Example #1
unwind_interval *
process_addsub(xed_decoded_inst_t *xptr, const xed_inst_t *xi, interval_arg_t *iarg)
  highwatermark_t *hw_tmp = &(iarg->highwatermark);

  unwind_interval *next = iarg->current;
  const xed_operand_t* op0 = xed_inst_operand(xi,0);
  const xed_operand_t* op1 = xed_inst_operand(xi,1);
  xed_operand_enum_t   op0_name = xed_operand_name(op0);

  if (op0_name == XED_OPERAND_REG0) {
    xed_reg_enum_t reg0 = xed_decoded_inst_get_reg(xptr, op0_name);
    if (x86_isReg_SP(reg0)) {
      // we are adjusting the stack pointer

      if (xed_operand_name(op1) == XED_OPERAND_IMM0) {
	int sign = (iclass_eq(xptr, XED_ICLASS_ADD)) ? -1 : 1;
	long immedv = sign * xed_decoded_inst_get_signed_immediate(xptr);
	ra_loc istatus = iarg->current->ra_status;
	if ((istatus == RA_STD_FRAME) && (immedv > 0) &&
	    (hw_tmp->state & HW_SP_DECREMENTED)) {
	  // if we are in a standard frame and we see a second subtract,
	  // it is time to convert interval to a BP frame to minimize
	  // the chance we get the wrong offset for the return address
	  // in a routine that manipulates SP frequently (as in
	  // leapfrog_mod_leapfrog_ in the SPEC CPU2006 benchmark
	  // 459.GemsFDTD, when compiled with PGI 7.0.3 with high levels
	  // of optimization).
	  // 9 December 2007 -- John Mellor-Crummey
	next = new_ui(iarg->ins + xed_decoded_inst_get_length(xptr), 
		      istatus, iarg->current->sp_ra_pos + immedv, iarg->current->bp_ra_pos, 
		      iarg->current->bp_status, iarg->current->sp_bp_pos + immedv, 
		      iarg->current->bp_bp_pos, iarg->current);

	if (immedv > 0) {
	  if (HW_TEST_STATE(hw_tmp->state, 0, HW_SP_DECREMENTED)) {
	    // set the highwatermark and canonical interval upon seeing
	    // the FIRST subtract from SP; take no action on subsequent
	    // subtracts.
	    // test case: main in SPEC CPU2006 benchmark 470.lbm
	    // contains multiple subtracts from SP when compiled with
	    // PGI 7.0.3 with high levels of optimization. the first
	    // subtract from SP is to set up the frame; subsequent ones
	    // are to reserve space for arguments passed to functions.
	    // 9 December 2007 -- John Mellor-Crummey
	    hw_tmp->uwi = next;
	    hw_tmp->succ_inst_ptr = 
	      iarg->ins + xed_decoded_inst_get_length(xptr);
	    hw_tmp->state = 
	      HW_NEW_STATE(hw_tmp->state, HW_SP_DECREMENTED);
	    iarg->canonical_interval = next;
      } else {
	if (iarg->current->ra_status != RA_BP_FRAME){
	  // no immediate in add/subtract from stack pointer; switch to
	  // BP_FRAME
	  // 9 December 2007 -- John Mellor-Crummey
	  next = new_ui(iarg->ins + xed_decoded_inst_get_length(xptr), RA_BP_FRAME, 
			iarg->current->sp_ra_pos, iarg->current->bp_ra_pos, 
			iarg->current->bp_status, iarg->current->sp_bp_pos, 
			iarg->current->bp_bp_pos, iarg->current);
	  iarg->bp_frames_found = true;
  return next;
Example #2
static PyObject *get_signed_immediate(instruction_t *self)
    xed_int32_t imm;
    imm = xed_decoded_inst_get_signed_immediate(self->decoded_inst);
    return PyLong_FromLong(imm);
Example #3
File: trace.c Project: anhkgg/temu
/* This is the central function
  Given a memory address, reads a bunch of memory bytes and
    calls the disassembler to obtain the information
  Then it stores the information into the eh EntryHeader
void decode_address(uint32_t address, EntryHeader *eh, int ignore_taint)
  unsigned char insn_buf[MAX_INSN_BYTES];
  unsigned int is_stackpush = 0, is_stackpop = 0;
  unsigned int stackpushpop_acc = 0;

  if (xed2chris_regmapping[XED_REG_EAX][0] == 0) {
    assert(xed2chris_regmapping[XED_REG_EAX][0] != 0);

  /* Read memory from TEMU */
  TEMU_read_mem(address, MAX_INSN_BYTES, insn_buf);

  /* Disassemble instruction buffer */
  xed_decoded_inst_zero_set_mode(&xedd, &dstate);
  xed_error_enum_t xed_error =
    xed_decode(&xedd, STATIC_CAST(const xed_uint8_t*,insn_buf), MAX_INSN_BYTES);
  xed_bool_t okay = (xed_error == XED_ERROR_NONE);
  if (!okay) return;

  // Increase counters

  int i;

  /* Clear out Entry header */
  memset(eh, 0, sizeof(EntryHeader));

  /* Copy the address and instruction size */
  eh->address = address;
  eh->inst_size = xed_decoded_inst_get_length(&xedd);
  if (eh->inst_size > MAX_INSN_BYTES) eh->inst_size = MAX_INSN_BYTES;

  /* Copy instruction rawbytes */
  memcpy(eh->rawbytes, insn_buf, eh->inst_size);

  /* Get the number of XED operands */
  const xed_inst_t* xi = xed_decoded_inst_inst(&xedd);
  int xed_ops = xed_inst_noperands(xi);
  int op_idx = -1;

  /* Get the category of the instruction */
  xed_category_enum_t category = xed_decoded_inst_get_category(&xedd);

  /* Iterate over the XED operands */
  for(i = 0; i < xed_ops; i++) {
  	if(op_idx >= MAX_NUM_OPERANDS)
    //assert(op_idx < MAX_NUM_OPERANDS);

    /* Get operand */
    const xed_operand_t* op = xed_inst_operand(xi,i);
    xed_operand_enum_t op_name = xed_operand_name(op);

    switch(op_name) {
      /* Register */
      case XED_OPERAND_REG0:
      case XED_OPERAND_REG1:
      case XED_OPERAND_REG2:
      case XED_OPERAND_REG3:
      case XED_OPERAND_REG4:
      case XED_OPERAND_REG5:
      case XED_OPERAND_REG6:
      case XED_OPERAND_REG7:
      case XED_OPERAND_REG8:
      case XED_OPERAND_REG9:
      case XED_OPERAND_REG10:
      case XED_OPERAND_REG11:
      case XED_OPERAND_REG12:
      case XED_OPERAND_REG13:
      case XED_OPERAND_REG14:
      case XED_OPERAND_REG15: {
        xed_reg_enum_t reg_id = xed_decoded_inst_get_reg(&xedd, op_name);
        int regnum = xed2chris_regmapping[reg_id][1];

        // Special handling for Push
        if (reg_id == XED_REG_STACKPUSH) is_stackpush = 1;
        else if (reg_id == XED_REG_STACKPOP) is_stackpop = 1;

        if (-1 == regnum)
        else {
          eh->operand[op_idx].type = TRegister;
          eh->operand[op_idx].addr = xed2chris_regmapping[reg_id][0];
	  eh->operand[op_idx].length = 
	    (uint8_t) xed_decoded_inst_operand_length (&xedd, i);
	  eh->operand[op_idx].access = (uint8_t) xed_operand_rw (op);
          eh->operand[op_idx].value = TEMU_cpu_regs[regnum];
          switch (eh->operand[op_idx].addr) {
            case ax_reg:
            case bx_reg:
            case cx_reg:
            case dx_reg:
            case bp_reg:
            case sp_reg:
            case si_reg:
            case di_reg:
              eh->operand[op_idx].value &= 0xFFFF;
            case al_reg:
            case bl_reg:
            case cl_reg:
            case dl_reg:
              eh->operand[op_idx].value &= 0xFF;
            case ah_reg:
            case bh_reg:
            case ch_reg:
            case dh_reg:
              eh->operand[op_idx].value = (eh->operand[i].value & 0xFF00) >> 8;
        if (ignore_taint == 0) set_operand_data(&(eh->operand[op_idx]));

      /* Immediate */
      case XED_OPERAND_IMM0: {
        eh->operand[op_idx].type = TImmediate;
	eh->operand[op_idx].length = 
	  (uint8_t) xed_decoded_inst_operand_length (&xedd, i);
	eh->operand[op_idx].access = (uint8_t) xed_operand_rw (op);
        //xed_uint_t width = xed_decoded_inst_get_immediate_width(&xedd);
        if (xed_decoded_inst_get_immediate_is_signed(&xedd)) {
          xed_int32_t signed_imm_val = 
          eh->operand[op_idx].value = (uint32_t) signed_imm_val;
        else {
          xed_uint64_t unsigned_imm_val =
          eh->operand[op_idx].value = (uint32_t) unsigned_imm_val;
      /* Special immediate only used in ENTER instruction */
      case XED_OPERAND_IMM1: {
        eh->operand[op_idx].type = TImmediate;
	eh->operand[op_idx].length = 
	  (uint8_t) xed_decoded_inst_operand_length (&xedd, i);
	eh->operand[op_idx].access = (uint8_t) xed_operand_rw (op);
        xed_uint8_t unsigned_imm_val = 
        eh->operand[op_idx].value = (uint32_t) unsigned_imm_val;

      /* Memory */
      case XED_OPERAND_AGEN:
      case XED_OPERAND_MEM0:
      case XED_OPERAND_MEM1: {
	unsigned long base = 0;
	unsigned long index = 0;
	unsigned long scale = 1;
	unsigned long segbase = 0;
	unsigned short segsel = 0;
	unsigned long displacement = 0;
	unsigned int j;
	size_t remaining = 0;

	/* Set memory index */
        int mem_idx = 0;
        if (op_name == XED_OPERAND_MEM1) mem_idx = 1;

	unsigned int memlen = xed_decoded_inst_operand_length (&xedd, i);

	for (j = 0; j < memlen; j+=4) {
	  /* Initialization */
	  base = 0;
	  index = 0;
	  scale = 1;
	  segbase = 0;
	  segsel = 0;
	  displacement = 0;
	  remaining = memlen - j;

	  if(op_idx >= MAX_NUM_OPERANDS)
	  //assert(op_idx < MAX_NUM_OPERANDS);
	  eh->operand[op_idx].type = TMemLoc;
	  eh->operand[op_idx].access = (uint8_t) xed_operand_rw (op);
	  eh->operand[op_idx].length = 
	    remaining > 4 ? 4 : (uint8_t) remaining;

	  // Get Segment register
	  xed_reg_enum_t seg_regid = 

	  if (seg_regid != XED_REG_INVALID) {
	    const xed_operand_values_t *xopv = 
	    xed_bool_t default_segment = 
	      xed_operand_values_using_default_segment (xopv,mem_idx);

	    if (!default_segment) {
	      int segmentreg = xed2chris_regmapping[seg_regid][0] - 100;

	      segbase = TEMU_cpu_segs[segmentreg].base;
	      segsel = TEMU_cpu_segs[segmentreg].selector;

	      eh->memregs[op_idx][0].type = TRegister;
	      eh->memregs[op_idx][0].length = 2;
	      eh->memregs[op_idx][0].addr = xed2chris_regmapping[seg_regid][0];
	      eh->memregs[op_idx][0].access = (uint8_t) XED_OPERAND_ACTION_R;
	      eh->memregs[op_idx][0].value = segsel;
	      eh->memregs[op_idx][0].usage = memsegment;
	      if (ignore_taint == 0) 

	      int dt;
	      if (segsel & 0x4)       // ldt
		dt = TEMU_cpu_ldt->base;
	      else                    //gdt
		dt = TEMU_cpu_gdt->base;
	      segsel = segsel >> 3;

	      unsigned long segent = dt + 8 * segsel;
	      unsigned char segdes[8];
	      TEMU_read_mem(segent, 8, segdes);

#if 0
	      // debugging code to double check segbase value
	      unsigned long segbasenew = segdes[2] + segdes[3] * 256 +
	      segdes[4] * 256 * 256 + segdes[7] * 256 * 256 * 256;
	      if (segbase != segbasenew) {
		term_printf("segbase unexpected: 0x%08lX v.s 0x%08lX\n",
			segbase, segbasenew);
	      /* Segment descriptor is stored as a memory operand */
	      eh->memregs[op_idx][3].type = TMemLoc;
	      eh->memregs[op_idx][3].length = 4;
	      eh->memregs[op_idx][3].addr = segent;
	      eh->memregs[op_idx][3].access = 
	      eh->memregs[op_idx][3].value = *(uint32_t *) segdes;
	      eh->memregs[op_idx][3].tainted = 0;
	      eh->memregs[op_idx][3].usage = memsegent0;

	      eh->memregs[op_idx][4].type = TMemLoc;
	      eh->memregs[op_idx][4].length = 4;
	      eh->memregs[op_idx][4].addr = segent + 4;
	      eh->memregs[op_idx][4].access = 
	      eh->memregs[op_idx][4].value = *(uint32_t *) (segdes + 4);
	      eh->memregs[op_idx][4].tainted = 0;
	      eh->memregs[op_idx][4].usage = memsegent1;

	  // Get Base register
	  xed_reg_enum_t base_regid = 
	  if (base_regid != XED_REG_INVALID) {
	    int basereg = xed2chris_regmapping[base_regid][1];
	    base = TEMU_cpu_regs[basereg];
	    eh->memregs[op_idx][1].type = TRegister;
	    eh->memregs[op_idx][1].addr = xed2chris_regmapping[base_regid][0];
	    eh->memregs[op_idx][1].length = 4;
	    eh->memregs[op_idx][1].access = (uint8_t) XED_OPERAND_ACTION_R;
	    eh->memregs[op_idx][1].value = base;
	    eh->memregs[op_idx][1].usage = membase;
	    if (ignore_taint == 0) set_operand_data(&(eh->memregs[op_idx][1]));
	  // Get Index register and Scale
	  xed_reg_enum_t index_regid = 
	  if (mem_idx == 0 && index_regid != XED_REG_INVALID) {
	    int indexreg = xed2chris_regmapping[index_regid][1];
	    index = TEMU_cpu_regs[indexreg];
	    eh->memregs[op_idx][2].type = TRegister;
	    eh->memregs[op_idx][2].addr = xed2chris_regmapping[index_regid][0];
	    eh->memregs[op_idx][2].length = 4;
	    eh->memregs[op_idx][2].access = (uint8_t) XED_OPERAND_ACTION_R;
	    eh->memregs[op_idx][2].value = index;
	    eh->memregs[op_idx][2].usage = memindex;
	    if (ignore_taint == 0) set_operand_data(&(eh->memregs[op_idx][2]));

	    // Get Scale (AKA width) (only have a scale if the index exists)
	    if (xed_decoded_inst_get_scale(&xedd,i) != 0) {
	      scale = (unsigned long) xed_decoded_inst_get_scale(&xedd,mem_idx);
	  // Get displacement (AKA offset)
	  displacement = 
	    (unsigned long) xed_decoded_inst_get_memory_displacement

	  // Fix displacement for:
	  //   1) Any instruction that pushes into the stack, since ESP is 
	  //        decremented before memory operand is written using ESP. 
	  //        Affects: ENTER,PUSH,PUSHA,PUSHF,CALL
	  if (is_stackpush) {
            stackpushpop_acc += eh->operand[op_idx].length;
            displacement = displacement - stackpushpop_acc -j;
	  //   2) Pop instructions where the 
	  //      destination operand is a memory location that uses ESP 
	  //        as base or index register. 
	  //      The pop operations increments ESP and the written memory 
	  //        location address needs to be adjusted.
	  //      Affects: pop (%esp)
	  else if ((category == XED_CATEGORY_POP) && (!is_stackpop)) {
	    if ((eh->memregs[op_idx][1].addr == esp_reg) || 
		(eh->memregs[op_idx][2].addr == esp_reg)) 
	      displacement = displacement + eh->operand[op_idx].length;

	  // Calculate memory address accessed
	  eh->operand[op_idx].addr =
	    j + segbase + base + index * scale + displacement;

	  // Special handling for LEA instructions
	  if (op_name == XED_OPERAND_AGEN) {
	    eh->operand[op_idx].type = TMemAddress;
	    eh->operand[op_idx].length = 4;
	    has_page_fault = 0; // LEA won't trigger page fault
	  else {
	    has_page_fault = TEMU_read_mem(eh->operand[op_idx].addr,
	      (uint8_t *)&(eh->operand[op_idx].value));

	  // Check if instruction accesses user memory
	  // kernel_mem_start defined in shared/read_linux.c
	  if ((eh->operand[op_idx].addr < kernel_mem_start) &&
	    (op_name != XED_OPERAND_AGEN))
	    access_user_mem = 1;
	  if (ignore_taint == 0) set_operand_data(&(eh->operand[op_idx]));

      /* Jumps */
      case XED_OPERAND_PTR:  // pointer (always in conjunction with a IMM0)
      case XED_OPERAND_RELBR: { // branch displacements
          xed_uint_t disp = xed_decoded_inst_get_branch_displacement(&xedd);
	  /* Displacement is from instruction end */
	  /* Adjust displacement with instruction size */
	  disp = disp + eh->inst_size;
	  eh->operand[op_idx].type = TJump;
	  eh->operand[op_idx].length = 4;
	  eh->operand[op_idx].access = (uint8_t) xed_operand_rw (op);
	  eh->operand[op_idx].value = disp;

      /* Floating point registers */
      case XED_REG_X87CONTROL:
      case XED_REG_X87STATUS:
      case XED_REG_X87TOP:
      case XED_REG_X87TAG:
      case XED_REG_X87PUSH:
      case XED_REG_X87POP:
      case XED_REG_X87POP2:
          eh->operand[op_idx].type = TFloatRegister;
          eh->operand[op_idx].length = 4;
	  eh->operand[op_idx].access = (uint8_t) xed_operand_rw (op);
Example #4
void print_operands(xed_decoded_inst_t* xedd) {
    unsigned int i, noperands;
    cout << "Operands" << endl;
    const xed_inst_t* xi = xed_decoded_inst_inst(xedd);
    noperands = xed_inst_noperands(xi);
    for( i=0; i < noperands ; i++) { 
        const xed_operand_t* op = xed_inst_operand(xi,i);
        xed_operand_enum_t op_name = xed_operand_name(op);
        cout << i << " " << xed_operand_enum_t2str(op_name) << " ";
        switch(op_name) {
          case XED_OPERAND_AGEN:
          case XED_OPERAND_MEM0:
          case XED_OPERAND_MEM1:
            // we print memops in a different function
          case XED_OPERAND_PTR:  // pointer (always in conjunction with a IMM0)
          case XED_OPERAND_RELBR: { // branch displacements
              xed_uint_t disp_bits = xed_decoded_inst_get_branch_displacement_width(xedd);
              if (disp_bits) {
                  //cout  << "BRANCH_DISPLACEMENT_BYTES= " << disp_bits << " ";
                  xed_int32_t disp = xed_decoded_inst_get_branch_displacement(xedd);
                  //cout << hex << setfill('0') << setw(8) << disp << setfill(' ') << dec;

          case XED_OPERAND_IMM0: { // immediates
              xed_uint_t width = xed_decoded_inst_get_immediate_width(xedd);
              if (xed_decoded_inst_get_immediate_is_signed(xedd)) {
                  xed_int32_t x =xed_decoded_inst_get_signed_immediate(xedd);
                  //cout << hex << setfill('0') << setw(8) << x << setfill(' ') << dec 
                  //     << '(' << width << ')';
              else {
                  xed_uint64_t x = xed_decoded_inst_get_unsigned_immediate(xedd); 
                  //cout << hex << setfill('0') << setw(16) << x << setfill(' ') << dec 
                  //     << '(' << width << ')';
          case XED_OPERAND_IMM1: { // immediates
              xed_uint8_t x = xed_decoded_inst_get_second_immediate(xedd);
              //cout << hex << setfill('0') << setw(2) << (int)x << setfill(' ') << dec;

          case XED_OPERAND_REG0:
          case XED_OPERAND_REG1:
          case XED_OPERAND_REG2:
          case XED_OPERAND_REG3:
          case XED_OPERAND_REG4:
          case XED_OPERAND_REG5:
          case XED_OPERAND_REG6:
          case XED_OPERAND_REG7:
          case XED_OPERAND_REG8:
          case XED_OPERAND_REG9:
          case XED_OPERAND_REG10:
          case XED_OPERAND_REG11:
          case XED_OPERAND_REG12:
          case XED_OPERAND_REG13:
          case XED_OPERAND_REG14:
          case XED_OPERAND_REG15: {
              xed_reg_enum_t r = xed_decoded_inst_get_reg(xedd, op_name);
              cout << xed_operand_enum_t2str(op_name) << "=" << xed_reg_enum_t2str(r);
            //cout << "[Not currently printing value of field " << xed_operand_enum_t2str(op_name) << ']';

        //cout << " " << xed_operand_visibility_enum_t2str(xed_operand_operand_visibility(op))
        //     << " / " << xed_operand_action_enum_t2str(xed_operand_rw(op))
        //     << " / " << xed_operand_width_enum_t2str(xed_operand_width(op));
        //cout << " bytes=" << xed_decoded_inst_operand_length(xedd,i);
        //cout << endl;