Add more instructions to text-based spec.

src/trusted/validator_ragel/spec.py

 #!/usr/bin/python
 # Copyright (c) 2013 The Native Client Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Executable specification of valid instructions and superinstructions (in terms
 # of their disassembler listing).
 # Should serve as formal and up-to-date ABI reference and as baseline for
 # validator exhaustive tests.
 
@@ skipping 199 matching lines @@
     '%ebp' : '%rbp',
     '%r8d' : '%r8',
     '%r9d' : '%r9',
     '%r10d' : '%r10',
     '%r11d' : '%r11',
     '%r12d' : '%r12',
     '%r13d' : '%r13',
     '%r14d' : '%r14',
     '%r15d' : '%r15'}
 
+REGS32 = REG32_TO_REG64.keys()
 REGS64 = REG32_TO_REG64.values()
 
 
 class Condition(object):
   """Represents assertion about the state of 64-bit registers.
 
   (used as precondition and postcondition)
 
   Supported assertions:
     0. %rpb and %rsp are sandboxed (and nothing is known about other registers)
@@ skipping 187 matching lines @@
   for op in write_operands:
     # TODO(shcherbina): disallow writes to
     #   cs, ds, es, fs, gs
     if op in ['%r15', '%r15d', '%r15w', '%r15b']:
       raise SandboxingError('changes to r15 are not allowed', instruction)
     if op in ['%bpl', '%bp', '%rbp']:
       raise SandboxingError('changes to rbp are not allowed', instruction)
     if op in ['%spl', '%sp', '%rsp']:
       raise SandboxingError('changes to rsp are not allowed', instruction)
 
-    if op in REG32_TO_REG64 and zero_extending:
+    if op in REGS32 and zero_extending:
       if not postcondition.Implies(Condition()):
         raise SandboxingError(
             '%s when zero-extending %s'
             % (postcondition.WhyNotImplies(Condition()), op),
             instruction)
 
       r = REG32_TO_REG64[op]
       if r in ['%rbp', '%rsp']:
         postcondition = Condition(restricted_instead_of_sandboxed=r)
       else:
@@ skipping 66 matching lines @@
           'segments in memory references are not allowed', instruction)
 
   if bitness == 32:
     if _InstructionNameIn(
         name,
         ['mov',  # including MOVD
          'add', 'sub', 'and', 'or', 'xor',
          'xchg', 'xadd',
          'inc', 'dec', 'neg', 'not',
          'lea',
+         'adc', 'bsf', 'bsr', 'lzcnt',
+         'btc', 'btr', 'bts', 'bt',
+         'cmp',
+         'cmc',
         ]):
       return Condition(), Condition()
     elif re.match(r'mov[sz][bwl][lqw]$', name):  # MOVSX, MOVSXD, MOVZX
       return Condition(), Condition()
+    elif name == 'bswap':
+      if ops[0] not in REGS32:
+        raise SandboxingError(
+            'bswap is only allowed with 32-bit operands',
+            instruction)
+      return Condition(), Condition()
     else:
       raise DoNotMatchError(instruction)
 
   elif bitness == 64:
     precondition = Condition()
     postcondition = Condition()
     zero_extending = False
     touches_memory = True
 
     if _InstructionNameIn(
@@ skipping 13 matching lines @@
       write_ops = ops
     elif _InstructionNameIn(name, ['inc', 'dec', 'neg', 'not']):
       assert len(ops) == 1
       zero_extending = True
       write_ops = ops
     elif name == 'lea':
       assert len(ops) == 2
       write_ops = [ops[1]]
       touches_memory = False
       zero_extending = True
+    elif _InstructionNameIn(
+        name,
+        ['adc', 'bsf', 'bsr', 'lzcnt']):
+      # Note: some versions of objdump (including one that is currently used
+      # in targeted tests) decode 'tzcnt' as 'repz bsf'
+      # (see validator_ragel/testdata/32/tzcnt.test)
+      # From sandboxing point of view bsf and tzcnt are the same, so
+      # we ignore this bug here.
+      # Same applies to 32-bit version.
+      assert len(ops) == 2
+      write_ops = [ops[1]]
+    elif _InstructionNameIn(name, ['btc', 'btr', 'bts', 'bt']):
+      assert len(ops) == 2
+      # bt* accept arbitrarily large bit offset when second
+      # operand is memory and offset is in register.
+      # Interestingly, when offset is immediate, it's taken modulo operand size,
+      # even when second operand is memory.
+      # Also, validator currently disallows
+      #   bt* <register>, <register>
+      # which is techincally safe. We disallow it in spec as well for
+      # simplicity.
+      if not re.match(_ImmediateRE() + r'$', ops[0]):
+        raise SandboxingError(
+            'bt* is only allowed with immediate as bit offset',
+            instruction)
+      if _InstructionNameIn(name, ['bt']):
+        write_ops = []
+      else:
+        write_ops = [ops[1]]
+    elif _InstructionNameIn(name, ['cmp']):
+      assert len(ops) == 2
+      write_ops = []
+    elif name == 'bswap':
+      assert len(ops) == 1
+      if ops[0] not in REGS32 + REGS64:
+        raise SandboxingError(
+            'bswap is only allowed with 32-bit and 64-bit operands',
+            instruction)
+      write_ops = ops
+    elif _InstructionNameIn(name, ['cmc']):
+      assert len(ops) == 0
+      write_ops = []
     else:
       raise DoNotMatchError(instruction)
 
     if touches_memory:
       precondition = _ProcessMemoryAccess(instruction, ops)
 
     postcondition = _ProcessOperandWrites(
         instruction, write_ops, zero_extending)
 
     return precondition, postcondition
@@ skipping 229 matching lines @@
       raise DoNotMatchError(superinstruction)
     if lea_r15_rsi_rsi.match(superinstruction[1].disasm) is None:
       raise DoNotMatchError(superinstruction)
     if mov_edi_edi.match(superinstruction[2].disasm) is None:
       raise DoNotMatchError(superinstruction)
     if lea_r15_rdi_rdi.match(superinstruction[3].disasm) is None:
       raise DoNotMatchError(superinstruction)
     return
 
   raise DoNotMatchError(superinstruction)