData *>(user_data_ptr);
   vector<Error> &errors = *user_data.errors;
@@ skipping 11 matching lines @@
                                                      user_data.segment.data);
     if (validation_info & RELATIVE_8BIT) {
       program_counter += reinterpret_cast<const int8_t *>(end)[-1];
       user_data.jumps->push_back(Jump(offset, program_counter));
     } else if (validation_info & RELATIVE_32BIT) {
       program_counter += reinterpret_cast<const int32_t *>(end)[-1];
       user_data.jumps->push_back(Jump(offset, program_counter));
     }
   }
 
+  // If we are not disabling non-temporals, they should pass validation, and
+  // the corresponding validation_info bit is simply cleared.
+  if (user_data.flags != DISABLE_NONTEMPORALS)
+    validation_info &= ~UNSUPPORTED_INSTRUCTION;
+
   Bool result = (validation_info & (VALIDATION_ERRORS_MASK | BAD_JUMP_TARGET))
                 ? FALSE
                 : TRUE;
 
   // We clear bit for each processed error, and in the end if there are still
   // errors we did not report, we produce generic error message.
   // This way, if validator interface was changed (new error bits were
   // introduced), we at least wouldn't ignore them completely.
 
   // TODO(shcherbina): deal with code duplication somehow.
 
   if (validation_info & UNRECOGNIZED_INSTRUCTION) {
     validation_info &= ~UNRECOGNIZED_INSTRUCTION;
     errors.push_back(Error(offset, "unrecognized instruction"));
   }
 
   if (validation_info & DIRECT_JUMP_OUT_OF_RANGE) {
     validation_info &= ~DIRECT_JUMP_OUT_OF_RANGE;
     errors.push_back(Error(offset, "direct jump out of range"));
   }
 
   if (validation_info & CPUID_UNSUPPORTED_INSTRUCTION) {
     validation_info &= ~CPUID_UNSUPPORTED_INSTRUCTION;
     errors.push_back(Error(offset, "required CPU feature not found"));
   }
 
+  if (validation_info & UNSUPPORTED_INSTRUCTION) {
+    validation_info &= ~UNSUPPORTED_INSTRUCTION;
+    errors.push_back(Error(offset, "unsupported instruction"));
+  }
+
   if (validation_info & FORBIDDEN_BASE_REGISTER) {
     validation_info &= ~FORBIDDEN_BASE_REGISTER;
     errors.push_back(Error(offset, "improper memory address - bad base"));
   }
 
   if (validation_info & UNRESTRICTED_INDEX_REGISTER) {
     validation_info &= ~UNRESTRICTED_INDEX_REGISTER;
     errors.push_back(Error(offset, "improper memory address - bad index"));
   }
 
@@ skipping 52 matching lines @@
 
   return result;
 }
 
 
 Bool ProcessError(
     const uint8_t *begin, const uint8_t *end,
     uint32_t validation_info, void *user_data_ptr) {
   UNREFERENCED_PARAMETER(begin);
   UNREFERENCED_PARAMETER(end);
-  UNREFERENCED_PARAMETER(validation_info);
-  UNREFERENCED_PARAMETER(user_data_ptr);
-  return FALSE;
+  UserData &user_data = *reinterpret_cast<UserData *>(user_data_ptr);
+
+  // We do the same thing as in ProcessInstruction(): If we are not disabling
+  // non-temporals, they should pass validation, and the corresponding
+  // validation_info bit is simply cleared.
+  if (user_data.flags != DISABLE_NONTEMPORALS)
+    validation_info &= ~UNSUPPORTED_INSTRUCTION;
+
+  Bool result = (validation_info & (VALIDATION_ERRORS_MASK | BAD_JUMP_TARGET))
+                ? FALSE
+                : TRUE;
+  return result;
 }
 
 
 typedef Bool ValidateChunkFunc(
     const uint8_t *data, size_t size,
     uint32_t options,
     const NaClCPUFeaturesX86 *cpu_features,
     ValidationCallbackFunc user_callback,
     void *callback_data);
 
 
 bool ValidateX86(
     const Segment &segment,
     ValidateChunkFunc validate_chunk,
-    vector<Error> *errors) {
+    vector<Error> *errors,
+    uint32_t flags) {
 
   errors->clear();
 
   if (segment.vaddr % kBundleSize != 0) {
     errors->push_back(Error(
         segment.vaddr,
         "Text segment offset in memory is not bundle-aligned."));
     return false;
   }
 
   if (segment.size % kBundleSize != 0) {
     char buf[100];
     SNPRINTF(buf, sizeof buf,
              "Text segment size (0x%" NACL_PRIx32 ") is not "
              "multiple of bundle size.",
              segment.size);
     errors->push_back(Error(segment.vaddr + segment.size, buf));
     return false;
   }
 
   vector<Jump> jumps;
   set<uint32_t> bad_jump_targets;
 
-  UserData user_data(segment, errors, &jumps, &bad_jump_targets);
+  UserData user_data(segment, errors, &jumps, &bad_jump_targets, flags);
 
   // TODO(shcherbina): customize from command line
 
   // We collect all errors except bad jump targets, and we separately
   // memoize all direct jumps (or calls) and bad jump targets.
   Bool result = validate_chunk(
       segment.data, segment.size,
       CALL_USER_CALLBACK_ON_EACH_INSTRUCTION, &kFullCPUIDFeatures,
       ProcessInstruction, &user_data);
 
   // Report destinations of jumps that lead to bad targets.
   for (size_t i = 0; i < jumps.size(); i++) {
     const Jump &jump = jumps[i];
     if (bad_jump_targets.count(jump.to) > 0)
       errors->push_back(Error(jump.from, "bad jump target"));
   }
 
   // Run validator as it is run in loader, without callback on each instruction,
   // and ensure that results match. If ncval is guaranteed to return the same
   // result as actual validator, it can be reliably used as validator wrapper
   // for testing.
   CHECK(result == validate_chunk(
       segment.data, segment.size,
       0, &kFullCPUIDFeatures,
-      ProcessError, NULL));
+      ProcessError, &user_data));
 
   return static_cast<bool>(result);
 }
 
 
 class NcvalArmProblemReporter : public ProblemReporter {
  public:
   explicit NcvalArmProblemReporter(vector<Error> *errors) : errors(errors) {}
 
  protected:
@@ skipping 40 matching lines @@
       nacl_arm_dec::RegisterList(nacl_arm_dec::Register::Sp()),
       &cpu_features);
 
   NcvalArmProblemReporter reporter(errors);
   return validator.validate(segments, &reporter);
 }
 
 
 void Usage() {
   fprintf(stderr, "Usage:\n");
-  fprintf(stderr, "    ncval [-v] <ELF file>\n");
+  fprintf(stderr, "    ncval [-vd] <ELF file>\n");
 }
 
 
 struct Options {
-  Options() : input_file(NULL), verbose(false) {}
+  Options() : input_file(NULL), verbose(false), flags(0) {}
   const char *input_file;
   bool verbose;
+  uint32_t flags;
 };
 
 
 void ParseOptions(int argc, char **argv, Options *options) {
   int opt;
-  while ((opt = getopt(argc, argv, "v")) != -1) {
+  while ((opt = getopt(argc, argv, "vd")) != -1) {
     switch (opt) {
       case 'v':
         options->verbose = true;
         break;
+      case 'd':
+        options->flags = DISABLE_NONTEMPORALS;
+        break;
       default:
         fprintf(stderr, "ERROR: unknown option: [%c]\n\n", opt);
         Usage();
         exit(-1);
     }
   }
 
   if (argc - optind != 1) {
     fprintf(stderr, "ERROR: too many arguments provided\n\n");
     Usage();
@@ skipping 11 matching lines @@
   elf_load::Image image;
   elf_load::ReadImage(options.input_file, &image);
 
   elf_load::Architecture architecture = elf_load::GetElfArch(image);
   Segment segment = elf_load::GetElfTextSegment(image);
 
   vector<Error> errors;
   bool result = false;
   switch (architecture) {
     case elf_load::X86_32:
-      result = ValidateX86(segment, ValidateChunkIA32, &errors);
+      result = ValidateX86(segment, ValidateChunkIA32, &errors,
+                           options.flags);
       break;
     case elf_load::X86_64:
-      result = ValidateX86(segment, ValidateChunkAMD64, &errors);
+      result = ValidateX86(segment, ValidateChunkAMD64, &errors,
+                           options.flags);
       break;
     case elf_load::ARM:
       result = ValidateArm(segment, &errors);
       break;
     default:
       CHECK(false);
   }
 
   for (size_t i = 0; i < errors.size(); i++) {
     const Error &e = errors[i];
     fprintf(stderr, "%8" NACL_PRIx32 ": %s\n", e.offset, e.message.c_str());
   }
 
   if (!result) {
     fprintf(stderr, "Invalid.\n");
     return 1;
   }
 
   if (options.verbose) {
     fprintf(stderr, "Valid.\n");
   }
   return 0;
 }